The Internet of Things (IoT) has built an information bridge between people and the objective world, wherein wireless sensor networks (WSNs) are an important driving force. For applications based on WSN, such as environment monitoring, smart healthcare, user legitimacy authentication, and data security, are always worth exploring. In recent years, many multifactor user authentication schemes for WSNs have been proposed using smart cards, passwords, as well as biometric features. Unfortunately, these schemes are revealed to various vulnerabilities (e.g., password guessing attack, impersonation attack, and replay attack) due to nonuniform security evaluation criteria. Wang et al. put forward 12 pieces of widely accepted evaluation criteria by investigating quantities of relevant literature. In this paper, we first propose a lightweight multifactor authentication protocol for multigateway WSNs using hash functions and XOR operations. Further, BAN logic and BPR model are employed to formally prove the correctness and security of the proposed scheme, and the informal analysis with Wang et al.’s criteria also indicates that it can resist well-known attacks. Finally, performance analysis of the compared schemes is given, and the evaluation results show that only the proposed scheme can satisfy all 12 evaluation criteria and keep efficient among these schemes.

1. Introduction

As the third revolution of the information technology industry, Internet of Things (IoT) has been developing for over 20 years. During this period, more and more physical objects embedded with sensors and terminal devices are constantly connected to IoT to exchange information. For an instance, in wireless sensor networks (WSNs), tens of thousands of different sensors are deployed everywhere (e.g., architectures, bridges, and intelligent terminals). These devices collect the real-time data from surrounding environment or target objects and, at fixed periods, forward the collected data directly to nearby gateway nodes for further analysis. Then, application systems access the data through the network, to further provide various personalized services. In heterogeneous WSNs, any insecure terminal nodes possibly threaten the whole network’s security as the flexible access mode; potential vulnerabilities continually come forth due to the complexity of heterogeneous networks [1]. Thus, it is necessary to design an authentication protocol to ensure that only legitimate users have access to the network [2]. Generally, as far as sensor nodes are resource-constrained in some aspects such as low energy, insufficient computing capabilities, and lack of memory space, many expensive cryptographic primitives are not suitable. As a whole, the designed proposal for WSNs should be balanced well in both security and efficiency.

When it was 1981, Lamport [3] proposed the password-based authentication scheme, and in 1991, Chang and Wu [4] pioneered the smart card-based authentication scheme. Henceforth, achievements on single-factor identity authentication protocols for WSNs emerge in an endless stream. Until 2009, combining the smart card with password, Das [5] put forward a pioneering work on multifactor authentication protocols for WSNs. However, it was revealed to many weaknesses, i.e., destitution of mutual authentication, and vulnerabilities to password guessing attack, sensor node capture attack, and denial-of-service attack (DoS) [68]. Later, many multifactor authentication schemes that asserted high security and efficiency were proposed yet they were prone to various attacks [9, 10]. Xue et al. [11] presented a temporal-credential-based mutual authentication and key agreement scheme for WSNs. Soon afterwards, loopholes were pointed out in their scheme, i.e., vulnerabilities to offline password guessing attack, user tracing, impersonation attack, and stolen-verifier attack, as well as the lack of user anonymity [1214]. In recent years, biological information of human bodies, such as fingerprint and iris, has been excavated for authentication. With its unforgeability, uniqueness, and stability, biometric authentication technology is inherently convenient, reliable, and promising [15]. Yuan [16] took human’s fingerprint as a third factor to achieve user authentication for WSNs, which was lightweight. Nevertheless, their scheme was pointed out that it did not withstand offline password guessing attack, privileged insider attack, and gateway impersonation attack. Then, Li et al. [17] introduced a three-factor authentication scheme for WSNs using biometric features. Subsequently, their scheme was illustrated that it could not resist to stolen smart card attack and support forward secrecy [18]. Additionally, in the practical applications of WSNs, multiple gateways are usually deployed to jointly manage multiple areas. As such, the user can access any sensor node for the real-time data in any area. Research on multigateway-based authentication protocols is also a deserving discussion. Amin et al. [19] proposed a two-factor multiple gateways’ authentication protocol using hash functions. Later, Wu et al. [20] believed that their scheme did not realize mutual authentication and resist impersonation attack; then, they put forward a new scheme. And, Srinivas et al. [21] also found many flaws in [19], i.e., stolen smart card attack and sensor node spoofing attack, and then, they presented a three-factor authentication scheme using hash functions. However, their scheme was also revealed to vulnerability to sensor node capture attack and nonsupport for user anonymity. In 2019, Guo et al. [22] found that the scheme designed by Wu et al. [20] could not resist to stolen smart card attack and session key reveal attack. In order to address these drawbacks, Guo et al. [22] presented a new scheme based on biometric features. Recently, Vinoth et al. [23] proposed a secure multifactor authentication key agreement scheme for industrial IoT, which was insecure as they claimed. It actually could not deal with such attacks such as sensor node capture attack, DoS attack, and replay attack.

