Design of Secure and Efficient Authentication Protocol for Edge Computing-Based Augmented Reality Environments

Abstract

Augmented reality (AR) is a virtual technology that integrates virtual information and objects into real environments, offering unprecedented possibilities in such fields such as architecture, education, and healthcare. Real-time communication and security protocols are critical to the successful deployment of AR applications to ensure user immersion, prevent motion sickness, and address security problems. This paper proposes a secure user-to-user (U2U) and user-to-infrastructure (U2I) authentication protocol suitable for edge computing-based AR environments. We also employ extended Chebyshev chaotic maps and physical unclonable functions to ensure security and efficiency during the authentication process. The proposed protocol initiates session keys after U2I authentication when an AR user enters the edge node area, facilitating secure U2U authentication for sharing data with nearby users. We conduct comprehensive studies of the security robustness of the proposed protocol using formal and informal analyses, including “Burrows–Abadi–Needham logic”, “Real-Or-Random model”, the “Scyther tool” and informal security analyses. Furthermore, we measure the performance of cryptographic primitives using the “Multiprecision Integer and Rational Arithmetic Cryptographic Library” Cryptographic SDK. We perform a comparative analysis of security features and functionality, and we conduct a computational and communication cost analysis. The results reveal that the proposed protocol can provide security and efficiency for edge computing-based AR environments, presenting the methods for seamless and secure real-time AR data exchanges for U2I and U2U communications.

1. Introduction

Augmented Reality (AR) is a computer graphics technology that overlays virtual information and objects in real environments. In contrast to traditional computer graphics, AR uses real-time data on the actual surrounding environments, including length, depth, texture, and distance. Furthermore, AR devices are equipped with high-pixel displays, eye and object-tracking systems, and sensitive cameras and sensors to process real-time information [1]. Figure 1 illustrates the simplification of AR data processing. Recently, various network environments have attempted to use AR technology with the development of mobile chipset and wireless communication technologies. For instance, Microsoft launched the HoloLens series, which can perform AR tasks, including architectural design, education, and healthcare [2]. HoloLens increases work efficiency by querying necessary data from industrial sites and using them as visual material.

The implementation of real-time big data processing is necessary to ensure user immersion and prevent motion sickness in AR technology. Furthermore, the output of information with a higher pixel density (bit rate) than typical photographs and videos is essential. However, traditional cloud computing technology is burdened by high latency, and stand-alone technology demands high performance from end devices. Edge computing technology addresses this challenge by installing edge nodes at the network’s bottom, enabling efficient communication and performance in AR environments [3,4].

In edge computing-based AR environments, edge nodes provide similar visual information-based AR services to users within the area because of their locality. Furthermore, AR environments necessitate the real-time processing of substantial data compared to existing mobile computing environments [5]. Thus, edge computing-based AR environments still have a problem, potentially leading to frequent overloading on edge nodes, which is similar to traditional cloud-based mobile computing environments. The method of sharing AR content between users involves each user downloading necessary data from nearby users, bypassing the need for AR services from the edge node [6,7]. Through this approach, AR users can receive real-time data directly from nearby users, enabling the establishment of an efficient ad hoc network. Consequently, the overall operational efficiency can be enhanced because edge nodes do not need to carry the workload for all AR users employing user-to-user (U2U) communications.

The edge-computing-based AR content-sharing scheme can be subject to security problems because the communication channels of U2U and user-to-infrastructure (U2I) communications are public and wireless environments. If messages are hijacked, deleted, or captured by attackers, infringement of the user information can occur. Moreover, stolen or lost AR devices can threaten user privacy because they store sensitive information. If user information stored in an edge node is leaked, adversaries can use it to attempt a spoofing attack. In edge computing AR environments, edge nodes can be targeted to paralysis because they are regarded as local servers. Since user data in the AR environment are completely personalized data, untraceability and anonymity must be guaranteed. Nevertheless, the user’s identity must be verified in U2U and U2I communication while ensuring anonymity, and this process must be seamless and lightweight. Therefore, a secure authentication protocol is necessary for U2U and U2I communications. The security requirements and challenges for edge computing-based AR environments are as follows.

• Authentication: Mutual authentication is necessary to identify edge computing nodes and AR content users.
• Privacy preserving: Because the data that users use for AR services are based on personal information, resistance to privacy leaks is necessary.
• Anonymity and untraceability: Because the user’s AR device utilizes sensitive data and has mobility, it must provide anonymity and untraceability in U2U and U2I communications.
• Data access: Sophisticated data access is required because data are generated based on the user’s visual and auditory information in an edge computing-based AR environments.
• Latency: Since real-time communication is more important in the AR environment than in traditional environments, it must provide high performance while maintaining security.

In this paper, we propose a secure U2U and U2I authentication protocol for edge computing-based AR environments. The proposed protocol utilizes extended Chebyshev chaotic maps to ensure security and efficiency during the authentication process. After the user enters the edge node area through U2I authentication, a session key is created, and data are shared through U2U authentication with users who have adjacent AR content. Moreover, we use physical unclonable functions (PUFs) to guarantee the privacy of edge nodes. Therefore, AR users can receive seamless and secure real-time AR data from edge nodes and surrounding users.

1.1. Motivation

The edge computing-based AR environment has the characteristic of exchanging a huge amount of data compared to the traditional mobile networks. Since the exchanged data contain sensitive information of users, it can cause serious problem when these data are encrypted in low-level security. If a lot of computational resources are consumed for data masking, delays can occur due to low data response rates, which deteriorate service quality such as motion sickness. Based on the above motivations, we designed an authentication protocol to provide seamless U2I and U2U communications considering various security threats and efficiency for edge computing-based AR environments.

1.2. Contribution

The main contributions are as follows:

• We propose a secure and efficient authentication protocol for edge computing-based AR environments. The proposed protocol considers secure U2U and U2I communications for secure edge computing. Moreover, the proposed protocol can provide an efficient communication process using extended Chebyshev chaotic maps and PUFs.
• We analyze the security robustness of the proposed protocol using formal and informal analyses, such as “Burrows–Abadi–Needham (BAN) logic [8]”, “Real-Or-Random (ROR) model [9]” the “Scyther tool [10,11]”, and “informal security analysis”.
• We measure the performance of various cryptographic primitives using the “Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL) [12]” Cryptographic SDK. From that, we compare the security features and functionalities, and we conduct a computation and communication costs analysis of the proposed protocol and other related schemes.

2. Related Works

Edge computing-based AR environments have been being researched for a few years. In 2019, Ren et al. [13] introduced an architecture for AR environments based on edge computing technology. In Ren et al.’s AR architecture, cloud, edge, and user layers are constructed forming a hierarchy. Moreover, they present an operation mechanism to implement the edge computing-based AR technology. In 2021, Siriwardhana et al. [14] discussed AR technology that combines fifth-generation (5G) and edge computing. One of the main contributions in their paper is a division and analysis of AR environments, such as cloud, edge, localized, and hybrid-based architectures. They also discussed the requirements of security threats and solutions for AR environments. In the same year, Chen et al. [3] proposed an offloading scheme for AR edge computing environments. They considered a deep reinforcement learning model to obtain an optimized resource allocation. They demonstrated that their scheme could decrease the computation complexity and achieve a real-time offloading because this model does not consider combinatorial optimization. In 2022, Morín et al. [15] introduced a simplified AR offloading architecture using edge computing technology. Depending on the size and resource status of AR data, three AR offloading scenarios were introduced in their architecture: full, object detection and segmentation, and occlusion handling.

