A Distributed Lightweight PUF-Based Mutual Authentication Protocol for IoV

Abstract

In recent times, the advent of innovative technological paradigms like the Internet of Things has paved the way for numerous applications that enhance the quality of human life. A remarkable application of IoT that has emerged is the Internet of Vehicles (IoV), motivated by an unparalleled surge of connected vehicles on the roads. IoV has become an area of significant interest due to its potential in enhancing traffic safety as well as providing accurate routing information. The primary objective of IoV is to maintain strict latency standards while ensuring confidentiality and security. Given the high mobility and limited bandwidth, vehicles need to have rapid and frequent authentication. Securing Vehicle-to-Roadside unit (V2R) and Vehicle-to-Vehicle (V2V) communications in IoV is essential for preventing critical information leakage to an adversary or unauthenticated users. To address these challenges, this paper proposes a novel mutual authentication protocol which incorporates hardware-based security primitives, namely physically unclonable functions (PUFs) with Multi-Input Multi-Output (MIMO) physical layer communications. The protocol allows a V2V and V2R to mutually authenticate each other without the involvement of a trusted third-party (server). The protocol design effectively mitigates modeling attacks and impersonation attempts, where the accuracy of predicting the value of each PUF response bit does not exceed 54%, which is equivalent to a random guess.

1. Introduction

The Internet of Vehicles is a cutting-edge technology that has made significant strides by creating intelligent vehicles equipped with connected sensors and electronic control units (ECUs). Wireless communication has significantly transformed the way data are transmitted by enabling faster and more reliable connectivity with lower latency and higher availability [1]. These advances have been embraced by various protocols and applications in IoV [2]. In essence, IoV represents the integration of Vehicular Ad Hoc Networks (VANETs) and the Internet of Things (IoT) [3]. The emergence of IoT has resulted in a significant change in the way vehicles interact with networks to obtain real-time traffic updates, ensure safe navigation, and support other driving features. According to industry analysts at Gartner, the imminent arrival of the fifth-generation IoT communication technology (5G IoT) is expected to be the driving force behind the development of connected cars. It is projected that by 2030, the automotive industry will capture a substantial percentage of the market opportunity for 5G IoT, with connected vehicles accounting for approximately 53% of the overall 5G IoT endpoints [4].

IoV leverages a range of networking technologies to facilitate seamless communication between different components within a vehicle, as well as with other entities on the road, such as other vehicles and the roadside infrastructure. This fosters the sharing of valuable insights and information. However, given the presence of multiple IoT sensors and processors within the IoV network, connectivity through the network does carry inherent risks. Wireless communications between vehicles and V2R generally make them vulnerable to a number of security attacks, including Denial of Service (DoS), masquerading, and man-in-the-middle attacks. An eavesdropper can overhear communications between a user and a vehicle. Consequently, a piece of secret information is captured and misused for different malicious purposes, which can cause serious interruptions [5]. Moreover, the constant exchange of information between road entities makes IoV an attractive target for eavesdroppers [6]. Such vulnerability raises significant concerns, as it can potentially lead to malicious activities that can endanger the safety, security, and privacy of the vehicle system. The manipulation of Tesla’s Autopilot self-driving software by hackers is an example of how serious this issue is, where the software was tricked into swerving into oncoming traffic [7]. Given the security threats of IoV, protecting the network is very crucial.

Node (or user) authentication is an essential security aspect before launching a secure communication session. Most existing authentication protocols in IoV are cryptography based, either asymmetric (employing public–private keys), or symmetric (using a shared secret key) [8]. The former is computationally demanding for the resource-constrained vehicle on-board electronic system, while the latter requires key pre-agreement and storage and often involves a trusted third-party, e.g., a server. A centralized node authentication process would not suit V2V and V2R communication [9]. An effective hardware-based strategy that has been proposed in the literature is to generate authentication tokens (secret keys) dynamically [10]. PUFs are one example of hardware primitives that can support such a strategy. The PUF design makes use of the random and uncontrollable variations that occur during the manufacturing of integrated circuits to create a unique device signature. PUF is a technology that maps input bits, known as a challenge, to an output bit or bits that reflect the circuit output response. This unique challenge–response mapping is often exploited in security solutions as an alternative to storing secrets in device memories [11].

One of the primary benefits of PUF-based authentication is that it facilitates the generation of a secret key/token on demand, thereby eliminating the need for storage. Typically, a server is given a subset of the challenge–response pairs (CRPs). The server then acts as a verifier by sending the vehicle (prover) a challenge bit-string and matches what the prover generates from its PUF with the pre-known (expected) response. However, the aforementioned process is not compatible with environments like the IoV, which prefer autonomous management strategies. One major challenge with using PUFs for distributed authentication is that the exchange of challenge and response happens between IoV nodes instead of the secure server. This increases the vulnerability to attacks, as eavesdroppers can intercept these interactions and collect enough CRPs to model the underlying PUF using machine learning (ML) techniques [12]. Encrypting the challenge and/or the response imposes overhead and requires key management, and consequently is not an attractive option. This paper aims to address this technical issue by utilizing the physical properties of communication links to obscure the exchanged challenge and response bits between IoV nodes [13]. Specifically, we leverage the increased use of the MIMO technology in wireless communication. As shown in Figure 1, every node will have an embedded PUF as well as a MIMO antenna array.

