Elliptic Curve Cryptography-Based Scheme for Secure Signaling and Data Exchanges in Precision Agriculture

Abstract

Precision agriculture encompasses automation and application of a wide range of information technology devices to improve farm output. In this environment, smart devices collect and exchange a massive number of messages with other devices and servers over public channels. Consequently, smart farming is exposed to diverse attacks, which can have serious consequences since the sensed data are normally processed to help determine the agricultural field status and facilitate decision-making. Although a myriad of security schemes has been presented in the literature to curb these challenges, they either have poor performance or are susceptible to attacks. In this paper, an elliptic curve cryptography-based scheme is presented, which is shown to be formally secure under the Burrows–Abadi–Needham (BAN) logic. In addition, it is semantically demonstrated to offer user privacy, anonymity, unlinkability, untraceability, robust authentication, session key agreement, and key secrecy and does not require the deployment of verifier tables. In addition, it can withstand side-channeling, physical capture, eavesdropping, password guessing, spoofing, forgery, replay, session hijacking, impersonation, de-synchronization, man-in-the-middle, privileged insider, denial of service, stolen smart device, and known session-specific temporary information attacks. In terms of performance, the proposed protocol results in 14.67% and 18% reductions in computation and communication costs, respectively, and a 35.29% improvement in supported security features.

1. Introduction

Many economies in developing countries are dependent on agriculture as a source of income and contributions to gross domestic product (GDP) [1]. However, the majority of the farming practices are based on experience and ad hoc insights of the farmers. Consequently, there is little control on the agricultural produce quantity and hence financial profits. Fortunately, precision agriculture (PA) and the Internet of Things (IoT) can be deployed to address these issues [2,3]. As explained in [4], PA is part of Agriculture 3.0 in which farm yields are regularly monitored. In addition, PA involves automation and the application of information technology (IT) to improve farm output. In Agriculture 4.0, also referred to as smart agriculture or smart farming, additional technologies such as drones, artificial intelligence (AI), blockchain, big data, wireless sensor networks (WSN), and robotics are incorporated in agriculture. In PA, a number of sensors are deployed, such as radiation, air humidity, optimal, soil moisture, and ground sensors. According to [5], intelligent precision agriculture (IPA) encompasses the deployment of numerous IoT devices and drones to monitor agricultural surroundings. To boost productivity in the face of limited resources and protection from disasters, traditional agronomy needs to be replaced with smart agronomy [6]. As discussed in [7], there are fraud risks in the agricultural sector, especially concerning beverage and food packaging. Therefore, agricultural organizations require ideal certification of their products since these risks can impact negatively on the health of their consumers.

The smart devices deployed in PA and IPA exchange a massive number of messages. Therefore, insecure communication channels among IoT devices, unmanned aerial vehicles (UAVs), or drones can expose smart farming to diverse attacks [5,8]. For instance, Wi-Fi de-authentication and denial of dervice (DoS) can be launched on Raspberry Pi-based smart farms [9]. This can have serious consequences as the sensed data are normally processed to help determine the agricultural field status and facilitate decision-making, which may involve taking measures to maintain or enhance the farm status [10]. These attacks can also target drones deployed to monitor field conditions such as irrigation, spraying of pesticides, pollination, and planting of seeds [11]. On their part, WSNs offer monitoring, sensing, and a continuous supply of information regarding climatic conditions such as the chemical content of the soil, air humidity, temperature, light, water quality, and soil moisture. These parameters are then utilized to boost productivity, both qualitatively and quantitatively. According to [12], WSNs facilitate monitoring, data collection, and control of agricultural systems and hence ensure efficiency, minimal packet losses and economic overheads, better network control, and increased scalability and flexibility. However, threats such as interference, masquerading, interception, and message alteration can compromise these networks and harm crop production and other monitored agricultural practices [6]. The authors in [13] pointed out that issues such as sufficient energy resource utilization and secure data transmission are yet to be solved in WSN. This is because of the usage of open wireless networks during data transfers [14], which can potentially compromise the integrity, confidentiality, and authenticity of the exchanged data.

To address the above issues, there is a need for robust authentication and access control to secure the internet of drones, WSNs, IoT, and agricultural monitoring [15,16,17]. For instance, sufficient user authentication ensures that external users can use their mobile devices to securely access real-time data from the deployed agricultural smart devices [18,19]. There is also a need for robust source authentication, message authentication, and entity authentication.

1.1. Contributions

• A lightweight authentication scheme based on elliptic curve cryptography is developed for secure message exchange among the communicating smart devices in precision agriculture.
• Formal security analysis is carried out using BAN logic to demonstrate that a session key is derived from enciphering the exchanged data between the farmers and the agricultural service providers.
• Extensive semantic analysis is executed to show that the proposed scheme can withstand side-channeling, physical capture, eavesdropping, password guessing, spoofing, forgery, replay, session hijacking, impersonation, de-synchronization, man-in-the-middle, privileged insider, denial of service, stolen smart device, and known session-specific temporary information attacks. In addition, this protocol is demonstrated to support user privacy, anonymity, unlinkability, untraceability, robust authentication, session key agreement, and key secrecy and does not require the deployment of verifier tables.
• An elaborate performance evaluation is carried out to show that our scheme yields 14.67% and 18% reductions in computation and communication costs, respectively, and a 35.29% improvement in supported security features.

1.2. Problem Definition and Motivation

In precision agriculture, information technology plays a critical role in ensuring that farming activities obtain exact requirements, which boosts health, productivity, and agricultural outputs. In this way, environmental protection, sustainability, and profitability are assured in smart farms. On the flip side, the public channels deployed for message exchanges make these networks vulnerable to numerous attacks such as eavesdropping, message falsification, DoS, replay, MitM, impersonation, drones capture, ephemeral secret leakage (ESL), privileged insider, and physical smart devices capture attacks. Proper user and device authentication is one of the most promising solutions to these security and privacy challenges. In addition, communication attributes such as untraceability, unlinkability, anonymity, and user privacy need to be assured. For instance, the secrecy of trading transactions among farmers and agricultural firms needs to be upheld.

1.3. Security Requirements

Owing to the open communication channels deployed in smart agriculture, adversaries can hijack the session, take control of the communication process, and execute other malicious activities. Therefore, a secure authentication protocol should be resilient against a myriad of attacks. In addition, it should fulfill the following privacy and security requirements.

Untraceability and unlinkability: It should be cumbersome for the adversary to trace or link some captured messages to a particular network entity.

Robust authentication: To prevent illegitimate entities from joining the network or accessing the agricultural services and smart devices, all the entities must be validated.

Session key negotiation: Immediately after successful mutual authentication procedures, the communicating parties should agree on the session key to encipher the exchanged messages.

Anonymity and privacy: The real identities of the communicating parties should never be exchanged in plain text over public channels. This is to prevent attackers from eavesdropping them across the communication channel. This goes a long way in preserving the privacy of these parties.

