A Secure Anonymous D2D Mutual Authentication and Key Agreement Protocol for IoT Environments

Internet of Things (IoT) is a developing technology in our time that is prone to security problems as it uses wireless and shared networks. A challenging scenario in IoT environments is Device-to-Device (D2D) communication in which an authentication server, as a trusted third party, is not involved in the authentication and key agreement process. It is only involved in the process of allocating long-term secret keys and their update. A lot of authentication protocols have been suggested for such situations. This article demonstrates that three state-of-the-art related protocols fail to remain anonymous and are insecure against key compromise impersonation (KCI) attack and clogging attack. To counter their pitfalls, a new D2D mutual authentication and key agreement protocol is designed here. The proposed protocol is anonymous, untraceable, and highly secure. Moreover, there is no need for a secure channel to generate a pair of private and public keys in the registration phase. Formal security proof and security analysis using BAN logic, Real-Or-Random (ROR) model, and Scyther tool show that our proposed protocol satisfies security requirements. Furthermore, communication cost, computation cost, and energy consumption comparisons show that our scheme has better performance compared to other protocols.


Introduction
The promising prospect of 5G cellular networks and future-generation 6G networks and their wide applications in different areas make it hard to design them. Millions of people and devices are linked to each other with the Internet of Everything (IoE), often through wireless networks [1]. Therefore, they face many security risks. Different architectures have been proposed for IoT and IoE networks which consider communication infrastructures, communication range, computational power, and transmission capacity of IoT/IoE devices. Some include smart transportation systems, smart healthcare systems, internet of vehicles (IoV), electric vehicular network, distributed heterogeneous environment without surveillance, industrial applications, smart satellite communications, and UAV control [2].
Device-to-device (D2D) and machine-to-machine (M2M) communications have attracted great scholarly attention in this regard. Due to the lack of an authentication server as a trusted third party, this communication faces many challenges [3,4]. In mutual key-agreement protocols, a third-party authentication server is used in registration and initialization phases to load credentials, long keys, and other secret parameters. Two IoT devices can identify each other and share a secure session key without a trusted authority (TA). However, data transmitted in the public channels can be eavesdropped on by an adversary who performs some attacks such as violation of confidentiality, location forgery attack, user/device impersonation, node compromise attack, and geographical position revealing. It can also breach anonymity and untraceability [5].
Alzahrani et al. [6] proposed an ECC-based key-agreement protocol for D2D communications in IoV networks that does not need a TA in the authentication and key-agreement phase. They analyzed and revealed security pitfalls of protocols by Islam and Biswas [7] and Mandal et al. [8]. In this article, we demonstrate that the protocol proposed by Alzahrani et al. [6] suffers from some problems in design, is insecure against insider attacks and key compromise attack, and fails to provide anonymity. On the other hand, the proposed protocol by Li et al. [9] for D2D-based communication is elaborated here and is shown to be vulnerable against key compromise attack and replay attack. Furthermore, it does not support anonymity and untraceability. Also, Chaudhry et al.'s protocol [10] cannot counter the clogging attack. Thus, a novel protocol for D2D communications without the presence of a trusted third party to improve protocols by Alzahrani et al. [6], Chaudhry et al. [10], and Li et al. [9] is proposed here. The proposed protocol is highly efficient and secure. Also, it does not need a private channel in the registration phase for generating private-public keys. It also provides key update capability.

Motivation
Secure and effective interaction in Device-to-Device (D2D) and Machine Type Communication (MTC), without involving a trusted authority, is essential for 5G, 6G, and their applications. Exclusion of a trusted authority from the authentication and key-agreement process may decrease delay and overhead, but may also bring about security challenges and impaired resistance against known attacks. This article offers a mutual authentication protocol between two IoT devices that is anonymous and untraceable while being effective and secure, making it a proper model for resource-constrained IoT devices. Here, IoT devices communicate with the trusted server only when they register or update the password in the network. Moreover, the private key is calculated by the IoT device and the single point of failure problem is resolved.

