www.nature.

com/scientificreports

OPEN ECC‑based three‑factor

authentication and key agreement
scheme for wireless sensor
networks
Wenfeng Huang
In wireless sensor networks (WSNs), protocols with authentication and key agreement functions can
enhance the security of the interaction between users and sensor nodes, guaranteeing the security of
user access and sensor node information. Existing schemes have various security vulnerabilities and
are susceptible to security attacks (e.g., masquerading user, password guessing, internal privilege,
and MITT attacks), so they cannot meet the anonymity requirements or achieve forward security. To
effectively improve the security performance of WSNs, an elliptic curve cryptography (ECC)-based
three-factor authentication and key agreement scheme for WSNs is proposed. The scheme is based
on the ECC protocol and combines biometrics, smart card and password authentication technology;
uses a challenge/response mechanism to complete the authentication between users, gateways,
and sensors; and negotiates a secure session key. The Burrows, Abadi and Needham logic for formal
security analysis proves the correctness and security of the scheme, and the informal analysis of
multiple known attacks proves that the scheme can resist various attacks and has high security
characteristics. The feasibility of the scheme has been analysed and verified with the ProVerif tool. The
efficiency analysis results show that the scheme is suitable for resource-constrained WSNs.

As wireless sensor networks (WSNs) are widely used in various application areas, securing their communication
has become one of the focuses of researchers. The confidentiality of information communication is a major chal-
lenge, and protecting the privacy of data from unauthorized access by attackers is a major problem facing Internet
of Things (IoT) W­ SNs1. Current schemes suffer from various security vulnerabilities in authentication and key
agreement functions and are susceptible to security attacks such as masquerading users, password guessing,
insider privileges, and MITM (Man-in-the-Middle), so they cannot satisfy anonymity requirements or achieve
forward security. In IoT WSNs, establishing user authentication protocols with session keys is an approach that
is widely used to solve the above problems. In this context, this study aims to address the security vulnerabilities
in existing WSNs, especially in the interaction between users and sensor nodes, to ensure the security of user
access and sensor node information.
The significance of this research lies in the following points: (1) Safeguarding communication security: WSNs
are widely used in environmental monitoring, health care, intelligent transportation, etc., which include data
communication that often involves personal privacy and important information. By improving the security of
authentication and key agreement, this study helps to secure user access and sensor node information against
potential attack risks. (2) Filling existing security holes: In this study, it is found that there are various vulnerabili-
ties in the current security protocols in WSNs, which may be subject to attacks such as camouflage and password
guessing. By combining elliptic curve cryptography and multifactor authentication techniques, this scheme is
expected to fill these loopholes and improve the overall security of WSNs. (3) Promotion of the development
of security in the field of WSNs: With the evolution of the IoT, the range of applications of WSNs is expanding.
Research on communication schemes with high security is crucial for the healthy development of WSNs. This
study aims to offer fresh insights and approaches for enhancing security in WSNs. (4) Positive impact on practi-
cal applications: Not only is the correctness and security of the scheme verified through formal BAN logic and
the ProVerif tool, but its ability to fight against a wide range of attacks through informal analysis is also verified.
This makes the scheme more likely to succeed in practical applications and provides strong technical support for
real-world deployments. (5) Suitable for resource-constrained environments: The results of the efficiency analysis

School of Information Engineering, Xiamen Ocean Vocational College, Xiamen 361100, Fujian, China. email:
[email protected]

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 1

Vol.:(0123456789)
 www.nature.com/scientificreports/

show that the scheme is suitable for resource-constrained WSNs. This is a substantial advantage for sensor nodes
that have limited computational and storage resources and is expected to have a positive impact in the real world.
To effectively enhance the security performance of WSNs, this study proposes a three-factor authentication
and key agreement scheme based on elliptic curve cryptography (ECC). The scheme is based on the ECC pro-
tocol, combines biometric, smart card and cryptographic authentication techniques, uses a challenge/response
mechanism to complete the authentication between the user, the gateway and the sensor, and negotiates a secure
session key. The correctness and security of the scheme are validated through formal security analysis using BAN
logic. In addition, the scheme is verified as highly secure against various attacks through informal analysis of a
variety of known attacks. To ensure the feasibility of the research, the paper also provides an exhaustive analysis
and validation of the scheme using the ProVerif tool. The final efficiency analysis results show that the scheme is
suitable for resource-constrained WSNs and provides a feasible and efficient solution for secure communication
in WSNs. The purpose of this study is to promote the development of security in the field of WSNs and to provide
a more reliable protection mechanism for wireless sensor networks in practical applications.

Related works
In 2015, Lee et al.2 proposed a nontamper smart card authentication key protocol scheme based on anonymous
passwords. In 2017, Wu et al.3 noted that the scheme of Lee et al.2 is not resistant to smart card loss, spoofed
users, spoofed server attacks, and so forth. Wu et al. proposed an enhanced anonymous password authentication
key agreement scheme. In 2016, Jiang et al.4 proposed a two-factor authentication scheme based on ellipse curve
cryptography (ECC) for untraceable time vouchers in WSNs. In 2018, Li et al.5 found flaws in the work of Jiang
et al.4, such as the lack of a password detection and change mechanism and a clock synchronization problem.
Thus, Li et al. proposed a three-factor anonymous authentication scheme for WSNs in the IoT environment,
using a fuzzy commitment scheme and error correction code to process user biometric information; however,
the scheme proved to be unable to resist smart card loss attacks and achieve forward security. In 2022, Meriam
et al.6 performed an informal security analysis of the protocol of Li et al.5, and the results showed that it cannot
achieve anonymity and cannot resist session key leakage, internal, and other attacks. Thus, Meriam et al. proposed
a three-factor mutual authentication and key agreement protocol for IoT WSNs based on lightweight ECC, using
physically unclonable functions (PUFs) and ECC to improve security and effectively solve the security problem
of Li et al.’s ­proposal5.
In 2017, Wu et al.7 proposed a user authentication scheme for WSNs based on the Internet of Things(IoT) and,
in the same year, an efficient authentication and key agreement scheme for multigateway WSNs in the deploy-
ment of the I­ oT8. In 2019, Bayat et al.9 noted that the scheme of Wu et al.7 could not withstand certain security
attacks. Thus, Bayat et al. proposed an analysis and improvement of the user authentication scheme of the IoT
based on ECC. In 2019, Guo et al.10 found that the scheme of Wu et al.8 was inefficient and instead proposed a
secure and efficient three-factor multigateway authentication protocol for WSNs; however, this scheme proved
to be unable to resist offline password guessing and other attacks. In 2017, Jung et al.11 proposed an efficient and
secure anonymous authentication scheme based on key agreement in WSNs. In the same year, Sravani et al.12
proposed an authentication key establishment scheme based on a secure signature for future IoT applications.
However, the scheme was not resistant to man-in-the-middle attacks and was too complex and i­ nefficient13.
In 2021, Azrour et al.14 proposed a new, enhanced IoT authentication protocol based on the l­ iterature2,5, ­and9,
that could resist replay, internal, and other attacks. In 2021, Vinoth et al.15 proposed a multifactor authentication
key protocol scheme for industrial IoT security; however, this scheme could not deal with certain types of attacks,
such as sensor node capture and replay attacks. In 2021, Xue et al.16 proposed a lightweight three-factor authen-
tication and key agreement scheme for multigateway WSNs in the IoT based on a ummary of the l­ iterature10,14,
and 15 and proved the correctness and security of the proposed scheme through the BAN logic and BPR model.
However, the scheme could not guarantee the security of the user’s private key or negotiate a secure session key.

Motivation, contributions and road‑map

Motivation
The motivation of this paper is to improve the security of wireless sensor networks (WSNs), especially to enhance
the authentication and key agreement features in the interaction between users and sensor nodes. Currently exist-
ing schemes suffer from various security vulnerabilities and are susceptible to security attacks such as masquer-
ading users, password guessing, internal privileges, and man-in-the-middle attacks. These vulnerabilities make
it difficult for existing schemes to meet anonymity requirements and achieve forward security. In this article,
they propose an integrated authentication and key agreement scheme based on the ECC protocol is proposed,
combining multiple authentication techniques to improve the security performance of WSNs, and demonstrate
its feasibility and high level of security through formal and informal security analysis.

Their contribution

1) This paper proposes a three-factor authentication and key agreement scheme based on ECC for W ­ SNs17.
The new scheme is based on the ECC key agreement mechanism and introduces the challenge/response
mechanism to establish authentication and key agreement mechanisms among users and gateways and
sensors of WSNs. The security of the scheme is guaranteed by the security characteristics of biometrics, the
elliptic curve discrete logarithm problem, and the one-way characteristics of the hash function.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 2

Vol:.(1234567890)
www.nature.com/scientificreports/

2) After the authentication and key agreement between the user and the sensor is completed, a password update
and smart card logout scheme is proposed to assist users in better managing smart cards and enhance the
security of the scheme.
3) The proposed scheme is validated in several forms. The scheme’s security is assessed through a formal analysis
employing BAN logic. In addition, the nonformal security analysis proves the security performance of the
scheme and its resistance to various attacks. Furthermore, simulations using the ProVerif tool validate the
feasibility of the proposed scheme. Finally, the performance analysis shows that the scheme improves security
without increasing energy consumption.

