Chaotic Map-Based Authentication and Key Agreement Protocol with Low-Latency for Metasystem

1  Introduction

With the arrival of 5G, the rapid development of artificial intelligence and cloud computing technology [1] has accelerated the realization of the metaverse. People can enter the virtual world and interact with others in the form of metaverse avatars [2] through virtual reality (VR) [3] headsets. This will change the organization and operation of existing societies by combining virtual reality. However, new challenges are also brought in protecting the privacy and security of the avatars. Different from the real world, the metaverse will not only face passive attacks and eavesdropping attacks but also more active attacks will be launched to gain the benefits of the virtual world. Therefore, preserving the security and privacy of the avatar [4] is a current issue that needs to be addressed urgently.

Identity verification is an essential part of either the real world or the metaverse. In the real world, authentication is also applied in multiple environments. Under the industrial IoT environment [5], the user and sensing device authenticate and negotiate a session key for communication. In the metaverse, users represent themselves virtually by creating avatars and can access a variety of services through these avatars. However, in the current metaverse environment, any user has the freedom to create any avatar as their virtual representative. This property provides an avenue for malicious users to create avatars and cause serious security issues during metaverse interactions. Therefore, it is essential to design an AKA protocol that allows users to securely access available services in the metaverse and remain safe against other security threats. In the metaverse, meta-users and virtual devices verify each other’s identity legitimacy and generate session key for communication transfer to protect the privacy of the users as well as the devices.

Although the metaverse can provide a variety of services, it is vulnerable to a variety of attacks that can threaten security. First, each communication in the metasystem may be maliciously attacked by an adversary. Attackers can illegally enter the virtual world of the meta-user or tamper with transmitted data by attacking the metasystem’s communication channels. In addition, performance is a significant aspect of the user experience, besides the security aspect. Ryu et al. [6] presented a mutual authentication scheme using Elliptic Curve Cryptography (ECC) to offer secure communication between users and servers as well as secure interactions between avatars and avatars of the platform. Thakur et al. [7] proposed a secure ECC-based authentication scheme utilizing a fuzzy extractor for more secure user-server and avatar-avatar interactions. However, the high computational cost of the above literature makes them unsuitable for deployment into the metaverse.

1.1 Main Contributions

To solve the above problems, a chaotic mapping-based AKA protocol is proposed to protect the privacy of metaverse avatars, which can achieve secure communication between VR headset and tactile devices. Biometric of metaverse user is adopted as one of the authentication factors to improve the security of metaverse avatars which can resist malicious impersonation of the avatar. Further, user anonymity is achieved even if the tactile device is corrupted without any valid information. Finally, the proposed protocol is analyzed through experimental simulations and the experimental results show that it can be applied to privacy protection for metaverse avatars with better performance. The main contributions are summarized as follows:

1. User anonymity is considered to resist malicious attackers or corrupted tactile devices impersonating metaverse avatars when logging into a VR headset. To ensure the legitimacy of the avatar, the VR headset needs to verify the user’s identity and complete collaboration with the tactile device. It means multi-party authentication needs to be completed between the user, headset, and tactile device before entering the metaverse. Based on the semi-group attribute of the Chebyshev polynomial, the session key is established after multi-party authentication. Malicious attackers cannot obtain user information from VR device communication even if launching Man-in-the-middle (MITM), impersonation, and forgery attacks.

2. The security of the session key established between the VR headset and tactile devices has been formally proven under the ROR model. Additionally, informal proofs substantiate its resilience against both passive and active attacks. This paper adopts the robust DY threat model to define the capabilities of the adversary. Malicious attacker not only has access to information stored locally in sensor-based VR tactile devices through powerful analysis but also has absolute control over the information transmitted on the public channel. Without loss of generality, impersonation attacks on users, edge nodes, and tactile devices are analyzed in Section 5.1. The analysis results show that the proposed protocol can protect the security and privacy of metaverse avatars effectively despite strong attackers.

