
IEEE INTERNET OF THINGS JOURNAL, VOL. 11, NO. 5, 1 MARCH 2024

Privacy-Preserving Mutual Authentication Protocol With Forward Secrecy for IoT–Edge–Cloud

Mohamed Seifelnasr, Student Member, IEEE, Riham AlTawy, Senior Member, IEEE, Amr Youssef, Senior Member, IEEE, and Essam Ghadafi, Senior Member, IEEE

Abstract—The three-tier IoT–Edge–Cloud paradigm enables low-end devices to use the computation capabilities of the more powerful edge nodes to meet efficiency constraints for real-time applications. Many symmetric-key-based schemes rely on an online trusted cloud admin (CA) to establish session keys between IoT devices and edge nodes. In this study, we propose a new provably-secure mutual authentication privacy-preserving protocol with forward secrecy (MAPFS), which eliminates the requirement for an online CA during IoT authentication. To achieve anonymity, our construction utilizes zero-knowledge proofs and randomizes the IoT authentication request. The security of our construction is based on the well-studied discrete logarithm and decisional Diffie–Hellman assumptions in elliptic curve groups. We formally prove that MAPFS ensures mutual authentication and semantic security for session keys. We also evaluate MAPFS performance in terms of the communication overhead, storage requirements, and computation complexity. Finally, we test the performance of MAPFS on a Raspberry Pi 4 and compare it against other certificate-less protocols.

Index Terms—Anonymity, edge computing, elliptic curve cryptography (ECC), IoT, mutual authentication (MA), zero-knowledge proof (ZKP).

I. INTRODUCTION

The conventional cloud computing paradigm suffers from a single point of failure. Moreover, low-end devices, henceforth referred to as IoTs, cannot meet the required Quality of Service (QoS) due to the high latency in the propagation of data between the IoT device and the cloud. Researchers recommend migrating to the three-tier IoT–Edge–Cloud paradigm due to its distributed nature, where IoTs can benefit from the computation of the nearby edge nodes [1], [2]. The IoT–Edge–Cloud paradigm ensures low latency, enabling IoTs to meet the required QoS, besides other benefits such as location awareness and scalability.

Mutual authentication (MA) protocols in the IoT–Edge–Cloud paradigm [3] can be categorized into symmetric key-based protocols and asymmetric key-based protocols. Symmetric key-based protocols are characterized by high efficiency and low computation complexity. Nevertheless, they require preshared key parameters between the communicating entities, which is unrealistic with the enormous number of IoTs. One approach to address this challenge is the utilization of a cloud admin (CA), which maintains a secret key for each entity; the role of the CA involves authenticating the communicating entities and deriving session keys. On the other hand, in asymmetric key-based protocols, public key encryption is not used very often for data encryption since public key encryption is costly [4]. Instead, the entities' public keys are used to establish a session key. Then, by adopting a well-known symmetric encryption scheme, fast and secure communications become feasible. However, in certificate-based protocols [5], anonymity can be achieved through anonymous authenticated schemes, such as ring/group signature schemes [6], [7]. In such schemes, both the IoT device and the edge node should have access to the public keys of registered IoT devices in the anonymity set for signature generation and verification, which requires either extra communication between IoT devices or extra storage. Moreover, registration of a new IoT device to the system requires updating all IoT devices and edge nodes with the public key of the new IoT device, which further affects the system's scalability.

In order to address the aforementioned problems in anonymous authenticated schemes, we adopt a certificate-less public-key cryptography (CL-PKC) authentication and key agreement scheme where the generation of the private keys and public keys is split between the IoT device and the key generation center (KGC) [8]. Li et al. [9] proposed an elliptic curve cryptography (ECC)-based MA and key exchange protocol for IoTs. The proposed protocol achieves MA and the forward secrecy property. The MA property ensures the legitimacy of the transacting entities, while the forward secrecy property ensures the security of past session keys in case of the compromise of long-term secrets. However, Li's protocol failed to maintain the privacy of the IoTs since the communicating entities have to send their identities to complete the authentication process. Similarly, Ying and Nayak [10] proposed an ECC-based MA and key establishment protocol for 5G networks. The proposed protocol achieves MA and forward secrecy.

Manuscript received 20 June 2023; revised 15 August 2023; accepted 16 September 2023. Date of publication 26 September 2023; date of current version 21 February 2024. This work was supported in part by the Natural Sciences and Engineering Research Council of Canada (NSERC) and in part by the Fonds de Recherche du Québec Nature et Technologies (FRQNT). (Corresponding author: Riham AlTawy.)
Mohamed Seifelnasr is with the Department of Computer Engineering, Helwan University, Cairo 11792, Egypt, and also with the Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC H3G 1M8, Canada (e-mail: [email protected]).
Riham AlTawy is with the Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC V8P 5C2, Canada (e-mail: [email protected]).
Amr Youssef is with the Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC H3G 1M8, Canada (e-mail: [email protected]).
Essam Ghadafi is with the School of Computing, Newcastle University, NE4 5TG Newcastle Upon Tyne, U.K. (e-mail: [email protected]).
Digital Object Identifier 10.1109/JIOT.2023.3318180
2327-4662 © 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on September 13,2024 at 13:20:43 UTC from IEEE Xplore. Restrictions apply.

Regarding anonymity, the protocol obfuscates the real identity of the IoT device. However, it suffers from linkability: an external adversary can link the authentication requests of the IoT device since it always uses the same pseudo-anonymous identity. Therefore, in this article, we consider the anonymity of the sender and the unlinkability of the authentication request with respect to the serving edge node.

Goals: Motivated by the aforementioned protocols, in this work, we continue this line of research and further aim to achieve the following goals.
1) Design a privacy-preserving MA protocol for the IoT–Edge–Cloud paradigm where an external adversary or an edge node controlled by a malicious network admin cannot efficiently identify or correlate the incoming requests.
2) Enable scalability of the scheme without the overhead of updating all other IoT devices and edge nodes with the public keys of new IoT devices.

Our Contributions: This article has the following contributions:
1) We propose MAPFS, an MA privacy-preserving protocol with forward secrecy for the IoT–Edge–Cloud. MAPFS is resilient to replay attacks; it also achieves the forward and backward secrecy properties and ensures unlinkability between IoT requests with respect to the edge node.
2) Based on the computationally intractable EC discrete logarithm problem (ECDLP) and the EC decisional Diffie–Hellman assumption (ECDDH), we formally prove the secrecy of the session key and the MA property of the protocol.
3) We provide performance evaluations for MAPFS and compare it with other protocols in terms of execution time.
4) We perform experiments on a 1.5 GHz 64-bit Quad-core ARM Cortex-A72 processor to validate the soundness of our proposed protocol. Moreover, we make our code for the implementation public on the GitHub repository.

In MAPFS, the IoT device sends an authentication token to a nearby edge node to prove its legitimacy. To achieve unlinkability between the authentication tokens of the same IoT device, the IoT device randomizes such authentication tokens. This randomization process is essential: it provides the unlinkability between the authentication requests and prevents external adversaries and edge nodes from correlating the authentication requests and profiling the IoT device. Considering the attack scenario where an adversary builds another system (i.e., a different TTP with a different public key) that acts like our proposed system and sends a randomized request that would pass the verification on the edge node side, the IoT device provides a zero-knowledge proof (ZKP) of knowledge of the random value, without disclosing it, that relates the randomized authentication request to the public parameter of our system. In case of a misbehaving IoT device, a TTP can do a linear search on the transmitted request to get the real identity of the misbehaving IoT device.