Contribution
We analyzed protocols by Alzahrani et al. [6], Chaudhry et al. [10], and Li et al. [9] in terms of security issues. Then, we proposed a mutual key-agreement protocol that includes four phases: (i) initialization, (ii) registration and long secret key generation, (iii) authentication and key agreement, (iv) public and private keys updating. The contributions of this article are listed below:

I)
A two-party authenticated key agreement protocol is proposed to solve the key escrow problem without the involvement of an online Trusted Third-Party (TTP) authentication server.

II)
Mutual authentication phase is done without a TA, and registration and the key updating phase are done in an insecure channel.

III)
Three state-of-the-art related works and their security flaws are investigated.

IV)
Strict formal security verification is achieved using the Scyther tool and BAN logic in the proposed protocol.

V)
Resistance to different kinds of attacks is elaborated with the help of informal security verification.

VI)
Evaluation of network performance, including communication/computation overheads and energy consumption, demonstrates that our proposed protocol is more effective compared to other protocols.

Organization
The rest of the article is organized as follows: Section 2 provides a review of the literature.

Literature review
Amin et al. [11] proposed a mutual key-agreement protocol between users and the cloud server for distributed and mobile cloud environments. They used bilinear pairing in the authentication phase which is not suitable for D2D communications because of excessive overhead. A lightweight authentication protocol based on hash and XOR operations for wearable devices was introduced by Das et al. [12]. But the protocol is not secure against desynchronization and offline guessing attacks. In [13], a protocol was designed for IoT environments that supports anonymity but allows forged nodes to penetrate into the network. Wu et al. [14] offered a mutual key agreement protocol for smart power grids to be applied on smart meter and smart service provider, but it is insecure against known session-specific temporary information attack. D2D communications are significantly used in vehicular ad-hoc networks, especially vehicle-to-vehicle (V2V) communication. Li et al. [9] presented an identity-based V2V key agreement scheme. But it is not anonymous and provides no subtle mechanism to identify the vehicles. A mutual design was offered for body sensor networks by Shuai et al. [15]. A similar V2V protocol for IoT-based industrial environments was proposed by Lara et al. [16]. Islam [17] introduced a two-factor lattice-based encryption protocol for post-quantum cryptography to solve discrete logarithm problems and factoring problems in quantum environments. In order to reduce evaluation overhead and authenticate public keys, and to solve the key escrow problem, Islam and Biswas [7] designed an ECC-based key agreement protocol along with the self-certified public key for two-party communications. Mandal et al. [8] improved the security issues of Islam and Biswas' protocol. Nevertheless, Alzahrani et al. [6] showed that both protocols by Islam-Biswas [7] and Mandal et al. [8] suffered from key compromise impersonation attacks and do not ensure the anonymity of IoT devices. Chaudhry et al. [10] improved Das et al.'s [18] protocol (LACKA-IoT) and proposed iLACKA-IoT to access IoT-based cloud systems for D2D communication. They showed that LACKA-IoT was insecure to man-in-the-middle attack and device impersonation attack. Table 1 provides explanations for previous methods and features.
In this article, we analyze the protocols by Alzahrani et al. [6], Li et al. [9], and Chaudhry et al. [10] to demonstrate their security deficiencies. Our proposed protocol features an acceptable computational and communication overhead which, considering the real-time nature of D2D systems and resource scarcity, greatly improves performance. Table 2 summarizes symbols and corresponding definitions used in this article. A one-way, collision-resistant cryptographic hash function is defined by: ℎ{0,1} * → ℎ{0,1} with arbitrary-length inputs and fixed-length outputs.

Detailed review
In this section, protocols proposed by Alzahrani et al. [6], Chaudhry et al. [10], and Li et al. [9] are discussed in detail in terms of security against known attacks.

Threat model
In our model, IoT devices communicate through a public channel. The following security issues are concerned with the adversary:

I)
The adversary cannot distinguish and .

