A lightweight D2D security protocol with request-forecasting for next-generation mobile networks

5G-assisted device-to-device (D2D) communication plays an instrumental role in minimizing latency, maximizing resource utilization, improving speed, and boosting system capacity. However, the technology confronts several challenges to realize its enormous potential fully. Security and privacy concerns are at the top of the list that can jeopardize the regular operation of D2D communication by executing various assaults such as free-riding and impersonation. Although several researchers suggested different solutions to these concerns, most are too heavy for resource-constrained devices or are vulnerable to security risks. Consequently, we proposed a lightweight and provably secure D2D communication protocol comprising initialization, device discovery, and link setup phases. The protocol is light in terms of computational overhead and communication latency while verifiably secure through formal security analysis. The protocol relies on a new network function, called D2D Security Management Function (DSMF), located near the devices to facilitate secure communication and improve performance. Moreover, we used deep learning-based UE trust score forecasting to better handle and prioritize communication requests when the network is overloaded. The comparative analysis against state-of-the-art security schemes concerning computational and communication overheads shows that our protocol is a superior alternative for resource-constrained IoT devices wishing to perform D2D communication in a 5G network.


Introduction
With the fast progression of the technology and its widespread adoption, it is anticipated that mobile users' needs would lead to the development of a variety of applications and services based on the interconnection of large-scale devices. 5G enables a wide range of applications to benefit from faster connections, more scalable settings for machine-to-machine operations, such as symmetric key encryption and message authentication codes. Furthermore, we developed a deep learning-based solution to address the request prioritizing problem, reducing network strain when the proposed protocol runs across ultra-dense D2D networks. We used the sequence-to-sequence regression Long Short-Term Memory (LSTM) model to anticipate UE trust levels to identify which UEs must be addressed with priority when network traffic is high. The main contributions of the paper are summarized as follows: • We proposed a lightweight and provably secure D2D communication protocol with initialization, device discovery, and link setup phases. • We proposed a new network function called DSMF near the UEs for efficient D2D communication.
• We used deep learning-based forecasting that predicts UE trust scores for request prioritization to lessen network loads. • We formally evaluated the security of the protocol through two formal verification approaches (BAN-Logic (Burrows et al., 1989) and Scyther (Cremers, 2008)). • We compared the proposed protocol against state-of-the-art D2D security protocols.
The remainder of this paper proceeds as follows. In Sections 2 and 3, the article discusses related works and the system model of 5G-based D2D communication, respectively. Section 4 discusses D2D communication security and privacy. We provide the suggested protocol and its formal security evaluation in Sections 5 and 6, respectively. Section 7 provides the results of the comparative analysis, and Section 8 concludes the paper.

Related work
Different researchers offered various ways to solve the security and privacy problems in D2D communication. For example, Baskaran and Raja (2017) suggested a D2D authentication and secret key sharing protocol to guard against security risks in the Long-Term Evolution Advanced (LTE-A) environment. However, because the MME (Mobility Management Entity) computes the user's public-key pair, the user's private key's reliability is insufficient. Furthermore, the protocol is designed exclusively for D2D communication in an LTE-A network environment, making it unsuitable for the current 5G cellular networks. Seok et al. (2020) proposed a D2D AKA protocol that employs ECDH and digital signatures in a 5G IoT network. Despite the study's importance of being the first to handle D2D communication in a 5G setting, it does not take user authentication into account while negotiating the ECDH key. As a result, the protocol is vulnerable to security risks, particularly the free-riding and Man-In-The-Middle (MITM) attacks. Chow and Ma (2020) designed a security protocol to address the problems identified in Seok et al. (2020). By looking for nearby users in the 5G network and subsequent mutual authentication and secure key agreement procedures, the protocol ensures anonymity through Globally Unique Temporary Identifier (GUTI) while preventing eavesdropping, replay, MITM, and free-riding attacks. However, like in Baskaran and Raja (2017), the user's public key pair is generated by the AMF, and the protocol does not carry out the key confirmation procedure. Moreover, there is a risk of a DoS (Denial of Service) attack because of the digital signature's lack of timeliness.  Baskaran and Raja (2017) • D2D AKA protocol in LTE-A environments.
• Lack of trust in users' private key since the MME computes the key pair instead of the users. • Does not consider or not designed for the 5G cellular networks. Seok et al. (2020) • D2D AKA protocol using ECDH and digital signatures.
• Does not consider user authentication while performing ECDH based key exchange. • Vulnerable to free-riding and MITM attacks. Chow and Ma (2020) • Proposed to address the vulnerabilities of Seok et al. (2020).
• Ensures anonymity and prevents eavesdropping, replay, MITM, and free-riding attacks. • No key confirmation procedure.
• Potentially vulnerable to DoS attacks.
Other studies suggested certificateless approaches for 5G-based D2D communications. Shang et al. (2019Shang et al. ( , 2020, for instance, proposed a protocol designed to support the D2D group communication in 5G cellular networks leveraging Certificateless Public Key Cryptography (CL-PKC) with ECC and Digital Signatures. Besides, other researchers proposed a D2D communication security approach using ID-based encryption. However, ID-based encryption lacks practicality and is not optimal for IoT environments because of the heavy characteristics of public keys cryptography. The related works that are proposed to protect D2D communication are summarized in Table 1.
The studies presented above are unsuitable enough for 5G network-based D2D communication or fail to meet critical security criteria. Thus, this article offers a novel security protocol suited for D2D communication while simultaneously meeting different security requirements. More significantly, following the primary authentication of the 5G network, our approach makes the best use of the trust developed by UE and AMF. The suggested security protocol, as a result, enables safe and efficient D2D authentication and key agreement.

