Lightweight Scheme for Secure Signaling and Data Exchanges in Intelligent Precision Agriculture

Abstract

Intelligent precision agriculture incorporates a number of Internet of Things (IoT) devices and drones to supervise agricultural activities and surroundings. The collected data are then forwarded to processing centers to facilitate crucial decisions. This can potentially help optimize the usage of agricultural resources and thwart disasters, enhancing productivity and profitability. To facilitate monitoring and decision, the smart devices in precision agriculture must exchange massive amounts of data across the open wireless communication channels. This inadvertently introduces a number of vulnerabilities, exposing the collected data to numerous security and privacy threats. To address these issues, massive security solutions have been introduced to secure the communication process in precision agriculture. However, most of the current security solutions either fail to offer perfect protection or are inefficient. In this paper, a scheme deploying efficient cryptographic primitives such as hashing, exclusive OR and random number generators is presented. We utilize the Burrows–Abadi–Needham (BAN) logic to demonstrate the verifiable security of the negotiated session keys. In addition, we execute an extensive semantic analysis which reveals the robustness of our scheme against a myriad of threats. Moreover, comparative performance evaluations demonstrate its computation overheads and energy consumption efficiency.

1. Introduction

Precision agriculture (PA) involves the integration of technologies such as drones, Wireless Sensor Networks (WSNs), IoT, artificial intelligence, geographic information systems (GISs), geospatial technologies (GTs) and machine learning to improve agricultural outputs. In PA, a large number of different sensors are used to remotely monitor farmlands. They also collect data regarding livestock health, environmental and crop growth. For instance, real-time data regarding soil conditions, quantity and quality of yield, crops, effects of deployed chemicals on crops, weather conditions and time of yield can be remotely collected and forwarded to servers for analysis and decision making [1]. This can help reduce threats to the production process and hence improve agricultural productivity. In addition, drones have been utilized for the application of pesticide spray and management of crops (such as disease discovery and management of weeds). In IoT-based smart agriculture, several technologies such as end-user applications, radio frequency identification (RFID), cloud computing and WSNs are utilized [2]. These technologies have been shown to positively impact the agricultural sector in terms of enhanced productivity, water conservation and increased income [3]. As explained in [4], crop water usage optimization is driven by the need for sustainable agricultural practices in the face of growing global food demands and climatic changes. According to [5], PA greatly helps in resource management in terms of agronomic (improving farm inputs effectiveness and hence yields), economic (enhancing competitiveness and productivity via efficient farming practices) and environment (reduction in ecological effects of agriculture via optimization of farm inputs usage). As explained in [6], smart agronomy has been implemented to increase productivity and offer disaster protection using limited resources. Similarly, faster decision making due to the incorporation of IoT and UAVs has been noted to result in costs savings and increased yields [7,8].

It is evident that the agricultural sector has benefited from rapid and intense transformations in access methods, data acquisition and sharing technologies. This has been reflected in production quality improvements, effective usage of natural resources and environmental sustainability. However, the usage of these integrated technologies render smart farming environments vulnerable to numerous cyber-security threats. For instance, the sensed data are exchanged over the open public internet and are hence susceptible to myriad threats such as eavesdropping and unauthorized access. These threats can result in the compromise of data availability, integrity and confidentiality. It is also possible for data belonging to an agricultural partner to be tampered with or altered, reducing its trustworthiness [9]. There is therefore a need for robust data verification schemes [10,11]. Due to extensive collaboration among different PA entities from diverse domains, there is a need for device authentication so as to foster secure communication [12,13]. This ensures that sensitive agricultural data are only shared with legitimate network entities. In addition, there is need to uphold trust by protecting both data in transit and in storage against any form of misuse. In this regard, we make the following contributions:

• We timestamp all the exchanged messages and validate them at the receiver end so as to thwart any packet replays.
• Frequently refreshed random numbers are incorporated in intermediary parameters to prevent against forgery and spoofing attacks.
• Elaborate formal security substantiation is executed to demonstrate the security verifiability of the negotiated session keys.
• Extensive semantic security analyses are executed, with results showing the resilience of our protocol against myriad precision agriculture threats.
• We carry out comparative performance evaluations to demonstrate the efficiency of our scheme. Specifically, this protocol is shown to consume the lowest energy and computation overheads at relatively low communication costs.

The remainder of this paper is organized as follows: Section 2 presents the related past research works, while Section 3 presents the detailed description of our protocol. Conversely, Section 4 and Section 5 discuss the security analyses and performance evaluation of the proposed scheme, respectively. Finally, Section 6 concludes this paper and offers some future research scopes.

1.1. Motivation

The requirement for data protection in precision agricultural networks and devices has seen the development of numerous security solutions. Most of these schemes are based on cryptographic operations such as public key infrastructure (PKI), blockchain technology, elliptic curve cryptography (ECC) and identity-based cryptography (IBC). However, schemes based on PKI, such as the Rivest–Shamir–Adleman (RSA) algorithm require third-party certificate authorities (CAs) for digital certificate assignment among devices. This comes with high costs for certificate management and storage. Although IBC-based crypto-systems solves this issue by using the identity of the devices as the public key and designating private key generator (PKG) for private keys distribution, these systems have key escrow challenges. For consistency, blockchain-based schemes require that each network entity maintain identical copies of the blockchains. This is detrimental to memory-limited agriculture Internet of Things (AIoT) devices. Similarly, ECC-based schemes require operations such as scalar multiplications which results in extensive overheads. In addition, most of the security solutions for PA security are based on centralized architectures, rendering them susceptible to single point of failure. Therefore, a truly efficient but robust security solution for resource-limited PA devices is required.

1.2. Research Goals

To provide perfect security in an environment characterized by frequent security threats, the following security goals should be pursued.

Message authentication: all the exchanged messages transmitted over the public channels should be verified at the receiver end.

Confidentiality: A session key need to be negotiated to encipher all the messages exchanged across the public communication channels. This presents attackers from eavesdropping on any secret parameters from the intercepted messages.

Availability: It should be cumbersome for the attackers to launch denial of service and de-synchronization attacks that can potentially lock legitimate users from accessing the required functionality and services.

Integrity: Based on any intercepted messages, attackers should be unable to modify or insert any bogus messages to the communication channel.

Perfect key secrecy: Adversaries should be unable to deploy the captured current session keys to work out session keys for the past as well as consequent communication sessions.

Anonymity: It should be cumbersome to reveal the real identities of any network entity based on the intercepted messages.

Robustness against threats: the authentication scheme needs to be resistant against typical intelligent precision agriculture threats such as denial of service (DoS), packet replay, man-in-the-middle (MitM), de-synchronization, privileged insider, impersonation and spoofing attacks.

1.3. Threat Model

The Canetti and Krawczyk model is one of the most popular threat models, and hence, we adopt it in our proposed scheme. In this model, adversary à is assumed to have the capabilities of eavesdropping on the wireless communication channel, intercepting all exchanged messages, modifying, or deleting these messages. In addition, the attacker can insert malicious messages into the communication channels to mislead the unsuspecting receivers. Moreover, à can steal smart farm devices and sensors, after which all stored security values can be extracted via power analysis. All low-entropy passwords can also be guessed by à in polynomial time, in addition to accessing all ephemeral keying parameters.

