Privacy Preserving Scalable Authentication Protocol with Partially

Trusted Third Party for Distributed Internet-of-Things

Hiral S. Trivedi

and Sankita J. Patel

Department of Computer Engineering, Sardar Vallabhbhai National Institute of Technology, Surat 395007, India

Keywords:

Authentication, Anonymity, Security, Scyther, Scalability, Partially Trusted Third Party.

Abstract:

Internet-of-Things (IoT) has triggered substantial research in real-time applications of distributed networking

infrastructure involving disparate entities with heterogeneous protocol conﬁguration stacks. The disparate

characteristics of diverse infrastructures elevate the need for improved authentication in distributed IoT. The

distributed environment also ampliﬁes the requirement of effective scalability to eliminate halting or restarting

of a system whenever any fresh user joins an existing communication channel. Several security protocols

using fully trusted third party (TTP) and multi-authority based approaches have been proposed to facilitate

reliable distributed networks. These approaches while providing efﬁcient key agreement, have issues such

as key escrow and complete rights policy of fully TTP and compulsory user coordination of multi-authority

based systems. We propose a novel privacy preserving dynamic new user addition protocol with partially TTP

to address fully TTP issues, while achieving efﬁcient scalability to avoid resource wastage in distributed IoT.

Formal security analysis is exhibited using a real-or-random model and formal veriﬁcation under a scyther

security veriﬁcation tool. Finally, we present a performance evaluation to elucidate the utility of our protocol.

1 INTRODUCTION

Widespread IoT adoption has engendered connection

of physical objects with cyberspace enabling ubiq-

uitous computing through integrated disparate sys-

tems for information sharing via communication net-

works (Das et al., 2020). IoT advocacy in critical

sectors while facilitating pervasive services, has also

accentuated information security risk which necessi-

tates a robust authentication requirement for secure

and anonymous access to sensitive information. Also,

the primary challenges of efﬁcient scalability, unin-

terrupted communication channel, and cryptographic

resource wastage in developing effective distributed

systems are higher (Trivedi and Patel, 2020). Several

authors have designed fully TTP and multi-authority

based protocols, however they rarely jointly achieve

robust security and effective privacy. Conventional

mechanisms have shortcomings such as fully TTP in-

corporating complete rights policy and key escrow,

while multi-authority based approaches have compul-

sory user coordination and random authority appoint-

ment (Trivedi and Patel, 2020). As a result, none of

the standard approaches provide an amalgamated so-

lution to completely mitigate aforementioned limita-

tions. Hence, to satisfy dynamic scalability while pro-

https://orcid.org/0000-0002-2152-8264

viding reasonable trade-off between security and pri-

vacy, we proffer a combined key solution in our novel

generic protocol for dynamic fresh user addition with

a partially TTP approach. We also present our novelty

in achieving dynamic system scalability without inter-

rupting on-going communication channels for fresh

node addition. The TTP has partial involvement in

performing secure authentication with a fresh node

for veriﬁcation process. After successful veriﬁcation,

a fresh node is granted ﬁnal communication secret key

to participate in the system. We outline three major

challenges in designing our protocol as follows. Ro-

bust Security: Standard Public Key Cryptography

(PKC) has higher processing cost while, Symmetric

Key Cryptography (SKC) has secret key sharing and

trust issues. However, designing light-wight robust

authentication for IoT devices remains a challenge.

As per Ecrypt II report, a 128 bit symmetric key is

equivalent to security strength of 3,248 bit asymmet-

ric key (Babbage et al., 2009). Thereby, we prereg-

ister long-term secret for effective key sharing and

execute SKC based challenge/response game utiliz-

ing one-time dynamic alias identity, hash functions

and JSON Web Token (JWT). Privacy: An ideal

authentication protocol requires efﬁcient trade-off to

satisfy between robust security with strong identity

and effective privacy with weaker identity to preserve

anonymity (Wang, 2018). Complete Trust Policy:

812

Trivedi, H. and Patel, S.

Privacy Preserving Scalable Authentication Protocol with Partially Trusted Third Party for Distributed Internet-of-Things.

DOI: 10.5220/0010599508120818

In Proceedings of the 18th International Conference on Security and Cryptography (SECRYPT 2021), pages 812-818

ISBN: 978-989-758-524-1

Fully TTP systems with complete rights over crypto-

graphic resources invoke security violations and key

escrow problems for encrypting parties.

