Int. J. of Computers, Communications & Control, ISSN 1841-9836, E-ISSN 1841-9844
Vol. VI (2011), No. 2 (June), pp. 227-235
A Time-Bound Ticket-Based Mutual Authentication
Scheme for Cloud Computing
Z. Hao, S. Zhong, N. Yu
Zhuo Hao
1. University of Science and Technology of China
Department of Electronic Engineering and Information Science
Hefei, Anhui 230027, P.R.China, and
2. State University of New York at Buffalo
Department of Computer Science and Engineering
201 Bell Hall, Amherst, NY 14260, USA
E-mail: hzhuo@mail.ustc.edu.cn
Sheng Zhong
State University of New York at Buffalo
Department of Computer Science and Engineering
201 Bell Hall, Amherst, NY 14260, USA
E-mail: szhong@buffalo.edu
Nenghai Yu
University of Science and Technology of China
Department of Electronic Engineering and Information Science
Hefei, Anhui 230027, P.R.China
E-mail: ynh@ustc.edu.cn
Abstract: Cloud computing is becoming popular quickly. In cloud comput-
ing, people store their important data in the cloud, which makes it important
to ensure the data integrity and availability. Remote data integrity check-
ing enables the client to perform data integrity verification without access to
the complete file. This service brings convenience to clients, but degrades the
server’s performance severely. Proper schemes must be designed to reduce the
performance degradation.
In this paper, a time-bound ticket-based mutual authentication scheme is pro-
posed for solving this problem. The proposed authentication scheme achieves
mutual authentication between the server and the client. The use of time-
bound tickets reduces the server’s processing overhead efficiently. The corre-
spondence relationship between the digital ticket and the client’s smart card
prevents user masquerade attack effectively. By security analysis, we show that
the proposed scheme is resistant to masquerade attack, replay attack and pass-
word guessing attack. By performance analysis, we show that the proposed
scheme has good efficiency. The proposed scheme is very suitable for cloud
computing.
Keywords: cloud computing, mutual authentication, digital ticket, masquer-
ade attack.
1 Introduction
Cloud Computing [1, 2] has become a very popular technology. By using cloud computing,
both the data storage and the computation resources are moved from personal computers into the
cloud. Recently many companies provide the cloud storage services, including Amazon Simple
Copyright c⃝ 2006-2011 by CCC Publications
228 Z. Hao, S. Zhong, N. Yu
Storage Service (S3) [3], Microsoft SkyDrive [4], Nirvanix CloudNAS [5], etc. As people store
their important data in the cloud without keeping a local copy, it is important for the cloud
clients to be able to verify the data integrity and availability.
Remote data integrity checking protocols [6–10] are proposed to ensure the data integrity in
the cloud. Ateniese et al. [6] propose the technology of provable data possession to enable the
client to verify the data integrity without retrieving it from the server. Juels and Kaliski [7]
propose the scheme called proofs of retrievability to enable the server to produce a concise
proof about the data availability. Other schemes [8–10] have also been proposed with increased
scalability and efficiency. However, as the clients of cloud services are numerous and are also
increasing very quickly, these technologies bring a lot of extra computation and storage overhead
to the server. Mechanisms should be designed to reduce these overhead as much as possible.
One possible solution is to limit the client’s data verification frequency. In this method, the
server releases a certain number of digital tickets to the client at a constant frequency, e.g., 12
tickets per year. The client uses one ticket for one time of data verification, and after that, the
used ticket becomes invalid and cannot be reused. If the client needs more tickets, she must
purchase them from the server. On the other hand, the client’s identity should be properly
authenticated to the server before she uses these services.
Recently Lin and Chang [11] propose a countable and time-bound password-based user au-
thentication scheme, which is a possible method for solving this problem. In the Lin-Chang
scheme, the tickets {TK1, TK2, ..., TKt} are generated by the server in a way that the authenti-
cation value in TKj is one of the square roots of the value in TKj+1. The Lin-Chang scheme is
secure against masquerading attack and replay attack, and also achieves good efficiency at the
client side. However, the Lin-Chang scheme has several disadvantages, which make it not suitable
in this environment. Firstly, the ticket in Lin-Chang scheme is not associated with the client’s
identity, which allows anyone who obtains the ticket to be able to use it. Secondly, the client’s
tickets can only be used sequentially. Whenever TKj expires, the tickets TK1, TK2, ..., TKj−1
cannot be used anymore. Thirdly, the Lin-Chang scheme involves high-cost modular exponentia-
tion operations at the server side, which bring large amount of overhead as the quantity of cloud
clients increases quickly. Finally, the Lin-Chang scheme does not achieve mutual authentication.