Key secrecy: The session key should be computed in a manner that will make it cumbersome for the attacker to deploy the captured session key for the current communication process to derive the keys used in the previous or subsequent communication procedures.

Resistant to attacks: It should be difficult for the attacker to compromise the network and its smart devices through side-channeling, physical capture, eavesdropping, password guessing, spoofing, forgery, replay, session hijacking, impersonation, de-synchronization, man-in-the-middle (MitM), privileged insider, DoS, stolen smart device, and known session-specific temporary information (KSSTI) attacks.

1.4. Threat Modeling

In this paper, the adversary is assumed to have all the capabilities in the Dolev–Yao (DY) as well as Canetti and Krawczyk (CK) threat models. In the DY threat model, an attacker Ψ is capable of intercepting, altering, deleting, and injecting bogus messages into the communication channel. However, in the CK threat model, an adversary Ψ can compromise secret parameters, private keys, and session states that can be obtained from devices’ memory. In addition, the communicating entities are assumed to be untrustworthy, and Ψ can physically capture the IoT devices and extract the secrets in their memories through power analysis. Using the extracted secrets, further attacks, such as impersonations, can be launched.

The rest of this paper is structured as follows: Section 2 discusses the related work, while Section 3 presents the proposed scheme. On the other hand, Section 4 discusses the security analysis of our scheme, while Section 5 presents its performance evaluation. Finally, Section 6 concludes this paper and provides some research directions.

2. Related Work

Many schemes have been developed to enhance security in the smart farm environment. For example, a novel private blockchain-based authentication scheme is presented in [5]. However, this protocol fails to protect against de-synchronization and session hijacking attacks. Similarly, blockchain-based schemes were developed in [20,21,22,23,24]. Although blockchain offers traceability, integrity protection, and shareability in the agricultural environment, such as agri-food supply chains, it has high storage and computation overheads [25]. Based on signatures, the authors of [18] present a three-factor user authentication protocol. Unfortunately, this scheme cannot prevent attacks such as eavesdropping and session hijacking. On the other hand, an identity-based scheme was introduced in [26]. Nevertheless, this technique is vulnerable to stolen smart cards, sensor node spoofing, impersonation, and stolen verifier attacks [27]. In addition, it cannot provide backward key secrecy. To address these challenges, two protocols were developed in [27]. Unfortunately, the authentication and password change phases of these schemes are inefficient [28]. To offer privacy protection, a remote user authentication protocol was presented in [6]. However, this scheme cannot withstand attacks such as eavesdropping, de-synchronization, and spoofing.

Based on a public-key-based cryptosystem, an authentication scheme was developed in [29]. Although this approach protects against MitM and replay attacks, it cannot withstand privileged insider, user impersonation, and ephemeral secret leakage (ESL) attacks [5]. In addition, it does not include biometric change and user device revocation phases. The signature-based privacy-preserving protocol in [30] can address some of these issues. However, it is still susceptible to ESL attacks and cannot assure the untraceability and anonymity of the communicating parties [5]. Similarly, the protocol in [31] does not provide user and device anonymity since their internet protocol (IP) addresses incorporated in messages are exchanged publicly. In addition, it has high computation overheads due to the utilization of public key cryptography for its digital signatures and certificates [32]. Moreover, it is prone to replay, physical device capture, MitM, user and device impersonation, and attacks. On its part, the scheme in [33] cannot protect against user anonymity violation, user impersonation, and smart card loss attacks. Similarly, the protocol in [34] is vulnerable to physical sensing device capture, untraceability violation, and smart card loss attacks [5]. Using some bilinear pairing operations, authentication and key establishment protocols were introduced in [35,36]. However, the utilization of pairing operations increased the computation costs of these protocols [37]. Since the trusted authority in [36] has access to user identity and password, it is susceptible to privileged insider attacks. In addition, it cannot withstand replay, disclosure of sensor data, offline password guessing, and stolen smart card and verifier attacks [38]. As such, an improved elliptic curve cryptography (ECC)-based scheme was developed in [38]. However, this protocol has an inefficient and delayed authentication phase. In addition, it is not robust against DoS and replay attacks [39]. Although the protocol in [40] addresses some of these issues, its bilinear pairing operations result in high computation costs [41].

To offer security in a heterogeneous IoT environment, an authentication technique was presented in [42]. Unfortunately, this protocol is vulnerable to physical device capture, privileged insider, and ESL attacks. In addition, it cannot preserve untraceability and anonymity [5]. Similarly, a remote user authentication protocol was developed in [43], which was shown to be lightweight. However, it failed to protect against ESL and privileged insider attacks. It also failed to support untraceability and anonymity [5]. On its part, the scheme in [43] was not resilient against privileged insider and sensor node capture attacks. It also failed to preserve forward key secrecy [6]. The authors in [44,45] designed identity-based signature protocols to protect message exchanges in mobile devices. However, identity-based schemes have key escrow problems [46]. Based on ECC and symmetric key encryption, a security technique was presented in [47]. Although it was shown to be robust against MitM and replay attacks, it was vulnerable to ESL, privileged insider, and user impersonation attacks. It also failed to incorporate device revocation, node addition, and password and user biometric change phases [5]. Similarly, the biometric-based scheme in [48] did not include device revocation, user passwords, and biometric update phases. It was also vulnerable to privileged insider, user impersonation, ESL, DoS, and stolen smart card attacks [49]. On its part, the protocol in [50] was susceptible to DoS attacks and could not offer forward key secrecy [51]. Similarly, the scheme in [52] did not support forward key secrecy and was prone to stolen verifier attacks [53]. As such, an enhanced ECC-based protocol was introduced in [53], while a privacy-preserving scheme was developed in [54]. The scheme in [54] was demonstrated to be resilient against eavesdropping, DoS, masquerade, privileged insider, and forgery attacks. It also supports secret key updates, traceability, and anonymity. However, it cannot withstand MitM attacks [20].

It is evident that numerous schemes have been proposed to improve the security posture in precision agriculture. However, it has been shown that these techniques face a number of security, privacy, and performance challenges. The proposed scheme is shown to solve some of these challenges as described in Section 4 and Section 5 below.

3. The Proposed Scheme

The farmer smart devices SD_j and the agricultural service providers ASP_i are the main components of this scheme. As shown in Figure 1, the registration phase occurs over secure channels, while the SD_j and ASP_i exchange the data over the insecure public channels in an ad hoc manner. As such, the goal of the proposed protocol is to enhance the privacy and security of the transmitted information.

The proposed scheme comprises four major phases, which include system initialization, registration, login, and authentication phases.

Table 1. Deployed symbols.

Symbol	Description
ASPi	Agricultural service provider i
MKA	Master key for ASPi
Fj	Farmer j
SDj	Smart device for Fj
FIDj	Unique identity for Fj
FPWj	Login password for Fj
Ri	Random nonce i
||	Concatenation operation
PB	Padding bits
⊕	XOR operation
ϕA	Session key computed at ASPi
ϕS	Session key computed at SDj

presents the notations used throughout this paper.