3. To further verify that the protocol can protect the privacy and security of the avatar effectively, security was further analyzed using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. To provide a robust level of security for the proposed protocol, rigorous testing was performed using the AVISPA tool. This tool allowed us to simulate active attacks and thoroughly evaluate the protocol’s resistance to these attacks. The test results indicate that it provides efficient protection against replay and man-in-the-middle attacks. Based on the successful completion of these tests, it can be confidently asserted that the protocol is capable of withstanding a variety of active attacks and can offer a robust level of security for its intended use cases.

4. For security and performance, the proposed protocol is compared with related works and the result shows that the proposed protocol has better usability for Metasystem. The proposed protocol has undergone thorough analysis and comparison with other related works in terms of security and performance. The comparison results show that the proposed protocol has better usability, making it a more reliable and efficient means of authentication for secure communication in Metasystem. Overall, the comparison analysis highlights the strengths and advantages of the proposed protocol and confirms its potential as a leading solution in secure communication for Metasystem.

1.2 Related Works

Although the exploration and development of metaverse is still in the infancy phase, some works on metaverse [8,9] have already been proposed. Additionally, several works [10–14] have discussed security and privacy issues in the metaverse. As relevant technologies are deeply explored, research on the metaverse has involved multiple areas. Park et al. [15] discussed the three components involved in the metaverse and review representative applications in the metaverse in terms of user interaction, and implementation. Wang et al. [2] analyzed what security threats the metaverse will face in terms of security and privacy.

However, the issue of security in the metaverse has been of considerable concern. Rafique et al. [16] found that virtual reality systems work by presenting interactive views on head-mounted displays. To make virtual reality systems more secure, they also propose possible countermeasures. O’Brolcháin et al. [17] focused on two core ethical issues that may exist in virtual reality and social networks, namely threats to privacy (information printing, physical privacy, associative privacy) and threats to autonomy (freedom, knowledge, authenticity). They also proposed some countermeasures to address the threats to privacy. Falchuk et al. [18] concentrated on the technological underpinnings that contribute to an increased level of privacy for VR participants while immersed in social VR in their article.

Authentication is the first line of defense against access by illegal meta-users in the metaverse, which protects the meta-user’s avatar [19] from unauthorized intrusion, therefore authentication is an integral part of the metaverse. Yang et al. [20] proposed a two-factor authentication framework based on chameleon signature and biometric authentication to suggest a secure meta-universe environment. In addition, the authentication framework is shown to guarantee the consistency and traceability of virtual identities after security analysis. Yu et al. [21] proposed a multi-server-based authentication key agreement to protect the user’s private information, which can achieve user untraceability. Although it reduced the communication and computation overheads compared to partially related works. However, it transmits 7 times, which cannot effectively guarantee the freshness of the message. Zheng et al. [22] proposed a three-party authentication key agreement based on chaotic mapping, considering the security needs of real applications, in which user anonymity is achieved.

2  Preliminaries

In this section, descriptions of the preliminaries are given and the notations are illustrated in Table 1.

2.1 Fuzzy Extractor

Fuzzy extractor is widely accepted technique for extracting biometric characteristics. In this technique, it mainly contains generation and restoration functions. Now, we give the formal definitions of the two functions as follows:

GEN(BIO)→(σ,τ): GEN(⋅) is the generating function of the fuzzy extractor. When the biometric BIO is input, the function outputs a secret value σ about the biometric and a recovery parameter τ.

REP(BIO∗,τ)→σ: REP(⋅) is the restoration function of the fuzzy extractor. When the biometric BIO∗ and the recovery parameter τ are input, the function outputs the secret value σ∗ about the biometric BIO∗.

2.2 Chebyshev Chaotic-Map

Chebyshev chaotic-map is a chaotic mapping function for generating a pseudo-random sequence of numbers. The formal definitions of Chebyshev chaotic-map are given as follows:

Definition 1: Tr(p) represents the Chebyshev polynomial and is drawn up as Tr(p)=cos(n⋅cos−1(p)), where r is randomly sampled in Z+ and p∈[−1,1]. What’s more, Chebyshev polynomials satisfy the following characteristic.