As all mentioned above, these schemes are exposed to various vulnerabilities constantly, which in fact are trapped into a “break-propose-break” cycle. Security properties of one scheme is determined by an evaluation standard system, thereby researchers always find new flaws under different systems. In 2018, on the basis of the previous research studies, Wang and Wang [24] summarized and put forward security criteria for two-factor authentication protocols, which are recognized by the industry at present. In these criteria, 12 pieces of independent and fundamental rules are contained that multifactor authentication protocols shall satisfy. Specific content of the criteria can be referred to [24]; we call it “12-Criteria” here for the sake of convenience.

In terms of 12-Criteria, most existing multifactor authentication protocols cannot satisfy all. This paper will put forward a new lightweight three-factor authentication and key agreement scheme for multigateway WSNs, and main contributions are summed up as below:(1)We first reanalyse Guo et al.’s protocol [22]. And, in accordance with 12-Criteria, we further point out some vulnerabilities and drawbacks that still exist in their scheme, including no repairability, improper treatment of biological factors, offline password guessing attack, and lack of forward secrecy.(2)In the light of the 12-Criteria, we put forward a new lightweight three-factor authentication and key agreement scheme for the multigateway environment. In our scheme, biometric features, as an important factor, are extracted and validated by fuzzy extractor [25]. And, honey_list [24] is introduced to assist the effective smart card logout.(3)Formal and informal security analyses are given amply to prove the correctness and security of the proposed scheme, and comparisons with similar research studies show that this new scheme achieves a superior balance between security and efficiency.

The reminder of this paper is organized as follows. The relevant background is introduced in Section 2. In Section 3, discussions of some security flaws in Guo et al.’s work [22] are given. The proposed protocol and the corresponding security analysis are presented in Sections 4 and 5, respectively. The performance of the proposed protocol is evaluated in Section 6, and finally, the whole paper is concluded in Section 7.

2. Preliminaries

This section briefly introduces some necessary notations, system model, and adversary model, as well as preknowledge about formal proofs.

2.1. Notations

The related notations used in this paper are described in Table 1.

2.2. System Model

A multigateway system model is illustrated in Figure 1, wherein three roles, i.e., users, gateway nodes (GWNs), and sensor nodes, are included. Considering the distance measure, the relatively close node is referred to the home gateway node (HGWN), while the opposite is the foreign gateway node (FGWN). The communication processes are summarized as follows.

While a legitimate user attempts to communicate with the sensor node, first he needs to login successfully and send a message to inform HGWN. After the reception of the message, HGWN first checks its database with the key information of the target sensor node as an index. Here, two cases would be taken into an account. Case 1 is presented in steps ➀–④, wherein if the target sensor node exists in the database, HGWN authenticates the user and sends a message to the sensor node. Then, the sensor node authenticates HGWN and returns a message. After the complete verification of the returned message, HGWN returns a message to the user. Similarly, once the message is verified correctly by the user, the three parties can derive a common session key for further communication. While Case 2 is shown in steps 1–8, that is, the target sensor node does not exist in the database, HGWN broadcasts the request message to other nodes. When FGWN receives that and finds that the wanted sensor node exists in its database, it sends a message to HGWN. Then, HGWN returns a message to the user. After a complete authentication process, the user, FGWN, and the sensor node can negotiate the very session key.

2.3. Notations and Formulas of Ban Logic

The Burrows-Abadi-Needham logic [26], BAN logic for short, plays a positive and effective role when proving that one scheme can support authentication and key agreement among communicating participants. Formally, it needs three steps including idealization of interaction messages in the protocol, initial assumptions according to specific situations, and achievements of expected goals by inference rules. We first present the basic notations of BAN logic in Table 2.

