1 Introduction

The most significant problem in establishing secure communication between parties is authentication. Public key infrastructure (PKI)-based schemes have drawbacks such as high cost and the need for certificate authorities (CAs) and for issuing, storing, verifying, and revoking digital certificates (X.509 certificates). Since ad hoc networks have no supporting infrastructure, conventional authentication schemes based on public key encryption (PKE) cannot be used in them [1]. Therefore, we need an authentication method that can make use of identity-based encryption (IBE). The main advantage of an identity-based cryptosystem is that each participant uses its identity as its public key.

The concept of an identity-based cryptosystem was first presented by Shamir in 1984 [2]. His contribution was removing digital certificates and the problems related to them, and simplifying key management. He designed an identity-based signature scheme, but a system capable of encrypting and decrypting via identities remained an open problem until 2001, when Boneh and Franklin proposed a practical and provably secure IBE cryptosystem using bilinear pairings [3]. Another IBE scheme, invented by Cocks in 2001, was based on quadratic residues, but it was not efficient. More recently, Gentry et al. [4] constructed IBE schemes using lattices; however, study [5] states that these are not as efficient as the pairing-based IBE scheme in elliptic curve groups because of the size of the keys and ciphertexts. Elliptic curve cryptography has advantages including low bandwidth, short key sizes, and high performance [6]. Therefore, in this study, we focus on authentication schemes that apply bilinear pairings on elliptic curves.

The main disadvantage of an IBE cryptosystem is the key escrow property: the PKG, which generates every private key, can decrypt or sign on behalf of any user. The authors of [7] and [8] proposed solutions to this problem. Manik et al. [9] in 2006 proposed the first authentication scheme using bilinear pairings with a smart card. Their scheme was not secure, as it was vulnerable to several attacks. Chou et al. identified a security flaw in Manik et al.’s scheme and proposed an improvement in [10]. In 2006, Thulasi et al. showed that Chou et al.’s improved scheme was still vulnerable to forgery and replay attacks [11]. In the same year, Fang and Huang tried to remedy the weaknesses reported by Thulasi et al. in [12]. In 2013, Vallent and Kim [13] proposed a new authentication scheme using bilinear pairings. The authors claimed that their protocol is secure, but they did not prove some security properties, such as resistance to forgery attacks, in their paper. Moreover, their scheme does not provide non-repudiation. In 2015, Hsu et al. [14] showed that Manik et al.’s scheme had security flaws and was not secure against off-line password guessing and privileged insider attacks. They also demonstrated a forgery attack on Fang and Huang’s scheme. In the same year, Luo and Zhao presented an authentication and key management mechanism for wireless networks using certificateless public key cryptography [15]. Tsai and Lo, also in 2015, proposed a secure and efficient authentication protocol for mobile devices using bilinear pairings [16]. Although these two latter schemes are secure, neither provides non-repudiation and digital signatures for all participants. Moreover, since they are user authentication protocols for client–server environments, they require infrastructure and are therefore not appropriate for ad hoc networks. In the scheme proposed in this paper, by contrast, two participants can authenticate each other without any base station (BS) or special server.

The remainder of this paper is organized as follows. We concisely describe bilinear maps and provide the necessary definitions in Sect. 2. Section 3 presents the proposed authentication scheme. In Sect. 4, we analyze our scheme from different security perspectives: correctness, a formal proof using the BAN logic, validation of the authentication method using AVISPA, and resistance to different attacks. In Sect. 5, we compare our scheme with related schemes in terms of performance and security. Finally, Sect. 6 concludes the paper and outlines possible directions for future research.

2 Preliminaries

In this section, we briefly discuss the significant concepts within bilinear pairing and the computational problems required for understanding our scheme as follows.

Let \({\mathbb{G}}_{1}\) be a cyclic additive group of large prime order \(q\) with generator \(P\), and let \({\mathbb{G}}_{2}\) be a cyclic multiplicative group of the same prime order \(q\). A bilinear pairing is a map \(\hat{e}:{\mathbb{G}}_{1} \times {\mathbb{G}}_{1} \to {\mathbb{G}}_{2}\) that satisfies the following three properties:

  1. Bilinear: for all \(P,Q \in {\mathbb{G}}_{1}\) and \(a,b \in {\mathbb{Z}}_{q}^{ *}\), \(\hat{e}\left( {aP,bQ} \right) = \hat{e}\left( {bP,aQ} \right) = \hat{e}\left( {abP,Q} \right) = \hat{e}\left( {P,Q} \right)^{ab}\).

  2. Non-degenerate: the map does not send all pairs to the identity of \({\mathbb{G}}_{2}\); equivalently, for every \(P \in {\mathbb{G}}_{1}\) other than the identity element there exists \(Q \in {\mathbb{G}}_{1}\) such that \(\hat{e}\left( {P,Q} \right) \ne 1\). In particular, \(\hat{e}\left( {P,P} \right) \ne 1\) for the generator \(P\).

  3. Computable: for all \(P,Q \in {\mathbb{G}}_{1}\), there is a polynomial-time algorithm to compute \(\hat{e}\left( {P,Q} \right)\).

More detailed information on bilinear maps and their applications can be found in [3]. With the above assumptions, we have the following definition of the computational problems:

  • Discrete Logarithm Problem (DLP): Having knowledge of the two elements \(P,Q \in {\mathbb{G}}_{1}\), find an integer \(a \in {\mathbb{Z}}_{q}^{ *}\), so that \(Q = aP\).

  • Computational Diffie-Hellman problem (CDHP): Having knowledge of \(P,aP,bP \in {\mathbb{G}}_{1}\), for \(a,b \in {\mathbb{Z}}_{q}^{*}\), find the element \(abP.\)

  • Bilinear Diffie-Hellman Problem (BDHP): The elements \(P,aP,bP,cP \in {\mathbb{G}}_{1 }\) for \(a,b,c \in {\mathbb{Z}}_{q}^{*}\) are given, compute \(\hat{e}\left( {P,P} \right)^{abc} \in {\mathbb{G}}_{2} .\)

3 The Proposed Scheme

This section describes the proposed certificateless and secure authentication scheme based on IBE through the use of bilinear pairing. As noted earlier, our scheme is appropriate for ad hoc networks because it does not use any infrastructure. This scheme consists of three types of participants: a private key generator (PKG) who generates private keys for all entities using its master secret key, a station A (SA) who wants its identity to be authenticated, and a station B (SB) who verifies the identity of SA. It is noteworthy that this scheme provides mutual authentication between SA and SB.

Strong authentication schemes are often referred to as challenge-response authentication schemes [17]. With this in mind, we apply a challenge-response mechanism for authentication in our scheme.

Our protocol consists of the following three phases: (1) initial phase, (2) registration phase, and (3) authentication phase. Table 1 presents all notations used in this study.

Table 1 Notations used in the study

3.1 Initial Phase

We assume that the IBE in our scheme is obtained from a bilinear map \(\hat{e}:{\mathbb{G}}_{1} \times {\mathbb{G}}_{1} \to {\mathbb{G}}_{2}\) between the two groups \({\mathbb{G}}_{1}\) and \({\mathbb{G}}_{2}\). In this phase, the PKG first chooses \(k \in {\mathbb{Z}}^{ + }\) as the security parameter of the system and then performs the following steps to generate the system parameters.

  • Step 1 The PKG runs the algorithm \({\mathcal{G}}\) on k to generate the groups \({\mathbb{G}}_{1}\) and \({\mathbb{G}}_{2}\) of prime order q and the bilinear map \(\hat{e}:{\mathbb{G}}_{1} \times {\mathbb{G}}_{1} \to {\mathbb{G}}_{2}\), where \({\mathbb{G}}_{1}\) is a cyclic additive group of large prime order \(q\) with generator \(P\), and \({\mathbb{G}}_{2}\) is a cyclic multiplicative group of the same prime order \(q\).

  • Step 2 The PKG randomly chooses a master secret key \(s \in {\mathbb{Z}}_{q}^{*}\) to compute the corresponding public key \(P_{pub} = sP\), where P is a generator of Group \({\mathbb{G}}_{1}\).

  • Step 3 The PKG selects the following cryptographic hash functions for subsequent steps and finally publishes public parameters \(params = \left\{ {{\mathbb{G}}_{1} ,{\mathbb{G}}_{2} ,\hat{e},P_{pub} ,P,q,n,H_{1} ,H_{2} ,H_{3} ,H_{4} ,H_{5} } \right\}\) and holds \(s\) as its master secret key.

    $$\begin{aligned} H_{1} &: \left\{ {0,1} \right\}^{ *} \to {\mathbb{G}}_{1}^{*} \\ H_{2} &: {\mathbb{G}}_{2} \to \left\{ {0,1} \right\}^{n} \\ H_{3} &: \left\{ {0,1} \right\}^{n} \times \left\{ {0,1} \right\}^{n} \to {\mathbb{Z}}_{q}^{*} \\ H_{4} &: \left\{ {0,1} \right\}^{n} \to \left\{ {0,1} \right\}^{n} \\ H_{5} &: \left\{ {0,1} \right\}^{n} \to {\mathbb{Z}}_{q}^{*} \end{aligned}$$

3.2 Registration Phase

In this phase, each entity i (i.e., SA or SB) that wishes to obtain its private key selects a password \(PW_{i}\) and then submits its identity \(ID_{i} \in \left\{ {0,1} \right\}^{*}\), which serves as its public key, together with \(H_{1} \left( {PW_{i} } \right)\) to the PKG for registration. The PKG computes the private key \(d_{{ID_{i} }}\) of the entity as follows and sends \(K_{i}\) to its owner over a secure channel. Note that \(H_{1}\left( {PW_{i} } \right) \in {\mathbb{G}}_{1}\), so the addition in \(K_{i}\) is the group operation of \({\mathbb{G}}_{1}\), and the password only blinds \(d_{{ID_{i} }}\) during delivery. These phases are shown in Fig. 1.

Fig. 1
figure 1

The initial and registration phases in the proposed scheme

$$\begin{aligned} Q_{{ID_{i} }} & = H_{1} \left( {ID_{i} } \right) \in {\mathbb{G}}_{1}^{*} \\ d_{{ID_{i} }} & = sQ_{{ID_{i} }} \\ K_{i} & = d_{{ID_{i} }} + H_{1} \left( {PW_{i} } \right) \\ \end{aligned}$$

Once the entity i (e.g., SA or SB) receives the corresponding \(K_{i}\) from the PKG, it computes \(d_{{ID_{i} }}\) as follows:

$$d_{{ID_{i} }} = K_{i} - H_{1} \left( {PW_{i} } \right)$$

3.3 Authentication Phase

As shown in Fig. 2, the authentication phase of the scheme takes place in the following steps:

Fig. 2
figure 2

The authentication phase between SA and SB in the proposed scheme

  • Step 1. SB asks SA to authenticate itself if necessary.

  • Step 2. Upon receiving the request message, SA sends its identity \(ID_{SA}\) to SB for creating the public key of SA.

  • Step 3. Once SB receives \(ID_{SA}\), it performs the following:

    (a) Using the one-way hash function \(H_{1}\), computes the public key of SA:

      $$Q_{{ID_{SA} }} = H_{1} \left( {ID_{SA} } \right) \in {\mathbb{G}}_{1}^{*}$$

    (b) Chooses a random nonce \(N_{SB}\), concatenates it with its current timestamp \(T_{0}\), and forms the message \(m = N_{SB} \parallel T_{0}\).

    (c) Computes \(\mu = H_{5} \left( m \right)\) and signs \(m\) with its private key \(d_{{ID_{SB} }}\) by computing \(\hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\).

    (d) Sends \(m \parallel \hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\) to SA.

  • Step 4. Upon receiving \(m \parallel \hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\), SA performs the following:

    (a) Reads its current timestamp \(T_{1}\).

    (b) Checks the freshness condition \(T_{1} - T_{0} \le \Delta T\); if it does not hold, SA rejects the received message. Otherwise, to check that the message has not been altered in transit, SA recomputes \(\mu = H_{5} \left( m \right)\).

    (c) Computes the public key of SB as \(Q_{{ID_{SB} }} = H_{1} \left( {ID_{SB} } \right) \in {\mathbb{G}}_{1}^{*}\).

    (d) Verifies the signature of SB by computing \(\hat{e}\left( {d_{{ID_{SA} }} , \mu Q_{{ID_{SB} }} } \right)\) with its own private key (recall that \(d_{{ID_{SA} }} = sQ_{{ID_{SA} }}\); SA does not know \(s\) itself). If this value equals the received \(\hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\), the integrity of \(m\) is confirmed, so SA accepts \(m\) and extracts \(N_{SB}\). SA also looks up \(N_{SB}\) in its database of previously seen nonces to make sure that this value has not been used before.

    (e) Selects a random \(\sigma \in \left\{ {0,1} \right\}^{n}\) (the domain of \(H_{3}\) and \(H_{4}\)), generates a fresh nonce \(N_{SA}\) and the message \(m = N_{SA} \parallel N_{SB} \parallel ID_{SA} \parallel T_{1}\), where \(T_{1}\) is its current timestamp, computes \(r = H_{3} \left( {\sigma ,m} \right)\), and forms the ciphertext

      $$c = \left( {u,v,w} \right) = \left( {r,\;\sigma \oplus H_{2} \left( {\hat{e}\left( {rQ_{{ID_{SB} }} ,d_{{ID_{SA} }} } \right)} \right),\;m \oplus H_{4} \left( \sigma \right)} \right)$$

    (f) Sends \(c = \left( {u,v,w} \right)\) to SB.

  • Step 5. Once SB receives \(c = \left( {u,v,w} \right)\), at its current time \(T_{2}\), it performs the following:

    (a) Computes \(\sigma = v \oplus H_{2} \left( {\hat{e}\left( {d_{{ID_{SB} }} ,uQ_{{ID_{SA} }} } \right)} \right)\).

    (b) Computes \(m = w \oplus H_{4} \left( \sigma \right)\) and then \(r = H_{3} \left( {\sigma ,m} \right)\). If \(u \ne r\) or \(T_{2} - T_{1} > \Delta T\), SB rejects the received message; it also rejects if the \(N_{SB}\) and \(ID_{SA}\) recovered from \(m\) do not match the challenge it issued in Step 3. Otherwise, it extracts \(N_{SA}\), generates the message \(m = N_{SA} \parallel T_{2}\), and computes \(\mu = H_{5} \left( m \right)\) and \(\hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\).

    (c) Sends \(m \parallel \hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\) to SA.

  • Step 6. After receiving this message, at its current time \(T_{3}\), SA first checks its freshness: if \(T_{3} - T_{2} > \Delta T\), SA rejects the message. Otherwise, it recomputes \(\mu = H_{5} \left( m \right)\), verifies the integrity of the message and the signature of SB by comparing \(\hat{e}\left( {d_{{ID_{SA} }} , \mu Q_{{ID_{SB} }} } \right)\) with the received value, and confirms that the returned \(N_{SA}\) is the nonce it sent in Step 4.
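The registration phase of Sect. 3.2 and the three-message exchange of Sect. 3.3, traced end to end. This is an added example, not code from the paper: the bilinear map is replaced by the textbook toy pairing \(\hat{e}(a,b) = g^{ab \bmod q} \bmod p\) over \({\mathbb{G}}_{1} = ({\mathbb{Z}}_{q}, +)\) and \({\mathbb{G}}_{2} = \langle g \rangle \subset {\mathbb{Z}}_{p}^{*}\), which is bilinear, non-degenerate and computable but offers no security (the discrete logarithm in \({\mathbb{Z}}_{q}\) is trivial), so it only exercises the protocol's data flow and checks. The primes p and q, the use of SHA-256/SHAKE-256 for \(H_{1}\) to \(H_{5}\), the value n = 56 bytes, the fixed-width layout of the message m, \(\Delta T\) = 5 s, and the range check on u in Step 5 are all assumptions made for the example.

```python
"""Toy run of the registration and authentication phases (added example, not
the paper's code).  Pairing: G1 = (Z_q, +) with generator P = 1, G2 = <g> in
Z_p^* of order q, e(a, b) = g^(a*b mod q) mod p.  It is bilinear, non-degenerate
and computable, but DLP in G1 is trivial, so it only traces the data flow.
Assumed (not from the paper): p = 2^64 - 2^32 + 1 and q = 65537 (both prime,
q | p-1), SHA-256/SHAKE-256 for H1..H5, n = 56 bytes, and the fixed-width
layout N_SA(16) | N_SB(16) | ID_SA(16) | T1(8) for the message m of Step 4.
"""
import hashlib
import secrets

p, q = 2**64 - 2**32 + 1, 65537
g = next(x for x in (pow(h, (p - 1) // q, p) for h in range(2, 50)) if x != 1)
P, n, DELTA_T = 1, 56, 5      # generator of G1; byte length n; freshness window (s)

def pair(a, b):               # e(aP, bP) = e(P, P)^(ab)
    return pow(g, (a * b) % q, p)

def _to_zq_star(data):        # hash onto Z_q^* = {1, ..., q-1}
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1)

def H1(x): return _to_zq_star(b"H1" + x)                            # {0,1}* -> G1^*
def H2(z): return hashlib.shake_256(b"H2" + z.to_bytes(8, "big")).digest(n)  # G2 -> {0,1}^n
def H3(sigma, m): return _to_zq_star(b"H3" + sigma + m)            # -> Z_q^*
def H4(sigma): return hashlib.shake_256(b"H4" + sigma).digest(n)   # {0,1}^n -> {0,1}^n
def H5(m): return _to_zq_star(b"H5" + m)                            # -> Z_q^*
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

s = secrets.randbelow(q - 1) + 1          # Sect. 3.1: master secret key in Z_q^*
P_pub = (s * P) % q

def pkg_register(identity, h1_pw):        # Sect. 3.2, PKG side
    d = (s * H1(identity)) % q            # d_ID = s * Q_ID
    return (d + h1_pw) % q                # K_i = d_ID + H1(PW_i), addition in G1

class Station:
    def __init__(self, identity, password):
        self.id, self.seen, self.pending = identity, set(), None
        K = pkg_register(identity, H1(password))   # delivered over a secure channel
        self.d = (K - H1(password)) % q            # d_ID = K_i - H1(PW_i)
        # consistency check on the extracted key: e(d_ID, P) == e(Q_ID, P_pub)
        assert pair(self.d, P) == pair(H1(identity), P_pub)

def sb_challenge(sb, sa_id, T0):          # Step 3
    sb.pending = N_SB = secrets.token_bytes(16)
    m = N_SB + T0.to_bytes(8, "big")
    return m, pair(H5(m) * H1(sa_id) % q, sb.d)     # m || e(mu*Q_SA, d_SB)

def sa_respond(sa, sb_id, m, tag, T1):    # Step 4
    N_SB, T0 = m[:16], int.from_bytes(m[16:], "big")
    if T1 - T0 > DELTA_T or N_SB in sa.seen:
        raise ValueError("stale or replayed challenge")
    Q_SB = H1(sb_id)
    if pair(sa.d, H5(m) * Q_SB % q) != tag:        # e(d_SA, mu*Q_SB) must match
        raise ValueError("bad signature on challenge")
    sa.seen.add(N_SB)
    sa.pending = N_SA = secrets.token_bytes(16)
    m2 = N_SA + N_SB + sa.id.ljust(16, b"\0") + T1.to_bytes(8, "big")  # n bytes
    sigma = secrets.token_bytes(n)
    r = H3(sigma, m2)
    return r, xor(sigma, H2(pair(r * Q_SB % q, sa.d))), xor(m2, H4(sigma))

def sb_reply(sb, sa_id, u, v, w, T2):     # Step 5
    if not 1 <= u < q:                    # u must be an element of Z_q^*
        raise ValueError("u is not in Z_q^*")
    Q_SA = H1(sa_id)
    sigma = xor(v, H2(pair(sb.d, u * Q_SA % q)))
    m2 = xor(w, H4(sigma))
    if u != H3(sigma, m2):
        raise ValueError("ciphertext integrity check failed")
    N_SA, N_SB, ident = m2[:16], m2[16:32], m2[32:48].rstrip(b"\0")
    if N_SB != sb.pending or ident != sa_id:
        raise ValueError("nonce or identity mismatch")
    if T2 - int.from_bytes(m2[48:], "big") > DELTA_T:
        raise ValueError("stale response")
    m3 = N_SA + T2.to_bytes(8, "big")
    return m3, pair(H5(m3) * Q_SA % q, sb.d)       # m || e(mu*Q_SA, d_SB)

def sa_finish(sa, sb_id, m3, tag, T3):    # Step 6
    N_SA, T2 = m3[:16], int.from_bytes(m3[16:], "big")
    if T3 - T2 > DELTA_T or N_SA != sa.pending:
        return False
    return pair(sa.d, H5(m3) * H1(sb_id) % q) == tag

def run(tamper=None, t=1000):
    """One full run; `tamper` may rewrite (u, v, w) in transit."""
    sa, sb = Station(b"station-A", b"pw-A"), Station(b"station-B", b"pw-B")
    m1, tag1 = sb_challenge(sb, sa.id, t)
    u, v, w = sa_respond(sa, sb.id, m1, tag1, t + 1)
    if tamper:
        u, v, w = tamper(u, v, w)
    m3, tag3 = sb_reply(sb, sa.id, u, v, w, t + 2)
    return sa_finish(sa, sb.id, m3, tag3, t + 3)

def rejected(thunk):
    """True if the protocol step(s) in `thunk` raise ValueError."""
    try:
        thunk()
    except ValueError:
        return True
    return False
```

`run()` returns True for an untampered exchange; flipping a bit of w, sending u outside \({\mathbb{Z}}_{q}^{*}\), or re-delivering an old challenge to SA makes the receiving side raise. The timestamps are passed in explicitly so that the freshness checks can be exercised deterministically.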

4 Security Analysis of the Proposed Scheme

This section provides an analysis of the proposed scheme from different standpoints: correctness, formal verification, validation of authentication method, and protection against different attacks.

4.1 Correctness

The correctness of our scheme is described as follows:

As stated earlier, \(d_{{ID_{i} }} = sQ_{{ID_{i} }}\), and by construction \(u = r\); therefore, we have (1) and (2) below.

$$H_{2} \left( {\hat{e}\left( {rQ_{{ID_{SB} }} ,d_{{ID_{SA} }} } \right)} \right) = H_{2} \left( {\hat{e}\left( {rQ_{{ID_{SB} }} ,sQ_{{ID_{SA} }} } \right) } \right)$$
(1)
$$H_{2} \left( {\hat{e}\left( {d_{{ID_{SB} }} ,uQ_{{ID_{SA} }} } \right)} \right) = H_{2} \left( {\hat{e}\left( {sQ_{{ID_{SB} }} ,rQ_{{ID_{SA} }} } \right)} \right)$$
(2)

Applying the bilinearity of the pairing to (1) and (2), we have:

$$H_{2} \left( {\hat{e}\left( {rQ_{{ID_{SB} }} ,sQ_{{ID_{SA} }} } \right) } \right) = H_{2} \left( {\hat{e}\left( {sQ_{{ID_{SB} }} ,rQ_{{ID_{SA} }} } \right)} \right)$$
(3)

Replacing \(v\) and using the result (3), we have:

$$v \oplus H_{2} \left( {\hat{e}\left( {d_{{ID_{SB} }} ,uQ_{{ID_{SA} }} } \right)} \right) = \sigma \oplus H_{2} \left( {\hat{e}\left( {rQ_{{ID_{SB} }} ,d_{{ID_{SA} }} } \right) } \right) \oplus H_{2} \left( {\hat{e}\left( {d_{{ID_{SB} }} ,uQ_{{ID_{SA} }} } \right)} \right) = \sigma$$
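The signature check of Steps 4(d) and 6 rests on the same bilinearity. Written out in the paper's notation (this derivation is added here and is not part of the original correctness argument):

$$\hat{e}\left( {\mu Q_{{ID_{SA} }} ,d_{{ID_{SB} }} } \right) = \hat{e}\left( {\mu Q_{{ID_{SA} }} ,sQ_{{ID_{SB} }} } \right) = \hat{e}\left( {Q_{{ID_{SA} }} ,Q_{{ID_{SB} }} } \right)^{\mu s} = \hat{e}\left( {sQ_{{ID_{SA} }} ,\mu Q_{{ID_{SB} }} } \right) = \hat{e}\left( {d_{{ID_{SA} }} ,\mu Q_{{ID_{SB} }} } \right)$$

Hence SA, holding only \(d_{{ID_{SA} }}\), can verify the value sent by SB without knowing the master key \(s\).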

4.2 Formal Verification Using the BAN Logic

In this subsection, we use the BAN logic as a formal method to verify the proposed scheme. The BAN logic is a “Logic of Authentication” proposed by Burrows, Abadi, and Needham [18]. It is an attempt to provide a formal method for analyzing protocols. In this logic, the symbols P and Q denote specific principals; \(K_{P}\) and \(K_{Q}\) represent the public keys of P and Q, respectively; and \(K_{P}^{ - 1}\) and \(K_{Q}^{ - 1}\) are the corresponding secret keys. Let us first define some notation of the BAN logic.

  • P | ≡ X: The principal P believes X, or P would be entitled to believe X.

  • P \(\triangleleft\) X: The principal P sees the message X; e.g., P has received the message X over a network and can read or replay it.

  • P |~ X: The principal P once said the message X.

  • P ⇒ X: The principal P has jurisdiction over X; for instance, X is the public key of P.

  • #(X): The message X is fresh.

  • \(\left\{ X \right\}_{K}\): The message X has been encrypted by the key K.

  • \(X_{Y}\): The message X has been combined with the message Y.

  • \({\mathop{\longrightarrow}\limits^{K}}{P}\): The key K is the public key of the principal P. This key corresponds with the private key \(K^{ - 1} .\)

The logical postulates of the BAN logic used in the proof are summarized as follows:

  1. The ‘message-meaning’ rule for public keys:

    $$\frac{{P| \equiv \mathop{\longrightarrow}\limits^{K}{\text{Q}},\;{\text{P}} \triangleleft \left\{ {\text{X}} \right\}_{{K^{ - 1} }} }}{{P| \equiv {\text{Q}}|\sim{\text{X}}}}$$

    That is, if P believes that K and \(K^{ - 1}\) are the key pair of Q and sees the message X signed with \(K^{ - 1}\), then P believes that Q once said X.

  2. The ‘say’ rule [19]: if P believes that Q once said the message X and P also believes that X is fresh (created in the current run), then P believes that Q uttered the message X in the current run:

    $$\frac{{P| \equiv {\text{Q}}| \sim X,\;{\text{P}}| \equiv \# (X)}}{{P| \equiv {\text{Q}}{ \vdash }{\text{X}}}}$$

  3. If a principal sees a formula, then it also sees the components of this formula, provided that it knows the required keys [18]:

    $$\frac{{P| \equiv \mathop{\longrightarrow}\limits^{K}{\text{Q}},\;{\text{P}} \triangleleft \left\{ {\text{X}} \right\}_{{K^{ - 1} }} }}{{P \triangleleft {\text{X}}}}$$

    That is, if P believes that K and \(K^{ - 1}\) are the key pair of Q and sees the message X signed with \(K^{ - 1}\), then P sees X.

In what follows, A denotes SA and B denotes SB; \(K_{a}\) and \(K_{b}\) are the public keys of A and B, respectively, and they hold the corresponding secret keys \(K_{a}^{ - 1}\) and \(K_{b}^{ - 1}\). \(n_{a}\) and \(n_{b}\) denote the nonces (random numbers) generated by A and B, respectively. First, we must derive an idealized form of our scheme. For idealization, we drop unencrypted messages (plaintexts, including the request of Message 1) because they do not contribute to the beliefs of the agents. A message in the idealized protocol is called a formula. The idealized form of our scheme is as follows:

$$\begin{aligned} {\text{Message}}\,2:\quad B \to A:\{ n_{b} \}_{{K_{b}^{ - 1} }} \hfill \\ {\text{Message}}\,3:\quad A \to B:\{ \{ n{}_{b},n_{a} ,A\}_{{K_{b} }} \}_{{K_{a}^{ - 1} }} \hfill \\ {\text{Message}}\,4:\quad B \to A:\left\{ {n_{a} } \right\}_{{K_{b}^{ - 1} }} \hfill \\ \end{aligned}$$

The security goals of the proposed scheme expressed in terms of the BAN logic are A|≡B \({ \vdash }n_{a}\) (i.e., Alice believes that Bob uttered \(n_{a}\) in the current run) and B|≡A \({ \vdash }n_{b}\) (i.e., Bob believes that Alice uttered \(n_{b}\) in the current run).

To analyze our scheme, we must first state the assumptions. We assume that each participant knows the public key of the other and its own key pair, so that each can verify the other’s signature on the messages. We also assume that each participant believes that its own nonce, which is a random number, is fresh. The assumptions are:

$$A| \equiv \# (n_{a} ),\,B| \equiv \# (n_{b} ),\,A| \equiv \mathop{\longrightarrow}\limits^{{K_{b} }}B,\,B| \equiv \mathop{\longrightarrow}\limits^{{K_{b}^{ - 1} }}B,\,B| \equiv \mathop{\longrightarrow}\limits^{{K_{a} }}A,\,A| \equiv \mathop{\longrightarrow}\limits^{{K_{a}^{ - 1} }}A$$

Formal analysis of the proposed scheme is as follows:

First, we prove the first part of authentication goals, i.e., A|≡B \({ \vdash }n_{a}\). Receiving Message 4 in the idealized form of our protocol, we have the following formula:

$$A \triangleleft \{ n_{a} \}_{{K_{b}^{ - 1} }}$$
(1)

According to the assumptions, we also have:

$$A |{\equiv} \mathop{\longrightarrow}\limits^{{K_{b} }}B$$
(2)

So, applying the ‘message meaning’ rule related to the public key and the Formulas (1) and (2), we have the following:

$$A|{\equiv} B| \sim n_{a}$$
(3)

According to the assumptions, we have the following:

$$A|{\equiv} \# (n_{a} )$$
(4)

Lastly, applying the ‘Say’ rule and Formulas (3) and (4), we can infer the following:

$$A|{\equiv}B{ \vdash }n_{a}$$
(5)

In this way, we proved the first part of authentication goals. Next, we prove the second part of authentication goals, i.e., B|≡A \({ \vdash }n_{b}\) as follows:

Receiving Message 3 in the idealized form of our protocol, and decrypting its inner part with \(K_{b}^{ - 1}\), B has the following formula:

$$B \triangleleft \{ n_{b} \}_{{K_{a}^{ - 1} }}$$
(6)

According to the assumptions, we also have:

$$B|{\equiv} \mathop{\longrightarrow}\limits^{{K_{a} }}A$$
(7)

Hence, applying the ‘message-meaning’ rule for public keys to (6) and (7), we obtain the following:

$$B|{\equiv} A| \sim n_{b}$$
(8)

Then, according to the assumptions, we have:

$$B|{ \equiv }\# (n_{b} )$$
(9)

Finally, applying the ‘say’ rule and Formulas (8) and (9), we obtain the following:

$$B|{ \equiv }A{ \vdash }n_{b}$$
(10)

In this way, we have proved both parts of the authentication goals.

4.3 Validation Using AVISPA

Here, we validate the proposed scheme using the AVISPA tool. AVISPA is a push-button tool for validating Internet security protocols and applications [20]. It provides an expressive, modular, and formal language for specifying protocols and their security properties. Various important protocols, including Kerberos and EAP (Extensible Authentication Protocol), have been modeled in AVISPA [20–23]. This type of analysis is appropriate for identifying design flaws that would be very difficult and expensive to fix once the protocol has been deployed in real systems [24]. In this section, we simulate our authentication method with this tool.

Figure 3 shows the architecture of this tool. AVISPA employs a role-based language called the High-Level Protocol Specification Language (HLPSL) to specify protocols and their security properties. HLPSL specifications are translated to the low-level Intermediate Format (IF) by the HLPSL2IF translator. The Output Format (OF) of AVISPA is produced by four back-ends: OFMC (On-the-Fly Model Checker), CL-AtSe (Constraint-Logic-based Attack Searcher), SATMC (SAT-based Model Checker), and TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols). The results obtained from these back-ends have a ‘SUMMARY’ part that states whether the simulated protocol is safe.

Fig. 3
figure 3

The architecture of the AVISPA tool

Figure 4 gives the HLPSL code of the proposed authentication method in AVISPA. In this code, Alice’s role is regarded as SA; Bob’s role as SB. Also, Kb and Ka denote the public keys of SB and SA, respectively. As shown in the ‘SUMMARY’ part of Figs. 5 and 6, the results from executing this protocol in the OFMC and CL-AtSe back-ends are safe.

Fig. 4
figure 4

Specifying the roles of the entities in HLPSL

Fig. 5
figure 5

The simulation results of the proposed authentication scheme in the OFMC back-end

Fig. 6
figure 6

The simulation results of the proposed authentication scheme in the CL-AtSe back-end

4.4 Analysis Against Different Attacks

This subsection states how the proposed scheme resists a number of known attacks. Using the one-way hash function, discrete logarithm problem, and computational Diffie-Hellman problem, we show how our scheme provides the following key security properties.

Theorem 1

Our scheme provides mutual authentication.

Proof

In this type of authentication, both parties that wish to establish a secure communication have to prove their identities to each other. The proposed protocol provides mutual authentication as follows. At the beginning of the scheme, the participant SB generates \(N_{SB}\), signs it, and sends it to SA. When SA returns \(N_{SB}\) in its reply message, SB is assured that it is talking to SA, because apart from SB itself only SA, holding \(d_{{ID_{SA} }}\), can compute \(\hat{e}\left( {rQ_{{ID_{SB} }} ,d_{{ID_{SA} }} } \right)\) and hence the component \(v\). On the other hand, SA puts \(N_{SA}\) in the reply message, which is bound to its private key and encrypted under the public key of SB. Since SB is the only other party that knows a suitable private key, only it is able to compute \(\hat{e}\left( {d_{{ID_{SB} }} ,uQ_{{ID_{SA} }} } \right)\), extract \(N_{SA}\), and return it signed in the subsequent reply message. Thus, SA is sure that the party claiming to be SB really is SB, and the identity of SB is proven to SA.

Theorem 2

Our scheme can resist replay attacks.

Proof

A replay attack occurs when a valid, signed message is copied and re-sent. To prevent this attack, various mechanisms, including sequence numbers, timestamps, and nonces, are used. In the proposed protocol, we employ a challenge-response method in which the participants SA and SB select unique random values \(N_{SA }\) and \(N_{SB}\), respectively. In addition, we use timestamps in all messages to ensure message freshness and to avoid a large database of nonce values at SA and SB. An attacker fails even if it replays a duplicate message within the valid time interval \(\Delta T\), because, in addition to checking the time interval \(\Delta T\), the receiver checks the nonce values to detect duplicate messages. Thus, this mechanism assures the entities of message freshness.

Theorem 3

Our scheme can resist interleaving attacks.

Proof

An interleaving attack is a type of replay attack in which the data sent do not belong to the current run of the protocol but were obtained from previous runs. This attack usually occurs in communication protocols that lack liveness of the participants. It is prevented in our scheme because the message \(m = N_{SA} \parallel N_{SB} \parallel ID_{SA} \parallel T_{1}\) contains the identity of the sender and the nonce of the receiver, and is encrypted under the public key of SB. The attacker cannot reuse messages from previous instances of the protocol, even if it causes SA to run other instances, because this message contains \(N_{SA}\) as well as the identity and signature of SA. Therefore, including the identity of the sender in the messages prevents such attacks.

Theorem 4

Our scheme can resist reflection attacks.

Proof

A reflection attack is a type of replay attack in which an attacker tricks the target into answering the challenge the target itself generated and sent earlier. This type of attack is observed mostly in symmetric-key protocols. To prevent it, the message generator (e.g., SA) puts its identity in the message it sends; if the attacker sends this message back to SA, SA recognizes its own message and rejects it. This attack is a consequence of missing liveness. In our scheme, liveness is provided by including in each message the identity of its generator together with the nonce the generator has received.

Theorem 5

Our scheme can resist man-in-the-middle attacks.

Proof

A man-in-the-middle attack happens when the attacker is able to impersonate one party toward the others without their noticing. If mutual authentication is not provided in an authentication protocol, this attack is very easy to mount. Given that our scheme provides mutual authentication and that the message \(m = N_{SA} \parallel N_{SB} \parallel ID_{SA} \parallel T_{1}\) contains the nonce and the identity of the sender, both encrypted under the public key of the receiver, even if the attacker replaces \(N_{SB}\) with its own nonce in the message \(m = N_{SB} \parallel T_{0}\), it is not able to compute \(\hat{e}\left( {d_{{ID_{SB} }} ,uQ_{{ID_{SA} }} } \right)\) and cannot obtain the content of the message \(m = N_{SA} \parallel N_{SB} \parallel ID_{SA} \parallel T_{1}\). Therefore, such attacks cannot succeed against the proposed scheme.

Theorem 6

Our scheme can resist forgery attacks.

Proof

In the proposed scheme, an attacker cannot forge messages because each message carries the signature of its sender. For instance, if the attacker intercepts the message \(m\parallel \hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\) sent by SB to SA, it cannot impersonate the legitimate participant SB without knowing the private key \(d_{{ID_{SB} }}\) of that participant.

Theorem 7

Our scheme can resist off-line password guessing attacks.

Proof

The registration phase delivers \(K_{i} = d_{{ID_{i} }} + H_{1} \left( {PW_{i} } \right)\) over a secure channel, so an attacker does not obtain \(K_{i}\); and nothing else in the scheme depends on \(PW_{i}\), so there is no other value against which a password guess could be tested. Note what this proof rests on: the public parameters allow anyone to test a candidate private key \(d'\) by checking \(\hat{e}\left( {d',P} \right) = \hat{e}\left( {Q_{{ID_{i} }} ,P_{pub} } \right)\), so an attacker who did obtain \(K_{i}\) could test each password guess \(PW'\) by applying this check to \(d' = K_{i} - H_{1} \left( {PW'} \right)\). The confidentiality of \(K_{i}\) in transit, rather than the password, is therefore what prevents off-line guessing, and \(K_{i}\) must never be exposed.

Theorem 8

Our scheme provides non-repudiation property.

Proof

Non-repudiation means that the sender of a message cannot later deny having sent it. Non-repudiation of origin is provided by signing sent messages. In our scheme, every message carries a value that requires the sender’s private key: \(\hat{e}\left( {\mu Q_{{ID_{SA} }} ,d_{{ID_{SB} }} } \right)\) for the messages of SB, and the component \(v\), which requires \(d_{{ID_{SA} }}\), for the message of SA. One caveat follows from the identity in Sect. 4.1: the intended receiver can compute the same value with its own private key (SA obtains \(\hat{e}\left( {\mu Q_{{ID_{SA} }} ,d_{{ID_{SB} }} } \right)\) as \(\hat{e}\left( {d_{{ID_{SA} }} ,\mu Q_{{ID_{SB} }} } \right)\)), so a third party cannot tell which of the two participants produced it. The evidence therefore binds the pair of participants rather than the sender alone; non-repudiation toward an arbitrary third party would require a signature that is verifiable from public data only.

Theorem 9

Our scheme provides data integrity.

Proof

Data integrity means that the sent message is not altered by any illegitimate participant in the communication. Hash functions are used for data integrity in digital signature schemes: to sign a message, the sender applies a one-way hash function to the message and signs the hash value in place of the original message. In the proposed scheme, all messages are signed by their sender. The sender generates \(\mu = H_{5} \left( m \right)\), signs the message \(m\) by computing \(\hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\), and then sends \(m\parallel \hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\) to the receiver. If the data are modified for any reason, the receiver of the message detects this by recomputing \(\mu = H_{5} \left( m \right)\) and checking \(\hat{e}\left( {d_{{ID_{SA} }} , \mu Q_{{ID_{SB} }} } \right) = \hat{e}\left( {\mu Q_{{ID_{SA} }} , d_{{ID_{SB} }} } \right)\). For the message of SA, the check \(u = H_{3} \left( {\sigma ,m} \right)\) in Step 5 plays the same role. In this way, our scheme provides data integrity.

5 Security and Efficiency Comparisons

In this section, we compare our scheme with a few other related schemes (i.e., [9, 12, 13, 15, 16]) in terms of computational costs and security properties. To analyze and compare the computational cost, we use the notations, given in Table 2, which define the time complexity of operations.

Table 2 Notations for the time complexity of operations

Table 3 summarizes the comparison of computational costs. Generally, asymmetric encryption, pairing, and exponentiation operations require substantial computational power [14]. Less expensive operations are additions and hash operations, while more expensive operations include asymmetric encryption, pairings, scalar multiplications, and exponentiations [25]. Study [26] showed that the time complexity of evaluating one pairing is almost equal to that of evaluating three scalar multiplications.

Table 3 Comparison of the schemes in terms of computational costs

In comparison to scheme [12], our scheme does not apply any asymmetric key encryption/decryption. Since schemes [15] and [16] have nine scalar multiplications, it can be said that these schemes have four pairing-based operations, as stated by [25] and [26].

We used the time complexity conversions of Study [27] for computing the computational time of the schemes being compared.

As shown in Fig. 7, our scheme is more efficient than other schemes in the registration phase. Moreover, the computational time for SB in the authentication phase of our scheme is more efficient than schemes [12], [15], and [16] (Fig. 8). Although the computational time for SA in the authentication phase of our scheme is not less than the other schemes, our scheme supports non-repudiation, digital signature properties, and other important security requirements for all network participants. Furthermore, since our scheme is based on IBE, unlike the other schemes, each two participants can authenticate each other without the need for any infrastructure, base station, or special server. This indicates that the proposed authentication scheme is more appropriate for ad hoc networks.

Fig. 7
figure 7

Comparison of the schemes in terms of computation time in the registration phase

Fig. 8
figure 8

Comparison of the schemes in terms of computation time in the authentication phase

The security analysis in Sects. 4.2, 4.3, and 4.4 shows that our scheme is secure against well-known attacks. We used the Dolev-Yao intruder model [28] in AVISPA for simulating the scheme. Under this model, the intruder has complete control over the network: it can read all messages sent by the participants; intercept, analyze, and modify them (to the extent that it knows the required keys); and send any message to any participant it likes. Our scheme provides many important security properties, as presented in Table 4. Each of the other schemes has one or more security weaknesses, and none provides non-repudiation and digital signatures for all participants. Moreover, those schemes have not proven some security properties, whereas we showed that our scheme supports many important security requirements for participant authentication.

Table 4 Comparison of the schemes in terms of security properties

Another point is that since the schemes being compared to ours are user authentication protocols for client–server environments, the authentication they provide needs infrastructure. For this reason, they are not appropriate for ad hoc networks. However, in our scheme, each two participants can authenticate each other without the need for any infrastructure, base station, or special server.

6 Conclusions

This paper proposed a new certificateless and secure mutual authentication scheme based on IBE and bilinear pairing for ad hoc networks. Since our scheme does not need any certificate and infrastructure, it is appropriate for ad hoc networks. Unlike the existing schemes, our scheme provides non-repudiation and digital signature properties for all participants. In addition, we analyzed the security of our scheme by means of the AVISPA tool and employed the BAN logic as a formal method to prove that it is safe. Finally, we compared our protocol and some other protocols from the two perspectives of computational costs and security properties. In our future work, we will attempt to lower the communicational costs of our scheme by choosing suitable groups and fields and reducing the number of pairing-based operations.