coleleavitt/opaque-lattice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9be4bcaf7de35dcfb92a3e2195183b7a488ef6ad
opaque-lattice/papers_txt/Lightweight-batch-authentication-and-key-agreement_2025_Journal-of-Systems-A.txt
Cole Leavitt dfa968ec7d initial
2026-01-06 12:49:26 -07:00

1174 lines
142 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
Journal of Systems Architecture 160 (2025) 103368
Contents lists available at ScienceDirect
Journal of Systems Architecture
journal homepage: www.elsevier.com/locate/sysarc
Lightweight batch authentication and key agreement scheme for IIoT
gateways
Xiaohui Ding a ,, Jian Wang a , Yongxuan Zhao b , Zhiqiang Zhang a
a
College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, 211106, China
b
Information Technology Research Center, China Academy of Aero-Engine Research, Beijing, 101304, China
ARTICLE INFO ABSTRACT
Keywords: Existing authentication and key agreement (AKA) schemes face two primary challenges in IIoT, where users
Industrial internet of things dynamically communicate with multiple industrial devices. The first is significant computational and com-
Batch authentication and key agreement munication overhead, along with security vulnerabilities. Another is inability to achieve gateway lightweight
Gateway lightweight
solutions. To address these issues, this paper proposes a gateway lightweight batch AKA scheme based on
elliptic curve cryptography for IIoT. When users access multiple industrial devices, they only need to send
a batch authentication request to the gateway. Based on this request, the gateway generates a time-limited
token combining Chinese Remainder Theorem (CRT), enabling users to efficiently complete AKA with multiple
devices in batch manner. Furthermore, the application of the CRT allows the gateway to efficiently update the
time-limited token when the users accessed devices change. Finally, due to the use of the time-limited token,
the entire scheme process requires only one round of interaction between the gateway and the user, ensuring
a lightweight nature of the gateway. The security of the proposed scheme is proved through formal security
proofs, heuristic analysis, and scyther tools. Performance analysis shows that, compared to the compared
schemes, the proposed scheme meets all listed security requirements with the lower computational and
communication overheads.
1. Introduction to retrieve data or directly control them. In practice, for a given in-
dustrial production task, users need to interact with multiple industrial
In recent years, advances in computer technology and wireless sen- devices, and the devices that need to be accessed or controlled will
sor networks have fueled the rapid development of Internet of Things change in real-time as the task progresses. Therefore, to achieve more
(IoT) technology. IoT is a self-organizing network of interconnected intelligent and efficient task completion, IIoT communication scenarios
devices that can interact without human intervention [1]. IoT terminal
exhibit two typical characteristics: first, users need to interact with
devices generate vast amounts of valuable data in real-time, positioning
multiple industrial devices; second, the industrial devices that users
IoT as the third wave of global informatization following the advent
need to access frequently change.
of computers and the Internet [2]. With the development of emerging
communication technologies such as 5G, the demand for IoT applica- In the IIoT, users interact with industrial devices, often requiring
tions continues to grow. It is estimated that by 2030, the number of the transmission of communication information over open channels,
IoT devices will exceed 100 billion [3]. IoT has been widely applied which introduces significant security risks. To ensure security, many
in smart agriculture, autonomous driving, smart healthcare, and in- researchers have proposed AKA schemes tailored for the IoT domain,
dustrial sectors, etc [4]. In the industrial field, it is referred to as the aimed at authentication the legitimacy of the identities of commu-
IIoT, industry 4.0, etc [5,6]. IIoT drives traditional industries toward nication entities and negotiating session keys to secure subsequent
intelligent and informatized development, enabling remote monitoring communications [812]. However, these schemes primarily focus on
and automatic control of industrial production, which significantly authentication and key agreement between single user and single de-
enhances production efficiency [7].
vice, resulting in one-to-one AKA schemes. If such schemes were to be
Fig. 1 illustrates a typical IIoT system model, which involves three
applied in the IIoT, users would need to repeatedly execute the scheme
main entities: users, gateways, and industrial devices. After being au-
to complete authentication and key agreement with multiple industrial
thenticated by the gateway, users can remotely access industrial devices
Corresponding author.
E-mail address: dingxiaohui@nuaa.edu.cn (X. Ding).
https://doi.org/10.1016/j.sysarc.2025.103368
Received 9 September 2024; Received in revised form 26 December 2024; Accepted 6 February 2025
Available online 15 February 2025
1383-7621/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
updates. While batch processing offers greater flexibility, most schemes
primarily focus on batch identity or message authentication, failing to
achieve simultaneous batch authentication and key agreement. Some
AKA schemes with batch processing attributes for multi-terminal device
communication face security issues and potential single points of failure
in gateways. To the best of our knowledge, no existing scheme consid-
ers achieving batch authentication and key agreement between users
and multiple industrial devices while ensuring the lightweight nature
of the gateway.
In summary, it is necessary to design an AKA scheme that is bet-
ter suited to the unique communication scenarios of the IIoT. Such
a scheme should efficiently enable users to authenticate with and
establish session keys for multiple industrial devices, while also accom-
Fig. 1. IIOT system architecture.
modating minimal overhead when the industrial devices that a user
wishes to access changes. Additionally, the proposed scheme should
ensure the lightweight design of the gateway to prevent it from be-
coming a performance bottleneck for the entire system. Based on these
devices. This would lead to significant computational and communica-
requirements, this paper proposes a gateway lightweight batch AKA
tion overhead, making them unsuitable for resource-constrained IIoT
scheme for IIoT environments. The main contributions of this paper
environments [13,14].
are as follows:
To make the schemes more suitable for scenarios involving commu-
nication between users and multiple devices, researchers have proposed (1) Batch Authentication and Key Agreement: Based on ellip-
group-based AKA schemes [1517], batch authentication schemes [18 tic curve cryptography combined with the Chinese Remainder
22], and AKA schemes designed specifically for multi-device commu- Theorem and the concept of time-limited tokens, this paper
nication [13,14,23,24]. However, group-based AKA schemes require presents a batch AKA scheme. This scheme allows users to in-
all devices in the group to share a common group key, which makes dependently select and authenticate multiple industrial devices
them vulnerable to impersonation attacks by malicious devices. More- in batches. Users only need to send a single batch authentication
over, when the set of industrial devices accessed by the user changes, request to the gateway. In response, the gateway generates time-
group AKA schemes face challenges with group membership updates limited tokens using the Chinese Remainder Theorem. With the
and group key renewal. Compared to group schemes, batch schemes tokens, users can efficiently perform mutual authentication with
offer greater flexibility, allowing users to independently select multiple multiple industrial devices and negotiate different session keys
devices for batch authentication. However, most existing batch schemes with each device. This approach effectively addresses the high
focus only on batch message authentication [1820] and identity veri- computational and communication overhead associated with
fication [21,22], without considering the simultaneous implementation traditional one-to-one AKA schemes and mitigates the risk of
of batch authentication and key agreement. In recent years, researchers impersonation attacks due to shared group keys in group AKA
have proposed several AKA schemes with batch processing attributes schemes.
for multi-device communication environments [13,14,23,24]. These (2) Efficient Token Update: Due to the use of the Chinese Remain-
schemes enable users to efficiently complete authentication and key der Theorem, the gateway can efficiently update time-limited
agreement with multiple terminal devices simultaneously. However, tokens when the industrial devices that the user needs to access
the schemes presented in the [13,23,24] exhibit notable deficiencies change, thereby avoiding the challenges of group updates and
in resisting impersonation attacks and ensuring forward security. group key renewal encountered in group AKA schemes.
Zhang et al. [14] proposes a many-to many AKA scheme for ve- (3) Gateway Lightweight: Due to the use of time-limited tokens, in
hicular networks, allowing users to efficiently complete authentication the batch authentication and key negotiation process, gateway
with multiple cloud servers and negotiate different session keys for only needs to interact with user in one round to assist user
each. This scheme offers a high level of security. However, analysis complete the authentication and key agreement with multi-
reveals that the cost of implementing batch authentication and key ple industrial devices, without any direct interaction between
agreement between users and cloud servers is a significant compu- the gateway and the industrial devices, thereby ensuring the
tational and communication overhead borne by the trusted center, lightweight nature of the gateway. Furthermore, the scheme
which raises concerns about potential single points of failure. Although does not involve computationally intensive operations such as
existing schemes consider lightweight construction to accommodate the bilinear pairings, ensuring that the computational and commu-
resource-constrained IIoT environment, most of them focus primarily nication overhead for both users and industrial devices remains
on minimizing the computational load for users or end devices, with lightweight.
little attention given to the lightweight design of the gateway itself. (4) Security and Performance Analysis : The security of the pro-
In an IIoT system, the gateway is connected to a large number of posed scheme is demonstrated through formal security proofs,
industrial devices and must assist users in completing authentication heuristic analysis, and Scyther tools. Performance analysis shows
and key agreement with multiple devices. Therefore, the efficiency of that, compared to existing schemes, the proposed scheme meets
the gateway node directly affects the overall performance of the AKA all listed security requirements with the lower computational
schemes, making it crucial to consider the lightweight design of the and communication overheads and provides a significant advan-
gateway [25]. tage in terms of the lightweight nature of the gateway node.
Problem Statement: Existing AKA schemes are ineffective for com- The remainder of this paper is organized as follows: Section 2
munication scenarios in the IIoT, where users dynamically interact with reviews the related work. Section 3 presents the preliminaries and
multiple industrial devices. Traditional one-to-one AKA schemes face system model. Section 4 describes the detailed construction of the
significant computational and communication overhead issues. Group- proposed scheme. Section 5 provides the security proof and analysis of
based AKA schemes have security vulnerabilities, such as being unable the proposed scheme. A performance comparison between the proposed
to prevent impersonation attacks by malicious group devices, and they scheme and related schemes is presented in Section 6. Finally, Section 7
also encounter challenges related to group updates and group key concludes the paper.
2
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
2. Related work drones. Shen et al. [21] proposed a batch authentication scheme in
the vehicular network based on blockchain technology. In this scheme,
Existing AKA schemes focus on one-to-one AKA schemes for commu- a proxy vehicle selection algorithm is utilized to select proxy vehicles
nication between users and single terminal devices, as well as group responsible for batch authenticating vehicles within a designated area.
AKA schemes and batch processing schemes for communication with This effectively alleviates the authentication load when a large number
multiple terminal devices. of vehicles simultaneously connect to the same RSU. Additionally, the
In 2009, DAS et al. [26] first proposed a lightweight two-factor scheme employs a certificate-free mechanism and identity-based prefix
authentication scheme for wireless sensor networks (WSNs, a critical encryption algorithms to achieve efficient batch authentication and
component of IIoT), In their scheme, users authenticate themselves protect the identity privacy of proxy vehicles. However, the aforemen-
by entering a personal password and using a smart card. However, tioned schemes, as well as most existing batch processing schemes,
since the scheme relies solely on hash functions for security, it is primarily focus on batch message authentication [18,20] or batch
unable to effectively resist various attacks, such as denial-of-service identity authentication [22], failing to achieve simultaneous batch
(DoS) attacks. Consequently, several authentication or key management authentication and key agreement.
schemes for WSN communication have been proposed [2729]. With Recently, some AKA schemes with batch processing capabilities
the development of IoT technology, and in order to balance secu- have been proposed for multi-terminal communication scenarios [13,
rity and lightweight requirements, several ECC-based AKA schemes 14,23,24], but these schemes also have limitations in terms of ap-
for the IIoT have been proposed [1012]. Li et al. [11] designed a plicability and security. Cui et al. [23] proposed a scalable condi-
privacy-preserving AKA scheme for the IIoT based on elliptic curve tional privacy-preserving authentication scheme for multi-cloud envi-
cryptography. Since the user and the gateway do not store the same ronments, which is suitable for multi-terminal settings and demon-
secret value, the scheme is resistant to desynchronization attacks. strates high efficiency. However, analysis reveals that the session key
However, further analysis reveals that the session key generation in generation process in their scheme includes the identity information
this scheme does not involve long-term secret values, rendering it of the cloud server, allowing authenticated users to obtain the servers
vulnerable to ephemeral secret leakage attacks. Similarly, the user au- real identity. As a result, their scheme cannot effectively resist im-
thentication protocol proposed by Srinivas et al. [12] for the IoT-based personation attacks or man-in-the-middle attacks. Vinoth et al. [24]
intelligent transportation systems fails to effectively resist privileged utilized the Chinese Remainder Theorem and symmetric cryptography
insider attacks. In 2022, Chen et al. [10] proposed an ECC-based AKA to achieve authentication and key agreement between users and multi-
scheme for industrial control systems, which can resist most protocol ple IIoT devices. However, in their scheme, the session keys negotiated
attacks. However, further analysis reveals that the scheme lacks essen- between the user and multiple devices are identical, allowing devices to
tial properties such as malicious user traceability and terminal device impersonate each other, which presents a significant security vulnera-
update capabilities. Moreover, all of the aforementioned schemes are bility. Yang et al. [13] also constructed a one-to-many AKA scheme for
designed for one-to-one environments. Given the presence of a large the IIoT based on the Chinese Remainder Theorem, addressing the issue
number of industrial devices in the IIoT, deploying these schemes could in Vinoth et al. [24] scheme where the session keys between the user
result in excessive computational and communication overheads as well and multiple devices were identical. However, further analysis reveals
as single points of failure. Therefore, these schemes are not suitable for that both Yang et al. [13] and Vinoth et al. [24] lack forward security.