The basic formulas of BAN logic are described as follows.(i)(R1) Message-meaning rule: if P concludes that the secret K or Y is shared with Q and sees or , then P believes Q once said X:(ii)(R2) Freshness rule: if P believes X is fresh, then P believes (X, Y) is also fresh:(iii)(R3) Belief rule: if P believes X and Y, then P believes the combination of X and Y:(iv)(R4) Nonce-verification rule: if P believes that X is fresh and Q once said X, then P believes that Q believes X:(v)(R5) Jurisdiction rule: if P believes Q has jurisdiction over X and Q believes X, then P believes X:(vi)(R6) Seeing rule: if P once received a formula and knew the associated key, then P once saw the components of the formula:(vii)(R7) Session key rule: if P believes X is fresh and Q believes X, then P believes he shares the key K with Q:

2.4. Adversary Model

Combing with the 12-Criteria, we list pieces of widely accepted valid assumptions to show the capabilities of an adversary , accordingly to analyse the security of the authentication and key agreement protocols.(i)When entities in WSN communicate with each other over an insecure wireless channel, can eavesdrop and intercept all messages transmitted over a public channel and is capable of tempering with and deleting the intercepted messages. In addition, can participate in running the protocol as a legitimate entity.(ii)In reality, users’ devices and sensors are usually equipped with the hardware to prevent reading and tempering with data illegally [27], but to adhere to the extreme-adversary principle [28], it is reasonable to assume that when the user’s device or the sensor is captured by , has the ability to obtain the data stored in the memory of the captured sensors through side channel attack [24].(iii) is capable of enumerating the Cartesian products of the user’s identity and password. Besides, in the n-factor authentication protocol, can obtain factors at most.(iv)Only when evaluating the forward secrecy of the protocol, can obtain the long-term private key of a gateway node or a sensor node.

2.5. Security Model

To formalize our proposed proposal later, the BPR model [29] can be introduced in this section, i.e., depictions of the random oracle model and definition of authentication and key-exchange (AKE) security.Participants. The authentication protocol involves three communication participants, i.e., the user, HGWN/FGWN, and sensor node. Each participant has many diverse instances which are called oracles. For a specific session, the three entities are instanced into , , and , respectively. Here, let denote any instance.Queries. can only interact with honest participants through oracle queries and attempt to collect the returned messages to break the protocol. Thus, the following queries simulate ’s abilities in practice.(i): it simulates the passive attack, through which can obtain all messages among the three communicators during a normal interaction.(ii): it represents the active attack, which allows intercepts, forges the message, further sends it to , and obtains the corresponding response.(iii): it models abuse of the session key. Once accepts the current session and generates a session key SK, it will return SK to ; otherwise, return .(iv): it simulates that can corrupt any two of the three factors of a legal user , but not at the same time. (1) If , can obtain and all parameters stored in SC; (2) if , can receive and all parameters stored in SC; (3) if , can get and .(v): it represents the semantic security of the session key. Flip a coin b at random; if , it returns the session key of ; if , returns a random number equal in length to the session key to . If the session key of does not exist, it returns . It is noted that it can only be invoked once at any time for fresh sessions.Partners. Let sid denote the session identifier; pid is the session identifier of partners. and are partners if and only if (1) they are both authenticated successfully; (2) they both have the same sid; (3) pid of is , while pid of is .Freshness. A fresh satisfies that (1) is accepted and owns its session key; (2) does not query to or its partner; (3) since runs, queries to or its partner once at most.

Definition 1. (AKE security) Given denotes an event, that is, makes queries to several new accepted instances and can guess the right satisfying . Then, the advantage of breaking the AKE security of can be defined as . For any adversary capable of breaking in probability polynomial time (PPT), is negligible; then, we say achieves AKE security.

