An Anonymous Device to Device Authentication Protocol Using ECC and Self Certified Public Keys Usable in Internet of Things Based Autonomous Devices

Abstract

Two party authentication schemes can be good candidates for deployment in Internet of Things (IoT)-based systems, especially in systems involving fast moving vehicles. Internet of Vehicles (IoV) requires fast and secure device-to-device communication without interference of any third party during communication, and this task can be carried out after registration of vehicles with a trusted certificate issuing party. Recently, several authentication protocols were proposed to enable key agreement in two party settings. In this study, we analyze two recent protocols and show that both protocols are insecure against key compromise impersonation attack (KCIA) as well as both lack of user anonymity. Therefore, this paper proposes an improved protocol that does not only resist KCIA and related attacks, but also offers comparable computation and communication. The security of proposed protocol is tested under formal model as well as using well known Burrows–Abadi–Needham (BAN) logic along with a discussion on security features. While resisting the KCIA and related attacks, proposed protocol also provides comparable trade-of between security features and efficiency and completes a round of key agreement in just $13.42$ ms, which makes it a promising candidate to be deployed in IoT environments.

1. Introduction

A Two-Party Authentication Key Agreement Protocol (2PAKA) shares a secret key after authentication for secure communication between two parties. The certificate based 2PAKA can be deployed in Internet of Things (IoT)-based vehicular environments to offer autonomous device to device communication because in such dynamic and fast moving devices network, the interference of some gateway or trusted authority may lead to delay, and such delays may lead to infeasibility of the whole network [1]. In 2PAKA systems, the vehicle, after registering with the trusted certificate generation authority, gets a private and public key pair based credentials of both trusted authority and the requesting vehicle. However, the security and privacy of such schemes remain on stake due to open architecture beneath the communication. Such architecture is shown in Figure 1, involving the smart devices networks and the certificate authority which can also termed as server. Every device in a smart network gets its key pair from certificate authority and then can communicate autonomously without involvement of the authority. In this article the term device and vehicle are used interchangeably as well as server and certificate authority means same.

Diffie & Hellman key exchange protocol [2] was the first approach in this direction. After then, several key exchange protocols [3,4,5,6] based on traditional public key infrastructure (PKI) were proposed to avoid man-in-middle (MIM) attack. The use of modular exponentiation in PKI led towards PKI’s inapplicability in resource constrained environments like smart phones, smadrcards etc. Therefore, research efforts then have focused on lightweight Elliptic Curve Cryptography (ECC) and some 2PAKA protocols based on ECC [7,8,9] were proposed. The ECC-based 2PAKA protocols require less computation and storage with same level of security, due to the use of 160 bits key in ECC instead of 1024 bits key in Rivest, Shamir, and Adleman (RSA) algorithm. The ECC-based 2PAKA protocols require a trusted third party, called certificate authority(CA), to manage and generate certificates. It also validates and generates public keys of users.

In 1989, Gunther et al. [10] proposed a key exchange protocol based on user’s identity. The protocol in [10] requires the intervention of certificate authority for establishing a secure channel between two users. In 2000 Saeedina [11] proposed the improvement over Gunther et al.’s identity-based key exchange protocol. The modified scheme overcomes the number of passes to half, and so minimize the communication between the parties. In 2002, Hsieh et al. [12] proposed a slight modification of Saeednia’s identity-based key exchange protocol to reduce computation cost. However, Tseng et al. [9] demonstrated that the scheme proposed by Hiesh et al. cannot withstand key compromise impersonation attack (KCIA). Holbl and Welzer [13] proposed two new two-party identity-based authenticated key agreement protocols.The first is based on the protocol of Hsieh et al. to make it immune against KCIA, while the second is an efficient enhancement of Tseng’s protocol. Zhang et al. [14] proved that the protocols proposed in [13] cannot resist impersonation attack as well as KCIA. Smart [15] proposed another identity based key agreement protocol using weil pairing. Chen and Kudla [16] and Shim [17] independently purposed authenticated key agreement (AKA) protocols. Sun and Hsieh [18] proved that both the protocols [16,17] are vulnerable to KCIA and man-in-middle (MIM) attacks. Ryu et al. [19] also proposed another protocol and demonstrated that their protocol minimizes the cost of computation and communication and is more efficient than Chen and Kudla’s protocol with same security properties. Boyd and Choo [20] showed that the Ryu et al.’s protocol could not achieve the KCIA resilience properties. McCullagh and Barreto [21] claimed that their protocol can be used in either escrow or escrow-less mode. They also described conditions under which users of different key generation centers can agree on a shared secret key. In 2005 Zu-hua et al. [22] proposed bilinear pairing based self-certified protocol using computational Diffie-Hellman assumption. Ni et al. [23] also presented two secure variants of their proposal.

In 2008 Cao et al. [24] put forwarded a new identity-based authentication key agreement protocol and claimed it to achieve forward secrecy. Tsaur [25] also proposed an ECC-based self-certified public key cryptosystem based AKA and their protocol achieved session and public keys in a single step. In 2009 Hölbl and Welzer [26] proposed two new identity-based 2PAKA protocols but their scheme were proved to be vulnerable to key compromise impersonation attacks. Their protocol do not offer provable security. Some other IBC-based 2PAKA protocols using ECC were also proposed [9,11,12,13,16,17,18,19,20,21,27,28,29,30], these protocols suffer from private key escrow problem because the private key is known as Private Key Generation (PKG) party. If the PKG is malicious with man-in-middle (MIM) attack then the whole protocol is suffered [31].

Motivations and Contribution

In 2015, Islam & Biswas (Islam-Biswas) [31] proposed a self certified ECC based key agreement protocol and claimed that their protocol provides security against all kinds of attacks. Mandal et al. [32] found that their protocol lacks anonymity and is defenseless against replay and clogging attacks [33]. However, in this paper we show that both the protocols of Islam-Biswas and Mandal et al. are insecure against key compromise impersonation attack (KCIA). Moreover, both protocols lack user anonymity. This paper then introduces a new scheme to overcome the insecurities of Islam-Biswas and Mandal et al.’s protocols. The proposed protocol achieves following merits:

• Proposed protocol resists KCIA and related attacks under the hardness assumption of Elliptic Curve Discrete Logarithm Problem ($ECDLP$).
• Proposed protocol achieves low computation and communication cost as compared with related secure schemes.

2. Fundamentals

This section describes some fundamental concepts relating to Hash Functions, Elliptic Curve Cryptography along with some hard problems. The adversarial model is also defined in this section. Moreover, notation guide is provided in

Table 1. Notation Guide.

Notation	Definition
${\mathcal{U}}_x$,$\mathcal{S}$	User x, Server
${\mathcal{D}}_a$,${\mathcal{D}}_b$	Device a and Device b
$I{D}_x$, $F_p$	Identity of ${\mathcal{U}}_x$, Prime Field
$E/F_p$, G	Elliptic Curve over $F_p$, Base Point over $E/F_p$
$K_{Pri}$, $K_{Pub}$	Private and public key pair of $\mathcal{S}$
$E_{ki},D_{ki}$	Encryption, Decryption using $ki$ as key
$||$, ⊕	Concatenation and Exclusive-Or operations
$h(.)$, $H(.)$, $H_i(.)$	Hash Functions
$\stackrel{?}{=}$	Equality Checking operator

.

2.1. Hash Function

The arbitrary size input $S_a$ to a hash function $H:{\{0,1\}}^{*}\to Z_q^{*}$ with collision resistant property yields a fixed length value $F_h=H(S_a)$ with following additional pre-requisit properties:

• A slight fluctuation in $S_a$ (the input), there is a massive change in output $F_h=H(S_a)$.
• Computing $F_h$, given $S_a$ is easy; whereas, computing $S_a$, given $F_h$ is a hard problem
• Finding a pair $\{S_a,S_b\}$ such that $H(S_a)=H(S_b)$ is a hard problem and this property is termed as collision resistance property (CRP).

Definition 1.

[CRP for Secure Hash] Given $H(.)$, an attacker $\mathcal{A}$ can compute an input pair $\{S_a,S_b\}$ such that $H(S_a)=H(S_b)$ with probability $Adv{g}_{\mathcal{A}}^{HASH}(t)=P[(S_a,S_b){\Leftarrow }_r\mathcal{A}:(S_a\ne S_b)andH(S_a)=H(S_b)]$. $\mathcal{A}$ is considered to select the pair at random. The computed advantage is based on polynomial-time t bound arbitrary choices. As per CRP $Adv{g}_{\mathcal{A}}^{HASH}(t)\le ϵ$ for $ϵ>0$.

2.2. Elliptic Curve Cryptography

Consider p (a very large prime, ($160bits\le |p|$), an Elliptic Curve $EC$: $j^2=i^3+\alpha i+\beta modp$ is a set with finite points $E_p(\alpha ,\beta )$. The pair $\{\alpha ,\beta \}$ is pragmatically selected to satisfy the relationship ($4{\alpha }^3+27{\beta }^2)modp\ne 0$. The point W multiplication with some chosen scalar a can be computed as $a.W=\{W+W+\dots \dots \dots +W\}$a times addition repeatedly. All system parameters are chosen from finite field $F_p$; whereas, $EC$ forms an abelian group with point O considered to be at infinity and described as additive identity.

Definition 2.

[ Discrete logarithm problem for EC (ECDLP)] Consider $\{V,W\}$ are two points over $E_p(\alpha ,\beta )$ such that $V=aW$, knowing the duo $\{(V=aW,W)\}$, the probability of computing a can be solicited as: $Adv{g}_{\mathcal{A}}^{ECDLP}(t)=P[(\mathcal{A}(V=aW,W)=a:a\in Z_p]$, the experiment is allowed to be conducted by a polynomial-time t bound attacker $\mathcal{A}$. As per $ECDLP$, $Adv{g}_{\mathcal{A}}^{ECDLP}(t)\le ϵ$.

