A Privacy-Preserving Authentication and Key Agreement Scheme with Deniability for IoT

Abstract

User authentication for the Internet of Things (IoT) is a vital measure as it consists of numerous unattended connected devices and sensors. For security, only the user authenticated by the gateway node can access the real-time data gathered by sensor nodes. In this article, an efficient privacy-preserving authentication and key agreement scheme for IoT is developed which enables the user, the gateway node and sensor nodes to authenticate with each other. Only the trusted gateway node can determine the real identity of user; however, no other entities can get information about user’ identity by just intercepting all exchanged messages during authentication phase. The gateway cannot prove the received messages from the sender to a third party, and thus preserving the privacy of the sender. The correctness of the proposed scheme is proved to be feasible by using BAN logic, and its security is proved under the random oracle model. The execution time of the proposed scheme is evaluated and compared with existing similar schemes, and the results demonstrate that our proposed scheme is more efficient and applicable for IoT applications.

1. Introduction

The Internet of Things (IoT) [1] is an enormous ubiquitous-network which is connecting the objects through various sensor devices and networks. It plays an important role in people’s lives and has been widely used in many fields to gather data such as transportation [2], education, smart healthcare [3,4,5], logistics, etc. In general, the network of IoT is formed by end-users, sensors and base stations (e.g., gateway), in which sensors can collect data of specific areas around them and then end users can access data on demand through the network.

However, the IoT is vulnerable to lots of malicious attacks due to its inherent the computational constraints of the sensors and the openness of wireless channel in IoT environment [1]. It is becoming a principal security concern that how to ensure that only valid end-users can access the critical data. To address this problem effectively, several authentication mechanisms [6,7,8,9] have been proposed to guarantee the authenticity of entities as well as the confidentiality of transferred data during communication in IoT. In an IoT environment, there exist three types entities, i.e., users, gateways and sensors. The gateways are specific modes which are served as trusted servers during authentication. Then sensors locate in various application environment to collect data. The user can access data in sensors while he or she has been authenticated by gateway. The basic goal of authentication is to enable gateway nodes, end-users and sensor nodes to authenticate each other. In order to meet functionality and security requirements, however, designing authentication and key agreement schemes to guarantee secure communication for the Internet of Things is challenging.

User authentication is vital in the IoT environment since it is used to distinguish legitimate users from illegal users. Only legitimate users can be granted with permission to access the data collected by sensor devices. Over the past few years, many user authentication schemes about the IoT environments have been designed. For example, Wong et al. [10] in 2006 put forward a user authentication protocol using symmetric encryption which utilizes hash and XOR operations to lower the computational complexity. Later, Das [11] presented an improved password-based user authentication to enhance the security of Wong et al.’s scheme. [10]. Other scholars [12,13,14] revealed that Wong et al.’s scheme is short of providing user anonymity and mutual authentication. Due to the merits of identity-based cryptography, some researchers presented novel identity-based authentication schemes [15,16], however, the computational cost in these schemes are expensive because of the adoption of pairing operation. Taking account of many existing construction of classic authentication schemes are based on public key technique, some researchers adopted symmetric cryptography-based means to improve the performance of authentication. Jung et al. [17] proposed a user anonymous authentication scheme based on symmetric encryption, which uses dynamic $ID$ to achieve anonymity. Considering mutual authentication is important in some IoT applications, Xue et al. [18] constructed a user authentication scheme based on temporal-credential where the gateway node issues temporary certificates to the user and sensor nodes to achieve mutual authentication. Jiang et al. [19] pointed out that Xue et al.’s scheme fails to resist privileged-insider attack and then proposed an improved signature-based authentication scheme. Das [20] introduced an enhanced three-factor user authentication scheme based on Jiang et al.’s [19] work using user biometric information.

Since privacy plays a central role in designing authentication and key agreement schemes, and great efforts have been made in privacy-preserving authentication. Fox example, in 2015, Wang et al. [21] presented a new authentication scheme for wireless body area networks(WBANs) using bilinear pairing to achieve anonymity; however, it is vulnerable to the impersonation attack. Li et al. [22] proposed an anonymous authentication scheme using the hash message authentication code (HMAC). However, it is infeasible for the limited IoT environment since the bilinear pairing would bring enormous costs. Porambage et al. [23] presented an ECC-based authentication protocol without bilinear pairing to achieve high efficiency. Some signature-based authentication schemes [24,25] have been investigated besides interactive protocol-based authentication schemes.

The previous work has proposed different methods to ensure security and to meet the functionality requirements. However, most of the existing schemes have weaknesses, such as high computation overhead, being susceptible to some attacks or not providing user privacy-preserving. Furthermore, all these existing schemes fail to deal with deniability and traceability at the same time, which looks contradicts with each other. Deniability is essential for users in IoT environment to preserve her or his privacy, however, traceability is vital to prevent malicious entities to damage the IoT applications. Hence, based on the previous work, we propose an ECC-based privacy-preserving authentication and key agreement scheme for IoT, which aims to provide conditional privacy protection and desirable performance.

This paper presents a privacy-preserving authentication and key agreement scheme with deniability for IoT, which enables user to access IoT sensor securely. More specifically, the scheme meets appropriate security requirements and supports desirable features. The characteristics of our proposal are as follows:

• User anonymity. No entity except the trusted gateway nodes can obtain any information about the identity of the users during the authentication phase.
• Deniability. The gateway node can generate another message that is indistinguishable from the received message from the user, such that when the user request a service via the gateway node, any third party cannot tell whether the message is sent by the user or generated by the gateway node. Therefore, the user can deny that he or she has requested the service.
• Unlinkability. Any external entity except the trusted gateway node cannot determine whether two messages from distinguished authentication sessions are sent by the same entity.
• Traceability. If any dispute or misbehavior occurs during the authentication phase, the trusted gateway node can reveal the identity of the user with the exchanged messages.
• High-efficiency. Due to the adoption of low-cost hash functions and ECC(elliptic curve cryptography) operations, the proposed scheme is more efficient than the existing exponential or bilinear pairing-based authentication schemes.

The remainder of this article is structured as follows. Section 2 provides related preliminaries. The concrete construction of the proposed scheme is described in Section 3. Section 4 presents a rigorous security analysis about the proposed scheme. Section 5 conducts the performance evaluation. Conclusions of the paper are presented in Section 6.

2. Preliminaries

In this section, some basic knowledge including communication model, the random oracle model and elliptic curve discrete logarithm problem are introduced.

2.1. Communication Model

The communication model of our proposed scheme is shown in Figure 1. It includes three kinds of entities: the gateway node $GWN$, the user U and the sensor node S. A secure communication channel can be established between U and S. Once the user U intends to request a certain service or access the data via GWN, the authentication session is initiated. U first sends an authentication request the message $M1$ to $GWN$ which requests $GWN$ for authentication; after checking the validity of messages from U, $GWN$ sends the message $M2$ to S. When receives the message $M2$ from $GWN$, S replies the confirmation message about session key establishment with message $M3$ to $GWN$. Then $GWN$ verifies $M3$, generates and sends the message $M4$ including the message $M3$ to U. At last, after U authenticating $GWN$ and S, U securely establishes a session key with S successfully.

