Secure and Efficient Authentication Protocol for Underwater Wireless Sensor Network Environments Using PUF

Abstract

Underwater wireless sensor networks (UWSNs) are increasingly used in marine monitoring and naval coastal surveillance, where limited bandwidth, long propagation delays, and physically exposed nodes make efficient authentication critical. This paper analyzes the maritime-surveillance-oriented protocol of Jain and Hussain and identifies vulnerabilities to physical capture, replay, and denial-of-service (DoS) attacks. We propose a PUF-assisted mutual authentication and session key agreement protocol for UWSNs. The design relies on lightweight symmetric primitives (one-way hash and XOR) and uses a fuzzy extractor to support stable PUF-based key material. In addition, a lightweight continuous authentication procedure is introduced to facilitate fast re-authentication under intermittent link disruptions commonly observed in underwater communication. Security is evaluated using BAN logic, the Real-or-Random (ROR) model, and security verification with the Scyther tool. An analytical overhead evaluation reports a computational cost of 5.972 ms per mutual authentication and a 1152-bit communication overhead, supporting a practical security–efficiency trade-off for resource-constrained UWSN deployments.

1. Introduction

As wireless sensor networks (WSNs) became widely adopted in terrestrial environments, similar concepts were extended to marine environments, leading to the development of underwater wireless sensor networks (UWSNs). Compared to land-based networks, UWSNs face unique challenges due to the physical properties of water, including high attenuation, limited bandwidth, long propagation delay, and frequent link disruptions. To satisfy complex monitoring requirements, UWSNs typically integrate heterogeneous nodes that can be categorized into static nodes, semi-mobile nodes, and mobile nodes [1,2]. Among them, mobile nodes are particularly suitable for coastal and maritime surveillance because they can autonomously traverse wide areas and collect data from diverse coastal points. Recent advances in unmanned technologies, battery lifetime, and underwater communication systems have further improved the operational efficiency and reliability of mobile nodes, enabling sustained monitoring in rapidly changing coastal environments [3].

The design and communication technologies for UWSNs in naval coastal surveillance have continuously evolved [4]. However, many studies have focused primarily on network architectures and deployment frameworks, while security issues during underwater communication remain insufficiently addressed [5,6]. In underwater environments, sensor nodes exchange data over open channels, which makes confidentiality and integrity vulnerable to external threats—especially in sensitive scenarios such as naval surveillance, where security breaches may cause severe operational consequences. Moreover, underwater acoustic communication often suffers from high attenuation and short transmission ranges, which results in unstable links and frequent retransmissions. Therefore, practical UWSN security protocols must be not only secure but also lightweight for resource-constrained sensor nodes, and they should support fast re-authentication to accommodate intermittent link disruptions.

1.1. Related Work and Motivation

Recent authentication research for UWSNs and underwater IoT (IoUT) can be broadly categorized into lightweight designs and public-key-based designs, with additional works addressing routing efficiency and trust management. Islam and Taher [7] proposed a lightweight scheme to mitigate Sybil attacks using node identities and a hierarchical fuzzy trust system; however, their approach does not address several routing-related threats (e.g., blackhole and wormhole attacks) and may be less adaptable to highly dynamic environments. Almuhaideb and Al-Khulaifi [8] developed a mutual authentication protocol for IoUT using lightweight operations combined with elliptic curve cryptography (ECC) and reported resistance to attacks such as man-in-the-middle and replay attacks; nevertheless, ECC-based mechanisms may still impose non-trivial computational overhead and require additional scalability/performance evaluation for dynamic large-scale deployments. Kapileswar et al. [9] proposed an energy-efficient routing protocol for IoT-enabled UWSNs based on the bald eagle search (BES) optimization algorithm. The scheme aims to balance traffic and residual energy during route selection to improve network lifetime. The authors evaluated energy consumption, residual energy, packet delivery ratio, throughput, delay, and network lifetime, and reported improved performance compared with representative routing baselines.

Al Guqhaiman et al. [10] proposed a lightweight multi-factor authentication model for UWSNs to detect malicious activities and protect MAC/routing operations against common attacks (e.g., Sybil, blackhole, wormhole, flooding-related threats). Instead of heavy cryptography, their scheme authenticates packets using multiple header-level factors such as IMAC, AoA/DoA, and hop count, which are checked against locally stored neighbor information without requiring accurate time synchronization or precise localization. The approach supports monitoring and mitigation by dropping suspicious packets and isolating malicious nodes.

Kumar et al. [11] proposed SafeCom, a mutual authentication and dynamic session key sharing protocol for UWSNs, considering a practical architecture with sensor nodes, a sink, and a base station (with optional AUV-assisted forwarding). The authors validated security via informal analysis and simulation using the Scyther tool, and compared computational and communication overhead with representative schemes. However, SafeCom relies on a secure provisioning assumption during the registration stage and does not explicitly address surveillance-oriented requirements such as hardware cloning resistance under physical capture and fast re-authentication under intermittent underwater link disruptions, which motivate our work.

Khatwani and Roy [12] analyzed ECC-based authentication protocols and highlighted their susceptibility to clogging attacks, where an adversary can repeatedly trigger computationally expensive ECC operations (e.g., point multiplication) by sending forged or replayed requests, thereby exhausting a victim’s energy and processing resources. This observation implies that, despite strong cryptographic foundations, ECC-heavy designs can be operationally fragile in resource-constrained and intermittently connected UWSN settings, motivating lightweight primitives and early-request filtering for practical deployments.

Yang and Zou [13] proposed a device-to-device authentication protocol for IoT environments. They pointed out the limitations of secure channels in registration phase and proposed a protocol structure where the server distributes a public key but cannot reverse-compute the private key. In their protocol, they utilized ECC to support direct authentication among IoT devices and reduce the dependency on a central trusted authority.

Overall, existing protocols often provide either strong cryptographic security with relatively higher overhead (e.g., ECC-based approaches) or lightweight schemes that do not explicitly address both physical capture/cloning risks in physically exposed sensor nodes and the practical requirement of fast re-authentication under intermittent underwater connectivity. In 2021, Jain and Hussain proposed an authentication mechanism explicitly targeting maritime territory and frontier surveillance in underwater environments [14].

We selected this work as a baseline because it directly aligns with surveillance-oriented UWSN deployments and adopts a lightweight symmetric-key-based design that is suitable for resource-constrained sensor nodes. This operational context closely matches naval coastal surveillance considered in this paper, making a mission-relevant baseline for analysis and improvement. In addition, this protocol has been referenced by subsequent studies in the UWSN security literature, indicating that it serves as a representative starting point for further analysis and enhancement.

However, our analysis indicates that the protocol in [14] remains vulnerable to replay attacks, physical cloning attacks, and denial-of-service (DoS) attacks, and it does not fully achieve mutual authentication. Moreover, it does not sufficiently reflect the practical requirement of fast re-authentication under intermittently connected underwater acoustic links. These limitations motivate the design goals of our work. Accordingly, we use [14] as a practically aligned baseline for systematic vulnerability analysis and protocol-level improvement, while comparing our scheme with representative alternatives in Section 6.

To address the above gap, this paper proposes a secure and lightweight mutual authentication and session key agreement protocol for UWSNs in naval coastal surveillance. The key contributions of this work are as follows:

• We employ one-way hash functions and XOR operations to reduce computational and communication overhead on resource-constrained sensor nodes.
• We incorporate a physically unclonable function (PUF) to bind node identity to hardware and mitigate cloning risks under physical capture, using a fuzzy extractor to support stable PUF-derived cryptographic material. In particular, we integrate a PUF-based device to achieve the end-to-end lightweight authentication and key agreement workflow for preventing impersonation using a captured node’s stored data.
• A lightweight continuous authentication procedure is introduced to facilitate fast re-authentication under intermittent link disruptions common in underwater communication.
• Security is evaluated through informal analysis and formal methods, including BAN logic [15], the Real-or-Random (ROR) model [16], and security verification with the Scyther tool [17,18].

