www.nature.

com/scientificreports

OPEN ECC-based three-factor

authentication and key agreement
scheme for wireless sensor
networks
Wenfeng Huang

In wireless sensor networks (WSNs), protocols with authentication and key agreement functions can
enhance the security of the interaction between users and sensor nodes, guaranteeing the security of
user access and sensor node information. Existing schemes have various security vulnerabilities and
are susceptible to security attacks (e.g., masquerading user, password guessing, internal privilege,
and MITT attacks), so they cannot meet the anonymity requirements or achieve forward security. To
effectively improve the security performance of WSNs, an elliptic curve cryptography (ECC)-based
three-factor authentication and key agreement scheme for WSNs is proposed. The scheme is based
on the ECC protocol and combines biometrics, smart card and password authentication technology;
uses a challenge/response mechanism to complete the authentication between users, gateways,
and sensors; and negotiates a secure session key. The Burrows, Abadi and Needham logic for formal
security analysis proves the correctness and security of the scheme, and the informal analysis of
multiple known attacks proves that the scheme can resist various attacks and has high security
characteristics. The feasibility of the scheme has been analysed and verified with the ProVerif tool. The
efficiency analysis results show that the scheme is suitable for resource-constrained WSNs.

As wireless sensor networks (WSNs) are widely used in various application areas, securing their communication
has become one of the focuses of researchers. e confidentiality of information communication is a major chal-
lenge, and protecting the privacy of data from unauthorized access by attackers is a major problem facing Internet
of ings (IoT) WSNs1. Current schemes suffer from various security vulnerabilities in authentication and key
agreement functions and are susceptible to security attacks such as masquerading users, password guessing,
insider privileges, and MITM (Man-in-the-Middle), so they cannot satisfy anonymity requirements or achieve
forward security. In IoT WSNs, establishing user authentication protocols with session keys is an approach that
is widely used to solve the above problems. In this context, this study aims to address the security vulnerabilities
in existing WSNs, especially in the interaction between users and sensor nodes, to ensure the security of user
access and sensor node information.
e significance of this research lies in the following points: (1) Safeguarding communication security: WSNs
are widely used in environmental monitoring, health care, intelligent transportation, etc., which include data
communication that oſten involves personal privacy and important information. By improving the security of
authentication and key agreement, this study helps to secure user access and sensor node information against
potential attack risks. (2) Filling existing security holes: In this study, it is found that there are various vulnerabili-
ties in the current security protocols in WSNs, which may be subject to attacks such as camouflage and password
guessing. By combining elliptic curve cryptography and multifactor authentication techniques, this scheme is
expected to fill these loopholes and improve the overall security of WSNs. (3) Promotion of the development
of security in the field of WSNs: With the evolution of the IoT, the range of applications of WSNs is expanding.
Research on communication schemes with high security is crucial for the healthy development of WSNs. is
study aims to offer fresh insights and approaches for enhancing security in WSNs. (4) Positive impact on practi-
cal applications: Not only is the correctness and security of the scheme verified through formal BAN logic and
the ProVerif tool, but its ability to fight against a wide range of attacks through informal analysis is also verified.
is makes the scheme more likely to succeed in practical applications and provides strong technical support for
real-world deployments. (5) Suitable for resource-constrained environments: e results of the efficiency analysis

School of Information Engineering, Xiamen Ocean Vocational College, Xiamen 361100, Fujian, China. email:
hwꢀ[email protected]

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 1

www.nature.com/scientificreports/

show that the scheme is suitable for resource-constrained WSNs. is is a substantial advantage for sensor nodes
that have limited computational and storage resources and is expected to have a positive impact in the real world.
To effectively enhance the security performance of WSNs, this study proposes a three-factor authentication
and key agreement scheme based on elliptic curve cryptography (ECC). e scheme is based on the ECC pro-
tocol, combines biometric, smart card and cryptographic authentication techniques, uses a challenge/response
mechanism to complete the authentication between the user, the gateway and the sensor, and negotiates a secure
session key. e correctness and security of the scheme are validated through formal security analysis using BAN
logic. In addition, the scheme is verified as highly secure against various attacks through informal analysis of a
variety of known attacks. To ensure the feasibility of the research, the paper also provides an exhaustive analysis
and validation of the scheme using the ProVerif tool. e final efficiency analysis results show that the scheme is
suitable for resource-constrained WSNs and provides a feasible and efficient solution for secure communication
in WSNs. e purpose of this study is to promote the development of security in the field of WSNs and to provide
a more reliable protection mechanism for wireless sensor networks in practical applications.

Related works
In 2015, Lee et al.2 proposed a nontamper smart card authentication key protocol scheme based on anonymous
passwords. In 2017, Wu et al.3 noted that the scheme of Lee et al.2 is not resistant to smart card loss, spoofed
users, spoofed server attacks, and so forth. Wu et al. proposed an enhanced anonymous password authentication
key agreement scheme. In 2016, Jiang et al.4 proposed a two-factor authentication scheme based on ellipse curve
cryptography (ECC) for untraceable time vouchers in WSNs. In 2018, Li et al.5 found flaws in the work of Jiang
et al.4, such as the lack of a password detection and change mechanism and a clock synchronization problem.
us, Li et al. proposed a three-factor anonymous authentication scheme for WSNs in the IoT environment,
using a fuzzy commitment scheme and error correction code to process user biometric information; however,
the scheme proved to be unable to resist smart card loss attacks and achieve forward security. In 2022, Meriam
et al.6 performed an informal security analysis of the protocol of Li et al.5, and the results showed that it cannot
achieve anonymity and cannot resist session key leakage, internal, and other attacks. us, Meriam et al. proposed
a three-factor mutual authentication and key agreement protocol for IoT WSNs based on lightweight ECC, using
physically unclonable functions (PUFs) and ECC to improve security and effectively solve the security problem
of Li et a l.’s proposal5.
In 2017, Wu et al.7 proposed a user authentication scheme for WSNs based on the Internet of ings(IoT) and,
in the same year, an efficient authentication and key agreement scheme for multigateway WSNs in the deploy-
ment of the IoT8. In 2019, Bayat et al.9 noted that the scheme of Wu et al.7 could not withstand certain security
attacks. us, Bayat et al. proposed an analysis and improvement of the user authentication scheme of the IoT
based on ECC. In 2019, Guo et al.10 found that the scheme of Wu et al.8 was inefficient and instead proposed a
secure and efficient three-factor multigateway authentication protocol for WSNs; however, this scheme proved
to be unable to resist offline password guessing and other attacks. In 2017, Jung et al.11 proposed an efficient and
secure anonymous authentication scheme based on key agreement in WSNs. In the same year, Sravani et al.12
proposed an authentication key establishment scheme based on a secure signature for future IoT applications.
However, the scheme was not resistant to man-in-the-middle attacks and was too complex and inefficient13.
In 2021, Azrour et al.14 proposed a new, enhanced IoT authentication protocol based on the literature2,5, and9,
that could resist replay, internal, and other attacks. In 2021, Vinoth et al.15 proposed a multifactor authentication
key protocol scheme for industrial IoT security; however, this scheme could not deal with certain types of attacks,
such as sensor node capture and replay attacks. In 2021, Xue et al.16 proposed a lightweight three-factor authen-
tication and key agreement scheme for multigateway WSNs in the IoT based on a ummary of the literature10,14,
and 15 and proved the correctness and security of the proposed scheme through the BAN logic and BPR model.
However, the scheme could not guarantee the security of the user’s private key or negotiate a secure session key.

Motivation, contributions and road-map

Motivation
e motivation of this paper is to improve the security of wireless sensor networks (WSNs), especially to enhance
the authentication and key agreement features in the interaction between users and sensor nodes. Currently exist-
ing schemes suffer from various security vulnerabilities and are susceptible to security attacks such as masquer-
ading users, password guessing, internal privileges, and man-in-the-middle attacks. ese vulnerabilities make
it difficult for existing schemes to meet anonymity requirements and achieve forward security. In this article,
they propose an integrated authentication and key agreement scheme based on the ECC protocol is proposed,
combining multiple authentication techniques to improve the security performance of WSNs, and demonstrate
its feasibility and high level of security through formal and informal security analysis.

eir contribution

1) is paper proposes a three-factor authentication and key agreement scheme based on ECC for WSNs17.
e new scheme is based on the ECC key agreement mechanism and introduces the challenge/response
mechanism to establish authentication and key agreement mechanisms among users and gateways and
sensors of WSNs. e security of the scheme is guaranteed by the security characteristics of biometrics, the
elliptic curve discrete logarithm problem, and the one-way characteristics of the hash function.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 2

www.nature.com/scientificreports/

2) Aſter the authentication and key agreement between the user and the sensor is completed, a password update
and smart card logout scheme is proposed to assist users in better managing smart cards and enhance the
security of the scheme.
3) e proposed scheme is validated in several forms. e scheme’s security is assessed through a formal analysis
employing BAN logic. In addition, the nonformal security analysis proves the security performance of the
scheme and its resistance to various attacks. Furthermore, simulations using the ProVerif tool validate the
feasibility of the proposed scheme. Finally, the performance analysis shows that the scheme improves security
without increasing energy consumption.

e road-map of the paper is as follows

In Section “Mathematical preliminaries”, they reviewed some of the basics of math and information security and
defined the notations and descriptions and threat model used by the scheme. In Section “Safety analysis of exist-
ing schemes”, the advantages and some security vulnerabilities in the work of Xue et al.16 are discussed. Sections
“e proposed scheme” and “Security analysis” present the proposed scheme and the corresponding security
analysis, respectively. In Section “Efficiency analysis”, the performance of the proposed scheme is evaluated, and
finally, the whole paper is concluded in Section “Conclusions”.