We propose a novel lightweight mutual authentication protocol for V2V and V2R without involving heavy computational techniques, such as cryptography-based algorithms. The proposed protocol obtains a node, i.e., a vehicle ${\delta }_A$, to share a limited number of its CRPs ${\gamma }_{A\to B}$ with a roadside unit (RSU), i.e., verifier ${\delta }_B$. Contrasted with a central network where a secure server is involved, a set ${\gamma }_{A\to B}$ might be disclosed or ${\delta }_B$ gets hacked. Our proposed protocol employs an innovative technique to prevent a cloning attack that might eavesdrop on the communication between ${\delta }_B$ and ${\delta }_A$, thereby capturing a number of CRPs to model the ${\delta }_A$ PUF accurately. The challenge bit is encoded using the MIMO antenna array in a way that is controlled by the verifier and changes continuously. As demonstrated by the results of a PUF implementation, our proposed method effectively and robustly defeats cyberattacks. This paper extends our previous work [14] that exploits PUFs and MIMO in authenticating IoT nodes. Such work does not handle dynamic scenarios, where a node is in motion, which is common in the context of the IoV. The proposed protocol addresses such a limitation. To ease the presentation, we use ${\delta }_A$ as an indication of the vehicle throughout the paper and ${\delta }_B$ for the RSU node. The main contribution of this work can be summarized as follows:

• Developing a novel lightweight mutual authentication protocol for IoV that does not require a trusted third party, such as a server, during the authentication process;
• Leveraging hardware-based security primitives, specifically PUFs, which ensures no heavy computational overhead is imposed on the resource constraints of IoV;
• Exploiting the configurability of the MIMO technology to implicitly transmit the CRPs of the PUF and mutually authenticate the IoV nodes;
• Proposing a mapping technique that utilizes the physical properties of communication links to obscure the exchanged challenge and response bits between IoV nodes, thereby protecting against ML-based PUF modeling attacks and impersonation attempts.

The remainder of the paper is organized as follows. Section 2 discusses the related work on IoV authentication and PUF-based solutions. In Section 3, we cover some background on PUFs, present the system model, and provide an overview of our solution strategy. Section 4 describes the proposed protocol in detail. Section 5 and Section 6 report the validation setup and performance results, while Section 7 provides an error rate analysis. We conclude the paper in Section 8.

2. Related Work

Numerous security provisions and authentication techniques have been developed to protect wireless networks [15]. Yet, these techniques fall short of the requirements for an IoV network that operates in an unattended setup with minimal human intervention. Storing the device identity in its memory, which is widely utilized in various authentication techniques, might not be sufficiently secure. The use of PUFs is a viable option for mitigating these shortcomings. On the other hand, some solutions have been geared for applications of ad hoc networks. For example, Wang [16] proposed a bi-directional authentication scheme using elliptic curve encryption and bilinear pair mapping theory, which improves efficiency and security. In addition to the heavy computational load, this approach requires storing the device identity at the RSU. Patil et al. [17] presented a protocol that utilizes blockchain smart contracts to facilitate the authentication of an IoT device by miners in the blockchain network. Yet, they employed the Diffie–Hellman key exchange protocol, which is computationally heavy. The AKAP-IoV system, proposed by Bojjagani et al. [18], enables mutual authentication and key management among various entities, including vehicles, roadside units, and fog and cloud servers. AKAP-IoV applies the elliptic curve integrated encryption scheme (ECIES) for encryption and decryption, as well as the elliptic curve digital signature algorithm (ECDSA) for signature generation and verification; neither ECIES nor ECDSA is lightweight. Similarly, Bagga et al. [19] proposed a Mutual Authentication and Key Management Scheme for an IoV-enabled Intelligent Transportation System, referred to as MAKMS-IoV. MAKMS-IoV employs elliptic curve cryptography (ECC) for two levels of authentication and session key agreement. The first level pertains to a cluster head in a vehicle cluster and its associated RSU. The second level pertains to authentication and session key agreement between any two neighboring vehicles in a cluster (V2V). However, these protocols introduce a significant computational load. Wallrabenstein [20] aims to reduce the computational complexity of the authentication process by employing only ECC. Nevertheless, this approach requires some alterations in the device hardware. It is worth noting that some work has focused on authenticating the shared data in IoV rather than the source of such data, i.e., the vehicle itself. For example, HIDE [21] factors in the spatial dependency of traffic data to assess the validity of the claimed mobility patterns of vehicles.

Some security solutions have exploited the advantages of PUFs. Chatterjee et al. [13] proposed an authentication protocol that utilizes PUF, along with identity-based encryption and a keyed hash function. The protocol of Yoon et al. [22] is also PUF based and seeks to establish mutual authentication among IoT devices. However, the protocol introduces additional complexity via the encryption of the exchanged CRPs between devices. Furthermore, the protocol requires the involvement of an intermediary server to store CRPs and generate secure keys. Additionally, Fakroon et al. [23] introduced a multi-factor authentication protocol that relies on PUFs and user passwords. Alladi and Chamola [24] aim to provide a secure authentication method for Healthcare IoT devices. The registration process involves storing the CRPs of the PUF in a database, making it vulnerable to machine learning attacks. Nimmy et al. [25] proposed an authentication protocol for IoT that leverages geometric threshold secret sharing and PUF. This protocol aims to eliminate the need for the explicit storage of CRPs in the verifier’s database. However, the verifier is still required to store the share of the challenge and the hash of the response. Moreover, Jiang et al. [26] proposed a three-factor authentication protocol for IoV. Such a protocol is designed to provide secure communication between a pair of honest parties, namely, the vehicle sensor and the user, or the vehicle sensor and the data center. It utilizes ECC, hash functions, and PUFs as well as string concatenation and XOR operations. Yet, an attacker can potentially extract the shared session key between the two honest parties. All the aforementioned protection techniques require a secure server for authenticating the underlying network nodes.