The subsections below provide detailed descriptions of the various major phases of the proposed scheme.

3.1. System Initialization

In this phase, the agricultural service provide ASP_i executes the following three steps to generate the security parameters that will be utilized during the other three phases. These steps are described in detail, as shown in Figure 2.

Step 1: The ASP_i selects the prime number p, whose length is k-bits. It also chooses some elliptic curve group G whose base point is P and whose order is q.

Step 2: The ASP_i selects a random parameter MK_A from {1, q − 1} and deploys it as its master secret key. In addition, it chooses three collision-resistant one-way hashing functions, h₁(.), h₂(.), and h₃(.), where h₂(.) serves as the map-to-point hashing function. Therefore, h₂(.): {0,1}^*→ G, h₁(.): {0,1}^*→ {0,1}^k, and h₃(.): G → {0,1}^k.

Step 3: Parameter MK_A is secretly retained by the ASP_i, while parameter set {h₁(.), h₂(.), h₃(.),P, E_p (x, y)} is publicly made available to all smart devices.

3.2. Registration Phase

It is required that all farmers register with the ASP_i and obtain some security tokens before being allowed to access some services from the ASP_i. This is a four-step process, as described below.

Step 1: The farmer F_j selects a unique identity FID_j and password FPW_j that are input to the SD_j. Next, a registration message Reg₁ = {FID_j} is constructed that is forwarded to the ASP_i over secured communication channels.

Step 2: Upon receipt of Reg₁, the ASP_i selects random nonce R₁. Next, it derives security values A₁ = h₂ (FID_j||R₁), A₂ = h₂ (FID_j||R₁). MK_A, A₃ = h₁(FID_j||R₁||MK_A), and A₄ = h₁(h₁(MK_A ⊕ R₁)||FID_j).

Step 3: The ASP_i stores parameter set {A₃, FID_j, R₁} in its database for later use during the login and authentication phases. Finally, it constructs registration message Reg₂ = {A₁, A₂, A₃, A₄}, which is forwarded to F_j over secure channels, as shown in Figure 2.

Step 4: After receiving message Reg₂, the SD_j generates fixed-bit padding parameter P_B. This is followed by the computation of values A₂^* = A₂ + h₂(FID_j||FPW_j), A₃^* = A₃ ⊕ h₁(FPW_j||FID_j), A₄^* = A₄ ⊕ h₁(FID_j||FPW_j ||P_B), and B₁ = h₁(A₂||A₃||A₄). Finally, it erases parameter set {A₂, A₃, A₄} and stores value set {A₁, A₂^*, A₃^*, A₄^*, B₁} in its memory.

3.3. Login

The goal of this phase is to validate the farmer password and unique identity that are input to the smart device SD_j. To accomplish this, the following two steps are executed:

Step 1: The farmer F_j inputs the unique identity FID_j and password FPW_j into the SD_j. Next, the SD_j derives values A₂ = A₂^* − h₂(FID_j||FPW_j), A₃ = A₃^* ⊕ h₁(FPW_j||FID_j), and A₄ = A₄^* ⊕ h₁(FID_j||FPW_j||P_B).

Step 2: The SD_j computes B₁^* = h₁(A₂||A₃||A₄) and verifies if B₁^* ≟ B₁. the session is terminated if these two values are not identical. Otherwise, F_j has logged in successfully and can now proceed to the authentication phase.

3.4. Authentication and Key Agreement

In this phase, the farmer F_j, through the SD_j, generates and exchanges a number of security tokens with the agricultural service provider ASP_i, through which these two entities verify one another before the onset of agricultural data exchanges. In addition, the session keys for data encryption are derived as described below.

Step 1: The SD_j generates random nonces R₂ and R₃, where R₂ $\in$ {1, q − 1} and R₃ $\in$ {0,1}^k. Next, it derives parameters B₂ = A₁. R₂, B₃ = A₂. R₂, B₄ = A₃ ⊕ h₃ (B₃), C₁ = A₄ ⊕ R₃, and C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄). Lastly, it composes authentication message Auth₁ = {B₂, B₄, C₁, C₂}, which is transmitted to the ASP_i over public channels, as shown in Figure 3.

Step 2: Upon receiving the authentication message Auth₁ message from SD_j, the ASP_i derives B₃^* = MK_A. B₂ and A₃^** = B₄ ⊕ h₃ (B₃^*). Next, it confirms whether parameter set {A₃^**, FID_j^*, R₁^*} is in its database. Here, the session is terminated if this verification fails. Otherwise, the ASP_i proceeds to compute values A₄^** = h₁(h₁(MK_A ⊕ R₁^*)||FID_j^*) and R₃^* = C₁ ⊕ A₄^**.

Step 3: The ASP_i derives values C₂^* = h₁(B₂||B₃^*||B₄||C₁||R₃^*||A₄^**) and confirms whether C₂^* ≟ C₂. The authentication session is essentially terminated if this verification flops. Otherwise, the ASP_i chooses random nonceR₄ $\in$ {0,1}^k, which is utilized in deriving parameters C₃ = R₄ ⊕ A₄^**, session key ϕ_A = h₁(R₃^*||R₄||B₃^*||A₄^**), and C₄ = h₁(FID_j^*||ϕ_A). Finally, it constructs an authentication message Auth₂ = {C₃, C₄} that it forwards to SD_j over public communication channels.

Step 4: After obtaining message Auth₂ from ASP_i, the SD_j derives values R₄^* = C₃ ⊕ A₄, session key ϕ_S = h₁(R₃||R₄^*||B₃||A₄), and C₄^* = h₁(FID_j||ϕ_S). This is followed by the validation of whether C₄^* ≟ C₄. The authentication session is aborted if these two parameters are unequal. Otherwise, SD_j deploys ϕ_S as the session key to encipher all the exchanged messages.

3.5. Password Renewal Phase

The proposed scheme allows the farmer F_j to change his/her password FPW_j. This may be prompted by the loss of FPW_j or when they suspect that this password might have been compromised. This is attained by executing the following steps.

Step 1: The farmer F_j inputs the current password FPW_j into the SD_j. Next, SD_j deploys the stored parameter set {A₁, A₂^*, A₃^*, A₄^*, B₁} in its memory to derive A₂ = A₂^* − h₂(FID_j||FPW_j), A₃ = A₃^* ⊕ h₁(FPW_j||FID_j), and A₄ = A₄^* ⊕ h₁(FID_j||FPW_j||P_B).

Step 2: F_j selects the new password FPW_j^*_. This is followed by the computation of parameters A₂^New = A₂ + h₂(FID_j||FPW_j^*), A₃^New = A₃ ⊕ h₁(FPW_j^*||FID_j), and A₄^New = A₄ ⊕ h₁(FID_j||FPW_j^*||P_B).

Step 3: The SD_j erases value set {A₂, A₃, A₄, A₂^*_, A₃^*, A₄^*} from its memory and stores parameter set {A₁, A₂^New, A₃^New, A₄^New, B₁} in its memory.