2. Related Works

In light of the many cyber threats in the smart agriculture ecosystem, several security schemes have been presented in the literature. For instance, blockchain technology allows the independent auditing and verification of transactions. This renders it ideal for enhancing trust during data access and recording in distributed network architectures [14]. Therefore, blockchain-based security solutions have been developed in [3,12,15,16,17,18,19,20,21,22]. These schemes help mitigate the single point of failure problems [23] in centralized architecture-based protocols developed in [6,24,25,26,27]. In addition, they boost both integrity and messages source verification. However, the storage and computation requirements for the blockchains are extensive IoT devices due to their limited resources [28]. Conversely, the security techniques developed in [29] utilize only one-way hash chains and hence can address the challenges in blockchain-based solutions. However, it does not offer untraceability, anonymity and dynamic node addition. In addition, it is susceptible to privileged insider, offline password guessing, impersonation and smart card loss attacks [3]. Similarly, the three factor user authentication protocol in [30] is not resilient session hijacking and eavesdropping threats.

Hinged on IBC, authentication protocols are presented in [31,32,33,34,35,36,37]. However, IBC-based schemes are susceptible to key escrow threats [38]. Similarly, the security solutions in [3,13,20,21] face key escrow threats. Although the scheme in [32] offers data confidentiality and mitigates several attacks, the leakage of the master key can result in the compromise of all the session keys [31]. Similarly, the protocol in [33] provides identity authentication, session key security and location privacy but incurs relatively high costs [31]. On the other hand, the scheme in [34] cannot withstand MitM, impersonation, DoS, privileged insider and offline password guessing attacks [3]. Similarly, the security technique presented in [35] cannot withstand privileged insider and DoS attacks [3], while the approach in [36] does not support secure communication and cannot withstand ephemeral secret leakage (ESL) attacks [39].

Some researchers have also utilized ECC to develop security schemes to secure systems and networks; for example, ECC-based authentication protocols have been developed in [40,41,42,43,44]. Although the technique in [40] protects against attacks such as impersonation and replay, it incurs high communication costs [31]. The schemes in [41,42] have relatively lower computation and communication overheads but fail to support anonymity and untraceability. In addition, the technique in [41] is exposed to ESL, smart card loss, DoS and privileged insider attacks [3]. For their part, the protocols in [42,43,44] cannot protect against ESL, offline guessing attacks, privileged insider and DoS attacks [3]. The Rabin cryptosystem-based scheme in [45] supports both untraceability and anonymity and hence can address the issues in [41,42]. However, it is not robust against privileged insider, smart card loss, ESL and offline guessing attacks [3]. Additionally, it has extensive communication overheads. In the same breath, the protocol in [46] exhibits extensive overheads due to bilinear pairing operations [47]. On the other hand, a scheme based on fuzzy extraction is presented in [48]. However, this scheme is not evaluated against attacks such as side-channeling, de-synchronization and session hijacking. A multi-factor user authentication protocol is developed in [49], while a multi-server scheme is developed in [50]. On the other hand, a homomorphic signcryption system is presented in [51], while an ECC-based scheme for authentication in smart agriculture monitoring systems is introduced in [52]. However, the scalar point multiplications in [51,52] and the fuzzy extraction operations in [49] render these schemes computationally extensive. Similarly, the required encryptions and decryptions in [50] increase its execution time.

From the discussions above, it is evident that the achievement of low-latency authentication with minimal communication overheads presents some challenges. In addition, the majority of the works in the literature are still vulnerable and hence expose the communication process to attacks. Our scheme is demonstrated to be not only efficient but also robust against conventional attacks inherent in precision agriculture environment.

3. The Proposed Scheme

The network model of our protocol comprises the user (U_i), controller node (CN_j) and smart farm sensor node (SN_k). The user in this case is the farmer performing some remote monitoring of his/her farm, while the sensor nodes are the actual devices that collect data from the field.

Conversely, the controller node performs the registration of all the users and sensors before the actual data collection process, as shown in Figure 1. The symbols utilized throughout this work are detailed in

Table 1. Symbols.

Symbol	Description
Ui	ith smart farm user
SNk	Smart farm node k
CNj	Controller node j
ɸj	Secret key for CNj
SIDk	Unique identity belonging to SNk
Sk, Sj	Sequence numbers at the SNk and CNj, respectively
PWi, SU	User password and secret key, respectively
UIDi	Ui’s unique identity
GIDi	Pseudonym shared among users of the group
GKi	Group key corresponding with GIDi
rc, ra	Random numbers
Tu, Tc	Timestamps
VT	Verification table
ΔT	Maximum transmission latency
SKC	Session key
P	A pool of generated identities
||	Concatenation operation
⊕	XOR operation

.

In terms of execution, our protocol executes in three major phases. The specific details of registration, authentication and parameter update phases are detailed below.

3.1. Registration

In this phase, all users and smart farm sensors are registered at the controller node prior to engaging in mutual verification, key setup and data exchange. The sub-sections that follow describe these procedures in finer detail. In addition, Algorithm 1 gives a summary of the registration process.

Algorithm 1: Sensor node and user registration

Begin ** Sensor registration ** (1) Choose SIDk (2) SNk $\overrightarrow{SI{D}_k}$ CNj (3) if SIDk $\in$ VT then: (4)         Prompt SNk to submit SIDk $\notin$ VT (5) else: (6)         Generate ra & set Sk= Sj = 0 (7)         Append {ra, SIDk, Sj} to VT (8)         CNj  $\overrightarrow{\{S_k, r_a\}}$ SNk (9)         Store {Sk, ra} in SNk’s memory   ** User registration ** (10)         Generate PWi & SU (11)         Compute Ua (12)         Ui $\overrightarrow{U_a}$ CNj (13)         Select UIDi$\in$ P & assign it to Ui (14)         Using UIDi, retrieve {GIDi, GKi} (15)         Extract ɸj & generate rb (16)         Compute Ca, Cb & Cd (17)         Append {GIDi, UIDi, rb} to VT (18)         CNj  $\overrightarrow{\{GI{D}_i, G{K}_i,C_b,C_d\}}$ Ui (19)         Store {GIDi, GKi, Cb, Cd} in SDi      End if End

3.1.1. Sensor Registration

Whenever a new sensor is introduced in the agricultural field, it must undergo registration prior to interacting with the rest of the network entities. To achieve this, the following three steps are carried out over the secure communication channels.

Step 1: The sensor node SN_k selects SID_k as its unique identity, which is then forwarded to the controller node CN_j, as depicted in Figure 2.

Step 2: After obtaining SID_k, CN_j checks whether it exists in its verification table (V_T). Essentially, SN_k is prompted to select a different identity if SID_k already exists in the CN_j verification table. Otherwise, CN_j generates random number ra and initializes the sequence numbers as S_k = S_j =0. These sequence numbers ensure that SN_k and CN_j are always synchronized. Next, CN_j appends value set {r_a, SID_k, S_j} to its verification table before forwarding {S_k, r_a} to the SN_k.

Step 3: Upon obtaining {S_k, r_a} from CN_j, the SN_k safely stores these parameters in its memory. These values will be used in the subsequent mutual authentication phase that is described in Section 3.2 below.

3.1.2. User Registration

The ultimate objective of this phase is to register all users at the controller node CN_j before being permitted to access information in specific sensor node SN_k. This is accomplished by the execution of the four steps below.

