A Privacy-Preserving Authentication Scheme Using PUF and Biometrics for IoT-Enabled Smart Cities

Abstract

With the advancement of communication technology, smart cities can provide remote services to users using mobile devices and Internet of Things (IoT) sensors in real time. However, the collected data in smart cities include sensitive personal information and data transmitted over public wireless channels, leaving the network vulnerable to security attacks. Thus, robust and secure authentication is critical to verify legitimate users and prevent malicious attacks. This paper reviews a recent authentication scheme for smart cities and identifies its susceptibilities to attacks, including insider attacks, sensor node capture, user impersonation, and random number leakage. We propose a secure and privacy-preserving authentication scheme for smart cities to resolve these security weaknesses. The scheme enables mutual authentication by incorporating biometric features to verify identity and using the physical unclonable function to prevent physical attacks. We evaluate the security of the proposed scheme via informal and formal analyses, including Burrows–Abadi–Needham logic, the real-or-random model, and the Automated Validation of Internet Security Protocols and Applications simulation tool. Finally, we compare the performance, demonstrating that the proposed scheme has better efficiency and security than existing schemes. Consequently, the proposed scheme is suitable for resource-constrained IoT-enabled smart cities.

1. Introduction

The smart city concept has evolved through the digitalization of urban management to enhance citizen welfare and optimize the administration of city services. This digital processing can be applied to several domains, including smart homes, energy management, intelligent transportation, healthcare, and industrial operations [1,2,3], improving daily life, environmental protection, public safety, and economic activities. With technological advancements, the Internet of Things (IoT) has facilitated smart city development. IoT systems enable wireless connectivity between various devices, including social media platforms, sensors, industrial machines, and mobile devices, within the smart city [4]. By applying such technology, smart cities can collect and exchange real-time data, enabling intelligent decision-making, location tracking, and efficient resource management [5]. Thus, smart cities can provide comfortable and adaptive services, such as supporting intelligent decision-making, efficient resource management, and location tracking accuracy [6].

While smart cities offer such advantages, they also bring some challenges and problems. Sensors and users generate smart city data, raising privacy issues. These data may include sensitive personal information, such as healthcare records, service transactions, location data, identity details, and service preferences [7,8]. If these data are leaked, the potential threats for privacy breaches become a critical problem [9]. Furthermore, IoT-enabled smart cities require efficient and lightweight communication because IoT devices have limited battery life, storage, and processing power [10]. Optimized communication has an influence on the performance of real-time city services. To ensure the successful and sustainable deployment of smart city technologies, it is crucial to maintain high-speed communication and implement robust security measures to protect sensitive data.

In addition, security attacks are important problems to solve when implementing smart cities. Heterogeneous networks comprising various devices provide smart city services, extending the attack surface of the network [11]. In smart city environments, data are transmitted via wireless channels. Messages transmitted over public channels are vulnerable to interception, reproduction, and unauthorized access, leading to potential data breaches [12]. Moreover, the sensors deployed in unattended or remote areas are vulnerable to physical attacks [13]. Mobile devices can be stolen, and stored values can be extracted via power analysis attacks. An attacker can impersonate a legitimate user and paralyze the network. Therefore, researchers have focused on authentication protocols to secure data exchanges between IoT devices and users to address these challenges. For example, authentication and key agreement (AKA) protocols effectively prevent unauthorized access across domains of varying scales, from industrial systems to wearable devices [14,15].

With the growing expansion of IoT systems in smart cities, protecting these systems with robust authentication protocols is imperative to maintaining the security and integrity of infrastructure and data in the city. Thus, a secure authentication scheme is required for IoT-enabled smart cities. In 2024, Nyangaresi et al. [16] proposed an efficient authentication scheme for smart cities using error correction codes and fuzzy commitment. They claimed their scheme ensures resistance to side-channeling attacks and has strong mutual authentication of communicating entities. However, the scheme by Nyangaresi et al. is vulnerable to insider, sensor node capture, user impersonation, and random number leakage attacks. Moreover, their scheme is unsuitable due to the high computational overhead of public key cryptography. Therefore, we propose a privacy-preserving authentication scheme to resolve the security vulnerabilities of the scheme by Nyangaresi et al. using physical unclonable functions (PUFs) and fuzzy extractors.

1.1. Research Contribution

The main contributions of this paper are outlined below:

• This work analyzes the scheme by Nyangaresi et al. [16] and demonstrates that it has security vulnerabilities, such as susceptibility to insider, sensor node capture, user impersonation, and random number leakage attacks.
• This work proposes a privacy-preserving authentication scheme for smart cities to address the security vulnerabilities of the scheme by Nyangaresi et al. [16]. The proposed scheme employs biometric information as an additional factor for secure user verification and applies PUF technology to defend against physical threats.
• This work demonstrates the security of the proposed scheme via an informal security analysis, which reveals the security properties and resistance to various attacks. The proposed scheme ensures mutual authentication and secure communication by verifying the legitimacy of entities.
• This work conducts formal analyses using Burrows–Abadi–Needham (BAN) logic, the real-or-random (ROR) model, and Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tools. The analyses evaluate mutual authentication, session key security, and resistance to man-in-the-middle (MitM) and replay attacks.
• This work demonstrates that the proposed scheme performs better than others in smart city applications. The proposed scheme is more suitable and efficient than other schemes for IoT-based smart city environments.

1.2. Organization

The remaining sections of this paper are organized as follows. We briefly discuss existing authentication schemes related to IoT-based smart city environments in Section 2. We introduce the network and adversary models of the proposed scheme, followed by a brief overview of PUFs and fuzzy extractors in Section 3. We present a review of Nyangaresi et al.’s scheme [16] in Section 4, and analyze security vulnerabilities of their scheme in Section 5. Then, we present our proposed scheme in Section 6. We demonstrate the security of the proposed scheme both informally and formally, using the BAN Logic, ROR model, and AVISPA tools in Section 7. We provide the performance evaluation of the protocol in Section 8 and the conclusion of this paper in Section 9.

Table 1. Notation and definitions.

Notation	Definition
$U_i$	ith user
$M{D}_i$	Mobile device of $U_i$
$G{W}_k$	kth gateway node
$S{N}_j$	jth sensor node
$RA$	Registration authority
$M{K}_x$	Primary key of x
$K_{xy}$	Secret shared key between x and y
$UI{D}_i,GI{D}_k,SI{D}_j$	Unique identity of $U_i,G{W}_k,S{N}_j$
$UPI{D}_i$	Masked identity of $U_i$
$TI{D}_i$	Temporary random identity of $U_i$
$P{W}_i$	High-entropy password of $U_i$
$BI{O}_i$	Biometric data of $U_i$
$S{K}_D,S{K}_G,S{K}_S$	Session key calculated by $M{D}_i,G{K}_k,$ and $S{N}_j$
$r,\alpha$	Random number
$N_n$	Random nonce $(n=1,2,3,\dots )$
$f(·)$	Error-correcting code [16]
$F(·)$	fuzzy commitment [16]
$(C_j,R_j)$	A pair of challenge and response values of PUF
$PUF(·)$	Physical unclonable function
$h(·)$	Collision-resistant cryptographic one-way hash function
⊕	Exclusive-OR operation
||	Concatenation operation

summarizes the notation and definitions used in this paper.

2. Related Work

With the increasing development of smart cities, numerous authentication schemes have been proposed to address various challenges in ensuring robust security and privacy. In 2019, Shuai et al. [17] introduced an efficient scheme for anonymous authentication in smart home environments. Their scheme achieves user anonymity and untraceability by encrypting the real identity using random numbers generated for each session. However, their scheme had security vulnerabilities, including node capture, device node impersonation attacks, and issues with forward secrecy [18]. Based on a cryptoanalysis of Shuai et al.’s scheme, Zou et al. [18] suggested a robust two-factor-based authentication scheme for smart homes. Their scheme enables successful mutual authentication and key establishment. In addition, they argued that their scheme ensures session key forward secrecy, user anonymity, and protection against all attacks. However, their scheme suffers from forgery, session key disclosure, and ephemeral secret leakage attacks.

Some researchers suggested multifactor authentication to provide comprehensive security and achieve a variety of desired security goals. Kaur et al. [19] proposed an enhanced authentication scheme utilizing a fuzzy verifier as an authentication factor. For example, the expression “$h\left(P{W}_i\right)\mathrm{mod}v$” increases computational complexity and makes password-guessing more difficult, where $P{W}_i$ is the password and v is the fuzzy verifier. Zou et al. [20] used three factors for their authentication scheme in smart factory environments. They demonstrate the resistance of their scheme against password guessing and smart card stolen attacks by combining multiple factors, such as biometric information, a password, and a smart card. Rangwani and Om [21] suggested a four-factor mutual authentication scheme for remote healthcare monitoring. They used the transformed bit string from the iris scan, which is unique even for twins, biometric data using a fuzzy commitment scheme, a password, and the identity of the user.

The smart city provides services according to numerous sensors which are deployed all over the cities, even in unattended areas. Researchers proposed authentication schemes considering the specifications of smart cities like the possibility of sensors or gateways being compromised. Xie et al. [22] proposed an authentication scheme designed to resist sensor node capture attacks in smart city environments. Their scheme distributes different secret keys among sensing devices, ensuring that an adversary cannot gain additional information from other captured devices. Furthermore, the long-term key cannot be extracted from the data stored in the sensor node due to protection by a cryptographic hash function. However, Xie et al.’s scheme has several security flaws, including untraceability and susceptibility to privileged insider, impersonation, and MitM attacks. Kumar et al. [23] proposed a multifactor authentication scheme utilizing PUF technologies for accessing remote sensors through a base station. With a session key update procedure, their scheme ensures the confidentiality of the session key among users, base stations, and sensor nodes. Although their scheme is lightweight and does not require a registration center, it fails to analyze critical security issues such as perfect forward secrecy, denial of service (DoS), and stolen verifier attacks. Badar et al. [24] devised a mutual authentication scheme for smart meters and service providers in smart city development. They used point multiplication with public keys, and provided physical attack resilience by using the PUF. In 2024, Nyangaresi et al. [16] presented an efficient authentication scheme in an IoT-enabled smart city environment. They lowered the number of elliptic curve cryptography (ECC) calculations and addressed security problems, including desynchronization, privileged insider attacks, and anonymity. However, their scheme has limitations in defending against insider, physical capture, user impersonation, and random number leakage attacks. Therefore, we propose a secure authentication scheme to resolve these shortcomings.

3. Preliminaries

This section presents the network and adversary models and discusses PUFs and fuzzy extractors.

3.1. Network Model

In this paper, the network model is composed of four entities: the registration authority (RA), users (U), gateway node (GW), and sensor nodes (SNs). As shown in Figure 1, users communicate remotely using their mobile devices and request sensor data. Once mutual authentication is successful, the remote user and the sensor generate a shared session key to communicate securely. The following descriptions offer a detailed introduction to each entity.

• Registration authority: The registration authority has sufficient storage capacity and computation power to register users, gateway nodes, and sensor nodes in the smart city. The registration authority is a trusted entity that manages the identification information for the user, gateway node, and sensor node.
• User: Users can employ their mobile devices to obtain sensor data remotely. To access data, users must first register with the registration authority. After registration, users can use their mobile devices to communicate with sensors through a gateway for successful authentication.
• Gateway node: The gateway is considered a semi-trusted entity in the scheme. Although the gateway can attempt to reveal the data using its information, it works properly as a bridge between users and sensor nodes in wireless networks. The sensor data must be authenticated by passing the gateways through insecure channels. Each gateway is responsible for managing the sensors within its designated region.
• Sensor node: The sensors are deployed everywhere in smart cities to collect environmental data. Before deployment, sensors register at the registration authority to obtain secret parameters for authentication. Through the gateway, sensors transfer collected data to legitimate users who require data. These sensors have limited computational power and storage capabilities.

3.2. Mathematical Preliminaries

In this section, we present some mathematical preliminaries for the proposed scheme in this paper, including a fuzzy extractor and physical unclonable function.

