Informatica 37 (2013) 86-293 285 An Enterprise Digital Right Management Scheme with Anonymous Trust for Mobile Devices Jen-Ho Yang Department of Multimedia and Mobile Commerce, Kainan University, No. 1, Kannan Road, Luzhu, Taoyuan County, 33857, Taiwan E-mail: jenhoyang@mail.knu.edu.tw Hung-Ming Sun Department of Information Management, Kainan University, No. 1, Kannan Road, Luzhu, Taoyuan County, 33857, Taiwan E-mail: sunhm@mail.knu.edu.tw Ping-Liang Chen Department of Multimedia and Mobile Commerce, Kainan University, No. 1, Kannan Road, Luzhu, Taoyuan County, 33857, Taiwan E-mail: pingliang@mail.knu.edu.tw Keywords: enterprise digital right management, authentication, user privacy, anonymity, mobile device Received: August 3, 2012 In recent years, various enterprise digital right management (E-DRM) schemes have been proposed to protect and manage access rights of digital contents for the enterprise applications. However, we find that the previous E-DRM schemes do not protect the user privacy while mobile users access digital contents. In addition, the previous E-DRM schemes have high computation and communication loads. Besides, these schemes do not provide usage tracking for the digital content, and thus the digital right may be abused by malicious users. To solve the above problems, we propose a new E-DRM scheme with anonymous trust for mobile devices in this paper. The proposed scheme has low computation and communication loads, and it provides the user anonymity and usage tracking. Therefore, the proposed scheme is more efficient and practical than the related works for E-DRM applications. Povzetek: Razvita je nova shema E-DRM za določanje zaupanja v mobilnih napravah. 1 Introduction The Digital Right Management (DRM) scheme is a digital technique that protects and manages the access rights of digital contents. It can prevent the confidential information of a digital content from unauthorized usages by illegal users. Generally, there are four roles in the DRM scheme: a content provider (author), a consumer (client), a clearing house, and a distributor [1]. The content provider creates the digital content and encrypts it using some proper cryptosystems, such as RSA [2], ElGamal [3], and ECC [4]. Then, the content provider sends the encrypted content to the distributor (e.g., web server or online shop) for online distribution. Note that some researches combine the distributor with the content provider. Next, the content provider sends the usage rules to the clearing house, such as the copy permit, the pay-per-view, and the usage fee, to specify how to use the digital content. Note that the clearing house is responsible for issuing the digital license and handling the financial transactions for the content provider, the distributor, and the consumer. Assume that the consumer downloads the digital content from the web server. To access the encrypted content, the consumer requests the clearing house to issue a valid license, which contains the decryption key, usage rules, and descriptions of the digital content. Then, the clearing house performs the user authentication mechanisms [5-11] to verify the identity of the consumer. Then, the clearing house can charge the consumer account for the digital content. After the consumer has paid the money, the clearing house sends the license to the consumer. Finally, the consumer has the access rights to use the digital content. Figure 1 illustrates the above DRM infrastructure as follows. Due to the digital content can be easily obtained and distributed via the Internet, the DRM scheme becomes a popular research topic in recent years. Therefore, various DRM schemes [12-16] have been proposed to protect and manage the access right of a digital content. In 2005, Zhang et al. [12] proposed a license management scheme with anonymous trust for digital rights management (LMSAT) based on Elliptic Curve Cryptosystem (ECC). Zhang et al.'s scheme provides the user privacy protection, and their scheme allows the client access the content by using any permissive device. Thus, their 308 Informática 37 (2013) 307-313 J.