A Novel Secure Authentication Protocol for IoT and Cloud Servers

,


Introduction
e internet of things (IoT) is a new network that provides numerous embedded devices to the Internet to share data. It is based on information and communication technologies. Embedded devices are becoming increasingly complicated as a result of the fast growth of technology, and they are employed in a broad variety of applications. e ability to relate such gadgets to huge resource pools, such as the cloud, is a significant advancement in modern technology. e integration of embedded devices and cloud servers enables the use of IoT in a wide range of commercial and government applications. However addressing the security issues, such as authentication and data privacy is important for the efficient integration of these two systems [1][2][3]. IoT has grown significantly over the years because of its relevance in smart applications. e internet of things (IoT) market was valued at USD 250.72 billion in 2019 and is expected to grow to USD 1,463.19 billion by 2027 [4]. is exponential advancement of IoT is governed by its role in developing applications that include smart parking, smart building, smart health, smart environment, smart agriculture, and smart homes [5,6]. Smart parking can be employed for effective monitoring of parking areas in the city, and smart building applications can be used for monitoring the structural health of a building in terms of vibrations and material conditions. IoT can also be used for real-time motoring the health and the hydraulic parameters of the water bodies and effective monitoring of road conditions in terms of climate conditions [5]. In terms of security and emergency applications, IoT nodes can be deployed for unauthorized perimeter access, detection of harmful chemical and radiation leaks, and detection of gas leaks in industrial surroundings [6]. For smart agriculture, the nodes can be employed for monitoring soil quality, climate control in the greenhouse, and smart irrigation. e various applications in smart homes include surveillance, remote monitoring of appliances, energy, and water conservation. In the medical field, IoT can be employed for developing applications that include wireless body area networks, geriatric assistance, and automatic monitoring of medical freezers [5].
A typical IoT-based smart application comprises a threetier architecture that includes perception tier, network and server tier, and application tier [5,7] as shown in Figure 1.
e physical parameters are perceived in the perception layer using IoT devices, and the data perceived are further relayed to the server tier. e server tier serves as a communication backbone, employing different communication technologies [7]. As IoT applications generate a large volume of data, the server tier includes features for storing and processing it. A variety of servers, including mobile, web, and real-time communication servers, provide middleware support at the server tier. As the perception layer generates a very large volume of data, cloud servers can also be used at this layer for data storage and management. Various endusers connect to the server tier for offline and online data analysis in the user tier [8,9]. e security of IoT-based smart applications is of paramount importance [10]. e communication between the server tier and client tier can be made secure using traditional security protocols. However, as IoT devices are resource-constrained, the communication between IoT devices in the perception tier and servers in the server tier becomes an emerging and active area of research [5].
Authentication and session key establishment are bedrock for all other security services between IoT nodes in the perception layer and the various servers in the server tier [11]. Many schemes have been suggested for securing communication between IoT devices and cloud servers. Liao and Hsiao [12] proposed a mutual authentication scheme with ID verifier protocol. However as indicated by [13], the scheme suffers from server impersonation attacks.
Kalra and Sood [14] presented a mutual authentication scheme based on ECC. e scheme is resilient to various attacks. However, the scheme has design issues in terms of mutual authentication, insider, and traceability attacks. Chang et al. [15] pointed out the limitations of Kalra and Sood and highlighted its weakness in terms of mutual authentication and mistress of the session key. Chang et al. suggested an improved scheme that overcame the limitations of Kalra and Sood. Kumari et al. [16] pointed out the deficiencies of Kalra and Sood in terms of insider attacks, device anonymity, session key agreement, and mutual authentication. Kumari et al. also suggested an ECC-based scheme to overcome these limitations. Wang et al. [17] highlighted the deficiencies of the Chang et al. scheme in terms of impersonation attacks and suggested an improved scheme. Recently, Rostampour et al. [11] proposed an ECCbased scheme for authentication of IoT edge devices with the cloud server. Rostampour  When connecting an embedded system to the cloud, security is the main consideration. Mutual authentication must also be established between the cloud server and the embedded devices. To address these security concerns, many authentication systems for IoT and cloud servers have been developed. However, there are several faults in the existing approaches that must be addressed. When memory and power are limited and greater security with a low key length is required, elliptic curve cryptography (ECC) is the best public-key cryptography solution [18,19]. e existing schemes presented in the literature have been analyzed under Dolev and Yoa (DY) [20,21]. However, the eCK [22] adversary model is a more stringent model for authentication key agreement schemes [23]. In this paper, a detailed review of the Rostampour et al. scheme has been made. e Rostampour et al. scheme has been formally validated using Scyther-Compromise [24] under the eCK adversary model. Scyther-Compromise validation depicts that the Rostampour et al. scheme is not secure under the eCK adversary model. Furthermore, an improved scheme for authentication and key agreement between IoT devices and the server under the eCK adversary model has also been proposed.