Definition 3.

[ Diffie Hellman problem for EC (ECDHP)]Consider $\{V,W,G\}$ are three points over $E_p(\alpha ,\beta )$ such that $V=aG$, $W=bG$ and knowing the trio $\{(V=aG,W=bG),G\}$, the probability of computing $X=abG$ can be solicited as: $Adv{g}_{\mathcal{A}}^{ECDHP}(t)=P[(\mathcal{A}(V=aG,W=bG,G)=\{a,b\}:(a,b)\in Z_p]$, the experiment is allowed to be conducted by a polynomial-time t bound attacker $\mathcal{A}$. As per $ECDHP$, $Adv{g}_{\mathcal{A}}^{ECDHP}(t)\le ϵ$.

2.3. Attacker Model

The authenticated key agreement is achieved over an insecure networks, assuming a strong attacker having many capabilities [34,35]. Some common assumptions related with attackers’ capabilities are made as follows:

• The adversary $\mathcal{A}$ is having access to public keys of both parties.
• $\mathcal{A}$ knows public identities of all users of the system.
• $\mathcal{A}$ can control the insecure communication channel, precisely $\mathcal{A}$ can eavesdrop, inject, delete or replay any message, while $\mathcal{A}$ can not have any access to secure channel.

3. Review of Islam-Biswas Protocol

In this section, we review Islam-Biswas 2PAKA protocol [31] consisting of three phases: system setup, registration and authenticated key agreement phase, the detail of each phase is as follows:

3.1. System Setup Phase

In system setup phase, the server ($\mathcal{S}$) initializes the system parameter Ω. Initially $\mathcal{S}$ chooses a security parameter $k\in Z^{+}$ along with an elliptic curve $E/F_p$, then $\mathcal{S}$ selects a base point G over $E/F_p$. Further $\mathcal{S}$ selects $K_{Pri}$ as his private key and computes $K_{Pub}=K_{Pri}G$ and chooses three one-way hash functions $H_0,H_1,H_2:{\{0,1\}}^{*}\to {\{0,1\}}^k$. Finally $\mathcal{S}$ publishes all public parameters $\mathsf{\Omega }=\{E/F_p,H_0,H_1,H_2,G,K_{Pub}\}$ and keeps $K_{Pri}$ secret.

3.2. Registration Phase

This phase is executed when a user ${\mathcal{U}}_a$ wants to register with server. ${\mathcal{U}}_a$ selects his identity $I{D}_a$ and a random number $x_a{\in }_R{Z}_p^{*}$, then ${\mathcal{U}}_a$ computes $X_a=H_0(I{D}_a\parallel x_a)G$ and sends $I{D}_a,X_a$ to $\mathcal{S}$ via some secure channel, which selects $t_a{\in }_R{Z}_p^{*}$ upon receiving a message from ${\mathcal{U}}_a$. $\mathcal{S}$ then computes $P_a=H_0(I{D}_a\parallel t_a)K_{Pub}+X_a$, $r_a=[H_0(I{D}_a\parallel t_a)+H_0(I{D}_a\parallel P_a)]K_{Pri}$ and $Q_a=P_a+H_0(I{D}_a\parallel P_a)K_{Pub}$. $\mathcal{S}$ sends $(I{D}_a,P_a,r_a)$ to $\mathcal{U}$ via some secure channel and publishes $Q_a$. Upon receiving, ${\mathcal{U}}_a$ computes his private key $d_a=[r_a+H_0(I{D}_a\parallel x_a)]$, the public key of ${\mathcal{U}}_a$ is $d_{a}G=Q_a$.

3.3. Authenticated Key Agreement Phase

This phase takes place when two users say ${\mathcal{U}}_i$ and ${\mathcal{U}}_j$ want to exchange information and ${\mathcal{U}}_i$ initiates the process. The following steps as shown in Figure 2 are performed among ${\mathcal{U}}_i$ and ${\mathcal{U}}_j$.

IKA 1: 

${\mathcal{U}}_i\to {\mathcal{U}}_j:m_j\{I{D}_i,T_i,R_i\}$

${\mathcal{U}}_i$ selects $x{\in }_R{Z}_p^{*}$ and computes $T_i=x{Q}_i$ & $R_i=H_1(T_i\parallel d_i{Q}_j)$, ${\mathcal{U}}_i$ then sends $I{D}_i,T_i,R_i$ to ${\mathcal{U}}_j$.

IKA 2: 

${\mathcal{U}}_j\to {\mathcal{U}}_i:m_i=\{I{D}_j,T_j,R_j\}$

${\mathcal{U}}_j$ selects $y{\in }_R{Z}_p^{*}$ and computes $T_j=y{Q}_j$ & $R_j=H_1(T_j\parallel d_j{Q}_i)$, ${\mathcal{U}}_j$ then sends $I{D}_j,T_j,R_j$ to ${\mathcal{U}}_i$.

IKA 3: 

Now the authenticated key is computed as follows:

• ${\mathcal{U}}_i$ computes $R_j^{*}=H_1(T_j\parallel d_i{Q}_j)$ and verifies $R_j^{*}\stackrel{?}{=}{R}_j$, if not true, ${\mathcal{U}}_i$ aborts the session, otherwise the key is computed as: $K_i=(x{d}_i)T_j=xy{d}_i{d}_{j}G$.
• Similarly ${\mathcal{U}}_j$ computes $R_i^{*}=H_1(T_i\parallel d_j{Q}_i)$ and verifies $R_i^{*}\stackrel{?}{=}{R}_i$, if not true, ${\mathcal{U}}_j$ aborts the session, otherwise the key is computed as: $K_j=(y{d}_j)T_i=xy{d}_i{d}_{j}G$.

4. Review of Mandal et al.’s Protocol

In this section, we review Mandal et al.’s 2PAKA protocol [32] consisting of three phases: system setup, registration and authenticated key agreement phase. The system setup phase is as it is taken from Islam-Biswas protocol, except Mandal et al. just selected one hash function $H(.)$ instead of three in Islam-Biswas protocol. The detail of other two phases is as follows:

4.1. Registration Phase

This phase is executed when a user ${\mathcal{U}}_a$ wants to register with server. ${\mathcal{U}}_a$ selects his identity $I{D}_a$ and a random number $x_a{\in }_R{Z}_p^{*}$, then ${\mathcal{U}}_a$ computes $X_a=H(I{D}_a\parallel x_a)G$ and sends $\{I{D}_a,X_a\}$ to $\mathcal{S}$ via some secure channel, which selects $k_a{\in }_R{Z}_p^{*}$ upon receiving a message from ${\mathcal{U}}_a$. $\mathcal{S}$ then computes $V_a=H(I{D}_a\parallel k_a)K_{Pri}$, $TI{D}_a=X_a\oplus V_a$, $W_a=X_a\oplus k_{a}G$ and $X_{sa}=H(TI{D}_a\parallel W_a)K_{Pri}\oplus k_a$. $\mathcal{S}$ sends $\{I{D}_a,TI{D}_a,W_a,X_{sa}\}$ to ${\mathcal{U}}_a$ via some secure. Upon receiving, ${\mathcal{U}}_a$ computes his private key $d_a=X_{sa}\oplus H(I{D}_a\parallel x_a)$, and public key $Q_a=d_{a}G$. ${\mathcal{U}}_a$ checks the validity/correctness of public private key pair as $d_a.G\stackrel{?}{=}[H(TI{D}_a||W_a)K_{Pub}\oplus W_a]$. On successful verification, ${\mathcal{U}}_a$ keeps $d_a$ secret and publishes $Q_a$.

4.2. Authenticated Key Agreement Phase

This phase takes place when two users say ${\mathcal{U}}_i$ and ${\mathcal{U}}_j$ want to exchange information and ${\mathcal{U}}_i$ initiates the process. The following steps as shown in Figure 3 are performed among ${\mathcal{U}}_i$ and ${\mathcal{U}}_j$.

MKA 1: 

${\mathcal{U}}_i\to {\mathcal{U}}_j:m_i=\{N_i,t_i,C_i\}$

${\mathcal{U}}_i$ selects $N_i{\in }_R{Z}_p^{*}$, generate $t_i$ and computes $W_1=TI{D}_i\oplus W_i$, $Z_i=H(x_i)$, $Ke{y}_i=H(d_i{Q}_j||N_i||t_i)$, $M_1=H(W_1||Ke{y}_i||N_i||Z_1)$ and $Z_1=Z_i\oplus M_1$. ${\mathcal{U}}_i$ then compute encryption as: $C_i=E_{Ke{y}_i}(TI{D}_i||M_1||Z_1||W_i||N_i||t_i)$ and sends $m_i=\{N_i,t_i,C_i\}$ to ${\mathcal{U}}_j$.