II)
The adversary is unlikely to retrieve from ℎ( ).

III)
The adversary can eavesdrop, modify, remove, and duplicate messages transmitted in the public channel.

IV)
The adversary can act as an insider to obtain secret parameters of other members in order to implement attacks.

V)
The adversary can compromise all network entities and obtain all temporary as well as permanent credentials.

Review of Alzahrani et al.'s protocol
Alzahrani et al. [6] proposed an ECC-based key agreement protocol for IoT-based environments without TA intervention. The protocol included three phases: Initial system setup, registration, and authentication, which are described below.
3.1.1. Initial system setup phase. The server (a trusted third authority) calculates private key and public key = as ∈ * . It then publishes system parameters { ⁄ , ℎ(.), , } in the public space; where is the base point, ℎ(.) is one-way hash function, and ⁄ is the elliptic curve on finite field of order .
 is met, it stores pair of ( , ) in its memory.
3.2.3. Authentication and key agreement phase. This phase is established between and and shown in Fig. 1.
Step 1. chooses a random number ∈ * and calculates values of = and = where is the public key of . Then, it calculates pseudo-ID = ⨁ and calculates as = ℎ( ∥ ∥ ∥ ∥ 1 ) where 1 is the current timestamp of the message. Finally, the message < , , , 1 > is sent to .
Step 2. checks for verifies the freshness of the message and calculates = * ⨁ , and sends it to * .
Step 3. Upon the reception of , * obtains = * ⨁ . * eavesdrops all transmissions from to other devices and obtains = ⨁ . Applying XOR operation, it achieves . Hence, protocol secrecy is violated.
Step 4. Once the insider obtains , he applies XOR operation on ⨁ to obtain of the device. Thus, Alzahrani et al.'s protocol loses anonymity and untraceability. To solve this problem, a temporary ID is suggested to be used for communications.

Key Compromise Impersonation (KCI) attack. Once a key is compromised by the adversary, the replay attack could run as follows.
Step 1. Similar to the insider attack, the adversary obtains the key and IDs of nodes. then selects ∈ * and calculates = , , and transmits the message < , , , > to .
Step 2. receives the first message and authenticates . Thus, the adversary can easily forge a device. Hence, their protocol is vulnerable against key compromise impersonation attack.

Review of Li et al.'s protocol
The proposed protocol by Li et al. includes three phases as described below.

Registration phase. The vehicle selects an and sends it to TA through a secure channel. TA chooses a random number * and calculates = . It then calculates ℎ = ℎ 1 ( ∥ ) and = + ℎ ( ) and transmits the pair ( , ) to through a secure channel. checks whether or not = ? + ℎ 1 ( ∥ ) . If the condition holds, it accepts = as its public key.
3.3.3 Key agreement phase. This phase occurs between the vehicles and without an intervention of a third-party server. This phase is demonstrated in Fig. 2.
Step 2. Upon reception of the message, selects a random number * and = and sends the message < , , > to . At the same time, it obtains the public key of as = + ℎ 1 ( ∥ ) and calculates = ℎ 2 ( ) and the session key
Step 3. receives the message < , , > and obtains public key = + ℎ 1 ( ∥ ) , and calculates = ℎ 2 ( ) and obtains the session key = ℎ 3 ( ∥ ∥ ∥ ∥ ).
3.4.2. Clogging attack. It is a subclass of DoS attacks wherein the adversary clogs the receiver and wastes its communication and computation resources in an attempt to paralyze the receiver [8]. In Li et al.'s protocol, the adversary runs the clogging attack as follows:
Step 1. Adversary captures the first message < , , > in key agreement phase. then selects a random nonce * and calculates = , and transmits the message < , , > to .
Step 4. receives the message and calculates
This attack desynchronizes the agreed session key between the agents, i.e., ≠ . Adversary performs a multiplication operation of ECC and makes the two agents and run 11 scalar multiplications, 2 point additions, and 6 hash functions. This causes a huge loss of time and costs that is only recognized by desynchronized session key after transmission of encrypted data.
Step 1. The adversary obtains , and and uses them to obtain public key as = + ℎ 1 ( ∥ ) . Then, selects a random nonce * and calculates = , and transmits the message < , , > to .
Step 2. Upon receiving the message, retrieves the public key because there are no changes in and . Then, session keys and will be equal as follows:
Therefore, once is revealed, the adversary can forge a node.

