Untraceable and Unclonable Sensor Movement in the Distributed IoT Environment

This disruptive era has had a significant impact on the development of technologies for human beings, such as the Internet of Things (IoT). IoT allows people and devices to transmit their data, and hence intelligent environments, such as intelligent healthcare systems, smart transportation, smart cities, and so on, have been invented. Unfortunately, the wireless-based communication used by IoT offers opportunities for an adversary to eavesdrop on, delete, and alter the data transmitted to each device. In addition, the adversary can perform severe attacks, such as cloning, impersonation, and others. On the other hand, IoT opens a new challenge for achieving security properties that preserve privacy through untraceable and unclonable device movement. This article proposes unclonable and untraceable sensor movement in distributed IoT environments to resolve the aforementioned problems. Informal and formal analyses are used to ensure that our proposed protocol achieves the security features and withstands various attacks. A comparison of computational complexity with the related protocols shows that our proposed protocol is suitable for the IoT environment.


I. INTRODUCTION
THE distributed Internet-of-Things (IoT) environment is an IoT environment consisting of several wireless sensor networks (WSNs); connectivity between WSN and IoT devices can provide remote access and heterogeneous device communications. Several companies have utilized distributed IoT environments; for example [1], International Business Machines (IBM) with Smart Planet utilizes sensors as a primary component applied in a smart water management system and smart city. Another project is the HP lab's Central Nervous System for the Earth (CeNSE), which also utilizes sensors as a primary component.
On the other hand, 6LoWPAN can integrate the components of WSNs, such as sensors, with web services based on the simple object access protocol (SOAP) and representational state transfer (REST) [2], [3], and with other communication services, such as WhatsApp, Line, email, blogs, and so on [4], [5]. However, many challenges must be carefully considered.
One of the challenges is related to the security and privacy problem. An example is sensor movement in a distributed IoT-based healthcare system, in which patients with a body sensor network want to move from one room to another, or from one hospital building to another, for treatment while keeping their privacy. While the patients' body sensors can prove their legitimacy, their movements should remain secret for security reasons. Several security features must be fulfilled to securely provide WSNs as part of the IoT environment [6]. However, this article focuses on untraceable and unclonable sensor movement. The proposed protocol also aims to achieve the standard security features, such as mutual authentication and perfect forward and backward secrecy, and to withstand various kinds of attacks, including replay, denial-of-service (DoS), and other attacks. Moreover, this article uses lightweight cryptography, such as the XOR operation and a one-way hash function. In addition, the physical unclonable function (PUF) is used to achieve a noncloning device.
This article is further organized as follows. Section II presents a literature review and contribution. Section III presents the proposal details, and Section IV discusses the informal analysis. Section V explains the performance and comparison analysis. Sections VI-VIII, respectively, discuss the formal analysis using BAN logic, the real or random (RoR) unclonable devices. Therefore, the previous schemes cannot withstand cloning attacks.
Several researchers [20], [21], [22] have introduced the physical unclonable function (PUF) as an alternative for withstanding cloning attacks. However, [23], [24], and [25] describe that the PUF is vulnerable to the modeling attack or machine-learning attack; the attacker collects the challenge-response and predicts the new challenge-response, PUF violation, and cloning attacks. However, we argue that the modeling attack or machine-learning attack cannot collect many challenge-response pairs from the protocol security systems. Remember that the responses are secret, so the modeling attack cannot predict the new challenge-response. Therefore, the PUF, which does not stand alone, in a security system, is still relevant to be utilized in withstanding the cloning attacks. In addition, we adopt [26] and [27] to avoid machine-learning attacks where the sensor is equipped with weak and strong PUF, whereas [26] and [27] utilize weak PUF to prevent the machine-learning attack. Our authentication protocol uses weak PUF and updates the challenge-response pairs in every session; hence, the machine-learning attack cannot obtain future responses even if the attacker gets a challenge from a public channel. We can argue that our scheme is safe under machine-learning attacks (the detailed discussion is given in Section IV-B6).
This article endeavors to resolve the problems that cannot be solved by the previous schemes [10], [15], and [19]. The contributions of this proposal are explained as follows.
1) Designing a new protocol using PUF, with the main contributions of both untraceable and unclonable sensors.
2) Achieving mutual authentication and perfect forward and backward secrecy.
3) The proposed authentication protocol can withstand various kinds of attacks, such as replay, DoS, impersonation, and cloning attacks.
4) BAN logic is used to ensure that the authentication protocol has achieved secure mutual authentication. In addition, the RoR model and the Scyther tool are used to ensure the proposed protocol withstands various attacks.
5) A comparison of security features and computational complexity ensures that the proposal is secure and has low computational complexity.

B. Preliminaries
This section briefly presents the preliminary background of the PUF.
1) Physically Unclonable Function: The PUF is a unique property of a circuit, arising from the chip manufacturing process, that maps a challenge $C$ to a response $R$ [28]. Formally, $C$ is input into the PUF to produce $R$, where $R = PUF(C)$. Significantly, PUFs are hard to clone [29]. The PUF is divided into two types: nonideal and ideal. A nonideal PUF may produce a different response when a similar challenge $C$ is input, due to the temperature. The fuzzy extractor (FE) is used to ensure the stability of the PUF output [30], [31]. Meanwhile, the ideal PUF may produce a similar response when similar challenges are input, even if the factor of nonstable temperature occurs. In the last few years, researchers have developed an ideal PUF, ensuring a 0% bit-error rate [32], [33], [34], [35]. However, in reality, noise definitely occurs. Therefore, in this article, the nonstable PUF and FE are utilized to yield the stability of the PUF's output [36].
2) Fuzzy Extractor: The FE has two functions: FE.Gen() and FE.Rec(). FE.Gen() is the probabilistic function that generates the fixed key $K_u$ and helper data $hd$ from the input noisy response $R_i$, where $(K_u, hd) = FE.Gen(R_i)$. FE.Rec() is the deterministic function to reconstruct $K_u$ from helper data $hd$ and noisy input The successful FE is based on the similarity of original data and noisy data. Therefore, in this article, we use the FE to obtain a fixed key $K_u$ from the noisy response, where $(K_u, hd) = FE.Gen(R_i)$ [30], [31].

C. Definition
This section briefly presents the definitions of the secure Hash Function, PUF, and FE.

1) Definition 1 (Collision-Resistant One-Way Hash Function):
Formally, the collision-resistant one-way hash function $h : \{0, 1\}^* \to \{0, 1\}^n$ denotes the mathematical model of the hash function output, where an input of arbitrary bit length yields a fixed-length output. The definition of adversary advantage to find the collision in time $t$ is denoted by $Adv^{Hash}$ , $\Pr(X)$ represents the probability of a random event $X$; $x_1$, $x_2$ are strings randomly selected by $A$. An adversary $(\varphi, t)$ that attacks the collision resistance of $h(\cdot)$ with maximum execution time $t$ is denoted by $Adv^{Hash}_A(t) \le \varphi$.
2) Definition 2 (PUF Function Is Secure): The PUF is secure if, for example, $PUF_1$ produces output responses $R_1, R_2 \in \{0, 1\}^k$ with at least $d_1$ variation for two input challenges $C_1, C_2 \in \{0, 1\}^k$, and if an input challenge $C_1$ produces distinct output responses $R_1, R_2 \in \{0, 1\}^k$ with at least $d_2$ variation for any two different PUFs ($PUF_1$, $PUF_2$). Therefore,
$$\Pr[HD(PUF_1(C_1), PUF_1(C_2)) > d_1] = 1 - \varepsilon, \qquad \Pr[HD(PUF_1(C_1), PUF_2(C_1)) > d_2] = 1 - \varepsilon.$$
Here $\varepsilon$ is a negligibly small value, $C_1, C_2$ are the challenges selected randomly by the adversary, HD is the Hamming distance, and $d_1, d_2$ are the PUF's error tolerance thresholds.
3) Definition 3 (FE Is Secure): The FE $(d, \lambda)$ is secure if $K_u = FE.Rec(hd, R_i)$ when the Hamming distance between $R_i$ and $R$ comes near $d$, and if FE.Gen generates a cryptographic key $K_u$, randomly distributed over $\{0, 1\}^k$, from a response $R$ whose min-entropy is at least $\lambda$. The helper data can cause a loss of min-entropy if used repeatedly; hence, the helper data must be kept secret during the authentication protocol process.
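The FE.Gen/FE.Rec pair from the preliminaries and the distance thresholds of Definitions 2 and 3, as an added example that is not the authors' implementation. It assumes a code-offset construction over a 5-fold repetition code and a hash-based stand-in for the PUF; `SimulatedPUF`, `fe_gen`, `fe_rec` and every input value are constructed for illustration.

```python
import hashlib
import secrets

REP = 5          # repetition factor: each seed bit is spread over 5 response bits
SEED_BITS = 32   # so a response is SEED_BITS * REP = 160 bits long


class SimulatedPUF:
    """Software stand-in for a PUF. A per-device byte string plays the role of
    the manufacturing variation; a real PUF stores no such secret."""

    def __init__(self, device_variation):
        self._variation = device_variation

    def response(self, challenge, noisy_positions=()):
        """R = PUF(C) as a list of bits; noisy_positions models bit errors."""
        digest = hashlib.sha256(self._variation + challenge).digest()
        bits = [(digest[i // 8] >> (i % 8)) & 1 for i in range(SEED_BITS * REP)]
        for pos in noisy_positions:
            bits[pos] ^= 1
        return bits


def hamming_distance(a, b):
    return sum(x != y for x, y in zip(a, b))


def _encode(seed):
    """Repetition code: repeat every seed bit REP times."""
    return [bit for bit in seed for _ in range(REP)]


def _decode(codeword):
    """Majority vote per block; corrects up to REP // 2 flipped bits per block."""
    return [int(sum(codeword[i:i + REP]) > REP // 2)
            for i in range(0, len(codeword), REP)]


def _derive_key(seed):
    return hashlib.sha256(bytes(seed)).digest()


def fe_gen(response):
    """(K_u, hd) = FE.Gen(R): probabilistic, run once at registration."""
    seed = [secrets.randbits(1) for _ in range(SEED_BITS)]
    helper = [r ^ c for r, c in zip(response, _encode(seed))]
    return _derive_key(seed), helper


def fe_rec(noisy_response, helper):
    """K_u = FE.Rec(R', hd): deterministic, run by the sensor in every session."""
    noisy_codeword = [r ^ h for r, h in zip(noisy_response, helper)]
    return _derive_key(_decode(noisy_codeword))


def demo():
    challenge = b"constructed-challenge-C_s"
    sensor = SimulatedPUF(b"constructed-variation-of-sensor-A")
    clone = SimulatedPUF(b"constructed-variation-of-sensor-B")

    enrolled = sensor.response(challenge)
    key, helper = fe_gen(enrolled)

    # Seven flipped bits, never more than two inside one 5-bit block.
    mild = sensor.response(challenge, noisy_positions=(0, 1, 7, 13, 42, 43, 99))
    # Three flips inside block 0 exceed what the code can correct.
    heavy = sensor.response(challenge, noisy_positions=(0, 1, 2))
    # A different device answering the same challenge.
    cloned = clone.response(challenge)

    return {
        "mild_noise_distance": hamming_distance(enrolled, mild),
        "mild_noise_recovers_key": fe_rec(mild, helper) == key,
        "heavy_noise_recovers_key": fe_rec(heavy, helper) == key,
        "clone_distance": hamming_distance(enrolled, cloned),
        "clone_recovers_key": fe_rec(cloned, helper) == key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The helper data here is the XOR of the enrolled response and a codeword, which is why Definition 3 requires it to stay secret when it is reused.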

III. PROPOSED SCHEME
This section presents the proposed authentication protocol as shown as a flowchart in Fig. 1, starting from System architecture, Assumptions, Notations, Registration phase between Cluster Head and Home IoT Server, Registration between Sensor and Home IoT Server, Authentication in intercluster movement phase (as shown in Fig. 2), authentication in inter-network movement phase (as shown in Fig. 3), Updated

A. System Architecture
Our system structure adopts the authentication protocol proposed by Gope and Hwang [10]. For convenience, several terms are introduced: sensor (SN), cluster head (CH), home IoT server (HIoTS), and cloud server (CS). SN collects the data from users; CH forwards data to HIoTS; HIoTS is a database that stores the data from the sensor and CH in each WSN; and CS manages HIoTS.

B. Assumptions
Several assumptions are presented as follows.
1) The sensor is equipped with PUF and FE.Rec().
3) PUF and FE are onboard the sensor; if an attacker attempts to tamper with them, PUF and FE will be destroyed.
4) The sensor has constrained resources.
5) CH and HIoTS do not have constrained resources.

C. Notations of Cryptographic Functions
This section presents the notations of cryptographic functions. In addition, based on the aforementioned assumptions, the sensors are equipped with PUF; hence, the scheme uses this facility (as shown in Table I).

D. Registration of CH via Secure Channel
In this section, registration of CH via a secure channel is presented; each step in this phase is as follows.
Step 1: CH selects its identity $ID_{ch}$ and sends $ID_{ch}$, $Reg_{Req}$ to the HIoTS.
Step 2: HIoTS generates the shared key $K_{ch}$ for CH and HIoTS, stores $K_{ch}$ and $ID_{ch}$, and then sends $K_{ch}$ to CH.
Step 3: Finally, CH stores $K_{ch}$ and $ID_{ch}$.

E. Registration of Sensor via a Secure Channel
In this section, registration of SN via a secure channel is presented; each step in this phase is as follows.
Step 1: The sensor sends its identity and registration request $ID_s$, $Reg_{Req}$ to HIoTS.
Step 2: HIoTS generates a challenge $C_s$, a pseudo-identity $PID_{sh}$ to achieve anonymity of the sensor when communicating with HIoTS, pseudo-identities for synchronization $PID_{Syn} = \{pid_1, pid_2, \ldots, pid_n\}$, and challenges for synchronization $C_{Syn} = \{c_1, c_2, \ldots, c_n\}$, and then HIoTS sends $C_s$, $C_{Syn}$, $PID_{sh}$, and $PID_{Syn}$ to SN.
Step 3: SN generates a response R s = PUF(C s ) and responses for synchronization Step 4: , and then sends hd s and hd Syn to SN.
Step 5: SN receives $hd_s$ and $hd_{Syn}$ and then stores $PID_{sh}$, $PID_{Syn}$, $hd_s$, and $hd_{Syn}$.
If synchronization loss occurs, SN replaces $PID_{sh}$ and $hd_s$ by $PID_{Syn}$ and $hd_{Syn}$ and runs similarly to the authentication phase.

F. Authentication in Intercluster Movement Phase
This section presents the phase of authentication in intercluster movement and each step at this phase is as follows. Step Step 2: After receiving Step 3: , updates pseudo-identity in every session for preserving privacy, by generating new pseudo-identity and protected by h(ID s ||k s ), where PID sh = PID new sh ⊕ h(ID s ||k s ) and computes and HIoTS then sends M 3 :

G. Authentication in Internetwork Movement Phase
This section presents the phase of authentication in the internetwork movement and each step at this phase is as follows.
SN first sends SN then moves to other networks; C-HIoTS is helped by O-HIoTS to authenticate SN movement and communication between C-HIoTS and O-HIoTS via the secure channel. The details of these steps are presented as follows.

H. Updated Challenge-Response Phase
This section discusses the updated challenge-response.
Step 1: HIoTS generates a nonce N 1 , selects challengesecret key generated from the response (C S , k s ), and pseudoidentity PID sh . HIoTS considers updating the challenge C new s , encrypts the new challenge using the response C new enc , and computes the authentication code HIoTS then sends it to SN.
Step 2: SN generates the response and sends N 2 and V 2 to HIoTS.

IV. INFORMAL ANALYSIS AND COMPARISON
This section presents the informal analysis using intuitive reasoning to show that the scheme has achieved the security features. This section also compares the capabilities to withstand many kinds of attacks with the previous authentication protocols proposed by Gope and Hwang [10], Kothmayr et al. [15], and Porambage et al. [19].

A. Informal Analysis
This section presents the details of security feature analysis as follows.
1) Mutual Authentication: All parties identify the other parties by the possession of the shared key $K_{ch}$ and the secret key $k_s$ generated from the response, and respectively check the nonces $N_s$, $N_h$, and $N_c$ to ensure freshness. Therefore, our scheme achieves mutual authentication.
2) Sensor Anonymity and Untraceability: In our scheme, the sensor uses a one-time pseudonym $PID_{sh}$ to communicate with HIoTS. The attacker cannot obtain the real identity, even when the attacker intercepts all messages in a public channel. Additionally, even if the attacker captures the device and obtains $PID_{sh}$, our scheme still preserves privacy because $PID_{sh}$ is updated every session and protected by $h(ID_s \| k_s)$, where $k_s$ and $ID_s$ are secret, so the attacker cannot obtain $h(ID_s \| k_s)$ or the new $PID_{sh}$ from the device. Therefore, our scheme achieves sensor anonymity and untraceability.
3) Perfect Forward and Backward Secrecy: Even if the attacker steals the sensor, obtains all data from the sensor, and intercepts all messages from a public channel, the attacker cannot get either past or future responses. Therefore, this proposed protocol achieves perfect forward and backward secrecy.
4) Resolved Synchronization Loss Problems: If a synchronization loss occurs, the sensor replaces $PID_{sh}$ by $pid_1$, the home IoT server replaces $C_s$ by $c_1$, and the sensor generates $r_1 = PUF(c_1)$ and $k_1 = FE.Rec(r_1, hd_1)$. The steps then run the same as the authentication phase; subsequently, the sensor deletes $pid_1$ from $PID_{Syn} = \{pid_1, pid_2, \ldots, pid_n\}$. Our protocol still operates and completes the task even if desynchronization occurs. Therefore, our scheme resolves the synchronization loss problem.
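The pseudonym handling described in items 2) and 4) above, as an added example rather than the authors' code: a one-time pseudo-identity, its update masked with h(ID_s || k_s), and the fall-back to pid_1 after a lost reply. The request tag `h(PID, nonce, ID_s, k)`, the class and function names, and the byte-string keys (which stand for the values the sensor would rebuild with PUF and FE.Rec) are assumptions, since the protocol's message formats are not reproduced on this page.

```python
import hashlib
import hmac
import secrets


def h(*parts):
    """One-way hash over length-prefixed parts, standing in for h(a || b || ...)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(2, "big") + part)
    return digest.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeServer:
    """HIoTS side: maps every valid one-time pseudonym to (ID_s, key)."""

    def __init__(self):
        self.by_pid = {}
        self.current = {}                      # ID_s -> pseudonym issued last

    def register(self, id_s, pid_sh, k_s, sync_pairs):
        self.by_pid[pid_sh] = (id_s, k_s)
        self.current[id_s] = pid_sh
        for pid_i, k_i in sync_pairs:          # PID_Syn and the keys behind C_Syn
            self.by_pid[pid_i] = (id_s, k_i)

    def authenticate(self, pid, nonce, tag):
        record = self.by_pid.get(pid)
        if record is None:                     # unknown or already used pseudonym
            return None
        id_s, key = record
        if not hmac.compare_digest(tag, h(pid, nonce, id_s, key)):
            return None
        del self.by_pid[pid]                   # a pseudonym is accepted only once
        self.by_pid.pop(self.current.get(id_s), None)  # drop one orphaned by a lost reply
        pid_new = secrets.token_bytes(32)
        self.by_pid[pid_new] = (id_s, key)
        self.current[id_s] = pid_new
        return xor(pid_new, h(id_s, key))      # PID_new XOR h(ID_s || k_s)


class Sensor:
    def __init__(self, id_s, pid_sh, k_s, sync_pairs):
        self.id_s, self.pid = id_s, pid_sh
        self.key = k_s                         # stands for FE.Rec(PUF(C_s), hd_s)
        self.sync = list(sync_pairs)           # PID_Syn with the keys FE.Rec would give

    def request(self):
        nonce = secrets.token_bytes(16)
        return self.pid, nonce, h(self.pid, nonce, self.id_s, self.key)

    def accept(self, masked_pid):
        self.pid = xor(masked_pid, h(self.id_s, self.key))

    def resynchronise(self):
        """No reply arrived: switch to pid_1 and delete it from PID_Syn."""
        self.pid, self.key = self.sync.pop(0)


def run_scenario():
    # All identities, keys and pseudonyms below are constructed sample values.
    id_s = b"constructed-sensor-07"
    k_s, pid0 = secrets.token_bytes(32), secrets.token_bytes(32)
    sync = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(3)]
    server, sensor = HomeServer(), Sensor(id_s, pid0, k_s, sync)
    server.register(id_s, pid0, k_s, sync)
    on_air = []                                # pseudonyms an eavesdropper sees

    def send():
        message = sensor.request()
        on_air.append(message[0])
        return message

    m1 = send()                                # session 1: normal run
    masked = server.authenticate(*m1)
    sensor.accept(masked)
    replay = server.authenticate(*m1)          # the captured M1 is sent again

    server.authenticate(*send())               # session 2: reply never arrives
    sensor.resynchronise()                     # sensor times out and uses pid_1
    sensor.accept(server.authenticate(*send()))
    final = server.authenticate(*send())       # session after recovery

    return {
        "replay_accepted": replay is not None,
        "masked_hides_next_pid": masked not in on_air,
        "pseudonyms_all_distinct": len(set(on_air)) == len(on_air),
        "recovered_after_desync": final is not None,
        "fallbacks_left": len(sensor.sync),
        "server_entries": len(server.by_pid),
    }


if __name__ == "__main__":
    print(run_scenario())
```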

B. Attack Analysis
This section presents the details of the attack analysis as follows.
1) Withstanding From Impersonation Attack: The attacker cannot reveal a future response even if the attacker steals the sensor; hence, the attacker cannot impersonate the sensor. Therefore, our proposal withstands impersonation attacks.
2) Withstanding From Replay Attack: In our scheme, every message is updated in every session. For example, if an attacker intercepts a message such as $M_1$ in a public channel and resends $M_1$, HIoTS will easily detect it based on $PID^{new}_{sh}$ and a new nonce.
3) Withstanding From Cloning Attack: In our scheme, the sensor is equipped with PUF; therefore, our protocol withstands a cloning attack.

4) Withstanding From DoS Attack:
The evidence that our protocol withstands DoS attacks is as follows. For instance, the attacker sends a large amount of data, and desynchronization occurs. Our protocol uses a synchronization set (challenge and pseudo-identity); hence, our protocol still operates and completes the task even if desynchronization occurs. Therefore, we argue that our protocol withstands a DoS attack.

5) Withstanding From Tracking Attack:
Based on the achievement of the sensor's anonymity and untraceability, our protocol can withstand a tracking attack.
6) Withstanding From Machine-Learning Attack: The evidence is that our protocol resists the machine-learning attack; the device in our protocol is equipped with weak PUF, and it can avoid machine-learning attacks [26], [27]. In addition, our protocol updates challenge-response in every session. Even if the attacker eavesdrops on all messages from the public channel, including the challenge, the attacker cannot generate the new {challenge, response} as material to conduct a machine-learning attack. Therefore, our protocol resists the machine-learning attack.

C. Comparison
This section presents a comparison between our proposed scheme with the previous protocol authentication offered by Gope and Hwang [10], Kothmayr et al. [15], Porambage et al. [19], and Aman et al. [37] in terms of security features and capability to resist attack. The comparison is presented in the table below. Table II shows that the scheme of Kothmayr et al. [15] fails to achieve all security features of SF1-SF5. The scheme of Porambage et al. [19] fails to achieve SF2, SF3, and SF5, but their scheme achieves SF1 and SF4. The authentication protocol of Gope and Hwang [10] has the security features of SF1, SF2, and SF4 but does not achieve SF3 and SF5. Aman et al. [37] achieved SF1 and SF5 but did not achieve SF2, SF3, and SF4. Only our protocol can achieve all security features (SF1-SF5).

V. PERFORMANCE ANALYSIS AND COMPARISON
This section presents a comparison between our proposed scheme with the previous authentication protocols proposed by Gope and Hwang [10], Kothmayr et al. [15], and Porambage et al. [19] in terms of computational complexity and execution time of the cryptographic operations. The comparison is presented in Table III. We have conducted a simulation on a virtual machine using the Operating System of Linux Ubuntu 20.4.1 Intel core i7  [31], [39], while RSA refers to the scheme [15], [40], the AES and MAC refer to [37], and the ECC based on [19], [41], and our simulation use Java Cryptography Architecture (JCA) library [42].
The execution time for each cryptography algorithm is as follows (as shown in Table III
In the scheme of Kothmayr et al. [15], the computational complexity of the sensor is $T_{cert\ gen/ver} + T_{RSA}$, CH is N/A, HIoTS is $T_{cert\ gen/ver} + T_{RSA}$, and the total result is 80.754 s. Meanwhile, in the scheme of Porambage et al. [19], the computational complexity of the sensor is $T_{cert\ gen/ver} + 2T_h + T_{mp}$, CH is $T_{cert\ gen/ver} + T_h$, HIoTS is $T_h$, and the total result is 60.126 s. In Gope and Hwang [10], the sensor has the computational complexity $4T_h$, CH has $2T_h$, HIoTS has $4T_h$, and the total result is 1.898 s. In our scheme, the sensor has $T_{FE.Rec} + T_{PUF} + 4T_h$, CH has $2T_H$, HIoTS has $T_{FE.Gen} + 3T_H$, and the total result is 8.614 s. In the protocol of Aman et al. [37], HIoTS has the computational complexity $2T_{SD} + 2T_{SE} + 4T_{MAC} + 2T_H$, the cluster head is N/A, the sensor has $2T_{PUF} + 2T_{SD} + T_{SE} + 3T_{MAC} + T_H$, and the total computational time is 24.657 s.
The diagram in Fig. 4 shows that our protocol has a lower execution time than the schemes of Kothmayr et al. [15], Porambage et al. [19], and Aman et al. [37]. Hence, our protocol has a low execution time and fulfills the achievement of all security features of SF1-SF5.

VI. FORMAL ANALYSIS USING BAN LOGIC
This section directly explains our proof of secure mutual authentication under BAN logic. The detailed theory of BAN logic is given in [43]. The formal analysis of our protocol is as follows.

A. Ideal Protocol
We have created the ideal protocol and omitted the first process.

B. Logical Formula
This section presents the logical formula as follows.

C. Goal
This section presents the goals as follows.

D. Assumption
This section presents the assumptions as follows.

E. Proof Protocol Analysis Using BAN Logic
Proof 1: Based on Step 2, the message meaning of A1 is obtained as follows shown in the equation at the top of the next page.
Because HIoTS believes that HIoTS and SN share a private identity, HIoTS sees that $\{PID_{sh}, N_s, ID_h\}_{ID_s}$ is recognized by the identity of the sensor $ID_s$, and SN believes that HIoTS once said $(PID_{sh}, N_s, ID_h)$.
Proof 2: Using Proofs 1 and A2, the freshness is obtained as follows: N s , (PID sh , N s , ID h )) . (N s , (PID sh , N s , ID h )) are fresh.

Because HIoTS believes that N s is fresh, HIoTS believes
Proof 3: Using Proof 2, the nonce verification is obtained as follows shown in the equation at the top of the next page.
Because HIoTS believes that SN once said $(PID_{sh}, N_s, ID_h)$ and HIoTS believes that $N_s$ is fresh, HIoTS believes that $(N_s, (PID_{sh}, N_s, ID_h))$ are fresh.
Proof 4: Using Proof 3, the belief rules are obtained as follows: Because HIoTS believes that SN once said $(N_s, (PID_{sh}, N_s, ID_h))$ and HIoTS believes that $N_s$ is fresh, HIoTS believes that SN believes $(N_s, (PID_{sh}, N_s, ID_h))$

Because HIoTS believes that SN believes $(N_s, (PID_{sh}, N_s, ID_h))$, HIoTS believes that SN believes $(PID_{sh}, N_s, ID_h)$.
Proof 5: Based on Step 2, the message meaning of A3 is obtained as follows shown in the equation at the top of the next page.
Because HIoTS believes that CH and HIoTS share key K ch , HIoTS sees that ({ID ch Proof 6: Using Proofs 5 and A4, the freshness is obtained as follows:

Because HIoTS believes that N c is fresh, HIoTS believes
Proof 7: Using Proof 6, the nonce verification is obtained as follows shown in the equation at the top of the next page.
Because HIoTS believes that CH once said $(ID_{ch}, N_c, \{PID_{sh}, N_s, ID_h\}_{ID_s})$, HIoTS believes that $N_c$ is fresh, and HIoTS believes that $(N_c, (ID_{ch}, N_c, \{PID_{sh}, N_s, ID_h\}_{ID_s}))$ are fresh.
Proof 8: Using Proof 7, the belief rules are obtained as follows shown in the equation at the top of the next page.
Because HIoTS believes that CH once said $(N_c, (ID_{ch}, N_c, \{PID_{sh}, N_s, ID_h\}_{ID_s}))$, HIoTS believes that $N_c$ is fresh, and HIoTS believes that CH believes $(N_c, (ID_{ch}, N_c, \{PID_{sh}, N_s, ID_h\}_{ID_s}))$ as shown in the equation at the top of the next page.
Because HIoTS believes that CH believes (N c , (ID ch , N c , {PID sh , N s , ID h } ID s )) and HIoTS believe that CH believes (ID ch , N c , {PID sh , N s Proof 9: Based on step 3, the message meaning of A5 is obtained as follows shown in the equation at the bottom of the next page.
Because CH believes that CH and HIoTS share key K ch , CH sees that . Proof 10: Using Proofs 9 and A6, the freshness is obtained as follows: ) are fresh. Proof 11: Using Proof 10, the nonce verification is obtained as follows shown in the equation at the bottom of the next page.
Because CH believes that HIoTS once said (N c , Proof 12: Using Proof 7, the belief rules are obtained as follows shown in the equation at the bottom of the next page. Because CH believes that HIoTS once said  N s , (PID sh , N s , ID h )) Because SN believes that HIoTS believes (N s , N h , (PID new sh , N h ,C s )), SN believes that HIoTS believes (PID new sh , N h , C s ). Based on formal analysis using the BAN logic and referring to Goals 1-4, our scheme achieves secure mutual authentication between SN, current CH (CCH), and HIoT. Therefore, all parties recognize the other party's identity by possessing the shared key K ch , k s and checking freshness based on N s , N h , and N c .

VII. ANALYSIS FORMALLY USING THE ROR MODEL
In this section, we have also proven the security analysis formally using the RoR model. The analysis results are as follows.
Our RoR model has three participants: SN (SN i ), current CH (CCH i ), and HIoTs as follows.
1) Participants: $\pi^{sn}_{SN_i}$, $\pi^{cch}_{CCH_i}$, and $\pi^{hiots}_{HIoTs}$ are the oracles of sn, cch, and hiots related to SN ($SN_i$), current CH ($CCH_i$), and HIoT.
2) Partnering: The partnering is achieved if and only if two conditions are fulfilled: 1) communication between $\pi^{sn}_{SN_i}$ and $\pi^{hiots}_{HIoTs}$ is based on the communication session-id sid and 2) all messages transmitted between $\pi^{sn}_{SN_i}$ and $\pi^{hiots}_{HIoTs}$ are unique.
3) Freshness: The freshness is achieved if the adversary cannot divulge the session key SK between $\pi^{sn}_{SN_i}$ and $\pi^{hiots}_{HIoTs}$.
4) Adversary: The adversary $A$ has the capabilities of the Dolev-Yao (DY) adversary model [44], where the adversary can fully control the messages transmitted in the public channels. The adversary $A$ can perform eavesdropping, altering, deleting, and also accessing the queries as follows.
a) Execute($\pi^{sn}$, $\pi^{hiots}$): This query denotes that the adversary can intercept all communication in the public channels between SN and HIoTS. The model is called an eavesdropping attack.
b) Send($\pi^{sn}$, $m$): The adversary has the capability of sending a message to a participant, for example, $\pi^{sn}$, and can both receive and reply. This query is called an active attack.
c) CorruptSensor($\pi^{sn}$): The adversary captures the sensor and can extract the credentials stored in the sensor's memory; this is called a stolen or lost device/smart card attack.
d) Test($\pi^{sn}$, $\pi^{hiots}$): The semantic security is determined by establishing the session key SK between SN $\pi^{sn}$ and HIoTS $\pi^{hiots}$ by following the indistinguishability of the RoR model [45]. The adversary first tosses an unbiased coin $c$ and then results in an outcome of the toss. If $c = 1$ denotes the new share key is fresh, the adversary does not reveal ($\pi^{sn}$, $\pi^{hiots}$), the session key SK. Otherwise, if the new share key is not fresh, $\pi^{sn}$, $\pi^{hiots}$ returns a null and denotes the outcome of a random key.

1) Semantic Security of Session Key:
In the RoR model, the adversary must have the ability to distinguish between actual and random session keys. The adversary repeatedly runs Test() queries on $\pi^{sn}$ or $\pi^{hiots}$ and stores the testing result in a bit $c$. If $c' = c$, the adversary is the winner, where $c'$ represents the bit randomly guessed by the adversary. The ability of the adversary to break the semantic security of the authentication key agreement protocol $P$ in a specific time $t$ is defined as $Adv^{AKE}_{P,A}(t) = |2\Pr[SUCCESS] - 1|$, where SUCCESS represents the event that adversary $A$ wins the game.
2) Random Oracle: In our RoR model, the collision-resistant $h(\cdot)$ and secure $PUF(\cdot)$ can be accessed by the adversary and each participant.
3) Security Proof: By relying on the aforementioned Definitions 1-3 in Section II-C and acknowledging Zipf's law [46], Theorem 1 results in the semantic security of the proposed protocol as follows.
Theorem 1: Let the adversary run an attack on the proposed protocol $P$ in polynomial time under the RoR model. The user-chosen passwords based on Zipf's law [46], $l_1$ and $l_2$, are the bits in the secret key generated from the response, that is, $k_s$, and $ID_s$ is a secret user identity. The estimation of adversary advantage breaks the semantic security of the protocol and reveals a new share key between SN and HIoTS as follows: where $q_h$, $q_p$, and $q_s$ are, respectively, the numbers of Hash queries, PUF queries, and Send queries. $|Hash|$ is the range space of $h(\cdot)$, $|PUF|$ is the range space of $PUF(\cdot)$, and $C$ and $s$ are Zipf's parameters [46].
Proof: In this article, we adopt proofs similar to those presented by Gope et al. [47] and Roy et al. [48], [49]. $G_j$ denotes a sequence of five games, where $j \in [0, 4]$. The event that adversary $A$ succeeds in guessing the bit $c$ in game $G_j$ is represented by SUCCESS. The details of the games are as follows.
Game $G_0$: The game is considered an actual attack on protocol $P$ by adversary $A$ under the RoR model. The beginning of game $G_0$ is as follows:
Game $G_1$: Game 1 is an eavesdropping attack. Adversary $A$ activates Execute($\pi^{sn}$, $\pi^{hiots}$); hence, $A$ can intercept all transmitted messages, such as $M_1$: After that, adversary $A$ executes the test to verify whether the result is the actual secret response or a random number. In our protocol, the response is generated from the challenge, where $R_s = PUF(C_s)$, and keys are generated from the response, $k_s = FE.Rec(R_s, hd_s)$. Only a legitimate SN can compute $k_s$. Therefore, the probability of adversary $A$ winning in $G_1$ by an eavesdropping attack is not increased. Consequently, the results are as follows:
Game $G_2$: Game 2 simulates the Send $q_h$ and Hash $|Hash|$ queries by modeling an active attack, where adversary $A$ attempts to deceive the legitimate participants into accepting messages modified by adversary $A$. All transmitted messages $M^A_1$, $M^A_2$, $M^A_3$, and $M^A_4$ are constructed using responses, and no collision occurs when adversary $A$ activates the Send query $q_h$ with the help of the $h(\cdot)$ query (see Definition 1). Based on the birthday paradox, the result is as follows:
Game $G_3$: This game has a similar argument to $G_2$, but the difference between $G_3$ and $G_2$ is that $G_3$ simulates the Send and PUF queries. Based on the secure PUF in Definition 2, the relationship is as follows:
Game $G_4$: In this final game, the adversary activates CorruptSensor, where adversary $A$ can extract $PID_{sh}$ and $PID_{Syn}$ from the sensor. However, the adversary cannot obtain the identity and secret key. The probabilities of guessing the secret key $k_s$ of $l_1$ bits and the identity $ID_s$ of $l_2$ bits are $1/2^{l_1}$ and $1/2^{l_2}$, respectively [46]. In addition, the adversary can guess the password based on Zipf's law [46]. If the adversary only guesses the password, it has an advantage of > 0.5 when $q_s = 10^7$ or $10^8$ [46]. Therefore, if the attacker guesses the password based on the user's identity, the adversary has an advantage of > 0.5 when $q_s \le 10^6$ [46]. In actual conditions, the system does not allow many attempts with incorrect passwords. Therefore, the games $G_3$ and $G_4$ have to indicate nothingness of the guessing attack. Thus, the result is as follows:
In the final session, after activating the Test query, adversary $A$ must guess a bit $c$ to win game $G_4$. Therefore, the result is as follows: Based on (1), (2), and (6) We get the following result by applying the triangle inequality and using (3)-(5), as in (8), shown at the top of the page.
Finally, we get the necessary result by solving (7) and (8) $Adv^{AKE}_{P,A}(t) \le$

VIII. FORMAL ANALYSIS USING SCYTHER TOOL
This article also uses the Scyther tool as a formal analysis for validating the proposed protocol. The Scyther tool is developed based on Python programming to verify the protocol security [50], [51], [52], and [53]. This tool also follows the Dolev-Yao (DY) adversary model [44]. There are two steps for evaluating the protocol using this tool. In Step 1, the protocol is modeled in the Security Description Language (SPDL), and then in Step 2 the tool is run to show the protocol security claims. Fig. 5 is a verification result from the Scyther tool; it denotes that the Scyther tool cannot find an attack. Hence, it can be said that our protocol withstands various attacks based on the Scyther tool claims. Due to the limited size, this article does not show our protocol's programming model.

IX. CONCLUSION
This article proposes a new protocol by preserving the untraceable and unclonable sensor movement using the PUF to improve the security features and resolve the distributed IoT environment problems. Based on the informal analysis, our proposed scheme has fulfilled the security features, such as Mutual Authentication, Untraceability, Anonymity, and protection against impersonation attacks, as well as protection from cloning attacks (SF1-SF5). In addition, the formal analysis using the BAN logic ensures that our scheme achieves secure mutual authentication. The results of the RoR model and the Scyther tool show that our proposed scheme withstands various kinds of attacks as well as proves and strengthens our informal analysis. On the other hand, based on the computational complexity comparison, our protocol obtains a lower computational cost than the schemes proposed by Kothmayr et al. [15], Porambage et al. [19], and Aman et al. [37]. Therefore, our scheme is more suitable to be applied in the distributed IoT environment.

ACKNOWLEDGMENT
The author would like to thank the editors and all anonymous referees for their valuable inputs and suggestions.