PUF and Chaotic Map-Based Authentication Protocol for Underwater Acoustic Networks

Abstract

A secure and effective authentication and communication scheme between users and underwater sensors plays an important role in improving the detection and utilization of marine resources in underwater acoustic networks (UANs). However, due to the energy limitations and susceptibility to capture of underwater sensors and gateways, it is necessary to design a lightweight authentication protocol that can resist capture of sensors and gateways during attacks. In this paper, a lightweight authentication protocol for UANs based on the Physical Unclonable Function (PUF) and chaotic map is proposed. We used the advantages of PUF to resist sensors and gateways being captured in attacks and the chaotic map to achieve lightweight authentication because the computational cost of the chaotic map is almost one-third that of Elliptic Curve Cryptography (ECC). Additionally, we used the formal security proof in the random oracle model to prove the security of the proposed scheme. Our scheme was more secure and efficient compared with some other related schemes in terms of security and performance requirements, and the proposed scheme is suitable for UANs.

1. Introduction

The ocean area accounts for about 71% of the earth’s surface area. With the increasingly prominent contradiction between the global shortage of food, resources, and energy supply and the rapid population growth, the development of marine resources is inevitable for historical development. Using wireless sensor networks (WSNs) to perceive and monitor marine environment information can improve the utilization efficiency of marine resources, coordinate the allocation of marine and land resources, and realize the maximum utilization value of marine resources.

Due to the poor propagation of electromagnetic waves in seawater and since optical communications will be strongly affected by scattering, acoustic waves can enable communications over long-range links, so they provide the most obvious medium to enable underwater communication. Underwater wireless sensor networks are wireless communication networks based on acoustic signals, in which sensors are deployed underwater, where the environments are time-varying, called underwater acoustic networks (UANs). They use aircraft, submarines, or surface ships to randomly deploy a large number of cheap, miniature sensor nodes in the seawater. The nodes form a multi-hop self-organizing network system through underwater acoustic communication, which can cooperatively sense, collect, and process the information of the sensing objects in the network coverage area, and send it to the receiver. They are mainly used to carry out coordinated tasks, such as oceanographic data collection, pollution prediction, ocean mining, shipwreck avoidance, ocean monitoring, etc.

With the increasing use of UANs in industry and the military, the need to transmit sensitive information on insecure channels is also increasing. It is easy for adversaries to eavesdrop, intercept, modify, and delete the information, which leads to various attacks and causes huge losses [1]. Therefore, it is essential to control access to UANs’ information and services and ensure that sensitive information is securely exchanged between users and sensor nodes. At the same time, the UANs are required to be able to respond to the relevant information of the marine environment in real time, reflecting the real-time requirements of the UANs. Only by continuous and real-time monitoring of the changing state of the ocean can humans grasp the ocean data in time, develop, and use the data.

Authentication can ascertain the user legitimacy of using the network resource and establishing the session key between the user and the sensor node to protect the confidentiality and integrity of the data from the attacker. A number of security authentication and key agreement schemes have been proposed for terrestrial wireless sensor networks (TWSNs), but most of them are not applicable to UANs, due to the energy limitations and susceptibility to capture of underwater sensors and gateways. Therefore, a security mechanism specifically for UANs is needed [2].

1.1. Related Work

In 2019, Banerjee et al. [3] proposed a security-enhanced authentication and key agreement scheme for WSN, but their scheme cannot resist offline password guessing attacks, impersonation attacks, and does not achieve session key secrecy, identity unlinkability, and perfect forward secrecy. In 2020, Chen et al. [4] proposed an authentication scheme for WSN in IoT environments, but their scheme is vulnerable to offline password guessing attacks, impersonation attacks, and fails to achieve perfect forward secrecy, user anonymity, and unlinkability. In 2021, Shuai et al. [5] presented a lightweight authentication protocol for WSN environments using ECC to prevent various security issues. However, their scheme does not provide perfect forward security and suffers from desynchronization attacks and stolen-verifier attacks. Later, Kaur et al. [6] presented a two-factor user authentication protocol for smart homes using ECC. Yu et al. [7] presented that Kaur et al.’s scheme cannot resist impersonation attacks, session key disclosure attacks, and secure user authentication. They proposed a lightweight authentication scheme to overcome the security problems of Kaur et al.’s protocol. In 2021, Far et al. [8] proposed a user authentication protocol using fuzzy extractor and hash-chain in the IIoT environment. In 2023, Sahoo et al. [9] proposed a three-factor-based authentication scheme of 5G WSN for IoT systems and claimed that their scheme is secure. However, Xie et al. [10] pointed out that their scheme is vulnerable to user impersonation attacks, sensor node impersonation attacks, and capture attacks, and lacks user unlinkability and three-factor secrecy.

Recently, chaotic map has been widely concerned since it has better security and performance than traditional cryptography. The difficulty of the chaotic map’s Diffie–Hellman problem and its semi-group property make it feasible to establish secure session keys. In addition, the computation overhead of a Chebyshev polynomial is approximately 1/3 of the scalar multiplication on elliptic curves [11]. It significantly reduces the computing overhead and energy consumption of resource-constrained sensor nodes, which is more suitable for devices with a limited battery life and smaller computation power. In 2015, Lee et al. [12] proposed a three-party authenticated key agreement scheme based on chaotic maps without a password table. Jabbari et al. [13] showed that the scheme of Lee et al. fails to guarantee user anonymity and put forward an improved scheme. In 2016, Kumari et al. [14] introduced a two-factor authentication scheme for WSN using the chaotic map. However, the protocol of Kumari et al. suffers from sensor node impersonation attacks [15]. In 2018, Aghili et al. [16] proposed an efficient three-factor authentication scheme for WSN using the hash function. However, Wang et al. [17] showed that the scheme does not provide security against session key disclosure attacks, desynchronization attacks, sensor node impersonation attacks, and session-specific temporary information attacks. Besides, they presented an improvement protocol for WSN using chaotic maps. In 2019, Lee et al. [18] introduced a multi-server authentication protocol using extended chaotic maps. However, Kumar et al. [19] found that their protocol is insecure against user impersonation attacks, session-specific temporary information attacks, and time synchronization problems, and proposed another protocol based on extended chaotic maps. In 2021, Qi et al. [20] proposed a chaotic map-based authentication protocol for an industrial medical cyber-physical system. However, Ding et al. [21] showed that their protocol is vulnerable to identity guessing attacks, user impersonation attacks, trace attacks, desynchronization attacks, and lacks perfect forward secrecy, and they proposed a security-enhanced one.

Recently, how to resist capture attacks from physical devices has become a hot topic in authentication protocol research. Thanks to the application of Physically Unclonable Functions (PUF), many security authentication protocols have emerged that resist sensor capture attacks. In 2024, Xie et al. [22] proposed a multi-server authentication protocol based on PUF and chaotic maps to address the security issues of Yu et al.’s scheme [23]. Xie et al. [24] also proposed a PUF-based security authentication protocol to address the inability of Kumar et al.’s scheme [25] to resist capture attacks from roadside units. Oláh et al. [26] proposed a Blockchain- and PUF-based registration protocol for the Internet of Drones.