In this paper, we propose a new ticket-based mutual authentication scheme which has im-
provements in these aspects. Firstly, we use smart card in the mutual authentication scheme.
Each client has her own unique smart card. The client’s tickets are associated with her smart
card, so that even when her tickets are lost, they cannot be used by other clients. Secondly, in
the proposed scheme, tickets are relatively independent of one another, so that the tickets need
not be used sequentially. When one ticket expires, all other tickets that do not expire can still
be used. Thirdly, the proposed scheme involves only lightweight exclusive-or and hash compu-
tations, which makes it very efficient at both the client side and the server side. Finally, the
proposed scheme achieves mutual authentication, so that both the server and the client authen-
ticates each other when performing the data verification. By security analysis, we show that the
proposed scheme is secure against lost smart card attack, lost ticket attack, masquerade attack,
replay attack, etc. By performance analysis, we show that the proposed scheme achieves good
performance at both the server side and the client side. The proposed scheme is suitable for
cloud computing.
The rest of this paper is organized as follows. Section 2 presents the system model and
introduces common notations used throughout this paper. In section 3, the proposed time-
bound ticket-based mutual authentication scheme is presented. In section 4, we show that the
proposed scheme is secure against adversary’s attacks. In section 5, we show that the proposed
scheme is cost-efficient. Finally, we conclude in section 6.
A Time-Bound Ticket-Based Mutual Authentication
Scheme for Cloud Computing 229
2 System Model and Common Notations
In the proposed scheme, there are two different entities: the cloud server and the client. The
cloud server provides data storage services to a lot of clients, and also provides data integrity
verification services to the clients. Furthermore, the cloud server is in charge of the client
registration, client authentication and digital ticket management. Clients put their data at the
server and retrieves the data on demand. Each client has a unique identification and a password
with which she can prove her identity to the server. In addition, similar to the Lin-Chang
scheme [11], a bulletin board is maintained by the server for preventing repeated usage of one
ticket.
For convenience of description, we denote the cloud server by S and the clients by {Ui, i =
1, 2, 3, ...}. Denote the identification and password of Ui by IDi and PWi. We use a cryptographic
hash function h() and a keyed hash function hK(), with K as a cryptographic key. S has two
long-term secret keys, denoted by K1 and K2.
3 The Proposed Mutual Authentication Scheme
In this section, we present the proposed time-bound ticket-based mutual authentication
scheme. The proposed scheme consists of 4 phases: registration phase, verification request
phase, mutual authentication phase and password change phase.
3.1 Registration Phase
When the client Ui initially registers herself to S, the registration phase is invoked. The
registration phase consists of the following steps:
1. Ui selects her own IDi, her password PWi and a random number b. Then Ui computes
IPBi = H(IDi||H(PWi ⊕b)) and sends {IDi, IPBi, t} to the server, in which t is the number of
digital tickets Ui needs. At the same time Ui pays the corresponding ticket fee to S. The ticket
fee can be payed in the form of either real or virtual currency, which depends on the policy of S.
2. After S receives the message and ticket fee from Ui, S generates t tickets for Ui. Denote
the jth ticket of Ui by T
(j)
i . Denote by TID
(j)
i and V P
(j)
i the ticket ID and valid period of T
(j)
i
respectively. Specifically, S generates {(TID(j)i , V P
(j)
i ), j = 1, 2, ..., t} and computes as follows:
Wi = IPBi ⊕ H(IDi, K1),
α
(j)
i = HK2(IDi ∥ TID
(j)
i ∥ V P
(j)
i ),
β
(j)
i = α
(j)
i ⊕ IPBi.
T
(j)
i has two parts:
T
(j)
i = (T
(j)1
i , T
(j)2
i ),
in which
T
(j)1
i = (TID
(j)
i , V P
(j)
i ),
T
(j)2
i = β
(j)
i .
S also computes Zi = HK2(IDi) ⊕ IPBi, which is used during the password change phase.
3. S writes IDi, t, Wi, Zi and T
(j)
i , j = 1, 2, ..., t into a smart card and sends it to Ui.
4. When Ui receives her smart card, she writes b into the card.
230 Z. Hao, S. Zhong, N. Yu
3.2 Verification Request Phase
As the client receives t tickets, she can use these tickets to perform data verification at most
t times. The description below assumes that this is the kth verification request that Ui invokes.