System model
The system model for 5G-based D2D communication consists of various components and links based on the 5G reference architecture (TS23.501, 2021). The main elements of this model are the UE, 5G Radio Access Network (RAN), DSMF, and the 5G Core Network, as shown in Figure 1. Moreover, the communication path comprises the back-haul (between UE and 5G-RAN) and front-haul (between 5G RAN and the 5G Core) links. Here, we provide a brief description of each component.
Concerning D2D communication, each UE performs a primary authentication to achieve mutual authenticity with the 5G network. Devices can also carry out the primary authentication via non-3GPP technology through Non-3GPP Interworking Function (N3IWF), making the procedure independent of the underlying radio access technology.
5G-AKA (5G Authentication and Key Agreement) or EAP-AKA' (Extensible Authentication Protocol) serve as the preferred primary authentication in 5G. The procedure involves different virtual network functions, residing in both serving and home networks, like Access and Mobility Management Function (AMF), Security Anchor Function (SEAF), Authentication Server Function (AUSF), Unified Data Management (UDM), Authentication Credential AMF is the first network function in the core network to receive all UE connections through gNB or N3IWF. Besides managing essential services such as registration, mobility, and connection, it supports the confidentiality and integrity of signalling data while protecting the subscribers' privacy. In proximity with AMF, SEAF plays a critical role in providing the authentication functionality for UE to be authenticated to its home network via the AMF in the serving network.
AUSF primarily carries out the authentication function in the home network for the 3GPP and non-3GPP access. In authenticating the UE, AUSF delivers a key (K SEAF ) to the SEAF, where the latter derives the K AMF for the AMF. AMF then uses this key to maintain the confidentiality and integrity of the messages exchanged between itself and the UE while also computing K gNB that UE and the corresponding gNB will utilize to safeguard future communications.
UDM oversees several services such as registration and deregistration, retrieval of user subscription data, and supply of updated authentication-related subscriber data. Moreover, it accommodates the ARPF to pick an authentication method while also computing keying materials for AUSF. When UDM/ARPF receives the authentication request containing Subscription Concealed Identifier (SUCI), it is sent to SIDF to decrypt it and return the Subscription Permanent Identifier (SUPI). Receiving SUPI, AMF generates the 5G Globally Unique Temporary Identifier (5G-GUTI) and communicates it to the UE for subsequent requests. The primary use of 5G-GUTI is to identify the UE globally and uniquely without revealing its permanent identity. Moreover, 5G-GUTI embeds the Globally Unique AMF Identifier (GUAMI), which helps identify a particular AMF and the network.
In 5G, gNB is functionally split into three parts: Radio Unit (RU), Distribution Unit (DU), and Centralized Unit (CU), with RU being the nearest to UE and CU the farthest. There can be a variety of ways to place these components depending on the deployment model. This system model adopted a scenario where RU resides at the cell site and the CU and DU colocated at the edge. Our newly designed network function, DSMF, also resides at the edge to facilitate D2D communication. We will describe the detailed operation of DSMF in the proposed protocol section.
There are three distinct paths concerning the communication links: the first is the primary authentication line that the UE communicates with the 5G Core Network via 5G-RAN. The second is the DSMF assisted link setup path in which DSMF receives D2D communication requests from UEs and provides keys for protecting the channel between the UEs. The final one is for the actual D2D communication between UEs with the established keys.