Step 1: User U_i generates password PW_i and private key S_U. Next, parameter U_a = h (PW_i||S_U) is derived before forwarding {U_a} to the controller node, as shown in Figure 2.

Step 2: Upon obtaining {U_a}, CN_j randomly chooses unused UID_i$\in$ P and assigns it to the current U_i, where P is a pool of generated identities (UID₁, UID₂,…UID_N). Essentially, CN_j maintains a pool of identities from which one is picked and assigned to a new user U_i. Next, CN_j utilizes this UID_i to obtain the equivalent pseudonym GID_i shared among users of the group, ɸ_j and GK_i. Basically, each user’s unique identity UID_i is associated with a certain group whose pseudonym is GID_i and group key is GK_i. After the effective retrieval of GID_i and GK_i, CN_j retrieves its secret key ɸ_j used to compute the parameters in the subsequent steps.

Step 3: CN_j chooses random number r_b and proceeds to derive C_a = h (UID_i||GK_i||r_b), C_b = U_a$\oplus$(C_a||ɸ_j) and C_d = h (C_a||ɸ_j||U_a). Next, CN_j appends {GID_i, UID_i, r_b} to its verification table and sends {GID_i, GK_i, C_b, C_d} over to user U_i for subsequent login and mutual authentication. This verification table is searched every time new users and sensor nodes are registered so that a given identity is not assigned to more than one network entity.

Step 4: Upon obtaining {GID_i, GK_i, C_b, C_d}, the user’s smart device SD_i stores these parameters in its memory. The user will deploy these security tokens to authenticate with the controller node CN_j as well as the smart farm sensor node SN_k.

3.2. Login and Authentication

When the user wishes to access some particular smart farm sensor SN_k, the two must mutually authenticate each other. In addition, they must negotiate a session key upon successful mutual verification. This key is then utilized to encipher all the exchanged information over the wireless public channels. This is accomplished using the seven steps described below, and summarized in Algorithm 2.

Step 1: User U_i enters password PW_i into his/her smart device SD_i, which then computes U_a* = h (PW_i||S_U), (C_a||ɸ_j) = C_b$\oplus$U_a* and C_d* = h (C_a||ɸ_j||U_a*). Next, it checks if C_d* = C_d, where C_d is the value stored in its memory. Essentially, the login request is rejected if this verification fails. Otherwise, U_i has successfully logged into his/her smart device SD_i.

Step 2: The smart device SD_i generates random number r_c and derives U_b = ɸ_j$\oplus$h (GID_i||GK_i||T_u), U_c = (r_c||SID_k||)$\oplus$h(GID_i||ɸ_j||C_a||T_u) and U_d = h (r_c||C_a||GID_i||T_u). At the end, the smart device SD_i composes authentication message Auth_u = {GID_i, U_b, U_c, U_d, T_u}, which is forwarded to CN_j, as shown in Figure 3.

Step 3: Upon obtaining Auth_u, CN_j determines current timestamp T_c that it deploys to validate the received T_u against ΔT by checking if |T_c − T_u| ≤ ΔT. On the condition that T_u is not fresh, the session is aborted. Otherwise, CN_j retrieves GK_i based on the received GID_i. It then computes ɸ_j = U_b$\oplus$h (GID_i||GK_i||T_u) and retrieves user identity UID_i from its verification table. Next, values C_a = h (UID_i||GK_i||r_b), (r_c||SID_k||) = U_c$\oplus$h(GID_i||ɸ_j||C_a||T_u) and U_d* = h (r_c||C_a||GID_i||T_u) are derived before checking whether the derived U_d* is equivalent to U_d received in message Auth_u. Provided that these two values are dissimilar, the session is aborted immediately. If not, CN_j randomly selects SK_C as the session key, which it utilizes to calculate C_e = (SK_C||UID_i)$\oplus$h (S_j||SID_k||r_a) and C_f = h (SK_C||UID_i||SID_k||S_j||r_a).

Step 4: CN_j updates random number r_a as r_a^new = h (r_a||SID_k). In addition, it increments the sequence number S_j by 1; that is, S_j = S_j + 1. At the end, it constructs authentication message Auth_c = {S_j, C_e, C_f} and sends it over to SN_k.

Step 5: Having received Auth_c, the SN_k checks if 1≤ |S_j − S_k|≤ P. In a nutshell, the authentication session is aborted when this validation fails. However, if the verification is successful, the SN_k proceeds to derive (SK_C||UID_i)= C_e$\oplus$h (S_k||SID_k||r_a) and C_f* =h (SK_C||UID_i||SID_k||S_k||r_a). Next, it confirms whether C_f* = C_f and terminates the session if this condition is false. Otherwise, S_a = h (UID_i||SID_k||SK_C||S_j) is computed. This is followed by updating r_a as r_a^new = h (r_a||SID_k) and setting S_k = S_j. At the end, the SN_k composes authentication message Auth_s = {SID_k, S_a} which is transmitted towards CN_j.

Step 6: Upon obtaining message Auth_s, CN_j derives S_a* = h (UID_i||SID_k||SK_C||S_j) and checks if S_a* is equivalent to S_a received Auth_s. Provided that these two parameters are dissimilar, the authentication session is aborted. However, if the verification succeeds, CN_j calculates C_g = (SK_C||UID_i)$\oplus$h (SID_k||r_c||C_a||ɸ_j) and C_h = h (SK_C||r_c||UID_i||SID_k). Finally, CN_j constructs message Auth_n = {C_g, C_h}, which is forwarded towards U_i.

Step 7: After receiving message Auth_n, the user’s smart device SD_i computes (SK_C||UID_i) = C_g$\oplus$h (SID_k||r_c||C_a||ɸ_j) and C_h* = h (SK_C||r_c||UID_i||SID_k). Next, the smart device SD_i confirms whether the derived C_h* is equivalent to C_h received in message Auth_n. Provided that this verification is successful, the authentication among U_i, CN_j and SN_k is considered complete, and SK_C is set as the session key.

Algorithm 2: Login and authentication

Begin (1) Input PWi into SDi (2) Calculate Ua*, (Ca||ɸj) & Cd* (3) if Cd* != Cd then: (4)              Reject login request (5) else (6)            Generate rc (7)            Compute Ub, Uc & Ud (8)            Construct Authu (9)           Ui $\overrightarrow{Aut{h}_u}$ CNj (10)         Determine Tc (11)     end if (12)             if  |Tc − Tu| ≥ ΔT then: (13)                     flag Authu as replay (14)       else: (15)                   Based on GIDi, retrieve GKi (16)                   Derive ɸj & retrieve UIDi from VT (17)                   Compute Ca, ), (rc||SIDk||) & Ud* (18)       end if (19)               if Ud* != Ud then: (20)                         Halt session (21)                         Choose SKC (22)                         Calculate Ce & Cf (23)                         Update ra to ranew & set Sj = Sj +1 (24)                         Compose Authc (25)                         CNj $\overrightarrow{Aut{h}_c}$ SNk (26)             end if (27)                       if  1 ≥ |Sj − Sk| ≥ P then: (28)                               Terminate session (29)               else: (30)                               Derive (SKC||UIDi) & Cf* (31)           end if (32)                       if Cf* != Cf then: (33)                                 Abort session (34)                   else: (35)                             Calculate Sa & update ra to ranew (36)                             Set Sk = Sj (37)                             Construct Auths (38)                             SNk $\overrightarrow{Aut{h}_s}$ CNj (39)                             Derive Sa* (40)                 end if (41)                             if Sa* != Sa then: (42)                                     Halt the session (43)                   else: (44)                                 Compute Cg & Ch (45)                                 Compose Authn (46)                                 CNj $\overrightarrow{Aut{h}_n}$ Ui (47)                                 Calculate (SKC||UIDi) & Ch* (48)                     end if (49)                                 if Ch* != Ch then: (50)                                           Abort session (51)                       else: (52)                                     Set SKC as the session key (53)               end if End

3.3. Parameter Update Phase

The two procedures below are activated upon the compromising of user password PW_i.

