A Secure, Lightweight, and Anonymous User Authentication Protocol for IoT Environments

: The Internet of Things (IoT) is being applied to various environments such as telecare systems, smart homes, and intelligent transportation systems. The information generated from IoT devices is stored at remote servers, and external users authenticate to the server for requesting access to the stored data. In IoT environments, the authentication process is required to be conducted efﬁciently, and should be secure against various attacks and ensure user anonymity and untraceability to ensure sustainability of the network. However, many existing protocols proposed in IoT environments do not meet these requirements. Recently, Rajaram et al. proposed a paring-based user authentication scheme. We found that the Rajaram et al. scheme is vulnerable to various attacks such as ofﬂine password guessing, impersonation, privileged insider, and known session-speciﬁc temporary information attacks. Additionally, as their scheme uses bilinear pairing, it requires high computation and communication costs. In this study, we propose a novel authentication scheme that resolves these security problems. The proposed scheme uses only hash and exclusive-or operations to be applicable in IoT environments. We analyze the proposed protocol using informal analysis and formal analysis methods such as the BAN logic, real-or-random (ROR) model, and the AVISPA simulation, and we show that the proposed protocol has better security and performance compared with existing authentication protocols. Consequently, the proposed protocol is sustainable and suitable for real IoT environments.


Introduction
The Internet of Things (IoT) has become an essential technology in business and industry that is being applied to various environments [1][2][3][4][5][6][7][8] including telecare systems, smart grids, intelligent transportation systems, and global roaming systems to make human lives more prosperous. For example, in IoT-based telecare environments (see Figure 1), medical devices and sensors check the patient's pulse, blood pressure, and body temperature in real time, and transmit the information to a remote server. Thereafter, users such as doctors and researchers authenticate the server using mobile devices (i.e., smart phones) and access the information for diagnosis or research. IoT-based telecare systems can provide convenience to patients and contribute to the progress of healthcare. In addition, the IoT can be applied to other environments for increasing business productivity and industrial efficiency.
However, despite these advantages, several challenges must be addressed. Communications in IoT environments are performed on wireless channels, which are prone to attacks by adversaries. They can obtain transmitted messages and can attempt various attacks including replay, man-in-the-middle, and impersonation attacks [9][10][11] and also attempt to trace a user to obtain sensitive information. Additionally, to ensure real-time

Motivation
In IoT environments, each message is transmitted through public channels. The messages can contain personal sensitive information, and if the information is leaked to an adversary, it can cause serious privacy threats. Additionally, IoT devices have limited computing resources, a high amount of computation cost can cause delays. Therefore, a secure and efficient authentication protocol is essential for sustainable IoT environments. In 2019, Rajaram et al. proposed a pairing-based user authentication scheme. However, Rajaram et al. scheme does not have resistance to off-line guessing, impersonation, privileged insider, and known session-specific temporary information attacks. In addition to Rajaram et al. scheme, we note the limitations and weaknesses of existing researches (see Section 2). Several schemes used elliptic curve multiplication and bilinear pairing which require a high amount of computation, making it unsuitable for IoT environments. Additionally, most schemes do not have resistance to various attacks including impersonation, off-line guessing, and privileged insider attacks, and cannot guarantee security features such as mutual authentication, user anonymity, and user untraceability. Because of these weaknesses, existing schemes are not sustainable in IoT environments, and it motivated us to design a new authentication protocol that overcomes the drawbacks of existing researches and ensures both security and efficiency.

Main Contributions
The main contributions of this paper are as follows. • We analyze that Rajaram et al. scheme [15] is vulnerable to offline password guessing, impersonation, privileged insider, and known session-specific temporary information attacks, and does not provide user anonymity and untraceability. • We propose a secure, lightweight, and anonymous authentication protocol, which uses only hash and exclusive-or operations, making it suitable for IoT environments.
• We provide informal analyses of the proposed protocol and perform a security analysis under the real-or-random (RoR) model to prove the session key security. • We prove correctness of the proposed protocol using the BAN logic, and show that the proposed protocol is secure against replay and MiTM attacks using automated validation of internet security protocols and application (AVISPA) simulation tool. • We provide comparison results between the proposed protocol with existing protocols proposed in IoT environments. It shows that our protocol has lower computation and communication costs than the existing protocols, and that the proposed protocol is more suitable to real IoT environments.

