Next Article in Journal
Deglobalization Trends and Communication Variables: A Multifaceted Analysis from 2009 to 2023
Previous Article in Journal
Performance Variability in Public Clouds: An Empirical Assessment
Previous Article in Special Issue
An Intelligent Fuzzy-Based Routing Protocol for Vehicular Opportunistic Networks
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

PMAKA-IoV: A Physical Unclonable Function (PUF)-Based Multi-Factor Authentication and Key Agreement Protocol for Internet of Vehicles

1
School of Computer, Xi’an University of Post and Telecommunications, Xi’an 710061, China
2
School of Modern Posts, Xi’an University of Post and Telecommunications, Xi’an 710061, China
*
Author to whom correspondence should be addressed.
Information 2025, 16(5), 404; https://doi.org/10.3390/info16050404
Submission received: 3 April 2025 / Revised: 12 May 2025 / Accepted: 12 May 2025 / Published: 14 May 2025
(This article belongs to the Special Issue Wireless Communication and Internet of Vehicles)

Abstract

With the explosion of vehicle-to-infrastructure (V2I) communications in the internet of vehicles (IoV), it is still very important to ensure secure authentication and efficient key agreement because of the vulnerabilities in the existing protocols such as physical capture attacks, privacy leakage, and low computational efficiency. This paper proposes a physical unclonable function (PUF)-based multi-factor authentication and key agreement protocol tailored for V2I environments, named as PMAKA-IoV. The protocol integrates hardware-based PUFs with biometric features, utilizing fuzzy extractors to mitigate biometric template risks, while employing dynamic pseudonyms and lightweight cryptographic operations to enhance anonymity and reduce overhead. Security analysis demonstrates its resilience against physical capture attacks, replay attacks, man-in-the-middle attacks, and desynchronization attacks, and it is verified by formal verification using the strand space model and the automated Scyther tool. Performance analysis demonstrates that, compared to other related schemes, the PMAKA-IoV protocol maintains lower communication and storage overhead.

1. Introduction

The rapid development of the internet of vehicles (IoV) has brought revolutionary changes to intelligent transportation systems (ITSs). Within modern IoV architectures, vehicles are equipped with integrated sensor arrays, edge computing modules, and dedicated communication interfaces such as on-board units (OBUs), enabling dynamic information exchange through standardized communication paradigms including vehicle-to-infrastructure (V2I) and vehicle-to-vehicle (V2V) communication [1]. Specifically, V2I communication facilitates bidirectional real-time interactions between OBUs and roadside units (RSUs), allowing vehicles to obtain real-time traffic information, such as road congestion and accident locations. This capability enables intelligent route planning to bypass congested areas, optimize travel efficiency, and enhance coordinated driving through inter-vehicle data sharing, thereby significantly reducing collision risks and improving road safety.
However, the surge of IoV deployments has inadvertently expanded the attack surface of vehicle networks. The inherent broadcast characteristics of dedicated short-range communications (DSRCs) and cellular-V2X (C-V2X) protocols expose some key vulnerabilities, which can be used by attackers to launch various malicious activities [2], including eavesdropping, tampering, spoofing, and replay attacks. Furthermore, sophisticated adversaries may extract sensitive information stored in OBUs, compromising vehicle owners’ privacy through trajectory reconstruction, or impersonate legitimate entities by forging digital identities. These threats elevate security and privacy concerns in V2I communications to a critical priority, necessitating robust authentication mechanisms to ensure communication integrity and system reliability. Traditional V2I authentication protocols face three key challenges: (1) vulnerability to physical capture attacks, where the stored information of a physically captured device can be obtained by performing power analysis attacks on it; (2) inadequate privacy preservation, where fixed identifiers or pseudonyms enable long-term tracking of user behavior; and (3) inefficiency due to computationally intensive cryptographic operations, hindering real-time response.
In the past few years, many researchers have proposed various V2I authentication protocols. Specifically, physical unclonable function (PUF) can resist physical capture attack because it is the unique identifier of a semiconductor device. Moreover, multi-factor authentication is an authentication mechanism that can enhance security. Therefore, although several authentication and key agreement schemes based on the PUF or multi-factor are proposed for the IoV, which can address certain vulnerabilities, they often exhibit deficiencies in robustness. These gaps highlight the necessity of a holistic approach that balances security, privacy, and efficiency.
In this paper, we present a novel PUF-based multi-factor authentication and key agreement protocol designed for V2I environments, called PMAKA-IoV. Different from previous solutions, our major contributions can be summarized as follows.
  • Multi-factor authentication integration: by combining PUF’s hardware characteristics with user’s biometrics, the scheme employs a fuzzy extractor to handle the noise of biometric data, thus eliminating the risk of storing the raw biometric templates in plaintext. This approach enhances the reliability of identity authentication and resistance to spoofing.
  • Dynamic privacy protection mechanism: a dynamic pseudonym system is introduced to ensure vehicle identity anonymity and session key untraceability while achieving perfect forward secrecy in the protocol.
  • Lightweight design: hash functions and “exclusive or” (XOR) operations replace traditional public key cryptography, significantly reducing computational complexity. Simultaneously, dynamic random number updating and timestamp validation mechanisms can defend against replay attacks and ensure forward security.
In order to verify the security of the protocol, formal proofs using the strand space model show that PMAKA-IoV satisfies critical security properties, including resisting man-in-the-middle attacks, replay attacks, physical capture attacks, and desynchronization attacks. Further, the automated verification via the Scyther tool confirms its bidirectional authentication capability and session key confidentiality. The performance analysis results demonstrate that PMAKA-IoV outperforms the existing schemes in overall performance, especially in computational overhead, thereby meeting real-time requirements for IoV applications. Subsequent sections will elaborate on the protocol design, security analysis, and performance evaluation.