MKA 2: 

${\mathcal{U}}_j\to {\mathcal{U}}_i:m_j=\{N_j,t_j,Z_2,C_j\}$

On receiving a message, ${\mathcal{U}}_j$ checks the time-stamp freshness and aborts the session if $t_c-t_i\le T$, does not hold. Otherwise, ${\mathcal{U}}_j$ computes $Ke{y}_i^{\prime }=H(d_j{Q}_i||N_i||t_i)$ and decrypts $C_i$ using key $Ke{y}_i^{\prime }$ to obtain $(TI{D}_i||M_1||Z_1||W_i||N_i||t_i)$. ${\mathcal{U}}_j$ further computes $W_1^{\prime }=TI{D}_i\oplus W_i$, $M_1^{\prime }=H(W_1||Ke{y}_i||N_i||Z_1)$ and aborts the session if $M_1^{\prime }\stackrel{?}{=}{M}_1$, does not hold. Otherwise, ${\mathcal{U}}_j$ computes $Z_i^{\prime }=Z_1\oplus M_1^{\prime }$ and selects $N_j{\in }_R{Z}_p^{*}$ and current time-stamp $t_j$ and further computes $Z_j=H(x_j)$, $Z_2=Z_j\oplus M_1^{\prime }$, $Ke{y}_j=H(Z_i^{\prime }{Z}_j||N_j||t_j)$, $W_2=TI{D}_j\oplus W_j$, $M_2=H(W_2||Ke{y}_j||N_j||Z_2)$. ${\mathcal{U}}_j$ then computes session key $S{K}_{xy}=H(TI{D}_i||TI{D}_j||Z_i^{\prime }{Z}_j{d}_j{Q}_i||ke{y}_i^{\prime }||ke{y}_j||M_1^{\prime }||M_2||N_i||N_j)$ and $C_j=E_{Ke{y}_j}(TI{D}_j||M_2||W_j||N_j||t_j)$ and sends back $m_j=\{N_j,t_j,Z_2,C_j\}$ to ${\mathcal{U}}_j$.

MKA 3: 

On receiving a message, ${\mathcal{U}}_i$ checks the time-stamp freshness and aborts the session if $t_c-t_j\le \Delta T$, does not hold. Otherwise, ${\mathcal{U}}_i$ computes $Z_j^{\prime }=Z_2\oplus M_1$, $Ke{y}_j^{\prime }=H(Z_i{Z}_j^{\prime }||N_j||t_j)$ and decrypts $C_j$ using $Ke{y}_j^{\prime }$ to obtain $(TI{D}_j||M_2||W_j||N_j||t_j)$. Further ${\mathcal{U}}_i$ computes $W_2^{\prime }=TI{D}_j\oplus W_j$, $M_2^{\prime }=H(W_2^{\prime }||Ke{y}_j^{\prime }||N_j||Z_2)$ and aborts the session if $M_2^{\prime }\stackrel{?}{=}{M}_2$, does not hold. Otherwise, ${\mathcal{U}}_i$ considers ${\mathcal{U}}_j$ is authenticated and computes session key $S{K}_{xy}=H(TI{D}_i||TI{D}_j||Z_i{Z}_j^{\prime }{d}_i{Q}_j||ke{y}_i||ke{y}_j^{\prime }||M_1||M_2^{\prime }||N_i||N_j)$.

5. Weakness of Existing Protocols

In this section, firstly we perform cryptanalysis of Islam-Biswas protocol to show its weaknesses and then we perfom the cryptanalysis of Mandal et al.’s protocol. The following subsections show that both the protocols of Islam-Biswas and Mandal et al. are vulnerable to key compromise impersonation attack, and lack of user anonymity.

5.1. Key Compromise Impersonation Attack on Islam-Biswas Protocol

By key compromise impersonation attack, if an active adversary is able to get access to a user’s (e.g., ${\mathcal{U}}_i$) long term private key, then he can masquerade himself as an other user (e.g., ${\mathcal{U}}_j$) to the victim. In this subsection, we show that Islam-Biswas protocol is vulnerable to key compromise impersonation attack. An active adversary can mount this attack to share a session key with a peer. Let $\mathcal{A}$ be an attacker who wants to impersonate as a legal user ${\mathcal{U}}_i$ to another legal user ${\mathcal{U}}_j$. For successful impersonation, the steps performed between $\mathcal{A}$ and ${\mathcal{U}}_j$ are described as follows:

Step KCI 1: 

$\mathcal{A}$ computes:

$$\begin{array}{cc}\hfill T_i^{\prime }& =G\hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill R_i^{\prime }& =H_1(T_i^{\prime }\parallel d_j{Q}_i)\hfill \end{array}$$

(2)

Then $\mathcal{A}$ sends $(I{D}_i,T_i^{\prime },R_i^{\prime })$ to ${\mathcal{U}}_j$.

Step KCI 2: 

Upon receiving the message ${\mathcal{U}}_j$ selects $y{\in }_R{Z}_p^{*}$, and computes ${\mathcal{U}}_j$

$$\begin{array}{cc}\hfill T_j& =y{Q}_j\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill R_j& =H_1(T_j\parallel d_j{Q}_i)\hfill \end{array}$$

(4)

Further ${\mathcal{U}}_j$ sends $(I{D}_j,T_j,R_j)$ to ${\mathcal{U}}_i$.

Step KCI 3: 

$\mathcal{A}$ intercepts the message and computes

$$\begin{array}{cc}\hfill R_j^{*}& =H_1(T_j\parallel d_j{Q}_i)\hfill \end{array}$$

(5)

and verifies

$$\begin{array}{cc}\hfill R_j^{*}& \stackrel{?}{=}{R}_j\hfill \end{array}$$

(6)

Then $\mathcal{A}$ computes:

$$\begin{array}{cc}\hfill K& =K_i^{\prime }=(d_j)T_j=y{d}_{j}G\hfill \end{array}$$

(7)

$$\begin{array}{cc}\hfill SK& =H_2(I{D}_i\parallel I{D}_j\parallel T_i^{\prime }\parallel T_j\parallel R_i^{\prime }\parallel R_j\parallel K)\hfill \end{array}$$

(8)

Similarly ${\mathcal{U}}_j$ computes:

$$\begin{array}{cc}\hfill R_i^{*}& =H_1(T_i^{\prime }\parallel d_j{Q}_i)\hfill \end{array}$$

(9)

and verifies

$$\begin{array}{cc}\hfill R_i^{*}& \stackrel{?}{=}{R}_i^{\prime }\hfill \end{array}$$

(10)

If Equation (10) does not hold, ${\mathcal{U}}_j$ aborts the session, otherwise ${\mathcal{U}}_j$ believes the party on other side is ${\mathcal{U}}_i$ and computes:

$$\begin{array}{cc}\hfill K& =K_j=(y{d}_j)T_i^{\prime }=y{d}_{j}G\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill SK& =H_2(I{D}_i\parallel I{D}_j\parallel T_i^{\prime }\parallel T_j\parallel R_i^{\prime }\parallel R_j\parallel K)\hfill \end{array}$$

(12)

Proposition 1.

In Islam-Biswas protocol, upon execution of key compromise impersonation attack, user ${\mathcal{U}}_j$ accepts adversary $\mathcal{A}$ as another user ${\mathcal{U}}_i$ and $\mathcal{A}$ shares the session key with ${\mathcal{U}}_j$ on behalf of ${\mathcal{U}}_i$.

Proof. 

$\mathcal{A}$ initiates the key compromise impersonation attack by computing $T_i^{\prime }=G$ and $R_i^{\prime }=H_1(T_i^{\prime }\parallel d_j{Q}_i)$, then $\mathcal{A}$ sends $I{D}_i,T_i^{\prime },R_i^{\prime }$ to ${\mathcal{U}}_j$, which believes the other party is legal ${\mathcal{U}}_i$ if Equation (10) holds. ${\mathcal{U}}_j$ computes $R_i^{*}$ in Equation (9), which is equal to $R_i^{\prime }$ computed by $\mathcal{A}$ in Equation (2). Hence $\mathcal{A}$ is believed to be ${\mathcal{U}}_i$ by ${\mathcal{U}}_j$. The session key computed by both $\mathcal{A}$ and ${\mathcal{U}}_j$ is also same, as $\mathcal{A}$ computed session key $SK$ in Equation (8) which is exactly the same as computed by ${\mathcal{U}}_j$ in Equation (12). Hence, $\mathcal{A}$ has successfully launched KCIA on Islam-Biswas’s protocol. □

5.2. Key Compromise Impersonation Attack on Mandal et al.’s Protocol

This subsection shows that the protocol of Mandal et al. is also vulnerable to Key Compromise Impersonation Attack (KCIA). Let $\mathcal{A}$ be an attacker who wants to impersonate as a legal user ${\mathcal{U}}_i$ to another legal user ${\mathcal{U}}_j$. For successful impersonation, the steps performed between $\mathcal{A}$ and ${\mathcal{U}}_j$ are simulated as follows:

KCM 1: 

$\mathcal{A}$ randomly selects $N_a,TI{D}_a,W_a,Z_a{\in }_R{Z}_p^{*}$, generates $t_a$ and computes:

$$\begin{array}{cc}\hfill & W_1=TI{D}_a\oplus W_a\hfill \end{array}$$

(13)

$$\begin{array}{cc}\hfill & Ke{y}_a=H(d_j{Q}_i||N_a||t_a)\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill & M_1=H(W_1||Ke{y}_a||N_a||Z_1)\hfill \end{array}$$

(15)

$$\begin{array}{cc}\hfill & Z_1=Z_a\oplus M_1\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill & C_a=E_{Ke{y}_a}(TI{D}_a||M_1||Z_1||W_a||N_a||t_a)\hfill \end{array}$$

(17)

$\mathcal{A}$ sends $m_a=\{N_a,t_a,C_a\}$ to ${\mathcal{U}}_j$.