1.1 Related Work

(Das et al., 2020) proposed elliptic curve cryptogra-

phy (ECC) based RFID authentication protocol to en-

sure tag’s security and privacy. However, the scheme

has higher computational requirements. (Gope and

Sikdar, 2018) and (Saeed et al., 2018) proposed light-

weight privacy preserving authentications. Utiliz-

ing fuzzy extractor, physically unclonable function

and PKC based certiﬁcate-less schemes result in high

processing and storage costs. (Chen et al., 2019)

and (Zhang et al., 2019) introduced light-weight pri-

vacy preserving authentication incorporating PKC

and SKC algorithms. However, complete trust and

information leakage in their schemes violate secu-

rity and privacy policies. (Kang et al., 2016) pro-

posed a zero-knowledge based mutual authentication

which overlooked secure device registration. (Vi-

jayakumar et al., 2018) utilized anonymous certiﬁ-

cates/signatures in their protocol but overlooked cal-

culating communication cost and packet delivery ra-

tio. (Chang and Le, 2015) enhanced (Turkanovi

et al., 2014) vulnerable scheme by proposing ECC

based authentication. However, their approach is

still vulnerable to side-channel, brute-force and stolen

smart-card attacks. (Lai et al., 2014) proposed privacy

preserving authentication using PKC difﬁe-hellman

techniques. However, location and time-based pri-

vacy are not considered. (Lin et al., 2015) highlighted

impersonation attacks that cheat central server while

preserving anonymity in (Alcaide et al., 2013) authen-

tication protocol. (Khan et al., 2011)’s enhanced pro-

tocol version of (Wang et al., 2009) enabled insider

attack due to password based weak security level.

1.2 Our Contributions

Our contributions are: First, Partial Rights Pol-

icy: To eliminate complete rights and knowledge

sharing, we adopt partially TTP located outside the

premises of Smart Homes (SH). Second, Robust Se-

curity: Auto shared key updation in correspondence

to JWT session expiry time is designed to boost se-

curity. Third, Complete Anonymity: We calculate

one-time dynamic alias-identity over encrypted iden-

tities to preserve complete anonymity of authenticated

users. Fourth, Dynamic Scalability: Partially TTP is

responsible only for verifying fresh node legitimacy

by performing secure authentication to allow partici-

pation in the existing communication channel. This

prevents frequent halting and restarting of securely

conﬁgured systems to alleviate communication and

computational costs. To the best of our knowledge,

this paper proposes the ﬁrst authentication protocol

that jointly addresses partial rights policy, robust se-

curity, complete anonymity, and dynamic scalability.

Prerequisites for our indigenous protocol model are

discussed in Section 2. Section 3 presents privacy pre-

serving secure authentication protocol with partially

TTP. Security analysis and veriﬁcation are hypothe-

sized in Section 4. Performance evaluation and con-

clusions are elucidated in Section 5 and Section 6.

2 PRELIMINARIES

1. Indistinguishable Encryption Under Chosen

Plain-text Attack (IND-CPA): This formally states

that two different encryptions of same plain-text

do not produce similar cipher-text for symmetric

encryption (Trivedi and Patel, 2020): Deﬁnition 1:

This illustrates single/multiple (SI

/ML

) eaves-

dropper in a random oracle. The X encryption

oracles are (E

,..,E

) with encryption keys

(Ek

,Ek

,..,Ek

), respectively. The advantage func-

tion of SI

/ML

is Adv

IND−CPA

(Φ) = 2 Prob



←

: (b

←

);θ ←

{0,1};γ ←

(bθ) : SI

(γ) = θ)



− 1 and Adv

IND−CPA

(Φ) =

2Prob



← E

,..,E

;(b

←

);θ ←

{0,1};γ ←

(bθ),..,γ

←

(bθ) :

(γ

,..,γ

) = θ)



− 1. The Φ is a secure

symmetric cipher whose encryption is IND-CPA.

It safeguards against (SI

/ML

) eavesdropper if



Adv

IND−CPA

(Φ),Adv

IND−CPA

(Φ)



is negligible in

the Φ for any probabilistic polynomial time.