real-world IIoT communication environments. According to the work of Wang et al. [25] and Ma et al. [30], to achieve
To make AKA schemes more suitable for multi-device commu- forward security, a scheme must perform at least two public key cryp-
nication scenarios, several group AKA schemes [1517] have been tographic operations on the device side. Since neither Yang et al. [13]
proposed in recent years. Mandal et al. [15] introduced a certificateless nor Vinoth et al. [24] schemes deploy public key operations on the
authenticated group key agreement protocol based on elliptic curve industrial devices, they fail to meet the forward security requirement.
cryptography, which ensures the non-repudiation of communication Zhang et al. [14] proposed a secure and efficient many-to-many
messages between senders and receivers, and establishes a group key AKA scheme for vehicular networks. The scheme allows vehicle users
for subsequent communication. To enhance practicality, the protocol to perform batch authentication and key agreement with multiple
also supports the dynamic addition and revocation of group members cloud servers, while resisting various known protocol attacks. However,
and considers the forward security of the session key. Xu et al. [16] de- further analysis reveals that the efficiency of the batch authentication
signed a quantum-resistant identity-based group authentication scheme and key agreement comes at the cost of significant computational and
for IoT environments with concurrent access by numerous devices. communication overhead for the trusted center (which is equivalent
The scheme is constructed using lattice-based aggregate signature al- to the gateway in an IIoT environment). Most existing schemes, when
gorithms and identity-based encryption algorithms, achieving quantum designed, focus primarily on minimizing the computational overhead
security while facilitating group authentication for multiple devices, for users and end devices, with little attention given to the lightweight
and effectively addressing the issues related to certificate management. nature of the gateway. In 2023, Wang et al. [25] proposed a lightweight
Wu et al. [17] proposed a lightweight group AKA protocol for the user authentication scheme for cloud-assisted IoT environments. The
IIoT environment, based on symmetric bivariate polynomials, which scheme achieves gateway lightweighting by offloading most of the
achieves both authentication and group session key agreement. Com- computational and communication burdens from the gateway to the
pared to previous group AKA protocols, their scheme is more efficient. cloud server. However, it requires the cloud server to be fully trusted
Although group AKA schemes are more suitable for multi-device com- during the authentication and key agreement process, which introduces
munication scenarios compared to one-to-one AKA schemes, they face an overly strong security assumption. Moreover, the scheme does not
challenges in updating group keys when the industrial devices accessed consider adaptation to multi-device application environments, making
by the user frequently change. Additionally, since all group devices it unsuitable for scenarios involving frequent communication between
share the same group key, these schemes cannot effectively prevent users and multiple industrial devices in IIoT environments.
impersonation attacks by malicious devices. In summary, existing schemes applied in IIoT environments, where
The batch mode is more flexible than the group mode and is better users dynamically communicate with multiple industrial devices, en-
suited for real-world communication scenarios in the IIoT. Pu et al. [19] counter issues related to usability, security, and the lightweight nature
proposed a lightweight message aggregation authentication protocol for of gateways. Regarding usability, traditional one-to-one AKA schemes
drone networks, which is constructed using pairing-based cryptography suffer from excessive computational and communication overhead,
and physically unclonable functions. This protocol enables secure and while group AKA schemes face complexities related to group up-
efficient data transmission between a base station and a group of dates and group key updates. Moreover, batch identity authentication
3
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
and batch message authentication schemes fail to achieve simulta-
neous batch authentication and key agreement. In terms of security,
both group AKA schemes and existing batch processing attribute AKA
schemes designed for multi-terminal communication scenarios exhibit
deficiencies in critical security attributes such as resistance to imper-
sonation attacks and forward security. Furthermore, existing schemes
rarely consider the lightweight requirements for gateway.
In conclusion, existing schemes fail to achieve batch authentication
and key agreement between users and multiple industrial devices while
ensuring the lightweight nature of the gateway. In the IIoT, ensuring
secure and efficient communication between users and multiple de-
vices, as well as avoiding single points of failure in gateway, are critical
issues that require urgent solutions. Therefore, it is essential to propose
a gateway lightweight batch AKA scheme suitable for the IIoT.
3. Preliminary, system model, threat model and security objec-
tives
This section first introduces the fundamental concepts required for
constructing the proposed scheme. Then, the system model and security
objectives of the proposed scheme are presented.
3.1. Preliminary
Elliptic Curve Cryptosystems: elliptic curve cryptosystems were
first proposed by miller [31] and koblite [32] et al. Given a large prime
𝑝 and a finite field F𝑝 , choose a parameter 𝑎, 𝑏 ∈ F𝑝 to generate an
elliptic curve 𝐸 𝑦2 = 𝑥3 + 𝑎𝑥 + 𝑏𝑚𝑜𝑑 𝑝 based on F𝑝 . Let 𝑂 be an infinity
point on 𝐸, then 𝑂 and all points on 𝐸 form an additive cyclic group
𝐺 of order 𝑃 generating element 𝑞. Fig. 2. system model.
Elliptic Curve Discrete Logarithm Problem (ECDL)[14]: Given
two random points 𝑃 , 𝑄𝐺 on elliptic curve 𝐸 where 𝑄 = 𝑥𝑃 , 𝑥𝑍𝑞 .
Then the ECDL problem refers to the difficulty of finding a positive
integer 𝑥 in probabilistic polynomial time (PPT) when points 𝑃 and 𝑄 3.2. System model
are known.
Elliptic Curve Computation DiffieHellman problem (ECCDH) The system model of the proposed gateway lightweight batch AKA
[33]: Given point 𝑃 , 𝑥𝑃 , 𝑦𝑃𝐺, where 𝑥, 𝑦𝑍𝑞 . Then for any PPT scheme for the IIoT is shown in Fig. 2. The system consists of four types
adversary the advantage of computing 𝑥𝑦𝑃𝐺 without knowing 𝑥, 𝑦 of entities: a trusted authority, a gateway, users, and industrial devices.
is negligible. The detailed descriptions of each entity are as follows:
One-Way Collision-Resistant Hash Function: One-way collision- Trusted Authority(TA): TA is a fully reliable entity, typically op-
resistant hash function is a deterministic algorithm that is irreversible erated by a government authority, with sufficient computational and
and collision-resistant. It takes as input a binary string of arbitrary storage capabilities. Its primary responsibilities include generating and
length and outputs a deterministic length binary string.
publishing system parameters, registering users and industrial devices,
Chinese Remainder Theorem(CRT): The CRT [13,34] is an impor-
and authorizing gateways. Additionally, the TA is responsible for hold-
tant theorem in number theory that has been used to solve a system of
ing malicious users accountable.
congruence equations in the modulo-invariant case, where the system
of congruence equations takes the following form: User: Users must register at TA, after which they can communicate
( ) with the gateway and industrial devices using smart mobile devices.
𝑥𝑎1 ( mod 𝑚1 ) When users wish to access industrial data collected by the devices or
𝑥𝑎2 mod 𝑚2 directly manipulate them, they need to complete mutual authentication
⎨ (1)
⎪ ⋮ with the industrial devices and negotiate a session key for secure sub-
( )
𝑥𝑎𝑛 mod 𝑚𝑛 sequent communication. The user sends a batch authentication request
Let 𝑚1 , 𝑚2 , … 𝑚𝑛 be two mutually prime positive integers, and to the gateway. Upon verifying the legitimacy of the users identity,
𝑎1 , 𝑎2 , … 𝑎𝑛 be any given 𝑛 positive integers. Then, for a positive integer the gateway issues a time-limited token, enabling the user to complete
𝑎𝑖 , 𝑖 ∈ [1, 𝑛], the general solution of the system of congruence equations authentication and key agreement with the industrial devices using the
is: token.
𝑥 = 𝑎1 𝑡1 𝑀1 + 𝑎2 𝑡2 𝑀2 + ⋯ + 𝑎𝑛 𝑡𝑛 𝑀𝑛 + 𝑘𝑀 Gateway: The gateway is a fully trusted entity that requires autho-
𝑛 rization from TA. It is generally considered to possess greater computa-
(2)
= 𝑎𝑖 𝑡𝑖 𝑀𝑖 + 𝑘𝑀 , 𝑘 ∈ Z tional and storage capabilities than industrial devices. The gateway is
𝑖=1 responsible for issuing time-limited tokens to users and assisting them
∏𝑛
where 𝑀 = 𝑚1 × 𝑚2 ×× 𝑚𝑛 = 𝑖=1 𝑚𝑖 is the product of integers
in completing batch authentication and key agreement with multiple
𝑚1 , 𝑚2 , … 𝑚𝑛 , 𝑀𝑖 (= 𝑀∕𝑚𝑖) denotes the product of (𝑛 1) integers except industrial devices.
𝑚𝑖 , and 𝑀𝑖 𝑡𝑖 ≡ 1 mod𝑚𝑖 , 𝑖 ∈ [1, 𝑛]. The CRT states that the system of Industrial device: Industrial devices register at TA and use time-
primary congruence equations has the following unique solution in the limited tokens to complete authentication and key agreement with
case of mode 𝑀: users. Upon successful authentication and key agreement, the devices
( 𝑛 )
∑ can securely transmit the collected industrial data to users after en-
𝑥= 𝑎𝑖 𝑡𝑖 𝑀𝑖 mod 𝑀 (3)
crypting it with the session key, or they can execute corresponding
𝑖=1
industrial tasks based on user instructions.
4
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
3.3. Threat model and security objectives
• Threat model
This paper uses the standard DolevYao (DY) model [35,36] to as-
sess the security of the proposed AKA scheme. The DY model stipulates
that an adversary  can control the insecure public communication
channel between the parties and can read, modify, delete, forge, re-
play, or even inject false information into the channel. Additionally,
when considering forward security, the adversary not only possesses
all the capabilities defined in the DY model but can also acquire secret
credentials, session states, and session keys from the communicating
entities. Therefore, forward security must ensure that a compromise of
the system does not affect the security of previous sessions. This paper
assumes that in the IIoT environment, the gateway is a fully trusted
entity, while users and industrial devices are considered untrusted
participants.
Fig. 3. User registration phase.
• Security objectives
Based on the above threat model, the proposed scheme in this paper
should meet the following security objectives: 4.2. Industrial device registration
(1) Mutual authentication and key agreement: The scheme should
TA selects its identity information 𝑆 𝐼 𝐷𝑗 for industrial device 𝑆 𝐷𝑗 ,
enable mutual authentication between the user and industrial
randomly chooses 𝑥𝑗𝑧𝑞 as the private key of the industrial de-
devices, ensuring that only authenticated users can access the ( )
vice, and calculates 𝑆 𝐾𝑆 𝐷𝑗 = 𝑠𝑆 𝐼 𝐷𝑗 as the long-term session
data collected by the industrial devices. Additionally, the scheme
should facilitate the negotiation of specific session keys between { between the }device and the gateway. TA sends the parameter
key
𝑥𝑗 , 𝑆 𝐼 𝐷𝑗 , 𝑆 𝐾𝑆 𝐷𝑗 securely to the industrial device (e.g., by offline
the user and industrial devices for secure communication in { }
subsequent interactions. registration), and 𝑆 𝐷𝑗 secretly stores the parameter 𝑥𝑗 , 𝑆 𝐼 𝐷𝑗 , 𝑆 𝐾𝑆 𝐷𝑗
(2) User anonymity: To ensure the privacy of the users identity, to complete the registration.
information transmitted over public channels should not reveal
the users true identity. 4.3. User registration
(3) Forward security: The scheme should achieve forward security,
meaning that even if an adversary obtains the long-term secret User
( 𝑢𝑖 selects)his identity 𝐼 𝐷𝑖 , password 𝑃 𝑊𝑖 and computes 𝑈 𝑃 𝑊𝑖
values of the participants and the session state or session keys = 1 𝐼 𝐷𝑖𝑃 𝑊𝑖 , randomly selects 𝑎𝑧𝑞 , and securely sends the
{ }
of the current session, they should not be able to compute the registration request parameter 𝑈 𝑃 𝑊𝑖𝑎, 𝐼 𝐷𝑖 to TA.
session keys of previous sessions. After receiving the registration request, the TA randomly selects the
(4) Unlinkability: The scheme should ensure unlinkability, meaning current timestamp 𝑇𝑐 and a random number 𝑎𝑖𝑧𝑞 , then calculates
( )
that an adversary should not be able to link two different mes- 𝑘𝑖 = 𝐼 𝐷𝑖𝑠𝑇𝑐𝑎𝑖 , 𝐴𝑖 = 𝑈 𝑃 𝑊𝑖𝑎𝑘𝑖 . Randomly select 𝑦𝑖𝑧𝑞
sages transmitted over the public channel to the same user or as the users private( key, compute
) 𝑌 = 𝑦⋅𝑃 as the users public key, and
industrial device. compute 𝑆 𝐾𝑢𝑖 = 𝑠𝐼 𝐷𝑖 as the long-term session key between the
{ }
(5) Resistance to Various Attacks: The scheme should be capable user and the gateway. TA returns the parameter 𝑦𝑖 , 𝐴𝑖 , 𝑆 𝐾𝑢𝑖 safely
of withstanding common protocol attacks, such as replay at- to the user. { }
tacks, spoofing attacks, privileged insider attacks, and man-in- After receiving the parameters 𝑦𝑖 , 𝐴𝑖 , 𝑆 𝐾𝑢𝑖 returned by TA, the
the-middle attacks, etc. ( )
user calculates 𝑘𝑖 = 𝑈 𝑃 𝑊𝑖𝑎𝐴𝑖 , 𝐵𝑖 = 1 𝑘𝑖𝐼 𝐷𝑖𝑈 𝑃 𝑊𝑖 and 𝐶𝑖 =
{ }
𝑈 𝑃 𝑊𝑖 ⊕𝑘𝑖 . The user securely stores the parameter 𝑦𝑖 , 𝐵𝑖 , 𝐶𝑖 , 𝑆 𝐾𝑢𝑖 , 𝑝𝑎𝑟𝑎𝑚𝑠
4. Proposed scheme in their mobile smart device (such as smartphone) complete the regis-
tration process (see Fig. 3).