-H. Yang et al. scheme provides a flexible license acquisition and usage tracking for the digital right management. However, Zhang et al.'s scheme has large computation loads because it utilizes the public-key cryptosystem [2-4]. Thus, their scheme is not suitable for the mobile device with low computation ability. Figure 1: The DRM infrastructure [1]. On the other hand, the DRM scheme can be also applied to digital right protection for enterprise applications. In 2008, Chen [14] proposed a traceable enterprise digital right management (E-DRM) scheme based on one-way hash functions for mobile devices. However, Chang et al. [16] found that Chen's scheme is insecure, and thus they proposed an improved E-DRM scheme in 2010. Chang et al.'s scheme solved the security problem, and it has lower computation cost. Unfortunately, we find that Chang et al.'s scheme has some flaws shown as follows. First, their scheme does not provide the anonymity so that the user's privacy may be revealed. Second, their scheme does not provide the usage trace of the digital content. Thus, the digital right may be ruined by any malicious user. Third, their scheme uses the certificate to authenticate the mobile user. This increases the communication time because the mobile user must apply the certificate from the certification authority (CA). Fourth, their scheme still has large computation costs because it has to compute the digital signature for authenticating messages. To solve the above-mentioned flaws, we propose a new E-DRM authentication scheme with user anonymity for mobile devices in this paper. In the proposed scheme, the mobile user can be authenticated by using an anonymity identity so that the user privacy can be well-protected. Moreover, the proposed scheme provides the usage tracking of a digital content, and thus the digital right would not be abused by any malicious user. Instead of using the certificate and digital signature, we only use the one-way hash function and exclusive-or (XOR) operations to accomplish the user authentication so the computation costs can be greatly reduced. According to the above descriptions, the proposed scheme is more efficient and practical than the previously proposed E-DRM schemes, and it is more suitable for the digital right management in mobile environments. 2 Review of Chang et al.'s E-DRM scheme In this section, we review Chang et al.'s scheme [16] and point out some drawbacks of their scheme. There are six roles in their scheme: the author of the digital content, the package server (PS), the content server (CS), the license server (LS), the authorization authority (AA), and the mobile user (MU). Table 1 shows the notations used in Chang et al.'s scheme. T, t A timestamp and a time constant Cert The digital certificate of a mobile user P i The i-th one-time password SEED The initial random seed number generated by the authorization authority Ni The i-th request random number generated by authorization authority IMEI A unique International Mobile Equipment Identification number of each mobile terminal msgreq The authorization request message of the mobile user CID The identity of a digital content DRM - AP type The type of the DRM-Enable application Vx (')/Sx (•) The verifying/signing function using X's public/secret key KEYcid The symmetric key for the digital content with CID EkeyX (•)/ DkeyX (•) The symmetric encryption / decryption function using a symmetric key KEYx H (•), F (•) Two collision free one-way hash functions Table 1: The notations used in Chang's E-DRM scheme The package phase: Step 1. The author produces the digital content and uploads it to PS. Step 2. PS chooses a symmetric key KEYcid to encrypt M by C = Ekeycid (M) . Then, PS generates the content header CH and uses its private key to produce two signatures Sigc = Sps (C) and SigcH = Sps (CH). In addition, PS generates the E-DRM formatted file and sends it to CS. Step 3. PS generates a signature Si§KEYcID = SPS (CID KEYCID ) and sends the messages {CID, KEYcd , SsgKEYcID } to LS. Step 4. After receiving the E-DRM formatted file, CS uses PS's public key to verify whether Sigc = Sps (C) and SigcH = Sps (CH) are valid or not. If they are valid, then CS stores the E- An Enterprise Digital Right Management Scheme with. Informatica 37 (2Q13) 307-313 309 DRM formatted file to its database and publishes the file to its public directory. Step 5. After receiving {CID, KEYCID , Sig^ }, LS uses PS's public key to verify SigKEYCID = S PS (CID, KEYcid ) . If the signature is valid, then LS stores (CID, KEYCID ) to its database. Step 6. To access the digital content, MU downloads the E-DRM file from the public directory of CS. According to URL of the