1. \(MU_i\) sends an authentication request to \(FA_j\) to use the roaming service.

2. After receiving the request, \(FA_j\) sends the request for verifying the legitimacy of \(MU_i\)’s request to \(HA_k\).

3. \(HA_k\) checks the request received from \(FA_j\), authenticates \(MU_i\), and responds to \(FA_j\).

4. \(FA_j\) sends a response to \(MU_i\), and then \(MU_i\) and \(FA_j\) mutually establish a session key.

1. Elliptic curve discrete logarithm problem (ECDLP): Given \(P, aP \in E_p (a,b)\), it is computationally infeasible to find a within polynomial time.

2. Elliptic curve computational Diffie-Hellman problem (ECCDHP): Given \(aP,bP \in E_p (a,b)\), it is computationally infeasible to find \(abP\) in polynomial time.

1. By controlling a public channel, an attacker can eavesdrop on messages between \(MU_i\), \(FA_j\) and \(HA_k\), and then modify or replay them to impersonate participants.

2. An attacker can perform a side-channel attack to extract information stored in the smart card.

3. An attacker can discover sensitive information by combining eavesdropping and the extracted messages.

1. \(MU_i\) selects \(ID_U\), \(PW_U\), and random \(r \in Z_q^*\), computes \(FID_U=h(ID_U||r)\), and sends the registration request with \(<ID_U, FID_U>\) to \(HA_k\).

2. \(HA_k\) select a random \(n_H \in Z_q^*\), computes \(R_U=h(FID_U||x)\), and \(DID_U=h(x)\oplus \{FID_U||n_H\}\), stores \(<DID_U, R_U, h(\cdot), P, ID_H >\) in the smart card, and sends it to \(MU_i\).

3. After receiving the smart card, \(MU_i\) computes \(r^*=h(ID_U||PW_U) \oplus r\), \(V_U=h(ID_U||PW_U||r)\), and \(R_U^*=R_U\oplus r\), and finally stores \(<r^*, V_U, R_U^*, DID_U, h(\cdot), P, ID_H >\) in the smart card.

1. \(MU_i\) inputs \(ID_U\) and \(PW_U\), computes \(r=h(ID_U||PW_U) \oplus r^*\) and checks \(V_U=h(ID_U||PW_U||r)\). If they are not equal, \(MU_i\) terminates this process; otherwise, \(MU_i\) computes \(FID_U=h(ID_U||r)\), \(R_U=R_U^*\oplus r\), \(a=f(ID_U||T_{seed}) \in Z_q^*\), \(Q_1=aP\), and \(Q_2=h(DID_U||R_U||Q_1||FID_U||ID_F||ID_H)\), and sends the message \(M_1=<ID_F, ID_H, DID_U, Q_1, Q_2>\) to \(FA_j\), where \(T_{seed}\) is seed to generate a random number and \(f()\) is a number-generating function.

2. After receiving the message, \(FA_j\) selects a random \(b \in Z_q^*\), computes \(W_1=bP\) and \(W_2=h(M_1||W_1||K_{FH}||ID_F||ID_H)\), and sends the message \(M_2=<M_1, W_1, W_2>\) to \(HA_k\).

3. \(HA_k\) first checks \(W_2=h(M_1||W_1||K_{FH}||ID_F||ID_H)\). If they are not equal, \(HA_k\) terminates the process; otherwise, \(HA_k\) retrieves \(FID_U\) and \(n_H\) by calculating \(\{FID_U, n_H\}=h(x)\oplus DID_U\) and computes \(R_U=h(FID_U||x)\). \(HA_k\) then checks \(Q_2=h(DID_U||R_U||Q_1||FID_U||ID_F||ID_H)\). If they are not equal, \(HA_k\) terminates the process; otherwise, \(HA_k\) selects a random \(n_H^{new} \in Z_q^*\), computes \(DID_U^{new}=h(x)\oplus \{FID_U||n_H^{new}\}\), \(E_1=h(R_U)\oplus DID_U^{new}\), \(E_2=h(R_U||Q_1||W_1||DID^{new}_U)\), and \(E_3=h(K_{FH}||Q_1||W_1||ID_F||ID_H||E_1||E_2)\), and sends the massage \(M_3=<Q_1, E_1, E_2, E_3>\) to \(FA_j\).

