ESCI-AKA: Enabling Secure Communication in an IoT-Enabled Smart Home Environment Using Authenticated Key Agreement Framework

Abstract

Smart home environments are a vital component of the larger ecosystem within smart cities, aiming to revolutionize residential living through the integration of Internet of Things (IoT) devices and advanced technologies. However, ensuring robust security and preserving privacy in these interconnected ecosystems present significant challenges. During the monitoring and controlling tasks in the smart home environment, diverse commands are exchanged between the IoT device and the user over the public Internet. The public Internet is open and vulnerable to various security attacks, which can corrode the monitoring and controlling operation of the smart home. In addition, conventional security algorithms are inappropriate for IoT devices deployed in the smart home. However, various pernicious security attacks are equally efficacious in the resource-limited smart home environment. Thus, various authenticated encryption schemes are proposed to enable security services in resource-constricted smart home environments. This paper presents a lightweight and efficient authentication framework for a smart home environment by leveraging the features of an authenticated encryption scheme and the hash function called “ESCI-AKA”. ESCI-AKA checks the authenticity of the user at the local device and exchanges three messages among the user, gateway, and smart embedded device for establishing a secure channel for indecipherable communication by setting a session key. In addition, we corroborate the security of the established session key through the random oracle model and informal security analysis. Moreover, the Scyther tool is employed for the security validation of ESCI-AKA. Finally, the performance comparison of ESCI-AKA and other eminent security frameworks explicates that ESCI-AKA requires low computational and communication costs while providing robust security features.

1. Introduction

The Internet of Things (IoT) has emerged as a crucial enabler in the advancement of smart cities. These cities strive to leverage technological innovations to improve urban living standards, promote sustainability, and enhance overall efficiency. IoT devices and sensors deployed throughout a city enable the collection, analysis, and utilization of vast amounts of data to improve various aspects of urban life [1,2]. In a smart home, IoT devices such as thermostats, lighting systems, security cameras, door locks, appliances, and entertainment systems are interconnected and can be controlled remotely through a central hub or a mobile application. These devices can communicate with each other, share data, and respond to user commands or environmental conditions, creating an interconnected and intelligent living environment [3].

The implementation of smart home technologies necessitates significant attention to security and privacy concerns, while smart homes endeavor to improve urban living through the employment of state-of-the-art technologies, they also introduce potential risks related to data security and privacy breaches [4]. Smart homes yield extensive amounts of data via sensors, cameras, and other connected IoT devices. To safeguard against unauthorized access, data breaches, and the misuse of sensitive information, it is essential to employ robust data security measures. This includes implementing strong encryption, authentication mechanisms, and access controls.

In Figure 1, we can observe a smart home setup, enabling remote communication between the user and resource-constrained IoT devices present within the premises. The user has the capability to send diverse command and control instructions to accomplish various tasks within the smart home environment. However, it is essential to address potential security risks. The command and control information transmitted through a public communication channel is exposed to potential security vulnerabilities. Consequently, it becomes crucial to implement authenticated key agreement (AKA) mechanisms to safeguard the confidentiality of information [5]. By employing such mechanisms, the communicated command and control information can be protected, ensuring that only authorized individuals or entities can access sensitive data.

Several AKA frameworks have been proposed to establish secure and encrypted communication within the smart home environment. Despite the presence of various existing AKA frameworks, several significant security concerns remain unresolved. These include the prevention of impersonation, mitigation of denial of service (DoS) attacks, protection against man-in-the-middle (MITM) attacks, and the need to ensure resource efficiency. Recently, various authenticated encryption (AE) schemes have been developed to enable security services in the resource-limited IIoT/IoT environment [6,7,8]. AEAD schemes are more lightweight regarding computational resources than symmetric and asymmetric encryption schemes [9]. Thus, a cost-effective AKA framework requiring low computational and communication delays can be realized using an AEAD encryption scheme. Therefore, this paper proposes tackling the aforementioned security challenges, and we have introduced a resource-efficient AKA framework for the smart home called “ESCI-AKA”.

1.1. Research Contribution

• ESCI-AKA is designed with the integration of resource-efficient cryptographic primitives, such as the ASCON encryption scheme and a “hash function”. Its primary goal is to enable the establishment of a secure channel (session key) between users and devices within the smart home environment, utilizing the gateway node. By setting up this secure channel, ESCI-AKA allows users and devices to securely communicate sensitive information in an encrypted format, thereby ensuring protection against unauthorized access. Moreover, ESCI-AKA introduces an innovative mechanism for the login and password change processes, which rely on a single encryption operation. This simplifies the authentication procedures involved, streamlining the overall user experience and enhancing system efficiency.
• The security of ESCI-AKA is validated using the widely recognized formal mechanism known as ROM. This ensures the credibility of the security claims associated with ESCI-AKA. In addition to its security features, ESCI-AKA prioritizes user anonymity, safeguarding the privacy of users within the smart home environment. To further ensure the security of ESCI-AKA, Scyther, a security verification tool, is employed. Scyther aids in validating and confirming that ESCI-AKA is indeed secure and meets the intended security objectives.
• The efficiency of ESCI-AKA is evaluated based on its computational and communication costs. A comparison is made between ESCI-AKA and several relevant user authentication frameworks, including references [10,11,12,13,14,15,16]. ESCI-AKA demonstrates superior efficiency, achieving (65.71%, 66.18%, 84.87%, 66.18%, 79.65%, 61.01%, 86.27%) lower computational costs compared to references [10,11,12,13,14,15,16], respectively. Furthermore, ESCI-AKA outperforms these reference frameworks in terms of communication costs, achieving (44.71%, 57.66%, 40.51%, 57.66%, 54.29%, 47.78%, 65.94%) lower communication costs, respectively. In addition to its improved efficiency, ESCI-AKA also provides enhanced security features compared to the relevant security frameworks.

1.2. Paper Organization

The paper’s remaining structure is outlined as follows: In Section 2, we provide an overview of the related AKA frameworks. Section 3 offers a comprehensive explanation of the authentication and system models employed in the study. The design procedure of the proposed ESCI-AKA is presented in Section 4, emphasizing the key aspects of its development. Section 5 conducts both formal and informal analyses of ESCI-AKA to evaluate its security capabilities. The performance of ESCI-AKA is demonstrated in Section 6, showcasing its efficiency and effectiveness in real-world scenarios. Finally, in Section 7, the paper concludes with a summary and key findings.

2. Related Work

In the smart home environment, the devices deployed face resource limitations, including restricted computational power, communication capabilities, and storage capacity. Despite these constraints, it is paramount to guarantee the security of information exchange among IIoT devices over the public Internet. Several authors, as referenced in [17,18,19], have conducted surveys on information protection necessities in both IoT and smart home environments, shedding light on the diverse problems that require handling. In the context of a 6LoWPAN-based IoT environment, the study in  [20] offers a user authentication technique. This technique operates an AEAD scheme and a hash function, and undergoes security confirmation operating the random oracle model (ROM) and Scyther. Another article [21] demonstrates an authentication technique, which also undergoes security verification via ROM and Scyther. However, the security technique presented in [22] is discovered to be weak against identity guessing, impersonation, and “man-in-the-middle” (MITM) attacks. To handle these problems, an authentication technique operating ECC and a hash function is suggested in [23]. The security of this technique is corroborated by operating the ROM and BAN logic.

The authentication technique suggested in [24] operates a hash function but is encountered to be powerless to “privilege insider, password guessing, and temporary secret number leakage attack”, as evidenced in [25]. Moreover, user anonymity remains unprotected within the security technique presented in [24]. In contrast, the authors of [11] designed a user authentication technique utilizing ECC and a hash function. However, this technique is incapable of withstanding “password guessing, impersonation, MITM, stolen smart card, and device capture” attacks. Likewise, it does not guarantee user anonymity. Similarly, the authentication technique suggested in [26] for the IoT environment, which operates symmetric encryption and a hash function, fails to prevent device capture and desynchronization attacks. Additionally, the user authentication framework presented in [26] does not guarantee user anonymity. Another three-factor authentication scheme using ECC and a hash function is proposed in [10], but it is found to be weak against device capture and impersonation attacks. Additionally, user anonymity is not ensured by the user authentication technique in [10]. For an IoT-enabled healthcare system, an authentication technique based on a hash function is suggested in [27], while resource-efficient, this technique is susceptible to diverse attacks, and it does not cover user anonymity. An AEAD and hash-function-based authentication technique is suggested in [28]. The security of this technique is corroborated by operating ROM and Scyther-based formal security analysis. Lastly, an authentication technique for a 6LoWPAN-enabled IoT environment is demonstrated in [29], which mandates fewer computational and communication resources for the authentication phase.

The authors of [30] developed a user authentication technique that lacks mutual authentication capability. In [31], an authentication technique is suggested particularly for the smart home environment. This technique utilizes XOR, concatenation, and hash function operations. For real-time data retrieval from IIoT devices, a cloud-assisted authentication technique is suggested in [32]. This technique employs the chaotic map and hash function. The security of the technique suggested in [33] is validated via ROM. This work demonstrates a strong and efficient authentication technique established on AEAD and hash function, and its security is substantiated by employing ROM and Scyther. In the context of smart grids, an authentication technique is familiarized in [34]. This technique depends on the hash function “Esch256”, authenticated encryption, and XOR operations. Further, the security of this technique is corroborated by operating the ROM and Scyther. An exhaustive examination of diverse user authentication techniques is demonstrated in

Table 1. Overview of Existing User AKA Frameworks.