Step 1: U_i enters his/her password into SD_i. This is followed by the calculation of U_a = h (PW_i||S_U), (C_a||ɸ_j) = U_a$\oplus$C_b and C_d* = h (C_a||ɸ_j||U_a). Next, it confirms whether the derived C_d* is equivalent to C_d, stored in its memory. If this verification is unsuccessful, the password change request is denied. However, if the verification is successful, the SD_i inputs new password PW_i^new.

Step 2: SD_i calculates U_a^new = h (PW_i^new||S_U), C_b^new = U_a^new$\oplus$(C_a||ɸ_j) and C_d^new = h (C_a||ɸ_j||U_a^new). At the end, the SD_i substitutes parameter set {C_b, C_d} with its updated version {C_b^new, C_d^new} in its memory.

4. Security Analysis

In this part, we carry out both formal and informal security analyses of our scheme. The aim is to demonstrate its semantic robustness and resilience to typical attacks in the precision agriculture environment.

4.1. Formal Security Evaluation

In this sub-section, we utilize the Burrows–Abadi–Needham (BAN) logic to reveal the robustness of the authentication procedures as well as the session key setup between U_i and SN_k. In this proof, we let A and B represent statements, while S and T denote the subjects. The symbols used during the BAN logic proofs are detailed below.

# (B): Message B is fresh;

S | ≡ A: Subject S considers statement A to be true;

S | ~ A: At some point, subject S sent message A;

S | $⨞$ A: S has seen message A;

S | ⇒ A: S has control over A;

$S\stackrel{ k }{\leftrightarrow }T$: Subject S and T are sharing key k;

S$\begin{array}{c} k \\ \rightleftharpoons \end{array}$T: k is the shared secret between principals S and T;

{A}_k: Message A is encrypted using key k;

$\langle A_k\rangle$: Secret k is combined with A.

In addition to the above logic symbols, we deployed BAN logic rules below to demonstrate that the authentication among U_i, CN_j and SN_k is carried out in a secure manner.

Message-meaning rule (MMR): ${\displaystyle \frac{S|\equiv \mathrm{S}\stackrel{k}{\leftrightarrow }\mathrm{T},\mathrm{S}⨞{\left\{\mathrm{A}\right\}}_k}{S\left|\equiv T\right|~A}}$;

Nonce verification rule (NVR): ${\displaystyle \frac{S|\equiv \#\left(A\right),S\left|\equiv T\right|~A}{S\left|\equiv T\right|\equiv A}}$;

Jurisdiction rule (JR): ${\displaystyle \frac{S\left|\equiv T\Rightarrow A,S\right|\equiv T|\equiv A}{S|\equiv A}}$;

Believe rule (BR): ${\displaystyle \frac{S|\equiv \left(A,B\right)}{S|\equiv A}}$;

Freshness rule (FR):${\displaystyle \frac{S|\equiv \#\left(A\right)}{S|\equiv \#\left(A,B\right)}}$.

To demonstrate that our scheme achieves perfect and protected joint validation between U_i and SN_k, the goals below must be attained.

Goal 1: U_i$|\equiv$U_i $\stackrel{ S{K}_C }{\leftrightarrow }$ SN_k;

Goal 2: U_i$|\equiv$ SN_k$|\equiv$U_i  $\stackrel{ S{K}_C }{\leftrightarrow }$ SN_k;

Goal 3: SN_k $|\equiv$ U_i  $\stackrel{ S{K}_C }{\leftrightarrow }$ SN_k;

Goal 4: SN_k$|\equiv$ U_i$|\equiv$U_i  $\stackrel{ S{K}_C }{\leftrightarrow }$ SN_k.

During the login and authentication process, four messages are exchanged among U_i, CN_j and SN_k. For effective proofs, these messages are converted into idealized format as detailed below.

Auth_u (U_i → CN_j): {GID_i, U_b, U_c, U_d, T_u};

Idealized form: (U_i$\stackrel{ r_c }{\leftrightarrow }$CN_j, SID_k${)}_{U_i\stackrel{ C_a\left|\right|G{K}_i }{\leftrightarrow }C{N}_{\mathrm{j}}}$, < GID_i, SID_k, r_c, T_u ${>}_{U_i\stackrel{ C_a\left|\right|G{K}_i }{\leftrightarrow }C{N}_{\mathrm{j}}}$;

Auth_c (CN_j → SN_k): {S_j, C_e, C_f };

Idealized form: (CN_j$\stackrel{ S{K}_C }{\leftrightarrow }$SN_k, UID_i${)}_{C{N}_{\mathrm{j}}\stackrel{ r_a }{\leftrightarrow }S{N}_k}$, < UID_i, SID_k, $C{N}_{\mathrm{j}}\stackrel{ S{K}_C }{\leftrightarrow }S{N}_k$, S_j ${>}_{C{N}_{\mathrm{j}}\stackrel{ r_a }{\leftrightarrow }S{N}_k}$;

Auth_s (SN_k → CN_j): {SID_k, S_a};

Idealized form: < UID_i, SID_k,$S{N}_k\stackrel{ S{K}_C }{\leftrightarrow }C{N}_{\mathrm{j}}$ ${>}_{S{N}_k\stackrel{ r_a }{\leftrightarrow }C{N}_{\mathrm{j}}}$;

Auth_n (CN_j → U_i): {C_g, C_h};

Idealized form: (CN_j$\stackrel{ S{K}_C }{\leftrightarrow }$U_i${)}_{U_i\stackrel{ C_a }{\leftrightarrow }C{N}_{\mathrm{j}}}$, < UID_i, SID_k, CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i ${>}_{U_i\begin{array}{c} r_{c } \\ \rightleftharpoons \end{array}C{N}_{\mathrm{j}}}$.

Next, the following preliminary state assumptions (PSA_i) are made regarding our proposed scheme. The freshness and legitimacy of the values in these assumptions are deployed to demonstrate the robustness of the authentication procedures and the session key setup between Ui and SNk (as seen in proofs P1 to P24 that follow).

PSA₁: CN_j |≡ # (T_u);

PSA₂: CN_j |≡ # (r_c);

PSA₃: SN_k |≡ # (SK_C);

PSA₄: SN_k |≡ # (SK_C);

PSA₅: U_i$|\equiv$U_i$\stackrel{ C_a\left|\right|G{K}_i }{\leftrightarrow }$CN_j;

PSA₆: CN_j$|\equiv$U_i$\stackrel{ C_a\left|\right|G{K}_i }{\leftrightarrow }$CN_j;

PSA₇: SN_k$|\equiv$SN_{k i}$\stackrel{ r_a }{\leftrightarrow }$CN_j;

PSA₈: CN_j$|\equiv$SN_{k i}$\stackrel{ r_a }{\leftrightarrow }$CN_j;

PSA₉: U_i$|\equiv$CN_j$|\Rightarrow U_i$ $\stackrel{ S{K}_C }{\leftrightarrow }$SN_k;

PSA₁₀: SN_k$|\equiv$CN_j$|\Rightarrow U_i$ $\stackrel{ S{K}_C }{\leftrightarrow }$SN_k.