Mathematical preliminaries
Cryptanalysis
Cryptanalysis, a subset of cryptography, is the process of deciphering or breaking cryptographic systems. It uti-
lizes techniques such as mathematics, computer science, and engineering to unveil encrypted data. e primary
objective of cryptanalysis is to achieve unauthorized access to encrypted information by scrutinizing weaknesses
in encryption algorithms, key management, and security mechanisms. is involves activities such as password
guessing, analysing the mathematical aspects of encryption algorithms, identifying vulnerabilities in encryption
keys, and exploiting errors in implementation. e efficacy of cryptanalysis hinges on the intricacy and robust-
ness of the cryptosystem. is field plays a pivotal role in information security, contributing to the evaluation
and enhancement of cryptographic system strength.

ECC and ECDH18

Elliptic Curve Cryptography (ECC) is a public key encryption algorithm that is widely used in the field of
cryptography. e security of ECC is based on the discrete logarithmic problem on elliptic curves, which is
considered to be difficult to solve; thus, encryption algorithms based on this mathematical puzzle provide a high
level of security. Compared to traditional RSA algorithms based on the integer factorization problem, ECC can
use shorter key lengths while providing the same level of security, thus reducing the computational and storage
requirements. Overall, elliptic curve cryptography is an important part of the modern field of cryptography and
provides a powerful tool for secure communication.
e elliptic Curve Diffie-Hellman key exchange (ECDH) is mainly used to establish secure shared encryp-
tion data in an insecure channel, generally exchanging private keys, which are generally used as "symmetric
encryption" keys by both parties for subsequent data transmission. ECDH is based on the premise that given a
point P on an elliptic curve and an integer k, it is easy to solve for Q=KP, but it is difficult to solve for K via Q, P.

BAN logic
BAN logic is a formal method for analysing and verifying cryptographic schemes, proposed by Burrows, Abadi,
and Needham (BAN) in 198919. e basic idea of BAN logic is to convert messages in a cryptographic scheme into
a logical language representation and then use inference rules to derive the beliefs and goals of the participants
in the scheme. BAN logic can be used to find vulnerabilities in a scheme to improve its security and efficiency.
Table 1 shows the notations used by BAN logic20 and descriptions of these notations. e BAN logic rules
SK
used include: message meaning rule R1: P|≡PP|≡Q|∼H , random number verification rule R2: P|≡#P(H|≡)Q,P||≡≡HQ|
↔ Q,P⊳{H} SK
∼H ,
arbitration rule R3: P|≡Q|≡ H ,P |≡Q|⇒H
P |≡ H , freshness rule R4: PP|≡|≡##(H(H,G) ) , belief rule R5: P|≡P|(≡HG,G) , and session
secret key
rule R6: P|≡#(H),P|≡Q|≡H
SK .
P|≡P ↔ Q

Random oracle model

In 1993, Bellare and Rogaway formally proposed the Random Oracle Model (ROM) methodology, with which
the past purely theoretical research of provable security methodology quickly made significant progress in the

Notations Descriptions Notations Descriptions

SK
P| ≡ H P believes H is true P↔Q Both P and Q can use the shared key SK to communicate with each other
P⊳H P sees H and is capable of reading and repeating it P|∼H P once said H; at some time, P has sent the message containing H
H is fresh which means it was never sent before the current execution of the
#(H) P| ⇒ H P has control or jurisdiction over H
protocol
{H}K e ciphertext obtained by encrypting plaintext H with key K

Table 1. Notations used by BAN logic and descriptions of these notations.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 3

www.nature.com/scientificreports/

field of practical applications. A large number of fast and effective security programs have been proposed, and
at the same time, they also produced the "concrete security or exact security", which means that they no longer
only satisfy the asymptotic degree of security but can exactly obtain a more accurate security measure. Practical-
oriented provable security theory has been widely accepted by academia and industry.
Inside cryptography, a random oracle is a prediction machine (simply put, like a black box for the theory) that
returns a truly uniformly random output for any input, and for the same input, this prediction machine outputs
the same output in the same way every time (i.e., if the query is repeated, it responds in the same way every time
the query is submitted). In other words, a randomized prediction machine is a function that randomly maps all
possible inputs to outputs.
e stochastic prediction machine model is usually an idealized stand-in for the real hash function and has
its origins in the idea of viewing hash functions as pseudorandom. e stochastic prediction machine model
has the following properties:

1) Consistency: Inputs that are the same should produce matching outputs.
2) Computability: the output can be calculated within a polynomial time frame.
3) Uniform Distributability: e prediction machine’s output is evenly spread across the value space without
any overlaps.
4) In the stochastic prediction machine model, it is assumed that the adversary will not exploit the weakness
of the hash function to attack the cryptographic scheme.

Notations and descriptions

Table 2 shows the notations used in this paper and descriptions of these notations.

Threat model18
In this article, the following threat models are used:

1) Communication conducted over a public channel is susceptible to eavesdropping, providing attackers with
an advantage.
2) reats to any system can come from external entities or even legitimate users who may act as attackers.
3) Attackers have the capability to manipulate, erase, redirect, and replay intercepted messages, compromising
the integrity of the communication.
4) e attacker is assumed to possess knowledge of the protocol used in the authentication system.

Safety analysis of existing schemes16

Scheme16 proposed an authentication and key agreement scheme for multigateway environments. In the scheme,
biometrics, a crucial element, is extracted and authenticated using a fuzzy extractor. e program consists of
the following six processes:

1) System initialization. e SA assigns identity ID , ID and private keys x , x to HGWN and FGWN and
establishes a shared key Khf . e HGWN and FGWN hg independently
fg choosehgthree
fg random numbers, denoted
as Rh, Rf and Rf, respectively.

Notations Descriptions Notations Descriptions

Ui and Ua User Ui and Ua E(Fp) Elliptic curve finite field E(Fp)
GWN Gateway node GWN P Base points on elliptic curves P
Sj Sensor node Sj ri and ru e private key ri and ru of the user Ui
IDi e identity IDi of the user Ui rg e private key rg of the gateway node GWN
IDhg e identity IDhg of the gateway node GWN rs e private key rs of the sensor node Sj
SIDj e identity SIDj of the sensor node Sj Ri and Ru e public key Ri and Ru of the user Ui
PWi e password PWi of the user Ui Rg e public key Rg of the gateway node GWN
BIOi e biological factor BIOi of the user Ui Rs e public key Rs of the sensor node Sj
SCi e smart card SCi of the user Ui · Elliptic curve point multiplication operation
SKu e generation process of fuzzy extraction
e negotiated session key SKu of the user Ui Gen
SKs e negotiated session key SKs of the sensor node Sj Rep Recovery process of fuzzy extraction
K e random secret information generated by fuzzy
G Gateway node secret value KG αi
extraction αi of the user Ui

βi e auxiliary bit string generated by fuzzy extraction βi

List Number of user authentication
of the user Ui
‖ concatenation operator h(·) hash function
T Timestamp ⊕ XOR operator
ΔT Maximum permitted transmission delay mod Modular exponentiation

Table 2. Notations used in this paper and descriptions of these notations.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 4

www.nature.com/scientificreports/

2) Registration. is stage comprises sensor registration and user registration. Both sensor nodes and users
are needed to register their fundamental details with the nearest HGWN gateway. Aſter the registration, Ui
saves B1 = h(αi ‖IDi ‖PW)i ⊕ r i, B2 = h(HPW‖α i i‖ID i‖r i)mod n 0 to SC, HGWN saves SIDj , and Sj saves xj .
3) Login. Ui inputs IDi , PW,i and BIO i, SC verifies the identity of Ui by calculating B2 = h(HPW‖α i i‖ID i‖r i)mod
n0, if the verification passes, Ui sends M1 = {TIDi , IDhg , SIDj , D0 , D1 , D2 , D3 , T1 } over the public channel to
HGWN.
4) Authentication and key agreement.Aſter receiving the communication request between Ui and SIDj , HGWN
initially verifies if the designated sensor Sj is within its communication range. If HGWN can retrieve SIDj
from its local database, it can proceed following Case 1, and the three parties, Ui , HGWN, and SIDj , per-
form authentication and key agreement; otherwise, it operates according to Case 2, and the four parties, Ui ,
HGWN, FGWN, and SIDj , perform authentication and key agreement.
5) Password update. User enters his or her IDi , PW, i and BIOi , and SC verifies. If the verification passes, the user
enters new password PW’, i SC computes new B1 , B2 , and ei and saves.
′ ′ ′

6) Smart card logout. e user enters his or her IDi , PW,i and BIOi and SC verifies it. If the verification passes,
Ui sends M0 ={TIDi , βi , R0 , T1 } over the public channel to HGWN. HGWN verifies that Ki ’ is equal to Ki by
computation. if the verification passes it deletes Ui ’s information {IDi , Ki , honey_list}.

e existing scheme16 has some advantages in resisting password guessing, replay, and other attacks to achieve
two-way authentication and key agreement; however, there are also security vulnerabilities, such as the inability
to guarantee anonymity and the potential to suffer from MITT attacks. In this section, the advantages of the
scheme and the existence of security vulnerabilities are presented21.