Reference	Environment	Cryptographic Primitive	Validation + Implementation	Attack Model	Strength/Weakness	Analyzed by	NP	ME
[37]	WSN	HF + XOR	ROM	DY + CK	Vulnerable to privilege insider, device capture, and impersonation attacks.	[38]	3	3
[39]	IoT	HF + XOR	ProVerify + NS2	DY + CK	Vulnerable to password guessing, DoS, replay, and impersonation attacks.	[38]	3	3
[40]	IoD	HF + ECC + XOR	ROM	DY + CK	Vulnerable to drone impersonation attacks.	[41]	3	3
[42]	IoT	HF + XOR	BAN logic	DY + CK	The devised authentication scheme is vulnerable to replay and DoS attacks.	[43]	3	3
[29]	IoT	HF + AEAD + XOR	BAN logic	DY + CK	The devised authentication scheme is secure and resource-efficient.	–	2	2
[28]	IIoT	HF + ECC + AEAD + XOR	ROM + Scyther	DY + CK	The devised authentication framework is lightweight and reliable.	–	3	3
[21]	IIoT	HF + ECC + AEAD + XOR	ROM + Scyther	DY + CK	The propounded user authentication framework is resilient against various security attacks.	–	3	3
[23]	IIoT	HF + ECC + XOR	ROM + BAN logic	DY + CK	Secure against various security threats.	–	3	3
[11]	WSN	HF + ECC + XOR	BAN logic + AVISPA	DY + CK	Incapacitated against off-line guessing, impersonation, and MITM attacks.	[44]	3	4
[27]	IoT	HF + XOR	AVISPA	DY + CK	Cannot prevent password guessing and impersonation attacks.	[45]	3	4
[14]	IIoT	HF + ECC + XOR	BAN logic + AVISPA	DY + CK	Weak against impersonation, replay, device capture attacks.	[46]	3	3
[47]	WSN	HF + ECC + XOR	ROM + Scyther	DY + CK	Cannot resist privilege insider attacks.		3	4
[48]	FC	HF + ECC + XOR	ROM + AVISPA	DY + CK	Cannot prevent DoS, privilege insider, stolen smart card attacks.	[47]	3	3
[16]	IIoT	HF + ECC + XOR	BAN logic	DY + CK	Weak against privileged insider and temporary secret leakage attacks.	–	3	3
[49]	IIoT	HF + ECC + XOR	–	DY	Weak against identity guessing and stolen smart card attacks.	–	3	3
[15]	IoT	HF + ECC + XOR	ROM	DY + CK	Weak against forgery, session key disclosure, and temporary parameters leakage attacks.	[50]	3	4
[51]	SG	HF + PUF + XOR	BAN logic	DY + CK	Cannot resist impersonation and desynchronization attacks	[52]	2	3
ESCI-AKA	IIoT	HF + ECC + AEAD + XOR	ROM + Scyther	DY + CK	Secure against various security attacks.	–	3	3

Note: HF: hash function; NP: number of participants; ME: message exchange; DY: Dolev–Yao; PUF: physical unclonable function; CK: Canetti–Krawczyk; AVISPA: automated validation of Internet security protocols and applications; FC: fog computing; WSN: wireless sensor network; BAN: Burrows–Abadi–Needham; SG: smart grid.

[35,36].

3. System Models

This subsection focuses on the explication of the authentication and attack models, which play a crucial role in the design of the proposed scheme. These models are employed to ensure robust security measures within the system.

3.1. Authentication Model

The authentication model employed for the proposed ESCI-AKA consists of the following components, as illustrated in Figure 2:

• Gateway: The trusted authority (TA) assumes the responsibility of deploying gateway nodes ($G{W}_k$) within the smart home environment. These gateway nodes provide internet connectivity to the IIoT-enabled devices deployed in the environment. Additionally, $G{W}_k$ stores the sensitive parameters associated with the remote user and smart embedded devices. It possesses the capability to establish connections between IIoT-enabled devices and the Internet, using cellular or other Internet connectivity options. Furthermore, all IIoT-enabled devices deployed in the environment are connected to $G{W}_k$ through communication protocols such as WiFi, 6LoWPAN, or Zigbee.
• Smart Embedded Device: Smart embedded devices (SEDs) refer to resource-limited devices deployed within the smart home environment. Each SED, denoted as $SE{D}_j$, is equipped with communication, storage, and computational resources. These devices can establish communication with $G{W}_k$ using communication protocols like WiFi, 6LoWPAN, or Zigbee. Additionally, SEDs are equipped with sensing modules, allowing them to collect sensitive information from their surrounding environment. This collected data can be transmitted to a central location for further analysis.
• Remote User: The user possesses smart devices ($S{D}_i$) equipped with biometric sensors. Communication between $U_i$ and $U_i$ occurs through the gateway node ($G{W}_k$). Furthermore, $U_i$ can communicate with $G{W}_k$ utilizing cellular or internet technology. In order to access real-time information from the deployed $SE{D}_j$ in the smart home environment, it is crucial to ensure that only authorized $U_i$ can obtain such information. To aid in comprehending the proposed scheme,

  Table 2. Notations Utilized in ESCI-AKA.

  Notation	Description
  $U_i$	The remote user
  $S{D}_{U_i}$	IoT-enabled smart device
  $GI{D}_k$	The identity of the gateway
  $I{D}_{U_i}$, $P{W}_{U_i}$	The identity and password of $U_i$, respectively
  $PI{D}^c$	Current pseudo-identities
  $PI{D}^o$	Old pseudo-identities
  $Ti{S}_1$, $Ti{S}_2$, $Ti{S}_3$	Timestamps utilized in ESCI-AKA’s authentication phase
  $AD{L}_{}$, $TR$	Allowed time delay limit and received time of a message
  $A{D}_x$	Associative data, where $x=1,2,3,\dots ,n$
  $E_k\left(P\right)$, $D_k\left(C\right)$	Secret-key-based encryption of string “P” and decryption “C” using ASCON
  $RN{U}_y$	Random numbers utilized while accomplishing the AKA phase
  $P_z$	Plaintext $z=1,2,3,4,5,6,7$
  $C_a$	Ciphertext $a=1,2,3,\dots ,7$
  $Bi{o}_{U_i}$, $\sigma$, $FE$.$Gen(·)$, $hd$, $FE.Rep(·)$	User biometric information and key, respectively
  $FE.Gen(·)$, $hd$, $FE.Rep(·)$	User key generation algorithm, reproduction parameter, and key reproduction algorithm, respectively
  ⊕, $\left|\right|$, $H(·)$	XOR, concatenation, and hash function, respectively

  provides an elucidation of the various symbols employed.

3.2. Attack Model

In order to evaluate the security of the ESCI-AKA framework, we utilize the widely acknowledged Dolev–Yao (DY) model [53,54]. The DY model effectively simulates the smart home environment. In the simulation, we consider that all parties in the smart home environment establish their trust in a trusted authority (TA) and communicate information securely via a dedicated communication channel with the TA. The TA handles the system initialization, user registration, and  cancellation. Apart from exchanges with the TA, all parties intercommunicate with other parties via public channels. In the DY model, an attacker has the capability to both eavesdrop and modify messages if they are communicated over open channels. Given the complex nature of the smart home environment, an attacker may also resort to physically seizing devices to obtain private parameters and information.

Furthermore, there is a potential risk that the user’s $S{D}_i$ may be stolen or lost, which can result in the adversary attaining access to the user’s confidential information via the compromised device. This emphasizes the importance of addressing security concerns related to users’ $S{D}_i$s. In addition, we consider the CK adversary attack model, which builds upon the DY model and enhances the capabilities of the adversary. This model grants the adversary the ability to obtain secret public parameters during the authentication session, thereby enabling them to acquire a short-lived partial key. This further amplifies the adversary’s capabilities and underscores the need for robust security measures.

4. The Proposed ESCI-AKA Framework

The ESCI-AKA system includes several phases: smart embedded registration, remote user registration, AKA, and password and biometric change. Each of these phases will be discussed in detail in the subsequent subsections.

4.1. Gateway Registration Phase

The TA is responsible for registration and deployment in the smart home environment. For deploying $G{W}_k$, TA selects a distinct identity, $GI{D}_k$, and generates a long-term gateway key, $LGK$, and stores the parameters {$LGK$, $GI{D}_k$} in the database of the $G{W}_k$.

4.2. Smart Embedded Device Registration Phase

The TA is responsible for deploying $SE{D}_j$ in the smart home environment after its registration. The following steps are imperative for the registration of $SE{D}_j$.

Step SEDRP-1

The TA selects a unique identity for $SI{D}_{SE{D}_j}$ and computes $DSK=H(SI{D}_{SE{D}_j}\Vert LGK)$. Finally, TA stores the parameters {$SI{D}_{SE{D}_j}$, $DSK$} in the memory of $SE{D}_j$ and stores the parameter $SI{D}_{SE{D}_j}$ in the database of $G{W}_k$.

4.3. Remote User Registration Phase

TA executes the following steps to register $U_i$ using a secure channel.

4.3.1. Step RMURP-1

$U_i$ selects its own secret parameter, such as distinct identity, $I{D}_{U_i}$, and password, $P{W}_{U_i}$. In addition, $U_i$ wakes its own biometric information ($Bi{o}_{U_i}$) on the biometric sensor deployed on the IoT-enabled smart device ($S{D}_{U_i}$), and $S{D}_{U_i}$ uses $FE.Gen(·)$ to generate the biometric key by computing $({\sigma }_1,hd)=FE.Gen\left(Bi{o}_{U_i}\right)$ after taking $Bi{o}_{U_i}$ as the input. In addition, $S{D}_{U_i}$ picks a random number, $RN{U}_1$, and, by using hashing algorithm, computes $K_1=H(I{D}_{U_i}\Vert P{W}_{U_i}\Vert {\sigma }_1)$ and, by using the ASCON encryption algorithm, computes $((C_1,C_2,C_3),MA{C}_1)$ = $E_{K_1}\{A{D}_1,P_1,P_2,P_3\}$, where $C_1$, $C_2$, and $C_3$ are the ciphertext, $P_1=I{D}_{U_i}$, $P_2=P{W}_{U_i}$, and $P_3={\sigma }_1$ are the plaintext, and $A{D}_1=RN{U}_1$ is the associative data. Moreover, $S{D}_{U_i}$ computes $CI{D}_i=C_1\oplus C_2$ and constructs the message with parameters {$CI{D}_i$, $C_3$} and sends it to TA via secure channel.

