A Higher Performance Data Backup Scheme Based on Multi-Factor Authentication ^†

Abstract

Remote data backup technology avoids the risk of data loss and tampering, and has higher security compared to local data backup solutions. However, the data transmission channel for remote data backup is not secure, and the backup server cannot be fully trusted, so users usually encrypt the data before uploading it to the remote server. As a result, how to protect this encryption key is crucial. We design a User-Centric Design (UCD) data backup scheme based on multi-factor authentication to protect this encryption key. Our scheme utilizes a secret sharing scheme to divide the encryption key into three parts, which are stored in the laptop, the smart card, and the server. The encryption key can be easily reconstructed from any two parts with user’s private information password, identity and biometrics. As long as the biometrics has enough entropy, our scheme can resist replay attacks, impersonation user attacks, impersonation server attacks, malicious servers and offline password guessing attacks.

1. Introduction

In recent years, cloud computing technology has developed rapidly, and remote cloud storage services have been widely applied due to their higher security and scalability [1]. However, there is still a risk of data leakage during the data transmission to remote servers [2]. Therefore, people usually encrypt data before transmitting them, such as by using an AES encryption algorithm [3]. In this way, even if the data are leaked, the adversary cannot recover the plaintext. Usually, users store their encryption key in devices such as USBs and laptops, but these devices pose a risk of theft and tampering. Once the storage device is stolen or tampered with, the key will be leaked or lost. How to securely protect the encryption key is the core of remote cloud storage.

By using a $(t,n)$-threshold secret sharing scheme, people can split the encryption key into n shares, and store the n shares in different devices. As long as the user obtains t shares, the user can reconstruct the encryption key. If the shares are stored in devices in plain text, once t devices are corrupt, the encryption key is leaked.

Chang et al. [4] proposed a data protection scheme based on Shamir’s $(2,3)$-threshold secret sharing scheme to protect sensitive data. In their scheme, the server chooses the encryption key, and divides the key into three shares, which are stored in the laptop, the USB device, and the server, respectively. The user can reconstruct the key on the laptop with the help of the USB offline after the user obtains the authentication of the USB device via their identity and password. If the USB or laptop is unavailable, the user can reconstruct the key through the interaction of the laptop or USB device with the server online after the user obtains the authentication of the server. However, since the encryption key is chosen by the server, it requires the server to be fully trustable. This is infeasible in reality.

To solve the problem in Chang et al’s scheme, Liu et al. [5] proposed a user-centered design (UCD) data backup scheme. In their scheme, the encryption key is chosen by the data owner rather than the server. Similar to Chang et al.’s scheme, using Shamir’s $(2,3)$-threshold secret sharing scheme, the encryption key is divided into three shares. The user stores the three shares in the laptop, the smart card, and the server, respectively. Whenever the user needs to encrypt/decrypt data, they can reconstruct the key with two of the three devices and their identity, password, and biometrics.

Hu et al. [6] found that the design of Liu et al.’s scheme in the authentication phase is unreasonable, as their scheme can not resist offline password-guessing attacks, server/user camouflage attacks, and so on. Then, Hu et al. presented an enhanced secure data backup scheme to overcome all above-mentioned security threats.

In 2023, Yi et al. [7] found that Hu et al.’s scheme cannot achieve their claimed security. Their scheme could not resist offline guessing attacks, replay attacks, and denial of service attacks. They also did not consider the situation of users rebuilding an incorrect key. Then, Yi et al. proposed an enhanced scheme to address the aforementioned issues. Yi et al. constructed an enhanced data backup scheme based on Shamir’s $(2,3)$-threshold secret sharing scheme, a message authentication code, and a robust fuzzy extractor. In their scheme, the user chooses the encryption key. Then, by Shamir’s $(2,3)$-threshold secret sharing scheme, the user divides the encryption key into three shares. The user computes pseudoshares using their private information such as identity, password, and biometrics and stores the three pseudoshares in the laptop, the smart card, and the server, respectively. Whenever the user needs to encrypt/decrypt data, he can reconstruct the key if he gets access to two of the three devices and types the correct private information (identity, password, and biometrics) to pass the multi-factor authentication.

In Yi et al.’s scheme, if the smart card/laptop is unavailable, the user needs to connect their laptop/smart card to the server and provides the valid identity, password, and biometrics to pass the authentication of the server. After the authentication phase, a session key is established between the user and the server. Then, the server uses the session key to encrypt the pseudoshare ($A_{ser}$) stored on the server. Finally, the user obtains two shares and performs the recovery phase to reconstruct the encryption key.

Establishing a session key and using the session key to encrypt the pseudoshare $A_{ser}$ involves more hash computations and more communication rounds between the laptop/smart card and the server.

We are wondering, can we reduce the hash computations and communication rounds between the laptop/smart card and the server?

Our Contribution. We answer the above question in the affirmative. We propose a data backup scheme which inherits the advantages of Yi et al.’s scheme while having higher execution efficiency. More precisely, our contributions are as follows:

• We propose a data backup scheme which fixes two encryption keys $s{k}_{lps}$ and $s{k}_{scs}$ shared between the laptop and the server, and the smart card and the server, respectively, during the registration phase. In this way, we can reduce ten hash computations and one round communication in the authentication phase, which improves the execution efficiency of our scheme. We recall that, in Yi et al.’s scheme, there are two communication rounds between the laptop/smart card and the server. This means that we have reduced the number of communication rounds by 50%.
• In addition, our scheme also enjoys other benefits, such as reducing two hash computations and four hash computations during the registration phase and the updating phase, respectively.
• We give the security analysis and performance evaluation of our new data backup scheme, which shows that our new scheme enjoys the same security of previous papers and has a higher execution efficiency.

1.1. Related Work

1.1.1. Key Management

Key management is one of the core issues in the field of cryptography, defined as a set of techniques and processes that enable the establishment and maintenance of encrypted key relationships between authorized parties. Under certain security policy controls, it completes the entire process from key generation to final destruction, including key generation, storage, distribution, use, backup, recovery, update, revocation, and destruction. According to their different characteristics, key management can be mainly divided into the following categories.

• Dynamic and Static Key Management

Static management adopts the principle of key pre-allocation, which ensures that the keys allocated to each participant throughout the entire lifecycle of the network are fixed. In this way, the key usage time is longer and the probability of being attacked significantly increases. On the contrary, in dynamic key management, encryption keys are updated throughout the entire network lifecycle, which significantly improves the security and lifecycle of the system.

• Centralized and Distributed Key Management

Centralized key management refers to a single central node responsible for generating, distributing, and updating encryption keys or session keys used by nodes in the system. Xu et al. proposed a key management scheme based on multi-party joint management [8], which uses an authoritative key generation center and multiple ordinary key generation centers to work together to generate keys. The addition of the authoritative center avoids the problem of malicious nodes randomly modifying selected strings to steal multiple user private keys. The advantage of centralized key management schemes is lower computational and transmission overhead, but it requires a trusted third party to act as the key generation center (KGC) and establish paired shared keys with each user during the registration phase.

In distributed key management, there is no clear key generation center, which can reduce dependence on central entities. Xu et al. [9] proposed a decentralized key management scheme based on a dynamic trust model, which does not require centralized or pre-established trust institutions and introduces three subsystems to integrate dynamic trust and key management. Zheng et al. [10] proposed a decentralized key management scheme based on secret sharing, which divides the key into multiple sub-keys and shares and distributes them to multiple nodes. Multiple nodes jointly maintain one key without a central node. In distributed key management, although the dependence on central entities is reduced, the resources of nodes are limited, and most schemes suffer from overly complex key algorithms and excessive resource consumption.

• Symmetric and Asymmetric Key Management

Symmetric key schemes refer to encryption techniques where both parties use the same pair of keys for encryption and decryption, with DES, 3DES, and AES algorithms being the main representatives. Symmetric key schemes have a high speed in encryption and decryption, and can improve the difficulty of information cracking by using long keys. However, the distribution of symmetric keys requires a strictly secure channel, which is difficult to guarantee. Moreover, all nodes that require communication need different key pairs, making the key distribution very difficult in large-scale networks.

Asymmetric key schemes use publicly available public keys and confidential private keys as encryption and decryption key pairs, which have high security and low storage requirements, and better meet the needs of identity authentication in networks. However, asymmetric encryption has lower encryption efficiency and is often combined with symmetric encryption algorithms to form a hybrid encryption scheme that balances security and efficiency.

Many scholars have proposed a series of key negotiation protocols. In 2014, Yang et al. [11] proposed a three-party authentication key protocol for smart cards, which was later proven by Park [12] to be unable to resist offline password-guessing attacks and internal privilege attacks. In 2017, Jiang et al. [13] proposed a three-factor lightweight authentication and key negotiation protocol for wireless sensor networks, but their scheme lacks perfect forward security, resistance to impersonation attacks, and message integrity.

1.1.2. Secure Multi-Party Computation

The basic idea of secure multi-party computation (MPC) was first introduced by Yao in 1982 in the “Millionaire” problem [14]. Afterwards, Goldreich, Micali, and Wigderson [15] extended two-party computation to multi-party computation and provided a security definition for secure multi-party computation. Generally speaking, secure multi-party computation allows a group of untrusted data holders to jointly calculate a predetermined function using their respective secret data as input without relying on any third party. This makes it possible to use secure multi-party computation to build privacy protection applications. The basic cryptographic primitives involved in MPC mainly include Oblivion Transfer (OT), Garbled Circuit (GC), secret sharing (SS), and so on. We mainly introduce the work related to secret sharing.

The secret sharing scheme is a protocol that securely distributes secret information to a certain group of users. Secret sharing can divide secret information into multiple parts and hand them over to different participants, each of whom can only obtain a portion of the information. Only when some participants collaborate together can the complete secret information be recovered. The linear secret sharing scheme (LSSS) refers to a sharing protocol in which a group of users can restore their own shares to their original secret values solely through linear operations. At present, research on secure multi-party computation based on secret sharing mainly focuses on linear secret sharing schemes.

The secret sharing scheme was initially independently proposed by Shamir and Blakley in 1979. The former was constructed based on interpolation polynomials [16], while the latter was based on hyperplane geometry [17]. Subsequently, more threshold secret sharing schemes were proposed, and their properties were continuously improved and strengthened through discussions. The BGW protocol [18] is a classic secure multi-party computation protocol constructed based on the secret sharing protocol. Ben Or and Rabinz [19] proposed the verifiable secret sharing scheme in 1989 and constructed a secure multi-party computation protocol based on it that includes an honest majority of participants.