Although a PUF is designed to be unclonable, it is still susceptible to modeling attacks. This happens when an attacker acquires a sufficient number of CRPs. For instance, the attacker could eavesdrop on a prover node to intercept the authentication messages exchanged with other nodes, i.e., verifiers. With the intercepted messages, the attacker can create a machine-learning model that behaves like the prover’s PUF and can predict the responses for unused challenges. In order to address such a vulnerability, Majzoobi et al. [27] proposed to send only a subset of the response bits to the verifier instead of the entire set of bits. The subset of the response is determined using a synchronized random number generator between the prover and verifier. Another approach is presented by Ebrahimabadi et al. [28], where the challenge bit string undergoes a process of shuffling and is subsequently partitioned across multiple messages. Furthermore, challenge obfuscation has been explored as a technique in which the challenge bit strings are encrypted or hashed, and the encrypted version is then used to authenticate the nodes in the PUF [29].

P-MAP [30] is designed to provide mutual authentication and mitigate modeling attacks. It employs two challenges and a bitwise binary operation that is unique to the communicating nodes. However, while this mechanism is effective at countering modeling attacks, it is important to note that P-MAP has limitations. Notably, an attacker may still be able to access the challenge bits, and the security of the protocol is dependent on the secrecy of the binary operation. The proposed protocol in this paper incorporates the advantageous features of MIMO technology to prevent adversaries from accessing challenge and response bits. This renders machine learning-based modeling attempts futile. The utilization of MIMO technology ensures that the adversary is effectively deprived of the requisite knowledge to undertake an attack on the system. Tang et al. [31] leveraged MIMO technology to ensure secure transmission between two nodes through the use of a “key bit” for encrypting confidential information. The key is encoded in the indexes of the activated/deactivated antenna combination of the receiver. The approach was subsequently extended in [32] to enable the sharing of a broadcast key with a group of devices. However, this method is vulnerable to impersonation attacks. To address such a security threat, our proposed approach incorporates PUFs.

3. System Model and Approach Overview

This section covers some preliminaries, highlights the underlying network operation, enumerates the made assumptions, and provides an overview of the proposed security solution.

3.1. Physical Unclonable Functions

The fundamental design basis of PUF is that there will always be small discrepancies in microelectronic circuits due to manufacturing imperfection [33]. Such imperfection is tolerated and does not significantly impact how efficiently integrated circuits operate. PUFs have been constructed to take advantage of these variations to produce a distinct hardware-driven fingerprint [33]. A PUF generates a unique mapping from an input bit string, referred to as a challenge, to an output bit that constitutes the PUF response. To clarify, Figure 2 shows the design of an Arbiter-PUF, which is one of the prominent PUF designs. The Arbiter-PUF is designed to exploit the variation in propagation delays. Since not every integrated circuit encounters the same delay, the latched value for the same challenge bits will vary and be influenced by the device manufacturing despite implementing the same circuit. Thus, for each challenge C, a response R is generated uniquely; the relationship between C and R is represented as $PUF\left(C\right)=R$. PUFs are categorized based on the size of the challenge bits as strong or weak. The fundamental classification is related to the number of combinations, i.e., $2^n$. A strong PUF (large n) is favored for authentication, while a weak PUF latter is often viewed as suitable enough for key generation purposes.

3.2. System and Threat Models

The system model considered in this paper consists of a vehicle and an RSU as shown in Figure 1. Every node is equipped with a PUF, which is used for generating a response when queried with a challenge bit string. On a vehicle, the PUF could be embedded in the on-board computer. We assume that each node has a MIMO antenna array, which enhances the link quality while enabling more efficient use of the spectrum. The distance between each antenna array segment is greater than half a radio frequency wavelength. We denote the number of antennas of a vehicle ${\delta }_A$ and the RSU ${\delta }_B$, by $N_{{\delta }_A}$ and $N_{{\delta }_B}$, respectively. For medium access, standard time division multiplexing is employed. Since our proposed protocol essentially is geared for authentication, a large set of CRPS is required to counter brute-force attacks by an adversary. Thus, a strong PUF is incorporated to satisfy such a requirement. The presentation in the rest of the paper is based on the use of an Arbiter-PUF, discussed above. Nonetheless, the proposed authentication protocol can be applied to other strong PUF designs.

Although a PUF is deemed effective for authentication, it could be susceptible to modeling attacks, wherein an attacker obtains CRPs of the PUF and imitates the characteristics by building a machine-learning model. To clarify, the adversary intercepts the communication between two nodes, in our case a vehicle ${\delta }_A$ and one or more RSUs to capture a sufficient CRP count. The intercepted CRPs are then used to train a machine learning model for the PUF of ${\delta }_A$. Such an attacker would then be able to predict the response of the vehicle’s PUF, denoted by $PU{F}_{{\delta }_A}$, to any assigned challenge bits. The attack scenario is represented in Figure 1, where a passive adversary ${\delta }_{Eve}$ with $N_{{\delta }_{Eve}}$ antennas is eavesdropping on the communication link between ${\delta }_A$ and ${\delta }_B$. It is thus essential to protect the CRPs in order to safeguard against impersonation attacks.

3.3. Approach Overview

The objective of this paper is to establish a secure communication session between a vehicle ${\delta }_A$ and RSU ${\delta }_B$ by performing mutual authentication between these two nodes. Nonetheless, the proposed protocol can be applied for V2V as well. We introduce a lightweight protocol that enables mutual authentication between a vehicle and RSU by utilizing PUFs and a MIMO-based mapping technique to enhance communication security against the threat of device hacking. In our approach, vehicles can be authenticated without the need for a third party during network operation. However, a trusted third party might be needed in the enrollment phase. In the enrollment phase, the RSU will be provided a collection of CRPs derived from the PUF of the vehicles within the network. For example, the vehicle ${\delta }_A$ will share a set ${\gamma }_{B\to A}$ of CRPs with the RSU, where $|{\gamma }_{B\to A}|$ is not sufficient for developing an effective machine learning model of the PUF of ${\delta }_A$.

