Anonymous and Efficient Chaotic Map-Based Authentication Protocol for Industrial Internet of Things

Abstract

The exponential growth of Internet infrastructure and the widespread adoption of smart sensing devices have empowered industrial personnel to conduct remote, real-time data analysis within the Industrial Internet of Things (IIoT) framework. However, transmitting this real-time data over public channels raises significant security and privacy concerns. To prevent unauthorized access, user authentication mechanisms are crucial in the IIoT environment. To mitigate security vulnerabilities within IIoT environments, a novel user authentication and key agreement protocol is proposed. The protocol is designed to restrict service access exclusively to authorized users of designated smart sensing devices. By incorporating cryptographic hash functions, chaotic maps, Physical Unclonable Functions (PUFs), and fuzzy extractors, the protocol enhances security and functional integrity. PUFs provide robust protection against tampering and cloning, while fuzzy extractors facilitate secure biometric verification through the integration of smart cards, passwords, and personal biometrics. Moreover, the protocol accommodates dynamic device enrollment, password and biometric updates, and smart card revocation. A rigorous formal security analysis employing the Real-or-Random (ROR) model was conducted to validate session key security. Complementary informal security analysis was performed to assess resistance to a broad spectrum of attacks. Comparative performance evaluations unequivocally demonstrate the protocol’s superior efficiency and security in comparison to existing benchmarks.

1. Introduction

The Industrial Internet of Things (IIoT) employs numerous devices for real-time data sensing, transmission, and analysis, improving industrial control, productivity, and product quality while reducing costs and resource consumption. However, as IIoT expands with Industry 5.0, the rapid proliferation and interaction of IoT devices introduce critical security challenges [1,2,3,4]. Many IIoT devices incorporate lightweight software and hardware to minimize costs, limiting their ability to support robust security comparable to traditional Internet environments. This limitation creates vulnerabilities, making devices prone to attacks. Furthermore, deployment in remote, unmonitored environments exacerbates risks, exposing critical industrial processes to malicious disruptions [5,6,7].

In general, a typical IIoT system comprises smart sensing devices, such as temperature and humidity sensors, vibration sensors, and RFID tags, alongside users and gateway nodes, collectively forming a wireless sensor network (WSN) [8,9,10]. However, the dependence on wireless communication technologies exposes IIoT systems to substantial security vulnerabilities, as malicious adversaries can compromise system security through attacks such as eavesdropping and message tampering [11,12,13]. Authentication and key agreement mechanisms are regarded as one of the most effective countermeasures against these threats [14,15,16]. Nevertheless, given the intrinsic resource limitations of sensing devices, authentication protocols deployed in such settings must carefully balance computational efficiency with robust security guarantees.

1.1. Existing Research and Motivation

Recently, numerous research efforts have focused on developing anonymous and lightweight authenticated key agreement protocols, aiming to enhance security, privacy, and efficiency in IIoT environments [17,18,19,20]. Turkanović et al. [21] proposed a mutual authentication scheme that relied on a pre-shared cryptographic key between the sensor node and the user. Their scheme employed simple hash and XOR operations to accommodate the resource constraints of WSN. However, a subsequent analysis by Tai et al. [22] demonstrated that the protocol developed by Turkanović et al. fails to provide anonymity and is susceptible to sensor-capture attacks. Chen et al. [23] introduced an authentication and key agreement protocol for industrial control systems. Nevertheless, their proposed solution suffers from high computational and communication overheads, susceptibility to ephemeral secret leakage (ESL) attacks, and a lack of perfect forward secrecy. Shuai et al. [24] proposed an authentication protocol utilizing the Rabin cryptosystem. However, their protocol remains vulnerable to offline guessing, user impersonation, privileged insider, eavesdropping, and stolen smart card attacks. Gong et al. [25] propose a certificateless anonymous mutual authentication scheme ensuring privacy, traceability, and scalability for IoT. The schemes presented in [26,27] rely on a clock synchronization assumption, limiting their applicability in practical IIoT deployments. Zhai et al. [28] proposed a lightweight authentication protocol that combines blockchain with chaotic maps to enable mutual authentication between smart devices and edge gateways in IIoT systems. However, their protocol relies solely on the security of the chaotic-map discrete logarithm problem and fails to provide anonymity and untraceability. Aman et al. [29] proposed a PUF-based device authentication protocol for IoT systems. However, subsequent analyses demonstrated that the protocol is susceptible to replay attacks and non-invasive physical attacks [30], and it does not account for the influence of environmental noise on PUF responses.

Rafique et al. [31] addressed a critical challenge in the IIoT concerning secure data transmission. Their research proposed a multifactor authentication key agreement protocol that balanced robust security with resource limitations. This protocol utilized bitwise XOR, cryptographic hash functions, and symmetric cryptography to create a secure system tailored for resource-constrained environments, ensuring high-level security while enabling remote access to sensing devices. However, ref. [32] identified that Rafique’s protocol is vulnerable to attacks involving the loss of smart cards or devices. Eldefrawy et al. [33] proposed a user authentication method for IIoT systems, focusing on computational and communication efficiency. While this protocol was efficient, it did not provide mutual authentication between users and the smart devices or sensor nodes within the system. Harishma et al. [34] developed a method for securing data transmission in cyber-physical systems with heterogeneous components. Nevertheless, their approach was found vulnerable to the ESL attack under the Canetti and Krawczyk (CK) adversary model [35]. Additionally, the protocol did not support the dynamic incorporation of new IoT smart devices, limiting its practical application. Chen et al. [36] designed a key agreement and user authentication system for IoT environments. Although their protocol was efficient in terms of computational and communication costs, it was vulnerable to insider attacks, node-capturing attacks, and gateway node-bypassing attacks, and lacked untraceability [37,38,39].

In summary, although several commendable AKA protocols have been proposed for IIoT systems, most remain impractical for deployment on resource-constrained smart sensing devices due to their substantial resource overhead [40,41,42]. Furthermore, their incomplete security and functional guarantees further diminish their applicability in real-world deployments. Addressing these limitations is critical to enabling the efficient and secure operation of IIoT environments. The comparative summary is given in Table 1.

Table 1. Existing Authentication Protocols: A Comparative Summary.

Protocol	Cryptographic Primitives	Descriptions	Limitations
Turkanović et al. [21]	• Cryptographic hash function	• Lightweight • Dynamic addition of sensor nodes • Free password update	• No PUF-based physical security provided • Strict clock synchronization required • Anonymity not provided • No resistance to sensor capture attacks
Chen et al. [23]	• Cryptographic hash function • Elliptic curve cryptography	• Supporting node revocation • No strict clock synchronization	• No PUF-based physical security provided • Excessive system overhead • Lack of perfect forward secrecy • No resistance to ephemeral secret leakage attacks
Shuai et al. [24]	• Cryptographic hash function • Rabin cryptosystem	• Free password update • Dynamic addition of sensor nodes	• No PUF-based physical security provided • Strict clock synchronization required • No resistance to offline guessing and user impersonation attacks • No resistance to privileged insider and eavesdropping attacks • No resistance to stolen smart-card attacks
Zhai et al. [28]	• Cryptographic hash function • Chaotic Map	• Lightweight • Supporting cross-domain authentication	• No PUF-based physical security provided • Strict clock synchronization required • Lack of anonymity and untraceability
Aman et al. [29]	• Cryptographic hash function • PUF	• Lightweight • Providing PUF-based physical security • No strict clock synchronization	• No resistance to replay and non-invasive physical attacks • The neglect of PUF noise impact
Rafique et al. [31]	• Cryptographic hash function • AES symmetric encryption/decryption	• Lightweight	• No PUF-based physical security provided • No resistance to smart-card and device theft attacks • Strict clock synchronization required
Eldefrawy et al. [33]	• Cryptographic hash function	• Lightweight • Free password update • Dynamic addition/revocation of sensor nodes • No strict clock synchronization	• No PUF-based physical security provided • Lack of mutual authentication
Harishma et al. [34]	• Cryptographic hash function • Identity-based encryption • PUF	• Providing PUF-based physical security • No strict clock synchronization	• No resistance to ephemeral secret leakage attacks
Chen et al. [36]	• Cryptographic hash function • Elliptic curve cryptography	• Lightweight	• No PUF-based physical security provided • No resistance to insider and node-capturing attacks • Strict clock synchronization required • Lack of untraceability

1.2. Contribution

This paper proposes an anonymous and efficient Chaotic Map-based authentication protocol for the IIoT environment that ensures both efficiency and security. The main contributions are as follows:

• We propose a novel chaotic map-based mutual authentication and session key agreement protocol for the IIoT environment, where independent session keys are generated between users and smart sensing devices to ensure secure communications.
• We design the proposed protocol by integrating a one-way cryptographic hash function, chaotic map, physical unclonable function (PUF), and fuzzy extractor to enhance security and functional integrity. The PUF component provides robust protection against tampering and cloning attacks on the smart sensing device.
• We conduct a formal security analysis of the protocol using the real-or-random (ROR) model to rigorously assess and ensure session key security. Additionally, we provide an informal security analysis to demonstrate resistance to a broad spectrum of attacks.
• A rigorous comparative performance evaluation was conducted to assess the security, functionality, communication overhead, and computational efficiency of the proposed protocol in relation to existing benchmarks. The study clearly demonstrates the proposed protocol’s superior efficiency and enhanced security features compared to existing protocols.

1.3. Novelty

The proposed protocol introduces several key innovations that collectively address critical gaps in existing IIoT authentication protocols. First, it pioneers a hybrid security architecture that uniquely integrates authentication based on chaotic-map and lightweight cryptographic hashing with PUF-based device identity verification, achieving both algorithmic robustness and hardware-rooted trust. Unlike existing protocols that rely solely on lightweight cryptography or PUF, the proposed protocol further incorporates a fuzzy extractor to mitigate the impact of environmental disturbances on PUF responses in industrial settings. In addition, the protocol establishes an independent session key directly between the user and the device without involving a central entity, ensuring genuine end-to-end confidentiality for sensitive information. By avoiding the use of timestamps for replay protection, it also eliminates the dependence on strict clock synchronization. Finally, under a unified framework, the proposed protocol achieves the most comprehensive set of security features with exceptionally high efficiency, as demonstrated in its multidimensional comparison with existing protocols in terms of computational, runtime, communication, and storage overhead, an advantage unmatched by prior works. These contributions collectively position the proposed protocol as a holistic authentication framework expressly tailored to the distinct security and performance demands of IIoT environments.

1.4. Paper Organization

The remainder of this paper is organized as follows: Section 2 presents the background, including network and threat models, and foundational concepts. The proposed protocol is detailed in Section 3. A comprehensive security analysis is provided in Section 4 and formal security analysis is presented in Section 5. Section 6 offers a performance comparison with existing state-of-the-art protocols. Finally, the paper is concluded in Section 7.

