Security Authentication Protocol for Underwater Sensor Networks Based on NTRU

Abstract

Underwater Wireless Sensor Networks (UWSNs) have a wide range of applications, where issues related to data authentication and communication are critical for enhancing underwater resource utilization and ensuring secure data transmission. Sensor nodes face resource limitations and the threat of quantum computing attacks, making it challenging for traditional authentication protocols to balance security and computational efficiency. By employing the Number Theory Research Unit (NTRU) encryption scheme and incorporating Generalized One-Time Pad (GOTP) key encapsulation along with a node mobility model under ocean current environments, we propose a two-round mutual authentication protocol, named the NTRU-GOTP and Position-aware Authentication Protocol (NTRU-GOPA), to verify location information and enhance security. We verify the protocol’s security using the random oracle model and analyze it through informal methods. Preliminary experiments demonstrate that the proposed protocol is more secure and computationally efficient than existing methods. This method satisfies the requirements for defending against node capture and external network attacks, thereby making it suitable for complex and dynamic underwater network scenarios.

1. Introduction

The ocean covers approximately 70% of the Earth’s surface, serving not only as a critical regulator of the global climate system but also as a repository of strategic resources such as oil and gas, minerals and renewable energy. As nations intensify their focus on marine resource development, environmental monitoring, scientific research, and military security, UWSNs have emerged as a pivotal technology for deep-sea exploration and marine environment monitoring through distributed nodes that collaboratively sense and transmit data. In contrast to Terrestrial Wireless Sensor Networks (TWSNs) that rely on electromagnetic waves, UWSNs utilize acoustic waves to overcome the high attenuation of electromagnetic signals in seawater and the limited transmission range of optical communications caused by scattering effects. Due to the low-frequency characteristics of acoustic waves, kilometer-scale underwater communication can be achieved. By deploying sensor nodes via platforms like Unmanned Underwater Vehicles (UUVs), UWSNs form multi-hop self-organizing networks capable of executing complex tasks including ocean data collection, pollution prediction, and ship obstacle avoidance, thereby providing critical data support for scientific research and industrial applications [1].

However, the complex and open marine environment poses significant challenges for UWSNs. At the physical layer, underwater acoustic channels exhibit time-varying characteristics due to temperature and salinity gradients, resulting in narrow bandwidth, low propagation speed, and severe signal attenuation, all of which significantly degrade transmission reliability [2,3]. At the network layer, node drift caused by dynamic ocean currents triggers frequent topology reconfigurations, while energy constraints and high deployment costs compound resource management challenges. Most critically, open acoustic channels are vulnerable to security breaches such as eavesdropping, data manipulation, and malicious node injection, with the unsupervised nature of nodes increasing the risks of physical capture [4,5]. Traditional authentication protocols, due to their high computational overhead, fail to meet the lightweight requirements of UWSNs and are also susceptible to quantum attacks. Therefore, designing an authentication mechanism that achieves low computational complexity while ensuring post-quantum security is imperative for reliable UWSN operation [6,7].

1.1. Related Work

To address these issues, most existing studies are based on TWSNs and rely on traditional cryptographic authentication mechanisms to counter replay attacks, node capture, and other threats while enhancing communication efficiency. These solutions primarily employ the following five authentication techniques:(a) Hash Functions; (b) Elliptic Curve Cryptography (ECC); (c) Chaotic Mapping; (d) Blockchain; (e) Lattice-Based Cryptography.

(a). Hash Functions: Due to their high computational efficiency and low resource consumption, hash functions are widely used in authentication methods for wireless sensor networks. Zhou et al. [8] employed hash functions along with XOR operations to enhance the security of authentication and key exchange in resource-constrained medical IoT environments. Kumar et al. [9] introduced an authentication technique based on hash functions to establish session keys and achieve secure and efficient authentication for UWSNs. Zhang et al. [10] combined chameleon hash functions with Physical Unclonable Function (PUF) technology to defend against physical capture attacks in industrial IoT environments while reducing device overhead. Almuhaideb et al. [11] also uses PUF to realize two-way authentication in UWSNs environment to satisfy more efficient secure communication.

(b). Elliptic Curve Cryptography (ECC): ECC can achieve high security with smaller key sizes, making it the most cost-effective solution for resource-limited devices. Sadhukhan et al. [12] proposed a remote user authentication scheme for users and smart devices based on symmetric encryption and ECC, but the scheme is prone to smart card loss and privileged insider attacks. Li et al. [13] introduced a three-factor authentication protocol based on ECC to address local password verification and device loss issues in wireless medical sensor networks, ensuring forward security. Moghadam et al. [14] presented an improved mutual authentication and key exchange protocol based on Elliptic Curve Diffie–Hellman (ECDH) to overcome the shortcomings of the Alotaibi protocol [15]. Zou et al. [16] proposed an ECC based two-factor authentication scheme to address issues such as session key forward secrecy, node capture attacks, and impersonation attacks in smart home systems.

(c). Chaotic Mapping: Chaotic mapping generates unpredictable keys that can effectively resist brute-force attacks; however, it is highly sensitive to initial conditions, making it vulnerable to minor perturbations that can destabilize the authentication process. Zhang et al. [17] integrated chaotic mapping with hash functions for application in UWSNs, but the reliance on a centralized registration center introduces a single point of failure and fails to ensure secure mutual authentication. Mo et al. [18] emphasized an improved three-factor dynamic authentication scheme based on Chebyshev chaotic mapping that balances security and efficiency, although it still suffers from user impersonation and sensor node capture attacks. Long et al. [19] proposed a blockchain-based anonymous authentication and key management scheme that leverages Chebyshev chaotic maps to achieve lightweight and secure group key generation. Xie et al. [20] combined PUF with chaotic mapping to mitigate the vulnerability of sensor and gateway nodes to capture in UWSNs.

(d). Blockchain: Blockchain has the advantages of decentralisation, immutability and traceability in authentication, but still faces performance bottlenecks, privacy protection and lack of standardisation. Abdi et al. [21] integrates attribute-based encryption, blockchain and zero-knowledge proof technologies to provide cross-domain authentication and access control, however, it suffers from high latency and inefficient consensus mechanisms. Deebak et al. [22] proposed a trust-aware blockchain-based seamless authentication mechanism for large-scale IoT-enabled industrial applications, addressing issues such as device identity management and data privacy. Heshmati et al. [23] proposed a blockchain-based smart home identity access validation scheme that combines attribute signatures to achieve privacy protection, efficient authentication, and access control in smart homes. Additionally, Tomović et al. [7] proposed a key management protocol that integrates hierarchical routing with blockchain technology to ensure communication security in UWSNs.

(e). Lattice-Based Cryptography: Lattice-based cryptography has attracted extensive attention due to its resistance to quantum computing attacks. To enhance security in mobile client-server environments, Feng et al. [24] designed an ideal lattice-based anonymous authentication protocol. Dabra et al. [25] identified that this protocol is susceptible to side-channel and impersonation attacks, and consequently proposed an anonymous key authentication and exchange scheme suitable for mobile devices. However, Ding et al. [26] later found that the scheme remains vulnerable to side-channel attacks and further refined the anonymous authentication protocol, albeit at the cost of significant communication overhead. Kumar et al. [27] proposed a novel post-quantum key exchange scheme based on Ring Learning With Errors (RLWE) that achieves both authentication and key agreement with only two message exchanges. Nevertheless, existing lattice-based key exchange protocols, constructed from either Learning With Errors (LWE) or RLWE, are not well-suited for resource-constrained network environments and continue to be at risk of side-channel attacks.

1.2. Motivation and Contribution

Due to the unique characteristics of the underwater environment, traditional methods face numerous limitations in practical applications—such as insufficient real-time performance due to high latency, an inability to effectively resist quantum attacks, and increased computational and communication overhead that imposes a significant energy burden on nodes [6]. Therefore, there is an urgent need to design a lightweight, efficient, and secure authentication mechanism specifically for UWSNs to meet the complex and dynamic communication demands of marine environments. NTRU is a lightweight public-key encryption algorithm that, compared to other encryption schemes, offers efficient encryption and decryption operations with low memory and computational overhead [28]. Its application in underwater networks demonstrates advantages in energy consumption and communication delay, and especially in the face of quantum threats, the NTRU scheme provides long-term security assurance.

The main contributions of this paper are as follows:

(a). We propose a lightweight and secure anonymous authentication protocol for underwater sensor networks based on NTRU. The protocol employs random numbers and a key encapsulation mechanism to protect user anonymity and ensure message untraceability, while timestamps are used to guarantee message freshness. The scheme achieves a complete two-round mutual authentication among the user, gateway nodes, and sensor nodes.

(b). In the two rounds of message authentication, the nodes generate random numbers and utilize a GOTP encapsulation method, thus improving the security of each authentication round and making it difficult for malicious nodes to quickly compromise the authentication messages.