1.2. Organization

The remainder of this paper is organized as follows. Section 2 introduces the preliminaries, including the adversary model, PUF and fuzzy extractor background, and the system model. Section 3 reviews the baseline protocol of Jain and Hussain and analyzes its security vulnerabilities. Section 4 presents the proposed PUF-assisted mutual authentication and session key agreement protocol, including the continuous authentication procedure for intermittent underwater connectivity. Section 5 provides protocol-level security analysis using BAN logic, the Real-or-Random (ROR) model, and Scyther-based security verification. Section 6 evaluates performance in terms of security coverage as well as computational and communication overhead. Finally, Section 7 concludes the paper and outlines future research directions.

2. Preliminaries

In this section, we introduce the adversary model, PUF, fuzzy extractor, and the proposed system model.

2.1. Adversary Model

To analyze the security of our proposed protocol, we modeled the adversary using the well-known Dolev–Yao (DY) model [19,20]. The capabilities of a malicious user, denoted as $\mathcal{A}$, can be defined as follows.

• $\mathcal{A}$ can eavesdrop on, intercept, inject, replay, and modify messages transmitted over a public channel [19]. Based on these capabilities, $\mathcal{A}$ is able to launch attacks such as MITM, replay, and impersonation.
• The adversary can compromise a legitimate sensor node and extract secret credentials stored in its memory by performing a power analysis attack. $\mathcal{A}$ can steal the legal user’s mobile device or smart device and extract secret credentials stored in the memory by performing the power analysis attack [21].

Additionally, the sensor nodes operating underwater are military-grade and highly trusted, with minimal operational numbers to maintain stealth in underwater environments. We assume that legitimate sensor nodes are not designed to impersonate others under normal conditions, and such behavior is prohibited by strict security regulations. However, if a node is compromised by an adversary, impersonation becomes possible.

2.2. Physical Unclonable Function

Hardware has unique physical characteristics for each device even with the same design due to subtle process differences that occur during the manufacturing process. A PUF is a hardware structure to produce a device-specific output. Formally, for a given input (challenge) C, a PUF returns an output (response) R:

$$R=\mathrm{PUF}\left(C\right).$$

(1)

The pair $(C,R)$ is often referred to as a challenge–response pair (CRP). In practice, PUF responses may slightly vary across measurements due to temperature, voltage, aging, or measurement noise. Therefore, a PUF is commonly combined with a fuzzy extractor to reliably reproduce a stable private key from noisy responses without permanently storing sensitive keys in memory. PUFs provide the following key properties in our threat model:

• Unclonability: For the same input C, no other circuit can generate exactly the same response $R=PUF\left(C\right)$.
• One-way Evaluability: The output R for the input C can be easily computed, but it should be computationally difficult to infer C or its internal structure in reverse through R.
• Unpredictability: PUF responses cannot be predicted externally in advance.

In particular, we integrate PUF-derived device binding into the end-to-end lightweight authentication and key agreement workflow so that a captured node’s stored data alone is insufficient for impersonation.

2.3. Fuzzy Extractor

This section explains the concept and operation of a fuzzy extractor [22]. Since physics-based inputs such as biometric information or PUF responses are vulnerable to environmental noise or measurement errors, it is difficult to obtain the same output. Fuzzy extractor is a technique designed to compensate for this uncertainty and reliably reproduce the same secret even when a certain level of noise exists. Let $C_i\in {\{0,1\}}^n$ denote initial input of device $D_i$, and let $C_i^{\ast }\in {\{0,1\}}^n$ denote a later input in authentication phase. We assume that the deviation between $C_i$ and $C_i^{\ast }$ is bounded by a noise threshold t:

$$\mathrm{Dis}(C_i,C_i^{\ast })\le t,$$

(2)

Note that $\mathrm{Dis}(·,·)$ represents the Hamming distance. From that, fuzzy extractor is useful for converting non-deterministic inputs such as PUFs or biometric information into stable secret parameters. Fuzzy extractor consists of two core algorithms:

• $Gen\left(C_i\right)=(R_i,P_i)$: It is a probabilistic algorithm that generates an initial secret. After receiving input $C_i$, the smart device generates a secret string $R_i$ and a helper string $P_i$.
• $Rep(C_i^{\ast },P_i)=R_i$ : It is a deterministic algorithm that reproduces the secret by compensating for the noise in input. When the smart device obtains $C_i^{\ast }$, it compensates for the noise using the helper string $P_i$ and regenerates the original secret $R_i$.

2.4. System Model

The proposed system model aims to secure communication in underwater wireless sensor networks through a lightweight and dynamic authentication protocol. As illustrated in Figure 1, the network architecture comprises multiple underwater sensor nodes ($SNs$) and base stations ($BSs$). These entities work together to monitor the underwater environment and protect sensitive data during transmission. In this paper, we explicitly distinguish the physical/operational characteristics of underwater acoustic communication (e.g., high attenuation, limited bandwidth, long propagation delay, multipath, and intermittent connectivity) from the system and threat-model assumptions used for protocol design and verification. Our evaluation focuses on protocol-level security goals (mutual authentication and session key security) under the stated adversary model. Physical-layer channel effects such as bit errors caused by noise or multipath are assumed to be handled by standard lower-layer reliability mechanisms and are therefore outside the scope of the formal verification presented in this study. These aspects will be addressed in future implementation-oriented and empirical evaluations.

Figure 1. System model for UWSN-based coastal surveillance.

• $SN$: The sensor nodes are deployed underwater to collect environmental and operational data. They communicate with neighboring nodes and base stations, ensuring secure data exchange through mutual authentication. Base stations serve as trusted entities that facilitate communication between sensor nodes and central monitoring systems. They also handle the initialization, authentication, and session key generation processes, which are critical for maintaining network security and reliability.
• $BS$: The $BSs$ are strategically deployed both on-shore (land-based) and off-shore (marine-based) to facilitate efficient communication and coordination between underwater sensor nodes and central monitoring systems.

3. Jain and Hussain’s Protocol and Vulnerability Analysis

This section reviews the authentication protocol proposed by Jain and Hussain [14], which is used as the baseline scheme in this study for surveillance-oriented UWSN deployments. The protocol is designed to establish secure communication between sensor nodes and the base station using lightweight symmetric primitives, and it mainly comprises a sensor node registration phase and an authentication phase.

For clarity, the notations used in the baseline protocol are summarized in Table 1. Based on this description, we then analyze the protocol’s security limitations and demonstrate its vulnerability to replay, physical capture/cloning, and denial-of-service (DoS) attacks, as well as incomplete mutual authentication.

Table 1. Notation of Jain and Hussain’s protocol.

Notation	Description
$SN$	Sensor Node
$BS$	Base Station
$I{D}_{SN}$	Identity of Sensor Node
$K_{SN}$	Secret key of Sensor Node
$R_{SN}$	Random number of Sensor Node
$SK$	Session key
$h(·)$	One-way hash function
$E_K(·)$/$D_K(·)$	Symmetric encryption/decryption
T	Timestamp

3.1. Review of Jain and Hussain’s Protocol

3.1.1. Initial Phase

During the initial phase, the $BS$ generates and initializes global parameters required for authentication. Each sensor node is assigned a unique identifier ($I{D}_{SN}$), a random value ($R_{SN}$), and a secret key ($K_{SN}$), which are securely stored for use in the registration and authentication phases.

3.1.2. Sensor Node Registration Phase

In the registration phase, the $SN$ communicates with the $BS$ over a secure channel. $SN$ encrypts a request message $M1=E_{Ki}(I{D}_i,I{D}_j,X_i)$ using its secret key $K_i$. The value $X_i$ is a hash computed as $X_i=h(I{D}_i\left|\right|R_i\left|\right|K_i)$. The $BS$ decrypts the message, verifies the $ID$ and hash, and computes an intermediate value $X_j=h(I{D}_j\left|\right|R_j\left|\right|K_j)$. It then generates an authentication credential $V_j=E_{Ki}(X_i\left|\right|N_j)$ and sends message $M2=E_{Ki}(I{D}_j,T_i,E_{Kj}(I{D}_i,N_i,V_i))$ to $S{N}_i$ and message $M3=E_{Kj}(I{D}_i,X_j,T_j,E_{Ki}(I{D}_j,N_j,V_j))$ to $S{N}_j$.