4.3.2. Step RMURP-2

TA, after obtaining {$CI{D}_i$, $C_3$}, picks $RN{U}_2$ and computes $PI{D}_i=(CI{D}_i\oplus RN{U}_2)$. In addition, TA selects the list of registered $SI{D}_{SE{D}_j}$ for $U_i$, from where $U_i$ can access real-time information. TA stores the parameters {$PI{D}_i$, $C_3$} in the database of $G{W}_k$. Finally, TA sends the parameters {$RN{U}_2$, $SI{D}_{SE{D}_j}$, $PI{D}_i$, $GI{D}_k$} to $U_i$/$S{D}_{U_i}$ through a secure channel.

4.3.3. Step RMURP-3

$U_i$/$S{D}_{U_i}$, after sending the parameters {$RN{U}_2$, $SI{D}_{SE{D}_j}$, $PI{D}_i$, $GI{D}_k$} to $U_i$/$S{D}_{U_i}$ from TA, computes the following:

$$\begin{array}{c}{Q}_1=(SI{D}_{SE{D}_j}\Vert C_3)\oplus H(C_2^{*}\oplus C_3^{*}\oplus C_1^{*}),\end{array}$$

(1)

$$\begin{array}{c}GI{D}_k^{*}=GI{D}_k\oplus H(C_2^{*}\oplus C_3^{*}),\end{array}$$

(2)

$$\begin{array}{c}RN{U}_2^{*}=H(C_2^{*}\oplus C_3^{*}\oplus C_1^{*})\oplus RN{U}_2^{}.\end{array}$$

(3)

Finally, $U_i$/$S{D}_{U_i}$ stores the parameters {$RN{U}_2^{*}$, $GI{D}_k^{*}$, $A{D}_1$, $Q_1$, $MA{C}_1$, $hd$, $FE.Gen(·)$, $FE.Rep(·)$} in its own memory.

Remark 1.

In the proposed ESCI-AKA, we utilize ASCON [6] as the encryption/decryption algorithm. ASCON is an AEAD scheme that ensures the simultaneous provision of integrity, authenticity, and confidentiality of information. The encryption operation of ASCON can be represented as $((C,\mathit{MAC})=E_K\{AD,P\})$, where C, MAC, $AD$, P, and K represent the ciphertext, authentication code (Tag), associated data, plaintext, and encryption key, respectively.

Similarly, the decryption operation can be expressed as $((P,\mathit{MAC}\mathit{1})=E_K\{AD,C\})$. In this case, the generated MAC1 during the decryption operation will be valid if it matches the original MAC value. If the condition, $MAC=\mathit{MAC}\mathit{1}$, holds, the plaintext will be considered valid. Otherwise, if the condition is not satisfied, the plaintext will be deemed invalid.

Definition 1.

An AEAD scheme is reflected as protected if ${\mathcal{A}}^{\prime }$s ultimate OCCA3 advantage is insignificant. The OCCA3 advantage of $\mathcal{A}$ on an AEAD is the cumulative advantage of $\mathcal{A}$ for performing a chosen plaintext attack and compromising the integrity of an AEAD scheme [55,56].

$$\begin{array}{c}\hfill Ad{v}_{AEAD,\mathcal{A}}^{OCCA3}\left(polt\right)\le Ad{v}_{AEAD}^{OPRP-CPA}(Qr,len,polt)\\ \hfill +Ad{v}_{AEAD}^{INT-CTXT}(Qr,len,polt),\end{array}$$

(4)

Here, $Adv$, $Qr$, $len$, $polt$, $OPRP-CPA$, and $INT-CTXT$ denote the advantage, number of queries performed by $\mathcal{A}$, length, polynomial time, online permutations, and ciphertext integrity, respectively.

Remark 2.

In the proposed ESCI-AKA, the fuzzy extractor (FE) technique is utilized to derive a reliable biometric key from the user’s biometric information. The FE consists of two main functions: $FE.Gen(·)$ and $FE.Rep(·)$. The $FE.Gen(·)$ function takes the biometric information of the user as input and generates both the biometric key and the corresponding helper data. On the other hand, the $FE.Rep(·)$ function takes the helper data and the biometric information as input and reconstructs the biometric key. To reconstruct the biometric key, a condition is imposed: $HD(Bi{o}_{U_i},Bi{o}_{U_i}^{*})\le et$. Here, $HD$ denotes the Hamming distance, and $et$ represents the allowable difference between $Bi{o}_{U_i}$ and $Bi{o}_{U_i}^{*}$ (the login biometric template and the current biometric sample, respectively). If the Hamming distance between these two values falls within the specified threshold, $et$, the biometric key can be successfully reconstructed.

4.4. AKA Phase

During this stage, $U_i$/$S{D}_{U_i}$ and $SE{D}_j$ work together to establish a secure channel, also known as a session key, for secure information exchange. The secure channel is established through mutual authentication and session key exchange. The subsequent algorithms are performed by using $U_i$/$S{D}_{U_i}$ and $SE{D}_j$ to initiate the setup of the session key or secure channel.

4.4.1. Local Authentication and Generation of $M{G}_1$

Algorithm 1 accomplishes the task of local authentication and generates the authentication message, $M{G}_1$. The algorithm starts by taking the input parameters as $I{D}_{U_i}$, $P{W}_{U_i}$, $Bi{o}_{U_i}^{*}$, $MA{C}_1$, and $hd$. It then generates the biometric key (${\sigma }_1^{}$) using the reproduction function of FE. This reproduction function takes the biometric information of the user and helper data as input and produces the biometric key. Furthermore, the algorithm derives the encryption key and utilizes the ASCON encryption algorithm for encryption. In this encryption process, $P_1^{*}=ID{U}_i$, $P_2^{*}=PW{U}_i$, and $P_3^{*}={\sigma }_1^{*}$ serve as the plaintext, while $C_1^{*}$, $C_2^{*}$, and $C_3^{*}$ represent the associated ciphertext. The integrity of the secret credentials and the local authentication of the user is verified by checking if $MA{C}_1^{*}\stackrel{?}{=}MA{C}_1$. Upon successful local authentication, the algorithm retrieves the values $SI{D}_{SE{D}_j}$, $GI{D}_k$, and $C_3$ for further processing.

In addition, the algorithm proceeds to derive a temporary pseudo-identity and compute associative data. ASCON encryption is employed to encrypt certain parameters, such as $SI{D}_{SE{D}_j}$ and $RN{U}_3$. It is worth noting that the nonce used in the ASCON encryption and decryption algorithm is computed by XORing associative data and a secret encryption key. Finally, $S{D}_{U_i}$ constructs the message, $M{G}_1$, which includes $Ti{S}_1$ (timestamp), $PI{D}_i$ (pseudo-identity), $C_4^{}$, $C_5^{}$, and $MA{C}_2^{}$. This message is then transmitted to $G{W}_k$ using an open channel of communication.

4.4.2. Validates $M{G}_1$ and Generates $M{G}_2$

Algorithm 2 facilitates the validation of the received message, $M{G}_1$, by $G{W}_k$ and generates $M{G}_2$. Upon receiving the message, $M{G}_1$, $G{W}_k$ performs several checks to ensure its validity. Firstly, it examines whether the message $M{G}_1$ is a replay by comparing the condition $T_{ADL}\ge |Ti{S}_1-RTM|$. If the message is determined to be a replay, $G{W}_k$ discards $M{G}_1$. Otherwise, $G{W}_k$ proceeds with further checks.

Algorithm 1 Performs Local Authentication and Generates $M{G}_1$

Input: {$I{D}_{U_i}$, $P{W}_{U_i}$, $Bi{o}_{U_i}^{*}$, $MA{C}_1$, $hd$} Output: {$Ti{S}_1,PI{D}_i,C_4^{},C_5^{},MA{C}_2^{}$}   1: procedure ALGO-1({$I{D}_{U_i}$, $P{W}_{U_i}$, $Bi{o}_{U_i}^{*}$, $hd$, $MA{C}_1$})   2:     ${\sigma }_1^{*}\leftarrow FE.Rep(Bi{o}_{U_i}^{*},hd)$   3:     $K_1^{*}\leftarrow H(I{D}_{U_i}\Vert P{W}_{U_i}\Vert {\sigma }_1^{*})$   4:     $((C_1^{*},C_2^{*},C_3^{*}),MA{C}_1^{*})\leftarrow E_{K_1^{*}}\{A{D}_1,P_1^{*},P_2^{*},P_3^{*}\}$   5:     $A{D}_1\leftarrow RN{U}_1$   6:     if $MA{C}_1^{*}\stackrel{?}{=}MA{C}_1$ then   7:         $(SI{D}_{SE{D}_j}\Vert C_3)\leftarrow (Q_1\oplus H(C_2^{*}\oplus C_3^{*}))$   8:         $GI{D}_k\leftarrow GI{D}_k^{*}\oplus H(C_2^{*}\oplus C_3^{*}\oplus C_1^{*})$   9:         $RN{U}_2^{}\leftarrow H(C_2^{*}\oplus C_3^{*}\oplus C_1^{*})\oplus RN{U}_2^{*}$ 10:         selects $RN{U}_3$ and $Ti{S}_1$ 11:         $PI{D}_i\leftarrow (C_1^{*}\oplus C_2^{*}\oplus RN{U}_2)$ 12:         $A{D}_2\leftarrow (PI{D}_i\oplus Ti{S}_1\oplus GI{D}_k)$ 13:         $N_1\leftarrow (PI{D}_i\oplus Ti{S}_1\oplus GI{D}_k)\oplus C_3^{}$ 14:         $((C_4^{},C_5^{}),MA{C}_2^{})\leftarrow E_{(C_3^{}\Vert N_1)}\{A{D}_2,SI{D}_{SE{D}_j},RN{U}_3\}$ 15:     else 16:         terminates execution 17:     end if 18: end procedure

$G{W}_k$ verifies if the condition $PI{D}_i\stackrel{?}{=}PI{D}_i^c$ is satisfied. If it holds true, $G{W}_k$ retrieves $C_3$ and $RN{U}_4$ from its own database. On the other hand, if the condition $PI{D}_i\stackrel{?}{=}PI{D}^{o}i$ is met, $G{W}_k$ retrieves $C_3$ and $RN{U}_2$ from its database. Here, $PI{D}_i$ refers to the received pseudo-identity with the message $MG1$, $PI{D}_i^c$ represents the current pseudo-identity, and $PI{D}_i^o$ corresponds to the old pseudo-identity. If no match is found in either case, $G{W}_k$ terminates the AKA process.