The road‑map of the paper is as follows

In Section “Mathematical preliminaries”, they reviewed some of the basics of math and information security and
defined the notations and descriptions and threat model used by the scheme. In Section “Safety analysis of exist-
ing schemes”, the advantages and some security vulnerabilities in the work of Xue et al.16 are discussed. Sections
“The proposed scheme” and “Security analysis” present the proposed scheme and the corresponding security
analysis, respectively. In Section “Efficiency analysis”, the performance of the proposed scheme is evaluated, and
finally, the whole paper is concluded in Section “Conclusions”.

Mathematical preliminaries
Cryptanalysis
Cryptanalysis, a subset of cryptography, is the process of deciphering or breaking cryptographic systems. It uti-
lizes techniques such as mathematics, computer science, and engineering to unveil encrypted data. The primary
objective of cryptanalysis is to achieve unauthorized access to encrypted information by scrutinizing weaknesses
in encryption algorithms, key management, and security mechanisms. This involves activities such as password
guessing, analysing the mathematical aspects of encryption algorithms, identifying vulnerabilities in encryption
keys, and exploiting errors in implementation. The efficacy of cryptanalysis hinges on the intricacy and robust-
ness of the cryptosystem. This field plays a pivotal role in information security, contributing to the evaluation
and enhancement of cryptographic system strength.

­ CDH18
ECC and E
Elliptic Curve Cryptography (ECC) is a public key encryption algorithm that is widely used in the field of
cryptography. The security of ECC is based on the discrete logarithmic problem on elliptic curves, which is
considered to be difficult to solve; thus, encryption algorithms based on this mathematical puzzle provide a high
level of security. Compared to traditional RSA algorithms based on the integer factorization problem, ECC can
use shorter key lengths while providing the same level of security, thus reducing the computational and storage
requirements. Overall, elliptic curve cryptography is an important part of the modern field of cryptography and
provides a powerful tool for secure communication.
The elliptic Curve Diffie-Hellman key exchange (ECDH) is mainly used to establish secure shared encryp-
tion data in an insecure channel, generally exchanging private keys, which are generally used as "symmetric
encryption" keys by both parties for subsequent data transmission. ECDH is based on the premise that given a
point P on an elliptic curve and an integer k, it is easy to solve for Q = KP, but it is difficult to solve for K via Q, P.

BAN logic
BAN logic is a formal method for analysing and verifying cryptographic schemes, proposed by Burrows, Abadi,
and Needham (BAN) in ­198919. The basic idea of BAN logic is to convert messages in a cryptographic scheme into
a logical language representation and then use inference rules to derive the beliefs and goals of the participants
in the scheme. BAN logic can be used to find vulnerabilities in a scheme to improve its security and efficiency.
Table 1 shows the notations used by BAN ­logic20 and descriptions of these notations. The BAN logic rules
SK
↔
Q,P⊳{H}SK
used include: message meaning rule R1: P|≡PP|≡Q|∼H , random number verification rule R2: P|≡#(H),P|≡Q|∼H
P|≡Q|≡H ,
P|≡#(H)
arbitration rule R3: P|≡Q|≡H,P|≡Q|⇒H
P|≡H , freshness rule R4: P|≡#(H,G) , belief rule R5: P|≡(H,G)
P|≡G , and session secret key
rule R6: P|≡#(H),P|≡Q|≡H
SK .
P|≡P ↔ Q

Random oracle model

In 1993, Bellare and Rogaway formally proposed the Random Oracle Model (ROM) methodology, with which
the past purely theoretical research of provable security methodology quickly made significant progress in the

Notations Descriptions Notations Descriptions

P| ≡ H P believes H is true SK
P↔Q Both P and Q can use the shared key SK to communicate with each other
P⊳H P sees H and is capable of reading and repeating it P|∼H P once said H; at some time, P has sent the message containing H
H is fresh which means it was never sent before the current execution of the
#(H) P| ⇒ H P has control or jurisdiction over H
protocol
{H}K The ciphertext obtained by encrypting plaintext H with key K

Table 1.  Notations used by BAN logic and descriptions of these notations.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 3

Vol.:(0123456789)
 www.nature.com/scientificreports/

field of practical applications. A large number of fast and effective security programs have been proposed, and
at the same time, they also produced the "concrete security or exact security", which means that they no longer
only satisfy the asymptotic degree of security but can exactly obtain a more accurate security measure. Practical-
oriented provable security theory has been widely accepted by academia and industry.
Inside cryptography, a random oracle is a prediction machine (simply put, like a black box for the theory) that
returns a truly uniformly random output for any input, and for the same input, this prediction machine outputs
the same output in the same way every time (i.e., if the query is repeated, it responds in the same way every time
the query is submitted). In other words, a randomized prediction machine is a function that randomly maps all
possible inputs to outputs.
The stochastic prediction machine model is usually an idealized stand-in for the real hash function and has
its origins in the idea of viewing hash functions as pseudorandom. The stochastic prediction machine model
has the following properties:

1) Consistency: Inputs that are the same should produce matching outputs.
2) Computability: the output can be calculated within a polynomial time frame.
3) Uniform Distributability: The prediction machine’s output is evenly spread across the value space without
any overlaps.
4) In the stochastic prediction machine model, it is assumed that the adversary will not exploit the weakness
of the hash function to attack the cryptographic scheme.

Notations and descriptions

Table 2 shows the notations used in this paper and descriptions of these notations.

­ odel18
Threat m
In this article, the following threat models are used:

1) Communication conducted over a public channel is susceptible to eavesdropping, providing attackers with
an advantage.
2) Threats to any system can come from external entities or even legitimate users who may act as attackers.
3) Attackers have the capability to manipulate, erase, redirect, and replay intercepted messages, compromising
the integrity of the communication.
4) The attacker is assumed to possess knowledge of the protocol used in the authentication system.

Safety analysis of existing s­ chemes16

Scheme16 proposed an authentication and key agreement scheme for multigateway environments. In the scheme,
biometrics, a crucial element, is extracted and authenticated using a fuzzy extractor. The program consists of
the following six processes:

1) System initialization. The SA assigns identity IDhg, IDfg and private keys xhg, xfg to HGWN and FGWN and
establishes a shared key Khf. The HGWN and FGWN independently choose three random numbers, denoted
as Rh, Rf and Rfh, respectively.

Notations Descriptions Notations Descriptions

Ui and Ua User Ui and Ua E(Fp) Elliptic curve finite field E(Fp)
GWN Gateway node GWN P Base points on elliptic curves P
Sj Sensor node Sj ri and ru The private key ri and ru of the user Ui
IDi The identity IDi of the user Ui rg The private key rg of the gateway node GWN
IDhg The identity IDhg of the gateway node GWN rs The private key rs of the sensor node Sj
SIDj The identity SIDj of the sensor node Sj Ri and Ru The public key Ri and Ru of the user Ui
PWi The password PWi of the user Ui Rg The public key Rg of the gateway node GWN
BIOi The biological factor BIOi of the user Ui Rs The public key Rs of the sensor node Sj
SCi The smart card SCi of the user Ui · Elliptic curve point multiplication operation
SKu The negotiated session key SKu of the user Ui Gen The generation process of fuzzy extraction
SKs The negotiated session key SKs of the sensor node Sj Rep Recovery process of fuzzy extraction
The random secret information generated by fuzzy
KG Gateway node secret value KG αi
extraction αi of the user Ui
The auxiliary bit string generated by fuzzy extraction βi
List Number of user authentication βi
of the user Ui
‖ concatenation operator h(·) hash function
T Timestamp ⊕ XOR operator
ΔT Maximum permitted transmission delay mod Modular exponentiation

Table 2.  Notations used in this paper and descriptions of these notations.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 4

Vol:.(1234567890)
www.nature.com/scientificreports/

2) Registration. This stage comprises sensor registration and user registration. Both sensor nodes and users
are needed to register their fundamental details with the nearest HGWN gateway. After the registration, Ui
saves B1 = h(αi‖IDi‖PWi) ⊕ ri, B2 = h(HPWi‖αi‖IDi‖ri)mod n0 to SC, HGWN saves SIDj, and Sj saves xj.
3) Login. Ui inputs IDi, PWi, and BIOi, SC verifies the identity of Ui by calculating B2 = h(HPWi‖αi‖IDi‖ri)mod
n0, if the verification passes, Ui sends M1 = {TIDi, IDhg, SIDj, D0, D1, D2, D3, T1} over the public channel to
HGWN.
4) Authentication and key agreement.After receiving the communication request between Ui and SIDj, HGWN
initially verifies if the designated sensor Sj is within its communication range. If HGWN can retrieve SIDj
from its local database, it can proceed following Case 1, and the three parties, Ui, HGWN, and SIDj, per-
form authentication and key agreement; otherwise, it operates according to Case 2, and the four parties, Ui,
HGWN, FGWN, and SIDj, perform authentication and key agreement.
5) Password update. User enters his or her IDi, PWi, and BIOi, and SC verifies. If the verification passes, the user
enters new password PWi’, SC computes new B1′, B2′, and ei′ and saves.
6) Smart card logout. The user enters his or her IDi, PWi, and BIOi and SC verifies it. If the verification passes,
Ui sends M0 = {TIDi, βi, R0, T1} over the public channel to HGWN. HGWN verifies that Ki’ is equal to Ki by
computation. if the verification passes it deletes Ui’s information {IDi, Ki, honey_list}.

