Professional Documents
Culture Documents
An Enhanced RFID-Based Authentication Protocol Using PUF For Vehicular Cloud Computing
An Enhanced RFID-Based Authentication Protocol Using PUF For Vehicular Cloud Computing
Research Article
An Enhanced RFID-Based Authentication Protocol using PUF for
Vehicular Cloud Computing
Received 8 March 2022; Revised 2 May 2022; Accepted 19 May 2022; Published 30 July 2022
Copyright © 2022 Vikas Kumar et al. This is an open access article distributed under the Creative Commons Attribution License,
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
RFID (radio frequency identification) is an Internet of Things (IoT) enabling technology. All physical devices can be
connected to the Internet of Things thanks to RFID. When RFID is extensively utilized and fast increasing, security and
privacy concerns are unavoidable. Interception, manipulation, and replay of the wireless broadcast channel between the tag
and the reader are all possible security threats. Unverified tags or readers provide untrustworthy messages. IoT requires
a safe and consistent RFID authentication system. PUFs are also physical one-way functions made up of the unique
nanoscopic structure of physical things and their reactivity to random occurrences. PUF includes an unclonable feature that
takes advantage of physical characteristics to boost security and resistance to physical attacks. We analyze the security of the
RSEAP2 authentication protocol that has been recently proposed by Safkhani et al., a hash-based protocol, and elliptic curve
cryptosystem-based protocol. Our security analysis clearly shows important security pitfalls in RSEAP2 such as mutual
authentication, session key agreement, and denial-of-service attack. In our proposed work, we improved their scheme and
enhanced their version using physically unclonable function (PUF), which are used by the proposed protocol in tags. This
research proposes a cloud-based RFID authentication technique that is both efficient and trustworthy. To decrease the RFID
tag’s overhead, the suggested authentication approach not only resists the aforementioned typical assaults and preserves the
tag’s privacy, but also incorporates the cloud server into the RFID system. According to simulation results, our approach is
efficient. Moreover, according to our security study, our protocol can withstand a variety of attacks, including tracking,
replay, and desynchronization assaults. Our scheme withstands all the 18 security features and further consumes the
computation cost as 14.7088 ms which is comparable with the other schemes. Similarly, our scheme consumes the
communication cost as 672 bits during the sending mode and 512 bits during the receiving mode. Overall, the performance
of our proposed method is equivalent to that of related schemes and provides additional security features than existing
protocols. Mutual authentication, session key generation, and ephemeral session security are all achieved. Using the real-or-
random concept, we formalize the security of the proposed protocol.
identification need intimate touch, which is inflexible. mobile computing, and VCC authentication protocols are
Currently, some of these identification methods are unable reviewed in this section and are shown in Table 1. Also, the
to protect personal information [1]. In contrast, RFID is details of PUF-based recent works are given in Table 2.
a noncontact automatic identification technology that does
not need mechanical or visual contact between the system
and the target, and security protections can help keep user 2.1. Problem Definition. Security protocols, such as au-
information private. Because of these advantages, RFID has thentication methods, are supposed to ensure the confi-
emerged as one of the most promising IoT technologies [2]. dentiality, integrity, and availability (CIA triangle) of
An RFID system consists of RFID tags, RFID readers, security. The parties to the protocols must be able to au-
and a database server. Tag-affixed objects are uniquely thenticate and synchronize with one another at any moment.
identifiable, and their identifying information is saved. They Desynchronization attacks can break this condition by
communicate with the reader using radio waves. In a typical blocking protocol messages or forcing protocol parties to
RFID system, the database server is a local back-end server. modify their shared secret values to different values, pre-
When RFID devices generate a large number of data, venting the parties from authenticating each other and
back-end servers’ performance is limited. Cloud computing destroying service availability. Many protocols have been
overcomes this problem in the IoT context. As a result, the developed in the literature to satisfy CIA security standards;
integration of the cloud platform with the RFID system is however, multiple instances of attacks [2, 10–14] against
required [2, 3]. RFID systems’ reliability and data processing them show that they have failed to achieve the needed se-
capabilities have dramatically enhanced since the in- curity. As a result, attempts to build a secure protocol are still
troduction of cloud computing. Almost all of the data ac- continuing, and new attacks are emerging that provide
quired by RFID sensors are processed on the cloud, which designers fresh insight into how to (not) design a protocol.
can aid in the resolution of issues such as data loss and As a result of these assaults and security evaluations, the
latency [4]. In the IoT, the most commonly used public protocols have progressed.
cloud servers are only semi-trustworthy. Because of the
properties described above, the RFID system is vulnerable to
attack. As a result, IoT necessitates the use of a secure and 2.2. Motivation and Contributions. In recent years, a number
reliable RFID authentication system. of key agreement and authentication techniques have been
Similarly, a number of protocols based on physically created. Most of these protocols have a greater calculation
unclonable functions (PUFs) have been proposed [12–14]. cost, making them unsuitable with devices with limited
PUFs are, in reality, physical one-way functions derived resources. We also noticed that the literature reviewed above
from the unique nanoscopic structure of physical things did not take into account the physical factors of security for
(e.g., integrated circuits, crystals, magnets, lenses, solar cells, vehicle RFID communication systems in VCC situations.
or papers) and their reactivity to random occurrences. The However, in the automotive RFID communication envi-
quirks in the manufacturing process of the items are re- ronment, the necessity of PUF receives a lot of attention in
sponsible for the innate uniqueness of the structure and the literature.
reactivity. It enables for both the unique identification and A PUF-based protocol is capable of dealing with physical
authentication of an object. Furthermore, it is considered security risks. Even stealing the PUF from the on-board
that copying an object’s PUF (and hence the object itself ) is memory will not allow an attacker to obtain it. As a result, for
impossible, which might be seen as a security-by-design VCC, we developed a PUF-enabled RFID-based authenti-
feature that prevents impersonation and cloning attacks. As cation protocol. The following are some of the many con-
a result, PUFs are regarded as a trustworthy and well-known tributions made by this research:
physical security method for developing IoT authentication (1) To build an authentication protocol for VCC com-
protocols. Physical devices are protected by PUF-based munication, the system and threat models are de-
protocols, which are resistant to physical attacks and provide fined first.
multilayer protection. Furthermore, even if the device is
stolen, the attacker will not be able to use the PUF. However, (2) We created a PUF-enabled RFID-based authenti-
the majority of proposed VANET solutions are still subject cation mechanism using the hypothesized attack
to different security concerns such as replay attacks, im- model.
personation attacks, forgery attacks, and non-repudiation
(3) To keep the proposed protocol’s cost minimal, only
attacks. As a result, it is critical to build a viable VANET
fundamental cryptographic operations such as ECC,
solution to address the existing issues.
XOR, concatenation, and hash function are used.