3.2.1. Fuzzy Extractors

According to [25], this section discusses the fundamental concepts of a fuzzy extractor. We utilize fingerprints in biometric applications due to their superior distinctiveness, permanence, and measurability compared to other biometric modalities [26]. The minutiae points and the singular point are extracted from the fingerprint image, and a BIO template is constructed by fitting a polynomial curve to the distances between each minutia and the singular point [27]. We identify users by performing template-matching based on the similarity between the generated and stored templates. Suppose a finite set L is a metric space with a distance function, where the biometric data $B\in L$. The biometric input data can be changed because of the scanning angle or noise when a user inputs the data into a device. The fuzzy extractor uses a helper string to control the margin of error for the noise. A helper string P is auxiliary data used with fuzzy extractors to recover secrets from noisy biometric inputs. Even if P is disclosed, P does not reveal information about the secret key R, which remains computationally indistinguishable from a uniform distribution. This indistinguishability can be quantified by the statistical distance, which measures how closely the distribution of R matches the uniform distribution. The statistical distance between two distributions X and Y is defined as

$$\mathrm{SD}(X,Y)={\displaystyle \frac{1}{2}}\sum _a\left|Pr[X=a]-Pr[Y=a]\right|$$

Helper strings enable fuzzy extractors to handle variations in biometric inputs, ensuring reliable secret recovery without increasing false rejection or false acceptance rates [28]. Therefore, the fuzzy extractor can encrypt biometric information into a consistent secret string. This mechanism comprises two procedures, $Gen$ and $Rep$, explained below:

• $Gen\left(B\right)=(R,P)$: When a user inputs the biometric data $B\in L$, the probabilistic function $Gen$ generates a secret string $R\in {\{0,1\}}^l$ and a helper string $P\in {\{0,1\}}^{*}$, where l and ∗ are lengths of bit strings.
• $Rep(B^{*},P)=\left(R\right)$: When a user reimprints biometric data $B^{*}\in L$, $B^{*}$ could have some noise compared to the initial biometric data B. The $Rep$ procedure recovers the value $R\in {\{0,1\}}^l$ using P.

Fuzzy extractors are preferable for constrained devices due to their minimal communication overhead, low energy consumption, and lack of reliance on uniformly distributed inputs or complex cryptographic assumptions [29].

3.2.2. Physical Unclonable Functions

The PUF was introduced as a physical security primitive [30], operating with a one-way function. The PUF circuit employs input and output bit string pairs called the challenge–response pair. After making a random string of bits as a challenge, the PUF generates responses to challenges based on the random physical differences for each device. The manufacturing process of PUF involves randomness that device producers cannot even control, making it impossible to copy identically [31]. These slight differences cause each PUF to respond uniquely to the same challenge. Therefore, PUFs are unclonable and help prevent attacks, including cloning and physical capture attacks. As the ideal stability of PUF is important, we have to consider environmental factors such as temperature variations, which can affect the response of some PUFs. Fortunately, in recent years, several types of ideal PUFs have been developed that guarantee the data stability of a PUF over a wide range of temperature and voltage fluctuations. For example, some ideal PUFs generate stable responses by relying on the randomness of soft gate oxide breakdown locations or intentionally permanent physical defects [32,33]. As a result, using ideal PUF design is a practical and feasible option while avoiding the need for stability enhancement technologies like helper data or fuzzy extractors [34] to save on computational and storage costs [35]. This paper uses ideal PUF design for stability and describes the process as $R=PUF\left(C\right)$, where C denotes a challenge and R represents a response. The properties of PUF are outlined as follows:

• The PUF has unclonable properties that prevent replication.
• The PUF response is unpredictable due to its physical characteristics.
• In the same device, the PUF responds identically to the same challenge.
• The PUF circuit is easy to estimate and implement.

In the verification phase, the device uses the stored challenge and generates the response. Then, the device compares this response with the parameter stored in its database. The verification is considered successful if the two values are equal.

3.3. Adversary Model

This section outlines the adversary model assumed for the security analysis of the proposed scheme. This work follows the Dolev–Yao (DY) threat model [36], which assumes that the adversary has full control over all messages transmitted via an open channel. In addition, this work considers the Canetti and Krawczyk (CK) threat model [37], where the adversary is capable of compromising secret information, such as ephemeral parameters or session states. These models are widely used in protocol analysis and help define the security assumptions [38,39,40]. The capabilities of the adversary are outlined below:

• Message control: The adversary can intercept, alter, delete, and inject malicious or forged messages during communication over a wireless public channel.
• Device compromise: The adversary can extract sensitive data from lost or stolen mobile devices. Through power analysis attacks [41], the adversary can retrieve private information, including credentials and other stored parameters.
• Various attacks: The adversary can perform various attacks, such as replay, privileged insider, impersonation, and sensor node capture.

4. Review of Nyangaresi et al.’s Scheme

This section presents the authentication scheme by Nyangaresi et al. [16], which was proposed for a smart city. Their scheme includes the system setup, registration of sensor node and user, login, authentication, and key negotiation phases.

4.1. System Setup Phase

The scheme by Nyangaresi et al. uses ECC to establish key agreements between entities. At first, a gateway $G{W}_k$ chooses an elliptic curve E over $F_p$ and an additive group G, with generator P having a large prime order q. The $G{W}_k$ generates a secret key n and computes the corresponding public key $P_k=nP$, while keeping both n and its primary key $M{K}_{G_k}$ private. Finally, $G{W}_k$ publishes the set of parameters $P,P_k,G,E\left(F_p\right)$.

4.2. Registration Phase

In this phase, sensor nodes $S{N}_j$ and users $U_i$ should perform the registration process with the corresponding $G{W}_k$. The communication is assumed to be secure during this phase. The $G{W}_k$ assigns secret values to $S{N}_j$ and $U_i$ for subsequent authentication and key agreement.

4.2.1. Sensor Node Registration

The sensor node $S{N}_j$ is registered at the gateway node $G{W}_k$ and is deployed in the smart city to collect and exchange data. This phase executes the following two steps.

Step 1:

The $G{W}_k$ selects a unique identity $SI{D}_j$ for $S{N}_j$ and derives a secret key $K_{GS}=h(SI{D}_j\parallel M{K}_{G_k})$. Those parameters $\{SI{D}_j,K_{GS}\}$ are sent to $S{N}_j$ via a secure channel.

Step 2:

Upon receiving the message $\{SI{D}_j,K_{GS}\}$, the $S{N}_j$ stores the parameters.

4.2.2. User Registration

All users $U_i$ should register with the $G{W}_k$ to acquire data from $S{N}_j$. This phase describes the registration process of $U_i$, which is explained in the next 3 steps.

Step 1:

Through the $M{D}_i$, the $U_i$ generates a unique identity $UI{D}_i$, password $P{W}_i$, and random number $r_i$. Next, $U_i$ computes $A_1=h(P{W}_i\parallel r_i)$ and inputs biometric data $BI{O}_i$ into the $M{D}_i$. Then, $U_i$ composes and sends a registration request $Req=\{UI{D}_i,A_1,BI{O}_i\}$ to $G{W}_k$ through a secure channel.

Step 2:

The $G{W}_k$ chooses a random codephrase $C{P}_i\in CP$ for the $U_i$, and derives $\lambda =h\left(C{P}_i\right)$, $ϵ=C{P}_i\oplus BI{O}_i$, $F(C{P}_i,BI{O}_i)=(\lambda ,ϵ)$, $A_2=h(UI{D}_i\parallel A_1\parallel C{P}_i)$, $A_3=h(UI{D}_i\parallel M{K}_{G_k})\oplus h(A_1\parallel C{P}_i)$. After that, $G{W}_k$ stores $UI{D}_i$ in its database and constructs a registration response $Res=\{f(·),\lambda ,ϵ,A_2,A_3,P_k\}$. The message $Res$ is sent to $U_i$ over a secure channel.

Step 3:

Upon receiving the response, $U_i$ stores parameters $\{f(·),\lambda ,ϵ,A_2,A_3,P_k,r_i\}$ in the memory of $M{D}_i$.

4.3. Login, Authentication, and Key Negotiation Phase

To access data from $S{N}_j$, the $U_i$ sends a login request message $Lo{g}_{Req}$ to $G{W}_k$ through the $M{D}_i$. Upon receiving $Lo{g}_{Req}$, $G{W}_k$ authenticates the user to verify registration and then establishes a session key shared among $U_i$, $G{W}_k$, and $S{N}_j$. The detailed steps are described below.

Step 1:

The $U_i$ inputs $BI{O}_i^{*}$ into the $M{D}_i$, which uses an error correcting code $f(·)$ to compute $C{P}_i^{*}=f(ϵ\oplus BI{O}_i^{*})$ and recover $C{P}_i$ if the Hamming distance between $BI{O}_i^{*}$ and $BI{O}_i$ is within the acceptable threshold. Afterward, $M{D}_i$ checks whether $h\left(C{P}_i^{*}\right)\stackrel{?}{=}\lambda =h\left(C{P}_i\right)$, where $ϵ=C{P}_i\oplus BI{O}_i$. After the biometric validation is successfully completed, $U_i$ inputs $UI{D}_i$ and $P{W}_i$. Then, the $M{D}_i$ computes $A_2^{*}=h(UI{D}_i\parallel h(P{W}_i\parallel r_i)\parallel C{P}_i^{*})$ and checks whether $A_2^{*}\stackrel{?}{=}{A}_2$. If validated, $M{D}_i$ chooses random nonces $N_1,N_2\in Z_q^{*}$ and computes $A_4=A_3\oplus h(A_1\parallel C{P}_i^{*})$, $A_5=N_2·P$, $B_1=N_2·P_k$, $B_2=UI{D}_i\oplus B_1$, $B_3=A_4\oplus N_1$, $B_4=h(UI{D}_i\parallel N_1)\oplus SI{D}_j$, $B_5=h(A_4\parallel SI{D}_j\parallel B_1\parallel N_1$, where $A_1=h(P{W}_i\parallel r_i)$. Finally, $M{D}_i$ composes the login request message $Lo{g}_{Req}=\{A_5,B_2,B_3,B_4,B_5\}$ and sends it to the $G{W}_k$ through a public channel.

Step 2:

After receiving $Lo{g}_{Req}$, the $G{W}_k$ computes $B_1^{*}=n·A_5$, $UI{D}_i^{*}=B_2\oplus B_1^{*}$. Next, $G{W}_k$ confirms whether $UI{D}_i^{*}$ exists in its database. When $UI{D}_i$ is found and identified, $G{W}_k$ computes $A_4^{*}=h(UI{D}_i^{*}\parallel M{K}_{G_k})$, $N_1^{*}=B_3\oplus A_4^{*}$, $B_2=UI{D}_i\oplus B_1$, $B_3=A_4\oplus N_1$, $B_4=h(UI{D}_i\parallel N_1)\oplus SI{D}_j$, $B_5=h(A_4\parallel SI{D}_j\parallel B_1\parallel N_1)$. Then, $G{W}_k$ confirms whether $B_5^{*}\stackrel{?}{=}{B}_5$. If validated, $G{W}_k$ generates $N_3$ and computes $K_{GS}^{*}=h(SI{D}_j^{*}\parallel M{K}_{G_k})$, $C_1=UI{D}_i^{*}\oplus K_{GS}^{*}$, $C_2=N_3\oplus h(UI{D}_i^{*}\parallel K_{GS}^{*})$, $C_3=N_3\oplus n_1^{*}$, $C_4=h(UI{D}_i^{*}\parallel SI{D}_j^{*}\parallel K_{GS}^{*}\parallel N_1^{*}\parallel N_3)$. Finally, $G{W}_k$ construct the authentication message $Aut{h}_1=\{C_1,C_2,C_3,C_4\}$ and sends it to the $S{N}_j$ over a public channel.

Step 3:

Upon obtaining $Aut{h}_1$, $S{N}_j$ calculates $UI{D}_i^{*}=C_1\oplus K_{GS}$, $N_3^{*}=C_2\oplus h(UI{D}_i^{*}\parallel K_{GS})$, $N_1^{*}=N_3^{*}\oplus C_3$, $C_4^{*}=h(UI{D}_i^{*}\parallel SI{D}_j\parallel K_{GS}\parallel N_1^{*}\parallel N_3^{*})$. Subsequently, $S{N}_j$ checks whether $C_4^{*}\stackrel{?}{=}{C}_4$, and, if equal, generates $N_4$ as a random nonce. Then, $S{N}_j$ calculates $C_5=N_4\oplus K_{GS}$, $S{K}_S=h(UI{D}_i^{*}\parallel SI{D}_j\parallel N_1^{*}\parallel N_3^{*}\parallel N_4)$, $D_1=h(K_{GS}\parallel S{K}_S\parallel N_4)$. Finally, $S{N}_j$ composes the authentication response message $Aut{h}_2=\{C_5,D_1\}$, which is transmitted to $G{W}_k$ via a public channel.

