A Provably Secure Anonymous Authenticated Key Exchange Protocol Based on ECC for Wireless Sensor Networks

In wireless sensor networks, users sometimes need to retrieve real-time data directly from the sensor nodes. Many authentication protocols are proposed to address the security and privacy aspects of this scenario. However, these protocols still have security loopholes and fail to provide strong user anonymity. In order to overcome these shortcomings, we propose an anonymous authenticated key exchange protocol based on Elliptic Curves Cryptography (ECC). The novel protocol provides strong user anonymity such that even the gateway node and the sensor nodes do not know the real identity of the user. The security of the proposed protocol is conducted in a well-defined security model under the CDH assumption. Compared with other related protocols, our protocol is efficient in terms of communication and enjoys stronger security. The only disadvantage is that our protocol consumes more computation resources due to the usage of asymmetric cryptography mechanisms to realize strong anonymity. Consequently, our protocol is suitable for applications which require strong anonymity and high security in wireless sensor networks.


Introduction
1.1.Background.As an important part of Internet of things, wireless sensor networks (WSNs) draw more and more attentions from the industrial and the researchers.Typically, a WSN is composed of numerous tiny sensor nodes.These sensor nodes can be deployed in unattended or hostile environments to collect valuable data of interest.For example, a large amount of visual data such as images and videos can be collected by visual sensor nodes [1].These nodes have the characteristics of easy deployment, low cost, and high mobility [2].Due to these merits, WSNs are very useful in many application scenarios, such as natural disaster prevention, machine health monitoring, air temperature monitoring, health care monitoring, and battlefield surveillance.
Usually, the data collected by the sensor nodes will be transmitted to and aggregated by a gateway node periodically.Whenever a user wants to get access to the aggregated data from the gateway node, he will authenticate himself to the gateway node.However, in some application scenarios such as health care monitoring and battlefield surveillance, users have great needs to access the data directly from the sensor nodes.Under such circumstances, the user first sends a request to the gateway node for accessing the real-time data.The gateway will authenticate whether the user is valid or not.If the user is valid, a common session key will be established between the user and the sensor node with the help of the gateway node.The session key can later be used to protect confidentiality and integrity of the data [3].

Related Work.
In order to address the security aspects under the above-mentioned application scenario, many authentication protocols are proposed [4][5][6][7].In 2009, Das [8] proposed a two-factor user authentication protocol, which is claimed to have strong authentication and session key establishment and achieves efficiency.Unfortunately, Khan et al. [9] soon found that Das's protocol is vulnerable to the gateway node bypassing attack and the privileged-insider attack.Besides, Das's protocol also fails to provide password update and mutual authentication.Khan et al. also presented 1. 3. Motivation and Contribution.Until now, there are many authentication protocols designed for protection of security and privacy when accessing real-time data in WSNs.However, there are still some problems which are not solved.Firstly, most of these protocols only have informal heuristic security arguments.It is quite common such that a protocol which is claimed to be secure is soon found to be vulnerable to several attacks.What is worse, the improved protocol still has many vulnerabilities.Secondly, the existing protocol pays little attention to user's privacy.Only few protocols provide user anonymity and these protocols only achieve weak anonymity; i.e., the real identity is hidden to an adversary but is known to the gateway node and sometimes even the sensor node knows the real identity of the user.Last but not least, the existing protocols rely on efficient XOR, symmetric encryption, and hash operations to provide better efficiency.Although these protocols can meet the characteristics of constrained storage, computation, and communication capabilities of sensor nodes, they fail to provide strong security guarantee.For security-critical applications such as battlefield surveillance, security and privacy are more important than the computation and communication efficiency.
In this paper, we investigate the design of anonymous and strongly secure authenticated key exchange protocol in WSNs.We propose an efficient authenticated key exchange protocol for the scenario in which the user wants to access the real-time data directly from the sensor node.The novel protocol has the following advantages.First of all, our protocol enjoys formal security proof in a well-defined security model.The security is conducted in the random oracle model under the CDH assumption.Second, our protocol provides the strongest anonymity in the sense the real identity of the user is only known to himself.Neither the gateway node nor the sensor node can obtain any information of the user's identity, not to mention the adversary.Thirdly, our protocol achieves more security attributes than other related protocols.Consequently, it is more secure than other related protocol and is particularly suitable for securitycritical applications in WSNs.The only disadvantage is that it needs more computation resources.However, security and privacy are more important than the computation efficiency in security-critic application.So our protocol is suitable for security-critical applications in WSNs.
The rest of the paper is organized as follows.In Section 2, we present the security model and some preliminaries.We describe the details of the proposed protocol in Section 3. The security proof is given in the random oracle model in Section 4. The performance comparison with other related protocols is summarized in Section 5. We conclude this paper in Section 6.