4. \(FA_j\) checks \(E_3=h(K_{FH}||Q_1||W_1||ID_F||ID_H||E_1||E_2)\). If they are not equal, \(FA_j\) terminates the process; otherwise, \(FA_j\) computes \(SK_{F}=h(bQ_1)\) and \(B_3=h(SK_{F}||E_1||E_2)\), and sends the message \(M_4=<E_1, E_2, W_1, B_3>\) to \(MU_i\).

5. \(MU_i\) computes \(DID_U^{new}=E_1 \oplus h(R_U)\) and \(SK_{U}=h(aW_1)\), \(SK_{ij}=h_1(PK_i||ID_j||K_3||K_4)\), and checks \(B_3=h(SK_{U}||E_1||E_2)\). If they are equal, \(MU_i\) and \(FA_j\) successfully establish the session key \(SK\).

1. \(MU_i\) inputs \(ID_U\) and \(PW_U\), computes \(r=h(ID_U||PW_U) \oplus r^*\) and checks \(V_U=h(ID_U||PW_U||r)\). If they are not equal, \(MU_i\) terminates the process; otherwise, \(MU_i\) selects a new password \(PW_U^{new}\).

2. \(MU_i\) computes \(r^{new*}=h(ID_U||PW_U^{new}) \oplus r\) and \(V_U^{new}=h(ID_U||PW_U^{new}||r)\), and replace \(r^*\) and \(V_U\) with \(r^{new*}\) and \(V_U^{new}\), respectively.

1. \(MU_i\) selects a random \(a_U \in Z_q^*\) and computes \(H_1=a_UP\), \(H_2=h(H_1||SK_U^{i-1})\) where \(SK^{i-1}\) is the \(i-1\)th session key. Then, \(MU_i\) sends \(M_1=<H_1, H_2>\) to \(FA_j\).

2. \(FA_j\) checks \(H_2=h(H_1||SK_F^{i-1})\). If they are equal, \(FA_j\) selects a random \(b_F \in Z_q^*\), computes \(J_1=b_FP\), \(SK_F^i=h(b_FH_1)\), and \(J_2=h(SK_F^i||SK_F^{i-1})\), and sends \(M_2=<J_1, J_2>\) to \(MU_i\).

3. After receiving the message, \(MU_i\) computes \(SK_U^i=h(a_U J_1)\) and checks \(J_2=h(SK_U^i||SK_U^{i-1})\). If they are equal, then \(MU_i\) and \(FA_j\) successfully update the session key.

1. First, the attacker obtains \(M_2\) and \(M_3\) by eavesdropping the public messages.

2. The attacker generates a random number \(b^A\), and uses \(Q_1\), \(E_1\), and \(E_2\) included in \(M_3\) to compute \(SK^A=h(b^AQ_1)=h(b^AaP)\), \(W_1^A=b^AP\), and \(B_3^A=h(SK^A||E_1 ||E_2)\).

3. The attacker generates \(M_4=<E_1, E_2, W_1^A, B_3>\) and transmits them to \(MU\).

4. According to the authentication process, \(MU\) calculates \(SKu=h(aW_1^A)=h(ab^AP)\) and then verifies the correctness of \(B_3\). Finally, \(MU\) agrees with the session key of the attacker.

1. \(MU_i\) selects \(ID_U\), \(PW_U\), \(BIO_U\) and random \(r \in Z_q^*\), computes \(FID_U=h(ID_U||r)\) and \(PB_U=h(PW_U||H(BIO_U))\), and sends the registration request with \(<ID_U, FID_U>\) to \(HA_k\).

2. \(HA_k\) selects a random \(n_H \in Z_q^*\), computes \(R_U=h(FID_U||x)\), and \(DID_U=h(x)\oplus \{FID_U||n_H\}\), stores \(<DID_U, R_U, h(\cdot), ID_H >\) in the smart card, and sends it to \(MU_i\).

3. After receiving the smart card, \(MU_i\) computes \(r^*=h(ID_U||PB_U) \oplus r\), \(V_U=h(ID_U||PB_U||r)\), and \(R_U^*=R_U\oplus r\), and finally stores \(<r^*, V_U, R_U^*, DID_U, h(\cdot), ID_H >\) in the smart card.

