Lightweight One-to-Many User-to-Sensors Authentication and Key Agreement

Abstract

The proliferation of Internet of Things (IoT) deployments demands Authentication and Key Agreement (AKA) protocols that scale from one initiator to many devices while preserving strong security guarantees on constrained hardware. Prior lightweight one-to-many designs often rely on a network-wide secret, reuse a single group session key across devices, or omit Perfect Forward Secrecy (PFS), leaving systems vulnerable to compromise and traffic exposure. To this end, we present in this paper a lightweight protocol, named Lightweight One-To-many User-to-Sensors Authentication and Key Agreement (LOTUS-AKA), that achieves mutual authentication, PFS, and per-sensor key isolation while keeping devices free of public-key costs. The user and gateway perform an ephemeral elliptic-curve Diffie–Hellman exchange to derive a short-lived group key, from which independent per-sensor session keys are expanded via Hashed Message Authentication Code HMAC-based Key Derivation Function (HKDF). Each sensor receives its key through a compact Authenticated Encryption with associated data (AEAD) wrap under its long-term secret; sensors perform only hashing and AEAD, with no elliptic-curve operations. The login path uses an augmented Password-Authenticated Key Exchange (PAKE) to eliminate offline password guessing in the smart-card theft setting, and a stateless cookie gates expensive work to mitigate denial-of-service. We provide a game-based security argument and a symbolic verification model, and we report microbenchmarks on Cortex-M–class platforms showing reduced device computation and linear low-constant communication overhead with the number of sensors. The design offers a practical path to secure, scalable multi-sensor sessions in resource-constrained IoT.

1. Introduction

The development of Internet of Things (IoT) technology has greatly simplified people’s lives, allowing them to access real-time data from sensors thousands of miles away without leaving their homes [1]. However, due to the inherent nature of data transmission over public channels, incidents of information interception and tampering are a common occurrence [2].

Large-scale implementations of IoT regularly require an initiator (a user or a gateway) to establish protected channels with multiple sensors [3]. Repeating a one-to-one Authentication and Key Agreement (AKA) handshake n times wastes spectrum and energy, inflates latency, and magnifies the exposed attack surface at constrained devices [4]. The reason is two-fold: (i) each node must expose and parse additional handshake/certificate code paths that empirical studies show, which are prone to state-machine and parsing flaws exploitable for DoS or logic errors [5,6,7], and (ii) deployments of handshake-gating mechanisms (e.g., address-validation/anti-amplification) can still be bypassed or abused, leaving residual flooding vectors [8,9,10].

These pressures motivate one-to-many AKA: a single protocol run that yields fresh keys with a set of sensors while keeping device-side costs low. Prior “lightweight” approaches push public-key work to a more capable party and leave hashing or simple symmetric operations at sensors, achieving practical performance in IoT and Industrial IoT settings [11,12,13,14,15]. However, many such designs remain either (i) heavy on devices under realistic batching and revocation demands, or (ii) miss core guarantees such as Perfect Forward Secrecy (PFS), per-sensor key isolation, and a concrete rekey path, which are essential in adversarial, high-churn deployments [16].

1.1. Limitations of Prior Scheme(s)

Lack of true PFS: Several one-to-many schemes derive final session material primarily from long-term server, device secrets or static group values, so post-compromise disclosure of these values can retrospectively expose past traffic. In particular, designs that omit an ephemeral Diffie–Hellman (DH) contribution in the key schedule cannot claim PFS.

To overcome this limitation, we confine a fresh ephemeral Elliptic Curve Diffie–Hellman (ECDH) to the user–gateway path and base the entire session on that secret.

Single network-wide secret: Some constructions rely on a gateway-chosen value shared across all sensors (e.g., to mask identities or authenticate broadcasts). Compromising any one node then deanonymizes or weakens the entire fleet.

In this paper, we eliminate network-wide secrets; all derivations and authenticity checks are conducted under per-sensor long-term keys managed at the gateway registry.

Group key shared by all sensors: To save messages, a single group session key is often delivered to every sensor in the batch. This couples confidentiality across devices: the weakest sensor compromises the rest.

To fix this weakness, we adopt a two-tier schedule—derive a short-lived group key, then expand per-sensor keys—to deliver each securely via a compact Authenticated Encryption with associated data (AEAD) wrap under that sensor’s long-term secret.

Offline guessing under smart-card theft: Login paths that store verifier material on the card (or server) without augmentation enable offline dictionary attacks if the card or database is copied.

To mitigate this attack, we integrate an augmented Password-Authenticated Key Exchange (PAKE) so the server-side secret is required to validate guesses, hence, closing the stolen-card gap.

Timestamp-only DoS control: Many “lightweight” designs accept messages if a timestamp falls within a window, which is cheap for attackers to satisfy and does not gate expensive operations.

This limitation is fixed using a stateless cookie/Message Authentication Code (MAC) before-work gate at the gateway with minimal checks at sensors so unauthenticated requests cannot trigger heavyweight processing.

1.2. Our Contributions

In this paper, we present a Lightweight One-To-many User-to-Sensors Authentication and Key Agreement (LOTUS-AKA) protocol that preserves device frugality while restoring missing guarantees.

• One-to-many with PFS, no Elliptic-Curve Cryptography (ECC) on sensors: a single ephemeral ECDH between user and gateway yields a secret session; sensors perform only hashing and AEAD, without any elliptic-curve operations.
• Per-sensor keys without network-wide secrets: we derive a short-lived group key $\mathrm{GK}$, expand per-sensor, and deliver them via AEAD wraps under each sensor’s long-term key, thus removing any shared masking value.
• Augmented-PAKE login: the user login is hardened with an augmented PAKE, eliminating offline password guessing even if a smart card or server database is copied.
• Stateless DoS cookie: a MACed cookie authenticates the initiator before any heavyweight work at the gateway; sensors verify a cheap tag before state allocation.
• Revocation and rekey: we provide a Logical Key Hierarchy (LKH)-style mechanism with subset wrapping to revoke sensors and rotate long-term keys with bounded broadcast cost.
• Security analysis: we provide an Extended Canetti–Krawczyk eCK/${\mathrm{CK}}^{+}$-style proof for AKE security and privacy (anonymity/unlinkability) [17] and validate the design with a ProVerif/Tamarin model [18].
• Performance: measurements on Cortex-M–class Microcontroller Units (MCUs) show lower device computation and linear, low-constant communication/energy versus repeated one-to-one handshakes and recent one-to-many baselines.

The rest of the paper is organized as follows: Previous works is presented and discussed in Section 2. Section 3 introduces the background and the used preliminaries. The LOTUS-AKA Protocol is proposed in Section 4. In Section 5, we present the complete security analysis for the LOTUS-AKA Protocol. The evaluation of the proposed protocol is performed in Section 6. Section 7 presents the conclusion with future works.

2. Related Work

This section reviews prior work most relevant to lightweight, one-to-many AKA for IoT and WSN deployments. We group the literature into (i) standard one-to-one AKEs for constrained devices; (ii) broadcast and group-oriented authentication; (iii) group key management and subset rekeying; (iv) smart-card and multi-server schemes adapted to IoT; (v) DoS and availability defenses in handshakes; and (vi) symmetric-crypto choices and KDFs on MCUs.

2.1. One-to-One AKE for Constrained Devices

Transport-layer designs such as Datagram Transport Layer Security (DTLS) deliver mutual authentication and channel security over datagrams; DTLS 1.2 introduced a stateless cookie to reduce amplification, while DTLS 1.3 streamlined the handshake along TLS 1.3 lines [19,20]. Application-layer protection via OSCORE moves security to the Constrained Application Protocol (CoAP) message layer and composes cleanly with constrained transports [21]. Ephemeral Diffie–Hellman Over COSE (EDHOC), standardized by the Lightweight Authenticated Key Exchange Working Group (IETF LAKE WG), offers a compact AKE that pairs naturally with OSCORE [22,23,24]. These protocols are mature and well analyzed, but they are fundamentally one-to-one: a controller addressing n sensors typically repeats the handshake n times (1 → 1 repeated), amplifying ECDH/PAKE cost and airtime. Moreover, if sensors participate in ECC, the device code, energy, and timing budget grow accordingly.

