*Electronics* **2019**, *8*(4), 450; https://doi.org/10.3390/electronics8040450

Article

# A Privacy-Preserving Authentication and Key Agreement Scheme with Deniability for IoT

^{1} College of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing 400065, China

^{2} School of Cyber Security and Information Law, Chongqing University of Posts and Telecommunications, Chongqing 400065, China

^{3} College of Mathematical Sciences, De Zhou University, Shandong 253023, China

^{*} Author to whom correspondence should be addressed.

Received: 23 March 2019 / Accepted: 15 April 2019 / Published: 19 April 2019

## Abstract

User authentication is a vital measure for the Internet of Things (IoT), since the IoT consists of numerous unattended connected devices and sensors. For security, only a user authenticated by the gateway node may access the real-time data gathered by sensor nodes. In this article, an efficient privacy-preserving authentication and key agreement scheme for IoT is developed which enables the user, the gateway node and the sensor nodes to authenticate each other. Only the trusted gateway node can determine the real identity of the user; no other entity can obtain information about the user's identity merely by intercepting all messages exchanged during the authentication phase. The gateway cannot prove to a third party that the received messages came from the sender, which preserves the sender's privacy. The correctness of the proposed scheme is demonstrated using BAN logic, and its security is proved under the random oracle model. The execution time of the proposed scheme is evaluated and compared with existing similar schemes, and the results demonstrate that our scheme is more efficient and applicable to IoT applications.

Keywords: IoT; security; authentication; anonymity; deniability

## 1. Introduction

The Internet of Things (IoT) [1] is an enormous ubiquitous network that connects objects through various sensor devices and networks. It plays an important role in people's lives and has been widely used to gather data in many fields, such as transportation [2], education, smart healthcare [3,4,5] and logistics. In general, an IoT network is formed by end-users, sensors and base stations (e.g., gateways), in which sensors collect data from the specific areas around them and end-users access the data on demand through the network.

However, the IoT is vulnerable to many malicious attacks due to the inherent computational constraints of the sensors and the openness of the wireless channel in the IoT environment [1]. How to ensure that only valid end-users can access critical data has become a principal security concern. To address this problem effectively, several authentication mechanisms [6,7,8,9] have been proposed to guarantee the authenticity of entities as well as the confidentiality of the data transferred during communication in the IoT. In an IoT environment, there exist three types of entities, i.e., users, gateways and sensors. Gateways are specific nodes that serve as trusted servers during authentication. Sensors are deployed in various application environments to collect data. A user can access the data in sensors once he or she has been authenticated by the gateway. The basic goal of authentication is to enable gateway nodes, end-users and sensor nodes to authenticate each other. However, designing authentication and key agreement schemes that guarantee secure communication for the Internet of Things while meeting both functionality and security requirements is challenging.

User authentication is vital in the IoT environment since it distinguishes legitimate users from illegal ones. Only legitimate users are granted permission to access the data collected by sensor devices. Over the past few years, many user authentication schemes for IoT environments have been designed. For example, Wong et al. [10] in 2006 put forward a user authentication protocol using symmetric encryption, which relies on hash and XOR operations to lower the computational complexity. Later, Das [11] presented an improved password-based user authentication scheme to enhance the security of Wong et al.'s scheme [10]. Other scholars [12,13,14] revealed that Wong et al.'s scheme fails to provide user anonymity and mutual authentication. Owing to the merits of identity-based cryptography, some researchers presented novel identity-based authentication schemes [15,16]; however, the computational cost of these schemes is high because of the pairing operations they adopt. Since many classic authentication schemes are built on public-key techniques, some researchers adopted symmetric-cryptography-based approaches to improve the performance of authentication. Jung et al. [17] proposed an anonymous user authentication scheme based on symmetric encryption, which uses a dynamic $ID$ to achieve anonymity. Since mutual authentication is important in some IoT applications, Xue et al. [18] constructed a temporal-credential-based user authentication scheme in which the gateway node issues temporary certificates to the user and sensor nodes to achieve mutual authentication. Jiang et al. [19] pointed out that Xue et al.'s scheme fails to resist the privileged-insider attack and then proposed an improved signature-based authentication scheme. Das [20] introduced an enhanced three-factor user authentication scheme based on Jiang et al.'s [19] work that uses the user's biometric information.

Since privacy plays a central role in designing authentication and key agreement schemes, great efforts have been made in privacy-preserving authentication. For example, in 2015, Wang et al. [21] presented a new authentication scheme for wireless body area networks (WBANs) using bilinear pairing to achieve anonymity; however, it is vulnerable to the impersonation attack. Li et al. [22] proposed an anonymous authentication scheme using the hash message authentication code (HMAC). However, it is infeasible for the resource-limited IoT environment since the bilinear pairing would incur enormous costs. Porambage et al. [23] presented an ECC-based authentication protocol without bilinear pairing to achieve high efficiency. Besides interactive protocol-based authentication schemes, some signature-based authentication schemes [24,25] have also been investigated.

Previous work has proposed different methods to ensure security and meet the functionality requirements. However, most of the existing schemes have weaknesses, such as high computation overhead, susceptibility to some attacks, or not preserving user privacy. Furthermore, all these existing schemes fail to provide deniability and traceability at the same time, as the two appear to contradict each other. Deniability is essential for users in the IoT environment to preserve their privacy, whereas traceability is vital to prevent malicious entities from damaging IoT applications. Hence, building on the previous work, we propose an ECC-based privacy-preserving authentication and key agreement scheme for IoT, which aims to provide conditional privacy protection and desirable performance.

This paper presents a privacy-preserving authentication and key agreement scheme with deniability for IoT, which enables users to access IoT sensors securely. More specifically, the scheme meets the appropriate security requirements and supports desirable features. The characteristics of our proposal are as follows:

- **User anonymity**. No entity except the trusted gateway node can obtain any information about the identity of the user during the authentication phase.
- **Deniability**. The gateway node can generate another message that is indistinguishable from the message received from the user, so that when the user requests a service via the gateway node, no third party can tell whether the message was sent by the user or generated by the gateway node. Therefore, the user can deny having requested the service.
- **Unlinkability**. No external entity except the trusted gateway node can determine whether two messages from distinct authentication sessions were sent by the same entity.
- **Traceability**. If any dispute or misbehavior occurs during the authentication phase, the trusted gateway node can reveal the identity of the user from the exchanged messages.
- **High efficiency**. Owing to the use of low-cost hash functions and ECC (elliptic curve cryptography) operations, the proposed scheme is more efficient than existing exponentiation- or bilinear-pairing-based authentication schemes.

The remainder of this article is structured as follows. Section 2 provides related preliminaries. The concrete construction of the proposed scheme is described in Section 3. Section 4 presents a rigorous security analysis about the proposed scheme. Section 5 conducts the performance evaluation. Conclusions of the paper are presented in Section 6.

## 2. Preliminaries

In this section, some basic knowledge is introduced, including the communication model, the security definition under the random oracle model and the elliptic curve discrete logarithm problem.

#### 2.1. Communication Model

The communication model of our proposed scheme is shown in Figure 1. It includes three kinds of entities: the gateway node $GWN$, the user U and the sensor node S. A secure communication channel can be established between U and S. Once the user U intends to request a certain service or access data via $GWN$, the authentication session is initiated. U first sends the authentication request message $M1$ to $GWN$; after checking the validity of the message from U, $GWN$ sends the message $M2$ to S. Upon receiving $M2$ from $GWN$, S replies to $GWN$ with the message $M3$, which confirms the establishment of the session key. $GWN$ then verifies $M3$, generates the message $M4$, which includes $M3$, and sends it to U. Finally, after U has authenticated $GWN$ and S, U has securely established a session key with S.

#### 2.2. Security Definition

The secrecy of the session key is the central security goal of an authentication and key agreement scheme. To prove security formally, we adopt a game-based method following Abdalla et al. [26]. The security model of our proposed scheme is introduced as follows.

**Participants**. There are three types of participants: users, gateway nodes and sensor nodes. Let $\Pi_P^n$ be the n-th instance of participant $P \in \{U, G, S\}$, where $U, G, S$ represent users, gateway nodes and sensor nodes, respectively. Let $\Pi_S^j$ denote the j-th instance of S, $\Pi_U^i$ the i-th instance of U, and $\Pi_G^n$ the n-th instance of G. Each participant instance is modelled as an oracle.

**Partnering**. Let $sid$ denote the session identifier, which is unique for each conversation. The instances $\Pi_U^i$ and $\Pi_S^j$ are called partners if the following conditions are satisfied: (1) $\Pi_U^i$ and $\Pi_S^j$ share the same $sid$; (2) both $\Pi_U^i$ and $\Pi_S^j$ have accepted the conversation; (3) $\Pi_U^i$ and $\Pi_S^j$ are each other's partners.

**Adversary**. It is assumed that there exists a probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ that fully controls all communications by accessing a series of oracle queries during the execution of the protocol. All the adversary's queries are listed below:

- $Execute(\Pi_U^i, \Pi_G^n, \Pi_S^j)$: This query, issued by the adversary $\mathcal{A}$, simulates eavesdropping attacks on honest executions among the user instance $\Pi_U^i$, the trusted gateway instance $\Pi_G^n$ and the sensor instance $\Pi_S^j$. It outputs the transcript of the messages exchanged during an honest execution of the protocol.
- $Send(\Pi_P^n, M)$: This query models active attacks such as the impersonation attack and the replay attack. Once $\Pi_P^n$ has received the message M, it returns the corresponding protocol response to $\mathcal{A}$.
- $Corrupt(\Pi_P^n)$: This query, issued by the adversary $\mathcal{A}$, simulates the corruption of the entity behind $\Pi_P^n$; with it, $\mathcal{A}$ obtains the private key of that participant. Please note that this query does not expose the internal data and ephemeral values of the instance $\Pi_P^n$ or of its partner.
- $Reveal(\Pi_P^n)$: This query simulates the known session key attack. If the instance $\Pi_P^n$ holds a valid session key, the query returns that shared session key to $\mathcal{A}$; otherwise, it returns null.
- $Test(\Pi_P^n)$: This query models the capability of the adversary $\mathcal{A}$ to distinguish the real session key $SK$ from a random value, using an unbiased coin b. If the session key of the instance $\Pi_P^n$ has been defined, the real session key of $\Pi_P^n$ is returned to $\mathcal{A}$ if $b=1$ and a random value is returned if $b=0$; otherwise, ⊥ is returned.
- $H_1(x, v_1)$: When the adversary $\mathcal{A}$ adaptively queries $H_1$ on the message x, the oracle returns the existing $v_1$ if the list $L_1$ (initially empty) contains a tuple $\{x, v_1\}$; otherwise, it picks a random value $v_1'$, stores the tuple $\{x, v_1'\}$ in the list $L_1$ and returns $v_1'$ to $\mathcal{A}$.
- $H_2(y, v_2)$: Upon receiving a query on y from the adversary $\mathcal{A}$, the oracle checks whether a tuple $\{y, v_2\}$ is in $L_2$ (initially empty). If so, it returns the existing $v_2$ to $\mathcal{A}$; otherwise, it generates a random value $v_2'$, stores the tuple $\{y, v_2'\}$ in the list $L_2$ and returns $v_2'$ to $\mathcal{A}$.

The adversary $\mathcal{A}$ may issue a $Test$ query to any instance after being given access to the above queries. The output of the $Test$ query depends on the bit b. At last, $\mathcal{A}$ outputs a guess $b'$ for b, and $\mathcal{A}$ succeeds if $b' = b$. Let $Succ$ denote the event that $\mathcal{A}$ succeeds in the game. The advantage of the adversary $\mathcal{A}$ is defined as follows:

$$Adv_{\mathcal{A}}^{Ind} = \left| 2 \cdot \Pr[Succ] - 1 \right|$$

If the advantage $Adv_{\mathcal{A}}^{Ind}$ is negligible, then we conclude that the proposed scheme is secure.

#### 2.3. Elliptic Curve Discrete Logarithm Problem

Let G be a cyclic additive elliptic curve group of prime order q, and let P be a generator of G. Assuming that the multiplication and inversion operations in G can be computed efficiently, the two intractable problems in G are defined as follows:

- **Elliptic curve discrete logarithm** (ECDL) problem: Given $P, aP \in G$ for unknown $a \in Z_q^*$, find a.
- **Elliptic curve computational Diffie-Hellman** (ECCDH) problem: Given $P$, $aP$, $bP \in G$ for unknown $a, b \in Z_q^*$, compute $abP$.

## 3. The Proposed Scheme

In this section, we describe the proposed scheme in detail. It consists of four phases: system setup, user registration, sensor node registration and authentication. Table 1 summarizes all the notations used in this paper.

#### 3.1. System Setup Phase

System setup is performed by $GWN$ as follows:

- $GWN$ chooses a non-singular elliptic curve ${E}_{p}(a,b)$ over the prime finite field ${Z}_{p}$, where p is a large prime, and lets G be the elliptic curve group. Then, $GWN$ chooses a generator P of order q over ${E}_{p}$. $GWN$ selects its private key ${d}_{GWN}$ and computes the corresponding public key ${Q}_{GWN}={d}_{GWN}P$.
- $GWN$ selects three collision-resistant one-way hash functions $h,{H}_{1},{H}_{2}:{\{0,1\}}^{*}\to {Z}_{q}$.
- Finally, the system parameters $params=\{{E}_{p}(a,b),P,p,q,h,{H}_{1},{H}_{2},{Q}_{GWN}\}$ are published, while the private key ${d}_{GWN}$ is kept secret by $GWN$.

#### 3.2. Registration Phase

A user U registers at the gateway node $GWN$ as required, while a regular sensor node S registers at $GWN$ offline. The registration processes of U and S are detailed below.

#### 3.2.1. User Registration Phase

The registration process between U and $GWN$ is as follows:

- U selects an identity $I{D}_{U}$ and a private key ${d}_{U}$, and computes the public key ${Q}_{U}={d}_{U}P$. Then, U calculates the registration message $MI{D}_{U}=h(I{D}_{U})$ and sends it to $GWN$ via a non-public channel.
- After receiving the registration message from U, $GWN$ calculates ${M}_{U}=h(MI{D}_{U}\Vert {d}_{GWN})$ and returns it to U via a non-public channel.
- U computes ${M}_{U}^{*}={M}_{U}\oplus h(I{D}_{U}\Vert {d}_{U})$ and deletes ${M}_{U}$.

#### 3.2.2. Sensor Node Registration Phase

S performs offline registration with the help of $GWN$ as follows:

- S generates its identity $I{D}_{S}$ and private key ${d}_{S}$, and computes the corresponding public key ${Q}_{S}={d}_{S}P$ and $h(I{D}_{S}\Vert {d}_{S})$. Then, S sends $\{I{D}_{S},{Q}_{S},h(I{D}_{S}\Vert {d}_{S})\}$ to $GWN$ via a non-public channel.
- After receiving the message $\{I{D}_{S},{Q}_{S},h(I{D}_{S}\Vert {d}_{S})\}$ from S, $GWN$ computes ${R}_{S}=(h(I{D}_{S}\Vert {d}_{S})+h(I{D}_{S}\Vert {d}_{GWN}))P$ and sends it to S. $GWN$ publishes ${Q}_{S}$ and stores $\{I{D}_{S},{Q}_{S},{R}_{S}\}$ in its database.
- Upon receiving ${R}_{S}$ from $GWN$, S stores it in its memory.

#### 3.3. Authentication and Key Agreement Phase

When the user U wants to access the sensor node S, he or she initiates this phase by issuing a request via $GWN$. This phase enables $GWN$, U and S to authenticate each other effectively and then establishes a session key between U and S. Once a session key has been negotiated successfully by U and S, they can exchange private messages with each other via a public channel. A detailed description of the steps of this phase is as follows:

- Step 1: U selects a random number $r_U \in Z_q^*$, generates the current timestamp $t_1$ and computes $E_U = r_U P$, $M_U' = M_U^* \oplus h(ID_U \Vert d_U)$, $N_U = r_U Q_{GWN} = (N_U^{(x)}, N_U^{(y)})$, $AID_U = MID_U \oplus N_U^{(y)}$, $K_U = (r_U + d_U) Q_{GWN}$ and $h_U = H_1(K_U \Vert M_U' \Vert t_1)$. Then, U sends the request message $\{E_U, AID_U, h_U, t_1\}$ to $GWN$ via a public channel.
- Step 2: When $GWN$ receives the authentication request from U at time $t_1'$, it checks whether the condition $|t_1' - t_1| \le \Delta t$ holds. If so, $GWN$ computes $N_U' = d_{GWN} E_U = (N_U^{(x)'}, N_U^{(y)'})$ and then verifies U by computing $MID_U' = AID_U \oplus N_U^{(y)'}$, $M_U = h(MID_U' \Vert d_{GWN})$, $K_U' = d_{GWN}(Q_U + E_U)$ and $h_U' = H_1(K_U' \Vert M_U \Vert t_1)$. $GWN$ checks whether $h_U' = h_U$ holds. If not, $GWN$ rejects the user's authentication request; otherwise, it proceeds to Step 3.
- Step 3: $GWN$ generates its current timestamp $t_2$, selects a random number $r_{GWN} \in Z_q^*$ and computes $E_{GWN} = r_{GWN} P$, $K_{GWN} = (r_{GWN} + d_{GWN}) Q_S$, $M_{GWN} = N_U^{(x)'} \oplus h(R_S \Vert K_{GWN} \Vert E_{GWN})$ and $h_{GWN} = H_1(K_{GWN} \Vert ID_S \Vert t_2)$. Then, the gateway node $GWN$ sends the message $\{E_U, E_{GWN}, M_{GWN}, h_{GWN}, t_2, t_1\}$ to S via a public channel.
- Step 4: Upon receiving the authentication message from $GWN$ at time $t_2'$, S first checks the validity of the timestamp with the condition $|t_2' - t_2| \le \Delta t$. If $t_2$ is invalid, S terminates the session. Otherwise, S computes $K_{GWN}' = d_S(E_{GWN} + Q_{GWN})$, $N_U^{(x)''} = M_{GWN} \oplus h(R_S \Vert K_{GWN}' \Vert E_{GWN})$ and $h_{GWN}' = H_1(K_{GWN}' \Vert ID_S \Vert t_2)$. Next, S verifies $h_{GWN}'$: if $h_{GWN}' = h_{GWN}$, the sensor node S accepts $GWN$ and proceeds to Step 5; otherwise, it rejects $GWN$.
- Step 5: S generates its current timestamp $t_3$, selects a random number $r_S \in Z_q^*$ and computes $E_S = r_S P$, $K_S = r_S(R_S - h(ID_S \Vert d_S) P)$, $h_S = H_1(K_S \Vert ID_S \Vert t_3)$, $sk_S = r_S(E_U + N_U^{(x)''} P)$ and $Auth_S = H_1(sk_S \Vert t_3)$. S sends the message $\{E_S, t_3, h_S, Auth_S\}$ to $GWN$ via a public channel. Then, S computes the session key $SK = H_2(sk_S \Vert E_S \Vert E_U \Vert t_3 \Vert t_1)$.
- Step 6: Upon receiving the reply from S at time $t_3'$, $GWN$ checks the validity of $t_3$ with the condition $|t_3' - t_3| \le \Delta t$. If $t_3$ is valid, $GWN$ computes $K_S' = h(ID_S \Vert d_{GWN}) E_S$ and $h_S' = H_1(K_S' \Vert ID_S \Vert t_3)$, and checks whether $h_S' = h_S$. If so, $GWN$ generates its current timestamp $t_4$, computes $Auth_{GWN} = H_1(r_{GWN} Q_U \Vert M_U \Vert t_4)$ and sends the message $\{E_S, E_{GWN}, t_3, t_4, Auth_S, Auth_{GWN}\}$ to U.
- Step 7: After receiving the reply from $GWN$ at time $t_4'$, U checks the validity of $t_4$ with the condition $|t_4' - t_4| \le \Delta t$. If it is valid, U computes $Auth_{GWN}' = H_1(d_U E_{GWN} \Vert M_U' \Vert t_4)$ and checks whether $Auth_{GWN}' = Auth_{GWN}$. If so, U computes $sk_U = (r_U + N_U^{(x)}) E_S$ and $Auth_S' = H_1(sk_U \Vert t_3)$, and checks whether $Auth_S' = Auth_S$. If so, U computes the secret session key $SK = H_2(sk_U \Vert E_S \Vert E_U \Vert t_3 \Vert t_1)$.

The process of authentication and key agreement is visually illustrated in Figure 2.
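As an added example that is not code from the paper or its authors, the following Python program runs the system setup, both registration phases and the seven steps of the authentication phase end to end, so that the equalities the scheme relies on ($K_U = K_U'$, $K_{GWN} = K_{GWN}'$, $K_S = K_S'$, $sk_U = sk_S$) are checked by execution rather than by reading. Everything the paper leaves open is an assumption of this example: the curve is secp256k1 with pure-Python point arithmetic; $h$, $H_1$, $H_2$ are SHA-256 with a domain-separation tag, reduced mod q; timestamps come from a constructed shared clock `NOW` with window `DT`; the non-public registration channels are plain function calls; and $GWN$ is assumed to hold $Q_U$ from registration. The `tamper` flag flips one bit of $AID_U$ in transit to show the check in the second step rejecting the request.

```python
# Added example (not the paper's or the authors' code): the four phases of Section 3 run
# end to end in pure Python. Assumptions not fixed by the paper: the curve (secp256k1),
# h/H1/H2 instantiated as SHA-256 with a domain tag and reduced mod q, a constructed
# shared clock NOW, the window DT, and that GWN learned Q_U at registration.
import hashlib, secrets

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):                       # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = 3 * x1 * x1 * pow(2 * y1, -1, p) if A == B else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):                       # double-and-add; scalars are taken in Z_q
    R, k = None, k % q
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def ec_sub(A, B): return ec_add(A, (B[0], (-B[1]) % p))

def _enc(x):                            # canonical bytes for points, integers and identity strings
    if isinstance(x, tuple): return _enc(x[0]) + _enc(x[1])
    return x.to_bytes(32, "big") if isinstance(x, int) else x.encode()

def _H(tag, *parts):                    # h, H1, H2 : {0,1}* -> Z_q, domain-separated by tag
    return int.from_bytes(hashlib.sha256(tag + b"|".join(map(_enc, parts))).digest(), "big") % q
def h(*a): return _H(b"h", *a)
def H1(*a): return _H(b"H1", *a)
def H2(*a): return _H(b"H2", *a)
def rand(): return secrets.randbelow(q - 1) + 1        # element of Z_q^*
NOW, DT = 1_700_000_000, 5              # constructed shared clock and window delta-t (seconds)

def setup():                            # 3.1: GWN key pair (d_GWN, Q_GWN)
    d = rand(); return d, ec_mul(d, P)

def register_user(id_u, d_gwn):         # 3.2.1; the non-public channel is a function call here
    d_u, MID = rand(), h(id_u)
    M_u = h(MID, d_gwn)                 # GWN's reply; U keeps M_U* = M_U xor h(ID_U||d_U)
    return {"id": id_u, "d": d_u, "Q": ec_mul(d_u, P), "MID": MID, "M_star": M_u ^ h(id_u, d_u)}

def register_sensor(id_s, d_gwn):       # 3.2.2; GWN stores {ID_S, Q_S, R_S}
    d_s = rand()
    R_s = ec_mul(h(id_s, d_s) + h(id_s, d_gwn), P)
    return {"id": id_s, "d": d_s, "Q": ec_mul(d_s, P), "R": R_s}

def authenticate(U, S, d_gwn, Q_gwn, tamper=False):
    """Steps 1-7 of Section 3.3; returns (SK_U, SK_S) or None when any check fails."""
    r_u, t1 = rand(), NOW                                   # Step 1 (U)
    E_u, N_u = ec_mul(r_u, P), ec_mul(r_u, Q_gwn)
    M_u_prime = U["M_star"] ^ h(U["id"], U["d"])
    AID_u = U["MID"] ^ N_u[1]                               # masked identity
    h_u = H1(ec_mul(r_u + U["d"], Q_gwn), M_u_prime, t1)
    if tamper: AID_u ^= 1                                   # constructed in-transit modification
    if abs(NOW - t1) > DT: return None                      # Step 2 (GWN)
    N_u_p = ec_mul(d_gwn, E_u)
    M_u = h(AID_u ^ N_u_p[1], d_gwn)
    if H1(ec_mul(d_gwn, ec_add(U["Q"], E_u)), M_u, t1) != h_u: return None
    r_gwn, t2 = rand(), NOW                                 # Step 3 (GWN)
    E_gwn = ec_mul(r_gwn, P)
    K_gwn = ec_mul(r_gwn + d_gwn, S["Q"])
    M_gwn = N_u_p[0] ^ h(S["R"], K_gwn, E_gwn)
    h_gwn = H1(K_gwn, S["id"], t2)
    if abs(NOW - t2) > DT: return None                      # Step 4 (S)
    K_gwn_p = ec_mul(S["d"], ec_add(E_gwn, Q_gwn))
    N_u_x = M_gwn ^ h(S["R"], K_gwn_p, E_gwn)
    if H1(K_gwn_p, S["id"], t2) != h_gwn: return None
    r_s, t3 = rand(), NOW                                   # Step 5 (S)
    E_s = ec_mul(r_s, P)
    K_s = ec_mul(r_s, ec_sub(S["R"], ec_mul(h(S["id"], S["d"]), P)))
    h_s = H1(K_s, S["id"], t3)
    sk_s = ec_mul(r_s, ec_add(E_u, ec_mul(N_u_x, P)))
    Auth_s, SK_s = H1(sk_s, t3), H2(sk_s, E_s, E_u, t3, t1)
    if abs(NOW - t3) > DT: return None                      # Step 6 (GWN)
    if H1(ec_mul(h(S["id"], d_gwn), E_s), S["id"], t3) != h_s: return None
    t4 = NOW
    Auth_gwn = H1(ec_mul(r_gwn, U["Q"]), M_u, t4)
    if abs(NOW - t4) > DT: return None                      # Step 7 (U)
    if H1(ec_mul(U["d"], E_gwn), M_u_prime, t4) != Auth_gwn: return None
    sk_u = ec_mul(r_u + N_u[0], E_s)
    if H1(sk_u, t3) != Auth_s: return None
    return H2(sk_u, E_s, E_u, t3, t1), SK_s

if __name__ == "__main__":
    d_gwn, Q_gwn = setup()
    U, S = register_user("user-001", d_gwn), register_sensor("sensor-17", d_gwn)
    keys = authenticate(U, S, d_gwn, Q_gwn)
    print("session keys agree:", keys is not None and keys[0] == keys[1])
    print("tampered AID_U rejected:", authenticate(U, S, d_gwn, Q_gwn, tamper=True) is None)
```

Every scalar is reduced mod q before a multiplication, so the x-coordinate $N_U^{(x)}$, which lives in $Z_p$ rather than $Z_q$, enters $sk_U$ and $sk_S$ identically on both sides. A user registered under a different gateway key fails at the second step as well, because its $M_U'$ no longer matches $h(MID_U' \Vert d_{GWN})$.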

## 4. Analysis of Correctness and Security

In this section, the correctness of the proposed scheme is validated using BAN-logic and the security of our scheme is proved under the random oracle model. In addition, some other security features are also discussed in the end.

#### 4.1. Correctness

With the formal validation tool Burrows-Abadi-Needham logic (BAN-logic) [27], we provide the proof of correctness of the proposed scheme in this section. Let U be the user, S the sensor node and $GWN$ the gateway node. We demonstrate that a session key can be created successfully after the process of mutual authentication between S and U. The basic notations of BAN-logic are given below:

- $P \mid \equiv X$: P believes X.
- $P \triangleleft X$: P sees X, i.e., P has received a message containing X.
- $P \mid \sim X$: P said X, i.e., P has sent a message containing X.
- $P \mid \Rightarrow X$: P controls X.
- $\#(X)$ or $fresh(X)$: X is a fresh message; X is usually a temporary value.
- $(X)$: The hashed value of X.
- $P \stackrel{K}{\longleftrightarrow} Q$: K is a secret key shared between P and Q.
- $\langle X \rangle_{Y}$: X is combined with the secret Y.
- $(X,Y)$: X or Y is one part of $(X,Y)$.

Some logic postulates of BAN-logic are described as follows:

- Message-meaning rule $(MMR)$: $\frac{P \mid \equiv Q \stackrel{K}{\longleftrightarrow} P,\; P \triangleleft \{X\}_K}{P \mid \equiv Q \mid \sim X}$ or $\frac{P \text{ believes } Q \stackrel{K}{\longleftrightarrow} P,\; P \text{ sees } \{X\}_K}{P \text{ believes } Q \text{ said } X}$. If P believes that K is a secret key shared between P and Q, and P sees X combined with K, then P believes that Q said X.
- Nonce-verification rule $(NVR)$: $\frac{P \mid \equiv \#(X),\; P \mid \equiv Q \mid \sim X}{P \mid \equiv Q \mid \equiv X}$ or $\frac{P \text{ believes } fresh(X),\; P \text{ believes } Q \text{ said } X}{P \text{ believes } Q \text{ believes } X}$. If P believes that X is fresh and that Q said X, then P believes that Q believes X.
- Jurisdiction rule $(JR)$: $\frac{P \mid \equiv Q \mid \Rightarrow X,\; P \mid \equiv Q \mid \equiv X}{P \mid \equiv X}$ or $\frac{P \text{ believes } Q \text{ controls } X,\; P \text{ believes } Q \text{ believes } X}{P \text{ believes } X}$. If P believes that Q controls X and that Q believes X, then P believes X.
- Freshness rule $(FR)$: $\frac{P \mid \equiv \#(X)}{P \mid \equiv \#(X,Y)}$ or $\frac{P \text{ believes } fresh(X)}{P \text{ believes } fresh(X,Y)}$. If P believes that X is fresh, then P believes that $(X,Y)$ is fresh.
- Belief rule $(BR)$: $\frac{P \mid \equiv (X,Y)}{P \mid \equiv X}$ or $\frac{P \text{ believes } (X,Y)}{P \text{ believes } X}$. If P believes the message $(X,Y)$, then P believes X.

Our proposed scheme establishes a secret session key $SK$ between U and S, and the following goals are achieved after the protocol execution.

- Goal 1: $U \mid \equiv (U \stackrel{SK}{\longleftrightarrow} S)$
- Goal 2: $S \mid \equiv (U \stackrel{SK}{\longleftrightarrow} S)$

The exchange of messages during the authentication phase is depicted as follows:

- Message 1: $GWN \to S$: $\langle r_{GWN}P, t_2, (GWN \stackrel{K_{GWN}}{\longleftrightarrow} S) \rangle_{R_S}$
- Message 2: $GWN \to S$: $\langle r_U P, r_{GWN}P, t_2, t_1, (U \stackrel{N_U^{(x)''} = N_U^{(x)}}{\longleftrightarrow} S) \rangle_{K_{GWN}}$
- Message 3: $GWN \to U$: $\langle r_S P, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN) \rangle_{M_U}$
- Message 4: $GWN \to U$: $\langle r_S P, t_3, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN), (U \stackrel{sk_U = sk_S}{\longleftrightarrow} S) \rangle_{r_{GWN}Q_U}$

To proceed with the derivation, the initial state assumptions are set as A1–A9:

- A1: $S \mid \equiv \#(t_2)$
- A2: $S \mid \equiv \#(t_1)$
- A3: $U \mid \equiv \#(t_4)$
- A4: $S \mid \equiv GWN \stackrel{R_S}{\longleftrightarrow} S$
- A5: $U \mid \equiv U \stackrel{M_U}{\longleftrightarrow} GWN$
- A6: $S \mid \equiv GWN \mid \Rightarrow (GWN \stackrel{K_{GWN}}{\longleftrightarrow} S)$
- A7: $S \mid \equiv GWN \mid \Rightarrow (U \stackrel{N_U^{(x)''} = N_U^{(x)}}{\longleftrightarrow} S)$
- A8: $U \mid \equiv GWN \mid \Rightarrow (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN)$
- A9: $U \mid \equiv GWN \mid \Rightarrow (U \stackrel{sk_S}{\longleftrightarrow} S)$

U and S intend to share a session key $SK$ to achieve confidential communication. As stated above, the mutual authentication between U and S achieves Goal 1 and Goal 2 in the end. This is proved as follows:

- From Message 1, we have: $$S \triangleleft \langle r_{GWN}P, t_2, (GWN \stackrel{K_{GWN}}{\longleftrightarrow} S) \rangle_{R_S} \tag{1}$$
- According to the message-meaning rule, if Formula (1) and the state assumption A4 hold at the same time, we can infer: $$S \mid \equiv GWN \mid \sim \langle r_{GWN}P, t_2, (GWN \stackrel{K_{GWN}}{\longleftrightarrow} S) \rangle \tag{2}$$
- According to the freshness rule, if the state assumption A1 holds, we obtain: $$S \mid \equiv \# \langle r_{GWN}P, t_2, (GWN \stackrel{K_{GWN}}{\longleftrightarrow} S) \rangle \tag{3}$$
- According to the nonce-verification rule, if Formulas (2) and (3) hold at the same time, we can deduce: $$S \mid \equiv GWN \mid \equiv \langle r_{GWN}P, t_2, (GWN \stackrel{K_{GWN}}{\longleftrightarrow} S) \rangle \tag{4}$$
- According to the belief rule, if Formula (4) holds, we get: $$S \mid \equiv GWN \mid \equiv (GWN \stackrel{K_{GWN}}{\longleftrightarrow} S) \tag{5}$$
- According to the jurisdiction rule, if Formula (5) and the state assumption A6 hold at the same time, we obtain: $$S \mid \equiv (GWN \stackrel{K_{GWN}}{\longleftrightarrow} S) \tag{6}$$
- From Message 2, we have: $$S \triangleleft \langle r_U P, r_{GWN}P, t_2, t_1, (U \stackrel{N_U^{(x)''} = N_U^{(x)}}{\longleftrightarrow} S) \rangle_{K_{GWN}} \tag{7}$$
- According to the message-meaning rule, if Formulas (6) and (7) hold at the same time, we can infer: $$S \mid \equiv GWN \mid \sim \langle r_U P, r_{GWN}P, t_2, t_1, (U \stackrel{N_U^{(x)''} = N_U^{(x)}}{\longleftrightarrow} S) \rangle \tag{8}$$
- According to the freshness rule, if the state assumption A2 holds, we can deduce: $$S \mid \equiv \# \langle r_U P, r_{GWN}P, t_2, t_1, (U \stackrel{N_U^{(x)''} = N_U^{(x)}}{\longleftrightarrow} S) \rangle \tag{9}$$
- According to the nonce-verification rule, if Formulas (8) and (9) hold at the same time, we get: $$S \mid \equiv GWN \mid \equiv \langle r_U P, r_{GWN}P, t_2, t_1, (U \stackrel{N_U^{(x)''} = N_U^{(x)}}{\longleftrightarrow} S) \rangle \tag{10}$$
- According to the belief rule, if Formula (10) holds, we obtain: $$S \mid \equiv GWN \mid \equiv (U \stackrel{N_U^{(x)''} = N_U^{(x)}}{\longleftrightarrow} S) \tag{11}$$
- According to the jurisdiction rule, if Formula (11) and the state assumption A7 hold at the same time, we have: $$S \mid \equiv (U \stackrel{N_U^{(x)''} = N_U^{(x)}}{\longleftrightarrow} S) \tag{12}$$
- According to the belief rule, if Formula (12) holds, we obtain Formula (13), which is Goal 2: $$S \mid \equiv (U \stackrel{SK}{\longleftrightarrow} S) \qquad \text{(Goal 2)} \tag{13}$$
- From Message 3, we get: $$U \triangleleft \langle r_S P, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN) \rangle_{M_U} \tag{14}$$
- According to the message-meaning rule, if Formula (14) and the state assumption A5 hold at the same time, we can deduce: $$U \mid \equiv GWN \mid \sim \langle r_S P, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN) \rangle \tag{15}$$
- According to the freshness rule, if the state assumption A3 holds, we have: $$U \mid \equiv \# \langle r_S P, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN) \rangle \tag{16}$$
- According to the nonce-verification rule, if Formulas (15) and (16) hold at the same time, we obtain: $$U \mid \equiv GWN \mid \equiv \langle r_S P, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN) \rangle \tag{17}$$
- According to the belief rule, if Formula (17) holds, we can infer: $$U \mid \equiv GWN \mid \equiv (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN) \tag{18}$$
- According to the jurisdiction rule, if Formula (18) and the state assumption A8 hold at the same time, we can deduce: $$U \mid \equiv (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN) \tag{19}$$
- From Message 4, we get: $$U \triangleleft \langle r_S P, t_3, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN), (U \stackrel{sk_U = sk_S}{\longleftrightarrow} S) \rangle_{r_{GWN}Q_U} \tag{20}$$
- According to the message-meaning rule, if Formulas (19) and (20) and the state assumption A5 hold at the same time, we can deduce: $$U \mid \equiv GWN \mid \sim \langle r_S P, t_3, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN), (U \stackrel{sk_U = sk_S}{\longleftrightarrow} S) \rangle \tag{21}$$
- According to the freshness rule, if the state assumption A3 holds, we have: $$U \mid \equiv \# \langle r_S P, t_3, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN), (U \stackrel{sk_U = sk_S}{\longleftrightarrow} S) \rangle \tag{22}$$
- According to the nonce-verification rule, if Formulas (21) and (22) hold at the same time, we obtain: $$U \mid \equiv GWN \mid \equiv \langle r_S P, t_3, t_4, (U \stackrel{r_{GWN}Q_U}{\longleftrightarrow} GWN), (U \stackrel{sk_U = sk_S}{\longleftrightarrow} S) \rangle \tag{23}$$
- According to the belief rule, if Formula (23) holds, we can infer: $$U \mid \equiv GWN \mid \equiv (U \stackrel{sk_U = sk_S}{\longleftrightarrow} S) \tag{24}$$
- According to the jurisdiction rule, if the Formula (24) and the state assumption A9 hold at the same time, we can deduce:$$U\mid \equiv \left(U\stackrel{\underleftrightarrow{s{k}_{U}=s{k}_{S}}}{}S\right)$$
- According to the belief rule, if the Formula (25) holds, we can have:$$U\mid \equiv \left(U\stackrel{\underleftrightarrow{SK}}{}S\right)\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}Goal\phantom{\rule{4pt}{0ex}}1$$

At this point, it can be seen that Goal 1 and Goal 2 have both been achieved, which means that the proposed scheme is correct and feasible.

#### 4.2. Security

We first demonstrate that our proposed scheme possesses semantic security under the random oracle model.

**Theorem 1.**

Let $\mathcal{A}$ denote an adversary running in polynomial time t against the proposed protocol under the random oracle model; then we have

$$Adv_{\mathcal{A}}^{Ind} \leqslant \frac{q_{H_1}^2}{|H_1|} + \frac{q_{H_2}^2}{|H_2|} + \frac{(q_{exe}+q_{send})^2}{p} + 2\,Adv_{\mathcal{A}}^{ECCDH}(t)$$

where $Adv_{\mathcal{A}}^{ECCDH}(t)$ is the advantage of $\mathcal{A}$ in breaking the ECCDH problem; $q_{H_1}$, $q_{H_2}$, $q_{exe}$ and $q_{send}$ represent the numbers of $H_1$, $H_2$, $Execute$ and $Send$ queries respectively; and $|H_1|$, $|H_2|$ denote the sizes of the range spaces of the functions $H_1$ and $H_2$ respectively.

**Proof.**

Let $Succ_i$ represent the event that $\mathcal{A}$ wins in the game $G_i$, i.e., $\mathcal{A}$ correctly guesses the bit b, where $i \in [0,3]$.

**Game** $G_0$: In $G_0$, a real attack against our proposed scheme from $\mathcal{A}$ is simulated. Firstly, the value of b is selected randomly. According to the above definitions, we obtain:

$$Adv_{\mathcal{A}}^{Ind} = 2 \cdot Pr[Succ_0] - 1$$

**Game** $G_1$: To increase the probability that $\mathcal{A}$ wins the game, the query $Execute$ is used to model eavesdropping attacks. Since its goal is to get some information about $SK$, $\mathcal{A}$ has to compute $sk_U$ or $sk_S$ according to the definition of the proposed scheme; however, $sk_U = r_S (r_U + N_U^{(x)}) P$, where $r_U$ and $r_S$ are unknown. Without corrupting the gateway node $GWN$ to get $d_{GWN}$, the probability of success is not increased merely by eavesdropping on the transmitted messages, which implies that

$$Pr\left[Suc{c}_{1}\right]=Pr\left[Suc{c}_{0}\right]$$

**Game** $G_2$: This game, derived from $G_1$, simulates active attacks by adding the $H_1$, $H_2$ and $Send$ oracles, with which $\mathcal{A}$ tries to forge messages. By arbitrarily issuing queries to $H_1$ and $H_2$, $\mathcal{A}$ attempts to find collisions. The probability of such collisions is at most $\left(\frac{q_{H_1}^2}{|H_1|} + \frac{q_{H_2}^2}{|H_2|}\right)$ according to the birthday paradox. The probability of collisions in the transcripts is at most $\frac{(q_{send}+q_{exe})^2}{p}$. Therefore, we get:

$$\left| Pr[Succ_1] - Pr[Succ_2] \right| \leqslant \frac{q_{H_1}^2}{2|H_1|} + \frac{q_{H_2}^2}{2|H_2|} + \frac{(q_{exe}+q_{send})^2}{2p}$$

**Game** $G_3$: $G_3$ models the attack in which the gateway node $GWN$ has been corrupted. By issuing $Corrupt(\prod_{P}^{k})$ queries, $\mathcal{A}$ can get the long-term key of $GWN$. According to the definition, the common secret value $sk_S$ (equivalently $sk_U$) is the core of the session key $SK$. Consider the following fact:

$$\begin{aligned} sk_U &= sk_S \\ &= r_S (r_U + N_U^{(x)}) P = r_U r_S P + r_S N_U^{(x)} P \\ &= r_U r_S P + (d_{GWN} E_U)^{(x)} E_S \end{aligned}$$

Thus, $\mathcal{A}$ can use the long-term key $d_{GWN}$ to compute the second term from the transcripts, but the first term $r_U r_S P$ remains. The difference in the success probability of $\mathcal{A}$ between $G_3$ and $G_2$ is therefore no greater than the advantage of solving an ECCDH problem instance. Let $Adv_{\mathcal{A}}^{ECCDH}(t)$ be the advantage with which the adversary $\mathcal{A}$ solves the ECCDH problem instance within time t in this game. Hence, we get

$$\left| Pr[Succ_2] - Pr[Succ_3] \right| \leqslant Adv_{\mathcal{A}}^{ECCDH}(t)$$

To win the game $G_3$, $\mathcal{A}$ has no choice but to guess the bit b, which leads to the following result

$$Pr\left[Suc{c}_{3}\right]=\frac{1}{2}$$

Thus, from (28)–(31), we get

$$\begin{aligned} \left| Pr[Succ_0] - \tfrac{1}{2} \right| &= \left| Pr[Succ_0] - Pr[Succ_3] \right| \\ &\leqslant \left| Pr[Succ_0] - Pr[Succ_1] \right| + \left| Pr[Succ_1] - Pr[Succ_2] \right| + \left| Pr[Succ_2] - Pr[Succ_3] \right| \\ &\leqslant \frac{q_{H_1}^2}{2|H_1|} + \frac{q_{H_2}^2}{2|H_2|} + \frac{(q_{send}+q_{exe})^2}{2p} + Adv_{\mathcal{A}}^{ECCDH}(t) \end{aligned}$$

From (27), we have $Pr[Succ_0] = Adv_{\mathcal{A}}^{Ind}/2 + 1/2$. Hence,

$$Adv_{\mathcal{A}}^{Ind} \leqslant \frac{q_{H_1}^2}{|H_1|} + \frac{q_{H_2}^2}{|H_2|} + \frac{(q_{send}+q_{exe})^2}{p} + 2\,Adv_{\mathcal{A}}^{ECCDH}(t)$$

□

#### 4.3. Deniable Authentication

In our proposed scheme, polynomial-time deniability means that the gateway node, as the receiver, can simulate messages that are indistinguishable, to any third party, from those sent by the user. The concrete simulation process of $GWN$ is as follows:

- $GWN$ selects a random number $\overline{{r}_{U}}\in {z}_{q}^{*}$, computes $\overline{{E}_{U}}=\overline{{r}_{U}}P$ and $\overline{{N}_{U}}=\overline{{r}_{U}}{Q}_{GWN}=(\overline{{N}_{U}^{(x)}},\overline{{N}_{U}^{(y)}})$.
- $GWN$ chooses a user pseudo-identity $\overline{h(I{D}_{U})}$ and a public key, computes $\overline{AI{D}_{U}}=\overline{h(I{D}_{U})}\oplus \overline{{N}_{U}^{(y)}}$, $\overline{{K}_{U}}={d}_{GWN}(\overline{{E}_{U}}+\overline{{Q}_{U}})$ and $\overline{{h}_{U}}={H}_{1}(\overline{{K}_{U}}\Vert h(\overline{h(I{D}_{U})\Vert {d}_{GWN}})\Vert {t}_{1})$.

$GWN$ sends $\overline{{E}_{U}},\overline{AI{D}_{U}},\overline{{h}_{U}},{t}_{1}$ to the third party. After receiving the message, the third party cannot get any information related to the user by $\overline{AI{D}_{U}}$. In addition, $\overline{{h}_{U}}$ can be calculated by the user or the gateway. Hence, the third party is unable to determine the true source of the message. Therefore, our proposed scheme achieves deniable authentication.

#### 4.4. Anonymity

Since the authentication messages are transmitted over a public channel, an outside adversary can easily eavesdrop on the communication. However, our proposed scheme preserves the anonymity of the user. Suppose that an adversary $\mathcal{A}$ intercepts $\{E_U, AID_U, h_U, t_1\}$ during the authentication phase and attempts to reveal some information about the user's identity. $\mathcal{A}$ knows only that $N_U = r_U Q_{GWN} = (N_U^{(x)}, N_U^{(y)})$ and $AID_U = MID_U \oplus N_U^{(y)}$, where $MID_U = h(ID_U)$. Because of the random number $r_U$ and the one-way hash function, $\mathcal{A}$ can neither compute $N_U$ nor obtain $ID_U$. Owing to the timestamps and random numbers, the messages intercepted by $\mathcal{A}$ are unique and dynamic for each authentication among U, S and $GWN$. Therefore, the proposed scheme ensures user anonymity.

#### 4.5. Mutual Authentication

With the request message $\{E_U, AID_U, h_U, t_1\}$ sent by U, $GWN$ computes $N_U' = d_{GWN} E_U = (N_U^{(x)\prime}, N_U^{(y)\prime})$ to obtain the values $M_U$ and $K_U$, and checks the validity of U via the equality $h_U = h_U'$. After receiving the message $\{E_U, E_{GWN}, M_{GWN}, h_{GWN}, t_2, t_1\}$ from $GWN$, the sensor node S obtains the values $K_{GWN}$ and $N_U^{(x)\prime}$ and then computes $h_{GWN}' = H_1(K_{GWN}' \Vert ID_S \Vert t_2)$ to verify the validity of $GWN$ via the equality $h_{GWN} = h_{GWN}'$. On receiving the message $\{E_S, t_3, h_S, Auth_S\}$ from S, $GWN$ computes $K_S'$ and $h_S' = H_1(K_S' \Vert ID_S \Vert t_3)$ to check the validity of S via the equality $h_S' = h_S$. Then $GWN$ sends the message $\{E_S, t_3, t_4, Auth_S, Auth_{GWN}\}$ to U, and U computes $sk_U = (r_U + N_U^{(x)}) E_S$, $Auth_{GWN}' = H_1(d_U E_{GWN} \Vert M_U' \Vert t_4)$ and $Auth_S' = H_1(sk_U \Vert t_3)$, and checks the validity of $GWN$ and S by the equalities $Auth_{GWN}' = Auth_{GWN}$ and $Auth_S' = Auth_S$. If all of the above verifications succeed, our protocol provides mutual authentication.

#### 4.6. Unlinkability

In our proposed scheme, the real identities or related information of all participants are not sent in plaintext over the insecure network because each transmitted message contains timestamps, random values and one-way hash function values. An outside adversary $\mathcal{A}$ cannot determine whether two or more authentication messages come from the same participant. Therefore, the transmitted messages cannot be linked by the adversary.

#### 4.7. Traceability

In our proposed scheme, given a disputed message $\{E_U, AID_U, h_U, t_1\}$, only the trusted gateway node $GWN$ can reveal the identity of the user. From this message, $GWN$ computes $N_U' = d_{GWN} E_U = (N_U^{(x)\prime}, N_U^{(y)\prime})$ and $MID_U' = AID_U \oplus N_U^{(y)\prime}$ to obtain the user's identity $MID_U$. In addition, the tracing process does not require the real user to participate, because the message $\{E_U, AID_U, h_U, t_1\}$ sent by the user contains sufficient information to derive the user identity. Therefore, our proposed scheme achieves traceability.

#### 4.8. Resistance to Impersonation Attack

Assume an adversary $\mathcal{A}$ intercepts the message $\{E_U, AID_U, h_U, t_1\}$ in order to impersonate a user, where $E_U = r_U P$, $AID_U = MID_U \oplus N_U^{(y)}$, $K_U = (r_U + d_U) Q_{GWN}$ and $h_U = H_1(K_U \Vert M_U' \Vert t_1)$. Following the authentication process, the adversary generates a timestamp $t_1'$ and a random value $r_U' \in Z_q^*$ to get $E_U'$, $AID_U'$ and $K_U'$. However, $\mathcal{A}$ is unable to compute a valid $h_U'$ because he or she has neither the user's real identity $ID_U$ nor the private key $d_U$. Hence, according to the above analysis, our scheme resists such attacks.

#### 4.9. Resistance to Replay Attack

Suppose an adversary $\mathcal{A}$ intercepts all transmitted messages between participants and then attempts to replay some or all of them. In our scheme, however, timestamps and random numbers are integrated into the generation of the messages for U, $GWN$, S, thus the freshness of messages is well preserved. Therefore, the proposed protocol can resist replay attacks.
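As an added illustration, not code from the paper, the following Python models the user's request $\{E_U, AID_U, h_U, t_1\}$, the gateway's check of it (Section 4.5), the identity recovery of Section 4.7, the timestamp freshness check of Section 4.9, and the gateway-side simulation of Section 4.3, in which $GWN$ builds a request that passes the very same check without knowing $d_U$. It assumes secp256k1 as the curve $E_p(a,b)$, SHA-256 reduced modulo the group order for $h$ and $H_1$, that $M_U = h(MID_U \Vert d_{GWN})$ is the credential issued to the user at registration, and that $GWN$ keeps a registration table mapping $MID_U$ to $Q_U$; these, and every function name below, are assumptions rather than the paper's own definitions.

```python
# Added example, not code from the paper: U's request {E_U, AID_U, h_U, t_1}, GWN's check
# of it, identity tracing, the timestamp freshness check, and GWN's simulation of an
# indistinguishable request (deniability). Assumptions: secp256k1 stands in for E_p(a,b);
# h and H_1 are SHA-256 reduced mod the group order; a point is hashed via its (x, y)
# coordinates; M_U = h(MID_U || d_GWN) is the credential issued to U at registration;
# GWN keeps a registration table MID_U -> Q_U.
import hashlib
import secrets

# secp256k1 (assumed curve): y^2 = x^3 + 7 over F_p, generator G of prime order n
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(A):
    return (A[1] ** 2 - A[0] ** 3 - 7) % P_MOD == 0

def ec_add(A, B):
    # Affine point addition; None is the point at infinity O
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # A + (-A) = O
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):
    # Double-and-add scalar multiplication k*A
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def h(*parts):
    # h, H_1 : {0,1}* -> Z_q^*, modelled as SHA-256 of the '||'-joined encoding, mod n
    data = b"||".join(p if isinstance(p, bytes) else repr(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N_ORD

def keygen():
    d = secrets.randbelow(N_ORD - 1) + 1
    return d, ec_mul(d, G)

def user_request(ID_U, d_U, M_U, Q_GWN, t1):
    # U builds {E_U, AID_U, h_U, t_1} with a fresh random r_U
    r_U = secrets.randbelow(N_ORD - 1) + 1
    E_U = ec_mul(r_U, G)
    N_U = ec_mul(r_U, Q_GWN)                          # (N_U^(x), N_U^(y))
    AID_U = h(ID_U) ^ N_U[1]                          # MID_U masked with N_U^(y)
    K_U = ec_mul((r_U + d_U) % N_ORD, Q_GWN)          # (r_U + d_U) Q_GWN
    return {"E_U": E_U, "AID_U": AID_U, "h_U": h(K_U, M_U, t1), "t1": t1}

def gwn_verify(msg, d_GWN, registry, now, delta_t=5):
    # GWN side: freshness, identity recovery, then the h_U check; returns (ok, MID_U)
    if abs(now - msg["t1"]) > delta_t:                # stale or replayed (Section 4.9)
        return False, None
    N_U = ec_mul(d_GWN, msg["E_U"])                   # N_U' = d_GWN E_U = r_U Q_GWN
    MID_U = msg["AID_U"] ^ N_U[1]                     # MID_U' = AID_U xor N_U^(y)' (Section 4.7)
    Q_U = registry.get(MID_U)
    if Q_U is None:
        return False, None
    K_U = ec_mul(d_GWN, ec_add(msg["E_U"], Q_U))      # d_GWN (E_U + Q_U) = (r_U + d_U) Q_GWN
    return h(K_U, h(MID_U, d_GWN), msg["t1"]) == msg["h_U"], MID_U

def gwn_simulate(d_GWN, Q_GWN, MID_U, Q_U, t1):
    # Deniability (Section 4.3): GWN produces a request for MID_U without knowing d_U
    r_bar = secrets.randbelow(N_ORD - 1) + 1
    E_bar = ec_mul(r_bar, G)
    N_bar = ec_mul(r_bar, Q_GWN)
    K_bar = ec_mul(d_GWN, ec_add(E_bar, Q_U))
    h_bar = h(K_bar, h(MID_U, d_GWN), t1)
    return {"E_U": E_bar, "AID_U": MID_U ^ N_bar[1], "h_U": h_bar, "t1": t1}

def demo():
    d_GWN, Q_GWN = keygen()
    d_U, Q_U = keygen()
    ID_U = b"user-0001"                               # constructed sample identity
    MID_U = h(ID_U)
    M_U = h(MID_U, d_GWN)                             # registration credential (assumed form)
    registry = {MID_U: Q_U}
    t1 = 1_700_000_000                                # constructed timestamp
    real = user_request(ID_U, d_U, M_U, Q_GWN, t1)
    fake = gwn_simulate(d_GWN, Q_GWN, MID_U, Q_U, t1)
    ok_real, who_real = gwn_verify(real, d_GWN, registry, now=t1)
    ok_fake, who_fake = gwn_verify(fake, d_GWN, registry, now=t1)
    ok_late, _ = gwn_verify(real, d_GWN, registry, now=t1 + 3600)  # same message, an hour later
    return ok_real, ok_fake, who_real == MID_U == who_fake, ok_late
```

`demo()` returns `(True, True, True, False)`: the genuine request and the gateway's simulated request both pass the identical check and both trace to the same $MID_U$, which is exactly why a transcript cannot prove to a third party that the user, rather than $GWN$, produced it; the same request presented an hour later fails the $\Delta t$ check. Note that an eavesdropper without $d_{GWN}$ cannot compute $N_U'$ from $E_U$ and so cannot unmask $AID_U$, which is the anonymity argument of Section 4.4.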

#### 4.10. Forward Security

Assume an adversary $\mathcal{A}$ could obtain the private keys of all participants, i.e., $d_U$, $d_{GWN}$ and $d_S$. Even if $\mathcal{A}$ had also obtained the current session key $SK = H_2(sk_U \Vert E_S \Vert E_U \Vert t_3 \Vert t_1)$, he or she cannot derive the previous session keys, because $sk_U = sk_S = (r_U + N_U^{(x)}) E_S = r_U r_S P + (d_{GWN} E_U)^{(x)} E_S$, where $r_U$ and $r_S$ are chosen randomly by U and S respectively; the long-term keys yield only the second term, and computing $r_U r_S P$ from $E_U$ and $E_S$ is the ECCDH problem. Thus $\mathcal{A}$ can never obtain a previous session key, and our proposed scheme achieves forward security.

## 5. Performance Comparison

In this section, we evaluate the performance of our scheme regarding the computational cost in the authentication phase. Moreover, we present a comparison between the proposed scheme and some existing similar schemes [15,16,21,23,24,25]. For convenience, we use the symbols in Table 2 to denote the computational cost of the hash operation, the ECC-based operations and the bilinear pairing operation; the approximate running time of each operation is also given in Table 2.

Please note that we only consider the operations listed in Table 2, since the running time of the addition and XOR operations is negligible. To compare the computational time cost of these similar protocols fairly, the experiments use the OpenSSL and JPBC cryptographic libraries and are programmed in Visual C.

Table 3 and Figure 3 present the comparison between the other protocols [15,16,21,23,24,25] and ours. Table 4 presents the comparison of security properties between ours and the above protocols. According to the experimental results, our scheme costs 3.791 ms, which is better than [15,16,24,25]. We sort the time consumption of the operations as follows: $T_h < T_{padd} < T_{pmul} < T_{bp}$. The hash function takes the least time, while the bilinear pairing operation takes the most. To fully demonstrate the proposed scheme's advantage, we define $(T_{[others]} - T_{[ours]}) / T_{[others]}$, where $T_{[others]}$ denotes the computational cost of another scheme and $T_{[ours]}$ the computational cost of ours, as the improvement ratio of ours compared with the others [15,16,24,25]. Hence, the improvement ratios of the proposed scheme compared with [15,16,24,25] are $(7.041-3.791)/7.041 \approx 43.44\%$, $(8.705-3.791)/8.705 \approx 58.81\%$, $(5.927-3.791)/5.927 \approx 32.51\%$ and $(5.215-3.791)/5.215 \approx 23.37\%$ respectively.

Compared to Porambage's scheme [23] and Wang's scheme [21], our scheme incurs a higher cost according to Table 3 and Figure 3. However, according to Table 4, our scheme possesses more desirable security properties than the existing schemes: Porambage's scheme [23] cannot protect against the replay attack or provide user anonymity, and Wang's scheme [21] is prone to client impersonation attacks, in which an adversary is able to masquerade as a legitimate client and be authenticated by the application provider. Therefore, our proposed scheme provides more secure communication and higher efficiency than the compared existing schemes in IoT.

## 6. Conclusions

With the evolution of the Internet of Things, its security is currently drawing wide attention, and privacy protection in communication is a major concern for people. In this article, we proposed an anonymous authentication and key agreement protocol with the deniability property using elliptic curves. In our proposed scheme, no participant except the trusted gateway node can learn anything about the real identity of a user. We have demonstrated, by the BAN logic-based proof and the random oracle model-based proof, that our proposed scheme possesses more appropriate security features than similar schemes. In addition, we have provided an informal analysis to further confirm that our scheme resists various attacks. By experimental evaluation, we have shown that the proposed scheme is efficient according to the comparison of computational costs against other similar protocols. In view of its advantages in security and performance, our proposed scheme is well suited to IoT systems.

From the analysis, the computational overhead of our proposed scheme is relatively low. In our future work, we aim to achieve a better trade-off between security and efficiency in designing authentication protocols for IoT applications, so as to meet the low-cost computation and communication requirements of resource-constrained sensors.

## Author Contributions

Y.Z. and T.L. conceived and designed the experiments and wrote the paper; F.T. and F.W. designed the experiments; M.T. performed the experiments.

## Acknowledgments

This work was supported in part by the Venture and Innovation Support Program for Chongqing Overseas Returnees under Grant CX2018122, and in part by the National Natural Science Foundation of China under Grant 61702067.

## Conflicts of Interest

The authors declare that there is no conflict of interest regarding the publication of this paper.

## References

1. Sundmaeker, H.; Guillemin, P.; Friess, P. Vision and challenges for realising the Internet of Things. Clust. Eur. Res. Proj. Internet Things Eur. Commis. **2010**, 3, 34–36.
2. Lo, N.W.; Tsai, J.L. An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without pairings. IEEE Trans. Intell. Transp. Syst. **2016**, 17, 1319–1328.
3. He, D.; Kumar, N.; Chen, J. Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimed. Syst. **2015**, 21, 49–60.
4. Li, X.; Niu, J.; Kumari, S.; Liao, J.; Liang, W.; Khan, M.K. A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity. Secur. Commun. Netw. **2016**, 9, 2643–2655.
5. Wu, F.; Xu, L.; Kumari, S. An improved and anonymous two-factor authentication protocol for health-care applications with wireless medical sensor networks. Multimed. Syst. **2017**, 23, 195–205.
6. He, D.; Kumar, N.; Chilamkurti, N. A secure temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. Int. Symp. Wirel. Pervasive Comput. **2013**, 36, 316–323.
7. Castiglione, A.; Santis, A.D.; Castiglione, A.; Palmieri, F. An Efficient and Transparent One-Time Authentication Protocol with Non-interactive Key Scheduling and Update. In Proceedings of the 2014 IEEE 28th International Conference on Advanced Information Networking and Applications, Gwangju, Korea, 25–27 March 2014; pp. 351–358.
8. Gupta, A.; Tripathi, M. A lightweight Mutually Authenticated Key-Agreement scheme for Wireless Body Area Networks in Internet of Things Environment. Radio Freq. Identif. IoT Secur. **2018**, 804–806.
9. Li, X.; Niu, J.; Kumari, S.; Wu, F.; Sangaiah, A.K.; Choo, K.-K.R. A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments. J. Netw. Comput. Appl. **2018**, 103, 194–204.
10. Wong, K.H.M.; Zheng, Y.; Cao, J.; Wang, S. A dynamic user authentication scheme for wireless sensor networks. In Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC’06), Taichung, Taiwan, 5–7 June 2006; Volume 1, p. 8.
11. Das, M.L. Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. **2009**, 17, 1086–1090.
12. Khan, M.K.; Alghathbar, K. Cryptanalysis and Security Improvements of ‘Two-Factor User Authentication in Wireless Sensor Networks’. Sensors **2010**, 10, 2450–2459.
13. Chen, T.-H.; Shih, W.-K. A Robust Mutual Authentication Protocol for Wireless Sensor Networks. ETRI J. **2010**, 32, 704–712.
14. He, D.; Gao, Y.; Chan, S. An Enhanced Two-factor User Authentication Scheme in Wireless Sensor Networks. Ad Hoc Wirel. Netw. **2010**, 10, 361–371.
15. Holbl, M.; Welzer, T.; Brumen, B. Two proposed identity-based three-party authenticated key agreement protocols from pairings. Comput. Secur. **2010**, 29, 244–252.
16. Holbl, M.; Welzer, T.; Brumen, B. An improved two-party identity-based authenticated key agreement protocol using pairings. J. Comput. Syst. Sci. **2012**, 78, 233–271.
17. Jung, J.; Kim, J.; Choi, Y. An Anonymous User Authentication and Key Agreement Scheme Based on a Symmetric Cryptosystem in Wireless Sensor Networks. Sensors **2016**, 16, 1299.
18. Xue, K.; Ma, C.; Hong, P. A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. J. Netw. Comput. Appl. **2013**, 36, 316–323.
19. Jiang, Q.; Ma, J.; Lu, X. An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks. Peer-to-Peer Netw. Appl. **2015**, 8, 1070–1081.
20. Das, A.K. A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Netw. Appl. **2016**, 9, 223–244.
21. Wang, C.; Zhang, Y. New Authentication Scheme for Wireless Body Area Networks Using the Bilinear Pairing. J. Med. Syst. **2015**, 39, 136.
22. Tong, L.; Yuhui, Z.; Ti, Z. Efficient Anonymous Authenticated Key Agreement Scheme for Wireless Body Area Networks. Secur. Commun. Netw. **2017**, 2017.
23. Porambage, P.; Braeken, A.; Schmitt, C. Group Key Establishment for Enabling Secure Multicast Communication in Wireless Sensor Networks Deployed for IoT Applications. IEEE Access **2015**, 3, 1503–1511.
24. Xiong, H.; Qin, Z. Revocable and Scalable Certificateless Remote Authentication Protocol with Anonymity for Wireless Body Area Networks. IEEE Trans. Inf. Forensics Secur. **2015**, 10, 1442–1455.
25. Liu, J.; Zhang, Z.; Chen, X.; Kwak, K.S. Certificateless Remote Anonymous Authentication Schemes for Wireless Body Area Networks. IEEE Trans. Parallel Distrib. Syst. **2014**, 25, 332–342.
26. Abdalla, M.; Fouque, P.-A.; Pointcheval, D. Password-Based Authenticated Key Exchange in the Three-Party Setting; Springer: Berlin/Heidelberg, Germany, 2015; pp. 65–84.
27. Burrows, M.; Abadi, M.; Needham, R.M. A logic of authentication. R. Soc. **1989**, 426, 233–271.

Table 1. Notations.

| Symbol | Definition |
|---|---|
| $E_p(a,b)$ | An elliptic curve over the prime finite field $Z_p$ defined by the equation $y^2 = x^3 + ax + b \bmod p$ |
| G | An elliptic curve group of order q, where G consists of all points on E together with the point at infinity O |
| P | A generator of the group G |
| $p, q$ | Two large prime numbers |
| U | User |
| S | Sensor node |
| $GWN$ | Gateway node |
| $ID_U$ | Identity of the user U |
| $ID_S$ | Identity of the sensor node S |
| $h, H_1, H_2$ | Three collision-resistant one-way hash functions, where $h: \{0,1\}^* \to Z_q^*$, $H_1: \{0,1\}^* \to Z_q^*$ and $H_2: \{0,1\}^* \to Z_q^*$ |
| $P = (P^{(x)}, P^{(y)})$ | An elliptic curve point on the non-singular elliptic curve $E_p(a,b)$; $P^{(x)}$ and $P^{(y)}$ are the x and y coordinates of P respectively |
| $d_{GWN}, Q_{GWN}$ | The private key and the corresponding public key of $GWN$ respectively |
| $d_U, Q_U$ | The private key and the corresponding public key of U respectively |
| $d_S, Q_S$ | The private key and the corresponding public key of S respectively |
| r | A random number selected by the involved entity |
| $t_U, t_{GWN}, t_S$ | The timestamps of $U, GWN, S$ respectively |
| $\Delta t$ | Maximum transmission delay |
| ⊕ | The XOR operation |
| ‖ | The concatenation operation |

Table 2. Approximate running time of the cryptographic operations.

| Operation | Description | Computation Time (ms) |
|---|---|---|
| $T_h$ | a hash function | $3 \times 10^{-3}$ |
| $T_{bp}$ | a bilinear pairing | $2.14 \times 10^{-1}$ |
| $T_{pmul}$ | an ECC-based point multiplication | $1.6 \times 10^{-2}$ |
| $T_{padd}$ | an ECC-based point addition | $6.07 \times 10^{-1}$ |

Table 3. Computational cost comparison in the authentication phase.

| Protocol | Computational Cost | Running Time (ms) |
|---|---|---|
| Ours | $18T_h + 17T_{pmul} + 4T_{padd}$ | ≈3.791 |
| [15] | $9T_h + 15T_{pmul} + 3T_{padd} + 9T_{bp}$ | ≈8.705 |
| [16] | $9T_h + 8T_{pmul} + 2T_{padd} + 6T_{bp}$ | ≈5.927 |
| [21] | $10T_h + 5T_{pmul} + 2T_{bp}$ | ≈2.779 |
| [23] | $14T_h + 8T_{pmul} + 3T_{padd}$ | ≈2.079 |
| [24] | $15T_h + 7T_{pmul} + 9T_{bp}$ | ≈7.041 |
| [25] | $5T_h + 7T_{pmul} + 6T_{bp}$ | ≈5.215 |

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).