An efficient anonymous authentication and key agreement scheme with privacy-preserving for smart cities

Abstract

Internet of Things devices are responsible for collecting and transmitting data in smart cities, assisting smart cities to release greater potential. As Internet of Things devices are increasingly connected to smart cities, security and privacy have gradually become important issues. Recently, research works on mitigating security challenges of Internet of Things devices in smart cities mainly focused on authentication. However, in most of the existing authentication protocols, the trustworthiness evaluation of Internet of Things devices in smart cities is ignored. Considering the trustworthiness evaluation of Internet of Things devices is an important constituent of data source authentication, in this article, a cloud-aided trustworthiness evaluation mechanism is first designed to improve the credibility of the Internet of Things devices in smart cities. Furthermore, aiming at the problem that the user’s privacy is easy to leak in the process of authentication, an anonymous authentication and key agreement scheme based on non-interactive zero knowledge argument is proposed. The proposed scheme can ensure the privacy preservation and data security of Internet of Things devices in smart cities. The security analysis demonstrates that the proposed scheme is secure under q-SDH problem. The experimental simulation indicates that the performance of the proposal is greatly improved compared with other similar schemes.

Keywords

Smart cities non-interactive zero knowledge trustworthiness evaluation anonymous authentication

Introduction

With the continuous increase of population in cities and the formation of new urban agglomerations, the problems caused by urbanization, such as traffic jams, environmental degradation, lack of resources, and the decline of residents’ quality of life, have become increasingly prominent. The concept of smart cities was proposed to realize the sustainable development of the cities.¹ Information and communication technologies are showing an increasingly accelerating development trend in the world.² A series of key technologies, such as 5G network, Internet of Things (IoT), cloud computing, big data analysis, new generation geographic information systems, are gradually carried out from the proposal of the concept to the actual application landing. These technologies give birth to many emerging urban application scenarios and innovative management modes, bringing more opportunities for the construction of smart cities.³

In the architecture of smart cities, the terminal perception layer provides the ability of intelligent perception of the physical environment and realizes the identification, data collection, monitoring, and control of the infrastructure within the scope of the city through sensing devices and sensor networks.⁴ With the rapid development of IoT and mobile communication technologies, smart meters, smart cameras, wearable embedded devices, smart home appliances, and other terminal devices come into family life. Although a large number of IoT terminal devices provide people with convenient life, they also provide a broader attack platform and environment for attackers.⁵ As shown in Figure 1, in smart cities, most of the data collected by these IoT devices is sensitive, attackers may eavesdrop or tamper with these data to obtain benefits, which may bring serious consequences. For example, smart meters collect electricity consumption data, which will expose the user’s life behavior track once leaked; wearable embedded devices collect people’s physiological data, which will endanger people’s lives once leaked or tampered in the transmission process. To ensure the security of terminal communication services in smart cities, prevent the data collected by IoT devices from being eavesdropped on or tampered in the process of transmission, and avoid the damage or major security accidents to the business applications of the smart city caused by the leakage and tampering of data content, it is necessary to authenticate the devices and encrypt the transmitted data end-to-end.^6,7

Figure 1.

IoT devices in smart cities transmitting data to the operation center in the presence of adversaries.

Motivations

In smart cities, IoT devices are facing a variety of serious security threats, such as replay attack, data tampering attack, device simulation attack, man-in-the-middle attack, and privacy leakage.⁸ These security threats hinder the development of smart cities. Therefore, security is gradually becoming a key demand in the development of smart cities.⁹ Device authentication is regarded as one of the basic security services to protect the IoT system in smart cities. It verifies the identity of the IoT devices involved in the communication, so as to provide appropriate access control for these IoT devices.^10,11 The key agreement provides end-to-end secure communication for smart cities and ensures the confidentiality and integrity of data in the process of data transmission.¹² To mitigate the security challenges in smart cities, we will start with authentication and key agreement to design a protocol suitable for IoT devices with limited computing power.

Main contributions

The main contributions of this study can be summarized as follows:

A cloud-aided trustworthiness evaluation mechanism is designed. Trustworthiness evaluation provides reliable authorization basis for identity authentication. However, due to the limited computing and storage resources of IoT device, the trustworthiness evaluation cannot be completed by itself. Considering the powerful computing resources and storage capacity, cloud server is introduced to evaluate the reliability of IoT devices. The operation center will decide whether to authorize the IoT device according to the trustworthiness level value calculated by the cloud server, so as to achieve mutual trust between the IoT device and the operation center.

An anonymous authentication and key agreement protocol with privacy preservation is proposed. A non-interactive zero knowledge (NIZK) scheme is constructed to realize anonymous authentication and key agreement between operatiion center and IoT devices. As the properties of NIZK, the proposed scheme can protect the data security and privacy of IoT devices in smart cities.

Formal security analysis and experimental simulation are presented. Security analysis demonstrates that the proposed protocol can meet many security requirements such as anonymity, privacy preservation, mutual authentication, forward security, and unlinkability. Performance analysis shows that the proposed protocol requires much less time overhead than similar protocols, so the proposed protocol is more suitable for deployment in smart cities.

The remainder of this article is organized as follows: A detailed description of the related work is given in section “Related works.” The system model, security model, and security requirements of the proposed scheme are presented in section “System model, security model and security requirements.” The preliminaries required for the proposed scheme are described in section “Preliminaries.”“The proposed scheme” section elaborates the cloud-aided trustworthiness evaluation mechanism and anonymous authentication process. The section “Security analysis” provides provable security analysis and analysis of the security requirements for the proposed scheme. And the performance analysis of the proposed scheme is presented in the section “Performance analysis.” Finally, we give a conclusion and future work of this article in the section “Conclusion.”

Related works

In recent years, IoT devices are widely used in various fields of smart cities. Its security has also received great attention.^13–17 For the secure authentication of IoT devices, scholars have done a lot of research. Now, the related work is sorted out as follows.