4. Security Analysis

In this section, the proposed scheme’s security and privacy are analyzed using both formal and semantic techniques described below.

4.1. Formal Security Analysis

In this sub-section, we deploy the BAN logic to demonstrate that the farmer F_j and agricultural service provider ASP_i interact to set up a session key between them. This key is then utilized to encipher the data exchanged between these two entities. Suppose that A and B are principals, M and N are statements, and μ is the encryption key. The notations used in this analysis are described below.

A |≡ M: A trusts M.

{M}: Statement M is enciphered using key μ.

A$⨞$M: A receives M.

<M>_N: Statement M is combined statement N.

# (M): M is fresh.

A$\Rightarrow$M: A has control.

(M, N): Statement M or N is part of (M, N).

A$\stackrel{ \mu }{\leftrightarrow }$B: Principals A and B deploy shared key μ during communication.

A|$~$M: Principal A once said statement M.

(M)_h: Statement M is hashed using hashing function h.

During the formal security verification, the following BAN logic rules are utilized.

Freshness Rule (F-R)

$\frac{A believes fresh M}{A believes fresh \left(M,N\right)}$, mathematically represented as $\frac{A |\equiv \# \left(M\right)}{A |\equiv \# \left(M, N\right)}.$

The Message-Meaning Rule (M-M-R)

$\frac{A believes \mathrm{A}\stackrel{ \mu }{\leftrightarrow }\mathrm{B}, \mathrm{A} sees {\left\{\mathrm{M}\right\}}_{\mu }}{A believes B once said M}$, which can be mathematically expressed as $\frac{A |\equiv \mathrm{A}\stackrel{\mu }{\leftrightarrow }\mathrm{B}, \mathrm{A}⨞{\left\{\mathrm{M}\right\}}_{\mu }}{A \left|\equiv B\right|~M}$.

Jurisdiction-Rule (J-R)

$\frac{A believes B control M, A believes B believes M}{A believes M}$, mathematically denoted as $\frac{A \left|\equiv B \Rightarrow M, A \right|\equiv B |\equiv M}{A |\equiv M}.$

Believe–Rule (B-R)

$\frac{A believes B believes \left(M, N\right)}{A believes B believes M}$, also expressed as $\frac{A \left|\equiv B \right|\equiv \left(M, N\right)}{A \left|\equiv B \right|\equiv M}.$

Nonce Verification Rule (N-V-R)

$\frac{A believes fresh \left(M\right), A believes B once said M}{A believes B believes M}$, which can be denoted as $\frac{A |\equiv \#\left(M\right), A \left|\equiv B\right|~M}{A\left|\equiv B\right|\equiv M}.$

To show the establishment of session key μ between provider ASP_i and farmer F_j, the following two goals are formulated.

Goal 1: ASP_i |≡ (F_j$\stackrel{ \mu }{\leftrightarrow }$ASP_i).

Goal 2: F_j|≡ (F_j$\stackrel{ \mu }{\leftrightarrow }$ASP_i).

To achieve this, the following initial assumptions are made:

• IA₁: F_j |≡ R₂;
• IA₂: F_j |≡ R₃;
• IA₃: F_j |≡ B₂;
• IA₄: F_j |≡ B₃;
• IA₅: F_j |≡ F_j$\stackrel{ A_{4 }}{\leftrightarrow }$ASP_i;
• IA₆: F_j |≡ ASP_i$\Rightarrow$(R₄);
• IA₇: ASP_i |≡ B₂;
• IA₈: ASP_i |≡ MK_A;
• IA₉: ASP_i |≡ R₄;
• IA₁₀: ASP_i |≡ F_j$\stackrel{A_4}{\leftrightarrow }$ASP_i;
• IA₁₁: ASP_i |≡ F_j$\Rightarrow$(R₃, B₂).

In the proposed protocol, two messages are exchanged during the authentication and key agreement phase. These messages include Auth₁ and Auth₂, transmitted by the SD_j and ASP_i, respectively. For efficient analysis, these messages are transformed into idealized designs, as described below.

SD_j → ASP_i:

Auth₁ = {B₂, B₄, C₁, C₂};

Idealized form: {B₂, B₄, C₁, C₂,$\langle B_3\rangle {}_{B_2}, \langle A_3\rangle {}_{B_3}, \langle R_3\rangle {}_{A_4}$}.

ASP_i → SD_j:

Auth₂ = {C₃, C₄};

Idealized form: {C₃, C₄, $\langle R_4\rangle {}_{A_4}$}.

Next, the above BAN logic notations, rules, and initial state assumptions are deployed to demonstrate that the farmer F_j and the agricultural service provider ASP_i derive and share similar session key μ to encipher the exchanged messages. This procedure proceeds as described below.

Based on Auth₁, the following is obtained:

DM₁: ASP_i$⨞${B₂, B₄, C₁, C₂, $\langle B_3\rangle {}_{B_2}, \langle A_3\rangle {}_{B_3}, \langle R_3\rangle {}_{A_4}$}.

Using M-M-R, DM₁, IA₇, and IA₈, DM₂ is yielded.

DM₂: ASP_i$\left|\equiv F_{\mathrm{j}}\right|~${B₂, B₄, C₁, C₂, $\langle B_3\rangle {}_{B_2}, \langle A_3\rangle {}_{B_3}, \langle R_3\rangle {}_{A_4}$}.

Since C₂^* = h₁(B₂||B₃^*||B₄||C₁||R₃^*||A₄^**), from DM₂,

DM₃: ASP_i$\left|\equiv F_{\mathrm{j}}\right|\equiv${B₂, B₄, C₁, C₂, $\langle B_3\rangle {}_{B_2}, \langle A_3\rangle {}_{B_3}, \langle R_3\rangle {}_{A_4}$}.

Using the B-R and DM₃, the following is obtained:

DM₄: ASP_i$\left|\equiv F_{\mathrm{j}}\right|\equiv$ (R₃, B₂)

Based on IA₁₁ and DM₄, we obtain:

DM₅: ASP_i$|\equiv$(R₃, B₂).

On the other hand, the application of B-R on DM₅ yields:

DM₆: ASP_i$|\equiv$(R₃) and ASP_i$|\equiv$(B₂).

Based on IA₈ and IA₉, the following is obtained:

DM₇: ASP_i$|\equiv$MK_A and ASP_i$|\equiv$ (R₄),

Since ϕ_A = h₁(R₃^*||R₄||B₃^*||A₄^**), then from DM₆ and DM₇,

DM₈: ASP_i |≡ (F_j$\stackrel{ \mu }{\leftrightarrow }$ASP_i), hence Goal 1 is attained.

From Auth₂, the following is obtained:

DM₉: F_j$⨞${C₃, C₄, $\langle R_4\rangle {}_{A_4}$}.

Using the M-M-R on IA₁₀ results in the following:

DM₁₀: F_j |≡ASP_i |$~${C₃, C₄, $\langle R_4\rangle {}_{A_4}$}.

