An Efficient ECC-Based Authentication Scheme against Clock Asynchronous for Spatial Information Network

With the rapid development of mobile communication technology, the spatial information networks (SIN) have been used for various space tasks’ coverage in commercial, meteorology, emergency, and military scenarios. In SIN, one basic issue is to achieve mutual authentication and secret communication among the participants. Although many researches have designed authentication schemes for SIN, they have not considered the situation where the clock is not synchronized as the broad coverage space in wireless environment. In this paper, we disclose several ﬂaws of Altaf et al.’s scheme (2020), in which the main weakness is that a malicious user can easily obtain the master key of the network control center after launching the oﬄine password-guessing attack. Then, we design an authentication scheme against clock asynchronous for SIN by utilizing elliptic curve cryptosystem (ECC) and identity-based cryptography (IBC). Based on a brief introduction to the main design ideas of our scheme, the security protocol analysis tools of Scyther and AVISPA are used to prove that the scheme can resist various existing active and passive attacks. We further discuss our scheme that provides ﬁve essential requirements of security properties to design a robust scheme for SIN and is superior in terms of resistance to security functionality and computational performance by comparison with two other representative schemes. As a result, our scheme will be workable and eﬃcient security for mobile users in the actual environment.


Introduction
As the pace of human exploration has spread across the entire Earth and even the deep universe, spatial information networks (SIN) have been proposed to meet the rapidly growing needs of mobile communications. SIN is a backbone communication network composed of multiple satellites in orbit and a satellite constellation, which is intrinsically a radio-based transmission medium in the wireless mobile environment [1]. It can provide communication and broadcasting services for various space tasks in professional, commercial, military, and emergency scenarios as it overcomes the shortcomings of geographic and environment limitations in traditional personal communication systems (e.g., LTE-A networks and Wi-Fi) [2]. erefore, users will be more willing to access SIN to obtain network services, which has become a hot spot in global research today. In SIN, the typical model is the low-earth-orbit satellite communications (LSC) system [2,3], which consists of the low Earth orbit satellites (LEOS), the ground station/ gateway (G), the network control center (NCC), and mobile users (U), as shown in Figure 1.
Recently, quite a lot of access authentication protocols have been designed for LSC system [4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22], but many schemes in the literature only provide unilateral or ineffective properties. For detailed literature research introduction, we refer readers to [21]. In 2020, Altaf et al. [22] proposed a lightweight authentication scheme for LSC system and claimed that it is protected against all possible security threats. However, we discover that their scheme is vulnerable to several drawbacks. Firstly, it has offline password-guessing attack because the smartcard records sensitive data during the registration phase. After lunching the above attack, a malicious user can easily get the secret number of the master control server, which is a crucial parameter to the entire system. Secondly, it is a common weakness that most protocols apply the freshness of timestamp to verify the validity of the message, which are not suitable for clock asynchronous environment as highly exposed links and extremely high propagation delay in SIN [23][24][25]. To overcome the shortcomings, we utilize elliptic curve cryptosystem (ECC) and identity-based cryptography (IBC) to design an efficient authentication scheme against clock asynchronous for SIN.
On the basis of analyzing the related scheme, we summarize several essential requirements of security and functionality which should be premeditated for designing a robust scheme in LSC system: (1) Valid mutual authentication: All joined entities in a communication system should identify each other and communicational messages should be authenticated to come from the original sender. Compared with identity authentication, information authentication should be verified more carefully because it is usually overlooked and eavesdropped in a LSC system. (2) Data confidentiality and integrity: It is well accepted to keep the data secrecy. Apart from that, the data integrity is also crucial. To protect the data integrity, an effective scheme should have the ability to detect the data manipulation including insertion, deletion, and substitution. (3) No sensitive data maintained by the NCC and U: In order to achieve mutual authentication between the NCC and U, a simple scheme should avoid sensitive data stored in both terminals, such as the verifier table in NCC's terminal and the values stored in U's mobile device. (4) Perfect session key secrecy: All session keys used to encrypt the exchange data between the NCC and U are kept in secret and the compromise of session keys does not divulge the forward/backward session keys. (5) User's privacy: Any information of U should be protected from outsiders and some vital information, such as password, should be even kept secret from NCC. (6) Fast computation and few communication costs: On one hand, large storages and high calculations will be worthless in U's lightweight equipment as its resource is constrained; on the other hand, due to the need for multiple forwarding and exposure to the wireless environment, the fewer communication costs each time, the better.  e rest of this paper is organized as follows. Section 2 provides necessary techniques used in this paper. In Section 3, we review Altaf et al.'s scheme and point out the security weaknesses in detail. e proposed scheme is introduced in Section 4. Results and discussion of our scheme are given in Section 5. Finally, we draw some concluding remarks of this paper in Section 6. (ECC). ECC was firstly put forward by Miller [26] and Koblitz [27] to design public key cryptosystem. It gives more security with less bit size key and faster computation than traditional public key cryptography. For example, Hankerson et al. [28] pointed out that 160-bit ECC and 1024-bit RSA or DLP has the same security level in practice. Hence, it has been widely used in several cryptographic schemes to provide desired level of security and adequate computational efficiency [29][30][31][32].

