A Privacy-Preserving Authentication and Key Agreement Scheme with Deniability for IoT

User authentication for the Internet of Things (IoT) is a vital measure as it consists of numerous unattended connected devices and sensors. For security, only the user authenticated by the gateway node can access the real-time data gathered by sensor nodes. In this article, an efficient privacy-preserving authentication and key agreement scheme for IoT is developed which enables the user, the gateway node and sensor nodes to authenticate with each other. Only the trusted gateway node can determine the real identity of user; however, no other entities can get information about user' identity by just intercepting all exchanged messages during authentication phase. The gateway cannot prove the received messages from the sender to a third party, and thus preserving the privacy of the sender. The correctness of the proposed scheme is proved to be feasible by using BAN logic, and its security is proved under the random oracle model. The execution time of the proposed scheme is evaluated and compared with existing similar schemes, and the results demonstrate that our proposed scheme is more efficient and applicable for IoT applications.