Based on DM₁₀, IA₅, and IA₉,

DM₁₁: F_j |≡ ASP_i|≡ R₄.

The application of the J-R on DM₁₁ and IA₆ results in the following:

DM₁₂: F_j |≡ R₄.

Based on DM₁₂ and IA₂–IA₅, we obtain:

DM₁₃: F_j |≡ (F_j$\stackrel{ \mu }{\leftrightarrow }$ASP_i); therefore, Goal 2 is accomplished.

The attainment of these two security goals confirms that farmer F_j and agricultural service provider ASP_i strongly trust that they share session key μ for traffic protection.

4.2. Semantic Security Analysis

The objective of this subsection is the formulation and proofing of some hypotheses regarding the supported security features in the proposed scheme.

Hypothesis 1: 

Farmer privacy and anonymous communication are achieved.

Proof: 

In the proposed scheme, the real identity of the farmer is FID_j. This identity is incorporated in values such as A₁ = h₂ (FID_j||R₁), A₂ = h₂ (FID_j||R₁) MK_A, A₃ = h₁(FID_j||R₁||MK_A), A₄ = h₁(h₁(MK_A ⊕ R₁)||FID_j), and C₄ = h₁(FID_j^*||ϕ_A). In all these parameters, FID_j is encapsulated in other parameters before being hashed. During the authentication and key agreement phase, messages Auth₁ = {B₂, B₄, C₁, C₂} and Auth₂ = {C₃, C₄} are transmitted over public channels. Here, B₂ = A₁. R₂, B₄ = A₃ ⊕ h₃ (B₃), C₁ = A₄ ⊕ R₃, C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄), C₃ = R₄ ⊕ A₄^**, and C₄ = h₁(FID_j^*||ϕ_A). It is evident that of all these parameters, it is only C₄ that directly incorporates farmer identity FID_j. However, this identity is encapsulated in session key ϕ_A before being hashed. Due to the difficulty of reversing the hashing function, it is difficult for adversary Ψ to obtain this identity from message Auth₂. □

Hypothesis 2: 

Side-channeling and physical attacks are prevented.

Proof: 

Suppose that attacker Ψ has physically captured the farmer’s smart device SD_j. The objective is to extract the security tokens in its memory to compute the session key ϕ_S = h₁(R₃||R₄^*||B₃||A₄). During the registration phase, the SD_j stores parameter set {A₁, A₂^*, A₃^*, A₄^*, B₁} in its memory. Here, A₁ = h₂ (FID_j||R₁), A₂^* = A₂ + h₂(FID_j||FPW_j), A₃^* = A₃ ⊕ h₁(FPW_j||FID_j), A₄^* = A₄ ⊕ h₁(FID_j||FPW_j ||P_B), B₁ = h₁(A₂||A₃||A₄), and B₃ = A₂.R₂. As such, although the attacker may have access to value A₄^*, random nonces R₃ and R₄^*, as well as parameter B₃, cannot be recovered from SD_j’s memory. As such, the derivation of session key ϕ_S flops. □

Hypothesis 3: 

This scheme is robust against eavesdropping and password-guessing attacks.

Proof: 

Let us assume that adversary Ψ is interested in capturing the farmer’s password FPW_j for malicious login into SD_j. To achieve this, an attempt is made to eavesdrop FPW_j from the exchanged messages Auth₁ = {B₂, B₄, C₁, C₂} and Auth₂ = {C₃, C₄}. Here, B₂ = A₁. R₂, A₁ = h₂ (FID_j||R₁), B₄ = A₃ ⊕ h₃ (B₃), C₁ = A₄ ⊕ R₃, C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄), C₃ = R₄ ⊕ A₄^**, and C₄ = h₁(FID_j^*||ϕ_A). Evidently, none of the components of these two messages contains plain-text FPW_j. The only parameters incorporating this password are A₂ = A₂^* − h₂(FID_j||FPW_j), A₃ = A₃^* ⊕ h₁(FPW_j||FID_j), and A₄ = A₄^* ⊕ h₁(FID_j||FPW_j||P_B), which are never sent directly over the public channels. In addition, FPW_j is encapsulated in other values before being hashed. Due to the difficulty of reversing or colliding the hashing function, any guessing of FPW_j from these parameters will fail. □

Hypothesis 4: 

This scheme upholds unlinkability and untraceability.

Proof: 

During the authentication phase, the SD_j generates random nonce R₂ and R₃, where R₂ $\in$ {1, q − 1} and R₃ $\in$ {0,1}^k. These nonces are utilized to construct authentication message Auth₁ = {B₂, B₄, C₁, C₂}, where B₂ = A₁. R₂, A₁ = h₂ (FID_j||R₁), B₄ = A₃ ⊕ h₃ (B₃), C₁ = A₄ ⊕ R₃, and C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄). Similarly, ASP_i chooses random nonceR₄ $\in$ {0,1}^k, which is used in the derivation of authentication response message Auth₂ = {C₃, C₄}, where), C₃ = R₄ ⊕ A₄^**, and C₄ = h₁(FID_j^*||ϕ_A). Consequently, messages Auth₁^Sub and Auth₁^Sub for the subsequent communication session will be different from those of the current session. This lack of correlation among authentication messages implies that Ψ is incapable of tracking F_j using any captured messages. □

Hypothesis 5: 

Spoofing and forgery attacks are thwarted.

Proof: 

Let us assume that attacker Ψ is attempting to forge message Auth₁ = {B₂, B₄, C₁, C₂} sent from SD_j towards the ASP_i, as well as response message Auth₂ = {C₃, C₄} forwarded back to the SD_j from ASP_i. Here, B₂ = A₁. R₂, A₁ = h₂ (FID_j||R₁), B₄ = A₃ ⊕ h₃ (B₃), A₃ = h₁(FID_j||R₁||MK_A), C₁ = A₄ ⊕ R₃, A₄ = A₄^* ⊕ h₁(FID_j||FPW_j||P_B), C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄), C₃ = R₄ ⊕ A₄^**, and C₄ = h₁(FID_j^*||ϕ_A). Clearly, this requires random nonces such as R₁, R₂, and R₃, farmer’s real identity FID_j and password FPW_j, master key for ASP_iMK_A, and padding bits P_B, among other parameters. Hypothesis 1 illustrates the difficulty of obtaining FID_j, Hypothesis 3 demonstrates the difficulty of obtaining FPW_j, while Hypothesis 4 shows the difficulty of obtaining random nonces. In addition, Ψ cannot obtain master key MK_A since it is randomly selected from {1, q − 1} by ASP_i. □

Hypothesis 6: 

This scheme can withstand session hijacking attacks.

