Analysis and Improvement on an Authentication Scheme for Wireless Sensor Networks in Internet of Things Environment

Nowadays, Internet of Everything has become a major trend, and Internet of Things (IoT) has emerged. Wireless sensor networks (WSNs) are core technologies for IoT to sense the real world. Due to the unattended and resource-constrained characteristics of WSNs, it is a great challenge to design an efficient and secure authentication scheme for communication between users and sensor nodes in WSNs. Recently, Hu et al proposed an authentication scheme for WSNs in an IoT environment. They claimed that their scheme could maximize the balance between security and computational cost as well as efficiency, and be resistant to many known attacks. However, we find that the scheme has difficulty resisting stolen smart card attacks and denial-of-service attacks. Moreover, during the login and key negotiation phase of the scheme, the gateway (GWN) is unable to extract key values for subsequent computation based on the messages sent by the sensor nodes, which in turn leads to the inability to achieve mutual authentication and key agreement. To overcome these shortcomings, we propose an improved scheme. The proposed scheme enables real-time data exchange and transmission as well as secure communication between users and sensor nodes.


Introduction
The ability to bring physical things into the digital world is becoming increasingly possible because of the high level of development of wireless communication and smart device technologies [1]. A very significant opportunity for wireless sensor networks (WSNs) has been offered by the rise of the Internet of Things (IoT) era and the development of communication technology. As a combination of wireless networks and IoT sensors, WSNs have attracted more and more attention worldwide because of their excellent performance in industrial control, smart home, environmental monitoring and other aspects [2].
However, owing to the openness of the network and the broadcast nature of wireless communication, WSNs are facing a variety of threats that ordinary wireless networks may suffer from, such as replay attacks, information leakage, and denial-of-service (DOS) attacks, in addition to the vulnerability of sensor nodes to physical access and disassembly until these sensor nodes are fully controlled by attackers. Sensor devices in WSNs are deployed in public environments to collect information in real time [3]. If one of the sensor nodes is compromised, its linkability will become a focal point. An attacker can use the compromised device as a springboard to attack other devices and systems. Coupled with the sensitive and critical nature of the transmitted data, the data must be protected by end-to-end services as it is transmitted between WSNs and entities outside of WSNs [4]. Therefore, it is crucial to provide an authentication scheme for WSNs that can guarantee secure communication between users and sensor nodes. In WSNs, the communication between devices requires the use of various protocols that define the purpose of the communication, the sequence of steps to be performed during the communication, and the encryption techniques used to protect the transmitted information [5].
In recent years, researchers have been developing efficient ways to merge WSNs into IoT environments and have done a lot of research on authentication schemes that balance efficiency and security in WSNs, but numerous schemes have security concerns [6]. In 2019, Ostad-Sharif et al [6] proposed a secure and lightweight authenticated key agreement scheme for WSNs, and they claimed that their scheme not only was efficient but also provided perfect forward secrecy and was resistant to common attacks. In 2020, Chen et al [7] pointed out that Ostad-Sharif et al's scheme [6] not only had design errors in the login and authentication phase, which resulted in legitimately registered users not being able to access the system, but also did not provide password change and update capabilities. In 2021, Chunka et al [8] presented a smart card-based user authentication and session key agreement scheme. They claimed that their scheme not only was efficient but also was resistant to attacks such as sensor node capture attacks, gateway key leakage and so on. However, Lee et al [9] confirmed that Chunka et al's scheme [8] was vulnerable to known session-specific temporary information attacks, identity/password pair guessing attacks, impersonation attacks, etc. In 2022, Hu et al [10] proposed a two-factor authentication scheme for WSNs in an IoT environment, and they claimed that their scheme could maximize the balance of security and computational cost as well as efficiency, and was able to resist many common attacks. However, we found that there were security risks in Hu et al's scheme. Firstly, this scheme could not resist stolen smart card attacks and DOS attacks. Secondly, during the login and key agreement phase of Hu et al's scheme, the gateway (GWN) could not extract key values for subsequent computation based on the messages sent by the sensor nodes, resulting in the scheme's failure to achieve mutual authentication and key agreement.
Hu et al's authentication scheme is briefly reviewed in Section 1. In Section 2, we analyze the shortcomings of Hu et al's scheme. An improved scheme is given in Section 3. In Section 4, we analyze the security of the improved scheme. The performance evaluation of the proposed scheme in different metrics and the comparison with schemes of the same type are presented in Section 5. In Section 6, we conclude the paper.

Review of Hu et al's Scheme
In Hu et al's scheme [10], users and sensor nodes complete mutual authentication and agree on session keys with the help of GWN. The scheme consists of four phases: initialization phase, registration phase, login and key agreement phase, and password and expiration time update phase. The notations involved in the scheme and their definitions are shown in Table 1.

Initialization Phase
GWN chooses two random numbers $K_{GU}, K_{GS} \in Z_q^*$ as the private key of GWN. $P$ is the generator in the elliptic curve. The public key of GWN is $P_{pub}$ and the calculation formula is $P_{pub} = K_{GU} \cdot P$.

Registration Phase
The current phase consists of a user registration phase and a sensor node registration phase. In this phase, the data is transmitted over a secure channel.

Registration for users
When a new user wants to access the services provided by WSNs, he/she must register with the gateway at first. The details of the user registration phase are as follows.
Step 1 $U_i$ chooses $ID_i$ and $PW_i$, generates a random number $r_i$, and calculates Then, $U_i$ sends a message $\{ID_i, A_i\}$ to the GWN over a secure channel.
Step 2 Once GWN receives a message from $U_i$, it selects an expiration time $TE_i$ for the temporary credentials of $U_i$.
GWN calculates the public key
GWN will store $\{ID_{GWN}, TE_i, P_{pub}, h(\cdot), PTC_i\}$ in a smart card SC and send SC to $U_i$ over a secure channel.
Step 3 , and stores $\{B_i\}$ in SC.

Registration for sensor nodes
Each sensor node must register with GWN, and only once. Its registration phase consists of the following operations.
Step 1 GWN selects an identity $SID_j$ for the sensor node $S_j$ and calculates $TC_j = h(K_{GS} \| SID_j)$.
GWN sends a message $\{TC_j, SID_j\}$ to $S_j$ over a secure channel.
Step 2 $S_j$ receives the message from GWN and stores $\{TC_j, SID_j\}$.

Login and Key Agreement Phase
In this phase, $U_i$ and $S_j$ agree on a session key with the help of GWN, thus performing a mutually authenticated key agreement to ensure further secure communication between them. The specific steps are as follows.
Step 1 $U_i$ inserts SC and enters his/her identity $ID_i$ and password $PW_i$. SC then generates two random numbers $N_1$ and $x_1$ based on the stored information and the extracted entered by $U_i$, and calculates where $P_{pub} = K_{GU} \cdot P$ is the public key of GWN,
Step 2 After receiving the message and checks the validity of $TE_i$. If it fails, GWN will reject $U_i$'s login request. Otherwise, GWN calculates GWN checks whether $T_3^* = T_3$ is correct or not. If not, GWN terminates the current phase. Otherwise, GWN generates three random numbers $N_2$, $x$ as well as $x_2$ and computes $TC_j = h(K_{GS} \| SID_j)$, Then, GWN sends a message $M_2 = \{T_1, T_4, T_5, T_6, N_2\}$ to $S_j$ over a secure channel.
Step 3 After receiving the message from GWN, $S_j$ recovers and calculates $S_j$ checks whether $T_6^* = T_6$ holds or not. If it does, $S_j$ generates two random numbers $N_3$, $x_3$, and computes $S_j$ transmits a message $M_3 = \{T_9, T_{10}\}$ to GWN.
Step 4 After receiving the message from $S_j$, GWN extracts ). $U_i$ checks whether $T_8^* = T_8$ holds or not. If it does, it means that $U_i$ and $S_j$ have successfully agreed on the session key.

Password and Expiration Time Update Phase
If $U_i$ wants to update or change his/her password, he/she inserts a smart card SC and enters $ID_i$, $PW_i$. After that, SC will calculate and then replaces $B_i$ with $B_i^{new}$. If GWN wants to update the expiration time $TE_i$ for $TC_i$, GWN can reselect a $TE_i'$ and recalculate in Step 4 of the login and key agreement phase. After that, $U_i$ can extract $TE_i'$ and $TC_i'$ from $T_{11}$, update $B_i$ and $TE_i$ in his/her own smart card.

Security Analysis of Hu et al's Scheme
This section analyzes the security of Hu et al's scheme [10] and demonstrates that it has the following risks.

Vulnerability to Stolen Smart Card Attack and DOS Attack
If an attacker steals the smart card SC of a user $U_i$ and attempts to log in by inserting the SC and entering his/her own identity $ID_k$ and password $PW_k$, SC does not verify whether the current user has registered legally. Based on the information $\{ID_{GWN}, TE_i, P_{pub}, h(\cdot), B_i\}$ stored in SC, the attacker can therefore directly perform a series of calculations by using equation (1) and then send $M_1 = \{T_1', T_2', T_3'\}$ to GWN. Although the attacker can neither pass the authentication of GWN nor participate in the subsequent operations, GWN has already carried out a series of calculations through equation (2), consuming a large amount of computational resources. If forged login requests are sent in large numbers, GWN's resources will be exhausted, and GWN cannot process normal requests from legitimate users in a timely manner. In other words, legitimate users will not be able to get responses from the service.

GWN Cannot Extract Key Values
Hu et al [10] claimed that their scheme satisfied user anonymity, meaning that the user's identity $ID_i$ was only included in $T_2$, $T_3$, $T_4$, $T_5$ and not transmitted over a public channel. However, GWN not only serves multiple sensor nodes and users simultaneously, but also receives a huge amount of messages.
Since the identity of the sensor node and the identity of the specific user are missing in the message $M_3 = \{T_9, T_{10}\}$ sent by the sensor node to GWN, GWN is unable to recognize which sensor node is trying to contact which user after receiving $M_3$. Therefore, GWN cannot determine which temporary credential should be used to calculate equation (3), and the subsequent operations cannot proceed.

Failure of Mutual Authentication and Key Agreement
As described in Section 2.2, GWN cannot obtain $SID_j$ and $ID_i$ from the message $M_3 = \{T_9, T_{10}\}$ sent by $S_j$ during the login and key agreement phase, so GWN is unable to compute equation (3), much less conduct further authentication by verifying whether $T_{10}^* = T_{10}$ or not. It means that Hu et al's scheme [10] cannot continue to work. Therefore, the scheme fails to achieve mutual authentication and key agreement.

The Proposed Scheme
To overcome the shortcomings in Hu et al's scheme [10], this paper presents an improved scheme. Firstly, the proposed scheme adds a user's pseudo-identity $PID_i$ in the registration phase of users for the transmission of identity information in a public channel. The pseudo-identity is dynamic and updated promptly after each communication. Secondly, the proposed scheme incorporates a key authentication in the login phase of the user, where the smart card verifies whether the current user is the legitimate registered one. Finally, the proposed scheme adds some necessary identity information in the transmitted messages. This measure ensures that GWN, upon receiving a message from a sensor node, can clearly know which sensor node wants to communicate with which user.
The proposed scheme satisfies mutual authentication and effectively enhances the anonymity of users. In addition, the proposed scheme not only resists the stolen smart card attacks and DOS attacks mentioned above, but also solves the problem that GWN cannot extract key values. For the sake of brevity, this section only describes the initialization phase, the registration phase, and the login and key agreement phase. The specific steps are as follows.

Initialization Phase
GWN selects an additive group $G$ of order $q$ and a generator $P$ of $G$ on an elliptic curve $E$. GWN chooses two private keys $K_{GU} \in Z_q^*$ and $K_{GS} \in Z_q^*$, and computes its public key $P_{pub} = K_{GU} \cdot P$.

Registration Phase
Any user and sensor can register with GWN. Unregistered entities are not able to communicate subsequently. The above approach can effectively guarantee the security of data transmission, thereby ensuring the network security of the whole system. This phase is divided into a user registration phase and a sensor node registration phase.

Registration of users
When a new user wants to access an IoT service and communicate with one of the sensor nodes, he/she must first register with GWN and obtain his/her SC through a secure channel. GWN stores the user's registration information in order to verify his/her identity during the login phase. As shown in Fig. 1, this phase is divided into three steps and the process is as follows.
Step 1 User $U_i$ selects his/her unique identity $ID_i$ and password $PW_i$, generates a random number $r_i \in Z_q^*$, and calculates $A_i$ and pseudo-identity $PID_i$ according to equation (4). Then, $U_i$ sends a registration message $\{ID_i, A_i, PID_i\}$ to the GWN over a secure channel.
Step 2 GWN receives the registration message from $U_i$ and chooses an expiration time $TE_i$ for $U_i$. GWN calculates its own public key $P_{pub}$, the user's temporary credentials $TC_i$ and $PTC_i$ by equation (5). GWN stores $\{ID_i, TE_i, PID_i\}$ into its own database and embeds $\{ID_{GWN}, TE_i, P_{pub}, h(\cdot), PTC_i\}$ into a smart card SC. GWN then issues SC to $U_i$ over a secure channel.
Step 3 Once the SC is received, $U_i$ performs equation (6) for the calculation in order to create the values required for the authentication in the next stage. After that, $U_i$ stores $\{A_i, B_i, C_i\}$ in SC and removes $PTC_i$. As of now, the values stored in SC are

Registration of sensor nodes
Any sensor node that interacts with GWN for the first time must register first. The registration process of sensor nodes is shown in Fig. 2, with the following steps.
Step 1 For a newly installed sensor node $S_j$, GWN first selects an identity $SID_j$ for it and calculates the temporary credential $TC_j$ by $TC_j = h(K_{GS} \| SID_j)$.
Step 2 $S_j$ receives a message $\{SID_j, TC_j\}$ sent from GWN over a secure channel and stores $\{SID_j, TC_j\}$ in memory.

Login and Key Agreement Phase
In this stage, the legally registered user $U_i$ can share a session key with registered sensor node $S_j$ that wants to register via GWN [11]. As shown in Fig. 3, $U_i$ and $S_j$ authenticate each other and establish a session key for secure communication with the help of GWN. The detailed steps are described below.
Step 1 $U_i$ inserts the smart card SC and enters his/her identity $ID_i$ and password $PW_i$. After that, SC uses equation (7) for the calculation. SC checks whether $A_i^* = A_i$ holds or not. If this check fails, SC will reject the user's login request. Otherwise, it means that this user is the legitimate holder of SC, and also indicates $r_i^* = r_i$. Then, SC recovers the temporary credentials $TC_i$ for $U_i$ and computes pseudo-identity $PID_i$ by equation (8). After that, SC selects two random numbers $N_1 \in Z_q^*$, $x_1 \in Z_q^*$ and calculates the values $F_1$, $F_2$, $F_3$ according to equation (9). $U_i$ sends message
Step 2 Once GWN receives the message $M_1$ from $U_i$, it extracts the values needed for subsequent authentication according to equation (10). GWN verifies the validity of $TE_i$. If the verification fails, GWN rejects $U_i$'s login request. Otherwise, GWN calculates $TC_i$ and $F_3^*$ by equation (11). GWN verifies whether $F_3^* = F_3$ holds or not. GWN rejects $U_i$'s login request if the condition fails. Otherwise, it proves that $U_i$ is a legitimate user who has registered with GWN. Then, GWN selects three random numbers $N_2 \in Z_q^*$, $x \in Z_q^*$, $x_2 \in Z_q^*$ and calculates the temporary credentials $TC_j$ of $S_j$ and three values $F_4$, $F_5$, $F_6$ according to equation (12). Then, GWN sends a message $M_2 = \{F_1, F_4, F_5, F_6, N_2, PID_i\}$ to $S_j$ over a public channel.
Step 3 Upon receiving the message $M_2$, $S_j$ calculates a series of values according to equation (13). $S_j$ verifies whether $F_6^* = F_6$ holds or not, and aborts the current phase if the equality does not hold. Otherwise, $S_j$ generates two random numbers $N_3 \in Z_q^*$, $x_3 \in Z_q^*$ and calculates the session key $SK_{ji}$ and a set of values by equation (14). $S_j$ sends a message $M_3 = \{F_9, F_{10}, SID_j, PID_i\}$ to GWN over a public channel.
Step 4 As soon as GWN receives $M_3$, it extracts the values to be used for the subsequent operation and the validation value $F_{10}^*$ by equation (15). GWN verifies whether $F_{10}^* = F_{10}$ holds or not. If the condition fails, this session is aborted immediately. Otherwise, GWN updates $PID_i$ by equation (16) and calculates some values. GWN then sends a message $M_4 = \{F_{11}, F_{12}, F_{13}\}$ to $U_i$ over a public channel.
Step 5 After receiving the message from GWN, $U_i$ extracts the updated pseudo-identity $PID_i^{new*}$ and calculates $F_{12}^*$ through equation (17). $U_i$ checks whether $F_{12}^* = F_{12}$ holds or not. $U_i$ terminates the session if the equality does not hold. Otherwise, it indicates that $U_i$ authenticates GWN and the accuracy of the transmitted message, and also means that Then, $U_i$ recovers and calculates some values by equation (18). $U_i$ verifies whether $F_8^* = F_8$ holds or not. If the verification fails, $U_i$ terminates the current session immediately. Otherwise, it means that $U_i$ and $S_j$ have successfully negotiated a session key, which can be used to secure subsequent communications.

Fig. 3 Login and key agreement phase
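
The difference between the two M3 formats discussed in Section 2.2 and in Step 4 above, as an added example that is not part of the paper: a gateway that receives M3 = {F9, F10, SID_j, PID_i} selects the session with one lookup, while the original M3 = {T9, T10} carries nothing that selects a session. Only TC_j = h(K_GS || SID_j) is taken from the text; SHA-256 as h(.), the validation_tag formula standing in for F10, the pending-session table and all identifiers are assumptions.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """h(.) over length-prefixed parts; SHA-256 is an assumed instantiation."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def validation_tag(tc_j: bytes, f9: bytes, n2: bytes, pid_i: bytes) -> bytes:
    """Assumed stand-in for F10: binds the sensor credential to the session."""
    return h(tc_j, f9, n2, pid_i)


class Gateway:
    def __init__(self, k_gs: bytes):
        self.k_gs = k_gs      # GWN private key K_GS
        self.pending = {}     # PID_i -> (SID_j, N2), remembered after sending M2
        self.tag_checks = 0   # tag computations performed, i.e. work done per M3

    def tc_j(self, sid_j: bytes) -> bytes:
        return h(self.k_gs, sid_j)   # TC_j = h(K_GS || SID_j), from the page

    def send_m2(self, pid_i: bytes, sid_j: bytes) -> bytes:
        n2 = secrets.token_bytes(16)
        self.pending[pid_i] = (sid_j, n2)
        return n2

    def _check(self, sid_j, n2, pid_i, f9, f10) -> bool:
        self.tag_checks += 1
        expected = validation_tag(self.tc_j(sid_j), f9, n2, pid_i)
        return hmac.compare_digest(expected, f10)

    def handle_m3(self, m3: dict) -> bool:
        """Improved format M3 = {F9, F10, SID_j, PID_i}: one lookup, one check."""
        state = self.pending.get(m3["PID_i"])
        if state is None or state[0] != m3["SID_j"]:
            return False                  # reject before any tag computation
        sid_j, n2 = state
        if not self._check(sid_j, n2, m3["PID_i"], m3["F9"], m3["F10"]):
            return False
        del self.pending[m3["PID_i"]]     # session consumed; a replay finds nothing
        return True

    def handle_m3_no_ids(self, f9: bytes, f10: bytes):
        """Original format M3 = {T9, T10}: nothing selects a session, so the
        only fallback is to try every pending one."""
        for pid_i, (sid_j, n2) in list(self.pending.items()):
            if self._check(sid_j, n2, pid_i, f9, f10):
                del self.pending[pid_i]
                return pid_i
        return None


def sensor_m3(sid_j: bytes, tc_j: bytes, n2: bytes, pid_i: bytes) -> dict:
    """Sensor S_j side; F9 is a constructed random placeholder value."""
    f9 = secrets.token_bytes(16)
    return {"F9": f9, "F10": validation_tag(tc_j, f9, n2, pid_i),
            "SID_j": sid_j, "PID_i": pid_i}


def demo(sessions: int = 50):
    gwn = Gateway(secrets.token_bytes(32))
    opened = {}
    for k in range(sessions):             # constructed identifiers
        pid, sid = b"PID-%d" % k, b"SID-%d" % (k % 5)
        opened[pid] = (sid, gwn.send_m2(pid, sid))
    pid = b"PID-%d" % (sessions - 1)
    sid, n2 = opened[pid]
    m3 = sensor_m3(sid, gwn.tc_j(sid), n2, pid)

    gwn.tag_checks = 0
    found = gwn.handle_m3_no_ids(m3["F9"], m3["F10"])   # scans pending sessions
    cost_no_ids = gwn.tag_checks

    gwn.pending[pid] = (sid, n2)          # restore the session for the second run
    gwn.tag_checks = 0
    ok = gwn.handle_m3(m3)
    return found, cost_no_ids, ok, gwn.tag_checks


if __name__ == "__main__":
    print(demo())
```

With identifiers in M3 the gateway's work per message is constant, and a message naming an unknown session is dropped before any hash is computed; without them the work grows with the number of open sessions.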

Security Analysis
The most basic requirement of any authentication scheme is security. In this section, we give a security analysis of the proposed scheme. The proposed scheme provides mutual authentication, satisfies user anonymity and untraceability, and is resistant to many common attacks as described below.

User Anonymity
To ensure users' privacy, the authentication scheme must guarantee anonymity. In the proposed scheme, the identity $ID_i$ of $U_i$ is neither transmitted in a public channel nor stored in SC. As shown in equation (19), the proposed scheme encrypts $ID_i$ with a random number $r_i$ chosen by $U_i$, thereby generating the user's pseudo-identity $PID_i$. In the login and key agreement phase, the proposed scheme transmits the identity information in the public channel as $PID_i$ instead of $ID_i$, and even if an attacker intercepts $PID_i$, he/she cannot crack $ID_i$ due to the protection of $h(\cdot)$ with a random number $r_i$. In summary, the proposed scheme satisfies user anonymity.

User Untraceability
$U_i$ sends a login message $M_1 = \{F_1, F_2, F_3, PID_i\}$ to GWN through a public channel, and an attacker can intercept $M_1$. However, as equation (20) shows, $\{F_1, F_2, F_3\}$ are all related to the random numbers $x_1$ or $N_1$, and the random numbers are different in each session. Similarly, the random numbers make $PID_i$ vary from session to session. That is, the values in $M_1$ cannot be associated with a specific user. Therefore, the attacker cannot trace the user's actions during the login and key agreement phase. Meanwhile, after GWN authenticates $S_j$ in the login and key agreement phase, it updates $PID_i$ by equation (21) and transmits it to $U_i$, which means that $U_i$'s pseudo-identity is dynamic. Usually, an attacker intercepts messages from different sessions and tries to find the relationship between them to determine whether they belong to the same device [12]. In the proposed scheme, GWN does not transmit $PID_i^{new}$ directly through a public channel after it updates $PID_i$, but protects $PID_i^{new}$ by equation (22) before transmitting $F_{11}$. In this way, the attacker cannot obtain the correlation between $PID_i$ and $PID_i^{new}$ by intercepting both of them. As shown above, the proposed scheme not only satisfies user untraceability, but also enhances user anonymity because of the dynamic identity.

Mutual Authentication
The three parties involved in the communication, i.e., $U_i$, GWN, and $S_j$, must authenticate each other to ensure the legitimacy of each party. In the login phase, SC authenticates the currently logged-in user as the legitimate holder of SC by verifying $A_i$ in equation (23). GWN authenticates $U_i$ by verifying $F_3$ in equation (23), in particular $TC_i$ contained therein, before responding to $U_i$'s login request. GWN authenticates $S_j$ by checking $F_{10}$ in equation (23) according to integrity and accuracy, especially $TC_j$ contained therein. $S_j$ achieves authentication of GWN by examining $F_6$ in equation (23), especially $h(ID_i \| TE_i \| x)$ contained therein. $U_i$ authenticates GWN by verifying $F_{12}$ in equation (23), and verifies that the session key reached with $S_j$ is consistent by checking $F_8$. In conclusion, if the whole authentication process can be completed, the participants can trust each other, which means that the proposed scheme supports mutual authentication.

Resistance to Replay Attack
Although the proposed scheme, like Hu et al's scheme [10], still does not use timestamps, all values transmitted in a public channel incorporate the random numbers $N_1$, $x_1$, $N_2$, $x$, $x_2$, $N_3$, $x_3$ chosen randomly by $U_i$, $S_j$, and GWN in the login and key agreement phase, and these random numbers vary from session to session. Even if an attacker intercepts messages $M_1$, $M_2$, $M_3$, $M_4$ over a public channel and replays them, the attacker cannot compute the correct session key. As shown in equation (24), if the attacker wants to compute the session key, he/she must know $F_7$ at first. However, he/she cannot obtain $F_7$ in the session key from the intercepted messages. This is because the attacker must first obtain the random number $x_3$ chosen by $S_j$ and the base point $P$ of the elliptic curve in order to compute $F_7$, but he/she cannot know these values from the messages transmitted over the public channel, so the attacker cannot compute the session key. It follows that the proposed scheme is able to resist replay attacks.

Resistance to Man-in-the-Middle (MITM) Attack
If an attacker tries to eavesdrop, manipulate, or intercept messages transmitted in the public channel, he/she will be detected by the mutual authentication mechanism at each entity involved in the communication. As shown in Sections 4.3 and 4.4, such a malicious attempt will not succeed even if the attacker attempts to replay or tamper with the values in the transmitted message. Thus, the proposed scheme is resistant to MITM attacks.

Resistance to DOS Attack
An attacker may send a large number of fake request messages to the target device multiple times in an attempt to prevent legitimate users from accessing the service, resulting in the target device being unable to provide normal service. In the proposed scheme, SC verifies $U_i$'s login information. In equation (25), $ID_i$ and $PW_i$ are the identity and password entered by $U_i$, and $r_i$ is recovered from $h(\cdot)$ and $C_i$, both of which are stored in the SC inserted by $U_i$. Therefore, SC can verify whether $U_i$ is the legitimate holder of SC or not by verifying $A_i$. In addition to this, each message in the proposed scheme authenticates the sender before proceeding to the next operation. If authentication is successful, the session will proceed normally. Otherwise, it will be terminated immediately. Thus, the proposed scheme is resistant to DOS attacks.

Perfect Forward Secrecy
In the proposed scheme, a new session key will be generated between $U_i$ and $S_j$ after each communication is completed. Even if this session key is compromised by an attacker, the attacker cannot find a significant correlation between past, present and future session keys because the random numbers $x_1$ and $x_3$ contained in each session key change from session to session. As a result, the proposed scheme achieves perfect forward secrecy.

Resistance to Impersonation Attack
An attacker may impersonate $U_i$ to launch an attack. In the proposed scheme, $U_i$ communicates by using a pseudo-identity $PID_i$, which is updated at the end of each authentication phase. Therefore, it is difficult for the attacker to impersonate a legitimate user using some outdated pseudo-identity. Even if the attacker happens to guess the identity of $U_i$, he/she can never send a valid message to the GWN to prove his/her identity. This is because the attacker cannot know the temporary credential $TC_i$ and the expiration time $TE_i$ issued by GWN to the legitimate user. In summary, the proposed scheme is able to resist impersonation attacks.

Resistance to Stolen Smart Card Attack
If the attacker steals the smart card SC, then he/she may impersonate $U_i$ to log in, insert SC, and then enter his/her own identity and password. However, the attacker cannot pass the authentication of equation (26). That is, even if the attacker steals SC and leaks the data stored inside, he/she still cannot obtain the important authentication information. So the proposed scheme is resistant to stolen smart card attacks.

Resistance to Known Session Key Attack
If an attacker can use an old or compromised session key for a session, the scheme is considered vulnerable to known session key attacks. As shown in equation (27), the session key in the proposed scheme contains random numbers $x_1$ and $x_3$ that are refreshed with each communication, so it is hard for the attacker to know $F_1$ and $F_7$. Meanwhile, due to the hardness of the computational Diffie-Hellman (CDH) problem, it is infeasible for the attacker to obtain new information from the old session key and extract $\{x_1, x_3\}$ from $\{F_1, F_7\}$.

Resistance to Off-Line Password Guessing Attack
Suppose an attacker tries to guess $PW_i$ of the legitimate user using the stolen smart card or any previously transmitted message. To pass the verification of equation (27), he/she must know the real identity $ID_i$ and $r_i^*$ of the legitimate user. However, the attacker cannot obtain $ID_i$ based on the intercepted message. Moreover, $r_i$ is an independent and unique random number chosen arbitrarily by the legitimate user during the registration phase. The user must extract $r_i^*$ at the login stage based on the registered $ID_i$ and $PW_i$ as well as $C_i$ stored in the SC in order to pass the verification of equation (27).
That is, even if the attacker guesses $PW_i$ correctly by chance, he/she will not be able to pass the verification of SC. Therefore, the proposed scheme can resist off-line password guessing attacks.

No Key Control
Each entity in the session cannot compute the session key separately by controlling the key negotiation process. Not only $x_1$ and $x_3$, but also $F_1$ and $F_7$ are chosen and computed independently by $U_i$ and $S_j$, respectively. As shown in equation (27), if $U_i$ does not extract $F_7$ created by $S_j$ based on the received message $M_4$, then $SK_{ij}$ cannot be computed. Similarly, if $S_j$ does not extract $F_1$ created by $U_i$ based on $M_2$, then $SK_{ji}$ cannot be computed.

Performance Analysis
This section presents a comparison of Hu et al's scheme [10] with the proposed scheme and other schemes of the same type in terms of both performance and security features.

Implementation Setup
We refer to the experimental results of Xie et al [13]. For simplicity, we only consider four main cryptographic operations: ① one-way Hash function, ② point multiplication, ③ symmetric encryption and decryption, and ④ fuzzy extraction function. We do not consider the XOR operation because its cost is negligible. The execution times of the Hash function, encryption/decryption, point multiplication in elliptic curves, and fuzzy extraction function are denoted as $T_h$, $T_s$, $T_e$, and $T_f$, and the estimated times are 0.068, 0.56, 2.501, and 2.501 ms, respectively.

Computation Comparisons
Table 3 shows the comparison of the proposed scheme with other similar schemes. Although the proposed scheme has a slightly longer running time than Hu et al's scheme [10], it has better security and can effectively remedy the security flaws of Hu et al's scheme [10]. Moreover, the computational cost of the proposed scheme is significantly lower than that of the schemes of Sutrala et al [14], Xie et al [15], Srinivas et al [16] and Sahoo et al [17].

Table 3 Computational cost of the schemes (schemes compared: Hu et al [10], Sutrala et al [14], Xie et al [15], Srinivas et al [16], Sahoo et al [17], Proposed)

Comparison of Safety Features and Functions
Table 4 shows that the existing schemes do not meet all the security requirements, and the proposed scheme provides sufficient security advantages compared to other schemes and is suitable for wireless sensor networks in the IoT environment.

Conclusion
In this paper, we review a two-factor authentication scheme proposed by Hu et al for WSNs in an IoT environment, and point out some of its flaws. Then, we propose an improved scheme that addresses the security concerns of Hu et al's scheme and takes computational efficiency into account. We demonstrate the security of the proposed scheme through security analysis, and show that the proposed scheme is resistant to a wide range of known attacks and meets all security requirements. In addition, we compare and analyze the performance of the proposed scheme, Hu et al's scheme, and similar schemes from recent years. The analysis results show that the proposed scheme achieves the desired efficiency and is compatible with low-cost, restricted IoT devices.

Fig. 1 Registration of users