2.2. Security Definition

The secrecy of the session key is the central security goal for authentication and key agreement scheme. To formally prove the security, a game-based method is introduced in our paper based on Abdalla et al.’s [26] method. The security model of our proposed scheme is introduced as follows.

Participants. There are three types of participants: users, gateway nodes and sensor nodes. Let ${\prod }_P^n$ be the instance n of the participants such that $P\in \left\{U,G,S\right\}$, where $U,G,S$ represent users, gateway nodes and sensor nodes respectively. Let ${\prod }_S^j$ represent the j-th instance of S, ${\prod }_U^i$ denote the i-th instance of U, and ${\prod }_G^n$ represent the k-th instance of G. Any participant instance is assumed as an oracle.

Partnering. Let $sid$ denote the session identification which is unique for each conversation. If the instances ${\prod }_U^i$ and ${\prod }_S^j$ are called partners, then the following conditions would be satisfied: (1) A same $sid$ between ${\prod }_U^i$ and ${\prod }_S^j$ is shared; (2) ${\prod }_U^i$ and ${\prod }_S^j$ have accepted the conversation; (3) ${\prod }_U^i$ and ${\prod }_S^j$ are each other’s partners.

Adversary. It is assumed that there exists a probabilistic polynomial-time(PPT) adversary $\mathcal{A}$ that can fully control all the communications by accessing to a series of oracle queries during the execution of the protocol. All the adversary’s queries are listed as below:

• $Execute({\prod }_U^i,{\prod }_G^n,{\prod }_S^j)$: This query issued by the adversary $\mathcal{A}$ simulates the eavesdropping attacks on honest executions among the user instance ${\prod }_U^i$, trusted gateway instance ${\prod }_G^n$ and sensor instance ${\prod }_S^j$. It outputs a transcript of the exchanged messages during the honest execution of the protocol.
• $Send({\prod }_P^n,M)$: This query models the active attacks such as impersonation attack and replay attack. Once has received the messages, ${\prod }_P^n$ returns a corresponding result to $\mathcal{A}$.
• $Corrupt({\prod }_P^n)$: This query is issued by the adversary $\mathcal{A}$, it is used to simulate the attack that $\mathcal{A}$ corrupts an entity from ${\prod }_P^n$. $\mathcal{A}$ can get the private key of a participant with this query.
  Please note that this query does not corrupt the partner’s same internal data and ephemeral values of the instance ${\prod }_P^n$.
• $Reaveal\left({\prod }_P^n\right)$: The query is designed to simulate known session key attack. If there is a valid session from the instance ${\prod }_P^n$, returns the shared session key to $\mathcal{A}$. Otherwise, returns null.
• $Test({\prod }_P^n)$: This query is used to model the capability of the adversary $\mathcal{A}$ to distinguish between a random number and a real session key $SK$ by flipping an unbiased coin b. If the session key of the instance ${\prod }_P^n$ has been defined, the session key of ${\prod }_P^n$ will be responded to $\mathcal{A}$ if $b=1$ or a random value will be returned if $b=0$; otherwise, ⊥ will be responded.
• $H_1(x,v_1)$: As soon as the adversary $\mathcal{A}$ makes $H_1$ query adaptively on the message x, it returns the existing $v_1$ if the list $L_1$ exist a tuple $\left\{x,v_1\right\}$, where $L_1$ initially is an empty set; otherwise, it picks a random value $v_1^{{}^{\prime }}$, stores the tuple $\left\{x,v_1^{{}^{\prime }}\right\}$ in the list $L_1$ and returns $v_1^{{}^{\prime }}$ to $\mathcal{A}$.
• $H_2(y,v_2)$: Upon receiving the query about y from the adversary $\mathcal{A}$, examines whether the tuple $\left\{y,v_2\right\}$ is in $L_2$, where $L_2$ initially is an empty set. If so, it responds to the existing $v_2$ to $\mathcal{A}$; otherwise, it generates a random value $v_2^{{}^{\prime }}$, stores the tuple $\left\{y,v_2^{{}^{\prime }}\right\}$ in the list $L_2$ and returns $v_2^{{}^{\prime }}$ to $\mathcal{A}$.

The adversary $\mathcal{A}$ could issue any $Test$ query to the instances after being provided with the above queries. The output of $Test$ query is relevant to the bit b. At last, $\mathcal{A}$ outputs a guessing bit $b^{{}^{\prime }}$ about b. $\mathcal{A}$ is successful if $b^{{}^{\prime }}=b$. Let $Succ$ represent the event that $\mathcal{A}$ succeeds in the game, the advantage of the adversary $\mathcal{A}$ is defined as follows:

$$Ad{v}_{\mathcal{A}}^{Ind}=\mid 2·Pr\left[Succ\right]-1\mid$$

If the advantage $Ad{v}^{ake}(\mathcal{A})$ is negligible, then we conclude that the proposed scheme is secure.

2.3. Elliptic Curve Discrete Logarithm Problem

Let G be a cyclic additive elliptic curve group with the prime order q and P is a generator of G. Suppose that the multiplication and inversion operation in G can be computed efficiently, the two intractable problems in G are defined as follows:

• Elliptic curve discrete logarithm (ECDL) problem: Given $P,aP\in G$ for unknown $a\in Z_q^{*}$, to find a.
• Elliptic curve computational Diffie-Hellman (ECCDH) problem: Given P, $aP$, $bP\in G$ for unknown a, $b\in Z_q^{*}$, to compute $abP$.

3. The Proposed Scheme

In this section, we describe the proposed scheme in detail. It consists of four phases: system set up, user registration, sensor node registration and authentication phase.

Table 1. NOTATIONS.

Symbol	Definition
$E_p(a,b)$	An elliptic curve over a prime finite $Z_p$ defined by the equation $y^2=x^3+ax+b$ $mod$ p
G	An elliptic curve group with the order q, where G is constitutive of all points on E and the point at infinity O
P	A generator of the group G
$p,q$	Two large prime numbers
U	User
S	Sensor node
$GWN$	Gateway node
$I{D}_U$	Identity of the user U
$I{D}_S$	Identity of the sensor node S
$h,H_1,H_2$	Three collision-resistant one-way hash functions, where $h:{\left\{0,1\right\}}^{*}\to$ $z_q^{*}$, $H_1:{\left\{0,1\right\}}^{*}\to z_q^{*}$,$H_2:{\left\{0,1\right\}}^{*}\to z_q^{*}$
$P=\left(P^{(x)},P^{(y)}\right)$	An elliptic curve point in a non-singular elliptic curve $E_p(a,b)$, $P^{(x)}$ and $P^{(y)}$ are x and y coordinates of P respectively
$d_{GWN},Q_{GWN}$	The private key and the corresponding public key of $GWN$ respectively
$d_U,Q_U$	The private key and the corresponding public key of U respectively
$d_S,Q_S$	The private key and the corresponding public key of S respectively
r	The random number selected by involved entities
$t_U,t_{GWN},t_S$	The time stamps of $U,GWN,S$ respectively
$\Delta t$	Maximum transmission delay
⊕	The XOR operation
‖	Thet concatenation operation

summarizes all the notations used in this paper.

