A Lightweight Anonymous Authentication and Key Negotiation Scheme in Smart Home Environments

Abstract: With the rapid development of Internet of Things (IoT) technology, smart home users can access and control smart devices remotely to enjoy convenient and efficient services. However, sensitive data collected by smart devices is vulnerable to attacks such as eavesdropping and impersonation when transmitted through public channels. At the same time, the security of resource-constrained smart devices is low, and attackers may use compromised devices to carry out further malicious operations. To address these existing security issues, this paper proposes a lightweight anonymous user authentication scheme for resource-constrained smart home environments. A security analysis is carried out to further prove the security of the proposed scheme. Finally, a performance analysis comparing the proposed scheme with existing similar schemes shows that the proposed scheme has advantages in computational cost and security characteristics.


Introduction
In recent years, applications based on Internet of Things (IoT) technology, such as smart homes, intelligent healthcare, and smart cities, have received much attention [1]. Among them, smart home systems optimize household resources through remote control of smart devices, such as monitoring the operating status of devices, remotely starting or shutting down devices, and monitoring the working status of safety monitoring devices. The first value of the smart home is the convenience and comfort of living [2]; for example, users can use voice or an app to control the lighting, curtains, and other equipment at home, or monitor the temperature and humidity at home in real time through their terminal devices. The second value is safety, for example, the ability to monitor the home in real time so that in the event of an accident, users can be informed of the situation at home and seek help from the relevant personnel.
The third value is energy saving, as the smart home can actively or passively adjust the devices' time and area of use according to users' frequency of use and habits. Smart homes simplify our lives while relying on technological development, making life more convenient and less stressful [3].
However, with the development of smart homes, user data and privacy have become the focus of attackers [4]. In a smart home environment, entities communicate over a public channel, and messages can be maliciously eavesdropped, inserted, or deleted by an attacker. This allows adversaries to attempt various security attacks, including man-in-the-middle (MITM), user impersonation, and replay attacks [5][6][7]. Through these attacks, an attacker can obtain a user's true identity and information, thus threatening the user's anonymity and privacy [8]. In addition, an attacker can perform a device capture attack by capturing physically accessible smart devices, thereby compromising the entire system [9].
In the past few years, various security threats, such as monitoring electricity usage and maliciously controlling appliances, have continuously occurred in actual smart home environments, severely affecting trust in smart homes. At the same time, heavyweight encryption algorithms are unsuitable for deployment in smart home environments because most smart devices are resource-constrained.
In order to improve the security of various network environments, scholars at home and abroad have carried out much related research [10]. In 1981, Lamport [11] first proposed a remote user authentication scheme using a password table and claimed that the scheme was secure. In 2000, Hwang and Li [12] discovered that Lamport's scheme was vulnerable to a password table modification attack. They then proposed a remote user authentication scheme based on the ElGamal public key encryption method without using a password table. Since then, many remote user authentication schemes have been proposed. In 2008, Jeong et al. [13] proposed an authentication scheme specifically for home networks. However, this scheme does not protect user identity and is vulnerable to attacks such as smart card loss attacks and node capture attacks. In 2019, Shuai et al. [14] proposed an authentication scheme for the smart home environment based on elliptic curve cryptography (ECC). However, Xu et al. [15] pointed out that Shuai et al.'s scheme had security problems, such as offline password guessing attacks and insider privilege attacks. In 2021, Kaur and Kumar [16] proposed a scheme based on two-factor authentication and claimed their scheme was resistant to potential security attacks. However, in the same year, Yu et al. [17] proved that the scheme proposed by Kaur and Kumar was not resistant to key leakage attacks and impersonation attacks and could not meet the security requirements of mutual authentication. Yu et al. [17] then proposed a three-factor anonymous authentication scheme for smart homes using lightweight symmetric encryption primitives and claimed that their scheme is resistant to various known security attacks.
To sum up, scholars have carried out considerable research on ensuring security while reducing the computing, storage, and other resource costs required by authentication schemes. Nevertheless, a lightweight, anonymous authentication scheme remains essential to counteract these security issues and to use smart home services securely.
The contributions of this paper are summarized as follows:
1) An authentication and key negotiation scheme is proposed to address the security and privacy issues inherent in traditional smart home security schemes [18].
2) Timestamps and random numbers are incorporated into the design to help prevent many attacks, such as replay attacks and denial of service attacks.
3) The performance and security of the proposed scheme are compared with other schemes. The results show that the proposed scheme outperforms similar schemes regarding security and computational cost.
The rest of the paper is organized as follows. Section 1 presents the proposed scheme. Section 2 contains the security analysis of the proposed scheme. Section 3 evaluates the performance of the proposed scheme, and finally, Section 4 concludes the paper.

Proposed Scheme
We propose a lightweight anonymous authentication and key negotiation scheme for a smart home environment that includes four entities: the user $U_i$, the home gateway GW, the smart device $SD_j$, and the trusted authority TA. Among them, the gateway is a bridge for mutual authentication and key negotiation between the user and the smart device, and the authority is a fully trusted third-party entity responsible for generating essential parameters during the system setup phase and for registering the user and the smart device. For ease of understanding, the symbols used in the scheme are listed in Table 1.

Set Up Phase
In this phase, the authority generates security parameters for GW and $SD_j$.
Step 1 The TA selects a unique identity $ID_G$ for the GW, generates a private key $K_G$, and stores $\{ID_G, K_G\}$ in the memory of GW.
Step 2 The TA selects a unique identity $ID_j$ for $SD_j$, generates a private key $K_S$, and stores $\{ID_j, K_S\}$ in the memory of $SD_j$.

Registration Phase
In this phase, $U_i$ and $SD_j$ send registration requests to the TA. After receiving the registration requests, the TA generates confidential credentials for $U_i$ and $SD_j$. In this phase, messages are transmitted through a secure channel, as shown in Fig. 1 and Fig. 2.

User registration phase
Step 1 $U_i$ selects a unique $ID_i$ and $PW_i$, imprints $BIO_i$, generates $r_i \in Z_q^*$, computes $Gen(BIO_i) = (\sigma_i, \tau_i)$, $PPW_i = h(PW_i \,\|\, \sigma_i)$, and $PID_i = h(ID_i \,\|\, \sigma_i)$, and sends $\{ID_i, PID_i, PPW_i, r_i\}$ to the TA through a private channel.
Step 2 The TA computes and stores $\{ID_i, PID_i, r_i\}$ in the memory of GW, and sends $\{Y_i\}$ to $U_i$.

Smart device registration phase
Step 1 $SD_j$ generates $r_j \in Z_q^*$, computes $PID_j = h(ID_j \,\|\, r_j)$, and sends $\{PID_j, r_j\}$ to the TA through a private channel.
Step 2 The TA computes $X_j = h(PID_j \,\|\, K_G \,\|\, r_j)$ and $Y_j = X_j \oplus r_j$, stores $\{PID_j, r_j\}$ in the memory of GW, and sends $Y_j$ to $SD_j$.
Step 3 $SD_j$ now computes $B_1 = r_i \oplus h(PID_j \,\|\, K_S)$, discloses $PID_j$ to $U_i$, and stores $\{Y_j, B_1\}$ in the memory of $SD_j$.
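The following is an added example (not the paper's own code) that carries out the device registration steps above with the formulas exactly as written, and the user-side computation of $PPW_i$ and $PID_i$. It assumes SHA-256 as $h(\cdot)$, byte-wise XOR as $\oplus$, and 32 random bytes as $r_j$; the fuzzy extractor $Gen(\cdot)$ is not specified in the paper, so $\sigma_i$ is taken as an input. The last function illustrates the stolen-verifier argument of the security analysis: the GW table entry $\{PID_j, r_j\}$ alone does not yield $X_j$ without $K_G$.

```python
import hashlib
import secrets

# Added example, not from the paper. Function names (h, xor, user_register,
# device_register, device_recover_X_j, recompute_X_j) are ours.


def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...): SHA-256 over the concatenated parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def user_register(ID_i: bytes, PW_i: bytes, sigma_i: bytes, r_i: bytes) -> dict:
    """U_i's registration step. sigma_i is the first output of Gen(BIO_i);
    the fuzzy extractor is not given in the paper, so it is an input here."""
    PPW_i = h(PW_i, sigma_i)          # PPW_i = h(PW_i || sigma_i)
    PID_i = h(ID_i, sigma_i)          # PID_i = h(ID_i || sigma_i)
    return {"ID_i": ID_i, "PID_i": PID_i, "PPW_i": PPW_i, "r_i": r_i}


def device_register(ID_j: bytes, K_G: bytes, gw_table: dict) -> tuple:
    """SD_j Step 1 and TA Step 2; returns (PID_j, r_j, Y_j).
    r_j in Z_q^* is modelled as 32 random bytes (assumption)."""
    r_j = secrets.token_bytes(32)
    PID_j = h(ID_j, r_j)              # SD_j: PID_j = h(ID_j || r_j)
    X_j = h(PID_j, K_G, r_j)          # TA:   X_j = h(PID_j || K_G || r_j)
    Y_j = xor(X_j, r_j)               # TA:   Y_j = X_j xor r_j
    gw_table[PID_j] = r_j             # GW stores {PID_j, r_j}; K_G is never stored there
    return PID_j, r_j, Y_j


def device_recover_X_j(Y_j: bytes, r_j: bytes) -> bytes:
    """SD_j unmasks its credential from the value the TA sent: X_j = Y_j xor r_j."""
    return xor(Y_j, r_j)


def recompute_X_j(gw_table: dict, PID_j: bytes, K_G: bytes) -> bytes:
    """Recompute X_j from a verifier-table entry and a key. Only the genuine
    K_G reproduces X_j, which is the stolen-verifier argument of the paper."""
    return h(PID_j, K_G, gw_table[PID_j])
```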

Login and Authentication Phase
Once the registration phase is complete, $U_i$ and $SD_j$ achieve mutual authentication with the assistance of GW through the following steps. After successful authentication, a session key is negotiated between $U_i$ and $SD_j$, as shown in Fig. 3.

Fig. 3 Login and authentication phase
Step 1 $U_i$ inputs $ID_i$ the validity of $V_4^* \overset{?}{=} V_4$, and if the validation is not successful, the session is terminated. Otherwise, $U_i$ authenticates the identity of $SD_j$ and negotiates a session key with $SD_j$, and $U_i$ calculates the new pseudo-identity as

Anonymity
The proposed scheme generates $PID_i$ by hashing $U_i$'s identity $ID_i$ with the secret value $\sigma_i$. After GW successfully authenticates $U_i$, GW replaces the existing $PID_i$ with a new $PID_i^{new}$ and transfers it to $U_i$. Even if the attacker eavesdrops on messages transmitted through a public channel, he cannot identify $U_i$'s true identity $ID_i$. Therefore, the proposed scheme satisfies user anonymity.

Untraceability
$U_i$ sends a message containing $\{M_1, V_1, T_1, PID_i\}$ to $SD_j$ over a public channel, which the attacker can eavesdrop on during the login and authentication phase. Because these parameters depend on random numbers and timestamps, such as $n_i$ and $T_1$, which differ from session to session, the attacker cannot track $U_i$'s actions during the login and authentication phase. Therefore, the proposed scheme guarantees untraceability of $U_i$.

Mutual Authentication
With GW's assistance, $U_i$ and $SD_j$ authenticate each other in the login and authentication phase. When GW receives the message $\{M_1, V_1, T_1, PID_i, M_2, V_2, T_2, PID_j\}$, the authentication process for $SD_j$ is immediately executed. The next step can only be performed after this verification succeeds. $U_i$ authenticates the identity of $SD_j$ by checking that the message $SD_j$ returns to $U_i$ contains valid information related to the random number $n_i$ that $U_i$ sent to GW. Therefore, the scheme guarantees mutual authentication between entities.

Offline Password Guessing Attack
Suppose the attacker tries to guess the real password $PW_i$ of a legal $U_i$. In order to pass the authentication of the terminal device, the attacker must know the unique biometric information $BIO_i$ and the real identity $ID_i$ of the legitimate user, but $BIO_i$ cannot be obtained. Moreover, according to Section 2.1, the attacker cannot obtain $ID_i$ from the intercepted messages, so it is difficult for the attacker to guess the real $PW_i$. Therefore, an offline password guessing attack is not feasible in the proposed scheme.

Session Key Disclosure Attack
The attacker wants to obtain $\{M_3\}$ and the random numbers $\{n_s, n_i\}$ to calculate the shared session key $SK = h(M_3 \,\|\, n_s \,\|\, n_i)$. However, the correct session key $SK$ cannot be calculated, because $n_s$ and $M_3$ are protected by the secret value $\sigma_i$ using hash and XOR functions, and the random number $n_i$ is protected by $X_j$ and $K_S$ using hash and XOR functions. Therefore, the scheme is safe against session key disclosure attacks, because the attacker fails to calculate the shared session key $SK$ between $U_i$ and $SD_j$.

Impersonation Attack
If the attacker tries to impersonate a legitimate $U_i$ or $SD_j$, the attacker must generate valid authentication request messages or authentication response messages. However, the attacker does not know the key credentials for authentication, $X_i$ and $X_j$. Therefore, the proposed scheme can resist impersonation attacks, because the attacker cannot successfully generate authentication request and response messages for a legitimate $U_i$ or $SD_j$.

Replay Attack
Suppose the attacker eavesdrops on the messages transmitted on the public channel during the login and mutual authentication phase. If the attacker resends and reuses all the messages transmitted in a previous session, the entity receiving the message will check the freshness of the current timestamp. In addition, all messages are masked with new random numbers using hash and XOR functions. Therefore, this scheme can prevent replay attacks.

Verifier Stolen Attack
The proposed scheme is immune to a stolen verifier attack by a malicious attacker. Even if the attacker obtains the verification tables $\{PID_i, r_i\}$ and $\{PID_j, r_j\}$ stored in the gateway, the attacker must know GW's private key $K_G$ to compute $X_i$ and $X_j$ and recover further information. Therefore, the proposed scheme is resistant to stolen verifier attacks.

Man in the Middle Attack
In the proposed scheme, if the attacker attempts to manipulate messages transmitted through a public channel between different entities, this will be detected when the entities verify $V_1$, $V_2$, $V_3$, and $V_4$. If the attacker attempts to modify the parameters of intermediate messages, these malicious attempts will not succeed. Hence, the proposed scheme can resist man-in-the-middle attacks.

Forward Confidentiality
The attacker may obtain the session key calculated between $U_i$ and $SD_j$. However, the attacker cannot infer previous session keys from the session key obtained this time, because the random numbers $n_i$ and $n_s$ contained in them differ in each session of the proposed scheme. Therefore, the proposed scheme ensures forward security.

Performance Evaluation
In order to evaluate the performance of the proposed scheme, we compare it with other similar schemes in terms of computational cost and security features in this section.

Computation Cost
In this section, we compare the computation cost of the proposed scheme with several similar schemes [14,17,19,20] from recent years. Following Xia et al.'s scheme [19], we use $T_h$, $T_f$, $T_{epm}$, $T_{puf}$, and $T_s$ to denote the execution time of a one-way hash function, a fuzzy extractor, an ECC point multiplication, a physical unclonable function (PUF), and a symmetric key encryption/decryption, respectively, as shown in Table 2.
Table 3 depicts the computational overhead of the different entities in the login and authentication phase of the proposed scheme compared with several other schemes. By calculation, the scheme of Zou et al. [20] has the highest overhead of 11.9808 ms, while the proposed scheme has a computational overhead of 2.0748 ms. It is clear that the proposed scheme has a significant advantage over the other solutions in terms of computation cost, satisfies the lightweight requirement, and is suitable for resource-constrained smart home environments.

Security Features
As shown in Table 4, we have compared the security characteristics of the proposed scheme with those of other schemes. The result indicates that the other schemes have one or more security vulnerabilities; for example, Yu et al.'s scheme [17] is not resistant to replay attacks, among others. Therefore, the proposed scheme also has an advantage regarding security features.

Conclusion
This paper proposes a lightweight anonymous identity authentication scheme for the smart home environment. Security analysis shows that the proposed scheme is resistant to all known attacks. By comparing the proposed scheme with similar schemes from recent years in terms of computational cost and security features, the proposed scheme is shown to be a lightweight and efficient authentication scheme.

Table 1 Symbols and definitions
and replaces $\{PID_i, A_1, Auth_i\}$ with $\{PID_i$