1. Recursiveness: Tr(p)=2pTr−1(p)−Tr−2(p), where r≥2, T0(p)=1 and T1(p)=p.

2. Semi-group: Tm(Tr(p))=cos(m⋅cos−1(cos(r⋅cos−1(p))))=cos(mr⋅cos−1(p))=Tmr(p), where m,r←RZ+ and p∈[−1,1].

Definition 2: Chaotic-map discrete logarithm (CMDL): For a given number p∈[−1,1] and the related Chebyshev polynomial Tr(p), the CMDL problem confirms that it is hard for probabilistic polynomial time (PPT) adversary to compute r. In other words, the probability of an adversary A solving the CMDL problem in a finite time span is negligible.

AdvACMDL=Pr[A(p,Tr(p))=r]≤ε(1)

3  Formal Definition

3.1 System Model

Suppose a scenario exists where a patient has a sudden illness that requires surgery. However, specialized surgical treatment is not available where the patient is located. The relevant experienced physician can access the metasystem through the terminal and operate on the patient through the sensory device. Under the above scenario, there are three entities in the proposed metasystem communication network as shown in Fig. 1. The detailed description of each entity is given as follows.

Figure 1: System model

Meta-user (Mui): Meta-users access the meta-system and connect VR tactile devices by logging in to their VR headset device Vhi. Before Mu joined the metasystem, it needs to send registration information to the edge node to complete the registration through the secure channel. When the legitimate meta-user has successfully logged into the system, Vhi sends an authentication message to the edge node over the public channel.

Edge node (En): In this paper, En is responsible for offline-registration of Vtdj and online registration of Mu. When En received the authentication message from Vhi, En verifies its legitimacy and computes a novel authentication message to send to Vtdj. It is worth mentioning that edge node is assumed to be a trusted entity. This is sensible because the edge nodes are deployed by authorities in reality.

VR tactile device (Vtdj): Offline-registration is required to be completed through En before Vtdj can be deployed. When receiving an authentication message from En, Vtdj verifies its legitimacy and generates a novel authentication message to send to Vhi. Finally, the session key is generated between Vhi and Vtdj.

3.2 Adversary Model

In this paper, the popular DY adversary model is adopted, in which a strong adversary A is defined. The adversary has absolute control of the metasystem network under the DY model, specific capabilities are defined as follows.

Information transmitted over public channels can be obtained by adversaries, and even more can be deleted and modified. Notably, Vhi and Vtdj communicate on a public channel.

VR tactile devices in metasystem can be captured by A and information in the devices can be extracted by powerful analytical tool.

3.3 Security Model

We prove session key security under the widely-used ROR model, which is applied in formal proofs of many authentication protocols. The detailed description of the ROR security model is provided and shown as follows:

Participants. For better identification, the θ1th, θ2th and θ3th of Mui, En and Vtdj are defined as PMuiθ1, PEnθ2 and PVtdjθ3.

Acceptance. A participant Pθ is accepted if it enters the accepted state after receiving the final intended protocol message. The links of communication messages constitute the session identifiers.

Partnering. Two participants Pθ1 and Pθ2 are partners if they both meet the following conditions. 1) Pθ1 and Pθ2 are in the accepted state. 2) Pθ1 and Pθ2 completed mutual authentication and shared an identifier. 3) Pθ1 and Pθ2 are mutual partners.

Freshness. If the session key between Mui and Vtdj has not been obtained by an adversary A, the participants PMuiθ1 and PVtdjθ3 are fresh. A is assumed to have absolute control of the metasystem communication network. A can modify and delete information transmitted on the public channel and further access the following oracles.

Execute(PMuiθ1,PEnθ2,PVtdjθ3): A can obtain information about interactions between PMuiθ1, PEnθ2 and PVtdjθ3 in public channel through this oracle. A can launch an eavesdropping attack with this query.

Reveal(Pθ): A can obtain sk generated between Pθ and its partner through this oracle.

Send(Pθ,m): A can send m to the participant Pθ through this oracle and can further obtain a response related to m. A can launch an active attack with this query.

Corruptheadset(PMuiθ1): A can obtain all the parameters stored in the VR headset through this oracle. A can launch a VR headset device loss attack with this query.

Corruptheadset(PVtdjθ3): A can obtain all the parameters stored in the VR tactile device through this oracle. A can launch a VR tactile device loss attack with this query.