The scheme consists of seven formalized algorithms, which are
system establishment, industrial device registration, user registration, 4.4. Gateway authorization
gateway authorization, authentication and key agreement, industrial
device update, and malicious user tracking. The main symbols used in TA authorizes the gateway, TA sends the gateway private key
the scheme are described in Table 1. 𝑠 and the system parameter 𝑝𝑎𝑟𝑎𝑚𝑠 to the gateway, { and sends the }
industrial device and user registration parameters 𝑥𝑗 , 𝑆 𝐼 𝐷𝑗 , 𝑆 𝐾𝑆 𝐷𝑗 ,
{ }
4.1. System establishment 𝑦𝑖 , 𝐼 𝐷𝑖 , 𝑆 𝐾𝑢𝑖 to the gateway.
TA inputs the system security parameters 𝜆 and generates the sys- 4.5. Authentication and key agreement phase
tem parameters accordingly. TA generates an additive cyclic group 𝐺
based on non-singular elliptic curves, whose order is 𝑞 and the group • Login phase
generator element is 𝑃 . Randomly select 𝑚𝑠𝑘 ∈ 𝑧𝑞 as the system
To communicate with industrial devices, a user must first log into
master key and compute 𝑚𝑝𝑘 = 𝑚𝑠𝑘 ⋅ 𝑃 as the systems master public
their smart terminal device. User enters identity 𝐼 𝐷𝑖 and password
key. Randomly select secure hash functions {0, 1}𝑧𝑞 , 1 ( )
𝑃 𝑊𝑖 , the smart devices calculates 𝑈 𝑃 𝑊𝑖 = 1 𝐼 𝐷𝑖𝑃 𝑊𝑖 , 𝑘𝑖 = 𝐶𝑖
{0, 1} → {0, 1}𝑙 . Choose 𝐺𝐼 𝐷 as the identity of the gateway, choose ( ) ?
𝑠 as the gateway private key and compute 𝑃 𝐾 = 𝑠𝑃 as the gateway 𝑈 𝑃 𝑊𝑖 , 𝐵𝑖 = 1 𝑘𝑖𝐼 𝐷𝑖𝑈 𝑃 𝑊𝑖 . Verify 𝐵𝑖 = 𝐵𝑖 , If they are not
public key. Finally TA announces the system parameters 𝑝𝑎𝑟𝑎𝑚𝑠 equal, smart device rejects the users login, otherwise user successfully
{ }
𝐺, 𝑃 , 𝑚𝑝𝑘, , 1 , 𝐺𝐼 𝐷, 𝑃 𝐾 . logs into smart device (see Fig. 4).
5
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
Table 1
Notations and Definitions.
Notations Definitions
𝜆 Security parameter
𝐺 An elliptic curve cycle additive group
𝑃 A generator of 𝐺
𝑞 The order of 𝐺
𝑚𝑝𝑘, 𝑚𝑠𝑘 System master publicprivate key pair
Hash function
𝑠, 𝑃 𝐾 Gateway publicprivate key pair
𝑥𝑗 Industrial device private key
𝑆 𝐾𝑆 𝐷𝑗 Long-term session key between industrial devices and the gateway
𝑦𝑖 , 𝑌 User publicprivate key pair
𝑆 𝐾𝑢𝑖 Long-term session key between user and the gateway
𝑎, 𝑎𝑖 , 𝑟, 𝑟𝑖 , 𝑟𝑗 , 𝑟𝑔 Random number
𝑃 𝐼 𝐷𝑖 Users pseudonym
𝑇𝑖 Timestamp
𝑇 𝑆 𝐾, 𝑇 𝑆 𝐾 Temporary secret value
𝑆𝐾 Session key
Fig. 4. Authentication and key agreement phase.
• Authentication and key agreement its pseudonym and stores it in the revocation list. The tracking
of malicious users will be explained later.) If 𝐼 𝐷𝑖 is not in the
( )
revocation list, gateway computes 𝑆 𝐼 𝐷𝑗 = 𝑀2 ∥ 𝑀1 ⊕ 𝑀3 ,
(1) User 𝑢𝑖 randomly selects 𝑟𝑖𝑧𝑞 , picks the current timestamp 𝑇1 ,
( ) 𝑀(4 =
computes 𝑟𝑖 = 𝑟𝑖𝑆 𝐾𝑢𝑖𝑇1 , 𝑀1 = 𝑟𝑖𝑃 𝐾, 𝑀2 = 𝑟𝑖𝑃 . 𝑢𝑖 ) ?
𝑃 𝐼 𝐷𝑖𝑀1 ∥ 𝑆 𝐾𝑢𝑖𝑇1 ∥ 𝑆 𝐼 𝐷𝑗 , verifies 𝑀4 = 𝑀4 . If veri-
compute their own temporary pseudonym 𝑃 𝐼 𝐷𝑖 = 𝐼 𝐷𝑖(𝑟𝑖
fication fails, returned error termination symbol ⊥. Otherwise,
𝑃 𝐾). 𝑢𝑖 communicate under a pseudonym, which enables con-
gateway selects the current timestamp 𝑇2 , queries terminal reg-
ditional privacy protection of their identity. 𝑢𝑖 computes 𝑀3 =
( ) { } istration tuple information based on users identity request list
𝑀2 ∥ 𝑀1 ⊕ 𝑆 𝐼 𝐷𝑗 , where 𝑆 𝐼 𝐷𝑗 = 𝑆 𝐼 𝐷0 , … , 𝑆 𝐼 𝐷𝑛 . The ∏𝑛 ( )
𝑆 𝐼 𝐷𝑗 , and computes 𝜕 𝑔 = 𝑥 , 𝑑𝑗 = 𝜕 𝑔𝑥𝑗 , 𝑑𝑗 × 𝑘𝑗 =
user can select multiple industrial devices to access in a batch, ∑𝑛 𝑗=1 𝑗
1𝑚𝑜𝑑 𝑥𝑗 , 𝑣𝑎𝑟𝑗 = 𝑑𝑗 × 𝑘𝑗 , 𝑄 = 𝑖=1 𝑣𝑎𝑟𝑗 . Gateway randomly selects
and after the authentication and key agreement phase, negotiate ( )
𝑘𝑑 , 𝑟𝑧𝑞 , computes 𝛾𝑑 = 𝑘𝑑 × 𝑄, computes 𝑇 𝑆 𝐾 = 𝑟𝑠𝑇2 ,
distinct session keys with each( device for subsequent communi- ) ( ) ( )
cation. 𝑢𝑖 computes 𝑀4 = 𝑃 𝐼 𝐷𝑖𝑀1 ∥ 𝑆 𝐾𝑢𝑖𝑇1 ∥ 𝑆 𝐼 𝐷𝑗 . 𝑀5 = 𝑆 𝐾𝑢𝑖𝑀2 ⊕ 𝑇 𝑆 𝐾, 𝑀6 = 𝑀5 ∥ 𝑇 𝑆 𝐾𝑆 𝐾𝑢𝑖
Subsequently, 𝑢𝑖 sends 𝑚𝑠𝑔1 = 𝐺(𝐼 𝐷, 𝑀7 = )
{ } 𝑀2 ∥ 𝑀5 ∥ 𝑀6 ∥ 𝑇 𝑆 𝐾𝑆 𝐾𝑢𝑖𝑇2 ∥ 𝐺𝐼 𝐷 , 𝑀8 =
𝑃 𝐼 𝐷𝑖 , 𝑇1 , 𝑀2 , 𝑀3 , 𝑀4 to the gateway. ( ) ( )
(2) After receiving the message sent by user, gateway first checks 𝑘𝑑𝑀2 ∥ 𝑆 𝐾𝑆 𝐷𝑗𝑇 𝑆 𝐾, 𝑀9 = 𝑀8 ∥ 𝑇 𝑆 𝐾𝑆 𝐾𝑆 𝐷𝑗
the validity of the timestamp by 𝑇1 𝑇1 ≤ ∇𝑇 , where 𝑇1 is ( ) ( )
𝑃 𝐼 𝐷𝑖𝐺𝐼 𝐷 , 𝑀10 = 𝑀2 ∥ 𝑀8 ∥ 𝑀9 ∥ 𝑇 𝑆 𝐾𝑆 𝐾𝑆 𝐷𝑗𝑃 𝐼 𝐷𝑖𝐺𝐼 𝐷 .
the time gateway received 𝑚𝑠𝑔1 . If timestamp is valid, gateway { }
Generates two messages 𝑚𝑠𝑔2 = 𝑇2 , 𝑀5 , 𝑀6 , 𝑀7 , 𝑚𝑠𝑔3 =
computes 𝑀1 = 𝑠𝑀2 , 𝐼 𝐷𝑖 = 𝑃 𝐼 𝐷𝑖(𝑀1 ), and checks if 𝐼 𝐷𝑖 { }
𝑇2 , 𝑀2 , 𝑀8 , 𝑀9 , 𝑀10 , 𝛾𝑑 . Where 𝑚𝑠𝑔3 is the time-limited token,
exists in revocation list. (NOTE: Gateway maintains a revocation
and gateway sends 𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 to user.
list for storing the identity of malicious users. When a user has
malicious behavior, gateway recovers its real identity based on
6
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
(3) After receiving the message, user first opens the message 𝑚𝑠𝑔2 key no longer exists in 𝑄 . Similarly, the new industrial devices added
and checks the validity of timestamp by 𝑇2 𝑇2 ≤ ∇𝑇 , where to the list can use their private keys to recover the new secret value
𝑇2 is the time when the user receives
( 𝑚𝑠𝑔2 , 𝑚𝑠𝑔
)3 . If timestamp 𝑘𝑑 through a modulo operation, and then complete the subsequent
is valid, users computes 𝑇 𝑆 𝐾 = 𝑆 𝐾𝑢𝑖𝑀2 ⊕ 𝑀5 , 𝐺𝐼 𝐷 = authentication and key agreement process.
( ) (Note: 𝑣𝑎𝑟𝑗 represents multiple industrial devices. For example,
𝑀5 ∥ 𝑇 𝑆 𝐾𝑆 𝐾𝑢𝑖𝑀6 , 𝑀7 =
( ) when the identity list includes newly added industrial devices 𝑆 𝐼 𝐷3 ,
? ( )
𝑀2 ∥ 𝑀5 ∥ 𝑀6 ∥ 𝑇 𝑆 𝐾𝑆 𝐾𝑢𝑖𝑇2 ∥ 𝐺𝐼 𝐷 . and verify 𝑀7 = 𝑆 𝐼 𝐷5 , 𝑆 𝐼 𝐷7 , then 𝑄 = 𝑄+ 𝑣𝑎𝑟3 + 𝑣𝑎𝑟5 + 𝑣𝑎𝑟7 . If devices 𝑆 𝐼 𝐷4 , 𝑆 𝐼 𝐷8
( )
𝑀7 . If verification fails, returned the error termination symbol are not in the new identity request list, then 𝑄 = 𝑄 𝑣𝑎𝑟4 + 𝑣𝑎𝑟8 .)
⊥. Otherwise, user selects the current timestamp 𝑇3 , randomly
selects 𝑟𝑔𝑧𝑞 , computes 𝑀11 = 4.7. Malicious user tracking
( ) ( )
𝑀2 ∥ 𝑇 𝑆 𝐾𝑟𝑔 , 𝑀12 = 𝑀2 ∥ 𝑀11 ∥ 𝑟𝑔𝑇 𝑆 𝐾𝑃 𝐼 𝐷𝑖𝑇3 ,
{ }
and generates the message 𝑚𝑠𝑔4 = 𝑇3 , 𝑀11 , 𝑀12 , 𝑃 𝐼 𝐷𝑖 . User When gateway detects the malicious behavior of user 𝑃 𝐼 𝐷𝑖 , gate-
broadcasts{ the received time-limited} token way can recover its real identity 𝐼 𝐷𝑖 by compute 𝐼 𝐷𝑖 = 𝑃 𝐼 𝐷𝑖 ⊕ℎ(𝑠𝑀2 ),
𝑚𝑠𝑔3 = 𝑇3 , 𝑀2 , 𝑀8 , 𝑀9 , 𝑀10 , 𝛾𝑑 from the gateway and the then add its real identity to the revocation list, and submit the real
{ }
generated message 𝑚𝑠𝑔4 = 𝑇3 , 𝑀11 , 𝑀12 , 𝑃 𝐼 𝐷𝑖 to the industrial identity 𝐼 𝐷𝑖 of the malicious user to TA.
devices in the area.
