A Secure, Lightweight, and Anonymous User Authentication Protocol for IoT Environments

Abstract

The Internet of Things (IoT) is being applied to various environments such as telecare systems, smart homes, and intelligent transportation systems. The information generated from IoT devices is stored at remote servers, and external users authenticate to the server for requesting access to the stored data. In IoT environments, the authentication process is required to be conducted efficiently, and should be secure against various attacks and ensure user anonymity and untraceability to ensure sustainability of the network. However, many existing protocols proposed in IoT environments do not meet these requirements. Recently, Rajaram et al. proposed a paring-based user authentication scheme. We found that the Rajaram et al. scheme is vulnerable to various attacks such as offline password guessing, impersonation, privileged insider, and known session-specific temporary information attacks. Additionally, as their scheme uses bilinear pairing, it requires high computation and communication costs. In this study, we propose a novel authentication scheme that resolves these security problems. The proposed scheme uses only hash and exclusive-or operations to be applicable in IoT environments. We analyze the proposed protocol using informal analysis and formal analysis methods such as the BAN logic, real-or-random (ROR) model, and the AVISPA simulation, and we show that the proposed protocol has better security and performance compared with existing authentication protocols. Consequently, the proposed protocol is sustainable and suitable for real IoT environments.

1. Introduction

The Internet of Things (IoT) has become an essential technology in business and industry that is being applied to various environments [1,2,3,4,5,6,7,8] including telecare systems, smart grids, intelligent transportation systems, and global roaming systems to make human lives more prosperous. For example, in IoT-based telecare environments (see Figure 1), medical devices and sensors check the patient’s pulse, blood pressure, and body temperature in real time, and transmit the information to a remote server. Thereafter, users such as doctors and researchers authenticate the server using mobile devices (i.e., smart phones) and access the information for diagnosis or research. IoT-based telecare systems can provide convenience to patients and contribute to the progress of healthcare. In addition, the IoT can be applied to other environments for increasing business productivity and industrial efficiency.

However, despite these advantages, several challenges must be addressed. Communications in IoT environments are performed on wireless channels, which are prone to attacks by adversaries. They can obtain transmitted messages and can attempt various attacks including replay, man-in-the-middle, and impersonation attacks [9,10,11] and also attempt to trace a user to obtain sensitive information. Additionally, to ensure real-time communication of mobile devices with limited computing power [12], the efficiency of the authentication protocol should be considered. Therefore, a secure and efficient authentication protocol is necessary for sustainable communications in IoT environments. However, recently proposed authentication schemes in IoT environments have several security vulnerabilities, and require high amounts of computation using elliptic curve cryptosystem (ECC) [13] scalar multiplication and bilinear paring operations [14]. These shortcomings can cause problems with the sustainability of the network.

Rajaram et al. [15] proposed a user authentication scheme using bilinear pairing in 2019. They claimed that their scheme is secure against possible attacks and provides various security features. However, we analyze that their scheme has several security vulnerabilities to be applied in wireless networks. Their scheme cannot guarantee user anonymity and requires a high amount of computational cost because it uses bilinear pairing. Therefore, we propose an improved authentication protocol that can resolve these issues.

1.1. Motivation

In IoT environments, each message is transmitted through public channels. The messages can contain personal sensitive information, and if the information is leaked to an adversary, it can cause serious privacy threats. Additionally, IoT devices have limited computing resources, a high amount of computation cost can cause delays. Therefore, a secure and efficient authentication protocol is essential for sustainable IoT environments. In 2019, Rajaram et al. proposed a pairing-based user authentication scheme. However, Rajaram et al. scheme does not have resistance to off-line guessing, impersonation, privileged insider, and known session-specific temporary information attacks. In addition to Rajaram et al. scheme, we note the limitations and weaknesses of existing researches (see Section 2). Several schemes used elliptic curve multiplication and bilinear pairing which require a high amount of computation, making it unsuitable for IoT environments. Additionally, most schemes do not have resistance to various attacks including impersonation, off-line guessing, and privileged insider attacks, and cannot guarantee security features such as mutual authentication, user anonymity, and user untraceability. Because of these weaknesses, existing schemes are not sustainable in IoT environments, and it motivated us to design a new authentication protocol that overcomes the drawbacks of existing researches and ensures both security and efficiency.

1.2. Main Contributions

The main contributions of this paper are as follows.

• We analyze that Rajaram et al. scheme [15] is vulnerable to offline password guessing, impersonation, privileged insider, and known session-specific temporary information attacks, and does not provide user anonymity and untraceability.
• We propose a secure, lightweight, and anonymous authentication protocol, which uses only hash and exclusive-or operations, making it suitable for IoT environments.
• We provide informal analyses of the proposed protocol and perform a security analysis under the real-or-random (RoR) model to prove the session key security.
• We prove correctness of the proposed protocol using the BAN logic, and show that the proposed protocol is secure against replay and MiTM attacks using automated validation of internet security protocols and application (AVISPA) simulation tool.
• We provide comparison results between the proposed protocol with existing protocols proposed in IoT environments. It shows that our protocol has lower computation and communication costs than the existing protocols, and that the proposed protocol is more suitable to real IoT environments.

2. Related Works

Over the past few years, many authentication protocols have been proposed for IoT environments. In 2018, Chen et al. [16] proposed a lightweight and anonymous authentication scheme for IoT environments. They used ECC for authentication and analyzed the scheme using the BAN logic. They also simulated computation and communication costs using C++. Dhillon and Kalra [17] proposed a three-factor user authentication scheme for IoT-based healthcare systems. They handled authentication between medical professionals and a cloud server. Thakare and Kim [18] indicated security and efficiency of the existing protocols and proposed an ECC-based authentication scheme for IoT environments. They formally analyzed the scheme using both AVISPA and ProVerif tools to prove security and correctness. However, these schemes [16,17,18] suffer from high computation cost, as they used an elliptic curve cryptosystem.

Some studies proposed lightweight authentication protocols using only hash and exclusive-or operations. In 2014, Kumari et al. [19] proposed a two-factor remote user authentication scheme for distributed systems. They claimed that their scheme has various security characteristics including resistance to smart card stolen attack and user impersonation attack. However, Kaul and Awasthi [20] indicated that the Kumari et al. scheme is vulnerable to smart card loss attacks. They proposed an enhanced authentication protocol and formally analyzed it using the AVISPA simulation tool. Kang et al. [21] showed that Kaul and Awasthi’s scheme cannot guarantee user anonymity, and is not secure against off-line password guessing and desynchronization attacks. They proposed a biometric-based key agreement scheme. However, they does not consider known session-specific temporary information attacks. Rana et al. [22] also asserted that Kaul and Awasthi’s scheme cannot resist user impersonation attacks using a stolen smart card, and proposed a lightweight authentication scheme, which is suitable for IoT infrastructures. However, their scheme does not consider known session-specific temporary information attacks and cannot ensure user untraceability.