Step 4:

After receiving $Aut{h}_2$ from the $S{N}_j$, $G{W}_k$ computes $N_4^{*}=C_5\oplus K_{G{S}^{*}}$, $S{K}_G=h(UI{D}_i^{*}\parallel SI{D}_j^{*}\parallel N_1^{*}\parallel N_3\parallel N_4^{*})$, $D_1^{*}=h(K_{GS}^{*}\parallel S{K}_G\parallel N_4^{*})$. If $D_1^{*}$ equals $D_1$, $G{W}_k$ computes $D_2=A_4^{*}\oplus N_3$, $D_3=N_1^{*}\oplus N_4^{*}$, $D_4=h(UI{D}_i^{*}\parallel S{K}_G\parallel N_3\parallel N_4^{*})$. Finally, $G{W}_k$ constructs $Aut{h}_3=\{D_2,D_3,D_4\}$ that is sent to the $M{D}_i$.

Step 5:

$M{D}_i$ computes $N_3^{*}=A_4\oplus D_2$, $N_4^{*}=N_1\oplus D_3$, $S{K}_D=h(UI{D}_i\parallel SI{D}_j\parallel N_1\parallel N_3^{*}\parallel N_4^{*})$, and $D_4^{*}=h(UI{D}_i\parallel S{K}_D\parallel N_3^{*}\parallel N_4^{*})$. After that, $M{D}_i$ checks whether $D_4^{*}\stackrel{?}{=}{D}_4$. If $D_4^{*}$ is valid, the session key is set as $S{K}_D=S{K}_G=S{K}_S$ and key negotiation is completed.

5. Cryptoanalysis of Nyangaresi et al.’s Scheme

This section demonstrates that the scheme by Nyangaresi et al. [16] is susceptible to security attacks, including insider, sensor node capture, user impersonation, and random number leakage attacks. A detailed discussion is provided in the following sections.

5.1. Insider Attack

This work assumes that an adversary $\mathcal{A}$ is registered at gateway node $G{W}_k$. As a legitimate user, $\mathcal{A}$ can successfully authenticate with the $G{W}_k$ and $S{N}_j$. Moreover, $\mathcal{A}$ can obtain authentication information via legitimate communication. The $\mathcal{A}$ can compute the session key of other users using this acquired information.

Step 1:

An adversary $\mathcal{A}$ completes the authentication phase using his/her identity $UI{D}_{\mathcal{A}}$ and password $P{W}_{\mathcal{A}}$ as a legitimate user. During this phase, $\mathcal{A}$ intercepts the message $C_1$ and derives the secret key $K_{GS}=C_1\oplus UI{D}_{\mathcal{A}}$ which is shared between $G{W}_k$ and $S{N}_j$.

Step 2:

The $\mathcal{A}$ eavesdrops parameters $\{B_4,C_1,C_2,C_3,C_5\}$ from the messages exchanged by another user $U_i$ via a public channel. Since the parameter $K_{GS}$ is consistently used during the authentication phase, $\mathcal{A}$ can obtain the session key between $U_i$ and $S{N}_j$.

Step 3:

Using the secret key $K_{GS}$, $\mathcal{A}$ computes $UI{D}_i=C_1\oplus K_{GS}$, $N_4=C_5\oplus K_{GS}$. Next, $\mathcal{A}$ derives $N_3=C_2\oplus h(UI{D}_i\parallel K_{GS})$, $N_1=C_3\oplus N_3$, and $SI{D}_j=B_4\oplus h(UI{D}_i\parallel N_1)$. Finally, $\mathcal{A}$ can compute the session key $SK=h(UI{D}_i\parallel SI{D}_j\parallel N_1\parallel N_3\parallel N_4)$.

Therefore, the scheme by Nyangaresi et al. cannot resist insider attacks.

5.2. Physical Capture Attack

The $\mathcal{A}$ can obtain a stolen or lost user’s mobile device and attempt to extract the stored parameters $\{f(·),\lambda ,ϵ,A_2,A_3,P_k,r_i\}$ in it. If $\mathcal{A}$ attempts to guess $C{P}_i$ from $\lambda =h\left(C{P}_i\right)$, $\mathcal{A}$ can compute the user’s biometric information $BI{O}_i=ϵ\oplus C{P}_i$. Moreover, sensor nodes are typically placed in unattended or hostile environments; thus, $\mathcal{A}$ can easily capture them and potentially access sensitive user information. If $\mathcal{A}$ obtains parameters $\{SI{D}_j,K_{GS}\}$, $\mathcal{A}$ can compute the $SK$ as described in Section 5.1. In addition, $\mathcal{A}$ can determine another user’s identity $UI{D}_i$ and the secret parameter $A_4$. By intercepting the messages $\{B_3,C_1,C_2,C_3\}$, $\mathcal{A}$ can compute $UI{D}_i=C_1\oplus K_{GS}$, $N_3=C_2\oplus h(UI{D}_i\parallel K_{GS})$, $N_1=C_3\oplus N_3$ and $A_4=B_3\oplus N_1$. Therefore, Nyangaresi et al.’s scheme cannot prevent sensor node capture attacks.

5.3. User Impersonation Attack

Following Section 5.2, $\mathcal{A}$ can infer $UI{D}_i$ and $A_4$. Afterward, $\mathcal{A}$ can generate the login request message $Lo{g}_{Req}$ to impersonate another authorized user.

Step 1:

An adversary $\mathcal{A}$ generates random nonces $N_1^{\mathcal{A}}$ and $N_2^{\mathcal{A}}$. Then, $\mathcal{A}$ computes $A_5=N_2^{\mathcal{A}}·P$, $B_1=N_2^{\mathcal{A}}·P_k$.

Step 2:

Using the obtained parameters $\{UI{D}_i,A_4\}$, $\mathcal{A}$ computes $B_2=UI{D}_i\oplus B_1$, $B_3=A_4\oplus N_1^{\mathcal{A}}$, $B_4=h(UI{D}_i\parallel N_1^{\mathcal{A}})\oplus SI{D}_j$ and $B_5=h(A_4\parallel SI{D}_j\parallel B_1\parallel N_1^{\mathcal{A}})$. Finally, $\mathcal{A}$ can successfully compose $Lo{g}_{Req}=\{A_5,B_2,B_3,B_4,B_5\}$ and impersonate a user $U_i$.

Therefore, the scheme by Nyangaresi et al. cannot prevent user impersonation attacks.

5.4. Random Number Leakage Attack

According to Section 3.3, this work assumes that $\mathcal{A}$ can reveal random nonces $N_1,N_2,N_3$, and $N_4$. Adversary $\mathcal{A}$ can eavesdrop on authentication messages via a public channel and calculate the session key $SK$. The details are described in the following steps.

Step 1:

After obtaining parameters $\{B_4,C_1,C_5\}$ from the public messages, $\mathcal{A}$ computes $K_{GS}=C_5\oplus N_4$, $UI{D}_i=C_1\oplus K_{GS}$, and $SI{D}_j=B_4\oplus h(UI{D}_i\parallel N_1)$.

Step 2:

Finally, $\mathcal{A}$ calculates the $SK=h(UI{D}_i\parallel SI{D}_j\parallel N_1\parallel N_3\parallel N_4)$.

Therefore, Nyangaresi et al.’s scheme cannot prevent random number leakage attacks.

6. Proposed Scheme

According to Section 3.1, we propose a privacy-preserving authentication scheme for smart cities that utilizes biometrics and PUFs to address the security weaknesses of the existing scheme [16]. The proposed scheme comprises three phases: registration, login, and authentication.

6.1. Registration Phase

Smart cities are planned environments where data collection types and citizen services provided to citizens are predefined. Sensor deployment locations and gateway coverage areas are determined through location-based mapping. During registration, the RA assigns the appropriate gateway to each sensor node based on this mapping. Prior to the deployment in the smart city, gateways and sensors must be registered with the registration authority. Users within a smart city must also register their identities at the registration authority for authenticated communication. The registration phase processes these via secure channels.

6.1.1. Gateway Node Registration

A gateway node $G{W}_k$ registers its identity with the registration authority. Then, $G{W}_k$ receives a secret key $PS{K}_k$ for mutual authentication between sensors and users within its responsible area.

Step 1:

The gateway node $G{W}_k$ selects its unique identity $GI{D}_k\in {\{0,1\}}^{128}$. Then, $G{W}_k$ sends $GI{D}_k$ to $RA$ as shown in Figure 2.

Step 2:

If the received $GI{D}_k$ does not exist in the database, $RA$ processes a registration phase for $G{W}_k$. The $RA$ generates a random number $r_k\in {\{0,1\}}^{160}$ and computes $PS{K}_k=h(GI{D}_k\parallel r_k\parallel M{K}_{RA})$. The $RA$ stores $\{GI{D}_k,r_k\}$ in its database and sends $PS{K}_k$ to $G{W}_k$.

Step 3:

After receiving $PS{K}_k$ from $RA$, $G{W}_k$ stores $PS{K}_k$ with $GI{D}_k$ in its memory.

6.1.2. Sensor Node Registration

Sensor nodes register at the registration authority to deploy in a smart city, obtaining secret values for the authentication and session key. Moreover, sensor nodes have a secret key used for a secret shared session key with a gateway node. Figure 3 shows the registration process for sensor nodes, and the following steps are explained in detail.

Step 1:

The sensor node $S{N}_j$ selects its identity $SI{D}_j\in {\{0,1\}}^{128}$ and generates a random challenge $C_j\in {\{0,1\}}^{160}$. $S{N}_j$ calculates a PUF response $R_j=PUF\left(C_j\right)\in {\{0,1\}}^{160}$, and $S{X}_j=h(C_j\parallel R_j)$. $S{N}_j$ sends $\{SI{D}_j,S{X}_j\}$ to $RA$.

Step 2:

If the $SI{D}_k$ does not exist in the database, $RA$ derives corresponding parameters $\{GI{D}_k,r_k\}$ of $G{W}_k$, which is responsible for the area where $S{N}_j$ will be deployed. Then, $RA$ calculates $K_{G{S}_j}=h(SI{D}_j\parallel PS{K}_k)$, $P{S}_j=h(SI{D}_j\parallel GI{D}_k\parallel M{K}_{RA})$, and $X_j=S{X}_j\oplus P{S}_j$. The $RA$ stores the sensor information $\{SI{D}_j,S{X}_j\}$ in its database and $\left\{SI{D}_j\right\}$ in the gateway node $G{W}_k$ database. Finally, $RA$ transmit secret parameters $K_{GS},X_j$ to $S{N}_j$.

Step 3:

After receiving these parameters, $S{N}_j$ calculates $C{X}_j=X_j\oplus R_j$, $E{X}_{G{S}_j}=K_{G{S}_j}\oplus S{X}_j$. $S{N}_j$ stores values $\{SI{D}_j,C_j,C{X}_j,E{X}_{G{S}_j}\}$.

6.1.3. User Registration

Users must register with the $RA$ to access and receive remote services with $S{N}_j$ as legitimate users. Through the $M{D}_i$, users input their $UI{D}_i,P{W}_i$, and $BI{O}_i$ factors and process the registration phase, which is ready to authenticate with sensors. Figure 4 describes each user registration step, detailed as follows:

Step 1:

The user $U_i$ inputs $U_i$’s unique identity $UI{D}_i\in {\{0,1\}}^{128}$, password $P{W}_i\in {\{0,1\}}^{160}$, and biometric data $BI{O}_i\in {0,1}^{160}$ into $M{D}_i$. The $U_i$ requires access to sensor nodes ${\left\{S{N}_j\right\}}_{j=1}^m$, and $M{D}_i$ sends the requirements and $UI{D}_i$ to $RA$.