Related Works
Over the past few years, many authentication protocols have been proposed for IoT environments. In 2018, Chen et al. [16] proposed a lightweight and anonymous authentication scheme for IoT environments. They used ECC for authentication and analyzed the scheme using the BAN logic. They also simulated computation and communication costs using C++. Dhillon and Kalra [17] proposed a three-factor user authentication scheme for IoT-based healthcare systems. They handled authentication between medical professionals and a cloud server. Thakare and Kim [18] indicated security and efficiency of the existing protocols and proposed an ECC-based authentication scheme for IoT environments. They formally analyzed the scheme using both AVISPA and ProVerif tools to prove security and correctness. However, these schemes [16][17][18] suffer from high computation cost, as they used an elliptic curve cryptosystem.
Some studies proposed lightweight authentication protocols using only hash and exclusive-or operations. In 2014, Kumari et al. [19] proposed a two-factor remote user authentication scheme for distributed systems. They claimed that their scheme has various security characteristics including resistance to smart card stolen attack and user impersonation attack. However, Kaul and Awasthi [20] indicated that the Kumari et al. scheme is vulnerable to smart card loss attacks. They proposed an enhanced authentication protocol and formally analyzed it using the AVISPA simulation tool. Kang et al. [21] showed that Kaul and Awasthi's scheme cannot guarantee user anonymity, and is not secure against offline password guessing and desynchronization attacks. They proposed a biometric-based key agreement scheme. However, they does not consider known session-specific temporary information attacks. Rana et al. [22] also asserted that Kaul and Awasthi's scheme cannot resist user impersonation attacks using a stolen smart card, and proposed a lightweight authentication scheme, which is suitable for IoT infrastructures. However, their scheme does not consider known session-specific temporary information attacks and cannot ensure user untraceability.
In 2019, Rajaram et al. [15] proposed a bilinear pairing based user authentication scheme. They claimed that their scheme is secure against off-line guessing, privileged insider, and impersonation attacks and can ensure mutual authentication. However, we observe that Rajaram et al. scheme cannot defend against mentioned attacks, and is vulnerable to known session-specific temporary information attack and suffers from lack of user anonymity. Their scheme also requires high computation cost as it uses bilinear pairing operation. In this paper, we propose a secure, lightweight, and anonymous user authentication scheme that resolves the above mentioned issues and is suitable for IoT environments.

Review of Rajaram et al.'s Scheme
Rajaram et al.'s scheme consists of initialization, user registration, user login, user authentication, and password update phase. Table 1 represents the notations of Rajaram et al.'s scheme and the detailed description of each phase is as follows. Cryptographic hash function e : Bilinear mapping sK Secret key of RS P pub = sK · RP Public key of RS y 1 , y 2 Session random numbers ssK Session key between U x and RS * Multiplication operation

Initialization Phase
RS generates a large prime number q, chooses an additive cyclic group G 1 and a multiplicative cyclic group G 2 with order q, and selects a cryptographic hash function h f 1 : {0, 1} * → Z q . Thereafter, RS chooses a generator RP ∈ G 1 and calculates e(RP, RP) = α, and selects a secret key sK and the public key of RS is P pub = sK · RP. RS keeps sK securely and publishes (q, G 1 , G 2 , RP, α, h(·), P pub ).

User Registration Phase
U x registers to RS using ID x and PW x . Firstly, U x chooses a y ∈ Z q and computes PWD x = h f 1 (PW x ||y). Thereafter, U x sends (ID x , PWD x ) to RS. After RS receives the message, RS computes R x = h f 1 (sK, ID x ) ⊕ PWD x and REG ID x = h f 1 (sK, ID x ) · PWD x · RP. After that, RS stores (R x , REG ID x , h f 1 (·), RP, P pub ) in SC x . Thereafter, RS issues SC x to U x , and U x stores y in SC x . Subsequently, (R x , REG ID x , h f 1 (·), RP, P pub , y) is stored in SC x . The registration phase is performed via a secure channel. Figure 2 shows the registration phase of Rajaram et al. scheme.

User Login Phase
A registered U x can be offered services form RS by inserting SC X to the card reader. After and REG ID * x = L 0 · PWD * x · RP. Thereafter, SC x checks whether REG * ID x ? = REG ID x . If they are equal, SC x chooses y 1 and computes L 1 = h f 1 (y 1 ||T 1 ), L 2 = h f 1 (PWD x ||L 1 ), L 3 = (L 0 + L 2 ) · P pub , and L 4 = L 1 ⊕ PWD * x . T 1 is a current timestamp. Thereafter, U x sends (ID x , R x , L 3 , L 4 , T 1 ) to RS through a wireless channel. Figure 3 shows the login phase of Rajaram et al. scheme.