The existing ­scheme16 has some advantages in resisting password guessing, replay, and other attacks to achieve
two-way authentication and key agreement; however, there are also security vulnerabilities, such as the inability
to guarantee anonymity and the potential to suffer from MITT attacks. In this section, the advantages of the
scheme and the existence of security vulnerabilities are p­ resented21.

Advantages of the s­ cheme16

The advantages of the s­ chemes16 include the following:

1) The use of biometric-based fuzzy extraction technology effectively enhances the security of user login via
the three-factor authentication mechanism.
2) Security of the authentication process is ensured through use of the challenge/response m ­ echanism22.
3) The user’s secret xi and the sensor’s secret xj are calculated using the hash function, and they are not transmit-
ted in the public channel, which can prevent the secret from being cracked and ensure its forward security.
4) The honey list technique, which can prevent password guessing attacks by setting the number of logins and
avoid smart card loss attacks and offline guessing attacks, is adopted.
5) Replay attacks are avoided by setting the timestamp T.
6) Two-way authentication and key agreement are achieved as the negotiated session key SK contains a random
number of users, gateways, and sensors to improve the security of the negotiated ­key23.

Security vulnerabilities of the s­ cheme16

The scheme’16 security vulnerabilities include the following:

1) Unable to meet the anonymity requirement: During the registration process, Ui sends IDi to HGWN, Sj sends
SIDj to HGWN, and HGWN sends IDhg to Ui. Attackers intercept IDi, IDhg, and SIDj in the public channel
to easily obtain the identity IDs of the user, gateway, and node. Therefore, the scheme cannot guarantee
anonymity.
2) Unable to secure user p ­ arameters24: During the registration process, Ui sends {IDi, HPWi, βi} to the HGWN.
The attacker intercepts IDi in the public channel. During the login process, Ui sends M1 = {TIDi, IDhg, SIDj,
D0, D1, D2, D3, T1} to the HGWN. The attacker intercepts D2 in the public channel and calculates:
h(ru ||xi ) = IDi ⊕ D2 (1)
  The attacker intercepts D0 and calculates:
βi = D0 ⊕ h(xi ||ru ) (2)

Ki = h(IDi ||βi ) (3)

ei = HPWi ⊕ Ki ⊕ xi (4)
  The attacker obtains all the parameters of the user login.
3) Unable to secure user secrets xi and sensor secrets xj: During the registration process, Ui sends {IDi, HPWi,
βi} to HGWN and HGWN sends {TIDi, βi, ei, IDhg} to Ui. The attacker intercepts HPWi, IDi, βi, and ei in the
public channel and calculates:
Ki = h(IDi ||βi ) (5)

xi = HPWi ⊕ Ki ⊕ ei (6)
  The user secret xi is cracked. Attackers directly obtain sensor secret xj in the public channel.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 5

Vol.:(0123456789)
 www.nature.com/scientificreports/

4) Unable to secure user private key ru: During the login process, Ui sends M1{TIDi, IDhg, SIDj, D0, D1, D2, D3,
T1} to HGWN, and the attacker intercepts D1 in the public channel and can crack xi by point (3) above and
calculates:
ru = D1 ⊕ xi (7)
  The user private key ru is cracked.
5) Unable to secure gateway private key rhg and sensor private key rs: During the registration process, HGWN
sends {xj} to Sj. The attacker intercepts xj in the public channel. During the authentication process, the HGWN
sends M2 = {D0, D4, D5, D6, T2} to Sj and Sj sends M3 = {D7, D8, T3} to the HGWN. The attacker intercepts D4,
D7, T2, T4 in the public channel and can ­crack25:
rhg = D4 ⊕ h(xj ||T2 ) (8)
  The attacker crack:
rs = D7 ⊕ h(xj ||rhg ||T4 ) (9)
6) Unable to achieve secure two-way authentication: According to Points (2), (3), and (4) above, the attacker
cracks xi, ru, Ki, During the registration process, Ui sends {IDi, HPWi, βi} to the HGWN, and during the login
process, Ui sends M1 = {TIDi, IDhg, SIDj, D0, D1, D2, D3, T1} to the HGWN. The attacker intercepts TIDi, IDi,
SIDj, T1 in the public channel, and by calculating D3 = h(TIDi‖IDi‖SIDj‖ru‖xi‖Ki‖T1) can crack D3, so the
gateway authentication user algorithm is cracked. During registration, HGWN sends {xj} to Sj, during login,
Ui sends M1 = {TIDi, IDhg, SIDj, D0, D1, D2, D3, T1} to HGWN, and during authentication, HGWN sends
M2 = {D0, D4, D5, D6, T2} to Sj. According to Points (4) and (5) above, the attacker cracks ru, rhg and intercepts
SIDj, IDhg, xj, T2 in the public channel; D6 can be cracked by calculating:
D6 = h(SIDj ||IDhg ||ru ||rhg ||xj ||T2 ) (10)
  The sensor authentication gateway algorithm is cracked.
7) Unable to negotiate a secure session key: The negotiated key is SKs = h(ru‖rhg‖rs‖IDhg). During the login
process, Ui sends M1 = {TIDi, IDhg, SIDj, D0, D1, D2, D3, T1} to HGWN. According to Points (4) and (5) above,
the attacker breaks ru, rhg, rs and intercepts IDhg in the public channel, which can crack:
SKs = h(ru ||rhg ||rs ||IDhg ) (11)
  The scheme cannot negotiate a secure session key, and it has forward security problems.
8) Unable to resist MITT attacks: The attacker records all M1 = {TIDi, IDhg, SIDj, D0, D1, D2, D3, T1} sent to the
GWN, all M2 = {D4, D5, D6, T2} sent to Sj, and all xj sent to Sj by the gateway, and then calculates:
∗
rhg = D4 ⊕ h(xj∗ ||T2 ) (12)

ru∗ = D5 ⊕ h(rhg
∗
||xj∗ ||T2 ) (13)

For each group M1, the attacker calculates:

xi∗ = ru∗ ⊕ D1 (14)

βi∗ = D0 ⊕ h(xi∗ ||ru∗ ) (15)

IDi∗ = D2 ⊕ h(ru∗ ||xi∗ ) (16)

Ki∗ = h(IDi∗ ||βi∗ ) (17)

Whether D3 = h(TIDi‖IDi ‖SIDj‖ru ‖xi ‖Ki ‖T1) is equal to D3 is verified. If equal, the attacker can determine
* * * * *

user Ui with its corresponding Sj and obtain the values of the parameters ru, xi, and so on. The attacker starts a
new session with user Ui, selects rhg, rs, and TIDi′, and calculates:
SKhg = h(ru ||rhg ||rs ||IDhg ) (18)

D9 = rs ⊕ h(xi ||ru ) (19)

D10 = rhg ⊕ h(ru ||xi ) (20)

xi′ = h(TIDi′ ||xhg ) ⊕ Rh (21)

D11 = TIDi′ ⊕ h(xi ||IDi ||ru ) (22)

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 6

Vol:.(1234567890)
www.nature.com/scientificreports/

D12 = xi′ ⊕ h(TIDi′ ||xi ) (23)

D13 = h(SKhg ||xi′ ||TIDi′ ||Ki ||T4 ) (24)

The attacker sends M4 = {D9, D10, D11, D12, D13, T4} to Ui. Ui calculates:
rs∗ = D9 ⊕ h(xi ||ru ) (25)

∗
rhg = D10 ⊕ h(ru ||xi ) (26)

SKu∗ = h(ru ||rhg

∗
||rs∗ ||IDhg ) (27)

TIDi′∗ = D11 ⊕ h(xi ||IDi ||ru ) (28)

xi′∗ = D12 ⊕ h(TIDi′∗ ||xi ) (29)

′* ′*
Ui verifies whether D13 = h(SKhg ‖x ‖TIDi ‖Ki‖T4) is equal to D13. If equal, according to the rule, the user
* *

accepts this SK as the agreement key and the attacker successfully implements the MITT attack.

The proposed scheme

In this section, an ECC-based three-factor authentication and key agreement scheme for WSNs is proposed, the
improvement measures of the scheme are introduced, and then a specific implementation scheme, including
system initialization, node registration, user registration, two-way authentication and key agreement, pass-
word update, and smart card logout, is ­proposed17. The proposed scheme operates under the following security
assumptions:

1) The gateway is securely impenetrable and has unlimited computation, storage, and communication capabili-
ties.
2) The WSN network is a bidirectional channel, and nodes can communicate normally.
3) The WSN network employs asymmetric encryption, meaning it utilizes both public and private keys.
4) Upon successful completion of the key agreement in the WSN network, the user and the sensor node can
establish communication using the session key.