Elliptic Curve Cryptosystem
In this section, we just give a simple description of the ECC defined over a prime field F p . A nonsingular or secure elliptic curve F p (a, b) over F p is defined by an equation can form a cyclic additive elliptic curve group, where point O is identity element of G p . Let P be a base of G p with an order n, since nP � O for the smallest integer n > 0. e point multiplication on group G p is defined as kP � P + P + · · · + P(k times). Details of elliptic curve group properties are given in [28].

Computational Problem
(1) Discrete logarithm problem (DLP): Assume that g is a generator of Z * p , where Z * p is a finite multiplicative cycle group and p is a prime number. Given b, g ∈ Z * p , find a number a ∈ Z * p such that b � g a ( mod p) is difficult.
(2) Elliptic curve discrete logarithm problem (ECDLP): Consider two points Q, P ∈ G p ; then find a number k ∈ [1, n − 1] such that Q � kP is impossible, where G p is cyclic additive elliptic curve group. (3) Computational Diffie-Hellman problem (CDHP) on ECC: Assume that there are three known points P, aP, bP for a, b ∈ [1, n − 1] , where all belong to group G p . en, the computation of abP is also hard to G p . (4) Collision attack assumption 1 (k-CAA1) [30]: Assume that there exist a positive integer k and some values then it is even difficult to explore the value (h 0 + x) − 1 P.

Adversarial Model.
In this section, we give the threat attack model, where the main reference is Dolev-Yao adversary threat model [33]. In 5.1, we will use this model to simulate the attack on our proposed scheme with the formalization tool Scyther. e result of the attack path is shown in Figure 2. e detailed descriptions of Dolev-Yao adversary threat model are as follows: (1) Adversary can eavesdrop and intercept all messages passing through the network. (2) Adversary can store and send the intercepted or selfconstructed messages. (3) Adversary can participate in the operation of the protocol as a legal subject. In addition to this, since our scheme uses smart cards, we assume that the attacker has the following capability, which can be used to launch offline password-guessing attacks [34]. However, we will give the detailed description of how the proposed scheme can prevent this attack in the overall design idea of our scheme in Section 5.1. (4) e power analysis or side-channel attacks can help the attacker to extract the secret information stored in user's smart card.