Both nodes decrypt the messages, verify the timestamps, and store the credentials if verification is successful. Once the registration is complete, secure communication can proceed.

3.1.3. Authentication Phase

After registration, mutual authentication is performed over a public channel. Sensor node $S{N}_i$ encrypts an authentication request $M4=E_{Kj}(I{D}_i,N_i,V_i)$ using symmetric encryption and sends it to $S{N}_j$. Here, $N_i$ is a random number, and $V_i$ is a stored credential.

$S{N}_j$ decrypts the message and verifies the random number and credential. If successful, $S{N}_j$ responds with message $M5=E_{Ki}(I{D}_j,N_j,V_j)$. $S{N}_i$ then verifies the response. Upon successful verification, mutual authentication is complete, and both nodes establish a session key for secure communication.

3.2. Cryptanalysis of Jain and Hussain’s Protocol

This section analyzes the vulnerabilities of Jain and Hussain’s protocol which is susceptible to various attacks, including physical and cloning, replay, and DoS attacks. Moreover, Jain and Hussain’s protocol cannot ensure mutual authentication. Details are as follows.

3.2.1. Physical and Cloning Attack

Sensor nodes deployed in UWSN environments are often located in physically unprotected environments, such as underwater regions where direct access control is difficult. As a result, these nodes are highly susceptible to physical capture by adversaries. Once a node is compromised, an attacker can extract sensitive credentials from its memory, including the node identity $I{D}_i$, the shared secret key $K_i$, and session-related nonces $N_i$.

Using the extracted set $\{I{D}_i,K_i,N_i\}$, the attacker can generate a clone node ${\mathrm{SN}}_i^{\prime }$ that imitates the original sensor node’s identity and cryptographic behavior.

A typical physical and cloning attack proceeds in the following stages:

Step 1: 

Physical capture of the sensor node ${\mathrm{SN}}_i$.

Step 2: 

Extraction of authentication credentials from memory:

$$\{I{D}_i,K_i,N_i\}\leftarrow \mathrm{Memory}\left({\mathrm{SN}}_i\right)$$

Step 3: 

Deployment of a clone node ${\mathrm{SN}}_i^{\prime }$ and transmission of forged messages, such as

$$M_1=E_{K_i}(I{D}_i,N_i)$$

where $E_{K_i}(·)$ denotes symmetric encryption using the compromised key $K_i$.

Due to the absence of freshness verification mechanisms such as timestamps or challenge–response structures in $M_1$, the receiving node may accept even a replayed or forged message as valid. An attacker can also construct:

$$M_1^{\prime }=E_{K_i}(I{D}_i,N_i^{\prime })$$

where $N_i^{\prime }$ is a newly generated nonce that appears valid, thereby allowing the clone node to initiate repeated authentications.

Jain and Hussain’s protocol relies solely on symmetric key cryptography and lacks robust countermeasures against cloning, such as physical tamper resistance, key revocation, or anomaly-based intrusion detection. Consequently, the protocol cannot effectively prevent identity reuse or node impersonation stemming from physical compromise.

In UWSN environments, where real-time monitoring is limited and physical inspection is impractical due to the deployment context, detecting cloned nodes is particularly challenging. Therefore, Jain and Hussain’s protocol remains vulnerable to physical and cloning attacks due to both structural weaknesses and environmental constraints.

3.2.2. Replay Attack

In UWSN environments, where propagation delays are substantial and time synchronization among sensor nodes is difficult to maintain, ensuring the freshness of authentication messages becomes crucial. These environmental characteristics significantly amplify the vulnerability to replay attacks, wherein previously transmitted messages are maliciously reused to deceive the system.

While Jain and Hussain’s protocol incorporates timestamps and nonces in certain parts of the authentication process, it fails to include such freshness parameters in critical messages like $M_4$ and $M_5$. This omission exposes the protocol to replay-based intrusions.

An adversary $\mathcal{A}$ can capture a legitimate authentication message exchanged between nodes and store it locally. After a time delay $\Delta t$, the adversary can retransmit the identical message to the recipient. Since the protocol lacks any form of freshness verification such as timestamps or session tokens, the replayed message is accepted as valid. For instance, a captured message $M_4$ is reused as follows:

$$M_4^{\mathrm{replay}}(t+\Delta t)=M_4^{\mathrm{captured}}\left(t\right)=M_4=E_{K_j}(I{D}_i,N_i,V_i)$$

(3)

The receiving node $S{N}_j$ decrypts and processes the message as if it were a legitimate new request. This vulnerability arises because the protocol does not include mechanisms such as session tokens, timestamps, or challenge–response values to detect message freshness.

Similarly, the attacker can replay another message $M_5$:

$$M_5^{\mathrm{replay}}(t+\Delta t)=M_5^{\mathrm{captured}}\left(t\right)=M_5=E_{K_i}(I{D}_j,N_j,V_j)$$

(4)

These replayed messages are interpreted as new authentication attempts, granting the adversary unauthorized access or causing unnecessary resource consumption. In UWSN environments, where communication is delayed and synchronization is unreliable, distinguishing replayed messages from fresh ones becomes especially difficult, thereby increasing the likelihood of a successful attack.

Therefore, due to the absence of freshness verification in essential messages, Jain and Hussain’s protocol remains highly vulnerable to replay attacks. This weakness is further exacerbated in the delay-prone and asynchronous communication environments typical of UWSN environments.

3.2.3. DoS Attack

DoS attacks aim to exhaust a sensor node’s computational and energy resources by continuously transmitting a large volume of authentication requests. In Jain and Hussain’s protocol, each incoming request triggers cryptographic computations, which consume both processing power and battery capacity.

As a result, if an adversary repeatedly sends forged authentication messages to a node $S{N}_j$, the node is forced to handle every incoming request. This leads to potential resource exhaustion and service disruption. For instance, the attacker may impersonate a legitimate node $S{N}_i$ and flood $S{N}_j$ with continuous authentication attempts, causing unnecessary computational overhead and energy depletion.

This type of attack becomes particularly severe in UWSN environments, where sensor nodes operate under strict energy limitations and physical maintenance is highly impractical. Furthermore, Jain and Hussain’s protocol does not incorporate any rate-limiting, anomaly detection, or filtering mechanisms to mitigate excessive or malicious traffic.

Consequently, the protocol remains vulnerable to resource-based DoS attacks, especially in UWSN environments where resilience against such energy-draining threats is critical.

3.2.4. Mutual Authentication Issue

Although Jain and Hussain’s protocol claims to provide mutual authentication between sensor nodes and the base station, it relies solely on symmetric key cryptography, which introduces several limitations. Each node authenticates its peer using pre-shared secret keys. However, this approach inherently assumes that all key materials remain secure throughout deployment.

If an adversary $\mathcal{A}$ compromises a sensor node $S{N}_i$ and extracts its shared key, the attacker can impersonate the legitimate node and bypass mutual authentication with $S{N}_j$ or the base station. In symmetric key infrastructures, the compromise of a single key undermines the entire trust relationship in both directions. Moreover, Jain and Hussain’s protocol lacks mechanisms for key revocation, re-authentication, or dynamic key updates. Without such recovery mechanisms, the system cannot recover from key compromise events. As a result, the protocol fails to guarantee robust and continuous mutual authentication in realistic and adversarial deployment environments.

4. Proposed Protocol

In this section, we propose a secure and lightweight authentication protocol specialized for underwater environments to address the security shortcomings of Jain and Hussain’s protocol. The proposed protocol consists of three phases: Registration, authentication, and continuous authentication phases. Table 2 shows the basic notations and descriptions of the proposed protocol.