1. \(MU_i\) inputs \(ID_U\), \(PW_U\) and \(BIO_U\), computes \(PB_U=h(PW_U||H(BIO_U))\) and \(r=h(ID_U||PW_U) \oplus r^*\), and checks \(V_U=h(ID_U||PB_U||r)\). If they are not equal, \(MU_i\) terminates this process; otherwise, \(MU_i\) selects \(a_U \in Z_q^*\), computes \(FID_U=h(ID_U||r)\), \(R_U=R_U^*\oplus r\), \(Q_1=R_U \oplus a_U\), and \(Q_2=h(DID_U||R_U||a_U||FID_U||ID_F||ID_H)\), and sends the message \(M_1=<ID_F, ID_H, DID_U, Q_1, Q_2>\) to \(FA_j\).

2. After receiving the message \(M_1\), \(FA_j\) selects a random \(b_F \in Z_q^*\), computes \(W_1=h(M_1||K_{FH}||ID_F||ID_H)\oplus b_F\) and \(W_2=h(W_1||b_F)\), and sends the message \(M_2=<M_1, W_1, W_2>\) to \(HA_k\).

3. After receiving the message \(M_2\), \(HA_k\) computes \(b=h(M_1||K_{FH}||ID_F||ID_H) \oplus b_F\) and checks \(W_2=h(W_1||b_F)\). If they are not equal, \(HA_k\) terminates the process; otherwise, \(HA_k\) retrieves \(FID_U\) and \(n_H\) by calculating \(\{FID_U, n_H\}=h(x)\oplus DID_U\), and then computes \(R_U=h(FID_U||x)\), and \(a_U=R_U \oplus Q_1\). \(HA_k\) then checks \(Q_2=h(DID_U||R_U||a_U||FID_U||ID_F||ID_H)\). If they are not equal, \(HA_k\) terminates the process; otherwise, \(HA_k\) selects a random \(n_H^{new} \in Z_q^*\), computes \(DID_U^{new}=h(x)\oplus \{FID_U||n_H^{new}\}\), \(E_1=h(DID_U^{new}||FID_U)\), \(E_2=h(R_U) \oplus DID^{new}_U\), \(E_3=h(K_{FH}||b_F)\oplus E_1\), \(E_4=a_U \oplus b_F\), and \(E_5=h(K_{FH}||b_F||E_1)\), and sends \(M_3=<E_2, E_3, E_4, E_5>\) to \(FA_j\).

4. \(FA_j\) computes \(a_U=E_4 \oplus b_F\) and \(E_1=h(K_{FH}||b_F) \oplus E_3\), and checks \(E_5=h(K_{FH}||b_F||E_1)\). If they are not equal, \(FA_j\) terminates the process; otherwise, \(FA_j\) computes \(SK_{F}=h(E_1||a_U||b_F)\), \(W_3=b_F \oplus h(E_1||a_U)\), and \(W_4=h(SK_{F}||M_1||E_2)\). Then it sends the message \(M_2=<E_2, W_3, W_4>\) to \(MU_i\).

5. \(MU_i\) computes \(DID_U^{new}=E_2 \oplus h(R_U)\), \(b_F=W_3 \oplus h(h(DID_U^{new}||FID_U)||a_U)\) and \(SK_{U}=h(h(DID_U^{new}|| FID_U)||a_U||b_F)\), and checks \(W_4=h(SK_{U}||M_1||E_2)\). If they are equal, \(MU_i\) and \(FA_j\) successfully establish the session key \(SK\).

1. \(MU_i\) inputs \(ID_U\), \(PW_U\) and \(BIO_U\), computes \(PB_U=h(PW_U||H(BIO_U))\) and \(r=h(ID_U||PB_U) \oplus r^*\), and checks \(V_U=h(ID_U||PB_U||r)\). If they are not equal, \(MU_i\) terminates the process; otherwise, \(MU_i\) selects a new password \(PW_U^{new}\).

2. \(MU_i\) computes \(r^{new*}=h(ID_U||PB_U^{new}) \oplus r\) and \(V_U^{new}=h(ID_U||PB_U^{new}||r)\), and replaces \(r^*\) and \(V_U\) with \(r^{new*}\) and \(V_U^{new}\).