2. Background

This section provides a comprehensive overview of the authentication model, threat model, and cryptographic foundations.

2.1. System Models

This section delineates the authentication model and threat models employed in the design of the proposed authentication and key agreement protocol.

2.1.1. Authentication Model

As illustrated in Figure 1, the proposed Internet of Things (IoT)-based smart sensing system for industrial monitoring aims to establish intelligent factories through the integration of IoT sensors and a robust authentication framework. This integrated system is designed to optimize supply chain, production, safety, and energy management. To address the challenges of securing real-time data transmission from resource-constrained IoT devices operating in inherently insecure wireless environments, a comprehensive authentication model is essential. This model safeguards data integrity and confidentiality while enabling authorized industrial personnel to securely access and utilize real-time data from smart sensing devices. A trusted registration authority (RA) establishes secure communication by registering all network entities and issuing cryptographic credentials. Authorized users, authenticated by the gateway node, can access the collected data through these gateway nodes, ensuring secure and reliable data transmission. The subsequent sections detail the proposed authentication protocol, which provides a secure and efficient mechanism for user authentication and data protection within the smart manufacturing environment [43,44,45].

Figure 1. IoT-based industrial monitoring system architecture.

2.1.2. Threat Model

To assess the security of the proposed protocol, this study adopts the widely recognized Dolev-Yao (DY) threat model [46,47]. Within this framework, an adversary $\mathcal{A}$ is endowed with the capability to intercept, modify, delete, or inject spurious messages during communication over an insecure channel. Given the inherently hostile nature of the IIoT environment, IoT sensing devices are susceptible to physical compromise by $\mathcal{A}$, both internal and external. Such breaches can lead to the unauthorized acquisition of sensitive credentials stored within these devices. Furthermore, an $\mathcal{A}$ may physically acquire an authorized user’s smart card, thereby enabling sophisticated power analysis attacks to compromise the stored secret credentials. Leveraging these credentials, the $\mathcal{A}$ can potentially extract sensitive user data, including identity, password, and biometric information. This compromised position facilitates a range of attack vectors, such as privileged insider attacks, replay attacks, man-in-the-middle (MitM) attacks, and impersonation attacks. Recently, the CK adversary model [48,49,50] has emerged as the de facto standard for evaluating the security of authenticated key agreement protocols. This model extends the DY adversary’s capabilities by granting the attacker the power to compromise secret credentials, session states, and session keys. Consequently, a robust user authentication protocol for the IIoT must safeguard against the exposure of sensitive information, limiting the adversary’s ability to compromise additional credentials even if some secrets are compromised. In addition, gateway nodes are protected by hardware security boundaries (for example, HSM/TEE) to safely store $\{I{D}_{GW{N}_k},X_{GW{N}_k}\}$. However, their databases are only semi-trusted and may be subject to physical capture attacks, allowing $\mathcal{A}$ to extract the hashed credentials stored within them. The symbols used in this paper and respective description is given in Table 2.

Table 2. Symbols and their definitions.

Symbol	Definition
$GW{N}_k$	kth GWN
$X_{GW{N}_k}$	Secret parameter of $GW{N}_k$
$I{D}_{GW{N}_k}$	Identity of $GW{N}_k$
$S{D}_j$	jth smart sensing deivce
$C_j$	Challenge component for $S{D}_j$
$D{R}_j$	Response component for $S{D}_j$
$X_j$	Secret parameter bound to $S{D}_j$
$D{k}_j,s_j$	Cryptographic key and auxiliary data of $S{D}_j$
$U_i$	ith user
$I{D}_i,P{W}_i$	Identity and password of $U_i$
$B_i$	Biometric template of $U_i$
$B{k}_i,s_i$	Cryptographic key and auxiliary data of $U_i$
$S{C}_i,SC{N}_i$	Smart card of $U_i$ and its number of $U_i$
$X_i,Y_i,Aut{h}_i$	Secret parameter bound to $U_i$
$PI{D}_i$	Pseudo-identity of $U_i$
$PU{F}_j(·)$	Physical unclonable function associated with $S{D}_j$
$RA$	The trusted registration authority
$SCN$	Smart card number
$SK$	Session key
$TI{D}_i$	Temporary identity of $U_i$
$TI{D}_i^o/TI{D}_i^n$	The Old/new temporary identitity
$X_{RA}$	Secret key of $RA$
$h(·)$	Cryptographic hash function
$\mathrm{Gen}(·)$	Fuzzy extractor generation function
$\mathrm{Rep}(·)$	Fuzzy extractor reproduction function

2.2. Preliminaries

This section provides a foundational overview of relevant cryptographic primitives, including PUFs, fuzzy extractors, and chaotic maps.

2.2.1. Physical Unclonable Function

The PUF is a cryptographic mechanism that relies on challenge-response pairs (CRPs). The core process of a PUF involves generating a unique response (output) when given a specific challenge (input) [51,52], which can be formalized with $D{R}_j=PU{F}_j\left(C_j\right)$. Here, $C_j$ denotes the unique challenge presented to different devices ($S{D}_j$), while $D{R}_j$ signifies the corresponding unique response. PUFs function as irreversible mathematical functions, deriving cryptographic secrets from inherent physical variations found in integrated circuits (ICs). These variations, stemming from the manufacturing process, ensure that each IC generates a unique response to specific challenges. PUFs provide a cost-effective solution with minimal computational requirements and energy consumption, making them highly suitable for lightweight and physically secure cryptographic applications. They are advanced circuit primitives used to generate secret keys for cryptographic operations. For example, the Static Random Access Memory (SRAM) PUF is widely adopted due to SRAM’s critical role in electronic control units (ECUs). The SRAM PUF exploits random disparities in SRAM threshold voltages to establish a distinctive digital fingerprint for each device. Unlike traditional methods of key storage, the secret key is dynamically regenerated from the SRAM PUF within a secure environment. This approach ensures that even in the event of a memory breach, the secret key remains protected and immune to compromise. Importantly, any attempt to manipulate or tamper with a PUF alters the device’s behavior, thereby invalidating the PUF and facilitating tamper detection. However, in real-world noisy environments, factors such as temperature variations, voltage fluctuations, and device aging may cause a PUF to produce different responses even when supplied with the same challenge, which can result in the erroneous rejection of secret parameters generated solely from PUF responses during authentication. To address this important issue, we integrate a fuzzy extractor with the PUF. During the registration phase, the device first generates a response $D{R}_j=PU{F}_j\left(C_j\right)$. Subsequently, in an authentication session, the device regenerates a new response $D{R}_j^{\prime }=PU{F}_j\left(C_j\right)$. When the Hamming distance $DIST(D{R}_j,D{R}_j^{\prime })$ falls within the tolerable error threshold t, the fuzzy extractor is used to reconcile $(D{R}_j,D{R}_j^{\prime })$, thereby ensuring stable key derivation.

2.2.2. Fuzzy Extractors

Fuzzy extractors are cryptographic mechanisms designed to derive stable and secure cryptographic keys from inherently noisy data sources, such as biometric measurements or PUFs [53]. By mitigating the impact of noise and variations inherent in these data types, fuzzy extractors enhance the robustness and security of recognition systems. A fuzzy extractor consists of two primary components:

• Generation$(B{k}_i,s_i)=Gen\left(B_i\right)$: Given a unique biometric or PUF measurement $B_i$ of entity i, the generation algorithm produces a cryptographic key $B{k}_i$ and public auxiliary data $s_i$.
• Reproduction$B{k}_i^{\prime }=Rep(B_i^{\prime },s_i)$: Utilizing the public auxiliary data $s_i$ and a noisy measurement $B_i^{\prime }$ approximating $B{k}_i$, the reproduction algorithm reconstructs the original key $B{k}_i^{\prime }$. For sufficiently similar input measurements (typically within a predetermined Hamming distance), $B{k}_i^{\prime }$ will be identical to $B{k}_i$.

2.2.3. Chaotic Map

Chaotic map encryption leverages the intrinsic unpredictability and extreme sensitivity to initial conditions of chaotic systems for cryptographic applications [54,55,56]. This method employs the enhanced Chebyshev polynomial, defined as $T_n\left(x\right)=2x{T}_{n-1}\left(x\right)-T_{n-2}\left(x\right)modlp$, where $lp$ is a large prime number, $n\ge 2$, and $x\in (-\infty ,\infty )$. Alternatively, $T_n\left(x\right)=cos(n·arccos\left(x\right))$. The semigroup property of Chebyshev polynomials, expressed as $T_n\left(T_m\left(x\right)\right)=T_m\left(T_n\left(x\right)\right)=T_{mn}\left(x\right)modlp$, forms the basis for the encryption process. The security of this encryption scheme relies on the computational intractability of the chaotic map discrete logarithm problem (CMDLP). An adversary’s ability to solve this problem within a given time frame is quantified as $Ad{v}_{\mathcal{A}}^{CMDLP}\left(rt\right)=Pr[\mathcal{A}(x_1,x_2)=m\mid T_m\left(x_1\right)=x_{2}modlp]$, where ${\mathbb{Z}}_p^{\ast }=\{1,2,\dots ,p-1\}$ and $r\in {\mathbb{Z}}_p^{\ast }$. Some existing studies [57,58,59] indicate that, $\mathcal{A}$ may be able to solve the CMDLP problem in polynomial time, thereby compromising the security of cryptographic systems based on Chebyshev polynomials. However, this attack capability requires $\mathcal{A}$ to obtain both $T_m\left(x\right)$ and x simultaneously. To counteract this, the proposed protocol maintains the encryption of x during transmission. The protocol is grounded in the computational Diffie-Hellman (CDH) problem adapted to the chaotic map domain. Even with knowledge of $T_m\left(x\right)$ and $T_n\left(x\right)$, computing $T_m\left(T_n\left(x\right)\right)=T_n\left(T_m\left(x\right)\right)modlp$ remains computationally infeasible for an adversary, providing the cryptographic strength of the system.

2.3. Design Objectives

The protocol aims to achieve the following design goals:

• Anonymity: Protect user privacy by ensuring that their identities cannot be inferred from messages, maintaining anonymity throughout communications.
• Mutual Authentication: Verify the authenticity of users, gateways, and smart sensing devices to establish trust within the network.
• Session Key Agreement: Securely establish session keys between users and smart sensing devices, independent of the gateway, for protected communication.
• Unlinkability: Prevent the correlation of intercepted messages with specific users, preserving message anonymity.
• Forward Security: Protect the confidentiality of past communications by ensuring the compromise of current session keys does not affect the security of previous sessions.
• Resistance to Common Attacks: Strengthen the protocol’s defenses against replay, offline password guessing, and impersonation attacks to enhance overall IIoT network security.

