IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 21, 1 NOVEMBER 2022 21493

An Authentication Protocol for Next Generation of Constrained IoT Systems

Samad Rostampour, Nasour Bagheri, Ygal Bendavid, Masoumeh Safkhani, Saru Kumari, and Joel J. P. C. Rodrigues, Fellow, IEEE

Abstract—With the exponential growth of connected Internet of Things (IoT) devices around the world, security protection and privacy preservation have risen to the forefront of the design and development of innovative systems and services. For low-value IoT devices that identify and track billions of goods in various industries—such as radio-frequency identification (RFID) tags—this involves multiple challenges in very constrained environments. IoT devices aim at low-cost, low-complexity infrastructure while enabling robust authentication protocols with reduced latency and energy consumption. Given these challenges, in this article, we present a new lightweight authentication protocol for IoT applications, employing an authenticated-encryption (AE) cryptosystem with associated data (AEAD). Since AEAD algorithms provide data confidentiality and message integrity simultaneously, security analysis [Real-or-Random (RoR) and Scyther] results prove the robustness of the proposed protocol against IoT threats. Furthermore, to measure the computation and communication cost, FPGA and ASIC simulations using four different AEAD candidates of the National Institute of Standards and Technology (NIST) lightweight cryptography competition are executed. The implementation results [e.g., 4744 gate equivalent (GE) and 0.87-mW power] clearly show that our novel design can be applied to a wide range of constrained IoT devices complying with low-cost, lightweight, and high-speed requirements.

Index Terms—Authentication, authenticated encryption (AE), Internet of Things (IoT), radio-frequency identification (RFID), security.

Manuscript received 16 February 2022; revised 24 May 2022; accepted 3 June 2022. Date of publication 20 June 2022; date of current version 24 October 2022. This work was supported in part by the Fundação para a Ciência e Tecnologia/Ministério da Ciência, Tecnologia e Ensino Superior (FCT/MCTES) through national funds and when applicable co-funded EU funds under Project UIDB/50008/2020, and in part by the Brazilian National Council for Scientific and Technological Development—CNPq under Grant 313036/2020-9. (Corresponding author: Saru Kumari.)
Samad Rostampour is with the Department of Computer Science, Vanier College, Montreal, QC H4L 3X9, Canada (e-mail: [email protected]).
Nasour Bagheri is with the CPS2 Laboratory, Department of Electrical Engineering, Shahid Rajaee Teacher Training University, Tehran 1678815811, Iran (e-mail: [email protected]).
Ygal Bendavid is with the AOTI Department, UQAM University, Montreal, QC H2L 2C4, Canada (e-mail: [email protected]).
Masoumeh Safkhani is with the Department of Computer Engineering, Shahid Rajaee Teacher Training University, Tehran 1678815811, Iran (e-mail: [email protected]).
Saru Kumari is with the Department of Mathematics, Chaudhary Charan Singh University, Meerut 250004, India (e-mail: [email protected]).
Joel J. P. C. Rodrigues is with the College of Computer Science and Technology, China University of Petroleum, Qingdao 266555, China, and also with the Instituto de Telecomunicações, 6201-001 Covilhã, Portugal (e-mail: [email protected]).
Digital Object Identifier 10.1109/JIOT.2022.3184293

I. INTRODUCTION

In summer 2019, five nations—including Canada and the USA (Five Eyes partners)—signed a statement of intent regarding the security of Internet of Things (IoT) network-connected devices [1], systems, and services. Given the exponential growth of these interconnected devices around the world, all participants acknowledged that, while offering immense business opportunities, many of these connected devices lack basic security features. Such vulnerabilities could potentially result in serious negative consequences, including providing profit to hackers. Acknowledging that IoT device security is a global issue, they agreed to collaborate while imposing an obligation on manufacturers to develop “built-in by design” consumer IoT devices.

In the U.S., the IoT Cybersecurity Improvement Act of 2020 [2] was recently enacted by the Senate and House of Representatives, with the intent of ensuring that all IoT devices owned or controlled by the Federal Government comply with minimum security standards issued by the National Institute of Standards and Technology (NIST) [3]. These IoT security standards, recommendations, and guidance, among others, are mapping a wider landscape of initiatives intended to secure IoT [4]. Required security measures include authorization, data protection, cryptography, secure interfaces, and network services, among others.

This article will confine itself to authentication used for identification and access management. In order to ensure confidentiality plus integrity, each IoT node accommodates two functions and two separate keys for encryption and integrity purposes, demanding more electronic resources than most highly constrained devices possess [5]. Designing low-value IoT devices, such as the billions of radio-frequency identification (RFID) tags used to identify and track goods in a range of industries, involves multiple challenges, including: 1) ensuring low-cost and low-complexity integrated circuits (IC); 2) enabling robust authentication protocols with reduced latency and energy consumption; and 3) operating in a very constrained environment.

Although the security landscape of IoT is on the move and considerable research progress has been made in security fields, there is still a need for more affordable security measures tailored to resource-constrained IoT devices [6]. On the other hand, due to the heterogeneity of IoT devices, combined with resource limitations, not all cryptographic schemes can be used, calling for new and more effective security protocols
2327-4662 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: UNIVERSITE DE MONASTIR. Downloaded on March 01,2024 at 10:57:36 UTC from IEEE Xplore. Restrictions apply.

on different parts of IoT-based systems [7]. Nonetheless, in a multilayer IoT architecture, securing the physical device layer is critical. Therefore, authentication is one of the most important parts of security, because it is the gateway through which a device enters a network, explaining the quest of the research community to design authentication protocols, break them, and redesign more reliable ones to protect the system from attacks [8]. The importance of this matter is reflected in a bibliometric analysis on IoT by Furstenau et al. [9], who identified the cluster of authentication methods as the most developed and important motor theme in IoT research, due to its performance in terms of core documents, h-index, and sum of citations. Additionally, the most cited subthemes, security and privacy, as well as RFID, have attracted a lot of attention with regard to low-cost encryption methods. Our research is in line with this call for future research toward security and optimization and goes beyond RFID, with the possibility of using our scheme with other edge computing and resource-constrained IoT devices [10].

Given these challenges, many encryption models have been developed over the years, using or combining various techniques. Among these solutions, the recent use of authenticated encryption (AE) with associated data (AEAD) schemes has emerged as a successful avenue in research on securing IoT applications [11]. NIST has initiated a lightweight cryptography initiative intended to develop a novel cryptographic algorithm suitable for use in these “small electronics” and has shown great interest in AEAD. Therefore, by initiating this “call for lightweight cryptography,” NIST is seeking a novel, creative, and standard cryptographic algorithm. This is motivated by the fact that an AEAD model can provide confidentiality and integrity simultaneously with one key, contributing to a reduction in resource requirements, which will be an essential need for the next generation of IoT devices [11].

The goal of this research article is to propose a novel lightweight authentication protocol based on AEAD encryption schemes to be used for securing highly constrained IoT devices. The proposed protocol is able to host any NIST AEAD candidate and provides an infrastructure for upcoming novel cryptographic algorithms.

In order to provide a platform for the next generation of cryptographic algorithms, our contributions are summarized as follows.
1) Our novel AEAD-based lightweight authentication protocol contributes to the latest literature on IoT security by providing confidentiality and integrity simultaneously with only one encryption key, compared with other existing protocols.
2) We prove that the proposed protocol is able to act as a chassis for all NIST candidates (as the next generation of cryptographic algorithms) by demonstrating its compatibility with a wide range of IoT platforms. This was achieved by conducting FPGA and ASIC simulations with four selected AEAD schemes while taking into account differing hardware metrics, such as energy consumption, area, and latency (via NIST-identified criteria to assess lightweight cryptographic algorithms [11]).
3) We demonstrate that our protocol is more efficient than other protocols proposed in the latest literature on IoT authentication solutions by analyzing communication and computation costs.

TABLE I
COMPARISON OF RELATED WORKS; ABBREVIATIONS USED: CM: COMMUNICATION; CP: COMPUTATION; WG: WEIGHT; MT: METHOD; AA: APPROVED ATTACK; AD: APPLICATION DOMAIN; UL: ULTRALIGHT; L: LIGHT; HV: HEAVY; PER: PERMUTATION; MIOT: MEDICAL IOT; IOD: IOT DRONE; IT: INTELLIGENT TRANSPORT; SG: SMART GRID; EDC: EDGE COMPUTING; AUTH: AUTHENTICATION; H: HASH; BC: BLOCKCHAIN; SA: SECURE ACCESS; CC: CLOUD COMPUTING

II. RELATED WORKS

Unauthorized access and confidential information leakage are extremely common issues in IoT systems. This is an important concern when designing an authentication protocol involving highly constrained devices with resource restrictions and hardware limitations [26], [27]. Thus, various research efforts have focused on the design of secure authentication protocols for constrained IoT systems in various domains. Given that the main goal of this study is to present a lightweight authentication protocol that is able to provide confidentiality and integrity simultaneously, the protocols proposed in the literature are classified into two groups. In the first group, the main objective is designing a protocol with the minimum possible weight and overheads. On the other hand, the objective of the second group is to prevent message manipulation and tampering by providing integrity along with confidentiality. Therefore, in Table I, each protocol is evaluated based on communication overhead, computation overhead, protocol weight, and the encryption method in the security module. Moreover, if an approved attack on the protocol has been reported, it is mentioned in the comparison table. It is worth noting that, because most of the protocols in the literature review were published in 2021, there has not been enough time to publish articles on their security evaluation. In Table I, the down-arrow (↓) and up-arrow (↑) show a low and a high amount of each feature. In addition, the protocol weight means the amount

ROSTAMPOUR et al.: AUTHENTICATION PROTOCOL FOR NEXT GENERATION OF CONSTRAINED IoT SYSTEMS 21495

of the hardware requirement [e.g., number of gate equivalents (GE) and electronic components], which is categorized into ultralightweight protocols, lightweight protocols, and heavy or nonlightweight protocols. The security module of heavyweight protocols accommodates more than 10K gates, lightweight protocols need less than 10K gates, and ultralightweight protocols only utilize bitwise operations, such as XOR, concatenation, and rotation [28]. The checkmark symbol (✓) indicates an approved attack already published and the times symbol (×) means that none has been published yet.

Presenting a new function based on rotation and XOR operations, Fan et al. [12] proposed an authentication protocol for IoT-based systems in medical applications. However, Aghili et al. [13] proved that this protocol was not resistant against secret disclosure attacks, providing an improved version with a new permutation function. By evaluating the Aghili protocol, Safkhani et al. [14] revealed that this protocol was also vulnerable to traceability and passive secret disclosure attacks. In fact, many ultralightweight mutual authentication protocols (UMAPs) based on bit-oriented functions have been proposed in the literature and most of them proved to be vulnerable in the year after their publication, suggesting that bitwise operations alone cannot resist all types of attacks [29].

In order to increase the security level, asymmetric cryptosystems can generally be used, but at the same time this increases the complexity and cost of the protocol. Utilization of elliptic curve cryptography (ECC) is a prevalent method in authentication protocols, and researchers have put forth some lightweight algorithms [30]. In this context, Kumar et al. suggested an ECC-based protocol for IoT systems in the smart grid named ECCAuth [15]. The authors claimed that ECCAuth establishes a secure connection among all parts of the system in order to transfer data confidentially and to protect user privacy. Yu et al. [16] revealed ECCAuth’s security flaws against masquerade, stolen device, and session key disclosure attacks.

Another group of research activities focused on providing message integrity along with confidentiality, because manipulating a message without knowing its content can still be a security threat for IoT systems. For example, in order to provide a lightweight message broadcast protocol resistant to unauthorized access and message tampering, Nakkar et al. [17], using a hybrid solution of hash and AE (i.e., encrypt-then-MAC with two keys), presented a lightweight secure authentication for IoT-based applications broadcasting smart emergency systems. With the aim of reducing the computational cost and latency, the system puts the computational load on the edge side and reduces the communication messages. Xiao et al. [18] introduced a lightweight protocol based on a block cipher algorithm that can be used in RFID applications and is compatible with electronic product code (EPC) models. While the authors claimed that their AEAD-based protocol could resist IoT threats, Trinh et al. [19] proved its vulnerability and proposed an improved protocol. After proving security flaws in the Fan and Aghili protocols, Safkhani et al. [14] also explored the usage of AEAD as a secure authentication protocol for medical IoT applications with the aim of providing an acceptable security level as well as minimum resource usage. In order to establish a secure remote connection in IoT drone applications between a drone and a control room, Tanveer et al. presented a robust and lightweight authenticated key management protocol. To guarantee message confidentiality on the wireless channel, they utilized an ECC cryptosystem along with hash functions. In addition, to avoid message manipulation and provide message integrity, they employed an AEAD algorithm. However, although the combination of these secure methods (i.e., ECC, hash, and AEAD) is able to provide an acceptable security level, this combination imposes high communication and computation overhead on the devices. Physical unclonable functions (PUF) are another method to ensure message integrity in communication protocols. PUFs have emerged as one of the most cost-effective solutions in terms of hardware because their nature is lightweight. Therefore, PUFs are suitable candidates for protecting integrity in lightweight protocols. On the other hand, because PUFs have a simple structure, the system needs another module to provide confidentiality, which could increase the computational cost. With the aim of designing a protocol resistant to physical attacks, Banerjee et al. proposed a physically secure lightweight anonymous user authentication protocol for IoT. In order to achieve a physically secure protocol, the authors utilized a PUF module. In addition, to meet confidentiality requirements, they combined hash functions and bitwise operations. However, although, based on their security analysis, the protocol is robust against various attacks, it has high communication and computation costs. Therefore, using this protocol in constrained IoT devices looks difficult. Li et al. suggested a PUF-based protocol for end-to-end mutual authentication and key exchange communications by combining a PUF module with certificateless public-key cryptography on the elliptic curve. Although this protocol, in comparison to other server-based protocols, provides better communication and computation cost, it still needs many resources and produces more overheads for highly constrained IoT devices.

Blockchain is another technology recently used in the security domain in different applications, such as authentication control and money transactions [31]. At its most basic, it can provide a collection of records that is strongly resistant against alteration and protected using cryptography and math. For instance, Bera et al. [23] proposed a blockchain-based access control protocol in IoT-enabled smart grid systems to provide a secure environment for transferring customers’ private data to utility centers. Jangirala et al. [24] also designed a blockchain-enabled authentication protocol by combining a lightweight cryptographic algorithm and bitwise functions. However, Trinh et al. [19] showed its vulnerabilities to secret disclosure and traceability attacks. Because of complex mathematics and sophisticated equations, blockchain has costly computation and implementation costs. Due to the capabilities of blockchain technology in privacy and security protection, Wang et al. [32] presented an authentication protocol for medical applications. They stated that the proposed protocol is able to protect the physical layer and centralized servers in wireless medical sensor networks. Thus, the authors utilized PUF and blockchain to address both mentioned challenges (i.e., physical layer and centralized servers). Although, because it uses a complex cryptographic method, this system


is able to provide acceptable security, in terms of the protocol’s weight and overheads it is not a good candidate for low-cost IoT devices. Zhang et al. [25] also applied a similar approach in a different subject (cloud-edge IoT systems). They introduced a privacy-aware authentication protocol for multiserver IoT systems by using PUF and blockchain technologies. This protocol needs high communication and computation loads and requires many hardware resources in comparison to other lightweight protocols. As discussed in this literature review, moving from simple authentication protocols (e.g., ultralightweight functions) to more advanced protocols (e.g., asymmetric and blockchain) increases the level of security but also raises the complexity of the hardware. Therefore, it is necessary to propose a novel protocol that can be secure and lightweight at the same time.

III. PRELIMINARIES

A. System Models

1) Authentication Model: As presented in Fig. 1, an IoT system is a multilayer infrastructure composed of: 1) an automatic identification of the “objects” layer; 2) a data capture/sensing layer; 3) a data communication layer; 4) a (local or cloud) computing platform; and 5) a data management layer where processed IoT data interact with back-end systems. Although securing each layer of any IoT-based infrastructure is equally important [33], within the context of this article, we focus on the data capture/sensing layer, where highly constrained IoT devices—such as passive UHF RFID tags—are used in an increasing number of applications and sectors. Therefore, the proposed protocol establishes a secure channel between an IoT device and an IoT reader (i.e., the two red boxes in Fig. 1).

Fig. 1. Architecture of an RFID/IoT system.

More specifically, we examine the authentication process between a tag (layer 1) and a reader (layer 2). In this case, we consider the passive UHF RFID tag as the most critical IoT node, in which case the structure of its integrated circuit (e.g., memory, tag controller and security module, and front end) must be developed in a highly constrained environment while enabling robust authentication.

2) Adversary Model: The adversary model employed to evaluate our proposed AEAD protocol follows Canetti and Krawczyk’s adversary model (CK-adversary model) [34], which is the most suitable for considering forward secrecy, over other related models such as Dolev-Yao (DY) [35]. In the CK-adversary model, the attacker is able to intercept a public channel, eavesdrop on messages, delete or modify transferred data, or inject fake packets. Moreover, if the security of a party is compromised with the disclosure of secret information, the information revealed must not cause a compromise in the secrecy of other parties [24].

B. Authenticated Encryption Cryptosystem

The fundamental objective of cryptographic techniques is to ensure secure and private information by preventing an adversary from accessing it during the communication or data storage processes. This objective is accomplished via encryption systems. However, as with any cryptosystem used to secure communication in online applications, the system becomes susceptible to adversarial attacks. An adversary can, for instance, manipulate and forward ciphertexts to the receiver. In the event that the attacks are successful, several operations will inevitably collapse, enabling the attacker to decrypt the messages entirely.

The two main objectives of information security are privacy and authentication. Numerous applications provide these security parameters simultaneously. For example, in the commonly used transport layer security (TLS), a generic technique is used, such as the Encrypt-then-MAC, Encrypt-and-MAC, and MAC-then-Encrypt strategies [36]. AE is a cryptographic system supporting both secrecy and authentication. The typical strategy for AE is to employ generic compositions. This method employs two algorithms: one for confidentiality and the other for authenticity. However, this approach is inefficient for many applications, since it necessitates two independent algorithms with two different keys, as well as separate passes over the message [37], [38]. The difficulties of generic compositions are resolved by dedicated AE algorithms. AEAD enables the system to check the validity and integrity of some nonencrypted associated data, such as routing data. The NIST-funded CAESAR competition, as well as the ongoing NIST competition for standardization of lightweight AEAD schemes—known as NIST-LWC—have sparked a great deal of interest in the cryptography world in designing specialized AEAD. The final CAESAR portfolio was organized into three use cases, namely: lightweight applications, high-performance applications, and defense-in-depth applications. For the lightweight use case, Ascon was the portfolio’s first choice for constrained environments and ACORN the second; of these, we also use Ascon in this article.


Fig. 2. Generalized structure of an authenticated encryption with associated data and Ascon as a concrete example. (a) AEAD module generic structure. (b) Encryption mode of Ascon [39]; P^a and P^b are the building permutations of Ascon.

AEAD takes a plaintext and possibly associated data of arbitrary length, upper bounded by a fixed value, a key, and a nonce, giving a ciphertext and a tag/MAC value. Its encryption and decryption functions are, respectively, as follows, where K, N, A, P, C, and MAC are the key, nonce, associated data, plaintext, ciphertext, and MAC value, respectively:

AE.E_K(N, A, P) = (C, MAC).
AE.D_K(N, A, C, MAC) = (P, ⊥).

A generalized structure of an AEAD in encryption mode is depicted in Fig. 2(a), along with the encryption mode of Ascon [39]. This scheme is generally initialized with public but ephemeral values, such as an initial value (IV) and a nonce (N), and also a preshared secret key (K), to process the associated data A = A1 ∥ · · · ∥ As followed by the plaintext P = P1 ∥ · · · ∥ Pt. The output will be the ciphertext C = C1 ∥ · · · ∥ Ct and the message integrity parameter MAC. As illustrated in Fig. 2(b), the MAC generator is a built-in component of an AEAD module that generally receives the output of the last step of the encryption process and produces the related MAC. It is worth mentioning that in this picture, 0* signifies a zero string of the required length; r and c denote the rate and capacity portions of the input to the underlying permutation, respectively, as in previous sponge-based systems [40]. Devoting a bigger fraction to c improves security but reduces efficiency, and vice versa.

The nonce value should not be repeated in most one-pass AEAD schemes, such as the one illustrated in Fig. 2; such schemes are known as nonce-respecting schemes. If the nonce is not respected in pure cryptography—where the adversary is assumed to have more flexible access to the primitives and can mount chosen-ciphertext attacks—the nonce value can also be repeated by the opponent, which may affect the security of the AEAD scheme against differential-based attacks. However, in the context of a protocol, the nonce is created at random during the protocol run, and the adversary normally does not have chosen-plaintext access to the employed AEAD. In this instance, the sole danger is mistakenly repeating a nonce, which follows the birthday bound. More precisely: if the nonce length is n, after q protocol runs the adversary’s advantage in observing a repeated nonce is q · 2^(−n/2), which is negligible in practice. As a result, it is critical to generate nonces at random during protocol construction, but it may not be a major risk to be concerned with the nonce-respecting quality of AEAD schemes, as long as we do not provide chosen-plaintext access to the adversary.

In pursuit of meeting the above-mentioned requirements and attaining acceptable cryptographic algorithms for constrained devices, as of February 2019, NIST has officially introduced a new procedure to assess and standardize lightweight cryptographic algorithms [11]. Essentially, its main focus is on evaluating design efficiency related to hardware metrics, such as energy consumption, area, and latency. Among the submitted candidates, 56 schemes were accepted in the first round, only 32 passed to the second round, and ten schemes have been announced as finalists. For this article, we have selected four candidates from the second round to demonstrate that the proposed protocol is applicable in practical environments. The selected schemes are Ascon [39], GIFT-COFB [41], ForkAE [42], and SKINNY-AEAD [43], where Ascon and GIFT-COFB are also among the finalists. So far, there is no serious known potential threat against any of these schemes, and, to be more specific, each of them belongs to a different approach to designing a specialized AEAD scheme.

IV. AEAD-BASED PROPOSED PROTOCOL

The proposed protocol leverages the advantages of AEAD encryption schemes in its design to simultaneously provide confidentiality and integrity in IoT applications. The proposed protocol consists of two phases, namely: 1) initialization and 2) authentication, which are discussed as follows. The notations used are listed in Table II.

A. Initialization Phase

In this phase, the required parameters are produced and stored in the protocol parties (i.e., tag, reader, and database). The database can be hosted in two different models: as an integrated memory with the reader or as a remote dedicated server. In Fig. 3, an integrated database is considered, although the security analysis section evaluates the two different models. Because an AEAD scheme is a symmetric cryptosystem, both sides (i.e., sender and recipient) use a shared secret key. The database assigns a tuple to each tag, including the tag’s ID (IDti), the old and new pseudonym tag IDs (IDS^old_ti, IDS^new_ti), and the old and new tag encryption keys (K^old_ti, K^new_ti). These values are also stored in the tag’s memory.

B. Authentication Phase

1) The reader generates a random number (Nr), sends a Hello message and Nr to the tag, and starts a timer (Tr).
2) After receiving Hello and Nr, the tag generates Nt randomly and uses the AEAD encryption module to encrypt


Fig. 3. Authentication and key agreement phase of the proposed protocol.

TABLE II
NOTATIONS

data. It puts Nt as the nonce, IDSti as the associated data, (Nr‖IDti‖IDSti‖Nt) as the plaintext, and Kti as the encryption key.
3) Then, it obtains {Nt, (c1‖c2‖c3‖c4), MAC} as the output of the AEAD module, where Nt is the associated data, c1, c2, c3, and c4 are the four parts of the ciphertext, and MAC is the message authentication code.
4) The tag transfers Nt‖IDSti and MAC to the reader.
5) Upon receiving the messages, the reader first checks the timer to verify the freshness of the received messages in a valid time interval.
6) Afterward, based on the received IDSti, it looks up the database and fetches the related IDti and Kti, if they exist.
7) With the retrieved data, the reader runs the AEAD function and computes AE.E_Kti(Nt, IDSti, (Nr‖IDti‖IDSti‖Nt)). Next, c1′, c2′, c3′, c4′, and MAC′ are extracted from {Nt, (c1′‖c2′‖c3′‖c4′), MAC′}.
8) The received MAC is compared to MAC′, and if the comparison is true, the tag is authenticated.
9) By using three parts of the ciphertext (c1′, c2′, c4′), the reader sets the ephemeral session key as SK = c4′, updates the tag's records as IDSti^old = IDSti, Kti^old = Kti, IDSti^new = c1′, Kti^new = c2′, and updates its database accordingly. Then, c3′ is transferred to the tag.
10) The tag checks its timer (Tr) to verify the freshness of the received data in a valid time interval. If the verification is passed, because it has already calculated c3, it only compares c3′ with c3. If the comparison holds, the reader is authenticated, and the tag sets the ephemeral session key as SK = c4 and updates IDSti = c1 and Kti = c2.

V. SECURITY ANALYSIS

A. Informal Analysis

The structure of the protocol and the messages transferred are analyzed informally against the following attacks.

Mutual Authentication: In the proposed protocol, to authenticate a tag, the reader compares the received MAC with the calculated MAC′, where {Nt, (c1′‖c2′‖c3′‖c4′), MAC′} = AE.E_Kti(Nt, IDSti, (Nr‖IDti‖IDSti‖Nt)). If the comparison holds, the tag is authenticated. Moreover, after receiving c3′, the tag verifies the timer Tr and compares c3′ with its own c3, i.e., c3′ ?= c3, to authenticate the reader. Therefore, the proposed protocol provides a mutual authentication method.
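As an added example (not the paper's or the authors' code), the following Python simulation runs the authentication phase listed above end to end: the reader issues Hello/Nr, the tag answers with Nt, IDSti and MAC, the reader recomputes MAC′ from its stored (IDti, Kti) and returns c3′, and both sides derive SK = c4 and roll IDSti/Kti; it also shows why a replayed tag message fails and how the old record kept by the reader recovers a tag that never received c3′. The NIST lightweight AEAD candidates are replaced by an Encrypt-then-MAC composition over HMAC-SHA256 (the generic-composition approach of [36]) so that only the standard library is needed; the 64-bit field widths, the 128-bit MAC, the timer window, the `Tag`/`Reader` class layout and the database record handling are assumptions made here.

```python
"""Simulation of the AEAD-based authentication and key agreement phase.
Added example, not the paper's code: the NIST lightweight AEAD candidates are
replaced by an Encrypt-then-MAC composition over HMAC-SHA256 (stdlib only);
field widths, the timer window and the record layout are assumptions."""
import hashlib
import hmac
import os
import time

FIELD = 8        # assumed 64-bit fields: Nr, Nt, IDt, IDSt, Kt and c1..c4
MAC_LEN = 16     # assumed 128-bit MAC
WINDOW_S = 2.0   # assumed freshness window for the Tr timer checks

def _h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def aead_encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes):
    """AE.E_K(nonce, AD, pt) -> (ciphertext, MAC) as Encrypt-then-MAC: keystream
    blocks HMAC(k_enc, nonce||ctr); MAC over nonce, length-prefixed AD and ct."""
    k_enc, k_mac = _h(key, b"enc"), _h(key, b"mac")
    stream = b"".join(_h(k_enc, nonce + i.to_bytes(4, "big")) for i in range((len(pt) + 31) // 32))
    ct = bytes(p ^ s for p, s in zip(pt, stream))
    return ct, _h(k_mac, len(ad).to_bytes(4, "big") + ad + nonce + ct)[:MAC_LEN]

def split4(ct: bytes):  # c1 || c2 || c3 || c4 -> (c1, c2, c3, c4)
    return tuple(ct[i * FIELD:(i + 1) * FIELD] for i in range(4))

class Tag:
    def __init__(self, id_t: bytes, ids_t: bytes, k_t: bytes):
        self.id_t, self.ids_t, self.k_t, self.sk = id_t, ids_t, k_t, None
        self._pending = None  # (timer start, (c1, c2, c3, c4)) of the open run

    def respond(self, nr: bytes):
        """Tag side: fresh Nt; encrypt Nr||IDt||IDSt||Nt under Kt with nonce Nt
        and associated data IDSt; send Nt, IDSt, MAC and keep the ciphertext."""
        nt = os.urandom(FIELD)
        ct, mac = aead_encrypt(self.k_t, nt, self.ids_t, nr + self.id_t + self.ids_t + nt)
        self._pending = (time.monotonic(), split4(ct))
        return nt, self.ids_t, mac

    def verify_reader(self, c3_recv: bytes) -> bool:
        """Tag side: timer check and c3' == c3, then SK = c4, IDSt = c1, Kt = c2."""
        if self._pending is None:
            return False
        started, (c1, c2, c3, c4) = self._pending
        self._pending = None
        if time.monotonic() - started > WINDOW_S or not hmac.compare_digest(c3_recv, c3):
            return False
        self.sk, self.ids_t, self.k_t = c4, c1, c2
        return True

class Reader:
    def __init__(self, tags):
        self.db = {t.ids_t: (t.id_t, t.k_t) for t in tags}  # IDSt -> (IDt, Kt)
        self.sk, self._session = None, None  # _session = (Nr, timer start)

    def hello(self) -> bytes:
        """Reader side: random Nr and timer Tr."""
        nr = os.urandom(FIELD)
        self._session = (nr, time.monotonic())
        return nr

    def verify_tag(self, nt: bytes, ids: bytes, mac: bytes):
        """Reader side: freshness, lookup by IDSt, recompute the AEAD output, compare
        MAC', set SK = c4', add the (c1', c2') record beside the old one, return c3'."""
        if self._session is None:
            return None
        nr, started = self._session
        self._session = None
        if time.monotonic() - started > WINDOW_S or ids not in self.db:
            return None
        id_t, k_t = self.db[ids]
        ct, mac_p = aead_encrypt(k_t, nt, ids, nr + id_t + ids + nt)
        if not hmac.compare_digest(mac, mac_p):
            return None  # wrong key, stale Nr (replay) or forged message
        c1, c2, c3, c4 = split4(ct)
        self.sk = c4
        self.db[c1] = (id_t, c2)  # new record; old record kept for a desynchronised tag
        return c3

def run_session(tag: Tag, reader: Reader) -> bool:
    """One complete run; True when both sides authenticate and agree on SK."""
    nt, ids, mac = tag.respond(reader.hello())
    c3 = reader.verify_tag(nt, ids, mac)
    return c3 is not None and tag.verify_reader(c3) and tag.sk == reader.sk

def replay_is_rejected(tag: Tag, reader: Reader) -> bool:
    """A captured (Nt, IDSt, MAC) replayed against a later Hello fails: MAC' is
    recomputed over the reader's fresh Nr, not the Nr in the stored message."""
    captured = tag.respond(reader.hello())
    reader.hello()  # new run, new Nr
    return reader.verify_tag(*captured) is None

def desync_then_recover(tag: Tag, reader: Reader) -> bool:
    """c3' is lost in transit: the reader rolled its records but the tag did not;
    the old record kept by the reader lets the next run succeed with the old IDSt."""
    if reader.verify_tag(*tag.respond(reader.hello())) is None:
        return False
    return run_session(tag, reader)
```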


Replay Attack: In order to perform a replay attack without knowing the content of the message, the adversary must: 1) store the data being exchanged via the channel and subsequently 2) send the stored messages either to the tag or to the reader as a valid response. Should the adversary replay the stored data IDSti, Nt, and MAC to the reader, he will only pass the first step, i.e., IDSti will be found in the database. However, by examining MAC in {Nt, (c1‖c2‖c3‖c4), MAC} = AE.E_Kti(Nt, IDSti, (Nr‖IDti‖IDSti‖Nt)), we find that this comparison cannot succeed, since the Nr employed in the stored message is not fresh and is unequal to the reader's current value. We can therefore ascertain that the protocol is fully resistant against replay attacks.

Secret Disclosure Attack: This type of attack occurs when sensitive or confidential information, such as encryption keys or identification numbers, cannot be protected by the tag or the reader against unauthorized users. Within the proposed protocol, Kti and IDti are the key confidential and important parameters of the tag. Therefore, if an attacker gains access to or is able to disclose these parameters, he may be able to gain access to the system. In view of the fact that on public channels all transferred messages are encrypted by an AEAD module, and given that essential parameters are not transmitted as cleartext, it is infeasible for an attacker to discover useful information on confidential values when eavesdropping on transferred packets. Thus, the proposed protocol is not vulnerable to secret disclosure attacks.

Traceability and Anonymity: For this type of attack, the adversary requires a fixed and instant value in order to detect a tag. In our proposed protocol, the tag transfers MAC, Nt, and IDSti, so that MAC is randomized by Nt and Nr, and IDSti is updated after each successful session. While IDSti is constant between successful sessions and may be used to trace a tag in that interval, it cannot be used for traceability attacks after a successful session. It should be noted that IDSti is employed in the proposed AEAD protocol to provide scalability. Consequently, regardless of the number of tags it reads, the reader can locate the related tag within its database in constant time. Assuming a tag has completed a successful session and receives a new "Hello" message with a fresh Nr, if it generates a new Nt and calculates a new AEAD message and MAC, the attacker will be unable to find similarities amongst the various messages from a tag. Therefore, the protocol is robust against traceability attacks. Furthermore, it is also possible to hide IDSti in the message sent by the tag. Then, even if the tag has not participated in a successful session, the tag will nonetheless be untraceable to the adversary. In this case, however, the reader must conduct an exhaustive search to locate the target tag in its database, which is not scalable.

Back-End Channel Security: Two models can be adopted for the back-end channel between the server and the reader. The channel can be considered either public or private; in the latter case, it would be inaccessible to the adversary. Since commercial off-the-shelf (COTS) handheld readers (e.g., ZEBRA MC3390 RFID series mobile computers or Honeywell/Intermec IP 30 readers) are equipped with high-performance hardware components and the latest Android operating system, all encryption algorithms are supported. These readers can, in addition, be used for secure communications, since they are able to establish virtual private network (VPN) connections and support all encryption algorithms. Thus, by following our protocol, the transferred messages are fully protected and the protocol remains secure over a public channel between the server and the reader. Finally, there is no significant impact on the security of our AEAD protocol whether the database server is local or cloud based.

Ephemeral-Secret-Leakage Security: In an ephemeral secret leakage (ESL) attack under the CK-adversary model [34], it is assumed that the session-dependent ephemeral values are leaked, and the adversary should not be able to derive the session key SK, other ephemeral session keys, or long-term secrets. In the proposed protocol, {Nt, (c1‖c2‖c3‖c4), MAC} = AE.E_Kti(Nt, IDSti, (Nr‖IDti‖IDSti‖Nt)) is computed and, after verification of the received MAC, the ephemeral session key is set to SK = c4. Given that the session key is generated using both session-dependent nonces, i.e., Nt and Nr, the semipermanent value Kti, and the long-term secret value IDti, the adversary is not able to retrieve the current or the previous ephemeral values, i.e., Nt and Nr. In addition, even if SK leaks, the adversary's advantage equals the advantage extracted from the public c3. As a result, revealing an ephemeral session key has no effect on the master key Kti or on other ephemeral session keys. Thus, the proposed protocol is secure against the ESL attack.

B. Formal Analysis

1) Formal Security Evaluation in the Real-or-Random Oracle Model: A system has provable security in cryptography if its security objectives can be articulated formally in an adversarial model, rather than heuristically, with unambiguous assumptions that the adversary has access to the target system as well as sufficient computational resources. The primitives are also regarded as secure up to a defined bound in such a proof. The theoretical models for this purpose include certain proofs of security. Among the various theoretical models, such as the random oracle model, where real cryptographic hash functions are represented by an idealization, the real-or-random model, the find-then-guess model, the left-or-right model, and so on, the Real-or-Random (RoR) model is more appropriate for our security assumption, where the idea is that an adversary cannot distinguish the encryption of a specific text from the encryption of an equal-length string of garbage [44]. More specifically, if the adversary cannot distinguish the encryption of the sent data from random strings, the protocol has no information leakage and can be proven secure. Hence, to ensure the semantic security of the proposed protocol, in this section we use the RoR model to provide a proof of security of the proposed protocol, similar to the framework used in [45]–[47].

Assume that the cryptographic protocol P is executed between a client U and a server $S \in \mathcal{S}$. In this protocol, U could be either honest or malicious and holds a secret key/password $K_U$. The server S keeps $k_S[U]$ as an entry related to U, which is a transformation of $K_U$. In a security analysis, one should assume that $K_U$ could be known by the adversary if U is a malicious client. Two clients $U_i$ and $U_j$ are called partners if they share the same session identifications.


In RoR semantic security, it is assumed that a random bit b is chosen at the beginning of the semantic security game, and the adversary's advantage in guessing its value through the attack game is considered as its capability to distinguish the cryptographic protocol P under test from an ideal protocol. Through this process, we consider an adversary (A), which can passively or actively control any communications between the protocol parties over a public channel. A is capable of running the following queries.
1) Execute(U, S) query, which is used to define the passive adversary A. In this query type, the adversary can eavesdrop on the exchanged messages between $U_i$ and S.
2) Send(U/S, m) query, which is used to define an active adversary. In this query type, the adversary can intercept a message and then either modify it or simply forward it to U/S.
3) Reveal(U) query, which is used to access the secrets of $U_i$.
4) Test($U_i$) query, which is used to verify the adversary's guess of b. If b = 1, then the session key of $U_i$ is returned; otherwise, a random key of the same size is returned.
Assuming that A has access to the Execute, Send, and Test queries to output his/her guess of the hidden bit b as $b_0$, A's advantage to win the semantic security game in the RoR sense, by guessing the correct value of b, is denoted by $\mathrm{Adv}^{RoR}_{D,P}(t,R)$ and defined as follows [46], [47]:

$$\mathrm{Adv}^{RoR}_{D,P}(t,R) = \Pr(A \to b_0 = 1 : b = 1) - \Pr(A \to b_0 = 1 : b = 0)$$

and the protocol P under test provides semantic security in the RoR model if

$$\mathrm{Adv}^{RoR}_{D,P}(t,R) < \varepsilon(\cdot)$$

where $\varepsilon(\cdot)$ is a negligible function of the secret parameters.

Following the framework that has been used in [45]–[47], the theorem below in Section V-B1 shows the semantic security of the proposed protocol in the RoR model. Through the proof, to rule out trivial advantages of A, it is assumed that the structure of the transferred messages, for example, their block size, in the ideal world Ran and the real world P are the same. Hence, it is possible to associate a simulator S with the proof, which helps to adapt the returned values to the adversary's queries in both worlds. Hence, in the world Ran, the simulator's role is just to forward the protocol's response to the adversary and vice versa. However, in the world P, the simulator has access to the random oracle and also knows P's structure. Hence, its response to A will be adjusted to minimize its advantage. In this way, we are able to overcome A's advantage from the transferred IDSt, which is constant as long as the tag and the reader have not participated in a successful session of the protocol.

Theorem 1: Let AEAD be the used AEAD scheme, for which the adversary's advantage to distinguish it from an ideal scheme is $q \cdot \varepsilon_{AEAD}$, and also assume that the number of A's queries to the Execute, Send, and Test oracles on the proposed protocol D is bounded by $q_{exe}$, $q_{send}$, and $q_{test}$, respectively. Then

$$\mathrm{Adv}^{RoR}_{D,P}(t; q_{exe}; q_{test}; q_{send}) \le 2 \cdot q \cdot \varepsilon_{AEAD}$$

where $q = q_{exe} + q_{test} + q_{send}$.

Fig. 4. Adversary's perspective in G0.

Proof: It is assumed that the tag T communicates with the reader R in an authentication session of P, and the adversary A is aiming to compromise its security in the RoR semantic security model. To bound A's advantage to distinguish P from an ideal protocol Ran, similar to [46] and [47], a series of games $G_n$ is defined, starting from Ran and ending at P. On each game $G_n$, we determine $\mathrm{Adv}^{RoR-G_n}_{D,P}(t,R)$ as A's advantage to guess the hidden bit b involved in the Test queries of the RoR model through that game.

Game G0: As depicted in Fig. 4, this game exactly defines the Ran world associated with the simulator S, and $\mathrm{Adv}^{RoR-G_0}_{D,Ran}(t,R) = 0$.

Game G1: In this game, following Fig. 5, the tag's responses are taken from the P world, while the reader's responses are taken from the Ran world. Given that each session is randomized by Nr and Nt, and the only nonrandom value, excluding IDSt, is the MAC value, which is now computed by the used AEAD, this modification has no impact on A's advantage as long as it cannot distinguish the produced MAC from a truly random string. Following this argument:

$$\mathrm{Adv}^{RoR-G_1}_{D,Ran}(t,R) \le \mathrm{Adv}^{RoR-G_0}_{D,Ran}(t,R) + q \cdot \varepsilon_{AEAD}$$

where $q = q_{exe} + q_{send} + q_{test}$, and

$$\mathrm{Adv}^{RoR-G_2}_{D,Ran}(t,R) \le \mathrm{Adv}^{RoR-G_1}_{D,Ran}(t,R) + q \cdot \varepsilon_{AEAD}.$$

Game G2: Following Fig. 6, G2 exactly represents the implementation of P, and we can conclude that

$$\begin{aligned}
\mathrm{Adv}^{RoR}_{D,P}(t; q_{exe}; q_{test}; q_{send}) &= \mathrm{Adv}^{RoR}_{D,P}(t,R) - \mathrm{Adv}^{RoR}_{D,Ran}(t,R) \\
&= \mathrm{Adv}^{RoR-G_2}_{D,Ran}(t,R) - \mathrm{Adv}^{RoR-G_0}_{D,Ran}(t,R) \\
&\le 2 \cdot q \cdot \varepsilon_{AEAD}.
\end{aligned}$$

Hence, the proof is complete.

To provide a more precise insight into the adversary's advantage after q queries, it is worth noting that the adversary's advantage to distinguish ForkAE from an ideal primitive after q queries is upper bounded by $(q^2/2^n) + (q \cdot 2^n/[(2^n - 1)^2])$. It means that the adversary's advantage to distinguish P from an ideal protocol and compromise its semantic security in the RoR model after q queries is upper bounded by $(q^2/2^{n-1}) + (q \cdot 2^{n+1}/[(2^n - 1)^2])$. For example, for $q = 2^{60}$ and $n = 128$, the adversary's advantage is $((2^{60})^2/2^{128}) + (2^{60} \cdot 2^{128}/[(2^{127})^2]) \approx 2^{-7}$, which follows the birthday bound. In addition, given that the adversary cannot distinguish the transferred messages over the protocol from random values with


Fig. 5. Adversary's perspective in G1.

Fig. 6. Adversary's perspective in G2.

Fig. 7. Security evaluation of the proposed protocol through Scyther.

a non-negligible advantage, it also cannot achieve a non-negligible advantage to reveal the session key or to trace the entities.

2) Formal Security Evaluation Using the Scyther Tool: To be more certain, we also modeled the proposed protocol in the Scyther tool [48]. Scyther is a protocol security analysis tool written in Python. To model a protocol in the Scyther tool, the various roles of the protocol—namely, the roles of tags and readers in our protocol—are written in the security protocol description language (SPDL), and then the Scyther tool analyzes the security of the protocol in its different attack scenarios in the adversary model, using either written claims or its own automated claims (when no claims are given). As we can see in Fig. 7, the proposed protocol successfully overcomes all of the attack scenarios in the Scyther tool.

VI. PERFORMANCE ANALYSIS

In the previous section, we presented our new secure and lightweight authentication protocol, able to accommodate any AEAD cryptosystem scheme (Section IV). To obtain a better understanding of the impact of using various AEAD schemes, and to demonstrate that our protocol is compatible with various models and applicable in practical environments, we selected four candidates (ForkAE, Ascon, GIFT-COFB, and SKINNY-AEAD) of the 32 that were qualified for the second round of the NIST competition.

To evaluate the hardware requirements of an IoT node (e.g., a tag) equipped with our protocol, we simulated the FPGA and ASIC implementation. The FPGA implementation allowed measurement of very low-level information and fundamental building blocks of the tag [e.g., Lookup Table (LUT) and Flipflop]. ASIC implementation was also performed, which enabled comparison of the four candidates via the GE indicator. This step was also useful for defining the requirements for manufacturing the IC. The Xilinx Vivado (design suite 2017.7) synthesis tool was used for FPGA implementation of the proposed cryptography algorithms with the Xilinx Spartan-7 FPGA, since it supports a wide range of cryptographic standards.

The results are reported in Table III. As an example, a portion of the schematic model for Ascon-AEAD is presented in Fig. 8, consisting of the encryption module, the PRNG, and the concatenation function, which are all used for the hardware implementation. In addition, for this process, the key length and data length of the encryption module are set at 128 bit and 64 bit, respectively.

For the ASIC implementation, we used a 90-nm CMOS technology. The goal of the implementation is to maximize performance while using a minimum area for the circuit. This is measured by the GE indicator, the area overhead, the


TABLE III
FPGA AND ASIC I MPLEMENTATION R ESULTS

Fig. 8. Schematic of Ascon-AEAD circuit.

delay, and the power consumption. The results are reported in Table III. The results clearly demonstrate that the proposed protocol is compatible with all encryption models, while providing a high performance level.

For example, if we consider the "delay" as a key performance indicator for real-time IoT applications, by using our protocol with the Ascon cryptography module, a given tag has a 0.58-ns response time. However, if "requirements for power consumption" for low-power IoT devices is the indicator, then both the Ascon and ForkAE schemes are clearly good candidates.

Therefore, according to the technical requirements of organizations developing constrained IoT devices, our proposed protocol can provide a suitable environment for different applications where security is required. It is worth noting that by using optimized tools for ASIC implementation, the GE number will be lower than our results; a practical commercial implementation will perform better still [39].

Table IV compares communication and computation costs between our protocol and the ones presented in previous research, including: the Trinh et al. [19] AEAD model, the Tanveer et al. [20] hybrid method (AE, Hash, and ECC), the Li et al. [22] PUF method, the Bera et al. [23] blockchain method, and the Zhang et al. [25] hybrid method with PUF and blockchain.

For the communication cost, we consider the number of transferred bits (Tb) on the communication channel between an IoT node and an IoT reader. The computation cost is measured using four main functions, namely the AEAD, Hash, ECC, and PUF modules, as the common encryption/decryption modules mentioned in all protocols.

More specifically, when looking at the communication cost, given that the transferred messages are Nr, IDSti, Nt, and MAC with 64-bit length and c3 with 22 bits, the total amount of Tb is 64 + 64 + 64 + 64 + 22 = 278. Thus, our protocol differs significantly from the blockchain-enabled protocols in Table IV, i.e., [23] and [25], and is also approximately 40% better than the other best candidates with AEAD or PUF modules.

For the computation costs, the calculation is based on the assumptions presented by Tanveer et al. [20], using a Raspberry Pi 3 (RPI-3B) with a quad-core CPU at 1.2 GHz, 1 GB of RAM, and Ubuntu 16.04 LTS. Let $T_{AE}$, $T_H$, $T_{ECC}$, and $T_{PUF}$ denote the time cost of an AEAD scheme, a general hash, an ECC point multiplication, and a fuzzy extractor for PUF, respectively. As the results show, the blockchain-enabled protocols not only carry a high communication cost but also need a substantial number of hash function operations and encryption processes. For instance, the Bera et al. [23] protocol suggested for smart grid


TABLE IV
C OMMUNICATION AND C OMPUTATION C OST C OMPARISON

Fig. 9. Runtime comparison.

applications, which utilizes 22 hash operations and 8 ECC operations, has a cost very different from that of our protocol. In addition, in [25], by adding a PUF module to the system, the communication cost as well as the computation cost increase. Even in comparison with other AEAD models, such as the one proposed by Trinh et al. [19]—which has only six AEAD operations—our protocol has the lowest cost, with only two encryption processes—0 Hash and 0 PUF—while also ensuring an acceptable level of security with minimum overhead.

Moreover, in order to estimate the runtime of the protocol, the experimental time complexities of the various cryptographic primitives are employed. The runtimes of an ECC process, a Hash function, an AEAD scheme, and a Fuzzy Extractor for PUF modules are, respectively, considered to be 2.42, 0.381, 0.415, and 2.42 ms. As illustrated in Fig. 9, the runtime of our protocol is equal to 0.83 ms; in comparison with other protocols, it is a fast and noncomplex solution.

To conclude this section: first, we can see that the novel authentication protocol based on AEAD schemes proposed in this research can more efficiently satisfy the lightweight requirements for secure solutions in constrained IoT devices. Second, the results prove that it is applicable in various IoT domains with minimum resource consumption. In addition, the source code of the implementations and the Scyther security evaluation are available on GitHub.1

VII. DISCUSSION AND CONCLUSION

Every year, billions of IoT-connected devices are introduced to the market, and while the numbers may differ, research and consulting firms such as Gartner, Forrester Consulting, Frost and Sullivan, Grand View Research, or IoT Analytics agree on the fact that the global IoT market size is projected to expand at a two- to three-digit compound annual growth rate (CAGR) over the next few years. At the same time, while both consumers and industries are witnessing how this technology trend is transforming our society, the cybersecurity threats will continue to gain significance. This is even more concerning when we know that the proportion of unmanaged IoT devices used in enterprises "under the radar of IT security" outnumbers that of managed devices [49].

In this article, we have therefore worked on an encryption model employing AEAD encryption schemes for securing IoT devices by enabling robust authentication protocols with reduced latency and energy consumption, alongside the requirements of low communication and computational costs in a very constrained environment. While this research focuses on the core security of an IoT node, additional components, such as temperature, moisture, or pH sensors, that increase the hardware requirement of a tag do not affect a tag's weight from the security aspect.

In our research, four different schemes considered by NIST for lightweight cryptographic standards were selected, in order to prove that the structure of our authentication protocol could be used in other applications with the same performance requirements. The performance analysis results showed that the novel protocol performs better than other recently published protocols in different domains. Further research should be done in this direction, building on reliable IoT cybersecurity frameworks and standards to secure any layer of an IoT system and to validate the performance in real-life applications found in different scenarios and sectors, such as smart cities, healthcare, supply chain management, Industry 5.0, or precision agriculture.

1 https://github.com/withoutcode/AEAD-Authentication-Protocol

REFERENCES

[1] “Guidance Statement of Intent Regarding the Security of the Internet of Things.” U.K. Government. [Online]. Available: https://www.gov.uk/government/publications/five-country-ministerial-communique/statement-of-intent-regarding-the-security-of-the-internet-of-things (Accessed: May 1, 2022).
[2] “IoT Cybersecurity Improvement Act of 2020.” U.S. Congress. [Online]. Available: https://www.congress.gov/bill/116th-congress/house-bill/1668/text (Accessed: May 1, 2022).
[3] U.S. Congress, “Congressional Record (2020),” in Proc. Debates 116th Congr., 2020, p. 7045. [Online]. Available: https://www.congress.gov/116/crec/2020/11/17/CREC-2020-11-17.pdf (Accessed: May 1, 2022).
[4] “Good Practices for IoT and Smart Infrastructures Tool.” ENISA. [Online]. Available: https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot/good-practices-for-iot-and-smart-infrastructures-tool (Accessed: May 1, 2022).
[5] H. Li, V. Kumar, J.-M. Park, and Y. Yang, “Cumulative message authentication codes for resource-constrained IoT networks,” IEEE Internet Things J., vol. 8, no. 15, pp. 11847–11859, Aug. 2021.


[6] E. Schiller, A. Aidoo, J. Fuhrer, J. Stahl, M. Ziörjen, and B. Stiller, “Landscape of IoT security,” Comput. Sci. Rev., vol. 44, May 2022, Art. no. 100467.
[7] M. N. Khan, A. Rao, and S. Camtepe, “Lightweight cryptographic protocols for IoT-constrained devices: A survey,” IEEE Internet Things J., vol. 8, no. 6, pp. 4132–4156, Mar. 2021.
[8] T. Nandy et al., “Review on security of Internet of Things authentication mechanism,” IEEE Access, vol. 7, pp. 151054–151089, 2019.
[9] L. B. Furstenau et al., “Internet of Things: Conceptual network structure, main challenges and future directions,” Digit. Commun. Netw., to be published.
[10] P. Chithaluru, F. Al-Turjman, M. Kumar, and T. Stephan, “MTCEE-LLN: Multilayer threshold cluster-based energy-efficient low-power and lossy networks for industrial Internet of Things,” IEEE Internet Things J., vol. 9, no. 7, pp. 4940–4948, Apr. 2022.
[11] “Lightweight Cryptography (LWC) Standardization Project.” NIST. [Online]. Available: https://csrc.nist.gov/Projects/lightweight-cryptography/round-2-candidates (Accessed: Sep. 24, 2020).
[12] K. Fan, W. Jiang, H. Li, and Y. Yang, “Lightweight RFID protocol for medical privacy protection in IoT,” IEEE Trans. Ind. Informat., vol. 14, no. 4, pp. 1656–1665, Apr. 2018.
[13] S. F. Aghili, H. Mala, P. Kaliyar, and M. Conti, “SecLAP: Secure and lightweight RFID authentication protocol for medical IoT,” Future Gener. Comput. Syst., vol. 101, pp. 621–634, Dec. 2019.
[14] M. Safkhani, S. Rostampour, Y. Bendavid, and N. Bagheri, “IoT in medical & pharmaceutical: Designing lightweight RFID security protocols for ensuring supply chain integrity,” Comput. Netw., vol. 181, Nov. 2020, Art. no. 107558.
[15] N. Kumar, G. S. Aujla, A. K. Das, and M. Conti, “ECCAuth: A secure authentication protocol for demand response management in a smart grid system,” IEEE Trans. Ind. Informat., vol. 15, no. 12, pp. 6572–6582, Dec. 2019.
[16] S. Yu et al., “Privacy-preserving lightweight authentication protocol for demand response management in smart grid environment,” Appl. Sci., vol. 10, no. 5, p. 1758, 2020.
[17] M. Nakkar, R. Altawy, and A. Youssef, “Lightweight broadcast authentication protocol for edge-based applications,” IEEE Internet Things J., vol. 7, no. 12, pp. 11766–11777, Dec. 2020.
[18] L. Xiao, H. Xu, F. Zhu, R. Wang, and P. Li, “SKINNY-based RFID lightweight authentication protocol,” Sensors, vol. 20, no. 5, p. 1366, 2020.
[19] C. Trinh et al., “A novel lightweight block cipher-based mutual authentication protocol for constrained environments,” IEEE Access, vol. 8, pp. 165536–165550, 2020.
[20] M. Tanveer, A. U. Khan, N. Kumar, and M. M. Hassan, “RAMP-IoD: A robust authenticated key management protocol for the Internet of Drones,” IEEE Internet Things J., vol. 9, no. 2, pp. 1339–1353, Jan. 2022.
[21] S. Banerjee, V. Odelu, A. K. Das, S. Chattopadhyay, J. J. P. C. Rodrigues, and Y. Park, “Physically secure lightweight anonymous user authentication protocol for Internet of Things using physically unclonable functions,” IEEE Access, vol. 7, pp. 85627–85644, 2019.
[22] S. Li, T. Zhang, B. Yu, and K. He, “A provably secure and practical PUF-based end-to-end mutual authentication and key exchange protocol for IoT,” IEEE Sensors J., vol. 21, no. 4, pp. 5487–5501, Feb. 2021.
[23] B. Bera, S. Saha, A. K. Das, and A. V. Vasilakos, “Designing blockchain-based access control protocol in IoT-enabled smart-grid system,” IEEE Internet Things J., vol. 8, no. 7, pp. 5744–5761, Apr. 2021.
[24] S. Jangirala, A. K. Das, and A. V. Vasilakos, “Designing secure lightweight blockchain-enabled RFID-based authentication protocol for supply chains in 5G mobile edge computing environment,” IEEE Trans. Ind. Informat., vol. 16, no. 11, pp. 7081–7093, Nov. 2020.
[25] Y. Zhang, B. Li, B. Liu, Y. Hu, and H. Zheng, “A privacy-aware PUFs-based multiserver authentication protocol in cloud-edge IoT systems using blockchain,” IEEE Internet Things J., vol. 8, no. 18, pp. 13958–13974, Sep. 2021.
[26] M. F. Aziz, A. N. Khan, J. Shuja, I. A. Khan, F. G. Khan, and A. U. R. Khan, “A lightweight and compromise-resilient authentication scheme for IoTs,” Trans. Emerg. Telecommun. Technol., vol. 33, no. 3,
[29] M. Khalid, U. Mujahid, M. N.-U. Islam, H. Choi, I. Alam, and S. Sarwar, “Ultralightweight resilient mutual authentication protocol for IoT based edge networks,” J. Ambient Intell. Humanized Comput., to be published.
[30] B. Hammi, A. Fayad, R. Khatoun, S. Zeadally, and Y. Begriche, “A lightweight ECC-based authentication scheme for Internet of Things (IoT),” IEEE Syst. J., vol. 14, no. 3, pp. 3440–3450, Sep. 2020.
[31] P. Chithaluru, F. Al-Turjman, T. Stephan, M. Kumar, and L. Mostarda, “Energy-efficient blockchain implementation for cognitive wireless communication networks (CWCNs),” Energy Rep., vol. 7, pp. 8277–8286, Nov. 2021.
[32] W. Wang et al., “Blockchain and PUF-based lightweight authentication protocol for wireless medical sensor networks,” IEEE Internet Things J., vol. 9, no. 11, pp. 8883–8891, Jun. 2022.
[33] M. El-Hajj, A. Fadlallah, M. Chamoun, and A. Serhrouchni, “A survey of Internet of Things (IoT) authentication schemes,” Sensors, vol. 19, no. 5, p. 1141, 2019.
[34] R. Canetti and H. Krawczyk, “Universally composable notions of key exchange and secure channels,” in EUROCRYPT (Lecture Notes in Computer Science, 2332), L. R. Knudsen, Ed. Berlin, Germany: Springer, 2002, pp. 337–351. [Online]. Available: https://doi.org/10.1007/3-540-46035-7_22
[35] D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Trans. Inf. Theory, vol. TIT-29, no. 2, pp. 198–208, Mar. 1983.
[36] M. Bellare and C. Namprempre, “Authenticated encryption: Relations among notions and analysis of the generic composition paradigm,” J. Cryptol., vol. 21, no. 4, pp. 469–491, 2008.
[37] J. Alizadeh, M. R. Aref, and N. Bagheri, “JHAE: An authenticated encryption mode based on JH,” IACR Cryptol. ePrint Arch., Lyon, France, Rep. 193/2014, 2014.
[38] J. Alizadeh, M. R. Aref, and N. Bagheri, “Artemia: A family of provably secure authenticated encryption schemes,” ISC Int. J. Inf. Security, vol. 6, no. 2, pp. 125–139, 2014.
[39] C. Dobraunig, M. Eichlseder, F. Mendel, and M. Schläffer. “Ascon, Lightweight Authenticated Encryption and Hashing.” [Online]. Available: https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/ascon-spec.pdf (Accessed: Feb. 15, 2020).
[40] G. Bertoni, J. Daemen, M. Peeters, and G. V. Assche, “On the indifferentiability of the sponge construction,” in EUROCRYPT (Lecture Notes in Computer Science, 4965), N. P. Smart, Ed. Berlin, Germany: Springer, 2008, pp. 181–197. [Online]. Available: https://doi.org/10.1007/978-3-540-78967-3_11
[41] S. Banik et al. “GIFT-COFB Authenticated Encryption.” [Online]. Available: https://www.isical.ac.in/~lightweight/COFB/ (Accessed: May 1, 2022).
[42] E. Andreeva et al. “ForkAE.” [Online]. Available: https://www.esat.kuleuven.be/cosic/forkae/ (Accessed: May 1, 2022).
[43] C. Beierle et al. “SKINNY Family of Block Ciphers.” [Online]. Available: https://sites.google.com/site/skinnycipher/home (Accessed: May 1, 2022).
[44] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, “A concrete security treatment of symmetric encryption,” in Proc. 38th Annu. Symp. Found. Comput. Sci. (FOCS), Miami Beach, FL, USA, Oct. 1997, pp. 394–403. [Online]. Available: https://doi.org/10.1109/SFCS.1997.646128
[45] M. Abdalla, P.-A. Fouque, and D. Pointcheval, “Password-based authenticated key exchange in the three-party setting,” in Proc. 8th Int. Workshop Theory Pract. Public Key Cryptogr., Les Diablerets, Switzerland, Jan. 2005, pp. 65–84.
[46] M. Safkhani, N. Bagheri, S. Kumari, H. Tavakoli, S. Kumar, and J. Chen, “RESEAP: An ECC-based authentication and key agreement scheme for IoT applications,” IEEE Access, vol. 8, pp. 200851–200862, 2020.
[47] M. Hosseinzadeh et al., “An enhanced authentication protocol for RFID systems,” IEEE Access, vol. 8, pp. 126977–126987, 2020.
[48] C. J. F. Cremers, “The Scyther tool: Verification, falsification, and analysis of security protocols,” in Proc. Int. Conf. Comput.-Aided Verif., 2008, pp. 414–418.
[49] “State of Enterprise IoT Security in North America: Unmanaged and
p. e3813, 2022. Unsecured.Leadership Paper Commissioned by Armis Inc.” Forrester-
[27] A. Adeel et al., “A multi-attack resilient lightweight IoT authentication Consulting. Sep. 2019. [Online]. Available: https://info.armis.com/rs/
scheme,” Trans. Emerg. Telecommun. Technol., vol. 33, no. 3, p. e3676, 645-PDC-047/images/State-Of-Enterprise-IoT-Security-Unmanaged-
2022. And-Unsecured.pdf (Accessed: May 1, 2022).
[28] S. Sundaresan, R. Doss, S. Piramuthu, and W. Zhou, “A robust grouping [50] A. E. Omolara et al., “The Internet of Things security: A survey encom-
proof protocol for RFID EPC C1G2 tags,” IEEE Trans. Inf. Forensics passing unexplored areas and new insights,” Comput. Security, vol. 112,
Security, vol. 9, pp. 961–975, 2014. Jan. 2022, Art. no. 102494.

Authorized licensed use limited to: UNIVERSITE DE MONASTIR. Downloaded on March 01,2024 at 10:57:36 UTC from IEEE Xplore. Restrictions apply.