content header, MU sends the registration request to AA for asking the access right. Content Identity (CID) Type of the DRM-enable Application ( drm - apfype) Identity of the Decryption Key < keyCid ) Attributes Signature of the Encrypted Content (SlgC) Authorization Authority (URL) The Encrypted Digital Content(C) Figure 2: The E-DRM formatted file. The registration phase: Step 1. MU sends its IMEI and Cert to AA via a secure channel. Step 2. AA checks MU by verifying IMEI and Cert. If MU is valid, then AA generates an initial random number N1 = SEED and sends it to MU through a secure channel. Step 3. AA stores IMEI, Cert, and SEED in its database and sends them to the LS through a secure channel. C II Mobile User (MU) Authorization Authority (AA) License Server (LS) IMEI, Cert SEED ¡ME!, Cert, SEED i » Figure 3: The registration Phase of Chang et al. 's scheme. The authentication phase: Step 1. When MU asks for i-th authentication from AA, it uses N to generate i-th one-time password P = Hl (Nt © IMEI © Cert || T || CID), where Hl (•) denotes the message x performs one-way hash function for I times, and T is a timestamp. Then, MU sends the messages {i, msg eq , T, CID, P , Cert} to AA. Step 2. AA checks whether T is correct or not. If T is smaller than t, AA loads N and IMEI from its database and computes Hl (N © IMEI © Cert || T || CID) . If Pl and Hl (N © IMEI © Cert || T || CID) are equal, then AA computes HF(n'\IMEI || T || Nt) © Nl+1 and H(IMEI || N || Nl+1). Then, AA sends the above messages to MU. Step 3. AA generates SlgAA = SM(MEI,CD,l,T,Cert, Hm)(MEI || T || N) ©NJ and sends {IMEI, CID, l, T, Cert, HF(n'\IMEI || T || N) © N+1, SlgAA} to MU. Step 4. After MU obtains the messages sent from AA, it computes N+j = Hm)(MEI || T || N ) ©Hm)(MEI || T || N ) © N+i and checks whether H (IMEI || N || N'+J is equal to H(IMEI || N . || N.+1) or not. If they are equal, MU accepts Nl+1 and keeps it. Step 5. LS uses the public key of AA to verify the digital signature by VAA(SlgAA) = IMEI, CID, l , T, Cert, Hf(n')(IMEI || T || N )©N+1 . If the equation holds, LS uses KEYCID stored in its database to generate Hf(N)(IMEI © Cert © T © Nt) © KEYCID and H(IMEI || N t || KEYCID) . Then, LS sends the above messages to MU. Finally, MU computes the equation NM = Hf(n\IME || T || n )©Hf = II * ®IMEI'i>Certl\ T\\ CID) (I.J'lit:. .T.CID.P.Cert ) /' 1 // (A' ÎMF1 + < m I CID) Randomly generate V . Sift , S IMIl.CiD.i.l'.i en.ll ' -IMII 11| JV,)© iV;+1) (^,"',(»iE/||r|rtr!]ffi,\.1.fflBIE;||»J|:iy'41)) ilMEI.CID.I.I.Cert.H"" (I1IEI|| r|| iY> A' , il' ■ {SLID IMEI&T)® il" ysrrT' IMTl ' T.-r V , lUiMin N-1| v ) in nrir 1 || (H"_ _ = ff™ '' IMfl . t ert .' T® V |© ' l\IH -t ! -:.V )© hiy H(I\IEI\\ \ || A/ >: liHWif .V || KiiY'-.-M- D. yiemeun /v: /r (I.win I / I , I _ ( IMEI.CID. fl IVII I 1 ( 1MEI © Cert © T © y, I - Kry,ll'IMFT\ N, Il AT Ï" .) : A ..V« ) iVJ© AT()©A:I+1 'il'Cprt A.:: A") Figure 4: The authentication phase of Chang et al.'s scheme. 3 The proposed E-DRM scheme There are three roles in the proposed scheme: the content provider (CP), the clearing house (CH), and the client device with the DRM agent (DA). The E-DRM model of the proposed scheme is similar as Figure 1. The difference of the proposed scheme and Chang et al.'s scheme is that the proposed scheme combines the functions of authorization authority and license server into a clearing house. This combination can greatly reduce the communication time, and that is why we do not adopt the model of Chang et al.'s scheme. In the proposed scheme, DA is loaded in the Client's mobile device. And, DA is responsible for paying the digital content, acquiring the digital license from CH, authenticating the license and the content, decrypting the encrypted content, and reporting the usage to CH. The notations used in the proposed scheme are shown in Table 2. Notations Explanations H(. ) A secure one-way hash function SK The session key Esk (•)/ Dsk (•) The symmetric encryption / decryption with the session key SK X The secret key of the content provider License License of a digital content Anonymity ID The anonymity identity of a client Content ID The identity of a digital content Usage Rules The usage rules of a digital content Usage Data The usage data of the digital content || The concatenation of strings SN The sequence number of the license ® Exclusive-or operation Decryption Key The decryption key