Security Model
In this section, we briefly recall the security model presented in [21,22].The security of our protocol will be conducted in this formal security model.
Protocol Participants.The participants of an authentication and key exchange protocol for real-time data retrieval in WSNs involves users , a gateway node , and a sensor node   .Each user  registers with the gateway node and each sensor node   shares a common secret key with the gateway node.
Protocol Execution.All the participants are modeled as a PPT Turing machine.The i-th instance of a participant  is denoted by   .All the communication channels are managed by a probabilistic polynomial time adversary A. The adversary A can intercept, delay, modify, and even forge a message at will.The capabilities of the adversary are captured through oracle queries.The adversary can make the following oracle queries: (vi) V(  ): this query can only be asked to a user instance or a sensor node instance.If the instance   accepts the session and generates a session key, A will get the session key.Otherwise, A will get the symbol ⊥ which means the instance   does not hold a session key.
(vii) (  ): this query does not capture any real attack ability of A but is used to measure the security of the session key held by instance   .Upon receiving this query, the simulator will flip a coin .If the result is 1, then it returns the real session key to A. If the result is 0, the simulator will send a random session key of the same length with the real session key to A. A has to distinguish if the key is real or random.In other words, A has to guess the coin flip result.
The session identification (sid) is defined as the transcripts shared between a user instance and a sensor node instance.The partner identification (pid) of an instance is defined to be the participant with whom the instance wants to establish a common session key.We say a user instance   and a sensor node instance    are partners if the following conditions are satisfied: (1) these two instances both accept and generate the same session key; (2) these two instances share the same sid; (3) the pid of   is   and the pid of    is ; and (4) no other instances accept the same sid with   and    .
If the adversary A asks both (, ) and (, ), the user  is said to be fully corrupted.When defining the AKE security of the session key, we do not consider the corruption of the gateway node.This is because once the gateway node is corrupted; there is nothing we can do to guarantee the security of the protocol.A user instance or a sensor node instance   is said to be fresh if (1) A does not send V queries to the instance or its partner; and (2) the user or the sensor node is not fully corrupted by A. AKE Security.The security of the session keys is captured by the AKE security.The adversary A is restricted to ask  queries to fresh instances only; otherwise the adversary A can trivially win the attack game.The adversary A is given access to all the oracle queries; the only restriction is that A only can ask one  query to a fresh instance.The adversary A needs to guess the hidden bit  used by the simulator when answering the  query.If A correctly guesses the random bit, then we say A wins the AKE security game.We denote this event by .With respect to the distribution of the passwords, we use the Zipf 's law put forward by Wang et al. [21] instead of assuming a uniform distribution.The adversary A's advantage in attacking the AKE security of a protocol P, when passwords are chosen according to the Zipf 's law of a dictionary , is defined as follows: An authentication and key exchange protocol P is said to be AKE secure if for all PPT adversary A, the advantage V  P,D (A) is only negligible larger than   ⋅     , where   and   are Zipf parameters and   is the number of active attack sessions.Moreover,   and   are constants depending on the password data set and can be calculated by linear regression.

Description of the Protocol
In this section, we describe the proposed anonymous authenticated key exchange protocol based on ECC for WSNs.The most important benefit of ECC is that it provides the same level of security with a smaller key size compared to other cryptography mechanisms such as RSA.So it suits the needs of the resource-constrained nature of the WSN.Our protocol has three phases: the setup phase, the registration phase, the authentication, and key exchange phase.The detailed steps of each phase are described in the following.The symbols used in this paper are summarized in Table 1.

