PUF and Chaotic Map-Based Authentication Protocol for Underwater Acoustic Networks

A secure and effective authentication and communication scheme between users and underwater sensors plays an important role in improving the detection and utilization of marine resources in underwater acoustic networks (UANs). However, due to the energy limitations and susceptibility to capture of underwater sensors and gateways, it is necessary to design a lightweight authentication protocol that can resist the capture of sensors and gateways during attacks. In this paper, a lightweight authentication protocol for UANs based on the Physical Unclonable Function (PUF) and chaotic map is proposed. We used the advantages of PUF to resist the capture of sensors and gateways in attacks and the chaotic map to achieve lightweight authentication, because the computational cost of the chaotic map is almost one-third that of Elliptic Curve Cryptography (ECC). Additionally, we used the formal security proof in the random oracle model to prove the security of the proposed scheme. Our scheme was more secure and efficient compared with some other related schemes in terms of security and performance requirements, and the proposed scheme is suitable for UANs.


Introduction
The ocean area accounts for about 71% of the earth's surface area. With the increasingly prominent contradiction between the global shortage of food, resources, and energy supply and the rapid population growth, the development of marine resources is an inevitable step. Using wireless sensor networks (WSNs) to perceive and monitor marine environment information can improve the utilization efficiency of marine resources, coordinate the allocation of marine and land resources, and realize the maximum utilization value of marine resources.
Due to the poor propagation of electromagnetic waves in seawater, and since optical communications are strongly affected by scattering, acoustic waves can enable communications over long-range links, so they provide the most obvious medium for underwater communication. Underwater wireless sensor networks are wireless communication networks based on acoustic signals, in which sensors are deployed underwater, where the environments are time-varying; they are called underwater acoustic networks (UANs). They use aircraft, submarines, or surface ships to randomly deploy a large number of cheap, miniature sensor nodes in the seawater. The nodes form a multi-hop self-organizing network system through underwater acoustic communication, which can cooperatively sense, collect, and process the information of the sensing objects in the network coverage area, and send it to the receiver. They are mainly used to carry out coordinated tasks, such as oceanographic data collection, pollution prediction, ocean mining, shipwreck avoidance, ocean monitoring, etc.
With the increasing use of UANs in industry and the military, the need to transmit sensitive information on insecure channels is also increasing. It is easy for adversaries to eavesdrop, intercept, modify, and delete the information, which leads to various attacks and causes huge losses [1]. Therefore, it is essential to control access to UANs' information and services and ensure that sensitive information is securely exchanged between users and sensor nodes. At the same time, the UANs are required to be able to respond to the relevant information of the marine environment in real time, reflecting the real-time requirements of the UANs. Only by continuous and real-time monitoring of the changing state of the ocean can humans grasp the ocean data in time and develop and use the data.
Authentication can ascertain the user's legitimacy in using the network resource and establish the session key between the user and the sensor node to protect the confidentiality and integrity of the data from the attacker. A number of security authentication and key agreement schemes have been proposed for terrestrial wireless sensor networks (TWSNs), but most of them are not applicable to UANs, due to the energy limitations and susceptibility to capture of underwater sensors and gateways. Therefore, a security mechanism specifically for UANs is needed [2].

Related Work
In 2019, Banerjee et al. [3] proposed a security-enhanced authentication and key agreement scheme for WSN, but their scheme cannot resist offline password guessing attacks and impersonation attacks, and does not achieve session key secrecy, identity unlinkability, and perfect forward secrecy. In 2020, Chen et al. [4] proposed an authentication scheme for WSN in IoT environments, but their scheme is vulnerable to offline password guessing attacks and impersonation attacks, and fails to achieve perfect forward secrecy, user anonymity, and unlinkability. In 2021, Shuai et al. [5] presented a lightweight authentication protocol for WSN environments using ECC to prevent various security issues. However, their scheme does not provide perfect forward security and suffers from desynchronization attacks and stolen-verifier attacks. Later, Kaur et al. [6] presented a two-factor user authentication protocol for smart homes using ECC. Yu et al. [7] showed that Kaur et al.'s scheme cannot resist impersonation attacks and session key disclosure attacks, and does not provide secure user authentication. They proposed a lightweight authentication scheme to overcome the security problems of Kaur et al.'s protocol. In 2021, Far et al. [8] proposed a user authentication protocol using a fuzzy extractor and hash chain in the IIoT environment. In 2023, Sahoo et al. [9] proposed a three-factor-based authentication scheme of 5G WSN for IoT systems and claimed that their scheme is secure. However, Xie et al. [10] pointed out that their scheme is vulnerable to user impersonation attacks, sensor node impersonation attacks, and capture attacks, and lacks user unlinkability and three-factor secrecy.
Recently, the chaotic map has received wide attention since it has better security and performance than traditional cryptography. The difficulty of the chaotic map's Diffie-Hellman problem and its semi-group property make it feasible to establish secure session keys. In addition, the computation overhead of a Chebyshev polynomial is approximately 1/3 of the scalar multiplication on elliptic curves [11]. It significantly reduces the computing overhead and energy consumption of resource-constrained sensor nodes, which is more suitable for devices with a limited battery life and smaller computation power. In 2015, Lee et al. [12] proposed a three-party authenticated key agreement scheme based on chaotic maps without a password table. Jabbari et al. [13] showed that the scheme of Lee et al. fails to guarantee user anonymity and put forward an improved scheme. In 2016, Kumari et al. [14] introduced a two-factor authentication scheme for WSN using the chaotic map. However, the protocol of Kumari et al. suffers from sensor node impersonation attacks [15]. In 2018, Aghili et al. [16] proposed an efficient three-factor authentication scheme for WSN using the hash function. However, Wang et al. [17] showed that the scheme does not provide security against session key disclosure attacks, desynchronization attacks, sensor node impersonation attacks, and session-specific temporary information attacks. Besides, they presented an improved protocol for WSN using chaotic maps. In 2019, Lee et al. [18] introduced a multi-server authentication protocol using extended chaotic maps. However, Kumar et al. [19] found that their protocol is insecure against user impersonation attacks, session-specific temporary information attacks, and time synchronization problems, and proposed another protocol based on extended chaotic maps. In 2021, Qi et al. [20] proposed a chaotic map-based authentication protocol for an industrial medical cyber-physical system. However, Ding et al. [21] showed that their protocol is vulnerable to identity guessing attacks, user impersonation attacks, trace attacks, and desynchronization attacks, and lacks perfect forward secrecy, and they proposed a security-enhanced one.
Recently, how to resist capture attacks on physical devices has become a hot topic in authentication protocol research. Thanks to the application of Physically Unclonable Functions (PUF), many security authentication protocols have emerged that resist sensor capture attacks. In 2024, Xie et al. [22] proposed a multi-server authentication protocol based on PUF and chaotic maps to address the security issues of Yu et al.'s scheme [23]. Xie et al. [24] also proposed a PUF-based security authentication protocol to address the inability of Kumar et al.'s scheme [25] to resist capture attacks on roadside units. Oláh et al. [26] proposed a Blockchain- and PUF-based registration protocol for the Internet of Drones.
The change from hash-based operations to complex cryptographic primitive-based schemes greatly improved the security of TWSNs. However, the difference between TWSNs and UANs makes it impossible to directly use TWSN secure authentication mechanisms for UANs. In 2019, Diamant et al. [27] proposed a cooperative authentication scheme for UANs, which relies on trusted nodes that independently assist in aggregating nodes during the authentication process. Later, Zhang et al. [28] presented a remote mutual authentication scheme based on chaotic maps for UANs. Based on the architecture of underwater wireless sensor networks, Kumar et al. [29] designed an authentication technique that establishes a session key for safe communication. In 2024, Tomović et al. [30] proposed a Blockchain-based key management protocol for UANs, and Wang et al. [31] proposed a deep learning and random forest algorithm-based dynamic trust model for UANs.

Motivation and Contributions
It is shown that Zhang et al.'s scheme [28] cannot provide secure mutual authentication and establish the session key, and it fails to resist offline password guessing attacks and user impersonation attacks. In Kumar et al.'s scheme [29], the session key between the user and the Onshore Base Station cannot achieve perfect forward secrecy and may suffer from ID guessing attacks. On the other hand, their scheme cannot resist sensor node capture attacks and does not establish the session key between the user and the sensor node. Tomović et al.'s scheme [30] cannot resist sensor node capture attacks and cannot achieve anonymity.
Since almost all authentication protocols for UANs have one or more security flaws, designing a secure and effective lightweight authentication protocol for UANs is a challenge. Therefore, a secure and efficient lightweight authentication protocol for UANs is proposed, and the main contributions are as follows:
(1) Based on the uniqueness and randomness of Physical Unclonable Functions (PUF) and the fast computation of chaotic maps, a secure and efficient authentication protocol for UANs is proposed.
(2) The proposed scheme is proven secure under the random oracle model, and it achieves all known security properties, such as perfect forward secrecy, anonymity, and resistance to device capture attacks.
(3) The proposed scheme is more secure and efficient compared with some other related schemes in terms of security and performance requirements, and the proposed scheme is suitable for UANs.
The rest of this paper is organized as follows: Section 2 provides the preliminaries and the threat model. The proposed authentication and key agreement scheme for UANs is presented in Section 3. Sections 4 and 5 provide the corresponding formal and informal analyses of the proposed scheme. The security and performance comparisons between the proposed scheme and other resource-constrained schemes are presented in Section 6. Section 7 is the conclusion.

Preliminaries
In this section, we will introduce the threat model used in this paper and review some basic definitions concerning the Chebyshev polynomial, chaotic maps, and PUF.

Threat Model
The proposed protocol adopts the widely accepted Dolev-Yao threat model (DY model) [32], in which any adversary has the ability to eavesdrop, intercept, modify, or delete the messages transmitted among users, gateways, and sensors. In addition, any adversary can extract all the sensitive information stored in the lost/stolen smart card of a legal user,   , using a side channel attack. Meanwhile, any adversary can capture the gateway and sensor nodes.

Definition 2 (semi-group property):
The semi-group property of the Chebyshev polynomial   () is defined as follows: where  and ℎ are positive integers and  ∈ [−1,1].

Definition 3 (chaos property):
The Chebyshev polynomial map,   ():

Definition 4: The enhanced Chebyshev polynomial is expressed as: where  is a large prime and  ∈ (−∞, +∞). The enhanced chaotic maps still satisfy the semi-group property and the chaos property.
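The enhanced map of Definition 4 and the semi-group property of Definition 2, worked in Python as an added example that is not the paper's own code: T_n(x) mod p by fast matrix exponentiation, a check of the semi-group identity over Z_p, and the Diffie-Hellman-style exchange on which the scheme's session key rests. The prime, seed and exponents are constructed values; a deployment picks its own large prime.

```python
import secrets


def chebyshev_mod(n: int, x: int, p: int) -> int:
    """Return T_n(x) mod p for the enhanced Chebyshev polynomial
    T_0(x) = 1, T_1(x) = x, T_k(x) = 2x*T_{k-1}(x) - T_{k-2}(x)  (mod p),
    computed in O(log n) by fast exponentiation of the 2x2 step matrix
    M = [[2x, -1], [1, 0]], which maps (T_k, T_{k-1}) to (T_{k+1}, T_k)."""
    if n < 0:
        raise ValueError("degree must be non-negative")
    x %= p

    def mat_mul(a, b):  # 2x2 matrices stored as 4-tuples (a00, a01, a10, a11)
        return ((a[0] * b[0] + a[1] * b[2]) % p, (a[0] * b[1] + a[1] * b[3]) % p,
                (a[2] * b[0] + a[3] * b[2]) % p, (a[2] * b[1] + a[3] * b[3]) % p)

    acc = (1, 0, 0, 1)                 # identity matrix
    base = (2 * x % p, p - 1, 1, 0)    # M, with -1 reduced mod p
    e = n
    while e:
        if e & 1:
            acc = mat_mul(acc, base)
        base = mat_mul(base, base)
        e >>= 1
    # M^n * (T_1, T_0)^T = (T_{n+1}, T_n)^T, so T_n is the second row times (x, 1)
    return (acc[2] * x + acc[3]) % p


def chebyshev_naive(n: int, x: int, p: int) -> int:
    """Direct recurrence; used only to cross-check the fast version."""
    if n == 0:
        return 1
    t_prev, t_cur = 1, x % p
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur


def semigroup_holds(r: int, s: int, x: int, p: int) -> bool:
    """Definition 2 over Z_p: T_r(T_s(x)) == T_s(T_r(x)) == T_{rs}(x)  (mod p)."""
    lhs = chebyshev_mod(r, chebyshev_mod(s, x, p), p)
    rhs = chebyshev_mod(s, chebyshev_mod(r, x, p), p)
    return lhs == rhs == chebyshev_mod(r * s, x, p)


def key_agreement(x: int, p: int, a: int = None, b: int = None):
    """Diffie-Hellman-style exchange built on the semi-group property: each
    side publishes T_a(x) or T_b(x) and both recover T_{ab}(x).  Recovering a
    from T_a(x) is the CMDLP; recovering T_{ab}(x) from the two public values
    is the CMDHP the paper relies on for perfect forward secrecy."""
    a = a or secrets.randbelow(p - 2) + 2   # user's per-session random exponent
    b = b or secrets.randbelow(p - 2) + 2   # sensor's per-session random exponent
    pub_a = chebyshev_mod(a, x, p)          # sent by the user in the clear
    pub_b = chebyshev_mod(b, x, p)          # sent by the sensor in the clear
    shared_user = chebyshev_mod(a, pub_b, p)
    shared_sensor = chebyshev_mod(b, pub_a, p)
    return pub_a, pub_b, shared_user, shared_sensor


if __name__ == "__main__":
    P = 2 ** 127 - 1     # constructed: a Mersenne prime standing in for the scheme's large prime
    X = 123456789        # constructed public seed
    _, _, ku, ks = key_agreement(X, P)
    print("shared keys match:", ku == ks)
```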

Physically Unclonable Functions
As a new hardware security primitive, the Physically Unclonable Function (PUF) is a hardware function implementation circuit that relies on chip features, with uniqueness and randomness. By extracting the process parameter deviations that are inevitably introduced during chip manufacturing, it achieves a function that uniquely maps challenge signals to response signals [34]. In our scheme, PUF is used to protect the information stored in the gateway and sensors.

The Proposed Scheme
Based on the fact that gateways and sensors in underwater acoustic networks are easily captured, the proposed scheme adopts PUF to protect the secret information stored in gateways and sensors. In order to achieve two-factor security, the user's identity and password are verified using fuzzy authentication. To achieve lightweight and secure authentication, the semi-group property of Chebyshev polynomials is adopted to achieve perfect forward secrecy. The notations used in our scheme are listed in Table 1 (only fragments survive here: the XOR operation of two values, ℎ(. ) a secure one-way hash function, and symmetric encryption/decryption using a key).

User Registration Phase
The user performs the following steps to be a legal user through a secure channel.
Step 1: The user   freely selects the identity   and password   , and sends the registration request message {  , ℎ(  ∥   )} to the   through a secure channel.

Login Phase
In order to log in to the   and access the data from the   , the user   needs to execute the following steps: After inserting the SC into the card reader of a specific terminal device,   enters its identity   and password   , computes  3 ′ = ℎ(  ∥  0 ∥   )  0 , and checks whether  3 ′ =  3 holds. If yes, the SC generates two random numbers,  and  , and computes where  1 is the current timestamp. Then, the SC sends the login request message, {  ,  5 ,  1 }, to the   .

Authentication and Key Management Phase
This phase allows the user to accomplish mutual authentication and session key agreement between the user and the sensor node through the help of the gateway node, and the steps are described as follows.
Step 1: After receiving the login request message, {  ,  5 ,  1 }, the   first checks whether  2 −  1 ≤  holds, where  2 is the current timestamp. If the timestamp verification holds,   continues to execute the next step; otherwise, the login request is denied.
Step 3: The   computes
Step 4: The   checks whether  4 ′ =  4 holds. If the equation holds, the   and   are successfully authenticated by each other; otherwise,   terminates this session instantaneously.
Step 6: Upon obtaining the message {  7 ,  2 } at timestamp  3 , the   checks whether  3 −  2 ≤  holds. If it holds, they move to the next step; otherwise, this session is terminated instantaneously.
The login and authentication process is shown in Table 2. If the check holds, the session key is SK.

Password Update Phase
For security considerations, a legal user should be allowed to update the personal password. In this phase, when the user wants to update his password,   , to a new password,    , the user needs to enter his identity,   , old password,   , and new password,    , after inserting the SC into the card reader. The SC computes  3 ′ = ℎ(  ∥  0 ∥   )  0 , and checks whether  3 ′ =  3 holds. If yes, the SC computes  1  =  1 ⨁ℎ(  ∥   )⨁ℎ(  ∥    ) and replaces  1 with  1  .

Formal Security Analysis
This section will formally analyze the security of the proposed scheme. The results demonstrate that our scheme is proven secure. The notions of the model used in this paper are defined as follows:
Participants: In the proposed scheme, , denoted as , the participants include the user , the gateway , and the sensor node . In the  ℎ instance, the participants, the user, the gateway, and the sensor node are denoted as    ,    ,    , and    , respectively.
States of Oracle: An oracle in our scheme has three states: , , and ⊥. If an oracle receives a correct request message, the state is ; if the request message is illegal, the state is . When neither condition occurs, the state is ⊥.
We and    are in , and the query Test has not been executed yet. The query Reveal will reveal the session key when it is executed. Otherwise, the output is null.
Corrupt (   ): This query simulates a corruption attack. It returns the message {ℎ(.),  0 ,  1 } stored in the smart card to the adversary.

Test (INS_P^i): This query is allowed to be executed at most once. The query generates a random bit ; if  = 1 and the session key has been generated, the session key is sent to the adversary. Otherwise,  receives a random number.
Freshness: An instance    can be identified as fresh if it satisfies the following conditions: 1. The Reveal query has not been executed.
Proof. We assume that the adversary  tends to break the scheme  in probabilistic polynomial time (PPT). Meanwhile, we define games, denoted as   (0 ≤  ≤ 4), to simulate multiple attacks launched by . According to   , the event   (0 ≤  ≤ 4) represents that  breaks  in   . The games are defined as:
 0 : This game simulates the real attack launched by . First,  guesses the random bit ; hence, we have:
 1 : This game simulates the eavesdropping attack.  executes multiple Execute queries and at most one Test query. After obtaining the output of the Test query,  has to figure out if the output is the session key according to the captured transcripts, {  ,  5 ,  7 ,  9 ,  10 ,  11 ,  13 ,   }. Here, this session key is based on the CMDLP, and  cannot compute  from the messages or figure out the relationship between the session key and the transcripts because the one-way hash function, random numbers, and timestamps are used. Therefore, we have:
 2 : This game simulates  executing the Execute and Send queries to launch collision attacks among the transmitted messages. These messages are symmetrically encrypted or hashed. According to the birthday paradox, the probability of a collision of the symmetric encryption is . Therefore, we have:
 3 : This game simulates that after the Corrupt query is executed, A launches guessing attacks on the password. A can obtain {ℎ(.),  0 ,  1 } stored in the smart card. Here,  0 =   ()   and  1 = ℎ(  ∥   )⨁ℎ(  ∥   ). The probability of  guessing the password is 1 2   ; therefore, we have:
 4 : This game simulates that  calculates  according to  9 =   ()  and   =   ()  , which are transmitted openly. According to the definition, we have:
The probability of guessing the random bit  is 1/2, which is equal to the probability of guessing the session key. We have:
Combining (5) to (10), we have:
That is: □

Offline Password Guessing Attack
Since the information in smart cards can be retrieved by side channel attacks, such as power analysis attacks, stolen smart card attacks should be considered when designing authentication schemes using smart cards. In our scheme, if the SC is stolen by an adversary, it can retrieve the information stored in the SC and eavesdrop on the messages transferred on the public channel. Though the adversary can guess the user's identity and password and obtain  2 , he still cannot know the random nonce  , and cannot verify whether  4 = ℎ( 1 ∥  2 ∥  ∥   ) is correct or not. Therefore, the adversary cannot know whether his guessed identity and password are correct. On the other hand, if an adversary wants to guess   and   to satisfy  3 = ℎ(  ∥  0 ∥   )  0 , there are 2^32 candidates for the (  ,   ) pair when n = 256. Moreover, the adversary cannot know which pair is correct. Thus, our scheme can withstand the stolen smart card attack and the offline password guessing attack.
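The fuzzy verifier that the argument above relies on, as an added Python illustration that is not the paper's code: with n = 256 the card stores only 8 bits of the hash of identity, card value and password, so a stolen card leaves roughly |dictionary|/256 (ID, PW) pairs that the adversary cannot tell apart. SHA-256 standing in for h(.), the names B0/B3/n0, the card value and the small dictionaries are all assumptions of this example.

```python
import hashlib
from itertools import product

N0 = 256   # the paper's n = 256: the verifier keeps only log2(256) = 8 bits of the hash


def fuzzy_verifier(identity: str, b0: bytes, password: str, n0: int = N0) -> int:
    """B3 = h(ID || B0 || PW) mod n0, the value kept on the smart card.
    SHA-256 stands in for the paper's h(.); '||' is byte concatenation."""
    digest = hashlib.sha256(identity.encode() + b0 + password.encode()).digest()
    return int.from_bytes(digest, "big") % n0


def card_check(identity: str, b0: bytes, password: str, b3: int, n0: int = N0) -> bool:
    """Login-time check on the card: recompute B3' and compare with the stored B3."""
    return fuzzy_verifier(identity, b0, password, n0) == b3


def surviving_candidates(b3: int, b0: bytes, id_dict, pw_dict, n0: int = N0):
    """What an offline guesser with a stolen card is left with: every (ID, PW)
    pair in the dictionaries whose verifier equals the stored B3.  About
    |id_dict| * |pw_dict| / n0 pairs survive, and nothing on the card says
    which one is real; only an online attempt (rate-limited by the gateway)
    could tell them apart."""
    return [(i, w) for i, w in product(id_dict, pw_dict)
            if fuzzy_verifier(i, b0, w, n0) == b3]


# Constructed sample data: a card value B0, small dictionaries and the true pair.
B0 = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
IDS = [f"user{i:03d}" for i in range(64)]
PWS = [f"pass{i:03d}" for i in range(64)]
REAL_ID, REAL_PW = "user017", "pass042"
STORED_B3 = fuzzy_verifier(REAL_ID, B0, REAL_PW)


def demo():
    """Return the candidate pairs an attacker cannot rule out (expected: about 16 of 4096)."""
    assert card_check(REAL_ID, B0, REAL_PW, STORED_B3)
    return surviving_candidates(STORED_B3, B0, IDS, PWS)


if __name__ == "__main__":
    survivors = demo()
    print(f"{len(survivors)} of {len(IDS) * len(PWS)} pairs match the stored verifier")
```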

Mutual Authentication
In our scheme, only the legitimate user with the correct identity and password can pass the verification. In the authentication and key agreement phase,   transmits the message {  ,  5 ,  1 } via the public channel, and only   can recover the encryption key  − to decrypt  5 and obtain {  ,   ,  ,  4 }. If   verifies  4 successfully, the user can authenticate   by checking the correctness of  12 , so our scheme achieves mutual authentication between   and   . In the same way,   transmits the encrypted data  7 to the sensor node, and only the sensor node can decrypt the message and verify the correctness of   to achieve mutual authentication between   and   . Thus, it provides mutual authentication among the user, the gateway, and the sensor node.

User Impersonation Attack
In our scheme, if an adversary wants to impersonate the user, he must know the message,  2 , which verifies the legitimacy of the user. However,  2 is protected by the user's identity and password, and the adversary cannot verify whether his guessed identity and password are correct or not. Therefore, our scheme can withstand the impersonation attack.

Man-in-the-Middle Attack
An adversary, , could intercept messages transferred on a public channel. In our scheme, an adversary, , needs to make the   believe that a message is from the user,   . However, the adversary,  , cannot pass the verification without the identity,   , and password,   , needed to calculate  2 . Meanwhile, only the   can calculate  − to decrypt  5 and encrypt messages with the encryption key   to the sensor node   , so the adversary cannot impersonate the user or the gateway node. In the same way, the adversary cannot impersonate the sensor node since the adversary does not know   to decrypt the encrypted message. Therefore, the scheme can withstand the man-in-the-middle attack.

Malicious Insider Attack
If a malicious insider attacker wants to impersonate a user,   , he must know ℎ(  ∥   ) of the user   . In our scheme, the   's password is protected by the collision-resistant one-way hash function ℎ(. ), and according to the analysis in Section 5.1, the adversary cannot obtain   and ℎ(  ∥   ). Therefore, the attacker cannot compute ℎ(  ∥   ) from  1 . Meanwhile, it cannot obtain ℎ(  ∥   ) from the gateway node or the sensor node. Therefore, our scheme can withstand the malicious insider attack.

Replay Attack
In our scheme, we use timestamps and random numbers to resist replay attacks. In each session of the scheme, the random numbers, , , and , are generated by the user and the sensor node to establish the session keys, and the session keys of each session are calculated from these random numbers. Meanwhile, these messages are protected by the encryption algorithm and the hash function. Therefore, our scheme can withstand the replay attack.

Perfect Forward Secrecy
This secrecy means that the disclosure of a long-term master key will not lead to the disclosure of past session keys. In the proposed scheme, if the   's long-term private key,   , is leaked to the attacker, it does not help the adversary to reveal the past session keys. The session key is computed as  = ℎ(  ( 9 ) ∥   ∥  9 ∥   ∥   ∥ ℎ(  ∥ )) = ℎ(  (  ) ∥   ∥  9 ∥   ∥   ∥ ℎ(  ∥ )). The parameters  and  are generated randomly and uniquely for every session. Meanwhile, it is computationally infeasible to compute   (  ()) from   () and   () due to the hardness of the CMDHP. Therefore, our scheme can achieve perfect forward secrecy.

Known Session Key Attack
If the implementation of the authentication scheme can generate a unique session key, and the compromise of one key has no effect on other session keys, the authentication scheme provides known session key security. In the proposed scheme, the session key, SK, is unique to each session run because the random numbers  and  are generated randomly and independently by the user and the sensor node. Therefore, our scheme can provide known session key security.

Anonymity and Non-Traceability
Our scheme provides user anonymity, as an adversary cannot obtain or eavesdrop on the user identity,   , in the login and authentication phase, because the identity,   , is transferred in encrypted form under an encryption key  − and   is a trusted entity. Meanwhile, the encryption key is generated randomly for every new session, so the message is dynamic for each session, and it is impossible to distinguish between different users. Therefore, our scheme achieves user anonymity and non-traceability.

Immunity from Bergamo et al.'s Attack
If both   () and x are known, then one can determine  ′ , such that   ′ () =   ().

Sensor Node and Gateway Capture Attacks
In the proposed scheme, all sensor nodes,   , and gateways,   , are deployed with PUF to protect the stored secret information, so our scheme can resist sensor node and gateway capture attacks.

Performance Comparison
This section analyzes and compares the proposed scheme with other related schemes [5,7,8,13,28,29,30] in terms of security and computation costs, which are presented in Tables 3 and 4. The client program is written in Java and deployed on a mobile phone (Version: Android 13, Hardware: MediaTek Dimensity 8100, 8 GB of RAM, Mali-G610 MC6 GPU), and the cryptographic operations are based on the JAC library. The server program is written in Python and deployed on an Ubuntu virtual machine (Version: 22.04.3 LTS, Hardware: 64-bit AMD 860K CPU @ 3.7 GHz, 8 GB RAM), and the cryptographic operations are based on the gmpy2 and pycrypto libraries. The sensor program is written in Python and deployed on a Raspberry Pi 4B (Broadcom BCM2711, 1.5 GHz, 64-bit ARM Cortex-A72, 2 GB LPDDR4-3200 RAM). According to the requirements of the protocol, the interaction at the registration stage is based on a secure channel, so we used the WebSocket library to construct the secure channel. WebSocket is a protocol that enables full-duplex communication over a single TCP connection and supports TLS. The interaction at the authentication stage is based on an open channel and is implemented using sendto in the WebSocket library. sendto directly sends data over UDP, which is more efficient than TCP.
All the above devices were tested in a 1000 Mbps Wi-Fi environment. We tested the transmission and reception delay during registration and authentication, respectively. Here, we took the average value in the relevant schemes. Taking 512-bit data in the TLS channel in the registration stage and 2048-bit data in the open channel in the authentication stage as examples, a total of 1000 tests were conducted to obtain the average values. Table 5 shows the test results. The measured results indicated that the time overhead for a single transmission and reception was on the microsecond level (1 μs = 10^-3 ms = 10^-6 s). The transmission delay was much lower than the hardware operations, so in the analysis of time complexity, we ignored the transmission delay. Since the time for computing the XOR operation and string concatenation can be ignored compared with the other cryptographic primitive-based operations, we only considered the time to calculate the one-way hash function ( ℎ ), the deterministic reproduction function of the fuzzy extractor (  ), the Chebyshev chaotic map polynomial (  ), elliptic curve point multiplication (  ), modular multiplication (  ), and symmetric encryption/decryption (  ). In the environment of Windows 7 64-bit, AMD 860K CPU @ 3.7 GHz, 8 GB RAM, the computational times were approximately 0.068 ms, 8.038 ms, 3.084 ms, 8.038 ms, 16.076 ms, and 0.56 ms, respectively.
From Tables 3 to 5, we can see that our scheme has a lower computation cost and higher security.

Conclusions
Few lightweight underwater acoustic network authentication schemes have been designed, due to the change in the data transmission environment and propagation medium. Thus, this work proposed a lightweight authentication and key agreement scheme for UANs, which adopts PUF to protect the secret information stored in the gateway and sensors, uses the fuzzy verifier to achieve two-factor secrecy, and uses the semi-group property of Chebyshev polynomials to achieve lightweight authentication and perfect forward secrecy. We used the widely accepted formal security proof in the random oracle model to prove the security of our scheme. Compared to existing schemes, the proposed protocol has higher security and improves the computational efficiency by 39.52% compared to the best existing solutions, with perfect forward security. As a result, the proposed scheme is efficient and more suitable for battery-powered devices in underwater acoustic networks.

Table 4. Comparison of security features.