Altaf et al.'s Scheme and Its Weaknesses
is section reviews Altaf et al.'s scheme [22] and points out its flaws. As shown in Figure 1, there are mainly 3 types of participants in their scheme: a mobile (U i ), network control center (NCC s ), and the low-Earth-orbit satellites (LEOS q ). e notations used in this paper are defined in Table 1.  3.1.1. Registration Phase. When wanting to get the servers from NCC s , U i has to register to NCC s as in the following steps: Step 1: U i chooses his/her identity ID i and password P i and generates a random number n i . en, U i calculates After that, U i sends the registration message 〈ID i , P i 〉 to NCC s via a secure channel.
Step 2: After receiving request message from U i , NCC s computes the following operations: Step 1: U i inserts SC i and enters his/her ID * i , Step 2: On receiving the login message from U i , LEOS q forwards the message 〈PID i , Step 3: When getting the message, NCC s checks the freshness of timestamp by verifying the condition (T 1 − T s ) ≤ ?ΔT. If ΔT is not permissible to the NCC s , this session is terminated; otherwise, NCC s computes to send 〈W s , Auth s , T 2 , ID LEOS q 〉 to LEOS q finally.
Hash function: Mathematical Problems in Engineering Step 4: Upon receiving response message, LEOS q forwards 〈W s , Auth s , T 2 〉 to U i .
Step 5: After receiving the message, U i checks the freshness of timestamp by verifying ( Auth * s � Auth s , U i and NCC s achieve mutual authentication and negotiate a shared secret key.

Remark 1.
ere are two flows in this phase of Altaf et al.'s protocol. e first is the inconsistency operation between the flow chart display in Figure 4 of P * . e second is that NCC s should append LEOS q 's identity information when sending this message 〈W s , Auth s , T 2 , ID LEOS q 〉 to LEOS q , instead of LEOS q sending its own identity to U i , because LEOS q only needs to have identity confirmation with NCC s in the LSC system.

Security Analysis of Altaf et al.'s Scheme.
In this section, we carefully make security analysis of Altaf et al.'s scheme [22]. Firstly, we review the adversarial model in their article, which supposed that A dv has the following abilities when attacking the efficiency and security of their scheme: (1) Adv can access the full public communication channel to modify, replay, amend, and intercept the confidential information. (2) Adv can extract the secret information stored in user's smart card with the help of power analysis. (3) Adv can cheat the user by making the legitimate member of that system.
Network control center NCC s Knows ID i , P i , mpk Knows msk, mpk 1) Chooses ID i , P i and n i 1) Enters ID i * , P i * and compute Generates b i and calculates: Login and authentication phase Secure channel Public channel

Offline Password-Guessing Attack.
is section describes how a malicious attacker can obtain the private key msk of NCC s after launching the above attack in Altaf et al.'s protocol. e details are given in the following steps: Step 1: According to the adversarial model of (3), Adv can register in network control center like a normal user.
arbitrary selection of identity ID Adv , password P Adv , and a random number n Adv . en, Adv records the values 〈P Adv , ID Adv 〉 and sends 〈ID Adv , P Adv 〉 to NCC s .
Step 2: After receiving the login message from Adv , en, it will issue a smart card SC Adv recoding the values 〈Y Adv , M Adv , h(·)〉 to Adv.
Step 3: Based on the adversarial model of (1), Adv can extract the values Y Adv and h(·) after getting SC Adv .
Next, Adv computes X Adv � Y Adv ⊕P Adv and records the value X Adv .
Although this algorithm may take a long time to execute, Adv will be willing to keep trying as network control center NCC s utilizes the private key for authenticating all the users, which is a crucial parameter to the whole system. erefore, the protocol proposed by Altaf et al. is vulnerable to the above attack. e same attack can be also implemented in Sharif et al.'s scheme [21].

Inability to Deal with the Clock Asynchronous
Situation. In Altaf et al.'s scheme, the validity of the message