Upon obtaining $C_3$ and $RN{U}_2$, $G{W}_k$ calculates the associative data, $A{D}_3$, and nonce, $N_2$. Furthermore, after performing the decryption using $C_3$ as the secret key, $G{W}_k$ obtains $((SI{D}_{SE{D}_j},RN{U}_3),MA{C}_3^{})$. The decryption operation is carried out utilizing the ASCON decryption algorithm. Moreover, $G{W}_k$ verifies the integrity of the received message by checking if ($MA{C}_2^{}\stackrel{?}{=}MA{C}_3^{}$). Finally, $G{W}_k$ retrieves the values, $SIDSE{D}_j$ and $RN{U}_3$, for further processing.

$G{W}_k$ performs the computation of plaintexts $P_4$, $P_5$, and $P_6$, along with the generation of associative data, $A{D}_4$. By utilizing the ASCON encryption algorithm and the encryption key, $K_2$, the encryption process encrypts $P_4$, $P_5$, and $P_6$, resulting in the generation of $((C_6^{},C_7^{},C_8^{}),MA{C}_4^{})$. Finally, $G{W}_k$ constructs the message, $M{G}_2$: {$Ti{S}_2,C_6^{},C_7^{},C_8^{},MA{C}_4$}, and sends $M{G}_2$ to $SE{D}_j$ using the open communication channel.

Remark 3.

To avoid identity desynchronization, $G{W}_k$ computes a new pseudo-identity, $PI{D}_i^n=(PI{D}_i\oplus RN{U}_2\oplus RN{U}_4)$, and updates $PI{D}_i^c$ with $PI{D}_i^n$. In addition, $G{W}_k$ also keeps $C_3$ and updates $RN{U}_2$ with $RN{U}_4$. Furthermore, $G{W}_k$ also updates $PI{D}_i^o$ with $PI{D}_i^c$ and keeps $C_3$ and $RN{U}_2$ in its own database.

Algorithm 2 Validates $M{G}_1$ and Generates $M{G}_2$

Input: {$Ti{S}_1,PI{D}_i,C_4^{},C_5^{},MA{C}_2^{}$} Output: {$Ti{S}_2,C_6^{},C_7^{},C_8^{},MA{C}_4$}   1: procedure ALGO-2({$Ti{S}_1,PI{D}_i,C_4^{},C_5^{},MA{C}_2^{}$, $LGK$, $SI{D}_{SE{D}_j}$})   2:     if $T_{ADL}\ge |Ti{S}_1-RTM|$ then   3:         if ($PI{D}_i\stackrel{?}{=}PI{D}_i^c$) then   4:            retrieves $C_3$ and $RN{U}_4$   5:            if ($PI{D}_i\stackrel{?}{=}PI{D}_i^o$) then   6:                retrieves $C_3$ and $RN{U}_2$   7:                $A{D}_3\leftarrow (PI{D}_i\oplus Ti{S}_1\oplus GI{D}_k)$   8:                $N_2\leftarrow (PI{D}_i\oplus Ti{S}_1\oplus GI{D}_k)\oplus C_3^{}$   9:                $((SI{D}_{SE{D}_j},RN{U}_3),MA{C}_3^{})\leftarrow D_{(C_3^{}\Vert N_2)}\{A{D}_3,C_4^{},C_5^{}\}$ 10:                if ($MA{C}_2^{}\stackrel{?}{=}MA{C}_3^{}$) then 11:                    generates $Ti{S}_2$, $RN{U}_4$ and $RN{U}_5$ 12:                    $P_4^{}\leftarrow C_3\oplus RN{U}_3$ 13:                    $P_5^{}\leftarrow RN{U}_4$ 14:                    $P_6^{}\leftarrow RN{U}_5$ 15:                    $K_2^{}\leftarrow H(LGK\Vert SI{D}_{SE{D}_j})$ 16:                    $A{D}_4\leftarrow (SI{D}_{SE{D}_j}\oplus Ti{S}_2)$ 17:                    $((C_6^{},C_7^{},C_8^{}),MA{C}_4^{})\leftarrow E_{K_2^{}}\{A{D}_4,P_4^{},P_5^{},P_6^{}\}$ 18:                    $PI{D}_i^n\leftarrow (PI{D}_i\oplus RN{U}_2\oplus RN{U}_4)$ 19:                    updates $PI{D}_i^c$ with $PI{D}_i^n$ 20:                    keeps $C_3$ and updates $RN{U}_2$ with $RN{U}_4$ 21:                    updates $PI{D}_i^o$ with $PI{D}_i^c$ 22:                    keeps $C_3$ and $RN{U}_2$ 23:                else 24:                    terminates execution 25:                end if 26:            else 27:                terminates execution 28:            end if 29:         else 30:            terminates execution 31:         end if 32:     else 33:         terminates execution 34:     end if 35: end procedure

4.4.3. Validates $M{G}_2$ and Generates $M{G}_3$

Algorithm 3 is designed to enable the validation of the received message, $M{G}_2$, by $SE{D}_j$ and subsequently generate $M{G}_3$. The freshness of the message is validated by $SE{D}_j$ using the condition $T_{ADL}\ge |Ti{S}_2-RTM|$. If the received message is determined to not be fresh, $SE{D}_j$ terminates the authentication process. Conversely, if the message is fresh, $SE{D}_j$ proceeds to compute the associative data, $A{D}_5$, and the decryption key, $K_3^{}$. The ASCON decryption algorithm utilizes $K_3^{}$ to decrypt the ciphertext and generate the plaintext along with the authentication parameter, i.e., $((P_4^{},P_5^{},P_6^{}),MA{C}_5^{})$. The integrity of these returned parameters is verified by comparing $MA{C}_4^{}$ with $MA{C}_5^{}$. If they match, the returned $(P_4^{},P_5^{},P_6^{})$ is considered valid, where $P_4^{}$ = $C_3\oplus RN{U}_3$, $P_5^{}$ is equal to $RN{U}_4$, and $P_6^{}$ is equal to $RN{U}_5$. In the case of a mismatch, the authentication process is terminated by $SE{D}_j$.

Algorithm 3 Validates $M{G}_2$ and Generates $M{G}_3$

Input: {$Ti{S}_2,C_6^{},C_7^{},C_8^{},MA{C}_4$} Output: $\{Ti{S}_3,C_9^{},C_{10}^{},A{D}_6,MA{C}_6^{}\}$   1: procedure ALGO-3({$Ti{S}_2,C_6^{},C_7^{},C_8^{},MA{C}_4$})   2:     if $T_{ADL}\ge |Ti{S}_2-RTM|$ then   3:         $A{D}_5\leftarrow (SI{D}_{SE{D}_j}\oplus Ti{S}_2)$   4:         $K_3^{}\leftarrow DSK$   5:         $((P_4^{},P_5^{},P_6^{}),MA{C}_5^{})\leftarrow D_{K_3^{}}\{A{D}_5,C_6^{},C_7^{},C_8^{}\}$   6:         if ($MA{C}_4^{}\stackrel{?}{=}MA{C}_5^{}$) then   7:            selects $Ti{S}_3$ and $RN{U}_6$   8:            $S{K}_{SE{D}_j}\leftarrow H(RN{U}_6\Vert (C_3\oplus RN{U}_3)\Vert (SI{D}_{SE{D}_j}\oplus RN{U}_6\oplus RN{U}_5)\Vert Ti{S}_3)$   9:            $A{D}_6\leftarrow (S{K}_{SE{D}_j}^a\oplus S{K}_{SE{D}_j}^b)$ 10:            $K_4^{}\leftarrow (SI{D}_{SE{D}_j}\oplus (C_3\oplus RN{U}_3))$ 11:            $N_3\leftarrow (SI{D}_{SE{D}_j}\oplus (C_3\oplus RN{U}_3)\oplus A{D}_6)$ 12:            $P_7^{}\leftarrow RN{U}_4$ 13:            $P_8^{}\leftarrow (SI{D}_{SE{D}_j}\oplus RN{U}_6\oplus RN{U}_5)$ 14:            $((C_9^{},C_{10}^{}),MA{C}_6^{})\leftarrow E_{(K_4^{}\Vert N_3)}\{A{D}_6,P_7^{},P_8^{}\}$ 15:         else 16:            terminates execution 17:         end if 18:     else 19:         terminates execution 20:     end if 21: end procedure

Moreover, $SE{D}_j$ proceeds to select $Ti{S}_3$ and $RN{U}_6$, followed by the computation of the session key, $S{K}_{SE{D}_j}$, for future secure communication with the user. Once $S{K}_{SE{D}_j}$ is computed, $SE{D}_j$ proceeds to calculate the associative data, $A{D}_6$; nonce, $N_3$; encryption key, $K_4^{}$; and plaintexts, $P_7^{}$ and $P_8^{}$. By utilizing the ASCON encryption algorithm, $SE{D}_j$ encrypts $P_7^{}$ and $P_8^{}$ with the encryption key, $K_4^{}$, generating $((C_7^{},C_8^{}),MA{C}_6^{})$. Subsequently, $SE{D}_j$ constructs the message, $M{G}_3$, as $\{Ti{S}_3,C_9^{},C_{10}^{},A{D}_6,MA{C}_6^{}\}$ and transmits it to $S{D}_i$ or the user via the public communication channel.

4.4.4. Validates $M{G}_3$ and Session Key

Algorithm 4 is designed to enable the validation of the received message $M{G}_3$ by $S{D}_i$ and subsequently generate the session key. If $S{D}_i$ or the user verifies the freshness of the message $M{G}_3$, they need to check the condition $T_{ADL}\ge |Ti{S}_3-RTM|$. If the message is determined to be valid, $S{D}_i$ calculates the decryption key, $K_5^{}$, and the nonce, $N_4$. By utilizing the ASCON decryption algorithm with $K_5^{}$ and $N_4$, $(P_7^{},P_8^{}),$ and $MA{C}_7^{}$ are generated.