The change from hash-based operations to complex cryptographic primitive-based schemes greatly improved the security of TWSNs. However, the difference between TWSNs and UANs makes it impossible to directly use TWSN’s secure authentication mechanism for UANs. In 2019, Diamant et al. [27] proposed a cooperative authentication scheme for UANs, which relies on trusted nodes that independently assist in aggregating nodes during the authentication process. Later, Zhang et al. [28] presented a remote mutual authentication scheme based on chaotic maps for UANs. Based on the architecture of underwater wireless sensor networks, Kumar et al. [29] designed an authentication technique that establishes a session key for safe communication. In 2024, Tomović et al. [30] proposed a Blockchain-based Key Management Protocol for UANs, and Wang et al. [31] proposed a deep learning and random forest algorithm-based dynamic trust model for UANs.

1.2. Motivation and Contributions

It is shown that Zhang et al.’s scheme [28] cannot provide secure mutual authentication and establish the session key, and it fails to resist offline password guessing attacks and user impersonation attacks. In Kumar et al.’s scheme [29], the session key between the user and the Onshore Base Station cannot achieve perfect forward secrecy and may suffer from ID guessing attacks. On the other hand, their scheme cannot resist sensor node capture attacks and does not establish the session key between the user and the sensor node. Tomović et al.’s scheme [30] cannot resist sensor node capture attacks and cannot achieve anonymity.

Since almost all authentication protocols for UANs have one or more security flaws, designing a secure and effective lightweight authentication protocol for UANs is a challenge. Therefore, a secure and efficient lightweight authentication protocol for UANs is proposed, and the main contributions are as follows:

(1) Based on the uniqueness and randomness of Physical Uncontrollable Functions (PUF) and the fast computation of chaotic maps, a secure and efficient authentication protocol for UANs is proposed.

(2) The proposed scheme is proven secure under the random oracle model, which can achieve all known security properties, such as perfect forward secrecy, anonymity, and resistance to device capture attacks.

(3) The proposed scheme is more secure and efficient compared with some other related schemes in terms of security and performance requirements, and the proposed scheme is suitable for UANs.

The rest of this paper is constructed as follows: Section 2 provides the preliminaries and the threat model. The proposed authentication and key agreement scheme for UANs is presented in Section 3. Section 4 and Section 5 provide corresponding formal and informal analyses of the proposed scheme. The security and performance comparisons between the proposed scheme and other resource-constrained schemes are presented in Section 6. Section 7 is the conclusion.

2. Preliminaries

In this section, we will introduce the threat model used in this paper and review some basic definitions concerning the Chebyshev polynomial, chaotic maps, and PUF.

2.1. Threat Model

The proposed protocol adopted the widely accepted Dolev–Yao threat model (DY model) [32], in which any adversary has the ability to eavesdrop, intercept, modify, or delete the messages transmitted among users, gateways, and sensors. In addition, any adversary can extract all the sensitive information stored in the lost/stolen smart card of a legal user, $U_i$, using the side channel attack. Meanwhile, any adversary can capture the gateway and sensor nodes.

2.2. Chebyshev Polynomial

Definition 1 (Chebyshev polynomial):

The Chebyshev polynomial can be defined as (1) or (2), where $n\in N$, $n\ge 2,T_0\left(x\right)=1,T_1\left(x\right)=x$:

$$T_n\left(x\right)=\mathit{cos}\left(n·\mathit{arccos}\left(x\right)\right),x\in \left[-\mathrm{1,1}\right]$$

(1)

$$T_n\left(x\right)=2x{T}_{n-1}\left(x\right)-T_{n-2}\left(x\right),n\ge 2$$

(2)

The semi-group property and chaos property are two primary properties of the Chebyshev polynomial [33].

Definition 2 (semi-group property):

The semi-group property of the Chebyshev polynomial $T_n\left(x\right)$ is defined as follows:

$$\begin{gathered} T_g\left(T_h\left(x\right)\right)=\mathit{cos}\left(g·\mathit{arccos}\left(\mathit{cos}\left(h·\mathit{arccos}\left(x\right)\right)\right)\right) \\ {T}_h\left(T_g\left(x\right)\right)=\mathit{cos}\left(h·\mathit{arccos}\left(\mathit{cos}\left(g·\mathit{arccos}\left(x\right)\right)\right)\right) \\ {T}_g\left(T_h\left(x\right)\right)=T_h\left(T_g\left(x\right)\right) \end{gathered}$$

(3)

where $g$ and $h$ are positive integers and $x\in \left[-\mathrm{1,1}\right]$.

Definition 3 (chaos property):

The Chebyshev polynomial map, $T_n\left(x\right):\left[-\mathrm{1,1}\right]\to \left[-\mathrm{1,1}\right]$ of degree $n>1$, is a chaotic map with invariant density as: $\partial =\frac{1}{\pi \sqrt{1-x^2}}$, for the Lyapunov exponent $\lambda =\mathit{ln}n$.

Definition 4:

Enhanced Chebyshev polynomial is expressed as:

$$T_n\left(x\right)=2x{T}_n\left(x\right)-T_{n-2}\left(x\right) mod q$$

(4)

where $q$ is a large prime and $x\in \left(-\infty ,+\infty \right)$. The enhanced chaotic maps still satisfy the semi-group property and chaos property.

Definition 5 (chaotic map-based discrete logarithm problem, CMDLP):

Considering$\alpha$ and$\beta$, it is computationally infeasible to compute an integer, $\lambda$, such that $T_{\lambda }\left(\alpha \right) mod q=\beta$.

Definition 6 (chaotic map-based Diffie–Hellman problem, CMDHP):

Considering $\alpha$,$T_{\lambda }\left(\alpha \right)$, and$T_{\beta }\left(\alpha \right)$, it is computationally infeasible to compute $T_{\lambda \beta }\left(\alpha \right)$.

2.3. Physically Unclonable Functions

As a new hardware security primitive, the Physically Unclonable Function (PUF) is a hardware function implementation circuit that relies on chip features, with uniqueness and randomness. By extracting process parameter deviations that are inevitably introduced during chip manufacturing, it achieves a function that uniquely corresponds to the excitation and response signals [34]. In our scheme, PUF was used to protect the information stored in the gateway and sensors.

3. The Proposed Scheme

Based on the fact that gateways and sensors in underwater acoustic networks are easily captured, the proposed scheme adopted PUF to protect the secret information stored in gateways and sensors. In order to achieve two-factor security, the user’s identity and password are verified using fuzzy authentication. To achieve lightweight and secure authentication, the semi-group property of Chebyshev polynomials was adopted to achieve perfect forward secrecy. The notations used in our scheme are listed in

Table 1. Notations.

