Two-Level-Composite-Hashing Facilitating Highly Efficient Anonymous IoT and D2D Authentication

Cited by: 7
Author
Chien, Hung-Yu [1]
Affiliation
[1] Natl Chi Nan Univ, Dept Informat Management, Nantou 54561, Taiwan
Keywords
Internet of Things; authentication; MQTT; hash; cloud; edge services; SECURITY; CODES;
DOI
10.3390/electronics10070789
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
Resource limitation is common in many Internet of Things (IoT) devices, and eavesdropping on the identities of IoT devices could reveal sensitive information; therefore, high efficiency (computation and communication) and anonymity protection are two desirable properties in IoT authentication and in device-to-device (D2D) authentication. Conventionally, dynamic pseudonyms are widely adopted to protect device identity privacy in IoT authentication and in D2D communications; however, the conventional mechanisms for renewing pseudonyms and updating pseudonym-bound public keys could be very costly or vulnerable to desynchronization-based denial-of-service (DoS) attacks. In this paper, we propose a novel 2-level composite hashing (2LCH) mechanism to mitigate these problems, and propose 2LCH-based anonymous IoT and D2D authentication schemes. The schemes simultaneously achieve high efficiency and strong anonymity for such environments; once two devices successfully complete one instance of the server-assisted anonymous authentication, they can run several instances of the direct D2D anonymous authentication without the involvement of the server. The merits of the schemes include: (1) high efficiency in terms of computation and communication; (2) easy and efficient generation/synchronization of dynamic pseudonyms; (3) robustness to both desynchronization-based DoS attacks and unreliable connections; (4) easy application to existing IoT architectures and standards; and (5) formal security verification.
Pages: 23
Related papers
43 in total
  • [1] 3GPP, 2019, 3GPP Standard TS 23.501
  • [2] Alezabi KA, 2014, IEEE REGION 10 SYMP, P502, DOI 10.1109/TENCONSpring.2014.6863085
  • [3] Andrea I, 2015, 2015 IEEE SYMPOSIUM ON COMPUTERS AND COMMUNICATION (ISCC), P180, DOI 10.1109/ISCC.2015.7405513
  • [4] [Anonymous], OASIS MESSAGE QUEUIN
  • [5] [Anonymous], ISOIEC209222016
  • [6] [Anonymous], AVISPA A TOOL AUTOMA
  • [7] Basin D., 2005, Int. J. Inf. Secur., V4, P181, DOI 10.1007/s10207-004-0055-7
  • [8] Bellare M, 1998, LECT NOTES COMPUT SC, V1462, P26, DOI 10.1007/BFb0055718
  • [9] Bellare M., 1996, Advances in Cryptology - CRYPTO'96. 16th Annual International Cryptology Conference. Proceedings, P1
  • [10] Burrows M., ACM T COMPUT SYST, P1