The remainder of this article is organized as follows. Section II briefly reviews the related work and provides background on secure hash functions and the computationally intractable ECDL and ECDDH problems. Section IV presents the syntax and the security model for the system. Section V contains the details of our construction. Formal security analysis of MAPFS with respect to MA and session key secrecy is presented in Section VI. Section VII presents the performance evaluation with respect to the storage requirements, computation complexity, and communication cost. Finally, our work is concluded in Section VIII.

II. LITERATURE REVIEW

Numerous MA symmetric key-based protocols [11], [12], [13], [14], [15], [16] have been proposed for IoT communication. Most of these protocols utilize lightweight operations, such as XOR and hash functions. Hence, these protocols have the advantage of low computation complexity, which makes them suitable for low-end devices. However, the key distribution and management of the symmetric-key-based schemes impose a burden on practical applications of these protocols, especially with the increasing number of IoT devices.

To address the key distribution and management shortcomings of the symmetric-key schemes, asymmetric key-based protocols, such as [17] and [18], are proposed. Such protocols require only the communicating entities to exchange keying materials to establish the session keys. The applicability of such protocols in the IoT has one major inconvenience, which is the computation cost and energy consumption. Subsequently, more efforts were exerted to realize ECC-based authentication protocols that achieve the required security level with smaller parameters [19]. Li et al. [20] proposed an MA and key exchange protocol for wireless sensor networks based on ECC. Later, Shi and Gong [21] pointed out that the proposed protocol in [20] does not provide MA or forward secrecy and proposed a more secure ECC-based protocol. However, Choi et al. [22] showed that the protocol in [21] is vulnerable to session key attacks. In order to achieve a 2-factor authentication protocol, Chang and Le [23] proposed an MA scheme using a smart card, which requires a small overhead and achieves the forward secrecy property. However, the proposed protocol could not resist stolen smart card attacks and tracking attacks, as indicated in [24]. All the aforementioned symmetric-key-based protocols necessitate the presence of an online trusted third party during the authentication process.

CL-PKC schemes proposed in [9], [10], [25], [26], [27], [28], [29], [30], and [31] allow low-end devices to perform the authentication without the need for an online CA. Protocols in [28], [30], [31], [32], [33], and [34] are based on heavy bilinear-pairing operations and are not suitable for limited-resource low-end devices. Gayathri et al. [26] proposed an efficient certificate-less protocol that does not require bilinear-pairing operations. However, the proposed scheme does not achieve the confidentiality of the messages transmitted from the sensor nodes. More authentication protocols that do not require bilinear-pairing operations are presented in [9] and [25]. Nevertheless, the sender identity has to be sent in the clear on the wireless channel between the IoT and the edge node. The schemes proposed in [10], [27], and [29] guarantee the anonymity of the sender against an external adversary


by obfuscating its identity. However, the service provider (i.e., the receiver) can link and relate the incoming requests. The aforementioned protocols assign the low-end IoT devices to a certain serving edge node, which does not fit the dynamic nature of the IoT sensors. Certificate-less schemes in [10], [28], [30], [32], and [33] achieve anonymity of the sender with respect to the serving edge node. Nonetheless, none of the certificate-less protocols mentioned above ensure session unlinkability with respect to the serving edge node.

Table I provides a comparison of the security properties of our proposed protocol, MAPFS, against other related ones. In our comparison, we consider MA, the anonymity of the sender, and the unlinkability of the IoT requests from external adversaries and edge nodes. Additionally, we consider other functional properties, such as scalability, where adding an IoT device is easy by issuing an authentication token to the new device without requiring protocol reinitialization or reregistration of other IoT devices. Our protocol, MAPFS, achieves MA, sender anonymity, and session unlinkability. Note that PUF-based protocols [9], [15], [16] require the presence of a PUF circuit for running the protocol. If the PUF circuit is not present, the protocol cannot be executed, and it will lose its hardware compromise resilience security property.

Fig. 1. IoT–Edge–Cloud paradigm.

III. PRELIMINARY

Throughout our work, we utilize the ECC system, which is a modern family of public-key cryptosystems based on the algebraic structures of elliptic curves over finite fields. ECC security is based on the assumed difficulty of the ECDLP [19], [36]. ECC-based schemes are characterized by smaller key sizes, low arithmetic requirements, and shorter operand lengths compared to RSA systems. Let p be a prime number and let Fp denote the field of the integers modulo p. An elliptic curve E is defined over the finite field Fp by the set of points (x, y) ∈ Fp × Fp satisfying the nonsingular elliptic curve equation y² = x³ + ax + b mod p, such that 4a³ + 27b² ≠ 0 mod p, plus the point at infinity O. Then, the additive elliptic curve cyclic group G is defined as G = {(x, y) : x, y ∈ Fp ∧ (x, y) ∈ E} ∪ {O}. Let P ∈ E be the generator point of the group G of order q. Note that we use lowercase letters for representing scalar values in Zq and uppercase letters for EC points in the group G. The ECDLP problem is defined as follows.

Definition 1 (ECDLP): Let E be an elliptic curve over the finite field Fp and let R and S be points in G of order q; the ECDLP is the problem of finding an integer r such that R = rS.

The Elliptic Curve Diffie–Hellman (ECDH) [37]: ECDH is a key agreement protocol that enables two entities, Alice and Bob, each having an elliptic curve public-private key pair, to establish a shared secret key over an insecure channel. ECDH is based on the ECDLP instead of the conventional discrete log problem (DLP). It works as follows. The two communicating entities, Alice and Bob, agree on an elliptic curve E. Alice selects an integer a ← Zq*, computes Q = aP, and sends Q to Bob. On the other hand, Bob selects an integer b ← Zq*, computes R = bP, and sends R to Alice. Alice and Bob receive R and Q, respectively, and compute the shared secret key S; S = aR = bQ = abP. Both entities, Alice and Bob, get the same value for S, and the shared key is established.

Definition 2 (Elliptic-Curve Decisional Diffie–Hellman Problem (ECDDHP) [19]): Let E be an elliptic curve over the finite field Fp. Given the point P ∈ G with order q and the points X = xP, Y = yP, and Z = zP ∈ G, the ECDDHP is the problem of determining whether Z = xyP, equivalently, whether z = xy mod q.

Definition 3 (Negligible Function [38]): Given a security parameter λ, a function of λ mapping Z → R is said to be negligible in λ if for all d > 0 there exists λd ∈ Z such that its value at λ is at most 1/λ^d for all λ > λd.

Schnorr ZKP [39]: Given a statement X where ∃ x s.t. X = xP, a Schnorr ZKP of knowledge enables the prover to convince the verifier of the knowledge of the witness x without revealing its value to the verifier. The Schnorr protocol is a Σ-protocol that consists of three interactions between the prover and the verifier. These interactions are: 1) commit; 2) challenge; and 3) response. A noninteractive Schnorr ZKP in the Fiat–Shamir heuristic transformation [40] allows the prover to combine the commit, challenge, and response phases in one interaction. This transformation involves using a secure cryptographic hash function to issue the challenge.

Schnorr Signature [41]: A noninteractive Schnorr signature over the message m runs as follows. The prover generates the commitment R = rP where r ← Zq and uses the Fiat–Shamir heuristic transformation for computing the challenge c = H(R, m). Then, it computes the response s = r + cx, where the signature is σ = (R, s). The verifier checks whether sP = R + cX holds.

IV. SYSTEM MODEL AND THREAT MODEL

In what follows, we present our system model and threat model. Additionally, we provide a list of abbreviations used throughout the paper in Table I.