1.1.3. Multi-Factor Authentication

The existing identity authentication protocols include three basic authentication factors [20]:

• Knowledge factors: what the user knows (such as passwords or PINs);
• Ownership factors: things owned by the user (such as tokens, smart cards, or smartphones);
• Biometric factors: the user’s biometrics (such as fingerprints or iris).

These three basic authentication factors can be used alone or in combination to form an identity authentication system.

Password-based authentication technology began in the 1970s, where the user’s identity and password were stored in the server’s authentication table, which was directly compared with the information on the authentication table when the user logged in. In 1981, Lamport [21] first proposed a password authentication scheme for non-secure channels. Subsequent solutions have been improved in terms of security, computational cost, and effectiveness [22,23,24]. These schemes are easy to implement, but the disadvantage is that the server needs to maintain a password table. Chen Ku [25] pointed out that they are vulnerable to verification table leakage attacks. In 1989, Harn, Huang, and Laih [26] proposed a password authentication scheme based on the public key encryption system. In this scheme, the Diffie Hellman public key [27] encryption technology is used, and the server no longer needs to protect the password table.

With the development of smart cards, people are beginning to attempt to combine smart cards with passwords to address the shortcomings of single-factor authentication schemes. In 1991, Chang and Wu [28] proposed a dual-factor identity authentication protocol based on the Chinese remainder theorem using smart cards. Afterwards, many scholars [29,30,31] conducted extensive research on this dual-factor identity authentication protocol. However, none of these schemes have achieved their claimed security, and dual-factor identity authentication schemes are easily vulnerable to existing internal attacks, anonymity attacks, and other attacks. Particularly, due to the inherent characteristics of smart cards, many schemes are unable to resist the loss of smart cards [32,33].

The emergence of biometric recognition technology has provided a new breakthrough point for identity authentication. Biometrics have many characteristics such as universality, uniqueness, and stability, which provide a more reliable and convenient way of identity verification. In 2002, Lee et al. [34] proposed an identity authentication protocol based on fingerprints and smart cards, which first applied three-factor authentication technology to remote identity authentication protocols. However, biometric technology also has some drawbacks, as users’ biometric information, such as fingerprints, can be easily obtained by adversaries. Furthermore, it is difficult for users to modify their biometric information. Therefore, many protocols [35,36,37] store hashed or encrypted biometric data, rather than the biometric information itself. However, this method is still unrealistic because the recognition data of biometric information are noisy, and the hash function is very sensitive to the input, which can lead to users being unable to successfully complete identity authentication themselves. Fortunately, Dodis et al. [38] proposed the concept of a fuzzy extractor in 2004, which can effectively address this issue.

Nowadays, a multi-factor authentication design for different systems and application scenarios has been widely studied and applied [39,40,41,42,43,44]. For example, Odyuo et al. [39] suggested a novel authentication algorithm based on device serialization and digital signature authentication. According to the suggested approach, a device will only be permitted access to the network if it has successfully completed multi-factor authentication; otherwise, the authentication procedure will fail and must be repeated from scratch. Braeken et al. [40] presented an authentication and key agreement protocol for users who want to have access to constrained sensor nodes deployed in the field, e.g., a doctor with healthcare nodes of a patient. In their protocol, both the sensor and user device provide direct multi-factor authentication relying on physical unclonable functions and biometrics, respectively. In [41], Mostafa et al. proposed an adaptive multi-factor multi-layer authentication framework that embeds an access control and intrusion detection mechanisms with an automated selection of authentication methods. They implemented multiple authentication factors through the user’s geographical location and browser confirmation method that enhance the identity verification of cloud users.

The arrangement of this article is as follows: Section 2 introduces the model of the scheme and some basic tools. In Section 3, we analyze the execution efficiency of Yi et al.’s scheme. In Section 4, we systematically introduce proposed scheme. In Section 5, we conduct a security analysis of the proposed scheme. In addition, we also compare the performance with the scheme proposed by Yi et al. Finally, we provide the conclusion in Section 6.

2. Preliminaries

In this chapter, we will first introduce some basic tools used in this paper, and then, we will introduce the model of our scheme. A brief review of Yi et al.’s scheme is given in Appendix A.

Table 1. The main abbreviation used in the paper.

Abbreviation	Meaning
$I{D}_{usr}$	Identity of the user
$I{D}_{sc}$	Identity of the smart card
$I{D}_{ser}$	Identity of the server
$Pwd$	Password of the user
$Bio$	Biometrics of the user
$sk$	Session key
$ku$	A random number selected by the user
$X1,X2$	Random number generated by the server
$Ti$	Time stamp
$\Delta t$	Time interval
⊕	Exclusive-or operation
${\#}^{\ast }$	A new message #
‖	Concatenation operator
$h(.)$	Collision-resistant hash function
$\mathcal{A}$	Adversary
$E/D$	Symmetric encryption / decryption algorithm
$\mathbb{R}$	The set of natural real numbers

summarizes the key abbreviations used throughout this paper for ease of reference.

2.1. Shamir’s (t-n) Threshold Secret Sharing Scheme

Shamir’s threshold secret sharing scheme is based on the Lagrange interpolation method. It splits the secret s and shares it with n participants. As long as at least t participants cooperate, the secret s can be reconstructed. However, as long as there are fewer than t participants cooperating, no information about the secret s can be obtained. Shamir’s threshold secret sharing scheme includes the following phases:

• Preparation
  Let $GF\left(p\right)$ be a finite field (p is a large odd prime number and $p>n$; n is the number of participants), $s\in GF\left(p\right)$ is the shared secret, and at least $t\le n$ out of the n participants are required to reconstruct s.
• Secret sharing
  Firstly, the secret dealer independently selects $t-1$ elements ${\alpha }_1,{\alpha }_2,\dots ,{\alpha }_{t-1}\in GF\left(p\right)$, and then constructs a polynomial of degree $t-1$ as follows:

  $$f\left(x\right)=s+{\alpha }_{1}x+{\alpha }_2{x}^2+\cdots +{\alpha }_{t-1}{x}^{t-1}\left(modp\right),$$

  (1)

  where Equation (1) satisfies $f\left(0\right)=s\left(modp\right)$ and ${\alpha }_{t-1}\ne 0$.
  Then, the dealer randomly selects n different non-zero elements $x_1,x_2,\dots ,x_n\in GF\left(p\right)$, and computes $y_i=f\left(x_i\right)$ for $i=1,2,\dots ,n$. The share $(x_i,y_i)$ is given to the corresponding participant $P_i$.
• Secret reconstruction
  We assume that the combiner receives t shares $(x_{i_1},y_{i_1}),(x_{i_2},y_{i_2}),\dots ,(x_{i_t},y_{i_t})$; the polynomial $f\left(x\right)$ can be reconstructed by

  $$f\left(x\right)=\sum _{j=1}^t{y}_{i_j}\left(\prod _{k=1,k\ne j}^t{\displaystyle \frac{x-x_{i_k}}{x_{i_j}-x_{i_k}}}\right)\left(modp\right),$$

  (2)

  and then the secret s can be recovered, since: $s=f\left(0\right)$.

2.2. Fuzzy Extractor

A fuzzy extractor can extract a random string R from noisy random data with enough entropy, such as biometrics. The extracted random string R can be used as the private key or random numbers in the cryptosystem. With the helper string P, it can reproduce the same R from biometric templates $Bi{o}^{\ast }$ and $Bio$, in case $Bi{o}^{\ast }$ is sufficiently close to $Bio$.

Definition 1

(Metric spaces). A metric space is a set $\mathcal{W}$ with a distance function $dis:\mathcal{W}\times \mathcal{W}\to {\mathbb{R}}^{+}=[0,\infty )$. For all $x,y,z\in \mathcal{W}$, the distance function should satisfy the following conditions:

1. 

Reflexivity: $dis(x,y)$ = 0 if and only if $x=y$;

2. 

Symmetry: $dis(x,y)=dis(y,x)$;

3. 

Triangle inequality: $dis(x,z)\le dis(x,y)+dis(y,z)$.

Definition 2

(Min-entropy). For a random variable X, the min-entropy of X, denoted by $H_{\infty }\left(X\right)$, is defined by

$$H_{\infty }\left(X\right):=-lo{g}_2\left(ma{x}_{x}Pr[X=x]\right).$$

(3)

Definition 3

(Robust fuzzy extractor). A $(\mathcal{W},m,\ell ,t,ϵ,\delta )$ robust fuzzy extractor FE consists of two probabilistic polynomial-time algorithms $(Gen,Rep)$. They are described as follows:

• $(R,P)\leftarrow Gen\left(Bio\right)$. It takes biometrics $Bio\in \mathcal{W}$ as input, and outputs an extracted random string $R\in {\{0,1\}}^{\ell }$ and an auxiliary string P.
• $R\leftarrow Rep(Bi{o}^{\ast },P)$. The reproduction algorithm $Rep$ takes P and $Bi{o}^{\ast }\in \mathcal{W}$ as inputs, and outputs an extracted string R.

• Correctness: If $dis(Bio,Bi{o}^{\ast })\le t$, then, for all $(R,P)\leftarrow Gen\left(Bio\right)$, it holds that $R\leftarrow Rep(P,Bi{o}^{\ast })$.
• Security: Let W be a distribution on $\mathcal{W}$, if $H_{\infty }\left(W\right)\ge m$, then, for all PPT adversaries $\mathcal{A}$,

$$Ad{v}_{FE,\mathcal{A}}^{ind}\left(k\right)=|Pr[\mathcal{A}(P,R)\Rightarrow 1]-Pr[\mathcal{A}(P,U_{\ell })\Rightarrow 1]|\le ϵ,$$

(4)

where $(P,R)\leftarrow Gen\left(Bio\right),Bio\leftarrow W$ and $U_{\ell }$ denotes the uniform distribution on ℓ-bit binary strings.