(c). Given that underwater sensor nodes are prone to drifting with ocean currents, the protocol incorporates sensor location awareness and processes historical location interaction data through hash functions. This effectively safeguards the privacy of location information and the integrity of the data, thereby enhancing the overall security and reliability of remote sensor data access.

(d). We conduct a comprehensive security analysis of the proposed protocol and compare its performance with other related protocols. The results show that the proposed scheme achieves strong performance and security in UWSNs, indicating promising practical prospects.

2. Models and Methods

2.1. Underwater Wireless Sensor Networks Model

In a UWSN model constructed through the collaboration of four parties, the registration center is responsible for the secure offline registration of nodes, while the base station, gateway, and sensor nodes jointly participate in the authentication and communication processes. Figure 1 shows the underwater wireless sensor network model. Resource-constrained underwater acoustic sensor nodes are the fundamental components of UWSNs. They are deployed at various underwater locations and, through appropriate routing protocols, store and forward the collected underwater acoustic environmental data. The gateway is endowed with robust storage and data processing capabilities, enabling it to receive and forward data from both the base station and sensor nodes, as well as to achieve mutual authentication and key negotiation between users and sensor nodes. Additionally, the gateway can determine its own position via satellite navigation and provide corresponding location information to the sensor nodes. The base station connects to the terrestrial network and is responsible for collecting, processing, integrating, and transmitting data within the network, thereby allowing users to access and manipulate these data.

2.2. Encapsulated Encryption Algorithm

Definition 1.

Lattice: In an n-dimensional vector space ${\mathbb{R}}^n$, given m linearly independent vectors ${\mathbf{b}}_1,{\mathbf{b}}_2,\dots ,{\mathbf{b}}_m\in {\mathbb{R}}^n$, the lattice is defined as:

$$\mathcal{L}=\left\{\sum _{i=1}^m{a}_i{\mathbf{b}}_i\mid a_i\in \mathbb{Z},i=1,2,\dots ,m\right\}$$

(1)

where $\left\{{\mathbf{b}}_1,{\mathbf{b}}_2,\dots ,{\mathbf{b}}_m\right\}$ is called a basis of the lattice. The dimension of the lattice is n, and its rank is m. The security of lattice-based cryptography relies on the computational hardness of problems such as the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP), there is no effective algorithm to solve these two problems.

Definition 2.

NTRU algorithm: NTRU is a lattice-based public-key cryptosystem operating over polynomial rings. Its security is rooted in the difficulty of solving lattice problems in this polynomial setting. Below are the formal definitions for key generation, encryption, and decryption.

(a). Parameters: N: A positive prime number that defines the ring $R=\mathbb{Z}\left[x\right]/(x^N-1)$. $p,q$: Coprime integers with $gcd(p,q)=1$, where $q\gg p$. Typically, $p=2\mathrm{or}3$. Polynomial sets $L_f,L_g,L_r,L_m$: These are collections of polynomials in R whose coefficients are bounded by small integers (e.g., $\{-1,0,1\}$ or similarly small ranges).

(b). Key Generation: Randomly select two polynomials $f\in L_f$ and $g\in L_g$ such that f is invertible modulo p and modulo q. Compute the inverses $F_p\in R_p$ and $F_q\in R_q$ satisfying $F_p·f\equiv 1\left(\mathrm{mod}p\right)$ and $F_q·f\equiv 1\left(\mathrm{mod}q\right)$. Compute public key $h\equiv F_q·g\left(\mathrm{mod}q\right)$. The private key is $(f,F_p)$.

(c). Encryption: Given a plaintext polynomial $m\in L_m$. Select a random polynomial $r\in L_r$. Compute the ciphertext $e\in R_q$: $e\equiv pr\ast h+m\left(\mathrm{mod}q\right)$.

(d). Decryption: Compute the intermediate polynomial $a\in R_q$: $a\equiv f\ast e\left(\mathrm{mod}q\right)\equiv f(pr\ast h+m)\left(\mathrm{mod}q\right)\equiv pr\ast g+f\ast m\left(\mathrm{mod}q\right)$. In practice, one ensures the coefficients of a are reduced into the interval $(-q/2,q/2]$ to allow correct recovery in the next step. Recover the plaintext $m^{\prime }\in R_p$: $m^{\prime }\equiv F_p\ast a\left(\mathrm{mod}p\right)$.

Definition 3.

Function GOTP: $\mathcal{X}\times \mathcal{U}\to \mathcal{Y}$, where X, U, and Y denote the plaintext message space, randomness space, and ciphertext space, respectively. Relative to the distributions ${\psi }_{\chi },{\psi }_y,{\psi }_u$, it is termed “generalized” if the following conditions are satisfied:

(a). Decoding: There exists an efficient inverse algorithm $Inv$ such that for all $x\in \mathcal{X}$ and $u\in \mathcal{U}$, $\mathrm{Inv}\left(\mathrm{GOTP}\right(x,u),u)=x$.

(b). Message Hiding: For all $x\in \mathcal{X}$, the random variable $\mathsf{GOTP}(x,u)$ (where $u\leftarrow {\psi }_u$) is identically distributed to ${\psi }_y$.

(c). Randomness Hiding: For all $u\in \mathcal{U}$, the random variable $\mathsf{GOTP}(x,u)$ (where $x\leftarrow {\psi }_x$) is identically distributed to ${\psi }_y$.

2.3. Node Mobility Model

In marine environments, sensor node motion is influenced by various environmental factors such as ocean currents and temperature. Due to tidal forces, currents, and other external conditions, these nodes exhibit stochastic movement characterized by variations in velocity and direction. Studies reveal that underwater object motion under oceanic currents demonstrates distinct regularity, which can be decomposed into horizontal and vertical components. Notably, horizontal motion remains largely unaffected by vertical dynamics [29]. To characterize the dynamics of tidal velocities with position and time, we give model expressions for tidal motions, which consist of the superposition of the mean flow velocity and periodic tidal components:

$$\xi (x,t)={\xi }_0\left(x\right)+\sum _{i=1}^N\left[g_i\left(x\right)\cos \left({\omega }_{i}t\right)\right]+\sum _{i=1}^N\left[h_i\left(x\right)\sin \left({\omega }_{i}t\right)\right]$$

(2)

where x denotes the tidal current position, t represents time variable, $\xi$ indicatess the tidal velocity of the tidal component at position x, $N(1\le i\le N)$ is the number of tidal components, ${\omega }_i$ indicates the tidal frequency, $\sin {\omega }_{i}t$ and $\cos {\omega }_{i}t$ are temporal basis functions for tidal components, ${\xi }_0\left(x\right)$ signifies the observed mean flow velocity, $g_i\left(x\right)$ and $h_i\left(x\right)$ are coefficients corresponding to the temporal basis functions.

Force analysis of sensor nodes is derived from Newton’s second law, with accelerations and velocities calculated separately in horizontal and vertical directions. The horizontal acceleration $a^{\prime }$ and vertical acceleration $a^{″}$ are given by the following formulas:

$$a^{\prime }=a^{\prime }(x,y,t)={\displaystyle \frac{F_l^{\prime }(x,y,t)}{m}}$$

(3)

$$\begin{array}{c}{a}^{″}=a^{″}(x,y,t)={\displaystyle \frac{F_l^{″}(x,y,t)}{m}}\end{array}$$

(4)

where $F_l^{\prime }$ and $F_l^{″}$ represent the tension components in horizontal and vertical directions, and m is the mass of the node. We decompose the rope tension into horizontal and vertical components and consider the equilibrium relationship between buoyancy and gravity. The buoyancy force $F_b=\rho gV$, $F_G$ denotes the gravity of the node, and the rope tension is $F_l=mg$. The tension components can be formulated as:

$$F_l^{\prime }=\sqrt{F_l^2-{\left(F_b-F_G\right)}^2}$$

(5)

$$F_l^{″}=F_b-F_G$$

(6)

The velocity of the node in the horizontal and vertical directions can be derived by integrating the accelerations, where $v^{\prime }$ denotes the horizontal velocity of the node and ${\nu }^{″}$ denotes the vertical velocity of the node, expressed as:

$$v^{\prime }(x,y,t)=\int a^{\prime }(x,y,t)dt$$

(7)

$${\nu }^{″}(x,y,t)=\int a^{″}(x,y,t)dt$$

(8)

In the tidal motion model, the motion of a node is modelled by a combination of the velocity generated by the component force $F_l^{\prime }$ and the velocity generated by the tide, We combine the tidal flow velocity with the node’s own motion velocity to model the total motion of the node, given by the following equation:

$${\xi }^{\prime }(\tau ,t)=\int a^{\prime }(\tau ,t)\mathrm{d}t=\int {\displaystyle \frac{F_l^{\prime }(\tau ,t)}{m}}\mathrm{d}t$$