Using these notation, rules, initial state assumptions and idealized messages, we execute the rigorous BAN logic proofs to demonstrate the existence of robust and secured authentication among U_i, CN_j and SN_k.

Based on message Auth_u, we obtain the following proof.

P1: CN_j $⨞$ (U_i$\stackrel{ r_c }{\leftrightarrow }$ CN_j, SID_k${)}_{U_i\stackrel{ C_a\left|\right|G{K}_i }{\leftrightarrow }C{N}_{\mathrm{j}}}$.

According to PSA₆, the MMR is applied to yield P2.

P2: CN_j |≡ U_i$\stackrel{ r_c }{\leftrightarrow }$ CN_j, SID_k.

On the other hand, the freshness rule is used in PSA₆ to obtain P3.

P3: CN_j |≡# (UID_i, SID_k, GID_i, T_u, U_i$\stackrel{ r_c }{\leftrightarrow }$ CN_j).

Based on P2 and P3, we apply the NVR to obtain P4.

P4: CN_j |≡ U_i$|\equiv$ (UID_i, SID_k, GID_i, T_u, U_i$\stackrel{ r_c }{\leftrightarrow }$ CN_j).

According to Auth_c, we obtain P5 as follows.

P5: SN_k $⨞$ (CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$SN_k, UID_i${)}_{C{N}_{\mathrm{j}}\stackrel{ r_a }{\leftrightarrow }S{N}_k}$.

Based on PSA₇ and P5, the message-meaning rule is applied to yield P6.

P6: SN_k |≡ CN_j|~ (CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$SN_k, UID_i).

In accordance with PSA₃, the freshness rule is effected to obtain P7.

P7: SN_k |≡ # (UID_i, SID_k, CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$SN_k, S_j).

From P6 and P7, we utilize the nonce-verification rule to obtain P8.

P8: SN_k |≡ CN_j |≡ (UID_i, SID_k, CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$SN_k, S_j).

Based on Auth_s, we obtain P9 as follows.

P9: CN_j $⨞$ < UID_i, SID_k,$S{N}_k\stackrel{ S{K}_C }{\leftrightarrow }C{N}_{\mathrm{j}}$ ${>}_{S{N}_k\stackrel{ r_a }{\leftrightarrow }C{N}_{\mathrm{j}}}$.

In accordance with PSA₈ and P9, the message-meaning rule is applied to yield P10.

P10: CN_j |≡ SN_k|~ (UID_i, SID_k,$S{N}_k\stackrel{ S{K}_C }{\leftrightarrow }C{N}_{\mathrm{j}}$ ).

The application of the freshness rule to P10 results in P11 as follows.

P11: CN_j |≡ SN_k|≡ (UID_i, SID_k,$S{N}_k\stackrel{ S{K}_C }{\leftrightarrow }C{N}_{\mathrm{j}}$ ).

Based on message Auth_n, we obtain P12.

P12: U_i $⨞$ (CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i${)}_{U_i\stackrel{ C_a }{\leftrightarrow }C{N}_{\mathrm{j}}}$.

In accordance with PSA₅ and P12, we utilize the message-meaning rule to obtain P13.

P13: U_i |≡ CN_j |~ (CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i).

The application of the freshness rule on PSA₄ results in P14.

P14: U_i |≡# (UID_i, SID_k, CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i).

On the other hand, NVR is applied to P13 and P14 to obtain the following.

P15: U_i |≡ CN_j |≡ (UID_i, SID_k, CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i).

Similarly, the belief rule is applied to P6 and P7 to obtain P16.

P16: SN_k |≡ (CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$ SN_k).

From P8, we utilize the belief rule to obtain P17.

P17: SN_k |≡ CN_j |≡ (CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i).

On the other hand, the belief rule is used in P11 to obtain P18.

P18: CN_j |≡ SN_k|≡ ($S{N}_k\stackrel{ S{K}_C }{\leftrightarrow }C{N}_{\mathrm{j}}$ ).

Similarly, the belief rule is utilized in P13 and P14 to obtain P19.

P19: U_i |≡ (CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i).

However, the application of the belief rule in P15 yields P20.

P20: U_i |≡ CN_j |≡ (CN_j $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i).

Based on PSA₁₀ and P16, we obtain P21.

P21: SN_k |≡ (U_i $\stackrel{ S{K}_C }{\leftrightarrow }$ SN_k); hence, Goal 3 is realized.

On the other hand, we obtain P22 from PSA₁₀ and P17 as follows.

P22: SN_k |≡ U_i |≡ (U_i $\stackrel{ S{K}_C }{\leftrightarrow }$ SN_k) and hence Goal 4 is attained.

From PSA₉, P18 and P19, we obtain the following.

P23: U_i |≡ (SN_k $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i), achieving Goal 1.

Finally, from PSA₉, P18 and P20, we obtain P24 as follows.

P24: U_i |≡ SN_k|≡ (SN_k $\stackrel{ S{K}_C }{\leftrightarrow }$ U_i), attaining Goal 2.

4.2. Informal Security Analysis

In this sub-section, we formulate and prove a number of lemmas to show that our scheme is secure under the adversarial capabilities in the Canetti–Krawczyk attack model. These capabilities are described in [53].

Lemma 1. 

MitM and forgery threats are prevented.

Proof. 

Let us assume that adversary à is wants to forge validation messages so as to deceive any unsuspecting receivers. To achieve this goal, messages Auth_u = {GID_i, U_b, U_c, U_d, T_u}, Auth_c = {S_j, C_e, C_f }, Auth_s = {SID_k, S_a} and Auth_n = {C_g, C_h} are captured. Next, attempts are made to modify these messages. Here, U_b = ɸ_j$\oplus$ h (GID_i||GK_i||T_u), U_c = (r_c||SID_k||)$\oplus$ h(GID_i||ɸ_j||C_a||T_u), U_d = h (r_c||C_a||GID_i||T_u), C_e = (SK_C||UID_i)$\oplus$ h (S_j||SID_k||r_a), C_f = h (SK_C||UID_i||SID_k||S_j||r_a), S_a = h (UID_i||SID_k||SK_C||S_j), C_g = (SK_C||UID_i)$\oplus$ h (SID_k||r_c||C_a||ɸ_j) and C_h = h (SK_C||r_c||UID_i||SID_k). Evidently, adversary à does not have access to keys such as GK_i and SK_C, sequence number S_j, unique identities SID_k and UID_i, and random numbers r_c and r_a. Since these two threats are easily mitigated in our protocol, both integrity and confidentiality are upheld. □

Lemma 2. 

Robust mutual verification is executed.

Proof. 