To further enhance the security of communication, we employ a MIMO mapping technique to transmit a challenge bit pattern. Such a mapping determines the number of antennas utilized by the communicating nodes. The idea is to partition the challenge bits into $N_{{\delta }_A}-N_D$ segments, where $N_{{\delta }_A}$ is the number of the antennas that a vehicle has, and $N_D$ is the number of deactivated antennas. The set of segments $Seg$ is ordered, where the order is determined based on the node ID. For example, assume $N_{{\delta }_A}=4$ and one antenna is deactivated, i.e., $N_D=1$; generally, the number of deactivated antennas can take any value that is less than $N_{{\delta }_A}$. A possible segmentation order for ${\delta }_A$ may be $Seg=\{s_2,s_3,s_1\}$; we note that another ordering can be pursued as long as it can be inferred based on the node ID. Then, the RSU ${\delta }_B$ will deactivate one of ${\delta }_A$’s antennas and activate the others. This process encodes an index that indicates which antenna holds a portion of C. The vehicle can use the same method to transmit the PUF response. The proposed protocol is discussed in detail in the next section.

4. Protocol Design

The proposed protocol has two phases, namely, enrollment and operation. The latter covers decoding at the receiver, challenge bits obfuscation using MIMO precoding at the sender, and physical layer channel estimation.

4.1. Enrollment Phase

During the enrollment process, each node needs to share specific information in order to become part of the network. Once enrolled, the newly joined vehicle will share a subset of the CRPs with the RSUs. To illustrate, if a vehicle ${\delta }_i$ shares ${\Gamma }_i$ in the system, where ${\Gamma }_i$ is a subset of all CRPs of the PUF of ${\delta }_i$ (denoted by $PU{F}_i$), after that, the RSU ${\delta }_j$ will have ${\gamma }_{i\to j}$ s.t. ${\gamma }_{i\to j}\subset {\Gamma }_i$. To ensure a sufficient variety of the provided CRPs of $PU{F}_i$ within the RSUs in the system, $\gamma$ will be distinct for each RSU s.t. ${\gamma }_{i\to j}\ne {\gamma }_{i\to g}$ for all $j\ne g$, where ${\Gamma }_i$ is constructed based on the number of RSUs in the network. Additionally, each node (i.e., vehicle/RSU) will be provided with a segmentation order $Se{g}_i$ for other nodes in the system. The proposed protocol utilizes the PUF incorporated in each device to identify the segmentation by defining $Se{g}_i=PU{F}_j\left(I{D}_i\right)$.

We note that the process of enrollment can be streamlined through the utilization of a trusted server, which would be particularly beneficial if nodes are joining the network at varying intervals. However, it is important to recognize that this approach remains distributed in nature, as the enrollment phase serves solely as an initialization process, and no centralized entity is involved during the operation phase. Once enrolled, the node will transition to the operation phase, wherein inter-node interaction is application dependent and will be further elucidated in subsequent subsections.

4.2. Channel Estimation

As illustrated in Figure 1, a vehicle attempts to communicate with an RSU node. We assumed that the communication link between the vehicle and the RSU could work for any frequency band. Due to weak non-line-of-sight (NLoS) links in the outdoor environment, the line-of-sight (LoS) link is the only channel we consider between the vehicle and the RSU. The gain between the antenna at the vehicle ${\delta }_A$ and the antenna at the RSU ${\delta }_B$ can be written as [34]:

$$\begin{array}{c}\hfill h_{{\delta }_{A_i},{\delta }_{B_j}}=\frac{p_0}{d_{{\delta }_{A_i},{\delta }_{B_j}}^2}\end{array}$$

(1)

where $d_{{\delta }_{A_i},{\delta }_{B_j}}$ is the distance between the $i^{th}$ antenna at the vehicle to the $j^{th}$ antenna at the RSU, with $2\le i\le N_{{\delta }_A}$ and $2\le j\le N_{{\delta }_B}$. Recall that $N_{{\delta }_A}$ and $N_{{\delta }_B}$ are the number of antennas that a vehicle and an RSU have, respectively. $p_0$ denotes the channel gain at a reference distance of 1 and is calculated as $p_0={\left(\frac{\mathcal{L}}{4\pi f}\right)}^2$, where $\mathcal{L}$ is the speed of light, and f is the operating frequency. To apply our protocol, first ${\delta }_A$ sends a pilot signal to ${\delta }_B$ in a time that is lower than the channel coherence time [35]. ${\delta }_B$ estimates the up-link channel using:

$${\mathbf{H}}_{{\delta }_A{\delta }_B}=$$

$$\left(\begin{array}{cccc}{h}_{{\delta }_{A_1},{\delta }_{B_1}}& h_{{\delta }_{A_1},{\delta }_{B_j}}& \cdots & h_{{\delta }_{A_1},{\delta }_{B_{N_B}}}\\ ⋮& ⋮& \ddots & ⋮\\ h_{{\delta }_{A_{N_A},{\delta }_{B_1}}}& h_{{\delta }_{A_{N_B}},{\delta }_{B_j}}& \cdots & h_{{\delta }_{A_{N_A}},{\delta }_{B_{N_B}}}\end{array}\right)$$