(9)

$${\xi }_{node(\tau ,t)}=\xi (\tau ,t)+{\xi }^{\prime }(\tau ,t)$$

(10)

$${\xi }_{Node}(\tau ,t)={\xi }_0\left(\tau \right)+\sum _{i=1}^N\left[g_i\left(\tau \right)\cos {\omega }_{i}t\right]+\sum _{i=1}^N\left[h_i\left(\tau \right)\sin {\omega }_{i}t\right]+\int {\displaystyle \frac{F_l^{\prime }(\tau ,t)}{m}}dt$$

(11)

By combining Equations (2), (9), and (10), Equation (11) is derived. Here, ${\xi }_{node(\tau ,t)}$ denotes the total velocity of the node at position $\tau$ and time t, ${\xi }^{\prime }(\tau ,t)$ is the velocity of the node caused by the horizontal component of the rope tension. Subsequently, the position correlation functions ${\xi }_0\left(\tau \right)$, $g_i\left(\tau \right)$ and $h_i\left(\tau \right)$ are expanded into a linear combination of Gaussian radial basis functions.

$$\begin{array}{c}{\xi }_0\left(\tau \right)=\sum _{j=1}^M{k}_{1,j}{\varphi }_j\left(\tau \right)\end{array}$$

(12)

$$g_i\left(\tau \right)=\sum _{j=1}^M{k}_{2,j}{\varphi }_j\left(\tau \right)$$

(13)

$$h_i\left(\tau \right)=\sum _{j=1}^M{k}_{2i+1,j}{\varphi }_j\left(\tau \right)$$

(14)

$${\varphi }_j\left(\tau \right)=\exp \left({\displaystyle \frac{- \Vert \tau -c_i{ \Vert }^2}{2{\sigma }^2}}\right)$$

(15)

where $\tau$ denotes the two-dimensional coordinate position, $\xi$ represents the velocity at $\tau$, M is the number of radial basis functions, N is the number of tidal components, $k_{i,j}$ the coefficients of the Gaussian radial basis functions, ${\varphi }_j\left(\tau \right)$ is the jth Gaussian radial basis function, $c_i$ is the center of the ith Gaussian radial basis function, and $\sigma$ defines the width parameter of the radial basis function.

3. The Proposed Authentication Scheme

The proposed authentication protocol consists of four phases: initialization phase, node registration phase, login and authentication phase, and password update phase. These phases are elaborated in detail below. The notations used in this paper are shown in

Table 1. Notations and descriptions.

Notation	Description
$I{D}_k,P{W}_k$	Identity and password of user
$L_i(i=f,g,r,m)$	Set of polynomials i over ring $R=\mathbb{Z}\left[x\right]/(x^N-1)$
$L_{m,gw},L_{m,sn}$	Random polynomials selected from $L_m$
$I{D}_{j,GW},PI{D}_{j,GW}$	Identity and pseudo-identity of the jth gateway node
$I{D}_{i,SN},PI{D}_{i,SN}$	Identity and pseudo-identity of the ith sensor node
$h_{j,GW},F_{j,GW}$	Public/private key of the jth gateway node
$h_{i,SN},F_{i,SN}$	Public/private key of the ith sensor node
$h_{SC},F_{SC}$	Public/private key of smart card
$S{K}_{i,j}$	Session key between i and j
$r_m,r_n$	Random number generated by user
$a_i,r_{gw}$	Random number generated by gateway node
$r_{sc},r_{sn}$	Random number generated by smart card and sensor node, respectively
$En{c}_K\left(X\right)$	Message X encrypted with public key K
$GOTP\left(\right),Inv\left(\right)$	Key encapsulation/decapsulation
‖	Concatenate operation
⊕	XOR operation
$H\left(\right)$	One-way hash function
$T_i$	Timestamp
$\Delta T$	The allowable maximum transmission time interval
$L_p,L_c$	The initial and current location
$\Delta L$	The allowable maximum displacement

.

3.1. Initialization Phase

The Registration Center (RC) selects three integer parameters $(N,p,q)$ and four polynomial sets $(L_f,L_g,L_r,L_m)$ based on the ring $R=\mathbb{Z}\left[x\right]/(x^N-1)$. Here, $f\in L_f$ and $g\in L_g$. The RC computes its public key $h_{\mathrm{RC}}\equiv f^{-1}·g\left(\mathrm{mod}q\right)$, where f is retained as the private key. A secure hash function $H:{\{0,1\}}^{\ast }\to {\{0,1\}}^{\lambda }$ is selected, where $\lambda$ is a positive integer. The private key f remains confidential, while the public parameters $(N,p,q,L_f,L_g,L_r,L_m,H,h_{\mathrm{RC}})$ are published.

3.2. Node Registration Phase

Prior to mutual authentication, gateways, sensor nodes, and users must complete legitimate registration. The registration process for user nodes is shown in

Table 2. User node registration process.

User	Gateway Node
Select $I{D}_k$, $P{W}_k$
Select random number $r_m$, $r_n$
Compute $MI{D}_k$, $MP{W}_k$
Send $\{MI{D}_k,MP{W}_k\}$ $\overrightarrow{securechannel}$
	Select random number $a_i$
	Compute $A_1$, $A_2$
	$A_1,A_2,a_i$ add in Smart Card
	$\overleftarrow{securechannel}$ Send Smart Card
Compute $A_3$, $A_4$, $A_5$
$A_3,A_4,A_5$ add in Smart Card

. The steps are as follows:

3.2.1. Gateway and Sensor Node Registration

Step 1: The RC assigns unique identities $I{D}_{j,GW}\in ID$ and $I{D}_{i,SN}\in ID$ to the gateway and sensor node, respectively. It then selects random polynomials $L_{m,gw}\in L_m$ and $L_{m,sn}\in L_m$, which are kept secret. The pseudonyms for the gateway and sensor node are computed as:$PI{D}_{j,GW}=H(h_{j,GW} \Vert L_{m,gw}\ast h_{RC})\oplus I{D}_{j,GW}$, $PI{D}_{i,SN}=H(h_{i,SN} \Vert L_{m,sn}\ast h_{RC})\oplus I{D}_{i,SN}$.

Step 2: The RC computes the public keys for the gateway and sensor node as: $h_{j,GW}\equiv F_{j,GW}\ast g\left(\mathrm{mod}q\right)$, $h_{i,SN}\equiv F_{i,SN}\ast g\left(\mathrm{mod}q\right)$, where $f_{j,GW}\in L_f$ and $f_{i,SN}\in L_f$.

Step 3: The RC sets the initial location information for the sensor node. Before deploying the node to the target waters, the gateway and sensor node share the initial location $L_p$.

Step 4: The RC sends $\{PI{D}_{i,SN},I{D}_{i,SN},h_{j,GW},h_{i,SN}\}$ to the sensor node and $\{PI{D}_{j,GW},I{D}_{i,SN},I{D}_{j,GW},h_{j,GW},h_{i,SN}\}$ to the gateway node through a secure offline channel. If new sensor nodes are added or existing nodes are updated, the registration process follows the above steps.

3.2.2. User Node Registration

Step 1: The RC selects a private key $f_{sc}\in L_f$ for the smart card (SC) and computes the corresponding public key as: $h_{SC}\equiv F_{SC}\ast g\left(\mathrm{mod}q\right)$, The RC sends $h_{sc}$ to the SC through a secure offline channel.

Step 2: The user selects identity $I{D}_k$, password $P{W}_k$, and random numbers $r_m$ and $r_n$. The user computes: $MI{D}_k=H((P{W}_k \Vert r_m)\oplus I{D}_k)$, $MP{W}_k=H((I{D}_k \Vert r_n)\oplus P{W}_k)$, and sends $\{MI{D}_k,MP{W}_k\}$ securely to the gateway node.

Step 3: Upon receiving the message, the gateway generates a random number $a_i$ and computes: $A_1=H(MI{D}_k \Vert a_i)\oplus I{D}_{j,GW}$, $A_2=H(MP{W}_k \Vert I{D}_{j,GW})\oplus h_{j,GW}$, The gateway stores $\{A_1,A_2,a_i\}$ in the SC and sends the SC to the user.

Step 4: After receiving the SC, the user computes: $A_3=r_m\oplus H(I{D}_k \Vert P{W}_k)$, $A_4=r_n\oplus H(I{D}_k \Vert P{W}_k)$ and $A_5=H(MI{D}_k \Vert r_m)\oplus H(MP{W}_k \Vert r_n)$. The user sends $\{A_3,A_4,A_5\}$ to the SC.

3.3. Login and Authentication Phase

Secure session key is established among the user, the gateway and the sensor node. The authentication and key negotiation process is shown in

Table 3. Authentication and key negotiation process.