During the login and validation phase, entities U_i, SD_i, CN_j and SN_k mutually verify each other. To gain access to his/her smart device SD_i, it checks whether C_d* = C_d, where C_d is the value stored in its memory. Basically, the login request is rejected if this verification unsuccessful. On the other hand, CN_j validates SD_i by deriving U_d* = h (r_c||C_a||GID_i||T_u) and confirming if U_d* = U_d. For its part, the SN_k verifies CN_j by deriving C_f* = h (SK_C||UID_i||SID_k||S_k − 1||r_a) and confirming whether C_f* = C_f. Similarly, CN_j validates SN_k through the computation of S_a* = h (UID_i||SID_k||SK_C||S_j) and confirmation of whether S_a* = S_a. Finally, SD_i authenticates CN_j by calculating C_h* = h (SK_C||r_c||UID_i||SID_k) and checking if C_h* = C_h. For all these scenarios, the authentication session is halted upon verification failure. □

Lemma 3. 

Our security technique prevents replay threats.

Proof. 

In our scheme, we make use of timestamps, sequence numbers and random numbers to curb these threats. During the authentication procedures, messages Auth_u = {GID_i, U_b, U_c, U_d, T_u}, Auth_c = {S_j, C_e, C_f }, Auth_s = {SID_k, S_a} and Auth_n = {C_g, C_h} are exchanged. Here, U_b = ɸ_j$\oplus$ h (GID_i||GK_i||T_u), U_c = (r_c||SID_k||)$\oplus$ h(GID_i||ɸ_j||C_a||T_u), C_a = h (UID_i||GK_i||r_b), U_d = h (r_c||C_a||GID_i||T_u), C_e = (SK_C||UID_i)$\oplus$ h (S_j||SID_k||r_a), C_f =h (SK_C||UID_i||SID_k||S_j||r_a), S_a = h (UID_i||SID_k||SK_C||S_j), C_g = (SK_C||UID_i)$\oplus$ h (SID_k||r_c||C_a||ɸ_j) and C_h = h (SK_C||r_c||UID_i||SID_k). Evidently, these messages incorporate timestamp T_u, random numbers r_c, r_b and r_a, and sequence number S_j. Therefore, any replayed message can be effortlessly decerned at the receiver end since these parameters will fail the freshness tests. □

Lemma 4. 

Anonymity and untraceability are preserved.

Proof. 

The objective of anonymity is to prevent adversaries from discerning the actual identity of the users hinged on the messages transferred across the public channels. On the other hand, untraceability ensures that users are not tracked based on the publicly exchanged messages. In our scheme, messages Auth_u = {GID_i, U_b, U_c, U_d, T_u}, Auth_c = {S_j, C_e, C_f }, Auth_s = {SID_k, S_a} and Auth_n = {C_g, C_h} are exchanged over the public internet. It is clear that the user’s real identity UID_i is never sent in plaintext in all these messages. In fact, it is only the GID_i (pseudonym shared among users of the group) that can be extracted from these messages. Any effort to retrieve UID_i from C_e = (SK_C||UID_i)$\oplus$ h (S_j||SID_k||r_a), C_f =h (SK_C||UID_i||SID_k||S_j||r_a), S_a = h (UID_i||SID_k||SK_C||S_j), C_g = (SK_C||UID_i)$\oplus$ h (SID_k||r_c||C_a||ɸ_j) and C_h = h (SK_C||r_c||UID_i||SID_k) will fail due to its encapsulation in other parameters. In addition, there is need to reverse h (.), which is computationally cumbersome. □

Lemma 5. 

Our protocol mitigates eavesdropping and sensor node spoofing threats.

Proof. 

The ultimate goal of this attack is to derive verification parameter S_a = h (UID_i||SID_k||SK_C||S_j) used to authenticate SN_k at CN_j. This requires that adversary à access identities UID_i and SID_k, session key SK_C and sequence number S_j. Based on Lemma 4, adversary à does not have access to UID_i. Similarly, session key SK_C and sequence number S_j are generated at the CN_j and hence not available to Ã. Therefore, although SID_k can be obtained by eavesdropping on message Auth_s, an adversary cannot execute sensor node spoofing. □

Lemma 6. 

KSSTI attacks are thwarted and forward secrecy is preserved.

Proof. 

To uphold forward key secrecy, it is required that the leakage of long-term secret keys cannot result in the recovery of the previous and subsequent session keys. Let us assume that à has compromised long-term secrets such as S_U and GK_i. The session key in our protocol is generated at CN_j and encapsulated in parameters such as C_e = (SK_C||UID_i)$\oplus$ h (S_j||SID_k||r_a), C_f =h (SK_C||UID_i||SID_k||S_j||r_a), S_a = h (UID_i||SID_k||SK_C||S_j), C_g = (SK_C||UID_i)$\oplus$ h (SID_k||r_c||C_a||ɸ_j) and C_h = h (SK_C||r_c||UID_i||SID_k). Evidently, these long-term keys cannot help adversary à in deriving session key SK_C. □

Lemma 7. 

Our approach can withstand user impersonation attacks.

Proof. 

In the proposed protocol, user U_i constructs message Auth_u = {GID_i, U_b, U_c, U_d, T_u}, which is transmitted towards CN_j over the public internet. Let us assume that adversary à wants to construct this message so as to impersonate U_i. Here, U_b = ɸ_j$\oplus$ h (GID_i||GK_i||T_u), ɸ_j = U_b$\oplus$ h (GID_i||GK_i||T_u), U_c = (r_c||SID_k||)$\oplus$ h(GID_i||ɸ_j||C_a||T_u), C_a = h (UID_i||GK_i||r_b) and U_d = h (r_c||C_a||GID_i||T_u). According to Lemma 4, adversary à cannot access UID_i. In addition, group key GK_i cannot be eavesdropped on from the public Internet since it is never sent in messages Auth_u, Auth_c, Auth_s and Auth_n. For the same reason, adversary à does not have access to random numbers r_b and r_c. □

Lemma 8. 

Our scheme can withstand physical, stolen device and side-channeling threats.

Proof. 

Supposing that an adversary has stolen or captured sensor node SN_k and extracted value set {S_k, r_a} stored in it through power analysis. Using the extracted parameters, attempts are made to derive sensor node verification parameter S_a = h (UID_i||SID_k||SK_C||S_j). It is clear that the extracted values cannot help the adversary to derive S_a. Similarly, the physical capture and extraction of value set {GID_i, GK_i, C_b, C_d} cannot facilitate the computation of user verification parameter U_d = h (r_c||C_a||GID_i||T_u). □

Lemma 9. 

Privileged insider attacks are thwarted.

Proof. 

Suppose that some entities in the control node CN_j turns out to be malicious. As such, attempts may be made to capture user password PW_i and use it for malicious activities. During user registration, U_i sends parameter U_a = h (PW_i||S_U) to CN_j over secured channels. Although U_a contains PW_i, it is masked in secret key S_U prior to being exposed to one-way hashing operation. Therefore, it is extremely cumbersome for à to extract PW_i from parameter U_a. □

Lemma 10. 

Our scheme can withstand password guessing and session hijacking threats.

Proof. 

Let us assume that adversary à wants to gain access to user smart device SD_i and thereafter hijack the session and exchange data with other network entities. In our scheme, after entering PW_i^à into SD_i, it computes parameters U_a* = h (PW_i^Ã||S_U), (C_a||ɸ_j) = C_b$\oplus$ U_a* and C_d* = h (C_a||ɸ_j||U_a*). Next, it checks if C_d* = C_d, where C_d is the value stored in SD_i’s memory. Since PW_i^à$\ne$ PW_i, the adversary à will fail the C_d* $⨞$ C_d check. □

Lemma 11. 

