Journal of Systems Architecture 160 (2025) 103368. Journal homepage: www.elsevier.com/locate/sysarc

Lightweight batch authentication and key agreement scheme for IIoT gateways

Xiaohui Ding a,*, Jian Wang a, Yongxuan Zhao b, Zhiqiang Zhang a

a College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, 211106, China
b Information Technology Research Center, China Academy of Aero-Engine Research, Beijing, 101304, China

Keywords: Industrial internet of things; Batch authentication and key agreement; Gateway lightweight

ABSTRACT

Existing authentication and key agreement (AKA) schemes face two primary challenges in the IIoT, where users dynamically communicate with multiple industrial devices. The first is significant computational and communication overhead, along with security vulnerabilities. The second is the inability to achieve gateway-lightweight solutions. To address these issues, this paper proposes a gateway-lightweight batch AKA scheme based on elliptic curve cryptography for the IIoT. When users access multiple industrial devices, they only need to send a batch authentication request to the gateway. Based on this request, the gateway generates a time-limited token using the Chinese Remainder Theorem (CRT), enabling users to efficiently complete AKA with multiple devices in a batch manner. Furthermore, the application of the CRT allows the gateway to efficiently update the time-limited token when the set of devices accessed by the user changes. Finally, due to the use of the time-limited token, the entire scheme requires only one round of interaction between the gateway and the user, ensuring the lightweight nature of the gateway. The security of the proposed scheme is proved through formal security proofs, heuristic analysis, and the Scyther tool.
Performance analysis shows that, compared to related schemes, the proposed scheme meets all listed security requirements with lower computational and communication overheads.

* Corresponding author. E-mail address: dingxiaohui@nuaa.edu.cn (X. Ding).
https://doi.org/10.1016/j.sysarc.2025.103368
Received 9 September 2024; Received in revised form 26 December 2024; Accepted 6 February 2025; Available online 15 February 2025.
1383-7621/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.

1. Introduction

In recent years, advances in computer technology and wireless sensor networks have fueled the rapid development of Internet of Things (IoT) technology. IoT is a self-organizing network of interconnected devices that can interact without human intervention [1]. IoT terminal devices generate vast amounts of valuable data in real time, positioning IoT as the third wave of global informatization following the advent of computers and the Internet [2]. With the development of emerging communication technologies such as 5G, the demand for IoT applications continues to grow. It is estimated that by 2030, the number of IoT devices will exceed 100 billion [3]. IoT has been widely applied in smart agriculture, autonomous driving, smart healthcare, the industrial sector, etc. [4]. In the industrial field, it is referred to as the IIoT, Industry 4.0, etc. [5,6]. The IIoT drives traditional industries toward intelligent and informatized development, enabling remote monitoring and automatic control of industrial production, which significantly enhances production efficiency [7].

Fig. 1 illustrates a typical IIoT system model, which involves three main entities: users, gateways, and industrial devices. After being authenticated by the gateway, users can remotely access industrial devices to retrieve data or directly control them. In practice, for a given industrial production task, users need to interact with multiple industrial devices, and the devices that need to be accessed or controlled change in real time as the task progresses. Therefore, to achieve more intelligent and efficient task completion, IIoT communication scenarios exhibit two typical characteristics: first, users need to interact with multiple industrial devices; second, the industrial devices that users need to access change frequently.

Fig. 1. IIoT system architecture.

In the IIoT, users interact with industrial devices, often requiring the transmission of communication information over open channels, which introduces significant security risks. To ensure security, many researchers have proposed AKA schemes tailored for the IoT domain, aimed at authenticating the legitimacy of the identities of communicating entities and negotiating session keys to secure subsequent communications [8–12]. However, these schemes primarily focus on authentication and key agreement between a single user and a single device, resulting in one-to-one AKA schemes. If such schemes were applied in the IIoT, users would need to repeatedly execute the scheme to complete authentication and key agreement with multiple industrial devices. This would lead to significant computational and communication overhead, making them unsuitable for resource-constrained IIoT environments [13,14].

To make the schemes more suitable for scenarios involving communication between users and multiple devices, researchers have proposed group-based AKA schemes [15–17], batch authentication schemes [18–22], and AKA schemes designed specifically for multi-device communication [13,14,23,24]. However, group-based AKA schemes require all devices in the group to share a common group key, which makes them vulnerable to impersonation attacks by malicious devices. Moreover, when the set of industrial devices accessed by the user changes, group AKA schemes face challenges with group membership updates and group key renewal. Compared to group schemes, batch schemes offer greater flexibility, allowing users to independently select multiple devices for batch authentication. However, most existing batch schemes focus only on batch message authentication [18–20] and identity verification [21,22], without considering the simultaneous implementation of batch authentication and key agreement. In recent years, researchers have proposed several AKA schemes with batch processing attributes for multi-device communication environments [13,14,23,24]. These schemes enable users to efficiently complete authentication and key agreement with multiple terminal devices simultaneously. However, the schemes presented in [13,23,24] exhibit notable deficiencies in resisting impersonation attacks and ensuring forward security. Zhang et al. [14] propose a many-to-many AKA scheme for vehicular networks, allowing users to efficiently complete authentication with multiple cloud servers and negotiate different session keys for each. This scheme offers a high level of security. However, analysis reveals that the cost of implementing batch authentication and key agreement between users and cloud servers is a significant computational and communication overhead borne by the trusted center, which raises concerns about potential single points of failure. Although existing schemes consider lightweight construction to accommodate the resource-constrained IIoT environment, most of them focus primarily on minimizing the computational load for users or end devices, with little attention given to the lightweight design of the gateway itself. In an IIoT system, the gateway is connected to a large number of industrial devices and must assist users in completing authentication and key agreement with multiple devices. Therefore, the efficiency of the gateway node directly affects the overall performance of the AKA scheme, making it crucial to consider the lightweight design of the gateway [25].

Problem Statement: Existing AKA schemes are ineffective for communication scenarios in the IIoT, where users dynamically interact with multiple industrial devices. Traditional one-to-one AKA schemes face significant computational and communication overhead issues. Group-based AKA schemes have security vulnerabilities, such as being unable to prevent impersonation attacks by malicious group devices, and they also encounter challenges related to group updates and group key updates. While batch processing offers greater flexibility, most schemes primarily focus on batch identity or message authentication, failing to achieve simultaneous batch authentication and key agreement. Some AKA schemes with batch processing attributes for multi-terminal device communication face security issues and potential single points of failure in gateways. To the best of our knowledge, no existing scheme considers achieving batch authentication and key agreement between users and multiple industrial devices while ensuring the lightweight nature of the gateway.

In summary, it is necessary to design an AKA scheme that is better suited to the unique communication scenarios of the IIoT. Such a scheme should efficiently enable users to authenticate with and establish session keys for multiple industrial devices, while also requiring minimal overhead when the industrial devices that a user wishes to access change. Additionally, the proposed scheme should ensure the lightweight design of the gateway to prevent it from becoming a performance bottleneck for the entire system. Based on these requirements, this paper proposes a gateway-lightweight batch AKA scheme for IIoT environments. The main contributions of this paper are as follows:

(1) Batch Authentication and Key Agreement: Based on elliptic curve cryptography combined with the Chinese Remainder Theorem and the concept of time-limited tokens, this paper presents a batch AKA scheme. This scheme allows users to independently select and authenticate multiple industrial devices in batches. Users only need to send a single batch authentication request to the gateway. In response, the gateway generates time-limited tokens using the Chinese Remainder Theorem. With the tokens, users can efficiently perform mutual authentication with multiple industrial devices and negotiate different session keys with each device. This approach effectively addresses the high computational and communication overhead associated with traditional one-to-one AKA schemes and mitigates the risk of impersonation attacks due to shared group keys in group AKA schemes.

(2) Efficient Token Update: Due to the use of the Chinese Remainder Theorem, the gateway can efficiently update time-limited tokens when the industrial devices that the user needs to access change, thereby avoiding the challenges of group updates and group key renewal encountered in group AKA schemes.

(3) Gateway Lightweight: Due to the use of time-limited tokens, in the batch authentication and key negotiation process the gateway only needs to interact with the user in one round to assist the user in completing authentication and key agreement with multiple industrial devices, without any direct interaction between the gateway and the industrial devices, thereby ensuring the lightweight nature of the gateway. Furthermore, the scheme does not involve computationally intensive operations such as bilinear pairings, ensuring that the computational and communication overhead for both users and industrial devices remains lightweight.

(4) Security and Performance Analysis: The security of the proposed scheme is demonstrated through formal security proofs, heuristic analysis, and the Scyther tool. Performance analysis shows that, compared to existing schemes, the proposed scheme meets all listed security requirements with lower computational and communication overheads and provides a significant advantage in terms of the lightweight nature of the gateway node.

The remainder of this paper is organized as follows: Section 2 reviews the related work. Section 3 presents the preliminaries and system model. Section 4 describes the detailed construction of the proposed scheme. Section 5 provides the security proof and analysis of the proposed scheme. A performance comparison between the proposed scheme and related schemes is presented in Section 6. Finally, Section 7 concludes the paper.

2. Related work

Existing AKA schemes comprise one-to-one AKA schemes for communication between users and single terminal devices, as well as group AKA schemes and batch processing schemes for communication with multiple terminal devices.

In 2009, Das et al. [26] first proposed a lightweight two-factor authentication scheme for wireless sensor networks (WSNs, a critical component of the IIoT). In their scheme, users authenticate themselves by entering a personal password and using a smart card. However, since the scheme relies solely on hash functions for security, it is unable to effectively resist various attacks, such as denial-of-service (DoS) attacks. Consequently, several authentication or key management schemes for WSN communication have been proposed [27–29]. With the development of IoT technology, and in order to balance security and lightweight requirements, several ECC-based AKA schemes for the IIoT have been proposed [10–12]. Li et al. [11] designed a privacy-preserving AKA scheme for the IIoT based on elliptic curve cryptography. Since the user and the gateway do not store the same secret value, the scheme is resistant to desynchronization attacks. However, further analysis reveals that the session key generation in this scheme does not involve long-term secret values, rendering it vulnerable to ephemeral secret leakage attacks. Similarly, the user authentication protocol proposed by Srinivas et al. [12] for IoT-based intelligent transportation systems fails to effectively resist privileged insider attacks. In 2022, Chen et al. [10] proposed an ECC-based AKA scheme for industrial control systems, which can resist most protocol attacks. However, further analysis reveals that the scheme lacks essential properties such as malicious user traceability and terminal device update capabilities. Moreover, all of the aforementioned schemes are designed for one-to-one environments. Given the presence of a large number of industrial devices in the IIoT, deploying these schemes could result in excessive computational and communication overheads as well as single points of failure. Therefore, these schemes are not suitable for real-world IIoT communication environments.

To make AKA schemes more suitable for multi-device communication scenarios, several group AKA schemes [15–17] have been proposed in recent years. Mandal et al. [15] introduced a certificateless authenticated group key agreement protocol based on elliptic curve cryptography, which ensures the non-repudiation of communication messages between senders and receivers, and establishes a group key for subsequent communication. To enhance practicality, the protocol also supports the dynamic addition and revocation of group members and considers the forward security of the session key. Xu et al. [16] designed a quantum-resistant identity-based group authentication scheme for IoT environments with concurrent access by numerous devices. The scheme is constructed using lattice-based aggregate signature algorithms and identity-based encryption algorithms, achieving quantum security while facilitating group authentication for multiple devices, and effectively addressing the issues related to certificate management. Wu et al. [17] proposed a lightweight group AKA protocol for the IIoT environment, based on symmetric bivariate polynomials, which achieves both authentication and group session key agreement. Compared to previous group AKA protocols, their scheme is more efficient. Although group AKA schemes are more suitable for multi-device communication scenarios than one-to-one AKA schemes, they face challenges in updating group keys when the industrial devices accessed by the user frequently change. Additionally, since all group devices share the same group key, these schemes cannot effectively prevent impersonation attacks by malicious devices.

The batch mode is more flexible than the group mode and is better suited for real-world communication scenarios in the IIoT. Pu et al. [19] proposed a lightweight message aggregation authentication protocol for drone networks, which is constructed using pairing-based cryptography and physically unclonable functions. This protocol enables secure and efficient data transmission between a base station and a group of drones. Shen et al. [21] proposed a batch authentication scheme for vehicular networks based on blockchain technology. In this scheme, a proxy vehicle selection algorithm is utilized to select proxy vehicles responsible for batch authenticating vehicles within a designated area. This effectively alleviates the authentication load when a large number of vehicles simultaneously connect to the same RSU. Additionally, the scheme employs a certificate-free mechanism and identity-based prefix encryption algorithms to achieve efficient batch authentication and protect the identity privacy of proxy vehicles. However, the aforementioned schemes, as well as most existing batch processing schemes, primarily focus on batch message authentication [18,20] or batch identity authentication [22], failing to achieve simultaneous batch authentication and key agreement.

Recently, some AKA schemes with batch processing capabilities have been proposed for multi-terminal communication scenarios [13,14,23,24], but these schemes also have limitations in terms of applicability and security. Cui et al. [23] proposed a scalable conditional privacy-preserving authentication scheme for multi-cloud environments, which is suitable for multi-terminal settings and demonstrates high efficiency. However, analysis reveals that the session key generation process in their scheme includes the identity information of the cloud server, allowing authenticated users to obtain the server's real identity. As a result, their scheme cannot effectively resist impersonation attacks or man-in-the-middle attacks. Vinoth et al. [24] utilized the Chinese Remainder Theorem and symmetric cryptography to achieve authentication and key agreement between users and multiple IIoT devices. However, in their scheme, the session keys negotiated between the user and multiple devices are identical, allowing devices to impersonate each other, which presents a significant security vulnerability. Yang et al. [13] also constructed a one-to-many AKA scheme for the IIoT based on the Chinese Remainder Theorem, addressing the issue in the scheme of Vinoth et al. [24] where the session keys between the user and multiple devices were identical. However, further analysis reveals that both Yang et al. [13] and Vinoth et al. [24] lack forward security. According to the work of Wang et al. [25] and Ma et al. [30], to achieve forward security, a scheme must perform at least two public key cryptographic operations on the device side. Since neither the scheme of Yang et al. [13] nor that of Vinoth et al. [24] deploys public key operations on the industrial devices, they fail to meet the forward security requirement. Zhang et al. [14] proposed a secure and efficient many-to-many AKA scheme for vehicular networks. The scheme allows vehicle users to perform batch authentication and key agreement with multiple cloud servers, while resisting various known protocol attacks. However, further analysis reveals that the efficiency of the batch authentication and key agreement comes at the cost of significant computational and communication overhead for the trusted center (which is equivalent to the gateway in an IIoT environment).

Most existing schemes, when designed, focus primarily on minimizing the computational overhead for users and end devices, with little attention given to the lightweight nature of the gateway. In 2023, Wang et al. [25] proposed a lightweight user authentication scheme for cloud-assisted IoT environments. The scheme achieves gateway lightweighting by offloading most of the computational and communication burdens from the gateway to the cloud server. However, it requires the cloud server to be fully trusted during the authentication and key agreement process, which introduces an overly strong security assumption. Moreover, the scheme does not consider adaptation to multi-device application environments, making it unsuitable for scenarios involving frequent communication between users and multiple industrial devices in IIoT environments.

In summary, existing schemes applied in IIoT environments, where users dynamically communicate with multiple industrial devices, encounter issues related to usability, security, and the lightweight nature of gateways. Regarding usability, traditional one-to-one AKA schemes suffer from excessive computational and communication overhead, while group AKA schemes face complexities related to group updates and group key updates. Moreover, batch identity authentication and batch message authentication schemes fail to achieve simultaneous batch authentication and key agreement. In terms of security, both group AKA schemes and existing batch-processing AKA schemes designed for multi-terminal communication scenarios exhibit deficiencies in critical security attributes such as resistance to impersonation attacks and forward security. Furthermore, existing schemes rarely consider the lightweight requirements of the gateway. In conclusion, existing schemes fail to achieve batch authentication and key agreement between users and multiple industrial devices while ensuring the lightweight nature of the gateway. In the IIoT, ensuring secure and efficient communication between users and multiple devices, as well as avoiding single points of failure in the gateway, are critical issues that require urgent solutions. Therefore, it is essential to propose a gateway-lightweight batch AKA scheme suitable for the IIoT.

3. Preliminary, system model, threat model and security objectives

This section first introduces the fundamental concepts required for constructing the proposed scheme. Then, the system model and security objectives of the proposed scheme are presented.

3.1. Preliminary

Elliptic Curve Cryptosystems: Elliptic curve cryptosystems were first proposed by Miller [31] and Koblitz [32]. Given a large prime $p$ and a finite field $\mathbb{F}_p$, choose parameters $a, b \in \mathbb{F}_p$ to generate an elliptic curve $E : y^2 = x^3 + ax + b \bmod p$ over $\mathbb{F}_p$. Let $O$ be the point at infinity on $E$; then $O$ and all points on $E$ form an additive cyclic group $G$ of order $q$ with generator $P$.

Elliptic Curve Discrete Logarithm Problem (ECDL) [14]: Given two random points $P, Q \in G$ on the elliptic curve $E$ where $Q = xP$, $x \in \mathbb{Z}_q^*$, the ECDL problem refers to the difficulty of finding the positive integer $x$ in probabilistic polynomial time (PPT) when the points $P$ and $Q$ are known.

Elliptic Curve Computational Diffie–Hellman problem (ECCDH) [33]: Given points $P, xP, yP \in G$, where $x, y \in \mathbb{Z}_q^*$, for any PPT adversary the advantage of computing $xyP \in G$ without knowing $x, y$ is negligible.

One-Way Collision-Resistant Hash Function: A one-way collision-resistant hash function is a deterministic algorithm that is irreversible and collision-resistant. It takes as input a binary string of arbitrary length and outputs a binary string of fixed length.

Chinese Remainder Theorem (CRT): The CRT [13,34] is an important theorem in number theory that is used to solve a system of congruences with pairwise coprime moduli, where the system of congruences takes the following form:

$$
\begin{cases}
x \equiv a_1 \pmod{m_1} \\
x \equiv a_2 \pmod{m_2} \\
\quad\vdots \\
x \equiv a_n \pmod{m_n}
\end{cases}
\tag{1}
$$

Let $m_1, m_2, \ldots, m_n$ be pairwise coprime positive integers, and $a_1, a_2, \ldots, a_n$ be any given $n$ positive integers. Then, for the positive integers $a_i$, $i \in [1, n]$, the general solution of the system of congruences is:

$$
x = a_1 t_1 M_1 + a_2 t_2 M_2 + \cdots + a_n t_n M_n + kM = \sum_{i=1}^{n} a_i t_i M_i + kM, \quad k \in \mathbb{Z}
\tag{2}
$$

where $M = m_1 \times m_2 \times \cdots \times m_n = \prod_{i=1}^{n} m_i$ is the product of the integers $m_1, m_2, \ldots, m_n$, $M_i \,(= M / m_i)$ denotes the product of the $(n-1)$ integers other than $m_i$, and $M_i t_i \equiv 1 \pmod{m_i}$, $i \in [1, n]$. The CRT states that the system of congruences has the following unique solution modulo $M$:

$$
x = \Big( \sum_{i=1}^{n} a_i t_i M_i \Big) \bmod M
\tag{3}
$$

3.2. System model

Fig. 2. System model.

The system model of the proposed gateway-lightweight batch AKA scheme for the IIoT is shown in Fig. 2. The system consists of four types of entities: a trusted authority, a gateway, users, and industrial devices. The detailed descriptions of each entity are as follows:

Trusted Authority (TA): The TA is a fully reliable entity, typically operated by a government authority, with sufficient computational and storage capabilities. Its primary responsibilities include generating and publishing system parameters, registering users and industrial devices, and authorizing gateways. Additionally, the TA is responsible for holding malicious users accountable.

User: Users must register at the TA, after which they can communicate with the gateway and industrial devices using smart mobile devices. When users wish to access industrial data collected by the devices or directly manipulate them, they need to complete mutual authentication with the industrial devices and negotiate a session key for secure subsequent communication. The user sends a batch authentication request to the gateway. Upon verifying the legitimacy of the user's identity, the gateway issues a time-limited token, enabling the user to complete authentication and key agreement with the industrial devices using the token.

Gateway: The gateway is a fully trusted entity that requires authorization from the TA. It is generally considered to possess greater computational and storage capabilities than industrial devices. The gateway is responsible for issuing time-limited tokens to users and assisting them in completing batch authentication and key agreement with multiple industrial devices.

Industrial device: Industrial devices register at the TA and use time-limited tokens to complete authentication and key agreement with users. Upon successful authentication and key agreement, the devices can securely transmit the collected industrial data to users after encrypting it with the session key, or they can execute corresponding industrial tasks based on user instructions.

3.3. Threat model and security objectives

• Threat model

This paper uses the standard Dolev–Yao (DY) model [35,36] to assess the security of the proposed AKA scheme. The DY model stipulates that an adversary $\mathcal{A}$ can control the insecure public communication channel between the parties and can read, modify, delete, forge, replay, or even inject false information into the channel. Additionally, when considering forward security, the adversary not only possesses all the capabilities defined in the DY model but can also acquire secret credentials, session states, and session keys from the communicating entities. Therefore, forward security must ensure that a compromise of the system does not affect the security of previous sessions. This paper assumes that in the IIoT environment, the gateway is a fully trusted entity, while users and industrial devices are considered untrusted participants.

• Security objectives

Based on the above threat model, the proposed scheme should meet the following security objectives:

(1) Mutual authentication and key agreement: The scheme should enable mutual authentication between the user and industrial devices, ensuring that only authenticated users can access the data collected by the industrial devices. Additionally, the scheme should facilitate the negotiation of specific session keys between the user and industrial devices for secure communication in subsequent interactions.

(2) User anonymity: To ensure the privacy of the user's identity, information transmitted over public channels should not reveal the user's true identity.

(3) Forward security: The scheme should achieve forward security, meaning that even if an adversary obtains the long-term secret values of the participants and the session state or session keys of the current session, they should not be able to compute the session keys of previous sessions.

(4) Unlinkability: The scheme should ensure unlinkability, meaning that an adversary should not be able to link two different messages transmitted over the public channel to the same user or industrial device.

(5) Resistance to various attacks: The scheme should be capable of withstanding common protocol attacks, such as replay attacks, spoofing attacks, privileged insider attacks, man-in-the-middle attacks, etc.

4. Proposed scheme

The scheme consists of seven formalized algorithms: system establishment, industrial device registration, user registration, gateway authorization, authentication and key agreement, industrial device update, and malicious user tracking. The main symbols used in the scheme are described in Table 1.

Table 1. Notations and definitions.
  $\lambda$: Security parameter
  $G$: An elliptic curve cyclic additive group
  $P$: A generator of $G$
  $q$: The order of $G$
  $mpk, msk$: System master public–private key pair
  $h$: Hash function
  $s, PK$: Gateway private–public key pair
  $x_j$: Industrial device private key
  $SK_{SD_j}$: Long-term session key between industrial device and the gateway
  $y_i, Y$: User private–public key pair
  $SK_{u_i}$: Long-term session key between user and the gateway
  $a, a_i, r, r_i, r_j, r_g$: Random numbers
  $PID_i$: User's pseudonym
  $T_i$: Timestamp
  $TSK, TSK^*$: Temporary secret value
  $SK$: Session key

4.1. System establishment

The TA inputs the system security parameter $\lambda$ and generates the system parameters accordingly. The TA generates an additive cyclic group $G$ based on a non-singular elliptic curve, whose order is $q$ and whose generator is $P$. It randomly selects $msk \in \mathbb{Z}_q^*$ as the system master key and computes $mpk = msk \cdot P$ as the system's master public key. It randomly selects secure hash functions $h : \{0,1\}^* \to \mathbb{Z}_q^*$ and $h_1 : \{0,1\}^* \to \{0,1\}^l$. It chooses $GID$ as the identity of the gateway, chooses $s$ as the gateway private key and computes $PK = s \cdot P$ as the gateway public key. Finally, the TA announces the system parameters $params : \{G, P, mpk, h, h_1, GID, PK\}$.

4.2. Industrial device registration

The TA selects the identity $SID_j$ for industrial device $SD_j$, randomly chooses $x_j \in \mathbb{Z}_q^*$ as the private key of the industrial device, and calculates $SK_{SD_j} = h(s \parallel SID_j)$ as the long-term session key between the device and the gateway. The TA sends the parameters $\{x_j, SID_j, SK_{SD_j}\}$ securely to the industrial device (e.g., by offline registration), and $SD_j$ secretly stores the parameters $\{x_j, SID_j, SK_{SD_j}\}$ to complete the registration.

4.3. User registration

User $u_i$ selects an identity $ID_i$ and password $PW_i$, computes $UPW_i = h_1(ID_i \parallel PW_i)$, randomly selects $a \in \mathbb{Z}_q^*$, and securely sends the registration request $\{UPW_i \oplus a, ID_i\}$ to the TA.

After receiving the registration request, the TA takes the current timestamp $T_c$ and a random number $a_i \in \mathbb{Z}_q^*$, then calculates $k_i = h(ID_i \parallel s \parallel T_c \parallel a_i)$ and $A_i = UPW_i \oplus a \oplus k_i$. It randomly selects $y_i \in \mathbb{Z}_q^*$ as the user's private key, computes $Y = y_i \cdot P$ as the user's public key, and computes $SK_{u_i} = h(s \parallel ID_i)$ as the long-term session key between the user and the gateway. The TA returns the parameters $\{y_i, A_i, SK_{u_i}\}$ securely to the user.

After receiving the parameters $\{y_i, A_i, SK_{u_i}\}$ returned by the TA, the user calculates $k_i = UPW_i \oplus a \oplus A_i$, $B_i = h_1(k_i \parallel ID_i \parallel UPW_i)$ and $C_i = UPW_i \oplus k_i$. The user securely stores the parameters $\{y_i, B_i, C_i, SK_{u_i}, params\}$ in their mobile smart device (such as a smartphone) to complete the registration process (see Fig. 3).

Fig. 3. User registration phase.

4.4. Gateway authorization

The TA authorizes the gateway: it sends the gateway private key $s$ and the system parameters $params$ to the gateway, and sends the industrial device and user registration parameters $\{x_j, SID_j, SK_{SD_j}\}$ and $\{y_i, ID_i, SK_{u_i}\}$ to the gateway.

4.5. Authentication and key agreement phase

• Login phase

To communicate with industrial devices, a user must first log into their smart terminal device. The user enters the identity $ID_i$ and password $PW_i$; the smart device calculates $UPW_i = h_1(ID_i \parallel PW_i)$, $k_i = C_i \oplus UPW_i$, $B_i' = h_1(k_i \parallel ID_i \parallel UPW_i)$, and verifies $B_i' \overset{?}{=} B_i$. If they are not equal, the smart device rejects the user's login; otherwise the user successfully logs into the smart device (see Fig. 4).

Fig. 4. Authentication and key agreement phase.

• Authentication and key agreement

(1) User $u_i$ randomly selects $r_i \in \mathbb{Z}_q^*$, picks the current timestamp $T_1$, and computes $r_i^* = h(r_i \parallel SK_{u_i} \parallel T_1)$, $M_1 = r_i^* \cdot PK$, $M_2 = r_i^* \cdot P$. $u_i$ computes the temporary pseudonym $PID_i = ID_i \oplus h(r_i^* \cdot PK)$; communicating under a pseudonym enables conditional privacy protection of the user's identity. $u_i$ computes $M_3 = h(M_2 \parallel M_1) \oplus SID_j$, where $SID_j = \{SID_0, \ldots, SID_n\}$. The user can select multiple industrial devices to access in a batch and, after the authentication and key agreement phase, negotiates distinct session keys with each device for subsequent communication. $u_i$ computes $M_4 = h(PID_i \parallel M_1 \parallel SK_{u_i} \parallel T_1 \parallel SID_j)$. Subsequently, $u_i$ sends $msg_1 = \{GID, PID_i, T_1, M_2, M_3, M_4\}$ to the gateway.

(2) After receiving the message sent by the user, the gateway first checks the validity of the timestamp by $T_1' - T_1 \le \nabla T$, where $T_1'$ is the time at which the gateway received $msg_1$. If the timestamp is valid, the gateway computes $M_1 = s \cdot M_2$, $ID_i = PID_i \oplus h(M_1)$, and checks whether $ID_i$ exists in the revocation list. (NOTE: The gateway maintains a revocation list storing the identities of malicious users. When a user behaves maliciously, the gateway recovers its real identity from its pseudonym and stores it in the revocation list. The tracking of malicious users is explained later.) If $ID_i$ is not in the revocation list, the gateway computes $SID_j = h(M_2 \parallel M_1) \oplus M_3$ and $M_4' = h(PID_i \parallel M_1 \parallel SK_{u_i} \parallel T_1 \parallel SID_j)$, and verifies $M_4' \overset{?}{=} M_4$. If verification fails, the error termination symbol $\perp$ is returned. Otherwise, the gateway selects the current timestamp $T_2$, queries the terminal registration tuples based on the user's requested identity list $SID_j$, and computes $\partial_g = \prod_{j=1}^{n} x_j$, $d_j = \partial_g / x_j$, $d_j \times k_j \equiv 1 \bmod x_j$, $var_j = d_j \times k_j$, $Q = \sum_{j=1}^{n} var_j$. The gateway randomly selects $k_d, r \in \mathbb{Z}_q^*$, computes $\gamma_d = k_d \times Q$, $TSK = h(r \parallel s \parallel T_2)$, $M_5 = h(SK_{u_i} \parallel M_2) \oplus TSK$, $M_6 = h(M_5 \parallel TSK \parallel SK_{u_i}) \oplus GID$, $M_7 = h(M_2 \parallel M_5 \parallel M_6 \parallel TSK \parallel SK_{u_i} \parallel T_2 \parallel GID)$, $M_8 = h(k_d \parallel M_2 \parallel SK_{SD_j}) \oplus TSK$, $M_9 = h(M_8 \parallel TSK \parallel SK_{SD_j}) \oplus (PID_i \parallel GID)$, $M_{10} = h(M_2 \parallel M_8 \parallel M_9 \parallel TSK \parallel SK_{SD_j} \parallel PID_i \parallel GID)$. It generates two messages $msg_2 = \{T_2, M_5, M_6, M_7\}$ and $msg_3 = \{T_2, M_2, M_8, M_9, M_{10}, \gamma_d\}$, where $msg_3$ is the time-limited token, and sends $msg_2, msg_3$ to the user.

(3) After receiving the message, the user first opens $msg_2$ and checks the validity of the timestamp by $T_2' - T_2 \le \nabla T$, where $T_2'$ is the time at which the user receives $msg_2, msg_3$. If the timestamp is valid, the user computes $TSK = h(SK_{u_i} \parallel M_2) \oplus M_5$, $GID =$

key no longer exists in $Q'$. Similarly, the new industrial devices added to the list can use their private keys to recover the new secret value $k_d'$ through a modulo operation, and then complete the subsequent authentication and key agreement process. (Note: $var_j$ represents multiple industrial devices.
For example, ℎ 𝑀5 ∥ 𝑇 𝑆 𝐾 ∥ 𝑆 𝐾𝑢𝑖 ⊕ 𝑀6 , 𝑀7 ′ = ( ) when the identity list includes newly added industrial devices 𝑆 𝐼 𝐷3 , ? ( ) ℎ 𝑀2 ∥ 𝑀5 ∥ 𝑀6 ∥ 𝑇 𝑆 𝐾 ∥ 𝑆 𝐾𝑢𝑖 ∥ 𝑇2 ∥ 𝐺𝐼 𝐷 . and verify 𝑀7 ′ = 𝑆 𝐼 𝐷5 , 𝑆 𝐼 𝐷7 , then 𝑄′ = 𝑄+ 𝑣𝑎𝑟3 + 𝑣𝑎𝑟5 + 𝑣𝑎𝑟7 . If devices 𝑆 𝐼 𝐷4 , 𝑆 𝐼 𝐷8 ( ) 𝑀7 . If verification fails, returned the error termination symbol are not in the new identity request list, then 𝑄′ = 𝑄 − 𝑣𝑎𝑟4 + 𝑣𝑎𝑟8 .) ⊥. Otherwise, user selects the current timestamp 𝑇3 , randomly selects 𝑟𝑔 ∈ 𝑧∗𝑞 , computes 𝑀11 = 4.7. Malicious user tracking ( ) ( ) ℎ 𝑀2 ∥ 𝑇 𝑆 𝐾 ⊕ 𝑟𝑔 , 𝑀12 = ℎ 𝑀2 ∥ 𝑀11 ∥ 𝑟𝑔 ∥ 𝑇 𝑆 𝐾 ∥ 𝑃 𝐼 𝐷𝑖 ∥ 𝑇3 , { } and generates the message 𝑚𝑠𝑔4 = 𝑇3 , 𝑀11 , 𝑀12 , 𝑃 𝐼 𝐷𝑖 . User When gateway detects the malicious behavior of user 𝑃 𝐼 𝐷𝑖 , gate- broadcasts{ the received time-limited} token way can recover its real identity 𝐼 𝐷𝑖 by compute 𝐼 𝐷𝑖 = 𝑃 𝐼 𝐷𝑖 ⊕ℎ(𝑠⋅𝑀2 ), 𝑚𝑠𝑔3 = 𝑇3 , 𝑀2 , 𝑀8 , 𝑀9 , 𝑀10 , 𝛾𝑑 from the gateway and the then add its real identity to the revocation list, and submit the real { } generated message 𝑚𝑠𝑔4 = 𝑇3 , 𝑀11 , 𝑀12 , 𝑃 𝐼 𝐷𝑖 to the industrial identity 𝐼 𝐷𝑖 of the malicious user to TA. devices in the area. (4) After industrial device in the region receives the message, it 5. Security analysis first opens the message 𝑚𝑠𝑔4 and checks the validity of times- tamp by 𝑇3′ − 𝑇3 ≤ ∇𝑇 , where 𝑇3′ is the time when industrial This section provides a security proof and analysis of the proposed device receives 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 . If timestamp is valid, industrial de- batch authentication and key agreement scheme. First, the security vice meets the authentication conditions opens the time-limited of the scheme is formally proven using the Real-Or-Random (ROR) token message 𝑚𝑠𝑔3 and uses its own private key to obtain model [37]. Next, heuristic analysis is employed to demonstrate the the secret value ( 𝑘𝑑 by calculating )𝑘𝑑 = 𝛾𝑑 𝑚𝑜𝑑 𝑥𝑗 . Next, com- scheme’s resilience against various protocol attacks. 
Finally, the ad- ( ) pute 𝑇 𝑆 𝐾 = ℎ 𝑘𝑑 ∥ 𝑀2 ∥ 𝑆 𝐾𝑆 𝐷𝑗 ⊕ 𝑀8 , 𝑃 𝐼 𝐷𝑖 ∥ 𝐺𝐼 𝐷 = vanced protocol verification tool Scyther is used to validate the security ( ) ℎ 𝑀8 ∥ 𝑇 𝑆 𝐾 ∥ 𝑆 𝐾𝑆 𝐷𝑗 ⊕ 𝑀9 , and of the proposed scheme. ( ) The ROR model is widely used in the formal security proofs of AKA 𝑀10 ′ = ℎ 𝑀2 ∥ 𝑀8 ∥ 𝑀9 ∥ 𝑇 𝑆 𝐾 ∥ 𝑆 𝐾𝑆 𝐷𝑗 ∥ 𝑃 𝐼 𝐷𝑖 ∥ 𝐺𝐼 𝐷 and schemes. Formal security proofs can characterize the capabilities of ? verify 𝑀10 ′ = 𝑀10 . If verification fails, returned error termina- adversaries in both passive and active attacks, demonstrating that the ( ) tion symbol ⊥. Otherwise, compute 𝑟𝑔 = ℎ 𝑀2 ∥ 𝑇 𝑆 𝐾 ⊕ 𝑀11 , scheme can provide secure authentication and semantic security. How- 𝑀12 = ′ ever, formal security proofs cannot fully capture the attack capabilities ( ) ? of adversaries in real-world environments. ℎ 𝑀2 ∥ 𝑀11 ∥ 𝑟𝑔 ∥ 𝑇 𝑆 𝐾 ∥ 𝑃 𝐼 𝐷𝑖 ∥ 𝑇3 and verify 𝑀12 ′ = 𝑀12 . Heuristic security analysis can adequately consider the attack ca- If verification passes, the industrial device authenticates both pabilities of adversaries in real-world environments, as well as the the user and the gateway. Industrial device picks the current security requirements of the scheme. Therefore, heuristic analysis is timestamp 𝑇4 , randomly selects 𝑟𝑗 ∈ 𝑧∗𝑞 , computes 𝑇 𝑆 𝐾 ∗ = ( ) ( ) often used in conjunction with formal security proofs to jointly assess ℎ 𝑟𝑗 ∥ 𝑇 𝑆 𝐾 , 𝑀13 = ℎ 𝑀2 ∥ 𝑇 𝑆 𝐾 ⊕ 𝑇 𝑆 𝐾 ∗ , 𝑀14 = 𝑟𝑗 ⋅ ( ) the security of the scheme. However, heuristic analysis heavily relies 𝑀2 , 𝑀15 = 𝑟𝑗 ⋅ 𝑃 , 𝑀16 = ℎ 𝑀13 ∥ 𝑀15 ∥ 𝑇 𝑆 𝐾 ∥ 𝑇 𝑆 𝐾 ∗ ∥ 𝑇4 . ( ∗ ) on the experience of the analyst, which introduces the risk of human Computes the session key 𝑆 𝐾 = ℎ 𝑀2 ∥ 𝑀13 ∥ 𝑀14 ∥ 𝑇 𝑆 𝐾 oversight in the analysis. with the user 𝑢𝑖 . Industrial device generates message 𝑚𝑠𝑔5 = { } The Scyther tool is widely used for the analysis of authentication 𝑇4 , 𝑀2 , 𝑀13 , 𝑀15 , 𝑀16 and sends message 𝑚𝑠𝑔5 to the user 𝑢𝑖 . 
schemes, providing a range of statements to test the security properties (5) After receiving the message, user opens the message 𝑚𝑠𝑔5 and of the schemes. Secret statements are used to assess key security, while checks the validity of timestamp by 𝑇4′ − 𝑇4 ≤ ∇𝑇 . If timestamp ( ) authentication statements primarily evaluate the scheme’s resistance to is valid, computes 𝑇 𝑆 𝐾 ∗ = ℎ 𝑀2 ∥ 𝑇 𝑆 𝐾 ⊕ 𝑀13 , 𝑀16 ′ = ( ) ? various attacks, such as replay attacks, impersonation attacks, and man- ℎ 𝑀13 ∥ 𝑀15 ∥ 𝑇 𝑆 𝐾 ∥ 𝑇 𝑆 𝐾 ∗ ∥ 𝑇4 , and verify 𝑀16 ′ = 𝑀16 . in-the-middle attacks. However, similar to formal security proofs, the If verification fails, returned the error termination symbol ⊥. Scyther tool cannot fully capture the attack capabilities of adversaries Otherwise, user computes the session key 𝑆 𝐾 = in real-world environments. ( ) ℎ 𝑀2 ∥ 𝑀13 ∥ 𝑟∗𝑖 ⋅ 𝑀15 ∥ 𝑇 𝑆 𝐾 ∗ . At this point, user and indus- In summary, the three analysis methods each have their own advan- trial device have completed mutual authentication and agree- tages and disadvantages. Security proofs and the Scyther tool represent ment a session key for subsequent communication. formal analysis approaches, which effectively mitigate the analytical errors introduced by human factors in heuristic analysis. However, 4.6. Time-limited token update formal methods cannot fully capture the capabilities of attackers and the security properties that the scheme must satisfy, whereas heuristic As the production tasks progress, the industrial devices that the user analysis can effectively address this limitation. It is well known that de- needs to access may change in real-time. Compared to the current list of signing a secure AKA scheme and proving its security is a complex task. accessed devices, the user may need to access new devices or no longer Therefore, we employ these three mainstream approaches to analyze need access to certain devices. 
In this case, the user sends a new batch and prove the security of the scheme proposed in this paper, aiming authentication request, which includes the identity list of the newly to complement each method’s strengths and weaknesses to minimize { } requested industrial devices, denoted as 𝑆 𝐼 𝐷𝑗 ′ = 𝑆 𝐼 𝐷0 , … , 𝑆 𝐼 𝐷𝑛 , security oversights. to the gateway. If the list contains new industrial device identities, the gateway computes 𝑄′ = 𝑄 + 𝑣𝑎𝑟𝑗 . If certain devices are not included in 5.1. Formal security proof the new identity request list, the gateway computes 𝑄′ = 𝑄−𝑣𝑎𝑟𝑗 . Then gateway randomly selects a new secret value 𝑘′𝑑 ∈ 𝑧∗𝑞 and computes • Security model 𝛾𝑑′ = 𝑘′𝑑 × 𝑄′ to complete the update of the time-limited token. After the update completed, the deleted industrial device will not be able Before proving the security of the scheme in this paper, the defini- to recover the secret value 𝑘′𝑑 by modulo operation because its private tion of each basic primitive in the ROR model is first given [37]: 7 X. Ding et al. Journal of Systems Architecture 160 (2025) 103368 (1) Participants: In the scheme of this paper, there are three partic- the security of the scheme  session key in PPT time is: ipants, namely user, gateway, and industrial device. During the 2 2 (𝑞𝑠 +𝑞𝑒 )2 𝑞ℎ2 +2(2𝑞ℎ +𝑞𝑠 ) +3(𝑞ℎ +𝑞𝑠 ) 𝐴𝑑 𝑣 (𝑡) ≤ 2( + protocol execution, they are instantiated as 𝑈𝑖 , 𝑆 𝐷𝑗 , and 𝐺𝑊  𝑃 ( )2 ) 2𝑙 (5) respectively. Let 𝑈𝑖𝑎 denote the instance 𝑎 of user 𝑈𝑖 , 𝑆 𝐷𝑗𝑏 denote +𝑞ℎ 𝑞𝑠 + 𝑞𝑒 + 1 ⋅ 𝐴𝑑 𝑣𝐸  𝐶 𝐶 𝐷𝐻 (𝑡) the instance 𝑏 of industrial device 𝑆 𝐷𝑗 , 𝐺𝑊 𝑐 denote the instance 𝑐 of gateway 𝐺𝑊 . Define six different games to prove the security of the scheme, (2) partnering: Let 𝑠𝑖𝑑 denote the session identifier, if there is a denoted 𝐺0 − 𝐺5 . The games start at 𝐺0 and end at 𝐺5 . In these partnership between instance 𝑈𝑖𝑎 and instance 𝑆 𝐷𝑗𝑏 , then they games, the adversary’s advantage is gradually reduced to zero. 
𝑆 𝑢𝑐 𝑐𝑖 [ ] satisfy the following three conditions: they are both in the and 𝑃 𝑟 𝑆 𝑢𝑐 𝑐𝑖 respectively denote the event and probability that  accepted state; they share the same session identifier 𝑠𝑖𝑑; they makes a successful guess in game 𝐺𝑖 , 𝑖 ∈ [0, 5]. are partners with each other. Game 𝐺0 : Game 𝐺0 simulates the real attack of adversary  on (3) Freshness: Freshness is a fundamental concept that defines pro- the proposed scheme  under the ROR model, which can be obtained tocol security. Freshness means that instances 𝑈𝑖𝑎 and 𝑆 𝐷𝑗𝑏 are according to the definition of semantic security: Freshness if a session key 𝑆 𝐾 has been agreement between user [ ] 𝐴𝑑 𝑣  (𝑡) = 2𝑃 𝑟 𝑆 𝑢𝑐 𝑐0 − 1. (6) 𝑈𝑖 and industrial device 𝑆 𝐷𝑗 and 𝑆 𝐾 has not been compromised to an adversary. Game 𝐺1 : Game 𝐺(1 simulates eavesdropping attacks. Compared ) The DY model defines that an adversary can take full control of with game 𝐺0 , 𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 , 𝐺𝑊 𝑐 query is added to 𝐺1 .  moni- { } the open channel and eavesdrop to obtain public parameters on the toring the communication information 𝑚𝑠𝑔1 = 𝑃 𝐼 𝐷𝑖 , 𝑇1 , 𝑀2 , 𝑀3 , 𝑀4 , { } { } open channel. In addition, the adversary can modify or replay messages 𝑚𝑠𝑔2 = 𝑇2 , 𝑀5 , 𝑀6 , 𝑀7 , 𝑚𝑠𝑔3 = 𝑇2 , 𝑀2 , 𝑀8 , 𝑀8 , 𝑀10 , 𝛾𝑑 , 𝑚𝑠𝑔4 = { } { } exchanged in the open channel and forge new messages to spoof other 𝑇3 , 𝑀11 , 𝑀12 , 𝑃 𝐼 𝐷𝑖 , 𝑚𝑠𝑔5 = 𝑇( 4 , 𝑀2 , 𝑀13 , 𝑀15 ,)𝑀16 between the instances. Adversary  can perform the following queries: three participants through 𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 , 𝐺𝑊 𝑐 query, and finally determines whether the value of the 𝑇 𝑒𝑠𝑡 query output is a real session (1) 𝐻 𝑎𝑠ℎ (⋅): When  performs a hash query, it returns a random key or a random string. In the scheme of this paper, the process of value of (fixed length. ) ( ) computing the session key 𝑆 𝐾 = ℎ 𝑀2 ∥ 𝑀13 ∥ 𝑀14 ∥ 𝑇 𝑆 𝐾 ∗ contains (2) 𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 , 𝐺𝑊 𝑐 : The query simulates eavesdropping ∗ the secret values 𝑟𝑗 and 𝑇 𝑆 𝐾 . 
Therefore, it is obvious that  cannot attack.  can obtain all the messages transmitted by 𝑈𝑖 , 𝑆 𝐷𝑗 , compute 𝑆 𝐾 between user and industrial device by monitoring to the 𝐺𝑊 on ( the open channel ) by monitoring. message. Compared with 𝐺0 , monitoring message cannot increase the (3) 𝑆 𝑒𝑛𝑑 𝑈𝑖𝑎 ∕𝑆 𝐷𝑗𝑏 ∕𝐺𝑊 𝑐 , 𝑚 : The query simulates an active attack. probability of  winning the game 𝐺1 , which can be obtained:  sends message 𝑚 to instance 𝑈𝑖𝑎 ∕𝑆 𝐷𝑗𝑏 ∕𝐺𝑊 𝑐 . If 𝑚 is valid, | [ ] [ ]| |𝑃 𝑟 𝑆 𝑢𝑐 𝑐1 − 𝑃 𝑟 𝑆 𝑢𝑐 𝑐0 | = 0. (7) the instance responds and replies to the message; otherwise, the | | instance( ignores )this query. Game 𝐺2 : Game 𝐺2 describes the ability of adversary  to attack (4) 𝑅𝑒𝑣𝑒𝑎𝑙 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 : This query simulates the disclosure of session actively. Compared with 𝐺1 , adversary  in 𝐺2 will actively join the key. When  executes this query, the session key 𝑆 𝐾 established session by executing 𝑆 𝑒𝑛𝑑 query and 𝐻 𝑎𝑠ℎ query, and try to forge between instances 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 will revealed to the adversary. ( ) legitimate messages to deceive the scheme participating entities.  has (5) 𝐶 𝑜𝑟𝑟𝑢𝑝𝑡 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 : This query simulates the ability of an adver- the possibility to construct a valid message only when a collision is sary to corrupt an instance. When  executes this query,  has detected, which in turn destroys the semantic security of . The scheme access to all the secret parameters of the participating instances. in this paper has two types of collisions in the phase of authentication ( ) and key agreement: (6) 𝑇 𝑒𝑠𝑡 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 : This query simulates the semantic security of (1) The hash function ℎ collides on output, and its maximum prob- the session key 𝑆 𝐾 between instances 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 . When  exe- 𝑞2 cutes this query, the simulator flips a random coin 𝑏 ∈ {0, 1}. If ability is: 2ℎ𝑙 . 
( ) 𝑏 == 1, the simulator returns to  the session key; if 𝑏 == 0, it (2) The random number in message 𝑚𝑠𝑔1 , 𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 , 𝑚𝑠𝑔5 2 returns a random string of the same length as the session key. (𝑞 +𝑞 ) experiences a collision, and its maximum probability is: 𝑠 2𝑝 𝑒 . Semantic security[38]: In the ROR model, the goal of the adversary Therefore, unless a collision occurs, 𝐺2 and 𝐺1 are indistinguishable.  is to distinguish whether a real session key or a random number is According to the birthday paradox, we have: returned by the 𝑇 𝑒𝑠𝑡 query.  can query the instance 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 with the ( )2 PPT number of 𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒, 𝑆 𝑒𝑛𝑑, 𝑅𝑒𝑣𝑒𝑎𝑙, 𝐶 𝑜𝑟𝑟𝑢𝑝𝑡, 𝑇 𝑒𝑠𝑡, when the query | [ ] [ ]| 𝑞ℎ2 𝑞𝑠 + 𝑞𝑒 |𝑃 𝑟 𝑆 𝑢𝑐 𝑐2 − 𝑃 𝑟 𝑆 𝑢𝑐 𝑐1 | ≤ 𝑙 + (8) is finished,  outputs a bit 𝑏′ , and only when 𝑏′ = 𝑏,  wins this | | 2 2𝑝 game. Let 𝑆 𝑢𝑐 𝑐 denote that  wins the game, and let  denote the AKA Game 𝐺3 : In Game G3,  tries to forge a valid message that can be scheme constructed in this paper, then the advantage of  in breaking verified by guessing the secret parameter. Specifically,  tries to forge the semantic security of  is: the following message: 𝐴𝑑 𝑣𝑎𝑘𝑎  () = 2𝑃 𝑟 [𝑆 𝑢𝑐 𝑐] − 1. (4) (1) The adversary successfully forged the message 𝑚𝑠𝑔1 . In this case,  needs to make 𝐻 𝑎𝑠ℎ query to compute 𝑚𝑠𝑔1 . Therefore,  • Security proof make the following query: {( ) ( ) } 𝑀2 ∥∗∥ 𝑆 𝐼 𝐷𝑗 , 𝑃 𝐼 𝐷𝑖 ∥∗∥∗∥ 𝑇1 ∥ 𝑆 𝐼 𝐷𝑗 , 𝑀4 . And the prob- (𝑞 +𝑞 )2 ability of success in this event is denoted as: ℎ 2𝑙 𝑠 . Theorem 1. Let  denote the adversary that breaks the scheme  in PPT time 𝑡 and  be a cipher space that obeys the distribution of Zipf’s (2) The adversary successfully forged the message 𝑚𝑠𝑔2 . Similar to law [39]. 𝑞ℎ , 𝑞𝑠 , 𝑞𝑒 denote the number of 𝐻 𝑎𝑠ℎ queries, 𝑆 𝑒𝑛𝑑 queries, above,  needs to make { 𝐻 𝑎𝑠ℎ query to compute 𝑚𝑠𝑔2 .  make } ( ) ( ) 𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒 queries respectively. |𝐻 𝑎𝑠ℎ| and 𝑙 represent the output space of the the following query: ( ∗∥ 𝑀2 ∥∗ , 𝑀5 ∥∗∥∗∥ 𝐺𝐼 𝐷 , ) . 
hash function ℎ (⋅) and the output length of the random prediction machine. 𝑀2 ∥ 𝑀5 ∥ 𝑀6 ∥∗∥∗∥ 𝑇2 ∥ 𝐺𝐼 𝐷 , 𝑀7 𝐴𝑑 𝑣𝐸 𝐶 𝐶 𝐷𝐻 (𝑡) denotes the advantage of adversary  solving 𝐸 𝐶 𝐶 𝐷𝐻 And the probability of success in this event is denoted as:  (2𝑞ℎ +𝑞𝑠 )2 difficult problem in PPT time. Then the advantage of adversary  breaking 2𝑙 . 8 X. Ding et al. Journal of Systems Architecture 160 (2025) 103368 (3) The adversary successfully forged the message 𝑚𝑠𝑔3 .  needs to on the CRT, only the industrial device that meets the authen- make { the following 𝐻 𝑎𝑠ℎ query: } tication conditions can recover the secret value 𝑘𝑑 based on ( ) ( ) ∗∥ 𝑀2 ∥∗∥∗ , 𝑀8 ∥∗∥∗∥ 𝑃 𝐼 𝐷𝑖 ∥ 𝐺𝐼 𝐷 , its own private key as well as 𝛾𝑑 to complete the subsequent ( ) . And the proba- 𝑀2 ∥ 𝑀8 ∥ 𝑀9 ∥∗∥∗∥ 𝑃 𝐼 𝐷𝑖 ∥ 𝐺𝐼 𝐷 , 𝑀10 authentication. (2𝑞ℎ +𝑞𝑠 )2 Authentication between the user and the industrial device: the bility of success in this event is denoted as: 2𝑙 . industrial device directly authenticates the user via 𝑀12 in mes- (4) The adversary successfully forged the message 𝑚𝑠𝑔4 .  needs to sage 𝑚𝑠𝑔4 , because message 𝑀12 contains the secret value 𝑇 𝑆 𝐾. make the following 𝐻 𝑎𝑠ℎ query: {( ) ( ) } similarly, the user directly authenticates the industrial device via 𝑀2 ∥∗∥∗ , 𝑀2 ∥ 𝑀11 ∥∗∥∗∥ 𝑃 𝐼 𝐷𝑖 ∥ 𝑇3 , 𝑀12 . And the prob- 𝑀16 in message 𝑚𝑠𝑔5 . (𝑞 +𝑞 )2 ( ) ability of success in this event is denoted as: ℎ 2𝑙 𝑠 . (2) Session key agreement: Session key 𝑆 𝐾 = ℎ 𝑀2 ∥ 𝑀13 ∥ 𝑀14 ∥ 𝑇 𝑆 𝐾 ∗ (5) The adversary successfully forged the message 𝑚𝑠𝑔5 .  needs to is agreement between the user and the industrial device, which make the following 𝐻 𝑎𝑠ℎ query: contains the secret values 𝑇 𝑆 𝐾 ∗ and 𝑀14 . Except for both parties {( ) ( ) } 𝑀2 ∥∗∥∗ , 𝑀2 ∥ 𝑀13 ∥ 𝑀15 ∥∗∥∗∥ 𝑇4 , 𝑀16 . And the proba- of the session, no third party can obtain the session key. (𝑞 +𝑞 )2 (3) User anonymity: Users use pseudonym 𝑃 𝐼 𝐷𝑖 = 𝐼 𝐷𝑖 ⊕ℎ(𝑟∗𝑖 ⋅𝑃 𝐾) to bility of success in this event is denoted as: ℎ 2𝑙 𝑠 . 
communicate, effectively protect their identity 𝐼 𝐷𝑖 , realize user Thus, unless  successfully forges all of the above messages, 𝐺3 is anonymity. At the same time, when the user has violated the indistinguishable from 𝐺2 , we have: law, the gateway can recover the user’s real identity 𝐼 𝐷𝑖 through ( )2 ( )2 the 𝐼 𝐷𝑖 = 𝑃 𝐼 𝐷𝑖 ⊕ ℎ(𝑠 ⋅ 𝑀2 ) to complete the tracking. Therefore, | [ ] [ ]| 2 2𝑞ℎ + 𝑞𝑠 + 3 𝑞ℎ + 𝑞𝑠 |𝑃 𝑟 𝑆 𝑢𝑐 𝑐3 − 𝑃 𝑟 𝑆 𝑢𝑐 𝑐2 | ≤ (9) the scheme in this paper guarantees the anonymity of the user | | 2𝑙 while realizing the conditional privacy protection of the user. Game 𝐺4 : In game 𝐺4 ,  tries to compute the session key 𝑆 𝐾. (4) Forward security: forward security means that the compromise Since the session key is constructed based on the ECCDH problem, the of the current system does not affect the security of previous difficulty for  to compute the session key in PPT time is equivalent to sessions. Assuming that all users’ long-term secret values are solving the ECCDH problem in PPT time.  chooses the ECCDH tuple compromised, the attacker obtains the message 𝑀2 , 𝑀13 through ( ) 𝑟𝑖 𝑃 , 𝑟𝑗 𝑃 with probability 𝑞1 , thus we have: passive attack listening, and the session key is computed as ( ) | [ ] [ ]| ℎ 𝑆 𝐾 = ℎ 𝑀2 ∥ 𝑀13 ∥ 𝑀14 ∥ 𝑇 𝑆 𝐾 ∗ . Therefore, if the adversary |𝑃 𝑟 𝑆 𝑢𝑐 𝑐4 − 𝑃 𝑟 𝑆 𝑢𝑐 𝑐3 | ≤ 𝑞ℎ ⋅ 𝐴𝑑 𝑣𝐸 𝐶 𝐶 𝐷𝐻 (𝑡) (10) | |  wants to calculate the session key 𝑆 𝐾, he still needs to know the secret value 𝑀14 , 𝑇 𝑆 𝐾 ∗ , which is never transmitted in the open Game 𝐺5 : The game 𝐺5 considers the forward security of scheme . channel. 𝑇 𝑆 𝐾 ∗ only both sides of the communication know that In this game,  can execute 𝑆 𝑒𝑛𝑑 queries as well as 𝐶 𝑜𝑟𝑟𝑢𝑝𝑡 queries to the adversary needs to solve the ECCDH problem if he wants obtain the long-term secret values stored by the user and the industrial ( ) 1 to calculate 𝑀14 through 𝑀2 , 𝑀13 , but the ECCDH problem is device. 
The probability that tuple 𝑟𝑖 𝑃 , 𝑟𝑗 𝑃 in a session is , thus (𝑞𝑠 +𝑞𝑒 )2 unsolvable in PPT time. Therefore, the proposed scheme in this we have: paper satisfies forward security. | [ ] [ ]| ( )2 |𝑃 𝑟 𝑆 𝑢𝑐 𝑐5 − 𝑃 𝑟 𝑆 𝑢𝑐 𝑐4 | ≤ 𝑞ℎ 𝑞𝑠 + 𝑞𝑒 ⋅ 𝐴𝑑 𝑣𝐸 𝐶 𝐶 𝐷𝐻 (𝑡) (11) (5) Resistance to replay attacks : In the scheme of this paper, times- | |  tamps and random numbers are used to resist replay attacks. Based on Eqs. (6)–(11), we obtained the result: Even if an adversary can intercept the communication messages 2 2 (𝑞 +𝑞 )2 𝑞 2 +2(2𝑞ℎ +𝑞𝑠 ) +3(𝑞ℎ +𝑞𝑠 ) in the open channel and replay them, the replayed messages 𝐴𝑑 𝑣 (𝑡) ≤ 𝑠 2𝑃 𝑒 + ℎ  (( )2 )2 𝑙 (12) cannot be verified due to the presence of timestamps and random +𝑞ℎ 𝑞𝑠 + 𝑞𝑒 + 1 ⋅ 𝐴𝑑 𝑣𝐸  𝐶 𝐶 𝐷𝐻 (𝑡) numbers. (6) Resistant to impersonation attack: The above proof procedure implies that after all the prediction ma- Resistance to user impersonation attack: To successfully imper- chines have been simulated,  does not gain any additional advantage sonation as a user, adversary needs to construct an authenticated to win the game. Therefore, the scheme proposed in this paper is safe { } message 𝑚𝑠𝑔1 = 𝑃 𝐼 𝐷𝑖 , 𝑇1 , 𝑀2 , 𝑀3 , 𝑀4 . The construction of under the ROR model. authentication message 𝑀4 requires a long-term session key 𝑆 𝐾𝑢𝑖 between the user and the gateway, which is unavailable 5.2. Heuristic security analysis to the adversary, and thus the adversary is not able to forge an authenticated message, so the proposed scheme is resistant to (1) Mutual authentication: In the scheme proposed in this paper, user impersonation attack. all participating entities have completed mutual authentication. 
Resistance to gateway impersonation attack: To successfully im- The details are analyzed as follows: personation as gateway, adversary needs to construct authen- Authentication between the user and the gateway: the gateway { } { tication messages 𝑚𝑠𝑔2 = 𝑇2 , 𝑀5 , 𝑀6 , 𝑀7 , 𝑚𝑠𝑔3 = 𝑇2 , 𝑀2 , accomplishes the direct authentication of the user through 𝑀4 } 𝑀8 , 𝑀8 , 𝑀10 , 𝛾𝑑 . Similar to the above, constructing authentica- in message 𝑚𝑠𝑔1 . Because message 𝑀4 contains the session key ( ) tion messages 𝑀7 , 𝑀10 requires a long term session key 𝑆 𝐾𝑢𝑖 , 𝑆 𝐾𝑢𝑖 between the gateway and user and 𝑀1 , 𝑀2 is a pair 𝑆 𝐾𝑆 𝐷𝑗 , so the adversary is unable to construct valid authentica- of plain ciphertexts constructed by the public key algorithm, tion messages, and the proposed scheme is resistant to gateway other users are unable to forge message 𝑀4 . Similarly, user impersonation attack. accomplishes direct authentication to the gateway via 𝑀7 in Resistance to industrial device impersonation attack: To success- message 𝑚𝑠𝑔2 , since message 𝑀7 also contains the session key fully impersonation as an industrial device, adversary needs to 𝑆 𝐾𝑢𝑖 and the secret value 𝑇 𝑆 𝐾 cryptographically protected by { } construct an authentication message 𝑚𝑠𝑔5 = 𝑇4 , 𝑀2 , 𝑀13 , 𝑀15 , 𝑀16 , 𝑆 𝐾𝑢𝑖 . where the construction of the authentication message 𝑀16 re- Authentication between the gateway and the industrial device: quires the secret values 𝑇 𝑆 𝐾 and 𝑇 𝑆 𝐾 ∗ . 𝑇 𝑆 𝐾 ∗ is computed the industrial device authenticates the gateway directly by from 𝑇 𝑆 𝐾, which requires secret values 𝑘𝑑 , 𝑆 𝐾𝑆 𝐷𝑗 . Therefore, means of 𝑀10 in message 𝑚𝑠𝑔3 , since message 𝑀10 contains the adversary cannot construct a valid authentication message, the session key 𝑆 𝐾𝑆 𝐷𝑗 between the gateway and the indus- and the proposed scheme is resistant to industrial device imper- trial device. The gateway indirectly authenticates the industrial sonation attacks. device through 𝛾𝑑 in the message 𝑚𝑠𝑔3 . This is because based 9 X. 
Ding et al. Journal of Systems Architecture 160 (2025) 103368 (7) Resisting privileged internal attacks: During the user registra- tion process, the user sends the registration request parame- { } ters 𝑈 𝑃 𝑊𝑖 ⊕ 𝑎, 𝐼 𝐷𝑖 to the TA, where 𝑈 𝑃 𝑊𝑖 , 𝑎𝑖 , 𝐼 𝐷𝑖 is the pseudo-password, the random number, and the user’s identity, respectively. Due to the randomness of the random number and the unidirectionality of the hash function, it is difficult for the privileged adversary inside the TA to recover the user’s real password 𝑃 𝑊𝑖 based on the registration parameters, and thus the proposed scheme in this paper can resist the privileged internal attack. (8) Resistance to man-in-the-middle attack: adversary can monitor to obtain messages 𝑚𝑠𝑔1 , 𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 , 𝑚𝑠𝑔5 transmitted in the open channel and try to spoof 𝑈𝑖 , 𝐺𝑊 , 𝑆 𝐷𝑗 by modifying these messages. However, for an adversary to generate a legit- imate message 𝑚𝑠𝑔1 , it needs to obtain a random secret value 𝑟∗𝑖 and a long-term secret value 𝑆 𝐾𝑢𝑖 . Therefore, the adversary cannot generate a legitimate message 𝑚𝑠𝑔1 . Similarly, an adver- sary cannot generate a legitimate message 𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 , 𝑚𝑠𝑔5 . Therefore, the scheme proposed in this paper is resistant to man-in-the-middle attacks. (9) Unlinkability: In the scheme proposed in this paper, the user communicates using a temporary pseudonym, and the identity information of the industrial devices is not transmitted over the public channel. All messages transmitted over the public channel are encrypted using random numbers, timestamps, or secret values. Due to the randomness of the random numbers and timestamps, an adversary cannot distinguish whether two different messages originate from the same entity. Therefore, the proposed scheme ensures unlinkability. 5.3. Verification based on scyther tool Fig. 5. Formal verification results under the tset of scyther tool. 
This section uses the protocol verification tool Scyther [40] to validate the security of the proposed scheme. Scyther is widely used for the security verification and analysis of protocols. It employs a black- simulation results Fig. 5 shows that the scheme proposed in this paper box approach, allowing users to evaluate whether the protocol meets satisfies all the above declared security features. scyther tool does not the declared security goals and properties from their perspective [41]. find any attack on this paper’s scheme under DY model. Scyther models the roles in a protocol and their message sending and receiving behaviors using the SPDL language. Scyther supports nine 6. Performance analysis common adversary models, including DY, CK, and eCK, and verifies the security of the protocol based on these models, analyzing whether the This section provides a comparative analysis of the proposed scheme protocol has any security vulnerabilities. with existing scheme [13,14,23–25], in terms of security and functional Scyther proposed a set of statements to test the security properties features, computational overhead, and communication overhead. The of a protocol, including the secret statement 𝑆 𝑒𝑐 𝑟𝑒𝑡, and several ver- compared schemes are all recently proposed AKA schemes for the IIoT ification statements 𝐴𝑙𝑖𝑣𝑒, 𝑊 𝑒𝑎𝑘𝑎𝑔 𝑟𝑒𝑒, 𝑁 𝑖𝑎𝑔 𝑟𝑒𝑒, 𝑁 𝑖𝑠𝑦𝑛𝑐 ℎ[42]. Secret or the Vehicular Networks (a specific IoT application). Among them, statements are mainly used to test the confidentiality of an identity the schemes proposed in [13,14,23,24] are designed for multi-devices or keys. Authentication statements are used to check for the presence communication scenarios with batch processing capabilities, while the of various attacks, such as replay attacks, impersonation attacks, and scheme in [25] considers the issue of gateway lightweighting in IoT en- man-in-the-middle attacks. This section analyzes the security of the vironments. 
The scheme in this paper is analysed under the standard DY (Dolev-Yao) model, which assumes that an adversary can monitor, steal, replay or even modify the information transmitted over the open channel. The Scyther verification results for the scheme are shown in Fig. 5. For the authentication and key agreement phase of the scheme, the three participants, the user, the gateway and the industrial device, are defined as the roles U_i, GW and SD_j respectively. The information sent and received by each role during the authentication and key agreement phase is modelled in the SPDL language, and the secrecy and authentication claims of each role are verified. For example, the role U_i has four secrecy claims and four authentication claims, where Key denotes the session key between U_i and SD_j, sk(U_i) denotes the private key of U_i, and k(U_i, GW) denotes the long-term key shared between U_i and GW. The authentication claims, on the other hand, verify the authentication properties that the scheme provides. According to the

In the comparison of security and functional features, the ability of each scheme to resist various protocol attacks is evaluated, including unlinkability, forward security and resistance to replay attacks. Additionally, the functional features offered by each scheme are compared, such as user anonymity, suitability for multi-device communication scenarios and gateway lightweighting. The computational and communication overhead subsections compare the computational and communication costs of each scheme in the multi-device communication scenario. These factors are essential criteria for assessing whether a scheme can be applied safely and efficiently in real-world IIoT environments.

6.1. Comparison of security and functional features

Firstly, we compare the security and functional features of the schemes; the results are shown in Table 2. Upon analysis, only the proposed scheme meets all 13 security and functional requirements. Although the scheme of Wang et al. [25] addresses the lightweight nature of the gateway, it does not consider multi-device communication scenarios and is therefore unsuitable for the IIoT environment. The other schemes [13,14,23,24], while considering multi-device communication scenarios, still present certain security and usability issues. The schemes of Vinoth et al. [24] and Ming et al. [13] lack forward security and do not consider the functional feature of malicious user tracking; additionally, the scheme of Ming et al. [13] is vulnerable to privileged insider attacks. The scheme of Cui et al. [23] fails to resist man-in-the-middle attacks and does not account for terminal device updates. The scheme of Zhang et al. [14] offers high security but does not consider the terminal device update feature, making it ineffective in scenarios where the user's accessed devices change frequently. Moreover, none of the aforementioned multi-device AKA schemes [13,14,23,24] take the lightweight nature of the gateway into account. In summary, only the proposed scheme satisfies all 13 security and functional requirements, making it more suitable for the IIoT environment where users frequently communicate with multiple industrial devices.

Table 2
Comparison of security and functional features.

Feature   [24]   [23]   [13]   [25]   [14]   Ours
SG1       ✓      ✓      ✓      ✓      ✓      ✓
SG2       ✓      ✓      ✓      ✓      ✓      ✓
SG3       ✓      ✓      ✓      ✓      ✓      ✓
SG4       N/A    ✓      N/A    N/A    ✓      ✓
SG5       ✓      ✓      ✓      ✓      ✓      ✓
SG6       ✗      ✓      ✗      ✓      ✓      ✓
SG7       ✓      ✓      ✓      ✓      ✓      ✓
SG8       ✓      ✓      ✓      ✓      ✓      ✓
SG9       ✓      ✓      ✗      ✓      ✓      ✓
SG10      ✓      ✗      ✓      ✓      ✓      ✓
SG11      ✓      N/A    ✓      ✓      N/A    ✓
SG12      ✓      ✓      ✓      N/A    ✓      ✓
SG13      N/A    N/A    N/A    ✓      N/A    ✓

SG1: mutual authentication. SG2: key agreement. SG3: user anonymity. SG4: malicious user tracking. SG5: unlinkability. SG6: forward security. SG7: resistance to replay attacks. SG8: resistance to impersonation attacks. SG9: resistance to privileged insider attacks. SG10: resistance to man-in-the-middle attacks. SG11: terminal device update. SG12: suitable for multi-device scenarios. SG13: gateway lightweighting. N/A: the functional feature is not considered.

6.2. Comparison of computation overhead

This section compares the computational overhead of the proposed scheme with the comparison schemes [13,14,23–25]. Since the registration or authorization login phase is performed only once throughout the entire process, this subsection focuses solely on the computational overhead during the authentication and key agreement phase. Additionally, considering that users in the IIoT frequently communicate with multiple industrial devices, the comparison emphasises the computational overhead in multi-device communication scenarios so as to better reflect real-world IIoT environments.

To achieve a 128-bit security level, an additive cyclic group G is constructed from an elliptic curve E: y^2 = x^3 + ax + b mod p with a generator point P of prime order q, where p and q are 256-bit primes. Experiments were conducted on a personal computer to measure the computational overhead of the cryptographic operations using the MIRACL library [43]. The experimental environment was a 12th Gen Intel(R) Core(TM) i5-1235U @ 1.30 GHz processor with 16 GB of RAM running Ubuntu 22.04. Each cryptographic operation was executed 1,000 times and the average computation time taken, thereby reducing measurement error. The average computation times are presented in Table 3, where T_ecm, T_eca, T_m, T_se, T_sd and T_h denote the computation times of point multiplication in G, point addition in G, multiplication in Z_q*, symmetric encryption (AES-CBC), symmetric decryption (AES-CBC) and a hash function evaluation, respectively. As the computational overhead of the XOR operation is negligible, it is not considered when comparing computational costs. In addition, following Wang et al. [25], the computation time of fuzzy biometric extraction is taken as T_b ≈ T_ecm.

Table 3
Computation time for cryptographic operations (milliseconds).

Operation          T_ecm    T_eca    T_m      T_se     T_sd     T_h
Computation time   0.7587   0.0048   0.0072   0.0114   0.0122   0.0015

• Computational overhead in multi-device communication scenarios

In the proposed scheme, three entities are involved during the authentication and key agreement phase: the user, the gateway and the industrial devices. When a user intends to authenticate and negotiate keys with n industrial devices, the user first sends a batch authentication request message msg1 to the gateway. Upon receiving the gateway's response (msg2, msg3), the user performs the necessary computations and broadcasts (msg3, msg4) to the n industrial devices. Up to this point the computational overhead of the user is 8T_h + 2T_ecm. Finally, in the key agreement phase, the user processes the responses msg5 from the n industrial devices to compute n distinct session keys SK, which costs 3nT_h + nT_ecm. The total computational overhead of the user during the entire authentication and key agreement process is therefore (3n+8)T_h + (n+2)T_ecm. Owing to the application of the Chinese Remainder Theorem and time-limited tokens, the gateway only needs to handle the batch authentication request from the user and does not interact directly with the industrial devices; its total computational overhead is 10T_h + T_ecm, independent of n. Each industrial device, however, must process the authentication message from the user and compute its session key independently, so in a multi-device scenario the computational overhead of the n industrial devices is (9T_h + 2T_ecm)n.
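The constant gateway cost just derived rests on the gateway packing the per-device material for all n devices into one CRT token, so that it never has to talk to the devices. The following Python walk-through is an added example of that mechanism, not the paper's token construction (whose fields are defined in its earlier sections). It assumes, for illustration only, that each device SD_j shares a long-term key k_j with the gateway at registration and is assigned a public modulus m_j above 2^256, pairwise coprime with the others, and that the gateway masks each device's share with an HMAC pad before CRT-packing it, because the CRT itself provides no confidentiality: anyone who knows m_j reads SD_j's residue with a single reduction.

```python
"""Illustrative CRT-packed batch token (added example; not the paper's token
format).  One integer X carries a share for every device in the batch, each
device recovers only its own share with one modular reduction, the token
carries an expiry, and the gateway re-packs X when the device set changes.
Assumed setup (not from the paper): device SD_j shares a long-term key k_j
with the gateway and has a public modulus m_j > 2**256, pairwise coprime."""
import hashlib
import hmac
import secrets
from functools import reduce
from math import gcd

SHARE_BITS = 256  # shares are 256-bit values, so every modulus must exceed 2**256


def crt_combine(residues, moduli):
    """Return the unique X < prod(moduli) with X ≡ r_i (mod m_i) for all i."""
    big_m = reduce(lambda a, b: a * b, moduli, 1)
    x = 0
    for r, m in zip(residues, moduli):
        m_i = big_m // m
        x += r * m_i * pow(m_i, -1, m)  # pow(a, -1, m): modular inverse (Python 3.8+)
    return x % big_m


def mask(device_key: bytes, user_id: bytes, nonce: bytes, expiry: int) -> int:
    """Per-device, per-token pad; binding it to nonce and expiry rules out pad
    reuse across tokens and re-dating of an old token."""
    msg = user_id + nonce + expiry.to_bytes(8, "big")
    return int.from_bytes(hmac.new(device_key, msg, hashlib.sha256).digest(), "big")


class Gateway:
    def __init__(self):
        self.devices = {}  # device id -> (long-term key from registration, modulus)

    def register(self, dev_id: str, key: bytes, modulus: int) -> None:
        if modulus <= 1 << SHARE_BITS:
            raise ValueError("modulus must exceed the share size")
        for _, m in self.devices.values():
            if gcd(m, modulus) != 1:
                raise ValueError("moduli must be pairwise coprime for CRT to be unique")
        self.devices[dev_id] = (key, modulus)

    def issue(self, user_id: bytes, dev_ids, now: int, lifetime_s: int, batch_secret=None):
        """Pack one batch secret for the listed devices into a single token."""
        if batch_secret is None:
            batch_secret = secrets.randbits(SHARE_BITS)
        expiry = now + lifetime_s
        nonce = secrets.token_bytes(16)
        residues, moduli = [], []
        for d in dev_ids:
            key, m = self.devices[d]
            # XOR of two 256-bit values is < 2**256 < m, hence a valid residue mod m
            residues.append(batch_secret ^ mask(key, user_id, nonce, expiry))
            moduli.append(m)
        return {"X": crt_combine(residues, moduli), "nonce": nonce, "expiry": expiry}, batch_secret


def device_unpack(token: dict, key: bytes, modulus: int, user_id: bytes, now: int) -> int:
    """Device side: check expiry, then one reduction and one HMAC."""
    if now >= token["expiry"]:
        raise ValueError("token expired")
    return (token["X"] % modulus) ^ mask(key, user_id, token["nonce"], token["expiry"])


# Pairwise coprime by construction: gcd(2**a - 1, 2**b - 1) = 2**gcd(a, b) - 1,
# so distinct prime exponents above 256 give coprime moduli larger than 2**256.
MODULI = {"SD_1": (1 << 257) - 1, "SD_2": (1 << 263) - 1, "SD_3": (1 << 269) - 1}


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario; returns the properties it should exhibit."""
    gw = Gateway()
    keys = {d: secrets.token_bytes(32) for d in MODULI}
    for d, m in MODULI.items():
        gw.register(d, keys[d], m)
    user = b"U_i"
    # 1. batch token for SD_1 and SD_2
    tok, s = gw.issue(user, ["SD_1", "SD_2"], now, lifetime_s=300)
    got_1 = device_unpack(tok, keys["SD_1"], MODULI["SD_1"], user, now + 10)
    got_2 = device_unpack(tok, keys["SD_2"], MODULI["SD_2"], user, now + 10)
    leaked = tok["X"] % MODULI["SD_1"]  # outsider knowing m_1 but not k_1
    got_3 = device_unpack(tok, keys["SD_3"], MODULI["SD_3"], user, now + 10)  # not in batch
    # 2. device set grows: re-pack with the same batch secret
    tok2, s2 = gw.issue(user, ["SD_1", "SD_2", "SD_3"], now, 300, batch_secret=s)
    got_3b = device_unpack(tok2, keys["SD_3"], MODULI["SD_3"], user, now + 10)
    # 3. device removed: a fresh secret, since SD_1 already holds the old one
    _, s3 = gw.issue(user, ["SD_2", "SD_3"], now, 300)
    # 4. expiry is enforced before unpacking
    try:
        device_unpack(tok, keys["SD_1"], MODULI["SD_1"], user, now + 301)
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {"members_agree": got_1 == s == got_2, "outsider_sees_secret": leaked == s,
            "non_member_recovers": got_3 == s, "added_member_recovers": got_3b == s2 == s,
            "fresh_secret_after_removal": s3 != s, "expired_rejected": expired_rejected}
```

Two points the operation counts above do not show: packing costs the gateway one modular inverse and one multiplication per device, cheap next to T_ecm but linear in n, so the constant gateway cost holds for the hash and point-multiplication operations that are counted; and the token length is the sum of the moduli lengths, so it grows with n just as the broadcast message does. Adding a device re-packs with the same batch secret, whereas removing one needs a fresh secret, because the removed device already holds the old one.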
The total computational overhead of the proposed scheme during the authentication and key agreement phase in the multi-device communication scenario is therefore (12n+18)T_h + (3n+3)T_ecm. The computational overheads of the other schemes in multi-device communication scenarios are presented in Table 4; the analysis method is the same as for the proposed scheme and is not repeated here.

Table 4
Computational overhead for each scheme in multi-device communication scenarios.

Scheme | User/Vehicle | Gateway/TA | n industrial devices / smart devices / CSPs | Total computational overhead
[23] | (5n+3)T_h + (n+2)T_ecm | (7n+3)T_h + (n+1)T_ecm | (7T_h + 3T_ecm)n | (19n+6)T_h + (5n+3)T_ecm
[24] | 9T_h + T_sd | 6T_h + (2n+2)T_m + 2T_se + nT_sd | (4T_h + T_se + T_sd)n | (4n+15)T_h + (2n+2)T_m + (n+2)T_se + (2n+1)T_sd
[13] | (n+7)T_h + 2T_ecm + T_m + T_se + T_sd | (2n+9)T_h + T_ecm + nT_m + 2T_se + (n+1)T_sd | (6T_h + T_m + T_se + T_sd)n | (9n+16)T_h + 3T_ecm + (2n+1)T_m + (n+3)T_se + (2n+2)T_sd
[25] | 8nT_h + 3nT_ecm + T_b | 19nT_h + nT_ecm | 4nT_h + 2nT_ecm | 31nT_h + 6nT_ecm + T_b
[14] | (5n+4)T_h + (n+2)T_ecm + T_se | (8n+2)T_h + (n+1)T_ecm + T_se | 7nT_h + 3nT_ecm | (20n+6)T_h + (5n+3)T_ecm + 2T_se
Ours | (3n+8)T_h + (n+2)T_ecm | 10T_h + T_ecm | (9T_h + 2T_ecm)n | (12n+18)T_h + (3n+3)T_ecm

User/Vehicle denotes the user (the vehicle user in vehicular networks). Gateway/TA denotes the trusted entity (gateway or trusted authority). Industrial device/Smart device/CSP denotes the industrial device, the smart device in IoT, or the cloud server in vehicular networks.

Fig. 6. Comparison of computational overhead.

As shown in Table 4, the scheme of Vinoth et al. [24], which is based on symmetric cryptography, and the scheme of Ming et al. [13], which deploys no public-key operations on the industrial devices, have a lower computational overhead than the proposed scheme and the other public-key schemes [14,23,25]. However, both suffer from significant security deficiencies. It is well known that schemes based solely on symmetric cryptography cannot provide a high level of security, and, as Wang et al. [25] point out, because these schemes deploy no public-key operations on the industrial devices they fail to provide forward security.

To compare the computational cost of the proposed scheme with the other public-key schemes [14,23,25] more clearly in the multi-device communication scenario, Fig. 6 plots the computational overhead of each entity and the total computational overhead during the authentication and key agreement phase as the number of devices increases. The results show that the total computational overhead of the proposed scheme in the multi-device scenario is lower than that of the other public-key schemes. The computational overhead at the user is close to that of the schemes in [14,23] and better than that of the scheme in [25]. The computational overhead at the industrial device is close to that of the scheme in [25] and better than that of the schemes in [14,23]. This is primarily because, to ensure forward security, at least two public-key operations must be deployed at the industrial device side. Both the proposed scheme and the scheme in [25] deploy two ECC point multiplications at the device side, while the schemes in [14,23] deploy three. Since the computational overhead of a scheme is dominated by the number of point multiplications, the device-side overhead of the proposed scheme is close to that of [25]. Similarly, because point multiplications at the device side are used to compute the session key, the proposed scheme deploys a matching number of point multiplications at the user side to ensure secure negotiation of the session key while balancing security and efficiency, which is why the user-side overhead is similar to that of [14,23]. Overall, the computational overhead at both the user and the industrial device in the proposed scheme still meets the lightweight requirement. Furthermore, owing to the Chinese Remainder Theorem and time-limited tokens, the computational overhead at the gateway remains constant regardless of the number of industrial devices the user accesses. Compared to the other schemes, the proposed scheme therefore has a significant advantage in gateway lightweighting, reducing the load on the gateway, which is otherwise the single point of failure, and is more suitable for IIoT environments where users frequently communicate with multiple devices.

Further, in practice the computational overhead of a hash operation depends on the byte length of its input, and the hash operations in the scheme have different input lengths. For instance, when computing r_i* = h(r_i ∥ SK_ui ∥ T_1), the hash input is 68 bytes long: to achieve 128-bit security the elliptic curve parameter q is 32 bytes long, the hash output is 32 bytes and the timestamp is 4 bytes. The input lengths of the other hash operations follow from the same reasoning and are not listed here.

To evaluate the computational overhead of the proposed scheme more accurately, we fully implemented it using the MIRACL library on the same platform used to time the individual cryptographic operations. We set n = 10, i.e. we measured the overhead incurred by the user, the gateway and each industrial device during batch authentication and key agreement with 10 industrial devices. The measured overhead at the user side is 8.5487 ms, at the gateway 0.7433 ms, and at each industrial device 1.4625 ms. The results show that when a user performs batch authentication and key agreement with multiple industrial devices, the overhead on the industrial devices and the gateway is lightweight. On the other hand, since the user has to negotiate a different session key with each industrial device, the user-side overhead is higher than that of the gateway and the devices. Overall, the computational overhead of the proposed scheme is acceptable for all communicating entities in the IIoT environment.

6.3. Comparison of communication overhead

This section compares the communication overhead of the proposed scheme with the comparison schemes [13,14,23–25] during the authentication and key agreement phase. To achieve 128-bit security, the elliptic curve parameter q is 32 bytes long, so elements of the group G are 64 bytes long. The output length of the hash function, the timestamp, a symmetric ciphertext and a random number are assumed to be 32, 4, 16 and 16 bytes, respectively.

The proposed scheme involves four rounds of communication during the authentication and key agreement phase, carrying msg1, (msg2, msg3), (msg3, msg4) and msg5 respectively. msg1 = {PID_i, T_1, M_2, M_3, M_4}, where PID_i, M_3 and M_4 are hash outputs, T_1 is a timestamp and M_2 is an element of G, so the communication overhead of msg1 is |msg1| = 32 + 4 + 64 + 32 + 32 = 164 bytes. Similarly, the communication overheads of msg2, msg3, msg4 and msg5 are 100, 180, 100 and 164 bytes, respectively.

In the multi-device communication scenario, owing to the Chinese Remainder Theorem and time-limited tokens, a user only needs to send three messages, msg1, msg3 and msg4, to access n industrial devices, and the gateway only needs to send two messages, msg2 and msg3, to the user. However, since each of the n industrial devices has to complete mutual authentication with the user and negotiate a distinct session key, the n devices collectively send n messages msg5. The total communication overhead of the proposed scheme during the authentication and key agreement phase in the multi-device scenario is therefore (724 + 164n) bytes. The communication overheads of the other schemes [13,14,23–25] are shown in Table 5; the analysis method is the same as for the proposed scheme and is not elaborated further here.

Table 5
Comparison of communication overheads for each scheme.

Scheme | User/Vehicle | Gateway/TA | Industrial device/Smart device/CSP | Total communication overhead | Multi-device total communication overhead
[24] | 100 bytes | 216 bytes | 52 bytes | 368 bytes | (184 + 184n) bytes
[23] | 168 bytes | 200 bytes | 300 bytes | 668 bytes | (136 + 532n) bytes
[13] | 116 bytes | 172 bytes | 52 bytes | 340 bytes | (168 + 172n) bytes
[25] | 160 bytes | 480 bytes | 96 bytes | 736 bytes | 736n bytes
[14] | 112 bytes | 164 bytes | 268 bytes | 544 bytes | (112 + 432n) bytes
Ours | 444 bytes | 280 bytes | 164 bytes | 888 bytes | (724 + 164n) bytes
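The Table 3 timings, the Table 4 operation counts and the Table 5 message sizes can be combined into a small cost model. The following Python module is an added example, not the authors' code: it encodes the three tables as (constant, coefficient of n) pairs, so the Fig. 6 curves, the multi-device communication totals and the gap between the analytic counts and the measured n = 10 run reported in this section can all be recomputed. The only assumption beyond the tables is the one the text makes, T_b ≈ T_ecm; the measured values are quoted from this section.

```python
"""Cost model for the comparison in this section (added example, not the
authors' code).  Operation counts (Table 4) and message sizes (Table 5) are
stored as (constant, coefficient of n) and evaluated with the Table 3 timings."""

# Table 3: average time per operation in milliseconds; T_b ≈ T_ecm as in the text
T_MS = {"T_h": 0.0015, "T_ecm": 0.7587, "T_eca": 0.0048,
        "T_m": 0.0072, "T_se": 0.0114, "T_sd": 0.0122}
T_MS["T_b"] = T_MS["T_ecm"]

# Table 4: per-entity operation counts as {op: (constant, coefficient of n)};
# the "devices" entry is the total over all n devices.
COMPUTE = {
    "[23]": {"user":    {"T_h": (3, 5), "T_ecm": (2, 1)},
             "gateway": {"T_h": (3, 7), "T_ecm": (1, 1)},
             "devices": {"T_h": (0, 7), "T_ecm": (0, 3)}},
    "[24]": {"user":    {"T_h": (9, 0), "T_sd": (1, 0)},
             "gateway": {"T_h": (6, 0), "T_m": (2, 2), "T_se": (2, 0), "T_sd": (0, 1)},
             "devices": {"T_h": (0, 4), "T_se": (0, 1), "T_sd": (0, 1)}},
    "[13]": {"user":    {"T_h": (7, 1), "T_ecm": (2, 0), "T_m": (1, 0), "T_se": (1, 0), "T_sd": (1, 0)},
             "gateway": {"T_h": (9, 2), "T_ecm": (1, 0), "T_m": (0, 1), "T_se": (2, 0), "T_sd": (1, 1)},
             "devices": {"T_h": (0, 6), "T_m": (0, 1), "T_se": (0, 1), "T_sd": (0, 1)}},
    "[25]": {"user":    {"T_h": (0, 8), "T_ecm": (0, 3), "T_b": (1, 0)},
             "gateway": {"T_h": (0, 19), "T_ecm": (0, 1)},
             "devices": {"T_h": (0, 4), "T_ecm": (0, 2)}},
    "[14]": {"user":    {"T_h": (4, 5), "T_ecm": (2, 1), "T_se": (1, 0)},
             "gateway": {"T_h": (2, 8), "T_ecm": (1, 1), "T_se": (1, 0)},
             "devices": {"T_h": (0, 7), "T_ecm": (0, 3)}},
    "ours": {"user":    {"T_h": (8, 3), "T_ecm": (2, 1)},
             "gateway": {"T_h": (10, 0), "T_ecm": (1, 0)},
             "devices": {"T_h": (0, 9), "T_ecm": (0, 2)}},
}

# Table 5: multi-device total communication overhead in bytes
COMM = {"[24]": (184, 184), "[23]": (136, 532), "[13]": (168, 172),
        "[25]": (0, 736), "[14]": (112, 432), "ours": (724, 164)}

ECC_SCHEMES = ("[23]", "[25]", "[14]", "ours")  # [24] and [13] use no ECC on devices


def entity_ms(scheme: str, entity: str, n: int) -> float:
    return sum((c + k * n) * T_MS[op] for op, (c, k) in COMPUTE[scheme][entity].items())


def total_ms(scheme: str, n: int) -> float:
    return sum(entity_ms(scheme, e, n) for e in ("user", "gateway", "devices"))


def per_device_ms(scheme: str, n: int) -> float:
    return entity_ms(scheme, "devices", n) / n


def comm_bytes(scheme: str, n: int) -> int:
    c, k = COMM[scheme]
    return c + k * n


def comm_kib(scheme: str, n: int) -> float:
    return comm_bytes(scheme, n) / 1024


def comm_crossover(a: str, b: str, n_max: int = 10_000):
    """Smallest n at which scheme a sends fewer bytes than scheme b, or None."""
    return next((n for n in range(1, n_max + 1) if comm_bytes(a, n) < comm_bytes(b, n)), None)


def cheapest_ecc_scheme(n: int) -> str:
    return min(ECC_SCHEMES, key=lambda s: total_ms(s, n))


def fig6_table(ns=(1, 5, 10, 20, 50)) -> dict:
    """Total milliseconds per scheme for each n, i.e. the data behind Fig. 6."""
    return {n: {s: round(total_ms(s, n), 4) for s in COMPUTE} for n in ns}


# Measured values reported in this section for n = 10 on the i5-1235U platform
MEASURED_MS_N10 = {"user": 8.5487, "gateway": 0.7433, "per_device": 1.4625}


def model_vs_measured(n: int = 10) -> dict:
    """Ratio of the analytic count (Table 3 timings) to the measured run."""
    model = {"user": entity_ms("ours", "user", n),
             "gateway": entity_ms("ours", "gateway", n),
             "per_device": per_device_ms("ours", n)}
    return {k: round(model[k] / MEASURED_MS_N10[k], 3) for k in model}


if __name__ == "__main__":
    for n, row in fig6_table().items():
        print(n, row)
    print({s: round(comm_kib(s, 50), 2) for s in COMM})
    print("bytes: ours below [13] from n =", comm_crossover("ours", "[13]"))
    print(model_vs_measured())
```

The model confirms the two claims the text makes for computation: the proposed scheme has the lowest total among the ECC schemes for every n, and the analytic counts over-estimate the measured n = 10 run by only 4 to 7 percent, as expected when the per-operation averages include hashes of inputs shorter than 68 bytes. For communication it shows where the advantage lies: the (724 + 164n) total falls below [23] and [25] from n = 2 and below [14] from n = 3, but the symmetric-only scheme [13] sends fewer bytes until n = 70, so the gain is in the per-device slope, not the constant term.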
To provide a clear comparison of the communication overheads of the schemes in the multi-device scenario, we evaluate the Table 5 expressions at n = 50 and express the totals in KiB. The resulting communication overheads are 35.94 KiB for [25], 26.11 KiB for [23], 9.12 KiB for [24] (the Table 5 expression evaluates to 9.16 KiB), 8.56 KiB for [13] and 21.20 KiB for [14]. In comparison, the communication overhead of the proposed scheme in this scenario is 8.71 KiB. The proposed scheme thus has a communication overhead comparable to that of the two schemes that deploy no public-key operations on the devices [13,24] and well below that of the other public-key schemes [14,23,25], making it suitable for real-world IIoT environments.

7. Conclusion

This paper proposes a batch AKA scheme for the IIoT environment based on elliptic curve cryptography combined with the Chinese Remainder Theorem and the concept of time-limited tokens. The scheme enables batch authentication between a user and multiple industrial devices and establishes a distinct session key with each device for secure subsequent communication. It satisfies the lightweight requirements for the gateway and for all entities, making it suitable for resource-constrained IIoT environments. The security of the proposed scheme is demonstrated through formal proofs, heuristic analysis and verification with the Scyther tool. Performance analysis indicates that, compared to existing schemes, the proposed scheme meets all specified security requirements, has a lower computational overhead than the compared public-key schemes and a communication overhead comparable to the lowest of them, and shows a significant advantage in lightweight operation at the gateway node.

CRediT authorship contribution statement

Xiaohui Ding: Writing – review & editing, Writing – original draft, Formal analysis. Jian Wang: Writing – review & editing, Formal analysis. Yongxuan Zhao: Writing – review & editing. Zhiqiang Zhang: Writing – review & editing.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability

Data will be made available on request.

References

[1] S. Li, L.D. Xu, S. Zhao, The Internet of Things: a survey, Inf. Syst. Front. 17 (2015) 243–259.
[2] I. Zhou, I. Makhdoom, N. Shariati, M.A. Raza, R. Keshavarz, J. Lipman, M. Abolhasan, A. Jamalipour, Internet of Things 2.0: Concepts, applications, and future directions, IEEE Access 9 (2021) 70961–71012.
[3] S.H. Shah, I. Yaqoob, A survey: Internet of Things (IOT) technologies, applications and challenges, in: 2016 IEEE Smart Energy Grid Engineering, SEGE, IEEE, 2016, pp. 381–385.
[4] M.S. Azhdari, A. Barati, H. Barati, A cluster-based routing method with authentication capability in vehicular Ad Hoc networks (VANETs), J. Parallel Distrib. Comput. 169 (2022) 1–23.
[5] E. Sisinni, A. Saifullah, S. Han, U. Jennehag, M. Gidlund, Industrial Internet of Things: Challenges, opportunities, and directions, IEEE Trans. Ind. Inform. 14 (11) (2018) 4724–4734.
[6] P.K. Malik, R. Sharma, R. Singh, A. Gehlot, S.C. Satapathy, W.S. Alnumay, D. Pelusi, U. Ghosh, J. Nayak, Industrial Internet of Things and its applications in industry 4.0: State of the art, Comput. Commun. 166 (2021) 125–139.
[7] W.Z. Khan, M. Rehman, H.M. Zangoti, M.K. Afzal, N. Armi, K. Salah, Industrial Internet of Things: Recent advances, enabling technologies and open challenges, Comput. Electr. Eng. 81 (2020) 106522.
[8] A.G. Mirsaraei, A. Barati, H. Barati, A secure three-factor authentication scheme for IoT environments, J. Parallel Distrib. Comput. 169 (2022) 87–105.
[9] L. Khajehzadeh, H. Barati, A. Barati, A lightweight authentication and authorization method in IoT-based medical care, Multimedia Tools Appl. (2024) 1–40.
[10] Y. Chen, F. Yin, S. Hu, L. Sun, Y. Li, B. Xing, L. Chen, B. Guo, ECC-based authenticated key agreement protocol for industrial control system, IEEE Internet Things J. 10 (6) (2022) 4688–4697.
[11] X. Li, J. Niu, M.Z.A. Bhuiyan, F. Wu, M. Karuppiah, S. Kumari, A robust ECC-based provable secure authentication protocol with privacy preserving for industrial Internet of Things, IEEE Trans. Ind. Inform. 14 (8) (2017) 3599–3609.
[12] J. Srinivas, A.K. Das, M. Wazid, A.V. Vasilakos, Designing secure user authentication protocol for big data collection in IoT-based intelligent transportation system, IEEE Internet Things J. 8 (9) (2020) 7727–7744.
[13] Y. Ming, P. Yang, H. Mahdikhani, R. Lu, A secure one-to-many authentication and key agreement scheme for industrial IoT, IEEE Syst. J. (2022).
[14] J. Zhang, H. Zhong, J. Cui, Y. Xu, L. Liu, SMAKA: Secure many-to-many authentication and key agreement scheme for vehicular networks, IEEE Trans. Inf. Forensics Secur. 16 (2020) 1810–1824.
[15] S. Mandal, S. Mohanty, B. Majhi, CL-AGKA: Certificateless authenticated group key agreement protocol for mobile networks, Wirel. Netw. 26 (4) (2020) 3011–3031.
[16] P. Xu, H. Wu, X. Tao, C. Wang, D. Chen, G. Nan, Anti-quantum certificateless group authentication for massive accessing IoT devices, IEEE Internet Things J. (2024).
[17] S. Wu, C. Hsu, Z. Xia, J. Zhang, D. Wu, Symmetric-bivariate-polynomial-based lightweight authenticated group key agreement for industrial Internet of Things, J. Internet Technol. 21 (7) (2020) 1969–1979.
[18] M. Zhang, J. Zhou, G. Zhang, M. Zou, M. Chen, EC-BAAS: Elliptic curve-based batch anonymous authentication scheme for Internet of Vehicles, J. Syst. Archit. 117 (2021) 102161.
[19] C. Pu, K.-K.R. Choo, A lightweight aggregate authentication protocol for Internet of Drones, in: 2024 IEEE 21st Consumer Communications & Networking Conference, CCNC, IEEE, 2024, pp. 143–151.
[20] W. Mao, P. Jiang, L. Zhu, Locally verifiable batch authentication in IoMT, IEEE Trans. Inf. Forensics Secur. (2023).
[21] H. Shen, T. Wang, J. Chen, Y. Tao, F. Chen, Blockchain-based batch authentication scheme for Internet of Vehicles, IEEE Trans. Veh. Technol. (2024).
[22] C. Maurya, V.K. Chaurasiya, Efficient anonymous batch authentication scheme with conditional privacy in the Internet of Vehicles (IoV) applications, IEEE Trans. Intell. Transp. Syst. 24 (9) (2023) 9670–9683.
[23] J. Cui, X. Zhang, H. Zhong, J. Zhang, L. Liu, Extensible conditional privacy protection authentication scheme for secure vehicular networks in a multi-cloud environment, IEEE Trans. Inf. Forensics Secur. 15 (2019) 1654–1667.
[24] R. Vinoth, L.J. Deborah, P. Vijayakumar, N. Kumar, Secure multifactor authenticated key agreement scheme for industrial IoT, IEEE Internet Things J. 8 (5) (2020) 3801–3811.
[25] C. Wang, D. Wang, Y. Duan, X. Tao, Secure and lightweight user authentication scheme for cloud-assisted Internet of Things, IEEE Trans. Inf. Forensics Secur. (2023).
[26] M.L. Das, Two-factor user authentication in wireless sensor networks, IEEE Trans. Wirel. Commun. 8 (3) (2009) 1086–1090.
[27] A. Barati, A. Movaghar, M. Sabaei, RDTP: Reliable data transport protocol in wireless sensor networks, Telecommun. Syst. 62 (2016) 611–623.
[28] P. Alimoradi, A. Barati, H. Barati, A hierarchical key management and authentication method for wireless sensor networks, Int. J. Commun. Syst. 35 (6) (2022) e5076.
[29] S.A. Khah, A. Barati, H. Barati, A dynamic and multi-level key management method in wireless sensor networks (WSNs), Comput. Netw. 236 (2023) 109997.
[30] C.-G. Ma, D. Wang, S.-D. Zhao, Security flaws in two improved remote user authentication schemes using smart cards, Int. J. Commun. Syst. 27 (10) (2014) 2215–2227.
[31] V.S. Miller, Use of elliptic curves in cryptography, in: Conference on the Theory and Application of Cryptographic Techniques, Springer, 1985, pp. 417–426.
[32] N. Koblitz, Elliptic curve cryptosystems, Math. Comp. 48 (177) (1987) 203–209.
[33] W. Diffie, M.E. Hellman, New directions in cryptography, in: Democratizing Cryptography: The Work of Whitfield Diffie and Martin Hellman, 2022, pp. 365–390.
[34] J. Zhang, J. Cui, H. Zhong, Z. Chen, L. Liu, PA-CRT: Chinese remainder theorem based conditional privacy-preserving authentication scheme in vehicular Ad-Hoc networks, IEEE Trans. Dependable Secur. Comput. 18 (2) (2019) 722–735.
[35] D. Dolev, A. Yao, On the security of public key protocols, IEEE Trans. Inform. Theory 29 (2) (1983) 198–208.
[36] B. Authentication, EAP-DDBA: Efficient anonymity proximity device discovery and batch authentication mechanism for massive D2D communication devices in 3GPP 5G HetNet, 2020.
[37] M. Abdalla, P.-A. Fouque, D. Pointcheval, Password-based authenticated key exchange in the three-party setting, in: Public Key Cryptography-PKC 2005: 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, January 23-26, 2005. Proceedings 8, Springer, 2005, pp. 65–84.
[38] C.-C. Chang, H.-D. Le, A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks, IEEE Trans. Wirel. Commun. 15 (1) (2015) 357–366.
[39] D. Wang, H. Cheng, P. Wang, X. Huang, G. Jian, Zipf's law in passwords, IEEE Trans. Inf. Forensics Secur. 12 (11) (2017) 2776–2791.
[40] C. Cremers, The Scyther Tool, University of Oxford, Department of Computer Science, 2024, http://www.cs.ox.ac.uk/people/cas.cremers/scyther. (Accessed 08 Sep 2024).
[41] J. Cao, M. Ma, Y. Fu, H. Li, Y. Zhang, CPPHA: Capability-based privacy-protection handover authentication mechanism for SDN-based 5G HetNets, IEEE Trans. Dependable Secur. Comput. 18 (3) (2019) 1182–1195.
[42] C. Lai, Y. Ma, R. Lu, Y. Zhang, D. Zheng, A novel authentication scheme supporting multiple user access for 5G and beyond, IEEE Trans. Dependable Secur. Comput. (2022).
[43] Miracl, MIRACL core, 2024, https://github.com/miracl/core. (Accessed 08 Sep 2024).

Xiaohui Ding is currently working toward the Ph.D. degree at the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China. His research interests include applied cryptography, IIoT security, and authentication and key agreement protocols.

Jian Wang received his M.S. degree in engineering from Southeast University, Nanjing, China, in 1992, and his Ph.D. degree from Nanjing University in 1998. He was a postdoc at Tokyo University from 2000 to 2002. He is currently a Professor at the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics. His research interests include applied cryptography, cryptographic protocols and malicious tracking. He has published more than 60 papers in international journals and conferences.

Yongxuan Zhao received his Master's degree in Management from Beijing Institute of Technology, Beijing, China, in 2013. He is currently a researcher and director of the Information Technology Research Center of China Academy of Aero-Engine Research. His research interests include information technology, industrial digital transformation and IIoT security.

Zhiqiang Zhang is currently working toward the Ph.D. degree at the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China. His research interests include public key cryptography and privacy-preserving protocols.