1. Ui inserts her smart card into a card reader and enters IDi and PWi.
2. The smart card generates a nonce rU according to system time, and computes
IPBi = H(IDi||H(PWi ⊕ b)), Hi = Wi ⊕ IPBi ;
C1 = rU ⊕ Hi, C2 = H(rU) ⊕ T
(k)2
i ⊕ IPBi.
Then Ui’s smart card sends {IDi, T
(k)1
i , C1, C2} to S.
3.3 Mutual Authentication Phase
When S receives the verification request message from Ui, it executes the following steps:
1. S checks the validity of IDi and rejects the service request if IDi is invalid.
2. S checks whether the ticket ID TID(k)i is on the bulletin board. If it is on the bulletin
board, then S rejects Ui’s service request and terminates the process.
3. S checks whether the current date is in the range of V P (k)i or not. If not, then S rejects
Ui’s service request and terminates the process.
4. S computes D0 = H(IDi, K1), D1 = C1 ⊕ D0 and D2 = H(D1) ⊕ C2.
5. S computes HK2(IDi ∥ TID
(k)
i ∥ V P
(k)
i ) and checks whether it is equal to D2. If they
are not equal, then S rejects Ui’s service request and terminates the process. Otherwise, S
authenticates Ui successfully.
6. S generates a random nonce rS, computes C3 = D0 ⊕ rS and C4 = H(rU, rS) and sends
{C3, C4} to Ui. S also computes KS = H(D0, rU||rS), which will be used as a subsequent session
key.
7. Ui’s smart card computes D3 = C3 ⊕ Hi. Then it compares H(rU, D3) with C4. If they
are equal, Ui authenticates S successfully. Then the smart card computes KC = H(Hi, rU||rS)
and uses K to communicate with S in the subsequent data verification process. Note that
KC = H(Hi, rU||rS) = H(H(IDi, K1), rU||rS) = KS. When the kth data verification is finished,
Ui deletes the ticket T
(k)
i from its smart card, and S publishes TID
(k)
i to its bulletin board.
Finally the smart card deletes the nonce rU , and S deletes rS from its memory, to prevent replay
attack.
8. After the mutual authentication, the data verification is performed. The data verification
schemes [6–10] are independent of the proposed authentication scheme, so we don’t describe the
details. The keys KC and KS can be used for secret communication.
3.4 Password Change Phase
This phase is invoked when Ui needs to change her password PWi to a new one. The password
change phase consists of the following steps:
1. Ui inserts her smart card into a card reader, and enters IDi and PWi.
2. The smart card generates a nonce rU according to system time, and computes
IPBi = H(IDi||H(PWi ⊕ b)),
C1 = rU ⊕ Wi ⊕ IPBi, C2 = H(rU) ⊕ Zi ⊕ IPBi.
Then Ui’s smart card sends {update, IDi, C1, C2} to S, in which update is the message type
indicating this is a password change request message.
A Time-Bound Ticket-Based Mutual Authentication
Scheme for Cloud Computing 231
3. When S receives this message, it checks the validity of IDi. If IDi is invalid, it rejects
the service request.
4. S computes D1 = C1⊕H(IDi, K1) and D2 = H(D1)⊕C2. After that S checks whether D2
is equal to HK2(IDi). If they are not equal, S rejects the password change request. Otherwise,
S authenticates Ui successfully and accepts the password change request.
5. S generates a random nonce rS, computes C3 = H(IDi, K1)⊕rS and C4 = H(rU, rS) and
sends {C3, C4} to Ui.
6. The smart card computes D3 = C3 ⊕ Wi ⊕ IPBi. Then it compares H(rU, D3) with C4.
If they are equal, the smart card successfully authenticates S and prompts Ui to enter a new
password.
7. Ui enters a new password PW newi . Then the smart card computes IPB
new
i = H(IDi||H(PW
new
i ⊕
b)). After that the smart card computes W newi = Wi⊕IPBi⊕IPB
new
i , which yields H(IDi, K1)⊕
IPBnewi , and computes Z
new
i = Zi ⊕ IPBi ⊕ IPB
new
i , which yields HK2(IDi) ⊕ IPB
new
i . The
smart card also updates T (j)2i to T
(j)2
i ⊕ IPBi ⊕ IPB
new
i for all remaining tickets, which yields
α
(j)
i ⊕ IPB
new
i .