Symbol	Description
$U_i$	The $i^{th}$ user
${GWN}_k$	The $k^{th}$ gateway node
${Sn}_j$	The $j^{th}$ sensor node
SC	Smart card of user $U_i$
${id}_i$, ${pw}_i$	Identity and password of $U_i$, respectively
${Gid}_k$	Identity of the $k^{th}$ gateway node
$S_K$	Secret key of the ${GWN}_k$
${Sid}_j$	Identity of the $j^{th}$ sensor node
$S_j$	Secret key of the ${Sn}_j$
$rug$, $ru$	Two random numbers selected by $U_i$
$r$	The random number selected by ${GWN}_k$
$T_i$	Timestamp
$\mathsf{\Delta }T$	The allowable maximum transmission time interval
$M_1\parallel M_2$	Data $M_1$ concatenates with data $M_2$
$M_1⨁M_2$	XOR operation of $M_1$ and $M_2$
$h\left(.\right)$	A secure one-way hash function
$E_k\left(.\right)/D_k\left(.\right)$	Symmetric encryption/decryption using the key $k$

.

3.1. Initialization Phase

The initialization phase is executed offline by the gateway. Gateway ${GWN}_k$ randomly chooses $S_K$ as its master key, ${Gid}_k$ as its identity, a large prime number $q$, and a secure one-way hash function $h\left(.\right)$. Meanwhile, the gateway chooses a challenge $C_G$, and computes the corresponding response, $R_G=PUF1\left(C_G\right)$, $GSK=S_K⨁h\left(R_G\right)$, or $M_0=T_{S_K}\left(x\right) mod q$. Then, the gateway chooses $x\in \left(-\infty ,+\infty \right)$, and publishes the public parameters {$q$, $x$, $h\left(.\right)$}. In the same way, the gateway chooses ${Sid}_j$ as the identity of the sensor node ${Sn}_j$, and computes $S_j=h\left({Sid}_j\parallel {Gid}_k\parallel S_K\right)$ according to the topological relationship for the sensor node ${Sn}_j$. The gateway sends {${Gid}_k,{Sid}_j$, $S_j$} to ${Sn}_j$, and stores {$M_0,{Gid}_k$, $C_G$, ${Sid}_j, PUF1\left(\right), GSK$}.

The sensor node ${Sn}_j$ chooses a challenge $C_S$, and computes the corresponding response $R_S=PUF2\left(C_S\right)$ and $SNJ=S_j⨁h\left(R_S\right)$, and stores {${Gid}_k,{Sid}_j,SNJ,C_S, PUF2\left(\right)$}.

3.2. User Registration Phase

The user performs the following steps to be a legal user through a secure channel.

Step 1: The user $U_i$ freely selects the identity ${id}_i$ and password ${pw}_i$, and sends the registration request message {${id}_i$, $h\left({id}_i\parallel {pw}_i\right)$} to the ${GWN}_k$ through a secure channel.

Step 2: After receiving the registration request message, the ${GWN}_k$ computes $M_1=h\left({id}_i\parallel S_K\right)⨁h\left({id}_i\parallel {pw}_i\right)$, where $x\in \left(-\infty ,+\infty \right)$. Then, the ${GWN}_k$ stores {$h\left(.\right)$, $M_0$, $M_1$} in a smart card (SC) and safely issues the SC to the user $U_i$.

Step 3: The user $U_i$ computes $M_3=h\left({id}_i\parallel M_0\parallel {pw}_i\right)mod{n}_0$, where $n_0\in (2^4,2^8)$, and stores {$h\left(.\right)$, $M_0$, $M_1,M_3,n_0$}

3.3. Login Phase

In order to login to the ${GWN}_k$ and access the data from the ${Sn}_j$, the user $U_i$ needs to execute the following steps:

After inserting the SC into the card reader of a specific terminal device, $U_i$ enters its identity ${id}_i$ and password ${pw}_i$, computes ${M_3}^{\prime }=h\left({id}_i\parallel M_0\parallel {pw}_i\right)mod n_0$, and checks whether ${M_3}^{\prime }=M_3$ is correct or not. If yes, the SC generates two random numbers, $rug$ and $ru$, and computes $M_2=M_1⨁h\left({id}_i\parallel {pw}_i\right)$, $K_U=T_{ru}\left(x\right)mod q$, $K_{U-G}=T_{ru}\left(M_0\right) mod q$, $M_4=h\left(T_1\parallel M_2{\parallel rug\parallel id}_i\right)$, and $M_5=E_{K_{U-G}}\left({id}_i\parallel {{Sid}_j\parallel rug\parallel M}_4\right)$, where $T_1$ is the current timestamp. Then, the SC sends the login request message, {$K_U$, $M_5$, $T_1$}, to the ${GWN}_k$.

3.4. Authentication and Key Management Phase

This phase allows the user to accomplish mutual authentication and session key agreement between the user and the sensor node through the help of the gateway node, and the steps are described as follows.

Step 1: After receiving the login request message, {$K_U$, $M_5$, $T_1$}, the ${GWN}_k$ first computes whether $T_2-T_1\le \Delta T$ holds, where $T_2$ is the current timestamp. If the timestamp verification holds, ${GWN}_k$ continues to execute the next step, otherwise, the login request is denied.

Step 2: The ${GWN}_k$ computes $K_{U-G}=T_{S_K}\left(K_U\right) mod q$, $M_6=D_{K_{U-G}}\left(M_5\right)=${${id}_i$, ${Sid}_j$, $rug$, $M_4$}.

Step 3: The ${GWN}_k$ computes $S_K=GSK⨁h\left(PUF1\left(C_G\right)\right),$ $M_2^{\prime }=h\left({id}_i\parallel S_K\right)$, $M_4^{\prime }=h\left(T_1\parallel M_2^{\prime }\parallel rug\parallel {id}_i\right)$.

Step 4: The ${GWN}_k$ checks whether $M_4^{\prime }=M_4$ is correct or not. If the equation holds, the $U_i$ and ${GWN}_k$ are successfully authenticated by each other, otherwise, ${GWN}_k$ terminates this session instantaneously.

Step 5: The ${GWN}_k$ chooses a random nonce $r$, computes $S_j=h\left({Sid}_j\parallel {Gid}_k\parallel S_K\right)$, $M_7=E_{S_j}\left(h\left({id}_i\parallel r\right)\parallel {Gid}_k\parallel {Sid}_j\parallel K_U\parallel T_2\right)$, and delivers the message {$M_7$,$T_2$} to the sensor node ${Sn}_j$.

Step 6: Upon obtaining the message {$M_7$, $T_2$} at timestamp $T_3$, the ${Sn}_j$ checks whether ${ T}_3-T_2\le \Delta T$ is correct. If it holds, they move to the next step, otherwise, this session is terminated instantaneously.

Step 7: The ${Sn}_j$ computes $S_j=NJ⨁h\left(PUF2\left(C_S\right)\right)$, $M_8=D_{S_j}\left(M_7\right)=\{h\left({id}_i\parallel r\right),{Gid}_k$, ${Sid}_j$, $K_U\}$.

Step 8: The ${Sn}_j$ chooses a random number, $rs$, and computes $M_9=T_{rs}\left(x\right) mod q$, $SK=h\left(T_{rs}\left(K_U\right)\parallel K_U\parallel M_9\parallel {Gid}_k{\parallel Sid}_j\parallel h\left({id}_i\parallel r\right)\right)$, $M_{10}=h\left({Gid}_k\parallel {Sid}_j\parallel SK\parallel M_9\parallel T_3\right)$, and $M_{11}=h\left(S_j\parallel M_9\parallel M_{10}\parallel T_3\parallel h\left({id}_i\parallel r\right)\right)$. Then, the ${Sn}_j$ delivers the message {$M_9$,$M_{10}$, $M_{11}$, $T_3$} to ${GWN}_k$.