Step 2:

The $RA$ derives stored information of $S{N}_j(1\le j\le m)$ that communicates with $U_i$, as well as $G{W}_k$ that manages those sensors. Then, $RA$ selects a temporary random identity $TI{D}_i\in {\{0,1\}}^{128}$ and generates a random number $r_i,{\alpha }_j$. Then, $RA$ calculates parameters $UPI{D}_i=UI{D}_i\oplus h(r_i\parallel M{K}_{RA})$, $S_{U{S}_j}=h(S{X}_j\parallel {\beta }_j)$, $K_{U{S}_j}=h(SI{D}_j\parallel P{S}_j)$, and $K_{UG}=h(TI{D}_i\parallel PS{K}_k)$ required for authentication. The $RA$ stores $\{UPI{D}_i,r_i\}$ in its database and sends $\{TI{D}_i,K_{UG},(SI{D}_j,{\alpha }_j,S_{U{S}_j},K_{U{S}_j}|1\le j\le m)\}$ to $U_i$.

Step 3:

When the response is received, $M{D}_i$ computes a secret parameter ${\sigma }_i$ and a helper string ${\tau }_i$ from $BI{O}_i$, and encrypts secret keys $\{K_{UG},{\alpha }_j,S_{U{S}_j},K_{U{S}_j}\}$ using $h(·)$. The $M{D}_i$ computes $Gen\left(BI{O}_i\right)=({\sigma }_i,{\tau }_i)$, $A_1=K_{UG}\oplus h(UI{D}_i\parallel P{W}_i\parallel {\sigma }_i)$, $A_{2j}={\alpha }_j\oplus h(SI{D}_j\parallel K_{UG}\parallel P{W}_i)$, $A_{3j}=S_{U{S}_j}\oplus h({\alpha }_j\parallel UI{D}_i\parallel {\sigma }_i)$, $A_{4j}=K_{U{S}_j}\oplus h(S_{U{S}_j}\parallel P{W}_i\parallel {\sigma }_i)$, and $V_L=h(K_{UG}\parallel {\sigma }_i\parallel UI{D}_i\parallel P{W}_i)$. Finally, $M{D}_i$ stores parameters $\{TI{D}_i,{\tau }_i,A_1,V_L,$$(A_{2j},A_{3j},A_{4j},SI{D}_j)|1\le j\le m\}$ in its database and completes registration successfully.

6.2. Login and Authentication Phase

In the login phase, $U_i$ enters his credential information $I{D}_i$, $P{W}_i$, and $BI{O}_i^{*}$ into his $M{D}_i$. The $M{D}_i$ computes $V_L^{*}$ and if $V_L^{*}\ne V_L$, it rejects the login request, considering the user illegitimate. To access data of $S{N}_j$, $U_i$ composes $Lo{g}_{Req}$ and sends it to $G{W}_k$. During authentication, the user and sensor perform the following steps via the gateway to establish a secure session key and achieve mutual authentication. Figure 5 illustrates the login and authentication phase.

Step 1:

The $U_i$ first inputs $I{D}_i,P{W}_i$, and $BI{O}_i^{*}$ into $M{D}_i$. Then, $M{D}_i$ computes ${\sigma }_i^{*}=Rep(BI{O}_i^{*},{\tau }_i)$, $K_{UG}=A_1\oplus h(UI{D}_i\parallel P{W}_i\parallel {\sigma }_i)$, $V_L^{*}=h(K_{UG}\parallel {\sigma }_i\parallel UI{D}_i\parallel P{W}_i)$. If $V_L^{*}$ equals $V_L$, the login is successful and $U_i$ is authenticated. Next, $M{D}_i$ generates $N_1$ and computes ${\alpha }_j=A_{2j}\oplus h(SI{D}_j\parallel K_{UG}\parallel P{W}_i)$, $S_{U{S}_j}=A_{3j}\oplus h({\alpha }_j\parallel UI{D}_i\parallel {\sigma }_i)$, and $K_{U{S}_j}=A_{4j}\oplus h(S_{U{S}_j}\parallel P{W}_i\parallel {\sigma }_i)$. Then, $M{D}_i$ composes the message $Lo{g}_{Req}=\{TI{D}_i,M_1,M_2,M_3,V_1\}$, where $M_1=SI{D}_j\oplus h(TI{D}_i\parallel K_{UG})$, $M_2=N_1\oplus K_{UG}\oplus K_{U{S}_j}$, $M_3={\alpha }_j\oplus h(N_1\parallel K_{U{S}_j})$, $V_1=h(M_3\parallel SI{D}_j\parallel M_2\oplus K_{UG})$. The $M{D}_i$ sends $Lo{g}_{Req}$ to $G{W}_k$.

Step 2:

Upon receipt of the message, the $G{W}_k$ computes $K_{UG}^{*}=h(TI{D}_i\parallel PS{K}_k)$, $SI{D}_j^{*}=M_1\oplus h(TI{D}_i\parallel K_{UG}^{*})$, $V_1^{*}=h(M_3\parallel SI{D}_j^{*}\parallel M_2\oplus K_{UG}^{*})$. Then, $G{W}_k$ verifies whether $V_1^{*}=V_1$. If this is valid, the $G{W}_k$ generates $N_2$ and computes $K_{G{S}_j}=h(SI{D}_j^{*}\parallel PS{K}_k)$, $V_2=h(N_2\parallel K_{G{S}_j}\parallel V_1)$, $M_4=M_2\oplus K_{UG}^{*}\oplus N_2\oplus K_{G{S}_j}$, $M_5=N_2\oplus h(V_2\parallel K_{G{S}_j})$. $G{W}_k$ constructs the authentication message $Aut{h}_1=\{M_3,M_4,M_5,V_2\}$ and transmits to $S{N}_j$.

Step 3:

On receiving $Aut{h}_1$, the $S{N}_j$ calculates $R_j=PUF\left(C_j\right)$, $S{X}_j=h(C_j\parallel R_j)$, $K_{U{S}_j}^{*}=h(SI{D}_j\parallel C{X}_j\oplus R_j\oplus S{X}_j)$, $K_{G{S}_j}=E{K}_{G{S}_j}\oplus S{X}_j$, $N_2^{*}=M_5\oplus h(V_2\parallel K_{G{S}_j})$, $V_1^{*}=h(M_3\parallel SI{D}_j\parallel M_4\oplus N_2^{*}\parallel K_{G{S}_j})$, $V_2^{*}=h(N_2^{*}\parallel K_{G{S}_j}\parallel V_1^{*})$. After that, $S{N}_j$ checks whether $V_2^{*}$ equals $V_2$. If this is correct, $S{N}_j$ generates $N_3$ and calculates $N_1^{*}=M_4\oplus N_2\oplus K_{G{S}_j}\oplus K_{U{S}_j}$, ${\alpha }_j^{*}=M_3\oplus h(N_1^{*}\parallel K_{U{S}_j}^{*})$, ${\beta }_j=C{X}_j\oplus R_j\oplus {\alpha }_j^{*}$, $S_{U{S}_j}=h(S{X}_j\parallel {\beta }_j)$, $M_6=N_1^{*}\oplus N_2^{*}\oplus N_3$, $S{K}_S=h(SI{D}_j\parallel K_{U{S}_j}^{*}\parallel S_{U{S}_j}\parallel N_1^{*}\parallel N_2^{*}\oplus N_3)$, $V_3=h(S{K}_S\parallel M_6)$, $V_4=h(M_6\parallel V_3\parallel SI{D}_j\parallel N_2^{*}\parallel K_{G{S}_j})$. Finally, $S{N}_j$ sends $Aut{h}_2=\{M_6,V_3,V_4\}$ to $G{W}_k$.

Step 4:

When $G{W}_k$ receives the response from $S{N}_j$, $G{W}_k$ computes and checks the validity of $V_4^{*}=h(M_6\parallel V_3\parallel SI{D}_j^{*}\parallel N_2\parallel K_{G{S}_j})$ compared with $V_4$. If the verification is successful, $G{W}_k$ randomly selects a new temporary identity $TI{D}_i^{new}$ for subsequent communication of $U_i$. Then, $G{W}_k$ computes $K_{UG}^{new}=h(TI{D}_i^{new}\parallel PS{K}_k)$, $M_7=TI{D}_i^{new}\oplus h(TI{D}_i\parallel M_2\oplus K_{UG})$, $M_8=K_{UG}^{new}\oplus h(TI{D}_i^{new}\parallel K_{UG})$, $V_5=h(TI{D}_i^{new}\parallel K_{UG}^{new}\parallel V_4)$. Finally, $G{W}_k$ constructs the message $Aut{h}_3=\{M-6,M_7,M_8,V_5\}$ and transmits it to $U_i$.

Step 5:

After obtaining $Aut{h}_3$, $M{D}_i$ computes $TI{D}_i^{new}=M_7\oplus h(TI{D}_i\parallel M_2\oplus K_{UG})$, $K_{UG}^{new}=M_8\oplus h(TI{D}_i^{new}\parallel K_{UG})$, ${(N_2\oplus N_3)}^{*}=M_6\oplus N_1$, $S{K}_D=h(SI{D}_j\parallel K_{U{S}_j}\parallel S_{U{S}_j}\parallel N_1\parallel$${(N_2\oplus N_3)}^{*})$, $V_3^{*}=h(S{K}_D\parallel M_6)$, and $V_5^{*}=h(TI{D}_i^{new}\parallel K_{UG}^{new}\parallel V_3^{*})$. Next, $M{D}_i$ verifies whether $V_5^{*}\stackrel{?}{=}{V}_5$. If the values do not match, the session is aborted. Otherwise, the session key is set as $S{K}_D=S{K}_S$, and key agreement is successful between $U_i$ and $S{N}_j$. Followed by the successful authentication phase, $M{D}_i$ computes $A_1^{new}=A_1\oplus K_{UG}\oplus K_{UG}^{new}$, $V_L^{new}=h(K_{UG}^{new}\parallel {\sigma }_i\parallel UI{D}_i\parallel P{W}_i)$ and updates $\{TI{D}_i,A_1,V_L\}$ to $\{TI{D}_i^{new},A_1^{new},V_L^{new}\}$. After that, $M{D}_i$ erases $\{TI{D}_i,A_1,V_L\}$ from its database to prevent any backward key secrecy violations.

6.3. Dynamic Node Addition Phase

There is a possibility that some of the deployed sensor nodes may not work properly or may be physically stolen by an attacker. When fresh nodes need to be deployed to continue services, the new nodes can be added into the network through the dynamic node addition phase. The following steps describe the dynamic node addition phase.

Step 1:

Before the new node $S{N}_j^{new}$ is deployed, $S{N}_j^{new}$ executes the sensor node registration phase. By following the Section 6.1.2, the $RA$ stores $\{SI{D}_j,S{X}_j\}$ and the $S{N}_j^{new}$ stores $\{SI{D}_j,C_j,C{X}_j,E{K}_{G{S}_j}\}$ in its memory.

Step 2:

After the successful registration of $S{N}_j^{new}$ and its deployment, $S{N}_j^{new}$ informs the gateway $G{W}_k$ about its addition. The $S{N}_j$ calculates $R_j=PUF\left(C_j\right)$, $S{X}_j=h(C_j\parallel R_j)$, and $K_{G{S}_j}=E{K}_{G{S}_j}\oplus S{X}_j$. The $S{N}_j^{new}$ encrypts its identity $SI{D}_j$ by the secret key $K_{G{S}_j}$ and sends it to $G{W}_k$.

Step 3:

After receiving the messages about a new sensor addition, the $G{W}_k$ verify the legitimacy of $SI{D}_j^{new}$ by using $K_{G{S}_j}$. Then, $G{W}_k$ broadcasts $SI{D}_j$ for the new node addition. Then, users can request access to the newly deployed node.

7. Security Analysis

This work demonstrates the scheme security using informal and formal analysis methods. We describe the security features of attack resistance via an informal analysis. Moreover, this work employs widely used formal analyses, including BAN logic, the ROR model, and AVISPA simulation.

7.1. Informal Analysis

This section reveals that the scheme supports numerous security features and resists many typical security attacks in a smart city.