2.2. Broadcast and Group-Oriented Authentication

Early WSN systems pushed cost to the sender and the network using symmetric pre-distribution and delayed-disclosure broadcast authentication (TESLA and variants) to avoid per-packet public-key work [25]. Later controller-to-many proposals derive a group key once and distribute per-node material. However, many “lightweight” designs optimize device code by (i) assuming a network-wide secret shared across verifiers, (ii) masking a batch group key with hashes or XOR without binding to a full transcript, and (iii) relying on timestamps for freshness. As a result, compromise of a single node or the controller’s long-term secret can retroactively expose past sessions, and simple cut-and-paste across runs may succeed when identities and context are not authenticated in associated data. In contrast, our design keeps the sender convenience (one broadcast plus n short ACKs) but eliminates network-wide secrets, derives a Group Key $\mathrm{GK}$ from an ephemeral ECDH visible only to users and gateways, and AEAD-wraps per-sensor shares under sensor keys with transcript-bound associated data (AD), achieving per-sensor isolation and modern freshness.

2.3. Group Key Management and Subset Rekeying

Logical Key Hierarchy (LKH) and related key-graph methods achieve scalable rekeying for a number of group members n (users/devices) in the secure group: joins and leaves cost $O(logn)$ messages instead of $O\left(n\right)$ by organizing members in a tree [26,27].

Subset-cover broadcast encryption (e.g., the subset-difference construction) provides alternative trade-offs among cover size, state, and revocation latency [28]. These tools power secure multicast, pay-TV, and IoT fleet management. Our protocol composes naturally with either approach: the gateway can wrap $\mathrm{GK}$ to the addressed subset using per-sensor AEADs (our default) or compact subset covers without changing device code. Optional key evolution on devices further limits damage from late device compromise when secure erasure is feasible.

2.4. Smart-Card and Multi-Server Authentication in IoT

A large thread of the IoT literature adapted multi-server, smart-card-based logins to gateways and sensors. Despite being labeled “lightweight,” many such designs avoid public-key cryptography on devices using system-wide symmetric verifiers and timestamp-only replay control, or by masking batch keys with unbound hashes. Analyses repeatedly identified absence of true PFS (no ephemeral DH); offline dictionary attacks once a card is copied; cross-device compromise due to network-wide secrets; and transcript splicing because identities and freshness are not authenticated in an AEAD AD. Our approach addresses the exact issues enumerated in Section 1.1: the only public-key work is an ephemeral ECDH between U and G; sensors do symmetric crypto only; user login is via augmented PAKE (OPAQUE-style), which eliminates offline guessing under card theft; and all ciphertexts are bound to identities and transcript via AEAD AD.

2.5. DoS and Availability in Handshakes

Stateless cookies gate expensive processing by requiring an initiator to echo a MACed token before the responder allocates state or runs heavy cryptography. This pattern appears in DTLS (1.2 HelloVerify, 1.3 cookie-based retry), Internet Key Exchange Protocol Version 2 (IKEv2) cookies, and Quick UDP Internet Connections (QUIC) retry with anti-amplification [19,20,29,30]. On constrained gateways and sensors, MAC-before-work, constant-time parsing, and bounded replay windows (timestamps plus counters) are critical to maintain availability under floods. Our cookie and pseudonym checks enforce these gates before any $\mathrm{AEAD}$ open or $\mathrm{HKDF}$ work.

2.6. Primitives on MCUs: AEAD and KDF

AEAD protects confidentiality and integrity while binding additional headers. AES-GCM is widely hardware-accelerated (ChaCha20–Poly1305 performs well in software on MCUs without AES engines [31,32]). For key derivation, KDF’s extract-then-expand design is simple and robust, with strong PRF-based proofs and broad deployment [33]. For ECDH between U and G, X25519 provides compact, constant-time scalar multiplication with ubiquitous library support [34]. Our evaluation echoes prior observations: on Cortex-M0, ChaCha20–Poly1305 minimizes per-sensor latency; on Cortex-M4/M7 with AES, AES-GCM is preferable.

2.7. Positioning

Table 1. Summary comparison: prior families vs. LOTUS-AKA. Y = supported; N = not; ∼ = partial/depends. Communication scaling is total control-plane bytes vs. the number of sensors n.

Protocol/Family	MutAuth	PFS	Per-Sens Iso	KCI	Privacy	OffDict	DoS	ECC@Sens	Comm. vs. n	Revoc
DTLS 1.3 (1 → 1) [20]	Y	Y	–	Y	∼	Y (no card)	Y	optional	$O\left(n\right)$ (repeat)	–
EDHOC+OSCORE (1 → 1) [22,24]	Y	Y	–	Y	∼	Y (no card)	via CoAP	optional	$O\left(n\right)$ (repeat)	–
TESLA-style broadcast [25]	auth. only	∼	N	–	N	–	N	Y (none)	$O\left(1\right)$ sender meta	∼
Group key w/masking (typical)	Y	N	N	N	N	N	N	Y (none)	$O\left(1\right)+O\left(n\right)$ wraps	∼
Smart-card multi-server (typical)	Y	N	N	N	∼	N	N	Y (none)	$O\left(1\right)+O\left(n\right)$	∼
LKH subset rekey [26,27,28]	–	∼	∼	–	N	–	N	Y (none)	$O(logn)$ rekey	Y
LOTUS-AKA (this work)	Y	Y	Y	Y	Y	Y	Y	Y (none)	$\mathit{O}\left(\mathbf{1}\right)+\mathit{O}\left(\mathit{n}\right)$	Y (via LKH)

presents a comparison among the existing protocols/families and our proposed LOTUS-AKA protocol with respect to several criteria. Standard 1 → 1 AKEs (DTLS, EDHOC+OSCORE) are excellent for pairwise channels but scale poorly when a user must reach many sensors at once. WSN-era broadcast techniques amortize sender cost but typically lack modern guarantees such as per-sensor isolation and PFS under device compromise. Smart-card multi-server proposals often fall to the Section 1.1 issues: network-wide keys, no ephemeral DH, timestamp-only replay control, and offline dictionary under card theft. LOTUS-AKA occupies the intersection: one ECDH per run (off-device), per-sensor AEAD wraps with transcript-bound AD, augmented PAKE login, stateless DoS cookie gates, and straightforward composition with LKH or subset covers.

3. Background and Preliminaries

3.1. Notation and Cryptographic Primitives

We use standard elliptic-curve groups over either NIST P–256 or X25519 for ephemeral Diffie–Hellman. Let G denote the base point, and let $x\in {\mathbb{Z}}_q$ be a uniformly random scalar with public point $X=xG$. Key derivation employs $\mathrm{HKDF}$ with H = SHA256; message authentication uses $\mathrm{HMAC}$ over $\mathrm{H}$. Authenticated Encryption uses an AEAD scheme (either AES–GCM or ChaCha20–Poly1305) with associated data (AD) binding identities, counters, timestamps, and transcript hashes. The password login is instantiated with an augmented PAKE with OPAQUE-style, so the server stores a hardened record while the client holds only an opaque envelope (for complete Notation summary, see

Table 2. Notation summary.

Symbol	Meaning
G	Base point of P–256/X25519 group
$x,X$	Private scalar $x\leftarrow {\mathbb{Z}}_q$, public $X=xG$
s	Gateway master secret
${\mathrm{SID}}_j$	Identifier of sensor $S_j$
$s{k}_j$	Long-term per-sensor secret $H({\mathrm{SID}}_j\Vert s)$
Y	Gateway ephemeral $yG$; X is user ephemeral
Z	ECDH secret $xyG$; $\mathrm{GK}=\mathrm{HKDF}(Z,\mathrm{ctx})$
$S{K}_j$	Per-sensor session key $\mathrm{HKDF}(\mathrm{GK},{\mathrm{SID}}_j\Vert \mathrm{transcript})$
${\pi }_j$	Pseudonym ${\mathrm{HMAC}}_{s{k}_j}(\mathrm{TS}\Vert \mathrm{ctr})$
${\mathrm{Wrap}}_j$	${\mathrm{AEAD}}_{s{k}_j}(\mathrm{GK};\mathrm{AD})$ to deliver $S{K}_j$
TS, ctr	Timestamp and per-session counter
$\mathrm{H},\mathrm{HKDF}$	SHA–256 hash and HKDF (extract&expand)
AEAD	AES–GCM or ChaCha20–Poly1305

).

Security Assumptions and Proof Oracles

Our game-based analysis relies on hardness of CDH/X25519, PRF/RO behavior of $\mathrm{H}$ and $\mathrm{HKDF}$, and IND–CCA security of the AEAD. We use standard AKE oracles: $\mathsf{Send}$ (activate a protocol step), $\mathsf{Reveal}$ (expose a completed session key), $\mathsf{EphemeralReveal}$ (expose fresh DH scalars in eCK/${\mathrm{CK}}^{+}$), $\mathsf{StateReveal}$ (long-term state), $\mathsf{Corrupt}$ (compromise of users/sensors), and $\mathsf{Test}$ (real-or-random key indistinguishability). Privacy is modeled via anonymity/unlinkability queries that challenge the adversary to distinguish identities or link sessions given full transcripts and allowable side information. Freshness excludes sessions where the attacker learns the joint DH secret or both parties’ long-term keys prior to $\mathsf{Test}$.