In 2019, Rajaram et al. [15] proposed a bilinear pairing based user authentication scheme. They claimed that their scheme is secure against off-line guessing, privileged insider, and impersonation attacks and can ensure mutual authentication. However, we observe that Rajaram et al. scheme cannot defend against mentioned attacks, and is vulnerable to known session-specific temporary information attack and suffers from lack of user anonymity. Their scheme also requires high computation cost as it uses bilinear pairing operation. In this paper, we propose a secure, lightweight, and anonymous user authentication scheme that resolves the above mentioned issues and is suitable for IoT environments.

3. Review of Rajaram et al.’s Scheme

Rajaram et al.’s scheme consists of initialization, user registration, user login, user authentication, and password update phase.

Table 1. Notations of the Rajaram et al. scheme.

Notation	Description
$U_x$	User/client X
$I{D}_x,P{W}_x$	Identity and password of $U_x$
$S{C}_x$	Smart card of $U_x$
$RS$	The remote server
$G_1$	Cyclic additive group
$G_2$	Cyclic multiplicative group
$RP$	Generator of $G_1$
q	Large prime order of the cyclic groups
$h{f}_1:{\{0,1\}}^{*}\to Z_q$	Cryptographic hash function
$e:G_1\times G_1\to G_2$	Bilinear mapping
$sK$	Secret key of $RS$
$P_{pub}=sK·RP$	Public key of $RS$
$y_1,y_2$	Session random numbers
$ssK$	Session key between $U_x$ and $RS$
*	Multiplication operation

represents the notations of Rajaram et al.’s scheme and the detailed description of each phase is as follows.

3.1. Initialization Phase

$RS$ generates a large prime number q, chooses an additive cyclic group $G_1$ and a multiplicative cyclic group $G_2$ with order q, and selects a cryptographic hash function $h{f}_1:{\{0,1\}}^{*}\to Z_q$. Thereafter, $RS$ chooses a generator $RP\in G_1$ and calculates $e(RP,RP)=\alpha$, and selects a secret key $sK$ and the public key of $RS$ is $P_{pub}=sK·RP$. $RS$ keeps $sK$ securely and publishes $(q,G_1,G_2,RP,\alpha ,h(·),P_{pub})$.

3.2. User Registration Phase

$U_x$ registers to $RS$ using $I{D}_x$ and $P{W}_x$. Firstly, $U_x$ chooses a $y\in Z_q$ and computes $PW{D}_x=h{f}_1(P{W}_x\left|\right|y)$. Thereafter, $U_x$ sends $(I{D}_x,PW{D}_x)$ to $RS$. After $RS$ receives the message, $RS$ computes $R_x=h{f}_1(sK,I{D}_x)\oplus PW{D}_x$ and $RE{G}_{I{D}_x}=h{f}_1(sK,I{D}_x)·PW{D}_x·RP$. After that, $RS$ stores $(R_x,RE{G}_{I{D}_x},h{f}_1(·),RP,P_{pub})$ in $S{C}_x$. Thereafter, $RS$ issues $S{C}_x$ to $U_x$, and $U_x$ stores y in $S{C}_x$. Subsequently, $(R_x,RE{G}_{I{D}_x},h{f}_1(·),RP,P_{pub},y)$ is stored in $S{C}_x$. The registration phase is performed via a secure channel. Figure 2 shows the registration phase of Rajaram et al. scheme.

3.3. User Login Phase

A registered $U_x$ can be offered services form $RS$ by inserting $S{C}_X$ to the card reader. After $U_x$ inputs $I{D}_x^{*}$ and $P{W}_x^{*}$ to $S{C}_x$, $S{C}_x$ computes $PW{D}_x^{*}=h{f}_1(P{W}_x^{*}\left|\right|y)$, $L_0=R_x\oplus PW{D}_x^{*}$, and $RE{G}_{I{D}_x^{*}}=L_0·PW{D}_x^{*}·RP$. Thereafter, $S{C}_x$ checks whether $RE{G}_{I{D}_x}^{*}\stackrel{?}{=}RE{G}_{I{D}_x}$. If they are equal, $S{C}_x$ chooses $y_1$ and computes $L_1=h{f}_1(y_1\left|\right|T_1),$$L_2=h{f}_1(PW{D}_x\left|\right|L_1)$, $L_3=(L_0+L_2)·P_{pub}$, and $L_4=L_1\oplus PW{D}_x^{*}$. $T_1$ is a current timestamp. Thereafter, $U_x$ sends $(I{D}_x,R_x,L_3,L_4,T_1)$ to $RS$ through a wireless channel. Figure 3 shows the login phase of Rajaram et al. scheme.

3.4. User Authentication Phase

After receiving the message from $U_x$, $RS$ verifies the validity of $I{D}_x$ and checks whether $|T_1-T_1^{*}|\le \Delta T?$, where $T_1^{*}$ is a timestamp when $RS$ received the message and $\Delta T$ is a tolerance. Thereafter, $RS$ computes $A_0=h{f}_1\left(sK\right||I{D}_x)$, $PW{D}_x=R_x\oplus A_0$, $L_1=PW{D}_x\oplus L_4,$ and $L_2=h{f}_1(PW{D}_x\left|\right|L_1)$. Subsequently, $RS$ checks whether $e(L_3,RP)\stackrel{?}{=}{\alpha }^{sK·(A_0+L_2)}$. If they are equal, $RS$ chooses $y_2\in Z_q^{*}$ and computes $A_1=h{f}_1(y_2\left|\right|T_x)$, $A_2=h{f}_1(A_0\left|\right|A_1)$, $A_3=A_2·PW{D}_x·RP$, $y_3=L_1\oplus A_1$, and session key $ssK=h{f}_1(A_2\left|\right|L_1\left|\right|A_1\left|\right|L_2)$. Then, $RS$ sends $(A_3,y_3,T_2)$ to $U_x$. After $U_x$ receives the message, $U_x$ checks whether $|T_2-T_2^{*}|\le \Delta T?$ and computes $A_1^{*}=y_3\oplus L_1$, $A_2^{*}=h{f}_1(L_0\left|\right|A_1^{*})$, and $A_3^{*}=A_2^{*}·PW{D}_x·RP$. If $A_3=A_3^{*}$, $U_x$ computes session key $ssK=h{f}_1(A_2\left|\right|L_1\left|\right|A_1\left|\right|L_2)$. Figure 4 shows the authentication phase of Rajaram et al. scheme.