Recently, various service caching mechanisms have been proposed to address heavy computing tasks in AR environments. Dang et al. [16] proposed an on-device computational caching scheme for AR environments. In Dang et al.’s scheme, they presented a system model that can provide various AR services through computing caching-based device to device (D2D) communications. In their system model, D2D communication is activated when a user device cannot access an edge server due to overloading problems. In 2023, Park et al. [17] presented an object modeling system using collaborative communication for AR streaming services. In Park et al.’s modeling system, an AR user requests a part of segments from the edge computing node (ECN) and other nearby AR users to construct a complete three-dimensional (3D) virtual object. From that, the AR user can receive a decreased end-to-end delay and check the quality of the part-segments directly.

To provide secure communications between devices, D2D authentication schemes are introduced considering various network environments. In 2019, Chen et al. [18] proposed an authentication protocol for smart grid environments. Chen et al. considered communication channels between energy-trading consumers and constructed an U2U authentication protocol using bilinear pairings. Alzahrani et al. [19] introduced a two-party authentication scheme for the Internet of Vehicles. In their system model, various autonomous devices, including sensors, cameras, and smart vehicles, are registered to certificate authority. Then, the autonomous devices exchanges the authentication messages directly using the public key infrastructure. In 2021, Pham and Dang [20] proposed a lightweight D2D authentication protocol for the Internet of Things (IoT) environment using elliptic curve cryptography (ECC). In Phan and Dang’s protocol, a gateway participates in the authentication process to burden the computational overhead of ECC. In 2022, Hajian et al. [21] proposed a mutual authentication and key agreement protocol for D2D IoT deployments. In Hajian et al.’s protocol, IoT devices authenticate with each other using a direct communication link. Moreover, Hajian et al. used ECC to ensure a higher security than symmetric key-based cryptosystems. However, the above schemes [18,19,20,21] used ECC and bilinear pairings, which are unsuitable for U2U and U2I communications in edge computing-based AR environments. Moreover, several schemes used the main server as a certificate authority to complete D2D authentications, which can increase communication overhead. Because large volumes of data interact in real time in AR environments, designing computationally-efficient authentication protocols is essential. Thus, we propose a mutual authentication protocol using extended Chebyshev chaotic maps and PUFs to ensure a lightweight and secure scheme.

Table 1. Summary of the related schemes for D2D and U2U authentications.

Year	Scheme	Contributions	Limitations
2019	[18]	Proposed a D2D communication model in smart grids U2U authentication and key estabilshment protocol for smart grid environments Utilized bilinear pairings to establish shared key	Vulnerable to impersonation, privileged insider, and ESL attacks Requires huge computation costs using bilinear pairings
2019	[19]	Proposed D2D network model for IoT environments A two-party authentication scheme for the autonomous devices Used self-certifed public keys and ECC	Vulnerable to privileged insider attacks Cannot guarantee user anonymity Requires high computation costs using ECC
2021	[20]	Proposed a layered-based network architecture for IoT deployments Lightweight D2D authentication protocol for IoT networks Utilized ECC to establish a session key	Vulnerable to replay, man-in-the-middle, and impersonation attacks The gateway must be involved in the D2D authentication process Requires high computation costs using ECC
2022	[21]	Proposed 6G-based network model in IoT environments Mutual authentication and key agreement protocol for D2D IoT deployments Utilized ECC to establish a session key	Vulnerable to verification table leakage attacks High computation costs using ECC
-	Proposed	○ Proposed an edge computing-based system model for AR environments ○ Lightweight and secure mutual authentication protocol for U2U and U2I communications in edge computing-based AR environments ○ Utilize Chebyshev chaotic maps and PUFs to ensure security requirements and challenges for edge computing-based AR environments

shows the summarized literature review of the related schemes and the proposed protocol.

3. Preliminaries

In this section, we introduce the backgrounds of the proposed protocol, such as the system model, adversary model, security model, extended Chebyshev chaotic maps, and PUFs.

3.1. System Model

The proposed system model consists of the AR cloud, edge computing nodes (ECNs), and AR users. Figure 2 presents the proposed system model and details as follows:

AR cloud:

The AR cloud manages the proposed network system. Thus, the AR cloud registers ECN and AR users, and it stores their data in a secure database. The AR cloud has substantial data and computational resources.

ECN:       

The ECN is a infrastructure that performs the tasks of the AR cloud. Thus, ECNs are deployed in specific areas to provide useful AR services to service users. The ECNs communicate with the AR cloud to receive and store AR user data in the edge cache [13]. The data can be distributed to the corresponding AR users to enable real-time services. In the proposed system model, ECNs have sufficient computation and storage resources.

AR user: 

These users are end nodes that receive AR services using smart devices, including head-mounted display (HMD) devices. They interact with the corresponding infrastructure and users using wireless communication links. With the downloaded data, smart devices display the rendered information, and AR users can receive AR services. Thus, AR users register to the AR cloud and receive AR information from ECNs. Moreover, AR users can share their AR service data with other users (AR service user) when the ECN suffers from overloading problems.

3.2. Adversary Model

We adopt the well-known adversary model, “Dolev–Yao (DY)” [22] and “Canetti–Krawczyk (CK)” [23] network model. In the DY network model, network participants communicate with each other through public channels. Thus, adversaries can be concerned with the messages because adversaries have authority over public networks. The adversary can handle (e.g., eavesdrop, delete, insert, capture) messages transmitted via open channels. In the CK network model, the adversary can obtain short-term (e.g., ephemeral secret parameters) or long-term (e.g., master key) parameters. Thus, the adversary can try to calculate network participants’ sensitive information using ephemeral secret parameters or the master key of an AR cloud. The adversary also can obtain the legitimate AR user’s secret value using power analysis attacks [24]. Therefore, the adversary can conduct various security attacks as follows:

• The adversary can try to impersonate a legitimate user [25].
• The adversary can attempt to compute the session key using secret parameters [26].
• The adversary can try to reveal the real identity or the location information of the AR user [27].
• The adversary can conduct various security threats, including insider, replay, verification table leakage, and man-in-the-middle attacks [28].

3.3. Extended Chebyshev Chaotic Maps

The extended Chebyshev chaotic maps are a cryptosystem based on the Chebyshev polynomials [29]: $T_n\left(x\right)=2x{T}_{n-1}\left(x\right)-T_{n-2}\left(x\right)$. Note that $n\ge 2$, $n\in Z$, $x\in [-\infty , \infty ]$, $T_0\left(x\right)=1$, and $T_1\left(x\right)=x$. Moreover, the extended Chebyshev chaotic maps can be described as the following equation: $T_n\left(x\right)=cos(n\ast arccos\left(x\right))$. Therefore, the extended Chebyshev chaotic maps have the property of being a semi-group.

$$(T_a\left(T_b\left(x\right)\right)=T_b\left(T_a\left(x\right)\right)=T_{ab}\left(x\right)$$

The extended Chebyshev chaotic maps can be utilized as a cryptosystem using the following mathematical problems:

• Extended chaotic map-based discrete logarithm problem (ECMDLP): A problem to find an integer a when x and y are given (Equation: $T_a\left(x\right)=y$).
• Extended chaotic map-based computational Diffie–Hellman (ECMCDH): A problem to calculate $T_{ab}\left(x\right)$ when $T_a\left(x\right)$ and $T_b\left(x\right)$ are given.
• Extended chaotic map-based decisional Diffie–Hellman (ECMDDH): A problem to decide $T_{ab}\left(x\right)\stackrel{?}{=}{T}_m$ when $T_a$, $T_b$, and $T_m$ are given.

3.4. Physical Unclonable Functions

PUFs are the technology that makes physical replication impossible. PUFs utilize differences in the microstructure of semiconductors produced in the same manufacturing process. Thus, the same PUF-based devices output different results when the same values are input. PUFs can be utilized as a fingerprint for various devices by creating a unique security key that cannot be physically copied. In this paper, we define an equation $R=PUF\left(C\right)$ where R, $PUF(.)$, and C indicate response, PUF function, and challenge, respectively. We utilize PUF technology to preserve the security of the private key for ECNs.