3.1. System Setup Phase

System setup is performed by $GWN$ as follows,

• $GWN$ chooses a non-singular elliptic curve $E_p(a,b)$ over a prime finite $Z_p$, where p is a large prime. Let G be an elliptic curve group. Then, $GWN$ chooses a generator P of order q over $E_p$. $GWN$ selects its private key $d_{GWN}$ and computes the public key $Q_{GWN}=d_{GWN}P$ in accordance with $d_{GWN}$.
• $GWN$ selects three collision-resistant one-way hash functions $h,H_1,H_2:{\{0,1\}}^{*}\to Z_q$.
• Finally, the system parameters $params=\left\{E_p(a,b),P,p,q,h,H_1,H_2,Q_{GWN}\right\}$ is published while the private key $d_{GWN}$ is kept secretly by $GWN$.

3.2. Registration Phase

A user U registers at the gateway node $GWN$ in line with the requirement, while a regular sensor node S registers at $GWN$ offline. A detailed process of registration process about U and S is highlighted as below.

3.2.1. User Registration Phase

The registration process is between the $GWN$ and U is as follows:

• U selects an identity $I{D}_U$, a private key $d_U$ and then gets the public key $Q_U=d_{U}P$ according to $d_U$. Then, U calculates the registration message $MI{D}_U=h\left(I{D}_U\right)$, and sends it to $GWN$ via a non-public channel.
• After receiving the registration message from U, $GWN$ calculates $M_U=h\left(MI{D}_U\Vert d_{GWN}\right)$ and returns it to U via a non-public channel.
• U computes $M_U^{*}=M_U\oplus h\left(I{D}_U\Vert d_U\right)$ and deletes $M_U$.

3.2.2. Sensor Node Registration Phase

S proceeds offline registration with the help of $GWN$ as below:

• S generates its identity $I{D}_S$, private key $d_S$ and computes the corresponding public key $Q_S=d_{S}P$ and $h(I{D}_S\Vert d_S)$. Then, S sends $\left\{I{D}_S,Q_S,h(I{D}_S\Vert d_S)\right\}$ to GWN via a non-public channel.
• After receiving the message $\left\{I{D}_S,Q_S,h(I{D}_S\Vert d_S)\right\}$ from S, $GWN$ computes $R_S=\left(h\left(I{D}_S\Vert d_S\right)+h\left(I{D}_S\Vert d_{GWN}\right)\right)P$ and sent it to S. $GWN$ publish $Q_S$ and stores $\{I{D}_S,Q_S,R_S\}$ into its database.
• Upon receiving $R_S$ from $GWN$, S stores it into its memory.

3.3. Authentication and Key Agreement Phase

When the user U wants to access the sensor node S, he or she initiates this phase by issuing a request via $GWN$. This phase enables $GWN$, U and S to effectively authenticate each other and then establish a session key between U and S. If a session key is negotiated successfully by U and S, then they can exchange private messages with each other via a public channel. A detailed description of the steps of this phase are as follows:

• U selects a random number $r_U\in z_q^{*}$, generates the current timestamp $t_1$ and computes $E_U=r_{U}P$, $M_U^{{}^{\prime }}=M_U^{*}\oplus h\left(I{D}_U\Vert d_U\right)$, $N_U=r_U{Q}_{GWN}=(N_U^{(x)}$, $N_U^{(y)})$, $AI{D}_U=MI{D}_U\oplus N_U^{\left(y\right)}$, $K_U=(r_U+d_U)Q_{GWN}$ and $h_U=H_1(K_U\Vert M_U^{{}^{\prime }}\Vert t_1)$. Then, U sends the request message $\left\{E_U,AI{D}_U,h_U,t_1\right\}$ via a public channel to GWN.
• When $GWN$ receives the authentication request message from U at the time $t_1^{{}^{\prime }}$, it checks whether the condition $|t_1^{{}^{\prime }}-t_1|\le \Delta t$ holds. If yes, $GWN$ then computes: $N_U^{{}^{\prime }}=d_{GWN}{E}_U=(N_U^{{(x)}^{\prime }}$, $N_U^{{(y)}^{\prime }})$. $GWN$ then verifies U by computing the following: $MI{D}_U^{{}^{\prime }}=AI{D}_U\oplus N_U^{{\left(y\right)}^{\prime }}$, $M_U=h(MI{D}_U^{{}^{\prime }}\Vert d_{GWN})$, $K_U^{{}^{\prime }}=d_{GWN}(Q_U+E_U)$, and $h_U^{{}^{\prime }}=H_1\left(K_U^{{}^{\prime }}\Vert M_U\Vert t_1\right)$. $GWN$ verifies if the equation $h_U^{{}^{\prime }}=h_U$ holds or not. If the verification does not hold, $GWN$ rejects the user’s authentication request; else, goes to 3.
• $GWN$ generates its current timestamp $t_2$, selects a random number $r_{GWN}\in z_q^{*}$ and calculates: $E_{GWN}=r_{GWN}P$, $K_{GWN}=(r_{GWN}+d_{GWN})Q_S$, $M_{GWN}=N_U^{{(x)}^{\prime }}\oplus h\left(R_S\Vert K_{GWN}\Vert E_{GWN}\right)$, $h_{GWN}=H_1\left(K_{GWN}\Vert I{D}_S\Vert t_2\right)$. Then, the gateway node $GWN$ sends the message {$E_U$, $E_{GWN}$, $M_{GWN}$, $h_{GWN}$, $t_2$, $t_1$} to S via a public channel.
• Upon receiving the authentication message from $GWN$ at time $t_2^{{}^{\prime }}$, S first checks the validity of the timestamp on the condition $|t_2^{{}^{\prime }}-t_2|\le \Delta t$. If $t_2$ is invalid, S terminates the session. If it is valid, S then computes: $K_{GWN}^{{}^{\prime }}=d_S(E_{GWN}+Q_{GWN})$, $N_U^{{(x)}^{″}}=M_{GWN}\oplus h\left(R_S\Vert K_{GWN}^{{}^{\prime }}\Vert E_{GWN}\right)$, and $h_{GWN}^{{}^{\prime }}=H_1\left(K_{GWN}^{{}^{\prime }}\Vert I{D}_S\Vert t_2\right)$. Next, S verifies $h_{GWN}^{{}^{\prime }}$. If $h_{GWN}^{{}^{\prime }}=h_{GWN}$, the sensor node S accepts $GWN$ and goes to 5; otherwise, it rejects $GWN$.
• S generates its current timestamp $t_3$ and selects a random number $r_S\in z_q^{*}$, and computes $E_S=r_{S}P$, $K_S=r_S\left(R_S-h(I{D}_S\Vert d_S)P\right)$, $h_S=H_1\left(K_S\Vert I{D}_S\Vert t_3\right)$, $s{k}_S=r_S(E_U+N_U^{{(x)}^{\prime }}P)$ and $Aut{h}_S=H_1(s{k}_S\Vert t_3)$. S sends the message $\left\{E_S,t_3,h_S,Aut{h}_S\right\}$ to $GWN$ via a public channel. Then, S computes the session key $SK=H_2(s{k}_S\Vert E_S\Vert E_U\Vert t_3\Vert t_1)$.
• Upon receiving the replied message from S at time $t_3^{{}^{\prime }}$, $GWN$ checks the validity of $t_3$ on the condition $|t_3^{{}^{\prime }}-t_3|\le \Delta t$. If $t_3$ is valid, $GWN$ computes $K_S^{{}^{\prime }}=h\left(I{D}_S\Vert d_{GWN}\right)E_S$ and $h_S^{{}^{\prime }}=H_1\left(K_S^{{}^{\prime }}\Vert I{D}_S\Vert t_3\right)$. Then, $GWN$ checks whether $h_S^{{}^{\prime }}=h_S$. If yes, $GWN$ generates its current timestamp $t_4$, computes $Aut{h}_{GWN}=H_1(r_{GWN}{Q}_U\Vert M_U\Vert t_4)$ and sends the message $\left\{E_S,E_{GWN},t_3,t_4,Aut{h}_S,Aut{h}_{GWN}\right\}$ to U.
• After receiving the replied message from $GWN$ at time $t_4^{{}^{\prime }}$, U checks the validity of $t_4^{{}^{\prime }}$ with the condition $|t_4^{{}^{\prime }}-t_4|\le \Delta t$. If it is valid, U computes $Aut{h}_{GWN}^{{}^{\prime }}=H_1(d_U{E}_{GWN}\Vert M_U^{{}^{\prime }}\Vert t_4)$ and checks whether $Aut{h}_{GWN}^{{}^{\prime }}=Aut{h}_{GWN}$. If yes, U computes $s{k}_U=(r_U+N_U^{(x)})E_S$, $Aut{h}_S^{{}^{\prime }}=H_1(s{k}_U\Vert t_3)$. Then, U checks whether $Aut{h}_S^{{}^{\prime }}=Aut{h}_S$. If yes, U calculates the secret session key $SK=H_2(s{k}_U\Vert E_S\Vert E_U\Vert t_3\Vert t_1)$.