Denial of service and de-synchronization attacks are mitigated.

Proof. 

Supposing that adversary à is determined to de-sync the controller node CN_j so that the sensor nodes are denied access to CN_j. To avert this, our scheme uses sequence numbers S_k and S_j to ensure that SN_k and CN_j are always synchronized. During the authentication procedures, message Auth_c = {S_j, C_e, C_f} is sent by CN_j towards the SN_k. Here, C_e = (SK_C||UID_i)$\oplus$ h (S_j||SID_k||r_a) and C_f =h (SK_C||UID_i||SID_k||S_j||r_a). Similarly, message Auth_s = {SID_k, S_a} is forwarded from the SN_k towards CN_j, where S_a = h (UID_i||SID_k||SK_C||S_j). It is clear that these messages contain sequence number S_j. □

Lemma 12. 

Scalability is enhanced in the proposed scheme.

Proof. 

In our scheme, the network entities do not rely solely on the controller node to generate and distribute all the identities and keying parameters. For instance, during the registration phase, the sensor node SN_k selects SID_k as its unique identity, which is then forwarded to the controller node CN_j. Similarly, user U_i generates password PW_i and private key S_U, and computes value U_a = h (PW_i||S_U) before forwarding {U_a} to the controller node. This lack of total dependency on CN_j for derivation and distribution of identities and keying parameters imply that more users and sensors can be added without overwhelming the controller node. □

5. Comparative Performance Evaluations

In the majority of the security techniques, communication costs, offered functionalities, energy consumption levels and computation overheads are frequently utilized to evaluate their performance. Therefore, we utilize these four performance measures to evaluate our scheme as described below.

5.1. Computation Overheads

The implementation details of our scheme involved a laptop with 4 GB of RAM, running on an Intel processor with 2.4 Ghz of clock frequency. On the other hand, the operating system installed in this machine is Ubuntu 22.04 LTS. Under these operational conditions, the Pairing-Based Cryptography (PBC) library is used to yield the execution time for various cryptographic primitives as follows: elliptic curve scalar multiplications (T_pm ≈ 3.53 ms), one-way hashing (T_h ≈ 0.128 ms), elliptic curve point addition (T_pa ≈ 0.026 ms), fuzzy extraction (T_fe ≈ 3.53 ms), t-degree univariate polynomial evaluation (T_pe ≈ 16.28 ms), bilinear pairing (T_b ≈ 27.52 ms), modular exponentiation (T_e ≈ 0.275 ms) and symmetric encryption/decryption (T_en ≈ 0.028 ms). During the login and verification procedures, SD_i executes 8T_h, while SN_k executes 5T_h.

On the other hand, the controller node CN_j executes 10T_h operations, and hence, the cumulative computation overhead in our scheme is 23T_h.

Table 2. Computation overheads.

Scheme	Computations			Total (ms)
	User/Smart Device	Sensor	Controller/Gateway
[6]	4Th + 2Tpm	4Th + Tpm	7Th + Tpm	16.04
[12]	4Th + 5Tpm + Tpa	3Th + 4Tpm + 2Tpa	2Th + 3Tpm + Tpa	43.62
[16]	-	9Th + 4Tpm	9Th + 4Tpm	30.54
[18]	-	7Th + 6Tpm + 2TPA + Tpe	7Th + 6Tpm + 2TPA + Tpe	76.82
[30]	13Th + 4Tpm + Tpa + Tfe	9TH + 4Tpm + Tpa	12Th + 6Tpm + 2Tpa	57.41
[48]	9Th + Tfe + Ten	3Th + Ten	5Th + 5Ten	5.91
[49]	11Th + Tfe	6Th	13Th	7.37
[50]	14Th	9Th + Ten	20Th + Ten	5.56
[51]	3Tpm	4Tpm	-	24.71
[52]	7Th + Tpm + Ten+ Tfe	6Th + Tpm + Ten	2Th	12.54
Proposed	8Th	5Th	10Th	2.94

presents the comparison of this computation overhead with other related schemes.

As demonstrated in Figure 4, the approach in [18] incurs the heaviest computation costs of 76.82 ms. This is followed by the security methods in [6,12,16,30,48,49,50,51,52] with computation overheads of 57.41 ms, 43.62 ms, 30.54 ms, 16.04 ms, 12.54 ms, 7.37 ms, 5.91 ms and 5.56 ms, respectively. The high execution durations of these schemes is attributed to the computationally extensive scalar multiplications, fuzzy extractions and encryptions.

However, the proposed scheme involves only efficient one-way hashing and XOR operations. This explains its low computation costs. High computation overheads translate to increased operational delays, which can result in packet drops. These frequent packet drops can potentially interfere with the proper transmission and reception of messages exchanged in precision agriculture. Since the proposed scheme yields the lowest computation overheads, it exhibits the lowest latencies and hence achieves the greatest packet delivery ratio.

5.2. Communication Overheads

In this part, we utilize the sizes of the messages transferred during the login and authentication procedures to obtain the cumulative communication overheads of the developed protocol. To accomplish this, we deploy the values in [18] in which the sizes of the passwords, timestamps and sequence numbers, identities, finite group points, hashing output, elliptic curve points and random numbers are 160 bits, 32 bits, 160 bits, 512 bits, 160 bits, 320 bits and 160 bits, correspondingly. Therefore, the sizes of Auth_u, Auth_c, Auth_s and Auth_n are (160 + 160 + 160 + 160 + 32 = 672 bits), (32 + 160 + 160 = 352 bits), (160 + 160 = 320 bits), and (160 + 160 = 320 bits), respectively. As such, our scheme has 1664 bits as its communication costs.

Table 3. Communication overheads.

Scheme	Message Exchange Details	Size (Bits)
[6]	U$\stackrel{ 1152 }{\leftrightarrow }$GWN $\stackrel{ 1600 }{\leftrightarrow }$ SN	2752
[12]	SN $\stackrel{ 1344 }{\to }$ SM $\stackrel{ 256 }{\to }$CBC $\stackrel{ 1312 }{\to }$SM$\stackrel{ 256 }{\to }$ DSP $\stackrel{ 1088 }{\to }$ SN	4256
[16]	SN$\stackrel{ 928 }{\to }$ GWN $\stackrel{ 1088 }{\to }$ SN $\stackrel{ 288 }{\to }$ GWN	2304
[18]	GSS $\stackrel{ 1088 }{\to }$ DR $\stackrel{ 928 }{\to }$ GSS	2016
[30]	U $\stackrel{ 1088 }{\to }$ CN $\stackrel{ 1344 }{\to }$ SN $\stackrel{ 1376 }{\to }$ CN $\stackrel{ 1984 }{\to }$ U	5792
[48]	U $\stackrel{ 704 }{\to }$ HGWN $\stackrel{ 640 }{\to }$ SN $\stackrel{ 384 }{\to }$ U	1728
[49]	U $\stackrel{ 832 }{\to }$ GWN $\stackrel{ 672 }{\to }$ SN $\stackrel{352 }{\to }$ GWN $\stackrel{ 512 }{\to }$ U	2368
[50]	U $\stackrel{ 672 }{\to }$ SN $\stackrel{ 1344 }{\to }$ CA $\stackrel{800 }{\to }$ SN $\stackrel{ 960 }{\to }$ U	3776
[51]	U $\stackrel{ 100 }{\to }$ AG $\stackrel{ 320 }{\leftrightarrow }$ SN $\stackrel{ 320 }{\leftrightarrow }$ AG $\stackrel{ 320 }{\to }$ U	1060
[52]	U $\stackrel{ 320 }{\to }$ GWN $\stackrel{ 352 }{\to }$ SN $\stackrel{320 }{\to }$ GWN $\stackrel{ 320 }{\to }$ U	1312
Proposed	U $\stackrel{ 672 }{\to }$ CN $\stackrel{ 352 }{\to }$ SN $\stackrel{320 }{\to }$ CN $\stackrel{ 320 }{\to }$ U	1664

shows the communication costs of other related schemes, where HGWN is the home gateway node, U is the user, SN is the sensor node, DR is the drone, GSS is the ground station server, AG is the aggregator, DSP is the data service provider, CBC is the consortium blockchain, SM is the service manager and CA is the controlling authority.