2. Related Works

Research from recent years shows that the emerging authentication technologies provide an innovative direction for IoV security. For example, federated learning-based authentication schemes [3,4] can protect data privacy and improve the accuracy and robustness, but they have the drawbacks of high communication overhead, high requirements for the network, and vulnerability to abnormal model attacks. In addition, edge artificial intelligence-based dynamic security schemes [5] can achieve real-time response and reduce data transmission, but they face challenges such as limited computing resources of edge devices and difficulties in model updating. In 2020, Ma et al. [6] proposed a decentralized key management mechanism for the IoV, which realized the registration, update, and revocation of vehicle public keys based on smart contracts. However, there are performance bottlenecks and high storage costs. Wang et al. [7] proposed a V2I authentication scheme using blockchain to achieve trustworthy and scalable computing, as well as blockchain-based cross-domain authentication schemes [8,9]. These schemes have their own advantages in the field of IoV security authentication, but there are also some problems.
The lightweight nature of PUFs enables them to operate efficiently on resource-constrained IoV devices without imposing excessive computational or storage burdens [10]. For example, in small-scale devices such as vehicle electronic control units, PUFs can achieve security functionalities without significantly increasing hardware costs or power consumption. The unclonability of PUFs stems from the inherent physical variations introduced during chip manufacturing, which generate unique responses that are random and unpredictable, making it difficult for attackers to replicate or forge PUF outputs. The uniqueness of PUFs ensures that the response of each device is different, providing a unique identity identifier that enhances the accuracy and reliability of authentication.
In recent years, an increasing number of scholars have attempted to integrate PUFs into devices and design PUF-based authentication and key agreement protocols. Chatterjee et al. [11] proposed an authentication and key exchange protocol combining identity-based encryption with PUF, which avoids the explicit storage of secret challenge–response pairs (CRPs). However, this scheme fails to achieve user anonymity and relies solely on random number checks to resist replay attacks, leaving certain security vulnerabilities. Aman et al. [12] introduced a PUF-based authentication protocol, establishing a three-tier authentication framework involving RSUs, RSU gateways, and a trusted center. When a vehicle enters a gateway area covered by multiple RSUs, it only needs to initiate a single authentication request to the gateway. By using the unique responses generated by the PUF, the gateway can complete cross-domain authentication and authorization for multiple RSUs synchronously. This protocol fully exploits the properties of PUFs, reducing the risk of key storage while enhancing encryption efficiency through hardware-level random number generation mechanisms. It provides a novel approach and methodology for secure authentication in the IoV. Umar et al. [13] proposed a lightweight PUF-based authentication protocol. This protocol requires only basic operations such as XOR, concatenation, and hashing on resource-constrained devices such as vehicles and RSUs, significantly reducing computational costs and making it suitable for IoV devices with limited resources. However, its anonymity mechanism only relies on temporary identifiers, and it lacks robust dynamic updating abilities. This means that the attacker may crack or trace the temporary identifier within a certain time, thus endangering the privacy protection of users. Xie et al. [14] presented an anonymous authentication scheme based on PUFs and elliptic curve cryptography (ECC). ECC offers high security with relatively low computational complexity, and its integration with the PUF enables anonymous authentication in the IoV. Nevertheless, this scheme has some security flaws. Since it involves only partially trusted RSUs and vehicles during the authentication process, the attacker can spoof malicious RSUs to deceive vehicles into completing the verification process, thereby undermining the reliability of authentication.
Fuzzy extractor is a cryptographic technique that aims to derive fixed-length, reproducible, and secure binary strings from noisy data sources such as biometrics. Due to variations in acquisition environments, sensor devices, and individual physiological states, biometric data inherently contain noise and inconsistencies. Fuzzy extractors address this challenge by reliably extracting stable and secure information from these variable data, thereby meeting the requirements of security-sensitive applications such as authentication systems. Jiang et al. [15] addressed the security shortcomings of identity authentication in the IoV by proposing a three-factor authentication scheme that integrates PUFs, biometrics, and dynamic passwords. By leveraging the hardware characteristics of the PUF, the uniqueness of biometrics, and the randomness of dynamic passwords, the scheme improves the accuracy of feature detection and authentication. Since it is extremely challenging for adversaries to simultaneously forge PUF responses, biometric features, and dynamic passwords, the IoV system can effectively defend against impersonation attacks. This scheme compensates for the lack of anonymity in Chatterjee et al.’s [11] approach. Saleem et al. [16] proposed a lightweight authentication and key agreement scheme for vehicular networks that combines hash functions, XOR operations, and the PUF. This scheme employs the PUF and fuzzy extractors to protect OBUs against physical tampering and cloning attacks. Although the protocol reduces the computational cost and communication overhead, it is still vulnerable to security problems such as desynchronization attacks. Although PUF-based authentication schemes have made progress in the field of IoV security, there is still a lot of room for improvement in terms of both security and performance.
Multi-factor authentication is an authentication mechanism that enhances identity security by combining multiple independent authentication elements. Jiang et al. [17] proposed a cloud-centric three-factor authentication and key agreement protocol (CT-AKA) integrating passwords, biometrics, and smart cards to ensure secure access to both the cloud and autonomous vehicles. Tahir et al. [18] proposed a multi-factor authentication scheme that integrates identity, password, and biometric information. The scheme enhances the robustness of the system by employing simple cryptographic operations to reduce computational overhead and leveraging the vehicle’s geographical coordinates to verify its actual location. However, it still faces security problems such as physical capture attacks. Awais et al. [19] put forward a lightweight privacy-preserving authentication protocol for the vehicular ad hoc network (VANET) using the PUF technique, which provides efficient and secure communication via public channels, but it does not provide PUF challenge–response pair protection. He et al. [20] proposed a verifiable commitment-based mutual authentication and key agreement protocol, called mutual authentication and key agreement protocol based on verifiable commitment (VC-MAKA). However, it is not applicable to high-traffic IoV scenarios. Some important related works are summarized in Table 1.

3. System Model

3.1. Network Model

As shown in Figure 1, the network model of the PMAKA-IoV protocol comprises three main entities: vehicle, RSU, and trust authority (TA). Their roles are defined as follows.
Vehicle: As a protocol participant, it completes registration, login, and mutual authentication with RSUs, along with dynamic key agreement. Each vehicle is equipped with an OBU that stores identity information, biometric features, and challenge–response pairs generated by the PUF.
RSU: It is deployed in the traffic infrastructure nodes, and it forwards authentication requests and collaborates in key generation. It stores its own identity, PUF challenge–response pairs, and other security parameters. In addition, it synchronizes security parameters with the TA to ensure consistency and participates in key agreement.
TA: As the core security entity of the system, it is responsible for registering vehicles and RSUs, generating master keys and session keys. It maintains a database to store pseudonyms, hash responses, and other security parameters and coordinates the authentication process.
In Figure 1, each RSU and each vehicle need to undergo RSU registration and vehicle registration before deployment. Then, after the user logins, each vehicle conducts V2I authentication and key agreement with its connected RSU and the TA.

3.2. Threat Model

The network model in this study employs a public wireless communication channel to exchange information between entities. This open environment exposes the system to various security threats. Specifically, malicious attackers (MAs) can exploit the open nature of wireless channels to disrupt normal communications. To comprehensively evaluate the security of the SLAKA-IoD protocol, we adopt two classical threat models for analysis.
Firstly, according to the Dolev–Yao (DY) threat model [21], the MA is assumed to have capabilities as follows:
  • Intercepting communications between nodes;
  • Tampering with transmitted messages;
  • Forging or deleting messages.
Furthermore, we apply the more rigorous Canetti–Krawczyk (CK) threat model [22], which additionally considers the following abilities of the MA:
  • Obtaining secret information and session states through session hijacking attacks;
  • Conducting ephemeral secret leakage (ESL) attacks;
  • Performing physical capture attacks on vehicle nodes.

4. Proposed PMAKA-IoV Protocol

The execution of our proposed PMAKA-IoV protocol is divided into four phases: initialization phase, registration phase, login phase, and authentication phase. Table 2 lists the notations used in the protocol. In addition, in order to prevent side channel attacks, dynamic power consumption adjustment, and electromagnetic radiation shielding, randomization and noise injection techniques, as well as physical isolation and real-time monitoring and response, can be further adopted to protect the operation of the protocol. Further, during the implementation and operation of the PMAKA-IoV protocol, compliant commercial cryptographic algorithms should be used, unpredictable random numbers should be generated based on a high-entropy random number generator, and the keys should be updated regularly.

4.1. Initialization Phase

The TA selects a one-way cryptographic hash function h:{0,1}* to register all vehicles and generates a master key mk.

