An Identity-Based Anonymous Three-Party Authenticated Protocol for IoT Infrastructure

The rapid advancement of wireless sensor and cellular networks has established a firm foundation for the Internet of Things (IoT). IoT has become a new paradigm that incorporates various physical objects by allowing them to collaborate with each other. A large number of services and applications are emerging in the field of IoT, including healthcare, surveillance, industry, transportation, and security. A service provider (SP) offers several services that are accessible through smart applications at any time and from anywhere via the Internet. Due to the open nature of mobile communication and the Internet, these services are extremely susceptible to various malicious attacks, e.g., unauthorized access by malicious intruders. A robust authentication scheme is therefore the best way to overcome these weaknesses. In this article, we introduce a lightweight identity-based remote user authentication and key agreement scheme for the IoT environment that enables secure access to IoT services. Our scheme uses lightweight elliptic curve cryptography (ECC), hash operations, and XOR operations. Theoretical analysis and a formal proof demonstrate that our scheme resists several security attacks. Performance evaluation and comparison of our scheme with several related schemes for the IoT environment are carried out using the PyCrypto library on Ubuntu and on mobile devices. The performance analysis shows that our scheme has trivial storage and communication cost. Hence, the devised scheme is more efficient not only in terms of storage, communication, and computation overheads but also in providing sufficient security against various malicious attacks.


Introduction
In the last few years, wireless networks have experienced tremendous growth. Nowadays, there are enormous networks ranging from cellular systems to infrastructure-less wireless systems such as sensor networks, mobile ad hoc networks, and the Internet of Things (IoT). Communication security is the key element for the success of wireless sensor applications [1,2], especially for sensitive applications that work in mission-critical and hostile areas. Therefore, the provision of reliable and efficient security in wireless networks has always been a challenging task due to various malicious attacks and the resource-constrained environment. The hasty development of wireless communication and information technologies leads to a dramatic evolution of the Internet of Things (IoT), which is the combination of smart services and technologies that renders mutual communication among devices and users through the Internet. Since all data is shared between sensing devices and remote users via a network, it is necessary to design an efficient, secure, and lightweight remote-user authentication solution for an IoT environment. As far as the privacy and security of the network are concerned, mutual authentication is considered a key element for safely accessing various IoT services. Hence, remote-user authentication becomes a vital component of various valuable services in mobile networks.
Besides confidentiality and authenticity, the exclusive features of online valuable services raise various security questions for remote authentication. In a mobile network environment where several invisible devices gather the client's identity information, client anonymity is required to make sure that the identity of the requesting client is known only to the requested service provider (SP) and the client [3][4][5]. At the same time, even when client anonymity is provided, the SP wants nonrepudiation from the client so that clients cannot deny the charges for the services they requested. Efficiency in terms of both computation and communication is crucial for such remote-user authentication schemes, especially for IoT infrastructure.
The earliest schemes employed conventional public key cryptography (PKC) [6][7][8][9][10]. In these schemes, clients authenticate themselves to service providers using their signature. To hide the real identity of the clients from eavesdroppers, the client's signature and identifier are encrypted using a secret key shared between the SP and the client. The certificate of the client's public key needs to be delivered to the SP to enable signature verification. A considerable disadvantage of this approach is the on-demand verification and transmission of public key certificates, which causes authentication latency [11] and wastes bandwidth. In addition, attaining client anonymity requires encryption, which adds to the scheme's complexity. In order to remove the drawbacks due to public key certificates, modern remote-user authentication schemes employ an identity-based cryptosystem (IBC) [12][13][14][15][16].
IBC is another form of PKC. The IBC concept was introduced by Shamir [17] in 1984 and evolved swiftly after Franklin and Boneh's first provably secure identity-based encryption using pairings [18]. In the IBC concept, the identity (ID) of the client serves as the client's public key, and the private key generator (PKG) generates the private key. In IBC, the public/private key pair is derived from the user's credentials such as phone number, name, or email. Using the user's unique credential or identity, the public key can be determined easily, whereas the private key generator is responsible for generating private keys. For communicating entities, PKG generates identity-based certificates and forwards them to the other communicants. Users involved in communication can perform encryption, generate signatures, and communicate with other users once they receive their identity-based key certificates. IBC ensures the effortless production of public and private keys. IBC removes the verification and transmission of public key certificates; therefore, it has become a compelling substitute for conventional PKC [19]. Thus, IBC is efficient in terms of storage and transfer of certificates/public keys in comparison with the classical public key infrastructure, which is why IBC has proved appealing for resource-constrained environments. The main advantages of IBC are that no certificates and no preenrollment are needed. In a traditional public key cryptography system, if a key is compromised, then the keys need to be revoked. IBC also allows postdating, i.e., messages can be encrypted for decryption at a future time.
In identity-based remote-user authentication schemes, the client produces an authenticator using his identity-based private key. The client is authorized by the SP only if verification of the client's authenticator yields a positive result. However, many issues still need to be resolved satisfactorily: (i) only some identity-based remote user authentication schemes consider the demand for client anonymity; (ii) many of those schemes introduce an identity-based signature (IBS) solution and then use it as the client's authenticator, but it remains unclear why the introduced IBS is employed rather than other existing IBS schemes; and (iii) no thorough quantitative argument has been given about the performance merits of such identity-based schemes over the former PKC-based schemes. Aiming to resolve the abovementioned problems, in this article we propose an identity-based remote-user authentication scheme that targets the delivery of valuable services in mobile networks. The novelty of the proposed scheme lies in its way of realizing the client's privacy without any encryption operation.

Motivation.
IoT serves society with various opportunities in major fields of life, i.e., agriculture, warehousing, healthcare, and industry, that are accessible to everyone with flexibility and ease. However, this hasty development leads to the evolution of several challenges. Therefore, the fundamental motivational factors of our scheme are listed below:
(i) IoT-based sensing devices have limited resources such as memory, power, and battery. Therefore, an authentication scheme should have low communication and computation overheads.
(ii) Malicious attacks such as impersonation, replay, denial of service, and man-in-the-middle attacks have become enormous. Therefore, in order to resist such attacks, the design of a secure remote-user authentication scheme is the key necessity.
(iii) Furthermore, because components of IoT devices such as actuators and sensors deal with crucial user data, IoT-based applications must provide more safety and security.

1.2. Our Contribution. In this article, we have proposed an identity-based anonymous three-party authenticated protocol for IoT infrastructure. The main contributions of this article are as follows:
(1) We have presented a three-party identity-based authentication for secure communication among users in an IoT infrastructure. The proposed identity-based scheme is designed using simple operations such as XOR, hash, and point multiplication.
(2) The proposed protocol enables mutual authentication between users and gateway for establishing and sharing the session key.
(3) The user's personal credentials such as email and phone are used to generate a public key.
(4) The proposed scheme ensures the secrecy of identity such that the identity is only revealed to the gateway for authentication purposes. No adversary can get the identity.

Journal of Sensors

1.3. Paper Organization. The rest of the paper is organized as follows. The related work is discussed in Section 2. The preliminaries related to our paper are presented in Section 3. The generic security issues in IoT architecture are delineated in Section 4. Our introduced scheme and its detailed description are given in Section 6. Section 7 presents the respective security analysis formally and informally. Thereafter, a performance comparison is highlighted in Section 8. In the end, concluding remarks are given in Section 9.

Related Work
The password-based authentication key exchange (PAKE) scheme [20][21][22][23][24][25][26] is one of the most widely known authentication key exchange (AKE) schemes, which can also be divided into three-party [27][28][29][30], two-party, and other variants. Among the AKE schemes, the password-based three-party authentication key exchange (3PAKE) scheme has the features of easy system maintenance, simple passwords, and strong expansibility. The 3PAKE scheme is extensively used in modern communication networks. However, a password is a low-entropy secret value and is prone to password guessing attacks, due to the built-in issues related to passwords. Therefore, because of the various problems faced by PAKE schemes, this paper reviews the identity-based schemes and introduces a three-party identity-based authentication key exchange scheme for enhancing security. Identity-based cryptography (IBC) [17] was developed in order to mitigate various issues associated with conventional public key cryptography and PAKE schemes. IBC applies the attributes of the user such as phone numbers or email addresses as public keys in order to diminish the difficulty of digital certificates, while the private key generator (PKG) creates the private keys. Therefore, the user's key is identified by the user's identity and does not need to be revoked. Since then, the utilization of IBC has remained popular for designing remote user authentication schemes. So, we review various identity-based schemes in order to find the research gap and security issues in the different infrastructures of the Internet of Things (IoT) such as edge and fog computing.
Roman et al. [31] presented the comparative summary of various security issues, challenges, and appropriate solutions for mobile edge computing (MEC) and fog computing. The readers who are interested in the details of privacy and security problems in the environment of fog computing for IoT, MEC, and mobile cloud computing (MCC) can consult [32][33][34][35], respectively. The literature emphasized the requirement of a secure mechanism for authentication. Yang and Chang [36] proposed an identity-based authentication key agreement (AKA) scheme using elliptic curve cryptosystem (ECC) for mobile devices. However, Yoon and Yoo [37] analyzed that the scheme [36] cannot resist masquerading attack and does not offer perfect forward secrecy. A pairing-free AKA scheme based on identity is introduced by Cao et al. [38] with a minimum exchange of messages. However, Cao et al. [38] fail to offer the user untraceability and anonymity like Yang and Chang's scheme.
Tsai and Lo [39] introduced another authentication scheme based on identity for the distributed services of MCC. Their scheme uses bilinear pairing which causes high computation, but bilinear computation is performed by the server, which has usually more computing power. However, Jiang et al. [40] analyzed that a server impersonation attack cannot be resisted by their scheme [39], and also, it does not offer an appropriate mechanism of mutual authentication. Jiang et al. did not propose any improved solution, although various solutions were proposed in [41,42].
Yang et al. [43] introduced an ECC-based scheme having the features of user untraceability and anonymity for the MCC environment. In their scheme, a number of pseudo-IDs are assigned to a user, and each pseudo-ID is assigned a family of secret keys. The Access Service Network Gateway (ASN-GW) executes the key predistribution process. However, for each registered user, the ASN-GW has to generate a large number of pseudo-IDs. So, the corresponding secret keys and many pseudo-IDs need to be stored by the mobile user, which is impractical due to the constrained resources of mobile devices and also raises scalability issues.
Ibrahim [44] introduced an authentication scheme for the environment of fog computing, in which fog node and fog user authenticate each other. In their scheme [44], the public key infrastructure (PKI) is used to establish the secure communication channel between mobile users and registration authority, while symmetric encryption is utilized to protect the communication between fog nodes and mobile users. In their scheme, all the fog users' pregenerated secret keys are required to be stored by fog node which is also infeasible. Moreover, untraceability and anonymity are not guaranteed by their scheme. A mobile user authentication scheme is introduced by He et al. [45] for multiserver infrastructure. Their scheme uses self-certified public key cryptography which is basically identity-based cryptography. In 2017, a privacy-aware authentication scheme is introduced by Xiong et al. [46] for MCC services.
In 2019, Zhu and Geng [47] presented a three-party dynamic identity-based key exchange scheme. In 2019, Renuka et al. [48] cryptanalyzed a three-factor authentication scheme devised by Das et al. [49], found attacks such as node capture, user phishing, and denial of service, and presented an enhanced three-factor authentication scheme. Many other three-party schemes for the IoT environment have been presented [50,51] but still lack major security features and are not suitable for resource-constrained environments. In 2020, Ramadan et al. [52] presented an identity-based authentication scheme for 5G systems. Kumar et al. [53] proposed an identity-based authentication scheme for cloud computing in 2020. Recently, Farjana et al. [54] presented identity-based schemes; moreover, many other schemes [55][56][57][58][59][60] have been presented recently. In general, the design of efficient and secure identity-based authentication schemes is still a challenging task. In this article, we propose an identity-based lightweight remote user authentication scheme for the IoT infrastructure in order to offer secure and efficient communication, so that the flaws in the discussed literature can be minimized.

Preliminaries
This section reviews the preliminaries of the work: elliptic curve cryptography, one-way hash functions and collision resistance, identity-based cryptography, and the threat model. The common notations used throughout the research work are listed in Table 1.

Elliptic Curve Cryptography (ECC).
There are many public key cryptography techniques such as Rivest Shamir Adleman (RSA), Diffie Hellman, and the Digital Signature Algorithm (DSA). The majority of these techniques are computationally heavy. The robustness of an ECC system rests on the hardness of the ECDLP (Elliptic Curve Discrete Logarithm Problem). ECC is based on random points chosen on an elliptic curve $E_p(e, f): h^2 = g^3 + eg + f \pmod p$, where $e, f \in Z_p$ and $4e^3 + 27f^2 \bmod p \neq 0$ for a large prime $p$. The curve is defined by the two parameters $e, f$, and a point $(g, h)$ lies on $E_p(e, f)$ if it satisfies this equation. Scalar multiplication is achieved through repeated addition, $qS = S + S + \cdots + S$ ($q$ times), where $S$ is a point on $E_p(e, f)$ and $q \in F_p$. The field parameters $(p, e, f, S, q)$ belong to the field $F_p$.

Definition 1. Discrete logarithm problem aimed at ECDLP.
Given two random points $S, R \in E_p(e, f)$, calculate a scalar $q$ such that $S = qR$. The advantage of $U_{Aadv}$ within polynomial time $t$ is given as: $\mathrm{Adv}^{ECDLP}$

3.2. One-Way Hash Function. A hash function produces an output $f$ of fixed size from an arbitrary argument or string $y$ of any size, $f = h(y)$. A small change in $y$ makes a huge difference in the resulting $f$. A secure hash function should satisfy the following properties:
(1) If $y$ is given, then it is easy to calculate $f = h(y)$.
(2) If $f = h(y)$ is given, then it is computationally infeasible to find $y$.
(3) If $h(y_1) = h(y_2)$ is given, then it is a hard task to find the specific inputs $y_1, y_2$. This property is also referred to as collision resistance.

Definition 2. Collision resistance characteristics aimed at hash function.
A hash function $h(\cdot)$ is secure under the predefined collision resistance. The probability that an adversary $U_{Aadv}$ finds a pair $(y_1 \neq y_2)$ with $h(y_1) = h(y_2)$ is defined as $\mathrm{Adv}^{hash}_{U_{Aadv}}(t) = \Pr[(y_1, y_2) \xleftarrow{r} U_{Aadv} : (y_1 \neq y_2) \text{ and } h(y_1) = h(y_2)]$, where $U_{Aadv}$ is allowed to select the pair $y_1, y_2$ randomly.
The advantage of $U_{Aadv}$ is determined over random selection in polynomial time $t$. Collision resistance is stated as $\mathrm{Adv}^{hash}_{U_{Aadv}}(t) \leq \epsilon$, where $\epsilon > 0$ is a sufficiently small value.
3.3. Identity-Based Cryptography (IBC). IBC was introduced by Shamir in 1984 [17]. It is one of the types of public key cryptography. IBC has the following properties:
(1) Identity-based cryptosystems use the user's personal credentials such as email, name, or phone number to derive public/private keys.
(2) The public key is generated from the user's predefined identity or personal credentials.
(3) Third parties or trusted authorities acting as PKG are responsible for the generation of private keys.
(4) PKG generates identity-based certificates, and using these certificates, encryption, digital signature generation, and mutual authentication are performed.

Threat Model.
(1) U_Aadv has full control over the public channel

Security Issues in IoT
In the design of IoT applications, security is the most important consideration. Therefore, the major challenge that requires serious attention is providing strong security for IoT. IoT has a very bright future in the Internet world. Thus, for the realization of the services of modern technologies and their benefits, security requirements such as authentication and privacy are very important. Therefore, the following issues must be handled with care.

Common Vulnerabilities in IoT Architecture.
IoT devices deployed in unattended environments require active inspection of every feasible condition in which an attacker can attack them. Based on detailed scrutiny, we summarize the vulnerabilities of IoT as follows:
(i) Impersonation Attack. A malicious attacker can masquerade as a service provider or a user by replaying an authentic request from an old transmission between two legal entities. Therefore, the attacker can enjoy the same services as a legitimate user or service provider.
(ii) Denial of Service Attack. The attacker by flooding the network with previous login requests or information exchanged between two entities can reduce the network's performance and can make the services unavailable.
(iii) Eavesdropping Attack. The attacker can listen to private communication on a public channel and can misuse it later to attack a user or server.
(iv) Man-in-the-Middle Attack (MITM). The adversary can forge the messages exchanged between the gateway and user and, using this information, later impersonate a legal gateway/server or user using different techniques.
(v) Parallel Session Attack. An attacker can eavesdrop on the messages exchanged within the IoT system and then attempt to generate a session to get the old data.
(vi) Gateway Node Bypassing Attack. To obtain sensitive IoT information and services without authentication by the gateway, an attacker can try to access the system by bypassing the gateway.
(vii) Stolen Smart Device Attack. An attacker can derive the user's personal data from smart devices and utilize it later to impersonate as a legitimate user of the network.
(viii) Offline Guessing Attack. Using an offline dictionary attack, the adversary can attempt to get access to the system of IoT by guessing all possible passwords.

Security Feature Requirements in IoT.
Many security features must be incorporated when designing authentication schemes. The following is a list of important security features that should be considered in designing an efficient and secure scheme.
(i) User Anonymity. The participant's identity must be protected even if an attacker eavesdrops on and intercepts messages during the login and authentication stage. If the identity is revealed, the attacker can misuse it and the user's privacy is breached.
(ii) Mutual Authentication. Two participating entities must mutually authenticate each other to avoid security threats.
(iii) Availability. Whenever a user requires to access the system, all IoT resources should be available.
(iv) Confidentiality. The user's personal and sensitive information must be protected and should be visible only to legitimate users.
(v) Scalability. The authentication system must be responsive to modifications occurring in the network and should be able to grow dynamically according to the changes that take place.
(vi) Forward Secrecy. In any authentication scheme, access to entities is granted by sharing the session key. Therefore, old session keys cannot be used to initiate a new session.
(vii) Resistance to Attacks. A secure authentication scheme must resist the major security threats such as the Distributed Denial of Services (DDoS), MITM, impersonation, and stolen verifier attack.

System Setup
In an IoT infrastructure, the gateway plays an important role in ensuring security in the network. Our presented model consists of two kinds of participants, IoT nodes and the gateway, as shown in Figure 1. In general, IoT nodes have limited resources in terms of computation, communication, and power. The IoT nodes aim to communicate with each other after authenticating via a trusted gateway. As in Figure 1, IoT node (1) and IoT node (a) initiate a session by sending a login request to the gateway. The gateway is responsible for establishing secure communication between IoT nodes. Once the IoT nodes are authenticated by the gateway, they can securely communicate with each other. Due to the public nature of the channel and their limited resources, the IoT nodes face several security and privacy challenges. The generic three-party IoT infrastructure for remote-user authentication is demonstrated in Figure 1. Suppose a remote user wants to communicate with another remote user; then they both have to pass the authentication process. For this purpose, each entity is verified through the gateway node GWN. If both entities have been authenticated, the GWN sends a challenge message to both entities. Upon receiving the challenge message, each entity authenticates the GWN and computes a session key. In the end, both users agree on this common shared session key.

The Proposed Scheme
In this section, we elaborate on our proposed identity-based scheme, which upholds user anonymity, user untraceability, perfect forward secrecy, key agreement, and mutual authentication. The introduced scheme comprises two phases: the registration phase (Section 6.1) and the login and authentication phase (Section 6.2). These two phases are described below in detail.
6.1. Registration Phase. If a user U_a wants to communicate with another user U_b, then they both have to pass the authentication process. For authentication, each entity is verified by GWN. If both entities are authenticated, then they can share the session key. The complete registration process of user U_i in the proposed scheme is described in detail in this subsection; Figure 2 shows the registration phase. The registration process consists of the following steps:
RG-Step 1. U_i chooses his/her ID_i and an arbitrary number l_i1.
RG-Step 2. Upon receiving the registration request (ID_i, h(ID_i ⊕ l_i1)) from U_i, GWN calculates the following values:
RG-Step 3. On receiving Y_i from GWN, U_i calculates the following values:
After calculating these values, U_i stores {A_i, Y_i, Z_i} in TPM_i.

Login and Authentication Phase.
The complete process of login and authentication of the introduced scheme, as presented in Figure 3, is elaborated in this subsection and consists of the following steps:
AT-Step 1. Both U_a and U_b input their identities (ID_a, ID_b), respectively. Then, U_a calculates the following values on the basis of the credentials stored in the tamper-proof on-board memory TPM_i of the mobile device [62,63]:
U_a further generates a random number l_a2 and calculates the following values:
Meanwhile, U_b calculates the following values on the basis of the credentials entered during the registration process:
Further, U_b generates a random number l_b2 and computes the following values:
After calculating these values, U_a and U_b send the login requests {auth_a, Q_a, PID_a} and {auth_b, Q_b, PID_b}, respectively, towards the gateway.
AT-Step 2. After receiving the login request from U_a, the GWN calculates the following values for U_a: xQ_a = l_a2·xG = l_a2·Pub,
It also calculates the following values for U_b upon receiving its login request:
Further, the GWN generates l_GWN and calculates the following values:

[Figure 3: login and authentication phase among U_a, GWN and U_b. Recoverable content: U_a generates a random number l_a2, Q_a = l_a2·G, PID_a = (ID_a ‖ MID_b) ⊕ l_a2·Pub, auth_a = h(ID_a ‖ MID_b ‖ ID_GWN ‖ V_a); GWN generates l_GWN, M_GWN = (ID_GWN ‖ x ‖ l_GWN); U_b generates a random number l_b2.]
AT-Step 3. After the calculation of the above values, GWN sends {auth_GWN1, Q_b, N_GWN1} and {auth_GWN2, Q_a, N_GWN2} to U_a and U_b, respectively. U_a then calculates the following values along with the session key:
Also, U_b, on the basis of the received parameters {auth_GWN2, Q_a, N_GWN2}, calculates the following values along with the session key:
Finally, GWN computes the shared session key as:
Hence, both entities U_a and U_b authenticate themselves via GWN and consequently share a session key for subsequent communication.
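As an added illustration (not code from the paper), the following Python models AT-Steps 1 and 2 as described above and exercises the anonymity, untraceability and tamper-detection arguments of Section 7.1: U_a masks ID_a ‖ MID_b with l_a2·Pub, and GWN unmasks it with x·Q_a = l_a2·Pub before recomputing auth_a. Where the page is silent the choices are marked ASSUMPTION: secp256k1 stands in for E_p(e, f), SHA-256 is h(·), a curve point is reduced to a bit string by hashing its x-coordinate, MID_i = h(ID_i ‖ x), V_i = h(x ‖ MID_i) is handed to U_i at registration, and the sample identities and MID_b are constructed.

```python
import hashlib
import hmac
import secrets

# secp256k1, a standard curve, stands in for E_p(e, f): h^2 = g^3 + E*g + F mod P
P = 2**256 - 2**32 - 977
E, F = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
ID_LEN = 16            # constructed: identities are padded to 16 bytes
ID_GWN = b"GWN-01"     # constructed sample gateway identity

def point_add(p1, p2):
    """Affine point addition on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + E) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(q, S):
    """qS = S + S + ... + S (q times), computed by double-and-add."""
    R = None
    while q:
        if q & 1:
            R = point_add(R, S)
        S = point_add(S, S)
        q >>= 1
    return R

def h(*parts):
    """h(.) is SHA-256; ‖ is plain concatenation of byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()

def i2b(n):
    return n.to_bytes(32, "big")

def pad(point, length):
    # ASSUMPTION: the page writes (ID_a ‖ MID_b) ⊕ l_a2·Pub but does not say how
    # a curve point becomes a bit string; we expand its x-coordinate with SHA-512.
    return hashlib.sha512(i2b(point[0])).digest()[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mid(ident, x):
    # ASSUMPTION: MID_i = h(ID_i ‖ x), so GWN can recompute it from ID_i without
    # keeping an identity table, as Section 7.1.8 claims.
    return h(ident, i2b(x))

def register(ident, x):
    """Registration over the private channel: U_i receives V_i = h(x ‖ MID_i).
    ASSUMPTION: V_i is among the credentials U_i stores for the login phase."""
    return h(i2b(x), mid(ident, x))

def user_login_request(ID_a, MID_b, V_a, Pub):
    """AT-Step 1 for U_a: fresh l_a2, Q_a = l_a2·G, masked identity, authenticator."""
    l_a2 = secrets.randbelow(N - 1) + 1
    Q_a = scalar_mult(l_a2, G)
    plain = ID_a + MID_b
    PID_a = xor(plain, pad(scalar_mult(l_a2, Pub), len(plain)))
    auth_a = h(ID_a, MID_b, ID_GWN, V_a)          # h(ID_a ‖ MID_b ‖ ID_GWN ‖ V_a)
    return auth_a, Q_a, PID_a

def gateway_verify(auth_a, Q_a, PID_a, x):
    """AT-Step 2 at GWN: x·Q_a = l_a2·Pub unmasks PID_a; auth_a is then recomputed."""
    plain = xor(PID_a, pad(scalar_mult(x, Q_a), len(PID_a)))
    ID_a, MID_b = plain[:ID_LEN], plain[ID_LEN:]
    V_a = h(i2b(x), mid(ID_a, x))                   # V_a = h(x ‖ MID_a)
    ok = hmac.compare_digest(auth_a, h(ID_a, MID_b, ID_GWN, V_a))
    return ok, (ID_a if ok else None)

def demo():
    """Two honest requests and one tampered request; returns the checks as booleans."""
    x = secrets.randbelow(N - 1) + 1                # GWN private key
    Pub = scalar_mult(x, G)                         # Pub = xG
    ID_a = b"node-a".ljust(ID_LEN, b"\0")           # constructed identities
    ID_b = b"node-b".ljust(ID_LEN, b"\0")
    V_a = register(ID_a, x)
    MID_b = mid(ID_b, x)    # constructed: how U_a learns MID_b is not on the page
    req1 = user_login_request(ID_a, MID_b, V_a, Pub)
    req2 = user_login_request(ID_a, MID_b, V_a, Pub)
    ok, who = gateway_verify(*req1, x)
    fresh_pid = req1[2] != req2[2]                  # Sec. 7.1.5: PID_a changes per session
    flipped = xor(req1[0], b"\x01" + b"\0" * 31)    # Sec. 7.1.11: one bit of auth_a altered
    ok_tampered, _ = gateway_verify(flipped, req1[1], req1[2], x)
    return ok, who == ID_a, fresh_pid, not ok_tampered
```

Calling demo() returns (True, True, True, True): the honest request verifies and yields ID_a, the two sessions carry different PID_a values, and the altered authenticator is rejected.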

Security Analysis
This section presents the formal and informal security analysis of the proposed scheme. We have used Real-Or-Random (ROR) [64] in order to prove the security of the proposed scheme. Furthermore, informal security analysis shows that the proposed scheme provides resilience against all known attacks.
7.1. Informal Security Analysis. The security of the proposed scheme is analyzed informally in this section. The informal security analysis represents the proposed scheme's correctness and ensures that it resists various attacks.
7.1.1. Identity Security. The abundance of resource-constrained devices in advanced communication infrastructures has made existing protocols incompatible with diverse real-time applications like IoT and smart grid. Therefore, the demand for lightweight solutions is at its peak, and IBC is one of them. It is a new way to solve these problems without any complex computation, which is why it has grabbed the attention of researchers. For achieving confidentiality, the personal information used for identification should be sent via a secure channel. Each U_i holds the private key corresponding to his/her own ID_i. Identity security also includes the availability of identity: even if a U_i's identity is revoked by GWN, U_i retains control over his/her ID_i and the relevant claims, which means that U_i can still use his/her ID_i in other applications.

Key Agreement.
After completing the successful process of mutual authentication, a common session key SK is shared between the users. This shared session key is established as SK_ab = h(MID_a ‖ MID_b ‖ ID_GWN ‖ k). Hence, our scheme offers successful key agreement.

User Anonymity.
During the login and authentication stage, the identity ID_a of user U_a is not transmitted in plain text; instead, the pseudo-identity PID_a is sent over the public channel. Furthermore, the identity of U_a is not stored in the tamper-proof on-board memory/storage. That is why an adversary cannot retrieve the identity of U_a without having the private key. So, our proposed scheme provides user anonymity.
7.1.5. User Untraceability. During the design of an authentication scheme, untraceability is considered an important factor. The proposed scheme provides user untraceability because in each login session U_a computes a unique PID_a: U_a never transmits the same dynamic identity, since a session-specific random number is used to calculate PID_a every time. So, no adversary can tell whether two different sessions were established by the same user or by different users.
7.1.6. Perfect Forward Secrecy. In our introduced scheme, even if U_Aadv is able to learn secret parameters such as the secret key of GWN, he cannot determine former session keys. In the proposed scheme, the arbitrary numbers {l_a1, l_a2} are used to compute the valid value of k that is further used in the computation of SK_ab. Due to the usage of random numbers, different session keys are generated in each session. So, even after getting the secret parameter, the adversary cannot guess the previous session keys.

Backward Secrecy.
In the introduced scheme, if U A adv is able to find the secret parameters of GW N , even then, he cannot find the future sessions. In the proposed scheme, the calculation of valid Sk ab requires arbitrary number fl a1 , l a2 g. Due to these random numbers, the session key is specific for every session; thus, U A adv cannot find future session keys.
7.1.8. Privileged Insider and Stolen Verifier Attack. During the registration phase, U i transmit ID i and l i1 through the private channel to GW N , where arbitrary number l i1 is generated by U i . Furthermore, for U i ' s identity, no table is preserved, for authentication GW N uses x his secret key. Thus, no insider U A adv can get access to the user's identity and credentials. Hence, the introduced scheme resists stolen verifiers and privileged insider attacks.
7.1.9. User Masquerading Attack. Suppose $U_A^{adv}$ tries to masquerade as a legal user $U_a$ by sending a legal login request message to $GWN$ on behalf of $U_a$. In order to produce an original login message $\{auth_a, Q_a, PID_a\}$, the adversary needs to calculate a valid $auth_a = h(ID_a \| MID_b \| ID_{GWN} \| V_a)$. This is not possible because $U_A^{adv}$ does not know $ID_a$ of $U_a$. Likewise, the other user is also protected from impersonation by an adversary. So, the proposed scheme can withstand the user masquerading attack.
7.1.10. GWN Masquerading Attack. Suppose an attacker $U_A^{adv}$ tries to impersonate the legal server $GWN$ by sending a legal challenge message to the user on behalf of $GWN$. In order to produce an original challenge message $\{auth_{GWN}, Q_a, N_{GWN}\}$, the adversary needs to calculate a valid $auth_{GWN1} = h(ID_a \| ID_{GWN} \| V_a \| M_{GWN})$. However, this operation is computationally expensive because determining $V_a = h(x \| MID_a)$ requires the private key of $GWN$. So, the proposed scheme can withstand the GWN masquerading attack.

7.1.11. Man-in-the-Middle Attack (MITM). Suppose $U_A^{adv}$ forges the login message $\{auth_a, Q_a, PID_a\}$ sent by $U_a$ to $GWN$; any tampering with the login request message will still be identified easily when $auth_a = h(ID_a \| MID_b \| ID_{GWN} \| V_a)$ is checked, because producing it requires the user's identity, which is unknown to the adversary. Likewise, the other user is also secure against this attack. So, the proposed scheme is secure against MITM.

7.1.12. Replay Attack. If $U_A^{adv}$ intercepts the request message $\{auth_a, Q_a, PID_a\}$ of $U_i$ and later replays the intercepted message, the replay fails because the calculation of $Q_a$ and $PID_a$ includes a session-specific random number $l_a$. Because of this random number, the values of these entities will always differ from session to session. Hence, a replay attack is not possible on the proposed scheme.
7.1.13. Parallel Session Attack. Suppose $U_A^{adv}$ tries to construct a parallel session of the scheme. This is not possible in the proposed scheme because a unique identity is utilized. Therefore, $U_A^{adv}$ cannot run even one valid session to masquerade as a legitimate user. Thus, a parallel session attack is efficiently resisted by the proposed scheme.
7.1.14. No Clock Synchronization. In the proposed scheme, session-specific random numbers are used in every session instead of a time stamp. So, no clock synchronization is required.
7.2. Formal Security Analysis. In this subsection, we prove that our scheme is AKA-secure if the ECDHP is a hard problem. We present this proof under the BRP [64,65] and Abdalla et al.'s [66] security model.

Theorem 2.
Let the proposed scheme be denoted as $P_p$. If $U_A^{adv}$ is an attacker who makes at most $q_{send}$ Send queries, $q_{rvl}$ Reveal queries, $q_{exe}$ Execute queries and $q_{hash}$ Hash queries, and wins the game with advantage $Adv^{AKA}_{P_p}(U_A^{adv})$, then there exists an algorithm that can efficiently solve the ECDHP hard problem on the group $G$ with advantage $Adv^{ECDHP}$

Proof. Suppose that, for the base point $G$ and elliptic group $E_p$, there exists an ECDHP instance $(P, aP, bP)$. We construct a challenger $C_r$ who wishes to calculate $abP$ using $U_A^{adv}$ as a subroutine. The function taken as a random oracle in the proposed scheme is the hash $h(\cdot)$. In order to record the hash queries and their answers, $C_r$ maintains a hash list, referred to as $L_{hash}$. For simplicity, we use three transcripts between the entities, as follows: $m_{U_a} = \{auth_a, Q_a, PID_a\}$, … After simulating the scheme, $C_r$ answers the queries asked by $U_A^{adv}$ as follows:

(i) Hash Query. After receiving a hash query with input $m$ from $U_A^{adv}$, $C_r$ scans $L_{hash}$. $C_r$ returns $r$ to $U_A^{adv}$ if an entry $(m, r) \in L_{hash}$ exists; otherwise, $C_r$ selects $r$ randomly, returns $r$ to $U_A^{adv}$, and adds $(m, r)$ to $L_{hash}$.

(ii) Send Query.
(1) After receiving $Send(U_A^{adv}, Start)$, $C_r$ simulates $U_A^{adv}$'s response as follows: it selects random numbers $l_{a1}, l_{a2}$, computes $Q_a = l_{a2}G$, $PID_a = (ID_a \| MID_b) \oplus l_{a2} \cdot pub$ and $auth_a = h(ID_a \| MID_b \| ID_{GWN} \| V_a)$, and returns $\{auth_a, Q_a, PID_a\}$ as the response.

(2) Upon receiving the query $Send(U_b, (auth_a, Q_a, PID_a))$, assume that $U_b$ is in the correct state. $U_b$'s response is simulated by $C_r$ as follows: it selects random numbers $l_{b1}, l_{b2}$ and computes …

(3) Upon receiving $Send(GWN, (auth_a, Q_a, PID_a))$, suppose that $GWN$ is in the correct state; then the response to the Send query is simulated by $C_r$ as follows: it computes $xQ_a = l_{a2}xG = l_{a2} \cdot pub$, $(ID_a \| MID_b) = PID_a \oplus l_{a2} \cdot pub$, $MID_a = h(ID_a)$, and $auth_a = h(ID_a \| MID_b \| ID_{GWN} \| h(x \| MID_a))$. Furthermore, $GWN$ generates $l_{GWN}$, computes $N_{GWN1} = M_{GWN} \oplus V_a$ and $auth_{GWN1} = h(ID_a \| ID_{GWN} \| V_a \| M_{GWN})$, and responds with $\{auth_{GWN1}, Q_b, N_{GWN1}\}$.
(4) After receiving the query $Send(GWN, (auth_b, Q_b, PID_b))$ and assuming $GWN$ is in the correct state, $C_r$ simulates $GWN$'s response as follows: it computes … and returns $\{auth_{GWN_a}, Q_a, N_{GWN2}\}$ as the response.

(5) In the end, the session key is shared among the participants if the checks $auth_{GWN1} \stackrel{?}{=} h(ID_a \| ID_{GWN} \| V_a \| M_{GWN})$ and $auth_{GWN2} \stackrel{?}{=} h(ID_b \| ID_{GWN} \| V_b \| M_{GWN})$ hold. Otherwise, the session is terminated.

(iii) Execute Query. On receiving the Execute query $(U_a, GWN, U_b)$, $C_r$ simulates the Send queries as above and returns $m^{g}_{U_a}$, $m^{g}_{U_b}$ and $m^{g}_{U_a U_b}$ as the answer.
(iv) Corrupt Query.

(1) On receiving a query $Corrupt(U_i, \{ID_i\})$, $C_r$ responds with $V_i = h(x \| MID_i)$.

(2) On receiving a query $Corrupt(GWN, \{V_i\})$, $C_r$ responds with all the information stored in the tamper-proof onboard storage/memory.

(v) Reveal Query. After receiving a query $Reveal(U_i)$, $C_r$ responds with $SK_{ab}$ if the instance is accepted; otherwise, $\bot$ is returned.
(vi) Test Query. Upon receiving the query $Test(U_i)$, $C_r$ tosses a coin $b \in \{0, 1\}$. The real session key $SK_{ab}$ is returned if $b = 1$; otherwise, a random value of the same size is returned.
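The login request $\{auth_a, Q_a, PID_a\}$ and its check at $GWN$, as described for the masquerading attacks in Sections 7.1.9 and 7.1.10 and as simulated in Send queries (1) and (3) above, as an added example in Go (not the paper's own code). It assumes P-256 for the paper's unnamed curve, SHA-256 for $h(\cdot)$, 32-byte identities, and the point $l_{a2} \cdot pub$ serialised as $X \| Y$ to form the XOR mask; because $l_{a2}$ is fresh each session, $PID_a$ and $Q_a$ change every time, which is the untraceability argument of Section 7.1.5.

```go
package main

import (
	"bytes"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"math/big"
)

// Added example, not the paper's code. Assumptions: P-256 for the unnamed curve, SHA-256
// for h(.), 32-byte identities, and the point l_a2*pub serialised as X||Y (64 bytes).
var curve = elliptic.P256()

// h is the scheme's hash over the concatenation (||) of its arguments.
func h(parts ...[]byte) []byte { d := sha256.Sum256(bytes.Join(parts, nil)); return d[:] }

func pointBytes(x, y *big.Int) []byte { // X||Y, each coordinate left-padded to 32 bytes
	return append(x.FillBytes(make([]byte, 32)), y.FillBytes(make([]byte, 32))...)
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a { out[i] = a[i] ^ b[i] }
	return out
}

// Login is the user's request {auth_a, Q_a, PID_a}.
type Login struct{ Auth, PID []byte; Qx, Qy *big.Int }

// BuildLogin (U_a side): Q_a = l_a2*G, PID_a = (ID_a||MID_b) xor l_a2*pub and
// auth_a = h(ID_a||MID_b||ID_GWN||V_a), where V_a = h(x||MID_a) was issued at registration.
func BuildLogin(idA, idB, idGWN, vA []byte, pubX, pubY *big.Int) Login {
	la2, qx, qy, _ := elliptic.GenerateKey(curve, rand.Reader) // fresh l_a2 and Q_a each session
	mx, my := curve.ScalarMult(pubX, pubY, la2)                  // l_a2*pub
	midB := h(idB)                                                // MID_b = h(ID_b)
	pid := xor(append(append([]byte{}, idA...), midB...), pointBytes(mx, my))
	return Login{Auth: h(idA, midB, idGWN, vA), PID: pid, Qx: qx, Qy: qy}
}

// VerifyLogin (GWN side): x*Q_a = l_a2*pub unmasks ID_a||MID_b; GWN then recomputes
// V_a = h(x||MID_a) and auth_a from its secret x alone, with no stored user table.
func VerifyLogin(x, idGWN []byte, m Login) (idA, midB []byte, ok bool) {
	if len(m.PID) != 64 || !curve.IsOnCurve(m.Qx, m.Qy) { // reject malformed requests
		return nil, nil, false
	}
	mx, my := curve.ScalarMult(m.Qx, m.Qy, x)
	plain := xor(m.PID, pointBytes(mx, my))
	idA, midB = plain[:32], plain[32:]
	expect := h(idA, midB, idGWN, h(x, h(idA)))
	return idA, midB, subtle.ConstantTimeCompare(m.Auth, expect) == 1
}
```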
A game sequence $G_{a0}, G_{a1}, \ldots, G_{a5}$ is defined next. For every game $G_{ai}$, let $S_i$ be the event that $U_A^{adv}$ wins the game, which means that $U_A^{adv}$ predicted $b$ successfully. The games are described as follows.

Game $G_{a0}$. This game is the original attack game constructed under the BRP [64,65] and Abdalla et al.'s [66] security model, where the hash functions are modeled as random oracles. By definition, we get:

Game $G_{a1}$. $G_{a1}$ is similar to $G_{a0}$, the difference being that hash queries are answered by $C_r$ by scanning $L_{hash}$. $G_{a1}$ remains indistinguishable from $G_{a0}$ as long as the queries are answered in the same way as in $G_{a0}$. Hence, we get:

Game $G_{a2}$. $G_{a2}$ is similar to $G_{a1}$, the difference being that the simulation of $G_{a2}$ terminates if either of the following events occurs:

(i) Event_1. Collision of hash queries during the simulation.

(ii) Event_2. Collision in the simulation of the transcripts $m^{g}_{U_a}$, $m^{g}_{U_b}$, $m^{g}_{U_a U_b}$.

By the birthday paradox, we get $\Pr[Event_1] \le q_{hash}^2 / 2^{l+1}$. For the transcript $m^{g}_{U_a U_b}$, the collision probability of Event_2 is $(q_{send} + q_{exe})^2 / 2P^2$, while the probability …

Game $G_{a3}$. $G_{a3}$ is almost the same as $G_{a2}$, the difference being that $U_A^{adv}$ may learn the authentication values $auth_a$, $auth_b$, $auth_{GWN1}$ and $auth_{GWN2}$ without querying the hash oracle. Thus, we get:

Game $G_{a4}$. In $G_{a4}$, $G_{a3}$ is modified as follows:

(i) $U_a$ scans $L_{hash}$ for $ID_a$. If the entries exist, it calculates $\{auth_a, Q_a, PID_a\}$.

(ii) $GWN$ verifies the legitimacy of $U_a$. If it holds, $GWN$ scans the Send list for $\{auth_a, Q_a, PID_a\}$; otherwise, the session aborts.

$G_{a4}$ succeeds if $U_A^{adv}$ guesses the authentication parameters without the hash oracle. So:

Game $G_{a5}$. In $G_{a5}$, $G_{a4}$ is modified as follows:

(i) $U_a$ randomly chooses $l_{a2}$ and computes $Q_a = l_{a2}G$, $PID_a = (ID_a \| MID_a) \oplus l_{a2} \cdot pub$, and $auth_a = h(ID_a \| MID_a \| ID_{GWN} \| Y_a \oplus h(ID_a \| l_{a1}))$, and stores $\{auth_a, Q_a, PID_a\}$ in $L_{hash}$.

(ii) $U_b$ randomly selects $l_{b2}$ and computes $Q_{b2} = l_{b2}G$, …

Now, the updated $G_{a5}$ is indistinguishable from $G_{a4}$ unless $U_A^{adv}$ queries the hash oracle on $abP$, which happens with probability $1/q_{hash}$. So:

Game $G_{a6}$. In this game, if $U_A^{adv}$ makes a hash query for $abP$, the Test query is terminated. The probability of obtaining the session key here is $q_{hash}^2 / 2^{l+1}$, so $U_A^{adv}$ has no advantage in $G_{a6}$. Combining all the equations obtained above gives:

Functionality Comparison and Performance Analysis
In this section, we compare our proposed scheme with the related schemes [67-73] in terms of resource utilization (storage, communication, and computation cost) and security functionality. The detailed description follows.

8.1. Computational Overhead Comparison. We have evaluated our scheme and the related schemes to determine their computational efficiency. For this purpose, we consider the hash function $h(\cdot)$ and point multiplication $PM$. Cryptographic operations at the server end have been implemented on a desktop device, whereas operations at the $U_i$ end are implemented on a mobile device. The specifications of both devices are listed in Tables 2 and 3. The time taken by a hash and a point multiplication on the desktop system is 0.001032 and 0.002672 milliseconds (ms), respectively, whereas on the mobile device a hash and a point multiplication take 4 and 8 ms, respectively. The computation cost of the proposed and related schemes [67-73] is presented in Table 4, which shows that the proposed scheme requires 44.0094 ms for computation; the time required by [67-73] is also given in Table 4.

(Fragment of a comparison table recovered from the page layout; its column header is not recoverable.) [67]: 672; Challa et al. [68]: 1024; Ma et al. [69]: 672; Taher et al. [70]: 1536; Chandrakar and Om [71]: 1856; Lu et al. [72]: 768; Mo and Chen [73]: 2464.
Presenting the Table 4 results graphically, we can observe that the proposed scheme is more efficient in terms of computation than [67,68,71-73] and slightly more expensive than [69,70].
In Figure 4, the vertical axis (Y-axis) shows the time required in milliseconds (ms), whereas the schemes are presented on the horizontal axis (X-axis). Figure 4 visually demonstrates the total time taken for the computation of the operations.

8.2. Communicational Overhead Comparison. In this subsection, we compare our proposed scheme with the related schemes [67-73] in terms of communication cost. The communication structure of the proposed and related schemes [67-73] is shown in Table 5 on the basis of each scheme's architecture. The communication structure in Table 5 shows the way in which the communicating entities interact with each other and how they exchange messages. In Table 5, the symbols denote $U_i$: user, $S_j$: sensor node, TA: trusted authority, CS: server.
Based on the communication structure shown in Table 5, we computed the communication cost presented in Table 6. For a conventional comparison, we assume that identities ($ID_i$, $ID_{GWN}$), random numbers, and point multiplications require 160 bits each, whereas hashes and secret and public keys ($x$, $Pub$) require 256 bits each. The total number of bits required for communication by the proposed scheme is 2016, and Table 6 shows that the proposed scheme requires the fewest bits compared with the related schemes [67-73].
The communication cost stated in Table 6 is graphically presented in Figure 5. The bits required for communication are displayed on the vertical axis (y-axis) and the schemes on the horizontal axis (x-axis). The proposed scheme requires fewer bits for communication than [67-73].

8.3. Storage Overhead Comparison. The number of bits required to store parameters in smart devices (i.e., tamper-proof onboard memory/storage) is referred to as the storage cost. In this subsection, we compare our scheme with the related schemes [67-73] to evaluate storage efficiency. Table 7 depicts the storage cost comparison of the proposed and related schemes. It is evident from the table that the proposed scheme's storage cost is equal to that of [67] and lower than that of [68-73].

The storage cost given in Table 7 is graphically presented in Figure 6. In Figure 6, the vertical axis (y-axis) presents the number of bits, whereas the horizontal axis (x-axis) presents the schemes. Figure 6 clearly shows that the proposed scheme's storage cost is lower than that of [68-73] and equal to that of [67].
8.4. Security Functionality. In this subsection, we discuss the proposed and related schemes in terms of security functionality. It is clear from Table 8 that the proposed scheme provides additional security functionality compared with the related schemes.
Upon evaluating Tables 4 and 6-8, we can state that the proposed scheme is efficient in terms of resource utilization and also provides additional and reliable security features. Thus, minimal resource utilization and enhanced security features make the proposed authentication scheme efficient and suitable for the underlying infrastructure.

Conclusion
We have proposed an identity-based three-party lightweight remote user authentication scheme for an IoT environment. With the help of an informal security analysis, we have demonstrated that the proposed scheme does not let any attacker penetrate the system, and we have shown that it has a robust capability to resist various attacks. In addition, a formal security proof of the proposed scheme is given in the Real-Or-Random (ROR) model; it shows that secure mutual authentication is achieved between the remote users through a gateway in the IoT infrastructure. Furthermore, the storage, computation, and communication costs of our scheme are far lower than those of various related schemes. Hence, our proposed scheme is more efficient and reliable for IoT infrastructure than various existing schemes.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.