Security and privacy issues
Various threats hinder the regular interactions between peers in D2D communication. Unfortunately, the security and privacy component of the D2D communication environment was largely overlooked by both industry and academia (Adnan & Ahmad Zukarnain, 2020). Some of the most common security threats and attacks that are executed on D2D communications are eavesdropping, tampering, masquerading, replay attack, and free-riding attacks (Haus et al., 2017).
An attacker can eavesdrop on the transmitted information within D2D communication to execute a range of attacks such as tampering (in which an adversary modifies the eavesdropped messages while infecting genuine peers by disseminating malicious materials). Cryptographic solutions are often employed to thwart such security threats. Specific to D2D, different authors provided solutions to address these issues (Haus et al., 2017;Wang et al., 2018). On the other hand, a masquerading attack enables an attacker to impersonate an honest D2D peer to deceive the other. Ensuring mutual authenticity among devices wishing to exchange information through D2D communication in both cellular and ad-hoc connectivity can serve a good purpose in mitigating such threats. A passive attack that retransmits or delays a message communicated between devices is a replay attack, which can be effectively alleviated by guaranteeing message freshness. The free-riding attack, particularly common to D2D communication, happens when a malicious D2D peer receives data or service but denies contributing its part. Building cooperative incentive structures to establish fairness and assuring availability in such structures are necessary to protect the communication from such attacks (Zhang & Lin, 2017). A practical solution to resolve a free-riding attack, for example, is provided in Baskaran and Raja (2017).
In addition to security, different privacy issues concerning information, identity, and location also threaten D2D communications (Gandotra et al., 2017). Aside from security concerns, devices in D2D communication take privacy very seriously. It is significant due to the versatility of devices participating in the hybrid communication setup. Hence, the communication system should enable privacy measures to protect the "what," "who," and "where" of the devices. These three vital privacy elements correspond to the anonymity of information exchanged, the identity of devices, and location (Zhang & Lin, 2017).

Threat model
D2D communications, as mentioned in the previous subsection, pose many security issues, primarily because the devices operate wirelessly where an adversary has access to a vast quantity of sensitive information (ciphered or plain). As a result, anyone with malevolent purpose and technical competence can exploit these flaws to conduct an assault, therefore bringing the dangers to light. Consequently, recognizing and modelling the risks posed to these communication systems are essential for the devices to function correctly in the event of a threat.
We picked the strongest opponent anticipated in the Dolev-Yao (DY) threat model (Dolev & Yao, 1983) capable of intercepting messages transmitted from/to UE to/from the 5G network and among the UEs. Furthermore, the attacker can originate or receive transmissions on behalf of authorized devices or a network under this paradigm. Essentially, the adversary is regarded as the channel itself, with minor exceptions such as the inability to correctly guess the keys used to encrypt and authenticate messages transmitted between legitimate entities, the failure to retrieve messages from a message digest, or the inability to correctly guess the random numbers utilized in the protocol within the time range allowed.

Security and privacy requirements
Despite their broad uses and rising popularity, IoTs have been associated with a slew of security and privacy issues, according to several researches (Caputo et al., 2020;He et al., 2021;Liu et al., 2020;Schafer & Edwards, 2017;Wong & Yiu, 2020). D2D communication, which is expected to be utilized by resource constrained IoT devices, should consider the appropriate security and privacy requirements for the aforementioned possible concerns. The following are the security criteria for D2D communication as identified in Zhang and Lin (2017).
• Lightweight cryptographic operation: an authentication and key agreement protocol should fully acknowledge the limited resources concerning power, processing, storage, and communication posed on D2D communication. • Anonymity: it should be difficult, if not impossible, to reveal the information, location, and identity of devices through messages sent and received during the device discovery process. • Mutual Authentication: the devices participating in the D2D communication should know whom they are talking to and vice versa. • Confidentiality: after a successful key exchange, the attacker should not obtain the key and the plain data protected by it. • Integrity: an unauthorized user should not modify the protected message transmitting between the D2D users. • Perfect Forward Secrecy: an attacker should not obtain the D2D session participants' current session keys from the previous session key. The k th timestamp GUTI UE (i) The Global Unique Temporary Identifier of the UE(i) ID DSMF The unique identifier of DSMF The ECDH private and public key pair domain parameters p-the prime number, a & b-the coefficients of the elliptic curve, G-the base point, n-the order of the subgroup, and h-the cofactor of the subgroup. · scalar multiplication SK The ECDH session key

