Anonymous Authentication Scheme for Intercommunication in the Internet of Things Environments

Authentication and privacy protection are important security mechanisms for keeping things safe in the Internet of Things environments. In particular, an anonymous authentication scheme is a privacy preserving authentication technique which provides both authentication and privacy preservation. An authentication scheme with anonymity in mobility networks was proposed recently. However, it was proven that it failed to provide anonymity against passive adversaries and malicious users and security against known session key attacks and side channel attacks. We propose an anonymous authentication scheme for intercommunication between the things in the Internet of Things environments. The proposed scheme provides not only anonymity and security, but also untraceability for the thing. Moreover, we only use low cost functions, such as hash functions and exclusive-OR operations in consideration of limited computing power of the thing.


Introduction
As the Internet of Things (IoT) market is expanding recently, the importance of trustworthy IoT products and services is increasing. Zhang et al. [1] discussed IoT security issues just in time. To preserve IoT security, authentication and privacy preservation are some of the major mechanisms and a few authentication schemes in IoT are proposed [2,3]. And improvements and drawbacks of those schemes are presented [4][5][6]. Since a lot of systems and things in IoT environments are connected to the Internet for intercommunication, apparently they can be exposed to hacker's attacks anytime and anywhere.
Systems of IoT infrastructure, such as a computer, a gateway, and a server system, have high computing power, enough memory, and wide communication bandwidth. On the contrary, things like a tag, a sensor, and a device deployed at the end of IoT environments have limited computing capacity and resource. Therefore, the convergence of symmetric and asymmetric cryptosystems and lightweight cryptographic protocols is necessary to guarantee the whole IoT security.
Various things interconnected in IoT environments produce a lot of transmitting data. These data may contain user's behavior, taste, and preference as well as private information. Hence, an adversary can abuse user's information or do some damage through tapping, leaking, modifying, and destroying them. It is clear that privacy protection is one of the most important issues of IoT security. Because only human beings can have privacy, privacy preservation is not originally applied to things. However, things also need to have security measures to prevent privacy invasion in case they deal with human beings' information. For such a reason, anonymity and anonymous authentication are essential to preserve privacy and security of all objects in IoT environments.
Many anonymous authentication schemes in wireless environments, proofs of weaknesses, and countermeasures have been proposed [7][8][9][10][11][12][13][14]. Particularly, Chang et al. [15] proposed an efficient authentication scheme with anonymity for roaming service in global mobility networks. Since their scheme only uses low cost functions, such as hash functions and exclusive-OR operations, it is suitable for batterypowered mobile devices. However, Youn et al. [16] showed 2 International Journal of Distributed Sensor Networks that Chang et al. 's scheme does not provide anonymity and security in certain situations. In other words, it fails to preserve anonymity against passive adversaries and malicious users as well as security against known session key attacks and side channel attacks. Since then, to make up the security faults proven by Youn et al., a few enhanced schemes have been proposed [17][18][19]. Also, anonymous authentication schemes with unlinkability that guarantee not to link one user and his/her messages have been followed [20][21][22].
In this paper, we suppose that IoT components are a thing, a gateway, and a registration server. The thing senses, handles, and transmits various information. All things need to be registered for the registration server before being deployed in IoT environments. The registration server keeps and manages the thing's identity. Also, it maintains a trustworthy relationship with the gateway to response to gateway's request for authenticating the thing. No one but the thing and the registration server can know the thing's identity because the thing certainly knows its identity and the registration server takes the thing's identity when the thing registers for it. The gateway authenticates the thing in relation to the registration server without knowing the thing's identity. And it makes the thing be able to communicate with other things through a secure way. The thing accomplishes mutual authentication and key agreement with the gateway through an anonymous authentication method when it connects to the gateway for the first time. At this time, the gateway which does not know the thing's identity can authenticate the thing with the aid of the registration server. Centering around one gateway, a number of things consist of their own domain. Things in the same domain can do anonymous authentication and session key sharing through the same gateway.
We propose a novel authentication scheme that guarantees anonymity, security, and untraceability in IoT environments by remedying the defects of Chang  The remainder of this paper is organized as follows. We review the related works in Section 2 and present our scheme in Section 3. In Section 4, we analyze security of our scheme. Finally, a concluding remark is given in Section 5.