The process of authentication and key agreement is visually illustrated in Figure 2.

4. Analysis of Correctness and Security

In this section, the correctness of the proposed scheme is validated using BAN-logic and the security of our scheme is proved under the random oracle model. In addition, some other security features are also discussed in the end.

4.1. Correctness

With the formal validation tool Burrows-Abadi-Needham Logic (BAN-logic) [27], we provide the proof of correctness of the proposed scheme in this section. Let U be the user, S represent the sensor node and $GWN$ denote the gateway node. We demonstrate that a session key can be created successfully after the process of mutual authentication among S and U. Now, the basic notations of BAN-logic are given below:

• $P\mid \equiv X$: P believes X.
• $P◃X$: P sees X. i.e., P has received messages containing X.
• $P\mid \sim X$: P said X. i.e., P has sent messages containing X.
• $P\mid \Rightarrow X$: P controls X.
• $\#(X)$ or $fresh(X)$: X is a fresh message. X is usually a temporary value.
• $(X)$: The hashed value of X.
• $P\stackrel{K}{⟷}Q$: K is a shared secret key between P and Q.
• ${〈X〉}_Y$: X is combined with secret Y.
• $\left(X,Y\right)$: X or Y is one part of $(X,Y)$.

Some logic postulates of BAN-logic are described as follows:

• Message-meaning rule$(MMR)$: $\frac{P\mid \equiv Q\stackrel{k}{⟷}P,P◃{\left\{X\right\}}_K}{P\mid \equiv Q\mid \sim X}$ or $\frac{PbelievesQ\stackrel{k}{⟷}P,Psees{\left\{X\right\}}_K}{PbelievesQsaidX}$
  If P believes that K is a shared secret key between P and Q and has received messages containing X, P believes that Q has sent messages containing the message X.
• Nonce-verification rule$(NVR)$: $\frac{P\mid \equiv \#(X),P\mid \equiv Q\mid \sim X}{P\mid \equiv Q\mid \equiv X}$ or $\frac{Pbelievesfresh(X),PbelievesQsaidx}{PbelievesQbelievesX}$
  If P believes that X is a fresh message and Q has sent messages containing the message X, P believes that Q believes the message X.
• Jurisdiction rule$(JR)$: $\frac{P\mid \equiv Q\Rightarrow X,P\mid \equiv Q\mid \equiv X}{P\mid \equiv X}$ or $\frac{PbelievesQcontrolsX,PbelievesQbelievesX}{PbelievesX}$
  If P believes that Q controls the message X and Q believes the message X, P believes the message X.
• Freshness rule$(FR)$: $\frac{P\mid \equiv \#(X)}{P\mid \equiv \#(X,Y)}$ or $\frac{Pbelievesfresh(X)}{Pbelievesfresh(X,Y)}$
  If P believes that X is a fresh message, P believes $(X,Y)$ is fresh messages.
• Belief rule$(BR)$: $\frac{P\mid \equiv (X,Y)}{P\mid \equiv X}$ or $\frac{Pbelieves(X,Y)}{Pbelieves(X)}$
  If P believes the messages $(X,Y)$, P believes the message X.

Our proposed scheme can realize the establishment of a secret session key $SK$ between U and S, and the following goals can be achieved after the protocol execution.

• Goal 1: $U\mid \equiv (U\stackrel{SK}{⟷}S)$
• Goal 2: $S\mid \equiv (U\stackrel{SK}{⟷}S)$

The exchange of messages during the authentication phase is depicted as follows:

• Message 1: $GWN\to S$: ${〈r_{GWN}P,t_2,\left(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S\right)〉}_{R_S}$
• Message 2: $GWN\to S$: ${〈r_{U}P,r_{GWN}P,t_2,t_1,\left(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S\right)〉}_{K_{GWN}}$
• Message 3: $GWN\to U$: ${〈r_{S}P,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right)〉}_{M_U}$
• Message 4: $GWN\to U$: ${〈r_{S}P,t_3,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right),\left(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S\right)〉}_{r_{GWN}{Q}_U}$

To proceed the derivation, the initial state assumptions are set as A1–A9:

• A1: $S\mid \equiv \#(t_2)$
• A2: $S\mid \equiv \#(t_1)$
• A3: $U\mid \equiv \#(t_4)$
• A4: $S\mid \equiv GWN\stackrel{\underleftrightarrow{R_S}}{}S$
• A5: $U\mid \equiv U\stackrel{\underleftrightarrow{M_U}}{}GWN$
• A6: $S\mid \equiv GWN\mid \Rightarrow \left(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S\right)$
• A7: $S\mid \equiv GWN\mid \Rightarrow \left(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S\right)$
• A8: $U\mid \equiv GWN\mid \Rightarrow \left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right)$.
• A9: $U\mid \equiv GWN\mid \Rightarrow \left(U\stackrel{\underleftrightarrow{s{k}_S}}{}S\right)$.