2. Architecture: Partially TTP having own private

network is located outside the premises of SH units

and a new user wishing to participate in an estab-

lished communication channel of SH units. It is as-

sumed that inter-network SH units are securely con-

nected for continuous communication. A dynamic

new user addition is executed using legitimate par-

tially TTP which holds signature long-term secret for

identity veriﬁcation. In addition, we assume partially

TTP is a resource rich entity while new users have re-

source limited devices to perform authentication on a

secure channel. We restrict TTP to validate a fresh

user’ identity and maintain complete anonymous au-

thenticated user database with partial information to

constrain knowledge sharing and complete rights pol-

icy. Fig.1 illustrates our design architecture and Table

1 describes the notations.

Privacy Preserving Scalable Authentication Protocol with Partially Trusted Third Party for Distributed Internet-of-Things

813

3. Adversary Model is as follows. Conﬁdential-

ity: An A

con f

cannot intercept, tamper or modify the

and T

JW T

that are secure under our short term

secret r

and preregistered long term secret H

T T P |= T T P

↔ NU

∧ T T P |= T T P

C k T

JW T

∧

T T P

 T

JW T

T T P|=(T T P∪NU

)CkT

JW T

Authentication: An A

auth

cannot impersonate valid

and a T

JW T

as r

is XORed using H

. Semantic

security is achieved by encrypting T

JW T

with SH

and

XORing SH

with r

T T P|=T T P

←→NU

C T

JW T

T T P|=NU

 T

JW T

Integrity: An A

int

has negligible probability to tam-

per valid SH

and T

JW T

. A T

JW T

session time

will expire while brute-forcing a 128 bit SH

requir-

ing 5.784e+35 nanoseconds (ns) (Trivedi and Patel,

2020). Immediately after a T

JW T

expires, the TTP will

update the SH

and T

JW T

and discard the old values.

T T P|=(T

JW T

)∧T T PCT

JW T

(T )T

JW T

T T P|=#(T

JW T

)

Replay Attack: Data blocks are appended with

unique random numbers and time-stamps which

prevent an A

rep

to respond to old messages.

T T P|=#(T

JW T

)∧T T PC(T

JW T

)C(T

JW T

)

T T P|=#(T

JW T

)

Anonymity: We preserve anonymity by calculating

one-time dynamic alias identity over encrypted iden-

tities such that a new user identity remains anony-

mous for an A

anony

and TTP in the system model.

I |= θ(NU

,r,m) ⇒ P

[¬θ(i,a)]

Table 1: Notations used in our approach.

Acronym Description

/..../r

Securely generated pseudo random numbers

New user’s encrypted identity

New user’s one-time alias identity

T T P

,T TP

TTP’s encrypted identity & alias identity

T T P

TTP’s master key

New user’s password & Hash of password

New user’s secret device identiﬁcation

Hash of secret device identiﬁcation

H(·) One-way hash function

Aid

Fresh anonymous identiﬁcation

Symmetric encryption/decryption functions

/.../t

Times-stamps

JW T

Symmetric shared key & ID-based JWT

Calculated hash values

A Adversary

⊕,k,⊥ XOR, Concatenation & Termination operations

3 PROPOSED PROTOCOL

1. Registration Phase.

• TTP Registration: T T P generates an encrypted

identity T T P

and r

to calculate T T P

H(T T P

k r

) and T T P

= S

(T T P

)

T T P

• New User Registration: Step 1: NU generates

, NU

and r

to calculate H

= (r

k NU

After that NU computes NU

= S

(NU

)

and transmits (NU

) to T T P.

Step 2: After receiving (NU

) from NU,

TTP calculates NU

= S

(NU

)

and veri-

ﬁes if NU

is in the database. If yes, T T P gen-

erates F

= H(NU

k H

k t

) and

transmits (T T P

) to NU.

Step 3: Upon receiving (T T P

), NU fur-

ther retrieves F

by calculating hash of legiti-

mate registered H

and stores this data.

2. Secure Authentication Phase.

• Step 1: [NU → T T P (NU

)]: Upon ob-

taining (T T P

), NU retrieves H

H(NU

). Given the parameters (NU

NU calculates F

= H(NU

k H

) and transmits (NU

) to T T P.

