Blockchain-Based Robust Data Security Scheme in IoT-Enabled Smart Home

Anusha Vangala,Ashok Kumar Das,YoungHo Parkand Sajjad Shaukat Jamal

1Center for Security,Theory and Algorithmic Research,International Institute of Information Technology,Hyderabad,500032,India

2School of Electronics Engineering,Kyungpook National University,Daegu,41566,Korea

3Department of Mathematics,College of Science,King Khalid University,Abha,Saudi Arabia

Abstract: The recent surge in development of smart homes and smart cities can be observed in many developed countries.While the idea to control devices that are in home(embedded with the Internet of Things(IoT)smart devices)by the user who is outside the home might sound fancy,but it comes with a lot of potential threats.There can be many attackers who will be trying to take advantage of this.So,there is a need for designing a secure scheme which will be able to distinguish among genuine/authorized users of the system and attackers.And knowing about the details of when and what IoT devices are used by the user,the attacker can trace the daily activities of user and can plan an attack accordingly.Thus,the designed security scheme should guarantee confidentiality,anonymity and un-traceability.Most of the schemes proposed in the literature are either non-blockchain based which involves inherent problems of storing data in a single-server or assuming weaker attack models.In this work,we propose a novel scheme based on blockchain technology,assuming a stronger Canetti and Krawczyk (CK)-threat model.Through the formal and informal security,and comparative analysis,we show that the proposed scheme provides a superior security and more functionality features,with less communication cost and comparable computational cost as compared to other competent schemes.Moreover,the blockchain based simulation study on the proposed scheme has been conducted to show its feasibility in real-life application.

Keywords: Internet of things (IoT);smart home;ubiquitous computing;blockchain;security

1 Introduction

Now a days,almost all the utilities are enabled with the Internet connectivity.It benefits users of multiple domains to operate the resources remotely and know their status.Smart home is one such application of the Internet of Things(IoT),where the users can monitor the home appliances and can take decisions accordingly.The system helps in tackling numerous real-life problems,like robberies(by collecting the data from surveillance)and fire accidents(by collecting data from fire detecting sensors)and so on.However,it brings in several challenges which are to be handled and so,there is a need for designing a security scheme very carefully by considering all such challenges and making sure that no sensitive information is compromised.

Since there are many schemes in the literature which ensure secure communication between home gateway and IoT smart devices,we confine ourselves in designing the secure scheme which is subjected to the security aspects/hurdles that either of a user or the home gateway faces when they try to communicate with each other.The blockchain technology has been employed in order to enhance the security of a system.The blockchain has several inherent properties like decentralization,immutability and transparency.Thus,the blockchain technology provides high data integrity,and resilience against Denial-of-Service attacks(DoS)and several cyber security attacks when the data is simply stored in centralized databases.The immutability of the blockchain allows no adversary can update a block,insert fake information into a block or even delete a block once a block is added into the blockchain after running a consensus protocol among a group of nodes,called peer nodes,in a distributed Peer-to-Peer(P2P)blockchain network.To mitigate these issues,we aim to proposed a novel blockchain-based robust security scheme in an IoT-enabled smart home environment,which is light-weight by making the authentication and key establishment between the two authorized parties with minimal resources faster,and it will make a user in smart home deployment to feel that all the resources are at his disposal.

1.1 Network Model

A blockchain-based smart home system is shown in Fig.1.In this system,we have a trusted registration authority (RA),which takes the responsibility of registering all the authorized entities by providing the corresponding secret parameters of that entity in a secure channel.We maintain a gateway node which acts as a mediator between the network of devices at home and remote users operating through some smart devices with smart cards installed in it.Once the home gateway and the users register with the RA,the users will be installing a smart card in their device,which has some set of parameters (credentials) through which their secrets are hidden.A set of consensus nodes are maintained on a cloud that are responsible for verifying the blocks and adding the blocks into the blockchain stored using these cloud nodes.

1.2 Attack Model

The proposed scheme is evaluated under“Dolev-Yao(DY)threat model”[1],which considers an adversary has capabilities of modifying,replaying,dropping the transactions and requests in transit.The adversary can also impersonate the authorized user(s)and home gateway.The smart devices of the devices with installed smart cards can be lost and all the information from them can be extracted by the adversary.The scheme also adopts the “Canetti and Krawczyk (CK-adversary model)” [2],where the adversary has all the capabilities as in the DY threat model,and in addition,the session state information and previous session keys of the entities in the system can be leaked through the session hijacking attack.The home gateway node can be put under a locking system as in[3]in order to avoid physical capture attack by the adversary.In addition,some smart home IoT devices can be physically capture by the adversary as these devices cannot be always monitored in 24×7 time.The adversary can then extract all the credentials stored in a captured smart device using the power analysis attacks[4].

Figure 1:A general IoT network model of blockchain based smart home system

1.3 Research Contributions

In the following,some important contributions made in the research paper are listed:

• The proposed scheme is light-weight,which makes the authentication and key establishment between the two authorized parties with minimal resources faster,and it will make a user to feel that all the resources are at his disposal.The proposed scheme makes sure that the anonymity of a user is never compromised.In addition,the blockchain technology has been adopted with the scheme to make it highly robust for data storage in P2P blockchain network to provide high data integrity,and resilience against DoS and several cyber security attacks.