Guess(Pθ): A can obtain the semantic security of sk between Mui and Vtdj through this oracle. Before starting, a guess g∈{0,1} is output and sent to A. Pθ returns sk in case g=1 or a random number in case g=0 when sk is fresh. Otherwise, the output is ⊥.

4  Proposed Protocol

There are four phases in our protocol. We will give the detailed construction of each phase in this section. Before adding an entity to the meta-system, initialization and entity registrations need to be completed. Then, the session key is generated between the meta-user and the device after verifying each other’s identities. The update of the authentication factor is additionally considered to prevent privacy breaches due to loss of passwords. The detailed construction of each stage is shown as follows.

4.1 Initial Phase

First of all, En will start to initiate the metasystem and pre-deploy for VR tactile devices. Vtdj selects the device identifier IDVtdj and generates random number cj. Then, the pseudo-identifier PVDj=H(IDVtdj‖cj) is computed by Vtdj and sent to En. For each PVDj, En chooses a long-term secret γj and computes H(α‖γj), where α is En’s master key and H(α‖γj) is sent to Vtdj as a response over the secure channel. Meanwhile, En stores <PVDj,H(α‖γj),p> in local database, where p is the public parameter chosen by En.

4.2 Offline-Registration Phase

Meta-user access to the metaverse via a VR headset means that the legitimate meta-user needs to complete meta-user registration to gain permission. As shown in Fig. 2, the offline registration phase for meta-users can be divided into the following 3 steps.

Figure 2: Meta-user registration

Step 1: Vhi chooses IDi, PWi and reads retinal biometrics of meta-users BIOi, after which the random numbers ai and bi are further generated. Then, Vhi computes GEN(BIOi)=(σi,τi), RIDi=H(IDi‖σi‖ai) and RPWi=H(IDi‖σi‖ai). Meta-user registration information {RIDi,RPWi} is sent to En via the secure channel.

Step 2: After receiving the registration message from Vhi, En selects the long-term secret βi and computes Ai=RPWi⊕RIDi⊕H(α‖βi). As a registration response, {Ai,p} is sent to Vhi through the secure channel. Notably, <RIDi,H(α‖βi)> is likewise stored in En’s database.

Step 3: Vhi computes Bi=ai⊕H(IDi‖PWi), Ci=bi⊕H(σi‖ai) and Di=H(IDi‖PWi‖σi‖bi) when receiving Ai from En. Then, the information {Ai,Bi,Ci,H(⋅),GEN(⋅),REP(⋅),τi,p} associated with IDi is stored in Vhi’s database.

4.3 Login and Authentication Phase

Once the meta-user wants to access the metaverse and collaborate with the VR tactile devices, a secure session key needs to be established between Vhi and Vtdj. Before establishing the session key, authentication is required to prevent attackers from obtaining private information about the meta-user. As shown in Fig. 3, the login and registration phase can be divided into the following 7 steps.

Figure 3: Login and authentication

Step 1: Vhi computes σi∗=REP(BIOi,τi), ai∗=Bi⊕H(IDi‖PWi), bi∗=Ci⊕H(σi∗‖PWi) and Di∗=H(IDi‖PWi‖σi∗‖bi∗), when meta-user inputs IDi, PWi and BIOi. Vhi verifies whether Di∗=Di holds, where Di is the information stored in Vhi’s database associated with IDi.

Step 2: If the above equation holds, Vhi computes RIDi∗=H(IDi‖σi∗‖ai∗), RPWi∗=H(PWi‖bi∗), Ai∗=Ai⊕RPWi∗⊕RIDi∗, Ei=Ai∗⊕Tri(p) and Fi=H(Ei‖RIDi∗‖Ai∗‖Tri(p)‖T1), where ri is randomly chosen by Vhi and T1 is the timestamp. After the computation is completed, the authentication information {Ei,RIDi∗,Fi,T1} is sent to En through the public channel.

Step 3: En verifies whether |T1 ′−T1|≤ΔT holds when receiving {Ei,RIDi∗,Fi,T1} from Vhi. If the above equation holds, En computes Tri∗(p)=Ei⊕H(α‖βi) and Fi∗=H(Ei‖RIDi∗‖H(α‖βi)‖Tri∗(p)‖T1). Then, En verifies whether Fi∗=Fi holds when Fi∗ has been computed.

