Provably Secure and Privacy-Preserving Authentication Scheme for IoT-Based Smart Farm Monitoring Environment

Abstract

Smart farming is an agricultural technology integrating advanced technology such as cloud computing, Artificial Intelligence (AI), the Internet of Things (IoT), and robots into traditional farming. Smart farming can help farmers by increasing agricultural production and managing resources efficiently. However, malicious attackers can attempt security attacks because communication in smart farming is conducted via public channels. Therefore, an authentication scheme is necessary to ensure security in smart farming. In 2024, Rahaman et al. proposed a privacy-centric authentication scheme for smart farm monitoring. However, we demonstrated that their scheme is vulnerable to stolen mobile device, impersonation, and ephemeral secret leakage attacks. This paper suggests a secure and privacy-preserving scheme to resolve the security defects of the scheme proposed by Rahaman et al. We also verified the security of our scheme through “the Burrows-Abadi-Needham (BAN) logic”, “Real-or-Random (RoR) model”, and “Automated Validation of Internet Security Protocols and Application (AVISPA) tool”. Furthermore, a performance analysis of the proposed scheme compared with related studies was conducted. The comparison result proves that our scheme was more efficient and secure than related studies in the smart farming environment.

1. Introduction

Smart farming is a new farm management concept that can increase agricultural production by applying advanced technology such as big data, Artificial Intelligence (AI), cloud computing, Internet of Things (IoT), and robots to traditional farming [1]. Traditional farming comprises farmers and outdated agricultural equipment, and heavily depends on the farmer’s experience and the natural environment. Traditional farming is based on manual labor and is highly sensitive to weather and seasonal changes. Moreover, due to the lack of automation and advanced agricultural technology, traditional farming has limitations compared with modern smart farming in terms of productivity and efficiency. Although the number of people engaged in agriculture and resources is decreasing due to urbanization, the demand for agricultural production is increasing with the global population. The Food and Agriculture Organization predicts that the global population will rise to 10 billion by 2050 [2]. Therefore, traditional agriculture must transition to smart farming [3], which can generate the maximum agricultural production with minimal resources by integrating AI and IoT technologies. These advances can help farmers obtain information about the health statuses of crops and soil at each production stage. They can also serve as early warning systems, recognizing potential problems and offering timely solutions [4].

Typically, smart farming architecture that integrates AI and IoT consists of a server, users, and IoT sensors [5]. Real-time data, such as the soil condition, humidity, weather patterns, and temperature, are collected by IoT sensors. The vast data gathered from sensors are transmitted to the server as the basis for the AI analysis [6]. The server stores and preprocesses data, providing the AI model. Based on the sensor data, widely used deep learning models, such as Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks, can be employed to detect the location and types of diseases and pests in crops, including identifying infected areas on leaves, stems, or fruits. These models can further utilize the detection results to predict crop yields and estimate optimal harvest times [7]. The users are primarily farmers or farm managers who can remotely monitor their farms, making agricultural decisions regarding crop management and resource allocation. Farmers can establish more efficient strategies for crop selection and cultivation based on the result analyzed using the AI model [8].

Although smart farming with AI and IoT technology has considerable advantages for agriculture, it still faces several significant challenges. In smart farming architecture, the sensor data or results analyzed by AI models are transmitted via public channels [9]. The transmitted data includes the farmer’s personal information and sensitive farm data [10], which are prone to exposure to security attacks [11]. Therefore, the system has security requirements to address these vulnerabilities, including confidentiality, integrity, authentication, data freshness, identity privacy preservation, and non-repudiation [12]. To date, much research has been conducted to solve these problems in IoT environments. Recently, research was conducted to verify the message sender through authentication at the physical layer [13]. As a physical layer authentication scheme, a deep learning-based radio frequency fingerprint identification framework was proposed to enhance the security for zero-trust edge IoT environments [14]. In this study, we concentrated on designing the authentication protocol to protect privacy in smart farming. Entities in a smart farming system can establish a shared session key to enable secure access to data via authentication. Furthermore, IoT sensors deployed in smart farming environments often have limited computational and energy resources; therefore, lightweight authentication protocols must be designed to guarantee security while minimizing computational and communication overheads.

In 2024, Rahaman et al. [15] proposed a privacy-centric authentication protocol for smart farm monitoring with AI and IoT. Their scheme achieves simplicity and low overheads because it employs only XOR operations and hash functions. They asserted that their scheme resists adversarial attacks, including man-in-the-middle (MITM), privileged insider, replay, and impersonation attacks. However, their scheme does not defend against ephemeral secret leakage (ESL), stolen mobile device, sensor capture, insider, and impersonation attacks. In the authentication phase of this scheme, an authentication request message is transmitted directly to the IoT sensor by the user. The sensor cannot have the ability to verify whether the user is legitimate. Hence, if an attacker repeatedly transmits authentication requests to the sensor, it may result in a denial-of-service (DoS) attack or exhaust the sensor capabilities. Furthermore, their scheme does not guarantee the untraceability of the user. Therefore, we propose a secure and privacy-preserving authentication scheme to address the vulnerabilities of the scheme by Rahaman et al. The proposed scheme employs XOR operations and hash functions and adopts a physical unclonable function (PUF) to resist sensor capture attacks. The proposed scheme effectively withstands various adversarial attacks, including insider, stolen mobile device, and stolen verifier attacks. After authentication in the proposed scheme, the user can access the sensor data and AI results via the shared session key.

1.1. Contributions

We summarize the critical contributions of this study below:

• This work offers a security analysis of the scheme by Rahaman et al. [15] and reveals its vulnerabilities to various attacks, including device capture, impersonation, insider, and ephemeral secret leakage attacks.
• We propose a secure and privacy-preserving authentication scheme that ensures enhanced security. A PUF is employed in the proposed scheme to ensure the security of the sensor. The proposed scheme can guarantee resistance against sensor capture attacks.
• We prove the security of the proposed scheme by using the “Burrows-Abadi-Needham (BAN) logic” [16], “real-or-random (RoR) model” [17], and “Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation tool” [18,19] formally to demonstrate the robustness of the proposed scheme.
• We demonstrate the efficiency of the proposed scheme through a comparative analysis of the communication cost, computational cost, and security features with related works. The proposed scheme shows superior performance over previous works.

1.2. Organization

Section 2 discusses related studies for smart farming and IoT environments. Then, Section 3 describes the PUF, system architecture model, notations, adversary model, and review of the scheme by Rahaman et al. Next, Section 4 conducts a cryptanalysis of the scheme and reveals the security flaws. Section 5 introduces a secure and privacy-preserving authentication scheme for a smart farm monitoring environment, and Section 6 performs formal and informal analyses of the proposed scheme. Furthermore, Section 7 analyzes our scheme’s performance by comparing it with related studies. Finally, Section 8 summarizes the future directions.

2. Related Work

This section briefly reviews the previous research on authentication protocols. Recently, various communication technologies utilizing IoT have been developed for smart farming. He et al. [20] proposed an IoT-based communication scheme that enhances energy efficiency and connectivity by using a UAV relay, multiple antennas, and an antenna selection method to improve the signal quality for distant sensors. Yu et al. [21] developed an IoT-based cold chain logistics supervision system using blockchain, enabling real-time monitoring and secure data sharing throughout the agricultural supply chain. As smart farming increasingly incorporates cloud computing, IoT, and robotics, it introduces new security challenges. In response, various authentication schemes have been proposed to address the requirements and constraints of smart agricultural environments. Ali et al. [22] devised a secure user authentication protocol for agricultural monitoring systems, adopting a fuzzy extractor and bio-based hash functions to enhance the user security. However, Chen et al. [23] demonstrated that the scheme by Ali et al. fails to resist sensor impersonation and insider attacks, and cannot provide perfect forward secrecy, user anonymity, and untraceability. Chen et al. further designed a pseudonym-identity-based authentication scheme to address these weaknesses. Nevertheless, their scheme remains susceptible to privileged insider, ESL, and stolen mobile device attacks [24]. A blockchain-enabled key agreement scheme proposed in [24] provides two-party authentication for vehicle-assisted agricultural IoT networks. A lightweight authentication and key exchange protocol for smart agriculture systems was devised by Itoo et al. [25]. They employed fuzzy extractors and elliptic curve cryptography (ECC). Similarly, Abduljabbar et al. [26] designed a key agreement scheme for secure data exchange in agricultural environments based on ECC. However, the authentication request messages in these models [25,26] do not contain any form of user identity. Thus, the gateway fails to retrieve the user’s information, and the authentication process cannot be performed.

Authentication schemes for Wireless Sensor Networks (WSNs) can be effectively applied in smart farming environments with IoT sensors. Jabbari et al. [27] and Kumar et al. [28] devised user authentication schemes for IoT-based WSNs. However, both schemes fail to resist ESL attacks, as introduced in [29]. To enhance the security, Mo et al. [29] devised a three-factor authentication scheme employing Chebyshev chaotic mapping for WSNs. Nevertheless, their scheme remains susceptible to MITM and privileged insider attacks, and cannot guarantee perfect forward secrecy [30]. Alotaibi et al. [31] designed a user authentication protocol for WSNs. They employed a fuzzy extractor and symmetric key encryption for secure communication. However, their scheme does not withstand stolen verifier attacks and lacks perfect forward secrecy [32]. An efficient authentication protocol for WSNs was introduced by Moghadam et al. [32]. Their scheme is based on elliptic curve Diffie–Hellman. However, it remains prone to privileged insider and ESL attacks [33]. Badshah et al. [33] devised an anonymous key exchange scheme based on ECC for smart transportation. Their scheme supports two-party authentication between various entities, including two vehicles, a cluster head and a roadside unit (RSU), and the RSU and a cloud server. Likewise, various authentication schemes based on ECC have been designed to ensure a secure message exchange. For example, Li et al. [34] offered a provably privacy-preserving authentication scheme for industrial IoT. Although this is based on ECC, it does not defend against replay attacks and guarantee user anonymity and untraceability. A secure authentication scheme for agricultural WSNs was devised by Rangwani et al. [35]. This employs ECC to establish session keys for smart farming. Similarly, Vangala et al. [36] introduced a signature-based anonymous user authentication scheme that relies on ECC. However, this scheme suffers from a high computational overhead and does not prevent sensor impersonation attacks. Specifically, the transition of ECC-based signatures incurs high communication overheads. Due to the high computational and communication overheads of ECC, these schemes are unsuitable for smart farming systems with constrained resources.