3. The Proposed Protocol

This section presents a secure protocol tailored for IIoT environments to guarantee that only authorized users can access smart sensing devices. The protocol incorporates SHA-256 hashing, XOR operations, and PUFs to safeguard smart sensing devices against physical tampering. Furthermore, to address replay attacks, the protocol avoids reliance on clock synchronization among network entities. The subsequent subsections outline the various phases of the proposed protocol.

3.1. Pre-Deployment Phase

In this phase, the RA is responsible for registering the GWNs and smart sensing devices prior to their deployment. A secure channel is assumed for this one-time setup, as commonly adopted in IIoT protocols, typically ensured through administrator-supervised or trusted in-person registration.

3.1.1. GWN Registration

The RA performs the following operations to register a GWN denoted as $GW{N}_k$.

• Step GR-1: The RA selects a distinct and unique identity, $I{D}_{GW{N}_k}$, and a secret parameter, $X_{GW{N}_k}$. These are then transmitted securely to $GW{N}_k$ through a secure channel.
• Step GR-2: $GW{N}_k$ securely stores the received parameters, $\{I{D}_{GW{N}_k},X_{GW{N}_k}\}$, in its secure database.

3.1.2. Smart Sensing Device Registration

To register a smart sensing device, such as $S{D}_j$, the RA follows these steps:

• Step DR-1: The RA starts the registration process by generating a unique challenge parameter, $C_j$. This parameter is securely transmitted to $S{D}_j$ over a secure channel.
• Step DR-2: Upon receiving $C_j$ from the RA, $S{D}_j$ uses a $PUF(·)$ to generate the response parameter $D{R}_j$. This response is then securely sent back to the RA.
• Step DR-3: The RA selects an identity $I{D}_j$ and sends the pair $C_j,D{R}_j$ to the appropriate gateway node $GW{N}_k$ through a secure channel.
• Step DR-4: Upon receiving the $\{I{D}_j,C_j,D{R}_j\}$ from the RA, $GW{N}_k$ generates a random number $r_j$ and computes $X_j=h(I{D}_j\parallel X_{GW{N}_k}\parallel r_j)$. It then stores the parameters $\{I{D}_j, r_j, C_j,D{R}_j\}$ for $S{D}_j$ in its database and sends $X_j$ back to the RA through a secure channel.
• Step DR-5: The RA finally transmits the parameters $\{I{D}_j, X_j\}$ to $S{D}_j$, which then stores these parameters in its memory.

3.1.3. User Registration

To ensure secure communication with an SD that has been accessed, $U_i$ must securely register at the RA through the following steps.

• Step UR-1: User $U_i$ submits their registration request to the RA, along with their identity $I{D}_i$, through a secure channel.
• Step UR-2: The RA then assesses whether the request originates from a legitimate user. It computes $h(I{D}_i\parallel X_{RA}\parallel T_i)$ using a hash function, where $X_{RA}$ is the master secret key of the RA and $T_i$ is the registration timestamp. Based on the computed hash, it consults the database for the corresponding status. If the status indicates that the user is already registered ($\mathit{status}=1$), the registration process ceases. Otherwise, the RA proceeds with registration and picks a unique temporary identity $TI{D}_i$, a unique pseudo-identity $PI{D}_i$, and a random number $r_i$. The user’s smart card $S{C}_i$ is configured with <$TI{D}_i,r_i,PI{D}_i,SC{N}_i,h(·)$>. The RA stores <$I{D}_i,SC{N}_i,T_i,\left[h\right(I{D}_i\parallel X_{RA}\parallel T_i),\mathit{status}]$> in its database and forwards the following parameters to the corresponding gateway node $GW{N}_k$ as <$TI{D}_i^o=TI{D}_i, TI{D}_i^n=TI{D}_i, PI{D}_i, r_i, SC{N}_i$> via a secure channel and dispatches $S{C}_i$ to $U_i$.
• Step UR-3: Upon receiving <$TI{D}_i^o=TI{D}_i,TI{D}_i^n=TI{D}_i,PI{D}_i,r_i,SC{N}_i$> from the RA, $GW{N}_k$ computes $X_{i-g}=(PI{D}_i\parallel r_i)\oplus h(SC{N}_i\parallel X_{GW{N}_k})$. $GW{N}_k$ then stores the parameters as <$TI{D}_i^o=TI{D}_i,TI{D}_i^n=TI{D}_i,X_{i-g},SC{N}_i$> in its database.
• Step UR-4: Upon receipt, $U_i$ inserts $S{C}_i$ into a card reader, reads the biometric data $B_i$, and enters their $I{D}_i$ and password $P{W}_i$ and picks a random number $n_i$. The smart card then proceeds to compute the following:

  $$\begin{array}{cc}\hfill (B{k}_i,s_i)& =Gen\left(B_i\right),X_i=\left(s_i\parallel n_i\right)\oplus h\left(I{D}_i\parallel P{W}_i\right)\hfill \\ \hfill Aut{h}_i& =h\left(I{D}_i\parallel P{W}_i\parallel B{k}_i\parallel n_i\right)\hfill \\ \hfill Y_i& =\left(PI{D}_i\parallel r_i\right)\oplus h\left(I{D}_i\parallel P{W}_i\parallel B{k}_i\right)\hfill \end{array}$$

  where $Gen(·)$ is a fuzzy extractor generator function and $Aut{h}_i$ is an authentication parameter. Finally, the smart card replaces the parameters <$r_i,PI{D}_i$> with <$X_i,Y_i,Aut{h}_i$> and stores <$TI{D}_i,X_i,Y_i,Aut{h}_i,SC{N}_i,h(·),Gen(·),Rep(·)$>.

3.2. Login Phase

A legitimate user, for instance, $U_i$, must first authenticate themselves using their credentials and smart card. The specific steps are as follows:

• Step L-1: User $U_i$ inserts their designated smart card and subsequently enters their unique identity ($I{D}_i^{\prime }$), password ($P{W}_i^{\prime }$), and provides biometric data ($B_i^{\prime }$) via the designated sensor.
• Step L-2: Based on the provided inputs, the following computations are carried out:

  $$\begin{array}{cc}\hfill (s_i^{\prime }\Vert n_i^{\prime })& =X_i\oplus h(I{D}_i^{\prime }\Vert P{W}_i^{\prime }),B{k}_i^{\prime }=Rep(B_i^{\prime },s_i^{\prime })\hfill \\ \hfill Aut{h}_i^{\prime }& =h(I{D}_i^{\prime }\Vert P{W}_i^{\prime }\Vert B{k}_i^{\prime }\Vert n_i^{\prime })\hfill \end{array}$$
  The $Aut{h}_i^{\prime }$ is verified against $Aut{h}_i$ as follows: $Aut{h}_i^{\prime }\stackrel{?}{=}Aut{h}_i$ If the verification fails, the login procedure is aborted. If the verification succeeds, the sign-in process is considered successful, and the following parameters are computed: $(PI{D}_i\parallel r_i)=Y_i\oplus h(I{D}_i^{\prime }\parallel P{W}_i^{\prime }\parallel B{k}_i^{\prime })$.

3.3. Authentication and Key Agreement Phase

The following steps are essential for completing this phase, as illustrated in Figure 2.

Figure 2. Login and authentication phases.

• Step A-1: $U_i$ generates a random nonce m and uses it to compute $M_1=T_m\left(PI{D}_i\right)$ as a chaotic-map variable. Then, $U_i$ chooses $I{D}_j$ and selects random nonce $N_u$, and calculates $X_1=(I{D}_j\parallel N_u)\oplus h(r_i\parallel PI{D}_i\parallel TI{D}_i)$. Additionally, $U_i$ computes $Aut{h}_1=h(I{D}_j\Vert N_u\Vert r_i\Vert PI{D}_i\Vert TI{D}_i\Vert M_1)$. Afterward, $U_i$ constructs $Ms{g}_1=<TI{D}_i,X_1,M_1,Aut{h}_1>$ and sends it to the gateway node $GW{N}_k$ through an open insecure channel.
• Step A-2: Upon receiving $Ms{g}_1$ from $U_i$, $GW{N}_k$ searches for $SC{N}_i$, which should match either $TI{D}_i^o$ or $TI{D}_i^n$. The following computations are then performed:

  $$\begin{array}{cc}\hfill (PI{D}_i\parallel r_i)& =X_{i-g}\oplus h(SC{N}_i\parallel X_{GW{N}_k})\hfill \\ \hfill (I{D}_j^{\prime }\parallel N_u^{\prime })& =X_1\oplus h(r_i\parallel PI{D}_i\parallel TI{D}_i)\hfill \\ \hfill Aut{h}_1^{\prime }& =h(I{D}_j^{\prime }\parallel N_u^{\prime }\parallel r_i\parallel PI{D}_i\parallel TI{D}_i\parallel M_1)\hfill \end{array}$$
  The calculated $Aut{h}_1^{\prime }$ is checked for equality with $Aut{h}_1$, i.e., $Aut{h}_1^{\prime }\stackrel{?}{=}Aut{h}_1$. If they do not match, the process is terminated. If they match, the procedure continues to the next steps.
• Step A-3: For $I{D}_j$, $GW{N}_k$ retrieves $r_j,(C_j,D{R}_j)$ and selects a random nonce $N_g$. The following computations are then performed:

  $$\begin{array}{cc}\hfill X_j& =h(I{D}_j\parallel X_{GW{N}_k}\parallel r_j)\hfill \\ \hfill X_2& =(N_u\parallel N_g)\oplus h(X_j\parallel I{D}_j\parallel M_1)\hfill \\ \hfill X_3& =(PI{D}_i\parallel C_j)\oplus h(X_j\parallel I{D}_j\parallel X_2)\hfill \\ \hfill Aut{h}_2& =h(N_u\parallel N_g\parallel PI{D}_i\parallel C_j\parallel M_1)\hfill \end{array}$$
  Finally, $GW{N}_k$ constructs $Ms{g}_2$ as $Ms{g}_2=<M_1,X_2,$$X_3,Aut{h}_2>$ and transmits it to $S{D}_j$ through an open insecure channel.
• Step A-4: Upon receiving $Ms{g}_2$ from $GW{N}_k$, $S{D}_j$ retrieves $I{D}_j$ and $X_j$ and performs the following:

  $$\begin{array}{cc}\hfill (N_u^{\prime }\parallel N_g^{\prime })& =X_2\oplus h(X_j\parallel I{D}_j\parallel M_1)\hfill \\ \hfill (PI{D}_i^{\prime }\parallel C_j^{\prime })& =X_3\oplus h(X_j\parallel I{D}_j\parallel X_2)\hfill \\ \hfill Aut{h}_2^{\prime }& =h(N_u^{\prime }\parallel N_g^{\prime }\parallel PI{D}_i^{\prime }\parallel C_j^{\prime }\parallel M_1)\hfill \end{array}$$
  The resulting $Aut{h}_2^{\prime }$ is compared with $Aut{h}_2$ to verify if $Aut{h}_2^{\prime }\stackrel{?}{=}Aut{h}_2$. If they do not match, the process is aborted. If they match, the procedure proceeds to the next step.
• Step A-5: $S{D}_j$ inputs the challenge $C_j$ into the $PUF(·)$ function to obtain a device-specific but potentially noisy response, $D{R}_j=PU{F}_j\left(C_j\right)$. Due to the inherent variability of PUFs caused by environmental and hardware factors, $S{D}_j$ employs a fuzzy extractor to ensure reliable key derivation. Specifically, the fuzzy extractor generates a stable and reproducible secret key $D{K}_j$ and corresponding helper data $s_j$, denoted as $(D{K}_j,s_j)=Gen\left(D{R}_j\right)$. This process ensures that even if $D{R}_j$ slightly fluctuates under different conditions, the same $D{K}_j$ can be reliably recovered using the helper data during key reconstruction. Next, $S{D}_j$ selects a random integral string n and a random nonce $N_j$, and computes the following: $M_2=T_n\left(PI{D}_i\right)$, $psk=T_n\left(M_1\right)=T_n\left(T_m\left(PI{D}_i\right)\right)$, $S{K}_{j-i}=h(PI{D}_i\Vert I{D}_j\Vert psk\Vert N_u\Vert N_j)$, $X_4=(N_j\Vert s_j)\oplus h(I{D}_j\Vert X_j\Vert N_g)$, and $Aut{h}_3=h(N_j\Vert s_j\Vert M_2\Vert I{D}_j\Vert X_j\Vert N_g\Vert D{K}_j)$, where $S{K}_{j-i}$ is the generated secret session key between $S{D}_j$ and $U_i$. Finally, $S{D}_j$ constructs $Ms{g}_3$ as $Ms{g}_3=⟨X_4,M_2,Aut{h}_3⟩$ and sends it to $GW{N}_k$ via an open insecure channel.
• Step A-6: Upon receiving $Ms{g}_3$ from $S{D}_j$, $GW{N}_k$ performs the following computations:

  $$\begin{array}{cc}\hfill (N_j^{\prime }\parallel s_j^{\prime })& =X_4\oplus h(I{D}_j\parallel X_j\parallel N_g),D{K}_j^{\prime }=Rep(D{R}_j,s_j^{\prime })\hfill \\ \hfill Aut{h}_3^{\prime }& =h(N_j^{\prime }\parallel s_j^{\prime }\parallel M_2\parallel I{D}_j\parallel X_j\parallel N_g\parallel D{K}_j^{\prime })\hfill \end{array}$$
  $GW{N}_k$ accepts the message if $Aut{h}_3^{\prime }\stackrel{?}{=}Aut{h}_3$ holds true. Next, $GW{N}_k$ picks a unique temporary identity $TI{D}_i^{\prime }$ and updates the old and new temporary identities as $TI{D}_i^o=TI{D}_i$ and $TI{D}_i^n=TI{D}_i^{\prime }$. Then, $GW{N}_k$ computes $X_5=(N_j\parallel TI{D}_i^{\prime })\oplus h(PI{D}_i\parallel r_i\parallel N_u)$ and $Aut{h}_4=h(N_j\parallel TI{D}_i^{\prime }\parallel M_2\parallel I{D}_j\parallel PI{D}_i\parallel r_i\parallel N_u)$. Finally, $GW{N}_k$ sends $Ms{g}_4=<X_5,M_2,Aut{h}_4>$ to $U_i$ to $U_i$ via an open insecure channel.
• Step A-7: Upon receiving $Ms{g}_4$ from $GW{N}_k$, $U_i$ computes $(N_j^{\prime }\parallel TI{D}_i^{\prime })=X_5\oplus h(PI{D}_i\parallel r_i\parallel N_u)$ and $Aut{h}_4^{\prime }=h(N_j^{\prime }\parallel TI{D}_i^{\prime }\parallel M_2\parallel I{D}_j\parallel PI{D}_i\parallel r_i\parallel N_u)$. $U_i$ accepts if $Aut{h}_4^{\prime }\stackrel{?}{=}Aut{h}_4$ holds true. Next, $U_i$ computes $psk=T_m\left(M_2\right)=T_m\left(T_n\left(PI{D}_i\right)\right)$, $S{K}_{UC}=h(PI{D}_i\parallel r_i\parallel N_c\parallel N_u)$ and $S{K}_{i-j}=h(PI{D}_i\Vert I{D}_j\Vert psk\Vert N_u\Vert N_j^{\prime })$. Finally, $U_i$ stores the session key and updates the temporary identity as $TI{D}_i=TI{D}_i^{\prime }$.

3.4. Password and Biometrics Update Phase

The proposed protocol allows users to locally update their passwords without needing to interact with the RA. Users can modify both their password (${PW}_i$) and biometric information ($B_i$) by following these steps:

• Step PBU-1: The legitimate user $U_i$ inserts their smart card and authenticates themselves with their credentials to update their password and biometrics. The following calculations are then performed using the provided inputs:

  $$\begin{array}{cc}\hfill (s_i^{\prime }\Vert n_i^{\prime })& =X_i\oplus h(I{D}_i^{\prime }\Vert P{W}_i^{\prime }),B{k}_i^{\prime }=Rep(B_i^{\prime },s_i^{\prime })\hfill \\ \hfill Aut{h}_i^{\prime }& =h(I{D}_i^{\prime }\Vert P{W}_i^{\prime }\Vert B{k}_i^{\prime }\Vert n_i^{\prime })\hfill \end{array}$$
  The $Aut{h}_i^{\prime }$ is verified against $Aut{h}_i$ as follows: $Aut{h}_i^{\prime }\stackrel{?}{=}Aut{h}_i$ If the verification fails, the login procedure is aborted. If the verification succeeds, $U_i$ can reset the password and update the biometrics data, and the following parameters are computed: $(PI{D}_i\parallel r_i)=Y_i\oplus h(I{D}_i^{\prime }\parallel P{W}_i^{\prime }\parallel B{k}_i^{\prime })$.
• Step PBU-1: Next, $U_i$ inputs new information ($P{W}_i^n$ and $B_i^n$), and the card executes the following computations:

  $$\begin{array}{cc}\hfill (B{k}_i^n,s_i^n)& =Gen\left(B_i^n\right),X_i^n=(s_i^n\parallel n_i)\oplus h\left(I{D}_i\parallel P{W}_i^n\right)\hfill \\ \hfill Aut{h}_i^n& =h\left(I{D}_i\parallel P{W}_i^n\parallel B{k}_i^n\parallel n_i^n\right)\hfill \\ \hfill Y_i^n& =\left(PI{D}_i\parallel r_i\right)\oplus h\left(I{D}_i\parallel P{W}_i^n\parallel B{k}_i^n\right)\hfill \end{array}$$
  Subsequently, the system updates the existing parameters in the smart card $<TI{D}_i,X_i,Y_i,Aut{h}_i,$ $SC{N}_i,h(·),Gen(·),Rep(·)>$ with the new configurations $<TI{D}_i,X_i^n,Y_i^n,Aut{h}_i^n,SC{N}_i,h(·),Gen(·),$$Rep(·)>$.

3.5. Smart Card Revocation

The protocol enables smart card replacement without altering the user’s identity. If user $U_i$ loses or has their smart card stolen, they can request a replacement from the RA using the following procedure:

• Step SCR-1: Initially, $U_i$ securely transmits their identity (${ID}_i$), credentials, and a replacement request to RA. The RA assesses these credentials and the validity of the request. Following confirmation, RA issues a replacement smart card, ${SCN}_i^n$, a unique pseudo-identity $PI{D}_i^n$, and a random number $r_i^n$. Consequently, the freshly configured smart card $S{C}_i^n$ is configured with <$TI{D}_i^n,r_i^n,PI{D}_i^n,SC{N}_i^n,h(·)$>. The RA stores <$I{D}_i,SC{N}_i^n,T_i^n,\left[h\right(I{D}_i\parallel X_{RA}^n\parallel T_i^n),\mathit{status}]$> in its database and forwards the following parameters to the corresponding gateway node $GW{N}_k$ as <$TI{D}_i^o=TI{D}_i^n,$ $TI{D}_i^n=TI{D}_i^n, PI{D}_i^n, r_i^n, SC{N}_i^n$> via a secure channel and dispatches $S{C}_i^n$ to $U_i$.
• Step SCR-2: Furthermore, upon receipt of the card, $U_i$ inserts it into a card reader and performs the same steps as outlined in Section 3.1.3 (“User Registration”). Finally, the smart card stores $<TI{D}_i^n,X_i^n,Y_i^n,$ $Aut{h}_i^n,SC{N}_i^n,h(·),Gen(·),Rep(·)>$.

3.6. Dynamic Smart Device Addition Phase

This phase is essential for subsequent deployment of new smart sensing devices. To integrate a new device, denoted as $S{D}_j^{new}$, the RA performs the following offline steps:

• Step DA-1: The RA starts the registration process by generating a unique challenge parameter, $C_j^{new}$. This parameter is securely transmitted to $S{D}_j^{new}$ over a secure channel.
• Step DA-2: Upon receiving $C_j^{new}$ from the RA, $S{D}_j^{new}$ uses a $PUF(·)$ to generate the response parameter $D{R}_j^{new}$. This response is then securely sent back to the RA.
• Step DA-3: The RA selects an identity $I{D}_j^{new}$ and sends the pair $\{C_j^{new},D{R}_j^{new}\}$ to the appropriate gateway node $GW{N}_k$ through a secure channel.
• Step DA-4: Upon receiving the $\{I{D}_j^{new},C_j^{new},D{R}_j^{new}\}$ from the RA, $GW{N}_k$ generates a random number $r_j^{new}$ and computes $X_j^{new}=h(I{D}_j^{new}\parallel X_{GW{N}_k}\parallel r_j^{new})$. It then stores the parameters $\{I{D}_j^{new},r_j^{new},C_j^{new},D{R}_j^{new}\}$ for $S{D}_j^{new}$ in its database and sends $X_j^{new}$ back to the RA through a secure channel.
• Step DA-5: The RA finally transmits the parameters $\{I{D}_j^{new},X_j^{new}\}$ to $S{D}_j^{new}$, which then stores these parameters in its memory.

Once $S{D}_j^{new}$ is deployed, the $GW{N}_k$/RA will notify all registered users, enabling them to access services from $S{D}_j^{new}$ if needed.

4. Informal Security Analysis

In this section, security and functional attributes of the proposed protocol are examined through a descriptive analysis.