KCM 2: 

On receiving a message, ${\mathcal{U}}_j$ checks the time-stamp freshness and aborts the session if $t_c-t_a\le \Delta T$, does not hold. ${\mathcal{U}}_j$ then computes:

$$\begin{array}{cc}\hfill & Ke{y}_a^{\prime }=H(d_j{Q}_i||N_a||t_a)\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill & (TI{D}_a||M_1||Z_1||W_a||N_a||t_a)=D_{Ke{y}_a^{\prime }}(C_a)\hfill \end{array}$$

(19)

$$\begin{array}{cc}\hfill & W_1^{\prime }=TI{D}_a\oplus W_a\hfill \end{array}$$

(20)

$$\begin{array}{cc}\hfill & M_1^{\prime }=H(W_1||Ke{y}_a||N_a||Z_1)\hfill \end{array}$$

(21)

${\mathcal{U}}_j$ then checks:

$$\begin{array}{cc}\hfill & M_1^{\prime }\stackrel{?}{=}{M}_1\hfill \end{array}$$

(22)

Upon success, ${\mathcal{U}}_j$ selects $N_j{\in }_R{Z}_p^{*}$ and $t_j$ and computes:

$$\begin{array}{cc}\hfill & Z_a^{\prime }=Z_1\oplus M_1^{\prime }\hfill \end{array}$$

(23)

$$\begin{array}{cc}\hfill & Z_j=H(x_j)\hfill \end{array}$$

(24)

$$\begin{array}{cc}\hfill & Z_2=Z_j\oplus M_1^{\prime }\hfill \end{array}$$

(25)

$$\begin{array}{cc}\hfill & Ke{y}_j=H(Z_a^{\prime }{Z}_j||N_j||t_j)\hfill \end{array}$$

(26)

$$\begin{array}{cc}\hfill & W_2=TI{D}_j\oplus W_j\hfill \end{array}$$

(27)

$$\begin{array}{cc}\hfill & M_2=H(W_2||Ke{y}_j||N_j||Z_2)\hfill \end{array}$$

(28)

$$\begin{array}{cc}\hfill & S{K}_{xy}=H(TI{D}_a||TI{D}_j||Z_a^{\prime }{Z}_j{d}_j{Q}_a||ke{y}_a^{\prime }||ke{y}_j||M_1^{\prime }||M_2||N_a||N_j)\hfill \end{array}$$

(29)

$$\begin{array}{cc}\hfill & C_j=E_{Ke{y}_j}(TI{D}_j||M_2||W_j||N_j||t_j)\hfill \end{array}$$

(30)

${\mathcal{U}}_j$ sends back $m_j=\{N_j,t_j,Z_2,C_j\}$ to ${\mathcal{U}}_i$.

KCM 3: 

$\mathcal{A}$ intercepts the messages and computes:

$$\begin{array}{cc}\hfill & Z_j^{\prime }=Z_2\oplus M_1\hfill \end{array}$$

(31)

$$\begin{array}{cc}\hfill & (TI{D}_j||M_2||W_j||N_j||t_j)=D_{Ke{y}_j^{\prime }}(C_j)\hfill \end{array}$$

(32)

$$\begin{array}{cc}\hfill & W_2^{\prime }=TI{D}_j\oplus W_j\hfill \end{array}$$

(33)

$$\begin{array}{cc}\hfill & M_2^{\prime }=H(W_2^{\prime }||Ke{y}_j^{\prime }||N_j||Z_2)\hfill \end{array}$$

(34)

$\mathcal{A}$ then computes session key as:

$$\begin{array}{cc}\hfill & S{K}_{xy}=H(TI{D}_a||TI{D}_j||Z_a{Z}_j^{\prime }{d}_j{Q}_i||ke{y}_a||ke{y}_j^{\prime }||M_1||M_2^{\prime }||N_a||N_j)\hfill \end{array}$$

(35)

Proposition 2.

In Mandal et al.’s protocol, upon execution of key compromise impersonation attack, user ${\mathcal{U}}_j$ accepts adversary $\mathcal{A}$ as another user ${\mathcal{U}}_i$ and $\mathcal{A}$ shares the session key with ${\mathcal{U}}_j$ on behalf of ${\mathcal{U}}_i$.

Proof. 

$\mathcal{A}$ initiates the key compromise impersonation attack by computing $W_1,Ke{y}_a,M_1,Z_1$ and $C_a$ then $\mathcal{A}$ sends $\{N_a,t_a,C_a\}$ tuple to ${\mathcal{U}}_j$, which believes the other party is legal ${\mathcal{U}}_i$ if Equation (22) holds. The security of the protocol relies on the computation of $Ke{y}_a$, if $Ke{y}_a$ is computed same on both sides, then decryption of $C_a$ on ${\mathcal{U}}_j$ will be same as computed by $\mathcal{A}$. Therefore, $M_1$ computed in Equation (15) by $\mathcal{A}$ and in Equation (21) by ${\mathcal{U}}_j$ will also be same. Hence Equation (22) will hold true. ${\mathcal{U}}_j$ computes $Ke{y}_a^{\prime }$ in Equation (18), which is equal to $Ke{y}_a$ computed by $\mathcal{A}$ in Equation (14). Therefore, Equation (22) holds. Hence, $\mathcal{A}$ is believed to be ${\mathcal{U}}_i$ by ${\mathcal{U}}_j$. The session key computed by both $\mathcal{A}$ and ${\mathcal{U}}_j$ is also same, as $\mathcal{A}$ computed session key $SK$ in Equation (35) which is exactly the same as computed by ${\mathcal{U}}_j$ in Equation (29). Hence, $\mathcal{A}$ has successfully launched KCIA on Mandal et al.’s protocol. ☐

5.3. Lacking User Anonymity

Both the protocols of Islam-Biswas and Mandal et al., lack user anonymity and privacy. The former did not claim to provide anonymity, whereas, latter claimed to provide it. However, after a careful analysis, it is revealed that their protocol lacks anonymity. Our analysis is simulated as follows:

After computing $W_1,Ke{y}_i,M_1,Z_1$ and $C_a$, the ${\mathcal{U}}_i$ sends $\{N_i,t_i,C_i\}$ tuple to ${\mathcal{U}}_j$. ${\mathcal{U}}_j$ after verification of freshness computes:

$$\begin{array}{c}Ke{y}_i^{\prime }=H(d_j{Q}_i||N_i||t_i)\hfill \end{array}$$

(36)

The computation of Equation (36) requires the public key $Q_i$ of the user ${\mathcal{U}}_i$. However, the received message $\{N_i,t_i,C_i\}$ does not contain any information to identify the requesting user. Therefore, the protocol will not work. The authors in this paper consider it a typographical mistake and the complete request message may be $\{N_i,t_i,C_i,I{D}_i\}$, because in other case, the protocol is incorrect and cannot complete the authentication process. As per the valid assumption made by authors, the protocol of Mandal et al. does not provide user anonymity.

6. Proposed Protocol

This section briefly explains the proposed protocol designed specifically to resist key compromise impersonation attack (KCIA). The proposed protocol is based on ECC and self certified keys and resist all known attacks. The proposed protocol involves two entities: (1) The server is responsible for registration of the devices and assigns certificates to each of the device, the server is assumed to be trusted, (2) the communicating devices after getting certificate from server can establish secure connection with each other without intervention of server or any other party. Following subsections explains the proposed methodology:

6.1. Setup Phase

In system setup phase, the server ($\mathcal{S}$) initializes the system parameter Ω. Initially $\mathcal{S}$ chooses a security parameter $k\in Z^{+}$ along with an elliptic curve $E/F_p$, then $\mathcal{S}$ selects a base point G over $E/F_p$. Further $\mathcal{S}$ selects $K_{Pri}$ as his private key and computes $K_{Pub}=K_{Pri}G$ and chooses a one way hash functions $H:{\{0,1\}}^{*}\to {\{0,1\}}^k$. Finally $\mathcal{S}$ publishes all public parameters $\mathsf{\Omega }=\{E/F_p,H,G,K_{Pub}\}$ and keeps $K_{Pri}$ secret.

6.2. Registration Phase

This phase is very similar to the corresponding phase of Islam et al.’s protocol and is initiated by a device ${\mathcal{D}}_a$, when ${\mathcal{D}}_a$ wants to register with $\mathcal{S}$. ${\mathcal{D}}_a$ selects his identity $I{D}_a$ and a random number $x_a{\in }_R{Z}_p^{*}$, then ${\mathcal{D}}_a$ computes $X_a=H(I{D}_a\parallel x_a)G$ and sends $I{D}_a,X_a$ to $\mathcal{S}$ via some secure channel, which selects $t_a{\in }_R{Z}_p^{*}$ upon receiving a message from ${\mathcal{D}}_a$. $\mathcal{S}$ then computes $P_a=H(I{D}_a\parallel t_a)K_{Pub}+X_a$, $r_a=[H(I{D}_a\parallel t_a)+H(I{D}_a\parallel P_a)]K_{Pri}$ and $Q_a=P_a+H(I{D}_a\parallel P_a)K_{Pub}$. $\mathcal{S}$ sends $(I{D}_a,P_a,r_a)$ to ${\mathcal{D}}_a$ via some secure channel and publishes $Q_a$. Upon receiving, ${\mathcal{D}}_a$ computes his private key $d_a=[r_a+H(I{D}_a\parallel x_a)]$, the public key of ${\mathcal{D}}_a$ is $d_{a}G=Q_a$. The registration phase is also illustrated in Figure 4. The private key of ${\mathcal{D}}_a$ can be verified as follows:

$$\begin{array}{cc}\hfill d_{a}G& =[r_a+H(I{D}_a\parallel x_a)]G\hfill \\ & =[[H(I{D}_a\parallel t_a)+H(I{D}_a\parallel P_a)]K_{Pri}+H(I{D}_a||X_a)]G\hfill \\ & =[H(I{D}_a\parallel t_a)K_{Pub}+H(I{D}_a\parallel P_a)K_{Pub}+H(I{D}_a||X_a)G\hfill \\ & =P_a+H(I{D}_a||P_a)K_{Pub}\hfill \\ & =Q_a\hfill \end{array}$$

(37)

6.3. Authenticated Key Agreement Phase

In proposed scheme, a device say ${\mathcal{D}}_i$ initiates the process to exchange authenticated key with peer say ${\mathcal{D}}_j$. Following steps as shown in Figure 5 are performed among ${\mathcal{D}}_i$ and ${\mathcal{D}}_j$:

PKA 1: 

${\mathcal{D}}_i\to {\mathcal{D}}_j:m_{i1}=\{AI{D}_i,{\tau }_i,{\gamma }_i,t_i\}$

${\mathcal{D}}_i$ selects $x{\in }_R{Z}_p^{*}$, generates $t_i$ and computes ${\tau }_i=xG$, ${\alpha }_i=x{Q}_j$, $AI{D}_i={\alpha }_i\oplus I{D}_i$ and ${\gamma }_i=H({\alpha }_i||{\tau }_i||I{D}_i||I{D}_j||t_i)$. Then ${\mathcal{D}}_i$ sends $m_{i1}=\{AI{D}_i,{\tau }_i,{\gamma }_i{t}_i\}$ to ${\mathcal{D}}_j$.