In 2014, aiming at security issues of implantable medical devices in wireless body area network environment, Liu et al.¹⁸ proposed an authentication scheme based on certificateless signature. The scheme is proved to be secure against the existence forgery of adaptive chosen message attack in random oracle model. However, Xiong¹⁹ pointed out that Liu et al.’s scheme could not resist the public key replacement attack and proposed an extensible certificateless remote authentication protocol with anonymity and forwarding security to solve this problem, but this scheme has the problem of member revocation. To solve this problem, in 2015, Xiong and Qin²⁰ proposed a remote authentication scheme which was constructed by incorporating an efficient revocation certificateless encryption scheme for short-term key disclosure and a certificateless signature scheme. The security analysis shows that the scheme satisfies anonymity, key escrow resistance, and revocability. However, Shim²¹ pointed that the scheme was insecure against the adversary who knows a secret value. According to the secret value, the adversary can forge signatures. That is the scheme cannot resist signature forgery attack. In 2021, Wei et al.²² proposed an efficient, secure, and privacy-preserving message authentication scheme. The scheme supports IoT devices in smart cities with different encryption systems (whether RSA or ElGamal), and allows offline/online computing, making it more versatile and efficient than previous solutions.

However, the process of identity authentication may reveal users’ privacy. To protect the privacy of users, more and more scholars focus on anonymous authentication. In 2017, Dimitriou and Karame²³ proposed an anonymous authentication scheme based on the blind signature and the hash chain. Blind signature technology has the characteristic that the signer is invisible to the message signed by him, so as to protect the privacy of the sender. But this scheme cannot trace malicious senders. To solve this problem, Kong et al.²⁴ proposed an anonymous authentication scheme based on blind group signature. In this scheme, the group manager can trace the group signatures generated by the group members by using the group private key. But the scheme needs multiple interactions to ensure the security of authentication, resulting in huge computation and communication costs. Aiming at the low efficiency of authentication and resisting load modification attacks on the smart meter, Boyapally et al.²⁵ proposed an authentication scheme based on physically unclonable functions(PUF). The scheme uses lightweight cryptographic primitives, which makes the scheme feasible in resource-constrained IoT devices. Vasco et al.²⁶ proposed an authentication scheme based on oblivious pseudo random functions (OPRF), and further proposed a blind anonymous identity-based encryption scheme. The scheme will not disclose to the eavesdropper whether the execution is successful, so as to hide whether the sender’s password is in the receiver’s password set. In addition, the scheme provides a provable security model to capture the security and anonymity of sender and receiver. In most authentication schemes, the evaluation of the credibility of the devices in smart cities is not considered, which makes the authentication schemes lack reliability. Besides, designing a privacy-preserving authentication protocol with low computational and communication overhead is also an urgent problem in smart cities.

System model, security model, and security requirements

In this section, the system model, security model, and the security requirements in the proposed scheme are presented. Table 1 lists some of the symbols used in the proposed scheme.

Table 1.

Notations in the proposed scheme.

Symbol	Description
IoTD	IoT device
OC	Operation center
CS	Cloud server
TL	Trustworthiness level
$μ$ , $x$ , $y$	The private key of OC, IoTD, CS
$U$ , $X$ , $Y$	The public key of OC, IoTD, CS
$ϑ$	The set of trustworthiness attribute information
$ζ^{inst} (t)$	The instantaneous TL value for the IoTD at time $t$
$ζ (t^{-})$	The previous TL value for the IoTD
$l$	The TL value of the IoTD
$T$	The authorized tag for the IoTD
$K$	The session key between IoTD and OC

System model

The system model is shown in Figure 2. First of all, before the IoTD sends registration request to the OC, it needs to collect its own trustworthiness attribute(TA) information and send it to the CS. The CS calculates its trustworthiness level(TL) and returns it to the IoTD. Second, the IoTD signs the TL and sends the report to the OC. To prevent cheating, the OC requests the TL of the device from the CS for comparison. And the authorized tag is granted to the IoTD whose TL falls within its acceptable range. Among them, the CS is semi-trusted, it may deliberately reduce the TL value of the IoTD to prevent the authentication and key agreement between legitimate IoTD and OC; the IoTD is semi-trusted, it may deliberately improve its TL value to cheat the OC; the OC is also semi-trusted, it may be curious about the privacy of data in the IoTD.

Figure 2.

System model.

Security model

We define the security model of the proposed anonymous authentication scheme for smart cities by a game. The game is played by an adversary $A$ (seen as a probabilistic polynomial-time(ppt) Turing machine) and a challenger $C$ . Let $Π_{Ω}^{χ}$ denotes the instance $χ$ of a participant $Ω$ , where $Ω$ is an IoTD or OC. In this game, adversary $A$ sends a series of queries and challenger $C$ answers as follows:

$h_{i} (M_{j})$ : In the query, adversary $A$ sends a hash query about message $M_{j}$ , and challenger $C$ responds this query by randomly picking $R_{j} \in Z_{p}^{*}$ and records the tuple $(M_{j}, R_{j})$ in the list $L_{h_{i}}$ .

Extract $(I D_{i})$ : In this query, adversary $A$ makes an extract query on identity $I D_{i}$ of an IoTD. Challenger $C$ answers this query with the authorized tag of that identity.

Send $(Π_{Ω}^{χ}, M_{j})$ : In this query, adversary $A$ makes a send query on message $M_{j}$ . Challenger $C$ executes the protocol according to message $M_{j}$ and returns the corresponding execution result to adversary $A$ .

Reveal $(Π_{Ω}^{χ})$ : If challenger $C$ has accepted, adversary $A$ can obtain a session key $K$ on $(Π_{Ω}^{χ})$ . Otherwise, returns ⊥ to $A$ .

Corrupt $(I D_{i})$ : In this query, adversary $A$ makes a corrupt query on identity $I D_{i}$ of an IoTD. Challenger $C$ answers this query with the authorized tag of that identity.

Test $(Π_{Ω}^{χ})$ : When $A$ sends the query to $C$ , challenger $C$ randomly picks $b \in {0, 1}$ . If $b = 1$ , challenger $C$ outputs a true session key $K$ . If $b = 0$ , randomly answers an element that has same bits as true session key to $A$ .

When the adversary $A$ performs the above queries within a limited period of time, he he makes a guess about the value $b$ and returns $b'$ as his answer. It is defined that adversary $A$ wins the game if he guesses correctly, that is $b' = b$ . And it is defined that the advantage of adversary $A$ breaking the authenticated key agreement(AKA) security of the scheme $Σ$ as ${Adv}_{Σ}^{A} (E_{AKA}) = | \Pr [b' = b] - \frac{1}{2} |$ .

