SEAI: Secrecy and Efficiency Aware Inter-gNB Handover Authentication and Key Agreement Protocol in 5G Communication Network

Recently, the Third Generation Partnership Project (3GPP) has initiated the research in the Fifth Generation (5G) network to fulfill the security characteristics of IoT-based services. 3GPP has proposed the 5G handover key structure and framework in a recently published technical report. In this paper, we evaluate the handover authentication mechanisms reported in the literature and identify the security vulnerabilities such as violation of global base-station attack, failure of key forward/backward secrecy, de-synchronization attack, and huge network congestion. Also, these protocols suffer from high bandwidth consumption that doesn’t suitable for energy-efficient mobile devices in the 5G communication network. To overcome these issues, we introduce Secrecy and Efficiency Aware Inter-gNB (SEAI) handover Authentication and Key Agreement (AKA) protocol. The formal security proof of the protocol is carried out by Random Oracle Model (ROM) to achieve the session key secrecy, confidentiality, and integrity. For the protocol correctness and achieve the mutual authentication, simulation is performed using the AVISPA tool. Also, the informal security evaluation represents that the protocol defeats all the possible attacks and achieves the necessary security properties.Moreover, the performance evaluation of the earlier 5G handover schemes and proposed SEAI handover AKA protocol is carried out in terms of communication, transmission, computation overhead, handover delay, and energy consumption. From the evaluations, it is observed that the SEAI handover AKA protocol obtains significant results and strengthens the security of the 5G network during handover scenarios.


Introduction
With the advancement of IoT-based services and applications, the academicians and researchers of 3GPP have recommended 5G communication technology of the cellular network from the recent past [1][2][3]. The 5G technology suggests advanced aspects related to LTE-A network as non-3GPP inter-working, the formative arrangement of User Plane (UP) operations which are described as logical networks (user and control plane operations) with different potentials [4]. Further, User Equipment (UE) may broadcast Non-Access Stratum (NAS) information to the core network of the 5G for session and mobility administration, that hasn't been attained in preceding cellular network technologies [5,6]. Moreover, these attributes identifies various aspects in the security framework of the 5G handover network. There are different handover services and applications as a vehicular management system, e-health care, and multimedia services, etc. because of the portability of numerous IoT devices/equipment in the 5G network [7][8][9][10].
Although, a key structure of 5G handover suffers from authentication complexities and various security susceptibilities [11]. In the handover key structure, an attacker can breach the secret session keys from genuine base-stations. Nonetheless, the partition of secret keys among base-stations avoids these issues at the time of handover. However, this approach neglects the negotiated key in one particular gNB from the other one. The source Next Generation (5G) Base-Station Node ( gNB s ) broadcasts session key to the target Next Generation (5G) Base-Station Node ( gNB t ). The gNB s obtains a fresh session key by adopting a one-way operation and obtains key backward secrecy (KBS). The KBS restrains gNB's from generating the preceding keys from the established key. Contrarily, the gNB's might learn the entire keys used in earlier sessions of handover. Correspondingly, the KFS (forward secrecy) is preserved to provide that the communicating participants place various specifications in obtaining the new key for subsequent gNB. Moreover, the current gNB doesn't form subsequent keys. The structure of the 5G handover key fails to establish KFS if an attacker negotiates an honest base-station. In this situation, gNB t doesn't provide fresh session keys because of de-synchronization. Hence, it demonstrates the security deficiencies in the handover key structure, and an attacker may negotiate prior keys between gNB and UE. The potential attacks may be sustained before the aforesaid modifications of the current key as the key specifications are obtained from preceding keys [12]. Furthermore, inter-gNB handover scheme in 5G networks degrades the transmission overhead because of numerous rounds of information transmission among the communicating participants. Hence, it is recommended to introduce a cost-efficient and attack resilient inter-gNB handover protocol in the 5G network.

Fundamental Security Properties of Handover Protocol
The security properties of the 5G handover are required to establish mutual authentication and shared secret key compliance between the communicating participants to satisfy the integrity for subsequent handover. The proposed 5G inter-gNB handover protocol must conclude the following properties.
• The protocol should maintain the privacy of the communicating participants during the authentication process. Only the home network can obtain the permanent identity of mobile devices.
• The protocol should maintain forward/backward secrecy with key re-freshness in each new handover authentication connection even if an attacker knows the private keys. • The protocol must establish robust secrecy during the authentication to reduce the possible attacks in the 5G network. • It is known that the UE is a low power resource device and the network channel has controlled frequency. Therefore, the protocol must be designed in a form that mandates the reduced overhead.
To achieve the necessary security properties during the handover process, 3GPP has introduced the handover mechanism [11]. However, the protocol incurs security vulnerabilities such as 1) several messages correspondence are needed to communicate with the AMF (serving network). Therefore, the 5G network reduces the transmission efficiency.
2) The 5G handover key derivation structure proposed by 3GPP brings out various gNB keys based on the horizontal/vertical key approach. Hence, the researchers have proposed various handover protocols in 5G communication networks [13][14][15][16][17]. Unfortunately, authentication complexity, high communication, and computation overhead are observed in these protocols. In addition, these protocols are susceptible to several security attacks. Hence, these handover protocols are not much suitable for efficient handover authentication in the 5G communication network.
To overcome these issues, we introduce Secrecy and Efficiency Aware Inter-gNB (SEAI) handover AKA protocol in 5G network. The proposed protocol avoids the problem of key escrow without involving any third party in establishing the secret keys. Also, the UE/gNB shows a secret correspondence of their identity by collision avoidance hash function and chooses secret keys in the handover initialization stage. The protocol doesn't execute the time-consuming exponentiation operations and shows less overhead. Moreover, the protocol doesn't transmit the secret keys over the public channel to preserve the handover key authentication.