A. System Model

We adopt the IoT–Edge–Cloud paradigm as illustrated in Fig. 1. Our system model is composed of the IoT layer, the edge layer, and the cloud layer. Edge nodes are connected to the cloud layer through the core network. The role of each layer is detailed as follows.
1) IoT Layer: This layer is composed of the sensor/IoT devices, which are limited-resource devices with Internet connectivity and enrolled in many applications (e.g., transportation, healthcare, virtual reality, etc.). IoT devices sense and gather the needed information and


TABLE I. Comparison With Other Related Protocols.

TABLE II. Notation Table.

send most of the data to the edge layer to benefit from the computation power of the IoT gateway in order to meet the expected QoS requirements.
2) Edge Layer: An intermediate layer between the IoT and cloud layers. It brings a part of the cloud computing infrastructure closer to the end-users in the form of IoT gateways to improve the latency of real-time applications. The computation-capable edge nodes can be a router, a switch, or a proxy server [42]. It offers computation offloading services to limited-resource IoT devices.
3) Cloud Layer: A top layer that provides scalable computing resources, storage, and services that complement edge computing. It enables data storage, complex data analytics, machine learning, and other resource-intensive tasks that cannot be efficiently performed at the edge nodes.

Moreover, in our protocol, we make use of a TTP, which is the KGC that is responsible for initializing the system parameters and issuing the signing keys for IoT devices and IoT gateways in the registration phase.

B. Threat Model

In our paper, we adopt the Canetti–Krawczyk (CK) adversary model [43]. In this model, the adversary A can eavesdrop, insert, modify, and drop messages on the communication channel. Moreover, it has access to the memory of the communicating entities (i.e., IoT devices and IoT gateways). Therefore, the information stored in the memory of the IoT device and the IoT gateway is vulnerable to memory leakage attacks. Based on the information revealed to A, we define the adversary attacks as follows.
1) Session State Reveal: A gets access to the ephemeral secrets for the current session.
2) Session Key Query: A gets access to the current session key of the communicating entities.
3) Party Corruption: A has access to the long-term keys of the communicating entity.

V. PROTOCOL DESIGN

Our protocol, MAPFS, makes use of two-party ECDH key exchange [37], the Schnorr ZKP of discrete log knowledge [39], and the Schnorr signature [41]. The Diffie–Hellman protocol enables the IoT device and the IoT gateway to establish the session key. However, ECDH is an unauthenticated key agreement protocol. Therefore, the Schnorr signature is used to authenticate the IoT gateway to the IoT device, and vice versa. The IoT gateway uses a signing key, issued by the KGC, to sign its authentication message for the IoT device. Similarly, the IoT device uses a signing key to sign its authentication message. In order to maintain the unlinkability of the IoT requests, the protocol randomizes the authentication message of the IoT device by multiplying it with a random number. Furthermore, the Schnorr ZKP is used to prove the knowledge of the random number that relates the randomized authentication token to our public system parameters.

Our protocol consists of a setup phase, a registration phase, an MA and key agreement phase, and a revocation phase. The details of each phase are listed as follows.

A. Setup Phase

In this phase, the service provider deploys IoT gateways. Then, the KGC publishes the system public parameters, i.e., the used hash functions, the utilized elliptic curve, and the


Fig. 2. IoT gateway registration.

Fig. 3. IoT device registration.

KGC public key. The KGC selects the system parameters as follows. The KGC chooses a 256-bit prime number p and an elliptic curve E over the finite field Fp. The KGC chooses a point P ∈ E of order q as the generator point. It randomly selects sgc ← Zq* as its secret key and computes the public point Pubgc = sgc P. Also, it selects the collision-resistant one-way hash functions H0 : G → Zq*, H1 : {0,1}^128 × G × G × G → Zq*, H2 : {0,1}^128 × G × G × G × {0,1}^256 → Zq*, H3 : G × G → Zq*, H4 : G × G × G × G × G × G × G → Zq*, and H5 : {0,1}^256 → Zq*. Finally, the public parameters of the system (E, p, q, P, H0, H1, H2, H3, H4, H5, Pubgc) are published, while sgc is kept secret.

B. Registration Phase

We assume that the registration phase runs in a secure environment. Fig. 2 illustrates the registration phase between gatewayw and the KGC. The IoT gateway randomly selects xw ← Zq* as its partial private key and computes the partial public key Xw = xw P. Then, the IoT gateway sends its identity IDw along with the partial public key Xw to the KGC. After that, the KGC randomly selects yw ← Zq* and computes the partial public key Yw = yw P (i.e., the two partial keys Xw, Yw are generated by the IoT gateway and the KGC, respectively, and together serve as the public key of the gateway). Then, the KGC computes hw = H1(IDw||Xw||Pubgc||Yw) to bind the public parameters IDw, Xw, Pubgc, and Yw together. Then, the KGC issues the signing key σw = sgc + hw yw, which is verified on the gateway by validating σw P = Pubgc + H1(IDw||Xw||Pubgc||Yw) Yw. Note that the KGC includes the secret sgc to indicate that the signing key was issued by the KGC, and binds the hw value with the partial private key of the gateway yw to indicate that this signing key is issued to the IoT gateway with public key Yw.

Similar to the registration of the IoT gateway, the KGC includes sgc and ha ya in the IoT signing key to indicate that the signing key was issued by the KGC. Moreover, the KGC relates ha with the partial private key of the IoT device ya to indicate that this signing key is issued to the IoT device with public key Ya, as shown in Fig. 3. However, since our protocol is privacy-preserving and the IoT authentication request should be unlinkable, the registration phase of the IoT device is slightly different from the gateway registration. The KGC computes ha = H2(IDa||Xa||Pubgc||Ya||hx) to bind the IoT identity IDa, the IoT public key <Xa, Ya>, and the KGC public key Pubgc together. Moreover, the KGC includes the secret key hx in the computation of ha to prevent an external adversary from exhaustively searching for, and identifying, the IoT device identity by hashing the public parameters IDa, <Xa, Ya>, Pubgc in the IoT authentication request, which would be possible if hx were not included. Furthermore, the KGC includes the term ya in the signing key of the anonymous IoT device in order to provide a ZKP of the knowledge of the discrete log, ha, of the randomized point P3 to the base point P1. Without a valid value of ha that links P3 = ha P1, the KGC cannot revoke the identity of a misbehaving IoT device.

To enhance the scalability and alleviate the bottleneck problem during the registration of IoT devices, we allow an IoT device to send its registration data <IDa||Xa||hx> and a symmetric key sk to the KGC through deployed gateways (note that, in this case, the public key of the KGC Pubgc is assumed to be embedded on the IoT device). Afterward, the KGC decrypts the incoming data and generates the partial public key Ya for the IoT device along with the signing key σa and ha = H2(IDa||Xa||Pubgc||Ya||hx). Then, it encrypts <IDa||Xa||σa||Ya||ha> with the symmetric key sk and sends the encrypted data to the IoT device through the edge nodes along with the integrity term M1 = H(IDa||Xa||σa||Ya||ha). The IoT device decrypts the incoming message and verifies M1 = H(IDa||Xa||σa||Ya||ha) and σa P = Pubgc + ha Ya + Ya. Then, the IoT device stores σa, xa, and ha in its memory. This solution enhances the scalability and alleviates the bottleneck problem during the registration of IoT devices, but it requires the public key of the KGC to be embedded in the IoT device. Another alternative to enhance the scalability and alleviate the bottleneck problem is to utilize a hierarchical structure comprising a root KGC and sublocal KGCs [44]. This architecture enables IoT devices to register with their respective sublocal KGCs, providing a more distributed and efficient approach.