Furthermore, these two algorithms satisfy Equation (5) when adversary $\mathcal{A}$ involves the following game: $\mathcal{A}$: Compute $(R,P)\leftarrow Gen\left(Bio\right)$ and $\tilde{P}=\mathcal{A}(R,P)$,

$$Pr(\tilde{P}\ne P\cup Rep(Bi{o}^{\ast },\tilde{P})\ne \perp )\le \delta .$$

(5)

2.3. Message Authentication Code

Definition 4

(Message authentication code). A message authentication code consists of three probabilistic polynomial-time algorithms $(Gen,Mac,Vrfy)$. They are described as follows:

• $k\leftarrow Gen\left(1^n\right)$: it takes a security parameter $1^n$ as input and outputs a key $k\in {\{0,1\}}^n$.
• $t\leftarrow Ma{c}_k\left(m\right)$: it takes a key k and a message $m\in {\{0,1\}}^{\ast }$ as inputs, and outputs a tag t.
• $b\leftarrow Vrf{y}_k(m,t)$: it takes a key k, a message m, and a tag t as inputs, and outputs a bit b; $b=1$ means valid and $b=0$ means invalid.

For every n, every $k\in {\{0,1\}}^n$, and every $m\in {\{0,1\}}^{\ast }$, it satisfies the following equation:

$$Vrf{y}_k(m,Ma{c}_k\left(m\right))=1.$$

(6)

Definition 5

(Existentially unforgeable under an adaptive chosen-message attack). A message authentication code $\Pi =(Gen,Mac,Vrfy)$ is existentially unforgeable under an adaptive chosen-message attack, if, for all probabilistic polynomial-time adversaries $\mathcal{A}$, the message authentication code satisfies the following equation:

$$Pr[Mac-forg{e}_{\mathcal{A},\Pi }\left(n\right)=1]\le negl\left(n\right),$$

(7)

where the experiment $Mac-forg{e}_{\mathcal{A},\Pi }\left(n\right)$ is defined as follows:

• A random key $k\leftarrow {\{0,1\}}^n$ is chosen.
• The adversary $\mathcal{A}$ is given oracle access to $Ma{c}_k(.)$ and outputs a pair $(m,t)$. Formally, $(m,t)\leftarrow {\mathcal{A}}^{Ma{c}_k(.)}\left(1^n\right)$. Let Q denote the queries asked by $\mathcal{A}$ during the execution.
• The output of the experiment is defined to be 1 if and only if $Vrf{y}_k(m,t)=1$ and $m\notin Q$.

2.4. Model of Our Scheme

Like the scheme proposed by Yi et al., in our model, the user first selects a private key k to encrypt the sensitive data, then the user shares the private key k among the laptop, the smart card, and the server through Shamir’s (2,3) threshold secret sharing scheme. The private key k will be destroyed after the share generation. The user can recover the private key from any two shares using the Lagrange interpolation method. Our scheme mainly focuses on the secret sharing and secret reconstruction phase.

The specific process is shown in Figure 1.

2.5. Adversary Capabilities

In this section, we provide a precise description of the adversary’s capabilities.

• Capabilities of the adversary

$C1$:

The adversary can eavesdrop, modify, intercept, or redirect the information transferred on open channels.

$C2$:

When the adversary obtains a smart card or a laptop, the adversary can extract the information in it.

$C3$:

The adversary can modify the information on the smart card and the laptop.

$C4$:

The adversary can achieve at most two of the following conditions: (1) obtain the smart card; (2) obtain the laptop; (3) obtain the password; (4) obtain the biometrics; or (5) corrupt the server.

2.6. Security Goals

In this section, we describe the security goals of our scheme.

• Security goals

$T1$:

Even if the adversary has the above capabilities, the adversary cannot reconstruct the private key k.

$T2$:

When the adversary tampers with the smart card or the laptop, the user can quickly detect this attack.

$T3$:

When a malicious server sends a wrong message to the user, the user can quickly detect it.

3. Efficiency Analysis of Yi et al.’s Scheme

In this section, we will report the time consumption of each phase in Yi et al.’s scheme. Since the time complexity of the exclusive-OR operation and concatenation operation is negligible, we do not take them into account.

The notations to analyze the computational cost of each phase are as follows:

$T_H$:

The time complexity of the hash function operation.

$T_S$:

The time complexity of the symmetric key encryption/decryption operation.

$T_P$:

The time complexity of the polynomial interpolation operation.

$T_M$:

The time complexity of the message authentication code tag generation algorithm.

$T_V$:

The time complexity of the message authentication code verification algorithm.

$T_G$:

The time complexity of the fuzzy extractor generation algorithm.

$T_R$:

The time complexity of the fuzzy extractor recovery algorithm.

$T_{SS}$:

The time complexity of generating three shares using Shamir’s secret sharing.

Among them, the main notations used to analyze the time complexity of the scheme are $T_H,T_S,T_V$, and $T_R$, while the other notations are only used in the some phases.

The computational cost of three entities at each phase is shown in

Table 2. Computational cost of Yi et al.’s scheme.

Phase	Entity	${\mathit{T}}_{\mathit{H}}$	${\mathit{T}}_{\mathit{S}}$	${\mathit{T}}_{\mathit{P}}$	${\mathit{T}}_{\mathit{M}}$	${\mathit{T}}_{\mathit{V}}$	${\mathit{T}}_{\mathit{G}}$	${\mathit{T}}_{\mathit{R}}$	${\mathit{T}}_{\mathbf{SS}}$
Registration	Laptop	3	0	0	3	0	1	0	1
	Smart card	0	0	0	0	0	0	0	0
	Server	2	0	0	0	0	0	0	0
Authentication (Case 1)	Laptop	0	0	0	0	1	0	1	0
	Smart card	1	0	0	0	1	0	0	0
	Server	0	0	0	0	0	0	0	0
Authentication (Case 2)	Laptop	6	1	0	0	1	0	1	0
	Smart card	0	0	0	0	0	0	0	0
	Server	6	1	0	0	0	0	0	0
Authentication (Case 3)	Laptop	0	0	0	0	0	0	0	0
	Smart card	6	1	0	0	1	0	1	0
	Server	6	1	0	0	0	0	0	0
Rebuilding smart card	Laptop	1	1	0	3	0	0	0	1
	Smart card	0	0	0	0	0	0	0	0
	Server	0	1	0	0	0	0	0	0
Rebuilding laptop	Laptop	1	1	0	3	0	0	0	1
	Smart card	0	0	0	0	0	0	0	0
	Server	0	1	0	0	0	0	0	0
Updating biometrics	Laptop	5	1	0	3	0	1	1	0
	Smart card	1	0	0	0	0	0	0	0
	Server	0	1	0	0	0	0	0	0
Updating password	Laptop	5	1	0	3	0	0	1	0
	Smart card	1	0	0	0	0	0	0	0
	Server	0	1	0	0	0	0	0	0
Reconstruction	Laptop	0	0	1	0	0	0	0	0
	Smart card	0	0	0	0	0	0	0	0
	Server	0	0	0	0	0	0	0	0

. Furthermore, in Table 2, Case 1 is “possession of the laptop and the smart card”, Case 2 is “losing the smart card”, and Case 3 is “losing the laptop”.

4. Proposed Scheme

We found that the performance of Yi et al’s scheme is not very ideal. In their scheme, the laptop and the smart card need to establish a session key with the server to obtain the server information, which involves a lot of hash operations. In addition, each updating phase requires going through the above steps.

Therefore, we proposed a more efficient solution: during the registration phase, the server negotiates an encryption key with the laptop and the smart card, respectively. In this way, we can reduce the computation required to establish a session key during the authentication phase, and improve the execution efficiency of the scheme.

In this chapter, we will introduce our more efficient data backup scheme, which consists of four phases: the registration phase, the authentication phase, the key reconstruction phase, and the updating phase.

Similar to Yi et al.’s scheme, in our scheme, the registration phase and key reconstruction phase are carried out on a secure channel. The interaction between the laptop and the smart cards occurs over a secure physical channel. Additionally, all other phases are carried out on the common channel.

The adversary capabilities and the security goals are consistent with those introduced in Section 2; therefore, they are omitted here.

4.1. Registration Phase

In the registration phase, the user uses the laptop to interact with the smart card and server to complete the distribution and storage of keys. The specific process is as follows (see Game 1):

Game 1 Registration phase
Smart card		Laptop (user)		Server
		choose
		$I{D}_{usr},I{D}_{sc},I{D}_{ser},$
		$Pwd,Bio,ku,$
		$f\left(x\right)=rx+k,s{k}_{lps},s{k}_{scs};$
		compute
		$I{D}_{usr},I{D}_{sc},I{D}_{ser},$
		$(R,P)\leftarrow Gen\left(Bio\right),$
		$R=(R1,R2)$,
		$y_{usr}=f\left(I{D}_{usr}\right)$,
		$y_{sc}=f\left(I{D}_{sc}\right)$,
		$y_{ser}=f\left(I{D}_{ser}\right)$,
		$A_{usr}=y_{usr}\oplus Pwd\oplus R1$,
		$A_{sc}=y_{sc}\oplus Pwd\oplus R1$,
		$A_{ser}=y_{ser}\oplus Pwd\oplus R1$,
		$V=h\left(I{D}_{sc}\right|\left|Pwd\right|\left|I{D}_{usr}\right|\left|R1\right|\left|ku\right)$,
		$H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R1\right)$,
		$t_{usr}\leftarrow Ma{c}_{R2}\left(A_{usr}\right),$
		$t_{sc}\leftarrow Ma{c}_{R2}\left(A_{sc}\right),$
		$t_{ser}\leftarrow Ma{c}_{R2}\left(A_{ser}\right);$
			${\displaystyle \underset{(t_{ser},s{k}_{lps},s{k}_{scs},H)}{\overset{(I{D}_{ser},I{D}_{sc},I{D}_{usr},A_{ser})}{\to }}}$
				choose    $X;$
				compute    $Y=h\left(I{D}_{ser}\right|\left|X\right),$
				$Z=Y\oplus H;$
				store
				$(I{D}_{ser},I{D}_{sc},I{D}_{usr})$
				and $(A_{ser},t_{ser},s{k}_{lps},s{k}_{scs},X)$
			${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{Z}{\leftarrow }}}$
		store
		$(I{D}_{usr},A_{usr},t_{usr})$
		and $(s{k}_{lps},Z,P,ku)$
	${\displaystyle \underset{(s{k}_{scs},Z,P,V)}{\overset{(I{D}_{sc},A_{sc},t_{sc})}{\leftarrow }}}$
store
$(I{D}_{sc},A_{sc},t_{sc})$
and $(s{k}_{scs},Z,P,V)$