4.2. Registration Phase

4.2.1. Vehicle Registration

The vehicle registration process is illustrated in Figure 2 and proceeds as follows:
1.
The vehicle Vi generates its identity IDvi and sends it to the TA.
2.
Upon receiving IDvi, the TA queries its database to verify whether IDvi already exists. If not, the TA generates a challenge Cvi, computes the pseudonym PIDvi = h(IDvi | | Cvi), and sends {PIDvi, Cvi, IDt} to Vi, where IDt is the identity of the TA.
3.
After receiving the message, Vi computes the response Rvi = PUF(Cvi) and HRvi = h(Cvi | | Rvi). The user of Vi then inputs its password PWvi and biometric data BIOvi. Subsequently, Vi calculates F·G(BIOvi) = (φvi, φvi*) and A = h(IDvi | | PWvi | | φvi). Finally, Vi stores [φvi*, A, PIDvi, IDt, Cvi] in the OBU and sends {HRvi} to the TA.
4.
The TA securely stores [IDvi, PIDvi, IDt, HRvi] in its database.
Figure 2. Vehicle registration.
Figure 2. Vehicle registration.
Information 16 00404 g002

4.2.2. RSU Registration

The registration process for the RSU is illustrated in Figure 3 and proceeds as follows:
1.
RSUj sends its identity IDj to the TA, where RSUj is the j t h RSU.
2.
The TA generates a challenge Cj and sends it to RSUj.
3.
Upon receiving the message, RSUj computes the response Rj = PUF(Cj) and HRj = h(Cj | | Rj). It then stores [IDj, Cj] locally and sends HRj to the TA.
4.
The TA securely stores [IDj, HRj] in its database.
Figure 3. RSU registration.
Figure 3. RSU registration.
Information 16 00404 g003

4.3. Login Phase

1.
The user of Vi inputs IDvi, PWvi, and BIOvi.
2.
By using the fuzzy extractor, Vi calculates φvi = F·R(BIOvivi*) and computes A= h(IDvi | | PWvi | | φvi). Vi then verifies whether the computed A′ matches the stored security parameter A. If they are equal, the login succeeds.

4.4. V2I Authentication and Key Agreement Phase

The authentication process between vehicle Vi and RSUj, as shown in Figure 4, proceeds as follows:
1.
Vi computes Rvi = PUF(Cvi) and HRvi = h(Cvi | | Rvi), generates a random number ri and a timestamp T1, and then calculates A1 = IDvi HRvi IDt ri and M1 = h(IDj | | PIDvi | | HRvi | | ri | | A1 | | T1). Finally, Vi sends {PIDvi,M1,A1,T1} to RSUj.
2.
Upon receiving the message, RSUj generates a timestamp T2. If |T2-T1|<∆T, the message is discarded, i.e., verifying the freshness of T1. Otherwise, RSUj generates a random number rj; computes Rj = PUF(Cj), HRj = h(Cj | | Rj), A2 = IDj HRj rj, and M2 = h(M1 | | IDt | | HRj | | rj | | A2 | | T2); and then sends {PIDvi,IDj,,M2,A1,A2,T1,T2} to the TA.
3.
The TA verifies the freshness of T2. By using PIDvi, it retrieves HRvi and IDvi, computes ri = IDvi HRvi IDt A1, validates M1 = h(IDj | | PIDvi | | HRvi | | ri | | A1 | | T1), and retrieves HRj based on IDj. Next, it computes rj = IDj HRj A2 and M2= h(M1 | | IDt | | HRj | | rj | | A2 | | T2) and then verifies whether M2= M2. If this is valid, the TA generates a new random number rtnew, a timestamp T3, and a master key mk. It computes PIDvinew = h(IDvi | | Cvi | | rt), X = mk HRvi rt, Y = mk HRj rt, A3 = rj (ri | | rt), M3 = h(IDj | | mk | | rj | | rt | | HRj | | T3), and M4 = h(IDvi | | mk | | ri | | rt | | HRvi | | T3)). The TA stores PIDvinew and sends {A3, M3, M4, X, Y, T3} to RSUj.
4.
RSUj generates timestamp T4; verifies the freshness of T3; computes (ri | | rt) = rj A3, mk = Y HRj rt, and M3′ = h(IDj | | mk | | rj | | rt | | HRj | | T3); and then checks whether M3= M3. If this is valid, RSUj calculates the session key SKij = h(IDj | | PIDvi | | ri | | rj | |  rt | | mk), computes A4 = ri (rj | | rt) and M5 = h(IDj | | M4 | | PIDvi | | SKij | | T4), and then sends {A4,X,M4,M5,T3,T4} to Vi.
5.
Vi verifies the freshness of T4; computes (rj | | rt) = ri A4, mk = X HRvi rt, and M4′ = h(IDvi | | mk | | ri | | rt | | HRvi | | T3); and then checks whether M4= M4. If this is valid, Vi computes M5′ = h(IDj | | M4 | | PIDvi | | SKij | | T4) and verifies whether M5′ = M5. If this is valid, Vi updates PIDvinew in the OBU.
Figure 4. V2I authentication and key agreement.
Figure 4. V2I authentication and key agreement.
Information 16 00404 g004

5. Security Analysis

This section provides a detailed security analysis of PMAKA-IoV. Firstly, an informal analysis of PMAKA-IoV is conducted. Subsequently, a formal verification of PMAKA-IoV is performed using the strand space model. Furthermore, the simulations with the Scyther tool are carried out to further validate PMAKA-IoV’s security. Finally, we compare the security features of PMAKA-IoV and other relevant schemes.