In addition, the integrity of the message, $M{G}_3$, is checked by comparing $MA{C}_6$ with $MA{C}_7$. To ensure secure encrypted communication between $S{D}_i$ and $SE{D}_j$, a session key, $S{K}_{U_i}$, is established. In order to verify the session key, $S{D}_i$ computes $A{D}_7$ and checks whether $A{D}_6$ matches $A{D}_7$. If they match, this indicates that the session keys derived at $S{D}_i$ and $SE{D}_j$, which are identical.

Finally, $RN{U}_2^{*}$ is computed, and $S{D}_i$ updates $RN{U}_2^{*}$ with the new value, $RN{U}_2^{}$.

4.5. Secret Credentials Change Phase

The ESCI-AKA mechanism offers a user-friendly way to modify the secret credentials (e.g., passwords and biometrics) of $U_i$ using Algorithm 5. To initiate this process, $U_i$ provides its old secret credentials, namely, $I{D}_{U_i}$ and $P{W}^o{U}_i$, and biometric information $Bi{o}_{U_i}^o$ to $S{D}_i$. Upon receiving these secret credentials, $S{D}_i$ utilizes the FE to generate the biometric key, ${\sigma }_1^o$, from $Bi{o}_{U_i}^o$ and $h{d}^o$ as input parameters. Subsequently, $S{D}_i$ derives the encryption key, $K_1^o$, and employs the ASCON encryption algorithm to encrypt $P_1^o,P_2^o,P_3^o$, resulting in $((C_1^o,C_2^o,C_3^o),MA{C}_1^o)$ using the encryption key, $K_1^o$, and $A{D}_1^o=RN{U}_1$.

Algorithm 4 Validates $M{G}_3$ and Generates Session Key

Input: $\{Ti{S}_3,C_9^{},C_{10}^{},A{D}_6,MA{C}_6^{}\}$ Output: {Session key $S{K}_{U_i}$ Generation and Mutual Authentication}   1: procedure ALGO-4($\{Ti{S}_3,C_9^{},C_{10}^{},A{D}_6,MA{C}_6^{}\}$)   2:     if $T_{ADL}\ge |Ti{S}_3-RTM|$ then   3:         $K_5^{}\leftarrow (SI{D}_{SE{D}_j}\oplus (C_3\oplus RN{U}_3))$   4:         $N_4\leftarrow K_5^{}\oplus A{D}_6$   5:         $((P_7^{},P_8^{}),MA{C}_7^{})\leftarrow D_{(K_5^{}\Vert N_4)}\{A{D}_6,C_9^{},C_{10}^{}\}$   6:         if $MA{C}_6\stackrel{?}{=}MA{C}_7$ then   7:            $P_7^{}\leftarrow RN{U}_4$   8:            $P_8^{}\leftarrow (SI{D}_{SE{D}_j}\oplus RN{U}_6\oplus RN{U}_5)$   9:            $S{K}_{U_i}\leftarrow H(RN{U}_6\Vert (C_3\oplus RN{U}_3)\Vert (SI{D}_{SE{D}_j}\oplus RN{U}_6\oplus RN{U}_5)\Vert Ti{S}_3)$ 10:            $A{D}_7\leftarrow (S{K}_{U_i}^a\oplus S{K}_{U_i}^b)$ 11:            if $A{D}_6\stackrel{?}{=}A{D}_7$ then 12:                $RN{U}_2^{*}\leftarrow H(C_2^{*}\oplus C_3^{*}\oplus C_1^{*})\oplus RN{U}_4$ 13:                updates $RN{U}_2$ with $RN{U}_2^{*}$ 14:                Mutual authentication is achieved 15:            else 16:                terminates execution 17:            end if 18:         else 19:            terminates execution 20:         end if 21:     else 22:         terminates execution 23:     end if 24: end procedure

Algorithm 5 Performs Password Change and Biometric Update

Input: {$I{D}_{U_i}$, $Bi{o}_{U_i}^o$, $P{W}_{U_i}^o$, $RN{U}_2^{}$, $A{D}_1$, $Q_1$, $MA{C}_1$, $hd$, $GI{D}_k^{*}$, $FE.Gen(·)$, $FE.Rep(·)$} Output: {$RN{U}_2^n$, $A{D}_1^n$, $Q_1^n$, $MA{C}_1^n$, $h{d}^n$, $GI{D}_k^n$, $FE.Gen(·)$, $FE.Rep(·)$}   1: procedure ALGO-1({$RN{U}_2^{}$, $A{D}_1$, $Q_1$, $MA{C}_1$, $hd$, $GI{D}_k^{*}$, $FE.Gen(·)$, $FE.Rep(·)$})   2:     ${\sigma }_1^o\leftarrow FE.Rep(Bi{o}_{U_i}^o,hd)$   3:     $K_1^o\leftarrow H(I{D}_{U_i}\Vert P{W}_{U_i}^o\Vert {\sigma }_1^o)$   4:     $((C_1^o,C_2^o,C_3^o),MA{C}_1^o)\leftarrow E_{K_1^o}\{A{D}_1,P_1^o,P_2^o,P_3^o\}$   5:     $A{D}_1^o\leftarrow RN{U}_1$   6:     if $MA{C}_1^o\stackrel{?}{=}MA{C}_1$ then   7:         $(SI{D}_{SE{D}_j}\Vert C_3)\leftarrow (Q_1\oplus H(C_2^o\oplus C_3^o))$   8:         $GI{D}_k\leftarrow GI{D}_k^o\oplus H(C_2^o\oplus C_3^o\oplus C_1^o)$   9:         $RN{U}_2^{}\leftarrow H(C_2^o\oplus C_3^o\oplus C_1^o)\oplus RN{U}_2^o$ 10:         Enters the new or fresh secret parameters 11:         $({\sigma }_1^n,h{d}^n)\leftarrow FE.Gen\left(Bi{o}_{U_i}^n\right)$ 12:         $K_1^n\leftarrow H(I{D}_{U_i}\Vert P{W}_{U_i}^n\Vert {\sigma }_1^n)$ 13:         $A{D}_1^n\leftarrow RN{U}_1^n$ 14:         $((C_1^n,C_2^n,C_3^n),MA{C}_1^n)\leftarrow E_{K_1^n}\{A{D}_1^n,P_1^n,P_2^n,P_3^n\}$ 15:         $Q_1^n\leftarrow ((SI{D}_{SE{D}_j}\Vert C_3)\oplus H(C_2^n\oplus C_3^n))$ 16:         $GI{D}_k^n\leftarrow GI{D}_k\oplus H(C_2^n\oplus C_3^n\oplus C_1^n)$ 17:         $RN{U}_2^n\leftarrow H(C_2^n\oplus C_3^n\oplus C_1^n)\oplus RN{U}_2^{}$ 18:     else 19:         terminates execution 20:     end if 21: end procedure

To ensure the authenticity of the secret credentials and perform local authentication, $S{D}_i$ verifies the condition, $MA{C}_1^o\stackrel{?}{=}MA{C}_1$. If the condition holds true, $S{D}_i$ derives the parameters $SI{D}_{SE{D}_j}$, $GI{D}_k$, and $RN{U}_2^{}$. Moreover, $S{D}_i$ notifies $U_i$ to input a new $P{W}_{U_i}^n$ and update the biometric information to $Bi{o}_{U_i}^n$ to complete the process. $S{D}_i$ picks a new random number, $RN{U}_1^n$, and computes {$RN{U}_2^n$, $A{D}_1^n$, $Q_1^n$, $MA{C}_1^n$, $h{d}^n$, $GI{D}_k^n$, $FE.Gen(·)$, $FE.Rep(·)$}. Finally, it replaces {$RN{U}_2^{}$, $A{D}_1$, $Q_1$, $MA{C}_1$, $hd$, $GI{D}_k^{*}$, $FE.Gen(·)$, $FE.Rep(·)$} with {$RN{U}_2^n$, $A{D}_1^n$, $Q_1^n$, $MA{C}_1^n$, $h{d}^n$, $GI{D}_k^n$, $FE.Gen(·)$, $FE.Rep(·)$} in $S{D}_i$’s memory.

5. Security Validation

We provide a security analysis of ESCI-AKA, formally and informally, in this section.

5.1. Informal Security Analysis

In this subsection, we provide an informal security analysis of the proposed ESCI-AKA framework.

5.1.1. Secret Credential Change Attack

$\mathcal{A}$, after capturing $S{D}_i$, can obtain the sensitive parameters, such as {$RN{U}_2^{*}$, $A{D}_1$, $Q_1$, $MA{C}_1$, $hd$, $GI{D}_k^{*}$, $FE.Gen(·)$, $FE.Rep(·)$}, which are stored in the memory of $S{D}_i$ at the time of registration. $\mathcal{A}$ cannot update the secret credentials, such as $P{W}_{U_i}^{}$, $Bi{o}_{U_i}^{}$, and $I{D}_{U_i}$, because $\mathcal{A}$ needs to compute:

$$\left({\sigma }_1^{\mathcal{A}}\right)=FE.Rep(Bi{o}_{U_i}^{\mathcal{A}},h{d}^{}),$$

(5)

$$K_1^{\mathcal{A}}=H(I{D}_{U_i}^{\mathcal{A}}\Vert P{W}_{U_i}^{\mathcal{A}}\Vert {\sigma }_1^{\mathcal{A}}),$$

(6)

$$((C_1^{\mathcal{A}},C_2^{\mathcal{A}},C_3^{\mathcal{A}}),MA{C}_1^{\mathcal{A}})=E_{K_1^{\mathcal{A}}}\{A{D}_1,P_1^{\mathcal{A}},P_2^{\mathcal{A}},P_3^{\mathcal{A}}\},$$

(7)

$$MA{C}_1^{\mathcal{A}}\stackrel{?}{=}MA{C}_1.$$

(8)

$\mathcal{A}$ can update the secret credentials, such as $P{W}_{U_i}^{}$, $Bi{o}_{U_i}^{}$ if Condition (8) holds. However, $\mathcal{A}$ cannot generate the biometric key. Thus, without knowing the secret credentials, it is hard for $\mathcal{A}$ to update the password and biometric key. Hence, the proposed ESCI-AKA is resistant to password and biometric key update attacks.