PUF is also used to protect against recognized
2. Literature and Related Works physical security risks.
Several RFID authentication schemes have used elliptic (4) Our approach ensures that possible security threats
curve cryptography in recent years (ECC). Due to the dif- are avoided, based on formal and informal security
ficulties of resolving the discrete logarithm problem (DLP), assessments.
ECCs have demonstrated their efficiency in assuring security (5) The results of the performance study show that our
and privacy. The state-of-the-art of ECC-based RFID, protocol is superior to other similar protocols.
Security and Communication Networks 3
Table 1: Summary of cryptographic techniques applied and limitations of previous existing user authentication mechanisms.
Scheme Year Cryptographic techniques Advantages Drawbacks/limitations
(i) Uses “one-way cryptographic hash (i) Fits for vehicular cloud (i) Fails to preserve “revocability”
Jiang et al. [3] 2018
function” networking environment (ii) Prone to “replay attack”
(i) Does not support “revocability
(i) Based on “RFID”
(i) Applicable in IoT and password/biometric update”
Alamr et al. [5] 2018
(ii) Applies “ECC cryptographic technique” environment (ii) Vulnerable to “data integrity
(iii) Uses “to support IoT” and key compromise”
(i) Fails to preserve
(i) Based on “RFID technology” uses “one- (i) Does not fit for generic
Dinarvand and “impersonation and key
2019 way cryptographic hash function” IoT networking
Barati [6] compromise”
environment
(ii) Based on “ECC cryptographic technique” (ii) No “formal security” analysis
(i) Based on “three factors (user mobile
(i) Does not support “revocability
device, user password, and personal
and password/biometric update”
biometrics” (i) Applicable in industrial
Bagga et al. [1] 2018
(ii) Applies “ECC cryptographic technique” IoT environment
(ii) Vulnerable to “known session
(iii) Uses “fuzzy extractor for biometric
key attack”
verification”
(i) Based on “three factors (smart card, user
password, and biometrics)” uses “one-way (i) Fails to preserve “revocability”
(i) Fits for generic IoT
Kumar et al. [7] 2020 cryptographic hash function”
networking environment
(ii) Based on “fuzzy extractor for biometric
(ii) No “formal security” analysis
verification”
(i) Based on “three factors (user mobile
(i) Does not support “revocability
device, user password, and personal
and password/biometric update”
biometrics” (i) Applicable in cloud
Jiang et al. [4] 2018
(ii) Applies “ECC cryptographic technique” environment
(ii) Vulnerable to “known session
(iii) Uses “fuzzy extractor for biometric
key attack”
verification”
Hosseinzadeh (i) Based on “RFID systems” uses “one-way (i) Fits for IoT networking (i) Fails to preserve “revocability”
2020
et al. [8] cryptographic hash function” environment (ii) No “session key agreement”
(i) Based on “RFID systems and quadratic
residue” uses “Gong-Needham-Yahalom (i) Fits for healthcare (i) Fails to preserve “revocability”
Zhu [9] 2020
(GNY) logic” environment
(ii) Confined to “healthcare system” (ii) Desynchronization issues
(i) Based on “RFID systems” uses “arithmetic (i) Does not have to freedom to
(i) Fits for communicating
calculation of ECC” connect with the cloud server
Gabsi et al. [10] 2021 reader to reader
(ii) Not suitable for cloud
(ii) Based on “ECC cryptographic system” environment
environment
(i) Based on “three factors (user mobile
(i) Does not support “revocability
device, user password, and personal
and password/biometric update”
biometrics” (i) Applicable in industrial
Mishra et al. [11] 2018
(ii) Applies “ECC cryptographic technique” IoT environment
(ii) Vulnerable to “known session
(iii) Uses “fuzzy extractor for biometric
key attack”
verification”
(i) Fails to establish “mutual
authentication”
(i) Based on “RFID and ECC cryptosystem” (i) Fits for IoT networking (i) No proper “session key
Safkhani et al. [2] 2021
Uses “one-way cryptographic hash function” environment agreement”
(ii) Could not resist “denial-of-
service”
2.3. Roadmap of Article. The rest of the article is structured performance analysis is presented in Section 8. Section 9
as follows: The preliminaries are presented in Section 3. The concludes the article.
RSEAP2 system is described in detail in Section 4. We give
a security study of the RSEAP2 protocol as well as various 3. Definitions and Mathematical Preliminaries
efficient and strong attacks against it in Section 5. The
improved protocol is presented in Section 6. In Section 7, we The key size comparison between the public-key crypto-
provide a verifiable security analysis of our approach. The systems like ECC and RSA shows that the communication
4 Security and Communication Networks
Table 2: Continued.
Cryptographic techniques and
Scheme Year Advantages Drawbacks/limitations
environment
(i) The proposed protocols use
lightweight cryptographic
operations, including a one-way
Lightweight fog computing-based cryptographic hash function, the
Lee and Chen authentication protocols using barrel shifter physically unclonable This study is restricted to fog
2021
[23] physically unclonable functions for function (BS-PUF) environment
Internet of medical Things (ii) This study ensures the security of
the sensors and fog nodes and to
avoid a computational burden on
devices
(i) This article discusses the supply
chain’s security critical application
areas and presents a detailed survey
of the security issues in the existing
supply chain architecture This study is a survey work and fails
A survey on supply chain security:
(ii) Various emerging technologies, to address the security features and
Hassija et al. [24] 2021 application areas, security threats,
such as blockchain, machine how they can be applied for the AKA
and solution architectures
learning (ML), and physically protocols
unclonable functions (PUFs) as
solutions to the vulnerabilities in the
existing infrastructure of the supply
chain
messages can utilize the elliptic curve cryptosystem to reduce (b) “Elliptic curve computational Diffie–Hellman
the communication bandwidth. The key size comparison problem (ECCDHP)”: If g is the generator of G
between ECC and RSA is given in Table 3. and α.g, β.g are supplied (g, α.g, β.g), then
computing α.β.g in G is difficult.