Proof: 

Suppose that adversary Ψ has captured random nonces R₁, R₂, R₃, and R_4. Next, an attempt is made to compute session parameters B₃ = A₂. R₂, C₁ = A₄ ⊕ R₃, C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄), A₄^** = h₁(h₁(MK_A ⊕ R₁^*)||FID_j^*), and C₃ = R₄ ⊕ A₄^** used in messages Auth₁ = {B₂, B₄, C₁, C₂} and Auth₂ = {C₃, C₄}. Here, B₂ = A₁. R₂, A₁ = h₂ (FID_j||R₁), B₄ = A₃ ⊕ h₃ (B₃), A₃ = h₁(FID_j||R₁||MK_A), C₁ = A₄ ⊕ R₃, A₄ = A₄^* ⊕ h₁(FID_j||FPW_j||P_B), C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄), C₃ = R₄ ⊕ A₄^**, and C₄ = h₁(FID_j^*||ϕ_A). To hijack the session, other parameters are required apart from these random nonces, as illustrated in Hypothesis 5. Since these values are unavailable to Ψ, session hijacking is not possible. □

Hypothesis 7: 

Impersonation attacks are prevented.

Proof: 

Upon receiving message Auth₁, the ASP_i confirms whether parameter set {A₃^**, FID_j^*, R₁^*} is in its database. The aim is to abort the session if this verification fails. In addition, it derives value C₂^* = h₁(B₂||B₃^*||B₄||C₁||R₃^*||A₄^**) and checks if C₂^* ≟ C₂. Here, the authentication session is terminated if this verification flops. On its part, the SD_j computes parameters R₄^* = C₃ ⊕ A₄, session key ϕ_S = h₁(R₃||R₄^*||B₃||A₄), and C₄^* = h₁(FID_j||ϕ_S) upon receiving message Auth₂. This is followed by the verification of whether C₄^* ≟ C₄. Essentially, the authentication session is aborted if these two parameters are not the same. As such, the legitimacy of all the communicating entities is verified to thwart impersonations. □

Hypothesis 8: 

Robust authentication is executed.

Proof: 

At the SD_j side, noncesR₂ and R3 are generated and parameters B₂ = A₁. R₂, B₃ = A₂. R₂, B₄ = A₃ ⊕ h₃ (B₃), C₁ = A₄ ⊕ R₃, and C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄) are computed. These parameters are deployed to construct authentication message Auth₁ = {B₂, B₄, C₁, C₂} forwarded to the ASP_i. Similarly, the ASP_i generates random nonce R₄ utilized to derive values C₃ = R₄ ⊕ A₄^**, session key ϕ_A = h₁(R₃^*||R₄||B₃^*||A₄^**), and C₄ = h₁(FID_j^*||ϕ_A). Lastly, authentication message Auth₂ = {C₃, C₄} is composed and forwarded to SD_j. During this process of authentication procedures, the legitimacy of SD_j is verified at the ASP_i using parameters {A₃^**,FID_j^*, R₁^*}, C₂^*, and C₂, as demonstrated in Hypothesis 7. Similarly, the authenticity of ASP_i is verified at the SD_j using parameters C₄^*and C₄, as illustrated in Hypothesis 7. □

Hypothesis 9: 

This protocol prevents de-synchronization and DoS attacks.

Proof: 

Most of the authentication protocols incorporate timestamps in the exchanged messages, which renders them susceptible to de-synchronization and DoS attacks. The aim of these timestamps is to uphold the freshness of the transmitted messages. In the proposed scheme, random nonces are utilized to preserve the freshness of the exchanged messages. For instance, the SD_j generates random nonces R₂ and R₃ that are used to derive parameters B₂ = A₁. R₂, B₃ = A₂. R₂, B₄ = A₃ ⊕ h₃ (B₃), C₁ = A₄ ⊕ R₃, and C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄) of authentication message Auth₁ = {B₂, B₄, C₁, C₂} forwarded to the ASP_i. On its part, the ASP_i chooses random nonce R₄, which is incorporated in values C₃ = R₄ ⊕ A₄^**, session key ϕ_A = h₁(R₃^*||R₄||B₃^*||A₄^**), and C₄ = h₁(FID_j^*||ϕ_A) of message Auth₂ = {C₃, C₄} forwarded to SD_j. □

Hypothesis 10: 

This scheme eliminates the need for verifier tables.

Proof: 

Some authentication schemes require that the communicating parties maintain verifier tables, which are queried during the authentication process. If the attackers gain access to these verifier tables, the entire network can be compromised and brought down. In the proposed scheme, the ASP_i authenticates the SD_j using parameter set {A₃^**,FID_j^*, R₁^*}, and C₂^*and C_2. Whereas values A₃^**,FID_j^* and R₁^* are re-computed and compared to the ones in its database, parameter C₂^* is re-computed and compared to the one received in authentication message Auth₁ = {B₂, B₄, C₁, C₂} received from the SD_j. On the other hand, the SD_j authenticates ASP_i using value C₄^* = h₁(FID_j||ϕ_S), which is re-calculated and compared with its equivalent C₄ received from ASP_i in authentication message Auth₂ = {C₃, C₄}. This eliminates the need for the ASP_i and SD_j to maintain verifier tables. □

Hypothesis 11: 

Man-in-the-middle and replay attacks are thwarted.

Proof: 

Suppose that the adversary is interested in computing and replaying bogus authentication parameters A₃^**, FID_j^*, R₁^*, C₂^*, C₃, and C₄ needed to successfully authenticate ASP_i and SD_j. Here, A₃^** = B₄ ⊕ h₃ (B₃^*), B₃ = A₂. R₂, B₃^* = MK_A. B₂, B₄ = A₃ ⊕ h₃ (B₃), A₃ = A₃^* ⊕ h₁(FPW_j||FID_j), C₂^* = h₁(B₂||B₃^*||B₄||C₁||R₃^*||A₄^**), C₃ = R₄ ⊕ A₄^**, and C₄ = h₁(FID_j^*||ϕ_A). Based on Hypothesis 1, Ψ has no access to FID_j, while according to Hypothesis 3, Ψ has no access to FPW_j. Similarly, it has been shown in Hypothesis 4 that Ψ does not have access to random nonces incorporated in these parameters. Based on Hypothesis 5, master key MK_A is never available to Ψ. Therefore, our scheme can withstand MitM attacks. □

Hypothesis 12: 

The session key is set up for message encryption.

Proof: 

Upon receiving message Auth₁ from SD_j, the ASP_i generates nonce R₄ and computes values B₃^* = MK_A. B₂, A₃^** = B₄ ⊕ h₃ (B₃^*), A₄^** = h₁(h₁(MK_A ⊕ R₁^*)||FID_j^*), and R₃^* = C₁ ⊕ A₄^**. These parameters are utilized to derive session key ϕ_A = h₁(R₃^*||R₄||B₃^*||A₄^**). Similarly, after receiving message Auth₂ = {C₃, C₄} from ASP_i, the SD_j computes value R₄^* = C₃ ⊕ A₄ and session key ϕ_S = h₁(R₃||R₄^*||B₃||A₄). These keys are employed to encipher the exchanged messages. □

Hypothesis 13: 

Known session-specific temporary information attacks are prevented.