3.5. Password Change Phase

The password change phase of the Rajaram et al. scheme can be conducted through a new registration (see Section 3.2) or during the authentication phase (see Section 3.3 and Section 3.4).

4. Cryptanalysis of the Rajaram et al. Scheme

Rajaram et al. asserted that their scheme has resistance to impersonation and privileged insider attacks. However, we observed that their scheme cannot prevent impersonation and privileged insider attacks. We also analyzed the Rajaram et al. scheme with the CK model and found that it is vulnerable to known session-specific temporary information attacks.

4.1. Adversary Model

To analyze the security of the proposed protocol, we adopt the Dolev–Yao (DY) adversary model [23]. The DY model is an widely-accepted adversary model, which is applied to various authentication protocols [24,25,26,27]. An adversary A has the following assumptions in the DY model.

• A has full control over transmitted messages on wireless channels. A can eavesdrop, delete, inject, and modify messages.
• A can steal a smart card of a legitimate user and can extract the stored value using power analysis [28,29].
• A can use the values obtained from the previous assumptions to attempt active attacks such as off-line guessing, impersonation, and session key disclosure.

We also apply the Canetti and Krawczyk (CK) adversary model [30] to further analyze the proposed protocol. The CK model has a stronger assumption compared to the DY model, and is also widely used in the analysis of an authentication protocol [31,32,33]. In the CK model, A can compromise session states and hijack random values generated in each session.

4.2. Off-Line Password Guessing Attack

By the assumptions of Section 4.1, an adversary A can obtain $(R_x,RE{G}_{I{D}_x},RP,P_{pub},y)$ stored in $S{C}_x$ and the transmitted message $(I{D}_x,R_x,L_3,L_4,T_1)$ through an open channel. Thereafter, A can attempt off-line password guessing attack as follows.

• A guesses password $P{W}_x^A$ from a password dictionary, and then computes $PW{D}_x^A=h{f}_1(P{W}_x^A\left|\right|y)$.
• Thereafter, A computes $L_0^A=R_x\oplus PW{D}_x^A$ and $RE{G}_{I{D}_x}^A=L_0^A·PW{D}_x^A·RP$, and checks whether $RE{G}_{I{D}_x}^A\stackrel{?}{=}RE{G}_{I{D}_x}$.
• If it satisfies, A succeeds in guessing the correct password. If not, A performs the process again from the beginning.

4.3. Impersonation Attack

Using the guessed password as described in Section 4.2, A can impersonate as $U_x$.

• A generates a timestamp $T_A$ and $y_1^A\in Z_q^{*}$.
• A computes $L_1^A=h{f}_1(y_1^A\left|\right|T_A)$, $L_2^A=h{f}_1(PW{D}_x\left|\right|L_1^A)$, $L_3^A=(L_0+L_2^A)·P_{pub}$, and $L_4^A=PW{D}_x\oplus L_1^A$.
• A sends $\left(I{D}_x\right|\left|R_x\right|\left|L_3^A\right|\left|L_4^A\right|\left|T_A\right)$ to $RS$. After $RS$ receives the message, $RS$ regards the message as sent by $U_X$, and sends a response message.

A succeeds in impersonating as $U_X$. Therefore, Rajaram et al.’s scheme cannot defend against the impersonation attack.

4.4. Privileged Insider Attack

If A is an privileged insider, A can obtain the registration request message $(I{D}_x,PW{D}_x)$ of $U_x$ and can attempt to discover the session key using the information. To calculate $ssK$, A can use $R_x,L_3,L_4,$ and $y_3$, which are obtained from open channels. A computes $L_0=R_x\oplus PW{D}_x$, $L_1=PW{D}_x\oplus L_4$, and $L_2=h{f}_1(PW{D}_x\left|\right|L_1)$. Thereafter, A computes $A_1=y_3\oplus L_1$ and $A_2=h{f}_1(L_0\left|\right|A_1)$. Finally, A can calculate $ssK=h{f}_1(A_2\left|\right|L_1\left|\right|A_1\left|\right|L_2)$, and therefore, Rajaram et al.’s scheme cannot resist a privileged insider attack.

4.5. Known Session-Specific Temporary Information Attack

Under the CK model, A can comprise a session and obtain session random numbers $y_1$ and $y_2$. Then, A can disclose the session key $ssK$ using the random numbers. A can obtain the messages $(I{D}_x,R_x,L_3,L_4,T_1)$ and $(A_3,y_3,T_2)$, which are transmitted during the authentication phase. Thereafter, A can compute $L_1=h{f}_1(y_1,T_1)$, $PW{D}_x=L_4\oplus L_1$, $L_2=h{f}_1(PW{D}_x,L_1)$, $A_1=y_3\oplus L_1$, $A_2=h{f}_1(R_x\oplus PW{D}_x\left|\right|A_1)$. A can calculate $A_1,A_2,L_1,$ and $L_2$, and obtain $ssK=h{f}_1(A_2,L_1,A_1,L_2)$. Therefore, Rajaram et al. scheme is vulnerable to known session-specific temporary information attacks.

4.6. User Anonymity and Untraceability

In Rajaram et al.’s scheme, user identity $I{D}_x$ is transmitted on a wireless channel without being masked and encrypted. Therefore, A can obtain $I{D}_x$ from transmitted messages to trace $U_x$. Rajaram et al.’s scheme cannot support privacy-preservation and can raise serious security issues in several IoT environments, such as healthcare systems and smart home.

5. Proposed Scheme

The proposed scheme includes an initialization, user registration, user login, user authentication, and password update phase.

Table 2. Notations of the proposed scheme.

Notation	Description
$U_X$	User/client X
$I{D}_X,P{W}_X$	Identity and password of $U_X$
$S{C}_X$	Smart card of $U_X$
$TI{D}_X$	Temporary identity of $U_X$
$PI{D}_X$	Secret temporary identity of $U_X$
$RS$	The remote server
$h:{\{0,1\}}^{*}\to Z_q$	Cryptographic hash function
$a_x,b_x$	Session random numbers
s	Secret key of $RS$
$SK$	Session key between $RS$ and $U_X$

describes the notations of the proposed scheme.

5.1. Initialization

$RS$ chooses a large prime q, generates a secret key $s\in Z_q^{*}$, and selects a cryptographic hash function $h(·):{0,1}^{*}\to Z_q$. $RS$ publishes $(q,h(·\left)\right)$ and keeps s securely.