User Authentication Phase
After receiving the message from U x , RS verifies the validity of ID x and checks whether |T 1 − T * 1 | ≤ ∆T?, where T * 1 is a timestamp when RS received the message and ∆T is a tolerance. Thereafter, Figure 4 shows the authentication phase of Rajaram et al. scheme.

Password Change Phase
The password change phase of the Rajaram et al. scheme can be conducted through a new registration (see Section 3.2) or during the authentication phase (see Sections 3.3 and 3.4).

U X RS
checks format of ID x and T 1 computes

Cryptanalysis of the Rajaram et al. Scheme
Rajaram et al. asserted that their scheme has resistance to impersonation and privileged insider attacks. However, we observed that their scheme cannot prevent impersonation and privileged insider attacks. We also analyzed the Rajaram et al. scheme with the CK model and found that it is vulnerable to known session-specific temporary information attacks.

Adversary Model
To analyze the security of the proposed protocol, we adopt the Dolev-Yao (DY) adversary model [23]. The DY model is an widely-accepted adversary model, which is applied to various authentication protocols [24][25][26][27]. An adversary A has the following assumptions in the DY model.

•
A has full control over transmitted messages on wireless channels. A can eavesdrop, delete, inject, and modify messages. • A can steal a smart card of a legitimate user and can extract the stored value using power analysis [28,29]. • A can use the values obtained from the previous assumptions to attempt active attacks such as off-line guessing, impersonation, and session key disclosure.
We also apply the Canetti and Krawczyk (CK) adversary model [30] to further analyze the proposed protocol. The CK model has a stronger assumption compared to the DY model, and is also widely used in the analysis of an authentication protocol [31][32][33]. In the CK model, A can compromise session states and hijack random values generated in each session.

Off-Line Password Guessing Attack
By the assumptions of Section 4.1, an adversary A can obtain (R x , REG ID x , RP, P pub , y) stored in SC x and the transmitted message (ID x , R x , L 3 , L 4 , T 1 ) through an open channel. Thereafter, A can attempt off-line password guessing attack as follows. • A guesses password PW A x from a password dictionary, and then computes If it satisfies, A succeeds in guessing the correct password. If not, A performs the process again from the beginning.

Impersonation Attack
Using the guessed password as described in Section 4.2, A can impersonate as U x .
After RS receives the message, RS regards the message as sent by U X , and sends a response message.
A succeeds in impersonating as U X . Therefore, Rajaram et al.'s scheme cannot defend against the impersonation attack.

Privileged Insider Attack
If A is an privileged insider, A can obtain the registration request message (ID x , PWD x ) of U x and can attempt to discover the session key using the information. To calculate ssK, A can use R x , L 3 , L 4 , and y 3 , which are obtained from open channels. A computes , and therefore, Rajaram et al.'s scheme cannot resist a privileged insider attack.

Known Session-Specific Temporary Information Attack
Under the CK model, A can comprise a session and obtain session random numbers y 1 and y 2 . Then, A can disclose the session key ssK using the random numbers. A can obtain the messages (ID x , R x , L 3 , L 4 , T 1 ) and (A 3 , y 3 , T 2 ), which are transmitted during the authentication phase. Thereafter, A can compute and L 2 , and obtain ssK = h f 1 (A 2 , L 1 , A 1 , L 2 ). Therefore, Rajaram et al. scheme is vulnerable to known session-specific temporary information attacks.

User Anonymity and Untraceability
In Rajaram et al.'s scheme, user identity ID x is transmitted on a wireless channel without being masked and encrypted. Therefore, A can obtain ID x from transmitted messages to trace U x . Rajaram et al.'s scheme cannot support privacy-preservation and can raise serious security issues in several IoT environments, such as healthcare systems and smart home.

Proposed Scheme
The proposed scheme includes an initialization, user registration, user login, user authentication, and password update phase. Table 2 describes the notations of the proposed scheme.