Proof: 

During the authentication phase, the ASP_i computes session key ϕ_A = h₁(R₃^*||R₄||B₃^*||A₄^**, while the SD_j derives session key ϕ_S = h₁(R₃||R₄^*||B₃||A₄). Here, R₃^* = C₁ ⊕ A₄^**, C₁ = A₄ ⊕ R₃, A₄^** = h₁(h₁(MK_A ⊕ R₁^*)||FID_j^*), B₃^* = MK_A. B₂, R₄^* = C₃ ⊕ A₄, C₃ = R₄ ⊕ A₄^**, A₄ = h₁(h₁(MK_A ⊕ R₁)||FID_j), B₃ = A₂. R₂, and A₂ = A₂^* − h₂(FID_j||FPW_j). It was demonstrated in Hypothesis 11 that attacker Ψ has no access to FID_j, MK_A, FPW_j, and random nonces used in these session keys. In addition, the computation of parameters, such as B₃^* = MK_A. B₂ = MK_A. A₁. R₂ = MK_A. h₂ (FID_j||R₁). R₂ = A₂. R₂, even when B₂ and A₂ are known, is difficult due to the intractability of the computational Diffie–Hellman (CDH) problem. □

Hypothesis 14: 

Key secrecy is upheld.

Proof: 

Suppose that attacker Ψ has access to private values such as random nonces R₂, R₃, and R₄. Let us also assume that authentication messages Auth₁ = {B₂, B₄, C₁, C₂} and Auth₂ = {C₃, C₄} have been captured by the adversary. Using these parameters, an attempt is made to derive messages Auth₁^Sub and Auth₁^Sub for the subsequent communication session. Here, B₂ = A₁. R₂, A₁ = h₂ (FID_j||R₁), B₃ = A₂. R₂, A₂ = h₂ (FID_j||R₁).MK_A, B₄ = A₃ ⊕ h₃ (B₃), A₃ = h₁(FID_j||R₁||MK_A), C₁ = A₄ ⊕ R₃, A₄ = h₁(h₁(MK_A ⊕ R₁)||FID_j), C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄),ϕ_A = h₁(R₃^*||R₄||B₃^*||A₄^**), and C₄ = h₁(FID_j^*||ϕ_A). It is clear that even with the captured random nonces, the computation of these authentication messages will still fail. This is because Ψ still needs other parameters, such as FID_j and MK_A. According to Hypothesis 1, FID_j is unavailable to Ψ. Similarly, Hypothesis 5 has shown the difficulty of obtaining master key MK_A. Moreover, Hypothesis 13 has demonstrated the difficulty of deriving B₃ since it requires solving the CDH problem. □

Hypothesis 15: 

Privileged insider and stolen smart device attacks are prevented.

Proof: 

Let us assume that Ψ has stolen the farmer’s smart device SD_j. Thereafter, the security tokens {A₁, A₂^*, A₃^*, A₄^*, B₁} stored in its memory are extracted. This can also happen when Ψ has some privileged access to these parameters. Here, A₁ = h₂ (FID_j||R₁), A₂^* = A₂ + h₂(FID_j||FPW_j), A₃^* = A₃ ⊕ h₁(FPW_j||FID_j), A₄^* = A₄ ⊕ h₁(FID_j||FPW_j||P_B), and B₁ = h₁(A₂||A₃||A₄). The aim of the attacker is to access the secret value set {A₂, A₃, A₄}, where A₂ = h₂ (FID_j||R₁). MK_A, A₃ = h₁(FID_j||R₁||MK_A), and A₄ = h₁(h₁(MK_A ⊕ R₁)||FID_j). However, all these parameters are encapsulated in other values such FID_j, FPW_j, and P_B; hence, their recovery is challenging. □

Hypothesis 16: 

The proposed scheme is highly scalable and adaptable.

Proof: 

In the proposed scheme, farmer F_j communicates directly to the service provider ASP_i devoid of any centralized entity. In addition, Hypothesis 10 describes how the proposed scheme eliminates the need for verifier tables. As such, any farmer smart device SD_K can seamlessly join and leave the network without affecting the performance of the already existing devices. □

5. Performance Evaluation

In this section, three common metrics deployed in the performance evaluation of authentication protocols are used to gauge the proposed scheme. These metrics include computation and communication costs, as well as the supported security characteristics. The specific details about the evaluation procedures are described in the following sub-sections.

5.1. Computation Costs

To determine the execution time for the various cryptographic operations, ASP_i is emulated in a multi-precision integer and rational arithmetic cryptographic library (MIRACL) in a server with the specifications in

Table 2. Server specifications.

Feature	Description
Operating system	Ubuntu 22.04 LTS
RAM	8 GB
Processor	Intel Core i7-8565U
Operating system type	64-bit
Clock frequency	3.2 GHz

.

On the other hand, the farmer’s SD_j is emulated using Raspberry Pi 3 Model B Rev 1.2, whose specifications are presented in

Table 3. Smart device specifications.

Feature	Description
Operating system	Ubuntu 20.04 LTS
RAM	1 GB
Processor	Quad-core
Operating system type	64 bit
Clock frequency	1.4 GHz

.

Under these conditions, the average execution times for various cryptographic primitives are presented in

Table 4. Execution time for various cryptographic operations.

Cryptographic Operation	Time (ms)
	SDj	ASPi
Hashing operation (TH)	0.314	0.056
Bilinear pairing (TBP)	33.051	4.715
Elliptic curve scalar multiplications (TSM)	2.256	0.654
Symmetric encryption/Decryption (TED)	0.019	0.002
Elliptic curve point subtraction (TPS)	0.0115	0.003
Modular exponentiation (TME)	0.325	0.083
Modular multiplication (TMM)	0.015	0.002
Modular addition (TMA)	0.012	0.001
Fuzzy extraction (TFE)	2.253	0.674
t-degree univariate polynomial evaluation (TPL)	13.3	0.3
Map-to-point hashing (TMTP)	5.264	2.853
Elliptic curve point addition (TPA)	0.017	0.004

.

During the authentication and key negotiation phase, the SD_j executes a single T_MTP, six T_H, a single T_PS, and two T_SM operations. On the other hand, the ASP_i carries out a single T_SM and six T_H operations.

Table 5. Computation costs comparisons.

Scheme	Derivations		Total (ms)
	User/Smart Device/Sensor	Server/Gateway Node
Vangala et al. [18]	22 TH +8 TSM+ 2 TPA+ TFE = 27.243	12 TH +6 TSM+ 2 TPA = 4.604	31.847
Rangwani et al. [6]	8 TH +5 TSM = 13.792	7 TH +TSM = 1.046	14.838
Bera et al. [5]	7 TH + 6 TSM + 2 TPA + TPL = 29.068	7 TH + 6 TSM + 2 TPA + TPL = 4.624	33.692
Vangala et al. [20]	9 TH + 4 TSM = 11.85	9 TH + 4 TSM = 3.12	14.970
Wu et al. [40]	2 TBP + 2 TME + 2 TED + TH = 67.446	2 TBP + 2 TME + 2 TED + TH = 9.656	77.102
Proposed	TMTP + 6 TH + 2 TSM + TPS = 11.672	TSM + 6 TH = 0.99	12.662

presents the comparisons of the computation cost of the proposed scheme with other related protocols.

