An efficient anonymous authentication and key agreement scheme with privacy-preserving for smart cities

Internet of Things devices are responsible for collecting and transmitting data in smart cities, helping smart cities realize their potential. As Internet of Things devices become increasingly connected to smart cities, security and privacy have become important issues. Recent research on mitigating the security challenges of Internet of Things devices in smart cities has mainly focused on authentication. However, most existing authentication protocols ignore the trustworthiness evaluation of Internet of Things devices in smart cities. Considering that trustworthiness evaluation is an important constituent of data source authentication, this article first designs a cloud-aided trustworthiness evaluation mechanism to improve the credibility of Internet of Things devices in smart cities. Furthermore, since the user's privacy is easily leaked during authentication, an anonymous authentication and key agreement scheme based on a non-interactive zero-knowledge argument is proposed. The proposed scheme ensures the privacy preservation and data security of Internet of Things devices in smart cities. The security analysis demonstrates that the proposed scheme is secure under the q-SDH assumption. The experimental simulation indicates that the performance of the proposal is greatly improved compared with similar schemes.


Introduction
With the continuous increase of population in cities and the formation of new urban agglomerations, the problems caused by urbanization, such as traffic jams, environmental degradation, lack of resources, and the decline of residents' quality of life, have become increasingly prominent. The concept of smart cities was proposed to realize the sustainable development of cities. 1 Information and communication technologies are developing at an accelerating pace around the world. 2 A series of key technologies, such as 5G networks, the Internet of Things (IoT), cloud computing, big data analysis, and new-generation geographic information systems, are gradually moving from concept to actual application. These technologies give birth to many emerging urban application scenarios and innovative management modes, bringing more opportunities for the construction of smart cities. 3 In the architecture of smart cities, the terminal perception layer provides intelligent perception of the physical environment and realizes the identification, data collection, monitoring, and control of the infrastructure within the city through sensing devices and sensor networks. 4 With the rapid development of IoT and mobile communication technologies, smart meters, smart cameras, wearable embedded devices, smart home appliances, and other terminal devices have entered family life. Although the large number of IoT terminal devices makes life more convenient, they also give attackers a broader attack surface. 5 As shown in Figure 1, most of the data collected by these IoT devices in smart cities is sensitive; attackers may eavesdrop on or tamper with these data for profit, with potentially serious consequences.

1 School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing, China
For example, smart meters collect electricity consumption data, which would expose the user's daily behaviour once leaked; wearable embedded devices collect people's physiological data, which would endanger lives if leaked or tampered with in transit. To secure terminal communication services in smart cities, prevent the data collected by IoT devices from being eavesdropped on or tampered with during transmission, and avoid damage or major security incidents to smart-city business applications caused by leaked or tampered data, it is necessary to authenticate the devices and encrypt the transmitted data end to end. 6,7

Motivations
In smart cities, IoT devices face a variety of serious security threats, such as replay attacks, data tampering, device impersonation, man-in-the-middle attacks, and privacy leakage. 8 These threats hinder the development of smart cities, so security is gradually becoming a key requirement in their development. 9 Device authentication is regarded as one of the basic security services protecting IoT systems in smart cities: it verifies the identity of the IoT devices involved in a communication so that appropriate access control can be applied to them. 10,11 Key agreement provides end-to-end secure communication for smart cities and ensures the confidentiality and integrity of data in transit. 12 To mitigate these security challenges, we start from authentication and key agreement to design a protocol suitable for IoT devices with limited computing power.

Main contributions
The main contributions of this study can be summarized as follows:
1. A cloud-aided trustworthiness evaluation mechanism is designed. Trustworthiness evaluation provides a reliable authorization basis for identity authentication. However, due to the limited computing and storage resources of an IoT device, the evaluation cannot be completed by the device itself. Considering its powerful computing and storage capacity, a cloud server is introduced to evaluate the reliability of IoT devices. The operation center decides whether to authorize an IoT device according to the trustworthiness level value calculated by the cloud server, so as to achieve mutual trust between the IoT device and the operation center.
2. An anonymous authentication and key agreement protocol with privacy preservation is proposed. A non-interactive zero-knowledge (NIZK) scheme is constructed to realize anonymous authentication and key agreement between the operation center and IoT devices. Owing to the properties of NIZK, the proposed scheme protects the data security and privacy of IoT devices in smart cities.
3. Formal security analysis and experimental simulation are presented. The security analysis demonstrates that the proposed protocol meets security requirements such as anonymity, privacy preservation, mutual authentication, forward security, and unlinkability. The performance analysis shows that the proposed protocol requires much less time than similar protocols, making it more suitable for deployment in smart cities.
The remainder of this article is organized as follows: A detailed description of the related work is given in section ''Related works.'' The system model, security model, and security requirements of the proposed scheme are presented in section ''System model, security model and security requirements.'' The preliminaries required for the proposed scheme are described in section ''Preliminaries.'' The section ''The proposed scheme'' elaborates the cloud-aided trustworthiness evaluation mechanism and the anonymous authentication process. The section ''Security analysis'' provides a provable security analysis and an analysis of the security requirements of the proposed scheme. The performance analysis of the proposed scheme is presented in the section ''Performance analysis.'' Finally, the conclusion and future work are given in the section ''Conclusion.''

Related works
In recent years, IoT devices have been widely used in various fields of smart cities, and their security has received great attention. 13,14,15,16,17 Scholars have done a lot of research on the secure authentication of IoT devices; the related work is summarized as follows.
In 2014, aiming at the security issues of implantable medical devices in the wireless body area network environment, Liu et al. 18 proposed an authentication scheme based on certificateless signatures. The scheme is proved secure against existential forgery under adaptive chosen-message attack in the random oracle model. However, Xiong 19 pointed out that Liu et al.'s scheme could not resist the public key replacement attack and proposed an extensible certificateless remote authentication protocol with anonymity and forward security to solve this problem, but that scheme has a member revocation problem. To solve it, in 2015, Xiong and Qin 20 proposed a remote authentication scheme constructed by incorporating an efficient revocable certificateless encryption scheme for short-term key disclosure and a certificateless signature scheme. Their security analysis shows that the scheme satisfies anonymity, key escrow resistance, and revocability. However, Shim 21 pointed out that the scheme is insecure against an adversary who knows a secret value: using that secret value, the adversary can forge signatures, so the scheme cannot resist a signature forgery attack. In 2021, Wei et al. 22 proposed an efficient, secure, and privacy-preserving message authentication scheme. The scheme supports IoT devices in smart cities with different encryption systems (whether RSA or ElGamal) and allows offline/online computing, making it more versatile and efficient than previous solutions.
However, the process of identity authentication may reveal users' privacy. To protect users' privacy, more and more scholars focus on anonymous authentication. In 2017, Dimitriou and Karame 23 proposed an anonymous authentication scheme based on blind signatures and hash chains. Blind signatures have the property that the signer does not see the message being signed, which protects the privacy of the sender, but this scheme cannot trace malicious senders. To solve this problem, Kong et al. 24 proposed an anonymous authentication scheme based on blind group signatures, in which the group manager can trace the group signatures generated by group members using the group private key. However, the scheme needs multiple interactions to ensure the security of authentication, resulting in large computation and communication costs. Aiming at the low efficiency of authentication and at resisting load modification attacks on smart meters, Boyapally et al. 25 proposed an authentication scheme based on physically unclonable functions (PUF). The scheme uses lightweight cryptographic primitives, which makes it feasible on resource-constrained IoT devices. Vasco et al. 26 proposed an authentication scheme based on oblivious pseudorandom functions (OPRF) and further proposed a blind anonymous identity-based encryption scheme. The scheme does not disclose to an eavesdropper whether the execution succeeded, thereby hiding whether the sender's password is in the receiver's password set. In addition, the scheme provides a provable security model that captures the security and anonymity of sender and receiver. Most authentication schemes do not consider the credibility of the devices in smart cities, which makes them less reliable. Besides, designing a privacy-preserving authentication protocol with low computational and communication overhead remains an urgent problem in smart cities.

System model, security model, and security requirements
In this section, the system model, security model, and the security requirements in the proposed scheme are presented. Table 1 lists some of the symbols used in the proposed scheme.

System model
The system model is shown in Figure 2. First of all, before the IoTD sends a registration request to the OC, it collects its own trustworthiness attribute (TA) information and sends it to the CS. The CS calculates the trustworthiness level (TL) of the IoTD and returns it. Second, the IoTD signs the TL and sends the report to the OC. To prevent cheating, the OC requests the TL of the device from the CS for comparison, and an authorized tag is granted to an IoTD whose TL falls within the OC's acceptable range. All three parties are semi-trusted: the CS may deliberately reduce the TL value of an IoTD to prevent authentication and key agreement between a legitimate IoTD and the OC; the IoTD may deliberately inflate its TL value to cheat the OC; and the OC may be curious about the private data held by the IoTD.

Security model
We define the security model of the proposed anonymous authentication scheme for smart cities by a game played between an adversary A (modelled as a probabilistic polynomial-time (ppt) Turing machine) and a challenger C. Let P^x_O denote instance x of a participant O, where O is an IoTD or the OC. In this game, adversary A issues a series of queries, which challenger C answers as follows:
h_i(M_j)-Query: Adversary A sends a hash query on message M_j. Challenger C responds by picking R_j ∈ Z*_p at random and records the tuple (M_j, R_j) in the list L_{h_i}.
Extract(ID_i)-Query: Adversary A makes an extract query on identity ID_i of an IoTD. Challenger C answers with the authorized tag of that identity.
Send(P^x_O, M_j)-Query: Adversary A makes a send query on message M_j. Challenger C executes the protocol according to message M_j and returns the corresponding execution result to adversary A.
Reveal(P^x_O)-Query: If challenger C has accepted, adversary A obtains the session key K on P^x_O.
Corrupt(ID_i)-Query: Adversary A makes a corrupt query on identity ID_i of an IoTD. Challenger C answers with the authorized tag of that identity.
Test(P^x_O)-Query: When A sends this query, challenger C picks b ∈ {0, 1} at random. If b = 1, C outputs the true session key K; if b = 0, C answers with a random element of the same bit length as the true session key.
After performing the above queries within a limited period of time, adversary A makes a guess about the value b and returns b' as his answer. Adversary A wins the game if he guesses correctly, that is, if b' = b. The advantage of adversary A in breaking the authenticated key agreement (AKA) security of the scheme S is defined in terms of this guessing probability.
Definition 1 (q-SDH assumption). Let the public parameters pp = (G, p, g) be generated by Gen(1^k). The q-Strong Diffie-Hellman (q-SDH) assumption 27 holds if, for all ppt adversaries A given (g, g^m, ..., g^{m^q}) for an unknown m ∈ Z*_p, the probability that A outputs a pair (c, g^{1/(m+c)}) with c ∈ Z_p is negligible.

Table 1. Notations used in the proposed scheme.
m, x, y: the private keys of the OC, IoTD, and CS
U, X, Y: the public keys of the OC, IoTD, and CS
q: the set of trustworthiness attribute information
z_inst(t): the instantaneous TL value of the IoTD at time t
z(t−): the previous TL value of the IoTD
l: the TL value of the IoTD
T: the authorized tag of the IoTD
K: the session key between the IoTD and the OC

Figure 2. System model.

Security requirements
In this scheme, the following security goals should be realized:
1. Mutual authentication: A malicious adversary may impersonate a legitimate IoTD to obtain the corresponding services. At the same time, because the data collected and transmitted by the IoTD are private, a malicious attacker may impersonate the legitimate OC to request private data. To ensure security for smart cities, the proposed scheme should achieve mutual authentication.
2. Session key agreement: To ensure data security in smart cities, the proposed scheme should achieve session key agreement. The session key guarantees the security of subsequent communication between the IoTD and other communicating parties.
3. Privacy preservation: The data in the IoTD are highly private, and their leakage would have serious consequences. To protect them, the proposed scheme should achieve privacy preservation, that is, no unauthorized entity can obtain the data in plaintext, and authorized third parties cannot infer the user's privacy from the accepted data.
4. Perfect forward security: To protect data security, the designed scheme must satisfy perfect forward security, that is, even if an attacker obtains the current session key, he cannot recover previous session keys.
5. Resistance to other attacks: The proposed protocol should also resist multiple attacks, such as replay attacks, man-in-the-middle attacks, forgery attacks, and so on.

Preliminaries
In this section, a basic definition of the cryptographic primitives required for the proposed protocol is given.

Σ-Protocol
Let R = {(s, w)} be a binary relation, where s is a statement known to both the prover and the verifier, and w is a witness known only to the prover. A three-move interactive protocol π = (a, c, z) between a prover P and a verifier V is a Σ-protocol for relation R if the following three properties hold: 28
1. Completeness: If P inputs a statement s and a witness w such that (s, w) satisfy the relation R, then V always accepts P.

NIZK arguments
Non-interactive zero-knowledge proofs (NIZKs) allow a prover P to convince a verifier V, without interaction and in zero knowledge, that a statement s satisfies the relation R = {(s, w)}. A pair of PPT algorithms (P, V) for a language L ∈ NP is a NIZK argument system if the following properties hold:
1. Completeness: For any statement s ∈ L (|s| = k) and the corresponding witness w,
Pr[g ← {0,1}^{poly(k)}; π ← P(g, s, w) : V(g, s, π) = 1] = 1,
where g denotes the common reference string.
2. Soundness: If s ∉ L, then for any P*, the probability that V accepts a proof produced by P* is negligible.
3. Zero-knowledge: There is a PPT simulator S such that, for any s ∈ L and the corresponding witness w, the distribution of real proofs and the distribution of proofs simulated by S are indistinguishable.
A NIZK argument can be constructed from a Σ-protocol by the Fiat-Shamir heuristic. 29

The proposed scheme
In this section, the proposed scheme is demonstrated in detail phase by phase. The detailed process of anonymous authentication and key agreement is shown in Figure 3.

Setup
In this scheme, each IoTD maps its information to a specific and unique identity ID. By executing the Setup algorithm, the public parameters are generated as follows:
1. First, on input the security parameter k, the OC outputs a three-tuple (G, p, g), where G is a multiplicative group of prime order p generated by g.
2. Second, the OC randomly picks m ∈ Z*_p as its private key and calculates U = g^m as its public key. The IoTD randomly selects x ∈ Z*_p as its private key and calculates X = g^x as its public key. The CS picks a random value y ∈ Z*_p as its private key and calculates Y = g^y as its public key.
3. Finally, the OC chooses cryptographic hash functions h_1 : {0,1}* → Z*_p and h_2 : {0,1}* → {0,1}^k, where k is the length of the session key, and publishes the public parameters (G, p, g, U, X, Y, h_1, h_2).

Trustworthiness level computation
Pouryazdan et al. 30 proposed a vote-based trustworthiness management system, in which the detailed process of trustworthiness level computation is presented; the same method is used in the proposed scheme. Before the IoTD sends a registration request to the OC, it asks the CS to calculate its TL value, as follows:
1. First, the IoTD collects a set of attribute values which reflect its reliability and sends the set to the CS. The set is q = {a_1, a_2, a_3, ..., a_m}, where q stands for the set of trustworthiness attribute information and a_1, a_2, a_3, ..., a_m stand for the different parameters about the IoTD collected by its sensors.
2. Second, on receiving the set q, the CS computes the instantaneous TL value z_inst(t) for the IoTD. Because the importance of each attribute differs, the i-th attribute is weighted by a weight α_i. Based on the instantaneous TL value, the TL value z(t) is calculated from z_inst(t) and the previous value z(t−), where d represents the proportion of the TL value at time t− in the calculation of the TL value at time t, Δt denotes the time interval between t and t−, and u denotes the annealing rate of previously calculated TL values as time passes.
3. Third, the CS encrypts the TL value l of the IoTD with the public key X and sends it to the IoTD.

Authorized tags generation
Data storage and processing on the CS are secure, but the CS may deliberately reduce the TL value l of an IoTD to prevent the successful registration of a legitimate applicant. To prevent this, the IoTD signs the value l to confirm that the assessment is acceptable; if l is not within its acceptable trustworthiness level range, the value is rejected, and without the IoTD's confirmation the TL assessment is invalid. On receiving the TL value l, the IoTD picks a random number b ∈ Z_p and, if it accepts the value, signs it to obtain the signature (v_1, v_2). It then encrypts l with the public key of the OC and sends the ciphertext, the signature (v_1, v_2) and its identity ID to the OC.
Upon receiving the data package, the OC decrypts it using its private key and acquires l. Then it calculates w = v_2^{−1} mod q, u_1 = [h_1(l) w] mod q, u_2 = v_1 w mod q, and v = [(g^{u_1} X^{u_2}) mod p] mod q, and checks whether v = v_1 holds. If the verification succeeds, the OC sends the identity ID to the CS and asks the CS to return the TL value l of that ID. If the returned value equals the value sent by the IoTD, and l shows that the IoTD is trustworthy, the OC computes λ = h_1(ID) and generates a tag T = g^{1/(m+λ)} for the IoTD, where λ ∈ Z_p \ {−m}. To prove the validity of the tag, the OC also sends the IoTD a NIZK proof π_NIZK(m) : {T^m = T^{−λ} g ∧ g^m = U}, generated as follows:
1. First, the OC picks a random number r ∈ Z_p, sets R_1 = T^r and R_2 = g^r, then computes c = h_2(g, U, λ, T, R_1, R_2) and z = r + cm mod p. The OC outputs the proof π = (c, z) and sends (T, π) to the IoTD through a secure channel.
2. Second, when the IoTD receives (T, π) from the OC, it computes λ = h_1(ID) and verifies the proof by computing R'_1 = T^{z+cλ} g^{−c}, R'_2 = g^z U^{−c} and c' = h_2(g, U, λ, T, R'_1, R'_2), then checks whether c' = c holds. If it does, the tag is stored in the IoTD for subsequent authentication.

Session key agreement
This phase can be divided into the following steps:
Step 1: The OC randomly selects an ephemeral exponent μ ∈ Z*_p and computes M = g^μ. Then the OC signs the message M with its private key m to produce a signature σ_1 and sends (M, σ_1) to the IoTD.
Step 2: When the IoTD receives (M, σ_1), it verifies the validity of σ_1 with the OC's public key U. If the check passes, the IoTD randomly selects n ∈ Z*_p and computes N = g^n. To send N while proving its legitimacy without revealing its identity, the IoTD produces a proof σ_2 as follows. It chooses a random number a ∈ Z*_p and computes the randomized tag A = T^a. It then selects random numbers r_1, r_2 ∈ Z_p and calculates
F = A^{−r_1} g^{r_2},
k = h_2(g, A, F, N, t),
s_1 = r_1 + kλ mod p,
s_2 = r_2 + ka mod p,
where t is the current timestamp. The IoTD sets σ_2 = (k, s_1, s_2), calculates the session key K = h_2(M, σ_1, N, σ_2, M^n), and finally sends (A, N, σ_2, t) to the OC.
Step 3: When the OC receives (A, N, σ_2, t) from the IoTD, it first checks the freshness of the timestamp t. If the timestamp has already been used, an adversary launched a replay attack during transmission and the packet is ignored. Otherwise, the OC parses σ_2 as (k, s_1, s_2) and verifies the proof by computing
G = A^m (using its private key m),
F' = A^{−s_1} G^{−k} g^{s_2},
k' = h_2(g, A, F', N, t).
If k = k' does not hold, either the message N was modified by an adversary in transit or the IoTD is not an authorized legal entity, and the OC ignores the packet. Otherwise, N comes from a legitimate entity, and the OC shares the session key K = h_2(M, σ_1, N, σ_2, N^μ) with the IoTD.
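As an added worked example (not the paper's own code), the following Python models the authorized-tag issuance with its NIZK proof from the previous subsection and the three-step anonymous session key agreement above, including the replay check and a tampered-N rejection. It assumes a toy prime-order subgroup built at import time, SHA-256 for h_1 and h_2, a Schnorr signature as an instantiation of the unspecified σ_1, an integer timestamp, and writes the scalar λ = h_1(ID) as `lam`.

```python
import hashlib, secrets

# Added example, not the paper's code. Toy instance of the paper's Setup: G is the
# order-P subgroup of Z_Q^*, P the Mersenne prime 2^61 - 1, Q = k*P + 1 found below.
P = (1 << 61) - 1

def is_prime(n):                                   # deterministic Miller-Rabin (n < 3.3e24)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group():
    k = 2                                          # smallest even k with k*P + 1 prime
    while not is_prime(k * P + 1):
        k += 2
    Q = k * P + 1                                  # h^k has order P unless it is 1
    return Q, next(pow(h, k, Q) for h in range(2, Q) if pow(h, k, Q) != 1)

Q, g = make_group()
rand_exp = lambda: secrets.randbelow(P - 1) + 1    # uniform element of Z_P^*

def h1(data):                                      # h1: {0,1}* -> Z_P^*, lam = h1(ID)
    return int.from_bytes(hashlib.sha256(b"h1|" + data).digest(), "big") % (P - 1) + 1

def h2(*parts):                                    # h2: {0,1}* -> Z_P (SHA-256 mod P)
    enc = b"|".join(repr(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(b"h2|" + enc).digest(), "big") % P

def issue_tag(m, U, identity):
    """OC: T = g^{1/(m+lam)}, lam = h1(ID), with proof (c, z) of T^m = T^{-lam} g, g^m = U."""
    lam = h1(identity)                             # lam = -m (excluded by the paper) is
    T = pow(g, pow(m + lam, -1, P), Q)             # negligibly likely and not handled here
    r = rand_exp()
    c = h2(g, U, lam, T, pow(T, r, Q), pow(g, r, Q))   # R1 = T^r, R2 = g^r
    return T, (c, (r + c * m) % P)

def verify_tag(U, identity, T, proof):
    """IoTD: R1' = T^{z+c*lam} g^{-c}, R2' = g^z U^{-c}; accept iff c' = c."""
    c, z = proof
    lam = h1(identity)
    R1p = pow(T, (z + c * lam) % P, Q) * pow(g, -c, Q) % Q
    R2p = pow(g, z, Q) * pow(U, -c, Q) % Q
    return h2(g, U, lam, T, R1p, R2p) == c

def schnorr_sign(sk, msg):
    """Assumed Schnorr instantiation of sigma_1 on M (the paper names no scheme)."""
    r = rand_exp()
    e = h2(b"sig", pow(g, r, Q), msg)
    return e, (r + e * sk) % P

def schnorr_verify(pk, msg, sig):
    e, s = sig
    return h2(b"sig", pow(g, s, Q) * pow(pk, -e, Q) % Q, msg) == e

def iotd_step2(U, M, sig1, T, identity, t):
    """IoTD: verify sigma_1; send N, blinded tag A = T^a, proof (k, s1, s2); K = h2(M, sigma_1, N, sigma_2, M^n)."""
    if not schnorr_verify(U, M, sig1):
        raise ValueError("invalid OC signature on M")
    lam, n, a = h1(identity), rand_exp(), rand_exp()
    N, A = pow(g, n, Q), pow(T, a, Q)
    r1, r2 = secrets.randbelow(P), secrets.randbelow(P)
    F = pow(A, -r1, Q) * pow(g, r2, Q) % Q
    k = h2(g, A, F, N, t)
    sigma2 = (k, (r1 + k * lam) % P, (r2 + k * a) % P)
    return (A, N, sigma2, t), h2(M, sig1, N, sigma2, pow(M, n, Q))

def oc_step3(m, mu, M, sig1, report, seen):
    """OC: reject replayed t; F' = A^{-s1} (A^m)^{-k} g^{s2} via private key m (A^{m+lam} = g^a)."""
    A, N, (k, s1, s2), t = report
    if t in seen:
        return None
    seen.add(t)
    Fp = pow(A, -s1, Q) * pow(pow(A, m, Q), -k, Q) * pow(g, s2, Q) % Q
    if h2(g, A, Fp, N, t) != k:
        return None
    return h2(M, sig1, N, (k, s1, s2), pow(N, mu, Q))

def run(identity=b"IoTD-0001", tamper_N=False):   # whole flow on constructed inputs
    m, mu = rand_exp(), rand_exp()                 # OC private key; OC ephemeral (Step 1)
    U, M = pow(g, m, Q), pow(g, mu, Q)
    T, proof = issue_tag(m, U, identity)
    sig1 = schnorr_sign(m, M)
    report, K_dev = iotd_step2(U, M, sig1, T, identity, t=1700000000)
    if tamper_N:                                   # adversary alters N in transit
        report = (report[0], report[1] * g % Q, report[2], report[3])
    seen = set()
    K_oc = oc_step3(m, mu, M, sig1, report, seen)
    return {"tag_ok": verify_tag(U, identity, T, proof), "accepted": K_oc is not None,
            "keys_match": K_oc is not None and K_oc == K_dev,
            "replay_rejected": oc_step3(m, mu, M, sig1, report, seen) is None}
```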

Provable security
Based on the above security model, a formal security analysis is given in this subsection.
Theorem 1. If the q-SDH assumption holds in G, then no ppt adversary A against the proposed authentication scheme can forge an authorized tag that passes the OC's verification with non-negligible probability.
Proof. If there exists an adversary A that can forge an authorized tag passing the OC's verification with non-negligible probability ε, then we show that there exists a challenger C that solves the q-SDH problem with non-negligible probability.
Given a q-SDH instance (g, g^m, ..., g^{m^q}) ∈ (G*)^{q+1} for some unknown m ∈ Z*_p, C aims to output (c, g^{1/(m+c)}) for some c ∈ Z_p \ {−m}. C chooses a string ID* as the target IoTD's identity. Then C randomly picks λ_1, λ_2, ..., λ_{q−1} ∈ Z_p. Using the q-SDH tuple and the technique of Boneh and Boyen, 27 C can compute a generator g' together with the pairs {(λ_i, T_i)}_{i=1}^{q−1}, which serve as authorized tags, and returns the tuple (G, p, g', U) to A. C answers A's queries as follows:
h_i(M_j)-Query: C maintains a list L_{h_i} = {(M_j, R_j)}, i = 1, 2. When A sends a hash query on M_j, C checks whether (M_j, R_j) already exists in L_{h_i}; if so, it returns R_j. Otherwise, C randomly picks R_j ∈ Z*_p, records (M_j, R_j) in L_{h_i} and returns R_j to A.
Extract(ID_i)-Query: If ID_i = ID*, C aborts the game. Otherwise, C answers the query with the corresponding authorized tag.
Send(P^x_O, M_j)-Query: C answers according to the message:
- When A queries (P^x_O, start), C randomly picks a and n, computes N = g^n and A = T^a, picks two random numbers r_1, r_2 ∈ Z_p and computes F = A^{−r_1} g^{r_2}, k = h_2(g, A, F, N, t), s_1 = r_1 + kλ mod p and s_2 = r_2 + ka mod p, which it can do because C knows the authorized tag (λ, T).
- When A queries (P^x_O, auth), C first verifies the freshness of the time t and checks the correctness of σ_2 against the message generated in the start query. If auth is not valid, C aborts. Otherwise, C answers A according to the execution of the scheme, since C knows the authorized tags of these IoTDs.
Reveal(P^x_O)-Query: C outputs ⊥ if P^x_O has not accepted. Otherwise, it returns the session key according to the list L_{h_2}.
Corrupt(ID_i)-Query: C searches the list L_Ex = {(λ_i, T_i)}_{i=1}^{q−1} and outputs the corresponding result to A.
Test(P^x_O)-Query: C chooses a random element of the same bit length as the true session key and sends it to A.
Finally, A outputs a forgery λ*, from which C can solve the q-SDH problem. Let E_1 denote the event that C aborts in a Send-query and E_2 the event that A forges an authorized tag. The advantage of C in solving the q-SDH problem follows from these events and is non-negligible, which contradicts the q-SDH assumption. Thus, the proposed scheme is AKA secure.

Analysis of the security requirements
In this subsection, we show that the proposed protocol meets all the security requirements mentioned above.
Mutual authentication. When the IoTD sends a registration request to the OC, the OC assigns an authorized tag to it if its trustworthiness level value is high enough, and generates a proof π = (c, z) showing that the tag comes from a legal entity. The IoTD authenticates the tag from the OC by computing R'_1 = T^{z+cλ} g^{−c}, R'_2 = g^z U^{−c}, and c' = h_2(g, U, λ, T, R'_1, R'_2). Besides, before sending a message N, each IoTD uses its authorized tag to produce a proof for that message. Upon receiving a message report, the OC verifies that N comes from a legitimate IoTD by computing G = A^m, F' = A^{−s_1} G^{−k} g^{s_2}, and k' = h_2(g, A, F', N, t). The soundness of the NIZK ensures that only a holder of an authorized tag is accepted by the OC, so in this phase the OC authenticates the IoTD, and mutual authentication is guaranteed in the proposed scheme. What is more, the message report (N, t) is bound by the hash k = h_2(g, A, F, N, t): if a malicious adversary A modifies the IoTD's message report, the OC detects it and rejects the report. Therefore, both authentication and data integrity are assured in the proposed scheme.
Session key agreement. Since K = h_2(M, σ_1, N, σ_2, M^n) and K = h_2(M, σ_1, N, σ_2, N^μ) are equal, the IoTD and the OC calculate the same session key, which they can then use for secure communication. Besides, the proposed scheme has been proved AKA secure under the q-SDH assumption. Therefore, the proposed scheme supports secure session key agreement.
Privacy-preserving. Only entities holding the session key K = h_2(M, σ_1, N, σ_2, N^μ) can decrypt the data report from the IoTD, so no unauthorized entity can obtain the data in plaintext. What is more, the zero-knowledge property of the NIZK ensures that the OC cannot link an accepted message N to a specific IoTD. Because the authorized tag T_i is randomized by a fresh random number as A_i = T_i^{a_i}, the randomized tag A_i of an IoTD takes a different value in every round of key agreement, which protects the privacy of the IoTD and resists dictionary attacks. Even if the session key is leaked and the malicious adversary A obtains the data report in plaintext, the tag is randomized by a dynamic random number and the zero-knowledge property ensures that no one can retrieve useful information about the IoTD's identity from it, so the adversary A cannot link the report to a specific IoTD. Therefore, privacy preservation is guaranteed in this scheme.
Perfect forward security. If the adversary intercepts the reports (M, σ_1) and (A, N, σ_2 = (k, s_1, s_2), t) transmitted between the IoTD and the OC during the authentication phase, he cannot compute the session key because he cannot solve the DL problem. 31 Furthermore, even if the current session key is leaked, the security of previous sessions is not affected: the session key is calculated as K = h_2(M, σ_1, N, σ_2, N^μ), and the random exponent μ is refreshed in every session, so compromise of the current session key does not impact the secrecy of past session keys. Thus, the proposed scheme satisfies forward security.
Resistance to other attacks. Since this protocol includes a timestamp t in message transmission, any attempt to launch a replay attack is detected. Since mutual authentication is guaranteed in the key agreement process, the proposed protocol resists man-in-the-middle attacks. Besides, we have proved that no ppt adversary can forge a valid tag that passes the OC's verification under the q-SDH assumption, so the proposed authentication scheme resists forgery attacks.

Performance analysis
In this section, first, the features of the proposed scheme are compared with those of other schemes. Second, the communication overhead of the proposed scheme is analyzed. Finally, the computational cost is discussed and the time cost of authorized tag generation and session key exchange is described.

Features comparison
In this subsection, the proposed scheme is compared with revocable and scalable certificateless remote authentication (RSCR 20 ), threshold-based anonymous identification (TAI 32 ), and conditionally anonymous ring signature (CRS 33 ). As displayed in Table 2, only the proposed scheme satisfies all of the listed features. By generating NIZK proofs, the proposed scheme achieves mutual authentication and privacy preservation. Because the hash function is collision resistant, data integrity is guaranteed. Because the q-SDH assumption holds in G, the proposed scheme resists forgery attacks. Because it achieves mutual authentication, it resists man-in-the-middle attacks and therefore supports secure session key agreement. The detailed explanation is presented in section ''Security analysis.'' Besides, because the communication and computational overhead of the proposed scheme is relatively small compared with similar schemes, the proposed scheme achieves scalability.

Communication overhead
To show the superiority of the proposed scheme, it is compared with other similar schemes. It is assumed that the number of IoTDs is n. First, the communication cost of the authorized tags distributed to the IoTD is analyzed. The tag issued by the OC has the form $T \| c \| z$ and its size is $|G| + 2|Z_p^*|$, in which $|G|$ denotes the length of an element in G and $|Z_p^*|$ denotes the length of an element in $Z_p^*$. Besides, the communication cost of the message report for key agreement, generated by the IoTD and sent to the OC, is discussed. The message report of the IoTD has the form $A \| k \| s_1 \| s_2 \| N \| t$ and its size is $2|G|$ where $|t|$ represents the length of the timestamp. We compare the proposed scheme with the similar schemes TAI 32 and CRS 33 in terms of the communication cost from the IoTD to the OC. The result is shown in Figure 4. Because in CRS each device needs the public keys of all other peer devices to achieve its anonymity, its overhead increases with the number of devices. In addition, because the proposed protocol needs only a shorter proof to complete identity authentication when generating zero-knowledge proofs, it has less communication overhead than the similar scheme TAI, which also uses zero-knowledge proofs for anonymous authentication.

Computational complexity
In this subsection, we denote H as a hash operation, P as a Weil pairing operation, E as a modular exponentiation operation and M as a modular multiplication operation.
Then the computational complexity of authorized tag generation at the OC side is 2H + 3E + M, tag authentication at the device side is 2H + 4E + 3M, zero-knowledge proof generation at the IoTD side is H + 3E + 3M, and proof authentication at the OC side is H + 4E + M. The proposed scheme and the compared schemes are simulated with the pairing-based cryptography (PBC) library to compare their performance. Execution time demonstrates the complexity of the proposal, which is evaluated by the time cost of tag authentication and zero-knowledge proof generation at the IoTD side, and of authorized tag generation and proof authentication at the OC side. First, we compare the time cost of authorized tag generation and proof authentication at the OC side with other similar schemes. The computational complexity of the authorized tag generation phase is H + 2P + 3M in TAI and P + 4E + nM in CRS, and that of the proof authentication phase is 2H + 2P + 4E + 8M in TAI and 2P + 3E + nM in CRS. In our simulation, the time costs of the two phases at the OC are simulated separately. It can be seen from Figures 5 and 6 that the time of tag generation and proof authentication in these proposals increases linearly with the number of IoTDs, but the time cost of these two phases in the proposed scheme is much less than that required by TAI and CRS. This is because TAI and CRS require more expensive operations than the proposed scheme, such as pairing operations. Then, we compare the time cost of tag authentication and zero-knowledge proof generation at the IoTD side with other similar schemes. The computational complexity of the tag authentication phase is 2P + 2M in TAI and 2P + E + nM in CRS, and that of the zero-knowledge proof generation phase is 2H + P + 3E + 8M in TAI and (4n − 1)E in CRS.
From Figures 7 and 8, we can see that as the number of IoTDs increases, the time cost of tag authentication and zero-knowledge proof generation in both the proposed scheme and TAI stays constant, but the proposed scheme performs better than TAI. The time cost of these two phases in CRS increases linearly with the number of IoTDs, because the IoTD needs the public keys of the other peer devices to generate its signature.
Therefore, from the perspective of practicability, the proposed scheme is more applicable to smart cities.

Conclusion
In this article, we first propose a cloud-aided trustworthiness evaluation mechanism. According to the trustworthiness evaluation calculated by the CS, the OC decides whether to issue an authorized tag to the IoTD, hence mutual trust between the IoTD and OC is guaranteed in the proposed scheme. In addition, an efficient anonymous authentication and key agreement scheme based on non-interactive zero knowledge is proposed. Based on this scheme, the OC can authenticate the validity of an IoTD without learning its identity, hence privacy preservation of the IoTD is guaranteed in the proposed scheme. And the session key prevents attackers from acquiring data in plaintext, hence data security of the IoTD is guaranteed in the proposed scheme. Security analysis indicates that the proposal satisfies many security properties, such as anonymity, privacy preservation, mutual authentication, forward security, and unlinkability. The result of the performance evaluation demonstrates that the proposal is more suitable for deployment in smart cities.
However, how to seek a balance between privacy protection and regulation is a problem worthy of discussion in the data security protection of the smart city. In the future, we will study how to design a revocation mechanism which can revoke malicious entities while keeping the anonymity of legitimate entities in smart cities.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.