• The proposed scheme handles the challenging and risky smart card stolen attacks,and thus,a user needs not to be panic if he lost his smart card.The scheme is designed in such a way that it will resist many attacks,likestolen smart card attack,user impersonation attack,replay attack,gateway impersonation attack,man-in-the-middle attack,and Ephemeral Secret Leakage(ESL)attack,which make the scheme robust.We also consider a stronger notion of user anonymity where even gateway will not know the user’s actual identity.

• We show how the proposed scheme is resistant to various potential attacks under the DY and CK-adversary models.A detailed comparative analysis among the proposed scheme and other existing schemes show that the proposed scheme provides a superior security and more functionality features,with less communication cost and comparable computational cost as compared to other competent existing schemes in the literature.

• The practical implementation of the proposed scheme using the blockchain-based experimental study has been shown to exhibit the feasibility in real-life application.

1.4 Paper Outline

The remainder of this article is as follows.Section 2 describes an in-depth literature study on the related authentication protocols in an IoT environment.Various phases related to the proposed scheme have been discussed in Section 3.A detailed security analysis using both formal and informal security study has been done in Section 4 to show the robustness of the proposed scheme against various types of attacks in an IoT-enabled smart home environment.Section 5 provides a detailed comparative study on various security and functionality features,and communication and computational costs among the proposed scheme and other existing schemes.A blockchain-based implementation on the proposed scheme has been shown in Section 6.Finally,Section 7 provides some concluding remarks on this article.

2 Literature Survey

There has been extensive research on authentication schemes for smart home systems in the last decade.We study some of the most recent schemes relevant to the model developed in our proposed system.

Fakroon et al.[5]proposed an authentication scheme for a smart home system with smart devices to be accessed by users via gateway nodes.This scheme makes use of the user’s location that restricts users beyond distance from accessing the smart devices by considering it a malicious access.This scheme has low computation cost,but higher communication cost.It does not consider usage of blockchain.

Shuai et al.[6]proposed an authentication scheme based on elliptic curve cryptography for smart home environment.This scheme is vulnerable to privileged insider attack that can be launched using stolen smart card and offline password guessing attack,user impersonation attack,parallel session attack and password change attack.This scheme was improved by Banerjee et al.[7]to overcome its limitations by considering a stronger notion of threat model,called Canetti and Krawczyk model(CK-adversary model),where the session secret leakage is possible.They adopted smart card-based authentication for user and assumed a central registry to supply secrets to the gateway and the users.This scheme is not block-chain based,and hence,it has all inherent problems of storing the transactions in a single server and also this scheme does not provide anonymity of user at the gateway node.However,this scheme is secure against several attacks such as ESL attack and stolen smart card attack.The same scheme by Shuai et al.[6]was also cryptanalyzed by Kaur et al.[8]by exposing its vulnerability to insecure session key agreement,replay attack,and gateway node bypass attack in addition to the attacks identified by Banerjee et al.[7].The scheme by Shuai was also considered to be vulnerable against offline dictionary attack and it lacks forward secrecy as identified by Xu et al.[9].

Lin et al.[10]proposed a block-chain based mutual authentication scheme for smart home,where authentication of the users is done by using group signatures and session key establishment between user and the gateway with the help of the elliptic curve integrated encryption scheme (ECIES),and the gateway verification is done using keyed message authentication code(MAC)function generated using ECIES scheme.They confined the scope of the work to secure communication between a user and the gateway,and the same between the gateway and IoT devices are declared beyond the scope of their work.The attack model considered in their work is something like the DY threat model and it does not consider the scope for session secret leakage.Hence,their scheme is vulnerable to ESL attack under the CK-adversary model.

Naoui et al.[11]proposed a user authentication scheme,called LRP-SHAP,for smart home system with a user having a smartphone in a remote environment accessing the smart devices in the smart home via home energy manager (HEM).It uses a Wi-Fi or 4G/5G network for communication.It applies the elliptic curve and hashed message authentication code(HMAC)cryptographic operations in addition to hash functions and cookies for the authentication purpose.However,it has the extra overhead of storing cookies in addition to the parameters required for authentication.

From the above discussion,it is clear that most of the existing schemes are either vulnerable to various attacks including the ESL attack under the CK-adversary model or they are expensive in communication/computational costs.Thus,most of the schemes used in the literature for smart homes consider somewhat weaker notion of security and they are prone to ESL attack under the CKadversary model,while some of the recent works consider the CK-adversary model but they are either non-blockchain based approaches which will have an inherent disadvantage of storing transactions in a single server or there is no stronger notion of anonymity of user(in the gateway).Moreover,the discussed existing schemes do not adopt the blockchain technology.As a result,the existing schemes lack in providing high data integrity,and they are not resilience against DoS and several cyber security attacks.

To deal with this,we propose a security scheme which can solve these major issues,by adopting the prominent solutions of existing schemes as building blocks with the blockchain technology.The proposed scheme is based on block chain technology and assumes a stronger CK-adversary model.It makes a user anonymous even to the gateway,anonymous and un-traceable to the intruder,and it is also resistant to several attacks for smart home environment.