Step 4: If the above equation holds, En computes Gj=RVDj⊕Tri∗(p), Kj=H(H(α‖βi)‖Tri∗(p))⊕nj, Xj=H(α‖βi)⊕nj and Lj=H(Gj‖Kj‖RVDj‖Tri∗(p)‖nj‖T2), where nj is randomly chosen by En and T2 is the timestamp. After the computation is completed, the authentication information {Gj,Kj,Xj,Lj,T2} is sent to Vtdj through the public channel.

Step 5: Vtdj verifies whether |T2 ′−T2|≤ΔT holds when receiving {Gj,Kj,Xj,Lj,T2} from En. If the above equation holds, Vtdj computes Tri∗(p)=Gj⊕RVDj∗, nj∗=Xj⊕H(α∗‖γj∗) and Lj∗=H(Gj‖Kj‖RVDj∗‖Tri∗(p)‖nj∗‖T2). Then, Vtdj verifies whether Lj∗=Lj holds when Lj∗ has been computed.

Step 6: If the above equation holds, Vtdj computes Kj∗=Kj⊕nj∗, RVDjnew=Kj∗⊕H(IDVtdj‖cjnew), Mj=H(RIDi∗‖Tri∗(p))⊕Tmj∗(p), sk=H(RIDi∗‖RVDjnew‖Kj∗‖Tmj(Tri∗(p))‖T3) and Vj=H(Mj‖RVDjnew‖sk‖T3), where mj is randomly chosen by En and T3 is the timestamp. After the above parameters have been calculated, Vtdj replaces RVDj by RVDjnew in Vtdj’s database and sends {Mj,Vj,RVDjnew,T3} to Vhi through the public channel.

Step 7: Vhi verifies whether |T3 ′−T3|≤ΔT holds when receiving {Mj,Vj,RVDjnew,T3} from Vhi. If the above equation holds, Vhi computes Tmj∗(p)=Mj⊕H(RIDi∗‖Tri(p)), RVDjnew∗=RVDjnew⊕H(H(α‖βi)‖Tri(p)), sk∗=H(RIDi∗‖RVDjnew∗‖H(H(α‖βi)‖Tri(p))‖Tri(Tmj∗(p))‖T3), and Vj∗=H(Mj‖RVDjnew‖sk∗‖T3). After the above parameters have been calculated, Vhi verifies whether Vj∗=Vj holds. If so, Vhi stores sk∗.

4.4 Factors Update Phase

Considering the practical needs of users who have lost their passwords or whose biometrics need to be updated, factors update is also designed. As shown in Fig. 4, the factors update phase can be divided into the following 3 steps.

Figure 4: Factors update

Step 1: Vhi computes σi∗=REP(BIOi,τi), ai∗=Bi⊕H(IDi‖PWi), bi∗=Ci⊕H(σi∗‖PWi) and Di∗=H(IDi‖PWi‖σi∗‖bi∗), when meta-user inputs IDi, PWi and BIOi. Vhi verifies whether Di∗=Di holds, where Di is the information stored in Vhi’s database associated with IDi.

Step 2: Vhi computes GEN(BIOinew)=(σinew,τinew), Binew=Bi⊕H(IDi‖PWi)⊕H(IDi‖PWinew) Ainew=Ai⊕H(IDi‖σinew‖ai)⊕H(PWi‖bi)⊕H(IDi‖σinew‖ai)⊕H(PWinew‖bi), Cinew=Ci⊕H(σi‖ai)⊕H(σi‖ai) and Dinew=H(IDi‖PWinew‖σinew‖bi).

Step 3: Replace Ai,Bi,Ci,Di by Ainew, Binew, Cinew and Dinew in Vtdj’s database when the above computation is completed.

5  Security Analysis

In this section, formal and informal proofs are given to prove security. The detailed proofs are described as follows.