Therefore, a variety of resource-efficient authentication schemes have been presented by researchers. For example, a lightweight authentication scheme for IoT-based environments was developed by Guo et al. [37]. Although designed for devices with limited resources, the scheme incurs a high communication overhead and remains vulnerable to sensor impersonation, insider, and sensor capture attacks. Moreover, the scheme also does not guarantee perfect forward secrecy [38]. Similarly, Nyangaresi et al. [39] developed an authentication protocol for a WSN with limited-resource sensors. Although it achieves a low computational overhead, it imposes high communication costs and does not resist replay, sensor capture, impersonation, and insider attacks [40]. Rahaman et al. [15] offered a lightweight, privacy-preserving authentication scheme for rural smart farm monitoring systems using only XOR operations and hash functions. Despite its simplicity, the scheme is vulnerable to sensor capture, insider, stolen mobile device, and ESL attacks. Moreover, this scheme fails to ensure user untraceability. A comparative summary of these related schemes is indicated in

Table 1. Summary of the related work.

Schemes	Contributions	Limitations
[22]	Secure user authentication scheme for agriculture monitoring. Use a fuzzy extractor and bio-hash function.	Vulnerable to insider and sensor node impersonation attacks. Does not guarantee perfect forward secrecy.
[23]	Lightweight authentication scheme for agriculture monitoring. Based on dynamic pseudonym identity.	Vulnerable to stolen mobile device, privileged insider, and ESL attacks.
[25]	Lightweight authentication scheme for smart agriculture. Based on ECC.	Cannot retrieve due to lack of user information.
[26]	Secure authentication scheme for agriculture. Based on ECC.	Cannot retrieve due to lack of user information.
[27]	User authentication scheme for a WSN. Uses a fuzzy extractor.	Vulnerable to ESL attacks.
[28]	Secure and efficient user authentication scheme for a WSN. Based on XOR operations and hash functions.	Vulnerable to ESL attacks.
[29]	Secure three-factor authentication scheme for a WSN. Uses a Chebyshev chaotic mapping.	Vulnerable to MITM and privileged insider attacks. Does not guarantee perfect forward secrecy.
[30]	Three-factor authentication scheme for a WSN. Based on ECC.	High computational cost.
[31]	User authentication scheme for a WSN. Uses a fuzzy extractor.	Vulnerable to stolen verifier attacks. Does not guarantee perfect forward secrecy.
[32]	Efficient authentication scheme for a WSN. Based on ECDH.	Vulnerable to ESL and privileged insider attacks.
[34]	Provable secure authentication scheme for an IIoT. Based on ECC.	High communication cost. Vulnerable to replay attacks. Does not guarantee user untraceability.
[35]	Remote user authentication scheme for agricultural WSNs. Based on ECC.	High communication cost. Vulnerable to sensor impersonation and insider attacks.
[36]	Secure signature-based anonymous authentication scheme for an IoT-enabled farming environment. Based on ECC and signatures.	High computation cost. High communication cost.
[37]	Lightweight authenticated key agreement scheme for IoT environments. Based on XOR operations and hash functions.	High communication cost. Vulnerable to sensor impersonation and insider attacks. Does not guarantee perfect forward secrecy.
[39]	Lightweight authentication scheme for a WSN. Based on XOR operations and hash functions.	High communication cost. Vulnerable to replay, sensor capture, sensor impersonation, and privileged insider attacks.
[15]	Privacy-centric authentication scheme for smart farm monitoring. Based on XOR operations and hash functions.	Vulnerable to impersonation, insider, sensor capture, and ESL attacks. Does not guarantee user untraceability.

.

3. Preliminaries

To understand the proposed scheme, this section presents the necessary background, including the PUF, system model, notation, and adversary model.

3.1. Physical Unclonable Function

A PUF is a physical circuit that generates a distinct output for each input based on variations in the microstructure of the hardware [41,42]. The PUF operates through the sensor’s intrinsic response and can generate keys without requiring any external hardware modules. In addition, unlike biometric-based systems, PUF responses are not affected by user behavior or environmental noise, and they produce consistent outputs under identical conditions. The PUF derives secrets from the physical characteristics of the integrated circuit. In contrast to traditional secret key storage methods, the PUF does not require storing secret keys; instead, it produces unique input–output pairs, known as “challenge–response” pairs. This paper describes the PUF operation as $RE=PUF\left(CH\right)$, where $RE$ represents the corresponding response and $CH$ denotes the challenge. The properties of the PUF are described below:

• A PUF generates a unique response for each challenge.
• The physical structure of a PUF cannot be cloned.
• The response of a PUF is unpredictable and depends on physical circuits.

The PUF-based scheme is simple and requires minimal computational overhead. A PUF generates a unique fingerprint of the sensor without requiring additional hardware. Since the PUF module is inherently embedded in the IoT sensor, it offers a lightweight security mechanism without memory resources. These characteristics make it particularly suitable for IoT-based environments [43]. Therefore, we propose an authentication scheme utilizing PUF for IoT-based smart farming environments.

3.2. System Model

Figure 1 illustrates the system architecture of the proposed scheme. The system model for smart farming comprises three entities: the central server (CS), user, and IoT sensors.

• Central server: As a trusted entity, the CS possesses sufficient computational and storage capabilities. The user and IoT sensor must be registered with the CS before mutual authentication. After the mutual authentication, the CS can store the sensor data and provide insights or decision support information to the user using an AI model. Deep learning models, like a CNN and LSTM, can analyze sensor data to detect crop diseases and pests and use this information to predict yields and harvest timing.
• Users: The user refers to farmers or farm managers with mobile devices to access smart farming systems. After the authentication, the user can directly view the sensor data and receive the AI analysis results from the CS.
• IoT sensors: The IoT sensors deployed in smart farms have limited resources. They collect numerous real-time data, including temperature, humidity, soil condition, rain volume, and pest presence.
• Gateway: The gateway exchanges data between three other entities, acting as a communication relay.

3.3. Notation

Table 2. Notation.

Notation	Description
$U_{r_i}$	i-th user
$Io{T}_{S{L}_j}$	j-th sensor
$CS$	Central server
$S_k$	Master key of $CS$
$P{W}_i$	Password of $U_{r_i}$
$I{D}_i$	Real identity of $U_{r_i}$
$UI{D}_i$	Pseudo-identity of $U_{r_i}$
$SI{D}_j$	Real identity of $Io{T}_{S{L}_j}$
$C{H}_j,R{E}_j$	Challenge/response of $Io{T}_{S{L}_j}$
$SK$	Session key between $U_{r_i}$, $Io{T}_{S{L}_j}$, and $CS$
$n_{i1},n_{i2},n_{i3}$	Random numbers
$T_k$	Timestamp
$h(.)$	Hash function
$PUF(.)$	Physical unclonable function
$\left|\right|$	Concatenation function
⊕	Exclusive-or operation

presents the notation for the scheme by Rahaman et al. and the proposed scheme.

3.4. Adversary Model

This work introduces the “Dolev-Yao (DY) model [44]” and “Canetti-Krawczyk (CK) model [45]”. We evaluated the security of schemes based on these adversary models. The detailed assumptions are described below:

• Adversary $\mathcal{A}$ can eavesdrop, intercept, delete, forge, and resend messages exchanged via a public channel [46].
• Adversary $\mathcal{A}$ can obtain a stolen mobile user device and retrieve the secret values stored on it through a power analysis attack.
• Adversary $\mathcal{A}$ can register as a legitimate user on the $CS$ and participate in mutual authentication.
• Adversary $\mathcal{A}$ can obtain session-specific ephemeral secrets and long-term private keys of the $CS$ after the session termination.
• Adversary $\mathcal{A}$ can try to perform privileged insider, DoS, and impersonation attacks, among others.

3.5. Review of Rahaman et al.’s Scheme

This section describes the scheme by Rahaman et al. They proposed an authentication protocol for AI and IoT smart farm monitoring systems. Their scheme consists of two phases: (1) registration and (2) login and authentication.

3.5.1. Registration Phase

The user and sensor submit their identities and share secret information with the $CS$ to be utilized in the authentication phase.

Step 1: 

First, $Io{T}_{S{L}_j}$ transmits its identity $SI{D}_j$ to the $CS$ via a secure channel.

Step 2: 

The $CS$ computes a shared secret value $S{I}_j=h(SI{D}_j\left|\right|S_k)$ with its master key. Then, the $CS$ securely transmits $S{I}_j$ to $Io{T}_{S{L}_j}$.

Step 3: 

$U_{r_i}$ chooses its real identity $I{D}_i$, password $P{W}_i$, and temporary identity $UI{D}_i$. Next, $U_{r_i}$ calculates the encrypted password $Encp{w}_i=h(I{D}_i\left|\right|h\left(P{W}_i\right))$. Then, $U_{r_i}$ transmits $\{I{D}_i,Encp{w}_i,UI{D}_i\}$ to the $CS$.

Step 4: 

The $CS$ computes the user’s secret value $U{I}_i=h(Encp{w}_i\left|\right|S_k)$ and $h\left(S_k\right)$ after receiving the message. The $CS$ transmits $\{U{I}_i,h\left(S_k\right)\}$ to $U_{r_i}$ via a secure channel and stores $U{I}_i$ and $UI{D}_i$ in a database.

Step 5: 

$U_{r_i}$ stores $\{Encp{w}_i,UI{D}_i,U{I}_i,h\left(S_k\right)\}$ in a mobile device.

3.5.2. Login and Authentication Phase

All entities establish a common session key in the login and authentication phase. Messages in this phase are sent via a public channel. Figure 2 details the login and authentication phase steps.

Step 1: 

$U_{r_i}$ enters identity $I{D}_i$ and password $P{W}_i$ in the mobile device, which computes $Encp{w}_i^{*}=h(I{D}_i\left|\right|h\left(P{W}_i\right))$ and verifies $Encp{w}_i^{*}\stackrel{?}{=}Encp{w}_i$. If it matches, the mobile device generates a random number $n_{i1}$ and a timestamp $T_s$, and computes $C_i=U{I}_i\oplus h\left(S_k\right)\oplus n_{i1}$ and $Ver{U}_{r_i}=h(h\left(S_k\right)\left|\right|n_{i1})$. Then, the mobile device sends $\{C_i,Ver{U}_{r_i},T_s,UI{D}_i\}$ to $Io{T}_{S{L}_j}$ via a public channel.