User	Gateway Node	Sesnor Node
Insert SC and input $I{D}_k^{\ast }$, $P{W}_k^{\ast }$
Compute $r_m^{\ast },r_n^{\ast },MI{D}_k^{\ast },MP{W}_k^{\ast },A_5^{\ast }$
Check whether $A_5=A_5^{\ast }$
Compute $I{D}_{j,GW}^{\ast }=H(MI{D}_k \Vert a_i)\oplus A_1$
$h_{j,GW}^{\ast }=H(MP{W}_k \Vert I{D}_{j,GW})\oplus A_2$
SC produces a random number $r_{sc}$
$S_1=h_{j,GW}^{\ast }\ast F_{SC}\left(\mathrm{mod}q\right)$
$S{K}_{ug}=H(MI{D}_k \Vert I{D}_{j,GW}^{\ast } \Vert S_1)$
Encapsulate $h_{sc}$, encrypt $h_{j,GW}^{\ast }$
Compute $S_2$, $S_3$
$Ms{g}_1=\{S_3,c_{r_{ug}},T_1\}⟶$	Check $T_2-T_1\le \Delta T$
	Decrypt $c_{r_{ug}}$, obtain $c_{ug} \Vert r_{sc}$
	GW produces a random number $r_{gw}$
	Decapsulate $c_{ug}$, obtain $h_{sc}$
	Compute $S_2^{\ast }$, $V_1$, $S{K}_{gu}$
	Check $S_3^{\ast }=S_3$
	$W_1=F_{j,GW}\ast h_{i,SN}\left(\mathrm{mod}q\right)$
	$S{K}_{gs}=H(I{D}_{i,SN} \Vert PI{D}_{j,GW} \Vert W_1)$
	Encapsulate $PI{D}_{j,GW}$, encrypt $h_{i,SN}$
	Compute $W_2$
	$Ms{g}_2=\{W_2,c_{r_{gs}},T_2\}⟶$	Check $T_3-T_2\le \Delta T$
		Compute $M_1=F_{i,SN}\ast h_{j,GW}\left(\mathrm{mod}q\right)$
		$S{K}_{sg}=H(PI{D}_{j,GW} \Vert I{D}_{i,SN} \Vert M_1)$
		Decrypt $c_{r_{gs}}$, obtain $c_{gs} \Vert r_{gw}$
		SN produces a random number $r_{sn}$
		Decapsulate $c_{gs}$, obtain $PI{D}_{j,GW}$
		Check $W_2^{\ast }=W_2$
		$X_n=H(X_{n-1} \Vert L_c)$
		Encapsulate $r_{sn}$, encrypt $h_{j,GW}$
		Compute $M_2$
	Check $T_4-T_3\le \Delta T$	$⟵Ms{g}_3=\{M_2,c_{r_{cg}},T_3\}$
	Decrypt $c_{r_{sg}}$, verify $r_{gw}$
	Compare $\Delta L$ and $\Delta L_{max}$
	$X_n=H(X_{n-1} \Vert L_c)$
	Decapsulate $c_{sg}$, obtain $r_{sn}$
	Check $M_2^{\ast }=M_2$
	Negotiate session key $S{K}_{gs}=S{K}_{sg}$
	Encapsulate $r_{gw}$, encrypt $h_{sc}$
	Compute $V_2$, $V_3$
Check $T_5-T_4\le \Delta T$	$⟵Ms{g}_4=\{V_2,V_3,c_{r_{gu}},T_4\}$
Decrypt $c_{r_{gu}}$, obtain $c_{gu}\parallel r_{sc}$
Verify the correctness of $r_{sc}$
Decapsulate $c_{gu}$, obtain $r_{gw}$
Check $V_3^{\ast }=V_3$
Negotiate session key $S{K}_{ug}=S{K}_{gu}$

. The detailed steps are as follows:

Step 1: The user inserts the SC into a reader and inputs their identity $I{D}_k^{\ast }$, password $P{W}_k^{\ast }$.

Step 2: The SC computes: $r_m^{\ast }=A_3\oplus H(I{D}_k^{\ast } \Vert P{W}_k^{\ast })$, $r_n^{\ast }=A_4\oplus H(I{D}_k^{\ast } \Vert P{W}_k^{\ast })$. Based on $MI{D}_k^{\ast }=H((P{W}_k^{\ast } \Vert r_m^{\ast })\oplus I{D}_k^{\ast })$, $MP{W}_k^{\ast }=H((I{D}_k^{\ast } \Vert r_n^{\ast })\oplus P{W}_k^{\ast })$, $A_5^{\ast }=H(MI{D}_k^{\ast } \Vert r_m^{\ast })\oplus H(MP{W}_k^{\ast } \Vert r_n^{\ast })$. the SC verifies whether $A_5$ matches the computed value $A_5^{\ast }$. If they match, the user is authenticated; otherwise, access is denied.

Step 3: The user inserts the SC into the reader to retrieve messages, computes: $I{D}_{j,GW}^{\ast }=H(MI{D}_k\parallel a_i)\oplus A_1$, $h_{j,GW}^{\ast }=H(MP{W}_k\parallel I{D}_{j,GW})\oplus A_2$, generates a random number $r_{sc}$, and computes the session key $S{K}_{ug}$ with the gateway node: $S_1=h_{j,GW}^{\ast }\ast F_{SC}\left(\mathrm{mod}q\right)$, $S{K}_{ug}=H(MI{D}_k \Vert I{D}_{j,GW}^{\ast } \Vert S_1)$.

Step 4: The user computes redundancy message and encrypts the key encapsulation: $u_{ug}=H(r_{sc} \Vert a_i)$, $c_{ug}=GOTP(h_{sc},u_{ug})$, $c_{r_{ug}}=Enc(h_{j,GW}^{\ast },c_{ug} \Vert r_{sc})$, $S_2=H(r_{sc}\ast h_{j,GW}^{\ast } \Vert MI{D}_k)$, $S_3=H(MI{D}_k \Vert I{D}_{j,GW}^{\ast } \Vert S{K}_{ug} \Vert S_2 \Vert r_{sc} \Vert T_1)$, where $T_1$ is the current timestamp. The user sends the message $Ms{g}_1=\{S_3,c_{r_{ug}},T_1\}$ to the gateway node.

Step 5: Upon receiving the login request message $Ms{g}_1$, the gateway checks whether $T_2-T_1\le \Delta T$, where $T_2$ is the time the gateway receives the request and $\Delta T$ is the maximum allowed time difference. If the time difference is within the acceptable range, access is granted; otherwise, it is denied.

Step 6: The gateway decrypts $c_{r_{ug}}$ using its private key $F_{j,GW}$ to obtain $c_{ug} \Vert r_{sc}$, computes the redundancy message: $u_{ug}=H(r_{sc} \Vert a_i)$, decapsulates the public key: $h_{sc}=In\nu (c_{ug} \Vert u_{ug})$, and computes: $S_2^{\ast }=H(r_{sc}\ast h_{j,GW} \Vert MI{D}_k)$, $V_1=h_{sc}\ast F_{j,GW}\left(\mathrm{mod}q\right)$, $S{K}_{gu}=H(MI{D}_k\parallel I{D}_{i,GW}\parallel V_1)$, $S_3^{\ast }=H(MI{D}_k\parallel I{D}_{j,GW}\parallel S{K}_{gu}\parallel S_2^{\ast }\parallel r_{sc}\parallel T_1)$. The gateway verifies whether $S_3$ matches $S_3^{\ast }$. If they match, the gateway successfully authenticates the user; otherwise, access is immediately denied.

Step 7: The gateway generates a random number $r_{gw}$ and computes the session key with the sensor node: $W_1=F_{j,GW}\ast h_{i,SN}\left(\mathrm{mod}q\right)$, $S{K}_{gs}=H(I{D}_{i,SN} \Vert PI{D}_{j,GW} \Vert W_1)$. It then computes the redundancy message and ciphertext: $u_{gs}=H(r_{gw}\parallel W_1)$, $c_{\mathfrak{gs}}=GOTP(PI{D}_{j,GW},u_{\mathfrak{gs}})$, $c_{r_{gs}}=Enc(h_{i,SN},c_{gs} \Vert r_{gw})$, $W_2=H(PI{D}_{j,GW} \Vert I{D}_{i,SN} \Vert S{K}_{gs} \Vert r_{gw} \Vert T_2)$. The gateway sends the message $Ms{g}_2=\{W_2,c_{r_{gz}},T_2\}$, to the sensor node.

Step 8: At time $T_3$, the sensor node receives the message $Ms{g}_2$ and checks the freshness of $T_3$ by verifying $T_3-T_2\le \Delta T$. If the condition is satisfied, the process continues to step 9; otherwise, it is terminated immediately.