Definition 1

q-SDH assumption. With the public parameter $pp = (G, p, g)$ generated by $Gen (1^{κ})$ , the $q$ -Strong Diffie-Hellman ( $q$ -SDH) assumption²⁷ holds if for all ppt $A$ , we have

\Pr [\begin{matrix} pp \leftarrow Gen (1^{κ}), μ \overset{$}{\leftarrow} Z_{p} : \\ (c, g^{1 / (μ + c)}) \leftarrow A (g, g^{μ}, \dots, g^{μ^{q}}) \end{matrix}] \leq negl (κ)

where $c \in Z_{p}$ .

Definition 2

AKA secure. It is defined that the proposed solution is AKA secure if the ${Adv}_{Σ}^{N} (E_{AKA})$ is negligible.

Security requirements

In this scheme, the following security goals should be realized:

Mutual authentication: A malicious adversary will fake a legitimate IoTD to obtain the corresponding services. At the same time, due to the privacy of the data collected and transmitted by the IoTD, the malicious attacker will fake the legitimate OC to request private data. To ensure the security for smart cities, the proposed scheme should achieve mutual authentication.

Session key aggrement: To ensure the data security in smart cities, the proposed scheme should achieve session key agreement. Session key can provide guarantee for subsequent data security communication between IoTD and other communicating parties.

Privacy preservation: The data in the IoTD have high privacy. Once the data are leaked, it will cause serious consequences. To protect the privacy of data in IoTD, the proposed scheme should achieve privacy preservation, that is, any unauthorized entities cannot get the data in plaintext, and the authorized third parties cannot disclose the user’s privacy according to the accepted data.

Perfect forward security: To protect the data security, the designed scheme need satisfy perfect forward security, that is, although the attacker obtains the current session key, he cannot recover the previous session keys.

Resistance of other attacks: What is more, the proposed protocol should be able to resist multiple attacks. Such as replay attack, man in the middle attack, forgery attack, and so on.

Preliminaries

In this section, a basic definition of the cryptographic primitives required for the proposed protocol is given.

$Σ$ -Protocol

Let $R = {(s, w)}$ be a binary relation, where $s$ is a statement owned by both the prover and verifier, and $w$ is a witness that only the prover has. A three-move interaction protocol $π = (a, c, z)$ between a prover $P$ and a verifier $V$ is a $Σ$ -protocol for relation $R$ if the following three properties hold²⁸:

Completeness: If $P$ inputs a statement $s$ and a witness $w$ , and $s$ , $w$ satisfy the relation $R$ , then $V$ always accepts $P$ .

Special soundness: Given two accepting transcripts $(a, c, z), (a, c', z')$ for any statement $s$ , where $c \neq c'$ , there exists a PPT algorithm Extr can calculate the witness $w$ which satisfies the relation $R$ .

Special honest verifier zero knowledge: On input $s$ and a challenge $c$ , there exists a PPT algorithm Simu can outpus a transcript with the same probability distribution as transcripts in the real world. Formally speaking, for every $s$ and $w$ that satisfy the relation $R$ and every $c \in {0, 1}^{κ}$ it holds that

{Simu (s, c)} \equiv {< P (s, w), V (s, c) >}

where $simu (s, c)$ denotes the simulated transcript, and $< P (s, w), V (s, c) >$ represents the real output transcript.

NIZK arguments

None-interactive zero-knowledge proofs (NIZKs) make a prover $P$ to prove a statement $s$ satisfies the relation of $R = {(s, w)}$ without interacting with the verifier $V$ in zero-knowledge. A pair of PPT algorithms ( $P$ , $V$ ) for a language $L \in NP$ is a NIZK argument system if the following properties hold:

1. Completeness: For any statement $s \in L (| s | = κ)$ and the corresponding witness $w$ , it has

\Pr [γ \leftarrow {0, 1}^{plog (κ)}; π \leftarrow P (γ, s, w) : V (γ, s, π) = 1] = 1

2. Soundness: If $s \notin L$ , then for any $P^{*}$ , the following probability is negligible:

\begin{matrix} \Pr [γ \leftarrow {0, 1}^{ploy (κ)}; π \leftarrow P^{*} (γ, s) : V (γ, s, π) = 1] \\ \leq negl (κ) \end{matrix}

3. Zero-knowledge: There is a PPT simulator $S$ , such that any $s \in L$ and the corresponding witness $w$ , the following two distributed computations are indistinguishable:

\begin{matrix} | \Pr [γ \leftarrow {0, 1}^{plog (κ)}; π \leftarrow P (γ, s, w) : V (γ, s, π)] - \\ \Pr [(γ, π) \leftarrow S (s) : (γ, s, π)] \leq neg 1 (κ) \end{matrix}

A NIZK argument can be constructed by transforming a $Σ$ -Protocol using Fait–Shamir heuristic.²⁹

The proposed scheme

In this section, we will demonstrate the proposed scheme in detail from the following phases. The detailed process of anonymous authentication and key agreement is shown in Figure 3.

Figure 3.

Authentication and key agreement phase.

Setup

In this scheme, each IoTD maps its information to a specific and unique identity $ID$ . Bying executing the Setup algorithm, the public parameters as generated as follows:

First, on input security parameter $κ$ , the OC outputs a three-tuple $(G, p, g)$ , where $G$ is a multiplicative group of prime $p$ generated by $g$ .

Second, the OC randomly picks $μ \in Z_{p}^{*}$ as its private key and calculates $U = g^{μ}$ as its public key. The IoTD randomly selects $x \in Z_{p}^{*}$ as its private key and calculates $X = g^{x}$ as its public key. And the CS picks random value $y \in Z_{p}^{*}$ as its private key and calculates $Y = g^{y}$ as its public key.

Finally, the OC chooses cryptographic hash functions $h_{1} : (0, 1)^{*} \to Z_{p}^{*}$ , $h_{2} : {0, 1}^{*} \to {0, 1}^{k}$ , where $k$ is the length of session key, and publishes public parameters $(G, p, g, U, X, Y, h_{1}, h_{2})$ .

Trustworthiness level computation

Pouryazdan et al.³⁰ proposed a vote-based trustworthiness management system. The detailed process of trustworthiness level computation is presented in their scheme. This method is also used in the proposed scheme. Before IoTD sends registration to OC, it needs to ask the CS to calculate its TL value, the detailed process is given below:

First, the IoTD collects a set of attribute values which can reflect its reliability, and sends the set to the CS. The set is $ϑ = {a_{1}, a_{2}, a_{3}, \dots, a_{m}}$ , where $ϑ$ stands for the set of trustworthiness attribute information and $a_{1}, a_{2}, a_{3}, \dots, a_{m}$ stands for different parameters collected by sensors about IoTD.