] and calculates
Login and authentication phase

5) Calculates
Checks β s * = ?β s , Updates N 0 to N 1 Figure 4: Implementation of two stages in our scheme.
timestamp transmitted from U i , T s is the current timestamp of CNN s , and ΔT is an estimated time delay by the system. As we all know, the propagation delay is usually large between the satellite and the ground. Even for low-Earth-orbit (LEO) satellites, there is a propagation delay of 10 to 40 milliseconds due to the transmission distance of 500 to 2,000 kilometers [2]. What is more, since the satellite only forwards the authentication message, the protocol at least needs two signal transmission delays between U i and CNN s (the uplink between mobile user and satellite and the downlink between satellite and ground station, regardless of transmission delay between gateway and NCC i , based on Figure 1), which will result in unacceptable access delay. us, it is very difficult for the entire system to estimate a uniform time delay, which may cause widespread denial of service for users. Apart from that, users in some professional fields, such as scientists who perform north-south pole expeditions, may not be able to synchronize time with their mobile terminals due to the inability to communicate with synchronous satellites or other reasons in the actual environment. Obviously, Altaf et al.'s scheme is unable to deal with this clock asynchronous situation, while SIN covers all corners of the Earth and even deep space. Moreover, none of the existing schemes [19][20][21] take this situation into consideration.

Our Protocol
We introduce a novel authentication and key agreement protocol against clock asynchronous for SIN in this section. e proposed scheme mainly utilizes elliptic curve cryptosystem (ECC) and identity-based cryptography (IBC) to achieve sufficient security and authentication. ere are 4 phases in our enhanced protocol: (1) initialization phase, (2) registration phase, (3) login and authentication phase, and (4) password-change phase. e detailed implementation of the middle two stages is shown in Figure 4.

Initialization Phase.
Since our scheme is based on ECC, this phase is different from prerelevant schemes which can be divided into four steps as follows: Step 1: NCC s chooses a secure elliptic curve equation E p (a, b) and a generator point P of the cyclic additive elliptic curve group G p with order n , where p is an x-bit prime number.
Step 2: NCC s selects a random number k ∈ [1, n − 1] as its private key and computes the corresponding public key K � kP.
Step 4: NCC s publishes E p (a, b), n, P, K, h(·), kdf as the system parameters and keeps its master key k secret.

Registration
Phase. If a mobile user U i wants to register to the system, this phase is performed only once as follows: Step 1: U i freely chooses a valid identity ID i and password P i to enter into his/her mobile device, such as a smartphone. e identity ID i can be combined by any one of U i 's name, e-mail address, social security number, or other identity attributes as his/her public key for a unique signature. Next, the device collects U i 's biometric B i to . en, the device sends the message 〈ID i , v i 〉 to NCC s through a secure channel.
Step 2: After receiving the message, the server first calculates h(ID i ) to check whether ID i has been registered in the verifier table. If it has been registered, U i is asked to select a new identity. Otherwise, NCC s calculates the following operations: After that, NCC s inserts 〈N 0 , h(ID i )〉 into the verifier table (VT) and delivers the message M 0 � 〈N 0 , l i , m i 〉 to U i via the secure channel, where N 0 is a nonce.
Step 3: On getting the response message, U i stores the values 〈N 0 , l i , m i 〉 in his/her mobile device for later use in the login process.
Remark 2. e nonce N 0 is a unique value randomly generated by NCC s and is frequently used to avoid the replay attack. Here, we further apply it as a mechanism to combat the asynchronous clock scenario, which will be discussed at the end of Section 4.3.
Input: X Adv , ID Adv and h(·). Output: msk , which is the private key only known to NCC s . (1) Adv generates a random number and takes it as key msk tmp (2) AdvComputes X tmp � h(ID Adv � � � � � msk tmp ) (3) If X tmp �� X A dv then Return (msk tmp ) else Go to 1 until correct key is obtained ALGORITHM 1: Offline password-guessing attack.

Mathematical Problems in Engineering
Remark 3.
ere may be two approaches for NCC s to deliver the message M 0 to U i : One way is offline method where NCC s records M 0 into a smartcard and issues it to U i . e other way is online method where NCC s connects to U i through the Internet Key Exchange Protocol version 2 (IKEv2) [35] or Secure Socket Layer (SSL) Protocol [33]. e message will be encrypted for transmission.

