We have found that the addition of the random number d in the signature of the fourth message makes the nonce n useless. It was used at first for the user to authenticate the TTP. The TTP's signature of the acknowledgement is sufficient to perform this authentication. The user knows the TTP's public key so that he can verify that this message originates from the TTP. The random number d ensures that it belongs to the current registration and has not been replayed by the intruder. Thus, the user has the guarantee that he is talking to the TTP for the registration presently in progress.
Section 4.5 demonstrates that the signature of the registration acknowledgement message is very important. It can certainly not be removed as it performs the authentication of the whole registration. The message 4 is composed of the TTP's response, the user's identity and the random number d. So the authentication of d with a signature in the registration challenge message is not necessary. Only the final check of the acknowledgement is mandatory.
These two simplifications lead to a very simple protocol with only one signature :
All the five properties are satisfied. This version is as robust as the previous one from the point of view of the mutual authentication. Obviously, the intruder can more easily disturb the registration. The only difference is that the intruder's actions will be discovered later in the protocol. Regarding the special events only, a safety preorder exists between the corrected version of the protocol and this simplified version. Hence, all safety properties, expressible on the special events, verified on the latter are verified on the former.