A Lightweight Anonymous Authentication Protocol with Perfect Forward Secrecy for Wireless Sensor Networks

Due to their frequent use in unattended and hostile deployment environments, the security of wireless sensor networks (WSNs) has attracted much interest in the past two decades. However, it remains a challenge to design a lightweight authentication protocol for WSNs because the designers are confronted with a series of desirable security requirements, e.g., user anonymity, perfect forward secrecy, and resistance to the de-synchronization attack. Recently, two authentication schemes were presented that attempt to provide user anonymity and to resist various known attacks. Unfortunately, in this work we show that the user anonymity of the two schemes is achieved at the price of an impractical search operation: the gateway node may have to search through every possible value. Besides this defect, they are also prone to smart card loss attacks and have no provision for perfect forward secrecy. As our main contribution, a lightweight anonymous authentication scheme with perfect forward secrecy is designed, and what we believe to be its most interesting feature is that user anonymity, perfect forward secrecy, and resistance to the de-synchronization attack are achieved at the same time. As far as we know, it is extremely difficult to meet these security features simultaneously using only lightweight operations, such as symmetric encryption/decryption and hash functions.


Introduction
Wireless sensor networks (WSNs) have gained a great deal of attention from researchers in academia and industry mainly for two reasons: first, they consist of a large number of resource-constrained sensor nodes, which are deployed randomly in a target region [1], and second, they can be widely used in various kinds of applications, such as healthcare monitoring [2], environment sensing [3], industrial monitoring [4], etc. Generally, WSNs are developed to monitor physical or environmental conditions, such as temperature, humidity, sound, etc., and to collect real-time information about these conditions. In many applications [5][6][7], external users need to access this real-time information from the sensor nodes. Figure 1 describes a way for real-time information access in WSNs. For example, using a WSN in a healthcare environment, the patient's real-time information such as temperature, blood pressure, and pulse rate will be collected by sensor nodes. Then, legitimate medical workers are able to access these data directly from the sensor nodes. Although it seems appealing for users to access real-time data from the sensor nodes, user authentication has been a critical issue in WSNs due to their frequent use in unattended and hostile environments [8]. Because many applications for WSNs operate in such environments, such as battlefields, a malicious adversary could easily control the communication channel, i.e., he/she would be able to eavesdrop, insert, block, and alter the transmitted data. Thus, WSNs are subject to various types of attacks. To ensure that only authorized users can access the reliable sensor nodes and to protect the real-time information, it is indispensable to achieve mutual authentication and establish a session key between the user and the sensor node. Nowadays, there are mainly three ways to accomplish authenticated key establishment in WSNs [9].
• The first and the simplest solution for authenticated key establishment is a symmetric key shared between the user and the sensor node. In this case, if a WSN has n sensor nodes and m users, each sensor node needs to store m symmetric keys, each user needs to store n symmetric keys, and the WSN needs to establish nm symmetric keys.
• Second, using public key cryptography, such as ECC [10], RSA [11] or ElGamal [12], is another approach to authenticated key establishment.
• Third, the user and the sensor node can achieve mutual authentication and establish a session key through a trusted gateway node (GWN) [13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30]. In this case, both the user and the sensor node need to share only a single key with the GWN. The GWN helps the user and the sensor authenticate each other and distributes a shared secret session key in each session. After this phase, the user can use this session key to access the real-time data from the desired sensor node without involving the GWN.
Obviously, the first method does not scale well, and the second, using public key cryptography primitives, tends to be resource intensive because most of these primitives are based on large-integer arithmetic. Hence, authenticated key establishment with the help of the GWN is preferred, given the limited computation and communication resources, capability, and bandwidth of sensor nodes. Additionally, identity masquerade and identity tracing have become common attacks in WSNs, which raise the problem of identity privacy. Hence, there is a growing demand for anonymous authentication in WSNs. Besides, since the sensor node is unattended, the long-term key of the sensor node may be compromised by an adversary. In this case, the previous session keys will be in danger. To address this, perfect forward secrecy should be considered. Therefore, anonymous authentication schemes with perfect forward secrecy for WSNs should be designed using only lightweight cryptographic primitives, such as symmetric key encryption/decryption and hash functions.
Many anonymous authentication schemes using lightweight cryptographic primitives have been proposed for WSNs in the past several years. However, as far as we know, most of them either do not consider perfect forward secrecy or suffer from the de-synchronization attack. In this work, we design a

In the same year, the authors of [28,29] proposed a lightweight authentication scheme, which uses a 'dynamic ID technique' to achieve user anonymity and is secure in resisting known session-specific temporary information attack. Unfortunately, we find that the two schemes are insecure against smart card loss attacks. Besides, both schemes have two design flaws, including impractical GWN search operation and no provision for perfect forward secrecy.
On the other hand, perfect forward secrecy is an important security property for authenticated key establishment schemes. Unfortunately, to the best of our knowledge, most of the authentication schemes that use only lightweight cryptographic primitives cannot provide perfect forward secrecy (e.g., the recent pertinent authentication schemes [24][25][26][28][29][30]). Although Mir et al. [30] claimed that their scheme provides perfect forward secrecy, we find that it is still vulnerable to a forward secrecy attack. In this scheme, the authors proved that the session key SK = h(K_i||K_j||ID_i||SID_i||T_1) is secure under the assumption that the adversary A does not obtain the identity ID_i of the user. However, if GWN's secret key d is compromised, A can guess ID_i offline from the transmitted message M as below.
A guesses a candidate ID'_i and computes X'_i = h(ID'_i||d) and ID_i||K_i||T_1||H_i = D_{X'_i}(M). A then checks whether ID'_i and the recovered ID_i are equal. If they are, A has obtained the correct ID_i; otherwise, A repeats this operation until the correct ID_i is obtained. Hence, Mir et al.'s scheme is unable to achieve perfect forward secrecy. Several articles [32][33][34] pointed out that a scheme that does not employ public-key primitives is intrinsically unable to provide perfect forward secrecy. To the best of our knowledge, some schemes [27] tried to address this issue using the one-time hash chain technique. However, it may open the door to a de-synchronization attack because the hash chain value is updated after each successful session.

Motivation and Contributions
Two schemes previously thought to be sound [28,29] use the 'dynamic ID technique' to achieve user anonymity at the price of impractical exhaustive search operations. The reason is that users' real identities are encoded into dynamic identities, so no one can obtain the identity information of a user without the secret key. When the user wants to access the WSN system, the GWN cannot directly tell the real identity of the user. As a result, the GWN needs to search through every possible parameter to figure out the exact user. Generally, to address this, a pseudonym identity method [25,26] is used to help the GWN read the correct entry from the user information table. In this way, both the user and the GWN store a randomly generated pseudonym identity, which is updated after each successful session. Since the pseudonym identity differs in each session, the adversary cannot track a specific user. However, Wang et al. [31] pointed out that schemes using pseudonym identities may easily suffer from de-synchronization attacks, which may render the scheme completely unusable unless the user or the sensor node re-registers.
To the best of our knowledge, the hash chain technique can be employed to ensure perfect forward secrecy for lightweight cryptographic protocols [27]. However, like the pseudonym identity method, both communicating parties need to update their shared one-time hash chain value after completion of each session. Thus, the technique may also cause the de-synchronization attack.
Motivated by the above facts, we construct a new efficient authentication scheme for WSNs that uses the pseudonym identity method and the one-time hash chain technique to achieve user anonymity and perfect forward secrecy. For the communication between the user and the GWN, the back-end of the GWN stores two pseudonym identities, PID_i0 and PID_i1, to resist the de-synchronization attack. PID_i0 holds the value of the new pseudonym identity. PID_i1 has two functions: it holds the value of the old pseudonym identity, and it serves as a tag for updating the hash chain. If PID_i1 = ⊥, the hash chain value was updated in the previous session; otherwise, the hash chain value did not change, where ⊥ denotes null. For the communication between the GWN and the sensor node, a serial number technique is used to resist the de-synchronization attack.
Altogether, in this paper, we analyze the security of two representative schemes [28,29] for WSNs and show their vulnerability to the smart card loss attack, their impractical GWN search operation, and their lack of perfect forward secrecy. To overcome these weaknesses, we design a lightweight anonymous authentication protocol for WSNs based on the one-time hash chain and pseudonym identity. The main contributions of our scheme are summarized as follows: (1) the proposed scheme is resilient to various kinds of known attacks, such as the de-synchronization attack and the known session-specific temporary information attack; (2) the proposed scheme provides mutual authentication, user anonymity, and perfect forward secrecy; (3) the proposed scheme uses only lightweight cryptographic primitives, such as symmetric encryption/decryption and hash functions, which makes it very suitable for resource-constrained sensor nodes.

Adversary Model
An adversary A has five goals. The first is that A can successfully impersonate the user U_i when authenticating to GWN. The second is that A can successfully impersonate GWN when authenticating to U_i. The third is that A can successfully impersonate the sensor node S_nj when authenticating to GWN. The fourth is that A can successfully impersonate GWN when authenticating to S_nj. The last is that A can obtain the session key shared among U_i, GWN and S_nj. We assume that A is a probabilistic polynomial time attacker, and the feasible attacks are summarized as follows:
• A can control the channel among U_i, GWN and S_nj, i.e., A can eavesdrop, insert, block, and alter the messages transmitted over the public communication channel.
• A can obtain one of the two authentication factors, the smart card or the password. If A has obtained the smart card, A can extract the secret values stored in it and has the capability of enumerating the identity and password space |D_ID * D_PW|.
• A may be another legitimate but malicious user in the system.
• A may be a legitimate but malicious sensor node.

Notations
All the notations mentioned in two related schemes and our proposed scheme are defined in Table 1.

Organization of the Paper
This paper takes two related schemes [28,29] as case studies and presents a concrete attack showing that the two schemes are insecure against the smart card loss attack. Besides, we also show that both schemes have two design flaws: the impractical GWN search operation and no provision for perfect forward secrecy. Then, we put forward a new way to deal with the de-synchronization attack and design an efficient anonymous authentication scheme with perfect forward secrecy for WSNs.
The rest of this paper is organized as follows: Section 2 reviews two related schemes for WSNs. Section 3 presents the detailed procedure of the proposed scheme. Section 4 gives security analysis of our scheme. The computation and communication costs analysis of the proposed scheme are discussed in Section 5. Finally, Section 6 concludes this paper.

Review of Two Related Schemes
This section describes two related authenticated key establishment schemes for WSNs, Lu et al.'s scheme [28] and Jung et al.'s scheme [29]. These two schemes were chosen because they are typical representatives of recent schemes for WSNs that suffer from the smart card loss attack, the impractical GWN search operation, and no provision for perfect forward secrecy. First, we give a brief review of the two schemes. Later on, the detailed weaknesses of the two schemes are described.

Review of Lu et al.'s Scheme
Lu et al.'s authentication scheme [28] is shown in Figure 2. This scheme consists of four phases: the user registration, the sensor node registration, login and authentication, password change.

User Registration
Step 1: A new user U_i selects the identity ID_i and the password PW_i, and generates a random number b_i. Then U_i computes C_i = h(PW_i||b_i) and transmits {ID_i, C_i} to GWN through a secure channel.
Step 2: Upon receipt of the message, the GWN computes After that, GWN stores {TID_i} in its memory, and stores {A_i, B_i, M_i} into the smart card SC. Finally, GWN sends SC to U_i via a private channel.
Step 3: After receiving SC from GWN, U_i stores b_i into SC.

Sensor Node Registration
Step 1: A new sensor node S_nj selects an identity SID_j and transmits {SID_j} to GWN through a secure channel.
Step 2: The GWN computes A_j = h(SID_j ⊕ K_GMN_S), stores {SID_j, A_j} into its memory, and returns A_j to S_nj.
Step 3: After receiving SID_j and A_j from GWN, S_nj stores them into its memory as secrets.


Login
When a user U_i desires the WSN services, he/she needs to achieve mutual authentication with GWN and S_nj. As shown in Figure 2, the process of mutual authentication is described as follows.
Step 1: U_i inputs ID_i and PW_i into the smart card SC. SC computes C_i = h(PW_i||b_i) and A'_i = h(h(ID_i)||C_i), and compares A'_i with the stored value A_i. If they are not equal, SC terminates the session. Otherwise, SC accepts U_i as a legitimate user. Next, SC generates a random number r_i and computes h( where T_1 is the timestamp. Finally, SC sends the login request {CT_1, E_i} to GWN through the public channel.
Step 2: After receiving the login message, the GWN computes EK = h_1(TID_i||x) and ID_i||T_1||TID_i||r_i = D_EK(CT_1). Then, the GWN checks the timestamp T_1, computes E'_i = h(h(ID_i||x)||r_i||T_1), and checks whether E'_i matches the received E_i. If it does not hold, GWN terminates the session. Otherwise, the GWN generates a random number r_k and computes where T_2 is the timestamp. Finally, the GWN sends {CT_2, G_i} to the sensor node S_nj that U_i wants to interact with via the public channel.
Step 3: Upon receiving the message {CT_2, G_i} from GWN, S_nj first computes r_k⊕r_i||TID_i||T_1||T_2 = D_{h(SID_j⊕K_GMN_S)}(CT_2). Then, S_nj checks the timestamp T_2, computes G'_i = h(TID_i||SID_j||h(SID_j⊕K_GMN_S)||ID_GWN||T_2||r_k⊕r_i), and checks whether G'_i matches the received G_i. If it does not hold, S_nj terminates the session. Otherwise, S_nj generates a random number r_j and computes SK = h(r_k⊕r_i⊕r_j||T_1||T_2||T_3), CT_3 = E_{h(SID_j⊕K_GMN_S)}(r_j||T_3||r_k⊕r_i), and I_i = h(SID_j||TID_i||T_3||SK), where T_3 is the timestamp. Finally, S_nj transmits {CT_3, I_i} to GWN.

Password Update Phase
When a user U_i wants to update the password, he/she needs to execute the following steps:
Step 1: , and checks whether A'_i and A_i are equal. If not, SC fails to authenticate U_i and rejects the password update request. Otherwise, U_i inputs a new password PW*_i.
Step 3: Finally, A*_i, B*_i, and M*_i are stored in SC to replace A_i, B_i, and M_i respectively.

Review of Jung et al.'s Scheme
Jung et al.'s authentication scheme [29] is shown in Figure 3. This scheme consists of three phases: registration, login and authentication, and password change. It has no sensor node registration phase: when the sensor node is deployed, a shared key K_GWN_S between the sensor node and the GWN is assigned.

User Registration
Step 1: A new user U_i selects the identity ID_i and the password PW_i, generates a random number
Step 2: Upon receipt of the message, the GWN computes After that, GWN stores {v} in its memory, and stores {N_i, M_i, h} into the smart card SC. Finally, GWN sends SC to U_i via a private channel.
Step 3: After receiving SC from GWN, U_i stores b_i into SC.

Login and Authentication
When a user U_i desires the WSN services, he/she needs to achieve mutual authentication with GWN and S_nj. Figure 3 illustrates the process of mutual authentication for this scheme. In detail, the process is:
Step 1: U_i inputs ID_i and PW_i into the smart card SC. SC computes C_i = h(PW_i||b_i), v = h(ID_i||C_i) ⊕ N_i, and M'_i = h(C_i||v), and compares M'_i with the stored value M_i. If they are not equal, SC terminates the session. Otherwise, SC accepts U_i as a legitimate user. Next, SC generates a random number R_1 and computes DID_i = h(ID_i||R_1), EK = h(DID_i||v||T_1), CT_1 = E_EK(DID_i||R_1||T_1), where T_1 is the timestamp. Finally, SC sends the login request {DID_i, CT_1, T_1} to GWN through the public channel.

Step 2: After receiving the login message, the GWN first checks the timestamp T_1 and computes EK = h(DID_i||h(x_i)||T_1) and DID_i||R_1||T_1 = D_EK(CT_1). Then, the GWN checks whether the recovered DID_i and T_1 match the received values. If they do not, GWN terminates the session. Otherwise, the GWN generates a random number R_2 and computes where T_2 is the timestamp. Finally, the GWN sends {CT_2, DID_i, B_i, T_2} to the sensor node S_nj.
Step 3: Upon receiving the message {CT_2, DID_i, B_i, T_2} from GWN, S_nj first checks the timestamp T_2 and computes . Then, S_nj checks whether B'_i matches the received B_i. If it does not hold, S_nj terminates the session. Otherwise, S_nj computes
Step 4: GWN first checks the timestamp T_3 and computes C'_i = h(h(K_GWN_S||SID_j)||SK||DID_i||SID_j||T_3). Then, the GWN checks whether C'_i matches the received C_i. If it does not hold, GWN terminates the session. Otherwise, the GWN computes CT_3 = E_EK(DID_i||SID_j||SK||R_1||T_4), where T_4 is the timestamp. Finally, GWN transmits {CT_3, T_4} to U_i.
Step 5: U_i checks the timestamp T_4 and computes DID_i||SID_j||SK||R_1||T_4 = D_EK(CT_3). Then U_i checks whether DID_i, R_1, and T_4 match the previous values. If they do, U_i completes the authentication. Otherwise, U_i fails to authenticate the GWN.

Password Update Phase
When a user U_i wants to update the password, he/she needs to execute the following steps:
Step 1: , and checks whether M'_i and the stored M_i are equal. If not, SC fails to authenticate U_i and rejects the password update request. Otherwise, U_i inputs a new password PW*_i.
Step 3: Finally, N*_i and M*_i are stored in SC to replace N_i and M_i respectively.

Security Analysis of Two Related Schemes
The security of the two related schemes above will be discussed in this section. Both are claimed to resist various kinds of attacks and to fulfill the desirable security requirements. However, we find that these two schemes are prone to the smart card loss attack. Besides, they also suffer from two design flaws: the impractical GWN search operation and no provision for perfect forward secrecy.

Smart Card Loss Attack
The smart card loss attack means that the password can be guessed offline in the case where the smart card is lost or stolen. The authors of the two schemes above [28,29] have proved that their schemes are secure against this attack. The proofs assume that the identity of the user cannot be guessed. However, since the identity of the user is a low-entropy value, several articles [32,35,36] have shown that the identity may be leaked when the smart card is lost or stolen. We now describe the details of this attack.
For Lu et al.'s scheme [28], suppose that the adversary A has obtained the smart card of U_i and can extract the secret information Then A can successfully guess ID_i and PW_i as below.
Step 1: A guesses a candidate pair ID'_i and PW'_i, and computes
Step 2: A checks whether A'_i and the A_i stored in the smart card are equal. If they are, A has obtained the correct (ID_i, PW_i) pair. Otherwise, A repeats Steps 1 and 2 until the correct (ID_i, PW_i) pair is obtained.
For Jung et al.'s scheme [29], the smart card stores . Therefore, the process of launching the smart card loss attack is similar, in many ways, to the attack on Lu et al.'s scheme: A can guess the correct (ID_i, PW_i) pair by checking whether Since the identity space |D_ID| and the password space |D_PW| are usually no larger than 10^6, the time required for A to complete this attack is linear [35]. As a result, Lu et al.'s scheme and Jung et al.'s scheme are still vulnerable to the smart card loss attack.

Impractical GWN Search Operation
User anonymity is an important security feature of authentication schemes for WSNs, and it consists of two properties, user identity-protection and untraceability [36]. User identity-protection means that the adversary cannot learn the real identity of the user, and user untraceability guarantees that the adversary can neither determine who the user is nor tell whether two sessions were executed by the same user. To achieve user anonymity, the 'dynamic ID technique' is widely adopted in most schemes, including Lu et al.'s scheme [28] and Jung et al.'s scheme [29]. In the two schemes, a user conceals his real identity in a dynamic identity. When the user wants to log in to the GWN, it is difficult for the GWN to tell the real identity of the user. As a result, the GWN needs to search through every possible parameter, or to have a back-end channel, to figure out the exact user, which is impractical [27]. The details of this operation are described as follows.
For Lu et al.'s scheme, the user sends a login message After receiving the message {CT_1, E_i} from the user, the GWN decrypts CT_1 with the symmetric key EK = h(TID_i||x). The problem is that the GWN cannot tell which TID_i belongs to the communicating user, because all users' TID_i values are stored in the GWN and nothing in the login message identifies the user. The GWN therefore has to perform an exhaustive search to find the user's TID_i. Let L be the size of the user information table, T_h the execution time of a hash operation, and T_E the execution time of a decryption operation. The time complexity of the above operation is O(L*T_h*T_E). This is obviously impractical.
A similar problem can also be found in Jung et al.'s scheme. The user sends a login message , where x_i is the symmetric key shared between the user and the GWN. Since all users' shared symmetric keys are stored in the GWN, the GWN cannot tell which one belongs to the communicating user, and it is obviously unrealistic for the GWN to perform an exhaustive search to find the user's x_i: the time complexity of that operation is O(L*2T_h*T_E), where L is the size of the user key table, T_h is the execution time of a hash operation, and T_E is the execution time of a decryption operation.
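To make the cost of this search concrete, the following Python model (added here; it is not code from the paper or from Lu et al.) replays the GWN-side lookup of Lu et al.'s login: the smart card builds {CT_1, E_i} as in Step 1 of the review above, and the GWN, holding only a table of TID_i values, must trial-decrypt with EK = h_1(TID_i||x) for every entry until the recovered record is consistent. SHA-256 stands in for h (and, with a domain tag, for h_1), a SHA-256 keystream XOR stands in for the unspecified E/D, and the fields of ID_i||T_1||TID_i||r_i are given fixed widths so the record can be split again; all of these are assumptions of the model.

```python
import hashlib
import os
from typing import List, Optional, Tuple

SEP = b"||"
# Fixed field widths (an assumption of this model) so ID_i||T_1||TID_i||r_i can be split again.
ID_LEN, T_LEN, TID_LEN, R_LEN = 8, 8, 32, 16


def h(*parts: bytes) -> bytes:
    """h(a||b||...): SHA-256 over the '||'-joined parts (stand-in for the paper's hash)."""
    return hashlib.sha256(SEP.join(parts)).digest()


def h1(*parts: bytes) -> bytes:
    """h_1 of the paper, modelled as h with a domain-separation tag (assumption)."""
    return h(b"h1", *parts)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def enc(key: bytes, msg: bytes) -> bytes:
    """Toy E_key(msg): nonce || (msg XOR keystream). Stand-in for the unspecified E/D."""
    nonce = os.urandom(16)
    return nonce + bytes(m ^ s for m, s in zip(msg, _keystream(key, nonce, len(msg))))


def dec(key: bytes, blob: bytes) -> bytes:
    """Toy D_key(blob): with a wrong key this returns garbage, as a plain decryption would."""
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def user_login(ID_i: bytes, TID_i: bytes, x: bytes, T_1: bytes) -> Tuple[bytes, bytes]:
    """Smart-card side of Lu et al.'s Step 1: EK = h_1(TID_i||x),
    CT_1 = E_EK(ID_i||T_1||TID_i||r_i), E_i = h(h(ID_i||x)||r_i||T_1).
    Only {CT_1, E_i} leaves the card; neither value names the user in the clear."""
    r_i = os.urandom(R_LEN)
    EK = h1(TID_i, x)
    CT_1 = enc(EK, ID_i + T_1 + TID_i + r_i)
    E_i = h(h(ID_i, x), r_i, T_1)
    return CT_1, E_i


def gwn_find_user(table: List[bytes], x: bytes, CT_1: bytes,
                  E_i: bytes) -> Tuple[Optional[bytes], int]:
    """GWN side of Step 2. The GWN holds every user's TID_i but nothing in {CT_1, E_i} says
    which one to use, so it trial-decrypts with EK = h_1(TID_i||x) for each stored TID_i and
    keeps the first candidate whose recovered record is consistent (recovered TID_i equals
    the candidate and E'_i = h(h(ID_i||x)||r_i||T_1) equals E_i).
    Returns (matching TID_i or None, number of hash+decrypt trials spent)."""
    trials = 0
    for TID_i in table:
        trials += 1
        rec = dec(h1(TID_i, x), CT_1)
        ID_i = rec[:ID_LEN]
        T_1 = rec[ID_LEN:ID_LEN + T_LEN]
        tid = rec[ID_LEN + T_LEN:ID_LEN + T_LEN + TID_LEN]
        r_i = rec[ID_LEN + T_LEN + TID_LEN:]
        if tid == TID_i and h(h(ID_i, x), r_i, T_1) == E_i:
            return TID_i, trials
    return None, trials


def _gwn_table(num_users: int) -> Tuple[List[bytes], List[bytes]]:
    """Constructed sample data: num_users identities and their TID_i (modelled as a per-user hash)."""
    ids = [i.to_bytes(ID_LEN, "big") for i in range(num_users)]
    tids = [h(ID_i, os.urandom(16)) for ID_i in ids]
    return ids, tids


def search_cost(num_users: int) -> Tuple[int, int, float]:
    """Log in once as each of num_users registered users and return (min, max, mean) trials:
    1, num_users and about num_users/2, i.e. the O(L*T_h*T_E) search discussed above."""
    x = os.urandom(32)
    ids, table = _gwn_table(num_users)
    T_1 = (1_700_000_000).to_bytes(T_LEN, "big")  # constructed timestamp
    counts = []
    for ID_i, TID_i in zip(ids, table):
        CT_1, E_i = user_login(ID_i, TID_i, x, T_1)
        found, n = gwn_find_user(table, x, CT_1, E_i)
        assert found == TID_i
        counts.append(n)
    return min(counts), max(counts), sum(counts) / len(counts)


def unknown_user(num_users: int) -> Tuple[Optional[bytes], int]:
    """A login from a TID the GWN never registered costs a full pass over the table and yields None."""
    x = os.urandom(32)
    _, table = _gwn_table(num_users)
    CT_1, E_i = user_login(b"\x00" * ID_LEN, h(b"unregistered"), x, (0).to_bytes(T_LEN, "big"))
    return gwn_find_user(table, x, CT_1, E_i)


if __name__ == "__main__":
    print("min/max/mean trials for 64 users:", search_cost(64))
```

The mean grows linearly with the table size, and every unregistered or malformed login costs a full pass; by contrast, a pseudonym identity sent in the clear, as in [25,26], lets the GWN index its table in a single lookup.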

No Provision for Perfect Forward Secrecy
Perfect forward secrecy is one of the important security properties for authenticated key establishment protocols. A protocol is said to achieve perfect forward secrecy if the compromise of long-term keys does not compromise previous session keys [33]. In practical applications such as a battlefield, the sensor node is unattended, which makes it vulnerable to compromise by the adversary. The long-term key of the sensor node may then be compromised and the previous session keys retrieved. Therefore, perfect forward secrecy should be considered for WSNs. However, neither of the two schemes above [28,29] can provide perfect forward secrecy.
For Lu et al.'s scheme, suppose the user's long-term secret keys h(ID_i||x) and h(TID_i||x) are compromised by the adversary A, and A has captured all the previously transmitted messages through the public communication channel. In this case, A is able to obtain all the previous messages CT_4. Thus, A can retrieve the past session keys through r_k⊕r_j||r_i||SID_j||ID_GWN||T_2||T_3||T_4 = D_{h(ID_i⊕x)}(CT_4) and SK = h(r_k⊕r_i⊕r_j||T_1||T_2||T_3). Meanwhile, if the GWN's long-term secret key x and the sensor node's long-term secret key K_GMN_S are compromised, the previous session keys will also be retrieved.
A similar problem can also be found in Jung et al.'s scheme. If the user's long-term secret key v is compromised by A, and A has captured all the previously transmitted messages DID_i, CT_3, T_1 through the public communication channel, then A can retrieve the past session keys through EK = h(DID_i||v||T_1) and DID_i||SID_j||SK||R_1||T_4 = D_EK(CT_3). Meanwhile, if the GWN's long-term secret key x_i and the sensor node's long-term secret key K_GWN_S are compromised, the previous session keys will also be retrieved.

The Proposed Scheme
This section describes each phase of the proposed anonymous authentication scheme for WSNs. It uses a pseudonym identity PID instead of the user's real identity to protect user anonymity. In order to achieve perfect forward secrecy, the messages transmitted over the public channel are protected by the one-time hash chain technique. The back-end of the GWN stores both the new PID and the old PID during execution so as to resist the de-synchronization attack. The old PID will be set to null until the GWN completes the authentication successfully. The proposed scheme consists of four phases: the registration phase, the authentication and key agreement phase, the password update phase, and the dynamic sensor node deployment phase. We describe the details in the following subsections.


Registration Phase
The registration phase includes user registration phase and sensor node registration. The details of these processes are described as follows. Figure 4 illustrates the registration phase for the proposed scheme.

User Registration
When a user U_i wants to access a sensor node S_nj, he/she needs to register with the GWN first. The GWN issues a smart card to U_i in response to the registration request. As shown in Figure 4a, the procedure of user registration is described as follows.
Step 1: A new user U_i selects an identity ID_i and a password PW_i, and generates a random number b_i. Then U_i computes C_i = h_0(ID_i||PW_i||b_i) and transmits {ID_i, C_i} to GWN through a secure channel.
Step 2: The GWN checks whether IDi exists in the user information Step 3: After receiving SC from GWN, Ui stores bi into SC.

Sensor Node Registration
When a new sensor node Snj is deployed, Snj is required to register in GWN. As shown in Figure  4b, the procedure of sensor node registration is described as follows.
Step 1: The new sensor node Snj selects identity SIDj and transmits {SIDj} to GWN through a secure channel.
Step 2: The GWN checks whether SIDj exists in the sensor node information table. If it exists, the GWN rejects the registration request. Otherwise, the GWN generates a random number KGWN-S, and

User Registration
When a user Ui wants to access a sensor node Snj, he/she needs to register with the GWN first. The GWN issues a smart card to Ui in response to the registration request. As shown in Figure 4a, the procedure of user registration is described as follows.
Step 1: A new user Ui selects an identity IDi and a password PWi, and generates a random number bi. Then Ui computes Ci = h0(IDi||PWi||bi) and transmits {IDi, Ci} to the GWN through a secure channel.
Step 2: The GWN checks whether IDi exists in the user information table. If it exists, the GWN rejects the registration request. Otherwise, the GWN generates three random numbers ui, a, b and sets NCi = a, where ⊥ denotes null. After that, the GWN adds the new entry {PIDi0, PIDi1, IDi, NCi, ui} to the user identity information table and stores {PIDi, Fi, NCi, V} into the smart card SC. Finally, the GWN sends SC to Ui via a private channel.
Step 3: After receiving SC from the GWN, Ui stores bi into SC.

Sensor Node Registration
When a new sensor node Snj is deployed, Snj is required to register with the GWN. As shown in Figure 4b, the procedure of sensor node registration is described as follows.
Step 1: The new sensor node Snj selects an identity SIDj and transmits {SIDj} to the GWN through a secure channel.
Step 2: The GWN checks whether SIDj exists in the sensor node information table. If it exists, the GWN rejects the registration request. Otherwise, the GWN generates a random number KGWN-S and sets the initial serial numbers NSj = NSj0 = 0. After that, the GWN adds the new entry {SIDj, NSj0, KGWN-S} to the sensor node information table and sends {NSj, KGWN-S} to Snj via a private channel.
Step 3: After receiving {NSj, KGWN-S} from the GWN, Snj stores them in its memory as secrets.

Authentication and Key Agreement Phase
When a user Ui wants to gain access to the WSN, Ui needs to achieve mutual authentication with the GWN and Snj. As shown in Figure 5, the process of mutual authentication is described as follows.
Step 1: Ui inputs IDi and PWi into the smart card SC. SC computes Ci = h0(IDi||PWi||bi), Ki = Fi⊕Ci, V' = h2(h3(Ki||Ci)), and compares V' with the stored value V. If they are not equal, SC terminates the session. Otherwise, SC accepts Ui as a legitimate user. Next, SC generates a random number rA and computes EK = h1(PIDi||Ki||NCi), CT1 = E_EK(rA||T), V1 = h3(IDi||rA||Ki||PIDi||NCi||T), where T is the current timestamp. Finally, SC sends the login request {PIDi, CT1, V1} to the GWN through the public channel.
Step 2: After receiving the login message, the GWN first checks the timestamp T. Then the GWN searches its back-end database for the pair of pseudonym identities (PIDi0, PIDi1) and proceeds as follows:
(1) The GWN checks whether the received pseudonym identity exists in the user information table.
• If PIDi = PIDi1, the user's pseudonym identity and hash chain were not updated in the previous session. The GWN computes V1' and checks whether it matches the received V1. If it holds, the GWN generates a random PIDi0' and sets PIDi0 = PIDi0'. Otherwise, the GWN terminates the session.
(3) The GWN sends {CT2, V2, NSj0} to the sensor node Snj that Ui wants to interact with, via the public channel.
Step 3: Upon receiving the message {CT2, V2, NSj0} from the GWN, Snj first verifies whether 1 ≤ NSj0 − NSj ≤ N, where N is a threshold set according to the specific requirements of the application.
Step 5: Ui computes V4' and checks whether it matches the received V4. If it holds, Ui computes V5 = h3(SIDj||IDi||PIDi0||sk) and updates NCi = h1(NCi), PIDi = PIDi0. Otherwise, Ui terminates the session. Finally, Ui sends {V5} to the GWN.
Step 6: After receiving the message V5 from Ui, the GWN computes V5' = h3(SIDj||IDi||PIDi0||sk) and checks whether it matches the received V5. If it holds, the GWN updates NCi = h1(NCi) and sets PIDi1 = ⊥. Otherwise, the GWN fails to authenticate Ui.
Thus, the three-party authenticated key agreement succeeds, and the participants share the session key sk, as summarized in Figure 5.

Password Update Phase
When a user Ui wants to update the password, he/she runs the following steps:
Step 1: Ui inputs IDi and PWi into the smart card SC. SC computes Ci = h0(IDi||PWi||bi), Ki = Fi⊕Ci, V' = h2(h3(Ki||Ci)), and checks whether V' and V are equal. If not, SC fails to authenticate Ui and rejects the password update request. Otherwise, Ui inputs a new password PWi*.
Step 3: Finally, Fi* and V* are stored in SC to replace Fi and V, respectively.

Dynamically Deploy Sensor Nodes Phase
When the system administrator deploys a new sensor node in the existing system, the deployed sensor node is required to apply to register in the GWN. The procedure of sensor node registration follows the steps described in Section 3.1.2.

Security Analysis of Our Scheme
In this section, we discuss the security of our proposed scheme. First, the strand space model is adopted to demonstrate the validity of our scheme. Second, we demonstrate that our scheme provides mutual authentication and session key security using the automated protocol verifier ProVerif. Finally, further security analysis illustrates the ability of the proposed scheme to resist various known attacks.

Authentication Proof Based on Strand Space Model
The strand space model [37,38] is a well-known formal analysis method for verifying the security of cryptographic protocols. Before we prove the correctness of our proposed scheme using the strand space model, we describe the basic notions below.

The Basic Notion of Strand Space Model
According to [37,38], a strand space is a set Σ of strands with a trace mapping tr: Σ → (±A)*, which includes the strands of the protocol participants and the penetrator strands. Here A is the set of messages transmitted between principals, and (±A)* is the set of finite sequences of signed messages. The elements of A are called terms t; t1 ⊏ t denotes that t1 is a subterm of t. Due to space limitations, only the fundamental notations and lemmas of the strand space model are listed here:
• +t / −t: send / receive a term t.
• <s,i>: a node of s, where s ∈ Σ and 1 ≤ i ≤ length(tr(s)). If n = <s,i>, then index(n) = i, strand(n) = s, term(n) is the i-th signed term in the trace of s, and uns_term(n) is the unsigned part of that term.
• n1 → n2: the node n1 sends a message and n2 receives it.
• n1 ⇒ n2: n1 is an immediate causal predecessor of n2, i.e., n1 = <s,i> and n2 = <s,i+1>.
• n1 ⇒+ n2: n1 precedes n2 on the same strand, i.e., n1 = <s,i> and n2 = <s,j> with i < j.
• S: a set of edges with respect to the causal relations →, ⇒ and ⇒+.
• n ≺S n': there are one or more edges in S leading from n to n'.
• n ≼S n': there are zero or more edges in S leading from n to n'.
• T: the set of atomic messages.
• K: the set of cryptographic keys, disjoint from T.
• {m}K: the message m encrypted under the key K.

Lemma 1.
Suppose C is a bundle. Then ≼C is a partial order, i.e., a reflexive, anti-symmetric, transitive relation. Every non-empty subset of the nodes in C has ≼C-minimal members.

Lemma 2.
Suppose C is a bundle, and suppose S is a set of nodes such that uns_term(m) = uns_term(m') implies m ∈ S iff m' ∈ S, for all nodes m, m'. If n is a ≼C-minimal member of S, then the sign of n is positive.

Penetrator Strands
The following describes the abilities of an adversary, which are characterized mainly by two factors: the key set KP possessed by the adversary, and the adversary's capability to generate new messages from messages he intercepts. The strands of the adversary/penetrator are as follows:
M. Text message: <+t>, the penetrator sends an atomic message t, where t ∈ T.
F. Flushing: <−g>, the penetrator receives message g.
T. Tee: <−g, +g, +g>, the penetrator receives message g and forwards it.
C. Concatenation: <−g, −h, +gh>, after receiving messages g and h, the penetrator joins them to get gh, then sends gh.
S. Separation into components: <−gh, +g, +h>, upon receiving message gh, the penetrator sends messages g and h.
K. Key: <+K>, the penetrator sends a key K, where K ∈ KP.
E. Encryption: <−K, −h, +{h}K>, after receiving a key K and a message h, the penetrator encrypts h under K to get {h}K, then sends {h}K.
D. Decryption: <−K−1, −{h}K, +h>, after receiving the inverse key K−1 and a ciphertext {h}K, the penetrator decrypts {h}K to get h, then sends h.
H. Hash: <−K, −M, +H(K,M)>, after receiving a key K and a message M, the penetrator computes the hash value H(K||M) of K||M, then sends it.

Authentication Proof Based on the Strand Space Model
The security goal of our proposed scheme is that the three participants authenticate each other and share a secret key sk. To make the proof easier to follow, we refer to our proposed scheme by the abbreviation LAAP. Figure 6 shows the LAAP space (Σ,P), whose strands are the following:
(1) Penetrator strands s ∈ P.
(2) 'User' strands with trace U[IDi, SIDj, T, rA, PIDi, PIDi0, Ki, NCi, sk], defined to be <+{PIDi, CT1, V1}, …>, where IDi, SIDj ∈ Tname, rA, sk, PIDi, PIDi0, PIDi1 ∈ T, Ki, NCi, KGWN-S ∈ K, sk ∉ Tname, sk ∉ K.
(4) 'Sensor node' strands with trace Sn[IDi, SIDj, sk, KGWN-S, NSj0], defined to be <−{CT2, V2, NSj0}, …>.
If the user, the GWN, and the sensor node can successfully authenticate each other, our scheme is a secure authentication scheme. The details of the proof of our proposed scheme using the strand space model are given in Appendix A.

Formal Security Validation Using ProVerif
In this section, we will demonstrate that our scheme provides mutual authentication and session key security using automated protocol verifier tool ProVerif [39][40][41]. ProVerif is one of the widely used formal verification tools for cryptography protocols, which supports many cryptographic primitives, including symmetric and asymmetric cryptography, digital signatures, hash functions, Diffie-Hellman key agreements, and signature proofs of knowledge.
To analyze the security of our scheme with ProVerif, we define two public channels: c1 is the public channel between the user and the GWN, and c2 is the public channel between the GWN and the sensor node. The proposed scheme is modeled as the parallel execution of three distinct processes: the user, the GWN and the sensor node. We have implemented the specifications of the three processes in the latest version 1.96 of ProVerif [42]. The implementation details of the proposed scheme are provided in the supplementary material available at [43].
ProVerif lets the verifier encrypt some free names under the secret session key and then verify the security of the session key by testing the secrecy of those free names [41]. As shown in Figure 3, we use four names secretA, secretB, secretC and secretD in secrecy queries to analyze the secrecy of the session key sk. To verify mutual authentication, we declare eight events: event beginUGparam(host), event endUGparam(host), event beginGUparam(host), event endGUparam(host), event beginGSparam(host), event endGSparam(host), event beginSGparam(host), event endSGparam(host).
Intuitively, when one participant believes it has completed the scheme with another participant, it executes the event endXXparam(host), where XX denotes UG, GU, GS, or SG; authentication holds if every such end event is preceded by the corresponding begin event of its peer. The results show that our scheme achieves mutual authentication and session key security. We describe the results of the queries as below:
The result of the secrecy queries means that the adversary has no trace by which to reconstruct secretA, secretB, secretC or secretD. Hence, the session key sk resists cracking.
Query inj-event(endUGparam(user)) ==> inj-event(beginUGparam(user))
RESULT inj-event(endUGparam(user)) ==> inj-event(beginUGparam(user)) is true.
This result means that every execution of the event endUGparam(user) is preceded by an execution of the event beginUGparam(user). Hence, the authentication of the GWN to the user holds.

Further Security Analysis of Our Scheme
In this section, the ability of the proposed scheme to resist various known attacks will be analyzed.

Resistance to De-synchronization Attack
Our scheme employs PID and one-time hash chain techniques to provide user anonymity and perfect forward secrecy. Hence, it needs an additional synchronization method to keep several one-time values consistent among the user, the GWN, and the sensor node. In the proposed scheme, the consistency of the PID and of the hash chain value between the user and the GWN is ensured by keeping two pseudonym identities <PIDi0, PIDi1>. For the communication between the GWN and the sensor node, we use a serial number to resist de-synchronization attacks. Since the hash function is one-way, we let the initiator update the hash chain value first. As a result, even if the adversary blocks a message, the hash chain values of the GWN and the sensor node can be re-synchronized. To make the analysis clearer, a brief framework of our scheme is shown in Figure 7. The adversary can launch the following malicious scenarios:
Scenario 1: If the adversary blocks message flow ①, the attack obviously has no effect, because none of the participants has started updating yet. This scenario is therefore omitted.
Scenario 2: If message flow ② is blocked by the adversary, the communication is jammed. For the communication between Ui and the GWN, this scenario is the same as Scenario 4. For the communication between the GWN and Snj, the hash chain values of the two participants no longer match. This does not render our scheme unusable, because the serial numbers NSj0 and NSj record how many times the hash chain has been updated, where NSj0 is the serial number on the GWN side and NSj is the serial number on the Snj side. When the GWN sends message flow ②, its hash chain value and NSj0 have already been updated. When Snj receives message ② {CT2, V2, NSj0}, it can re-synchronize its one-time hash chain value by applying the hash function NSj0 − NSj times. Therefore, this scenario causes a temporary asynchrony between the GWN and Snj, but it has no impact on future sessions.
Scenario 3: If the adversary blocks message flow ③, the attack has no effect between the GWN and Snj, because both participants have already updated their hash chain values and these values are equal. For the communication between Ui and the GWN, this scenario is the same as Scenario 4. Therefore, this scenario is omitted.
Scenario 4: If message flow ④ is blocked by the adversary, the attack has no effect between the GWN and Snj, because both have already updated their hash chain values. But the communication between Ui and the GWN is jammed. In this scenario, since neither participant's hash chain value has changed, only the synchronization of the pseudonym identities needs to be considered. The value of PIDi0 on the GWN side is now a new pseudonym identity, while the value of PIDi on the Ui side is unchanged. Fortunately, the old pseudonym identity is stored in PIDi1 on the GWN side, that is, PIDi1 = PIDi. So, when the next session is initiated by Ui with the unchanged PIDi, the GWN is still able to recognize it and completes the authentication. Therefore, this scenario causes a pseudonym identity asynchrony between Ui and the GWN, but it has no impact on future sessions.
Scenario 5: If message flow ⑤ is blocked by the adversary, as in Scenario 4, the attack has no effect between the GWN and Snj. However, the communication between Ui and the GWN is jammed. Since the pseudonym identities of both participants have been updated, that is, PIDi0 = PIDi, we only need to consider the synchronization of the two participants' hash chain values. In this scenario, the hash chain value on the Ui side has been updated, while the hash chain value on the GWN side is unchanged. When Ui initiates a new session with the updated hash chain value, the GWN updates its own hash chain value after checking that PIDi1 is non-null. Therefore, even though this scenario causes a hash chain asynchrony between Ui and the GWN, the two pseudonym identities allow the hash chain values to be synchronized again. As a result, the above analysis shows that our scheme resists de-synchronization attacks.
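The five blocking scenarios above can be checked mechanically. The following Python model is an added example, not code from the paper: it keeps the GWN's <PIDi0, PIDi1, NCi> entry, the user's <PIDi, NCi>, and the GWN-side and sensor-side <NSj0, KGWN-S> / <NSj, KGWN-S> pairs, models h1 as SHA-256 and the authenticators V1 to V5 as hashes over the current chain values (the paper's exact formulas are not reproduced), and lets the adversary drop any one of flows ① to ⑤. The function gateway_lookup is the two-PID rule from Step 2: a PID matching PIDi1 means the user did not update (Scenario 4), and a PID matching PIDi0 while PIDi1 is non-null means the GWN's own final update was lost (Scenario 5). The threshold N, the helper names and all sample values are assumptions for the demo.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

N = 3  # assumption: the paper's threshold on NSj0 - NSj, kept small for the demo


def h1(*parts: bytes) -> bytes:
    """One-way hash h1 that advances the hash chains (modelled as SHA-256)."""
    return hashlib.sha256(b"".join(parts)).digest()


def mac(tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for the authenticators V1..V5: a hash over a tag and the current chain values."""
    return hashlib.sha256(tag + b"".join(parts)).digest()


@dataclass
class User:
    pid: bytes             # PIDi on the smart card
    nc: bytes              # NCi, the user's one-time hash chain value


@dataclass
class GatewayUser:
    pid0: bytes            # PIDi0, newest pseudonym identity
    pid1: Optional[bytes]  # PIDi1, previous pseudonym identity; None (⊥) after a completed session
    nc: bytes              # GWN's copy of NCi


@dataclass
class GatewaySensor:
    ns0: int               # NSj0, hash chain updates counted on the GWN side
    k: bytes               # GWN's copy of KGWN-S


@dataclass
class Sensor:
    ns: int                # NSj, hash chain updates counted on the sensor side
    k: bytes               # KGWN-S held by the sensor


def gateway_lookup(g: GatewayUser, pid: bytes) -> Optional[bytes]:
    """Step 2: resolve the received PID against <PIDi0, PIDi1>; return the NCi to verify with."""
    if pid == g.pid1:
        nc = g.nc                 # Scenario 4: user never got the new PID, nothing advanced
    elif pid == g.pid0:
        if g.pid1 is not None:    # Scenario 5: user advanced NCi but V5 was lost; catch up
            g.nc = h1(g.nc)
        nc = g.nc
        g.pid1 = pid              # keep the old PID until this session completes
    else:
        return None
    g.pid0 = os.urandom(8)        # fresh PIDi0' for this session
    return nc


def run_session(u: User, g: GatewayUser, gs: GatewaySensor, s: Sensor,
                sid: bytes, drop: Optional[int] = None) -> bool:
    """One session; `drop` is the message flow (1..5) the adversary blocks, None for no loss."""
    v1 = mac(b"V1", u.pid, u.nc)                      # flow 1: user -> GWN
    if drop == 1:
        return False
    nc = gateway_lookup(g, u.pid)
    if nc is None or mac(b"V1", u.pid, nc) != v1:
        return False
    gs.k, gs.ns0 = h1(gs.k, sid), gs.ns0 + 1          # flow 2: the initiator updates first
    v2 = mac(b"V2", gs.k)
    if drop == 2:
        return False
    gap = gs.ns0 - s.ns
    if not 1 <= gap <= N:                             # Step 3: 1 <= NSj0 - NSj <= N
        return False
    k = s.k
    for _ in range(gap):                              # re-synchronise by hashing gap times
        k = h1(k, sid)
    if mac(b"V2", k) != v2:
        return False
    s.k, s.ns = k, gs.ns0
    v3 = mac(b"V3", s.k)                              # flow 3: sensor -> GWN
    if drop == 3 or mac(b"V3", gs.k) != v3:
        return False
    v4 = mac(b"V4", g.pid0, nc)                       # flow 4: GWN -> user
    if drop == 4 or mac(b"V4", g.pid0, u.nc) != v4:
        return False
    u.nc, u.pid = h1(u.nc), g.pid0                    # Step 5: user updates NCi and PIDi
    v5 = mac(b"V5", u.pid, u.nc)                      # flow 5: user -> GWN
    if drop == 5 or mac(b"V5", g.pid0, h1(nc)) != v5:
        return False
    g.nc, g.pid1 = h1(g.nc), None                     # Step 6: GWN updates NCi, clears PIDi1
    return True


def synchronised(u: User, g: GatewayUser, gs: GatewaySensor, s: Sensor) -> bool:
    """All one-time values agree again."""
    return (u.pid == g.pid0 and g.pid1 is None and u.nc == g.nc
            and s.ns == gs.ns0 and s.k == gs.k)


def setup():
    """Constructed post-registration state (sample values, not from the paper)."""
    pid, nc, k = os.urandom(8), os.urandom(32), os.urandom(32)
    return User(pid, nc), GatewayUser(pid, None, nc), GatewaySensor(0, k), Sensor(0, k)


SID = b"SID_j"  # constructed sensor identity


def demo_single_drop(drop: int) -> bool:
    """Drop one flow, then check the next undisturbed session completes and re-synchronises."""
    u, g, gs, s = setup()
    first = run_session(u, g, gs, s, SID, drop=drop)
    return (not first) and run_session(u, g, gs, s, SID) and synchronised(u, g, gs, s)


def demo_threshold_exceeded() -> bool:
    """Caveat: after N consecutive losses of flow 2 the gap exceeds N and the sensor rejects."""
    u, g, gs, s = setup()
    for _ in range(N):
        run_session(u, g, gs, s, SID, drop=2)
    return not run_session(u, g, gs, s, SID)
```

demo_single_drop(d) returns True when one lost message fails the current session but the next undisturbed session completes and every counter, key and pseudonym agrees again, which is the claim of Scenarios 1 to 5. demo_threshold_exceeded shows the limit the Step 3 check introduces: after more than N consecutive losses of flow ②, the sensor rejects the gap, which is why the paper leaves N to be chosen according to the application.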

Mutual Authentication
According to the proofs of Proposition A1-Proposition A4 and the formal validation using ProVerif, it is infeasible for an adversary to forge a legitimate user's or GWN's or sensor node's authentication message. Thus, the user, the GWN, and the sensor node can successfully authenticate each other.

User Anonymity
To protect the user's identity, the proposed scheme transmits a pseudonym identity instead of the user's real identity. The pseudonym identity is randomly generated and changes after each completed session, so it differs for every session. Moreover, it is practically impossible for an adversary to recover the user's real identity from the transmitted messages. Therefore, our scheme supports user anonymity and untraceability.

Perfect Forward Secrecy
In the proposed scheme, suppose the adversary has obtained the long-term keys of two participants, that is, Ki, NCi and KGWN-S; he/she still cannot get the session key sk. The reason is that after each successful session, the keys NCi and KGWN-S are updated by a one-way hash function, that is, NCi' = h1(NCi), KGWN-S' = h1(KGWN-S||SIDj). Because the hash function is one-way, the adversary cannot obtain NCi and KGWN-S from NCi' and KGWN-S'. Therefore, our scheme provides perfect forward secrecy.

Resistance to Smart Card Loss Attack
Suppose the adversary steals the user's smart card and obtains the data {PIDi, Fi, NCi, V, bi} stored in it. The adversary still cannot determine the correct password, because there exist |D_ID|·|D_PW|/1024 candidates for the password, where |D_ID| is the size of the identity space and |D_PW| is the size of the password space. This method is called a 'fuzzy verifier' [23,44,45]; it prevents the adversary from confirming the exact correct password. Therefore, our proposed scheme resists the smart card loss attack.
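As an added example (not the paper's code), the following Python reproduces the smart-card password check used in Step 1 of the authentication and password update phases, Ci = h0(IDi||PWi||bi), Ki = Fi⊕Ci, V' = h2(h3(Ki||Ci)), and measures the effect of the fuzzy verifier described above. The hash functions are modelled as domain-separated SHA-256; h2 is truncated to 10 bits, an assumption chosen to match the 1024 in |D_ID|·|D_PW|/1024 (the paper does not state h2's output length), and a 256-bit h2 is included for comparison. The identity, password, bi, Ki and the candidate dictionary are constructed sample values.

```python
import hashlib


def h0(data: bytes) -> bytes:
    """h0 of the paper, modelled as domain-separated SHA-256."""
    return hashlib.sha256(b"h0|" + data).digest()


def h3(data: bytes) -> bytes:
    """h3 of the paper, modelled as domain-separated SHA-256."""
    return hashlib.sha256(b"h3|" + data).digest()


def h2(data: bytes, bits: int) -> int:
    """h2, the verifier hash. With bits=10 it is the 'fuzzy verifier' (1024 possible values);
    with bits=256 it behaves like an ordinary full-width verifier (assumed widths, for comparison)."""
    digest = int.from_bytes(hashlib.sha256(b"h2|" + data).digest(), "big")
    return digest >> (256 - bits)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def issue_card(id_: bytes, pw: bytes, b: bytes, k: bytes, bits: int):
    """Registration: Ci = h0(IDi||PWi||bi), Fi = Ki XOR Ci, V = h2(h3(Ki||Ci)).
    Returns the card contents (Fi, V) that the password check depends on."""
    c = h0(id_ + pw + b)
    return xor(k, c), h2(h3(k + c), bits)


def card_accepts(id_: bytes, pw: bytes, b: bytes, f: bytes, v: int, bits: int) -> bool:
    """Step 1 of login / password update: recompute Ci, Ki = Fi XOR Ci, V' = h2(h3(Ki||Ci))
    and compare V' with the stored V."""
    c = h0(id_ + pw + b)
    k = xor(f, c)
    return h2(h3(k + c), bits) == v


def surviving_candidates(id_: bytes, b: bytes, f: bytes, v: int, bits: int, dictionary) -> int:
    """Number of dictionary passwords the card data alone cannot rule out."""
    return sum(card_accepts(id_, pw, b, f, v, bits) for pw in dictionary)


# Constructed sample values (not from the paper).
ID_I = b"alice"
PW_I = b"pw-2931"
B_I = bytes.fromhex("00112233445566778899aabbccddeeff")
K_I = hashlib.sha256(b"constructed long-term key Ki").digest()
DICTIONARY = [PW_I] + [b"pw-%04d" % n for n in range(4096) if n != 2931]


def compare_verifiers():
    """Returns (full-width survivors, fuzzy survivors) for the same card and dictionary."""
    f_full, v_full = issue_card(ID_I, PW_I, B_I, K_I, 256)
    f_fuzzy, v_fuzzy = issue_card(ID_I, PW_I, B_I, K_I, 10)
    return (surviving_candidates(ID_I, B_I, f_full, v_full, 256, DICTIONARY),
            surviving_candidates(ID_I, B_I, f_fuzzy, v_fuzzy, 10, DICTIONARY))
```

compare_verifiers returns how many dictionary passwords the card data alone leaves open: with a full-width verifier exactly the real one, with the fuzzy verifier the real one plus roughly one in 1024 of the rest, which is what denies the holder of a stolen card an offline confirmation of a guess. The residual wrong candidates are caught only by the GWN's check of V1 in Step 2, so the GWN side still has to limit failed login attempts per pseudonym.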

Resistance to Known Session-Specific Temporary Information Attack
In the proposed scheme, suppose the adversary obtains the ephemeral random number rA; he still cannot obtain any information about the session key sk. The reason is that the adversary has no way to compute the long-term key Ki or the one-time hash chain values NCi and KGWN-S. Moreover, the messages transmitted in the public channel are of no help in computing sk. Therefore, the proposed scheme prevents the known session-specific temporary information attack.

Resistance to Stolen Verifier Table Attack
In our scheme, no password-verifier table of the user is stored on the GWN side. Therefore, our scheme resists the stolen verifier table attack.

Resistance to User Impersonation Attack
In our scheme, in order to impersonate a user, the adversary has to generate a valid message {T, PIDi, CT1, V1}. However, this is infeasible because the adversary does not know the secret keys Ki and NCi. Therefore, our proposed scheme resists the user impersonation attack.

Resistance to Sensor Node Spoofing Attack
Proposition A1 to Proposition A4 and the formal validation using ProVerif show that the adversary cannot forge a legitimate user's or sensor node's authentication message without the secret keys Ki, NCi or KGWN-S. In the proposed scheme, a sensor node only holds its own secret value and does not know the secret values of other sensor nodes or users. Therefore, it cannot spoof any user or other sensor node.

Resistance to Replay Attack
The proposed scheme uses a timestamp, a nonce and serial numbers to prevent replay attacks. For the communication between the user and the GWN, the first message flow includes the current timestamp T, and the other message flows employ a challenge-response mechanism to resist replay attacks. For the communication between the GWN and the sensor node, the serial number is used in every message flow and is updated after each successful authentication session. As a result, when the user and the sensor node accept each other, the messages must belong to the current session, not a previous one. Therefore, our proposed scheme avoids replay attacks.

Resistance to Man-in-the-middle Attack
In the proposed scheme, the transmitted messages are protected by the secret values Ki, NCi and KGWN-S; anyone without them cannot forge legal authentication messages. Therefore, our scheme resists the man-in-the-middle attack.

Resistance to Wrong Password Login/Update Attack
In the proposed scheme, the password verification information V = h2(h3(Ki||Ci)) is stored in the mobile device and is used to check the correctness of the password. If the user inputs a wrong password PWi', the verification data V and V' = h2(h3((Fi⊕h0(IDi||PWi'||bi))||h0(IDi||PWi'||bi))) will not be equal. Therefore, our scheme quickly detects unauthorized login and password update attempts.

Security Comparisons
The security features of our proposed scheme and the two prior related schemes [28,29] are compared in this section. The results of the comparison are listed in Table 2. From Table 2, it can be concluded that the proposed scheme is the only one that resists the various known attacks considered and fulfills the desirable security features. Therefore, our scheme offers better security than the previous related schemes.

Performance Analysis
This section compares the computation and communication costs of our proposed scheme with the two prior related schemes [28,29]. Since the registration phase and the password update phase are not used frequently, we concentrate on comparing the authentication phase.

Computation Analysis
For efficiency analysis, we compare the computation costs of our scheme with the two prior related schemes [28,29]. To facilitate analysis, we use the following notations to measure computation costs.

• Th: the time complexity of a general hash function.
• TE/D: the time complexity of a general symmetric-key encryption/decryption algorithm.
As pointed out in [46,47], the running times of a one-way hash function operation and of a symmetric-key encryption/decryption operation are 0.00032 s and 0.0056 s, respectively. Thus, we have Th ≈ 0.00032 s and TE/D ≈ 0.0056 s. The computation complexity comparisons of our scheme and the two related schemes are summarized in Table 3. It shows that at the sensor node our scheme is as efficient as the most efficient of the prior related schemes. Although the computation cost for the user and the GWN in our scheme is higher than in Jung et al.'s scheme, this should be tolerable because our scheme provides higher security and resists most well-known attacks.
Table 3. Computation complexity comparisons of our scheme and the two related schemes.

Communication Analysis
In this section, we compare the communication cost of our proposed scheme with the two prior related schemes [28,29]. To make the comparison convincing, we assume that the bit lengths of the identities (IDi, SIDj, IDGWN), password (PWi), pseudonym identities (PIDi, PIDi0, PIDi1), timestamps (T, T1, T2, T3, T4), serial numbers (NSj0, NSj), random numbers (rA, sk), hash (h, h1, h3) output and hash (h0) output are 64, 64, 64, 160, 64, 256, 160 and 320 bits, respectively, and that the block length of the symmetric encryption is 128 bits. Since the bit length of a ciphertext produced by the symmetric encryption is a multiple of 128 bits, the bit lengths of CT1 and CT3 are 512 and 384 bits, respectively. Using the same approach, the total communication costs of the other related schemes are computed in Table 4. From the comparison in Table 4, it can be concluded that the proposed scheme has the least communication cost among the above schemes.
Table 4. Communication cost comparisons of our scheme and the two related schemes.

Scheme | Number of Messages Required | Number of Bits Required
Lu et al. [28] | 4 messages | 3840
Jung et al. [29] | 4 messages | 2624
Ours | 5 messages | 2208

Conclusions
In this paper, we propose a lightweight anonymous authentication protocol for WSNs based on a one-time hash chain and pseudonym identity. The proposed scheme can provide mutual authentication, user anonymity, perfect forward secrecy, etc. Besides, it is resilient to various kinds of known attacks, such as de-synchronization attack, and known session-specific temporary information attack. Formal security analysis and simulations are also conducted by ProVerif to demonstrate that our scheme is secure against active and passive attacks. Furthermore, the proposed scheme only uses symmetric key encryption/decryption and hash functions. It is very suitable for the resource constrained sensor nodes.

Appendix A. The Details in the Proof of Our Proposed Scheme Using Strand Space Model
Proposition A1. Suppose: (1) Σ is an LAAP space and C is a bundle containing a GWN strand s with trace G[IDi, SIDj, T, rA, PIDi0, PIDi1, Ki, NCi, sk, KGWN-S, NSj0]; (2) EK ∉ KP and KGWN-S ∉ KP, where EK = h1(PIDi||Ki||NCi); and (3) rA, PIDi0, sk, PIDi and PIDi1 are pairwise distinct, and PIDi0 and sk are uniquely originating in Σ.
Then C contains a user strand with trace U[IDi, SIDj, T, rA, PIDi, PIDi0, Ki, NCi, sk] and a sensor node strand with trace Sn[IDi, SIDj, sk, KGWN-S, NSj0]. We prove Proposition A1 using the following lemmas. For convenience, we refer to <s,2> (the second node +{CT2, V2, NSj} of s) as a0 and to its term, term(a0), as u0. We refer to <s,3> (the third node +{SIDj, V3} of s) as a3 and to its term, term(a3), as u3. Other nodes are named similarly: the node <s,4> is denoted b0 with term(b0) = v0, and the node <s,5> is denoted b3 with term(b3) = v3. As shown in Figure A1, four additional nodes a1, a2, b1, b2 are used during the proof, such that a0 ≺ a1 ≺ a2 ≺ a3.
Proof. Because a3∈C, sk∈C, u0!  u3, S is non-empty. Therefore, S has at least a minimal element a2 by Lemma 1, and the sign of the node a2 is positive by Lemma 2. Whether a2 lie on a penetrator stand p? We will check it through the form of the trace of p. □ M. Text message: < + t>, where t ∈ T. If this stand contains the node a2, which means that sk originates on this strand. Accord to Lemma 3, sk originates at a0. Obviously, it is a contradictory assumption. Therefore, M strand cannot contain the node a2.
First, we prove that C contains a sensor node's strand with trace Sn[ID_i, SID_j, sk, K_GWN-S, NS_{j0}].
Proof. By the assumptions, sk ⊏ u_0 and the sign of a_0 is positive. According to the definition of originates, we only need to verify that sk is not a subterm of any node a' that precedes a_0. On the same strand, the node preceding a_0 is <s,1>, with uns_term(<s,1>) = -{PID_i, CT_1, V_1}, where EK = h_1(PID_i||K_i||NC_i), CT_1 = E_EK(r_A||T) and V_1 = h_3(ID_i||r_A||K_i||PID_i||NC_i||T). We need to check that sk ≠ r_A and sk ≠ PID_i, which is a hypothesis, and that sk ≠ K_i, sk ≠ NC_i, sk ≠ SID_j and sk ≠ ID_i, which follows from the stipulation in Definition 1 Clause 3 that sk ∉ T_name and sk ∉ K. □
Lemma A2. The set S = {a ∈ C: sk ⊏ term(a) ∧ u_0 ⋢ term(a)} has a minimal node a_2, where u_0 ⋢ term(a) denotes that u_0 is not a subterm of term(a). The node a_2 is regular and the sign of a_2 is positive.
Lemma A3 and Lemma A4 show that C contains a sensor node's strand with trace Sn[ID_i, SID_j, sk, K_GWN-S, NS_{j0}]. Moreover, we can prove that C contains a user's strand with trace U[ID_i, SID_j, r_A, PID_i, PID_{i0}, K_i, NC_i, sk] using a similar proof.
Proposition A2. If Σ is a LAAP space, C is a bundle, and sk is uniquely originating in Σ, then there is at most one sensor node strand t_1 with trace Sn[ID_i, SID_j, sk, K_GWN-S, NS_{j0}] for any GWN, sensor node and sk.
Proof. If a sensor node strand t_1 has trace Sn[ID_i, SID_j, sk, K_GWN-S, NS_{j0}] for any user, GWN, and sk, then <t_1,2> is positive, sk ⊏ term(<t_1,2>), and sk is the challenge information of the GWN. Hence, if sk originates uniquely in Σ, there can be at most one such t_1. □
Proposition A3. If Σ is a LAAP space, C is a bundle, and r_A is uniquely originating in Σ, then there is at most one user strand t_2 with trace U[ID_i, SID_j, r_A, PID_i, PID_{i0}, K_i, NC_i, sk] for any user, GWN, and sk.
Proof. If a user strand t_2 has trace U[ID_i, SID_j, r_A, PID_i, PID_{i0}, K_i, NC_i, sk] for any user, GWN, and sk, then <t_2,1> is positive, r_A ⊏ term(<t_2,1>), and r_A cannot occur earlier on t_2. Therefore, r_A originates at node <t_2,1>. Hence, if r_A originates uniquely in Σ, there can be at most one such t_2. □
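The notions these proofs rely on, the subterm relation (⊏), "originates" and "uniquely originates", can be checked mechanically on the message terms given in the proof that sk originates at a_0 and in Propositions A2 and A3. The following Python block is an added example, not code from the paper: it models terms as strings, concatenations, encryptions and hashes, implements ⊏ with the strand-space rule that an encryption key is not a subterm of the ciphertext, and then checks that sk originates at a_0 on the GWN strand, that sk uniquely originates in a bundle holding one GWN strand and one sensor node strand, and that a bundle with two GWN strands emitting the same sk fails the uniqueness condition that Proposition A2 depends on. The contents of CT_2 and V_2, the sensor node's reply, and the treatment of a hash body as a subterm (as if encrypted under a key nobody holds) are assumptions of this example, since the appendix does not spell them out.

```python
# Added example (not the paper's own code): a small term algebra to mechanically
# check the strand-space notions used in Appendix A: the subterm relation (⊏),
# "originates" and "uniquely originates". Message contents the appendix does
# not spell out (CT_2, V_2, the sensor node's reply) are assumptions here.
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Enc:
    """Encryption E_key(body). In strand spaces the key is NOT a subterm."""
    key: "Term"
    body: "Term"


@dataclass(frozen=True)
class Hash:
    """Hash h(body); modelled like encryption under a key nobody holds (assumption)."""
    body: "Term"


Term = Union[str, Tuple["Term", ...], Enc, Hash]
Node = Tuple[str, Term]   # (sign '+' for sent / '-' for received, term)
Strand = List[Node]


def subterm(t: Term, u: Term) -> bool:
    """t ⊏ u: t is u itself, a component of a concatenation, or a subterm of an
    encryption/hash body. Keys of encryptions are deliberately excluded."""
    if t == u:
        return True
    if isinstance(u, tuple):
        return any(subterm(t, x) for x in u)
    if isinstance(u, (Enc, Hash)):
        return subterm(t, u.body)
    return False


def originates(t: Term, s: Strand, i: int) -> bool:
    """t originates at node <s,i> (1-indexed as in the paper): the node is
    positive, t ⊏ term(<s,i>), and t is not a subterm of any earlier node."""
    sign, term = s[i - 1]
    if sign != "+" or not subterm(t, term):
        return False
    return not any(subterm(t, earlier) for _, earlier in s[: i - 1])


def origin_points(t: Term, bundle: List[Strand]) -> List[Tuple[int, int]]:
    """All (strand index, node index) pairs at which t originates in the bundle."""
    return [(k, i) for k, s in enumerate(bundle)
            for i in range(1, len(s) + 1) if originates(t, s, i)]


def uniquely_originates(t: Term, bundle: List[Strand]) -> bool:
    """t uniquely originates in the bundle: exactly one originating node."""
    return len(origin_points(t, bundle)) == 1


# --- The GWN strand's first two nodes, following the proof for a_0 = <s,2> ---
ID_i, SID_j, T, r_A, PID_i, K_i, NC_i = "ID_i", "SID_j", "T", "r_A", "PID_i", "K_i", "NC_i"
sk, NS_j, K_GWN_S = "sk", "NS_j", "K_GWN-S"

EK = Hash((PID_i, K_i, NC_i))                    # EK  = h1(PID_i||K_i||NC_i)
CT_1 = Enc(EK, (r_A, T))                         # CT_1 = E_EK(r_A||T)
V_1 = Hash((ID_i, r_A, K_i, PID_i, NC_i, T))     # V_1 = h3(ID_i||r_A||K_i||PID_i||NC_i||T)
# CT_2 / V_2 are not given in the appendix; assumed here to carry sk to the sensor node.
CT_2 = Enc(K_GWN_S, (sk, SID_j))                 # assumption
V_2 = Hash((sk, SID_j, NS_j))                    # assumption

gwn_strand: Strand = [
    ("-", (PID_i, CT_1, V_1)),   # <s,1>: receives the user's first message
    ("+", (CT_2, V_2, NS_j)),    # <s,2> = a_0: sends the message to the sensor node
]

# Assumed sensor node strand: receives a_0's message, replies with SID_j and a hash.
sensor_strand: Strand = [
    ("-", (CT_2, V_2, NS_j)),
    ("+", (SID_j, Hash((sk, NS_j)))),
]


def sk_originates_at_a0() -> bool:
    """The claim proved above: sk originates at a_0 = <s,2> of the GWN strand."""
    return originates(sk, gwn_strand, 2)


def key_is_not_subterm() -> bool:
    """EK is only used as a key in CT_1, so EK ⋢ CT_1 and K_i ⋢ CT_1."""
    return not subterm(EK, CT_1) and not subterm(K_i, CT_1)


def sk_unique_in(bundle: List[Strand]) -> bool:
    """Uniqueness check behind Proposition A2 for a given bundle."""
    return uniquely_originates(sk, bundle)


if __name__ == "__main__":
    print("sk originates at a_0:", sk_originates_at_a0())
    print("origin points of sk:", origin_points(sk, [gwn_strand, sensor_strand]))
    print("unique with two GWN strands:", sk_unique_in([gwn_strand, gwn_strand, sensor_strand]))
```

Note that sk does not originate on the sensor node strand even though its second node is positive and contains sk: sk already appears in the received first node, which is exactly the "cannot occur earlier" condition used in the proofs of Propositions A2 and A3.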

Proposition A4. Suppose: (1) Σ is a LAAP space and C is a bundle containing a user's strand s with trace U[ID_i, SID_j, r_A, PID_i, PID_{i0}, K_i, NC_i, sk] and a sensor node's strand t with trace Sn[ID_i, SID_j, sk, K_GWN-S, NS_{j0}]; (2) GEK ∉ K_P, K_GWN-S ∉ K_P, where GEK = h_1(r_A||PID_{i1}||K_i||NC_i); and (3) r_A ≠ PID_{i0} ≠ sk ≠ PID_i ≠ PID_{i1}, and PID_{i0} and sk are uniquely originating in Σ.
Then C contains a GWN's strand with trace G[ID_i, SID_j, r_A, PID_{i0}, PID_{i1}, K_i, NC_i, sk, K_GWN-S, NS_{j0}].
Proof. To prove Proposition A4, we can regard the GWN's strand as a responder's strand with respect to the user or as an initiator's strand with respect to the sensor node. In both roles the proof proceeds as for Proposition A1. Taking the case of the GWN as a responder's strand, we only need to consider the set S = {a ∈ C: {V_4} ⊏ term(a)}, which is non-empty because <s,2> is an element of S; hence S has at least one minimal element a_0. If a_0 lies on a regular strand g, it is easy to prove that g ∈ G[ID_i, SID_j, r_A, PID_{i0}, PID_{i1}, K_i, NC_i, sk, K_GWN-S, NS_{j0}]. Otherwise, g is an H strand with trace <-GEK, -r_A||sk||PID_0, +{V_4}>, which is a contradiction because GEK ∉ K_P. Therefore, C contains a GWN's strand with trace G[ID_i, SID_j, r_A, PID_{i0}, PID_{i1}, K_i, NC_i, sk, K_GWN-S, NS_{j0}]. □
Propositions A1 to A4 show that our scheme is a secure mutual authentication scheme among the user, the GWN and the sensor node.