Step 9: The sensor node decrypts $c_{r_{gs}}$ using its private key $F_{i,SN}$ to obtain $c_{gs} \Vert r_{gw}$. It then computes redundancy message: $M_1=F_{i,SN}\ast h_{j,GW}\left(\mathrm{mod}q\right)$, $u_{gs}=H(r_{gw} \Vert M_1)$, and decapsulates to retrieve: $PI{D}_{j,GW}=Inv(c_{gs},u_{gs})$. The shared session key is computed as: $S{K}_{sg}=H(I{D}_{i,SN} \Vert PI{D}_{j,GW} \Vert M_1)$, $W_2^{\ast }=H(PI{D}_{j,GW} \Vert I{D}_{i,SN} \Vert S{K}_{sg} \Vert r_{gw} \Vert T_2)$. The sensor node verifies whether $W_2$ matches $W_2^{\ast }$. If they match, the sensor node authenticates the gateway as legitimate.

Step 10: The sensor node extracts its current location information $L_c$ and computes the location hash: $X_n=H(X_{n-1} \Vert L_c)$. It generates a new random number $r_{sn}$ and computes the redundancy message and ciphertext: $u_{sg}=H(r_{gw} \Vert M_1)$, $c_{sg}=GOTP(r_{sn},u_{sg})$, $c_{r_{sg}}=Enc(h_{j,GW},c_{sg} \Vert r_{gw} \Vert L_c)$, $M_2=H(PI{D}_{j,GW} \Vert I{D}_{i,SN} \Vert S{K}_{sg} \Vert r_{sn} \Vert X_n \Vert T_3)$. The sensor node sends the message $Ms{g}_3=\{M_2,c_{r_{sg}},T_3\}$ to the gateway.

Step 11: At time $T_4$, the gateway receives the message $Ms{g}_3$ and verifies $T_4-T_3\le \Delta T$. It also checks the sensor node’s identity $I{D}_{i,SN}$ to prevent replay attacks.

Step 12: The gateway decrypts $c_{r_{sg}}$ using its private key $F_{j,GW}$ to obtain the ciphertext, random number, and the sensor node’s current location $c_{sg} \Vert r_{gw} \Vert L_c$. It verifies whether the random number $r_{gw}$ matches the previously generated value. If they match, the sensor node is authenticated as legitimate.

Step 13: The gateway predicts the sensor node’s current position $L_c$ using the buoyancy-driven flow model. Based on the sensor’s motion model, it calculates the maximum allowable displacement from $L_p$ to $L_c$: $\Delta L_{max}=\zeta (\tau ,t)·\Delta T$, where $\zeta (\tau ,t)$ is the velocity equation derived from tension and tidal forces (see Equation (11)). The actual displacement is computed as: $\Delta L=\left|L_p-L_c\right|$, If $\Delta L\le \Delta L_{\max }$, the position update is deemed valid.

Step 14: The gateway computes the location hash: $X_n=H(X_{n-1} \Vert L_c)$, and the redundancy message: $u_{sg}=H(r_{gw} \Vert W)$. It decapsulates $r_{sn}=Inv(c_{sg},u_{sg})$ and verifies whether: $M_2^{\ast }=H(PI{D}_{j,GW} \Vert I{D}_{i,SN} \Vert S{K}_{gs} \Vert r_{sn} \Vert X_n \Vert T_3)$ matches $M_2$. If they match, the gateway confirms the integrity and consistency of the sensor’s position update. A shared session key $S{K}_{gs}=S{K}_{sg}$ is established, and a secure communication channel is initialized.

Step 15: The gateway computes the redundancy message: $u_{gu}=H(r_{sc} \Vert V_1)$, and encapsulates the ciphertext: $c_{gu}=GOTP(r_{gw},u_{gu})$, $c_{r_{gu}}=Enc(h_{sc},c_{gu} \Vert r_{sc})$. Using the random number $a_i$, the gateway computes: $V_2=H\left(MI{D}_k \Vert MP{W}_k \Vert a_i\right)\oplus PI{D}_{j,GW}$, $V_3=H(PI{D}_{j,GW} \Vert I{D}_{j,GW} \Vert S{K}_{gu} \Vert r_{gw} \Vert a_i \Vert T_4)$. The gateway sends $Ms{g}_4=\{V_2,V_3,c_{r_{gu}},T_4\}$ to the user.

Step 16: At time $T_5$, the user receives $Ms{g}_4$ and checks whether $T_5-T_4\le \Delta T$. If the condition is not satisfied, access is immediately terminated.

Step 17: The user decrypts $c_{r_{gu}}$ using their private key $F_{SC}$ to obtain $c_{gu} \Vert r_{sc}$. If the decrypted random number $r_{sc}$ matches, the gateway is authenticated as legitimate. The user then computes the redundancy message: $u_{gu}=H(r_{sc} \Vert S_1)$, and decapsulates: $r_{gw}=Inv(c_{gu},u_{gu})$, $PI{D}_{j,GW}^{\ast }=H(MI{D}_k \Vert MP{W}_k \Vert a_i)\oplus V_2$. The user verifies whether: $V_3^{\ast }=H(PI{D}_{j,GW}^{\ast }\parallel I{D}_{j,GW}^{\ast }\parallel S{K}_{ug}\parallel r_{gw}\parallel a_i\parallel T_4)$ matches $V_3$. If they match, the user successfully authenticates the gateway, and a shared session key $S{K}_{ug}=S{K}_{gu}$ is established.

3.4. Password Update Phase

To enhance the security of the authentication process, users can update their original password by performing the following steps:

Insert the SC into the card reader, and the user inputs their identity $I{D}_k$ and password $P{W}_k$. The system then verifies the legitimacy of the user through steps 1 and 2 in Section 3.3. If the user is not legitimate, access is denied. The user selects a new password $P{W}_k^{new}$, computes the following: $MP{W}_k^{new}=H((I{D}_k\parallel r_n)\oplus P{W}_k^{new})$, $MI{D}_k^{new}=H((P{W}_k^{new} \Vert r_m)\oplus I{D}_k)$, $A_3^{new}=A_3\oplus H(I{D}_k \Vert P{W}_k)\oplus H(I{D}_k \Vert P{W}_k^{new})$, $A_4^{new}=A_4\oplus H(I{D}_k \Vert P{W}_k)\oplus H(I{D}_k \Vert P{W}_k^{new})$, $A_5^{new}=H(MI{D}_k^{new} \Vert (A_3\oplus H(I{D}_k \Vert P{W}_k)))\oplus H(MP{W}_k^{new} \Vert (A_4\oplus H(I{D}_k \Vert P{W}_k)))$, replace the existing parameters with the newly computed values.

4. Safety Analysis

This section first employs the random oracle model to assess the security and robustness of the proposed protocol. Subsequently, through informal security analysis and discussion, we demonstrate that the proposed scheme is secure and robust, capable of withstanding various attacks encountered during underwater acoustic communication.

4.1. Random Oracle Model Analysis

This subsection uses the random oracle model to validate the security of the scheme. We assumed that the adversary $\mathcal{A}$ is a probabilistic polynomial-time adversary within time t, capable of eavesdropping, modifying, inserting, and replaying messages. $\mathcal{A}$ can obtain corresponding response bits b by querying oracle instances of users, gateways, and sensor nodes. $Succ\left(\mathcal{A}\right)$ denotes the event in which $\mathcal{A}$ successfully guesses the oracle bit $b^{\prime }$, i.e., $b=b^{\prime }$. The probability of a successful guess is denoted as $\mathrm{Pr}\left[S\right]$. P represents the proposed identity authentication key agreement protocol. The advantage of the adversary in breaking the semantic security of protocol P is expressed as: $Ad{v}_P^{AKE}\left(\mathcal{A}\right)=\left|\mathrm{Pr}\left[S\right]-{\displaystyle \frac{1}{2}}\right|$. The key agreement protocol is considered secure in terms of semantic security if the advantage is negligible for any probabilistic polynomial-time adversary.

Definition 4.

Collision-Resistant One-Way Hash Function: A collision-resistant one-way hash function $H:{\left\{0,1\right\}}^{\ast }\to {\left\{0,1\right\}}^{\lambda }$ produces unpredictable outputs with irreversibility and collision resistance. It prevents adversaries from obtaining sensitive information. For any two distinct inputs $x_1$ and $x_2$, $H\left(x_1\right)\ne H\left(x_2\right)$. Let $\mathcal{A}(\alpha ,t)$ denote an adversary who attempts to find a collision between distinct inputs within time t. The collision advantage is defined as: $Ad{\nu }_{\mathcal{A}}^h\left(t\right)=\mathrm{Pr}[x_1\ne x_2,H\left(x_1\right)=H\left(x_2\right)]$, for any sufficiently small $\alpha >0$, satisfying $Ad{\nu }_{\mathcal{A}}^h\left(t\right)\le \alpha$.