Step 9: Upon obtaining the message {$M_9$, ${ M}_{10}$, $M_{11}$, $T_3$} at timestamp $T_4$, the ${Sn}_j$ checks whether${ T}_4-T_3\le \mathsf{\Delta }T$ holds. If yes, they move to the next step, otherwise, this session is terminated instantaneously.

Step 10: ${GWN}_k$ first verifies the correctness of $M_{11}$, and then computes $M_{12}=h\left(rug\parallel M_9\parallel M_{10}\parallel T_4\right)$, $M_{13}=E_{rug}\left(r\parallel M_{12}\right)$, and sends {$M_9$, $M_{10}$, $M_{13}$, $T_3{,T}_4$} to the user $U_i$.

Step 11: Upon receiving the message {$M_9$, ${ M}_{10}$, ${\mathrm{M}}_{13}$, ${ T}_3{ ,T}_4$} at timestamp $T_5$, the SC checks whether $T_5-T_4\le \Delta T$, decrypts $M_{13}$, obtains $r$ and $M_{12}$, and checks the correctness of $M_{12}$. If yes, they proceed to the next step, otherwise, this session is terminated instantaneously.

Step 12: The SC computes $SK=h\left(T_{ru}\left(M_9\right)\parallel K_U\parallel M_9\parallel {Gid}_k\parallel {Sid}_j\parallel h\left({id}_i\parallel r\right)\right)$, $M_{10}^{\prime }=h\left({Gid}_k\parallel {Sid}_j\parallel SK\parallel M_9\parallel T_3\right)$, and checks whether $M_{10}^{\prime }=M_{10}$ holds. If the equation holds, a session key, $SK$, is established.

The Login and authentication process is shown in

Table 2. Login and authentication phase.

${\mathit{U}}_{\mathit{i}}$	${\mathit{G}\mathit{W}\mathit{N}}_{\mathit{k}}$	${\mathit{S}\mathit{n}}_{\mathit{j}}$
$\mathrm{i}\mathrm{n}\mathrm{s}\mathrm{e}\mathrm{r}\mathrm{t} SC \mathrm{a}\mathrm{n}\mathrm{d} \mathrm{i}\mathrm{n}\mathrm{p}\mathrm{u}\mathrm{t} {id}_i,{pw}_i$
$\mathrm{R}\mathrm{C} \mathrm{c}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{u}\mathrm{t}\mathrm{e}$ ${M_3}^{\prime }=h\left({id}_i\parallel M_0\parallel {pw}_i\right)mod n_0$ Checks whether ${M_3}^{\prime }=M_3$
$M_2=M_1⨁h\left({id}_i\parallel {pw}_i\right)$
$\mathrm{c}\mathrm{h}\mathrm{o}\mathrm{o}\mathrm{s}\mathrm{e} \mathrm{t}\mathrm{w}\mathrm{o} \mathrm{r}\mathrm{a}\mathrm{n}\mathrm{d}\mathrm{o}\mathrm{m} \mathrm{n}\mathrm{u}\mathrm{m}\mathrm{b}\mathrm{e}\mathrm{r}\mathrm{s} rug \mathrm{a}\mathrm{n}\mathrm{d} ru$
$K_U=T_{ru}\left(x\right)mod q$
$K_{U-G}=T_{ru}\left(M_0\right)mod q$
$M_4=h\left(T_1\parallel M_2\parallel rug\parallel {id}_i\right)$
$M_5=E_{K_{U-G}}\left({id}_i\parallel S{id}_j\parallel rug\parallel M_4\right)$
$\hspace{1em}\stackrel{{ \{ K}_U, M_5, T_1 \} }{\to }$	$\mathrm{c}\mathrm{h}\mathrm{e}\mathrm{c}\mathrm{k} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{f}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}\mathrm{n}\mathrm{e}\mathrm{s}\mathrm{s} \mathrm{o}\mathrm{f} {\mathrm{T}}_1$
	$\mathrm{c}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{u}\mathrm{t}\mathrm{e} K_{U-G}=T_{S_K}\left(K_U\right)mod q$
	$M_6=D_{K_{U-G}}\left(M_5\right)$ $S_K=GSK⨁h\left(PUF1\left(C_G\right)\right)$
	$M_2^{\prime }=h\left({id}_i\parallel S_K\right)$
	$M_4^{\prime }=h\left(T_1\parallel M_2^{\prime }\parallel rug\parallel {id}_i\right)$
	$\mathrm{c}\mathrm{h}\mathrm{e}\mathrm{c}\mathrm{k} \mathrm{w}\mathrm{h}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{e}\mathrm{r} M_4^{\prime }=M_4$
	$S_j=h\left({Sid}_j\parallel {Gid}_k\parallel S_K\right)$
	$\mathrm{c}\mathrm{h}\mathrm{o}\mathrm{o}\mathrm{s}\mathrm{e} \mathrm{a} \mathrm{r}\mathrm{a}\mathrm{n}\mathrm{d}\mathrm{o}\mathrm{m} \mathrm{n}\mathrm{u}\mathrm{m}\mathrm{b}\mathrm{e}\mathrm{r} r$
	$M_7=E_{S_j}\left(h\left({id}_i\parallel r\right)\parallel {Gid}_k\parallel {Sid}_j\parallel K_U\parallel T_2\right)$	$\mathrm{c}\mathrm{h}\mathrm{e}\mathrm{c}\mathrm{k} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{f}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}\mathrm{n}\mathrm{e}\mathrm{s}\mathrm{s} \mathrm{o}\mathrm{f} {\mathrm{T}}_2$
	$\hspace{1em}\stackrel{ \left\{,M_7 ,T_2 \right\} }{\to }$	$S_j=NJ⨁h\left(PUF2\left(C_S\right)\right)$
		$M_8=D_{S_j}\left(M_7\right)$
		$\mathrm{c}\mathrm{h}\mathrm{o}\mathrm{o}\mathrm{s}\mathrm{e} \mathrm{a} \mathrm{r}\mathrm{a}\mathrm{n}\mathrm{d}\mathrm{o}\mathrm{m} \mathrm{n}\mathrm{u}\mathrm{m}\mathrm{b}\mathrm{e}\mathrm{r} rs$
		$M_9=T_{rs}\left(x\right)mod q$
		$SK=h\left(T_{rs}\left(K_U\right)\parallel K_U\parallel M_9\parallel {Gid}_k\parallel {Sid}_j\parallel h\left({id}_i\parallel r\right)\right)$
		$M_{10}=h\left({Gid}_k\parallel {Sid}_j\parallel SK\parallel M_9\parallel T_3\right)$
		$M_{11}=h\left(S_j\parallel M_9\parallel M_{10}\parallel T_3\parallel h\left({id}_i\parallel r\right)\right)$
	$\mathrm{c}\mathrm{h}\mathrm{e}\mathrm{c}\mathrm{k} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{f}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}\mathrm{n}\mathrm{e}\mathrm{s}\mathrm{s} \mathrm{o}\mathrm{f} T_3$	$\hspace{1em}\stackrel{ \left\{ M_9 , M_{10} , M_{11} , T_3 \right\} }{\leftarrow }$
	$\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{c}\mathrm{o}\mathrm{r}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{t}\mathrm{n}\mathrm{e}\mathrm{s}\mathrm{s} \mathrm{o}\mathrm{f} M_{11}$
	$\mathrm{c}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{u}\mathrm{t}\mathrm{e} M_{12}=h\left(rug\parallel M_9\parallel M_{10}\parallel T_4\right)$
	$M_{13}=E_{rug}\left(r\parallel M_{12}\right)$
$\mathrm{c}\mathrm{h}\mathrm{e}\mathrm{c}\mathrm{k} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{f}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}\mathrm{n}\mathrm{e}\mathrm{s}\mathrm{s} \mathrm{o}\mathrm{f} T_4$	$\hspace{1em}\stackrel{ \left\{ M_9 , M_{10} , M_{13} , T_{3 ,}{T}_4 \right\} }{\leftarrow }$
$\mathrm{d}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}{M}_{13}\mathrm{a}\mathrm{n}\mathrm{d} \mathrm{o}\mathrm{b}\mathrm{t}\mathrm{a}\mathrm{i}\mathrm{n} \mathrm{r}\mathrm{a}\mathrm{n}\mathrm{d} M_{12}$
$\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{c}\mathrm{o}\mathrm{r}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{t}\mathrm{n}\mathrm{e}\mathrm{s}\mathrm{s} \mathrm{o}\mathrm{f} M_{12}$
$\mathrm{S}\mathrm{K}=\mathrm{h}\left({\mathrm{T}}_{\mathrm{r}\mathrm{u}}\left(M_9\right)\parallel K_U\parallel M_9\parallel {Gid}_k\parallel {Sid}_j\parallel h\left({id}_i\parallel r\right)\right)$
$M_{10}^{\prime }=h\left({Gid}_k\parallel {Sid}_j\parallel SK\parallel M_9\parallel T_3\right)$
$\mathrm{c}\mathrm{h}\mathrm{e}\mathrm{c}\mathrm{k} M_{10}^{\prime }=M_{10}$
$\mathrm{i}\mathrm{f} \mathrm{i}\mathrm{t} \mathrm{h}\mathrm{o}\mathrm{l}\mathrm{d}\mathrm{s},\mathrm{t}\mathrm{h}\mathrm{e} \mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n} \mathrm{k}\mathrm{e}\mathrm{y} \mathrm{i}\mathrm{s} \mathrm{S}\mathrm{K}.$