Related Works
In this section, we review Chang  Their assumption is that each FA and each HA share and store a long term session key using any secure method, such as the Diffie-Hellman key agreement protocol.
Then HA issues a smart card containing {ID MN , ID HA , , ℎ( ), ℎ(⋅)} and delivers it to MN in a secure way.

Authentication Phase.
It is assumed that MN wants to take a roaming service from FA. Before providing services, FA tries to authenticate MN through HA. To achieve this, MN, FA, and HA perform the authentication phase as follows.
(1) MN inserts his/her smart card into the device and enters a password PW MN * .
(2) Smart card generates a nonce MN randomly and computes the parameter as shown in  After checking the identities and exchanging nonces between MN, FA, and HA, they accomplish the following steps for anonymous authentication. (7) MN who receives 4 computes the shadow identity SID, the parameter 1 , the session key SK, and the parameter 2 sequentially such that (9) Upon receiving 5 , FA checks 1 and computes the following hashing value 2 . And then it sends the message 6 = {SID, 1 , 2 , MN , 2 , ID FA } to HA: (10) After receiving 6 , HA checks ID FA and 2 firstly. And it checks the format of MN's identity after computing ID MN as follows: (11) HA computes * and 1 * as demonstrated in (7) to check whether 1 * is equal to 1 . The equivalence between 1 * and 1 implies that the selected PW MN in the registration phase is the same as the password PW MN * that MN enters in the authentication phase: * = ℎ (ID MN ‖ ) ⊕ MN , (12) HA computes the parameter 1 after obtaining the session key SK from 2 . And it computes the parameter 3 and the hashing value 3 to send the message (1) Upon receiving 7 , FA obtains the following session key SK from 1 after checking 3 : And it computes the parameter 2 as follows to send the message 8 = { 3 , 2 } to MN: (2) After receiving 8 , MN computes the following 3 * and checks whether 3 * and 3 are equal or not: The fact that two values are equal means MN confirms FA as a valid foreign agent.
(3) MN computes SK * as follows: from 2 to check the equivalence between SK * and SK that MN computes in the authentication phase: According to the sameness of two values, MN confirms that he/she shares the authenticated session key with FA.
(4) Since then, MN and FA use SK when they want to communicate with one another through a secure channel.  And it is easy to perform a bruteforce search of a valid identity since it is short and has a certain format. In addition, there exists an adversary who can execute side channel attacks.

Anonymity against Passive Adversaries.
A passive adversary can obtain 2 and 2 by eavesdropping messages between MN, FA, and HA. The adversary chooses a candidate identity ID to compute SK and 2 as follows: If 2 and 2 are equal, the adversary can recognize that the candidate identity is the same as MN's real identity. Therefore, the adversary can know MN's identity.

Anonymity against Malicious Mobile User.
It is supposed that MN is a malicious mobile user who has a valid smart card issued by HA. MN accomplishes the normal authentication phase with HA to get the nonce HA generated by HA. And then he/she computes SID using his/her identity ID MN as follows: MN eavesdrops SID once again to compute ID MN using SID and SID . ID MN is calculated as follows: Thus, a legal but malicious user can obtain other's identity.
International Journal of Distributed Sensor Networks

Security against Known Session Key
Attacks. An adversary can get a user's identity when a former session key shared between MN and FA is revealed. The adversary obtains 2 by eavesdropping and computes the verification value Flg using 2 and a revealed SK such that The adversary also computes another verification value Flg after choosing a candidate identity ID in the following manner: If Flg equals Flg , the adversary can ensure that the guessed identity and the MN's real identity are consistent.

Security against Side Channel
Attacks. Let us suppose that an adversary who can execute side channel attacks obtains a valid smart card issued by HA. The adversary can acquire ℎ( ) from the smart card and take SID and HA from messages in the authentication phase. Then it is possible that the adversary discovers MN's identity by computing as follows: Hence, Chang et al. 's scheme can be totally broken by side channel attacks.