7.1.1. Session Key Disclosure Attacks

The goal of $\mathcal{A}$ is to compute a valid session key by intercepting public communication messages. For every session, the session key is $SK=h(SI{D}_j\parallel K_{U{S}_j}\parallel S_{U{S}_j}\parallel N_1\parallel N_2\oplus N_3)$, where $N_1,N_2$, and $N_3$ are random nonces. The random nonces are freshly chosen for every new session. The session key depends on a secret key $K_{U{S}_j}$, shared between legitimate users and the sensor. Even the secret key $S_{U{S}_j}$ is only shared between the sensor and respective users. If $\mathcal{A}$ wants to know the random nonces, $\mathcal{A}$ must know the shared keys with sensors and the shared keys with gateway $K_{UG}$ and $K_{G{S}_j}$. Each random nonce is encrypted by keys $K_{UG}$ and $K_{U{S}_j}$ as indicated in messages $M_2$ and $M_4$. Therefore, the proposed scheme can resist session key disclosure attacks.

7.1.2. Denial of Service Attacks

The adversary can conduct a DoS attack to block user access. Adversary A can continuously attempt to issue fake request messages. $\mathcal{A}$ intercepts $Lo{g}_{Req}$ and replaces parameters and sends it to the gateway. However, the gateway first checks whether the received $V_1$ is valid. If any parameter in the request message is changed, $V_1$ is never matched and validated. The parameter $TI{D}_i$ is related to $K_{UG}$, and then $K_{UG}$ is related to $M_1$ and $M_2$ to be used to compute these messages. Since $\mathcal{A}$ cannot know a secret shared key, the session is terminated upon validation failure. Therefore, the proposed scheme can resist DoS attacks.

7.1.3. Replay Attacks

$\mathcal{A}$ may try to impersonate a legitimate user by resending messages from a previous session. However, $\mathcal{A}$ is unable to access the previous messages through this replay because the scheme checks the freshness of all exchanged messages using random nonces $N_1$, $N_2$, and $N_3$. These random nonces compose all parameters in authentication messages $Lo{g}_{Req}, Aut{h}_1, Aut{h}_2, Aut{h}_3$. Consequently, the proposed scheme can withstand replay attacks.

7.1.4. Desynchronization Attacks

We assume that a user does not receive the correct response $Aut{h}_3$ from a gateway due to unexpected terminations, or $\mathcal{A}$ may attempt desynchronization attacks. $\mathcal{A}$ may change the messages that update the user’s temporary identity $TI{D}_i^{new}$ and the corresponding shared secret key $K_{UG}^{new}$. However, a user checks the message $Aut{h}_3$ by validating if $V_5^{*}\stackrel{?}{=}{V}_5$ is the same. The parameter $V_5$ includes a shared parameter not only with a gateway but also with a sensor. If it fails to verify, the session is terminated. Moreover, the gateway does not need to store a temporary identity $TI{D}_i^{new}$ of a user. Therefore, the scheme has resistance to desynchronization attacks.

7.1.5. Insider Attacks

As a legitimate user, $\mathcal{A}$ can register at the registration authority and authenticate to $G{W}_k$ and $S{N}_j$. Using his authentication messages and parameters, $\mathcal{A}$ attempts to compromise other legal users’ sessions. To compute session key $SK=h(SI{D}_j\parallel K_{U{S}_j}\parallel S_{U{S}_j}\parallel N_1\parallel N_2\oplus N_3)$, $\mathcal{A}$ must need the secret shared keys {$K_{U{S}_j}$, $S_{U{S}_j}$, $K_{UG}$, $K_{U{S}_j}$, $S_{U{S}_j}$}, which are masked by hash functions and XOR operations with random nonces $\{N_1,N_2,N_3\}$. Therefore, the proposed scheme is resilient to insider attacks.

7.1.6. Privileged Insider Attacks

A privileged insider attacker $\mathcal{A}$ can intercept a legitimate user $U_i$’s registration request message $\left\{UI{D}_i\right\}$. Then, $\mathcal{A}$ attempts to compute a session key by using public communication messages of the user. However, $\mathcal{A}$ is unable to obtain the session key of $U_i$. To compute the session key $SK=h(SI{D}_j\parallel K_{U{S}_j}\parallel S_{U{S}_j}\parallel N_1\parallel N_2\oplus N_3)$, $\mathcal{A}$ needs to know $K_{U{S}_j}=h(SI{D}_j\parallel P{S}_j)$ and $S_{U{S}_j}=h(S{X}_j\parallel {\beta }_j)$, which are shared between $U_i$ and $S{N}_j$. Since $\mathcal{A}$ cannot obtain these parameters from the registration message $\left\{UI{D}_i\right\}$ alone, the proposed scheme remains secure against privileged insider attacks.

7.1.7. User Impersonation Attacks

An unauthorized adversary attempts to authenticate with sensors to impersonate a legitimate user. To impersonate the user, an adversary must construct a registration request $Lo{g}_{Req}=\{TI{D}_i,M_1,M_2,M_3,V_1\}$. However, $\mathcal{A}$ cannot compute parameters $M_1,M_2,M_3,V_1$ due to a shared secret key $K_{UG}$ between $U_i$ and $G{W}_k$, which is updated in every session.

7.1.8. Man-in-the-Middle Attacks

During the authentication phase, $\mathcal{A}$ may intercept and modify the authentication messages in the middle. However, as discussed in Section 7.1.7, $\mathcal{A}$ cannot construct a login request message and other messages $Aut{h}_1, Aut{h}_2, Aut{h}_3$. Additionally, the PUF response $R_j$ cannot be modified due to the unclonable property of PUFs. Therefore, the proposed scheme has resistance to MitM attacks.

7.1.9. Forgery Attacks

$\mathcal{A}$ may try to modify messages during the authentication phase. However, such attempts can be easily detected by the gateways, sensors, and users using the verification values $V_1,V_2,V_3,V_4,V_5$. It is impossible to compute without passing through all entities. The random nonce $N_1$, which is used to compute a session key, is doubly encrypted by $K_{U{S}_j}$ for a sensor and $K_{UG}$ for a gateway, respectively. Moreover, the key parameter ${\beta }_j$ is not transmitted through the public channel and is only known between $U_i$ and $S{N}_j$. Thus, the proposed scheme prevents forgery attacks.

7.1.10. Physical Capture Attacks

Users can lose their mobile devices, and we assume that $\mathcal{A}$ can extract parameters stored in a mobile device $M{D}_i$. However, $\mathcal{A}$ cannot obtain users’ information without knowing $UI{D}_i$, $P{W}_i$, and $BI{O}_i$ simultaneously, since the stored parameters are encrypted using XOR operations and one-way hash functions. Here, $A_1=K_{UG}\oplus h(UI{D}_i\parallel P{W}_i\parallel {\sigma }_i)$, $A_{2j}={\alpha }_j\oplus h(SI{D}_j\parallel K_{UG}\parallel P{W}_i)$, $A_{3j}=S_{U{S}_j}\oplus h({\alpha }_j\parallel UI{D}_i\parallel {\sigma }_i)$, $A_{4j}=K_{U{S}_j}\oplus h(S_{U{S}_j}\parallel P{W}_i\parallel {\sigma }_i)$. In addition, $\mathcal{A}$ cannot obtain ${\sigma }_i$ with only a helper string ${\tau }_i$ without $BI{O}_i$. Similarly, the sensors deployed within a smart city could be compromised. $\mathcal{A}$ attempts to compute a session key after extraction of stored data in sensors $\{SI{D}_j,C_j,C{X}_j,E{K}_{G{S}_j}\}$. However, the secret key $K_{G{S}_j}$ shared with a gateway and the secret parameter $S{X}_j=h(C_j\parallel R_j)$ are encrypted using the PUF’s response $R_j$, which is unclonable. Thus, the proposed scheme is robust against physical capture attacks.

7.1.11. Random Number Leakage Attacks

In the scheme, the session key $SK$ is derived including ephemeral random numbers $N_1,N_2,N_3$, where $SK=h(SI{D}_j\parallel K_{U{S}_j}\parallel S_{U{S}_j}\parallel N_1\parallel N_2\oplus N_3)$. Based on Section 3.3, $\mathcal{A}$ can reveal all random numbers during the authentication phase. Nevertheless, $\mathcal{A}$ cannot compute $SK$ without the secret parameters $K_{U{S}_j}$ and $S_{U{S}_j}$, which are only shared between $U_i$ and $S{N}_j$. Moreover, it is impossible to calculate $S_{U{S}_j}=h(S{X}_j\parallel {\beta }_j)$ because only $S{N}_j$ knows ${\beta }_j$, which is protected by $R_j$. Accordingly, the proposed scheme provides security against random number leakage attacks.

7.1.12. Mutual Authentication

In the proposed scheme, each entity verifies the validity of the messages to ensure they come from legitimate entities. The authentication is verified using the values $\{V_1,V_2,V_3,V_4,V_5\}$, where $V_1=h(M_3\parallel SI{D}_j\parallel M_2\oplus K_{UG})$, $V_2=h(N_2\parallel K_{G{S}_j}\parallel V_1)$, $V_3=h(S{K}_S\parallel M_6)$, $V_4=h(M_6\parallel V_3\parallel SI{D}_j\parallel N_2\parallel K_{G{S}_j})$, $V_5=h(TI{D}_i^{new}\parallel K_{UG}^{new}\parallel V_3)$. The $G{W}_k$ determines the legitimacy of $U_i$ by checking $V_1$ and consistently ensures message freshness. During this verification, $G{W}_k$ can confirm the correctness of $M_2=N_1\oplus K_{UG}\oplus K_{U{S}_j}$ and $M_3={\alpha }_j\oplus h(N_1\Vert K_{U{S}_j})$. In each session, the login request message $Lo{g}_{req}$ differs even for the same user because of the random nonces $N_1$. Since $V_2$ is calculated using $V_1$, the $S{N}_j$ can confirm the legitimacy and freshness of both $U_i$ and $G{W}_k$ by the validation of $V_2$. The parameter $V_2$ includes random nonces $N_1$ and $N_2$, which are generated in every session. The $G{W}_k$ checks the legitimacy of $S{N}_j$ by verifying $V_3$. Since $V_3$ includes the random nonce $N_3$ generated by $S{N}_j$, the $G{W}_k$ can believe the freshness of messages. Similarly, $U_i$ checks $V_5$ and can confirm the legitimacy of both $G{W}_k$ and $S{N}_j$ because $V_5$ comprises $V_3$. The messages one entity sends to another can be verified; thus, the scheme can achieve mutual authentication.

7.1.13. Key Agreement

The session key $SK$ is established between $U_i$ and $S{N}_j$ to protect the exchanged sensor data. In the scheme, the semi-trusted gateway does not know the session key, but the authentication phase is processed through the gateway. Upon receiving the authentication message $Aut{h}_1=\{M_3,M_4,M_5,V_2\}$, $S{N}_j$ computes values $N_1=M_4\oplus N_2\oplus K_{G{S}_j}\oplus K_{U{S}_j}$, ${\alpha }_j=M_3\oplus h(N_1\parallel K_{U{S}_j})$, ${\beta }_j=C{X}_j\oplus R_j\oplus {\alpha }_j$, $S_{U{S}_j}=h(S{X}_j\parallel {\beta }_j)$. According to Section 7.1.12, $S{N}_j$ can check the legitimacy of $U_i$ and $G{W}_k$ and derive $SK=h(SI{D}_j\parallel K_{U{S}_j}\parallel S_{U{S}_j}\parallel N_1\parallel N_2\oplus N_3)$. Similarly, $U_i$ can compute $SK$ using the received authentication message $Aut{h}_3$ and known secret parameters $\{SI{D}_j,K_{U{S}_j},S_{U{S}_j},N_1\}$. In the session key $SK$, the parameter $SI{D}_j$ identifies the sensor that communicates with the user. The secret parameters $K_{U{S}_j}$ and $S_{U{S}_j}$ ensure secure communication between the legitimate user and the sensor. Additionally, the random nonces $N_1$ and $N_2\oplus N_3$ are refreshed in every session, making it difficult for an adversary $\mathcal{A}$ to compute the session key. Therefore, $U_i$ and $S{N}_j$ securely proceed with a session key agreement between only themselves.