• The user chooses $I{D}_{usr},I{D}_{sc},I{D}_{ser},Pwd,Bio$, a random number $ku$, and a first-degree polynomial $f\left(x\right)=rx+k$, where k is the key to encrypt sensitive information, and r is a random number. The user chooses a symmetric encryption key $s{k}_{lps}$ for encrypted communication between the laptop and the server. The user chooses a symmetric encryption key $s{k}_{scs}$ for encrypted communication between the smart card and the server (e.g.,the user can choose $s{k}_{lps}$ and $s{k}_{scs}$ by using the key generation algorithm in AES).
• The user computes $(R,P)\leftarrow Gen\left(Bio\right)$, and divides R into two parts $R1,R2,$ which are, respectively, applied to the three pseudoshares and the message authentication code. The user computes three true shares $y_{usr}=f\left(I{D}_{usr}\right)$, $y_{sc}=f\left(I{D}_{sc}\right)$, and $y_{ser}=f\left(I{D}_{ser}\right)$, three pseudoshares $A_{usr}=y_{usr}\oplus Pwd\oplus R1$, $A_{sc}=y_{sc}\oplus Pwd\oplus R1$, and $A_{ser}=y_{ser}\oplus Pwd\oplus R1$, the authentication message $V=h\left(I{D}_{sc}\right|\left|Pwd\right|\left|I{D}_{usr}\right|\left|R1\right|\left|ku\right)$, $H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R1\right)$, and three tags $t_{usr}\leftarrow Ma{c}_{R2}\left(A_{usr}\right)$, $t_{sc}\leftarrow Ma{c}_{R2}\left(A_{sc}\right)$, and $t_{ser}\leftarrow Ma{c}_{R2}\left(A_{ser}\right)$.
• The user sends the message $(I{D}_{ser},I{D}_{sc},I{D}_{usr},A_{ser},t_{ser},s{k}_{lps},s{k}_{scs},H)$ to the server.
• After the server receives the message $(I{D}_{ser},I{D}_{sc},I{D}_{usr},A_{ser},t_{ser},s{k}_{lps},s{k}_{scs},H)$, the server chooses a random number X and generates $Y=h\left(I{D}_{ser}\right|\left|X\right)$, $Z=Y\oplus H$. Finally, the server stores values $(I{D}_{ser},I{D}_{sc},I{D}_{usr},A_{ser},t_{ser},s{k}_{lps},s{k}_{scs},X)$.
• The server sends the message Z to the user.
• The user stores values $(I{D}_{usr},A_{usr},t_{usr},s{k}_{lps},Z,P,ku)$ in the laptop.
• The user then sends $(I{D}_{sc},A_{sc},t_{sc},s{k}_{scs},Z,P,V)$ to the smart card.
• The smart card stores $(I{D}_{sc},A_{sc},t_{sc},s{k}_{scs},Z,P,V)$.

4.2. Authentication Phase

If the user wants to recover the private key for decrypting the encrypted sensitive data, the user needs to first perform the authentication phase. According to the possession of secret shares, the authentication phase can be divided into the following threes case: (1) laptop and smart card; (2) laptop and server; and (3) smart card and server.

4.2.1. Laptop and Smart Card

The user can easily obtain the information needed to reconstruct the private key if he has the smart card and the laptop. The specific process is as follows (see Game 2):

Game 2 Authentication phase: possession of the laptop and the smart card
Smart card		Laptop (user)
		compute
		$R^{\ast }\leftarrow Rep(Bi{o}^{\ast },P),$
		$R^{\ast }=(R{1}^{\ast },R{2}^{\ast }),$
		$b\leftarrow Vrf{y}_{R{2}^{\ast }}(t_{usr},A_{usr});$
		if    $b=0$, stop;
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(I{D}_{usr},Pwd,ku,R{1}^{\ast },R{2}^{\ast })}{\leftarrow }}}$
compute
$b\leftarrow Vrf{y}_{R{2}^{\ast }}(t_{sc},A_{sc});$
if    $b=0$, stop;
else compute
$V^{\ast }=h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R{1}^{\ast }\left|\right|ku);$
check    $V^{\ast }?=V$
if    $V^{\ast }\ne V$, stop;
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{A_{sc}}{\to }}}$
		compute
		$y_{sc}=A_{sc}\oplus Pwd\oplus R{1}^{\ast },$
		$y_{usr}=A_{usr}\oplus Pwd\oplus R{1}^{\ast };$

• The user inserts the smart card into the card reader, and the card reader reads the information $(I{D}_{sc},A_{sc},t_{sc},s{k}_{scs},Z,P,V$) in the smart card.
• The user inputs $Bi{o}^{\ast }$, and computes $Rep(Bi{o}^{\ast },P)=R^{\ast }$, then divides $R^{\ast }$ into two parts $R{1}^{\ast },$ and $R{2}^{\ast }$. Then, the laptop verifies whether $t_{usr}$ is a valid tag for message $A_{usr}$ ($b\leftarrow Vrf{y}_{R{2}^{\ast }}(t_{usr},A_{usr})$). If $b=0$, the laptop stops; otherwise, the laptop sends message $(I{D}_{usr},Pwd,ku,R{1}^{\ast },R{2}^{\ast })$ to the smart card.
• After receiving the message, the smart card verifies whether $t_{sc}$ is a valid tag for message $A_{sc}$ ($b\leftarrow Vrf{y}_{R{2}^{\ast }}(t_{sc},A_{sc})$). If $b=0$, the smart card stops.
• The smart card computes $V^{\ast }=h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R{1}^{\ast }\left|\right|ku)$, then checks if $V^{\ast }$ is equal to V.
• If $V^{\ast }\ne V$, the procedure aborts; otherwise, the smart card sends $A_{sc}$ to the laptop.
• After receiving $A_{sc}$, the user computes $y_{sc}^{\ast }=A_{sc}\oplus Pwd\oplus R{1}^{\ast }$, and $y_{usr}^{\ast }=A_{usr}\oplus Pwd\oplus R{1}^{\ast }$.

4.2.2. Laptop and Server

When the user’s smart card share is unavailable (e.g., the smart card may be lost, the share may be corrupt, etc.), the user needs to complete the authentication phase through the interaction between the laptop and the server. The specific process is as follows (see Game 3):

Game 3 Authentication phase: laptop and server
Laptop (user)		Server
input    $I{D}_{usr},Pwd,Bi{o}^{\ast },T1;$
compute
$R^{\ast }\leftarrow Rep(Bi{o}^{\ast },P),$
$R^{\ast }=(R{1}^{\ast },R{2}^{\ast }),$
$H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R{1}^{\ast }\right),$
$Y=Z\oplus H,$
$c1\leftarrow E_{s{k}_{lps}}\left(Y\right);$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(c1,I{D}_{usr},T1)}{\to }}}$	check    $T^{\ast }-T1?\le \Delta t$
		if    $T^{\ast }-T1>\Delta t$, stop;
		compute
		$Y^{\ast }\leftarrow D_{s{k}_{lps}}\left(c1\right),$
		$Y=h\left(I{D}_{ser}\right|\left|X\right);$
		check    $Y^{\ast }?=Y$
		if    $Y^{\ast }\ne Y$, stop;
		otherwise, server authenticates user;
		compute
		$c2\leftarrow E_{s{k}_{lps}}\left(A_{ser}\right);$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(c2,t_{ser})}{\leftarrow }}}$
compute
$A_{ser}^{\prime }\leftarrow D_{s{k}_{lps}}\left(c2\right),$
$b\leftarrow Vrf{y}_{R{2}^{\ast }}(A_{ser}^{\prime },t_{ser});$
if    $b=0$, stop;
else, compute
$y_{ser}=A_{ser}^{\prime }\oplus R{1}^{\ast }\oplus Pwd,$
$y_{usr}=A_{usr}^{\prime }\oplus R{1}^{\ast }\oplus Pwd;$

• The user inputs $Bi{o}^{\ast }$, computes $Rep(Bi{o}^{\ast },P)=R^{\ast }$, and divides $R^{\ast }$ into two parts $R{1}^{\ast }$ and $R{2}^{\ast }$. Then, the user inputs their $I{D}_{usr}$, $Pwd$, and current timestamp $T1$. The laptop computes $H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R{1}^{\ast }\right)$, and $Y=Z\oplus H$, $c1\leftarrow E_{s{k}_{lps}}\left(Y\right)$.
• The laptop sends $(c1,I{D}_{usr},T1)$ to the server.
• After receiving the request message $(c1,I{D}_{usr},T1)$, the server checks whether the current timestamp $T{1}^{\ast }-T1\le \Delta t$ or not. If $T{1}^{\ast }-T1>\Delta t$, the server stops; otherwise, the server uses the symmetric key $s{k}_{lps}$ to compute $Y^{\ast }\leftarrow D_{s{k}_{lps}}\left(c1\right)$.
• $Y=h\left(I{D}_{ser}\right|\left|X\right)$. The server check whether $Y^{\ast }$ is equal to Y. If $Y^{\ast }\ne Y$, the server stops; otherwise, the server authenticates the user identity.
• The server computes $c2\leftarrow E_{s{k}_{lps}}\left(A_{ser}\right)$ and sends $(c2,t_{ser})$ to the laptop.
• After receiving the message $(c2,t_{ser})$, the laptop computes $A_{ser}^{\prime }\leftarrow D_{s{k}_{lps}}\left(c2\right)$ and $b\leftarrow Vrf{y}_{R{2}^{\ast }}(A_{ser}^{\prime },t_{ser})$. If $b=0$, the laptop stops; otherwise, the user computes $y_{ser}=A_{ser}^{\prime }\oplus R{1}^{\ast }\oplus Pwd$.