3.2. System and Trust Model

Before we start with the system and trust model, it is necessary to define some conventions and notations:

All protocol values are byte strings. We write ‖ for bytewise concatenation. A deterministic, injective encoder $\mathsf{enc}(·)$ serializes structured values to bytes: $\mathsf{enc}\left({\mathrm{SID}}_j\right)$ is the length-prefixed UTF-8 encoding of the sensor identifier; $\mathsf{enc}\left(s\right)$ is the fixed-length big-endian encoding of the $\kappa$-bit secret s.

• $\lambda$: Output length of the hash (bits), e.g., $\lambda =256$.
• $H:{\{0,1\}}^{\ast }\to {\{0,1\}}^{\lambda }$: Cryptographic hash (e.g., SHA-256).
• $SI{D}_j\in {\{0,1\}}^{\ast }$: Public identifier of sensor $S_j$.
• $s\in {\{0,1\}}^{\kappa }$: Gateway master secret.
• ‖: Byte-string concatenation.
• $\mathsf{enc}(·)$: Deterministic, injective byte encoding.

Entities: A user U (operator/app), a gateway G (registry, policy, and broadcast engine), and a set of sensors $\left\{S_j\right\}$ (resource constrained, symmetric-only).

Keys: The gateway samples a master secret $s\in {\mathbb{Z}}_q$. For each sensor with identifier ${\mathrm{SID}}_j$, the long-term per-sensor secret is presented as follows:

$$s{k}_j=\mathrm{H}({\mathrm{SID}}_j\Vert s).$$

$$\begin{array}{cc}\hfill s{k}_j& =H\left(SI{D}_j\parallel s\right)\hfill \\ & =H\left(\mathrm{enc}\left(SI{D}_j\right)\parallel \mathrm{enc}\left(s\right)\right).\hfill \end{array}$$

The gateway maintains a registry $\langle {\mathrm{SID}}_j,s{k}_j\rangle$. Users authenticate with G via an augmented PAKE credential; no plaintext password verifiers are stored at G, and user devices hold only an opaque PAKE envelope.

Adversary: We assume a Dolev–Yao network adversary with full control over delivery and ordering of messages (eavesdrop, inject, replay, and delay). The adversary may attempt device capture (including extraction of a smart card or a sensor), offline dictionary attacks, and partial compromise of server-side state. Clocks are loosely synchronized with a skew bound $\mathrm{\Delta }$; protocols additionally bind nonces/counters to each session to prevent replays even under clock drift.

We model loose synchronization by a bound $\mathrm{\Delta }$ such that $\forall i,j,t:|C_i\left(t\right)-C_j\left(t\right)|\le \mathrm{\Delta }$. In practice set $\mathrm{\Delta }=2{\rho }_{max}\tau +{\epsilon }_{\mathrm{sync}}$ from oscillator drift ${\rho }_{max}$, resync interval $\tau$, and residual offset ${\epsilon }_{\mathrm{sync}}$, where:

• $C_i\left(t\right)$: Local clock reading of node i at physical time t (seconds), assumed monotone.
• ${\rho }_{max}$: Worst-case relative drift (frequency error) of clocks (e.g., in ppm).
• $\tau$: Upper bound on the interval between (re-)synchronization events.
• ${\epsilon }_{\mathrm{sync}}$: Residual clock offset immediately after a sync exchange (accounts for delay asymmetry).

3.3. Design Goals

Our protocol targets the following properties:

• Mutual authentication  between U and each $S_j$ via G.
• Perfect Forward Secrecy (PFS) from an ephemeral ECDH between U and G.
• Key-compromise impersonation (KCI) resistance and key indistinguishability.
• Privacy: user anonymity and sensor unlinkability from public transcripts.
• Per-sensor confidentiality: even within one batch run, keys $S{K}_j$ are isolated across sensors.
• Replay and DoS resistance: timestamps + nonces/counters, and a stateless MACed cookie that gates expensive work.
• Efficiency and scalability: sensors perform only hash/HMAC/AEAD; communication scales linearly with the number of addressed sensors with small constants.
• Revocation/rekey: operator can revoke sensors and rotate long-term material using a lightweight Logical Key Hierarchy (LKH) with subset wrapping.

4. Lightweight One-to-Many User-to-Sensors Authentication and Key Agreement (LOTUS-AKA) Protocol

4.1. Setup and Registration

Algorithm 1 outlines the setup and registration part. In details:

Gateway: The gateway G selects an elliptic-curve group (P–256 or X25519) with base point P, and samples a master secret $s\leftarrow {\mathbb{Z}}_q$.

Sensor registration: For each sensor with identifier ${\mathrm{SID}}_j$, G derives a long-term per-sensor secret

$$s{k}_j=H({\mathrm{SID}}_j\Vert s),$$

and stores the registry entries $\langle {\mathrm{SID}}_j,s{k}_j\rangle$. No network-wide key is ever created or distributed. User registration/login: Users authenticate to G via an augmented PAKE with OPAQUE-style. The server stores a hardened PAKE record; the user device (or card) holds only an opaque envelope. Thus, neither side alone enables offline password guessing if compromised. In other words, we store a hardened PAKE record as a verifier, not the password. That means, instead of storing the password, the server stores a hardened verifier produced with a memory-hard password hashing function (Argon2id) using a per-user salt and tuned cost parameters, optionally protected with a server-side pepper/HSM [35,36]. With OPAQUE, the server keeps only an OPRF seed and an encrypted credential “envelope” created at registration; the server never learns the password and a leaked database does not enable offline guessing [37,38]

Algorithm 1: LOTUS-AKA Setup and Registration.

State: Gateway registry $\mathcal{R}$ initially empty 1 Gateway G: choose curve (P-256 or X25519) with base point P; sample master secret      $s\leftarrow {\mathbb{Z}}_q$ ; 2 Sensor registration (each$S_j$with identifier ${\mathrm{SID}}_j$):; 3    $s{k}_j\leftarrow H({\mathrm{SID}}_j\Vert s)$; store $\langle {\mathrm{SID}}_j,s{k}_j\rangle$ in $\mathcal{R}$ (no network-wide key); 4 User registration/login (augmented PAKE, OPAQUE-style); 5    server stores a hardened PAKE record; user device/card stores an opaque envelope (no plaintext password);

   Sensors do not derive the current group key $GK$ from their long-term secret. Instead, after the user–gateway run establishes a new $GK$, the gateway distributes $GK$ to each addressed sensor $S_j$ by encapsulating it with Authenticated Encryption under the sensor’s secret key $s{k}_j$. Concretely, the gateway includes in the broadcast a per-sensor identifier ${\pi }_j$ and an AEAD ciphertext ${\mathrm{Wrap}}_j$ that encrypts $GK$ with associated data binding (e.g., $SI{D}_j$, timestamp/nonce, and epoch). Each sensor computes its own ${\pi }_j$, locates the matching tuple in the broadcast, and performs $\mathrm{AEAD}\_{\mathrm{Open}}_{s{k}_j}\left({\mathrm{Wrap}}_j\right)$ to recover $GK$, from which it derives its per-sensor session key $S{K}_j$ using the specified key-derivation step.

By default, $GK$ is refreshed on every one-to-many authentication session because it is derived from fresh user–gateway ephemeral material.

4.2. One-to-Many Authentication and Key Agreement

Let $\mathcal{S}=\{j_1,\dots ,j_m\}$ be the subset of addressed sensors in this run, $b\leftarrow {\mathbb{Z}}_q$ the user’s fresh scalar with $X=bP$, and $y\leftarrow {\mathbb{Z}}_q$ the gateway’s fresh scalar with $Y=yP$. Let $\tau$ denote the running transcript hash bound into all KDFs/AEAD AD. Figure 1 illustrates a concrete example of subset-tag encoding and gateway-side expansion.

Algorithm 2 tracks the steps to apply the one-to-many authentication and key agreement.

(1)

User → Gateway

The user U sends a request containing (i) the PAKE finish tag, (ii) a response to a stateless DoS cookie issued earlier by G, (iii) the sensor subset descriptor for $\mathcal{S}$ (optionally anonymized as a policy tag), and (iv) the ephemeral $X=bP$. Sensor identifiers do need not to appear clearly when anonymity is required.