5.1.2. Replay Attack

To prevent a replay attack, in ESCI-AKA, timestamps are incorporated in all the communicated messages. The freshness of the messages, $M{G}_1$, $M{G}_2$, and $M{G}_3$, are checked through the conditions $T_{ADL}\ge |Ti{S}_1-RTM|$, $T_{ADL}\ge |Ti{S}_2-RTM|$, and $T_{ADL}\ge |Ti{S}_3-RTM|$, respectively. If any of the conditions fail, the associated message is considered to be invalid or replayed. Thus, the proposed ESCI-AKA demonstrates resistance against replay attacks.

5.1.3. DoS Attack

The proposed scheme prevents a DoS attack through the local authentication of $U_i$ secret credentials. To achieve local authentication, the $S{D}_i$ of $U_i$ needs to perform the following computations:

$$\begin{array}{c}\left({\sigma }_1^{*}\right)=FE.Rep(Bi{o}_{U_i}^{*},h{d}^{}),\end{array}$$

(9)

$$\begin{array}{c}{K}_1^{*}=H(I{D}_{U_i}\Vert P{W}_{U_i}^{}\Vert {\sigma }_1^{*}),\end{array}$$

(10)

$$\begin{array}{c}((C_1^{*},C_2^{*},C_3^{*}),MA{C}_1^{*})=E_{K_1^{*}}\{A{D}_1,P_1^{},P_2^{},P_3^{}\},\end{array}$$

(11)

$$\begin{array}{c}whereA{D}_1^{}=RN{U}_1,\end{array}$$

(12)

$$\begin{array}{c}MA{C}_1^{*}\stackrel{?}{=}MA{C}_1,\end{array}$$

(13)

If the condition in (13) holds, then $S{D}_i$ sends the authentication and AKA request to $G{W}_k$. Otherwise, $S{D}_i$ stops the further execution of the AKA phase. In this way, the proposed ESCI-AKA prevents DoS attacks.

5.1.4. MITM Attack

An authentication and key agreement mechanism must be capable of resisting an MITM attack. In the proposed ESCI-AKA, there are three messages, such as $M{G}_1$: $\{Ti{S}_1,$$PI{D}_i,C_4^{},C_5^{},MA{C}_2^{}\}$, $M{G}_2$: $\{Ti{S}_2,C_6^{},C_7^{},C_8^{},MA{C}_4\}$, and $M{G}_3$: $\{Ti{S}_3,C_9^{},C_{10}^{},A{D}_6,$ $MA{C}_6^{}\}$, which are disseminated by $S{D}_i$, $G{W}_k$, and $SE{D}_j$, respectively, to accomplish a secure channel. To effectuate an MITM attack, $\mathcal{A}$ requires knowing the secret parameters, which are used in the construction of all the messages communicated during the AKA phase, such as $RN{U}_3$, $RN{U}_4$, $RN{U}_5$, $RN{U}_6$, $C_3$, $GI{D}_k$, $C_1$, and $C_2$. A lack of knowledge of these parameters makes it hard for $\mathcal{A}$ to generate an MITM attack. This way, ESCI-AKA exhibits resistance to MITM attacks.

5.1.5. $U_i$ Impersonation Attack

In ESCI-AKA, when the message $M{G}_1$: $\{Ti{S}_1,PI{D}_i,C_4^{},C_5^{},MA{C}_2^{}\}$ is transmitted to $G{W}_k$ for authentication and the AKA process, an impersonation attack requires $\mathcal{A}$ to generate fabricated or modified messages using random parameters, like $C_3^{\mathcal{A}}$, $GI{D}_k^{\mathcal{A}}$, and $RN{U}_3^{\mathcal{A}}$. However, since $\mathcal{A}$ does not possess the knowledge of the actual valid parameters ($C_3^{}$, $GI{D}_k^{}$, and $RN{U}_3^{}$), it is unable to generate a valid message, especially the parameter $MA{C}_2^{}$. Consequently, $\mathcal{A}$ cannot impersonate a valid user in the smart home environment. Therefore, ESCI-AKA effectively prevents user impersonation attacks.

5.1.6. $SE{D}_j$ Impersonation Attack

In ESCI-AKA, the message, $M{G}_3$: $\{Ti{S}_3,C_9^{},C_{10}^{},A{D}_6,MA{C}_6^{}\}$, is transmitted to $U_i$. Therefore, in order to impersonate a valid $SE{D}_j$, $\mathcal{A}$ would need to generate a fabricated message, $M{G}_3^{\mathcal{A}}$. However, for the generation of $M{G}_3^{\mathcal{A}}$, $\mathcal{A}$ must possess knowledge of the parameters $RN{U}_3$, $RN{U}_4$, $RN{U}_5$, $RN{U}_6$, $C_3$, and $SI{D}_{SE{D}_j}$. Without knowing these parameters, $\mathcal{A}$ cannot generate a valid $M{G}_3^{}$. As a result, the proposed ESCI-AKA effectively safeguards against impersonation attacks targeting $SE{D}_j$.

5.1.7. Temporary Parameter Leakage Attack

In ESCI-AKA, the session key is computed as $S{K}_{SE{D}_j}(=S{K}_{U_i})=H(RN{U}_6\Vert (C_3\oplus RN{U}_3)\Vert (SI{D}_{SE{D}_j}\oplus RN{U}_6\oplus RN{U}_5)\Vert Ti{S}_3)$, which incorporates a combination of ephemeral and long-term parameters to enhance its security measure. $\mathcal{A}$ needs to obtain ephemeral parameters, such as $RN{U}_3$, $RN{U}_4$, $RN{U}_5$, and $RN{U}_6$, and long-term parameters, such as $C_3$, $SI{D}_{SE{D}_j}$, $GI{D}_k$, $C_1$, and $C_2$, to breach the security of the session key. Hence, the proposed ESCI-AKA is resistant to temporary parameter leakage attacks.

5.1.8. Anonymity and Untraceability

During the secure channel establishment (AKA) phase, three messages are exchanged: $M{G}_1$: $\{Ti{S}_1,PI{D}_i,C_4^{},C_5^{},MA{C}_2^{}\}$, $M{G}_2$: $\{Ti{S}_2,C_6^{},C_7^{},C_8^{},MA{C}_4\}$, and $M{G}_3$: $\{Ti{S}_3,C_9^{},$$C_{10}^{},A{D}_6,MA{C}_6^{}\}$. After capturing these messages, $\mathcal{A}$ is unable to determine the user’s identity, which prevents user tracking. Additionally, all the messages generated during the current and previous AKA phases are different and random, making it impossible for $\mathcal{A}$ to establish any correlation between captured messages from different sessions. Furthermore, even if $\mathcal{A}$ obtains parameters such as {$RN{U}_2^{*}$, $A{D}_1$, $Q_1$, $MA{C}_1$, $hd$, $GI{D}_k^{*}$, $FE.Gen(·)$, $FE.Rep(·)$}, it cannot extract the real identity of the user. Thus, the proposed ESCI-AKA ensures anonymous communication.

5.1.9. Desynchronization

In the proposed authentication scheme, the pseudo-identity is updated at the gateway. However, this updating of pseudo-identities introduces vulnerability to desynchronization attacks. To mitigate the risk of desynchronization attacks, we have implemented a solution by retaining both the old and current pseudo-identities at the gateway. In the event of eavesdropping or jamming attacks, an attacker can capture messages and drop them at any point during the execution of the proposed scheme. Nevertheless, even if the messages are dropped, users can still utilize the old identities to successfully complete the AKA phase of the scheme. This safeguard ensures protection against desynchronization attacks.

5.2. ROM-Based Validation

A formal analysis of the security of the session key generated during the AKA phase of ESCI-AKA is conducted using the random oracle model (ROM). The essential components of the ROM are outlined below:

• Participants: In ESCI-AKA, there are three main participants: $U_i$, $G{W}_k$, and $SE{D}_j$. We represent the instances, $p1$, $p2$, and $p3$, of $U_i$, $G{W}_k$, and $SE{D}_j$ of these participants as ${\Pi }_{U_i}^{p1}$, ${\Pi }_{G{W}_k}^{p2}$, and ${\Pi }_{SE{D}_j}^{p3}$, which serve as oracles in the system.
• Partnership: Upon reaching the acceptance state, the instances, ${\Pi }_{U_i}^{p1}$ and ${\Pi }_{SE{D}_j}^{p3}$, establish a partnership if they possess a shared session key.
• Freshness: $\mathcal{A}$ is incapable of disclosing the session key that is established between ${\Pi }_{U_i}^{p1}$ and ${\Pi }_{SE{D}_j}^{p3}$ during the AKA phase.

The capabilities of $\mathcal{A}$ are analyzed in Section 3.2. Furthermore, $\mathcal{A}$ can influence different queries to execute various attacks on ESCI-AKA.

• $\mathbf{Execute}({\Pi }_{U_i}^{p1},{\Pi }_{G{W}_k}^{p2},{\Pi }_{SE{D}_j}^{p3})$: A passive attack can be simulated employing this query, authorizing $\mathcal{A}$ to model and observe the passive attack. With this query, $\mathcal{A}$ can acquire all the messages exchanged during the AKA process of ESCI-AKA.
• $\mathbf{Test}\left({\Pi }^{p1}\right)$: $\mathcal{A}$ operates this query to demonstrate whether the imagined session key is definitely the correct session key or merely a random guess.
• $\mathbf{Reveal}\left({\Pi }^{p1}\right)$: This query is effectuated by $\mathcal{A}$ to acquire the session key maintained by the oracle, ${\Pi }^{p1}$.
• $\mathbf{Send}({\Pi }^{p1},MG)$: This query is effectuated to establish an active attack. Additionally, ${\Pi }^{p1}$ can transmit a message, $MG$, to ${\Pi }^{p1}$ and acquire an affiliated response.
• $\mathbf{CorruptSD}\left({\Pi }^{p1}\right)$: This query is effectuated by $\mathcal{A}$ to acquire the long-term parameters held in the memory of $S{D}_i$.

Theorem 1.