Login and Authentication Phase.
is part introduces the user login system process and the mutual authentication between U i and the NCC s . e detailed description is as follows: Step 1: When U i intends to communicate with others or get service from NCC s via the LSC system, U i provides ID * i , P * i , and B * i to his/her mobile device. e device computes and it determines whether m * i � ?m i or not, where m i has been recorded in the device. If m * i � m i , the device randomly selects b i ∈ [1, n − 1] and calculates the operations as follows: en, the device sends M 1 � 〈PID i , α i , Q i , N 0 〉 to LEOS q .
Step 2: After getting the message, LEOS q forwards 〈PID i , α i , Q i , N 0 , ID LEOS q 〉 to NCC s .
Step 3: When obtaining the message, NCC s calculates Next, NCC s uses N 0 to find the matching h(ID i ) in the verifier table. If it is not found, NCC s refuses the request of U i ; otherwise, it computes and it checks α * i � ?α i . If α * i � ?α i , NCC s authenticates CS and generates a nonce N 1 to compute the operations en, NCC s records nonce N 1 next to N 0 in the verifier table and sends 〈β s , N 1 , ID LEOS q 〉 to LEOS q .
Step 4: After getting the message, LEOS q forwards M 2 � 〈β s , N 1 〉 to U i .
Step 5: On receiving the reply message from LEOS q , U i computes en, U i checks β * s � ?β s . If β * s � β s , U i confirms that NCC s are authentic and updates N 0 as N 1 in the mobile device. As a result, U i and NCC s realize mutual authentication and negotiate a shared secret key: Remark 4. We briefly derive the consistency operations in this phase as follows: Remark 5. In Step 3, NCC s records nonce N 1 next to N 0 rather than updating N 1 as N 0 . is means that NCC s keeps N 0 until receiving U i 's next login message including the value N 1 . At this time, NCC s will produce a new nonce N 2 and then will update N 1 to N 0 and N 2 to N 1 . In a word, NCC s always keep two fresh numbers related to U i in the verifier table except the first login. e designed mechanism mainly fights against the denial of service attack due to the nonce between U i and NCC s being out of sync. We call this scenario "desynchronization challenge" as shown in Figure 5. "Successful authentication" means that U i has authenticated NCC s and updated N 0 to N 1 . en, U i can apply the shared secret key SK to encrypt the next traffic with NCC s , namely, "Data Exchange Phase." e failure indicates U i cannot authenticate NCC s because the message M 3 was tampered with by an attacker or interfered with the poor wireless environment. en, "desynchronization challenge" is invoked. Since NCC s still holds the fresh number N 0 , U i can continue to send login request information with N 0 .

Password-Change Phase.
Whenever U i wants to update his/her password P i to a new P new i , this phase is activated without communication with NCC s . Firstly, U i provides ID * i , P * i , and B * i to his/her mobile device and asks for changing the password. en, the device will automatically perform as follows: Step 1: Step 2: Finally, the device replaces the original 〈l i , m i 〉 with 〈l new i , m new i 〉 in the memory separately.

Results and Discussion
is section discusses security analysis of our protocol. Firstly, we give the overall design ideas of the proposed protocol. en, the two security protocol analysis tools of Scyther and AVISPA simulate the implementation of our scheme. We further analyze how the proposed scheme can fulfill the five essential properties. Finally, the performance comparisons of our protocol with others are described briefly.