(2)

Gateway processing

Upon verifying the PAKE finish and cookie, G samples y, sets $Y=yP$, and computes the ECDH shared secret $Z=\mathrm{KDF}\left(bY\right)=\mathrm{KDF}\left(yX\right)$. It derives a short-lived group key

$$\mathrm{GK}=\mathrm{HKDF}(Z,\mathrm{info}=\tau ),$$

which never leaves U and G clearly.

$\tau$ is the HKDF $\mathsf{info}$ context string providing domain separation.

(3)

Per-sensor wrapping and broadcast

For each $j\in \mathcal{S}$, G computes a per-run pseudonym and wrap:

$$\begin{array}{cc}\hfill {\pi }_j& = {\mathrm{HMAC}}_{s{k}_j}\left(\mathrm{TS} \Vert \mathrm{ctr}\right),\hfill \\ \hfill {\mathrm{Wrap}}_j& ={\mathrm{AEAD}}_{s{k}_j}\left(\mathrm{GK};\mathrm{AD}= {\mathrm{SID}}_j \Vert \mathrm{TS} \Vert \tau \right).\hfill \end{array}$$

(1)

G broadcasts a single message

$$\{Y,\mathrm{TS},\mathrm{ctr},{\{{\pi }_j,{\mathrm{Wrap}}_j\}}_{j\in \mathcal{S}}\},$$

optionally alongside a compact policy tag instead of explicit ${\mathrm{SID}}_j$ values (for anonymity; sensors recover by trial on ${\pi }_j$).

(4)

Sensor $S_j$ processing

Each sensor verifies the cheap cookie/tag and finds its entry by testing ${\pi }_j$ under $s{k}_j$. It opens ${\mathrm{Wrap}}_j$ using AEAD to obtain $\mathrm{GK}$, and derives its independent session key

$$S{K}_j=\mathrm{HKDF}\left(\mathrm{GK},\mathrm{info}={\mathrm{SID}}_j \Vert \mathrm{UID} \Vert \tau \right).$$

It returns an authenticated confirmation ${\mathrm{MAC}}_j={\mathrm{HMAC}}_{S{K}_j}(\tau \Vert \mathrm{role})$ to G.

(5)

User key confirmation

The user recomputes $Z=\mathrm{KDF}\left(yX\right)$ and $\mathrm{GK}$ from $X,Y$, derives all ${\left\{S{K}_j\right\}}_{j\in \mathcal{S}}$ locally, and verifies the returned ${\mathrm{MAC}}_j$ values (either relayed by G or observed directly). An optional final acknowledgment from U completes the run.

4.3. Rationale and Differences

Perfect Forward Secrecy (PFS): Only the U↔G path performs ephemeral ECDH; session material depends on Z and is therefore forward–secret even if s or any $s{k}_j$ are later compromised.

Per-sensor isolation: A two-tier schedule is used: a short-lived group key $\mathrm{GK}$ expands to independent $S{K}_j$ values via $\mathrm{HKDF}$; each $S{K}_j$ is delivered implicitly by opening ${\mathrm{Wrap}}_j$. Compromise of one sensor does not expose other sensors’ keys.

No XOR masking, no network-wide secret: The design removes any single value shared by all sensors. Identity protection and delivery authenticity are enforced via ${\pi }_j$ and AEAD under $s{k}_j$.

Lightweight sensors: Sensors perform only hash/HMAC and AEAD (no elliptic-curve), fitting MCU-class devices.

Practical hardening: The augmented PAKE eliminates offline guessing under card theft; a stateless MACed cookie gates expensive work at G; timestamps and per-session counters prevent replays; revocation/rekey are handled separately via LKH with subset wrapping as detailed and presented in Algorithm 3.

Figure 2 depicts the one-to-many AKA run between the user U, the gateway G, and the sensor set $\left\{S_j\right\}$ (Please refer to

Table 3. Key schedule and AEAD associated data (AD).

Label	Definition
Z	$\mathrm{KDF}\left(bY\right)=\mathrm{KDF}\left(yX\right)$ (ECDH secret)
$\mathrm{GK}$	$\mathrm{HKDF}(Z,\mathrm{info}=\tau )$
$S{K}_j$	$\mathrm{HKDF}(\mathrm{GK},\mathrm{info}={\mathrm{SID}}_j \Vert \mathrm{UID} \Vert \tau )$
${\pi }_j$	${\mathrm{HMAC}}_{s{k}_j}(\mathrm{TS} \Vert \mathrm{ctr})$
${\mathrm{Wrap}}_j$	${\mathrm{AEAD}}_{s{k}_j}(\mathrm{GK};\mathrm{AD}={\mathrm{SID}}_j \Vert \mathrm{TS} \Vert \tau )$
AD fields	Identities, subset tag, $\mathrm{TS}$, $\mathrm{ctr}$, transcript hash $\tau$

for the definition of the variables used in the one-to-many AKA run). First, U sends a single request to G carrying the PAKE finish tag, the response to a stateless DoS cookie, an (optionally anonymizing) subset tag for the addressed sensors, and the user’s ephemeral $X=bP$. After validating the PAKE and cookie, G samples y, sets $Y=yP$, computes the ECDH secret $Z=\mathrm{KDF}\left(yX\right)$, and derives a short-lived group key $\mathrm{GK}=\mathrm{HKDF}(Z,\tau )$, where $\tau$ is the running transcript hash. For each target sensor $S_j$, G then forms a pseudonym ${\pi }_j={\mathrm{HMAC}}_{s{k}_j}(\mathrm{TS} \Vert \mathrm{ctr})$ and a compact wrap ${\mathrm{Wrap}}_j={\mathrm{AEAD}}_{s{k}_j}\left(\mathrm{GK};\mathrm{AD}={\mathrm{SID}}_j \Vert \mathrm{TS} \Vert \tau \right)$, and broadcasts a single message $\{Y,\mathrm{TS},\mathrm{ctr},{({\pi }_j,{\mathrm{Wrap}}_j)}_j\}$ to the whole set. Each $S_j$ identifies its entry via ${\pi }_j$, opens ${\mathrm{Wrap}}_j$ using its long-term key $s{k}_j$ to recover $\mathrm{GK}$, derives an independent per-sensor key $S{K}_j=\mathrm{HKDF}(\mathrm{GK},{\mathrm{SID}}_j \Vert \mathrm{UID} \Vert \tau )$, and returns a short confirmation ${\mathrm{MAC}}_j={\mathrm{HMAC}}_{S{K}_j}\left(\tau \right)$. The user (directly or via G) verifies these ${\mathrm{MAC}}_j$ values after recomputing Z and $\mathrm{GK}$ from $(X,Y)$. Only U and G perform ephemeral ECDH (yielding PFS); sensors remain hash/AEAD-only. Because no network-wide secret is used and keys are derived per sensor, compromise of one device does not endanger others, and a single broadcast plus n short replies scales efficiently to large batches.

5. Security Analysis

This section sketches why LOTUS-AKA protocol meets its goals under standard assumptions. We use a game-based approach for AKE security and privacy, and complement it with symbolic verification.

5.1. Proof Roadmap (Game-Based)

We follow the standard computational model: a probabilistic polynomial-time (PPT) adversary is a (possibly non-uniform) randomized oracle machine $\mathcal{A}$ that, with the input of the security parameter $1^{\lambda }$, runs in time $\mathrm{poly}\left(\lambda \right)$ and interacts with the ${\mathrm{CK}}^{+}$/eCK experiment via the usual oracles ($\mathsf{Send}$, $\mathsf{Reveal}$, $\mathsf{EphemeralReveal}$, $\mathsf{StateReveal}$, $\mathsf{Corrupt}$, and $\mathsf{Test}$). All success probabilities/advantages are taken over the coins of the experiment and of $\mathcal{A}$; security requires every PPT adversary’s advantage to be negligible in $\lambda$.