5.2. User Registration Phase

Before the authentication, $U_X$ registers to $RS$. $U_X$ chooses $I{D}_X$ and $P{W}_X$, and generates $r\in Z_q^{*}$. $U_X$ computes $PW{D}_X=h(P{W}_X\left|\right|r)$, and then sends $(I{D}_X,PW{D}_X)$ to $RS$. $RS$ checks whether $I{D}_X$ is already registered after receiving the message. If not, $RS$ chooses $t\in Z_q^{*}$, and computes $TI{D}_X=h(I{D}_X\left|\right|t)$ and $PI{D}_X=h(TI{D}_X\left|\right|s)$. Thereafter, $RS$ stores $(TI{D}_X,h(I{D}_X\left|\right|PW{D}_X\left)\right)$ in secure memory. $RS$ generates a fuzzy extractor $l\in [2^4,2^8]$ and stores $(TI{D}_X,PI{D}_X,h(·),l)$ in smart card $S{C}_X$. $RS$ transmits $S{C}_X$ to $U_X$. Subsequently, $U_X$ computes $A_X=r\oplus h(I{D}_X\left|\right|P{W}_X)$, $B_X=TI{D}_X\oplus h(I{D}_X\left|\right|P{W}_X\left|\right|r)$, $C_X=PI{D}_X\oplus h(TI{D}_X\left|\right|r)$, and $Aut{h}_X=h(TI{D}_X\left|\right|PI{D}_X)$$mod$ l. $U_X$ replaces $PI{D}_X$ to $(A_X,B_X,C_X,Aut{h}_X)$ in $S{C}_X$. The proposed user registration phase is shown in Figure 5.

5.3. User Login Phase

$U_X$ inputs $I{D}_X^{{}^{\prime }}$ and $P{W}_X^{{}^{\prime }}$ in $S{C}_X$. Thereafter, $S{C}_X$ computes $r^{{}^{\prime }}=A_X\oplus h(I{D}_X^{{}^{\prime }}\left|\right|P{W}_X^{{}^{\prime }})$, $TI{D}_X^{{}^{\prime }}=B_X\oplus h(I{D}_X^{{}^{\prime }}\left|\right|P{W}_X^{{}^{\prime }}\left|\right|r^{{}^{\prime }})$, and $PI{D}_X^{{}^{\prime }}=C_X\oplus h(TI{D}_X^{{}^{\prime }}\left|\right|r^{{}^{\prime }})$, and checks $Aut{h}_X\stackrel{?}{=}h(TI{D}_X^{{}^{\prime }}\left|\right|PI{D}_X^{{}^{\prime }})$$mod$ l. If they are equal, $S{C}_X$ generates $a_X\in Z_q^{*}$ and current timestamp $T_1$, and computes $M_1=h(PI{D}_X\left|\right|h(I{D}_X\left|\right|PW{D}_X\left)\right)\oplus a_X$ and $M_2=h(TI{D}_X\left|\right|PI{D}_X\left|\right|a_X\left|\right|T_1)$. Thereafter, $S{C}_X$ sends $(TI{D}_X,M_1,M_2,T_1)$ to $RS$. The proposed login phase is shown in Figure 6.

5.4. User Authentication Phase

After $RS$ receives the authentication request message, $RS$ checks whether $|T_1-T_1^{*}|\le \Delta T?$. Subsequently, $RS$ retrieves $h\left(I{D}_X\right|\left|PW{D}_X\right)$ using $TI{D}_X$, computes $PI{D}_X=h(TI{D}_X\left|\right|s)$ and $a_X=h(PI{D}_X\left|\right|h(I{D}_X\left|\right|PW{D}_X\left)\right)\oplus M_1$, and checks $M_2\stackrel{?}{=}h(TI{D}_X\left|\right|PI{D}_X\left|\right|a_X\left|\right|T_1)$. If it is valid, $RS$ generates $b_X\in Z_q^{*}$ and current timestamp $T_2$. Thereafter, $RS$ generates $TI{D}_X^{new}=TI{D}_X\oplus b_X$, $PI{D}_X^{new}=h(TI{D}_X^{new}\left|\right|s)$, $M_3=h(PI{D}_X\left|\right|h(I{D}_X\left|\right|PW{D}_X\left)\right)\oplus b_X$, $M_4=PI{D}_X^{new}\oplus h(TI{D}_X^{new}\left|\right|h(I{D}_X\left|\right|PW{D}_X\left)\right||b_X)$, $SK=h\left(PI{D}_X\right|\left|a_X\right|\left|b_X\right)$, and $M_5=h\left(SK\right||PI{D}_X^{new}\left|\right|T_2)$, where $TI{D}_X^{new}$ and $PI{D}_X^{new}$ are updated temporary identity and secret identity of $U_X$, respectively. $RS$ sends $(M_3,M_4,M_5,T_2)$ to $U_X$. After reception of the message, $U_X$ checks whether $|T_2-T_2^{*}|\le \Delta T?$, computes $b_X=h(PI{D}_X\left|\right|h(I{D}_X\left|\right|PW{D}_X\left)\right)\oplus M_3$, $TI{D}_X^{new}=TI{D}_X\oplus b_X$, $PI{D}_X^{new}=M_4\oplus h(TI{D}_X^{new}\left|\right|h(I{D}_X\left|\right|PW{D}_X\left)\right||b_X),$ and $SK=h\left(PI{D}_X\right|\left|a_X\right|\left|b_X\right)$, and checks whether $M_5=h\left(SK\right||PI{D}_X^{new}\left|\right|T_2)$. If they are equal, the session key is established. Thereafter, $U_X$ computes $B_{new}=TI{D}_{new}\oplus h(I{D}_X\left|\right|P{W}_X\left|\right|r)$, $C_{new}=PI{D}_{new}\oplus h(TI{D}_{new}\left|\right|r)$, and $Aut{h}_{new}=h(TI{D}_{new}\left|\right|PI{D}_{new})$$mod$ l. Subsequently, $U_X$ updates $(B_X,C_X,Aut{h}_X)$ to $(B_{new},C_{new},Aut{h}_{new})$ in $S{C}_X$. The proposed mutual authentication phase is shown in Figure 7.

5.5. Password Change Phase

After the authentication phase, $U_X$ generates a new password $P{W}_X^{new}$ and a random number $r^{new}$, computes $PW{D}_X^{new}=h(P{W}_X^{new}\left|\right|r^{new})$, and sends a password change request message to $RS$ including $(I{D}_X,PW{D}_X^{new})$. Thereafter, $RS$ updates $h\left(I{D}_X\right|\left|PW{D}_X\right)$ to $h\left(I{D}_X\right|\left|PW{D}_X^{new}\right)$ and the password update is completed.

6. Security Analysis

We analyze the security of the proposed protocol using informal analysis and formal analysis such as the BAN logic, RoR model, and AVISPA.

6.1. Informal Analysis

We informally describe that the proposed protocol is secure against the following attacks.