Definition 5.

NTRU Algorithm: An adversary cannot effectively distinguish the public key h from a uniformly random polynomial $u\in R_q$, where $f,g\leftarrow \psi$ and $u\leftarrow R_q$. Let $\mathcal{A}(\beta ,t)$ denote an adversary who attempts to distinguish h from u within time t. The distinguishing advantage is defined as: ${\mathrm{Adv}}_{\mathrm{n},\mathrm{q},■,\mathcal{A}}^{NTRU}\left(t\right)=\mathrm{Pr}[\mathcal{A}\left(h\right)=1]-\mathrm{Pr}[\mathcal{A}\left(u\right)=1]$. For any sufficiently small $\beta >0$, we require ${\mathrm{Adv}}_{\mathrm{n},\mathrm{q},■,\mathcal{A}}^{NTRU}\left(t\right)\le \beta$. This implies that recovering the private key $(f,F_q)$ from the public key $h\equiv F_q\ast g\left(\mathrm{mod}q\right)\in R_q$ is infeasible due to the specific generation structure. Even if the adversary distinguishes h from ciphertext c, recovering the random number r or plaintext e remains intractable because the NTRU one-way problem is hard [30,31].

Definition 6.

GOTP Key Encapsulation: The GOTP key encapsulation scheme via ACWC transformation is secure [32]. For any adversary $\mathcal{A}$ challenging the security of ACWC[PKE,GOTP,F] in a public-key encryption (PKE) scheme, with at most $q_F$ random oracle queries, there exists an adversary $\mathcal{B}$ challenging the security of PKE such that:

$$Ad{v}_{\mathcal{A}}^{ACWC[PKE,GOTP,F]}\left(t\right)\le Ad{v}_{\mathcal{B}}^{PKE}(t+\mathcal{O}\left(q_F\right))+\mu$$

(16)

where μ is a negligible term.

Theorem 1.

Let an adversary $\mathcal{A}$ perform $q_e$ execution queries, $q_s$ send queries, $q_h$ hash queries, and $q_F$ random oracle queries within time t. The advantage of $\mathcal{A}$ in compromising the semantic security of protocol P is bounded by:

$$\begin{array}{cc}\hfill {\mathrm{Adv}}_P^{AKE}\left(\mathcal{A}\right)& \le {\displaystyle \frac{q_h^2+3{(q_s+q_e)}^2+q_F(q_s+q_e)}{2^{\lambda +1}}}+(q_s+q_e)\{{\mathrm{Adv}}_{\mathcal{A}}^{NTRU}\left(t\right)\hfill \\ & +Ad{v}_{\mathcal{A}}^{ACWC[PKE,GOTP,F]}(t+\mathcal{O}\left(q_F\right))\}\hfill \end{array}$$

(17)

Proof. 

Define a sequence of games $G{m}_i(0\le i\le 4)$ to simulate the adversary’s attack and demonstrate the security of the proposed scheme. In each game $G{m}_i$, $S_i(0\le i\le 4)$ denotes the event that the adversary succeeds in the test query, and $\mathrm{Pr}\left[S_i\right]$ denotes the corresponding success probability. The detailed description of each game is as follows:

$G{m}_0$: This game represents the real attack in the random oracle model. The advantage of $\mathcal{A}$ is defined as the difference between the success probability and the random guessing probability. Thus, we get

$$Ad{v}_{\mathcal{A}}\left(t\right)=\left|\mathrm{Pr}\left[S_0\right]-{\displaystyle \frac{1}{2}}\right|$$

(18)

$G{m}_1$: In this game, the proposed authentication protocol is tested, executed, sent, and corrupt according to specific instance queries. A hash list $Lis{t}_H$ is used to simulate the hash function H. For any hash query, if x already exists in $Lis{t}_H$, the corresponding y is returned; otherwise, a random number $y\in {\{0,1\}}^{\lambda }$ is generated, returned and stored in the list. Therefore, the adversary cannot distinguish between random values and the output of the hash function, and the success probabilities of $G{m}_1$ and $G{m}_0$ are almost identical. Thus we obtain

$$\mathrm{Pr}\left[S_1\right]=\mathrm{Pr}\left[S_0\right]$$

(19)

$G{m}_2$: This game considers collisions in hash queries. If a collision occurs in the authentication message, the game aborts, and the adversary wins. According to the birthday paradox, the collision probability of the hash function results is no more than $\frac{q_h^2}{2^{\lambda +1}}$; The probability that random numbers $r_m$ and $r_n$ may collide is no more than $\frac{{(q_s+q_e)}^2}{2^{\lambda +1}}$; The probability that random numbers $r_{sc}$, $r_{gw}$ and $r_{sn}$ may be the same in different sessions is no more than $\frac{{(q_s+q_e)}^2}{2^{\lambda +1}}$. Thus $G{m}_2$ is indistinguishable from $G{m}_1$ and we get

$$\left|\mathrm{Pr}\left[S_2\right]-\mathrm{Pr}\left[S_1\right]\right|\le {\displaystyle \frac{q_h^2+2{(q_s+q_e)}^2}{2^{\lambda +1}}}$$

(20)

$G{m}_3$: The difference between Game $G{m}_3$ and Game $G{m}_2$ lies in the requirement to solve the NTRU problem when compromising the session keys $S{K}_{ug}$ and $S{K}_{gs}$. The session keys are derived from the private keys $\{F_{SC},F_{j,GW},F_{SN}\}$ and $\{MI{D}_k,PI{D}_{j,GW}\}$. The adversary cannot obtain the private keys directly and can only attempt to guess them. A successful guess implies solving the NTRU problem, with a probability of $(q_s+q_e)·{\mathrm{Adv}}_{\mathcal{A}}^{NTRU}\left(t\right)$; $MI{D}_k$ and $PI{D}_{j,GW}$ are generated by a hash function of length $\lambda$. The adversary attempts to generate identical $\{MI{D}_k,PI{D}_{j,GW}\}$ through $q_s$, $q_e$ and $q_F$ queries, the probability is $\frac{(q_s+q_e+q_F)(q_s+q_e)}{2^{\lambda +1}}$. If neither of these events occurs, we obtain

$$\left|\mathrm{Pr}\left[S_3\right]-\mathrm{Pr}\left[S_2\right]\right|\le (q_s+q_e)·{\mathrm{Adv}}_{\mathcal{A}}^{NTRU}\left(t\right)+{\displaystyle \frac{(q_s+q_e+q_F)(q_s+q_e)}{2^{\lambda +1}}}$$

(21)

$G{m}_4$: The difference between Game $G{m}_4$ and $G{m}_3$ is that the adversary simulates sending, executing, testing, and corrupting queries to simulate messages $\{Ms{g}_1,Ms{g}_2,Ms{g}_3,Ms{g}_4\}$. If verification fails, the game terminates. The key point is whether the adversary can obtain the random number, which would imply breaking the GOTP encapsulation encryption scheme. The probability of success is:

$$\left|\mathrm{Pr}\left[S_4\right]-\mathrm{Pr}\left[S_3\right]\right|\le (q_s+q_e)Ad{v}_{\mathcal{A}}^{ACWC[PKE,GOTP,F]}(t+\mathcal{O}\left(q_F\right))$$

(22)

Since the adversary initiates the queries, the final way to win is by guessing whether the random bits b and $b^{\prime }$ are equal in the test query, thus $\mathrm{Pr}\left[S_4\right]={\displaystyle \frac{1}{2}}$. By analyzing the games $G{m}_0$ to $G{m}_4$, we calculate: ${\mathrm{Adv}}_P^{AKE}\left(\mathcal{A}\right)=\left|\mathrm{Pr}\left[S_1\right]-\mathrm{Pr}\left[S_4\right]\right|$.

Using the triangle inequality and Equations (20)–(22), we compute

$$\begin{array}{cc}\hfill \left|\mathrm{Pr}\left[S_1\right]-\mathrm{Pr}\left[S_4\right]\right|\le & \left|\mathrm{Pr}\left[S_1\right]-\mathrm{Pr}\left[S_2\right]\right|+\left|\mathrm{Pr}\left[S_2\right]-\mathrm{Pr}\left[S_4\right]\right|\le \hfill \\ & \left|\mathrm{Pr}\left[S_1\right]-\mathrm{Pr}\left[S_2\right]\right|+\left|\mathrm{Pr}\left[S_2\right]-\mathrm{Pr}\left[S_3\right]\right|+\hfill \\ & \left|\mathrm{Pr}\left[S_3\right]-\mathrm{Pr}\left[S_4\right]\right|\hfill \end{array}$$

In summary, we obtain

$$\begin{array}{cc}\hfill {\mathrm{Adv}}_P^{AKE}\left(\mathcal{A}\right)\le & {\displaystyle \frac{q_h^2+3{(q_s+q_e)}^2+q_F(q_s+q_e)}{2^{\lambda +1}}}+(q_s+q_e)\hfill \\ & \{{\mathrm{Adv}}_{\mathcal{A}}^{NTRU}\left(t\right)+Ad{\nu }_{\mathcal{A}}^{ACWC[PKE,GOTP,F]}(t+\mathcal{O}\left(q_F\right))\}\hfill \end{array}$$

It can be concluded that the advantage of the adversary is negligible. □

4.2. Informal Security Analysis

This section provides an informal security analysis to verify that the proposed scheme meets privacy and security requirements by resisting various types of attacks.