3.5. Security Model

We introduce the security model of the proposed protocol for the ROR model [9]. The ROR model is a formal analysis to verify a secure session key agreement of the security protocol. We define the primitives which are used in the ROR model.

3.5.1. Participants

Participants are the network entities in the proposed protocol. Thus, we define $A{R}_U^{n_1}$, $A{R}_E^{n_2}$, and $A{R}_C^{n_3}$ as AR user, ECN, and AR cloud, respectively. Note that $n_k$ ($k=1, 2, 3$) is the instance of the participants.

3.5.2. Partnering

If two instances have session identity $sid$ and the values are the same, they become partners. In the proposed protocol, it can be considered as a partnering when $A{R}_U^{n_1}$ and $A{R}_E^{n_2}$ share unique values, such as $sid$.

3.5.3. Freshness

If the adversary is unable to reveal the session key $SK$ and thus cannot distinguish between $SK$ and random nonce, we consider instance $A{R}^{n_k}$ to be fresh.

3.5.4. Adversary

In the ROR model, the adversary can capture, delete, hijack, and insert messages over the public channel. The adversary conducts the following queries with the above abilites.

• $Execute(A{R}_U^{n_1}, A{R}_E^{n_1}, A{R}_C^{n_1})$: The adversary can obtain the content of messages over the public channel.
• $Send\left(A{R}^{n_k}\right)$: The adversary actively transmits messages to a participant $A{R}^{n_k}$ and receives the return message. This query can be considered as active attack.
• $Corrupt\left(A{R}_U^{n_1}\right)$: The adversary reveals the secret values from the smart device of an AR user. This query can be considered as active attack.
• $Test\left(A{R}^{n_k}\right)$: When the adversary conducts this query, the adversary obtains a flipped unbiased coin f. If the flipped coin shows 1 ($f=1$), it means that the adversary cannot distinguish the session key $sk$ and random number. Thus, $sk$ can be considered as fresh and secure. When the flipped coin shows 0 ($f=0$), $sk$ is not fresh. Otherwise, the result outputs $NULL$ value (⊥).

4. Proposed Protocol

We introduce the proposed protocol which is designed for edge computing-based AR environments. The proposed protocol consists of six phases: Initialization, ECN registration, AR user registration, U2I authentication, AR service user search, and U2U authentication phases.

Table 2. Notations and descriptions.

Notation	Explanation
$I{D}_{AM}$	Real identity of ECN
$I{D}_{AU}$	Real identity of AR user
$P{W}_{AU}$	Password of AR user
$PI{D}_s$	Pseudo-identity of AR user
$TI{D}_s$	Temporary identity of AR user
$r_s$	Random number
$t_s$	Timestamp
$T_s\left(z\right)$	Chebyshev chaotic maps operator
$h(.)$	Hash function
$PUF(.)$	PUF operator
$C_i$	Challenge of PUF
$R_i$	Response of PUF
$SK, K_{AR}$	Session key
⊕	XOR operator
$\left|\right|$	Concatenation operator
·	Multiplication operator

presents the explanation for each notation.

4.1. Initialization Phase

The AR cloud selects its master key $X_{AR}$ and a large prime number q. Then, the AR cloud selects $z\in [-\infty ,\infty ]$ for $T_n\left(z\right)=2z{T}_{n-1}\left(z\right)-T_{n-2}\left(z\right)$$mod$q. From that, the AR cloud computes its public key $P_{AR}=T_{X_{AR}}\left(z\right)$ and picks a hash function $h(.)$. Finally, the AR cloud publishes $\{P_{AR}, q, z, h(.)\}$ to the network.

4.2. ECN Registration Phase

MNR1: 

An ECN selects its identity $I{D}_{AM}$ and generates a random number $R_{ECN}$. Then, the ECN computes $RI{D}_{AM}=h(I{D}_{AM} \Vert R_{ECN})$ and sends $\{I{D}_{AM}, RI{D}_{AM}\}$ to the AR cloud via a secure channel.

MNR2: 

The AR cloud checks the validity of $I{D}_{AM}$ and generates $N_{AM}$ and $C_{AM}=[C_1, C_2, \dots , C_i, \dots , C_n]$. After that, the AR cloud computes $R_{AM}=h(N_{AM} \Vert RI{D}_{AM})$ and sends $\{R_{AM}, C_{AM}\}$ to the ECN through a secure channel.

MNR3: 

The ECN computes $S_{AM}=PUF\left(C_{AM}\right)=[R_1, R_2, \dots , R_i, \dots , R_n]$, fuzzy extractor [30] $E{H}_{AM}=Gen\left(S_{AM}\right)=[(E_1, H_1), \dots , (E_i, H_i), \dots , (E_n, H_n)]$, $Gen\left(PUF\left(h(I{D}_{AM} \Vert R_{ECN})\right)\right)=$$(M_{ECN}, H_{ECN})$, and $P_{AM}=T_{M_{ECN}}\left(z\right)$. Moreover, the ECN stores $\{I{D}_{AM},$$H_{ECN}, S_{AM}, H_{AM}\}$ in its secure database and sends $\{E{H}_{AM}, P_{AM}\}$ to the AR cloud.

MNR4: 

The AR cloud computes $S{C}_{AM}=C_{AM}\oplus h(X_{AR} \Vert I{D}_{AM} \Vert P_{AM})$ and $S{E}_{AM}=E_{AM}\oplus h(C_{AM} \Vert X_{AR} \Vert I{D}_{AM})$, and it stores $\{S{C}_{AM}, S{E}_{AM}, P_{AM}, I{D}_{AM}\}$ in its secure database.

4.3. AR User Registration Phase

AUR1: 

An AR user selects an identity $I{D}_{AU}$ and password $P{W}_{AU}$. Then, the AR user generates $R_{AU}$ and computes $RI{D}_{AU}=h(I{D}_{AU} \Vert R_{AU})$, $RP{W}_{AU}=h(P{W}_{AU} \Vert R_{AU} \Vert I{D}_{AU})$, $M_{AU}=h(I{D}_{AU} \Vert RI{D}_{AU} \Vert P{W}_{AU})$, and $P_{AU}=T_{M_{AU}}\left(z\right)$. The AR user sends $\{I{D}_{AU}, RI{D}_{AU}, P_{AU}\}$ to the AR cloud via a secure channel.

AUR2: 

The AR cloud checks the identity of AR user $I{D}_{AU}$ and generates $R_{AU}$, $r_E\in \{2^4, 2^8\}$. The AR cloud retrieves $S{C}_{AMi}$ and $S{E}_{AMi}$ from $S{C}_{AM}$ and $S{E}_{AM}$, respectively. Then, the AR cloud computes $C_i=S{C}_{AMi}\oplus h(X_{AR} \Vert I{D}_{AM}\Vert P_{AM})$, $E_i=S{E}_{AMi}\oplus h(C_i \Vert X_{AR} \Vert I{D}_{AM})$, $V{U}_i=h(C_i \Vert E_i \Vert P_{AM})$, $PI{D}_{AU}=h(R_{UC} \Vert RI{D}_{AU} \Vert P_{AU})$, $SI{D}_{AU}=I{D}_{AU}\oplus h(X_{AR} \Vert P_{AU} \Vert PI{D}_{AU})$, and $SC{E}_{AU}=C_i\oplus h(I{D}_{AU} \Vert X_{AR} \Vert P_{AU})$. After that, the AR cloud stores $\{PI{D}_{AU}, P_{AU}, SI{D}_{AU}$, $SC{E}_{AU}\}$ in its database and returns $\{PI{D}_{AU}, V{U}_i, C_i, r_E\}$ to the AR user through a secure channel.