4.1. Smart Sensing Device Capture Attack

The physical unclonability of PUF technology safeguards smart sensing devices, such as $S{D}_j$, against unauthorized access. Any tampering with the PUF-based sensor will significantly alter its response or disable the device entirely. Consequently, extracting sensitive information from the PUF-equipped $S{D}_j$ becomes extremely challenging for potential attackers.

4.2. Gateway Node Capture Attack

Assume that $\mathcal{A}$ is a privileged insider within the IIoT system who is capable of physically compromising a gateway node and thereby obtaining the secret credentials stored on it, namely $\{TI{D}_i^o/TI{D}_i^n,SC{N}_i,X_{i-g}\}$ and $\{I{D}_j,r_j,(C_j,D{R}_j)\}$, where $X_{i-g}=(PI{D}_i\parallel r_i)\oplus h(SC{N}_i\parallel X_{GW{N}_k})$. However, due to the one-way property of the cryptographic hash function, the secret credentials $PI{D}_i$ and $r_i$, which are bound to $U_i$, remain protected since $X_{GW{N}_k}$ is stored within a hardware-isolated region that is inaccessible to $\mathcal{A}$. Moreover, $GW{N}_k$ does not store the identity $I{D}_i$, password $P{W}_i$, or biometric template $B_i$ of $U_i$. Given only $\{TI{D}_i^o/TI{D}_i^n,SC{N}_i\}$ and the hashed credential $X_{i-g}$, even if $\mathcal{A}$ simultaneously acquires the user’s smart card, no valid information can be inferred that would compromise the security of the session key.

4.3. Anonymity and Untraceability

Considering the threat model described in Section 2.1.2, suppose that $\mathcal{A}$ intercepts the transmitted messages $Ms{g}_1$ to $Ms{g}_4$ during the login and authentication processes, as illustrated in Figure 2, over an insecure public channel. These intercepted messages contain secret random nonces, which are crucial for maintaining confidentiality. This confidentiality makes it extremely difficult for $\mathcal{A}$ to determine critical identifiers such as the user’s identity ($I{D}_i$), the user’s pseudo-identity ($PI{D}_i$), or the smart sensing device’s identifier ($I{D}_j$). This mechanism ensures the anonymity of users and their associated smart sensing devices within the network. Additionally, the use of unique random nonces for each session prevents $\mathcal{A}$ from tracking users across different sessions. Even if $\mathcal{A}$ identifies the temporary identities of $U_i$ from the intercepted messages, the protocol’s design requires frequent renewal of these identifiers to new temporary ones ($TI{D}_i^n$) with each session. This ensures that tracking users and devices over time is not possible. Consequently, the proposed protocol effectively guarantees the anonymity and untraceability of participants, establishing a robust security foundation within the system.

4.4. De-Synchronization Attack

In our protocol, users are assigned unique temporary identities ($TI{D}_i$) during the registration phase. The gateway node ($GW{N}_k$) stores the parameters $<TI{D}_i^o=TI{D}_i,TI{D}_i^n=TI{D}_i,X_{i-g},SC{N}_i>$ for each user $U_i$. To counter de-synchronization attacks, the protocol maintains both the old and new temporary identities in the gateway node’s database, ensuring synchronization between $U_i$ and $GW{N}_k$. This design ensures the protocol’s functionality remains unaffected even if the final confirmation message is delayed or lost, thereby providing robust protection against de-synchronization attacks.

4.5. Replay Attack

The proposed protocol safeguards against replay attacks where an adversary $\mathcal{A}$ intercepts and attempts to reuse previously exchanged messages ($Ms{g}_1$ to $Ms{g}_4$), where $Ms{g}_1=<TI{D}_i,X_1,M_1,Aut{h}_1>$, $Ms{g}_2=<M_1,X_2,$ $X_3,Aut{h}_2>$, $Ms{g}_3=<X_4,M_2,Aut{h}_3>$, and $Ms{g}_4=<X_5,M_2,Aut{h}_4>$. The strength of the protocol lies in its use of unpredictable, one-time random values (nonces) within each transmitted message. These nonces guarantee that each message is unique to a specific session, rendering them useless in any subsequent attempt by $\mathcal{A}$ to replay them. This effectively prevents replay attacks and ensures the protocol’s robustness.

4.6. MitM Attack

Even if an attacker ($\mathcal{A}$ ) intercepts messages ($Ms{g}_1$ to $Ms{g}_4$) intending to tamper with them and impersonate a user, the protocol’s design thwarts such attempts. Modifying the initial message ($Ms{g}_1=<TI{D}_i,X_1,M_1,Aut{h}_1>$) requires access to secret information like $N_u$, $I{D}_j$, and $PI{D}_i$, which are beyond $\mathcal{A}$’s reach. Similarly, for messages $Ms{g}_2$, $Ms{g}_3$, and $Ms{g}_4$, the protocol relies on confidential data like $PI{D}_i$, $D{R}_j$, $I{D}_j$, and others to generate valid nonces. Without this information, $\mathcal{A}$ cannot forge messages that appear legitimate. This ensures the protocol’s resistance to MitM attacks.

4.7. Mutual Authentication

The proposed protocol establishes mutual authentication between user $U_i$, gateway $GW{N}_k$, and sensor $S{D}_j$ via the subsequent three steps: (1) $GW{N}_k$ validates $U_i$ by checking $SC{N}_i$ and $Aut{h}_1$; (2) $S{D}_j$ authenticates $GW{N}_k$ directly by verifying $Aut{h}_2$ and indirectly by matching $PI{D}_i$ from the transcripts with $U_i$; (3) $U_i$ verifies $Aut{h}_4$ to confirm $GW{N}_k$ directly and also indirectly confirms $S{D}_j$, establishing the session key independently of the gateway node.

4.8. Session Key Security

The proposed protocol ensures session key security through a multi-layered approach. An adversary $\mathcal{A}$ cannot bypass local user authentication or access sensitive credentials such as $PI{D}_i$ and $r_i$ stored on the smart card in encrypted form. This protection is due to the requirement of all three factors (password, biometric data, and smart card) for login. Additionally, the session key $S{K}_{j-i}=h(PI{D}_i\parallel I{D}_j\parallel psk\parallel N_u\parallel N_j)$ is derived using a combination of a one-way hash function and unique, secret parameters specific to each user, device, and communication session. These parameters include $PI{D}_i$, $psk$, $N_j$, $N_u$, and $I{D}_j$. The one-way nature of the hash function ensures that even without knowledge of these secret parameters, deriving the session key remains computationally infeasible. This approach safeguards the confidentiality and integrity of communication within the protocol.

4.9. Perfect Forward Secrecy

In the proposed protocol, the session key $S{K}_{j-i}=h(PI{D}_i\parallel I{D}_j\parallel psk\parallel N_u\parallel N_j)$ established between $U_i$ and $S{D}_j$ is derived through a hybrid mechanism that combines random values, long-term secrets, and chaotic-map–based secrets, thereby ensuring perfect forward secrecy. First, these parameters are unique to each session and each communicating entity, preventing $\mathcal{A}$ from correlating information across different sessions or participants. Second, in every authentication session, the random values used to compute the chaotic-map encryption outputs are randomly selected, and $PI{D}_i$ remains hidden from $\mathcal{A}$. Due to the inherent hardness of the CMDLP, $\mathcal{A}$ can not derive $psk=T_n\left(T_m\left(PI{D}_i\right)\right)$ that satisfies $M_1=T_m\left(PI{D}_i\right)$ and $M_2=T_n\left(PI{D}_i\right)$. Moreover, the random values and long-term secrets that contribute to $S{K}_{j-i}$ are protected by the cryptographic hash function and thus remain concealed from $\mathcal{A}$. Overall, through this hybrid derivation mechanism that incorporates both long-term and ephemeral secrets, the proposed protocol ensures that the security of $S{K}_{j-i}$ does not rely on any single cryptographic component, thereby providing perfect forward secrecy.

4.10. ESL Attack

In the proposed protocol, the session key $S{K}_{j-i}=h(PI{D}_i\parallel I{D}_j\parallel psk\parallel N_u\parallel N_j)$ is generated between $U_i$ and $S{D}_j$ with the help of $GW{N}_k$. This key relies on session-specific and entity-specific secret information as well as random parameters. To assess the resilience of the key against ESL attacks, we examine two distinct scenarios:

• Scenario 1: If the attacker $\mathcal{A}$ manages to obtain the temporary secrets $TI{D}_i$, $N_g$, $N_u$, $N_j$, and $psk$, the hash function $h(·)$’s collision-resistant properties make it difficult for $\mathcal{A}$ to derive the session key without also having access to the long-term secrets $I{D}_i$, $P{W}_i$, $PI{D}_i$, $I{D}_j$, $X_j$, and $D{K}_j$.
• Scenario 2: Even if $\mathcal{A}$ gains possession of the long-term secrets $I{D}_i$, $P{W}_i$, $PI{D}_i$, $I{D}_j$, $X_j$, and $D{K}_j$, the absence of short-term secrets still makes it impractical for $\mathcal{A}$ to compute the session key.

4.11. Stolen Smartcards and Privileged-Insiders Attacks

These scenarios explore the implications of a lost or stolen smartcard, $S{C}_i$, belonging to a registered user. The registration process commences with user $U_i$ transmitting $I{D}_j$ to the RA via a secure channel. Suppose a privileged-insider within the RA, denoted as adversary $\mathcal{A}$, has access to the information $<TI{D}_i,r_i,PI{D}_i,SC{N}_i>$. Subsequent to registration completion, it is assumed that adversary $\mathcal{A}$ has gained possession of user $U_i$’s stolen smartcard, denoted as $S{C}_i$ and then extracted the data $<TI{D}_i,X_i,Y_i,Aut{h}_i,SC{N}_i>$ from $S{C}_i$ using power analysis attacks. Extracting or guessing $I{D}_i$ from the values $(X_i,Y_i,Aut{h}_i)$ without knowing $P{W}_i$ and $B_i$ of $U_i$ is computationally infeasible, as $P{W}_i$ and $B_i$ are protected by a collision-resistant hash function $h(·)$. This demonstrates that identity guessing attacks are challenging for $\mathcal{A}$. Similarly, deriving $P{W}_i$ from $(X_i,Y_i,Aut{h}_i)$ without $I{D}_i$ and $B_i$ is computationally infeasible due to $h(·)$’s collision resistance. Additionally, it is computationally infeasible for the adversary $\mathcal{A}$ to derive $P{W}_i$ from the extracted parameters. Thus, the system is robust against offline password guessing attacks, even in the case of stolen smartcards or privileged insider threats.