1. \(MU_i\) selects a random \(a_U \in Z_q^*\) and computes \(H_1=a_U \oplus h(SK_U^{i-1})\), \(H_2=h(H_1||SK_U^{i-1}||a_U)\) where \(SK^{i-1}\) is the \(i-1\)th session key. Then, \(MU_i\) sends \(M_1=<H_1, H_2>\) to \(FA_j\).

2. \(FA_j\) computes \(a_U= H_1 \oplus h(SK_U^{i-1})\) and checks \(H_2=h(H_1||SK_F^{i-1}||a_U)\). If they are same, \(FA_j\) selects a random \(b_F \in Z_q^*\), computes \(J_1=b_F \oplus a_U\), \(SK_F^i=h(SK_U^{i-1}||a_U||b_F)\), and \(J_2=h(SK_F^i||SK_F^{i-1})\), and sends \(M_2=<J_1, J_2>\) to \(MU_i\).

3. After receiving the message, \(MU_i\) computes \(b_F=J_1 \oplus a_U\) and \(SK_U^i=h(SK_U^{i-1}||a_U||b_F)\). \(MU_i\) finally checks \(J_2=h(SK_U^i||SK_U^{i-1})\). If they are equal, then \(MU_i\) and \(FA_j\) successfully update the session key.

6.1.1  User Anonymity

In the proposed scheme, the real \(ID_U\) of \(MU_i\) is included in \(DID_U\) and transmitted through a public channel. \(ID_U\) is protected by a hashed secret key \(x\), as well as random numbers \(r\) and \(n_H\). It is difficult for an attacker to find these three values directly, which makes it impossible to determine the \(ID_U\). Moreover, \(DID_U^{new}=h(x)\oplus \{FID_U||n_H^{new}\}\) is updated for each session. Therefore, the proposed scheme guarantees user anonymity.

6.1.2  Untraceability

In the proposed scheme, all values included in \(M_1-M_4\) transmitted through the public channel contain random numbers. In addition, these random numbers are changed every session and are never reused. Therefore, since the attacker cannot track the activities of the communication participants, the proposed scheme satisfies untraceability.

6.1.3  Resistance to Stolen-Mobile Device Attack

An adversary can potentially steal \(MU_i\)’s mobile device and access \(<r^*, V_U, R_U^*, DID_U, h(\cdot), ID_H >\) through a side-channel attack. However, the disclosure of \(ID_U\) and \(PW_U\) relies on XOR or biohash functions that are fortified by the values of \(r\) and \(BIO_U\), rendering it practically unfeasible for the adversary to ascertain this information. Moreover, the generation of an authentication request message, essential for impersonating \(MU_i\), necessitates access to \(FID_U\), which remains shielded by the secret key \(x\) of \(HA_k\). Consequently, even if an attacker acquires \(MU_i\)’s mobile device, he/she cannot obtain sensitive information or disguise it as \(MU_i\). Therefore, the proposed scheme is secure against a stolen-mobile device attack.

6.1.4  Resistance to Replay Attack

To maliciously generate a session key and mimic either \(MU_i\) or \(FA_j\) by replaying messages \(M_1\) and \(M_4\), an adversary requires a random number \(a_U\) or \(b_F\). The acquisition of \(a_U\) necessitates access to \(R_U\) and \(FID_U\), while obtaining \(b_F\) requires knowledge of \(K_{FH}\). However, the adversary is unable to deduce these values from publicly transmitted messages. Consequently, the proposed scheme effectively mitigates the risks associated with potential replay attacks.