Proposed Scheme
To provide anonymity and security, the proposed scheme that improves Chang et al. 's scheme makes up for the weak points shown by Youn et al. Also, it guarantees untraceability for things by using different anonymized identities all the time.
Since it minimizes the number of transmitting messages and computations, it is suitable for IoT environments. Figure 2 presents IoT network environments applied to our scheme. A registration server and a gateway accomplish mutual communication through the Internet while they preserve a trustworthy relationship. The registration server maintains secret information of things. The gateway forms its own domain to combine the things that existed in its permissible range. And it makes the things link up with their registration server. The things collect and produce various information and exchange data one another if necessary. Depending on the number of things in a domain, several base stations are required to provide stable communication channel. Base stations do not participate in the join phase directly. They just act as mediators between the things and the gateway. If the stability of communications channel is guaranteed, a lot of things can work in one domain. It is because the thing only computes low cost functions, while relatively high cost computations are up to the gateway. In other words, a domain can be expanded regardless of the number of things.
The proposed scheme consists of three phases: registration, join, and communication. In each phase, the thing , the gateway , and the registration server are involved. We 6 International Journal of Distributed Sensor Networks

Notations
Descriptions Thing Registration server Gateway of a domain SID Shadow identity of an entity VID Virtual identity of an entity Private key of an entity Timestamp generated by an entity assume and share a common secret key using a secure method, such as the Diffie-Hellman key agreement protocol in advance. And let us suppose that a time synchronization is established between , , and .
In the registration phase, registers for in a safe way. registered for normally joins 's domain in the join phase. In that phase, can authenticate through . The things that successfully joined 's domain cannot trust each other yet, whereas they already build a trustworthy relationship with through sharing of a common secret key. When the things want to communicate with each other safely, they carry out authentication and session key establishment processes through . Table 2 indicates additional notations used in our scheme. We use notations in both Tables 1 and 2.

Registration Phase. Firstly, registers for and issues
's virtual identity. receives secret information from and stores them safely. Figure 3 shows the registration phase between and .
(2) generates 's private key and an initial timestamp . And it computes 's virtual identity VID as follows: Due to the private key, the virtual identity hides the real identity perfectly. The registration server is supposed to use the virtual identity to verify the thing's real identity. The virtual identity is essential element to make the proposed scheme provide anonymity.

Join
Phase. Let us suppose wants to join 's domain in order to take services from . Then tries to authenticate through to provide services. We define as the common secret key shared between and in advance. , , and perform the following authentication and key establishment steps. Figure 4 presents the join phase.
(1) generates a timestamp to compute the following shadow identity SID using VID and ℎ( ): The virtual identity already concealed the thing's real identity in the registration. In this step, the shadow identity hides the virtual identity again. While the shadow identity of Chang et al. 's scheme hides the real identity directly, our shadow identity contains the virtual identity instead of the real identity. It means the proposed scheme provides anonymity, even if the shadow identity is revealed.
(2) sends the join request message 1 = {JoinReq., SID , ID , } to , where the message header JoinReq. means requests to authenticate and to provide a common secret key for joining .
(3) After receiving 1 , checks and generates a timestamp . And it computes the hashing value 1 using the preshared common secret as follows: And it sends the authentication request message 2 = {AuthReq., SID , ID , 1 , , } to . The message header AuthReq. indicates requests to authenticate . (4) Upon receiving 2 , checks ID to determine whether it is an ally or not and checks to verify the validity of time period. And it computes the following 1 * to check whether it is equal to 1 : If results are all valid, generates a timestamp .
(5) computes VID * using received information and ℎ( ) as follows: And it retrieves the secret information [ID , VID , , ] from its database using VID * as a keyword. If it is impossible to get VID same as VID * , then rejects 's request for authentication and stops communication with .
This step makes every virtual identity supposed to be used only once. In other words, it guarantees the freshness of all virtual identities and it finally provides unlinkability of the proposed scheme.
(7) After the renewal of the virtual identity, computes the common secret key supposed to be shared between and using 's private key . Also, it computes the verification values 1 , 2 , and 3 for and the verification value 4 for as follows: Since the common secret key is derived from a secret hashing value ℎ( ) and changing timestamps, the secrecy and the freshness of the common secret key are always guaranteed.
(8) computes the following hashing value 2 and sends the message 3 = {ID , 1 , 2 , 3 , 4 , 2 , } to : (9) After receiving 3 , checks and 2 . If they are all valid, computes the verification value 5 after computing the common secret key . And it sends the message 4 = {ID , 1 , 2 , 3 , 5 , , } to . and 5 are as shown in the following formulas: (10) Upon receiving 4 , computes the following 1 * after checking : The fact that 1 * is the same as 1 implies that recognizes the fact that checked ID .
(11) computes * and 2 * such that * = ℎ (ℎ ( ) ‖ ID ‖ ID ‖ ‖ ) , to check the equivalence between 2 * and 2 . The sameness of two values means that trusted by computes the common secret key which is supposed to be shared between and . (12) computes the virtual identity VID and the verification value 3 * as follows: And it checks whether 3 * is equal to 3 . The equality indicates computes 's new virtual identity VID normally. And then stores its new virtual identity VID securely. As a result, the virtual identity is renewed by replacing the existing VID with the new VID . (13) checks the equivalence between 5 * and 5 after computing 5 * as shown in The valid verification of 5 * implies that and share the common secret key successfully.

