1. Introduction
The ocean accounts for about 71% of the earth’s surface area. As the contradiction between the global shortage of food, resources, and energy supply and rapid population growth becomes increasingly prominent, the development of marine resources is inevitable. Using wireless sensor networks (WSNs) to perceive and monitor marine environment information can improve the utilization efficiency of marine resources, coordinate the allocation of marine and land resources, and maximize the value obtained from marine resources.
Because electromagnetic waves propagate poorly in seawater and optical communications are strongly affected by scattering, acoustic waves, which enable communication over long-range links, are the most obvious medium for underwater communication. Underwater wireless sensor networks are wireless communication networks based on acoustic signals, in which sensors are deployed underwater in time-varying environments; they are called underwater acoustic networks (UANs). Aircraft, submarines, or surface ships are used to randomly deploy a large number of cheap, miniature sensor nodes in the seawater. The nodes form a multi-hop self-organizing network system through underwater acoustic communication, which can cooperatively sense, collect, and process the information of the sensing objects in the network coverage area, and send it to the receiver. They are mainly used to carry out coordinated tasks, such as oceanographic data collection, pollution prediction, ocean mining, shipwreck avoidance, ocean monitoring, etc.
With the increasing use of UANs in industry and the military, the need to transmit sensitive information on insecure channels is also increasing. It is easy for adversaries to eavesdrop, intercept, modify, and delete the information, which leads to various attacks and causes huge losses [1]. Therefore, it is essential to control access to UANs’ information and services and ensure that sensitive information is securely exchanged between users and sensor nodes. At the same time, UANs are required to respond to the relevant information of the marine environment in real time. Only by continuous and real-time monitoring of the changing state of the ocean can humans grasp the ocean data in time and develop and use the data.
Authentication ascertains the legitimacy of a user of the network resources and establishes the session key between the user and the sensor node to protect the confidentiality and integrity of the data from the attacker. A number of security authentication and key agreement schemes have been proposed for terrestrial wireless sensor networks (TWSNs), but most of them are not applicable to UANs, due to the energy limitations and susceptibility to capture of underwater sensors and gateways. Therefore, a security mechanism specifically for UANs is needed [2].
1.1. Related Work
In 2019, Banerjee et al. [3] proposed a security-enhanced authentication and key agreement scheme for WSN, but their scheme cannot resist offline password guessing attacks or impersonation attacks, and does not achieve session key secrecy, identity unlinkability, or perfect forward secrecy. In 2020, Chen et al. [4] proposed an authentication scheme for WSN in IoT environments, but their scheme is vulnerable to offline password guessing attacks and impersonation attacks, and fails to achieve perfect forward secrecy, user anonymity, and unlinkability. In 2021, Shuai et al. [5] presented a lightweight authentication protocol for WSN environments using ECC to prevent various security issues. However, their scheme does not provide perfect forward security and suffers from desynchronization attacks and stolen-verifier attacks. Later, Kaur et al. [6] presented a two-factor user authentication protocol for smart homes using ECC. Yu et al. [7] showed that Kaur et al.’s scheme cannot resist impersonation attacks or session key disclosure attacks and does not provide secure user authentication. They proposed a lightweight authentication scheme to overcome the security problems of Kaur et al.’s protocol. In 2021, Far et al. [8] proposed a user authentication protocol using fuzzy extractor and hash-chain in the IIoT environment. In 2023, Sahoo et al. [9] proposed a three-factor-based authentication scheme of 5G WSN for IoT systems and claimed that their scheme is secure. However, Xie et al. [10] pointed out that their scheme is vulnerable to user impersonation attacks, sensor node impersonation attacks, and capture attacks, and lacks user unlinkability and three-factor secrecy.
Recently, chaotic maps have attracted wide attention since they have better security and performance than traditional cryptography. The difficulty of the chaotic map’s Diffie–Hellman problem and its semi-group property make it feasible to establish secure session keys. In addition, the computation overhead of a Chebyshev polynomial is approximately 1/3 of the scalar multiplication on elliptic curves [11]. It significantly reduces the computing overhead and energy consumption of resource-constrained sensor nodes, which is more suitable for devices with a limited battery life and smaller computation power. In 2015, Lee et al. [12] proposed a three-party authenticated key agreement scheme based on chaotic maps without a password table. Jabbari et al. [13] showed that the scheme of Lee et al. fails to guarantee user anonymity and put forward an improved scheme. In 2016, Kumari et al. [14] introduced a two-factor authentication scheme for WSN using the chaotic map. However, the protocol of Kumari et al. suffers from sensor node impersonation attacks [15]. In 2018, Aghili et al. [16] proposed an efficient three-factor authentication scheme for WSN using the hash function. However, Wang et al. [17] showed that the scheme does not provide security against session key disclosure attacks, desynchronization attacks, sensor node impersonation attacks, and session-specific temporary information attacks. In addition, they presented an improved protocol for WSN using chaotic maps. In 2019, Lee et al. [18] introduced a multi-server authentication protocol using extended chaotic maps. However, Kumar et al. [19] found that their protocol is insecure against user impersonation attacks, session-specific temporary information attacks, and time synchronization problems, and proposed another protocol based on extended chaotic maps. In 2021, Qi et al. [20] proposed a chaotic map-based authentication protocol for an industrial medical cyber-physical system. However, Ding et al. [21] showed that their protocol is vulnerable to identity guessing attacks, user impersonation attacks, trace attacks, and desynchronization attacks, and lacks perfect forward secrecy, and they proposed a security-enhanced one.
Recently, how to resist capture attacks from physical devices has become a hot topic in authentication protocol research. Thanks to the application of Physically Unclonable Functions (PUF), many security authentication protocols have emerged that resist sensor capture attacks. In 2024, Xie et al. [22] proposed a multi-server authentication protocol based on PUF and chaotic maps to address the security issues of Yu et al.’s scheme [23]. Xie et al. [24] also proposed a PUF-based security authentication protocol to address the inability of Kumar et al.’s scheme [25] to resist capture attacks from roadside units. Oláh et al. [26] proposed a Blockchain- and PUF-based registration protocol for the Internet of Drones.
The change from hash-based operations to complex cryptographic primitive-based schemes greatly improved the security of TWSNs. However, the difference between TWSNs and UANs makes it impossible to directly use TWSN’s secure authentication mechanism for UANs. In 2019, Diamant et al. [27] proposed a cooperative authentication scheme for UANs, which relies on trusted nodes that independently assist in aggregating nodes during the authentication process. Later, Zhang et al. [28] presented a remote mutual authentication scheme based on chaotic maps for UANs. Based on the architecture of underwater wireless sensor networks, Kumar et al. [29] designed an authentication technique that establishes a session key for safe communication. In 2024, Tomović et al. [30] proposed a Blockchain-based Key Management Protocol for UANs, and Wang et al. [31] proposed a deep learning and random forest algorithm-based dynamic trust model for UANs.
1.2. Motivation and Contributions
It is shown that Zhang et al.’s scheme [28] cannot provide secure mutual authentication and establish the session key, and it fails to resist offline password guessing attacks and user impersonation attacks. In Kumar et al.’s scheme [29], the session key between the user and the Onshore Base Station cannot achieve perfect forward secrecy and may suffer from ID guessing attacks. On the other hand, their scheme cannot resist sensor node capture attacks and does not establish the session key between the user and the sensor node. Tomović et al.’s scheme [30] cannot resist sensor node capture attacks and cannot achieve anonymity.
Since almost all authentication protocols for UANs have one or more security flaws, designing a secure and effective lightweight authentication protocol for UANs is a challenge. Therefore, a secure and efficient lightweight authentication protocol for UANs is proposed, and the main contributions are as follows:
(1) Based on the uniqueness and randomness of Physically Unclonable Functions (PUF) and the fast computation of chaotic maps, a secure and efficient authentication protocol for UANs is proposed.
(2) The proposed scheme is proven secure under the random oracle model, which can achieve all known security properties, such as perfect forward secrecy, anonymity, and resistance to device capture attacks.
(3) The proposed scheme is more secure and efficient compared with some other related schemes in terms of security and performance requirements, and the proposed scheme is suitable for UANs.
The rest of this paper is organized as follows: Section 2 provides the preliminaries and the threat model. The proposed authentication and key agreement scheme for UANs is presented in Section 3. Section 4 and Section 5 provide corresponding formal and informal analyses of the proposed scheme. The security and performance comparisons between the proposed scheme and other resource-constrained schemes are presented in Section 6. Section 7 is the conclusion.
2. Preliminaries
In this section, we will introduce the threat model used in this paper and review some basic definitions concerning the Chebyshev polynomial, chaotic maps, and PUF.
2.1. Threat Model
The proposed protocol adopted the widely accepted Dolev–Yao threat model (DY model) [32], in which any adversary has the ability to eavesdrop, intercept, modify, or delete the messages transmitted among users, gateways, and sensors. In addition, any adversary can extract all the sensitive information stored in the lost/stolen smart card of a legal user, , using the side channel attack. Meanwhile, any adversary can capture the gateway and sensor nodes.
2.2. Chebyshev Polynomial
Definition 1 (Chebyshev polynomial): The Chebyshev polynomial can be defined as (1) or (2), where , : The semi-group property and chaos property are two primary properties of the Chebyshev polynomial [33].
Definition 2 (semi-group property): The semi-group property of the Chebyshev polynomial is defined as follows:
where
and
are positive integers and
.
Definition 3 (chaos property): The Chebyshev polynomial map, of degree , is a chaotic map with invariant density as: , for the Lyapunov exponent .
Definition 4: Enhanced Chebyshev polynomial is expressed as:
where
is a large prime and
. The enhanced chaotic maps still satisfy the semi-group property and chaos property.
Definition 5 (chaotic map-based discrete logarithm problem, CMDLP): Considering and, it is computationally infeasible to compute an integer, , such that .
Definition 6 (chaotic map-based Diffie–Hellman problem, CMDHP): Considering ,, and, it is computationally infeasible to compute .
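The definitions above can be exercised in code. The following added example (not code from the paper) uses the standard recurrence for the enhanced Chebyshev polynomial, T_n(x) = 2x·T_{n−1}(x) − T_{n−2}(x) mod p with T_0 = 1 and T_1 = x, to check the semi-group property and run a Diffie–Hellman-style exchange of the kind CMDHP protects. The modulus, seed, function names, and the SHA-256 key derivation are assumptions for illustration, not the scheme's parameters or its session-key formula.

```python
import hashlib
import secrets

# Constructed demo parameters (assumptions, not values from the paper).
# Selecting and vetting p for a real deployment is out of scope here.
P = 2**255 - 19                                  # a well-known prime
X = 0x1234567890ABCDEF1234567890ABCDEF % P       # public seed x


def chebyshev_mod(n, x, p):
    """Return T_n(x) mod p for n >= 0 in O(log n) multiplications.

    Uses the doubling identities T_{2k} = 2*T_k^2 - 1 and
    T_{2k+1} = 2*T_k*T_{k+1} - x, which follow from the recurrence.
    """
    if n < 0:
        raise ValueError("degree must be non-negative")
    x %= p
    a, b = 1, x                      # invariant: (a, b) = (T_k, T_{k+1}), k = 0
    for bit in bin(n)[2:]:           # consume the bits of n, most significant first
        t2k = (2 * a * a - 1) % p
        t2k1 = (2 * a * b - x) % p
        if bit == "0":
            a, b = t2k, t2k1                     # k -> 2k
        else:
            a, b = t2k1, (2 * b * b - 1) % p     # k -> 2k + 1
    return a


def is_degenerate(value, p):
    """T_n(1) = 1, T_n(-1) = +-1 and T_n(0) is 0 or +-1 for every n, so a
    seed or received value of 0, 1 or p-1 makes the result guessable."""
    return value % p in (0, 1, p - 1)


def ephemeral(x, p):
    """Pick a fresh secret degree r and return (r, T_r(x) mod p)."""
    r = secrets.randbelow(p - 3) + 2             # r in [2, p-2]
    return r, chebyshev_mod(r, x, p)


def session_key(own_secret, peer_public, p, transcript):
    """Hypothetical key derivation: hash the shared value T_rs(x) together
    with the exchanged public values (the paper's own formula differs)."""
    if is_degenerate(peer_public, p):
        raise ValueError("degenerate public value rejected")
    shared = chebyshev_mod(own_secret, peer_public, p)   # T_r(T_s(x)) = T_rs(x)
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(size, "big") + transcript).digest()


def run_session(x=X, p=P):
    """One exchange: both sides use fresh secrets and must derive equal keys."""
    r, t_r = ephemeral(x, p)         # user side sends T_r(x)
    s, t_s = ephemeral(x, p)         # sensor side sends T_s(x)
    size = (p.bit_length() + 7) // 8
    transcript = t_r.to_bytes(size, "big") + t_s.to_bytes(size, "big")
    k_user = session_key(r, t_s, p, transcript)
    k_sensor = session_key(s, t_r, p, transcript)
    return k_user, k_sensor


if __name__ == "__main__":
    k_user, k_sensor = run_session()
    print("keys match:", k_user == k_sensor)
```

Because each run draws new secret degrees, two sessions yield unrelated keys, which is the behaviour the scheme relies on for per-session key freshness.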
2.3. Physically Unclonable Functions
As a new hardware security primitive, the Physically Unclonable Function (PUF) is a hardware function implementation circuit that relies on chip features, with uniqueness and randomness. By extracting process parameter deviations that are inevitably introduced during chip manufacturing, it achieves a function that uniquely corresponds to the excitation and response signals [34]. In our scheme, PUF was used to protect the information stored in the gateway and sensors.
3. The Proposed Scheme
Based on the fact that gateways and sensors in underwater acoustic networks are easily captured, the proposed scheme adopted PUF to protect the secret information stored in gateways and sensors. In order to achieve two-factor security, the user’s identity and password are verified using fuzzy authentication. To achieve lightweight and secure authentication, the semi-group property of Chebyshev polynomials was adopted to achieve perfect forward secrecy. The notations used in our scheme are listed in Table 1.
3.1. Initialization Phase
The initialization phase is executed offline by the gateway. Gateway randomly chooses as its master key, as its identity, a large prime number , and a secure one-way hash function . Meanwhile, the gateway chooses a challenge , and computes the corresponding response, , , or . Then, the gateway chooses , and publishes the public parameters {, , }. In the same way, the gateway chooses as the identity of the sensor node , and computes according to the topological relationship for the sensor node . The gateway sends {, } to , and stores {, , }.
The sensor node chooses a challenge , and computes the corresponding response and , and stores {}.
3.2. User Registration Phase
The user performs the following steps to be a legal user through a secure channel.
Step 1: The user freely selects the identity and password , and sends the registration request message {, } to the through a secure channel.
Step 2: After receiving the registration request message, the computes , where . Then, the stores {, , } in a smart card (SC) and safely issues the SC to the user .
Step 3: The user computes , where , and stores {, , }
3.3. Login Phase
In order to log in to the and access the data from the , the user needs to execute the following steps:
After inserting the SC into the card reader of a specific terminal device, enters its identity and password , computes , and checks whether is correct or not. If yes, the SC generates two random numbers, and , and computes , , , , and , where is the current timestamp. Then, the SC sends the login request message, {, , }, to the .
3.4. Authentication and Key Management Phase
This phase allows the user to accomplish mutual authentication and session key agreement between the user and the sensor node through the help of the gateway node, and the steps are described as follows.
Step 1: After receiving the login request message, {, , }, the first computes whether holds, where is the current timestamp. If the timestamp verification holds, continues to execute the next step, otherwise, the login request is denied.
Step 2: The computes , {, , , }.
Step 3: The computes , .
Step 4: The checks whether is correct or not. If the equation holds, the and are successfully authenticated by each other, otherwise, terminates this session instantaneously.
Step 5: The chooses a random nonce , computes , , and delivers the message {,} to the sensor node .
Step 6: Upon obtaining the message {, } at timestamp , the checks whether is correct. If it holds, they move to the next step, otherwise, this session is terminated instantaneously.
Step 7: The computes , , , .
Step 8: The chooses a random number, , and computes , , , and . Then, the delivers the message {,, , } to .
Step 9: Upon obtaining the message {, , , } at timestamp , the checks whether holds. If yes, they move to the next step, otherwise, this session is terminated instantaneously.
Step 10: first verifies the correctness of , and then computes , , and sends {, , , } to the user .
Step 11: Upon receiving the message {, , , } at timestamp , the SC checks whether , decrypts , obtains and , and checks the correctness of . If yes, they proceed to the next step, otherwise, this session is terminated instantaneously.
Step 12: The SC computes , , and checks whether holds. If the equation holds, a session key, , is established.
The login and authentication process is shown in Table 2.
3.5. Password Update Phase
For security reasons, a legal user should be allowed to update the personal password. In this phase, when the user wants to update his password, , to a new password, , the user needs to enter his identity, , old password, , and new password, , after inserting the SC into the card reader. The SC computes , and checks whether is correct or not. If yes, the SC computes and replaces with .
4. Formal Security Analysis
This section will formally analyze the security of the proposed scheme. The results demonstrated that our scheme was proven secure. The notions of the model used in this paper are defined as follows:
Participants: In the proposed scheme, , denoted as , the participants include the user , the gateway , and the sensor node . In the instance, the participants, the user, the gateway, and the sensor node are denoted as , , , and , respectively.
States of Oracle: Oracle in our scheme has three states: , , and . If an oracle receives a correct request message, the state is , if the request message is illegal, the state is . When the above conditions do not occur, the state is .
We defined that if the oracle () is , and the session key () has been negotiated with , then () obtains its session identity (), and the corresponding participant identity ().
Partnering: If the following conditions are satisfied, and are , and the session key has been negotiated, then and are considered as partners.
The session key generated by equals ’s session key, .
and are in the same session; that is, .
The participant identities of and are equal to and , respectively.
Queries: To simulate multiple attacks, queries are defined as follows:
Execute (): Execute simulates the eavesdropping attack, and executes this query to obtain all the transcripts.
Send (, ): This query simulates the sending operation executed by the adversary, . The message is sent to oracle ; if the message is correct, responds to based on , otherwise, the message is neglected.
Reveal (): If the session key has been negotiated, and are in , and the query Test has not been executed yet. The query Reveal will reveal the session key when it is executed. Otherwise, the output is null.
Corrupt (): This query simulates a corruption attack. It will return the message to the adversary, which is stored in the smart card.
Test (): This query is allowed to be executed at most once. The query generates a random bit ; if and the session key has been generated, the session key is sent to the adversary. Otherwise, receives a random number.
Freshness: An instance can be identified as fresh if it satisfies the following conditions:
Reveal query has not been executed.
Corrupt is executed at most once.
and are in .
Semantic Security: As the definition of the Test query shows, determines if the output is the session key. Furthermore, generates a random bit ; if , knows the correctness. The possibility is . If , is not secure, where is sufficiently small.
CMDLP: The chaotic map-based discrete logarithm problem (CMDLP) is distributed as: considering , where . Computing is computationally hard. The advantage of CMDLP is .
Theorem 1. Assume
is the adversary that tries to break
in PPT.
is allowed to execute multiple Execute and Send queries. The Test query is permitted to execute at most once. We identified
,
,
, and
as the execute numbers of symmetric encryption, hash operation, Send, and Execute queries, respectively.
,
,
, and
are the lengths of the output of symmetric encryption, hash operation, transcript, and password, respectively. The advantage of breaking
by
in PPT is:
Proof. We assume that the adversary tends to break the scheme in the probabilistic polynomial time (PPT). Meanwhile, we define games, denoted as , to simulate multiple attacks launched by . According to , the event represents that breaks in . The games are defined as:
: This game simulates the real attack launched by
. First,
guesses the random bit
; hence, we have:
: This game simulates the eavesdropping attack.
executes multiple Execute queries and at most one Test query. After obtaining the output of the Test query,
has to figure out if the output is the session key according to the captured transcripts,
. Here,
,
,
,
,
,
,
, and timestamps.
. This session key is based on CMDLP, and
cannot compute
according to the messages or figure out the relationship between the session key and the transcripts because the one-way hash function, random numbers, and timestamps are used. Therefore, we have:
: This game simulates
and executes the Execute and Send queries to launch the collision attacks among transmitted messages. These messages are symmetric encrypted or hashed. According to the birthday paradox, the probability of collision of the symmetric encryption is
. The probability of hash collision is
. The collision probability of transcripts is
. Therefore, we have:
: This game simulates that after the Corrupt query is executed,
launches guessing attacks on the password.
can obtain {
,
,
} stored in the smart card. Here,
and
. The probability of guessing the password by
is
; therefore, we have:
: This game simulates that
calculates
according to
and
, which are transmitted openly. According to the definition, we have:
The probability of guessing the random bit
is
, which is equal to the probability of guessing the session key. We have:
Combining (5) to (10), we have: .
5. Informal Security Analysis
5.1. Offline Password Guessing Attack
Since the information in smart cards can be retrieved by side channel attacks, such as power analysis attacks, stolen smart card attacks should be considered when designing authentication schemes using smart cards. In our scheme, if the SC is stolen by an adversary, the adversary can retrieve the information stored in the SC and eavesdrop on the messages transferred on the public channel. Though the adversary can guess the user’s identity and password and obtain , he still cannot know the random nonce , and cannot verify whether is correct or not. Therefore, the adversary cannot know whether his guessed identity and password are correct or not. On the other hand, if an adversary wants to guess and to satisfy , there are candidates for the (, ) pair when n = 256. Moreover, the adversary cannot know which pair is correct. Thus, our scheme can withstand the stolen smart card attack and offline password guessing attack.
5.2. Mutual Authentication
In our scheme, only the legitimate user with the correct identity and password can pass the verification. In the authentication and key agreement phase, transmits message {, , } via the public channel, and only can recover the encryption key to decrypt and obtain {, , , }. If verifies successfully, the user can authenticate by checking the correctness of , so our scheme achieves mutual authentication between and . In the same way, transmits the encrypted data to the sensor node, and only the sensor node can decrypt the message and verify the correctness of to achieve mutual authentication between and . Thus, it could provide mutual authentication among the user, the gateway, and the sensor node.
5.3. User Impersonation Attack
In our scheme, if an adversary wants to impersonate the user, he must know the message, , which can verify the legitimacy of the user. However, is protected by the user’s identity and password, and the adversary cannot verify whether his guessed identity and password are correct or not. Therefore, our scheme can withstand the impersonation attack.
5.4. Man-in-the-Middle Attack
An adversary, , could intercept messages transferred on a public channel. In our scheme, an adversary, , needs to make the believe that it is from the user, . However, the adversary, , cannot pass the verification without the identity, , and password, , to calculate . Meanwhile, only the can calculate to decrypt and encrypted messages with the encryption key to the sensor node , so the adversary cannot impersonate the user and the gateway node. In the same way, the adversary cannot impersonate the sensor node since the adversary does not know to decrypt the encrypted message. Therefore, the scheme can withstand the man-in-the-middle attack successfully.
5.5. Malicious Insider Attack
If a malicious insider attacker can impersonate a user,
, he must know
of the user
. In our scheme, the
’s password is protected by the collision-resistant one-way hash function
, and according to the analysis in
Section 5.1, the adversary cannot obtain
and
. Therefore, the attacker cannot compute
from
. Meanwhile, it cannot obtain
from the gateway node and the sensor node. Therefore, our scheme can withstand the malicious insider attack.
5.6. Replay Attack
In our scheme, we used timestamps and random numbers to resist replay attacks. In each session of the scheme, random numbers, , , and , are generated by the user and the sensor node to establish the session keys, and the session keys of each session are calculated relying on these random numbers. Meanwhile, these messages are protected by the encryption algorithm and hash function. Therefore, our scheme can withstand the replay attack.
5.7. Perfect Forward Secrecy
This secrecy means that the disclosure of a long-term master key will not lead to past session key disclosure. In the proposed scheme, if the ’s long-term private key, , is leaked to the attacker, it does not help the adversary to reveal the past session keys. The session key is computed as . The parameters and are generated randomly and uniquely for every session. Meanwhile, it is computationally infeasible to compute according to and due to the hardness of CMDHP. Therefore, our scheme can achieve perfect forward secrecy.
5.8. Known Session Key Attack
If the implementation of the authentication scheme can generate a unique session key, and the compromise of the key has no effect on other session keys, the authentication scheme can provide known session key security. In the proposed scheme, the session key, SK, is unique to each session run because the random numbers and are generated randomly and independently by the user and the sensor node. Therefore, our scheme can provide known session key security.
5.9. Anonymity and Non-Traceability
Our scheme provides user anonymity, as an adversary cannot obtain or eavesdrop on the user identity, , in the login and authentication phase because the identity, , is transferred in encrypted form by an encryption key and is a trusted entity. Meanwhile, the encryption key is generated randomly for every new session, so the message is dynamic for each session, and an adversary is unable to distinguish between different users. Therefore, our scheme achieves user anonymity and the user cannot be traced.
5.10. Immunity from Bergamo et al.’s Attack
If both
and
are known, then one can determine
, such that
. More precisely,
. However, this attack cannot happen according to the paper of Zhang et al. [33], because Bergamo et al.’s attack [35] is based on the value range
. Our proposed scheme uses the enhanced Chebyshev polynomial,
, where q is a large prime and
, so our proposed scheme can avoid Bergamo et al.’s attack.
5.11. Sensor Node and Gateway Capture Attacks
In the proposed scheme, all sensor nodes, , and gateways, , are deployed with PUF to protect the stored secret information, so our scheme can resist sensor node and gateway capture attacks.
6. Performance Comparison
This section will analyze and compare the proposed scheme with other related schemes [5, 7, 8, 13, 28, 29, 30] in terms of security and computation costs, which are presented in Table 3 and Table 4.
The client program is written in Java and deployed on a mobile phone (Version: Android 13, Hardware: MediaTek Dimensity 8100, 8 GB of RAM, Mali-G610 MC6 GPU), and the cryptographic operations are based on the JAC library. The server program is written in Python and deployed on an Ubuntu virtual machine (Version: 22.04.3 LTS, Hardware: 64-bit AMD 860K CPU @ 3.7 GHz, 8 GB RAM), and the cryptographic operations are based on the gmpy2 library and pycrypto library. The sensor program is written in Python and deployed on the Raspberry Pi 4B (Broadcom BCM2711, 1.5 GHz, 64-bit, ARM Cortex-A72, RAM: 2 GB LPDDR4-3200 RAM). According to the requirements of the protocol, the interaction at the registration stage is based on a secure channel, so we used the WebSocket library to construct the secure channel. WebSocket is a protocol that enables full-duplex communication over a single TCP connection and supports TLS. The interaction at the authentication stage is based on an open channel and is implemented using sendto in the WebSocket library. Sendto directly sends data based on UDP, which has higher efficiency compared to TCP.
All the above devices were tested in a 1000 Mbps Wi-Fi environment. We tested the transmission and reception delay during the registration and authentication, respectively. Here, we took the average value in the relevant schemes. Taking 512-bit data in the TLS channel in the registration stage and 2048-bit data in the open channel in the authentication stage as examples, a total of 1000 tests were conducted to obtain the average values.
Table 5 shows the test results. The measured results indicated that the time overhead for a single transmission and reception was on the microsecond level (
). The transmission delay was much lower than the hardware operation, so in the analysis of time complexity, we ignored the transmission delay.
Since the time for computing the XOR operation and string concatenation could be ignored, as compared with other cryptographic primitive-based operations, we only considered the time to calculate the one-way hash function (), deterministic reproduction function of fuzzy extractor (), Chebyshev chaotic map polynomial (), elliptic curve point multiplication (), modular multiplication (), and symmetric encryption/decryption (). In the environment of Windows 7 64-bit AMD 860K CPU @ 3.7GHz 8GB RAM, the computational times were approximately 0.068 ms, 8.038 ms, 3.084 ms, 8.038 ms, 16.076 ms, and 0.56 ms, respectively.
From Table 3, Table 4 and Table 5, we can see that our scheme had a lower computation cost and higher security.
7. Conclusions
Few lightweight, underwater acoustic network authentication schemes have been designed due to the change in the data transmission environment and propagation medium. Thus, this work proposed a lightweight authentication and key agreement scheme for UANs, which adopted PUF to protect the secret information stored in the gateway and sensors, used the fuzzy verifier to achieve two-factor secrecy, and used the semi-group property of Chebyshev polynomials to achieve lightweight authentication and perfect forward secrecy. We used the widely accepted formal security proof in the random oracle model to prove the security of our scheme. Compared to existing schemes, the proposed protocol had higher security and improved the computational efficiency by 39.52% compared to the best existing solutions, with perfect forward security. As a result, the proposed scheme is efficient and more suitable for battery-powered devices in the underwater acoustic networks.