5.1 Formal Proof

Assume that A is the PPT adversary to break our protocol. qs, qh, |Hash|, |D|, and l denote the number of Send query, the number of Hash oracle, the range space of h(), the size of the password dictionary D, and bits of σi, respectively.

Theorem 1: The advantage of A in breaking the sk security be shown as follows:

Adv𝒜(PPT)≤qh2|Hash|+qs2l−1⋅|D|+2AdvACMDL(PPT)(2)

Proof. We prove Theorem 1 through five games, which are described in detail as follows.

Game0: In Game0, real attack is launched by A breaking our protocol under the ROR model. Then, the probability for A prevailing in Game0 is summarized as follows:

Adv𝒜(PPT)=|2AdvGame0−1|(3)

Game1: Game1 is simulated as an eavesdropping attack. In Game1, A can obtain the authentication information {Ei,RIDi∗,Fi,T1}, {Gj,Kj,Xj,Lj,T2} and {Mj,Vj,RVDjnew,T3} transmitted over the public channel by accessing the Execute(PMuiθ1,PEnθ2,PVtdjθ3). Then, A visits Guess(Pθ) oracle to verify whether sk established between Vhi and Vtdj is a session key or a random number, where sk=H(RIDi∗‖RVDjnew∗‖H(H(α‖βi)‖Tri(p))‖Tri(Tmj∗(p))‖T3), RVDjnew=Kj∗⊕H(IDVtdj‖cjnew), Kj∗=Kj⊕nj∗, Kj=H(H(α‖βi)‖Tri∗(p))⊕nj and Tmj∗(p)=Mj⊕H(RIDi∗‖Tri(p)). A needs to obtain H(α‖βi), IDVtdj, nj and cjnew to forge sk. However, the information exposed on public channels did not leak these parameters. Therefore, A will not increase the probability of winning through Game1. Then, the probability for A prevailing in Game1 is summarized as follows:

AdvGame1=AdvGame0(4)

Game2: In Game2, A can access the Send(Pθ,m) and Hash oracle compared to Game1. It means that A can launch an active attack through these oracles in this game, attempting to fabricate messages to blind the participants. Although A can launch a hash query to verify the collision, each parameter contains random numbers, IDi, PWi and secrets associated with En. However, the information exposed on public channels did not leak these parameters. Therefore, A will not increase the probability of collision through Game2. Then, the probability for A prevailing in Game2 is summarized as follows:

|AdvGame2−AdvGame1|≤qh22|Hash|(5)

Game3: In Game3, A can access the Corruptheadset(PVtdjθ3) oracle compared to Game2. A can access information {Ai,Bi,Ci,H(⋅),GEN(⋅),REP(⋅),τi,p} in Vhi which is related to Meta-user, where Ai=RPWi⊕RIDi⊕H(α‖βi), Bi=ai⊕H(IDi‖PWi), Ci=bi⊕H(σi‖ai) and Di=H(IDi‖PWi‖σi‖bi). A needs to know the temporary secret ai, σi and bi to guess IDi and PWi. Assume that A can guess incorrectly at most qs times and the probability for A prevailing in Game3 is summarized as follows:

|AdvGame3−AdvGame2|≤qs2l⋅|D|(6)

Game4: In Game4, A tries to compute sk by analyzing the captured {Ei,RIDi∗,Fi,T1}, {Gj,Kj,Xj,Lj,T2} and {Mj,Vj,RVDjnew,T3} and solving the CMDL. A needs to get Tri(Tmj(x)) and H(H(α‖βi)‖Tri(p)) to compute sk=h(CIDj∥Ts(Tu(x))∥TS3∥v∗), where ri and mj are respectively chosen by Vhi and Vtdj. It is clear from the above computations that A is difficult to compute Tri(Tmj(p)) without ri and mj even if it obtains p. Therefore, it requires A to solve the CMDL to obtain ri and mj from Tri(p) and Tmj(p), respectively. Then, the probability for A prevailing in Game4 is summarized as follows:

|AdvGame4−AdvGame3|≤AdvACMDL(PPT)(7)

A makes a guess g after accessing Guess(Pθ) oracle. Then, the probability for A prevailing in Game4 is summarized as follows:

AdvGame5=1/2(8)

The probabilities from Game0, Game1 and Game4 can be derived using the following expression:

12AdvA(PPT)=|AdvGame0−1/2|=|AdvGame1−AdvGame4|(9)

Through the trigonometric inequality, we can obtain the following equation:

|AdvGame2−AdvGame5|≤qh22|Hash|+qs2l⋅|D|+AdvACMDL(PPT)(10)

Finally, Theorem 1 can be proved from the above equation and the final conclusion drawn.