3. Cryptanalysis of Guo et al.’s Scheme

The scheme designed by Guo et al. [22] is composed of five parts, including system setup, registration, login, authentication, and password change. Here, we have to leave out the review of their scheme due to space constraints, and readers can refer to [22]. Thus, on the basis of the aforementioned assumptions, security flaws in their scheme are analysed in this section later.No Sound Repairability. As a usual case, those discarded smart cards are not in the safe keeping of users. If unfortunate, his smart card is captured by an attacker . possibly launches the offline password guessing attack. Therefore, it is essential to provide a method to cancel the smart card of the user in multifactor authentication protocols.Improper Treatment of Biometric Factors. As described in this protocol, after the user enters his biometric factor , SC calculates which is a key parameter to verify the true identity of the user. In practice, however, a certain error bit always occurs in the extraction of biometric features (e.g., fingerprint and iris) by reading devices, that is, biometric features extracted each time are not always identical. Therefore, calculated by SC may not equal to that obtained during the user’s registration phase, which may result in the failed authentication even if the user has input the right password.Offline Password Guessing Attack. In the login phase, is assumed to have the ability to obtain two of the three authentication factors. Given that has accessed the user’s identity and biometric factor , then he can launch offline password guessing attack as the following process. guesses a possible password , calculates , , and , and checks whether the equation holds. can repeat these operations until the calculated equals to . Finally, can succeed in obtaining the user’s correct .Lack of Forward Secrecy. Given that the long-term secret key of the GWN is revealed, can grab the private key of the sensor and further restore previous session keys.(i)Case 1:(1) obtains of HGWN and eavesdrops the message to gain the identity of the user-pointed communication object . Then, computes .(2) eavesdrops messages and and then calculates , , , and . In this way, the session key can be derived by as .(ii)Case 2:(1) obtains of FGWN and computes after eavesdropping the message .(2) eavesdrops messages and and then calculates , , , and . Thus, can figure out with ease.

4. The Proposed Scheme

In this section, we present a lightweight three-factor authentication and key agreement scheme for multigateway WSNs in IoT, which involves users, sensor nodes, HGWNs, and FGWNs. Our scheme includes 6 phases: system initialization, registration, login, authentication and key agreement, password update, and smart card logout.

4.1. System Initialization

SA assigns the identity and private key to HGWN, similarly, and to FGWN, and to the sensor . Then, SA sets up a shared key for the communication between HGWN and FGWN. Beyond that, HGWN and FGWN need to select three random numbers , , and , respectively.

4.2. Registration

As shown in Figure 2, this phase involves two parts, sensor registration and user registration. Both sensor nodes and users need to register their essential information with the closest gateway, namely, HGWN.

4.2.1. Sensor Registration

Step 1: . sends its identity to HGWN over a private channel, and HGWN stores to its database for checking whether or not is registered.Step 2: . HGWN calculates and sends to via a private channel. After the reception of , saves it secretly.

4.2.2. User Registration

Step 1: .inputs his username , the password , and his biometric information . Next, he chooses a number at random and then computes and .Step 2: .HGWN selects a pseudoidentity for and calculates , , and . Then, HGWN stores into its database and to SC, where records the number of the user logon failures.Step 3: computes and , where . Next, stores into his SC.

4.3. Login

Step 1: first inputs , , and ; then, SC computes , , and and checks whether holds. If so, turn to the next step; otherwise, return a logon failure message and terminate this session.Step 2: . SC chooses a timestamp and a random number and then calculates , , , , , and .