Advantages of the scheme16

e advantages of the schemes16 include the following:

1) e use of biometric-based fuzzy extraction technology effectively enhances the security of user login via
the three-factor authentication mechanism.
2) Security of the authentication process is ensured through use of the challenge/response mechanism22.
3) e user’s secret xi and the sensor’s secret xj are calculated using the hash function, and they are not transmit-
ted in the public channel, which can prevent the secret from being cracked and ensure its forward security.
4) e honey list technique, which can prevent password guessing attacks by setting the number of logins and
avoid smart card loss attacks and offline guessing attacks, is adopted.
5) Replay attacks are avoided by setting the timestamp T.
6) Two-way authentication and key agreement are achieved as the negotiated session key SK contains a random
number of users, gateways, and sensors to improve the security of the negotiated key23.

Security vulnerabilities of the scheme16

e scheme’16 security vulnerabilities include the following:

1) Unable to meet the anonymity requirement: During the registration process, Ui sends IDi to HGWN, Sj sends
SIDj to HGWN, and HGWN sends IDhg to Ui . Attackers intercept IDi , IDhg , and SIDj in the public channel
to easily obtain the identity IDs of the user, gateway, and node. erefore, the scheme cannot guarantee
anonymity.
2) Unable to secure user parameters24: During the registration process, Ui sends {IDi , HPW,
i βi } to the HGWN.
e attacker intercepts IDi in the public channel. During the login process, Ui sends M1 = {TIDi , IDhg , SIDj ,
D0, D1, D2, D3, T1} to the HGWN. e attacker intercepts D2 in the public channel and calculates:
h(ru ||xi ) = IDi ⊕ D (1)
2
e attacker intercepts D0 and calculates:
β = D0 ⊕ h(xi ||ru ) (2)
i

K = h(IDi ||βi ) (3)

i

ei = HPWi ⊕ Ki ⊕ x (4)
i
e attacker obtains all the parameters of the user login.
3) Unable to secure user secrets xi and sensor secrets xj : During the registration process, Ui sends {IDi , HPW,i
βi } to HGWN and HGWN sends {TIDi , βi , ei , IDhg } to Ui . e attacker intercepts HPW, i IDi , βi , and ei in the
public channel and calculates:
K = h(IDi ||βi ) (5)
i

xi = HPWi ⊕ Ki ⊕ e (6)
i
e user secret xi is cracked. Attackers directly obtain sensor secret xj in the public channel.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 5

www.nature.com/scientificreports/

4) Unable to secure user private key ru: During the login process, Ui sends M1{TIDi , IDhg , SIDj , D0 , D1 , D2 , D3 ,
T1} to HGWN, and the attacker intercepts D1 in the public channel and can crack xi by point (3) above and
calculates:
ru = D 1 ⊕ x (7)
i
e user private key ru is cracked.
5) Unable to secure gateway private key rhg and sensor private key rs : During the registration process, HGWN
sends {xj } to Sj . e attacker intercepts xj in the public channel. During the authentication process, the HGWN
sends M2 ={D0, D4, D5, D6 , T2 } to Sj and Sj sends M3 ={D7 , D8 , T3 } to the HGWN. e attacker intercepts D4 ,
D7, T2, T4 in the public channel and can crack25:
rhg = D 4 ⊕ h(x j||T 2) (8)
e attacker crack:
rs = D7 ⊕ h(xj ||rhg ||T4 ) (9)
6) Unable to achieve secure two-way authentication: According to Points (2), (3), and (4) above, the attacker
cracks xi , ru , Ki , During the registration process, Ui sends {IDi , HPW,i βi } to the HGWN, and during the login
process, Ui sends M1 ={TIDi, IDhg, SIDj , D0 , D1 , D2 , D3 , T1 } to the HGWN. e attacker intercepts TIDi , IDi ,
SIDj , T1 in the public channel, and by calculating D3 = h(TIDi ‖IDi ‖SIDj ‖ru ‖xi ‖Ki ‖T1 ) can crack D3 , so the
gateway authentication user algorithm is cracked. During registration, HGWN sends {xj } to Sj , during login,
Ui sends M1 = {TIDi , IDhg , SIDj , D0 , D1 , D2 , D3 , T1 } to HGWN, and during authentication, HGWN sends
M2 ={D0, D4, D5 , D6 , T2 } to Sj . According to Points (4) and (5) above, the attacker cracks ur , hg
r and intercepts
SIDj , IDhg , xj , T2 in the public channel; D6 can be cracked by calculating:
D6 = h(SIDj ||IDhg ||ru ||rhg||x j||T 2) (10)
e sensor authentication gateway algorithm is cracked.
7) Unable to negotiate a secure session key: e negotiated key is SKs = h(ru ‖rhg ‖rs ‖IDhg ). During the login
process, Ui sends M1 ={TIDi , IDhg , SIDj , D0 , D1 , D2 , D3 , T1 } to HGWN. According to Points (4) and (5) above,
the attacker breaks ru, rhg, rs and intercepts IDhg in the public channel, which can crack:
SKs = h(ru ||rhg ||rs ||IDhg) (11)
e scheme cannot negotiate a secure session key, and it has forward security problems.
8) Unable to resist MITT attacks: e attacker records all M1 ={TIDi , IDhg , SIDj , D0 , D1 , D2 , D3 , T1 } sent to the
GWN, all M2 ={D 4, D 5, D 6, T2} sent to Sj , and all xj sent to Sj by the gateway, and then calculates:
r∗hg = D ⊕ h(x∗j ||T2 ) (12)
4

r∗u = D ⊕ h(rhg
∗
||xj∗ ||T2 ) (13)
5

For each group M1, the attacker calculates:

x∗i = r∗u ⊕ D (14)
1

βi∗ = D 0 ⊕ h(x ∗i ||r ∗u) (15)

ID∗i = D ⊕ h(r∗u ||x∗i ) (16)

2

Ki∗ = h(ID i∗||β i∗) (17)

Whether D3 = h(TIDi ‖IDi ‖SIDj ‖ru ‖xi ‖Ki ‖T1 ) is equal to D3 is verified. If equal, the attacker can determine
* * * * *

user Ui with its corresponding Sj and obtain the values of the parameters ru, xi , and so on. e attacker starts a
new session with user Ui , selects rhg , rs , and TIDi ′, and calculates:
SKhg = h(ru ||rhg||rs ||IDhg) (18)

D = r s ⊕ h(xi ||ru ) (19)

9

D10 = rhg ⊕ h(r u||x )i (20)

x′i = h(TID′i ||x hg) ⊕ Rh (21)

D11 = TID ′i ⊕ h(x i||ID ||r

i )u (22)

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 6

www.nature.com/scientificreports/

D12 = x ′i ⊕ h(TID ′i||x )i (23)

′ ′
D13 = h(SKhg||x ||TID
i ||K
i ||T
i )4 (24)
e attacker sends M4 = {D9, D , D , D , D , T4 } to Ui . Ui calculates:
10 11 12 13
r ∗s = D ⊕ h(xi ||ru ) (25)
9

r ∗hg = D10 ⊕ h(r u||x i) (26)

SK∗u = h(ru ||r ∗hg||r ∗s||ID hg ) (27)

TID′∗
i = D11 ⊕ h(x i||ID ||r
i )u (28)

xi′∗ = D12 ⊕ h(TID i′∗||x )i (29)

Ui verifies whether D 13* = h(SKhg*‖x′*‖TID i′*‖K i‖T 4) is equal to D 13. If equal, according to the rule, the user
accepts this SK as the agreement key and the attacker successfully implements the MITT attack.

The proposed scheme

In this section, an ECC-based three-factor authentication and key agreement scheme for WSNs is proposed, the
improvement measures of the scheme are introduced, and then a specific implementation scheme, including
system initialization, node registration, user registration, two-way authentication and key agreement, pass-
word update, and smart card logout, is proposed17. e proposed scheme operates under the following security
assumptions:

1) e gateway is securely impenetrable and has unlimited computation, storage, and communication capabili-
ties.
2) e WSN network is a bidirectional channel, and nodes can communicate normally.
3) e WSN network employs asymmetric encryption, meaning it utilizes both public and private keys.
4) Upon successful completion of the key agreement in the WSN network, the user and the sensor node can
establish communication using the session key.