3 The Proposed Scheme

In this section,we first discuss the main motivation behind the proposal of our blockchain-based security scheme for smart home environment.We then discuss different phases relevant to the proposed scheme.

3.1 Notations

Various notations and their significance are provided in Tab.1,which are used throughout the paper.

Table 1:Notations and their significance

Table 1:Continued

3.2 Description of Various Phases

In the following subsection,we now discuss the details of the various phases involved in the proposed blockchain-based security scheme for ubiquitous computing environment,called BlockUbiHome.

3.2.1 Setup Phase

In this phase,the trusted RA sets up the system by generating various public and private parameters by executing the below steps:

• Step 1.The RA selects a non-singular elliptic curveEq(a,b)of the form:y2=x3+ax+bover a finite(Galois)fieldGF(q),where a and b are constants chosen fromZq={0,1,2,...,q-1},4a3+27b2≠0(mod q)andqis a large prime such that the“Elliptic Curve Discrete Logarithm Problem(ECDLP)”is intractable,a base pointGinEq(a,b)and a“collision-resistant one-way hash function”H(.).

• Step 2.The RA then randomly picks its actual identity AIDRAand a unique secret key(SKRA)fromZ*q={1,2,...,q-1}.The RA generates a pseudo-random identity(PRIDRA)=H(AIDRA||SKRA) and makes it available to all participating entities in the system.The also makes the public information{Eq(a,b),G,H(•)}as public.

3.2.2 One-time Registration Phase

This phase is executed by the RA before the actual communication procedure with both gateway node and the user.

1)User registration phase:The user registration phase occurs as follows.

•Step 1.A userUselects an actual identity (AIDu),a secret key SKU,a password PwdU,temporal identity SIDUand registration timestamp RTSU,and calculates pseudorandom identity of the userUas PRIDU=H(AIDu||SKU||PwdU||RTSU)and sends the credentials{PRIDU,SIDU}to the RA via secure channel.

•Step 2.After receiving the credentials of the userU,the RA computes a secret XRA=H(SIDU||PRIDU||SKRA||AIDRA),stores it in a smart card and returns the smart card to the userUvia secure channel.

•Step 3.After receiving the smart card from theRA,the userUenters personal biometric bioUat the sensor of a particular terminal and obtains(σU,τU)using the“fuzzy extractor probabilistic generation functionGen(.)”,that is,Gen(bioU)=(σU,τU).Ucomputes YU=XRA⊕H(PwdU||σU||AIDU)and generates a randomαU∈Z*qtoderiveRpwdU=H(αU||PwdU||AIDU)and RbioU=H(σU||AIDU||αU).Next,the following parameters are generated:αU’=αU⊕H(PwdU||σU),RpwdU’=RpwdU⊕H(PRIDU||σU||PwdU)and RbioU’=RbioU⊕H(σU||PRIDU||AIDU||PwdU).The local authentication parameter is computed as ZU=H(αU|| RpwdU|| RbioU|| AIDU).The userU’s private key is generated as prU∈Z*qand the corresponding public parameter as PubU=prU• G,wherex•G=G+G+...+G(xtimes)represents the elliptic curve point(scalar)multiplication,that is,the point G added to itselfxtimes.The user U then stores the parameters{αU’,RpwdU’,RbioU’,AIDU,Gen(.),Rep(.),H(.),Eq(a,b),G,,τU,et}into a smart card,whereetis an“error tolerance threshold value used in the fuzzy extractor deterministic reproduction functionRep(.)”.

2)Gateway registration phase:Like the user registration phase,the gateway registration phase occurs as follows.

•Step 1.The RA selects an actual identity (AIDHGW) of the home gateway,registration timestamp RTSHGWand secret key SKHGW∈Zq*,and calculates pseudo-random identity of gateway(PRIDHGW)as PRIDHGW=H(AIDHGW||SKRA||RTSHGW).It also computes a long term secret of the home gateway (LTSHGW) as LTSHGW=H(AIDHGW|| SKHGW|| SKRA|| RTSHGW).The RA sends the registration credentials＜PRIDHGW,LTSHGW,(PRIDU,SIDU)＞to the home gateway via secure channel.

•Step 2.After receiving the registration credentials from the RA,the gateway selects its private key as prHGW∈Z*q,generates the corresponding public parameter as PubHGW=prHGW•G and stores{PRIDHGW,LTSHGW,(PRIDU,SIDU),(prHGW,PubHGW)}in its secure database in order to avoid stolen verifier attack.

3.2.3 Login Phase

To login to the smart home network,a registered userUneeds the following steps:

•Step 1.Uinserts his smart card and initiates the process by providing his actual identity AIDU,secret password PwdU,his/her bio-metrics bioU’at the sensor of a specific terminal,say mobile device.

•Step 2.The smart card regenerates the biometric secret keyσUusing “fuzzy extractor deterministic reproduction functionRep(.)”as Rep(bioU’,τU)=σUprovided that the “Hamming distance between the original registered biometric and current entered biometric is less than or equal to the error tolerance threshold valueet”,and computesαU=αU’⊕H(PwdU||σU),RpwdU=RpwdU’⊕H(PRIDU||σU||PwdU),RbioU=RbioU’⊕H(σU||PRIDU||AIDU||PwdU)and ZU’=H(αU||RpwdU||RbioU||AIDU).The smart then checks if ZU’=ZU.If it is so,the user login is successful.Otherwise,this phase is terminated.