Notation Description
U X User/client X ID X , PW X Identity and password of U X SC X Smart card of U X TID X Temporary identity of U X PID X Secret temporary identity of U X RS The remote server Session random numbers s Secret key of RS SK Session key between RS and U X

Initialization
RS chooses a large prime q, generates a secret key s ∈ Z * q , and selects a cryptographic hash function h(·) : 0, 1 * → Z q . RS publishes (q, h(·)) and keeps s securely.

User Registration Phase
Before the authentication, U X registers to RS. U X chooses ID X and PW X , and generates r ∈ Z * q . U X computes PWD X = h(PW X ||r), and then sends (ID X , PWD X ) to RS. RS checks whether ID X is already registered after receiving the message. If not, RS chooses t ∈ Z * q , and computes TID X = h(ID X ||t) and PID X = h(TID X ||s). Thereafter, RS stores (TID X , h(ID X ||PWD X )) in secure memory. RS generates a fuzzy extractor l ∈ [2 4 , 2 8 ] and stores (TID X , PID X , h(·), l) in smart card SC X . RS transmits SC X to U X . Subsequently, U X computes A X = r ⊕ h(ID X ||PW X ), B X = TID X ⊕ h(ID X ||PW X ||r), C X = PID X ⊕ h(TID X ||r), and Auth X = h(TID X ||PID X ) mod l. U X replaces PID X to (A X , B X , C X , Auth X ) in SC X . The proposed user registration phase is shown in Figure 5.
replaces PID X to (A X , B X , C X , Auth X ) in SC X Figure 5. Proposed registration phase.

User Login Phase
U X inputs ID X and PW X in SC X . Thereafter, SC X computes r = A X ⊕ h(ID X ||PW X ), TID X = B X ⊕ h(ID X ||PW X ||r ), and PID X = C X ⊕ h(TID X ||r ), and checks Auth X ? = h(TID X ||PID X ) mod l. If they are equal, SC X generates a X ∈ Z * q and current timestamp T 1 , and computes M 1 = h(PID X ||h(ID X ||PWD X )) ⊕ a X and M 2 = h(TID X ||PID X ||a X ||T 1 ). Thereafter, SC X sends (TID X , M 1 , M 2 , T 1 ) to RS. The proposed login phase is shown in Figure 6.

User Authentication Phase
After RS receives the authentication request message, RS checks whether |T 1 − T * 1 | ≤ ∆T?. Subsequently, RS retrieves h(ID X ||PWD X ) using TID X , computes PID X = h(TID X ||s) and a X = h(PID X ||h(ID X ||PWD X )) ⊕ M 1 , and checks M 2 ? = h(TID X ||PID X ||a X ||T 1 ). If it is valid, RS generates b X ∈ Z * q and current timestamp T 2 . Thereafter, RS generates TID new , where TID new X and PID new X are updated temporary identity and secret identity of U X , respectively. RS sends (M 3 , M 4 , M 5 , T 2 ) to U X . After reception of the message, U X checks whether X ||h(ID X ||PWD X )||b X ), and SK = h(PID X ||a X ||b X ), and checks whether M 5 = h(SK||PID new X ||T 2 ). If they are equal, the session key is established. Thereafter, U X computes B new = TID new ⊕ h(ID X ||PW X ||r), C new = PID new ⊕ h(TID new ||r), and Auth new = h(TID new ||PID new ) mod l. Subsequently, U X updates (B X , C X , Auth X ) to (B new , C new , Auth new ) in SC X . The proposed mutual authentication phase is shown in Figure 7.

Password Change Phase
After the authentication phase, U X generates a new password PW new X and a random number r new , computes PWD new X = h(PW new X ||r new ), and sends a password change request message to RS including (ID X , PWD new X ). Thereafter, RS updates h(ID X ||PWD X ) to h(ID X ||PWD new X ) and the password update is completed.

Security Analysis
We analyze the security of the proposed protocol using informal analysis and formal analysis such as the BAN logic, RoR model, and AVISPA.

Informal Analysis
We informally describe that the proposed protocol is secure against the following attacks.

Replay and MITM Attacks
In the proposed protocol, each message transmitted during the authentication contains a timestamp and random number. Timestamps T 1 and T 2 , and random numbers a x and b x are included in message hash values M 2 and M 5 . An adversary cannot forge these message hash values, and therefore, the proposed protocol is secure against replay and MITM attacks.