HMAC(K, M)
The keyed-hash message authentication code with key K and message M.
The symmetric key encryption of message M under key K.

Proposed protocol
The proposed protocol comprises three stages, UE Initialization Phase, Device Discovery Phases, and Link Setup Phase, and different participants like UE, DSMF, AMF/SEAF, and ARPF/UDM. In designing this protocol, we took the following essential assumptions.
• Each DSMF belongs to the 5G serving network.
• The AMF/SEAF knows the unique identifier of the DSMF (ID DSMF ) and DSMF has the unique identifier of the SEAF (ID SEAF ) before the run of the protocol. • Each DSMF shares a secret key K SEAF−DSMF with its 5G serving network's SEAF.
• Once the primary authentication concludes, UE(i) shares the session key K SEAF -UE(i) with the corresponding SEAF. • To provide privacy and anonymity, the proposed protocol counts on 5G-GUTI, which is temporarily assigned to each UE after the primary authentication and periodically updated. Table 2 shows the different notations and their meanings as used in the protocol.

UE initialization phase
The first stage of the D2D communication is the initialization of UE, as shown in Figure 2. It starts with the primary authentication (through 5G-AKA or EAP-AKA') to allow the 5G network and UE to authenticate mutually. The resulting keys and keying materials are then utilized to secure the subsequent communications. Moreover, each UE is assigned with the temporary identifier GUTI, which conceals its SUPI and is updated regularly. Aside from the "normal" course of actions in D2D communication, two important cases require the instantiation of this phase: expired ticket and new GUTI assignment. While the former case refers to the expiration of the lifetime of a ticket generated for a particular UE, the latter refers to different scenarios where an AMF decides to change the current GUTI. According to TS 133 501 (V16.7.1) (TS33.501, 2021), there can be at least three such cases where AMF can issue a new GUTI to the UE: during registration request message (initial registration, mobility registration update, or periodic registration update), service request message in response to paging, and a message from lower layers about the resumption of an RRC connection for a UE in IDLE mode. Figure 2 illustrates the message flows in this phase.

(1-1) D2D-InitReq
After the 5G primary authentication, the devices that want to communicate through D2D send the D2D-InitReq message to AMF/SEAF independently. These messages include random integers n 1 and m 1 from UE(i) and UE(i+1), respectively.

(1-2) D2D-InitRes
Upon receiving the D2D-InitReq message, AMF/SEAF generates random nonce for each of the requesting devices (i.e. n 2 and m 2 for UE(i) and UE(i+1), respectively, in this case). Next, it computes a session key K UE(i)-DSMF (or K UE(i+1)−DSMF ) and a ticket T(UE(i)) (or T(UE(i+1))) as shown in Figure 2. Finally, it sends the D2D-InitRes containing ID DSMF , LT i (or LT (i+1) ), T(UE(i)) (or T(UE(i+1))), and the random nonce n 1 and n 2 (or m 1 and m 2 ) for each of the requesting devices. Each device then checks if the received nonce is the same as it sent out in the D2D-InitReq message. If the verification succeeds, the devices compute the session keys and store them with the received tickets and lifetime, which concludes the UE initialization phase of the D2D protocol.

Device discovery phase
Once the 5G network authenticates the UEs and the necessary materials (session keys and tickets) for D2D communication are ready, the device discovery phase proceeds.