Second, when receiving the set $ϑ$ , the CS computes the instantaneous TL value for the IoTD by the equation as follows

ζ^{inst} (t) = \frac{\sum_{i = 1}^{m} α_{i} a_{i}}{m}

Because the importance of each attribute is different, we use weight $α_{i}$ to measure the $i$ th set $ϑ$ . Based on the instantaneous TL value, the TL value is calculated as follows

ζ (t) = (1 - \frac{δ}{θ . (1 + Δ t)}) \cdot ζ^{inst} (t) + \frac{δ}{θ . (1 + Δ t)} \cdot ζ (t^{-})

where $δ$ represents the proportion of TL value at time $t^{-}$ in the calculation of TL value at time $t$ . $Δ t$ denotes time interview between $t$ and $t^{-}$ . $θ$ denotes the annealing rate of TL values previously calculated as time changing.

Third, the CS encrypts the TL value $l$ of the IoTD with public key $X$ and sends it to the IoTD.

Authorized tags generation

Data storage and processing on the CS is secure, but there is a situation that the CS deliberately reduces the TL value $l$ of an IoTD to prevent the successful registration of legitimate applicants. To prevent this, IoTD needs to sign on the value $l$ to prove that the assessment is acceptable. If the value $l$ is not within its acceptable trustworthiness level range, it will be rejected. If there is no confirmation from IoTD, the TL value assessment is invalid.

When receiving the TL value $l$ , the IoTD picks a random number $b \in Z_{p}$ and signs it by the following equations if it accepts the value

v_{1} = (g^{b} mod p) mod q

v_{2} = [b^{- 1} (h_{1} (l) + x v_{1})] mod q

Encrypted the value $l$ by the public key of OC, then sends the ciphertext, the signature $(v_{1}, v_{2})$ and identity $ID$ to the OC.

Upon receiving the data package, the OC decrypts using its private key and acquires $l$ . Then it calculates $w = {(v_{2})}^{- 1} mod q$ , $u_{1} = [h_{1} (l) w] mod q$ , $u_{2} = v_{1} w mod q$ , and $ω = [(g^{u_{1}} X^{u_{2}}) mod p] mod q$ . Checks whether $ω = v_{1}$ holds. If the verfication is successful, the OC will send the identity $ID$ to the CS and ask the CS to return the TL value $l$ of the $ID$ . If the value returned is the same as the value sent by IoTD, and the value $l$ shows that the IoTD is trustworthy, the OC will compute $λ = h_{1} (ID)$ and generate a tag $T = g^{\frac{1}{μ + λ}}$ for the IoTD, where $λ \in Z_{p} \ {- μ}$ . To prove the validity of the tag, the OC also needs to send a NIZK proof $π \leftarrow NIZK {(μ) : T^{μ} = T^{- λ} g \land g^{μ} = U}$ to the IoTD. The detailed process is described below:

First, the OC picks a random number $r \in Z_{p}$ , and sets $R_{1} = T^{r}$ , $R_{2} = g^{r}$ , then computes $c = h_{2} (g, U, λ, T, R_{1}, R_{2})$ and $z = r + c μ mod p$ . After that, the OC outputs a proof $π = (c, z)$ and sends $(T, π)$ to the IoTD through secure channel.

Second, when the IoTD receives $(T, π)$ from OC, it computes $λ = h_{1} (ID)$ , and computes the following equations to verify the proof

\begin{matrix} R_{1}' = T^{z + c λ} g^{- c} \\ R_{2}' = g^{z} U^{- c} \\ c' = h_{2} (g, U, λ, T, R_{1}', R_{2}') \end{matrix}

Checks whether $c' = c$ holds. If this equation holds, the tag will be stored in IoTD for subsequent authentiaction.

Session key agreement

This phase can be divided into the following steps:

Step 1: The OC randomly selects a number $m \in Z_{p}^{*}$ and computes $M = g^{m}$ . Then the OC signs message $M$ with private key $μ$ and generates a signature $σ_{1}$ . It sends $(M, σ_{1})$ to the IoTD.

Step 2: When the IoTD receives $(M, σ_{1})$ , it verifies the validity of the signature $σ_{1}$ by OC’s public key $U$ . If it passes, the IoTD randomly selects a number $n \in Z_{p}^{*}$ and computes $N = g^{n}$ . The IoTD needs to send message $N$ to the OC. To show its legal identity and maintain its anonymity, the IoTD produces a proof $σ_{2}$ . In particular, the IoTD chooses a random number $a \in Z_{p}^{*}$ and computes $A = T^{a}$ . After that, the IoTD selects random number $r_{1}, r_{2} \in Z_{p}$ and calculates the following equations to generate a proof $σ_{2}$

\begin{matrix} Φ = A^{- r_{1}} g^{r_{2}} \\ k = h_{2} (g, A, Φ, N, t) \\ s_{1} = r_{1} + k λ mod p \\ s_{2} = r_{2} + ka mod p \end{matrix}

The IoTD generates proof $σ_{2} = (k, s_{1}, s_{2})$ and calculates the session key $K = h_{2} (M, σ_{1}, N, σ_{2}, M^{n})$ . Finally, the IoTD sends $(A, N, σ_{2}, t)$ to the OC.

Step 3: When the OC receives $(A, N, σ_{2}, t)$ from the IoTD, it first checks the freshness of the timestamp $t$ . If the timestamp has already been used, which means that an adversary launched a replay attack during the data transmission, the packet is ignored. Otherwise, the OC parses $σ_{2}$ into $(k, s_{1}, s_{2})$ and calculates the following equations to verify the validity of the proof

\begin{matrix} Γ = A^{λ} \\ Φ' = A^{- s_{1}} Γ^{- k} g^{s_{2}} \\ k' = h_{2} (g, A, Φ', N, t) \end{matrix}

If $k = k'$ dose not hold, it means message $N$ is modified by an adversary in the course of data transmission or the IoTD is not an authorized legal entity, the OC will ignore the packet. Otherwise, it means message $N$ is coming from a legitimate entity. Then the OC can successfully share the session key $K = h_{2} (M, σ_{1}, N, σ_{2}, N^{m})$ with the IoTD.