Core Technical Improvements
To overcome the above-raised issues, we propose the Secrecy and Efficiency Aware Inter-gNB (SEAI) handover AKA protocol in 5G communication network. The main improvements of the protocol compared to previous handover schemes are: 1. We investigate the current 5G handover key structure and analyze its security deficiencies such as bogus base-station attack and synchronization failure. 2. We introduce the SEAI handover AKA protocol to overcome the security deficiencies from the current handover protocols of the 5G communication network. In the proposed protocol, gNB t and UE establish mutual authentication at the time of handover execution without broadcasting the secret keys in the air. Moreover, the protocol mandates the KFS and KBS. 3. The confidentiality, integrity, and session key secrecy in the SEAI handover AKA protocol are proven secure by adopting ROM. Also, the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool presents correctness and verification of the protocol. Moreover, the attack and security analysis are provided for numerous security specifications. The analysis represents that the protocol averts the potential attacks.
4. The performance estimation of current and proposed handover protocols is calculated on the basis of communication, computation, and transmission overhead. The estimation results represent that the SEAI handover AKA protocol is efficient and secure compared to the previously proposed handover schemes. 5. The handover delay & key size is computed for the proposed and existing handover protocols based on hope count, number of users. Also, we analyze the protocols based upon the energy consumption during the handover authentication process.
The rest of the article is formed as follows: Sect. 2 illustrates the network model of 5G handover, key hierarchy, handover structure, and the existing handover methodologies. The security susceptibilities of the 5G handover protocol are discussed in Sect. 3. Section 4 discusses the proposed SEAI handover AKA protocol in the 5G network. The formal security proof using ROM, correctness, and informal analysis of the protocol are presented in Sect. 5. Section 6 demonstrates the performance estimation of 5G handover AKA protocols. Lastly, Sect. 7 concludes the article.

Overview and Existing Methodologies
The 5G network derives a fundamental security architecture of the LTE-A network. 3GPP has done some security design contributions in the 5G network after the performance and practical operations. Although, a novel handover authentication framework is required to mandate these modifications for the 5G network. In this section, we demonstrate the overview of the 5G handover framework, handover key structure, and key hierarchy. To obtain mutual authentication and overcome the bandwidth consumption from the 5G network, researchers and academicians have introduced numerous handover methodologies. We illustrate these protocols based on their security features and issues in this section also.

Network Model of 5G Communication Network in Handover
The communication in 5G network framework is established by the following participants as Access and Mobility Management Function (AMF)/Security Anchor Function (SEAF), Authentication Credential Repository and Processing Function (ARPF), Session Management Function (SMF), Policy Control Function (PCF), and Authentication Server Function (AUSF) as shown in Fig. 1 [18][19][20]. In this framework, UE establishes the connection with various gNBs and AMF maintains secure communication using Key AMF . Further, UE verifies the AUSF while subscription information is kept by the ARPF. For the authentication with UE, the ARPF stores the secure symmetric key S key . Also, ARPF computes the authentication vectors (AVs) by executing the cryptographic operations with the security parameters. The Security Policy Control Function (SPCF) consists of security to the SMF and AMF. The security credentials has the key length, integrity and confidentiality algorithm, and AUSF information. The Non-access Stratum(NAS) and AS layers maintain their communication traffic to establish gNB security [21]. Whenever UE communicates in the 5G network, the AS layer establishes the secrecy between the UE, NAS layer, and gNB. In addition, the N3-UP (path of user plane signaling) and N2-CP (path of control plane signaling) are established between UE & User Plane Function (UPF) and UE & AMF respectively [22]. These new updates are the autonomous paths for user/control planes and key algorithms (integrity and encryption).

Key Hierarchy
The 5G network key hierarchy is designed for the efficient structure of numerous keys among the participating entities in the communication [11]. The first transition key Key AUSF is computed by the ARPF to maintain secret communication between UE and ARPF. From this key, another transition key Key SEAF is computed between UE and AUSF to determine Key AMF . In addition, the key Key gNB is retrieved at AMF and send to the gNB. The UE establishes authentication compliance with AMF in support of AUSF/ARPF. The AMF and UE compute the Key AMF using Key SEAF ∕Key AUSF after obtaining the mutual authentication. The Key AMF is valid for the certain period computed for the successive AKA process and generates four sub-keys from it. The two sub-keys Key NASenc and Key NASint are computed for encryption verification and integrity respectively. UE and AMF derives the third sub-key Non-3GPP access Inter-working Function ( Key N3IWF ) from Key AMF for non-3GPP access. Moreover, UE and gNB generate the fourth sub-key Key gNB that computes another four keys. Firstly, two keys Key RRCenc and Key RRCint are required to authenticate the Radio Resource Control (RRC) signaling encryption and its integrity respectively. In addition, the keys Key UPenc and Key UPint are required to verify the UP data traffic encryption and integrity respectively. Also, Key gNB is renewed during handover whenever the UE enters into the coverage area of another gNB.

Handover Structure
In this section, we will demonstrate the Xn-based (inter-gNB) 5G handover structure. In the inter-gNB handover, AMF and UE obtain the authentication process to fulfill the security properties. For secure communication during handover, gNB s generates the Key NG−RAN � (preceding Key gNB ) for gNB t . Also, Key gNB is concatenated at handover key chaining before the subsequent AKA process [11]. By using the one-way hash, gNB s generates the next Key gNB from the present gNB and applies the current key from AMF. Then, AMF transmits these information to gNB t after accomplishing the inter-gNB handover and apply it for subsequent handover. NH Chaining Counter (NCC) and Next Hop (NH) are the key parameters in handover key chaining. AMF setups the next NH parameters generated from Key AMF for respective handover repeatedly. The communication mechanism of 5G inter-gNB handover is shown in Fig. 2 [11]. It is analyzed that the gNB s obtains the specific key parameters {NH NCC , NCC} from the preceding handover.