5.1. Informal Analysis

In this section, we conduct an informal analysis of the PMAKA-IoV protocol. It resists various threats including replay attacks, man-in-the-middle attacks, desynchronization attacks, and physical capture attacks, covering common attack scenarios in the IoV environment. Additionally, it satisfies many security features, such as perfect forward secrecy, mutual authentication, and anonymity.
1.
Physical Capture Attack
In the above protocol, HRvi and HRj, rather than Rvi and Rj, are securely transmitted to the TA and stored in it. Therefore, it is difficult for an attacker to obtain Rvi and Rj. Even if the attacker can acquire HRvi and HRj based on the CK threat model, it will be unable to reverse-engineer Rvi and Rj from them, as they are generated via hash functions. Additionally, Cvi is stored in Vvi rather than in the TA, and similarly, Cj is stored in RSUj rather than in the TA. Thus, to obtain the PUF challenge–response pair of Vvi, the attacker will need to physically capture Vvi to acquire Cvi based on the CK threat model. Likewise, to obtain the PUF challenge–response pair of RSUj, the attacker will need to physically capture RSUj to acquire Cj based on the CK threat model.
2.
Replay Attack
Upon receiving a message, the recipient checks the validity of the timestamp in the message, and messages that fail the check will be discarded. Furthermore, the messages {M1, M2, M3, M4, M5} are all bound to timestamps. If an attacker attempts to modify the timestamp for a replay attack, the authentication will fail.
3.
Man-in-the-Middle Attack
If an attacker attempts to carry out a man-in-the-middle attack on the protocol, it must intercept and tamper with the protocol’s messages. As described above, {PIDvi, M1, A1, T1}, {PIDvi, IDj, M2, A1, A2, T1, T2}, {A3, M3, M4, X, Y, T3}, and {A4, X, M4, M5, T3, T4} are protected by HRvi or HRj, which are unknown to the attacker. Thus, although the attacker may intercept these messages, it cannot tamper with them, thereby preventing man-in-the-middle attacks.
4.
Session Key Disclosure Attack
The session key SKij between Vvi and RSUj is computed as SKij = h(IDj | | PIDvi | | ri | | rj | | rt | | mk). An attacker cannot compute SKij because it lacks access to the random numbers ri, rj, and rt generated by Vvi, RSUj, and the TA, respectively, as well as the master key mk.
5.
Desynchronization Attack
Vvi stores the old value {PIDvi} before receiving the fourth message and updates PIDvi = PIDvinew after receiving the second message of the phase. Moreover, the TA stores both the old value {PIDvi} and the new value {PIDvinew}. Therefore, no matter whether the attacker tampers with the third or fourth message to execute a desynchronization attack, there will always be a set of pseudo-identities and key material values shared between Vvi and the TA for this phase.
6.
Mutual Authentication
During the phase of authentication and key agreement between Vvi and RSUj, the TA verifies the legitimacy of Vvi via HRj and validates RSUj by checking whether M2 = h(M1 | | IDt | | HRj | | rj | | A2 | | T2) holds. This is because only the TA and Vvi know HRvi, and only the TA and RSUj know HRj. Similarly, RSUj and Vvi verify the authenticity of the messages from the TA by checking whether M3 = h(IDj | | mk | | rj | | rt | | HRj | | T3) and M4 = h(IDvi | | mk | | ri | | rt | | HRvi | | T3) hold, respectively.
7.
Anonymity and Untraceability
During the phase of authentication and key agreement between Vvi and RSUj, the pseudo-identity PIDvi is used instead of the real identity IDvi. Hence, an adversary cannot obtain IDvi, ensuring the vehicle’s anonymity. Furthermore, PIDvi is updated during this phase, preventing the adversary from using PIDvi to trace Vvi. Thus, our proposed protocol guarantees untraceability.
8.
Perfect Forward Secrecy
The session key SKij is dynamically generated using the temporary random numbers ri, rj, and rt and the master key mk. Therefore, even if long-term keys are compromised, past sessions remain secure.
9.
Denial-of-Service (DoS) Attack
The PMAKA-IoV protocol uses hash functions and XOR operations at its core, avoiding complex cryptography such as elliptic curve math. This makes the processing speed of each request very fast, and even if many requests are processed at the same time, the response ability of the system can be maintained. Each message includes a timestamp. If the receiver finds that the time difference exceeds the limit ∆T, it will drop the request immediately to save resources. Each session also creates unique random numbers associated with the hash values M1 = h(IDj | | PIDvi | | HRvi | | ri | | A1 | | T1), which prevents attackers from reusing old numbers to drown the system. This can prevent resources from being overloaded.
10.
Impersonation Attack
The PMAKA-IoV protocol prevents impersonation attacks through multi-factor authentication and dynamic identity mechanisms. Vehicles must simultaneously provide a PUF hardware response Rvi = PUF(Cvi), biometric features (processed into stable keys φvi via fuzzy extractors, and dynamic pseudonym PIDvi. The physical unclonability of the PUF and the uniqueness of biometrics make it impossible to forge all three factors at the same time. Furthermore, the pseudonym PIDvi is dynamically updated with PIDvinew = h(IDvi | | Cvi | | rt) after each session, which ensures that the intercepted pseudonyms cannot be reused in subsequent sessions, thereby eliminating long-term impersonation risks.
11.
ESL Attacks
The PMAKA-IoV protocol effectively mitigates ESL attacks through multi-parameter binding and session isolation mechanisms. The session key SKij = h(IDj | | PIDvi | | ri | | rj | | rt | | mk) is derived from a combination of ephemeral random numbers ri, rj, and rt and the master key mk. Leakage of a single ephemeral parameter cannot compromise the whole key due to the interdependency of multiple parameters. Additionally, the protocol employs perfect forward secrecy, ensuring that ephemeral random numbers are valid only for a single session and destroyed afterward. Even if ri, rj, and rt from a session are leaked based on the CK threat model, historical and future sessions remain secure due to the use of independently generated random numbers. Furthermore, the master key mk is only used to derive encrypted parameters and is not directly linked to ephemeral values, thus preventing attackers from using leaked ephemeral secrets to reverse-engineer long-term keys. The dynamic pseudonym update mechanism ensures that even if a pseudonym from a session is leaked based on the CK threat model, it cannot be tracked or reused across sessions, thus completely limiting the influence scope of ESL attacks.

5.2. Formal Analysis

The strand space model [23,24,25], a rigorously validated formal framework for analyzing security protocols, is adopted in this work to assess the security of our proposed PMAKA-IoV protocol. The detailed analysis proceeds as follows.
Definition 1.
An infiltrated strand space, Σ,P, is a space for the V2I authentication and key agreement phase of PMAKA-IoV if it is the union of the following four types of strands: Initiator Strand s Init[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T3, T4]: The trace is < + m1, −m4 >, associated with the entity Vvi. Responder Strand s Resp[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2, T3, T4]: The trace is <−m1, + m2, −m3, + m4>, associated with the entity RSUj. Server Strand s Serv[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2, T3]: The trace is <−m2, + m3 >, associated with the entity TA. Penetrator Strand s P.
Theorem 1.
Suppose that (a) Σ is a space for the V2I authentication and key agreement phase of PMAKA-IoV, and C is a bundle in Σ containing an initiator strand s with trace s Init[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T3, T4]; (b) HRvi, HRj KP; and (c) ri, rj, and rt are uniquely originated in Σ, and ri rj rt. Then, C contains a responder t Resp[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2′, T3, T4] and a server strand r Serv[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2′, T3].
Proof of Theorem 1.
By assumptions (b) and (c), M5 term(<s, 2>) uniquely originates from a responder strand t Resp[IDvi, IDj, IDt, ri, rj, rt, mk,PIDvi,T1,T2,T3,T4]. Similarly, M1 term(<t, 1>) uniquely originates from an initiator strand s Init[IDvi, IDj, IDt, ri, rj, rt″, mk,PIDvi, T1, T3, T4″]. From assumption (c), s′ = s, implying IDt′ = IDt and T1′ = T1. Additionally, M3 term(<t, 3>) uniquely originates from a server strand r Serv[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2, T3], and M2  term(<r, 1>) originates from a responder strand t Resp[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2, T3, T4⁗]. By assumption (c), t′ = t, so IDvi‴ = IDvi, IDt‴ = IDt, ri ‴ = ri, PIDvi‴ = PIDvi, T1‴ = T1, and T2‴ = T2′. □
By Theorem 1, Vvi authenticates RSUj and the TA. Both the responder strand t and the server strand r include T2′, as this field is only transmitted between RSUj and the TA and is unknown to the initiator strand s.
Theorem 2.
Suppose that (a) Σ is a space for the V2I authentication and key agreement phase of PMAKA-IoV, and C is a bundle in Σ containing a responder strand s with traces s Resp[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2, T3, T4]; (b) HRvi, HRj KP; (c) ri, rj, and rt are uniquely originated in Σ, and ri rj rt. Then, C contains an initiator strand t Init[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T3, T4] and a server strand r Serv[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2, T3].
Proof of Theorem 2.
By assumptions (b) and (c), M3term (<s, 3>) uniquely originates from a server strand r Serv[IDvi, IDj, IDt, ri, rj, rt, mk,PIDvi,T1,T2,T3]. Similarly, M2 term (<r, 1>) originates from a responder strand s Resp[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2, T3, T4″]. From assumption (c), s′ = s, implying IDvi′ = IDvi, IDt′ = IDt, ri′ = ri, PIDvi′ = PIDvi, T1′ = T1, and T2′ = T2. Moreover, M1term(<s, 1>) uniquely originates from an initiator strand t Init[IDvi, IDj, IDt, ri, rj, rt‴, mk,PIDvi,T1,T3,T4‴], and M5 term(<t, 2>) originates from a responder strand s Resp[IDvi, IDj, IDt, ri, rj, rt, mk, PIDvi, T1, T2, T3, T4‴]. By assumption (c), s″ = s, so rj‴ = rj, rt‴ = rt, mk‴ = mk, T3‴ = T3, and T4‴ = T4. □
By Theorem 2, RSUj successfully authenticates Vvi and the TA.