• Step 2: T T P → NU (r

,SH

JW T

): Upon re-

ceiving (NU

), T T P veriﬁes F

= F

If F

= F

, NU

s login request is accepted,

else rejected. Assuming that NU

s request is ac-

cepted, T T P will generate a SH

, r

and T

JW T

A challenge/response game is enabled through

four stages:1) T T P computes SH

= (SH

⊕ r

2) T T P encrypts T

JW T

= S

JW T

)

. 3) r

is XORed with H(NU

) such that r

= (r

⊕

). 4) T T P computes Q

= H(1 k r

k SH

JW T

k t

) and transmits (r

,SH

JW T

) to

NU.

• Step 3: [NU → T T P (NU

)]: When obtain-

ing (r

,SH

JW T

), NU executes: 1) NU re-

trieves r

= (r

⊕ H

). 2) NU retrieves SH

Figure 1: Our proposed generic distributed IoT architecture.

SECRYPT 2021 - 18th International Conference on Security and Cryptography

814

(SH

⊕r

). 3) NU retrieves T

JW T

= S

JW T

)

4) NU calculates Q

= H(2 k r

k SH

k T

JW T

k t

)

and transmits (NU

) to T T P.

• Step 4: [T T P → NU (T T P

)]: Upon receiv-

ing NU

s response, T T P veriﬁes Q

= Q

. If

= Q

is true, all the values (r

= r

,SH

JW T

= T

JW T

) have been correctly retrieved.

If Q

6= Q

, then it will directly discard the values

and ⊥ the protocol. Assuming the response has

been matched and T T P has veriﬁed the NU, T T P

will transmit Q

= H(3 k r

k SH

k T

JW T

k t

) and

T T P

to complete the protocol.

4 SECURITY ANALYSIS

We prove theoretical analysis and semantic security

as per (Chang and Le, 2015). We also demonstrate

scyther results in Fig. 2 and Fig. 3 experimented on

100 runs with 10 patterns per claim which prove that

our protocol is secure against typical security attacks.

ROR Model: The components of ROR model are as

follows: i) Participants - u, p of main entities NU

and T T P identiﬁed as Π

, Π

T T P

. ii) Partnering -

T T P

of T T P is partnering with Π

and vice-versa.

The calculated one-time alias identity NU

is unique

and anonymous for each session in which Π

is a

participant. iii) Freshness - Assumes that for a given

reveal query Π

T T P

, if SH

is not leaked by an A, than

, Π

T T P

is fresh. iv) Adversary - A can access all

communicated messages to perform malicious activ-

ities. The queries executed by an A are: 1) Execute:

, Π

: It is modeled when an A eavesdrops on com-

municated messages between NU and T T P. 2) Send:

,msg: It is an active attack, where an A transmits

a msg to an instance Π

and accordingly gets a revert

from Π

. 3) Reveal: Π

: It reveals current SH

be-

tween Π

and partner Π

to an A . 4) Corrupt Π

It enables an A for obtaining all the secrets such as

to leak current SH

. 5) Test Π

: It is

a request by an A to Π

to guess a valid SH

and Π

replies within the probabilistic polynomial time such

that it returns SH

if c

= 1, or some other random

value if c

= 0. 6) Hash H(·): A one-way hash func-

tion denoted as H is a random oracle accessible to

an A and all entities. 7) Semantic security SH

: It

is modeled for an A to guess valid SH

by executing

test queries from random ﬂipping. An A wins only if

value of c

= c. Event S

is modeled if an A wins the

game. The semantic security of proposed protocol is

deﬁned as: Adv

= |2Prob[S] − 1|. The protocol is

secure if, Adv

≤ ε for small ε > 0.

Theorem 1. An A running in polynomial time t

against our secure authentication protocol in a de-

ﬁned random oracle model. Let D, q

send

,H,|D|

and



Adv

IND−CPA

(Φ), Adv

IND−CPA

(Φ)



be uni-

formly distributed password dictionary with num-

ber of hash queries q

, number of send queries

send

, H range of hash function and |D| the size

of D as the advantage of an A breaking IND-

CPA secure Φ. We state that



Adv

IND−CPA

(Φ) =

Adv

IND−CPA

(Φ),Adv

IND−CPA

(Φ)



. Assuming no en-

tity is compromised to have Adv

≤

|H|

2qsend

|D|

Proof: To construct G

: [0,4], where i : [0, 4] is the se-

quence of games demonstrating the probability of an

A’s advantage to break the security and S

is a seman-

tic security event of our protocol. G

: Illustrates an

active attack by an A choosing bit c of a coin at the

beginning in random oracle model. We deﬁne this as:

Adv

= 2Prob





− 1.