7.1.14. Anonymity and Untraceability

In the scheme, $\mathcal{A}$ cannot know the real identity $UI{D}_i$ of a user $U_i$. The identity $UI{D}_i$ is used in the login process, but it is stored in $M{D}_i$ with encryption of the hash function with $P{W}_i$ and ${\sigma }_i$, which is difficult to reproduce. In the registration phase, $UI{D}_i$ is also masked by RA’s primary key $M{K}_{RA}$ and instead receives a temporary identity $TI{D}_i$ for authentication. During the authentication phase, the user does not use $UI{D}_i$. In addition, $TI{D}_i$ is updated in every session, and the proposed scheme ensures anonymity and untraceability.

7.1.15. Perfect Forward Secrecy

If $\mathcal{A}$ obtains the primary key $M{K}_{RA}$ from the registration authority, then $\mathcal{A}$ may attempt to calculate the session key $SK=h(SI{D}_j\parallel K_{U{S}_j}\parallel S_{U{S}_j}\parallel N_1\parallel N_2\oplus N_3)$. However, $\mathcal{A}$ cannot affect the confidentiality of past communications because the session key $SK$ comprises random nonces $N_1,N_2,N_3$ generated for each session. These random nonces ensure that the session key $SK$ is different in every session, even when the same user and sensor communicate. The secret value $S_{U{S}_j}$ guarantees secure communication between the legitimate user and the sensor. Moreover, $S_{U{S}_j}=h(S{X}_j\mid {\beta }_j)$ includes a random value ${\beta }_j$ known only to $U_i$ and $S{N}_j$. Even when multiple users access the same sensor, each user has a different session key. Accordingly, the proposed scheme provides perfect forward secrecy.

7.1.16. Modeling Attacks

Modeling attacks on PUFs aim to construct a predictive model by using a sufficient number of collected challenge–response pairs (CRPs). Using the trained model, $\mathcal{A}$ can potentially predict valid responses to challenges. However, in the proposed scheme, the PUF mechanism is used only for protecting stored parameters and does not expose CRPs to public channels. During the authentication phase, $S{N}_j$ computes the PUF response $R_j=PUF\left(C_j\right)$ and secret parameters $S{X}_j=h\left(C_j\right|R_j)$. CRPs are not transmitted via an open channel. Even if $\mathcal{A}$ intercepts all communication, no additional CRPs can be obtained. This restricts the adversary’s ability to collect a sufficient dataset for model training. Consequently, the proposed scheme is resilient against modeling attacks on PUFs, as it limits CRP exposure and prevents adversaries from building a reliable model.

7.2. BAN Logic

We demonstrate that the proposed scheme ensures mutual authentication through widely used BAN logic analysis.

Table 2. Notations of BAN logic.

Notations	Descriptions
$P_1,P_2$	Principals
$M_1,M_2$	Statements
$SK$	Session key
$P_1\mid \sim M_1$	$P_1$ once said $M_1$
$P_1\mid \equiv M_1$	$P_1$ believes $M_1$
$P_1⊲M_1$	$P_1$ receives $M_1$
$P_1\Rightarrow M_1$	$P_1$ controls $M_1$
$P_1\stackrel{K}{⟷}{P}_2$	$P_1$ and $P_2$ have shared key K
${\left\{M_1\right\}}_K$	$M_1$ is encrypted with K
$\#M_1$	$M_1$ is fresh

presents the notations and descriptions used in BAN logic. The following section introduces the BAN logic rules and the security goals of the scheme. To apply the BAN logic proof to the scheme, we idealize the communication messages and provide the necessary assumptions. Finally, we outline the entire proof process in the following section.

7.2.1. Rules

The BAN logic is based on the five basic rules summarized below.

1. Message meaning rule (MMR):

$${\displaystyle \frac{P_1\mid \equiv P_1\stackrel{K}{⟷}{P}_2,P_1⊲{\left\{M_1\right\}}_K}{P_1\mid \equiv P_2\mid \sim M_1}}$$

2. Nonce verification rule (NVR):

$${\displaystyle \frac{P_1\mid \equiv \#\left(M_1\right),P_1\mid \equiv P_2\mid \sim M_1}{P_1\mid \equiv P_2\mid \equiv M_1}}$$

3. Jurisdiction rule (JR):

$${\displaystyle \frac{P_1\mid \equiv P_2\Rightarrow M_1,P_1\mid \equiv P_2\mid \equiv M_1}{P_1\mid \equiv M_1}}$$

4. Belief rule (BR):

$${\displaystyle \frac{P_1\mid \equiv (M_1,M_2)}{P_1\mid \equiv M_1}}$$

5. Freshness rule (FR):

$${\displaystyle \frac{P_1\mid \equiv \#\left(M_1\right)}{P_1\mid \equiv \#(M_1,M_2)}}$$

7.2.2. Goals

The principals of the user, gateway, and sensor are denoted by U, G, and S, respectively. The goals of the proposed scheme describe the user U and sensor S to establish a session key, as presented below:

$Goal1$:

$U\mid \equiv U\stackrel{SK}{⟷}S$

$Goal2$:

$U\mid \equiv S\mid \equiv U\stackrel{SK}{⟷}S$

$Goal3$:

$S\mid \equiv U\stackrel{SK}{⟷}S$

$Goal4$:

$S\mid \equiv U\mid \equiv U\stackrel{SK}{⟷}S$

7.2.3. Idealized Forms

This framework transmits messages in the idealized form and omits other messages because they cannot efficiently provide the logical properties of a BAN logic proof. Messages for the proposed scheme are formed as follows:

$Ms{g}_1$:

$U\to G:{\{TID,SID,N_1,{\{S_{US},N_1\}}_{K_{US}}\}}_{K_{UG}}$

$Ms{g}_2$:

$G\to S:{\{{\{S_{US},N_1\}}_{K_{US}},N_1,N_2\}}_{K_{GS}}$

$Ms{g}_3$:

$S\to G:{\{N_2\oplus N_3\}}_{K_{GS}}$

$Ms{g}_4$:

$G\to U:{\{N_2\oplus N_3,TI{D}^{new},K_{UG}^{new}\}}_{K_{UG}}$

7.2.4. Assumptions

We assume that the shared key is correctly distributed and that timestamps are fresh. Using BAN logic notation, these assumptions are expressed as follows:

$A_1$:

$U\mid \equiv \#(N_2\oplus N_3)$

$A_2$:

$G\mid \equiv \#(N_2\oplus N_3)$

$A_3$:

$S\mid \equiv \#(N_1,N_2)$

$A_4$:

$G\mid \equiv \#\left(N_1\right)$

$A_5$:

$U\mid \equiv U\stackrel{K_{UG}}{⟷}G$

$A_6$:

$G\mid \equiv G\stackrel{K_{GS}}{⟷}S$

$A_7$:

$S\mid \equiv G\stackrel{K_{GS}}{⟷}S$

$A_8$:

$G\mid \equiv U\stackrel{K_{UG}}{⟷}G$

$A_9$:

$S\mid \equiv U\stackrel{K_{US}}{⟷}S$

$A_{10}$:

$U\mid \equiv S\Rightarrow \left(U\stackrel{SK}{⟷}S\right)$

$A_{11}$:

$S\mid \equiv U\Rightarrow \left(U\stackrel{SK}{⟷}S\right)$

7.2.5. BAN Logic Proof

We prove the goals of the proposed scheme using BAN logic rules and the mentioned assumptions. The following steps present the detailed procedure of the BAN logic proof.

Step 1: 

According to $Ms{g}_4$, we can obtain $S_1$.

$$S_1:U⊲{\{N_2\oplus N_3,TI{D}^{new},K_{UG}^{new}\}}_{K_{UG}}$$

Step 2: 

From the MMR using $A_5$ and $S_1$, we can obtain $S_2$.

$$S_2:U\mid \equiv G\mid \sim (N_2\oplus N_3,TI{D}^{new},K_{UG}^{new})$$

Step 3: 

From the FR using $A_1$, we can obtain $S_3$.

$$S_3:U\mid \equiv \#(N_2\oplus N_3,TI{D}^{new},K_{UG}^{new})$$

Step 4: 

From the NVR using $S_2$ and $S_3$, we can obtain $S_4$.

$$S_4:U\mid \equiv G\mid \equiv (N_2\oplus N_3,TI{D}^{new},K_{UG}^{new})$$

Step 5: 

According to $Ms{g}_3$, we can obtain $S_5$.

$$S_5:G⊲{\{N_2\oplus N_3\}}_{K_{GS}}$$

Step 6: 

From the MMR using $A_6$ and $S_5$, we can obtain $S_6$.

$$S_6:G\mid \equiv S\mid \sim (N_2\oplus N_3)$$

Step 7: 

From the NVR using $A_2$ and $S_6$, we can obtain $S_7$.

$$S_7:G\mid \equiv S\mid \equiv (N_2\oplus N_3)$$

Step 8: 

According to $Ms{g}_2$, we can obtain $S_8$.

$$S_8:S⊲{\{{\{S_{US},N_1\}}_{K_{US}},N_1,N_2\}}_{K_{GS}}$$

Step 9: 

From the MMR using $A_7$ and $S_8$, we can obtain $S_9$.

$$S_9:S\mid \equiv G\mid \sim ({\{S_{US},N_1\}}_{K_{US}},N_1,N_2)$$

Step 10: 

From the FR using $A_3$, we can obtain $S_{10}$.

$$S_{10}:S\mid \equiv \#({\{S_{US},N_1\}}_{K_{US}},N_1,N_2)$$

Step 11: 

From the NVR using $S_9$ and $S_{10}$, we can obtain $S_{11}$.

$$S_{11}:S\mid \equiv G\mid \equiv ({\{S_{US},N_1\}}_{K_{US}},N_1,N_2)$$

Step 12: 

According to $Ms{g}_2$ and $S_9$, we can obtain $S_{12}$.

$$S_{12}:S⊲{\{S_{US},N_1\}}_{K_{US}}$$

Step 13: 

From the MMR using $A_9$ and $S_{12}$, we can obtain $S_{13}$.

$$S_{13}:S\mid \equiv U\mid \sim (S_{US},N_1)$$

Step 14: 

From the FR using $A_3$, we can obtain $S_{14}$.

$$S_{14}:S\mid \equiv \#(S_{US},N_1)$$

Step 15: 

From the NVR using $S_{13}$ and $S_{14}$, we can obtain $S_{15}$.

$$S_{15}:S\mid \equiv U\mid \equiv (S_{US},N_1)$$

Step 16: 

According to $Ms{g}_1$, we can obtain $S_{1}6$.

$$S_{16}:G⊲{\{TID,SID,N_1,{\{S_{US},N_1\}}_{K_{US}}\}}_{K_{UG}}$$

Step 17: 

From the MMR using $A_8$ and $S_{16}$, we can obtain $S_{17}$.

$$S_{17}:G\mid \equiv U\mid \sim (TID,SID,N_1,{\{S_{US},N_1\}}_{K_{US}})$$

Step 18: 

From the FR using $A_4$, we can obtain $S_{18}$.

$$S_{18}:G\mid \equiv \#(TID,SID,N_1,{\{S_{US},N_1\}}_{K_{US}})$$

Step 19: 

From the NVR using $S_{17}$ and $S_{18}$, we can obtain $S_{19}$.

$$S_{19}:G\mid \equiv U\mid \equiv (TID,SID,N_1,{\{S_{US},N_1\}}_{K_{US}})$$

Step 20: 

Since the session key is $SK=h(SID\parallel K_{US}\parallel S_{US}\parallel N_1\parallel N_2\oplus N_3)$, we can obtain $S_{20}$ from $S_4$ and $S_7$. From $S_{11}$, $S_{15}$, and $S_{19}$, we can obtain $S_{21}$.

$$\begin{array}{c}\hfill S_{20}:U\mid \equiv S\mid \equiv U\stackrel{SK}{⟷}S\left(\mathbf{Goal}\mathbf{2}\right)\\ \hfill S_{21}:S\mid \equiv U\mid \equiv U\stackrel{SK}{⟷}S\mathbf{\left(}\mathbf{Goal}\mathbf{4}\mathbf{\right)}\end{array}$$

Step 21: 

From the JR using $A_{10}$, $A_{11}$, $S_{20}$, and $S_{21}$, we can obtain $S_{22}$ and $S_{23}$.

$$\begin{array}{c}\hfill S_{22}:U\mid \equiv U\stackrel{SK}{⟷}S\left(\mathbf{Goal}\mathbf{1}\right)\\ \hfill S_{23}:S\mid \equiv U\stackrel{SK}{⟷}S\mathbf{\left(}\mathbf{Goal}\mathbf{3}\mathbf{\right)}\end{array}$$

7.3. ROR Model

This section describes the semantic security of the proposed scheme with the analysis of the ROR model [42]. This work defines three participants in the authentication phase of the scheme: user ${\mathcal{P}}_U^{t_1}$, gateway node ${\mathcal{P}}_G^{t_2}$, and sensor node ${\mathcal{P}}_S^{t_3}$, which are the $t_{1}th$ user, $t_{2}th$ gateway node, and $t_{3}th$ sensor node, respectively. In the ROR model, adversary $\mathcal{A}$ can use various queries, including Execute, CorruptD, Send, and Test, to attempt to disclose the session key. The queries are described in detail below.