(2-1) D2D-Broadcast
When devices receive the required materials, such as session keys, lifetimes, and tickets, for D2D communication, they can prepare a broadcast message for device discovery. The set of domain parameters is assumed to be shared between the communicating devices before executing the protocol. For instance, as shown in Figure 3, UE(i) prepares a broadcast message for device discovery by first generating the ECDH private-key public-key pair. It picks a random integer d i in the interval [1 ... n-1] as its private key and computes the public key Q i = d i ·G using scalar multiplication. Next, it forms and broadcasts the D2D-Broadcast message including GUTI UE(i) , ID DSMF , Q i , ts 1 , T(UE(i)), HM 1 , where HM 1 is the HMAC value computed over the entire message using K UE(i)−DSMF . The primary purpose of including HM 1 is to protect the broadcast message from message tampering and to allow DSMF to prevent resource exhaustion attacks.

Link setup phase
As a final stage of the proposed protocol, this phase assists the communicating peers to securely exchange keys that will protect the link for subsequent communication.

(3-1) D2D-DevFound and (3-2) D2D-ConnRes
When receiving a D2D-ConnReq message (i.e. by UE(i+1) for this case), DSMF first checks the freshness of the timestamp ts 1 . If that succeeds, it uses K SEAF −DSMF to decrypt the received tickets into their original information. The lifetimes of both tickets LT i and LT (i+1) are then validated. Meanwhile, DSMF verifies the two devices' authenticity through the received temporary identities, GUTI UE(i) and GUTI UE(i+1) , which are then compared with the identities decrypted from the tickets. In turn, it applies the decrypted session keys K UE(i+1)−DSMF and K UE(i)−DSMF to check the validity of the two HMAC values HM 2 and HM 1 , respectively. Once all the verification tests are passed, DSMF successfully authenticates UE(i) and UE(i+1) and believes that they wish to communicate with each other directly. This leads DSMF to compute ts 2 = ts 1 +1 and choose a session key K UE(i)−UE(i+1) for the involved UEs. Subsequently, it distributes this session key to UE(i) (through the D2D-DevFound message) and UE(i+1) (via the D2D-ConnRes message) as shown in the steps (3-1) and (3-2) of Figure 3, respectively. Note that such secure key distribution is achieved through the values EDevFound (encrypted with K UE(i)−DSMF ) and EConnRes (encrypted with K UE(i+1)−DSMF ).

(3-4) D2D-AuthRes
When UE(i) receives the D2D-DevFound message from DSMF, it decrypts the included EDev-Found into ID DSMF , GUTI UE(i) , GUTI UE(i+1) , ts 2 , K UE(i)−UE(i+1) and verifies ts 2 . In addition, upon receipt of the D2D-AuthReq message from UE(i+1), it obtains GUTI UE(i) , GUTI UE(i+1) , Q i+1 , ts 3 by extracting AReqBody from that message. Afterward, it checks ts 3 followed by verification of HM 4 with K UE(i)− UE(i+1) . At this point, if the above test is successful, UE(i) will believe that UE(i+1) not only possesses K UE(i)−UE(i+1) but also wishes for direct communication. Such a belief allows UE(i) to compute the ECDH session key SK = HMAC(d i ·Q i+1 , GUTI UE(i) , GUTI UE(i+1) , "D2D Session Key") while preventing resource exhaustion attack. UE(i) then validates HM 3 with the newly generated session key SK. If this validation holds, it will be sure that UE(i+1) owns SK. Eventually, it concludes the link setup phase of the proposed protocol by responding to the D2D-AuthReq message. To do so, it first computes HM 5 = HMAC(SK, GUTI UE(i) , GUTI UE(i+1) , ts 3 )), forms the D2D-AuthRes message as GUTI UE(i) , GUTI UE(i+1) , ts 3 , HM 5 , and sends back to UE(i+1). UE(i) deletes the ECDH private key from its memory to support the perfect forward secrecy. On receiving the D2D-AuthRes message, UE(i+1) validates ts 3 and HM 5 . If this validation holds, then the link setup phase successfully concludes. In addition, UE(i+1) is sure that its correspondent is ready for direct secure communication based on SK. Consequently, both devices can start to communicate over the established secure channel securely.