(4) After industrial device in the region receives the message, it 5. Security analysis
first opens the message 𝑚𝑠𝑔4 and checks the validity of times-
tamp by 𝑇3 𝑇3 ≤ ∇𝑇 , where 𝑇3 is the time when industrial This section provides a security proof and analysis of the proposed
device receives 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 . If timestamp is valid, industrial de- batch authentication and key agreement scheme. First, the security
vice meets the authentication conditions opens the time-limited of the scheme is formally proven using the Real-Or-Random (ROR)
token message 𝑚𝑠𝑔3 and uses its own private key to obtain model [37]. Next, heuristic analysis is employed to demonstrate the
the secret value ( 𝑘𝑑 by calculating )𝑘𝑑 = 𝛾𝑑 𝑚𝑜𝑑 𝑥𝑗 . Next, com- schemes resilience against various protocol attacks. Finally, the ad-
( )
pute 𝑇 𝑆 𝐾 = 𝑘𝑑𝑀2 ∥ 𝑆 𝐾𝑆 𝐷𝑗𝑀8 , 𝑃 𝐼 𝐷𝑖𝐺𝐼 𝐷 = vanced protocol verification tool Scyther is used to validate the security
( )
𝑀8 ∥ 𝑇 𝑆 𝐾𝑆 𝐾𝑆 𝐷𝑗𝑀9 , and of the proposed scheme.
( ) The ROR model is widely used in the formal security proofs of AKA
𝑀10 = 𝑀2 ∥ 𝑀8 ∥ 𝑀9 ∥ 𝑇 𝑆 𝐾𝑆 𝐾𝑆 𝐷𝑗𝑃 𝐼 𝐷𝑖𝐺𝐼 𝐷 and schemes. Formal security proofs can characterize the capabilities of
?
verify 𝑀10 = 𝑀10 . If verification fails, returned error termina- adversaries in both passive and active attacks, demonstrating that the
( )
tion symbol ⊥. Otherwise, compute 𝑟𝑔 = 𝑀2 ∥ 𝑇 𝑆 𝐾𝑀11 , scheme can provide secure authentication and semantic security. How-
𝑀12 = ever, formal security proofs cannot fully capture the attack capabilities
( ) ? of adversaries in real-world environments.
𝑀2 ∥ 𝑀11 ∥ 𝑟𝑔𝑇 𝑆 𝐾𝑃 𝐼 𝐷𝑖𝑇3 and verify 𝑀12 = 𝑀12 .
Heuristic security analysis can adequately consider the attack ca-
If verification passes, the industrial device authenticates both
pabilities of adversaries in real-world environments, as well as the
the user and the gateway. Industrial device picks the current
security requirements of the scheme. Therefore, heuristic analysis is
timestamp 𝑇4 , randomly selects 𝑟𝑗𝑧𝑞 , computes 𝑇 𝑆 𝐾 =
( ) ( ) often used in conjunction with formal security proofs to jointly assess
𝑟𝑗𝑇 𝑆 𝐾 , 𝑀13 = 𝑀2 ∥ 𝑇 𝑆 𝐾𝑇 𝑆 𝐾 , 𝑀14 = 𝑟𝑗
( ) the security of the scheme. However, heuristic analysis heavily relies
𝑀2 , 𝑀15 = 𝑟𝑗𝑃 , 𝑀16 = 𝑀13 ∥ 𝑀15 ∥ 𝑇 𝑆 𝐾𝑇 𝑆 𝐾 𝑇4 .
(
) on the experience of the analyst, which introduces the risk of human
Computes the session key 𝑆 𝐾 = 𝑀2 ∥ 𝑀13 ∥ 𝑀14 ∥ 𝑇 𝑆 𝐾
oversight in the analysis.
with the user 𝑢𝑖 . Industrial device generates message 𝑚𝑠𝑔5 =
{ } The Scyther tool is widely used for the analysis of authentication
𝑇4 , 𝑀2 , 𝑀13 , 𝑀15 , 𝑀16 and sends message 𝑚𝑠𝑔5 to the user 𝑢𝑖 .
schemes, providing a range of statements to test the security properties
(5) After receiving the message, user opens the message 𝑚𝑠𝑔5 and
of the schemes. Secret statements are used to assess key security, while
checks the validity of timestamp by 𝑇4 𝑇4 ≤ ∇𝑇 . If timestamp
( ) authentication statements primarily evaluate the schemes resistance to
is valid, computes 𝑇 𝑆 𝐾 = 𝑀2 ∥ 𝑇 𝑆 𝐾𝑀13 , 𝑀16 =
( ) ?
various attacks, such as replay attacks, impersonation attacks, and man-
𝑀13 ∥ 𝑀15 ∥ 𝑇 𝑆 𝐾𝑇 𝑆 𝐾 𝑇4 , and verify 𝑀16 = 𝑀16 . in-the-middle attacks. However, similar to formal security proofs, the
If verification fails, returned the error termination symbol ⊥. Scyther tool cannot fully capture the attack capabilities of adversaries
Otherwise, user computes the session key 𝑆 𝐾 = in real-world environments.
( )
𝑀2 ∥ 𝑀13 ∥ 𝑟𝑖𝑀15 ∥ 𝑇 𝑆 𝐾 . At this point, user and indus- In summary, the three analysis methods each have their own advan-
trial device have completed mutual authentication and agree- tages and disadvantages. Security proofs and the Scyther tool represent
ment a session key for subsequent communication. formal analysis approaches, which effectively mitigate the analytical
errors introduced by human factors in heuristic analysis. However,
4.6. Time-limited token update formal methods cannot fully capture the capabilities of attackers and
the security properties that the scheme must satisfy, whereas heuristic
As the production tasks progress, the industrial devices that the user analysis can effectively address this limitation. It is well known that de-
needs to access may change in real-time. Compared to the current list of signing a secure AKA scheme and proving its security is a complex task.
accessed devices, the user may need to access new devices or no longer Therefore, we employ these three mainstream approaches to analyze
need access to certain devices. In this case, the user sends a new batch and prove the security of the scheme proposed in this paper, aiming
authentication request, which includes the identity list of the newly to complement each methods strengths and weaknesses to minimize
{ }
requested industrial devices, denoted as 𝑆 𝐼 𝐷𝑗 = 𝑆 𝐼 𝐷0 , … , 𝑆 𝐼 𝐷𝑛 , security oversights.
to the gateway. If the list contains new industrial device identities, the
gateway computes 𝑄 = 𝑄 + 𝑣𝑎𝑟𝑗 . If certain devices are not included in 5.1. Formal security proof
the new identity request list, the gateway computes 𝑄 = 𝑄𝑣𝑎𝑟𝑗 . Then
gateway randomly selects a new secret value 𝑘𝑑𝑧𝑞 and computes • Security model
𝛾𝑑 = 𝑘𝑑 × 𝑄 to complete the update of the time-limited token. After
the update completed, the deleted industrial device will not be able Before proving the security of the scheme in this paper, the defini-
to recover the secret value 𝑘𝑑 by modulo operation because its private tion of each basic primitive in the ROR model is first given [37]:
7
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
(1) Participants: In the scheme of this paper, there are three partic- the security of the scheme  session key in PPT time is:
ipants, namely user, gateway, and industrial device. During the 2 2
(𝑞𝑠 +𝑞𝑒 )2 𝑞2 +2(2𝑞 +𝑞𝑠 ) +3(𝑞 +𝑞𝑠 )
𝐴𝑑 𝑣 (𝑡) ≤ 2(
+
protocol execution, they are instantiated as 𝑈𝑖 , 𝑆 𝐷𝑗 , and 𝐺𝑊𝑃
( )2 ) 2𝑙 (5)
respectively. Let 𝑈𝑖𝑎 denote the instance 𝑎 of user 𝑈𝑖 , 𝑆 𝐷𝑗𝑏 denote +𝑞 𝑞𝑠 + 𝑞𝑒 + 1 ⋅ 𝐴𝑑 𝑣𝐸
𝐶 𝐶 𝐷𝐻 (𝑡)
the instance 𝑏 of industrial device 𝑆 𝐷𝑗 , 𝐺𝑊 𝑐 denote the instance
𝑐 of gateway 𝐺𝑊 . Define six different games to prove the security of the scheme,
(2) partnering: Let 𝑠𝑖𝑑 denote the session identifier, if there is a denoted 𝐺0 𝐺5 . The games start at 𝐺0 and end at 𝐺5 . In these
partnership between instance 𝑈𝑖𝑎 and instance 𝑆 𝐷𝑗𝑏 , then they games, the adversarys advantage is gradually reduced to zero. 𝑆 𝑢𝑐 𝑐𝑖
[ ]
satisfy the following three conditions: they are both in the and 𝑃 𝑟 𝑆 𝑢𝑐 𝑐𝑖 respectively denote the event and probability that 
accepted state; they share the same session identifier 𝑠𝑖𝑑; they makes a successful guess in game 𝐺𝑖 , 𝑖 ∈ [0, 5].
are partners with each other. Game 𝐺0 : Game 𝐺0 simulates the real attack of adversary  on
(3) Freshness: Freshness is a fundamental concept that defines pro- the proposed scheme  under the ROR model, which can be obtained
tocol security. Freshness means that instances 𝑈𝑖𝑎 and 𝑆 𝐷𝑗𝑏 are according to the definition of semantic security:
Freshness if a session key 𝑆 𝐾 has been agreement between user [ ]
𝐴𝑑 𝑣
 (𝑡) = 2𝑃 𝑟 𝑆 𝑢𝑐 𝑐0 1. (6)
𝑈𝑖 and industrial device 𝑆 𝐷𝑗 and 𝑆 𝐾 has not been compromised
to an adversary. Game 𝐺1 : Game 𝐺(1 simulates eavesdropping attacks. Compared
)
The DY model defines that an adversary can take full control of with game 𝐺0 , 𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 , 𝐺𝑊 𝑐 query is added to 𝐺1 .  moni-
{ }
the open channel and eavesdrop to obtain public parameters on the toring the communication information 𝑚𝑠𝑔1 = 𝑃 𝐼 𝐷𝑖 , 𝑇1 , 𝑀2 , 𝑀3 , 𝑀4 ,
{ } { }
open channel. In addition, the adversary can modify or replay messages 𝑚𝑠𝑔2 = 𝑇2 , 𝑀5 , 𝑀6 , 𝑀7 , 𝑚𝑠𝑔3 = 𝑇2 , 𝑀2 , 𝑀8 , 𝑀8 , 𝑀10 , 𝛾𝑑 , 𝑚𝑠𝑔4 =
{ } { }
exchanged in the open channel and forge new messages to spoof other 𝑇3 , 𝑀11 , 𝑀12 , 𝑃 𝐼 𝐷𝑖 , 𝑚𝑠𝑔5 = 𝑇( 4 , 𝑀2 , 𝑀13 , 𝑀15 ,)𝑀16 between the
instances. Adversary  can perform the following queries: three participants through 𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 , 𝐺𝑊 𝑐 query, and finally
determines whether the value of the 𝑇 𝑒𝑠𝑡 query output is a real session
(1) 𝐻 𝑎𝑠 (⋅): When  performs a hash query, it returns a random
key or a random string. In the scheme of this paper, the process of
value of (fixed length. ) ( )
computing the session key 𝑆 𝐾 = 𝑀2 ∥ 𝑀13 ∥ 𝑀14 ∥ 𝑇 𝑆 𝐾 contains
(2) 𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 , 𝐺𝑊 𝑐 : The query simulates eavesdropping
the secret values 𝑟𝑗 and 𝑇 𝑆 𝐾 . Therefore, it is obvious that  cannot
attack.  can obtain all the messages transmitted by 𝑈𝑖 , 𝑆 𝐷𝑗 , compute 𝑆 𝐾 between user and industrial device by monitoring to the
𝐺𝑊 on ( the open channel ) by monitoring. message. Compared with 𝐺0 , monitoring message cannot increase the
(3) 𝑆 𝑒𝑛𝑑 𝑈𝑖𝑎 𝑆 𝐷𝑗𝑏 𝐺𝑊 𝑐 , 𝑚 : The query simulates an active attack. probability of  winning the game 𝐺1 , which can be obtained:
 sends message 𝑚 to instance 𝑈𝑖𝑎 𝑆 𝐷𝑗𝑏 𝐺𝑊 𝑐 . If 𝑚 is valid, | [ ] [ ]|
|𝑃 𝑟 𝑆 𝑢𝑐 𝑐1 𝑃 𝑟 𝑆 𝑢𝑐 𝑐0 | = 0. (7)
the instance responds and replies to the message; otherwise, the | |
instance( ignores )this query.
Game 𝐺2 : Game 𝐺2 describes the ability of adversary  to attack
(4) 𝑅𝑒𝑣𝑒𝑎𝑙 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 : This query simulates the disclosure of session
actively. Compared with 𝐺1 , adversary  in 𝐺2 will actively join the
key. When  executes this query, the session key 𝑆 𝐾 established session by executing 𝑆 𝑒𝑛𝑑 query and 𝐻 𝑎𝑠 query, and try to forge
between instances 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 will revealed to the adversary.