6.1.5  Mutual Authentication

In the proposed scheme, \(MU_i\) and \(FA_j\) establish a session key using \(HA_k\). After \(HA_k\) receives \(DID_U\) from message \(M_1\), \(HA_k\) retrieves \(FID_U\) and \(n_H\) by calculating \(\{FID_U, n_H\}=h(x)\oplus DID_U\) using its own secret key and then verifies the identity of \(MU_i\) by checking \(Q_2=h(DID_U||R_U||a_U||FID_U||ID_F||ID_H)\). \(FA_j\) is authenticated to \(HA_k\) using \(W_1\), which is created using \(K_{FH}\). After \(HA_k\) successfully authenticates \(FA_j\) and \(MU_i\), \(HA_k\) can obtain the random numbers \(a_U\) and \(b_F\). Then, \(HA_k\) transmits \(E_4\) to \(FA_j\), and \(FA_j\) obtains the random \(a_U=E_4 \oplus b_F\) and \(E_1=h(K_{FH}||b_F) \oplus E_3=h(DID_U^{new}||FID_U)\) that only \(MU_i\) can calculate. \(MU_i\) obtains \(b_F\) from \(W_3 \oplus h(h(DID_U^{new}||FID_U)||a_U)\). Finally, \(MU_i\) and \(FA_j\) compute the session key \(SK=h(h(DID_U^{new}||FID_U)||a_U||b_F)\) using the parameters obtained through mutual authentication. Thus, the proposed scheme provides mutual authentication.

6.1.6  Forward Secrecy

In the proposed scheme, the random numbers \(a_U\) and \(b_F\) included in the session key are not reused for every session. In other words, they are updated with new values. Therefore, an attacker is unable to infer any relevance from the past, present, and future session keys. Therefore, the proposed scheme satisfies the forward secrecy requirement.

6.1.7  Session Key Agreement and Verification

In the proposed scheme, \(MU_i\) and \(FA_j\) generate session key \(SK=h(h(DID_U^{new}||FID_U)||a_U||b_F)\) through mutual authentication. The \(FA_j\) transmits \(W_4=h(SK_{F}||M_1||E_2)\) to \(MU_i\). Then, \(MU_i\) checks whether \(W_4\) is legitimate by using the generated session key. Through this process, \(MU_i\) verifies that the same session key has been exchanged between them. Therefore, the proposed scheme satisfies the session key agreement.

6.1.8  Resistance to User Impersonation Attack

In the proposed scheme, an attacker can attempt to impersonate a \(MU_i\). Nevertheless, our scheme ensures resistance against stolen-mobile device attacks. Furthermore, the proposed scheme guarantees mutual authentication and verifies the validity of the session key. Therefore, the proposed scheme is secure against a user impersonation attack.

6.1.9  Resistance to FA Impersonation Attack

In the proposed scheme, an attacker can create a random \(b_A\) and attempt to impersonate \(FA_j\). However, without \(K_{FH}\) shared by \(FA_j\) and \(HA_k\), a valid message cannot be generated and the random number \(a_U\) of \(MU_i\) cannot be determined. Therefore, the proposed scheme is safe from FA impersonation attacks.

6.1.10  Local User Verification

In the proposed scheme, the identity of \(MU_i\) is verified before a mutual authentication request message is generated. \(MU_i\) can generate the same value as \(V_U\) stored in the smart card by correctly entering \(ID_ {U}, PW_ {U}\), and \(BIO_ {U}\). Therefore, the proposed scheme can block malicious access locally.

6.1.11  Resistance to Stolen-Verifier Attack

In the proposed scheme, \(HA_k\) does not maintain a verifier table because it does not store any sensitive information for authenticating \(MU_i\) and \(FA_j\). Therefore, an attacker cannot perform a stolen-verifier attack.

6.1.12  Resistance to Known Session-Specific Temporary Information Attack

If an attacker knows the random \(a_U\) and \(b_F\) constituting the session key, he/she can try to determine the session key. However, to calculate the session key, \(E_1\) together with two random numbers is required. Because an attacker cannot determine \(FID_U\), the proposed scheme is secure from known session-specific temporary information attacks.

• \(P \triangleleft C\): Participant \(P\) sees condition \(C\).

• \(P \mid\equiv C\): \(C\) is believed by \(P\)

• \(\sharp (C)\): It makes a fresh \(C\).

• \(P \mid\sim C\): \(P\) expresses \(C\).

• \(P_1 \overset{K}{\longleftrightarrow} P_2\): Two participants \(P_1\) and \(P_2\) share a secret key \(K\).

• \(P \Rightarrow C\): \(C\) is handled by \(P\).

• \((C)_K\): Perform the cryptographic operation on \(C\) using \(K\).

• Rule 1 (Message-meaning rule): \(\frac{P_1\mid\equiv P_1\overset{K}{\leftrightarrow} P_2, P_1 \triangleleft <C>_{ K}}{ P_1\mid\equiv P_2\mid\sim C}\), and if \(P_1\) trusts that the key \(K\) is shared with \(P_2\), \(P_1\) sees \(C\) combined with \(K\), and then \(P_1\) trusts \(P_2\) once said \(C\).