Request forecasting
A potential network load is expected in DSMF as it processes numerous D2D connection requests. After checking, verifying, and computing different values and cryptographic operations, DSMF prepares two responses (one for the D2D-ConnRes and another for D2D-DevFound) for each request of a UE. As a result, DSMF must prioritize requests to reduce the heavy burden it endures. To reduce the burden of the network, when the proposed protocol works in an ultradense D2D communication scenario, deep learning-based solutions can be applied to prioritize the requests. Among several possibilities explored in this direction of research to understand if the inclusion of deep learning solutions can fasten the applicability of the proposed protocol, the sequence-to-sequence regression LSTM model (Pełka & Dudek, 2020) is adopted. In this model, trust is used as a factor of prediction and forecasting, as shown in Figure 4, with the help of time-series forecasting using a deep learning tool in MATLAB. The model uses four-fifths of the data sequence for training and the leftover fifth for testing. Features and responses are one as only one series (Trust score) must be forecasted. The number of hidden units in each LSTM layer is set to 100 and trained for 400 epochs at a learning rate of 0.005 and learning dropping at 225. However, the choice of deep learning model is not an ideology behind this paper; rather, the focus is to consider request (priority) forecasting for better serving the network when the proposed protocol is used for secure communications.
The trust-movement of the UE's is calculated by assigning the highest value of 1 (i.e. Tr [(UE(i)] (0) = 1) initially when the network initiates and the UE connects itself for the first time to the network. Then, based on the three phases of the protocol, a trust value is calculated for the active instances of the UE. Next, the LSTM forecasting is used to rank the requests of the UE when the network is overwhelmed, and D2D communication may degrade. The trust of a UE is calculated as a normalized score by taking the average of the score at the previous instance and the current instance, such that: Where K t is the number of key updates performed when broadcasting. D t is the number of device discovery requests leading to additional delays because of connection failures. L t is the non-responsive time of the UE used to calculate a point until which prediction is possible before the network keys kick in and the network is reset with primary authentication, which does not affect the privacy of the UE. For the simplicity, the non-responsive time is considered the communication latency incurred by the proposed protocol. It helps to build a complete active profile of the UE. γ 1 , γ 2 , and γ 3 are the precedence constants for the associated properties of the UE within the protocol. In the case of multiple features, these can be extended further, ensuring that their cumulative upper bound is 1. The forecast of trust value for a given interval is collected, and then the average values of the UEs' trust are compared and ranked to determine the UEs' priority. This ranking assists in determining which UE's must be handled with priority when the network load is high, and many broadcast requests are pending to be handled with the limited handling capacity of the DSMF. Algorithm 1 helps capture the exact idea of priority forecasting of UEs for countering overheads and enabling D2D communications even if the network is overwhelmed. Additionally, the conceptualization of request (priority)-forecasting is supported by a simulated scenario where synthetic data is generated for two UEs and possibilities of handling their requests in order are demonstrated in Figure 5. This data is generated by random allocation of metrics as given in Table 3 for UE(i) and UE(i+1). Table 3. Settings for request-forecasting.

Symbol Value
Instances 1000 (excluding 1) D 1-5 K 1-10 L 10. 48, 10.73, 10.98, 11.23, 11.48, 11.73 γ 1 0.3 γ 2 0.2 γ 3 0.5 Figure 5. Trust Score complete data for UE(i) and UE(i+1). Based on the sequence-to-sequence regression LSTM, the forecast values of UE(i) and UE(i+1) can be identified as shown in Figure 6, which shows that the mean trust score in the predictive interval for UE(i) (0.134) is higher than UE(i+1) (0.125). Thus, this priority can be used to handle the requests when the network is overloaded. However, to make this approach successful, the network load should be forecasted accurately to an extent. Then a similar interval can be used to forecast requests from the UEs and decide if the UE must be handled with priority. Forecasting of the network load is crucial as it will determine the model for the priority ranking of UEs. Alongside, the historical data of the UE will also assist in accurately forecasting the trust score, which makes the comparison useful and deterministic. The open problem here is that how many data points should be used to forecast the trust score for the UE as deep learning itself poses an issue of slow convergence rate. Table 4 summarizes each phase of the proposed protocol along with their functions, message protection mechanisms and involved entities and keys.
In summary, the proposed protocol brings crucial performance and security benefits by • Reducing the latency and burden of the 5G core network by adopting DSMF and issuing a ticket for each UE. • Lessening the network load of DSMF by forecasting requests based on trust levels of UEs.
• Optimizing computational overhead via ECDH based lightweight key exchange and best use the trust established between UE and SEAF during the primary authentication to generate the session key and the corresponding ticket. • Preserving privacy by anonymizing the identities of the UEs through 5G-GUTI.
• Guaranteeing protection of session keys by ensuring perfect forward secrecy through ephemeral ECDH algorithm. Moreover, each UE's ECDH private key is removed from its memory immediately after the key exchange to prevent an attacker from recovering the session key.