Existing Methodologies
Cao et al. [13] discussed the privacy-preserving handover authentication protocol for 5G HetNets using the Software Defined Network (SDN). The protocol obtains the mutual authentication and key agreement between base-stations and mobile devices without any other entities. Also, the protocol overcomes the system authentication complexity and minimizes bandwidth consumption. However, similar to the 3GPP-5G handover AKA protocol, the protocol fails to avoid the de-synchronization of communicating entities that lead to DoS attack because of sequence number (SQN) mismatch. In the protocol, it is considered that the SQN is maintained between base-station and UE. In one registration, the value of SQN is used for entire the n connections and increases the value by one at UE/base-station. An adversary may attempt a bogus registration attempt by using previous messages and SQN value become inconsistent. If the genuine UE attempts to create the connection with the target base-station, the session keys and message authentication code are not matched. Therefore, the genuine UE will be unauthorized to access the network during handover. To avoid the above issues, Sharma et al. [14] proposed the handover authentication protocol that maintains the privacy-preservation and key secrecy. Also, the protocol avoids all the security susceptibilities and withstands security attacks. However, numerous message correspondence with the base-station and terminal (UE) carries handover breach and increases the overhead because the serving network is very far from base-station. Hence, the protocol incurs authentication complexity. Also, the source base-station computes numerous keys for target base-stations that enhance the probability of dodging the secret keys. Zhang et al. [15] introduced the Elliptic Curve Cryptography (ECC)-based handover authentication protocol by using chameleon hash function key pairs to avoid the authentication complexity. However, the protocol obtains all the security characteristics but suffer from identity privacy preservation and MitM attack. Also, the protocol exhibits a huge network and transmission overhead due to the additional use of point multiplication key operations. Han et al. [16] designed the efficient handover AKA to enhance security properties and maintain mutual authentication. Also, the protocol incurs less overhead and establishes the key secrecy. However, the protocol suffers from DoS attack similar to Cao's protocol. Due to the use of Extensible Authentication Protocol (EAP)-AKA [23], the proposed protocol suffers from identity privacy preservation and security vulnerabilities such as redirection and MitM attack. Recently, Kumar et al. [17] designed the ECC-based handover authentication protocol for 5G-wireless LAN networks. The protocol obtains mutual authentication and most of the security properties such as key forward/backward secrecy, anonymity. However, the protocol fails to preserve the identity of the communicating participants and suffers from redirection, MitM attack. In addition, the protocol incurs huge communication and computational overhead due to the additional use of point multiplication functions during the handover authentication process.
From the existing handover methodologies, it is noticed that these protocols are susceptible to various known attacks and exhibit huge network overhead. Also, the protocols fail to provide the key secrecy and suffer from authentication complexity. Therefore, the above-discussed protocols are not well suited for efficient handover development in the 5G communication network. To avoid these problems, we introduce the SEAI handover AKA protocol in the 5G network to obtain necessary security requirements. The SEAI protocol is free from the problem of key escrow as there is no entanglement of any third party in establishing the secret keys. Also, the communicating participants send their identity securely in the handover process and don't transmit the secret keys in the public channel during the handover agreement. The protocol operates the key operations using the point multiplication functions and enhances its efficiency compared to the existing protocols. Moreover, the protocol avoids potential attacks and provides all the security properties.

Security Weaknesses in 5G Handover Mechanism
This section illustrates the security susceptibilities in the 5G handover mechanism proposed by the 3GPP and other various researchers. These security problems represent various adversities in the steady communication of the 5G handover network. Let consider, an attacker ATT impersonates the genuine base-station (gNB) and implants the forged basestation gNB ATT in the communication network. ATT may approach its stored parameters by massive attacks as gNB is implanted very far to the AMF.

De-synchronization Attack
ATT can install the gNB ATT that performs the Denial-of-Service (Dos) and leads to desynchronization during the 5G handover. The prime target of gNB ATT is to build the bogus information of NCC and dodge the imminent keys. The ATT can impose to gNB t to disturb the key forward secrecy by performing horizontal key operations. The value of NCC can be compromised by manipulating the information between gNB s and gNB t in the 5G handover mechanism. The gNB ATT chooses a large prime number to impersonate the NCC and transmits to gNB t during second handover response as shown in Fig. 2.
ATT sends the original and false NCC to UE for maintaining the synchronization. The NCC value in path shifting information is negligible than that obtained by gNB ATT . In addition, the gNB t and UE generate future handover keys on the basis of present Key gNB in place of NH NCC+1 . Therefore, gNB ATT may not obtain the following Key gNB because of forward secrecy failure. The gNB acquires the following key of Key NG−RAN � from Key gNB because ATT can know ARFC-DL and PCIA. Moreover, ATT impersonates the UE by sending the original value of NCC and executes de-synchronization. ATT can damage the NCC by disguising the information AMF to gNB t . The gNB t fails to accommodate to the fresh value of NCC because bogus information has a lesser value of NCC compared to the initial one. To overcome the above security concerns, the Internet Protocol Security scheme is applied in path shifting and its confirmation message. Although, numerous links of IPSec with gNBs are prescribed to establish in these transmitted messages with AMF.
ATT may deploy the de-synchronization by information flooding/drop to block the gNB t from recovering the NCC. Accordingly, the gNB t may not modify the NCC and synchronization of the keys is not established. ATT may know the secret handover information from the communicating parties from gNB ATT and degrades the network efficiency.

Verification Failure
The 5G inter-gNB handover mechanism needs various request/response message communication rounds with the AMF and gNB s ∕gNB t that suffers from handover explosion. Also, it increases the overhead because the AMF is installed far from gNB. Hence, the 5G handover network suffers from authentication complexity/verification failure. The gNB s generates legitimate keys for numerous gNB t from the current one by using required specifications in the 5G handover mechanism. For explanation, gNB s may obtain the Key NG−RAN �� between the UE and gNB t from Key NG−RAN � . Once the gNB s is attacked, the ATT knows all the subsequent keys. Therefore, the key backward secrecy is not obtained in the current 5G handover communication.

Proposed SEAI Handover AKA Protocol
In this section, we discuss the SEAI handover AKA protocol to avoid the security deficiencies from the previously proposed handover protocols. The proposed protocol has three stages: a) establishment stage; b)handover initialization stage and c) handover authentication stage. The methodology of Elliptic Curve Cryptography (ECC) is illustrated in the establishment stage. UE is authenticated at AMF and gNB s defines the handover request/ response information to UE for preceding communication in the initial authentication stage. Moreover, the gNB t and UE executes the handover authentication stage when UE arrives in the area of gNB t . The used notations and their meaning in the proposed protocol are reported in Table 1.