• Rule 2 (Nonce-verification rule): \(\frac{P_1 \mid\equiv \# (C), P_1\mid\equiv P_2\mid\sim C}{P_1\mid\equiv P_2\mid\equiv C}\): if \(P_1\) trusts that \(C\)’s freshness and \(P_1\) trusts \(P_2\) once said \(C\), then \(P_1\) trusts that \(P_2\) trusts \(C\).

• Rule 3 (Believe rule): \(\frac{P\mid\equiv C, P\mid\equiv M}{P\mid\equiv (C, M)}\): if \(P\) trusts \(C\) and \(M\), \((C, M)\) are also trusted by \(P\).

• Rule 4 (Freshness-conjuncatenation rule): \(\frac{P\mid\equiv \#(C)}{P\mid\equiv \#(C, M)}\): if the freshness of \(C\) is trusted by \(P\), then \(P\) can trust the freshness of the full condition.

• Rule 5 (Jurisdiction rule): \(\frac{P_1\mid\equiv P_2\mid\Rightarrow C, P_1\mid\equiv P_2\mid\equiv C}{P_1\mid\equiv C}\): if \(P_1\) trusts that \(P_2\) has jurisdiction over \(C\), and \(P_1\) trusts that \(P_2\) trusts condition \(C\), then \(P_1\) also trusts \(C\).

• Goal 1: \(MU \mid\equiv (MU \overset{SK}{\longleftrightarrow}FA)\)

• Goal 2: \(FA \mid\equiv (MU \overset{SK}{\longleftrightarrow}FA)\)

• Goal 3: \(MU \mid\equiv FA \mid\equiv (MU \overset{SK}{\longleftrightarrow}FA)\)

• Goal 4: \(FA \mid\equiv MU \mid\equiv (MU \overset{SK}{\longleftrightarrow}FA)\)

• Using \(M_1=<ID_F, ID_H, DID_U, Q_1, Q_2>\), \(MU \rightarrow FA\): \(DID_U=h(x)\oplus \{FID_U||n_H\}\), \(Q_1=R_U \oplus a_U\), \(Q_2=h(DID_U||R_U||a_U||FID_U||ID_F||ID_H)\). This is reduced to \(MSG_1:(ID_F, ID_H, FID_U, R_U, a_U)_x\).

• Using \(M_2=<M_1, W_1, W_2>\), \(FA \rightarrow HA\): \(W_1=h(M_1||K_{FH}||ID_F||ID_H)\oplus b_F\), \(W_2=h(W_1||b_F)\). This is reduced to \(MSG_2: (M_1, ID_F, ID_H, b_F)_{K_{FH}}\).

• Using \(M_3=<E_2, E_3, E_4, E_5>\), \(HA \rightarrow FA\): \(E_1=h(DID_U^{new}||FID_U)\), \(E_2=h(R_U)\oplus DID_U^{new}\), \(E_3=b_F \oplus E_1\), \(E_4=a_U \oplus b_F\), \(E_5=h(K_{FH}||b_F||E_1)\). This is reduced to \(MSG_3: (FID_U, R_U, a_U, b_F)_{K_{FH}}\).

• Using \(M_4=<E_2, W_3, W_4>\), \(FA \rightarrow MU\): \(W_3= b_F \oplus h(E_1||a_U)\) and \(W_4=h(SK_{F}||M_1||E_2)\). This is reduced to \(MSG_4: (FID_U, R_U, a_U, b_F)_{x}\).