4 Security Analysis of the Proposed Scheme
In this section, we present security analysis of the proposed scheme. In section 4.1, we show
that the server’s secret key cannot be obtained by an adversary who monitors the communication.
In sections 4.2-4.5, we show that the proposed scheme is resistant to lost smart card attack,
masquerade attack, replay attack and valid period extending attack.
4.1 Secrecy of the server’s secret key
In the proposed scheme, communications between Ui and S are through a common channel.
So we assume the adversary can eavesdrop this channel and get any messages transmitted between
Ui and S.
During the kth verification request and mutual authentication phase, the adversary can get
messages {IDi, T
(k)1
i , C1, C2, C3, C4}, in which IDi and T
(k)1
i have no relationship with K1 or
K2, and C1, C2, C3, C4 are as follows:
C1 = rU ⊕ Wi ⊕ IPBi = rU ⊕ H(IDi, K1)
C2 = H(rU) ⊕ T
(k)2
i ⊕ IPBi = H(rU) ⊕ HK2(IDi ∥ TID
(k)
i ∥ V P
(k)
i )
C3 = H(IDi, K1) ⊕ rS
C4 = H(rU, rS)
As rU and rS are both random nonces generated by Ui and S, the adversary cannot guess
their values. In addition, due to the one-wayness of hash function, the adversary cannot get
rU or rS from H(rU, rS). So the adversary cannot get the value of H(IDi, K1) or HK2(IDi ∥
TID
(k)
i ∥ V P
(k)
i ). As a result, the adversary cannot get any information on S’s secret keys by
eavesdropping channels.
4.2 Resistance to Attacks Based on Lost Smart Card
A user’s smart card may get lost due to an accident or the user’s carelessness. In this
section, we show that when an adversary gets a lost smart card, he cannot carry out attacks to
the proposed scheme. We first show that the proposed scheme is resistant to offline password
guessing attack. After that, we show that the lost tickets cannot be used by the adversary.
232 Z. Hao, S. Zhong, N. Yu
Resistance to Offline Password Guessing Attack
When an adversary gets the lost smart card of Ui, he can extract the stored data from it
by monitoring the power consumption [12] or analyzing the leaked information [13]. The values
stored in Ui’s smart card are
IDi, t, Wi, Zi, b, T
(j)
i , j = 1, 2, ..., t.
The adversary can pick up a password candidate PW ′. Then he can computes IPB′i =
H(IDi||H(PW ′i ⊕ b)). From Wi = IPBi ⊕ H(IDi, K1), Zi = HK2(IDi) ⊕ IPBi and β
(j)
i =
α
(j)
i ⊕ IPBi = HK2(IDi ∥ TID
(j)
i ∥ V P
(j)
i ) ⊕ IPBi he can further compute H
′(IDi, K1) =
Wi ⊕ IPB′i, H
′
K2
(IDi) = Zi ⊕ IPB′i and H
′
K2
(IDi ∥ TID
(j)
i ∥ V P
(j)
i ) = β
(j)
i ⊕ IPB
′
i. However,
as K1 and K2 are S’s secret keys, the adversary cannot get them. So the adversary cannot test
whether PW ′ is equal to PWi from these values.
From the above analysis, we can see that the proposed scheme is resistant to offline password
guessing attack.
Resistance to Attacks Based on Lost Tickets
When an adversary gets the lost smart card of Ui, he can extract the stored tickets T
(j)
i , j =
1, 2, ..., t from it. However, as the adversary cannot get PWi from offline guessing attack (refer
to 4.2), he cannot compute IPBi = H(IDi||H(PWi ⊕ b)). As a result, the adversary cannot
make a valid verification request message {C1, C2}, because both the computations of C1 and
C2 require the knowledge of IPBi.
From the above analysis, we can see that the proposed scheme is secure when an adversary
gets a lost ticket.
4.3 Resistance to Masquerade Attack
Suppose the adversary gets a set of history messages during the past channel eavesdropping.
In order to masquerade as Ui, the adversary has to forge a valid message {ID∗i , T
(k)∗1
i , C
∗
1, C
∗
2}
which can pass S’s authentication process.
It’s easy to see that the computation of C∗1 = rU ⊕ H(IDi, K1) requires the adversary to get
knowledge of H(IDi, K1). From 4.1 we know that the adversary cannot get H(IDi, K1), so he
cannot forge a valid verification request message either.