Contributions.
e major highlights of the paper are as follows: (a) A review of the Rostampour et al. scheme has been made carried out. e scheme has been modeled on Scyther-Compromise and analyzed under the eCK adversary model. (b) An ECC-based authentication scheme for IoT and cloud servers has been designed. e designed scheme provides better functionality and security specifications. (c) e proposed scheme has been modeled on Scyther-Compromise. e results indicate that the scheme is safe under the eCK adversary model. (d) e soundness and correctness of the proposed protocol have also been evaluated using BAN [25] logic.

Paper
Organization. e remainder of the paper is laid out as follows. e preliminaries are presented in Section 2. Section 3 reviews the Rostampour et al. scheme and discusses its formal security verification under the eCK adversary model. In Section 4, the design of the proposed ECC-based scheme for authentication between IoT devices and cloud servers is presented. In Section 5, an informal security analysis has been carried out. Section 6 provides the simulation details of formal security analysis using the Scyther under the eCK adversary model. In Section 7, security analysis using BAN logic has been carried out. Finally, Section 8 presents the comparison of the proposed scheme with other relevant schemes in terms of functional and security specifications.

Notations.
e notations used in the paper are tabulated in Table 1.

Adversary
Model. An adversary model formulates the potential capabilities an attacker can have. Various adversary models exist that include Dolev and Yoa (DY) [20,21], Canetti-Krawczyk (CK), and extended Canetti-Krawczyk models (eCK) models [22]. In all the models, the communication channel is completely insecure; however, they differ in their adversary query capabilities. In DY threat model, the communication parties are considered to be honest and can run multiple sessions with each other. e communication channel is completely insecure and totally under the adversary's control, with the ability to record, delete, replay, redirect, rearrange, and completely control message schedule. e adversary can act as an active adversary in the middle and lead various man-in-the-middle attacks. e CK and eCK models are the most widely accepted models for authentication and key agreement protocols. In this adversary model, an attacker has abilities to compromise PRNG and get access to the secret randomness of the session. It is also assumed that an adversary can compromise the session and get access to it. An attacker can also get access to the long-term keys [26]. e major difference between the CK model and the eCK model is that in the eCK model, the adversary is capable of accessing ephemeral secrets, thus leading to an ephemeral-secret-key-leakage attack. An ephemeral key leakage indicates the weaknesses of a random number generator where the attacker can determine the randomness generated correctly with a high probability [26]. [27] and Miller [28] introduced elliptical curve cryptography (ECC). ECC is a powerful cryptographic technology. It establishes security between key pairs for public-key encryption using elliptic curve mathematics. ECC has grown in popularity in recent years due to its smaller key size and ability to maintain security. is trend is expected to continue as the need for devices to be secure develops in response to the rising size of keys, putting pressure on limited mobile resources. is is why it is vital to understand elliptic curve cryptography in context of low power devices [29]. When compared to RSA, ECC is highly efficient with low overheads. With a key size of 160 bits, elliptical curve cryptography provides the same level of security as RSA with a key size of 1,024 bits, making it  ideal for devices with limited resources [29]. Over a finite prime field F p , an elliptical curve E P (a, b) is defined as follows [29]:

Elliptical Curve Cryptography. Koblitz
where ▲ = (4a 3 + 27b 2 ! � 0). Some of the essential definitions related to elliptical curve cryptography are listed below [29]: (a) Point addition: point addition (+) between any two where C(x R , y R ) is a reflection of the point at which the line joining A(x A , y A ), and B(x B , y B ) intersects the curve E P (a, b). e algebraic computation is given as follows: (b) Scalar multiplication: for any scalar number X and A(x, y) ∈ E(a, b), the scalar multiplication is defined as follows: (c) Elliptical discrete logarithmic property (ECDLP): , ECDLP is a computational problem to find a scalar n such that R(x, y) � n.G(x, y). ECDLP has been a prominent field of research in cryptography over many decades, and it is the essential foundation for elliptic curve cryptography (ECC) and pairing-based cryptography. ECDLP has exponential time complexity.

Scyther Simulation.
Scyther is a tool for validating and verifying security protocols that was created by Cremers [24]. It is a software that provides security risk assessments and attack simulation capabilities. Scyther uses an infinite number of sessions to verify security protocols. Scyther also allows multiprotocol assaults to be verified. Figure 2 depicts the Scyther Tool's design in its most basic form. To verify and validate a security protocol in Scyther, it is modeled using Scyther protocol description language (SPDL). e tool accepts the SPDL model to be validated as well as simulation settings. As an output, the Scyther tool generates a summary report showing if the necessary security assertions are valid. If an attack is discovered, it generates a trace pattern in the form of a visual graph or an XML representation. An SPDL model of security protocol comprises roles that define the communication pattern of sender and receiver principals. e term claim is used to specify the various security requirements. Claim secret declares the parameters that must remain confidential from the adversary. e claim alive ensures that the claimant is executing events with the intended party. Nisynch ensures that all the intended messages in the session are sent and received in a synchronized manner, whereas Niagree indicates that the communicating parties agree on the messages exchanged. Finally, the weakagree ensures resilience against impersonation attacks. SKR claim indicates whether the session key designated using SKR can be revealed using the session key adversary rule. To verify this claim, the session key rule in the adversary model setting must be enabled. More details about Scyther are given in [24]. e adversary model by default in the Scyther standard version is Dolev and Yoa. e Scyther-Compromise provides extended support for various adversary models as compared to the standard Scyther version. In this paper, Scyther-Compromise version 0.9.2 has been used.

Review of Rostampour Et Al.'s Scheme.
e Rostampour et al. scheme comprises two phases given as below: (1) Registration phase (2) Login and authentication phase

Registration Phase.
e registration phase is carried out between the device and the server over a secure channel. e steps are given below: (i) D i generates a random number X i and computes PID i as (4): D i sends PID i to the server Sas follows: (ii) e server generates a random number R i and calculates (7) and (8): Server stores PID i , ET, and CK i in a secure database.

Wireless Communications and Mobile Computing
(iii) e server sends CK i ′ to the device as follows: e device Di stores CK i along with generated PID i .

Login and Authentication Phase
(i) D i generates a random number N i and computes (10)- (12): And sends it to the server as follows: (ii) e server finds the entry of D i in its database and verifies P 2 ≠ CK i .P 1 . If the evaluation is false, then the process stops, and if true, then the device is authenticated. (iii) e server generates a random number N 2 and computes (14) and (15): Also, it sends it to the device as follows: . If the evaluation is false, then the process stops, and if true, then the device is authenticated. e device computes V i as in the following equation and sends it to the server: (v) e server receives V i and verifies V i ≠ N 2 . PPID i . If the evaluation is false, then the process stops, and if true, then the device is authenticated. (vi) e server computes its session key: SK � N 2 .P 1 , and the device computes its session key: e schematics of the Rostampour et al. scheme are given in Figure 3.