5.3. Security Verification Based on Scyther

Scyther [26,27], introduced and utilized by Cremers, is a powerful formal verification tool that serves as a cornerstone for analyzing security protocols. It specializes in verifying potential threats, such as forgery and tampering. In this study, we leverage Scyther’s capabilities to simulate the V2I authentication and key agreement phase of the PMAKA-IoV protocol by using the security protocol description language (SPDL). The Scyther tool employs symbolic model checking to exhaustively analyze protocol execution paths under the Dolev–Yao adversary model [21] (where the attackers control the network and can intercept, modify, or replay messages). This section provides a detailed exposition of the experimental results.
As shown in Figure 5, the formal verification using the Scyther tool demonstrates that the PMAKA-IoV protocol meets the design requirements for core security properties, including confidentiality, authenticity, and freshness. Furthermore, the protocol can resist various attacks, such as replay, man-in-the-middle, and desynchronization attacks. The verification results further support the security claims made in the informal analysis, confirming the protocol’s reliability and robustness in practical vehicular network environments. The main findings are as follows:
1.
No Successful Attack Traces: Scyther exhaustively explored all possible interleavings of protocol runs and failed to find any violations of the specified security properties. For example, the attempts to forge M3 = h(IDj | | mk | | rj | | rt | | HRj | | T3) without knowledge of HRj or mk were detected as invalid.
2.
Mutual Authentication Guarantees: The tool verified that Vvi and Rj mutually authenticate each other through TA-mediated validation of M1, M2, M4, and M5. Any tampering with these messages will destroy the integrity of the hash-chain, thus triggering the termination of the protocol.
3.
Session Key Confidentiality: Scyther confirmed that SKij remains secret even if the long-term key mk is compromised, as SKij relies on ephemeral values erased after each session.
4.
Desynchronization Resilience: The dual pseudonym storage of this protocol ensures continuity, even though messages are lost or tampered. Scyther validated that the TA retains both versions until successful key confirmation, preventing denial-of-service via forced state mismatches.
Figure 5. The Scyther-based verification results of the PMAKA-IoV protocol.
Figure 5. The Scyther-based verification results of the PMAKA-IoV protocol.
Information 16 00404 g005

5.4. Security Comparison

Table 3 demonstrates that the PMAKA-IoV scheme exhibits superior security characteristics compared to similar authentication schemes, proving more resilient against various types of security attacks. The comparison includes the existing representative authentication and key agreement schemes.
In Table 3, all the messages of the PMAKA-IoV protocol are protected by HRvi or HRj, which are unknown to the attacker, and they are bound to fresh timestamps, so the PMAKA-IoV protocol can resist man-in-the-middle attack, reply attack, and DoS attack, while the scheme in [28] cannot resist man-in-the-middle attack, and the schemes in [16,28,29] cannot resist replay attack or DoS attack. Our proposed PMAKA-IoV protocol and the scheme in [16] are based on the PUF, so they can resist physical capture attack, while the schemes in [28,29] cannot resist this attack because they do not use PUFs. In the PMAKA-IoV protocol, the TA stores both the old value PIDvi and the new value PIDvinew to resist desynchronization attack, while the schemes in [16,28,29] do not provide this mechanism. Moreover, PIDvinew is generated in a secret way in the PMAKA-IoV protocol, so the attacker cannot link PIDvi to PIDvinew, while the schemes in [28,29] do not provide unlinkability.

6. Performance Analysis

This section evaluates the practical efficiency of the PMAKA-IoV protocol through rigorous analysis of the communication cost, storage cost, computation cost, and energy cost.

6.1. Communication Cost

In order to evaluate the communication cost and storage cost, we consider that the sizes of the timestamp, identity, random number, hash value, AES value, PUF challenge, and PUF response are 64 bits, 80 bits, 160 bits, 256 bits, 128 bits, 32 bits, and 320 bits, respectively.
During the authentication and key agreement phase, for our scheme, the message {PIDvi,M1,A1,T1} requires 256 + 256 + 256 + 64 = 832 bits, the message {PIDvi,IDj,M2,A1,A2,T1,T2} requires 256 + 256 + 256 + 256 + 80 + 64 + 64 = 1232 bits, the message {A3,M3,M4,X,Y,T3} requires 256 + 256 + 256 + 256 + 64 + 160 = 1248 bits, and the message {A4,X,M4,M5,T3,T4} requires 256 + 256 + 256 + 64 + 64 + 160 = 1056 bits, totaling 4368 bits. Similarly, for the scheme in [28], it requires 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 256 + 160 + 160 + 64 + 64 + 64 + 64 = 5696 bits. For the scheme in [29], it requires 320 + 320 + 320 + 320 + 320 + 320 + 320 + 320 + 320 + 320 + 64 + 64 + 64 + 64 + 160 = 3616 bits. For the scheme in [16], it requires 256 + 256 + 256 + 256 + 256 + 256 + 160 + 160 + 160 + 160 + 160 + 160 + 160 + 160 + 128 + 128 = 3072 bits. Table 4 compares the communication cost between our scheme and other schemes.
As can be seen from Table 4 and Figure 6, the scheme in [28], which is based on hash and XOR operations, involves a higher communication cost than our scheme. However, our scheme has a higher communication cost than the schemes in [16,29]. This represents a trade-off between communication efficiency and the additional security features provided by our lightweight yet secure authentication protocol.
For PMAKA-IoV, if the number of vehicles in an IoV network is n, the theoretical communication cost during the V2I authentication and key agreement phase can reach (4368 × n!)/((n − 2)! × 2) bits. As shown in Figure 7, the communication cost comparison among different schemes under varying numbers of vehicles can be observed. In the actual scenarios, this phase is performed on-demand, thereby avoiding a sudden increase in communication cost. Consequently, the PMAKA-IoV protocol is still suitable in terms of communication cost.