Step 2: 

When the authentication request is obtained from $U_{r_i}$, $Io{T}_{S{L}_j}$ selects a random number $n_{i2}$ and computes $D_i=S{I}_j\oplus n_{i2}$ and $Verf{s}_j=h(S{I}_j\left|\right|n_{i2})$. Next, $Io{T}_{S{L}_j}$ transmits a message $\{C_i,Ver{U}_{r_i},T_s,UI{D}_i,SI{D}_j,D_i,Verf{s}_j\}$ to the $CS$.

Step 3: 

The $CS$ receives a message from $Io{T}_{S{L}_j}$ and first validates timestamp $T_s$. If valid, the $CS$ retrieves $U{I}_i$ against $UI{D}_i$. The $CS$ computes $S{I}_j^{*}=h(SI{D}_j\left|\right|S_k)$, $n_{i2}^{*}=S{I}_j^{*}\oplus D_j$, and $Verf{s}_j^{*}=h(S{I}_j^{*}\left|\right|n_{i2}^{*})$ and checks $Verf{s}_j^{*}\stackrel{?}{=}Verf{s}_j$. The $CS$ computes $n_{i1}^{*}=U{I}_i\oplus h\left(S_k\right)\oplus C_i$ and $Ver{U}_{r_i}^{*}=h(h\left(S_k\right)\left|\right|n_{i1}^{*})$ and checks $Ver{U}_{r_i}^{*}\stackrel{?}{=}Ver{U}_{r_i}$. If matched, the $CS$ generates random number $n_{i3}$ and timestamp $T_s$. Afterward, the $CS$ computes $SK=h(C_i\left|\right|h\left(S_k\right))\oplus h(n_{i1}\oplus n_{i2}\oplus n_{i3})$, $E_i=n_{i1}\oplus n_{i2}\oplus h(SI{D}_j\left|\right|n_{i2})$, $F_i=h(C_i\left|\right|h\left(S_k\right))\oplus h(SI{D}_j\left|\right|n_{i2})$, and $L_i=n_{i2}\oplus n_{i3}\oplus h(C_i\left|\right|H\left(S_k\right))$, and then transmits $\{E_i,F_i,L_i,T_s\}$ to $Io{T}_{S{L}_j}$.

Step 4: 

$Io{T}_{S{L}_j}$ verifies $T_s$ and calculates $(n_{i1}\oplus n_{i3})=E_i\oplus h(SI{D}_j\oplus n_{i2})$, $h(C_i\left|\right|h\left(S_k\right))=F_i\oplus h(SI{D}_j\oplus n_{i2})$, and $SK=h(C_i\left|\right|h\left(S_k\right))\oplus h(n_{i1}\oplus n_{i2}\oplus n_{i3})$. Then, $Io{T}_{S{L}_j}$ sends the rest of message $\{L_i,T_s\}$ to $U_{r_i}$.

Step 5: 

$U_{r_i}$ also confirms the validity of $T_s$. If legitimate, the user computes $n_{i2}\oplus n_{i3}=L_i\oplus h(C_i\left|\right|h\left(S_k\right))$ and shares a session key $SK=h(C_i\left|\right|h\left(S_k\right))\oplus h(n_{i1}\oplus n_{i2}\oplus n_{i3})$ with the $CS$ and $Io{T}_{S{L}_j}$.

4. Cryptanalysis of Rahaman et al.’s Scheme

We describe the security weaknesses of Rahaman et al.’s scheme in this section. The scheme cannot prevent security attacks, including stolen mobile device, impersonation, user insider, sensor capture, and ESL attacks. This work demonstrates the weaknesses of the scheme based on the adversary model described in Section 3.4.

4.1. Stolen Mobile Device Attacks

If adversary $\mathcal{A}$ acquires a legal user’s stolen mobile device, $\mathcal{A}$ can retrieve the credentials stored in the mobile device. $\mathcal{A}$ can calculate all session keys using the credentials.

Step 1: 

Adversary $\mathcal{A}$ extracts the stored secret credentials $\{Encp{w}_i,UI{D}_i,U{I}_i,h\left(S_k\right)\}$ in the user’s mobile device, intercepts $C_i$, and $L_i$ is transmitted via a public channel.

Step 2: 

$\mathcal{A}$ calculates $n_{i1}=C_i\oplus U{I}_i\oplus h\left(S_k\right)$, $n_{i2}\oplus n_{i3}=L_i\oplus h(C_i\left|\right|h\left(S_k\right))$, and a session key $SK=h(C_i\left|\right|h\left(S_k\right))\oplus h(n_{i1}\oplus n_{i2}\oplus n_{i3})$.

Step 3: 

Furthermore, $\mathcal{A}$ can calculate the session key for all users with $h\left(S_k\right)$ and messages transmitted through a public channel. $\mathcal{A}$ eavesdrops on $C_i^{\prime },SI{D}_j,E_i^{\prime }$, and $L_i^{\prime }$ from the message of another user and computes $h\left(C_i^{\prime }\right|\left|h\left(S_k\right)\right)$, $n_{i2}^{\prime }\oplus n_{i3}^{\prime }=L_i^{\prime }\oplus h(C_i^{\prime }\left|\right|h\left(S_k\right))$, and $n_{i1}^{\prime }=E_i^{\prime }\oplus n_{i3}^{\prime }\oplus h(SI{D}_j\oplus n_i{2}^{\prime })$. Finally, $\mathcal{A}$ can compute another user’s session key $S{K}^{\prime }=h(C_i^{\prime }\left|\right|h\left(S_k\right))\oplus h(n_{i1}^{\prime }\oplus n_{i2}^{\prime }\oplus n_{i3}^{\prime })$.

4.2. User Impersonation Attacks

If adversary $\mathcal{A}$ acquires secret credentials stored in the user’s stolen mobile device, $\mathcal{A}$ can masquerade as the legitimate user. The detailed description is provided below:

Step 1: 

$\mathcal{A}$ acquires a legitimate user’s mobile device and obtains the stored credentials $\{Encp{w}_i,UI{D}_i,U{I}_i,h\left(S_k\right)\}$.

Step 2: 

$\mathcal{A}$ generates timestamp $T_A$ and random number $n_A$ and calculates $C_A=U{I}_i\oplus h\left(S_k\right)\oplus n_A$ and $Ver{U}_A=h(h\left(S_k\right)\left|\right|n_A)$ using the credentials of the legitimate user.

Step 3: 

$Io{T}_{S{L}_j}$ receives the message from $\mathcal{A}$ and transmits it with its information to the $CS$, which calculates the session key $SK=h(C_A\left|\right|h\left(S_k\right))\oplus h(n_A\oplus n_{i2}\oplus n_{i3})$ with the random number from $\mathcal{A}$.

4.3. User Insider Attacks

It is assumed that adversary $\mathcal{A}$ can register with the $CS$ as a legitimate user. Then, $\mathcal{A}$ can calculate another user’s session key, as detailed below:

Step 1: 

$\mathcal{A}$ obtains the hash value of the $CS$ master key $h\left(S_k\right)$ via registration and eavesdrops on $C_i^{\prime },E_i^{\prime },L_i^{\prime }$, and $SI{D}_j$ transmitted on a public channel.

Step 2: 

$\mathcal{A}$ calculates $h\left(C_i^{\prime }\right|\left|h\left(S_k\right)\right)$, $n_{i2}^{\prime }\oplus n_{i3}^{\prime }=L_i^{\prime }\oplus h(C_i^{\prime }\left|\right|h\left(S_k\right))$, and $n_{i1}^{\prime }=E_i^{\prime }\oplus n_{i3}^{\prime }\oplus h(SI{D}_j\oplus n_i{2}^{\prime })$.

Step 3: 

Finally, $\mathcal{A}$ knows all the information $h(C_i^{\prime }\left|\right|h\left(S_k\right)),n_{i1}^{\prime },n_{i2}^{\prime }$, and $n_{i3}^{\prime }$ needed to establish a session key of another legitimate user and computes $S{K}^{\prime }=h(C_i^{\prime }\left|\right|h\left(S_k\right))\oplus h(n_{i1}^{\prime }\oplus n_{i2}^{\prime }\oplus n_{i3}^{\prime })$.

4.4. Sensor Capture Attacks

Suppose that an IoT sensor is captured by an adversary $\mathcal{A}$ and $\mathcal{A}$ retrieves the credentials stored in it. $\mathcal{A}$ can calculate a session key, as explained below:

Step 1: 

Adversary $\mathcal{A}$ obtains the sensor credentials $\{SI{D}_j,S{I}_j\}$ from a captured sensor and eavesdrops on $D_i,E_i$, and $F_i$ transmitted on a public channel.

Step 2: 

$\mathcal{A}$ calculates $n_{i2}=D_i\oplus S{I}_j$, $n_{i1}\oplus n_{i3}=E_i\oplus h(SI{D}_j\oplus n_{i2})$, and $h(C_i\left|\right|h\left(S_k\right))=F_i\oplus h(SI{D}_j\oplus n_{i2})$. Finally, $\mathcal{A}$ can calculate the session key $SK=h(C_i\left|\right|h\left(S_k\right))\oplus h(n_{i1}\oplus n_{i2}\oplus n_{i3})$.

Adversary $\mathcal{A}$ can also impersonate a sensor with its credentials. Therefore, the scheme by Rahaman et al. does not mitigate sensor capture attacks.

4.5. Ephemeral Secret Leakage Attacks

Assuming that an adversary $\mathcal{A}$ acquires the temporary credentials generated during a session, $\mathcal{A}$ can compute the session key. In Rahaman et al.’s scheme, the session key contains a hash value $h\left(C_i\right|\left|h\left(S_k\right)\right)$ and three random numbers $\{n_{i1}$, $n_{i2}$, and $n_{i3}\}$. If $\mathcal{A}$ knows the three random numbers, $\mathcal{A}$ can compute $h(C_i\left|\right|h\left(S_k\right))=F_i\oplus h(SI{D}_j\oplus n_{i2})$. Furthermore, $\mathcal{A}$ establishes the session key $SK=h(C_i\left|\right|h\left(S_k\right))\oplus h(n_{i1}\oplus n_{i2}\oplus n_{i3})$.