Analysis of Chaudhry et al.'s protocol
In Chaudhry et al.'s protocol, a TA selects and private key * and uses random nonce * to calculate the certificate of private key , as = , = ( + ) , = ( + )ℎ( ∥ ) + where is private key of TA. These are used in D2D authentication and key agreement between two IoT devices. An authentication and key agreement phase in this protocol is shown in Figure 3.
Step 2. Upon reception of the message, checks its freshness ? = ′′ + + ℎ( ∥ ) + to ensure: The condition is met and the adversary can deceive and breach message integrity. This wastes resources because it will perform 4 ECC multiplication operations and 2 hash functions to transmit the message < , , 2 , , , , > to . Then, will do some more calculations and realize that the session key is different, implying that clogging attack has been successful.
3.5.3. Lack of perfect forward secrecy. Once the adversary compromises , of , s/he obtains agreed session keys in authentication phase. This is because is fixed and retrievable in mutual authentication between and . The following elaborates on this attack: Step 1. Step 2.
Step 3. Adversary uses to obtain , and then calculates = , = − , and = . Thus, the session key from the earlier session is recalled. In the same way, the keys of the future sessions can be obtained. Hence, Chaudhry et al.'s protocol fails to support perfect forward/backward secrecy.

System description and proposed protocol

Network model
6G technology is not limited to cellular mobile networks and is aimed at expanding digital communications. However, improving effectiveness in real-time communication and dense IoT networks requires reducing computational and communication overhead. At the same time, adversaries and insiders can penetrate into the network due to the use of insecure channels and temporary connections for high network mobility. Thus, in addition to promoting performance, security and privacy issues need to be considered.
The proposed model includes three major entities: IoT devices, Trusted authority (TA), and an adversary. IoT devices are 6G communication devices that communicate with their peers or far servers with no human involvement. In fact, they provide Machine Type Communication (MTC).
TA provides offline information for IoT devices. Considering scalability and widespread use of 6G networks, it is more optimal for devices to register online in their preferred network. These IoT devices include sensors embedded on smart vehicles, sensors in smart houses, smart health systems, UAVs, smart agriculture, and other single-hop or hierarchical networks.

Communication model
An IoT device may communicate with another device or a TA through channels including Bluetooth, Wi-Fi, ZigBee, cellular spectrum, optical fiber, etc. We analyze the most challenging communication scenario between two devices and TA-free authentication.

Proposed protocol
In this section, a mutual key agreement and authentication protocol for IoT devices without the intervention of a Trusted Authority (TA) is proposed. It includes four phases: initial system configuration, registration and key generation, authentication and key agreement, public and private keys updating. TA intervenes in initialization, the long-secret key generating, and updating phases to allocate device-specific public keys. To avoid key escrow problem, in case the TA's key is disclosed, the private keys of devices are not exposed. This is because each device separately calculates its private key. The proposed protocol uses ECC encryption, one-way hash function, and XOR operation. ECC-based encryption is advantageous for its high security compared to symmetric encryption and short key length compared to asymmetric encryption such as RSA. This increases computational performance and security features. All the phases in the protocol, except the first phase, are done in a public channel that is accessible to the invader. A summary of the first and second phases of the proposed protocol is demonstrated in Figure 5.