The Registration Phase.
If a user  wants to access the data collected by the sensor nodes in the WSN,  has to register himself to the gateway node.For a pictorial illustration of the user registration, please refer to Figure 1.The detailed steps are described in the following.
Step 1.The user  randomly chooses his identity   and his password   from the password dictionary. sends his identity   to the gateway node  through a secure channel.
Step 2. When the gateway node  receives the registration request from the user,  verifies the validity of the    identity   .If it is valid and there is no other user in its database registers using the same identity,  first computes the credential  = (1/(  +  1 (  ))).Then  chooses a random number  ∈  *  and computes  =  1 (,   ,  1 (  ), ,  1 ,  2 ) and  = ( +   )mod , where  1 = ,  2 = .At last,  sends the registration message (, , ) to the user  through a secure channel.
The registration of the sensor node is rather simple compared with the user registration.The sensor node   sends the registration request to the gateway node  through a secure channel.Upon receiving the request, the gateway node  will compute a symmetric key  (,  ) =  3 (,   ,   ) and send the symmetric key  (,  ) to   through a secure channel.

The Authentication and Key Exchange
Phase.Suppose a user  wants to get the real-time data from the sensor node   ,  has to execute the authentication and key exchange phase with the gateway node  and the sensor node   .During this phase, the user , the gateway node , and the sensor node   will authenticate each other.At the end of this phase, a session key will be established between  and   to protect the upcoming data transmission.The detailed steps Sensor Node S i (K (GN,S  ) ) (2) (label, X, T GN , Autℎ GN ) T * GN − T GN ≤ T?
x ∈ Z * n , X = xP label = (ID GN , ID S  ) a, r m , r a ∈ Z * n T = a, R 3 = r a P − r m T c 1 = H 1 (P, T, R 3 , X, label) s m = r m + c 1 H 1 (ID U ) mod n s a = r a + c 1 a mod n (1)(label, X, T, c 1 , s m , s a ) of the authentication and key exchange phase are described as follows.For a pictorial illustration, please refer to Figure 2.
Step 3. Upon receiving the message (, ,   , ℎ  ) from  at time  *  , the sensor node   first checks whether | *  −  | ≤ △, where △ is the expected time interval for the transmission delay.If this is true,   then verifies the validity of the authenticator ℎ  using its private key  (,  ) .If the authenticator is valid,   chooses a random number  ∈  *  and computes  = .  then computes the authenticator ℎ   =  5 ( (,  ) , , ,   ,    , ), where    is the current timestamp of   .  computes the Diffie-Hellman key  =  and the session key  =  0 (, , , ).Finally,   sends the message (  , ,    , ℎ   ) to the gateway node .
Step 4. Upon receiving the message (  , ,    , ℎ   ) from   at time  *   ,  first checks whether | *   −    | ≤ △, where △ is the expected time interval for the transmission delay.If this is true,  then computes the shared key with the sensor node  (,  ) =  3 (,   ,   ) and verifies the validity of the authenticator ℎ   .If the verification is successful,  computes   =  1 (, , ,  1 ,   ,   , ) and signs the random number   using his private key   ; the signature is denoted by   .Finally,  sends the message (,   ) to the user .
Step 5. Upon receiving the message (,   ) from ,  first verifies the validity of the signature   . computes the random number  *  =  1 (, , ,  1 ,   ,   , ) and checks if   is a valid signature for  *  singed by .If the verification is successful,  computes the Diffie-Hellman key  =  and the session key  =  0 (, , , ). will accept the session and wait for the upcoming communication.