Formal Validation of Rostampour Et Al.'s Scheme Using
Scyther under the eCK Adversary Model.
e SPDL model of the Rostampour et al. protocol is shown in Figure 4. e SPDL modeling comprises two roles: role I and role R. role I models the communication of the D i , and role R models the S. D i sends P 1 , P 2 , PPID i to the S using send_1(). e S receives the P 1 , P 2 , PPID i using recv_1() function. S sends P 3 , P 4 to the D i using send_2(). e D i receives the P 3 , P 4 using recv_2() function. Finally, D i sends V i to the S using send_3(). e S receives the V i using recv_3() function. e claim_i1 in role I and claim_r1 in role I and R indicates that the N 1 , N 2 must remain secret during the communication.
e claim_i2 and claim_r2 in roles I and R indicate that SK � N 1 , N 2 , G can be revealed using the session key adversary rule. claim_r3, claim_r4, claim_r3, and claim_r4 are to verify whether the authentication in terms of Nisynch and Niagree is maintained.
e SPDL model has been initially executed under Dolev and Yoa setting as shown in Figure 5. e Scyther-Compromise verification results of the Rostampour et al. scheme under the Dolev and Yoa setting indicate that the scheme is safe and does not have any attacks. Subsequently, the model was executed under the eCK adversary setting shown in Figure 6.
e Scyther verification results under eCK are shown in Figure 7.
e results indicate that the scheme is not safe. e attack trace is shown in Figure 8. e attack trace indicates that the Rostampour et al. scheme under the eCK adversary model is not resilient to session key reveal attack; thus, the adversary can reveal the session key. is is primarily due to the design issue in the Rostampour et al. scheme for computing the session key. In the Rostampour et al. scheme, the session key is computed as SK � N1.N2.G. e session key (SK) depends only on short-term session secrets N1 and N2. SK must also be dependent on long-term term secrets so that the reveal of short-term secrets does reveal session key.

Proposed Scheme
e proposed scheme comprises two phases that include     e registration phase includes the registration of an IoT device with the server. As with other schemes, the registration is performed on a secure channel [11]. e need for a secure channel for registration is highlighted as there is no preshared secret in the IoT device or any trusted third party is employed. e steps taken between the device and the server during the registration are listed as below: (i) Device D i chooses its private key K i and its identity I Di. (ii) e device calculates PID i as in (19) and sends PID i it to the server: (iii) e server calculates the hash of PID i and splits its private key X S into two unequal halves X 1 S , X 2 S such that X 1 S ≠ X 2 S . e server further computes (20) and (21): e server stores PID i , CK 1 i , CK 2 i and sends CK 1 i , CK 2 i to the device as follows: (v) e device receives and stores the parameters CK 1 i , CK 2 i along with PID i in its memory.

Login and Authentication
Phase. During this phase, the device initiates to log in to the server. Subsequently, the server authenticates the device, and if the device is authenticated, a session key is subsequently established between the device and the server. e steps undertaken between the device and the server during the login and authentication phase is shown as below: (i) Device D i chooses its ephemeral secret S i and calculates P 1 and P 2 as (23) and (24): e device sends P 1 and P 2 to the server as follows:  (iii) e server chooses its ephemeral secret S s and calculates P 3 and P 4 as (26) and (27): (iv) e server computes its session key (SK) with D i as follows: (v) Server sends P 3 , P 4 to the device as follows: (vi) e device receives P 3 , P 4 from the server and authenticates it as follows:

Wireless Communications and Mobile Computing
(vii) e device computes its session key with S as follows: e schematics of the proposed scheme are given in Figure 9.

