AMAKAS: Anonymous Mutual Authentication and Key Agreement Scheme for securing multi-server environments

The rapid growth of Internet users motivated the emergence of new computing models such as cloud computing, fog computing and edge computing. For this reason, the multi-server architecture has been introduced to extend scalability and accessibility. To ensure that these servers can only be accessed by authorized users, many authentication and key agreement schemes have been introduced for multi-server environments. In this paper, we propose an anonymous mutual authentication and key agreement scheme for multi-server architecture based on elliptic curve cryptography to achieve the required security services and resist the well-known security attacks. Furthermore, formal and informal security analyses are conducted to prove the security of the proposed scheme. Moreover, we provide a performance comparison with related work in terms of computational cost, communication cost and the number of messages transferred on the public channel. This performance comparison clearly shows that the proposed scheme is highly efficient in terms of computation, communication cost and security analysis as compared to other related schemes, which makes the proposed scheme more suitable and practical for multi-server environments.


Introduction
The multi-server environment was established as a result of the rapid increase in internet users and the Internet of Things (IoT). A multi-server environment is a sort of server infrastructure that makes use of multiple physical servers to give consumers access to numerous services and applications. The key benefit of using a multi-server system is that it can provide a higher level of availability, reliability, and security than a single-server environment. Additionally, because the load may be distributed across numerous servers, a multi-server architecture can provide a higher level of performance than a single-server environment. However, secure and efficient communication between the concerned parties has grown more vital in multi-server environments, especially in areas including e-commerce and distributed storage systems.
Many security requirements must be achieved in multi-server environments, such as mutual authentication between the user and the server, user anonymity, user un-traceability and forward secrecy. Moreover, there are many types of attacks that must be resisted in a multi-server environment, such as impersonation attack, replay attack, insider attack, stolen card attack, man-in-the-middle attack, and known session specific temporary information attack. To communicate securely and effectively over an unsecure network, a shared session key must first be negotiated and agreed between the involved parties. The only remedy for such negotiations is to use authentication-and-key-agreement protocols. The first password authentication using insecure communication was proposed by Lamport [1] as the most simple and practical method for authenticating a user from remote servers. However, Lamport's scheme [1] could not resist insider attack once the password file stored in the server is compromised. To overcome this limitation, many two-factor authentication schemes have been proposed based on smart cards in which important secret parameters are stored [2][3][4]. The main drawback of the two-factor authentication schemes is the power analysis attack on a stolen smart card, which may expose the scheme to offline password attack. As a result, research has shifted to three-factor authentication techniques based on biometrics [5][6][7].
Elliptic Curve Cryptography (ECC) was employed in two-factor and three-factor authentication protocols [8][9][10][11] in order to gain the advantages of the ECC properties of creating small size keys with high security efficiency [12]. Some multi-server authentication protocols involve the registration center not only in the registration phase but also in the authentication phase between user and server, in order to decrease the computation load on the user and overcome the user's limited resources [10,13,14]. However, involving the registration center in the authentication phase between user and server adds load on the registration center, which delays the registration center's response.

Motivation
The rapid increase of internet users and IoT has focused current research on the multi-server environment, in which authentication and key agreement are the main goals to securely offer several services and applications. Numerous existing schemes are proposed to provide authentication and key agreement in multi-server environments using different methods such as password-based authentication [1], smart cards-based authentication [4,15,16], three-factor authentication [6,7,13], dynamic ID-based authentication [17,18], and ECC-based authentication [9,12]. However, most of the existing schemes can't achieve some security services like mutual authentication and user untraceability and can't resist different types of attacks. On the other side, the schemes that succeeded in providing secure communications do so at the expense of high computation cost and communication overhead. Motivated by the existing studies and the need for a secure multi-server environment, a lightweight authenticated key agreement scheme with a small number of messages of a small number of bits is imperatively needed to resist security threats, reduce communication overhead, and meet the limitations of devices with low computation capabilities.

Contributions
We summarize our significant and key contributions in the field of multi-server environments as follows:
• Firstly, a multi-server environment is considered, and then Elliptic Curve Cryptography is employed to design the proposed Anonymous Mutual Authentication and Key Agreement Scheme (AMAKAS) for securing multi-server environments.
• The proposed AMAKAS scheme guarantees the security requirements of multi-server environments and withstands various types of attacks in multi-server environments.
• The proposed AMAKAS scheme enables users to mutually authenticate with servers without involving the registration center in the authentication phase.
• The proposed AMAKAS scheme outperforms the related schemes.

Road map of the paper
The remainder of the paper is structured as follows: In "Related work" section, related work is reviewed, "System model and threat model" section depicts the system model and the threat model, while "The proposed AMAKAS scheme" section introduces the proposed anonymous mutual authentication and key agreement scheme. "Security analysis" section passes through a security analysis of the proposed scheme. The security and performance comparison with other related schemes is demonstrated in "Security and performance comparisons" section. Finally, the paper is concluded in "Conclusion" section.

Related work
In 2016, Chang et al. proposed a scheme based on smart card and biometrics [15]; this scheme can resist offline password guessing and stolen card attack, but it could not resist user impersonation attack. In 2017, Quan et al. proposed a biometrics-based scheme [16] to overcome the shortcoming of Chang et al.'s scheme [15] to resist the impersonation attack. In the same year, Jangirala et al. proposed a remote user authentication scheme based on dynamic ID using smart cards [17] in which the user is free to choose his login credentials; however, Sahoo et al. [18] proved that Jangirala et al.'s scheme [17] failed to attain mutual authentication as it claimed and failed to resist user impersonation attack, forgery attack, and replay attack. Additionally, Sahoo et al. [18] proposed an improved two-factor dynamic ID based scheme to overcome the shortcoming of Jangirala et al. [17]; however, Sudhakar et al. [19] analyzed Sahoo et al.'s scheme [18] and proved that it still cannot resist replay and user impersonation attack. Shunmuganathan [20] proposed a lightweight two factor-based scheme to overcome the drawbacks of Sahoo et al. [18], but it failed to achieve user anonymity and user un-traceability as a result. Moreover, Shunmuganathan's scheme [20] has high computations at the server and registration center. Kuo-Hui Yeh proposed a novel multi-server-based authentication scheme [21]; however, Truong et al. [22] proved that Kuo-Hui Yeh's scheme [21] failed to achieve mutual authentication and session-key agreement. Hence, Truong et al. [22] proposed an improved ECC based scheme to overcome the shortcoming of Yeh's scheme [21]. However, Yan et al. [23] observed that Truong et al.'s scheme [22] could not resist impersonation attack. Hence, Yan et al. [23] proposed a scheme to overcome Truong et al.'s scheme [22]. However, Yan et al.'s scheme [23] still cannot achieve user anonymity and needs synchronization nodes to resist replay attack. Additionally, Yan et al.'s scheme [23] can't resist man-in-the-middle attack and known session specific temporary information attack.
In 2020, Akram et al. [24] proposed a three factor ECC-based authentication scheme that can achieve mutual authentication and user anonymity, and could resist replay, impersonation and password guessing attack. However, on the other hand, Akram et al.'s scheme [24] has a very high computational time due to using the ECC multiplicative inverse. In 2021, Amintoosi et al. [25] proposed an ECC-based three factor authentication scheme which is capable of achieving mutual authentication, user anonymity and forward secrecy, but it could not achieve user un-traceability and could not resist server impersonation attack. Wang et al. [26] proposed a biometric-based multi-server authentication scheme using elliptic curve cryptosystem to achieve authentication; however, Wu et al. [27] demonstrated that Wang et al.'s scheme [26] can't resist user impersonation attacks, server impersonation attacks, and known session-specific temporary information attacks. Both schemes [26,27] suffered from high computations at the registration center side as the registration center is involved in the authentication phase.
In 2022, Truong et al. proposed a three factor-based authentication scheme [28] in which the registration center is a party in the authentication phase to decrease the computations at the user side, where the user's resources are limited compared to the registration center. Truong et al.'s scheme [28] could achieve mutual authentication and user anonymity, and also could resist both user and server impersonation attack, replay attack, man-in-the-middle attack, and known session specific temporary information attack. However, Truong et al.'s scheme [28] failed to achieve user un-traceability and suffers from high computation load at the registration center side. Guo et al. proposed a biometric-based authentication scheme using public key encryption [29] to achieve authentication; however, Chen et al. [30] demonstrated that Guo et al.'s scheme [29] can't resist user impersonation attack and replay attack. Additionally, Chen et al. [30] proposed a three-factor authentication scheme to overcome the drawbacks of Guo et al.'s scheme [29]; but Chen et al. [30] failed to resist server impersonation attack; moreover, it needs synchronization nodes to resist replay attack due to using a time stamp.
Bae et al. [31] proposed a smart card-based authentication protocol to protect the multi-server IoT environment from potential security vulnerabilities; Agarwal et al. [32] demonstrated that Bae et al.'s scheme [31] can't resist user impersonation attack, replay attack, and insider attack. Additionally, Agarwal et al. [32] proposed a three-factor authentication scheme to overcome the drawbacks of Bae et al.'s scheme [31]; however, Agarwal et al.'s scheme [32] suffers from high computations at the server and registration center as well.
Cho et al. [33] proposed an ECC three factor-based authentication scheme to overcome the drawbacks of Sudhakar et al.'s scheme [19], but Cho et al.'s scheme [33] needs synchronization nodes to resist replay attack. Khan et al. [34] proposed an ECC three factor-based authentication scheme for cloud server, but it failed to achieve user un-traceability and it could not resist replay attack.
In 2023, Yao et al. proposed an authentication and key agreement scheme for edge computing in vehicular ad hoc networks (VANETs) [35] based on bilinear map. It could achieve mutual authentication, user anonymity, user un-traceability and forward secrecy. However, Yao et al.'s scheme [35] suffers from high computational time due to employing bilinear map. Also, the LAMAS scheme [36] has been proposed for securing the fog computing environment; however, the scheme didn't consider the mobility of fog users between fog areas.
Ui Haq et al. [37] proposed a hash-based authenticated key agreement scheme using only XOR operations and hash functions. The scheme [37] can achieve user anonymity at a low cost; however, it can't achieve user un-traceability as the attacker can trace the user and link many sessions of the same user by XORing the sent parameters of the login request. Moreover, the scheme [37] can't achieve perfect forward secrecy, and it is also vulnerable to replay attacks. Dhillon and Kalra [38] proposed a lightweight three-factor user authentication scheme based on XOR operations and hash functions; however, Lee et al. [39] found that Dhillon and Kalra's scheme [38] can't provide a session key agreement and user un-traceability and can't resist user impersonation attack, replay attack, stolen mobile device attack, and known session-specific temporary information attack.

System model and threat model
In this section, the system model and threat model will be demonstrated.

System model
As shown in Fig. 1, the multi-server architecture consists of three entities: n users, m servers and the Registration Center (RC).
• In the registration phase, RC generates the required secret credentials for each user $U_i$ and each server $S_j$, as each user and each server must register only once with the registration center. RC also stores the $U_i$'s secret parameters generated by RC on a smart card SC and delivers the smart card to $U_i$. Both user registration and server registration are done through a secure channel.
• Once the registration is done, the authentication phase starts: the user authenticates himself by inserting SC into the smart card reader and using his login parameters (username, password, and biometric impression) to verify himself. After that, the user and server run the mutual authentication and key agreement protocol for secure communication between them; note that mutual authentication is done through an insecure public channel.
• Once mutual authentication is achieved, any legitimate registered user can connect with any of the m legitimate registered servers in the network.

Threat model
We assume that the adversary:
• Has full control over the insecure public communication channel between user and server.
• Can intercept, modify, replay, or even delete messages transmitted through the public channel.
• Can find the secret parameters stored on the smart card using the power analysis attack.
• Can find the password through an offline dictionary attack using parameters which are disclosed from the smart card.
• Tries to find the current session key; upon revealing the current session key, old session keys can be compromised as well.
• Can run a user impersonation attack if the user's password or smart card can be accessed.

The proposed AMAKAS scheme
To achieve anonymous mutual authentication and key agreement between user and server in multi-server environments, we propose a scheme consisting of three phases: the registration phase, the login phase, and the authentication phase.

Registration phase
In this phase, both user and server register with the registration center (RC) as follows:

Server registration
1. Initially, a server $S_j$ registers with the RC by choosing an identity $ID_j$ and sending it to the RC through a secure channel.
2. The RC generates a random number $e_j$ and calculates the server secret key $ASID_j = h(ID_j \| X \| e_j)$, where $X$ is the secret key of RC, and calculates the server public key $PKS_j = ASID_j \cdot P$, where $P$ is the elliptic curve base point.
3. Finally, the RC sends to each server $S_j$ its own secret key and server public key through a secure channel.

Fig. 1 Multi-server's architecture

User registration
1. Similarly, each user $U_i$ registers with the RC by selecting the user identity $ID_u$ and password $PW_u$ and describes his biometric impression $B_u$.
2. User $U_i$ generates random nonce $a$, calculates and sends $\{ID_u, M, TW\}$ to the RC through secure channel.
3. RC generates random number $a_u$ and calculates $A_u = a_u \cdot P$, channel to be printed on the Smart Card (SC).

Login phase
The login and authentication phase is shown in Fig. 2. In the login phase, the user $U_i$ logs into the system by taking the following steps:
1. Initially, user $U_i$ inserts the SC into the smart card reader and inputs his login parameters $\{ID_u, PW_u, B_u\}$.
2. SC calculates $TW = h(a \oplus H(B_u \| PW_u))$ and $F_u^* = h(h(ID_u \| TW))$, and compares $F_u^*$ with the $F_u$ stored in the SC. If $F_u^* \neq F_u$, the session will be discarded; otherwise, SC generates random number $C_u$ and computes $W = C_u \cdot P$, $OP = C_u \cdot PKS_j = C_u \cdot ASID_j \cdot P$, $OPA_u = A_u \oplus OP$, and uses the most significant $l$ bits of $h(OP)$ to compute to server $S_j$ via public channel.

Authentication phase
In this phase, mutual authentication and key agreement between the user and the server can be achieved by taking the following steps:
1. Upon receiving $M_1 = \{W, OPA_u, PID_u, DID_u\}$, the server calculates $OP = C_u \cdot PKS_j = W \cdot ASID_j = C_u \cdot P \cdot ASID_j$, $A_u = OPA_u \oplus OP$, and uses the most significant $l$ bits of $h(OP)$ to compute Then, $S_j$ compares the calculated $DID_u^*$ with the received $DID_u$. If $DID_u^* \neq DID_u$, the session will be discarded; otherwise, $S_j$ generates random number $D_j$, and calculates $v_j = D_j \oplus OP$, $SK = h(ID_u \| OP \| D_j \| X_u \| ID_j)$, and , and compares the calculated $Q_{uj}$ with the received $Q_{ju}$.
5. If $Q_{uj} = Q_{ju}$, mutual authentication has been achieved and the session key has been agreed between the user $U_i$ and the server $S_j$; otherwise, the session will be discarded.
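The login and authentication exchange above as an added Python example (not the authors' code), built from the equations that appear on this page. Assumptions: secp256k1 as the curve, SHA-256 for both h and H, points encoded as x||y, $Y_u = X_u \oplus h(M \| TW)$ with the nonce $a$ kept on the card, the server deriving $X_u$ from $ASID_j \cdot A_u$, an on-curve check on received points, and all function names.

```python
import hashlib, hmac, secrets

# secp256k1 domain parameters (assumed curve: the paper does not name one).
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP)
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, pt):  # double-and-add (teaching code, not constant time)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def enc(pt):   # point -> 64 bytes x||y (assumed encoding)
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def dec(b):    # 64 bytes -> point, or None when (x, y) is not on y^2 = x^3 + 7
    x, y = int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big")
    return (x, y) if x < FP and y < FP and (y * y - x**3 - 7) % FP == 0 else None

def h(*parts):  # h(.) and H(.) are both modelled as SHA-256 over the concatenation
    return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b):  # truncates to the shorter operand, i.e. the leading l bits
    return bytes(x ^ y for x, y in zip(a, b))

def register_server(rc_key, id_j):
    e_j = secrets.token_bytes(32)
    asid = int.from_bytes(h(id_j, rc_key, e_j), "big") % N    # ASID_j = h(ID_j||X||e_j)
    return asid, mul(asid, P)                                 # PKS_j = ASID_j.P

def register_user(id_u, pw, bio, asid, pks):
    a, a_u = secrets.token_bytes(32), secrets.randbelow(N - 1) + 1
    m, tw = h(id_u, bio), h(xor(a, h(bio, pw)))               # M, TW
    x_u = h(enc(mul(a_u, pks)), id_u, asid.to_bytes(32, "big"))
    # Assumed: Y_u = X_u xor h(M||TW), and the nonce a is kept on the card.
    return {"a": a, "A_u": enc(mul(a_u, P)), "Y_u": xor(x_u, h(m, tw)),
            "F_u": h(h(id_u, tw))}

def login(card, id_u, pw, bio, pks):
    m, tw = h(id_u, bio), h(xor(card["a"], h(bio, pw)))
    if not hmac.compare_digest(h(h(id_u, tw)), card["F_u"]):
        return None                                           # F*_u != F_u
    c_u = secrets.randbelow(N - 1) + 1
    op, x_u = enc(mul(c_u, pks)), xor(card["Y_u"], h(m, tw))  # OP = C_u.PKS_j
    m1 = {"W": enc(mul(c_u, P)), "OPA_u": xor(card["A_u"], op),
          "PID_u": xor(id_u, h(op)), "DID_u": h(card["A_u"], x_u, op)}
    return m1, {"ID_u": id_u, "OP": op, "X_u": x_u}

def server_auth(m1, asid, id_j):
    w = dec(m1["W"])
    if w is None:
        return None                                           # off-curve W
    op = enc(mul(asid, w))                                    # OP = W.ASID_j
    a_u, id_u = xor(m1["OPA_u"], op), xor(m1["PID_u"], h(op))
    a_pt = dec(a_u)
    if a_pt is None:
        return None                                           # off-curve A_u
    # Assumed server-side derivation: a_u.PKS_j equals ASID_j.A_u.
    x_u = h(enc(mul(asid, a_pt)), id_u, asid.to_bytes(32, "big"))
    if not hmac.compare_digest(h(a_u, x_u, op), m1["DID_u"]):
        return None                                           # DID*_u != DID_u
    d_j = secrets.token_bytes(32)
    sk = h(id_u, op, d_j, x_u, id_j)
    return {"Q_ju": h(id_u, op, d_j, id_j, sk), "v_j": xor(d_j, op)}, sk, id_u

def user_finish(m2, st, id_j):
    d_j = xor(m2["v_j"], st["OP"])                            # D_j = v_j xor OP
    sk = h(st["ID_u"], st["OP"], d_j, st["X_u"], id_j)
    q_uj = h(st["ID_u"], st["OP"], d_j, id_j, sk)
    return sk if hmac.compare_digest(q_uj, m2["Q_ju"]) else None

def demo():
    # Constructed sample identities and credentials.
    id_u, id_j = b"alice".ljust(32, b"\0"), b"server-1"
    asid, pks = register_server(secrets.token_bytes(32), id_j)
    card = register_user(id_u, b"correct horse", b"bio-template", asid, pks)
    m1, st = login(card, id_u, b"correct horse", b"bio-template", pks)
    m2, sk_server, seen_id = server_auth(m1, asid, id_j)
    return user_finish(m2, st, id_j) == sk_server and seen_id == id_u

if __name__ == "__main__":
    print("session key agreed:", demo())
```

The biometric input is modelled as a fixed byte string; a real deployment would need an error-tolerant extraction step before hashing.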

Security analysis
This section provides an informal security analysis of the proposed AMAKAS scheme in addition to formal security analysis using Burrows-Abadi-Needham (BAN) logic [41].

Informal security analysis
In this subsection, an informal security analysis will be provided to explain how the proposed AMAKAS scheme achieves the most important security requirements including mutual authentication, user anonymity, un-traceability, and forward secrecy. In addition, we explain how the proposed AMAKAS scheme resists the most known attacks including impersonation attack, replay attack, stolen card attack, man-in-the-middle attack, and known session specific temporary information attack.

Mutual authentication
The proposed AMAKAS scheme achieves mutual authentication since both the legitimate user and the legitimate server can authenticate each other. The server $S_j$ authenticates the user $U_i$ by computing $DID_u^* = h(A_u \| X_u \| OP)$ and comparing it with the received $DID_u$ in $M_1$. The user computes where $Y_u$ is stored on the SC, calculating $M = H(ID_u \| B_u)$ requires knowing the user identity $ID_u$ and biometric impression $B_u$ of the user, and calculating $TW = h(a \oplus H(B_u \| PW_u))$ requires knowing the random number $a$, the biometric impression $B_u$, and the user password $PW_u$, which are known only to the legitimate user. Therefore, the server can authenticate the user.
On the other hand, the user $U_i$ authenticates the server $S_j$ by computing $Q_{uj} = h(ID_u \| OP \| D_j \| ID_j \| SK)$ and comparing it with the received $Q_{ju}$ in $M_2$. The server $S_j$ can obtain $OP = C_u \cdot PKS_j = W \cdot ASID_j$ using the server's private key $ASID_j$, which is known only to the server $S_j$, and then extract the identity of the user as $ID_u = PID_u \oplus h(OP)$. Thus, the server can authenticate the user.
Therefore, mutual authentication between user and server has been achieved and the session key has been agreed on. Furthermore, early detection of any possible replay attack has been ensured.

User anonymity
The proposed AMAKAS scheme can achieve user anonymity because, in each authentication message, the user identity $ID_u$ is randomized using $OP = C_u \cdot PKS_j$, where $C_u$ is a random number, and hidden through a dynamic pseudo-identity $PID_u = ID_u \oplus h(OP)$. Even if the adversary A intercepts the transmitted message $M_1 = \{W, OPA_u, PID_u, DID_u\}$, he still cannot extract the user identity $ID_u$ from the dynamic pseudo-identity $PID_u = ID_u \oplus h(OP)$, as the adversary first needs to obtain $OP$ using the server's secret key $ASID_j$, which is unknown to the adversary.

User un-traceability
The proposed AMAKAS scheme can achieve user un-traceability because, in each login message $M_1 = \{W, OPA_u, PID_u, DID_u\}$ sent to the server by the user, the user generates a new random number $C_u$ which is used to calculate $W = C_u \cdot P$ and $OP = C_u \cdot PKS_j$; then $OP$ is used to randomize $OPA_u = A_u \oplus OP$, $PID_u = ID_u \oplus h(OP)$, and $DID_u = h(A_u \| X_u \| OP)$. Hence, the value of the transmitted message $M_1 = \{W, OPA_u, PID_u, DID_u\}$ is updated in each session. Moreover, if the attacker computes $OPA_u \oplus PID_u$, this will result in $A_u \oplus OP \oplus ID_u \oplus h(OP)$, which is not a fixed value; this is why we used $h(OP)$ to randomize $ID_u$ instead of using $OP$ directly. Thus, even if the adversary A intercepts the transmitted message $M_1 = \{W, OPA_u, PID_u, DID_u\}$, he still cannot relate any repeated messages. Therefore, user un-traceability is guaranteed.
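The design choice in the paragraph above, written as an unlinkability regression check (an added example, not part of the paper): it masks $ID_u$ once with $OP$ directly and once with $h(OP)$, then groups observed logins by $OPA_u \oplus PID_u$. Assumptions: SHA-256 as h, 32-byte random strings standing in for $A_u$ and for the fresh per-session $OP$, and all function names.

```python
import hashlib
import secrets
from collections import defaultdict

def h(data):
    return hashlib.sha256(data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def login_fields(a_u, id_u, hash_mask):
    """Return (OPA_u, PID_u) for one session.

    op stands in for the per-session value OP = C_u.PKS_j; only its
    freshness matters for this check, so it is drawn at random (assumption).
    """
    op = secrets.token_bytes(32)
    opa_u = xor(a_u, op)                            # OPA_u = A_u xor OP
    pid_u = xor(id_u, h(op) if hash_mask else op)   # scheme uses ID_u xor h(OP)
    return opa_u, pid_u

def linkable_groups(messages):
    """Group session indices whose OPA_u xor PID_u values collide."""
    seen = defaultdict(list)
    for idx, (opa_u, pid_u) in enumerate(messages):
        seen[xor(opa_u, pid_u)].append(idx)
    return sorted(g for g in seen.values() if len(g) > 1)

def run(hash_mask, sessions=3):
    # Constructed users: a random stand-in for A_u plus a padded identity.
    users = [(secrets.token_bytes(32), name.ljust(32, b"\0"))
             for name in (b"alice", b"bob")]
    msgs = [login_fields(a_u, id_u, hash_mask)
            for a_u, id_u in users for _ in range(sessions)]
    return linkable_groups(msgs)

if __name__ == "__main__":
    print("masked with OP   :", run(hash_mask=False))  # sessions group per user
    print("masked with h(OP):", run(hash_mask=True))   # no groups
```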

Forward secrecy
Forward secrecy is achieved when a temporary secret session key is uniquely generated for every individual session between user and server. If one of these session keys is compromised, messages transmitted in past sessions will remain protected from attacks.
In the proposed AMAKAS scheme, the session keys are independent of each other because, in each session, the session key $SK = h(ID_u \| OP \| D_j \| X_u \| ID_j)$ is generated based on new random values of $C_u$ and $D_j$, where $D_j$ is a random number generated by the legitimate server and $C_u$ is a random number generated by the legitimate user to compute $OP = C_u \cdot PKS_j$. Therefore, even if the current session key is compromised, the adversary still cannot obtain the previous session keys.
Additionally, assume that the attacker can get the server's secret key $ASID_j$ and can intercept all transmitted messages $M_1 = \{W, OPA_u, PID_u, DID_u\}$ and $M_2 = \{Q_{ju}, v_j\}$. Even under these assumptions, without knowing the random number $D_j$ and the value of $OP$, the attacker will not be able to compromise the messages of previous sessions. Furthermore, the computation to obtain the server's secret key $ASID_j$ is a very complex task due to the ECDHP problem.

Impersonation
For the server impersonation attack: The server secret key $ASID_j = h(ID_j \| X \| e_j)$ is calculated through a one-way hash function over the server ID, the secret key of the registration center, and the random number $e_j$ generated by the registration center; therefore, $ASID_j$ is only known by the legitimate server. If the adversary aims to impersonate the legitimate server, he has to be capable of generating $M_2 = \{Q_{ju}, v_j\}$, but calculating $v_j = D_j \oplus OP$ requires obtaining the correct value of $OP = C_u \cdot PKS_j = W \cdot ASID_j$, which is based on the server's secret key, which is known only by the legitimate server. Hence, the adversary cannot generate a valid $v_j$. Similarly, calculating $Q_{ju} = h(ID_u \| OP \| D_j \| ID_j \| SK)$ requires calculating the correct value for $OP$ and the session key $SK = h(ID_u \| OP \| D_j \| X_u \| ID_j)$, which is based on calculating $X_u = h(a_i \cdot PKS_j \| ID_u \| ASID_j)$, which requires knowing the random number $a_i$ generated by the registration center, the user ID, and the server's secret key $ASID_j$. Therefore, still only the legitimate server can generate $Q_{ju}$. Hence, the proposed AMAKAS scheme can resist server impersonation attack.

Replay attack
The proposed AMAKAS scheme can resist replay attack because, with each login message $M_1 = \{W, OPA_u, PID_u, DID_u\}$ generated by the user, a fresh random number $C_u$ is generated. Even if the adversary could replay $M_1$, mutual authentication between user and server cannot be achieved as the adversary does not know the random number $C_u$; therefore, he cannot compute $OP = C_u \cdot PKS_j$ nor $D_j = v_j \oplus OP$. Hence, he cannot extract the session key $SK = h(ID_u \| OP \| D_j \| X_u \| ID_j)$.

Stolen card attack
The proposed AMAKAS scheme can resist the stolen card attack: even if the adversary can steal the SC and extract the data stored on the SC $\{A_u, Y_u, F_u\}$, he still cannot guess the user password nor the user ID, since the extracted data are not used in computing the password, and the user ID is not included in the extracted data. Therefore, the adversary cannot generate the login message, and the proposed AMAKAS scheme can resist stolen card attack.

Man-in-the-middle attack
Between the user and server, a man-in-the-middle attacker pretends to be a node in the middle, but the attacker can't know the password $PW_u$ of the user $U_i$ and can't get his biometric impression $B_u$; also, the attacker can't obtain the secret key $ASID_j$ of server $S_j$. When the attacker attempts to impersonate each party in this situation, he is unable to generate a valid $DID_u$ as it is computed using $X_u = Y_u \oplus h(M \| TW)$, which is locally computed at user $U_i$ using the user's password and biometric impression as $TW = h(a \oplus H(B_u \| PW_u))$. Additionally, the attacker can't know the shared session key $SK = h(ID_u \| OP \| D_j \| X_u \| ID_j)$ as it requires knowing $OP$ and the random number $D_j$, which can't be obtained without knowing the secret key $ASID_j$ of server $S_j$. Hence, the proposed AMAKAS scheme can resist man-in-the-middle attack.

Known session specific temporary information attack
In this attack, when temporary secret values, such as random numbers, are revealed, an attacker tries to obtain the current session key. After completing the login and authentication phase, if $OP$ and the random number $D_j$ can be obtained, the attacker can compute $A_u$ and $ID_u$, but it can't compute the session key $SK = h(ID_u \| OP \| D_j \| X_u \| ID_j)$ as it depends on $X_u$, which is computed using the user's password and biometric impression at the user side and using the secret key $ASID_j$ of server $S_j$ at the server side. Hence, the proposed AMAKAS scheme can resist known session specific temporary information attack.

Formal security analysis using BAN logic
In this subsection, BAN Logic is used to formally prove the security of the proposed AMAKAS scheme.

Idealization
The idealized messages between the user and the server are listed as follows.

Assumptions
The assumptions used to carry out the BAN logic analysis of the proposed scheme are listed as follows:

Goals
The goals that our proposed scheme should achieve are listed as follows.

Analysis
The following steps are taken to perform the BAN logic proof of our suggested scheme.
Step 1: From message $M_2$, we obtain:
Step 2: From the assumption $A_5$, we obtain:
Step 3: From $M_2$ and $A_5$, and applying the message-meaning rule, we obtain:
Step 4: From $A_1$, $A_2$, step 2, and applying the nonce verification rule, we obtain:
Step 5: From $A_8$, step 4, and applying the jurisdiction rule, we obtain:
Step 6: From $A_1$, $A_2$, step 4, and applying the freshness conjuncatenation rule, we obtain:
Step 7: From step 5 and step 6, we obtain:
Hence, Goal 1 has been achieved.
Step 8: From step 2, $A_2$, and applying the nonce verification rule, we obtain:
Step 9: From step 8, $A_8$, and applying the jurisdiction rule, we obtain:
Step 10: From step 9, $A_2$, step 4 and applying the freshness conjuncatenation rule, we obtain:
Thus, $U_i \mid\equiv \#(D_j)$ and Goal 3 has been achieved.
Step 11: From $A_6$, and applying the message-meaning rule, we obtain:
Step 12: From $A_1$, step 11, and applying the nonce verification rule, we obtain:
Step 13: From $A_7$, step 12, and applying the jurisdiction rule, we obtain:
Step 14: From $A_1$, step 11, step 13, and applying the freshness conjuncatenation rule, we obtain:
Therefore, $S_j \mid\equiv \#(C_u)$ and Goal 2 has been achieved.

Security and performance comparisons
In this section, the security and performance of the proposed AMAKAS scheme are compared with the existing related schemes. The performance will be evaluated in terms of computation cost and communication overheads.

Security comparison
Table 1 provides a summarized analysis of the security features of the proposed AMAKAS scheme while comparing it with some related schemes [23-25, 28, 38]. From Table 3, we can observe that the schemes in [23,38] cannot achieve user anonymity, and the schemes [23,25,28,38] are unable to achieve user un-traceability. Moreover, the schemes [23,25,38] cannot resist man-in-the-middle attack, and none of the schemes in [23-25, 38] can resist server impersonation attack or known session specific temporary information attack. It can be seen that the lightweight authentication scheme in [38] can't resist several attacks including user impersonation
10.5602 ms. Scheme [28] consumes the execution time of 13 one-way hash functions, 5 ECC scalar multiplications, 7 point addition operations and one fuzzy extraction operation, which in total costs 13.5944 ms. Finally, it is obvious that the lowest computation cost is offered by the proposed scheme, as the proposed scheme consumes the time of executing 15 one-way hash functions and 4 ECC scalar multiplication operations, which in total costs 8.9385 ms. The comparison of computation cost is also graphically shown in Fig. 3. Hence, the proposed scheme is highly efficient in terms of computation cost as compared to other related schemes, which makes the proposed AMAKAS scheme more suitable and practical for multi-server environments than other related schemes.

Communication overhead comparison
The number of communication messages is shown in Table 4. It is obvious that the proposed AMAKAS scheme and the scheme in [24] require only 2 messages to complete the login and authentication phase; however, the schemes in [23,25,28] require 3 messages to complete the same phases.
In Table 5, we compared the communication overhead of the proposed scheme and that of the schemes [23-25, 28], where the bit sizes of random number, user's identity, timestamp, ECC point, and hash output (using SHA-1 as h(•)) are 160, 160, 32, 320, 160 bits, respectively. We can observe that the proposed AMAKAS scheme requires 1280 bits to transmit $M_1$ and $M_2$, which is less than the schemes in [23,25,28], while it is slightly higher than the scheme in [24], which is a small cost compared to the advantages of the proposed scheme in terms of the computation cost over the scheme in [24], which requires 190.189E + 06 ms to execute the login and authentication phase. As a result, we can state that our proposed scheme is more appropriate for multi-server environments in terms of performance and security.

Conclusion
In this paper, we have proposed a lightweight ECC based mutual authentication and key agreement scheme for multi-server environments. The proposed AMAKAS scheme employs ECC in order to obtain the advantage of the ECC properties of creating small size keys with high security efficiency. The security analysis shows that the proposed AMAKAS scheme can achieve mutual authentication, user anonymity and un-traceability, and forward secrecy. In addition, the proposed AMAKAS scheme can resist replay attack without the need for synchronization nodes, user and server impersonation attack, stolen card attack, man-in-the-middle attack, and known session specific temporary information attack. Moreover, the proposed AMAKAS scheme decreases the computational and communication cost compared with the other related schemes, with only two messages exchanged to provide anonymous authentication and key agreement. These advantages make the proposed AMAKAS scheme more suitable and practical for multi-server environments than other related schemes.

Fig. 3 The comparison of computation cost

If the adversary aims to impersonate the legitimate user, he has to be capable of generating a valid login message $M_1 = \{W, OPA_u, PID_u, DID_u\}$. The adversary can generate a random number $C_u$ and calculate $W$, $PID_u$, and $OPA_u$, but he cannot generate $DID_u = h(A_u \| X_u \| OP)$ as the calculation of $X_u = Y_u \oplus h(M \| TW)$ requires knowing $\{Y_u, M, TW\}$: $Y_u$ is a stored value on the smart card, calculating $M = H(ID_u \| B_u)$ requires knowing the user identity $ID_u$ and biometric impression $B_u$ of the user, and calculating $TW = h(a \oplus H(B_u \| PW_u))$ requires knowing the random number $a$, the user password $PW_u$, and the biometric impression $B_u$, which are known only by the legitimate user. Moreover, the password is protected by a double one-way hash function. Hence, the adversary cannot generate a valid login message $M_1$, and therefore, the proposed scheme can resist user impersonation attack.