An Enhanced RFID-Based Authentication Protocol using PUF for Vehicular Cloud Computing

Department of Mathematics, SSV College Hapur, Hapur, Uttar Pradesh, India; Jindal Global Business School, O. P. Jindal Global University, Sonipat, Haryana 131001, India; Department of Mathematics, Ch. Charan Singh University, Meerut, U.P., India; Department of Computer Engineering, Ajay Kumar Garg Engineering College, Ghaziabad 201009, India; College of Computer Science and Engineering, Shandong University of Science and Technology, Qingdao, Shandong, China


Introduction
Recognition technologies deserve our attention as they are essential parts of the Internet of Things. Barcode recognition, optical character recognition, biometric identification, magnetic card identification, and contact IC card identification are all examples of traditional automated identification technologies. However, when employed in the IoT, they have a number of drawbacks. Bar codes, for example, can only hold a limited amount of data; optical character recognition is too expensive; biological recognition is flawed; and magnetic card and contact IC card identification need intimate touch, which is inflexible. Currently, some of these identification methods are unable to protect personal information [1]. In contrast, RFID is a noncontact automatic identification technology that does not need mechanical or visual contact between the system and the target, and security protections can help keep user information private. Because of these advantages, RFID has emerged as one of the most promising IoT technologies [2].
An RFID system consists of RFID tags, RFID readers, and a database server. Tag-affixed objects are uniquely identifiable, and their identifying information is saved. They communicate with the reader using radio waves. In a typical RFID system, the database server is a local back-end server.
When RFID devices generate a large amount of data, the performance of back-end servers is limited. Cloud computing overcomes this problem in the IoT context. As a result, the integration of the cloud platform with the RFID system is required [2,3]. The reliability and data processing capabilities of RFID systems have improved dramatically since the introduction of cloud computing. Almost all of the data acquired by RFID sensors are processed on the cloud, which can aid in the resolution of issues such as data loss and latency [4]. In the IoT, the most commonly used public cloud servers are only semi-trustworthy. Because of the properties described above, the RFID system is vulnerable to attack. As a result, IoT necessitates the use of a secure and reliable RFID authentication system.
Similarly, a number of protocols based on physically unclonable functions (PUFs) have been proposed [12][13][14]. PUFs are, in reality, physical one-way functions derived from the unique nanoscopic structure of physical things (e.g., integrated circuits, crystals, magnets, lenses, solar cells, or papers) and their reactivity to random occurrences. The quirks in the manufacturing process of the items are responsible for the innate uniqueness of the structure and reactivity. This enables both the unique identification and authentication of an object. Furthermore, it is considered that copying an object's PUF (and hence the object itself) is impossible, which might be seen as a security-by-design feature that prevents impersonation and cloning attacks. As a result, PUFs are regarded as a trustworthy and well-known physical security method for developing IoT authentication protocols. Physical devices are protected by PUF-based protocols, which are resistant to physical attacks and provide multilayer protection. Furthermore, even if the device is stolen, the attacker will not be able to use the PUF. However, the majority of proposed VANET solutions are still subject to different security concerns such as replay attacks, impersonation attacks, forgery attacks, and non-repudiation attacks. As a result, it is critical to build a viable VANET solution to address the existing issues.

Literature and Related Works
Several RFID authentication schemes have used elliptic curve cryptography (ECC) in recent years. Due to the difficulty of solving the discrete logarithm problem (DLP), ECC has demonstrated its efficiency in assuring security and privacy. The state-of-the-art ECC-based RFID, mobile computing, and VCC authentication protocols are reviewed in this section and are shown in Table 1. Also, the details of recent PUF-based works are given in Table 2.

Problem Definition.
Security protocols, such as authentication methods, are supposed to ensure the confidentiality, integrity, and availability (CIA triangle) of security. The parties to the protocols must be able to authenticate and synchronize with one another at any moment. Desynchronization attacks can break this condition by blocking protocol messages or forcing protocol parties to modify their shared secret values to different values, preventing the parties from authenticating each other and destroying service availability. Many protocols have been developed in the literature to satisfy CIA security standards; however, multiple instances of attacks [2, 10-14] against them show that they have failed to achieve the needed security. As a result, attempts to build a secure protocol are still continuing, and new attacks are emerging that give designers fresh insight into how to (not) design a protocol. As a result of these attacks and security evaluations, the protocols have progressed.

Motivation and Contributions.
In recent years, a number of key agreement and authentication techniques have been created. Most of these protocols have a high computation cost, making them unsuitable for devices with limited resources. We also noticed that the literature reviewed above did not take into account the physical factors of security for vehicle RFID communication systems in VCC situations. However, in the automotive RFID communication environment, the necessity of PUF receives a lot of attention in the literature. A PUF-based protocol is capable of dealing with physical security risks. Even stealing the PUF from the on-board memory will not allow an attacker to obtain it. As a result, for VCC, we developed a PUF-enabled RFID-based authentication protocol. The following are some of the many contributions made by this research:
(1) To build an authentication protocol for VCC communication, the system and threat models are defined first.
(2) We created a PUF-enabled RFID-based authentication mechanism using the hypothesized attack model.
(3) To keep the proposed protocol's cost minimal, only fundamental cryptographic operations such as ECC, XOR, concatenation, and hash function are used. PUF is also used to protect against recognized physical security risks.
(4) Our approach ensures that possible security threats are avoided, based on formal and informal security assessments.
(5) The results of the performance study show that our protocol is superior to other similar protocols.
The rest of the article is structured as follows: The preliminaries are presented in Section 3. The RSEAP2 system is described in detail in Section 4. We give a security study of the RSEAP2 protocol as well as various efficient and strong attacks against it in Section 5. The improved protocol is presented in Section 6. In Section 7, we provide a verifiable security analysis of our approach. The performance analysis is presented in Section 8. Section 9 concludes the article.

Definitions and Mathematical Preliminaries
The key size comparison between the public-key cryptosystems like ECC and RSA shows that the communication

(ii) Applies "ECC cryptographic technique"; (ii) Vulnerable to "known session key attack"; (iii) Uses "fuzzy extractor for biometric verification"
Safkhani et al. [2], 2021: (i) Based on "RFID and ECC cryptosystem"; Uses "one-way cryptographic hash function"; (i) Fits for IoT networking environment; (i) Fails to establish "mutual authentication"; (i) No proper "session key agreement"; (ii) Could not resist "denial-of-service"; (ii) Applies "ECC cryptographic technique"; (ii) Vulnerable to "mutual authentication attack" and "known session key attack"; (iii) Uses "fuzzy extractor for biometric verification"
Zhang et al. [18], 2020: Key distribution in wireless sensor networks; It did not only save the storage overhead, but also provided perfect resilience against sensor capture attacks; This cannot resist anonymity, traceability, and forward secrecy attacks
Mall et al. [19], 2022: This approach is a survey on PUF-based authentication and key agreement protocols for IoT, WSN, and smart grids; (i) This survey paper can be utilized to understand the technologies such as IoT, WSN, and smart grids and the way to address the AKA in these technologies; (ii) Systematically and taxonomically examine and discuss with pros and cons of AKA applications to the fast-growing areas of IoT, WSNs, and smart grids based on a meticulous survey of existing literature; This study fails to address the security pitfalls which can integrate all these technologies
Liu et al. [20], 2021: Key distribution for dynamic sensor networks; Compared with traditional key predistribution schemes, the proposal reduces the storage overhead and the key exposure risks and thereby improves the resilience against node capture attacks; This study cannot be applied to the current technologies such as IoT and cloud computing
Mukhopadhyay [21], 2016

The key size comparison between ECC and RSA is given in Table 3.

Background of ECC.
"Let E denotes an elliptic curve over the prime finite field $F_q$, where q be the large prime number. An equation of elliptic curve over $F_q$ is given by $v^2 = u^3 + \alpha u + \beta \bmod q$, where $\alpha, \beta \in F_q$. The elliptic curve is said to be nonsingular if $4\alpha^3$ where the point $\Phi$ is known as asymptotic point which work as the identity element or zero element in G." Some operations on the group G are as follows [2,7]:
then scalar multiplication in G is defined as: $\eta.\vee = \vee + \vee + \vee + \cdots + \vee$ ($\eta$ times).
(4) If g is the generator of G with order $\eta$, then $\eta.g = \Phi$.

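The group operations above, worked through on a toy curve as an added example (not code from the paper): the parameters q = 17, v^2 = u^3 + 2u + 2 and generator (5, 1) are constructed values far too small for real use. It goes one step beyond the text by checking that x_s.(α.g) = α.(x_s.g), the property that lets two parties reach the same x_s.α.g term.

```python
from typing import Optional, Tuple

# Added illustration with constructed toy parameters; real systems use
# standardized curves with primes of hundreds of bits.
Point = Optional[Tuple[int, int]]  # None plays the role of the identity Φ

Q = 17        # prime q of the field F_q
A, B = 2, 2   # curve coefficients (α, β in the text): v^2 = u^3 + 2u + 2 mod 17
G = (5, 1)    # generator g


def is_nonsingular(a: int, b: int, q: int) -> bool:
    """Standard discriminant test: 4a^3 + 27b^2 must be non-zero mod q."""
    return (4 * a**3 + 27 * b**2) % q != 0


def on_curve(p: Point) -> bool:
    if p is None:
        return True
    u, v = p
    return (v * v - (u**3 + A * u + B)) % Q == 0


def add(p1: Point, p2: Point) -> Point:
    """Group law on E(F_q), with Φ (None) as the identity element."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    u1, v1 = p1
    u2, v2 = p2
    if u1 == u2 and (v1 + v2) % Q == 0:
        return None  # P + (-P) = Φ (also covers doubling a point with v = 0)
    if p1 == p2:
        slope = (3 * u1 * u1 + A) * pow((2 * v1) % Q, -1, Q) % Q
    else:
        slope = (v2 - v1) * pow((u2 - u1) % Q, -1, Q) % Q
    u3 = (slope * slope - u1 - u2) % Q
    v3 = (slope * (u1 - u3) - v1) % Q
    return (u3, v3)


def mul_naive(k: int, p: Point) -> Point:
    """Scalar multiplication exactly as defined in the text: k additions of p."""
    result = None
    for _ in range(k):
        result = add(result, p)
    return result


def mul(k: int, p: Point) -> Point:
    """Same result with double-and-add, O(log k) group operations (k >= 0)."""
    result, addend = None, p
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def order(p: Point) -> int:
    """Smallest η > 0 with η.p = Φ."""
    n, acc = 1, p
    while acc is not None:
        acc = add(acc, p)
        n += 1
    return n


if __name__ == "__main__":
    assert is_nonsingular(A, B, Q) and on_curve(G)
    eta = order(G)
    print("order of g:", eta, "| eta.g is identity:", mul(eta, G) is None)
    x_s, alpha = 7, 5                 # constructed server secret and tag nonce
    public_key = mul(x_s, G)          # x_s.g, published by the server
    tag_side = mul(alpha, public_key)       # tag computes alpha.(x_s.g)
    server_side = mul(x_s, mul(alpha, G))   # server computes x_s.(alpha.g)
    print("shared term matches:", tag_side == server_side, tag_side)
```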
Physically Unclonable Function.
The PUF hardware primitive accepts a challenge $C$ and generates the matching response $R$ from the physical properties of its integrated chip (IC) and $C$. A PUF may easily be thought of as a one-way function $R = PUF(C)$ since both the accepted challenge $C$ and the produced answer $R$ are bit strings [14].
In essence, PUF security is based on the fact that, even if various ICs use the same production processes, each IC will be somewhat different owing to manufacturing variances. The following are the characteristics of PUF [15]:
(i) Uniqueness: A PUF cannot be duplicated;
(ii) Unidirectionality: In the real manufacturing circuit, the variances between input and output function mapping are both fixed and unpredictable. It is the hardware counterpart of the one-way function in this regard;
(iii) Invulnerability: Any effort to tamper with the device containing the PUF will cause the PUF to modify its behaviour and, as a result, it will be destroyed [14].

This study is restricted to fog environment; (ii) This study ensures the security of the sensors and fog nodes and to avoid a computational burden on devices
Hassija et al. [24], 2021: A survey on supply chain security: application areas, security threats, and solution architectures; (i) This article discusses the supply chain's security critical application areas and presents a detailed survey of the security issues in the existing supply chain architecture; (ii) Various emerging technologies, such as blockchain, machine learning (ML), and physically unclonable functions (PUFs) as solutions to the vulnerabilities in the existing infrastructure of the supply chain; This study is a survey work and fails to address the security features and how they can be applied for the AKA protocols

Security and Communication Networks

3.3. Network Model.
Figure 1 represents the architecture which we applied for the design of communication among the participants. The RFID tag communicates with the roadside RFID reader and thereby the communication passes through the vehicular cloud server. In order to communicate efficiently, the communication parties have to undergo the authentication and key agreement phase to establish a session key. More details regarding how the participants actually take part in the authentication and key agreement and communication process are discussed in the next section.

3.4. Threat Model.
The "CK-adversary model" is widely regarded as the "current de facto standard model in modeling key-exchange protocols." Using the "CK-adversary model," the adversary $A$ can "deliver messages (as in the DY model)," and in addition, $A$ can also "compromise other information, such as session state, private keys, and session keys." "Since the sessions as procedures run inside a party, the internal state of a session is well-defined. An important point here is that what information is included in the local state of a session. For instance, the information revealed in this way may be the exponent used by a party. Typically, the revealed information will include all the local state of the session and its subroutines, except for the local state of the subroutines that directly access the long-term secret information." Therefore, it is important that "the leakage of some forms of secret information, such as session ephemeral (short-term) secrets or session key, should have the least possible effect on the security of other secret credentials of the communicating entities in an authenticated key-exchange protocol." We demonstrate that the proposed technique is secure against well-known attacks and offers session key security and strong credentials' privacy under the CK-adversary model through a comprehensive formal security analysis.

Security Requirements for an IoT-Based RFID Communication System.
To the best of our knowledge and based on the available literature, many authentication algorithms for RFID communication systems have been proposed in recent years. The best ways for making RFID systems appropriate for a wide variety of applications are authentication and key agreement. Several forms of security threats might arise during the transfer of messages between RFID tags and readers.
Any authentication mechanism attempting to secure a viable RFID-based system should meet the following security requirements:
Impersonation attack: By repeating a message recorded from the channels, an attacker might try to imitate genuine protocol participants (such as the cloud database server, RFID reader, or RFID tag). At all costs, any impersonation should be avoided.
Replay attack: In this attack, an outsider tries to deceive other certified participants by restating intercepted data. This attack is aimed at a user whose data have been intercepted by an untrustworthy third party.
Mutual authentication: The authentication procedure takes place between the RFID tag and the back-end database server. Messages are exchanged across an unprotected communication route between the tag, reader, and server. This is the most crucial feature of any authentication system. Mutual authentication must also be accomplished with all three RFID system players present.
Tag anonymity: This is the most critical and required security criterion to reduce forgeries and assure security. Furthermore, the RFID authentication method retains its anonymity if an opponent is unable to trace an RFID tag during message transmission over a public channel. There are two types of anonymity, namely strong anonymity and weak anonymity. Furthermore, in order to protect their security and privacy, participants in IoT communication do not reveal their true identities.
Man-in-the-middle attack: In this attack, an adversary listens to the transmitted data before attempting to remove or change the data supplied to recipients.
Insider attack: Any insider can play the role of adversary in the RFID communication system.
Desynchronization attack: If a protocol's authentication is reliant on shared values, an adversary may cause desynchronization difficulties. If the shared data are updated by the server but the tag is not, the server might be unable to validate the tag in the future. Attempts to desynchronize should be avoided at all costs.
Untraceability: Untraceability in the RFID communication system means that no one can track the participants' activity patterns or their relayed messages.
Session key agreement: A session key agreement will be made between users and their mobile devices, as well as the network control centre, following the successful deployment of the proposed protocol.
Confidentiality: The security of RFID communications between the tag and the reader is ensured by encrypting shared secrets on the public channel.
Perfect forward secrecy: This is utilized in the authentication protocol architecture to keep previously transmitted messages private, so that an adversary who obtains the entities' private and public keys will be unable to deduce a past session key.
Availability: The authentication and key agreement mechanism between the RFID tag and the RFID back-end database server operates continuously in an RFID system. To accomplish the characteristic of accessibility, the shared secret information between the RFID tag and the RFID back-end database server must be updated in most authentication procedures. However, security issues such as denial-of-service (DoS) or desynchronization attacks may cause this process to be disrupted. As a result of these problems, the RFID system's efficiency may be jeopardized. Hence, this issue should be considered while creating an authentication mechanism.
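The desynchronization and availability requirements above, as an added simulation that is not the paper's protocol: a hypothetical hash-based tag and server rotate a shared key after each run, first with a server that stores only the newest key and then with one that also keeps the previous key (a common countermeasure, assumed here). All class and function names are illustrative.

```python
import hashlib
import hmac
import os


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (avoids ambiguous concatenation)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(2, "big") + part)
    return digest.digest()


class Tag:
    """Hypothetical tag: rotates its key only after a valid server ack."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return h(self.key, nonce)

    def confirm(self, nonce: bytes, ack: bytes) -> bool:
        if hmac.compare_digest(ack, h(self.key, nonce, b"ack")):
            self.key = h(self.key, b"update")
            return True
        return False


class NaiveServer:
    """Stores one key and rotates it as soon as the tag is accepted."""

    def __init__(self, key: bytes):
        self.key = key

    def authenticate(self, nonce: bytes, response: bytes):
        if not hmac.compare_digest(response, h(self.key, nonce)):
            return None
        ack = h(self.key, nonce, b"ack")
        self.key = h(self.key, b"update")  # tag may never learn of this update
        return ack


class ResyncServer:
    """Keeps (previous, current) keys so a tag that missed one ack still verifies."""

    def __init__(self, key: bytes):
        self.prev = None
        self.cur = key

    def authenticate(self, nonce: bytes, response: bytes):
        for key in (self.cur, self.prev):
            if key is not None and hmac.compare_digest(response, h(key, nonce)):
                ack = h(key, nonce, b"ack")
                # Never move more than one step ahead of the tag.
                self.prev, self.cur = key, h(key, b"update")
                return ack
        return None


def run_session(tag, server, drop_ack: bool = False) -> bool:
    """One run; drop_ack models the last message being blocked on the channel."""
    nonce = os.urandom(16)
    ack = server.authenticate(nonce, tag.respond(nonce))
    if ack is None:
        return False  # server could not validate the tag
    if not drop_ack:
        tag.confirm(nonce, ack)
    return True


def simulate(server_cls) -> list:
    """Session 1 loses its ack; sessions 2 and 3 run undisturbed."""
    key = b"constructed-shared-secret"  # constructed sample value
    tag, server = Tag(key), server_cls(key)
    return [run_session(tag, server, drop_ack=True),
            run_session(tag, server),
            run_session(tag, server)]


if __name__ == "__main__":
    print("single-key server:", simulate(NaiveServer))
    print("old+new key server:", simulate(ResyncServer))
```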

RSEAP2 Protocol
We offer a brief explanation of RSEAP2 [2] in this section. The tag $T_i$ and the cloud database server $S$ interact through the reader $R_j$ to establish a session key $SK_{ST}$ in this protocol. It is divided into two parts. The tag enrollment or startup phase is the first step, in which the tag talks with $S$ via a secure connection to provide the needed data. The login and authentication phase is the second phase of the protocol, and it is used to perform mutual authentication and share the session key $SK_{ST} = SK_{TS}$.
This part of the communication takes place via a public network. We have made use of the notations as shown in Table 4.
In the initialization phase of RSEAP2, the server $S$ chooses an elliptic curve $E(F_q)$ over $F_q$ and a generator $g$ over $G$. It also selects $x_s \in F_q^*$ as its secret key and its public key will be $x_s.g$. Any tag $T_i$ which aims to register with $S$ inputs its $ID_{T_i}$ and $pw_{T_i}$, generates a random value $R_{T_i} \in F_q$, computes $PWT = h(ID_{T_i} \| (pw_{T_i} \oplus R_{T_i}))$, and sends the tuple $M_{R1} = PWT, ID_{T_i}, TS_{R1}$ to $S$. Once $S$ has received $M_1$, it first verifies the timestamp, that is, |TS R2 − TS R1 | ? ≤ t TS xΔT. Next, it generates $sn_i \in F_q$ and sets it as the $T_i$'s serial number, computes
The description of the protocol is as follows: L2.
The reader checks the timestamp, that is, If so, it sets $SK_{TS}$ as the session key.

Inefficient Mutual Authentication Attack.
On receiving the message $M_2$ from the reader $R_j$, the cloud database server $S$ extracts and computes to validate the user and reader. The details are as follows:
(1) The cloud server performs the computations and validates the timestamps such as
(3) After the successful authentication on $R_j$ parameters, ) the authenticity of the user. But the conflict here is that the cloud server fails to compute the proper session key to pass it on to the tag for the validation. The reason is that the cloud server could not retrieve the random values generated by the tag and reader such as $\alpha, \beta \in F_q^*$, and in the session key the cloud server uses the value $(\alpha.\beta.c.g \oplus x_s.\alpha.g)$ without the knowledge of the random numbers. Though the cloud server performs this computation, the result would certainly be a garbage value which the tag cannot validate at any given point of time. Thus, this scheme is inefficient in performing mutual authentication.

Inefficient Session Key Establishment Attack.
On receiving the message $m_3$ from the cloud server, the tag performs the mutual authentication verification. But the verification fails. The details are as follows:
(1) As discussed in Section 5.1 above, the cloud server fails to compute the authentic session key. However, on receiving the message from the cloud server, $T_i$ verifies the timestamp, that is,
(2) The tag $T_i$ has neither retrieved nor is able to derive the value $(\alpha.\beta.c.g \oplus x_s.\alpha.g)$, but it still performs the computation to validate the session key.
This validation never succeeds, since without the proper parameters and values the verification fails, and the tag and the cloud server cannot establish the session key for future communications. Thus, this scheme is inefficient in performing session key establishment.

Denial-of-Service Attack.
According to RSEAP2's scheme, the legitimate participants try to communicate with each other and get the services as and when required, but from the security flaws shown above in Sections 5.1 and 5.2, we understood that the scheme fails to establish the session key and mutual authentication.
This is conclusive evidence that the scheme fails to provide services to the participants even though the tag and readers are legitimate participants in the system. Hence, this scheme is prone to the denial-of-service attack.

Our Proposed Scheme
This section presents the proposed secure authentication protocol and the program architecture, which is divided into a tag, a reader, and a cloud server for parallel processing, with each component working independently. In this architecture, as shown in Figure 2, the tag initiates the communication by computing the validating message and transmits the validating message with a virtual ID to the reader. Upon receiving the message, it challenges the reader to validate the message.
Thus, the reader computes the validating message and transmits the validating message with the virtual ID to the cloud server for further processing. Once the message is received by the cloud server, it validates the reader message, whereby the cloud server authenticates the reader and tag. After the successful authentication, it computes the session key to establish the key. Further, at the next stage, the reader receives Ack1 and Ack2 from the cloud server as an acknowledgment. Then the check happens in the next stage, where the tag receives Ack1 from the reader. Finally, once the check is successful, the tag establishes the session key and ends the process (see process flow diagram in Figure 2). In this section, we present our proposed scheme. In the initialization phase, the server $S$ chooses an elliptic curve $E(F_q)$ over $F_q$ and a generator $g$ over $G$. It also selects $x_s \in F_q^*$ as its secret key and its public key will be $x_s \cdot g$. Any tag $T_i$ which aims to register with $S$ inputs its $ID_{T_i}$, $pw_{T_i}$
The illustration of the tag registration and reader registration is shown in Table 5 and Table 6, respectively.

Login and Authentication Phase.
To access the services from $S$, $T_i$ needs to establish a session key with $S$. The following steps are followed by $T_i$, $R_j$, and $S$ during this phase. The illustration is shown in Table 7.

Formal Security Analysis
Formal security examination strategies are usually used to inspect and evaluate diverse verification schemes. According to the literature [25], various security assessment systems can be used to evaluate authentication methods. In this article, we used the ROR security model.

ROR Model-Based Proof.
Under this model, the adversary, say $A$, has access to a set of queries on executing entities, including CorruptTi ($T_i$), Test ($P^t$), Execute ($T_i$, $S_j$), and Reveal ($P^t$), which simulate a real attack. The descriptions of these queries are given in Table 8. The ROR model components are as follows:
(i) Participants: The participants associated with the proposed scheme are the tag $T_i$, reader $R_j$, or a cloud server $S_j$. The instances $t_1$ and $t_2$ of $T_i$ and $S_j$ are marked as $P^{t_1}_{T_i}$ and $P^{t_2}_{S_j}$, which are known as oracles.
(ii) Accepted state: If the peer points achieve an accepted status when the final communication has been authenticated, the instance "$P^t$" comes under "accepted state." For the ongoing session, sid is a $P^t$ session ID created in a sequence by $P^t$ after the sent and received messages were rearranged.
(iii) Partnering: The following conditions must be met for $P^{t_1}$ and $P^{t_2}$ to be partnered: (1) They are in "accepted states." (2) They possess the same sid and also "authenticate mutually with each other." (3) They are also "mutual partners of each other."
(iv) Freshness: $P^{t_1}_{T_i}$ or $P^{t_2}_{S_j}$ is fresh when the constructed session key between $T_i$ and $S_j$ is not leaked to $A$ using the Reveal ($P^t$) query listed in Table 8. The proposed scheme undergoes "semantic security" as defined in Definition 1.

Definition 1. If $Adv^{Rfid-PUF}_{A}(t_p)$ is the "advantage of an adversary $A$ running in polynomial time $t_p$ in breaching the semantic security of $Rfid-PUF$ to extract the session key ($SK_{TS}$) among a tag $T_i$ and a cloud server $S_j$," Adv
Furthermore, Definition 2 is about "collision-resistant one-way hash function" and Definition 3 is about "elliptic curve decisional Diffie-Hellman problem (ECDDHP)," for briefing $Rfid-PUF$.

Definition 2.
A "deterministic function," say h: , is a "one-way collision-resistant hash function" if it produces fixed length of $l_b$ bits output string $h(m) \in \{0, 1\}^{l_b}$ as "hash value or message digest" upon an arbitrary length input string $m \in \{0, 1\}^*$. Let an adversary $A$ want to find a hash collision. Then, the "advantage" of $A$ in attacking "hash collision" is provided by Adv Hash
Pr(X) here shows the chance that the pair will be randomly picked by $A$ in the case of "random event X" and $(m_1, m_2) \leftarrow_r A$. The attack of $(\eta, t)$-adversary of $A$ to the resistance of collision of $h(\cdot)$ indicates that the maximum runtime of t h to the Adv Hash

[Table fragment] Verifies $TS_{LA1}$ and $TS_{LA3}$; Extracts; Verifies $TS_{LA5}$ and computes; to set $SK_{TS}$ as the session key

Definition 3.
Consider an elliptic curve $E_q(u, v)$ and a point $P$, the ECDDHP is "for a quadruple $\langle P, uv_1.P, uv_2.P, uv_3.P \rangle$, decide whether $uv_3 = uv_1 \cdot uv_2$ or it is a uniform value," where $uv_1, uv_2, uv_3 \in Z_q^*$ ($= \{1, 2, \ldots, q - 1\}$). To make ECDDHP intractable, the chosen prime $q$ needs to be at least 160-bit number.

Theorem 1.
Suppose our scheme ($Rfid-PUF$) runs in "polynomial time $t_p$" and the adversary $A$ is working to gain advantage on $Rfid-PUF$. If $query_h$, $|Hash|$, and $Adv^{ECDDHP}_{A}(t_p)$ indicate the "cardinality of hash queries," "size of one-way hash function $h(\cdot)$," and "$A$'s advantage in breaching ECDDHP in time $t_p$ (see Definition III-A)," respectively, and chosen passwords follow the Zipf's law [26], then the bit-lengths of the PUF key $PUF(C^*)$ where $*$ refers to $T_i/R_j$ and the tag identity $ID_{T_i}$ are $l_1$ and $l_2$, respectively, $c'$ and $sc'$ are the Zipf's parameters [26] respectively, $A$'s advantage in compromising the semantic security of the proposed scheme $Rfid-PUF$ is Adv

Proof.
This proof is presented in a way similar to that used for authentication protocols. Here four games $G_k$ ($k = 0, 1, 2, 3$) are played in the proof, where $G_0$ is the starting game and $G_3$ is the finishing game. We define $Succ^{G_k}_{A}$ as "an event wherein $A$ can guess the random bit $c$ in the game $G_k$ correctly" and also the "advantage of $A$ in winning the game $G_k$ as Adv ." The detailed study of these games is as follows:
$G_0$: $G_0$ is the same as the real ROR model protocol. Therefore, the semantic security of $Rfid-PUF$ is defined in Definition 1.

Rfid−PUF
$G_1$: In this game, we model the "eavesdropping attack" in which $A$ can intercept all the communicated messages $M_1 = (pid_{T_i} \| A_{T_i} \| W_1) \oplus \alpha.x_s.g, \alpha.g, TS_{LA1}$, LA5 , $\beta.g$}, and $M_4 = W_3, \beta.g, TS_{LA5}$ while executing the "authentication and key agreement phase" in Section A using the Execute query as discussed in Table 8. To confirm whether the "calculated session key $SK_{TS}$ between $T_i$ and $S$ is real or a random number," $A$ can execute both Reveal and Test queries. The established session key is $SK_{ST} = h((ID^*_{T_i} \oplus A_{T_i}) \| (\alpha.\beta.g \| x_s.\alpha.g) \| t(sn_i \oplus (TS_{LA1} \| TS_{LA5}))) = SK_{TS}$. It is worth noting that the security of the session key depends on both the "temporary secrets" $\alpha$ and $\beta$ and the long-term secrets of $T_i$ and $S$, which cannot be recovered by eavesdropping on the messages $M_1$, $M_2$, $M_3$, and $M_4$. Therefore, this "eavesdropping attack" does not give $A$ any advantage or increase in winning probability in $G_1$. This shows that the games $G_0$ and $G_1$ become "indistinguishable," and thus we obtain the following result: (2)
$G_2$: In this game, the hash queries are simulated. Both $A_{T_i}$ and $TS_{LA1}$ are altered in the $M_1$ message. Similarly, $M_2$, $M_3$, and $M_4$ are equally unpredictable, as they include random timestamps and random numbers such as $A_{R_j}$, $\alpha_{R_j}$, $TS_{LA3}$, $pid^*_{T_i}$, $sn_i$, and $TS_{LA5}$. So, no collision occurs when $A$ makes hash queries. Since both $G_1$ and $G_2$ are "indistinguishable" except for the inclusion of the $G_2$ simulations, we obtain birthday paradox outcomes as
$G_3$: The CorruptTi ($T_i$) query is implemented in this final game. Therefore, by performing this query, the adversary $A$ extracts the credentials $A_{T_i}$, $pid_{T_i}$, $\alpha_{T_i}$, $\alpha_{R_j}$, $A_{R_j}$, $pid_{R_j}$ from a compromised tag $T_i$. The probabilities that $A$ correctly guesses the physically unclonable function secret key $PUF(C^*)$ of bit-length $l_1$ and the user identity $ID_{T_i}$ of bit-length $l_2$ are $query_s / 2^{l_1}$ and $query_s / 2^{l_2}$, respectively.
Since the passwords selected by users tend to obey Zipf's law, the advantage of $A$ using trawling attacks is more than 0.5 if $query_s = 10^7$ or $10^8$. If $A$ can exploit a user's personal data for a targeted attack, then $query_s \le 10^6$ gives $A$ an advantage over 0.5.
Furthermore, $A$ will have all the intercepted messages $M_1$, $M_2$, $M_3$, and $M_4$. To derive the session key $SK_{ST} = h((ID^*_{T_i} \oplus A_{T_i}) \| (\alpha.\beta.g \| x_s.\alpha.g) \| t(sn_i \oplus (TS_{LA1} \| TS_{LA5}))) = SK_{TS}$ shared between $T_i$ and $S$, $A$ needs to calculate $h(\alpha_{R_j} \oplus ID_{R_j})$, $(A^*_{T_i} \| ID_{T_i})$, which in a polynomially restricted time $t_p$ is computationally costly owing to the intractability of ECDDHP. Since the games $G_2$ and $G_3$ are "indistinguishable" except for the inclusion of the CorruptTi ($T_i$) query and ECDDHP, the following is obtained

Query
Significance A can extract the stored credentials by compromised tag T i 's memory is supports A in intercepting communications between T i and S j Reveal (P t ) is allows A to obtain the SK ST (� SK TS ) session key from P t and its partner Test (P t ) It allows A to request P t for the session key SK TS (� SK ST ) and is probably a consequence of a flickered "unbiased coin c" P t output Proof. e tag Ti simply transmits the message M 1 � (pid Ti ‖A Ti ‖W 1 )⊕α.x s .g, α.g, TS LA1 , with Only (pid Ti ‖A Ti ‖W 1 ) of this message can be utilized to identify the tag. On each session, the variables alpha and TS LA1 masked and randomized the token described above. e attacker has no control over any of these values. If a collision happens on the specified value by T i in the worst-case scenario, the adversary could detect it by monitoring the alpha.g fraction of M 1 , and then T i could be monitored. However, the adversary's advantage in finding a collision after N protocol sessions is O(N 2 /|F * q |), which is modest enough in practice. Furthermore, M 1 makes no mention of R j or S. e reader R j delivers M 2 � M 1 , TS LA3 , (W 2 ‖pid Rj ) to S, where (W 2 ‖pid Rj ) may be used to monitor the reader and determine whether the W 2 fraction has a collision. Similarly, after N protocol executions, the adversary has an advantage of O(N 2 /|F * q |) in detecting a collision. As a result, the opponent's chances of success are slim.
On the other hand, for the reader $R_j$ and the server $S$, each of the tokens $W_3$ and $W_4$ is randomized in each session. As a result, an adversary is unable to retrieve data that could aid in breaching the protocol's location privacy.
Finally, $R_j$ sends $M_4 = W_3,\ \beta.g,\ TS_{LA5}$ to $T_i$. The adversary's only target in this communication could be $W_3$. This token is a function of $SK_{TS} = h((ID_{Ti} \oplus A_{Ti}) \| (\alpha.\beta.g \| x_s.\alpha.g) \| t(sn_i \oplus (TS_{LA1} \| TS_{LA5})))$, which is randomized by $T_i$, $R_j$, and $S$ in each session.
Overall, the location privacy of all of our entities (i.e., $T_i$, $R_j$, and $S$) is guaranteed by our protocol.

Proposition 2. Mutual authentication and session key agreement
Proof. It is obvious that the pairs $(S, T_i)$ and $(S, R_j)$ are mutually authenticated if a legitimate tag $T_i$ connects with an honest server $S$ through a valid reader $R_j$ and within acceptable time thresholds. However, we do not require mutual authentication between the reader $R_j$ and the tag $T_i$ in this protocol. In more detail, $S$ is the source of trust for $T_i$, while $R_j$ is only a gateway to $S$. The following is a list of the session key's correctness and mutual agreement: Correction Proof:

Security and Communication Networks
Because the tag and the server have mutual authentication, $S$ has already authenticated $R_j$, and $T_i$ may trust the reader $R_j$. As a result, our technique ensures mutual authentication and establishes suitable session key agreement.

Proposition 3. Physical security
Proof. According to the characteristics of a PUF, any alteration or damage to a device with a built-in PUF will cause the PUF to respond differently or the device to become unavailable. It is impossible to collect any relevant information in an accessible environment since car sensors do not preserve any information. Physical attacks, aside from rendering the hardware components in the proposed protocol ineffective, are unable to extract any relevant information. As a result, the suggested protocol can ensure the system's physical security.

Proposition 4. Achieving forward secrecy
Proof. In our proposed scheme, the session key is computed as

This session key is established between the tag $T_i$ and the server $S$. If $\mathcal{A}$ wishes to compromise the session key, $\mathcal{A}$ requires knowledge of the session-specific random values $\alpha$, $\beta$, the fixed value $\alpha_{Ti}$, and the identities of the participants involved in the session key establishment. Now, even if $pw_{Ti}$ and $pa_{Ti}$ are compromised by $\mathcal{A}$, the attacker fails to compute $W_1$ due to the lack of knowledge of $C_{Ti}$ or the random values $\alpha$, $\beta$ and the fixed value $\alpha_{Ti}$. Thus, $\mathcal{A}$ does not gain any advantage even if he compromises $pw_{Ti}$ and $pa_{Ti}$. Therefore, $\mathcal{A}$ cannot compute the previous/current/future session keys.

The reader $R_j$ authenticates $S$, $M_3$ partially and the tag $T_i$ totally. The use of random integers and the one-way hash function ensures the integrity of all messages. Any alteration to the conveyed message causes the receiver to reject the message.
For instance, consider , which should be authenticated by $S$. The server $S$ first checks $TS_{LA4} - TS_{LA1} \stackrel{?}{\le} \Delta T$. As a result, if the adversary replays the message, $S$ will reject it. Then, $S$ extracts $(pid^*_{Ti} \| A^*_{Ti} \| W^*_1)$, retrieves the related $sn_i$ value using $ID_{Ti}$ and $\alpha_{Ti}$, and computes and verifies to accept the message. It is clear that any modification in $TS_{LA}$, $\alpha.g$, or $(pid^*_{Ti} \| A^*_{Ti} \| W^*_1)$ reduces the probability that $W^*_1 \stackrel{?}{=} W_1$ holds to $2^{-n}$, where $n$ is the hash length, for example 256 bits for SHA-256. The other messages in the protocol can be reasoned about in the same way. As a result, our protocol ensures message authentication between the parties involved.
□

Proposition 6. Replay attack

Proof. In a replay attack, the adversary attempts to use a previously exchanged message at a later time $t'$. Any message received outside of the threshold time (a preset factor of $\Delta T$) is likely to be rejected in our protocol. Aside from that, the one-way hash function ensures the integrity of timestamps. As a result, replay attacks against our protocol are impossible.

Finally, the adversary may break the tag's anonymity if he extracted $x_s.g$ from the $\alpha.x_s.g$ and $\alpha.g$ pair. It is most likely the same as solving ECCDHP, which is known to be a difficult task (see Section 3.1). Aside from $x_s.\alpha.g$, $\beta.\alpha.g$, which is contributed by $T_i$ through sending $\alpha.g$, this token is randomized by $x_s.\alpha.g$, $\beta.\alpha.g$. Solving an ECCDHP problem, which is a difficult problem, would be required for the disclosure of $\alpha$ and $x_s$. Even if the adversary reveals the band and adapts it appropriately, the adversary still needs to know $ID_{Ti}$ due to $TS_{LA5}$ in $h(\alpha.\beta.g \| SK_{ST} \| A_{Ti} \| pid_{Ti})$, which is not the case. As a result, cheating $R_j$ and successfully mimicking $S$ gives the adversary a $2^{-n}$ advantage. Furthermore, impersonating $S$ in front of $R_j$ is a prerequisite for impersonating $S$ in front of $T_i$. As a result, the attacker cannot effectively impersonate the server $S$ in front of $T_i$ using $R_j$. Only $M_4 = W_3,\ \beta.g,\ TS_{LA5}$, where $W_3 = h(\alpha.\beta.g \| SK_{ST} \| A_{Ti} \| pid_{Ti})$. Unlikely as it may seem, the attacker lacks $ID_{Ti}$. As a result, the adversary's advantage in committing this impersonation attack is negligible (i.e., $2^{-n}$).
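
The receiver-side checks that the replay and server-impersonation arguments above rely on, namely the $\Delta T$ freshness window and the recomputation of $W_3$ over $M_4$, are shown here in Python as an added example that is not the authors' implementation. It assumes a modular-exponentiation group in place of ECC-160, omits the $t(\cdot)$ wrapper of the key formula, assumes the tag holds $x_s.g$ and compares $TS_{LA5}$ with its own clock, and uses constructed values throughout.

```python
import hashlib, hmac

# Stand-in group (assumption): the page's scalar multiplication a.g on ECC-160
# is replaced by pow(G, a, P). Toy parameters, not a secure choice.
P, G = 2**127 - 1, 3
DELTA_T = 5  # acceptance window Delta T in seconds (constructed value)

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def enc(n):
    return n.to_bytes(16, "big")

def session_key(tag, ab_g, xa_g, ts1, ts5):
    # SK = h((ID xor A) || (alpha.beta.g || x_s.alpha.g) || (sn xor (TS_LA1 || TS_LA5)))
    ts = ts1.to_bytes(4, "big") + ts5.to_bytes(4, "big")
    return h(xor(tag["id"], tag["A"]), enc(ab_g), enc(xa_g), xor(tag["sn"], ts))

def w3_token(tag, ab_g, sk):  # W3 = h(alpha.beta.g || SK || A_Ti || pid_Ti)
    return h(enc(ab_g), sk, tag["A"], tag["pid"])

def server_build_m4(tag, x_s, beta, alpha_g, ts1, ts5):
    ab_g, xa_g = pow(alpha_g, beta, P), pow(alpha_g, x_s, P)
    sk = session_key(tag, ab_g, xa_g, ts1, ts5)
    return (w3_token(tag, ab_g, sk), pow(G, beta, P), ts5), sk

def tag_verify_m4(tag, alpha, xs_g, ts1, m4, now):
    w3, beta_g, ts5 = m4
    if not 0 <= now - ts5 <= DELTA_T:
        return None  # outside the Delta T window: replay rejected
    ab_g, xa_g = pow(beta_g, alpha, P), pow(xs_g, alpha, P)
    sk = session_key(tag, ab_g, xa_g, ts1, ts5)
    return sk if hmac.compare_digest(w3, w3_token(tag, ab_g, sk)) else None

def demo():
    tag = {"id": bytes(range(20)), "A": bytes(range(20, 40)),  # constructed values
           "pid": b"pid-Ti-constructed", "sn": bytes(range(8))}
    x_s, alpha, beta, ts1, ts5 = 0x1234567, 0xABCDEF1, 0x7654321, 1000, 1002
    xs_g = pow(G, x_s, P)
    m4, sk_s = server_build_m4(tag, x_s, beta, pow(G, alpha, P), ts1, ts5)
    honest = tag_verify_m4(tag, alpha, xs_g, ts1, m4, now=1003) == sk_s
    replay = tag_verify_m4(tag, alpha, xs_g, ts1, m4, now=1100)
    new_ts = tag_verify_m4(tag, alpha, xs_g, ts1, (m4[0], m4[1], 1099), now=1100)
    new_bg = tag_verify_m4(tag, alpha, xs_g, ts1, (m4[0], pow(G, 99, P), ts5), now=1003)
    return honest, replay, new_ts, new_bg
```

Rewriting $TS_{LA5}$ to get a stale $M_4$ past the freshness window still fails, because the timestamp feeds the session key and therefore $W_3$.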

Proposition 8. Offline password guessing attack
Proof. The rationale for security against this attack is nearly comparable to that of RSEAP2. In a nutshell, the tag's temporary password is calculated as $PWT = h(ID_{Ti} \| (pw_{Ti} \oplus \alpha_{Ti}) \| pa_{Ti})$. Even if the adversary could guess $PWT$, the value $\alpha_{Ti}$, which is a random integer created by the tag $T_i$, is still required. As a result, an adversary who cannot predict $\alpha_{Ti}$ will fail in this attack.

Proposition 9. Desynchronization attack
Proof. Because there is no updating phase of shared parameters after the protocol execution concludes, our proposed technique is immune to desynchronization attacks. The attacker may only block the $M_4$ message if the tag $T_i$ is used to set the session key $SK_{TS}/SK_{ST}$. Because $T_i$ has not received $M_4$ in a timely manner, this entity may need to restart the login and authentication step in order to reestablish the session key. We wish to underline that the aforementioned situation is distinct from an impersonation attack; as previously stated, an adversary cannot impersonate a valid tag. In addition, the tag $T_i$ must start the protocol; otherwise, the server $S$ would reject the request.

Further computes, where $PWT = h(ID_{Ti} \| (pw_{Ti} \oplus \alpha_{Ti}) \| pa_{Ti})$. Likely, the chances for an insider attacker to disclose $pw_{Ti}$ are almost null (i.e., $2^{-n}$).

Proposition 11. Man-in-the-middle attack
Proof. To carry out a successful man-in-the-middle attack, an adversary must be able to impersonate a protocol entity or modify a message without being discovered. Nonetheless, the aforementioned attack will fail in our suggested protocol for the following reasons. First, as we explained in Section 7, the adversary's advantage in impersonating the tag, the reader, or the server is insignificant. Second, we have shown (5) that any change to the transmitted message causes the receiver to reject the received message. Finally, we demonstrated in Section 6 how an adversary cannot properly relay a message to deceive about his distance or replay an earlier message. As a result, the suggested protocol is impenetrable to a man-in-the-middle attack. □

Proposition 12. Ephemeral secret leakage (ESL) attack

Proof. As described in Proposition 2, both $T_i$ and $S$ establish a common session key during the execution of the proposed scheme. The session key is computed as $SK_{TS} = h((ID_{Ti} \oplus A_{Ti}) \| (\alpha.\beta.g \| x_s.\alpha.g) \| t(sn_i \oplus (TS_{LA1} \| TS_{LA5})))$. The SK-security of the proposed scheme relies on the secret credentials, as discussed in the following two cases:

Case 1. Let us consider that $\mathcal{A}$ knows the ephemeral (short-term) secret credentials $\alpha$ and $\beta$. It is computationally infeasible for $\mathcal{A}$ to create the valid session key $SK_{TS}$ without knowledge of the long-term secrets $A_{Rj}$, $A_{Ti}$, $\alpha_{Rj}$, and $x_s$.

Case 2. We assume that some or all of the long-term secrets $A_{Rj}$, $A_{Ti}$, $\alpha_{Rj}$, and $x_s$ are revealed to $\mathcal{A}$. The attacker's task of generating $SK_{TS}$ without the ephemeral secret credentials $\alpha$ and $\beta$ again turns out to be computationally infeasible.
This shows that $\mathcal{A}$ can generate a valid session key $SK_{TS}$ only if both the ephemeral and long-term secret credentials are revealed. Furthermore, if a particular session is compromised, the session keys established in previous and future sessions are completely different from the compromised session key, because each key depends on both the long-term secrets and newly generated random nonces, which are secret and not revealed to $\mathcal{A}$. Therefore, both forward and backward secrecy, along with the SK-security, are preserved in the proposed scheme. Moreover, in the proposed scheme, if a session key is leaked in a particular session through a session hijacking attack, this has no effect on the security of previous or future sessions. Summing up all these cases, the proposed scheme is secure against the ESL attack.

Observations and Performance Analysis
We use the implementation results in [2] "(CPU: Intel(R) Core(TM)2T6570 2.1 GHz, Memory: 4G, OS: Win7 32-bit, Software: Visual C++ 2008, MIRACL C/C++ Library)" to estimate the computation time. Because SHA-2 takes 15.8 cycles per byte [27], it takes $T^{fun}_h = 0.0004 \times (15.8/11.4) = 0.0005$ milliseconds to compute. To be clear, the number $T^{fun}_h$ corresponds to a single call to the SHA-2 compression function (fun). The SHA-2 compression function has a message-block length of 512 bits. We designed the new protocol carefully to reduce the number of calls to this compression function, particularly on the tag side, which is the most limited device. Finally, the time required to calculate a scalar multiplication on ECC-160, represented by $T_{EMP}$, is 7.3529 milliseconds, whereas the time required to calculate a chaotic map is $T_{CH} = T_{EMP}$ [28]. The time needed for encryption/decryption with a symmetric scheme, $T_{Sym}$, varies depending on the symmetric encryption method employed; the stated time for AES is $T_{Sym} = 0.1303$ milliseconds. The details are shown in Table 9.
The hash function output, nonces, timestamps, tag/reader identities, a symmetric encryption output block, and elliptic curve points have bit widths of 160, 160, 32, 160, 128, and 320 bits, respectively, for the performance analysis. We compare the computational and communication expenses of RSEAP2 with our method in Table 10. Because tags are the most limited devices in the system, we focus our investigation on them.
There is no major change in computation time compared to RSEAP2, as shown in Figure 3, only a minor improvement with our approach. Our scheme is much more efficient than RSEAP2 in terms of bits sent (and received), as shown in Figure 4. This entails a significant reduction in power consumption, which is a critical metric in such devices. Finally, in Table 11, we compare and contrast the security qualities afforded by comparable systems with our scheme (see Figure 5 for an instance). To summarize, the new protocol is more efficient and secure than the old one.

Concluding Remarks
In this article, we designed a PUF and RFID-based authentication protocol for the vehicular cloud computing environment, which ensures secure communication among the participating entities such as the tag, the reader, and the cloud server. The uniqueness property of the PUF, together with ECC, offers significant functional advantages in designing secure key establishment and communication. Our proposed protocol efficiently supports revocation and reissue features and a tag-friendly password update/change mechanism. Using the provable random oracle model, we presented the advantage of an adversary in violating the security features. Moreover, through the informal security analysis, we have shown that the proposed scheme successfully prevents all the well-known security attacks on authentication protocols. Our scheme satisfies all 18 security features and incurs a computation cost of $6T^{fun}_h + 2T_{EMP} = 14.7088$ ms, which is comparable with the other schemes. Similarly, our scheme incurs a communication cost of 672 bits in sending mode and 512 bits in receiving mode. Overall, the performance of our proposed scheme is comparable with the related schemes, and it provides more security features than the other related existing protocols.

Data Availability
No data collection method is applied.

Conflicts of Interest
The authors declare that they have no conflicts of interest.