.

3.5. Password Update Phase

For the security consideration, a legal user should be allowed to update the personal password. In this phase, when the user wants to update his password, ${pw}_i$, to a new password, ${pw}_i^{new}$, the user needs to enter his identity, ${id}_i$, old password, ${pw}_i$, and new password, ${pw}_i^{new}$, after inserting the SC into the card reader. The SC computes ${M_3}^{\prime }=h\left({id}_i\parallel M_0\parallel {pw}_i\right)mod n_0$, and checks whether ${M_3}^{\prime }=M_3$ is correct or not. If yes, the SC computes $M_1^{new}=M_1⨁h\left({id}_i\parallel {pw}_i\right)⨁h\left({id}_i\parallel {pw}_i^{new}\right)$ and replaces $M_1$ with $M_1^{new}$.

4. Formal Security Analysis

This section will formally analyze the security of the proposed scheme. The results demonstrated that our scheme was proven secure. The notions of the model used in this paper are defined as follows:

Participants: In the proposed scheme, $\mathcal{P}$, denoted as $P$, the participants include the user $U$, the gateway $GW$, and the sensor node $Sn$. In the $i^{th}$ instance, the participants, the user, the gateway, and the sensor node are denoted as $IN{S}_P^i$, $IN{S}_U^i$, $IN{S}_{GW}^i$, and $IN{S}_{Sn}^i$, respectively.

States of Oracle: Oracle in our scheme has three states: $ACCEPT$, $REJECT$, and $\perp$. If an oracle receives a correct request message, the state is $ACCEPT$, if the request message is illegal, the state is $REJECT$. When the above conditions do not occur, the state is $\perp$.

We defined that if the oracle $IN{S}_U^i$ ($IN{S}_{Sn}^i$) is $ACCEPT$, and the session key $S{K}_U^i$ ($S{K}_{SN}^i$) has been negotiated with $IN{S}_P^i$, then $IN{S}_U^i$ ($IN{S}_{Sn}^i$) obtains its session identity $SI{D}_U^i$ ($SI{D}_{Sn}^i$), and the corresponding participant identity $PI{D}_{Sn}^i$ ($PI{D}_U^i$).

Partnering: If the following conditions are satisfied, $IN{S}_U^i$ and $IN{S}_{Sn}^i$ are $ACCEPT$, and the session key has been negotiated, then $IN{S}_U^i$ and $IN{S}_{Sn}^i$ are considered as partners.

• The session key $S{K}_U^i$ generated by $IN{S}_U^i$ equals $IN{S}_{Sn}^i$’s session key, $S{K}_{SN}^i$.
• $IN{S}_U^i$ and $IN{S}_{Sn}^i$ are in the same session; that is, $SI{D}_U^i=SI{D}_{Sn}^i$.
• The participant identities of $IN{S}_U^i$ and $IN{S}_{Sn}^i$ are equal to $IN{S}_{Sn}^i$ and $IN{S}_U^i$, respectively.

Queries: To simulate multiple attacks, queries are defined as follows:

Execute ($IN{S}_P^i$): Execute simulates the eavesdropping attack, and $A$ executes this query to obtain all the transcripts.

Send ($IN{S}_P^i$, $message$): This query simulates the sending operation executed by the adversary, $A$. The message is sent to oracle $IN{S}_P^i$; if the message is correct, $IN{S}_P^i$ responds to $A$ based on $\mathcal{P}$, otherwise, the message is neglected.

Reveal ($IN{S}_P^i$): If the session key has been negotiated, $IN{S}_{Sn}^i$ and $IN{S}_U^i$ are in $ACCEPT$, and the query Test has not been executed yet. The query Reveal will reveal the session key when it is executed. Otherwise, the output is null.

Corrupt ($IN{S}_U^i$): This query simulates a corruption attack. It will return the message $\left\{h\left(.\right),M_0,M_1\right\}$ to the adversary, which is stored in the smart card.

Test ($IN{S}_P^i$): This query is allowed to be executed at most once. The query generates a random bit $r$; if $r=1$ and the session key has been generated, the session key is sent to the adversary. Otherwise, $A$ receives a random number.

Freshness: An instance $IN{S}_P^i$ can be identified as fresh if it satisfies the following conditions:

• Reveal query has not been executed.
• Corrupt is executed at most once.
• $IN{S}_{Sn}^i$ and $IN{S}_U^i$ are in $ACCEPT$.

