Toward Smart Home Authentication Using PUF and Edge-Computing Paradigm

The smart home is a crucial embodiment of the internet of things (IoT), which enables users to access smart home services anytime and anywhere. Due to the limited resources of cloud computing, it cannot meet users’ real-time needs. Therefore, edge computing has emerged, providing users with better real-time access and storage. The application of edge computing in the smart home environment can enable users to enjoy smart home services. However, users and smart devices communicate through public channels, and malicious attackers may intercept information transmitted through public channels, resulting in user privacy disclosure. Therefore, protecting the secure communication between users and smart devices in the smart home environment is a critical issue. Furthermore, authentication protocols in smart home environments also have some security challenges. In this paper, we propose an anonymous authentication protocol that applies edge computing to the smart home environment to protect communication security between entities. To protect the security of smart devices, we embed physical unclonable functions (PUF) into each smart device. The real-or-random model, informal security analysis, and ProVerif are adopted to verify the security of our protocol. Finally, we compare our protocol with existing protocols regarding security and performance. The comparison results demonstrate that our protocol has higher security and slightly better performance.


Introduction
The internet of things (IoT) [1][2][3][4] is a network connected with everything, which can collect various types of information in real time and communicate with other devices. The development of the IoT has brought significant achievements in different fields, such as smart city [5][6][7][8], healthcare [9][10][11], vehicular ad hoc network (VANET) [12][13][14][15][16], smart home [17][18][19], and artificial intelligence [20,21]. The smart home is the embodiment of IoT. It is an environment in which smart devices are deployed in the house, and various devices provide services to users by connecting to the internet. People can access smart home services anytime and anywhere through voice assistants or applications and easily control smart devices. In the smart home environment, people's lives have become more comfortable, their lifestyle has become more intelligent, and their quality of life is constantly improving.
Many smart devices are deployed in the smart home environment, such as smart air conditioners, smart desk lamps, and smart curtains. These smart devices can provide users with various services. The traditional framework of the smart home is shown in Figure 1. The framework consists of four entities: registration authority (RA), users, gateway, and smart devices. The primary responsibilities of RA include the registration of users and smart devices as well as the distribution of system parameters. The gateway is a bridge between smart devices and users. Only smart devices registered in RA can provide services for users. Users use mobile devices (such as smartphones, tablets, and smartwatches) to control smart devices in their homes at any time. For example, users can turn on the air conditioner and close the curtains while outdoors, and users can check on the household by viewing the smart camera.
The traditional smart home architecture relies on centralized cloud computing, which is used for data collection and processing. There are some problems in the traditional architecture; for example, in monitoring, an application scenario that requires real-time feedback, cloud computing [22][23][24] will process a great deal of data, which may not meet users' real-time needs [25,26]. Edge computing [27][28][29] is closer to the data source than cloud computing. It can better process data and provide real-time access, solving the above problems. An edge gateway is the node of edge computing, which can provide real-time computing and storage in the smart home environment instead of going to the remote cloud center. The edge gateway can locally process the data collected between the user's mobile device and the smart device. First, the user and the smart device are registered in the registration center, and the registered legal user negotiates the session key with the smart device with the help of the edge gateway. Only legal users can enjoy smart home services. Although smart homes bring convenience to people's lives, users and smart devices communicate through public channels. Due to the openness of the public channel, the information transmitted in the public channel may be intercepted by malicious attackers, which will lead to user privacy disclosure. Therefore, protecting users and smart devices for secure communication is very important.
The physical unclonable function (PUF) [30,31] is a function that can be embedded in an integrated circuit. The integrated circuit takes a bit string as input (called the challenge) and generates a random response string as the output. For various PUF modules manufactured on the same integrated circuit, no two PUF modules will produce the same response if faced with the same challenges. If a malicious attacker wants to change or destroy the PUF, it will change the corresponding internal circuit and logic gate delay. At this time, even if the same challenge is entered, the malicious attacker cannot obtain the same response. According to the microstructure and response of a given PUF, it is difficult for a malicious attacker to guess or infer the correct challenge. Moreover, the PUF is available on demand and does not require secure storage.
In this paper, a smart home authentication protocol using PUF and edge computing paradigm is proposed. The following are the novelty and contributions of this paper:
(1) To the best of our knowledge, we are the first to introduce an edge-computing-based smart home architecture and propose an authentication protocol based on this architecture. In our protocol, the user and the smart device realize mutual authentication with the help of the edge gateway and successfully establish a session key for secure communication.
(2) We apply PUF to smart devices to prevent data-leakage attacks launched by attackers, thus ensuring data security. According to the security properties of PUF, even if an attacker gets the same challenge, they cannot get the same response. Therefore, using PUF in our protocol can resist tampering and biological cloning attacks.
(3) We verify the security of our protocol by using the real or random (ROR) model, informal security analysis and simulation software (ProVerif). The results show that the proposed protocol can resist several well-known attacks.
(4) Finally, we compare our protocol with existing protocols regarding security and performance. The comparisons demonstrate that our protocol guarantees better security and slightly lower communication cost.
The remainder of this paper is structured as follows. The relevant research on smart homes, edge computing, and PUF is briefly reviewed in Section 2. In Section 3, we describe the system model and detailed protocol. We prove the security of our proposed protocol in Section 4. In Section 5, we compare our protocol with existing protocols in terms of security and performance. In Section 6, we set forth our conclusions.

Related Work
Many researchers proposed several authentication and key agreement (AKA) protocols in different environments. In 2008, Jeong et al. [32] proposed a lightweight user authentication protocol in the home network environment. This protocol could not guarantee the anonymity of users, and users were easily tracked. In addition, the protocol could not resist attacks by privileged insiders. Vaidya et al. [33] proposed a strong cryptographic-based AKA protocol in the home network environment. The authors showed that this protocol has strong security. However, Kim et al. [34] performed cryptanalysis on the protocol of Vaidya et al. [33] and found that their protocol could not provide forward security and suffered from stolen smart card attacks. Kim et al. [34] indicated the security vulnerabilities of Vaidya et al.'s protocol [33] and proposed an enhanced AKA. Unfortunately, the protocol of Kim et al. [34] could not resist privileged insider attacks and was unable to guarantee users' anonymity and untraceability. In 2017, Wazid et al. [35] proposed a lightweight AKA for remote users. They proved that their protocol was secure and had good performance. However, Lyu et al. [36] discovered that the protocol of Wazid et al. [35] was unable to withstand stolen verifier attacks and synchronization attacks. Lyu et al. [36] introduced IFTTT as a home gateway and used it as the executor and supervisor of commands. In 2019, Shuai et al. [37] proposed an efficient AKA protocol using elliptic curve cryptography (ECC) and showed that the protocol could resist existing attacks. However, Kaur and Kumar [38] found that Shuai et al.'s protocol [37] was vulnerable to insider attacks, replay attacks, and offline password guessing attacks. Subsequently, Kaur and Kumar [38] proposed a two-factor AKA protocol to enhance security. Unfortunately, Yu et al. [18] found that the protocol of Kaur and Kumar [38] could not resist impersonation attacks and session key disclosure attacks and proposed a secure AKA protocol based on three factors. However, Alzahrani et al. [39] discovered that Yu et al.'s protocol [18] was unable to achieve mutual authentication. Banerjee et al. [40] found that Shuai et al.'s protocol [37] could not resist stolen smart card attacks and user impersonation attacks and then proposed an efficient anonymous authentication protocol. Unfortunately, this protocol cannot guarantee the anonymity and untraceability of users [41]. Oh et al. [42] proposed an efficient authentication protocol using the hash function for IoT-based smart home environments. They proved that the protocol can resist known attacks.
In edge-computing environments, Tsai and Lo [43] proposed an authentication protocol using identity-based encryption technology. This protocol is based on bilinear pairing and the identity-based cryptosystem, which reduced the computation of users and servers. However, Jiang et al. [44] proved that the protocol of Tsai and Lo [43] was vulnerable to server impersonation attacks. Irshad et al. [45] also found that Tsai and Lo's protocol [43] could not resist the de-synchronization attacks. They designed an improved multi-server authentication protocol and proved that the designed protocol could resist known attacks.
However, Xiong et al. [46] pointed out that the protocol of Irshad et al. [45] lacked the registration and revocation of users and designed a new protocol. Later, Jia et al. [47] designed an identity-based authentication protocol. However, Li et al. [26] found that Jia et al.'s protocol [47] could not resist man-in-the-middle (MITM) attacks and then proposed a novel mobile edge computing environment architecture and designed a lightweight AKA protocol on this architecture. Unluckily, Li et al.'s protocol [26] cannot resist replay attacks and denial of service attacks. Kaur et al. [48] proposed a lightweight privacy-preserving AKA protocol, which adopts elliptic curve cryptography to resist various attacks, thus ensuring secure communication between entities.
Numerous PUF-based AKA protocols were recently proposed to address the aforementioned well-known security issues. Aysu et al. [49] proposed a secure and efficient end-to-end AKA protocol based on PUF between servers and resource-limited devices. Chatterjee et al. [50] designed a PUF-based AKA protocol for the IoT to realize authentication and secure information transfer between devices. Braeken [51] analyzed Chatterjee's protocol [50] and found that it could not resist MITM attacks and replay attacks and proposed an efficient AKA protocol. Gope et al. [52] proposed a lightweight AKA protocol for user privacy protection in industrial wireless sensor networks. In this protocol, user and sensor nodes can authenticate and negotiate the session key with the aid of the gateway. Chen et al. [53] found that PUF-authentication protocols are vulnerable to machine learning attacks. Therefore, they adopted the concept of Shamir's secret sharing to design an AKA protocol to resist the attacks. Ebrahimabadi et al. [54] designed a novel authentication protocol based on PUF and showed that the protocol has better security and efficiency. In order to ensure that users can obtain secure and timely services in a smart city environment, Yu et al. [55] proposed a lightweight authentication protocol based on PUF in an internet of drones environment. Shao et al. [56] proposed an AKA protocol using PUF in a wireless medical sensor environment with limited resources to ensure data security and patient privacy. Some significant relevant works are listed in Table 1.

Table 1. The summary of authentication protocols.

Proposed Protocol
In this section, an authentication protocol using PUF and the edge-computing paradigm for the smart home environment is proposed. Four entities, trusted third party TTP, edge gateway EGW, user U i , and smart device SD j , are involved in our protocol. The system model is shown in Figure 2. Details on each entity are described below:
(1) Trusted third party TTP: TTP is a trusted entity, mainly responsible for the registration of home users and smart devices. Additionally, it stores a few users and smart device registration parameters in the edge gateway's secure database.
(2) Edge gateway EGW: EGW is a trusted entity and is deployed in the home. EGW can collect data from various smart devices, process the data, and send the processed data to users who need data. It also serves as a bridge between smart devices and users.
(3) Home user U i : U i refers to the legal users who have successfully registered through TTP. With the help of the EGW, legal home users can enjoy the services provided by smart devices and remotely control them through mobile devices (such as smartphones, tablets, and smartwatches) anytime and anywhere.
(4) Smart device SD j : SD j deployed in the smart home environment (such as cameras, smart refrigerators, smart desk lamps, and smart locks) must be registered with TTP. Each smart device is embedded with a PUF module. In the smart home, it can execute the instructions transmitted by the user through the edge gateway and collect the data.
Our protocol is divided into the registration, login and authentication phases. Before U i and SD j are deployed in the smart home environment, TTP generates a master key x. Each SD j has a unique identity SMID j and PUF module. The symbols used in the protocol are shown in Table 2, and the following thoroughly explains each phase.

Registration Phase
In the smart home environment, U i and SD j must register with TTP via a secure channel. There are two phases of registration: U i registration and SD j registration.
User Registration Phase. If U i wants to enjoy smart home services, he or she must first register as a legal user in TTP. The process of U i registration is shown in Figure 3. The steps of U i registration are described in detail below. (1) To begin with, U i uses the mobile device to enter the identity U ID i , password UPW i , and selects a random number a i . Then, the mobile device calculates If retrieved in the database, TTP rejects the U i 's registration. Or else, TTP calculates Thereafter, TTP calculation is completed, stores {PID i } in its database, and stores Finally,

Smart Device Registration Phase. SD j must be registered at TTP before it can provide smart home services to U i . The SD j registration process is shown in Figure 4. The following is the specific SD j registration process.
(1) Initially, SD j selects an identity SMID j and generates a challenge C j . Then, SD j calculates Finally, SD j sends {SMID j , C j , δ j } to TTP.
(2) After receiving {SMID j , C j , δ j }, TTP retrieves SMID j from the database. If not retrieved in the database, TTP calculates Then, TTP stores {SMID j } in its database and stores {SMID j , C j , δ j , X ST } in EGW's security database. Finally, TTP sends {X ST } to SD j .
(3) After receiving {X ST }, SD j generates a random number b j , and then calculates Finally, SD j stores {S 2 , S 3 , b j } in memory.

[Figure 4. Smart device registration phase, between SD j and TTP: SD j chooses an identity SMID j , generates a challenge set C j , and computes R j = PUF(C j ).]

Login and Authentication Phase
In this phase, all entities communicate via a public channel. With the help of the EGW, the legal U i establishes a session key SK with the SD j . The established SK facilitates the U i to safely obtain the service of the SD j and future communication. The detailed login and authentication process is shown in Figure 5. The steps of this process are described in detail below.
(1) First, U i uses the mobile device to input his own identity U ID i , password UPW i , and then calculates Next, U i checks V * i ? = V i . If it holds, U i successfully logs in. Otherwise, U i will be denied login. Then, U i calculates Additionally, U i selects the unique identity SMID j of the SD j , random number r i , and T 1 . At last, U i sends the message M 1 = {W 1 , W 2 , PID i , V UE , T 1 } through the public channel to EGW.
(2) When receiving M 1 sent by U i , EGW first checks |T 1 − T s | ≤ ∆T. If T 1 is valid, EGW uses PID i to retrieve X UT from the secure database, and calculates (SMID j r i ) = W 1 ⊕ h(X UT T 1 ), Next, EGW checks V * UE ? = V UE . If it is correct, EGW authenticates SD j , and uses SMID j to retrieve {C j , δ j , X ST } from the secure database. Then, EGW generates a timestamp T 2 , and calculates Eventually, EGW sends the message Next, SD j checks V * ED ? = V ED . If it is correct, the identity of the EGW is authenticated, then SD j calculates Additionally, SD j generates r j and T 3 , then calculates Finally, SD j sends the message If it is correct, EGW authenticates the SD j . Next, EGW generates a timestamp T 4 , and calculates At last, EGW sends the message M 4 = {W 5 , V EU , T 4 } to U i .
(5) When receiving M 4 sent by EGW, U i first checks |T 4 − T s | ≤ ∆T. Then, U i calculates Finally, U i checks V * EU ? = V EU . If the verification is successful, U i calculates The SK of the U i and SD j is successfully established, indicating the complete login and authentication process.
[Figure 5. Login and authentication phase: SD j generates r j and timestamp T 3 ; SK = h((RID i ⊕ r i ) (PSMID j ⊕ r j )).]

Formal Security Analysis
In this section, we verify the security of the proposed protocol by using the ROR [57][58][59] model. Under the ROR model, different rounds of games are set up to simulate whether an attacker (A) can crack the protocol in polynomial time and calculate the SK so as to verify the security of the proposed protocol.
Adversarial Model. In this paper, we use commonly used Dolev-Yao [60] and Canetti-Krawczyk [61] models. The following describes the capabilities of A in the above model.
(1) A can eavesdrop, update, delete, intercept and modify information in the public channel.
(2) A can steal U i 's mobile device and then obtain, through physical analysis, U i 's private information stored in the mobile device [62].
(3) Through a dictionary attack, A can guess U i 's identity or password, but A cannot simultaneously guess U i 's identity and password.
(4) A can obtain the temporary value of any entity.
(5) A cannot access information stored in the EGW security database.
Security Model. The proposed protocol involves U i , EGW, and SD j . We define Π x U i , Π y EGW , and Π z SD j to represent the x-th U i instance, the y-th EGW instance, and the z-th SD j instance, respectively. Here, assume that A can implement the following operations under the ROR model. According to both models, we adopt Theorem 1 to show the security of our proposed protocol.
Here, q h refers to the number of hash operations performed, |Hash| refers to the space of the hash function, |PUF| refers to the PUF function, and C and s refer to two constants.
Proof. We define five games, GM 0 -GM 4 , to simulate the process of A attacking our proposed protocol. In the process of proof, Succ GM i A (ξ) is defined as the probability of A winning in GM i , and Adv P A is defined as the advantage of A to crack the protocol. The specific proof steps are as follows:

GM 0 : In GM 0 , A starts the game by tossing a coin C and does not perform any operation in the game. Therefore, we can obtain

When GM 1 at the end of the session, calculate the SK by executing Test() query, where SK = h((RID i ⊕ r i ) (PSMID j ⊕ r j )). However, A cannot obtain values {RID i , PSMID j , r i , r j }, so A cannot calculate SK. Therefore, there is no difference between the probabilities of GM 1 and GM 0 :

GM 2 : Add Send() operation and Hash() operation in GM 2 . Because the authentication values {V UE , V ED , V DE , V EU } are composed of the private values generated by each entity and are secured by the hash function, A cannot tamper with the message. In addition, the random number in the authentication value is different in each session, so a hash collision does not occur. Therefore, according to the birthday paradox, we can obtain

GM 3 : In GM 3 , the difference from GM 2 is to delete the Hash() operation and add PUF query. As described in Section 1, according to the security attributes of the PUF (·), we can obtain the probability of GM 3 as

GM 4 : In GM 4 , A obtains the information {A 1 , R 1 , V i } in the mobile device by executing the Corrupt() query, and attempts to exploit the offline password guessing attacks to obtain the user's correct password UPW i . Since A cannot obtain U i 's PID i and random number a i , U i 's password cannot be guessed. Therefore, according to Zipf's law [63], we can conclude that Finally, A can only guess bit C to obtain the correct SK so as to win the game. Therefore, we can obtain Finally, we can conclude that

Informal Security Analysis
MITM Attacks. It is assumed that A can intercept all information transmitted in the public channel. Take message M 2 as an example. Message M 2 contains the authentication value V ED = h(RID i δ j X ST T 2 ). If A tries to tamper with the value of V ED , A does not know RID i , δ j , and X ST , so A cannot tamper with the authentication value V ED . Similarly, A cannot tamper with the messages M 1 , M 3 , and M 4 . Therefore, a man-in-the-middle attacker cannot break our protocol.
Smart Device Stolen Attacks. Suppose A obtains the information {S 2 , S 3 , b j }, which is stored in the memory of SD j . Since each SD j is embedded with a PUF module, A is unable to obtain the value of δ j and A cannot calculate PSMID j . Similarly, A cannot calculate RID i and r i , so A is incapable of successfully calculating SK. Thus, our protocol can resist smart device stolen attacks.
Temporary Value Disclosure Attacks. Suppose A can obtain the random number generated in any entity. Take as an example the case where A obtains r i generated by U i , where SK = h((RID i ⊕ r i ) (PSMID j ⊕ r j )). Although A can intercept messages in the public channel, A cannot know RID i , PSMID j and r j , so A cannot figure out the correct SK. Similarly, even if A obtains r j generated by SD j , it cannot figure out the correct SK. Therefore, even if A obtains the random number of any entity, it cannot break our protocol.
Replay Attacks. In our proposed protocol, each message delivered in the public channel contains a timestamp. When each entity receives a message, it first checks whether the timestamp is valid. The entity will perform subsequent calculations if the timestamp is within the valid range. Here, take message M 2 = {W 3 , V ED , T 2 } as an example. Suppose A intercepts the message M 2 and sends M 2 to SD j repeatedly. When SD j receives M 2 sent by A, SD j first checks |T 2 − T s | ≤ ∆T. SD j will terminate the session because the timestamp in message M 2 is not within the valid time range. Consequently, our proposed protocol can withstand replay attacks.
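The two checks that the MITM and replay arguments above rely on, written out for message M 2 as an added example (not code from the paper): the receiver first tests |T 2 − T s | ≤ ∆T and then recomputes V ED = h(RID i δ j X ST T 2 ). SHA-256 for h, length-prefixed concatenation, ∆T = 5 s and all function names are assumptions; RID i , δ j and X ST are passed in directly because the steps that derive them are not reproduced on this page.

```python
import hashlib
import hmac
import os
import struct

DELTA_T = 5  # seconds; assumed value for the paper's ∆T


def h(*parts: bytes) -> bytes:
    """Assumed h(.): SHA-256 over length-prefixed parts (unambiguous concatenation)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(struct.pack(">I", len(part)))
        digest.update(part)
    return digest.digest()


def ts(t: int) -> bytes:
    """Timestamp as 32 bits, the length the paper assumes for timestamps."""
    return struct.pack(">I", t)


def egw_build_m2(w3: bytes, rid_i: bytes, delta_j: bytes, x_st: bytes, t2: int) -> dict:
    """EGW side: M2 = {W3, V_ED, T2} with V_ED = h(RID_i, delta_j, X_ST, T2)."""
    return {"W3": w3, "V_ED": h(rid_i, delta_j, x_st, ts(t2)), "T2": t2}


def sd_verify_m2(m2: dict, rid_i: bytes, delta_j: bytes, x_st: bytes, now: int) -> str:
    """Smart device side: freshness check first, then the authentication value."""
    if abs(m2["T2"] - now) > DELTA_T:
        return "reject: stale T2"
    expected = h(rid_i, delta_j, x_st, ts(m2["T2"]))
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, m2["V_ED"]):
        return "reject: V_ED mismatch"
    return "accept"


def demo() -> dict:
    """Run the checks on constructed sample values (random secrets, fixed clock)."""
    rid_i, delta_j, x_st = os.urandom(32), os.urandom(32), os.urandom(32)
    keys = (rid_i, delta_j, x_st)
    t2 = 1_700_000_000  # constructed timestamp
    m2 = egw_build_m2(os.urandom(32), rid_i, delta_j, x_st, t2)

    # Recorded M2 re-sent later with T2 rewritten to the current time:
    # freshness passes, but V_ED was computed over the original T2.
    restamped = dict(m2, T2=t2 + 60)
    # V_ED computed without RID_i, delta_j, X_ST (random stand-ins).
    forged = dict(m2, V_ED=h(os.urandom(32), os.urandom(32), os.urandom(32), ts(t2)))

    return {
        "fresh": sd_verify_m2(m2, *keys, now=t2 + 1),
        "replayed_after_window": sd_verify_m2(m2, *keys, now=t2 + 60),
        "replayed_restamped": sd_verify_m2(restamped, *keys, now=t2 + 60),
        "forged_v_ed": sd_verify_m2(forged, *keys, now=t2 + 1),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The restamped case is the reason T 2 has to be an input of V ED : a timestamp sent in the clear but left out of the hash could be rewritten without detection.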
Mutual Authentication. In our proposed protocol, the validity of each entity is verified by the authentication value. Each message passed in the public channel contains an authentication value: EGW verifies the validity of U i by calculating V UE , SD j verifies the validity of EGW by calculating V ED , EGW verifies the validity of SD j by calculating V DE , and U i verifies the validity of EGW by calculating V EU . Therefore, our protocol can ensure that each entity realizes mutual authentication.
Anonymity and Untraceability. In our proposed protocol, random numbers and hash functions are used to hide the real identities of U i and SD j . The pseudonyms of U i and SD j are used in the authentication process. Even if the attacker intercepts the messages M 1 , M 2 , M 3 and M 4 transmitted in the public channel, it cannot track U i and SD j . In addition, random numbers are different during each session, ensuring that U i and SD j are not traceable. As a result, the proposed protocol can guarantee the anonymity and untraceability of entities.

ProVerif
ProVerif [64,65] is a formal simulation tool developed by Bruno Blanchet for automatically verifying cryptographic protocols. It describes cryptographic primitives, such as hash functions, fuzzy extraction, etc. In this paper, we use ProVerif software to simulate the smart home environment, mainly by executing code to simulate the registration and authentication process of U i , EGW, TTP, and SD j to verify the security of our protocol.
The symbols and operations used in ProVerif are defined in Figure 6a. We use ProVerif to query whether A can calculate SK through the information transmitted on the public channel. Our proposed protocol proof includes six events: event UserStarted(), event User-Authed(), event EGWAcUser(), event SmartdeviceAcEGW(), event EGWAcSmartdevice(), and event UserAcEGW(), which indicate that U i starts authentication, U i completes authentication, EGW completes the authentication of the U i , SD j completes the authentication of the EGW, EGW completes the authentication of SD j , and U i completes the authentication of the EGW. The specific query and event definitions are shown in Figure 6b.
The process of ProVerif simulating U i , SD j , TTP, and EGW is shown in Figure 6c-e. TTP includes two sub-processes: U i registration and SD j registration. "UiReg" represents the user registration phase, and "SDjReg" represents the smart device registration phase. ProVerif describes the detailed steps of each entity, such as the definition of new parameters and sending and receiving messages. Take the U i process as an example, where "new UIDi: bitstring" represents the definition of the U i identity, "out (sch, (PIDi, UPWi, ai))" represents that the U i sends messages to EGW, and "in (sch, (xR1: bitstring))" means that the U i receives messages sent from EGW. Finally, we use ProVerif to verify the proposed protocol, as shown in Figure 6f. We can conclude from the results that A cannot calculate SK, which proves that the proposed protocol is secure.
According to the presentations in Sections 4.1-4.3, we demonstrated the security of our protocol in terms of formal proof (using RoR model), informal proof, and simulation software (ProVerif). The results show that the proposed authentication protocol can resist several well-known attacks, such as insider, gateway impersonation, session key disclosure, offline password guessing, and replay, and provides mutual authentication, anonymity, and untraceability.

Security and Performance Comparisons
In this section, we compare the proposed protocol with four existing related protocols [18,37,40,42] in terms of security and performance.

Security Comparisons
We compare the security of our proposed protocol with that of Shuai et al. [37], Banerjee et al. [40], Yu et al. [18], and Oh et al. [42]. Table 3 shows the security comparison results. demonstrates that the protocol can resist this attack, and × demonstrates that the protocol suffers from this attack. Shuai et al.'s protocol [37] suffers from insider attacks, gateway impersonation attacks, session key disclosure attacks, offline password guessing attacks, and replay attacks. Banerjee et al.'s protocol [40] cannot provide anonymity and untraceability. Yu et al.'s protocol [18] is unable to provide mutual authentication. Oh et al. [42] and our protocol can resist these attacks.

Performance Comparisons
We compare the performance from two aspects: computational cost and communication cost.

Computational Cost Comparisons
We compare and analyze the computational costs of each protocol in the login and authentication phase. Additionally, we perform simulation experiments to evaluate the computational cost of the protocol. We use HONOR Play3 to simulate users, Lenovo desktop to simulate edge gateway, and Lenovo laptop to simulate smart devices. The specific configuration of these three devices is shown in Table 4, where the operation time is obtained by averaging 20 times of operation. Here we will ignore hash and join operations. We can see the comparison results of the computational cost from Table 5. Because the running time of the fuzzy extractor is almost the same as that of the hash function, we use the hash function's running time to represent the fuzzy extractor's running time in the calculation cost comparison. Here, T C represents the execution time of ECC point multiplication, T D represents the execution time of symmetric encryption/decryption operation, T H represents the running time of hash function, and T P represents the execution time of the fuzzy extraction function.
In the framework of the smart home environment, there can be multiple U i and SD j and only one edge gateway. We describe the relationship between the change in the number of entities and the calculated cost as follows. The relationship between the number of U i and the computational cost is shown in Figure 7. Shuai et al. [37] used point multiplication in the protocol, so the computational cost of this protocol is higher than that of other protocols. Yu et al. [18] used symmetric key encryption/decryption and fuzzy extractor in the protocol, and its computational cost is lower than that of Shuai et al. [37]. Moreover, the computational cost of other protocols is not different. The computational cost of EGW is shown in Figure 8. We can conclude from Figure 8 that the EGW computational cost of the proposed protocol is lower than that of other protocols. The relationship between the number of SD j and the computational cost is shown in Figure 9. We can conclude from Figure 9 that the SD j computational cost of the proposed protocol is lower than that of Oh et al.'s protocol [42], the same as that of Yu et al.'s protocol [18], but slightly higher than that of other protocols.

Communication Cost Comparisons
This part assumes that the lengths of timestamp, random number, identity, hash function, point multiplication, and symmetric encryption/decryption are 32, 128, 160, 256, 320, and 256 bits, respectively. Take our protocol as an example to explain the calculation process of communication cost. In our protocol, the messages transmitted in the public channel are  [18], and Oh et al. [42] are 2016, 1696, 1792, and 2368 bits, respectively. We can draw a conclusion from Table 6 and Figure 10 that the communication cost of the proposed protocol is lower than that of Shuai et al. [37] and Oh et al. [42], and slightly higher than that of Banerjee et al. [40] and Yu et al. [18].

Conclusions
Communication security is an essential factor for the sustainable development of smart homes. It ensures that users can obtain secure smart home services and protects users' privacy. Because the openness of wireless channels makes them prone to data leakage, using cryptographic methods to ensure communication security has attracted many researchers' attention. To the best of our knowledge, we introduce the first edge-computing-based smart home architecture. Meanwhile, based on this architecture, a PUF-based authentication protocol is proposed. Specifically, the properties of PUF are used to resist physical tampering and biological cloning attacks. The standard security verification approaches, namely formal security analysis using the RoR model, informal security analysis, and ProVerif simulation software, are used to demonstrate the security of our protocol. The security and performance comparisons indicate that our protocol has higher security and slightly better performance. In the future, we will adopt several lightweight cryptographic operations to design the new authentication protocol in smart home environments. Without loss of security, the new protocol is more suitable for users' IoT devices.

Data Availability Statement:
The data is included in the article.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript:

IoT: Internet of Things
ROR: Real or random
RA: Registration authority
PUF: Physical unclonable functions
AKA: Authentication and key agreement
ECC: Elliptic curve cryptography