Adv𝒜(PPT)=2|AdvGame1−AdvGame4|≤qh2|Hash|+qs2l−1⋅|D|+2AdvACMDL(PPT)(11)

5.2 Informal Proof

Privileged-insider attack. In the meta-user registration phase, Vhi sends RIDi,RPWi to En to complete registration, where RIDi=H(IDi∥σi∥ai) and RPWi=H(PWi∥bi). Assume that there exists an internal adversary A who has obtained RIDi,RPWi, and that it is unable to obtain IDi and PWi from RIDi,RPWi without ai and bi. Additionally, PWi and σi are just as impossible to be stolen due to the one-way character of H(⋅). Overall, the proposed protocol will not leak any user-related information under the privileged-insider attack.

Anonymity and untraceability. As shown in Section 4.3, information {Ei,RIDi∗,Fi,T1}, {Gj,Kj,Xj,Lj,T2} and {Mj,Vj,RVDjnew,T3} exposed on the public channel without leaking credentials about meta-user. Similarly, the messages stored in the database of Vhi have not disclosed the credentials of the meta-user. Assume that A can launch an eavesdropping attack to obtain {Ei,RIDi∗,Fi,T1}, {Gj,Kj,Xj,Lj,T2} and {Mj,Vj,RVDjnew,T3}. However, A wants to get the IDi which requires obtaining the secret H(α‖βi), H(α‖γj) and the numbers ri, nj, mj and cjnew chosen randomly by Vhi, En and Vtdj. Finally, {Ei,RIDi∗,Fi,T1}, {Gj,Kj,Xj,Lj,T2} and {Mj,Vj,RVDjnew,T3} transmitted on the public channel is the result of the computation of H(⋅), and it is difficult for A to recover the IDi. Therefore, the proposed protocol can achieve anonymity and untraceability.

Stolen headset attack. Assume the headset Vhi of meta-user is stolen by A and the information {Ai,Bi,Ci,H(⋅),GEN(⋅),REP(⋅),τi,p} stored in Vhi ′s database is captured, where Ai=RPWi⊕RIDi⊕H(α‖βi), Bi=ai⊕H(IDi‖PWi), Ci=bi⊕H(σi‖ai), Di=H(IDi‖PWi‖σi‖bi), {H(⋅),GEN(⋅),REP(⋅)} are one-way functions. From the above information, A who guesses the IDi and PWi correctly needs to know ai and bi. However, A wants to recover the correct ai from Bi will need IDi and PWi. Therefore, A cannot guess IDi and PWi correctly from the information stored in Vhi. In summary, the proposed protocol can resist stolen headset attack.

Replay attack. Assume A captures and replies the messages {Ei,RIDi∗,Fi,T1}, where Ei=H(α‖βi)⊕Tri(p), RIDi∗=H(IDi‖σi∗‖ai∗) and Fi=H(Ei‖RIDi∗‖Ai∗‖Tri(p)‖T1). However, timestamp T1 will be verified by the setting threshold △T and A cannot calculate sk∗=H(RIDi∗‖RVDjnew‖H(H(α‖βi)‖Tri(p))‖Tri(Tmj∗(p))‖T3) without ri, nj, mj and cjnew. Therefore, it can resist replay attack.

MITM attack. Assume A can launch the MITM attack to capture information {Ei,RIDi∗,Fi,T1}, {Gj,Kj,Xj,Lj,T2} and {Mj,Vj,RVDjnew,T3} and attempt to impersonate a valid entity. In the case of {Ei,RIDi∗,Fi,T1}, A modifies it in an attempt to trick En into believing that A is a legitimate user. It means that A needs to forge Ei=H(α‖βi)⊕Tri(p), RIDi∗=H(IDi‖σi∗‖ai∗) and Fi=H(Ei‖RIDi∗‖Ai∗‖Tri(p)‖T1). Although A can select ri∗ and compute Tri∗(x), A cannot forge Ei=H(α‖βi)⊕Tri∗(p) and RIDi∗=H(IDi‖σi∗‖ai∗) without H(α‖βi) and ai∗. The same is true for other authentication information, A entities cannot be authenticated without knowing the long-term secret values.