Establishment Stage
In order to achieve the authentication between gNB t and UE in the SEAI handover AKA protocol, we are applying ECC [24]. Let be a security parameter, a prime number w and an elliptic curve E(F w ) over F w with w elements. Here, two elements a, b are designated in E over F w of an equation Moreover, finite field of integers modulo prime q is the Z q and Z q * is multiplicative subgroup of Z q . Also, the cyclic group C has the generator P. The ARPF initializes the SEAI handover AKA stage as following.
1. The ARPF selects the secure one way collision resistant hash functions: 2. Furthermore, ARPF distributes/publishes these system specifications/public parameters PK = {KDF, P, C, w, q, H 1 , H 2 , H 3 , H 4 , H 5 } to all the entities that establish the communication in initial and handover authentication stage.
As the protocol believes in the elliptic curve discrete logarithmic problem (ECDLP) assumption [25,26]. It is admitted that the ECDLP computation is not feasible in polynomial-time and the key of ECC (size: 256 bits) obtains the same secrecy as RSA (size: 3072 bits).
1. Note-(a): Let, C be a group of q prime order and point P. xP ∈ C is an element, where x ∈ Z q * . It is computationally difficult to derive x from xP and P. 2. Note-(b): Let, C be a group of q prime order and point P. xP, yP, P ∈ C are the elements where x, y ∈ Z q * . It is computationally difficult to derive the xyP by using any polynomial time algorithm.

Handover Initialization Stage
In this stage, UE is verified at AUSF and AMF followed by ARPF [4]. During the verification process, some handover specifications are confined to message authentication requests/ responses of the original 5G-AKA protocol. These specifications in 5G-AKA don't mitigate the efficiency of the network. In the SEAI handover AKA protocol, the AMF sends the secret keys to gNB s and then, gNB s broadcasts the information to UE for subsequent handover after accomplishing the UE's verification. The descriptive explanation of the handover initialization is exhibited in Fig. 3 and step-wise discussion is as follows:

Authentication Stage of Handover
When UE moves into the range of gNB t , the gNB t and UE initiate mutual authentication and key agreement mechanism. Here, UE uses the RHI UE which is retrieved in the handover initialization stage. The inter-gNB handover follows the traditional handover authentication mechanism. Figure 4 represents the flow of the authentication messages in the SEAI handover AKA mechanism. The illustration of the handover authentication steps is shown below.
• Step-1: When UE is in the area of gNB t , it obtains public parameters of associated gNBs and another specifications such as cell ID (ECI), PLMN-ID, location area identity (LAI), PCI of gNB t . After this, UE chooses a random nonce n UE ∈ Z q * and generates N UE = n UE .P . Then, UE retrieves MAC UE and sends the N UE ||RHI UE ||MAC UE ||inau UE to gNB t ; where, the inau UE has the related specifications as ECI, PLMN ID , PCI of gNB t and targeted LAI.
• Step-2: Now, gNB t retrieves the Key UE gNB s by applying RHI UE . It also confirms the authenticity of RHI UE from T exp . If it is not verified, gNB t rejects the handover query. After this, gNB t computes and checks the MAC UE by using Key UE gNB s . If it verifies, gNB t accepts the acknowledged MAC UE that is transferred from genuine UE. Or, authentication is rejected. • Step-3: After this, gNB t chooses a random nonce n gNB t ∈ Z q * and retrieves n gNB t .P = N gNB t . Moreover, it generates the MAC gNB t for UE and session key Key UE gNB t . Also, it sends the handover message MAC gNB t ||N gNB t ||ID gNB t ||inau gNB t to the UE. The inau gNB t has the specifications as ID AMF , ECI, PLMN ID , and PCI.

Security Analysis
This section discusses that the proposed protocol fulfills the security requirements in the ROM. The used assumptions and security model are shown in this proof. The correctness of the protocol is obtained from the AVISPA tool. Also, the informal analysis of protocol is discussed for various security attacks.

Security Model
For the resistance of identified attacks in the SEAI protocol, we are using a provable security mechanism. We are showing the security proof based on the modeling introduced by [27].

Participants
The protocol Π executes with numerous number of associated participants in 5G network where the participant could be a client W ∈ or server N ∈ . The set is considered that only a single server is involved at one time.

Attacker Model
It is considered that the attacker ATT completely controls the network, which initiates the communication sessions among the participants [28]. The ATT can execute the following queries as: The query forms passive attacks where an adversary dodges the legitimate operations among the instances of client Π i The result of the query is the exchange of messages at the time of the genuine operation of Π. Send_Client(Π i W , m ): The attacker may use this query to trace the message and update it or forward to the client Π i W . The result of the query is the information that the client Π i W might compute upon acceptance of message m. Moreover, an attacker is granted to start the protocol by appealing to Send_Client(Π i W 1 , (W 1 , Start)). Send_Server(Π i N , m ): The query builds active attacks counter to server. The result of the query is the information that the server Π i N might compute upon acceptance of message m.
Reveal(Π i W ): The query builds identified session key attack. An attacker executes the query to achieve the secret keys of instance Π i W .

Corrupt(W):
The query sends the long-term secret/private keys to an attacker for participant W.
Test(Π i W ): An attacker can build this type of query only one time to a fresh instance. On the response of the query, random number e ∈ 0, 1 is chosen. If e = 1 , session key obtained by Π i W is send. Or, return the consistently chosen random number.

Fresh Instances
An instance Π i W is fresh if following condition satisfies: (i) Π i W is accepted; (ii) Π i W or its corresponding partner hasn't run the Reveal query after acceptance; (iii) client's corresponding partner with Π i W , hasn't run the Corrupt query.

Protocol Security
The security of proposed protocol Π is formed by game Game protocol (Π, ATT . The objective of ATT is know e correctly in test query. The advantage of ATT can be written as: The protocol Π is secure if Adv protocol Π (ATT) is negligibly higher than O(q se ) , where q se is the number of Send queries.

