A PUF-Based Secure and Lightweight Authentication Protocol for Medical IoT Environments

The development of sensor and communication technology has enabled the Internet of Things in healthcare. In Medical Internet of Things (MIoT) environments, sensors support real-time patient monitoring, remote diagnosis, and early disease detection. However, communication between users and sensors over public channels is vulnerable to various security attacks, making secure and lightweight authentication with session key establishment essential for protecting medical data. Recently, a lightweight and anonymous authentication protocol for MIoT environments was proposed using Physical Unclonable Functions (PUFs); however, we show that their protocol is vulnerable to eavesdropping, stolen verifier, and ephemeral secret leakage attacks, and fails to guarantee untraceability. To address these weaknesses, we propose a secure and lightweight PUF-based authentication protocol for MIoT environments. The security of our protocol is formally verified using Burrows–Abadi–Needham logic, the Real-or-Random model, and the Scyther tool. Furthermore, the practical validation of the proposed protocol is conducted on a hardware platform along with an evaluation of energy consumption based on the MIRACL cryptographic library. Performance comparisons demonstrate that our protocol achieves enhanced security properties with minimal computational overhead and communication costs. Ultimately, this research provides a secure and robust architectural option for healthcare applications aiming to preserve patient privacy in resource-constrained MIoT.