On the other hand, if the adversary wants to masquerade as the server, he must be able to
compute a valid message {C3, C4}, in which C3 = H(IDi, K1)⊕rS and C4 = H(rU, rS). Because
the computation of C3 requires the knowledge of H(IDi, K1), which the adversary does not have,
the adversary cannot masquerade as the server.
From the above analysis, we can see that the proposed scheme is resistant to masquerade
attack.
4.4 Resistance to Replay Attack
In the proposed scheme, the unique ticket ID and the nonces are used for preventing replay
attack.
Assume that the adversary gets a valid message {IDi, T
(k)1
i , C1, C2} by eavesdropping com-
munications between Ui and S. Then he tries to resend the message to S after a period of time
when the mutual authentication process finishes, with the expectation of obtaining data verifi-
cation service. However, when S receives this message, it will find that the ticket ID TID(k)i is
A Time-Bound Ticket-Based Mutual Authentication
Scheme for Cloud Computing 233
already on the bulletin board. So S will reject the adversary’s service request and terminate the
process.
On the other hand, if the adversary gets a message from S to Ui: {C3 = H(IDi, K1)⊕rS, C4 =
H(rU, rS)}. The adversary may try to resend it to Ui after a period of time when the mutual
authentication process is finished. However, when Ui’s smart card receives {C3, C4}, the nonce
rU has already been deleted from its storage. So this message will be discarded immediately.
From the above analysis, we can see that the proposed scheme is resistant to replay attack.
4.5 Resistance to Valid Period Extending Attack
Whenever Ui wants to use a ticket whose valid period does not include the current date, the
protocol can ensure that the ticket cannot be used even if Ui tries to modify the ticket’s begin
date or expiration date.
Assume Ui wants to use ticket T
(k)
i by changing the ticket’s V P
(k)
i to ˆV P
(k)
i , so that the
current date is included in ˆV P
(k)
i . Denote the modified ticket by T̂
(k)
i . When Ui sends the message
{IDi, T̂
(k)1
i , C1, C2} to S, S computes D1 = C1 ⊕ H(IDi, K1) and D2 = H(D1) ⊕ C2. Then S
computes HK2(IDi ∥ TID
(k)
i ∥ ˆV P
(k)
i ) and compares it with D2. Since D2 = H(D1) ⊕ C2 =
H(C1 ⊕H(IDi, K1))⊕C2 = α
(k)
i = HK2(IDi ∥ TID
(k)
i ∥ V P
(k)
i ) ̸= HK2(IDi ∥ TID
(k)
i ∥ ˆV P
(k)
i ),
S will reject Ui’s verification request and terminate the process immediately.
From the above analysis, we can see that the server can limit the data verification frequency
by specifying a valid period for each ticket. For example, the typical coverage of the valid period
can be one week, one month, one year, etc. The proposed scheme can prevent the client from
using a ticket whose valid period does not include the current date.
5 Performance Analysis
In this section we present performance analysis of the proposed scheme. The main operations
include the hash computation and the exclusive-or operations, which are summarized in Table
1. We use the hash-based message authentication code (HMAC) [14] as the keyed hash, which
incurs 2 exclusive-or and 2 common hash operations.
Table 1: Performance Analysis of the Proposed Scheme
operation verification request phase mutual authentication phase
client
xor 5 1
hash 3 2
keyed hash 0 0
server
xor 0 3
hash 0 4
keyed hash 0 1
Compared with [11], which uses expensive operations like modular exponentiations, our
scheme is much more efficient. According to the Crypto++ benchmarks1 [15], the SHA-256
hash algorithm [16] can achieve a throughput of 111MiB/Sec under Intel Core2 1.83GHz pro-
cessor. In the proposed scheme, the length of a message to be hashed does not exceed 1KB,
so the average time for one hash computation is about 0.009ms. If the Lin-Chang scheme uses
1The Crypto++ 5.6.0 benchmark is evaluated in Intel Core2 1.83 GHz processor under Windows Vista in
32-bit mode
234 Z. Hao, S. Zhong, N. Yu
the primes of length 1024bits, then one time of modular exponentiation will cost about 1.46ms
under the same platform [15]. Our scheme is at least 40 times more efficient than the Lin-
Chang scheme [11] in case of the server’s computation time. This is a tremendous performance
improvement to the cloud servers.