Table 2. Notation of proposed protocol.

Notation	Description
$I{D}_i$ and $I{D}_j$	Sensor node i and j’s identities, respectively
N	Random number for all $SN$
$N_i$ and $N_j$	Random number of sensor node i and sensor node j, respectively
$V_i$ and $V_j$	Sensor node i and j’s secret values, respectively
$SK$	Session key between $SN$ and $BS$
$h(·)$	One-way hash function
$\left|\right|$	Concatenation operation
⊕	XOR operation
$PUF(.)$	PUF
$Gen(·)$ / $Rep(·)$	Generation/Reproduction operation
$T_i$ and $T_j$	Timestamps of i and j, respectively
$\stackrel{?}{=}$	Check for the correctness

4.1. Registration Phase

The registration phase is the process where $SN$ establish initial communication with the $BS$ and share key information required for authentication. This phase is conducted securely through a secure channel. In this paper, the “secure channel” refers to a protected setup step performed before deployment or during controlled maintenance (e.g., on-site configuration or a physically protected link), not the normal underwater acoustic communication link used during operation. All sensor nodes must go through the registration phase with the $BS$. Typically, in underwater environments, nodes operate based on confidentiality and are composed of highly reliable nodes with minimal operational redundancy. This completes the registration phase for sensor nodes. We show the registration phase in Figure 2 and details are as follows.

Figure 2. $S{N}_i$ Registration phase of the proposed protocol.

Step 1: 

$BS$ selects the unique identifier $I{D}_i$ for $S{N}_i$ and generates a random challenge $CH$. Then, $BS$ sends $I{D}_i$ and $CH$ to $S{N}_i$ through a secure channel.

Step 2: 

$S{N}_i$ computes $R{E}_i=\mathrm{PUF}\left(CH\right)$, derives $\mathrm{Gen}\left(R{E}_i\right)=(R_{S{N}_i},P_{S{N}_i})$, and calculates $K_i=h(R_{S{N}_i}\parallel I{D}_i)$. Then, $S{N}_i$ sends $K_i$ to $BS$.

Step 3: 

$BS$ generates a network-wide random value N and additional random values ${\left\{N_a\right\}}_{a=i,j,k,\dots }$. It computes $V_{ia}=h(K_a\parallel N_a)\oplus h(I{D}_i\parallel N_i)$ and $X_{ia}=(N_i\parallel N\parallel V_{ia})\oplus h(I{D}_i\parallel K_i)$. Then, $BS$ sends ${\{I{D}_a,X_{ia}\}}_{a=i,j,k,\dots }$ to $S{N}_i$.

Step 4: 

$S{N}_i$ calculates $C_i=CH\oplus h(I{D}_i\parallel K_i)$ and $V{N}_i=(N_i\parallel N)\oplus h(I{D}_i\parallel K_i\parallel R_{S{N}_i})$. Then, $S{N}_i$ stores $\{I{D}_i,C_i,K_i,{\{I{D}_a,V_{ia}\}}_{a=i,j,k,\dots },V{N}_i,P_{S{N}_i}\}$ and deletes $CH$ from its memory.

4.2. Authentication Phase

The authentication phase is the process where two sensor nodes in the network mutually verify their trustworthiness and establish a session key necessary for secure communication. We show the authentication phase in Figure 3. This phase involves exchanging messages through a public channel and is conducted through the following steps:

Figure 3. Mutual authentication and session key agreement phase of the proposed protocol.

Step 1: 

$S{N}_i$ detects an event and generates a random nonce $R_1$ and a timestamp $T_1$. It computes the challenge value $C{H}^{\ast }=C_i\oplus h(I{D}_i\parallel k_i)$, followed by $R{E}_i^{\ast }=\mathrm{PUF}\left(C{H}^{\ast }\right)$. Using $R{E}_i^{\ast }$, it reconstructs $R_{S{N}_i}^{\ast }$ as $R_{S{N}_i}^{\ast }=\mathrm{Rep}(R{E}_i^{\ast },P_{S{N}_i})$, and calculates the secret key $K_i^{\ast }$ as $K_i^{\ast }=h(R_{S{N}_i}^{\ast }\parallel I{D}_i)$. Then, it retrieves the network values $N_i$ and N from $V_N$ using $(N_i\parallel N)=V{N}_i\oplus h(I{D}_i\parallel k_i\parallel R_{S{N}_i}^{\ast })$, and computes $M_1=R_1\oplus h(I{D}_i\parallel N\parallel T_1)$ and $M_2=h(T_1\parallel I{D}_i\parallel h(K_i^{\ast }\parallel N_i)\parallel R_1\parallel N)$. Finally, $S{N}_i$ sends the message $\{T_1,I{D}_i,M_1,M_2\}$ to $S{N}_j$ through the public channel.

Step 2: 

Upon receiving the message at timestamp $T_1^{\ast }$, $S{N}_j$ verifies the validity of the timestamp by checking whether $|T_1^{\ast }-T_1|\le \Delta T$. If valid, $S{N}_j$ retrieves $V_{ji}$ corresponding to $I{D}_i$ and computes the challenge value as $C{H}^{\ast }=C_j\oplus h(I{D}_j\parallel k_j)$. It then calculates $R{E}_j^{\ast }=\mathrm{PUF}\left(C{H}^{\ast }\right)$, reconstructs $R_{S{N}_j}^{\ast }=\mathrm{Rep}(R{E}_j^{\ast },P_{S{N}_j})$, and derives the secret key $K_j^{\ast }=h(R_{S{N}_j}^{\ast }\parallel I{D}_j)$. Using $V{N}_j$, it retrieves the network values $N_j$ and N as $(N_j\parallel N)=V{N}_j\oplus h(I{D}_j\parallel K_j\parallel R_{S{N}_j}^{\ast })$, and calculates $R_1=M_1\oplus h(I{D}_i\parallel N\parallel T_1)$. Next, it computes $M_2^{\ast }=h(T_1\parallel I{D}_i\parallel h(K_i^{\ast }\parallel N_i)\parallel R_1\parallel N)$ and checks whether $M_2^{\ast }=M_2$. If the check fails, the process is terminated. Otherwise, $S{N}_j$ generates a random nonce $R_2$ and records the timestamp $T_2$, then calculates $M_3=R_2\oplus h(I{D}_j\parallel N\parallel T_2)$ and $M_4=h(T_2\parallel I{D}_j\parallel h{(K_i\parallel N_i)}^{\ast }\parallel h(K_j^{\ast }\parallel N_j)\parallel R_2\parallel R_1\parallel N)$. Finally, $S{N}_j$ sends the message $\{T_2,I{D}_j,M_3,M_4\}$ back to $S{N}_i$ through the public channel.

Step 3: 

Upon receiving the response at timestamp $T_2^{\ast }$, $S{N}_i$ verifies the validity of the timestamp by checking whether $|T_2^{\ast }-T_2|\le \Delta T$. If valid, $S{N}_i$ calculates $R_2=M_3\oplus h(I{D}_j\parallel N\parallel T_2)$ and then computes $M_4^{\ast }=h(T_2\parallel I{D}_j\parallel h{(K_i\parallel N_i)}^{\ast }\parallel h(K_j^{\ast }\parallel N_j)\parallel R_2\parallel R_1\parallel N)$. It then verifies whether $M_4^{\ast }=M_4$. If the check fails, the process is terminated. Otherwise, $S{N}_i$ computes the session key as $S{K}_{ij}=h\left(h(K_i^{\ast }\parallel N_i)\parallel h{(K_j\parallel N_j)}^{\ast }\parallel R_1\parallel R_2\right)$.

Step 4: 

$S{N}_j$ computes the same session key using $S{K}_{ij}=h\left(h(K_i^{\ast }\parallel N_i)\parallel h(K_j^{\ast }\parallel N_j)\parallel R_1\parallel R_2\right)$ If all computations are successful, mutual authentication is achieved, and a secure session key $S{K}_{ij}$ is established between $S{N}_i$ and $S{N}_j$.