Overall Design Idea of Our Scheme.
In our protocol, we utilize two symmetric keys between U i and NCC s . e first symmetric secret key is x s , which is established by calculating S i � (k + h(ID i )) − 1 P � (x s , y s ) during the user registration process. In addition to the authentication of both parties, x s is also used to verify the integrity of the messages M 0 , M 1 , and M 2 and generate the shared secret key SK, which is used to encrypt information in the data exchange phase. If Adv wants to obtain x s , it can only be obtained through brute-force calculation, because x s is protected by U i 's real identity ID i and NCC s 's master key k. However, according to 4th difficult calculation problem K-CAA1 in Section 2.3, it is impossible for Adv to launch brute-force calculation to get this value, such as the offline passwordguessing attack used in our attack on Altaf et al.'s scheme. e second symmetric cipher is x v , which is secured by calculating ECDLP and CDHP on ECC. On the one hand, Adv obtains Q i by intercepting the message M 1 through the public channel. According to ECDLP, Adv cannot obtain the value of b i by calculating Q i � b i P, and it is also impossible to obtain the server's master key k by operating K � kP. On the other hand, if Adv obtains Q i and K, it is also impossible to obtain V i , because, according to Q i � b i P and K � kP to find Q i � b i (kP), this is equivalent to calculating CDHP on ECC.
e key x v is mainly used to protect U i 's real identity ID i and to realize the verification of the server signature by computing V * i � kQ i .

Simulation Analysis Using Scyther and AVISPA.
is section presents simulation of the proposed protocol using widely accepted security protocol analysis tools of Scyther and AVISPA. During simulating the implementation of the scheme, Scyther can detect the reachability of the message among participants and discover the attack path initiated by a pretender. e AVISPA simulation tool sets up various attack models internally to test whether the protocol is SAFE or UNSAFE. e detailed instructions of Scyther can be found in [36,37] and those of AVISPA can be found in [38,39], and comparison of these analysis tools can be found in [40].

Simulation Code Description.
is section introduces the use of Scyther formal language SPDL (Security Protocol Description Language) and AVISPA formal language HLPSL (High-Level Protocol Specification Language) to model our scheme.
(1) Simulation code in Scyther SPDL: Figure 6 presents the simulation code of our protocol with the Scyther SPDL. Two hash functions and a simulated elliptic curve function (ECC) are defined at the beginning of SPDL simulation code. e ECC is modeled as public key encryption, where NCC s has a private key k. Next, 3 roles in the scheme are defined: "role I″ simulates U i ; "role R" presents NCC s ; "role LEOS" indicates LEOS. Here, we take U i role as an example to introduce the SPDL code, which is mainly presented on the left of Figure 6. After defining the variables required for session protocol, user-side operations are mainly represented by the collection of events. e "send" and "recv" events mean that U i sends a message and receives one, respectively. Lines 16 to 19 indicate the event where U i receives the message M 0 from NCC s and checks m * i � ?m i during the login phase. Among them, the 16th line indicates that the symmetric secret key x s is modeled as ECC function with parameters of NCC s 's private key k and U i 's identity ID i ; line 17 presents that U i obtains x s by l i ; then, U i can receive M 0 and check m * i � ?m i , indicated on line 18 and line 19, respectively. Apart from that, the 28th line adds the matching of the verification β s , which ensures that the attacker cannot construct the message autonomously; the "claim" event in the 30th line is used to describe the authentication of roles and the confidentiality of variables.

Mathematical Problems in Engineering
(2) Simulation code in AVISPA HLPSL: In the HLPSL modeling of our protocol, we first formalize the protocol in CAS+ specification language, as shown in Figure 7(a), and then use the SPAN (Security Protocol ANimator for AVISPA) to automatically convert the CAS+ file into the HLPSL format code in Figure 7(b). e following briefly describes the simulation CAS+ code of our scheme. After defining variables in Figure 7(a), the modeling is basically the same as the Scyther modeling, and the XOR and ECC operations are both expressed by approximate operations. en, using the Alice-Bob message format, the protocol execution process is clear. Among them, "J", "L," and "S" present U i , LEOS, and NCC s , respectively; "�>" means encrypted channel, "->" means open channel, and "'" represents the inverse function; for example, "Ks'" is the private key of NCC s , while "ks" is the public key here. In lines 19 to 21, each line represents the parameters U i , LEOS, and NCC s known during the protocol execution process. e 28th line defines the knowledge of intruder when attacking the security of our scheme. After generating the HLPSL format file from the CAS+ file, we manually add the verification target "secret(KD-F(ECC(inv(Ks).H(IDi)).N0.N1),sec1,J,S)" in both U i and NCC s roles and then generate the final HLPSL format code that simulates our protocol. Since the number of HDLS language lines after conversion is relatively large, here we only give U i role code in Figure 7(b).