Before stating the theorems, it is beneficial to describe some parameters:

• $\mathcal{B}$ denotes a probabilistic polynomial-time oracle machine that runs the AKE adversary $\mathcal{A}$ as a subroutine and leverages its view/queries to attack an underlying primitive. The quantity ${\mathsf{Adv}}_{\mathcal{B}}^{\star }$ is $\mathcal{B}$’s success/advantage in the corresponding security game (standard in reduction-based proofs).
• $\lambda$: Security parameter; all algorithms are PPT in $1^{\lambda }$.
• ${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{ake}}$: Adversary $\mathcal{A}$’s AKE advantage in the ${\mathrm{CK}}^{+}$/eCK indistinguishability experiment (distinguishing a fresh session key from uniform under the standard oracle interface).
• ${\mathsf{Adv}}_{{\mathcal{B}}_1}^{\mathsf{pake}}$: Advantage of some PPT reduction ${\mathcal{B}}_1$ in breaking the underlying PAKE security experiment (following BPR-style PAKE definitions).
• ${\mathsf{Adv}}_{{\mathcal{B}}_2}^{\mathsf{prf}}\left(\mathrm{HKDF}\right)$: PRF advantage of ${\mathcal{B}}_2$ against the HMAC-based HKDF-Expand function (modeled as a keyed PRF on its input). Formally, $|Pr[{\mathcal{B}}_2^F=1]-Pr[{\mathcal{B}}_2^R=1]|$, where F is HKDF-Expand and R is a random function.
• ${\mathsf{Adv}}_{{\mathcal{B}}_3}^{\mathsf{aead}}$: AEAD advantage of ${\mathcal{B}}_3$ against the symmetric cipher (aggregate of privacy IND-CPA/nonce-respecting and integrity INT-CTXT advantages for associated data).
• ${\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}$: Success probability of ${\mathcal{B}}_4$ in solving the Computational Diffie–Hellman problem in the chosen group (given $(g,g^a,g^b)$, output $g^{ab}$).
• $\mathrm{negl}\left(\lambda \right)$: A negligible function in $\lambda$.

Theorem 1

(AKE security under ${\mathrm{CK}}^{+}$/eCK). Let $\mathcal{A}$ be a PPT adversary in the ${\mathit{CK}}^{+}$/eCK setting with access to $\mathsf{Send}$, $\mathsf{Reveal}$, $\mathsf{EphemeralReveal}$, $\mathsf{StateReveal}$, $\mathsf{Corrupt}$, and $\mathsf{Test}$ oracles. Then, for any fresh session between U and $S_j$,

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{ake}}\le {\mathsf{Adv}}_{{\mathcal{B}}_1}^{\mathsf{pake}}+{\mathsf{Adv}}_{{\mathcal{B}}_2}^{\mathsf{prf}}\left(\mathrm{HKDF}\right)+{\mathsf{Adv}}_{{\mathcal{B}}_3}^{\mathsf{aead}}+{\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}+\mathrm{negl}\left(\lambda \right).$$

Proof. 

(i) Replace the augmented-PAKE transcript with an ideal functionality; any distinguishing advantage reduces to the PAKE security of the underlying scheme. (ii) Replace AEAD by an ideal $(\mathsf{IND}-\mathsf{CCA},\mathsf{INT}-\mathsf{CTXT})$ channel; any forgery or decryption advantage reduces to AEAD security. (iii) Replace $Z=\mathrm{KDF}\left(yX\right)$ by a uniform key using the CDH/X25519 hardness (via a standard DDH/CDH-style hybrid for ephemeral ECDH). (iv) Replace HKDF (extract&expand with SHA-256) by a PRF/RO; any bias in $\mathrm{GK}$ or $S{K}_j$ becomes a PRF distinguisher. After these hops, the Test oracle returns a key computationally indistinguishable from random, yielding the bound. Freshness follows ${\mathrm{CK}}^{+}$/eCK conventions: revealing long-term user or sensor keys (or one side’s ephemeral) without jointly exposing the session DH secret keeps the tested session fresh.

Let ${\mathsf{Hyb}}_0$ be the real ${\mathrm{CK}}^{+}$/eCK AKE experiment and let ${\mathsf{Hyb}}_4$ be the ideal one where the Test key is uniform. We transform ${\mathsf{Hyb}}_0$ into ${\mathsf{Hyb}}_4$ in four hops, each paid for by a standard advantage term; all oracles ($\mathsf{Send/Reveal/EphemeralReveal/StateReveal/Corrupt/Test}$) and freshness are simulated exactly as in [39,40].

(${\mathsf{Hyb}}_0\to {\mathsf{Hyb}}_1$—PAKE idealization). Replace the real PAKE subroutine with its ideal experiment (BPR-style). A reduction ${\mathcal{B}}_1$ uses any AKE distinguisher to win the PAKE game, so

$$\left|Pr[{\mathsf{Hyb}}_0\Rightarrow 1]-Pr[{\mathsf{Hyb}}_1\Rightarrow 1]\right|\le {\mathsf{Adv}}_{{\mathcal{B}}_1}^{\mathsf{pake}}.$$

(${\mathsf{Hyb}}_1\to {\mathsf{Hyb}}_2$—HKDF as PRF). Replace each call to HKDF-Expand by an oracle that is either the real PRF or a random function. A reduction ${\mathcal{B}}_2$ turns any change in $\mathcal{A}$’s success into a PRF win:

$$\left|Pr[{\mathsf{Hyb}}_1\Rightarrow 1]-Pr[{\mathsf{Hyb}}_2\Rightarrow 1]\right|\le {\mathsf{Adv}}_{{\mathcal{B}}_2}^{\mathsf{prf}}\left(\mathrm{HKDF}\right).$$

(${\mathsf{Hyb}}_2\to {\mathsf{Hyb}}_3$—AEAD privacy and integrity). Answer all protocol encryptions/decryptions using the AEAD challenger; any successful privacy distinction or ciphertext forgery by $\mathcal{A}$ provides an AEAD win to ${\mathcal{B}}_3$:

$$\left|Pr[{\mathsf{Hyb}}_2\Rightarrow 1]-Pr[{\mathsf{Hyb}}_3\Rightarrow 1]\right|\le {\mathsf{Adv}}_{{\mathcal{B}}_3}^{\mathsf{aead}}.$$

(${\mathsf{Hyb}}_3\to {\mathsf{Hyb}}_4$—Diffie–Hellman hardness). Embed a CDH instance into the ephemeral DH exchange (e.g., set one party’s ephemeral public key to a challenge point). If $\mathcal{A}$ still distinguishes the Test key from random in a fresh session, ${\mathcal{B}}_4$ extracts $abP$, solving CDH:

$$\left|Pr[{\mathsf{Hyb}}_3\Rightarrow 1]-Pr[{\mathsf{Hyb}}_4\Rightarrow 1]\right|\le {\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}.$$

Finally, by the triangle inequality and since in ${\mathsf{Hyb}}_4$ the Test key is uniform,

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{ake}}=\left|Pr[{\mathsf{Hyb}}_0\Rightarrow 1]-\frac{1}{2}\right|\le \sum _{i=0}^3\left|Pr[{\mathsf{Hyb}}_i\Rightarrow 1]-Pr[{\mathsf{Hyb}}_{i+1}\Rightarrow 1]\right|+\mathrm{negl}\left(\lambda \right),$$

which yields

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{ake}}\le {\mathsf{Adv}}_{{\mathcal{B}}_1}^{\mathsf{pake}}+{\mathsf{Adv}}_{{\mathcal{B}}_2}^{\mathsf{prf}}\left(\mathrm{HKDF}\right)+{\mathsf{Adv}}_{{\mathcal{B}}_3}^{\mathsf{aead}}+{\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}+\mathrm{negl}\left(\lambda \right).$$

The negligible term covers standard bad events (e.g., collisions, and freshness failure) under our assumptions.    □

Theorem 2

(Post-compromise secrecy of Z, $\mathrm{GK}$, and $S{K}_j$). Let U and $S_j$ complete a fresh session producing the shared Diffie–Hellman value $Z=xyP\in \mathbb{G}$ and derive keys via $\mathrm{GK}\leftarrow \mathrm{HKDF}(Z;\mathit{info}=\tau )$ and $S{K}_j\leftarrow \mathrm{HKDF}(\mathrm{GK};\mathit{info}=\mathtt{sk} \Vert {\mathrm{SID}}_j \Vert \tau )$. If, after this completion, the gateway master secret s is revealed, then for any PPT adversary $\mathcal{A}$ in the ${\mathit{CK}}^{+}$/eCK model, the AKE distinguishing advantage satisfies

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{ake}}\le {\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}+{\mathsf{Adv}}_{{\mathcal{B}}_2}^{\mathsf{prf}}\left(\mathrm{HKDF}\right)+\mathrm{negl}\left(\lambda \right),$$

hence, Z, $\mathrm{GK}$, and all $S{K}_j$ from that session remain indistinguishable from random.

Proof. 

We use a standard sequence of games. Let $\lambda$ be the security parameter, and let $\mathrm{negl}\left(\lambda \right)$ denote a negligible function.

Game $G_0$ (Real): This is the real ${\mathrm{CK}}^{+}$/eCK experiment for $\mathcal{A}$ with a fresh test session. Let ${\mathsf{Adv}}_0=\left|Pr[b=1]-\frac{1}{2}\right|$ be $\mathcal{A}$’s distinguishing advantage.