Assumption
The CDH assumption can be stated by two experiments, Exp1 CDH

Security Proof
Theorem: Let proposed protocol Π runs the q se number of Send queries, q ex number of Execute queries, and q hash number of hash queries. Then CDH assumption holds the following Proof: The proof has a combination of games, initiating from real attack G 1 and finishing at game G 5 where an attacker has no power. In each game, we set Succ i as event that ATT knows e correctly in test query.
Game G 1 : This is the real attack by ATT in protocol. In this game, the entire instances of participants are formed as real run/execution in ROM. As per the definition of Succ i , we have Game G 2 : This is very similar game to Game G 1 except the simulation of hash oracles h by constructing hash records h rec with input/output entries. By executing h inp query, the output result is generated from the h rec , otherwise randomly select the Output ∈ {0, 1} l and transmit to the ATT with storing new entry of input/output in h rec . Moreover, we simulate the oracles of the entire queries. As per the knowledge of ATT , the game G 2 is indistinguishable from real attack (game G 1 ). Therefore, Game G 3 : Here, we simulate the entire instances of game G 2 , except we omit the game by which collisions may appear on transcripts as (Msg UE , Msg AMF ) , (MAC UE , MAC gNB t ) , and hash values in the protocol. As per the definition of birthday paradox, in the result of h instances, the probability of collisions is q hash 2 l+1 . Also, collisions probability in the transcripts is no more than (q se + q 2 ex ) 2q . Therefore, Hence, it is observed that the game is indistinguishable from game G 3 . So, Game G 5 : Here, we update the simulation queries of Send_Client instances for randomly chosen session in G 3 . In this game, we choose another way for computing the value of Key gNB t , Key UE so it will be autonomous for handover acknowledgment value and keys. When Send_Client(Π j gNB t , (N UE ||RHI UE ||MAC UE ||SUCI||inau UE ) ) and Send_Client(Π i UE , (MAC gNB t ||N gNB t ||ID gNB t ||inau gNB t ) ) are requested Key gNB t = Key UE = T z ( ) (for UE and gNB t ), where z ∈ Z q * . The difference between game G 5 and G 4 is: By considering a successful attacker ATT to analyze G 5 and G 4 , we make the CDH fixer Φ . The difference between G 5 and G 4 is the way of calculation of Key gNB t , Key UE for chosen session. Firstly, Φ obtains the CDH value (xP, yP, Z). As G 5 and G 4 , the fixer Φ chooses a )), then the probability is 1 q ex . Hence, the Φ simulates all instances query without having information of x, y. From this, analyzer ATT may generate N UE = x.P, y.P = N gNB t but not the correct Key gNB t , Key UE . In case, Z = xyP , this setting for the analyzer is similar to G 4 . In case, Z = zP , this setting for the analyzer is similar to G 5 . Lastly, if analyzer ATT interacts with G 4 , the fixer Φ decides that Z = xyP . And, if ATT interacts with G 5 , the fixer Φ decides that Z ≠ xyP . Hence, eq. (6) holds. In this game, the keys Key gNB t , Key UE are independent and random with secret keys. Therefore, three possibilities can be arises where an attacker analyzes the random and secret session keys as: Case-1: Attacker queries (zP, SUCI, ID gNB t ) to h. Then, this event obtains in 2q hash l .
Case-2: Attacker requests Send_Client query excepting Send_Client(Π j gNB t , m ) and impersonates UE to gNB t . If an attacker, tries to impersonate UE in random session by generating MAC UE and got success, it will make the discrepancy but the probability is less than to 1 2 l . As there are maximum 2(q se + q ex ) sessions, then the total probability that this event is obtained will be less than to 2(q se + q ex ) 2 l .
Case-3: Attacker requests Send_Client query excepting Send_Client(Π i UE , m ) and masquerades the gNB t to UE. Similar to Case-2:, the probability of this event is obtained less than to 2(q se + q ex ) 2 l . Therefore, from above three cases; By combining the eq. from (1) to (7), the results are: q se + q ex 2 l , q hash l }}

Correctness of the Protocol
The proposed SEAI-AKA handover protocol is simulated using the AVISPA tool to prove its correctness. The protocol is programmed coded in classic High-Level Protocol Specification Language (HLPSL) to define its characteristics [29]. AVISPA tool simulates the protocol in numerous backends as On-the-Fly Model Checker (OFMC) and SAT-based Model-Checker (SATMC). There are two participants titled gNB and UE in the protocol. We have programmed the fundamental role of these participants in HLPSL and simulated the mechanism by adopting the AVISPA tool. The HLPSL program of the communicating participants is demonstrated in the Appendix-A. Also, the objectives of the protocol are described in Fig. 5. The simulation of the protocol is implemented by applying the OFMC backend with a restricted number of terms. Essentially, the OFMC simulates handover protocol, and then attacker fetches the information from preceding executions. Therefore, OFMC obtains the session complexity and avoids replay attack without executing different sessions between communicating participants. Also, OFMC checks whether the genuine participants can execute the protocol by seeking the passive attacker and broadcasts the instructions of a few sessions to the attacker between genuine participants [30]. The test outputs show that the protocol dodges replay attack. The output of OFMC back-end model is represented in Fig. 6. The keyword SAFE in result proves the correctness of the protocol. Moreover, the protocol averts from the MitM attack by adopting the tests of OFMC back-end. Therefore, the SEAI handover AKA protocol gains the essential security characteristics and dodges the known attacks from the 5G network.