Semantic Security: As the definition of the Test query shows, $r$ determines if the output is the session key. Furthermore, $A$ generates a random bit $r_a$; if $r_a=r$, $A$ knows the correctness. The possibility is $Ad{v}_{\mathcal{P}}^A=\left|2\mathrm{Pr}\left[r=r_a\right]-1\right|=\left|2\mathrm{Pr}\left[suc\left(A\right)\right]-1\right|$. If $Ad{v}_{\mathcal{P}}^A\ge \eta$, $\mathcal{P}$ is not secure, where $\eta$ is sufficiently small.

CMDLP: The chaotic map-based discrete logarithm problem (CMDLP) is distributed as: considering $x,y\in Z_P^{\mathrm{*}}$, where $y=T_r\left(x\right)mod p$. Computing $r$ is computationally hard. The advantage of CMDLP is $Ad{v}_A^{CMDLP}=2\mathrm{Pr}\left[A\left(x,y\right)=r:r\in Z_P^{\mathrm{*}},y=T_r\left(x\right)mod p\right]$.

Theorem 1.

Assume $A$ is the adversary that tries to break $\mathcal{P}$ in PPT. $A$ is allowed to execute multiple Execute and Send queries. The Test query is permitted to execute at most once. We identified $q_{se}$, $q_h$, $q_{Send}$, and $q_{Exe}$ as the execute numbers of symmetric encryption, hash operation, Send, and Execute queries, respectively. $l_{se}$, $l_h$, $n$, and $l_{pw}$ are the lengths of the output of symmetric encryption, hash operation, transcript, and password, respectively. The advantage of breaking $\mathcal{P}$ by $A$ in PPT is:

$$Ad{v}_{\mathcal{P}}^A\le \frac{q_{se}^2}{2^{l_{se}}}+\frac{q_h^2}{2^{l_h}}+\frac{(q_{Send}+q_{Exe}{)}^2}{n}+\frac{q_{Send}}{2^{l_{pw}-1}}+2Ad{v}_A^{CMDLP}$$

Proof. 

We assume that the adversary $A$ tends to break the scheme $\mathcal{P}$ in the probabilistic polynomial time (PPT). Meanwhile, we define games, denoted as $Gam{e}_i\left(0\le i\le 4\right)$, to simulate multiple attacks launched by $A$. According to $Gam{e}_i$, the event $E{v}_i\left(0\le i\le 4\right)$ represents that $A$ breaks $\mathcal{P}$ in $Gam{e}_i$. The games are defined as:

$Gam{e}_0$: This game simulates the real attack launched by $A$. First, $A$ guesses the random bit $r$; hence, we have:

$$Ad{v}_{\mathcal{P}}^A=\left|2\mathrm{Pr}\left[E{v}_0\right]-1\right|$$

(5)

$Gam{e}_1$: This game simulates the eavesdropping attack. $A$ executes multiple Execute queries and at most one Test query. After obtaining the output of the Test query, $A$ has to figure out if the output is the session key according to the captured transcripts, $\left\{K_U,M_5,M_7,M_9,M_{10},M_{11},M_{13},T_i\right\}$. Here, $K_U=T_{ru}\left(x\right)mod q$, $M_5=E_{K_{U-G}}\left({id}_i\parallel S{id}_j\parallel rug\parallel M_4\right)$, $M_7=E_{S_j}\left(h\left({id}_i\parallel r\right)\parallel {Gid}_k\parallel {Sid}_j\parallel K_U\parallel T_2\right)$, $M_9=T_{rs}\left(x\right)mod q$, $M_{10}=h\left({Gid}_k\parallel {Sid}_j\parallel SK\parallel M_9\parallel T_3\right)$, $M_{11}=h\left(S_j\parallel M_9\parallel M_{10}\parallel T_3\parallel h\left({id}_i\parallel r\right)\right)$, $M_{13}=E_{rug}\left(r\parallel M_{12}\right)$, and timestamps. $SK=h\left(T_{rs}\left(K_U\right)\parallel K_U\parallel M_9\parallel {Gid}_k\parallel {Sid}_j\parallel h\left({id}_i\parallel r\right)\right)=h\left(T_{ru}\left(M_9\right)\parallel K_U\parallel M_9\parallel {Gid}_k\parallel {Sid}_j\parallel h\left({id}_i\parallel r\right)\right)$. This session key is based on CMDLP, and $A$ cannot compute $SK$ according to the messages or figure out the relationship between the session key and the transcripts because the one-way hash function, random numbers, and timestamps are used. Therefore, we have:

$$\mathit{Pr}\left[E{v}_0\right]=\mathit{Pr}\left[E{v}_1\right]$$

(6)

$Gam{e}_2$: This game simulates $A$ and executes the Execute and Send queries to launch the collision attacks among transmitted messages. These messages are symmetric encrypted or hashed. According to the birthday paradox, the probability of collision of the symmetric encryption is $\frac{q_{se}^2}{2^{l_{se}+1}}$. The probability of hash collision is $\frac{q_h^2}{2^{l_h+1}}$. The collision probability of transcripts is $\frac{(q_{send}+q_{exec}{)}^2}{2n}$. Therefore, we have:

$$\mathit{Pr}\left[E{v}_2\right]-\mathit{Pr}\left[E{v}_1\right]\le \frac{q_{se}^2}{2^{l_{se}+1}}+\frac{q_h^2}{2^{l_h+1}}+\frac{(q_{Send}+q_{Exe}{)}^2}{2n}$$

(7)

$Gam{e}_3$: This game simulates that after the Corrupt query is executed, $\mathrm{A}$ launches guessing attacks on the password. $\mathrm{A}$ can obtain {$h\left(.\right)$, $M_0$, $M_1$} stored in the smart card. Here, $M_0=T_{rk}\left(x\right) mod q$ and $M_1=h\left({id}_i\parallel G_k\right)⨁h\left({id}_i\parallel {pw}_i\right)$. The probability of guessing the password by $A$ is $\frac{1}{2^{l_{pw}}}$; therefore, we have:

$$\mathit{Pr}\left[E{v}_3\right]-\mathit{Pr}\left[E{v}_2\right]\le \frac{q_{Send}}{2^{l_{pw}}}$$

(8)

$Gam{e}_4$: This game simulates that $A$ calculates $SK$ according to $M_9=T_{rs}\left(x\right)mod q$ and $K_U=T_{ru}\left(x\right)mod q$, which are transmitted openly. According to the definition, we have:

$$\mathit{Pr}\left[E{v}_4\right]-\mathit{Pr}\left[E{v}_3\right]\le Ad{v}_A^{CMDLP}$$

(9)

The probability of guessing the random bit $r$ is $1/2$, which is equal to the probability of guessing the session key. We have:

$$\mathit{Pr}\left[E{v}_4\right]=\frac{1}{2}$$

(10)

Combining (5) to (10), we have: $\frac{1}{2}Ad{v}_{\mathcal{P}}^A\le \frac{q_{se}^2}{2^{l_{se}+1}}+\frac{q_h^2}{2^{l_h+1}}+\frac{(q_{Send}+q_{Exe}{)}^2}{2n}+\frac{q_{Send}}{2^{l_{pw}}}+Ad{v}_A^{CMDLP}$.