Scheme improvement measures

1) The authentication scheme is designed using an ECC key agreement protocol to ensure the forward security
of the scheme.
2) The user ID is replaced by the user identifier TID after the hashing operation, all IDs are forbidden to be sent
explicitly, and no direct XOR calculation can be performed to ensure the anonymity of the scheme.
3) Random numbers ru and rs are forbidden to be sent in clear text, and no direct XOR calculation can be
performed to ensure secure two-way authentication and key agreement and resist MITT ­attacks26.
4) More complex parameters are selected to improve the security of the session key.
5) The relevant parameters in the SC card are updated after two-way authentication and key agreement to ensure
that the scheme is resistant to internal ­attacks27.

Specific implementation plan

1) System Initialization
  At the very beginning, the system needs to be initialized. GWN selects E(Fp), P, h(.) and the secret value
KG, publicly release E(Fp), P, h(.), save KG.
2) Node Registration
  After the system is initialized, the node can start registering. Node Sj applies for registration to the GWN,
which selects the unique SIDj of the node, calculates xj = h(SIDj‖KG), and writes {SIDj, xj} to node Sj.
3) User Registration
  After the system is initialized, the user can start registering. The user registration process is shown in Fig. 1.
• Step R1: User Ui inputs ID i, PWi, BIO i, chooses random number r i ∈ Z p*, calculates Ri = r i·P,
Gen(BIOi) = (αi, βi), TIDi = h(IDi‖αi‖ri), HPWi = h(PWi‖αi), and Ui sends {TIDi, HPWi, Ri} to GWN.
• Step R2: The gateway GWN chooses a random number rg ∈ Zp* and calculates Rg = rg·P. After the GWN
receives the Ui message, it calculates xi = h(TIDi‖KG), Ki = h(TIDi‖HPWi), Rig = rg·Ri, ei = xi ⊕ Rig ⊕ Ki, sets
the number of logins List = 0, saves {TIDi, HPWi, List = 0}. Write {Rg, ei} to smart card SCi and issue to Ui.
• Step R3: User Ui receives the smart card SCi, calculates Ki = h(TIDi‖HPWi), Rig = ri·Rg, xi = ei ⊕ Rig ⊕ Ki,
B1 = h(IDi‖αi‖PWi) ⊕ ri, B2 = h(HPWi‖IDi‖αi‖ri)mod n0, and writes {B1, B2, βi} to the smart card SCi.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 7

Vol.:(0123456789)
 www.nature.com/scientificreports/

Figure 1.  Registration phase.

Figure 2.  The authentication and key agreement phase 1.

4) Authentication and Key Agreement

  After node and user registration is complete, the user, GWN, and node can start authentication and key
agreement. Figures 2 and 3 shows the authentication and key agreement phase.
• Step A1: User Ui inputs ID i , PWi , BIO i , smart card SC i calculates α i * = Rep(BIO i , β i ),
r i* = B 1 ⊕ h(ID i‖α i*‖PWi), HPWi* = h(PWi‖α i*), B 2* = h(HPWi*‖ID i‖α i*‖r i*)mod n 0, SCi verifies
whether B2* is equal to B2 and continues it is; otherwise, terminate. User Ui chooses a random num-
ber ru ∈ Zp* and calculates Ru = ru·P, Rig = ri·Rg, Ki = h(TIDi‖HPWi), xi = ei ⊕ Rig ⊕ Ki, TIDi′ = h(IDi‖αi‖
ru), Cu = h(Ru‖xi′), D0 = ru·Rg, D1 = h(D0‖TIDi‖HPWi), D2 = TIDi′ ⊕ (D1‖xi), choose time T1, calculate
D3 = h(TIDi′‖D0‖xi‖Ki‖T1). Ui sends {Ru, D2, D3, TIDi, T1} to the GWN.
• Step A2: The gateway GWN receives the message and selects T2, verifies whether |T2 − T1| is less than or
equal to △T and continues if it is, otherwise terminates. The GWN calculates D0* = rg·Ru, xi = h(TIDi‖KG),
D1* = h(D0*‖TIDi‖HPWi), TIDi′* = D2 ⊕ (D1*‖xi), Ki = h(TIDi‖HPWi), D3* = h(TIDi′*‖D0*‖xi‖Ki‖T1), verifies
whether D3* is equal to D3 and continues if it is, List plus one; otherwise, it is terminated. GWN calcu-
lates xi′* = h(TIDi′*‖KG), Cu* = h(Ru‖xi′*), D4 = rg ⊕ h(SIDj‖xj‖T2), D5 = Cu ⊕ h(rg‖xj), D6 = TIDi′ ⊕ h(SIDj‖rg),
D7 = h(TIDi′‖SIDj‖Cu‖rg‖xj‖T2), and the GWN sends {Ru, Rg, D4, D5, D6, D7, T2} to Sj.
• Step A3: The sensor Sj receives the message and selects T3, verifies whether |T3 − T2| is less than or
equal to △T and continues it is; otherwise, it is terminated. Sj selects a random number rs ∈ Zp*, cal-
culates Rs = rs·P, rg* = D4 ⊕ h(SIDj‖xj‖T2), Cu* = D5 ⊕ h(rg*‖xj), TIDi’* = D6 ⊕ h(SIDj‖rg*), D7* = h(TIDi′*‖SI

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 8

Vol:.(1234567890)
www.nature.com/scientificreports/

Figure 3.  The authentication and key agreement phase 2.

Dj‖Cu*‖rg*‖xj‖T2), verifies whether D7* is equal to D7 and continues if it is; otherwise, it is terminated.
Cs = h(Rs‖xj), Rsu = rs·Ru, SKs = h(SIDj‖rg‖Rsu‖Cu‖Cs‖TIDi′), D8 = rs·Rg, D9 = h(SIDj‖rg‖D8‖xj‖Cs‖T3),
D10 = h(SIDj‖SKs‖rg‖TIDi′) is calculated, and Sj sends {Rs, D9, D10, T3} to the GWN.
• Step A4: The gateway GWN receives the message and selects T4, verifies whether |T4 − T3| is less than
or equal to △T and continues if it is; otherwise, it is terminated. The GWN calculates Cs* = h(Rs‖xj),
D8* = rg·Rs, D9* = h(SIDj‖rg‖D8*‖xj‖Cs*‖T3), verifies whether D9* is equal to D9 and continues if it is;
otherwise, it is terminated. D11 = rg ⊕ h(D0‖xi′‖T4), D12 = Cs ⊕ h(xi′‖rg), D13 = SIDj ⊕ h(D12‖xi′‖rg),
Ki′ = h(TIDi′‖HPWi), ei′ = xi′ ⊕ Rug ⊕ Ki′, D14 = h(TIDi′‖xi′‖Ki′‖rg‖Cs‖SIDj‖D0‖T4) is calculated and {TIDi′,
Ki′, List} is updated, and the GWN sends {Rs, ei′, D10, D11, D12, D13, D14, T4} to Ui.
• Step A5: User Ui receives the message and selects T5, verifies whether |T5 − T4| is less than or equal to
△T and continues it is; otherwise, it is terminated. Ui calculates Ki′ = h(TIDi′‖HPWi), xi′* = ei′ ⊕ Rug ⊕ Ki′,
Cu* = h(Ru‖xi′*), rg* = D11 ⊕ h(D0‖xi′*‖T4), Cs* = D12 ⊕ h(xi′*‖rg*), SIDj* = D13 ⊕ h(D12‖xi′*‖rg*), D14* = h(TIDi
′
‖xi′*‖Ki′‖rg*‖Cs*‖SIDj*‖D0‖T4), verifies whether D14* is equal to D14 and continues if equal; otherwise,
it is terminated. Rus = ru·Rs, SKu = h(SIDj‖rg‖Rus‖Cu‖Cs‖TIDi′), D10* = h(SIDj‖SKu‖rg‖TIDi′) is calculated,
whether D10* is equal to D10 is verified, and it continues if it is; otherwise, it is terminated. This com-
pletes the two-way authentication and negotiates the session key SK for user Ui and sensor Sj. Finally,
Ui calculates B1′ = h(IDi‖αi‖PWi) ⊕ ru, B2′ = h(HPWi‖IDi‖αi‖ru)mod n0 with B1′, B2′, ei′ replacing B1, B2, ei
within the smart card SCi.
5) Password Update.
  Users can also perform a password update at any time after completing the authentication and key agree-
ment. The password update process is shown in Fig. 4.
• Step P1: User Ui inputs ID i , PWi , BIO i , smart card SC i calculates α i * = Rep(BIO i ,β i ),
ru* = B1 ⊕ h(IDi‖αi*‖PWi), HPWi* = h(PWi‖αi*), B2* = h(HPWi*‖IDi*‖αi*‖ru*)mod n0, verifies whether
B2* is equal to B2 and continues if it is; otherwise, it is terminated. SCi calculates TIDi = h(IDi‖αi‖ru),
Ki = h(TIDi‖HPWi), Rug = ru·Rg, xi = ei ⊕ Rug ⊕ Ki.
• Step P2: User Ui enters the new password PWinew, smart card SCi calculates HPWinew = h(PWinew‖αi),
K inew = h ( T I D i‖ H P Winew) , e inew = R ug ⊕ K inew ⊕ x i, B 1new = h ( I D i‖ α i‖ P Winew) ⊕ r u,
B2new = h(HPWinew‖IDi‖αi‖ru)mod n0, replacing B1,B2,ei in smart card SCi with B1new, B2new, einew, and the
password update is completed.
6) Smart Card Logout
  Smart Card Logout can be performed when the user’s Smart Card is no longer in use. The smart card
logout process is shown in Fig. 5.
• Step S1: User Ui inputs ID i, PWi, BIO i, calculates α i* = Rep(BIO i,β i), r u* = B 1 ⊕ h(ID i‖α i*‖PWi),
HPWi* = h(PWi‖αi*), B2* = h(HPWi*‖IDi‖αi*‖ru*)mod n0, verifies whether B2* is equal to B2 and continues
if it is; otherwise, it is terminated. Ki = h(TIDi‖HPWi), Rug = ru·Rg, xi = ei ⊕ Rug ⊕ Ki is calculated, time T1
is chosen, Lo = xi ⊕ h(Ki‖T1) is calculated, and Ui sends {TIDi, Lo, T1} to the GWN.
• Step S2: The gateway GWN receives the message and selects T2, verifies whether |T2 − T1| is less than or
equal to △T and continues if it is; otherwise, it is terminated. The GWN calculates Ki′ = h(TIDi‖HPWi),
xi* = Lo ⊕ h(Ki′‖T1), xi = h(TIDi‖KG), verifies whether xi* is equal to xi and continues if it is; otherwise,