: Illustrates an eavesdropping attack using exe-

cute query (Π

, Π

) to retrieve SH

. The compu-

tation of SH

is T T P : SH

= (SH

⊕ r

), T T P :

JW T

= S

JW T

)

, T T P : r

= (r

⊕ H

) and

T T P : Q

= H(1 k r

k SH

k T

JW T

k t

). This requires

an A to calculate r

, which is secured under non-

transmitted H

, to retrieve SH

and T

JW T

. With-

out possessing both the secrets, an A has negligible

probability of wining this game. We deﬁne this as:

Adv



Prob(S

)



= Adv



Prob(S

)



: Illustrates modiﬁcation in game G

with q

send

and H functions. An A forwards a fabricated message

to convince the honest party to accept. This causes an

A to check collisions in the hash digest by executing

. Our protocol incorporates collision-resistant H(·)

function to safeguard H

= H(NU

), T T P : r

⊕H

), and T T P : Q

= H(1 k r

k SH

k T

JW T

). All secrets, identities and messages are appended

with random numbers and timestamps to mitigate col-

lisions using q

send

and q

queries. The result of birth-

day paradox is: Adv

|Prob[S

] − Prob[S

]| ≤

(2|H|)

: Illustrates an A using dictionary attacks to eas-

ily guess low-entropy passwords NU

. To prevent

such illegal access, our authentication system restricts

multiple incorrect password attempts which is much

smaller than |D| in a random oracle. We deﬁne this

as: Adv

= |Prob[S

] − Prob[S

]| ≤

send

|D|)

: An A intercepts NU smart-device after success-

fully gaining access to NU

. An A cannot derive SH

and T

JW T

even after gaining access to NU smart de-

vice due to non-transmission of long-term secret in

the communication channel. The SH

and T

JW T

are

secured under symmetric encryption cipher Φ. We

state that Φ is IND-CPA secure as per Deﬁnition 1.

We deﬁne this as: Adv

= |Prob[S

] − Prob[S

]| ≤

Privacy Preserving Scalable Authentication Protocol with Partially Trusted Third Party for Distributed Internet-of-Things

815

Adv

IND−CPA

(Φ)(l). Finally after computing G

;[0,4],

an A guesses bit c of a coin to win this game after

launching a test query Prob[s

] =

. Thus, we obtain

Adv

≤

|H|

send

m−1

.|D|

+ 2Adv

IND−CPA

(Φ)(l).

Theorem 2. Our proposed protocol preserves conﬁ-

dentiality, authenticity and anonymity.

Proof: A new user’s NU

is preregistered and in-

dependently computed on both the sensing modules

such that, H

= H(NU

). Also, our robust secu-

rity design will enable TTP to auto-update SH

while

brute forcing 128 bit symmetric key which takes

5.784e+35 ns. Non-transmission of long-term secret

prevents an A to retrieve data blocks such as

T T P : SH

= (SH

⊕r

), T T P : T

JW T

= S

JW T

)

T T P : r

= (r

⊕ H

). This will increase compu-

tational hardness for an A to prove Q

= H(1 k r

k T

JW T

k t

) and Q

= H(2 k r

k SH

k T

JW T

k t

Therefore, this will manipulate an A with invalid SH

key values. Furthermore, we generate one-time dy-

namic alias identity over an encrypted identity such as

T T P : T T P

= S

(T T P

)

T T P

and NU : NU

(NU

)

to provide sufﬁcient randomness and

anonymity for each new user. Hence, we achieve

stated objective of theorem 2. 

Figure 2: Code snippet in .spdl using scyther.

Theorem 3. Our proposed protocol safeguards

against impersonation and replay attacks.