U and S intend to share a session key $SK$ to achieve confidential communication. As stated above, the mutual authentication between U and S shows that $Goal$ 1 and $Goal$ 2 can be achieved in the end. The result is proved as follows:

• From Message 1, we have:

  $$S◃{〈r_{GWN}P,t_2,\left(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S\right)〉}_{R_S}$$

  (1)

  S has received the message $\{r_{GWN}P,t_2,(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S)\}$ encrypted by $R_S$.
• According to the message-meaning rule, if the Formula (1) and the state assumption A4 hold at the same time, we can infer that:

  $$S\mid \equiv GWN\mid \sim 〈r_{GWN}P,t_2,\left(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S\right)〉$$

  (2)

  S believes that $GWN$ has sent the messages $\{r_{GWN}P,t_2,(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S)\}$.
• According to the freshness rule, if the state assumption A1 holds, we then obtain:

  $$S\mid \equiv \#〈r_{GWN}P,t_2,\left(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S\right)〉$$

  (3)

  S believes the message $\{r_{GWN}P,t_2,(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S)\}$ are fresh.
• According to the nonce-verification rule, if the Formula (2) and (3) hold at the same time, we can deduce:

  $$S\mid \equiv GWN\mid \equiv 〈r_{GWN}P,t_2,\left(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S\right)〉$$

  (4)

  S believes that $GWN$ believes the message $\{r_{GWN}P,t_2,(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S)\}$ are real.
• According to the belief rule, if the Formula (4) holds, we can get:

  $$S\mid \equiv GWN\mid \equiv \left(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S\right)$$

  (5)

  S believes that $GWN$ believes $K_{GWN}$ is a shared secret key between $GWN$ and S.
• According to the jurisdiction rule, if the Formula (5) and the state assumption A6 hold at the same time, we can obtain:

  $$S\mid \equiv \left(GWN\stackrel{\underleftrightarrow{K_{GWN}}}{}S\right)$$

  (6)

  S believes that $K_{GWN}$ is a shared secret key between $GWN$ and S.
• From Message 2, we can have:

  $$S◃{〈r_{U}P,r_{GWN}P,t_2,t_1,\left(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S\right)〉}_{K_{GWN}}$$

  (7)

  S has received the message $\{r_{U}P,r_{GWN}P,t_2,t_1,(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S)\}$ encrypted by $K_{GWN}$.
• According to the message-meaning rule, if the Formula (6) and (7) hold at the same time, we can infer that:

  $$S\mid \equiv GWN\mid \sim 〈r_{U}P,r_{GWN}P,t_2,t_1,\left(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S\right)〉$$

  (8)

  S believes that $GWN$ has sent the message $\{r_{U}P,r_{GWN}P,t_2,t_1,(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S)\}$.
• According to the freshness rule, if the state assumption A2 holds, we can deduce:

  $$S\mid \equiv \#〈r_{U}P,r_{GWN}P,t_2,t_1,\left(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S\right)〉$$

  (9)

  S believes the messages $\{r_{U}P,r_{GWN}P,t_2,t_1,(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S)\}$ are fresh.
• According to the nonce-verification rule, if the Formula (8) and (9) hold at the same time, we can get:

  $$S\mid \equiv GWN\mid \equiv 〈r_{U}P,r_{GWN}P,t_2,t_1,\left(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S\right)〉$$

  (10)

  S believes that $GWN$ believes the message $\{r_{U}P,r_{GWN}P,t_2,t_1,(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S)\}$ are real.
• According to the belief rule, if the Formula (10) holds, we can obtain:

  $$S\mid \equiv GWN\mid \equiv \left(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S\right)$$

  (11)

  S believes that $GWN$ believes $N_U^{(x)}$ is a shared secret key between U and S.
• According to the jurisdiction rule, if the Formula (11) and the state assumption A7 hold at the same time, we can have:

  $$S\mid \equiv \left(U\stackrel{\underleftrightarrow{N_U^{{(x)}^{″}}=N_U^{(x)}}}{}S\right)$$

  (12)

  S believes that $N_U^{(x)}$ is a shared secret key between U and S.
• According to the belief rule, if the Formula (12) holds, the Formula (13) holds, we can infer:

  $$S\mid \equiv \left(U\stackrel{\underleftrightarrow{SK}}{}S\right)Goal2$$

  (13)

  S believes that $SK$ is a shared secret key between U and S, which can be seen that $Goal2$ has been achieved.
• From Message 3, we can get:

  $$U◃{〈r_{S}P,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right)〉}_{M_U}$$

  (14)

  U has received the message $\{r_{S}P,t_4,(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN)\}$ encrypted by $M_U$.
• According to the message-meaning rule, if the Formula (14) and the state assumption A5 hold at the same time, we can deduce:

  $$U\mid \equiv GWN\mid \sim 〈r_{S}P,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right)〉$$

  (15)

  U believes that $GWN$ has sent the message $\{r_{S}P,t_4,(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN)\}$.
• According to the freshness rule, if the state assumption A3 holds, we can have:

  $$U\mid \equiv \#〈r_{S}P,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right)〉$$

  (16)

  U believes the message $\{r_{S}P,t_4,(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN)\}$ are fresh.
• According to the nonce-verification rule, if the Formula (15) and (16) hold at the same time, we can obtain:

  $$U\mid \equiv GWN\mid \equiv 〈r_{S}P,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right)〉$$

  (17)

  U believes that $GWN$ believes the message $\{r_{S}P,t_4,(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN)\}$ are real.
• According to the belief rule, if the Formula (17) holds, we can infer:

  $$U\mid \equiv GWN\mid \equiv \left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right)$$

  (18)

  U believes that $GWN$ believes $r_{GWN}{Q}_U$ is a shared secret key between U and $GWN$.
• According to the jurisdiction rule, if the Formula (18) and the state assumption A8 hold at the same time, we can deduce:

  $$U\mid \equiv \left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right)$$

  (19)

  U believes that $r_{GWN}{Q}_U$ is a shared secret key between U and $GWN$.
• From Message 4, we can get:

  $$U◃{〈r_{S}P,t_3,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right),\left(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S\right)〉}_{r_{GWN}{Q}_U}$$