( ) legitimate messages to deceive the scheme participating entities.  has
(5) 𝐶 𝑜𝑟𝑟𝑢𝑝𝑡 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 : This query simulates the ability of an adver- the possibility to construct a valid message only when a collision is
sary to corrupt an instance. When  executes this query,  has detected, which in turn destroys the semantic security of . The scheme
access to all the secret parameters of the participating instances. in this paper has two types of collisions in the phase of authentication
( ) and key agreement:
(6) 𝑇 𝑒𝑠𝑡 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 : This query simulates the semantic security of
(1) The hash function collides on output, and its maximum prob-
the session key 𝑆 𝐾 between instances 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 . When  exe- 𝑞2
cutes this query, the simulator flips a random coin 𝑏 ∈ {0, 1}. If ability is: 2𝑙 .
( )
𝑏 == 1, the simulator returns to  the session key; if 𝑏 == 0, it (2) The random number in message 𝑚𝑠𝑔1 , 𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 , 𝑚𝑠𝑔5
2
returns a random string of the same length as the session key. (𝑞 +𝑞 )
experiences a collision, and its maximum probability is: 𝑠 2𝑝 𝑒 .
Semantic security[38]: In the ROR model, the goal of the adversary
Therefore, unless a collision occurs, 𝐺2 and 𝐺1 are indistinguishable.
 is to distinguish whether a real session key or a random number is
According to the birthday paradox, we have:
returned by the 𝑇 𝑒𝑠𝑡 query.  can query the instance 𝑈𝑖𝑎 , 𝑆 𝐷𝑗𝑏 with the ( )2
PPT number of 𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒, 𝑆 𝑒𝑛𝑑, 𝑅𝑒𝑣𝑒𝑎𝑙, 𝐶 𝑜𝑟𝑟𝑢𝑝𝑡, 𝑇 𝑒𝑠𝑡, when the query | [ ] [ ]| 𝑞2 𝑞𝑠 + 𝑞𝑒
|𝑃 𝑟 𝑆 𝑢𝑐 𝑐2 𝑃 𝑟 𝑆 𝑢𝑐 𝑐1 | ≤ 𝑙 + (8)
is finished,  outputs a bit 𝑏 , and only when 𝑏 = 𝑏,  wins this | | 2 2𝑝
game. Let 𝑆 𝑢𝑐 𝑐 denote that  wins the game, and let  denote the AKA
Game 𝐺3 : In Game G3,  tries to forge a valid message that can be
scheme constructed in this paper, then the advantage of  in breaking
verified by guessing the secret parameter. Specifically,  tries to forge
the semantic security of  is:
the following message:
𝐴𝑑 𝑣𝑎𝑘𝑎
 ()
= 2𝑃 𝑟 [𝑆 𝑢𝑐 𝑐] 1. (4)
(1) The adversary successfully forged the message 𝑚𝑠𝑔1 . In this case,
 needs to make 𝐻 𝑎𝑠 query to compute 𝑚𝑠𝑔1 . Therefore, 
• Security proof make the following query:
{( ) ( ) }
𝑀2 ∥∗∥ 𝑆 𝐼 𝐷𝑗 , 𝑃 𝐼 𝐷𝑖 ∥∗∥∗∥ 𝑇1 ∥ 𝑆 𝐼 𝐷𝑗 , 𝑀4 . And the prob-
(𝑞 +𝑞 )2
ability of success in this event is denoted as: 2𝑙 𝑠 .
Theorem 1. Let  denote the adversary that breaks the scheme  in
PPT time 𝑡 and  be a cipher space that obeys the distribution of Zipfs (2) The adversary successfully forged the message 𝑚𝑠𝑔2 . Similar to
law [39]. 𝑞 , 𝑞𝑠 , 𝑞𝑒 denote the number of 𝐻 𝑎𝑠 queries, 𝑆 𝑒𝑛𝑑 queries, above,  needs to make
{ 𝐻 𝑎𝑠 query to compute 𝑚𝑠𝑔2 .  make }
( ) ( )
𝐸 𝑥𝑒𝑐 𝑢𝑡𝑒 queries respectively. |𝐻 𝑎𝑠| and 𝑙 represent the output space of the the following query: (
∗∥ 𝑀2 ∥∗ , 𝑀5 ∥∗∥∗∥ 𝐺𝐼 𝐷 ,
) .
hash function (⋅) and the output length of the random prediction machine. 𝑀2 ∥ 𝑀5 ∥ 𝑀6 ∥∗∥∗∥ 𝑇2 ∥ 𝐺𝐼 𝐷 , 𝑀7
𝐴𝑑 𝑣𝐸 𝐶 𝐶 𝐷𝐻 (𝑡) denotes the advantage of adversary  solving 𝐸 𝐶 𝐶 𝐷𝐻 And the probability of success in this event is denoted as:
(2𝑞 +𝑞𝑠 )2
difficult problem in PPT time. Then the advantage of adversary  breaking 2𝑙
.
8
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
(3) The adversary successfully forged the message 𝑚𝑠𝑔3 .  needs to on the CRT, only the industrial device that meets the authen-
make
{ the following 𝐻 𝑎𝑠 query: } tication conditions can recover the secret value 𝑘𝑑 based on
( ) ( )
∗∥ 𝑀2 ∥∗∥∗ , 𝑀8 ∥∗∥∗∥ 𝑃 𝐼 𝐷𝑖𝐺𝐼 𝐷 , its own private key as well as 𝛾𝑑 to complete the subsequent
( ) . And the proba-
𝑀2 ∥ 𝑀8 ∥ 𝑀9 ∥∗∥∗∥ 𝑃 𝐼 𝐷𝑖𝐺𝐼 𝐷 , 𝑀10 authentication.
(2𝑞 +𝑞𝑠 )2 Authentication between the user and the industrial device: the
bility of success in this event is denoted as: 2𝑙
.
industrial device directly authenticates the user via 𝑀12 in mes-
(4) The adversary successfully forged the message 𝑚𝑠𝑔4 .  needs to sage 𝑚𝑠𝑔4 , because message 𝑀12 contains the secret value 𝑇 𝑆 𝐾.
make the following 𝐻 𝑎𝑠 query:
{( ) ( ) } similarly, the user directly authenticates the industrial device via
𝑀2 ∥∗∥∗ , 𝑀2 ∥ 𝑀11 ∥∗∥∗∥ 𝑃 𝐼 𝐷𝑖𝑇3 , 𝑀12 . And the prob- 𝑀16 in message 𝑚𝑠𝑔5 .
(𝑞 +𝑞 )2 ( )
ability of success in this event is denoted as: 2𝑙 𝑠 . (2) Session key agreement: Session key 𝑆 𝐾 = 𝑀2 ∥ 𝑀13 ∥ 𝑀14 ∥ 𝑇 𝑆 𝐾
(5) The adversary successfully forged the message 𝑚𝑠𝑔5 .  needs to is agreement between the user and the industrial device, which
make the following 𝐻 𝑎𝑠 query: contains the secret values 𝑇 𝑆 𝐾 and 𝑀14 . Except for both parties
{( ) ( ) }
𝑀2 ∥∗∥∗ , 𝑀2 ∥ 𝑀13 ∥ 𝑀15 ∥∗∥∗∥ 𝑇4 , 𝑀16 . And the proba- of the session, no third party can obtain the session key.
(𝑞 +𝑞 )2 (3) User anonymity: Users use pseudonym 𝑃 𝐼 𝐷𝑖 = 𝐼 𝐷𝑖 ⊕ℎ(𝑟𝑖 ⋅𝑃 𝐾) to
bility of success in this event is denoted as: 2𝑙 𝑠 .
communicate, effectively protect their identity 𝐼 𝐷𝑖 , realize user
Thus, unless  successfully forges all of the above messages, 𝐺3 is anonymity. At the same time, when the user has violated the
indistinguishable from 𝐺2 , we have: law, the gateway can recover the users real identity 𝐼 𝐷𝑖 through
( )2 ( )2 the 𝐼 𝐷𝑖 = 𝑃 𝐼 𝐷𝑖(𝑠𝑀2 ) to complete the tracking. Therefore,
| [ ] [ ]| 2 2𝑞 + 𝑞𝑠 + 3 𝑞 + 𝑞𝑠
|𝑃 𝑟 𝑆 𝑢𝑐 𝑐3 𝑃 𝑟 𝑆 𝑢𝑐 𝑐2 | ≤ (9) the scheme in this paper guarantees the anonymity of the user
| | 2𝑙 while realizing the conditional privacy protection of the user.
Game 𝐺4 : In game 𝐺4 ,  tries to compute the session key 𝑆 𝐾. (4) Forward security: forward security means that the compromise
Since the session key is constructed based on the ECCDH problem, the of the current system does not affect the security of previous
difficulty for  to compute the session key in PPT time is equivalent to sessions. Assuming that all users long-term secret values are
solving the ECCDH problem in PPT time.  chooses the ECCDH tuple compromised, the attacker obtains the message 𝑀2 , 𝑀13 through
( )
𝑟𝑖 𝑃 , 𝑟𝑗 𝑃 with probability 𝑞1 , thus we have: passive attack listening, and the session key is computed as
( )
| [ ] [ ]|
𝑆 𝐾 = 𝑀2 ∥ 𝑀13 ∥ 𝑀14 ∥ 𝑇 𝑆 𝐾 . Therefore, if the adversary
|𝑃 𝑟 𝑆 𝑢𝑐 𝑐4 𝑃 𝑟 𝑆 𝑢𝑐 𝑐3 | ≤ 𝑞𝐴𝑑 𝑣𝐸 𝐶 𝐶 𝐷𝐻
(𝑡) (10)
| |  wants to calculate the session key 𝑆 𝐾, he still needs to know the
secret value 𝑀14 , 𝑇 𝑆 𝐾 , which is never transmitted in the open
Game 𝐺5 : The game 𝐺5 considers the forward security of scheme .
channel. 𝑇 𝑆 𝐾 only both sides of the communication know that
In this game,  can execute 𝑆 𝑒𝑛𝑑 queries as well as 𝐶 𝑜𝑟𝑟𝑢𝑝𝑡 queries to
the adversary needs to solve the ECCDH problem if he wants
obtain the long-term secret values stored by the user and the industrial
( ) 1 to calculate 𝑀14 through 𝑀2 , 𝑀13 , but the ECCDH problem is
device. The probability that tuple 𝑟𝑖 𝑃 , 𝑟𝑗 𝑃 in a session is , thus
(𝑞𝑠 +𝑞𝑒 )2 unsolvable in PPT time. Therefore, the proposed scheme in this
we have: paper satisfies forward security.
| [ ] [ ]| ( )2
|𝑃 𝑟 𝑆 𝑢𝑐 𝑐5 𝑃 𝑟 𝑆 𝑢𝑐 𝑐4 | ≤ 𝑞 𝑞𝑠 + 𝑞𝑒𝐴𝑑 𝑣𝐸 𝐶 𝐶 𝐷𝐻
(𝑡) (11) (5) Resistance to replay attacks : In the scheme of this paper, times-
| | 
tamps and random numbers are used to resist replay attacks.
Based on Eqs. (6)(11), we obtained the result: Even if an adversary can intercept the communication messages
2 2
(𝑞 +𝑞 )2 𝑞 2 +2(2𝑞 +𝑞𝑠 ) +3(𝑞 +𝑞𝑠 ) in the open channel and replay them, the replayed messages
𝐴𝑑 𝑣 (𝑡) ≤ 𝑠 2𝑃 𝑒 +
 (( )2 )2 𝑙
(12) cannot be verified due to the presence of timestamps and random
+𝑞 𝑞𝑠 + 𝑞𝑒 + 1 ⋅ 𝐴𝑑 𝑣𝐸
𝐶 𝐶 𝐷𝐻 (𝑡)
numbers.