IoT device registration and key generation
This phase occurs between IoT device and trusted server TA in a public channel as follows:
Step RKG1. selects the random nonce * and unique .
Step RKG3. Upon receiving the message < , , >, retrieves = ⨁ℎ( ∥ ) and calculates its private key as = + , then verifies =? to ensure accuracy of its calculations. After that, it retrieves = − ℎ( ) and checks the validity of =? ℎ( ∥ ∥ ). If the equality test is satisfied, and are considered to be legal pairs of private and public keys. The public key and are equal, as below.
 and need to authenticate each other and agree on a shared session key to establish a secure connection. Then, they encrypt their information by the session key and publish that in the public channel. Authentication and key agreement are done in the public channel where adversaries may be present. This phase is described below in three steps.
Step AKA2: → : < , , , > Upon receiving the message < , , , 1 >, checks its freshness by verifying the condition | 1 ′ − 1 | < ∆ , where 1 ′ is the time of message delivery. If the condition is met, calculates = and ′ = ℎ( )⨁ , where is the private key of . It then checks =? ℎ( ′ ∥ ∥ ∥ 1 ) to verify the equality authentication test. If the condition is not met, it immediately aborts the session; otherwise, verifies the message and as a legal entity. selects and random nonce * , and calculates = , = , and = ℎ( )⨁ . After that, it calculates = ℎ( ∥ ∥ ) using public key of , the value of in its memory, secret nonce , and of the first message. Next, it calculates temporary session key = ℎ( ′ ∥ ∥ ∥ 2 ) where 2 is the current timestamp of message generated by . It also calculates = ℎ( ∥ ∥ 2 ) to preserve message integrity, and transmits the message < , , , 2 > to through a public channel.
Step  Figure 8 demonstrates this phase.

Security analysis and efficiency
In this section, the proposed protocol is analyzed formally and informally to demonstrate that it provides mutual authentication between two participants and that they share a secure and temporary session key that is safe against well-known attacks.

Security proof
Real-or-Random (ROR) model [10,18,19] is used to prove semantic security of the proposed protocol and to obtain session key security (SK-security), as shown in theorem 1.
uses this query to obtain ephemeral secret parameters and of to perform ephemeral secret leakage attack.
( ). By running this query, the adversary obtains long-static secret parameters and of .
( ). By querying this, all static and dynamic secret parameters of ( , , and ) are delivered to the adversary. The objective is to implement a successful insider attack to capture the whole network.
( ). Once this is requested, flips the coin = {0, 1}. If = 1, it returns the original ID to . Otherwise, it generates a string of random bits of similar length and returns in response.
( ). The adversary needs to have successfully implemented ( ) to run this query in an attempt to obtain the session key and disrupt semantic security. Upon receiving the query, returns if the key has not been generated. Otherwise, it flips a neutral coin. If adversary's guess ( ′ ) and flipped coin ( ) are equal, it yields the session key to the adversary. Otherwise, it generates a random value of similar length and returns it in response.
( ). It removes the session key generated by .
Definition 5. (Semantic security). To simulate semantic security of the proposed protocol, we designed a series of consecutive and indistinguishable games between the adversary and oracle . The adversary issues different queries to to successfully launch an attack. The adversary tries to guess the flipped coin through a query to increase his chance of winning. This query is asked when is in state and the session is fresh and not expired. returns when session key is generated and = ′ .
The advantage of the adversary in breaching our protocol in the semantic security model is ( ) = |Pr[ ( )] − 1|, where ( ) ≤ and > 0 is a trivial value.