4.4. Authentication and Key Agreement

After the reception of ’s request to communicate with , HGWN first confirms whether the specified sensor is located within its communication range. Specifically, if HGWN can query its local database for , then the authentication can be conducted as described in Case 1 (see Figure 3); otherwise, run as shown in Case 2 (see Figure 4).(i)Case 1:Step 1: after receiving , HGWN records the current timestamp . If is true, then is valid; otherwise, this session would be closed up. Next, HGWN computes , , , , and and verifies whether the equation is true; if so, it turns into the next step; otherwise, it sets and returns a logon failure message to . Note that once , ’s account would be frozen, and the session is also terminated.Step 2: . HGWN selects randomly and then computes , , , and .Step 3: After the reception of , records the timestamp and checks the freshness of . Next, calculates and and checks whether the equation ; if so, it turns to the next step; otherwise, it terminates the current session.Step 4: . chooses a random number and computes , , and .Step 5: when receiving from , HGWN records the present timestamp and verifies the freshness of . Next, HGWN calculates and and checks whether holds; if so, it turns to the next step; otherwise, it aborts this session.Step 6: . HGWN chooses a new pseudonym for and continues to compute , , , , , and .Step 7: after the reception of , takes down the current timestamp and checks the validity of . Next, computes , , , , and and verifies whether the equation matches; if so, then it turns to the next step; otherwise, it discontinues the session.Step 8: SC calculates and substitutes for .(ii)Case 2:Step 1: similarly, after the reception of , HGWN takes down the current timestamp . If , then is valid; otherwise, the session is discontinued. Next, HGWN computes , , , , and and verifies . If the equation holds, HGWN runs the next step; otherwise, it sets , returns a logon failure message to , and aborts the session.Step 2: HGWN broadcasts to other gateway nodes.Step 3: . FGWN finds in its database, then records the present timestamp , and computes and .Step 4: . When receiving from FGWN, HGWN takes down the timestamp and verifies the freshness of . HGWN selects a new pseudonym and calculates , , , , , and .Step 5: after receiving , records the time stamp and checks the validity of . Then, computes , , and and checks . If the equation holds, continues the next step; otherwise, it terminates the session.Step 6: . selects a random number and computes .Step 7: after the reception of , FGWN records and verifies the freshness of . Next, FGWN computes and further checks whether matches. If so, FGWN continues the next step; otherwise, it discontinues the session.Step 8: . FGWN selects at random and computes , , , and .Step 9: after the reception of , takes down the timestamp and verifies the freshness of . Next, calculates and and checks the equation . If the equation holds, turns to the next step; otherwise, it terminates the session.Step 10: . selects at random and computes , , and .Step 11: once receiving , FGWN takes down and verifies the freshness of . Further, FGWN computes and and checks whether the equation is true; if so, it continues the next step; otherwise, it terminates the session.Step 12: . FGWN computes , , and .Step 13: after receiving , thereupon records the timestamp and checks the validity of . Further, computes , , and and checks whether the equation holds; if so, it continues the next step; otherwise, it discontinues the session.Step 14: SC computes and replaces with .

4.5. Password Update

Step 1: first inputs his , , and . SC computes , , and and checks the equation . If the equation holds, the next step can be run; otherwise, a logon failure message would be returned and the login request also would be terminated.Step 2: inputs a new password , and SC computes , , , , and and then replaces with .

4.6. Smart Card Logout

Step 1: inserts his smart card SC and inputs , as well as . Further, SC computes , , and and checks whether matches; if so, it turns to Step 2; otherwise, it returns a logon failure message and terminates this session.Step 2: . selects the current timestamp , thereupon computes , , and .Step 3: after the reception of , HGWN records the timestamp . If is true, then is fresh. Then, HGWN computes and and continues to check whether . If the equation holds, it runs the next step; otherwise, it aborts the session.Step 4: HGWN deletes all local records of .

5. Security Analysis

This section provides a rigorous security analysis for the proposed authentication scheme. On the basis of 12-Criteria, informal analysis first discusses how the proposed scheme resists against some well-known attacks. Second, the well-popular BAN logic is utilized to validate the correctness of the proposed scheme as well as the feasibility for authentication and key negotiation. Finally, the BPR model-based formal security proof demonstrates the security of the proposed scheme well.

