A Three Factor Remote User Authentication Scheme Using Collision Resist Fuzzy Extractor in Single Server Environment

Due to the rapid growth of online applications, a facility is needed by which communicators can use those applications in a secure way. Because communication takes place over an insecure channel such as the Internet, any adversary can trap and modify the communication messages. Only an authentication procedure can overcome this problem. Researchers have proposed many authentication schemes in the literature. However, this paper shows that many of them are not usable in real-world application scenarios because the existing schemes cannot resist all the possible attacks. Therefore, this paper proposes a three factor authentication scheme using a hash function and a fuzzy extractor. The paper further analyzes the security of the proposed scheme using the random oracle model. The analysis shows that the proposed scheme can resist all the possible attacks. Furthermore, a comparison between the proposed scheme and related existing schemes shows that the proposed scheme has a better trade-off among storage, computational and communication costs.


Introduction
Nowadays, online applications such as bill payment, banking, telecare medical systems, social networking and e-voting are increasingly used because they are easy and efficient to access. All of these applications run in a client/server environment, and communication takes place over a public channel such as the Internet because of the availability of public bandwidth. Therefore, all communication messages of the applications are public. As a result, anyone can trap and modify the communication messages. For this reason, such communication systems use an authentication scheme, by which a secure communication can be carried out over the public channel after verifying the communicators and their messages. In this regard, smart card and password based user authentication schemes are very popular for online communication systems. However, a suitable smart card based authentication scheme should satisfy the following properties:

Low cost: Computational cost, communication cost and smart card storage cost are the three basic network parameters used to measure the performance of an authentication scheme. Therefore, these three parameters have to be reduced as much as possible when an authentication scheme is designed.

Prevention of security attacks: During communication through a public channel, the messages need to be secured against an outside adversary. An authentication scheme needs to be designed in such a way that an adversary is unable to extract useful information from the communication messages and the scheme can resist security attacks.

Session key agreement: After authentication in both directions, a common secret session key is needed to carry on the communication within the same session, with the plaintext messages encrypted under the session key.

Mutual authentication: Mutual authentication is an essential property of an authentication scheme, by which all the communicators can authenticate or verify each other.

Efficient login procedure: In an authentication scheme, the smart card needs to check for wrong inputs before it sends a login message to the server. By checking for wrong inputs in the login phase, extra communication overhead can be avoided. Therefore, this is a crucial property of a good authentication scheme.

Efficient password change procedure: A valid user can change the password freely and securely without any help from the server. For this purpose, the smart card should verify the old password in the password change phase, so that an unauthorized user cannot change the authorized user's password even if it obtains the valid user's smart card. This property should be present in an authentication scheme.

Traceability: In an authentication scheme, the receiver of a message also needs to be able to trace its sender [1]. Otherwise, anyone can mount a denial of service (DoS) attack.

Furthermore, to enhance the security of password based authentication schemes, a biometric feature (i.e., fingerprint, iris, retina etc.) [2] is added to the password. Therefore, this research focuses on designing an efficient biometric plus password based authentication scheme that takes all the aforementioned properties into account.

Literature Survey
A brief survey of existing authentication schemes is given in this section. Lamport [3] first proposed a password-based authentication scheme based on a one-way hash function. However, Shimizu et al. [4] showed that Lamport's scheme [3] suffers from different attacks. After that, many remote user authentication schemes [5-16] were proposed that are based only on a password. Researchers then considered a biometric feature [2] together with the password to enhance the security level, and many biometric and password based authentication schemes were proposed in [17-28]. Li and Hwang [17] proposed a biometrics-based remote user authentication scheme in 2010. However, in 2011, Das [18] showed that Li and Hwang's scheme [17] had flaws in the login phase, authentication phase and password change phase, and therefore Das also proposed an authentication scheme. An [19] showed that Das's scheme [18] cannot resist the server masquerading attack, user impersonation attack, password guessing attack and insider attack, and so proposed an improved scheme. Li et al. [20] found that An's scheme [19] suffered from the denial-of-service (DoS) attack and the forgery attack, and also did not provide forward secrecy. Furthermore, in 2013, Lee and Hsu [21] pointed out that Das's scheme [18] also suffers from the privileged insider attack and the off-line password guessing attack. Therefore, Lee and Hsu [21] proposed a biometric based authentication scheme to overcome the weaknesses of Das's scheme [18]. In 2013, Tan [22] proposed a three-factor authentication scheme. But Yan et al. [23] pointed out that Tan's scheme [22] is vulnerable to the denial-of-service (DoS) attack. However, recently, Mishra et al. [24] showed that Yan et al.'s scheme [23] suffers from the off-line password guessing attack and has inefficient login and password change phases. Huang et al. [29] proposed an authentication scheme based on RSA. But Amin et al. [30] proved that Huang et al.'s scheme [29] is unable to protect against the forgery attack, and also introduced an authentication protocol in [30].

Contribution
This paper proposes a three factor authentication scheme using a hash function and a fuzzy extractor, where the three factors are (1) the user's password, (2) the user's biometric and (3) the smart card. This paper further analyzes the security of the proposed scheme using the random oracle model. The analysis shows that an adversary cannot mount any attack on the proposed scheme, because it would have to invert the one-way hash function and also solve the hardness of the fuzzy extractor. Furthermore, a comparison between the proposed scheme and related existing schemes shows that the proposed scheme has a better trade-off among storage, computational and communication costs. It is a great contribution that the proposed scheme resists all the possible attacks with a better trade-off among the different costs.

Road Map
This section describes the road map followed throughout this paper. Section 2 briefly introduces some preliminary mathematical concepts needed for the proposed scheme. Section 3 describes a network model and an adversary model used to analyze the proposed scheme. The proposed scheme is described in Section 4. Section 5 describes the cryptanalysis of the proposed scheme and Section 6 compares the performance of the proposed scheme with previously published schemes. The conclusion of this paper appears in Section 7.

Preliminaries
This section briefly reviews the basic concepts of the cryptographic one-way hash function and the collision resistant fuzzy extractor.

Definition 1. A collision resistant cryptographic one-way hash function [25,27] where $\Pr[E]$ denotes the probability of the random event $E$.

Definition 2. A collision resistant fuzzy extractor [2,27] can be modeled as a procedure, known as Gen, which takes a binary string $B$ of some metric space $M$ as input, where $M \in \{0, 1\}^k$ for some $k$ bits, and produces a random string $\phi \in_R \{0, 1\}^n$ for some $n$ bits and an auxiliary string $\theta \in_R \{0, 1\}^r$ for some $r$ bits, where $r = k$ or $n$ bits. It can be mathematically represented by $Gen : M \to \phi \times \theta$. Another procedure, known as Rep, takes a binary string $B'$ of the metric space $M \in \{0, 1\}^k$, where $B$ $B'$ and a uniformly distributed binary string $\theta' \in_R \{0, 1\}^r$, to produce the random string $\phi' \in_R \{0, 1\}^n$, symbolized as for all probabilistic polynomial-time algorithms Gen and Rep.
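A sketch of the Gen/Rep pair from Definition 2, added here as an illustration and not taken from the paper. The paper does not say how its fuzzy extractor is built, so this assumes the standard code-offset construction with a 5-fold repetition code and SHA-256 as the extractor; `gen`, `rep`, `REP`, `KEY_BITS` and `SAMPLE_B` are names and values constructed for the example.

```python
import hashlib
import secrets

REP = 5                 # assumption: 5-fold repetition code, corrects 2 flips per group
KEY_BITS = 32           # assumption: number of hidden random bits
K = REP * KEY_BITS      # template length k in bits (here r = k, as in Definition 2)

# Constructed sample template B (stands in for a binarised fingerprint reading).
SAMPLE_B = [(i * i + i // 3) % 2 for i in range(K)]


def encode(bits):
    """Repetition-encode: every bit is written REP times."""
    return [b for b in bits for _ in range(REP)]


def decode(bits):
    """Majority-decode each group of REP bits back to one bit."""
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]


def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit lists."""
    return [x ^ y for x, y in zip(a, b)]


def extract(seed):
    """Hash the recovered seed bits into the n-bit string phi (n = 256 here)."""
    return hashlib.sha256(bytes(seed)).hexdigest()


def gen(B):
    """Gen(B) -> (phi, theta): theta is public helper data, phi is the secret string."""
    if len(B) != K:
        raise ValueError("template must be exactly K bits")
    seed = [secrets.randbits(1) for _ in range(KEY_BITS)]
    theta = xor_bits(B, encode(seed))        # code-offset: codeword masked by the template
    return extract(seed), theta


def rep(B_prime, theta):
    """Rep(B', theta) -> phi': equals phi when B' is close enough to the enrolled B."""
    if len(B_prime) != K or len(theta) != K:
        raise ValueError("template and helper data must be exactly K bits")
    seed = decode(xor_bits(B_prime, theta))  # B' xor theta = codeword xor sensor noise
    return extract(seed)


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (simulated sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    """Enrol SAMPLE_B, then reproduce phi from a close and from a distant reading."""
    phi, theta = gen(SAMPLE_B)
    noisy = flip(SAMPLE_B, [0, 1, 7, 40, 41])   # at most 2 flips in any 5-bit group
    too_far = flip(SAMPLE_B, [0, 1, 2])         # 3 flips in one group defeat the majority vote
    return rep(noisy, theta) == phi, rep(too_far, theta) == phi


if __name__ == "__main__":
    print(demo())
```

In this construction the tolerance is per 5-bit group rather than a single global distance bound, and the helper string is the only value that has to be stored; a reading outside the tolerance yields a different string, so any hash computed from it will not match the enrolled one.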

Model
This section introduces the following two models.

Network Model: The architecture of the proposed scheme is shown in Figure 1. Users have to register with a remote server to get their smart card; this is known as the registration procedure (see Figure 1(a)). Whenever a registered user wants to get service from the remote server by using their smart card over a public channel such as the Internet, the smart card sends a login request message to the remote server. After verifying the login request message, the remote server sends the corresponding reply message to the sender. After receiving the reply message, the smart card checks its validity. Upon receiving a correct reply message, both the user and the remote server agree on a shared secret session key (see Figure 1(b)).

Adversary Model: To analyze the security of the proposed scheme, the Dolev-Yao threat model [31] is considered, in which the communicating parties communicate through an insecure channel. Therefore, an adversary A can trap the messages transmitted over the public or insecure channel, and furthermore he/she can modify, delete or change the contents of the transmitted messages. The adversary A can also obtain the information stored in the user's smart card by monitoring the power consumption [32,33]. Generally, the identity and password of the user are low entropy, which means the adversary can guess the identity and the password individually using a dictionary attack in polynomial time. But the adversary cannot guess the identity and password simultaneously, on-line or off-line, within polynomial time, as pointed out in [34]. According to our adversary model, we consider the following two cases:

• Case 1. A third party from outside the system tries to mount various attacks on the authentication system as an adversary A.
• Case 2. A registered user from inside the system tries to extract secret information of the server, by which he/she can mount various attacks on the authentication system as another user or adversary A.

Proposed Scheme
This section proposes an authentication scheme. The nomenclature used to introduce the proposed scheme is given in Table 1. The proposed scheme consists of five phases, namely 1) initialization phase, 2) registration phase, 3) login phase, 4) authentication and key agreement phase and 5) password update phase. The phases are as follows:

Initialization Phase
A remote server $RS$ runs algorithm $G$ to compute a large prime number $q$. Then it selects a random number $s$ such that $s \in_R Z_q^*$. It further chooses a collision resistant cryptographic one-way hash function $H : \{0, 1\}^* \to \{0, 1\}^n$, where $n$ is a fixed length integer number. Finally, $RS$ publishes $H(\cdot)$ as public and keeps $s$ as secret.

Registration Phase
Whenever a new user $U_i$ wants to register with the remote server $RS$, this phase is invoked. This phase is as follows:
1. The user inputs their biometric feature (i.e., fingerprint) to a sensor. The sensor generates the corresponding biometric information $B_i$ and provides it to $U_i$.
2. The user $U_i$ chooses an identity $ID_i$ and password $pw_i$, and generates a unique pair $(\theta_i, \phi_i)$ from $B_i$ by computing
Then $RS$ issues the smart card for $U_i$ and sends it through a secure channel or in person. $RS$ then updates its database by adding $D_i$ to the list.
4. After getting the smart card, $U_i$ inserts it into a terminal or card reader and submits their identity $ID_i$ and password $pw_i$.

The smart card computes
Finally, the smart card stores $\langle B_i, \theta_i \rangle$ into its memory. Note that the parameters stored in the smart card are $\langle C_i, D_i, B_i, \theta_i, des(\cdot) \rangle$.
Figure 2 shows the registration phase of the proposed scheme.

Login Phase
Whenever a registered user $U_i$ wants to access the remote server, this phase is invoked. $U_i$ inserts their smart card into a card reader or terminal and provides their biometric information $B^*_i$ through the sensor, together with their identity $ID_i$ and password $pw_i$, to the smart card. The smart card then executes the following steps: If it does not hold, the smart card rejects $U_i$; otherwise, it follows the next step.

The smart card computes $\theta$
) and checks whether the computed $D'_i$ and the stored $D_i$ are equal. If equality does not hold, the smart card rejects $U_i$; otherwise, it follows the next step.
3. The smart card chooses a random number $r_i \in_R Z_q^*$ and further computes where $T1_i$ is the current login timestamp of $U_i$. The user $U_i$ then sends a login request message $\langle ID_i, G_i, F_i, E_i \rangle$ to the registration server $RS$ through a public channel.
Figure 3 shows the login phase of the proposed scheme.

Authentication and Key Agreement Phase
After receiving the login request message $\langle ID_i, G_i, F_i, E_i \rangle$ from the user $U_i$ at timestamp $T_s$, the remote server $RS$ executes the following steps: ) and checks whether the computed $F^*_i$ and the received $F_i$ are equal. If it does not hold, $RS$ rejects the login request message of $U_i$; otherwise, it follows the next step.
3. $RS$ chooses a random number $y_i \in_R Z_q^*$ and further computes and sends a reply message $\langle Q_i, L_i, K_i \rangle$ to $U_i$ through a public channel. $RS$ accepts $SK_i$ as the shared secret session key.
After receiving the reply message $\langle Q_i, L_i, K_i \rangle$ from $RS$ at timestamp $T2_i$, the smart card of the user $U_i$ further executes the following steps to verify the reply message of $RS$: If it does not hold, the smart card rejects the reply message; otherwise, it executes the next step.

The smart card computes $SK$
) and checks whether the computed $L'_i$ and the received $L_i$ are equal. If they are equal, the user $U_i$ agrees upon the shared secret key $SK_i$; otherwise, it rejects the reply message.
Figure 4 shows the authentication and key agreement phase of the proposed scheme.

Password Update Phase
Whenever a user $U_i$ wants to change their password, this phase is invoked. $U_i$ inserts their smart card into a card reader or terminal and provides their biometric information $B^*_i$ through the sensor, together with their identity $ID_i$ and password $pw_i$, to the smart card. The smart card then executes the following steps: ) and checks whether the computed $D'_i$ and the stored $D_i$ are equal. If equality does not hold, the smart card rejects $U_i$; otherwise, it gives permission to enter their new password. $^{[new]}_i$ and proves it to the smart card. The smart card then proceeds to the next step.

The smart card computes $pwr$
) and ). The smart card then stores $C^{[new]}_i$, $B^{[new]}_i$ and $\theta^{[new]}_i$ in place of $C_i$, $B_i$ and $\theta_i$ respectively in the memory of the smart card.
Figure 5 shows the password update phase of the proposed scheme.

Security Analysis of Proposed Scheme
The formal security analysis of the proposed scheme under the random oracle model is presented in this section. This security analysis uses the formal security analysis under the generic group model of cryptography. In the following, this work defines the random oracles for the formal security analysis of the proposed scheme:
• OracleH is a random oracle which maintains a tuple $\langle x, y \rangle$ such that $y = H(x)$. It returns $x$ from $y$ upon receiving a query $(qH, y)$ if $\langle x, y \rangle$ is present in the tuple; otherwise it returns a random number $r_1$. Then it stores a new entry $\langle r_1, y \rangle$ into its tuple.
• OracleFE is a random oracle which contains two parts:
1. $OracleFE_{Gen}$ unconditionally outputs the pair $(\phi, \theta)$ from the corresponding tuple $\langle B, \phi, \theta \rangle$ upon receiving a query $(qGen, B)$ such that $(\phi, \theta) \leftarrow Gen(B)$ if $\langle B, \phi, \theta \rangle$ is present in its tuple; otherwise it returns two random numbers $r_2$ and $r_3$. Then it stores a new entry $\langle B, r_2, r_3 \rangle$ into its tuple.

Theorem 1. Under the assumption that a cryptographic one-way hash function $H(\cdot)$ and fuzzy extractor $FE$ act as random oracles, the proposed scheme is provably secure against an adversary A for deriving the password $pw_i$ and biometric parameter $B_i$ of a user $U_i$ even if the adversary A gets the parameters that are stored in the memory of $U_i$'s smart card and traps the communication messages between $U_i$ and the remote server $RS$.
Proof 1. This research constructs an adversary A who has the ability to derive the password $pw_i$ and biometric parameter $B_i$ of a user $U_i$. For this purpose, this research assumes that the smart card of a user $U_i$ is lost or stolen. Thus, the adversary A can extract the stored parameters $\langle C_i, D_i, B_i, \theta_i \rangle$ from the memory of the smart card of the user $U_i$ by power monitoring [32,33]. The adversary A also traps the login request message $\langle ID_i, G_i, F_i, E_i \rangle$ and the reply message $\langle Q_i, L_i, K_i \rangle$. The adversary A runs the experiment $EXP1^{oracle}_{A,TFUAS}$ for our three factor user authentication scheme (TFUAS) to derive the password $pw_i$ and biometric parameter $B_i$ of the user $U_i$, as given in Algorithm 1.

ITM Web of Conferences 13, 01020 (2017), CMES2017. DOI: 10.1051/itmconf/20171301020

Algorithm 1 EXP1 oracle
Calls OracleH on the input $F_i$ to retrieve the information $A_i$, $r_i$ and
3: Calls OracleH on the input $L_i$ to retrieve the information $SK_i$, $T_s$ and
Computes
Computes
else
11: Return 0 (Failure)
Chooses a password $pw^{[guess]}_i$
21: Calls $OracleFE_{Rep}$ on the input $B^{[guess]}_i$ and $\theta^{[guess]}_i$ to retrieve the information $\phi_i$, as ($\phi$
Computes $pwr^{[guess]}_i = H(pw^{[guess]}_i \| \phi^*_i)$
24: until ($pwr^{[guess]}_i == pwr^*_i$)
25: if ($pwr^{[guess]}_i == pwr^*_i$) then

Then the advantage of $EXP1^{oracle}_{A,TFUAS}$ is given by $Adv1^{oracle}_{A,TFUAS}(t, qH, qFE) = \max_{A} \{Succ1^{oracle}_{A,TFUAS}\}$, where the maximum is taken over all A with the execution time $t$, the number of queries $qH$ made to the OracleH oracle and the number of queries $qFE$ made to the OracleFE oracle. Our proposed scheme is said to be provably secure against the adversary A for deriving the password $pw_i$ and biometric parameter $B_i$ of a user $U_i$ if $Adv1^{oracle}_{A,TFUAS}(t, qH, qFE) \le \xi$, for any small $\xi > 0$. According to the algorithm $EXP1^{oracle}_{A,TFUAS}$ (see Algorithm 1), if the adversary A succeeds in inverting the cryptographic one-way hash function $H(\cdot)$ and also succeeds in solving the hardness of the fuzzy extractor, he/she can successfully derive the password $pw_i$ and biometric parameter $B_i$ of the user $U_i$ by using the OracleH random oracle and the OracleFE random oracle, and wins the game. But, according to Definition 1 and Definition 2, we know that $Adv^{OracleH}_{A}(t) \le \xi_1$, for any small $\xi_1 > 0$, and $Adv^{OracleFE}_{A}(t) \le \xi_2$, for any small $\xi_2 > 0$. Hence, we get $Adv1^{oracle}_{A,TFUAS}(t, qH, qFE) \le \xi$, for any small $\xi > 0$, because the proposed scheme depends on both $Adv^{OracleH}_{A}(t)$ and $Adv^{OracleFE}_{A}(t)$. Thus, our proposed scheme is secure against the adversary A for deriving the password $pw_i$ and biometric parameter $B_i$ of the user $U_i$.

Theorem 2. Under the assumption that a cryptographic one-way hash function $H(\cdot)$ acts as a random oracle, the proposed scheme is provably secure against an adversary A for deriving the secret key $s$ of the remote server $RS$ even if the adversary A gets the parameters that are stored in the memory of $U_i$'s smart card and traps the communication messages between a user $U_i$ and the remote server $RS$.
Proof 2. This research constructs an adversary A who has the ability to derive the secret key $s$ of the remote server $RS$. For this purpose, this research considers the same assumptions as discussed in Theorem 1. The adversary A runs the experiment $EXP2^{oracle}_{A,TFUAS}$ for our three factor user authentication scheme (TFUAS) to derive the secret key $s$ of the remote server $RS$, as given in Algorithm 2.

Algorithm 2 EXP2 oracle
Calls OracleH on the input $F_i$ to retrieve the information $A_i$, $r_i$ and
3: Calls OracleH on the input $L_i$ to retrieve the information $SK_i$, $T_s$ and
Computes
Calls OracleH on the input $A^*_i$ to retrieve the information $s$ and $ID_i$ as ($s$
Accepts $s^*$ as secret key of $RS$
Return 0 (Failure)

where the maximum is taken over all A with the execution time $t$ and the number of queries $qH$ made to the OracleH oracle. The proposed scheme is said to be provably secure against the adversary A for deriving the secret key $s$ of the remote server $RS$ if $Adv2^{oracle}_{A,TFUAS}(t, qH) \le \xi$, for any small $\xi > 0$. According to the algorithm $EXP2^{oracle}_{A,TFUAS}$ (see Algorithm 2), if the adversary A succeeds in inverting the cryptographic one-way hash function $H(\cdot)$, he/she can successfully derive the secret key $s$ of the remote server $RS$ by using the OracleH random oracle and wins the game. But, according to Definition 1, we know that $Adv^{OracleH}_{A}(t) \le \xi_1$, for any small $\xi_1 > 0$. Hence, we get $Adv2^{oracle}_{A,TFUAS}(t, qH) \le \xi$, for any small $\xi > 0$, because the proposed scheme depends on $Adv^{OracleH}_{A}(t)$. Thus, our proposed scheme is secure against the adversary A for deriving the secret key $s$ of the remote server $RS$.

Theorem 3. Under the assumption that a cryptographic one-way hash function $H(\cdot)$ acts as a random oracle, the proposed scheme is provably secure against an adversary A for deriving a shared secret session key $SK_i$ between a user $U_i$ and the remote server $RS$ even if the adversary A gets the parameters that are stored in the memory of $U_i$'s smart card and traps the communication messages between $U_i$ and the remote server $RS$.
Proof 3. This research constructs an adversary A who has the ability to derive the session key $SK_i$ between a user $U_i$ and the remote server $RS$. For this purpose, this research considers the same assumptions as discussed in Theorem 1. The adversary A runs the experiment $EXP3^{oracle}_{A,TFUAS}$ for our three factor user authentication scheme (TFUAS) to derive the session key $SK_i$ between the user $U_i$ and the remote server $RS$, as given in Algorithm 3.

Algorithm 3 EXP3 oracle
Output: 0 or 1
1: Calls OracleH on the input $D_i$ to retrieve the information $A_i = H(s \| ID_i)$ as $(A^*_i) \leftarrow OracleH(D_i)$
2: Calls OracleH on the input $F_i$ to retrieve the information $A_i$, $r_i$ and
3: Calls OracleH on the input $L_i$ to retrieve the information $SK_i$, $T_s$ and
Computes
Calls OracleH on the input $SK^*_i$ to retrieve the information $y_i$ and $r_i$ as ($y$

A, TFUAS is given by $Adv3^{oracle}_{A,TFUAS}(t, qH) = \max_{A} \{Succ3^{oracle}_{A,TFUAS}\}$, where the maximum is taken over all A with the execution time $t$ and the number of queries $qH$ made to the OracleH oracle. The proposed scheme is said to be provably secure against the adversary A for deriving the session key $SK_i$ between the user $U_i$ and the remote server $RS$ if $Adv3^{oracle}_{A,TFUAS}(t, qH) \le \xi$, for any small $\xi > 0$. According to the algorithm $EXP3^{oracle}_{A,TFUAS}$ (see Algorithm 3), if the adversary A succeeds in inverting the cryptographic one-way hash function $H(\cdot)$, he/she can successfully derive the session key $SK_i$ between the user $U_i$ and the remote server $RS$ by using the OracleH random oracle and wins the game. But, according to Definition 1, we know that $Adv^{OracleH}_{A}(t) \le \xi_1$, for any small $\xi_1 > 0$. Hence, we get $Adv3^{oracle}_{A,TFUAS}(t, qH) \le \xi$, for any small $\xi > 0$, because the proposed scheme depends on $Adv^{OracleH}_{A}(t)$. Thus, our proposed scheme is secure against the adversary A for deriving the session key $SK_i$ between the user $U_i$ and the remote server $RS$.

Theorem 1 demonstrates that the proposed scheme is secure against the off-line password guessing attack. Theorem 3 demonstrates that the proposed scheme is secure against the session key recovery attack because, without knowing the random numbers $\{r_i, y_i\}$, A cannot compute the session key $SK_i$. In the proposed scheme, the communication messages depend on random numbers and the timestamp. Therefore, the communication messages are guaranteed to be different for every session. Thus, A cannot mount a replay attack on the proposed scheme. In the proposed scheme, A cannot mount a forgery attack without knowing the secret password $pw_i$ and biometric parameter $B_i$ of a user $U_i$ and the secret key $s$ of the remote server $RS$. Theorems 1 and 2 show that the secret information of the remote server and the user is secure from A. Thus, it is infeasible to mount a forgery attack on the proposed scheme.
A valid user, say $U_A$, acting as an adversary A cannot log in to the proposed authentication scheme as another user, say $U_i$, because to log in to the system A has to know the secret key $s$ of the remote server $RS$. As A is a valid user, it knows its own identity $ID_A$, password $pw_A$ and biometric information $\phi_A$. Therefore, A can compute

Comparison
In this section, the performance of the proposed scheme is compared with the existing authentication schemes, namely Li and Hwang's scheme [17], Das's scheme [18], An's scheme [19], Tan's scheme [22], Yan et al.'s scheme [23], Mishra et al.'s scheme [24] and He et al.'s scheme [26]. However, the compared schemes in [17-19], [22-24] and [26] are not suitable for practical use because the schemes cannot resist the possible attacks, as shown in Table 2. In the introduction part of this paper, it has been described that is insecure against security attacks. Moreover, the security analysis of the proposed scheme (see Section 5) shows that the proposed scheme can resist all the possible attacks. Thus, the proposed scheme is more secure than the other schemes.
While resisting all the possible attacks as shown in Section 5, the proposed scheme provides a better trade-off among storage, computational and communication costs than other related existing schemes. Hence, it can be claimed that the proposed scheme is more efficient and secure than other related existing schemes and that it is applicable for practical applications.

• Advantages of proposed scheme
In the following, the advantages of the proposed scheme have been discussed.
Efficient login phase: If a user $U_i$ enters a faulty password and faulty identity by some means in the login phase of the proposed scheme, the smart card can easily detect the wrong inputs before generating a login request message. For this purpose, the smart card computes $B'_i = B_i \oplus H(ID_i \| pw_i)$ and checks $des(B^*_i, B'_i) \le \delta d$. If it does not hold, the smart card rejects $U_i$; otherwise, it computes ) and checks whether the computed $D'_i$ and the stored $D_i$ are equal. If equality does not hold, the smart card rejects $U_i$; otherwise, it accepts the password $pw_i$ and identity $ID_i$ as correct inputs. Therefore, extra communication overhead due to wrong inputs can be avoided in the proposed scheme.
Efficient password change phase: If a user $U_i$ enters a faulty password and faulty identity by some means in the password change phase of the proposed scheme, the smart card can easily detect the wrong inputs before giving the user permission to submit their new password. For this purpose, the smart card computes executes the same steps as mentioned above to check the submitted inputs. Only if the provided inputs are correct does the smart card give $U_i$ permission to enter a new password. Furthermore, to change the password of a user, the smart card does not need to communicate with the remote server. Therefore, communication overhead is also reduced in the proposed scheme, with efficient wrong input detection.
Mutual authentication: In the proposed scheme, the remote server $RS$ computes and accepts a secret session key $SK_i$ after verifying the legitimacy of a user $U_i$ through the login request message, and then $RS$ sends a reply message to the user $U_i$. The user $U_i$ agrees upon the same secret session key $SK_i$ with $RS$ after verifying the legitimacy of $RS$ through the reply message. Therefore, authentication is done in both directions in the proposed scheme. Furthermore, the proposed scheme can resist all the possible attacks (see Section 5). Hence, the proposed scheme achieves mutual authentication.
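The local input check described under "Efficient login phase" and reused for the password change, written out as an added example (not the paper's code). It assumes the card holds the enrolled template masked with H(ID_i ∥ pw_i), SHA-256 as H, a 256-bit template, Hamming distance as des(·) and a constructed threshold δd = 20; the length-prefixed encoding of ID_i ∥ pw_i and all function names are also additions.

```python
import hashlib

N_BITS = 256     # assumption: template length equals the SHA-256 output length
DELTA_D = 20     # constructed tolerance threshold (delta d on the page)


def h_id_pw(identity: str, password: str) -> int:
    """H(ID || pw) as an N_BITS-bit integer.

    Each field is length-prefixed so ("ab", "c") and ("a", "bc") hash differently;
    the page writes plain concatenation, the prefix is an addition in this example.
    """
    data = b""
    for field in (identity.encode(), password.encode()):
        data += len(field).to_bytes(2, "big") + field
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def des(a: int, b: int) -> int:
    """Hamming distance between two bit strings held as integers."""
    return bin(a ^ b).count("1")


def mask_template(template: int, identity: str, password: str) -> int:
    """Value written to the card: the template XORed with H(ID || pw)."""
    return template ^ h_id_pw(identity, password)


def card_accepts(stored: int, sample: int, identity: str, password: str) -> bool:
    """Login step 1: B' = stored XOR H(ID || pw); accept if des(B*, B') <= delta d.

    With a wrong identity or password B' is the template XORed with an unrelated
    hash value, so its distance to the fresh sample is close to N_BITS / 2 and the
    card rejects before any login request is built.
    """
    b_prime = stored ^ h_id_pw(identity, password)
    return des(sample, b_prime) <= DELTA_D


def noisy(template: int, flips: int) -> int:
    """Constructed sensor noise: invert the lowest `flips` bits of the template."""
    return template ^ ((1 << flips) - 1)


# Constructed enrolment data for the demonstration.
TEMPLATE = int.from_bytes(
    hashlib.sha256(b"constructed fingerprint template").digest(), "big")
STORED = mask_template(TEMPLATE, "alice", "correct horse")


def demo():
    """Run the card-side check on four constructed login attempts."""
    fresh = noisy(TEMPLATE, 10)   # same finger, 10 bit errors
    return {
        "right inputs": card_accepts(STORED, fresh, "alice", "correct horse"),
        "wrong password": card_accepts(STORED, fresh, "alice", "correct hors"),
        "wrong identity": card_accepts(STORED, fresh, "alicia", "correct horse"),
        "too noisy": card_accepts(STORED, noisy(TEMPLATE, 30), "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The threshold has to sit well below half the template length, because that is the distance a wrong identity or password produces.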

Figure 1. Network architecture of proposed scheme: (a) registration procedure and (b) login and authentication procedure

Figure 2. Registration phase of the proposed scheme

Figure 3. Login phase of the proposed scheme

Figure 4. Authentication and key agreement phase of the proposed scheme

Figure 5. Password update phase of the proposed scheme

We define the success probability for $EXP1^{oracle}_{A,TFUAS}$ as $Succ1^{oracle}_{A,TFUAS} = \Pr[EXP1^{oracle}_{A,TFUAS} = 1]$.
maps a string of arbitrary length to a string of fixed length called the hashed value. It can be symbolized as $H : A \to B$, where $A$ is a binary string of arbitrary length and $B$ is a binary string of fixed length $n$. If $Adv^{H}_{A}(t_1)$ is the advantage of an adversary A in choosing a random pair $(a, b) \in A \times A$ such that $H(a) = H(b)$, where $a \neq b$, for the time duration $t_1$, it can be considered that $Adv^{H}_{A}(t_1)$ is the probability in the advantage which is computed over the random choices made by the adversary A for the time duration $t_1$. Then the cryptographic one-way hash function $H(\cdot)$ is called collision-resistant, if

where $\delta d$ is the difference tolerance level and $B$ $B'$ for the time duration $t_2$, it can be considered that $Adv^{FE}_{A}(t_2)$ is the probability that the advantage is computed over the random choices made by A for the time duration $t_2$. Then the fuzzy extractor $FE$ is called collision-resistant, if $Adv^{FE}_{A}(t_2) \le \xi_2$, for any small $\xi_2 > 0$. $Adv^{FE}_{A}(t_2)$ is represented as:

Table 1. Nomenclature

$X'$ : Parameter $X$ computed or extracted by smart card
$X^*$ : Parameter $X$ computed or extracted by $RS$
$\delta T$ : Estimated timestamp
$SK_i$ : Shared session key between $U_i$ and $RS$
$H(\cdot)$ : Cryptographic one-way hash function
$s$ : Secret key of remote server
$\|$ : Concatenation operation
$\oplus$ : Bitwise XOR operation

Choose $ID_i$ and pw and sends $\langle ID_i, pwr_i \rangle$ to $RS$ through a secure channel.
Terminal: input $ID_i$, $pw_i$ and biometric $B^*_i$.
it does not hold, $RS$ rejects $U_i$; otherwise, executes the next step.
1. The smart card computes $B'_i = B_i \oplus H(ID_i \| pw_i)$ and checks $des(B^*_i, B'_i) \le \delta d$. If it does not hold, the smart card rejects $U_i$; otherwise, it follows the next step.