6.2. Storage Cost

In the vehicle and RSU registration phase of our scheme, the PUF challenge–response pairs, biometric fuzzy parameters, and dynamic pseudo-identity information are stored. The TA stores 80 + 80 + 80 + 256 + 256 + 256 = 1008 bits, each vehicle stores 80 + 256 + 256 + 160 + 32 = 784 bits, and each RSU stores 80 + 32 = 112 bits, totaling 1904 bits of storage cost. The calculation of the storage cost does not consider the newly generated messages during the execution of the protocol, which will be deleted later because they are usually located in memory.
Similarly, for the scheme in [28], the TA stores 80 + 160 + 160 = 400 bits, each vehicle stores 256 + 256 + 256 + 80 = 848 bits, and each RSU stores 80 + 160 = 240 bits, totaling 1488 bits of storage cost. For the scheme in [29], the TA stores 256 + 256 + 256 = 768 bits, each vehicle stores 256 + 256 + 256 + 320 + 80 = 1168 bits, and each RSU stores 256 bits, totaling 2192 bits of storage cost. For the scheme in [16], the TA stores 256 + 256 + 256 = 768 bits, each vehicle stores 128 + 256 + 256 + 256 + 160 = 1056 bits, and each RSU stores 256 + 80 = 336 bits, totaling 2160 bits of storage cost. Table 5 compares the storage cost between the PMAKA-IoV protocol and the other schemes.
As can be seen from Table 5 and Figure 8, the scheme in [28] stores pseudo-identities, hash values, and random numbers in both the TA and the OBU, resulting in a lower storage cost than our scheme due to the fewer stored security parameters. However, this scheme stores vehicle registration parameters in plaintext within the OBU, which may lead to security problems. If a smart card is stolen, the attackers can obtain these parameters and impersonate vehicles. Moreover, compared with the other schemes in [16,29], our scheme still has advantages in storage cost.
For the PMAKA-IoV protocol, when the number of vehicles in a V2I network is n, the storage cost amounts to (784n + 1008 + 112) bits. In Figure 9, a comparative analysis of the storage cost across different schemes under varying vehicle numbers is presented. Because the storage cost of vehicles is relatively low, with the increase in the number of vehicles, the advantages of the PMAKA-IoV protocol become increasingly obvious.

6.3. Computation Cost

The computation cost during the V2I authentication and key agreement phase of our scheme comprises the sum of the computation cost from three entities. According to the execution time per operation [16,28,29,30,31], some symbols for the execution time are defined as shown in Table 6.
As demonstrated in Table 7 and Figure 10, which compare the computation cost between the PMAKA-IoV protocol and the other schemes, the scheme in [29] involves multiple ECC point multiplication operations, resulting in a higher computational complexity. Our scheme reduces computational overhead by employing more efficient cryptographic operations.
In Figure 11, the computation cost comparison of different schemes under varying numbers of vehicles is presented. For the PMAKA-IoV protocol, theoretically, when the number of vehicles in an IoV network is n, the computation cost during the V2I authentication and key agreement phase is (0.0323 × n!)/((n − 2)! × 2) ms. The results demonstrate that the PMAKA-IoV protocol can meet the real-time requirements for V2I communications in terms of computation cost.

6.4. Energy Cost

During the communication between vehicles and other entities, performing any computation consumes energy, and a high energy cost may negatively affect the performance of the authentication scheme. As described in [31], the formula for calculating the energy cost is as follows: energy cost = total computation cost × maximum processing power.
Generally, the maximum processing power in wireless transmission is 10.88 W [32]. Hence, for our scheme, the energy cost is 0.35 mJ (i.e., 0.0323 × 10.88 ≈ 0.35 mJ). Similarly, the energy costs of the schemes in [16], [29], and [28] are 9.52 mJ (i.e., 0.8750 × 10.88 ≈ 9.52 mJ), 397.88 mJ (i.e., 36.570 × 10.88 ≈ 397.88 mJ), and 0.50 mJ (i.e., 0.460 × 10.88 ≈ 0.50 mJ), respectively. As demonstrated in Figure 12, our scheme maintains a low energy cost. In addition, the energy cost comparison of different schemes under varying numbers of vehicles is similar to Figure 11.

7. Conclusions

We propose a PUF-based multi-factor authentication and key agreement protocol for the internet of vehicles, named PMAKA-IoV. From the aspect of security analysis, we first conducted an informal security analysis to illustrate its defense ability against various potential threats. Then, we performed a rigorous logical proof of the protocol’s security using the strand space model as a formal verification tool, further confirming its theoretical reliability. Finally, we comprehensively tested the protocol’s security using the Scyther automated verification tool, verifying its effectiveness against various known attacks.
Compared with the existing V2I security protocols of the same type, the PMAKA-IoV protocol demonstrates significant advantages in security. By introducing the PUF’s unique characteristics, the key unpredictability and physical anti-cloning ability are realized, effectively enhancing the overall security of the protocol. The PMAKA-IoV protocol also fully considers the efficiency and practicality of the authentication process, avoiding unnecessary computational overhead and communication delays.
In terms of performance, we conducted an in-depth analysis and evaluation. While satisfying more security properties, the PMAKA-IoV protocol maintains a low overhead and demonstrates outstanding performance in computing speed.