6.1.1. Replay and MITM Attacks

In the proposed protocol, each message transmitted during the authentication contains a timestamp and random number. Timestamps $T_1$ and $T_2$, and random numbers $a_x$ and $b_x$ are included in message hash values $M_2$ and $M_5$. An adversary cannot forge these message hash values, and therefore, the proposed protocol is secure against replay and MITM attacks.

6.1.2. Off-Line Guessing Attack

By assumption of the adversary model, an adversary A can attempt off-line guessing attack using transmitted messages $(TI{D}_X,M_1,M_2,T_1)$ and $(M_3,M_4,M_5,T_2)$, and the extracted values $(A_X,B_X,C_X,Aut{h}_X,h(.),l)$ from $S{C}_X$. Using a password dictionary, A can guess $P{W}_X^{*}$ and calculate $r^{*}=A_X\oplus h(I{D}_X\left|\right|P{W}_X^{*}$), $TI{D}_X^{*}=B_X\oplus h(I{D}_X\left|\right|P{W}_x^{*}\left|\right|r^{*})$, and $PI{D}_X^{*}=C_X\oplus h(TI{D}_X^{*}\left|\right|r)$, and can check whether $Aut{h}_X\stackrel{?}{=}h(TI{D}_X^{*}\left|\right|PI{D}_X^{*})$$mod$ l. However, A cannot know that the guessed $P{W}_x^{*}$ is legitimate because $Aut{h}_X$ is masked using fuzzy verifier l. The probability that $P{W}_x^{*}$ is a legitimate password is $\frac{2^8}{\left|hash\right|}\approx \frac{1}{{10}^{15}}$, which is negligible.

6.1.3. Impersonation Attack

A can attempt to impersonate as $U_x$ and send the authentication request message to $RS$. A can obtain $TI{D}_X$ from the transmitted message. However, referring to Section 6.1.2, A cannot generate a valid authentication request message because A cannot guess the correct $P{W}_X$ in polynomial time and A cannot calculate the valid $M_1$ and $M_2$. Therefore, the proposed protocol can defend against the impersonation attack.

6.1.4. Session Key Disclosure Attack

A can directly attempt to compute $SK$ using transmitted messages and extracted values of $S{C}_x$. A has to obtain $PI{D}_x$, $a_x$, and $b_x$ to calculate $SK=h\left(PI{D}_x\right|\left|a_x\right|\left|b_x\right)$. However, A cannot acquire any of these values because they are masked using s, $I{D}_X$, and $PW{D}_X$, which are secret values. The proposed protocol has resistance to session key disclosure attacks.

6.1.5. Perfect Forward Secrecy

If the long-term secret key s is compromised to A, then A can compute $PI{D}_X=h(TI{D}_X\left|\right|s)$, where $TI{D}_X$ is obtained from a public channel. However, $RS$ cannot calculate $a_X$ and $b_X$ without obtaining $h\left(I{D}_X\right|\left|PW{D}_X\right)$, which is stored in the secure memory of $RS$. Therefore, A cannot calculate $SK$ and the proposed protocol supports perfect forward secrecy.

6.1.6. Privileged Insider Attack

As we described in Section 4.4, A can obtain the message transmitted during the registration phase, and can use it to calculate $SK$. A can calculate $h\left(I{D}_X\right|\left|PW{D}_X\right)$ using $(I{D}_X,PW{D}_X)$, and can obtain messages transmitted on public channels. In this scenario, A still cannot calculate the session key without knowing $PI{D}_X$, which is masked with secret key s. A also cannot calculate $a_X$ and $b_X$. Therefore, the proposed protocol is secure against privileged insider attacks.

6.1.7. Stolen Verifier Attack

When the verification table stored in $RS$ can be compromised, then A can obtain the list of $h\left(ID\right|\left|PWD\right)$. A can retrieve the corresponding $h\left(I{D}_X\right|\left|PW{D}_X\right)$ from $TI{D}_X$. However, A cannot calculate $PI{D}_X$ or obtain $a_x$ and $b_x$, which are necessary to compute $SK$. The proposed protocol has resistance to stolen verifier attacks.

6.1.8. Known Session-Specific Temporary Information Attack

A can hijack the session and obtain random numbers $a_x$ and $b_x$, which are generated during the authentication. A cannot calculate $PI{D}_X$ without knowing $RS$’s secret key s. Additionally, A cannot gain any information for a future authentication request message of $U_X$. Even if session random numbers are leaked to A, the proposed protocol is secure.

6.1.9. User Anonymity and Untraceability

In the proposed protocol, $I{D}_X$ is not transmitted in public channels. Instead, $U_X$ uses temporal identity $TI{D}_X$ for authentication. $TI{D}_X$ is updated to $TI{D}_X^{new}$ in every session, and $TI{D}_X^{new}$ is veiled until $U_X$ request a new authentication to $RS$. Therefore, user anonymity is ensured in the proposed protocol. Additionally, A cannot find the connection between $TI{D}_X$ and $TI{D}_X^{new}$ to trace $U_X$.

6.2. Formal Analysis Using the Ban Logic

The BAN logic [34] is a widely-accepted [35,36,37] analysis method to verify the correctness of an authentication protocol. The BAN logic is simple but robust validation logic to prove the mutual authentication of an authentication protocol. In the BAN logic analysis, we set the idealized form of the transmitted messages and assumptions of the BAN logic proof. Thereafter, we perform the proof based on the BAN logic rules. We have presented notations of the BAN logic in

Table 3. BAN logic notations.

Notation	Description
${\pi }_1,{\pi }_2$	Two principals
${\sigma }_1,{\sigma }_2$	Two statements
${\pi }_1|$≡${\sigma }_1$	${\pi }_1$ believes ${\sigma }_1$
${\pi }_1|$∼${\sigma }_1$	${\pi }_1$ once said ${\sigma }_1$
${\pi }_1$⇒${\sigma }_1$	${\pi }_1$ controls ${\sigma }_1$
${\pi }_1$⊲${\mu }_1$	${\pi }_1$ receives ${\sigma }_1$
$\#{\sigma }_1$	${\pi }_1$ is fresh
${\left({\sigma }_1\right)}_K$	${\sigma }_1$ is encrypted with K
${\pi }_1\stackrel{K}{\leftrightarrow }$${\pi }_2$	${\pi }_1$ and ${\pi }_2$ have shared key K
$SK$	The session key

, then describe the assumptions and idealized forms, and conduct the BAN logic proof in turn.