Theorem
Suppose a probabilistic polynomial adversary at time that seeks to breach semantic security of the proposed protocol. If can issue maximum , ℎ ℎ, and queries, its advantage for winning the proposed protocol in consecutive games | = 1, … ,8 will be less than the following value because of the one-way hash function ℎ(.) and difficulty of ECCDHP. The output string of hash oracle is λ. And is the number of uncompromised instances of in the network. The adversary's likelihood to breach the semantic security of the proposed protocol is calculated as follows: Eventually, the adversary's likelihood to compromise the whole network is calculated as follows:

Proof
To prove the robustness of the proposed protocol, the following games | = 1, … ,8 are simulated between the adversary and .
( ) is the chance of winning ℎ game by the adversary and Pr[ ( )] is the probability of winning at time in game . returns a response based on or state of the query. The games are simulated based on ROR as follows:
Game . It simulates a real attack to the protocol. The adversary needs to correctly guess the flipped coin. Thus, the probability of winning for in real protocol with random oracles is
Game . The adversary simulates and queries in a real attack to obtain < 1 > and < 2 > messages, or tries to forge . Thus, the probability of winning for the adversary is
Game . It simulates a situation in which the adversary wins the game because of hash oracle collision. When issues the query, returns the appropriate response from and lists that store transcripts and hash records, respectively. The game is over when random numbers or hash oracles collide. Based on birthday paradox, the probability of collision for hash oracles and random numbers is
Game . This game aims at breaking perfect forward secrecy using ( ). tries to obtain 's temporal secret parameters. The probability of adversary's winning the game is indistinguishable from the previous game as
Game . This game is over when the adversary obtains the original ID of oracle by issuing a ( ) query. needs to calculate = ℎ( ∥ ), = , and = ℎ( )⨁ . Assuming the nonce , the difference between this game and the previous one is
The adversary's advantage to break security of the proposed protocol by guessing the coin inside query is ( ) = 2 Pr[ = ′ ] − 1 where ′ is the adversary's guess. Since the adversary is unable to distinguish real and random session keys, without issuing a ℎ query with accurate entries we have Pr[ 7 ( )] = 1/2. Therefore, the theorem is proved based on formulas 3-9.
Game . The adversary implements ( ) to obtain all static and dynamic secret parameters of . The aim is to perform a privileged-insider attack and compromise the whole network. In fact, by capturing one device, seeks to capture the whole network. Since oracle instances are independent from each other, the probability of seizing one instance is independent from others. Thus, the adversary needs to compromise all oracle instances to capture the whole network. Therefore, his chance is trivial as follows:
Table 3 shows signs and symbols of BAN logic [20], and the following rules are used in the BAN logic to prove mutual authentication between two IoT devices and .
The proposed protocol is based on following assumptions.

Formal security analysis by BAN logic
The process of mutual authentication aims to obtain the following goals Messages are transmitted between and in a public channel. The idealized message has the following specifications , } Based on 4, message 1, applying the message-meaning rule 1, and the fact that receives the first message, we have Using 2, 1, the freshness rule 4, and the nonce verification rule 2, we have Based on 6, 2, and message 2, we have We achieve the first goal by applying the belief rule 5 on 3.
: | ≡ ↔ Based on receiving the message 2 at , 3 and 2, we have Using 1, 4, the message freshness, and the nonce verification, we achieve 5.

: |≡ | ≡ ↔
Eventually, based on 7, 3, and by assuming the correctness of the third goal, we achieve the fourth goal.

Scyther tool
Scyther tool is widely used for analyzing security protocols [21,22]. In this section, we show that the proposed protocol meets security claims like " ", " ℎ", " ", " ", and " " for aliveness, non-injective synchronization, non-injective agreement, minimum agreement, and confidentiality, respectively. Moreover, confidentiality of session key is preserved and IoT device IDs remain secret. Scyther code and evaluation results are given below in Fig 9 and   their secrecy is preserved. Thus, the proposed protocol is highly anonymous and untraceable.