Desynchronization attack: If a protocol’s authentica- MR1 � PWT, IDTi , TSR1 to S. Once S received M1 , verifies
tion is reliant on shared values, an adversary may cause the timestamp, that is |TSR2 − TSR1 |? ≤ tTS xΔT at the first.
desynchronization difficulties. If the shared data are Next, it generates sni Fq and sets it as the Ti ’s serial number,
updated by the server but the tag is not, the server computes XTi � h(sni ‖IDTi ‖xS ), ATi � h(PWT‖
might be unable to validate the tag in the future. At- (XTi ⊕IDTi )), BTi � XTi ⊕PWT, and stores sni corresponding
tempts to desynchronize should be avoided at all costs. to IDTi . It then sends tuple MR2 � ATi ,
Untraceability: Untraceability in the RFID communi- BTi , sni , g, xs .g, G, h(.)} to Ti . The tag Ti stores
cation system means that no one can track the par- ATi , BTi , sni , g, xs .g, G, h(.).
ticipants’ activity patterns or their relayed messages. The description of the protocol is as follows:
Session key agreement: A session key agreement L1. Ti uses it credentials (IDTi , pwTi , RTi ), computes
will be made between users and their mobile PWT � h(IDTi ‖(pwTi ⊕RTi )), X∗Ti � BTi ⊕PWT, and
devices, as well as the network control centre, fol- ?
verifies A∗Ti � h(PWT‖(X∗Ti ⊕IDTi )). If verification is
lowing the successful deployment of the proposed successful, Ti generates α ∈ F∗q , calculates α.g and
protocol. W1 � h((α.g)⊕(X∗Ti ‖IDTi )‖TSLA1 ), and sends
Confidentiality: The security of RFID communications M1 � (IDTi ‖W1 )⊕α.xs .g, α.g, TSLA1 to the reader Rj .
between the tag and the reader is ensured by encrypting
L2. The reader checks the timestamp, that is,
shared secrets on the public channel.
|TSLA2 − TSLA1 |? ≤ tTR ΔT, generates β ∈ F∗q , computes
Perfect forward secrecy: This is utilized in the au- β.g, and then sends M2 � M1 , TSLA3 ,
thentication protocol architecture to keep previously β.g, (h((TSLA1 ‖TSLA3 ) ⊕(xRi .g))‖IDRj )⊕β.xs .g} to S.
transmitted messages private, so that an adversary who
obtains the entities private and public keys will be L3. Once S received M2 , it verifies the timestamps, that
unable to deduce a past session key. is, |TSLA4 − TSLA1 |? ≤ tTS xΔT and |TSLA4 −
Availability: The authentication and key agreement TSLA3 |? ≤ tRS × ΔT. Next S extracts h∗ (TSLA1 ‖
mechanism between the RFID tag and the RFID TSLA3 ⊕(xRi .g))‖RID∗i �
back-end database server operates continuously in h((TSLA1 ‖TSLA3 ⊕(xRi .g))‖RIDi , retrieves xRi .g from
an RFID system. To accomplish the characteristic of the database, and evaluates h((TSLA1 ‖TSLA3 ⊕(xRi .g))
accessibility, the shared secret information between to authenticate Rj . After the successful authentication
the RFID tag and the RFID back-end database server on Rj parameters, S extracts ID∗T ‖W∗1 , verifies
?
must be updated in most authentication procedures. W∗1 � h((α.g)⊕(X∗T ‖ID∗T )‖TSLA1 ), retrieves the related
However, security issues such as denial-of-service sni using ID∗T , computes X∗T � h(sni ‖ID∗T ‖xs ), and
?
(DoS) or desynchronization attacks may cause this verifies W∗1 � h((((α.g) ⊕(X∗T ‖ID∗T ))‖TSLA1 ). Further
process to be disrupted. As a result of these prob- generating c ∈ F∗q , computing the session key SKST �
lems, the RFID system’s efficiency may be jeopar- h ((ID∗T ⊕XT )‖(α.β.c.g⊕
dized. Hence, this issue should be considered while xs .α.g)‖(sni ⊕(TSLA1 ‖TSLA5 ))), W2 � h(ID∗T ‖SKST ),
creating an authentication mechanism. and sending M3 � W2 ⊕h (RIDi ‖β.c.g),
c.g, TSLA5 , h(RIDi ‖TSLA5 ‖β.c.g)} to Rj .
L4. Rj verifies the timestamp, that is,
4. RSEAP2 Protocol |TSLA5 − TSLA3 |? ≤ tSR xΔT and h(RIDi ‖TSLA5 ‖β.c.g)
to authenticate S. Subsequently, it extracts W2 and then
We offer a brief explanation of RSEAP2 [2] in this section.
sends M4 � W2 , β.c.g, TSLA5 to Ti .
The tag Ti and the cloud database server S interact through
the reader Rj to establish a session key SKST in this protocol. L5. Similarly, Ti verifies the timestamp, that is,
It is divided into two parts. The tag enrollment or startup |TSLA7 − TSLA1 |? ≤ tST xΔT and |TSLA5 − TSLA1 |? ≤
phase is the first step, in which the tag talks with S via tRT xΔT, and then computes SKTS �
a secure connection to provide the needed data. The login h((IDT ⊕XT )‖(α.β.c.g⊕xs .α.g)‖(sni ⊕(TSLA1 ‖TSLA5 )))
?
and authentication phase is the second phase of the protocol, and checks W∗2 � h(IDT ‖SKTS ). If so, it sets SKTS as the
and it is used to perform mutual authentication and share session key.
the session key SKST � SKTS . This part of the communi-
cation takes place via a public network. We have made use of 5. Security Analysis of RSEAP2
the notations as shown in Table 4.
In the initialization phase of RSEAP2, the server S 5.1. Inefficient Mutual Authentication Attack. On receiving
chooses an elliptic curve E(Fq ) over Fq and a generator g the message M2 from the reader Rj , the cloud database
over G. It also selects xs F∗q as its secret key and its public key server S extracts and computes to validate the user and
will be xs .g. Any tag Ti which aims to register with S inputs reader. The details are as follows:
its IDTi and pwTi , generates a random value RTi Fq , com- (1) The cloud server performs the computations and
putes PWT � h(IDTi ‖(pwTi ⊕RTi )), and sends the tuple validates the timestamps such as
8 Security and Communication Networks
|TSLA4 − TSLA1 |? ≤ tTS xΔT and |TSLA4 − TSLA3 |? ≤ (2) Now you can see that the tag Ti did not retrieve or
tRS × ΔT. has the potential to draw out the value
(α.β.c.g⊕xs .α.g) but still perform the computation
(2) Next S extracts h∗ ((TSLA1 ‖TSLA3 ⊕(xRi .g))‖RID∗i � to validate the session key.
h((TSLA1 ‖TSLA3 ⊕(xRi .g))‖RIDi , retrieves xRi .g from
the database, and evaluates This validation never gets successful as it is a known fact
h((TSLA1 ‖TSLA3 ⊕(xRi .g)) to authenticate Rj . that without the proper parameters and values the verifi-
cation fails and the tag and the cloud server cannot establish
(3) After the successful authentication on Rj parameters, the session key for the future communications. Thus, this
S extracts ID∗T ‖W∗1 , verifies scheme holds the inefficiency to perform session key
∗? ∗ ∗
W1 � h((α.g)⊕(XT ‖IDT )‖TSLA1 ), retrieves the re- establishment.
lated sni using ID∗T , computes X∗T � h(sni ‖ID∗T ‖xs ),
?