Scheme improvement measures

1) e authentication scheme is designed using an ECC key agreement protocol to ensure the forward security
of the scheme.
2) e user ID is replaced by the user identifier TID aſter the hashing operation, all IDs are forbidden to be sent
explicitly, and no direct XOR calculation can be performed to ensure the anonymity of the scheme.
3) Random numbers ru and rs are forbidden to be sent in clear text, and no direct XOR calculation can be
performed to ensure secure two-way authentication and key agreement and resist MITT attacks26.
4) More complex parameters are selected to improve the security of the session key.
5) e relevant parameters in the SC card are updated aſter two-way authentication and key agreement to ensure
that the scheme is resistant to internal attacks27.

Specific implementation plan

1) System Initialization
At the very beginning, the system needs to be initialized. GWN selects E(Fp), P, h(.) and the secret value
KG, publicly release E(Fp), P, h(.), save KG .
2) Node Registration
Aſter the system is initialized, the node can start registering. Node Sj applies for registration to the GWN,
which selects the unique SIDj of the node, calculates xj = h(SIDj ‖KG ), and writes {SIDj , xj } to node Sj .
3) User Registration
Aſter the system is initialized, the user can start registering. e user registration process is shown in Fig. 1.
• Step R1: User Ui inputs ID i , PWi , BIOi , chooses random number ri ∈ Zp *, calculates Ri = ri ·P,
Gen(BIOi)=(αi , βi ), TIDi = h(IDi ‖αi ‖ri ), HPWi = h(PW‖α
i i ), and Ui sends {TIDi , HPW,
i Ri } to GWN.
• Step R2: e gateway GWN chooses a random number rg ∈ Zp* and calculates Rg = rg·P. Aſter the GWN
receives the Ui message, it calculates xi = h(TIDi ‖KG ), Ki = h(TIDi ‖HPW), i Rig = rg ·Ri , ei = xi ⊕ Rig ⊕ Ki , sets
the number of logins List=0, saves {TIDi , HPW,i List= 0}. Write {R g, e i} to smart card SCi and issue to Ui .
• Step R3: User Ui receives the smart card SCi , calculates Ki = h(TIDi ‖HPW), i R ig = r i·Rg, xi = ei ⊕ Rig ⊕ Ki ,
B1 = h(IDi ‖αi ‖PW)i ⊕ r i, B2 = h(HPW‖ID
i i‖α i‖r i)mod n 0, and writes {B1, B2, βi } to the smart card SCi .

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 7

www.nature.com/scientificreports/

Figure 1. Registration phase.

Figure 2. e authentication and key agreement phase 1.

4) Authentication and Key Agreement

Aſter node and user registration is complete, the user, GWN, and node can start authentication and key
agreement. Figures 2 and 3 shows the authentication and key agreement phase.
• Step A1: User Ui inputs ID i, PW i , BIOi , smart card SCi calculates αi * = Rep(BIO i , β i ),
r i* = B 1 ⊕ h(ID i ‖αi*‖PWi ), HPWi * = h(PWi ‖αi *), B2 * = h(HPWi *‖IDi ‖αi *‖ri *)mod n0 , SCi verifies
whether B2* is equal to B 2 and continues it is; otherwise, terminate. User U i chooses a random num-
ber ru ∈ Zp * and calculates Ru = ru ·P, Rig = ri ·Rg , Ki = h(TIDi ‖HPWi ), xi = ie ⊕ R ig ⊕ iK , TID i
′
i ‖α
= h(ID i ‖
ru), Cu = h(Ru ‖xi ′), D0 = ru ·Rg , D1 = h(D0 ‖TIDi ‖HPWi ), D2 = TIDi ′ ⊕ (D 1 ‖x
i ), choose time 1T , calculate
D3 = h(TIDi ′‖D0‖xi ‖Ki ‖T1 ). Ui sends {Ru , D2 , D3 , TIDi , T1 } to the GWN.
• Step A2: e gateway GWN receives the message and selects T2 , verifies whether |T2 − T1 | is less than or
equal to △T and continues if it is, otherwise terminates. e GWN calculates D0 * = rg ·Ru , xi = h(TIDi ‖KG ),
D1* = h(D0*‖TIDi ‖HPW), i TID i = D2 ⊕ (D1 ‖xi ), Ki = h(TIDi ‖HPW),
′* *
i D3 = h(TIDi ‖D0 ‖xi ‖Ki ‖T1 ), verifies
* ′* *

whether D3* is equal to D 3 and continues if it is, List plus one; otherwise, it is terminated. GWN calcu-
lates xi ′* = h(TIDi ′*‖KG ), Cu * = h(Ru ‖xi ′*), D4 = rg ⊕ h(SIDj ‖xj ‖T2 ), D5 = Cu ⊕ h(rg ‖xj ), D6 = TIDi ′ ⊕ h(SID j ‖r
g ),
D7 = h(TIDi ′‖SIDj ‖Cu ‖rg ‖xj ‖T2 ), and the GWN sends {Ru , Rg , D4 , D5 , D6 , D7 , T2 } to Sj .
• Step A3: e sensor Sj receives the message and selects T3, verifies whether |T3 − T2 | is less than or
equal to △T and continues it is; otherwise, it is terminated. Sj selects a random number r s ∈ Zp *, cal-
culates Rs = rs·P, rg* = D4 ⊕ h(SIDj ‖xj ‖T2 ), Cu * = D5 ⊕ h(rg *‖xj ), TIDi ’* = D6 ⊕ h(SIDj ‖rg *), D7 * = h(TIDi ′*‖SI

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 8

www.nature.com/scientificreports/

Figure 3. e authentication and key agreement phase 2.

Dj ‖Cu *‖rg*‖xj‖T2), verifies whether D7 * is equal to D7 and continues if it is; otherwise, it is terminated.
Cs = h(Rs ‖xj ), Rsu = rs ·Ru , SKs = h(SIDj ‖rg ‖Rsu ‖Cu ‖Cs ‖TIDi ′), D8 = rs ·Rg , D9 = h(SIDj ‖rg ‖D8 ‖xj ‖Cs ‖T3 ),
D10 = h(SIDj ‖SKs ‖rg ‖TIDi ′) is calculated, and Sj sends {Rs , D9 , D , T3 } to the GWN.
• Step A4: e gateway GWN receives the message and selects T104, verifies whether |T4 − T3 | is less than
or equal to △T and continues if it is; otherwise, it is terminated. e GWN calculates Cs * = h(Rs ‖xj ),
D8* = rg·Rs , D9 * = h(SIDj ‖rg ‖D8 *‖xj ‖Cs *‖T3 ), verifies whether D9 * is equal to D9 and continues if it is;
otherwise, it is terminated. D11 = rg ⊕ h(D0 ‖xi ′‖T4 ), D12 = Cs ⊕ h(xi ′‖rg ), D13 = SIDj ⊕ h(D12 ‖xi ′‖rg ),
Ki ′ = h(TIDi ′‖HPW), i e i = xi ⊕ Rug ⊕ Ki , D14 = h(TIDi ‖xi ‖Ki ‖rg ‖Cs ‖SIDj ‖D0 ‖T4 ) is calculated and {TID
′ ′ ′ ′ ′ ′
i ,
′

Ki , List} is updated, and the GWN sends {Rs , ei , D10 , D11 , D12 , D13 , D14 , T4 } to Ui .
′ ′

• Step A5: User Ui receives the message and selects T5 , verifies whether |T5 − T4 | is less than or equal to
△T and continues it is; otherwise, it is terminated. Ui calculates Ki ′ = h(TIDi ′‖HPW), i xi = ei ⊕ R ⊕ Ki ,
′* ′ ′

Cu* = h(Ru‖x i′*), rg* = D 11 ⊕ h(D 0‖x i′*‖T 4), Cs* = D 12 ⊕ h(x i′*‖r g*), SID j* = D 13 ⊕ h(D 12‖x i′*‖rg*), D 14* =ugh(TID
′
‖xi ′*‖Ki ′‖rg *‖Cs*‖SID j*‖D0‖T4), verifies whether D * is equal to D and continues if equal; otherwise,i
it is terminated. Rus = ru·Rs , SKu = h(SIDj ‖rg ‖Rus ‖Cu ‖C 14 s ‖TIDi ′), D10 * 14
= h(SIDj ‖SKu ‖rg ‖TIDi ′) is calculated,
whether D10 is equal to D10 is verified, and it continues if it is; otherwise, it is terminated. is com-
*

pletes the two-way authentication and negotiates the session key SK for user Ui and sensor Sj . Finally,
Ui calculates B1′ = h(IDi ‖αi ‖PW)i ⊕ r u, B 2′ = h(HPW‖ID i i‖α i‖r u)mod n 0 with B 1 , B 2 , e i replacing B 1, B 2, e
′ ′ ′

within the smart card SCi . i

5) Password Update.
Users can also perform a password update at any time aſter completing the authentication and key agree-
ment. e password update process is shown in Fig. 4.
• Step P1: User Ui inputs ID i, PW i , BIO i , smart card SC i calculates α i * = Rep(BIO i,β i),
ru* = B1 ⊕ h(IDi ‖αi *‖PWi ), HPWi * = h(PWi ‖αi *), B2 * = h(HPWi *‖IDi *‖αi *‖ru *)mod n0 , verifies whether
B2* is equal to B 2 and continues if it is; otherwise, it is terminated. SC i calculates TID i = h(IDi ‖αi ‖ru ),
Ki = h(TIDi ‖HPW), i R ug = r u·R g, x i = e i ⊕ R ug ⊕ K i.
• Step P2: User Ui enters the new password PWinew, smart card SC icalculates HPW new i = h(PW i ‖α ),i
new

K i = h ( T I D i‖ H P W i ) , e i = R ug⊕ K i ⊕ x , i B 1 = h ( I D i‖ α i‖ P W i ) ⊕ r u,
new new new new new new

B2new = h(HPWinew‖ID ‖α i i‖r u)mod n 0, replacing B 1,B 2,e i in smart card SC i with B 1 , B 2 , e i , and the
new new new

password update is completed.