C. Mutual Authentication and Key Agreement Phase

Consider a session i between IoTa and gatewayw, as shown in Fig. 4. IoTa randomly generates the nonces r1, r2, r3, and r4, where r1 is used in deriving the IoT one-time public key A = r1 Xa, r2 is used in randomizing the IoT signing key σa, while r3 and r4 are used in generating the ZKP commitments T1 and T2. The IoT sends a "Hello" message along with the IoT one-time public key A to the IoT gateway. Then, the IoT gateway generates r5 and computes the one-time public key W = r5 Xw. Afterwards, it computes Ig and the gateway


Fig. 4. Mutual authentication phase.

signature σz = Ig σw + r5 xw, where Ig = H3(A||W). This σz is verified by the IoT device by checking σz P = Ig Pubgc + Ig H1(IDw||Xw||Pubgc||Yw) Yw + W. Upon receiving the IoT gateway message <W, IDw, Xw, Yw, σz>, the IoT device verifies the received σz. Upon successful verification of the received σz, and thus authentication of the IoT gateway, the IoT device computes the session key Ks = H0(r1 xa W); otherwise, it terminates the session with that IoT gateway. After that, it computes the instantaneous base point P1 = r2 Ya and the randomized points P2 = r2 Pubgc and P3 = r2 ha Ya. For the ZKP, the IoT device computes the two commitments T1 = r3 Pubgc and T2 = r4 P1 to prove the knowledge of r2 (resp. ha) in the statement ∃ r2 s.t. P2 = r2 Pubgc (resp. ∃ ha s.t. P3 = ha P1). After that, the IoT device computes Ia = H4(A||P1||P2||P3||T1||T2||W). Then, the IoT computes the randomized signature σt = Ia r2 σa + r1 xa, which is verified by the IoT gateway by checking σt P = Ia (P1 + P2 + P3) + A. Also, the IoT computes the ZKP responses s1 = r2 Ia + r3 and s2 = ha Ia + r4. Later on, the IoT gateway verifies these ZKP responses by checking s1 Pubgc = Ia P2 + T1 and s2 P1 = Ia P3 + T2. The IoT device sends the points P1, P2, P3 along with the commitments T1, T2, the IoT signature σt, and the ZKP responses s1, s2 to the IoT gateway. Then, the IoT gateway verifies the IoT signature σt and the ZKP responses s1 and s2 to authenticate the IoT device.

D. Revoking the Anonymity of Misbehaving IoTs

Since the protocol is privacy-preserving and the IoT gateway cannot identify the sender IoT, it is required that the KGC can retrieve the identity behind an IoT request in case of misbehavior. The KGC achieves this by performing a linear search, computing P3 = hj P1 for 1 ≤ j ≤ n, where n is the total


number of registered IoTs. Upon successfully passing the check, the identity of the IoT device is determined as IDj. Then, the KGC sends <IDj, yj, Xj, Yj, hj> to the deployed IoT gateways. An IoT gateway stops serving the IoT device with IDj by checking P3 = hj P1. If it holds, the IoT device is banned from the computation offloading service.

VI. SECURITY ANALYSIS

In this section, we analyze the security properties of MAPFS. We start by modeling the adversarial capabilities. Then, we prove the semantic security (SS) of our key exchange protocol and its MA property. Furthermore, we show MAPFS resilience to replay attacks and how MAPFS maintains the perfect forward secrecy and backward secrecy properties.

A. Adversary Model

We adopt the CK threat model, where a PPT A has access to the public wireless communication channel and can eavesdrop, modify, and inject messages. Moreover, in this model, A can get access to the information in the participant's memory, such as the long-term secrets (i.e., xa, σa, hx, ha in the case of an IoT device and xw, σw in the case of an IoT gateway) or the internal state variables (i.e., r1, r2, r3, and r4 in the case of an IoT device and r5 in the case of an IoT gateway) used in deriving the session key. Therefore, the leakage of these secrets from the IoT device memory should have the least possible effect on the security of the protocol.

In our proposed protocol, we define the session identifier S = H3(A||W) as the hash value of the IoT device one-time public key A and the gateway one-time public key W.

the transmitted messages during an honest protocol execution between the protocol participants, namely, the IoT device IoTa and the IoT gateway Gw.
4) SSReveal(O, S): This query allows A to obtain the internal state of the protocol participant O during the execution of the protocol in session S, including any relevant internal variables such as r1, r2, r3, and r4 for the IoT device and r5 for the IoT gateway.
5) SKReveal(O, S): This query allows A to determine the session key (i.e., Ks in our protocol) held by the participant O during the session S.
6) Corrupt(O): This query allows A to obtain the long-term secrets used by the participant O in the protocol, such as xa, σa, and ha for the IoT device and xw and σw for the IoT gateway.

MA: Intuitively, we say that MAPFS ensures MA if it is infeasible for A to impersonate an IoT device to an honest gateway, and it is also infeasible for A to impersonate a gateway to an honest IoT device. The MA security of a MAPFS scheme supporting n IoT devices and m gateways is modeled by an experiment Auth, where A, attempting to impersonate IoTj (resp. gateway Gj), is allowed to invoke the Send query with {IoT1, IoT2, . . . , IoTn} - {IoTa} (resp. {G1, G2, . . . , Gm} - {Gj}). At the end, A wins if it outputs a valid login message for the target IoT device IoTa or the target IoT gateway Gw. The advantage of A is denoted by Adv^Auth_MAPFS(A).

The session key Ks of O is said to be fresh if the following conditions hold: 1) no SKReveal has been invoked on O or its partner, and 2) at most one corrupt query, either SSReveal or Corrupt, has been invoked by A on O or its partner. It is reasonable that if A gets the secret parameters of both protocol participants, A can compute the session key [9], [45].

SS: The SS of MAPFS is violated if A distinguishes a fresh
Moreover, the protocol participants, IoTa and IoT gatewayw , session key Ks from a random sequence. The SS of MAPFS is
are said to be partners if the following conditions are met: modeled by an indistinguishability experiment SSec where A
1) the two participants are in the accept state; 2) they have repeatedly invokes Execute, SSReveal, Corrupt, SKReveal
the same session identifier Si = <A||W>; and 3) the partner on some protocol participants for nq times. Finally, in the chal-
identifier of IoTa is IoT gatewayw and vice versa [45]. We lenge phase, an unbiased coin c is flipped. If the flipped coin
model the adversary capabilities in interacting with the proto- c = 1, a fresh session key Ks for a valid protocol transcript
col participant O (i.e., IoT device or the IoT gateway) by the T of MAPFS partners is output to A; otherwise, a random
following queries. key of the same length is output. A responds by outputting a
1) H( ): The hash function is simulated as a random oracle. bit c . A wins the experiment if c = c. The advantage of A
For each simulation Hi , a list Li is maintained to keep is denoted by AdvSSecMAPFS (A).
the input ini and the output outi . When queried by A, if
the input ini is found in the stored list Li , the output outi B. Security Analysis
r
is returned; otherwise, a random string outi ← − {0, 1}li Using the security model discussed before, in what fol-
is returned where li is the output length of the hash lows, we prove that MAPFS achieves both MA and SS in
function Hi and the entry ini and outi is added to the the random oracle model.
stored list Li . Theorem 1: Under the assumption of the intractability of
2) Send(S, m, O): It is used to model the adversary’s active ECDLP, MAPFS is MA-secure where for any PPT adversary
attacks on the system, such as replay attacks, imper- MAPFS (A) ≤ .
A, AdvAuth
sonation attacks, and injection attacks. It allows the Proof: We proceed by showing that for any PPT adver-
adversary to act as a legitimate entity and send a mes- sary A, the advantage of A in impersonating an IoT device is
sage m to the protocol participant O in the session S. It negligible. We show that if A can break the IoT-to-Gateway
responds according to the protocol specifications, which authentication, it can be used as a subroutine in adversary B
depend on its role and current internal state. who can break the ECDLP. Given the EC point Q = sP such
r
3) Execute(IoTa , Gw ): It is used to model the adversary’s that s ←− Zq∗ , B simulates the protocol and solves the ECDLP
passive attacks by generating the transcript T of the as follows.

