A Secure and Lightweight Authentication Protocol for IoT-Based Smart Homes

With the information and communication technologies (ICT) and Internet of Things (IoT) gradually advancing, smart homes have been able to provide home services to users. The user can enjoy a high level of comfort and improve his quality of life by using home services provided by smart devices. However, the smart home has security and privacy problems, since the user and smart devices communicate through an insecure channel. Therefore, a secure authentication protocol should be established between the user and smart devices. In 2020, Xiang and Zheng presented a situation-aware protocol for device authentication in smart grid-enabled smart home environments. However, we demonstrate that their protocol can suffer from stolen smart device, impersonation, and session key disclosure attacks and fails to provide secure mutual authentication. Therefore, we propose a secure and lightweight authentication protocol for IoT-based smart homes to resolve the security flaws of Xiang and Zheng’s protocol. We proved the security of the proposed protocol by performing informal and formal security analyses, using the real or random (ROR) model, Burrows–Abadi–Needham (BAN) logic, and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. Moreover, we provide a comparison of performance and security properties between the proposed protocol and related existing protocols. We demonstrate that the proposed protocol ensures better security and lower computational costs than related protocols, and is suitable for practical IoT-based smart home environments.


With the development of information and communication technologies (ICT) and
Internet of Things (IoT), smart home automation systems are receiving a lot of attention. The smart home is a networking environment that connects smart devices (e.g., IoT devices and sensors) to each other. Based on these smart devices, users can utilize various home services. When the user is inside the home, the user can control all smart devices with voice commands or applications, granting the user access to services such as turning the TV on/off, choosing music, switching lights on/off, and so on. When the user is outside the home, the user can monitor and control various smart devices by checking their status. Thus, users can enjoy a high level of comfort and an increased quality of life through smart home environments.
Generally, smart home environments consist of the user, smart devices, a home gateway, and a registration authority [1][2][3]. A remote user wants to use the data collected by smart devices. However, smart devices are resource limited in terms of computational power, amount of memory, and bandwidth [4]. For these reasons, smart devices communicate through the home gateway. The home gateway acts as a bridge between smart devices and remote users by providing short and long-distance wireless communication interfaces that maintain the connectivity with internal smart devices and remote users [5]. Users can remotely operate smart devices with the help of a home gateway using Internet-enabled mobile phones and tablets anytime and anywhere. Thus, the home gateway plays a crucial role by controlling the data exchange. It manages the communication between internal and external surroundings.
Unfortunately, the smart home has security and privacy problems because the sensitive data collected by smart devices are exchanged through wireless networks. If an adversary obtains the data, the adversary will abuse them for his own purposes. Thus, security and privacy are essential elements to providing secure home services. In addition, the exchanged data should meet confidentiality, integrity, and availability standards. Asymmetric and symmetric key cryptosystems are inappropriate for applying to low-capacity devices because they generate high computational costs. Thus, secure and lightweight authentication protocols are necessary to provide security and privacy in IoT-based smart homes.
In 2020, Xiang and Zheng [6] proposed a situation-aware protocol for device authentication in smart grid-enabled smart home environments. Xiang and Zheng claimed that their protocol can withstand impersonation, man-in-the-middle (MITM), and replay attacks. Xiang and Zheng also demonstrated that their protocol can provide data integrity and mutual authentication. However, herein we prove that their protocol does not prevent stolen smart device, impersonation, and session key disclosure attacks, and fails to ensure mutual authentication. They also mentioned that their protocol concentrates on the security of smart grid-enabled smart home environments. However, they proposed an authentication protocol that is only for smart home environments. Thus, we focus on general smart home environments and present a secure and lightweight authentication protocol for IoT-based smart homes that deals with the security drawbacks of Xiang and Zheng's protocol [6]. The proposed protocol is efficient for resource-constrained smart devices because we use only one-way hash functions and XOR operations.

Contributions
This paper has the following main contributions.
• We analyze the security vulnerabilities of Xiang and Zheng's protocol [6]. To resolve the security drawbacks of their protocol, we propose a secure and lightweight authentication protocol for IoT-based smart homes.
• We demonstrate that our protocol is secure against various kinds of known attacks through an informal security analysis.
• We conducted formal analysis using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool [7][8][9], Burrows-Abadi-Needham (BAN) logic [10], and the real or random (ROR) model [11]. With the formal analysis, we proved the secure mutual authentication, the session key security, and the resistance against MITM and replay attacks of our protocol.
• We provide a comparison of performance and security properties between our protocol and related protocols. The results show that our protocol provides better security and lower computational costs compared to related protocols.

Adversary Model
We adopted the widely used Dolev-Yao (DY) threat model [12][13][14] and the Canetti and Krawczyk (CK) adversary threat model [15,16] to evaluate the security of the proposed protocol. The capabilities of an adversary A can be defined as follows.
• A can eavesdrop, intercept, inject, replay, and modify transmitted messages via a public channel, and then A can perform MITM, replay, impersonation attacks, etc. [17].
• A can steal the legal user's mobile device or smart device and extract secret credentials stored in the memory by performing the power analysis attack [18][19][20][21].
• A can access short-term keys, long-term keys, and session states of each party.
In addition, we developed some assumptions for our protocol. A cannot feasibly guess the identity and password of the mobile user simultaneously [22][23][24]. A cannot extract the data stored in the home gateway's database, since the home gateway has a secure database.

Organization
The remaining parts of this paper are structured as follows. In Section 2, we briefly discuss existing proposed protocols in IoT-based smart homes. We suggest the system model of the proposed protocol in Section 3. We review Xiang and Zheng's protocol in Section 4 and analyze security weaknesses of Xiang and Zheng's protocol in Section 5. Section 6 proposes a secure and lightweight authentication protocol for IoT-based smart homes to improve the security drawbacks of Xiang and Zheng's protocol. Section 7 analyzes the security of our protocol through informal and formal analyses with BAN logic, the ROR model, and the AVISPA tool. In Section 8, we present the results of performance and security property comparisons between the proposed protocol and related protocols. Finally, we present the conclusion in Section 9.

Related Works
In the last few years, many researchers proposed authentication protocols to provide secure communication between users and smart devices in smart home environments. Santoso and Vun [25] proposed a secure authentication protocol using elliptic curve cryptography (ECC) in IoT-based smart homes. Several authors [26,27] revealed that Santoso and Vun's protocol [25] is vulnerable to privileged-insider and stolen smart card attacks, and fails to achieve user anonymity and untraceability. Dey and Hossian [28] presented a secure session key establishment protocol for smart home environments using public key cryptosystems. Dey and Hossian [28] proved that their protocol achieves resilience against various attacks. Unfortunately, some researchers [29,30] pointed out that Dey and Hossian's protocol [28] has various security drawbacks, such as device-compromise and known-key attacks, and is unsuccessful in ensuring anonymity and confidentiality. Shuai et al. [31] suggested an ECC-based anonymous authentication protocol for smart home environments. These protocols [25,28,31] use asymmetric key cryptosystems such as ECC for smart home security. However, in terms of costs, symmetric key cryptosystems are more efficient than asymmetric key cryptosystems for deployment on resource-constrained smart devices.
In view of the computational cost for low capacity devices, many authentication protocols have been proposed using symmetric key cryptosystems in smart home environments. Vaidya et al. [32] proposed a robust authentication protocol to provide secure remote access in home environments using symmetric key cryptosystems. Vaidya et al. [32] claimed that their protocol resists synchronization and stolen smart card attacks, and provides forward secrecy and mutual authentication. However, Kim and Kim [33] demonstrated that Vaidya et al.'s protocol [32] does not resist password guessing and smart card loss attacks, and does not provide forward secrecy. To resolve the security problems in Vaidya et al.'s protocol [32], Kim and Kim [33] proposed an improved authentication protocol. Wazid et al. [34] proposed a symmetric key-based secure remote user authentication protocol to provide future secure communications. Wazid et al. [34] proved that their protocol is secure against other possible known attacks. Lyu et al. [35] pointed out that Wazid et al.'s protocol [34] is not secure against desynchronization and compromised server attacks. Poh et al. [36] proposed a privacy-preserving authentication protocol to support data confidentiality. Unfortunately, Irshad et al. [37] pointed out that Poh et al.'s protocol [36] cannot maintain the privacy of authentication parameters. Although these protocols [32][33][34][35][36] use symmetric key cryptosystems considering the low capacity devices, symmetric key cryptosystems are still unacceptable for smart devices with limited resources in terms of computational costs.
Recently, several lightweight authentication protocols [6,38] have been proposed for smart home environments to solve these problems. Banerjee et al. [38] presented an anonymous and robust authentication protocol for IoT-based smart homes using one-way hash functions, XOR operations, and a fuzzy extractor. Banerjee et al. [38] proved that their protocol resists various attacks. However, AL-Turjman and Deebak [39] pointed out that Banerjee et al.'s protocol [38] does not provide identity protection, traceability, or session secret key agreement. Xiang and Zheng [6] presented a situation-aware protocol for device authentication in smart home environments. Xiang and Zheng [6] claimed that their protocol resists various security threats and ensures data integrity and mutual authentication. However, we prove here that Xiang and Zheng's protocol [6] cannot ensure secure mutual authentication and is vulnerable to stolen smart device, impersonation, and session key disclosure attacks. Therefore, we propose a secure and lightweight authentication protocol for IoT-based smart homes to improve the security flaws of Xiang and Zheng's protocol [6].

System Model
Xiang and Zheng [6] claimed that their protocol concentrates on the security of smart grid-enabled smart home environments, but they proposed an authentication protocol that is only for smart home environments. Therefore, we focus on the architecture of general IoT-based smart home environments. The system model is shown in Figure 1. The proposed system is composed of a mobile user (MU), a smart device (SD), a home gateway (HGW), and a registration authority (RA). RA and HGW are trusted entities in smart home environments. RA is responsible for initializing the system and registering MU and SD. MU first needs to register at RA to utilize services. SD and HGW also need to register at RA for providing home services. After receiving the registration request message from MU and SD, RA stores the information of each entity in the mobile device of MU and in the memory of SD. RA also stores all information required for the authentication of the MU and SD in HGW's database. Then, the MU and SD perform the mutual authentication and session key agreement with the help of the HGW. With this session key, MU and SD can utilize secure smart home services.

Review of Xiang and Zheng's Protocol
This section reviews Xiang and Zheng's protocol [6]. Xiang and Zheng proposed an authentication protocol according to the security risk level in smart home environments. Their protocol consists of smart device registration, and authentication and key agreement phases. The notation of this paper is described in Table 1.

Smart Device Registration Phase
At the registration phase, RA generates an identity ID SD and a random number r RA for SD and computes S i = h(ID SD ||r RA ). Then, RA sends {ID SD , S i } to SD and {ID SD , r RA } to HGW through a secure channel.

Table 1. Notation (Notation: Description).
K RA : Master key of RA
K SD : Secret key of SD
K MUG : Shared secret key between MU and HGW
K GSD : Shared secret key between HGW and SD
r MU , r RA , r SD , RN MU , RN G , RN SD : Random numbers
SK : Session key between MU and SD
h(·) : One-way hash function
Symmetric encryption/decryption using key K
⊕ : XOR operation
|| : Concatenation operation
T : Timestamp
∆T : Maximum transmission delay
HE i,L /HE i,H : Message header at the low/high security risk level

Authentication and Key Agreement Phase
After the registration, SD sends the message MSG 1 = [HE 1 ||ID SD ] to HGW in the authentication and key agreement phase. HE 1 = SD − AUTH is a message header of MSG 1 . Upon getting MSG 1 , HGW receives the current situation from the smart home system regarding whether the security risk level is low or high. According to the security risk level, the authentication phase is divided into low security risk and high security risk.

Low Security Risk
When HGW receives a low-security-risk level report, the authentication phase is described below.
Step 2: Upon receiving the message MSG 2,L at timestamp T 1 , SD knows from the message header that the current security risk level is low. SD also computes C * 2,L = h(HE * 2,L ||ID * G ||T * 1 ||S i ) and checks whether |T 1 − T * 1 | ≤ ∆T and C * 2,L = C 2,L . If either check fails, the authentication process is aborted. Then, SD computes A i = h(ID * G ||h(ID SD || S i )) and extracts the current timestamp T 2 . SD also computes C 3,L = (ID SD ||T 2 ) ⊕ A i and C 4,L = h(HE 3,L ||ID SD ||T 2 ||A i ). Finally, SD sends MSG 3,L = [HE 3,L ||C 3,L ||C 4,L ] to HGW, where HE 3,L = SD − LOW is the header of the message MSG 3,L . SD computes the session key SK = h(T * 1 ||T 2 ||S i ||A i ) for the future data communication.
Step 3: After receiving MSG 3,L at timestamp T 2 , HGW computes If it is correct, HGW computes the session key SK = h(T 1 ||T * 2 ||S * i ||A * i ) and adds ID SD to the trusted device list.

High Security Risk
If HGW receives a situation report detailing that the current security risk level is high, the authentication phase contains the following steps.
Step 1: HGW computes S * i = h(ID * SD ||r RA ), and generates a random number RN G . After that, HGW extracts a current timestamp T 1 , and computes
Step 2: After getting MSG 2,H at timestamp T 1 , SD knows from the header of MSG 2,H that the security risk level is high. SD then computes (ID * If the check fails, the authentication process is terminated. Otherwise, SD computes A i = h(ID * G ||h(ID SD ||S i )) and generates a random number RN SD . Then, SD extracts the current timestamp T 2 , and computes
Step 3: If it is correct, HGW computes the session key SK = h(T 1 ||T * 2 ||S * i ||A * i ||RN * SD ||RN G ) and adds ID SD to the trusted device list.

Cryptanalysis of Xiang and Zheng's Protocol
In this section, we discuss the security flaws of Xiang and Zheng's protocol. We demonstrate that their protocol is vulnerable to various attacks and does not perform secure mutual authentication.

Stolen Smart Device Attack
We suppose that an adversary A can obtain the secret credentials {ID SD , S i } of SD using the power analysis described in Section 1.2. Xiang and Zheng's protocol sends the authentication request message MSG 1 = [HE 1 ||ID SD ] as plaintext, so A can obtain HE 1 from [HE 1 ||ID SD ] of a previous session. Then, A can forge the message MSG 1 at any time and perform various attacks with the secret credentials. In conclusion, their protocol does not prevent the stolen smart device attack.

Impersonation Attack
According to Section 1.2, A can perform an impersonation attack at both the low- and high-security-risk levels. The detailed processes are below.

Low Security Risk
A can perform the impersonation attack with the following steps.
Step 1: With the obtained secret credentials {ID SD , S i } from SD and HE 1 from the previous session, A can send the message MSG 1 = [HE 1 ||ID SD ].
Thus, A can impersonate SD successfully, and Xiang and Zheng's protocol cannot prevent the impersonation attack at the low-security-risk level.

High Security Risk
With the obtained secret credentials {ID SD , S i }, A can disguise as SD, and the detailed steps are below.
Step 1: A can send MSG 1 = [HE 1 ||ID SD ] to HGW using obtained secret credentials {ID SD , S i } and HE 1 .
Step 2: Upon getting MSG 1 , HGW calculates S * i = h(ID * SD ||r RA ) and generates a random number RN G . After that, HGW extracts the current timestamp T 1 , and computes
Step 3: After receiving . Then, A verifies the validity of T * 1 and C * 2,H . If all checks pass, A computes A * i = h(ID * G ||h(ID SD ||S i )), generates a random number RN SD , and extracts the current timestamp T 2 . After that, A computes
Step 4: Upon getting MSG 3,H , HGW computes . Then, HGW checks the validity of T * 2 and C * 4,H . If it is equal,
In conclusion, Xiang and Zheng's protocol cannot prevent the impersonation attack at the high-security-risk level because A can impersonate SD successfully.

Session Key Disclosure Attack
As mentioned in Section 1.2, A can extract the secret credentials {ID SD , S i }. In addition, according to Section 5.2, A can obtain the session key between SD and HGW at both the low-security-risk and high-security-risk levels. With the obtained session key, A can communicate with HGW and misinform HGW for A's own purposes. Therefore, Xiang and Zheng's protocol is vulnerable to the session key disclosure attack.

Mutual Authentication
Xiang and Zheng claimed that their protocol supports mutual authentication between SD and HGW because S i and A i cannot be obtained from the eavesdropped messages. However, in accordance with Section 5.2, A can generate an authentication request message MSG 1 = [HE 1 ||ID SD ] and calculate the session key SK = h(T 1 ||T 2 ||S i ||A i ) and SK = h(T 1 ||T 2 ||S i ||A i ||RN SD ||RN G ) at the low- and high-security-risk levels, respectively. Thus, Xiang and Zheng's protocol does not satisfy secure mutual authentication between SD and HGW.

Proposed Protocol
In this section, we present a secure and lightweight authentication protocol for IoT-based smart homes to improve the security drawbacks of Xiang and Zheng's protocol [6]. The proposed protocol consists of four phases: initialization, registration, authentication and key agreement, and password update.

Initialization Phase
Before SD and HGW are deployed in the smart home, RA generates a master key K RA . HGW has a unique identity ID G , and SD has a unique identity ID SD and secret key K SD .

Registration Phase
The detailed registration phases for the smart device and user are below.

Smart Device Registration Phase
To provide home services to MU, SD must register at RA. We indicate the registration phase of SD and RA in Figure 2, and detailed steps are described below.
Step 1: SD generates a random number r SD and computes PID SD = h(ID SD ||r SD ). Then, SD sends {PID SD , r SD } to RA through a secure channel.
Step 2: Upon getting the message, RA generates r RA and computes K GSD = h(PID SD || K RA ||r RA ). Then, RA stores {PID SD , K GSD , r SD } in HGW's database and sends {K GSD } to SD over a secure channel. After that, RA makes PID SD public.
Step 3: After receiving the message, SD computes

Mobile User Registration Phase
MU must register at RA to use the data transmitted from SD. Figure 3 shows the registration phase of MU and RA. This phase is described as follows.
Step 1: MU selects identity and password {ID MU , PW MU } and generates a random number r MU . Then, MU computes PID MU = h(ID MU ||r MU ) and sends {PID MU } to RA through a secure channel.
Step 2: Upon receiving the message, RA computes K MUG = h(PID MU ||K RA ||r RA ) and RID MU = h(PID MU ||K MUG ). Then, RA stores {PID MU , RID MU , K MUG } in HGW's database and sends {K MUG , RID MU } to MU via a secure channel.
Step 3: After receiving the message, MU computes

Authentication and Key Agreement Phase
To utilize secure home services, MU and SD establish a session key with the help of HGW. We indicate the detailed steps below, and a summarized version of this phase is in Figure 4.
= V MU . If it is equal, HGW retrieves K GSD and r SD corresponding to PID SD . Then, HGW generates a random nonce RN G and computes
Step 3: After receiving the message, SD computes
Step 4: Upon receiving the message, HGW computes h(

Password Update Phase
MU can update the password individually. In Figure 5, we represent the password update phase and the detailed steps are below.
Step 1: MU inputs identity and old password {ID MU , PW old MU } to the mobile device over a secure channel.
Step 2: The mobile device computes r MU = A 1 ⊕ h(ID MU ||PW old MU ), HPW MU = h(PW old MU || r MU ), and A * 2 = h(ID MU ||PW old MU ||r MU ||HPW MU ). Then, the mobile device checks whether A * 2 = A 2 . If this condition is met, the mobile device sends the authentication message to MU.
Step 3: Upon receiving the authentication message, MU inputs the new password PW new MU to the mobile device.
Step 4: After getting the new password, the mobile device computes
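As an added illustration (not code from the paper), the password update phase in Python: Step 2 recovers r MU and checks A 2 exactly as written above, while Step 4, whose equations are missing from this text, is assumed to re-mask the same r MU under the new password. It assumes SHA-256 for h(·) and plain byte concatenation for ||, and writes the registered values A 1 and A 2 the way Step 2 implies them; the same check is what forces an offline guess to cover both ID MU and PW MU.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

HASH_LEN = 32  # SHA-256 output length; r_MU must match it for the XOR masking


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) of the paper; || is modelled as byte concatenation (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """The paper's XOR operation on two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class MobileDeviceStore:
    """The mobile device values touched by the password update phase
    (A3, A4 and PID_MU are also stored by the protocol but not used here)."""
    A1: bytes  # r_MU masked with h(ID_MU || PW_MU)
    A2: bytes  # local verifier h(ID_MU || PW_MU || r_MU || HPW_MU)


def provision(id_mu: bytes, pw_mu: bytes, r_mu: bytes) -> MobileDeviceStore:
    """Write A1 and A2 as registration must have, inferred from how Step 2 of the
    password update phase unmasks and re-derives them (assumption)."""
    hpw = h(pw_mu, r_mu)
    return MobileDeviceStore(A1=xor(r_mu, h(id_mu, pw_mu)),
                             A2=h(id_mu, pw_mu, r_mu, hpw))


def update_password(store: MobileDeviceStore, id_mu: bytes,
                    pw_old: bytes, pw_new: bytes) -> bool:
    """Steps 2 and 4 on the mobile device. True when the old credentials verified
    and the store was re-masked; False leaves the store untouched."""
    # Step 2: unmask r_MU with the old credentials and recompute the verifier A2*.
    r_mu = xor(store.A1, h(id_mu, pw_old))
    hpw = h(pw_old, r_mu)
    a2_star = h(id_mu, pw_old, r_mu, hpw)
    # Constant-time comparison; a wrong ID or password fails here.
    if not hmac.compare_digest(a2_star, store.A2):
        return False
    # Step 4: re-mask the same r_MU under the new password. The paper's equations
    # for this step are not in the extracted text; mirroring Step 2 is an assumption.
    hpw_new = h(pw_new, r_mu)
    store.A1 = xor(r_mu, h(id_mu, pw_new))
    store.A2 = h(id_mu, pw_new, r_mu, hpw_new)
    return True


def demo() -> dict:
    """Constructed sample run: provision, one rejected update, one accepted update."""
    id_mu, pw_old, pw_new = b"alice@home", b"old-passw0rd", b"n3w-passw0rd"
    r_mu = secrets.token_bytes(HASH_LEN)
    store = provision(id_mu, pw_old, r_mu)
    before = (store.A1, store.A2)
    wrong = update_password(store, id_mu, b"guess", pw_new)  # wrong old password
    unchanged = (store.A1, store.A2) == before
    ok = update_password(store, id_mu, pw_old, pw_new)       # correct old password
    r_after = xor(store.A1, h(id_mu, pw_new))                # r_MU survives the update
    return {"wrong_rejected": not wrong, "store_unchanged": unchanged,
            "updated": ok, "same_r_mu": r_after == r_mu,
            "old_pw_now_fails": not update_password(store, id_mu, pw_old, b"x")}
```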

Security Analysis
This section shows informal and formal security analyses of our protocol using BAN logic, the ROR model, and the AVISPA tool. Through these analyses, we demonstrate that the proposed protocol prevents various kinds of known attacks.

Informal Security Analysis
We performed informal analysis to describe how our protocol withstands various attacks and supports perfect forward secrecy and mutual authentication.

Mobile User Impersonation Attack
According to Section 1.2, an adversary A can have the lost/stolen mobile device of a legal user MU, and extract secret credentials {A 1 , A 2 , A 3 , A 4 , PID MU } using the power analysis [18,19]. With these values, A can try to impersonate MU by intercepting transmitted messages through an insecure channel. However, A cannot send a valid authentication request message {M 1 , C 1 , V MU } because A cannot calculate {HPW MU , RID MU , K MUG } without the knowledge of the MU's real identity ID MU , password PW MU , and a random nonce RN MU . Hence, the proposed protocol resists the mobile user impersonation attack.

Home Gateway Impersonation Attack
Suppose that an adversary A intercepts messages {PID MU , M 3 , C 2 , V MUG } and {M 5 , V GSD } over an insecure channel. A can try to calculate the other valid messages {PID MU , M 3 , C 2 , V MUG } and {M 5 , V GSD }. However, A cannot compute messages, because A has no knowledge of the MU's real identity ID MU and a random nonce RN MU . In addition, A does not know HGW's real identity ID G , a random nonce RN G , and the shared secret key K GSD . Thus, the proposed protocol withstands the home gateway impersonation attack.

Smart Device Impersonation Attack
An adversary A can try to impersonate SD using the exchanged message {M 4 , V SD }. According to Section 1.2, A can extract stored values in the lost/stolen smart device. However, A cannot compute the message because A does not know the SD's unique identity ID SD , secret key K SD , and a random nonce RN SD . Therefore, our protocol prevents the smart device impersonation attack.

Session Key Disclosure Attack
In accordance with Section 1.2, an adversary A can extract secret credentials {A 1 , A 2 , A 3 , A 4 , PID MU } and {B 1 , B 2 , PID SD } of MU and SD, respectively. To calculate the session key, A should know real identities and random nonces of MU, HGW, and SD. However, A cannot obtain {ID MU , ID G , ID SD } and {RN MU , RN G , RN SD } from transmitted messages because these are encrypted with secret keys {K MUG , K GSD , K SD }. Thus, the proposed protocol withstands the session key disclosure attack.

Replay and MITM Attack
We assume that an adversary A intercepts and resends the previous authentication request message {PID MU , M 1 , C 1 , V MU } to HGW for the purpose of disguising MU. HGW detects RN MU is not fresh by checking the validity of V MU . In addition, even if A tries to modify the authentication request message, A cannot modify {M 1 , C 1 , V MU } without the knowledge of the MU's real identity ID MU , password PW MU , a random nonce RN MU , and shared secret key K MUG . In conclusion, our protocol prevents replay and MITM attacks.

Offline Guessing Attack
After extracting the information from the MU's mobile device, A can obtain All of these values are encrypted with ID MU and PW MU . If A wants to compromise the security of our protocol, A needs to guess both ID MU and PW MU . However, it is a computationally infeasible problem to A according to Section 1.2. As a result, our protocol resists the offline guessing attack.

Stolen Smart Device Attack
Assume that an adversary A obtains SD and extracts secret credentials {B 1 , B 2 , PID SD } stored in the memory through the power analysis attack [20,21]. Although A obtains these values, A cannot get sensitive information of SD because all information stored in the memory is masked with SD's unique identity ID SD and secret key K SD . Thus, the proposed protocol withstands the stolen smart device attack.

Privileged-Insider Attack
In this attack, a privileged-insider adversary A is able to get PID MU during the MU's registration phase. Then, A can extract secret credentials {A 1 , A 2 , A 3 , A 4 , PID MU } stored in the mobile device. However, since A does not know the MU's real identity ID MU , password PW MU , and a random number r MU , A cannot calculate the session key SK = h(h(ID MU ||RN MU )||h(ID G ||RN G )||h(ID SD ||RN SD )). Hence, our protocol prevents the privileged-insider attack.

Known Session-Secret Temporary Information Attack
An adversary A can obtain session specific random nonces {RN MU , RN G , RN SD } to conduct the known session-secret temporary information attack under the CK-adversary model. Even if A knows these secrets, A cannot calculate the session key SK = h(h(ID MU || RN MU )||h(ID G ||RN G )||h(ID SD ||RN SD )), because SK consists of MU, HGW, and SD's identities. Thus, our protocol withstands the known session-secret temporary information attack.

Desynchronization Attack
A desynchronization attack is one in which an adversary A modifies or blocks the transmitted messages so that MU, HGW, and SD cannot authenticate in the future. Assume that A tries to modify the messages to desynchronize the next session. However, as mentioned in Section 7.1.5, A cannot modify the exchanged messages because A has no knowledge of MU's secret credentials. In addition, we assume that A blocks the transmitted messages to disturb the synchronization. HGW calculates PID new MU , generates a verification message {M 5 , V GSD } using PID new MU , and sends it to MU. HGW stores PID new MU alongside PID MU , and MU checks V GSD . If V GSD is correct, MU updates to PID new MU . MU sends the message M 6 to HGW to indicate that authentication is complete. Then, HGW checks the validity of M 6 . If M 6 is valid, HGW deletes the old PID MU and RID MU . Otherwise, HGW keeps them. Through these steps, MU and HGW always hold synchronized values. Consequently, a desynchronization attack is impossible in our protocol.

Perfect Forward Secrecy
We assume that an adversary A knows the long-term secret keys {K RA , K MUG , K GSD , K SD }. A can try to calculate the session key SK = h(h(ID MU ||RN MU )||h(ID G ||RN G )||h(ID SD || RN SD )). However, A cannot compromise the confidentiality of past communications because SK is composed of the random nonces {RN MU , RN G , RN SD }, which are generated afresh for each session. Thus, the proposed protocol provides perfect forward secrecy.

Anonymity and Untraceability
An adversary A can obtain the messages exchanged in the authentication and key agreement phase. However, A cannot obtain the real identities of MU, HGW, and SD because these are dependent on {r MU , RN G , r SD }. In addition, MU and HGW update PID MU to PID new MU = h(PID MU ||RN MU ) in every session. This makes all messages dynamic in every session. Consequently, the proposed protocol provides anonymity and untraceability.
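The pseudonym update and the two-copy bookkeeping described in the desynchronization and anonymity analyses above, as an added Python model that is not the paper's own code. PID new MU = h(PID MU ||RN MU ) and RID MU = h(PID MU ||K MUG ) are taken from the paper; SHA-256 for h(·), byte concatenation for ||, and an HMAC under K MUG standing in for the V GSD and M 6 verifiers (whose formulas are not reproduced in this text) are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) with || as byte concatenation (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


def tag(k_mug: bytes, label: bytes, pid_new: bytes) -> bytes:
    """Stand-in for V_GSD and M6 (exact formulas not in this text): HMAC under K_MUG."""
    return hmac.new(k_mug, label + pid_new, hashlib.sha256).digest()


class HomeGateway:
    """HGW database: PID_MU -> {RID_MU, K_MUG, pending PID_new_MU or None}."""
    def __init__(self) -> None:
        self.db: dict = {}

    def register(self, pid: bytes, k_mug: bytes) -> None:
        # Registration Step 2: RID_MU = h(PID_MU || K_MUG) stored with PID_MU and K_MUG.
        self.db[pid] = {"rid": h(pid, k_mug), "k": k_mug, "pending": None}

    def _locate(self, pid: bytes) -> Optional[bytes]:
        """Key under which pid is known: the current PID, or a pending PID_new whose M6 was lost."""
        if pid in self.db:
            return pid
        for stored, rec in self.db.items():
            if rec["pending"] == pid:
                return stored
        return None

    def _commit(self, stored: bytes) -> None:
        """Delete the old PID_MU/RID_MU and continue under the pending PID_new_MU."""
        rec = self.db.pop(stored)
        new_pid = rec["pending"]
        rec["rid"], rec["pending"] = h(new_pid, rec["k"]), None
        self.db[new_pid] = rec

    def begin_session(self, pid: bytes, rn_mu: bytes) -> Optional[bytes]:
        """Compute PID_new_MU = h(PID_MU || RN_MU), keep it beside the current PID,
        return V_GSD; None for an unknown pseudonym."""
        stored = self._locate(pid)
        if stored is None:
            return None
        if stored != pid:
            self._commit(stored)  # MU already moved to the pending value; adopt it
        rec = self.db[pid]
        rec["pending"] = h(pid, rn_mu)
        return tag(rec["k"], b"V_GSD", rec["pending"])

    def finish_session(self, pid: bytes, m6: bytes) -> bool:
        """Validate M6: if correct, drop the old PID_MU and RID_MU; otherwise keep both."""
        rec = self.db.get(pid)
        if rec is None or rec["pending"] is None:
            return False
        if not hmac.compare_digest(tag(rec["k"], b"M6", rec["pending"]), m6):
            return False
        self._commit(pid)
        return True


class MobileUser:
    def __init__(self, pid: bytes, k_mug: bytes) -> None:
        self.pid, self.k = pid, k_mug

    def on_v_gsd(self, rn_mu: bytes, v_gsd: bytes) -> Optional[bytes]:
        """Check V_GSD; if valid, switch to PID_new_MU and answer with M6."""
        new_pid = h(self.pid, rn_mu)
        if not hmac.compare_digest(tag(self.k, b"V_GSD", new_pid), v_gsd):
            return None
        self.pid = new_pid
        return tag(self.k, b"M6", new_pid)


def run_sessions(block: Tuple[str, ...] = ()) -> bool:
    """Two consecutive sessions; `block` lists messages A drops in session 1
    ("v_gsd", "m6"). True when HGW still recognises MU and both sides agree."""
    k_mug = secrets.token_bytes(32)
    pid0 = h(b"ID_MU", secrets.token_bytes(32))  # PID_MU = h(ID_MU || r_MU), constructed
    hgw, mu = HomeGateway(), MobileUser(pid0, k_mug)
    hgw.register(pid0, k_mug)
    for i in range(2):
        rn_mu, old_pid = secrets.token_bytes(32), mu.pid
        v_gsd = hgw.begin_session(old_pid, rn_mu)
        if v_gsd is None:
            return False
        if i == 0 and "v_gsd" in block:
            continue  # MU never sees PID_new and keeps the old PID; HGW keeps both
        m6 = mu.on_v_gsd(rn_mu, v_gsd)
        if i == 0 and "m6" in block:
            continue  # MU switched; HGW keeps the old PID plus the pending PID_new
        if m6 is None or not hgw.finish_session(old_pid, m6):
            return False
    return len(hgw.db) == 1 and mu.pid in hgw.db
```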

BAN Logic
We performed the formal security analysis with BAN logic to evaluate the secure mutual authentication of the proposed protocol [10,40]. We present the notation of BAN logic in Table 2.

Table 2. Notation of BAN logic (Notation: Description).
skey : Secret key

Goals
The following are the main goals to demonstrate that our protocol satisfies the secure mutual authentication.

Assumptions
We assume the following to initiate states of the proposed protocol.

Idealized Forms
We present ideal forms of our protocol as below.

Proof
We conducted the BAN logic test, and detailed steps are described as follows.
Step 1: From M 1 , we can obtain S 1 .
Step 2: Using S 1 and A 1 with MMR, we can get S 2 .
Step 3: S 3 can be obtained using S 2 and A 2 with FR.
Step 4: Using S 2 and S 3 with NVR, we can get S 4 .
Step 5: We can obtain S 5 from M 2 .
Step 6: S 6 can be obtained using S 5 and A 3 with MMR.
Step 7: Utilizing S 6 and A 4 with FR, we can get S 7 .
Step 8: For obtaining S 8 , we can use S 6 and S 7 with NVR.
Step 9: From M 3 , we can obtain S 9 .
Step 10: For getting S 10 , we can utilize S 9 and A 5 with MMR.
Step 11: For obtaining S 11 , we can use A 6 and S 10 with FR.
Step 12: Using S 10 and S 11 with NVR, we can get S 12 .
Step 14: S 14 can be obtained using S 13 and A 7 with MMR.
Step 15: S 15 can be obtained using S 14 and A 8 with FR.
Step 16: Using S 14 and S 15 with NVR, we can get S 16 .
Step 17: Since the session key is we can obtain S 17 from S 12 , S 16 , and A 9 .
Step 18: From S 4 , S 8 , and A 10 , we can get S 18 .
Step 19: S 19 can be obtained from S 17 and A 11 .
Step 20: S 20 can be obtained using S 18 and A 12 . Therefore, MU, HGW, and SD can perform the secure mutual authentication in our protocol.

ROR Model
The session key security of the proposed protocol is demonstrated using the ROR model [11]. We explain the ROR model before proving the session key security of the proposed protocol. In the authentication and key agreement phase of the proposed protocol, there are three participants $P^{t}$: the mobile user $P^{t_1}_{MU}$, the home gateway $P^{t_2}_{HGW}$, and the smart device $P^{t_3}_{SD}$, where $t_1$, $t_2$, and $t_3$ are the instances of MU, HGW, and SD, respectively. A can eavesdrop, intercept, or modify messages transmitted through the insecure channel. In addition, A can simulate active and passive attacks by executing the queries defined in the ROR model, namely the Execute, CorruptMD, Reveal, Send, and Test queries. The queries are defined as follows.
• Execute($P^{t_1}_{MU}$, $P^{t_2}_{HGW}$, $P^{t_3}_{SD}$): A performs this query to obtain the messages transmitted over the public channel between MU, HGW, and SD.
• CorruptMD($P^{t_1}_{MU}$): This query represents that A can extract the sensitive information stored in the mobile device of MU.
• Reveal($P^{t}$): With this query, A reveals the current session key SK between $P^{t_1}_{MU}$ and $P^{t_3}_{SD}$. If A cannot reveal the session key SK between $P^{t_1}_{MU}$ and $P^{t_3}_{SD}$ using the Reveal($P^{t}$) query, then SK is secure.
• Send($P^{t}$, M): With this query, A can send the message M to $P^{t}$ and receive a response message.
• Test($P^{t}$): Before the game starts, a fair coin $f_c$ is tossed, and the result is known only to A. A uses this result to decide the outcome of the Test query. If A runs the Test query and the session key SK is fresh, $P^{t}$ returns SK for $f_c = 1$ or a random number for $f_c = 0$. Otherwise, it returns null (⊥).
After A performs the Test query on $P^{t}$, A must distinguish the returned value. A uses the output of the Test query to check the consistency of the random bit $f_c$. A wins the game when the guessed bit $f_c'$ is equal to $f_c$. Moreover, all participants have access to a collision-resistant cryptographic one-way hash function h(·). We model h(·) as a random oracle, Hash.

Security Proof
We prove the session key security of the proposed protocol using Zipf's law [41].

Theorem 1.
Suppose A attempts to break the session key security of the proposed protocol. We denote the advantage of A running in polynomial time as $Adv_A$. Then, we obtain the following.
Here, $q_h$ is the number of Hash queries, $|Hash|$ is the range space of the hash function h(·), and $q_{send}$ is the number of Send queries. In addition, C and s denote Zipf's parameters [41].
Proof. The proof of Theorem 1 is similar to those presented in [42,43]. We prove the session key security through a sequence of four games, $GM_i$, where $i \in [0, 3]$. $Succ_{A,i}$ denotes the event that A wins $GM_i$ by guessing the random bit $f_c$ correctly, and $\Pr[Succ_{A,GM_i}]$ denotes the advantage of A in winning the game $GM_i$. In the following, we describe each game.
• $GM_0$: This game allows A to execute the real attack against the proposed protocol. A chooses a random bit $f_c$ at the beginning of $GM_0$. Then, we obtain the following in accordance with this game.
• $GM_1$: In this game, A runs the Execute($P^{t_1}_{MU}$, $P^{t_2}_{HGW}$, $P^{t_3}_{SD}$) query and eavesdrops on the transmitted messages $\{PID_{MU}, M_1, C_1, V_{MU}\}$, $\{PID_{MU}, M_3, C_2, V_{MUG}\}$, $\{M_4, V_{SD}\}$, and $\{M_5, V_{GSD}\}$. Then, A executes the Reveal and Test queries to check whether the derived session key is real or not. In our protocol, the session key is constructed as $SK = h(h(ID_{MU} \| RN_{MU}) \| h(ID_G \| RN_G) \| h(ID_{SD} \| RN_{SD}))$. To derive the session key, A needs to know the identities and random nonces of MU, HGW, and SD. Consequently, there is no way for A to increase its winning probability in $GM_1$. Therefore, $GM_0$ and $GM_1$ are indistinguishable, and we obtain the following.
• $GM_2$: To obtain the session key, A performs Hash and Send queries in this game. A can perform an active attack by modifying the exchanged messages. However, all exchanged messages are constructed from secret credentials and random nonces and are protected by the one-way hash function h(·). In addition, it is difficult for A to derive the secret credentials and random nonces, since doing so is computationally infeasible by the one-way property of h(·). Hence, we obtain the following result through the birthday paradox [44].
As all games have been run, A must guess the bit for winning the game. Therefore, we can obtain the following result.
From Equations (1) and (2), we obtain the result as follows.
By using the triangular inequality, we can have the following result with Equations (4), (5), and (7).
Finally, by multiplying both sides of Equation (8) by two, we can obtain the required result.
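The argument in $GM_1$ rests on how the session key is built: each party contributes a hash of its identity and a fresh nonce, and SK is the hash of the three contributions, so all three parties reach the same key and every session with new nonces yields a different key. The block below is an added example, not code from the paper: it computes $SK = h(h(ID_{MU} \| RN_{MU}) \| h(ID_G \| RN_G) \| h(ID_{SD} \| RN_{SD}))$ from the three shares and checks the agreement and freshness properties. The choice of SHA-256 for h(·), byte concatenation for $\|$, and the sample identities and nonces are assumptions made for the example.

```python
"""Added example (not from the paper): the three-party session key
SK = h( h(ID_MU || RN_MU) || h(ID_G || RN_G) || h(ID_SD || RN_SD) )
from game GM1, derived independently by MU, HGW (ID_G) and SD.
Assumptions: h is SHA-256, '||' is byte concatenation, and the
identities and nonces are constructed sample values."""
import hashlib
import secrets

# constructed identities for the three parties (assumption)
IDS = {"MU": b"ID_MU", "G": b"ID_G", "SD": b"ID_SD"}


def h(data: bytes) -> bytes:
    """One-way hash h(.), instantiated here with SHA-256 (an assumption)."""
    return hashlib.sha256(data).digest()


def contribution(identity: bytes, nonce: bytes) -> bytes:
    """A party's share h(ID || RN). The other parties need only this
    hash, never the raw identity or nonce, to build SK."""
    return h(identity + nonce)


def session_key(c_mu: bytes, c_g: bytes, c_sd: bytes) -> bytes:
    """SK as defined in the proof: hash of the three shares in the
    fixed order MU || G || SD, so every party hashes the same string."""
    return h(c_mu + c_g + c_sd)


def run_agreement(rn_mu: bytes, rn_g: bytes, rn_sd: bytes) -> dict:
    """Each party computes its own share and receives the other two,
    then derives SK. Returns the key and whether all three derivations agree."""
    shares = {
        "MU": contribution(IDS["MU"], rn_mu),
        "G": contribution(IDS["G"], rn_g),
        "SD": contribution(IDS["SD"], rn_sd),
    }
    derived = {}
    for party in IDS:
        # a party's view: its own share plus the two it received
        view = {p: shares[p] for p in IDS}
        derived[party] = session_key(view["MU"], view["G"], view["SD"])
    agreed = len(set(derived.values())) == 1
    return {"sk": derived["MU"], "agreed": agreed, "shares": shares}


def fresh_session_keys(n: int = 3) -> list:
    """Run n sessions with fresh random nonces. A new RN from any party
    changes SK, so a revealed key from an old session is of no use later."""
    keys = []
    for _ in range(n):
        r = run_agreement(secrets.token_bytes(16),
                          secrets.token_bytes(16),
                          secrets.token_bytes(16))
        keys.append(r["sk"])
    return keys


if __name__ == "__main__":
    res = run_agreement(b"\x01" * 16, b"\x02" * 16, b"\x03" * 16)
    print("SK =", res["sk"].hex(), "agreed:", res["agreed"])
    print("distinct keys over 3 sessions:", len(set(fresh_session_keys())))
```

Note that the shares alone, as they would appear in any transcript, fix SK only if the adversary already holds all three of them and the hash is evaluated in the agreed order; recovering an identity or nonce from a share would require inverting h(·), which is the infeasibility the proof relies on in $GM_1$ and $GM_2$.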

AVISPA Tool
We utilized the AVISPA tool [7][8][9] to verify the security of our protocol against MITM and replay attacks. The AVISPA tool uses a role-based language, the High-Level Protocol Specification Language (HLPSL), to specify the actions of each protocol participant [45]. For the security analysis, the HLPSL specification is entered into the AVISPA tool and translated into the Intermediate Format (IF). The IF is then given to a back-end, which outputs the security analysis result in the Output Format (OF). The back-end of the AVISPA tool consists of four components: the SAT-based Model-Checker (SATMC), the Tree-Automata-based Protocol Analyzer (TA4SP), the On-the-Fly Model-Checker (OFMC), and the CL-based Attack Searcher (CL-AtSe). If the OF of a back-end is SAFE, the proposed protocol prevents MITM and replay attacks. We use OFMC and CL-AtSe for the proposed protocol, since SATMC and TA4SP do not support XOR operations.

Specifications of the Proposed Protocol
We set up the session, environment, and security goals using the HLPSL language. Details are shown in Figure 6. In the session and environment roles, we specify the instances of each role and construct the whole protocol session. In addition, we state the security goals of the proposed protocol: secrecy is used to check that secret values remain undisclosed, and authentication is used to verify the validity of secret values between entities. Through the secrecy and authentication goals, we can confirm that the proposed protocol is resistant to MITM and replay attacks.

Result of AVISPA
We use the OFMC and CL-AtSe back-ends, which support XOR operations, to obtain the security analysis result. OFMC determines that the proposed protocol withstands the MITM attack, and CL-AtSe assesses that our protocol is resistant to the replay attack. Figure 8 shows the OF of the OFMC and CL-AtSe back-ends for the proposed protocol. The output shows that the proposed protocol is SAFE in both the OFMC and CL-AtSe back-ends. Thus, our protocol satisfies the specified security goals; in other words, it withstands MITM and replay attacks.

Performance and Security Analyses
This section shows the comparison results of the proposed protocol with similar protocols [6,31,34,38], including computational and communication costs, and security properties.

Computational Costs
The computational costs are analyzed for our protocol and the related existing protocols [6,31,34,38]. For comparison, we refer to the work in [46]. $T_m$, $T_R$, $T_h$, and $T_s$ denote the execution times of an ECC point multiplication (≈7.3529 ms), a fuzzy extractor function (≈7.3529 ms), a hash function (≈0.0004 ms), and a symmetric key encryption/decryption (≈0.1303 ms), respectively. Table 3 contains the results of the computational cost comparison. Although the proposed protocol has a slightly higher computational cost than the low-security-risk path of Xiang and Zheng's protocol [6], our protocol provides more robust security. Moreover, the proposed protocol has a lower computational cost than all the other related protocols, the only exception being the low-security-risk path of Xiang and Zheng's protocol [6].

Communication Costs
The communication cost of our protocol is compared with those of the other related protocols [6,31,34,38]. Referring to [31], we define the sizes of an ECC point, a symmetric key encryption/decryption, a hash function output, a random number, an identity, and a timestamp as 320, 256, 160, 160, 128, and 32 bits, respectively. We estimate the message header as an Internet Protocol version 4 (IPv4) packet header of 4 bits. In the authentication and key agreement phase of the proposed protocol, the exchanged messages $\{PID_{MU}, M_1, C_1, V_{MU}\}$, $\{PID_{MU}, M_3, C_2, V_{MUG}\}$, $\{M_4, V_{SD}\}$, $\{M_5, V_{GSD}\}$, and $M_6$ require 640, 640, 320, 20, and 160 bits, respectively. Consequently, the total communication cost of our protocol is 2080 bits. Table 4 shows the results of the communication cost comparison. Although our protocol has a higher communication cost than some of the existing protocols [6,31,38], it provides lower computational costs and better security.

Security Properties
In Table 5, we present the security properties of the proposed protocol and those of the protocols by Shuai et al. [31], Wazid et al. [34], Banerjee et al. [38], and Xiang and Zheng [6]. Compared with the other protocols [6,31,34,38], our protocol prevents more attacks. Thus, the proposed protocol meets more security requirements than the related protocols.

Conclusions
We proved that Xiang and Zheng's protocol does not provide secure mutual authentication. We also discovered that their protocol is vulnerable to impersonation, stolen smart device, and session key disclosure attacks. To deal with the security threats to Xiang and Zheng's protocol, we proposed a secure and lightweight authentication protocol for IoT-based smart homes. We demonstrated that the proposed protocol is secure against various attacks, including impersonation, replay, MITM, and session key disclosure attacks. We performed the BAN logic test to show that our protocol ensures secure mutual authentication. Furthermore, we demonstrated that the proposed protocol provides session key security and resists replay and MITM attacks using the ROR model and the AVISPA tool. We compared our protocol with the related existing protocols in terms of security properties and computational and communication costs. In conclusion, our protocol provides better security and low computational costs. Considering all aspects of security and cost, our protocol is suitable for practical IoT-based smart home environments. In the future, we will develop a better protocol and implement it in an actual environment.