6) Smart Card Logout
Smart Card Logout can be performed when the user’s Smart Card is no longer in use. e smart card
logout process is shown in Fig. 5.
• Step S1: User Ui inputs IDi , PWi , BIOi , calculates αi * = Rep(BIOi ,βi ), ru * = B1 ⊕ h(IDi ‖αi *‖PWi ),
HPWi* = h(PW‖α i), B 2 = h(HPW ‖ID ‖α i‖r u)mod n ,0 verifies whether B 2 is equal to B 2and continues
* * * * * *
i i i
if it is; otherwise, it is terminated. Ki = h(TIDi ‖HPW), i R ug = r u·R g, x i = e i ⊕ R ug ⊕ Ki is calculated, time T
is chosen, Lo = xi ⊕ h(Ki ‖T1 ) is calculated, and Ui sends {TIDi , Lo , T1 } to the GWN. 1
• Step S2: e gateway GWN receives the message and selects T2 , verifies whether |T2 − T1 | is less than or
equal to △T and continues if it is; otherwise, it is terminated. e GWN calculates Ki ′ = h(TIDi ‖HPW), i
xi * = Lo ⊕ h(Ki ′‖T1 ), xi = h(TIDi ‖KG ), verifies whether xi * is equal to xi and continues if it is; otherwise,

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 9

www.nature.com/scientificreports/

Figure 4. Password update.

Figure 5. Smart card logout.

it is terminated. Finally, the messages associated with Ui{TIDi , HPW,i List} are deleted, and smart card
revocation is completed.

Security analysis
is section provides a formal security analysis of the scheme using BAN logic. e informal security analysis is
performed through Propositions 1 to 11 for a variety of known attacks. e security analysis proves the correct-
ness of the scheme; it can resist various security attacks and has high security characteristics28.

Formal analysis based on BAN logic

Next, BAN logic is used to demonstrate the security of the scheme.

1) Goals SK SK
G1: Sj | ≡ Ui ↔ Sj G2: Sj |≡ Ui | ≡ Ui ↔ S
G3:Ui | ≡ Sj ↔ Ui G4:Ui ꢀ ≡ Sj ꢀ
SK SK j
ꢀ ꢀ≡ Sj ↔ U
2) Idealized Forms i
M1:Ui → GWN : Ru , D2 , T1 , TIDi , < TIDi ′ , D0 , ik >
′
M2: GWN → Sj : Ru , Rg , D4 , D5 , D 6 ,T2 , < TID x
i , iU i| ≡ uC g, r x>j
M3: Sj → GWN : Rs , D10 , T3 , < D8 , gr , jS | ≡ sC >xj
M4: GWN → Ui : ei′ , Rs , D10 , D11 , D12 , D13 , 4T , < TID
′ ′
i ,i x ,0D g, r j, S | ≡s C ′>
3) Assumptions x xj
k
i
A1: GWN| ≡ Ui ↔i GWN A2: Sj | ≡ GWN ↔ S
j

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 10

www.nature.com/scientificreports/

x k′
A3: GWN| ≡ Sj ↔j GWN A4:U | ≡ GWN ↔i U i
A5: GWN| ≡ #(Cu ) A6: Sj | ≡ #ꢀ rg ꢁ
A7: GWN| ≡ #(Cs ) A8:Ui | ≡ #i rg ꢁ
ꢀ
A9: GWN|≡ U | ⇒< D3 > A10: Sj |≡ GWN| ⇒< D7 >
A11: GWNꢀ ꢀ≡ Si jꢀ
ꢀ⇒< D 9 > A12:U |≡ i GWN| ⇒< D 14 >
A13: Sj | ≡ #(Cu ) A14:Ui | ≡ #(Cs )
SK
A15: Sj |≡ Ui | ∼ Ui ↔ S A16:Ui ꢀ
ꢀ≡ Sj ꢀ
SK
∼Ui ↔ S
ꢀ
4) Main Proofs j j
From M1, they can get S1: GWN⊳ < D3 > x .
From S1, A1, R1, they can get S2: GWN|≡ U i
i | ∼< D3 >.
From A5, R4, they can get S3: GWN| ≡ #(< D3 >).
From S2, S3, R2, they can get S4: GWN|≡ Ui | ≡< D3 >.
From S4, A9, R3, they can get S5: GWN| ≡< D3 >.
From M2, they can get S6: Sj ⊳ < D7 > x .
j
From S6, A2, R1, they can get S7: Sj |≡ GWN|∼ < D7 >.
From A6, R4, they can get S8: Sj | ≡ #(< D7 >).
From S7, S8, R2, they can get S9: Sj |≡ GWN| ≡< D7 >.
From S9, A10, R3, they can get S10: Sj | ≡< D7 >.
From S10, R5, they can get S11: Sj |≡ Ui | ≡ Cu .
ꢀ ′ꢁ
SK = h SIDj ||r g||R su||C u||C ||TID
s
.i
SK
From S11, A13, SK, R6, they can get S12: Sj | ≡ Ui ↔ S , they have achieved G1.
j SK
From S12, A13, A15, R2, R4, they can get S13: Sj |≡ Ui | ≡ Ui ↔ S , they have achieved G2.
From M3, they can get S14: GWN⊳ < D9 > j . x j

From S14, A3, R1, they can get S15: GWNꢀ ꢀ ꢀ

≡ Sj ꢀ∼ < D9 >.
From A7, R4, they can get S16: GWN| ≡ #(< D9 >).
From S15, S16, R2, they can get S17: GWNꢀ ꢀ≡ Sj ꢀ
ꢀ≡< D9 >.

From M4, they can get S19:Ui ⊳ < D14 >k′ .

From S17, A11, R3, they can get S18: GWN| ≡< D 9 >.
i
From S19, A4, R1, they can get S20: Ui |≡ GWN|∼ < D14 >.
From A8, R4, they can get S21: Ui | ≡ #(< D14 >).
From S20, S21, R2, they can get S22: Ui |≡ GWN| ≡< D14 >.
From S22, A12, R3, they can get S23: Ui | ≡< D14 >.
From S23, R5, they can get S24: Ui ꢀꢀ ≡ Sj ꢀꢀ≡ Cs.
ꢀ ′ꢁ
SK = h SIDj ||r g||R us||C u||C ||TID
s
.i
From S24, A14, SK, R6, they can get S25: Ui | ≡ Sj ↔SK iU , they have achieved G3.
From S25, A14, A16, R2, R4, they can get S26:Ui | ≡ Sj | ≡ Sj ↔SK iU , they have achieved G4.

In summary, according to the BAN logic rules, the security objectives G1 to G4 of this scheme have been
achieved, and the security of the scheme has been proven.

Formal analysis based on the random oracle model

Theorem 1 In a scenario where an adversary attacker (A) operates within probabilistic polyno-
mial time (PPT) against a protocol (P) in a random oracle, A is allowed to make up to qs Send
∗ k
(ꢀ , m) queries, qe Execute (ꢀiꢀꢀ
, , ) queries,
j and qh oracle queries. Let D denote the pass-
I U GWN S
word space, which follows a Zipf distribution with parameters C′ and s′16. Additionally, l repre-
sents the output length of the hash function and AKE represents authenticated key agree-
ment. In the context of the random oracle model, the probability P of A successfully
compromising the protocol in PPT is defined as follows:

ꢂ qs + q ꢃ2
AKE ꢀqs1 ′ s′
q
s ꢁ q
s q2h e

AdvP (A) = 2|Pr[S 4]−Pr[S 0]| ≤ max 2lα − , 2C qs , 2l−1 + 2l−1

+ + (30)
2l p− 1
Proof: e scheme is divided into five games, labelled Gi (i =1, 2, 3, 4, 5). In each game, there is a condition
denoted as Si , indicating that A successfully predicts a bit b before advancing in the game.
G0: It mimics a real attack in the random oracle model, where A has full access to all oracles. Hence,
AdvAP KE(A) = 2Pr[S0 ] − 1 (31)

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 11

www.nature.com/scientificreports/

Figure 6. Define the channels, variables, constants, operations and events.