PKA 2: 

${\mathcal{D}}_j\to {\mathcal{D}}_i:m_j=\{AI{D}_j,{\tau }_j,R_j,t_j\}$

On receiving request message, ${\mathcal{D}}_j$ aborts the session if $t_c-t_i\le \Delta T$. Otherwise, ${\mathcal{D}}_j$ computes ${\alpha }_i=d_j{\tau }_i$, $I{D}_i=AI{D}_i\oplus {\alpha }_i$ and aborts the session if ${\gamma }_i\ne H({\alpha }_i||{\tau }_i||I{D}_i||I{D}_j||t_i)$. Otherwise, ${\mathcal{D}}_j$ selects $y{\in }_R{Z}_p^{*}$, generates $t_j$ and computes ${\tau }_j=yG$, $K=K_j=y{Q}_i+d_j{\tau }_i$, $AI{D}_j={\alpha }_i\oplus I{D}_j$, $R_j=H(K||{\alpha }_i||{\tau }_i||{\tau }_j||I{D}_i||I{D}_j||t_j)$. The ${\mathcal{D}}_j$ sends $m_j=\{AI{D}_j,{\tau }_j,R_j,t_j\}$ to ${\mathcal{D}}_i$.

PKA 3: 

${\mathcal{D}}_i\to {\mathcal{D}}_j:m_{i2}=\{R_i\}$

After receiving the reply, ${\mathcal{D}}_i$ aborts the session if $t_c-t_j\le \Delta T$. Otherwise, ${\mathcal{D}}_i$ computes $I{D}_j=AI{D}_j\oplus {\alpha }_i$, $K=K_i=x{Q}_j+d_i{\tau }_j$ and checks $R_j\stackrel{?}{=}H(K||{\alpha }_i||{\tau }_i||{\tau }_j||I{D}_i||I{D}_j||t_j)$, continues to compute $SK=H(I{D}_i\parallel I{D}_j\parallel {\tau }_i\parallel {\tau }_j\parallel K)$ and $R_i=H(SK||I{D}_i||I{D}_j||K)$, if the equality holds. The ${\mathcal{D}}_i$ sends $m_{i2}=\{R_i\}$ to ${\mathcal{D}}_j$.

PKA 4: 

${\mathcal{D}}_j$ on receiving $m_{i2}$ computes $SK=H(I{D}_i\parallel I{D}_j\parallel {\tau }_i\parallel {\tau }_j\parallel K)$ and verifies $R_i\stackrel{?}{=}H(SK||I{D}_i||I{D}_j||K)$. ${\mathcal{D}}_j$ terminates the session on failure and keeps $SK$ as session key upon success.

7. Security Analysis

In this section the security of proposed protocol under the attack model of automated tool Scyther is performed, backed by the security requirements discussion. This section also provides a security features comparison of the proposed and existing protocols [13,31,32,36,37] in

Table 2. Security Comparison table.

Features→	${\mathcal{RF}}_1$	${\mathcal{RF}}_2$	${\mathcal{RF}}_3$	${\mathcal{RF}}_4$	${\mathcal{RF}}_5$	${\mathcal{RF}}_6$	${\mathcal{RF}}_7$	${\mathcal{RF}}_8$	${\mathcal{RF}}_9$	${\mathcal{RF}}_{10}$
Protocols↓
Ours	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓
[13]	✗	✗	✓	✓	✓	✓	✓	✗	✓	✓
[36]	✓	✗	✓	✓	✓	✓	✓	✗	✓	✓
[37]	✓	✗	✓	✓	✓	✓	✓	✗	✓	✓
[31]	✗	✗	✓	✓	✓	✓	✓	✓	✓	✓
[32]	✗	✗	✓	✓	✓	✓	✓	✓	✓	✗

Note: ${\mathcal{RF}}_1$: Key Compromise Impersonation Attack; ${\mathcal{RF}}_2$: device Anonymity; ${\mathcal{RF}}_3$: Man in Middle Attack; ${\mathcal{RF}}_4$: Known Key attack; ${\mathcal{RF}}_5$: Unknown Key Share Attack; ${\mathcal{RF}}_6$: Perfect Forward Secrecy; ${\mathcal{RF}}_7$: Known Session Specific Information Attack; ${\mathcal{RF}}_8$: Key Offset/Replicate Attack; ${\mathcal{RF}}_9$: No Key Control;${\mathcal{RF}}_{10}$: Replay Attack ✓: indicates that the scheme provides or is secure against that feature; ✗: indicates that the scheme does not provide or is insecure against that feature.

. Referring to Table 2, only the proposed schemes provide all security features, whereas all other protocols lacks device anonymity. The protocols [13,36,37] are insecure key replication (KRA/KOA) attack, the protocols [13,31,32] are insecure against Key compromise impersonation attack (KCIA). Protocol proposed by Islam-Biswas [31] is also insecure against replay attack. Following subsections provides detailed security analysis and security features provided by the proposed protocol:

7.1. Formal Security

To analyze formally, the security and privacy of the proposed protocol, following oracles are defined:

• $Revea{l}_h$: Execution of this oracle unconditionally yields $S_a$ out of $H(S_a)$.
• $Revea{l}_{dlp}$: Given the pair $\{V=a.W,W\}$, execution of this oracle unconditionally provides a.

Theorem 1.

The proposed device to device security protocol is secure for $\mathcal{A}$ - an attacker, to expose $I{D}_a$ of device ${\mathcal{D}}_a$, the parameter $K=y{Q}_i+d_j.{\tau }_i$, the session key $SK=H(I{D}_i||I{D}_j||{\tau }_i||{\tau }_j||K)$ shared between ${\mathcal{D}}_a$ and $\mathcal{S}$ under the hardness of $ECDLP$ and hash function is considered as a random oracle.

Proof. 

$\mathcal{A}$ is considered as an attacker with abilities to compute $I{D}_a$ of device ${\mathcal{D}}_a$, secretly computed parameter $K=y{Q}_i+d_j{\tau }_j$ and $SK=H(I{D}_i||I{D}_j||{\tau }_i||{\tau }_j||K)$ between ${\mathcal{D}}_a$ and ${\mathcal{D}}_b$. $\mathcal{A}$ simulates the oracles oracles $Revea{l}_h$ and $Revea{l}_{dlp}$ for the execution of the algorithmic experiment (Algorithm 1) $EXPE{1}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}$ against the two party device-to-device authenticated key agreement ($2DTDAKA$) protocol. The success probability of $EXPE{1}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}$ can be solicited as $Su{c}_{ex1}=|P[EXPE{1}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}=1]-1|$, where the advantage of $\mathcal{A}$ is $Advt{1}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}(t_f,q_{revH},q_{revD})=ma{x}_{\mathcal{A}}(Succ{e}_{ex1})$. The maximum allowed queries $\mathcal{A}$ can make are $q_{revH}$ and $q_{revD}$, for each of the oracles $Revea{l}_h$ and $Revea{l}_{dlp}$. Referring the simulation of $EXPE{1}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}$, $\mathcal{A}$ can compute $I{D}_a$, K and $SK$ if $\mathcal{A}$ has the abilities to (i) break one-way property of hash and (ii) Compute the hard $ECDLP$. As per Definition 1, inverting hash is hard problem; likewise, by Definition 2 solving ECDLP is also computationally infeasible for large parameter sizes ($geq160$ bits). Hence, proposed $2DTDAKA$ is unbreakable against disclosure of secretly computed parameter K, session key $SK$ and device identity $I{D}_a$. ☐