6.2.1. BAN Logic Rules

The basic rules of the BAN logic are as followings:

• Message meaning rule (MMR):

  $$\frac{{\pi }_1|\equiv {\pi }_1\stackrel{K}{\leftrightarrow }{\pi }_2,{\rho }_1⊲{\left({\sigma }_1\right)}_K}{{\pi }_1|\equiv {\pi }_2|\sim {\sigma }_1}$$
• Nonce verification rule (NVR):

  $$\frac{{\pi }_1|\equiv \#\left({\sigma }_1\right),{\pi }_1|\equiv {\pi }_2|\sim {\sigma }_1}{{\pi }_1|\equiv {\pi }_2|\equiv {\sigma }_1}$$
• Jurisdiction rule (JR):

  $$\frac{{\pi }_1|\equiv {\pi }_2|⟹{\sigma }_1,{\pi }_1|\equiv {\pi }_2|\equiv {\sigma }_1}{{\pi }_1|\equiv {\sigma }_1}$$
• Belief rule (BR):

  $$\frac{{\pi }_1|\equiv ({\sigma }_1,{\sigma }_2)}{{\pi }_1|\equiv {\sigma }_1}$$
• Freshness rule (FR):

  $$\frac{{\pi }_1|\equiv \#\left({\sigma }_1\right)}{{\pi }_1|\equiv \#({\sigma }_1,{\sigma }_2)}$$

6.2.2. Goals

The goals are to show that $U_X$ and $RS$ believe that they agreed on the same session key.

Goal 1:

$U_X|\equiv U_X\stackrel{SK}{\leftrightarrow }RS$

Goal 2:

$U_X|\equiv RS|\equiv U_X\stackrel{SK}{\leftrightarrow }RS$

Goal 3:

$RS|\equiv U_X\stackrel{SK}{\leftrightarrow }RS$

Goal 4:

$RS|\equiv U_X|\equiv U_X\stackrel{SK}{\leftrightarrow }RS$

6.2.3. Idealized Forms

The idealized forms of the messages exchanged during the authentication can be described as follows.

$Ms{g}_1$

: $U_X\to RS:{(TI{D}_X,a_X,T_1)}_{PI{D}_X}$

$Ms{g}_2$

: $RS\to U_X:{(PI{D}_X^{new},a_X,b_X,T_2)}_{PI{D}_X}$

6.2.4. Assumptions

The basic assumptions for the BAN logic proof are as follows:

$A_1$:

$RS|\equiv \#(T_1)$

$A_2$:

$U_X|\equiv \#\left(T_2\right)$

$A_3$:

$U_X|\equiv RS\Rightarrow \left(U_X\stackrel{SK}{\leftrightarrow }RS\right)$

$A_4$:

$RS|\equiv U_X\Rightarrow \left(U_X\stackrel{SK}{\leftrightarrow }RS\right)$

$A_5$:

$U_X|\equiv U_X\stackrel{PI{D}_X}{\leftrightarrow }RS$

$A_6$:

$RS|\equiv U_X\stackrel{PI{D}_X}{\leftrightarrow }RS$

6.2.5. Ban Logic Proof

We perform the BAN logic proof of the proposed protocol as below:

Step 1:

$RS$ receives $Ms{g}_1$.

$$S_1:RS⊲{(TI{D}_X,a_X,T_1)}_{PI{D}_X}$$

Step 2:

Applying $S_1$ and $A_6$ to the MMR, we can obtain $S_2$.

$$S_2:RS|\equiv U_X|\sim (TI{D}_X,a_X,T_1)$$

Step 3:

Applying $S_2$ and $A_1$ to the FR, we can obtain $S_3$.

$$S_3:RS|\equiv \#(TI{D}_X,a_X,T_1)$$

Step 4:

Applying $S_2$ and $S_3$ to the NVR, we can obtain $S_4$.

$$S_4:RS|\equiv U_X|\equiv (TI{D}_X,a_X,T_1)$$

Step 5:

We can obtain $S_5$ applying $S_4$ to the BR.

$$S_5:RS|\equiv U_X|\equiv \left(a_X\right)$$

Step 6:

$U_X$ receives $Ms{g}_2$.

$$S_8:U_X⊲{(PI{D}_X^{new},a_X,b_X,T_2)}_{PI{D}_X}$$

Step 7:

Applying $S_6$ and $A_5$ to the MMR, we can obtain $S_7$.

$$S_7:U_X|\equiv RS|\sim (PI{D}_X^{new},a_X,b_X,T_2)$$

Step 8:

Applying $S_7$ and $A_2$ to the FR, we can obtain $S_8$.

$$S_8:U_X|\equiv \#(PI{D}_X^{new},a_X,b_X,T_2)$$

Step 9:

Applying $S_7$ and $S_8$ to the NVR, we can obtain $S_9$.

$$S_9:U_X|\equiv RS|\equiv (PI{D}_X^{new},a_X,b_X,T_2)$$

Step 10:

We can obtain $S_{10}$ applying $S_9$ to the BR.

$$S_{10}:U_X|\equiv RS|\equiv (PI{D}_X^{new},a_X,b_X)$$

Step 11:

From $S_5$ and $S_{10}$, $RS$ and $U_X$ can compute session key $SK=h\left(PI{D}_X\right|\left|a_X\right|\left|b_X\right)$.

$$S_{11}:U_X|\equiv RS|\equiv (U_X\stackrel{SK}{\leftrightarrow }RS)\hspace{1em}(\mathrm{Goal}2)$$

$$S_{12}:RS|\equiv U_X|\equiv (U_X\stackrel{SK}{\leftrightarrow }RS)\hspace{1em}(\mathrm{Goal}4)$$

Step 12:

The JR can be applied to $S_{11}$ and $S_{12}$ using $A_3$ and $A_4$, respectively.

$$S_{11}:U_X|\equiv (U_X\stackrel{SK}{\leftrightarrow }RS)\hspace{1em}(\mathrm{Goal}1)$$

$$S_{12}:RS|\equiv (U_X\stackrel{SK}{\leftrightarrow }RS)\hspace{1em}(\mathrm{Goal}3)$$

Finally, the user and server are mutually authenticated each other.

6.3. Formal Analysis Using the Ror Model

The RoR model [38] is a formal analysis method of an authentication protocol [39,40,41,42]. The RoR model is used to verify the semantic security of session key $SK$ of an authentication protocol probabilistically. Under the RoR model, an adversary A can attempt passive and active attacks represented by queries to find $SK$. Before conducting the RoR model based analysis, we explain notations and queries to be used. We denote $p^t$ as a participant with the $t^{th}$ instance. Thereafter, $p_{U_X}^{t_1}$ and $p_{RS}^{t_2}$ are participants $U_X$ and $RS$ with $t_1^{th}$ and $t_2^{th}$ instances, respectively. Additionally, the queries executed by A are presented in

Table 4. Queries of the ROR model.