• Execute(${\mathcal{P}}_U^{t_1}$, ${\mathcal{P}}_G^{t_2}$, ${\mathcal{P}}_S^{t_3}$): $\mathcal{A}$ can intercept the messages transmitted between ${\mathcal{P}}_U^{t_1}$, ${\mathcal{P}}_G^{t_2}$, and ${\mathcal{P}}_S^{t_3}$ through a public channel. The $Execute$ query indicates an eavesdropping attack.
• CorruptD(${\mathcal{P}}^t$): Using this query, $\mathcal{A}$ obtains the data stored in the mobile device of a user ${\mathcal{P}}_U^{t_1}$.
• Send(${\mathcal{P}}^t$, $Msg$): $\mathcal{A}$ can transmit and receive a message $Msg$ between other participants ${\mathcal{P}}_U^{t_1}$, ${\mathcal{P}}_G^{t_2}$, and ${\mathcal{P}}_S^{t_3}$.
• Test(${\mathcal{P}}^t$): This query executes a coin flip test to verify the semantic security of the session key. If $c=0$, a random string is returned; if $c=1$, the session key is returned. Otherwise, $\mathcal{A}$ gets a $NULL(\perp )$ value. The session key is secure if $\mathcal{A}$ cannot distinguish between the random string and the session key.

Theorem 1.

Let $\mathcal{A}$ attempt to break the session key security of the proposed scheme. Let $Ad{v}_{\mathcal{A}}$ be the advantage of $\mathcal{A}$ to calculate the session key in polynomial time. We define $\left|Hash\right|$ and $\left|PUF\right|$ as the range space of the hash function $h(·)$ and PUF $PUF(·)$, respectively. Then, we denote $q_h$, $q_p$ and $q_s$ as the number of $Hash$, $PUF$ and $Send$ queries executed by $\mathcal{A}$. $C^{\prime }$ and $s^{\prime }$ are Zipf’s parameters [43], and $l_{BIO}$ is the number of bits in the biometric information $BIO$ of a user $U_i$.

$$Ad{v}_{\mathcal{A}}\le {\displaystyle \frac{q_h^2}{\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{\left|PUF\right|}}+2max\{C^{\prime }{q}_s^{s^{\prime }},{\displaystyle \frac{q_s}{2^{l_{BIO}}}}\}.$$

(1)

Proof. 

We conduct four games, $G_i$ (where $i=0,1,2,3,4$), based on the attack procedures of $\mathcal{A}$. The term $Pr\left[Suc{c}_i\right]$ denotes the probability that $\mathcal{A}$ wins each game by correctly guessing the result c in $G_i$. The proof processes for $G_i$ and $Suc{c}_i$ are shown as follows:

$G_0$: This game involves $\mathcal{A}$ attempting an attack without any information to guess a random bit c. Therefore, we can derive the following Equation (2).

$$Ad{v}_{\mathcal{A}}=|2Pr\left[Suc{c}_0\right]-1|.$$

(2)

$G_1$: $\mathcal{A}$ performs $Execute$ query to attempt an eavesdropping attack. Then, $\mathcal{A}$ uses the $Test$ query to guess whether the return value is a random string or a session key $SK$. However, $\mathcal{A}$ is unable to compute $SK=h(SI{D}_j\parallel K_{U{S}_j}\parallel S_{U{S}_j}\parallel N_1\parallel N_2\oplus N_3)$ through the eavesdropping attack. Since $\mathcal{A}$ gains no advantage from winning $G_1$, $G_1$ and $G_0$ are indistinguishable. Therefore, we obtain the following equation.

$$Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right].$$

(3)

$G_2$: In this game, $\mathcal{A}$ performs an “active attack” by using “Send” and “Hash” queries. In the scheme, all parameters and messages $\{Lo{g}_{Req},Aut{h}_1,Aut{h}_2,Aut{h}_3\}$ are composed of secret keys and random numbers. In addition, they are masked by a one-way hash function $H(·)$, which is resistant to hash collisions. Based on the birthday paradox [44], the probability of hash collision is given by $(q_h^2/2^{l_h+1})$, where $l_h$ represents the length of a hash output and $\left|Hash\right|$ equals $2^{l_h+1}$. As $G_1$ and $G_2$ are indistinguishable, except when the collision of $Hash$ happens, we can obtain the advantage of $\mathcal{A}$ in $G_2$ as follows:

$$|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_1\right]|\le {\displaystyle \frac{q_h^2}{2\left|Hash\right|}}.$$

(4)

$G_3$: Similar to $G_2$, $\mathcal{A}$ performs $Send$ and $PUF$ queries. As explained in Section 3.2.2, the secure properties of the PUF make it difficult to guess or compute the response of the PUF. Therefore, we can obtain the following equation:

$$|Pr\left[Suc{c}_3\right]-Pr\left[Suc{c}_2\right]|\le {\displaystyle \frac{q_p^2}{2\left|PUF\right|}}.$$

(5)

$G_4$: In the final game $G_4$, $\mathcal{A}$ executes the $CorruptD$ query to obtain parameters $\{TI{D}_i,{\tau }_i,A_1,V_L,{\{A_{2j},A_{3j},A_{4j},SI{D}_j\}}_{j=1}^m\}$ stored in a mobile device. Then, $\mathcal{A}$ attempts to compute secret keys $\{K_{UG},{\alpha }_j,S_{U{S}_j},K_{U{S}_j}\}$, where $K_{UG}=A_1\oplus h(UI{D}_i\parallel P{W}_i\parallel {\sigma }_i)$, ${\alpha }_j=A_{2j}\oplus h(SI{D}_j\parallel K_{UG}\parallel P{W}_i)$, $S_{U{S}_j}=A_{3j}\oplus h({\alpha }_j\parallel UI{D}_i\parallel {\sigma }_i)$, and $K_{U{S}_j}=A_{4j}\oplus h(S_{U{S}_j}\parallel P{W}_i\parallel {\sigma }_i)$. $\mathcal{A}$ must simultaneously guess the user’s identity $UI{D}_i$, password $P{W}_i$, and biometric secret key ${\sigma }_i$ to calculate $SK$. Guessing all of them in polynomial time is a computationally infeasible task; hence, $\mathcal{A}$ cannot derive the session key $SK$. Furthermore, the probability of guessing ${\sigma }_i$ is roughly $2^{l_{BIO}}$, where the length of ${\sigma }_i$ is $l_{BIO}$ bits. We can apply Zipf’s law [43] on the password and $\mathcal{A}$ executes $Send$ queries. Then, we can derive the following equation:

$$|Pr\left[Suc{c}_4\right]-Pr\left[Suc{c}_3\right]|\le max\{C^{\prime }{q}_s^{s^{\prime }},{\displaystyle \frac{q_s}{2^{l_{BIO}}}}\}.$$

(6)

After executing all the games, $\mathcal{A}$ performs the $Test$ query, guessing whether $c=1$ or $c=0$. Since $\mathcal{A}$ cannot gain any advantage in guessing c, we obtain the following equation:

$$Pr\left[Suc{c}_4\right]={\displaystyle \frac{1}{2}}.$$

(7)

By using Equations (2), (3) and (7), we can derive the following result:

$$\begin{array}{cc}\hfill \phantom{{\displaystyle \frac{1}{2}}Ad{v}_{\mathcal{A}}}& \begin{array}{cc}\hfill {\displaystyle \frac{1}{2}}Ad{v}_{\mathcal{A}}& =|Pr\left[Suc{c}_0\right]-{\displaystyle \frac{1}{2}}|\hfill \\ \hfill & =|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_4\right]|.\hfill \end{array}\hfill \end{array}$$

(8)

By applying the triangle inequality to Equation (8), we can derive the following result:

$$\begin{array}{cc}\hfill \phantom{{\displaystyle \frac{1}{2}}Ad{v}_{\mathcal{A}}}& \begin{array}{cc}\hfill {\displaystyle \frac{1}{2}}Ad{v}_{\mathcal{A}}& =|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_4\right]|\hfill \\ \hfill & \le |Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_2\right]|+|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_3\right]|+|Pr\left[Suc{c}_3\right]-Pr\left[Suc{c}_4\right]|\hfill \\ \hfill & \le {\displaystyle \frac{q_h^2}{2\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{2\left|PUF\right|}}+max\{C^{\prime }{q}_s^{s^{\prime }},{\displaystyle \frac{q_s}{2^{l_{BIO}}}}\}.\hfill \end{array}\hfill \end{array}$$

(9)

By multiplying both sides of Equation (9) by 2, we can obtain the required result:

$$Ad{v}_{\mathcal{A}}\le {\displaystyle \frac{q_h^2}{\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{\left|PUF\right|}}+2max\{C^{\prime }{q}_s^{s^{\prime }},{\displaystyle \frac{q_s}{2^{l_{BIO}}}}\}.$$

(10)

Therefore, we prove Theorem 1. □

7.4. AVISPA Simulation

The AVISPA [45,46] is a simulation tool to analyze the security of protocols for formal verification. In the AVISPA simulation, adversary $\mathcal{A}$ has attack capabilities based on the DY model. The AVISPA uses “High-Level Protocol Specification Language (HLPSL)”. In this section, we show the whole process of the proposed scheme written in HLPSL codes and the output of AVISPA simulation. We use “On-the-Fly Model Checker (OFMC)” [47] and “Constraint Logic-based Attack Searcher (CL-AtSe)” [48] backend models because these two models support XOR operation. If the summary displays ‘Safe’, the scheme has been proven to resist man-in-the-middle (MitM) and replay attacks [49].

7.4.1. HLPSL Specification

This work defines four roles for user $U_i$, gateway $G{W}_k$, sensor $S{N}_j$, and registration authority $RA$, denoted by “U”, “G”, “S”, and “RA”, respectively. Then, we comprise the role specifications for the session, goal, and environment of the proposed scheme. Figure 6 presents the source code for the role of $U_i$, and we will explain its role in detail as an example. In the registration and authentication phases, $U_i$ recognizes four agents: user (U), gateway (G), sensor (S), and registration authority (RA). “(SN, RV)” means that agents send and receive messages through a public channel channel(dy) which follows the DY model. At first, $U_i$ initializes the state to 0 (State = 0) and receives the start signal “RV(start)”. In the state = 1, “RV({TIDi’.H(TIDi’.H(GIDk.Rk.MKra)).SIDj.ALPj’. H(H(Cj.Puf(Cj)).xor(xor(H(Cj.Puf(Cj)),H(SIDj.GIDk.MKra)),ALPj’)). H(SIDj.H(SIDj.GIDk. MKra)))}_SKru)” indicates that the $U_i$ receives messages $\{TI{D}_i,K_{UG},SI{D}_j,{\alpha }_j,S_{U{S}_j},K_{U{S}_j}\}$ from the RA. The “SKru” ensures that the registration messages are transmitted via a secure channel. After that, $U_i$ sends the authentication request message $Lo{g}_{Req}$ to $G{W}_k$ through a public channel. “SN(TIDi’.M1’.M2’.M3’.V1’)” means that $U_i$ sends $Lo{g}_{Req}$. In the state = 3, $U_i$ computes a session key and authenticates completely with $S{N}_j$.