and verifies W∗1 � h(((α.g)⊕(X∗T ‖ID∗T ))‖TSLA1 ) the
authenticity of the user. 5.3. Denial-of-Service Attack. According to RSEAP2’s
scheme, the legitimate participants tries to communicate to
(4) It further generates c ∈ F∗q and computes the session each other and get the services as and when required, but
key SKST � h((ID∗T ⊕XT )‖(α.β.c.g⊕xs .α.g)‖(sni from the security flaw as shown above in Sections 5.1 and 5.2,
⊕(TSLA1 ‖TSLA5 ))). we understood that the scheme fails to establish the session
But the conflict here is that the cloud server fails to key and mutual authentication. This shows the enough
compute the proper session key to pass it on to the tag for the conclusive evidence that the scheme fails to provide services
validation. The reason is that the cloud server could not to the participants thought the tag and readers are the le-
retrieve the random values generated by the tag and reader gitimate participants in the system. Hence, this scheme is
such as α, β ∈ F∗q , and in the session key the cloud server prone to the denial-of-service attack.
uses (α.β.c.g⊕xs .α.g) value without the knowledge of the
random numbers. Though the cloud server performs this 6. Our Proposed Scheme
computation, it would be certainly a garbage value which the
tag cannot validate at any given point of time. Thus, this This section presents the proposed secure authentication
scheme holds the inefficiency to perform mutual protocol and the program architecture which is divided into
authentication. a tag, a reader, and a cloud server for parallel processing,
with each component working independently. In this ar-
chitecture as shown in Figure 2, the tag initiates the com-
5.2. Inefficient Session Key Establishment Attack. On re-
munication by computing the validating message and
ceiving the message m3 from the cloud server, the tag
transmits the validating message with a virtual ID to the
performs the mutual authentication verification. But, the
reader. Upon receiving the message, it challenges the reader
verification gets fails. The details are as follows:
to validate the message. Thus, the reader computes the
(1) As discussed in the above Section 5.1, we understood validating message and transmits the validating message
that the cloud server fails to compute the authentic with the virtual ID to the cloud server for further process.
session key. However, on receiving the message from Once the message is received by the cloud server, it validates
the cloud server, Ti verifies the timestamp, that is, the reader message thereby the cloud server authenticates
|TSLA7 − TSLA1 |? ≤ tST xΔT and |TSLA5 − TSLA1 |? ≤ the reader and tag. After the successful authentication, it
tRT xΔT, and then computes SKTS � h((IDT computes the session key to establish the key. Further, at the
⊕XT )‖(α.β.c.g⊕ xs .α.g)‖(sni ⊕(TSLA1 ‖TSLA5 ))) and next stage, the reader receives the Ack1 and Ack2 from the
?
checks W∗2 � h(IDT ‖SKTS ). If so, it sets SKTS as the cloud server as an acknowledgment. Then the check happens
session key. in the next stage, where the tag receives Ack1 from the reader
Security and Communication Networks 9
and simultaneously the reader checks the received Ack2. LA4: After receiving the response from S, Rj checks
?
Finally, once the check is successful, the tag establish the TSLA5 , verifies W4 � h(IDRj ‖ARj ‖TSLA5 ‖pidRj ), and
session key and end the process (see process flow diagram in sends M4 � W3 , β.g, TSLA5 to Ti .
Figure 2). LA5: On receiving the response from Rj , Ti verifies
In this section, we present our proposed scheme. In the TSLA5 , computes SKTS � h((IDTi ⊕ATi )‖(α.β.g‖α.xs .g)
initialization phase, the server S chooses an elliptic curve ‖t(sni ⊕(TSLA1 ‖TSLA5 ))), and checks
E(Fq ) over Fq and a generator g over G. It also selects ?
W∗3 � h(α.β.g‖SKTS ‖ATi ‖pidTi ). On successful verifi-
xs ∈ F∗q as its secret key and its public key will be xs · g. Any cation, Ti sets SKTS as the session key.
tag Ti which aims to register with S, inputs its IDTi , pwTi ,
generates challenge CTi , computes αTi � PUF(CTi ),
paTi � αTi ⊕h(IDTi ‖pwTi ), and sends the tuple 6.2. Revocation and Reissue Phase. To revoke the access of Ti ,
MR1 � IDTi , αTi , CTi to S. Once S received MR1 , verifies in S checks for the availability of IDTi during the subsequent
the records whether IDTi exists or not. If the IDTi is new, it login attempts. The tag will be given or refused access on the
generates sni ∈ Fq , computes pidTi � sni · xs · g, basis of the check. Since all dynamic identities have a finite
ATi � h((αTi ⊕IDTi )‖pidTi ), and stores pidTi , CTi , sni , αTi lifetime, it is also impossible to continuously use the same
dynamic identity.
corresponding to IDTi . It then sends tuple MR2 � pidTi , ATi
In addition, the next steps to get new credentials are
to Ti . The tag Ti computes PWT � h(IDTi ‖(pwTi ⊕αTi )‖paTi )
crucial when a tag Ti from an approved registered user is
and stores PWT, pidTi , paTi , ATi . Similarly, reader Rj aims to
stolen/lost.
register with S, generates challenge CRj , computes
αRj � PUF(CRj , paRj � CRj ⊕IDRj ), and sends RR1: The tag keeps the same IDTi , but chooses
a password pwRTi and generates challenge CRTi to
MR3 � IDRj , αRj , paRj to the cloud database server S. S compute αRTi � PUF(CRTi ), paRTi � αRTi ⊕h(IDTi ‖pwRTi ).
computes pidRj by its private key and CRj � paRj ⊕IDRj , Further submitting the revocation request
α∗Rj � PUF(CRj ), ARj � h((α∗Rj ⊕IDRj )‖pidRj ); sends MRR1 � IDTi , αRTi , CRTi to the cloud database server S
MR4 � pidRj , ARj ; and stores pidRj , IDRj , CRj , αRj in its through secure channel.
database. Further Rj also stores pidRj , paRj , ARj . The il- RR2: On receiving the request, S checks the database for
the availability of ARTi � h((αRTi ⊕IDTi )‖pidRTi ) where
lustration of the tag registration and reader registration is
pidRTi is computed by private key of S. If ARTi is not
shown in Table 5 and Table 6, respectively.
available, the cloud database server computes and sends
MRR2 � pidRTi , ARTi to Ti over the secure channel.
RR3: Finally, for each tag, the cloud server S issues the
6.1. Login and Authentication Phase. To access the services new credentials.
from S, Ti needs to establish a session key with S. The
following steps are followed by Ti , Rj , and S during this RR4: After receiving the new credentials, Ti completes
phase. The illustration is shown in Table 7. the registration process as processed in the registration
phase.
LA1: The tag logs on by (IDTi , pwTi ), computes
α∗Ti � paTi ⊕h(IDTi ‖pwTi ), verifies
?