That is:

$$Ad{v}_{\mathcal{P}}^A\le \frac{q_{se}^2}{2^{l_{se}}}+\frac{q_h^2}{2^{l_h}}+\frac{(q_{Send}+q_{Exe}{)}^2}{n}+\frac{q_{Send}}{2^{l_{pw}-1}}+2Ad{v}_A^{CMDLP}$$

(11)

□

5. Informal Security Analysis

5.1. Offline Password Guessing Attack

Since the information in smart cards can be retrieved by side channel attacks, such as power analysis attacks, stolen smart card attacks should be considered when designing authentication schemes using smart cards. In our scheme, if the SC is stolen by an adversary, it can retrieve the information stored in the SC and eavesdrops on the message transferred on the public channel. Though the adversary can guess the user’s identity and password and obtain $M_2$, he still cannot know the random nonce $rug$, and can not verify whether $M_4=h\left(T_1\parallel M_2{\parallel rug\parallel id}_i\right)$ is correct or not. Therefore, the adversary cannot know whether his guessed identity and password are correct or not. On the other hand, if an adversary wants to guess ${id}_i$ and ${pw}_i$ to satisfy $M_3=h\left({id}_i\parallel M_0\parallel {pw}_i\right)mod n_0$, there are $2^{32}$ candidates for the (${id}_i$, ${pw}_i$) pair when n = 256. Moreover, the adversary cannot know which pair is correct. Thus, our scheme can withstand the stolen smart card attack and offline password guessing attack.

5.2. Mutual Authentication

In our scheme, only the legitimate user with the correct identity and password can pass the verification. In the authentication and key agreement phase, $U_i$ transmits message {$K_u$, $M_5$, $T_1$} via the public channel, and only ${GWN}_k$ can recover the encryption key $K_{U-G}$ to decrypt $M_5$ and obtain {${id}_i$, ${Sid}_j$, $rug$, $M_4$}. If ${GWN}_k$ verifies $M_4$ successfully, the user can authenticate ${GWN}_k$ by checking the correctness of $M_{12}$, so our scheme achieves mutual authentication between $U_i$ and ${GWN}_k$. In the same way, ${GWN}_k$ transmits the encrypted data $M_7$ to the sensor node, and only the sensor node can decrypt the message and verify the correctness of ${GWN}_k$ to achieve mutual authentication between ${GWN}_k$ and ${Sn}_j$. Thus, it could provide mutual authentication among the user, the gateway, and the sensor node.

5.3. User Impersonation Attack

In our scheme, if an adversary wants to impersonate the user, he must know the message, $M_2$, which can verify the legitimacy of the user. However, $M_2$ is protected by the user’s identity and password, and the adversary cannot verify whether his guessed identity and password are correct or not. Therefore, our scheme can withstand the impersonation attack.

5.4. Man-in-the-Middle Attack

An adversary, $A$, could intercept messages transferred on a public channel. In our scheme, an adversary, $A$, needs to make the ${GWN}_k$ believe that it is from the user, $U_i$. However, the adversary, $A$, cannot pass the verification without the identity, ${id}_i$, and password, ${pw}_i$, to calculate $M_2$. Meanwhile, only the ${GWN}_k$ can calculate $K_{U-G}$ to decrypt $M_5$ and encrypted messages with the encryption key $S_j$ to the sensor node ${Sn}_j$, so the adversary cannot impersonate the user and the gateway node. In the same way, the adversary cannot impersonate the sensor node since the adversary does not know $S_j$ to decrypt the encrypted message. Therefore, the scheme can withstand the man-in-the-middle attack successfully.

5.5. Malicious Insider Attack

If a malicious insider attacker can impersonate a user, $U_i$, he must know $h\left({id}_i\parallel S_k\right)$ of the user $U_i$. In our scheme, the $U_i$’s password is protected by the collision-resistant one-way hash function $h\left(.\right)$, and according to the analysis in Section 5.1, the adversary cannot obtain ${pw}_i$ and $h\left({id}_i\parallel {pw}_i\right)$. Therefore, the attacker cannot compute $h\left({id}_i\parallel S_k\right)$ from $M_1$. Meanwhile, it cannot obtain $h\left({id}_i\parallel S_k\right)$ from the gateway node and the sensor node. Therefore, our scheme can withstand the malicious insider attack.

5.6. Replay Attack

In our scheme, we used timestamp and the random number to resist replay attacks. In each session of the scheme, random numbers, $ru$, $rs$, and $rug$, are generated by the user and the sensor node to establish the session keys, and the session keys of each session are calculated relying on these random numbers. Meanwhile, these messages are protected by the encryption algorithm and hash function. Therefore, our scheme can withstand the replay attack.

5.7. Perfect Forward Secrecy

This secrecy means that the disclosure of a long-term master key will not lead to past session key disclosure. In the proposed scheme, if the ${GWN}_k$’s long-term private key, $S_k$, is leaked to the attacker, it does not help the adversary to reveal the past session keys. The session key is computed as $SK=h\left(T_{ru}\left(M_9\right)\parallel K_U\parallel M_9\parallel {Gid}_j\parallel {Sid}_j\parallel {h(id}_i\parallel r)\right)=h\left(T_{rs}\left(K_U\right)\parallel K_U\parallel M_9\parallel {Gid}_j\parallel {Sid}_j\parallel {h(id}_i\parallel r)\right)$. The parameters $ru$ and $rs$ are generated randomly and uniquely for every session. Meanwhile, it is computationally infeasible to compute $T_{rs}\left(T_{ru}\left(x\right)\right)$ according to $T_{rs}\left(x\right)$ and $T_{ru}\left(x\right)$ due to the hardness of CMDHP. Therefore, our scheme can achieve perfect forward secrecy.

5.8. Known Session Key Attack

If the implementation of the authentication scheme can generate a unique session key, and the compromise of the key has no effect on other session keys, the authentication scheme can provide known session key security. In the proposed scheme, the session key, SK, is unique to each session run because the random numbers $ru$ and $rs$ are generated randomly and independently by the user and the sensor node. Therefore, our scheme can provide known session key security.

5.9. Anonymity and Non-Traceability

Our scheme provides user anonymity, as an adversary cannot obtain or eavesdrop on the user identity, ${id}_i$, in the login and authentication phase because the identity, ${id}_i$, is transferred in encrypted form by an encryption key $K_{U-G}$ and ${GWN}_k$ is a trusted entity. Meanwhile, the encryption key is generated randomly for every new session, so the message is dynamic for each session, and it is unable to distinguish between different users. Therefore, our scheme achieves user anonymity and cannot be traced.

5.10. Immunity from Bergamo et al.’s Attack

If both $T_s\left(x\right)$ and $\mathrm{x}$ are known, then one can determine $s^{\prime }$, such that $T_{s^{\prime }}\left(x\right)=T_s\left(x\right)$. More precisely, $s^{\prime }=\frac{\mathit{arccos}\left(T_s\left(x\right)\right)+2k\pi }{\mathit{arccos}\left(x\right)}fork\in Z^{+}$. However, this attack cannot happen according to the paper of Zhang et al. [33], because Bergamo et al.’s attack [35] is based on the value range $\mathrm{x}\in \left[-\mathrm{1,1}\right]$. Our proposed scheme uses the enhanced Chebyshev polynomial, $T_n\left(x\right)=2x{T}_n\left(x\right)-T_{n-2}\left(x\right) mod q$, where q is a large prime and $x\in \left(-\mathrm{\infty },+\mathrm{\infty }\right)$, so our proposed scheme can avoid Bergamo et al.’s attack.