4.12. Resistance to Modeling Attacks

The proposed protocol prevents modeling attacks by avoiding challenge-response transmission over insecure channels. Using collision-resistant hash function $h(·)$ and XOR to encrypt secret parameters, adversary $\mathcal{A}$ cannot extract useful information from intercepted messages, ensuring security with minimal overhead.

4.13. Impersonation Attacks

To mitigate impersonation attacks, three scenarios are examined: Case I (User Impersonation Attack): Suppose an adversary $\mathcal{A}$ intercepts the message $Ms{g}_1=<TI{D}_i,X_1,M_1,Aut{h}_1>$. Using this information, $\mathcal{A}$ tries to impersonate the user by crafting a modified message $Ms{g}_1^{\mathcal{A}}=<TI{D}_i^{\mathcal{A}},X_1^{\mathcal{A}},M_1^{\mathcal{A}},Aut{h}_1^{\mathcal{A}}>$ to deceive others. However, without knowledge of $PI{D}_i$, $r_i$, and $I{D}_j$, $\mathcal{A}$ cannot produce a valid $Ms{g}_1$, rendering it incapable of establishing a credible communication with $GW{N}_k$ and thus preventing successful user impersonation.

Case II (Gateway Node Impersonation Attack): Consider the scenario where $\mathcal{A}$ intercepts $Ms{g}_2=<M_1,X_2,$ $X_3,Aut{h}_2>$. To impersonate a gateway node, $\mathcal{A}$ would need to fabricate $Ms{g}_2$ to convince a smart sensing device of its authenticity. However, without knowledge of $I{D}_j$ and $X_j$, $\mathcal{A}$ cannot compute $X_2$, $X_3$, and $Aut{h}_2$. Therefore, $\mathcal{A}$ cannot create a valid $Ms{g}_2$ to impersonate a gateway node, and similarly, $\mathcal{A}$ cannot compute $Ms{g}_4$ to deceive $U_i$. Thus, $\mathcal{A}$ fails to impersonate a gateway node.

Case III (Smart Sensing Device Impersonation Attack): When $\mathcal{A}$ intercepts the message $Ms{g}_3=<X_4,M_2,Aut{h}_3>$ from $S{D}_j$ to $GW{N}_k$, impersonating $S{D}_j$ requires crafting a credible $Ms{g}_3$. Nonetheless, lacking crucial information like $I{D}_j$, $X_j$, $D{K}_j$, $N_j$, $s_j$, $N_g$, and $PI{D}_i$, $\mathcal{A}$ fails to generate a legitimate $Ms{g}_3$. This inability to forge a valid message demonstrates the protocol’s effectiveness in thwarting attempts at impersonating the smart sensing device, underscoring its security against such types of attacks.

5. Formal Security Analysis

This section analyzes the security of the proposed protocol using the ROR model, formally proving session key security. Before presenting the session key proof (Theorem 1), we introduce essential ROR model primitives.

Participants. The proposed protocol involves three primary participants: the user $U_i$, the gateway node $GW{N}_k$, and the smart sensing device $S{D}_j$. Instances of these participants are represented as ${\Omega }_U^{t_1}$, ${\Omega }_{GWN}^{t_2}$, and ${\Omega }_{SD}^{t_3}$, corresponding to the $t_1$th instance of $U_i$, the $t_2$th instance of $GW{N}_k$, and the $t_3$th instance of $S{D}_j$, respectively. Each instance is treated as an oracle, and ${\Omega }^t$ is occasionally used to denote the tth instance of any given entity.

Partnership. Entities ${\Omega }^{t_1}$ and ${\Omega }^{t_2}$ in the protocol are considered partners if they meet the following criteria: (1) Both entities have reached an acceptance state; (2) They share the same session identifier $SID$; and (3) A session key has been established between them.

Freshness. An entity ${\Omega }^t$ is considered to be fresh if its established session key has not been compromised by the adversary $\mathcal{A}$. An entity ${\Omega }^t$ is deemed fresh if its established session key remains uncompromised by the adversary $\mathcal{A}$.

Adversary. In the ROR model, the adversary $\mathcal{A}$’s capabilities are represented by conducting specific oracle queries: In the ROR model, the capabilities of the adversary $\mathcal{A}$ are represented through specific oracle queries defined in Table 3. It is important to emphasize that, while $\mathcal{A}$ is granted the ability to extract the secret credentials stored in a user’s smart card via the $CorruptSmartcard\left({\Omega }^t\right)$ query, deriving either the long-term or ephemeral secrets from the hashed credentials remains well beyond $\mathcal{A}$’s capability.

Table 3. Adversary queries in the ROR model.

Query	Functionality
$Execute({\Omega }_{U_i}^{t_1},{\Omega }_{GW{N}_k}^{t_2},{\Omega }_{S{D}_j}^{t_3})$	This query allows the adversary $\mathcal{A}$ to passively observe and collect messages exchanged among ${\Omega }_{U_i}^{t_1},{\Omega }_{GW{N}_k}^{t_2},$ and ${\Omega }_{S{D}_j}^{t_3}$, facilitating the evaluation of forward secrecy.
$Send({\Omega }^t,msg)$	This query enables the simulation of active attacks, such as impersonation and replay. The adversary $\mathcal{A}$ sends a message $msg$ to ${\Omega }^t$ and receives the corresponding response.
$CorruptSmartcard\left({\Omega }^t\right)$	Upon executing this query, the adversary $\mathcal{A}$ obtains complete access to the credentials stored on the compromised smart card $S{C}_i$ belonging to the legitimate registered user $U_i$.
$Reveal\left({\Omega }_{U_i}^{t_1}\right)$	This query discloses the actual session key if ${\Omega }_{U_i}^{t_1}$ has been accepted.
$Test\left({\Omega }^t\right)$	This query returns the real session key when $b=1$, or a random string of the same length when $b=.$. If $\mathcal{A}$ can consistently guess the value of b correctly, it signifies a successful compromise of the session key’s semantic security.

Definition 1

(Semantic Security). In the context of the RoR model, the adversary $\mathcal{A}$ is tasked with distinguishing between the actual session key and a random string during the $Test$ query. The adversary $\mathcal{A}$ attempts to correctly guess the value of b to succeed in this challenge. The advantage of the adversary in compromising the semantic security of the proposed protocol P is denoted as $Ad{v}_{\mathcal{A}}^P$ and is defined by the equation $Ad{v}_{\mathcal{A}}^P=2·Pr[b^{\prime }=b]-1$. If there exists a sufficiently small function ϵ such that $Ad{v}_{\mathcal{A}}^P<ϵ$, then the proposed protocol P is considered to be semantically secure.

Definition 2

(Security of PUF). For two secure functions $PUF{(·)}_1$ and $PUF{(·)}_2$, given any inputs $c_1$ and $c_2$ in ${0,1}^k$, the probability that the Hamming distance $HD(PUF{\left(c_1\right)}_1,PUF{\left(c_2\right)}_2)$ exceeds d is $1-ϵ$. Here, d represents the fault tolerance level.

Definition 3

(CMDLP). The advantage of an adversary $\mathcal{A}$ in solving the Chaotic Map Discrete Logarithm Problem (CMDLP) within a runtime of $rt$ is considered negligible if it satisfies $Ad{v}_{\mathcal{A}}^{CMDLP}\left(rt\right)<ϵ$, where ϵ is a negligible function.

Theorem 1.

For the proposed protocol P, the adversary $\mathcal{A}$ operates within polynomial time, aiming to compromise semantic security. Let $q_h$ denote the number of hash queries, $q_p$ the number of PUF queries, and $q_s$ the number of send queries. Additionally, let l represent the length of the biometric data, D be the uniformly distributed password dictionary, and the PUF has a key length of $\left|PUF\right|$. Combining the aforementioned definitions, $Ad{v}_A^{CMDLP}\left(rt\right)$ denotes the advantage of solving the CMDLP problem within time $rt$. Thus, we have:

$$\begin{array}{cc}\hfill Ad{v}_{\mathcal{A}}^P\le & {\displaystyle \frac{q_h^2}{\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{\left|PUF\right|}}+2\left({\displaystyle \frac{q_s}{2^l·\left|D\right|}}+Ad{v}_{\mathcal{A}}^{CMDLP}\left(rt\right)\right).\hfill \end{array}$$

We establish the provable security of the proposed protocol by defining a series of games $Gam{e}_i$$(i=0,1,2,\dots ,5)$. Specifically, in our protocol P, let $Pr\left[{\mathrm{suc}}_i\right]$ denote the event where the adversary $\mathcal{A}$ successfully guesses the value of b in the $Test$ query within the game $Gam{e}_i$.

${\mathit{Game}}_{\mathbf{0}}.$ This game models an attack scenario where the adversary $\mathcal{A}$ targets the protocol P. At the start, $\mathcal{A}$ is tasked with determining the value of the bit b. The advantage of $\mathcal{A}$ in this context is given by:

$${Adv}_{\mathcal{A}}^P=\left|2Pr\left[{\mathrm{suc}}_0\right]-1\right|,$$

(1)

where $Pr\left[{\mathrm{succ}}_0\right]$ represents the probability of $\mathcal{A}$ succeeding in guessing b.

${\mathit{Game}}_{\mathbf{1}}.$ In this game, $\mathcal{A}$ simulates an eavesdropping attack by performing multiple $Execute$ queries. Assume $\mathcal{A}$ intercepts all messages $Ms{g}_1$ through $Ms{g}_4$ transmitted within the protocol. To determine the session key $S{K}_{j-i}=h(PI{D}_i\parallel I{D}_j\parallel psk\parallel N_u\parallel N_j)$, $\mathcal{A}$ must have access to specific long-term and short-term secret parameters. However, based on the informal security analysis, obtaining these parameters is impractical for $\mathcal{A}$. Therefore, the probability of $\mathcal{A}$ successfully winning ${\mathit{Game}}_{\mathbf{1}}$ remains unchanged. Consequently, we have $Pr\left[{\mathrm{suc}}_0\right]=Pr\left[{\mathrm{suc}}_1\right]$.

