Analysis and Improvement of PUF-based Secure Anonymous User Authentication Scheme in Smart Home Environment

Abstract: With the rapid development of IoT technology, the smart home is attracting much attention due to its convenience and comfort. In 2022, CHO et al. proposed an anonymous user authentication scheme using PUFs in the smart home environment. However, the security analysis in this paper finds that CHO et al.'s scheme cannot resist tracking attacks or replay attacks, and cannot guarantee that the user and home device agree on a session key. In order to overcome the shortcomings of CHO et al.'s scheme, this paper proposes an improved PUF-based secure anonymous user authentication scheme. After a security analysis and a comparison with related authentication schemes in terms of security and computational cost, it is demonstrated that the improved scheme is resistant to a variety of attacks and can achieve secure and efficient authentication.


Introduction
In recent years, Internet of Things (IoT) technology has developed rapidly, and the smart home, as a typical application of IoT, has attracted much attention because of its convenient and comfortable features [1]. A smart home system can control various household appliances through mobile phones, TVs, computers and other devices to achieve remote control and management of household appliances and improve people's quality of life. At the same time, a smart home system can provide comprehensive monitoring of the home security system, which enables people to enjoy a more comfortable, healthy and happy life under the premise of ensuring home security.
However, communication between entities in the smart home environment relies on a public channel, which is vulnerable to eavesdropping and impersonation attacks [2][3][4][5], so the security of the smart home is a concern. Also, in the smart home environment, attackers can use controlled devices to perform malicious acts because of the low security of resource-constrained smart devices. Therefore, authentication as well as communication security in the smart home environment is very important.
In 1981, Lamport et al. [6] proposed a remote user authentication scheme using a password table. In recent years, with the popularity of IoT applications, scholars have proposed many authentication schemes for smart home environment [7][8][9][10]. In 2021, Zou et al. proposed an authentication scheme based on elliptic curve cryptography (ECC) in smart home environment, and in 2022, CHO et al. [11] claimed that Zou et al.'s [12] authentication scheme is vulnerable to forgery and session key compromise attacks and proved that the scheme of Zou et al. does not guarantee mutual authentication between home users and home devices. Then, CHO et al. proposed a secure anonymous authentication scheme using physical unclonable functions (PUFs) [13]. However, after analysis, this paper found several security problems in CHO et al.'s scheme. Firstly, a maliciously controlled home device is able to compute the key credentials for mutual authentication between the user and the gateway as well as the user's updated pseudo-identity. Secondly, certain messages delivered via the public channel are not authenticated. Thirdly, no timestamp is used in CHO et al.'s scheme, which does not guarantee the freshness of the delivered messages. Finally, the gateway does not know the identity of the device when the home device sends a request to the gateway. Therefore, the scheme of CHO et al. is not secure.
In order to overcome the shortcomings of CHO et al.'s scheme, an improved scheme is proposed in this paper. In the user registration phase of the improved scheme, the key credentials for mutual authentication between the user and the gateway are further protected. In the login and authentication phase, the computation by the gateway of the user's updated pseudo-identity is improved, timestamps are added, etc. Also, this paper compares the security and computational cost of the improved scheme with existing similar schemes.

Contribution
The contributions of this paper are summarized as follows: (1) The scheme of CHO et al. [11] is improved, and the security and privacy problems inherent in smart home security schemes are solved.
(2) Time stamps and random numbers are added to the improved scheme to enhance the security of the scheme.
(3) The security and computational cost of the improved scheme are compared with other similar schemes. The results show that the improved scheme is superior to other similar schemes in terms of security and computational cost.

Organization
The rest of the paper is organized in the following way. Section II reviews the scheme of CHO et al. [11], Section III analyses the security problems in CHO et al.'s scheme, Section IV proposes a new and improved scheme, Section V analyses the security of the improved scheme, and Section VI analyses the performance of the improved scheme. Finally, Section VII is the conclusion.

Review of CHO et al.'s Scheme
In this section, the paper briefly reviews CHO et al.'s scheme. In this scheme, four entities are included: registration center (RC), user (U i ), gateway (GW), and home device (HD j ). U i and HD j register through RC, and GW helps U i and HD j to authenticate each other and agree on a session key.
The scheme of CHO et al. [11] consists of five phases namely: system establishment phase, home device registration phase, user registration phase, login and authentication phase and password update phase. For the sake of brevity, we do not describe password update phase here. The symbols used in this paper and their definitions are shown in Table 1.

System Establishment Phase.
Before deploying GW and HD j , RC generates t as the master key for the gateway GW and C j as the challenge value for HD j . Afterwards, RC stores C j securely in the memory of HD j . RC selects the hash function, and generates b as the secret value for HD j .

Home Device Registration Phase.
Step 1. HD j calculates where SID j is the unique identity of HD j and transmits {SID j , C j , X j } to RC over a secure channel. Step 2.

User Registration Phase.
Step 1. U i selects ID i and PW i and generates random number r i , then calculates the ( ) and transmits {ID i , PID i } to RC over a secure channel. Step the smart card.

Login and Authentication Phase.
Step and verifies that V i ' is equal to V i . If it is not equal, this phase is terminated. Otherwise, U i generates random number a 1 and calculates ( ) , and Step 3. After receiving {RID i , M 3 , M 4 , V 2 }, HD j calculates and checks whether V 2 ' is equal to V 2 , and terminates this phase if it is not. Otherwise, HD j generates random number a 3 and calculates ( ) and transmits {M 5 , V 3 } to GW.
Step 4. After receiving {M 5 , V 3 }, GW calculates , and checks whether V 3 ' is equal to V 3 , and terminates this phase if it is not. Otherwise, GW calculates Step 5. After receiving {M 6 , V 4 }, U i computes

Tracking Attack
In the login and authentication phase of the CHO et al.'s [11] Since DID j , K UGi and PID i are invariant, M 1 can be tracked. Furthermore, GW transmits RID i and to HD j via the public channel in the second step of the login and authentication phase, and then HD j calculates After obtaining a 2 , HD j is able to calculate Assuming that HD j is controlled, a malicious attacker can perform a tracking attack on U i when it next authenticates with other home devices.

Replay Attack
Since no timestamp is used in the scheme of CHO et al. [11] to guarantee the freshness of the transmitted messages, an attacker can intercept {RID i , M 3 , M 4 , V 2 } transmitted by GW to HD j in the second step of the login and authentication phase, and later retransmit it to HD j, pretending that GW has sent it again.
Because the replayed message is unchanged, the check $V_2' \overset{?}{=} V_2$ still passes and HD j will continue with the subsequent computations. Therefore, the scheme of CHO et al. [11] is not resistant to replay attacks.

Man in the Middle Attack.
In the second step of the login and authentication phase, . Since the SK computed by HD j and GW do not match, GW fails in verifying V 3 ' and terminates this phase. As a result, HD j and U i cannot agree on a session key.

Not Working Properly.
In the third step of the login and authentication phase, CHO et al.'s [11] scheme does not work properly because {M 5 , V 3 } transmitted from HD j to GW lacks the identity information of U i and HD j . When HD j transmits {M 5 , V 3 } to GW, GW must compute V 3 ' from M 5 in order to verify it against V 3 . However, GW does not know which HD j is transmitting the message at this point. If GW wants to find PD j and PU i , it must ask HD j for its identity information as well as that of the U i with whom it has agreed on a session key. The message {M 5 , V 3 } sent by HD j to GW is clearly missing RID i and DID j . Therefore, the scheme does not work properly.

Proposed Scheme
In order to overcome the security vulnerabilities of the CHO et al.'s scheme, an improved scheme is proposed in this paper. The system establishment and home device registration phases of the improved scheme are the same as those of CHO et al.'s scheme, so we only describe user registration phase and login and authentication phase in this section, as follows.

User Registration Phase.
U i is registered via its own mobile device and the registration process is as follows: The detailed process is shown in Figure 1.

Login and Authentication Phase.
In this phase, U i and HD j achieve mutual authentication with the assistance of GW and agree on a session key SK, which is used to complete future confidential communication between U i and HD j . The specific steps are as follows: Step , and compares it with V i stored in the mobile device, if they are equal, U i logs in successfully. The mobile device then initiates the authentication process, the mobile device generates random number a 1 and timestamp T 1 , calculates ( ) and finally, transmits {RID i , M 3 , M 4 , V 2 , T 2 } to HD j over the public channel.
HD j checks $V_2' \overset{?}{=} V_2$, and if the verification passes, GW authentication is successful. HD j generates random number a 3 and timestamp T 3 , computes ( ) and transmits {M 5 , V 3 , T 3 , RID i , DID j } to GW over the public channel.

Fig 2. Login and authentication phase
Step 4. Upon receiving

Security Analysis
In this section, the paper presents security analysis of the improved scheme, demonstrating that our scheme is secure and resistant to known attacks.

Anonymity and Untraceability
Section 3.1 of this paper describes a tracking attack on CHO et al.'s [11] scheme. In this case, attacker A can intercept the message {RID i , M 1 , M 2 , V 1 } transmitted by U i to GW, and because M 1 is invariant, attacker A can perform a tracking attack on U i . Furthermore, attacker A can take control of HD j and use the a 2 that it calculated in the third step of the login and authentication phase, together with the RID i received from GW, to calculate U i 's updated identity RID i new . Thus, the next time U i authenticates with other home devices, a tracking attack can be carried out.
However, the improved scheme concatenates the timestamp T 1 in the calculation of the message M 1 , so that M 1 is different for each transmission. Also, GW uses a random number a 4 that only the U i can compute when updating the pseudo-identity of U i . Therefore, in the improved scheme, even the same user has different identity information in different sessions. From the above analysis, it is easy to see that the improved scheme achieves anonymity and untraceability of the user.

Mutual Authentication.
In the login and authentication phase, U i and HD j authenticate each other with the assistance of the GW. Firstly, GW verifies that V 1 ' is equal to V 1 ; if it is, then both U i and GW hold the correct secret credential K Ui and GW successfully authenticates U i 's identity. Similarly, HD j , GW and U i verify $V_2' \overset{?}{=} V_2$, $V_3' \overset{?}{=} V_3$ and $V_4' \overset{?}{=} V_4$ respectively in each session. When all verifications pass, the three achieve mutual authentication and compute the session key. Thus, the improved scheme provides mutual authentication between U i , GW, and HD j .

Impersonation Attack.
Since attacker A does not know the secret credentials K Ui and K Dj for authentication between U i and HD j and GW, it cannot successfully impersonate legitimate U i and HD j to generate authentication request and response messages, so the improved scheme can resist impersonation attacks.

Replay Attack.
In the improved scheme, because each received message is authenticated together with a timestamp, attacker A cannot perform a replay attack. For example, U i adds the current timestamp T 1 to each message it transmits, and GW determines whether $|T_c - T_1| \le \Delta T$ holds (T c being the time of receipt and $\Delta T$ the maximum allowed transmission delay); if it does, GW continues to authenticate the other messages received, otherwise it terminates this phase.

Man in the Middle Attack
Section 3.3 of this paper describes a man-in-the-middle attack on CHO et al.'s scheme [11]. In this case, attacker A can tamper with M 4 by intercepting the message {RID i , M 3 , M 4 , V 2 } transmitted by GW to HD j in the second step of the login and authentication phase, making it impossible for U i and HD j to agree on a session key. However, in the improved scheme, M 4 is included in the computation of the authentication value V 2 , so if attacker A intercepts and tampers with M 4 , HD j will fail the verification and terminate this phase. Thus, the improved scheme is resistant to man-in-the-middle attacks.
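The following Python model illustrates the two checks discussed in the replay-attack and man-in-the-middle subsections above. It is an added example, not the paper's construction: the exact formulas for M 3 , M 4 and V 2 are not reproduced here, so the "improved" verifier assumes V 2 is a hash over RID i , M 3 , M 4 and T 2 under the credential K Dj shared by GW and HD j , and the "weak" verifier assumes V 2 omits M 4 and carries no timestamp, as the analysis of CHO et al.'s scheme describes. SHA-256 stands in for the hash h, and all inputs are constructed sample values.

```python
import hashlib
import hmac

DELTA_T = 5  # assumed freshness window (seconds) for the check |T_c - T_2| <= ΔT

def h(*parts: bytes) -> bytes:
    """One-way hash over the concatenation of its inputs (SHA-256 stands in for h)."""
    return hashlib.sha256(b"".join(parts)).digest()

def gw_build_improved(k_dj: bytes, rid_i: bytes, m3: bytes, m4: bytes, t2: int) -> dict:
    """GW side, improved variant (assumed form): V_2 binds M_3, M_4 and T_2 under K_Dj."""
    v2 = h(k_dj, rid_i, m3, m4, t2.to_bytes(8, "big"))
    return {"RID_i": rid_i, "M_3": m3, "M_4": m4, "V_2": v2, "T_2": t2}

def hd_verify_improved(k_dj: bytes, msg: dict, t_c: int) -> bool:
    """HD_j side, improved variant: reject stale messages first, then check V_2' == V_2."""
    if abs(t_c - msg["T_2"]) > DELTA_T:
        return False  # replayed or excessively delayed message
    v2_prime = h(k_dj, msg["RID_i"], msg["M_3"], msg["M_4"], msg["T_2"].to_bytes(8, "big"))
    return hmac.compare_digest(v2_prime, msg["V_2"])  # constant-time comparison

def gw_build_weak(k_dj: bytes, rid_i: bytes, m3: bytes, m4: bytes) -> dict:
    """Weak variant modelling the analysed flaws: no timestamp, and V_2 does not cover M_4."""
    return {"RID_i": rid_i, "M_3": m3, "M_4": m4, "V_2": h(k_dj, rid_i, m3)}

def hd_verify_weak(k_dj: bytes, msg: dict) -> bool:
    """HD_j side, weak variant: only V_2' == V_2 is checked, so M_4 and freshness go unchecked."""
    return hmac.compare_digest(h(k_dj, msg["RID_i"], msg["M_3"]), msg["V_2"])

def run_weak() -> tuple:
    """Returns (replay_accepted, tampered_m4_accepted) for the weak variant."""
    k_dj = b"constructed-credential-K_Dj"
    msg = gw_build_weak(k_dj, b"RID_i", b"M3-sample", b"M4-sample")
    replay_accepted = hd_verify_weak(k_dj, dict(msg))  # identical copy, any time later
    tampered = dict(msg, M_4=b"M4-forged")             # attacker rewrites M_4 in transit
    return replay_accepted, hd_verify_weak(k_dj, tampered)

def run_improved() -> tuple:
    """Returns (fresh_accepted, replay_accepted, tampered_m4_accepted) for the improved variant."""
    k_dj = b"constructed-credential-K_Dj"
    t2 = 1_700_000_000  # constructed T_2
    msg = gw_build_improved(k_dj, b"RID_i", b"M3-sample", b"M4-sample", t2)
    fresh = hd_verify_improved(k_dj, msg, t2 + 1)
    replay = hd_verify_improved(k_dj, dict(msg), t2 + 60)  # same message, 60 s later
    tampered = dict(msg, M_4=b"M4-forged")
    return fresh, replay, hd_verify_improved(k_dj, tampered, t2 + 1)

if __name__ == "__main__":
    print(run_weak(), run_improved())  # (True, True) (True, False, False)
```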

Forward Confidentiality
The session key computed between U i and HD j may be compromised by attacker A. However, attacker A cannot find any significant correlation between past, present and future session keys, because in the improved scheme they contain the random numbers a 1 , a 2 and a 3 , which differ in each session. Thus, the improved scheme guarantees forward security.

Performance Evaluation
In this section, the performance of the improved scheme is evaluated and compared with the schemes of Naoui et al. [14], Shuai et al. [15], Zou et al. [12], and CHO et al. [11] in terms of both security features and computational cost.

Security Features
As shown in Table 2, the security features of the improved scheme were compared with those of the other schemes. The result shows that each of the other schemes has one or more security vulnerabilities. Therefore, the improved scheme has a clear security advantage over the other schemes.

Computation Cost
In this subsection, this paper uses T h , T f , T epm , T puf , and T s to denote the consumption time for one-way hash functions, fuzzy extractors, ECC point multiplication, PUF, and symmetric key encryption/decryption, respectively.
According to the scheme of Xia et al. [1], the times are taken as T h =0.0026ms, T f =1.989ms, T epm =1.989ms, T puf =0.12ms and T s =0.00325ms. Table 3 depicts the computational cost of the improved scheme compared to several other schemes for the different entities in the login and authentication phase. Although the improved scheme has a slightly higher computational cost than CHO et al.'s scheme, it is more secure than CHO et al.'s scheme and can resist various attacks. In addition, the improved scheme also has an advantage in terms of computational cost over several other schemes, satisfying the lightweight requirement and making it applicable to the resource-constrained smart home environment.

Summary
In this paper, we first review the scheme of CHO et al. and perform a security analysis on it, pointing out that it cannot resist a variety of malicious attacks such as tracking attacks and replay attacks. To address these security problems, we propose an improved PUF-based secure anonymous authentication scheme in a smart home environment, and demonstrate that the improved scheme is secure and has a low computational cost.