  (20)

  which means that U has received the message $\{r_{S}P,t_3,t_4,(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN),(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S)\}$ encrypted by $r_{GWN}{Q}_U$.
• According to the message-meaning rule, if the Formula (19) and (20) and the state assumption A5 hold at the same time, we can deduce:

  $$U\mid \equiv GWN\mid \sim 〈r_{S}P,t_3,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right),\left(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S\right)〉$$

  (21)

  which means that U believes that $GWN$ has sent the message $\{r_{S}P,t_3,t_4,(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN),(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S)\}$.
• According to the freshness rule, if the state assumption A3 holds, we can have:

  $$U\mid \equiv \#〈r_{S}P,t_3,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right),\left(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S\right)〉$$

  (22)

  which means that U believes the message $\{r_{S}P,t_3,t_4,(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN),(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S)\}$ are fresh.
• According to the nonce-verification rule, if the Formula (21) and (22) hold at the same time, we can obtain:

  $$U\mid \equiv GWN\mid \equiv 〈r_{S}P,t_3,t_4,\left(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN\right),\left(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S\right)〉$$

  (23)

  U believes that $GWN$ believes the message $\{r_{S}P,t_3,t_4,(U\stackrel{\underleftrightarrow{r_{GWN}{Q}_U}}{}GWN),(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S)\}$ are real.
• According to the belief rule, if the Formula (23) holds, we can infer:

  $$U\mid \equiv GWN\mid \equiv \left(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S\right)$$

  (24)

  U believes that $GWN$ believes $s{k}_U$ is a shared secret key between U and S.
• According to the jurisdiction rule, if the Formula (24) and the state assumption A9 hold at the same time, we can deduce:

  $$U\mid \equiv \left(U\stackrel{\underleftrightarrow{s{k}_U=s{k}_S}}{}S\right)$$

  (25)

  U believes that $s{k}_U$ is a shared secret key between U and S.
• According to the belief rule, if the Formula (25) holds, we can have:

  $$U\mid \equiv \left(U\stackrel{\underleftrightarrow{SK}}{}S\right)Goal1$$

  (26)

  U believes that $SK$ is a shared secret key between U and S.

At this point, it can be seen that $Goal1$ and $Goal2$ have been achieved, which means that the proposed scheme is correct and feasible.

4.2. Security

We first demonstrate that our proposed scheme possesses semantic security under the random oracle model.

Theorem 1.

Let $\mathcal{A}$ denote an adversary within a polynomial time t against the proposed protocol under the random oracle model, then we have:

$$Ad{v}_{\mathcal{A}}^{Ind}⩽\frac{q_{H_1}^2}{\mid H_1\mid }+\frac{q_{H_2}^2}{\mid H_2\mid }+\frac{{(q_{exe}+q_{send})}^2}{p}+2Ad{v}_{\mathcal{A}}^{ECCDH}(t)$$

where $Ad{v}_{\mathcal{A}}^{ECCDH}(t)$ is the advantage of $\mathcal{A}$ breaks the ECCDH problem; $q_{H_1}$, $q_{H_2}$, $q_{exe}$, $q_{send}$ represent the number of $H_1$, $H_2$, $Execute$ and $Send$ queries respectively; $|H_1|$, $|H_2|$ denote the range space of $H_1$ and $H_2$ function respectively.

Proof. 

Let $Suc{c}_i$ represent the event that $\mathcal{A}$ wins in the game $G_i$, i.e., $\mathcal{A}$ guesses bit b, where $i=\left[0,3\right]$.

Game$G_0$: In $G_0$, a real attack against our proposed scheme from $\mathcal{A}$ is simulated. Firstly, the value of b is selected randomly. According to the above definitions, we obtain:

$$Ad{v}_{\mathcal{A}}^{Ind}=2·Pr\left[Suc{c}_0\right]-1$$

(27)

Game$G_1$: To increase the probability that $\mathcal{A}$ wins game, the query $Execute$ is used to model the eavesdropping attacks. Since its goal is to get some information about $SK$, $\mathcal{A}$ has to compute $s{k}_U$ or $s{k}_S$ according to the definition of the proposed scheme; however, $s{k}_U=r_S(r_U+N_U^{(x)})P$, where $r_U$, $r_S$ are unknown. Without corrupting the gateway node $GWN$ to get $d_{GWN}$, the probability of success would not be increased just by eavesdropping the transmitted messages, which implies that

$$Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right]$$

(28)

Game$G_2$: The game is transferred from $G_1$ is used to simulate active attacks by adding $H_1$, $H_2$ and $Send$ oracles in which $\mathcal{A}$ tries to forge messages. By arbitrarily issuing queries to $H_1$, $H_2$, $\mathcal{A}$ attempts to capture collisions. The probability of collisions is at most $(\frac{q_{H_1}^2}{\mid H_1\mid }+\frac{q_{H_2}^2}{\mid H_2\mid })$ according to the birthday paradox. The probability of collisions in the transcripts is at most $\frac{{(q_{send}+q_{exe})}^2}{p}$. Therefore, we get:

$$|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_2\right]|⩽\frac{q_{H_1}^2}{2\mid H_1\mid }+\frac{q_{H_2}^2}{2\mid H_2\mid }+\frac{{(q_{exe}+q_{send})}^2}{2p}$$

(29)

Game$G_3$: $G_3$ models the attack that the the gateway node $GWN$ has been corrupted. By issuing $Corrupt({\prod }_P^k)$ oracles, $\mathcal{A}$ can get the long-term key of $GWN$. According to the definition, the common secret value $s{k}_S$ or $s{k}_U$ are the core of the session key $SK$. Considering the following fact,

$$\begin{array}{cc}\hfill s{k}_U& =s{k}_S\hfill \\ & =r_S(r_U+N_U^{(x)})P=r_U{r}_{S}P+r_S{N}_U^{(x)}P\hfill \\ & =r_U{r}_{S}P+{(d_{GWN}{E}_U)}^{(x)}{E}_S\hfill \end{array}$$

Thus, $\mathcal{A}$ can use the long-term key $d_{GWN}$ to compute partial value from transcripts. The probability of success of $\mathcal{A}$ between $G_3$ and $G_2$ would not be greater than the advantage of solving ECCDH problem instance. Let $Ad{v}_{\mathcal{A}}^{ECCDH}$ be the advantage that the adversary $\mathcal{A}$ solves ECCDH problem instance within t in this game. Hence, we get

$$|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_3\right]|⩽Ad{v}_{\mathcal{A}}^{ECCDH}(t)$$

(30)

To win the game $G_3$, $\mathcal{A}$ has no choice but guess the bit b, which leads to the following result

$$Pr\left[Suc{c}_3\right]=\frac{1}{2}$$

(31)