Informal Analysis
In this section, we discuss various malicious attacks to show that the SEAI handover protocol is not vulnerable to the probable attacks.
• KFS/KBS: To preserve the KFS/KBS, the secret keys must not be acknowledged in the preceding and successive sessions even if it is compromised. In the protocol, UE achieves the RHI UE and Key UE gNB s from gNB s and AMF respectively in a secure communication even if ATT generates the required public keys. Moreover, ATT aims to achieve MAC UE ∕MAC gNB t for self-verification at any participant. However, ATT can't obtain these authentication values as n UE and n gNB t are random values at unique communication of handover. ATT needs the information of private keys to generate the preceding and following session keys of Key UE gNB t . However, it fails to obtain these values as ECDLP is computationally hard. Also, the protocol doesn't follow the key chain framework and interaction with gNB s . Therefore, ATT will never have the information of earlier/subsequent private keys.
• Key Escrow Problem: The UE or gNB t select the secret keys in each handover authentication. To compute these secret keys, there is no association of the third party such as a key generation center (KGC)/private key generator (PKG). Therefore, the protocol avoids the key escrow problem. • DoS Attack: The ATT may transmit a large number of false handover requests to UE or gNB t in the authentication stage to drain its network bandwidth. In the protocol, gNB t obtains the Key UE gNB t , MAC gNB t , and transfers the sequence message S 2 to the UE (as presented in Fig. 4). UE generates Key UE gNB t and authenticates MAC gNB t . After this, it sends the MAC cfm to gNB t . If the authentication is not successful, an authentication reject information is send to UE. As per the ECDLP infeasibility assumption, it is impractical for ATT to obtain the secret keys of the communicating participants. Hence, the proposed protocol avoids the DoS attack. • Privacy-Preservation: In the proposed protocol, UE transmits the SUCI to the ARPF followed by AMF as SUPI can't be transmitted over the communication channel and SUCI is applied to form this. The ARPF decrypts the SUCI value by SIDF. Hence, the identity of the UE is achieved in the proposed protocol. In addition, the ID gNB s is never transmitted from AMF to UE for computing the Key UE gNB s , RHI UE . Suppose, ATT computes the ID gNB t transmitted from gNB t to UE and attempts to compute the bogus MAC gNB t . However, an attacker can't derive the private keys due to the computationally infeasibility assumption of ECDLP. Therefore, only legitimate UE can accept the ID gNB t from gNB t . • Replay Attack: In the authentication stage of handover mechanism, replay attack couldn't be initiated as each corresponding message has the chosen private keys. Let consider, ATT transmits duplicate informations to gNB t /UE. Then, the communicating participants instantly verify that the information is achieved previously by them as secret/random keys are unique in every communication of handover. Also, ATT couldn't obtain the genuine ||ID gNB t ||inau gNB t ||n UE .N gNB tATT ) . As, the ATT doesn't have the information of UE's/gNB t secret key, so it is not possible for to obtain valid MAC UE /MAC gNB t . Hence, ATT can't achieve the authentic handover message to execute MitM attack in the network. • Eavesdropping Attack: In the handover establishment stage, the UE and AMF authenticate to each other. AMF transmits the Key UE gNB s to gNB s and then gNB s broadcasts RHI UE to the UE. The chosen secret keys are private in all over the handover operations. Hence, ATT couldn't compute the secret session keys even though he/she calculates the universal/public specifications of the UE and gNB s . In the handover authentication stage, the universal and handover specifications are transmitted between gNB t and UE in the public channel.
The analysis of SEAI handover AKA protocol and existing 5G protocols is presented in Table 2 based on numerous security characteristics. It can be defined that the current 5G handover protocol achieves the mutual authentication between the communicating participants in the authentication mechanism. Although, the protocol doesn't obtain the KFS/KBS and deteriorates from authentication complication. Also, the protocol fails to avoid DoS attack. The Cao's-AKA protocol doesn't obtain the KFS/KBS and defeats from DoS, redirection, and eavesdropping attack. Also, Sharma's-AKA protocol fails to achieve the key secrecy and avoid system complexity. Additionally, the protocol is vulnerable to redirection attack. Zhang's-AKA protocol can't preserve the identity during the handover authentication; hence, it is susceptible to several security attacks. Similar to Zhang's protocol, Han's-AKA protocol has numerous security weaknesses and can't establish identity privacy preservation. Furthermore, Kumar's-AKA protocol obtains most of the security characteristics but can't prevent the MitM and eavesdropping attack from the communication network. Different from the current protocols, the proposed SEAI handover AKA protocol executes the key procedures adopting the ECC. The protocol accomplishes the KFS/KBS in the authentication mechanism. Moreover, the protocol resist all the potential attacks and free from the authentication complication. Therefore, the proposed protocol is relatively better compared to the existing protocols as it gains all the crucial security characteristics.

Performance Estimation
The performance of the proposed SEAI handover AKA protocol is estimated for the existing 5G handover schemes in terms of computation, communication, and transmission overhead. Additionally, we compute the handover delay, key size, and energy consumption for the handover protocols based on various parameters. The analysis represents that the proposed protocol gains all security objectives with adequate competence.

Computation Overhead
For the estimation of computation overhead of handover protocols at the handover authentication and initialization stage, elapsed time of various security functions is executed at OpenSSL written in C library [31] operating on 4 GB memory machine with Intel Core i5-7200U 4 GHz processor for gNB and 2.50 GHz processor for UE. Hence, the elapsed time (in ms) is: point multiplication ( T pmul )= 0.441, hash ( T hh )=0.0087, AES encryption/ decryption ( T aes )=0.071, modular exponentiation ( T moe )=0.629, arithmetic operation ( T art )=0.0021, multiplication operation ( T mul )=0.0033 (for gNB); T pmul : 1.023, T hh =0.0194, T aes =0.109 ms, T moe =1.277 ms, T art =0.0074 ms, T mul =0.0091 ms (for UE). The computational overhead of current and proposed handover protocols is presented in Table 3. Also, the graphical presentation is shown for the comparison of handover protocols in terms of computation overhead in Figs. 7 and 8. The current 3GPP-5G handover protocol accepts the hash operations and symmetric cryptography that generates the overhead at each communicating participant in inter-gNB handover. However, the protocol fails to avoid the de-synchronization that derives the DoS attack and complex handover process. In the Cao's-AKA protocol, UE and base-station execute the hash operation for integrity and AES for encryption/decryption operations. The protocol shows less overhead compared to the proposed scheme however, Cao's handover protocol is not secure against eavesdropping and redirection attacks. Also, the Han's-AKA protocol has less computation overhead compared to the SEAI handover AKA protocol as it executes only hash operations during handover operations but suffers from DoS and MitM attack. Both the Zhang's-AKA and Kumar's-AKA protocol operate the handover authentication using point multiplication, arithmetic, and multiplication operations. Moreover, the Sharma's-AKA protocol execute the handover authentication by time-consuming modular exponentiation operations. Hence, these protocols aren't recommended for the development of efficient handover authentication protocol in the 5G communication network. Different from above schemes, the proposed SEAI handover AKA protocol establishes mutual authentication and key agreement between the gNB t and UE by adopting Table 3 Estimated analysis of handover protocols

