An Efficient, Anonymous and Robust Authentication Scheme for Smart Home Environments

In recent years, the Internet of Things (IoT) has exploded in popularity. The smart home, as an important facet of IoT, has drawn increasing attention as an application of intelligent systems. As users communicate with smart devices over an insecure communication medium, the sensitive information exchanged among them becomes vulnerable to an adversary. Thus, there is a strong incentive to develop an anonymous authentication scheme that provides secure communication for smart home environments. Most recently, an anonymous authentication scheme for smart home environments with provable security has been proposed in the literature. In this paper, we analyze this recent scheme and highlight several of its vulnerabilities. We then address these security drawbacks and present a more secure and robust authentication scheme that overcomes the weaknesses found in the analyzed scheme while retaining its advantages. Finally, through a detailed comparative study, we demonstrate that the proposed scheme provides significantly better security and more functionality features, with communication and computational overheads comparable to those of similar schemes.


Introduction
Interest in the Internet of Things (IoT) has grown exponentially over recent years, and it is likely to continue growing for the foreseeable future [1]. The smart home as an important IoT application has also gained much interest in recent years. Adoption of home automation systems for monitoring and controlling various smart devices is at an all-time high [2,3]. The reduced operating expenses, coupled with the increased quality of life, encourage the users to rely on these more and more. A smart home reduces expenses while providing higher comfort, security and safety to the users [4]. Additionally, smart homes can provide the elderly and disabled with prompt medical care based on the readings of smart gadgets [5]. However, as a direct result of using these services, a large volume of private and sensitive data is being transmitted over insecure networks. Security and privacy are considered the fundamental requirements for consumer technology deployment [6].
Consider a smart gadget for monitoring a patient. In order to get medical services, the external user (for example, a doctor) needs to have direct access to the data sensed by the sensors in the gadget monitoring the patient's body. Such information will invariably include current vital readings like blood sugar level, blood pressure, etc. For obvious reasons, this information needs to be private and confidential. Similarly, data generated by the surveillance system, temperature and movement sensors, or control data for lighting or other appliances need to be secure and confidential. Devices in a smart home can be accessed through a gateway node that connects them to the Internet. To ensure data privacy and integrity, the various entities, such as the users, the smart devices, and the gateway node, need to generate session keys after their mutual authentication. The generated session keys can then be used for further communication without fear of data compromise.

Network and Threat Models
We follow the widely accepted network model for the proposed scheme, which is defined in the typical smart home architecture [7] shown in Figure 1. The smart devices connect to the public Internet through the gateway nodes (GWN). Users (U) and smart devices (SD) must be registered or enrolled with the registration authority (RA) before operating in the network. The RA is a fully trusted entity in the network. The registered mobile users can avail of the services provided by the already enrolled smart devices through the gateway node and negotiate the session keys after mutual authentication. We evaluate the proposed scheme under the de-facto standard "Dolev-Yao (DY) threat model" [8].
In the DY threat model, an adversary, say A, has complete control over the communication channel, and consequently he/she is capable of eavesdropping on, modifying, dropping, or even inserting forged messages into any communication. Furthermore, it is assumed that A can physically capture some smart devices, as monitoring the devices 24/7 is not possible, and extract the sensitive information stored in them using power analysis attacks [9]. Moreover, the smart card of a user can be lost or stolen, and the adversary A can also extract all the sensitive information stored in its memory using power analysis attacks [9]. Both the registration authority (RA) and the gateway node (GWN) are considered trusted in the smart home environment. Furthermore, we use the stronger threat model known as the "Canetti and Krawczyk (CK) adversary model" [10], wherein the adversary A, in addition to having all the capabilities of the DY threat model, can also compromise ephemeral information such as session-specific states and keys. Thus, in the presence of the CK adversary, a user authentication scheme must be designed such that leakage of ephemeral secrets has minimal impact on the security of unrelated entities in the authenticated key-exchange scheme [11].

Research Contributions
The main contributions are given below.
• We first analyze the recently proposed anonymous authentication scheme by Shuai et al. [7] for the smart home environment and highlight that their scheme fails to resist known attacks, namely privileged-insider attack through offline password guessing and lost/stolen smart card attacks, user impersonation attacks, parallel session attacks, and password change attacks.
• We present a more secure user authentication scheme that avoids the security pitfalls demonstrated in Shuai et al.'s scheme.
• Through formal as well as informal security analysis, we show the resistance of the proposed scheme against the various potential attacks relevant to a smart home environment.
• We then present a comparative study to demonstrate the superior security and functionality features of the proposed scheme relative to existing relevant authentication schemes.
• Finally, we provide a practical perspective on the applicability of the proposed scheme through a simulation study using the NS3 network simulator.

Related Work
In the last decade, several authors investigated the issues of remote authentication for smart homes. Jeong et al. [12] suggested an authentication protocol for home networks based on "One-Time Passwords (OTPs)" and smart cards. However, their scheme not only transmitted the user identities in plaintext, but also did not provide mutual authentication. Vaidya et al. [13] designed a "remote authentication scheme using lightweight computation modules". Unfortunately, Kim et al. demonstrated that the scheme in [13] was not only vulnerable to known attacks, but also failed to provide "user anonymity" and "forward secrecy". To strengthen the security, Kim et al. presented an improved scheme [14] over Vaidya et al.'s scheme [13].
Vaidya et al. [15] presented an "Elliptic Curve Cryptography (ECC)" based device authentication scheme for smart home networks. However, their scheme was found to be susceptible to privileged-insider, password guessing, and user impersonation attacks. Pradeep and Singh [16] proposed a secure three-factor authentication scheme for "ubiquitous computing devices" with a pass-phrase based device integrity check.
Li proposed a lightweight key establishment scheme [17] as a solution to the security issue in smart home energy management systems. Unfortunately, the scheme is not scalable as it requires the management of many keys and certificates. Around the same time, Han et al. [18] designed a key agreement scheme for a secure pairing process in smart home systems. However, their scheme depends on an always-online service by the manufacturer of the devices, which is an infeasible requirement. Additionally, neither the scheme [17] nor the scheme [18] provided "mutual authentication between user and smart devices". Santoso and Vun [19] suggested an "ECC-based authentication scheme for smart homes", in which they presented the idea of using the Wi-Fi gateway as the central node of the system. Unfortunately, their scheme was vulnerable to privileged-insider attack, and consequently it failed to guarantee the user anonymity and untraceability properties.
Kumar et al. [4] designed a "lightweight anonymity preserving authentication scheme for smart home environments". However, their scheme failed to provide "mutual authentication between the user and the smart device". In their scheme, user anonymity and untraceability properties are also compromised.
Wazid et al. [20] suggested a lightweight remote user authentication scheme for the smart home environment which fulfills its design criteria. Yu and Li [21] proposed another user authentication scheme for the smart home environment. However, their protocol did not require a secure environment for user and device registration. Moreover, their scheme relied on bilinear pairing operations, and as a result it incurs exceptionally high overheads. Shuai et al. [7] designed an "ECC-based authentication scheme for the smart home environment"; in this paper, we discuss the advantages and limitations of their scheme in detail. Naoui et al. [22], Fakroon et al. [23] and Dey and Hossain [24] also presented other user authentication schemes for the smart home environment.

Review of Shuai et al.'s Scheme
In this section, we briefly review Shuai et al.'s scheme. Their scheme has the following phases: (a) initialization phase, (b) registration phase, (c) login and authentication phase, and (d) password change phase. We only review the first three phases here; the details of the password change phase can be found in [7].

Initialization Phase
During initialization, the registration authority (RA) selects an elliptic curve E(F_p) of the form y^2 = x^3 + ax + b (mod p) of order p over the finite field F_p with a generator point P, where p is a large prime number and a, b ∈ Z_p = {0, 1, ..., p − 1} such that 4a^3 + 27b^2 ≠ 0 (mod p). RA then creates a private key x and calculates the corresponding public key X = x · P. RA selects a "long-term key K" and a "cryptographic one-way collision-resistant hash function h(·): {0, 1}^* → Z_p^*", where Z_p^* = {1, 2, ..., p − 1}. RA commits x and K to GWN and makes {E(F_p), P, X, h(·)} public. RA also picks GID as the unique identity of the gateway node and saves it into the gateway node's memory. In addition, RA generates SID_d as a random unique identity for each smart device SD. These identities are saved in the respective smart devices.

Registration Phase
This phase comprises the user registration and the smart device enrollment phases.

User Registration
A user U registers with the RA through the following steps:
• Step 1. U first picks his/her identity ID_u and password PW_u, and generates a random secret a. U then calculates the pseudo-password HPW_u = h(PW_u||a) and securely dispatches the credentials {ID_u, HPW_u} to the RA.
• Step 2. If ID_u is already registered, the RA rejects the request. Otherwise, the RA computes K_UG = h(ID_u||K) and A_1 = K_UG ⊕ HPW_u. The RA creates a counter TEMP in order to record the number of user login failures, and sets TEMP = 0. Next, the RA writes {A_1, TEMP} to a smart card SC_u and securely issues SC_u to the user U.
• Step 3. On receiving the smart card SC_u, U calculates A_2 = a ⊕ h(ID_u||PW_u) and A_3 = h(ID_u||HPW_u), and appends A_2 and A_3 to the smart card SC_u. The smart card SC_u finally contains the credentials {A_1, A_2, A_3, TEMP}.

Device Enrollment
A smart device SD enrolls with the RA through the following steps:
• Step 1. SD first securely transmits its identity SID_d to the RA.
• Step 2. If SD is already enrolled, the request is rejected by the RA. Otherwise, the RA computes K_GS = h(SID_d||K) and securely sends the secret key K_GS to SD.
• Step 3. On receiving the reply, SD saves the secret key K_GS in its memory.

Login and Authentication Phase
For a registered user U to access a smart device SD, he/she must first establish a session key SK after "mutual authentication between U, SD and GWN". The steps of the login, authentication and session key establishment phase are as follows:
• Step 1. User U first enters his/her identity ID_u and password PW_u, and calculates a* = A_2 ⊕ h(ID_u||PW_u), HPW_u* = h(PW_u||a*) and A_3* = h(ID_u||HPW_u*). Only if the check A_3* = A_3 holds is the login successful. In case of a failed login attempt, the smart card SC_u of the user U updates TEMP = TEMP + 1. This value records the failed login attempts, and if it exceeds a pre-defined threshold, the user U is considered compromised and is suspended until he/she re-registers.
After a successful login, the smart card SC_u generates two random numbers R_1 and w ∈ Z_p^*, and computes K_UG = A_1 ⊕ HPW_u, A_4 = w · P, A_5 = w · X, DID_u = ID_u ⊕ A_5, M_1 = (R_1||SID_d) ⊕ K_UG and V_1 = h(ID_u||R_1||K_UG||M_1), and sends the login request message ⟨DID_u, A_4, M_1, V_1⟩ to GWN via a public channel.
• Step 2. On receiving the login request ⟨DID_u, A_4, M_1, V_1⟩, GWN recomputes V_1*. Only if the condition V_1* = V_1 holds does GWN accept the legitimacy of the login request. GWN then generates a random number R_2 ∈ Z_p^* and computes the authentication request message ⟨M_2, V_2⟩. Finally, GWN sends ⟨M_2, V_2⟩ to SD via a public channel.
• Step 3. On receiving the message ⟨M_2, V_2⟩, SD verifies it, prepares the authentication reply message ⟨M_3, V_3⟩ and finally transmits ⟨M_3, V_3⟩ to GWN.
• Step 4. On receiving the message ⟨M_3, V_3⟩, SD is authenticated by GWN, and the session key SK is established between U and SD.

Security Vulnerabilities in Shuai et al.'s Scheme
In this section, we cryptanalyze the scheme proposed by Shuai et al. and observe that in the presence of a passive/active adversary, it is vulnerable to several potential attacks. We detail the possible attacks below.

Privileged-Insider Attack through Offline Password Guessing and Lost/Stolen Smart Card Attacks
Suppose a privileged insider of the RA acts as an adversary, say A. In this case, A knows the credentials ID_u and HPW_u of a legitimate registered user U, which are submitted to the RA during the user registration phase (see Section 2.2.1), where HPW_u = h(PW_u||a) and a is a random secret. Moreover, if A acquires the lost/stolen smart card SC_u of the user U, then using the "power analysis attacks" [9,25] A can extract all the credentials {A_1, A_2, A_3, TEMP} stored in it. A can then guess a password, say PW_u*. Using the guessed password PW_u* together with ID_u and A_2, A computes HPW_u* = h(PW_u* || (A_2 ⊕ h(ID_u||PW_u*))) and checks whether the condition HPW_u* = HPW_u holds. If it holds, A has guessed the correct password of the user U. Hence, low-entropy passwords are easily guessed and verified offline in Shuai et al.'s scheme. As a result, Shuai et al.'s scheme is vulnerable to privileged-insider attack with the help of both offline password guessing and lost/stolen smart card attacks.

User Impersonation and Parallel Session Attacks
A privileged insider adversary A with the knowledge of the registration information ID_u and HPW_u, and of A_1 extracted from the stolen smart card SC_u of a valid registered user U (as discussed in Section 3.1), can easily compute the secret key K_UG = A_1 ⊕ HPW_u. Consequently, A can forge the login request message ⟨DID_u, A_4, M_1, V_1⟩ to GWN in order to impersonate the user U, for the following reason. Since each smart device SD sends its identity SID_d to the RA, the privileged insider adversary A of the RA also knows it. Now, A can generate two random numbers R_1 and w ∈ Z_p^*, and compute A_4, A_5, DID_u, M_1 and V_1 exactly as in Step 1 of the login phase. As a result, the adversary A is able to send a valid login request message ⟨DID_u, A_4, M_1, V_1⟩ to GWN. Thus, a privileged insider can impersonate a legal registered user U in Shuai et al.'s scheme.
We consider another attack, where the privileged insider adversary A of the RA, who has calculated K_UG in the previous attack, intercepts the message ⟨M_4, V_4⟩ sent from GWN to a user U. A, having the knowledge of K_UG and ID_u, can calculate (GID||R_2||R_3) = M_4 ⊕ K_UG and the session key SK = h(ID_u||GID||SID_d||R_1||R_2||R_3). Thus, A can independently calculate the session key SK, making Shuai et al.'s scheme vulnerable to the parallel session attack.

Password Change Attack
Suppose a privileged insider of the RA, acting as an adversary A, has learned the password PW_u through the attack discussed in Section 3.1. If the smart card SC_u of U has also been stolen by A, A can simply execute the password update phase to change the legal registered user U's password. For this purpose, A holds the credentials {A_1, A_2, A_3, TEMP} stored in the memory of SC_u. Next, A chooses his/her own password, say PW_u', and calculates HPW_u' = h(PW_u'||a),

The Proposed Scheme
In this section, we present a more secure "anonymous authentication and session key establishment scheme" for smart home environments, which is free from all the mentioned security vulnerabilities discussed in Section 3. The important phases of our scheme are discussed below.

Initialization Phase
This phase is similar to that presented in Section 2.1. Note that during initialization, the registration authority (RA) also generates a "long-term key K" and a "collision-resistant cryptographic one-way hash function h(·): {0, 1}^* → Z_p^*". RA then commits K to GWN and makes h(·) public.

Registration Phase
The registration phase details the procedure for dynamic device enrollment and user registration.

Dynamic Device Enrollment
Any time after initialization, a smart device SD can be enrolled with the RA via a secure channel through the following steps:
• Step 1. SD first securely transmits its identity SID_d to the RA.
• Step 2. If SD is already enrolled, the request is rejected by the RA. Otherwise, the RA computes the secret key K_GS = h(SID_d||h(K)), securely sends K_GS to SD, and makes SID_d public.
• Step 3. On receiving the reply from the RA, SD saves the secret key K_GS in its memory.

Mobile User Registration
After system initialization, a mobile user U can be registered with the RA via secure channel.
In our scheme, we use the fuzzy extractor method for user biometric verification [26]. This step is necessary to reduce false negatives during biometric verification. A fuzzy extractor comprises the following two procedures:
• Gen: a "probabilistic generation function" that computes a pair (σ_u, τ_u) from the user's biometric information. The resultant σ_u is the "biometric secret key" and τ_u is the "public reproduction parameter" needed to reconstruct σ_u from Bio_u', a noisy biometric reading from the same user. Formally, (σ_u, τ_u) = Gen(Bio_u).
• Rep: a "deterministic reproduction function" that reconstructs the original biometric secret key σ_u from a noisy biometric reading Bio_u' and the public reproduction parameter τ_u, provided that the Hamming distance HD between Bio_u and Bio_u' is at most a pre-defined error tolerance threshold, say Δ_t. Formally, σ_u = Rep(Bio_u', τ_u).
The following steps are involved in this phase:
• Step 1. U selects his/her identity ID_u and securely sends {ID_u} to the RA.

• Step 2. If ID_u is already registered, the RA rejects the request. Otherwise, the RA generates R_g, DID_u ∈ Z_p and computes K_UG = h(ID_u||h(R_g||K)), and also sets TEMP = 0. After that, the RA commits the tuple ⟨DID_u, ID_u, R_g⟩ to the user_data table in the gateway node GWN. The RA also writes the credentials {K_UG, DID_u, TEMP} to a smart card SC_u and securely issues SC_u to the user U.
• Step 3. After getting SC_u, U provides a password PW_u and imprints the biometric template Bio_u at the sensor of a specific terminal. U uses the probabilistic fuzzy generator function Gen(Bio_u) to calculate the biometric secret key σ_u and a public reproduction parameter τ_u, computes A_1, A_2 and A_3, and replaces K_UG and DID_u in the smart card with A_1, A_2, A_3, τ_u. The smart card SC_u finally contains the credentials {A_1, A_2, A_3, τ_u, TEMP}. The user registration phase is also summarized in Figure 2.
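To make the insider verifier question concrete, the Python below (an added illustration, not code from either paper) implements the smart card values of Shuai et al.'s user registration (Section 2.2.1) and of Steps 2 and 3 above, and then checks what a privileged insider of the RA holding the registration record and a copied card can confirm offline, which is the Section 3.1 attack and the loss-of-smart-card argument of Section 5.3 in code. It assumes h(·) is modelled with SHA-256 over length-prefixed fields, that DID_u and the secret a are 32-byte strings, and that the identity, password, biometric key and K are constructed sample values.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """The one-way hash h(x_1||x_2||...), modelled here with SHA-256.
    Every field is length-prefixed so that '||' is an unambiguous concatenation."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big"))
        m.update(p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed long-term key K of the RA (not a value from the paper).
K_LONG_TERM = b"constructed-long-term-key-K"


# --- Shuai et al., user registration (Section 2.2.1) ---------------------
def shuai_register(id_u: bytes, pw_u: bytes, a: bytes):
    """Returns (smart card contents, what the RA and hence an insider learns)."""
    hpw_u = h(pw_u, a)                         # HPW_u = h(PW_u||a), sent to the RA
    k_ug = h(id_u, K_LONG_TERM)                # K_UG = h(ID_u||K), computed by the RA
    card = {
        "A1": xor(k_ug, hpw_u),                # A_1 = K_UG xor HPW_u
        "A2": xor(a, h(id_u, pw_u)),           # A_2 = a xor h(ID_u||PW_u)
        "A3": h(id_u, hpw_u),                  # A_3 = h(ID_u||HPW_u)
        "TEMP": 0,
    }
    insider_view = {"ID_u": id_u, "HPW_u": hpw_u}
    return card, insider_view


def shuai_insider_check(card: dict, insider_view: dict, pw_guess: bytes) -> bool:
    """Section 3.1: ID_u, HPW_u and the card's A_2 give an offline password verifier:
    a* = A_2 xor h(ID_u||PW*), then HPW* = h(PW*||a*) is compared with HPW_u."""
    a_star = xor(card["A2"], h(insider_view["ID_u"], pw_guess))
    return h(pw_guess, a_star) == insider_view["HPW_u"]


# --- Proposed scheme, mobile user registration (Steps 2 and 3 above) -----
def proposed_register(id_u: bytes, pw_u: bytes, sigma_u: bytes,
                      r_g: bytes, did_u: bytes):
    """The RA receives only ID_u; PW_u and the biometric key sigma_u never leave U.
    A_3 and tau_u are omitted since they play no role in the verifier question."""
    k_ug = h(id_u, h(r_g, K_LONG_TERM))        # K_UG = h(ID_u||h(R_g||K))
    card = {
        "A1": xor(did_u, h(id_u, pw_u, sigma_u)),  # A_1 = DID_u xor h(ID_u||PW_u||sigma_u)
        "A2": h(did_u, id_u, sigma_u, pw_u),       # A_2 = h(DID_u||ID_u||sigma_u||PW_u)
        "TEMP": 0,
    }
    insider_view = {"ID_u": id_u, "DID_u": did_u, "R_g": r_g, "K_UG": k_ug}
    return card, insider_view


def proposed_insider_check(card: dict, insider_view: dict,
                           pw_guess: bytes, sigma_guess: bytes) -> bool:
    """The only offline test available to the insider needs PW_u and sigma_u
    together (Section 5.3: all secret factors must be guessed simultaneously)."""
    expected = xor(card["A1"], insider_view["DID_u"])
    return h(insider_view["ID_u"], pw_guess, sigma_guess) == expected


def demo() -> dict:
    """Runs both registrations with constructed inputs and reports what an
    insider holding the registration record and the card can confirm offline."""
    id_u, pw_u = b"user-42", b"hunter2"                    # constructed sample values
    card_s, view_s = shuai_register(id_u, pw_u, secrets.token_bytes(32))
    sigma_u = secrets.token_bytes(32)                      # stands in for Gen(Bio_u)
    card_p, view_p = proposed_register(id_u, pw_u, sigma_u,
                                       secrets.token_bytes(32), secrets.token_bytes(32))
    return {
        "shuai_correct_pw": shuai_insider_check(card_s, view_s, pw_u),        # True
        "shuai_wrong_pw": shuai_insider_check(card_s, view_s, b"letmein"),    # False
        "proposed_pw_only": proposed_insider_check(card_p, view_p, pw_u,
                                                   secrets.token_bytes(32)),  # False
        "proposed_pw_and_sigma": proposed_insider_check(card_p, view_p, pw_u,
                                                        sigma_u),             # True
    }
```

The first two results show that Shuai et al.'s card plus the registration record act as a password verifier; the last two show that in the proposed scheme the same insider cannot confirm a password without also holding the high-entropy σ_u.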

Login and Authentication Phase
A registered user U through the following steps can anonymously establish a session key with a smart device SD once mutual authentication in presence of the gateway node GW N is successful.

• Step 1. U first inputs his/her identity ID_u and password PW_u, and imprints his/her biometric Bio_u at the sensor of a particular terminal. The smart card SC_u of U then uses the public τ_u to compute σ_u from Bio_u as σ_u = Rep(Bio_u, τ_u), and proceeds to calculate DID_u = A_1 ⊕ h(ID_u||PW_u||σ_u) and A_2* = h(DID_u||ID_u||σ_u||PW_u). If the condition A_2* = A_2 holds, the login is treated as successful. In case of a failed login attempt, the smart card SC_u increments TEMP and aborts the phase. If TEMP exceeds a pre-defined threshold, the user U is considered compromised and is suspended until he/she re-registers.
After a successful login, SC_u generates two random numbers R_1 and w ∈ Z_p^*, calculates M_1 and V_1, and dispatches the login request message ⟨DID_u, M_1, V_1⟩ to GWN via a public channel.
• Step 2. After receiving the login request ⟨DID_u, M_1, V_1⟩, GWN looks up ⟨ID_u, R_g⟩ using DID_u from its user_data table and verifies V_1. If the verification fails, the request is considered invalid, and the process is aborted instantly. Otherwise, GWN generates a new random number R_g ∈ Z_p^*, calculates K_GS = h(SID_d||h(K)), and sends the message ⟨M_2, V_2⟩ to SD via a public channel.
• Step 3. On receiving the message ⟨M_2, V_2⟩, SD verifies V_2; if the check fails, the request is considered failed and is aborted. Otherwise, SD picks a random number R_d ∈ Z_p^* and computes the session key SK. Next, SD transmits the authentication reply message ⟨M_3, V_3⟩ to GWN via a public channel.
• Step 4. On receiving the message ⟨M_3, V_3⟩, GWN verifies V_3; if the check fails, the request is considered invalid and the process is aborted immediately. Otherwise, GWN generates another random number DID_u ∈ Z_p^* and computes M_4 = (DID_u||C_1||R_d) ⊕ K_UG, K_UG = h(ID_u||C_1) and V_4 = h(DID_u||C_1||R_d||K_UG). GWN then updates the tuple ⟨DID_u, ID_u, R_g⟩ in its user_data table, and sends the acknowledgement message ⟨M_4, V_4⟩ to U via an open channel.
• Step 5. On receiving the message ⟨M_4, V_4⟩ from GWN, the user U recovers (DID_u||C_1||R_d) = M_4 ⊕ K_UG, and then computes K_UG = h(ID_u||C_1) and V_4* = h(DID_u||C_1||R_d||K_UG). If V_4* ≠ V_4, the login is considered failed and is aborted immediately. Otherwise, the user U computes the session key SK = h(h(ID_u||R_u||C_1)||R_d||SID_d) and the corresponding updated values for its smart card. The login and authentication phase is summarized in Figure 3.
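The Gen and Rep procedures used in registration Step 3 and login Step 1 above can be realised with the code-offset construction; the Python below is an added illustration (not the implementation of [26] or of the paper) that masks a repetition-code encoding of a random 16-bit σ_u with the enrolled template, so that Rep recovers σ_u from a reading with up to Δ_t = 2 flipped bits in each 5-bit block of the constructed sample biometric and fails beyond that. The parameters R, KEY_BITS and the sample template are assumptions.

```python
import random
import secrets
from typing import List, Tuple

R = 5                    # repetition factor per key bit (assumed parameter)
KEY_BITS = 16            # bit-length of the biometric secret key sigma_u (assumed)
N = R * KEY_BITS         # bit-length of a biometric template Bio_u
DELTA_T = (R - 1) // 2   # flips tolerated inside each block of R bits (= 2 here)

Bits = List[int]


def _encode(sigma: Bits) -> Bits:
    """Repetition-code encoding: each key bit is written R times."""
    return [b for b in sigma for _ in range(R)]


def _decode(codeword: Bits) -> Bits:
    """Majority vote per block of R bits; corrects up to DELTA_T flips in a block."""
    return [int(sum(codeword[i:i + R]) > R // 2) for i in range(0, N, R)]


def gen(bio: Bits) -> Tuple[Bits, Bits]:
    """Gen(Bio_u) -> (sigma_u, tau_u).  sigma_u is drawn at random and
    tau_u = Bio_u xor Encode(sigma_u) is the public reproduction parameter;
    without Bio_u it reveals nothing about sigma_u (the codeword is masked)."""
    sigma = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    tau = [b ^ c for b, c in zip(bio, _encode(sigma))]
    return sigma, tau


def rep(bio_noisy: Bits, tau: Bits) -> Bits:
    """Rep(Bio'_u, tau_u): unmask with tau_u and decode.  The result equals
    sigma_u whenever every block of Bio'_u differs from the enrolled Bio_u in
    at most DELTA_T positions; otherwise at least one key bit comes out wrong."""
    return _decode([b ^ t for b, t in zip(bio_noisy, tau)])


def hamming_distance(x: Bits, y: Bits) -> int:
    """HD(Bio_u, Bio'_u): number of differing template bits."""
    return sum(a != b for a, b in zip(x, y))


def flip_bits(bio: Bits, positions) -> Bits:
    """Constructs a noisy reading Bio'_u by flipping the given template bits."""
    noisy = list(bio)
    for p in positions:
        noisy[p] ^= 1
    return noisy


# Constructed sample template (seeded PRNG so the example is reproducible).
_rng = random.Random(2024)
SAMPLE_BIO: Bits = [_rng.getrandbits(1) for _ in range(N)]


def demo() -> dict:
    """Enrol the sample template, then try to reproduce sigma_u from readings
    with different amounts of noise."""
    sigma, tau = gen(SAMPLE_BIO)
    within = flip_bits(SAMPLE_BIO, [0, 7, 13, 41, 66])   # one flip in each of five blocks
    beyond = flip_bits(SAMPLE_BIO, [0, 1, 2])            # three flips in block 0 (> DELTA_T)
    other_user = [1 - b for b in SAMPLE_BIO]             # a completely different template
    return {
        "exact_reading": rep(SAMPLE_BIO, tau) == sigma,   # True
        "within_tolerance": rep(within, tau) == sigma,    # True
        "beyond_tolerance": rep(beyond, tau) == sigma,    # False
        "other_user": rep(other_user, tau) == sigma,      # False
    }
```

Note that this toy construction's tolerance is per block rather than a single global Hamming-distance threshold Δ_t as stated above; a reading with few flips overall can still fail if they cluster in one block.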

Remark 1.
An adversary might block the message ⟨M_4, V_4⟩ during the login and authentication phase. As DID_u and R_g have already been updated on the gateway node GWN, the subsequent login attempts by the user U would fail. This attack can be prevented if the gateway node GWN also retains the old values of DID_u and R_g until the next successful authentication.

[Figure 3: Login and authentication phase of the proposed scheme; columns: User U, Gateway node GWN, Smart device SD. The user enters ID_u, PW_u and Bio_u and computes σ_u = Rep(Bio_u, τ_u).]

Password and Biometric Update Phase
To update the "password and/or biometric", a registered user U inputs the identity ID_u along with the existing password PW_u, imprints the biometric Bio_u, and then logs in following steps similar to those of the "login and authentication phase" described in Section 4.3.

Smart Card Revocation Phase
A "lost or stolen smart card" can be revoked by a registered authorized user U requesting a new smart card from the registration authority RA via a secure channel. The steps are identical to those of the mobile user registration phase discussed in Section 4.2.2.

Security Analysis
In this section, the formal security analysis of the proposed scheme is presented through the widely accepted "Real-Or-Random (ROR) model" [27]. Furthermore, through the formal security verification tool called AVISPA [28], the proposed scheme's resistance to "man-in-the-middle and replay attacks" is verified. In addition, a thorough informal (non-mathematical) analysis presented in Section 5.3 demonstrates the proposed scheme's resistance to various other known attacks.

Formal Security Analysis through Real-Or-Random Model
The ROR model proposed in [27] is widely accepted for security analysis of authentication and key agreement schemes. We describe the ROR model and then utilize the same to analyze the proposed scheme formally.
• Participants: Let the oracles π_U^u, π_SD^d and π_GWN^g denote the uth, dth and gth instances of a user U, a smart device SD and the gateway node GWN, respectively.
• Partnering: Two oracles π_U^u and π_SD^d are said to be partnered provided they share the same communication session-id sid and the partial transcript of the exchanged messages is unique.
• Freshness: π_U^u and π_SD^d are considered fresh as long as the session key SK between U and SD remains unexposed to an adversary A.
• Adversary: The ROR model defines the DY adversary A. Formally, the adversary A can execute the queries described below.
  - Execute(π^u, π^d): This query models an eavesdropping attack; it allows A to intercept the messages exchanged among U, SD, and GWN.
  - Test(π^u, π^d): As per the "indistinguishability in the ROR model" [27], this query determines the semantic security of the session key SK between U and SD. To initiate it, A tosses an "unbiased coin" whose outcome, say c, determines the output of the Test query. If SK is fresh, the oracle π^u or π^d returns SK if c = 1, and a random number if c = 0. In all other cases, the returned value is null.
• Semantic security of the session key: As per the ROR model, to compromise the semantic security of the session key, A must be able to distinguish an instance's actual session key from a random key. A can perform a limited number of CorruptSC(π^u) and CorruptSD(π^d) queries, but can execute as many Test(·) queries as desired. If Adv_{PS,A}(t) denotes the advantage of A in compromising the semantic security of the proposed scheme PS, we have Adv_{PS,A}(t) = |2·Pr[SCS] − 1|, where SCS is the event of A's success.
• Random oracle: All participating entities including A can invoke the "cryptographic one-way hash function" h(·), which is modeled as a random oracle, say HO.
Accounting for Wang et al.'s important findings [30] regarding Zipf's law on passwords, Theorem 1 states the "semantic security of the proposed scheme".
Theorem 1. Let a polynomial-time adversary A attempt to break the semantic security of the proposed scheme PS under the ROR model in time t. If the chosen passwords follow Zipf's law [30], and the bit-lengths of the biometric secret key σ_u and the user identity ID_u are l_1 and l_2, respectively, then A's advantage in compromising the semantic security of the proposed scheme PS is bounded as follows, where q_h, q_s and |Hash| represent the number of hash queries, the number of Send queries and the range of h(·), respectively, and C and s are the Zipf parameters [30].
Proof. We design our proof along the lines of the proofs presented in [11,31,32]. Four sequential games, say G_i with i ∈ {0, 1, 2, 3}, are played. The event SCS_i denotes that an adversary A successfully guesses the bit c in the game G_i. The details of all the games are given below.
• Game G_0: This game models a real attack on the semantic security of the proposed scheme PS by A. As the bit c is guessed initially,
• Game G_1: This game models an eavesdropping attack by A on PS. Through the Execute(π^u, π^d) query, A can intercept the messages ⟨DID_u, M_1, V_1⟩, ⟨M_2, V_2⟩, ⟨M_3, V_3⟩ and ⟨M_4, V_4⟩. A can then query the Test oracle and attempt to determine whether the received result is the actual session key. Since the session key is SK = h(h(ID_u||R_u||h(R_g||K))||R_d||SID_d), to compute it A must learn the short-term secrets (R_u, R_g and R_d) as well as the long-term secrets (ID_u, SID_d and K). Therefore, A gains no additional advantage in winning this game. Consequently, it follows that
• Game G_2: This game models an active attack through the use of the Send and hash queries. A attempts to beguile a legitimate entity into accepting a modified message. As discussed previously, A can repeat the queries to the oracles in order to induce hash collisions. However, since all the messages contain random nonces, hash collisions cannot be induced on h(·) by A. It is worth noticing that the games G_1 and G_2 are identical except for the Send and hash queries in the game G_2. Thus, by the birthday paradox, we have
• Game G_3: An extension of G_2, the game G_3 is the final game and it simulates the CorruptSC and CorruptSD queries. Querying these oracles, A can learn {A_1, A_2, A_3, τ_u, TEMP} and {K_GS}, respectively. The probabilities of A correctly guessing the biometric secret key σ_u of bit-length l_1 and the user identity ID_u of bit-length l_2 are 1/2^{l_1} and 1/2^{l_2}, respectively [33]. As user-chosen passwords tend to follow Zipf's law, by utilizing trawling guessing attacks, A's advantage will be over 0.5 when q_s = 10^7 or 10^8 [30]. If A can utilize a user's personal information for targeted guessing attacks, he/she will have an advantage over 0.5 when q_s ≤ 10^6 [30].
In a practical implementation, only a finite number of erroneous password attempts are permitted to the adversary A. Therefore, the games G_3 and G_2 are identical except for the guessing attacks. Thus, we can formulate the following relation as in [32]:
However, A must guess a bit c after executing the Test query to win the game G_3. Therefore, it follows that Pr[SCS_3] = 1/2.

Formal Security Verification through AVISPA Simulation
AVISPA is an automated software tool for the formal verification of security-sensitive protocols and applications [28]. AVISPA implements the Dolev-Yao (DY) threat model and verifies whether a scheme is resistant to replay and man-in-the-middle attacks. A security protocol to be verified needs to be modeled in the associated "High Level Protocol Specification Language (HLPSL)" [34]. AVISPA provides a translator, known as HLPSL2IF, for translating HLPSL into the Intermediate Format (IF). The IF can be interpreted by one of the four available backends to generate a report in the Output Format (OF). The OF contains, among other sections, the following:
• SUMMARY: It states whether the tested protocol is "safe", "unsafe", or whether the analysis was "inconclusive".
A more detailed description of AVISPA and HLPSL is available in [28]. The four backends available with AVISPA are [28]: (a) "On-the-fly Model-Checker (OFMC)", (b) "Constraint-Logic-based Attack Searcher (CL-AtSe)", (c) "SAT-based Model-Checker (SATMC)", and (d) "Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)". Among these, OFMC and CL-AtSe are the most widely accepted, and we evaluate the proposed scheme under these backends to formally verify its resistance to the "man-in-the-middle and replay attacks".
We have implemented the proposed scheme in HLPSL and defined the necessary roles for a user U, a smart device SD, and GWN for the different phases of the proposed scheme. We have also specified the roles for the session, goal, and environment as per the HLPSL specification. Finally, we have simulated the proposed scheme using "SPAN, the Security Protocol ANimator for AVISPA" [35]. Figure 4 presents the simulation results under the widely used OFMC and CL-AtSe backends. The simulation results clearly demonstrate that the proposed scheme is safe against the "man-in-the-middle and replay attacks".

Informal Security Analysis
In the following, we demonstrate that the proposed scheme is secure against various known attacks.

Replay Attack
Assume an adversary A replays the old message M_1 to the GWN. The GWN will reject the replayed message once it detects that R_u is not fresh. Similarly, all messages carry random nonces, whose freshness can be verified in the same way. Thus, the proposed scheme is resilient against the replay attack.

Forgery Attack
An adversary A can attempt to forge the message {DID_u, M_1, V_1} sent to the GWN. However, M_1 is encrypted with the secret key K_UG, and V_1 is also bound to DID_u and M_1 to prevent forgery, so A cannot forge this message. Similarly, the other messages cannot be forged either, and the proposed scheme is resilient against the forgery attack.

Impersonation Attack
Assume an adversary A, after capturing the messages from a successful login and authentication attempt, tries to impersonate the user U. As DID_u is single-use and V_1 binds ID_U and M_1 against forgery, A cannot simply modify the captured messages with his/her own R_u to impersonate U. Similarly, A's attempt to impersonate the GWN will fail, because he/she is unable to generate (M_2, V_2) and (M_4, V_4) without the knowledge of K_GS and K_UG, respectively. As a result, the proposed scheme is resilient against impersonation attacks.

Man-in-the-Middle Attack
Assume an adversary A attempts to execute a man-in-the-middle attack by capturing and modifying the login message from U to the GWN. The message cannot be forged or modified without knowledge of the secret credentials. Thus, the proposed scheme also protects against the "man-in-the-middle attack".

Loss of Smart Card and Offline Guessing Attack
Assume an adversary A recovers a lost smart card; he/she can learn the stored values A_1, A_2, A_3, τ_u and TEMP through "power analysis attacks". Of these, τ_u and TEMP are the public reconstruction parameter for the biometrics and the failed-login-attempt counter, respectively, which are not sensitive; none of the remaining values is stored in plaintext, and each is a combination of the secret identity, password, and biometrics. For A to subvert the proposed scheme through an offline guessing attack, he/she would have to simultaneously guess ID_u, PW_u, and σ_u, which is a "computationally infeasible" task. Thus, the proposed scheme is resilient against the "loss of smart card and offline guessing attacks".

Privileged-Insider Attack
Assume an adversary A is a privileged insider; he/she can eavesdrop during the registration phase and learn the user identity ID_u. Now, assume further that he/she has subverted the user's smart card SC_u to recover the stored values. Even if ID_u is known, in order to subvert the scheme with the available information, A must simultaneously guess the password PW_u and the biometric secret key σ_u, which is computationally infeasible. As a result, the proposed scheme protects against the privileged-insider attack.

Ephemeral Secret Leakage (ESL) Attack
Assume an adversary A learns one or more of the session-specific secrets (R_u, R_g, R_d) through a session hijacking attack under the CK-adversary model. Since the session key SK = h(h(ID_u || R_u || C_1) || R_d || SID_d) is derived from the user's secret identity ID_u and the GWN's long-term secret K in addition to (R_u, R_g, R_d), A cannot compute SK without these long-term secrets. Thus, the proposed scheme is secure against the ESL attack.

Parallel Session Attack
For an adversary A to successfully execute a parallel session attack, he/she needs to compose the session key SK = h(h(ID_u || R_u || C_1) || R_d || SID_d) by eavesdropping on the authentication-related messages. However, no secrets are compromised even under the lost smart card attack or the privileged-insider attack. As a result, the proposed scheme is secure against the parallel session attack.
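The session key formula used in both the ESL and the parallel session arguments, carried through in Python as an added example (this is not code from the paper): h(·) is instantiated as SHA-256, the identities and nonces are constructed sample values, and the form C_1 = h(ID_u || K) is an assumption, since the page only states that the GWN's long-term secret K enters SK without giving C_1's construction.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    # The paper's one-way hash h(.) over the '||' concatenation, instantiated as SHA-256.
    return hashlib.sha256(b"".join(parts)).digest()


def c1_from_gwn_secret(id_u: bytes, k: bytes) -> bytes:
    # C_1 is where the GWN's long-term secret K enters SK. ASSUMPTION: the page does not
    # give C_1's construction, so this particular form is hypothetical.
    return h(id_u, k)


def session_key(id_u: bytes, r_u: bytes, c_1: bytes, r_d: bytes, sid_d: bytes) -> bytes:
    # SK = h(h(ID_u || R_u || C_1) || R_d || SID_d), exactly the formula in the paper.
    return h(h(id_u, r_u, c_1), r_d, sid_d)


def honest_session(id_u: bytes, k: bytes, sid_d: bytes):
    # One protocol run with fresh ephemeral nonces. R_g is session-specific but does not
    # appear in the SK formula, so it is only carried along for the adversary's view.
    r_u, r_g, r_d = (secrets.token_bytes(16) for _ in range(3))
    sk = session_key(id_u, r_u, c1_from_gwn_secret(id_u, k), r_d, sid_d)
    return sk, (r_u, r_g, r_d)


def ck_adversary_sk(ephemerals, sid_d: bytes, id_u_guess: bytes, k_guess: bytes) -> bytes:
    # CK adversary: holds every ephemeral secret and SID_d, but must guess ID_u and K.
    r_u, _r_g, r_d = ephemerals
    return session_key(id_u_guess, r_u, c1_from_gwn_secret(id_u_guess, k_guess), r_d, sid_d)


def esl_demo() -> dict:
    # Constructed sample values (not taken from the paper).
    id_u, k, sid_d = b"user-42", secrets.token_bytes(32), b"smart-lock-01"
    sk1, eph1 = honest_session(id_u, k, sid_d)
    sk2, _ = honest_session(id_u, k, sid_d)
    # Ephemerals only, with both long-term secrets guessed wrong.
    wrong_both = ck_adversary_sk(eph1, sid_d, b"user-41", secrets.token_bytes(32))
    # Insider who also knows ID_u still lacks K.
    wrong_k = ck_adversary_sk(eph1, sid_d, id_u, secrets.token_bytes(32))
    # Only with ID_u and K does the adversary's computation match the honest SK.
    right = ck_adversary_sk(eph1, sid_d, id_u, k)
    return {
        "needs_long_term_secrets": wrong_both != sk1 and wrong_k != sk1 and right == sk1,
        "fresh_per_session": sk1 != sk2,  # distinct nonces give a distinct SK per run
    }
```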

Stolen Verifier Attack
The gateway node GWN maintains the tuple {DID_u, ID_u, R_g} for each user U. Of these, DID_u and R_g are distinct random nonces. Exposure of ID_u is equivalent to a privileged-insider attack, against which the proposed scheme is resistant. Thus, the stolen verifier attack is not a threat to the proposed scheme.

Smart Card Impersonation Attack
A smart card impersonation attack can only be executed by an adversary A if he/she can learn the secret values ID_u, PW_u and σ_u of a user's smart card. Nevertheless, these secret values are not compromised through a lost smart card, even in the presence of a privileged-insider attacker. The proposed scheme is therefore secure against the smart card impersonation attack.

Anonymity and Untraceability
Assume that an adversary A eavesdrops on and monitors the messages from a successful login and authentication. None of the eavesdropped values {DID_u, M_1, M_2, M_3, M_4, V_1, V_2, V_3, V_4} contains any plaintext information useful for identifying the user U or the smart device SD. Thus, the proposed scheme provides anonymity. Furthermore, all of the eavesdropped values incorporate random nonces, and consequently they are unique across different authentication sessions. Thus, the proposed scheme also provides untraceability.

Computation Costs Comparison
For the computation cost analysis, we denote by T_bp, T_m, T_b and T_h the time needed for computing a "bilinear pairing", an "ECC multiplication", the "fuzzy extractor function Gen(·)/Rep(·) for biometric verification" and a "hash" operation, respectively. Based on the experimental results reported in [36], we have T_bp ≈ 32.713 ms (milliseconds), T_m ≈ 13.405 ms, T_b ≈ T_m = 13.405 ms and T_h ≈ 0.056 ms. Table 2 summarizes the computational costs of the proposed scheme and other existing schemes. It is clear that the presented scheme has a significantly lower computation cost than the scheme of Shuai et al. [7]. With the exception of Fakroon et al. [23], which might incur a greater computation cost, the proposed scheme has the lowest computation cost.

Security and Functionality Features Comparison
Finally, in Table 3, the functionality of the proposed scheme and other existing schemes is compared. From this table, it is apparent that the proposed scheme provides better security and functionality features than the other existing schemes. Moreover, from Tables 1 and 2, we can see that the proposed scheme requires lower computation and communication overheads than the other schemes.

Practical Impact Study through NS3 Simulation
To estimate the practicability of the proposed scheme, we have performed a simulation study. We have utilized the most recent iteration of the widely accepted network simulator tool, NS3 (3.28). We ran our simulation on a Linux workstation. For our simulation, we place the gateway node (GWN) at the origin of the coordinate system. The smart devices are placed at random positions 20 to 100 m from the GWN. The users are permitted to move across a square of 150 m side centered on the GWN with a maximum speed of 3 m per second. Users attempt to establish session keys with all available devices. Communication is measured over the IEEE 802.11 2.4 GHz channel. We have then simulated several scenarios with differing numbers of users and smart devices. The details of the simulation parameters are presented in Table 4. Any parameters not explicitly mentioned here are assumed to have their default values as defined by NS3. Figure 5a,b presents the network throughput and end-to-end delay for the proposed scheme, respectively, under the different scenarios. The network throughput is calculated according to the formula: whereas the end-to-end delay is computed with the formula: Here, N_p is the total number of packets received, |byte| is the number of bytes in each packet, T_sum represents the total time taken, and T_s^i and T_r^i are the transmission and receiving times of the i-th packet, respectively. The simulation results demonstrate the expected correlation between the number of participants, the network throughput and the end-to-end delay.

Conclusions
We first discussed the issue of anonymous user authentication in smart home environments. We then cryptanalyzed the recently proposed user authentication scheme and discovered several security vulnerabilities in it. Furthermore, we proposed a more secure and robust authentication scheme for anonymous user authentication and key agreement in smart homes that removes the security pitfalls found in the existing scheme of Shuai et al., while retaining its advantages. The security analysis and performance comparison show that the proposed scheme provides better security and more functionality features at low communication and computation overheads when compared with other recent existing schemes. In our future work, we plan to investigate the possibility of extending the proposed scheme to support remote registration, as designed in the scheme proposed by Yu and Li [21], at more acceptable communication and computation overheads.