A Secure User Authentication Protocol for Heterogeneous Mobile Environments

Mobile devices have become very important for our daily needs. The user authentication protocols with the key agreement are required to deal with the security issues that arise from the use of mobile devices through Internet applications. However, existing user authentication protocols are only suitable if the client and the server use a similar cryptographic approach. Therefore, it is important to develop an authentication protocol for mobile environments with heterogeneous cryptographic approaches. In this paper, an efficient user authentication and key agreement protocol is proposed for a heterogeneous client-server mobile environment. The security of the proposed scheme is formally proved under the $q$-strong Diffie-Hellman problem ($q$-SDH), the $q$-bilinear Diffie-Hellman inversion problem ($q$-BDHI), and the modified bilinear Diffie-Hellman inversion problem (mBDHI), respectively. Our scheme has reasonable processing costs and communication costs on the client and server sides. Moreover, our scheme is suitable for applications that use different cryptographic approaches. In particular, the proposed protocol can work when the client applies the identity-based cryptosystem and the server applies the certificateless cryptosystem.


I. INTRODUCTION
Previously, larger devices such as laptops and PCs were preferred over smaller devices such as cell phones and tablets. Today, however, people prefer mobile devices because they can be used for a variety of applications such as e-commerce, e-banking, e-healthcare, and e-government [1]-[3]. Mobile applications can work in different architectures, for example, in a client-server environment and in a multi-server environment [4], [5]. In a client-server architecture, the mobile device represents the client for accessing the services offered by the server. Separately, mobile device applications operate in an open network by using the Internet, which raises security issues such as authentication, key agreement, and confidentiality [6]-[8]. The client and server must authorize each other. In addition, the two parties must agree on a session key for subsequent connections [9].
The associate editor coordinating the review of this manuscript and approving it for publication was Junaid Arshad.
To overcome the drawbacks of authentication, key agreement, and confidentiality, various public-key cryptosystems have been proposed, such as the public-key infrastructure cryptosystem (PKI) [10], the identity-based cryptosystem (IBC) [11], and the certificateless cryptosystem (CLC) [12]. However, PKI is very computationally intensive due to certificate management and is therefore not suitable for mobile environments. IBC appears to reduce the computational overhead of PKI and is more suitable for mobile environments, but lacks efficiency in key escrow. The CLC, on the other hand, eliminates both the need for the certificate in PKI and the key escrow problem in IBC [13]. Certain user authentication schemes with key agreement have been proposed to solve the user authentication and key agreement issues [14]-[16]. However, all protocols are homogeneous, i.e., the client and the server all belong to a similar cryptographic approach. For example, the clients get their keys from the server, which mainly uses IBC or CLC. With the rapid growth of mobile applications and the daily needs of users, it is important to have heterogeneous architectures that can work with different cryptographic approaches. For example, clients get their keys from the server using IBC and servers get their keys from the server using CLC. In this context, mobile applications using the Internet with different cryptographic environments may need to communicate with each other to access services.
VOLUME 10, 2022. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Recently, Li et al. [17] proposed a heterogeneous user authentication scheme that takes into account when the client and the server use different cryptosystems. In their protocol, the client uses the IBC environment and the server is from PKI. However, their scheme has the disadvantage of causing certificate management overhead, which is unsuitable for mobile devices with limited memory and power. Therefore, existing systems need to be vastly improved or new ones created. For example, some applications require the client to request an IBC while the server requests a CLC. In this case, it is highly desirable to use a user authentication protocol that meets the requirements of this environment. In this paper, we propose a secure user authentication protocol for heterogeneous mobile environments.

II. RELATED WORKS
To address authentication issues in mobile environments, several identity-based user authentication schemes without mutual authentication and key agreement have been proposed [18], [19]. Similarly, many identity-based user authentication protocols with the key agreement have been introduced to overcome the weaknesses of the previous schemes in terms of computational cost, communication cost, and security vulnerabilities. Wu and Tseng [14] have presented a new user authentication protocol based on IBC and provided a formal proof of their protocol. In addition, their protocol provides key agreement and mutual authentication. In terms of computational cost improvement, He [20] proposed another user authentication protocol with formal proof that has the same security properties as Wu and Tseng's scheme [14], resulting in a computationally effective and efficient scheme compared to that of Wu and Tseng's [14]. Chou et al. [21] proposed a two-party scheme AKA for the mobile application environment. This scheme is based on identity with ECC.
In addition, they extended their work to design another three-party scheme AKA for initiating the session key between trusted service providers and users. They claimed that their proposed scheme resists common attacks on user authentication schemes, such as perfect forward secrecy, known key security, and key identity compromise impersonation [22]. Later, Farash and Attari [23] found that the schemes of Chou et al. [21] are not as resistant to the above attacks as they claimed. They introduced an improved identity-based AKA scheme to overcome the drawbacks of Chou et al.'s scheme [21].
Tsai and Lo [24] considered the anonymity of the client identity, which led them to design an anonymous user authentication protocol for mobile device applications. Furthermore, their scheme has less processing cost on the client side than He's scheme. Tseng et al. [25] also considered ephemeral secret leakage (ESL) attacks, which resulted in a user authentication protocol that resists these attacks. In all the schemes above, the client and the server belong to the IBC. Because the private keys in IBC are generated by a trusted party called the private key generator (PKG), these schemes suffer from the key escrow problem. Consequently, if the PKG is compromised by an adversary, then all clients' private keys are jeopardized.
Since the certificateless cryptosystem (CLC) [26] was proposed to overcome the key escrow problem in the IBC, Hou et al. [27] suggested a CLC-based user authentication protocol that does not achieve mutual authentication. The proposed protocols should be secure against the adversary type I and adversary type II as discussed in [26]. Afterwards, Hassan et al. [16] presented a new protocol based on CLC that offers key agreement and mutual authentication. They claimed that their scheme is secure against adversary types I and II respectively. Nevertheless, Hassan et al. [28] found that the protocol in [16] does not resist adversary type II. Then, they proposed another user authenticated key agreement protocol with mutual authentication which is indeed secure against adversary types I and II. In all the schemes above, the client and the server remain in the CLC.
After looking at all the previous user authentication protocols, we found that the client and the server belong to the same cryptosystem environment. For example, the client and the server belong to the IBC or the CLC. However, if an application needs to work in different cryptosystem environments (e.g., the client belongs to the PKI and the server belongs to CLC), such user authentication protocols are not suitable. Recently, Li et al. [17] proposed a heterogeneous user authentication protocol for the mobile client-server setting. In their scheme, the client belongs to the IBC and the server belongs to the PKI. In this paper, user authentication with the key agreement protocol is presented for the heterogeneous mobile client-server environment. In our proposed scheme, the client applies the IBC, while the server applies the CLC.

A. ORGANIZATION
Our paper is presented as follows: The preliminaries are introduced in Section III while our protocol is proposed in Section IV. The security of the presented protocol is displayed in Section V and the analysis of the protocol's performance is demonstrated in Section VI with the conclusions in Section VII.

A. BILINEAR PAIRINGS
Let $G_1$ be a cyclic additive group and $G_2$ be a cyclic multiplicative group with a large prime order $q$. Let $P$ be a generator of $G_1$. Therefore, a bilinear map $e : G_1 \times G_1 \to G_2$ realizes the following properties [29], [30]:
1) Bilinearity: $\forall x, y \in Z_q^*$ and $\forall Q, R \in G_1$, $e(xQ, yR) = e(Q, R)^{xy}$.
2) Non-degeneracy: Let $P$ be a generator of $G_1$, $e(P, P) \neq 1_{G_2}$, where $1_{G_2}$ is the identity element of $G_2$.
3) Computability: $\forall Q, R \in G_1$, $e(Q, R)$ is processed efficiently.

3) MODIFIED BILINEAR DIFFIE-HELLMAN INVERSION PROBLEM
Given $(P, \alpha P, \gamma)$, the modified bilinear Diffie-Hellman inversion problem (mBDHIP) in $(G_1, G_2)$ is to produce $e(P, P)^{\frac{1}{\alpha+\gamma}}$ as hard assumption.
Figure 1 depicts our scheme's network architecture. The architecture comprises the client, a service provider (SP), and an Internet server. The client employs the IBC to communicate with the server, while the server employs the CLC. In IBC, the private key generator (PKG) generates the private keys of the clients, while the clients' partial private keys are generated by the key generator center (KGC). Here, the SP plays the role of PKG for the clients and the role of the KGC for the server. Our protocol is capable of working in this environment. It is assumed that the SP is trusted and cannot be attacked [17].

C. SECURITY MODEL
In this subsection, the security authentication and key agreement as well as the capabilities of the adversary A are presented. The symbol λ u denotes as an instance λ of a member u. In the following, we show how the challenger C reacts with the adversary A:
1) Setup($1^{\lambda}$): Taking as input a security parameter $\lambda$, C runs the Setup algorithm to create the master secret key $x \in Z_q^*$, the master public key $P_{pub}$ as well as the system parameters params. Afterwards, C sends params to A and keeps $x$ secret.
2) Probing: At any time A can request the following queries in an adaptive manner:
a) Extract partial private key queries: For any identity ID, A can request the partial private key. The corresponding partial private key $D_{ID}$ is calculated by C and is returned to A.
b) Extract private key queries: A is allowed to request the private key for any ID. The corresponding private key is computed by C and is returned to A.
c) Request public key queries: When A requests the public key for any ID, C calculates the public key $PK_{ID}$ associated with ID and returns $PK_{ID}$ to A.
d) Replace public key queries: A new secret value $v$ for any ID can be chosen by A. Then, using $v$, a new public key is computed by A. Thus, $PK_{ID}$ can be replaced by A with $PK'_{ID}$.
e) Send( λ u , m) queries: While a plaintext $m$ is submitted depending on the introduced protocol from A to C, the estimation and the response to A are made by C.
f) Reveal( λ u ) queries: A may access the session key $sk$ from C when C accepts. If C does not accept A's session key, C returns a null.
g) Corrupt(u) queries: When a member's u private key is remitting, A makes a Corrupt query to C.
h) Test( λ u ) queries: After A sends one Test query, C throws a coin $b$. If $b = 1$, A obtains the session key. Otherwise, an arbitrary string is returned. This query gives the semantic security of the session key.
Afterwards, A generates $b'$ as estimation for $b$.
Mathematically, the advantage of A is represented by Adv(A). Therefore, Adv
In our security proof, Extract private key and Send queries are used to show that our scheme has client-to-server authentication. For the key agreement, we show that our scheme is secure against adversary type I and adversary type II because the server belongs to the CLC. Extract partial private key, Extract private key, Request public key, Replace public key, Send, Reveal, Corrupt, and Test queries are used for adversary type I. Extract private key, Request public key, Send, Reveal, Corrupt, and Test queries are used for adversary type II.

IV. PROPOSED PROTOCOL
The symbols used in our paper are displayed in Table 1. Our scheme consists of the phases Setup, Key Extraction, and User Authentication with Key Agreement. The proposed scheme lets the client and the server register with the SP by their identity. Note that the client applies the IBC and the server applies the CLC. To ensure that our scheme provides the user authentication and key agreement requirements, the proposed scheme follows these steps. First, in the Setup phase, the SP prepares the public parameters that will be used in the communication between the client and the server. Second, the SP runs the extract phase to generate the corresponding keys for the client and the server respectively. Third, the client computes a value and sends this value with his identity to the server. Then, the server checks whether this value is correct or not. Fourth, after verifying the value sent by the client, the server computes other values and sends them to the client. By this step, the server can know whether it is communicating with the right server or not. Fifth, the client receives the server's values and uses them to compute the session key, generate a signature, and send it to the server. Finally, the server receives the client's signature and checks it: if it is correct, the server accepts the client; otherwise, it rejects the client.

A. SETUP PHASE
The service provider (SP) executes this phase by the following steps:
1) Take $\lambda$ as input and calculate the params.
2) Pick two cyclic groups $G_1$ and $G_2$, where $G_1$ is an additive group and $G_2$ is a multiplicative group with the same prime order $q$ and the bilinear pairing e : Let $P$ be a generator of $G_1$.
3) Pick the master secret key $x \in Z_q^*$ randomly and let $P_{pub} = xP$, and pick secure hash functions H 1 : where $g = e(P, P)$, as the public parameters and keep $x$ secret.

B. KEY EXTRACTION
This algorithm is carried out by the SP as follows:
• IBC-KG: A client sends his identity $ID_c$ to the SP. Then, the SP responds with $SK_c = \frac{1}{H_1(ID_c) + x}P$ as the client's private key. The client uses his identity $ID_c$ as public key.
• CLC-KG: A server sends his identity $ID_s$ to the SP. Then, the SP responds with $D_{ID_s} = \frac{1}{H_1(ID_s) + x}P$ as the server's partial private key. Then, the server with identity $ID_s$ randomly chooses $v \in Z_q^*$ as secret value to compute his public key as $PK_s = v(H_1(ID_s)P + P_{pub})$. When $D_{ID_s}$ and $v$ are given, the server computes his full private key as $SK_{ID_s} = \frac{1}{v + H_2(PK_s)} D_{ID_s}$.

C. USER AUTHENTICATION WITH KEY AGREEMENT
Figure 2 depicts the collaboration between the client and the server to do the verification. Here, this phase gives the client, who applies the IBC, the ability to authenticate himself/herself to the server, while the server applies the CLC. Indeed, this step illustrates the authentication in heterogeneous cryptographic approaches. This phase can be completed by the following steps:
• While a client private key $SK_c$, a client public key $ID_c$, and the server public key $PK_s$ are given, the client responds as follows: Ppub)) and return $ID_c$ and $T$ to the server. Note that the values of $r$ and $T$ are precomputed off-line by the client.
• After $ID_c$ and $T$ are received, the server responds by the following :
• Since $\beta$ and $h$ are received, the client responds as follows: sion key that will be used between the client and the server for the future communication. 3) Compute $S = (\varphi + h)SK_c$ and return it to the server.
• Since $S$ is received, the server verifies $S$ using the following equation: $r = e(S, H_1(ID_c)P + P_{pub})\,g^{-h}$.
Then, the session key $sk = H_2(ID_c, ID_s, PK_s, \beta, r)$ is computed. To ensure that the proposed scheme is correct, first we have $= e(\varphi P, P) = e(P, P)^{\varphi} = g^{\varphi} = r$. Then, we verify the correctness of the following equation
This section depicts that our protocol can achieve the client-to-server authentication (CSA), key agreement, and server-to-client authentication (SCA) by using the random oracle model [31]. We employed the logic in [14] to do the security analysis.
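The authentication and key agreement exchange of Section IV-C, as an added Python example that is not part of the paper: it replaces the pairing groups with an insecure exponent model (the element aP is stored as the scalar a) so that the two checks r = e(T, SK_s) and r = e(S, H_1(ID_c)P + P_pub)g^{-h} can be run end to end. The SHA-256 hash instantiation, the sample identities, and the formula for T (not legible above, chosen here so that e(T, SK_s) = g^ϕ holds for the keys from Key Extraction) are assumptions.

```python
import hashlib
import secrets

# Toy "exponent model" of the pairing groups, constructed for illustration and NOT secure:
# the G1 element aP is stored as the scalar a and the G2 element g^a as a, so
# e(aP, bP) = g^(ab) becomes a*b mod q and multiplication in G2 becomes addition.
q = 2**127 - 1          # sample prime group order
P = 1                   # generator of G1 in this model

def pair(a, b):         # e(aP, bP) in exponent form
    return a * b % q

def inv(a):
    return pow(a, -1, q)

def rand_scalar():      # uniform element of Z_q^*
    return secrets.randbelow(q - 1) + 1

def H(tag, *parts):     # domain-separated SHA-256 mapped into Z_q^* (assumed instantiation)
    data = "|".join([tag] + [str(p) for p in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

def setup():
    x = rand_scalar()                       # master secret key of the SP
    return x, x * P % q                     # (x, P_pub)

def ibc_kg(x, id_c):
    return inv(H("H1", id_c) + x) * P % q   # SK_c = 1/(H1(ID_c)+x) P

def clc_kg(x, p_pub, id_s):
    d = inv(H("H1", id_s) + x) * P % q      # partial private key D_IDs from the SP
    v = rand_scalar()                       # server's secret value
    pk_s = v * (H("H1", id_s) * P + p_pub) % q
    sk_s = inv(v + H("H2", pk_s)) * d % q   # full private key SK_IDs
    return pk_s, sk_s

def authenticate(p_pub, id_c, sk_c, id_s, pk_s, sk_s):
    """Run the four steps; return (server_accepts, sk_client, sk_server)."""
    # Client -> server: (ID_c, T). phi, r and T can be precomputed off-line.
    phi = rand_scalar()
    r_c = phi                               # r = g^phi in exponent form
    # Assumed form of T: phi * (PK_s + H2(PK_s) * (H1(ID_s)P + P_pub)).
    T = phi * (pk_s + H("H2", pk_s) * (H("H1", id_s) * P + p_pub)) % q
    # Server -> client: (beta, h), with r recovered as e(T, SK_s).
    r_s = pair(T, sk_s)
    beta = rand_scalar()
    h = H("H3", id_c, id_s, pk_s, r_s, beta)
    # Client recomputes h (server-to-client authentication), derives sk, signs.
    if h != H("H3", id_c, id_s, pk_s, r_c, beta):
        return False, None, None
    sk_client = H("H2", id_c, id_s, pk_s, beta, r_c)
    S = (phi + h) * sk_c % q
    # Server checks r = e(S, H1(ID_c)P + P_pub) * g^(-h).
    if r_s != (pair(S, (H("H1", id_c) * P + p_pub) % q) - h) % q:
        return False, sk_client, None
    return True, sk_client, H("H2", id_c, id_s, pk_s, beta, r_s)

def demo():
    x, p_pub = setup()
    id_c, id_s = "alice@client", "server.example"   # constructed sample identities
    sk_c = ibc_kg(x, id_c)
    pk_s, sk_s = clc_kg(x, p_pub, id_s)
    honest = authenticate(p_pub, id_c, sk_c, id_s, pk_s, sk_s)
    # A private key issued for another identity must not pass as id_c.
    sk_other = ibc_kg(x, "mallory@client")
    wrong_client = authenticate(p_pub, id_c, sk_other, id_s, pk_s, sk_s)
    # Without the matching SK_s the server cannot produce an h the client accepts.
    wrong_server = authenticate(p_pub, id_c, sk_c, id_s, pk_s, rand_scalar())
    return honest, wrong_client, wrong_server

if __name__ == "__main__":
    labels = ("honest run", "wrong client key", "wrong server key")
    for name, result in zip(labels, demo()):
        print(name, "->", "accept" if result[0] else "reject")
```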

A. ANALYSIS OF CLIENT-TO-SERVER AUTHENTICATION
In Theorem 1, A is unable to use the client to complete the communication with the server. A cannot solve the $q$-SDH problem, which is known to be hard.
Theorem 1: Suppose that A has a non-negligible advantage $\varepsilon$ for breaking the CSA security. Also, at most $q_S$ queries to the server's oracle j S , $q_C$ queries to the client's oracle i C , Extract private key queries and $q_{H_i}$ queries on the $H_i$ oracle $\forall i \in \{1, 2, 3\}$ are made by a challenger C. Then C solves the $q$-SDH problem with a non-negligible probability.
Proof: Figure 3 depicts the proof structure of this theorem. As in the proof in [30], the challenger C takes as input $(P, \alpha P, \alpha^2 P, \ldots, \alpha^p P)$ and attempts to extract $(w_i, \frac{1}{w_i+\alpha}P)$ from its communication with A, where $w_i, \alpha \in Z_q^*$.
Initialization: In the IBC-KG preparation phase, C randomly chooses $w_1, w_2, \ldots, w_{p-1} \in Z_q^*$. As in the proof technique of [30], C sets up a generator $Q \in G_1$ and the public key $Q_{pub} = \alpha P \in G_1$, such that it knows $p - 1$ pairs After that, $Q$ and $Q_{pub}$ are computed by C using the following equations: The pair $(w_i, k_i)$ can be acquired similar to the proof in [30].
The following equations $f_i(z)$ are expanded by C to get i=0 d i z i and $k_i$ is taken as $Q_{pub}$ and $\alpha$ are set as the master public key and master secret key of the SP, respectively. Then $Q$, $Q_{pub}$, and $g = e(Q, Q)$ are sent to A by C. The public key and private key of the server $PK_s$, $SK_s$ are computed by C using the CLC-KG algorithm and are sent to A. A challenged identity $ID_t$ is chosen and is given to A by C.
Attack: The algorithm C generates the system parameters
2) $H_2$ queries: When A submits this query on $PK_s$, C first verifies whether the value of $H_2$ was previously defined for $PK_s$. If it was defined, C returns the value that was defined previously. Otherwise, C randomly chooses $h_{2,i} \in Z_q^*$. Then, C returns $h_{2,i}$ to A and updates $L_{H_2}$ with $(PK_s, h_{2,i})$.
3) $H_3$ queries: When A sends this query on $(ID_c, ID_s, PK_i, r_i, \beta_i)$, C first looks at $L_{H_3}$ to verify whether the value of $H_3$ was previously assigned to $(ID_c, ID_s, PK_i, r_i, \beta_i)$. If yes, the previous value is returned by C to A. Otherwise, C randomly chooses
Extract private key queries: When A forwards this query to get the private key of ID, C does as follows:
a) If $ID = ID_t$, C fails and stops the simulation.
b) If $ID \neq ID_t$, the private key of the client is known and is computed by C with
to the server, if $ID = ID_t$, C computes $r = e(T, SK_s)$. Then, $\beta \in Z_q^*$ is chosen randomly and $h = H_3(ID_c, ID_s, PK_s, r, \beta)$ is computed by C. Finally, $\beta$ and $h$ are returned to A. Otherwise, C fails and stops the simulation.
c) When A submits a Send( i C , $(\beta, h)$) query to the client, if $ID = ID_t$, $H_2(ID_c, ID_s, PK_s, r, \beta)$ is computed again by C to check whether it is equal to the $h$ that is received from the server or not. Then, $S = \mu SK_s$ and $sk = H_3(ID_c, ID_s, PK_s, r, \beta)$ are computed by C. Finally, $S$ is returned to A. If $ID = ID_t$, C fails because A cannot get the correct value of $h$.
d) Whenever A forwards a Send( j S , $S$) query to the server, if $ID = ID_t$, $e(S, w_i Q + Q_{pub})\,g^{-h}$ is computed by C to check whether it is equal to $r$. If the condition is satisfied, C accepts and computes $sk = H_3(ID_c, ID_s, PK_s, r, \beta)$. Otherwise, the simulation is stopped by C.
Analysis: Turing machine A can be constructed if A is a forger in the above simulation, according to the forking lemma [32]. Then, A is able to sign messages $(ID^*, h, S)$ and $(ID^*, h^*, S^*)$ with $h \neq h^*$ and send them to the challenger. A machine C is constructed to solve the $q$-SDHP by using A as follows:
• C finds two different signatures $(ID^*, h, S)$ and $(ID^*, h^*, S^*)$ by running A. can be computed as
• The pair $(w^*, \frac{1}{\alpha + w^*}P)$ is output by C as the answer to the $q$-SDHP.
By the forking lemma [32], if A succeeds in a time $t$ with probability $\varepsilon \geq 10(q_s + 1)(q_s + q_{H_2})/2^k$, then the $q$-SDHP is solved by C with expected time
Indeed, our scheme provides a client-to-server authentication under the $q$-SDHP.

B. ANALYSIS OF KEY AGREEMENT
Theorem 2: Suppose that the Test query coin can be predicted by $A_I$ and $A_{II}$ with a non-negligible advantage $\varepsilon$ and at most $q_S$ queries to the server's oracle j S , $q_C$ queries to the client's oracle i C , Extract partial private key queries, Extract private key queries, Request public key queries, Replace public key queries, Send queries, Corrupt queries, Reveal queries, Test queries and $q_{H_i}$ queries on the $H_i$ oracle $\forall i \in \{1, 2, 3\}$ are made by C. Then, C solves the $q$-BDHI problem and the mBDHI problem with a non-negligible probability.
Proof: Lemma 1: Our protocol resists the adversary type I $A_I$ under the $q$-BDHI problem in the random oracle model.
Proof: Figure 4 depicts the proof structure of this theorem. When a Test query is submitted, the adversary can guess the value of coin $b$ correctly with probability not less than 1/2. Let us suppose that the adversary is able to guess the coin with $\varepsilon$. As a result, the adversary with advantage $\Pr[Esk] \geq \varepsilon/2$ is able to acquire the correct session key. Here, some symbols are employed in our proof. We use the symbol $Esk$ to show the event of acquiring the correct session key by the adversary. In addition, the symbols $Test(C_i)$ and $Test(S_j)$ are used to explain the correct test queries that are made to the client and to the server separately. The symbol $E_{C2S}$ represents the event of breaking the CSA security. By supposing that the Test query can be submitted to the client as well as to the server by the adversary, subsequently this probability, into some $i$ and $j$, is: Assuming the possibility of breaking the CSA security is denoted by $Pr_{C2S}$. Then, the following probability is computed into some $i$ and $j$
As in the proof in [30], the challenger C takes as input $(P, \alpha P, \alpha^2 P, \ldots, \alpha^p P)$ and attempts to extract $(w_i, \frac{1}{w_i+\alpha}P)$ from its communication with $A_I$, where $w_i, \alpha \in Z_q^*$.
Initialization: In the preparation phase, C randomly chooses $e_\gamma \in Z_q^*$ and $w_1, w_2, \ldots, w_{\gamma-1}, w_{\gamma-2}, w_p \in Z_q^*$ where $\gamma \in \{1, 2, 3, \ldots, q_{H_1}\}$. Then, $e_i = e_\gamma - w_i$ is computed by C for $i \in \{1, 2, 3, \ldots, \gamma-1, \gamma-2, p\}$. As in the proof technique of [30], C sets up a generator $Q \in G_1$ and $Y = \alpha Q \in G_1$, such that it knows $p - 1$ pairs $(w_i, k_i = \frac{1}{w_i+\alpha}Q)$ for $i \in \{1, 2, 3, \ldots, p\}$ except $\gamma$. To do so, the polynomial $f(z) = \prod_{i=1}^{p-1}(z + w_i)$ is expanded by C to acquire the coefficients of $f(z)$, then $f(z) = \sum_{i=0}^{p-1} l_i z^i$ where $\{l_0, l_1, l_3, \ldots, l_{p-1}\} \in Z_q^*$. Then, $Q$ and $Y$ are computed by C by the following equations: The pair $(w_i, k_i)$ can be acquired similar to the proof in [30].
The following equations $f_i(z)$ are expanded by C to get i=0 d i z i and $k_i$ is taken as $Q_{pub}$ and $x = (-\alpha - e_\gamma)$ are chosen as the master public key and master secret key of the SP respectively. $Q = (-\alpha - e_\gamma)$, $Q_{pub} = (-Y - e_\gamma Q)$ and $g = e(Q, Q)$ are sent to $A_I$ by C. $\forall i \in \{1, 2, 3, \ldots, p\}$ except $\gamma$, we then have $(e_i, -k_i) = (e_i, \frac{1}{e_i+x}Q)$. The public key and private key of the server $PK_s$, $SK_s$ are computed by C using the CLC-KG algorithm and are sent to $A_I$.
The algorithm C generates the system parameters $\{G_1, G_2, q, e, P, g, P_{pub}, H_1, H_2, H_3\}$ and sends them with the public key of the server $PK_s = v(H_1(ID_s)P + P_{pub})$ to $A_I$. C selects $ID_t$ randomly. C simulates the random oracles of $H_1$, $H_2$ and $H_3$ with lists to avoid collision and keep consistency. For oracle queries and responses, C prepares four lists $L_{H_1}$, $L_{H_2}$, $L_{H_3}$ and $L_K$ to keep the public keys.
We assume the $H_1(ID)$ query is completed first, then the other queries are created.
1) $H_1$ queries: When $A_I$ sends this query on ID, C randomly chooses $e_i \in Z_q^*$ and sends it to $A_I$. However, if $ID = ID_t$, C returns $e_i$ to $A_I$. Then, C updates $L_{H_1}$ with $(ID, h_{1,i})$.
2) $H_2$ queries: When $A_I$ submits this query on $PK_s$, C first verifies whether the value of $H_2$ was previously defined for $PK_s$. If it was defined, C returns the value that was defined previously. Otherwise, C randomly chooses $h_{2,i} \in Z_q^*$. Then, C returns $h_{2,i}$ to $A_I$ and updates $L_{H_2}$ with $(PK_s, h_{2,i})$.
3) $H_3$ queries: When $A_I$ submits this query on $(ID_c, ID_s, PK_i, r_i, \beta_i)$, C first looks at $L_{H_2}$ to verify whether the value of $H_3$ was previously assigned to $(ID_c, ID_s, PK_i, r_i, \beta_i)$. If yes, the previous value is returned by C to $A_I$. Otherwise, C randomly chooses $h_{3,i} \in Z_q^*$, $\zeta^* = r_i \cdot e(Q, Q)^{h_{3,i}}$ and returns it to $A_I$. C updates $L_{H_2}$ with $(ID_c, ID_s, PK_i, r_i, \beta_i, h_{3,i}, \zeta^*)$.
4) Extract partial private key queries: This query can be asked by $A_I$ on identity ID. If $ID = ID_t$, C fails and stops the simulation. Else, the value of $H_1(ID) = e_i$ is known by C and can be used to compute the partial private key $-k_i = \frac{1}{e_i+x}P$, which is returned to $A_I$.
5) Extract private key queries: $A_I$ can submit this query on $ID_i$ requesting the private key. If $ID = ID_t$, C fails and stops the simulation. If $ID \neq ID_t$, the partial private key is known by C. Then, C looks up $L_k$ for the inputs $(ID_i, PK_i, v_i)$ (if these inputs do not already exist in $L_k$, new user key information will be generated by C) and $SK_i = -(1/v)k_i$ is returned by C to $A_I$.
6) Request public key queries: An identity $ID_i$ can be selected by $A_I$ and is sent to C. Then, C checks whether $L_k$ has the tuple $(ID_i, PK_i, v_i)$; if yes, $PK_i$ is returned to A. If it has not, a random $v \in Z_q^*$ is selected and $PK_i = v_i(e_i Q + Q_{pub})$ is set. Finally, C updates $L_k$ with $(ID_i, PK_i, v_i)$ and returns $PK_i$ to $A_I$.
7) Replace public key queries: The public key $PK_i$ may be replaced with a chosen value by $A_I$. For this query on $(ID_i, PK_i)$, $L_k$ is updated by C with $(ID_i, PK_i, \perp)$ where $\perp$ means that the value is unknown.
8) Send queries:
a) When $A_I$ submits a Send( i C , "start") query with the client identity $ID_c$, if $ID_c = ID_t$, $\mu \in Z_q^*$ is chosen randomly by C. Then, $r = g^{\mu}$ and $T = \mu(w_i Q + Q_{pub}) - h(PK_s + h_{2,i}(w_i Q + Q_{pub}))$ are computed. Finally, C returns $ID_c$ and $T$ to $A_I$. If $ID = ID_t$, C fails and stops the simulation.
b) When $A_I$ submits a Send( j S , $(ID_c, T)$) query to the server with $(ID_c, T)$, if $ID = ID_t$, C computes $r = e(T, SK_s)$. Then, $\beta \in Z_q^*$ is chosen randomly and $h = H_3(ID_c, ID_s, PK_s, r, \beta)$ is computed by C. Finally, $\beta$ and $h$ are returned to $A_I$. Otherwise, C fails and stops the simulation.
c) When $A_I$ submits a Send( i C , $(\beta, h)$) query to the client, if $ID = ID_t$, $H_2(ID_c, ID_s, PK_s, r, \beta)$ is computed again by C to check whether it is equal to the $h$ that is received from the server or not. Then, $S = \mu SK_s$ and $sk = H_3(ID_c, ID_s, PK_s, r, \beta)$ are computed by C. Finally, $S$ is returned to A. If $ID = ID_t$, C fails because $A_I$ cannot get the correct value of $h$.
d) When $A_I$ submits a Send( j S , $S$) query to the server, if $ID = ID_t$, $e(S, e_i Q + Q_{pub})\,g^{-h}$ is computed by C to check whether it is equal to $r$. If the condition is satisfied, C accepts and computes $sk = H_3(ID_c, ID_s, PK_s, r, \beta)$. Otherwise, the simulation is stopped by C.
9) Corrupt queries: Whenever this query on $ID_c$ is sent by $A_I$, $-k_i$ is returned by C.
10) Reveal queries: Whenever this query on $ID_c$ is submitted by $A_I$, if $ID_s = ID_t$, C fails and stops the simulation. Otherwise, $\lambda \in Z_q^*$ is chosen and $T^* = -\lambda Q$ is computed by C. $T^*$ is returned to $A_I$ to get the session key. Assume that = λ α and we know that $x = (-\alpha - e_i)$, so then we can get Then, $A_I$ is unable to get the correct session key unless it makes an $H_3$ query on e(P, P) .
11) Test queries: Whenever this query is sent by $A_I$, a fair coin $b$ is generated by C. A random input $(ID_c, ID_s, PK_i, r_i, \beta_i, h_{2,i}, \varsigma_i)$ is selected by C from $L_{H_3}$, which contains no more than $q_{H_3}$ inputs. If $b = 1$, the session key is returned to $A_I$ by C. If $b = 0$, C sends $\perp$ to $A_I$, where $\perp$ denotes a random string.
On the other hand, it is observed by C that these two events It is known that $Pr_{C2S}$ is negligible from the proof in Theorem 1.
Furthermore, if $\varepsilon$ is non-negligible, then we know that $\frac{\varepsilon}{2} - Pr_{C2S}$ is non-negligible. Hence, to obtain the session key, the adversary $A_I$ needs to select inputs containing the correct element of r i = e(P, P) with probability 1
$A_I$ is allowed to make the previous queries with the following limitations:
1) $A_I$ cannot submit an Extract partial private key query on $ID_t$ when the public key of $ID_t$ has been replaced.
2) $A_I$ cannot submit an Extract private key query on $ID_t$.
Indeed, as in the proof in [33], the value of (e(Q, Q)) λ −1 is computed by C as a solution for the $q$-BDHI problem when ζ * = e(P, P) λ −1 with the following equation
Hence, our scheme achieves a key agreement protocol under the $q$-BDHI problem against adversary type I.
Lemma 2: Our scheme is resists to A II under mBDHI problem in the random oracle model.
Proof: When a Test query is submitted, the adversary can guess the value of coin b correctly with probability not less than 1/2. Lets suppose adversary is able to guess the coin with ε. As result, the adversary with advantage Pr[Esk] ≥ ε/2 enables to acquire the correct session key. Here, some symbols are employed in our proof. We use the symbol Esk to show the event of acquiring the correct session key by adversary. In addition, these symbols Test(C i ) and Test(S j ) are used to explain the correct test queries that are made to the client and to the server separately. The symbol E C2S represents the event of breaking the CSA security. By supposing that the Test query can be submitted to the client as well as to the server by adversary, then this probability, into some i and j, is : Assuming the possibility of breaking the CSA security is denoted by Pr C2S . Then, the following probability is computed into some i and j As the proof in [30], the challenger C takes as input (P, αP, α 2 P, ...α p P) and attempts to extract (w i , 1 w i +α P) from its communication with A II , where w i , α ∈ Z * q Initialization In preparation phase, C chooses randomly x ∈ Z * q and P pub = xP is computed. The algorithm C generates the system parameters {G 1 , G 2 , q, e, P, g, P pub , H 1 , H 2 , H 3 } and forwards to A II . C selects ID t randomly. C simulates the random oracles of H 1 , H 2 and H 3 with lists regarding to avoid collision and consistency. For oracles queries and responses, C prepares four lists L H 1 , L H 2 , L H 3 and L K to keep the public keys. We assume H 1 (ID) query is completed first then the other queries are created.
1) $H_1$ queries: When $A_{II}$ submits this query on ID, C checks whether $L_{H_1}$ has the input $(ID_i, h_{1,i})$. If it does, $e_i$ is returned to $A_{II}$ and $L_{H_1}$ is updated with $(ID, e_i)$. However, if $ID = ID_t$, C returns $H_1(ID) = e_i$ to A when $A_{II}$ submits this query on $ID_t$.
2) $H_2$ queries: When $A_{II}$ submits this query on $PK_s$, C first verifies whether the value of $H_2$ was previously defined for $PK_s$. If it was, C returns the previously defined value. Otherwise, C verifies whether $PK_i = e_i \alpha P + x \alpha P$. If this holds, C returns $h_{2,i} = \gamma$ and updates $L_{H_2}$ with $(PK_s, \gamma)$. If it does not hold, C randomly chooses $h_{2,i} \in Z_q^*$. Then, C returns $h_{2,i}$ to $A_{II}$ and updates $L_{H_2}$ with $(PK_s, h_{2,i})$.
3) $H_3$ queries: When $A_{II}$ submits this $H_3$ query on $(ID_c, ID_s, PK_i, r_i, \beta_i)$, C first looks at $L_{H_3}$ to verify whether the value of $H_3$ was previously assigned to $(ID_c, ID_s, PK_i, r_i, \beta_i)$. If so, the previous value is returned by C to $A_{II}$. Otherwise, C randomly chooses $h_{3,i} \in Z_q^*$, and $\zeta^* = r_i \cdot e(P, P)^{h_{3,i}}$ is computed and returned to $A_{II}$. C updates $L_{H_3}$ with $(ID_c, ID_s, PK_i, r_i, \beta_i, h_{3,i}, \zeta^*)$.
4) Extract private key queries: $A_{II}$ can submit this query on $ID_i$ to request the private key. If $ID = ID_t$, C fails and stops the simulation. If $ID \neq ID_t$, C looks up $L_K$ for the input $(ID_i, PK_i, v_i)$ (if this input does not already exist in $L_K$, new user key information is generated by C), and $SK_i = \frac{1}{v + h_{2,i}} \cdot \frac{1}{e_i + x} P$ is computed and returned by C to $A_{II}$.
5) Request public key queries: $A_{II}$ can select an identity ID and send it to C. If $ID \neq ID_t$, C randomly selects $v \in Z_q^*$ and sets $PK_i = v(e_i P + P_{pub})$ as the public key. Then, C updates $L_K$ with $(ID_i, PK_i, v_i)$ and returns $PK_i$ to $A_{II}$. If $ID = ID_t$, the public key $PK_t = e_t \alpha P + x \alpha P$ is set and returned to $A_{II}$. Finally, C updates $L_K$ with $(ID_i, PK_t, \perp)$.
6) Send queries:
a) When $A_{II}$ submits a Send ( i C , "start") query with the client identity $ID_c$: If $ID_c = ID_t$, C randomly chooses $\mu \in Z_q^*$. Then, $r = g^{\mu}$ and $T = \mu(e_i P + P_{pub}) - h(PK_s + h_{2,i}(e_i P + P_{pub}))$ are computed. Finally, C returns $ID_c$ and $T$ to $A_{II}$. If $ID = ID_t$, C fails and stops the simulation.
b) When $A_{II}$ submits a Send ( j S , $(ID_c, T)$) query to the server with $(ID_c, T)$: if $ID = ID_t$, C computes $r = e(T, SK_s)$. Then, $\beta \in Z_q^*$ is chosen randomly and $h = H_3(ID_c, ID_s, PK_s, r, \beta)$ is computed by C. Finally, $\beta$ and $h$ are returned to $A_{II}$. Otherwise, C fails and stops the simulation.
c) When $A_{II}$ submits a Send ( i C , $(\beta, h)$) query to the client: If $ID = ID_t$, $H_3(ID_c, ID_s, PK_s, r, \beta)$ is computed again by C to check whether it is equal to the $h$ received from the server. Then, $S = \mu SK_s$ and $sk = H_3(ID_c, ID_s, PK_s, r, \beta)$ are computed by C. Finally, $S$ is returned to $A_{II}$. If $ID = ID_t$, C fails because $A_{II}$ cannot get the correct value of $h$.
d) When $A_{II}$ submits a Send ( j S , $S$) query to the server: If $ID = ID_t$, $e(S, e_i P + P_{pub})\, g^{-h}$ is computed by C to check whether it is equal to $r$. If the condition is satisfied, C accepts and computes $sk = H_3(ID_c, ID_s, PK_s, r, \beta)$. Otherwise, the simulation is stopped by C.
7) Corrupt queries: Whenever a Corrupt query on $ID_c$ is sent by $A_{II}$, $D_{ID_c}$ is returned by C.
8) Reveal queries: Whenever a Reveal query on $ID_c$ is sent by $A_{II}$: If $ID = ID_t$, C fails and stops the simulation. Otherwise, $\alpha \in Z_q^*$ is chosen and $T^* = \alpha P$ is processed by C. $T^*$ is returned to $A_{II}$ to get the session key. Then, $A_{II}$ is unable to get the correct $r_i$ unless it makes an $H_3$ query on $e(T^*, SK_s)$ to get the session key.
9) Test queries: Whenever this query is sent by $A_{II}$, a fair coin b is generated by C. C selects a random input $(ID_c, ID_s, PK_i, r_i, \beta_i, h_{2,i}, \varsigma_i)$ from $L_{H_3}$, which contains no more than $q_{H_3}$ inputs. If b = 1, the session key is returned to $A_{II}$ by C. If b = 0, C sends $\perp$ to $A_{II}$, where $\perp$ denotes a random string.
On the other hand, C observes that the two events ∃i, Esk ∧ Test( j C ) and ∃j, Esk ∧ Test( j S ) ∧ ¬$E_{C2S}$ are equivalent. As a result, we know the probability Pr[Esk ∧ Test( i C )] ≥ $\frac{\varepsilon}{2} - \Pr_{C2S}$. In addition, by simulating the queries that are submitted to the client we can get this probability
It is known that $\Pr_{C2S}$ is negligible from the proof in Theorem 1. Furthermore, if ε is non-negligible, then $\frac{\varepsilon}{2} - \Pr_{C2S}$ is non-negligible. Hence, to obtain the key agreement, the adversary should select inputs containing the correct element of $r_i = e(T^*, SK_s)$ with probability $1/q_{H_3}$. $A_{II}$ is allowed to make the previous queries, except that it cannot submit an Extract private key query on $ID_t$. Indeed, the mBDHI problem can be delivered by the following equation
Indeed, our scheme achieves key agreement under the mBDHI problem against a type II adversary.

C. ANALYSIS OF SERVER-TO-CLIENT AUTHENTICATION
By Theorem 3, the server cannot be compromised by the adversary to interact with the client under the q-BDHI problem.
Theorem 3: Suppose that A has a non-negligible advantage ε for breaking the SCA security, and that A makes at most $q_S$ queries to the server's oracle j S , $q_C$ queries to the client's oracle i C , and $q_{H_i}$ queries to the $H_i$ oracle for all $i \in \{1, 2, 3\}$. Then a challenger C solves the q-BDHI problem with non-negligible probability.
Proof: Figure 5 depicts the proof structure of this theorem. As mentioned in Theorem 2, the simulation works correctly since the event $E_{C2S}$ happens. We denote the event of breaking the server-to-client authentication by $E_{S2C}$. The event $E_{S2C}$ happens during the simulation when $(ID_c, T)$ is sent by the client to the server and $(\beta, h)$ is received by the client without having been issued by the correct server. This situation occurs under one of the following conditions:
1) The value of $h$ is guessed by adversary A with probability less than $q_C/2^k$.
2) The value $T$ occurs in a further session with probability $q_C/q \times (q_C - 1)$, which is less than $q_C^2/q$.
3) $H_1(ID_t)$ is asked by adversary A with probability $\Pr[(ID_c, ID_s, PK_s, r, \beta) \mid \beta \in_R Z_q^*, r = e(T, SK_s)]$.
Then, we have
The algorithm C generates the system parameters $\{G_1, G_2, q, e, P, g, P_{pub}, H_1, H_2, H_3\}$ and sends them with the public key of the server $PK_s = v(H_1(ID_s)P + P_{pub})$ to A. C selects $ID_t$ randomly. C simulates the random oracles $H_1$, $H_2$ and $H_3$ with lists, to avoid collisions and to keep the answers consistent. For oracle queries and responses, C prepares four lists $L_{H_1}$, $L_{H_2}$, $L_{H_3}$ and $L_K$ to keep the public keys. Hence, to break our server-to-client authentication, the adversary needs to select inputs containing the correct element of $r_i = e(T^*, SK_s)$ with probability $1/q_{H_2}$. Indeed, the q-BDHI problem can be delivered by the following equation
Indeed, our scheme achieves mutual authentication under the q-BDHI problem.

VI. PERFORMANCE
This section illustrates the advantages of the proposed protocol compared to existing protocols. To this end, both the security and the performance are evaluated. The performance evaluation shows the computational cost and the communication overhead on the client and the server for the compared protocols. The comparison is conducted with the following protocols: He (HE) [20], Tseng et al. (TW) [25], and Hassan et al. (HA) [28]. For the performance evaluation, we use the notations $T_p$, $T_m$, $T_{ad}$, and $T_{inv}$ to denote the bilinear pairing operation time, the multiplication time in $G_1$, the addition time in $G_1$, and the inversion operation time, respectively. The theoretical analysis of the computational cost is given in Table 3. From Table 2, we use Y in Table 3 to indicate that the protocol satisfies a specific security requirement. We find that the proposed scheme can be employed when the client belongs to IBC and the server belongs to CLC. Hence, compared with the existing protocols, the proposed scheme has the advantage of working with applications that use various cryptosystem environments.
To evaluate the real computational costs, four schemes, namely [20], [25], [28] and our proposed scheme, are implemented using the Java Pairing-Based Cryptography (JPBC) library [34]. Our experiment is run on a machine with an Intel Core i7-3537U dual-core CPU (2.00 and 2.50 GHz) and 4 GB of RAM for the server, while a Huawei Mate 8 with a Hisilicon Kirin 950 CPU and 4.0 GB of RAM is used for the client.
The curve $y^2 = x^3 + x$ over the field $F_p$ is used to construct the Type A pairings for $p \equiv 3 \bmod 4$. The experiment targets the 80-bit AES key size security level, with the size of p = 1024 bits and the size of q = 160 bits [35]. The processing costs of the mobile side and the server side are shown in Figure 6 and Figure 7, respectively. Our scheme has a better processing cost on the client side, while on the server side it is better than the HE [20] and HA [28] schemes. Indeed, the proposed scheme is suitable for mobile devices that have limited storage and power.
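The following Python example is added here and is not the authors' JPBC implementation. It builds parameters with the Type A structure at toy size and checks what the pairing setup relies on: for p ≡ 3 mod 4 the curve y^2 = x^3 + x has exactly p + 1 points, and clearing the cofactor h = (p + 1)/q yields a point of prime order q. The value q = 101, the restriction to h divisible by 4, and all function names are assumptions of this example.

```python
# Added example, not the paper's code. q = 101 is a constructed toy value.

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def find_p(q):
    """Smallest prime p = h*q - 1 with 4 | h, so p = 3 mod 4 and q | p + 1."""
    h = 4
    while not is_prime(h * q - 1):
        h += 4
    return h * q - 1, h

def count_points(p):
    """Brute-force #E(F_p) for y^2 = x^3 + x, including the point at infinity."""
    roots = {}
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get((x ** 3 + x) % p, 0) for x in range(p))

def add(P, Q, p):
    """Affine addition on y^2 = x^3 + x; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P, p):
    R = None
    while k:                      # double-and-add
        if k & 1:
            R = add(R, P, p)
        P, k = add(P, P, p), k >> 1
    return R

def generator(p, h):
    """Clear the cofactor h to land in the order-q subgroup used as G1."""
    for x in range(1, p):
        rhs = (x ** 3 + x) % p
        y = pow(rhs, (p + 1) // 4, p)  # square root, valid since p = 3 mod 4
        G = mul(h, (x, y), p) if y * y % p == rhs else None
        if G is not None:
            return G
```

Because p ≡ -1 mod q, q divides p^2 - 1 but not p - 1, which is the embedding degree 2 that lets a pairing on this curve take values in a subgroup of the extension field of degree 2.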
The communication costs of the schemes are displayed in Figure 8. To calculate the exact costs for each scheme, we use the following notations: $|id| = 80/8 = 10$ bytes, the elliptic curve with $q = 160/8 = 20$ bytes, and a $G_1$ size of 65 bytes according to the work introduced in [36].

VII. CONCLUSION
In this paper, we present a scheme for user authentication with a key agreement in heterogeneous client-server systems. The security of our scheme is proved in the random oracle model. We also use the q-strong Diffie-Hellman problem (q-SDH), the q-bilinear Diffie-Hellman inversion problem (q-BDHI), and the modified bilinear Diffie-Hellman inversion problem (mBDHI) as hard assumptions in our security proof. Our protocol can be used in heterogeneous environments when the client relies on IBC and the server relies on CLC. However, existing protocols cannot be used in this environment, which emphasizes the importance of our scheme. Moreover, our protocol can be used in both client-server architectures and multi-server architectures. In the future, we plan to improve the efficiency of our protocol by using post-quantum lattice-based cryptography. We will also address privacy preservation in the development of user authentication protocols for mobile requirements.

RAFIK HAMZA received the M.Sc. and Ph.D. degrees in cryptography and security from Batna 2 University, Algeria, in 2014 and 2017, respectively. In 2018, he joined DC Research and Development Sonatrach, where he worked as a Principal Engineer focused on data reliability and AI-based prediction for industrial systems. In March 2019, he moved to Guangzhou University, where he worked as a Postdoctoral Researcher. His research activities focused on developing secure and efficient machine learning solutions for industry 4.0 applications while maintaining data privacy. In February 2020, he started working as a Researcher at the Big Data Integration Research Center, NICT, Tokyo. The NICT team focuses on developing data collection and analysis technologies that aim to leverage real-world information for better social life and enable cross-domain combinations (https://www.xdata.nict.jp). In April 2022, he became an Associate Professor at Tokyo International University. His research interests include privacy-preserving machine learning for real-world industrial technologies and applied cryptography for big data applications.

MOHAMMED BAKRI BASHIR received the B.Sc. degree from SUST University, Sudan, and the Ph.D. degree from the University of Technology Malaysia (UTM), Malaysia, in 2014. He is currently an Associate Professor at the Faculty of Computer Science and Information Technology, Shendi University, Sudan. In addition, he is also an Associate Professor at the Turubah University College, Taif University, Saudi Arabia. His research interests include computer network and data processing, grid computing, distributed computing, NoSQL databases, and AI applications.

SAMAR M. ALQHTANI received the Ph.D. degree in information technology from the University of Newcastle, Australia. She is currently an Assistant Professor at Najran University, Saudi Arabia. She has lectured and developed curricula for computer science and information system courses. She has recently led and worked on various projects, including event detection applications in social media, medical applications, and applying artificial intelligence and machine learning algorithms to emerging technologies. Her research interests include information technology and multimedia, including artificial intelligence, machine learning, deep learning, health informatics, data mining, image processing, computer vision, text processing, and the IoT.
TAWFEEG MOHMMED TAWFEEG received the bachelor's degree in information for communication and technology and the master's degree in information security from the University of Science and Technology, Sudan, in 2016 and 2018, respectively. He is currently working as a Lecturer at the University of Science and Technology. His research interests include cloud computing security, network security, and data science.
ADIL YOUSIF received the B.Sc. and M.Sc. degrees from the University of Khartoum, Sudan, and the Ph.D. degree from the University of Technology in Malaysia (UTM). He is currently an Associate Professor at the College of Arts and Sciences Sharourah, Najran University, Saudi Arabia. He is also a principal investigator of several research projects in artificial intelligence and emerging technologies. His research interests include computer networks, cloud computing, artificial intelligence, and optimization techniques.