4.2.3. Smart Card and Server

When the user’s laptop share is unavailable (e.g., the laptop may be lost, the share may be corrupt, etc.), the user can use another device with a smart card reader to interact with the server and complete the authentication phase. The specific process is as follows (see Game 4):

Game 4 Authentication phase: smart card and server
Smart card (user)		Server
input    $I{D}_{usr},Pwd,Bi{o}^{\ast },T1;$
compute
$R^{\ast }\leftarrow Rep(Bi{o}^{\ast },P),$
$R^{\ast }=(R{1}^{\ast },R{2}^{\ast }),$
$H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R{1}^{\ast }\right),$
$Y=Z\oplus H,$
$c1\leftarrow E_{s{k}_{scs}}\left(Y\right);$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(c1,I{D}_{sc},T1)}{\to }}}$
		check    $T^{\ast }-T1?\le \Delta t$
		if    $T^{\ast }-T1>\Delta t$, stop;
		compute
		$Y^{\ast }\leftarrow D_{s{k}_{scs}}\left(c1\right),$
		$Y=h\left(I{D}_{ser}\right|\left|X\right);$
		check    $Y^{\ast }?=Y$
		if    $Y^{\ast }\ne Y$, stop;
		otherwise, server authenticates user;
		compute
		$c2\leftarrow E_{s{k}_{scs}}\left(A_{ser}\right);$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(c2,t_{ser})}{\leftarrow }}}$
compute
$A_{ser}^{\prime }\leftarrow D_{s{k}_{scs}}\left(c2\right),$
$b\leftarrow Vrf{y}_{R{2}^{\ast }}(A_{ser}^{\prime },t_{ser});$
if    $b=0$, stop;
else, compute
$y_{ser}=A_{ser}^{\prime }\oplus R{1}^{\ast }\oplus Pwd,$
$y_{usr}=A_{usr}^{\prime }\oplus R{1}^{\ast }\oplus Pwd;$

• The user inputs $Bi{o}^{\ast }$, computes $Rep(Bi{o}^{\ast },P)=R^{\ast }$, and divides $R^{\ast }$ into two parts $R{1}^{\ast }$ and $R{2}^{\ast }$. Then, the user inputs their $I{D}_{usr}$, $Pwd$, and current timestamp $T1$. The laptop computes $H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R{1}^{\ast }\right)$ and $Y=Z\oplus H$, $c1\leftarrow E_{s{k}_{lps}}\left(Y\right)$.
• The laptop sends $(c1,I{D}_{sc},T1)$ to the server.
• After receiving the request message $(c1,I{D}_{sc},T1)$, the server checks whether the current timestamp $T{1}^{\ast }-T1\le \Delta t$ or not. If $T{1}^{\ast }-T1>\Delta t$, the server stops; otherwise, the server uses the symmetric key $s{k}_{scs}$ to compute $Y^{\ast }\leftarrow D_{s{k}_{scs}}\left(c1\right)$.
• $Y=h\left(I{D}_{ser}\right|\left|X\right)$. The server check whether $Y^{\ast }$ is equal to Y. If $Y^{\ast }\ne Y$, the server stops; otherwise, the server authenticates the user identity.
• The server computes $c2\leftarrow E_{s{k}_{scs}}\left(A_{ser}\right)$ and sends $(c2,t_{ser})$ to the laptop.
• After receiving the message $(c2,t_{ser})$, the laptop computes $A_{ser}^{\prime }\leftarrow D_{s{k}_{scs}}\left(c2\right)$ and $b\leftarrow Vrf{y}_{R{2}^{\ast }}(A_{ser}^{\prime },t_{ser})$. If $b=0$, the laptop stops; otherwise, the user computes $y_{ser}=A_{ser}^{\prime }\oplus R{1}^{\ast }\oplus Pwd$.

4.3. Key Reconstruction Phase

The user can easily recover key k through the Lagrange interpolation method if he knows two of the three tuples $(I{D}_{usr},y_{usr}),(I{D}_{sc},y_{sc})$, and $(I{D}_{ser},y_{ser})$. For example, if the user knows $(I{D}_{sc},y_{sc})$ and $(I{D}_{usr},y_{usr})$, the user can obtain the private key by computing $k=y_{sc}(-I{D}_{sc}/(I{D}_{usr}-I{D}_{sc}))+y_{usr}(-I{D}_{usr}/(I{D}_{sc}-I{D}_{usr}))\left(modp\right)$.

4.4. Updating Phase

When the user has both the smart card and the laptop, the user can update their password or biometrics. When the user’s smart card share or laptop share is unavailable, the user can rebuild it by interacting with the server through another share.

4.4.1. Updating Password

The user can update the password $Pwd$ to $Pw{d}^{\ast }$. Before updating the password, the user need to interact with the server through the laptop or the smart card to obtain $A_{ser}$ stored on the server (Section 4.4.2, lines 5 and 6; Section 4.4.3, lines 5 and 6). After obtaining the information $A_{ser}$ stored on the server, the subsequent process is as follows (see Game 5):

Game 5 Updating password
Smart card		Laptop (user)		Server
		compute
		$R\leftarrow Rep(Bio,P),R=(R1,R2);$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(I{D}_{usr},Pwd,ku,R1)}{\leftarrow }}}$
compute
$V^{\ast }=$
$h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R1\left|\right|ku);$
check    $V^{\ast }?=V$
if    $V^{\ast }\ne V$, stop;
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{A_{sc}}{\to }}}$
		choose    $k{u}^{\ast },Pw{d}^{\ast };$
		compute
		$V^{\ast }=h(I{D}_{sc}\left|\right|Pw{d}^{\ast }\left|\right|I{D}_{usr}\left|\right|R1\left|\right|k{u}^{\ast })$,
		$H^{\ast }=h(I{D}_{usr}\left|\right|Pw{d}^{\ast }\left|\right|R1)$,
		$H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R1\right)$,
		$Z^{\ast }=Z\oplus H\oplus H^{\ast }$,
		$A_{usr}^{\ast }=A_{usr}\oplus Pwd\oplus Pw{d}^{\ast }$,
		$A_{sc}^{\ast }=A_{sc}\oplus Pwd\oplus Pw{d}^{\ast }$,
		$A_{ser}^{\ast }=A_{ser}\oplus Pwd\oplus Pw{d}^{\ast }$,
		$t_{usr}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{usr}^{\ast }\right),t_{sc}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{sc}^{\ast }\right),$
		$t_{ser}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{ser}^{\ast }\right),c\leftarrow E_{s{k}_{lps}}(A_{ser}^{\ast },A_{ser});$
		store
		$(Z^{\ast },k{u}^{\ast },A_{usr}^{\ast },t_{usr}^{\ast })$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(Z^{\ast },V^{\ast },A_{sc}^{\ast },t_{sc}^{\ast })}{\leftarrow }}}$
store
$(Z^{\ast },V^{\ast },A_{sc}^{\ast },t_{sc}^{\ast })$
			${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(t_{ser}^{\ast },c)}{\to }}}$
				compute
				$D_{s{k}_{lps}}\left(c\right)=(A_{ser}^{\ast },A_{ser}^{\prime });$
				if    $A_{ser}^{\prime }\ne A_{ser}$, stop;
				store
				$(t_{ser}^{\ast },A_{ser}^{\ast })$

• The user inserts the smart card into the card reader, and the card reader reads the information in the smart card.
• The user obtains $I{D}_{usr}$ and the random number $ku$ in the laptop, and inputs their biometrics $Bio$ and the old password $Pwd$. Then, the user computes $(R,P)\leftarrow Gen\left(Bio\right)$ and divides R into two parts $R1$ and $R2$. After that, the laptop sends $(I{D}_{usr},Pwd,ku,R1)$ to the smart card.
• After receiving the message $(I{D}_{usr},Pwd,ku,R1)$, the smart card computes $V^{\ast }=h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R1\left|\right|ku)$ and checks whether $V^{\ast }$ is equal to V. If $V^{\ast }\ne V$, the smart card stops; otherwise, the smart card sends $A_{sc}$ to the laptop.
• The user chooses a new random number $k{u}^{\ast }$ and a new password $Pw{d}^{\ast }$ and computes following values:
  $V^{\ast }=h(I{D}_{sc}\left|\right|Pw{d}^{\ast }\left|\right|I{D}_{usr}\left|\right|R1\left|\right|k{u}^{\ast })$, $H^{\ast }=h(I{D}_{usr}\left|\right|Pw{d}^{\ast }\left|\right|R1)$,
  $H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R1\right)$, $Z^{\ast }=Z\oplus H\oplus H^{\ast }$,
  $A_{usr}^{\ast }=A_{usr}\oplus Pwd\oplus Pw{d}^{\ast }$, $A_{sc}^{\ast }=A_{sc}\oplus Pwd\oplus Pw{d}^{\ast }$, $A_{ser}^{\ast }=A_{ser}\oplus Pwd\oplus Pw{d}^{\ast }$,
  $t_{usr}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{usr}^{\ast }\right)$, $t_{sc}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{sc}^{\ast }\right)$, $t_{ser}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{ser}^{\ast }\right)$.
  Then, the user stores $(Z^{\ast },k{u}^{\ast },A_{usr}^{\ast },t_{usr}^{\ast })$ in the laptop to replace $(Z,ku,A_{usr},t_{usr})$ and sends $(Z^{\ast },V^{\ast },A_{sc}^{\ast },t_{sc}^{\ast })$ to the smart card.
• The smart card stores $(Z^{\ast },V^{\ast },A_{sc}^{\ast },t_{sc}^{\ast })$ to replace $(Z,V,A_{sc},t_{sc})$.
• The laptop sends $(t_{ser}^{\ast },c=E_{s{k}_{lps}}(A_{ser}^{\ast },A_{ser}))$ to the server.
• After receiving the message $(t_{ser}^{\ast },c)$, the server calculates $D_{s{k}_{lps}}\left(c\right)=(A_{ser}^{\ast },A_{ser}^{\prime })$ and checks if $A_{ser}^{\prime }$ is equal to $A_{ser}$. If $A_{ser}^{\prime }=A_{ser}$, the server replaces $(A_{ser},t_{ser})$ with $(A_{ser}^{\ast },t_{ser}^{\ast })$; otherwise, the server stops.