•Step 3.Ugenerates a random secret rU∈Z*q,a timestamp TU,and computes RU=H(rU||σU||αU||PwdU||TU)•G and SU=H(PRIDU||RpwdU||RbioU||XRA||TU)⊕H(PRIDU||RU||PubU||H(rU||σU||αU||PwdU||TU)•PubHGW)along with a signature SignrU=H(rU||σU||αU||PwdU||TU)+H(SU||PRIDU||RU)*prU(modq)and sends the login request message Msg1:＜SIDU,SU,RU,SignrU,TU＞to the gateway HGW via public channel.

This phase is summarized in Fig.2.

Figure 2:Login phase of a user U

3.2.4 Authentication and Key Establishment Phase

In this phase,both the home gateway,HGW and the user,Umutually authenticate each other and set up a common session key between them for secure data exchange.This is achieved by executing the following steps:

•Step 1.The gateway(HGW)receives Msg1atT′Uand verifies the timestamp|T′U-TU|≤ΔT.If it is valid,it extracts PRIDUusing the received SIDUfrom its memory and verifies the signature as SignrU•G=RU+H(SU||PRIDU||RU)•PubU.If it is so,the HGW extracts H(PRIDU||RpwdU||RbioU||XRA||TU)=SU⊕H(PRIDU||RU||PubU||prHGW•RU).

•Step 2.The HGW then generates a random secret rG∈Z*qand current timestamp TGto compute RG=H(rG||LTSHGW||PRIDHGW||prHGW||TG)•G and the session key SKGU=H(H(PRIDU||RpwdU||RbioU||XRA||TU)||H(rG||LTSHGW||PRIDHGW||prHGW||TG)•RU).A signature is also generated as SignrG=H(rG||LTSHGW||PRIDHGW||prHGW||TG)+H(RG||PubHGW||PRIDHGW||SKGU||TG)*prHGW(mod q).A new temporal session identity SIDUnewis generated for the userUand encrypted as SID*U=SIDnUew⊕H(RG||RU||SKGU||PubHGW||PubU).The gateway HGW finally sends the message Msg2:＜RG,SID*U,SignrG,TG＞to the userUvia public channel.

•Step 3.The userUreceives Msg2at timeT′Gand verifies the timestamp by|T′G-TG|≤ΔT.If it is satisfied,Ucomputes the session key as SKUG=H(H(PRIDU||RpwdU||RbioU||XRA||TU)||(H(rU||σU||αU||PwdU||TU)•RG)).The signature is then verified as SignrG•G=RG+H(RG||PubHGW||PRIDHGW||SKUG||TG)•PubHGW.If the signature is valid,the new session identity of the user is extracted as SIDnUew=SID*U⊕H(RG||RU||SKUG||PubHGW||PubU)and it is then updated in the userU’s smart card corresponding toSIDU.

•Step 4.The userUgenerates current timestamp TVand computes a session key verifier as SKVUG=H(SKUG||TV)and sends the acknowledgment message Msg3:＜SKVUG,TV＞to the home gateway,HGW via open channel.

•Step 5.When HGW receives theMsg3at timeT′V,it verifies the timestamp as |T′V-TV| ≤ΔT.If this is verified as correct,the HGW computes its own session key verifier asSKVGU=H(SKGU||TV).If it is found thatSKVUG=SKVGU,the session keySKGUis stored in the home gateway HWG’s secure memory.Simultaneously,the session keySKUGis also stored by the userU’s smart card memory.

This overall phase is finally briefed in Fig.3.

Figure 3:Authentication and key agreement among a user(U)and the home gateway node(HGW)

3.2.5 Secure Data Aggregation Phase

After the successful authentication and key establishment between a user and the gateway node,the transactions can be now sent in encrypted way using the established session key,along with the hash of transactions which will ensure privacy,integrity,and authentication between the communication parties.In this way,the in-charge gateway HGW will securely gather all the transactions,which will be used in forming the blocks for mining into the blockchain.

3.2.6 Block Addition Phase

Once the home gateway (HGW) receives the transactions from the authorized users,it will be routing then to one of the consensus nodes of private blockchain,and once the transactions threshold is reached,the consensus node,being the leader (miner) node in the Peer-to-Peer (P2P) blockchain network,creates a block with the useful parameters which make it immutable.The transactions(Txi)in the block are encrypted with the public key of HGW in order to ensure privacy.Then using the votingbased Practical Byzantine Fault Tolerance (PBFT) consensus algorithm [12],the leader determines whether to add or discard the block.The structure of a block is shown in Fig.4.A constructed block has two parts:a)block header and 2)block payload.The block header contains the following fields:

•Block version (BV):It is a unique version number attached to each created block into the blockchain.

•Previous block hash (PBH):For creating the chain of blocks into the blockchain,the hash value (using Secure Hash Algorithm (SHA-256) [13]which produces 256-bit hash output) of the previous block of a current block is calculated.