Game $G_1$ (Enforce freshness): Identical to $G_0$, except the game aborts if $\mathcal{A}$ violates freshness (e.g., reveals the test session’s long-term or ephemeral secrets). Because the tested session is fresh by hypothesis, $Pr[G_0\ne G_1]=0$ and ${\mathsf{Adv}}_1={\mathsf{Adv}}_0$.

Game $G_2$ (Hide Z by hardness of CDH): We change only how keys are conceptually computed as follows: keep the public transcript $(P,X=xP,Y=yP,\tau ,{\mathrm{SID}}_j)$ exactly as in $G_1$, but regard the seed fed to $\mathrm{HKDF}$ as unknown to $\mathcal{A}$ unless it can compute $Z=xyP$ from $(P,X,Y)$. By the computational Diffie–Hellman assumption, any PPT algorithm that outputs Z from $(P,X,Y)$ has advantage at most ${\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}$. Equivalently, conditioned on the transcript, Z is computationally unpredictable; thus, Z retains (computational) min-entropy $\kappa =\Theta \left(\lambda \right)$. Therefore the transition $G_1\Rightarrow G_2$ changes $\mathcal{A}$’s view by at most ${\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}$:

$$\left|{\mathsf{Adv}}_1-{\mathsf{Adv}}_2\right|\le {\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}.$$

Game $G_3$ (Replace HKDF outputs by random via PRF security): Since in $G_2$ the HKDF input has high (computational) entropy unknown to $\mathcal{A}$, we use that HKDF (Extract-then-Expand with HMAC) is a pseudorandom function/extractor. Replace $\mathrm{HKDF}(·;\mathrm{info})$ at all points (for $\mathrm{GK}$ and for each $S{K}_j$) by a truly random function with the same interface. By the PRF security of HKDF, this changes $\mathcal{A}$’s advantage by at most ${\mathsf{Adv}}_{{\mathcal{B}}_2}^{\mathsf{prf}}\left(\mathrm{HKDF}\right)$; any residual statistical slack from extraction (e.g., collision or leftover-hash-style terms) is absorbed in $\mathrm{negl}\left(\lambda \right)$:

$$\left|{\mathsf{Adv}}_2-{\mathsf{Adv}}_3\right|\le {\mathsf{Adv}}_{{\mathcal{B}}_2}^{\mathsf{prf}}\left(\mathrm{HKDF}\right)+\mathrm{negl}\left(\lambda \right).$$

Concluding bound: In $G_3$, the test key is independent of the transcript and uniformly random, so ${\mathsf{Adv}}_3=0$. By the triangle inequality over the hops $G_0\to G_1\to G_2\to G_3$,

$$\begin{array}{cc}\hfill {\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{ake}}={\mathsf{Adv}}_0& \le \underset{=0}{\underbrace{\left|{\mathsf{Adv}}_0-{\mathsf{Adv}}_1\right|}}+\underset{\le {\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}}{\underbrace{\left|{\mathsf{Adv}}_1-{\mathsf{Adv}}_2\right|}}+\underset{\le {\mathsf{Adv}}_{{\mathcal{B}}_2}^{\mathsf{prf}}\left(\mathrm{HKDF}\right)+\mathrm{negl}\left(\lambda \right)}{\underbrace{\left|{\mathsf{Adv}}_2-{\mathsf{Adv}}_3\right|}}\hfill \\ & \le {\mathsf{Adv}}_{{\mathcal{B}}_4}^{\mathsf{cdh}}+{\mathsf{Adv}}_{{\mathcal{B}}_2}^{\mathsf{prf}}\left(\mathrm{HKDF}\right)+\mathrm{negl}\left(\lambda \right).\hfill \end{array}$$

Finally, revealing the gateway master secret s after completion does not help compute Z (since $x,y$ are erased), nor distinguish HKDF outputs in $G_3$; hence, Z, $\mathrm{GK}$, and every $S{K}_j$ from that session remain indistinguishable from random.    □

Theorem 3

(Privacy). User anonymity and sensor unlinkability hold against a network adversary.

Proof. 

User identity is hidden by the augmented-PAKE (server-aided, no verifier for offline guessing). Sensors appear only via per-session pseudonyms ${\pi }_j={\mathrm{HMAC}}_{s{k}_j}(\mathrm{TS} \Vert \mathrm{ctr})$; without $s{k}_j$, ${\pi }_j$ is a PRF output that changes with $(\mathrm{TS},\mathrm{ctr})$, preventing cross-run linkage. ${\mathrm{SID}}_j$ is never sent in the clear text when the subset tag is anonymized; associated data (AD) binds identities to ciphertexts without revealing them.    □

Theorem 4

(Resilience). Against a Dolev–Yao network adversary with access to $\mathsf{Send}, \mathsf{Reveal}, \mathsf{EphemeralReveal}, \mathsf{StateReveal}$, and $\mathsf{Corrupt}$ oracles (${\mathit{CK}}^{+}$/eCK freshness), the protocol resists (i) key-compromise impersonation (KCI), (ii) replay, (iii) man-in-the-middle and transcript-splicing, (iv) party impersonation without credentials, and (v) offline dictionary attacks under smart-card theft. It also enforces ciphertext integrity for per-sensor wraps and confirmations.

Proof. 

We argue each property under the assumptions used in Theorem 1 (augmented-PAKE security, AEAD $\mathsf{IND}$-$\mathsf{CCA}$ and $\mathsf{INT}$-$\mathsf{CTXT}$, CDH hardness for X25519/P-256, and HKDF as a PRF).

(i) KCI resistance. Suppose the adversary learns the long-term credential of U (or a sensor $S_j$) and attempts to impersonate an honest peer to that corrupted party. A successful attack would require producing a session key consistent with an accepting transcript without knowledge of the fresh ECDH secret $Z=\mathrm{KDF}\left(yX\right)$. In ${\mathrm{CK}}^{+}$/eCK, a session is fresh if the adversary does not obtain both parties’ matching ephemeral secrets. Replacing Z by uniform (CDH hardness) and HKDF by a PRF (Theorem 1 hybrids) makes the test key indistinguishable from random unless the adversary breaks the augmented-PAKE finish to force acceptance on bogus ephemerals, which contradicts PAKE security. Thus, learning a party’s long-term key does not enable impersonation of another honest party to it.

(ii) Replay resistance. Each run binds a timestamp and counter $(\mathrm{TS},\mathrm{ctr})$ into the transcript hash $\tau$ and into AEAD associated data. Replaying an old broadcast or an old confirmation ${\mathrm{MAC}}_j$ would require either acceptance of a stale $(\mathrm{TS},\mathrm{ctr})$ outside the window (rejected by the receiver) or the ability to alter $(\mathrm{TS},\mathrm{ctr},\tau )$ without detection, which would violate AEAD integrity or the PRF security of HMAC/HKDF.

(iii) Man-in-the-middle and transcript splicing. An active adversary cannot bias or splice the key schedule without detection: Z is derived from fresh $(b,y)$; replacing X or Y to force a chosen Z reduces to solving CDH. Moreover, associated data authenticates ${\mathrm{SID}}_j$, $(\mathrm{TS},\mathrm{ctr})$, and $\tau$, binding identities and the full transcript to each ciphertext; any splice or mix-and-match breaks AEAD $\mathsf{INT}$-$\mathsf{CTXT}$.

(iv) Party impersonation. To impersonate the user to G, the adversary must complete the augmented-PAKE; by assumption, this is infeasible without the password (or an online attack that is rate-limited). To impersonate a sensor to U or G, the adversary must return a valid ${\mathrm{MAC}}_j={\mathrm{HMAC}}_{S{K}_j}\left(\tau \right)$ where $S{K}_j$ is derived from $\mathrm{GK}$ recovered by decrypting ${\mathrm{Wrap}}_j$. Forging such a confirmation without $s{k}_j$ or $S{K}_j$ violates AEAD $\mathsf{IND}$-$\mathsf{CCA}$ (to learn $\mathrm{GK}$) or the PRF security of HKDF/HMAC (to compute $S{K}_j$ or the MAC).

(v) Smart-card theft and offline dictionary. The login uses an augmented PAKE (OPAQUE-style): the server stores a hardened record and the card stores only an opaque envelope. A copied card or server record alone yields no offline password oracle; any guessing requires online interaction and is detected/rate-limited, by the PAKE security definition.