Communication Overhead
In order to measure the communication overhead of the current and proposed protocols, we fix |p| = 1024 and |q| = 256 because the ECC key indicates identical security. The |n|=|#E(F n )| = 256 and E(F n ):#E(F n ) = 256 bits prime order q. Moreover, Table 4 represents the specification list and their costs/value [32]. To estimate the overhead, we measure the broadcasted information between the communicating participants in the current and proposed handover AKA protocols. In Table 3, the overhead of the protocols is measured. Also, the graphical presentation is shown for the comparison of handover protocols in terms of communication overhead in Fig. 9.
Although, the overhead of the SEAI handover AKA protocol is larger than the 3GPP-5G handover mechanism. However, the 3GPP-5G protocol deteriorates from key negotiation issue, DoS attack, and authenticity complexity. In the Cao's-AKA protocol, UE communicates to the target and future base-station for accomplishing mutual authentication respectively. The UE and base-stations share the message authentication codes, capability messages, and handover tickets in 1884 bits. Although, the protocol incurs less communication overhead during the handover initialization stage compared to SEAI handover AKA scheme because keys and identity are generated directly from the handover module. Also, the protocol suffers from lack of forward key secrecy and DoS attack. In Sharma's-AKA protocol, the terminal and new/previous hub communicate with each other during handover authentication. The terminal transmits the sequence number, message authentication code, and various handover request/response. At the same time, the authentication server communicates with new and previous hubs in 2978 bits. Han's-AKA protocol follows the EAP-AKA scheme during the initial authentication of UE and base-station. In the handover stage, the UE and base-station obtain the authentication parameters and use additional counter hash values. Also, the protocol fails to preserve the identity during the authentication process.
The Zhang's-AKA protocol establishes mutual authentication between the communicating participants. Firstly, UE transmits its one-time trapdoor hash key, secret, public keys, expiration time, and identity. Then, the target base-station sends its handover specifications to the UE with a shared secret key, and UE approves handover acknowledgment by transmitting the secret key. Similar to Zhang's-AKA protocol, Kumar's-AKA protocol accomplishes mutual authentication between the communicating participants. Firstly, UE transmits its secret, public keys, passwords, and pseudo-identity. Then, the target base-station sends its random number, secret keys, and public parameters to UE with a shared secret key, and UE accepts the handover message successfully. The prime objective of the proposed SEAI handover AKA protocol is to avoid the overhead at the communicating participants and evolve the security capabilities at the time of handover. Hence, we designed the handover protocol by adopting the ECC procedure. Our protocol setups the session key secrecy and Key UE gNB t is attained between gNB t and UE without any ambiguous handover system. The UE and gNB t maintain the secure mutual authentication in the protocol and there is no transmission of the secret session key in the public channel. Thus, the protocol is very efficient and secure compared to the current handover schemes.

Transmission Overhead
It is studied that the conventional cost of the message authentication between i) gNB s ∕gNB t and UE is unit; ii) gNB s and gNB t is unit; and iii) AMF and gNB s ∕gNB t is Δ unit to measure transmission overhead of the proposed and current handover protocols. As the gNB is implanted a very long distance from AMF; hence the overhead of unit has the scope as 0 < < . Also, the overhead of is greater than the cost of Δ . The transmission overhead of proposed and existing handover AKA protocols is demonstrated in Table 5. Hence, it is noticed that the overhead of proposed SEAI handover AKA protocol is less compared to most of the existing protocols. Although, Kumar's scheme has less transmission overhead but suffers from huge communication and computation overhead because of additional point multiplication operations during handover. In the handover authentication stage of proposed protocol, 3 communication messages are required between gNB t and UE. Although, only 2 messages are enough to establish mutual authentication between gNB t and UE. The third correspondence message is transmitted from the UE to approve the handover key agreement with gNB t .

Handover Delay
In this section, the handover delay is computed for the proposed SEAI handover AKA protocol and other existing schemes when the user is executing various handover between base-station/nodes. The handover delay for each handover scheme in A by parameter HD A as f * [33,34]. In this scenario, t is the is the authentication or reauthentication process that is executed in each scheme. P t is the ratio for executing the mechanism t, and T A is the handover scheme. Here, suppose A is the A 5G then Additionally, the Laplace transformation of HD A can be written as [35]. For the handover AKA protocols, it can be written as E(HD 5G ) = − d ds f * HD 5G (s)|s = 0. Figure 10 represents the handover delay of the SEAI handover AKA protocol and existing schemes concerned by increasing the hop count between the base-station/nodes and server. The handover delay of the proposed protocol is far less compared to the existing schemes because of executing a similar re-authentication process in each hop. Figure 11 shows the performance of the SEAI handover AKA protocol compared to the existing schemes in terms of the number of users and handover delay in milliseconds. As the Fig. 10 Handover delay with hop count number of users is increasing in each scheme, the handover delay is also increased. The proposed protocol obtains comparatively less handover delay to the Kumar's, Sharma's, Cao's, and Zhang's handover schemes. The proposed SEAI handover AKA scheme reduces the handover delay by 14%, 25%,30%, and 60% compared to Kumar's, Sharma's, Cao's, and 3GPP-5G handover AKA schemes respectively.

Key Size
In this section, the size of the key is determined which are computed at the execution of handover AKA schemes. The size of computed and transferred keys has an important impact on the storage overhead as other parameters such as private/public key pair, time-stamp, identification parameters have a similar impact compared to an alternative approach. The sum of the key size is calculated for all the handover AKA protocols based on hop count as shown in Fig. 12. From, the Fig. 12, it is observed that the SEAI handover AKA protocol has a very competitive key size with an increasing number of hop counts compared to Han's protocol. The key size of the SEAI handover AKA protocol will be the same with an increasing number of hop counts. In the Kumar's, Cao's, and Sharma's handover AKA schemes, the key size is larger compared to the other protocols, and key size is increased at the following re-authentication processes. Additionally, in the Kumar's, Cao's, and Sharma's handover AKA protocols, the users roam to the previously visited base-station/node (hops (H) 2 to 8), and some additional keys may be generated in the home server and during the re-authentication process. Also, the keys are generated and stored at every hop count. Similarly, the Figs. 13 and 14 represent the key size of the handover AKA protocols for the number of users and user movements. Also, it can be noticed that the SEAI handover AKA protocol has far better key size results compared to the existing handover schemes.