Security analysis

Provable security

Through the above security model, a formal security analysis is given in this subsection as follows:

Theorem 1

If the $q$ -SDH assumption holds in $G$ , then no ppt adversary $A$ against the proposed authentication scheme can forge an authorized tag to pass the OC’s verification with non-negligible probability.

Proof

If there exists an adversary $A$ can forge an authorized tag that successfully passes the verification by the OC with non-negligible probability $ε$ , then we can prove that there exists a challenger $C$ can solve the $q$ -SDH problem with non-negligible probability.

Given a $q$ -SDH instance $(g, g^{μ}, \dots, g^{μ^{q}}) \in {(G^{*})}^{q + 1}$ for some unknown $μ \in Z_{p}^{*}$ , $C$ aims to output $(c, g^{\frac{1}{μ + c}})$ for some $c \in Z_{p} \ {- μ}$ . $C$ chooses a string $I D^{*}$ as the target IoTD’s identity. Then $C$ randomly picks $λ_{1}, λ_{2}, \dots, λ_{q - 1} \in Z_{p}$ . Let

\begin{matrix} f (x) = Π_{j = 1}^{q - 1} (x + λ_{j}) = \sum_{j = 0}^{q - 1} a_{j} x^{j} \\ f_{i} (x) = \frac{f (x)}{(x + λ_{i})} = Π_{j = 1, j \neq i}^{q - 1} (x + λ_{j}) = \sum_{j = 0}^{q - 2} b_{i, j} x^{j} \end{matrix}

Using the tuple and technique of Boneh-Boyen,²⁷ $C$ can compute

\begin{matrix} g' = Π_{j = 0}^{q - 1} {(g^{μ^{j}})}^{a_{j}} = g^{f (μ)} \\ U = Π_{j = 1}^{q} {(g^{μ^{j}})}^{a_{j - 1}} = g^{μ f (μ)} = {(g')}^{μ} \\ T_{i} = Π_{j = 0}^{q - 2} {(g^{μ^{j}})}^{b_{i, j}} = g^{f_{i} (μ)} = g^{\frac{f (μ)}{(μ + λ_{i})}} = {(g')}^{\frac{1}{μ + λ_{i}}} \end{matrix}

Finally, $C$ maintains list $L_{Ex} = {(λ_{i}, T_{i})}_{i = 1}^{q - 1}$ as authorized tags and responses tuples $(G, p, g', U)$ to $A$ . $C$ answers $A$ ’s queries as follows:

$h_{i} (M_{j})$ -Query: Challenger $C$ maintains a list $L_{h_{l}} = (M_{j}, R_{j})$ , where $j = 1, 2$ . When $A$ sends a hash query, $C$ checks if $(M_{j}, R_{j})$ has exists in $L_{h_{l}}$ . If exists, returns the tuple. Otherwise, $C$ randomly picks $R_{j} \in Z_{p}^{*}$ , records the tuple $(M_{j}, R_{j})$ in the list $L_{h_{l}}$ and returns $R_{j}$ to $A$ .

Extract $(I D_{i})$ -Query: If $I D_{i} = I D^{*}$ , $C$ outputs ⊥ to $A$ . Otherwise, returns $(λ_{i}, T_{i})$ according list $L_{Ex}$ .

Send $(Π_{Ω}^{χ}, M_{j})$ -Query: Challenger $C$ checks if $I D_{i} = I D^{*}$ first. If so, $C$ aborts the game. Otherwise, $C$ answers this query according the following results:

-when $A$ makes a query on $(Π_{Ω}^{χ}, start)$ , $C$ randomly picks number $a$ , $n$ , computes $N = g^{n}$ and $A = T^{a}$ . And picks two random number $r_{1}, r_{2} \in Z_{p}$ , computes $Φ = A^{- r_{1}} g^{r_{2}}$ , $k = h_{2} (g, A, Φ, N, t)$ , $s_{1} = r_{1} + k λ mod p$ , $s_{2} = r_{2} + ka mod p$ since $C$ knows authorized tag $(λ, T)$ . Then $C$ sends ${A, N, σ = (k, s_{1}, s_{2}), t}$ to $A$ .

-when $A$ makes a query on $(Π_{Ω}^{χ}, auth)$ , $C$ first verifies the freshness of time $t$ , and checks the correctness of $σ$ according to the message generated by $(Π_{Ω}^{χ}, start)$ . If $auth$ is not valid then $C$ aborts it. Otherwise, $C$ answers $A$ according to the execution of scheme as $C$ knows authorized tags of these IoTDs.

Reveal $(Π_{Ω}^{χ})$ -Query: $C$ outputs ⊥ if $Π_{Ω}^{χ}$ is not accepted. Otherwise, returns the session key according list $L_{h_{2}}$ .

Corrupt $(I D_{i})$ -Query: $C$ searches list $L_{Ex} = {(λ_{i}, T_{i})}_{i = 1}^{q - 1}$ and then outputs corresponding result to $A$ .

Test $(Π_{Ω}^{χ})$ -Query: $C$ chooses random element that has the same bit length as the true session key and sends to $A$ .

Finally, $A$ outputs a forgery $(λ^{*}, T^{*})$ , $C$ sets $(λ, T) = (λ^{*}, T^{*})$ . If $(λ, T)$ is a successful forgery, that is, $(λ, T) \notin {{(λ_{i}, T_{i})}_{i = 1}^{q - 1}}$ and $A^{μ + λ} = g'$ . Let $f (x) = f' (x) (x + λ) + θ$ for some $θ \in Z^{*}$ , and write $f' (x) = \sum_{j = 0}^{q - 2} ζ_{j} x^{j}$ . As $T = {(g')}^{\frac{1}{μ + λ}} = g^{\frac{f (μ)}{μ + λ}} = g^{\frac{f' (μ) (μ + λ) + θ}{λ + μ}} = g^{f' (μ) + \frac{θ}{λ + μ}}$ , so $C$ can calculate $g^{\frac{1}{λ + μ}} = {(\frac{T}{g^{f' (μ)}})}^{\frac{1}{θ}}$ with $g^{f' (μ)} = Π_{j = 0}^{q - 2} {(g^{μ^{j}})}^{ζ_{j}}$ . That is $C$ can solve the $q$ -SDH problem. Let $E_{1}$ denotes the event that $C$ aborts the send-Query, $E_{2}$ denotes the event that $A$ forges an authorized tag. Then the advantage that challenger $C$ solves the $q$ -SDH problem is $\Pr [E_{1} \land E_{2}] = \Pr [E_{1}] \Pr [E_{2} | E_{1}] = ε \cdot {(1 - \frac{1}{q_{s} + 1})}^{q_{s}} = \frac{ε \cdot q_{s}^{q_{s}}}{{(q_{s} + 1)}^{q_{s}}}$ . As the advantage that $C$ solves the q-SDH problem is non- negligible, which conflicts with the reality. Thus, the proposed scheme is AKA secure.