Simulation Results.
is section first presents the simulation results of our protocol using Scyther, which is shown in Figure 8. Figure 8(a) is the output report for verifying the reachability of messages among participants and Figure 8(b) presents the attack path search result of shared session secret key SK. All the analysis results prove that there is no problem in our formalization process, which means that U i and NCC s can securely convey the message and believe in the confidentiality of the negotiated shared session key SK in our scheme. en, we verify whether there is an adversary attack on the protocol, that is, the vulnerability of the protocol message being obtained by the adversary. Figure 2 shows output path under the Dolev-Yao adversary threat model [41]. e analysis result indicates that, in the process of mutual authentication between U i and NCC s , the protocol has a LEOS impersonation attack because LEOS only forwards message and has not been authenticated in the scheme. However, due to the limitations of the nonce N 0 and the nonce N 1 and the verification message codes α i and β s , the attacker cannot construct the message independently and can only replay the message between U i and NCC s this time. erefore, Scyther test results show that our proposed protocol does not have any threat under various active and passive attacks.
Next, we introduce the results of AVISPA analysis. e two back-end analysis results of OFMC and Atse provided by AVISPA are shown in Figure 9, which are both safe (SUM-MARY SAFE). ese demonstration results indicate that our protocol can achieve the expected security goals. Figure 10 shows the protocol flow chart under intruder simulation. e intruder can obtain the knowledge after the simulation attack is presented in Figure 11. From Figure 11, we can see that Adv obtains values such as N 0 , N 1 , and ID LEOS q by eavesdropping messages transmitted via open channel, but there is no effective attack path. us, AVISPA test results also prove that our scheme can resist the various existing active and passive attacks.

Security Properties Analysis.
is section describes the essential security properties of our scheme, which we summarize above for designing a robust scheme for a LSC system. α * i � α i are all guaranteed by the symmetric keys x v and x s , where only real U i can calculate these two secret values as analyzed in the previous section. So, NCC s can effectively authenticate U i . Simultaneously, U i authenticates NCC s by verifying β * s � ?β s , which directly involves U i 's real identity ID i and the symmetric keys x s . ID i and x s are only calculated by knowing NCC s 's master key k. erefore, our scheme provides valid mutual authentication to avoid the impersonation attack.

Data Confidentiality and Integrity.
e proposed scheme needs to protect three types of data: the random number b i selected by U i , the identity ID i of U i , and the shared session key SK. b i is protected by ECDLP as discussed in 5.1; ID i is encrypted and transmitted by the symmetric   secret key x v through the operation PID i � x v ⊕ID i ; SK is bound with ID i and the symmetric key x s in one-way key derivation operation SK � kdf( us, the new scheme ensures the data confidentiality and integrity in all aspects.

No Sensitive Data Maintained by NCC s and U i .
ere are only 〈N 0 , h(ID i )〉 in NCC s 's verifier tables and 〈N 0 , l i , m i 〉 stored in U i 's device in our scheme. N 0 is just a nonce and is refreshed every session. As for h(ID i ), Adv may obtain the user's identity ID through offline passwordguessing attacks after penetrating attack to the NCC s 's inside. However, it is meaningless for the entire system as Adv cannot acquire any clues about the U i 's password and NCC s 's master key. For data stored in U i 's mobile device, l i and m i are only used in the beginning of U i 's login phase and neither reveals the key parameters of the system. So, none of sensitive data are maintained by NCC s and U i in our scheme.

Perfect Session Key Secrecy.
e shared session key is

User's Privacy.
e scheme mainly involves three types of personal privacy of U i : identity ID i , password P i , and biometric B i . At first, U i registers by submitting , in order to keep the secret password P i and biometric B i of U i from NCC s . en, during the login and authentication phase, the pseudoidentity PID i , which is derived from PID i � x v ⊕ID i , is transmitted via public channel instead of the real ID i . erefore, any privacy information related to U i is enclosed in our scheme.