Communication Phase.
The things located in 's domain authenticate each other and share session keys to communicate in a secure way. We assume that 1 and 2 already shared common secret keys called 1 and 2 , respectively, with in the join phase. 1 performs the following communication phase to share a session key with 2 . The communication phase is presented in Figure 5.
(1) 1 generates a timestamp 1 and computes the new shadow identity SID 1 as shown in to substitute the existing shadow identity SID 1 . (2) 1 computes the verification value 6 and the hashing value 3 as follows: And it sends the communication request message The message header CommReq. stands for 1 's request for communicating with 2 .
(3) Upon receiving 5 , 2 generates a timestamp 2 after checking 1 and computes its new shadow identity SID 2 , the verification value 7 , and the hashing value 4 such that International Journal of Distributed Sensor Networks Renew SID T 1 to SID T 1 , SID T 2 to SID T 2 And it sends the authentication request message 6 = {AuthReq., SID 1 , SID 2 , 6 , 7 , 3 , 4 , 1 , 2 } to . The message header AuthReq. means that 2 requests to authenticate 1 .
(4) After receiving 6 , firstly checks 2 , SID 1 , and SID 2 to confirm that 1 and 2 were authenticated by itself in the join phase. And then it checks that 3 * is equal to 3 and 4 * is equal to 4 after computing the following 3 * , 4 * : And it replaces the existing shadow identities SID 1 and SID 2 with SID 1 and SID 2 . It stores SID 1 and SID 2 securely in its database. According to this step, the freshness of all shadow identities is guaranteed.

10
International Journal of Distributed Sensor Networks As a result, it preserves unlinkability of the proposed scheme. (6) generates a timestamp 12 and computes the session key SK and the parameters 1 and 2 using 1 and 2 as follows: (38) (7) computes the verification and the hashing values, such as 8 , 9 , 5 , and 6 as shown in And then it sends the messages 7 = {ID , 2 , 9 , 6 , 12 } to 2 and 8 = {ID , 1 , 8 , 5 , 12 } to 1 . (8) Upon receiving 7 , 2 checks 12 and 6 and computes the following session key SK * shared with 1 using the common secret key 2 and the received 2 : After that, it checks the equivalence between the computed 9 * and the received 9 , where 9 * is calculated by the following equation: If the result is valid, 2 recognizes the fact that computed the session key SK. (9) Meanwhile, after receiving 8 , 1 also checks the validities of 12 and 5 at first. Then it computes the session key SK * using 1 and 1 and the verification value 8 * using SK * as follows: 1 confirms the sameness of 8 * and 8 to check the session key SK computed by . Finally, 1 shares the session key SK with 2 successfully.

Security Analysis
In this section, we prove the proposed scheme is secure against particular attacks. The assumptions are as follows: an adversary can eavesdrop any messages transmitted between , , and and he/she can obtain a legitimate thing normally registered for .

Anonymity.
Our scheme provides anonymity against an adversary who acquires a valid thing.

Anonymity in Join
Phase. An adversary can eavesdrop 's shadow identity SID and the timestamp from the message 1 in the join phase. If the adversary obtains a valid thing registered for , he/she can have a knowledge of the secret information [ID , VID , , ℎ( ), ID ] stored in . Thus, the adversary can get 's virtual identity VID by computing VID = SID ⊕ ℎ(ℎ( ) ‖ ) using SID and from 1 and ℎ( ) from . To acquire 's real identity ID from VID (= ℎ(ID ‖ ‖ )), the adversary guesses a candidate identity ID firstly, and then he/she tries to check the equivalence between ID and ID . Since an identity is short and has a certain format, it is guessable. However, the adversary cannot check whether VID = ℎ(ID ‖ ‖ ) is satisfied or not without knowing 's private key and the timestamp . Therefore, it is impossible for the adversary to check whether the real identity is equal to the candidate identity or not.