Analysis of the security requirements

In this subsection, we will show that proposed protocol meets all the security requirementsmentioned above. The security analysis is shown as follows.

Mutual authentication

When the IoTD sends a registration request to the OC, the OC will assign authorized tag for it who has high trustworthiness level value. And the OC generates a proof $π = (c, z)$ to prove that the tag comes from a legal entity. The IoTD authenticates the validity of the tag from OC by $R_{1}' = T^{z + c λ} g^{- c}$ , $R_{2}' = g^{z} U^{- c}$ , and $c' = h_{2} (g, U, λ, T, R_{1}', R_{2}')$ . Besides, before to send message $N$ , each IoTD uses its authorized tag to produce a proof for that message. Upon receiving a message report, the OC verifies that the message $N$ is from a legitimate IoTD by $Γ = A^{λ}$ , $Φ' = A^{- s_{1}} Γ^{- k} g^{s_{2}}$ , and $k' = h_{2} (g, A, Φ', N, t)$ . The soundness of NIZK makes sure that only who has an authorized tag can be accepted by the OC. Thus in this phase, the OC can authenticate the IoTD. The mutual authentication can be guaranteed in the proposed scheme. What is more, the message report $(N, t)$ is hashed by $k = H_{2} (g, A, Φ, N, t)$ , if a malicious adversary $A$ modifies the IoTD’s message report, the OC will discover it and refuse the message report. Therefore, the authentication and data integrity are both assured in the proposed scheme.

Session key agreement

As $K = h_{2} (M, σ_{1}, N, σ_{2}, M^{n})$ and $K = h_{2} (M, σ_{1}, N, σ_{2}, N^{m})$ , the IoTD and OC can calculate a session key with same value. Then they can use the session key for secure communication. Besides, the proposed scheme has been proved AKA secure under $q$ -SDH problem. Therefore, the proposed scheme support secure session key agreement.

Privacy-preserving

Only entities with session keys $K = h_{2} (M, σ_{1}, N, σ_{2}, N^{m})$ can decrypt the data report from IoTD, which makes any unauthorized entities can’t get the data in plaintext. What is more, the zero knowledge of NIZK makes sure that the OC cannot link the accepted message $N$ to a specific IoTD. As the authorized tag $T_{i}$ is randomized by a random number in the way of $A_{i} = T_{i}^{a_{i}}$ , the randomized tag $A_{i}$ belongs to an IoTD takes different ways when performing a new round of key agreement, leading to the privacy protection of IoTD and the resistance to dictionary attacks. Although the session key is leaked, the malicious adversary $A$ acquires data report in the form of plaintext. As we have randomize the tag by a dynamic random number, and the zero knowledge property also ensures that no one can retrieve useful information about IoTD’s identity from the tag, so the adversary $A$ cannot link this report to a specific IoTD. Therefore, the privacy preservation can be guaranteed in this scheme.

Perfect forward security

If the adversary intercepts the report $(M, σ_{1})$ and ${A, N, σ_{2} = (k, s_{1}, s_{2}), t}$ transmitted between the IoTD and OC during authenticaition phase, he cannot compute a session key because he cannot solve DL problem.³¹ Furthermore, even the current session key is leaked, it will not affect the security of the previous session communication, then this protocol provides forward security. Since the current session key is calculated as $K = h_{2} (M, σ_{1}, N, σ_{2}, N^{m})$ . Even if the current session key is compromised by an adversary, as the random number $m$ is dynamically updated with every session, it will not impact the secrecy of past session keys. Thus, the proposed scheme satisfies forward security.

Resistance of other attacks

As this protocol injects a timestamp $t$ during message transmission, any malicious behavior that wants to launch a replay attack will be detected. As mutual authentication is guaranteed in the key agreement process, the proposed protocol can resist man-in-the-middle attacks. Besides, we have proved that no ppt adversary can forge a valid tag to pass the OC’s verfication under $q$ -SDH problem, so the proposed authentication scheme can be resistance of forgery attack.

Performance analysis

In this section, first, a comparison about features of the proposed scheme with those of other schemes is given. Second, the communication overhead of the proposed scheme is analyzed. Finally, the computational cost is discussed and the time cost of authorized tag generration and session key exchange is described.

Features comparison

In this subsection, the comparison between the proposed scheme, revocable and scalable certificateless remote authentication (RSCR²⁰), threshold-based anonymous identification (TAI³²), and conditionally anonymous ring signature (CRS³³) is given. As displayed in Table 2, only the proposed scheme can satisfy all of these features. By generating NIZK proofs, the proposed scheme satisfies the mutual authentication and privacy-preserving. As the hash function is collision resistant, the data integrity is guaranteed in the proposed scheme. As the $q$ -SDH assumption holds in $G$ , the proposed scheme can resist forgery attack. Also, because it satisfies the mutual authentication, it can resist man-in-middle attacks, so the proposed scheme supports secure session key agreement. The detailed explanation is presented in section “Security analysis.” Besides, because the proposed scheme is relatively small in communication and computational overhead compared with other similar schemes, so the proposed scheme achieves scalability.

Table 2.

Features comparison.