PWT� h(IDTi ‖(pwTi ⊕α∗Ti )‖paTi ), generates α ∈ F∗q to 6.3. Tag’s Password/Update Phase. A registered tag Ti can
compute W1 � h((α.g.αTi )⊕(A∗Ti ‖IDTi )‖TSLA1 ), and update his/her current password and follow the steps
sends M1 � (pidTi ‖ATi ‖W)⊕α.xs .g, α.g, TSLA1 to Rj . without contacting S:
LA2: On receiving the request, Rj verifies TSLA1 ; PU1: The tag logs on by (IDTi , pwTi ), computes
computes CRj � paRj ⊕IDRj , αRj � PUF(CRj ), and α∗Ti � paTi ⊕h(IDTi ‖pwTi ), and verifies
?
W2 � h(αRj ‖ARj ‖TSLA3 ); and sends PWT� h(IDTi ‖(pwTi ⊕α∗Ti )‖paTi ). Upon unsuccessful
M2 � M1 , TSLA3 , (W2 ‖pidRj ) to S. verification, this process gets terminated by Ti . Oth-
LA3: On receiving the request, S verifies TSLA1 and erwise, Ti uses new password.
TSLA3 ; extracts M1 , TSLA3 , (W2 ‖pidRj ); validates
?
PU2: Ti picks pwnew Ti ; computes αTi � PUF(CTi ),
new
W2 � h(αRj ‖h((αRj ⊕IDRj )‖pidRj )‖TSLA3 ); and extracts panew new
Ti � αTi ⊕h(IDTi ‖pwTi ), and PWT � h(IDTi ‖
(pid∗Ti ‖A∗Ti ‖W∗1 ) to verify new
(pwTi ⊕αTi )‖paTi ); new
and stores {PWTnew ,
?
W∗1 � h((α.g.αTi )⊕(A∗Ti ‖IDTi )‖TSLA1 ) and on success, pidTi , panew
Ti , A Ti } to complete the process.
generates β ∈ F∗q , computes
∗
SKST � h((IDTi ⊕ATi )‖(α.β.g‖xs .α.g)‖
(sni ⊕(TSLA1 ‖TSLA5 ))), 7. Formal Security Analysis
W3 � h(α.β.g‖SKST ‖ATi ‖pidTi ), Formal security examination strategies are usually used to
W4 � h(IDRj ‖ARj ‖TSLA5 ‖pidRj ), and sends inspect and evaluate diverse check plans. According to lit-
M3 � W3 , W4 , TSLA5 , β.g as a response to Rj . erature [25], various security assessment systems can be used
10 Security and Communication Networks
PWT � h(IDTi ‖(pwTi ⊕αTi )‖paTi ), deletes (IDTi , CTi , αTi ) and stores PWT, pidTi , paTi , ATi
Stores pidTi , IDTi , CTi , sni , αTi
(m1, m2)←r A. The attack of (η, t)-adversary of A to the session key is SKST � h((ID∗Ti ⊕ATi )‖(α.β.g‖
resistance of collision of h(·) indicates that the maximum xs .α.g)‖t(sni ⊕(TSLA1 ‖TSLA5 ))) � SKTS . It is worth
runtime of th to the AdvHash
A (th ) ≤ η. noting that the key to session security is dependent on
both α and β “temporary secrets” and T′i and S’ for long-
Definition 3. Consider an elliptic curve Eq (u, v) and a point term secretions that cannot be disregarded by eaves-
P, the ECDDHP is “for a quadruple 〈P, uv1 .P, uv2 .P, uv3 .P〉, drops of the messages M1 , M2 , M3 , and M4 . Therefore,
decide whether uv3 � uv1 · uv2 or it is a uniform value,” this “eavesdropping attack” does not give any advan-
where uv1 , uv2 , uv3 ∈ Z∗q (�\{1, 2, . . ., q − 1\}). tage/increase of winning probability of A in G1 . This
To make ECDDHP intractable, the chosen prime q needs shows G0 and G1 games become “indistinguishable,”
to be at least 160-bit number. and thus obtains the following result:
Rfid−PUF Rfid−PUF
Theorem 1. Suppose our scheme (Rfid − PUF) runs in AdvA,G1 � AdvA,G0 . (2)
“polynomial time tp ” and the adversary A is working to gain
advantage on Rfid − PUF. If queryh , |Hash|, and G2 : In this game, the hash searches are simulated. Both
AdvECDDHP
A (tp ) indicate the “cardinality of hash queries,” ATi and TSLA1 are altered in the M1 message. Similarly,
“size of one-way hash function h(·),” and “A’s advantage in M2 , M3 , and M4 are also equally unexpected, as they
breaching ECDDHP in t ime tp (see Definition III-A),” re- include random timestamps and random numbers,
spectively, and chosen passwords follow the Zipf’s law [26], such as ARj , αRj , TSLA3 , pid∗Ti , sni , and TSLA5 are equally
then the bit-lengths of the PUF key PUF(C ∗ ) where ∗ refers unforeseeable. So, no collision occurs when A does
to Ti /Rj and the tag identity IDTi are l1 and l2 , respectively, c′ hash queries. Since both G1 and G2 are “in-
and sc′ are the Zipf’s parameters [26] respectively, A’s ad- distinguishable” except for the inclusion of the G2
vantage in compromising the semantic security of the pro- simulations, we obtain birthday paradox outcomes as
Rfid−PUF
posed scheme Rfid − PUF is AdvA (tp )
≤ 2AdvECDDHP (tp ) + (query2h /|Hash|) + 2 max(querys /2l1 ), 2
A
sc′ AdvRfid−PUF − AdvRfid−PUF ≤ queryh . (3)
(querys /2l2 ), c′ · querys }. A,G2 A,G1
2|Hash|
AdvRfid−PUF − AdvRfid−PUF ≤ AdvECDDHP t W1 � h((α.g)⊕(A∗Ti ‖IDTi )‖TSLA1 ). Only (pidTi ‖ATi ‖W1 ) of
A,G3 A,G2 A p
this message can be utilized to identify the tag. On each
query query ′
(4) session, the variables alpha and TSLA1 masked and ran-
+ max l s , l s , β′ · querysβ
s . domized the token described above. The attacker has no
21 22
control over any of these values. If a collision happens on the
Now, all the relevant queries related to the above games specified value by Ti in the worst-case scenario, the ad-
are executed, and then the Reveal query is executed along versary could detect it by monitoring the alpha.g fraction of
with Test query to guess the random bit c. Thus, we get M1 , and then Ti could be monitored. However, the
1 adversary’s advantage in finding a collision after N protocol
Rfid−PUF
AdvA,G3 � . (5) sessions is O(N2 /|F∗q |), which is modest enough in practice.
2
Furthermore, M1 makes no mention of Rj or S.
Combining equations (1), (2), and (5) derives: The reader Rj delivers M2 � M1 , TSLA3 , (W2 ‖pidRj )
to S, where (W2 ‖pidRj ) may be used to monitor the reader
1 Rfid−PUF Rfid−PUF 1
· AdvA
tp � AdvA,G0 − and determine whether the W2 fraction has a collision.