Replay Attack.
In a replay attack, an adversary stores the messages exchanged between the communicating parties and retransmits them in the future to gain illegitimate access. In the proposed protocol, three messages are exchanged between the device and the server:

(34)
Let us assume during the initiation of the login and authentication phase, an adversary can eavesdrop on the messages and stores (P 1 , P 2 , P 3 , P 4 ) and E SK [H(SK)] for a replay attack. Let an adversary (A) replay stored (P 1 , P 2 ) of the previous session to gain illegitimate access as follows: When the server receives (P 1 , P 2 ), it validates the request and generates (P 3 , P 4 ) with a new ephemeral random secret. e adversary receives (P 3 , P 4 ) a new ephemeral secret. To validate (P 3 , P 4 ) and subsequently generate a session key SK, the adversary needs to know PID i and the ephemeral random secret previously used for computing (P 1 , P 2 ). e adversary does not have access to either due to the exponential time complexity of ECDLP [30][31][32]. As the adversary cannot generate a legitimate session key SK of the current session, E SK [H(SK)] cannot be computed by the adversary. Moreover, if the adversary replays the old E SK [H(SK)], the server will not authenticate it as the current SK is based on the fresh ephemeral random secret of the server. us, the design of the scheme thwarts replay attacks.

Impersonation Attack.
In an impersonation attack, an adversary tries to impersonate a legitimate device. e login and authentication phase starts by computing (P 1 , P 2 ) For computing (P 1 , P 2 ), an adversary must have access and knowledge of (CK 1 i , CK 2 i ) and H(PID i ). e (CK 1 i , CK 2 i ) and H(PID i ) are shared between the device and the server over a secure channel. Moreover, even if the adversary eavesdrop on (P 1 , P 2 ) of any previous login and authentication session between the device and the server, the (CK 1 i , CK 2 i ) and H(PID i ) cannot be extracted from (P 1 , P 2 ) due to the computational difficulty of ECDLP. us, without the knowledge of (CK 1 i , CK 2 i ) and H(PID i ), a valid (P 1 , P 2 ) cannot be computed as such an adversary cannot impersonate any legitimate device by computing a malicious (P 1 , P 2 ).

Traceability Attack.
In a traceability attack, the message with constant values may reveal the context of communication or the communication pattern. To avoid traceability attacks, messages exchanges must be randomized by incorporating pseudorandom numbers. In the proposed protocol, the ephemeral random secrets (S i , S s ) induce the required randomness in the messages for each login session.
us, the traceability attack is mitigated in the proposed scheme.

Message Integrity Attack.
e message exchanged between the device and the server cannot be masqueraded. During the communication, the following messages are exchanged between the device and the server: P 1 , P 2 , P 3 P 4 and E SK [H(SK)]. Let us say an adversary intercepts the P 1 , P 2 , P 3 P 4 and E SK [H(SK)] and wants to create malicious: P S 1 , P S 2 , P S 3 , P S 4 . However, to create P S 1 , P S 2 , P S 3 , P S 4 , the adversary must have access to X S and K i . e adversary does not have access to X S and K i . Moreover, extraction of the private key of X S from P 1 , P 2 , P 3 P 4 is having exponential time complexity due to the computational complexity of ECDLP.
us, the integrity of P 1 , P 2 , P 3 P 4 is upheld by the computational infeasibility of ECDLP. Moreover, the message E SK [H(SK)] can also not be altered as it is protected by a symmetric encryption technique and one-way hash.

Man-in-the-Middle Attack.
In a man-in-the-middle attack, an attacker can eavesdrop, disguise, and change communication in the middle by forging the key established between the device and the server. An adversary would be successful in executing the man in the middle attack if the adversary in the middle of the communication can create malicious: P S 1 , P S 2 , P S 3 P S 4 . However, to create malicious P S 1 , P S 2 , P S 3 P S 4 , the adversary must be able to forge (CK 1 i , CK 2 i ) as follows: Device Authentication Successful Figure 9: Schematics of the proposed scheme.

Wireless Communications and Mobile Computing 11
To forge (CK 1 i , CK 2 i ), adversary must have access to X S . e adversary does not have access to X S . Moreover, from P 1 , P 2 , P 3 P 4 , X S cannot be extracted due to the exponential complexity of ECDLP. As the adversary cannot forge P 1 , P 2 , P 3 P 4 and proper authentication is employed prior to the key establishment, the man-in-the-middle attack is mitigated in the proposed scheme.