Table 4. Comparison of security features.

	Tomović et al. [7]	Kumar et al. [9]	Li et al. [13]	Moghadam et al. [14]	Mo et al. [18]	Xie et al. [20]	NTRU-GOPA
Replay Attack	✓	✓	✓	✓	✓	✓	✓
Man-in-the-Middle Attack	✓	✓	×	✓	✓	✓	✓
User Anonymity	×	×	✓	✓	✓	✓	✓
Untraceability	✓	×	×	×	✓	✓	✓
DoS Attack	✓	✓	×	✓	✓	×	✓
Offline Password Guessing Attack	✓	✓	✓	✓	×	✓	✓
User Impersonation Attack	✓	✓	✓	✓	✓	✓	✓
Sensor Node Capture Attack	×	×	×	×	✓	✓	✓
Quantum Attack Resistance	×	×	×	×	×	×	✓
Perfect Forward/Backward Security	✓	×	✓	×	✓	✓	✓
Location-Based Authentication	×	×	×	×	×	×	✓

provides a comparison of the security features across different schemes.

(a). Replay Attack: Distinct random numbers are used in each session phase to ensure the uniqueness of messages. Additionally, timestamps are utilized to guarantee message freshness. If an attacker attempts to transmit captured messages from previous sessions to the current session, the session will terminate immediately due to exceeding the maximum time interval. Even if an attacker intercepts transmitted messages over the public channel, they cannot compute corresponding parameters within polynomial time due to the use of hash functions and the NTRU encryption algorithm [30]. Similarly, attackers cannot replay or forge messages, ensuring temporal validity. Thus, the proposed scheme resists replay attacks.

(b). Man-In-The-Middle (MITM) Attack: Assume an attacker masquerades as a legitimate node to intercept messages $Ms{g}_3$ from the public channel. To succeed, the attacker must obtain messages $\{M_2,c_{r_{sg}},T_3\}$ from the sensor to the gateway, as well as the initial parameters $\{PI{D}_{j,GW},I{D}_{i,SN},r_{gw},r_{sn},L_c,T_3\}$ and their respective private keys. However, no one can forge valid information to deceive any communication participant without the private keys and random numbers. Therefore, the proposed scheme can resist man-in-the-middle attacks. The encryption process ensures that intermediaries cannot tamper with or falsify authentication information.

(c). User Anonymity and Untraceability: Anonymity ensures that attackers cannot determine the user’s real identity. Sensitive information is dynamically embedded in $\{MI{D}_k,MP{W}_k\}$, which are generated using different random numbers $r_m,r_n$ in each session. According to Definition 4, the one-way property of hash functions and the unpredictability and uniqueness of random numbers prevent attackers from extracting valid information even if $\{MI{D}_k,MP{W}_k,A_3,A_4,A_5\}$ are intercepted. Untraceability ensures that sessions between different devices cannot be tracked, and attackers cannot link legitimate users to sensor nodes through session analysis. By using timestamps and random numbers $r_{sc},r_{gw},r_{sn}$ for encapsulation and encryption, as demonstrated in Equation (22), the probability of successful decryption by an attacker is negligible [31]. Session keys generated via public-private key pairs ensure the uniqueness of authentication messages, making it impossible for attackers to trace encrypted results of the same message.

(d). DoS Attack: The proposed scheme incorporates a SC pre-authentication mechanism to prevent duplicate registrations and enhance protocol security. Authentication messages are stored in the SC. When the user inputs their identity and password, the SC verifies their legitimacy by comparing $A_5^{\ast }$ and $A_5$. If an attacker attempts frequent login operations or large-scale registration, the SC rejects unauthorized access. Attackers cannot guess random numbers or compute precise authentication messages. Additionally, the timestamp mechanism discards repeated messages received via insecure channels, making it difficult for attackers to launch targeted denial-of-service attacks.

(e). Offline Password Guessing Attack: Assume an attacker intercepts authentication messages $\{S_3,c_{r_{ug}},T_1,V_2,V_3,c_{r_{gu}},T_4\}$ between the user and the gateway. $S_3$ and $V_3$ are encrypted using irreversible hash functions, and ciphertext c is derived through NTRU encryption. Cracking these components is computationally infeasible. Even if $\mathcal{A}$ obtains $PI{D}_{j,GW}$ from $V_2$, $PI{D}_{j,GW}=H(h_{j,GW} \Vert L_{m,gw}\ast h_{RC})\oplus D_{j,GW}$ is a pseudo-identity generated during registration using a random polynomial $L_{m,gw}\in L_m$. Since $L_{m,gw}$ is kept confidential, the dynamic pseudo-identity mechanism makes password guessing attacks highly challenging. If $\mathcal{A}$ compromises network-transmitted messages, they only obtain hashed identities and passwords, ensuring resistance to password guessing attacks.

(f). User Impersonation Attack: Assume an attacker attempts to impersonate a user. The attacker needs to obtain the secret values $\{r_{sc},a_i,MI{D}_k,MP{W}_k,I{D}_{j,GW}\}$ and session keys $S{K}_{ug}$. However, only legitimate users know the random numbers $\{r_{sc},r_m,r_n\}$, making it difficult for the attacker to decrypt the ciphertext and forge a shared session key to compute accurate valid information within polynomial time. Additionally, the gateway node will compute $S_3^{\ast }$ and compare it with the received $S_3$. Therefore, attackers cannot obtain the precise secret values from the information transmitted between the user and the gateway node, demonstrating that the protocol can resist user impersonation attacks.

(g). Sensor Node Capture Attack: Suppose the sensor nodes in the target area are captured by an attacker, who extracts the information $\{PI{D}_{j,SN},I{D}_{i,SN},h_{j,GW},h_{i,SN}\}$ from memory and intercepts the authentication messages $\{W_2,c_{r_g},T_2\}$ on the public channel. Since $\mathcal{A}$ only obtains the public keys of the gateway and the sensor, they cannot compute the session key. Without the private key $F_{i,SN}$, the attacker cannot obtain the random number $r_{gw}$ and thus cannot derive the encapsulated message $PI{D}_{j,GW}$. It is challenging for the attacker to compute the corresponding session key $S{K}_{sg}$ and the authentication message $W_2$ within probabilistic polynomial time. Even if one or more nodes are captured, the captured nodes do not leak any useful information, and other sensor nodes can still communicate securely and effectively with the gateway. Therefore, the proposed scheme can resist node capture attacks.

(h). Quantum Attack Resistance: The proposed scheme is based on the NTRU key encapsulation encryption and authentication method, whose core security relies on the computational complexity of finding the shortest vector problem and the closest vector problem. Research has shown that these problems are proven to be difficult on classical computers, typically requiring exponential computational resources. Moreover, even with quantum computers, existing quantum algorithms (such as Shor’s algorithm) require substantial resources to solve high-dimensional lattice problems [24,33]. By employing the key encapsulation encryption scheme, the overall security of UWSNs is enhanced, ensuring the reliability of identity authentication and the confidentiality of data transmission even under the threat of quantum computing attacks [31].

(i). Perfect Forward/Backward Security: In the proposed scheme, the leakage of the current session key does not compromise the security of previous or subsequent keys, as session keys can only be computed by legitimate participants. If an attacker obtains the current session keys $S{K}_{ug}$ and $S{K}_{gs}$, recovering prior or future keys would require knowledge of the temporary random numbers $\{a_i,r_m,r_n,r_{sc},r_{gw},r_{sn}\}$ generated by each participant in every session. These ephemeral random numbers are updated dynamically during each authentication round. Additionally, the one-way property of hash functions and the NTRU key encapsulation encryption mechanism make it computationally infeasible for an attacker to derive session keys.

(j). Location-Based Authentication: The proposed protocol incorporates node location information into the authentication process to enhance dynamic security. By comparing a node’s positional changes before and after authentication, the protocol validates whether the actual movement aligns with the expected physical environmental logic. Specifically, the scheme employs the node mobility equations under the flow mobility model described in Section 2.3, taking into account the current underwater acoustic environment. This allows the calculation of the theoretical maximum displacement of a sensor node from its previous location $L_p$ to its current location $L_c$. This process dynamically verifies the legitimacy of node positions while mitigating risks such as location forgery, man-in-the-middle attacks, and replay attacks. Consequently, the proposed method significantly improves the security and reliability of identity authentication in the unique context of UWSNs.