4.4.2. Updating Biometrics

The process of changing the biometrics is similar to that of changing the password. Before updating the biometrics, the user needs to interact with the server through the laptop or the smart card to obtain $A_{ser}$ stored on the server (Section 4.4.2, lines 5 and 6; Section 4.4.3, lines 5 and 6). Furthermore, the subsequent process is as follows (see Game 6):

• The user inserts the smart card into the card reader, and the card reader reads the information in the smart card.
• The user obtains $I{D}_{usr}$ and the random number $ku$ in the laptop, and inputs their biometrics $Bio$ and the password $Pwd$. Then, the user computes $(R,P)\leftarrow Gen\left(Bio\right)$ and divides R into two parts $R1$ and $R2$. After that, the laptop sends $(I{D}_{usr},Pwd,ku,R1)$ to the smart card.
• After receiving the message $(I{D}_{usr},Pwd,ku,R1)$, the smart card computes $V^{\ast }=h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R1\left|\right|ku)$ and checks whether $V^{\ast }$ is equal to V. If $V^{\ast }\ne V$, the smart card stops; otherwise, the smart card sends $A_{sc}$ to the laptop.
• The user chooses a new random number $k{u}^{\ast }$ and inputs new biometrics $Bi{o}^{\ast }$ and computes following values:
  $(R^{\ast },P^{\ast })\leftarrow Gen\left(Bi{o}^{\ast }\right)$, $R^{\ast }=(R{1}^{\ast },R{2}^{\ast })$,
  $V^{\ast }=h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R{1}^{\ast }\left|\right|k{u}^{\ast })$,
  $H^{\ast }=h(I{D}_{usr}\left|\right|Pwd\left|\right|R{1}^{\ast })$, $H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R1\right)$, $Z^{\ast }=Z\oplus H\oplus H^{\ast }$,
  $A_{usr}^{\ast }=A_{usr}\oplus R1\oplus R{1}^{\ast }$, $A_{sc}^{\ast }=A_{sc}\oplus R1\oplus R{1}^{\ast }$, $A_{ser}^{\ast }=A_{ser}\oplus R1\oplus R{1}^{\ast }$,
  $t_{usr}^{\ast }\leftarrow Ma{c}_{R{2}^{\ast }}\left(A_{usr}^{\ast }\right)$, $t_{sc}^{\ast }\leftarrow Ma{c}_{R{2}^{\ast }}\left(A_{sc}^{\ast }\right)$, $t_{ser}^{\ast }\leftarrow Ma{c}_{R{2}^{\ast }}\left(A_{ser}^{\ast }\right)$.
  Then, the user stores $(Z^{\ast },k{u}^{\ast },P^{\ast },A_{usr}^{\ast },t_{usr}^{\ast })$ in the laptop to replace $(Z,ku,P,A_{usr},t_{usr})$ and sends $(Z^{\ast },V^{\ast },P^{\ast },A_{sc}^{\ast },t_{sc}^{\ast })$ to the smart card.
• The smart card stores $(Z^{\ast },V^{\ast },P^{\ast },A_{sc}^{\ast },t_{sc}^{\ast })$ to replace $(Z,V,P,A_{sc},t_{sc})$.
• The laptop sends $(t_{ser}^{\ast },c=E_{s{k}_{lps}}(A_{ser}^{\ast },A_{ser}))$ to the server.
• After receiving the message $(t_{ser}^{\ast },c)$, the server calculates $D_{s{k}_{lps}}\left(c\right)=(A_{ser}^{\ast },A_{ser}^{\prime })$ and checks if $A_{ser}^{\prime }$ is equal to $A_{ser}$. If $A_{ser}^{\prime }=A_{ser}$, the server replaces $(A_{ser},t_{ser})$ with $(A_{ser}^{\ast },t_{ser}^{\ast })$; otherwise, the server stops.

Game 6 Updating biometrics
Smart card		Laptop (user)		Server
		compute
		$R\leftarrow Rep(Bio,P),R=(R1,R2);$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(I{D}_{usr},Pwd,ku,R1)}{\leftarrow }}}$
compute
$V^{\ast }=$
$h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R1\left|\right|ku);$
check    $V^{\ast }?=V$
if    $V^{\ast }\ne V$, stop;
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{A_{sc}}{\to }}}$
		choose    $k{u}^{\ast },Bi{o}^{\ast };$
		compute
		$(R^{\ast },P^{\ast })\leftarrow Gen\left(Bi{o}^{\ast }\right),$
		$R^{\ast }=(R{1}^{\ast },R{2}^{\ast })$,
		$V^{\ast }=h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R{1}^{\ast }\left|\right|k{u}^{\ast })$,
		$H^{\ast }=h(I{D}_{usr}\left|\right|Pwd\left|\right|R{1}^{\ast })$,
		$H=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R1\right)$,
		$Z^{\ast }=Z\oplus H\oplus H^{\ast }$,
		$A_{usr}^{\ast }=A_{usr}\oplus R1\oplus R{1}^{\ast }$,
		$A_{sc}^{\ast }=A_{sc}\oplus R1\oplus R{1}^{\ast }$,
		$A_{ser}^{\ast }=A_{ser}\oplus R1\oplus R{1}^{\ast }$,
		$t_{usr}^{\ast }\leftarrow Ma{c}_{R{2}^{\ast }}\left(A_{usr}^{\ast }\right),t_{sc}^{\ast }\leftarrow Ma{c}_{R{2}^{\ast }}\left(A_{sc}^{\ast }\right),$
		$t_{ser}^{\ast }\leftarrow Ma{c}_{R{2}^{\ast }}\left(A_{ser}^{\ast }\right),c\leftarrow E_{s{k}_{lps}}(A_{ser}^{\ast },A_{ser});$
		store
		$(Z^{\ast },k{u}^{\ast },P^{\ast },A_{usr}^{\ast },t_{usr}^{\ast })$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(Z^{\ast },V^{\ast },P^{\ast },A_{sc}^{\ast },t_{sc}^{\ast })}{\leftarrow }}}$
store
$(Z^{\ast },V^{\ast },P^{\ast },A_{sc}^{\ast },t_{sc}^{\ast })$
			${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(t_{ser}^{\ast },c)}{\to }}}$
				compute
				$D_{s{k}_{lps}}\left(c\right)=(A_{ser}^{\ast },A_{ser}^{\prime });$
				if    $A_{ser}^{\prime }\ne A_{ser}$, stop;
				store
				$(t_{ser}^{\ast },A_{ser}^{\ast })$

4.4.3. Rebuilding a New Smart Card

When the user’s smart card is unavailable, the user can use the laptop to interact with the server to rebuild it. The process of rebuilding a new smart card is as follows (see Game 7):

• The user chooses a new identity of smart card $I{D}_{sc}^{\ast }$, a new random number $k{u}^{\ast }$, and a new first-degree polynomial $f^{\ast }\left(x\right)=r^{\ast }x+k$, where $r^{\ast }$ is a random number and two new symmetric keys are $s{k}_{lps}^{\ast }$ and $s{k}_{scs}^{\ast }$.
• The user computes three true shares $y_{usr}^{\ast }=f^{\ast }\left(I{D}_{usr}\right)$, $y_{sc}^{\ast }=f^{\ast }\left(I{D}_{sc}^{\ast }\right)$, and $y_{ser}^{\ast }=f^{\ast }\left(I{D}_{ser}\right)$, three pseudoshares $A_{usr}^{\ast }=y_{usr}^{\ast }\oplus Pwd\oplus R1$, $A_{sc}^{\ast }=y_{sc}^{\ast }\oplus Pwd\oplus R1$, and $A_{ser}^{\ast }=y_{ser}^{\ast }\oplus Pwd\oplus R1$, the authentication message $V^{\ast }=h(I{D}_{sc}^{\ast }\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R1\left|\right|k{u}^{\ast })$, and $t_{usr}^{\ast }=Ma{c}_{R2}\left(A_{usr}^{\ast }\right)$, $t_{ser}^{\ast }=Ma{c}_{R2}\left(A_{ser}^{\ast }\right)$, $t_{sc}^{\ast }=Ma{c}_{R2}\left(A_{sc}^{\ast }\right)$.
• The laptop uses $(A_{usr}^{\ast },t_{usr}^{\ast },k{u}^{\ast },s{k}_{lps}^{\ast })$ to replace $(A_{usr},t_{usr},ku,s{k}_{lps})$ and sends message $(t_{ser}^{\ast },c=E_{s{k}_{lps}}(A_{ser}^{\ast },A_{ser},s{k}_{lps}^{\ast },s{k}_{scs}^{\ast }),I{D}_{sc}^{\ast })$ to the server.
• After receiving the message $(t_{ser}^{\ast },c,I{D}_{sc}^{\ast })$, the server calculates $D_{s{k}_{lps}}\left(c\right)=(A_{ser}^{\ast },A_{ser}^{\prime },s{k}_{lps}^{\ast },s{k}_{scs}^{\ast })$ and checks if $A_{ser}^{\prime }$ is equal to $A_{ser}$. If $A_{ser}^{\prime }=A_{ser}$, the server replaces $(A_{ser},t_{ser},s{k}_{lps},s{k}_{scs},I{D}_{sc})$ with $(A_{ser}^{\ast },t_{ser}^{\ast },s{k}_{lps}^{\ast },s{k}_{scs}^{\ast },I{D}_{sc}^{\ast })$; otherwise, the server stops.
• The laptop sends the message $(I{D}_{sc}^{\ast },A_{sc}^{\ast },t_{sc}^{\ast },V^{\ast },s{k}_{scs}^{\ast },Z,P)$ to the smart card.
• The user stores $(I{D}_{sc}^{\ast },A_{sc}^{\ast },t_{sc}^{\ast },V^{\ast },s{k}_{scs}^{\ast },Z,P)$ in the new smart card.

Game 7 Rebuilding a new smart card
New smart card		Laptop (user)		Server
		choose
		$I{D}_{sc}^{\ast },k{u}^{\ast },r^{\ast },s{k}_{lps}^{\ast },s{k}_{scs}^{\ast },$
		f* (x)=r*x + k;
		compute
		$y_{usr}^{\ast }=f^{\ast }\left(I{D}_{usr}\right)$,
		$y_{sc}^{\ast }=f^{\ast }\left(I{D}_{sc}^{\ast }\right)$,
		$y_{ser}^{\ast }=f^{\ast }\left(I{D}_{ser}\right)$,
		$A_{usr}^{\ast }=y_{usr}^{\ast }\oplus Pwd\oplus R1$,
		$A_{sc}^{\ast }=y_{sc}^{\ast }\oplus Pwd\oplus R1$,
		$A_{ser}^{\ast }=y_{ser}^{\ast }\oplus Pwd\oplus R1$,
		$V^{\ast }=h(I{D}_{sc}^{\ast }\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R1\left|\right|k{u}^{\ast })$,
		$t_{usr}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{usr}^{\ast }\right),$
		$t_{sc}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{sc}^{\ast }\right),$
		$t_{ser}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{ser}^{\ast }\right),$
		$c\leftarrow E_{s{k}_{lps}}(A_{ser}^{\ast },A_{ser},s{k}_{lps}^{\ast },s{k}_{scs}^{\ast });$
		store
		$(A_{usr}^{\ast },t_{usr}^{\ast },k{u}^{\ast },s{k}_{lps}^{\ast })$
			${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(t_{ser}^{\ast },c,I{D}_{sc}^{\ast })}{\to }}}$
				compute
				$D_{s{k}_{lps}}\left(c\right)=(A_{ser}^{\ast },A_{ser}^{\prime },s{k}_{lps}^{\ast },s{k}_{scs}^{\ast });$
				if    $A_{ser}^{\prime }\ne A_{ser}$, stop;
				store
				$(t_{ser}^{\ast },A_{ser}^{\ast },s{k}_{lps}^{\ast },s{k}_{scs}^{\ast },I{D}_{sc}^{\ast })$
	${\displaystyle \underset{(V^{\ast },s{k}_{scs}^{\ast },Z,P)}{\overset{(I{D}_{sc}^{\ast },A_{sc}^{\ast },t_{sc}^{\ast })}{\leftarrow }}}$
store
$(I{D}_{sc}^{\ast },A_{sc}^{\ast },t_{sc}^{\ast },V^{\ast },s{k}_{scs}^{\ast },Z,P)$