AUR3: 

The AR user computes $API{D}_{AU}=PI{D}_{AU}\oplus h(I{D}_{AU} \Vert P_{AU} \Vert P{W}_{AU})$, $A{R}_{AU}=R_{AU}\oplus h(PI{D}_{AU} \Vert P{W}_{AU} \Vert RP{W}_{AU})$, $AV{U}_{AU}=V{U}_i\oplus h(R_{AU} \Vert RI{D}_{AU} \Vert P{W}_{AU})$, $A{C}_{AU}=C_i\oplus h(V{U}_i \Vert RP{W}_{AU} \Vert I{D}_{AU})$, and $V_{AU}=h(M_{AU} \Vert PI{D}_{AU} \Vert P_{AU} \Vert V{U}_i \Vert C_i)$ mod $r_E$. Then, the AR user stores $\{P_{AU}, API{D}_{AU}, A{R}_{AU}, AV{U}_{AU}$, $A{C}_{AU},$$V_{AU}, r_E\}$ in the memory.

4.4. U2I Authentication Phase

After the registration phase, the AR user enters the management region of ECN and sends an initial authentication request message to ECN. Then, the ECN and AR user perform a U2I authentication process. Figure 3 shows the U2I authentication phase, and the details are as follows.

U2I1: 

The AR user inputs $I{D}_{AU}$ and $P{W}_{AU}$, and computes $RI{D}_{AU}=h(I{D}_{AU} \Vert R_{AU})$, $PI{D}_{AU}=API{D}_{AU}\oplus h(I{D}_{AU} \Vert P_{AU} \Vert P{W}_{AU})$, $R_{AU}=A{R}_{AU}\oplus h(PI{D}_{AU} \Vert P{W}_{AU} \Vert RP{W}_{AU})$, $RP{W}_{AU}=h(P{W}_{AU} \Vert R_{AU} \Vert I{D}_{AU})$, $V{U}_i=AV{U}_{AU}\oplus h(R_{AU} \Vert RI{D}_{AU} \Vert P{W}_{AU})$, $C_i=A{C}_{AU}\oplus h(V{U}_i \Vert RP{W}_{AU} \Vert I{D}_{AU})$, and $V_{AU}^{\prime }=h(M_{AU} \Vert PI{D}_{AU} \Vert P_{AU} \Vert V{U}_i \Vert C_i)$ mod $r_E$. After checking $V_{AU}^{\prime }\stackrel{?}{=}{V}_{AU}$, the AR user generates a random nonce $r_1$ and timestamp $t_1$, and they compute $A_1=T_{r_1}\left(z\right)$, $A_2=T_{r_2}\left(P_{AM}\right)$, $TI{D}_1=PI{D}_{AU}\oplus h(t_1 \Vert A_2 \Vert I{D}_{AM})$, $M{C}_1=C_i\oplus h(PI{D}_{AU} \Vert A_1 \Vert A_2)$, and $V_1=h(V{U}_i \Vert C_i \Vert PI{D}_i \Vert A_2 \Vert t_1 \Vert I{D}_{AM})$. The AR user generates an authentication request message $\{TI{D}_1, A_1, M{C}_1, V_1, t_1\}$ and sends it to the ECN via an open channel.

U2I2: 

The ECN first checks $|t_1-t_c|<\Delta t$ and computes $Rep(PUF\left(h(I{D}_{AM} \Vert R_{ECN})\right),$$H_{ECN})=M_{ECN}$, $A_2^{\prime }=T_{M_{ECN}}\left(A_1\right)$, $PI{D}_{AU}^{\prime }=TI{D}_1\oplus h(t_1 \Vert A_2^{\prime } \Vert I{D}_{AM})$, $C_i^{\prime }=M{C}_1\oplus h(PI{D}_{AU}^{\prime } \Vert A_1 \Vert A_2^{\prime })$, $S_i^{\prime }=PUF\left(C_i^{\prime }\right)$, $E_i^{\prime }=Rep(S_i^{\prime }, H_i)$, $V{U}_i^{\prime }=h(C_i^{\prime } \Vert E_i^{\prime } \Vert PI{D}_{AU}^{\prime } \Vert P_{AM})$, and $V_1^{\prime }=h(V{U}_i^{\prime } \Vert C_i^{\prime } \Vert PI{D}_{AU}^{\prime } \Vert A_2^{\prime } \Vert t_1 \Vert I{D}_{AM})$. When the result of $V_1^{\prime }\stackrel{?}{=}{V}_1$ is correct, the ECN generates $r_2$ and $t_2$ and computes $A_3=T_{r_2}\left(z\right)$, $A_4=T_{r_2}\left(A_1\right)$, a session key $SK=h(A_4 \Vert A_2 \Vert t_2 \Vert V{U}_i \Vert PI{D}_{AU} \Vert I{D}_{AM})$, and $V_2=h(A_4 \Vert SK \Vert t_2 \Vert V{U}_i \Vert A_2)$. Then, the ECN sends $\{A_3, V_2, t_2\}$ to the AR user through an open channel.

U2I3: 

The AR user checks $|t_2-t_c|<\Delta t$ and computes $A_4^{\prime }=T_{r_1}\left(A_3\right)$, $S{K}^{\prime }=h(A_4^{\prime } \Vert A_2 \Vert t_2 \Vert V{U}_i \Vert PI{D}_{AU} \Vert I{D}_{AM})$, and $V_2^{\prime }=h(A_4^{\prime } \Vert S{K}^{\prime } \Vert t_2 \Vert V{U}_i \Vert A_2)$. If $V_2^{\prime }\stackrel{?}{=}{V}_2$, the session key is completely agreed.

4.5. AR Service User Search Phase

After the U2I authentication phase, the AR user requests AR data from the ECN. If the ECN has a lot of work or is overloaded, it transmits search results about nearby users who own AR service data. Details are as follows.

AUS1: 

The AR user generates an AR request message $M_{AR}$ and timestamp $t_{AR}$, and they compute $V_{AR}=h(M_{AR} \Vert TI{D}_1 \Vert t_{AR} \Vert SK)$, $C_{AR}=AES{(TI{D}_1, M_{AR}, V_{AR})}_{SK}$. Then, the AR user sends $\{C_{AR}, t_{AR}\}$ to the ECN.

AUS2: 

After checking $|t_{AR}-t_c|<\Delta t$, the ECN decrypts $(TI{D}_1, M_{AR}, V_{AR})=D{\left(C_{AR}\right)}_{SK}$ and computes $V_{AR}^{\prime }=h(M_{AR} \Vert TI{D}_1 \Vert t_{AR} \Vert SK)$. If $V_{AR}^{\prime }\stackrel{?}{=}{V}_{AR}$, the ECN searches a $M_{AR}$ service user $TI{D}_M$. Then, the ECN generates $t_M$ and computes $V_M=h(S{K}_M \Vert PI{D}_M \Vert M_{AR})$, $V_{AR2}=h(TI{D}_M \Vert P_M \Vert t_M \Vert V_M)$, and $C_M=AES{(TI{D}_M, V_M, V_{AR2}, P_M)}_{SK}$. Note that $S{K}_M$, $PI{D}_M$, $V_M$ are the session key, pseudo-identity, and verification parameter for $TI{D}_M$. Finally, the ECN sends $\{C_M, t_M\}$ to the AR user via an open channel.

AUS3: 

The AR user checks $|t_M-t_c|<\Delta t$ and decrypts $C_M$ to obtain $(TI{D}_M, V_M, V_{AR2}, P_M)$. The AR user computes $V_{AR2}^{\prime }=h(TI{D}_M \Vert P_M \Vert t_M \Vert V_M)$ and checks $V_{AR2}^{\prime }\stackrel{?}{=}{V}_{AR2}$.

4.6. U2U Authentication Phase

The AR user broadcasts an authentication request message. The AR service user who owns AR data inspects this message and conducts the U2U authentication process. Figure 4 indicates the U2U authentication phase, and the details are as follows.