Informal security analysis
It is proved in this section that the proposed protocol provides security measures for D2D key agreement protocol. Table 4 compares the proposed protocol with other existing protocols in features and resisting known attacks.
In addition, if private key is not stored in , the adversary cannot compromise that node. Thus, the proposed protocol is secure against device compromise attack, while [6,7,8,9]
5.3.8. Perfect Forward/Backward Secrecy. If an adversary obtains the session key in a session, he will not have access to other session keys in other sessions because session keys are computed independently, including random nonces ( and ) and temporary and that change in each authentication session. Therefore, the proposed protocol preserves perfect forward/backward secrecy.
5.3.9. Impersonation Attack. To successfully perform this attack and forge IoT devices, the adversary needs to duplicate messages = ℎ( ∥ ∥ ∥ 1 ) and = ℎ( ∥ ∥ 2 ) to be certified by the shared protocol. An adversary can never generate a valid message to forge an authorized device in the network because it does not have access to private key and original . Our proposed protocol is able to withstand impersonation attack.
5.3.10. Known-Key Attack. When an IoT device shares a secure session key with another device in the network, an adversary who seizes the key cannot obtain the keys of other devices because each key has its own specific parameters , , , , and temporary . To overcome this challenge, the adversary must solve Elliptic Curve Discrete Logarithm (ECDL) problem, ECDHP problem, and one-way hash function, which is practically infeasible.
5.3.11. Key Escrow Problem. If private key of TA is disclosed, other keys remain secret because only TA is involved in key generation process and the private key = + = ( + ) + consists of random nonce * that is unknown to TA. Therefore, the proposed protocol solves key escrow problem and single point of failure.
5.3.12. Self-Certification Mechanism. Each IoT device stores = in its memory in registration phase, and does not need an online trusted third-party TA in authentication and key agreement phase. Therefore, our protocol solves key escrow problem, single-point of failure, and has a great performance in certificate generation and verification process.
5.3.14. Other features. Many protocols neglect updating long secret credentials. Nevertheless, our protocol offers a secure authentication and key agreement session between IoT devices while updating paired private and public keys of each device in the presence of a TA in a public channel. This increases its applicability. Moreover, registration phase of this protocol is done in an insecure channel that increases its scalability.
( / ), point addition ( ), and point scalar multiplication on elliptic curve ( ) is 0.00032, 0.0056, 0.0044, and 0.0171 sec [23,18]. Computation and communication costs of our protocol are 0.14128 sec and 1344 bits, respectively. Table 5 compares our protocol with existing ones in terms of communication and computation overheads. It shows that the proposed protocol has lower computational overhead than other related protocols. However, it resists KCI attack, replay attack, insider attack, clogging attack, and provides anonymity (see Table 4). In [9], only one session key is shared and no authentication mechanism is applied. Security is an essential factor in IoT networks and overhead pays its due for that. Our protocol is compared with others in terms of computational overhead and communication overhead in Fig 11.
The performance of the proposed protocol, compared to existing protocols, in terms of energy consumption for 500 authentication and key agreement sessions for IoT devices in a 100×100 m 2 environment is simulated in Matlab R2017a. Results are shown in Fig. 12. Increased number of sessions leads to increased energy consumption in [10] and [18]. But the proposed protocol offers the most optimal performance because energy management in ubiquitous 6G networks is important along with security issues. Our protocol improves performance to 20-65%.

Conclusion
Widespread use of IoT technologies and lack of comprehensive standard protocols for IoT environments call for new authentication and key agreement protocols. The present study examined the flaws of mutual authentication and key agreement protocols for D2D communications in IoT networks. It also proposed a new protocol that includes four phases: system initialization, IoT device registration, authentication and key agreement, key pair updating. Our protocol could overcome security issues and resist well-known attacks such as KCI attack, replay attack, insider attack, and provide strong anonymity. Also, it used public channels in IoT device registration and public/private key updating phases. BAN logic, ROR model, and Scyther tool were used for security analysis. The protocol performance was also compared with other protocols in terms of computational overhead, communication overhead, and energy consumption and was shown to have a better performance than other compared protocols. Finally, a blockchain-based group authentication protocol in D2D communications that provides anonymity is proposed for future work.

Compliance with ethical standards
Conflict of interest. The authors declare that they have no conflict of interest.
Ethical approval. This article does not contain any studies with human participants or animals performed by any of the authors.
Informed consent. Informed consent was obtained from all individual participants included in the study.