(2)

where ${\mathbf{H}}_{{\delta }_A{\delta }_B}$$\in M^{N_{{\delta }_A}\times N_{{\delta }_B}}$ reflects the engagement of all antennas of ${\delta }_A$ and ${\delta }_B$, and M is a matrix with a size of $i\times j$. In order to obtain the corresponding down-link channel, ${\delta }_B$ transposes ${\mathbf{H}}_{{\delta }_A{\delta }_B}$ as ${\mathbf{H}}_{{\delta }_B{\delta }_A}={\mathbf{H}}_{{\delta }_A{\delta }_B}^T$. The RSU will need to normalize the estimated channel matrix to reduce the possible impact of path loss, then will compute the precoding weights space using zero-forcing precoding [36] $\mathcal{W}$$\in M^{N_{{\delta }_B}\times N_{{\delta }_A}}$ as:

$$\begin{array}{c}\hfill \mathcal{W}=\frac{{\mathbf{H}}_{{\delta }_A{\delta }_B}^H{\left({\mathbf{H}}_{{\delta }_A{\delta }_B}{\mathbf{H}}_{{\delta }_A{\delta }_B}^H\right)}^{-1}}{\parallel {\mathbf{H}}_{{\delta }_A{\delta }_B}^H{\left({\mathbf{H}}_{{\delta }_A{\delta }_B}{\mathbf{H}}_{{\delta }_A{\delta }_B}^H\right)}^{-1}\parallel }=(w_1,w_2,...,w_{N_{{\delta }_A}})\end{array}$$

(3)

where each column vector $w_j\in M^{N_{{\delta }_A}\times 1},j=1,2,..,N_{{\delta }_B}$ is normalized as ${\parallel w_j\parallel }^2=1$. Thus

$$\begin{array}{c}\hfill {\mathbf{H}}_{{\delta }_A{\delta }_B}\mathcal{W}=\mathrm{diag}(\frac{1}{\parallel w_1\parallel },\frac{1}{\parallel w_2\parallel },....,\frac{1}{\parallel w_{N_{{\delta }_A}}\parallel })\end{array}$$

(4)

4.3. Challenge Bits Mapping

Let $\mathbf{e}$ be the set of antenna indices, i.e., $\mathbf{e}=\{e_1,e_2,e_3,....,e_{N_{{\delta }_A}}\}$. The cardinality of $\mathbf{e}$ depends on the number of antennas ($N_{{\delta }_A}$) of ${\delta }_A$. Our proposed protocol maps the challenge bit string C utilizing these antennae indices. Specifically, when ${\delta }_B$ intends to transmit the bit string C, it will activate a certain combination of the antenna elements of ${\delta }_A$. An activated antenna index is represented by “1”, while an inactivated index is represented by “0”. Thus, we construct the non-zero precoding weights $\mathcal{W}\left(\mathbf{e}\right)$ by excluding the zero column vector of $\mathcal{W}$ and combine the remaining ($N_{{\delta }_A-1}$) column as:

$$\begin{array}{c}\hfill \mathcal{W}\left(\mathbf{e}\right)=\sqrt{\frac{P_w}{N_{{\delta }_A}-1}}\sum _{j=1}^{In\left(\mathbf{e}\right)}{w}_j,\end{array}$$

(5)

where $P_w$ denotes the transmit power and $In\left(\mathbf{e}\right)$ represents the index of non-zero antennas in e. Based on (1), (2), and (5), the received signal by ${\delta }_A$ can thus be represented as:

$$\begin{array}{c}\hfill {\mathbf{Y}}_{{\delta }_A}={\mathbf{H}}_{{\delta }_B{\delta }_A}\mathcal{W}\left(\mathbf{e}\right)C+n=\sqrt{P_s}{\mathbf{H}}_{{\delta }_B{\delta }_A}\sum _{j=1}^{(N_{{\delta }_A}-1)}{w}_{j}C+n\end{array}$$

(6)

where $n\in M^{N_{{\delta }_A}\times 1}$ is the additive Gaussian noise of the signal received by ${\delta }_A$, and ${\mathbf{Y}}_{{\delta }_A}=(y_1,y_2,y_3,....,y_{N_{{\delta }_A}})\in M^{N_{{\delta }_A}\times 1}$ indicates the received signals vector. $P_s$ is the transmit power on each transmission s.t. $P_s=\frac{P_w}{(N_{{\delta }_A}-1)}$. Based on the activated\deactivated antenna elements, the received signal of ${\delta }_A$ s.t. $y\in {\mathbf{Y}}_{{\delta }_A}$ can be written as:

$$\begin{array}{c}\hfill y_j=\frac{\sqrt{P_w}}{\parallel w_j\parallel }C+n,(\mathrm{an}\mathrm{active}\mathrm{antenna})\end{array}$$

(7)

$$\begin{array}{c}\hfill y_j=n,(\mathrm{non-active}\mathrm{antenna})\end{array}$$

(8)

From (5)–(8), the received signal of ${\delta }_A$ will be:

$$\begin{array}{c}\hfill {\mathbf{Y}}_{{\delta }_A}=\sqrt{P_s}{(\frac{1}{\parallel w_1\parallel },...,0,...,\frac{1}{\parallel w_{N_{{\delta }_A}}\parallel })}^{T}C+n\end{array}$$

(9)

where “0” in the position of the antenna implies it is inactive. To illustrate, assume that $N_{{\delta }_A}=5$, and that the RSU ${\delta }_B$ sets $N_D=1$ and disables, i.e., deactivates, the second antenna; hence, the antenna indices can be written as $\mathbf{e}=\left(10111\right)$. Then, ${\delta }_B$ transmits the challenge bits C in four segments $s_1,s_2,s_3$, and $s_4$ using the activated antennas. Effectively, C is constructed by combining the segments $s_1,s_2,s_3$, and $s_4$, where each segment reflects a subset of C, e.g., $s_1=\{c_1,..,c_{16}\},s_2=\{c_{17},..,c_{32}\},s_3=\{c_{33},..,c_{48}\},s_4=\{c_{49},..,c_{64}\}$. Assume that $Se{g}_A$ is the segmentation order of ${\delta }_A$, where $Se{g}_A=(s_3,s_2,s_1,s_4)$. The antenna index mapping will be $e_1=s_2$, $e_3=s_3$, $e_4=s_1$ and $e_5=s_4$. Because the second antenna is not activated, it will not convey any part (bits) of C. Therefore, the eavesdropper has to recognize the segmentation of C, even if the antenna index $\mathbf{e}$ is exposed. As aforementioned, the node ID is used to infer the segmentation order for each node.