Performance Benefit by Limiting Verification Frequency The cloud server can also
benefit its performance by limiting the client’s data verification frequency. This is achieved by
controlling the valid period of the digital ticket. From the performance evaluation of [6] we know
that for a 30MB file, the computation time of the data integrity verification is approximately
1 second2 at the server side. Assume the cloud storage system has 100,000 clients, and each
client performs data integrity verification once a week. Then the average computation time of
the cloud server during one day is approxiately:
100, 000
7
· 1s ≈ 3.97 hours.
By using the proposed scheme, the server can limit the data verification frequency to once per
month, or even once per quarter, so that the average computation time of the cloud server is
reduced to 56 minutes per day and 18.5 minutes per day respectively.
6 Conclusions
In this paper, we propose a time-bound ticket-based mutual authentication scheme. In the
proposed scheme, the digital tickets are associated with the client’s smart card, which effectively
prevents the ticket from being used by other clients. By designing a mutual authentication based
on the client’s smart card, both the server and the client are assured of each other’s identity.
The proposed authentication scheme can efficiently decrease the server’s processing overhead
by limiting the data verification frequency. By security analysis and performance analysis, the
proposed scheme is shown to be both secure and efficient. It is very suitable for providing mutual
authentication in cloud computing.
Acknowledgment
This work was supported by NSF CNS-0845149, NSF CCF-0915374 and Knowledge Innova-
tion Program of Chinese Academy of Sciences (No. YYYJ-1013).
Bibliography
[1] B. Hayes, “Cloud computing,” Commun. ACM, vol. 51, no. 7, pp. 9–11, 2008.
[2] C. Cachin, I. Keidar, and A. Shraer, “Trusting the cloud,” SIGACT News, vol. 40, no. 2,
pp. 81–86, 2009.
[3] Amazon.com, “Amazon Web Services (AWS),” http://aws.amazon.com/s3/, 2009.
[4] Microsoft.com, “Microsoft Windows SkyDrive,” http://windowslive.com/online/skydrive,
2009.
2The experiment environment in [6] is Intel 2.8 GHz Pentium IV system with a 512 KB cache, an 800 MHz
EPCI bus, and 1024 MB of RAM.
A Time-Bound Ticket-Based Mutual Authentication
Scheme for Cloud Computing 235
[5] Nirvanix.com, “Nirvanix cloudNAS,” http://www.nirvanix.com/products-services/, 2009.
[6] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song,
“Provable data possession at untrusted stores,” in CCS ’07: Proceedings of the 14th ACM
conference on Computer and communications security, (New York, NY, USA), pp. 598–609,
ACM, 2007.
[7] A. Juels and B. S. Kaliski, Jr., “Pors: proofs of retrievability for large files,” in CCS ’07:
Proceedings of the 14th ACM conference on Computer and communications security, (New
York, NY, USA), pp. 584–597, ACM, 2007.
[8] E.-C. Chang and J. Xu, “Remote integrity check with dishonest storage server,” in 13th
ESORICS, pp. 223–237, Springer Berlin / Heidelberg, 2008.
[9] A. Heitzmann, B. Palazzi, C. Papamanthou, and R. Tamassia, “Efficient integrity checking
of untrusted network storage,” in StorageSS ’08, pp. 43–54, ACM, 2008.
[10] K. D. Bowers, A. Juels, and A. Oprea, “HAIL: a high-availability and integrity layer for
cloud storage,” in CCS ’09, (New York, NY, USA), pp. 187–198, ACM, 2009.
[11] I.-C. Lin and C.-C. Chang, “A countable and time-bound password-based user authentica-
tion scheme for the applications of electronic commerce,” Information Sciences, vol. 179,
no. 9, pp. 1269 – 1277, 2009.
[12] P. C. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in CRYPTO ’99: Proceed-
ings of the 19th Annual International Cryptology Conference on Advances in Cryptology,
(London, UK), pp. 388–397, Springer-Verlag, 1999.
[13] T. Messerges, E. Dabbish, and R. Sloan, “Examining smart-card security under the threat
of power analysis attacks,” IEEE Transactions on Computers, vol. 51, no. 5, pp. 541–552,
2002.
[14] H. Krawczyk, M. Bellare, and R. Canetti, “HMAC: Keyed-Hashing for Message Authenti-
cation,” RFC2104, February 1997.
[15] “Crypto++ 5.6.0 benchmarks,” http://www.cryptopp.com/benchmarks.html.
[16] “Secure hash standard,” Federal Information Processing Standards Publication 180-2, August
2002.