We consider that $\mathcal{A}$ is a polynomial-time ($polt$) adversary endeavoring to crack the security of the session key established between the user and $SE{D}_j$ in ESCI-AKA. Hence, the advantage of $\mathcal{A}$ in successfully cracking the security of the session key can be derived as follows:

$$\begin{array}{c}\hfill {Adv}_{\mathcal{A}}^{ESCI-AKA}\left(polt\right)\le \frac{H_q^2}{\left|HSP\right|}+\frac{S_q^{}}{2^{bkl-1}·\left|PSP\right|}\\ \hfill +2·{Adv}_{AEAD}^{OCCA3}.\end{array}$$

(14)

In the above equation, $H_q^2$, $S_q^{}$, $\left|PSP\right|$, and $2^{bkl}$, $\left|HSP\right|$ represent the number of queries for the hash function, send queries, password space, biometric key space/length, and hash function space, respectively. Furthermore, ${Adv}_{\mathcal{A}}^{OCCA3}\left(polt\right)$ [55] denotes the advantage of $\mathcal{A}$ in breaking the security of ASCON within a polynomial-time constraint.

Proof. 

The proof of Theorem 1 is conducted in the same way as in [54,57,58]. Here, we consider the four games $\left(G_q\right|q=0,1,2,3)$, where the winning probability of $\mathcal{A}$ to determine the correct bit “b” is denoted by $Ad{v}^G$. All the games are explicated in the following sections in detail.

$G0$: This is considered an initial attack from $\mathcal{A}$ against ESCI-AKA in the ROM model. As “b” must be decided before $G0$, it is obvious that

$${Adv}_{\mathcal{A}}^{ESCI-AKA}\left(polt\right)=|2·Ad{v}^{G0}-1|.$$

(15)

$G1$: This game enables $\mathcal{A}$ to perform $Execute({\Pi }_{U_i}^{p1},{\Pi }_{G{W}_k}^{p2},{\Pi }_{SE{D}_j}^{p3})$. By using this query, $\mathcal{A}$ can capture all the messages, such as $M{G}_1$: $\{Ti{S}_1,PI{D}_i,C_4^{},C_5^{},MA{C}_2^{}\}$, $M{G}_2$: $\{Ti{S}_2,C_6^{},C_7^{},C_8^{},MA{C}_4\}$, and $M{G}_3$: $\{Ti{S}_3,C_9^{},C_{10}^{},A{D}_6,MA{C}_6^{}\}$, exchanged between network participants, such as $S{D}_i$, $G{W}_k$, and $SE{D}_j$, respectively. Now, the primary objective of $\mathcal{A}$ is to construct the session key $S{K}_{SE{D}_j}(=S{K}_{U_i})=H(RN{U}_6\Vert (C_3\oplus RN{U}_3)\Vert (SI{D}_{SE{D}_j}\oplus RN{U}_6\oplus RN{U}_5)\Vert Ti{S}_3)$, which is constructed during the execution of the AKA phase. As the session key in ESCI-AKA is generated using a combination of long-term and ephemeral parameters, such as $RN{U}_3$, $RN{U}_4$, $RN{U}_5$, $RN{U}_6$, $C_3$, $GI{D}_k$, $C_1$, and $C_2$, the $Reveal$ query is employed at the end of $G1$ to reveal the session key, and the $Test$ query is used to verify whether the constructed session key is a valid output or a random one. However, the probability of $\mathcal{A}$ winning without knowledge of $RN{U}_3$, $RN{U}_4$, $RN{U}_5$, $RN{U}_6$, $C_3$, $GI{D}_k$, $C_1$, and $C_2$ is extremely low. Therefore, $G0$ and $G1$ can be considered equivalent. Thus, we can conclude that

$$Ad{v}^{G1}=Ad{v}^{G0}$$

(16)

$G2$: An active attack is conducted by executing $H_q^2$ queries. In ESCI-AKA, the hash function generates the session key (SK) for $U_i$ and $SE{D}_j$. $\mathcal{A}$ attempts to find a collision by constructing $HSP$ queries to compromise the security of the SK. However, the likelihood of a collision is minimal, as indicated by the birthday paradox.

$$Ad{v}^{G2}-Ad{v}^{G1}\le \frac{H_q^2}{2\left|HSP\right|}.$$

(17)

$G3$: In this scenario, $\mathcal{A}$ captures the $S{D}_i$ of a user and extracts sensitive parameters, including {$RN{U}_2^{}$, $A{D}_1$, $Q_1$, $MA{C}_1$, $hd$, $GI{D}_k^{}$, $FE.Gen(·)$, $FE.Rep(·)$}, from the memory of $S{D}_i$. To accomplish this, $\mathcal{A}$ executes $CorruptSD\left({\Pi }^{p1}\right)$. The objective of $\mathcal{A}$ is to modify or change the user’s password and biometrics. However, generating or guessing biometric keys is challenging, and the length of the biometric key, denoted as $bkl$, makes the probability of guessing the biometric key ($\frac{1}{2^{bkl}}$) negligible. Furthermore, considering the limited number of permissible incorrect password attempts, we can deduce that the probability of successfully guessing or modifying the user’s password and biometrics within the allowed number of attempts is extremely low. Therefore, the security of ESCI-AKA is maintained, as it effectively protects against unauthorized access to and manipulation of user credentials. Hence, we have the following:

$$\begin{array}{c}\hfill Ad{v}^{G3}-Ad{v}^{G2}\le \frac{S_q^{}}{2^{bkl}·\left|PSP\right|}.\end{array}$$

(18)

$G4$: In this game, $\mathcal{A}$ conducts a real attack by capturing all the exchanged messages, including $M{G}_1$, $M{G}_2$, and $M{G}_3$, using the $Execute({\Pi }_{U_i}^{p1},{\Pi }_{G{W}_k}^{p2},{\Pi }_{SEDj}^{p3})$ query. It is important to note that all the messages transmitted during the AKA phase are encrypted using the ASCON encryption algorithm. Based on the security definition of ASCON (refer to Definition 1), ASCON is deemed safe for usage. Consequently, the advantage of $\mathcal{A}$ in cracking the security of the AEAD scheme is nominal. Thus, we can extrapolate that

$$\begin{array}{c}\hfill Ad{v}^{G4}-Ad{v}^{G3}\le {Adv}_{AEAD,\mathcal{A}}^{OCCA3}\left(polt\right).\end{array}$$

(19)

$\mathcal{A}$, after finishing games, such as $\left(G_q\right|q\in [0,3])$, receives no considerable advantage to gain the correct bit “b”. Thus, we arrive at

$$Ad{v}^{G4}=1/2$$

(20)

From (15) and (16), we obtain

$${Adv}_{\mathcal{A}}^{ESCI-AKA}\left(polt\right)=|2·Ad{v}^{G0}-\frac{1}{2}|.$$

(21)

From (21), we obtain

$$\frac{1}{2}·{Adv}_{\mathcal{A}}^{ESCI-AKA}\left(polt\right)=|Ad{v}^{G0}-Ad{v}^{G4}|.$$

(22)

By using (20) and (22), we obtain

$$\frac{1}{2}·{Adv}_{\mathcal{A}}^{ESCI-AKA}\left(polt\right)=|Ad{v}^{G1}-Ad{v}^{G4}|$$

(23)

Upon considering the triangular inequality, we have

$$\begin{array}{c}\hfill |Ad{v}^{G1}-Ad{v}^{G4}|\le |Ad{v}^{G1}-Ad{v}^{G2}|\\ \hfill +|Ad{v}^{G2}-Ad{v}^{G4}|\\ \hfill \le |Ad{v}^{G1}-Ad{v}^{G2}|+|Ad{v}^{G2}-Ad{v}^{G3}|\\ \hfill +|Ad{v}^{G3}-Ad{v}^{G4}|.\end{array}$$

(24)

By using (17), (19), and (24), we obtain

$$\begin{array}{c}\hfill {Adv}_{\mathcal{A}}^{ESCI-AKA}\left(polt\right)\le \frac{H_q^2}{\left|HSP\right|}+\frac{S_q^{}}{2^{bkl-1}·\left|PSP\right|}\\ \hfill +2.{Adv}_{AEAD,\mathcal{A}}^{OCCA3}\left(polt\right).\end{array}$$

(25)

 □

5.3. Formal Validation Using Scyther

Scyther is employed to analyze potential vulnerabilities in security frameworks. Developed in Python, Scyther ensures that all cryptographic operations/functions are impenetrable. This implies that unless an attacker manages to seize the decryption key, the encrypted transmission remains incomprehensible to them. In this article, we employ Scyther to examine the security characteristics of ESCI-AKA. ESCI-AKA is implemented using Security Protocol Description Language (SPDL), which defines three roles: (i) $GWK$ (gateway role), (ii) $SEDJ$ (smart embedded device role), and (iii) $RMU/SDI$ (user role). The SPDL script contains both manually established claims and automatically generated ones, all of which are verified by Scyther, as depicted in Figure 3. Consequently, we can affirm that ESCI-AKA is well protected and secure, as illustrated in Figure 3.

6. Performance Comparison

The proposed ESCI-AKA was compared with several references, including [10,11,12,13,14,15,16], in terms of their security characteristics and communication and computational costs. To evaluate the computational performance of various cryptographic primitives, we conducted tests on “Raspberry-Pi-3 with a CPU clocked at 1.2 GHz and 1 GB of RAM”, running the Ubuntu operating system. Each cryptographic primitive was executed 100 times, and the average time taken by each primitive is presented in

Table 3. Execution Time.

Cryptographic Function	Notation	Raspberry Pi-3	Size in Bits
ECC scalar multiplication	$T_{ECC}$	3.47 ms	ECC size (320 bits)
Encryption/decryption	$T_{ENC}$	0.664 ms	ID size (128 bits)
Hash function (SHA-256)	$T_{HF}$	0.382 ms	HASH output size (256 bits)
ASCON encryption/decryption	$T_{AEAD}$	0.401 ms	MAC size (128 bits)
Biometric key generation	$T_B\approx T_{ECC}$	3.47 ms	Timestamps (32 bits)

.