5. Performance Analysis

This section will provide a detailed analysis of the cost and security features of the protocol, evaluating the performance of the proposed scheme in terms of storage overhead, communication overhead, and computational overhead. It will also compare the proposed scheme with different types of traditional encryption schemes [7,9,13,14,18,20].

5.1. Storage Overhead

This subsection analyzes the storage costs incurred by users, gateways, and sensor nodes during the authentication process. Assuming the user identity and password are 64 bits, the timestamp is 32 bits, the random number is 128 bits, the hash value is 160 bits, the NTRU lattice public/private keys are 128 bits, the points on the elliptic curve are 320 bits, the NTRU encryption and symmetric encryption/decryption keys are 128 bits, and other elements such as Chebyshev polynomials and biometric features require 128 bits, the storage requirements for users, gateway nodes, and sensor nodes are 256 (64 + 64 + 128) bits, 544 (64 + 64 + 128 + 128 + 160) bits, and 480 (64 + 128 + 128 + 160) bits, respectively [13,18]. Notably, all schemes do not discuss storage costs.

Table 5. Comparison of storage and communication costs.

Scheme	Tomović et al. [7]	Kumar et al. [9]	Li et al. [13]	Moghadam et al. [14]	Mo et al. [18]	Xie et al. [20]	NTRU-GOPA
User storage	-	128	1384	256	256	736	256
Gateway storage	704	576	1312	448	800	704	544
Sensor storage	640	448	224	224	224	576	480
Total storage(bits)	1344	1152	2920	928	1280	2016	1280
Total communication(bits)	704	1824	2720	2624	1760	1408	1440

provides a detailed analysis of the storage costs for each node. Compared with the schemes in [7,13,20], the total storage cost of our proposed scheme is lower and the same as that of scheme [18]. Although it slightly exceeds schemes in [9,14] in storage overhead, this is due to the inclusion of hashed identities, which prevents adversaries from forging identities even if they compromise sensor or gateway nodes. This design adds an extra layer of security to NTRU’s resistance to quantum attacks, significantly enhancing the overall security. As can be seen from Table 5, Scheme [7] does not discuss user nodes and only considers communication between some of the nodes, and it is clear that it has a slightly lower total storage cost than some of the other scenarios.

5.2. Communication Overhead

Following the storage analysis, we further evaluate the communication costs associated with message transmission among the three parties during the two-round authentication process. A comparison of the communication costs across schemes is presented in Table 5 and Figure 2. For a fair evaluation, consistent parameter lengths are adopted. In our scheme, the communication costs per message are 320 (32 + 128 + 160) bits, 320 (32 + 128 + 160) bits, 320 (32 + 128 + 160) bits, and 480 (32 + 128 + 160 + 160) bits, resulting in a total overhead of 1440 bits. As shown in Table 5 and Figure 2, Our scenarios are better than scenarios [9,13,14,20] and only slightly higher than scenarios [20]. Our protocol demonstrates superior efficiency in communication compared to existing approaches

5.3. Computational Overhead

We analyze the computational costs of our proposed authentication scheme and related schemes during the identity verification phase. Special attention is given to the computational burden on underwater acoustic sensor network nodes, as they are constrained by limited memory, processing power, and energy resources [34]. In

Table 6. Cryptographic operations and the required computational times.

Symbol	Meaning	Time (ms)
$T_h$	Hash function	0.0004
$T_C$	Chebyshev polynomials	2.226
$T_M$	Elliptic curve dot product operations	7.3529
$T_E$	Elliptic curve Encryption/Decryption	7.3529
$T_{se}$	Symmetric Encryption/Decryption	0.1303
$T_{Ne}$	NTRU Encryption	0.13
$T_{Nd}$	NTRU decryption	0.086
$T_{nm}$	Polynomial Multiplication	0.0011

, we present the cryptographic operations and their corresponding computational times.

To facilitate the analysis and evaluation of computational costs, the execution time of connection and XOR operations in the scheme is considered negligible compared to hash function operations. The tasks are executed on a PC workstation using IDEA JDK 18.0.2, equipped with an Intel(R) Core(TM) i5-11500U CPU @ 2.70 GHz and 16 GB of RAM. Thus, based on experimental data from references [9,35,36], this paper focuses on the execution time of hash functions, NTRU encryption/decryption, and NTRU polynomial multiplication operations. The NTRU parameter gives the $N=439,p=3,q=2048$. The adopted GOTP encapsulation and decapsulation method exhibits constant-time computational complexity. When employing 128-bit data encryption, its computation time remains significantly below 1 microsecond and is negligible compared to NTRU encryption/decryption operations. The detailed cryptographic operation symbols and execution times are presented in

Table 7. Comparison of Computational costs.

Scheme	User	Gateway	Sensor	Total Time (ms)
Tomović et al. [7]	-	$T_h+3T_E+2T_{se}$	$T_h+2T_E+T_{se}$	37.1526
Kumar et al. [9]	$5T_h$	$5T_h+T_{se}$	$3T_h+T_{se}$	0.2658
Li et al. [13]	$9T_h+3T_M$	$5T_h+T_M$	$6T_h+2T_M$	44.1254
Moghadam et al. [14]	$6T_h+3T_M+T_{se}$	$5T_h+T_M+2T_{se}$	$2T_h+T_M$	37.1606
Mo et al. [18]	$11T_h+3T_C$	$9T_h+T_C$	$4T_h+2T_C$	13.3656
Xie et al. [20]	$6T_h+3T_C+2T_{se}$	$5T_h+T_C+3T_{se}$	$3T_h+2T_C+T_{se}$	14.3474
NTRU-GOPA	$9T_h+T_{Ne}+T_{Nd}+T_{nm}$	$13T_h+2T_{Ne}+2T_{Nd}+2T_{nm}$	$6T_h+T_{Ne}+T_{Nd}+T_{nm}$	0.8796

. Our scheme involves 28 hash operations, 8 NTRU encryption/decryption operations, and 4 polynomial multiplications, yielding a total computational cost of 0.8796 ms. The other studies that are compared for the execution time of each node related operation are shown in Table 7. In this paper, the total overhead is less compared to literature [7,13,14,18,20] and slightly higher than literature [9] to increase the number of NTRU encryption and decryption to achieve higher security requirements. From a security perspective, our scheme uniquely achieves both quantum-resistant attack prevention and sensor node location authentication. In contrast, scheme [7] directly transmits IDs between Cluster Head (CH) and sensor nodes, exposing identity information to potential interception and failing to satisfy identity anonymity requirements. Our scheme mitigates this risk by employing pseudo-identities, which significantly increases resilience against adversarial attacks. Although scheme [9] demonstrates the lowest computational cost, t relies only on a basic hash function to handle complex underwater sensor networks, limiting its ability to fulfill robust security requirements. As indicated in Table 4, ref. [9] meets the fewest security criteria. Furthermore, Scheme [13] remain vulnerable to man-in-the-middle and DOS attacks, while scheme [18] satisfies untraceability requirements but is susceptible to offline password guessing attacks. References [7,9,13,14] fail to resist sensor node capture attacks, and scheme [18] struggles against offline password guessing attempts. Although scheme [20] meets more security requirements, its communication and computational overheads are comparatively high. Figure 3 and Table 5 present a comparison of storage and communication costs, illustrating that our scheme maintains a lower total overhead relative to [7,13,14,18,20], while achieving stronger security features. Considering both the comprehensive cost and security analysis, the proposed scheme meets enhanced security requirements while maintaining competitive computational efficiency.

6. Conclusions

In this paper, we propose a two-round mutual authentication protocol based on NTRU encryption. The protocol is designed to address storage, communication, and computational costs, adapting to the complexities of hydroacoustic environments while providing effective defense against quantum attacks. Upon successful authentication, the protocol establishes a secure symmetric session key among participants, enabling rapid inter-device communication and enhancing overall network efficiency. We formally validate the scheme’s security using the random oracle model, demonstrating its robustness against probabilistic attacks. Through comprehensive informal security analysis and comparative evaluations with existing protocols, the proposed scheme demonstrates superior security and performance metrics. The protocol effectively mitigates various common attacks, such as man-in-the-middle attacks, thereby ensuring reliable secure communication in UWSNs. As part of future work, we plan to integrate node energy state evaluation to assess the vulnerability risk levels of individual nodes. Furthermore, we aim to leverage Autonomous Underwater Vehicles (AUVs) for localized authentication and dynamic key updates within underwater network segments.