for the encrypted digital content Other Data The other information of the license Table 2. The notations used in the proposed scheme The registration phase: In this phase, the client sends the registration information to the CP. Then, CP sends an anonymity identity and the authentication information to the client. Finally, the above information is stored in DA for the authentication. The steps of this phase are shown as follows. Step 1. For the registration, the client sends his/her identity (ID) and password (PW) to CP in a secure channel. Step 2. CP generates Anonymity ID to compute the authentication information Auth _ Info = HAnonymity _ ID © X) © PW for the client. Then, CP sends Anonymity ID and Auth _ Info to the client. Step 3. The client stores Anonymity ID and Auth _ Info in his/her device for later authentications. The authentication and license acquisition phase: In this phase, DA downloads the encrypted digital content from CP. To access the digital content, DA has to get the digital license from CH. In addition, CH is responsible for authenticating the client and sending the license to DA. Note that the client has to pay the money to CH for buying the license. However, we omit the payment steps because it is another research topic for DRM. The steps of this phase are shown as follows. Step 1. The client computes Auth _ Info © PW = H(Anonymity _ ID © X) by using PW. Then, the client (DA) chooses a random number Rr to Step 2. compute SDA = H (H (Anonymity _ ID © X)) © RDA and CDA = H(Rda ). Finally, DA sends Anonymity _ ID , SDA , and CDA to CH. CH computes Rda = SDA © H(H(Anonymity _ ID © X)) to check if CDA is equal to C'DA = H (RDA) . If they are equal, then CH authenticates that DA is valid. Next, CH chooses random number RCH to compute SCH = H(H(Anonymity _ID ©X) || RDA) ©RCH and the session key SK = H(H(aAnonymity _ID ©X) || RDA || RCH) . Finally, CH computes CCH = H(RDA || RCH || SK) and sends SCH and CCH to DA. Step 3. DA R = S1 CH CH computes © H(H(Anonymity _ID © X) || RDA) and the session key SK' = H(H(Anonymity _ID © X) || RDA || R'CH) . Then, DA computes C'CH = H(RDA || R'CH || SK') An Enterprise Digital Right Management Scheme with. Informatica 37 (2Q13) 307-313 309 to check if cch is equal to cch. If they are equal, then DA authenticates that CH and SK are both valid. Next, DA computes Esk (Anonymity _ ID || Content _ ID || Usage _ Rules || SK) and sends it to CH. Step 4. CH computes the digital license which contains the decryption key by the equation: License = {SN || Content _ ID || Usage _ Rules || Decryption _ Key || OtherData } . Then, CH computes ESK (License || SK) and sends it to DA. Finally, DA can use SK to decrypt Esk(License || SK) and obtain License. Thus, the client gets DecryptionKey from License and uses it to decrypt the encrypted digital content. Next, DA computes CDA = H(RCH || RDA || SK) and sends SDA and CDA to CH. Step 3. CH computes Rda = SDA © H(H(Anonymity _ ID © X) || RCH) and the session key SK = H(H{Anonymity_ID © X) || RCH || RDA) . Then, CH computes CDA = H(RCH || RDA || SK) to check if CDA is equal to C'DA . If they are equal, then CH ensures that DA and SK are both valid. Next, CH computes E-(Anonymity_ID || Content_ID || SN || SK) and sends it to DA. Step 4. DA computes E— (Usage_Data || SK) and sends it to CH. Finally, CH can decrypt E— (Usage _ Data || SK) to trace the content usage. Figure 5: The authentication and license acquisition phase. The usage tracking phase: In this phase, CH receives the report of the content usage from DA. For fraud prevention, CH needs to authenticate the validity of DA. In addition, the usage information needs to be encrypted for protecting the user privacy. The steps of this phase are shown as follows. Step 1. First, CH chooses a random number RCH to compute SCH = H(H(Anonymity _ ID © X)) © RCH and CCH = H (Rch ) . Then, CH sends Anonymity _ ID , SCH , and CCH to DA. Step 2. DA computes RCH = SCH © H(H(Anonymity _ ID © X)) to check if CDA is equal to C'CH = H(R 'CH). If they are equal, then DA authenticates that CH is valid. Next, DA chooses random number RDA to compute SDA = H(H(Anonymity _ID © X) || RCH) © RDA and the session key SK = H(H(Anonymity _ ID © X) || RCH || RDA) . Figure 6: The usage tracking phase. According to the above descriptions, the proposed scheme is designed by one-way hash functions and XOR operations. Thus, the computation cost of the mobile device can be greatly reduced. In addition, the proposed scheme provides the usage tracking and user anonymity so the digital right and the user privacy can be well-protected. Besides, we simplify the communication model and eliminate the use of the certificate. Therefore, the communication cost of the proposed scheme is much lower than that of Chang et al. 