U2U1: 

The AR user generates $r_3$, $t_3$ and computes $A_5=T_{r_3}\left(z\right)$, $A_6=T_{r_3}\left(P_M\right)$, $M{C}_2=(M_{AR} \Vert P_{AU})\oplus h(A_6 \Vert TI{D}_M \Vert t_3 \Vert A_5)$, and $V_3=h(M_{AR} \Vert A_6 \Vert V_M \Vert P_{AU} \Vert t_3)$. Then, the AR user sends $\{A_5, M{C}_2, V_3, t_3\}$ to the AR service user $I{D}_M$.

U2U2: 

The AR service user $I{D}_M$ first checks $|t_3-t_c|<\Delta t$ and computes $A_6^{\prime }=T_{M_M}\left(A_5\right)$, $(M_{AR}^{\prime } \Vert P_{AU}^{\prime })=M{C}_2\oplus h(A_6^{\prime } \Vert TI{D}_M \Vert t_3 \Vert A_5)$, $V_M^{\prime }=h(S{K}_M \Vert PI{D}_M^{\prime } \Vert M_{AR}^{\prime })$, and $V_3^{\prime }=h(M_{AR}^{\prime } \Vert A_6^{\prime } \Vert V_M^{\prime } \Vert P_{AU}^{\prime } \Vert t_3)$. If $V_3^{\prime }\stackrel{?}{=}{V}_3$, the AR service user $I{D}_M$ generates $r_4$, $t_4$ and computes $A_7=T_{r_4}\left(z\right)$, $A_8=T_{M_M}\left(P_{AU}\right)$, $A_9=T_{r_4}\left(A_5\right)$, $K_{AR}=h(A_8 \Vert A_9 \Vert t_4 \Vert TI{D}_M \Vert M_{AR})$, and $V_4=h(K_{AR} \Vert A_7 \Vert A_8 \Vert A_9 \Vert t_4 \Vert M_{AR})$. Then, the AR service user sends $\{A_7, V_4, t_4\}$ to the AR user via an open channel.

U2U3: 

The AR user checks $|t_4-t_c|<\Delta t$ and computes $A_8^{\prime }=T_{M_{AR}}\left(P_M\right)$, $A_9^{\prime }=T_{r_3}\left(A_7\right)$, $K_{AR}^{\prime }=h(A_8^{\prime } \Vert A_9^{\prime } \Vert t_4 \Vert TI{D}_M \Vert M_{AR})$, and $V_4^{\prime }=h(K_{AR}^{\prime } \Vert A_7 \Vert A_8^{\prime } \Vert A_9^{\prime } \Vert t_4 \Vert M_{AR})$. If $V_4^{\prime }\stackrel{?}{=}{V}_4$, the U2U authentication phase is successful and the AR user receives the AR contents using the session key $K_{AR}$.

5. Security Analysis

To prove the security robustness of the proposed protocol, we conduct informal security analysis, using the Scyther tool, BAN logic, and the ROR model.

5.1. Informal Security Analysis

5.1.1. Replay and Man-in-the-Middle Attack

In our protocol, the network participants send messages with random numbers $r_1$, $r_2$, $r_3$, and $r_4$, and timestamps $t_1$, $t_2$, $t_3$, and $t_4$. Thus, network participants can check the freshness of messages. Although an adversary captures and sends a message from a previous session, the network participants can filter it using the timestamp and random nonce. Therefore, the proposed protocol can prevent replay and man-in-the-middle attacks.

5.1.2. AR User Impersonation Attack

Suppose that an adversary captures messages of a legitimate user and tries to impersonate the user. However, the messages transmitted through open channels are masked in the public key of AR user $P_{AU}$, so the adversary must obtain the private key $M_{AU}$. Moreover, the adversary cannot impersonate as the AR user without knowing the pseudo-identity $PI{D}_{AU}$. These parameters are encrypted in the AR user’s device with the identity and password. Thus, the proposed protocol is secure against impersonation attacks.

5.1.3. Privileged Insider Attack

If an adversary is a privileged insider in our proposed network system, the adversary can reveal and captures all of registration messages, including $\{I{D}_{AU}, RI{D}_{AU}, P_{AU}\}$. Moreover, suppose that the adversary obtains secret parameters of the AR user $\{P_{AU}, API{D}_{AU},$$A{R}_{AU}, AV{U}_{AU}, A{C}_{AU}, V_{AU}, r_E\}$. To calculate and decrypt these parameters, the adversary must guess the password $P{W}_{AU}^{\prime }$ of the AR user. However, our protocol utilizes fuzzy verifier $r_E$, so the probability of guessing correct $P{W}_{AU}$ is $2^8/\left|hash\right|\approx 1/{10}^{15}$. Therefore, the proposed protocol can prevent privileged insider attacks.

5.1.4. Verification Table Leakage Attack

Suppose that the adversary obtains the leaked-verification table $\{S{C}_{AM}, S{E}_{AM}, P_{AM},$$I{D}_{AM}\}$ and $\{PI{D}_{AU}, P_{AU}, SI{D}_{AU},$$SC{E}_{AU}\}$. From that, the adversary tries to reveal and attack the proposed network. However, the adversary cannot reveal any secret parameters without knowing the master key of AR cloud $X_{AR}$. Therefore, the proposed protocol can prevent verification table leakage attacks.

5.1.5. Ephemeral Secret Leakage Attack

If an adversary obtains the ephemeral secret parameters $r_1$, $r_2$, $r_3$, and $r_4$, the adversary tries to compute the session key $SK=h(A_4 \Vert A_2 \Vert t_2 \Vert V{U}_i \Vert PI{D}_{AU} \Vert I{D}_{AM})$ and $K_{AR}=h(A_8 \Vert A_9 \Vert t_4 \Vert TI{D}_M \Vert M_{AR})$. To calculate the session key, the adversary must obtain $A_2$, $A_4$, $A_8$, and $A_9$. However, this task is infeasible according to the ECMCDH problem. Thus, the proposed protocol is secure against ESL attacks.

5.1.6. Anonymity

If AR users send their real identity $I{D}_{AU}$, it can cause various security and privacy problems, including traceability. In our protocol, AR users use the temporary identities $TI{D}_k$, which are used in a specific session. Thus, the adversary cannot distinguish and trace the AR user. Thus, the proposed protocol can ensure AR user anonymity.

5.1.7. Perfect Forward Secrecy

Suppose that an adversary obtains the master key $X_{AR}$ and the public messages $\{TI{D}_1, A_1, M{C}_1, V_1, t_1\}$, $\{A_3, V_2, t_2\}$, $\{C_{AR}, t_{AR}\}$, $\{C_M, t_M\}$, $\{A_5, M{C}_2, V_3, t_3\}$, and $\{A_7, V_4, t_4\}$. However, the adversary cannot calculate the session key $SK$ and $K_{AR}$ because these parameters are composed of the secret parameters of AR users and ECNs, extended chaotic maps, and ephemeral secret parameters. Thus, the proposed protocol can guarantee perfect forward secrecy.

5.1.8. Mutual Authentication

In our protocol, all messages include timestamps $t_1$, $t_2$, $t_3$, and $t_4$, and network participants check the validity of them. If these processes are successful, the network participants decrypt messages and check the integrity using $V_1$, $V_2$, $V_3$, and $V_4$. When the integrity correctness process is complete, the mutual authentication is successful. Thus, the proposed protocol can ensure mutual authentication.

5.2. Scyther Tool

In this section, we simulate the security robustness of the proposed protocol using the Scyther tool. To simulate the proposed protocol, we first convert it into “Security Protocol Description Language (SPDL)”, which is the specific language for the Scyther tool. After that, the Scyther command-line tool verifies the security of the proposed protocol using various claim events. When the simulation is complete, we can obtain the result window which indicates the security robustness of the proposed protocol. If the result window shows “OK” in the “Status” tab and “No attacks” in the “Comment” tab, we can ensure that the proposed protocol has a secure authentication process.