Query	Description
$Execute(p_{U_X}^{t_1},p_{RS}^{t_2})$	A can perform eavesdropping attack using this query. A can obtain messages transmitted during the authentication between $p_{U_X}^{t_1}$ and $p_{RS}^{t_2}$
$CorruptSC\left(p_{U_X}^{t_1}\right)$	A can steal the smart card of $p_{U_X}^{t_1}$ and extract the stored data using this query.
$Send(p^t,M)$	Using this query, A sends message M to participant $p^t$ to receive the response of sent messages.
$Test\left(p^t\right)$	A executes this query at the end of each game. When this query is executed, an unbiased coin c is flipped. The heads represents 1 and the tails represents 0. After c is flipped, $p^t$ returns $SK$ when $c=1$ and a random number when $c=0$. Otherwise, $p^t$ returns $NULL$. If A can distinguish between $SK$ and a random value, A wins the game.

.

A can get the output value of the hash function for the input by performing a $Hash$ query. When $Adv\left(A\right)$ is the probability of the advantage for A to break the session key, we prove the following equation:

$$Adv\left(A\right)\le \frac{q_h^2}{\left|Hash\right|}+\frac{2q_{send}}{|D_{id}{D}_{pw}|},$$

(1)

where $q_h$ represents the number of hash queries performed by A, $\left|Hash\right|$ represents the range space of the cryptographic hash function, $q_{send}$ represents the number of $Send$ queries performed by A, and $\left|D\right|$ represents the size of the password dictionary.

Proof. 

A plays four games $G_i(i=0,1,2,3)$ under the RoR model. We denote $Ad{v}^{G_i}\left(A\right)$ is a advantage of A to compromise $SK$ after playing $G_i$.

• $G_0$: A selects the bit c at the start of the game. In the first game, A has no information about $SK$ and no queries to perform. By the definition of semantic security, we can induce the following equation.

  $$Adv\left(A\right)=|2Ad{v}_{G_0}\left(A\right)-1|.$$

  (2)
• $G_1$: A attempts an eavesdropping attack in this game. First, A uses the $Execute$ query. Thereafter, A performs a $Test$ query to receive the return value. Finally, A guesses whether the value is $SK$ or a random number. For A to win the game, A should be able to calculate $SK$, which is computed by $PI{D}_X$, $a_X$, and $b_X$. These values cannot be obtained using eavesdropping attacks. There is no advantage for A to be gained by the $Execute$ query. Therefore, the advantage of A at the end of $G_1$ is equal to that at the end of $G_0$.

  $$Ad{v}_{G_0}\left(A\right)=Ad{v}_{G_1}\left(A\right).$$

  (3)
• $G_2$: In this game, A uses the $Send$ and $Hash$ queries to compromise $SK$. From the transmitted messages, A obtains $(TI{D}_X,M_1,M_2,T_1)$ and $(M_3,M_4,M_5,T_2)$. However, the only way for A to win the game is to find a hash collision because there is no information about $SK$ from these values. The advantage function at the end of $G_2$ is as follows by the birthday paradox.

  $$|Ad{v}_{G_2}\left(A\right)-Ad{v}_{G_1}\left(A\right)|\le \frac{q_h^2}{2\left|Hash\right|}.$$

  (4)
• $G_3$: In the final game, A performs a stolen smart card attack, which is represented as the $CorruptSC$ query, then A can extract $(A_X,B_X,C_X,Aut{h}_X)$ from $S{C}_X$. To win the game, A should succeed in finding the identity $I{D}_X$ and password $P{W}_X$ simultaneously to login to $S{C}_X$. Because A cannot obtain any information about $I{D}_X$ and $P{W}_X$, A should guess the values from identity dictionary $D_{id}$ and password dictionary $D_{pw}$. Thereafter, the following equation can be induced.

  $$|Ad{v}_{G_3}\left(A\right)-Ad{v}_{G_2}\left(A\right)|\le \frac{q_{send}}{|D_{id}{D}_{pw}|}.$$

  (5)

After all the games are over, A should guess the correct bit c from the $Test$ query. It follows that

$$Ad{v}_{G_3}\left(A\right)=\frac{1}{2}.$$

(6)

From Equations (2) and (3), we can obtain the following equation:

$$\begin{array}{cc}\hfill \frac{1}{2}Adv\left(A\right)& =|Ad{v}_{G_1}\left(A\right)-\frac{1}{2}|\hfill \\ \hfill & =|Ad{v}_{G_1}\left(A\right)-Ad{v}_{G_3}\left(A\right)|.\hfill \end{array}$$

(7)

We can apply the triangular inequality to Equation (7).

$$\begin{array}{cc}\hfill |Ad{v}_{G_3}\left(A\right)-Ad{v}_{G_1}\left(A\right)|& \le |Ad{v}_{G_3}\left(A\right)-Ad{v}_{G_2}\left(A\right)|+|Ad{v}_{G_2}\left(A\right)-Ad{v}_{G_1}\left(A\right)|\hfill \\ \hfill & \le \frac{q_h^2}{\left|Hash\right|}+\frac{2q_{send}}{|D_{id}{D}_{pw}|}.\hfill \end{array}$$

(8)

We can obtain the following equation using Equations (7) and (8).

$$Adv\left(A\right)\le \frac{q_h^2}{\left|Hash\right|}+\frac{2q_{send}}{|D_{id}{D}_{pw}|},$$

(9)

which is the same as Equation (1). Finally, we prove the semantic security of the proposed protocol using the RoR model. □

6.4. Formal Analysis Using Avispa Simulation

The AVISPA tool [43] can verify that the authentication protocol is secure against replay and MITM attacks by simulating the implementation of the authentication protocol as code. AVISPA is used in many authentication protocols as a formal verification tool [44,45,46]. It is implemented using the “High-Level Protocol specification Language” (HLPSL) and uses four back-ends: “On-the-fly Model-Checker (OFMC)”, “SAT-based Model-Checker (SATMC)”, “Constraint Logic Based Attack Searcher (CL-AtSe)”, and “Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)”. The HLPSL2IF translator converts the intermediate format (IF) of the code implemented using HLPSL into the output format (OF). The OF shows the simulation results which include “SUMMARY”, “DETAILS”, “PROTOCOL”, “GOAL”, “BACKEND”, and “STATISTICS”. The SUMMARY shows whether the protocol is safe, the BACKEND gives the name of the back-ends, and STATISTICS shows the time of the trace of the attack. The left side of Figure 8 represents the role of user implemented in AVISPA tool. The remote server is implemented similar to the user. Furthermore, the right side of Figure 8 shows the session, environments, and goals of the proposed protocol.

Generally, the AVISPA simulation is executed using the OFMC and CL-AtSe models, which support the exclusive-or operation. If the summaries under the two back-end models are safe, we can say that the protocol is secure against replay and MITM attacks. The simulation results are shown in Figure 9. The simulation summaries of the proposed protocol are safe under the OFMC and CL-AtSe back-ends. This means that the back-ends cannot search for an attack. Therefore, we verify that the proposed protocol has resistance to the replay and MITM attacks.