Off-Line Guessing Attack
By assumption of the adversary model, an adversary A can attempt off-line guessing attack using transmitted messages (TID X , M 1 , M 2 , T 1 ) and (M 3 , M 4 , M 5 , T 2 ), and the extracted values (A X , B X , C X , Auth X , h(.), l) from SC X . Using a password dictionary, A can guess PW * X and calculate r and PID * X = C X ⊕ h(TID * X ||r), and can check whether Auth X ? = h(TID * X ||PID * X ) mod l. However, A cannot know that the guessed PW * x is legitimate because Auth X is masked using fuzzy verifier l. The probability that PW * x is a legitimate password is 2 8 |hash| ≈ 1 10 15 , which is negligible.

Impersonation Attack
A can attempt to impersonate as U x and send the authentication request message to RS. A can obtain TID X from the transmitted message. However, referring to Section 6.1.2, A cannot generate a valid authentication request message because A cannot guess the correct PW X in polynomial time and A cannot calculate the valid M 1 and M 2 . Therefore, the proposed protocol can defend against the impersonation attack.

Session Key Disclosure Attack
A can directly attempt to compute SK using transmitted messages and extracted values of SC x . A has to obtain PID x , a x , and b x to calculate SK = h(PID x ||a x ||b x ). However, A cannot acquire any of these values because they are masked using s, ID X , and PWD X , which are secret values. The proposed protocol has resistance to session key disclosure attacks.

Perfect Forward Secrecy
If the long-term secret key s is compromised to A, then A can compute PID X = h(TID X ||s), where TID X is obtained from a public channel. However, RS cannot calculate a X and b X without obtaining h(ID X ||PWD X ), which is stored in the secure memory of RS. Therefore, A cannot calculate SK and the proposed protocol supports perfect forward secrecy. 6.1.6. Privileged Insider Attack As we described in Section 4.4, A can obtain the message transmitted during the registration phase, and can use it to calculate SK. A can calculate h(ID X ||PWD X ) using (ID X , PWD X ), and can obtain messages transmitted on public channels. In this scenario, A still cannot calculate the session key without knowing PID X , which is masked with secret key s. A also cannot calculate a X and b X . Therefore, the proposed protocol is secure against privileged insider attacks.

Stolen Verifier Attack
When the verification table stored in RS can be compromised, then A can obtain the list of h(ID||PWD). A can retrieve the corresponding h(ID X ||PWD X ) from TID X . However, A cannot calculate PID X or obtain a x and b x , which are necessary to compute SK. The proposed protocol has resistance to stolen verifier attacks.

Known Session-Specific Temporary Information Attack
A can hijack the session and obtain random numbers a x and b x , which are generated during the authentication. A cannot calculate PID X without knowing RS's secret key s. Additionally, A cannot gain any information for a future authentication request message of U X . Even if session random numbers are leaked to A, the proposed protocol is secure.

User Anonymity and Untraceability
In the proposed protocol, ID X is not transmitted in public channels. Instead, U X uses temporal identity TID X for authentication. TID X is updated to TID new X in every session, and TID new X is veiled until U X request a new authentication to RS. Therefore, user anonymity is ensured in the proposed protocol. Additionally, A cannot find the connection between TID X and TID new X to trace U X .

Formal Analysis Using the Ban Logic
The BAN logic [34] is a widely-accepted [35][36][37] analysis method to verify the correctness of an authentication protocol. The BAN logic is simple but robust validation logic to prove the mutual authentication of an authentication protocol. In the BAN logic analysis, we set the idealized form of the transmitted messages and assumptions of the BAN logic proof. Thereafter, we perform the proof based on the BAN logic rules. We have presented notations of the BAN logic in Table 3, then describe the assumptions and idealized forms, and conduct the BAN logic proof in turn.
← → π 2 π 1 and π 2 have shared key K SK The session key

BAN Logic Rules
The basic rules of the BAN logic are as followings: 1. Message meaning rule (MMR): Nonce verification rule (NVR): 3. Jurisdiction rule (JR):

Goals
The goals are to show that U X and RS believe that they agreed on the same session key.

Idealized Forms
The idealized forms of the messages exchanged during the authentication can be described as follows.