•Merkle Tree Root (MTR):It is created as the hash value of all the transactions present in a block.Note that the Merkle tree is considered as ahash treeis a tree in which each“leaf node”is labelled with the cryptographic hash value of a data block containing the digital information.On the other side,each node that is not a leaf node is also labelled with the cryptographic hash value of the labels of its child nodes.Thus,a hash tree(Merkle tree)is treated as a generalization of a“hash list”and a“hash chain”.

•Timestamp(T):The time when a block was created.

•Owner of block(BO):It represents an entity in the network who has created the block.

•Public key of signer (PubHGW):The public key of the home gateway being the signer is used to verify the signature on the current block hash (CBlock).CBlock is used to create the signature using the“Elliptic Curve Digital Signature Algorithm(ECDSA)signature verification function”with the help of the private key prHGWof HGW.

•List of encrypted transactions:A list of ntencrypted transactions is inserted as block payload.Here,the encryption is done using the public key PubHGWto provide confidentiality or privacy of the transactions which can be viewed by the HGW only.

To verify a block,we need three level verification process:1)Merkle tree root verification helps to checks whether any transactions in the block are modified or not;2)current block hash verification helps to check whether any block header fields,and the transactions are proper or not;and 3)block signature verification using the ECDSA verification algorithm helps in verifying whether the overall block is authentic or not.

When an authorized user wants to remotely operate the smart devices at his home,he must provide his secret credentials and biometric details,through which the smart card authenticates him as a genuine user and will allow him in exchanging a secret session key.The user then passes all the essential parameters needed to the home gateway for constructing a session key.Through the authentication and key establishment phase of the scheme,the home gateway and the user will share a secret session key.Using the shared session key,the user can encrypt the transactions(with the necessary details of IoT device and commands to it)and can send the transactions to the home gateway securely through the secure data aggregation phase.The home gateway decrypting the transactions will send the commands to the appropriate IoT device(s)and through the block addition phase of the scheme,the transactions will be added into the blockchain.The results from IoT devices are also encrypted with the same key and will be passed to the user.

Figure 4:Structure of a block in blockchain

The overall working flow diagram of the proposed smart home system including the block addition phase is summarized in Fig.5.In the process flow diagram of the proposed scheme,two types of communication are performed through a) private/secure channel and b) public (open) channel.Here,the private channel is used for registration of the entities in a smart home environment.For instance,a user in smart home can register with the trusted RA in person by submitting the registration credentials to the RA and then receive a smart card from the RA.On the other side,the public channel is used for all other communications excluding the registration phase.

Figure 5:Process flow diagram of the proposed smart home system

4 Security Analysis

In this section,through both the formal and informal security analysis,we show the robustness of the proposed scheme against various potential attacks that are possible in case of a smart home environment.

4.1 Formal Security Analysis

This section analyses the proposed scheme using the widely adopted Real-Or-Random (ROR)oracle model[14]as follows.

The ROR model models a one-way cryptographic hash function H(•)as a random oracleHash.LetΛUw1andΛHGWw2denote the instances of the participants user and the home gateway in the proposed scheme,respectively.The ROR analysis uses the queries defined in Tab.2.

Table 2:Queries and their significance

Definition 1 (Semantic security):A polynomial time adversaryAmay have an advantage AdvABlockUbiHome(polyt)to derive the session key SKUG(=SKGU)for the proposed scheme BlockUbiHome given by AdvABlockUbiHome(polyt)=|2Pr[bitg-bitc]-1|wherePr[E]represents the probability of event E andbitg,bitcare the guessed and correct bits.

Theorem 1.Let AdvABlockUbiHome(polyt)be the advantage of a polynomial time adversaryAin deriving the session key SKUG(=SKGU) for the proposed scheme BlockUbiHome such that bitscountbe the number of bits in the biometric secret keyσUunder the Zipf’s law,then

where qhash,qsendand|Hash|represent“the number of hash queries,send queries and the range space of H(•)”,is the advantage of an adversaryAin breaking the ECDDHP problem and C’,s’are Zipf’s parameters[15].

Proof.Four games,i=0,1,2,3 that involves the adversaryAtrying to win the game by correctly guessing random bit in gamedenoted by the eventand the corresponding advantage denoted byThe games and the corresponding probability of A in winning each game are defined as follows:

•GameA0:In the first game,Atries to pick a bit randomlybitcrandomly that gives the adversary advantage against the proposed scheme as

•GameA1:In the second game,the adversaryAattempts to derive the session key by running theExecutequery to eavesdrop on the messages Msg1=＜SIDU,SU,RU,SignrU,TU＞and Msg2=＜RG,SID*U,SignrG,TG＞during the authentication key agreement phase.The session key is constructed as SKGU=H(H(PRIDU||RpwdU||RbioU||XRA||TU)||H(rG||LTSHGW||PRIDHGW||prHGW||TG)•RU)=H(H(PRIDU||RpwdU||RbioU||XRA||TU)||H(rU||σU||αU||PwdU||TU)•RG)=SKUG.The session key is constructed using the temporal secrets rU,rGand the longterm secretsσU,αU,PwdU,LTSHGW,XRA,RpwdU,RbioUand prHGW.These credentials cannot be obtained from the eavesdropped messages.Auses the Reveal and Test queries to check if the derived session key is the original session key used by the entities or is a random key.Since the intercepted messages cannot help in deriving the session key SKGU=(SKUG),GameA1andGameA0are indistinguishable under the eavesdropping attack leading to the conclusion:

•GameA2:In the third game,adversaryAlaunches an active attack using the CorruptUD query,wherein the user device is stolen or lost andAhas obtained all the secret user credentialsαU’,RpwdU’,RbioU’,AIDU.However,these credentials alone cannot help in deriving the secret key asAwould require the parameters rU,rG,SKU,PwdU,σU,αU,RpwdU,RbioU.At mostbitscountnearly random bits can be extracted using the fuzzy extractor method,which gives the approximate probability of guessingσUto beThus,in the absence of“password/biometrics guessing attacks’’,the gamesGameA1andGameA2becomes identical.Based on Zipf’s law for user-selected passwords,the following relation may be derived:

•GameA3:In this fourth game,the adversaryAtries to emulate the hash operation and the elliptic curve multiplication operation so as to obtain the corresponding results during the authentication scheme.For this,Asimulates theHashrandom oracle and simulates hash queries.In addition,it needs to solve the elliptic curve decisional Diffie-Hellman problem(ECDDHP)to derive the session key.In the proposed scheme,RU=H(rU||σU||αU||PwdU||TU)•G and SU=H(PRIDU||RpwdU||RbioU||XRA||TU) ⊕H(PRIDU||RU||PubU||H(rU||σU||αU||PwdU||TU) • PubHGW) and RG=H(rG||LTSHGW||PRIDHGW||prHGW||TG)•G are available in public channel.To derive the session key SKGU=H(H(PRIDU||RpwdU||RbioU||XRA||TU) ||RU• H(rG||LTSHGW||PRIDHGW||prHGW||TG))=H(H(PRIDU||RpwdU||RbioU||XRA||TU)||H(rU||σU||αU||PwdU||TU)•RG)=SKUG,adversaryAneeds to solve ECDDHP to extract H(rU||σU||αU||PwdU||TU) and H(rG||LTSHGW||PRIDHGW||prHGW||TG) from RU,RGand their product RU•RG.Let the adversary A’s advantage in solving ECDDHP be.Also,Aneeds to query the random oracle to obtain the collision of hash results H(rU||σU||αU||PwdU||TU),H(rG||LTSHGW||PRIDHGW||prHGW||TG)and H(PRIDU||RpwdU||RbioU||XRA||TU) usingqhashnumber of queries.Applying the birthday paradox,for the hash collision over the ECDDHP advantage of the adversary we obtain:

After the games are played,the adversary now guesses the correct bitbitc,which has an advantage given by

Considering Eqs.(1)-(5),we get

Multiplying both sides by 2 in Eq.(6),we get

4.2 Informal Security Analysis

The informal security analysis proves that the proposed scheme is resistant to various known attacks.

Proposition 1.The proposed schemeBlockUbiHomeis secure against ESL Attack.

Proof.In the proposed scheme,the computed session key is constructed as SKGU=H(H(PRIDU||RpwdU||RbioU||XRA||TU) ||RU• H(rG||LTSHGW||PRIDHGW||prHGW||TG))=H(H(PRIDU||RpwdU||RbioU||XRA||TU) ||H(rU||σU||αU||PwdU||TU) • RG)=SKUG.The session key is constructed using the temporal secrets rU,rGand the long term secretsσU,αU,PwdU,LTSHGW,XRA,RpwdU,RbioUand prHGW.If only the long-term secrets are revealed,then the short-term secrets protect the session key from compromise.Similarly,if the short-term secrets are compromised,then the longterm secrets ensure that the session key is protected.

Proposition 2.The proposed schemeBlockUbiHomeis secure against privileged insider attack.

Proof.The home gateway node registration phase does not require the gateway to share any of its credentials.All the required parameters are pre-loaded by the registration authority into the gateway node’s secure memory.The registration of the user ensures that AIDU,SKU,and RTSUare not revealed to the registration authority.The user credentials created do not use any parameters generated by the RA.The only parameter XRAis used in the session key construction but not in any user credentials.In addition,usage of random secretαUensures that the identity and password of the user cannot be guessed by the attacker due to the one-way property of the collision-resistant hash function.Thus,privileged insider attack cannot be successful against the proposed scheme.

Proposition 3.The proposed schemeBlockUbiHomeis resilient against replay attack.

Proof.Consider that the messages Msg1:＜SIDU,SU,RU,SignrU,TU＞,Msg2:＜RG,SID*U,SignrG,TG＞and Msg3:＜SKVUG,TV＞are intercepted by the adversaryAduring the authentication phase of the schemeBlockUbiHome.Amay try to replay the same messages by capturing these messages and resending them to the destination entity.In such as case,as per the designed scheme,the destination entity will verify the freshness of the timestamp and find that these are replayed messages and discard them.Thus,the proposed scheme resists replay attack.

Proposition 4.The proposed schemeBlockUbiHomeis resilient against man-in-the-middle attack.