4.3. Continuous Authentication Phase

In UWSN environments, sensor nodes utilize acoustic signals because the propagation characteristics of acoustic waves are directly influenced by factors such as water density, salinity, and pressure. As a result, underwater communication has a shorter transmission range and higher signal attenuation compared to communication in the air. Moreover, water currents and physical obstacles can cause signal distortion and multipath interference, further destabilizing the communication link [23,24]. At the protocol level, if a message is corrupted and fails verification, the protocol execution is aborted and retried, and our lightweight continuous authentication procedure enables fast re-authentication after intermittent link disruptions. Thus, we propose the continuous authentication phase to consider unstable connections in UWSN environments. The continuous authentication phase ensures ongoing verification between two sensor nodes, $S{N}_i$ and $S{N}_j$, after the initial session key has been established. This process is conducted over a public channel to maintain secure communication. Figure 4 shows the continuous authentication phase and the steps are as follows:

Figure 4. Continuous authentication phase of the proposed protocol.

Step 1: 

Sensor node $S{N}_i$ detects an event and generates a random nonce $R_3$ along with a timestamp $T_3$. It calculates the challenge value as $C{H}^{\ast }=C_i\oplus h(I{D}_i\parallel k_i)$ and evaluates the PUF response using $R{E}_i^{\ast }=\mathrm{PUF}\left(C{H}^{\ast }\right)$. Using this, $S{N}_i$ reconstructs $R_{S{N}_i}^{\ast }$ as $R_{S{N}_i}^{\ast }=\mathrm{Rep}(R{E}_i^{\ast },P_{S{N}_i})$ and computes the secret key $K_i^{\ast }=h(R_{S{N}_i}^{\ast }\parallel I{D}_i)$. The common and unique nonce values are derived as $(N_i\parallel N)=V{N}_i\oplus h(I{D}_i\parallel k_i\parallel R_{S{N}_i}^{\ast })$, and subsequently, $S{N}_i$ calculates $M_5=R_3\oplus h(I{D}_i\parallel N\parallel T_3)$ and $M_6=h(T_3\parallel I{D}_i\parallel h(K_i^{\ast }\parallel N_i)\parallel R_3\parallel N)$. Finally, $S{N}_i$ sends the message $\{T_3,I{D}_i,M_5,M_6\}$ to $S{N}_j$ over the public channel.

Step 2: 

Upon receiving the message at timestamp $T_3^{\ast }$, $S{N}_j$ verifies the validity of the timestamp by checking $|T_3^{\ast }-T_3|\le \Delta T$. It then checks the existence of the session key $S{K}_{ij}$ corresponding to $I{D}_i$. If $S{K}_{ij}$ exists, $S{N}_j$ determines that it has already been authenticated. $S{N}_j$ generates a new timestamp $T_4$ and computes the message $(T_4,I{D}_j)$.

Step 3: 

Upon receiving the message at timestamp $T_4^{\ast }$, $S{N}_i$ verifies the validity of the timestamp by checking $|T_4^{\ast }-T_4|\le \Delta T$. It confirms the continued authentication with $S{N}_j$ based on the response, completing the continuous authentication process and ensuring secure and uninterrupted communication between $S{N}_i$ and $S{N}_j$.

5. Security Analysis

The analysis in this section is limited to protocol-level security verification (mutual authentication and session key security) using BAN logic, the ROR model, and Scyther-based security verification. This verification does not aim to model physical-layer underwater channel behavior; such effects will be considered in future implementation and experimental studies.

5.1. Informal Analysis

5.1.1. Replay Attacks

An adversary captures messages $\{T_1,I{D}_i,M_1,M_2\}$, $\{T_2,I{D}_j,M_3,M_4\}$, $\{T_3,I{D}_i,M_5,M_6\}$, and $\{T_4,I{D}_j\}$ transmitted via open channels. Then, the adversary submits these messages to the sensor node $S{N}_i$ and $S{N}_j$ to conduct the authentication process. However, $S{N}_i$ and $S{N}_j$ check the freshness of messages using timestamp and random nonces. Thus, the adversary cannot have advantage in this attack. Thus, the proposed protocol is secure against replay attacks.

5.1.2. MITM Attacks

In this attack, an adversary sends fake messages between $S{N}_i$ and $S{N}_j$ to authenticate with each sensor node. However, the adversary cannot generate $M_1$ and $M_3$ because these parameters are masked in the shared secret N. Thus, the proposed protocol can prevent MITM attacks.

5.1.3. Impersonation Attacks

Suppose that an adversary disguises as a sensor node and tries to authenticate with another sensor node. To be recognized as a legitimate sensor node, the adversary must generate $\{T_1,I{D}_i,M_1,M_2\}$. However, the adversary cannot compute $M_1=R_1\oplus h(I{D}_i\Vert N\Vert M_1)$ because N is a shared key of sensor node $S{N}_i$ and $S{N}_j$. Thus, the proposed protocol can prevent impersonation attacks.

5.1.4. Physical and Cloning Attacks

In this attack, the adversary obtains a sensor node $S{N}_i$ and extracts authentication credentials $\{I{D}_i,C_i,K_i,{\{I{D}_a,V_{ia}\}}_{a=j,k,l},V{N}_i,P_{S{N}_i}\}$. After that, the adversary tries to generate the authentication request message $\{T_1,I{D}_i,M_1,M_2\}$ using the credentials. However, the adversary cannot compute the message because $N_i$ and N are encrypted with $R_{S{N}_i}$, which is generated by $PUF(.)$. Therefore, the proposed protocol can prevent stolen smart device attacks.

5.1.5. Ephemeral Secret Leakage (ESL) Attacks

Assume that an adversary obtains $R_1$ and $R_2$, and attempts to compute the session key $h(h(K_i\parallel N_i)\parallel h(K_j\parallel N_j)\parallel R_1\parallel R_2)$. However, the adversary does not have any advantage because $K_i$, $K_j$, $N_i$, and $N_j$ are encrypted with $V{N}_i$ and $V{N}_j$ which can be retrieved using $PUF(.)$. Thus, the proposed protocol is secure against ESL attacks.

5.1.6. DoS Attacks

In this attack, the adversary collects numerous messages transmitted via public channels and sends them to the other sensor node. In the proposed protocol, sensor nodes always check the timestamp and discard the message if it does not arrive within the allowance period. Thus, the proposed protocol can prevent DoS attacks.

5.1.7. Mutual Authentication

In the proposed protocol, timestamps are included in messages. Thus, sensor nodes can verify the freshness of the messages. Moreover, sensor nodes check the freshness of random nonces $R_1$ and $R_2$ using the shared secret N. If these parameters are valid, each sensor node can ensure the legitimacy of messages. Thus, the proposed protocol guarantees mutual authentication.

5.2. BAN Logic

Mutual authentication is an essential property in security protocols. BAN logic [15] is a formal analysis to prove mutual authentication using logical rules, idealized forms, and assumptions. Although BAN logic provides an abstract, assumption-driven reasoning framework and may not capture all adversarial behaviors or implementation/channel-level details, we utilize BAN logic to prove logical mutual authentication of the proposed protocol. We show the notations and descriptions of the BAN logic in Table 3.

Table 3. Notations and descriptions.

Notation	Description
$B_i,B_j$	Principals
$C_1,C_2$	Statements
$SK$	Session key
$B_i|\equiv C_1$	$C_i$ believes $C_1$
$B_i|\sim C_1$	$C_i$ once said $C_1$
$B_i⤇C_1$	$C_i$ controls $C_1$
$B_i⊲C_1$	$C_i$ receives $C_1$
$\#C_1$	$C_1$ is fresh
${\left\{C_1\right\}}_S$	$C_1$ is encrypted with S
$B_{i}S{B}_j$	$B_i$ and $B_j$ have a shared key S

5.2.1. Rules

In BAN logic, there are five rules to analyze authentication protocols.