In the initialization phase, B initializes the protocol and sets the public key Pubgc = Q. Also, it sets the IoT device IoTa as the target device for A (i.e., A is required to impersonate the IoT device IoTa and generate a valid login message). B generates r, ya ←R Zq* and computes Ya = ya P, A = rP, and ha = H2(IDa||Xa||Pubgc||Ya||hx), where IDa and Xa are the normal parameters for IoTa in our protocol. Also, B initializes the lists LIoT = {} and L2 = {} and stores hx, ya in LIoT and ha in L2. It also performs the Send query to send <"Hello", A> to the protocol participant IoT gateway w to get the tuple <W, IDw, Xw, Yw, σz>.

In the training phase, A performs the Send query to send the tuple <W, IDw, Xw, Yw> to the protocol participants SI = {IoT1, IoT2, ..., IoTn} to obtain the IoT authentication tuple <P1, P2, P3, σt, T1, T2, s1, s2>. Note that the target IoT device IoTa ∉ SI.

After the training phase, B notifies A to send a valid login message for the target IoT device IoTa. Suppose A successfully submits a valid login message <P1, P2, P3, σt, T1, T2, s1, s2> for the target IoT device IoTa. Then, the following conditions hold:

σt = Ia r2 (sgc + ya ha + ya) + r1 xa
s1 = r2 Ia + r3
s2 = ha Ia + r4    (1)

where Ia = H4(A||P1||P2||P3||T1||T2||W). According to the forking lemma [46], [47], B and A can repeat the above game with the same random nonces r1, r2, r3, and r4 and a different hash oracle H' until A outputs another valid login message <P1, P2, P3, σt', T1, T2, s1', s2'> such that

σt' = Ia' r2 (sgc + ya ha + ya) + r1 xa
s1' = r2 Ia' + r3
s2' = ha Ia' + r4    (2)

From (1) and (2),

r2 = (Ia − Ia')^{-1} (s1 − s1')
ha = (Ia − Ia')^{-1} (s2 − s2')
(Ia − Ia')^{-1} (σt − σt') = r2 sgc + r2 ha ya + r2 ya.    (3)

B gets ya for the target IoT device IoTa from the list LIoT and responds with s = r2^{-1} ((Ia − Ia')^{-1} (σt − σt') − r2 ha ya − r2 ya) as a solution to the ECDLP for the given point Q. However, under the assumption of the intractability of the ECDLP, B does not exist and, accordingly, an A who can produce a valid login message to the IoT gateway cannot exist.

Furthermore, we show that the advantage of A in impersonating an IoT gateway is negligible. We show that if A can break the Gateway-to-IoT authentication, it can be used by an adversary B who can break the ECDLP. Given the EC point Q = sP such that s ←R Zq*, B simulates the protocol and solves the ECDLP as follows.

In the initialization phase, B initializes the protocol and sets the public key Pubgc = Q. Also, it sets the IoT gateway w as the target device for A (i.e., A is required to impersonate the IoT gateway w and generate a valid login message). Also, B generates r, yw ←R Zq* and computes Yw = yw P, A = rP, and hw = H1(IDw||Xw||Pubgc||Yw), where IDw and Xw are the normal parameters for the gateway w in our protocol. Then, B initializes the lists Lw = {yw} and L1 = {hw}.

In the training phase, A performs the Send query to send <"Hello", A> to the protocol participants SG = {G1, G2, ..., Gm} to obtain the gateway authentication tuple <W, IDw, Xw, Yw, σz>. Note that the target IoT gateway Gw ∉ SG.

After the training phase, B notifies A to send a valid login message for the target IoT gateway Gw. Suppose A successfully submits a valid login message <W, IDw, Xw, Yw, σz> to impersonate the target IoT gateway w. Then, the following condition holds:

σz = Ig (sgc + yw hw) + r5 xw    (4)

where Ig = H3(A||W). According to the forking lemma, B and A can repeat the above game with the same randomness r5 and a different hash oracle H' until A outputs another valid login message <W, IDw, Xw, Yw, σz'> such that

σz' = Ig' (sgc + yw hw) + r5 xw.    (5)

From (4) and (5),

(Ig − Ig')^{-1} (σz − σz') = sgc + hw yw.

Then, B gets yw for the target IoT gateway from the list Lw and responds with s = (Ig − Ig')^{-1} (σz − σz') − hw yw as a solution to the ECDLP for the given point Q. However, under the hardness assumption of the ECDLP, B does not exist and, accordingly, an A who can produce a valid login message to the IoT gateway cannot exist.

It follows that the probability of A violating IoT-to-Gateway authentication is negligible and the probability of A violating Gateway-to-IoT authentication is negligible. Thus, the advantage of A in violating the MA property of the protocol is negligible, and MAPFS is MA-secure.

Theorem 2: Under the intractability assumption of ECDDH, MAPFS is SS-secure where for any PPT adversary A, Adv^SSec_MAPFS(A) ≤ .

Proof: Let us assume that a PPT adversary A can guess the bit involved in SSec; then we show that there exists an adversary B who can solve the ECDDH problem as in the following game between A and B.

Given the points X = xP, Y = yP, and Z such that Z = xyP if b = 1 and Z = zP otherwise, where x, y, and z ←R Zq*. In the initialization phase, B sets Pubgc as the public key of the CA and sets the IoT device IoTa and the IoT gateway Gw for protocol interaction.

In the training phase, A repeats the following nq times:

1) A performs the Execute query to get the protocol transcript Ti between the IoT device IoTa and the IoT gateway Gw for protocol instances πi with session identifier Si, where i is the iteration number, i = 1, 2, ..., nr, and nr is the total number of iterations.

2) A invokes Corrupt on either the IoT device IoTa or the IoT gateway Gw. Moreover, A invokes SSReveal on the protocol instance πi.

3) A invokes the SKReveal query on the protocol instance πi to get the computed session key Ks.

In the challenge phase, B simulates the protocol with A to produce a valid protocol transcript T as follows. B randomly generates σ1 ←R Zq*, Ia ←R Zq*, and ha ←R Zq* and the random nonces r1, r2, r3, and r4 ←R Zq*. Then, it computes Ya = (Ia + ha Ia)^{-1} (σ1 P − Ia Pubgc − r1 r2^{-1} X). After that, B computes the points A = r1 X, P1 = r2 Ya, P2 = r2 Pubgc, P3 = r2 ha Ya, T1 = r3 Pubgc, and T2 = r4 P1 and the responses s1 = r2 Ia + r3 mod q and s2 = ha Ia + r4 mod q. Then, it outputs <"Hello", A> as the first message M1 of the protocol transcript T. To generate the second message M2 from the IoT gateway to the IoT device in the protocol transcript T, B randomly generates σ2 ←R Zq*, Ig ←R Zq*, hw ←R Zq*, and r5 ←R Zq*. Then, it computes Yw = (Ig hw)^{-1} (σ2 P − Ig Pubgc − r5 Y). After that, B produces the point W = r5 Y, adds <A, W> to L3 as input to the hash query with output Ig, and also adds <IDw, Xw, Pubgc, Yw> to L2 as input to the hash query with output hw. Then, it outputs <W, IDw, Xw, Yw, σz> as the second message M2 from the IoT gateway to the IoT device in the protocol transcript T. After that, the IoT device adds <A, P1, P2, P3, T1, T2, W> to L4 as input to the hash query with output Ia. Then, it outputs <P1, P2, P3, σt, T1, T2, s1, s2> as the third message M3 from the IoT device to the IoT gateway in the protocol transcript T.

