In this subsection, the formal security analysis of the proposed protocol is discussed using random oracle model (ROM) and automated validation of internet security protocols and applications (AVISPA).
Random Oracle Model
In this subsection, the formal security analysis of the proposed protocol is discussed using the following theorem.
Theorem 1. Let P denote the proposed protocol. If an adversary wins the AKA attack game, having advantage , then there must be a polynomial time algorithm that can solve the hard problem with following:whereas indicates the time of , and queries, respectively. Proof. Let be an attacker who attacks on protocol and wins the game with an advantage of . A challenger C is constructed, who solves problem instance for some unknown and , to decide if holds or not. All the hash functions of the proposed protocol are simulated as random oracles, and C established a hash list which is initialized as an empty list. Message (a = 1,2,3,4) indicates the messages that are being transmitted by the entities during protocol’s execution. C chooses randomly and publishes ; C also sets identities , for the user and fog-node. C runs the proposed protocol and answers the following queries of oracle. □
Send query: initiates an active attack and using different queries forwards the messages. Four different queries are available to , which are as follows:
(: After getting the query, C initiates a new session and returns the login message produced by the user. Particularly, C chooses and randomly and computes Moreover, C returns to , and is set to an expecting state.
(): After getting this query, C first breaks the into picks , and computes , , . Then C returns to and sets to an expecting state.
(): After getting this query, C breaks the into and computes and and checks either and holds or not. If not, query is rejected by C and returns nothing. Else, C picks and calculates and sends to and instance terminates.
(): After getting this query, it is assumed that is in an expecting state, and determines if holds or not, If not, then C rejects query otherwise C returns back to and fog instance terminates.
(): After getting this send query, it is supposed that is in an expecting state, C breaks into which verifies . If this condition does not hold then C rejects query and returns nothing. Otherwise, C calculates and the instance of the client is accepted and terminated. Furthermore, are added to list.
Corrupt query: In order to obtain the long term key of user, an adversary initiates this query.
Upon receiving corrupt the information stored in the database protected with secret key x is returned.
Execute (): On this query, the execution process of proposed protocol is simulated by
C after issuing the following
queries.
and
C returns
to
.
Reveal : On receiving this query, C responds with a session key if instance is accepted; otherwise, it returns ⊥.
Test query: On receiving the test query , C chooses . If , then C gives back the true session key; otherwise, it return a the random value of similar size. The above said proof is compared on sequence games . Let be the event that outputs the correct in game (a = 0,1,2,3,4).
Game:
is the actual attacking game. Just like a real player,
C simulates the oracle queries in this game. The chances of success in this game are quite equal to the probability that
succeeds in attacking the proposed protocol and obtains the following:
Game: This game is identical to
. The difference is that
C maintains a list of values
.
C searches the related list when the hash oracle is queried. If there exists any entry, then the same value is returned; otherwise,
C returns the random value and inserts it into corresponding list
. It is visible and concluded here from the properties of oracle that
is indistinguishable from
. Therefore:
Game : This game is identical to . The difference is that in this game, the simulation of all queries will be terminated only if the following two events occur:
Event (): Collision on the result hash queries.
Event (): Collision on the copy of all messages ().
As per the the definition of birthday paradox:
Since a,b,c are randomly chosen, the probability of
happening is
, where
and
are upper bound of the
and
queries, respectively. Therefore, we have:
Game : In this game, the send query is modified. C picks an instance () and answers queries as follows:
When initiates a ()) query, C generates and forwards to .
When generates a query , C generates a message to .
When initiates a query , C sets and terminates the instance.
When initiates a query (), C sets and returns message to . It is demonstrated that if the hard assumption holds, then the difference between and is ignorable, just as follows:
If there is a differentiator which can easily differentiate
and
, then
C can solve the
problem by using a differentiator. In the case that the differentiator interacts with
, then
C outputs 1; otherwise, it outputs 0. So, we get
, and Equation (
5) holds; the
can easily differentiate the true and random session key because the values used in
are random. This can only be possible if the following events occur.
Event ():
queried
oracle, which has probability of
Event ():
impersonates the user by forging the
which posseses the verification executed by
. The probability of generating a valid
by
is:
Event ():
successfully impersonates the fog-node by forging
, which passes the verification executed by
. Like Event
, the probability of generating a valid
by
is:
Using Equations (
1) to (
5) and (
9):
Now, it can be concluded from Theorem 1 that as much as the problem is hard, for any challenger, it is computationally challenging to break the security of the proposed protocol in polynomial time.