2 2
Similarly, after N protocol executions, the adversary has an
Rfid−PUF
� AdvA,G1
Rfid−PUF
− AdvA,G3 advantage of O(N2 /|F∗q |) in detecting a collision. As a result,
(6) the opponent’s chances of success are slim.
Rfid−PUF
≤ AdvA,G1
Rfid−PUF
− AdvA,G2 M3 � W3 , W4 , TSLA5 , β.g is sent by the server S, where
Rfid−PUF
W3 � h(α.β.g‖‖SKST ‖ATi ‖pidTi ),
+ AdvA,G2
Rfid−PUF
− AdvA,G3 . W4 � h(IDRj ‖ARj ‖TSLA5 ‖pidRj ). The reader Rj and the
server S, on the other hand, in each of the W3 and W4 tokens
Next, combining equations (3), (4), and (6) provide the are randomized in each session. As a result, an adversary is
following result: unable to retrieve data that could aid in the breach of the
1 Rfid−PUF query2h protocol’s location privacy.
· AdvA tp ≤ + AdvECDDHP
A t p Finally, Rj sends M4 � W3 , β.g, TSLA5 to Ti . The
2 2|Hash|
% adversary’s only target in this communication could be W3 .
querys querys ′ This token is a function of SKTS �
+ max l1
, l , β′ · querysβ
s .
2 2 2 h((IDTi ⊕ATi )‖(α.β.g‖xs .α.g)‖t(sni ⊕(TSLA1 ‖TSLA5 ))),
(7) which is randomized by Ti , Rj , and S on each session.
Overall, the location privacy of all of our entities (i.e.,
Finally, the equation (7) is multiplied by 2 on both sides Ti , Rj , and S) is guaranteed by our protocol. □
to get
Rfid−PUF ECDDHP query2h Proposition 2. Mutual authentication and session key
AdvA tp ≤ 2AdvA tp +
|Hash| agreement
querys querys ′
+ 2 max l1
, l , β′ · querysβ
s . Proof. It is obvious that the pairs (S, Ti ) and (S, Rj ) are
2 2 2
mutually authenticated if a legitimate tag Ti connects with
(8) an honest server S through a valid reader Rj and within
□ acceptable time thresholds. However, we do not require
mutual authentication between the reader Rj and the tag Ti
7.2. Informal Security Analysis in this protocol. In more detail, S is the source of trust for Ti ,
while Rj is only a gateway to S. The following is a list of the
Proposition 1. Location privacy (non-traceability) session key’s correctness and mutual agreement:
Correction Proof:
Proof. The tag Ti simply transmits the message
M1 � (pidTi ‖ATi ‖W1 )⊕α.xs .g, α.g, TSLA1 , with
Because the tag and the server have mutual authenti- Proposition 6. Replay attack
cation, S has already authenticated Rj , and Ti may trust the
reader Rj . As a result, our technique ensures mutual au- Proof. In a replay attack, the adversary attempts to use
thentication and establishes suitable session key a previously traded message at a later time t′ . Any message
agreement. □ received outside of the threshold time (a preset factor of ΔT )
is likely to be rejected in our protocol. Aside from that, the
Proposition 3. Physical security one-way hash function ensures the integrity of timestamps.
As a result, replay attacks against our protocol are impos-
Proof. . Any alteration or damage to the device with built-in sible. Finally, the adversary may break the tag’s anonymity if
PUF will cause PUF to respond differently or the device to he extracted xs.g from the α.xs.g and α.g pair. It is most
become unavailable, according to PUF’s characteristics. It is likely the same as solving ECCDHP, which is known to be
impossible to collect any relevant information in an ac- a difficult task (see Section 3.1). □
cessible environment since car sensors do not preserve any
information. Physical attacks, aside from rendering the Proposition 7. Impersonation attack
hardware components in the proposed protocol ineffective, Tag:
are unable to extract any relevant information. As a result,
the suggested protocol can ensure the system’s physical Proof. Due to the integrity of TSLA1 , the only way to spoof
security. □ the tag is to construct a valid M1 . It is not possible, however,
without guessing or computing a valid W1 � h((α.g)⊕
Proposition 4. Achieving forward secrecy (A∗Ti ‖IDTi )‖TSLA1 ), where TSLA1 is the attack time’s time-
stamp. The enemy also lacks ATi and IDTi . As a result, the
Proof. In our proposed scheme, the session key is computed adversary’s chance of successfully impersonating the tag is
as SKTS � 2−n , where n is the hash function’s bit-length. To put it
h((IDTi ⊕ATi )‖(α.β.g‖xs .α.g)‖t(sni ⊕(TSLA1 ‖TSLA5 ))). This another way, the repeat attack is a waste of time.
session key is established between the tag Ti and the server S. Reader: □
If A wishes to compromise the session key, A requires the
knowledge of the session-specific random values α, β, fixed Proof. Because the integrity of TSLA3 is guaranteed in our
value αTi , and the identities of the participants involved in protocol, the adversary cannot replay messages to imper-
the session key establishment. Now, even if pwTi , paTi are sonate a reader. As a result, generating a legitimate
compromised by A, due to the lack of knowledge of CTi or W2 ‖pidRj is the only way to impersonate the Rj in front of S.
random values α, β and fixed value αTi , attacker fails to The opponent, on the other hand, lacks
compute W1 . Thus, A does not gain any advantage even if he W2 � h(αRj ARj TSLA3 ), W2 , and ARj . Even if she/he obtains
compromises pwTi , paTi . Therefore, A cannot compute the the values W2 , pidRj , and ARj in some other way, she/he
previous/current/future session keys. □ must extract αRj from M2 in order to determine IDRj . It
necessitates reverse engineering of the one-way hash
Proposition 5. Message authentication function, which is a difficult challenge that makes the assault
impracticable. As a result, impersonating Rj to S is not
Proof. In this protocol, the server authenticates M1 and M2 . feasible under this protocol.
The reader Rj authenticates S, M3 partially and the tag Ti Server: □
totally. The use of random integers and the one-way hash
function ensure the integrity of all messages. Any alteration Proof. To impersonate the server S in front of Rj , the ad-
to the conveyed message causes the receiver to reject the versary would have to compute W3 , W4 , TSLA5 , β.g, where
message. W3 � h(α.β.g‖SKST ‖ATi ‖pidTi ) and W4 � h(IDRj
For instance, consider M1 � (pidTi ‖ATi ‖W1 )⊕α.xs . ‖ARj ‖TSLA5 ‖pidRj ). pidRj , IDRj , xs .α.g would be required.
g, α.g, TSLA1 } message, where W1 � h((α.g)⊕(A∗Ti ‖IDTi )‖ Aside from xs .α.g, β.α.g, which is contributed by Ti through
TSLA1 ), which should be authenticated by S. sending α.g, this token is randomized by xs .α.g, β.α.g.