${\mathit{Game}}_{\mathbf{2}}.$ The primary distinction between $Gam{e}_2$ and its predecessor, $Gam{e}_1$, lies in the incorporation of simulated $Send$ and $Hash$ queries. In $Gam{e}_2$, $\mathcal{A}$ performs an active attack, trying to deceive a participant into accepting forged messages. Although the adversary may conduct multiple hash queries on $Ms{g}_1$, $Ms{g}_2$, $Ms{g}_3$, and $Ms{g}_4$ to identify potential collisions, the inclusion of random nonces, unique identifiers ($PI{D}_i$ and $I{D}_j$), and long-term secrets associated with each message renders this a highly improbable event. As a result, the likelihood of the adversary encountering a collision during $Send$ queries is negligible. Moreover, applying the birthday paradox reinforces this assertion by indicating that

$$\left|Pr\left[{\mathrm{suc}}_1\right]-Pr\left[{\mathrm{suc}}_2\right]\right|\le {\displaystyle \frac{q_h^2}{2\left|Hash\right|}}$$

(2)

${\mathit{Game}}_{\mathbf{3}}.$ In $Gam{e}_3$, we simulate PUF queries. Applying the definition of secure PUF functions (Definition 2), we derive the following inequality:

$$\left|Pr\left[{\mathrm{suc}}_2\right]-Pr\left[{\mathrm{suc}}_3\right]\right|\le {\displaystyle \frac{q_p^2}{2\left|PUF\right|}}$$

(3)

${\mathit{Game}}_{\mathbf{4}}.$ The transition from $Gam{e}_3$ to $Gam{e}_4$ involves the addition of the $CorruptSmartcard(\Omega )$ query. By utilizing this query, the adversary $\mathcal{A}$ will acquire the credentials $TI{D}_i,X_i,Y_i,$ and $Aut{h}_i$. To correctly identify $I{D}_i$ and $P{W}_i$ for $U_i$ from ($s_i^{\prime }\Vert n_i^{\prime })=X_i\oplus h(I{D}_i^{\prime }\Vert P{W}_i^{\prime })$ and $B{k}_i^{\prime }=Rep(B_i^{\prime },s_i^{\prime })$, $\mathcal{A}$ must have both the secret credential $n_i^{\prime }$ and the biometric key $B{k}_i^{\prime }$. By capping the number of unsuccessful identity/password or biometric verifications, the system upholds the following condition:

$$\left|Pr\left[{\mathrm{suc}}_3\right]-Pr\left[{\mathrm{suc}}_4\right]\right|\le {\displaystyle \frac{q_s}{2^l·\left|D\right|}}$$

(4)

${\mathit{Game}}_{\mathbf{5}}.$ The final game involves $\mathcal{A}$ endeavoring to compute the shared session key $S{K}_{i-j}$ between $U_i$ and $S{D}_j$ by exploiting intercepted communications and simultaneously solving the CMDLP instance (cf. Definition 3). To calculate the session key $S{K}_{j-i}=h(PI{D}_i\parallel I{D}_j\parallel psk\parallel N_u\parallel N_j)$, $\mathcal{A}$ needs $I{D}_j$ and $psk$, where $psk=T_n\left(T_m\left(PI{D}_i\right)\right)=T_m\left(T_n\left(PI{D}_i\right)\right)=T_{mn}\left(PI{D}_i\right)modlp$. It is evident that even with knowledge of $PI{D}_i$, computing $T_n\left(PI{D}_i\right)modlp$ necessitates access to n. Similarly, determining $T_m\left(PI{D}_i\right)modlp$ requires knowledge of m, despite possessing $PI{D}_i$. Consequently, $\mathcal{A}$ must solve the CMDLP within a runtime of at most $rt$ to obtain the session key $S{K}_{i-j}$. Therefore,

$$\left|Pr\left[{\mathrm{suc}}_4\right]-Pr\left[{\mathrm{suc}}_5\right]\right|\le Ad{v}_{\mathcal{A}}^{CMDLP}\left(rt\right)$$

(5)

Taking into account all the games described earlier, after all the oracle queries have been executed, the adversary $\mathcal{A}$ does not gain any extra advantage in correctly guessing the bit b in the $Test$ query. Consequently, $Pr\left[{\mathrm{suc}}_5\right]={\displaystyle \frac{1}{2}}$. Additionally, based on the calculations, we get:

$$\begin{array}{cc}\hfill \left|Pr\left[{\mathrm{suc}}_0\right]-Pr\left[{\mathrm{suc}}_5\right]\right|& =\left|Pr\left[{\mathrm{suc}}_0\right]-{\displaystyle \frac{1}{2}}\right|=\left|Pr\left[{\mathrm{suc}}_1\right]-{\displaystyle \frac{1}{2}}\right|\hfill \\ \hfill & \le \left|Pr\left[{\mathrm{suc}}_1\right]-Pr\left[{\mathrm{suc}}_2\right]\right|\hfill \\ \hfill & +\left|Pr\left[{\mathrm{suc}}_2\right]-Pr\left[{\mathrm{suc}}_3\right]\right|\hfill \\ \hfill & +\left|Pr\left[{\mathrm{suc}}_3\right]-Pr\left[{\mathrm{suc}}_4\right]\right|\hfill \\ \hfill & +\left|Pr\left[{\mathrm{suc}}_4\right]-Pr\left[{\mathrm{suc}}_5\right]\right|\hfill \\ \hfill & ={\displaystyle \frac{q_h^2}{2\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{2\left|PUF\right|}}\hfill \\ \hfill & +{\displaystyle \frac{q_s}{2^l·\left|D\right|}}+Ad{v}_{\mathcal{A}}^{CMDLP}\left(rt\right)\hfill \end{array}$$

(6)

Combining the results yields:

$$\begin{array}{cc}\hfill Ad{v}_{\mathcal{A}}^P=& |2Pr\left[{\mathrm{suc}}_0\right]-1|=2|Pr\left[{\mathrm{suc}}_0\right]-{\displaystyle \frac{1}{2}}|\hfill \\ \hfill \le & {\displaystyle \frac{q_h^2}{\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{\left|PUF\right|}}+2\left({\displaystyle \frac{q_s}{2^l·\left|D\right|}}+Ad{v}_{\mathcal{A}}^{CMDLP}\left(rt\right)\right)\hfill \end{array}$$

(7)

6. Performance Evaluation

In this section, we compare the proposed protocol with five state-of-the-art schemes [60,61,62,63,64], focusing on computational overhead, communication overhead, and security and functionality features.

6.1. Computational Overhead

This section analyzes the computational cost of our proposed protocol compared to existing ones. Core cryptographic operations underpinning user login and authentication are considered. We exclude basic operations like XOR and concatenation from the analysis. For the efficiency evaluation, we implemented all cryptographic primitives involved in the proposed protocol and the baseline protocols using Python 3.9.13, leveraging libraries such as hashlib, pypuf, and ecpy. We then measured their average execution times, including hash function ($T_{\mathsf{H}}$), ECC point multiplication ($T_{\mathsf{EM}}$), PUF ($T_{\mathsf{PUF}}$), fuzzy extractor ($T_{\mathsf{FE}}\approx T_{\mathsf{EM}}$), and chaotic map ($T_{\mathsf{CM}}$). In addition, to support the testing procedures, a Raspberry Pi 4 equipped with 2 GiB of memory and running Raspberry Pi OS (32-bit) was used as the resource-constrained Platform I to simulate smart sensing devices, whereas a 64-bit Windows 10 machine with 8 GiB of memory and an Intel^® Core™ i5-8300H CPU @ 2.30GHz was employed as the resource-rich Platform II to emulate gateway nodes and user devices. For each platform and cryptographic primitive, 1000 test runs were conducted. The resulting average execution times in milliseconds are tabulated in Table 4.

Table 4. Average execution time of various primitives.

Operation	Platform-I	Platform-II
Hash function ($T_{\mathsf{H}}$)	0.007 ms	0.001 ms
ECC point multiplication ($T_{\mathsf{EM}}$)	6.549 ms	0.846 ms
ECC point addition ($T_{\mathsf{EA}}$)	0.273 ms	0.002 ms
Physical unclonable function ($T_{\mathsf{PUF}}$)	0.5 $\mathrm{\mu }$s	–
Fuzzy extractor ($T_{\mathsf{FE}}\approx T_{\mathsf{EM}}$)	6.549 ms	0.846 ms
Chaotic map ($T_{\mathsf{CM}}$)	0.102 ms	0.019 ms

Table 5 summarizes the computational overheads of different protocols. Our protocol incurs a computation overhead of approximately $6T_{\mathsf{H}}+T_{\mathsf{PUF}}+T_{\mathsf{FE}}+2T_{\mathsf{CM}}\approx 6.7955$ on resource-constrained smart sensing devices (Platform-I). This is lower than the overhead of protocols proposed by the benchmark protocols of Hammad et al. [60], Wazid et al. [61], and Sutrala et al. [63]. This indicates better suitability for resource-constrained settings. While the total computation overhead of our protocol ($8.5445$ ms) exceeds that of some existing solutions Yang et al. [62] and Srinivas et al. [64], it offers superior security and functionality features, as detailed in Table 5. This trade-off between efficiency and security is a crucial consideration for real-world deployments.

Table 5. Computation overheads comparison (ms).

Protocol	User	GWN / Server	Smart Sensing Device	Total Overhead
Hammad et al. [60]	$T_{PUF}+2T_{EM}+7T_H\approx 1.699$	$2T_{EM}+9T_H\approx 1.701$	$T_{PUF}+2T_{EM}+5T_H\approx 13.1335$	$16.5335$
Wazid et al. [61]	$T_{FE}+4T_{EM}+T_{EA}+19T_H\approx 4.251$	$5T_{EM}+T_{EA}+T_H\approx 4.233$	$4T_{EM}+T_{EA}+12T_H\approx 26.553$	$35.037$
Yang et al. [62]	$10T_H\approx 0.01$	$19T_H\approx 0.019$	$8T_H\approx 0.056$	$0.085$
Sutrala et al. [63]	$T_{FE}+5T_{EM}+2T_{EA}+16T_H\approx 5.096$	$3T_{EM}+2T_{EA}+9T_H\approx 2.551$	$4T_{EM}+T_{EA}+8T_H\approx 26.525$	$34.172$
Srinivas et al. [64]	$15T_{\mathsf{H}}+T_{\mathsf{FE}}+2T_{\mathsf{CM}}\approx 0.899$	$10T_{\mathsf{H}}\approx 0.01$	$6T_{\mathsf{H}}+2T_{\mathsf{CM}}\approx 0.246$	$1.155$
Our Proposed	$8T_{\mathsf{H}}+T_{\mathsf{FE}}+2T_{\mathsf{CM}}\approx 0.892$	$11T_{\mathsf{H}}+T_{\mathsf{FE}}\approx 0.857$	$6T_{\mathsf{H}}+T_{\mathsf{PUF}}+T_{\mathsf{FE}}+2T_{\mathsf{CM}}\approx 6.7955$	$8.5445$

6.2. Runtime Comparison

In this subsection, a comprehensive performance evaluation is conducted by implementing the complete workflows of both the proposed protocol and its baseline protocols in Python on a Windows 10 experimental machine equipped with an Intel^® Core™ i5-8300H CPU @ 2.30GHz processor and 8 GiB of memory. Each protocol underwent 100 runs, and the average execution time for the integrated login and AKA phase is recorded; comparative results appear in Figure 3. Empirical data indicate that the proposed protocol attains an average runtime of 1013.86 ms, outperforming the protocols of Hammad et al. [60] (1016.38 ms), Sutrala et al. [63] (1024.63 ms), Wazid et al. [61] (1041.15 ms), and Yang et al. [62] (1019.19 ms). Although its overhead is marginally higher than that of the protocol proposed by Srinivas et al. [64], this slight increase is offset by the additional security features and functional enhancements delivered by the proposed protocol (see Table 8).