Formal Validation of the Proposed Protocol
Using Scyther e designed protocol has been modeled using SPDL to validate its security on Scyther-Compromise under the eCK adversary model. e SPDL model of the proposed protocol is shown in Figure 10. e role Device and role Server model the communication pattern of the D i and S, respectively. e role Device initiates the login and authentication phase by sending (P 1 , P 2 ) using the send_1 function. On receiving (P 1 , P 2 ) using the recv1 function, the role server sends (P 3 , P 4 ) using send_2 functions to the device. Finally, the device sends E SK [H(SK)] to the server using the send_3 function. e claim_i1 in role Device and claim_r1 in role Server indicate that the X S and K i must remain secret during the communication. e claim_i2 in role Device and claim_r2 in role Server indicate whether SK � X S .K i .ID i .G.S i .S s can be revealed using the session key adversary rule. claim_r3, claim_r4, claim_r3, and claim_r4 is to verify whether the authentication in terms of Nisynch and Niagree is maintained.
e SPDL model of the designed protocol was simulated on the compromise 0.9 under the eCK adversary model as indicated in Figure 6. e verification results are shown in Figure 11. From Figure 11, we can infer that the protocol is safe and does not have any attack under the stringent eCK adversary model.

Formal Security Analysis Using BAN Logic
Burrows et al. proposed BAN logic to validate the soundness and correctness of a security protocol. is section employs BAN logic to determine the security validity of the proposed scheme. D and S denote the communicating principles, where K I and X S denote their private keys, respectively. e BAN notations are tabulated in Table 2 [31], and the BAN postulates are given in Table 3. Besides that, as derived in [33], synthesis rules are tabulated in Table 4. (2), (A1), and (R1), we get (3) D| ≡ S| ∼ P 1 , P 2 K I S I is a part of P 1 , P 2 ; thus, as per (A3) and (R6), we get (4) D| ≡ #(P 1 , P 2 )

Security Comparison.
e security comparison of the proposed scheme with relevant existing schemes is shown in Table 5. Kalra and Sood [14] do not support any security resistance. Chang et al. [15] are not resilient to traceability and impersonation attack. Kumari et al. [16] support only AK3 and AK4 features. Among the existing schemes, Rostampour et al.'s [11] scheme is the only scheme that supports AK1-AK5. However, from Table 5, we can infer that Kalra and Sood [14], Chang et al. [15], Kumari et al. [16], Wang et al. [17], and Rostampour et al. [11] have not been evaluated under the eCK adversary model. e formal validation of Rostampour et al. [11] under eCK adversary indicates that the scheme is not safe under the eCK model. e proposed scheme supports all the security requirements from AK1 to AK5 and is also safe under the eCK model.

Computation and Communication Overhead.
e comparison in terms of computational and communication overhead is shown in Table 6. e time complexities of various critical operations considered include T ECM : scalar multiplication, T EADD : point addition, T HASH : one-way hash, T SENC /T SDEC : symmetric encryption, and T inv : multiplicative inverse. T ECM is the most computationally intense operation. As IoT devices are resource constraints in nature, the computational overhead on these devices plays an important role in determining the efficiency of the scheme as the server is considered computationally more powerful. From Table 6, we can infer that a computational overhead of 4 T ECM for the IoT device and 8 T ECM in total is required in the proposed scheme.
e highest device overhead is that of the M is fresh ⟶ P r D P r is the public parameter calculated using the private key of D D ⟶ S K S SK is the key between D and S X { } SK SK is the key used to encrypt X (F1/F2) If F1 is true, then F2 is true Message-meaning rule Session key rule Rule no. Synthesis rule S1 Rostampour et al. scheme with 7 T ECM and the lowest is that of Kalra and Sood [14]. However, from Table 5, we can infer that none of the security specifications are supported by Kalra and Sood [14]. In terms of scalar multiplication (T ECM ) overhead, the proposed scheme is required the same no of scalar multiplication as compared to other schemes considered for comparison. e communication cost is estimated based on the number of bits transmitted. We consider an elliptical curve E(a,b) of 160 bit. e size of an ECC point P(x,y) on the 160 bit curve is 320 bits (X[160], Y[160]). e symmetric encryption considered generates a ciphertext of 128 bit. In the proposed scheme, 03 messages are exchanged that include (P 1 , P 2 ), (P 3 , P 4 ), and E SK [H(SK)].