(6) Resistant to impersonation attack:
The above proof procedure implies that after all the prediction ma- Resistance to user impersonation attack: To successfully imper-
chines have been simulated,  does not gain any additional advantage sonation as a user, adversary needs to construct an authenticated
to win the game. Therefore, the scheme proposed in this paper is safe { }
message 𝑚𝑠𝑔1 = 𝑃 𝐼 𝐷𝑖 , 𝑇1 , 𝑀2 , 𝑀3 , 𝑀4 . The construction of
under the ROR model. authentication message 𝑀4 requires a long-term session key
𝑆 𝐾𝑢𝑖 between the user and the gateway, which is unavailable
5.2. Heuristic security analysis to the adversary, and thus the adversary is not able to forge an
authenticated message, so the proposed scheme is resistant to
(1) Mutual authentication: In the scheme proposed in this paper, user impersonation attack.
all participating entities have completed mutual authentication. Resistance to gateway impersonation attack: To successfully im-
The details are analyzed as follows: personation as gateway, adversary needs to construct authen-
Authentication between the user and the gateway: the gateway { } {
tication messages 𝑚𝑠𝑔2 = 𝑇2 , 𝑀5 , 𝑀6 , 𝑀7 , 𝑚𝑠𝑔3 = 𝑇2 , 𝑀2 ,
accomplishes the direct authentication of the user through 𝑀4 }
𝑀8 , 𝑀8 , 𝑀10 , 𝛾𝑑 . Similar to the above, constructing authentica-
in message 𝑚𝑠𝑔1 . Because message 𝑀4 contains the session key
( ) tion messages 𝑀7 , 𝑀10 requires a long term session key 𝑆 𝐾𝑢𝑖 ,
𝑆 𝐾𝑢𝑖 between the gateway and user and 𝑀1 , 𝑀2 is a pair 𝑆 𝐾𝑆 𝐷𝑗 , so the adversary is unable to construct valid authentica-
of plain ciphertexts constructed by the public key algorithm, tion messages, and the proposed scheme is resistant to gateway
other users are unable to forge message 𝑀4 . Similarly, user impersonation attack.
accomplishes direct authentication to the gateway via 𝑀7 in Resistance to industrial device impersonation attack: To success-
message 𝑚𝑠𝑔2 , since message 𝑀7 also contains the session key fully impersonation as an industrial device, adversary needs to
𝑆 𝐾𝑢𝑖 and the secret value 𝑇 𝑆 𝐾 cryptographically protected by { }
construct an authentication message 𝑚𝑠𝑔5 = 𝑇4 , 𝑀2 , 𝑀13 , 𝑀15 , 𝑀16 ,
𝑆 𝐾𝑢𝑖 . where the construction of the authentication message 𝑀16 re-
Authentication between the gateway and the industrial device: quires the secret values 𝑇 𝑆 𝐾 and 𝑇 𝑆 𝐾 . 𝑇 𝑆 𝐾 is computed
the industrial device authenticates the gateway directly by from 𝑇 𝑆 𝐾, which requires secret values 𝑘𝑑 , 𝑆 𝐾𝑆 𝐷𝑗 . Therefore,
means of 𝑀10 in message 𝑚𝑠𝑔3 , since message 𝑀10 contains the adversary cannot construct a valid authentication message,
the session key 𝑆 𝐾𝑆 𝐷𝑗 between the gateway and the indus- and the proposed scheme is resistant to industrial device imper-
trial device. The gateway indirectly authenticates the industrial sonation attacks.
device through 𝛾𝑑 in the message 𝑚𝑠𝑔3 . This is because based
9
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
(7) Resisting privileged internal attacks: During the user registra-
tion process, the user sends the registration request parame-
{ }
ters 𝑈 𝑃 𝑊𝑖𝑎, 𝐼 𝐷𝑖 to the TA, where 𝑈 𝑃 𝑊𝑖 , 𝑎𝑖 , 𝐼 𝐷𝑖 is the
pseudo-password, the random number, and the users identity,
respectively. Due to the randomness of the random number and
the unidirectionality of the hash function, it is difficult for the
privileged adversary inside the TA to recover the users real
password 𝑃 𝑊𝑖 based on the registration parameters, and thus the
proposed scheme in this paper can resist the privileged internal
attack.
(8) Resistance to man-in-the-middle attack: adversary can monitor
to obtain messages 𝑚𝑠𝑔1 , 𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 , 𝑚𝑠𝑔5 transmitted in
the open channel and try to spoof 𝑈𝑖 , 𝐺𝑊 , 𝑆 𝐷𝑗 by modifying
these messages. However, for an adversary to generate a legit-
imate message 𝑚𝑠𝑔1 , it needs to obtain a random secret value
𝑟𝑖 and a long-term secret value 𝑆 𝐾𝑢𝑖 . Therefore, the adversary
cannot generate a legitimate message 𝑚𝑠𝑔1 . Similarly, an adver-
sary cannot generate a legitimate message 𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 , 𝑚𝑠𝑔5 .
Therefore, the scheme proposed in this paper is resistant to
man-in-the-middle attacks.
(9) Unlinkability: In the scheme proposed in this paper, the user
communicates using a temporary pseudonym, and the identity
information of the industrial devices is not transmitted over
the public channel. All messages transmitted over the public
channel are encrypted using random numbers, timestamps, or
secret values. Due to the randomness of the random numbers
and timestamps, an adversary cannot distinguish whether two
different messages originate from the same entity. Therefore, the
proposed scheme ensures unlinkability.
5.3. Verification based on scyther tool
Fig. 5. Formal verification results under the tset of scyther tool.
This section uses the protocol verification tool Scyther [40] to
validate the security of the proposed scheme. Scyther is widely used for
the security verification and analysis of protocols. It employs a black- simulation results Fig. 5 shows that the scheme proposed in this paper
box approach, allowing users to evaluate whether the protocol meets satisfies all the above declared security features. scyther tool does not
the declared security goals and properties from their perspective [41]. find any attack on this papers scheme under DY model.
Scyther models the roles in a protocol and their message sending and
receiving behaviors using the SPDL language. Scyther supports nine 6. Performance analysis
common adversary models, including DY, CK, and eCK, and verifies the
security of the protocol based on these models, analyzing whether the This section provides a comparative analysis of the proposed scheme
protocol has any security vulnerabilities. with existing scheme [13,14,2325], in terms of security and functional
Scyther proposed a set of statements to test the security properties features, computational overhead, and communication overhead. The
of a protocol, including the secret statement 𝑆 𝑒𝑐 𝑟𝑒𝑡, and several ver- compared schemes are all recently proposed AKA schemes for the IIoT
ification statements 𝐴𝑙𝑖𝑣𝑒, 𝑊 𝑒𝑎𝑘𝑎𝑔 𝑟𝑒𝑒, 𝑁 𝑖𝑎𝑔 𝑟𝑒𝑒, 𝑁 𝑖𝑠𝑦𝑛𝑐 [42]. Secret or the Vehicular Networks (a specific IoT application). Among them,
statements are mainly used to test the confidentiality of an identity the schemes proposed in [13,14,23,24] are designed for multi-devices
or keys. Authentication statements are used to check for the presence communication scenarios with batch processing capabilities, while the
of various attacks, such as replay attacks, impersonation attacks, and scheme in [25] considers the issue of gateway lightweighting in IoT en-
man-in-the-middle attacks. This section analyzes the security of the vironments. In the comparison of security and functional features, the
scheme in this paper using the standard DY model, which defines that ability of each scheme to resist various protocol attacks is evaluated, in-
an adversary can monitor, steal, replay or even modify the information cluding unlinkability, forward security, and resistance to replay attacks.
transmitted in the open channel. Additionally, the functional features met by each scheme are compared,
The results of this paper scheme verified using scyther tool are such as user anonymity, suitability for multi-device communication sce-
shown in Fig. 5. For the authentication and key agreement phase of narios, and gateway lightweight. The computational and communica-
this papers scheme the tripartite participants user, gateway, and indus- tion overhead section compares the computational and communication
trial device are defined as roles 𝑈 𝐼, 𝐺𝑊 , and 𝑆 𝐷𝐽 respectively. The costs of each scheme in the context of multi-device communication.
information sent and received by each role during the authentication These factors are essential criteria for assessing whether a scheme can
and key agreement phases is modeled using the SPDL language, and be safely and efficiently applied in real-world IIoT environments.
the security and authentication statements for each role are verified.
For example, for the role 𝑈 𝐼, there are four secret statements and 6.1. Comparison of security and functional features
four authentication statements. Where 𝐾 𝑒𝑦 represents the session key
between the 𝑈 𝐼 and the 𝑆 𝐷𝐽 . 𝑠𝑘(𝑈 𝐼) represents the private key of Firstly, we compare the security and functional features of the
the 𝑈 𝐼. 𝑘(𝑈 𝐼 , 𝐺𝑊 ) represents the long-term session key between the schemes, with the results shown in Table 2. Upon analysis, only the pro-
𝑈 𝐼 and the 𝐺𝑊 . The authentication statement, on the other hand, is posed scheme in this paper meets all 13 security and functional require-
to verify the security features that the scheme has. According to the ments. Although Wang et al. [25] scheme addresses the lightweight
10
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
Table 2
Comparison of security and functional features.
Scheme [24] Scheme [23] Scheme [13] Scheme [25] Scheme [14] Our scheme
𝑆 𝐺1 ✓ ✓ ✓ ✓ ✓ ✓
𝑆 𝐺2 ✓ ✓ ✓ ✓ ✓ ✓
𝑆 𝐺3 ✓ ✓ ✓ ✓ ✓ ✓
𝑆 𝐺4 𝑁𝐴𝑁𝐴 𝑁𝐴 ✓ ✓
𝑆 𝐺5 ✓ ✓ ✓ ✓ ✓ ✓
𝑆 𝐺6 ✗ ✓ ✗ ✓ ✓ ✓
𝑆 𝐺7 ✓ ✓ ✓ ✓ ✓ ✓
𝑆 𝐺8 ✓ ✓ ✓ ✓ ✓ ✓
𝑆 𝐺9 ✓ ✓ ✗ ✓ ✓ ✓
𝑆 𝐺10 ✓ ✗ ✓ ✓ ✓ ✓
𝑆 𝐺11 ✓ 𝑁𝐴 ✓ ✓ 𝑁𝐴
𝑆 𝐺12 ✓ ✓ ✓ 𝑁𝐴 ✓ ✓
𝑆 𝐺13 𝑁𝐴 𝑁𝐴 𝑁𝐴𝑁𝐴
𝑆 𝐺1 : Mutual authentication. 𝑆 𝐺2 : Key agreement. 𝑆 𝐺3 : User anonymity. 𝑆 𝐺4 : Malicious user tracking. 𝑆 𝐺5 :
Unlinkability. 𝑆 𝐺6 : Forward security. 𝑆 𝐺7 : Resistant to replay attacks. 𝑆 𝐺8 : Resistant to impersonation
attack. 𝑆 𝐺9 : Resistant privileged internal attack. 𝑆 𝐺10 : Resistance to man-in-the-middle attack. 𝑆 𝐺11 :
Terminal device update. 𝑆 𝐺12 : Suitable for Multi-Device Scenarios. 𝑆 𝐺13 : Gateway Lightweighting. 𝑁𝐴
Means not consider the functional feature.
Table 3 times using the MIRACL library to obtain the average computation
Computation time for cryptographic operations (Milliseconds).
time, thereby reducing measurement errors. The average computation
Operations 𝑇𝑒𝑐 𝑚 𝑇𝑒𝑐 𝑎 𝑇𝑚 𝑇𝑠𝑒 𝑇𝑠𝑑 𝑇 times for various cryptographic operations are presented in Table 3.
Computation time 0.7587 0.0048 0.0072 0.0114 0.0122 0.0015 Where, 𝑇𝑒𝑐 𝑚 , 𝑇𝑒𝑐 𝑎 , 𝑇𝑚 , 𝑇𝑠𝑒 , 𝑇𝑠𝑑 , 𝑇 represent the computation times
for various operations: point multiplication in group 𝐺, point addition
in group 𝐺, multiplication in group 𝑍𝑞 , symmetric encryption (AES-
nature of the gateway, it does not consider its application in multi- CBC), symmetric decryption (AES-CBC), and hash function operations,
devices communication scenarios and is therefore unsuitable for the respectively. As the computational overhead of the XOR operation is
IIoT environment. The other schemes [13,14,23,24], while considering negligible, it is not considered when comparing computational costs.
multi-devices communication scenarios, still present certain security In addition, according to the work of Wang et al. [25], the calculation
and usability issues. The schemes proposed by Vinoth et al. [24] and time of fuzzy biometric extraction is 𝑇𝑏𝑇𝑒𝑐 𝑚 .