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 9

Vol.:(0123456789)
 www.nature.com/scientificreports/

Figure 4.  Password update.

Figure 5.  Smart card logout.

it is terminated. Finally, the messages associated with Ui{TIDi, HPWi, List} are deleted, and smart card
revocation is completed.

Security analysis
This section provides a formal security analysis of the scheme using BAN logic. The informal security analysis is
performed through Propositions 1 to 11 for a variety of known attacks. The security analysis proves the correct-
ness of the scheme; it can resist various security attacks and has high security c­ haracteristics28.

Formal analysis based on BAN logic

Next, BAN logic is used to demonstrate the security of the scheme.

1) Goals SK SK
  G1: Sj | ≡ Ui ↔ Sj G2: Sj |≡ Ui | ≡ Ui ↔ Sj
SK SK
  G3: Ui | ≡ Sj ↔ Ui G4: Ui ≡ Sj  ≡ Sj ↔ Ui
 
2) Idealized Forms
  M1: Ui → GWN : Ru , D2 , T1 , TIDi , < TIDi′ , D0 , ki >xi
  M2: GWN → Sj : Ru , Rg , D4 , D5 , D6 , T2 , < TIDi′ , Ui | ≡ Cu , rg >xj
  M3: Sj → GWN : Rs , D10 , T3 , < D8 , rg , Sj | ≡ Cs >xj
  M4: GWN → Ui : ei′ , Rs , D10 , D11 , D12 , D13 , T4 , < TIDi′ , xi′ , D0 , rg , Sj | ≡ Cs >ki′
3) Assumptions xi xj
  A1: GWN| ≡ Ui ↔ GWN A2: Sj | ≡ GWN ↔ Sj

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 10

Vol:.(1234567890)
www.nature.com/scientificreports/

xj ki′
  A3: GWN| ≡ Sj ↔ GWN A4: Ui | ≡ GWN ↔ Ui
  A5: GWN| ≡ #(Cu ) A6: Sj | ≡ # rg 
 
  A7: GWN| ≡ #(Cs ) A8: Ui | ≡ # rg
  A9: GWN|≡  Ui |⇒< D3 > A10: Sj |≡ GWN| ⇒< D7 >
  A11: GWN ≡ Sj  ⇒< D9 > A12: Ui |≡ GWN| ⇒< D14 >
  A13: Sj | ≡ #(Cu ) A14: Ui | ≡ #(Cs )
SK SK
  A15: Sj |≡ Ui | ∼ Ui ↔ Sj A16: Ui ≡ Sj ∼Ui ↔ Sj
 
4) Main Proofs
 From M1, they can get S1: GWN⊳ < D3 >xi.
 From S1, A1, R1, they can get S2: GWN|≡ Ui | ∼< D3 >.
 From A5, R4, they can get S3: GWN| ≡ #(< D3 >).
 From S2, S3, R2, they can get S4: GWN|≡ Ui | ≡< D3 >.
 From S4, A9, R3, they can get S5: GWN| ≡< D3 >.
 From M2, they can get S6: Sj ⊳ < D7 >xj.
 From S6, A2, R1, they can get S7: Sj |≡ GWN|∼ < D7 >.
 From A6, R4, they can get S8: Sj | ≡ #(< D7 >).
 From S7, S8, R2, they can get S9: Sj |≡ GWN| ≡< D7 >.
 From S9, A10, R3, they can get S10: Sj | ≡< D7 >.
 From S10, R5, they can get S11: Sj |≡ Ui | ≡ Cu.
SK = h SIDj ||rg ||Rsu ||Cu ||Cs ||TIDi′ .
 

SK
 From S11, A13, SK, R6, they can get S12: Sj | ≡ Ui ↔ Sj , they have achieved G1.
SK
 From S12, A13, A15, R2, R4, they can get S13: Sj |≡ Ui | ≡ Ui ↔ Sj , they have achieved G2.
 From M3, they can get S14: GWN⊳ < D9 >xj.
 From S14, A3, R1, they can get S15: GWN ≡ Sj ∼ < D9 >.
 
 From A7, R4, they can get S16: GWN| ≡ #(<  D9 >).
 From S15, S16, R2, they can get S17: GWN ≡ Sj  ≡< D9 >.
 From S17, A11, R3, they can get S18: GWN| ≡< D9 >.
 From M4, they can get S19: Ui ⊳ < D14 >ki′.
 From S19, A4, R1, they can get S20: Ui |≡ GWN|∼ < D14 >.
 From A8, R4, they can get S21: Ui | ≡ #(< D14 >).
 From S20, S21, R2, they can get S22: Ui |≡ GWN| ≡< D14 >.
 From S22, A12, R3, they can get S23:
 Ui | ≡< D14 >.
 From S23, R5, they can get S24: Ui ≡ Sj  ≡ Cs.
SK = h SIDj ||rg ||Rus ||Cu ||Cs ||TIDi′ .
 

SK
 From S24, A14, SK, R6, they can get S25: Ui | ≡ Sj ↔ Ui , they have achieved G3.
SK
 From S25, A14, A16, R2, R4, they can get S26: Ui | ≡ Sj | ≡ Sj ↔ Ui , they have achieved G4.

In summary, according to the BAN logic rules, the security objectives G1 to G4 of this scheme have been
achieved, and the security of the scheme has been proven.

Formal analysis based on the random oracle model

Theorem 1 In a scenario where an adversary attacker (A) operates within probabilistic polyno-
mial time (PPT) against a protocol (P) in a random oracle, A is allowed to make up to qs Send
∗ i k j
( , m) queries, qe Execute ( , , ) queries, and qh oracle queries. Let D denote the pass-
   
I U GWN S
word space, which follows a Zipf distribution with parameters C′ and s′16. Additionally, l repre-
sents the output length of the hash function and AKE represents authenticated key agree-
ment. In the context of the random oracle model, the probability P of A successfully
compromising the protocol in PPT is defined as follows:

2
q2h

 q
′ s′ qs
 qs qs + qe
AdvAKE
P (A)
s
= 2|Pr[S4 ]−Pr[S0 ]| ≤ max l −1 , 2C qs , l−1 + l−1 + l + (30)
2α 2 2 2 p−1
Proof: The scheme is divided into five games, labelled Gi(i = 1, 2, 3, 4, 5). In each game, there is a condition
denoted as Si, indicating that A successfully predicts a bit b before advancing in the game.
G0: It mimics a real attack in the random oracle model, where A has full access to all oracles. Hence,

AdvAKE
P (A) = 2Pr[S0 ] − 1 (31)

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 11

Vol.:(0123456789)
 www.nature.com/scientificreports/

Figure 6.  Define the channels, variables, constants, operations and events.

