Step 1	In the previous session, when Ui sends the authentication request {DIDi, MUi−G, vi, Ti} to GW as shown in Section 2.2, Uα eavesdrops on it.
Step 2	Uα computes the following. RNα is a random nonce generated by Uα. Tα is the current timestamp of Uα system. xs and h(K) are already known to Uα, as mentioned above.
	RNi=vi ⊕ xs
	$h\left(I{D}_i\Vert H\_P{W}_i^{*}\Vert x_s\right)=DI{D}_i\oplus h\left(x_s\left|\left|R{N}_i\right|\right|T_i\right)$
	$DI{D}_i=h(I{D}_i\Vert H\_P{W}_i^{*}\Vert x_s)\oplus h(x_s\Vert R{N}_i\Vert T_i)$
	$A_i=h(I{D}_i\Vert H\_P{W}_i^{*}\Vert x_s)\oplus h(K)$
	MUi−G = h(Ai∥xs∥RNα∥Tα)
	vi = RNα ⊕ xs
	Uα sends the authentication request {DIDi, MUi−G, vi, Tα} to GW.
Step 3	When GW receives {DIDi, MUi−G, vi, Tα}, GW checks if (TG−Tα) ≤ ΔT, where TG is the current timestamp of GW system. If (TG−Tα) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
Step 4	GW computes the following.
	RNα = vi ⊕ xs
	X*=DIDi ⊕ h(xs∥RNα∥Tα)
	MUi−G* = h((X* ⊕ h(K))∥xs∥RNα∥Tα)
	GW compares MUi−G with MUi−G*. GW regards {DIDi, MUi−G, vi, Tα} as being sent from a legitimate user because MUi−G=MUi−G*.