Yang et al. [13] lack forward security and do not consider the func-
tional feature of malicious user tracking; additionally, Yang et al. [13] • Computational Overhead in Multi-Device Communication
scheme is vulnerable to privileged insider attacks. Cui et al. [23] Scenarios
scheme fails to resist man-in-the-middle attacks and does not account In the proposed scheme, three main entities are involved during
for the functional feature of terminal device updates. The scheme the authentication and key agreement phase: the user, the gateway,
by Zhang et al. [14] offers high security but does not consider the and the industrial devices. During this phase, when user intends to
terminal device update feature, making it ineffective in scenarios where authenticate and negotiate keys with 𝑛 industrial devices, they first
the users accessed devices frequently change. Moreover, none of the send a batch authentication request message 𝑚𝑠𝑔1 to the gateway. Upon
aforementioned AKA schemes for multi-terminal devices [13,14,23,24] receiving the gateways response 𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 , the user must perform
take the lightweight nature of the gateway into account. In summary, the necessary computations and broadcast message 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 to the
only the proposed scheme in this paper satisfies all 13 security and 𝑛 industrial devices. At this point, the computational overhead for the
functional requirements, making it more suitable for the IIoT envi- user is denoted as 8𝑇 + 2𝑇𝑒𝑐 𝑚 . Finally, in the key agreement phase,
ronment where users frequently communicate with multiple industrial the user needs to process the responses 𝑚𝑠𝑔5 from the 𝑛 industrial
devices. devices simultaneously to compute different session keys 𝑆 𝐾. There-
fore, the computational cost for the user in the key agreement phase
6.2. Comparison of computation overhead is 3𝑛𝑇 + 𝑛𝑇𝑒𝑐 𝑚 . The total computational overhead for the user during
the entire authentication and key agreement process in the proposed
This section compares the computational overhead of the proposed scheme is (3𝑛 + 8) 𝑇 + (𝑛 + 2) 𝑇𝑒𝑐 𝑚 . In the proposed scheme, due to
scheme with the comparison schemes [13,14,2325]. Since the regis- the application of the Chinese Remainder Theorem and time-limited
tration or authorization login phase is performed only once throughout tokens, the gateway only needs to handle the batch authentication
the entire process, this subsection focuses solely on the computational request message from the user without interacting directly with the
overhead during the authentication and key agreement phase. Addi- industrial devices. Consequently, the total computational overhead for
tionally, considering that users in the IIoT frequently communicate with the gateway is 10𝑇 + 𝑇𝑒𝑐 𝑚 . Each industrial device, however, must
multiple industrial devices, the comparison here will emphasize the process the authentication message from the user and compute the
computational overhead in multi-device communication scenarios to session key independently. Therefore, in a multi-device scenario, the
( )
better reflect real-world IIoT environments. computational overhead for 𝑛 industrial devices is 9𝑇 + 2𝑇𝑒𝑐 𝑚 𝑛. The
To achieve a 128-bit security level, construct an additive cyclic total computational overhead of the proposed scheme during the au-
group 𝐺 generated by an elliptic curve 𝐸 𝑦2 = 𝑥3 + 𝑎𝑥 + 𝑏𝑚𝑜𝑑 𝑝, thentication and key agreement phase in a multi-device communication
where the order of the group is 𝑝 and the generator is 𝑞. Here, 𝑝 scenario is (12𝑛 + 18) 𝑇 +(3𝑛 + 3) 𝑇𝑒𝑐 𝑚 . The computational overheads for
and 𝑞 are 256-bit prime numbers. Experiments were conducted on a the authentication and key agreement phase of other schemes in multi-
personal computer to measure the computational overhead of crypto- terminal device communication scenarios are presented in Table 4, with
graphic operations based on the MIRACL library [43]. The experimental the analysis method being the same as that of the proposed scheme, and
environment was configured with a 12th Gen Intel(R) Core(TM) i5- thus not further elaborated here.
1235U @1.30 GHz processor, 16 GB of RAM, and the Ubuntu 22.04 As shown in Table 4, Vinoth et al. [24] scheme, which is based on
operating system. Each cryptographic operation was executed 1,000 symmetric cryptography, and Yang et al. [13] scheme, which does not
11
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
Table 4
Computational overhead for each scheme in multi-device communication scenarios.
scheme User/Vehicle Gateway/TA 𝑛 Industrial device/Smart device/CSP Total computation overhead
( )
[23] (5𝑛 + 3) 𝑇 + (𝑛 + 2) 𝑇𝑒𝑐 𝑚 (7𝑛 + 3) 𝑇 + (𝑛 + 1) 𝑇𝑒𝑐 𝑚 7𝑇 + 3𝑇𝑒𝑐 𝑚 𝑛 (19𝑛 + 6) 𝑇 + (5𝑛 + 3) 𝑇𝑒𝑐 𝑚
6𝑇 + (2𝑛 + 2)𝑇𝑚 (4𝑛 + 15)𝑇 + (2𝑛 + 2)𝑇𝑚
[24] 9𝑇 + 𝑇𝑠𝑑 (4𝑇 + 𝑇𝑠𝑒 + 𝑇𝑠𝑑 )𝑛
+2𝑇𝑠𝑒 + 𝑛𝑇𝑠𝑑 +(𝑛 + 2)𝑇𝑠𝑒 + (2𝑛 + 1)𝑇𝑠𝑑
(7 + 𝑛)𝑇 + 2𝑇𝑒𝑐 𝑚 (2𝑛 + 9)𝑇 + 𝑇𝑒𝑐 𝑚 (9𝑛 + 16)𝑇 + 3𝑇𝑒𝑐 𝑚 + (2𝑛 + 1)𝑇𝑚
[13] (6𝑇 + 𝑇𝑚 + 𝑇𝑠𝑒 + 𝑇𝑠𝑑 )𝑛
+𝑇𝑚 + 𝑇𝑠𝑒 + 𝑇𝑠𝑑 +𝑛𝑇𝑚 + 2𝑇𝑠𝑒 + (𝑛 + 1)𝑇𝑠𝑑 +(𝑛 + 3)𝑇𝑠𝑒 + (2𝑛 + 2)𝑇𝑠𝑑
[25] 8𝑛𝑇 + 3𝑛𝑇𝑒𝑐 𝑚 + 𝑇𝑏 19𝑛𝑇 + 𝑛𝑇𝑒𝑐 𝑚 4𝑛𝑇 + 2𝑛𝑇𝑒𝑐 𝑚 31𝑛𝑇 + 6𝑛𝑇𝑒𝑐 𝑚 + 𝑇𝑏
(5𝑛 + 4) 𝑇 (2 + 8𝑛) 𝑇 (20𝑛 + 6) 𝑇 + (5𝑛 + 3) 𝑇𝑒𝑐 𝑚
[14] 7𝑛𝑇 + 3𝑛𝑇𝑒𝑐 𝑚
+ (𝑛 + 2) 𝑇𝑒𝑐 𝑚 + 𝑇𝑠𝑒 + (1 + 𝑛) 𝑇𝑒𝑐 𝑚 + 𝑇𝑠𝑒 +2𝑇𝑠𝑒
(3𝑛 + 8) 𝑇 ( ) (12𝑛 + 18) 𝑇
Our scheme 10𝑇 + 𝑇𝑒𝑐 𝑚 9𝑇 + 2𝑇𝑒𝑐 𝑚 𝑛
+ (𝑛 + 2) 𝑇𝑒𝑐 𝑚 + (3𝑛 + 3) 𝑇𝑒𝑐 𝑚
User/Vehicle denotes Uesr, Vehicle user in Vehicular Networks.
Gateway/TA denotes trusted entity.
Industrial Device/Smart Device/CSP denotes Industrial device, Smart Device in IOT,
Cloud server in Vehicular Networks.
Fig. 6. The Comparisons of Computational overhead.
deploy public-key cryptographic operations on industrial devices, have during the authentication and key agreement phase, we have plotted
lower computational overhead compared to the proposed scheme and a graph (as shown in Fig. 6) illustrating the computational overheads
other schemes based on public-key cryptography [13,14,25]. However, of each entity and the total computational overheads as the number
their schemes suffer from significant security deficiencies. It is well of devices increases. The results show that the total computational
known that schemes solely based on symmetric cryptography cannot overhead of the proposed scheme in a multi-device communication sce-
effectively ensure a high level of security. According to the work nario is lower than that of other compared schemes. The computational
of Wang et al. [25], since these schemes do not deploy public-key overhead at the user is close to the schemes proposed in [14,23], and
operations on industrial devices, they fail to provide forward security. better than the scheme in [25]. The computational overhead at the in-
dustrial device is close to the scheme proposed in [25], and better than
To more clearly demonstrate the computational cost comparison the schemes in [14,23]. This is primarily because, to ensure forward
between the proposed scheme and the other public-key cryptography- security, the scheme requires at least two public key operations to be
based schemes [14,23,25] in a multi-device communication scenario
12
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
Table 5
Comparison of communication overheads for each scheme.
Scheme User/Vehicle Gateway/TA Industrial device/Smart device/CSP Total communication overhead Multi-device scenarios total
communication overhead
[24] 100𝑏𝑦𝑡𝑒 216𝑏𝑦𝑡𝑒 52𝑏𝑦𝑡𝑒 368𝑏𝑦𝑡𝑒 (184 + 184𝑛) 𝑏𝑦𝑡𝑒
[23] 168𝑏𝑦𝑡𝑒 200𝑏𝑦𝑡𝑒 300𝑏𝑦𝑡𝑒 668𝑏𝑦𝑡𝑒 (136 + 532𝑛) 𝑏𝑦𝑡𝑒
[13] 116𝑏𝑦𝑡𝑒 172𝑏𝑦𝑡𝑒 52𝑏𝑦𝑡𝑒 340𝑏𝑦𝑡𝑒 (168 + 172𝑛) 𝑏𝑦𝑡𝑒
[25] 160𝑏𝑦𝑡𝑒 480𝑏𝑦𝑡𝑒 96𝑏𝑦𝑡𝑒 736𝑏𝑦𝑡𝑒 (736𝑛)𝑏𝑦𝑡𝑒
[14] 112𝑏𝑦𝑡𝑒 164𝑏𝑦𝑡𝑒 268𝑏𝑦𝑡𝑒 544𝑏𝑦𝑡𝑒 (112 + 432𝑛) 𝑏𝑦𝑡𝑒
Our scheme 444𝑏𝑦𝑡𝑒 280𝑏𝑦𝑡𝑒 164𝑏𝑦𝑡𝑒 888𝑏𝑦𝑡𝑒 (724 + 164𝑛) 𝑏𝑦𝑡𝑒
deployed at the industrial device side. Both the proposed scheme and 6.3. Comparison of communication overhead
the scheme in [25] deploy two ECC point multiplications at the device
side, while the schemes in [14,23] deploy three point multiplications. This section compares the communication overhead of the proposed
As the computational overhead of the scheme is mainly influenced by scheme with the comparison schemes [13,14,2325] during the au-
the number of point multiplications, the computational overhead at thentication and key agreement phase. To achieve 128-bit security,
the industrial device in the proposed scheme is close to the scheme the elliptic curve parameter 𝑞 is chosen with a length of 32 bytes,
in [25]. Similarly, since point multiplication operations are deployed at making the elements in the group 𝐺 64 bytes long. It is assumed that
the industrial device side to compute the session key, in order to ensure the output length of the hash function, the length of the timestamp,
the secure negotiation of the session key and achieve a balance between the length of ciphertext for symmetric encryption/decryption, and the
security and efficiency, the proposed scheme deploys a certain amount length of random numbers are 32 bytes, 4 bytes, 16 bytes, and 16 bytes,
of point multiplication operations at the user side. This results in the respectively.
computational overhead at the user being similar to that of the schemes The proposed scheme involves four rounds of communication dur-
proposed in [14,23]. However, overall, the computational overhead ing the authentication and key agreement phase, with the communica-
at both the user and industrial device in the proposed scheme still tion messages for each round as follows: 𝑚𝑠𝑔1 , (𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 ),
{ }
meets the lightweight requirements. Furthermore, due to the use of the (𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 ), 𝑚𝑠𝑔5 . 𝑚𝑠𝑔1 = 𝑃 𝐼 𝐷𝑖 , 𝑇1 , 𝑀2 , 𝑀3 , 𝑀4 , which 𝑃 𝐼 𝐷𝑖 , 𝑀3
Chinese Remainder Theorem and time-limited tokens in the proposed , 𝑀4 is the output of hash function, 𝑇1 is timestamp, and 𝑀2 belongs
scheme, the computational overhead at the gateway node remains to group 𝐺. Therefore, the communication overhead of message 𝑚𝑠𝑔1
constant regardless of the number of industrial devices accessed by the is ||𝑚𝑠𝑔1 || = (32 + 4 + 64 + 32 + 32) = 164𝑏𝑦𝑡𝑒𝑠. Similarly, the com-
user in a multi-device communication scenario. Therefore, compared munication overheads of 𝑚𝑠𝑔2 , 𝑚𝑠𝑔3 , 𝑚𝑠𝑔4 , 𝑚𝑠𝑔5 are 100𝑏𝑦𝑡𝑒𝑠, 180𝑏𝑦𝑡𝑒𝑠,
to other schemes, the proposed scheme has a significant advantage 100𝑏𝑦𝑡𝑒𝑠, and 164𝑏𝑦𝑡𝑒𝑠, respectively.
in gateway lightweighting, effectively avoiding the issue of gateway In the multi-device communication scenario, due to the use of the
single-point failure, and is more suitable for IIoT environments where Chinese Remainder Theorem and time-limited tokens, a user only needs
users frequently communicate with multiple devices. to send three messages 𝑚𝑠𝑔1 , 𝑚𝑠𝑔3 , and 𝑚𝑠𝑔4 to access 𝑛 industrial de-
Further, in practical applications, the computational overhead of vices. Similarly, the gateway only needs to communicate with the user
hash operations is closely related to the byte length of the input data, by sending two messages 𝑚𝑠𝑔2 , and 𝑚𝑠𝑔3 . However, since each of the
and different hash operations in the scheme have(different input) data 𝑛 industrial devices needs to complete mutual authentication with the
lengths. For instance, when calculating 𝑟𝑖 = 𝑟𝑖𝑆 𝐾𝑢𝑖𝑇1 , the user and negotiate a distinct session key, the 𝑛 devices must collectively
input length of this hash operation is 68 bytes. This is because, to send 𝑛 messages 𝑚𝑠𝑔5 . In the multi-device communication scenario,
achieve 128-bit security, the elliptic curve parameter 𝑞 has a length of the total communication overhead of the proposed scheme during
32 bytes, the hash functions output length is 32 bytes, and the length the authentication and key agreement phase is (724+164𝑛) 𝑏𝑦𝑡𝑒. The
of the timestamp is 4 bytes. The analysis of the input data byte length communication overhead of the other schemes [13,14,2325] is shown
for the other hash operations follows the same logic, which will not be in Table 5, with the analysis method being the same as that used for
reiterated here. the proposed scheme and thus not elaborated further here. To provide
To more accurately and clearly evaluate the computational over- a clear comparison of the communication overheads of each scheme
head of the proposed scheme, we fully implemented it using the Miracl in a multi-device scenario, we select 𝑛 = 25. The results show that,
library. The experimental platform used is the same as that employed when 𝑛 = 25, the communication overheads for the respective schemes
for measuring the time of various cryptographic operations as described are 35.94kb, 26.11kb, 9.12kb, 8.56kb, and 21.20kb. In comparison,
earlier. We set 𝑛=10, meaning that we assessed the computational over- the communication overhead of the proposed scheme in this scenario
head incurred by the user, gateway, and each industrial device during is 8.71kb. Thus, the proposed scheme demonstrates a relatively low
batch authentication and key agreement when the user communicates communication overhead compared to the other schemes, making it
with 10 industrial devices. According to the experiment, the computa- suitable for real-world IIoT environments.