TSLA4 − TSLA1 ? ≤ ΔT is checked by the server S first. As Solving a ECCDHP problem, which is a difficult problem,
a result, if the adversary replicates the message, S will reject would be required for the disclosure of α and xs . Even if the
it. Then, S extracts (pid∗Ti ‖A∗Ti ‖W∗1 ), retrieves the related sni adversary reveals the band and adapts it appropriately, the
value using IDTi and αTi , and computes and verifies adversary still needs to know IDTi due to TSLA5 in
?
W∗1 � h((α.g.αTi )⊕(A∗Ti ‖IDTi )‖TSLA1 ) to accept the message. h(α.β.g‖SKST ‖ATi ‖pidTi ), which is not the case. As a result,
It is clear that any modification in TSLA , α.g, or cheating Rj and successfully mimicking S gives the opponent
(pid∗Ti ‖A∗Ti ‖W∗1 ) renders the probability of W∗1 ? � W1 to a 2− n advantage. Furthermore, impersonating S in front of
2− n , where n is the hash length, for example 256 − bit for Rj is a prerequisite for impersonating S in front of Ti . As
SHA − 256. The other messages in the protocol can be a result, the attacker cannot effectively impersonate the
reasoned about in the same way. As a result, our protocol server S in front of Ti using Rj . Only M4 � W3 , β.g, TSLA5 ,
ensures message authentication between the parties where W3 � h(α.β.g‖SKST ‖ATi ‖pidTi ). Unlikely as it may
involved. □ seem, the attacker lacks IDTi . As a result, the adversary’s
Security and Communication Networks 15
advantage in committing this impersonation attack is h((IDTi ⊕ATi )‖(α.β.g‖xs .α.g)‖t(sni ⊕(TSLA1 ‖TSLA5 ))). The
negligible (i.e., 2−n ). □ SK-security of the proposed scheme relies on the secret
credentials as discussed in the following two cases:
Proposition 8. Offline password guessing attack
Case 1. Let us consider A knows the ephemeral (short-
term) secret credentials α and β. It is computationally
Proof. The rationale for security against this attack is nearly
infeasible for A to create the valid session key SKTS
comparable to that of RSEAP2. In a nutshell,
without the knowledge of the long-term secrets ARj,
PWT � h(IDTi ‖(pwTi ⊕αTi )‖paTi ) calculates the tag’s tem-
ATi , αRj , and xs .
porary password. Even if the adversary could estimate PWT,
the value αTi , which is a random integer created by the tag Ti , Case 2. We assume that the long-term secrets ARj, ATi ,
is still required. As a result, the opponent who could not αRj , and xs some or all of them are revealed to A, and
foresee αTi will be defeated by this assault. □ the attacker A’s task to generate SKTS without the
ephemeral secret credentials α and β this again turns
Proposition 9. Desynchronization attack out to be computationally infeasible task.
This shows that A can generate a valid session key SKTS
Proof. Because there is no updating phase of shared pa- only if both the ephemeral and long-term secret credentials
rameters after the protocol execution concludes, our pro- are revealed. Furthermore, if a particular session is com-
posed technique is immune to desynchronization assaults. promised, the session key established in previous/future
The attacker may only block the M4 message if the tag Ti is sessions are completely different to the compromised session
used to set the session key SKTS /SKST . Because Ti has not key due to the application of both long-term secrets and
received M4 in a timely manner, this entity may need to newly generated random nonces, which are secret and not
restart the login and authentication step in order to rees- revealed to A. Therefore, both forward as well as backward
tablish the session key. We wish to underline that the secrecy along with the SK-security are preserved in the
aforementioned situation is distinct from an impersonation proposed scheme. Moreover, in the proposed scheme, with
assault—as previously stated, an adversary cannot imper- the help of the session hijacking attack, a session key is
sonate a valid tag. In addition, the tag Ti must start the leaked in a particular session; it has no affect to compromise
protocol; otherwise, the server S would reject the the security of other previous as well as future sessions. By
request. □ summing up all these cases, the proposed scheme is secure
against the ESL attack. □
Proposition 10. Insider attack
8. Observations and Performance Analysis
Proof. In the initialization phase of our scheme, Ti sends
MR1 � IDTi , αTi , CTi to S and receives MR2 � pidTi , ATi We use the implementation results in [2] “(CPU: Intel(R)
in return. Further computes, where Core(TM)2T6570 2.1 GHz, Memory: 4G, OS: Win7 32-bit,
PWT � h(IDTi ‖(pwTi ⊕αTi )‖paTi ). Likely, the chances for Software: Visual C++ 2008, MIRACL C/C++ Library)” to
an insider attacker to disclose pwTi are almost null (i.e., estimate the computation time. Because SHA-2 occupies
2−n ). □ 15.8 cycles per bytes [27], it takes
Tfun
h � 0.0004 ∗ (15.8/11.4) � 0.0005 milliseconds to com-
Proposition 11. Man-in-the-middle attack pute. To be clear, the number Tfunh corresponds to a single
call to the SHA-2 compression function (fun). The SHA-2
Proof. To carry out a successful man-in-the-middle attack, compression function has a message-block length of 512 bits.
an adversary must be able to impersonate a protocol entity We built the new protocol in detail to reduce the amount of
or modify a message without being discovered. Nonetheless, calls to this compression function, particularly on the tag
the aforementioned attack will fail in our suggested protocol side, which is the most limited device. Finally, the time
for the following reasons. For starters, as we explained in required to calculate scalar multiplication on ECC-160,
Section 7, the adversary’s advantage in impersonating the represented by TEMP , is 7.3529 milliseconds, whereas the
tag, the reader, or the server is insignificant. Second, we have time required to calculate a chaotic map is TCH � TEMP [28].
shown (5) that any change to the transmitted message causes The needed time for encryption/decryption of a symmetric
the receiver to reject the received message. Finally, we scheme TSym varies depending on the employed symmetric
demonstrated how an opponent cannot properly relay encryption method; however, the stated time for AES
a message to deceive about his distance or replay an earlier is TSym � 0.1303 milliseconds. The details are shown in
message in Sections 6. As a result, the suggested protocol is Table 9.
impenetrable to a man-in-the-middle assault. □ The hash function output, nonces, timestamps, tag/
reader identities, a symmetric encryption output block,
Proposition 12. Ephemeral secret leakage (ESL) attack: and elliptic curve points all have bit widths of
160, 160, 32, 160, 128, and 320 bits, respectively, for the
Proof. As described in the Proposition 2, both Ti and S performance analysis. We compare the computational
establish a common session key during the execution of the and communication expenses of RSEAP2 with our
proposed scheme. The session key is computed as SKTS � method in Table 10. Because tags are the most limited
16 Security and Communication Networks
40
37.4205
35
30
Computation cost (ms)
25
22.0632 22.1935 22.0617
20
15 14.7078 14.7088
10
0
Jiang et al. Kumar et al. Jiang et al. Mishra et al. Safkhani et al. Our
Protocols
2500
2080
2000
Communication cost (bits)
1536
1500 1376
1184 1184
1000 896
500
0
Jiang et al. Kumar et al. Jiang et al. Mishra et al. Safkhani et al. Our
Protocols
devices in the system, we focus our investigation on them. reduction in power consumption, which is a critical
There are no major changes in consuming time when metric in such devices. Finally, in Table 11, we compare
compared to RSEAP2, as shown in Figure 3, simply and contrast the security qualities afforded by comparable
a minor improvement in our approach. Our scheme is systems with our scheme (see Figure 5 for an instance). To
much more efficient than RSEAP2 in terms of bits sent summarize, the new protocol is more efficient and secure
(and received), as shown in Figure 4. It entails a significant than the old one.