Anonymity in Communication Phase.
In the communication phase, an adversary can get 1 's shadow identity SID 1 and its timestamp 1 from the message 5 or 6 and ℎ( ) from a legitimate thing . By using them, the adversary can gain 1 's virtual identity VID 1 (= SID 1 ⊕ ℎ(ℎ( ) ‖ 1 )) as he/she does in the join phase. Then the adversary tries to confirm whether VID 1 = ℎ(ID 1 ‖ 1 ‖ 1 ) is satisfied or not by guessing a candidate identity ID 1 . Unfortunately, the adversary cannot check the equivalence between the real identity and the candidate identity without knowing 1 and 1 . For that reason, the adversary gets no information related to 1 's identity.

Untraceability.
The proposed scheme provides untraceability for a thing. Because all transmitting messages always include the unique shadow and virtual identities in the join and the communication phases, an adversary cannot know the fact that all messages are originated from the same thing.

Untraceability in Join
Phase. If a common secret key shared between and is renewed periodically or tries to join many different s, an adversary can collect all shadow identities from 's join request messages in every session by eavesdropping. Besides, the adversary who has a valid thing can obtain 's virtual identity VID by computing VID = SID ⊕ ℎ(ℎ( ) ‖ ) because he/she can know SID , ℎ( ), and . Meanwhile, if the shadow identity or the virtual identity always has a same value in every session, the adversary can recognize that one thing sends the join request message repeatedly while he/she cannot know that thing's real identity. In other words, the adversary can trace the fact that a certain thing requests to join continuously. However, the whole shadow identities are all different, since they include a unique timestamp. And the registration server always issues the new virtual identity to renew the old one in every session. Therefore, the join request message sent by the thing includes the different shadow identity all the time.
It means the proposed scheme guarantees untraceability for the thing.

Untraceability in Communication
Phase. The shadow identity in the communication phase also includes a unique timestamp. And everything always computes the new shadow identity and sends it to the gateway when they request to communicate. The gateway stores this new shadow identity to use it in the next session only if it checks that the old shadow identity is valid. Thus, shadow identities in every session have a uniqueness. Due to this, an adversary cannot trace the action of the thing in the communication phase.

Replay Attacks.
Although an adversary resends past transmitting messages after collecting them in a certain session, participants involved in the join and the communication phases can detect a retransmission and stop to communicate with each other.

Replay Attacks in Join
Phase. In the join phase, an adversary can gather the messages 1 , 2 , 3 , and 4 between , , and . When the adversary resends the old message 1 = {JoinReq., SID , ID , } to , checks a time interval between a current time and . And it rejects the join request if the time interval exceeds a predefined value. In addition, can also recognize the old message 2 = {AuthReq., SID , ID , 1 , , } sent by the adversary by checking the time period between a current time and . In this case, absolutely breaks a connection.

Replay Attacks in Communication
Phase. An adversary who collects the messages 5 , 6 , 7 , and 8 in the communication phase sends 5 to 2 and 6 to . After receiving the message, 2 and can know whether the message is resent or not by checking a timestamp and a current time. As a result, resending old messages is always detectable.

Forgery Attacks.
In our scheme, an adversary cannot forge messages to perform the valid join and communication phases.

Forgery Attacks in Join
Phase. When the message 1 = {JoinReq., SID , ID , } forged from 1 by an adversary is sent to in the join phase, makes 2 = {AuthReq., SID , ID , 1 , , } and sends it to . Then computes VID * = SID ⊕ ℎ(ℎ( ) ‖ ) using ℎ( ) that is the hashing value of its private key and tries to search 's secret information using VID * as a keyword. Since there is no matched virtual identity in 's database, stops to communicate with after recognizing that 2 is originated from the forged message.

Impersonation Attacks.
The proposed scheme is secure against attacks that an adversary who obtains a shadow identity of the thing impersonates that thing.