7. Performance Analysis

In this section, we compare the computation and communication cost of the proposed protocols with related protocols [15,16,17,18,19,20,21,22].

7.1. Computation Cost

Referring to the classification in [12], user’s mobile device is class 15, and the remote server is class 19. Considering the different computing powers of user’s mobile device and the remote server, we conducted the experiment in both Raspberry PI (class 14) and desktop environments (class 17). The desktop is quad-core i7-4790 CPU with a 16GB RAM and the operation system is the Linux Ubuntu 20.04, and Raspberry PI 3B is a quad-core system with 1GB RAM. We used the MIRACL Cryptography library to implement the operations used for the authentication protocols [47]. The executed operations and execution time are as presented in

Table 5. Execution time of each operation.

Notation	Description	Raspberry PI	Desktop
$T_{bp}$	Bilinear pairing operation	46.130 ms	13.440 ms
$T_{exp}$	Modular exponentiation operation	5.119 ms	1.864 ms
$T_{mul}^{bp}$	Scalar multiplication in pairing-based group	5.611 ms	2.521 ms
$T_{add}^{bp}$	Point addition in pairing-based group	0.043 ms	0.018 ms
$T_{mul}^{ecc}$	Scalar multiplication in elliptic curve group	2.579 ms	1.489 ms
$T_{add}^{ecc}$	Point addition in elliptic curve group	0.019 ms	0.008 ms
$T_h$	SHA-256 hash operation	0.025 ms	0.004 ms

. As shown in Table 5, the operations on Raspberry Pi take 2–3 times longer than the operations on desktop.

According to the results shown in Table 5, we calculate the total computation cost of the proposed protocol and other related protocols [15,16,17,18,19,20,21,22] as shown in

Table 6. Computation cost comparison.

Scheme	User Overhead	Server Overhead
[15]	$3T_{mul}^{bp}+7T_h\approx$ 17.008 ms	$T_{bp}+T_{mul}^{bp}+6T_h\approx$ 15.985 ms
[16]	$T_{mul}^{ecc}+5T_h\approx$ 2.704 ms	$T_{mul}^{ecc}+4T_h\approx$ 1.505 ms
[17]	$2T_{mul}^{ecc}+3T_h\approx$ 5.233 ms	$2T_{mul}^{ecc}+6T_h\approx$ 3.002 ms
[18]	$2T_{mul}^{ecc}+8T_h\approx$ 5.358 ms	$T_{mul}+T_h\approx$ 1.493 ms
[19]	$11T_h\approx$ 0.275 ms	$5T_h\approx$ 0.02 ms
[20]	$10T_h\approx$ 0.25 ms	$5T_h\approx$ 0.02 ms
[21]	$8T_h\approx$ 0.2 ms	$4T_h\approx$ 0.016 ms
[22]	$20T_h\approx$ 0.5 ms	$5T_h\approx$ 0.032 ms
Proposed	$14T_h\approx$ 0.35 ms	$8T_h\approx$ 0.032 ms

. Some existing lightweight schemes are more efficient than the proposed scheme. However, the existing lightweight schemes is vulnerable to a variety of attacks. The proposed scheme has considerably higher efficiency than the public key-based protocols and also can provide better security.

7.2. Communication Cost

We calculate the total bits transmitted during the authentication to compare the communication costs. We assumed that a timestamp is 32 bits, identity and password are 128 bits, SHA-256 hash output is 256 bits, a random number is 256 bits, an elliptic curve point is 320 bits, and an element of a pairing-based group is 1024 bits. The total communication cost of the existing and proposed schemes are as presented in

Table 7. Communication cost comparison.

Scheme	Total Communication Cost	Number of Messages
[15]	1824 bits	2
[16]	1696 bits	2
[17]	1920 bits	3
[18]	1804 bits	2
[19]	1344 bits	2
[20]	960 bits	2
[21]	1536 bits	2
[22]	1216 bits	2
Proposed	1600 bits	2

.

Similar to the results in Table 6, the total communication cost of the proposed scheme is slightly higher than those of the existing lightweight protocols [19,20,21,22]. However, the proposed scheme generates lower communication cost than those in [15,16,17,18]. Furthermore, as described in Section 7.3, our protocol is more secure than existing schemes.

7.3. Security Features

We analyzed security characteristics of the proposed protocol with related protcols. This includes: A1: “ Resistance to replay attack”, A2: “Resistance to privileged insider attack”, A3: “Resistance to known session specific temporary information attack”, A4: “Resistance to off-line guessing attack”, A5: “Resistance to impersonation attack”, A6: “Resistance to session key disclosure attack”, A7: “Support of perfect forward secrecy”, A8: “Support of user anonymity”, A9: “Support of user untraceability”, A10: “Formal proof using the BAN logic” A11: “Formal proof using the RoR model”, and A12: “Formal proof using the AVISPA simulation”.

Table 8. Security features comparison.

Security Features	[15]	[16]	[17]	[18]	[19]	[20]	[21]	[22]	Proposed
A1	O	O	O	O	O	O	O	O	O
A2	X	-	O	O	O	O	O	O	O
A3	X	O	O	-	-	-	-	-	O
A4	X	O	O	O	X	O	X	O	O
A5	X	O	O	X	X	X	X	O	O
A6	O	O	O	O	O	X	X	O	O
A7	-	O	O	O	-	-	-	-	O
A8	X	O	X	X	X	X	X	-	O
A9	X	O	X	X	X	X	X	X	O
A10	O	X	X	X	X	X	X	X	O
A11	X	O	X	X	X	X	X	O	O
A12	X	X	O	O	X	X	X	O	O

-: Not considered. X: Insecure. O: Secure.

shows that the proposed protocol has better security than other protocols.

8. Conclusions

In this paper, we designed a secure, lightweight, and anonymous authentication protocol suitable for IoT environments. The proposed protocol resolved security flaws of the Rajaram et al. scheme. It uses only hash and exclusive-or operations during the authentication. Therefore, it is considerably more efficient than Rajaram et al. scheme as well as other existing authentication schemes proposed for IoT environments. Additionally, the proposed protocol can defeat various attacks and ensure more security features than the existing protocols. We analyzed the proposed protocol using BAN logic analysis to prove the correctness, the RoR model to formally verify the session key security, and the AVISPA simulation tool to show the resistance against replay and man-in-the-middle (MITM) attacks. The proposed protocol is sustainable because it has a high security level and low computation cost, and it can contribute to increase energy efficiency and reduce economic costs. Therefore, the proposed protocol can be applied to for various IoT environments. In the future work, we plan to implement the proposed protocol in practice.