A three-factor anonymous user authentication scheme for Internet of Things environments

that its computation and communication costs are suitable for extremely low-cost IoT devices. © 2020 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0).


Introduction
The Internet of Things (IoT) is composed of resource-constrained nodes, and these densely scattered nodes in IoT environments provide continuous service, irrespective of time and location. Currently, IoT has been adopted for many applications, including healthcare, smart home, smart factory, and smart city. Furthermore, the advent of the fifth-generation (5G) cellular network and its commercialization has birthed the anticipation of a hyperlinked network to connect and share information not only between individual portable terminals but also between most (if not all) of the objects we use in daily life. According to a study conducted by Park et al. [1], by the year 2020, approximately 50 billion sensor devices across the world will be connected to IoT networks, and the number of these devices is expected to increase exponentially with the commercialization of 5G networks. According to the 5G vision requirements of the International Telecommunication Union Radio Communication Standards Sector (ITU-R) [2], a massive IoT network accommodates approximately 1 million objects per km² (1 per m²).
The development of IoT and massive IoT has tremendous potential, but these environments expose devices to a wide range of vulnerabilities due to an increased attack surface. Therefore, to protect user privacy in IoT environments, security properties such as (1) data security, (2) virtual network security, (3) service availability, and (4) data integrity must be provided [3]. In the network architecture, secure user authentication and key distribution mechanisms utilizing cryptography must support these IoT security requirements [4]. In an IoT network, user nodes and sensor nodes that interact with each other are exposed to various threats. To strengthen the security of the IoT network, user authentication schemes must guarantee the following security and functional requirements [5,6]: (1) User anonymity: The authentication scheme must maintain anonymity to ensure user privacy. In essence, an attacker cannot uncover the actual identity of the user. (2) Unlinkability: The scheme must prevent the attacker from tracking the activity of the user, thereby guaranteeing unlinkability and enhancing user privacy. (3) Mutual authentication: The scheme must provide mutual authentication for participants to verify each other's legitimacy. (4) Session key agreement: In the authentication scheme, the session key used to encrypt and decrypt the message must be fresh, and forward secrecy must be assured. (5) Resilience to various attacks: The authentication scheme must achieve all key security goals and resist various known attacks.
When secret keys are exposed, all traffic in the network can be decrypted. Even when a key stored in physical memory is exposed through a side channel attack, a user authentication scheme must implement countermeasures that prevent the attacker from intruding and controlling the IoT network. The revocation mechanism is a simple and efficient countermeasure. With the revocation mechanism implemented, when a user's private key is lost or stolen, the administrator issues a new key to the user.
Lately, numerous authentication schemes have been proposed for enhanced security. In 2007, Dhillon and Kalra [7] presented a three-factor remote user authentication scheme that is efficient in terms of computational cost in resource-constrained IoT environments. However, we discovered some security defects in their scheme. In this study, we perform an investigation of the security of their scheme using cryptanalysis and propose a new authentication scheme that resolves the security issues. Through security analysis, we demonstrate that the proposed scheme ensures all security requirements, and through performance analysis, we demonstrate that the scheme is suitable in terms of computational and communication cost for application in IoT environments.
The remainder of this paper is organized as follows: In Section 2 , previous studies are explored. In Section 3 , the preliminary knowledge for this study is introduced for an understanding of the background. In Section 4 , Dhillon and Kalra's scheme [7] is reviewed, and the cryptanalysis performed on the scheme is presented in Section 5 . In Section 6 , the proposed scheme is presented. In Section 7 , we provide an informal and a formal security analysis of the proposed scheme. In Section 8 , we present the performance comparisons with the related schemes. Finally, the conclusions of this study are presented in Section 9 .

Related work
Since Lamport [8] first proposed a password-based authentication scheme, many related studies of two-factor authentication schemes have been proposed to improve the security and efficiency of various network environments [9][10][11]. In addition, two-factor authentication schemes using various cryptographic technologies such as symmetric key cryptography, asymmetric key cryptography, and hash functions have been studied to provide secure user authentication in wireless sensor networks (WSNs) [12][13][14][15][16].
In 2006, Wong et al. [17] first proposed a lightweight and dynamic password-based user authentication scheme for securely accessing WSNs. However, Das [18] claimed that the scheme proposed by Wong et al. [17] has security drawbacks (e.g., it cannot resist many logged-in users with the same login ID attacks and stolen-verifier attacks). To enhance the security of the scheme proposed by Wong et al. [17], Das [18] proposed a two-factor user authentication scheme for strong authentication and session key establishment using the gateway (GW). Unfortunately, it was later revealed by Khan and Alghathbar [19] and He et al. [20] that the scheme proposed by Das [18] is vulnerable to various attacks, including impersonation, privileged-insider attacks, and GW-node bypassing, and it does not guarantee mutual authentication between the GW and sensor nodes. To resolve this security problem, Khan and Alghathbar [19] proposed an enhanced two-factor user authentication scheme and claimed that their scheme had several security advantages. However, Vaidya et al. [21] discovered that Khan and Alghathbar's scheme [19] is not secure against smartcard theft, forgery, and node capture attacks. In 2011, Yeh et al. [22] also reported vulnerabilities in the scheme presented by Das [18] and proposed a new user authentication scheme that uses smart cards for WSNs. Yeh et al. [22] applied the elliptic curve cryptography (ECC)-based mechanism to the scheme to make it suitable for higher security in WSNs. However, according to Xue et al. [23], the scheme proposed by Yeh et al. [22] not only requires additional storage overhead but also requires increased computational resources. Then, Xue et al. [23] proposed a new scheme with strengthened security, but Li et al. [24] reported that various security weaknesses still remained [23]; these included vulnerabilities to loss of a smart card, offline-password guessing, stolen-verifier, insider, and many logged-in users with the same login ID attacks. Turkanovic et al. [25] presented an improved mutual authentication scheme to resolve these security challenges, ensuring essential features such as mutual authentication, key agreement, password security, and low computational costs, using hash and exclusive-OR (XOR) operations. Farash et al. [26] found security failures in the scheme proposed by Turkanovic et al. [25]; they reported that the scheme does not guarantee untraceability and anonymity of the sensor node. To overcome these security vulnerabilities, Farash et al. [26] proposed a user authentication scheme for WSNs, tailored for IoT. However, Kumari et al. [27] reported that the scheme proposed by Farash et al. [26] violates user and sensor-node anonymity and is not secure against various attacks.
In their study, Dhillon and Kalra [7] highlight that traditional two-factor authentication protocols are insecure in real-world situations when a password breach or loss of a smart device occurs. Based on the IoT network model (see Section 3.1) applied to the schemes [25][26][27] described earlier in this section, Dhillon and Kalra [7] proposed a lightweight multi-factor user authentication scheme using password, biometric, and mobile device. They claimed that their scheme is secure against offline password guessing, password change, denial of service, stolen mobile device, and impersonation attacks. However, we found that their solution is also vulnerable to a user impersonation attack via a stolen mobile device attack, and it does not provide a session key agreement and a revocation plan.
In this study, we perform a security analysis to demonstrate the security failures of Dhillon and Kalra's scheme [7]. We then propose an improved lightweight authentication scheme that uses only XOR, hash, and symmetric cryptography and is suitable for IoT environments.

Network model and authentication process
Currently, various IoT architecture models are being used to achieve security, scalability, and efficient computational cost. Xue et al. [23] introduced five resource-constrained communication mechanisms that address users, sensor nodes, and single or multiple gateways. We briefly describe the fifth network model applied to the Dhillon and Kalra's scheme [7] and our scheme, which shares the session key between the mobile node MN i and the sensor node N j . This mutual authentication is performed utilizing the gateway GW , as shown in Fig. 1 . The user authentication process is as follows: (1) MN i sends a login and authentication request to N j to access the IoT network. (2) Upon receipt of the request message, N j sends the received request to GW for MN i authentication. (3) GW checks the message received from N j , authenticates MN i , and responds to N j . (4) N j sends a response to MN i , and then MN i and N j mutually establish a session key via authentication.

Bio-hash function
Biometrics provides a unique identification method for addressing security vulnerabilities in specific user credentials that can be forgotten or stolen, such as pins, passwords, and tokens. Imprint biometric characteristics vary slightly with each input for various reasons, such as dry or cracked skin, or the presence of dust on the imprint sensors [28]. To solve the problem of high false rejection rates, in 2004, Jin et al. [29] proposed a method of two-factor authentication based on inner products between tokenized pseudorandom numbers and user-specific fingerprint features. They created a user-specific compact code set called a bio-hash code. The bio-hash code randomly maps the biometric feature to a binary string using a user-specific token of pseudo-random numbers. The bio-hash has been applied to a variety of recently proposed schemes [30,31]. Bio-hash technology is efficient for biometrics-based multi-factor authentication schemes because it is suitable for small capacity devices [32].

Review of Dhillon and Kalra's scheme
In this section, we review Dhillon and Kalra's user authentication scheme [7] , which consists of three steps: (1) registration, (2) login and authentication, and (3) the password change phase. Table 1 lists all the notations used in this paper.

Registration phase for user
In this phase, MN i , a mobile node seeking to access the IoT service through a smart device application, registers with the GW , and the following operations are performed: (a) MN i selects its identity ID i and password PW i , inputs biometrics BIO i , generates a random number r i , and computes stores the received parameters along with r i . Table 1 Notations.

Symbol
Description Symmetric key encryption and decryption h ( · ) Hash function Private key of MN i K GN Secret key shared between N j and GW

Registration phase for IoT node
In this phase, N j registers with the GW , and the following operations are performed: (a) N j chooses a random number r j and computes MP j = insecure open wireless channel. (e) N j checks the freshness of T 2 . If it is fresh, N j stores z j and x j in the memory storage.

Login and authentication phase
In this phase, MN i , N j , and GW carry out mutual authentication to set up a session key. The detailed description of the login and authentication phase is as follows: GW then verifies whether y * j ? = y j . If they are equal, GW computes If they are equal, N j chooses a random number m j , and computes x *

Password change phase
In this phase, MN i performs the following process to change the password stored in its host mobile device:

Cryptanalysis of Dhillon and Kalra's scheme
In this section, we conduct cryptanalysis of Dhillon and Kalra's scheme [7]. For security analysis, we consider the following attacker capabilities: (1) The attacker A can control the public channel by eavesdropping, inserting, deleting, altering, or intercepting public messages. (2) If A somehow acquires a user's stolen or lost mobile device, he or she can perform a side channel attack to extract secret parameters from the device [33,34].

Stolen mobile device attack
In Dhillon and Kalra's scheme [7] , A can simultaneously obtain the identifier and password of MN i from the user's stolen or lost mobile device. A can perform offline guessing attacks using the following process: from the user's mobile device.  successfully found the correct identity and password. Otherwise, A chooses another ID * i and P W * i , and iterates steps (b) and (c) until the correct identity and password are found.
If they are the same, A proceeds to the next step.
After successfully guessing MN i 's ID i and PW i through the above process, A can not only perform an impersonation attack using y * i and z * i , but also use the guessed identity and password to access another authentication system, or hack the user's sensitive data.

User impersonation attack
A can impersonate a legitimate user using the y * i and z * i values through the guessing attack. Moreover, A can more easily calculate y i and z i values only with e i , f i , and x i values extracted from the user's mobile device without guessing ID * i and P W * i (e.g., y * i = x i e i and z * i = x i f i ). The Dhillon and Kalra's scheme [7] allows the impersonation of a legitimate user during the login authentication phase through the following process:

(a) A inputs ID A , PW A and BIO A and computes MP
(b) After this, A skips the calculation of the other parameters and instead injects the y * i and z * i into the local verification process. (c) If A passes the local verification process, he or she generates a random number n A and computes (e) Eventually, N j and GW proceed with the rest of the login and authentication phase normally. Consequently, A and N j establish a session key.

No provision for agreement of session key
In Dhillon and Kalra's scheme [7] , MN i and N j set up the session key SK , but they do not check whether the random numbers n i and m j included in the session key are correct, or whether they established the session key SK correctly after the mutual authentication. The protocols in [38,39] provide a session key agreement. The reason for ensuring the agreement of the session key is as follows: If, for some reason, an error occurs in a parameter value used to establish the session key, the resulting erroneous session key may cause a communication failure. For this reason, the two nodes that set up the session key must perform a mutual process of checking whether the session key has been correctly calculated.

No provision for revocation
Revoking a user's stolen or lost mobile device is essential for authentication schemes in IoT environments [40] . If MN i 's legitimate mobile device is lost or stolen, an efficient revocation mechanism should be implemented to prevent future misuse of the mobile device and leakage of personal information. To support this mechanism, the server must maintain the user's real identity to detect invalid mobile devices [41] . However, Dhillon and Kalra [7] did not consider this feature in their scheme.

Proposed scheme
We suggest a three-factor anonymous user authentication scheme for IoT environments. The proposed scheme contains the following four phases: (1) registration, (2) login and authentication, (3) password change, and (4) user-revocation phase.

Registration of user
The registration phase of the proposed scheme for MN i is depicted in Fig. 2 and comprises the following operations: (e) Finally, MN i stores the received parameters, < PID i , x i , y i , r GU > , in the mobile device.

Registration of IoT node
The registration phase of the proposed scheme for the sensor node N j is depicted in Fig. 3 and consists of the following operations: (a) N j selects random number r j and computes MP j = and checks whether MP * j and MP j are the same. If they are, GW computes x j = h (NID j || K GN ) and (e) N j stores < y j > in the memory storage.

Login and authentication phase
In this phase, MN i and N j mutually authenticate each other with the support of GW to establish a session key. The steps of the login and authentication phase, depicted in Fig. 4 , are as follows: (c) N j checks the freshness of T 1 . If it is fresh, N j generates a random number n j and computes and If SV i and SV j are the same, MN i and N j successfully establish the same session key.

Password change phase
In this phase, MN i 's password is changed on its mobile device.

Revocation phase
To recover the secret parameters, MN i performs a revocation mechanism for the mobile device as follows:

Informal security analysis
In this section, we perform an informal security analysis of the proposed scheme under the introduced attacker model to prove that it is secure against the various attacks that threaten the security and sustainability of IoT networks.

User anonymity
In the proposed scheme, we generate $PID_i$ by encrypting $MN_i$'s identity $ID_i$ and a random number $r_D$ with the secret key $K_G$, i.e., $PID_i = E_{K_G}(ID_i \| r_D)$. It is different for each session because $r_D$ is also changed simultaneously. After $GW$ authenticates $MN_i$, $GW$ changes the existing $PID_i$ to a new $PID_i^{new}$ and transmits it to $MN_i$. Therefore, even if $A$ eavesdrops on the public messages $M_{1-4}$ on the public channel or extracts the secret parameters $\langle PID_i, x_i, y_i, r_{GU} \rangle$ stored on the mobile device, the proposed scheme satisfies user anonymity because there is no way for $A$ to recognize the real identity $ID_i$.

User untraceability
MN i sends a message M 1 that includes PID i , UN i , and UZ i to N j via a public channel on which A can eavesdrop in the login and authentication phase. Because these parameters contain random values, such as n i and r D , that change and are different for each session, A cannot track the user's actions in the login and authentication phase, i.e., there is no message with the same value on the network. Therefore, the proposed scheme ensures the user's untraceability.

Resistance to stolen mobile device attack
In the proposed scheme, to guess the user's ID i and PW i (personal identification information), A must have knowledge of the secret key K GU . However, K GU is not directly stored on the mobile device; it is protected with the hash function and is not sent via the public channel as plain text. Furthermore, even if we assume that A somehow obtains the secret key K GU , he or she cannot guess PW i without H ( BIO i ), which is unique to the user. Therefore, the proposed scheme resists stolen mobile device attacks.

Mutual authentication
MN i and N j authenticate each other with the assistance of GW in the login and authentication phase. Only a legal MN i can calculate A i using his or her information, which is again used by GW to confirm that MN is valid. Only if this verification process is completed can the next step be performed. In addition, only an N j that calculates a valid x j can be authenticated by GW . The verification process for N j is performed immediately when GW receives the message M 2 . MN i determines whether N j is legitimate by checking that the message that N j returns to MN i contains valid information related to the random number n i that MN i has sent to GW . Therefore, the proposed scheme guarantees mutual authentication because all three participants check the validity of one another throughout the login and authentication process.

Session key agreement
After the login and authentication process, N j generates the session key SK ji using both random numbers of MN i and N j , calculates SV j , and sends SV j to MN i . Then, MN i also computes SK ij and SV i , using its own parameters and N j 's random number extracted from the received message. Then, MN i checks if they share the same session key by checking whether SV i and SV j are equal. Because both parties need to calculate the session key correctly to complete the above process, the proposed scheme ensures a session key agreement.
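The confirmation step described above, whose absence in Dhillon and Kalra's scheme is criticised earlier, shown as an added Python example (not the paper's code). It uses the session-key form SK = h(h(ID_i || n_i) || n_i || m_j) from the paper's analysis; the tag SV = h(SK || T), SHA-256 with length-prefixed fields, the function names, and sending m_j unmasked are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over length-prefixed fields (assumed encoding),
    so that field boundaries in the concatenation are unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def derive_sk(f: bytes, n_i: bytes, m_j: bytes) -> bytes:
    """SK = h(h(ID_i || n_i) || n_i || m_j), where f = h(ID_i || n_i)."""
    return h(f, n_i, m_j)


def make_sv(sk: bytes, timestamp: bytes) -> bytes:
    """Key-confirmation tag. SV = h(SK || T) is an assumed construction;
    the paper's exact SV formula is not reproduced on this page."""
    return h(sk, timestamp)


def sensor_side(f: bytes, n_i: bytes, timestamp: bytes):
    """N_j: choose m_j, derive SK_ji and the tag SV_j returned to MN_i.
    N_j is assumed to already hold f and n_i after GW has authenticated MN_i."""
    m_j = secrets.token_bytes(16)
    sk_ji = derive_sk(f, n_i, m_j)
    return m_j, make_sv(sk_ji, timestamp), sk_ji


def mobile_side(user_id: bytes, n_i: bytes, m_j_received: bytes,
                sv_j: bytes, timestamp: bytes, confirm: bool = True):
    """MN_i: derive SK_ij from the received m_j. With confirm=True the key is
    accepted only if SV_i equals SV_j; with confirm=False it is accepted
    blindly, which is the behaviour criticised in the cryptanalysis.
    Returns SK_ij, or None when confirmation fails."""
    sk_ij = derive_sk(h(user_id, n_i), n_i, m_j_received)
    if confirm:
        sv_i = make_sv(sk_ij, timestamp)
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(sv_i, sv_j):
            return None
    return sk_ij


def run_session(corrupt_m_j: bool, confirm: bool):
    """One login run. Returns (SK_ji held by N_j, SK_ij accepted by MN_i or None)."""
    user_id = b"alice"               # constructed sample identity
    timestamp = b"1700000000"        # constructed sample timestamp
    n_i = secrets.token_bytes(16)
    f = h(user_id, n_i)
    m_j, sv_j, sk_ji = sensor_side(f, n_i, timestamp)
    if corrupt_m_j:
        # Simulate a parameter error in transit: flip one bit of m_j.
        m_j = bytes([m_j[0] ^ 0x01]) + m_j[1:]
    sk_ij = mobile_side(user_id, n_i, m_j, sv_j, timestamp, confirm)
    return sk_ji, sk_ij


if __name__ == "__main__":
    for corrupt, confirm in [(False, True), (True, True), (True, False)]:
        sk_ji, sk_ij = run_session(corrupt, confirm)
        state = "rejected" if sk_ij is None else (
            "keys match" if sk_ij == sk_ji else "keys differ, undetected")
        print(f"corrupt={corrupt} confirm={confirm}: {state}")
```

Without the tag comparison, a single flipped bit leaves both sides holding different keys with no indication until the first encrypted message fails to decrypt.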

Resistance to user impersonation attack
In the proposed scheme, A cannot disguise the user because the scheme resists a stolen mobile device attack through a local user verification process and mutual authentication. Therefore, as a secure session key agreement is guaranteed, the proposed scheme resists user impersonation attacks.

Resistance to replay attack
Even if $A$ eavesdrops on messages $M_{1-4}$ on the public channel and replays them, $A$ cannot calculate the correct session key $SK$. To compute the session key $SK$, $A$ would need to know $n_i$ or $m_j$, and to know these, $A$ needs $GW$'s secret keys $K_G$ and $K_{GU}$. As there is no way for $A$ to know the secret keys of $GW$ from the messages transmitted through the public channel, the proposed scheme is safe from replay attacks.

Local user verification
At the login and authentication phase of the proposed scheme, the mobile device checks the legitimacy of the user. Users who have entered the correct ID i , PW i , and BIO i through the user verification process can perform the following authentication procedure. Therefore, the proposed scheme can block unauthorized access of A because the individual BIO mi is unique.

Resistance to stolen-verifier attack
In the proposed scheme, GW does not directly receive MN i 's credentials such as PW mi and H ( BIO i ). Furthermore, GW maintains the database with RID i encrypted with its private key to confirm the legitimacy of the user, i.e., even if A steals the user's registered information from the database for impersonation, it is difficult for A to know the actual identity of MN i . Therefore, the proposed scheme is secure against stolen-verifier attacks.

Resistance to privileged-insider attack
The privileged-insider can attempt to impersonate a user by using a registration request message obtained at the user registration phase or additionally obtaining the stolen or lost mobile device of a user [47] .
In the registration phase of the proposed scheme, MN i sends ID i and PWB i , which contains PW i and H ( BIO mi ), to GW . However, an insider in a GW cannot guess MN i 's PW i without BIO i , even if A , as a malicious insider, extracts all the parameters < PID i , x i , y i , r GU > stored in the device after he/she gets the stolen or lost mobile device of a user.
The insider needs BIO i or the private key K GU for MN i to impersonate the user. It is impossible to determine BIO i , which is an individual's biological characteristics, and if a security mechanism is applied that prevents insiders from knowing the secret key for users in GW 's system, the insider cannot impersonate the user in any way.
Therefore, the insider cannot impersonate MN i to access and communicate with N j in the proposed scheme. Furthermore, in the password change phase of the proposed scheme, MN i can change his or her password with PWB i without the help of GW . The proposed scheme withstands privileged-insider attacks because it is impossible for the insider to know an MN i 's password.

User-friendly password change
A user's password can be changed from his or her end without server intervention. We apply this mechanism to the proposed scheme to allow the user to replace an old password with a new one after the user verification phase is executed. Therefore, the proposed scheme provides a user-friendly password changing process.

Forward secrecy
The computed session key between MN i and N j can be corrupted by A . However, he or she cannot find significant correlations between the past, present, and future session keys because they contain random numbers n i and m j that are different in each session in the proposed scheme. Therefore, the proposed scheme guarantees forward secrecy.

Resistance to sensor node impersonation attack
In this attack, we assume that $A$ eavesdrops on the messages $M_4$ during the authentication and key agreement phase from the public channel and attempts to generate other messages $M_4 = \langle PID_i^{new}, L_j, SV_j, T_2 \rangle$ to send them to $MN_i$. However, to generate $M_3$, $A$ needs $n_j$ and $F_j$. Therefore, $A$ cannot impersonate a valid sensor node $N_j$ in the proposed scheme. As a result, the proposed scheme is also secure against a sensor node impersonation attack.

Resistance to known session-specific temporary information attack
If the random numbers $n_i$ and $m_j$ are known to $A$, he or she can attempt to compute the session key $SK = h(h(ID_i \| n_i) \| n_i \| m_j^*)$. However, this requires the knowledge of $ID_i$ or $F_j = h(ID_i \| n_j)$ from public messages $M_2$ and $M_4$. As we explained in Section 7.1.1 earlier, the proposed scheme ensures user anonymity through which $ID_i$ is encrypted by the secret key $K_{GU}$. In addition, $F_j$ is protected by $x_j$, which is not transmitted as plain text. There is no way for $A$ to get $ID_i$ and the related parameters involving $SK$. Therefore, the proposed scheme resists the known session-specific temporary information attack.

Provisional revocation phase
In the proposed scheme, $MN_i$ sends a revocation request to $GW$ with $\langle ID^{old} \rangle$ when their mobile device is stolen or lost or when the secret parameters are exposed. Because $GW$ maintains $RID_i$ and $MID_i$ in the database, when a revocation request is received from $MN_i$, $GW$ computes $RID_i^{old} = E_{K_G}(ID_i^{old})$ and checks that the pairs $(RID_i, MID_i)$ and $(RID_i^{old}, MID_i^{old})$ are the same, to determine whether $MN_i$ is a valid user. Since $MID_i$ contains $MN_i$'s $ID_i$ and $BIO_i$, which is unique to the user, $GW$ reissues the secret parameters only to a legitimate user for recovery purposes. Thus, the proposed scheme can handle an unexpected case using provisional revocation.

Formal analysis using ProVerif
ProVerif is an automation tool for cryptographic protocol analysis, and it supports various cryptographic primitives such as symmetric and asymmetric encryptions, digital signatures, and hash functions. The principle by which ProVerif proves the security of a protocol by inputting and verifying the security attributes of the cryptographic primitives is introduced in the manual [48] . ProVerif is widely used by many researchers [49][50][51] to validate the security analysis of the key agreement and authentication schemes for various network environments. In this section, we verify the security of the proposed scheme using ProVerif, introduce ProVerif code as a description of the proposed scheme, and present the analysis results.
The execution of all the code described in Appendix A verifies the accuracy of all the events and queries and generates the simulation results presented in Fig. 5 . All the authentication parameters, i.e., the queries and events between MN i , N j , and GW in the proposed scheme, perform successful mutual authentication and securely establish the session key as a result. Therefore, the proposed scheme can be considered secure against the simulated attacks.

Formal analysis using the random oracle model
In this section, a formal security analysis of the proposed scheme is performed using a random oracle model. To this end, we first define a one-way hash function. A one-way hash function $h : \{0, 1\}^* \rightarrow \{0, 1\}^n$ maps data of an input $x \in \{0, 1\}^*$ of arbitrary size to a bit string of fixed size $h(x) \in \{0, 1\}^n$. The properties of a one-way hash function are as follows:
(1) Pre-image resistance: Given $y = h(x)$, it is computationally difficult to find an input $x$.
(2) Second pre-image resistance : Given x = x , it is computa-
(3) Collision resistance: It is computationally difficult to find two different inputs $x$ and $x'$ such that $h(x) = h(x')$.

Theorem 1.
Assuming that the one-way hash function, h ( · ), behaves like an oracle, the proposed scheme is proven secure against A because it guarantees secure protection of MN i 's identity ID i and GW's private key K G .
Reveal : Given the hash value y = h (x ) , the random oracle shall output the hash input value x unconditionally.
Extract : Given the encrypted message C = E K X (P ) , the random oracle shall output the plain text P unconditionally.
Proof. In the proposed scheme, we apply a method similar to that used for the formal security proof in [52,53] . We assume that A runs the experimental algorithm to derive ID mi and K G that are shown in Algorithm 1 , EXP 1 A HASH for the proposed  6. Call the Extract oracle.
Accept ID i as the correct identity 9.
if (P ID i = P ID i ) then

11.
Accept K G as the correct secret key 12 if (P ID i = P ID i ) then

10.
Accept r GU and K G as the correct r GU and K G of MN i 11. Compute 12. Compute if (y i = y i ) then

14.
Accept
The basic notations of BAN logic are as follows.
(2) $U \mid\equiv C$: Condition $C$ is believed by $U$
To prove mutual authentication of the proposed scheme, we use the following five rules of BAN logic.
(1) Rule 1: Message-meaning rule: If $U$ trusts that the key $K$ is shared with $S$ and $U$ sees $C$ combined with $K$, then $U$ trusts that $S$ once said $C$.
(2) Rule 2: Nonce-verification rule: $\frac{U \mid\equiv \#(C),\ U \mid\equiv S \mid\sim C}{U \mid\equiv S \mid\equiv C}$: If $U$ trusts $C$'s freshness and $U$ trusts that $S$ once said $C$, then $U$ trusts that $S$ trusts $C$.
has jurisdiction over C , and U trusts that S trusts a condition C , then U also trusts C .
Since the main goal of the proposed scheme is to establish a session key between MN i and N j through mutual authentication, we must satisfy the following four goals.
(1) Goal 1: The four messages transmitted in the proposed scheme can be converted into the idealized form as follows.
(1) Using . This is reduced as . This is reduced as . This is reduced as: To derive the goals of the proposed scheme, we define the following assumptions.
We describe the main proof of the proposed scheme using the BAN logic rules, messages and assumptions as follows. From Goals 1, 2, 3, and 4 that we achieved above, we see that MN i and N j establish a session key through secure mutual authentication.

Performance analysis
In this section, we compare the computational and communication costs for the proposed scheme with other related schemes that have the same communication mechanism in IoT networks. We conducted a comparative analysis based on the computational cost and the amount of communication incurred during the login and authentication process.
We considered the 320-bit ECC (Elliptic multiplication) T e , the 128-bit Advanced Encryption Standard (AES) algorithm T s , and the 160-bit hash function T h . We did not consider the XOR operation because it is negligible.
We assumed the following computing environments for the mobile node and gateway and evaluated the execution time of cryptographic operations. We refer to the experimental results of Abbasinezhad-Mood and Nikooghadam [60] for each cryptographic execution time on the following sensor node: (1) Mobile node: Galaxy Note 9 Device, AP; Octa-Core Processor 2.7GHz + 1.7GHz, 8G memory, OS; Android 9.0, and Android Studio and Software Development Kits (SDK) tools.
Based on our measurement results and the experimental results of Abbasinezhad-Mood and Nikooghadam [60] , the cryptographic time of the mobile node, sensor node, and gateway are as follows:
(1) Mobile node: T e ≈ 29.48 μs, T s ≈ 76.2 μs, and T h ≈ 106.38 μs
(2) Sensor node: T e ≈ 1263 μs and T h ≈ 15.5 μs
(3) Gateway: T e ≈ 2226 μs, T s ≈ 5.4097 μs, and T h ≈ 4.9465 μs
We summarize the results of the performance comparison in Table 3 . It indicates that Turkanovic et al.'s scheme [25] has significantly less computational complexity than other schemes. However, it has already been revealed by Farash et al. [26] that Turkanovic et al.'s scheme [25] is vulnerable to various attacks. The computational costs of the schemes proposed by Das et al. [42] , Chang et al. [43] , Yang et al. [44] , and Wu et al. [46] are inferior to that of the proposed scheme. Our comparison shows that Banerjee et al.'s scheme [45] has the second-best performance. However, as shown in Table 2 , their scheme does not include a revocation phase.
Using the method presented in [61,62] , we compared the communications cost of the login and authentication phase. We assume that the lengths of the identity, timestamp, and random
Table 2 Comparison of security requirements.
Fig. 6 presents the process definitions and identifiers of the proposed scheme. Here, we define the public and secure channels used between each party; predefined constants; secret key; session key; exclusive-OR, hash, and bio-hash functions; symmetric key cipher; and concatenation operation; and the start and end of communication between each node to be verified for the correspondence relationship of messages.
Fig. 7 shows the overall MN i process code for the proposed scheme. We model the registration phase on lines 39-42 and the login and authentication phase on lines 43-60.
Fig. 8 shows the overall N j process code for the proposed scheme. We model the registration phase on lines 62-67 and the login and authentication phase on lines 68-91.
9. ProVerif code for the overall mobile node process.
Fig. 9 shows the overall GW process code for the proposed scheme. We model the registration phase on lines 93-108 and the login and authentication phase on lines 109-126.

Appendix A
The code shown in Fig. 10 is intended to model the attacker's capabilities and verify the equivalencies of interprocess. Lines 128-129 verify whether the session keys SK ij and SK ji are secure against the attacker. Lines 130-132 verify whether the internodal relationships of the proposed scheme are in the accurate procedure.