7.4.2. AVISPA Simulation Result

The HLPSL code is converted into “Intermediate Format (IF)” by the AVISPA simulation translator. From the IF code, the backend models generate the simulation outputs in “Output Format (OF)”, which is ‘SUMMARY’. Figure 7 shows the summaries of the proposed scheme under the OFMC and CL-AtSe backend models. In the case of OFMC, the search time is 22.33 s and the number of visited nodes is 0. In CL-AtSe, the result reveals four analyzed states and takes 6.39 s for translation. Both simulation outputs are “SAFE,” and therefore we demonstrate that the scheme prevents replay and MitM attacks.

8. Performance Comparison

This section discusses the scheme performance regarding computational costs, communication costs, energy consumption, and security features. The comparison results reveal that the scheme provides better overall performance than other related schemes.

8.1. Computational Costs

We analyzed computational costs of the proposed and related schemes [16,17,18,19,20,21,22,23,24,34,35]. We approximated the execution time for each cryptographic operation, referring to the work [50]. The execution time of operations is measured using the MIRACL library [51]. The evaluations were conducted with the following configurations on each platform:

• GWN: Intel Core i5-11400 processor (Intel Corporation, Santa Clara, CA, USA), 24 GB RAM, 2.6 GHz, running Ubuntu 20.04 LTS 64-bit.
• User and Sensor: Raspberry Pi 4 Model B (Raspberry Pi Ltd., Cambridge, UK), 8 GB RAM, ARM Cortex-A72 1.5 GHz processor, running Ubuntu 20.04 LTS 64-bit.

We do not consider the execution time for XOR, concatenation, and mod operations because these are minimal and negligible. In addition, we assume that $T_{Kh}\approx T_H$ according to [21].

Table 3. Cryptographic operations and execution time (ms).

Notation	Operation	GWN	User/Sensor
$T_M$	Elliptic curve point multiplication	0.411	2.353
$T_H$	One-way hash function	0.001	0.009
$T_{Kh}$	Keyed hash function	0.001	0.009
$T_S$	Symmetric encryption/decryption	0.001	0.004
$T_A$	Asymmetric encryption/decryption	0.373	4.764
$T_F$	Fuzzy extractor	0.411	2.353
$T_P$	Physical unclonable function	0.0007	0.0063

shows the execution time for each cryptographic operation.

We calculate the costs required for each entity: user, gateway, and sensor node. By applying the execution time in Table 3, we calculate the computation cost of the proposed scheme as follows: (a user: $14T_H+T_F\approx 2.479$ ms; a gateway node: $11T_H\approx 0.011$ ms; a sensor node: $10T_H+T_P\approx 0.0963$ ms).

Table 4. Total computational costs.

Scheme	User	GWN	Sensor	Total Cost (ms)
Shuai et al. [17]	$2T_M+6T_H$	$T_M+7T_H$	$3T_H$	5.205
Zou et al. [18]	$3T_M+7T_H$	$T_M+6T_H$	$2T_M+5T_H$	12.29
Kaur et al. [19]	$2T_M+7T_H$	$T_M+7T_H$	$3T_H$	5.214
Zou et al. [20]	$2T_M+11T_H+T_F$	$15T_H$	$2T_M+8T_H$	11.951
Rangwani et al. [21]	$6T_H+2T_{Kh}+3T_A$	$8T_H+2T_A$	$5T_H+2T_{Kh}+2T_A$	24.709
Xie et al. [22]	$3T_M+8T_H+T_S+T_F$	$T_M+7T_H+2T_S$	$T_M+6T_H+T_S$	12.319
Kumar et al. [23]	$9T_H$	$T_M+12T_H+T_F$	$T_M+9T_H+T_F+T_P$	4.9573
Badar et al. [24]	$5T_M+3T_H+T_P$	$5T_M+3T_H$	$4T_M+4T_H$	15.5043
Alruwaili et al. [34]	$3T_M+12T_H+T_F$	$7T_H+T_F+T_P$	$T_M+12T_H+T_F+T_P$	14.759
Sarbishaei et al. [35]	$9T_H+T_F$	$19T_H+2T_P$	$6T_H+T_P$	2.5147
Nyangaresi et al. [16]	$2T_M+7T_H$	$T_M+9T_H$	$4T_H$	5.225
Proposed	$14T_H+T_F$	$11T_H$	$10T_H+T_P$	2.5863

represents the total operations and computation costs of related and proposed schemes. Although the scheme [35] has the lowest computational overhead, the proposed scheme ranks second with only a difference of 0.0716 ms. Consequently, the proposed scheme ensures high efficiency for smart city environments compared with related schemes [16,17,18,19,20,21,22,23,24,34,35]. For clarity, we include the scheme [24] in Table 4, where the “user” column refers to a smart meter (platform: “User and Sensor”), and the “sensor” column refers to a service provider (platform: “GWN”).

8.2. Communication Costs

According to [52], we define that the elliptic curve point, asymmetric encryption/decryption, symmetric encryption/decryption, hash digest, random nonces, identity, and timestamp are 320, 1024, 256, 160, 160, 128, and 32 bits, respectively. In the proposed scheme, four messages $\{Lo{g}_{Req},Aut{h}_1,Aut{h}_2,Aut{h}_3\}$ are exchanged between entities as described in Section 6.2. The communication costs for each message are as follows: ($Lo{g}_{Req}=\{TI{D}_i,M_1,M_2,M_3,V_1\}$: 768 bits; $Aut{h}_1=\{M_3,M_4,M_5,V_2\}$: 640 bits; $Aut{h}_2=\{M_6,V_3,V_4\}$: 480 bits; $Aut{h}_3=\{M_6,M_7,M_8,V_5\}$: 640 bits). The total communication cost for the proposed scheme is 768 + 640 + 480 + 640 = 2528 bits. The results indicate that Alruwaili et al.’s scheme achieves the lowest communication cost, followed by the proposed scheme. However, the computational cost of Alruwaili et al.’s scheme is more than about six times higher than that of our scheme. Consequently, our scheme has a lower overall communication cost compared with related schemes [16,17,18,19,20,21,22,23,24,34,35].

Table 5. Total communication costs.

Scheme	No. of Messages	Total Cost (bits)
Shuai et al. [17]	4 messages	2752
Zou et al. [18]	4 messages	3488
Kaur et al. [19]	4 messages	3040
Zou et al. [20]	4 messages	3488
Rangwani et al. [21]	6 messages	4800
Xie et al. [22]	6 messages	2560
Kumar et al. [23]	4 messages	3904
Badar et al. [24]	4 messages	3520
Alruwaili et al. [34]	3 messages	2464
Sarbishaei et al. [35]	6 messages	2912
Nyangaresi et al. [16]	4 messages	2560
Proposed	4 messages	2528

describes the communication cost analysis of each scheme.

8.3. Energy Consumption

During the authentication phase, energy is consumed to compute parameters and exchange messages between entities. Since sensor nodes have limited resources, the high energy consumption has the potential to affect low performance. We can calculate energy consumption as $E=E_{comp}+E_{comm}$ [53]. $E_{comp}$ and $E_{comm}$ denote the energy consumption during computation and communication, respectively. According to [53], we can calculate energy consumption of operation computation as $E_{op}=3.5V\times 0.4A\times \left(computationcost\right)$. The energy consumption of $T_M$, $T_H$, $T_{Kh}$, $T_S$, $T_A$, $T_F$, and $T_P$ are 3.2942 mJ, 0.0126 mJ, 0.0126 mJ, 0.0056 mJ, 6.6696 mJ, 3.2942 mJ, and 0.0088 mJ. In addition, communication energy consumption can be calculated as $E_{comm}=n_s{E}_s+n_r{E}_r$. We assumed energy costs of sending messages $E_s\approx 5.9$$\mathsf{\mu }$J where $n_s$ is the bytes of messages, and receiving messages $E_r\approx 4.7$$\mathsf{\mu }$ J where $n_r$ is the bytes of messages. Therefore, in our scheme, energy consumption of the sensor node can be assumed as $E_{comp}=10T_H+Tp=0.1348$ mJ and $E_{comm}=60E_s+80E_r=0.0730$ mJ, i.e., 0.2078 mJ in total. The results of the energy consumption comparison are shown in

Table 6. Energy consumption of sensor.

Scheme	${\mathit{E}}_{\mathit{comp}}$ (mJ)	${\mathit{E}}_{\mathit{comm}}$ (mJ)	Total (mJ)
Shuai et al. [17]	0.0378	0.6684	0.7062
Zou et al. [18]	6.6514	1.3708	8.0222
Kaur et al. [19]	0.0378	0.8236	0.8614
Zou et al. [20]	6.6892	1.2768	7.966
Rangwani et al. [21]	13.4274	1.8232	15.2506
Xie et al. [22]	6.6696	0.9468	7.6164
Kumar et al. [23]	3.4308	1.2344	4.6652
Badar et al. [24]	16.5176	0.872	17.3896
Alruwaili et al. [34]	6.7476	0.7484	7.4948
Sarbishaei et al. [35]	0.0844	0.9656	1.05
Nyangaresi et al. [16]	0.0504	0.612	0.6624
Proposed	0.1348	0.730	0.8648

.

8.4. Security Features

We compare the security features of the proposed scheme with those of related schemes [16,17,18,19,20,21,22,23,24]. The following describes each security feature: $SF1$: “resistance to session key disclosure attacks”; $SF2$: “resistance to DoS attacks”; $SF3$: “resistance to replay attacks”; $SF4$: “resistance to desynchronization attacks”; $SF5$: “resistance to insider attacks”; $SF6$: “resistance to privileged insider attacks”; $SF7$: “resistance to user impersonation attacks”; $SF8$: “resistance to MitM attacks”; $SF9$: “resistance to forgery attacks”; $SF10$: “resistance to physical capture attacks”; $SF11$: “resistance to random number leakage attacks”; $SF12$: “mutual authentication”; $SF13$: “key agreement”; $SF14$: “anonymity and untraceability”; and $SF15$: “perfect forward secrecy”. The comparison results of each scheme are presented in

Table 7. Security features.

	[17]	[18]	[19]	[20]	[21]	[22]	[23]	[24]	[16]	Proposed
$SF1$	∘	×	×	∘	∘	×	∘	∘	∘	∘
$SF2$	∘	∘	∘	∘	∘	∘	∘	-	-	∘
$SF3$	×	∘	-	∘	-	-	-	∘	∘	∘
$SF4$	∘	∘	-	∘	-	-	∘	-	∘	∘
$SF5$	×	-	∘	∘	∘	∘	×	∘	×	∘
$SF6$	×	∘	-	∘	∘	×	∘	-	∘	∘
$SF7$	×	∘	∘	∘	∘	∘	∘	×	×	∘
$SF8$	∘	-	-	∘	∘	×	-	-	∘	∘
$SF9$	∘	×	-	∘	-	-	∘	-	∘	∘
$SF10$	×	∘	×	∘	∘	∘	-	∘	∘	∘
$SF11$	×	×	-	∘	∘	-	-	-	×	∘
$SF12$	∘	∘	×	×	∘	∘	×	∘	∘	∘
$SF13$	∘	×	∘	∘	∘	∘	∘	∘	∘	∘
$SF14$	×	∘	∘	∘	×	∘	×	∘	∘	∘
$SF15$	×	∘	∘	∘	×	×	-	×	-	∘

∘: Supported, ×: Not supported, -: not considered

. The results demonstrate that the proposed scheme can provide secure communication for smart cities.

9. Conclusions

The implementation of IoT has advanced smart urban services, but challenges such as data privacy and security threats drive the need for secure authentication schemes. In this paper, we reviewed Nyangaresi et al.’s authentication scheme [16] for smart cities. According to cryptoanalysis of their scheme, it is vulnerable to various security attacks, such as insider, sensor node capture, user impersonation, and random number leakage attacks. Therefore, we present a secure authentication scheme to resolve these security flaws. The scheme employs only hash functions and XOR operations to reduce the computational and communication cost burdens. Moreover, the scheme applies PUF and fuzzy extractor functions to address security threats. The critical concern of this paper is ensuring resistance against various security attacks, such as physical node capture, DoS, and user impersonation. Finally, this work demonstrates the security via informal and formal security analyses and its improved performance via comparisons with related schemes. The experimental results on real devices demonstrate that the proposed scheme has suitability for real-time applications in IoT-based smart cities, offering low cost, energy efficiency, and secure communication. In future work, we plan to extend our evaluation through real-world deployment and simulation.