Formal security evaluation
This section employs a formal security verification technique to assess the security of the proposed D2D security protocol and ensures that it meets the security criteria. The main

D2D-ConnRes
The same session key sent to the D2D communication initiator in the previous message is also sent to the UE that sent the connection request message during device discovery phase.

D2D-AuthReq
Having the new session key, the UE can send an authentication request to the initiator of the D2D communication.

D2D-AuthRes
The broadcaster sends the authentication response, showing that it possesses the session key.

SK
objective here is to provide a strict and thorough method of verifying the validity of the protocol by using logical inferences and model checking techniques. Accordingly, BAN-logic (Burrows et al., 1989) and Scyther (Cremers, 2008) are often used to conduct the formal verification of security protocols (Ahamad & Khan Pathan, 2021;Zhou et al., 2011). The proposed protocol also uses these mechanisms to carry out the formal security analysis.

Formal verification with BAN-Logic
Named after its three inventors Burrows, Abadi, and Needham, BAN-Logic is a set of rules used to formally analyse security protocols through a series of procedures referred to as Idealization, Assumption, Goal, and Derivation.
As the first step, to make it appropriate for the subsequent phases, the suggested protocol is changed into an idealized form where the flow of messages between distinct roles is transformed and expressed using BAN-Logic notations. Only protected messages (like ciphered texts, digitally signed messages, and message authentication codes) transform into an idealized form. Next, appropriate assumptions that may not be explicitly stated in the protocol are declared to help complete the proofs. Subsequently, different security goals like mutual authentication, secure key exchange, replay attack protection, Etc., are stated using BAN-Logic notation. Finally, the derivations step proceeds by using the idealizations, assumptions, and BAN-Logic rules to prove the goals.
Tables 5 and 6 summarize the notations and rules of BAN-Logic, respectively. In addition, a new rule, Diffie-Hellman Rule (DH), is defined to derive the exchange of session key SK. The DH rule states that when a role P believes that another role Q sends the Diffie-Hellman public key and P believes its Diffie-Hellman public key, P can believe the Diffie-Hellman session key.
The derivation process for the proposed D2D protocol is illustrated in Figure 7. In the Table 5. BAN-Logic Notations.
Notation Meaning V is sent not seen before (i.e. it is fresh) The entities E 1 and E 2 shares the secret key SK E 1 S ⇔ E 2 E 1 and E 2 shares the secret S {V} SK V is encrypted with SK V, W V is combined with the statement W     (D32) show the derived goals corresponding to (G1) to (G8), respectively. As per the result, since all goals were derived successfully, the protocol can be considered secure against attacks that violate the security goals. Table 7 summarizes the security requirements specified in Section 4 with the BAN-Logic derivation results.

Formal verification with Scyther
The former formal verification method has some limitations in performing validation (Boyd & Mao, 1993), which calls for automated verification mechanisms to compensate for the limitation and provide complete formal verification. In this section, we use the automated security verification tool called Scyther to validate the proposed protocol. In utilizing Scyther to formally analyse security schemes such as the D2D security protocol, the protocol is first converted into SPDL (Security Protocol Description Language) (Cremers & Mauw, 2012). The protocol modelled in SPDL contains distinct participants/roles like UE1, UE2, DSMF, and SEAF. Each role includes different behaviour such as generating nonce, computing session keys and transporting messages. The verification codes used in this section are shown in Table 8, while the verification result is shown in Figure 8.
The results from both BAN-logic and Scyther show that the proposed protocol is secure against attacks that proceed by violating the security requirements set.