Ciphertext integrity. Per-sensor wraps ${\mathrm{Wrap}}_j$ and confirmations ${\mathrm{MAC}}_j$ are protected, respectively, by AEAD $\mathsf{INT}$-$\mathsf{CTXT}$ and by HMAC as a PRF; undetected modification or forgery would contradict these assumptions.    □

5.2. Symbolic Verification

We model the protocol in ProVerif (and Tamarin for sanity checks) with standard constructors for tuples, HMAC, HKDF, and AEAD (idealized as Authenticated Encryption with explicit AD). The model includes an active Dolev–Yao adversary, device-capture events, and cookie issuance/validation. We verify

• Secrecy of $S{K}_j$ for honest U, G, and any $S_j$ not explicitly corrupted as follows: query attacker(SK_j) == false.
• Authentication correspondence between U and each addressed $S_j$: event end_U(j) implies event end_Sj(j) with matching transcript hash $\tau$.
• Unlinkability of sensor sessions: observational equivalence between two traces that swap the identities of two honest sensors while preserving the multiset of messages.

The models reflect the optional key-evolving variant for forward-secure wraps: $s{k}_j$ is advanced per epoch and previous values are erased, enabling queries about past sessions after a capture event at epoch $e^{\ast }$.

5.3. DoS and Availability

The gateway issues a stateless cookie (MAC over source IP/tuple, coarse timestamp, and a brief salt) that must be echoed by U before any AEAD processing or per-sensor work, implementing MAC-before-work. Parsing and MAC checks are constant-time with length and range validation to avoid parser bombs. Replays are bounded by a sliding window over $(\mathrm{TS},\mathrm{ctr})$, with transcript binding in AD blocking cut-and-paste across runs. On sensor nodes, a single cheap HMAC check over the cookie/pseudonym precedes state allocation, ensuring that unauthenticated traffic cannot force expensive operations or buffer exhaustion.

The base design attains PFS against server-side compromise and best-possible security for symmetric-only sensors; enabling the (one-line) key-evolving wrap hardens against post-compromise of sensors without adding public-key costs to devices. Overall, the bounds in Theorems 1–4 reduce attacks to well-studied assumptions (augmented-PAKE, AEAD, CDH/X25519, and HKDF-as-PRF) while keeping device computation strictly symmetric.

6. Performance Evaluation

We evaluate the protocol along operation counts (

Table 4. LOTUS-AKA vs. one-to-many baselines (per run with n addressed sensors).

Scheme	Sensor Work (per ${\mathit{S}}_{\mathit{j}}$)	Gateway Work (per Run)	Bytes-on-Air (Control Plane)	Notes
B3: Broadcast auth only	MAC verify (+buffering)	MAC generation (+key schedule)	$O\left(1\right)$ broadcast (plus disclosure metadata); no ACKs	Authenticity only; no Key Agreement; no per-sensor session keys
B1: Shared $GK$ broadcast	$1\times$AEAD_open (+optional HKDF)	$1\times$AEAD_enc	Broadcast $\approx L_{\mathrm{hdr}}+(L_{GK}+L_{tag}+L_{nonce})$; ACKs optional	All receivers share the same $GK$; limited sensor-to-sensor isolation
B2: LKH subset rekey (shared $GK$)	$\le 1\times$AEAD_open; state $O(logN)$	$\left|cover\right(S\left)\right|\times$AEAD_enc	Broadcast $\approx L_{\mathrm{hdr}}+\left|cover\left(S\right)\right|·(L_{GK}+L_{tag}+L_{nonce})$; ACKs optional	Efficient subset distribution; delivered key still shared across the addressed subset
LOTUS-AKA	HMAC (pseudonym) + AEAD_open + HKDF + HMAC (confirm)	$2\times$ECC_mult + $n\times$(HMAC + AEAD_enc + HMAC)	Broadcast $\approx L_{\mathrm{hdr}}+n·L_{\mathrm{tuple}}$; ACKs $\approx n·(L_{mac}+\mathrm{hdr})$	Perfect Forward Secrecy on U–G; per-sensor key isolation; sensors run symmetric-only

), bytes on the wire, and end-to-end latency/energy on MCU-class sensors and a commodity gateway. Our focus is the one-to-many setting where a user addresses n sensors in a single run.

6.1. Metrics and Setup

Metrics: We count (i) elliptic-curve scalar multiplications ($\#\mathsf{ECC}\text{\_}\mathsf{mult}$) performed only by U and G; (ii) hashes/HMACs ($\#\mathsf{HMAC/}\#\mathsf{Hash}$); (iii) authenticated encryptions/decryptions ($\#\mathsf{AEAD}$); and (iv) total bytes transmitted. For latency/energy, we report per-phase time (auth handshake, per-sensor wrap open) and the aggregate vs. n.

Platforms: Sensors are ARM Cortex-M0 and Cortex-M4 class MCUs (typical: 48–80 MHz, 16–256 KB RAM, 64–512 KB Flash) using constant-time HMAC-SHA256 and either AES-GCM or ChaCha20-Poly1305. The gateway is an x86_64 class CPU with hardware AES support. All code paths use fixed-length parsing and branch-free verification.

6.2. Microbenchmarks

We isolate (i) the U↔G ephemeral ECDH/OPAQUE finish (auth phase); (ii) per-sensor wrap open on $S_j$ (HMAC pseudonym test, AEAD open, HKDF-expand, and confirmation MAC). Let $t_{\mathsf{AEAD}-\mathsf{open}}$, $t_{\mathsf{HMAC}}$, and $t_{\mathsf{HKDF}}$ denote per-operation times on the MCU; for a batch of n sensors, the sensor-side cost is

$$T_{\mathsf{sensor}}\left(n\right)\approx t_{\mathsf{HMAC}}+t_{\mathsf{AEAD}-\mathsf{open}}+t_{\mathsf{HKDF}}+t_{\mathsf{HMAC}}\left(\mathrm{per}{S}_j\right),$$

while the user-side batch work after the ECDH is $\approx n·(t_{\mathsf{HKDF}}+t_{\mathsf{HMAC}})$ to derive $\left\{S{K}_j\right\}$ and verify $\left\{{\mathrm{MAC}}_j\right\}$. Energy follows $E={\sum }_i{I}_{\mathrm{active}}·V·t_i$ for each primitive i; we report both latency and energy as functions of n.

6.3. One-to-Many Baselines

In addition to the repeated one-to-one baseline (invoking a full 1 → 1 handshake n times), we compare LOTUS-AKA against representative lightweight one-to-many families that are commonly used as design patterns in IoT/WSN deployments. We instantiate these baselines using the same primitive choices and message-format conventions as our implementation (AEAD, HMAC/HKDF, and identical byte encodings), and we report the following metrics: sensor computation, gateway computation, bytes on air, and end-to-end latency (see Table 4).

6.3.1. B1: Shared Group-Key Broadcast (Single $GK$ for All)

The gateway distributes one group session key $GK$ that is shared by all receivers in the addressed set (or even all sensors), using a single AEAD-encrypted payload under a group credential. Sensors open the ciphertext to obtain $GK$ and then (optionally) derive local traffic keys from $GK$ (please see

Table 5. Operation counts per party (one run with n sensors).

Party	Operations
User U	$\#\mathsf{ECC}\_\mathsf{mult}=2$ (public key, DH shared secret); HKDF: 1 extract $+1$ expand; per-j: HKDF-expand $+\mathsf{HMAC}$ (verify ${\mathrm{MAC}}_j$).
Gateway G	$\#\mathsf{ECC}\_\mathsf{mult}=2$; PAKE verify; cookie MAC; per-j: $\mathsf{HMAC}$ (pseudonym ${\pi }_j$) $+\mathsf{AEAD}\_\mathsf{enc}\left({\mathrm{Wrap}}_j\right)$$+\mathsf{HMAC}$ (confirm).
Sensor $S_j$	$\mathsf{HMAC}\mathrm{(cookie/pseudonym)}+\mathsf{AEAD}\_\mathsf{open}$ $+\mathsf{HKDF}-\mathsf{expand}$ $+\mathsf{HMAC}$ (confirm).

).

6.3.2. B2: LKH Subset Rekey (Distribute a Shared $GK$)

The gateway maintains a Logical Key Hierarchy (LKH) key tree and distributes a fresh shared $GK$ to an addressed subset using an encrypted rekey messages. Each sensor stores $O(logN)$ long-term node keys and opens at most one relevant rekey ciphertext to obtain $GK$.

6.3.3. B3: Broadcast Authentication Only (no AKA)

This family provides sender/broadcast authenticity with symmetric primitives and delayed disclosure or equivalent techniques, but does not establish per-sensor session keys via Key Agreement. We include it as an authenticity-only reference point for control-plane broadcasts (please see

Table 6. Communication cost vs. n (broadcast + n acks).