5.11. Sensor Node and Gateway Capture Attacks

In the proposed scheme, all sensor nodes, ${Sn}_j$, and gateways, ${GWN}_k$, are deployed with PUF to protect the stored secret information, so our scheme can resist sensor node and gateway capture attacks.

6. Performance Comparison

This section will analyze and compare the proposed scheme with other related schemes [5,7,8,13,28,29,30] in terms of security and computation costs, which are presented in

Table 3. Comparison of computation costs.

	User (A)	Gateway Node/Server	Sensor Node/User (B)	Total	Execution Cost
[5]	7$T_h$ + 2$T_s$	4$T_h$	$10T_h+2T_s$	21$T_h$ + 4$T_s$	3.668 ms
[7]	11$T_h$ + 1$T_s$ + 1$T_f$	11$T_h$	7$T_h$	29$T_h$ + 1$T_s$ + 1$T_f$	10.57 ms
[8]	9$T_h$ + 2$T_e$ + 1$T_f$	10$T_h$ + 1$T_e$	5$T_h$	24$T_h$ + 3$T_e$ + 1$T_f$	33.784 ms
[13]	4$T_h$ + 4$T_c$ + 2$T_s$	4$T_h$ + 4$T_c$ + 4$T_s$	4$T_h$ + 3$T_c$ + 2$T_s$	12$T_h$ + 11$T_c$ + 8$T_s$	39.22 ms
[28]	11$T_h$ + 3$T_c$ + 1$T_s$	11$T_h$ + 3$T_c$ + 2$T_s$	5$T_h$ + 3$T_c$ + 1$T_s$	27$T_h$ + 9$T_c$ + 4$T_s$	31.832 ms
[29]	5$T_h$	5$T_h$ + $T_m$	3$T_h$ + $T_m$	13$T_h$ + $2T_m$	33.036 ms
[30]	-	1$T_h$ + 3$T_e$ + ${2T}_s$	1$T_h$ + 2$T_e$ + $T_s$	2$T_h$ + 5$T_e$ + $3T_s$	42.006 ms
Our scheme	$6T_h$ + $3T_c$ + 2$T_s$	5$T_h$ + 1$T_c$ + 3$T_s$	3$T_h$ + 2$T_c$ + 1$T_s$	14$T_h$ + 6$T_c$ + 6$T_s$	22.816 ms

and

Table 4. Comparison of security features.

	[5]	[7]	[8]	[13]	[28]	[29]	[30]	Our Scheme
Anonymity	T	T	F	T	T	T	F	T
Non-traceability	T	T	T	T	T	T	T	T
Mutual authentication	T	T	T	T	F	F	T	T
Resist malicious insider attack	T	T	T	T	F	T	T	T
Resist offline password guessing attack	T	T	T	T	F	T	T	T
Resist stolen smart card attack	T	T	T	F	F	T	T	T
Resist replay attack	T	T	F	F	T	T	T	T
Resist impersonation attack	F	F	F	F	F	T	T	T
Perfect forward secrecy	F	F	F	T	T	F	T	T
Known session key secrecy	T	T	T	T	T	F	T	T
Resist sensor node capture attack	F	F	F	T	F	F	F	T

.

The client program is written based on JAVA and deployed on a mobile phone, with the environment (Version: Android 13, Hardware: MediaTek Dimensity 8100, 8GB of RAM, Mali-G610 MC6 GPU), and the cryptographic operations are based on JAC library. The server program is written based on Python and deployed on the Ubuntu virtual machine (Version: 22.04.3 LTS, Hardware: 64-bit AMD 860K CPU @ 3.7GHz 8GB RAM), and the cryptographic operations are based on the gmpy2 library and pycrypto library. The sensor program is written based on Python and deployed on the Raspberry Pi 4B (Broadcom BCM2711, 1.5 GHz, 64-bit, ARM Cortex-A72, RAM: 2GB LPDDR4-3200 RAM). According to the requirements of the protocol, the interaction at the registration stage is based on a secure channel, so we used the WebSocket library to construct the secure channel. WebSocket is a protocol that enables full-duplex communication over a single TCP connection and supports TLS. The interaction at the authentication stage is based on an open channel and is implemented using sendto in the WebSocket library. Sendto directly sends data based on UDP, which has higher efficiency compared to TCP.

All the above devices were tested under the WIFI 1000 Mbps environment. We tested the transmission and reception delay during the registration and authentication, respectively. Here, we took the average value in the relevant schemes. Taking 512-bit data in the TLS channel in the registration stage and 2048-bit data in the open channel in the authentication stage as examples, a total of 1000 tests were conducted to obtain the average values.

Table 5. Transmission delay.

	Registration (512 Bits, TLS)	Verification (2048 Bits, Public)
Phone Server	$11.382 \mathsf{\mu }\mathrm{s}$	$7.142 \mathsf{\mu }\mathrm{s}$
Sensor Server	$13.451 \mathsf{\mu }\mathrm{s}$	$7.129 \mathsf{\mu }\mathrm{s}$
Phone Sensor	-	$6.974 \mathsf{\mu }\mathrm{s}$

shows the test results. The measured results indicated that the time overhead for a single transmission and reception was on the microsecond level ($1 \mathsf{\mu }\mathrm{s}=10^{-3} \mathrm{m}\mathrm{s}=10^{-6} \mathrm{s}$). The transmission delay was much lower than the hardware operation, so in the analysis of time complexity, we ignored the transmission delay.

Since the time for computing the XOR operation and string concatenation could be ignored, as compared with other cryptographic primitive-based operations, we only considered the time to calculate the one-way hash function ($T_h$), deterministic reproduction function of fuzzy extractor ($T_f$), Chebyshev chaotic map polynomial ($T_c$), elliptic curve point multiplication ($T_e$), modular multiplication ($T_m$), and symmetric encryption/decryption ($T_s$). In the environment of Windows 7 64-bit AMD 860K CPU @ 3.7GHz 8GB RAM, the computational times were approximately 0.068 ms, 8.038 ms, 3.084 ms, 8.038 ms, 16.076 ms, and 0.56 ms, respectively.

From Table 3, Table 4 and Table 5, we can see that our scheme had a lower computation cost and higher security.

7. Conclusions

Few lightweight, underwater acoustic network authentication schemes have been designed due to the change in the data transmission environment and propagation medium. Thus, this work proposed a lightweight authentication and key agreement scheme for UANs, which adopted PUF to protect the secret information stored in the gateway and sensors, used the fuzzy verifier to achieve two-factor secrecy, and used the semi-group property of Chebyshev polynomials to achieve lightweight authentication and perfect forward secrecy. We used the widely accepted formal security proof in the random oracle model to prove the security of our scheme. Compared to existing schemes, the proposed protocol had higher security and improved the computational efficiency by 39.52% compared to the best existing solutions, with perfect forward security. As a result, the proposed scheme is efficient and more suitable for battery-powered devices in the underwater acoustic networks.