Assumptions
The basic assumptions for the BAN logic proof are as follows:

Ban Logic Proof
We perform the BAN logic proof of the proposed protocol as below: Step 1: RS receives Msg 1 .
S 1 : RS (TID X , a X , T 1 ) PID X Step 2: Applying S 1 and A 6 to the MMR, we can obtain S 2 .
Step 3: Applying S 2 and A 1 to the FR, we can obtain S 3 .
Step 4: Applying S 2 and S 3 to the NVR, we can obtain S 4 .
S 4 : RS| ≡ U X | ≡ (TID X , a X , T 1 ) Step 5: We can obtain S 5 applying S 4 to the BR.
Step 7: Applying S 6 and A 5 to the MMR, we can obtain S 7 .
Step 8: Applying S 7 and A 2 to the FR, we can obtain S 8 .
Step 9: Applying S 7 and S 8 to the NVR, we can obtain S 9 .
Step 10: We can obtain S 10 applying S 9 to the BR.
Step 11: From S 5 and S 10 , RS and U X can compute session key SK = h(PID X ||a X ||b X ).
Step 12: The JR can be applied to S 11 and S 12 using A 3 and A 4 , respectively.
Finally, the user and server are mutually authenticated each other.

Formal Analysis Using the Ror Model
The RoR model [38] is a formal analysis method of an authentication protocol [39][40][41][42]. The RoR model is used to verify the semantic security of session key SK of an authentication protocol probabilistically. Under the RoR model, an adversary A can attempt passive and active attacks represented by queries to find SK. Before conducting the RoR model based analysis, we explain notations and queries to be used. We denote p t as a participant with the t th instance. Thereafter, p t 1 U X and p t 2 RS are participants U X and RS with t th 1 and t th 2 instances, respectively. Additionally, the queries executed by A are presented in Table 4. Table 4. Queries of the ROR model.

Query Description
A can perform eavesdropping attack using this query. A can obtain messages transmitted during the authentication between p t 1 U X and p t 2

RS
CorruptSC(p t 1 U X ) A can steal the smart card of p t 1 U X and extract the stored data using this query.

Send(p t , M)
Using this query, A sends message M to participant p t to receive the response of sent messages.

Test(p t )
A executes this query at the end of each game. When this query is executed, an unbiased coin c is flipped. The heads represents 1 and the tails represents 0. After c is flipped, p t returns SK when c = 1 and a random number when c = 0. Otherwise, p t returns NULL. If A can distinguish between SK and a random value, A wins the game.
A can get the output value of the hash function for the input by performing a Hash query. When Adv(A) is the probability of the advantage for A to break the session key, we prove the following equation: where q h represents the number of hash queries performed by A, |Hash| represents the range space of the cryptographic hash function, q send represents the number of Send queries performed by A, and |D| represents the size of the password dictionary.

Proof.
A plays four games G i (i = 0, 1, 2, 3) under the RoR model. We denote Adv G i (A) is a advantage of A to compromise SK after playing G i .
• G 0 : A selects the bit c at the start of the game. In the first game, A has no information about SK and no queries to perform. By the definition of semantic security, we can induce the following equation.
• G 1 : A attempts an eavesdropping attack in this game. First, A uses the Execute query. Thereafter, A performs a Test query to receive the return value. Finally, A guesses whether the value is SK or a random number. For A to win the game, A should be able to calculate SK, which is computed by PID X , a X , and b X . These values cannot be obtained using eavesdropping attacks. There is no advantage for A to be gained by the Execute query. Therefore, the advantage of A at the end of G 1 is equal to that at the end of G 0 .
• G 2 : In this game, A uses the Send and Hash queries to compromise SK. From the transmitted messages, A obtains (TID X , M 1 , M 2 , T 1 ) and (M 3 , M 4 , M 5 , T 2 ). However, the only way for A to win the game is to find a hash collision because there is no information about SK from these values. The advantage function at the end of G 2 is as follows by the birthday paradox.
• G 3 : In the final game, A performs a stolen smart card attack, which is represented as the CorruptSC query, then A can extract (A X , B X , C X , Auth X ) from SC X . To win the game, A should succeed in finding the identity ID X and password PW X simultaneously to login to SC X . Because A cannot obtain any information about ID X and PW X , A should guess the values from identity dictionary D id and password dictionary D pw . Thereafter, the following equation can be induced.
After all the games are over, A should guess the correct bit c from the Test query. It follows that From Equations (2) and (3), we can obtain the following equation: We can apply the triangular inequality to Equation (7).
We can obtain the following equation using Equations (7) and (8).
which is the same as Equation (1). Finally, we prove the semantic security of the proposed protocol using the RoR model.