Based on the values in Table 5, the protocol in [18] has a computation cost of 31.847 ms, while the scheme in [6] has a computation overhead of 14.838 ms. Similarly, the computation costs for the protocols in [5,20,40] and the proposed scheme are 33.692 ms, 14.97 ms, 77.102 ms, and 12.662 ms, respectively. As shown in Figure 4, the protocol in [40] incurs the highest computation costs.

This is attributed to the time-consuming bilinear pairing operations executed in this scheme. This is followed by the schemes in [5,6,18,20] and the proposed protocols in that order. The high computation overhead in [40] is attributed to the time-consuming bilinear pairing operations executed in this scheme. Since the farmer’s smart device is battery-powered, our scheme is the most efficient and ensures that the battery for SD_j lasts longer. On the other hand, deploying the protocol in [40] in SD_j will drain its battery within a short time.

5.2. Communication Costs

To derive the number of bits used in the proposed protocol, the sizes of the messages exchanged between the SD_j and ASP_i during the authentication and key agreement phase are taken into consideration. For fair comparison, the values in [5] are used, in which the output sizes of the various cryptographic operations are presented in

Table 6. Parametric sizes.

Operation	Size (bits)
Real identity	160
Random nonce	160
Hashing output	256
Points in finite group	512
Timestamp	32
Password	160

below.

In our scheme, two messages are exchanged during the authentication and key negotiation phase. Whereas message Auth₁ = {B₂, B₄, C₁, C₂} is sent from the SD_j towards the ASP_i, message Auth₂ = {C₃, C₄} is transmitted from ASP_i towards SD_j. Here, B₂ = A₁. R₂, B₄ = A₃ ⊕ h₃ (B₃), C₁ = A₄ ⊕ R₃, C₂ = h₁(B₂||B₃||B₄||C₁||R₃||A₄), C₃ = R₄ ⊕ A₄^**, and C₄ = h₁(FID_j^*||ϕ_A).

Table 7. Message sizes.

Message	Size (bits)
SDj → ASPi Auth1:{B2, B4, C1, C2} B4 = C1 = C2 = 160; B2 = 512	992
ASPi → SDj Auth2: {C3, C4} C3 = C4 = 160	320
Total	1312

illustrates the derivation of the communication cost of this scheme.

On the other hand, the protocol in [18] exchanges four messages, while the scheme in [6] requires five messages during the authentication process, as shown in

Table 8. Communication costs comparisons.

Scheme	Number of Exchanged Messages	Size (bits)
Vangala et al. [18]	4	5792
Rangwani et al. [6]	5	4128
Bera et al. [5]	2	2016
Vangala et al. [20]	3	2305
Wu et al. [40]	10	1600
Proposed	2	1312

. On their part, the schemes in [5,20,40] exchange 2 messages, 3 messages, and 10 messages, respectively. In terms of the total message sizes, the schemes in [5,6,18,20,40] require 5792 bits, 4128 bits, 2016 bits, 2305 bits, and 1600 bits, respectively.

As shown in Figure 5, the scheme in [18] has the highest communication cost of 5792 bits, followed by the protocols in [5,6,20,40] and the proposed scheme, respectively.

Since the farmer’s smart device is battery-powered, it has limited communication capability and hence the proposed protocol is the most efficient.

5.3. Security Characteristics

The goal of this section is to compare the security characteristics of the proposed scheme with other related protocols.

Table 9. Security characteristics comparisons.

	[18]	[6]	[5]	[20]	[40]	Proposed
Security features
User privacy	√	√	-	√	√	√
Anonymity	√	√	-	√	√	√
Unlinkability	-	-	-	-	-	√
Untraceability	√	√	-	√	√	√
Robust authentication	√	√	√	√	√	√
No verifier tables	×	√	√	×	-	√
Session key agreement	√	√	√	√	√	√
Key secrecy	√	√	√	-	-	√
Robust against:
Side-channeling	√	√	√	√	×	√
Physical capture	√	√	√	√	×	√
Eavesdropping	×	×	√	×	×	√
Password guessing	√	√	×	×	√	√
Spoofing	×	×	×	×	×	√
Forgery	×	×	√	×	×	√
Replay	√	√	√	√	√	√
Session hijacking	×	×	×	×	×	√
Impersonation	√	√	√	√	×	√
De-synchronization	×	×	×	×	×	√
MitM	√	√	√	√	√	√
Privileged insider	√	√	√	√	√	√
KSSTI	×	√	√	√	×	√
DoS	√	√	-	√	√	√
Stolen smart device	√	√	√	√	×	√

√: supported; ×: not supported; -: not considered.

presents the results of this comparative evaluation.

As shown in Table 9, the schemes in [5,20] each support 14 security characteristics, while the protocol in [18] offers support for 15 security features. On the other hand, the scheme in [6] supports 17 features, while the proposed protocol supports all 23 security features. Therefore, our scheme is the most secure and privacy-preserving.

Based on the results above, it is evident that the proposed scheme results in significant improvements in computation costs, communication costs, and supported security characteristics. Regarding computation overheads, the protocol in [6] with a cost of 14.838 m is used as the baseline. On the hand, the scheme in [40] with a communication cost of 1600 bits is used as the baseline. Similarly, the protocol in [18], which offers support for 15 security features, is deployed as the baseline. Using these baseline values, the proposed protocol results in 14.67% and 18% reductions in computation and communication costs, respectively, and a 35.29% improvement in supported security features.

6. Conclusions

In precision agriculture, numerous sensors such as radiation, air humidity, optimal, soil moisture, and ground sensors are deployed. In addition, intelligent precision agriculture utilizes numerous IoT devices and drones to monitor agricultural surroundings. Although these technologies help boost productivity in the face of limited resources, they are exposed to threats such as eavesdropping, message falsification, DoS, replay, MitM, and impersonations. Therefore, past researchers have seen the development of many security solutions for this environment. However, the attainment of perfect privacy and security at low computation and communication overheads still remains a mirage. The developed scheme has been shown to solve some of these challenges. For example, it has been shown to be resilient against side-channeling, physical capture, eavesdropping, password guessing, spoofing, forgery, replay, session hijacking, impersonation, de-synchronization, man-in-the-middle, privileged insider, denial of service, stolen smart device, and known session-specific temporary information attacks. Using the values in [6,18,40] as baselines, the proposed scheme leads to 14.67% and 18% reductions in computation and communication costs, respectively, and a further 35.29% improvement in supported security features. Future research will revolve around further enhancements of its performance as well as evaluation using metrics that were out of the scope of the current work.