Security Proof
In this section, we present the security proof of our protocol.The security proof is conducted in the security model presented in Section 2.
Theorem 1. Suppose P is the anonymous authentication and key exchange protocol for WSN described in the previous section and A is a PPT time adversary against the AKE security of P who runs in time  and makes at most   queries of Send oracle to different instances.If the signature scheme used in our protocol is existential unforgeable against adaptive chosen message attacks, the hash functions   (⋅)( = 0, 2, . . ., 5) are all modeled as random oracles; then under the CDH assumption, the advantage of the adversary A in violating the AKE security of the protocol P is at most Proof.We use the hybrid experiments technique to prove Theorem 1.These hybrid experiments start with the real attack scenario.We gradually change the simulation rules in each experiment.In the last experiment, the advantage of the adversary in distinguishing the session key is negligible.We also estimate the advantage difference of the adversary between two hybrid experiments and the advantage of the adversary in breaking the AKE security can be calculated.We denote the adversary's advantage in hybrid   using V  (A).
Experiment  0 .This is the real attack scenario defined in the security model.In this experiment, the adversary has access to all the oracles.According to the definition of A's advantage, we have the following result: Experiment  1 .In this experiment, we simulate all the hash function   (⋅)( = 0, 1, . . ., 5) by maintaining hash lists Λ   ( = 0, 1, . . ., 5) using the following rules: (i) On a query   (), if a record (, , ) exists in Λ   , then return .Otherwise, the output  is chosen according to the following rule:   .
In addition to these lists, we also simulate six private hash oracles    ( = 0, 1, . . ., 5) by maintaining hash lists ∧    ( = 0, 1, . . ., 5).We will use these private hash functions in the following hybrid experiments.It is well known that a hash function can be simulated perfectly in PPT time using the above rules; thus, we have Experiment  2 .In this experiment, we cancel the sessions if some unlikely collisions occur in these sessions.To be more specific, if some collisions occur in the simulation of the hash functions or on the transcripts of ((, , ,  1 ,   ,   ,   )), we will terminate the session and let the adversary win.Based on the birthday paradox, we have the following result: Experiment  3 .In this experiment, we modify the simulation rules of sessions by  queries.Whenever we need to compute the session key in a passive session, we use the private hash oracle   0 instead of  0 .Moreover, the Diffie-Hellman key  is not used as an input.In other words, the session key of a passive session is computed as  =   0 (, , ).The adversary can distinguish the experiment  3 and the previous experiment  2 if and only if the adversary sends a hash query (, , , ) to the hash oracle  0 in which ,  is generated in a passive session and  = (, ).However, if the adversary can issue such a query, we can use the ability of the adversary to solve the CDH problem.
Given a CDH instance (, ), we can embed the instance to all the passive session using the self-reducibility of the CDH problem.In order to do so, we choose four random numbers  0 ,  0 ,  1 ,  1 ∈  *  for each passive session.In simulation the transcripts, we simply set  =  0  +  0  and  =  1  +  1 .All other transcripts are simulated as usual until the computation of the session key.The session key is computed as  =   0 (, , ).If an adversary can distinguish between this experiment and the previous one, then a query (, , , ) must be issued to the hash oracle  0 .We can compute the Diffie-Hellman value of (, ) by selecting a random record (0, (, , , ), ) in ∧  0 and computing Under the intractability assumption of the CDH problem, we have In the last experiment, we can see that all the session keys of passive sessions are chosen randomly from the domain and all the active sessions are terminated without accepting.The only way for the adversary to succeed is to steal the terminal of the user and recover the credential by guessing the password.The adversary has to verify the correctness of the recovered credential by executing the protocol.Consequently, we have     V 7 (A)     ≤   ⋅     . (11)