Proof.Consider that the messages Msg1:＜SIDU,SU,RU,SignrU,TU＞,Msg2:＜RG,SID*U,SignrG,TG＞and Msg3:＜SKVUG,TV＞are captured and tampered by the adversaryAduring transit in the public channel.In Msg1and Msg2,the parameters are all verified by the signatureSignrUandSignrG,respectively.The messageMsg3is intended to verify if the session keys computed at both sides are equal.Hence,the computation of the verifier itself ensures that MiTM fails as the session keys themselves are never exchanged directly.

Proposition 5.The proposed schemeBlockUbiHomeis resilient against impersonation attacks.

Proof.Consider that the messages Msg1:＜SIDU,SU,RU,SignrU,TU＞,Msg2:＜RG,SID*U,SignrG,TG＞and Msg3:＜SKVUG,TV＞are intercepted by the adversaryAduring the authentication phase of the schemeBlockUbiHome.The following cases are studied:

•User impersonation attack:To launch this attack,the adversaryAtries to impersonate the user U.For this,Agenerates rAU,TAUand computes RAU=H(rAU||σU||αU||PwdU||TAU)·G,SAU=H(PRIDU||RpwdU||RbioU||XRA||TAU)⊕H(PRIDU||PubU||H(rAU||σU||αU||PwdU||TAU)·PubHGW)and SignArU=H(rAU||σU||αU||PwdU||TAU)⊕H(SU||PRIDU||RU)*prU(mod q).However,it can be observed that the long term secrets RpwdU,RbioU,XRA,σU,αU,PwdUshould be known toAin order to order to produce a valid message MsgA1:＜PRIDU,RAU,SAU,SignrU,TAU.Hence,the proposed schemeBlockUbiHomeis resistant to user impersonation attack.

•Home gateway node impersonation attack:For the adversaryAto impersonate the home gateway,it needs to first generate a random secret as rAG∈Z*p,and also to create a fresh timestamp TAG,and then to compute the parameters like RAG=H(rAG||LTSHGW||PRIDHGW||prHGW||TAG)·G,SKAGU=H(H(PRIDU||RpwdU||RbioU||XRA||TAU)||RU||H(rG||LTSHGW||PRIDHGW||prHGW||TAG))and the signature to be calculated using the private key prHGWof the HGW as follows:prHGW(modq)To fabricate the message Msg3:＜RAG,SignArG,SID*UA,TAG＞,Arequires the long-term secrets PRIDHGW,prHGWand LTSHGW.Hence,the schemeBlockUbiHomeis secure against this impersonation attack.

Proposition 6.The proposed schemeBlockUbiHomeis resilient against DoS attack.

Proof.The fuzzy extractor method used in the scheme employs the Hamming distance concept that helps avoid false acceptance and false rejection rates.This method is better in comparison to the one-way hash functions,perceptual hashing and biohashing,which cannot generate unique results from user biometric data even though they have reduced output error.In addition,the usage of timestamps in ensures message freshness and does not allow the same message from the same sender to be repeatedly received.This ensures that safety against DoS attack.

Proposition 7.The proposed schemeBlockUbuiHomeachieves anonymity and untraceability.

Proof.The messages Msg1:＜SIDU,SU,RU,SignrU,TU＞,Msg2:＜RG,SID*U,SignrG,TG＞and Msg3:＜SKVUG,TV＞in the authentication phase use only pseudorandom and temporal identities PRIDUand SID*Uof the user and hence no message can be traced to the original sender.Hence,the proposed scheme achieves anonymity and untraceability.

Proposition 8.The proposed scheme is resilient against stolen smart card attack.

Proof.The user stores the credentialsαU′,RpwdU′,,AIDUon the smart card during the registration phase.However,none of these credentials reveal the secret parametersσU,αU,PwdU,andSKUdirectly to the adversaryA.In addition,offline biometric guessing attacks are infeasible on the 160-bit long identities and secret credentials.Hence,Acannot obtain any information from the stolen smart card,making the scheme secure against such attacks.

5 Comparative Study

This section performs thorough analysis of the proposed scheme and compares it with other schemes,such as the schemes of Fakroon et al.[5],Shuai et al.[6]and Naoui et al.[11]for costs undergone like the analysis done in the existing schemes[16-20].

5.1 Testbed Experimentation with MIRACL

The proposed scheme is examined through its execution time with the help of the open source SDK“Multiprecision Integer and Rational Arithmetic Cryptographic Library(MIRACL)”[21]based on C/C++that gives the execution times of all required cryptographic operations.The notations for representing the cryptographic operations as denoted asThfor SHA-256 hashing,Tecmfor elliptic curve multiplication,Tecafor elliptic curve addition,Tencfor symmetric key encryption using AES-128,Tdecrfor symmetric key decryption using AES-128,Texpfor exponentiation,andTbpfor bilinear pairing operation.

Two scenarios have been considered as follows.

Scenario 1:The platform for a server is taken as “Ubuntu 18.04.4 LTS,with memory:7.7 GiB,processor:Intel Core i7-8565U CPU@1.80 GHz X 8,OS Type:64-bit and disk:966.1 GiB”.100 runs have been executed for each cryptographic operation to record the“maximum,minimum and average run time in milliseconds”for each operation.The results are tabulated in Tab.3.