6.1. Security Comparison

In this subsection, we correlate the security characteristics of ESCI-AKA with other references: [10,11,12,13,14,15,16]. The security mechanism offered in [10] lacks protection against impersonation and device capture attacks, and it does not guarantee mutual authentication. The authentication mechanism offered in [11] is defenseless against password guessing, impersonation, and MITM attacks. Moreover, it is unable to accomplish mutual authentication and achieve user anonymity. The authentication mechanism offered in [12] does not guarantee protection against privileged insider, user anonymity, stolen smart card, and password guessing attacks. The security mechanism offered in [13] is ineffective against password guessing and temporary secret leakage, and it also lacks anonymity and untraceability characteristics. The scheme offered in [14] is defenseless against privileged insider, impersonation, replay, stolen smart card, identity guessing, and password guessing attacks. The security protocol proposed in [16] is unable to resist privileged insider and temporary parameter leakage attacks. In contrast, the proposed ESCI-AKA is protected against diverse security attacks. A comparison of the security characteristics is represented in

Table 4. Security Properties Comparison.

Features/Attacks	[10]	[11]	[12]	[13]	[14]	[15]	[16]	ESCI-AKA
“Anonymity/Untraceability”	✓	×	×	×	✓	✓	✓	✓
“Password Guessing Attack”	✓	×	×	×	×	✓	✓	✓
“Impersonation Attack”	×	×	✓	✓	×	✓	✓	✓
“MITM”	✓	×	✓	✓	✓	✓	✓	✓
“TSL Attack”	✓	✓	✓	×	✓	✓	×	✓
“Replay Attack”	✓	✓	✓	✓	×	✓	✓	✓
“SSC Attack”	✓	✓	✓	✓	✓	✓	✓	✓
“Identity Guessing”	✓	✓	✓	✓	×	✓	✓	✓
“Desynchronization”	✓	✓	✓	✓	✓	✓	✓	✓

Note: SSC: stolen smart card; TSL: temporary secret leakage; ✓ denotes the availability of features; × indicates the feature not available.

.

6.2. Memory Cost

In the proposed scheme, the memory requirements at different nodes are as follows:

• Smart device node: $SI{D}_{SE{D}_j}$, $DSK$ = {128 + 256} = 384 bits;
• Gateway node: 2 × ($PI{D}_i$$RNU$) = {256 × 2} = 512 bits;
• User device: {$RN{U}_2^{*}$, $GI{D}_k^{*}$, $A{D}_1$, $Q_1$, $MA{C}_1$, $hd$, $FE.Gen(·)$, $FE.Rep(·)$} = {128 + 128 + 128 + 256 + 160} = 800 bits. In the proposed scheme, the total memory cost required is 1696 bits, while the works referenced as [10,11,12,13,14,15,16] require 1888 bits, 2048 bits, 1928 bits, 1024 bits, 992 bits, 1024 bits, and 992 bits, respectively. The proposed scheme requires more memory compared to certain security schemes but still demands less memory compared to other relevant security schemes. The proposed scheme, in comparison to related security schemes, incurs lower computational and communication costs while offering more significant security features.

6.3. Computational Cost

The computational cost of the proposed ESCI-AKA and other relevant security frameworks are computed using the computational time given in Table 3. The aggregated computational cost of ESCI-AKA is 8.569 ms, which is 65.71%, 66.18%, 84.87%, 66.18%, 79.65%, 61.01%, and 86.27% less than the security frameworks presented in [10,11,12,13,14,15,16], respectively. In addition, a comparison of the total computational cost is given in Figure 4, which indicates that the proposed ESCI-AKA requires low computational time to accomplish the AKA phase. The computational costs at $U_i$, $G{W}_k$, and $SE{D}_j$ are 6.201 ms, 1.184 ms, and 1.184 ms, respectively. A comparison of computational cost at $U_i$, $G{W}_k$, and $SE{D}_j$ is provided in Figure 5, which shows that ESCI-AKA requires low computation resources at $U_i$, $G{W}_k$, and $SE{D}_j$.

In addition, the proposed ESCI-AKA requires fewer computational resources when many users are sending the security channel establishment or authentication request to $G{W}_k$. A comparison of computation cost when increasing the number of users at $G{W}_k$ is provided in Figure 6 and

Table 5. Computational Cost.

Scheme	${\mathit{U}}_{\mathit{i}}$ Side	${\mathbf{GW}}_{\mathit{k}}/\mathbf{TA}$ Side	${\mathbf{SED}}_{\mathit{j}}$ Side	Total Time (ms)
[10]	$8T_{HF}+3T_{ECC}\approx \mathbf{13.46}$	$7T_{HF}+T_{ECC}\approx \mathbf{6.144}$	$5T_{HF}+T_{ECC}\approx \mathbf{5.38}$ ms	$20T_{HF}+5T_{ECC}\approx \mathbf{24.99}$ ms
[11]	$14T_{HF}+2T_{ECC}\approx \mathbf{12.288}$	$10T_{HF}\approx \mathbf{3.82}$	$6T_{HF}+2T_{ECC}\approx \mathbf{9.232}$ ms	$30T_{HF}+4T_{ECC}\approx \mathbf{25.34}$ ms
[12]	$5T_{HF}+5T_{ECC}+T_B\approx \mathbf{22.73}$	$4T_{HF}+5T_{ECC}\approx \mathbf{18.87}$	$3T_{HF}+4T_{ECC}\approx \mathbf{15.026}$ ms	$12T_{HF}+14T_{ECC}+T_B\approx \mathbf{56.634}$ ms
[13]	$8T_{HF}+2T_{ECC}\approx \mathbf{9.96}$	$5T_{HF}+T_{ECC}\approx \mathbf{5.38}$	$6T_{HF}+2T_{ECC}\approx \mathbf{9.232}$ ms	$30T_{HF}+4T_{ECC}\approx \mathbf{25.34}$ ms
[14]	$3T_{HF}+2T_{ECC}+2T_{ENC}\approx \mathbf{9.41}$	$12T_{HF}+2T_{ECC}\approx \mathbf{1.71}$	$T_{HF}+2T_{ENC}\approx \mathbf{19.24}$ ms	$16T_{HF}+3T_{ENC}+4T_{ECC}\approx \mathbf{42.11}$ ms
[15]	$6T_{HF}+3T_{ECC}\approx \mathbf{12.70}$	$6T_{HF}+T_{ECC}\approx \mathbf{5.76}$	$5T_{HF}+2T_{ECC}\approx \mathbf{8.85}$ ms	$17T_{HF}+6T_{ECC}\approx \mathbf{21.98}$ ms
[16]	$8T_{HF}+3T_{ECC}\approx \mathbf{13.46}$	$6T_{HF}+6T_{ECC}\approx \mathbf{23.11}$	$4T_{HF}+5T_{ECC}\approx \mathbf{18.87}$ ms	$18T_{HF}+16T_{ECC}\approx \mathbf{62.39}$ ms
ESCI-AKA	$4T_{HF}+3T_{AEAD}+T_B\approx \mathbf{6.201}$	$T_{HF}+2T_{AEAD}\approx \mathbf{1.184}$	$T_{HF}+2T_{AEAD}\approx \mathbf{1.184}$ ms	$6T_{HF}+7T_{AEAD}+T_B\approx \mathbf{8.569}$ ms

.

6.4. Communication Cost

To estimate the communication cost of the proposed ESCI-AKA during the AKA phase or authentication phase, we consider the sizes of the different parameters given in Table 3. In ESCI-AKA, three messages are exchanged among various network entities: $M{G}_1$: $\{Ti{S}_1,PI{D}_i,C_4^{},C_5^{},MA{C}_2^{}\}$, $M{G}_2$: $\{Ti{S}_2,C_6^{},C_7^{},C_8^{},MA{C}_4\}$, and $M{G}_3$: $\{Ti{S}_3,C_9^{},C_{10}^{},A{D}_6,MA{C}_6^{}\}$. The sizes of $M{G}_1$, $M{G}_2$, and $M{G}_3$ are 544 bits, 544 bits, and 416 bits, respectively. ESCI-AKA requires 544 + 544 + 416 = 1540 bits to complete the AKA phase. In comparison, the communication costs required by [10,11,12,13,14,15,16] (shown in Figure 7 and

Table 6. Communication Cost.

Frameworks	Factor	Communicated Messages
[10]	3F	2720 bits
[11]	2F	3552 bits
[12]	3F	2528 bits
[13]	2F	3552 bits
[14]	3F	3290 bits
[15]	2F	2880 bits
[16]	3F	4416 bits
ESCI-AKA	3F	1504 bits

) are 2720 bits, 3550 bits, 2528 bits, 3552 bits, 3290 bits, 2880 bits, and 4416 bits, respectively. Figure 7 and Table 6 provide a comparison of the communication costs between ESCI-AKA and other related security mechanisms.

7. Conclusions

In this paper, we introduced ESCI-AKA, an innovative secure authentication framework designed specifically for the smart home environment. The primary goal of ESCI-AKA is to establish a secure channel between a user’s device and the smart home, ensuring secure communication over the public Internet. To achieve optimal resource efficiency, ESCI-AKA makes use of the lightweight cryptographic authenticated encryption scheme called “ASCON” and incorporates a hash function. The security of the session key established by ESCI-AKA is verified through a thorough ROM-based analysis. Furthermore, extensive informal analysis has demonstrated ESCI-AKA’s robustness against various types of attacks, including replay attacks, MITM attacks, and desynchronization attacks. This ensures that the communication between the device and the smart home remains secure even in the presence of potential threats. The security claims of ESCI-AKA are further supported by a Scyther-based implementation, which reinforces its reliability in real-world scenarios. This implementation has proven its effectiveness in practical applications, enhancing the overall security of the framework. Moreover, in performance evaluations, ESCI-AKA has shown significant improvements in computational and communication costs. The framework achieves a significant computational cost reduction, ranging from 61.01% to 86.27%, and a communication cost reduction, ranging from 40.51% to 65.94%. These improvements not only enhance the efficiency of the system but also ensure that the security features remain intact. In the future, we plan to utilize lightweight cryptographic primitives, such as ASCON and Esch256, to design data sharing and access control mechanisms using blockchain technology.