A Privacy Preserving Authentication Scheme for Roaming in IoT-Based Wireless Mobile Networks

The roaming service enables a remote user to obtain desired services while roaming in a foreign network, with the help of his home network. Authentication is a pre-requisite for secure communication between a foreign network and the roaming user; it enables the user to share a secret key with the foreign network for subsequent private communication of data. Sharing a secret key is a tedious task due to the underlying open and insecure channel. Recently, a number of schemes have been proposed to provide authentication between a roaming user and foreign networks. Very recently, Lu et al. claimed that the seminal Gope-Hwang scheme fails to resist a session-specific temporary information leakage attack. Lu et al. then proposed an improved scheme based on Elliptic Curve Cryptography (ECC) for roaming users. Contrary to their claim, this paper provides an in-depth cryptanalysis of Lu et al.'s scheme and shows its weaknesses against Stolen Verifier and Traceability attacks. Moreover, the analysis also affirms that the scheme of Lu et al. entails incorrect login and authentication phases and is prone to scalability issues. An improved scheme is then proposed. The scheme not only overcomes the weaknesses of Lu et al.'s scheme but also incurs low computation time. The security of the scheme is analyzed through formal and informal methods; moreover, the automated tool ProVerif also verifies the security features claimed by the proposed scheme.

into a roaming agreement in order to facilitate their users. The user registers himself with the home network and, when he roams out of the coverage of his home network and enters the coverage range of another network (a foreign network having a roaming agreement with the home network), can access and enjoy the services of his home network through the foreign network. The roaming service is rapidly gaining importance, due to millions of subscribers traveling abroad per year. The main issue restricting wide usage of roaming services is the security and privacy of the connecting parties. All the services provided communicate through an open/insecure wireless channel, with an inherent effect on the security of such networks. The roaming process requires proper security mechanisms and is equally important for the three participants: the foreign network cannot allow its resources and services to be used illegitimately and without payment, the home network must avoid becoming a source of illegal access to the foreign network, and the user does not want to be charged for services used by some adversary. Moreover, from the user's perspective, privacy and anonymity have gained much importance. Without privacy and anonymity, the adversary can track user movements and current location [1,2]. Properly countering security-related issues requires the development of customized authentication protocols, which not only verify the authenticity of the communicating parties but also establish a session key for the subsequent confidential data/services exchanged between the participating entities. Authentication is required when a user roams out of the coverage area of his home network and enters the coverage area of a foreign network. The user has to get authenticated by the foreign network with the help of his home network.
A successful authentication process can ensure that access to the network is limited to legitimate users only [3]. In recent years, various authentication protocols were proposed [4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20] based on different cryptographic mechanisms. The schemes [15][16][17][18] are based on lightweight symmetric key primitives; as per the criteria laid down by Wang and Wang [21], symmetric key mechanisms cannot provide privacy except by keeping a very large number of pseudo identities in a smart-card with low memory or by getting a dynamic identity from the home network at each login request. The schemes [4][5][6][7][12][13][14], based on bilinear pairing/modular exponentiation operations, consume much more computation and in turn drain more battery power from already power-limited wireless/mobile devices. Some of the schemes [8][9][10][11] are based on public key but still low-resource-consuming Elliptic Curve Cryptography (ECC).
In 2009, Chang et al. [17] proposed an authentication scheme to secure GLOMONET. However, it was soon realized by Youn et al. [22] that the scheme proposed in Reference [17] could not achieve user anonymity. In 2012, Mun et al. [8] proposed an ECC-based authentication scheme for roaming users on the principles of the EC Diffie-Hellman problem (ECDHP). Soon after Mun et al.'s proposal, Reddy et al. [9] and Kim et al. [23] found various weaknesses in Mun et al.'s scheme, including insecurity against replay attacks. Reddy et al. [9] then proposed a slightly modified version to resist replay and other attacks against Mun et al.'s scheme. In 2017, another symmetric key based scheme for GLOMONET was proposed by Chaudhry et al. [18]. However, the authors of Reference [24] found various weaknesses, including vulnerability to impersonation and related attacks, in Chaudhry et al.'s scheme [18]. The scheme proposed by Lee et al. [24] is itself susceptible to a traceability attack, as the dynamic identity is sent by the home agent during the session in plain text, and this plain-text dynamic identity sent through the open channel can be used to trace future login requests. Recently, Gope and Hwang [25] proposed an authentication scheme for roaming users in GLOMONET using a pseudo identity to counter DoS attacks. Very recently, in 2019, Lu et al. [26] pointed out various weaknesses in the Gope-Hwang scheme, including its insecurity against a known session-specific parameter leakage attack. Moreover, Lu et al. claimed that the Password Renewal Phase of Gope-Hwang is faulty, and they proposed a new ECC-based scheme.

The Contributions
Quite recently, in 2019, Lu et al. [26] found some weaknesses in the Gope-Hwang [25] authentication scheme for roaming users. To combat these, Lu et al. proposed a new roaming user authentication scheme using ECC and claimed that their proposal extends the required security features and resists known attacks. Contrary to their claim [26], the cryptanalysis in this article shows that the roaming scheme presented in Reference [26] cannot protect the remote user against Stolen Verifier and Traceability attacks. Moreover, the analysis also affirms that the scheme of Lu et al. entails incorrect login and authentication phases and is prone to scalability issues. Therefore, an improved scheme based on ECC is designed by modifying only some of the steps in Lu et al.'s proposal. The scheme not only overcomes the weaknesses of Lu et al.'s scheme but also incurs low computation time. The proposed scheme entails the following merits:
• The scheme provides provable security under the hardness of the elliptic-curve discrete logarithm (ECDLP) and elliptic-curve Diffie-Hellman (ECDHP) problems.
• The scheme provides security and anonymity under the automated security model of ProVerif.
• The scheme provides authentication between the user and the foreign network with the help of the home network.
• The scheme requires low computation as compared with the baseline scheme presented in Reference [26].

Security Requirements
The user-friendly security requirements for a roaming user authentication scheme are as follows:
1. The mobile roaming user should have the facility to change his password credentials in an easy manner, and he should not be required to memorize a complicated and/or long password.
2. Along with the traditional security requirements, the scheme should ensure user privacy and anonymity. Any insider/outsider, including foreign agents, should remain unaware of the original identity of the roaming user. Moreover, the current location of the user should not be exposed to anyone with some previous knowledge.
3. The home network should facilitate the authentication process between the user and the foreign network.
4. The authentication should result in a shared secret key between the user and the foreign network for subsequent confidential communication over the insecure link.
5. The scheme should at least resist all known attacks.

Adversarial Model
The common model for adversary capabilities, as mentioned in References [27][28][29][30][31], is adopted and explained below:
1. The adversary ($MU_a$) fully controls the link and can listen to, modify and replay a message from all the legal communicating parties. $MU_a$ is also able to inject a self-created false message.
2. $MU_a$ can easily get identity-related information.
3. $MU_a$ knows all public parameters.
4. Being an insider, $MU_a$ can extract the verifier table stored in the home network database.
5. The Home Network's private key is considered secret and no other entity can extract the key.
6. The pre-shared key between home and foreign networks is assumed to be secure.

Review of the Scheme of Lu et al.
A brief review of Lu et al.'s roaming user authentication scheme is given here. Before moving further, please refer to Table 1 for the notations used in this paper. The three main phases of Lu et al.'s scheme are detailed in the subsections below:

Home Network Agent Setup Phase
For system-setup purposes, the Home Network Agent $HA_z$ selects an elliptic curve $E_p(a, b): y^2 = x^3 + ax + b \bmod p$, where $a, b \in F_p$ ($F_p$ a finite field) such that $4a^3 + 27b^2 \neq 0$, along with the point at infinity $O$. $HA_z$ then selects a base point $P$ over $E_p(a, b)$. $HA_z$ selects a secret key $S_h$ and computes the public key $P_h = S_h P$. $HA_z$ also selects irreversible hash and keyed MAC functions $h()$, $H()$, $Mac_k()$, along with symmetric encryption/decryption algorithms $E_k()$, $D_k()$.

Registration Phase
Step LRP1: The mobile user $MU_x$ selects an identity/password pair $\{ID_{mx}, PW_{mx}\}$, along with a randomly generated $r_{mx}$, and computes $PWU_{hz} = h(PW_{mx}, r_{mx})$. $MU_x$ sends the pair $\{ID_{mx}, PWU_{hz}\}$ to $HA_z$.
Step LRP2: Upon reception of the pair $\{ID_{mx}, PWU_{hz}\}$ from $MU_x$, $HA_z$ generates random $x_1$, $x_2$ and $r_{mx}$ and stores $ID_{mx}$ and a sequence number $SNum_{mx}$ against the $i$-th registration request of $MU_x$. $HA_z$ then computes $PID_{mx} = h(h(ID_{mx}, x_1), x_2)$, $K_{xz} = h(PID_{mx}, S_h)$, $\alpha_{hz} = E_{PWU_{hz}}(K_{xz})$, and $\beta_{hz} = h(h(ID_{mx}), PWU_{hz})$. $HA_z$ then sends a smart-card containing $\{\alpha_{hz}, \beta_{hz}, PID_{mx}\}$ to $MU_x$. $HA_z$ stores $K_{xz}$ in a verifier table maintained by $HA_z$.

Login & Authentication Phase
Step LLA1: After inserting the smart-card, $MU_x$ inputs $ID_{mx}$ and $PW_{mx}$; the smart-card computes $PWU_{hz} = h(PW_{mx}, r_{mx})$ and verifies $h(h(ID_{mx}), h(r_{mx}, PWU_{hz})) \overset{?}{=} \beta_{hz}$. It terminates the session if verification is unsuccessful. Otherwise, it generates a time-stamp $T_1$ and a random $N_{mx}$ and computes $K_{xz} = D_{PWU_{hz}}(\alpha_{hz})$, $A_{mx} = N_{mx}P + H(K_{xz}, ID_{mx}, ID_{hz})P$, $B_{mx} = E_{K_{xz}}(ID_{mx}, T_1, PID_{mx})$ and
Step LLA2: $FA_y$, upon reception of the request, checks the freshness of $T_1$ and generates a fresh time-stamp $T_2$ and random $N_{fy}$. $FA_y$ then computes $A_{fy} = N_{fy}P + H(K_{yz}, ID_{fy}, T_2)P$, $B_{fy} = Mac_{(N_{fy}P)_x}(ID_{hz}, T_1)$ and sends $M_{fh2} = \{M_{uf1}, A_{fy}, B_{fy}, T_2\}$ to $HA_z$.
Step LLA3: $HA_z$ verifies the freshness of $T_2$ after receiving the message from $FA_y$ and rejects the message if $T_2$ is not fresh. Otherwise, $HA_z$, based on $PID_{mx}$, extracts the corresponding shared key $K_{xz}$ from the verifier database and decrypts $B_{mx}$ to get $ID_{mx}$. $HA_z$ verifies the originality of $ID_{mx}$ by comparing it with the one stored in the verifier in a tuple consisting of $ID_{mx}$, $PID_{mx}$ and $K_{xz}$. Upon successful verification, $HA_z$ computes $N_{mx}P = A_{mx} - H(K_{xz}, ID_{mx}, ID_{hz})P$ and verifies whether $C_{mx} \overset{?}{=} Mac_{K_{xz}}(N_{mx}P, ID_{mx}, T_1)$. Upon successful verification, $HA_z$ computes $N_{fy}P = A_{fy} - H(K_{yz}, ID_{fy}, T_2)P$ and then checks $B_{fy} \overset{?}{=} Mac_{(N_{fy}P)_x}(ID_{hz}, T_1)$. On success, $HA_z$ updates $K_{yz} = K_{yz} \oplus h(ID_{fy}, N_{fy}P, T_3)$ and computes $A_{hz} = N_{mx}P + H(ID_{mx})P + H(K_{yz}, ID_{hz}, N_{fy}P)P$, $B_{hz} = Mac_{K_{yz}}(N_{fy}P, N_{mx}P + H(ID_{mx})P, T_3)$. $HA_z$ also updates $K_{xz} = K_{xz} \oplus h(ID_{mx}, N_{mx}P, T_3)$ and computes $C_{hz} = N_{fy}P + H(K_{xz}, ID_{hz}, N_{mx}P)P$, $D_{hz} = Mac_{K_{xz}}(ID_{fy}, N_{fy}P, T_3, PID_{mx})$. $HA_z$ then sends $M_{hf3} = \{A_{hz}, B_{hz}, C_{hz}, D_{hz}, T_3\}$ to $FA_y$ and increments $SNum_{mx}$.
Step LLA4: $FA_y$ checks the freshness of $T_3$ after receiving the response of $HA_z$. On success, $FA_y$ computes $N_{mx}P + H(ID_{mx})P = A_{hz} - H(K_{yz}, ID_{hz}, N_{fy}P)P$. $FA_y$ then verifies the validity of $B_{hz}$ and, on success, computes $C_{fy} = Mac_{(N_{mx}P + H(ID_{mx})P)_x}(ID_{fy}, N_{fy}P, T_3, T_4, C_{mx})$. The session key is computed as $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$. Then, $FA_y$ sends
Step LLA5: Upon reception, $MU_x$ verifies the freshness of $T_3$ and $T_4$ and, on success, computes $N_{fy}P = C_{hz} - H(K_{xz}, ID_{hz}, N_{mx}P)P$. $MU_x$ further checks the validity of $D_{hz}$ and $C_{fy}$; if both hold, $MU_x$ computes the session key $SK = h((N_{mx} + H(ID_{mx}))N_{fy}P)$, $D_{mx} = Mac_{((N_{mx} + H(ID_{mx}))P)_x}(C_{fy}, N_{fy}P)$ and sends $M_{uf5} = \{D_{mx}, T_5\}$ to $FA_y$.
Step LLA6: $FA_y$ verifies the freshness of $T_5$ and checks the validity of $D_{mx}$. If it holds, $FA_y$ treats $MU_x$ as a legitimate user, and further communication between $FA_y$ and $MU_x$ may now be carried out using the shared key $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$.

Cryptanalysis of the Scheme of Lu et al.
In this section, the cryptanalysis of Lu et al.'s scheme is carried out under the realistic assumptions made in the adversarial model of Section 1.3. The following subsections show that the scheme of Lu et al. carries severe weaknesses, including insecurity against Stolen Verifier and known Session Specific variable attacks. Moreover, the scheme does not provide untraceability and has scalability issues. More seriously, the scheme also entails correctness issues; such incorrectness may stop the authentication process before completion, and a legitimate user may experience denial of service. The following subsections explain the weaknesses:

Stolen Verifier Attack
Let $MU_a$ be a dishonest insider who, based on his capabilities as mentioned in Section 1.3, can steal the verifier table with tuples $\{ID_{mx}, PID_{mx}, K_{xz}\}$. Using the verifier parameters, $MU_a$ can impersonate any roaming mobile user registered with the home agent. The attack is simulated as follows:
Step IA1: $MU_a$ generates a time-stamp $T_{a1}$ and random $N_{ma}$, and computes:
Step IA2: $FA_y$, upon reception of the request, checks the freshness of $T_{a1}$, and generates a fresh time-stamp $T_2$ and random $N_{fy}$. $FA_y$ then computes:
Step IA3: $HA_z$ verifies the freshness of $T_2$ after receiving the message from $FA_y$ and accepts the message as $T_2$ is fresh. $HA_z$, based on $PID_{mx}$, extracts $K_{xz}$ and $ID_{mx}$ from the verifier table and computes: $HA_z$ compares the decrypted $ID_{mx}$ from Equation (6) with the one extracted from the verifier table. The attacker $MU_a$ will pass this test as both values are the same. Now, $HA_z$ computes: $HA_z$ checks: $HA_z$ authenticates $MU_x$ on the basis of the equality of Equation (8). $MU_a$ will also pass this test, as all parameters in the computation of $C_{ma}$ were accessible to $MU_a$ and were correctly calculated when $MU_a$ computed $C_{ma}$. Now, $HA_z$ computes: $HA_z$ then checks: As $FA_y$ is legitimate, it will pass the check of Equation (10). Hence, $HA_z$ computes $C_{hz} = N_{fy}P + H(K_{xz}, ID_{hz}, N_{mx}P)P$; $HA_z$ then updates: Finally, $HA_z$ sends $M_{hf3} = \{A_{hz}, B_{hz}, C_{hz}, D_{hz}, T_3\}$ to $FA_y$ and increments $SNum_{mx}$.
Step IA4: $FA_y$ checks the freshness of $T_3$ and computes: $FA_y$ then verifies the validity of $B_{hz}$ and, on success, computes:
Step IA5: $MU_a$ intercepts the message and computes: $MU_a$ sends $M_{A5} = \{D_{ma}, T_{A5}\}$ to $FA_y$.
Step IA6: $FA_y$ verifies the freshness of $T_{A5}$ and checks the validity of $D_{ma}$. As $T_{A5}$ is freshly generated, it will pass the test. Similarly, $MU_a$ has access to all parameters used for the computation of $D_{ma}$, so it will also pass the test. Therefore, $MU_a$ has also deceived $FA_y$ and passed the authentication. Now, $MU_a$ can easily communicate with $FA_y$ on behalf of $MU_x$ using the shared key $SK = h(N_{fy}(N_{ma}P + H(ID_{mx})P))$.

Traceability
Along with security, user anonymity/privacy is of vital interest; if it is compromised, the attacker can infer victim-related important information, including his lifestyle, habits, shopping preferences, and sensitive location-related information of the mobile user. Ensuring (1) identity hiding and (2) untraceability are the primary goals of privacy protection. Identity hiding refers to concealing the original identity of the user on the public network, and untraceability ensures that no one can determine that two different sessions were requested by a single user. In the scheme of Lu et al., a static parameter $PID_{mx}$ is used as the pseudo identity of $MU_x$, which remains the same for all sessions. Although it provides identity hiding, it lacks untraceability. Therefore, anyone just listening to the public channel can affirm whether or not different sessions are initiated by a single user.

Incorrectness
In Lu et al.'s scheme, $HA_z$ updates the pre-shared keys $K_{xz}$ with $MU_x$ and $K_{yz}$ with $FA_y$ during each session, as shown in Equations (15) and (16), whereas these keys are not updated on the other sides, i.e., at $MU_x$ and $FA_y$. Hence, the subsequent authentication request will fail, and the scheme can work for a single authentication only, which is not what any scenario requires, especially IoT-based systems.
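The desynchronisation just described can be reproduced in a few lines. The following is an added simulation, not code from the paper: a home agent that refreshes $K_{xz}$ after every accepted login (Lu et al.'s step) is run against a mobile user that keeps the key it was issued, and the same run is repeated without the update (the behaviour the proposed scheme adopts). The shared key, the identity, the timestamps and the stand-in bytes used in place of the point $N_{mx}P$ are constructed values; $h()$ is SHA-256 and $Mac_k()$ is HMAC-SHA256 by assumption.

```python
"""Added example (not from the paper): one-sided key update and its effect on the next login.
HA_z refreshes K_xz after each successful session while MU_x keeps the original key, so the
second login's MAC no longer verifies. All names and sample values are constructed; N_mx P is
stood in for by a fresh digest, because only its byte value enters h() and Mac_k() here."""
import hashlib, hmac

def h(*parts): return hashlib.sha256(b"|".join(parts)).digest()
def mac(key, *parts): return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()
def xor(u, v): return bytes(x ^ y for x, y in zip(u, v))

class MobileUser:
    """Holds K_xz as issued at registration; it is never told about later updates."""
    def __init__(self, ID_mx, K_xz): self.ID_mx, self.K_xz = ID_mx, K_xz
    def C_mx(self, NmxP, T1):
        return mac(self.K_xz, NmxP, self.ID_mx, T1)          # C_mx = Mac_Kxz(N_mx P, ID_mx, T_1)

class HomeAgent:
    """Verifier table {ID_mx: K_xz}. update=True models Lu et al.'s step
    K_xz <- K_xz XOR h(ID_mx, N_mx P, T_3); update=False drops the step."""
    def __init__(self, table, update): self.table, self.update = dict(table), update
    def verify(self, ID_mx, NmxP, T1, C_mx, T3):
        K_xz = self.table[ID_mx]
        ok = hmac.compare_digest(C_mx, mac(K_xz, NmxP, ID_mx, T1))
        if ok and self.update:
            self.table[ID_mx] = xor(K_xz, h(ID_mx, NmxP, T3))   # only HA_z's copy changes
        return ok

def run_sessions(update, count=3):
    """Returns HA_z's verdict for `count` consecutive logins by the same user."""
    ID_mx, K_xz = b"MU_x", h(b"constructed shared key K_xz")
    user, home = MobileUser(ID_mx, K_xz), HomeAgent({ID_mx: K_xz}, update)
    verdicts = []
    for i in range(count):
        NmxP = h(b"stand-in for N_mx P", bytes([i]))          # fresh per session
        T1, T3 = b"T1-%d" % i, b"T3-%d" % i
        verdicts.append(home.verify(ID_mx, NmxP, T1, user.C_mx(NmxP, T1), T3))
    return verdicts

# run_sessions(True)  -> [True, False, False]  (Lu et al.: desynchronised after the first login)
# run_sessions(False) -> [True, True, True]    (no update: every login verifies)
```

The first verdict is `True` in both runs; with the update in place every later login fails because $HA_z$ recomputes $Mac_{K_{xz}}$ with a key the user never received.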

Scalability Problem
Due to the storage of a verifier table on $HA_z$, the scheme may suffer scalability issues. Moreover, finding the corresponding entries in a large verifier table may cause delay in delay-sensitive scenarios.

Proposed Scheme
This section explains our improved authentication scheme for roaming users in IoT-based wireless networks; the reasons affecting the security of Lu et al.'s scheme are considered in the design of our improved scheme. The storage of a verifier table with entries consisting of the tuple $\{ID_{mx}, PID_{mx}, K_{xz}\}$ is the hitch giving space to insecurities. Moreover, the verifier also results in delaying the authentication process. In Lu et al.'s scheme, $HA_z$ updates the pre-shared keys $K_{xz}$ with $MU_x$ and $K_{yz}$ with $FA_y$ during each session, whereas these keys ($K_{xz}$, $K_{yz}$) are not updated on the other sides, i.e., at $MU_x$ and $FA_y$. Therefore, the authentication may fail in subsequent sessions. The proposed scheme handles this incorrectness by removing this step, as the update of these keys is unnecessary. The proposed scheme avoids the use of any verifier stored on $HA_z$, removing this source of insecurity. Moreover, the proposed scheme modifies some steps of the registration and login/authentication phases. The working of the proposed scheme is shown in Figure 2. The following subsections explain the phases of the scheme:

System Setup Phase
For system-setup purposes, the Home Network Agent $HA_z$ selects an elliptic curve $E_p(a, b): y^2 = x^3 + ax + b \bmod p$, where $a, b \in F_p$ ($F_p$ a finite field) such that $4a^3 + 27b^2 \neq 0$, along with the point at infinity $O$. $HA_z$ then selects a base point $P$ over $E_p(a, b)$. $HA_z$ selects a secret key $S_h$ and computes the public key $P_h = S_h P$. $HA_z$ also selects two hash functions $h()$, $H()$, as well as a keyed MAC function $Mac_k()$, along with symmetric encryption/decryption algorithms $E_k()$, $D_k()$.
Note: The details of cryptographic primitives, including Hash, keyed MAC, etc., can be found in Reference [32].

Proposed Registration Phase
Step PRP1: The mobile user $MU_x$ selects an identity/password pair $\{ID_{mx}, PW_{mx}\}$, along with a randomly generated $r_{mx}$, and computes $PWU_{hz} = h(PW_{mx}, r_{mx})$. $MU_x$ sends the pair $\{ID_{mx}, PWU_{hz}\}$ to $HA_z$.
Step PRP2: Upon reception of the pair $\{ID_{mx}, PWU_{hz}\}$ from $MU_x$, $HA_z$ computes $U_{hz} = h(ID_{mx}, S_h)$, $\alpha_{hz} = U_{hz} \oplus PWU_{hz}$, and $\beta_{hz} = h(h(ID_{mx}), PWU_{hz})$. $HA_z$ then sends a smart-card containing $\{\alpha_{hz}, \beta_{hz}, P_h = S_hP\}$ to $MU_x$.
Step PRP3: Upon reception of the smart-card, $MU_x$ computes $R_{mx} = r_{mx} \oplus PW_{mx}$ and inserts $R_{mx}$ into it. Finally, the smart-card contains $\{\alpha_{hz}, \beta_{hz}, R_{mx}, h(), H(), E_k, D_k, Mac_k, P_h = S_hP, P\}$.

Login & Authentication Phase
Step PLA1: After inserting the smart-card, $MU_x$ inputs $ID_{mx}$ and $PW_{mx}$; the smart-card computes $r_{mx} = R_{mx} \oplus PW_{mx}$ and $PWU_{hz} = h(PW_{mx}, r_{mx})$.
The smart-card then verifies $\beta_{hz}$ and terminates the session if verification is unsuccessful. Otherwise, it generates a time-stamp $T_1$ and a random $N_{mx}$ and computes $U_{hz} = \alpha_{hz} \oplus PWU_{hz}$, $A_{mx} = N_{mx}P$, $B_{mx} = N_{mx}P_h$, $PID_{mx} = A_{mx} \oplus ID_{mx}$ and $C_{mx} = Mac_{U_{hz}}(N_{mx}P, ID_{mx}, T_1)$.
Step PLA2: $FA_y$, upon reception of the request, checks the freshness of $T_1$ and generates a fresh time-stamp $T_2$ and random $N_{fy}$. $FA_y$ then computes $A_{fy} = N_{fy}P + H(K_{yz}, ID_{fy}, T_2)P$.
Step PLA3: $HA_z$ verifies the freshness of $T_2$ after receiving the message from $FA_y$ and rejects the message if $T_2$ is not fresh. Otherwise, $HA_z$ computes $A_{mx} = S_h^{-1}B_{mx}$ and $ID_{mx} = A_{mx} \oplus PID_{mx}$. $HA_z$ verifies the originality of $ID_{mx}$ against the subscribers' identity table. Upon successful verification, $HA_z$ computes $U_{hz} = h(ID_{mx}, S_h)$ and verifies $C_{mx} \overset{?}{=} Mac_{U_{hz}}(N_{mx}P, ID_{mx}, T_1)$. Upon successful verification, $HA_z$ computes $N_{fy}P = A_{fy} - H(K_{yz}, ID_{fy}, T_2)P$ and then checks $B_{fy} \overset{?}{=} Mac_{(N_{fy}P)_x}(ID_{hz}, T_1)$. On success, $HA_z$ computes $A_{hz} = N_{mx}P + H(ID_{mx})P + H(K_{yz}, ID_{hz}, N_{fy}P)P$, $B_{hz} = Mac_{K_{yz}}(N_{fy}P, N_{mx}P + H(ID_{mx})P, T_3)$, $C_{hz} = N_{fy}P + H(U_{hz}, ID_{hz}, N_{mx}P)P$ and $D_{hz} = Mac_{U_{hz}}(ID_{fy}, N_{fy}P, T_3, PID_{mx})$. $HA_z$ then sends $M_{hf3} = \{A_{hz}, B_{hz}, C_{hz}, D_{hz}, T_3\}$ to $FA_y$.
Step PLA4: $FA_y$ checks the freshness of $T_3$ after receiving the response of $HA_z$. On success, $FA_y$ computes $N_{mx}P + H(ID_{mx})P = A_{hz} - H(K_{yz}, ID_{hz}, N_{fy}P)P$. $FA_y$ then verifies the validity of $B_{hz}$ and, on success, computes $C_{fy} = Mac_{(N_{mx}P + H(ID_{mx})P)_x}(ID_{fy}, N_{fy}P, T_3, T_4, C_{mx})$. The session key is computed as $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$. Then, $FA_y$ sends $M_{fu4} = \{C_{fy}, C_{hz}, D_{hz}, T_3, T_4\}$ to $MU_x$.
Step PLA5: Upon reception, $MU_x$ verifies the freshness of $T_3$ and $T_4$ and, on success, computes $N_{fy}P = C_{hz} - H(U_{hz}, ID_{hz}, N_{mx}P)P$. $MU_x$ further checks the validity of $D_{hz}$ and $C_{fy}$; if both hold, $MU_x$ computes the session key $SK = h((N_{mx} + H(ID_{mx}))N_{fy}P)$, $D_{mx} = Mac_{((N_{mx} + H(ID_{mx}))P)_x}(C_{fy}, N_{fy}P)$ and sends $M_{uf5} = \{D_{mx}, T_5\}$ to $FA_y$.
Step PLA6: $FA_y$ verifies the freshness of $T_5$ and checks the validity of $D_{mx}$. If it holds, $FA_y$ treats $MU_x$ as a legitimate user, and further communication between $FA_y$ and $MU_x$ may now be carried out using the shared key $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$.
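The system setup, the registration phase and the core of the login/authentication phase described above, as an added executable walk-through. This is not code from the paper: the paper fixes no concrete curve or primitives, so the secp256k1 domain parameters standing in for $E_p(a, b)$ and $P$, SHA-256 for $h()$ and $H()$ (the latter reduced mod $n$ to give a scalar), HMAC-SHA256 for $Mac_k()$, the 64-byte $x\|y$ point encoding, the fixed-width padding of identities and passwords that makes the paper's XORs well defined, and the sample identity and password are all assumptions of this example. The $K_{yz}$/$U_{hz}$ masking of the transported points and the timestamp checks of PLA2 to PLA6 are left out so that the example concentrates on the three steps that distinguish the proposed scheme from Lu et al.'s: the verifier-free derivation of $U_{hz}$, the recovery of $N_{mx}P$ from $B_{mx}$ with $S_h^{-1}$, and the two-sided computation of $SK$.

```python
"""Added example, not the paper's own code: a runnable walk-through of the proposed
scheme's system setup, registration (PRP1-PRP3) and the core of login/authentication
(PLA1, PLA3 and the session key of PLA4/PLA5). Assumed here: secp256k1 stands in for
E_p(a, b) and P; h()/H() are SHA-256 (H() reduced mod n to a scalar); Mac_k() is
HMAC-SHA256; points are encoded as 64-byte x||y; identities/passwords are padded to
fixed widths so the paper's XORs are well defined."""
import hashlib, hmac, secrets

# secp256k1 domain parameters (the paper leaves the concrete curve open)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a, b = 0, 7
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
O = None  # point at infinity

def curve_ok():
    """System-setup check: 4a^3 + 27b^2 != 0 (mod p) and P lies on E_p(a, b)."""
    return (4 * a**3 + 27 * b**2) % p != 0 and (P[1]**2 - P[0]**3 - a * P[0] - b) % p == 0

def add(Q, R):
    """Affine point addition on E_p(a, b); O is the identity."""
    if Q is O: return R
    if R is O: return Q
    if Q[0] == R[0] and (Q[1] + R[1]) % p == 0: return O
    if Q == R: lam = (3 * Q[0]**2 + a) * pow(2 * Q[1], -1, p) % p
    else:      lam = (R[1] - Q[1]) * pow(R[0] - Q[0], -1, p) % p
    x = (lam * lam - Q[0] - R[0]) % p
    return (x, (lam * (Q[0] - x) - Q[1]) % p)

def mul(k, Q):
    """Scalar multiplication kQ by double-and-add."""
    R = O
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def h(*parts): return hashlib.sha256(b"|".join(parts)).digest()             # h()
def H(*parts): return int.from_bytes(h(*parts), "big") % n                 # H(): hash to scalar
def mac(key, *parts): return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()
def enc(Q): return Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")     # 64-byte point encoding
def xor(u, v): return bytes(x ^ y for x, y in zip(u, v))
def pad(s, width): return s.ljust(width, b"\x00")                           # fixed-width fields for XOR

def register(ID_mx, PW_mx, S_h):
    """PRP1-PRP3: returns the smart-card contents {alpha_hz, beta_hz, R_mx, P_h}."""
    r_mx = secrets.token_bytes(32)
    PWU_hz = h(PW_mx, r_mx)                                   # PRP1, user side
    U_hz = h(ID_mx, S_h.to_bytes(32, "big"))                  # PRP2, HA_z side: no verifier table kept
    card = {"alpha": xor(U_hz, PWU_hz), "beta": h(h(ID_mx), PWU_hz), "P_h": mul(S_h, P)}
    card["R_mx"] = xor(r_mx, pad(PW_mx, 32))                  # PRP3: R_mx = r_mx XOR PW_mx
    return card

def user_login(card, ID_mx, PW_mx, T1):
    """PLA1: local password check against beta_hz, then A_mx, B_mx, PID_mx, C_mx."""
    r_mx = xor(card["R_mx"], pad(PW_mx, 32))
    PWU_hz = h(PW_mx, r_mx)
    if not hmac.compare_digest(h(h(ID_mx), PWU_hz), card["beta"]):
        raise ValueError("password check failed")
    U_hz = xor(card["alpha"], PWU_hz)
    N_mx = secrets.randbelow(n - 1) + 1
    A_mx, B_mx = mul(N_mx, P), mul(N_mx, card["P_h"])        # B_mx = N_mx S_h P
    PID_mx = xor(enc(A_mx), ID_mx)                            # fresh pseudo identity every login
    C_mx = mac(U_hz, enc(A_mx), ID_mx, T1)
    return {"N_mx": N_mx, "U_hz": U_hz}, {"B_mx": B_mx, "PID_mx": PID_mx, "C_mx": C_mx, "T1": T1}

def home_verify(req, S_h, subscribers):
    """PLA3, user part: A_mx = S_h^-1 B_mx, ID_mx = A_mx XOR PID_mx, recompute C_mx.
    Returns (ID_mx, N_mx P + H(ID_mx) P) to hand to FA_y, or None if anything fails."""
    A_mx = mul(pow(S_h, -1, n), req["B_mx"])
    ID_mx = xor(req["PID_mx"], enc(A_mx))
    if ID_mx not in subscribers: return None
    U_hz = h(ID_mx, S_h.to_bytes(32, "big"))
    if not hmac.compare_digest(req["C_mx"], mac(U_hz, enc(A_mx), ID_mx, req["T1"])): return None
    return ID_mx, add(A_mx, mul(H(ID_mx), P))

def sk_foreign(N_fy, V): return h(enc(mul(N_fy, V)))                       # SK = h(N_fy (N_mx P + H(ID_mx) P))
def sk_user(N_mx, ID_mx, NfyP): return h(enc(mul(N_mx + H(ID_mx), NfyP)))  # SK = h((N_mx + H(ID_mx)) N_fy P)

def run_session(tamper=False):
    """Registration plus one login. The K_yz/U_hz masking of transported points and the
    timestamp checks of PLA2-PLA6 are omitted; constructed sample identity and password."""
    ID_mx, PW_mx = pad(b"MU-0001", 64), b"correct horse battery"
    S_h = secrets.randbelow(n - 1) + 1
    card = register(ID_mx, PW_mx, S_h)
    state, req = user_login(card, ID_mx, PW_mx, b"T1:2019-01-01T00:00:00Z")
    if tamper: req["C_mx"] = bytes(32)                        # a forged MAC must be rejected by HA_z
    res = home_verify(req, S_h, {ID_mx})
    if res is None: return None
    ID_rec, V = res
    N_fy = secrets.randbelow(n - 1) + 1
    return ID_rec == ID_mx, sk_foreign(N_fy, V) == sk_user(state["N_mx"], ID_mx, mul(N_fy, P))
```

`curve_ok()` is the non-singularity and base-point check of the setup phase; `run_session()` returns `(True, True)` when $HA_z$ unmasks the right identity and both sides derive the same $SK$, and `None` when $C_{mx}$ has been altered in transit, since $HA_z$ recomputes the MAC under $U_{hz} = h(ID_{mx}, S_h)$ rather than looking anything up in a verifier table.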

Security Analysis
This section presents the automated formal security validation of the proposed algorithm using the popular tool ProVerif, as well as a formal analysis under the hardness assumptions of ECDLP, the collision-resistance property of the one-way hash, and the hardness of the symmetric encryption algorithm. The section then presents an informal discussion of the required security, supplemented by a comparison of security features with existing related schemes.

Formal Security Analysis
For the purpose of the formal security analysis of our protocol, we define formal interpretations of indistinguishability under chosen-ciphertext attack (IND-CCA) for the symmetric cryptographic algorithm, of the collision-resistant secure hash function, and of the ECDLP as follows:
Definition 1. Given a symmetric key algorithm $(\Sigma, \Omega, \Phi)$ and a cipher-text $CP = ENC_{key}(k)$, IND-CCA is considered a hard problem if $Adv^{IND\text{-}CCA}_A(t_{a1}) \le \epsilon_{a1}$, in which $Adv^{IND\text{-}CCA}_A(t_{a1})$ describes the advantage of an adversary $A$ in finding the string $p \in \Omega$ (the set of plain-texts) of the antecedent messages from the given $CP \in \Sigma$ (the set of cipher-texts) and the symmetric key algorithm, with the key $k \in \Phi$ (the set of enc/dec keys) unknown, for any small enough $\epsilon_{a1} > 0$ [32].

Definition 2. Given an elliptic curve point $G = yP$ over $E_p(x, y)$, the ECDLP is considered a hard problem if $Adv^{ECDLP}_A(t_{a2}) \le \epsilon_{a2}$, in which $Adv^{ECDLP}_A(t_{a2})$ describes the advantage of an adversary $A$ in discovering the integer $y \in Z_q^*$ from the given $G$ and $P$, for any small enough $\epsilon_{a2} > 0$ [32].

Definition 3. Given the output $O = H(y)$, inverting the hash function is considered a hard problem if $Adv^{H}_A(t_{a3}) \le \epsilon_{a3}$, in which $Adv^{H}_A(t_{a3})$ describes the advantage of an adversary $A$ in extracting the input $y \in \{0, 1\}^*$ from the given $H(y)$, for any small enough $\epsilon_{a3} > 0$ [32].
For the formal analysis of security, we have defined the following random oracles [33]:
Reveal 1: This oracle will unconditionally output the plain-text $k$ from the given cipher-text $CP = ENC_{key}(k)$.
Reveal 2: This oracle will unconditionally output the integer $y$ from the publicly given values $yP$ and $P$.
Reveal 3: This oracle will unconditionally output the input $y$ from $O$, the corresponding hash value.
The maximum is taken over all attackers $A$ with execution time $t_2$ and number of queries $q_{R2}$ made to the Reveal 2 oracle and $q_{R3}$ made to the Reveal 3 oracle. The enhanced protocol is provably protected in the random oracle model against $A$ for the hash values of the session key $SK$ if $Adv^{Hash,ECDLP}_A(t_2; q_{R2}; q_{R3}) \le \epsilon_2$, for any appropriately small $\epsilon_2 > 0$. Examining the experiment $EXP2^{Hash,ECDLP}_A$ shown in Algorithm 2, $A$ can successfully extract the hash values of the session key $SK$ if he has the capability to invert the hash function and solve the ECDLP. However, by Definition 2 and Definition 3, $Adv^{ECDLP}_A(t_2) \le \epsilon_3$ and $Adv^{Hash}_A(t_3) \le \epsilon_4$ for any appropriately small $\epsilon_3 > 0$, $\epsilon_4 > 0$. Thus, we get $Adv^{Hash,ECDLP}_A(t_2; q_{R2}; q_{R3}) \le \epsilon_2$, because $Adv^{ECDLP}_A(t_2) \le \epsilon_3$ and $Adv^{Hash}_A(t_3) \le \epsilon_4$. So, it is concluded that the enhanced protocol is provably protected against an attacker extracting the session key $SK$ shared between the user and the foreign agent.

Algorithm 2 $EXP2^{ECDLP,Hash}_A$
Intercept the authentication message

Automated Security Analysis with ProVerif
We chose the prevailing software tool ProVerif [34,35] for performing an automated security perusal. ProVerif is developed over the concept of the applied π calculus [36]. It is able to test and simulate many cryptographic operations, such as encryption/decryption, symmetric/asymmetric cryptosystems, hashes, signatures, etc. It can substantiate the characteristics of secrecy and authenticity. The complete protocol as given in Figure 2 is implemented and verified in ProVerif. Three channels, as shown in Figure 3a, are introduced in the implementation. The secure channel sch1 is dedicated to facilitating registration between the mobile user and the home agent, whereas two public channels pch2 and pch3 have been introduced for communication of the mobile user and the home agent with the foreign agent. Subsequently, variables and constants are also defined in Figure 3a. To keep the mobile user anonymous, its identity IDmx is kept private, whereas the identities of the home and foreign agents, i.e., IDhz and IDfy, respectively, are public. The mobile user's password PWmx and the shared keys Kxz and Kyz between mobile user and home agent and between foreign agent and home agent, respectively, are assumed to be private. Sh and Ph are the private/public key pair of the home agent. Constructors are specified to simulate cryptographic operations and functions. Thereafter, destructors and equations are specified to simulate inverses and decryption. Every participant can be described through two events, a begin and an end event. Protocol authenticity is realized by exposing the relationship between the begin and end of the related event initiated by the specific participant. If the end event is not reached, it simply means the protocol terminated unsuccessfully and the scheme is incorrect. In Figure 3b, three distinct processes are implemented and simulated on behalf of the three participants.
These participants include pMuser, pHagt, and pFagt, which are defined and implemented as shown in Figure 2 and described in Section 4. The proposed scheme is simulated as an unbounded parallel execution of the user, home and foreign network processes.
The subsequent four queries are defined in Figure 3c to substantiate the security and correctness of our protocol. The query attacker simulates an actual attack to expose the session key, whereas the other three inj-event queries correspond to the begin and end events of the three processes, i.e., user, home, and foreign networks. If any of these queries returns false, it implies the scheme is incorrect. The abilities of an attacker are evaluated by executing the Not-attacker (SK) predicate, where SK is private. It is assumed that public parameters are accessible to the attacker. The Not-attacker predicate is also applied over SK. Moreover, three successive queries on inj-event affirm the association between initiation and termination of events corresponding to each of these processes, i.e., user, home, and foreign networks. The outcome of the discussed queries is shown in Figure 3d.
It is observed through results 1, 2, and 3 in Figure 3d that each process initiated and terminated successfully, which substantiates the correctness of our scheme, whereas result 4 Not-attacker (SK) affirms that session key is secure against security threats. Hence, our protocol maintains authenticity and secrecy during its execution.

Security Requirements
The security requirements of the proposed scheme and a comparison with related competing schemes [9,12,14,25,26] are detailed in the following subsections. Table 2 also illustrates the comparison and confirms that only the proposed scheme provides all the required features and resists known attacks, whereas the competing schemes lack either some features or resistance against some known attack.

Mutual Authentication
The proposed scheme, through $HA_z$ (the home agent), provides mutual authentication between $MN_x$ (the mobile node) and $FA_y$ (the foreign agent). $HA_z$ authenticates $MN_x$ by validating $C_{mx} \overset{?}{=} Mac_{U_{hz}}(N_{mx}P, ID_{mx}, T_1)$; the computation of a valid/legal $C_{mx}$ requires an adversary to have access to the secret parameter of $MN_x$, i.e., $U_{hz} = h(ID_{mx}, S_h)$, as well as a valid/legal $N_{mx}P$, which can only be extracted through $A_{mx}$ by the use of the secret key ($S_h$) of $HA_z$. Neither $U_{hz}$ nor $N_{mx}P$ can be computed by any adversary, which implies that only a valid $MN_x$ can pass this test. Moreover, $HA_z$ authenticates $FA_y$ by validating $B_{fy} \overset{?}{=} Mac_{(N_{fy}P)_x}(ID_{hz}, T_1)$. The computation of a valid/legal $B_{fy}$ requires an adversary to extract $N_{fy}P$, which can be computed from the public parameter $A_{fy} = N_{fy}P + H(K_{yz}, ID_{fy}, T_2)P$ sent by $FA_y$. The computation of $A_{fy}$ requires an adversary to have access to the pre-shared secret key $K_{yz}$ between $HA_z$ and $FA_y$. No adversary, ins<br>ider or outsider, can have access to the pre-shared secret key. Therefore, only a legal/valid $FA_y$ can pass this test. Similarly, $FA_y$ authenticates $HA_z$ by validating $B_{hz} \overset{?}{=} Mac_{K_{yz}}(N_{fy}P, N_{mx}P + H(ID_{mx})P, T_3)$; the computation of a valid $B_{hz}$ requires an adversary to have access to the pre-shared secret key $K_{yz}$ between $HA_z$ and $FA_y$. Moreover, the adversary also needs to compute the valid/legal $N_{fy}P$ corresponding to the parameter $A_{fy} = N_{fy}P + H(K_{yz}, ID_{fy}, T_2)P$ sent earlier on the public channel by $FA_y$ to $HA_z$; the computation of $A_{fy}$ again requires the use of the pre-shared secret key $K_{yz}$. Therefore, only a valid $HA_z$ can pass this test. Likewise, $MN_x$ authenticates: 1) $HA_z$ by validating $D_{hz} \overset{?}{=} Mac_{U_{hz}}(ID_{fy}, N_{fy}P, T_3, PID_{mx})$ and 2) $FA_y$ by verifying $C_{fy} \overset{?}{=} Mac_{(N_{mx}P + H(ID_{mx})P)_x}(ID_{fy}, N_{fy}P, T_3, T_4, C_{mx})$.
To generate a valid/legal $D_{hz}$, an adversary requires access to the secret parameter $U_{hz}$ of $MN_x$, as well as the computation of a valid/legal $N_{fy}P$, both of which can be performed only by the legal $HA_z$. Likewise, to generate a valid $C_{fy}$, an adversary needs to compute valid/legal $N_{mx}P + H(ID_{mx})P$, $N_{fy}P$ and $C_{mx}$. All the mentioned parameters can only be computed by the legal $FA_y$. Hence, mutual authentication between $MN_x$ and $FA_y$ through $HA_z$ is an essential trait of the proposed scheme.

Correctness
The proposed scheme correctly accomplishes the process of authentication between $MN_x$ and $FA_y$ through $HA_z$. Unlike Lu et al.'s scheme, in the proposed scheme $HA_z$ does not unnecessarily update $(K_{xz}, K_{yz})$ after each successful login. More precisely, the proposed scheme does not require any verifier table for any user; therefore, no entry can be modified by $HA_z$. Since $HA_z$ uses no verifier table, processing a user request does not involve finding and comparing verifier entries, which helps in minimizing the delay. Hence, the proposed scheme provides a correct and secure authentication process.

User Anonymity/Untraceability
Unfortunately, and despite their claim, in the scheme of Lu et al. the pseudo identity $PID_{mx}$ remains the same not only across multiple sessions but across all sessions. In the proposed scheme, on every login/authentication request $MN_x$ selects a new random number $N_{mx}$ and computes the dynamic pseudo identity $PID_{mx} = N_{mx}P \oplus ID_{mx}$. Therefore, the proposed scheme provides not only identity hiding but also untraceability/unlinkability.

Perfect Forward Secrecy
The session key $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$ computed after successful authentication between $MN_x$ and $FA_y$ contains a share from both, i.e., $N_{mx}$ from $MN_x$ and $N_{fy}$ from $FA_y$. Both $N_{mx}$ and $N_{fy}$ are generated freshly for each session. Moreover, neither $MN_x$ nor $FA_y$ has full control over key generation. Even if one or more session keys from previous sessions are compromised, the adversary is not able to compute any future session key. Hence, the proposed scheme provides perfect forward secrecy.

User Forgery Attack
As described in Section 5.3.1, $HA_z$ authenticates the user by validating $C_{mx}$, and a valid/legal $C_{mx}$ can only be computed by a legal $MN_x$. Moreover, $FA_y$ authenticates $MN_x$ by validating $D_{mx} \stackrel{?}{=} Mac_{(N_{mx}P + H(ID_{mx})P)_x}(C_{fy}, N_{fy}P)$; to pass this check an adversary needs to compute $N_{mx}P$ as well as $N_{fy}P$. Only a legal $MN_x$ can compute its own secretly generated parameter $N_{mx}P$ and extract $N_{fy}P$ as $N_{fy}P = C_{hz} - H(U_{hz}, ID_{hz}, N_{mx}P)P$, which requires the secret parameter $U_{hz}$ of $MN_x$. Therefore, the proposed scheme strongly resists the user forgery attack.

Stolen Verifier and Insider Attack
In the proposed scheme, the home agent $HA_z$ does not store any information relating to the credentials of $MN_x$, including its password; rather, $HA_z$ is free of any verifier table. The only information stored is the public identities of the users. Moreover, during the registration process, $MN_x$ sends $PWU_{hz} = h(PW_{mx}, r_{mx})$, along with $ID_{mx}$, to $HA_z$. The password is concealed in a one-way hash function together with a random number. Therefore, no deceitful insider obtains any information about the password and gains no advantage. Hence, the proposed scheme resists insider attacks. Moreover, without a verifier table, a stolen verifier attack is impossible in the proposed scheme.

Stolen Smart-Card Attack
In the proposed scheme, the smart card contains $\{\alpha_{hz}, \beta_{hz}, r_{mx}, h(), H(), E_k, D_k, Mac_k, P_h = S_hP, P\}$, where the user-related information is stored in the parameters $\alpha_{hz}$, $\beta_{hz}$ and $r_{mx}$, with $\alpha_{hz} = U_{hz} \oplus PWU_{hz}$ and $\beta_{hz} = h(h(ID_{mx}), PWU_{hz})$. Extracting password information from $\alpha_{hz}$ or $\beta_{hz}$ requires inverting the hash function, which by definition is a hard problem. Moreover, the user secret parameter $U_{hz}$ is also concealed with $PWU_{hz}$, and without the password information it is computationally infeasible to compute $U_{hz}$. Therefore, the proposed scheme resists stolen smart-card attacks.

Known Session-Specific Parameters Attack
In the proposed scheme, the adversary is not able to compute the session key even if he obtains the session parameters $N_{mx}$ and $N_{fy}$, as the session key also requires the hashed identity concealed in the elliptic curve point $H(ID_{mx})P$. Computing $ID_{mx}$ requires breaking the one-way property of the hash as well as the elliptic curve discrete logarithm problem. Therefore, the proposed scheme resists the known session-specific parameters attack.
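As an added illustration (not code from the paper), the following Python script models the session-key agreement of the "Perfect Forward Secrecy" passage, the dynamic pseudo identity of the "User Anonymity/Untraceability" passage, and the known session-specific parameters argument above on a textbook toy curve. The curve parameters, the concrete choices for $H()$ and $h()$, the 2-byte point encoding and the identity MN-alice are assumptions made here, not the scheme's actual instantiation.

```python
import hashlib
PRIME, A_COEF, ORDER = 17, 2, 19  # toy curve y^2 = x^3 + 2x + 2 over GF(17) (assumed)
G = (5, 1)                        # generator of prime order 19 on that curve

def ec_add(p, q):
    """Affine point addition; None stands for the point at infinity O."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, PRIME)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME)
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def ec_mul(k, p):
    """Double-and-add scalar multiplication k*p."""
    r = None
    while k:
        r = ec_add(r, p) if k & 1 else r
        p, k = ec_add(p, p), k >> 1
    return r

def H(data):
    """The scheme's hash-to-scalar H() (assumed: SHA-256 reduced into 1..ORDER-1)."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (ORDER - 1)

def h_point(pt):
    """The scheme's hash h() over a curve point (assumed: SHA-256 of a toy encoding)."""
    return hashlib.sha256(b"INF" if pt is None else bytes(pt)).hexdigest()

def pseudo_id(n_mx_P, id_mx):
    """PID_mx = N_mx P xor ID_mx; the point is encoded as 2 bytes, zero-padded to |ID_mx|."""
    pt = bytes(n_mx_P).ljust(len(id_mx), b"\0")
    return bytes(a ^ b for a, b in zip(pt, id_mx))

def session_key_fa(n_fy, n_mx_P, id_mx):
    """FA_y side: SK = h(N_fy (N_mx P + H(ID_mx) P)) from the received point N_mx P."""
    return h_point(ec_mul(n_fy, ec_add(n_mx_P, ec_mul(H(id_mx), G))))

def session_key_mn(n_mx, id_mx, n_fy_P):
    """MN_x side: the same point, reached as (N_mx + H(ID_mx)) * N_fy P."""
    return h_point(ec_mul(n_mx + H(id_mx), n_fy_P))

def leaked_nonce_key(n_mx, n_fy):
    """What an adversary holding only the leaked nonces N_mx, N_fy (no ID_mx) can derive."""
    return h_point(ec_mul(n_fy * n_mx, G))
```

With constructed nonces $N_{mx} = 7$ and $N_{fy} = 11$, both sides derive the same key, two sessions of the same user yield different pseudo identities, and the nonces alone give the adversary a different value because the $H(ID_{mx})P$ term is missing.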

Conclusions
In this paper, we identified weaknesses of Lu et al.'s scheme against stolen verifier and traceability attacks. We also identified that their scheme has correctness issues besides scalability. To combat the weaknesses, we proposed an improved scheme for IoT-based wireless networks. The formal, informal, and automated security analysis has proven that our scheme withstands the known attacks, whereas the performance analysis has shown that our scheme is more efficient and practical as compared with Lu et al.'s scheme. The proposed scheme is more practical in roaming scenarios.