Table 3:Execution costs using MIRACL library for cryptographic primitives

Scenario 2:The platform for a user device/smart device is considered as follows:“Raspberry Pi 3 B+Rev 1.3,with CPU:64-bit,Processor:1.4 GHz Quad Core,4-cores,Memory(RAM):1GiB,and OS:Ubuntu 20.04 LTS,64-bit”[22]Once again,100 runs are executed for each operation to record the maximum,minimum and average run-time for each operation.The results are also tabulated in Tab.3.

5.2 Computational Costs Comparison

The proposed scheme is evaluated to obtain a computation cost of 11Th+5Tecm+2Tecaat the user and 7Th+5Tecm+2Tecaat the home gateway node.The comparison of computation costs is shown in Tab.4.

Table 4:Communicational costs comparison

5.3 Communication Costs Comparison

The result of hash function (using SHA-256) takes 256 bits,and the result of “symmetric key encryption/decryption function using AES-128”[23]takes 128 bits.Choice of ECC is taken such that 160-bit ECC provides the same security as 1024-bit RSA algorithm.A given point on the elliptic curve takes 320 bits with each coordinate taking 160 bits.The proposed scheme is evaluated to obtain a communication cost of 1984 bits in 3 messages.The comparison of communication costs is shown in Tab.5.The proposed schemeBlockUbiHomeis observed to take the least communication cost among all compared schemes.

Table 5:Communication costs comparison

5.4 Security and Functionality Features Comparison

The proposed scheme is compared with the relevant schemes to understand how many of the required security features and functionality features are supported by each scheme.It can be concluded from Tab.6 that even though the scheme has slightly higher computational cost,its communication cost is very low and it achieves more features compared to the other schemes.

Table 6:Security and functionality features comparison

6 Implementation of Blockchain:Simulation Study

The blockchain simulations were performed on a platform“Ubuntu 20.04.3 LTS(Focal Fossa),64-bit OS with Intel®Core™i7-6820HQ CPU @ 2.70 GHz,32 GiB RAM” using the “Practical Byzantine Fault Tolerance (PBFT)” consensus algorithm [12].The main advantages of using the blockchain simulations for the proposed scheme are to show the effects of computational time needed for three cases:a) a varied number of transactions per each block,b) a varied number of P2P nodes in the blockchain network,and c) a varied number of blocks to be mined in P2P blockchain network.These will measure the effectiveness of the proposed scheme with respect to utilization of the blockchain technology with the traditional user authentication and key agreement procedures in a smart home environment.

The home gateway after receiving a transaction from an authorized user will pass the transaction to a consensus Node for storing it into the blockchain.We can make the consensus node build a block,only after receiving some threshold number of transactions,so that storage overhead will be decreased.It creates a block which has the parameters essential to make the system achieve immutable and nontampering.The transactions in the block are encrypted with its public key to ensure privacy[24].It now requests leader for adding the block to the Network.Then using the PBFT algorithm for consensus,the leader determines whether to add or discard the block.

The size of the block＜BV,PBH,MTR,T,BO,Signer Public Key,List of Transactions,Block Sign,CBH＞can be computed as＜32,256,256,32,160,160,nt* 160,160,256＞totaling to about 1472+nt* 160 bits.The simulation is conducted on VS CODE 2019 programming platform with Nodejs language.The following scenarios are taken into account:

Case 1:The number of peer nodes in the network is taken to be 10 and the no of transactions is taken to be 15 in each block.The time for computation as the number of blocks mined is increased from 5 to 25 in steps of 5 as shown in Fig.6.

Figure 6:Simulation results:Number of blocks mined vs.computational time(in s)

Case 2:The number of peer nodes is taken to be 5 and the number of blocks mined is fixed at 10 while the number of transactions in each block is increased from 5 to 25 in steps of 5 to note the change in computation time as shown in Fig.7.

Figure 7:Simulation results:Number of transactions per block vs.computational time(in s)

Case 3:The number of peer nodes is varied from 10 to 30 in steps of 5 while the number of blocks mined is fixed at 10 and the number of transactions per block is fixed at 15.The respective computation time is noted during this variation as shown in Fig.8.

Figure 8:Simulation results:Number of P2P nodes vs.computational time(in s)

7 Conclusion and Future Work

The proposed research work presents a novel authentication protocol for smart home system using blockchain technology.A user can be remotely authenticated by the home gateway network using the proposed scheme.Once authenticated,the user may send any commands or instructions to be executed by a network of devices via the home gateway.Since the user is authenticated before sending commands,any malicious user is restricted from sending harmful commands to the home network.The proposed scheme is analyzed through a detailed analysis of the computation cost,communication cost and security features.In addition,an implementation of the blockchain shows only a linear variation in the increase of execution time with change in the peer nodes or number blocks or number transactions in each block.Future work includes lattice-based cryptographic techniques that can be embedded with the blockchain technology for smart home environment[25].

Acknowledgement:The authors would like to thank their universities for the support provided during this research.The authors would also like to thank the anonymous reviewers and the associate editor for their valuable feedback.

Funding Statement:This work was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education under Grant 2020R1I1A3058605.The authors also extend their gratitude to the Deanship of Scientific Research at King Khalid University for funding this work through research groups program under Grant Number R.G.P.1/399/42.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.