• Message meaning rule (MMR): MMR is a rule when an entity receives a message encrypted with a shared key, the entity trusts the message.

$${\displaystyle \frac{B_i|\equiv B_i\stackrel{S}{\leftrightarrow }{B}_j,B_i⊲{\left\{C_1\right\}}_S}{B_i|\equiv B_j|\sim C_1}}$$

• Nonce verification rule (NVR): NVR is a rule that believes a message was sent from a sender if the message content is fresh and the sender is sure to have sent it.

$${\displaystyle \frac{B_i|\equiv \#\left(C_1\right),B_i|\equiv B_j|\sim C_1}{B_i|\equiv B_j|\equiv C_1}}$$

• Jurisdiction rule (JR): JR is a rule about permissions, meaning that if you have permission to receive a message, the other party can also receive the message.

$${\displaystyle \frac{B_i|\equiv B_j⤇C_1,B_i|\equiv B_j|\equiv C_1}{B_i|\equiv C_1}}$$

• Belief rule (BR): BR is that if an entity believes a tuple, it also believes its elements.

$${\displaystyle \frac{B_i|\equiv (C_1,C_2)}{B_i|\equiv C_1}}$$

• Freshness rule (FR): FR is a rule that believes that if a message is fresh, then its tuples are also fresh.

$${\displaystyle \frac{B_i|\equiv \#\left(C_1\right)}{B_i|\equiv \#(C_1,C_2)}}$$

5.2.2. Goals

In our protocol, the network participants are required to authenticate each other and establish a session key to provide secure communication and prevent data leakage issues. Thus, the goals of our protocol in BAN logic are that the participants are legitimate and share session key securely. Thus, goals of our protocol can be shown as follows:

Goal 1: 

$SNi|\equiv SNi\stackrel{SK}{\leftrightarrow }SNj$

Goal 2:  

$SNi|\equiv SNj|\equiv SNi\stackrel{SK}{\leftrightarrow }SNj$

Goal 3:  

$SNj|\equiv SNj\stackrel{SK}{\leftrightarrow }SNi$

Goal 4:  

$SNj|\equiv SNi|\equiv SNj\stackrel{SK}{\leftrightarrow }SNi$

5.2.3. Idealized Forms

In the proposed protocol, $SNi$ and $SNj$ exchange messages $\{T_1,I{D}_i,M_1,M_2\}$ and $\{T_2,I{D}_j,M_3,M_4\}$ to establish the session key $SK$. Thus, the idealized forms of the proposed protocol are shown as follows:

$C_1:$

$SNi\to SNj:{\{I{D}_i,T_1,R_1\}}_N$

$C_2:$

$SNj\to SNi:{\{I{D}_j,T_2,R_2\}}_N$

5.2.4. Assumptions

To apply BAN logic, we introduce assumptions to reflect the pre-established trust and freshness of the proposed protocol. These assumptions can be derived according to registration phase, and freshness of random nonce and timestamps. Assumptions of BAN logic in our protocol are shown as follows:

$N_1$ :

$SNj|\equiv \#(T_1)$

$N_2$ :

$SNi|\equiv \#(T_2)$

$N_3$ :

$SNj|\equiv SNi\stackrel{N}{\leftrightarrow }SNj$

$N_4$ :

$SNi|\equiv SNi\stackrel{N}{\leftrightarrow }SNj$

$N_5$ :

$SNi|\equiv SNj⤇(SNi\stackrel{SK}{\leftrightarrow }SNj)$

$N_6$ :

$SNi|\equiv SNi⤇(SNi\stackrel{SK}{\leftrightarrow }SNj)$

5.2.5. BAN Logic Proof

Based on the idealized forms and assumptions, we prove the goals by applying the BAN logic rules to the message flow of the proposed protocol.

Pr1:  

We get $D_1$ from $C_1$.

$D_1$ : $SNj⊲{\{I{D}_i,T_1,R_1\}}_N$

Pr2:  

Using $D_1$, we get $D_2$ from MMR and $N_3$.

$D_2$ : $SNj|\equiv SNi|\sim (I{D}_i,T_1,R_1)$

Pr3:  

Using $D_2$, we get $D_3$ from FR and $N_1$.

$D_3$ : $SNj|\equiv \#(I{D}_i,T_1,R_1)$

Pr4:  

Using $D_3$, we get $D_4$ from NVR and $D_2$.

$D_4$ : $SNj|\equiv SNi|\equiv (I{D}_i,T_1,R_1)$

Pr5:  

We get $D_5$ from $C_2$.

$D_5$ : $SNi|⊲{\{I{D}_j,T_2,R_2\}}_N$

Pr6:  

Using $D_5$, we get $D_6$ from MMR and $N_4$.

$D_6$ : $SNi|\equiv SNj|\sim (I{D}_j,T_2,R_2)$

Pr7:  

Using $D_6$, we get $D_7$ from FR and $N_2$.

$D_7$ : $SNi|\equiv \#(I{D}_j,T_2,R_2)$

Pr8:  

Using $D_7$, we get $D_8$ from NVR and $D_6$.

$D_8$ : $SNi|\equiv SNj|\equiv (I{D}_j,T_2,R_2)$

Pr9:  

Using $D_8$, $SNi$ and $SNj$ can compute the session key. Thus, we get $D_9$ and $D_{10}$ as follows:

$D_9$ : $SNi|\equiv SNjSKSNi$ (Goal 1)

$D_{10}$ : $SNj|\equiv SNi|\equiv SNiSKSNj$ (Goal 4)

Pr10:  

Using $D_9$ and $D_{10}$, we get $D_{11}$ and $D_{12}$ from JR as follows:

$D_{11}$ : $SNj|\equiv SNiSKSNj$ (Goal 3)

$D_{12}$ : $SNi|\equiv SNjSKSNi$ (Goal 2)

5.3. ROR Model

If the session key security is not preserved, the reliability of the proposed protocol cannot be guaranteed. Thus, we verify the security of the session key using ROR model [16]. In our protocol, we define participants for sensor nodes $S{N}_i$($I_{SNi}^{i_1}$) and $S{N}_j$($I_{SNj}^{i_2}$). Note that $i_1$ and $i_2$ are instances. In ROR model, the attacker $AK$ can perform various queries using the abilities where $AK$ can eavesdrop, capture, insert, and delete messages.

• $E(I_{SNi}^{i_1},I_{SNj}^{i_2})$: $AK$ can eavesdrop messages that are exchanged via public channels. Thus, this query is a passive attack.
• $S\left(I^r\right)$ : It is an active attack that $AK$ can send messages to network participants $I_r$ via public channels.
• $C(I_{SNi}^{i_1},I_{SNj}^{i_2})$ : $AK$ can extract secret parameters of $S{N}_i$ and $S{N}_j$. Thus, this query is an active attack.
• $T\left(I^r\right)$ : In this query, $AK$ tests the security of the session key by flipping an unbiased coin. After that, $AK$ obtain the result 1, 0, and $NULL$. When 1 is obtained, it means that $AK$ can distinguish the session key. When 0 is obtained, $AK$ cannot distinguish the session key and random nonce. Otherwise, $AK$ gets $NULL$ value.

Theorem 1. 

We define that $H{A}_S\left(P\right)$ is the probability of breaking the session key security. Moreover, we define that C’, s’, $d_{es}$, $d_{puf}$ and $d_{ah}$ are Zipf’s parameters [25], queries of send, PUF, and hash, respectively. The advantage that $AK$ breaks the security of PUF and the range space of hash functions are $PUF(.)$ and $hash(.)$, respectively. Therefore, $H{A}_S\left(P\right)$ can be shown as follows:

                              $H{A}_S\left(P\right)\le {\displaystyle \frac{d_{ah}^2}{\left|hash\right|}}+{\displaystyle \frac{d_{puf}^2}{\left|PUF\right|}}$

In our protocol, we define four games following the related works [26,27,28]. Note that the probability of winning the game is $AT\left[W{G}_{M_k}\right]$ ($k=0,1,2,3$).