4.4. Decoding Transmitted Bits

At the final stage, once the vehicle receives the down-link signal, it will determine the indices of the deactivated antenna segments to correctly construct the challenge bit C. To achieve this, ${\delta }_A$ determines if the $i^{th}$ antenna index is activated or not by utilizing the following function, which seeks the lowest signal-plus-noise (LSPN) value:

$$\begin{array}{c}\hfill f_e\left({\mathbf{Y}}_{{\delta }_A}\right)=\mathrm{index}\left[\arg \min (|y_1{|}^2,|y_2{|}^2,...,|y_{N_{{\delta }_A}}{|}^2)\right]\end{array}$$

(10)

$$=\widehat{\mathbf{e}}\left(i\right)$$

Using $\widehat{\mathbf{e}}$, ${\delta }_A$ identifies the antenna segments that are activated and cover C. These observed bits are then combined to form the complete challenge bits C. To clarify, let us consider the aforementioned example with $N_{{\delta }_A}=5$, and $N_D=1$. In such a case, $\widehat{\mathbf{e}}=(1,0,1,1,1)$, where four challenge bits, namely, $s_3$, $s_2$, $s_1$, and $s_4$, will be individually received on antennas 0, 2, 3, and 4, respectively. $Se{g}_A$ is then used to construct C such that $Se{g}_A(s_3,s_2,s_1,s_4)=C$. Subsequently, C is applied to $PU{F}_A$ to generate R, where $PU{F}_A\left(C\right)=R$. Finally, ${\delta }_A$ transmits R by following the above steps. Upon receiving R, ${\delta }_B$ compares R with the value obtained during the enrollment phase. ${\delta }_A$ is authenticated upon a successful match. The message sequence during the operation phase of the proposed protocol is depicted in Figure 3.

5. Validation Setup

We implemented the Arbiter-PUF design described earlier in Figure 2 using MATLAB on PC with AMD Ryzen 7 5700U processor running Windows 10 with 16 GB memory. To assess the robustness of our PUF implementation, we considered the performance metrics described in Appendix A; the uniformity of the utilized Arbiter-PUF is 47%, with a uniqueness of 49.69%. As mentioned earlier, mitigating the noise effect caused by ambient temperatures is out of the scope of this work. In other words, the reliability of the PUF was evaluated under a normal temperature. Therefore, the hamming distance between the responses is 0. We further used MATLAB to simulate the IoV operation. The simulation parameters were consistent across all nodes, including vehicle, RSU, and the eavesdropper, all of which shared the same number of antennas, i.e., $N_{{\delta }_A}=N_{{\delta }_B}=N_{{\delta }_{Eve}}=5$. Assuming that the vehicle is mobile, our authentication protocol is applied while the SNR varies from 0 dB to 30 dB based on the distance, transmitted power, and path loss between the two communicating nodes. It was assumed that white Gaussian noise had a zero mean. An SVM is utilized as a representative machine learning technique to model how an adversary ${\delta }_{Eve}$ might execute a cloning attack on the authentication protocol.

For the adversary to launch any cyberattacks, such as impersonation, data forgery, and man-in-the-middle attacks, the underlying device secrets need to be uncovered. In the context of PUFs, that means being able to model the challenge–response mapping through the incorporation of ML techniques. Recall that a key advantage of the PUF design is that it is tamper resistant, and the CRPs (device secrets) are not stored in memory. Hence, our analysis focused on thwarting modeling attacks. We initially used SVM and NN to model the Arbiter-PUF without the application of our approach. When using 5000 CRPs, SVM was able to achieve an accuracy of 99% and 98% for modeling the 16-bit and 64-bit PUF, respectively, as reported in Figure 4. We repeated the experiment using NN, which consisted of an input layer with 64 nodes for 64-bit PUF and 16 nodes for 16-bit PUF, and one hidden layer with 2 and 100 neurons for 16-bit and 64-bit, respectively. An output layer was added with a sigmoid activation function [37]. The first two layers utilized a rectified linear activation function (Relu) to achieve high performance. As shown in Figure 4, when using 5000 CRPs, NN could successfully model the 16-bit and 64-bit PUFs with 99% accuracy.