It is apparent from Figure 5 that the protocol in [30] incurs the highest communication costs of 5792 bits. This is followed by the schemes in [6,12,16,18,48,49,50], the proposed protocol, and [51,52] with communication costs of 4256 bits, 3776 bits, 2752 bits, 2368 bits, 2304 bits, 2016 bits, 1728 bits, 1664 bits, 1312 bits and 1060 bits, respectively. Although the schemes in [51,52] incur relatively lower communication costs, they have high computation overheads and are vulnerable to numerous attacks, as shown in

Table 4. Energy consumption levels.

Scheme	Energy (mJ)
[6]	0.106
[12]	0.288
[16]	0.202
[18]	0.507
[30]	0.379
[48]	0.039
[49]	0.049
[50]	0.037
[51]	0.163
[52]	0.083
Proposed	0.019

.

Therefore, although our protocol incurs relatively high communication overheads, it offers perfect security at the lowest computation overheads. It is therefore suitable for addressing security issues in precision agriculture.

5.3. Energy Consumption

In this sub-section, we estimate the power consumed by our scheme during the login and authentication process. The power consumption (in mJ) is given by the product of voltage in volts, current (in milliamps, mA) drawn in active mode and the time in seconds. That is,

Power consumption = supply voltage (in V) × current (in mA) × execution time (in S),

where execution time is equivalent to the computation overheads in Table 2 above.

According to [54], this current is 2.2 mA, while the supply voltage is 3V. Using these values, the energy consumption of our scheme is 0.019 mJ. Table 4 presents the comparisons of energy consumption of our scheme against other related protocols.

Based on the graphs in Figure 6, the protocol in [18] exhibits the heaviest amount of energy consumption of 0.507 mJ. This is followed by the schemes in [6,12,16,30,48,49,50,51,52] with energy consumption levels of 0.379 mJ, 0.288 mJ, 0.202 mJ, 0.163 mJ, 0.106 mJ, 0.083 mJ, 0.049 mJ, 0.039 mJ and 0.037 mJ.

However, the proposed scheme consumes only 0.019 mJ of energy, which is the lowest. Since most of the PA sensor devices are limited in terms of energy, our scheme is the best suited for deployment in these sensors.

5.4. Supported Functionalities

The proposed protocol supports a wide range of security and privacy characteristics which are key in precision agriculture. In addition, it has been demonstrated to be robust against numerous security threats.

Table 5. Security characteristics.

	[12]	[49]	[50]	[51]	[52]	[30]	[6]	[18]	[16]	[48]	Proposed
Security features:
F1	√	√	√	√	√	√	√	×	√	√	√
F2	×	√	√	×	√	√	√	×	√	√	√
F3	√	√	√	√	√	√	√	√	√	√	√
F4	√	√	√	√	√	√	√	√	×	√	√
Robust against the following:
F5	×	×	×	×	×	√	√	√	√	×	√
F6	×	√	×	√	×	√	√	√	√	√	√
F7	×	×	×	√	√	×	×	√	×	×	√
F8	×	√	√	×	√	√	√	×	×	√	√
F9	×	×	×	×	×	×	×	×	×	×	√
F10	×	×	×	√	×	×	×	√	×	×	√
F11	√	√	√	√	√	√	√	√	√	√	√
F12	×	×	×	×	×	×	×	×	×	×	√
F13	√	√	√	√	√	√	√	√	√	√	√
F14	×	×	×	×	√	×	×	×	×	×	√
F15	√	×	√	√	√	√	√	√	√	√	√
F16	×	√	√	×	√	√	√	√	√	√	√
F17	×	√	√	×	×	×	√	√	√	×	√
F18	√	√	×	√	√	√	√	×	√	√	√
F19	×	√	√	√	×	√	√	√	√	√	√

F1—Anonymity; F2—Untraceability; F3—Authentication; F4—Perfect key secrecy; F5—Side-channeling; F6—Physical capture; F7—Eavesdropping; F8—Offline guessing; F9—Spoofing; F10—Forgery; F11—Replay; F12—Session hijacking; F13—Impersonation; F14—De-synchronization; F15—MitM; F16—Privileged insider; F17—KSSTI; F18—DoS; F19—Stolen smart device; √ Supported; × Not supported or not considered.

presents the comparative evaluation of the features of our scheme against other related protocols.

It is evident from Table 5 that the security protocol in [12] supports only seven features, rendering it the most vulnerable. Conversely, the protocols in [50,51] support 11 features each, while the schemes in [16,18,48,49,52] support 12 features each. For its part, the protocol in [30] supports 13 features, while the scheme in [6] offers support for 14 features. However, our proposed scheme supports all 19 of the security features. Overall, the proposed scheme has been demonstrated to offer robust security at relatively low communication costs and the least computation costs, as well as the lowest energy consumption. Since the majority of the devices in precision agriculture are resource-constrained, our scheme is the most suitable this environment. Our scheme adopts the conventional communication framework typical in existing farming systems, where we have central controllers, users and sensor nodes. In addition, the proposed scheme deploys only one-way hashing functions, which are lightweight. As such, no additional hardware is required for extensive computations. Consequently, our protocol is easy to integrate into existing farming systems such as drones and other IoT devices.

6. Conclusions

The need to increase the food supply in the face of limited resources for the ever-growing global population has seen the incorporation of smart technologies in agriculture. Sensors in precision agriculture collect information such as water content, soil moisture, humidity and temperature, which are then analyzed to facilitate decision making. These technologies have been shown to result in increased agricultural yields at low labor and resources. In spite of these positive contributions of smart agronomy, the amalgamation of a wide range of sensors and technologies coupled with the deployment of open wireless internet for message exchange results in numerous security threats. Although many solutions have been presented in the literature, security vulnerabilities and high resource requirements in most of these schemes render them unsuitable for deployment in resource-limited PA devices. The developed scheme is demonstrated to mitigate the majority of these security threats, such as packet replay, MitM, DoS, de-synchronization, privileged insider, impersonation and spoofing attacks. From the performance perspective, our technique consumes the least energy and computational resources while incurring relatively lower communication overheads. As such, our protocol can reduce operational costs and improve the resilience of agricultural IoT networks. Future research in this area will involve further improvements in the obtained communication costs so as to make it bandwidth-friendly. In addition, real-world testing and various case studies may be carried out against this scheme.