Lightweight Three-Factor-Based Privacy-Preserving Authentication Scheme for IoT-Enabled Smart Homes

Smart homes are an emerging paradigm of the Internet of Things (IoT) in which users can remotely control various home devices via the internet anytime and anywhere. However, smart home environments are vulnerable to security attacks because an attacker can inject, insert, intercept, delete, and modify messages transmitted over an insecure channel. Thus, secure and lightweight authentication protocols are essential to ensure useful services in smart home environments. In 2021, Kaur and Kumar presented a two-factor based user authentication protocol for smart homes using elliptic curve cryptosystems (ECC). Unfortunately, we demonstrate that their scheme cannot resist security attacks such as impersonation and session key disclosure attacks, and also cannot ensure secure user authentication. Moreover, their scheme is not suitable for smart home environments because it utilizes public-key cryptosystems such as ECC. Hence, we design a secure and lightweight three-factor based privacy-preserving authentication scheme for IoT-enabled smart home environments to overcome the security problems of Kaur and Kumar's protocol. We prove the security of the proposed scheme by using informal and formal security analyses such as the ROR model and AVISPA simulation. In addition, we compare the performance and security features of the proposed scheme and related schemes. The proposed scheme provides better security and efficiency than the previous schemes and is more suitable for IoT-enabled smart home environments.


I. INTRODUCTION
With the advances in 5G communication and portable device technologies, smart homes are emerging as an exciting new paradigm of the Internet of Things (IoT) and have attracted a lot of attention from both scientific and academic communities. Smart homes [1]-[3] are networking environments in which smart devices such as smart curtains, smart washing machines, smart light bulbs, smart TVs, and smart door locks/control mechanisms can communicate with other devices and can also be remotely controlled.
In smart home environments, users are able to enjoy new smart functionalities and services, such as a high level of comfort and improved quality of life, using a portable device. For example, if a user opens the door and enters the home, the smart home system starts working and turns on the lights and boiler in the house. Moreover, the smart home can ensure convenient and efficient services for people with chronic diseases, disabled people, and elderly people by identifying their health and behavioral patterns through smart devices. However, despite the multiple advantages of the smart home, it may cause serious privacy issues [4] since the data collected in smart devices are transmitted over an insecure channel. If the data collected in smart devices is compromised, a malicious attacker can obtain the sensitive information of legitimate users, including daily habits and routines in the home, and can also utilize the information for criminal purposes. Moreover, the smart devices deployed in smart home environments are not suitable for public key cryptosystems (PKC) because they are resource-limited in terms of computation and communication overheads [5], [6]. Thus, secure and lightweight authentication and key agreement (AKA) schemes are essential to provide security and privacy for legitimate users [7]-[9].
The associate editor coordinating the review of this manuscript and approving it for publication was Zheng Yan.
In 2019, Shuai et al. [10] proposed a two-factor based anonymous authentication protocol for smart homes using elliptic curve cryptography (ECC). However, Kaur and Kumar [11] pointed out that Shuai et al.'s scheme [10] is vulnerable to replay, insider, session key disclosure, offline password guessing, and gateway bypass attacks. In 2021, Kaur and Kumar [11] presented a cryptanalysis and improvement of a two-factor based authentication scheme for smart homes using ECC to address the security flaws of Shuai et al.'s scheme [10]. However, we prove that Kaur and Kumar's scheme [11] is still vulnerable to impersonation and session key disclosure attacks, and also cannot provide mutual authentication. Moreover, their scheme is not suitable for resource-limited devices because it utilizes ECC, which generates high computation and communication overheads. Therefore, we design a secure and lightweight three-factor based privacy-preserving authentication scheme for IoT-enabled smart homes to resolve the security problems of Kaur and Kumar's scheme [11]. The proposed AKA scheme additionally utilizes the fuzzy extractor mechanism to improve the security level of the two-factor AKA scheme. Even if two of the three factors are compromised, our AKA scheme is secure. Moreover, our scheme is suitable for resource-limited smart devices in smart home environments because it uses hash and XOR functions, which generate low computation overheads.

A. CONTRIBUTIONS
The main contributions of the proposed AKA scheme are summarized as follows:
• We design a secure and lightweight three-factor based privacy-preserving user authentication scheme in IoT-enabled smart home environments to provide secure home services for legitimate users.
• The proposed AKA scheme resists various security attacks such as impersonation and session key disclosure attacks, and also provides security functionalities such as mutual authentication, anonymity, and privacy.
• We perform a formal (simulation) security analysis of the proposed protocol using the Automated Verification of Internet Security Protocols and Applications (AVISPA) [12], [13], which evaluates security against various security attacks. Furthermore, we perform a formal (mathematical) security analysis using the Real-or-Random (ROR) model [14] to evaluate the session key security of the proposed AKA scheme.
• We perform a comparative analysis of the proposed protocol and related schemes in terms of security features, computation costs, communication costs, and storage costs.

B. MOTIVATIONS
The major goal of this paper is to resolve the security weaknesses and inefficiency present in Kaur and Kumar's scheme [11]. Their scheme does not provide essential security functionalities such as resistance to session key disclosure and impersonation attacks, and mutual authentication, in IoT-enabled smart home environments. In addition, Kaur and Kumar's scheme [11] is not suitable for resource-constrained smart devices because it uses ECC, which generates high computation and communication overheads. These facts motivated us to propose a new secure and lightweight authentication protocol that provides the necessary security functionalities and efficiency and resolves the security flaws that exist in IoT-enabled smart home environments. Thus, the proposed AKA scheme utilizes the fuzzy extractor mechanism to improve the security level of the two-factor AKA scheme and also ensures efficient performance because it utilizes only the hash function and XOR operation, which generate low computation and communication overheads.

C. ORGANIZATION
This paper is organized as follows. Section II presents an overview of related works for smart homes and Section III introduces the preliminaries. In Section IV, we review Kaur and Kumar's scheme in detail. In Section V and Section VI, we analyze the security flaws of Kaur and Kumar's scheme and propose a secure and lightweight three-factor based privacy-preserving authentication scheme for IoT-enabled smart homes. Section VII presents the security analyses of the proposed AKA scheme using informal and formal security analysis. In Section VIII, we present the comparative performance analysis of the proposed AKA scheme and the previous schemes. Finally, we conclude this paper in Section IX.

II. RELATED WORKS
In the last few years, numerous AKA mechanisms have been presented to provide the security and privacy of users in various environments [1], [15]-[18]. In 2008, Jeong et al. [19] presented an AKA protocol to provide security in smart home environments using a one-time password (OTP) and smart card. Jeong et al. [19] claimed that their protocol ensures security against various security attacks. However, their protocol is vulnerable to potential security attacks such as smart card theft and insider attacks. In addition, their protocol does not provide mutual authentication between the gateway and smart device and also does not achieve untraceability and anonymity, as the identity of the legitimate user is transmitted in plaintext over an open channel. Thus, their schemes [19] using smart card and OTP could not resist various security attacks such as offline password guessing and smart card stolen attacks. In 2011, Vaidya et al. [20] presented a secure one-time password based AKA scheme using a smart card in smart home environments. However, Kim et al. [ [21] also fails to ensure user anonymity and untraceability of the smart device and legitimate user. These two-factor based AKA schemes for smart homes cannot prevent various security attacks such as offline password guessing and smart card stolen attacks.
In the past few years, many researchers have proposed symmetric/asymmetric-based AKA schemes for smart homes [22]-[24] to overcome the above-mentioned security flaws. In 2011, Vaidya et al. [25] proposed an ECC-based secure and lightweight AKA scheme for smart home networks. However, their scheme [25] suffered from insider, impersonation, and offline password guessing attacks. In 2015, Santoso et al. [26] presented a secure AKA scheme using ECC in smart home environments. However, Santoso et al.'s scheme [26] is insecure against stolen verifier and insider attacks. In 2019, Shuai et al. [10] presented a two-factor based lightweight AKA mechanism for smart homes with provable security using ECC. However, Kaur and Kumar [11] proved that Shuai et al.'s scheme [10] is insecure against insider, replay, session key disclosure, gateway bypass, and offline password guessing attacks. In 2020, Wazid et al. [27] presented an efficient AKA scheme for smart homes based on symmetric key cryptography and hash functions. However, Lyu et al. [28] claimed that Wazid et al.'s scheme [27] cannot resist compromised server and desynchronization attacks. These symmetric/asymmetric-based AKA schemes for smart homes still cannot resist various security attacks, and are also not suitable for the resource-limited smart devices in smart home environments since they require high computational costs.
In 2021, Kaur and Kumar [11] proposed an enhanced two-factor based AKA scheme in smart home environments to overcome the security problems of Shuai et al.'s scheme [10]. They claimed that their protocol can resist potential security attacks and also guarantees user anonymity, privacy, and mutual authentication. However, we proved that Kaur and Kumar's scheme is also vulnerable to impersonation and session key disclosure attacks, and does not achieve mutual authentication. Moreover, their scheme is not suitable for resource-constrained devices because it utilizes public-key cryptosystems such as ECC. Thus, we design a secure and lightweight three-factor based privacy-preserving AKA scheme for IoT-enabled smart homes to resolve the security flaws of Kaur and Kumar's scheme [11].

III. PRELIMINARIES
We introduce the overview of the preliminaries to enhance the readability of this article.

A. THREAT MODEL
This section presents the widely-known Dolev-Yao (DY) model [29] to demonstrate the security of the proposed AKA scheme. In the DY model, the capabilities of a malicious adversary are as follows.
• In this model, a malicious adversary (MA) can insert, delete, eavesdrop on, replay, and modify messages transmitted over an insecure channel.
• If a smart card of the legitimate user is stolen, its secret credentials can be extracted by MA using power-analysis attacks [30]-[32].
• The smart devices can be tampered with and physically captured by MA in the registration phase. Thus, MA can extract the secret credentials stored in their memory [33]-[35].
• MA can attempt offline identity and offline password guessing attacks. Thus, MA can guess the real identity and password of the legitimate user simultaneously.
• After getting the secret credentials of the smart device and smart card, MA may try potential security attacks such as offline guessing, session key disclosure, impersonation, and privileged insider attacks [36], [37].

B. FUZZY EXTRACTOR
This section introduces the basic concepts of fuzzy extractors [38]. A fuzzy extractor is a cryptographic method that uses a user's biometric to perform secure authentication. It consists of two operations, the generator Gen(·) and the reproduction Rep(·), which are denoted as follows:

Rep(·):
Given a noisy biometric input $BIO$, Rep(·) reproduces $\gamma_i$ using the value $\beta_i$, which is the public reproduction value related to $BIO$.
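
A minimal code-offset construction of Gen(·)/Rep(·), added here as an illustration and not taken from the paper: it shows the property the scheme relies on, namely that a slightly different re-scan reproduces the same $\gamma_i$ from the public $\beta_i$. The repetition code, SHA-256 extraction, 160-bit template and all helper names are assumptions chosen to keep the example short; deployed fuzzy extractors use stronger error-correcting codes.

```python
import hashlib
import secrets

REP = 5        # repetition factor: majority vote corrects up to 2 flipped bits per group
KEY_BITS = 32  # toy secret length; the template therefore has KEY_BITS * REP = 160 bits


def _encode(key_bits):
    """Repetition code: repeat every secret bit REP times."""
    return [bit for bit in key_bits for _ in range(REP)]


def _decode(codeword):
    """Majority vote over each group of REP bits."""
    return [int(sum(codeword[i:i + REP]) > REP // 2)
            for i in range(0, len(codeword), REP)]


def _extract(key_bits):
    """Hash the recovered bits into the biometric secret gamma_i."""
    return hashlib.sha256(bytes(key_bits)).digest()


def gen(bio):
    """Gen(BIO) -> (gamma_i, beta_i): secret value and public helper data."""
    if len(bio) != KEY_BITS * REP:
        raise ValueError("unexpected template length")
    key_bits = [secrets.randbits(1) for _ in range(KEY_BITS)]
    # Code offset: the codeword of a random secret, blinded by the biometric.
    beta = [c ^ b for c, b in zip(_encode(key_bits), bio)]
    return _extract(key_bits), beta


def rep(bio_noisy, beta):
    """Rep(BIO', beta_i) -> gamma_i when BIO' is close to the enrolled BIO."""
    if len(bio_noisy) != len(beta):
        raise ValueError("template and helper data lengths differ")
    # BIO' XOR beta = codeword XOR (BIO XOR BIO'), i.e. the codeword plus noise.
    shifted = [b ^ p for b, p in zip(bio_noisy, beta)]
    return _extract(_decode(shifted))


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (scan noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def sample_template():
    """Constructed stand-in for a binarised biometric template."""
    return [secrets.randbits(1) for _ in range(KEY_BITS * REP)]


if __name__ == "__main__":
    bio = sample_template()
    gamma, beta = gen(bio)
    later_scan = flip(bio, [0, 3, 7, 101])      # at most 2 errors per group
    print("noisy scan reproduces gamma_i:", rep(later_scan, beta) == gamma)
    print("3 errors in one group succeed:", rep(flip(bio, [0, 1, 2]), beta) == gamma)
```

The helper data $\beta_i$ can be stored in the clear because it is blinded by the template, but the error tolerance (here 2 bits per 5-bit group) is also the margin within which a different finger or face would be accepted, so it has to be chosen against the sensor's false-accept rate.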

C. SYSTEM MODEL
This section introduces the system model for IoT-enabled smart homes in Figure 1. The proposed system model consists of four entities: the registration authority, user, gateway, and smart device. The detailed descriptions of each entity are as follows:
• Registration authority (RA): The registration authority is a trusted authority and is responsible for the registration of participants.
• Gateway: The gateway manages the data collected in smart devices to provide useful home services for legitimate users. In addition, the gateway is a powerful entity and serves as a bridge between the smart device and legitimate user.
• User: A user authorized by the registration authority can access useful home services through the gateway using a portable device anytime and anywhere.
• Smart Devices: The smart devices (e.g. sensors and things) deployed in smart homes are resource-limited, collect a large amount of real-time data, and transmit the collected data to the legitimate user.

IV. REVIEW OF KAUR AND KUMAR'S SCHEME
We review Kaur and Kumar's scheme [11] for smart homes. Their scheme consists of three phases: 1) initialization, 2) registration and 3) mutual authentication. The symbols used in this paper are shown in Table 1.

A. INITIALIZATION PHASE
The registration authority RA performs the initialization tasks as follows:
• IP-1: RA selects an elliptic curve $E$ on the basic field $F_p$ and forms an additive group $AG$ of the order $p$ generated by $G$.
• IP-2: After that, RA generates a private key $z$ and a public key $PK = z \cdot G$, and also selects a master key $K_G$ for GW.
• IP-3: RA stores $z$ and $K_G$ in the memory of GW, and then loads the system public parameters , AG, G, PK, h(·)} in GW and $SD_j$, which are publicly known to all $U_i$.
• IP-4: Finally, RA selects the identities of $SD_j$ and also stores them in the memory of $SD_j$.

B. REGISTRATION PHASE
This phase includes the user and smart device registration phases. The detailed descriptions are as below:

1) USER REGISTRATION PHASE
$U_i$ performs the following steps with RA to register in the system.
• URP-1: $U_i$ chooses an $ID_i$ and a $PW_i$ and generates a random number $r$. After that, $U_i$ calculates $RID_i = h(ID_i \| r)$ and $RPW_i = h(PW_i \| r)$, and transmits them to RA via a secure channel.
• URP-2: RA verifies whether the $RID_i$ chosen by $U_i$ is already assigned. If it is already assigned, $U_i$ is asked to select a new identity. Otherwise, RA computes RA keeps track of the number of attempts taken while logging in in $T$, which initially has the value zero. RA stores the credential $\{B_1, T\}$ in the smart card (SC) and transmits it to $U_i$.

2) SMART DEVICE REGISTRATION PHASE
$SD_j$ performs the following steps with RA to register in the system.
• SDRP-1: $SD_j$ selects a $SID_j$ and transmits it to RA via a secure channel.
• SDRP-2: RA verifies whether $SID_j$ is already assigned to another $SD_j$. If $SD_j$ is already assigned, the registration request is terminated. Otherwise, RA computes $X_{GS} = h(SID_j \| K_G)$ and transmits it to $SD_j$.
• SDRP-3: Finally, $SD_j$ stores $X_{GS}$ in the memory of $SD_j$.

C. MUTUAL AUTHENTICATION PHASE
In this phase, $U_i$ and $SD_j$ must establish a common session key with the help of GW to access secure home services. We describe the detailed mutual authentication phase of Kaur and Kumar's scheme [11] as follows:
• MAP-1: $U_i$ first enters $ID_i$ and $PW_i$ and calculates If the condition is correct, $U_i$ generates random numbers $x_1$ and $c$, and selects the identity $SID_j$ of the $SD_j$ with which $U_i$ wants to connect. $U_i$ calculates generates a random number $x_3$ and computes a session
• MAP-4: On getting the messages from $SD_j$, GW computes If it is valid, the mutual authentication between $U_i$ and $SD_j$ is successful, and a common session key is established between them.

V. CRYPTANALYSIS OF KAUR AND KUMAR'S SCHEME
In this section, we perform the cryptanalysis of Kaur and Kumar's scheme [11]. Kaur and Kumar [11] claimed that their scheme can prevent various security attacks, and also provide mutual authentication. Unfortunately, we prove that their scheme cannot resist potential security attacks such as impersonation and session key disclosure attacks, and also does not ensure mutual authentication.

A. IMPERSONATION ATTACK
Referring to Section III-A, if MA captures $SD_j$, MA can extract the secret parameters $\{SID_j, X_{GS}\}$ stored in its memory. In addition, MA can insert, delete, eavesdrop on, replay, and modify the messages exchanged over an insecure channel. The detailed description of this attack is as follows.
GW over a public channel.
• Step 2: After obtaining the messages, GW computes If the condition is valid, GW generates a timestamp $T_4$ and computes If it is correct, MA impersonates $SD_j$ successfully and also shares the common session key $SK_{MA}$ with $U_i$.

B. SESSION KEY DISCLOSURE ATTACK
In this attack, MA can calculate the session key $SK = h(RID_i \| GID_i \| SID_j \| x_1 \| x_2 \| x_3)$ between $U_i$ and $SD_j$.
According to Section III-A, MA can extract the secret parameters $\{SID_j, X_{GS}\}$ stored in $SD_j$. Then, MA computes $(RID_i \| GID_i \| x_1 \| x_2) = N_2 \oplus X_{GS} \oplus T_2$ and $x_3 = N_3 \oplus X_{GS} \oplus T_3$. MA can then calculate the session key $SK = h(RID_i \| GID_i \| SID_j \| x_1 \| x_2 \| x_3)$ successfully. Therefore, Kaur and Kumar's scheme is insecure against session key disclosure attacks.
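
The computation in this attack, replayed on constructed values as an added example (not code from the paper or from Kaur and Kumar): it shows that once $X_{GS}$ is read from a captured device, the XOR masking of $N_2$ and $N_3$ is undone using the public timestamps alone. SHA-256 as $h(\cdot)$, 32-byte fields, the repeated XOR pad and all function names are assumptions.

```python
import hashlib
import secrets
from itertools import cycle

FIELD = 32  # assumed width in bytes of every identity, nonce and hash value


def h(*parts):
    """h(a || b || ...), instantiated here with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()


def mask(data, x_gs, timestamp):
    """data XOR X_GS XOR T. The pad (X_GS XOR T) is repeated over longer
    inputs (assumed encoding). XOR is its own inverse, so the same call
    both hides and reveals the data."""
    t = timestamp.to_bytes(FIELD, "big")
    pad = bytes(k ^ b for k, b in zip(x_gs, t))
    return bytes(d ^ p for d, p in zip(data, cycle(pad)))


def simulate_session():
    """Constructed session in the reviewed scheme's notation.
    Returns (device memory, public transcript, real session key)."""
    k_g = secrets.token_bytes(FIELD)                 # gateway master key K_G
    sid_j = h(b"constructed smart-device identity")
    x_gs = h(sid_j, k_g)                             # X_GS = h(SID_j || K_G), SDRP-2
    rid_i = h(b"constructed RID_i value")
    gid_i = h(b"constructed GID_i value")
    x1, x2, x3 = (secrets.token_bytes(FIELD) for _ in range(3))
    t2, t3 = 1_700_000_000, 1_700_000_002            # constructed timestamps
    transcript = {                                   # everything here is public
        "N2": mask(rid_i + gid_i + x1 + x2, x_gs, t2), "T2": t2,
        "N3": mask(x3, x_gs, t3), "T3": t3,
    }
    device_memory = {"SID_j": sid_j, "X_GS": x_gs}   # stored as-is on SD_j (SDRP-3)
    sk = h(rid_i, gid_i, sid_j, x1, x2, x3)
    return device_memory, transcript, sk


def session_key_from_capture(device_memory, transcript):
    """What the holder of SD_j's memory derives from the public messages."""
    x_gs = device_memory["X_GS"]
    blob = mask(transcript["N2"], x_gs, transcript["T2"])
    rid_i, gid_i, x1, x2 = (blob[i:i + FIELD] for i in range(0, len(blob), FIELD))
    x3 = mask(transcript["N3"], x_gs, transcript["T3"])
    return h(rid_i, gid_i, device_memory["SID_j"], x1, x2, x3)


if __name__ == "__main__":
    memory, transcript, sk = simulate_session()
    print("SK recomputed with X_GS   :", session_key_from_capture(memory, transcript) == sk)
    without_key = dict(memory, X_GS=bytes(FIELD))
    print("SK recomputed without X_GS:", session_key_from_capture(without_key, transcript) == sk)
```

Every session of that device is masked with the same long-term $X_{GS}$, so a single extraction exposes all recorded transcripts; this is why the protection of $X_{GS}$ at rest decides the outcome.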

C. MUTUAL AUTHENTICATION
Kaur and Kumar claimed that their scheme provides mutual authentication among $U_i$, GW, and $SD_j$. However, according to Sections V-A and V-B, MA can calculate the authentication request message $W_2 = h(RID_i \| GID_i \| X_{GS} \| x_1 \| x_2)$ and response message $W_3 = h(x_3 \| X_{GS} \| SK)$ successfully. Thus, Kaur and Kumar's scheme does not provide secure mutual authentication.

VI. PROPOSED SCHEME
We design a secure and lightweight three-factor based privacy-preserving AKA scheme for IoT-enabled smart homes to address the security weaknesses of Kaur and Kumar's scheme [11]. The proposed AKA scheme consists of four phases: 1) initialization, 2) registration, 3) mutual authentication, and 4) password and biometric update. The detailed descriptions are as follows:

A. INITIALIZATION PHASE
In the proposed scheme, a master key, pre-configured during manufacturing or reconfigured during maintenance, is assumed to be pre-shared in the tamper-resistant memory of a security module such as the trusted platform module (TPM). Before GW and $SD_j$ are deployed in smart home environments, RA first generates a master key $K_G$ and then stores it in the tamper-resistant memory of GW. $SD_j$ chooses a $SID_j$ and sends it to RA via a secure channel. Then, RA checks whether $SID_j$ . If it is correct, RA stores it in the tamper-resistant memory of GW and then generates a master key $K_{SD}$ of $SD_j$ and stores it in the tamper-resistant memory of $SD_j$.

B. REGISTRATION PHASE
This phase includes the user and smart device registration phases. The detailed descriptions are as below:

2) SMART DEVICE REGISTRATION PHASE
$SD_j$ performs the following steps with RA to provide the useful home services.
• SDRP-1: $SD_j$ generates a random number $b_j$ and computes $PID_j = h(SID_j \| b_j)$. Then, $SD_j$ transmits $\{b_j, PID_j\}$ to RA over a secure channel.
• SDRP-2: RA computes $X_{GS} = h(PID_j \| K_G \| b_j)$. After that, RA stores $\{PID_j, b_j\}$ in the secure database of GW and transmits $\{X_{GS}\}$ to $SD_j$ via a secure channel.

C. MUTUAL AUTHENTICATION PHASE
The registered $U_i$ and $SD_j$ must establish a common session key with the help of GW to utilize secure home services. Figure 2 shows the mutual authentication phase of the proposed AKA scheme, and the detailed processes are as follows:
• MAP-1: $U_i$ inputs $ID_i$ and $PW_i$ and imprints $BIO$. Then, $= M_{GS}$. If it is valid, $SD_j$ generates a $r_{SD}$ and $T_3$. After that, $SD_j$ generates a random nonce $r_{SD}$ and a timestamp $T_3$. Then, $SD_j$ computes $M_4$, and $M_{SG} = h(SID_j \| r_{SD} \| X_{GS} \| SK \| T_3)$. Finally, $SD_j$ transmits $\{M_4, M_{SG}, T_3\}$ to GW via a public channel.
• MAP-4: After getting the messages from $SD_j$, GW $= M_{GU}$. If it is valid, the mutual authentication between $U_i$ and $SD_j$ is successful, and a common session key is established between them.

D. PASSWORD AND BIOMETRIC UPDATE PHASE
If an authorized user wants a new password and biometric, $U_i$ can easily update their own old password and old biometric. The detailed descriptions are as follows:
PBUP-1: $U_i$ first inputs an identity $ID_i$ and an old password $PW_i^{old}$, and imprints an old biometric $BIO^{old}$.
PBUP-2: After that, SC computes $\gamma_i = Rep(BIO^{old}, \beta_i)$,

VII. SECURITY ANALYSIS
We assess the security of the proposed AKA scheme by utilizing informal and formal security analyses, including the ROR model and AVISPA.

A. INFORMAL SECURITY ANALYSIS
The security of our scheme is proved by performing the informal security analysis. We demonstrate that our scheme can withstand various security attacks and also ensures user anonymity and mutual authentication.
VOLUME 9, 2021

1) IMPERSONATION ATTACK
When MA wants to masquerade as a legal $U_i$, MA must calculate the authentication request messages $\{M_1, M_2, M_{UG}, T_1\}$ and response messages $\{M_5, M_{GU}, T_4\}$. However, it is difficult to generate the authentication request and response messages because MA does not know the secret key $X_{GU}$, the random nonce $r_U$, and the pseudo-identity $RID_i$. Therefore, our protocol prevents impersonation attacks since MA cannot generate the authentication request and response messages of the legal user successfully.

2) SESSION KEY DISCLOSURE ATTACK
Referring to Section III-A, we assume that MA can steal the smart card and extract all secret credentials $\{A_2, A_3, A_4\}$ in the memory. In the proposed AKA scheme, MA should obtain the random nonces $\{r_U, r_{GW}, r_{SD}\}$ to generate the session key $SK = h(r_U \| r_{GW} \| r_{SD} \| RID_i \| GID_i \| SID_j)$ successfully. However, MA cannot calculate $SK$ because $X_{GU}$ and $X_{GS}$ are masked with GW's master key $K_G$ and the random numbers $\{a_i, b_j\}$ by using the hash function. Moreover, the random nonces $\{r_U, r_{GW}, r_{SD}\}$ cannot be obtained since MA does not know the secret keys $\{X_{GU}, X_{GS}\}$. Hence, the proposed AKA scheme is resilient against session key disclosure attacks.

3) SMART DEVICE CAPTURE ATTACK
Assuming that the smart device is physically captured by MA, MA can extract all secret parameters $\{B_1, B_2\}$ in the memory, where $B_1 = h(SID_j \| K_{SD}) \oplus b_j$ and $B_2 = h(K_{SD} \| b_j) \oplus X_{GS}$. However, MA cannot calculate $X_{GS}$ without knowing the SD's master key $K_{SD}$, identity $SID_j$, and random number $b_j$. Moreover, MA cannot calculate the session key $SK$ since MA does not know $SD_j$'s secret key $X_{GS}$, GW's master key $K_G$, and $SD_j$'s real identity $SID_j$. Thus, the proposed AKA scheme is secure against smart device capture attacks.
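
The storage layout analysed above, together with SDRP-1 and SDRP-2 of the proposed scheme, as an added example (not the authors' code): it checks that the device can rebuild $X_{GS}$ from $\{B_1, B_2\}$ only with $K_{SD}$, and that GW derives the same value from $K_G$ and its $\{PID_j, b_j\}$ record without storing it. SHA-256 as $h(\cdot)$, 32-byte values, keeping $SID_j$ next to $K_{SD}$ in tamper-resistant memory, and all function names are assumptions.

```python
import hashlib
import secrets


def h(*parts):
    """h(a || b || ...), instantiated here with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    """Bytewise XOR of two equal-length values."""
    return bytes(x ^ y for x, y in zip(a, b))


def device_request(sid_j):
    """SDRP-1: SD_j picks b_j and sends {b_j, PID_j} over the secure channel."""
    b_j = secrets.token_bytes(32)
    return b_j, h(sid_j, b_j)                  # PID_j = h(SID_j || b_j)


def ra_issue(k_g, b_j, pid_j, gateway_db):
    """SDRP-2: RA derives X_GS and records {PID_j, b_j} for the gateway."""
    gateway_db[pid_j] = b_j
    return h(pid_j, k_g, b_j)                  # X_GS = h(PID_j || K_G || b_j)


def device_store(sid_j, k_sd, b_j, x_gs):
    """Ordinary device memory holds only the masked values B_1 and B_2."""
    return {"B1": xor(h(sid_j, k_sd), b_j),    # B_1 = h(SID_j || K_SD) XOR b_j
            "B2": xor(h(k_sd, b_j), x_gs)}     # B_2 = h(K_SD || b_j) XOR X_GS


def device_recover(sid_j, k_sd, memory):
    """Unmask b_j first, then X_GS; both steps need K_SD."""
    b_j = xor(h(sid_j, k_sd), memory["B1"])
    return b_j, xor(h(k_sd, b_j), memory["B2"])


def gateway_recompute(k_g, pid_j, gateway_db):
    """GW rebuilds X_GS on demand from K_G and its {PID_j, b_j} record."""
    return h(pid_j, k_g, gateway_db[pid_j])


def enrol_constructed_device():
    """Run the registration once with constructed keys and identity."""
    k_g = secrets.token_bytes(32)              # GW tamper-resistant memory
    k_sd = secrets.token_bytes(32)             # SD_j tamper-resistant memory
    sid_j = b"constructed-device-0001"         # assumed to be held with K_SD
    gateway_db = {}
    b_j, pid_j = device_request(sid_j)
    x_gs = ra_issue(k_g, b_j, pid_j, gateway_db)
    memory = device_store(sid_j, k_sd, b_j, x_gs)
    return {"k_g": k_g, "k_sd": k_sd, "sid_j": sid_j, "pid_j": pid_j,
            "x_gs": x_gs, "memory": memory, "gateway_db": gateway_db}


if __name__ == "__main__":
    e = enrol_constructed_device()
    _, on_device = device_recover(e["sid_j"], e["k_sd"], e["memory"])
    print("device rebuilds X_GS       :", on_device == e["x_gs"])
    print("gateway derives same X_GS  :",
          gateway_recompute(e["k_g"], e["pid_j"], e["gateway_db"]) == e["x_gs"])
    _, guessed = device_recover(e["sid_j"], bytes(32), e["memory"])
    print("dump without K_SD gives it :", guessed == e["x_gs"])
```

The protection holds only as long as $K_{SD}$ stays inside the tamper-resistant memory the initialization phase assumes; a device that keeps $K_{SD}$ in the same flash as $B_1$ and $B_2$ is back to storing $X_{GS}$ in the clear.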

4) REPLAY ATTACK
Suppose that MA intercepts all exchanged messages

6) OFFLINE PASSWORD GUESSING ATTACK
Suppose that the smart card is stolen or lost and MA can extract the sensitive information $\{A_2, A_3, A_4\}$ stored in the memory. Consequently, it is computationally infeasible for MA to derive the real password of the legitimate user from $\{A_2, A_3, A_4\}$ without the knowledge of $\gamma_i$ and $RPW_i$.

7) PERFECT FORWARD SECRECY
Perfect forward secrecy means that the past session key $SK$ will not be disclosed even if the long-term secret key of the communication entities is revealed. Even if GW's master key $K_G$ and $SD_j$'s secret key $K_{SD}$ are compromised, MA cannot compute the session key $SK = h(r_U \| r_{GW} \| r_{SD} \| RID_i \| GID_i \| SID_j)$ without knowledge of $SID_j$, $b_j$, $X_{GU}$, and $X_{GS}$. Thus, our protocol provides perfect forward secrecy.

8) ANONYMITY AND UNTRACEABILITY
Assume that MA intercepts all transmitted messages during the AKA phase. It is impossible for MA to compute $U_i$'s identity $ID_i$ and pseudo-identity $RID_i$, or $SD_j$'s identity $SID_j$ and pseudo-identity $PID_j$, without knowing the secret credentials $\{X_{GU}, X_{GS}\}$. Hence, the proposed scheme provides anonymity for $U_i$ and $SD_j$. Moreover, the timestamps and random nonces are different in every session; that is, the transmitted messages in each session are unique and dynamic, so MA cannot trace $U_i$ and $SD_j$ across different sessions. Therefore, the proposed AKA scheme achieves untraceability for $U_i$ and $SD_j$.

B. FORMAL SECURITY ANALYSIS
The security of the proposed AKA scheme is proved by using formal security analysis such as the ROR model and AVISPA simulation.

1) ROR MODEL
This section evaluates the $SK$ security of the proposed AKA protocol against MA by using the ROR model [14]. We first briefly introduce the ROR model before demonstrating the $SK$ security of our protocol.
In our scheme, there are three participants: the user $P_U^{t_1}$, gateway $P_{GW}^{t_2}$, and smart device $P_{SD}^{t_3}$, where $P_U^{t_1}$, $P_{GW}^{t_2}$, and $P_{SD}^{t_3}$ are the $t_1$-th instance of $U_i$, the $t_2$-th instance of $GW_j$, and the $t_3$-th instance of $SD_j$, respectively. In Table 2, we introduce overviews of the queries Execute(), CorruptSC(), Send(), Reveal(), and Test() used to perform the ROR model. In addition, we use a one-way hash function Hash as the random oracle and also utilize Zipf's law [39] to prove $SK$ security.
Theorem. $Adv^{AKA}_{MA}$ denotes the advantage of MA in violating the $SK$ security of our protocol. Then, we have the following inequality.
Hash, $q_h$, and $q_{send}$ are the number of Hash queries, the range space of the hash function $h(\cdot)$, and Send() query respectively. Furthermore, $C$, $s$, and $l_b$ are the Zipf's parameters [39].
Proof. We describe a sequence of four games denoted by $GM_i$ ($i = 0, 1, 2, 3$) played by MA. $Adv^{AKA}_{MA,GM_i}$ denotes the probability of MA winning $GM_i$. All games are described as follows:
• Game $GM_0$: This game represents the real security attacks executed by MA against the proposed AKA scheme. MA must guess a bit $c$ correctly to win the game. We obtain the following result:
• Game $GM_1$: In this game, MA simulates an eavesdropping attack in which the exchanged messages are intercepted during the AKA process by performing Execute(). After getting the exchanged messages, MA performs Reveal() and Test() queries to check whether the value is the $SK$ or a random number. MA needs secret credentials such as $K_G$, $X_{GU}$, and $X_{GS}$ to derive $SK = h(r_U \| r_{GW} \| r_{SD} \| RID_i \| GID_i \| SID_j)$. Hence, intercepting the exchanged messages does not at all help MA increase the winning probability of this game. Based on this game, the following is obtained:
Furthermore, the random nonces $r_U$, $r_{GW}$, and $r_{SD}$ are not revealed from the exchanged messages since the random nonces are also protected by the hash function $h(\cdot)$. By applying the birthday paradox, we obtain the following result:
• Game $GM_3$: This game is modeled by using CorruptSC(). In $GM_3$, MA is able to extract the secret credentials $\{A_2, A_3, A_4\}$ in the SC memory using power-analysis attacks. Generally, the legitimate user uses a low-entropy password. Using stored secret credentials Based on this game, the following is obtained:
After $GM_{0-3}$ are played successfully, MA tries to guess the correct bit $c$ to win the game by using Test(). Therefore, we obtain the following result:
By applying Eq. (1), (2) and (5), we get the following result:
By applying Eq. (4), (5) and (6), we obtain the following result using the triangular inequality:
Multiplying both sides of Eq. (7) by the factor of two, the following result is obtained:

In the past few years, numerous studies using AVISPA simulation have been proposed [40]-[42]. AVISPA is a role-based security validation tool that demonstrates whether an authentication protocol is secure against potential security attacks based on the DY model [29]. This simulation mechanism is implemented using the High-Level Protocol Specification Language (HLPSL) [43] to generate the input format (IF) of the back-ends, including the Constraint Logic-based Attack Searcher (CL-AtSe), SAT-based Model Checker (SATMC), Tree Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP), and On-the-Fly Model Checker (OFMC). The IF is provided as the input to one of the four back-ends, which produces the output format (OF). In addition, the OF indicates the security of the proposed AKA scheme.
To analyze the security of the AKA scheme, we express it in a rule-oriented HLPSL. The detailed HLPSL specifications for AVISPA can be found in [12], [13]. The specification roles for the user $U_i$, the gateway GW, and the smart device SD, and the mandatory roles for the environments, sessions, and security goals are implemented in HLPSL. Because XOR operations are not supported by the TA4SP and SATMC back-ends, AVISPA simulation results for these two back-ends are not included. We simulate the proposed AKA scheme using the Security Protocol ANimator (SPAN) as shown in Figure 3. In addition, we demonstrate that our scheme resists replay and MITM attacks using the OFMC and CL-AtSe back-ends as shown in Figure 4.

VIII. PERFORMANCE ANALYSIS
This section presents a comparative analysis of our scheme and the related schemes [10], [11], [27] in terms of the computation, communication, and storage costs, and security features.

A. COMPUTATION COSTS
We evaluate the computation costs of the proposed AKA scheme and the related schemes [10], [11], [27] in terms of $MU_i$, GW, and $SD_j$ during the AKA process. According to [11], [44], the execution times of each operation were acquired on a desktop running Windows 8 with an Intel(R) Core(TM) i7-4710HQ 2.50 GHz CPU and 8 GB of memory. Moreover, the software was implemented using Visual C++ 2010 and the MIRACL C/C++ Library. We denote the execution times of the following parameters based on [44]. $T_{ed}$, $T_{ecc}$, and $T_h$ denote the execution times for symmetric encryption/decryption (≈ 0.0215 ms), ECC point multiplication (≈ 0.4276 ms), and hash function (≈ 0.0052 ms), respectively. Moreover, it is also assumed that the execution time for the fuzzy extractor $T_{fe}$ is equal to the $T_{ecc}$ presented in [11]. In Table 3, we show the comparison results of the computation overhead and execution times between the proposed AKA scheme and the related schemes. Consequently, our protocol has the lowest computation overhead compared with the previous schemes [10], [11], [27].

B. COMMUNICATION COSTS
We analyze the communication costs of the proposed AKA scheme and the previous schemes [10], [11], [27] during the AKA process. We assume the communication costs of the following parameters based on Shuai et al.'s scheme [10]. The lengths of the timestamp, random nonce, secret key, hash function, message authentication code, identity, pseudo-identity, symmetric encryption/decryption, and ECC point multiplication are 32 bits, 160 bits, 160 bits, 160 bits, 160 bits, 128 bits, 128 bits, 256 bits, and 320 bits, respectively. In Table 4, we show the comparison results of the communication cost between the proposed scheme and previous schemes. Consequently, the proposed AKA scheme provides a superior communication cost compared with the related schemes [10], [11], [27].

C. STORAGE COSTS
We compare the storage costs, on the basis of the bytes stored in the smart card, of the proposed AKA scheme and the related schemes [10], [11], [27]. We assume that the bit lengths of the secret parameters presented in Section VIII-B are equal to the storage costs. Table 5 presents the comparison results of the storage cost between the proposed scheme and previous schemes. Although the storage cost of the proposed AKA scheme is somewhat higher than that of Kaur and Kumar [11], it ensures superior security, computation cost, and communication cost compared with the other related schemes [10], [27].

D. SECURITY FEATURES
This section evaluates the security features of the proposed AKA scheme compared to previous schemes [10], [11], [27]. Table 6 shows that previous schemes suffer from various security attacks, including offline password guessing, replay, and impersonation attacks, and also do not provide mutual authentication and user anonymity. In contrast, the proposed AKA scheme resists various security attacks, and also provides forward secrecy, mutual authentication, and user anonymity. Hence, the proposed AKA scheme offers more security and functionality features compared with previous schemes [10], [11], [27].

IX. CONCLUSION
We proved that Kaur and Kumar et al.'s scheme is insecure against various security attacks such as impersonation and session key disclosure attacks, and also does not ensure mutual authentication. We designed a lightweight three-factor based privacy-preserving authentication scheme for IoT-enabled smart homes to overcome the security flaws of Kaur and Kumar et al.'s scheme. We demonstrated that the proposed AKA scheme resists various security threats, and also provides user anonymity, untraceability, and mutual authentication. We then proved, using the well-known and widely accepted AVISPA simulation and ROR model, that the proposed AKA scheme is secure against various security attacks. Moreover, we compared the computation, communication, and storage costs of the proposed AKA scheme with those of other related schemes. Thus, the proposed AKA scheme improves security and privacy, and also ensures low computation, communication, and storage costs compared with the other related schemes by using only fuzzy extractor, hash, and XOR functions, which generate low computation and communication costs. Our scheme is suitable for IoT-enabled smart home environments because it is more secure and lightweight than existing schemes.