Impersonation Attacks in Join
Phase. An adversary who tries to impersonate the valid thing easily obtains 's shadow identity SID from the message 1 in the join phase. The adversary makes the message 1 = {JoinReq., SID , ID , } using the obtained SID and a timestamp generated by him/her in a new session. And he/she sends 1 to . After receiving 1 , decides 1 is a valid request message because and 1 are verified successfully. And then sends the message 2 = {AuthReq., SID , ID , 1 , , } to . Checking , ID , and 1 by is also successful. computes VID * from the received SID by computing the equation VID * = SID ⊕ ℎ(ℎ( ) ‖ ) = VID ⊕ℎ(ℎ( ) ‖ )⊕ℎ(ℎ( ) ‖ ). There is no equivalent virtual identity to VID * in its database. Surely, recognizes it is an abnormal case and rejects 's request.

Known Session Key
Attacks. Disclosure of a common secret key in the join phase or a session key in the communication phase does not affect revelations about the thing's identity, other common secret keys, and other session keys.

Known Session Key Attacks in Join Phase. A common secret key shared between
and is computed using a timestamp in the join phase. Because a timestamp always has a different value, every common secret key is unique. Although an adversary knows (= ℎ(ℎ( ) ‖ ID ‖ ID ‖ ‖ )), he/she cannot obtain the thing's identity and the common secret key in other sessions. The reasons are as follows. Firstly, the adversary still cannot get thing's identity ID from without knowing 's secret information ℎ( ). Moreover, let us suppose the adversary tries to get other common secret keys in the next session after computing ℎ( ‖ ) = 4 ⊕ using 4 and . In that next session, the adversary eavesdrops 4 (= ⊕ ℎ( ‖ )) and computes ⊕ ℎ( ‖ ) ⊕ ℎ( ‖ ) =

Known Session Key Attacks in Communication Phase.
All session keys in the communication phase are independent since all of them include their own unique timestamps. If the session key SK shared between 1 and 2 is revealed to an adversary in a certain session, he/she can compute ℎ( 1 ‖ SID 2 ‖ 1 ) = 1 ⊕ SK using 1 and the revealed SK. In the next session, the adversary eavesdrops 1 (= SK ⊕ ℎ( 1 ‖ SID 2 ‖ 1 )) and tries to compute SK ⊕ ℎ( . Since 1 is not equal to 1 , ℎ( 1 ‖ SID 2 ‖ 1 ) and ℎ( 1 ‖ SID 2 ‖ 1 ) are not erased. Therefore, there is no way to obtain the new session key SK from the old session key SK.

Performance Analysis
This section partially compares the performance of our scheme with those of Chang et al. 's and Lee's [22] schemes. Since the environment, the component, and the composition of ours and others' are all different, we firstly select similar factors in all schemes and evaluate them. Table 3 shows the performance comparison results. In Table 3, Hash denotes a hash operation, XOR denotes an exclusive-OR operation, and rounds denote communication rounds. We evaluate the number of hash and exclusive-OR operations. We compare the join phase of our scheme and the authentication and session key establishment phases of other schemes, because each phase has similar purpose and procedure. In addition, we only focus on the operations on the part of the limited computing power devices, such as a thing and a mobile user. Since the performance of the whole scheme depends on the capability of those devices, we do not compare the whole operations.
As Table 3 shows, our scheme requires less or the same exclusive-OR operations in the join phase. Namely, the computation complexity of ours is a little better than others' .  Table 3. Definitely, hash operations and communication rounds in the communication phase are less than those in the join phase. The thing accomplishes the communication phase more often than the join phase, so the less number of operations and communication rounds in the communication phase is remarkable. As a result, our scheme provides advantages of the communication complexity as well as the computation complexity.

Conclusions
In this paper, we propose a novel anonymous authentication scheme that ensures the things in IoT environments can communicate with one another safely. The proposed scheme uses the virtual identity of the thing to make it be anonymized and authenticated at the same time. To provide untraceability, we keep the uniqueness of all shadow and virtual identities. Namely, duplicated shadow and virtual identities are never used in every session through the renewal process. Even if the valid virtual identity issued by the registration server is revealed, an adversary cannot obtain the real identity from that virtual identity. It is impossible for an adversary to perform replay, forgery, and impersonation attacks. Moreover, he/she cannot know the valid common secret key shared between the registration server, the gateway, and the thing, even though a specific common secret key is exposed. The valid session key shared between two things is also safe when a particular session key is disclosed to an adversary. We only use low cost functions, such as hash functions and exclusive-OR operations in consideration of fast computation and low energy consumption of the thing. In conclusion, our scheme is suitable for IoT environments as a secure and efficient authentication mechanism.