6. Performance Results and Discussion

During the operation phase, an eavesdropper ${\delta }_{Eve}$ may intercept the communication between ${\delta }_A$ and ${\delta }_B$ with the intention to acquire a significant number of CRPs to mimic the ${\delta }_A$ PUF ($PU{F}_A$), thereby impersonating ${\delta }_A$. The MIMO mapping technique in our proposed protocol hinders such an attacker from entirely recording the challenge bits C without being aware of $f_{\mathbf{e}}$ to obtain $\mathbf{e}$. We implemented three attack scenarios aimed at impersonating ${\delta }_A$ by modeling its PUF: (1) The attacker acts as a malicious node within the network with complete awareness of the authentication protocol. (2) Distinct from the previous case, here, the adversary lacks a detailed understanding of the protocol but is aware of the existence of an index mapping function ($f_{\mathbf{e}}$) without knowledge of how $f_{\mathbf{e}}$ is being applied. (3) The external attacker does not know the authentication protocol. The following discusses the results:

• High-awareness attack (${\delta }_{Eve,1}$): In this case, ${\delta }_{Eve,1}$ obtains $\mathbf{e}$, which indicates whether the antenna is activated or not. The comparison of ${\delta }_{Eve,1}$ and ${\delta }_A$ in Figure 5 shows that ${\delta }_{Eve,1}$ finds $\mathbf{e}$ with a probability of $83\%$ at the ideal SNR value 30 dB, while ${\delta }_A$ has $99\%$. Hence, the eavesdropper will record C as $\widehat{C}$, as the RSU includes $Se{g}_A\left(C\right)$ in the request message rather than the actual challenge bit string C. This is emphasized by the probability distribution in Figure 6; such a figure shows the case when ${\delta }_{Eve,1}$ has knowledge of $Se{g}_A\left(C\right)$, where the x-axis presents the SNR values and y-axis shows the probability that the attacker correctly observes C with varying the updating period of CRPs. ${\delta }_{Eve,1}$ attempts to identify $Se{g}_A$; yet, the latter is changed periodically. Such analysis is consistent with the results in Figure 7, where the x-axis shows the recorded number of CRPs of $PU{F}_A$ by ${\delta }_{Eve}$, and the y-axis reflects the ML accuracy of modeling the $PU{F}_{{\delta }_A}$ with 10 dB SNR. Figure 7 demonstrates the modeling attack performed on two PUF sizes, 16-bit and 64-bit. As shown, the highest accuracy that the ML model can achieve is not greater than $54\%$, which is clearly a random guess, given the Boolean nature of the PUF response.
• Partial-awareness attack (${\delta }_{Eve,2}$): In this type of attack, ${\delta }_{Eve,2}$ is aware of $f_{\mathbf{e}}$ but does not realize how it is being used. For example, let the antenna indices be $\mathbf{e}=\left(1110\right)$; one potential scenario by the adversary is dropping the first antenna index such that ${\mathbf{e}}_{Eve}=\left(0111\right)$. Thus, the probability of ${\delta }_{Eve,2}$ to successfully predict the antenna indices $\mathbf{e}$ for the target node ${\delta }_A$ can be expressed as $Pr[\mathbf{e}={\mathbf{e}}_{Eve}]=\frac{1}{N_{{\delta }_A}}$. This is shown in Figure 5, where ${\delta }_{Eve,2}$ has the probability of 0.2. Such a modeling attack scenario will fail in building a ML model using the captured CRPs as shown in Figure 7, where the partial-awareness attack is simulated to model the PUF of ${\delta }_A$ considering two 16-bit and 64-bit PUFs.
• Non-awareness attack (${\delta }_{Eve,3}$): This attacker does not have any knowledge about the protocol configuration. Thus, ${\delta }_{Eve,3}$ will expect that all antennas are active since he/she does not know about either $f_{\mathbf{e}}$ or $\mathbf{e}$. Consequently, ${\delta }_{Eve,3}$ will record the challenge bits as 20 bits, considering the PUF size as 16 bits. To illustrate, assume the challenge bits being sent are 16 bits and $N_{{\delta }_{Eve},3}=5$. Since ${\delta }_{Eve,3}$ assumes all antennas are active, none of the antennas will be ignored. Thus, the total estimated bits would be 20 bits rather than 16 bits. Such a scenario is reflected in Figure 6, where the probability for ${\delta }_{Eve,3}$ is nearly 0.2. Accordingly, it is expected to find that the accuracy of ${\delta }_{Eve,3}$ in modeling the ${\delta }_A$ PUF is completely random as shown in Figure 7, where the highest accuracy achieved does not succeed $53\%$ in both the 16-bit and 64-bit PUFs.

7. Approach Robustness

To demonstrate the practicality of the proposed approach, we analyze the error rate using two measurement parameters—the Probability of the Error Index (PEI) and the Probability of the Error Challenge (PEC)—as follows:

• PEI: This is the probability of the error index $\widehat{e}$ being experienced by a node and can be expressed as:

  $$\begin{array}{c}\hfill PEI=Pr[e\left(\widehat{i}\right)\ne e\left(i\right)]\end{array}$$

  (11)
  PEI can be calculated mathematically using:

  $$\begin{array}{c}\hfill PEI=1-Pr\left[\min (|y_1{|}^2,|y_2{|}^2,...,|y_{N_{{\delta }_A}}{|}^2)\right]\ge {|y_{e\left(\widehat{i}\right)}|}^2\end{array}$$

  (12)

  where $|y_{e\left(\widehat{i}\right)}|$ is the received signal at the non-activated antenna.
• PEC: This reflects the probability of an erroneous challenge $\widehat{C}$ being extracted by the receiver. PEC can be expressed as:

  $$\begin{array}{c}\hfill PEC=Pr[\widehat{C}\ne C]\end{array}$$

  (13)
  The relationship between PEI and PEC can be expressed as:

  $$\begin{array}{c}\hfill PEC\simeq 1-{\left[1-P_{PEI}\right]}^{N_{Seg}\left({\delta }_A\right)}\end{array}$$

  (14)

  where $N_{Seg}\left({\delta }_A\right)$ is the number of segments of the challenge bit string.