Comparative analysis of D2D protocols
This section performs a comparative analysis of different D2D protocols concerning computational overhead and communication latency. Accordingly, we computed the overheads associated with the computation and communication for Seok et al. (2020), Chow and Ma (2020), Baskaran and Raja (2017), and our protocol as shown in Tables 9 and 10, respectively.  The computational overhead comparison indicates that all the three protocols use computationally demanding public-key operations like digital signature and verification. The protocols are designed for D2D communication over 5G, so they must be convenient for resource constrained IoT devices. Hence, by relying heavily on secure hash operations rather than public-key encryption or digital signatures, the proposed protocol enhances performance for D2D communication peers.
Notably, the proposed protocol lessens the load on the 5G core while simultaneously lowering the communication latency by adopting DSMF and issuing a ticket for each UE. In 14C HH + 2C KG + 2C DH + 4C SM C KG : cost for performing a key generation, C DH : cost of carrying out a Diffie-Hellman procedure, C HH : cost of computing hash functions, C SM : cost associated with symmetric encryption/decryption, C SS : cost for carrying out digital signature, C SV : cost of verifying digital signature.  addition, the computationally lightweight characteristic of the protocol is realized through an ECDH based lightweight key exchange and 5G primary authentication-initiated trust. The communication overhead comparison is carried out by measuring the roundtrip time required for the UEs to communicate with each other and with the 5G network. In the communication overhead analysis, η denotes the cost of performing a round trip time in a cell (the communication cost among UEs and between a UE and gNB), and δ identifies the total cost incurred due to the communication latency between a gNB and the core network. Here, we assumed that the RU and DU are collocated, and we computed η as the roundtrip time from/to UE to/from RU/DU. We also calculated δ as the sum of the roundtrip times among RU/DU, CU, and core network with this assumption. Finally, numerical values for η and δ from (Brown, 2018) are introduced in the formulae shown in Table 10. Figure 9 depicts the result of the communication overhead for different values of n (total number of devices). As displayed in the figure, Seok et al. (2020) showed the lowest cost. However, the protocol is vulnerable to free-riding and MITM attacks (as it does not consider user authentication while negotiating the ECDH key) besides using heavy cryptographic algorithms (like digital signature signing and verification). Moreover, the remaining two protocols exhibit a higher latency, which makes our protocol preferable.

Conclusion
IoT has altered a broad number of application sectors, bringing substantial benefits to a diverse use case (Liang et al., 2020a(Liang et al., , 2020bXiao et al., 2021;Zhang et al., 2021;Zheng et al., 2021). About D2D communications in 5G cellular networks, IoT applications can benefit significantly from decreased communication delay, enhanced computing resource usage, improved connection speed, and increased system capacity. However, to reap these benefits of D2D communication, various challenges, such as security and privacy, must be tackled. Accordingly, this paper designed a lightweight and secure D2D communication protocol that heavily relies on the trust established during the 5G primary authentication. The protocol leverages this trust to use cryptographically lighter operations, like HMAC, to secure the channel between the communicating entities. Besides, to facilitate secure communication of devices and enhance performance (especially communication latency), a new network function (DSMF) is located near the UE. We also used LSTM-based UE trust forecasting to prioritize communication requests to lessen the network load on DSMF. In addition, we provided a formal security verification of the proposed protocol against five essential security requirements (mutual authenticity, secure key exchange, confidentiality, integrity, and perfect forward secrecy) using BAN-Logic and Scyther. The anonymity of UEs, an essential privacy requirement in D2D communication, is also realized through the 5G-GUTI. The results from both formal approaches show that the protocol satisfies these security requirements. Finally, we presented a comparative analysis of our protocol against the state-of-the-art D2D security protocols concerning computational overhead and communication latency. Consequently, our protocol is found to be a better choice for computationally limited IoT devices wishing to execute a D2D communication in 5G as it is secured and efficient at the same time. While our primary focus is on resource-limited UEs, devices with no computational restrictions may still use the protocol and save time and energy while benefiting from the provably secure environment.
As part of our future work, we would like to address two critical challenges. The first one is related to how the protocol behaves when a UE is assigned with a new GUTI. New GUTI assignments can happen during the link setup and/or after a successful link setup. For the former case, a UE that received a ticket from AMF/SEAF with GUTI1 in the UE initialization phase and attempting to execute the link setup phase (particularly steps (3-3) and (3-4) in Figure 3) with a freshly allocated GUTI2 would fail since the two GUTIs are different. For the latter case, even if secure communication can be achieved with the original GUTI, a UE may be assigned with a new GUTI. Hence, although the devices can still interact using the DSMF-generated key, there may be some security/privacy concerns because the original GUTI is no longer associated with the UE (or both UEs). The second point is about using actual 5G-based D2D communication data for more accurate request predictions. Furthermore, testing with and comparing different deep learning methods on such data might increase the efficiency of the present system.

Disclosure statement
No potential conflict of interest was reported by the author(s).