Performance Comparisons.
In the following, we concretely compare our protocol with the other two protocols [21,22] in terms of resistance to security functionality and computational performance. In 2019, Sharif et al. [21] compared their proposed protocol with 6 other related protocols in detail in terms of security features and computing performance and claimed that their protocol had obvious advantages in security features. Similarly, Altaf et al. [22] pointed out that their protocol had great advantages compared with the other 4 protocols in 2020. So, we simply give a comparison with these two representative articles. Moreover, Sharif et al.'s scheme is also designed using elliptic curve cryptography, and Altaf et al.'s scheme also uses public key and secret key algorithms, which is not specified in their article.
In Table 2, we list the 6 general security properties and 2 security attacks for designing a robust authentication protocol for SIN. In addition to the above 6 functions, the newly proposed protocol can resist other attacks, such as impersonation attack, DoS attack, man-in-the-middle attack, smart card loss attack, and replay attack. e results in Table 2 show the superiorities of our protocol in terms of resisting offline password-guessing attack and against clock asynchronous situation.
As we all know, NCC s always has no limitation with enough powerful servers. Although the most expensive operation is the point multiplication elliptic curve in the related protocol, it takes only 46 microseconds to execute the 160-bit elliptic curve point multiplication on the Intel Core-i7 processor [42]. erefore, we only compare the efficiencies of different operations in U i 's mobile device in Table 3, which refers to Table 11 in [21]. For the convenience of evaluating the computational cost, we assume that the public key and secret key algorithms in Altaf et al.'s scheme [22] are also elliptic curve cryptography, as mainly considering 160-bit ECC has the same security level as 1024-bit RSA or DLP in practice. In addition, it is generally accepted that XOR operation execution time can be ignored, as it consumes very little time.
Furthermore, we have considered communication cost in the last line of Table 4. We suppose that each length of parameter is roughly the same in [21]: the size of a random number/nonce to be 64 bits, a hash output to be 256 bits, an identifier/timestamp to be 32 bits, and an ECC point to be 384 bits for the communication cost as we also use this length in calculation time. In our scheme, the LEOS receives M 1 � 〈PID i , α i , Q i , N 0 〉 from U i 's login request message and sends M 2 � 〈β s , N 1 〉 to U i at last. us, the total communication cost bits of M 1 � 〈32, 256, (384, 384), 64〉 and M 2 � 〈256, 64〉 are 1440 bits. Table 4 demonstrates that our protocol is more efficient than the other two protocols as it uses the least times and far less communication cost bits.

Concluding Remarks
In this article, we deeply study the authentication schemes for SIN. We disclose that Altaf et al.'s protocol has fatal security drawbacks and point out that many protocols in the literature cannot handle the clock asynchronous situation. Because SIN mainly transmits information through wireless signals and covers a wide range of services, it often happens when users' mobile devices cannot achieve clock asynchronous situation in the actual environment. To overcome these security challenges, we introduced a lightweight pseudonym identity-based authentication and key agreement scheme using ECC and IBC. To strengthen the security of our scheme, we first introduced the main ideas of the entire protocol design. en, the security protocol analysis tools of AVISPA and Scyther are both utilized to simulate the proposed scheme and the analysis results prove that our scheme can resist the various existing attacks. We further discussed essential security properties of the proposed scheme, which meets the requirements to design a robust scheme for a LSC system. Moreover, we concretely compare our protocol with the relatsed protocols in terms of security requirements, computational performance, and computational cost. All the results show that our protocol is superior to the other two representative protocols. Actually, our protocol will be well suited for mobile users in SIN.

Data Availability
e corresponding author shall keep the analysis and full simulation code set. If necessary, the data set can be requested from the corresponding author for reasonable requirements.

Conflicts of Interest
e authors declare that they have no conflicts of interest.