tional overhead at the user side during the batch authentication and key
agreement phase is 8.5487 ms, the gateways computational overhead 7. Conclusion
is 0.7433 ms, and the computational overhead for each industrial
device is 1.4625 ms. The experimental results show that when the This paper proposes a batch AKA scheme for the IIoT environ-
user performs batch authentication and key agreement with multiple ment, designed based on elliptic curve cryptography combined with the
industrial devices, the computational overhead on the industrial de- Chinese Remainder Theorem and the concept of time-limited tokens.
vices and the gateway is lightweight. On the other hand, since the user The scheme enables batch authentication between a user and multiple
needs to negotiate different session keys with each industrial device, industrial devices and establishes distinct session keys for secure sub-
the computational overhead on the user side is higher than that of the sequent communications. It satisfies the lightweight requirements for
gateway and industrial devices. Overall, the computational overhead of the gateway and all entities, making it suitable for resource-constrained
the proposed scheme is acceptable for all communication entities in the IIoT environments. The security of the proposed scheme is demon-
IIoT environment. strated through formal proofs, heuristic analysis, and verification using
13
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
the Scyther tool. Performance analysis indicates that, compared to [18] M. Zhang, J. Zhou, G. Zhang, M. Zou, M. Chen, EC-BAAS: Elliptic curve-based
existing schemes, the proposed scheme meets all specified security batch anonymous authentication scheme for Internet of Vehicles, J. Syst. Archit.
requirements with lower computational and communication overheads 117 (2021) 102161.
and shows a significant advantage in lightweight operation at the [19] C. Pu, K.-K.R. Choo, A lightweight aggregate authentication protocol for Inter-
net of Drones, in: 2024 IEEE 21st Consumer Communications & Networking
gateway node.
Conference, CCNC, IEEE, 2024, pp. 143151.
[20] W. Mao, P. Jiang, L. Zhu, Locally verifiable batch authentication in IoMT, IEEE
CRediT authorship contribution statement Trans. Inf. Forensics Secur. (2023).
[21] H. Shen, T. Wang, J. Chen, Y. Tao, F. Chen, Blockchain-based batch au-
Xiaohui Ding: Writing review & editing, Writing original draft, thentication scheme for Internet of Vehicles, IEEE Trans. Veh. Technol.
Formal analysis. Jian Wang: Writing review & editing, Formal anal- (2024).
ysis. Yongxuan Zhao: Writing review & editing. Zhiqiang Zhang: [22] C. Maurya, V.K. Chaurasiya, Efficient anonymous batch authentication scheme
Writing review & editing. with conditional privacy in the Internet of Vehicles (IoV) applications, IEEE
Trans. Intell. Transp. Syst. 24 (9) (2023) 96709683.
Declaration of competing interest [23] J. Cui, X. Zhang, H. Zhong, J. Zhang, L. Liu, Extensible conditional privacy
protection authentication scheme for secure vehicular networks in a multi-cloud
environment, IEEE Trans. Inf. Forensics Secur. 15 (2019) 16541667.
The authors declare that they have no known competing finan-
[24] R. Vinoth, L.J. Deborah, P. Vijayakumar, N. Kumar, Secure multifactor authen-
cial interests or personal relationships that could have appeared to
ticated key agreement scheme for industrial IoT, IEEE Internet Things J. 8 (5)
influence the work reported in this paper. (2020) 38013811.
[25] C. Wang, D. Wang, Y. Duan, X. Tao, Secure and lightweight user authentication
Data availability scheme for cloud-assisted Internet of Things, IEEE Trans. Inf. Forensics Secur.
(2023).
Data will be made available on request. [26] M.L. Das, Two-factor user authentication in wireless sensor networks, IEEE Trans.
Wirel. Commun. 8 (3) (2009) 10861090.
[27] A. Barati, A. Movaghar, M. Sabaei, RDTP: Reliable data transport protocol in
References wireless sensor networks, Telecommun. Syst. 62 (2016) 611623.
[28] P. Alimoradi, A. Barati, H. Barati, A hierarchical key management and authenti-
[1] S. Li, L.D. Xu, S. Zhao, The Internet of Things: a survey, Inf. Syst. Front. 17
cation method for wireless sensor networks, Int. J. Commun. Syst. 35 (6) (2022)
(2015) 243259.
e5076.
[2] I. Zhou, I. Makhdoom, N. Shariati, M.A. Raza, R. Keshavarz, J. Lipman, M.
Abolhasan, A. Jamalipour, Internet of Things 2.0: Concepts, applications, and [29] S.A. Khah, A. Barati, H. Barati, A dynamic and multi-level key management
future directions, IEEE Access 9 (2021) 7096171012. method in wireless sensor networks (WSNs), Comput. Netw. 236 (2023) 109997.
[3] S.H. Shah, I. Yaqoob, A survey: Internet of Things (IOT) technologies, applica- [30] C.-G. Ma, D. Wang, S.-D. Zhao, Security flaws in two improved remote user
tions and challenges, in: 2016 IEEE Smart Energy Grid Engineering, SEGE, IEEE, authentication schemes using smart cards, Int. J. Commun. Syst. 27 (10) (2014)
2016, pp. 381385. 22152227.
[4] M.S. Azhdari, A. Barati, H. Barati, A cluster-based routing method with authen- [31] V.S. Miller, Use of elliptic curves in cryptography, in: Conference on the Theory
tication capability in vehicular Ad Hoc networks (VANETs), J. Parallel Distrib. and Application of Cryptographic Techniques, Springer, 1985, pp. 417426.
Comput. 169 (2022) 123. [32] N. Koblitz, Elliptic curve cryptosystems, Math. Comp. 48 (177) (1987) 203209.
[5] E. Sisinni, A. Saifullah, S. Han, U. Jennehag, M. Gidlund, Industrial Internet of
[33] W. Diffie, M.E. Hellman, New directions in cryptography, in: Democratizing
Things: Challenges, opportunities, and directions, IEEE Trans. Ind. Inform. 14
Cryptography: The Work of Whitfield Diffie and Martin Hellman, 2022, pp.
(11) (2018) 47244734.
365390.
[6] P.K. Malik, R. Sharma, R. Singh, A. Gehlot, S.C. Satapathy, W.S. Alnumay, D.
Pelusi, U. Ghosh, J. Nayak, Industrial Internet of Things and its applications in [34] J. Zhang, J. Cui, H. Zhong, Z. Chen, L. Liu, PA-CRT: Chinese remainder theorem
industry 4.0: State of the art, Comput. Commun. 166 (2021) 125139. based conditional privacy-preserving authentication scheme in vehicular Ad-Hoc
[7] W.Z. Khan, M. Rehman, H.M. Zangoti, M.K. Afzal, N. Armi, K. Salah, Industrial networks, IEEE Trans. Dependable Secur. Comput. 18 (2) (2019) 722735.
Internet of Things: Recent advances, enabling technologies and open challenges, [35] D. Dolev, A. Yao, On the security of public key protocols, IEEE Trans. Inform.
Comput. Electr. Eng. 81 (2020) 106522. Theory 29 (2) (1983) 198208.
[8] A.G. Mirsaraei, A. Barati, H. Barati, A secure three-factor authentication scheme [36] B. Authentication, EAP-DDBA: Efficient anonymity proximity device discovery
for IoT environments, J. Parallel Distrib. Comput. 169 (2022) 87105. and batch authentication mechanism for massive D2D communication devices in
[9] L. Khajehzadeh, H. Barati, A. Barati, A lightweight authentication and au- 3GPP 5G HetNet, 2020.
thorization method in IoT-based medical care, Multimedia Tools Appl. (2024)
[37] M. Abdalla, P.-A. Fouque, D. Pointcheval, Password-based authenticated key
140.
exchange in the three-party setting, in: Public Key Cryptography-PKC 2005: 8th
[10] Y. Chen, F. Yin, S. Hu, L. Sun, Y. Li, B. Xing, L. Chen, B. Guo, ECC-based
International Workshop on Theory and Practice in Public Key Cryptography, Les
authenticated key agreement protocol for industrial control system, IEEE Internet
Diablerets, Switzerland, January 23-26, 2005. Proceedings 8, Springer, 2005, pp.
Things J. 10 (6) (2022) 46884697.
6584.
[11] X. Li, J. Niu, M.Z.A. Bhuiyan, F. Wu, M. Karuppiah, S. Kumari, A robust
ECC-based provable secure authentication protocol with privacy preserving for [38] C.-C. Chang, H.-D. Le, A provably secure, efficient, and flexible authentication
industrial Internet of Things, IEEE Trans. Ind. Inform. 14 (8) (2017) 35993609. scheme for ad hoc wireless sensor networks, IEEE Trans. Wirel. Commun. 15 (1)
[12] J. Srinivas, A.K. Das, M. Wazid, A.V. Vasilakos, Designing secure user authen- (2015) 357366.
tication protocol for big data collection in IoT-based intelligent transportation [39] D. Wang, H. Cheng, P. Wang, X. Huang, G. Jian, Zipfs law in passwords, IEEE
system, IEEE Internet Things J. 8 (9) (2020) 77277744. Trans. Inf. Forensics Secur. 12 (11) (2017) 27762791.
[13] Y. Ming, P. Yang, H. Mahdikhani, R. Lu, A secure one-to-many authentication [40] C. Cremers, The Scyther Tool, University of Oxford, Department of Computer
and key agreement scheme for industrial IoT, IEEE Syst. J. (2022). Science, 2024, http://www.cs.ox.ac.uk/people/cas.cremers/scyther. (Accessed 08
[14] J. Zhang, H. Zhong, J. Cui, Y. Xu, L. Liu, SMAKA: Secure many-to-many Sep 2024).
authentication and key agreement scheme for vehicular networks, IEEE Trans.
[41] J. Cao, M. Ma, Y. Fu, H. Li, Y. Zhang, CPPHA: Capability-based privacy-
Inf. Forensics Secur. 16 (2020) 18101824.
protection handover authentication mechanism for SDN-based 5G HetNets, IEEE
[15] S. Mandal, S. Mohanty, B. Majhi, CL-AGKA: Certificateless authenticated group
Trans. Dependable Secur. Comput. 18 (3) (2019) 11821195.
key agreement protocol for mobile networks, Wirel. Netw. 26 (4) (2020)
30113031. [42] C. Lai, Y. Ma, R. Lu, Y. Zhang, D. Zheng, A novel authentication scheme
[16] P. Xu, H. Wu, X. Tao, C. Wang, D. Chen, G. Nan, Anti-quantum certificateless supporting multiple user access for 5G and beyond, IEEE Trans. Dependable
group authentication for massive accessing IoT devices, IEEE Internet Things J. Secur. Comput. (2022).
(2024). [43] Miracl, MIRACL core, 2024, https://github.com/miracl/core. (Accessed: 08 Sep
[17] S. Wu, C. Hsu, Z. Xia, J. Zhang, D. Wu, Symmetric-bivariate-polynomial-based 2024).
lightweight authenticated group key agreement for industrial Internet of Things,
J. Internet Technol. 21 (7) (2020) 19691979.
14
X. Ding et al. Journal of Systems Architecture 160 (2025) 103368
Xiaohui Ding is currently working toward the Ph.D. degree Yongxuan Zhao received his Masters degree in Manage-
at the College of Computer Science and Technology, Nanjing ment from Beijing Institute of Technology, Beijing, China
University of Aeronautics and Astronautics, Nanjing, China. in 2013. He is currently a researcher and director of the
His research interests include applied cryptography, IIoT Information Technology Research Center of China Academy
security, and authentication and key agreement protocols. of Aero-Engine Research. His research interests include in-
formation technology, industrial digital transformation and
IIoT security.
Zhiqiang Zhang is currently working toward the Ph.D.
Jian Wang received his M.S. degree in engineering from degree at the College of Computer Science and Technol-
Southeast University, Nanjing, China in 1992. and received ogy, Nanjing University of Aeronautics and Astronautics,
the Ph.D. degree s in Nanjing University in 1998. He ever Nanjing, China. His research interests include public key
is a postdoc at Tokyo University from 2000 to 2002. He is cryptography and privacy-preserving protocols.
currently a Professor at the College of Computer Science
and Technology, Nanjing University of Aeronautics and
Astronautics. His research interests include applied cryptog-
raphy, cryptographic protocol and malicious tracking. He
has published more than 60 papers in international journals
and conferences.
15
Reference in New Issue View Git Blame Copy Permalink