Thus, from (28)–(31), we get

$$\begin{array}{cc}\hfill |Pr\left[Suc{c}_0\right]-\frac{1}{2}|& =|Pr\left[Suc{c}_0\right]-Pr\left[Suc{c}_3\right]|\hfill \\ & ⩽|Pr\left[Suc{c}_0\right]-Pr\left[Suc{c}_1\right]|+|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_2\right]|\hfill \\ & +|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_3\right]|\hfill \\ & ⩽\frac{q_{H_1}^2}{2\mid H_1\mid }+\frac{q_{H_2}^2}{2\mid H_2\mid }+\frac{{(q_{send}+q_{exe})}^2}{2p}+Ad{v}_{\mathcal{A}}^{ECCDH}(t)\hfill \end{array}$$

From (27), we have $Pr\left[Suc{c}_0\right]=Ad{v}_{\mathcal{A}}^{Ind}/2+1/2$. Hence,

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{A}}^{Ind}⩽\frac{q_{H_1}^2}{\mid H_1\mid }+\frac{q_{H_2}^2}{\mid H_2\mid }+\frac{{(q_{send}+q_{exe})}^2}{p}+2Ad{v}_{\mathcal{A}}^{ECCDH}(t)\end{array}$$

□

4.3. Deniable Authentication

In our proposed scheme, the polynomial time deniability means that the gateway node as a receiver can simulate the messages sent by the user which are indistinguishable for any third party. The concrete simulation process of $GWN$ is as follows:

• $GWN$ selects a random number $\overline{r_U}\in z_q^{*}$, computes $\overline{E_U}=\overline{r_U}P$ and $\overline{N_U}=\overline{r_U}{Q}_{GWN}=(\overline{N_U^{(x)}},\overline{N_U^{(y)}})$.
• $GWN$ chooses a user pseudo-identity $\overline{h(I{D}_U)}$ and a public key, computes $\overline{AI{D}_U}=\overline{h(I{D}_U)}\oplus \overline{N_U^{(y)}}$, $\overline{K_U}=d_{GWN}(\overline{E_U}+\overline{Q_U})$ and $\overline{h_U}=H_1(\overline{K_U}\Vert h(\overline{h(I{D}_U)\Vert d_{GWN}})\Vert t_1)$.

$GWN$ sends $\overline{E_U},\overline{AI{D}_U},\overline{h_U},t_1$ to the third party. After receiving the message, the third party cannot get any information related to the user by $\overline{AI{D}_U}$. In addition, $\overline{h_U}$ can be calculated by the user or the gateway. Hence, the third party is unable to determine the true source of the message. Therefore, our proposed scheme achieves deniable authentication.

4.4. Anonymity

Since the transmitted authentication messages are carried via a public channel, an outside adversary can easily eavesdrop the communication. However, our proposed scheme can preserve the anonymity of the user. Suppose that an adversary $\mathcal{A}$ intercepts $\left\{E_U,AI{D}_U,h_U,t_1\right\}$ during the authentication phase and attempts to reveal some information about the user’s identity. $\mathcal{A}$ obtains $N_U=r_U{Q}_{GWN}=(N_U^{(x)},N_U^{(y)})$, $AI{D}_U=MI{D}_U\oplus N_U^{\left(y\right)}$, which $MI{D}_U=h(I{D}_U)$. Due to the utilization of random number $r_U$ and one-way hash function, $\mathcal{A}$ cannot calculate $N_U$ and get $I{D}_U$. Since the use of the timestamps and random numbers, those intercepted messages by $\mathcal{A}$ are unique and dynamic for each authentication between U, S and $GWN$. Therefore, the proposed scheme ensures user anonymity.

4.5. Mutual Authentication

With the received request message $\left\{E_U,AI{D}_U,h_U,t_1\right\}$U sent, $GWN$ can compute $N_U^{{}^{\prime }}=d_{GWN}{E}_U=(N_U^{{(x)}^{\prime }},N_U^{{(y)}^{\prime }})$ to get the values $M_U$ and $K_U$ and checks the validity of U via the equivalence $h_U=h_U^{{}^{\prime }}$. After receiving the message {$E_U$, $E_{GWN}$, $M_{GWN}$, $h_{GWN}$, $t_2$, $t_1$} from $GWN$, the sensor node S could obtain the values $K_{GWN}$ and $N_U^{{(x)}^{\prime }}$ and then computes $h_{GWN}^{{}^{\prime }}=H_1\left(K_{GWN}^{{}^{\prime }}\Vert I{D}_S\Vert t_2\right)$ to verify the validity of $GWN$ via the equivalence $h_{GWN}=h_{GWN}^{{}^{\prime }}$. Once receiving the message $\left\{E_S,t_3,h_S,Aut{h}_S\right\}$ from S, $GWN$ computes $K_S^{{}^{\prime }}$ and $h_S^{{}^{\prime }}=H_1\left(K_S^{{}^{\prime }}\Vert I{D}_S\Vert t_3\right)$ to check the validity of S via the equivalence $h_S^{{}^{\prime }}=h_S$. Then, $GWN$ sends message {$E_S$, $t_3$, $t_4$, $Aut{h}_S$, $Aut{h}_{GWN}$} to U and U computes $s{k}_U=(r_U+N_U^{(x)})E_S$, $Aut{h}_{GWN}^{{}^{\prime }}=H_1(d_U{E}_{GWN}\Vert M_U^{{}^{\prime }}\Vert t_4)$ and $Aut{h}_S^{{}^{\prime }}=H_1(s{k}_U\Vert t_3)$ and checks the validity of $GWN$ and S by the equivalence $Aut{h}_{GWN}^{{}^{\prime }}=Aut{h}_{GWN}$ and $Aut{h}_S^{{}^{\prime }}=Aut{h}_S$. If the above verification processes are successfully completed, our protocol provides mutual authentication.

4.6. Unlinkability

In our proposed scheme, the real identities or related information of all participants are not sent in plaintext over the insecure network because each transmitted message contains timestamps, random values and one-way hash function values. An outside adversary $\mathcal{A}$ cannot determine whether two or more authentication messages come from the same participant. Therefore, the transmitted messages cannot be linked by the adversary.

4.7. Traceability

In our proposed scheme, given a disputed message $\left\{E_U,AI{D}_U,h_U,t_1\right\}$, only the trusted gateway node($GWN$) can reveal the identity of the user. With above message, $GWN$ computes $N_U^{{}^{\prime }}=d_{GWN}{E}_U=(N_U^{{(x)}^{\prime }},N_U^{{(y)}^{\prime }})$ and $MI{D}_U^{{}^{\prime }}=AI{D}_U\oplus N_U^{{\left(y\right)}^{\prime }}$ to get the user’s identity $MI{D}_U$. In addition, the tracing process does not need real user to participate because the message $\left\{E_U,AI{D}_U,h_U,t_1\right\}$ sent by the user contains sufficient information to derive the user identity. Therefore, our proposed scheme achieves traceability.

