Privacy-Preserving ECC-Based AKA for Resource-Constrained IoT Sensor Networks with Forgotten Password Reset
Yicheng Yu, Kai Wei, Kun Qi, Wangyu Wu

TL;DR
This paper introduces a secure and efficient authentication protocol for IoT sensor networks that protects user privacy and allows password reset without re-registration.
Contribution
The novel contribution is a PUF-based ECC AKA protocol with a secure password update mechanism for resource-constrained IoT sensor networks.
Findings
The protocol is secure against common attacks according to formal analysis using BAN logic and ProVerif.
Dynamic pseudonyms and session randomness reduce identity-related information leakage.
The protocol has lower computational and communication overhead compared to existing solutions.
Abstract
Wireless sensor networks (WSNs) are extensively used in IoT applications. Secure access control and data protection are essential. Nonetheless, the wireless environment has an open nature. The limited resources of sensor devices render WSNs susceptible to a variety of security attacks, causing significant difficulties in the design phase of efficient authentication and key agreement (AKA) protocols. This study proposes a physically unclonable function (PUF)-based lightweight and secure AKA protocol for WSNs based on elliptic curve cryptography (ECC). A secure password update scheme is offered, which would allow legitimate users to reset forgotten passwords without re-registration. According to formal security analysis using BAN logic and ProVerif, the proposed protocol is secure against common attacks. Moreover, from an entropy perspective, the use of dynamic pseudonyms and fresh…
Funding
- Scientific Research Startup Fund for Shenzhen High-Caliber Personnel of SZPT
- Industry-University-Research Innovation Fund for Chinese Universities
1. Introduction
WSNs are used in many scenarios, for example, monitoring the environment, enabling healthcare-related services, supporting automated industrial processes, and improving transportation intelligence [1,2]. In these scenarios, a large number of sensor nodes collect sensitive data and send them to legitimate users over wireless communication channels. The open nature of wireless transmission, the unattended deployment of sensor nodes, and their limited physical resources and capabilities make them a prime target for security issues such as spoofing of node identities, replay-based intrusion, communication hijacking, and offline guessing of authentication secrets [3,4,5,6].
Authentication and Key Agreement ( ) protocols are therefore indispensable components for securing communications. A well-designed protocol guarantees that only legitimate users and sensor nodes are able to access the network service and that fresh session keys are established to secure the transmission of subsequent packets. Nonetheless, designing efficient and secure protocols for is challenging. On the one hand, sensor nodes have limited computation capability, memory, and battery power, which restricts the adoption of heavyweight cryptographic techniques. On the other hand, protocols are required to provide strong security properties: not only mutual authentication but also privacy preservation, perfect forward secrecy, and robustness against known attacks by powerful adversaries [7,8]. In particular, privacy in IoT-based authentication can be intuitively understood from an entropy perspective, where higher uncertainty of user identities given the observed protocol messages implies stronger resistance to tracing and identity leakage.
In recent years, several schemes have been suggested to tackle these issues. Due to its ability to offer high security levels with relatively small key sizes, elliptic curve cryptography ( ) has become increasingly popular. This makes suitable for , which often operate under severe resource constraints [3]. Moreover, hardware security mechanisms based on techniques such as (Physically Unclonable Functions) have been deployed to protect sensor node secrets from hardware cloning attacks [8]. The development of quantum computing has led to the emergence of post-quantum secure protocols, which can potentially offer long-term security of against a quantum-capable adversary [4].
Figure 1 illustrates a typical application. Three main components are involved: users, gateway nodes, and sensor nodes. Within such a framework, users access the sensed data through gateway nodes that connect them with the sensor nodes. Sensor nodes cooperatively perform data sensing and forwarding tasks, while the gateway node assists in authentication, access control, and key establishment. A practical deployment generally follows this interaction pattern, which also shows the importance of secure and lightweight protocols for protecting the communications between the various entities.
In light of these observations, we present a secure and efficient protocol for using -based cryptographic techniques, smart-card-assisted user authentication, and -based security of sensor nodes. We aim for strong security properties alongside lightweight computation and modest communication overhead. By combining logic analysis, security verification, and efficiency evaluation, we confirm that the proposed scheme can be applied effectively in practical environments.
The major contributions are as follows:
- We present a lightweight protocol for which achieves mutual authentication and establishes a secure session key.
- A -based mechanism is deployed to enhance resistance of sensor nodes against physical attacks.
- The proposed protocol and its security properties are analyzed using logic and .
- We evaluate the computational and communication costs and demonstrate the efficiency of the proposed scheme compared with existing related protocols.
- We design a secure and user-friendly password update mechanism that allows legitimate users to reset forgotten passwords without requiring re-registration [9], while ensuring the overall security of the system remains intact.
2. Related Works
Due to constraints such as limited computational power, limited energy, and open wireless channels, establishing a secure session is very challenging. To overcome these challenges, protocols are applied. Many lightweight and robust schemes with strong security characteristics, such as mutual authentication, anonymity, forward secrecy, and low computation and communication overhead, have been proposed in recent years.
A significant body of work explores the use of Elliptic Curve Cryptography for efficient authentication. Huang et al. developed a three-factor -based protocol that combines biometrics, a smart card, and a password, with formal security verification and attack resistance, which is well suited to resource-constrained environments [3]. To reduce overhead and improve anonymity, Li and Hu’s lightweight -based protocol resists ephemeral secret leakage attacks [7]. Many other -based designs withstand offline guessing and replay attacks during session key negotiation [10]. At the same time, lightweight two-factor protocols based on chaotic and symmetric have been proposed that are provably secure and lightweight [11].
Hybrid approaches that combine symmetric and asymmetric mechanisms to optimize energy consumption and throughput have also been explored. For instance, secure hybrid data transmission protocols integrate key management and message authentication to support efficient node authentication and data integrity [12]. Broader surveys of security and authentication mechanisms highlight the limitations of existing protocols and underscore the ongoing need for lightweight schemes that maintain strong security features in diverse deployment contexts [13].
Architectural innovations such as multi-gateway schemes seek to improve scalability and flexibility in . Yang et al. present a multi-gateway structure that allows dynamic access for sensors and users across network regions with reduced computation and communication costs relative to earlier schemes [14]. Beyond structural enhancements, hardware-assisted authentication mechanisms using Physically Unclonable Functions ( ) have been investigated. Tyagi and Kumar introduce -based protocols combined with to bolster resistance against smart card loss and physical attacks [8], and further work integrates with chaotic maps to achieve dynamic pseudonym generation and resistance to modeling attacks [15].
Post-quantum secure schemes have emerged in response to the threat of quantum computing. Singh and Mishra propose an protocol that resists a quantum attacker by relying on the hardness of Ring Learning With Errors (RLWE) [4]. Advanced frameworks combine lightweight cryptography with context-aware key management to adapt AKA to both classical and post-quantum threat environments [16].
Aside from these particular designs, smart-card-based and fuzzy-extractor-based authentication schemes defend against card loss and impersonation attacks with minimal overhead on sensor nodes [17]. Together, these works demonstrate the recent diversity of research on -based multi-factor schemes, lightweight symmetric and chaotic protocols, multi-gateway structures, -assisted schemes, and post-quantum designs.
3. Preliminaries
3.1. System Model
The system model of the proposed protocol is illustrated in Figure 2. The wireless sensor network consists of three types of entities: users , a gateway node , and multiple sensor nodes .
The trusted authority is the gateway node, which is responsible for initializing the network and registering users and sensor nodes. In the registration stage, users and sensor nodes submit their identity-related information to the gateway over a secure channel, and the gateway generates and distributes the corresponding credentials. Once the network is deployed, the gateway assists in authentication and key agreement between users and sensor nodes but takes no part in data transmission.
A user can access the sensed data via the gateway after performing mutual authentication and session key establishment with the target sensor node. On successful authentication, a session key is established between the user and the sensor node for the subsequent secure communication, as shown in Figure 2.
3.2. Threat Model
The protocol’s security analysis follows the Dolev–Yao adversarial model [18]. The adversary is assumed to have complete control of the public communication channel, where they can eavesdrop, intercept, modify, replay, and forge messages. However, the adversary cannot break standard cryptographic primitives, such as one-way hash functions and elliptic curve cryptographic operations.
Moreover, the adversary can physically take over the sensor nodes or steal user smart cards to get the stored data. Nonetheless, it is assumed that it is infeasible for malicious parties to extract sensitive secrets from cryptographic primitives, or solve the elliptic curve discrete logarithm problem.
3.3. Cryptographic Primitives
- One-way hash function: We adopt a cryptographic to derive authentication values and maintain message integrity. It is assumed to be collision-resistant and pre-image-resistant.
- Elliptic Curve Cryptography ( ): Consider an elliptic curve over the finite field . Let G denote a cyclic additive group of prime order q generated by P. The security of the -based computations rests on the intractability of the elliptic-curve discrete logarithm problem ( ).
- Physical Unclonable Function ( ): A [19] is a hardware-rooted primitive that outputs device-unique, hard-to-predict responses to supplied challenges. It is used to protect sensor node secrets against physical attacks and cloning.
4. Proposed Protocol
The proposed protocol comprises six main phases: the initialization phase, the user registration phase, the sensor node registration phase, the mutual authentication phase, the password update phase, and the forgotten password reset phase. The gateway node executes the operations required in the first three phases. The mutual authentication phase is designed to achieve bidirectional identity verification between the user and the sensor node, and to negotiate a secure session key for ensuring the confidentiality and integrity of subsequent communications. If a password change is needed, the password update phase allows the password to be modified securely. In addition, for scenarios where a user forgets the password, the protocol provides a forgotten password reset phase, allowing the user to reset the password without providing the original one.
4.1. Initialization Phase
During the system initialization phase, the gateway node performs the offline setup of relevant parameters and selects security functions. selects an elliptic curve E defined over a finite field , and chooses an additive group G on E of order q, where P denotes a generator of G. Then, generates a private key x and computes the corresponding public key . Finally, chooses a master key K and a secure cryptographic hash function . The public parameters are subsequently published.
4.2. User Registration Phase
Before obtaining sensor-collected data, a user must first complete registration with the gateway node. The process of the user registration phase is shown in Figure 3 and outlined below:
- Credential Setup. User chooses an identity and a corresponding password , and generates a random number . then computes and sends the parameter to the gateway over a secure channel. After obtaining , verifies whether is already registered. If it exists, is requested to choose a different identity; otherwise, computes and , stores in the user table, writes into a smart card , and delivers securely to .
- Local Verification Setup. After receiving , computes and . M is chosen as a sufficiently large integer (e.g., , where ) to prevent efficient offline verification of guessed ( , ) pairs.
- Forgotten Password Reset Support. To support scenarios where the user forgets the password, the protocol further provides a forgotten password reset initialization based on security questions. User selects N pairwise coprime positive integers , , …, , and N security questions , , …, , then provides the corresponding answers , , …, . Subsequently, a secret S is constructed based on the Chinese Remainder Theorem such that it satisfies: . Finally, computes and writes the parameters into .
4.3. Sensor Node Registration Phase
Prior to deployment in the operational area, a new sensor node must also complete registration with . The sensor registration phase binds each sensor node to the gateway and establishes a long-term credential protected by the PUF, which prevents physical cloning attacks. The sensor node registration process is shown in Figure 4, and the specific steps are described below:
- Registration request. The sensor node picks an identity and a random challenge , then generates the corresponding response via a Physical Unclonable Function ( ). Subsequently, transmits and to over a secure channel.
- Gateway credential assignment. Upon receiving and , first verifies whether the same is already present in the sensor node information table. If a duplicate is found, is notified to regenerate its identity information. Otherwise, computes the key , records and in the sensor node information table, and finally sends back to through the secure channel. With , computes its local key and stores it securely.
4.4. Mutual Authentication Phase
When a user needs to access data collected by sensor nodes, both the user and the sensor node must perform bidirectional authentication with the assistance of the gateway node. A shared session key is also negotiated to ensure the confidentiality of subsequent communications. Since the long-term credentials are established during registration, mutual authentication is completed through four message exchanges ( – ), as follows:
** : User ⇒ Gateway (Login request)**. The user inputs the identity and corresponding password , and inserts the smart card into the terminal. The terminal first performs local password verification by computing:
and verifies whether matches . If they do not match, the terminal rejects the login request. Otherwise, the terminal obtains the current timestamp , generates random numbers w and , selects the identity of the sensor node to be accessed. It successively computes:
Finally, the terminal sends:
to the gateway node .
** : Gateway ⇒ Sensor (Authentication challenge)**. Upon receiving , first verifies the validity of timestamp , then uses its private key x to compute:
checks the validity of by querying the user information table, then computes:
compares whether equals . If they are not equal, terminates the session. Otherwise, generates timestamp , sets , , and computes:
retrieves the challenge and sends:
to .
** : Sensor ⇒ Gateway (Sensor response)**. After receiving , sensor node first checks the validity of timestamp . Then, it generates its response and computes:
If the verification fails, the authentication session is terminated. Otherwise, generates random number and computes:
where is the current timestamp and is the session key. Finally, returns
to .
** : Gateway ⇒ User (Session confirmation)**. Upon receiving , checks the validity of timestamp and computes:
If matches , obtains the current timestamp and computes:
and returns the message:
to user . After receiving , checks the validity of timestamp , and computes:
If is verified to match , generates the session key:
thereby completing mutual authentication with sensor node .
The process of the mutual authentication phase described above is illustrated in Figure 5.
4.5. Password Update Phase
During the password update phase, the user can modify their password offline without interacting with the gateway node. Figure 6 is a flowchart of the process, and the specific steps are as follows:
- User inserts into a terminal and enters the identity , the original password , and the new password .
- The terminal computes , , and , and verifies whether the stored in the smart card matches the computed . If they do not match, the password update request is rejected. Otherwise, the terminal successively computes , , , , , and , and updates the original parameters , , , and in the smart card to , , and , respectively.
4.6. Forgotten Password Reset Phase
When a user forgets their password and needs to log in, they can securely restore access through the following procedure, as shown in Figure 6.
The user inserts into a terminal, enters the correct identity , and provides accurate answers to all preset security questions , , thereby recovering the secret value S based on the Chinese Remainder Theorem ( ). Subsequently, computes the original password and the parameter , inputs the new password , and successively calculates , , , and . Finally, the stored values , , and in are updated to the newly computed , , , and , respectively, thereby completing the secure reset of the forgotten password to .
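The card-side values of the user registration phase (Section 4.2) and the forgotten password reset of Section 4.6, worked through as an added example that is not the paper's code; it also shows why the modulo-M verifier blocks offline confirmation of guesses (Section 5.2.9). Assumptions: SHA-256 stands in for h(), M = 2^8 since the page elides its bound, the card keeps the password masked as PW xor h(S), and all identities, answers and moduli are constructed.

```python
import hashlib
from math import gcd, prod

# Added example, not the paper's code. Assumptions: SHA-256 stands in for h();
# the verifier modulus M = 2^8 (the page elides its bound); the card stores the
# password masked as PW xor h(S); identities, answers and moduli are constructed.
M = 2 ** 8


def h(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def local_verifier(identity: bytes, password: bytes, r: bytes) -> int:
    """Card-side verifier h(ID || PW || r) mod M from the Local Verification Setup."""
    return h(identity, password, r) % M


def passwords_passing_local_check(identity, r, verifier, dictionary):
    """Attacker view with a stolen card (Section 5.2.9): every dictionary word whose
    verifier collides mod M passes, so the correct one cannot be singled out offline."""
    return [pw for pw in dictionary if local_verifier(identity, pw, r) == verifier]


def crt_secret(moduli, answers):
    """S with S = h(A_i) (mod m_i) for every security question i, via the CRT.
    The moduli must be pairwise coprime, as the registration phase requires."""
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if gcd(a, b) != 1:
                raise ValueError("moduli must be pairwise coprime")
    total = prod(moduli)
    s = 0
    for m_i, a_i in zip(moduli, answers):
        n_i = total // m_i
        s += (h(a_i) % m_i) * n_i * pow(n_i, -1, m_i)
    return s % total


def mask(secret: int) -> int:
    """h(S) as a 256-bit integer used to hide the password on the card (assumption)."""
    return h(secret.to_bytes(64, "big"))


def enrol(identity, password, r, moduli, answers):
    """Smart-card contents written in the user registration phase."""
    s = crt_secret(moduli, answers)
    return {"r": r, "moduli": moduli,
            "verifier": local_verifier(identity, password, r),
            "masked_pw": int.from_bytes(password, "big") ^ mask(s)}


def reset_forgotten_password(card, identity, answers, new_password):
    """Forgotten password reset (Section 4.6): rebuild S from the answers, unmask the
    old password, check it against the card's verifier, then re-derive the card
    parameters for the new password. Wrong answers give a different S, so the
    unmasked value is garbage and the check almost always fails (1/M false-pass
    chance), in which case None is returned."""
    s = crt_secret(card["moduli"], answers)
    old_int = card["masked_pw"] ^ mask(s)
    old_pw = old_int.to_bytes((old_int.bit_length() + 7) // 8, "big")
    if local_verifier(identity, old_pw, card["r"]) != card["verifier"]:
        return None
    return {"r": card["r"], "moduli": card["moduli"],
            "verifier": local_verifier(identity, new_password, card["r"]),
            "masked_pw": int.from_bytes(new_password, "big") ^ mask(s)}
```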
5. Security Analysis
5.1. Formal Security Analysis
We evaluate the proposed protocol through two widely used formal methods: logic and . Using BAN logic, we prove that mutual authentication holds and that a session key is successfully set up. Essential security requirements (e.g., session-key confidentiality and authentication) are then machine-checked in under the Dolev–Yao adversary model. The two complementary approaches provide a formal assessment of the protocol’s security that is comprehensive and rigorous.
5.1.1. BAN Logic-Based Security Analysis
logic is a belief-based reasoning framework commonly adopted to analyze authentication protocols [20]. A set of inference rules abstracts the actual protocol messages into an idealized form and derives the principals’ beliefs. For convenience, the notation and the main inference rules are listed in Table 1 and Table 2, respectively. Likewise, the idealized messages, assumptions, and step-by-step derivations that establish the authentication goal are summarized in Table 3. This reasoning shows that and each accept the newly generated session key and also believe that the other party accepts it, which implies mutual authentication and a secure key-agreement outcome.
5.1.2. ProVerif-Based Formal Verification
To strengthen the security claims, we employ [21] to perform automated formal verification under the Dolev–Yao adversary model, where the adversary can fully manipulate the public channel. The code of the protocol is publicly available at [22].
In the model, the user, gateway, and sensor node are specified as concurrent processes communicating over a public channel. Fresh nonces and session-related parameters are generated using new, while cryptographic operations are abstracted as symbolic functions. To model authentication behavior, event statements are inserted at key protocol stages, where UGbegin(t), UGend(t), GUbegin(t), and GUend(t) denote the initiation and completion of the user–gateway authentication, and GSbegin(t), GSend(t), SGbegin(t), and SGend(t) represent the corresponding gateway–sensor interactions. These events enable to reason about agreement between protocol participants.
Authentication is verified using injective correspondence queries, such as query inj-event(UGend(t)) ==> inj-event(UGbegin(t)), which assert that whenever a party completes a session, there exists a unique matching session initiation by the peer, thereby providing strong resistance against replay and impersonation attacks. In addition, secrecy properties are specified using confidentiality queries of the form query not attacker(x).
As shown in Figure 7, all authentication and secrecy queries are successfully verified by . Specifically, the results confirm injective authentication between the user, gateway, and sensor node in all protocol phases, as each end event is associated with a unique corresponding begin event. Moreover, the secrecy queries not attacker(svalueA[]) and not attacker(svalueB[]) are satisfied, indicating that the attacker cannot derive the modeled sensitive values from protocol executions. Therefore, the verification results in Figure 7 provide formal evidence that the scheme achieves mutual authentication and preserves the confidentiality of critical security parameters under an active adversary model.
5.2. Informal Security Analysis
In this part, we present an informal security discussion for the proposed authentication scheme. The analysis demonstrates that the protocol achieves the desired security goals and withstands various well-known attacks under the Dolev–Yao adversarial model, where an adversary can observe, intercept, alter, replay, or forge public-channel messages, but is assumed unable to compromise standard cryptographic primitives.
5.2.1. User Anonymity
The actual identity of the user is never transmitted in plaintext over the public channel. Instead, the user sends a dynamic pseudonym , computed from a session-dependent random number w and the system public key X. Since w is freshly chosen in each authentication session, the value of changes even for the same user. An external adversary cannot recover the real identity without the private key x of . Thus, the proposed protocol preserves user anonymity against both passive eavesdroppers and active adversaries.
5.2.2. Untraceability
The protocol achieves untraceability by making sure that all user-related authentication parameters are not the same for different sessions. In particular, the messages that are transmitted include session-specific random elliptic curve points and dynamic pseudonyms using fresh random values and w. Moreover, authentication messages such as bind the identity-related information with timestamps and ephemeral randomness. Since these parameters are statistically independent across sessions, an adversary cannot correlate multiple executions of the protocol to trace a specific user even if all communication messages are recorded.
5.2.3. Mutual Authentication
Through the chained checking of authentication messages, protected by derivatives of the system master key, the protocol achieves mutual authentication among the user, the gateway, and the sensor node. The gateway authenticates the user by validating , where and K is the gateway’s master key; only the holder of K is able to generate a valid . The sensor node authenticates the gateway by evaluating . Here, , which is securely recovered using the sensor’s secret key and response. Lastly, the user authenticates the gateway by verifying the message , which includes the fresh sensor-generated value . As a result, strong mutual authentication is established among all entities, and any forged or modified authentication message is detected.
5.2.4. Session Key Agreement
Once mutual authentication completes, the user and the sensor node independently compute a shared session key. The user computes , while the sensor computes . Due to the properties of elliptic curve scalar multiplication, . Since the ephemeral secrets and are never transmitted over the public channel, an adversary cannot derive the session key even with full access to all exchanged messages.
5.2.5. Perfect Forward Secrecy
The proposed protocol offers perfect forward secrecy: each session key is derived from the ephemeral random values and , which are never reused across protocol executions. Even if the long-term secrets of the user, sensor node, or gateway (i.e., K, x, or stored credentials) are compromised at some stage, previously established session keys remain secure, since recovering them would require solving the to extract the past ephemeral secrets.
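The login request and sensor response of Section 4.4, with the anonymity, key agreement and forward secrecy arguments of Sections 5.2.1, 5.2.4 and 5.2.5, as an added example that is not the authors' code. Assumptions: secp256k1 stands in for the unspecified curve, and the message forms (pseudonym = ID xor h(w·X), session key = h(w·y·P)) are modelled on the description, omitting the timestamps and the gateway-master-key hashes.

```python
import hashlib
import secrets

# Added example, not the paper's code. Curve: secp256k1 (the paper leaves its curve
# unspecified). The message forms below are assumptions modelled on Section 4.4:
# pseudonym PID = ID xor h(w*X) and session key SK = h(w*y*P); timestamps omitted.
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def is_on_curve(pt):
    """secp256k1 is y^2 = x^3 + 7 over F_p."""
    x, y = pt
    return (y * y - x * x * x - 7) % P_MOD == 0

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def rand_scalar():
    return secrets.randbelow(N_ORD - 1) + 1  # uniform in [1, n-1]

def gateway_setup():
    """Initialization: private key x and public key X = x*P."""
    x = rand_scalar()
    return x, ec_mul(x, G)

def user_login(identity, X):
    """Login request: fresh w, W = w*P, dynamic pseudonym PID = ID xor h(w*X) (5.2.1).
    The identity is padded to 32 bytes to match the hash length."""
    w = rand_scalar()
    pid = xor(identity.ljust(32, b"\0"), h(enc(ec_mul(w, X))))
    return w, {"W": ec_mul(w, G), "PID": pid}

def gateway_recover_identity(x, m1):
    """Only the holder of x can unmask PID, because x*W = x*w*P = w*X."""
    return xor(m1["PID"], h(enc(ec_mul(x, m1["W"])))).rstrip(b"\0")

def sensor_respond(W):
    """Sensor response: fresh y, Y = y*P, session key SK = h(y*W) (5.2.4)."""
    y = rand_scalar()
    return ec_mul(y, G), h(enc(ec_mul(y, W)))

def user_session_key(w, Y):
    """User side: SK = h(w*Y) = h(w*y*P) = h(y*W), so both ends agree."""
    return h(enc(ec_mul(w, Y)))

def run_session(identity=b"alice"):
    """One authentication run; returns what each party ends up with."""
    x, X = gateway_setup()
    w, m1 = user_login(identity, X)
    recovered = gateway_recover_identity(x, m1)
    Y, sk_sensor = sensor_respond(m1["W"])
    sk_user = user_session_key(w, Y)
    # Forward secrecy (5.2.5): the transcript (W, Y, PID) plus a leaked x lets an
    # attacker unmask past pseudonyms, but SK needs w or y, which never leave the
    # endpoints; recovering them from W or Y is the discrete logarithm problem.
    return {"recovered_id": recovered, "sk_user": sk_user, "sk_sensor": sk_sensor,
            "pid": m1["PID"], "transcript": (m1["W"], Y, m1["PID"])}
```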
5.2.6. Forgotten Password Reset
The protocol supports a secure forgotten password reset mechanism. After successfully reconstructing the secret from the pre-selected security credentials, the user can reset the password. A password-related verifier is never revealed over the public channel. The reset process does not recover the old password, nor does it destroy long-lived secrets or previous session keys. Consequently, the proposed scheme offers a secure approach to resetting forgotten passwords.
5.2.7. Resistance to Impersonation Attack
To impersonate a legitimate user, an adversary would have to generate a valid authentication value . This requires knowledge of , along with a fresh random value, which is impossible without the gateway’s master key. Similarly, impersonating a sensor node requires generating valid and . These values depend on , which can be recovered only with the sensor’s and its secret key. In conclusion, the protocol effectively safeguards against impersonation attempts.
5.2.8. Resistance to Stolen Smart Card Attack
An adversary obtains nothing from a stolen smart card beyond hashed and masked parameters. Local credential verification requires the correct password, and generating valid gateway-authenticated messages requires executing the protocol successfully. Possession of the smart card alone therefore does not allow the adversary to impersonate the user, so the scheme resists stolen smart card attacks.
5.2.9. Resistance to Offline Password Guessing Attack
The scheme prevents offline password-guessing attacks. Even when an adversary obtains the data stored on the smart card through physical access or a side-channel attack, it remains infeasible to uniquely verify guessed identity–password pairs offline: the local verification value is reduced modulo M, so many identity–password pairs map to the same stored value and a correct guess cannot be distinguished from the colliding wrong ones. As a result, the adversary must resort to online login attempts to learn whether a guessed pair is correct, and the gateway can easily detect and restrict such attempts through monitoring and access control mechanisms. Consequently, the proposed scheme effectively prevents offline password guessing attacks and confines the adversary to detectable online attacks.
5.2.10. Resistance to Known Session-Specific Temporary Information Attack
Even if all session-specific temporary data (including and ) are revealed, the impact is limited to that session alone. The session key is derived from session-dependent values together with the long-term secrets K, x, and (the gateway master key, the gateway private key, and the sensor secret, respectively), which remain protected. Because fresh random values are generated in every session, the compromise of one session does not affect the security of any other. As such, the designed protocol withstands attacks that rely on exposure of session-specific temporary information.
5.2.11. Resistance to Replay Attack
Every authentication message contains timestamps ( , , , ) and fresh random numbers. Before processing received messages, the gateway, sensor, and user validate their freshness. Any replayed messages will fail to satisfy the timestamp verification or the authentication hash check, so replay attacks are prevented.
6. Performance Analysis
We assess the protocol’s performance in terms of computational complexity and communication overhead. Since the initialization, registration, and password update phases are executed infrequently, the performance evaluation primarily focuses on the mutual authentication phase, which represents the most critical operation in practical deployments. Furthermore, we compare our protocol with the ECC-based three-factor AKA scheme by Huang et al. [3], the industrial IoT authentication protocol by Zhao et al. [23], the anonymous signature-based scheme of Vangala et al. [24], and the privacy-controlled ECC protocol REPACA proposed by Kumar et al. [25].
6.1. Computational Performance Analysis
During the mutual authentication phase, three entities are involved: the user , the gateway node , and the sensor node . The dominant cryptographic operations performed by these entities are the one-way hash operation and elliptic curve scalar point multiplication, denoted as and , respectively. Other operations, such as XOR, concatenation, and timestamp comparison, incur negligible cost compared to and and are therefore excluded from the analysis.
During the authentication phase, the user performs the following operations:
- Three elliptic curve point multiplications to compute , and .
- Seven hash operations for message authentication and session key generation, including the computation of , , , , , , and .
Hence, the total user-side computational cost is: .
The gateway node is responsible for identity recovery, authentication verification, and message forwarding. During the authentication phase, it performs:
- One elliptic curve point multiplication to compute .
- Eight hash operations to verify message integrity and authenticity, including , , , , , , , and .
Thus, the computational cost at the gateway node is: .
Given the limited computational capability of sensor nodes, the proposed scheme is designed to minimize their cryptographic burden. During the authentication phase, the sensor node performs:
- Two elliptic curve point multiplications to compute and the shared secret component .
- Three hash operations for message authentication and session key derivation.
Hence, the computational cost at the sensor node is: .
The computational performance evaluation in this work follows the standard analytical cost estimation methodology widely adopted in lightweight studies. Specifically, the execution times of basic cryptographic primitives are taken from the benchmark results reported in Srinivas et al. [26], obtained on a platform equipped with a 2.4 GHz CPU and 4 GB RAM: the time required for symmetric encryption/decryption ms, the execution time of a one-way hash function ms, the time for point multiplication ms, the time for point addition ms, and the execution time of the fuzzy extractor Gen/Rep function , which is assumed to be approximately equal to .
In our system model, the gateway node is assumed to be a relatively resource-rich entity (e.g., an edge server or base station), whereas sensor nodes are resource-constrained devices. Although operations are still required at the sensor side, the proposed protocol is designed to keep the sensor-side computational workload at a minimal level compared with existing schemes, thereby ensuring feasibility in practical environments.
User–gateway–sensor interactions are simulated analytically by sequentially following the authentication message flow ( – ) and counting the dominant operations executed by each participant. The total protocol cost is obtained by multiplying the operation counts by the corresponding benchmark execution times, providing a fair and reproducible comparison with related protocols.
Table 4 summarizes the computational cost comparison for the authentication phase, contrasting our scheme with four representative related protocols. As shown in Table 4, the proposed protocol exhibits the lowest overall computational cost among the compared schemes, achieving 108.4 ms per authentication session. The computational workload distribution of the proposed protocol is balanced: the gateway performs lightweight verification and forwarding, while the sensor node avoids excessive public-key operations. Such a design is particularly suitable for practical deployments, where sensor-side energy consumption and latency are critical. Overall, the comparison indicates that the proposed scheme achieves competitive efficiency while retaining strong security properties.
6.2. Communication Performance Analysis
The communication performance is evaluated by comparing the total number of transmitted bits exchanged during the authentication phase. To ensure a fair comparison, the following assumptions are adopted for data length:
- Timestamp: 32 bits.
- Random number: 256 bits.
- Hash output: 256 bits.
- Identity (ID): 128 bits.
- Elliptic curve point: 256 bits.
- challenge: 128 bits.
During the authentication phase, four rounds of message exchanges are involved:
- from to .
- from to .
- from to .
- from to .
In these messages, , , , and denote hash values, while , , , and represent timestamps. In addition, corresponds to a point on the elliptic curve, and denotes the challenge. The values , , , , and are obtained through XOR operations, whose lengths are determined by the longer operands involved, resulting in bit-lengths of 256 bits, 384 bits, 384 bits, 512 bits, and 384 bits, respectively. Consequently, the total communication cost of the authentication phase amounts to bits.
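The analytic cost model of Sections 6.1 and 6.2, as an added Python example that is not the paper's code. The per-entity operation counts and the field lengths are the ones stated above; the benchmark times of Srinivas et al. [26] are left as parameters because their values are not reproduced in this extract, and the placement of elements in the four messages and the operand lengths behind each XOR-masked value are constructed assumptions chosen only to match the stated inventory.

```python
# Added example (not the paper's code): the analytic cost model of Sections 6.1 and 6.2.
# Operation counts per entity and field lengths are the ones stated in the text.

# Field lengths in bits assumed for the communication comparison.
FIELD_BITS = {"ts": 32, "rand": 256, "hash": 256, "id": 128, "point": 256, "challenge": 128}

# Dominant operations per entity in the authentication phase: (point multiplications, hashes).
OP_COUNTS = {"user": (3, 7), "gateway": (1, 8), "sensor": (2, 3)}

def computation_cost(t_pm: float, t_h: float) -> dict:
    """Per-entity and total cost (ms) for benchmark times T_pm and T_h. The values from
    Srinivas et al. [26] are not reproduced in this extract, so they are parameters here."""
    cost = {entity: pm * t_pm + h * t_h for entity, (pm, h) in OP_COUNTS.items()}
    cost["total"] = sum(cost.values())
    return cost

def concat_len(*lens: int) -> int:
    """Concatenation: operand lengths add up."""
    return sum(lens)

def xor_len(*lens: int) -> int:
    """XOR masking: the result is as long as the longest operand (shorter ones are padded)."""
    return max(lens)

def hash_len(*_inputs: int) -> int:
    """A hash output is fixed at 256 bits regardless of what was hashed."""
    return FIELD_BITS["hash"]

# Constructed message model (assumption): the placement of elements in the four messages and
# the operand lengths behind each XOR-masked value are not given in this extract; the choices
# below only reproduce the stated inventory of four hashes, four timestamps, one EC point,
# one challenge and masked values of 256, 384, 384, 512 and 384 bits.
TS, H, ID, R, P, C = (FIELD_BITS[k] for k in ("ts", "hash", "id", "rand", "point", "challenge"))
MESSAGES = {
    "M1_user_to_gateway": [hash_len(), TS, P, xor_len(ID, H), xor_len(concat_len(ID, H), H)],
    "M2_gateway_to_sensor": [hash_len(), TS, C, xor_len(concat_len(ID, R), H)],
    "M3_sensor_to_gateway": [hash_len(), TS, xor_len(concat_len(R, P), H)],
    "M4_gateway_to_user": [hash_len(), TS, xor_len(concat_len(ID, R), H)],
}

def communication_cost(messages: dict = MESSAGES) -> dict:
    """Bits per message and in total for the authentication phase."""
    bits = {name: sum(elements) for name, elements in messages.items()}
    bits["total"] = sum(bits.values())
    return bits

if __name__ == "__main__":
    print(computation_cost(t_pm=2.0, t_h=0.01))  # placeholder times, not the benchmark values
    print(communication_cost())
```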
Table 5 summarizes the communication cost comparison between the proposed scheme and the related schemes. The proposed protocol requires four message rounds, which is consistent with the compared schemes and is generally regarded as a reasonable trade-off between security and latency in scenarios. Although Kumar et al. [25] report a slightly lower communication cost (3200 bits), the proposed protocol achieves substantially lower computational cost and supports richer security functionality. Therefore, from a system-level perspective, the proposed protocol offers a favorable performance trade-off.
7. Discussion
The proposed protocol presents a flexible security and efficiency trade-off for wireless sensor networks. The security of the cryptographic techniques is based on the well-established mathematics of elliptic curves. In particular, the sensor node only requires a few elliptic curve operations and hash computations during the authentication phase, which effectively reduces energy consumption.
Physical Unclonable Functions enhance the security of the sensor nodes: no long-term secret is stored in memory, which prevents physical capture and key extraction attacks. Furthermore, in the context of , dynamic pseudonyms and session-dependent randomness achieve user anonymity and untraceability.
Unlike existing related protocols, the proposed protocol additionally provides a secure password update function and forgotten password reset, while keeping competitive computational and communication efficiency. The design strikes a good balance among security, usability, and efficiency.
In addition to the analytical performance evaluation, it is important to consider parameter configuration in real deployment scenarios. The gateway node may adopt the widely used elliptic curve secp256r1 to balance security and computational efficiency. Since sensor nodes only perform two scalar multiplications per authentication session, the proposed protocol remains feasible for resource-constrained environments. Furthermore, the timestamp tolerance window can be set to 2–5 s depending on network latency conditions. A 128-bit challenge length is recommended to enhance resistance against modeling attacks while maintaining low storage overhead. These deployment-oriented considerations further support the applicability of the proposed scheme in practical -based systems.
The proposed protocol is built on , whose security relies on the elliptic curve discrete logarithm problem. It is known that large-scale quantum computers running Shor’s algorithm may threaten -based schemes. Therefore, the current design mainly targets classical security in resource-constrained environments. Nevertheless, the protocol framework is modular, and -based key establishment can be replaced by post-quantum primitives (e.g., lattice-based approaches) in future extensions. This will be considered as an important direction for long-term security.
8. Conclusions
In this study, we proposed a secure and efficient protocol for . The proposed protocol guarantees secure mutual authentication as well as session key establishment. It also offers strong privacy protection. This was achieved through -based smart card user authentication and -assisted sensor authentication.
The proposed protocol was shown to be secure against impersonation, replay, offline password guessing, and stolen smart card attacks through formal verification using logic and along with informal security analysis. Performance results show that our protocol reduces computational cost compared with several prior schemes, while keeping communication overhead at an acceptable level.
Therefore, the protocol is well suited to practical scenarios requiring secure, privacy-preserving, and lightweight authentication. Future work on the scheme will include more complex network architectures and further improvements in deployment robustness.
Future work will extend the proposed scheme in two directions: (i) conducting simulation-based evaluations to measure authentication delay and energy consumption under varying node densities and network scales, and (ii) integrating lightweight post-quantum key agreement primitives to improve long-term security against quantum adversaries.
References
- [1] Akyildiz I.F., Su W., Sankarasubramaniam Y., Cayirci E. Wireless sensor networks: A survey. Comput. Netw. 2002, 38, 393–422. doi:10.1016/S1389-1286(01)00302-4
- [2] Ahmim M., Ouafi N., Ullah I., Ahmim A., Chefrour D., Almukhlifi R. LSAP-IoHT: Lightweight Secure Authentication Protocol for the Internet of Healthcare Things. Comput. Mater. Contin. 2025, 85, 5093–5116. doi:10.32604/cmc.2025.067641
- [3] Huang W. ECC-based three-factor authentication and key agreement scheme for wireless sensor networks. Sci. Rep. 2024, 14, 1787. doi:10.1038/s41598-024-52134-z. PMID 38245561, PMCID PMC10799882
- [4] Singh M., Mishra D. Post-quantum secure authenticated key agreement protocol for wireless sensor networks. Telecommun. Syst. 2023, 84, 101–113. doi:10.1007/s11235-023-01043-z
- [5] Roman R., Zhou J., Lopez J. On the features and challenges of security and privacy in distributed internet of things. Comput. Netw. 2013, 57, 2266–2279. doi:10.1016/j.comnet.2012.12.018
- [6] Zhou Y., Chen L., Zhao X., Yang Z. An anonymous authentication scheme with controllable linkability for vehicle sensor networks. Comput. Model. Eng. Sci. 2020, 125, 1101–1118. doi:10.32604/cmes.2021.013289
- [7] Li M., Hu S. A lightweight ECC-based authentication and key agreement protocol for IoT with dynamic authentication credentials. Sensors 2024, 24, 7967. doi:10.3390/s24247967. PMID 39771704, PMCID PMC11679686
- [8] Tyagi G., Kumar R. An efficient user authentication and key agreement scheme for wireless sensor networks using physically unclonable function. Int. J. Inf. Secur. 2024, 23, 935–962. doi:10.1007/s10207-023-00770-3