4.4.4. Rebuilding a New Laptop

When the user’s laptop is unavailable, the user can use the smart card to interact with the server to rebuild it. The process of rebuilding a new laptop is as follows (see Game 8):

• The user chooses a new random number $k{u}^{\ast }$, a new first-degree polynomial $f^{\ast }\left(x\right)=r^{\ast }x+k$, where $r^{\ast }$ is a random number, and two new symmetric keys $s{k}_{lps}^{\ast }$ and $s{k}_{scs}^{\ast }$.
• The user computes three true shares $y_{usr}^{\ast }=f^{\ast }\left(I{D}_{usr}\right)$, $y_{sc}^{\ast }=f^{\ast }\left(I{D}_{sc}\right)$, and $y_{ser}^{\ast }=f^{\ast }\left(I{D}_{ser}\right)$, three pseudoshares $A_{usr}^{\ast }=y_{usr}^{\ast }\oplus Pwd\oplus R1$, $A_{sc}^{\ast }=y_{sc}^{\ast }\oplus Pwd\oplus R1$, and $A_{ser}^{\ast }=y_{ser}^{\ast }\oplus Pwd\oplus R1$, the authentication message $V^{\ast }=h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R1\left|\right|k{u}^{\ast })$, and $t_{usr}^{\ast }=Ma{c}_{R2}\left(A_{usr}^{\ast }\right)$, $t_{ser}^{\ast }=Ma{c}_{R2}\left(A_{ser}^{\ast }\right)$, $t_{sc}^{\ast }=Ma{c}_{R2}\left(A_{sc}^{\ast }\right)$.
• The new laptop sends the message $(A_{sc}^{\ast },t_{sc}^{\ast },V^{\ast },s{k}_{scs}^{\ast })$ to the smart card.
• The smart card uses $(A_{sc}^{\ast },t_{sc}^{\ast },V^{\ast },s{k}_{scs}^{\ast })$ to replace $(A_{sc},t_{sc},V,s{k}_{scs})$ and sends the message $(Z,P,s{k}_{scs}^{\ast })$ to the new laptop.
• After receiving the message $(Z,P,s{k}_{scs}^{\ast })$, the new laptop stores $(I{D}_{usr},A_{usr}^{\ast },t_{usr}^{\ast },k{u}^{\ast },s{k}_{lps}^{\ast },Z,P)$ and sends message $(t_{ser}^{\ast },c\leftarrow E_{s{k}_{scs}}(A_{ser}^{\ast },A_{ser},s{k}_{lps}^{\ast },s{k}_{scs}^{\ast }))$ to the server.
• After receiving the message $(t_{ser}^{\ast },c)$, the server computes $D_{s{k}_{scs}}\left(c\right)=(A_{ser}^{\ast },A_{ser}^{\prime },s{k}_{lps,}^{\ast }s{k}_{scs}^{\ast })$ and checks whether $A_{ser}^{\prime }$ is equal to $A_{ser}$. If $A_{ser}^{\prime }=A_{ser}$, the server uses $(A_{ser}^{\ast },t_{ser}^{\ast },s{k}_{lps}^{\ast },s{k}_{scs}^{\ast })$ to replace $(A_{ser},t_{ser},s{k}_{lps},s{k}_{scs})$; otherwise, the server stops.

Game 8 Rebuilding a new laptop
Smart card		New laptop (user)		Server
		choose
		$k{u}^{\ast },r^{\ast },s{k}_{lps}^{\ast },s{k}_{scs}^{\ast },$
		f*(x)=r*x + k;
		compute
		$y_{usr}^{\ast }=f^{\ast }\left(I{D}_{usr}\right)$,
		$y_{sc}^{\ast }=f^{\ast }\left(I{D}_{sc}\right)$,
		$y_{ser}^{\ast }=f^{\ast }\left(I{D}_{ser}\right)$,
		$A_{usr}^{\ast }=y_{usr}^{\ast }\oplus Pwd\oplus R1$,
		$A_{sc}^{\ast }=y_{sc}^{\ast }\oplus Pwd\oplus R1$,
		$A_{ser}^{\ast }=y_{ser}^{\ast }\oplus Pwd\oplus R1$,
		$V^{\ast }=h(I{D}_{sc}\left|\right|Pwd\left|\right|I{D}_{usr}\left|\right|R1\left|\right|k{u}^{\ast })$,
		$t_{usr}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{usr}^{\ast }\right),$
		$t_{sc}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{sc}^{\ast }\right),$
		$t_{ser}^{\ast }\leftarrow Ma{c}_{R2}\left(A_{ser}^{\ast }\right);$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(A_{sc}^{\ast },t_{sc}^{\ast },V^{\ast },s{k}_{scs}^{\ast })}{\leftarrow }}}$
store
$(A_{sc}^{\ast },t_{sc}^{\ast },V^{\ast },s{k}_{scs}^{\ast })$
	${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(Z,P,s{k}_{scs}^{\ast })}{\to }}}$
		store
		$(I{D}_{usr},A_{usr}^{\ast },t_{usr}^{\ast },k{u}^{\ast },s{k}_{lps}^{\ast },Z,P)$
		compute
		$c\leftarrow E_{s{k}_{scs}}(A_{ser}^{\ast },A_{ser},s{k}_{lps}^{\ast },s{k}_{scs}^{\ast });$
			${\displaystyle \underset{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\overset{(t_{ser}^{\ast },c)}{\to }}}$
				compute
				$D_{s{k}_{scs}}\left(c\right)=(A_{ser}^{\ast },A_{ser}^{\prime },s{k}_{lps}^{\ast },s{k}_{scs}^{\ast });$
				if    $A_{ser}^{\prime }\ne A_{ser}$, stop;
				store
				$(t_{ser}^{\ast },A_{ser}^{\ast },s{k}_{lps}^{\ast },s{k}_{scs}^{\ast })$

5. Security Analysis and Performance Evaluation

In this section, we mainly analyze the security and performance of our scheme. Our scheme is secure against all secure goals claimed in Section 2.5.

5.1. Security Analysis

5.1.1. Resist Replay Attacks

When the laptop or the smart card is unavailable, the user needs to complete mutual authentication with the server through another device. The attacker can participate in this interaction process and implement a replay attack. We claim that our scheme can resist replay attacks.

If the smart card is unavailable, the user needs to complete mutual authentication with the server to recover the private key. During the authentication phase, the laptop will send a message $(c,I{D}_{usr},T1)$ to the server, and the attacker may intercept the message and continuously send it to the server to carry out a replay attack. Our scheme resists the above replay attacks using timestamps. The specific process of resisting replay attacks is as follows:

(1)

After receiving the message, the server first needs to determine that $T^{\ast }-T1\le \Delta t$ is established.

(2)

When the laptop sends message $(c,I{D}_{usr},T1)$ to the server for the first time, we have $T^{\ast }-T1\le \Delta t$. If the attacker continues to send the message to the server, the server will terminate the authentication process when the time does not satisfy equation $T^{\ast }-T1\le \Delta t$.

From the above analysis, it can be found that our scheme can resist replay attacks if the smart card is unavailable. The same analysis can also be applied to the situation where the attacker implements replay attacks when the laptop is unavailable.

5.1.2. Resist Impersonation User Attacks

In this kind of attack, the attacker attempts to impersonate a legitimate user and interacts with the server. If the attacker wants to impersonate a legitimate user, the attacker must calculate the ciphertext $c1$ to pass the server’s verification. It should be noted that $c1\leftarrow E_{s{k}_{lps}}\left(Y\right)$, so the attacker must calculate a valid Y and a correct key $s{k}_{lps}$. We recall that $Y=Z\oplus h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R1\right),R\leftarrow Rep(Bio,P),R=(R1,R2)$. The security of the fuzzy extractor guarantees that $R1$ is almost uniformly distributed if the biometric information has a high enough entropy. Therefore, calculating Y requires the attacker knowing the correct password $Pwd$, obtaining the correct biometric information $Bio$, and obtaining the values of Z and P stored in the smart card or the laptop. According to the description of the attacker’s ability, it is impossible for the attacker to obtain both the password and biometric information while obtaining the smart card or the laptop device. Therefore, the attacker cannot impersonate a legitimate user.

5.1.3. Resist Impersonation Server Attacks

In this kind of attack, the attacker attempts to impersonate a legitimate server and interacts with the user. When the adversary successfully impersonates the server, they may deceive users or steal sensitive information. For example, the adversary may also send incorrect information to the user, causing them to rebuild a wrong key.

We analyze the case where the adversary wants to impersonate a legitimate server by interacting with the user through the laptop. We review the process in Section 4.2.2. If the attacker wants to impersonate a legitimate server, the attacker needs to calculate a valid mac $t_{ser}$ and a correct ciphertext $c2$ to pass the user’s verification. We recall that $t_{ser}\leftarrow Ma{c}_{R2}\left(A_{ser}\right),R\leftarrow Rep(Bio,P),R=(R1,R2)$ and $c2\leftarrow E_{s{k}_{lps}}\left(A_{ser}\right)$.

Since the biometric information $Bio$ has enough entropy, through the security of the fuzzy extractor, $R2$ is almost uniformly distributed. Then, by the security of $MAC$, it is infeasible for the adversary to forge a valid tag $t_{ser}$ without biometric information $Bio$. Through the security of the encryption scheme, it is infeasible to forge a valid ciphertext $c2$ for message $A_{ser}$ without the encryption key $s{k}_{lps}$. Therefore, the adversary must obtain the biometric information $Bio$, the valid $A_{ser}$, the encryption key $s{k}_{lps}$, and the auxiliary string P. However, according to the description of the adversary’s abilities, it is impossible for the adversary to simultaneously corrupt the server, obtain biometric information, and obtain the laptop. A similar analysis can be used for the situation where the laptop is unavailable.