4.6. User Untraceability

The user’s temporary identity is included in the login request message and is transmitted over the public channel. Moreover, the temporary identity is not updated during the authentication phase, $\mathcal{A}$ can track the user’s continuous activity. Thus, the scheme by Rahaman et al. is unable to guarantee user untraceability.

5. Proposed Scheme

We propose a secure and privacy-preserving authentication scheme for smart farming integrated with AI and IoT to resolve the security defects of the scheme by Rahaman et al. We only utilized XOR operations and hash functions to reduce the computational overhead. In addition, PUF technology is introduced to improve the sensor security. The phases of our scheme are initialization, user registration, sensor registration, and login and authentication. Figure 3 illustrates the flow of the authentication phase.

5.1. Initialization Phase

Initially, the $CS$ selects a one-way hash function $h(.)$ and a master key $S_k$. Then, the $CS$ publishes $h(.)$ while keeping $S_k$ secret.

5.2. User Registration Phase

During the registration, the user transmits a real identity to the $CS$. Figure 4 represents the user registration phase of the scheme.

Step 1: 

$U_{r_i}$ chooses identity $I{D}_i$ and password $P{W}_i$ and generates random number $r_i$. The user transmits its identity $I{D}_i$ to the $CS$ for registration.

Step 2: 

The $CS$ generates random number $k_i$ and calculates the user’s temporary identity $UI{D}_i=h(I{D}_i\left|\right|k_i)$ and shared secret value $U{I}_i=h(I{D}_i\left|\right|k_i)$. The $CS$ also computes $U{A}_i=k_i\oplus h(S_k\left|\right|UI{D}_i)$ to hide $U{I}_i$. Then, the $CS$ transmits $UI{D}_i$ and $U{I}_i$ to $U_{r_i}$ securely and stores $U{A}_i$ with $UI{D}_i$.

Step 3: 

After receiving that, $U_{r_i}$ computes a value for hiding random number $R_0=r_i\oplus h(I{D}_i\left|\right|P{W}_i)$, a value for login $R_1=h(I{D}_i\left|\right|P{W}_i\left|\right|r_i)$, and $R_2=U{I}_i\oplus h(P{W}_i\left|\right|r_i)$.

5.3. Sensor Registration Phase

The sensor sends a real identity to the $CS$ for registration. The sensor adopts PUF technology to store secrets. Figure 5 presents the detailed registration steps.

Step 1: 

$Io{T}_{S{L}_j}$ chooses identity $SI{D}_j$ and challenge value $C{H}_j$. The sensor transmits its identity $SI{D}_j$ to the $CS$ over a secure channel.

Step 2: 

The $CS$ generates random number $r_k$ and computes shared secret value $S{I}_j=h(SI{D}_j\left|\right|r_k\left|\right|S_k)$ with the master key. Then, the $CS$ transmits $S{I}_j$ to $Io{T}_{S{L}_j}$ securely and stores $SI{D}_j$ and $r_k$.

Step 3: 

$Io{T}_{S{L}_j}$ computes $R{E}_j=PUF\left(C{H}_j\right)$ and $S{A}_j=S{I}_j\oplus h(SI{D}_j\left|\right|R{E}_j)$. The sensor stores $\{SI{D}_j,S{A}_j,C{H}_j\}$.

5.4. Login and Authentication Phase

The user submits a login request to the $CS$ to initiate authentication and key agreement. After the authentication, the user, sensor, and central server can communicate securely via a shared session key. Figure 6 presents a detailed description of the process.

Step 1: 

$U_{r_i}$ inserts $I{D}_i$ and $P{W}_i$. The user computes $r_i^{*}=R_0\oplus h(I{D}_i\left|\right|P{W}_i)$ and $R_1^{*}=h(I{D}_i\left|\right|P{W}_i\left|\right|r_i^{*})$ and checks $R_1^{*}\stackrel{?}{=}{R}_1$. If it matches, $U_{r_i}$ generates random number $n_{i1}$ and timestamp $T_1$. $U_{r_i}$ calculates $U{I}_i=R_2\oplus h(P{W}_i\left|\right|r_i)$, $A_i=(SI{D}_j\left|\right|n_{i1})\oplus h(U{I}_i\left|\right|T_1)$, and $V_1=h(SI{D}_j\left|\right|n_{i1}\left|\right|U{I}_i\left|\right|T_1)$, and then sends a login request message $\{UI{D}_i,A_i,V_1,T_1\}$ to the $CS$ over a public channel.

Step 2: 

The $CS$ first verifies whether timestamp $T_1$ is valid. If valid, the $CS$ computes $k_i=U{A}_i\oplus h(S_k\left|\right|UI{D}_i)$, $U{I}_i=h(UI{D}_i\left|\right|k_i\left|\right|S_k)$, $(SI{D}_j\left|\right|n_{i1}{)}^{*}=A_i\oplus h(U{I}_i\left|\right|T_1)$, and $V_1^{*}=h(SI{D}_j^{*}\left|\right|n){i1}^{*}\left|\right|U{I}_i\left|\right|T_1)$. If $V_1^{*}$ matches the received $V_1$, the $CS$ retrieves $\{SI{D}_j,r_k\}$ and generates timestamp $T_2$ and random number $n_{i2}$. The $CS$ computes $S{I}_j=h(SI{D}_j\left|\right|r_k\left|\right|S_k)$, $B_i=(n_{i1}\left|\right|n_{i2})\oplus h(S{I}_j\left|\right|T_2)$, and $V_2=h(n_{i1}\left|\right|n_{i2}\left|\right|UI{D}_i\left|\right|S{I}_j\left|\right|T_2)$, and then transmits $\{UI{D}_i,B_i,V_2,T_2\}$ to the sensor.

Step 3: 

$Io{T}_{S{L}_j}$ validates timestamp $T_2$ and computes $R{E}_j=PUF\left(C{H}_j\right)$, $S{I}_j=S{A}_j\oplus h(SI{D}_j\left|\right|R{E}_j)$, $(n_{i1}\left|\right|n_{i2}{)}^{*}=B_i\oplus h(S{I}_j\left|\right|T_2)$, and $V_2^{*}=h(n_{i1}^{*}\left|\right|n_{i2}^{*}\left|\right|UI{D}_i\left|\right|S{I}_j\left|\right|T_2)$. $Io{T}_{S{L}_j}$ checks whether $V_2^{*}$ and $V_2$ match. If they match, $Io{T}_{S{L}_j}$ generates timestamp $T_3$ and random number $n_{i3}$ and computes a shared session key $SK=h(UI{D}_i\left|\right|S{I}_j\left)\right)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$, $C_i=n_{i3}\oplus h(S{I}_j\left|\right|T_3)$, and $V_3=h\left(SK\right||n_{i3}\left|\right|T_3)$. Finally, $Io{T}_{S{L}_j}$ sends $\{C_i,V_3,T_3\}$ to the $CS$.

Step 4: 

The $CS$ verifies the legitimacy of $T_3$. Then, the $CS$ computes $n_{i3}^{*}=C_i\oplus h(S{I}_j\left|\right|T_3)$, $S{K}^{*}=h(UI{D}_i\left|\right|S{I}_j)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$, and $V_3^{*}=h(S{K}^{*}\left|\right|n_{i3}^{*}\left|\right|T_3)$. The $CS$ compares $V_3^{*}$ and $V_3$, and if equal, the $CS$ computes the user’s new temporary identity $UI{D}_i^{new}=h(UI{D}_i\left|\right|n_{i2})$, $U{I}_i^{new}=h(UI{D}_i^{new}\left|\right|n_{i2}\left|\right|S_k)$, and $U{A}_i^{new}=n_{i2}\oplus h(S_k\left|\right|UI{D}_i^{new})$. Afterward, the $CS$ generates $T_4$ and computes $D_i=(n_{i2}\left|\right|n_{i3})\oplus h(U{I}_i\left|\right|UI{D}_i\left|\right|T_4)$, $E_i=U{I}_i^{new}\oplus h(U{I}_i\left|\right|T_4)$, $F_i=h(UI{D}_i\left|\right|S{I}_j)\oplus h(U{I}_i^{new}\left|\right|T_4)$, and $V_4=h(n_{i2}\left|\right|n_{i3}\left|\right|SK\left|\right|U{I}_i^{new}\left|\right|T_4)$. Last, the $CS$ updates $\{UI{D}_i,U{A}_i\}$ to $UI{D}_i^{new}$ and $U{A}_i^{new}$, and sends $\{D_i,E_i,F_i,V_4,T_4\}$ to $U_{r_i}$ over a public channel.

Step 5: 

$U_{r_i}$ validates timestamp $T_4$. If valid, $U_{r_i}$ computes $(n_{i2}\left|\right|n_{i3}{)}^{*}=D_i\oplus h(U{I}_i\left|\right|UI{D}_i\left|\right|T_4)$, $U{I}_i^{new*}=E_i\oplus h(U{I}_i\left|\right|T_4)$, $h(UI{D}_i\left|\right|S{I}_j{)}^{*}=F_i\oplus h(U{I}_i^{new*}\left|\right|T_4)$, $S{K}^{*}=h(UI{D}_i\left|\right|S{I}_j{)}^{*}\oplus h(n_{i1}\left|\right|n_{i2}^{*}\left|\right|n_{i3}^{*})$, and $V_4^{*}=h(n_{i2}^{*}\left|\right|n_{i3}^{*}\left|\right|S{K}^{*}\left|\right|U{I}_i^{new*}\left|\right|T_4)$. $U_{r_i}$ checks whether $V_4^{*}$ and $V_4$ are the same. If they are the same, $U_{r_i}$ computes a new temporary identity $UI{D}_i^{new}=h(UI{D}_i\left|\right|n_{i2})$ and updates $R_2^{new}=U{I}_i^{new}\oplus h(P{W}_i\left|\right|r_i)$ and $R_3^{new}=UI{D}_i^{new}\oplus h(I{D}_i\left|\right|r_i)$.

6. Security Analysis

Here, we evaluate the security of our scheme via formal and informal analyses. The informal analysis considered attack scenarios to demonstrate the robustness of the scheme. The formal analysis verified mutual authentication using “BAN logic”, provided a security proof for the session key based on the “RoR model”, and validated the resistance to attacks via the “AVISPA simulation tool”.

6.1. Informal Security Analysis

The proposed scheme prevents assorted security attacks, including sensor capture, replay, ESL, and DoS attacks. Furthermore, the proposed scheme guarantees mutual authentication, user anonymity, and untraceability.