G1: In G1, A conducts a passive attack, intercepting messages through the Excute(*) query and attempting to
j
guess the output of the Test ( S ) query. However, the impossibility of deducing SK = h(SIDj‖rg‖Rus‖Cu‖Cs‖TIDi′)
means that A’s advantage in a successful attack does not increase. Hence,
Pr[S1 ] = Pr[S0 ] (32)
G2: A is allowed to make Send ( I , m) and H queries to persuade the legitimate communicator with forged
∗
messages. The simulation concludes only if A manages to discover collisions and successfully constructs con-
vincing messages. The probabilities of their occurrence, based on the birthday p ­ aradox29, are ( qh2/2l+1) and
((qs + qe) /2(p-1)). Hence,
2

q2h (qs + qe )2
|Pr[S2 ] − Pr[S1 ]| ≤ + (33)
2l+1 2(p − 1)
G3: This game is distinct from the earlier games because if A successfully guesses the correct authentication
Factors D3, D7, D9, and D14. The simulation concludes if H queries are not utilized. It is identical to the previous
games in all aspects, except for situations where correct authentication is refused. Hence,
qs
|Pr[S3 ] − Pr[S2 ]| ≤ (34)
2l
G4: In this game, A can acquire more information through the Corrupt ( U , a) query. A successfully guesses
i
αi with a length of lα, with a probability of (qs/2lα). Additionally, A successfully guesses the victim’s password with
s′
a probability of C′qs . The likelihood of A guessing the correct x is (q /2l). Hence,
i s
q qs 
s
|Pr[S4 ] − Pr[S3 ]| ≤ max , C′qs′s , (35)
2lα 2l

1
Pr[S4 ] = (36)
2
Based on Eqs. (31) to (36), they can infer either Conclusion (30) or Conclusion (37):
2
q2h

 q
′ s′ qs
 qs qs + qe
AdvAKE
P (A) = 2|Pr[S4 ]−Pr[S0 ]| ≤ max
s
, 2C q s , + + + (37)
2lα −1 2l−1 2l−1 2l p−1

­ roVerif30
Formal security verification via P
This section presents the formal security verification of the proposed scheme by using the Pi calculus-based simu-
lation tool ProVerif. To date, ProVerif has been used to verify many protocols and demonstrate their correctness

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 12

Vol:.(1234567890)
www.nature.com/scientificreports/

Figure 7.  The process of Ui.

Figure 8.  The process of GWN.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 13

Vol.:(0123456789)
 www.nature.com/scientificreports/

Figure 9.  The process of Sj.

Figure 10.  Define the queries and simulate the scheme.

Figure 11.  Outputs of the Proverif verification.

and robust properties, so ProVerif is used in this study to rectify the secrecy and authentication properties of
the focal protocol.
The channels, variables, constants, operations and events are defined as shown in Fig. 6:
According to the proposed scheme execution, they define the process of Ui as shown in Fig. 7:
The process of GWN is modeled as shown in Fig. 8:
The process of Sj is modeled as shown in Fig. 9:
The queries are defined and the whole scheme is simulated as executing in parallel as shown in Fig. 10:
The outputs of the ProVerif verification is shown in Fig. 11:
Results (1) and (2) indicate the secrecy of the proposed scheme because of the failing query attack on session
keys SKS and SKU. Moreover, Results (3) and (4) confirm the successful mutual authentication between Ui and
Sj. In other words, the proposed scheme not only provides the secrecy of the session key, but also achieves the
authentication property by verifying the correspondence assertions in the Dolev-Yao model.

Informal analysis
This scheme can resist many common attacks and effectively address the shortcomings of existing schemes. The
proof of this is as follows:

Proposition 1 The scheme has anonymity.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 14

Vol:.(1234567890)
www.nature.com/scientificreports/

Proof All identity ID in the scheme are not transmitted in clear text in the public channel, and the identity iden-
tifiers TIDi = h(IDi‖αi‖ri) and TIDi′ = h(IDi‖αi‖ru) are used to replace the ID for t­ ransmission17. Assuming that
the attacker intercepts TIDi, according to the one-way property of the hash function, the attacker cannot resolve
IDi31. In addition, even if the attacker intercepts both TIDi and TIDi′, it is impossible to determine whether the
two parameters come from the same ID; hence, the scheme has anonymity.

Proposition 2 The scheme is resistant to registered legitimate user attacks.

Proof Suppose attacker Ua registers legitimate user IDa and calculates TIDa = h(IDa‖αa‖ra). Ua registers with
gateway GWN, which calculates xa = h(TIDa‖KG), Ka = h(TIDa‖HPWa). The TIDa generated by the attacker based
on IDa is different from the TIDs of other legitimate users, and the x and K generated by registering to GWN
through TIDa are also different. Therefore, the scheme can resist registered legitimate user attacks by generating
new identity information TIDs, and the attacker cannot obtain messages to any other legitimate user by register-
ing a legitimate user.

Proposition 3 The scheme is resistant to smart card loss attacks and offline guessing a­ ttacks17.

Proof Suppose that a user’s smart card is lost or stolen, and the attacker obtains the card and the information
it contains, B1 = h(IDi‖αi‖PWi) ⊕ ri, B2 = h(HPWi‖IDi‖αi‖ri)mod n0, by differential energy attack, because B1
and B2 are hash functions with one-way security. However, the attacker is unable to extract the password PWi
of user Ui from it. Second, if the attacker wishes to obtain the user’s password PWi through offline password
guessing, he or she needs to have the biometric trait αi and the private key ri, however, the attacker is not in
possession of αi and ri, and therefore, the attacker is unable to carry out an offline password guessing a­ ttack32.
Again, B2 = h(HPWi‖IDi‖αi‖ri)mod n0, when n0 is taken large enough, the number of password guesses grows
exponentially and it is not feasible to obtain the password by offline guessing. Finally, the gateway records the
number of user authentication List, and it is impossible for an attacker to complete an offline guessing attack
within a limited number of guesses. Therefore, the scheme resists smart card loss attacks and offline guessing
attacks by means of hash functions, biometrics, modulo arithmetic, and recording the number of authentication
times, which are infeasible regardless of whether the attacker tries to extract the password from the smart card
or crack the password through offline guessing.

Proposition 4 The scheme is resistant to spoofed user attacks.

Proof To disguise a user login gateway, the attacker needs to send {Ru, D2, ­D3, TIDi, T1} to the gateway,
where Ru = ru·P, TIDi′ = h(IDi‖αi‖ru), Cu = h(Ru‖xi′), D0 = ru·Rg, D1 = h(D0‖TIDi‖HPWi), D2 = TIDi′ ⊕ (D1‖xi),
D3 = h(TIDi′‖D0‖Cu‖xi‖Ki‖T1); the attacker needs to master the user’s private key ru, identifier TIDi, password
PWi, biometric αi, secret xi, key parameters Ki, and so on, so it is clear that the attacker cannot master the above
parameters at the same time and cannot make a spoofed user attack. Therefore, the scheme can resist spoofed
user attacks by setting various parameters.

Proposition 5 The scheme is resistant to internal attacks.

Proof There is a possibility that insiders leak user information at the gateway. In the user registration stage, the
user’s registered password PWi is protected by HPWi = h(PWi‖αi), and the insider may obtain HPWi. Based on
the unidirectional nature of the hash function, the insider is unable to compute PWi by HPWi = h(PWi‖αi)33. In
addition, HPWi also contains the user’s biometric αi, and the insider cannot obtain αi to guess the correct PWi
by offline guessing. Therefore, the scheme can resist internal attacks by setting HPWi.

Proposition 6 The scheme is resistant to tampering attacks.

Proof Suppose the attacker tampers with the message sent by the user to the gateway, and the gateway receives
the message and needs to verify whether D3* = h(TIDi′‖D0*‖Cu‖xi‖Ki‖T1) is equal to D3. To crack D3, the attacker
needs to have both the user’s private key ru, identifier IDi, password PWi, secret xi, and key parameter Ki34, etc.
The above parameters are not propagated in plaintext over the public channel, and the attacker cannot verify
them through the gateway. Therefore, the scheme makes it impossible for an attacker to authenticate D3 by setting
multiple parameters. The scheme is resistant to tampering attacks.

Proposition 7 The scheme is resistant to replay attacks.

Proof A replay attack occurs when an attacker sends a packet that has been received by the target for the purpose
of spoofing the system. All the messages sent in the two-way authentication process contain the timestamp T, and
all parties need to verify whether the time difference is less than △T after receiving the message. If the attacker
carries out replay attacks, the replayed message can be recognized by verifying the timestamp. The scheme resists
replay attacks by adding timestamps.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 15

Vol.:(0123456789)
 www.nature.com/scientificreports/

Xue et al.16 Mo et al.39 Deng et al.40 Meriam et al.6 Proposed Scheme

Year 2021 2022 2022 2022 2022
Forward security × × × × √
Resist KSSTI attacks × × × √ √
Resist internal privilege attacks √ × √ × √
Resist offline dictionary attacks √ √ √ √ √
Clock synchronization √ × √ × √
Anonymity × √ √ √ √
Resist MITM attacks × × √ √ √
Resist user registration attacks × √ √ √ √

Table 3.  Comparison of security features. Remarks: √: Yes × : No.

Proposition 8 The scheme is resistant to MITT attacks.

Proof According to the challenge/response mechanism, both the user and the gateway or the sensor and the
gateway need to verify each other’s identity. According to Propositions 4 and 6, which have already been proven,
the attacker cannot disguise the user or tamper with the message, so the attacker cannot launch a MITT attack
disguised as an intermediary. The same can be proven for the communication between sensors and gateways. In
addition, timestamps and random numbers are fresh and cannot be forged by an MITT ­attack35. Therefore, an
attacker cannot disguise him- or herself as an MITT to launch an attack. The scheme makes it impossible for the
attacker to accomplish MITT attacks by authenticating the user, gateway, and sensor.