Table 3. Scyther tool claim events.

Claim Event	Description
Secrecy	Integrity and confidentiality of an authentication parameter.
Alive	Checking the status whether the communication partner is active or not.
Weakagree	Checking the status whether the communication partner is the actual user or not (Simultaneously satisfying alive claim event).
Niagree	The data-set is agreed by network participants who satisfies alive and weakagree claim events.
Nisynch	The network participants conduct communications under instructions of the protocol (simultaneously satisfying alive, weak-agree, and no-agree claim events).

shows the claim events and Figure 5 indicates the result window of the proposed protocol.

5.3. BAN Logic

BAN logic [8] is a formal analysis method to prove the mutual authentication of the protocol. Thus, various security protocols analyzed the property of mutual authentication using BAN logic [31,32,33]. To analyze the proposed protocol using BAN logic, we define basic notations and descriptions in

Table 4. Basic notations and description.

Notation	Description
$R_i, R_j$	Principals
$SK$	Session key
$A_1, A_2$	Statements
$R_i|\equiv A_1$	$R_i$  believes  $A_1$
$R_1|\sim A_1$	$R_i$ once said $A_1$
$R_i⤇A_1$	$R_i$  controls  $A_1$
$R_i⊲A_1$	$R_i$  receives  $A_1$
$\#A_1$	$A_1$ is fresh
${\left\{A_1\right\}}_S$	$A_1$ is encrypted with S
$R_i\stackrel{KS}{\leftrightarrow }{R}_j$	$R_i$ and $R_j$ have a shared key $KS$

.

5.3.1. Rules

In BAN logic, there are five rules. The details are outlined below.

1.

Message meaning rule (MMR):

$$\frac{R_i| \equiv R_i\stackrel{KS}{\leftrightarrow }{R}_j, R_i⊲{\left\{A_1\right\}}_{SH}}{R_i| \equiv R_j|\sim A_1}$$

2.

Nonce verification rule (NVR):

$$\frac{R_i| \equiv \#\left(A_1\right), R_i|\equiv R_j|\sim A_1}{R_i| \equiv R_j|\equiv A_1}$$

3.

Jurisdiction rule (JR):

$$\frac{R_i| \equiv R_j⤇A_1, R_i| \equiv R_j|\equiv A_1}{R_i{A}_1}$$

4.

Belief rule (BR):

$$\frac{R_i| \equiv (A_1, A_2)}{R_i| \equiv A_1}$$

5.

Freshness rule (FR):

$$\frac{R_i| \equiv \#\left(A_1\right)}{R_i| \equiv \#(A_1, A_2)}$$

5.3.2. Goals

In our protocol, a session key is established between the network participants during the authentication phase. Therefore, the goals in our protocol are as follows.

Goal 1: 

$ARU| \equiv ECN\stackrel{SK}{\leftrightarrow }ARU$

Goal 2: 

$ARU| \equiv ECN| \equiv ARU\stackrel{SK}{\leftrightarrow }ECN$

Goal 3: 

$ECN| \equiv ARU\stackrel{SK}{\leftrightarrow }ARU$

Goal 4: 

$ECN| \equiv ARU| \equiv ECN\stackrel{SK}{\leftrightarrow }ARU$

5.3.3. Idealized Forms

In our protocol, an AR user and ECN exchange $\{TI{D}_1, A_1,$$M{C}_1, V_1, t_1\}$ and $\{A_3, V_2, t_2\}$ through open channels. Thus, we convert these messages into idealized forms.

IF 1: 

$ARU\to ECN:{\{PI{D}_{AU}, A_1, C_i, t_1\}}_{A_2}$

IF 2: 

$ECN\to ARU:{\{I{D}_{AM}, A_3, t_2\}}_{A_4}$

5.3.4. Assumptions

In our protocol, assumptions are as follows.

Assumption A1.

$ECN|\equiv \#(t_1)$.

Assumption A2.

$ARU|\equiv \#(t_2)$.

Assumption A3.

$ECN| \equiv ARU\stackrel{A_2}{\leftrightarrow }ECN$.

Assumption A4.

$ARU| \equiv ECN\stackrel{A_4}{\leftrightarrow }ARU$.

5.3.5. BAN Logic Analysis

Step 1: 

From $I{F}_1$, we can obtain $A{N}_1$.

$$A{N}_1 : ECN⊲{\{PI{D}_{AU}, A_1, C_i, t_1\}}_{A_2}$$

Step 2: 

We can obtain $A{N}_2$ utilizing the message meaning rule and Assumption 3.

$$\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}A{N}_2 : ECN|\equiv ARU|\sim (PI{D}_{AU}, A_1, C_i, t_1)$$

Step 3: 

We can obtain $A{N}_3$ utilizing the freshness rule and Assumption 1.

$$A{N}_3 : ECN|\equiv \#(PI{D}_{AU}, A_1, C_i, t_1)$$

Step 4: 

We can obtain $A{N}_4$ utilizing the nonce verification rule, $A{N}_2$, and $A{N}_3$.

$$A{N}_4 : ECN|\equiv ARU|\equiv (PI{D}_{AU}, A_1, C_i, t_1)$$

Step 5: 

From $I{F}_2$, we can obtain $A{N}_5$.

$$A{N}_5 : ARU⊲{\{PI{D}_{AM}, A_3, t_2\}}_{A_4}$$

Step 6: 

We can obtain $A{N}_6$ utilizing the message meaning rule and Assumption 4.

$$A{N}_6 : ARU|\equiv ECN|\sim (I{D}_{AM}, A_3, t_2)$$

Step 7: 

We can obtain $A{N}_7$ utilizing the freshness rule and Assumption 2.

$$A{N}_7 : ARU|\equiv \#(I{D}_{AM}, A_3, t_2)$$

Step 8: 

We can obtain $A{N}_8$ utilizing the nonce verification rule, $A{N}_6$, and $A{N}_7$.

$$A{N}_8 : ARU|\equiv ECN|\equiv (I{D}_{AM}, A_3, t_2)$$

Step 9: 

In our protocol, $ARU$ and $ECN$ establish the session key $SK=h(A_4 \Vert A_2 \Vert t_2 \Vert V{U}_i \Vert PI{D}_{AU} \Vert I{D}_{AM})$. Thus, we use $A{N}_4$ and $A{N}_8$ to obtain $A{N}_9$ and $A{N}_{10}$.

$$A{N}_9 : ARU|\equiv ECN|\equiv ARU\stackrel{SK}{\leftrightarrow }ECN \mathbf{(}\mathbf{Goal} \mathbf{2}\mathbf{)}$$

$$A{N}_{10} : ECN|\equiv ARU|\equiv ECN\stackrel{SK}{\leftrightarrow }ARU \mathbf{(}\mathbf{Goal} \mathbf{4}\mathbf{)}$$

Step 10: 

We can obtain $A{N}_{11}$ and $A{N}_{12}$ using $A{N}_9$, $A{N}_{10}$, and the jurisdiction rule.

$$A{N}_{11} : ARU|\equiv ECN\stackrel{SK}{\leftrightarrow }ARU \mathbf{(}\mathbf{Goal} \mathbf{1}\mathbf{)}$$

$$A{N}_{12} : ECN|\equiv ARU\stackrel{SK}{\leftrightarrow }ECN (\mathbf{Goal} \mathbf{3}\mathbf{)}$$

5.4. ROR Model

In this section, we analyze the session key security of the proposed protocol using the ROR model [9]. We utlize the security model in Section 3.5 and follow the security proof of [34,35,36] which proved the session key security using the ROR model.