Algorithm 1$EXPE{1}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}$

1: Eavesdrop the Request $m_{i1}=\{AI{D}_i,{\tau }_i,{\gamma }_i,t_i\}$, Where $AI{D}_i={\alpha }_i\oplus I{D}_i$, ${\tau }_i=x.G$ and ${\gamma }_i=H({\alpha }_i||{\tau }_i||I{D}_i||I{D}_j||t_i)$ 2: Call $Revea{l}_{dlp}$ oracle on ${\tau }_i$ and G and get $x^{\prime }\leftarrow Revea{l}_{dlp}({\tau }_i,G)$ 3: Compute ${\alpha }_i^{\prime }=x^{\prime }.Q_j$ and $I{D}_i^{\prime }=AI{D}_i\oplus {\alpha }_i^{\prime }$ 4: Call $Revea{l}_h$ on ${\gamma }_i$ and get $({\alpha }_i^{{}^{\prime \prime }}||{\tau }_i^{\prime }||I{D}_i^{{}^{\prime \prime }}||I{D}_j^{\prime }||t_i^{\prime })\leftarrow Revea{l}_h({\gamma }_i)$ 5: if ($I{D}_i^{{}^{\prime \prime }}=I{D}_i^{{}^{\prime }}$ and $t_i==t_i^{{}^{\prime }}$ and ${\alpha }_i^{\prime }=={\alpha }_i^{{}^{\prime \prime }}$ ) then 6:  Accept $I{D}_i^{\prime }$ along-with session parameters $x^{\prime }$ and ${\tau }_i^{\prime }$ and 7:  Eavesdrop Challenge $m_j=\{AI{D}_j,{\tau }_j,R_j,t_j\}$, where $AI{D}_j={\alpha }_i\oplus I{D}_j$, ${\tau }_j=y.G$ and $R_j=H(K||{\alpha }_i||{\tau }_i||{\tau }_j||I{D}_i||I{D}_j||t_j)$ 8:  Compute $I{D}_j^{\prime }=AI{D}_j\oplus {\alpha }_i^{\prime }$ 9:  Call $Revea{l}_h$ on $R_j$ and get $(K^{\prime }||{\alpha }_i^{{}^{\prime \prime \prime }}||{\tau }_i^{{}^{\prime \prime }}||{\tau }_j^{\prime }||I{D}_i^{{}^{\prime \prime \prime }}||I{D}_j^{{}^{\prime \prime }}||t_j^{\prime })\leftarrow Revea{l}_h(R_j)$ 10:  if ($I{D}_j^{{}^{\prime }}=I{D}_j^{{}^{\prime \prime \prime }}$ and $t_j==t_i^{{}^{\prime }}$) then 11:   Accept $K^{\prime }$ and compute $S{K}^{\prime }=H(I{D}_i^{\prime }||I{D}_j^{\prime }||{\tau }_i^{\prime }||{\tau }_j^{\prime }||k^{\prime })$ 12:   Eavesdrop response $m_{i2}=\{R_i\}$ 13:   Call $Revea{l}_h$ on $R_i$ and get $(S{K}^{{}^{\prime \prime }}||I{D}_i^{{}^{\prime \prime \prime }}||I{D}_j^{{}^{\prime \prime \prime }}||K^{{}^{\prime \prime }})\leftarrow Revea{l}_h(R_i)$ 14:   if ($S{K}^{\prime }==S{K}^{{}^{\prime \prime }}$) then 15:    Accept $S{K}^{\prime }$ 16:   else 17:    return Fail 18:   end if 19:  else 20:   return Fail 21:  end if 22: else 23:  return Fail 24: end if

Theorem 2.

The proposed device to device security protocol is secure for $\mathcal{A}$ - an attacker, with access to private key of a registered device ${\mathcal{D}}_j$, to share a session key $SK$ with ${\mathcal{D}}_j$ on behalf of another registered device ${\mathcal{D}}_i$.

Proof. 

$\mathcal{A}$ having access to private key $d_j$ of registered device ${\mathcal{D}}_j$ is considered as competent enough to compute, secretly computed parameter $K=y{Q}_i+d_j{\tau }_i$ and $SK=H(I{D}_i||I{D}_j||{\tau }_i||{\tau }_j||K)$ between $\mathcal{A}$ (on behalf of ${\mathcal{D}}_i$ ) and ${\mathcal{D}}_b$. $\mathcal{A}$ simulates the oracles $Revea{l}_h$ and $Revea{l}_{dlp}$ for the execution of the algorithmic-experiment (Algorithm 2) $EXPE{2}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}$ against the 2 party device-to-device authenticated key agreement ($2DTDAKA$) protocol. The success probability of $EXPE{2}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}$ can be solicited as $Su{c}_{ex2}=|P[EXPE{1}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}=1]-1|$, where the advantage of $\mathcal{A}$ is $Advt{1}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}(t_f,q_{revH},q_{revD})=ma{x}_{\mathcal{A}}(Succ{e}_{ex2})$. The maximum allowed queries $\mathcal{A}$ can make are $q_{revH}$ and $q_{revD}$, for each of the oracles $Revea{l}_h$ and $Revea{l}_{dlp}$. Referring the simulation of $EXPE{2}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}$, $\mathcal{A}$ can compute K and $SK$ if $\mathcal{A}$ has the abilities to (i) break one-way property of hash and (ii) Compute the hard $ECDLP$. As per Definition 1, inverting hash is hard problem; likewise, by Definition 2 solving ECDLP is also computationally infeasible for large parameter sizes ($\ge 160$ bits). Therefor, proposed $2DTDAKA$ is unbreakable against disclosure of secretly computed parameter K and session key $SK$, given private key of victim and can resist KCIA. ☐

Algorithm 2$EXPE{2}_{\mathcal{A},2DTDAKA}^{ECDLP,HASH}$

Compute ${\tau }_i=x.G$, ${\alpha }_i=x.Q_j$, $AI{D}_i={\alpha }_i\oplus I{D}_i$ and ${\gamma }_i=H({\alpha }_i||{\tau }_i||I{D}_i||I{D}_j||t_i)$

2: Send $m_{i1}=\{AI{D}_i,{\tau }_i,{\gamma }_i,t_i\}$ to ${\mathcal{D}}_j$

4: Eavesdrop Challenge $m_j=\{AI{D}_j,{\tau }_j,R_j,t_j\}$, where $AI{D}_j={\alpha }_i\oplus I{D}_j$, ${\tau }_j=y.G$ and $R_j=H(K||{\alpha }_i||{\tau }_i||{\tau }_j||I{D}_i||I{D}_j||t_j)$

Compute $I{D}_j=AI{D}_j\oplus {\alpha }_i$

6: Call $Revea{l}_{dlp}$ oracle on ${\tau }_j$ and get $y^{\prime }\leftarrow Revea{l}_{dlp}({\tau }_j)$

Compute $K=x.Q_j+d_i.{\tau }_j=(x.Q_j+y^{\prime }.Q_i)$

8: Call $Revea{l}_h$ on $R_j$ and get $(K^{{}^{\prime }}||{\alpha }_i||{\tau }_i||{\tau }_j||I{D}_i||I{D}_j||t_j)\leftarrow Revea{l}_h(R_j)$

if ($K==K^{{}^{\prime }}$) then

10:  Compute $SK=H(I{D}_i\parallel I{D}_j\parallel {\tau }_i\parallel {\tau }_j\parallel K)$

Compute $R_i=H(SK||I{D}_i||I{D}_j||K)$

12: else Send $m_{i2}=\{R_i\}$ to ${\mathcal{D}}_j$

return Fail

14: end if

7.2. BAN Logic Based Security Analysis

In this section the formal security analysis of the proposed scheme has been done by using Burrows-Abadi-Needham (BAN) logic. We analyze the likelihood of mutual authentication among participants, along with the resistance from session key disclosure by using the BAN logic.

Various rules and principals were presented by Burrows, Abadi and Needham in 1989. If any one of these rules is being violated then the protocol/scheme is considered incorrect. Here are some rules and their descriptions:

Rule 1: Message Meaning

$$\frac{P|\equiv P\stackrel{K}{⟷}Q.P⊲<X{>}_K}{P|\equiv Q|\sim X}$$

This rule depicts that P believe, and Q one time said that if P believes than secret key K shared with Q and P see that X is encrypted by using key K.

Rule 2: Nonce Verification

$$\frac{P|\equiv \#(X),P|\equiv Q|\sim X}{P|\equiv Q|\equiv X}$$

this rule says that P is believing that Q also believes X, if P is still believing that X is fresh and Q said that X.

Rule 3: Jurisdiction

$$\frac{P|\equiv Q\Rightarrow X,P|\equiv Q|\equiv X}{P|\equiv X}$$

We can say that P is believing on Q and also X is valid, if and only if when P is believing that Q has the jurisdiction over X.

Rule 4: Acceptance Conjunction

$$\frac{P|\equiv X,P|\equiv Y}{P|\equiv (X,Y)}$$

If a P believes on X and X believes on Y, as a result we can say that P principal believes on both $(X,Y)$ too.

Rule 5: Freshness Conjunction

$$\frac{P|\equiv \#(X)}{P|\equiv \#(X,Y)}$$

In this rule we can said that P believing that both X and Y are fresh if and only if when P believe X is still fresh.

Rule 6: Session Key

$$\frac{P|\equiv \#(X),P|\equiv Q\equiv X}{P|\equiv P\stackrel{K}{⟷}Q}$$

In the session key rule if a P principal believes on the freshness of session key then also P and then Q also on X believes which is the most important part of the session key. And then P principal also believes that user shares a session key ”K” with Q.

We employ the following notations in verifying the the security properties.

• $\gamma |\equiv \sigma :\gamma$ believes $\sigma$
• $\gamma ⊲\sigma :\gamma$ sees $\sigma$
• $\gamma |\sim \sigma :\gamma$ once said $\sigma$, some time ago.
• $\gamma |\Rightarrow \sigma :\gamma$ has got jurisdiction over $\sigma$
• #($\sigma$): The message $\sigma$ is to be taken as fresh.
• ($\sigma$)${\sigma }^{{}^{\prime }}$: The formulae $\sigma$ is hashed in combination with formulae ${\sigma }^{{}^{\prime }}$.
• $(\sigma ,{\sigma }^{{}^{\prime }}):\sigma$ or ${\sigma }^{{}^{\prime }}$ being the part of message $(\sigma ,{\sigma }^{{}^{\prime }})$.
• ${(\sigma ,{\sigma }^{{}^{\prime }})}_k\to \gamma :\sigma$ or ${\sigma }^{{}^{\prime }}$ is encrypted with symmetric or asymmetric key K of $\gamma$.
• $\gamma \stackrel{K}{⟷}{\gamma }^{{}^{\prime }}:\gamma$ and ${\gamma }^{{}^{\prime }}$ can securely contact using the shared key K.