$M_0$ : This game is a initial game that $AK$ guesses $SK$ with no information of the proposed protocol. Thus, $AK$ selects a random bit q. Thus, we can get the following:

$$H{A}_S\left(P\right)=|2AT\left[W{G}_{M_0}\right]-1|$$

(5)

$M_1$ : $AK$ executes $E(I_{SNi}^{i_1},I_{SNj}^{i_2})$ query to obtain $\{T_1,I{D}_i,M_1,M_2\}$ and $\{T_2,I{D}_j,M_3,M_4\}$ which are transmitted through public channels. With the information, $AK$ guesses the session key from $T(.)$. However, the adversary cannot obtain any information because $M_1$ is masked in the long-term secret parameter N. Thus, we can get the following:

$$AT\left[W{G}_{M_0}\right]=AT\left[W{G}_{M_1}\right]$$

(6)

$M_2$ : In this game, $AK$ tries to calculate the session key using hash and send queries. Using these queries, $AK$ attempts to decrypt $M_1$ and $M_3$ to reveal the random nonce $R_1$ and $R_2$. However, $AK$ cannot obtain these parameters due to the “cryptographic one-way hash function”. Thus, the adversary does not have any advantages in this game and we get the following inequation using birthday paradox [29]:

$$AT\left[W{G}_{M_2}\right]-AT\left[W{G}_{M_1}\right]\le {\displaystyle \frac{d_{ah}^2}{\left|hash\right|}}$$

(7)

$M_3$ : This is the last game that $AK$ performs $C(.)$ query and reveals secret parameters $\{I{D}_i,C_i,k_i,{\{I{D}_a,V_{ia}\}}_{a=j,k,l,\dots },V{N}_i,P_{S{N}_i}\}$ and $\{I{D}_j,C_j,k_j,{\{I{D}_a,V_{ja}\}}_{a=i,k,l,\dots },V{N}_j,P_{S{N}_j}\}$. Then $AK$ tries to calculate N to decrypt $M_1$ and $M_3$. However, the adversary cannot retrieve secret parameters from the extracted information $\{I{D}_i,C_i,k_i,{\{I{D}_a,V_{ia}\}}_{a=j,k,l,\dots },V{N}_i,P_{S{N}_i}\}$ and $\{I{D}_j,C_j,k_j,{\{I{D}_a,V_{ja}\}}_{a=i,k,l,\dots }$ because they are encrypted by PUF. Thus, we can get the following:

$$AT\left[W{G}_{M_3}\right]-AT\left[W{G}_{M_2}\right]\le {\displaystyle \frac{d_{puf}^2}{\left|PUF\right|}}$$

(8)

After $M_3$, $AK$ guesses a bit p and the following is obtained:

$$AT\left[W{G}_{M_3}\right]={\displaystyle \frac{1}{2}}$$

(9)

The following equation is obtained using (5) and (6)

$${\displaystyle \frac{1}{2}}H{A}_S\left(P\right)=|AT\left[W{G}_{M_0}\right]-{\displaystyle \frac{1}{2}}|=|AT\left[W{G}_{M_1}\right]-{\displaystyle \frac{1}{2}}|$$

(10)

Using (9) and (10), the following equation is obtained:

$${\displaystyle \frac{1}{2}}H{A}_S\left(P\right)=|AT\left[W{G}_{M_1}\right]-AT\left[W{G}_{M_3}\right]|$$

(11)

Using the triangular inequality, the following is obtained:

$$\begin{gathered} {\displaystyle \frac{1}{2}}H{A}_S\left(P\right)=|AT\left[W{G}_{M_1}\right]-AT\left[W{G}_{M_3}\right]| \\ \le |AT\left[W{G}_{M_1}\right]-AT\left[W{G}_{M_2}\right]|+|AT\left[W{G}_{M_2}\right]-AT\left[W{G}_{M_3}\right]| \end{gathered}$$

$$\le {\displaystyle \frac{d_{ah}^2}{2\left|hash\right|}}+{\displaystyle \frac{d_{puf}^2}{2\left|PUF\right|}}$$

(12)

Multiplying 2, we can get the following:

                                              $H{A}_S\left(P\right)\le {\displaystyle \frac{d_{ah}^2}{\left|hash\right|}}+{\displaystyle \frac{d_{puf}^2}{\left|PUF\right|}}$

5.4. Security Verification Using Scyther

Scyther [17,18] is an automated verification tool to analyze and verify the security of authentication protocols, and detects various attack scenarios. Scyther tool verifies security properties through multiple independent executions for security protocols, and is widely used for research purposes due to its intuitive interface. Scyther tool can be executed on various operating systems such as Windows, Linux, and Mac OS X. The security protocols are described in a dedicated description language, “Security Protocol Description Language (SPDL)”. Then, Scyther tool automatically performs verification and outputs analysis results based on claim events, such as “Aliveness”, “Weak Agreement”, “Non-injective Agreement”, and “Non-injective Synchronization”. If “OK” and “No attacks” are displayed for each claim, it means that the corresponding security property is satisfied. It should be noted that Scyther performs verification under the Dolev–Yao adversary model and does not simulate physical-layer channel noise (e.g., bit errors due to attenuation or multipath). Therefore, our Scyther-based verification focuses on protocol-level properties (e.g., authentication and session key secrecy) against an active attacker who can eavesdrop, replay, and modify messages. In the SPDL model, we represent the main protocol participants as roles (e.g., SN and BS) and verify the security claims for representative protocol sessions. Regarding denial-of-service (DoS), Scyther is not intended to model resource-exhaustion effects; thus, DoS resilience is discussed based on the protocol design choices (lightweight operations and early verification checks) and the comparative overhead analysis in the performance section. Figure 5 shows the Scyther verification results for the proposed protocol.

Figure 5. Scyther simulation results under claim events.

• Aliveness: The participant ensures that the communication partner actually performs the protocol.
• Weak-agreement: The participant ensures that the communication partner actually performs the protocol and is aware of who they were communicating with.
• Non-injective agreement: The participant ensures that there is a mutual agreement between communication parties and that they share consistent session values.
• Non-injective synchronization: The participant ensures that messages are exchanged in a given order and that the session flow was synchronized.

6. Performance Analysis

This section evaluates the performance of our proposed protocol in terms of security properties, computational costs, and communication costs. The goal of this analysis is to show that the proposed protocol provides enhanced security coverage while maintaining moderate computational cost, indicating its practicality for underwater deployments. Compared with existing protocols, the proposed method achieves a reasonable balance between security robustness and efficiency, suggesting that it can be feasibly implemented in real underwater sensor systems. It should be noted, however, that the evaluation in this paper is conducted at the protocol/analytical level, focusing on security verification and overhead comparison. More comprehensive statistical analysis and illustrative real-world demonstrations under practical underwater channel conditions (e.g., intermittent connectivity and packet errors) are beyond the scope of the current study and will be addressed in future work through implementation and empirical validation.

6.1. Security Properties

As presented in Table 3, the proposed authentication protocol satisfies all core security attributes, whereas existing protocols overlook several of them either partially or entirely. For example, the protocols by Xie et al. [30] and Algarni et al. [31] are vulnerable to physical cloning attacks and ESL attacks, respectively. Jain and Hussain’s protocol [14] is vulnerable to replay, MITM, and DoS attacks, primarily due to the absence of nonce- or timestamp-based freshness mechanisms and rate-limiting strategies. Moreover, none of the existing protocols considered in this study support continuous authentication, which is a critical requirement in highly dynamic and resource-constrained UWSNs, where intermittent connectivity and session instability are common. In contrast, the proposed protocol is specifically designed to maintain authentication continuity under such conditions, thereby enhancing its applicability to real-world deployments.