Next, B outputs the transcript T and the string H0(r1 r5 R) to A, where T is indistinguishable from the transcripts produced in the training phase. Specifically, A validates M2 of the output transcript T by checking σz P ≟ Ig Pubgc + Ig hw Yw + W, where A checks the list L3 for the entry <A, W> to get Ig and checks L1 for the entry <IDw, Xw, Pubgc, Yw> to get hw. Also, A validates the third message M3 of the output transcript T by checking σt P ≟ Ia (P1 + P2 + P3) + A, s1 Pubgc ≟ Ia P2 + T1, and s2 P1 ≟ Ia P3 + T2, where A checks L4 for the entry <A, P1, P2, P3, T1, T2, W> to get Ia.

Assume a PPT adversary A who can break the SS of the proposed protocol and outputs c = 1 if the string H0(r1 r5 R) is the session key and c = 0 otherwise. B gets the bit c from A and passes it as its guess bit b, and wins the ECDDH game. Under the hardness of ECDDH, there is no adversary B who can win the ECDDH game with a nonnegligible probability; therefore, there is no such adversary A who can break the SS of MAPFS.

C. MAPFS Freshness, Anonymity, Backward Secrecy, and Forward Secrecy Properties

1) MAPFS Freshness: MAPFS would be vulnerable to replay attacks if an adversary A could use an old IoT signature σt or gateway signature σz to impersonate either the IoT device or the IoT gateway.

In our protocol, the IoT device starts the session with a "Hello" message along with a fresh one-time IoT public key A = r1 Xa. The IoT gateway replies with a fresh one-time gateway public key W = r5 Xw. These fresh A, W are used in the computation of the integrity terms Ig = H3(A||W) and Ia = H4(A||P1||P2||P3||T1||T2||W), which are embedded in the gateway signature σz = Ig σw + r5 xw and the IoT signature σt = Ia r2 σa + r1 xa.

Therefore, a replay attack in a session S' will not be valid, since A has to include the fresh A', W' generated by the IoT device and the gateway during the new session S' in the IoT signature σt and the gateway signature σz such that σt P = Ia (P1 + P2 + P3) + A' and σz P = Ig Pubgc + Ig H1(IDw||Xw||Pubgc||Yw) Yw + W'. This replay attack, using the old σt and σz, is not valid under the preimage resistance property of the hash function, and MAPFS is secure against replay attacks. This follows from the fact that the new σt and σz have to include the new Ia = H4(A'||P1||P2||P3||T1||T2||W') and Ig = H3(A'||W') of the new A', W'.

2) Unlinkability of the IoT Requests: Upon authenticating with the IoT gateway, the IoT device sends the transcript <A, P1, P2, P3, T1, T2, s1, s2>, where A = r1 Xa, P1 = r2 Ya, P2 = r2 Pubgc, P3 = r2 ha Ya, T1 = r3 Pubgc, and T2 = r4 P1. Since all the sent parameters are randomized by r1, r2, r3, and r4, the IoT request is computationally indistinguishable from a random sequence. Moreover, an exhaustive search over the registered IoT devices, to identify the requesting IoT device or correlate the IoT requests, is not applicable without knowing ya or ha of each IoT device, which are known only to the CA. Therefore, the advantage of A in violating the unlinkability of the IoT requests is negligible and A cannot relate the IoT requests.

3) Perfect Forward Secrecy: This property is maintained if the compromise of the long-term key or the current session key does not lead to the leakage of past session keys [48]. Here, in our protocol, the session key Ks = H0(r5 xw A) = H0(r1 xa W) = H0(r1 r5 xa xw P), where r1 and r5 are two random nonces generated by the IoT device and the IoT gateway, respectively. Therefore, the protocol is said to achieve perfect forward secrecy, since the computation of the session key depends on the long-term keys xa, xw of the IoT device and the IoT gateway as well as on the fresh randoms r1, r5 generated by the IoT device and the IoT gateway during the new session.

4) Backward Secrecy: This property is maintained when an adversary who has access to the protocol state values (i.e., r1, r2, r3, r4, A, P1, P2, P3, r5, W) cannot compute the previous session keys [49]. The computation of the session key of session i depends on the randoms generated by the IoT gateway and the IoT device during session i, where Ks = H0(r1 r5 xa xw P). Therefore, compromising the IoT device state values during session i does not leak any information about the session keys of sessions i − 1, i − 2, ..., 2, 1. Hence, MAPFS achieves the backward secrecy property.

VII. PERFORMANCE EVALUATION

It is important to consider the efficiency of the proposed protocol by analyzing its performance in terms of the 1) communication overhead, which consists of the messages exchanged between the communicating entities before the actual transfer of information, i.e., these are the messages exchanged between

TABLE III: SUMMARY OF OUR PERFORMANCE ANALYSIS

TABLE IV: AVERAGE CRYPTOGRAPHIC OVERHEAD TIME USING 1000 RUNS

the IoT device and IoT gateway to achieve the MA and session key establishment; 2) storage requirement on the IoT device and the IoT gateway, i.e., the secrets stored on the IoT device and the IoT gateway to achieve MA and session key derivation; and 3) computation cost, which involves the operations that are done by the IoT device and the IoT gateway during the authentication process and session establishment. In our performance analysis, we assume 128-bit random values and a 128-bit ID. Also, we assume a 256-bit elliptic curve, which typically provides nearly a 128-bit security level [50]. In order to perform the hash functions H0, H1, H2, H3, H4, which take EC points in their domains, we use the x and y coordinates for the representation of the EC points. Moreover, as the codomains of the hash functions are in Zq, we perform a modular q operation on the output of the hash function, where q is 256 bits. The summary of our performance analysis is presented in Table III.

A. Storage Requirements

The IoT device needs to store the 256-bit private key xa, the 128-bit identity IDa, the 256-bit signing key σa, the 256-bit ha, and the 256-bit public keys Xa and Ya, which is equivalent to a storage of 11 × 128 bits.

On the other side, the IoT gateway needs a 9 × 128-bit storage space to keep the 128-bit private key xw, the 256-bit signing key σw, the 128-bit identity IDw, and the 256-bit public keys Xw and Yw.

B. Computation Cost

In the authentication process, the IoT device generates the random nonces r1, r2, r3, and r4 and does six scalar point multiplications to compute the randomized points A, P1, P2, and P3 and the commitments T1 and T2. For computing σt, the IoT device does one hash operation to compute Ia. For verifying the authentication token of the IoT gateway, the IoT device does two hash operations, three scalar point multiplications, and two point additions. Additionally, the IoT device does one hash operation and one scalar multiplication for computing the session key.

On the other side, the IoT gateway generates the random nonce r5 and performs one scalar point multiplication to compute W. Moreover, the IoT gateway does eight scalar point multiplications and four point additions to verify the authentication request of the IoT device. For computing the session key, the IoT gateway does one scalar multiplication. During the authentication process, the IoT gateway does three hash operations to compute Ia, Ig, and the session key.

C. Communication Overhead

The IoT device initiates the authentication process by sending a "Hello" message along with a 2 × 128-bit randomized EC point A. The IoT gateway responds with a 9 × 128-bit message <W, IDw, Xw, Yw, σz>. In turn, the IoT device replies with a 16 × 128-bit message <P1, P2, P3, σt, T1, T2, s1, s2>. Thus, in total, the communication overhead between the IoT device and the IoT gateway is 27 × 128 bits (i.e., 432 bytes).