The following are the assumptions for the BAN logic analysis.

• $A1$: $D_i|\equiv \#(t_i)$
• $A2$: $D_j|\equiv \#(t_j)$
• $A3$: $D_i|\equiv (D_i\stackrel{SK}{⟷}{D}_j)$
• $A4$: $D_j|\equiv (D_i\stackrel{SK}{⟷}{D}_j)$
• $A5:D_i|\Rightarrow K_i$
• $A6$: $D_j|\Rightarrow K_i$

The following goals serve as the target for proving this analysis.

• Goal 1: $D_j|\equiv (D_i\stackrel{SK}{⟷}{D}_j)$
• Goal 2: $D_j|\equiv D_i|\equiv (D_i\stackrel{SK}{⟷}{D}_j)$
• Goal 3: $D_i|\equiv (D_i\stackrel{SK}{⟷}{D}_j)$
• Goal 4: $D_i|\equiv D_j|\equiv (D_i\stackrel{SK}{⟷}{D}_j)$

The protocol’s generic form is illustrated as under.

• M1: $D_i\to D_j:AI{D}_i,{\tau }_i,y_i,t_i$
• M2: $D_j\to D_i:AI{D}_j,{\tau }_j,R_j,t_j$:
• M3: $D_i\to D_j:R_i:$

The idealized form of the protocol is designed as follows.

• $M1$: $D_i\to D_j:\{{(IDi)}_{a_i},x.G,(I{D}_j,t_i)(a_i,I{D}_i),t_i\}$
• $M2$: $D_j\to D_i:\{{(I{D}_j)}_{a_i},y.G,{(a_i,{\tau }_i,{\tau }_j,I{D}_i,I{D}_j,t_j)}_k,t_j\}$
• $M3$: $D_i\to D_j:\{{(I{D}_i,I{D}_j,K)}_{SK}\}$

Considering the first and third message of the idealized form:

• $M1$: $D_i\to D_j:\{{(I{D}_i)}_{a_i},x.G,{(I{D}_j,t_i)}_{(ai,I{D}_i)},t_i\}$
• $M3$: $D_i\to D_j:\{{(I{D}_i,I{D}_j,K)}_{SK}\}$

By Applying seeing rule, we get,

• $S1$: $D_j⊲\{{(I{D}_i)}_{a_i},x.G,{(I{D}_j,t_i)}_{(ai,IDi)},t_i\}$
• $S2$: $D_j⊲\{{(I{D}_i,I{D}_j,K)}_{SK}\}$

According to S1, S2, A3 and message meaning rule,

• $S3$: $D_j|\equiv \{{(IDi)}_{a_i},x.G,{(I{D}_j,t_i)}_{(a_i,I{D}_i)},ti\}$
• $S4$: $D_j|\equiv \{{(I{D}_i,I{D}_j,K)}_{SK}\}$

According to A1, S3, S4 freshness conjucatenation, and nonce verification rules, we get

• $S5$: $D_j|\equiv D_i|\equiv \{{(I{D}_i)}_{ai},x.G,{(IDj,t_i)}_{(a_i,I{D}_i)},t_i\}$
• $S6$: $D_j|\equiv D_i|\equiv \{{(I{D}_i,I{D}_j,K)}_{SK}\}$

According to A6, S5, S6 and Jurisdiction rule

• $S6$: $D_j|\equiv \{{(IDi)}_{ai},x.G,{(I{D}_j,t_i)}_{(a_i,I{D}_i)},t_i\}$
• $S7$: $D_j|\equiv \{{(I{D}_i,I{D}_j,K)}_{SK}\}$

According to A3, S6, S7, and session key rule, we get

• $S8$: $D_j|\equiv D_i|\equiv D_i\stackrel{SK}{⟷}{D}_j$ (Goal 2)

According to A6, S8, and Jurisdiction rule

• $S9$: $D_j|\equiv D_i\stackrel{SK}{⟷}{D}_j$ (Goal 1)

Considering the second idealized form as:

• $M2$: $D_j\to D_i:\{{(I{D}_j)}_{a_i},y.G,{(a_i,{\tau }_i,{\tau }_j,I{D}_i,I{D}_j,t_j)}_K,t_j\}$

By applying seeing rule, we get

• $S10$: $D_i⊲:\{{(IDj)}_{a_i},y.G,{(a_i,{\tau }_i,{\tau }_j,I{D}_i,I{D}_j,t_j)}_K,t_j\}$

According to S10, A4 and message meaning rule,

• $S11$: $D_i|\equiv D_j\sim \{{(I{D}_j)}_{a_i},y.G,{(a_i,{\tau }_i,{\tau }_j,I{D}_i,I{D}_j,t_j)}_K,t_j\}$

According to A2, S11, freshness conjucatenation, and nonce verification rules we get,

• $S12$: $D_i|\equiv D_j|\equiv \{{(I{D}_j)}_{ai},y.G,{(a_i,{\tau }_i,{\tau }_j,I{D}_i,I{D}_j,t_j)}_K,tj\}$

According to A5, S12, and Jurisdiction rule

• $S13$: $D_i|\equiv \{{(I{D}_j)}_{ai},y.G,{(a_i,{\tau }_i,{\tau }_j,I{D}_i,I{D}_j,t_j)}_K,t_j\}$

According to A4, S13, and session key rule, we get

• $S14$: $D_i|\equiv D_j|\equiv D_i\stackrel{SK}{⟷}{D}_j$ (Goal 4)

According to A5, S14, and Jurisdiction rule

• $S15$: $D_i|\equiv D_j\stackrel{SK}{⟷}{D}_i$ (Goal 3)

The above BAN logic analysis formally proves that the proposed protocol achieves mutual authentication and the session key SK is mutually established between $D_i$ and $D_j$.

7.3. Security Features Analysis

Following subsections provide a discussion on attack resilience of the proposed protocol:

7.3.1. Key Compromise Impersonation Attack

By KCIA, if an adversary $\mathcal{A}$ gets long private key of a device say ${\mathcal{D}}_a$ can impersonate himself as anyother device say ${\mathcal{D}}_b$ of the system to the victim ${\mathcal{D}}_a$. In proposed protocol if $\mathcal{A}$ gets the long term private key $d_a=r_a+H(I{D}_a\parallel x_a)$, cannot impersonate himself as anyother device say ${\mathcal{D}}_b$ to the victim ${\mathcal{D}}_a$. To launch KCIA $\mathcal{A}$ can be the initiator or the responder, and for responding role $\mathcal{A}$ can intercept the message $\{(AI{D}_a,{\tau }_a,{\gamma }_a,t_a)\}$ sent by the ${\mathcal{D}}_a$ to ${\mathcal{D}}_b$. $\mathcal{A}$ cannot compute ${\alpha }_a=d_b{\tau }_b$ as it requires private key $d_b$ of ${\mathcal{D}}_b$. The inability of computing ${\alpha }_a$ is also extended to compute the identity $I{D}_a$ of initiator. Moreover, $\mathcal{A}$ cannot compute $K=K_b=y{Q}_b+d_b{\tau }_a$ because with known $d_a$ and the public key $Q_b$, finding $y{Q}_b+d_b{\tau }_a$ is elliptic curve discrete logarithm (ECDLP)—a hard problem. Hence $\mathcal{A}$ will also fail to compute $R_b$ and $SK$ as both also requires the knowledge of K. Similarly, in initiator case, $\mathcal{A}$ can compute ${\tau }_a=xG$, ${\alpha }_a=x{Q}_b$ and $AI{D}_a={\alpha }_a\oplus I{D}_i$ (With supposition that all identities are known to adversary). Similarly, after receiving the return message from ${\mathcal{D}}_b$, the adversary can also compute $I{D}_b$, but computing $K=K_a=x{Q}_b+d_a{\tau }_b$ is again intractable ECDLP. Therefore, the proposed protocol provides resistance against KCIA.

7.3.2. Device Anonymity

The proposed scheme provides device anonymity and un-traceability [38,39]. In the proposed scheme, ${\mathcal{D}}_a$ sends his pseudo calculated identity $AI{D}_a={\alpha }_a\oplus I{D}_a$, any adversary just by listening the channel can get this pseudo identity and to compute original identity $I{D}_a$, the adversary needs to know ${\alpha }_a$, which is not sent on communication channel. The adversary can get ${\tau }_a=xG$ but computing ${\alpha }_a$ from ${\tau }_a$ needs the private key of the receiver ${\mathcal{D}}_b$, same private key is required to get the original identity $I{D}_b$ from pseudo calculated identity $AI{D}_b$. Moreover, the temporary $ID$ is dynamically computed for each session. The proposed scheme provides identity hiding as well as resistance to traceability attack.