6.1.1. Resistance to Stolen Mobile Device Attacks

We assume that adversary $\mathcal{A}$ acquires a legal user’s stolen mobile device. Under the adversary model in Section 3.4, $\mathcal{A}$ can retrieve secret credentials through power analysis attacks, and $\mathcal{A}$ seeks to determine the session key $SK=h(UI{D}_i\left|\right|S{I}_j)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$. However, $\mathcal{A}$ cannot calculate $SK$ because $\mathcal{A}$ does not know $U{I}_i$ without the user’s real identity $I{D}_i$ and password $P{W}_i$. Thus, our scheme offers resilience to stolen mobile device attacks.

6.1.2. Resistance to Impersonation Attacks

Similar to Section 6.1.1, an adversary $\mathcal{A}$ possesses the values stored in the user’s mobile device. To impersonate the user and generate a login request message, $\mathcal{A}$ requires the user’s $U{I}_i$. However, $\mathcal{A}$ cannot obtain $U{I}_i$ without knowing the user’s real identity $I{D}_i$, password $P{W}_i$, and random number $r_i$. Thus, our scheme defends against user impersonation attacks. Furthermore, if $\mathcal{A}$ captures the sensor $Io{T}_{S{L}_j}$, $\mathcal{A}$ can obtain $\{SI{D}_j,S{A}_j,C{H}_j\}$. However, $\mathcal{A}$ cannot compute $S{I}_j$ because the PUF of the sensor cannot be duplicated. Therefore, our scheme prevents sensor impersonation attacks.

6.1.3. Resistance to Off-Line Guessing Attacks

Through offline guessing attacks, adversary $\mathcal{A}$ tries to reveal the user’s identity and password. $\mathcal{A}$ can obtain the hash value $R_1=h(I{D}_i\left|\right|P{W}_i\left|\right|r_i)$ by extracting data from the stolen or lost mobile device. However, because $\mathcal{A}$ lacks knowledge of the random number $r_i$, it is computationally infeasible to recover $I{D}_i$ and $P{W}_i$ via off-line guessing attacks.

6.1.4. Resistance to Insider Attacks

Assuming that the $CS$ registers adversary $\mathcal{A}$ as a legal user, $\mathcal{A}$ can establish authentication with $Io{T}_{S{L}_j}$ and the $CS$. In this scenario, $\mathcal{A}$ seeks to compute the session key of another legitimate user. However, $\mathcal{A}$ cannot obtain the credentials $U{I}_i$ or the random numbers of other users from the messages transmitted over the public channel. Hence, our scheme provides resistance to insider attacks.

6.1.5. Resistance to Sensor Capture Attacks

Suppose that adversary $\mathcal{A}$ captures an IoT sensor and extracts secret values from it. To impersonate the sensor or compute the session key, $\mathcal{A}$ requires $S{I}_j$, which is masked with the PUF response value $R{E}_j$. However, based on the properties of PUF presented in Section 3.1, replicating or predicting the PUF response is infeasible for $\mathcal{A}$. Thus, our scheme is resilient to sensor capture attacks.

6.1.6. Resistance to Replay and MITM Attacks

Adversary $\mathcal{A}$ captures a message transmitted over the public channel and tries to replay or forge it. In the proposed scheme, a freshly generated timestamp and random numbers are included in every message for each section. Upon receiving a message, each entity verifies the validity of these values. Thus, $\mathcal{A}$ cannot generate a valid message even if the original message is intercepted. Furthermore, any replayed message is rejected due to the timestamp verification mechanism. Therefore, our scheme provides resilience against replay and MITM attacks.

6.1.7. Resistance to Ephemeral Secret Leakage Attacks

If adversary $\mathcal{A}$ acquires the session-specific random numbers $n_{i1},n_{i2}$, and $n_{i3}$ generated by $U_{r_i}$, $Io{T}_{S{L}_j}$, and the $CS$ during the authentication phase, $\mathcal{A}$ seeks to obtain the session key $SK=h(UI{D}_i\left|\right|S{I}_j)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$. The session key is derived from $UI{D}_i$, $S{I}_j$, and the random numbers. However, $\mathcal{A}$ cannot derive $S{I}_j$ from the publicly transmitted messages because $S{I}_j$ is masked using the server’s master key $S_k$. Thus, our scheme can withstand ESL attacks.

6.1.8. Resistance to Stolen Verifier Attacks

The $CS$ stores $\{UI{D}_i,U{A}_i\}$ for the user and $\{SI{D}_j,r_k\}$ for the sensor in its database. We assume that the data is stolen by adversary $\mathcal{A}$. Then, $\mathcal{A}$ can attempt to calculate a session key $SK=h(UI{D}_i\left|\right|S{I}_j)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$. However, $\mathcal{A}$ cannot obtain the secret value $S{I}_j$ and random numbers $n_{i1}$, $n_{i2}$, and $n_{i3}$ without master key $S_k$ from the $CS$. Thus, our scheme can prevent stolen verifier attacks.

6.1.9. Resistance to Privileged Insider Attacks

Adversary $\mathcal{A}$ captures the user’s registration request message $I{D}_i$ as a privileged insider and attempts to derive the user’s secret $U{I}_i$ using the intercepted $I{D}_i$. However, in the proposed scheme, $U{I}_i$ is masked using a random number $r_k$ and the master key $S_k$ of the $CS$. Hence, $\mathcal{A}$ cannot recover $U{I}_i$ or compute the session key $SK=h(UI{D}_i\left|\right|S{I}_j)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$, even with knowledge of $I{D}_i$. Therefore, our scheme is resilient to privileged insider attacks.

6.1.10. Resistance to Denial-of-Service Attacks

A DoS attack occurs when an adversary $\mathcal{A}$ tries to overload a system with excessive traffic, preventing legitimate users from accessing services. In our scheme, $\mathcal{A}$ must first log in to a mobile device masquerading as a legitimate user and generate an authentication request. However, because $\mathcal{A}$ does not possess the user’s identity and password, $\mathcal{A}$ cannot forge a valid authentication request. Thus, our scheme is robust to DoS attacks.

6.1.11. Support User Anonymity and Untraceability

The user’s real identity $I{D}_i$ is never transmitted on a public channel. Instead, users reveal themselves with a temporary identity $UI{D}_i$ generated by the $CS$ during the user registration phase. In addition, the temporary identity is updated in every session. Therefore, our scheme guarantees user anonymity and untraceability.

6.1.12. Support Perfect Forward Secrecy

Following the CK model specified in Section 3.4, an adversary $\mathcal{A}$ can obtain the $CS$’s master key $S_k$. Using $S_k$, $\mathcal{A}$ seeks to compute the session key $SK=h(UI{D}_i\left|\right|S{I}_j)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$. However, the values $UI=h\left(UI{D}_i\right|\left|k_i\right|\left|S_k\right)$ and $S{I}_j=h(SI{D}_j\left|\right|r_k)$ are masked using $k_i$ and $r_k$. Thus, $\mathcal{A}$ cannot compute the session key with $S_k$. Thus, our scheme offers perfect forward secrecy.

6.1.13. Support Mutual Authentication

In the authentication phase, $U_{r_i}$, $Io{T}_{S{L}_j}$, and the $CS$ verify the legitimacy of the received messages. The $CS$ verifies the validity of $V_1$ and $V_3$, and $Io{T}_{S{L}_j}$ verifies $V_2$. In addition, $U_{r_i}$ verifies $V_4$. The entities mutually authenticate and establish a shared session key via this mutual verification process. Hence, our scheme ensures mutual authentication.

6.2. Formal Proof Under BAN Logic

“BAN logic” is a formal tool utilized to guarantee mutual authentication in protocols. In this part, we use it to prove that the proposed scheme sets up a common session key between $U_{r_i}$, $Io{T}_{S{L}_j}$, and the $CS$.

Table 3. Notation of BAN logic.

Notation	Descriptions
$P_1,P_2$	Principals
$M_1,M_2$	Statements
$SK$	Session key
$P_1\mid \sim M_1$	$P_1$ once said $M_1$
$P_1\mid \equiv M_1$	$P_1$ believes $M_1$
$P_1⊲M_1$	$P_1$ receives $M_1$
$P_1\Rightarrow M_1$	$P_1$ controls $M_1$
${\left\{M_1\right\}}_K$	$M_1$ is encrypted with K
$P_1\stackrel{K}{⟷}{P}_2$	$P_1$ and $P_2$ share a key K
$\#M_1$	$M_1$ is fresh

presents the notation used in this section.

6.2.1. Rules

The rules of BAN logic are listed below:

• Message meaning rule (MMR):

  $${\displaystyle \frac{P_1\mid \equiv P_1\stackrel{K}{⟷}{P}_2,P_1⊲{\left\{M_1\right\}}_K}{P_1\mid \equiv P_2\mid \sim M_1}}$$
• Nonce verification rule (NVR):

  $${\displaystyle \frac{P_1\mid \equiv \#\left(M_1\right),P_1\mid \equiv P_2\mid \sim M_1}{P_1\mid \equiv P_2\mid \equiv M_1}}$$
• Jurisdiction rule (JR):

  $${\displaystyle \frac{P_1\mid \equiv P_2\Rightarrow M_1,P_1\mid \equiv P_2\mid \equiv M_1}{P_1\mid \equiv M_1}}$$
• Belief rule (BR):

  $${\displaystyle \frac{P_1\mid \equiv (M_1,M_2)}{P_1\mid \equiv M_1}}$$
• Freshness rule (FR):

  $${\displaystyle \frac{P_1\mid \equiv \#\left(M_1\right)}{P_1\mid \equiv \#(M_1,M_2)}}$$

6.2.2. Goals

The goal of BAN logic is to verify whether each principal achieves mutual authentication and establishes a session key. The goals of the proposed scheme are presented below:

Goal 1: 

$U_{r_i}\mid \equiv U_{r_i}\stackrel{SK}{⟷}CS$

Goal 2: 

$U_{r_i}\mid \equiv CS\mid \equiv U_{r_i}\stackrel{SK}{⟷}CS$

Goal 3: 

$CS\mid \equiv U_{r_i}\stackrel{SK}{⟷}CS$

Goal 4: 

$CS\mid \equiv U_{r_i}\mid \equiv U_{r_i}\stackrel{SK}{⟷}CS$

Goal 5: 

$Io{T}_{S{L}_j}\mid \equiv Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS$

Goal 6: 