Author Contributions

Methodology, M.Y.; formal analysis, Y.X. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the National Natural Science Foundation of China (No. 61741216, 61402367) and the New Star Team Project of Xi’an University of Posts and Telecommunications.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in the study are included in the article. Further inquiries can be directed to the corresponding authors.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Muhammad, M.; Safdar, G.A. Survey on existing authentication issues for cellular-assisted V2X communication. Veh. Commun. 2018, 12, 50–65. [Google Scholar] [CrossRef]
  2. Wei, L.; Cui, J.; Zhong, H.; Xu, Y.; Liu, L. Proven secure tree-based authenticated key agreement for securing V2V and V2I communications in VANETs. IEEE Trans. Mob. Comput. 2021, 21, 3280–3297. [Google Scholar] [CrossRef]
  3. Li, Z.; Wu, H.; Dai, Y.; Lu, Y. PAFL: Parameter-Authentication Federated Learning for Internet of Vehicles. In Proceedings of the GLOBECOM 2023 IEEE Global Communications Conference, Kuala Lumpur, Malaysia, 4–8 December 2023; pp. 1241–1246. [Google Scholar]
  4. Zhao, P.; Huang, Y.; Gao, J.; Ling, X.; Wu, H.; Ma, H. Federated learning-based collaborative authentication protocol for shared data in social IoV. IEEE Sens. J. 2022, 22, 7385–7398. [Google Scholar] [CrossRef]
  5. Alkhalidy, M.; Taha, M.B.; Chowdhury, R.; Ould-Slimane, H.; Mourad, A.; Talhi, C. Vehicular edge-based approach for optimizing urban data privacy. IEEE Sens. J. 2023, 24, 5609–5621. [Google Scholar] [CrossRef]
  6. Ma, Z.; Zhang, J.; Guo, Y.; Liu, Y.; Liu, X.; He, W. An efficient decentralized key management mechanism for VANET with blockchain. IEEE Trans. Veh. Technol. 2020, 69, 5836–5849. [Google Scholar] [CrossRef]
  7. Wang, C.; Shen, J.; Lai, J.F.; Liu, J. B-TSCA: Blockchain assisted trustworthiness scalable computation for V2I authentication in VANETs. IEEE Trans. Emerg. Top. Comput. 2020, 9, 1386–1396. [Google Scholar] [CrossRef]
  8. Son, S.; Lee, J.; Park, Y.; Park, Y.; Das, A.K. Design of blockchain-based lightweight V2I handover authentication protocol for VANET. IEEE Trans. Netw. Sci. Eng. 2022, 9, 1346–1358. [Google Scholar] [CrossRef]
  9. Roy, S.; Nandi, S.; Maheshwari, R.; Shetty, S.; Das, A.K.; Lorenz, P. Blockchain-based efficient access control with handover policy in IoV-enabled intelligent transportation system. IEEE Trans. Veh. Technol. 2023, 73, 3009–3024. [Google Scholar] [CrossRef]
  10. Zheng, Y.; Liu, W.; Gu, C.; Chang, C.H. PUF-based mutual authentication and key exchange protocol for peer-to-peer IoT applications. IEEE Trans. Dependable Secur. Comput. 2022, 20, 3299–3316. [Google Scholar] [CrossRef]
  11. Chatterjee, U.; Govindan, V.; Sadhukhan, R.; Mukhopadhyay, D.; Chakraborty, R.S.; Mahata, D.; Prabhu, M.M. Building PUF based authentication and key exchange protocol for IoT without explicit CRPs in verifier database. IEEE Trans. Dependable Secur. Comput. 2018, 16, 424–437. [Google Scholar] [CrossRef]
  12. Aman, M.N.; Javaid, U.; Sikdar, B. A privacy-preserving and scalable authentication protocol for the internet of vehicles. IEEE Internet Things J. 2020, 8, 1123–1139. [Google Scholar] [CrossRef]
  13. Umar, M.; Islam, S.H.; Mahmood, K.; Ahmed, S.; Ghaffar, Z.; Saleem, M.A. Provable secure identity-based anonymous and privacy-preserving inter-vehicular authentication protocol for VANETS using PUF. IEEE Trans. Veh. Technol. 2021, 70, 12158–12167. [Google Scholar] [CrossRef]
  14. Xie, Q.; Ding, Z.; Zheng, P. Provably secure and anonymous V2I and V2V authentication protocol for VANETs. IEEE Trans. Intell. Transp. Syst. 2023, 24, 7318–7327. [Google Scholar] [CrossRef]
  15. Jiang, Q.; Zhang, X.; Zhang, N.; Tian, Y.; Ma, X.; Ma, J. Three-factor authentication protocol using physical unclonable function for IoV. Comput. Commun. 2021, 173, 45–55. [Google Scholar] [CrossRef]
  16. Saleem, M.A.; Li, X.; Ayub, M.F.; Shamshad, S.; Wu, F.; Abbas, H. An efficient and physically secure privacy-preserving key-agreement protocol for vehicular ad-hoc network. IEEE Trans. Intell. Transp. Syst. 2023, 24, 9940–9951. [Google Scholar] [CrossRef]
  17. Jiang, Q.; Zhang, N.; Ni, J.; Ma, J.; Ma, X.; Choo, K.K.R. Unified biometric privacy preserving three-factor authentication and key agreement for cloud-assisted autonomous vehicles. IEEE Trans. Veh. Technol. 2020, 69, 9390–9401. [Google Scholar] [CrossRef]
  18. Tahir, H.; Mahmood, K.; Ayub, M.F.; Saleem, M.A.; Ferzund, J.; Kumar, N. Lightweight and secure multi-factor authentication scheme in VANETs. IEEE Trans. Veh. Technol. 2023, 72, 14978–14986. [Google Scholar] [CrossRef]
  19. Awais, S.M.; Yucheng, W.; Mahmood, K.; Akram, M.W.; Hussain, S.; Das, A.K.; Park, Y. PUF-based privacy-preserving simultaneous authentication among multiple vehicles in VANET. IEEE Trans. Veh. Technol. 2023, 73, 6727–6739. [Google Scholar] [CrossRef]
  20. He, Z.; Tan, W.; Long, Y.; Chen, Y.; Niu, K.; Li, C.; Tan, W. VC-MAKA: Mutual Authentication and Key Agreement Protocol Based on Verifiable Commitment for Internet of Vehicles. IEEE Internet Things J. 2024, 11, 41166–41181. [Google Scholar] [CrossRef]
  21. Dolev, D.; Yao, A. On the Security of Public Key Protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [Google Scholar] [CrossRef]
  22. Canetti, R.; Krawczyk, H. Universally Composable Notions of Key Exchange and Secure Channels. In Proceedings of the Advances in Cryptology (EUROCRYPT 2002), Berlin/Heidelberg, Germany, 28 April–2 May 2002; pp. 337–351. [Google Scholar]
  23. Fábrega, F.J.T.; Herzog, J.C.; Guttman, J.D. Strand spaces: Proving security protocols correct. J. Comput. Secur. 1999, 7, 191–230. [Google Scholar] [CrossRef]
  24. Fábrega, F.J.T.; Herzog, J.C.; Guttman, J.D. Mixed strand spaces. In Proceedings of the 12th IEEE Computer Security Foundations Workshop, Mordano, Italy, 30 June 1999; pp. 72–82. [Google Scholar]
  25. Herzog, J.C. The Diffie-Hellman Key-agreement Scheme in the Strand Space Model. In Proceedings of the 16th IEEE Computer Security Foundations Workshop, 2003 Proceedings, Pacific Grove, CA, USA, 30 June–2 July 2003; pp. 234–247. [Google Scholar]
  26. Cremers, C.J.F. Scyther—Semantics and Verification of Security Protocols. Ph.D. Dissertation, Institute for Programming Research Algorithmics, Eindhoven University of Technology, Eindhoven, The Netherlands, 2006. [Google Scholar]
  27. The Scyther Tool. Available online: http://www.cs.ox.ac.uk/people/cas.cremers/scyther (accessed on 7 May 2022).
  28. Li, X.; Liu, T.; Obaidat, M.S.; Wu, F.; Vijayakumar, P.; Kumar, N. A lightweight privacy-preserving authentication protocol for VANETs. IEEE Syst. J. 2020, 14, 3547–3557. [Google Scholar] [CrossRef]
  29. Yadav, K.A.; Vijayakumar, P. LPPSA: An efficient lightweight privacy-preserving signature-based authentication protocol for a vehicular ad hoc network. Ann. Telecommun. 2022, 77, 473–489. [Google Scholar] [CrossRef]
  30. Brighente, A.; Conti, M.; Vasudev, H. MeLSeC: A Method for Lightweight and Secure Communication in Internet of Vehicles. In Proceedings of the 2022 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress, Falerna, Italy, 12–15 September 2022; pp. 1–8. [Google Scholar]
  31. Sikarwar, H.; Das, D. A novel MAC-based authentication scheme (NoMAS) for Internet of Vehicles (IoV). IEEE Trans. Intell. Transp. Syst. 2023, 24, 4904–4916. [Google Scholar] [CrossRef]
  32. Limbasiya, T.; Das, D. Lightweight secure message broadcasting protocol for vehicle-to-vehicle communication. IEEE Syst. J. 2019, 14, 520–529. [Google Scholar] [CrossRef]
