Practical Three-Factor Authentication Protocol Based on Elliptic Curve Cryptography for Industrial Internet of Things

Because the majority of information in the industrial Internet of things (IIoT) is transmitted over an open and insecure channel, it is indispensable to design practical and secure authentication and key agreement protocols. Considering the weak computational power of sensors, many scholars have designed lightweight authentication protocols that achieve limited security properties. Moreover, these existing protocols are mostly implemented in a single-gateway scenario, whereas the multigateway scenario is not considered. To deal with these problems, this paper presents a novel three-factor authentication and key agreement protocol based on elliptic curve cryptography for IIoT environments. Based on the elliptic curve Diffie–Hellman problem, we present a protocol achieving desirable forward and backward secrecy. The proposed protocol applies to single-gateway and is also extended to multigateway simultaneously. A formal security analysis is described to prove the security of the proposed scheme. Finally, the comparison results demonstrate that our protocol provides more security attributes at a relatively lower computational cost.


Introduction
The emerging industrial Internet of things (IIoT) is a typical application scenario for wireless sensor network (WSN), where the IIoT is dedicated to affording the capacity to construct innovative services and applications within the industrial automation scenario [1]. The IIoT emphasizes extremely low latency, high security, and the ability to handle massive quantities of data [2]. Therefore, efficient authentication and key agreement mechanisms should be designed for the IIoT infrastructure to ensure security and privacy. In this manner, only authorized principals can access the IIoT resource, and these legal entities can interact over the channel using the session key that they have negotiated.
Considering authentication protocols for sensors with a low computing power, the literature [3,4] sacrifices security to build lightweight protocols, resulting in these schemes being vulnerable to certain attacks. It is clearly found that schemes using only a hash function, exclusive OR (XOR), and symmetric cryptography are unable to achieve forward and backward secrecy. Ma et al. [5] claimed that the public key cryptography algorithm was indispensable to achieve forward secrecy. After that, public key cryptography technology was widely implemented in authentication protocols, where using elliptic curve cryptography (ECC) or bilinear pairings was able to help protocols achieve forward and backward secrecy. Figure 1 illustrates that a representative IIoT architecture usually consists of three categories of entities: industrial IoT sensing devices, an industrial central, and an engineering expert [6], which, respectively, represent sensors, the gateway, and the user in WSNs. IIoT sensing devices are leveraged to monitor the status of objects and gather data, which is subsequently forwarded to a gateway via a wireless channel. A user is able to access the data collected by the gateway in real time. Sensors, in general, have low processing power, limited computational capabilities, and restricted energy and storage capacity, whereas gateways have a strong capacity for data processing [7].

Literature Review
Das [8] first presented a password and smart-card-based two-factor user authentication protocol for WSNs using merely the hash function in 2009. Since then, some drawbacks to this scheme have been discovered by scholars. The schemes presented in [9-11] identified some vulnerabilities in Das's scheme [8] and suggested various countermeasures to overcome these flaws. In 2014, Turkanovic et al. [12] proposed a novel user and mutual authentication scheme for WSNs using only a hash function and XOR. These lightweight schemes consumed relatively fewer resources but sacrificed security.
In order to achieve more security attributes, a public-key infrastructure was considered in some schemes. In 2011, Yeh et al. [13] performed a cryptanalysis of Das's scheme [8], and they discovered that there was no mutual authentication and no protection against an insider attack or forgery attack. As a result, they first implemented ECC to build the authentication protocol to address the current existing weaknesses. Shi and Gong [14] proposed a new ECC-based authentication protocol for WSNs in 2013, which addressed the shortcomings of the scheme in [13] that lacked a key agreement and forward secrecy. In 2016, Chang and Le [15] stated briefly that the scheme from Turkanovic et al. [12] suffered from an impersonation attack, stolen smart card attack, stolen-verifier attack, and failed to ensure backward secrecy, and they proposed an advanced scheme that used ECC to overcome these flaws. In 2018, Li et al. [16] indicated that the protocol in [15] lacked a proper mutual authentication and had other functionality defects. They [16] presented a three-factor user authentication protocol for the IIoT that addressed the protocol's [15] shortcomings by utilizing ECC and symmetric cryptography. A majority of protocols, however, are designed for a single-gateway scenario, ignoring how to implement them in a multigateway scenario.
In 2016, Amin and Biswas [17] solved some security flaws in the scheme from Turkanovic et al. [12] and designed the first authentication protocols for a multigateway scenario. Later, Das et al. [18] indicated that there were no efficient online sensor node registration and password change phases in the literature [17], and they presented a new three-factor user authentication scheme applied to the multigateway WSN architecture using AES (Advanced Encryption Standard). In 2017, Wu et al. [19] demonstrated that the scheme in [17] suffered from tracking attacks due to the constant pseudo-identity and previously established session key that adversaries could calculate and presented a novel authentication scheme for multigateway WSNs. Srinivas et al. [20] showed that the protocol in [17] suffered from a stolen smart card attack, password guessing attack, and impersonation attack. They proposed an authentication scheme for multigateway WSNs that could withstand all the above-mentioned attacks. In 2018, Wang et al. [21] discovered that the scheme in [20] was still subject to offline password guessing attacks and node capture attacks and could not protect the user's anonymity. Therefore, they described efficient countermeasures for these attacks. Since all the above-mentioned multigateway schemes use lightweight cryptographic primitives, it is impossible to achieve forward and backward secrecy. Accordingly, our scheme will solve this problem.
Figure 2 demonstrates how the single-gateway model is implemented in our presented IIoT protocol. After the user logs in, they send the message to the home gateway node (HGWN). If the user can pass the authentication of the HGWN, the HGWN sends the message to the sensor. After the sensor authenticates, it computes the session key and sends a message to the HGWN. Finally, the HGWN sends a message to the user, who calculates the session key to communicate with the sensor.
Through two rounds of complete information exchange, the user, HGWN, and sensor can realize mutual authentication. Nevertheless, in traditional single-gateway WSNs, high-speed data streams are prone to conflict during data aggregation, because the distance between edge sensors and the gateway node is too far, which may cause an increased communication cost and reduced performance. In this case, multigateway protocols are required, and Figure 3 shows the model we used. This architecture is an extension of Figure 2. The user sends the authentication message to the HGWN. Following that, the HGWN checks the validity of the received message. In the event that this procedure is successful, the HGWN sends a message to the FGWN. The FGWN transmits a message to the HGWN after confirming the message's availability. Then, the HGWN checks the received message and delivers a message to the user. Following steps 1-4, mutual authentication is achieved between the user and the FGWN. After that, the user sends a message to the FGWN for further authentication. After the verification is successful, the FGWN transmits a message to the sensor. Subsequently, the sensor computes the session key and delivers a message to the FGWN. Finally, the user figures out the session key used for subsequent communication after confirming the message that the FGWN sent to it.

Motivations and Contributions
1. The intractable elliptic curve Diffie-Hellman problem (ECDHP) is applied to our protocol to guarantee the security of the session key. We extend our scheme to multigateway WSNs while considering the limitations of single-gateway WSNs.
2. The random oracle model (ROM) [22] helps us get the formal proof of the presented scheme. The result indicates that the probability of an adversary who can break the proposed protocol is negligible.
3. Scyther, an automated security protocol verification tool [23], is used to simulate and analyze the proposed protocol. The result demonstrates that the scheme is correct and secure against many adversary models.

Elliptic Curve Cryptography
ECC was initially proposed by Koblitz [24] and Miller [25] in the 1980s, and the basic knowledge of ECC is introduced in the following. Given a large prime number $p$ and a finite field $F_p$, let a set of elliptic curve points $E$ over $F_p$ be defined by the equation $E(F_p): y^2 = x^3 + a \cdot x + b \bmod p$, where $a, b \in F_p$ and $\Delta = 4a^3 + 27b^2 \neq 0 \bmod p$. All points on $E(F_p)$ together with the point $O$ at infinity form an additive Abelian group $G$ of order $q$, where $P$ is the generator point of the group and $n \cdot P = P + P + \ldots + P$, where $n$ is an integer and $n \in Z_q^*$. There are two corresponding mathematical problems in ECC, defined as follows:
1. The elliptic curve discrete logarithm problem (ECDLP): Figure 4 demonstrates points distributed over an elliptic curve $y^2 = x^3 - x + 2$ in the finite field $F_{97}$. Select two points $Q$ and $P$ in Figure 4 that satisfy $Q = kP$, where $k$ is chosen at random between 0 and 96. Given $k$ and $P$, it is easy to compute $Q$ by scalar multiplication and the addition rules. Nevertheless, given $Q$ and $P$, it is difficult to calculate $k$.
2. The elliptic curve Diffie-Hellman problem (ECDHP): Given $aP$ and $bP$, where $a$ and $b$ are both chosen at random between 0 and $p - 1$, it is scarcely possible to find $abP$ in polynomial time.

Threat Model
The proposed authentication and key agreement protocol was formally analyzed taking advantage of the Dolev-Yao threat model [26], which assumes that two communication principals interact over an insecure and open channel. The following are the properties of this model:
1. The used one-way hash function is unbreakable.
2. In a uniform protocol, an identical format is used by each entity that wishes to communicate.
3. An adversary can eavesdrop, intercept, replay, and even modify all the transmitted messages over an open and insecure channel.

Fuzzy Extractor
Biometric features are adopted to improve security in many schemes. Due to the uniqueness of biometric features, they can be effectively applied to authentication. Compared with low-entropy passwords, biometric features also have the advantages of being difficult to forge and not being easy to lose.
The fuzzy extractor was used to process the original biometric fingerprint, which can eliminate subtle differences between biometric features extracted by the same user at different points in time. A fuzzy extractor comprises the following two procedures [27]:
1. Probabilistic generation function Gen: The original biometric fingerprint $BIO_i$ is the input of Gen, and the process outputs biometric identification key data and a public parameter, namely $Gen(BIO_i) \rightarrow (\sigma_i, \theta_i)$.
2. Deterministic reproduction procedure Rep: Using the public parameter $\theta_i$ and the fingerprint $BIO_i$ reproduces the key data $\sigma_i$, namely $Rep(BIO_i, \theta_i) \rightarrow \sigma_i$.
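
One way to realise Gen and Rep, shown as an added example that is not code from the paper: a code-offset construction over a 5-fold repetition code, followed by the HID_i and HPW_i derivation used in the user registration phase. The construction, SHA-256 as h, the bit lengths and all function names are assumptions made for illustration; the paper only cites [27] for the fuzzy extractor.

```python
import hashlib

import secrets

REP = 5                       # each key bit is repeated 5 times: corrects 2 flips per group
KEY_BITS = 16                 # toy size, far too small for real use
BIO_BITS = KEY_BITS * REP     # length of a (constructed) binary biometric template


def encode(key_bits):
    """Repetition code: every key bit becomes REP identical code bits."""
    return [bit for bit in key_bits for _ in range(REP)]


def decode(code_bits):
    """Majority vote over each group of REP bits."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]


def gen(bio):
    """Gen(BIO) -> (sigma, theta). theta is public helper data, sigma stays secret."""
    if len(bio) != BIO_BITS:
        raise ValueError("unexpected template length")
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    theta = [c ^ w for c, w in zip(encode(key), bio)]   # codeword XOR template
    sigma = hashlib.sha256(bytes(key)).digest()
    return sigma, theta


def rep(bio, theta):
    """Rep(BIO', theta) -> sigma, provided BIO' is close enough to the enrolled BIO."""
    if len(bio) != BIO_BITS or len(theta) != BIO_BITS:
        raise ValueError("unexpected template or helper length")
    # theta XOR BIO' = codeword XOR (BIO XOR BIO'): the scan noise becomes code errors.
    key = decode([t ^ w for t, w in zip(theta, bio)])
    return hashlib.sha256(bytes(key)).digest()


def registration_values(identity, password, sigma):
    """HID_i = h(ID_i || sigma_i), HPW_i = h(PW_i || sigma_i) from the registration phase."""
    return (hashlib.sha256(identity + sigma).digest(),
            hashlib.sha256(password + sigma).digest())


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (simulated scan noise)."""
    out = list(bits)
    for pos in positions:
        out[pos] ^= 1
    return out


if __name__ == "__main__":
    enrolled = [secrets.randbits(1) for _ in range(BIO_BITS)]   # constructed template
    sigma, theta = gen(enrolled)
    rescanned = flip(enrolled, [0, 1, 7, 8, 40])    # at most 2 flips in any group
    print("noisy rescan reproduces sigma:", rep(rescanned, theta) == sigma)
    print("3 flips in one group reproduce sigma:",
          rep(flip(enrolled, [0, 1, 2]), theta) == sigma)
    hid, hpw = registration_values(b"ID_i", b"PW_i", sigma)
    print("HID_i:", hid.hex()[:16], "HPW_i:", hpw.hex()[:16])
```

A repetition code keeps the example short; a deployment would use a stronger error-correcting code and account for the entropy that the public helper data θ reveals about the template.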

The Proposed Scheme
In this section, the detailed process of the proposed scheme is demonstrated. The proposed scheme consists of the following phases: initialization phase, registration phase, user login phase, authentication and key agreement phase, and user password update phase.

Initialization Phase
All the parameters that are used in the proposed protocol are listed in Table 1. During the initialization phase, SA chooses an elliptic curve $E$ over a prime finite field $F_p$, a point $P \in E(F_p)$ and a subgroup $G$ of $E(F_p)$, where $G$ is an additive cyclic group of order $q$. Then, the HGWN generates its private key and public key $\{k_h, K_h\}$, where $k_h \in Z_q^*$ and $K_h = k_h P$. In the same way, the FGWN chooses its private key and public key $\{k_f, K_f\}$, where $k_f \in Z_q^*$ and $K_f = k_f P$. Finally, the hash function $h(\cdot): \{0, 1\}^* \rightarrow \{0, 1\}^l$ is chosen to be used in the scheme, where $l$ is the output length of the hash function.
Table 1. Notations.
$k_h, K_h$: Private key and public key of HGWN
$k_f, K_f$: Private key and public key of FGWN
$\Delta T$: Acceptable maximum transmission delay
$SK$: Session key
$h()$: One-way hash function
$\oplus$: Exclusive-or operation
$\|$: Concatenation operation
$Gen()$: Fuzzy extractor probabilistic generation procedure
$Rep()$: Fuzzy extractor deterministic reproduction procedure

Registration Phase
The registration phase is divided into a user registration phase and a sensor registration phase. All the messages in this phase are transmitted via a secure channel.

User Registration Phase
The procedure is also shown in Figure 5.
Step 1: $U_i$ selects their identity $ID_i$ and password $PW_i$, and inputs biometric information $BIO_i$. The fuzzy extractor is used to compute biometric key data $\sigma_i$ and public parameter $\theta_i$, namely $Gen(BIO_i) \rightarrow (\sigma_i, \theta_i)$. $SC_i$ stores the public parameter $\theta_i$ in its memory. Then, $U_i$ computes $HID_i = h(ID_i \| \sigma_i)$ and $HPW_i = h(PW_i \| \sigma_i)$, and sends $\{HID_i, HPW_i\}$ to the nearest HGWN via a secure channel.
Step 2: Upon receiving {HID i , HPW i } from U i , the HGW N generates a random number r h and calculates Step 3:

Sensor Registration Phase
The sensor registration process is shown in Figure 6. SA assigns a unique identity to each sensor node. $SN_j$ sends its own identity $SID_j$ to the nearest HGWN via a secure channel for registration. Then, the HGWN calculates $A_{gs} = h(SID_j \| k_h)$ and stores $\{SID_j, A_{gs}\}$ in its memory. After that, the HGWN sends $A_{gs}$ to $SN_j$ via a secure channel. After receiving $A_{gs}$ from the HGWN, $SN_j$ stores $\{SID_j, A_{gs}\}$ in its own memory.

User Login Phase
$U_i$ inserts their smart card $SC_i$ into a terminal, and inputs identity $ID_i$, password $PW_i$ and biometric information $BIO_i$. Then, the terminal reproduces the biometric key data $\sigma_i$ through the fuzzy extractor, namely Subsequently, the terminal checks whether $B_i' \stackrel{?}{=} B_i$. If the equation does not hold, at least one parameter is incorrect, which leads to the login request being refused by the terminal and no subsequent authentication process being performed. Otherwise, $U_i$'s login is successful, and the terminal generates a random number $a \in Z_q^*$ and a timestamp $T_1$.

At last, the terminal computes
. This process is demonstrated in Figure 7.

Authentication and Key Agreement Phase
In this section, two cases are considered: authentication and key agreement in a home region and a foreign region, respectively.

Authentication and Key Agreement in the HGWN
When a user and the sensor that they want to access are in the same region controlled by the same HGW N, as illustrated in Figure 8, each entity will execute the following steps.
Step 1: $U_i$ sends the login request message $\{M_1, M_2, M_3, D_1, T_1\}$ to the HGWN.
Step 2: After receiving $\{M_1, M_2, M_3, D_1, T_1\}$ from $U_i$, the HGWN checks whether $|T_1' - T_1| < \Delta T$ is satisfied, where $T_1'$ is the current timestamp the HGWN acquired and $\Delta T$ is the acceptable maximum transmission delay. If the inequality is not true, namely $T_1$ is not fresh, the HGWN aborts the current session. Otherwise, the HGWN computes $D_2 = k_h D_1$ and $HID_i = M_1 \oplus h(D_2)$ to find $r_h$ stored in its own memory. Subsequently, the HGWN calculates Otherwise, the HGWN seeks $A_{gs}$ from its own memory through $SID_j$, generates a random number $r_{hg}$, a timestamp $T_2$, and calculates
Step 3: When $SN_j$ receives $\{M_4, M_5, D_1, T_2\}$ from the HGWN, $SN_j$ obtains the current timestamp $T_2'$ and verifies whether $|T_2' - T_2| < \Delta T$. If the inequality does not hold, then $SN_j$ terminates the current session. Otherwise, $SN_j$ figures out
Step 4: After getting $\{M_6, M_7, D_3, T_3\}$ from $SN_j$, the HGWN acquires the current timestamp $T_3'$ and verifies whether $|T_3' - T_3| < \Delta T$. If the verification fails, the HGWN aborts the current session. Otherwise, the HGWN calculates $D_4 = k_h D_3$, $M_6' = h(SID_j \| r_{hg} \| A_{gs} \| D_4 \| T_3)$, and checks whether $M_6' \stackrel{?}{=} M_6$. If $M_6' \neq M_6$, the HGWN aborts the current session. Otherwise, the HGWN generates a timestamp $T_4$, calculates
Step 5: Upon receiving $\{M_7, M_8, D_3, T_4\}$ from the HGWN, $U_i$ obtains the current timestamp $T_4'$ and checks whether $|T_4' - T_4| < \Delta T$. If the verification fails, the current session is rejected by and checks whether $M_8$ If not, $U_i$ declines to establish a session key with $SN_j$. Otherwise, $U_i$ and $SN_j$ share an identical session key, and the authentication process is successfully completed.

Authentication and Key Agreement in the FGWN
When a user requires access to a sensor that is in a foreign region and registered in a FGW N, this phase can be completed with the assistance of the HGW N and the FGW N, as illustrated in Figures 9 and 10.
Step 1: $U_i$ computes the login request message $\{M_1, M_2, M_3, D_1, T_1\}$ as in the User Login Phase Section and sends it to the HGWN.
Step 2: After receiving $\{M_1, M_2, M_3, D_1, T_1\}$ from $U_i$, the HGWN obtains the current timestamp $T_1'$ and verifies $T_1$'s validity, namely $|T_1' - T_1| < \Delta T$. If the verification fails, the HGWN aborts. Otherwise, the HGWN calculates Next, if $SID_j$ is not in the HGWN's database, the HGWN broadcasts the target sensor's identity $SID_j$ to the rest of the gateway nodes. If any FGWN finds $SID_j$ in its database, it responds to the HGWN and broadcasts its own public key $K_f$ in WSNs. Subsequently, the HGWN generates a random number $b \in Z_q^*$, timestamp $T_2$, and computes $D_3 = bP$,
Step 3: Upon receiving $\{M_4, D_3, T_2\}$ from the HGWN, the corresponding FGWN obtains the current timestamp $T_2'$ and verifies whether $|T_2' - T_2| < \Delta T$. If not, the FGWN terminates the current session. Otherwise, the FGWN computes Then, the FGWN transmits $\{M_5, M_6, D_5, T_3\}$ to the HGWN.
Step 4: Upon getting $\{M_5, M_6, D_5, T_3\}$ from the FGWN, the HGWN acquires the current timestamp $T_3'$ and verifies whether $|T_3' - T_3| < \Delta T$. If the verification fails, the HGWN rejects the current session. Otherwise, the HGWN figures out
Step 5: After receiving $\{M_7, M_8, T_4\}$ from the HGWN, $U_i$ gets the current timestamp $T_4'$ and checks whether $|T_4' - T_4| < \Delta T$. If not, the current session is rejected by
Step 6: After receiving $\{M_9, M_{10}, T_5\}$ from $U_i$, the FGWN obtains the current timestamp $T_5'$ and checks whether $|T_5' - T_5| < \Delta T$ is satisfied. If the check fails, the FGWN aborts the current session. Otherwise, the FGWN computes
Step 7: When $SN_j$ receives $\{M_{11}, M_{12}, T_6\}$ from the FGWN, $SN_j$ obtains the current timestamp $T_6'$ and verifies whether $|T_6' - T_6| < \Delta T$. If not, $SN_j$ aborts the current session. $= M_{14}$. If the verification fails, $U_i$ declines to establish a session key with $SN_j$. Otherwise, $U_i$ and $SN_j$ share an identical session key, and the authentication process is successfully completed.

User Password Update Phase
U i inserts their smart card SC i into the terminal, and enters identity ID i , password PW i , and biometric information BIO i . Then, the terminal reproduces the biometric key data Rep(BIO i , θ i ) → σ i and reads secret parameter C i = H ID i ⊕ r h in SC i to calculate H ID i = h(ID i ||σ i ), HPW i = h(PW i ||σ i ), and r h = H ID i ⊕ C i . Next, the terminal checks

Formal Security Proof
The security of our protocol is proved under the ROM.

Formal Security Model
The security of the presented protocol depends on the CK model [28].
Participants: In this model, the adversary A controls the communication between all participants. For the single-gateway scenario, there are three types of participants in this protocol P: the user U, the gateway HGWN, and the sensor SN. Each principal has a large number of instances, which are usually treated as the actions of specific protocols run by each principal. U i , HGWN k , and SN j represent the ith instance of U, kth instance of HGWN, and jth instance of SN in P, respectively. Moreover, I denotes any other instance.
Queries: The interaction between A and the protocol principals occurs merely through oracle queries, which simulate A 's capabilities to break P in a real attack. A is allowed to execute the following queries.
Execute(U i , HGW N k , SN j ): A uses this query to simulate a passive attack, and they can obtain the entire transcript as a result of the conversation among U, HGW N, and SN.
Send(I i , m): It models an active attack of A , who forges a message m and sends it to instance I i . Subsequently, I i returns the processing outcomes of the message m to A according to P. If the message m is invalid, the query is ignored.
SKReveal(I i ): This query simulates that A can obtain session key SK of any completed session.
SSReveal(I i ): This query can be asked of an incomplete session and receives the internal state in return.
Corrupt(I i ): This query can help A obtain the private key of I i , which is usually used to simulate the forward secrecy of protocols. A can obtain the private key of U, HGW N, and SN.
Test(I i ): A asks this query to a fresh instance. Then, A can continue to ask other queries, as long as the tested session remains fresh. In other words, if I i has been asked SSReveal(I i ), SKReveal(I i ), or Corrupt(I i ), both I i and its partner cannot be asked by a Test query.
The Test(I i ) query is used to evaluate the semantic security of a session key. Only one test query is allowed to be executed during the whole game. To answer the test query, we imagine a challenger who flips a coin to define a bit $b$. If there is no session key established for instance I i , then ⊥ is returned. If the query has already been asked, then it outputs the same answer as above. Otherwise, if $b = 1$, I i returns the real session key. If $b = 0$, I i returns an entirely random string of the same length as the session key. The final output of Test(I i ) is a bit $b'$, which is the guessed value of $b$. The adversary wins this game if and only if $b' = b$.

Security Proof
Suppose A is the adversary who can break protocol P in polynomial time. q hash and q send refer to the number of hash query oracles and send query oracles, respectively. Adv ECDHP P (t) represents the advantage of an adversary who can resolve the intractable ECDHP in polynomial time. Now, the advantage of A that breaks the semantic security of our authentication and key agreement (AKA) protocol is defined: Proof. Game i (i = 0, 1, 2, 3, 4) is used to perform the whole procedure of P. The event WG i signifies that A guesses the bit b correctly to win the game.

Game 0: In the random oracle model, the real attack on P is modeled, and the following formula can be obtained:
Game 1: A carries out Execute queries to model an eavesdropping attack. Even if we take Execute queries into consideration, the probability of an adversary who can win the game has not increased.
Game 2: Hash oracles are added to the foundation of Game 1 by Game 2. This game models the active attack, and A attempts to trick a legitimate principal into accepting the modified message. When the collision happens between the constructed information and the real authentication information, A gets the secret information and wins the game. According to the birthday paradox, the maximum probability of the hash oracle collision is $q_{hash}^2 / 2^{l+1}$, and we have:
Game 3: Send queries are added. This game models the active attack, and A attempts to trick a legitimate principal into accepting the modified message. Therefore, we have:
A executes Corrupt(I i ) to obtain the private key of this entity, where I is equal to U, HGWN, and SN successively, and thus A can obtain all the private keys. SKReveal(I i ) can be executed in this game. It will answer an SK if the target instance has formed an SK. A executes SSReveal(I i ) to get the internal state of an incomplete session. In order to compute the session key, A has to resolve the intractable ECDHP to get $a$ or $b$ from $D_1 = aP$ or $D_3 = bP$. Let $Adv_P^{ECDHP}(t)$ be the advantage of A, who can resolve the ECDHP in polynomial time. As a result, we get:
At the end of Game 4, all the queries are simulated, so what A can do is to guess the bit $b$ to win the game after performing the Test query. Now, we have the following:
According to Equations (2)-(7), we can obtain Equation (1). It indicates that the adversary has negligible advantage in winning the game. Therefore, our protocol is secure under the random oracle model.

Formal Verification Using Scyther
Scyther is a tool for the formal analysis of security protocols under the perfect cryptography assumption, in which it is assumed that all cryptographic functions are perfect. In this section, we formally analyze the security of the proposed protocol based on Scyther in the HGW N and FGW N. The results in Figures 11 and 12 illustrate that the scheme is correct and secure against many adversary models under the Scyther security checks.

Mutual Authentication
In the home region, the HGW N authenticates U i by relying on M 3 = h(H ID i ||A h ||D 2 || M 1 ||M 2 ||T 1 ), where D 2 is possessed by U i and can be recovered by the HGW N from D 1 and its private key k h . U i authenticates the HGW N using A h contained in M 8 = h(H ID i ||A h ||D 1 ||D 3 ||M 7 ||T 4 ), which can only be calculated by U i and HGW N. Any other principals cannot obtain A h . The HGW N verifies SN j dependent on M 6 = h(SID j ||r hg ||A gs || D 4 ||T 3 ), where D 4 is possessed by SN j and can be recovered by the HGW N from D 3 and k h . SN j verifies the HGW N using A gs contained in M 5 = h(SID j ||r hg ||A gs ||D 1 ||T 2 ), which can be calculated by the HGW N and stored in SN j 's memory. U i can verify the legitimacy of SK using M 7 .
In the foreign region, there is a similar process as above. The HGW N authenticates U i by relying on the secret parameter D 2 only shared by both parties. U i authenticates the HGW N using A h contained in The FGW N and HGW N implement mutual authentication using (b + k h )K f and (c + k f )K h , respectively, which are both the secret parameters and can only be computed by themselves and verified by the other party. The FGW N authenticates U i dependent on where D 2 f is possessed by U i and can be retrieved by the FGW N from D 1 and its private key k f . U i authenticates the FGW N by relying on A f contained in M 15 = h(H ID i ||A f ||D 1 ||D 7 ||M 14 ||T 8 ), which can be calculated by the FGW N and retrieved by U i . SN j verifies the FGW N using A f s contained in M 12 = h(SID j ||r f g ||A f s ||D 1 ||T 6 ), which can be only calculated by the FGW N using k f and stored in SN j 's memory. The FGW N verifies SN j dependent on M 13 = h(SID j ||r f g ||A f s ||D 8 ||T 7 ), where D 8 is possessed by SN j and can be retrieved by the FGW N from D 7 and k f . U i can verify the legitimacy of SK using M 14 .

Session Key Agreement
is established between U i and SN j in the home region. Similarly, in the foreign region, U i and SN j share a common session key SK = h(D 7 ||dD 1 ) = h(D 7 ||aD 7 ) = h(dP||adP). The established SK can be used for subsequent communication between U i and SN j .

Forward and Backward Secrecy
Forward secrecy is used to guarantee that previously established session keys remain secure in the event that the long-term private keys are compromised. Identically, backward secrecy affords the guarantee that a session key that will be established in the future remains secure even if the long-term private keys are compromised.
The proposed protocol uses the ECDHP to achieve forward and backward secrecy. In the home region, U i and SN j share a common session key SK = h(aP||bP||abP), which is related to the random numbers a and b generated by U i and SN j , respectively. In the foreign region, U i and SN j share a common session key SK = h(dP||adP), which is related to the random numbers a and d generated by U i and SN j , respectively. If all the long-term private keys of U i , HGW N, FGW N, and SN j are compromised by an adversary, since the adversary has to resolve the intractable ECDHP to get abP or adP from aP, bP, or aP, dP, respectively, the previous or future session key is still secure. Consequently, forward and backward secrecy can be guaranteed.
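
The ECDLP and ECDHP definitions from the Elliptic Curve Cryptography section and the home-region session key SK = h(aP||bP||abP) above, worked through on the toy curve y^2 = x^3 - x + 2 over F_97. This is an added example, not code from the paper; SHA-256 as h, the point encoding, the choice of base point and all function names are assumptions, and the user-side masking M_1 = HID_i ⊕ h(a·K_h) is inferred from the gateway-side equation HID_i = M_1 ⊕ h(D_2).

```python
import hashlib
import secrets

# Toy curve from the ECDLP passage: y^2 = x^3 - x + 2 over F_97 (insecure by design).
P_MOD, A, B = 97, -1, 2
INF = None  # the point O at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Group law on E(F_97)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P) = O; also covers doubling a point with y = 0
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add: O(log k) group operations."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def point_order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n


# Assumption: a point of maximal order plays the role of the generator P (named G here).
G = max(((x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))),
        key=point_order)
N = point_order(G)


def brute_force_log(q):
    """ECDLP by exhaustive search: O(N) group operations. Feasible only because N
    is tiny here (at most 117 by Hasse's bound); deployed curves have N near 2**256."""
    acc = INF
    for k in range(N):
        if acc == q:
            return k
        acc = add(acc, G)
    return None


def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def enc(pt):
    return b"\xff\xff" if pt is INF else bytes(pt)  # both coordinates are < 97


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def run_home_region(hid):
    """Returns (HID_i recovered by the gateway, SK at the user, SK at the sensor)."""
    k_h = secrets.randbelow(N - 1) + 1          # gateway long-term private key
    K_h = mul(k_h, G)
    a = secrets.randbelow(N - 1) + 1            # user's per-session secret
    b = secrets.randbelow(N - 1) + 1            # sensor's per-session secret
    D1, D3 = mul(a, G), mul(b, G)               # aP and bP travel in the clear
    M1 = xor(hid, h(enc(mul(a, K_h))))          # user masks HID_i with h(D2), D2 = a*K_h
    recovered = xor(M1, h(enc(mul(k_h, D1))))   # gateway: D2 = k_h*D1
    # k_h is not an input to SK, so leaking it later does not expose past keys;
    # an attacker still needs abP from (aP, bP), which is the ECDHP.
    sk_user = h(enc(D1), enc(D3), enc(mul(a, D3)))
    sk_sensor = h(enc(D1), enc(D3), enc(mul(b, D1)))
    return recovered, sk_user, sk_sensor


if __name__ == "__main__":
    k = secrets.randbelow(N - 1) + 1
    print("base point", G, "order", N, "k recovered:", brute_force_log(mul(k, G)) == k)
    rec, sk_u, sk_s = run_home_region(h(b"ID_i", b"sigma_i"))
    print("HID_i recovered:", rec == h(b"ID_i", b"sigma_i"), "SK match:", sk_u == sk_s)
```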

User Anonymity and Untraceability
In the proposed protocol, the real identity ID i cannot be acquired by the adversary from the interaction messages. In the home region, there is only the legitimate gateway node who, in possession of private key k h , can calculate D 2 to recover U i 's pseudonym H ID i and sensor's identity SID j . Simultaneously, considering the one-way nature of the hash function, it is difficult for the adversary to acquire H ID i from M 3 , M 8 and SID j from M 5 , M 6 , respectively. In the foreign region, the adversary without gateway node's private key cannot compute D 2 to recover H ID i . Likewise, considering the one-way nature of hash function, the adversary is unable to get H ID i from M 3 , M 8 , M 10 , M 15 . As a result, user anonymity can be achieved. In addition, because of the login request message being updated at each session round, the adversary is unable to trace a specific user. Therefore, the user's untraceability is guaranteed.

Illegal Login Detection
A user needs to input their identity, password, and biometric information to complete login, and if the terminal declines this session, at least one of these three items is incorrect. In our protocol, when the incoming information is invalid, the identification parameter B i cannot be recovered correctly, which leads to the login request being aborted by the terminal. This mechanism guarantees the system can check illegal login requests quickly.

Stolen Smart Card Attack
The secret parameters and θ i is generated by Gen(BIO i ). If U i 's smart card is lost and obtained by the adversary, then the adversary can get {A i , B i , C i , θ i }, but they are still unable to acquire the correct identity, password, and biometric key data. The adversary cannot compute a correct H ID i through C i without r h . The biometric key data σ i also cannot be recovered correctly without a real BIO i . Furthermore, even in this case, there is no chance for an adversary to get the password. As a result, the login request message M 1 , M 2 , M 3 cannot be figured out without the correct H ID i . Our protocol can be resistant to stolen smart card attack.

Replay Attack
The timestamp mechanism is used to guarantee the freshness of transmitted messages in our scheme. When the message is exchanged, the node first checks whether the time difference between the received timestamp and its own timestamp is within the acceptable maximum delay allowed by the system. Expired messages will be rejected. As a result, the protocol is capable of defending against replay attack.

Privileged Insider Attack
During the registration phase, the user transmits {HID i , HPW i } to the HGWN via a secure channel. Assume that an internal malicious privileged node executes a privileged insider attack in order to get the user's password PW i after getting {HID i , HPW i }. However, the obtained values are hash values consisting of the password and biometric key data. Considering the one-way nature of the hash function, it is intractable for the privileged node to extract PW i from HPW i . Therefore, our protocol can resist a privileged insider attack.

Desynchronization Attack
In the proposed protocol, the user does not store the same secret values as the gateway node. No participant in the protocol is required to update any information when a session is completed. Accordingly, the protocol can resist a desynchronization attack.

Impersonation Attack
In our protocol, in order to forge a user, a valid login request {M 1 , M 2 , M 3 , D 1 , T 1 } is necessary. Nevertheless, the adversary has no capacity to compute the true M 1 , M 2 , M 3 , D 1 without the correct HID i , SID j , A h , D 2 . As a result, the adversary fails to impersonate a legitimate user.
In addition, when a fake gateway node receives the correct login request, it cannot retrieve the true D 2 without the real private key. Therefore, the adversary is also unable to impersonate a legitimate gateway node. Moreover, if the adversary wants to forge a sensor node, they need to recover r hg and generate M 5 , M 6 , which all depend on A gs , a value that is computed only by the HGW N and stored in the sensor's memory. Consequently, this scheme is protected against a sensor impersonation attack.

Performance and Security Comparison
In order to illustrate the balance between the security and usability of our protocol, the results of comparing the security and overhead of our scheme with other associated schemes are as follows, where Case-1 and Case-2 represent the protocol designed in the home region and the foreign region, respectively. According to [17,29–31], all operations were implemented in MATLAB on a four-core, 3.2 GHz computer with 8 GB of memory.

Security Features Comparison
The security attributes that each scheme can satisfy are summarized in Table 2, where represents that the scheme satisfies the corresponding security attribute, whereas × represents that it does not. All the indicators listed in Table 2 were achieved by our scheme. Moreover, none of the schemes in the literature [13,17–20] has the capability to achieve forward and backward secrecy. However, the implementation of ECC in our scheme enables it to accomplish forward and backward secrecy.

Communication Cost Comparison
In order to calculate the communication cost, we assumed that the identity, random number, hash digest, ECC point, and timestamp were 160 bits, 160 bits, 160 bits, 320 bits, and 32 bits, respectively. Additionally, the symmetric encryption/decryption using AES-128 required 128 bits for a 128-bit plaintext block. We evaluated the communication overhead of our protocol and other relevant protocols [13,17–20] during the login and authentication phases according to the overall quantity of transmitted messages. Table 3 shows the comparison results. The scheme in [19] transmitted the same number of messages as ours at a similar communication cost, but our scheme met more security attributes. To allow comparison with previous protocols [13,17–20], we chose SHA-1 [32] as the hash function. However, to achieve more security, we recommend using SHA-256 [32] as the hash function.
Table 4 lists the approximate required computational time of various cryptographic operations, which were used as a comparative standard. Table 5 compares the computational overhead of our scheme and other relevant schemes during the login, authentication, and key agreement phases. The total cost of the proposed scheme increased slightly. Nevertheless, most of the cost was incurred on the gateway side, which has strong computational power, rather than on the resource-limited sensor side. Accordingly, taking both security and communication cost into account, our protocol was relatively secure with an acceptable overhead.

Conclusions
In this paper, we designed an authentication protocol based on ECC using three factors, applied to the IIoT environment. The proposed scheme was appropriate for single-gateway scenarios, and we also extended it to multigateway scenarios. Furthermore, forward and backward secrecy was realized in our scheme utilizing the intractable ECDHP. The formal security analysis under the ROM indicated that the proposed protocol was able to satisfy semantic security. We simulated our scheme using the formal verification tool Scyther, and the result showed that our scheme was secure. The informal security analysis proved our protocol was capable of satisfying most common security properties. Finally, compared with other representative protocols, the comparative results of security attributes, communication, and computation cost in Tables 2, 3 and 5 clearly showed that our protocols could achieve many security attributes at a reasonable computation cost.