's scheme. 4 Discussions In this section, we perform some possible attacks on the proposed scheme to show the security analyses as follows. Man-in-the-middle attack: Assume that an attacker wants to get the Decryption Key from CH, and he/she impersonates DA to share the session key SK with CH. First, the attacker intercepts all messages sent form DA to CH. Then, the attacker impersonates DA to generate the forged 313 Informatica 37 (2013) 315-338 N. Meghanathan et al. SDA = H (H (Anonymity _ ID © X )) © RD and CDA = H (Rda ). Next, the attacker sends Anonymity_ ID, S'DA, and CDA to CH. However, the attacker cannot pass the authentication because S"DA ^ SDA . Thus, CH can find that Anonymity _ ID , S"DA , and CDA are sent from an attacker. Similarly, an attacker cannot impersonate CH because he does not know the real H(Anonymity _ ID © X) . Therefore, the man-in-the-middle attack is infeasible for the proposed scheme. Outsider attack: Assume that an attacker wants to get SK, and then he/she wiretaps the communications between DA and CH. Thus, the attacker can obtain SDA, CDA, SCH, and CCH . Then, the attacker wants to use the information to compute SK = H(H(Anonymity _ID ©X) || RDA || RCH). Unfortunately, the attacker needs to know H (Anonymity _ ID © X), RDA, and RCH from SDA, CDA, SCH , and CCH to obtain SK. Thus, the attack is impossible because H(Anonymity _ ID © X), RDA, and Rch are protected by the one-way hash function. Therefore, the outsider attack is infeasible for the proposed scheme. Replay attack: Assume that an attacker collects the messages once being transferred between DA and CH. To get the digital license or the session key, the attacker may pretend to be DA or CH by resending the pre-collected messages between DA and CH. However, this attack cannot work because all messages are generated and changed according to the random numbers in the proposed scheme. Thus, the messages are different in each time so that the replay attack is infeasible for the proposed scheme. Stolen-verifier attack: Assume that the client's device is lost or stolen by an attacker. The attacker may try to use this device to access the digital content as a legal client. However, this attack is impossible because the authentication information H(Anonymity _ ID © X) is protected by user's password PW. And, the attacker does not know the correct PW to compute Auth _ Info © PW . Therefore, the proposed scheme is still secure even if the client's device is lost or stolen. Impersonating attack: Assume that an attacker wants to impersonate a legal user to access the digital content. Then, he/she may generate a forged H (Anonymity _ ID © X)" and RDA" to compute SDA" = H(H(Anonymity _ ID © X)") © RDA" and sends Anonymity _ID , SDA" , and CDA" to CH, where CDA" = H(RDA") . However, this attack does not work because the CH will use H (Anonymity _ ID © X) to compute RDA = SDA "©H (H (Anonymity _ ID © X)) . Finally, CH will find that CDA" is not equal to C'DA = H(Rda ) . Therefore, the impersonating attack is impossible for the proposed scheme. Performance analyses: In Table 3, we show some comparisons among the proposed scheme, Zhang et al.'s scheme [12], and Chang et al.'s scheme [16]. According to Table 3, only the proposed scheme has no stolen-verifier attack. Unlike the other schemes, the proposed scheme can solve the security problem when the mobile devise is lost or stolen. Moreover, the proposed scheme provides the user anonymity and usage tracking. Table 3 also shows the computation costs in the user's sides of these three schemes. The computation costs of the asymmetric encryption, symmetric encryption, one-way hash function and exclusive-or operation are denoted as A, S, H, and X, respectively. According to [18], the measurement of the above computation costs can be denoted as A>>>S>>>H>>>X, where "A>>>S" means that A is much larger than S. According to Table 3, the computation cost of the proposed scheme is lower than those of the other schemes. In conclusion, the proposed scheme is