$Io{T}_{S{L}_j}\mid \equiv CS\mid \equiv Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS$

Goal 7: 

$CS\mid \equiv Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS$

Goal 8: 

$CS\mid \equiv Io{T}_{S{L}_j}\mid \equiv Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS$

6.2.3. Idealized Forms

The values exchanged via public channels throughout the login and authentication phase are represented in idealized forms. The idealized forms of the proposed scheme are presented below:

$M_1$:

$U_{r_i}\to CS:{\{SI{D}_j,n_{i1}\}}_{U{I}_i}$

$M_2$:

$CS\to Io{T}_{S{L}_j}:{\{n_{i1},n_{i2}\}}_{S{I}_j}$

$M_3$:

$Io{T}_{S{L}_j}\to CS:{\left\{n_{i3}\right\}}_{S{I}_j}$

$M_4$:

$CS\to U_{r_i}:\{n_{i2},n_{i3},UI{D}_i^{new},h(UI{D}_i\left|\right|S{I}_j{\left)\right\}}_{U{I}_i}$

6.2.4. Assumptions

In the authentication phase, each principal trusts the freshness of the random numbers. In addition, $U_{r_i}$ and $Io{T}_{S{L}_j}$ share secret keys with the $CS$ during the registration phase. Each principal also believes that the other is responsible for the shared session key. The following assumptions are made:

$A_1$:

$CS\mid \equiv \#\left(n_{i1}\right)$

$A_2$:

$Io{T}_{S{L}_j}\mid \equiv \#\left(n_{i2}\right)$

$A_3$:

$CS\mid \equiv \#\left(n_{i3}\right)$

$A_4$:

$U_{r_i}\mid \equiv \#\left(n_{i2}\right)$

$A_5$:

$U_{r_i}\mid \equiv U_{r_i}\stackrel{U{I}_i}{⟷}CS$

$A_6$:

$CS\mid \equiv U_{r_i}\stackrel{U{I}_i}{⟷}CS$

$A_7$:

$Io{T}_{S{L}_j}\mid \equiv Io{T}_{S{L}_j}\stackrel{S{I}_j}{⟷}CS$

$A_8$:

$CS\mid \equiv Io{T}_{S{L}_j}\stackrel{S{I}_j}{⟷}CS$

$A_9$:

$U_{r_i}\mid \equiv CS\Rightarrow (U_{r_i}\stackrel{SK}{⟷}CS)$

$A_{10}$:

$CS\mid \equiv U_{r_i}\Rightarrow (U_{r_i}\stackrel{SK}{⟷}CS)$

$A_{11}$:

$Io{T}_{S{L}_j}\mid \equiv CS\Rightarrow (Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS)$

$A_{12}$:

$CS\mid \equiv Io{T}_{S{L}_j}\Rightarrow (Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS)$

6.2.5. BAN Logic Proof

The BAN logic proof of our scheme is conducted below:

Step 1: 

$S_1$ can be derived from $M_1$:

$$S_1:CS⊲{\{SI{D}_j,n_{i1}\}}_{U{I}_i}$$

Step 2: 

By employing the MMR with $S_1$ and $A_6$, $S_2$ can be derived:

$$S_2:CS\mid \equiv U_{r_i}\mid \sim (SI{D}_j,n_{i1})$$

Step 3: 

By employing the FR with $S_2$ and $A_1$, $S_3$ can be derived:

$$S_3:CS\mid \equiv \#(SI{D}_j,n_{i1})$$

Step 4: 

By employing the NVR with $S_2$ and $S_3$, $S_4$ can be derived:

$$S_4:CS\mid \equiv U_{r_i}\mid \equiv (SI{D}_j,n_{i1})$$

Step 5: 

$S_5$ can be obtained from $M_2$:

$$S_5:Io{T}_{S{L}_j}⊲{\{n_{i1},n_{i2}\}}_{S{I}_j}$$

Step 6: 

$S_6$ can be derived by applying the MMR to $S_5$ and $A_7$:

$$S_6:Io{T}_{S{L}_j}\mid \equiv CS\mid \sim (n_{i1},n_{i2})$$

Step 7: 

By employing the FR with $S_6$ and $A_2$, $S_7$ can be derived:

$$S_7:Io{T}_{S{L}_j}\mid \equiv \#(n_{i1},n_{i2})$$

Step 8: 

By employing the NVR with $S_6$ and $S_7$, $S_8$ can be derived:

$$S_8:Io{T}_{S{L}_j}\mid \equiv CS\mid \equiv (n_{i1},n_{i2})$$

Step 9: 

$S_9$ can be obtained from $M_3$:

$$S_9:CS⊲{\left\{n_{i3}\right\}}_{S{I}_j}$$

Step 10: 

By employing the MMR with $S_9$ and $A_8$, $S_{10}$ can be derived:

$$S_{10}:CS\mid \equiv Io{T}_{S{L}_j}\mid \sim \left(n_{i3}\right)$$

Step 11: 

By employing the FR with $S_{10}$ and $A_3$, $S_{11}$ can be derived:

$$S_{11}:CS\mid \equiv \#\left(n_{i3}\right)$$

Step 12: 

By employing the NVR with $S_{10}$ and $S_{11}$, $S_{12}$ can be derived:

$$S_{12}:CS\mid \equiv Io{T}_{S{L}_j}\mid \equiv \left(n_{i3}\right)$$

Step 13: 

$S_{13}$ and $S_{14}$ can be derived from $S_8$ and $S_{12}$. $Io{T}_{S{L}_j}$ and $CS$ can calculate a session key $SK=h(UI{D}_i\left|\right|S{I}_j)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$:

$$\begin{array}{c}\hfill S_{13}:CS\mid \equiv Io{T}_{S{L}_j}\mid \equiv (Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS)(\mathrm{Goal}8)\\ \hfill S_{14}:Io{T}_{S{L}_j}\mid \equiv CS\mid \equiv (Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS)(\mathrm{Goal}6)\end{array}$$

Step 14: 

$S_{15}$ and $S_{16}$ can be derived by employing the JR with $S_{13}$ and $A_{12}$, and $S_{14}$ and $A_{11}$, respectively:

$$\begin{array}{c}\hfill S_{15}:CS\mid \equiv (Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS)(\mathrm{Goal}7)\\ \hfill S_{16}:Io{T}_{S{L}_j}\mid \equiv (Io{T}_{S{L}_j}\stackrel{SK}{⟷}CS)(\mathrm{Goal}5)\end{array}$$

Step 15: 

$S_{17}$ can be derived from $M_4$:

$$S_{17}:U_{r_i}⊲\{n_{i2},n_{i3},UI{D}_i^{new},h(UI{D}_i\left|\right|S{I}_j{\left)\right\}}_{U{I}_i}$$

Step 16: 

By employing the MMR with $S_{17}$ and $A_5$, $S_{18}$ can be derived:

$$S_{18}:U_{r_i}\mid \equiv CS\mid \sim (n_{i2},n_{i3},UI{D}_i^{new},h(UI{D}_i\left|\right|S{I}_j\left)\right)$$

Step 17: 

By employing the FR with $S_{18}$ and $A_4$, $S_{19}$ can be derived:

$$S_{19}:U_{r_i}\mid \equiv \#(n_{i2},n_{i3},UI{D}_i^{new},h(UI{D}_i\left|\right|S{I}_j\left)\right)$$

Step 18: 

By employing the NVR with $S_{18}$ and $S_{19}$, $S_{20}$ can be derived:

$$S_{20}:U_{r_i}\mid \equiv CS\mid \equiv (n_{i2},n_{i3},UI{D}_i^{new},h(UI{D}_i\left|\right|S{I}_j\left)\right)$$

Step 19: 

$S_{21}$ and $S_{22}$ can be derived from $S_4$ and $S_{18}$. $U_{r_i}$ and $CS$ can calculate the session key $SK=h(UI{D}_i\left|\right|S{I}_j)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$:

$$\begin{array}{c}\hfill S_{21}:U_{r_i}\mid \equiv CS\mid \equiv (U_{r_i}\stackrel{SK}{⟷}CS)(\mathrm{Goal}2)\\ \hfill S_{22}:CS\mid \equiv U_{r_i}\mid \equiv (U_{r_i}\stackrel{SK}{⟷}CS)(\mathrm{Goal}4)\end{array}$$

Step 20: 

$S_{23}$ and $S_{24}$ can be derived by employing the JR with $S_{21}$ and $A_9$, and $S_{22}$ and $A_{10}$, respectively:

$$\begin{array}{c}\hfill S_{23}:U_{r_i}\mid \equiv (U_{r_i}\stackrel{SK}{⟷}CS)(\mathrm{Goal}1)\\ \hfill S_{24}:CS\mid \equiv (U_{r_i}\stackrel{SK}{⟷}CS)(\mathrm{Goal}3)\end{array}$$

6.3. Formal Proof Under RoR Model

We performed a formal analysis based on the “Real-or-Random (RoR) model” [17] to validate a security of the session key. The queries specified in the RoR model are $Execute$, $CorruptMD$, $Send$, and $Test$ [47]. An adversary $\mathcal{A}$ can utilize these queries to attempt various attacks. Detailed descriptions of each query are provided below, where ${\mathcal{P}}_U^{t_1}$, ${\mathcal{P}}_{CS}^{t_2}$, and ${\mathcal{P}}_S^{t_3}$ denote the users, central server, and sensors in the proposed scheme, respectively.

• $Execute({\mathcal{P}}_U^{t_1},{\mathcal{P}}_{CS}^{t_2},{\mathcal{P}}_S^{t_3})$: This query corresponds to a passive attack where $\mathcal{A}$ eavesdrops on messages sent via a public channel between ${\mathcal{P}}_U^{t_1}$, ${\mathcal{P}}_{CS}^{t_2}$, and ${\mathcal{P}}_S^{t_3}$.
• $CorruptMD\left({\mathcal{P}}_U^{t_1}\right)$: This query presents stolen mobile device attacks. $\mathcal{A}$ can retrieve the confidential values stored in a user’s mobile device.
• $Send({\mathcal{P}}^t,M)$: This query corresponds to an active attack in which adversary $\mathcal{A}$ transmits a message M to ${\mathcal{P}}^t$ and accepts the corresponding response.
• $Test\left({\mathcal{P}}^t\right)$: This query determines whether a session key is real or random. Before the game begins, $flaw\mathcal{A}$ flips a fair coin. If $c=1$, the returned key is the valid session key, and if $c=0$, it is a random string. Otherwise, if the result is $null$, $\mathcal{A}$ cannot distinguish the session key.