Formal Analysis Using Avispa Simulation
The AVISPA tool [43] can verify that the authentication protocol is secure against replay and MITM attacks by simulating the implementation of the authentication protocol as code. AVISPA is used in many authentication protocols as a formal verification tool [44][45][46]. It is implemented using the "High-Level Protocol specification Language" (HLPSL) and uses four back-ends: "On-the-fly Model-Checker (OFMC)", "SAT-based Model-Checker (SATMC)", "Constraint Logic Based Attack Searcher (CL-AtSe)", and "Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)". The HLPSL2IF translator converts the intermediate format (IF) of the code implemented using HLPSL into the output format (OF). The OF shows the simulation results which include "SUMMARY", "DETAILS", "PROTOCOL", "GOAL", "BACKEND", and "STATISTICS". The SUMMARY shows whether the protocol is safe, the BACKEND gives the name of the back-ends, and STATISTICS shows the time of the trace of the attack. The left side of Figure 8 represents the role of user implemented in AVISPA tool. The remote server is implemented similar to the user. Furthermore, the right side of Figure 8 shows the session, environments, and goals of the proposed protocol. Generally, the AVISPA simulation is executed using the OFMC and CL-AtSe models, which support the exclusive-or operation. If the summaries under the two back-end models are safe, we can say that the protocol is secure against replay and MITM attacks. The simulation results are shown in Figure 9. The simulation summaries of the proposed protocol are safe under the OFMC and CL-AtSe back-ends. This means that the back-ends cannot search for an attack. Therefore, we verify that the proposed protocol has resistance to the replay and MITM attacks.

Computation Cost
Referring to the classification in [12], user's mobile device is class 15, and the remote server is class 19. Considering the different computing powers of user's mobile device and the remote server, we conducted the experiment in both Raspberry PI (class 14) and desktop environments (class 17). The desktop is quad-core i7-4790 CPU with a 16GB RAM and the operation system is the Linux Ubuntu 20.04, and Raspberry PI 3B is a quad-core system with 1GB RAM. We used the MIRACL Cryptography library to implement the operations used for the authentication protocols [47]. The executed operations and execution time are as presented in Table 5. As shown in Table 5, the operations on Raspberry Pi take 2-3 times longer than the operations on desktop. According to the results shown in Table 5, we calculate the total computation cost of the proposed protocol and other related protocols [15][16][17][18][19][20][21][22] as shown in Table 6. Some existing lightweight schemes are more efficient than the proposed scheme. However, the existing lightweight schemes is vulnerable to a variety of attacks. The proposed scheme has considerably higher efficiency than the public key-based protocols and also can provide better security.  [16] T ecc mul + 5T h ≈ 2.704 ms T ecc mul + 4T h ≈ 1.505 ms [17] 2T ecc mul + 3T h ≈ 5.233 ms 2T ecc mul + 6T h ≈ 3.002 ms [18] 2T ecc mul + 8T h ≈ 5.358 ms T mul + T h ≈ 1.493 ms [19] 11T h ≈ 0.275 ms 5T h ≈ 0.02 ms [20] 10T h ≈ 0.25 ms 5T h ≈ 0.02 ms [21] 8T h ≈ 0.2 ms 4T h ≈ 0.016 ms [22] 20T h ≈ 0.5 ms 5T h ≈ 0.032 ms Proposed 14T h ≈ 0.35 ms 8T h ≈ 0.032 ms

Communication Cost
We calculate the total bits transmitted during the authentication to compare the communication costs. We assumed that a timestamp is 32 bits, identity and password are 128 bits, SHA-256 hash output is 256 bits, a random number is 256 bits, an elliptic curve point is 320 bits, and an element of a pairing-based group is 1024 bits. The total communication cost of the existing and proposed schemes are as presented in Table 7. Table 7. Communication cost comparison.

Security Features
We analyzed security characteristics of the proposed protocol with related protcols. This includes: A1: " Resistance to replay attack", A2: "Resistance to privileged insider attack", A3: "Resistance to known session specific temporary information attack", A4: "Resistance to off-line guessing attack", A5: "Resistance to impersonation attack", A6: "Resistance to session key disclosure attack", A7: "Support of perfect forward secrecy", A8: "Support of user anonymity", A9: "Support of user untraceability", A10: "Formal proof using the BAN logic" A11: "Formal proof using the RoR model", and A12: "Formal proof using the AVISPA simulation". Table 8 shows that the proposed protocol has better security than other protocols.