more efficient and practical than the other schemes. "---....Meth. Comp. [12] [16] Ours User anonymity Yes No Yes Usage tracking Yes No Yes Stolen-verifier attack Yes Yes No Computation cost 3A+2S +3H 1S+(2|F(X,)| +/+2)H+7X 1S+4H+3 X Table 3. Comparisons of the related works 5 Conclusion In this paper, we propose an efficient and practical E-DRM scheme with anonymity trust for mobile devices. According to our analysis, the proposed scheme has low computation cost so it is suitable for mobile devices. In addition, it protects the user's privacy by using the anonymous identity for the user authentication. Thus, the proposed scheme allows users access their digital contents by any permissive mobile devices. Besides, the proposed scheme provides usage tracking to make sure that the access is not abused by malicious users. Compared with the related works, the proposed scheme is more efficient and practical in the E-DRM applications for mobile devices. Based on the proposed scheme, we will investigate the usage charge for E-DRM applications to make our research more complete in the future. An Enterprise Digital Right Management Scheme with. Informatica 37 (2Q13) 307-313 309 Acknowledgement This work was supported in part by National Science Council under the grants NSC 100-2221-E-424-006. References [1] Q. Liu, S. N. Reihaneh, and N. P. Sheppard, "Digital rights management for content distribution," Proceedings of Australasian Information Security Workshop 2003 (AISW2003), Conferences in Research and Practice in Information Technology, Adelaide, Australia., Vol. 21, 2003. [2] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, Vol. 21, pp. 120-126, 1978. [3] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Transactions on Information Theory, Vol. 31, pp. 469-472, 1985. [4] N. Koblitz, "Elliptic curve cryptosystem", Mathematics of Computation, Vol. 48, pp. 203-209, 1987. [5] T. Kwon and J. Song, "Efficient key exchange and authentication protocols protecting weak secrets," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E81-A, pp. 156-163, 1998. [6] T. Kwon and J. Song, "Authenticated key exchange protocols resistant to password guessing attacks," IEEE Proceedings Communications, Vol. 145, pp. 304-308, 1998. [7] M. Sandirigama, A. Shimizu, and M. T. Noda, "Simple and secure password authentication protocol (SAS)," IEICE Transactions on Communications, Vol. E83-B, pp. 1363-1365, 2000. [8] M. S. Hwang, C. C. Lee, and Y. L. Tang, "A simple remote user authentication protocol," Mathematical and Computer Modelling, Vol. 36, pp. 103-107, 2002. [9] H. Y. Chien and J. K. Jan, "Robust and simple authentication protocol," Computer Journal, Vol. 46, pp. 193-201, 2003. [10] E. Bresson, O. Chevassut, A. Essiari, and D. Pointcheval, "Mutual authentication and group key agreement for low-power mobile devices," Computer Communications, Vol. 27, pp. 17301737, 2004. [11] H. M. Sun and H. T. Yeh, "Password-based authentication and key distribution protocols with perfect forward secrecy," Journal of Computer and System Sciences, Vol. 72, pp. 1002-1011, 2006. [12] J. Zhang, B. Li, L. Zhao, and S. Q. Yang, "License management scheme with anonymous trust for digital rights management," Proceedings of 2005 IEEE International Conference on Multimedia and Expo, Amsterdam, Netherlands, pp. 257-260, July 2005. [13] C. C. Lin and P. H. Chiang, "A mobile trading scheme for digital content based on digital rights", Proceedings of the Eighth International Conference on Intelligent Systems Design and Applications (ISDA 2008), Kaohsiung City, Taiwan, Vol. 3, pp. 451-456, Nov. 2008. [14] C. L. Chen, "A secure and traceable E-DRM system based on mobile device," Expert Systems with Applications, Vol. 35, No. 3, pp. 878-886, Oct. 2008. [15] C. C. Lin, S. C. Wu, P. H. Chiang, and C. C. Chen, "Enterprise-oriented digital rights management mechanism: eDRM," Proceedings of International Conference on Availability, Reliability and Security, ares, pp. 923-928, 2009. [16] C. C. Chang, J. H. Yang, and, D. W. Wang, "An efficient and reliable E-DRM scheme for mobile environments," Expert Systems with Applications, Vol. 37, No. 9, pp. 6168-6176, Sep. 2010. [17] D. Hankerson, A. Menezes, and S. Vanstone, Guide to elliptic curve cryptography, SpringerVerlag, New York, USA, 2004. [18] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition, John Wiley & Sons, Inc., New York, USA, 1996.