Proof: The computational hardness in deriving

[T T P : r

= (r

⊕ H

)] will increase the computa-

tional complexity in deciphering T

JW T

with SH

due

to dynamic SH

updation that is directly proportional

to T

JW T

session expiry time. Since time-stamps are

Figure 3: Scyther simulation results for security veriﬁca-

tion.

appended with data blocks T T P : F

= H(NU

k H

k t

), NU : F

= H(NU

k H

k t

), T T P : Q

= H(1 k r

k SH

k T

JW T

k t

)

and NU : Q

= H(2 k r

k SH

k T

JW T

k t

). If,

− t ≤ δt, where t’ is data block received time and

t is data block generation time. If time difference is

less than δt the data block is accepted else, rejected.

Hence, we achieve stated objective of theorem 3. 

5 PERFORMANCE ANALYSIS

Table 2 and Table 3 present empirical analysis with

P 1:(Das et al., 2020), P 2:(Kang et al., 2016),

P 3:(Khan et al., 2011), P 4:(Saeed et al., 2018)

and P 5:(Zhang et al., 2019). We assume com-

munication and computational parameters such as

hashing: T

= 0.0005 sec of 160 bit, Symmetric

encryption/decryption:T

E/D

= 0.0087 sec, shared key,

random number, JWT and pseudo random function:

= 0.0003 sec of 128 bits, XOR: T

= 0.002 sec,

ECC multiplication: T

= 0.063075 sec of 320 bits,

identities and password of 64 bits, and timestamps

of 16 bits. Energy consumption is calculated with

3(W ) of power as (E

= Power

×Time

sec

). As ob-

served our performance is superior to P 2, P 4 and P 5.

P 1 and P 3 have lower costs and energy consumption

than ours. The minimal increase in overall perfor-

mance is acceptable given that our protocol achieves

dynamic system expansion, mitigates system restart-

ing and cryptographic wastage, and preserves robust

security with effective privacy.

SECRYPT 2021 - 18th International Conference on Security and Cryptography

816

Table 2: Computation and communication costs with energy consumption.

Protocols User node Gateway node Sensor node Total running cost Messages Total cost Energy

P 1 2T

+ 2T

— 2T

+ 2T

+ 4T

= 0.0264 sec. 3 0384 bits 763.6 mJ

P 2 2T

+ T

+ 2T

E/D

+2T

+3T

E/D

+3T

+4T

+ 3T

+ 7T

+ 9T

= 0.0825 sec. 4 1856 bits 247.2 mJ

P 3 2T

+ T

— 10T

+ 9T

12T

+ 10T

= 0.026 sec. 4 1200 bits 78 mJ

P 4 3T

+ T

— 3T

+ T

= 0.38715 sec. 3 2464 bits 1166.1 mJ

P 5 7T

+ T

— 9T

+ T

+ 2T

16T

+ 2T

= 0.04285 sec. 4 1600 bits 128.4 mJ

Ours 3T

+ T

+ 2T

— 2T

+ T

+ 2T

+ T

E/D

+ 4T

= 0.0279 sec. 4 1088 bits 83.7 mJ

Table 3: Features comparison.

Features P 1 P 2 P 3 P 4 P 5 Ours

Dynamic scalability 5 5 5 5 5 3

Anonymity 3 5 3 3 3 3

Robust security 3 5 5 3 3 3

No complete rights policy 5 5 5 5 5 3

Symmetric key cryptography 5 5 3 5 3 3

Formal analysis using ROR model 5 5 5 3 3 3

Security veriﬁcation 5 5 5 5 5 3

Safe against impersonation attacks 3 3 3 3 3 3

Safe against replay attacks 3 3 3 3 3 3

IND-CPA secure 5 5 5 3 3 3

Pairing-free scheme 3 5 5 3 3 3

Efﬁcient token updation 5 5 5 5 5 3

Efﬁcient shared key updation 5 5 5 5 5 3

Number of factors used 2 2 2 2 2 2

6 CONCLUDING REMARKS

In this paper, we propose privacy preserving au-

thentication protocol for dynamic system expansion

with partially TTP. Our protocol achieves superior

trade-off between robust security and effective pri-

vacy by adopting one-time alias identity with dy-

namic JWT and shared key updation during authenti-

cation. To achieve dynamic and anonymous scalabil-

ity we mitigate complete rights policy and knowledge

sharing with TTP. Empirical analysis demonstrates

that our proposed protocol is light-weight with addi-

tional security features as compared to similar mod-

eled schemes.