7.3.3. Man-in-Middle Attack

For two devices (${\mathcal{D}}_a$ and ${\mathcal{D}}_b$), the proposed protocol exchanges ${\tau }_a=xG$ and ${\tau }_b=yG$ and generates $K=x{d}_{b}G+y{d}_{a}G$ and session key $SK=H(I{D}_a\parallel I{D}_b\parallel {\tau }_a\parallel {\tau }_b\parallel K)$ using two private keys $d_a$ and $d_b$, and two session specific parameters x and y generated each participant. Since the devices can authenticate $R_a$ and $R_b$ very easily, a valid session key $SK$ is generated.Therefore, to get authenticated from other side, the attacker $\mathcal{A}$ requires the private key of the 2^nd participant as well as session specific temporary parameter generated on other side. Even if $\mathcal{A}$ can generate session specific parameter but computing private key out of public key is the hard ECDLP problem and computing $x{d}_{b}G+y{d}_{a}G$ from $d_{a}G$ and $d_{b}G$ is ECC Diffie-Hellman problem (ECDHP), which is also a hard problem. Thus, the proposed protocol provides protection against MIM attack.

7.3.4. Known-Key Attacks

Known-key-attack (KKA) is a cryptographic attack in which an adversary can access the ciphertext. Known-key-attacks can be attempted successfully by an adversary when the palintext is related with the ciphertext and the adversary could trace the plaintext by just performing backtracking. A $2PAKA$ protocol holds KKA property if a disclosure of whole or part of previously generated keys occur and such disclosure may not help to generate other past or future session keys. In the proposed protocol, each key is formed using private keys of both interconnected devices as well as their random numbers generated solely for formation of each session key and if an attacker $\mathcal{A}$ by some means gets one or more generated session keys, it may have no advantage in computing any other safe past or future keys and to expose any past or future keys $SK=H(I{D}_a||I{D}_b||{\tau }_a||{\tau }_b||K)$, $\mathcal{A}$ needs to compute K, $R_a$ and $R_b$ which are based on private keys and session specific parameters and are unknown to $\mathcal{A}$. Hence, proposed protocol resists KKS attack.

7.3.5. Unknown Key Share Attack (UKS)

By UKS, An entity, say ${\mathcal{D}}_x$ believes that a correct session key with other device ${\mathcal{D}}_y$ is accomplished and on other hand another device say ${\mathcal{D}}_y$ wrongly believes that the key is established with $\mathcal{A}$ instead of ${\mathcal{D}}_x$. In the proposed protocol, the session key computed on both sides is same and it requires the privates keys as well as identities of both the participants. Therefore, the proposed protocol is secure from UKS.

7.3.6. Backward/Forward secrecy

A protocol satisfies forward secrecy [40,41], if the private key of one or more participant but not all or some of the previously generated sessions keys are compromised, it may not effect future sessions keys. Similarly, in a protocol if compromise of current session key or some of the private keys cannot help to expose any previous session key, the protocol is said to be forward secure. The protocol is said to posses perfect forward secrecy if the compromise of all private keys have no effect on previously generated session keys. In the proposed protocol, even if the private keys of both participants are known to an adversary, he cannot compute any previously generated session key due to the inclusion of the session specific random parameters. Hence our device to device AKA provides $PFS$.

7.3.7. Known Session Specific Information Attack (KSSIA)

Resistance to KSSIA implies that, the exposure of all session parameters ($x,y$) to $\mathcal{A}$, may not expose the session key. In the proposed device authentication protocol, both devices ${\mathcal{D}}_a$ and ${\mathcal{D}}_b$ compute $SK=H(I{D}_a||I{D}_b||{\tau }_a||{\tau }_b||K)$. $\mathcal{A}$ can reveal $SK$ if and only if he knows $K=K_a=x{Q}_b+y{Q}_a$ or $K=K_b=y{Q}_a+x{Q}_b$. Knowing only the pair $(x,y)$ may not help $\mathcal{A}$ to derive $K_a$ or $K_b$. Therefore, the proposed protocol resists KSSIA.

7.3.8. Key Off-Set/Replicating Attack

The key replicating attack $(KRA)$ is a distinction of MIM attack, where one or more active adversaries intercept and modify the exchanged information between devices ${\mathcal{D}}_a$ and ${\mathcal{D}}_b$ in such a way that the modification results into agreement of an incorrect session key. In our proposed protocol the ${\mathcal{D}}_a$ and ${\mathcal{D}}_b$ exchange ${\tau }_a$ and ${\tau }_b$. $\mathcal{A}$ can modify some values by offset $ϵ$ and produces $ϵ{\tau }_a$ and $ϵ{\tau }_b$. Nevertheless, $\mathcal{A}$ remains unable to compute $SK$ that is agreed by ${\mathcal{D}}_a$ and ${\mathcal{D}}_b$, as $\mathcal{A}$ requires the knowledge of the private keys $d_a$ and/or $d_b$. Hence, the proposed device to device key is resistance to key off-set/replicating attack $(KOA/KRA)$.

7.3.9. No Key Control

The session key $SK=H(I{D}_a||I{D}_b||{\tau }_a||{\tau }_b||K)$ computed between ${\mathcal{D}}_a$ and ${\mathcal{D}}_b$ contains equal share of both participants, i.e., both participants add their session parameters as well as their private keys. Therefore, none of the participant has any control on session key formation and proposal provides No Key Control (NKC) property.

7.3.10. Replay Attack

Our proposed protocol is free from replay attack (RA). Any adversary can replay any old message say $\{AI{D}_a,{\tau }_a,{\gamma }_a,t_a\}$ exchanged between to legal devices. However, the timestamp $t_a$ is also a part of message in plain text as well as hidden in ${\gamma }_a$. The receiver can easily detect the freshness and discard the message in case it is replayed. Same is the case, if against any request, the adversary replays an old reply message say $\{AI{D}_j,{\tau }_j,R_j,t_j\}$, the initiator will easily detect the replay and will discard the message.

8. Performance Analysis

This section shows the comparative performance measure of the proposed protocol with existing protocols [13,31,32,36,37] in terms of computation and communication efficiency. Following notations and their running time computed by Kilinic and Yanik [42] on a Dual CPU $E2200$ with 2.20 GHz speed and with 2048 MB of RAM, were used for computation cost analysis:

• $T_{exp}\approx 3.85$ ms: Cost of modular exponentiation
• $T_{em}\approx 2.226$ ms: Cost of Point multiplication over ECC
• $T_{ea}\approx 0.0288$ ms: Cost of Point multiplication over ECC
• $T_h\approx 0.0023$ ms: Cost of hash function
• $T_{pb}\approx 5.811$ ms: Cost of bilinear pairing operation
• $T_{ed}\approx 0.0046$ ms: Cost of symmetric encryption

Table 3. Communication and Computation cost.

Protocol	Bytes Exchanged	Computation Cost	Running Time
Holbl-Walzer I [13]	258	$8T_{bp}$	$46.48$ ms
Holbl-Walzer II [13]	258	$6T_{bp}$	$34.866$ ms
Wang et al. [36]	66	$2T_{bp}+4T_{em}$	$20.5262$ ms
Ni et al. [37]	132	$2T_{bp}+2T_{em}+2T_{exp}$	$23.7742$ ms
Islam-Biswas [31]	120	$6T_{em}+6T_h$	$13.3698$ ms
Mandal et al. [32]	252	$4T_{em}+11T_{syd}+12T_h$	$8.9822$ ms
Proposed	168	$8T_{em}+2T_{ea}+6T_h$	$13.42$ ms

shows a comprehensive performance comparisons; referring the table, the proposed scheme completed the key exchange process by performing $6T_{em}+2T_{ea}+8T_h$ operations and with running time ≈ 13.42 ms. Mandal et al.’s protocol accomplished the same with $4T_{em}+11T_{syd}+12T_h$ operations and a running time of $\approx 8.9822$ ms. The protocol proposed by Islam-Biswas completed it in $\approx 13.3698$ ms by performing $6T_{em}+6T_h$ operations. Wang et al.’s protocol performed $2T_{bp}+4T_{em}$ operations and completed the authentication process in $\approx 20.5262$ ms. Holbl-Walzer protocols [13] accomplished authentication in $8T_{bp}$ and $6T_{bp}$ respectively with running time ≈ 46.48 ms and ≈ 34.866 ms respectively. The proposed protocol funished the authentication with slight higher computation time as compared with Mandal et al. and Islam-Biswas protocols, whereas it was efficient as compared with other related protocols. For communication cost, we considered an ECC point of size 160 bits, the output of hash function (SHA-1) is 160 bits and for simplicity identity was also taken as 160 bit, with timestamps of 32 bits length. The communication cost of the proposed protocol was just 168 bytes in comparison with Mandal et al.’s 252 bytes, Islam-Biswas’s 120, Ni et al.’s 132 bytes, Wang et al.’s 66 bytes and Holbl-Walzer’s 258 bytes. The communication cost of the proposed protocol was less than Mandal et al. and Holbl-Wazler’s protocols and more than Islam-Biswas, Ni et al. and Wang et al.’s protocols. Therefore, the proposed protocol achieved a good trad-off between computation and communication efficiencies.

9. Conclusions

In this paper, we have simulated key compromise impersonation attack (KCIA) on two recent ECC and self certified public key based authentication protocols. It has been shown that both the protocols of Islam-Biswas and Mandal et al. are not only insecure against KCIA, but also lacking anonymity. We then proposed an improved protocol to resist KCIA and related known attacks and to provide anonymity and related important security features. Proposed scheme is tailored to work in IoT-based fast moving vehicular networks and does not require involvement of a third party for sharing a key between two smart vehicles. The security of proposed scheme is analyzed through formal and informal methods. Although, proposed protocol accomplishes the authentication with slight high computation and communication costs as compared with related protocols but it provides resistance against all known attacks and encompasses all required security features. Hence, the proposed protocol is best suited for key exchange in device to device using certificates.