Figure 1. Network model.
Figure 1. Network model.
Information 16 00404 g001
Figure 6. Communication cost comparison with other schemes [16,28,29].
Figure 6. Communication cost comparison with other schemes [16,28,29].
Information 16 00404 g006
Figure 7. Communication cost comparison with other schemes under different numbers of vehicles [16,28,29].
Figure 7. Communication cost comparison with other schemes under different numbers of vehicles [16,28,29].
Information 16 00404 g007
Figure 8. Storage cost comparison with other schemes [16,28,29].
Figure 8. Storage cost comparison with other schemes [16,28,29].
Information 16 00404 g008
Figure 9. Storage cost comparison with other schemes under different numbers of vehicles [16,28,29].
Figure 9. Storage cost comparison with other schemes under different numbers of vehicles [16,28,29].
Information 16 00404 g009
Figure 10. Computation cost comparison with other schemes [16,28,29].
Figure 10. Computation cost comparison with other schemes [16,28,29].
Information 16 00404 g010
Figure 11. Computation cost comparison with other schemes under different numbers of vehicles [16,28,29].
Figure 11. Computation cost comparison with other schemes under different numbers of vehicles [16,28,29].
Information 16 00404 g011
Figure 12. Energy consumption comparison with other schemes [16,28,29].
Figure 12. Energy consumption comparison with other schemes [16,28,29].
Information 16 00404 g012
Table 1. Summary of the related authentication and key agreement schemes for the IoV.
Table 1. Summary of the related authentication and key agreement schemes for the IoV.
SchemeYearCryptographic TechniquesAdvantagesLimitations
Chatterjee et al. [11]2018Uses PUF and hash functionsAvoids explicit storage of secret CRPsLacks user anonymity and relies on random number check for replay resistance
Aman et al. [12]2020Uses PUF and hash functionsReduces the risk of key storage via PUF and provides hardware-level random number generation to improve encryption efficiencyDoes not provide PUF challenge–response pair protection
Jiang et al. [17]2020Uses ECCProvides three-factor authenticationThe computational complexity is relatively high
Umar et al. [13]2021Uses XOR, hash functions, and PUFUses lightweight operations, thus suitable for resource-constrained devicesTemporary identifiers lack dynamic updates, risking privacy breaches
Jiang et al. [15] 2021Uses PUF and hash functionsProvides three-factor authentication and resists impersonation attacks Involves some entities that cannot be fully trusted
Xie et al. [14]2023Uses PUF and ECCCombines PUF with ECC for anonymous authentication and provides high security with low computational complexityRelies on partially trusted RSUs and vehicles and is vulnerable to spoofing attacks by malicious RSUs
Saleem et al. [16]2023Uses PUF, hash functions, XOR, and fuzzy extractorProvides lightweight operations and protects OBUs from physical tampering and cloning attacks using PUF and fuzzy extractorsVulnerable to desynchronization attacks
Tahir et al. [18]2023Uses XOR and hash functionsProvides multi-factor authentication and verifies vehicle location for system robustnessVulnerable to physical capture attacks
Awais et al. [19]2023Uses PUF, hash functions, and ECCProvides high security and is free from the influence of known attacksDoes not provide PUF challenge–response pair protection
He et al. [20]2024Uses PUF, hash functions, and symmetric encryption/decryptionProvides mutual authentication, secure session key establishment, rapid session key updates, and conditional anonymityNot applicable to high-traffic IoV scenarios
Table 2. The notations used in this protocol.
Table 2. The notations used in this protocol.
NotationDescription
Vi i t h vehicle
RSUj j t h RSU
IDvi, PWviIdentity and password of the user of Vi, respectively
BIOviBiometric data of the user of Vi
Cvi, RviPUF challenge–response pair of Vi
IDj, IDtIdentities of RSUj and the TA, respectively
PIDviPseudonym of Vi
Cj, RjPUF challenge–response pair of RSUj
ri, rj, rtRandom numbers
T1, T2, T3, T4Timestamps
T Maximum transmission time delay
F·G()Biometric fuzzy generator function
F·R()Biometric fuzzy reproducer function
mkMaster key generated by the TA
SKijSession key between Vi and RSUj
| | , Concatenation and bitwise XOR operator, respectively
PUF(), h()PUF function and hash function, respectively
vi, φvi*)Parameters generated by fuzzy extractors
Table 3. Comparison of the security features of the V2I authentication and key agreement phase.
Table 3. Comparison of the security features of the V2I authentication and key agreement phase.
FeatureLi et al. [28]Yadav et al. [29]Saleem et al. [16]PMAKA-IoV
Anonymity
Mutual Authentication
Resistance to Man-in-the-Middle Attack
Resistance to Replay Attack
Unlinkability
Resistance to Password Guessing Attack
Resistance to Desynchronization Attack
Resistance to Impersonation Attack
Resistance to DoS Attack
Resistance to Physical Capture Attack
Perfect Forward Secrecy
Table 4. Comparison of the communication cost of the V2I authentication and key agreement phase.
Table 4. Comparison of the communication cost of the V2I authentication and key agreement phase.
SchemeCommunication Cost
PMAKA-IoV4368 bits
Li et al. [28]5696 bits
Yadav et al. [29]3616 bits
Saleem et al. [16]3072 bits
Table 5. Comparison of the storage cost of the V2I authentication and key agreement phase.
Table 5. Comparison of the storage cost of the V2I authentication and key agreement phase.
SchemeVehicleTARSUTotal Cost
PMAKA-IoV784 bits1008 bits112 bits1904 bits
Li et al. [28]848 bits400 bits240 bits1488 bits
Yadav et al. [29]1168 bits768 bits256 bits2192 bits
Saleem et al. [16]1056 bits768 bits336 bits2160 bits
Table 6. Execution time cost of each operation.
Table 6. Execution time cost of each operation.
OperationNotationExecution Time Per Operation
One-way hash functionTh()0.0020 ms
AES encryptionTAE0.0100 ms
AES decryptionTAD0.0100 ms
PUF operationTPUF0.00013 ms
Elliptic curve multiplicationTECC2.6100 ms
Multiplication operationTMUL0.2680 ms
Table 7. Comparison of the computation cost of the V2I authentication and key agreement phase.
Table 7. Comparison of the computation cost of the V2I authentication and key agreement phase.
SchemeComputation CostTotal Cost
PMAKA-IoV16Th() + 2TPUF0.0323 ms
Li et al. [28]23Th()0.0460 ms
Yadav et al. [29]16Th() + 14TECC36.570 ms
Saleem et al. [16]16Th() + 3TMUL + 2TPUF + 2TAE + 2TAD0.8750 ms
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Yuan, M.; Xiao, Y. PMAKA-IoV: A Physical Unclonable Function (PUF)-Based Multi-Factor Authentication and Key Agreement Protocol for Internet of Vehicles. Information 2025, 16, 404. https://doi.org/10.3390/info16050404

AMA Style

Yuan M, Xiao Y. PMAKA-IoV: A Physical Unclonable Function (PUF)-Based Multi-Factor Authentication and Key Agreement Protocol for Internet of Vehicles. Information. 2025; 16(5):404. https://doi.org/10.3390/info16050404

Chicago/Turabian Style

Yuan, Ming, and Yuelei Xiao. 2025. "PMAKA-IoV: A Physical Unclonable Function (PUF)-Based Multi-Factor Authentication and Key Agreement Protocol for Internet of Vehicles" Information 16, no. 5: 404. https://doi.org/10.3390/info16050404

APA Style

Yuan, M., & Xiao, Y. (2025). PMAKA-IoV: A Physical Unclonable Function (PUF)-Based Multi-Factor Authentication and Key Agreement Protocol for Internet of Vehicles. Information, 16(5), 404. https://doi.org/10.3390/info16050404

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop