A Provably Secure Three-Factor Authentication Protocol for Wireless Sensor Networks

The wireless sensor network is a network composed of sensor nodes self-organizing through the application of wireless communication technology. The application of wireless sensor networks (WSNs) requires high security, but the transmission of sensitive data may be exposed to the adversary. Therefore, to guarantee the security of information transmission, researchers have proposed numerous security authentication protocols. Recently, Wu et al. proposed a new three-factor authentication protocol for WSNs. However, we find that their protocol cannot resist key compromise impersonation attacks and known session-specific temporary information attacks. Meanwhile, it also violates perfect forward secrecy and anonymity. To overcome the proposed attacks, this paper proposes an enhanced protocol in which the security is verified by the formal analysis and informal analysis, Burrows-Abadi-Needham (BAN) logic, and ProVerif tools. The comparison of security and performance proves that our protocol has higher security and lower computational overhead.


Introduction
With the development of artificial intelligence technologies [1][2][3], the application of sensors has become more common, and the demand for high-end sensors is also increasing day by day. Sensors have developed from wired sensors to today's wireless sensors, and wireless sensors are the most common category in daily applications. The wireless sensor network [4,5] is a self-organizing network formed by multiple functional nodes through wireless communication. These functional nodes include a large number of sensor nodes and gateway nodes. Sensor nodes perceive, collect, process, and transmit the information of the perceived object through the scope covered by the wireless sensor network.
Wireless body area network [6] usually installs sensors on clothes or attached to the human body and can also be implanted into the skin to monitor the user's physical activities and the state of body functions. The physical health data monitored by the sensors are sent to the cloud server for storage and analysis through the Internet of Things (IoTs). Users can view these data through the Internet and understand the physical condition, to achieve the purpose of early treatment of illnesses and reduce the number of deaths due to diseases. Wireless sensors are used in the growth of crops to monitor environmental factors such as humidity, temperature, and light that affect crop growth. The data monitored by the sensors are sent to the gateway node, which can send the data to the user to understand the growth status of crops, achieve the harvesting effect, and increase the income of farmers. The data collected by wireless sensor networks, whether used in military, medical, or other environments, is sensitive and private [7][8][9][10][11][12][13], so it is important to establish a secure authentication mechanism. Figure 1 shows a typical architecture in the wireless sensor network.
In most authentication mechanisms of the wireless sensor networks, there are three components: user, sensor node, and gateway node. This paper will adopt such a structure, after the user logs in to the network, the data in the sensor are obtained through the gateway, and message authentication and key exchange are completed in this process. Since WSN is an open network, only using the password as a factor for encryption authentication will lead to a large number of vulnerabilities. In 2009, Das [14] proposed a protocol for encryption and authentication in wireless sensor network environments with a password and smart card. In 2010, Khan and Alghathbar [15] considered that in the protocol [14], users could not update their passwords and would be subject to internal privilege attacks. To solve these security vulnerabilities, they improved the protocol based on [14]. Chen and Shih [16] believed that [14] had security flaws in mutual authentication. To solve these flaws, they proposed a mutual authentication protocol that could be robust in wireless sensor networks. Vaidya et al. [17] found that Das's protocol [14] could be attacked by stolen smart card attacks, password guessing attacks, and other attacks, so Vaidya et al. improved a two-factor authentication protocol in the WSN environment. In 2016, Vaidya et al. [18] believed that [14][15][16] would be subject to stolen smart card attacks and sensor impersonation attacks and proposed two-factor authentication based on the key agreement in WSNs. Kim et al. [19] pointed out that [18] cannot resist gateway node bypass attacks and user impersonation attacks and eliminated these security flaws by improving the scheme. With the rapid development of WSNs, more and more two-factor schemes have been proposed in the wireless sensor network environments [20][21][22][23].
To solve the security vulnerabilities in two-factor authentication (such as stolen smart card attacks and password guessing attacks), biometric data is added as the third factor to the authentication scheme of the wireless sensor network. In 2010, Yuan et al. [24] found that Wong et al.'s dynamic authentication scheme [25] was vulnerable to the threat of the same ID and the stolen-verifier attack. They proposed a scheme based on biometric user authentication in the wireless sensor network environment. In 2011, Yoon and Yoo [26] found that Yuan et al.'s scheme [24] would be subject to an insider attack and impersonation attack and also had message integrity problems. Then, they proposed a wireless sensor network authentication scheme based on the smart card and biometric without the password. In 2013, Althobaiti et al. [27] pointed out that Yoon et al.'s scheme [26] would be subject to denial of service attacks and proposed an efficient authentication protocol based on biometric for WSNs. In 2015, Das [28] proposed a three-factor user authentication scheme for distributed WSNs. In 2017, Das [29] also proposed a new user authentication scheme based on biometrics. In the same year, Maurya and Sastry [30] considered that [29] would be attacked by a stolen smart card and proposed efficient user authentication protocols for WSNs and the IoTs. In 2018, Wu et al. [31] believed that both [28,29] had security vulnerabilities such as offline password guessing attacks, user impersonation attacks, and violation of perfect forward security and then proposed an improved three-factor scheme. In the same year, Das et al. [32] proposed an authentication scheme based on biometrics to protect user privacy in the cloud environment. Then, Ryu et al. [33] pointed out that [31] could not provide user anonymity and was also subject to user impersonation attacks.
In 2019, Hussain and Chaudhry [34] found that [32] would be subject to the smart card stolen attacks and traceability attacks and could not provide perfect forward security. In the same year, Chen et al. [35] proposed an improved three-factor authentication scheme under the medical wireless sensor network.
Recently, Wu et al. [36] believed that [32,35] were attacked by the off-line password guessing attacks. Therefore, they proposed a new three-factor authentication protocol for wireless sensor networks with the concept of the Internet of Things and claimed that the protocol has higher security advantages. However, we found that their protocol cannot resist key compromise impersonation attacks, violates perfect forward security, cannot provide anonymity, and cannot resist known session-specific temporary information attacks. This paper presents an improved three-factor authentication protocol for provable security. Through the formal analysis in the Real-Or-Random (ROR) model and the informal analysis, the security of the protocol is proved. Further, we also prove the security through BAN logic and ProVerif tools. The comparison of security and performance proves that the improved protocol has higher security and lower computational overhead.

Wireless Communications and Mobile Computing
The framework of the rest of this paper is as follows. In the second and third sections, we give a brief review and cryptanalysis of the protocol proposed by Wu et al. Section 4 describes the improved protocol in detail. Section 5 is the security proof of the improved protocol. Section 6 is the comparison of performance and security. Section 7 is the summary of the whole paper.

Review of Wu et al.'s Protocol
Wu et al.'s protocol [36] mainly includes two phases: registration and authentication and key exchange. The symbols and descriptions used in this paper are shown in Table 1.
2.1. Registration. Sensor Node Registration. Sensor $S_j$ selects its own identity $SID_j$ and sends $SID_j$ to gateway node GWN. Then, GWN selects $x$ as the master key and computes $SM_j = h(SID_j \| x)$. Finally, GWN sends $SM_j$ to $S_j$.
User Registration. User $U_i$ selects his own $ID_i$ and sends it to the system administrator SA. Then, SA checks whether $ID_i$ exists in its database. If it exists, reject the request. Otherwise, SA selects $SCN_i$, $PID_i$ and computes $B_1 = h(PID_i \| x)$, $B_2 = h(SCN_i \| x)$. The values $\{B_1, B_2, SCN_i, PID_i, H(\cdot)\}$ are stored in a smart card SC and $ID_i$ is stored in SA's database. Finally, SA sends SC to $U_i$. Upon receiving the smart card, $U_i$ enters his $PW_i$, $B_i$, selects $r_0$, and computes $C_0 = H(B_i)$, Then, $U_i$ stores $\{C_1, C_2, C_3\}$ to SC and deletes $\{B_1, B_2\}$ from SC. Note that all communications in this phase are based on a secure channel.

Authentication and Key Exchange. $U_i$ inserts SC and enters $ID_i$, $PW_i$, and $B_i$. Then, the smart card selects $N_1$, $T_1$ and computes $C_0 = H(B_i)$, GWN first checks whether $T_1$ is valid. If it times out, the request is terminated. Otherwise, GWN calculates $B_1 = h(PID_i \| x)$, $N_1 = D_1 \oplus B_1$, $ID_i = D_2 \oplus h(PID_i \| N_1 \| T_1)$ and then searches for $ID_i$ in its database. If it is not found, terminates. Otherwise, GWN computes $SCN_i = D_3 \oplus h(ID_i \| N_1 \| T_1)$, $B_2 = h(SCN_i \| x)$, $SID_j = D_4 \oplus h(B_2 \| N_1 \| T_1)$, and verifies $D_5 \overset{?}{=} h(ID_i \| PID_i \| SCN_i \| N_1 \| SID_j)$. If the verification holds, GWN selects $T_2$ and calculates $SM_j = h(SID_j \| x)$, $D_6 = N_1 \oplus h(ID_g \| SM_j \| T_2)$, and $D_7 = h(N_1 \| SM_j \| SID_j)$. Finally, GWN sends $M_2 = \{D_6, D_7, ID_g, T_2\}$ to $S_j$.
$S_j$ first checks whether $T_2$ is valid. If it times out, the communication is terminated. Otherwise, $S_j$ calculates $N_1 = D_6 \oplus h(ID_g \| SM_j \| T_2)$ and verifies $D_7 \overset{?}{=} h(N_1 \| SM_j \| SID_j)$. If the verification holds, $S_j$ selects $T_3$, $N_2$ and computes $SK_s = h(N_1 \| N_2)$, $D_8 = N_1 \oplus N_2$, and $D_9 = h(SK_s \| SM_j \| ID_g \| SID_j \| T_3)$. Finally, $S_j$ sends $M_3 = \{D_8, D_9, T_3\}$ to GWN.
GWN first checks whether $T_3$ is valid. If it times out, the communication is terminated. Otherwise, GWN calculates

Cryptanalysis of Wu et al.'s Protocol
In this section, we found that Wu et al.'s protocol [36] is subject to key compromise impersonation attacks and known session-specific temporary information attacks. Meanwhile, their protocol violates perfect forward secrecy and anonymity.
Here, we define the capabilities of adversary A according to the literature [29,35,37].
(1) Messages transmitted over public channels can be eavesdropped, intercepted, modified, and replayed by A
(2) A may try to guess the user's password and identity in polynomial time
Note that stealing the smart card and obtaining the long-term key cannot be performed at the same time in the attacks we propose below.
3.1. Key Compromise Impersonation Attacks. Key compromise impersonation attacks [38] mean that adversary A knows the long-term key of one entity and tries to impersonate the other entity. Here, we assume that A obtains the long-term private key $x$ of GWN. After intercepting $M_1 = \{PID_i,$ In the following, we show that A can impersonate $S_j$ to establish a session key with $U_i$ by the above values.
(1) A intercepts $M_2 = \{D_6, D_7, ID_g, T_2\}$ and selects a random number $N_2'$ and timestamp $T_A$. Then, A computes $SK_A = h(N_1 \| N_2')$,
(2) GWN checks whether $T_A$ is valid. If it times out, the communication is terminated. Otherwise, GWN calculates $N_2' = D_8' \oplus N_1$, $SK_g = h(N_1 \| N_2')$, and verifies $D_9' = h(SK_g \| SM_j \| ID_g \| SID_j \| T_A)$. The following steps are similar to the authentication phase in Subsection
It is easy to see that the result is true
Thus, $U_i$ believes that he can establish a session key

Violating Perfect Forward Secrecy and Anonymity.
By the similar attack approach in Subsection 3.1, suppose that A gets $x$ and intercepts $M_1$, $M_3$. Then, A can recover In other words, Wu et al.'s protocol violates perfect forward secrecy and anonymity.

Known Session-Specific Temporary Information Attacks.
Here, assume that the adversary A gets the temporary value $N_1$ and intercepts $M_3 = \{D_8, D_9, T_3\}$. Then, A can recover the current session key $SK = h(N_1$ In the next section, A may intercept messages $M_1'$, $M_3'$, and $M_4'$ to recover ′) can be computed. Thus, under a known session-specific temporary information attack approach, we can conclude that Wu et al.'s protocol not only violates "perfect forward secrecy" but also does not provide "backward secrecy."

Improved Protocol
To fix the security flaws we identified in Wu et al.'s protocol [36], an enhanced protocol is presented.

4.1. Registration. Sensor Node Registration. $S_j$ selects $SID_j$, $s_j$ and sends $\{SID_j, s_j\}$ to GWN via a secure channel. Then, GWN calculates $SM_j = h(SID_j \| s_j \| x)$, $s_1 = s_j \oplus SM_j$, and stores $s_j$ in its database. Finally, GWN sends $s_1$ to $S_j$. After receiving $s_1$, $S_j$ computes $SM_j = s_j \oplus s_1$ and stores it in its memory.
User Registration.
whether $ID_i$ exists in its database. If so, the relevant records in the database are deleted and registration is performed again. Otherwise, SA selects $g_i$ and computes $A_1 = h(g_i \| HID_i \| x \| ID_i)$, $A_2 = A_1 \oplus P_i$, and $A_3 = h(HID_i \| P_i)$. Then, SA stores $\{A_2, A_3\}$ in SC and sends SC to $U_i$ via a secure channel. Meanwhile, $\{HID_i, ID_i, g_i\}$ is stored in SA's database. After receiving SC, $U_i$ stores $\tau_i$ in SC.
The sensor node registration phase and the user registration phase are shown in Figure 2.

Authentication and Key Exchange. $U_i$ inserts SC and enters
Upon receiving $M_1$, GWN first checks whether $T_1$ is valid. If it times out, the communication is terminated. Otherwise, GWN uses $HID_i$ to find the corresponding $\{ID_i, g_i\}$ in its database and computes If the verification holds, GWN generates $N_2$, $T_2$ and computes $SM_j = h(SID_j \| s_j \| x)$,
Upon receiving $M_2$, $S_j$ first checks whether $T_2$ is valid. If it times out, the communication is terminated. Otherwise,
Upon receiving $M_3$, GWN first checks whether $T_3$ is valid. If it times out, the communication is terminated. Otherwise, GWN computes $N_3 = C_8 \oplus h(N_1 \| N_2)$, $SK_g = h(N_1 \| N_2 \| N_3 \| HID_j \| SID_j)$ and verifies $C_9 \overset{?}{=} h(SK_g \| SM_j \| SID_j \| T_3)$. If the verification holds, GWN generates $T_4$ and computes $C_{10} = N_2 \oplus h(A_1 \| P_i \| N_1 \| T_4)$,
Upon receiving $M_4$, $U_i$ first checks whether $T_4$ is valid. If it times out, the communication is terminated. Otherwise, $U_i$ computes $N_2 = C_{10} \oplus h(A_1 \| P_i \| N_1 \| T_4)$, $N_3 = C_8 \oplus h(N_1 \| N_2)$, $SK_u = h(N_1 \| N_2 \| N_3 \| HID_j \| SID_j)$ and verifies $C_{11} \overset{?}{=} h(SK_u \| A_1 \| P_i \| ID_i \| T_4)$. If the verification holds, $SK_u = SK_g = SK_s$ is set as a session key used to communicate between $U_i$, GWN, and $S_j$.
The authentication and key exchange phase is shown in Figure 3.
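Added example (not from the paper or its authors): a Python model of why the masking D8 = N1 xor N2 in Wu et al.'s M3 ties the session key to N1 alone, next to the C8/C10 masking defined above, where unmasking N2 also needs A1 and P_i. It assumes SHA-256 for h, 160-bit nonces, and pads truncated to the nonce length; the function names and all sample values are constructed, and only the user and gateway values given on the page are modelled.

```python
import hashlib
import secrets

NONCE_LEN = 20  # 160-bit random numbers, the size the paper assumes


def h(*parts: bytes) -> bytes:
    """h(a || b || ...). SHA-256 stands in for the paper's hash (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(value: bytes, pad: bytes) -> bytes:
    """XOR a nonce with a pad; zip() truncates the pad to the nonce length (assumption)."""
    return bytes(a ^ b for a, b in zip(value, pad))


# ---- Wu et al.'s protocol: sensor reply M3 = {D8, D9, T3} ----

def wu_sensor_reply(n1: bytes, n2: bytes):
    sk_s = h(n1, n2)   # SK_s = h(N1 || N2)
    d8 = xor(n1, n2)   # D8 = N1 xor N2, sent on the public channel
    return sk_s, d8


def wu_key_from_leaked_n1(n1: bytes, d8: bytes) -> bytes:
    """With N1 exposed, the public D8 unmasks N2 and the key follows."""
    n2 = xor(d8, n1)
    return h(n1, n2)


# ---- Improved protocol: gateway values C8 and C10 ----

def improved_gateway_values(n1, n2, n3, a1, p_i, t4, hid, sid):
    sk_g = h(n1, n2, n3, hid, sid)       # SK_g = h(N1 || N2 || N3 || HID || SID)
    c8 = xor(n3, h(n1, n2))              # from N3 = C8 xor h(N1 || N2)
    c10 = xor(n2, h(a1, p_i, n1, t4))    # C10 = N2 xor h(A1 || P_i || N1 || T4)
    return sk_g, c8, c10


def improved_key_from(n1, c8, c10, a1, p_i, t4, hid, sid) -> bytes:
    """The user's computation on M4; it needs A1 and P_i in addition to N1."""
    n2 = xor(c10, h(a1, p_i, n1, t4))
    n3 = xor(c8, h(n1, n2))
    return h(n1, n2, n3, hid, sid)


def demo() -> dict:
    # All values below are constructed for the example.
    n1, n2, n3 = (secrets.token_bytes(NONCE_LEN) for _ in range(3))
    a1, p_i = secrets.token_bytes(32), secrets.token_bytes(32)
    hid, sid = h(b"constructed-hid"), b"constructed-sid"
    t4 = (1700000000).to_bytes(4, "big")  # 32-bit timestamp

    wu_sk, d8 = wu_sensor_reply(n1, n2)
    sk, c8, c10 = improved_gateway_values(n1, n2, n3, a1, p_i, t4, hid, sid)

    # Same leaked N1 and public values, but A1 and P_i replaced by guesses.
    guess_a1, guess_p = secrets.token_bytes(32), secrets.token_bytes(32)
    return {
        "wu_key_recovered_from_n1": wu_key_from_leaked_n1(n1, d8) == wu_sk,
        "improved_user_agrees": improved_key_from(
            n1, c8, c10, a1, p_i, t4, hid, sid) == sk,
        "improved_key_from_n1_and_guessed_secrets": improved_key_from(
            n1, c8, c10, guess_a1, guess_p, t4, hid, sid) == sk,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```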

Correctness by BAN Logic.
In this subsection, we use BAN logic to show the correctness of our improved protocol. As far as the proposed protocol is concerned, we need to prove that U i , S j , and GWN share a session key SK through rigorous logical analysis. The symbols and rules used for BAN logic are referred to [39][40][41].

Formal Security Analysis.
In this section, we perform a formal security analysis of the improved protocol in the ROR model [42][43][44][45][46][47][48]. The proposed protocol involves three entities, $U_i$, $S_j$, and GWN. We use $\Pi_U^x$, $\Pi_S^y$, and $\Pi_{GWN}^z$ to represent the $x$th instance of $U_i$, the $y$th instance of $S_j$, and the $z$th instance of GWN, respectively. Here, we define that adversary A has the ability to initiate the following query. Note
(v) $Test(O)$: if A executes this query, it flips a coin $C$. If $C = 1$, then A can get the correct session key; if $C = 0$, A gets a random string of the same length as the session key
Theorem 1. In the ROR model, assume that A can make Execute, Send, Hash, Corrupt, and Test queries. Then, the advantage of A to break the proposed protocol $P$ in polynomial time $\xi$ is $Adv_A^P(\xi) \le \frac{q_{send}}{2^{l-2}} + \frac{3q_{hash}^2}{2^{l-1}} + 2\max\{C' \cdot q_{send}^{s'}, \frac{q_{send}}{2^l}\}$, where $q_{send}$ is the number of times to execute Send queries, $q_{hash}$ is the number of times to execute Hash queries, $C'$ and $s'$ are two constants [49], and $l$ is the bits of biological information.
Proof. We prove this theorem by following game sequences $GM_0$ to $GM_5$. $Succ_A^{GM_n}(\xi)$ is defined by the probability that A succeeds in $GM_n$, which is the probability that $C = 1$. The detailed simulations of queries in real attacks are shown in Tables 2 and 3. The details are as follows.
$GM_0$: Flip $C$ to start the game. $GM_0$ is a game played without any queries. Therefore, we can get the probability of A successfully breaking $P$ as
$GM_1$: The difference between $GM_1$ and $GM_0$ is that $GM_1$ adds the Execute query. In $GM_1$, A just gets messages $M_1 = \{HID_i, C_1, C_2, C_3, C_4, T_1\}$, $M_2 = \{HID_i, C_5, C_6, C_7, T_2\}$, $M_3 = \{C_8, C_9, T_3\}$, and $M_4 = \{C_8, C_{10}, C_{11}, T_4\}$. After $GM_1$ is over, A queries the session key through Test, but $N_1$, $N_2$, and $N_3$ are all confidential to A. Therefore, the probability of $GM_1$ and $GM_0$ is equal, that is,
$GM_2$: The difference between $GM_2$ and $GM_1$ is that $GM_2$ adds the Send query. According to Zipf's law [49], we can get |Pr Succ
The difference between $GM_3$ and $GM_2$ is that $GM_3$ adds the Hash query and deletes the Send query. According to the birthday paradox, we can get |Pr Succ
$GM_4$: In this game, we discuss the security of the session key in two cases. The first is to obtain the long-term private key $x$ of $\Pi_{GWN}^z$ to verify the perfect forward security; the second is to get temporary information to verify whether the known session-specific temporary information attacks can be resisted.
(1) Perfect forward security. A uses $\Pi_{GWN}^z$ to try to get the private key $x$ of GWN or uses $\Pi_U^x$ or $\Pi_S^y$ to try to get a secret value in the registration phase
(2) Known session-specific temporary information attacks. A uses either $\Pi_U^x$ or $\Pi_S^y$ or $\Pi_{GWN}^z$ to try to obtain the temporary information of the corresponding party
In both cases, A can only compute the session key through Send and Hash queries. For the first case, if A only knows the private key $x$ of GWN, or a secret value of $\Pi_U^x$ or $\Pi_S^y$ in the registration phase, it cannot get the temporary information $N_1$, $N_2$, and $N_3$ in $SK = h(N_1 \| N_2 \| N_3 \| HID_j \| SID_j)$. For the second case, we assume that A gets $N_1$, but $N_2$ and $N_3$ are kept secret. Similarly, if $N_2$ or $N_3$ is leaked, the session key cannot be calculated. Therefore, we have |Pr Succ
$GM_5$: In this game, A uses $Corrupt(\Pi_U^x)$ to get the parameters $\{A_2, A_3, \tau_i\}$ stored in the SC and attempts to launch the stolen smart card attacks and the offline password guessing attacks. Suppose A gets $HID_i$ according to $M_1$, and
Then, the query is answered by
On a query $Send(\Pi_{GWN}^z, (HID_i, C_1, C_2, C_3, C_4, T_1))$, assume that $\Pi_{GWN}^z$ is in a normal state and perform the following operations. Compute $A_i$, $ID_i$, $N_1$, $SID_j$, $C_4$, and check $A_1$. If equal, select $N_{A2}$, $T_{A2}$, and compute $SM_j$, $C_5$, $C_6$, $C_7$. Then, the query is answered by
On a query $Send(\Pi_S^y, (HID_i, C_5, C_6, C_7, T_2))$, assuming that $\Pi_S^y$ is in a normal state, do the following. Compute $N_2$, $N_1$, $C_7$, check $C_7$. If equal, select $N_{A3}$, $T_{A3}$, and compute $SK_s$, $C_8$, $C_9$. Then, the query is answered by
On a query $Send(\Pi_{GWN}^z, (C_8, C_9, T_3))$, assume that $\Pi_{GWN}^z$ is in a normal state and perform the following operations. Compute $N_3$, $SK_g$, $C_9$, and check $C_9$. If equal, select $T_{A4}$, and compute $C_{10}$, $C_{11}$. Then, the query is answered by
On a query, assuming that $\Pi_U^x$ is in a normal state, we perform the following operations. Compute $N_2$, $N_3$, $SK_u$, $C_{11}$; the instance $\Pi_U^x$ checks $C_{11}$; if not equal, it will be terminated. Otherwise, compute $SK = h(N_1 \| N_2 \| N_3 \| HID_j \| SID_j)$. Finally, the user instance accepts and terminates.
On an Execute query, we use the simulation of the Send query to do the following operations: . This query is answered by
For a record $(string, r)$ that appears in the $Hash(string)$ query, return $r = Hash(string)$. Otherwise, select an element $r$, add the record $(string, r)$ to the list, and return $r$.
On a query $Corrupt(\Pi_U^x)$, if $\Pi_U^x$ is accepted, the query is answered by the parameters $\{A_2, A_3, \tau_i\}$ in the smart card.
On a Test query, flip a coin $C$ to get the result of $SK$. If $C = 1$, return $SK$; otherwise, return a string of the same length.

However, $B_i$, $PW_i$, and $ID_i$ are all confidential to A. The probability that A can guess the biological information of the $l$ bits is $1/2^l$ [50]. In Zipf's law [49], the probability of guessing the password is more than 0.5 when $q_{send} \le 10^6$. Therefore, we get |Pr Succ where $C'$ and $s'$ are constants depending on the size of the password.
$GM_6$: The purpose of this game is to verify whether it can resist impersonation attacks. The difference between $GM_6$ and $GM_5$ is that when $GM_6$ initiates the $h(N_1 \| N_2 \| N_3 \| HID_j \| SID_j)$ query to guess the session key, the game is terminated. Therefore, we have |Pr Succ Since the probability of $GM_6$ success and failure is equal, the probability of A successfully guessing the session key is According to formulas (1) to (8), we can get Thus, we have $Adv_A^P(\xi) \le \frac{q_{send}}{2^{l-2}} + \frac{3q_{hash}^2}{2^{l-1}} + 2\max\{C' \cdot q_{send}^{s'}, \frac{q_{send}}{2^l}\}$.
5.3. Informal Security Analysis
5.3.1. Replay Attacks. A replay attack resends a previously sent message in order to interfere with normal communication or to launch other attacks. First, if $M_1$ is replayed, the session key cannot be successfully established between the user and the sensor, because the message cannot be validated by GWN, and further, because $g_i$ and $N_1$ are refreshed in each round. So, what happens when $\{M_2, M_3, M_4\}$ are replayed? If $M_2$ is replayed, the sensor passes the verification, and the same session key is established as the previous round, but the user will not verify this message because $g_i$ or $A_1$ will be updated every round. If $M_3$ or $M_4$ is replayed, the user will not pass the verification, and the session will be terminated for the same reason as that of $M_2$. Therefore, our improved protocol is resistant to replay attacks.

5.3.2. Privileged-Insider Attacks. In this paper, we specify that privileged insiders only have access to the content stored in the gateway database. In other words, privileged insiders can get $\{HID_i, ID_i, g_i\}$, but to calculate sensitive information such as $A_1$ and $A_3$, they also need to obtain private information such as $P_i$ and gateway key $x$, while $P_i = h(\sigma_i \| PW_i \| ID_i)$. Therefore, our improved protocol is resistant to privileged-insider attacks.

5.3.3. Three-Factor Secrecy. The three factors are password, smart card, and biometric information. According to the previous analysis, $A_1$ and $P_i$ are the key parameters for launching an attack to compute the session key. Now, let A get any two of the three factors.
(1) Password and smart card. Even if A knows the password and can extract the parameters from SC, he cannot calculate $A_1$ and $P_i$ for any attack
(2) Password and biometrics. If A gets the password and biometrics and wants to compute $A_1$, he needs to know $A_2$ and $P_i$. However, $A_2$ is stored on a smart card
(3) Biometrics and smart card. After A obtains the biometric and smart card, he/she needs to know the information about $PW_i$ and $ID_i$ to calculate $P_i$, so A cannot compute $A_1 = A_2 \oplus P_i$
Therefore, our protocol provides three-factor secrecy.

User Anonymity.
The real identity of the user only appears in the registration phase, as well as the authentication phase. However, in the authentication phase, the user enters his/her identity only when he/she logs in. During the authentication process, $HID_i$ is always protecting the user's identity. Therefore, our protocol provides anonymity.

ProVerif.
ProVerif [30,32,50-53] is a formal simulation tool for automatic verification of cryptographic protocols developed by Bruno Blanchet and based on the Dolev-Yao model. It can describe various cryptographic primitives such as public-key cryptography, shared key cryptography, and hash function, and the syntax used is easy to master. In this paper, we use the ProVerif tool to verify whether the proposed protocol has vulnerabilities. If there are vulnerabilities, the ProVerif tool will return an attack sequence. The specific operation is as follows.
Our protocol involves three parties communicating with the user, sensor, and gateway, in addition to using two channels, an encrypted channel and a public channel. The symbols, functions, and related definitions involved in ProVerif are described in Figure 4(a).

The proposed protocol involves 6 events, namely, UserStarted(), UserAuthed(), SensorAcGWN(), GWNAcUser(), GWNAcSensor(), and UserAcGWN(), which, respectively, indicate that the user starts authentication, the user completes the authentication, the sensor completes the authentication to the gateway, the gateway completes the authentication to the user, the gateway completes the authentication to the sensor, and the user completes the authentication to the gateway. For the security of the proposed protocol, ProVerif will verify the user anonymity, the security of the session key, and the reasonableness of the authentication process. Figure 4(b) shows these events and queries. Figure 5(a) shows the operations performed by the user and the sensor in the ProVerif. Figure 5(b) shows the operation of the gateway in the ProVerif. Figure 5(c) shows the results obtained after using the ProVerif tool to complete the verification. According to Figure 5(c), it is obvious that the proposed protocol can provide user anonymity and session key security, while the authentication process is executed in sequence.

Performance Comparison
In this section, we compare the security and performance efficiency of the improved protocol with those of [32,35,36]. In Table 4, we demonstrate the security comparison. It is easy to see that our protocol is secure against well-known attacks. Das et al.'s protocol [32] cannot resist offline password guessing attacks and stolen smart card attacks. Meanwhile, their protocol does not provide perfect forward security and user anonymity. Although Chen et al.'s protocol [35] satisfies the last three vulnerabilities A5, A8, and A9, it still cannot resist the offline password guessing attacks. Wu et al.'s protocol [36] can resist offline password guessing attacks, but it is vulnerable to known session-specific temporary information attacks and impersonation attacks, and it cannot provide perfect forward security and user anonymity.
the computational cost of XOR and join operations is too small, it can be ignored in comparison. Here, we compare the consumption of the login authentication and key exchange phase. $T_f$ represents the time to execute a fuzzy extraction function. $T_h$ represents the time to perform a hash operation. $T_s$ represents the time to perform the symmetric encryption/decryption operation. Table 5 shows the computational cost comparison. The results show that the fuzzy extraction function $T_f$ is used once in the total computational cost of each protocol. In addition, Das et al.'s protocol [32], Wu et al.'s protocol [36], and our protocol all use hash operations. However, our protocol has the least number of hash operations. Chen et al.'s protocol [35] not only performed 18 hashing operations but also performed four symmetric encryption/decryption operations, consuming $4T_s$. As we all know, the cost of a symmetric encryption/decryption operation is much higher than the cost of a hash operation. In other words, our improved protocol has a lower computational cost and provides higher security than previous protocols.

Communication Cost Comparison. The performance is analyzed from the communication cost of protocols. We assume that the random number and identity are 160 bits, the hash output and the length of the ciphertext for symmetric encryption are 256 bits, and the timestamp is 32 bits.
In Das et al.'s protocol [32], the messages in the login and authentication phase are $Msg_1 = \{TID_i', X_i, Y_i, Z_i, T_1\}$, $Msg_2 = \{X_{gw}, Y_{gw}, Z_{gw}, T_2\}$, and $Msg_3 = \{V_j, W_j, T_3\}$, where $TID_i'$ is an identity, $\{X_i, Y_i, X_{gw}, Y_{gw}, V_j\}$ belong to random strings, $\{Z_i, Z_{gw}, W_j\}$ are hash values, and $\{T_1, T_2, T_3\}$ are timestamps. The total communication cost of [32] is 1824 bits.
In Chen et al.'s protocol [35], the messages in the login and authentication phase are $\{M_1\}$, $\{M_2, N_g\}$, and $\{M_3, CDID_j, Ack, N_j\}$, where $\{M_1, M_2\}$ are ciphertexts, $\{N_g, CDID_j, Ack\}$ are random strings, and $M_3$ is a hash value. The total communication cost of [35] is 1248 bits.
In our protocol, the messages in the authentication phase are $M_1 = \{HID_i, C_1, C_2, C_3, C_4, T_1\}$, $M_2 = \{HID_i, C_5, C_6, C_7, T_2\}$, $M_3 = \{C_8, C_9, T_3\}$, and $M_4 = \{C_8, C_{10}, C_{11}, T_4\}$, where $\{C_1, C_2, C_3, C_5, C_6, C_8, C_{10}\}$ are random strings, $\{HID_i, C_4, C_7, C_9, C_{11}\}$ are hash values, and $\{T_1, T_2, T_3, T_4\}$ are timestamps. The total communication cost of our protocol is 2944 bits. The communication cost comparison is shown in Table 6. According to Table 6, we can see that the number of rounds of Das et al.'s and Chen et al.'s protocol is less than the one of Wu et al.'s and our protocol. It is obvious that the communication cost of the first two protocols is lower. However, in Table 5, it can be seen that the computational costs of the first two protocols are relatively high. Although our protocol has a slightly higher communication cost than [36], the efficiency in practical application is almost the same. Furthermore, in Table 4, Wu et al.'s protocol [36] cannot resist known session-specific temporary information attacks and impersonation attacks and cannot provide perfect forward security and user anonymity.
Table 4 legend. A1: known session-specific temporary information attacks; A2: user impersonation attacks; A3: sensor impersonation attacks; A4: man-in-the-middle attacks; A5: stolen smart card attacks; A6: off-line password guessing attacks; A7: privileged-insider attacks; A8: perfect forward secrecy; A9: user anonymity. The "√" denotes that this protocol can resist the attack. The "×" denotes that the protocol cannot resist the attack.

Conclusion
In this paper, we have described the protocol of Wu et al. and found that their protocol was unable to resist known session-specific temporary information attacks, violated perfect forward and backward security, and could not provide user anonymity. In order to solve the vulnerabilities, we proposed a provably secure three-factor authentication protocol, which is proved to be secure by formal and informal security analysis, the BAN logic, and the ProVerif tool. Finally, through the comparison of performance and security, our protocol can better ensure security and efficiency. In future work, we will work to further improve the security and performance of protocols in wireless sensors.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare no conflict of interest.