Schemes	The proposed scheme	RSCR	TAI	CRS
Mutual authentication	✓	✗	✓	✗
Session key agreement	✓	✗	✗	✗
Privacy-preserving	✓	✓	✓	✓
Unforgeability	✓	✗	✓	✗
Data integrity	✓	✓	✗	✓
Scalability	✓	✓	✓	✗

Communication overhead

To show the superiority of the proposed scheme, other similar schemes are compared with the scheme. It is assumed that the number of IoTDs is $n$ . First, the communication cost of the authorized tags that are distributed to the IoTD is analyzed. The tag issued by the OC is in the shape of $T ∥ c ∥ z$ and its size is $| G | + 2 | Z_{p}^{*} |$ , in which $| G |$ represents the length of element in $G$ , $| Z_{p}^{*} |$ represents the length of element in $Z_{p}^{*}$ . Besides, the communication cost of message report for key agreement that is generated by the IoTD and sent to the OC is discussed. The message report for the IoTD is in the shape of $A ∥ k ∥ s_{1} ‖ s_{2} ‖ N ∥ t$ and its size is $2 | G | + 3 | Z_{p}^{*} | + | t |$ , where $| t |$ represents the length of timestamp. We compare the proposed scheme with other similar schemes TAI³² and CRS³³ in terms of the communication cost from the IoTD to the OC. The result is shown in Figure 4. Because in CRS, each device needs the public keys of all other peer devices to participate to achieve its anonymity, so its overhead increases as the number of devices increases. In addition, because the proposed protocol only needs a shorter proof to complete identity authentication when generating zero-knowledge proofs, the proposed protocol has less communication overhead compared to similar scheme TAI that uses zero-knowledge to complete anonymous authentication.

Figure 4.

IoTD to OC communication cost.

Computational complexity

In this subsection, we denote $H$ as hash operation, $P$ as weil pairing operation, $E$ as modular exponentiation operation and $M$ as modular multiplication operation. Then the computational complexity of authorized tag generation at the OC side is $2 H$ + $3 E$ + $M$ , the tag authentication at the device side is $2 H$ + $4 E$ + $3 M$ , the zero knowledge proof generation at the IoTD side is $H$ + $3 E$ + $3 M$ , and the proof authenticaition at the OC side is $H$ + $4 E$ + $M$ . The proposed scheme and the compared schemes are simulated on pairing-based cryptography (PBC) library to compare their performance.

Execution time demonstrates the complexity of the proposal, which can be evaluated by time cost of the tag authentication and zero knowledge proof generation at the IoTD side, authorized tag generation and proof authenticaition at the OC side. First, we compare the time cost of the authorized tag generation and proof authentication at the OC side with other similiar schemes. The computational complexity of authorized tag generation phase in TAI is $H$ + $2 P$ + $3 M$ , in CRS is $P$ + $4 E$ + $nM$ . And the computational complexity of proof authentication phase in TAI is $2 H$ + $2 P$ + $4 E$ + $8 M$ , in CRS is $2 P$ + $3 E$ + $nM$ . In our simulation, the time cost of the two phases at the OC are separately simulated. It can be seen from Figures 5 and 6 that the time of tag generation and proof authentication in these proposals increase linearly with the number of IoTDs, but the time cost on these two phases in the proposed scheme is much less than the time required for the TAI and CRS. This is because, the schemes TAI and CRS require more expensive operations than the proposed scheme, such as pairing operations. Then, we compare the time cost of the tag authentication and zero knowledge proof generation at the IoTD side with other similiar schemes. The computational complexity of tag authentication phase in TAI is $2 P$ + $2 M$ , in CRS is $2 P$ + $E$ + $nM$ . And The computational complexity of zero knowledge proof generation phase in TAI is $2 H$ + $P$ + $3 E$ + $8 M$ , in CRS is $(4 n - 1) E$ . From Figures 7 and 8, we can see that with the number of IoTDs increases, the time cost of tag authentication and zero knowledge proof generation in the proposed scheme and in TAI both keep constant, but the the proposed scheme has better performance than the TAI. The time cost of these two phases in CRS increases linearly with the number of IoTDs, that is, because the IoTD needs to use other peer devices’public keys to generate its signature.

Figure 5.

Time cost of OC for tag generation.

Figure 6.

Time cost of OC for proof authentication.

Figure 7.

Time cost of IoTD for tag authentication.

Figure 8.

Time cost of IoTD for proof generation.

Therefore, from the perspective of practicability, the proposed scheme is more applicable to smart cities.

Conclusion

In this article, we first propose a cloud-aided trustworthiness evaluation mechanism. According to the trustworthiness evaluation calculated by CS, the OC decide whether to authorize tag to IoTD, hence mutual trust between IoTD and OC is guaranteed in the proposed scheme. In addition, an efficient anonymous authentication and key agreement scheme based on non-interactive zero knowledge is proposed. Based on this scheme, the OC can authenticate the validity of IoTD without revealing its identity, hence privacy preservation of IoTD is guaranteed in the proposed scheme. And the session key prevents attackers acquiring data in plaintext, hence data security of IoTD is guaranteed in the proposed scheme. Security analysis indicates that the proposal can satisfy many security properties, such as anonymity, privacy preservation, mutual authenticaition, forward security, and unlinkability. The result of performance evaluation demonstrates that the proposal is more suitable for deployment in smart cities.

However, how to seek a balance between privacy protection and regulation is a problem worthy of discussion in the data security protection of the smart city. In the future, we will study how to design a revocation mechanism which can revoke malicious entities while keeping the anonymity of legitimate entities in smart cities.

Footnotes

Handling Editor: Dr Yanjiao Chen

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work is supported by the National Natural Science Foundation of China under Grant Nos U1836115, 61672295, 61922045, 61672290, and 61877034; the Natural Science Foundation of Jiangsu Province under Grant No. BK20181408; the Jiangsu Key Laboratory of Big Data Security and Intelligent Processing, Nanjing University of Posts and Telecommunications under Grant No. DSIP1901; the Peng Cheng Laboratory Project of Guangdong Province PCL2018KP004; the CICAEET fund; and the PAPD fund. Besides, this work is also supported by FCT/MCTES through national funds and when applicable co-funded EU funds under the Project UIDB/50008/2020; and by the Brazilian National Council for Scientific and Technological Development—CNPq, via Grant No. 313036/2020-9.

ORCID iDs

Xueya Xia

Pandi Vijayakumar

References

Shen

Tang

Zhu

, et al. Privacy-preserving support vector machine training over blockchain-based encrypted IoT data in smart cities. IEEE Internet Things J 2019; 6(5): 7702–7712.

Xie

Tang

Huang

, et al. A survey of blockchain technology applied to smart cities: research issues and challenges. IEEE Commun Surv Tut 2019; 21(3): 2794–2830.

Hammi

Khatoun

Zeadally

, et al. IoT technologies for smart cities. IET Netw 2018; 7(1): 1–13.

Alavi

Jiao

Buttlar

, et al. Internet of things-enabled smart cities: state-of-the-art and future trends. Measurement 2018; 129: 589–606.