Energy Overhead.
To compare estimated energy consumed on an IoT device, the time consumed by various critical operations as indicated in [34] on a MicaZ mote [35] is shown in Table 7. e energy is consumed using E � V * I * T, where V is the voltage, I is the current drawn, and T is the time taken for the operation. ough Kalra and Sood [12] have the lowest energy overhead for the IoT device, it has a high communication overhead and suffers from various security limitations that include AK1, AK2, AK3, AK4, and AK5. Kalra and Sood [12] have not been evaluated under the eCK model. Chang et al. [15], Kumari et al. [16], and Wang et al. [17] have the energy overheads of 271.44 mJ, 271.2 mJ, and 271.68 mJ, respectively. However, Chang et al. [15], Kumari et al. [16], and Wang et al. [17] do not suffice to all security requirements and have not been modeled under the eCK model. e designed scheme supports all the security specifications and is the only scheme that is formally validated under the eCK adversary model. us, with the computational requirement of 278.16 mJ and   [14] 3 T ECM + 4 T HASH 4T ECM + 5 T HASH 8T ECM + 9 T HASH 1,760 Chang et al. [15] 4T ECM + 4 T HASH 4T ECM + 4 T HASH 8T ECM + 8 T HASH 1,632 Kumari et al. [16] 4T ECM + 3 T HASH 4T ECM + 4 T HASH 8T ECM + 7 T HASH 1,760 Wang et al. [17] 4T ECM + 5 T HASH 4T ECM + 3 T HASH 8T ECM + 8 T HASH 1,632 Rostampour et al. [11] 7T ECM + T EADD 6T ECM + T EADD 13 T ECM +2 T EADD 1,920 Proposed scheme T ECM + T EADD + 2 T HASH + T SENC /T SDEC + T inv 4 T ECM + T EADD + 2 T HASH + T SENC /T SDEC + T inv 8 T ECM + 2T EADD + 4 T HASH + 2 T SENC /T SDEC + 2 T inv 1,408 Chang et al. [16] Kumari et al. [17] Wang et al. [18] Rostampour et al. [12] Proposed Scheme Figure 12: Energy overhead comparison.
Wireless Communications and Mobile Computing 15 communication overhead of 1,408 bits, the proposed scheme supports all the security requirements and is also safe under eCK adversary.

Conclusion
Authentication between IoT devices in the perception layer and the cloud server is critical for developing secure IoTbased smart applications. e existing schemes presented for authenticated key agreements between IoT devices and the cloud services have not been validated using the eCK adversary model. Recently, Rostampour et al. presented a scheme for authenticated key agreement between IoT devices and the cloud server that is secure under the Dolev and Yoa model. A formal security validation of Rostampour et al. has been carried out using Scyther-Compromise under the eCK model. e verification indicates that the scheme susceptible to session key disclosure attacks under the eCK model. A lightweight ECC-based authentication technique for IoT devices and the cloud server has been presented in this paper. e Scyther-Compromise simulation indicates that the proposed scheme is secure under the eCK model. BAN logic analysis and evaluation indicate that the design of the proposed scheme is sound and correct. e overhead analysis indicates that the proposed scheme requires 199.44 mJ and 512 bits less in terms of energy and communication overhead as compared to the scheme presented by Rostampour et al.

Data Availability
e data used to support the findings of this study are included within the article.

Conflicts of Interest
e authors declare no conflicts of interest.