REFERENCES

Alcaide, A., Palomar, E., Montero-Castillo, J., and Rib-

agorda, A. (2013). Anonymous authentication

for privacy-preserving iot target-driven applications.

computers & security, 37:111–123.

Babbage, S., Catalano, D., Cid, C., de Weger, B., Dunkel-

man, O., Gehrmann, C., Granboulan, L., Lange, T.,

Lenstra, A. K., Mitchell, C., et al. (2009). Ecrypt

yearly report on algorithms and keysizes. Technical

report.

Chang, C.-C. and Le, H.-D. (2015). A provably secure, ef-

ﬁcient, and ﬂexible authentication scheme for ad hoc

wireless sensor networks. IEEE Transactions on wire-

less communications, 15(1):357–366.

Chen, Y., Xu, W., Peng, L., and Zhang, H. (2019). Light-

weight and privacy-preserving authentication protocol

for mobile payments in the context of iot. IEEE Ac-

cess, 7:15210–15221.

Das, M. L., Kumar, P., and Martin, A. (2020). Secure and

privacy-preserving rﬁd authentication scheme for in-

ternet of things applications. Wireless Personal Com-

munications, 110(1):339–353.

Gope, P. and Sikdar, B. (2018). Lightweight and privacy-

preserving two-factor authentication scheme for iot

devices. IEEE Internet of Things Journal, 6(1):580–

589.

Kang, J., Park, G., and Park, J. H. (2016). Design of

secure authentication scheme between devices based

on zero-knowledge proofs in home automation ser-

vice environments. The Journal of Supercomputing,

72(11):4319–4336.

Khan, M. K., Kim, S.-K., and Alghathbar, K. (2011). Crypt-

analysis and security enhancement of a ‘more efﬁcient

& secure dynamic id-based remote user authentication

scheme’. Computer Communications, 34(3):305–309.

Lai, C., Li, H., Liang, X., Lu, R., Zhang, K., and Shen, X.

(2014). Cpal: A conditional privacy-preserving au-

thentication with access linkability for roaming ser-

vice. IEEE Internet of Things Journal, 1(1):46–57.

Lin, X.-J., Sun, L., and Qu, H. (2015). Insecurity of

an anonymous authentication for privacy-preserving

iot target-driven applications. computers & security,

48:142–149.

Saeed, M. E. S., Liu, Q.-Y., Tian, G., Gao, B., and Li, F.

(2018). Remote authentication schemes for wireless

body area networks based on the internet of things.

IEEE Internet of Things Journal, 5(6):4926–4944.

Trivedi, H. S. and Patel, S. J. (2020). Design of secure

authentication protocol for dynamic user addition in

distributed internet-of-things. Computer Networks,

178:107335.

Turkanovi

c, M., Brumen, B., and H

olbl, M. (2014). A novel

user authentication and key agreement scheme for het-

erogeneous ad hoc wireless sensor networks, based

on the internet of things notion. Ad Hoc Networks,

20:96–112.

Vijayakumar, P., Chang, V., Deborah, L. J., Balusamy, B.,

and Shynu, P. (2018). Computationally efﬁcient pri-

vacy preserving anonymous mutual and batch authen-

tication schemes for vehicular ad hoc networks. Fu-

ture generation computer systems, 78:943–955.

Wang, Y.-y., Liu, J.-y., Xiao, F.-x., and Dan, J. (2009). A

more efﬁcient and secure dynamic id-based remote

user authentication scheme. Computer communica-

tions, 32(4):583–585.

Privacy Preserving Scalable Authentication Protocol with Partially Trusted Third Party for Distributed Internet-of-Things

817

Wang, Z. (2018). A privacy-preserving and account-

able authentication protocol for iot end-devices with

weaker identity. Future Generation Computer Sys-

tems, 82:342–348.

Zhang, L., Zhao, L., Yin, S., Chi, C.-H., Liu, R., and Zhang,

Y. (2019). A lightweight authentication scheme with

privacy protection for smart grid communications. Fu-

ture Generation Computer Systems, 100:770–778.

SECRYPT 2021 - 18th International Conference on Security and Cryptography

818