Theorem 1.

In the ROR model, the adversary tries to reveal the session key in polynomial time. Thus, let $SP{D}_{adv}\left(PT\right)$ be the probability that the session key security is broken in polynomial time. We also define $HS$, $q_{hs}$, $PF$, $q_{pf}$ and $SP{D}_{adv}^{ECMDDH}\left(PT\right)$ as hash function $h(.)$’s range space, the number of hash queries, the function $PUF(.)$’s range space, the number of PUF queries, and probability to break the ECMDDH problem. $C^{\prime }$ and $s^{\prime }$ are the Zipf’s parameters [37].

$$SP{D}_{adv}\left(PT\right)\le \frac{q_{hs}^2}{\left|HS\right|}+\frac{q_{pf}^2}{\left|PF\right|}+2SP{D}_{adv}^{ECMDDH}\left(PT\right)+2\left\{C^{\prime }{q}_{send}^{s^{\prime }}\right\}$$

(1)

We perform six games $G_n$ ($n=0, 1, 2, 3, 4, 5$) to prove the security of the session key in our proposed protocol. In each game $G_n$, the winning probability of the adversary and the advantage is $WP{A}_{adv}\left(G_n\right)$ and $P\left[WP{A}_{adv}\left(G_n\right)\right]$, respectively.

• $G_0$: It is a stating game where the adversary has no information about the session key. Thus, the adversary selects a random bit. Thus, the relationship between $SP{D}_{adv}\left(PT\right)$ and $WP{A}_{adv}\left(G_0\right)$ can be expressed as follows.

  $$SP{D}_{adv}\left(PT\right)=|2P\left[WP{A}_{adv}\left(G_0\right)\right]-1|$$

  (2)
• $G_1$: In this game, the adversary collects messages transmitted over public channels using the $Execute$ query. Thus, the adversary obtains $\{TI{D}_1, A_1, M{C}_1, V_1, t_1\}$, $\{A_3, V_2, t_2\}$, $\{A_5, M{C}_2, V_3, t_3\}$, and $\{A_7, V_4, t_4\}$. With this information, the adversary tries to reveal the session key $S{K}^{\prime }=h(A_4^{\prime } \Vert A_2 \Vert t_2 \Vert V{U}_i \Vert PI{D}_{AU} \Vert I{D}_{AM})$ and $K_{AR}^{\prime }=h(A_8^{\prime } \Vert A_9^{\prime } \Vert t_4 \Vert TI{D}_M \Vert M_{AR})$. After that, the adversary conducts a $Test$ query to distinguish the session key and random number. However, the adversary cannot guess a successful session key because each parameter in the message is masked in various security parameters, including $r_1$, $r_2$, and $A_2$. Thus, we obtain the following equation.

  $$P\left[WP{A}_{adv}\left(G_1\right)\right]=P\left[WP{A}_{adv}\left(G_0\right)\right]$$

  (3)
• $G_2$: The adversary performs $Send$ and hash queries. However, the adversary cannot have an advantage in this game because all of security parameters are masked in cryptographic one-way hash functions, which has resistance against hash collision problems. Using birthday paradox [38], we can obtain the following inequation.

  $$|P\left[WP{A}_{adv}\left(G_2\right)\right]-P\left[WP{A}_{adv}\left(G_1\right)\right]|\le \frac{q_{hs}^2}{\left|HS\right|}$$

  (4)
• $G_3$: In this game, the adversary performs $Send$ and PUF queries. As we mentioned in Section 3.4, the adversary cannot have an advantage because PUF is an anti-duplicated microstructure. Thus, we can obtain the inequation similar to (4).

  $$|P\left[WP{A}_{adv}\left(G_3\right)\right]-P\left[WP{A}_{adv}\left(G_2\right)\right]|\le \frac{q_{pf}^2}{\left|PUF\right|}$$

  (5)
• $G_4$: The adversary tries to reveal the session key calculating $A_2$, $A_4$, $A_6$, and $A_8$. However, the adversary must solve the ECMDDH problem to find random numbers $r_1$, $r_2$, $r_3$, and $r_4$. However, this process is not possible in polynomial time. Thus, we obtain the following inequation.

  $$|P\left[WP{A}_{adv}\left(G_4\right)\right]-P\left[WP{A}_{adv}\left(G_3\right)\right]|\le SP{D}_{adv}^{ECMDDH}\left(PT\right)$$

  (6)
• $G_5$: This is the final game that the adversary conducts, using the $Corrupt$ query. With the revealed parameters $\{P_{AU}, API{D}_{AU}, A{R}_{AU}, AV{U}_{AU}, A{C}_{AU}, V_{AU}, r_E\}$ from the AR user’s smart device, the adversary tries to guess the session key. However, the adversary cannot reveal the real identity and password of the AR user because the verification parameter $V_{AU}$ is processed under fuzzy verifier $r_E$. Thus, the adversary cannot guess $I{D}_{AU}$ and $P{W}_{AU}$ simultaneously. As a result, we obtain the following inequation using Zipf’s law [37].

  $$|P\left[WP{A}_{adv}\left(G_5\right)\right]-P\left[WP{A}_{adv}\left(G_4\right)\right]|\le \left\{C^{\prime }{q}_{send}^{s^{\prime }}\right\}$$

  (7)

When all the games are finished, the adversary guesses a random bit.

$$P\left[WP{A}_{adv}\left(G_5\right)\right]=\frac{1}{2}$$

(8)

We derive the following equation from (2) and (3).

$$\frac{1}{2}SP{D}_{adv}\left(PT\right)=|P\left[WP{A}_{adv}\left(G_0\right)\right]-\frac{1}{2}|=|P\left[WP{A}_{adv}\left(G_1\right)\right]-\frac{1}{2}|$$

(9)

Combining Equations (8) and (9), we obtain the following:

$$\frac{1}{2}SP{D}_{adv}\left(PT\right)=|P\left[WP{A}_{adv}\left(G_1\right)\right]-P\left[WP{A}_{adv}\left(G_5\right)\right]|$$

(10)

Using the triangular inequality, we obtain the following:

$$\begin{gathered} \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\frac{1}{2}SP{D}_{adv}\left(PT\right)=|P\left[WP{A}_{adv}\left(G_1\right)\right]-P\left[WP{A}_{adv}\left(G_5\right)\right]| \\ \le |P\left[WP{A}_{adv}\left(G_1\right)\right]-P\left[WP{A}_{adv}\left(G_4\right)\right]|+|P\left[WP{A}_{adv}\left(G_4\right)\right]-P\left[WP{A}_{adv}\left(G_5\right)\right]| \\ \le |P\left[WP{A}_{adv}\left(G_1\right)\right]-P\left[WP{A}_{adv}\left(G_2\right)\right]|+|P\left[WP{A}_{adv}\left(G_2\right)\right]-P\left[WP{A}_{adv}\left(G_3\right)\right]| \\ |P\left[WP{A}_{adv}\left(G_3\right)\right]-P\left[WP{A}_{adv}\left(G_4\right)\right]|+|P\left[WP{A}_{adv}\left(G_4\right)\right]-P\left[WP{A}_{adv}\left(G_5\right)\right]| \end{gathered}$$

$$\le \frac{q_{hs}^2}{2\left|HS\right|}+\frac{q_{pf}^2}{2\left|PF\right|}+SP{D}_{adv}^{ECMDDH}\left(PT\right)+\left\{C^{\prime }{q}_{send}^{s^{\prime }}\right\}$$

(11)

At last, we obtain the following inequation multiplying (11) by 2. Thus, we can prove Theorem 1.

$$SP{D}_{adv}\left(PT\right)\le \frac{q_{hs}^2}{\left|HS\right|}+\frac{q_{pf}^2}{\left|PF\right|}+2SP{D}_{adv}^{ECMDDH}\left(PT\right)+2\left\{C^{\prime }{q}_{send}^{s^{\prime }}\right\}$$

(12)

6. Performance Analysis

In this section, we conduct comparative studies about computational, communicational, and security features. To estimate the performance of the proposed protocol, we utilize the MIRACL testbed. We compare the performance result of the proposed protocol and the other related schemes [18,19,20,21] which are proposed for U2U and U2I authentication schemes.