Security and Communication Networks 17
15 15
14
Data Availability
12
12
10
10 No data collection method is applied.
9
8
6 Conflicts of Interest
4
2 The authors declare that they have no conflicts of interest.
0
Jiang et al. Kumar et al. Jiang et al. Mishra et al. Safkhani et al. Our
Protocols Acknowledgments
Figure 5: Security attribute comparison. This study did not receive any funding in any form.
[6] N. Dinarvand and H. Barati, “An efficient and secure RFID [21] D. Mukhopadhyay, “PUFs as promising tools for security in
authentication protocol using elliptic curve cryptography,” internet of things,” IEEE Design & Test, vol. 33, no. 3,
Wireless Networks, vol. 25, no. 1, pp. 415–428, 2019. pp. 103–115, 2016.
[7] V. Kumar, M. Ahmad, D. Mishra, S. Kumari, and M. K. Khan, [22] W. Wang, C. Qiu, Z. Yin et al., “Blockchain and PUF-based
“RSEAP: RFID based secure and efficient authentication lightweight authentication protocol for wireless medical
protocol for vehicular cloud computing,” Vehicular Com- sensor networks,” IEEE Internet of Things Journal, vol. 9, 2021.
munications, vol. 22, Article ID 100213, 2020. [23] T.-F. Lee and W.-Y. Chen, “Lightweight fog computing-based
[8] M. Hosseinzadeh, O. H. Ahmed, S. H. Ahmed et al., “An authentication protocols using physically unclonable func-
enhanced authentication protocol for RFID systems,” IEEE tions for internet of medical things,” Journal of Information
Access, vol. 8, 2020. Security and Applications, vol. 59, Article ID 102817, 2021.
[9] F. Zhu, “Secmap: a secure RFID mutual authentication [24] V. Hassija, V. Chamola, V. Gupta, S. Jain, and N. Guizani, “A
protocol for healthcare systems,” IEEE Access, vol. 8, p. 192, survey on supply chain security: application areas, security
2020. threats, and solution architectures,” IEEE Internet of Things
[10] S. Gabsi, Y. Kortli, V. Beroulle, Y. Kieffer, A. Alasiry, and Journal, vol. 8, no. 8, pp. 6222–6246, 2020.
B. Hamdi, “Novel ECC-based RFID mutual authentication [25] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and
protocol for emerging IoT applications,” IEEE Access, vol. 9, K.-K. R. Choo, “A three-factor anonymous authentication
2021. scheme for wireless sensor networks in internet of things
[11] D. Mishra, V. Kumar, D. Dharminder, and S. Rana, “SFVCC: environments,” Journal of Network and Computer Applica-
tions, vol. 103, pp. 194–204, 2018.
chaotic map-based security framework for vehicular cloud
[26] D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s
computing,” IET Intelligent Transport Systems, vol. 14, no. 4,
law in passwords,” IEEE Transactions on Information Fo-
pp. 241–249, 2020.
rensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
[12] U. Chatterjee, R. S. Chakraborty, and D. Mukhopadhyay, “A
[27] W. Dai, “Crypto++ 5.6. 0 benchmarks,” 2009, https://www.
PUF-based secure communication protocol for IoT,” ACM
cryptopp.com/benchmarks.html.
Transactions on Embedded Computing Systems, vol. 16, no. 3,
[28] J. Srinivas, A. K. Das, N. Kumar, and J. J. P. C. Rodrigues,
pp. 1–25, 2017. “Tcalas: temporal credential-based anonymous lightweight
[13] M. N. Aman, K. C. Chua, and B. Sikdar, “Mutual authenti- authentication scheme for internet of drones environment,”
cation in IoT systems using physical unclonable functions,” IEEE Transactions on Vehicular Technology, vol. 68, no. 7,
IEEE Internet of Things Journal, vol. 4, no. 5, pp. 1327–1340, pp. 6903–6916, 2019.
2017.
[14] Q. Jiang, X. Zhang, N. Zhang, Y. Tian, X. Ma, and J. Ma,
“Three-factor authentication protocol using physical
unclonable function for IoV,” Computer Communications,
vol. 173, pp. 45–55, 2021.
[15] H. Xu, X. Chen, F. Zhu, and P. Li, “A novel security au-
thentication protocol based on physical unclonable function
for RFID healthcare systems,” Wireless Communications and
Mobile Computing, vol. 2021, Article ID 8844178, 14 pages,
2021.
[16] P. Gope and B. Sikdar, “Privacy-aware authenticated key
agreement scheme for secure smart grid communication,”
IEEE Transactions on Smart Grid, vol. 10, no. 4, pp. 3953–
3962, 2018.
[17] Y.-N. Cao, Y. Wang, Y. Ding, H. Zheng, Z. Guan, and
H. Wang, “A PUF-based lightweight authenticated metering
data collection scheme with privacy protection in smart grid,”
in Proceedings of the 2021 IEEE Intl Conf on Parallel &
Distributed Processing with Applications, Big Data & Cloud
Computing, Sustainable Computing & Communications, So-
cial Computing & Networking (ISPA/BDCloud/SocialCom/
SustainCom), pp. 876–883, IEEE, New York City, NY, USA,
October 2021.
[18] Z. Zhang, Y. Liu, Q. Zuo, L. Harn, S. Qiu, and Y. Cheng,
“PUF-based key distribution in wireless sensor networks,”
Computers, Materials & Continua, vol. 64, no. 2, pp. 1261–
1280, 2020.
[19] P. Mall, R. Amin, A. K. Das, M. T. Leung, and K.-K. R. Choo,
“PUF-based authentication and key agreement protocols for
IoT, WSNS and smart grids: a comprehensive survey,” IEEE
Internet of Things Journal, vol. 9, 2022.
[20] Y. Liu, Y. Cui, L. Harn et al., “PUF-based mutual-authenti-
cated key distribution for dynamic sensor networks,” Security
and Communication Networks, vol. 2021, Article ID 5532683,
13 pages, 2021.