# Practical Three-Factor Authentication Protocol Based on Elliptic Curve Cryptography for Industrial Internet of Things


## Abstract


## 1. Introduction

#### 1.1. Literature Review

#### 1.2. Network Model

#### 1.3. Motivations and Contributions

## 2. Preliminaries

#### 2.1. Elliptic Curve Cryptography

- The elliptic curve discrete logarithm problem (ECDLP): Figure 4 shows the points of the elliptic curve ${y}^{2}={x}^{3}-x+2$ over the finite field ${F}_{97}$. Select two points Q and P in Figure 4, where $Q,P\in {F}_{97}$ satisfy $Q=kP$ and k is chosen at random between 0 and 96. Given k and P, it is easy to compute Q by scalar multiplication using the point addition rules. Nevertheless, given Q and P, it is difficult to calculate k.
- The elliptic curve Diffie–Hellman problem (ECDHP): Given $aP\in {F}_{p}$ and $bP\in {F}_{p}$, where a and b are chosen at random between 0 and $p-1$, it is scarcely possible to find $abP$ in polynomial time.

#### 2.2. Threat Model

- The one-way hash function in use is unbreakable.
- In a uniform protocol, an identical format is used by each entity that wishes to communicate.
- An adversary can eavesdrop, intercept, replay, and even modify all the transmitted messages over an open and insecure channel.

#### 2.3. Fuzzy Extractor

- Probabilistic generation function $Gen$: The original biometric fingerprint $BI{O}_{i}$ is the input of $Gen$, which outputs the biometric key data ${\sigma}_{i}$ and the public parameter ${\theta}_{i}$, namely $Gen\left(BI{O}_{i}\right)\to ({\sigma}_{i},{\theta}_{i})$.
- Deterministic reproduction procedure $Rep$: Using the public parameter ${\theta}_{i}$ and the fingerprint $BI{O}_{i}$ reproduces key data ${\sigma}_{i}$, namely $Rep(BI{O}_{i},{\theta}_{i})\to {\sigma}_{i}$.

## 3. The Proposed Scheme

#### 3.1. Initialization Phase

#### 3.2. Registration Phase

#### 3.2.1. User Registration Phase

**Step 1**: ${U}_{i}$ selects their identity $I{D}_{i}$ and password $P{W}_{i}$, and inputs biometric information $BI{O}_{i}$. The fuzzy extractor is used to compute biometric key data ${\sigma}_{i}$ and public parameter ${\theta}_{i}$, namely $Gen\left(BI{O}_{i}\right)\to ({\sigma}_{i},{\theta}_{i})$. $S{C}_{i}$ stores the public parameter ${\theta}_{i}$ in its memory. Then, ${U}_{i}$ figures out $HI{D}_{i}=h(I{D}_{i}\left|\right|{\sigma}_{i})$ and $HP{W}_{i}=h(P{W}_{i}\left|\right|{\sigma}_{i})$, and sends $\{HI{D}_{i},HP{W}_{i}\}$ to the nearest $HGWN$ via a secure channel.

**Step 2**: Upon receiving $\{HI{D}_{i},HP{W}_{i}\}$ from ${U}_{i}$, the $HGWN$ generates a random number ${r}_{h}$ and calculates ${A}_{i}=h(HI{D}_{i}\left|\right|{k}_{h}\left|\right|{r}_{h})\oplus HI{D}_{i}$, ${B}_{i}=h(HI{D}_{i}\left|\right|HP{W}_{i}\left|\right|{r}_{h})$, and ${C}_{i}=HI{D}_{i}\oplus {r}_{h}$. The $HGWN$ stores $\{HI{D}_{i},{r}_{h}\}$ in its memory. Then, the $HGWN$ sends $\{{A}_{i},{B}_{i},{C}_{i}\}$ to ${U}_{i}$ via a secure channel.

**Step 3**: Upon getting $\{{A}_{i},{B}_{i},{C}_{i}\}$ from $HGWN$, ${U}_{i}$ stores $\{{A}_{i},{B}_{i},{C}_{i},{\theta}_{i}\}$ into its own $S{C}_{i}$.
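The three registration steps above, together with the fuzzy extractor of Section 2.3, as an added Python example (not code from the paper). The code-offset sketch over a repetition code, SHA-256 standing in for $h()$, the toy sizes and the `card_accepts` check are assumptions made for illustration; the page does not specify them.

```python
import hashlib
import secrets

REP, KEY_BITS = 5, 16        # toy sizes (assumed): BIO_i is KEY_BITS * REP = 80 bits

def h(*parts):
    """h(x1 || x2 || ...), with SHA-256 standing in for the page's h()."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def gen(bio):
    """Gen(BIO_i) -> (sigma_i, theta_i) using a code-offset sketch."""
    key = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    codeword = [bit for bit in key for _ in range(REP)]       # repetition code
    theta = [b ^ c for b, c in zip(bio, codeword)]            # public helper data
    return h(bytes(key)), theta

def rep(bio, theta):
    """Rep(BIO_i', theta_i) -> sigma_i while each REP-bit block has < REP/2 flips."""
    noisy = [b ^ t for b, t in zip(bio, theta)]
    key = [int(sum(noisy[i:i + REP]) > REP // 2) for i in range(0, len(noisy), REP)]
    return h(bytes(key))

def user_step1(identity, password, bio):
    """Step 1: U_i derives HID_i and HPW_i; theta_i stays on the smart card."""
    sigma, theta = gen(bio)
    return h(identity, sigma), h(password, sigma), theta

def hgwn_step2(hid, hpw, k_h, store):
    """Step 2: the HGWN stores {HID_i, r_h} and returns {A_i, B_i, C_i}."""
    r_h = secrets.token_bytes(32)
    store[hid] = r_h
    return {"A": xor(h(hid, k_h, r_h), hid), "B": h(hid, hpw, r_h), "C": xor(hid, r_h)}

def card_accepts(card, identity, password, bio):
    """Assumed local check: rebuild B_i from what the user presents to the card."""
    sigma = rep(bio, card["theta"])
    hid, hpw = h(identity, sigma), h(password, sigma)
    return secrets.compare_digest(h(hid, hpw, xor(card["C"], hid)), card["B"])

def demo():
    bio = [secrets.randbelow(2) for _ in range(KEY_BITS * REP)]   # constructed reading
    k_h, store = secrets.token_bytes(32), {}
    hid, hpw, theta = user_step1(b"ID_i", b"PW_i", bio)
    card = dict(hgwn_step2(hid, hpw, k_h, store), theta=theta)    # Step 3: stored in SC_i
    noisy = [b ^ (i in (0, 7, 33)) for i, b in enumerate(bio)]    # 3 isolated bit flips
    other = [b ^ (i < 3) for i, b in enumerate(bio)]              # 3 flips in one block
    return {
        "noisy_scan_accepted": card_accepts(card, b"ID_i", b"PW_i", noisy),
        "wrong_password_accepted": card_accepts(card, b"ID_i", b"guess", noisy),
        "other_biometric_accepted": card_accepts(card, b"ID_i", b"PW_i", other),
        # A_i XOR HID_i is the value h(HID_i || k_h || r_h) the gateway can rebuild.
        "gateway_rebuilds_A_h": xor(card["A"], hid) == h(hid, k_h, store[hid]),
    }

if __name__ == "__main__":
    print(demo())
```

The tolerance comes entirely from the error-correcting code: one flipped bit per five-bit block is corrected, three flips in the same block change ${\sigma}_{i}$ and with it $HI{D}_{i}$, $HP{W}_{i}$ and the recovered ${r}_{h}$.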

#### 3.2.2. Sensor Registration Phase

#### 3.3. User Login Phase

#### 3.4. Authentication and Key Agreement Phase

#### 3.4.1. Authentication and Key Agreement in the HGWN

**Step 1**: ${U}_{i}$ sends the login request message $\{{M}_{1},{M}_{2},{M}_{3},{D}_{1},{T}_{1}\}$ to the $HGWN$.

**Step 2**: After receiving $\{{M}_{1},{M}_{2},{M}_{3},{D}_{1},{T}_{1}\}$ from ${U}_{i}$, the $HGWN$ checks whether $|{T}_{1}^{\prime}-{T}_{1}|<\Delta T$ is satisfied, where ${T}_{1}^{\prime}$ is the current timestamp the $HGWN$ acquired and $\Delta T$ is the acceptable maximum transmission delay. If the inequality is not true, namely ${T}_{1}$ is not fresh, the $HGWN$ aborts the current session. Otherwise, the $HGWN$ computes ${D}_{2}^{\prime}={k}_{h}{D}_{1}$ and $HI{D}_{i}^{\prime}={M}_{1}\oplus h\left({D}_{2}^{\prime}\right)$ to find ${r}_{h}$ stored in its own memory. Subsequently, the $HGWN$ calculates ${A}_{h}^{\prime}=h(HI{D}_{i}^{\prime}\left|\right|{k}_{h}\left|\right|{r}_{h})$, $SI{D}_{j}^{\prime}={M}_{2}\oplus h\left({D}_{2}^{\prime}\right)\oplus {A}_{h}^{\prime}$, and ${M}_{3}^{\prime}=h(HI{D}_{i}^{\prime}\left|\right|{A}_{h}^{\prime}\left|\right|{D}_{2}^{\prime}\left|\right|{M}_{1}\left|\right|{M}_{2}\left|\right|{T}_{1})$, and checks whether ${M}_{3}^{\prime}\stackrel{?}{=}{M}_{3}$. The current session is aborted if ${M}_{3}^{\prime}\ne {M}_{3}$. Otherwise, the $HGWN$ seeks ${A}_{gs}$ from its own memory through $SI{D}_{j}$, generates a random number ${r}_{hg}$, a timestamp ${T}_{2}$, and calculates ${M}_{4}={r}_{hg}\oplus h({A}_{gs}\left|\right|{T}_{2})$, ${M}_{5}=h(SI{D}_{j}\left|\right|{r}_{hg}\left|\right|{A}_{gs}\left|\right|{D}_{1}\left|\right|{T}_{2})$. Finally, the $HGWN$ sends $\{{M}_{4},{M}_{5},{D}_{1},{T}_{2}\}$ to $S{N}_{j}$.

**Step 3**: When ${SN}_{j}$ receives $\{{M}_{4},{M}_{5},{D}_{1},{T}_{2}\}$ from the $HGWN$, ${SN}_{j}$ obtains the current timestamp ${T}_{2}^{\prime}$ and verifies whether $|{T}_{2}^{\prime}-{T}_{2}|<\Delta T$. If the inequality does not hold, ${SN}_{j}$ terminates the current session. Otherwise, ${SN}_{j}$ figures out ${r}_{hg}^{\prime}=h({A}_{gs}\left|\right|{T}_{2})\oplus {M}_{4}$ and ${M}_{5}^{\prime}=h(SI{D}_{j}\left|\right|{r}_{hg}^{\prime}\left|\right|{A}_{gs}\left|\right|{D}_{1}\left|\right|{T}_{2})$, and examines whether ${M}_{5}^{\prime}\stackrel{?}{=}{M}_{5}$. The current session is terminated if ${M}_{5}^{\prime}\ne {M}_{5}$. Otherwise, ${SN}_{j}$ generates a random number $b\in {\mathrm{Z}}_{q}^{*}$ and a timestamp ${T}_{3}$, and figures out ${D}_{3}=bP$, ${D}_{4}=b{K}_{h}$, $SK=h({D}_{1}\left|\right|{D}_{3}\left|\right|b{D}_{1})$, ${M}_{6}=h(SI{D}_{j}\left|\right|{r}_{hg}\left|\right|{A}_{gs}\left|\right|{D}_{4}\left|\right|{T}_{3})$, and ${M}_{7}=h(SK\left|\right|{D}_{1}\left|\right|{D}_{3})$. Lastly, ${SN}_{j}$ transmits $\{{M}_{6},{M}_{7},{D}_{3},{T}_{3}\}$ to the $HGWN$.

**Step 4**: After getting $\{{M}_{6},{M}_{7},{D}_{3},{T}_{3}\}$ from ${SN}_{j}$, the $HGWN$ acquires the current timestamp ${T}_{3}^{\prime}$ and verifies whether $|{T}_{3}^{\prime}-{T}_{3}|<\Delta T$. If the verification fails, the $HGWN$ aborts the current session. Otherwise, the $HGWN$ calculates ${D}_{4}^{\prime}={k}_{h}{D}_{3}$, ${M}_{6}^{\prime}=h(SI{D}_{j}\left|\right|{r}_{hg}\left|\right|{A}_{gs}\left|\right|{D}_{4}^{\prime}\left|\right|{T}_{3})$, and checks whether ${M}_{6}^{\prime}\stackrel{?}{=}{M}_{6}$. If ${M}_{6}^{\prime}\ne {M}_{6}$, the $HGWN$ aborts the current session. Otherwise, the $HGWN$ generates a timestamp ${T}_{4}$, calculates ${M}_{8}=h(HI{D}_{i}\left|\right|{A}_{h}\left|\right|{D}_{1}\left|\right|{D}_{3}\left|\right|{M}_{7}\left|\right|{T}_{4})$, and dispatches $\{{M}_{7},{M}_{8},{D}_{3},{T}_{4}\}$ to ${U}_{i}$.

**Step 5**: Upon receiving $\{{M}_{7},{M}_{8},{D}_{3},{T}_{4}\}$ from the $HGWN$, ${U}_{i}$ obtains the current timestamp ${T}_{4}^{\prime}$ and checks whether $|{T}_{4}^{\prime}-{T}_{4}|<\Delta T$. If the verification fails, the current session is rejected by ${U}_{i}$. Otherwise, ${U}_{i}$ computes ${M}_{8}^{\prime}=h(HI{D}_{i}\left|\right|{A}_{h}\left|\right|{D}_{1}\left|\right|{D}_{3}\left|\right|{M}_{7}\left|\right|{T}_{4})$ and checks whether ${M}_{8}^{\prime}\stackrel{?}{=}{M}_{8}$. If ${M}_{8}^{\prime}\ne {M}_{8}$, ${U}_{i}$ aborts the current session. Otherwise, ${U}_{i}$ computes $S{K}^{\prime}=h({D}_{1}\left|\right|{D}_{3}\left|\right|a{D}_{3})$, ${M}_{7}^{\prime}=h(S{K}^{\prime}\left|\right|{D}_{1}\left|\right|{D}_{3})$, and verifies whether ${M}_{7}^{\prime}\stackrel{?}{=}{M}_{7}$. If not, ${U}_{i}$ declines to establish a session key with ${SN}_{j}$. Otherwise, ${U}_{i}$ and ${SN}_{j}$ share an identical session key, and the authentication process is successfully completed.
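An added Python walk-through of Steps 1 to 5 (not the authors' code), run on the toy curve ${y}^{2}={x}^{3}-x+2$ over ${F}_{97}$ from Section 2.1, where the shared key exists because $a(bP)=b(aP)$. The contents of ${M}_{1}$, ${M}_{2}$, ${M}_{3}$ with ${D}_{1}=aP$ and ${D}_{2}=a{K}_{h}$ are inferred from the checks the $HGWN$ performs in Step 2, since the login phase text is not shown here; SHA-256 as $h()$, the base point $(0,14)$, ${K}_{h}={k}_{h}P$, the single shared clock and the constructed registration state are likewise assumptions.

```python
import hashlib
import secrets

p, A = 97, -1            # curve y^2 = x^3 - x + 2 over F_97 (Section 2.1)
P, O = (0, 14), None     # assumed base point, 14^2 = 196 = 2 (mod 97); O is infinity
DELTA_T = 5              # assumed freshness window, in seconds

def add(P1, P2):
    """Point addition on the toy curve."""
    if P1 is O or P2 is O:
        return P2 if P1 is O else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    num, den = (3 * x1 * x1 + A, 2 * y1) if P1 == P2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, Q):
    """Scalar multiplication kQ by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

N = next(n for n in range(1, 200) if mul(n, P) is O)   # order of P, found by search

def h(*parts):
    """h(x1 || x2 || ...): integers as 8 bytes, points as their (x, y) bytes."""
    out = b""
    for v in parts:
        v = v.to_bytes(8, "big") if isinstance(v, int) else v
        out += b"O" if v is O else bytes(v)
    return hashlib.sha256(out).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def check(ok, why):
    if not ok:
        raise ValueError(why)

def run(now=1000, tamper=None):
    """Steps 1-5 of Section 3.4.1; `tamper` corrupts one value in transit."""
    def rnd():
        return 1 + secrets.randbelow(N - 1)
    # Constructed registration state (the registration phases are not rerun here).
    k_h, r_h, A_gs = rnd(), secrets.token_bytes(32), secrets.token_bytes(32)
    HID, SID, K_h = h(b"ID_i", b"sigma_i"), h(b"SID_j"), mul(k_h, P)
    A_h, users, sensors = h(HID, k_h, r_h), {HID: r_h}, {SID: A_gs}
    # Step 1, U_i: login request inferred from the checks the HGWN performs.
    a, T1 = rnd(), now
    D1, D2 = mul(a, P), mul(a, K_h)
    M1, M2 = xor(HID, h(D2)), xor(xor(SID, h(D2)), A_h)
    M3 = h(HID, A_h, D2, M1, M2, T1)
    if tamper == "M2":
        M2 = xor(M2, b"\x01" * 32)
    if tamper == "replay":
        now += 60                       # captured request delivered a minute late
    # Step 2, HGWN.
    check(abs(now - T1) < DELTA_T, "HGWN: stale T1")
    D2_ = mul(k_h, D1)
    HID_ = xor(M1, h(D2_))
    check(HID_ in users, "HGWN: unknown HID")
    A_h_ = h(HID_, k_h, users[HID_])
    SID_ = xor(xor(M2, h(D2_)), A_h_)
    check(h(HID_, A_h_, D2_, M1, M2, T1) == M3, "HGWN: M3 mismatch")
    r_hg, T2 = secrets.token_bytes(32), now
    M4 = xor(r_hg, h(sensors[SID_], T2))
    M5 = h(SID_, r_hg, sensors[SID_], D1, T2)
    # Step 3, SN_j (holds SID_j, A_gs and K_h).
    check(abs(now - T2) < DELTA_T, "SN: stale T2")
    r_hg_ = xor(h(A_gs, T2), M4)
    check(h(SID, r_hg_, A_gs, D1, T2) == M5, "SN: M5 mismatch")
    b, T3 = rnd(), now
    D3, D4 = mul(b, P), mul(b, K_h)
    SK = h(D1, D3, mul(b, D1))
    M6, M7 = h(SID, r_hg_, A_gs, D4, T3), h(SK, D1, D3)
    if tamper == "D3":
        D3 = add(D3, P)                 # point substituted between SN_j and the HGWN
    # Step 4, HGWN.
    check(abs(now - T3) < DELTA_T, "HGWN: stale T3")
    check(h(SID_, r_hg, sensors[SID_], mul(k_h, D3), T3) == M6, "HGWN: M6 mismatch")
    T4 = now
    M8 = h(HID_, A_h_, D1, D3, M7, T4)
    # Step 5, U_i.
    check(abs(now - T4) < DELTA_T, "U: stale T4")
    check(h(HID, A_h, D1, D3, M7, T4) == M8, "U: M8 mismatch")
    SK_ = h(D1, D3, mul(a, D3))
    check(h(SK_, D1, D3) == M7, "U: M7 mismatch")
    return SK, SK_                      # key held by SN_j, key held by U_i
```

`run()` returns the two session keys; with `tamper="M2"`, `"replay"` or `"D3"` it raises `ValueError` naming the party and the check that aborted the session.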

#### 3.4.2. Authentication and Key Agreement in the FGWN

**Step 1**: ${U}_{i}$ computes the login request message $\{{M}_{1},{M}_{2},{M}_{3},{D}_{1},{T}_{1}\}$ as in the User Login Phase Section and sends them to the $HGWN$.

**Step 2**: After receiving $\{{M}_{1},{M}_{2},{M}_{3},{D}_{1},{T}_{1}\}$ from ${U}_{i}$, the $HGWN$ obtains the current timestamp ${T}_{1}^{\prime}$ and verifies ${T}_{1}$’s validity, namely $|{T}_{1}^{\prime}-{T}_{1}|<\Delta T$. If the verification fails, the $HGWN$ aborts. Otherwise, the $HGWN$ calculates ${D}_{2}^{\prime}={k}_{h}{D}_{1}$, $HI{D}_{i}^{\prime}={M}_{1}\oplus h\left({D}_{2}^{\prime}\right)$, ${A}_{h}^{\prime}=h(HI{D}_{i}^{\prime}\left|\right|{k}_{h}\left|\right|{r}_{h})$, $SI{D}_{j}^{\prime}={M}_{2}\oplus {A}_{h}^{\prime}\oplus h\left({D}_{2}^{\prime}\right)$, and ${M}_{3}^{\prime}=h(HI{D}_{i}^{\prime}\left|\right|{A}_{h}^{\prime}\left|\right|{D}_{2}^{\prime}\left|\right|{M}_{1}\left|\right|{M}_{2}\left|\right|{T}_{1})$. Subsequently, the $HGWN$ checks whether ${M}_{3}^{\prime}\stackrel{?}{=}{M}_{3}$. The current session is aborted if ${M}_{3}^{\prime}\ne {M}_{3}$. Next, if ${SID}_{j}$ is not in the $HGWN$’s database, the $HGWN$ broadcasts the target sensor’s identity ${SID}_{j}$ to the rest of the gateway nodes. If any $FGWN$ finds ${SID}_{j}$ in its database, it responds to the $HGWN$ and broadcasts its own public key ${K}_{f}$ in the WSNs. Subsequently, the $HGWN$ generates a random number $b\in {Z}_{q}^{*}$ and a timestamp ${T}_{2}$, and computes ${D}_{3}=bP$, ${D}_{4}=b{K}_{f}$, $(b+{k}_{h}){K}_{f}$, and ${M}_{4}=h(SI{D}_{j}\left|\right|{D}_{3}\left|\right|(b+{k}_{h}){K}_{f}\left|\right|{T}_{2})$. Finally, the $HGWN$ dispatches $\{{M}_{4},{D}_{3},{T}_{2}\}$ to the corresponding $FGWN$.

**Step 3**: Upon receiving $\{{M}_{4},{D}_{3},{T}_{2}\}$ from the $HGWN$, the corresponding $FGWN$ obtains the current timestamp ${T}_{2}^{\prime}$ and verifies whether $|{T}_{2}^{\prime}-{T}_{2}|<\Delta T$. If not, the $FGWN$ terminates the current session. Otherwise, the $FGWN$ computes ${D}_{4}^{\prime}={k}_{f}{D}_{3}$, ${D}_{4}^{\prime}+{k}_{f}{K}_{h}$, and ${M}_{4}^{\prime}=h(SI{D}_{j}\left|\right|{D}_{3}\left|\right|{D}_{4}^{\prime}+{k}_{f}{K}_{h}\left|\right|{T}_{2})$, and examines whether ${M}_{4}^{\prime}\stackrel{?}{=}{M}_{4}$. The $FGWN$ terminates the current session if ${M}_{4}^{\prime}\ne {M}_{4}$. Otherwise, the $FGWN$ generates random numbers $c\in {Z}_{q}^{*}$, ${r}_{f}$, a timestamp ${T}_{3}$, and calculates ${D}_{5}=cP$, ${D}_{6}=c{K}_{h}$, $(c+{k}_{f}){K}_{h}$, ${A}_{f}=h(HI{D}_{i}\left|\right|{k}_{f}\left|\right|{r}_{f})$, ${M}_{5}={A}_{f}\oplus h\left({D}_{6}\right)$, and ${M}_{6}=h(SI{D}_{j}\left|\right|{A}_{f}\left|\right|(c+{k}_{f}){K}_{h}\left|\right|{M}_{5}\left|\right|{T}_{3})$. Then, the $FGWN$ transmits $\{{M}_{5},{M}_{6},{D}_{5},{T}_{3}\}$ to the $HGWN$.

**Step 4**: Upon getting $\{{M}_{5},{M}_{6},{D}_{5},{T}_{3}\}$ from the $FGWN$, the $HGWN$ acquires the current timestamp ${T}_{3}^{\prime}$ and verifies whether $|{T}_{3}^{\prime}-{T}_{3}|<\Delta T$. If the verification fails, the $HGWN$ rejects the current session. Otherwise, the $HGWN$ figures out ${D}_{6}^{\prime}={k}_{h}{D}_{5}$, ${D}_{6}^{\prime}+{k}_{h}{K}_{f}$, ${A}_{f}^{\prime}={M}_{5}\oplus h\left({D}_{6}^{\prime}\right)$, and ${M}_{6}^{\prime}=h(SI{D}_{j}\left|\right|{A}_{f}^{\prime}\left|\right|{D}_{6}^{\prime}+{k}_{h}{K}_{f}\left|\right|{M}_{5}\left|\right|{T}_{3})$, and checks whether ${M}_{6}^{\prime}\stackrel{?}{=}{M}_{6}$. If ${M}_{6}^{\prime}\ne {M}_{6}$, the $HGWN$ rejects the current session. Otherwise, the $HGWN$ generates a timestamp ${T}_{4}$, calculates ${M}_{7}={A}_{f}\oplus {A}_{h}$, ${M}_{8}=h(HI{D}_{i}\left|\right|SI{D}_{j}\left|\right|{A}_{h}\left|\right|{A}_{f}\left|\right|{M}_{7}\left|\right|{T}_{4})$, and dispatches $\{{M}_{7},{M}_{8},{T}_{4}\}$ to ${U}_{i}$.

**Step 5**: After receiving $\{{M}_{7},{M}_{8},{T}_{4}\}$ from the $HGWN$, ${U}_{i}$ gets the current timestamp ${T}_{4}^{\prime}$ and checks whether $|{T}_{4}^{\prime}-{T}_{4}|<\Delta T$. If not, the current session is rejected by ${U}_{i}$. Otherwise, ${U}_{i}$ computes ${A}_{f}^{\prime}={M}_{7}\oplus {A}_{h}$, ${M}_{8}^{\prime}=h(HI{D}_{i}\left|\right|SI{D}_{j}\left|\right|{A}_{h}\left|\right|{A}_{f}^{\prime}\left|\right|{M}_{7}\left|\right|{T}_{4})$ and checks whether ${M}_{8}^{\prime}\stackrel{?}{=}{M}_{8}$. If ${M}_{8}^{\prime}\ne {M}_{8}$, ${U}_{i}$ rejects the current session. Otherwise, ${U}_{i}$ generates a timestamp ${T}_{5}$ and computes ${D}_{2f}=a{K}_{f}$, ${M}_{9}=HI{D}_{i}\oplus h\left({D}_{2f}\right)$, ${M}_{10}=h(HI{D}_{i}\left|\right|{A}_{f}\left|\right|{D}_{2f}\left|\right|{M}_{9}\left|\right|{T}_{5})$, and delivers $\{{M}_{9},{M}_{10},{T}_{5}\}$ to the $FGWN$.

**Step 6**: After receiving $\{{M}_{9},{M}_{10},{T}_{5}\}$ from ${U}_{i}$, the $FGWN$ obtains the current timestamp ${T}_{5}^{\prime}$ and checks whether $|{T}_{5}^{\prime}-{T}_{5}|<\Delta T$ is satisfied. If the check fails, the $FGWN$ aborts the current session. Otherwise, the $FGWN$ computes ${D}_{2f}^{\prime}={k}_{f}{D}_{1}$, $HI{D}_{i}^{\prime}={M}_{9}\oplus h\left({D}_{2f}^{\prime}\right)$, ${M}_{10}^{\prime}=h(HI{D}_{i}^{\prime}\left|\right|{A}_{f}\left|\right|{D}_{2f}^{\prime}\left|\right|{M}_{9}\left|\right|{T}_{5})$, and checks whether ${M}_{10}^{\prime}\stackrel{?}{=}{M}_{10}$. The current session is aborted if ${M}_{10}^{\prime}\ne {M}_{10}$. Otherwise, the $FGWN$ generates a random number ${r}_{fg}$, a timestamp ${T}_{6}$, and calculates ${M}_{11}={r}_{fg}\oplus h({A}_{fs}\left|\right|{T}_{6})$, ${M}_{12}=h(SI{D}_{j}\left|\right|{r}_{fg}\left|\right|{A}_{fs}\left|\right|{D}_{1}\left|\right|{T}_{6})$. Finally, the $FGWN$ sends $\{{M}_{11},{M}_{12},{T}_{6}\}$ to $S{N}_{j}$.

**Step 7**: When $S{N}_{j}$ receives $\{{M}_{11},{M}_{12},{T}_{6}\}$ from the $FGWN$, $S{N}_{j}$ obtains the current timestamp ${T}_{6}^{\prime}$ and verifies whether $|{T}_{6}^{\prime}-{T}_{6}|<\Delta T$. If not, $S{N}_{j}$ aborts the current session. Otherwise, $S{N}_{j}$ computes ${r}_{fg}^{\prime}=h({A}_{fs}\left|\right|{T}_{6})\oplus {M}_{11}$, ${M}_{12}^{\prime}=h(SI{D}_{j}\left|\right|{r}_{fg}^{\prime}\left|\right|{A}_{fs}\left|\right|{D}_{1}\left|\right|{T}_{6})$, and examines whether ${M}_{12}^{\prime}\stackrel{?}{=}{M}_{12}$. The current session is aborted if ${M}_{12}^{\prime}\ne {M}_{12}$. Otherwise, $S{N}_{j}$ generates a random number $d\in {\mathrm{Z}}_{q}^{*}$, a timestamp ${T}_{7}$, and figures out ${D}_{7}=dP$, ${D}_{8}=d{K}_{f}$, $SK=h({D}_{7}\left|\right|d{D}_{1})$, ${M}_{13}=h(SI{D}_{j}\left|\right|{r}_{fg}\left|\right|{A}_{fs}\left|\right|{D}_{8}\left|\right|{T}_{7})$, and ${M}_{14}=h(SK\left|\right|{D}_{7})$. After that, $S{N}_{j}$ transmits $\{{M}_{13},{M}_{14},{D}_{7},{T}_{7}\}$ to the $FGWN$.

**Step 8**: After getting $\{{M}_{13},{M}_{14},{D}_{7},{T}_{7}\}$ from $S{N}_{j}$, the $FGWN$ acquires the current timestamp ${T}_{7}^{\prime}$ and verifies whether $|{T}_{7}^{\prime}-{T}_{7}|<\Delta T$. If the verification fails, the $FGWN$ aborts the current session. Otherwise, the $FGWN$ computes ${D}_{8}^{\prime}={k}_{f}{D}_{7}$, ${M}_{13}^{\prime}=h(SI{D}_{j}\left|\right|{r}_{fg}\left|\right|{A}_{fs}\left|\right|{D}_{8}^{\prime}\left|\right|{T}_{7})$, and checks whether ${M}_{13}^{\prime}\stackrel{?}{=}{M}_{13}$. If ${M}_{13}^{\prime}\ne {M}_{13}$, the $FGWN$ aborts the current session. Otherwise, the $FGWN$ generates a timestamp ${T}_{8}$, calculates ${M}_{15}=h(HI{D}_{i}\left|\right|{A}_{f}\left|\right|{D}_{1}\left|\right|{D}_{7}\left|\right|{M}_{14}\left|\right|{T}_{8})$, and dispatches $\{{M}_{14},{M}_{15},{D}_{7},{T}_{8}\}$ to ${U}_{i}$.

**Step 9**: After receiving $\{{M}_{14},{M}_{15},{D}_{7},{T}_{8}\}$ from the $FGWN$, ${U}_{i}$ obtains the current timestamp ${T}_{8}^{\prime}$ and checks whether $|{T}_{8}^{\prime}-{T}_{8}|<\Delta T$. If not, ${U}_{i}$ rejects the current session. Otherwise, ${U}_{i}$ computes ${M}_{15}^{\prime}=h(HI{D}_{i}\left|\right|{A}_{f}\left|\right|{D}_{1}\left|\right|{D}_{7}\left|\right|{M}_{14}\left|\right|{T}_{8})$ and checks whether ${M}_{15}^{\prime}\stackrel{?}{=}{M}_{15}$. If ${M}_{15}^{\prime}\ne {M}_{15}$, ${U}_{i}$ aborts the current session. Otherwise, ${U}_{i}$ figures out $S{K}^{\prime}=h({D}_{7}\left|\right|a{D}_{7})$, ${M}_{14}^{\prime}=h(S{K}^{\prime}\left|\right|{D}_{7})$, and verifies whether ${M}_{14}^{\prime}\stackrel{?}{=}{M}_{14}$. If the verification fails, ${U}_{i}$ declines to establish a session key with $S{N}_{j}$. Otherwise, ${U}_{i}$ and $S{N}_{j}$ share an identical session key, and the authentication process is successfully completed.
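Why the values a receiver recomputes in the steps above equal the ones the sender used, written out with the page's symbols. This is an added derivation, not part of the original article; it assumes the usual key relations ${K}_{h}={k}_{h}P$ and ${K}_{f}={k}_{f}P$, together with ${D}_{1}=aP$:

- Steps 2 and 3: ${D}_{4}^{\prime}={k}_{f}{D}_{3}={k}_{f}bP=b{K}_{f}={D}_{4}$, so $(b+{k}_{h}){K}_{f}=b{K}_{f}+{k}_{h}{k}_{f}P={D}_{4}^{\prime}+{k}_{f}{K}_{h}$.
- Steps 3 and 4: ${D}_{6}^{\prime}={k}_{h}{D}_{5}={k}_{h}cP=c{K}_{h}={D}_{6}$, so $(c+{k}_{f}){K}_{h}=c{K}_{h}+{k}_{f}{k}_{h}P={D}_{6}^{\prime}+{k}_{h}{K}_{f}$.
- Steps 5 and 6: ${D}_{2f}^{\prime}={k}_{f}{D}_{1}={k}_{f}aP=a{K}_{f}={D}_{2f}$.
- Steps 7 and 9: $d{D}_{1}=daP=a{D}_{7}$, so $SK=h({D}_{7}\left|\right|d{D}_{1})=h({D}_{7}\left|\right|a{D}_{7})=S{K}^{\prime}$.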

#### 3.5. User Password Update Phase

## 4. Security Analysis

#### 4.1. Formal Security Proof

#### 4.1.1. Formal Security Model

#### 4.1.2. Security Proof

**Proof.**

**Game 0**: In the random oracle model, the real attack on P is modeled, and the following formula can be obtained:

**Game 1**: $\mathcal{A}$ carries out $Execute$ queries to model an eavesdropping attack. Even when $Execute$ queries are taken into consideration, the adversary's probability of winning the game does not increase.

**Game 2**: $Game$ 2 adds hash oracles to $Game$ 1. This game models the active attack, and $\mathcal{A}$ attempts to trick a legitimate principal into accepting the modified message. When a collision happens between the constructed information and the real authentication information, $\mathcal{A}$ gets the secret information and wins the game. According to the birthday paradox, the maximum probability of the hash oracle collision is $\frac{{q}_{hash}^{2}}{{2}^{l+1}}$, and we have:

**Game 3**: $Send$ queries are added. This game models the active attack, and $\mathcal{A}$ attempts to trick a legitimate principal into accepting the modified message. Therefore, we have:

**Game 4**: In this game, $\mathcal{A}$ asks $Execute$ queries eavesdropping on all exchanged messages $\{{M}_{1},{M}_{2},{M}_{3},{D}_{1},{T}_{1}\}$, $\{{M}_{4},{M}_{5},{D}_{1},{T}_{2}\}$, $\{{M}_{6},{M}_{7},{D}_{3},{T}_{3}\}$, and $\{{M}_{7},{M}_{8},{D}_{3},{T}_{4}\}$. $\mathcal{A}$ executes $Corrupt\left({I}^{i}\right)$ to obtain the private key of this entity, where I is equal to U, $HGWN$, and $SN$ successively, and thus $\mathcal{A}$ can obtain all the private keys. $SKReveal\left({I}^{i}\right)$ can be executed in this game. It will answer an $SK$ if the target instance has formed an $SK$. $\mathcal{A}$ executes $SSReveal\left({I}^{i}\right)$ to get the internal state of an incomplete session. In order to compute the session key, $\mathcal{A}$ has to resolve the intractable $ECDHP$ to get a or b from ${D}_{1}=aP$ or ${D}_{3}=bP$. Let $Ad{v}_{P}^{ECDHP}\left(t\right)$ be the advantage of $\mathcal{A}$, who can resolve the $ECDHP$ in polynomial time. As a result, we get:

#### 4.2. Formal Verification Using Scyther

#### 4.3. Informal Security Analysis

#### 4.3.1. Mutual Authentication

#### 4.3.2. Session Key Agreement

#### 4.3.3. Forward and Backward Secrecy

#### 4.3.4. User Anonymity and Untraceability

#### 4.3.5. Illegal Login Detection

#### 4.3.6. Stolen Smart Card Attack

#### 4.3.7. Replay Attack

#### 4.3.8. Privileged Insider Attack

#### 4.3.9. Desynchronization Attack

#### 4.3.10. Impersonation Attack

## 5. Performance and Security Comparison

#### 5.1. Security Features Comparison

#### 5.2. Communication Cost Comparison

#### 5.3. Computation Cost Comparison

## 6. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Acknowledgments

## Conflicts of Interest

## Abbreviations

Abbreviation | Meaning |
---|---|
IIoT | Industrial Internet of Things |
WSNs | Wireless sensor networks |
XOR | Exclusive OR |
ECC | Elliptic curve cryptography |
ECDHP | Elliptic curve Diffie–Hellman problem |
ECDLP | Elliptic curve discrete logarithm problem |
AES | Advanced Encryption Standard |
HGWN | Home gateway node |
FGWN | Foreign gateway node |
ROM | Random oracle model |
AKA | Authentication and key agreement |
SHA-1 | Secure Hash Standard 1 |
SHA-256 | Secure Hash Standard 256 |

## References

1. Farag, H.M.; Österberg, P.; Gidlund, M. Congestion Detection and Control for 6TiSCH Networks in IIoT Applications. In Proceedings of the 2020 IEEE International Conference on Communications, ICC 2020, Dublin, Ireland, 7–11 June 2020; pp. 1–6.
2. Sisinni, E.; Saifullah, A.; Han, S.; Jennehag, U.; Gidlund, M. Industrial Internet of Things: Challenges, Opportunities, and Directions. IEEE Trans. Ind. Inform. **2018**, 14, 4724–4734.
3. Far, H.A.N.; Bayat, M.; Das, A.K.; Fotouhi, M.; Pournaghi, S.M.; Doostari, M. LAPTAS: Lightweight anonymous privacy-preserving three-factor authentication scheme for WSN-based IIoT. Wirel. Netw. **2021**, 27, 1389–1412.
4. Choudhary, K.; Gaba, G.S.; Butun, I.; Kumar, P. MAKE-IT—A Lightweight Mutual Authentication and Key Exchange Protocol for Industrial Internet of Things. Sensors **2020**, 20, 5166.
5. Ma, C.; Wang, D.; Zhao, S. Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. **2014**, 27, 2215–2227.
6. Sun, D. Security and Privacy Analysis of Vinoth et al.’s Authenticated Key Agreement Scheme for Industrial IoT. Symmetry **2021**, 13, 1952.
7. Kumari, S.; Khan, M.K.; Atiquzzaman, M. User authentication schemes for wireless sensor networks: A review. Ad Hoc Netw. **2015**, 27, 159–194.
8. Das, M.L. Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. **2009**, 8, 1086–1090.
9. Nyang, D.; Lee, M. Improvement of Das’s Two-Factor Authentication Protocol in Wireless Sensor Networks. Cryptology ePrint Archive. 2009. Available online: https://eprint.iacr.org/2009/631 (accessed on 25 August 2022).
10. Vaidya, B.; Makrakis, D.; Mouftah, H.T. Improved two-factor user authentication in wireless sensor networks. In Proceedings of the IEEE 6th International Conference on Wireless and Mobile Computing, Networking and Communications, Niagara Falls, ON, Canada, 11–13 October 2010; pp. 600–606.
11. He, D.; Gao, Y.; Chan, S.; Chen, C.; Bu, J. An Enhanced Two-factor User Authentication Scheme in Wireless Sensor Networks. Ad Hoc Sens. Wirel. Netw. **2010**, 10, 361–371.
12. Turkanovic, M.; Brumen, B.; Hölbl, M. A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion. Ad Hoc Netw. **2014**, 20, 96–112.
13. Yeh, H.; Chen, T.; Liu, P.; Kim, T.; Wei, H. A Secured Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography. Sensors **2011**, 11, 4767–4779.
14. Shi, W.; Gong, P. A New User Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography. Int. J. Distrib. Sens. Netw. **2013**, 9, 730831.
15. Chang, C.; Le, H. A Provably Secure, Efficient, and Flexible Authentication Scheme for Ad hoc Wireless Sensor Networks. IEEE Trans. Wirel. Commun. **2016**, 15, 357–366.
16. Li, X.; Peng, J.; Niu, J.; Wu, F.; Liao, J.; Choo, K.R. A Robust and Energy Efficient Authentication Protocol for Industrial Internet of Things. IEEE Internet Things J. **2018**, 5, 1606–1615.
17. Amin, R.; Biswas, G.P. A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Netw. **2016**, 36, 58–80.
18. Das, A.K.; Sutrala, A.K.; Kumari, S.; Odelu, V.; Wazid, M.; Li, X. An efficient multi-gateway-based three-factor user authentication and key agreement scheme in hierarchical wireless sensor networks. Secur. Commun. Netw. **2016**, 9, 2070–2092.
19. Wu, F.; Xu, L.; Kumari, S.; Li, X.; Shen, J.; Choo, K.R.; Wazid, M.; Das, A.K. An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment. J. Netw. Comput. Appl. **2017**, 89, 72–85.
20. Srinivas, J.; Mukhopadhyay, S.; Mishra, D. Secure and efficient user authentication scheme for multi-gateway wireless sensor networks. Ad Hoc Netw. **2017**, 54, 147–169.
21. Wang, D.; Li, W.; Wang, P. Measuring Two-Factor Authentication Schemes for Real-Time Data Access in Industrial Wireless Sensor Networks. IEEE Trans. Ind. Inform. **2018**, 14, 4081–4092.
22. Bellare, M.; Rogaway, P. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS’93, Fairfax, VA, USA, 3–5 November 1993; pp. 62–73.
23. Cremers, C.J.F. The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols. In Proceedings of the 20th International Conference, CAV 2008, Princeton, NJ, USA, 7–14 July 2008; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2008; Volume 5123, pp. 414–418.
24. Koblitz, N. Elliptic Curve Cryptosystems. Math. Comput. **1987**, 48, 203–209.
25. Miller, V.S. Use of Elliptic Curves in Cryptography. In Proceedings of the Advances in Cryptology—CRYPTO ’85, Santa Barbara, CA, USA, 18–22 August 1985; Lecture Notes in Computer Science. Williams, H.C., Ed.; Springer: Berlin/Heidelberg, Germany, 1985; Volume 218, pp. 417–426.
26. Dolev, D.; Yao, A.C. On the security of public key protocols. IEEE Trans. Inf. Theory **1983**, 29, 198–207.
27. Dodis, Y.; Reyzin, L.; Smith, A.D. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. In Proceedings of the Advances in Cryptology—EUROCRYPT, Interlaken, Switzerland, 2–6 May 2004; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2004; Volume 3027, pp. 523–540.
28. Canetti, R.; Krawczyk, H. Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In Proceedings of the EuroCrypt, Innsbruck, Austria, 6–10 May 2001; Pfitzmann, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045, pp. 453–474.
29. Srinivas, J.; Das, A.K.; Kumar, N.; Rodrigues, J.J.P.C. Cloud Centric Authentication for Wearable Healthcare Monitoring System. IEEE Trans. Dependable Secur. Comput. **2020**, 17, 942–956.
30. Challa, S.; Das, A.K.; Odelu, V.; Kumar, N.; Kumari, S.; Khan, M.K.; Vasilakos, A.V. An efficient ECC-based provably secure three-factor user authentication and key agreement protocol for wireless healthcare sensor networks. Comput. Electr. Eng. **2018**, 69, 534–554.
31. Lee, C.; Chen, C.; Wu, P.; Chen, T. Three-factor control protocol based on elliptic curve cryptosystem for universal serial bus mass storage devices. IET Comput. Digit. Tech. **2013**, 7, 48–56.
32. Dang, Q.H. Secure hash standard. In US Doc/NIST FIPS Publication 180-4; NIST: Gaithersburg, MD, USA, 2015.

Symbol | Description |
---|---|
$SA$ | System administrator |
${U}_{i}$ | ith user node |
${SN}_{j}$ | jth sensor node |
${SC}_{i}$ | Smart card of ${U}_{i}$ |
$HGWN$ | Home gateway node |
$FGWN$ | Foreign gateway node |
${ID}_{i}$ | Identity of ${U}_{i}$ |
${SID}_{j}$ | Identity of ${SN}_{j}$ |
${PW}_{i}$ | Password of ${U}_{i}$ |
${BIO}_{i}$ | Biometric information of ${U}_{i}$ |
${k}_{h},{K}_{h}$ | Private key and public key of $HGWN$ |
${k}_{f},{K}_{f}$ | Private key and public key of $FGWN$ |
${r}_{h},{r}_{hg},{r}_{f},{r}_{fg}$ | Random numbers |
$a,b,c,d$ | Random numbers $\in {Z}_{q}^{*}$ |
$P$ | A point on the elliptic curve |
${T}_{1},{T}_{2},...,{T}_{8}$ | Timestamps |
$\Delta T$ | Acceptable maximum transmission delay |
$SK$ | Session key |
$h\left(\right)$ | One-way hash function |
$\oplus$ | Exclusive-or operation |
$\left|\right|$ | Concatenation operation |
$Gen\left(\right)$ | Fuzzy extractor probabilistic generation procedure |
$Rep\left(\right)$ | Fuzzy extractor deterministic reproduction procedure |

Security Properties | [13] | [17] | [18] | [19] | [20] | Ours |
---|---|---|---|---|---|---|
Mutual authentication | × | ✓ | ✓ | ✓ | ✓ | ✓ |
Session key agreement | ✓ | ✓ | ✓ | × | × | ✓ |
Forward and backward secrecy | × | × | × | × | × | ✓ |
User anonymity | ✓ | × | × | × | × | ✓ |
Untraceability property | × | × | ✓ | × | × | ✓ |
Illegal login detection | × | ✓ | ✓ | × | ✓ | ✓ |
Stolen smart card attack | × | × | ✓ | ✓ | ✓ | ✓ |
Replay attack | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Insider attack | ✓ | ✓ | ✓ | × | ✓ | ✓ |
Desynchronization attack | × | × | ✓ | ✓ | × | ✓ |
Impersonation attack | × | × | ✓ | × | ✓ | ✓ |

Scheme | Case | Number of Messages | Communication Cost (bits) |
---|---|---|---|
[13] | Case-1 | 2 | 1504 |
[17] | Case-1 | 4 | 2528 |
[17] | Case-2 | 5 | 3008 |
[18] | Case-1 | 3 | 2784 |
[18] | Case-2 | 6 | 4704 |
[19] | Case-1 | 4 | 2688 |
[19] | Case-2 | 8 | 4480 |
[20] | Case-1 | 4 | 2368 |
[20] | Case-2 | 7 | 3904 |
Ours | Case-1 | 4 | 2848 |
Ours | Case-2 | 8 | 4416 |

Symbol | Description | Approximate Computation Time (s) |
---|---|---|
${T}_{h}$ | Hash function | 0.00032 |
${T}_{ecm}$ | ECC point multiplication | 0.0171 |
${T}_{eca}$ | ECC point addition | 0.0044 |
${T}_{sym}$ | Symmetric encryption/decryption | 0.0056 |
${T}_{fe}$ | Fuzzy extractor function | 0.0171 |

Protocols | Case | User | HGWN | FGWN | Sensor | Total (s) |
---|---|---|---|---|---|---|
[13] | Case-1 | $4{T}_{h}+2{T}_{ecm}+1{T}_{eca}$ | $4{T}_{h}+6{T}_{ecm}+3{T}_{eca}$ | - | $3{T}_{h}+2{T}_{ecm}+2{T}_{eca}$ | 0.20092 |
[17] | Case-1 | $7{T}_{h}$ | $8{T}_{h}$ | - | $5{T}_{h}$ | 0.00640 |
[17] | Case-2 | $8{T}_{h}$ | $1{T}_{h}$ | $7{T}_{h}$ | $5{T}_{h}$ | 0.00672 |
[18] | Case-1 | $9{T}_{h}+1{T}_{fe}+1{T}_{sym}$ | $5{T}_{h}+2{T}_{sym}$ | - | $3{T}_{h}+1{T}_{sym}$ | 0.04494 |
[18] | Case-2 | $10{T}_{h}+1{T}_{fe}+2{T}_{sym}$ | 0 | $5{T}_{h}+2{T}_{sym}$ | $4{T}_{h}+1{T}_{sym}$ | 0.05118 |
[19] | Case-1 | $9{T}_{h}$ | $11{T}_{h}$ | - | $4{T}_{h}$ | 0.00768 |
[19] | Case-2 | $11{T}_{h}$ | $7{T}_{h}$ | $7{T}_{h}$ | $4{T}_{h}$ | 0.00928 |
[20] | Case-1 | $10{T}_{h}$ | $14{T}_{h}$ | - | $7{T}_{h}$ | 0.00992 |
[20] | Case-2 | $14{T}_{h}$ | $6{T}_{h}$ | $17{T}_{h}$ | $6{T}_{h}$ | 0.01376 |
Ours | Case-1 | $9{T}_{h}+1{T}_{fe}+3{T}_{ecm}$ | $8{T}_{h}+2{T}_{ecm}$ | - | $5{T}_{h}+3{T}_{ecm}$ | 0.16094 |
Ours | Case-2 | $12{T}_{h}+1{T}_{fe}+4{T}_{ecm}$ | $8{T}_{h}+6{T}_{ecm}+2{T}_{eca}$ | $10{T}_{h}+7{T}_{ecm}+2{T}_{eca}$ | $5{T}_{h}+3{T}_{ecm}$ | 0.38780 |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Zhao, X.; Li, D.; Li, H.
Practical Three-Factor Authentication Protocol Based on Elliptic Curve Cryptography for Industrial Internet of Things. *Sensors* **2022**, *22*, 7510.
https://doi.org/10.3390/s22197510