5.1.4. Resist Malicious Servers

In this attack, the attacker can act as a malicious server sending incorrect information to the user, causing them to rebuild a wrong key. We consider the situation where the server sends incorrect messages to the laptop. A similar analysis can also be applied to the situation where the server sends incorrect messages to the smart card.

We recall that, in our scheme, the server sends the message $(c2,t_{ser})$ to the laptop. After the laptop receives this message, the laptop calculates $A_{ser}^{\prime }\leftarrow De{c}_{s{k}_{lps}}\left(c2\right)$ and $b\leftarrow Vrf{y}_{R2}(A_{ser}^{\prime },t_{ser})$.

In the chapter on resisting impersonation server attacks, we have analyzed that the attacker cannot forge legitimate messages $(c2,t_{ser})$ to pass the user’s verification. Furthermore, when the server sends mismatched $c2$ and $t_{ser}$ to the laptop, $b=0$. Therefore, the user can determine the correctness of the messages sent by the server by checking the value of b. Thus, our scheme can resist malicious servers.

5.1.5. Resist Offline Guessing Attacks

There are two ways for the adversary to perform offline guessing password attacks. One way involves validating the value of V, and the other involves validating the value of Z. We will separately discuss how our scheme resists offline guessing attacks in these two scenarios.

(1)

The adversary validates the value of V. In our scheme, V is stored in the smart card; thus, the adversary can only carry out offline guessing attacks in this way if he obtains the smart card. We recall that $V=h\left(I{D}_{sc}\right|\left|Pwd\right|\left|I{D}_{usr}\right|\left|R1\right|\left|ku\right)$ and $ku$ is a random number stored in the laptop. It should be noted that the adversary cannot simultaneously obtain the smart card, the biometric information, and the laptop, which means the adversary cannot know both $R1$ and $ku$ at the same time. Therefore, if the adversary wants to perform offline password-guessing attacks, he must guess the value of $R1$ or $ku$ correctly. The security of the fuzzy extractor guarantees that $R1$ is almost uniformly distributed since the biometrc information has enough entropy, and through the randomness of $ku$, the adversary cannot guess V correctly in polynomial time.

(2)

The adversary validates the value of Z. In our scheme, Z is stored in the smart card and the laptop, thus the adversary can only carry out offline guessing attacks in this way if he obtains the smart card or the laptop. We recall that $Z=H\oplus Y=h\left(I{D}_{usr}\right|\left|Pwd\right|\left|R1\right)\oplus Y$. We consider the worst-case scenario, where the adversary obtains the laptop, which means that the adversary obtains both Z and $I{D}_{usr}$. We note that the adversary cannot simultaneously obtain the smart card, obtain the laptop, and corrupt the server, which means that the adversary cannot know both $R1$ and Y at the same time. Therefore, if the adversary wants to perform offline password-guessing attacks, he must guess the value of $R1$ or Y correctly. The security of the fuzzy extractor and the randomness of Y guarantees that, the adversary cannot guess Z correctly in polynomial time.

5.2. Performance Evaluation

In this section, we will show the time consumption of each phase. The notations we used in this section are the same as those in Section 3. Since the time complexity of the exclusive-OR operation and concatenation operation is negligible, we do not take them into account.

Table 3. Computational cost of our scheme.

Phase	Entity	${\mathit{T}}_{\mathit{H}}$	${\mathit{T}}_{\mathit{S}}$	${\mathit{T}}_{\mathit{P}}$	${\mathit{T}}_{\mathit{M}}$	${\mathit{T}}_{\mathit{V}}$	${\mathit{T}}_{\mathit{G}}$	${\mathit{T}}_{\mathit{R}}$	${\mathit{T}}_{\mathbf{SS}}$
Registration	Laptop	2	0	0	3	0	1	0	1
	Smart card	0	0	0	0	0	0	0	0
	Server	1	0	0	0	0	0	0	0
Authentication (Case 1)	Laptop	0	0	0	0	1	0	1	0
	Smart card	1	0	0	0	1	0	0	0
	Server	0	0	0	0	0	0	0	0
Authentication (Case 2)	Laptop	1	2	0	0	1	0	1	0
	Smart card	0	0	0	0	0	0	0	0
	Server	1	2	0	0	0	0	0	0
Authentication (Case 3)	Laptop	0	0	0	0	0	0	0	0
	Smart card	1	2	0	0	1	0	1	0
	Server	1	2	0	0	0	0	0	0
Rebuilding smart card	Laptop	1	1	0	3	0	0	0	1
	Smart card	0	0	0	0	0	0	0	0
	Server	0	1	0	0	0	0	0	0
Rebuilding laptop	Laptop	1	1	0	3	0	0	0	1
	Smart card	0	0	0	0	0	0	0	0
	Server	0	1	0	0	0	0	0	0
Updating biometrics	Laptop	3	1	0	3	0	1	1	0
	Smart card	1	0	0	0	0	0	0	0
	Server	0	1	0	0	0	0	0	0
Updating password	Laptop	3	1	0	3	0	0	1	0
	Smart card	1	0	0	0	0	0	0	0
	Server	0	1	0	0	0	0	0	0
Reconstruction	Laptop	0	0	1	0	0	0	0	0
	Smart card	0	0	0	0	0	0	0	0
	Server	0	0	0	0	0	0	0	0

shows the time cost for each phase of our scheme while

Table 4. Performance comparison between the proposed scheme and Yi et al.’s scheme.

Scheme	Compution Cost
	Registration Phase			Authentication Phase			Updating Phase
	Laptop	Smart Card	Server	Laptop	Smart Card	Server	Laptop	Smart Card	Server
Yi et al.’s scheme [7]	$3T_H+3T_M+1T_G+1T_{SS}$	0	$2T_H$	$6T_H+1T_S+2T_V+2T_R$	$7T_H+1T_S+2T_V+1T_R$	$12T_H+2T_S$	$12T_H+4T_S+12T_M+1T_G+2T_R+2T_{SS}$	$2T_H$	$4T_S$
Our scheme	$2T_H+3T_M+1T_G+1T_{SS}$	0	$1T_H$	$1T_H+2T_S+2T_V+2T_R$	$2T_H+2T_S+2T_V+1T_R$	$2T_H+4T_S$	$8T_H+4T_S+12T_M+1T_G+2T_R+2T_{SS}$	$2T_H$	$4T_S$
Time cost reduction		$2T_H$			$20T_H-4T_S=10T_H$			$4T_H$

shows the comparison between our scheme and Yi et al. ’s scheme in terms of efficiency.

Compared with Yi et al.’s scheme, our scheme reduces two hash computations during the registration phase; reduces twenty hash computations, adds four symmetric encryption and decryption computations during the authentication phase; and reduces four hash computations during the updating phase. According to the literature [45], we have $1T_S=2.5T_H$. Therefore, our scheme consumes less time than Yi et al.’s scheme by $2T_H+20T_H+4T_H-4T_S=26T_H-4T_S=26T_H-4\ast 2.5T_H=16T_H$.

In

Table 5. Performance comparison between the proposed scheme and similar schemes.

Scheme	Authentication Phase	Entity			Execution Time	Communication Cost
		Laptop	Smart Card	Server	(ms)	(bits)
Liu et al.’s [5]	Case1	-	$T_H$	-	9.18	128
	Case2	$4T_H+T_S$	-	$5T_H+T_S$	128.52	896
	Case3	$4T_H+T_S$	$T_H$	$5T_H+T_S$	128.52	1024
Hu et al.’s [6]	Case1	$2T_H$	-	-	18.36	128
	Case2	$6T_H+T_S$	-	$4T_H+T_S$	137.70	1024
	Case3	$6T_H+T_S$	$2T_H$	$4T_H+T_S$	156.06	1024
Yi et al.’s [7]	Case1	$T_V+T_R$	$T_H+T_V$	-	109.96	768
	Case2	$6T_H+T_S+T_V+T_R$	-	$6T_H+T_S$	237.99	1152
	Case3	-	$6T_H+T_S+T_V+T_R$	$6T_H+T_S$	237.99	1152
Ours	Case1	$T_V+T_R$	$T_H+T_V$	-	109.96	768
	Case2	$1T_H+2T_S+T_V+T_R$	-	$1T_H+2T_S$	192.09	640
	Case3	-	$1T_H+2T_S+T_V+T_R$	$1T_H+2T_S$	192.09	640

, we compare the computational cost and communication cost in the similar schemes. In the authentication protocol, the frequency of login and authentication is much higher than the frequency of user registration, and the update phase is only executed when the user has an update request, so we only consider the authentication phase. When evaluating the computational and communication costs of these schemes, we assume that the laptop identity $I{D}_{usr}$, smart card identity $I{D}_{sc}$, server identity $I{D}_{ser}$, password $pwd$, output of the hash function H, ciphertext of symmetric encryption algorithm, timestamp, and random number are 128 bits, and the length of the random number R generated by the fuzzy extractor is 256 bits. The computation time of the XOR operation can be ignored. According to [4,45,46,47], we have $T_H\approx 9.18$ ms, $T_S=2.5T_H\approx 22.95$ ms, $T_V\approx 18.85$ ms, and $T_R\approx 63.08$ ms.

From the comparison results, it can be seen that the computational complexity of Liu et al.’s and Hu et al.’s schemes is significantly lower than the latter two schemes. However, as mentioned earlier (in the introduction), their protocol cannot achieve the security they claim. Their protocol’s small computational costs stems from a significant sacrifice in security. Our scheme achieves the same level of security as Yi et al.’s scheme, while also having higher efficiency. In addition, our scheme also reduces one round of communication in the authentication phase, which greatly reduces our communication costs. Among the four schemes, our scheme has the lowest communication cost.

6. Conclusions

This paper gave a systematic analysis of Yi et al.’s scheme and found that its efficiency is relatively low, because users need to establish a session key with the server using a laptop or a smart card before obtaining information stored on the server. This process involves a large amount of hash operations, and the above steps are repeated every time the update operation is performed. Therefore, we proposed a data backup scheme with better performance. Our scheme involves negotiating session keys in advance during the registration phase. In this way, we can reduce ten hash computations and one round of communication in the authentication phase. The experimental results show that our scheme has better execution efficiency and lower communication costs.

Meanwhile, this paper also carried out the security analysis of the scheme and ensured that the scheme has the same security as the scheme of Yi et al. [7].