Mutual authentication. In metasystem, Vhi, En and Vtdj verify each other’s legitimacy. First, En verifies the legitimacy of Vhi by checking whether Fi∗=Fi holds, where Fi=H(Ei‖RIDi∗‖Ai∗‖Tri(p)‖T1). Then, Vtdj verifies the legitimacy of En by checking whether Li∗=Li holds, where Li=H(Gj‖Kj‖RVDj‖Tri∗(p)‖nj‖T2). Finally, Vhi verifies the legitimacy of Vtdj by checking whether Vi∗=Vi holds, where Vi=H(Mj‖RVDjnew‖sk‖T3).

Meta-user impersonation attack. Assume A steals the headset Vhi of the meta-user and accesses the information {Ai,Bi,Ci,H(⋅),GEN(⋅),REP(⋅),τi,p} in the local database through powerful analytical tools. Further, A intercepts {Ei,RIDi∗,Fi,T1} sent by Vhi to En and tries to forge a valid message to fool En into believing it is a legitimate Meta-user. It means that A needs to forge Ei=Ai∗⊕Tri(p), RIDi∗=H(IDi‖σi∗‖ai∗) and Fi=H(Ei‖RIDi∗‖Ai∗‖Tri(p)‖T1), where Ai∗=H(α‖βi) and ai∗=Bi⊕H(IDi‖PWi). Although A can generate ri∗ randomly and compute Tri∗(p), the valid secret A∗=H(α‖βi) and PIDi∗=H(IDi‖σi∗‖ai∗) cannot be calculated without IDi, σ, α and βi. More importantly, the forged H(α∗‖βi∗) cannot be verified by En. Therefore, it can resist Meta-user impersonation attack effectively.

Edge node impersonation attack. Assume A intercepts {Gj,Kj,RIDi∗,Lj,T2} sent by En to Vtdj and tries to forge a valid message to fool Vtdj into believing it is a legitimate edge node. It means that A needs to forge Gj=RVDj⊕Tri∗(p), Kj=H(H(α‖βi)‖Tri∗(p))⊕nj, Xj=H(α‖γj)⊕nj and Lj=H(Gj‖Kj‖RVDj‖Tri∗(p)‖nj‖T2), where RVDj=H(IDVtdj‖cj) and nj=Xj⊕H(α‖γi). Although A can generate nj∗ randomly, the valid secret Xj=H(α‖γj)⊕nj and Kj=H(H(α‖βi)‖Tri∗(p))⊕nj cannot be calculated without α, βi, and γj. More importantly, the forged H(α∗‖γj∗) cannot be verified by Vtdj. Therefore, it can resist Edge node impersonation attack effectively.

Tactile device impersonation attack. Assume A intercepts {Mj,Vj,RVDjnew,T3} sent by Vtdj to Vhi and tries to forge a valid message to fool Vhi into believing it is a legitimate tactile device. It means that A needs to forge Mj=H(RIDi∗‖Tr∗), Kj=H(H(α‖βi)‖Tri∗(p))⊕nj, Xj=H(α‖γj)⊕nj and Lj=H(Gj‖Kj‖RVDj‖Tri∗(p)‖nj‖T2), where Kj∗=H(H(α‖βi)‖Tri∗(p)) and RVDjnew=H(H(α‖βi)‖Tri∗(p))⊕H(IDVtdj‖cjnew). Although A can generate mj∗ randomly and compute Tmj∗∗(p), the valid secret Kj∗=H(H(α‖βi)‖Tri∗(p)) cannot be calculated without α, and βi. More importantly, the forged H(α∗‖βj∗) cannot be verified by Vhi. Therefore, it can resist Tactile device impersonation attack effectively.