5.1. Informal Analysis

Resistance to Insider Attack. In multifactor authentication schemes, the user’s password, as a second factor, is of vital for the server/gateway to authenticate the user. The server/gateway in its usual sense is worth trusting, while it is facing a real possibility that insiders may disclose users’ sensitive information. At the registration phase, ’s password is masked by to transmit to HGWN. Though has the ability to obtain , he cannot guess the correct . That is because is a random number, only known to , and and derived information from ’s biometric factors are also secret. Additionally, the two parameters never appear in any communication channel, and does not possess the ability to crack hash functions. As a consequence, the proposed scheme can resist insider attack.Resistance to Password Guessing Attack. Assuming that has generated the Cartesian products of and maliciously obtained the biometric factors and SC through the reading device, then can calculate , , and and further check whether the equation holds to find out a correct password. It is noted that there are [24] passwords satisfying the equation, the attempts of which are enormous, thus the offline password guessing attack bounds to fail. Furthermore, records the number of user logon failure when HGWN verifies the identity of , which makes it extremely unlikely that can guess the right password through online password guessing within finite attempts. Clearly, the proposed scheme can resist diverse password guessing attacks.Resistance to Replay Attack. It is known that has the ability to eavesdrop and intercept messages over the public channel. So, may retransmit the eavesdropped or intercepted messages in a new round of the protocol implementation, to make the other party believe that “he” is legitimate to communicate with him. In the proposed protocol, however, the timestamp is employed to demonstrate the freshness of each message, so as to filter out old messages intercepted by . For an instance, has intercepted , where , and at time , he attempts to resend to HGWN for login. However, can only change the timestamp in the message but not that in , thus the launched replay attack bounds to fail. This instance illustrates that the proposed scheme can withstand replay attack.User Anonymity. In terms of user anonymity, it is required that cannot find out the true identities of users or trace their communication trajectories. In this scheme, each user is assigned a pseudonym , and after a round of key negotiation, his pseudonym will be updated with a new pseudonym . Moreover, the calculation of depends on ’s private key and identity , neither of which is exposed to the open channel. Therefore, cannot trace the communication trajectory of the user via the pseudonym. As analysed above, user anonymity is effective.Forward Secrecy. According to the proposed protocol, ’s and ’s private keys are both calculated by a random number and the gateway node’s long-term key. It helps that even if the long-term key of the gateway node is leaked for some reason, cannot figure out ’s or ’s private key due to no idea of the random number. As the session key depends on , , as well as , three of which are severally masked by private keys of three parties, cannot compute the right SK at all. Consequently, the presented scheme supports forward secrecy.Effective Smart Card Logout. For those smart cards not used any more, improper handling may pose a huge safety hazard. On the basis of the smart card logout method described in this protocol, must enter his right , , and simultaneously while cancelling his SC, so as to prevent from launching malicious cancellation after the smart card is lost. In addition, cannot achieve password guessing attack and obtain three authentication factors at the same time, so there is no way for to masquerade as a legitimate user to cancel the smart card. Hence, the smart card logout method presented in this protocol is effective and secure.

5.2. Formal Analysis Based on BAN Logic

In the light of BAN logic, a detailed analysis in this section will illustrate that the interacting parties (, , and ) can achieve mutual authentication and negotiate a common session key properly and securely. The analytic procedures for two cases in the proposed scheme are described as follows.

5.2.1. Security Analysis for Case 1

(i)Goals:(ii)Idealized forms:(iii)Assumptions:(iv)Main proofs:From and R6, we can know .From S1, , and R1, we can get .From S2, , R2, and R4, we can get .From S3, , and R5, we can get .From , R2, and , we can get .From S3, S5, and R7, we can get .Here, we have achieved G3.From S6, , and R4, we can get .Then, G4 has been also achieved.From and R6, we can know .From S8, , and R1, we can gain .From S9, , R2, and R4, we can gain .From S10 and R3, we can gain .From S11, , and R5, we can gain .From , R2, and , we can gain .From S11, S13, and R7, we can gain . Here, G7 has been proved.From S14, , and R4, we can gain .So, G8 has been also gained.Fromand R6, we can get .From S16, , and R1, we can get .From S17, , R2, and R4, we can get .From S18 and R3, we can get .Here, we have achieved G6.From S19, , and R5, we can get .So, G5 has been also gained.From and R6, we can gain .From S21, , and R1, we can obtain .From S22, , R2, and R4, we can obtain .From S23 and R3, we can obtain .So, we have achieved G2.From S24, , and R5, we can obtain .Finally, we have gained G1.

5.2.2. Security Analysis for Case 2

(i)Goals:(ii)Idealized forms:(iii)Assumptions:(iv)Main proofs:From and R6, we obtain .From S26, , and R1, we obtain .From S27, , R2, and R4, we obtain .From S28, , and R5, we obtain .From , R2, and , we obtain .From S28, S30, and R7, we obtain .So, G3 has been achieved.From S31, , and R4, we obtain .Here, G4 has been also obtained.From and R6, we get.From S33, , and R1, we get .From S34, , R2, and R4, we get .From S35 and R3, we get .From S36, , and R5, we get .From , R2, and , we get .From S36, S38, and R7, we get . Here, we have proved G7.From S39, , and R4, we get .Here, we have achieved G8.From and R6, we gain.From S41, , and R1, we gain .From S42 and R3, we gain .From , R2, and , we gain .From S43, S44, R2, and R4, we gain .Here, we have achieved G6.From , S45, and R5, we gain .So, we have also achieved G5.From and R6, we know .From S47, , and R1, we get .From S48 and R3, we get .From , R2, and , we get .From S49, S50, R2, and R4, we get