Term	Size (bytes)
Y (ephemeral pub. key)	$L_Y$ (e.g., 32 for X25519).
$\mathrm{TS}\Vert \mathrm{ctr}$	$L_{\mathrm{ts}}+L_{\mathrm{ctr}}$ (e.g., $8+4$).
Per-sensor ${\pi }_j$	$L_{\pi }$ (e.g., 16 truncated HMAC).
Per-sensor ${\mathrm{Wrap}}_j$	$L_{\mathrm{GK}}+L_{\mathrm{tag}}+L_{\mathrm{nonce}}$ (e.g., $32+16+12$).
Total Broadcast	$L_Y+L_{\mathrm{ts}}+L_{\mathrm{ctr}}+n·\left(L_{\pi }+L_{\mathrm{GK}}+L_{\mathrm{tag}}+L_{\mathrm{nonce}}\right)$
Total Acks	$n·(L_{\mathrm{mac}}+\mathrm{headers})$ (e.g., $16+$ headers).

).

Let $L_{\mathrm{hdr}}=L_Y+L_{ts}+L_{ctr}$ and $L_{\mathrm{tuple}}=L_{\pi }+(L_{GK}+L_{tag}+L_{nonce})$.

6.4. Comparison with Baselines

Prior one-to-many schemes that derive a single group key and reuse it across sensors and a repeated one-to-one baseline that invokes a full handshake n times were studied. Our design keeps $\#\mathsf{ECC}\text{\_}\mathsf{mult}$ constant in n (only U and G do ECDH once) and shifts scaling to cheap symmetric operations. Communication is one broadcast of size $O(n+1)$ and n short confirmations; the one-to-one baseline sends $O\left(n\right)$ full handshakes. The results (Figure 3) show linear growth with a small slope for ours (dominated by one AEAD wrap per sensor), versus a much steeper slope when full ECDH+PAKE is repeated n times.

6.5. Variants and Sensitivity Analysis

We evaluate how specific design choices affect performance and robustness: (i) PAKE off (replaced with a pre-shared credential) to quantify login overhead; (ii) AEAD choice (AES-GCM vs. ChaCha20-Poly1305) to capture MCU/CPU asymmetries; (iii) Cookie off to measure gateway load and drop rate under adversarial floods. These what-if experiments isolate each component’s contribution to latency, energy, and availability.

Since sensors avoid ECC entirely, their per-sensor work is stable and predictable (one AEAD open, a few HMAC/HKDF evaluations). The gateway performs batched symmetric work with oneECDH per run. As n grows, communication dominates; our broadcast+ack pattern maintains low overhead per sensor and avoids n network handshakes. On Cortex-M0/M4, the slope of $T_{\mathsf{sensor}}\left(n\right)$ is driven chiefly by $\mathsf{AEAD}\_\mathsf{open}$; choosing ChaCha20-Poly1305 on M0 (no AES) and AES-GCM on M4/M7 (with hardware AES) yields the best latency/energy across the tested configurations.

6.6. Communication Cost vs. n (Figure 4)

Our curve grows linearly with a small slope because the broadcast has a small fixed header ($Y+\mathrm{TS}+\mathrm{ctr}$) and then adds one short tuple $({\pi }_j,{\mathrm{Wrap}}_j)$ per sensor plus a 16 B confirmation. With the parameters used to generate the figure, this is roughly $44+92n$ B. The 1 → 1 baseline must ship a full PAKE/ECDH transcript per sensor (modeled $\approx 600$ B) plus a small confirmation, hence the much steeper slope. At $n=64$, the gap is ∼6 KB vs. ∼39 KB.

Figure 4. Payload bytes vs. number of sensors n: our one-to-many run (one broadcast + n short acks) vs. a repeated 1 → 1 baseline (full handshake n times).

Figure 4. Payload bytes vs. number of sensors n: our one-to-many run (one broadcast + n short acks) vs. a repeated 1 → 1 baseline (full handshake n times).

6.7. AEAD Choice on MCUs (Figure 5)

On Cortex-M0 (no AES acceleration), ChaCha20-Poly1305 is faster (≈1.3 ms) than AES-GCM (≈2.8 ms). On Cortex-M4 with AES support, AES-GCM is best (≈0.62 ms) and ChaCha20-Poly1305 is slightly slower (≈1.12 ms). This supports a simple deployment rule: use ChaCha on M0-class boards; use AES-GCM on M4/M7 with hardware AES.

Figure 5. Per-sensor processing latency on Cortex-M0/M4 for AES-GCM and ChaCha20-Poly1305 (including HMAC pseudonym, AEAD open, HKDF-expand, and confirmation MAC).

Figure 5. Per-sensor processing latency on Cortex-M0/M4 for AES-GCM and ChaCha20-Poly1305 (including HMAC pseudonym, AEAD open, HKDF-expand, and confirmation MAC).

6.8. DoS Resilience Under Adversarial Load (Figure 6)

The stateless cookie cheaply filters unauthenticated floods, so the gateway sustains close to its handshake cap even when attack traffic grows. Without the cookie, expensive parsing of junk requests starves the CPU and accepted sessions drop toward zero as the attack rate increases.

Figure 6. Accepted sessions per second vs. adversarial request rate. With a stateless cookie (MAC-before-work), throughput remains near the gateway’s capacity; disabling the cookie collapses throughput under flood.

Figure 6. Accepted sessions per second vs. adversarial request rate. With a stateless cookie (MAC-before-work), throughput remains near the gateway’s capacity; disabling the cookie collapses throughput under flood.

6.9. Authentication Latency and Energy vs. n (Figure 3)

Because ECDH/PAKE is executed once per run (by U and G), our latency/energy increases gently with n, dominated by one AEAD open and a few hashes per sensor. The repeated 1 → 1 baseline redoes ECDH/PAKE for every sensor, so both latency and energy grow much faster with n.

7. Conclusions

This paper revisits the problem of authenticating a user to a set of constrained sensors and deriving fresh, confidential session keys in one shot. We identify concrete gaps in prior “lightweight” proposals—lack of true PFS, reliance on a network-wide secret, per-batch group keys that leak across sensors, offline guessing under smart-card theft, and weak DoS defenses—and address them with a design that keeps sensors strictly symmetric while moving ephemeral public-key work to the user and gateway.

The proposed LOTUS-AKA protocol performs a single ephemeral ECDH between U and G to derive Z and a transcript-bound group key $\mathrm{GK}$ via HKDF. The gateway then broadcasts one message that contains per-sensor, AEAD-wrapped material under long-term $s{k}_j$, and short pseudonyms ${\pi }_j$ to let each sensor privately recognize itself. Each sensor opens exactly one AEAD, runs a few HMAC/HKDF calls, and returns a confirmation MAC; no ECC is required on devices. Login uses an augmented PAKE, eliminating offline dictionary attacks even if a card or server record is stolen. A stateless cookie enforces MAC-before-work at the gateway and sensors, mitigating floods without maintaining per-source state. Revocation and rekey are supported via subset wrapping (and optionally LKH), while an optional key-evolving variant for $s{k}_j$ strengthens post-compromise secrecy on devices that can securely erase.

We analyze security in the ${\mathrm{CK}}^{+}$/eCK style: AKE security reduces to the PAKE, AEAD, HKDF-as-PRF, and CDH/X25519 assumptions; PFS holds for server compromise and can be extended to sensor compromise with key evolution; privacy follows from PAKE-hidden user identifiers and per-session pseudonyms. A symbolic ProVerif/Tamarin model captures secrecy, correspondence, and unlinkability queries, including device capture and the cookie gate.

Our evaluation indicates that one ECDH per run plus n symmetric wraps yields latency and energy that grow gently with the number of sensors, while a repeated 1 → 1 baseline grows much faster. Communication similarly scales linearly with a small per-sensor increment. Microbenchmarks suggest choosing ChaCha20-Poly1305 on Cortex-M0 (no AES) and AES-GCM on Cortex-M4/M7 (with AES) for best per-sensor latency. Under adversarial load, the cookie preserves near-capacity throughput, whereas disabling it causes accepted sessions to collapse.

Overall, the design provides a practical, analyzable path to one-to-many AKA with strong security properties and deployable costs on Cortex-M-class devices.

Future work includes completing a full mechanized proof of the game-based reductions; integrating precise energy measurements from hardware boards; studying loss/retransmission on low-power links; tightening revocation at scale (e.g., LKH variants with constrained memory); and exploring post-quantum KEM drop-ins for the $U\leftrightarrow G$ ephemeral while keeping sensors symmetric.