Theorem 1.

Consider the case where $\mathcal{A}$ attempts to compute a session key established in the proposed scheme within polynomial time. Moreover, $Ad{v}_{\mathcal{A}}$ denotes the probability that $\mathcal{A}$ will obtain the session key. Therefore, the following equation can be derived:

$$Ad{v}_{\mathcal{A}}\le {\displaystyle \frac{q_h^2}{\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{\left|PUF\right|}}+2\{C^{\prime }·q_{send}^{s^{\prime }}\},$$

where $q_h$, $q_p$, and $q_{send}$ denote the number of hash, PUF, and send queries, respectively. The terms $\left|Hash\right|$ and $\left|PUF\right|$ represent the output space of the hash function and PUF. In addition, $C^{\prime }$ denotes Zipf’s parameter [48].

Proof. 

To validate the semantic security of the session key, we conduct a game sequence $G_i$$(i=0,1,2,3)$. Furthermore, $Pr\left[Suc{c}_{GMi}\right]$ represents the probability that $\mathcal{A}$ successfully guesses a bit c in game $G_i$.

• $Gam{e}_0$: In this game, $\mathcal{A}$ performs a real attack on the proposed scheme. $\mathcal{A}$ must randomly select a bit c before starting the game. Therefore, the probability is presented in Equation (1):

  $$Ad{v}_{\mathcal{A}}=[2Pr\left[Suc{c}_{GM0}\right]-1]$$

  (1)
• $Gam{e}_1$: An eavesdropping attack is performed by $\mathcal{A}$ through the $Execute$ query. $\mathcal{A}$ attempts to compute a session key $SK=h(UI{D}_i\left|\right|S{I}_j)\oplus h(n_{i1}\left|\right|n_{i2}\left|\right|n_{i3})$ using messages transmitted over a public channel. Then, $\mathcal{A}$ uses the $Test$ query to determine whether the computed session key is real. In the proposed scheme, $S{I}_j,n_{i1},n_{i2}$, and $n_{i3}$ are required to compute the session key. However, $\mathcal{A}$ cannot calculate the session key; hence, the probability of success in this game is equal to that of $Gam{e}_0$:

  $$Pr\left[Suc{c}_{GM1}\right]=Pr\left[Suc{c}_{GM0}\right]$$

  (2)
• $Gam{e}_2$: In this game, $\mathcal{A}$ tries to forge a message using the $Send$ and $Hash$ queries. To do this, $\mathcal{A}$ must determine a hash collision because messages are generated as hash values of secret parameters and random numbers. However, due to the one-way nature of the hash function, it is difficult for $\mathcal{A}$ to determine the hash collision. Thus, based on the birthday paradox [49], Equation (3) can be derived:

  $$|Pr\left[Suc{c}_{GM2}\right]-Pr\left[Suc{c}_{GM1}\right]|\le {\displaystyle \frac{q_h^2}{2\left|Hash\right|}}$$

  (3)
• $Gam{e}_3$: Similar to $Gam{e}_2$, $\mathcal{A}$ uses $PUF$ and $Send$ queries. However, due to the property of PUF explained in Section 3.1, $\mathcal{A}$ cannot succeed in $Gam{e}_3$. Therefore, the equation is expressed as follows:

  $$|Pr\left[Suc{c}_{GM3}\right]-Pr\left[Suc{c}_{GM2}\right]|\le {\displaystyle \frac{q_p^2}{2\left|PUF\right|}}$$

  (4)
• $Gam{e}_4$: $\mathcal{A}$ uses the $CorruptMD$ query to obtain values $UI{D}_i$, $R_0=r_i\oplus h(I{D}_i\left|\right|P{W}_i)$, $R_1=h(I{D}_i\left|\right|P{W}_i\left|\right|r_i)$, and $R_2=U{I}_i\oplus h(P{W}_i\left|\right|r_i)$ stored in the user’s mobile device. To compute the session key using these values, $\mathcal{A}$ must recover $U{I}_i$ via the user’s real identity $I{D}_i$ and password $P{W}_i$. Therefore, because $\mathcal{A}$ must guess $I{D}_i$ and $P{W}_i$ simultaneously, the equation can be derived according to Zipf’s law [48] as follows:

  $$|Pr\left[Suc{c}_{GM4}\right]-Pr\left[Suc{c}_{GM3}\right]|\le C^{\prime }·q_{send}^{s^{\prime }}$$

  (5)

$\mathcal{A}$ needs to determine a bit c to succeed in the game. However, $\mathcal{A}$ has no advantage in guessing c; thus, the success probability remains unchanged. Therefore, Equation (6) can be derived:

$$Pr\left[Suc{c}_{G{M}_4}\right]={\displaystyle \frac{1}{2}}$$

(6)

We derive Equation (7) from Equations (1) and (2):

$${\displaystyle \frac{1}{2}}Ad{v}_{\mathcal{A}}=|Pr\left[Suc{c}_{GM0}\right]-{\displaystyle \frac{1}{2}}|=|Pr\left[Suc{c}_{GM1}\right]-{\displaystyle \frac{1}{2}}|$$

(7)

We derive Equation (8) from Equations (6) and (7):

$${\displaystyle \frac{1}{2}}Ad{v}_{\mathcal{A}}=|Pr\left[Suc{c}_{GM1}\right]-Pr\left[Suc{c}_{GM4}\right]|$$

(8)

Then, we can derive the equation below by applying the triangle inequality:

$$\begin{array}{cc}\hfill \phantom{{\displaystyle \frac{1}{2}}Ad{v}_{\mathcal{A}}}& \begin{array}{cc}\hfill {\displaystyle \frac{1}{2}}Ad{v}_{\mathcal{A}}& =|Pr\left[Suc{c}_{GM1}\right]-Pr\left[Suc{c}_{GM4}\right]|\hfill \\ \hfill & \le |Pr\left[Suc{c}_{GM1}\right]-Pr\left[Suc{c}_{GM2}\right]|+|Pr\left[Suc{c}_{GM2}\right]-Pr\left[Suc{c}_{GM3}\right]|\hfill \\ \hfill & +|Pr\left[Suc{c}_{GM3}\right]-Pr\left[Suc{c}_{GM4}\right]|\hfill \\ \hfill & \le {\displaystyle \frac{q_h^2}{2\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{2\left|PUF\right|}}+C^{\prime }·q_{send}^{s^{\prime }}\hfill \end{array}\hfill \end{array}$$

(9)

Finally, the following is derived by multiplying that equation by 2:

$$Ad{v}_{\mathcal{A}}\le {\displaystyle \frac{q_h^2}{\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{\left|PUF\right|}}+2\{C^{\prime }·q_{send}^{s^{\prime }}\}$$

(10)

Therefore, Theorem 1 is successfully proved. □

6.4. Formal Proof Under AVISPA Simulation

“AVISPA” is a commonly employed simulation platform for verifying whether authentication protocols provide security against adversarial attacks, such as replay and MITM attacks [50]. In this part, we utilize AVISPA to validate the security of our scheme. The AVISPA simulation uses the “High-Level Protocol Specification Language (HLPSL)” to describe the protocol concerning the user, server, and sensor roles. This “HLPSL” is converted into an “intermediate format (IF)” executing the “HLPSL2IF” compiler. The “IF” is analyzed by one or more of AVISPA’s four back-ends: “On-the-Fly Model-Checker (OFMC)”, “SAT-Based Model Checker(SATMC)”, “Constraint-Logic-based Attack Searcher (CL-AtSe)”, and “Tree Automata-based Protocol Analyzer (TA4SP)”. The results of the analysis are presented in the “Output Format (OF)”. If no attack is found against the modeled threat, the result is indicated as “SAFE”, indicating that the protocol security has been formally verified against attacks.

We employed two back-end models, the “OFMC” and “CL-AtSe”, to simulate the proposed scheme using the AVISPA tool. Due to their support for the algebraic properties of cryptographic functions, including XOR and concatenation, “OFMC” and “CL-AtSe” are suitable for the formal verification of the proposed scheme. In the HLPSL specification, three roles $U_{r_i}$, $Io{T}_{S{L}_j}$, and the $CS$ are defined, along with corresponding session and environment roles based on these entities. Each session verifies the security of secret parameters and the correctness of the mutual authentication. The simulation results are shown in Figure 7, where both back-ends return the status “SAFE”, indicating that no attacks were detected. Therefore, the proposed scheme prevents adversary $\mathcal{A}$ from conducting replay or MITM attacks.

7. Performance Analysis

This section compares the computational costs, communication costs, and security features of the proposed scheme with existing works [15,32,34,35,36,37,39].

7.1. Computational Costs

We compared the computational overheads of the proposed scheme with existing works [15,32,34,35,36,37,39]. For this, we referred to an experimental setup using a Raspberry Pi 3 B+ Rev 1.3 equipped with a 64-bit operating system, 1 GB of RAM, and 1.4 GHz quad-core processor, as described in [36]. The experiment measured the average computational time using MIRACL, a widely used open-source cryptographic library written in C/C++, supporting encryption algorithms including ECC. In addition, $T_h,T_{fe},T_{ecm},T_{eca},T_{sym}$, and $T_{puf}$ are the execution times for the hash function, fuzzy extractor, ECC point multiplication, ECC point addition, symmetric key encryption, and PUF, respectively. The execution time for the PUF was assumed to be about 0.7 times that of the hash function. The average execution time of each function is indicated in

Table 4. Execution time.

${\mathit{T}}_{\mathit{h}}$	${\mathit{T}}_{\mathit{fe}}$	${\mathit{T}}_{\mathit{ecm}}$	${\mathit{T}}_{\mathit{eca}}$	${\mathit{T}}_{\mathit{sym}}$	${\mathit{T}}_{\mathit{puf}}$
0.309 ms	2.288 ms	2.288 ms	0.016 ms	0.018 ms	0.216 ms

. We ignore the execution times for the concatenation function and the XOR operation, which are negligible. The computational overhead comparison results are in

Table 5. Computational costs.