G1: In G1 , A conducts a passive attack, intercepting messages through the Excute(*) query and attempting to
guess the output of the Test (ꢀ j
S ) query. However, the impossibility of deducing SK= h(SIDj ‖rg ‖Rus ‖Cu ‖Cs ‖TIDi )
′

means that A’s advantage in a successful attack does not increase. Hence,
Pr[S ] = Pr[S0] (32)
1
G2: A is allowed to make Send (ꢀ∗ , m) and H queries to persuade the legitimate communicator with forged
I
messages. e simulation concludes only if A manages to discover collisions and successfully constructs con-
vincing messages. e probabilities of their occurrence, based on the birthday paradox29, are (q2h/2l+1) and
((qs + qe)2/2(p-1)). Hence,
q2h (qs + qe )2
|Pr[S ] − Pr[S1]| ≤ + (33)
2 2l+1 2(p − 1)
G3: is game is distinct from the earlier games because if A successfully guesses the correct authentication
Factors D3, D7, D9 , and D14 . e simulation concludes if H queries are not utilized. It is identical to the previous
games in all aspects, except for situations where correct authentication is refused. Hence,
qs
|Pr[S3] − Pr[S2]| ≤ (34)
2
l
G4: In this game, A can acquire more information through the Corrupt (ꢀ i
U , a) query. A successfully guesses
αi with a length of lα , with a probability of (qs /2α ). Additionally, A successfully guesses the victim’s password with
l

s′
a probability of C′qs .  e likelihood of A guessing the correct xi is (qs /2l). Hence,
ꢀqs qs ꢁ
|Pr[S ] − Pr[S3]| ≤ max l , C′qs′s , 2l (35)
4 2α

1
Pr[S4 ] = (36)
2
Based on Eqs. (31) to (36), they can infer either Conclusion (30) or Conclusion (37):
ꢂ qs + q ꢃ2
AKE ꢀqs ′ s′
q
s ꢁ q
s q2h e

AdvP (A) = 2|Pr[S 4]−Pr[S ]|

0 ≤ max 1 , 2C qs , + + + (37)
2lα − 2l−1 2l−1 2l p− 1

Formal security verification via ProVerif30

is section presents the formal security verification of the proposed scheme by using the Pi calculus-based simu-
lation tool ProVerif. To date, ProVerif has been used to verify many protocols and demonstrate their correctness

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 12

www.nature.com/scientificreports/

Figure 7. e process of Ui.

Figure 8. e process of GWN.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 13

www.nature.com/scientificreports/

Figure 9. e process of Sj.

Figure 10. Define the queries and simulate the scheme.

Figure 11. Outputs of the Proverif verification.

and robust properties, so ProVerif is used in this study to rectify the secrecy and authentication properties of
the focal protocol.
e channels, variables, constants, operations and events are defined as shown in Fig. 6:
According to the proposed scheme execution, they define the process of Ui as shown in Fig. 7:
e process of GWN is modeled as shown in Fig. 8:
e process of Sj is modeled as shown in Fig. 9:
e queries are defined and the whole scheme is simulated as executing in parallel as shown in Fig. 10:
e outputs of the ProVerif verification is shown in Fig. 11:
Results (1) and (2) indicate the secrecy of the proposed scheme because of the failing query attack on session
keys SKS and SKU. Moreover, Results (3) and (4) confirm the successful mutual authentication between Ui and
Sj . In other words, the proposed scheme not only provides the secrecy of the session key, but also achieves the
authentication property by verifying the correspondence assertions in the Dolev-Yao model.

Informal analysis
is scheme can resist many common attacks and effectively address the shortcomings of existing schemes. e
proof of this is as follows:

Proposition 1 e scheme has anonymity.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 14

www.nature.com/scientificreports/

Proof All identity ID in the scheme are not transmitted in clear text in the public channel, and the identity iden-
tifiers TIDi = h(IDi ‖αi ‖ri ) and TIDi ′ = h(IDi ‖αi ‖ru ) are used to replace the ID for transmission17. Assuming that
the attacker intercepts TIDi , according to the one-way property of the hash function, the attacker cannot resolve
IDi 31. In addition, even if the attacker intercepts both TIDi and TIDi′, it is impossible to determine whether the
two parameters come from the same ID; hence, the scheme has anonymity.

Proposition 2 e scheme is resistant to registered legitimate user attacks.

Proof Suppose attacker Ua registers legitimate user ID a and calculates TID a = h(IDa‖αa‖ra). Ua registers with
gateway GWN, which calculates xa = h(TIDa ‖KG ), Ka = h(TIDa ‖HPWa ). e TIDa generated by the attacker based
on IDa is different from the TID s of other legitimate users, and the x and K generated by registering to GWN
through TIDa are also different. erefore, the scheme can resist registered legitimate user attacks by generating
new identity information TIDs , and the attacker cannot obtain messages to any other legitimate user by register-
ing a legitimate user.

Proposition 3 e scheme is resistant to smart card loss attacks and offline guessing attacks17.

Proof Suppose that a user’s smart card is lost or stolen, and the attacker obtains the card and the information
it contains, B 1 = h(IDi ‖αi ‖PWi ) ⊕ ri , B2 = h(HPW i ‖IDi ‖α
i ‖r
i )mod 0n , by differential energy attack, because B
and B2 are hash functions with one-way security. However, the attacker is unable to extract the password PW1i
of user Ui from it. Second, if the attacker wishes to obtain the user’s password PWi through offline password
guessing, he or she needs to have the biometric trait αi and the private key ri, however, the attacker is not in
possession of αi and ri , and therefore, the attacker is unable to carry out an offline password guessing attack32.
Again, B2 = h(HPW‖ID i i‖α i ‖ri )mod n0 , when n0 is taken large enough, the number of password guesses grows
exponentially and it is not feasible to obtain the password by offline guessing. Finally, the gateway records the
number of user authentication List, and it is impossible for an attacker to complete an offline guessing attack
within a limited number of guesses. erefore, the scheme resists smart card loss attacks and offline guessing
attacks by means of hash functions, biometrics, modulo arithmetic, and recording the number of authentication
times, which are infeasible regardless of whether the attacker tries to extract the password from the smart card
or crack the password through offline guessing.

Proposition 4 e scheme is resistant to spoofed user attacks.

Proof To disguise a user login gateway, the attacker needs to send {Ru , D2 , D3 , TIDi , T1 } to the gateway,
where Ru = ru ·P, TIDi ′ = h(IDi ‖αi ‖ru ), Cu = h(Ru ‖xi ′), D0 = ru ·Rg , D1 = h(D0 ‖TIDi ‖HPWi ), D2 = TID 1 ‖x
i ⊕ (D
′
i ),
D3 = h(TIDi ′‖D0‖Cu‖xi ‖Ki ‖T1 ); the attacker needs to master the user’s private key ru , identifier TIDi , password
PW,i biometric α i, secret x i, key parameters Ki , and so on, so it is clear that the attacker cannot master the above
parameters at the same time and cannot make a spoofed user attack. erefore, the scheme can resist spoofed
user attacks by setting various parameters.

Proposition 5 e scheme is resistant to internal attacks.

Proof ere is a possibility that insiders leak user information at the gateway. In the user registration stage, the
user’s registered password PWi is protected by HPWi = h(PW‖α i i), and the insider may obtain HPW.i Based on
the unidirectional nature of the hash function, the insider is unable to compute PWi by HPWi = h(PW‖α i
33
i) . In
addition, HPWi also contains the user’s biometric αi, and the insider cannot obtain αi to guess the correct PWi
by offline guessing. erefore, the scheme can resist internal attacks by setting HPW. i

Proposition 6 e scheme is resistant to tampering attacks.

Proof Suppose the attacker tampers with the message sent by the user to the gateway, and the gateway receives
the message and needs to verify whether D3 * = h(TIDi ′‖D0 *‖Cu ‖xi ‖Ki ‖T1 ) is equal to D3 . To crack D
3 , the attacker
needs to have both the user’s private key ru , identifier IDi , password PW,i secret xi, and key parameter Ki 34, etc.
e above parameters are not propagated in plaintext over the public channel, and the attacker cannot verify
them through the gateway. erefore, the scheme makes it impossible for an attacker to authenticate D3 by setting
multiple parameters. e scheme is resistant to tampering attacks.

Proposition 7 e scheme is resistant to replay attacks.

Proof A replay attack occurs when an attacker sends a packet that has been received by the target for the purpose
of spoofing the system. All the messages sent in the two-way authentication process contain the timestamp T, and
all parties need to verify whether the time difference is less than △T aſter receiving the message. If the attacker
carries out replay attacks, the replayed message can be recognized by verifying the timestamp. e scheme resists
replay attacks by adding timestamps.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 15

www.nature.com/scientificreports/

Xue et al.16 Mo et al.39 Deng et al.40 Meriam et al.6 Proposed Scheme

Year 2021 2022 2022 2022 2022
Forward security × × × × √
Resist KSSTI attacks × × × √ √
Resist internal privilege attacks √ × √ × √
Resist offline dictionary attacks √ √ √ √ √
Clock synchronization √ × √ × √
Anonymity × √ √ √ √
Resist MITM attacks × × √ √ √
Resist user registration attacks × √ √ √ √

Table 3. Comparison of security features. Remarks: √: Yes×: No.

Proposition 8 e scheme is resistant to MITT attacks.