Compared with the other protocols in [26], [28], [30], [31], [32], [33], and [34], MAPFS has the highest communication overhead. However, the protocols in [26], [28], and [34], which require 96, 64, and 128 bytes, respectively, do not offer MA. Meanwhile, the protocols in [30], [31], [32], and [33] require 192, 192, 352, and 240 bytes, respectively, but fail to ensure the IoT unlinkability from the serving IoT gateway, as seen in Table I. This creates a vulnerability that allows an external attacker who compromises the IoT gateway to profile the IoT device.

D. Execution Time

In our comparison, we consider the average time required by each operation as shown in Table IV and the number of required cryptographic operations on both the IoT device and gateway sides as reported in Table V. Note that we neglect modular operations (i.e., multiplication and addition) as they require microsecond execution time. For measuring the average execution time, we use a Raspberry Pi 4 Model B/8GB embedded with a 1.5 GHz 64-bit quad-core ARM Cortex-A72 processor running the Raspbian 64-bit operating system. We run the cryptographic primitives 1000 times to compute the average execution time. Moreover, we illustrate the variations of our measurements in a box plot in Fig. 5. For more resource-constrained IoT devices that are beyond the Raspberry Pi capabilities, the 48 MHz Arm Cortex-M0 with ATECC508A hardware acceleration, as in [35] and [52], can be considered. It offers 0.113 ms AES timing, 0.361 ms hash timing,

Fig. 5. Box plot for the overhead timing of the cryptographic primitives.

TABLE V: PERFORMANCE COMPARISON BASED ON THE COMPUTATION COMPLEXITY

0.722 ms HMAC timing, and 2 ms random number generator timing.

We show the total computation-overhead time of the cryptographic primitives used in our protocol MAPFS compared to the other related protocols [28], [30], [31], [32], [33], [34] in Fig. 6. MAPFS has the lowest computation time compared to the other protocols, and it provides the unlinkability of the IoT request with respect to the IoT gateway besides other security properties.

Our prototype is available as open source on the GitHub repository https://github.com/LabCryptoLab/MAPFS. This repository includes the Python implementation of the different cryptographic primitives using the bplib, fastecdsa, and crypto libraries for the bilinear pairing, EC operations, and encryption systems, respectively. Additionally, the repository includes a socket programming implementation to simulate the flow of messages between the IoT device and the IoT gateway. The client, a Raspberry Pi 4, played the role of the IoT device, and the server, an Intel laptop with an 11th Gen Core i7-11800H clocked at 2.3 GHz and 16 GB RAM, acted as the IoT gateway.

Fig. 6. Evaluations of the overhead associated with cryptographic primitives in schemes [28], [30], [31], [32], [33], [34] and MAPFS.

VIII. CONCLUSION AND FUTURE WORK

In this article, we proposed MAPFS, a privacy-preserving MA protocol between the IoT device and the IoT gateway for computation offloading services in the IoT–Edge–Cloud paradigm. MAPFS achieves anonymity of the IoT device, session unlinkability, and perfect forward secrecy for the established session key, with revocation ability for a misbehaving IoT device. Our protocol distinguishes itself from certificate-based anonymous authenticated schemes in that anonymity

can be achieved without additional communication or storage overheads.

MAPFS makes use of ECC for achieving an efficient 128-bit security level. To achieve anonymity of the IoT device and the unlinkability property, MAPFS randomizes the authentication token of the IoT. Moreover, it makes use of ZKP to prove knowledge of the random nonce that binds the authentication token to the published public parameters of MAPFS. We have formally proved that under the intractability of ECDLP and ECDDH, MAPFS is MA-secure and ensures the secrecy of the session key. Moreover, we have analyzed the protocol's unlinkability, perfect forward secrecy, and backward secrecy. Furthermore, we evaluated MAPFS in terms of storage requirement, communication overhead, and computation cost. Finally, we compared the execution time of our protocol with other closely related protocols.

Finally, it should be noted that in MAPFS, IoT devices register with the KGC to obtain their signing keys. For future work, we plan to investigate registration techniques that better fit the distributed nature of the edge computing paradigm during the registration phase.