Scheme	User	Server	Sensor	Total Cost (ms)
Moghadam et al. [32]	$5T_h+2T_{sym}+2T_{ecm}$	$5T_h+2T_{sym}+2T_{ecm}$	$3T_h+1T_{ecm}$	15.529
Li et al. [34]	$9T_h+2T_{ecm}+1T_{fe}$	$8T_h$	$4T_h+1T_{ecm}$	15.641
Rangwani et al. [35]	$3T_h+2T_{ecm}$	$7T_h+1T_{ecm}$	$4T_h+1T_{ecm}$	13.478
Vangala et al. [36]	$13T_h+4T_{ecm}+1T_{eca}+1T_{fe}$	$12T_h+6T_{ecm}+2T_{eca}$	$9T_h+4T_{ecm}+1T_{eca}$	44.874
Guo et al. [37]	$12T_h+1T_{fe}$	$10T_h$	$10T_h$	12.176
Nyangaresi et al. [39]	$10T_h$	$18T_h$	$8T_h$	10.815
Rahaman et al. [15]	$4T_h$	$9T_h$	$4T_h$	5.253
Proposed	$13T_h$	$17T_h$	$7T_h+1T_{puf}$	11.649

and Figure 8. In our scheme, the user required $13T_h$, the server required $17T_h$, and the sensor required $7T_h+1T_{puf}$. Therefore, the total computational overhead was $37T_h+1T_{puf}$. Although our scheme required marginally more computational resources than those in [15,39], it achieved significantly enhanced security. Nyangaresi et al.’s scheme [39] fails to defend against sensor privileged insider, impersonation, and sensor capture attacks. Similarly, Rahaman et al.’s scheme [15] is exposed to attacks, including impersonation, stolen mobile device, and insider attacks. Moreover, it does not guarantee user untreaceability and mutual authentication. Hence, our scheme is efficient regarding security and the computational cost.

7.2. Communication Costs

A comparative analysis of the communication overhead was conducted between the proposed scheme and existing works [15,32,34,35,36,37,39]. We assumed a reliable communication environment and measured the ideal communication costs based on the bits of messages transmitted in the authentication phase. Following the assumptions in [35,36], we defined the sizes of the hash value, symmetric key encryption/decryption message, and ECC point as 160, 128, and 320 bits, respectively. The timestamp was 32 bits, and the identity and random nonce were assumed to be 64 bits each. In the proposed scheme, the login request message $\{UI{D}_i,A_i,V_1,T_1\}$ required 160 + 160 + 160 + 32 = 512 bits. Similarly, the messages exchanged during the authentication phase $\{UI{D}_i,B_i,V_2,T_2\}$, $\{C_i,V_3,T_3\}$, and $\{D_i,E_i,F_i,V_4,T_4\}$ required 512 bits, 352 bits, and 672 bits, in order. Thus, a total of 2048 bits was incurred as the communication overhead in our scheme comprising four messages.

Table 6. Communication costs.

Scheme	Number of Messages	Communication Cost (Bits)
Moghadam et al. [32]	4	2144
Li et al. [34]	4	2720
Rangwani et al. [35]	4	2528
Vangala et al. [36]	4	3712
Guo et al. [37]	3	2400
Nyangaresi et al. [39]	4	2752
Rahaman et al. [15]	4	2016
Proposed	4	2048

indicates the comparative results with related schemes. Although Rahaman et al.’s scheme [15] incurs a slightly lower communication overhead than ours, it fails to defend against various security attacks. Therefore, our scheme achieved a well-balanced trade-off between the communication overhead and security.

7.3. Energy Consumption

During the authentication phase, entities consume energy during computation and transmission processes. Since IoT sensors have power limitations, it is essential to minimize the energy consumption for implementing a lightweight authentication scheme. According to [51], the total energy consumption E can be expressed as $E=E_{comp}+E_{comm}$, where $E_{comp}$ denotes the energy consumption required to execute the computation, and $E_{comm}$ represents the energy cost consumed by the communication, including the message transmission and reception. The computation energy cost $E_{comp}$ can be calculated using $E_{comp}=3.5$ V × 0.4 A $\times T_{comp}$, where $T_{comp}$ denotes the average computational time required for each function presented in Table 4. Based on the execution time in Table 4, the energy consumption for each operation was calculated as follows: hash function, fuzzy extractor, ECC point multiplication, ECC point addition, symmetric key encryption, and PUF were given by $E_h=3.5$ V × 0.4 A × 0.309 ms $=0.433$ mJ, $E_{fe}=$ 3.5 V × 0.4 A × 2.288 ms = 3.203 mJ, $E_{ecm}=3.5$ V × 0.4 A × 2.288 ms = 3.203 mJ, $E_{eca}=3.5$ V × 0.4 A × 0.016 ms = 0.022 mJ, $E_{sym}=3.5$ V × 0.4 A × 0.018 ms = 0.025 mJ, and $E_{puf}=3.5$ V × 0.4 A × 0.216 ms = 0.324 mJ, respectively. In addition, the communication energy cost can be calculated as $E_{comm}=n_s{E}_s+n_r{E}_r$, where $n_s$ and $n_r$ denote the number of bytes sent and received, respectively. We assumed that the energy cost of sending and receiving messages was $E_s\approx 5.9$ $\mathsf{\mu }$J and $E_r\approx 4.7$ $\mathsf{\mu }$J [51]. Therefore, the energy consumptions of the IoT sensor in the proposed scheme could be calculated as $E_{comp}=7E_h+1E_{puf}=3.355$ mJ and $E_{comm}=64E_s+44E_r=0.584$ mJ, with a total energy consumption of $3.939$ mJ. Rahaman et al.’s scheme shows a lower energy consumption than the proposed scheme. However, it is vulnerable to various attacks, including impersonation and insider attacks. Thus, the proposed scheme offers improved efficiency in terms of both security and energy consumption.

Table 7. Energy consumption of IoT sensors.

Scheme	Total Consumption (mJ)
Moghadam et al. [32]	5.298
Li et al. [34]	5.783
Rangwani et al. [35]	5.854
Vangala et al. [36]	18.342
Guo et al. [37]	4.614
Nyangaresi et al. [39]	4.383
Rahaman et al. [15]	3.009
Proposed	3.939

presents the results of the energy consumption comparison.

7.4. Security Features

A comparative analysis of the security properties was conducted between our scheme and existing works [15,32,34,35,36,37,39]. We conducted a comparative analysis of the following security features: $S_1$: “Resistance to stolen mobile device attacks”, $S_2$: “Resistance to user impersonation attacks”, $S_3$: “Resistance to sensor capture attacks”, $S_4$: “Resistance to sensor impersonation attacks”, $S_5$: “Resistance to off-line guessing attacks”, $S_6$: “Resistance to insider attacks”, $S_7$: “Resistance to MITM attacks”, $S_8$: “Resistance to replay attacks”, $S_9$: “Resistance to stolen verifier attacks”, $S_{10}$: “Resistance to privileged insider attacks”, $S_{11}$: “Resistance to ESL attacks”, $S_{12}$: “Resistance to DoS attacks”, $S_{13}$: “Support user anonymity and untraceability”, $S_{14}$: “Support mutual authentication”, and $S_{15}$: “Support perfect forward secrecy”. A comparative analysis is summarized in

Table 8. Security features.

Security Feature	[32]	[34]	[35]	[36]	[37]	[39]	[15]	Proposed
$S_1$	∘	∘	∘	∘	∘	∘	×	∘
$S_2$	∘	∘	∘	∘	∘	∘	×	∘
$S_3$	×	×	∘	×	×	×	×	∘
$S_4$	∘	×	×	×	×	×	×	∘
$S_5$	×	∘	∘	∘	∘	∘	×	∘
$S_6$	×	-	∘	-	×	-	×	∘
$S_7$	∘	×	∘	∘	∘	∘	∘	∘
$S_8$	∘	×	∘	∘	∘	∘	∘	∘
$S_9$	∘	-	-	-	×	-	∘	∘
$S_{10}$	×	-	∘	∘	∘	×	∘	∘
$S_{11}$	×	×	∘	∘	∘	-	×	∘
$S_{12}$	∘	∘	-	∘	∘	∘	-	∘
$S_{13}$	∘	×	∘	∘	∘	∘	×	∘
$S_{14}$	×	×	∘	∘	∘	∘	×	∘
$S_{15}$	∘	∘	-	∘	∘	∘	×	∘

×: No guarantee, ∘: Guarantee, –: Not considered

. The related works have limitations in defending against security attacks, including stolen mobile device, sensor capture, and insider attacks. Thus, our scheme offers enhanced security.

8. Conclusions

In this study, we conducted a review of the scheme by Rahaman et al. and showed it fails to prevent security attacks, such as stolen mobile device, user impersonation, insider, sensor capture, and ESL attacks. Moreover, the scheme by Rahaman et al. does not ensure user untraceability. We propose a secure and privacy-preserving authentication scheme for a smart farming environment to overcome the weakness of Rahaman et al.’s scheme. Our scheme employs only the XOR operation, hash function, and PUF, considering the limited resources of IoT sensors commonly used in smart farming environments. The proposed scheme achieves the security demands for smart farming and resists numerous security attacks, including stolen mobile device, insider, sensor capture, and replay attacks. We formally verified the security of our scheme using “BAN logic” to ensure mutual authentication, the “RoR model” to validate the robustness of the session key, and the “AVISPA simulation tool” to demonstrate resilience to replay and MITM attacks. In addition, we demonstrated that our scheme has light computational and communication overheads. In comparison with related schemes regarding the computational cost, communication cost, and security features, our scheme offers more security features with a lower overhead; hence, it is the most efficient in terms of both cost and security. In future work, we aim to apply our scheme to real-world smart farming environments to evaluate its scalability and develop a more practical authentication protocol. By integrating our scheme into actual IoT-based smart farming systems, we aim to enhance the security and privacy of sensor data communications, which are critical for ensuring the reliability and efficiency of automated farming operations. This approach would contribute to building a more resilient and secure smart agriculture infrastructure. In the future, we plan to design a better protocol that considers AI attacks and quantum attacks based on the proposed protocol. The more advanced protocol can adopt lattice-based cryptographic techniques to ensure post-quantum security. In addition, since the proposed protocol performs AI-based data analysis after authentication, there is a potential risk of AI attacks, such as data poisoning. To address this issue, future enhancements of the protocol may incorporate defensive mechanisms, such as anomaly detection, or adversarial training to secure AI-based analysis. Furthermore, to evaluate the practicality and performance of the protocol, experimental validation will be conducted not only using the AVISPA tool but also in a real smart farming testbed environment.