Average Handover Cost
To evaluate the average handover cost of the handover AKA protocols, the wireless network model and mobility model are adopted as per [36,37] respectively. It is considered that the network model is the 5G, WLAN-5G inter-networking domain and sizes of each subnet are similar. The average handover rate ( j ) is calculates as j = (v.P(i))∕(Π.L(i)) , where j is the user group index, v is the UE's average velocity (varies from 2 to 4km/h) in the 5G and WLAN-5G communication network. The perimeter P(i) of the respective network can be computed as P(i) = (12i + 6).R . Here i is the cells number, R is the radius of subnet. The roaming area L(i) is computed as L(i) = (2.6R 2 )(3i(i + 1) + 1) . Therefore, the average handover cost (AHC) can be calculated as AHC t = j .C t . The cost of each scheme C t = C t,s + C t,p , where C t,s and C t,p is the signaling and processing cost respectively. The AC t,s for each scheme can be computed for each handover protocol as: where C t,s is the transmission cost of wireless links. The calculation of each scheme C t,p is the execution cost of each node C n,p . For example, C t,p for 3GPP-5G handover scheme can be shown as C 5G,p = C UE,p + C gNB s ,p + C gNB t ,p , where,C UE,p = 4C Key + C Enc + C Dec + C Ver , SEAI C t,s = 3C ws + 1H 5G C t,s = 5C ws + 2H Cao C t,s = 8C ws + 2H Sharma C t,s = 12C ws + 2H Zhang C t,s = 4C ws + 1H Han C t,s = 8C ws + 1H Kumar C t,s = 3C ws + 2H C gNB s ,p = 2C Key + C Hash , and C gNB t ,p = C Key + C Enc + C Dec + C Ver . The C Key , C Enc , C Dec , C Ver , C Hash are the costs of key computation, encryption, decryption, verification, and hash operation respectively. Therefore, C t,p for all the handover AKA schemes can be computed as: The value of i is considered 10,C ws is set to 10. The costs such as C Key , C Enc , C Dec , C Ver , C Hash are set to one unit. The results achieved from the handover cost evaluations of each schemes are shown in Figs. 15,16, and 17 at varying value of v from 2 to 4km/h. Also, the value of R is 0.1 km and H is 1 to 7 hop count. As the values of v and H increase, the average cost of existing handover AKA schemes is also increases compared to the SEAI handover AKA protocol. Therefore, the proposed protocol can be recommended for the IoT-enabled services in various handover scenarios as the handover cost is significantly reduced. Moreover, the AHC increases from 60 to 357 when H increases from 1 to 7 in the 3GPP-5G handover AKA scheme. However, the AHC remains the same with varying values of v and H in the proposed scheme. The reduction of handover cost in the SEAI handover AKA SEAI C t,p = 3C Key + C Enc + C Dec + 2C Ver + 7C Hash 5G C t,p = 7C Key + 2C Enc + 2C Dec + 2C Ver + C Hash Cao C t,p = 7C Key + 3C Enc + 3C Dec + 3C Ver + 7C Hash Sharma C t,p = 8C Key + 2C Enc + 2C Dec + 2C Ver + 8C Hash Zhang C t,p = 5C Key + 2C Enc + 2C Dec + 2C Ver + 4C Hash Han C t,p = 6C Key + 2C Enc + 2C Dec + 2C Ver Kumar C t,p = 7C Key + 2C Enc + 2C Dec + 2C Ver + 6C Hash   Fig. 15 Average handover cost at v = 2 km/h scheme raises 34%, 23%, and 15% compared to the 3GPP-5G, Cao's, Sharma's handover AKA protocol respectively.

Energy Consumption
The current cellular networks manage massive users; hence, the computation of energy consumption is one of the essential performance estimation metrics. The reduction of the computed keys and exchanged messages at the authentication process represent the energy consumption [38,39]. Generally, the total energy consumption in wireless networks can be computed as Total Energy = N.M + FC , where N is the total bits transmitted/received by the UE, M is the incremental value, and FC is the fixed cost. The fixed and incremental value are coefficients which are obtained in [40]. The energy consumption is computed as per number of bits received and transmitted by the UE as Energy trans = 0.48N + 431 ; Energy rec = 0.12N + 316 . The above-mentioned equations are adopted to compute the energy consumed by UE in each user movement. The calculations are utilized in the proposed and existing handover AKA protocols. For instance, the energy consumption of SEAI handover AKA scheme is Energy trans =1088; Energy rec =928. Figure 18 shows that the energy consumption in the previously proposed handover schemes is increased when UE roams into another base-station/node (inter/intra handover) in the 5G or WLAN-5G communication networks. Moreover, the proposed handover AKA scheme reduces the energy consumption 78%, 31%, and 54% compared to the Cao's, Sharma's, and Kumar's protocol respectively.

Conclusion
In this article, we introduced the secrecy and efficiency aware inter-gNB handover AKA protocol in 5G communication network to avoid the potential security susceptibilities as key negotiation, DoS & bogus base-station attack, and huge authentication complexity. In the proposed SEAI handover AKA protocol, mutual authentication is accomplished with a Fig. 18 Energy consumption in user movement secret key between gNB and UE. Also, the protocol forms the forward/backward secrecy and averts the network complexities. In addition, simulation of the protocol is presented by the AVISPA tool to prove the correctness. To obtain the session key secrecy, confidentiality, and integrity, the formal security proof of the protocol is carried out by the ROM. The security analysis is examined with corresponding numerous security specifications and obtains the security across potential attacks. The performance estimation clarifies that the protocol is far valuable compared to the current 5G handover schemes based on various overhead analysis. Also, the handover delay, key size, and energy consumption of the proposed SEAI handover AKA protocol are very much competitive compared to the existing handover schemes. Hence, we expect that the proposed protocol will enhance the performance and security of the 5G communication network in numerous handover applications.