Proposition 9 The scheme is resistant to Denning-Sacco ­attacks36.

Proof Suppose the attacker steals the agreement key SK = h(SIDj‖rg‖Rsu‖Cu‖Cs‖TIDi′). SK is the hash function’s
hash ­value37, and according to its one-way property, the attacker cannot obtain the parameters in SK. In addition,
the parameters in SK such as user private key ru, gateway private key rg, sensor private key rs, Cu, and Cs are not
transmitted in the public channel, and the attacker cannot complete the Denning-Sacco attack.Therefore, the
scheme resists Denning-Sacco attacks by performing hash transformations on the session key SK and by making
SK have more complex parameters.

Proposition 10 The scheme has forward security.

Proof Assuming that the attacker intercepts the public keys Ru and Rs of the user and the sensor, the calculation
of SK also requires ru, rg, rs, Cu, and Cs. None of these parameters are transmitted in the public channel, and they
cannot be obtained by the attacker. An attacker trying to calculate rs and ru by Rs = rs*P and Ru = rs*P, or rs*Ru and
Rs*ru by Rs*Ru cannot do so because the above computations involve ECCDLP mathematical puzzles. Therefore,
the scheme is forward-safe.

Proposition 11 The scheme enables both two-way authentication and key agreement.

Proof The scheme through D 3 = h(TID i′‖D 0‖Cu‖x i‖Ki‖T 1) and D 14 = h(TID i′‖x i′‖Ki′‖rg‖C s‖SID j‖D 0‖T 4)
achieves two-way authentication of the user and the gateway and through D7 = h(TIDi′‖SIDj‖Cu‖rg‖xj‖T2) and
D9 = h(SIDj‖rg‖D8‖xj‖Cs‖T3) achieves two-way authentication of the gateway and the sensor, while the session
key SKs = h(SIDj‖rg‖Rsu‖Cu‖Cs‖TIDi′) = h(SIDj‖rg‖Rus‖Cu‖Cs‖TIDi′) = SKu is negotiated during the authentica-
tion process.

Table 3 shows the security comparison of each scheme. It can be seen that this scheme has better security.

Efficiency analysis
The sensor nodes of WSNs have the characteristics of limited resources and low computation. In this section,
they analyze the performance of scheme in analysed from two aspects—computation overhead and communica-
tion overhead—and the scheme is proven to be suitable for resource-constrained WSNs through comparisons
with other ­schemes38.

Computational overhead
The computational overhead is mainly considered for recovering biometric features, point multiplication, modu-
lar exponentiation, symmetric encryption/decryption, hashing, and so forth. The computational overhead of
XOR and concatenation is very small and negligible compared to other operations. Referring to the ­literature15,
the computational elapsed time is shown in Table 4; the comparison of computational overheads of each scheme
is shown in Table 5.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 16

Vol:.(1234567890)
www.nature.com/scientificreports/

Notations Descriptions Time consuming (ms)

TFE Time of recover biometric features 1.989
Tecm Time of point multiplication operation 1.989
Tmm Time of Modular exponentiation operation 0.171
TE/D Time of symmetric encryption/decryption operations 0.00325
Th Time of hash operation 0.0026

Table 4.  The notations, descriptions, and time consuming required for computational time.

Ui GWN Sj 合计
Xue et al.16 13Th + 1TFE 18Th 6Th 37Th + 1TFE
Mo et al.39 2Tecm + 12Th + 1TFE 10Th + 1TE/D 2Tecm + 5Th + 1TE/D 4Tecm + 27Th + 2TFE + 1TFE
Deng et al.40 2Tecm + 14Th + 1TFE 13Th 2Tecm + 7Th 4Tecm + 34Th + 1TFE
Meriam et al.6 4Tecm + 8Th + TE/D 2Tecm + 5Th + TE/D 2Tecm + 2Th 8Tecm + 15Th + 2TE/D
Proposed scheme 5Tecm + 22Th + 1TFE 4Tecm + 18Th 3Tecm + 8Th 12Tecm + 48Th + 1TFE

Table 5.  Comparison of computational overhead.

From the computational time consumption in Table 4, it can be seen that the TFE and Tecm time consumption is
high, and the TFE of each scheme is similar, so the focus is on the point multiplication operation Tecm. This scheme
uses the ECC-based key agreement scheme, and the point multiplication operation overhead is higher than that
of other schemes, but it has higher security compared to other schemes that only use hash computation or sym-
metric encryption and decryption schemes. WSNs focus on the computational overhead of resource-constrained
sensor nodes. The computational overhead of the sensor nodes is increased only once compared to s­ chemes6,39,
­and40, which also have point multiplication operations. This scheme does not put too much pressure on sensor
computation. Although the other schemes have less computational overhead, the present scheme is more effec-
tive in dealing with various security threats and is more suitable for high security systems.

Communication overhead
The communication overhead is mainly for the data lengths of identity, hash value, fuzzy extractor public data,
random numbers, timestamp, points of elliptic curve (public key), and symmetric encryption/decryption data.
To facilitate the comparison, each data length in this scheme is set uniformly. The specific values are shown in
Table 6, the comparison of communication overheads of each scheme is shown in Table 7, and the specific com-
munication overhead quantization diagrams are shown in Figs. 12 and 1341.

Notations Descriptions Length(bit)

LID Identity length 32
Lh Hash value length 160
LFE Fuzzy extractor public data length 128
Lr Random number length 128
LT Timestamp length 32
LECC Points of elliptic curve (public key) length 160
LE/D Symmetric encryption/decryption data length 128

Table 6.  The notations, descriptions, and lengths required for communication data.

Ui GWN Sj Total
Xue et al.16 3LID + 1LFE + 6Lh + 1LT 1LID + 1LFE + 11Lh + 1LT 1LID + 2Lh + 1LT 5LID + 2LFE + 19Lh + 3LT
Mo et al.39 1LID + 7Lh + 1LT 1LECC + 1LE/D + 1LFE + 5Lh + 3LT 1LECC + 2Lh + 1LT 1LID + 2LECC + 1LE/D + 1LFE + 14Lh + 5LT
Deng et al.40 1LECC + 5Lh 2LECC + 10Lh 1LECC + 2LFE 4LECC + 15Lh + 2LFE
Meriam et al.6 1LECC + 4LE/D + 3Lh + 1LT 2LECC + 2Lh + 2LT 1LECC + 1Lh + 1LT 4LECC + 4LE/D + 6Lh + 4LT
Proposed scheme 2LECC + 4Lh + 1LT 3LECC + 10Lh + 2LT 1LECC + 2Lh + 1LT 6LECC + 16Lh + 4LT

Table 7.  Communication overhead comparison.

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 17

Vol.:(0123456789)
 www.nature.com/scientificreports/

Figure 12.  Total communication overhead comparison.

Figure 13.  Comparison of node communication overhead.

This scheme is based on ECC, and as the communication process needs to send each party’s public key several
times, the communication overhead is slightly higher than with other schemes. For the communication overhead
of resource-constrained sensor nodes, this scheme is the same as s­ cheme39 and slightly higher than s­ chemes6,16
­and40, but still within the tolerance range of sensor nodes and suitable for WSNs.

Conclusions
This paper examines multifactor authentication for WSNs. First, related schemes from recent years are intro-
duced, and based on this, the scheme of Xue et al.16 is examined, with a focus on its advantages and security
vulnerabilities. Then, a three-factor authentication and key agreement scheme based on ECC is proposed for
WSNs. The security of the scheme is demonstrated by the BAN logical and informal analysis, and efficiency
analysis shows that the scheme is used for resource-constrained WSNs. Overall, the proposed scheme effectively
improves the security performance of WSNs based on efficiency and has good application value. Due to the
use of ECC dot-multiplication operations, the computational energy consumption of the scheme is still higher
compared to the scheme with only hash operations; therefore, in the next step of this research, the efficiency of
the scheme needs to be further improved to guarantee security.

Data availability
The authors confirm that the data supporting the findings of this study are available within the article and its
supplementary materials.

Received: 4 September 2023; Accepted: 14 January 2024

References
1. Mishra, D. et al. Efficient authentication protocol for secure multimedia communications in IoT-enabled wireless sensor networks.
Multimed. Tools Appl. 77, 18295–18325 (2018).
2. Lee, Y. & Kim, H. Anonymous password-based authenticated key agreement scheme with non-tamper resistant smart cards. Int.
J. Secur. Appl. 9(11), 419–428 (2015).