• A1: \(MU \mid\equiv\sharp (a_U)\)

• A2: \(FA \mid\equiv\sharp (b_F)\)

• A3: \(FA \mid\equiv (FA \overset{K_{FH}}{\longleftrightarrow}HA)\)

• A4: \(HA \mid\equiv (FA \overset{K_{FH}}{\longleftrightarrow}HA)\)

• A5: \(MU \mid\equiv (MU \overset{x}{\longleftrightarrow}HA)\)

• A6: \(HA \mid\equiv (MU \overset{x}{\longleftrightarrow}HA)\)

• A7: \(FA \mid\equiv (MU \overset{a_U}{\longleftrightarrow} FA)\)

• A8: \(MU \mid\equiv (MU \overset{b_F}{\longleftrightarrow} FA)\)

• A9: \(MU \mid\equiv FA \Rightarrow (MU \overset{SK}{\longleftrightarrow} FA)\)

• A10: \(FA \mid\equiv MU \Rightarrow (MU \overset{SK}{\longleftrightarrow} FA)\)

• From \(M_1\), we obtain V1: \(FA \triangleleft(ID_F, ID_H, FID_U, R_U)_{a_U}\)

• Based on Assumption A5 and Rule 1, we derive V2: \(FA \mid\equiv MU \mid\sim (\, ID_F, ID_H, FID_U, R_U)_{a_U}\)

• Based on Assumption A1 and Rule 4, we derive V3 as follows: \(FA \mid\equiv \sharp (\, ID_F, ID_H, FID_U, R_U)_{a_U}\)

• Based on V1, V2 and Rule 2, we derive V4: \(FA \mid\equiv MU \mid\equiv (\, ID_F, ID_H, FID_U, R_U)_{a_U}\)

• From \(M_2\), we obtain V5: \(HA \triangleleft (\, M_1, ID_F, ID_H, a_U, b_F)_{K_{FH}}\)

• Based on Assumption A5 and Rule 1, we derive V6: \(HA \mid\equiv FA \mid\sim (\, M_1, ID_F, ID_H, a_U, b_F)_{K_{FH}}\)

• Based on Assumption A1 and Rule 4, we derive V7 as follows: \(HA \mid\equiv \sharp (\, M_1, ID_F, ID_H, a_U, b_F)_{K_{FH}}\)

• Based on V1, V2 and Rule 2, we derive V8: \(HA \mid\equiv FA \mid\equiv (\, M_1, ID_F, ID_H, a_U, b_F)_{K_{FH}}\)

• From \(M_3\), we obtain V9: \(FA \triangleleft (\, DID_U^{new}, FID_U, a_U, b_F)_{K_{FH}}\)

• Based on Assumption A5 and Rule 1, we derive V10: \(FA \mid\equiv HA \mid\sim (\, DID_U^{new}, FID_U, a_U, b_F)_{K_{FH}}\)

• Based on Assumption A1 and Rule 4, we derive V11 as follows: \(FA \mid\equiv \sharp (\, DID_U^{new}, FID_U, a_U, b_F)_{K_{FH}}\)

• Based on V1, V2 and Rule 2, we derive V12: \(FA \mid\equiv HA \mid\equiv (\, DID_U^{new}, FID_U, a_U, b)_{K_{FH}}\)

• From \(M_4\), we obtain V13: \(MU \triangleleft (\, DID_U^{new}, FID_U)_{b_F}\)

• Based on Assumption A5 and Rule 1, we derive V14: \(MU \mid\equiv FA \mid\sim (\, DID_U^{new}, FID_U)_{b_F}\)

• Based on Assumption A1 and Rule 4, we derive V15 as follows: \(MU \mid\equiv \sharp (\, DID_U^{new}, FID_U)_{b_F}\)

• Based on V1, V2 and Rule 2, we derive V16: \(MU \mid\equiv FA \mid\equiv (\, DID_U^{new}, FID_U)_{b_F}\)

• Based on V8, \(SK_{F}=h(E_1||a_U||b_F)\), and \(E_1=h(DID_U^{new}||FID_U)\), we derive V17 as follows: \(MU \mid\equiv(MU \overset{SK_F}{\longleftrightarrow}FA)\) (Goal 1)

• Based on V6 and \(SK_{U}=h(h(DID_U^{new}||FID_U)||a_U||b_F)\), we derive V18: \(FA \mid\equiv(MU \overset{SK_U}{\longleftrightarrow}FA)\) (Goal 2)

• Based on A9, V8 and Rule 5, we derive V19 as follows: \(MU \mid\equiv FA\mid\equiv (MU \overset{SK}{\longleftrightarrow}FA)\) (Goal 3)

• Based on A10, V9 and Rule 5, we derive V20 as follows: \(FA \mid\equiv MU \mid\equiv (MU \overset{SK}{\longleftrightarrow}FA)\) (Goal 4)