This continuous verification capability is particularly valuable in UWSN environments, where environmental interference, multipath distortion, and acoustic signal attenuation frequently disrupt communication. By supporting ongoing re-authentication after the initial session is established, the proposed protocol ensures that security is not compromised even if the connection is temporarily lost and then resumed. This not only prevents potential session hijacking or impersonation during link recovery but also reinforces session integrity throughout the mission duration.

6.2. Computation Costs

This subsection analyzes and compares the computational complexity of the proposed authentication protocol with three representative protocols: Jain and Hussain [14], Xie et al. [30], Algarni et al. [31], and Yang and Zou [13].According to [32], the evaluation of the execution time is conducted using Raspberry-Pi 4B (ARM Cortex A72 @ 1.5GHz 4 core CPU, 8GB RAM, Ubuntu 20.04.2 LTS). Moreover, the evaluation is based on the execution time of standard cryptographic operations, which are adopted for a fair relative comparison among protocols rather than for absolute benchmarking, since actual execution time can vary depending on hardware specifications and implementation details.

-

TH: One-way hash function—0.006 ms

-

TM: Elliptic curve point multiplication—2.926 ms

-

TS: Symmetric key encryption/decryption—0.013 ms

-

TF: Fuzzy extractor—2.926 ms

-

TE: Modular exponentiation—0.358 ms

For transparency, the computation of each protocol is expressed in terms of the number of primitive operations (e.g., hash, FE, ECC), and their weighted sum is shown in Table 4. We also show the total computation costs of the proposed protocol and the related works [13,14,30,31] in Figure 6 and Table 5.

Table 4. Security properties of the proposed protocol and related protocols.

Security Properties	Ref. [13]	Ref. [30]	Ref. [31]	Ref. [14]	Proposed
Replay attacks	∘	∘	∘	×	∘
MITM attacks	∘	∘	∘	×	∘
Impersonation attacks	∘	∘	∘	∘	∘
Physical and cloning attacks	∘	∘	×	×	∘
ESL attacks	∘	×	∘	∘	∘
DoS attacks	∘	∘	∘	×	∘
Mutual authentication	∘	∘	∘	×	∘
Continuous authentication	×	×	×	×	∘

Figure 6. Total computation costs depending on the number of sensor nodes.

Table 5. Computation costs of the proposed protocol and related protocols.

Protocol	Device A	Device B	Total Costs
Yang and Zou [13]	$3TM+3TH$	$3TM+3TH$	17.592 ms
Xie et al. [30]	$3TM+5TH+1TS+1TF$	$3TM+5TH+1TS+1TF$	23.494 ms
Algarni et al. [31]	$4TM+3TH$	$2TM+2TH$	17.586 ms
Jain & Hussain [14]	$1TS$	$1TS$	0.026 ms
Proposed Protocol	$10TH+1TF$	$10TH+1TF$	5.972 ms

The results show that the proposed protocol requires slightly higher computational cost than Jain and Hussain’s protocol [14] due to the inclusion of additional hash and fuzzy-extractor operations. However, it achieves significantly stronger security properties while maintaining far lower complexity than the ECC-based protocols of Xie et al. [30] and Algarni et al. [31]. Specifically, Xie et al.’s method requires about 23.49 ms and Algarni et al.’s protocol about 17.59 ms per computation, whereas the proposed protocol performs the same authentication process in approximately 5.97 ms, reducing the computational burden by approximately three to four times compared to ECC-based protocols. This demonstrates that the proposed design maintains a reasonable balance between security robustness and computational efficiency, which is suitable for resource-constrained underwater environments.

6.3. Communication Costs

This subsection evaluates the communication overhead of the proposed protocol compared with three existing protocols, including Jain and Hussain [14], Xie et al. [30], and Algarni et al. [31]. We define that the total bits of ECC point, hash function, random number, timestamp, and identity are 320 bits, 256 bits, 128 bits, 32 bits, and 32 bits, respectively [33]. Table 6 and Figure 7 show the total communication costs of the proposed protocol and related protocols [13,14,30,31]. The result shows that the proposed protocol requires 320 bits more than Jain & Hussain’s protocol. However, the proposed protocol achieves lower communication cost compared with Xie et al.’s protocol [30], Algarni et al.’s protocol [31], and Yang and Zou’s protocol [13]. In addition, the proposed protocol is a suitable protocol for UWSN environments, which reflects the special characteristics, such as supporting continuous authentication and providing high security.

Table 6. Total communication cost of the proposed protocol and the related protocols.

Protocol	Number of Messages	Total Costs
Yang and Zou [13]	2	1216 bits
Xie et al. [30]	2	1600 bits
Algarni et al. [31]	2	1792 bits
Jain & Hussain [14]	2	832 bits
Proposed Protocol	2	1152 bits

Figure 7. Total communication costs depending on the number of sensor nodes.

6.4. Simulation Study Using NS-3

We simulate the proposed protocol and derive throughput, end-to-end delay using NS-3 [34] to evaluate the realistic environment applicability. In the proposed protocol, there are two messages in the authentication phase: $\{T_1,I{D}_i,M_1,M_2\}$ = 72 bytes, $\{T_2,I{D}_j,M_3,M_4\}$ = 72 bytes. Based on the messages, we construct the underwater environments where sensors communicate with each other. We also specify the NS-3 simulation environments to fit underwater communications as follows:

• Operation System: Ubuntu 16.04 LTS
• CPU: Intel i9-13900 (13th Gen Intel Core 24 cores/32 threads, up to 5.60 GHz) (Intel, Santa Clara, CA, USA)
• Memory: 8GB RAM
• Simulation Time: 2000 s
• Number of Sensors: 10, 20, 30, 40, 50
• Mobility Model: ConstantPositionMobilityModel
• Underwater Stack: UanChannel and UanMacAloha

When the simulation is end, we can calculate throughput ($Thr={\displaystyle \frac{Pac{k}_{Rev}\times Pac{k}_S}{Tim{e}_{Total}}}$, $Thr$: Throughput, $Pac{k}_{Rev}$: Received total packets, $Pac{k}_S$: Packet size, $Pac{k}_{Total}$: Total time) and end-to-end delay ($E2E={\Sigma }_{i=1}^{Aut{h}_{Total}}{\displaystyle \frac{Aut{h}_{Rev}-Aut{h}_{Snd}}{Aut{h}_{Total}}}$, $E2E$: End-to-end delay, $Aut{h}_{Total}$: total message packets in authentication, $Aut{h}_{Rev}$: Received time, $Aut{h}_{Snd}$: Sent time) using flowmonitor files. The simulation results using NS-3 are shown in Figure 8. Based on the result, we can demonstrate that the throughput and end-to-end delay are increased as the number of sensors increases.

Figure 8. Throughput and end-to-end delay results using NS-3.

7. Conclusions

Underwater acoustic communications inherently suffer from high attenuation, limited bandwidth, and intermittent connectivity, which makes coastal surveillance UWSNs particularly vulnerable to both operational disruptions and security threats. Motivated by these characteristics, we selected the mission-relevant protocol of Jain and Hussain as a baseline and identified critical limitations, including replay susceptibility, exposure to physical capture/cloning, denial-of-service potential, and incomplete mutual authentication. Based on these findings, we designed a secure and lightweight authentication and session key agreement protocol that combines hash/XOR-based computations with PUF-derived node binding and a continuous authentication procedure to support fast re-authentication after link disruptions. The security of the proposed protocol was validated at the protocol level through BAN logic, the ROR model, and Scyther-based security verification, while performance was assessed in terms of computational, communication overhead and security coverage compared with representative schemes. Overall, the results indicate that the proposed approach improves security robustness over the baseline while maintaining practical efficiency for surveillance-oriented UWSN deployments. In future work to validate the scientific contribution of the proposed protocol, we will move beyond protocol-level evaluation by implementing the proposed scheme on practical platforms (e.g., a USV or UUV/AUV). Moreover, we will conduct practical studies in an underwater acoustic networking testbed. Such experiments will enable more comprehensive statistical analysis and real-world case demonstrations, including latency, energy consumption, and re-authentication performance under dynamic channel conditions.