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 18

Vol:.(1234567890)
www.nature.com/scientificreports/

3. Wu, M., Chen, J. & Wang, R. An enhanced anonymous password-based authenticated key agreement scheme with formal proof.
Int. J. Netw. Secur. 19(5), 785–793 (2017).
4. Jiang, Q. et al. An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks.
J. Netw. Comput. Appl. 76, 37–48 (2016).
5. Li, X. et al. A three-factor anonymous authentication scheme for wireless sensor networks in internet of things nvironments. J.
Netw. Comput. Appl. 103, 194–204 (2018).
6. Meriam, F., Hassan, E. G. & Ahmed, T. A lightweight ECC-based three-factor mutual authentication and key agreement protocol
for WSNs in IoT. Int. J. Adv. Comput. Sci. Appl (IJACSA) 13(6), 491–501 (2022).
7. Wu, F., Xu, L., Kumari, S. & Li, X. A privacy-preserving and provable user authentication scheme for wireless sensor networks
based on Internet of Things security. J. Ambient Intell. Humaniz. Comput. 8(1), 101–116 (2017).
8. Wu, F. et al. An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment.
J. Netw. Comput. Appl. 89, 72–85 (2016).
9. Bayat, M., Atashgah, M. B., Barari, M. & Aref, M. R. Cryptanalysis and improvement of a user authentication scheme for internet
of things using elliptic curve cryptography. Int. J. Netw. Secur. 21(6), 897–911 (2019).
10. Guo, H., Gao, Y., Xu, T., Zhang, X. & Ye, J. A secure and efficient three-factor multi-gateway authentication protocol for wireless
sensor networks. Ad Hoc Netw. 95, 101965 (2019).
11. Jung, J., Moon, J., Lee, D., Won, D. & Akkaya, K. Efficient and security enhanced anonymous authentication with key agreement
scheme in wireless sensor networks. Sensors 17(3), 644 (2017).
12. Sravani, C. et al. Secure signature-based authenticated key establishment scheme for future iot applications. IEEE Access 5, 3028–
3043 (2017).
13. Singh, M. & Mishra, D. Post-quantum secure authenticated key agreement protocol for wireless sensor networks. Telecommun.
Syst. 84(1), 101–113 (2023).
14. Azrour, M., Mabrouki, J., Guezzaz, A. & Farhaoui, Y. New enhanced authentication protocol for internet of things. Big Data Min.
Anal. 4(1), 1–9 (2021).
15. Vinoth, R., Deborah, L. J., Vijayakumar, P. & Kumar, N. Secure multifactor authenticated key agreement scheme for industrial IoT.
IEEE Internet Things J. 8(5), 3801–3811 (2021).
16. Xue, L., Huang, Q., Zhang, S., Huang, H. & Wang, W. A lightweight three-factor authentication and key agreement scheme for
multigateway WSNs in IoT. Secur. Commun. Netw. 2021, 1–15 (2021).
17. Liu, Z., Li, Z., Zhang, Q., Dong, S., Liu, J. & Zhao, Y. Two-factor authentication and key agreement schemes for smart home fin-
gerprint characteristics. Mobile Inf. Syst. (2022).
18. Srinivas, J., Mishra, D., Mukhopadhyay, S. & Kumari, S. Provably secure biometric based authentication and key agreement protocol
for wireless sensor networks. J. Ambient. Intell. Humaniz. Comput. 9, 875–895 (2018).
19. Liu, S. M., Ye, J. Y. & Wang, Y. L. Improvement and security analysis on symmetric key authentication protocol Needham-Schroeder.
Appl. Mech. Mater. 513, 1289–1293 (2014).
20. Lai, C., Ma, Y., Lu, R., Zhang, Y. & Zheng, D. A novel authentication scheme supporting multiple user access for 5g and beyond.
IEEE Trans. Depend. Secure Comput. 2022, 1–16 (2022).
21. Yang, Y., Zheng, X., Guo, W., Liu, X. & Chang, V. Privacy-preserving fusion of IoT and big data for e-health. Future Gener. Comput.
Syst. 86, 1437–1455 (2018).
22. Tyagi, P., Kumari, S., Alzahrani, B. A., Gupta, A. & Yang, M. H. An enhanced user authentication and key agreement scheme for
wireless sensor networks tailored for IoT. Sensors 22, 8793 (2022).
23. Liu, S., Li, X., Wu, F., Liao, J. & Lin, D. A novel authentication protocol with strong security for roaming service in global mobile
networks. Electronics 8(9), 939 (2019).
24. Ansari, A. A., Gera, P., Mishra, B. & Mishra, D. A secure authentication framework for WSN-based safety monitoring in coal
mines. Sādhanā 45, 1–16 (2020).
25. Chen, C. M., Liu, S., Chaudhry, S. A., Chen, Y. C. & Khan, M. A. A lightweight and robust user authentication protocol with user
anonymity for IoT-based healthcare. Comput. Model. Eng. Sci. 130(4), 307–329 (2022).
26. Chen, Y., López, L., Martínez, J. F.&Castillejo, P. A lightweight privacy protection user authentication and key agreement scheme
tailored for the internet of things environment: Lightpriauth. J. Sens. (2018).
27. Guo, J. & Du, Y. A secure three-factor anonymous roaming authentication protocol using ECC for space information networks.
Peer Peer Netw. Appl. 14(2), 898–916 (2021).
28. Sani, S. A., Dong, Y., Yeoh, P. L., Wei, B. & Vucetic, B. A lightweight security and privacy-enhancing key establishment for internet
of things applications. In2018 IEEE International Conference on Communications (ICC) (2018).
29. Boyko, V., MacKenzie, P. & Patel, S. Provably secure password-authenticated key exchange using Diffie-Hellman. In Advances
in Cryptology—EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques Bruges,
Belgium, 14–18 May, 2000 Proceedings 19 156–171 (Springer, 2000).
30. Mo, J. & Chen, H. A lightweight secure user authentication and key agreement protocol for wireless sensor networks. Secur. Com‑
mun. Netw. 2019, 1–17 (2019).
31. Zhou, Z., Wang, P. & Li, Z. A quadratic residue-based RFID authentication protocol with enhanced security for TMIS. J. Ambient
Intell. Humaniz. Comput. 10(9), 3603–3615 (2019).
32. Kumar, D., Grover, H. S., Kaur, D., Verma, A. & Kumar, B. An efficient anonymous user authentication and key agreement protocol
for wireless sensor networks. Int. J. Commun. Syst. 34(5), e4724 (2021).
33. Kamil, I. A. & Ogundoyin, S. O. A lightweight mutual authentication and key greement protocol for remote surgery application
in Tactile Internet environment. Comput. Commun. 170, 1–18 (2021).
34. Khalid, H., Hashim, S. J., Ahmad, S. M. S., Hashim, F. & Chaudhary, M. A. Robust multi-gateway authentication scheme for
agriculture wireless sensor network in society 5.0 smart communities. Agriculture 11(10), 1020 (2021).
35. Alharbi, M. H. & Alhazmi, O. H. User authentication scheme for internet of things using near field communication. Int. J. Reliab.
Qual. Saf. Eng. 27(5), 2040012 (2020).
36. Abbas, G., Tanveer, M., Abbas, Z. H., Waqas, M. & Baker, T. A secure remote user authentication scheme for 6LoWPAN-based
Internet of Things. Plos One 16(11), e0258279 (2021).
37. Yeh, H., Chen, T., Liu, P., Kim, T. & Wei, H. A secured authentication protocol for wireless sensor networks using elliptic curves
cryptography. Sensors 11, 4767–4779 (2011).
38. Zhang, S., Du, X. & Liu, X. An efficient and provable multifactor mutual authentication protocol for multigateway wireless sensor
networks. Secur. Commun. Netw. 2021, 1–17 (2021).
39. Mo, J., Hu, Z. & Shen, W. A provably secure three-factor authentication protocol based on chebyshev chaotic mapping for wireless
sensor network. IEEE Access 10, 12137–12152 (2022).
40. Deng, D. Research on key technologies of authentication and secret key management based on non-traditional certificates in WSN.
Univ. Electron. Sci. Technol. (2022).
41. Jo, H. R., Pak, K. S., Kim, C. H. & Zhang, I. J. Cryptanalysis and improved mutual authentication key agreement protocol using
pseudo-identity. Plos One 17(7), e0271817 (2022).

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 19

Vol.:(0123456789)
 www.nature.com/scientificreports/

Acknowledgements
The author would like to thank his esteemed college leaders for their support of his scientific work and his col-
leagues Yanwu Di, Si Chen, Chaoyang Huang, Wenliang Liu, and Yan Li for their contributions to this work.
This work was supported by the research project "Research on Key Management Scheme for Clustered Wireless
Sensor Networks" (Grant Number [KYZ202203]) of Xiamen Ocean Vocational College (China).

Author contributions
W.H. independently conceived and designed the study; prepared the materials, collected and analyzed the data;
and wrote the first and final drafts of the manuscript.

Competing interests
The author declares no competing interests.

Additional information
Correspondence and requests for materials should be addressed to W.H.
Reprints and permissions information is available at www.nature.com/reprints.
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and
institutional affiliations.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International
License, which permits use, sharing, adaptation, distribution and reproduction in any medium or
format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the
Creative Commons licence, and indicate if changes were made. The images or other third party material in this
article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the
material. If material is not included in the article’s Creative Commons licence and your intended use is not
permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from
the copyright holder. To view a copy of this licence, visit http://​creat​iveco​mmons.​org/​licen​ses/​by/4.​0/.

© The Author(s) 2024

Scientific Reports | (2024) 14:1787 | https://doi.org/10.1038/s41598-024-52134-z 20

Vol:.(1234567890)