Hui

TKL

Sherratt

Sánchez

. Major requirements for building smart homes in smart cities based on internet of things technologies. Fut Gener Comput Syst 2017; 76: 358–369.

Vijayakumar

Azees

Chang

, et al. Computationally efficient privacy preserving authentication and key distribution techniques for vehicular ad hoc networks. Cluster Comput 2017; 20(3): 2439–2450.

Lee

Hwang

Liao

. Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Trans Ind Electron 2006; 53(5): 1683–1687.

Ning

Liu

Yang

. Aggregated-proof based hierarchical authentication scheme for the internet of things. IEEE Trans Parall Distrib Syst 2015; 26(3): 657–667.

Gharaibeh

Salahuddin

Hussini

, et al. Smart cities: a survey on data management, security, and enabling technologies. IEEE Commun Surv Tut 2017; 19(4): 2456–2501.

10.

Vijayakumar

Azees

Kannan

, et al. Dual authentication and key management techniques for secure data transmission in vehicular ad hoc networks. IEEE Trans Intell Transp Syst 2016; 17(4): 1015–1028.

11.

Chen

Lee

. A two-factor authentication scheme with anonymity for multi-server environments. Secur Comm Netw 2015; 8: 1608–1625.

12.

Mir

Weide

TVD

Lee

. A secure user anonymity and authentication scheme using AVISPA for telecare medical information systems. J Med Syst 2015; 39(9): 89.

13.

Wei

Zeadally

Vijayakumar

, et al. An intelligent terminal based privacy-preserving multi-modal implicit authentication protocol for internet of connected vehicles. IEEE Trans Intell Transp Syst. Epub ahead of print 7 July 2020. DOI: 10.1109/TITS.2020.2998775.

14.

Gope

Gheraibia

Kabir

, et al. A secure IoT-based modern healthcare system with fault-tolerant decision making process. IEEE J Biomed Health Inform 2021; 25(3): 862–873.

15.

Azees

Vijayakumar

Deboarh

. EAAP: efficient anonymous authentication with conditional privacy-preserving scheme for vehicular ad hoc networks. IEEE Trans Intell Transp Syst 2017; 18(9): 2467–2476.

16.

Manickam

Shankar

Perumal

, et al. Secure data transmission through reliable vehicles in vanet using optimal lightweight cryptography. In: Hassanien

Elhoseny

(eds) Cybersecurity and secure information systems. Cham: Springer, 2019, pp.193–204.

17.

Vijayakumar

Chang

Deborah

, et al. Computationally efficient privacy preserving anonymous mutual and batch authentication schemes for vehicular ad hoc networks. Fut Gener Comput Syst 2018; 78: 943–955.

18.

Liu

Zhang

Chen

, et al. Certificateless remote anonymous authentication schemes for wirelessbody area networks. IEEE Trans Parall Distrib Syst 2014; 25(2): 332–342.

19.

Xiong

. Cost-effective scalable and anonymous certificateless remote authentication protocol. IEEE Trans Inform Foren Sec 2014; 9(12): 2327–2339.

20.

Xiong

Qin

. Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE Trans Inform Foren Sec 2015; 10(7): 1442–1455.

21.

Shim

. Comments on “revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks.” IEEE Trans Inform Foren Sec 2018; 15: 81–82.

22.

Wei

Phuong

TVX

Yang

. An efficient privacy preserving message authentication scheme for internet-of-things. IEEE Trans Ind Inform 2021; 17(1): 617–626.

23.

Dimitriou

Karame

. Enabling anonymous authorization and rewarding in the smart grid. IEEE Trans Depend Secure Comput 2017; 14(5): 565–572.

24.

Kong

Shen

Vijayakumar

, et al. A practical group blind signature scheme for privacy protection in smart grid. J Parall Distrib Comput 2020; 136: 29–39.

25.

Boyapally

Mathew

Patranabis

, et al. Safe is the new smart: PUF-based authentication for load modification-resistant smart meters. IEEE Trans Depend Secure Comput. Epub ahead of print 6 May 2020. DOI: 10.1109/TDSC.2020.2992801.

26.

Vasco

MIG

Pozo

ALPD

Soriente

. A key for John Doe: modeling and designing anonymous password-authenticated key exchange protocols. IEEE Trans Depend Secure Comput 2021; 18: 1336–1353.

27.

Boneh

Boyen

Short signatures without random oracles. In: Proceedings of the EUROCRYPT 2004, Interlaken, 2–6 May 2004, pp.56–73. Berlin: Springer.

28.

Zhao

Deng

Zang

, et al. Practical zero-knowledge arguments from protocols. In: Proceedings of the international workshop on internet and network economics, Hong Kong, China, 15–17 December 2005, pp.288–298. Berlin: Springer.

29.

Fiat

Shamir

. How to prove yourself: practical solutions to identification and signature problems. In: Proceedings of the conference on the theory and application of cryptographic techniques, Santa Barbara, CA, 11–15 August 1986, pp.186–194. Berlin: Springer.

30.

Pouryazdan

Kantarci

Soyata

, et al. Anchor-assisted and vote-based trustworthiness assurance in smart city crowdsensing. IEEE Access 2016; 4: 529–541.

31.

Shor

. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput 1997; 26(5): 1484–1509.

32.

Sui

Niedermeier

de Meer

. TAI: a threshold-based anonymous identification scheme for demand-response in smart grids. IEEE Trans Smart Grid 2016; 9(4): 3496–3506.

33.

Zeng

Jiang

Qin

. An efficient conditionally anonymous ring signature in the random oracle model. Theor Comput Sci 2012; 461: 106–114.

An efficient anonymous authentication and key agreement scheme with privacy-preserving for smart cities

Abstract

Keywords

Introduction

Motivations

Main contributions

Related works

System model, security model, and security requirements

System model

Security model

Definition 1

Definition 2

Security requirements

Preliminaries

Σ -Protocol

NIZK arguments

The proposed scheme

Setup

Trustworthiness level computation

Authorized tags generation

Session key agreement

Security analysis

Provable security

Theorem 1

Proof

Analysis of the security requirements

Mutual authentication

Session key agreement

Privacy-preserving

Perfect forward security

Resistance of other attacks

Performance analysis

Features comparison

Communication overhead

Computational complexity

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iDs

References

$Σ$ -Protocol