Figure 3. Comparison of computation overheads.

6.3. Communication Overhead

Table 6 presents a comparison of the communication overhead of various protocols, highlighting the number of bits needed for message exchanges. The communication overhead is quantified in bits for each protocol. To ensure a fair evaluation, the following assumptions are made: timestamps are considered to be 32 bits; identities, random numbers, chaotic map-based encryption outputs, and PUF responses are considered to be 128 bits; hash digest outputs are 256 bits; and ECC points are 320 bits. The analysis reveals that the total communication overhead of the proposed protocol is 2944 bits, which is lower than the 3616 bits, 3360 bits, 5376 bits, and 3200 bits required by the benchmark protocols Hammad et al. [60], Wazid et al. [61], Yang et al. [62], and Sutrala et al. [63], respectively. Thus, the proposed protocol is more resource-efficient. Moreover, while the proposed protocol’s communication overhead is slightly higher than that of Srinivas et al. [64], this increase is justified by its enhanced and comprehensive security features, as outlined in Table 8.

Table 6. Communication overheads comparison.

Protocol	No. of Messages	Total Overhead (Bits)
Hammad et al. [60]	5	3616
Wazid et al. [61]	3	3360
Yang et al. [62]	6	5376
Sutrala et al. [63]	3	3200
Srinivas et al. [64]	3	1856
Our Proposed	4	2944

6.4. Storage Overhead

Building on the experimental configuration in Section 6.3, Table 7 presents a systematic comparison of the storage overhead incurred by the proposed protocol versus baseline protocols. The focus is on the secret credentials that user devices, gateways/servers, and smart sensing units must store after initialization and registration to support subsequent AKA operations. To illustrate scalability, Table 7 also presents the storage cost of each entity as a function of the number of smart sensing devices, denoted by N. For resource-constrained smart sensing devices, the proposed protocol requires only 384 bits of local storage-substantially less than the 1280 bits of Wazid et al. [61] and the 1984 bits of Sutrala et al. [63], and equal to the requirements of Srinivas et al. [64] and Yang et al. [62]. Given the enhanced security and functionality delivered by our protocol (see Table 8), this minimal storage footprint is justified. From a system-wide perspective, the total storage burden introduced by the proposed protocol grows linearly as $1024N+2016$ bits-markedly lower than Wazid et al.’s [61] $1792N+4320$ bits, Yang et al.’s [62] $1152N+1280$ bits, and Sutrala et al.’s [63] $2624N+4576$ bits. While slightly higher than the schemes of Hammad et al. [60] and Srinivas et al. [64], the proposed protocol offers stronger security guarantees and richer functionality (refer to Table 8), making this trade-off reasonable and acceptable.

Table 7. Comparison of storage overheads (bits).

Protocol	User	GWN/Server	Smart Sensing Device	Overall Overheads
Hammad et al. [60]	640	$1024+128n$	512	$640N+2176$
Wazid et al. [61]	$256N+2656$	$256N+1664$	1280	$1792N+4320$
Yang et al. [62]	$128N+640$	$640N+640$	384	$1152N+1280$
Sutrala et al. [63]	$256N+2592$	$384N+1984$	1984	$2624N+4576$
Srinivas et al. [64]	$128N+992$	$384N+128$	384	$896N+1120$
Our Proposed	$128N+1120$	$640N+896$	384	$1024N+2016$

Note: N: Number of Smart Sensing Devices.

Table 8. Security and functionality features comparison.

Feature	[60]	[61]	[62]	[63]	[64]	Our
${\mathcal{F}}_{\mathrm{\infty }}$	✓	×	×	×	×	✓
${\mathcal{F}}_{\mathrm{\in }}$	✓	✓	×	✓	✓	✓
${\mathcal{F}}_{\mathrm{\ni }}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{△}}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{▽}}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{/}}$	✓	✓	✓	✓	✓	✓
	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\forall }}$	×	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\exists }}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\infty \prime }}$	×	×	✓	×	×	✓
${\mathcal{F}}_{\mathrm{\infty \infty }}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\infty \in }}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\infty \ni }}$	✓	✓	✓	✓	✓	✓

Note: ${\mathcal{F}}_{\mathrm{\infty }}$: Smart sensing device capture attack; ${\mathcal{F}}_{\mathrm{\in }}$: Anonymity; ${\mathcal{F}}_{\mathrm{\ni }}$: Untraceability; ${\mathcal{F}}_{\mathrm{△}}$: De-synchronization attack; ${\mathcal{F}}_{\mathrm{▽}}$: Replay attack; ${\mathcal{F}}_{\mathrm{/}}$: MitM attack; : Mutual authentication; ${\mathcal{F}}_{\mathrm{\forall }}$: Independent session key establishment; ${\mathcal{F}}_{\mathrm{\exists }}$: Perfect forward secrecy; ${\mathcal{F}}_{\mathrm{\infty \prime }}$: No clock synchronization; ${\mathcal{F}}_{\mathrm{\infty \infty }}$: ESL attack; ${\mathcal{F}}_{\mathrm{\infty \in }}$: Stolen smartcard and privileged-insider attacks; and ${\mathcal{F}}_{\mathrm{\infty \ni }}$: Impersonation attacks; ✓: indicates feature availability; ×: indicates feature unavailability or inapplicability.

Table 8. Security and functionality features comparison.

Feature	[60]	[61]	[62]	[63]	[64]	Our
${\mathcal{F}}_{\mathrm{\infty }}$	✓	×	×	×	×	✓
${\mathcal{F}}_{\mathrm{\in }}$	✓	✓	×	✓	✓	✓
${\mathcal{F}}_{\mathrm{\ni }}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{△}}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{▽}}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{/}}$	✓	✓	✓	✓	✓	✓
	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\forall }}$	×	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\exists }}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\infty \prime }}$	×	×	✓	×	×	✓
${\mathcal{F}}_{\mathrm{\infty \infty }}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\infty \in }}$	✓	✓	✓	✓	✓	✓
${\mathcal{F}}_{\mathrm{\infty \ni }}$	✓	✓	✓	✓	✓	✓

Note: ${\mathcal{F}}_{\mathrm{\infty }}$: Smart sensing device capture attack; ${\mathcal{F}}_{\mathrm{\in }}$: Anonymity; ${\mathcal{F}}_{\mathrm{\ni }}$: Untraceability; ${\mathcal{F}}_{\mathrm{△}}$: De-synchronization attack; ${\mathcal{F}}_{\mathrm{▽}}$: Replay attack; ${\mathcal{F}}_{\mathrm{/}}$: MitM attack; : Mutual authentication; ${\mathcal{F}}_{\mathrm{\forall }}$: Independent session key establishment; ${\mathcal{F}}_{\mathrm{\exists }}$: Perfect forward secrecy; ${\mathcal{F}}_{\mathrm{\infty \prime }}$: No clock synchronization; ${\mathcal{F}}_{\mathrm{\infty \infty }}$: ESL attack; ${\mathcal{F}}_{\mathrm{\infty \in }}$: Stolen smartcard and privileged-insider attacks; and ${\mathcal{F}}_{\mathrm{\infty \ni }}$: Impersonation attacks; ✓: indicates feature availability; ×: indicates feature unavailability or inapplicability.

6.5. Security and Functionality Features

Table 8 presents a comparison of the proposed protocol against the benchmark protocols: Hammad et al. [60], Wazid et al. [61], Yang et al. [62], Sutrala et al. [63], and Srinivas et al. [64]. The comparison evaluates thirteen security and functionality features: ${\mathcal{F}}_{\mathrm{\infty }}$: Smart sensing device capture attack; ${\mathcal{F}}_{\mathrm{\in }}$: Anonymity; ${\mathcal{F}}_{\mathrm{\ni }}$: Untraceability; ${\mathcal{F}}_{\mathrm{△}}$: De-synchronization attack; ${\mathcal{F}}_{\mathrm{▽}}$: Replay attack; ${\mathcal{F}}_{\mathrm{/}}$: MitM attack; : Mutual authentication; ${\mathcal{F}}_{\mathrm{\forall }}$: Independent session key establishment; ${\mathcal{F}}_{\mathrm{\exists }}$: Perfect forward secrecy; ${\mathcal{F}}_{\mathrm{\infty \prime }}$: No clock synchronization; ${\mathcal{F}}_{\mathrm{\infty \infty }}$: ESL attack; ${\mathcal{F}}_{\mathrm{\infty \in }}$: Smartcard theft and insider threats; and ${\mathcal{F}}_{\mathrm{\infty \ni }}$: Impersonation attacks. In Table 8, a check mark (✓) denotes the presence of a feature, while a cross (×) indicates its absence or inapplicability. The comparison reveals that the proposed protocol is the only one to encompass all the essential and critical security and functionality features. Conversely, the benchmark protocols show shortcomings, either missing certain features or failing to counter specific security threats.

6.6. Critical Discussion

The proposed AKA protocol delivers a balanced solution for real-time IIoT environments by integrating PUFs, fuzzy extractors, and chaotic maps, ensuring strong resistance to attacks and meeting all targeted security and functionality objectives. It maintains moderate computational and communication overheads, making it suitable for resource-constrained devices, with superior runtime performance. Limitations include PUF reliability under environmental variations, computational overhead from fuzzy extractors, and reliance on simulations lacking real-world insights. Trade-offs involve latency, storage overhead, and implementation complexity. Future work targets real-world testbed implementation, IIoT communication stack integration, robust key management, recovery mechanisms, and energy efficiency evaluation under diverse scenarios.

7. Conclusions

To address the threats posed by various known attacks on wireless data communication between users, gateway nodes, and smart sensing devices in Industrial Internet of Things (IIoT) network scenarios, this paper proposes an anonymous and secure authentication and key agreement protocol for IIoT settings. The proposed protocol is based on PUF, cryptographic hash, XOR, and Chaotic Map, providing strong security features while maintaining resource efficiency, making it more suitable for resource-constrained IIoT environments. Furthermore, a comprehensive comparison with existing protocols demonstrates that the proposed protocol significantly reduces computational and communication overhead while offering superior security features, representing a substantial advancement in the field. Future work includes the exploration of post-quantum cryptographic primitives to ensure long-term resistance against quantum-capable adversaries, and the experimental deployment of the proposed protocol in real-world IIoT testbeds to validate its performance under diverse and dynamic environmental conditions.