As demonstrated by the results in Figure 8, the segmentation mechanism in our approach has a very low error rate in extracting the challenge bits by the legitimate node (i.e., RSU ${\delta }_A$). These results reflect an attacker who is fully aware of the approach, i.e., ${\delta }_{Eve,1}$, where the number of segments for ${\delta }_A$ varies from 2 to 32. For the largest segment count, only an error rate of 0.003 is experienced under 30dB SNR. Such a percentage has no notable effect on receiving the challenge bits correctly by ${\delta }_A$. Thus, there is no advantage of knowing $N_{Seg}\left({\delta }_A\right)$ since it is interpreted based on the node ID, and it changes periodically. This analysis concludes that having full knowledge of the operation and configuration of the proposed protocol will not allow the attacker to successfully model the PUF.

Figure 9 compares our protocol with the schemes of [32,38] in terms of PEC. As indicated by the results shown in Figure 9, our approach is as robust as the competing schemes, yet the challenge extracted by our approach reflects an obfuscated challenge and response transmissions. In [32,38], the secret information might be leaked, as both approaches entirely depend on their encoding techniques. However, the proposed protocol applies a node-specific function, where a PUF challenge C is partitioned into multiple segments while maintaining a very low PEC at the receiver side. As can be seen in Figure 8, with the highest number of segments, the receiver ${\delta }_A$ can only observe the challenge bits with a PEC of 0.003 at 30 dB. Thus, our protocol is more secure against modeling attacks since the exchanged CRPs are obfuscated using the aforementioned techniques. In addition, we consider the case where a user node ${\delta }_B$ and a vehicle ${\delta }_A$ pursue distributed authentication, which was not considered neither in [32] nor in [38].

The probability that ${\delta }_{Eve,1}$ accurately observes both C and R simultaneously is:

$$\begin{array}{c}\hfill Pr(\widehat{CRP}=CRP)=Pr(\widehat{C}=C).Pr(\widehat{R}=R|\widehat{C}=C)\end{array}$$

(15)

where $\widehat{CRP}$ denotes the successful inference of CRPs by ${\delta }_{Eve,1}$, whereas $\widehat{C}$ and $\widehat{R}$ indicate the observed values of C and R by ${\delta }_{Eve,1}$, respectively. Given the results in Figure 6, the maximum probability that ${\delta }_{Eve,1}$ correctly observes C is $0.8$ and occurs when the SNR is set to 30 dB. Thus, even with a $0.8$ probability of successfully guessing R, i.e., $Pr(\widehat{R}=R)=0.8$, according to Equation (15), the PUF modeling accuracy would not exceed 65%, which is quite low. Therefore, our approach is resilient against PUF modeling attacks.

The expression $PEI=Pr[e\left(\widehat{i}\right)\ne e\left(i\right)]$ in (11) denotes that the non-activated antenna’s observed index does not correspond to the desired non-activated antenna at ${\delta }_A$. The value of PEI is intricately related to the parameters $N_{{\delta }_A},N_{{\delta }_B},\mathrm{and}{P}_w$ as reflected in Figure 8. Assuming that the background noise follows a zero and covariance one complex Gaussian distribution $\mathcal{CN}(0,{\sigma }_{{\delta }_B}^2)$, Equation (12) indicates that when the $j^{th}$ antenna is not activated, ${\delta }_B$ will detect an erroneous index if the minimum LSPN of the other $N_{{\delta }_B}-1$ activated antennas exceeds that of such an inactive antenna (i.e., the $j^{th}$ antenna). Theorem 1 below proves that achieving $PEI\to 0$ is always possible.

Theorem 1.

For any $N_{{\delta }_A},N_{{\delta }_B},\le \infty$, when $\frac{P_w}{{\sigma }_{{\delta }_B}^2}\to \infty$, $PEI\to 0$.

Proof. 

From (7) and (8),when SNR $\frac{P_w}{{\sigma }_{{\delta }_B}^2}\to \infty$

$$\begin{array}{c}\hfill |y_x{|}^2=[\underset{\frac{P_w}{{\sigma }_{{\delta }_B}^2}\to \infty }{lim}|\frac{\sqrt{P_w}}{\parallel w_x\parallel }c+n_x{|}^2\to \infty ]\gg \underset{\frac{P_w}{{\sigma }_{{\delta }_B}^2}\to \infty }{lim}|y_z{|}^2={|n_z|}^2\forall x\in \mathit{Ind}\left(\mathit{e}\right),\forall z\notin \mathit{Ind}\left(\mathit{e}\right)\end{array}$$

(16)

where $\mathit{Ind}$ indicates the activated antenna indices. Consequently,

$$\begin{array}{c}\hfill \underset{\frac{P_w}{{\sigma }_{{\delta }_B}^2}\to \infty }{lim}Pr(|y_x{|}^2>|y_z{|}^2)\to 1,\forall x\in \mathit{Ind}\left(\mathit{e}\right),\forall z\notin \mathit{Ind}\left(\mathit{e}\right)\end{array}$$

(17)

From (17) and (11), Theorem 1 is proven. □

8. Conclusions

In the context of IoV, secure communication among vehicles and roadside units plays a pivotal role in preventing unauthorized access to sensitive information and the injection of malicious data. To support such a role, this paper presented a novel authentication protocol that utilizes hardware-based security primitives, namely PUFs. The proposed protocol allows vehicles and roadside units to authenticate each other. To prevent eavesdropping and impersonation, our protocol obfuscates the exchanged CRPs (challenge–response pairs) using the MIMO encoding technique. The paper also examines the resilience of the proposed approach against modeling attack capabilities for predicting the CRPs of the PUF. As a baseline, a machine learning attack using SVM and NN was applied and showed to achieve at least 98% accuracy when no protection is provisioned. When applying the proposed protocol, the CRP prediction accuracy did not exceed 54%, which indicates that it is similar to random guessing. In the future, we plan to examine the performance of our protocol using a prototype IoV.