REFERENCES

[1] W. Shi, J. Cao, Q. Zhang, Y. Li, and L. Xu, "Edge computing: Vision and challenges," IEEE Internet Things J., vol. 3, no. 5, pp. 637–646, Oct. 2016.
[2] B. Varghese, N. Wang, S. Barbhuiya, P. Kilpatrick, and D. S. Nikolopoulos, "Challenges and opportunities in edge computing," in Proc. IEEE Int. Conf. Smart Cloud (SmartCloud), 2016, pp. 20–26.
[3] J. Zhou, Z. Cao, X. Dong, and A. V. Vasilakos, "Security and privacy for cloud-based IoT: Challenges," IEEE Commun. Mag., vol. 55, no. 1, pp. 26–33, Jan. 2017.
[4] S. Uludag, K.-S. Lui, W. Ren, and K. Nahrstedt, "Secure and scalable data collection with time minimization in the smart grid," IEEE Trans. Smart Grid, vol. 7, no. 1, pp. 43–54, Jan. 2016.
[5] R. Hummen, J. H. Ziegeldorf, H. Shafagh, S. Raza, and K. Wehrle, "Towards viable certificate-based authentication for the Internet of Things," in Proc. 2nd ACM Workshop Hot Topics Wireless Netw. Security Privacy, 2013, pp. 37–42.
[6] R. L. Rivest, A. Shamir, and Y. Tauman, "How to leak a secret," in Proc. Adv. Cryptol.: 7th Int. Conf. Theory Appl. Cryptol. Inf. Security, Gold Coast, 2001, pp. 552–565.
[7] D. Chaum and E. Van Heyst, "Group signatures," in Proc. Adv. Cryptol. EUROCRYPT'91: Workshop Theory Appl. Cryptogr. Technol., 1991, pp. 257–265.
[8] S. S. Al-Riyami and K. G. Paterson, "Certificateless public key cryptography," in Proc. Asiacrypt, vol. 2894, 2003, pp. 452–473.
[9] S. Li, T. Zhang, B. Yu, and K. He, "A provably secure and practical PUF-based end-to-end mutual authentication and key exchange protocol for IoT," IEEE Sensors J., vol. 21, no. 4, pp. 5487–5501, Feb. 2021.
[10] B. Ying and A. Nayak, "Lightweight remote user authentication protocol for multi-server 5G networks using self-certified public key cryptography," J. Netw. Comput. Appl., vol. 131, pp. 66–74, Apr. 2019.
[11] Z. Xu, C. Xu, W. Liang, J. Xu, and H. Chen, "A lightweight mutual authentication and key agreement scheme for medical Internet of Things," IEEE Access, vol. 7, pp. 53922–53931, 2019.
[12] K.-H. Wang, C.-M. Chen, W. Fang, and T.-Y. Wu, "On the security of a new ultra-lightweight authentication protocol in IoT environment for RFID tags," J. Supercomput., vol. 74, no. 1, pp. 65–70, 2018.
[13] H. Chung, K.-C. Choi, and M.-S. Jun, "A design of key agreement scheme between lightweight devices in IoT environment," in Proc. Adv. Comput. Sci. Ubiquitous Comput., 2016, pp. 224–229.
[14] M. Turkanović, B. Brumen, and M. Hölbl, "A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion," Ad Hoc Netw., vol. 20, pp. 96–112, Sep. 2014.
[15] M. Seifelnasr, M. Nakkar, A. Youssef, and R. AlTawy, "A lightweight authentication and inter-cloud payment protocol for edge computing," in Proc. IEEE 9th Int. Conf. Cloud Netw. (CloudNet), 2020, pp. 1–4.
[16] M. Seifelnasr, R. AlTawy, and A. Youssef, "Efficient inter-cloud authentication and micropayment protocol for IoT edge computing," IEEE Trans. Netw. Service Manag., vol. 18, no. 4, pp. 4420–4433, Dec. 2021.
[17] J. Y. Chun, J. Y. Hwang, and D. H. Lee, "A note on leakage-resilient authenticated key exchange," IEEE Trans. Wireless Commun., vol. 8, no. 5, pp. 2274–2279, May 2009.
[18] M. M. Fouda, Z. M. Fadlullah, N. Kato, R. Lu, and X. S. Shen, "A lightweight message authentication scheme for smart grid communications," IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 675–685, Dec. 2011.
[19] D. Hankerson, A. Menezes, and S. Vanstone, "Elliptic curve arithmetic," in Guide to Elliptic Curve Cryptography. New York, NY, USA: Springer, 2004.
[20] C.-T. Li, C.-Y. Weng, and C.-C. Lee, "An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks," Sensors, vol. 13, no. 8, pp. 9589–9603, 2013.
[21] W. Shi and P. Gong, "A new user authentication protocol for wireless sensor networks using elliptic curves cryptography," Int. J. Distrib. Sensor Netw., vol. 9, no. 4, 2013, Art. no. 730831.
[22] Y. Choi, D. Lee, J. Kim, J. Jung, J. Nam, and D. Won, "Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography," Sensors, vol. 14, no. 6, pp. 10081–10106, 2014.
[23] C.-C. Chang and H.-D. Le, "A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks," IEEE Trans. Wireless Commun., vol. 15, no. 1, pp. 357–366, Jan. 2016.
[24] X. Li, J. Peng, J. Niu, F. Wu, J. Liao, and K.-K. R. Choo, "A robust and energy efficient authentication protocol for industrial Internet of Things," IEEE Internet Things J., vol. 5, no. 3, pp. 1606–1615, Jun. 2018.
[25] P. Tedeschi, S. Sciancalepore, A. Eliyan, and R. Di Pietro, "LiKe: Lightweight certificateless key agreement for secure IoT communications," IEEE Internet Things J., vol. 7, no. 1, pp. 621–638, Jan. 2020.
[26] N. Gayathri, G. Thumbur, P. R. Kumar, M. Z. U. Rahman, P. V. Reddy, and A. Lay-Ekuakille, "Efficient and secure pairing-free certificateless aggregate signature scheme for healthcare wireless medical sensor networks," IEEE Internet Things J., vol. 6, no. 5, pp. 9064–9075, Oct. 2019.
[27] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, "Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks," J. Netw. Comput. Appl., vol. 106, pp. 117–123, Mar. 2018.
[28] A. Karati, S. H. Islam, and M. Karuppiah, "Provably secure and lightweight certificateless signature scheme for IIoT environments," IEEE Trans. Ind. Informat., vol. 14, no. 8, pp. 3701–3711, Aug. 2018.
[29] D. Abbasinezhad-Mood and M. Nikooghadam, "An anonymous ECC-based self-certified key distribution scheme for the smart grid," IEEE Trans. Ind. Electron., vol. 65, no. 10, pp. 7996–8004, Oct. 2018.
[30] Y. Li, Q. Cheng, X. Liu, and X. Li, "A secure anonymous identity-based scheme in new authentication architecture for mobile edge computing," IEEE Syst. J., vol. 15, no. 1, pp. 935–946, Mar. 2021.
[31] Y. Jiang, K. Zhang, Y. Qian, and L. Zhou, "Anonymous and efficient authentication scheme for privacy-preserving distributed learning," IEEE Trans. Inf. Forensics Security, vol. 17, pp. 2227–2240, 2022.
[32] X. Jia, D. He, N. Kumar, and K.-K. R. Choo, "A provably secure and efficient identity-based anonymous authentication scheme for mobile edge computing," IEEE Syst. J., vol. 14, no. 1, pp. 560–571, Mar. 2020.
[33] X. Jia, M. Luo, K.-K. R. Choo, L. Li, and D. He, "A redesigned identity-based anonymous authentication scheme for mobile edge computing," IEEE Internet Things J., vol. 9, no. 12, pp. 10108–10120, Jun. 2022.
[34] J. Chen, L. Wang, M. Wen, K. Zhang, and K. Chen, "Efficient certificateless online/offline signcryption scheme for edge IoT devices," IEEE Internet Things J., vol. 9, no. 11, pp. 8967–8979, Jun. 2022.
[35] M. Nakkar, R. AlTawy, and A. Youssef, "Lightweight broadcast authentication protocol for edge-based applications," IEEE Internet Things J., vol. 7, no. 12, pp. 11766–11777, Dec. 2020.
[36] J. Hoffstein, J. Pipher, and J. H. Silverman, An Introduction to Mathematical Cryptography, vol. 1. New York, NY, USA: Springer, 2008.
[37] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Trans. Inf. Theory, vol. IT-22, no. 6, pp. 644–654, Nov. 1976.
[38] M. Bellare, "A note on negligible functions," J. Cryptol., vol. 15, no. 4, pp. 271–284, 2002.
[39] C.-P. Schnorr, "Efficient signature generation by smart cards," J. Cryptol., vol. 4, no. 3, pp. 161–174, 1991.

Riham AlTawy (Senior Member, IEEE) received the B.Sc. and M.Sc. degrees from AAST, Alexandria, Egypt, in 2005 and 2008, respectively, and the Ph.D. degree from Concordia University, Montreal, QC, Canada, in 2016.

She is currently an Assistant Professor with the Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC, Canada. Previously, she was an NSERC Postdoctoral Fellow with the Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, Canada. Her research interests focus on IoT security, blockchains, and lightweight cryptography.

Amr Youssef (Senior Member, IEEE) received the B.Sc. and M.Sc. degrees from Cairo University, Cairo, Egypt, in 1990 and 1993, respectively, and the Ph.D. degree from Queen's University, Kingston, ON, Canada, in 1997.

He is currently a Professor with the Concordia Institute for Information Systems Engineering (CIISE), Concordia University, Montreal, QC, Canada. Before joining CIISE, he worked with Nortel Networks, Ottawa, ON, Canada; the Center for Applied Cryptographic Research, University of Waterloo, Waterloo, ON, Canada; IBM, New York, NY, USA; and Cairo University. He has more than 230 refereed journal and conference publications in areas related to his research interests. He has also served on more than 60 technical program committees of cryptography and data security conferences. His research interests include cryptology, cybersecurity, and cyber-physical systems security.

Prof. Youssef was Co-Chair of Africacrypt 2013 and Africacrypt 2020, and of the Selected Areas in Cryptography conference (SAC 2014, SAC 2006, and SAC 2001).

Mohamed Seifelnasr (Student Member, IEEE) received the B.Sc. degree in communication, electronics and computer engineering from Helwan University, Cairo, Egypt, in 2012, and the M.Sc. degree in computer science from Huazhong University of Science and Technology, Wuhan, Hubei, China, in 2018. He is currently pursuing the Ph.D. degree with the Concordia Institute for Information Systems Engineering (CIISE), Concordia University, Montreal, QC, Canada.

His current research interests include Internet-of-Things and edge computing security.

Essam Ghadafi (Senior Member, IEEE) received the B.Sc. degree in computer science from the University of Tripoli, Tripoli, Libya, in 1998, and the M.Sc. degree in advanced computing and the Ph.D. degree in cryptography and information security from the University of Bristol, Bristol, U.K., in 2008 and 2012, respectively.

He worked as a Postdoctoral Researcher with the University of Bristol and University College London, London, U.K. He is currently a Senior Lecturer of Cyber Security with Newcastle University, Newcastle upon Tyne, U.K. He has led and participated in various research projects, and his experience also includes supervising Ph.D. students. His research interests include cryptography and information security.