Proof According to the challenge/response mechanism, both the user and the gateway or the sensor and the
gateway need to verify each other’s identity. According to Propositions 4 and 6, which have already been proven,
the attacker cannot disguise the user or tamper with the message, so the attacker cannot launch a MITT attack
disguised as an intermediary. e same can be proven for the communication between sensors and gateways. In
addition, timestamps and random numbers are fresh and cannot be forged by an MITT attack35. erefore, an
attacker cannot disguise him- or herself as an MITT to launch an attack. e scheme makes it impossible for the
attacker to accomplish MITT attacks by authenticating the user, gateway, and sensor.

Proposition 9 e scheme is resistant to Denning-Sacco attacks36.

Proof Suppose the attacker steals the agreement key SK= h(SIDj ‖rg ‖Rsu ‖Cu ‖Cs ‖TIDi ′). SK is the hash function’s
hash value37, and according to its one-way property, the attacker cannot obtain the parameters in SK. In addition,
the parameters in SK such as user private key ru, gateway private key rg, sensor private key rs , Cu , and Cs are not
transmitted in the public channel, and the attacker cannot complete the Denning-Sacco attack.erefore, the
scheme resists Denning-Sacco attacks by performing hash transformations on the session key SK and by making
SK have more complex parameters.

Proposition 10 e scheme has forward security.

Proof Assuming that the attacker intercepts the public keys Ru and Rs of the user and the sensor, the calculation
of SK also requires ru , rg , rs , Cu , and Cs . None of these parameters are transmitted in the public channel, and they
cannot be obtained by the attacker. An attacker trying to calculate rs and ru by Rs = rs *P and Ru = rs *P, or sr *Ru and
Rs*ru by Rs *Ru cannot do so because the above computations involve ECCDLP mathematical puzzles. erefore,
the scheme is forward-safe.

Proposition 11 e scheme enables both two-way authentication and key agreement.

Proof The scheme through D 3 = h(TIDi ′‖D0 ‖Cu ‖xi ‖Ki ‖T1 ) and D14 = h(TIDi ′‖xi ′‖Ki ′‖rg ‖Cs ‖SIDj ‖D0 ‖T4 )
achieves two-way authentication of the user and the gateway and through D7 = h(TIDi ′‖SIDj ‖Cu ‖rg ‖xj ‖T2 ) and
D9 = h(SIDj ‖rg ‖D8 ‖xj ‖Cs ‖T3 ) achieves two-way authentication of the gateway and the sensor, while the session
key SKs = h(SIDj ‖rg ‖Rsu ‖Cu ‖Cs ‖TIDi ′) = h(SIDj ‖rg ‖Rus ‖Cu ‖Cs ‖TIDi ′) = SK
u is negotiated during the authentica-
tion process.

Table 3 shows the security comparison of each scheme. It can be seen that this scheme has better security.

Efficiency analysis
e sensor nodes of WSNs have the characteristics of limited resources and low computation. In this section,
they analyze the performance of scheme in analysed from two aspects—computation overhead and communica-
tion overhead—and the scheme is proven to be suitable for resource-constrained WSNs through comparisons
with other schemes38.

Computational overhead
e computational overhead is mainly considered for recovering biometric features, point multiplication, modu-
lar exponentiation, symmetric encryption/decryption, hashing, and so forth. e computational overhead of
XOR and concatenation is very small and negligible compared to other operations. Referring to the literature15,
the computational elapsed time is shown in Table 4; the comparison of computational overheads of each scheme
is shown in Table 5.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 16

www.nature.com/scientificreports/

Notations Descriptions Time consuming (ms)

TFE Time of recover biometric features 1.989
Tecm Time of point multiplication operation 1.989
Tmm Time of Modular exponentiation operation 0.171
TE/D Time of symmetric encryption/decryption operations 0.00325
Th Time of hash operation 0.0026

Table 4. e notations, descriptions, and time consuming required for computational time.

Ui GWN Sj 合计
Xue et al.16 13Th +1TFE 18Th 6Th 37Th +1TFE
Mo et al.39 2Tecm +12Th +1TFE 10Th +1TE/D 2T +5Th +1TE/D 4T +27Th +2TFE +1TFE
ecm ecm
Deng et al.40 2Tecm +14Th +1TFE 13Th 2Tecm +7Th 4Tecm +34Th +1TFE
Meriam et al.6 4Tecm +8Th + TE/D 2T +5Th + TE/D 2T ecm+2Th 8Tecm +15Th +2TE/D
ecm
Proposed scheme 5Tecm +22Th +1TFE 4Tecm +18Th 3Tecm +8Th 12Tecm +48Th +1TFE

Table 5. Comparison of computational overhead.

From the computational time consumption in Table 4, it can be seen that the TFE and ecmT time consumption is
high, and the TFE of each scheme is similar, so the focus is on the point multiplication operation T
ecm . is scheme
uses the ECC-based key agreement scheme, and the point multiplication operation overhead is higher than that
of other schemes, but it has higher security compared to other schemes that only use hash computation or sym-
metric encryption and decryption schemes. WSNs focus on the computational overhead of resource-constrained
sensor nodes. e computational overhead of the sensor nodes is increased only once compared to schemes6,39,
and40, which also have point multiplication operations. is scheme does not put too much pressure on sensor
computation. Although the other schemes have less computational overhead, the present scheme is more effec-
tive in dealing with various security threats and is more suitable for high security systems.

Communication overhead
e communication overhead is mainly for the data lengths of identity, hash value, fuzzy extractor public data,
random numbers, timestamp, points of elliptic curve (public key), and symmetric encryption/decryption data.
To facilitate the comparison, each data length in this scheme is set uniformly. e specific values are shown in
Table 6, the comparison of communication overheads of each scheme is shown in Table 7, and the specific com-
munication overhead quantization diagrams are shown in Figs. 12 and 1341.

Notations Descriptions Length(bit)

LID Identity length 32
Lh Hash value length 160
LFE Fuzzy extractor public data length 128
Lr Random number length 128
LT Timestamp length 32
LECC Points of elliptic curve (public key) length 160
LE/D Symmetric encryption/decryption data length 128

Table 6. e notations, descriptions, and lengths required for communication data.

Ui GWN Sj Total
Xue et al.16 3LID +1LFE +6Lh +1LT 1LID +1LFE +11Lh +1LT 1LID +2Lh +1LT 5LID +2LFE +19Lh +3LT
Mo et al.39 1LID +7Lh +1LT 1LECC +1LE/D +1LFE +5Lh +3LT 1LECC +2Lh +1LT 1LID +2LECC +1LE/D +1LFE +14Lh +5LT
Deng et al.40 1LECC +5Lh 2LECC +10Lh 1LECC +2LFE 4LECC +15Lh +2LFE
Meriam et al.6 1LECC +4LE/D +3Lh +1LT 2LECC +2Lh +2LT 1LECC +1Lh +1LT 4LECC +4LE/D +6Lh +4LT
Proposed scheme 2LECC +4Lh +1LT 3LECC +10Lh +2LT 1LECC +2Lh +1LT 6LECC +16Lh +4LT

Table 7. Communication overhead comparison.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 17

www.nature.com/scientificreports/

Figure 12. Total communication overhead comparison.

Figure 13. Comparison of node communication overhead.

is scheme is based on ECC, and as the communication process needs to send each party’s public key several
times, the communication overhead is slightly higher than with other schemes. For the communication overhead
of resource-constrained sensor nodes, this scheme is the same as scheme39 and slightly higher than schemes6,16
and40, but still within the tolerance range of sensor nodes and suitable for WSNs.

Conclusions
is paper examines multifactor authentication for WSNs. First, related schemes from recent years are intro-
duced, and based on this, the scheme of Xue et al.16 is examined, with a focus on its advantages and security
vulnerabilities. en, a three-factor authentication and key agreement scheme based on ECC is proposed for
WSNs. e security of the scheme is demonstrated by the BAN logical and informal analysis, and efficiency
analysis shows that the scheme is used for resource-constrained WSNs. Overall, the proposed scheme effectively
improves the security performance of WSNs based on efficiency and has good application value. Due to the
use of ECC dot-multiplication operations, the computational energy consumption of the scheme is still higher
compared to the scheme with only hash operations; therefore, in the next step of this research, the efficiency of
the scheme needs to be further improved to guarantee security.

Data availability
e authors confirm that the data supporting the findings of this study are available within the article and its
supplementary materials.

Received: 4 September 2023; Accepted: 14 January 2024

References
1. Mishra, D. et al. Efficient authentication protocol for secure multimedia communications in IoT-enabled wireless sensor networks.
Multimed. Tools Appl. 77, 18295–18325 (2018).
2. Lee, Y. & Kim, H. Anonymous password-based authenticated key agreement scheme with non-tamper resistant smart cards. Int.
J. Secur. Appl. 9(11), 419–428 (2015).

