This section presents the formal security analysis of the proposed scheme under the hardness assumptions of the ECDLP, the collision resistance of the one-way hash function, and the security of the symmetric encryption algorithm, followed by automated verification with the widely used tool ProVerif. It then gives an informal discussion of the required security properties, supplemented by a comparison of security features with existing related schemes.

#### 5.1. Formal Security Analysis

For the formal security analysis of our protocol, we first define indistinguishability under chosen cipher-text attack (IND-CCA) for the symmetric encryption algorithm, the collision-resistant secure hash function, and the ECDLP as follows:

**Definition 1.** Given a symmetric key algorithm $(\mathsf{\Sigma},\mathsf{\Omega},\mathsf{\Phi})$ and a cipher-text $CP=EN{C}_{key}\left(k\right)$, IND-CCA is considered a hard problem if $AD{V}_{\mathcal{A}}^{IND-CCA}\left({t}_{a1}\right)\le {\epsilon}_{a1}$ for any sufficiently small ${\epsilon}_{a1}>0$, where $AD{V}_{\mathcal{A}}^{IND-CCA}\left({t}_{a1}\right)$ denotes the advantage of an adversary $\mathcal{A}$ in finding the plain-text $p\in \mathsf{\Omega}$ (the set of plain-texts) of earlier messages from the given $CP\in \mathsf{\Sigma}$ (the set of cipher-texts) and the symmetric key algorithm, while the key $k\in \mathsf{\Phi}$ (the set of enc/dec keys) is unknown [32].

**Definition 2.** Given an elliptic curve point $G=yP$ over ${E}_{p}(x,y)$, the ECDLP is considered a hard problem if $AD{V}_{\mathcal{A}}^{ECDLP}\left({t}_{a2}\right)\le {\epsilon}_{a2}$ for any sufficiently small ${\epsilon}_{a2}>0$, where $AD{V}_{\mathcal{A}}^{ECDLP}\left({t}_{a2}\right)$ denotes the advantage of an adversary $\mathcal{A}$ in recovering the integer $y\in {\mathcal{Z}}_{q}^{*}$ from the given G and P [32].

**Definition 3.** Given the output $O=H\left(y\right)$, inverting the hash function is considered a hard problem if $AD{V}_{\mathcal{A}}^{H}\left({t}_{a3}\right)\le {\epsilon}_{a3}$ for any sufficiently small ${\epsilon}_{a3}>0$, where $AD{V}_{\mathcal{A}}^{H}\left({t}_{a3}\right)$ denotes the advantage of an adversary $\mathcal{A}$ in recovering the input $y\in {\{0,1\}}^{*}$ from the given $H\left(y\right)$ [32].

For the formal security analysis, we define the following random oracles [33]:

$Reveal\phantom{\rule{4pt}{0ex}}1$: This oracle unconditionally outputs the plain-text k from the given cipher-text $CP=EN{C}_{key}\left(k\right)$.

$Reveal\phantom{\rule{4pt}{0ex}}2$: This oracle unconditionally outputs the integer y from the publicly given values $yP$ and P.

$Reveal\phantom{\rule{4pt}{0ex}}3$: This oracle outputs the input y from the given hash value O.

**Theorem 1.** Under the assumption of $IND-CCA$ security of the symmetric encryption algorithm, the enhanced protocol is provably secure in the random oracle model against a probabilistic polynomial-time bounded adversary attempting to extract the identity of the mobile user.

**Proof.** Consider the experiment $EXPE{1}_{\mathcal{A}}^{IND-CCA}$ for a probabilistic polynomial-time bounded adversary $\mathcal{A}$ who attempts to extract the user's ID. We define the success probability of $EXPE{1}_{\mathcal{A}}^{IND-CCA}$ as $Succ{1}_{\mathcal{A}}^{IND-CCA}=2Pr[EXPE{1}_{\mathcal{A}}^{IND-CCA}=1]-1$. The advantage of $\mathcal{A}$ in $EXPE{1}_{\mathcal{A}}^{IND-CCA}$ is then $Ad{v}_{\mathcal{A}}^{IND-CCA}({t}_{1},{q}_{R1})=ma{x}_{\mathcal{A}}Succ{1}_{\mathcal{A}}^{IND-CCA}$, where the maximum is taken over all adversaries $\mathcal{A}$ with execution time ${t}_{1}$ and number of queries ${q}_{R1}$ made to the Reveal1 oracle. The enhanced protocol is provably secure in the random oracle model against an adversary $\mathcal{A}$ extracting the $ID$ of mobile user $M{U}_{a}$ if $Ad{v}_{\mathcal{A}}^{IND-CCA}({t}_{1};{q}_{R1})\le {\epsilon}_{1}$ for any sufficiently small ${\epsilon}_{1}>0$. In the experiment $EXPE{1}_{\mathcal{A}}^{IND-CCA}$ described in $Algorithm\phantom{\rule{4pt}{0ex}}1$, $\mathcal{A}$ can successfully extract the $ID$ of mobile user $M{U}_{a}$ only if $\mathcal{A}$ is able to break the $IND-CCA$ security of the symmetric encryption algorithm. However, by Definition 1 we have $Ad{v}_{\mathcal{A}}^{IND-CCA}\left({t}_{1}\right)\le {\epsilon}_{1}$ for any sufficiently small ${\epsilon}_{1}>0$. Since $Ad{v}_{\mathcal{A}}^{IND-CCA}({t}_{1};{q}_{R1})$ depends on $Ad{v}_{\mathcal{A}}^{IND-CCA}\left({t}_{1}\right)$, we obtain $Ad{v}_{\mathcal{A}}^{IND-CCA}({t}_{1};{q}_{R1})\le {\epsilon}_{1}$. We conclude that the enhanced protocol is secure against an adversary $\mathcal{A}$ attempting to extract the $ID$ of mobile user $M{U}_{a}$. □

**Theorem 2.** Under the assumption that the hash function behaves as a random oracle and that the ECDLP is hard, the enhanced protocol is provably secure in the random oracle model against a probabilistic polynomial-time bounded adversary attempting to extract the session key $SK$ between the user and the foreign agent.

**Proof.** Consider the experiment $EXPE{2}_{\mathcal{A}}^{Hash,ECDLP}$ for a probabilistic polynomial-time bounded adversary $\mathcal{A}$ who attempts to extract the random numbers used in computing the $SK$ between the user and the foreign agent. We define the success probability of $EXPE{2}_{\mathcal{A}}^{Hash,ECDLP}$ as $Succ{2}_{\mathcal{A}}^{Hash,ECDLP}=2Pr[EXPE{2}_{\mathcal{A}}^{Hash,ECDLP}=1]-1$. The advantage of $\mathcal{A}$ in $EXPE{2}_{\mathcal{A}}^{Hash,ECDLP}$ is then $Ad{v}_{\mathcal{A}}^{Hash,ECDLP}({t}_{2};{q}_{R2};{q}_{R3})=ma{x}_{\mathcal{A}}Succ{2}_{\mathcal{A}}^{Hash,ECDLP}$, where the maximum is taken over all adversaries $\mathcal{A}$ with execution time ${t}_{2}$ and numbers of queries ${q}_{R2}$ made to the Reveal2 oracle and ${q}_{R3}$ made to the Reveal3 oracle. The enhanced protocol is provably secure in the random oracle model against $\mathcal{A}$ for the hash values of the session key $SK$ if $Ad{v}_{\mathcal{A}}^{Hash,ECDLP}({t}_{2};{q}_{R2};{q}_{R3})\le {\epsilon}_{2}$ for any sufficiently small ${\epsilon}_{2}>0$. In the experiment $EXPE{2}_{\mathcal{A}}^{Hash,ECDLP}$ shown in $Algorithm\phantom{\rule{4pt}{0ex}}2$, $\mathcal{A}$ can successfully extract the hash values of the session key $SK$ only if $\mathcal{A}$ is able to invert the hash function and solve the $ECDLP$. However, by Definition 2 and Definition 3, $Ad{v}_{\mathcal{A}}^{ECDLP}\left({t}_{2}\right)\le {\epsilon}_{3}$ and $Ad{v}_{\mathcal{A}}^{Hash}\left({t}_{3}\right)\le {\epsilon}_{4}$ for any sufficiently small ${\epsilon}_{3}>0$, ${\epsilon}_{4}>0$. Since $Ad{v}_{\mathcal{A}}^{Hash,ECDLP}({t}_{2};{q}_{R2};{q}_{R3})$ depends on $Ad{v}_{\mathcal{A}}^{ECDLP}\left({t}_{2}\right)\le {\epsilon}_{3}$ and $Ad{v}_{\mathcal{A}}^{Hash}\left({t}_{3}\right)\le {\epsilon}_{4}$, we obtain $Ad{v}_{\mathcal{A}}^{Hash,ECDLP}({t}_{2};{q}_{R2};{q}_{R3})\le {\epsilon}_{2}$. We conclude that the enhanced protocol is provably secure against an adversary attempting to extract the session key $SK$ between the user and the foreign agent. □

#### 5.2. Automated Security Analysis with ProVerif

We chose the widely used software tool ProVerif [34,35] to perform an automated security analysis. ProVerif is built on the applied $\pi $ calculus [36]. It can test and simulate many cryptographic operations, such as encryption/decryption, symmetric/asymmetric cryptosystems, hashes, signatures, etc., and it can verify secrecy and authenticity properties. The complete protocol as given in Figure 2 is implemented and verified in ProVerif. Three channels, shown in Figure 3a, are introduced in the implementation. The secure channel sch1 is dedicated to the registration between the mobile user and the home agent, whereas the two public channels pch2 and pch3 carry the communication of the mobile user and the home agent with the foreign agent. The variables and constants are also defined in Figure 3a. To keep the mobile user anonymous, its identity IDmx is kept private, whereas the identities of the home and foreign agents, IDhz and IDfy respectively, are public. The mobile user's password PWmx and the shared keys Kxz and Kyz (between mobile user and home agent, and between foreign agent and home agent, respectively) are private. Sh and Ph are the private and public keys of the home agent. Constructors are specified to simulate cryptographic operations and functions; a destructor and an equation are then specified to simulate inversion and decryption.

Every participant is described through two events, a begin event and an end event. Authenticity of the protocol is established by exposing the correspondence between the begin and end events of each participant. If the end event is not reached, the protocol terminated unsuccessfully and the scheme is incorrect. In Figure 3b, three distinct processes are implemented and simulated on behalf of the three participants. These processes are pMuser, pHagt, and pFagt, which are defined and implemented as shown in Figure 2 and described in Section 4. The proposed scheme is simulated as an unbounded parallel execution of the user, home and foreign network processes.

The following four queries are defined in Figure 3c to verify the security and correctness of our protocol. The attacker query simulates an actual attack to expose the session key, whereas the other three inj-event queries correspond to the begin and end events of the three processes, i.e., the user, home, and foreign networks. If any of these queries returns false, the scheme is incorrect. The abilities of an attacker are evaluated by executing the Not-attacker (SK) predicate, where $SK$ is private. It is assumed that the public parameters are accessible to the attacker. The three inj-event queries affirm the correspondence between the initiation and termination of events for each of the processes, i.e., the user, home, and foreign networks. The outcome of these queries is shown in Figure 3d.

Results 1, 2, and 3 in Figure 3d show that each process initiated and terminated successfully, which establishes the correctness of our scheme, whereas result 4, Not-attacker (SK), affirms that the session key is secure against the attacker. Hence, our protocol maintains authenticity and secrecy during its execution.

#### 5.3. Security Requirements

The security requirements of the proposed scheme and a comparison of the proposed scheme with related competing schemes [9,12,14,25,26] are detailed in the following subsections. Table 2 also illustrates the comparison and confirms that only the proposed scheme provides all the required features and resists all known attacks, whereas each competing scheme either lacks some feature or fails to resist some known attack.

#### 5.3.1. Mutual Authentication

The proposed scheme, through ${\mathcal{HA}}_{z}$ (the home agent), provides mutual authentication between ${\mathcal{MN}}_{x}$ (the mobile node) and ${\mathcal{FA}}_{y}$ (the foreign agent). ${\mathcal{HA}}_{z}$ authenticates ${\mathcal{MN}}_{x}$ by validating ${C}_{mx}\stackrel{?}{=}Ma{c}_{{U}_{hz}}({N}_{mx}P,I{D}_{mx},{T}_{1})$. Computing a valid ${C}_{mx}$ requires an adversary to have access to the secret parameter of ${\mathcal{MN}}_{x}$, i.e., ${U}_{hz}=h(I{D}_{mx},{S}_{h})$, as well as to a valid ${N}_{mx}P$, which can only be extracted from ${A}_{mx}$ by using the secret key ${S}_{h}$ of ${\mathcal{HA}}_{z}$. Neither ${U}_{hz}$ nor ${N}_{mx}P$ can be computed by an adversary, so only a valid ${\mathcal{MN}}_{x}$ can pass this test. Moreover, ${\mathcal{HA}}_{z}$ authenticates ${\mathcal{FA}}_{y}$ by validating ${B}_{fy}\stackrel{?}{=}Ma{c}_{{\left({N}_{fy}P\right)}_{x}}(I{D}_{hz},{T}_{1})$. Computing a valid ${B}_{fy}$ requires an adversary to extract ${N}_{fy}P$, which can be computed from the public parameter ${A}_{fy}={N}_{fy}P+H({K}_{yz},I{D}_{fy},{T}_{2})P$ sent by ${\mathcal{FA}}_{y}$ only with access to the pre-shared secret key ${K}_{yz}$ between ${\mathcal{HA}}_{z}$ and ${\mathcal{FA}}_{y}$. No adversary, insider or outsider, has access to the pre-shared secret key. Therefore, only a valid ${\mathcal{FA}}_{y}$ can pass this test. Similarly, ${\mathcal{FA}}_{y}$ authenticates ${\mathcal{HA}}_{z}$ by validating ${B}_{hz}\stackrel{?}{=}Ma{c}_{{K}_{yz}}({N}_{fy}P,{N}_{mx}P+H\left(I{D}_{mx}\right)P,{T}_{3})$; computing a valid ${B}_{hz}$ requires an adversary to have access to the pre-shared secret key ${K}_{yz}$ between ${\mathcal{HA}}_{z}$ and ${\mathcal{FA}}_{y}$. The adversary also needs to compute the valid ${N}_{fy}P$ corresponding to the parameter ${A}_{fy}={N}_{fy}P+H({K}_{yz},I{D}_{fy},{T}_{2})P$ sent earlier on the public channel by ${\mathcal{FA}}_{y}$ to ${\mathcal{HA}}_{z}$, which again requires the pre-shared secret key ${K}_{yz}$. Therefore, only a valid ${\mathcal{HA}}_{z}$ can pass this test. Likewise, ${\mathcal{MN}}_{x}$ authenticates: 1) ${\mathcal{HA}}_{z}$ by validating ${D}_{hz}\stackrel{?}{=}Ma{c}_{{U}_{hz}}(I{D}_{fy},{N}_{fy}P,{T}_{3},PI{D}_{mx})$ and 2) ${\mathcal{FA}}_{y}$ by verifying ${C}_{fy}\stackrel{?}{=}Ma{c}_{{({N}_{mx}P+H\left(I{D}_{mx}\right)P)}_{x}}(I{D}_{fy},{N}_{fy}P,{T}_{3},{T}_{4},{C}_{mx})$. To generate a valid ${D}_{hz}$, an adversary needs access to the secret parameter ${U}_{hz}$ of ${\mathcal{MN}}_{x}$ as well as a valid ${N}_{fy}P$, both of which are available only to a legal ${\mathcal{HA}}_{z}$. Likewise, to generate a valid ${C}_{fy}$, an adversary must compute valid ${N}_{mx}P+H\left(I{D}_{mx}\right)P$, ${N}_{fy}P$ and ${C}_{mx}$, all of which can only be computed by a legal ${\mathcal{FA}}_{y}$. Hence, mutual authentication between ${\mathcal{MN}}_{x}$ and ${\mathcal{FA}}_{y}$ through ${\mathcal{HA}}_{z}$ is an essential trait of the proposed scheme.

#### 5.3.2. Correctness

The proposed scheme correctly accomplishes the authentication process between ${\mathcal{MN}}_{x}$ and ${\mathcal{FA}}_{y}$ through ${\mathcal{HA}}_{z}$. Unlike Lu et al.'s scheme, in the proposed scheme ${\mathcal{HA}}_{z}$ does not unnecessarily update (${K}_{xz},{K}_{yz}$) after each successful login. More precisely, the proposed scheme does not require a verifier table for any user; therefore, no entry can be modified by ${\mathcal{HA}}_{z}$. Since ${\mathcal{HA}}_{z}$ uses no verifier table, handling a user request does not involve finding and comparing verifier entries, which helps to minimize the delay. Hence, the proposed scheme provides a correct and secure authentication process.

#### 5.3.3. User Anonymity/Untraceability

Unfortunately, and despite their claim, in the scheme of Lu et al. the pseudo identity $PI{D}_{mx}$ remains the same not only for multiple but for all sessions. In the proposed scheme, on every login/authentication request ${\mathcal{MN}}_{x}$ selects a new random number ${N}_{mx}$ and computes the dynamic pseudo identity $PI{D}_{mx}={N}_{mx}P\oplus I{D}_{mx}$. Therefore, the proposed scheme provides not only identity hiding but also untraceability/unlinkability.

#### 5.3.4. Perfect Forward Secrecy

The session key $SK=h\left({N}_{fy}({N}_{mx}P+H\left(I{D}_{mx}\right)P)\right)$ computed after successful authentication between ${\mathcal{MN}}_{x}$ and ${\mathcal{FA}}_{y}$ contains a share from both parties, i.e., ${N}_{mx}$ from ${\mathcal{MN}}_{x}$ and ${N}_{fy}$ from ${\mathcal{FA}}_{y}$. Both ${N}_{mx}$ and ${N}_{fy}$ are freshly generated for each session. Moreover, neither ${\mathcal{MN}}_{x}$ nor ${\mathcal{FA}}_{y}$ has full control over the key generation. Even if one or more shared keys from previous sessions are compromised, the adversary is not able to compute any future session key. Hence, the proposed scheme provides perfect forward secrecy.

#### 5.3.5. User Forgery Attack

As described in Section 5.3.1, ${\mathcal{HA}}_{z}$ authenticates the user by validating ${C}_{mx}$, and a valid ${C}_{mx}$ can only be computed by a legal ${\mathcal{MN}}_{x}$. Moreover, ${\mathcal{FA}}_{y}$ authenticates ${\mathcal{MN}}_{x}$ by validating ${D}_{mx}\stackrel{?}{=}Ma{c}_{{({N}_{mx}+H\left(I{D}_{mx}\right)P)}_{x}}({C}_{fy},{N}_{fy}P)$; to forge ${D}_{mx}$, an adversary must compute ${N}_{mx}P$ as well as ${N}_{fy}P$. Only a legal ${\mathcal{MN}}_{x}$ can compute its own secretly generated parameter ${N}_{mx}P$ and extract ${N}_{fy}P$ from ${N}_{fy}P={C}_{hz}-H({U}_{hz},I{D}_{hz},{N}_{mx}P)P$, which requires the secret parameter ${U}_{hz}$ of ${\mathcal{MN}}_{x}$. Therefore, the proposed scheme strongly resists the user forgery attack.

#### 5.3.6. Stolen Verifier and Insider Attack

In the proposed scheme, the home agent ${\mathcal{HA}}_{z}$ does not store any information relating to the credentials of ${\mathcal{MN}}_{x}$, including its password; ${\mathcal{HA}}_{z}$ is free of any verifier table. The only information stored is the public identities of the users. Moreover, during the registration process, ${\mathcal{MN}}_{x}$ sends $PW{U}_{hz}=h(P{W}_{mx},{r}_{mx})$, along with $I{D}_{mx}$, to ${\mathcal{HA}}_{z}$. The password is concealed in a one-way hash function together with a random number. Therefore, no dishonest insider obtains any information about the password and gains no advantage. Hence, the proposed scheme resists insider attacks. Moreover, without a verifier table, the stolen verifier attack is impossible in the proposed scheme.

#### 5.3.7. Stolen Smart-Card Attack

In the proposed scheme, the smart-card contains $\{{\alpha}_{hz},{\beta}_{hz},{r}_{mx},h\left(\right),H\left(\right),{E}_{k},{D}_{k},Ma{c}_{k},{P}_{h}={S}_{h}P,P\}$, where the user-related information is stored in the parameters ${\alpha}_{hz}$, ${\beta}_{hz}$ and ${r}_{mx}$, with ${\alpha}_{hz}={U}_{hz}\oplus PW{U}_{hz}$ and ${\beta}_{hz}=h(h\left(I{D}_{mx}\right),PW{U}_{hz})$. Extracting password information from $\alpha $ or $\beta $ requires inverting the hash function, which by definition is a hard problem. Moreover, the user secret parameter ${U}_{hz}$ is also concealed with $PW{U}_{hz}$, and without the password information it is computationally infeasible to compute ${U}_{hz}$. Therefore, the proposed scheme resists stolen smart-card attacks.

#### 5.3.8. Known Session-Specific Parameters Attack

In the proposed scheme, the adversary is not able to compute the session key even if he obtains the session parameters ${N}_{mx}$ and ${N}_{fy}$, because the session key also requires the hashed identity concealed in the elliptic curve point $H\left(I{D}_{mx}\right)P$. Computing $I{D}_{mx}$ requires breaking the one-way property of the hash function as well as solving the elliptic curve discrete logarithm problem. Therefore, the proposed scheme resists the known session-specific parameters attack.
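The session key derivation of Section 5.3.4 and the known session-specific parameters argument of Section 5.3.8, as an added example that is not the paper's code: it runs $SK=h\left({N}_{fy}({N}_{mx}P+H\left(I{D}_{mx}\right)P)\right)$ on a constructed toy curve ($y^2 = x^3 + 2x + 2$ over $F_{17}$, base point of order 19), assumes SHA-256 for both $h(\cdot)$ and $H(\cdot)$, and checks that ${\mathcal{FA}}_{y}$ and ${\mathcal{MN}}_{x}$ agree on $SK$ while an attacker holding only ${N}_{mx}$ and ${N}_{fy}$ does not.

```python
# Added example (not the paper's code): toy-curve check that MN_x and FA_y
# derive the same SK = h(N_fy (N_mx P + H(ID_mx) P)) and that, as 5.3.8
# claims, N_mx and N_fy alone (without ID_mx) do not give SK.
import hashlib

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17; P has prime order 19.
# Far too small for real use; it only makes the group algebra visible.
p, a, b = 17, 2, 2
P = (5, 1)
n = 19

def ec_add(Q, R):
    """Affine point addition; None is the point at infinity."""
    if Q is None:
        return R
    if R is None:
        return Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # Q + (-Q) = O
    if Q == R:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, Q):
    """Double-and-add scalar multiplication k*Q, k reduced mod n."""
    R, k = None, k % n
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q, k = ec_add(Q, Q), k >> 1
    return R

def H(data: bytes) -> int:
    """Hash-to-scalar in [1, n-1]; stands in for the paper's H(.)."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (n - 1)

def h(point) -> bytes:
    """Hash of a point, h(.) in the paper; fixed encoding for infinity."""
    enc = b"\x00" if point is None else b"%d,%d" % point
    return hashlib.sha256(enc).digest()

def session_keys(id_mx: bytes, n_mx: int, n_fy: int):
    """Return (SK at FA_y, SK at MN_x, attacker's guess from N_mx, N_fy)."""
    hid_P = ec_mul(H(id_mx), P)                           # H(ID_mx)P
    sk_fa = h(ec_mul(n_fy, ec_add(ec_mul(n_mx, P), hid_P)))
    sk_mn = h(ec_mul(n_mx + H(id_mx), ec_mul(n_fy, P)))  # MN_x needs only N_fy P
    sk_adv = h(ec_mul(n_fy, ec_mul(n_mx, P)))            # lacks H(ID_mx)P
    return sk_fa, sk_mn, sk_adv
```

Because the attacker's point differs from the honest one by ${N}_{fy}H(I{D}_{mx})P \ne O$, the two hashes disagree; on a real curve the missing term is hidden behind the ECDLP and the one-way hash, as the section argues.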