Performance Analysis
In this section, we evaluate the computation and communication costs and the security attributes of our protocol with other related protocols with user anonymity [16][17][18][19].In terms of computation, let "  " denote the time of one modular exponentiation computation, "  " denote the time cost of one point multiplication computation on elliptic curve, '  " denote the time of one hash function computation, and "  " denote the time of one symmetric encryption/decryption operation.According to [24],   ≈ 1.169,   ≈ 0.508,   ≈ 0.069, and   ≈ 0.069.Moreover, we only evaluate the computation cost of the authentication and key exchange phase because the registration phase is a one-time job.In terms of communication cost, we assume the length of the identity is 32 bits, the secure parameter  is 160 bits, the length of the timestamp is 64 bits, an element of cyclic group of ECC can be represented with 320 bits, and an element of cyclic group of RSA can be presented with 1024 bits.We also instantiate the signature scheme using the famous ECDSA signature scheme [25].The performance of communication and computation is summarized in Table 2.We can see from Table 2 that our protocol is inefficient in terms of computation.However, the communication performance of the compared protocols is more or less the same.The computation cost of our protocols mainly arises from the strong user anonymity; i.e., no one except the user knows his real identity in our protocol, while the gateway node knows the user's real identity in other protocols.Table 3 summarizes security properties of the proposed protocol with related protocols.It can be seen from Table 3 that our protocol provides all the security features.Moreover, our protocol is the only one which provides strong user anonymity and formal security proof.Considering the computation cost, communication cost, and security attributes as a whole, our protocol outperforms to other protocols.Consequently, the proposed protocol is more suitable for security and privacy critic applications scenarios in WSNs.

Figure 1 :
Figure 1: Registration phase of mobile user.

Figure 2 :
Figure 2: Authentication and key exchange phase.
,   ,    ): the execution query captures the passive eavesdrop ability of A. In reply to this oracle query, A will get all the transcripts of the authentication instance executed among a user instance   , a gateway node instance   , and a sensor node instance    .(ii) (  , ): the send query captures the active attack ability of A. Through the (  , ) query, A sends a modified or forged message  to instance   in the name of another participant instance.(  ): this query captures the compromise of a sensor node   .The adversary A will get the secret key and control the sensor node through this query.

)
[23]riment  4 .In this experiment, we begin to deal with the active sessions.For a (, (,   )) query, if the signature   is a valid signature for this active session, we simply terminate the simulation and let the adversary win.Since the user  is honest in this session, the message (, ,  1 ,   ,   ) is generated by the user .Besides, we cancel the experiment in which the collision occurs in the output of the hash functions and the transcripts in  2 , so the signature   is valid if it is a signature for the random number   .The adversary wins the game in this experiment if and only if a new signature is forged.The signature scheme used in our protocol is existential unforgeable against the chosen message attacks, so the advantage of the adversary A in forging a signature for a new random number is negligible.Experiment  5 .In this experiment, we continue to deal with the active sessions.For a (, (  , ,    , ℎ   )) query, if the sensor node   is uncorrupted, the timestamp    is within the transmission delay and ℎ   is a valid authenticator; then we simply terminate the simulation and let the adversary win the attack game.Since the sensor node   is uncorrupted, the symmetric key  (,  ) is unknown to the adversary.Moreover, the timestamp    makes the replay attack impossible.The adversary can only produce a valid authenticator ℎ   by issuing a query ( (,  ) , , ,   ,    , ) to the hash oracle  5 or the adversary correctly guesses the output of the hash function  5 without asking the corresponding message.(,  ) and ℎ   are two random values chosen from {0, 1}  ; the success probability of the adversary is negligible.Consequently we have the following equation: Experiment  6 .In this experiment, we deal with the active sessions once again.For a (  , (, ,   , ℎ  )) query, if the timestamp   is within the transmission delay and ℎ  is a valid authenticator, then we simply terminate the simulation and let the adversary win the attack game.Since the gateway node is not allowed to be corrupted, the symmetric key  (,  ) is unknown to the adversary and the timestamp   ensures the adversary cannot replay an old authenticator.The adversary can only produce a valid authenticator ℎ  by issuing a query ( (,  ) , , ,   ) to the hash oracle  4 or the adversary correctly guesses the output of the hash function  4 without asking the corresponding message.(,  ) and ℎ   are two random values chosen from {0, 1}  ; the success probability of the adversary is negligible.Similarly with the previous experiment, we have the simulation and the adversary is claimed successful.However, the success probability of the adversary in producing a fake proof is bounded by the presentation of an algebraic MAC.With a similar analysis with[23], we get the following result:     V 7 (A) − V 6 (A)     ≤  () .
Experiment  7 .In this experiment, we change the simulation rule of  queries for the last time.For a (, (, , ,  1 ,   ,   )) query, the gateway node will first check the validity of the credential proof.If the credential proof is valid and the message is forged by the adversary, we then terminate