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 18

www.nature.com/scientificreports/

3. Wu, M., Chen, J. & Wang, R. An enhanced anonymous password-based authenticated key agreement scheme with formal proof.
Int. J. Netw. Secur. 19(5), 785–793 (2017).
4. Jiang, Q. et al. An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks.
J. Netw. Comput. Appl. 76, 37–48 (2016).
5. Li, X. et al. A three-factor anonymous authentication scheme for wireless sensor networks in internet of things nvironments. J.
Netw. Comput. Appl. 103, 194–204 (2018).
6. Meriam, F., Hassan, E. G. & Ahmed, T. A lightweight ECC-based three-factor mutual authentication and key agreement protocol
for WSNs in IoT. Int. J. Adv. Comput. Sci. Appl (IJACSA) 13(6), 491–501 (2022).
7. Wu, F., Xu, L., Kumari, S. & Li, X. A privacy-preserving and provable user authentication scheme for wireless sensor networks
based on Internet of ings security. J. Ambient Intell. Humaniz. Comput. 8(1), 101–116 (2017).
8. Wu, F. et al. An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment.
J. Netw. Comput. Appl. 89, 72–85 (2016).
9. Bayat, M., Atashgah, M. B., Barari, M. & Aref, M. R. Cryptanalysis and improvement of a user authentication scheme for internet
of things using elliptic curve cryptography. Int. J. Netw. Secur. 21(6), 897–911 (2019).
10. Guo, H., Gao, Y., Xu, T., Zhang, X. & Ye, J. A secure and efficient three-factor multi-gateway authentication protocol for wireless
sensor networks. Ad Hoc Netw. 95, 101965 (2019).
11. Jung, J., Moon, J., Lee, D., Won, D. & Akkaya, K. Efficient and security enhanced anonymous authentication with key agreement
scheme in wireless sensor networks. Sensors 17(3), 644 (2017).
12. Sravani, C. et al. Secure signature-based authenticated key establishment scheme for future iot applications. IEEE Access 5, 3028–
3043 (2017).
13. Singh, M. & Mishra, D. Post-quantum secure authenticated key agreement protocol for wireless sensor networks. Telecommun.
Syst. 84(1), 101–113 (2023).
14. Azrour, M., Mabrouki, J., Guezzaz, A. & Farhaoui, Y. New enhanced authentication protocol for internet of things. Big Data Min.
Anal. 4(1), 1–9 (2021).
15. Vinoth, R., Deborah, L. J., Vijayakumar, P. & Kumar, N. Secure multifactor authenticated key agreement scheme for industrial IoT.
IEEE Internet ings J. 8(5), 3801–3811 (2021).
16. Xue, L., Huang, Q., Zhang, S., Huang, H. & Wang, W. A lightweight three-factor authentication and key agreement scheme for
multigateway WSNs in IoT. Secur. Commun. Netw. 2021, 1–15 (2021).
17. Liu, Z., Li, Z., Zhang, Q., Dong, S., Liu, J. & Zhao, Y. Two-factor authentication and key agreement schemes for smart home fin-
gerprint characteristics. Mobile Inf. Syst. (2022).
18. Srinivas, J., Mishra, D., Mukhopadhyay, S. & Kumari, S. Provably secure biometric based authentication and key agreement protocol
for wireless sensor networks. J. Ambient. Intell. Humaniz. Comput. 9, 875–895 (2018).
19. Liu, S. M., Ye, J. Y. & Wang, Y. L. Improvement and security analysis on symmetric key authentication protocol Needham-Schroeder.
Appl. Mech. Mater. 513, 1289–1293 (2014).
20. Lai, C., Ma, Y., Lu, R., Zhang, Y. & Zheng, D. A novel authentication scheme supporting multiple user access for 5g and beyond.
IEEE Trans. Depend. Secure Comput. 2022, 1–16 (2022).
21. Yang, Y., Zheng, X., Guo, W., Liu, X. & Chang, V. Privacy-preserving fusion of IoT and big data for e-health. Future Gener. Comput.
Syst. 86, 1437–1455 (2018).
22. Tyagi, P., Kumari, S., Alzahrani, B. A., Gupta, A. & Yang, M. H. An enhanced user authentication and key agreement scheme for
wireless sensor networks tailored for IoT. Sensors 22, 8793 (2022).
23. Liu, S., Li, X., Wu, F., Liao, J. & Lin, D. A novel authentication protocol with strong security for roaming service in global mobile
networks. Electronics 8(9), 939 (2019).
24. Ansari, A. A., Gera, P., Mishra, B. & Mishra, D. A secure authentication framework for WSN-based safety monitoring in coal
mines. Sādhanā 45, 1–16 (2020).
25. Chen, C. M., Liu, S., Chaudhry, S. A., Chen, Y. C. & Khan, M. A. A lightweight and robust user authentication protocol with user
anonymity for IoT-based healthcare. Comput. Model. Eng. Sci. 130(4), 307–329 (2022).
26. Chen, Y., López, L., Martínez, J. F.&Castillejo, P. A lightweight privacy protection user authentication and key agreement scheme
tailored for the internet of things environment: Lightpriauth. J. Sens. (2018).
27. Guo, J. & Du, Y. A secure three-factor anonymous roaming authentication protocol using ECC for space information networks.
Peer Peer Netw. Appl. 14(2), 898–916 (2021).
28. Sani, S. A., Dong, Y., Yeoh, P. L., Wei, B. & Vucetic, B. A lightweight security and privacy-enhancing key establishment for internet
of things applications. In2018 IEEE International Conference on Communications (ICC) (2018).
29. Boyko, V., MacKenzie, P. & Patel, S. Provably secure password-authenticated key exchange using Diffie-Hellman. In Advances
in Cryptology—EUROCRYPT 2000: International Conference on the eory and Application of Cryptographic Techniques Bruges,
Belgium, 14–18 May, 2000 Proceedings 19 156–171 (Springer, 2000).
30. Mo, J. & Chen, H. A lightweight secure user authentication and key agreement protocol for wireless sensor networks. Secur. Com-
mun. Netw. 2019, 1–17 (2019).
31. Zhou, Z., Wang, P. & Li, Z. A quadratic residue-based RFID authentication protocol with enhanced security for TMIS. J. Ambient
Intell. Humaniz. Comput. 10(9), 3603–3615 (2019).
32. Kumar, D., Grover, H. S., Kaur, D., Verma, A. & Kumar, B. An efficient anonymous user authentication and key agreement protocol
for wireless sensor networks. Int. J. Commun. Syst. 34(5), e4724 (2021).
33. Kamil, I. A. & Ogundoyin, S. O. A lightweight mutual authentication and key greement protocol for remote surgery application
in Tactile Internet environment. Comput. Commun. 170, 1–18 (2021).
34. Khalid, H., Hashim, S. J., Ahmad, S. M. S., Hashim, F. & Chaudhary, M. A. Robust multi-gateway authentication scheme for
agriculture wireless sensor network in society 5.0 smart communities. Agriculture 11(10), 1020 (2021).
35. Alharbi, M. H. & Alhazmi, O. H. User authentication scheme for internet of things using near field communication. Int. J. Reliab.
Qual. Saf. Eng. 27(5), 2040012 (2020).
36. Abbas, G., Tanveer, M., Abbas, Z. H., Waqas, M. & Baker, T. A secure remote user authentication scheme for 6LoWPAN-based
Internet of ings. Plos One 16(11), e0258279 (2021).
37. Yeh, H., Chen, T., Liu, P., Kim, T. & Wei, H. A secured authentication protocol for wireless sensor networks using elliptic curves
cryptography. Sensors 11, 4767–4779 (2011).
38. Zhang, S., Du, X. & Liu, X. An efficient and provable multifactor mutual authentication protocol for multigateway wireless sensor
networks. Secur. Commun. Netw. 2021, 1–17 (2021).
39. Mo, J., Hu, Z. & Shen, W. A provably secure three-factor authentication protocol based on chebyshev chaotic mapping for wireless
sensor network. IEEE Access 10, 12137–12152 (2022).
40. Deng, D. Research on key technologies of authentication and secret key management based on non-traditional certificates in WSN.
Univ. Electron. Sci. Technol. (2022).
41. Jo, H. R., Pak, K. S., Kim, C. H. & Zhang, I. J. Cryptanalysis and improved mutual authentication key agreement protocol using
pseudo-identity. Plos One 17(7), e0271817 (2022).

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 19

www.nature.com/scientificreports/

Acknowledgements
e author would like to thank his esteemed college leaders for their support of his scientific work and his col-
leagues Yanwu Di, Si Chen, Chaoyang Huang, Wenliang Liu, and Yan Li for their contributions to this work.
is work was supported by the research project "Research on Key Management Scheme for Clustered Wireless
Sensor Networks" (Grant Number [KYZ202203]) of Xiamen Ocean Vocational College (China).

Author contributions
W.H. independently conceived and designed the study; prepared the materials, collected and analyzed the data;
and wrote the first and final draſts of the manuscript.

Competing interests
e author declares no competing interests.

Additional information
Correspondence and requests for materials should be addressed to W.H.
Reprints and permissions information is available at www.nature.com/reprints.
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and
institutional affiliations.
Open Access is article is licensed under a Creative Commons Attribution 4.0 International
License, which permits use, sharing, adaptation, distribution and reproduction in any medium or
format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the
Creative Commons licence, and indicate if changes were made. e images or other third party material in this
article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the
material. If material is not included in the article’s Creative Commons licence and your intended use is not
permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from
the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

© e Author(s) 2024

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 20