4.8. Resistance to Impersonation Attack

Assume an adversary $\mathcal{A}$ intercepts message $\left\{E_U,AI{D}_U,h_U,t_1\right\}$ to impersonate a user, where $E_U=r_{U}P$, $AI{D}_U=MI{D}_U\oplus N_U^{\left(y\right)}$, $K_U=(r_U+d_U)Q_{GWN}$, $h_U=H_1(K_U\Vert M_U^{{}^{\prime }}\Vert t_1)$. By following the authentication process, the adversary produces a timestamp $t_1^{{}^{\prime }}$ and a value $r_U^{{}^{\prime }}\in Z_q^{*}$ randomly to get $E_U^{{}^{\prime }}$, $AI{D}_U^{{}^{\prime }}$ and $K_U^{{}^{\prime }}$. However, $\mathcal{A}$ is unable to successfully compute $h_U^{{}^{\prime }}$ because he or she does not has the user’s real identity $I{D}_U$ and private key $d_U$. Hence, our scheme can resist such attacks according to the above analysis.

4.9. Resistance to Replay Attack

Suppose an adversary $\mathcal{A}$ intercepts all transmitted messages between participants and then attempts to replay some or all of them. In our scheme, however, timestamps and random numbers are integrated into the generation of the messages for U, $GWN$, S, thus the freshness of messages is well preserved. Therefore, the proposed protocol can resist replay attacks.

4.10. Forward Security

Assume an adversary $\mathcal{A}$ could get the private keys of all participants, i.e., $d_U$, $d_{GWN}$, $d_S$. Even if the adversary $\mathcal{A}$ had obtained the current session key $SK=H_2\left(s{k}_U\Vert E_S\Vert E_U\Vert t_3\Vert t_1\right)$, he or she cannot derive the previous session key. However, due to $s{k}_U=s{k}_S=(r_U+N_U^{(x)})E_S=r_U{r}_{S}P+{(d_{GWN}{E}_U)}^{(x)}{E}_S$, where $r_U$ and $r_S$ are chosen randomly by U and S respectively. $\mathcal{A}$ can never obtain the previous session key since the difficulty of the ECCDH problem. So, our proposed scheme achieves forward security.

5. Performance Comparison

In this section, we evaluate the performance of our scheme regarding the computational cost in the authentication phase. Moreover, we present the comparison between the proposed scheme and some existing similar schemes [15,16,21,23,24,25]. For convenience, we use the symbols in

Table 2. Approximate running time of operations.

Operation	Description	Computation Time (ms)
$T_h$	a hash function	$3\times {10}^{-3}$
$T_{bp}$	a bilinear pairing	$2.14\times {10}^{-1}$
$T_{pmul}$	a ECC-based point multiplication	$1.6\times {10}^{-2}$
$T_{padd}$	a ECC-based point addition	$6.07\times {10}^{-1}$

to denote the computational cost regarding hash operation, ECC-based operation and bilinear paring operation and the approximate running time required of various operations is presented in Table 2.

Please note that we only consider the operations listed in Table 2 since the running time of addition operation and XoR operation is ignorable. To fairly compare the computational time cost of these similar protocols. The experiments use OpenSSL and JPBC cryptographic libraries, and then are programmed with Visual C language.

Table 3. Comparison of computational cost.

Protocol	Computational Cost	Running Time (ms)
Ours	$18T_h+17T_{pmul}+4T_{padd}$	≈3.791
[15]	$9T_h+15T_{pmul}+3T_{padd}+9T_{bp}$	≈8.705
[16]	$9T_h+8T_{pmul}+2T_{padd}+6T_{bp}$	≈5.927
[21]	$10T_h+5T_{pmul}+2T_{bp}$	≈2.779
[23]	$14T_h+8T_{pmul}+3T_{padd}$	≈2.079
[24]	$15T_h+7T_{pmul}+9T_{bp}$	≈7.041
[25]	$5T_h+7T_{pmul}+6T_{bp}$	≈5.215

and Figure 3 presents the comparisons among the other protocols [15,16,21,23,24,25] and ours.

Table 4. The comparison of security features.

Scheme	Ours	[15]	[16]	[21]	[23]	[24]	[25]
Anonymity	Yes	No	No	No	No	No	No
Mutual authentication	Yes	No	Yes	Yes	Yes	Yes	Yes
Session key security	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Perfect forward secrecy	Yes	Yes	Yes	Yes	No	Yes	Yes
Resistance to replay attack	Yes	No	No	Yes	No	No	No
Resistance to impersonation attack	Yes	Yes	Yes	No	Yes	No	No

presents the comparison of security properties between ours and the above protocols. According to the experimental results, it is observed that our scheme costs 3.791 ms, which is better than [15,16,24,25]. We sort the time consumption on the operations as below: $T_h<T_{padd}<T_{pmul}<T_{bp}$. The hash function spends the least time, while the bilinear pairing operation takes the more time. To fully demonstrate the proposed scheme’s advantage, we define $\left(T_{\left[others\right]}-T_{\left[ours\right]}\right)/T_{\left[others\right]}$, where $T_{\left[others\right]}$ denotes computational cost of the other schemes and $T_{\left[ours\right]}$ represents computational cost of ours, as the improved ratio of ours compared with others [15,16,24,25]. Hence, the improved ratios of the proposed scheme compared with [15,16,24,25] are $(7.041-3.791)/7.041\approx 43.44\%$, $(8.705-3.791)/8.705\approx 58.81\%$, $(5.927-3.791)/5.927\approx 32.51\%$ and $(5.215-3.791)/5.215\approx 23.37\%$ respectively.

Compared to Porambage’s scheme [23] and Wang’s scheme [21], our scheme requires more communication overheads from Table 3 and Figure 3. However, from Table 4 our scheme possesses more desirable security compared with the existing schemes. However, Porambage’s scheme cannot protect against the replay attack and provide the user’s anonymity. In addition, the user’s anonymity can be violated. Wang’s scheme [21] is prone to client impersonation attacks. Specifically, an adversary is able to masquerade as a legitimate client to be authenticated by application provider. Therefore, our proposed scheme provides a better secure communication and higher efficiency than the compared existing schemes in IoT.

6. Conclusions

With the evolution of the Internet of Things, its security is currently drawing wide attention. The privacy protection in communication is a major concern for people. In this article, we proposed an anonymous authentication and key agreement protocol with deniability property using elliptic curve. In our proposed scheme, other participants except the trusted gateway node can obtain nothing regarding the real identity of a user. We have demonstrated that our proposed scheme posses more appropriate security features than similar schemes, which are shown in the BAN logic-based proof and random oracle model-based proof. In addition, we have provided informal analysis to further confirm that our scheme can resist various attacks. By experimental evaluation, we demonstrate that the proposed scheme is efficient according to the comparison on computational costs against other similar protocols. In view of the advantages in security and performance, our proposed scheme is more suitable for IoT systems.

From the analysis, the computational overhead of our proposed scheme become relatively low. Therefore, we aim to achieve a better trade-off among security and efficiency in designing authentication protocols for IoT applications in our future work, so as to meet the requirements of low-cost computation and communication of resource-constrained sensors.