6.1. Execution Time of Cryptographic Primitives Using MIRACL

The MIRACL is a C/C++ language-based cryptographic SDK that facilitates the development of cryptographic schemes. There are built-in libraries for various cryptographic primitives, including ECC, bilinear pairings, hash functions, and symmetric encryptions. Thus, we measure the execution time of each primitive using MIRACL in the desktop (11th Generation Intel(R) Core(TM) i5-11400 @ 2.60 GHz with 24.0 GB RAM) and Raspberry-PI 4 (Broadcom BCM2711, Quad core Cortex-A72 (ARM v8) 64-bit System on Chip @ 1.8 GHz, with 8 GB RAM) testbed environments. We measured the execution time for each cryptographic primitive 100 times. We defined the ECC multiplication, ECC addition, hash function, AES encryption, AES decryption, modular exponentiation, and bilinear pairing as $M_{em}$, $M_{ea}$, $M_{hf}$, $M_{ae}$, $M_{ad}$, $M_{me}$, and $M_{bp}$, respectively.

Table 5. Performance results on the desktop platform using MIRACL.

Primitives	Max Time	Min Time	Average Time
$M_{em}$	0.539 ms	0.385 ms	0.413 ms
$M_{ea}$	0.009 ms	0.002 ms	0.003 ms
$M_{hf}$	0.004 ms	0.001 ms	0.001 ms
$M_{ae}$	0.002 ms	0.001 ms	0.001 ms
$M_{ad}$	0.001 ms	0.001 ms	0.001 ms
$M_{me}$	0.083 ms	0.027 ms	0.040 ms
$M_{bp}$	2.653 ms	2.223 ms	2.235 ms

and

Table 6. Performance results in Raspberry-PI 4 platform using MIRACL.

Primitives	Max Time	Min Time	Average Time
$M_{em}$	3.008 ms	2.152 ms	2.375 ms
$M_{ea}$	0.032 ms	0.026 ms	0.028 ms
$M_{hf}$	0.009 ms	0.004 ms	0.007 ms
$M_{ae}$	0.007 ms	0.004 ms	0.004 ms
$M_{ad}$	0.008 ms	0.004 ms	0.005 ms
$M_{me}$	0.233 ms	0.052 ms	0.113 ms
$M_{bp}$	14.232 ms	13.753 ms	13.928 ms

show the performance results for the max, min, and the average time for each primitive using MIRACL. The testbed results show that the desktop platform has much better performance compared to Raspberry-PI 4. Thus, we apply the desktop and Raspberry-PI 4 platform to infrastructure and user devices, respectively.

6.2. Comparison of Computational Cost

We compare the computational cost of the proposed protocol and the related schemes [18,19,20,21]. The computational cost of $M_{em}$, $M_{ea}$, $M_{hf}$, $M_{ae}$, $M_{ad}$, $M_{me}$, and $M_{bp}$ can be denoted as $0.413$ ms, $0.003$ ms, $0.001$ ms, $0.001$ ms, $0.001$ ms, $0.040$ ms, and $2.235$ ms according to Table 5, and $2.235$ ms, $0.028$ ms, $0.007$ ms, $0.004$ ms, $0.005$ ms, $0.113$ ms, and $13.928$ ms according to Table 6. Note that the computational cost of extended Chebyshev chaotic maps $M_{cm}$ is one-third of $M_{em}$ [39] ($0.138$ ms in a desktop and $0.792$ ms in the Raspberry-PI platform). In addition, the computational cost of fuzzy extractor $M_f$ is similar to $M_{em}$. The results of computational cost analysis are shown in

Table 7. Comparison of computational cost.

Scheme	Phase	User	Infrastructure	Total Costs
Chen et al. [18]	U2U	$7M_{em}+2M_{ea}+8M_{hf}+3M_{bp}$	-	58.521 ms
Alzahrani et al. [19]	U2U	$6M_{em}+8M_{hf}$	-	14.306 ms
Pham et al. [20]	U2U	$6M_{em}+7M_{hf}$	-	14.299 ms
	U2I	$5M_{em}+5M_{hf}$	$5M_{em}+7M_{hf}$	13.982 ms
Hajian et al. [21]	U2U	$8M_{em}+14M_{hf}$	-	19.098 ms
Proposed	U2U	$8M_{cm}+9M_{hf}$	-	6.396 ms
	U2I	$3M_{cm}+12M_{hf}$	$3M_{cm}+2M_f+6M_{hf}$	3.704 ms

. Thus, the proposed protocol can provide a more lightweight authentication process than the related schemes [18,19,20,21].

6.3. Comparison of Communcational Cost

We conduct a comparatvie study of computational cost among the proposed protocol and the related schemes [18,19,20,21]. According to [40], we define that the real identity, hash function, timestamp, ECC operation, Chebyshev polynomial, and elements in group $G_1$ and $G_2$ are 64 bits, 160 bits, 32 bits, 320 bits, 256 bits, 1024 bits, and 1024 bits, respectively. The result of communicational cost comparison is shown in

Table 8. Comparison of communcational cost.

Schemes	Phase	Total Communication Costs	Messages
Chen et al. [18]	U2U	1920 bits	2
Alzahrani et al. [19]	U2U	1824 bits	3
Pham et al. [20]	U2I	2560 bits	3
	U2U	3040 bits	3
Hajian et al. [21]	U2U	1344 bits	2
Proposed	U2I	1216 bits	2
	U2U	1056 bits	2

. The result shows that the proposed protocol has a lower communicational overhead than the related schemes [18,19,20,21].

6.4. Security Features

Table 9. Security and functionality features comparison.

Security Features	[18]	[19]	[20]	[21]	Proposed
SEC1	∘	∘	×	∘	∘
SEC2	∘	∘	×	∘	∘
SEC3	×	∘	×	∘	∘
SEC4	×	×	∘	∘	∘
SEC5	×	∘	∘	∘	∘
SEC6	∘	∘	∘	×	∘
SEC7	∘	×	∘	∘	∘
SEC8	∘	∘	∘	∘	∘
SEC9	∘	∘	∘	∘	∘

∘: “Provide the security and functionality features”; ×: “Does not provide the security and functionality features”.

presents the security and functionality features of the proposed protocol and the related schemes [18,19,20,21]. We define (SEC1: Replay attacks), (SEC2: Man-in-the-middle attacks), (SEC3: Impersonation attacks), (SEC4: Privileged insider attacks), (SEC5: ESL attacks), (SEC6: Verification table leakage attacks), (SEC7: Anonymity), (SEC8: Perfect forward secrecy), and (SEC9: Mutual authentication), respectively. Therefore, the proposed protocol can provide a robust secure and lightweight communication for edge computing-based AR environments.

7. Conclusions

In this paper, we proposed an authentication protocol for edge computing-based AR environments. The proposed protocol consists of U2I and U2U authentication processes considering the workload of edge nodes. Moreover, the proposed protocol can provide secure and lightweight authentication services using Chebyshev chaotic maps and PUFs. We performed various security analyses, such as the Scyther tool, BAN logic, and informal security analysis. Moreover, we conducted comparative performance analysis using MIRACL, proving the computational and communicational lightweightness against the related schemes. Thus, the proposed protocol is suitable for edge computing AR environments, and users can share AR data using a robust secure communication channel. In future work, we will implement a practical AR environment and design an improved scheme to make secure and seamless AR services.