PUF-Based Secure Authentication Protocol for Cloud-Assisted Wireless Medical Sensor Networks

Abstract

Wireless medical sensor networks (WMSNs) have evolved alongside the development of communication systems, and the integration of cloud computing has enabled scalable and efficient medical data management. However, since the messages in WMSNs are transmitted over open channels, they are vulnerable to eavesdropping, replay, impersonation, and other various attacks. In response to these security concerns, Keshta et al. suggested an authentication protocol to establish secure communication in the cloud-assisted WMSNs. However, our analysis reveals their protocol cannot prevent session key disclosure, impersonation of the user and sensor node, and denial of service (DoS) attacks. Moreover, Keshta et al.’s protocol cannot support user untraceability due to fixed hidden identity. To address these weaknesses, we propose a physical unclonable function (PUF) based secure authentication protocol for cloud-assisted WMSNs. The protocol uses lightweight operations, provides mutual authentication between user, cloud server, and sensor node, and supports user anonymity and untraceability. We validate the proposed protocol’s security through informal analysis on various security attacks and formal analysis including “Burrows–Abadi–Needham (BAN) logic”, “Real-or-Random (RoR) model” for session key security, and “Automated Validation of Internet Security Protocols and Application (AVISPA) simulations”. Performance evaluation demonstrates lower communication cost and computation overhead compared with existing protocols, making the proposed protocol suitable for WMSN environments.

1. Introduction

Wireless sensor networks (WSNs) have become a fundamental technology in modern communication systems [1]. WSNs consist of numerous compact sensor nodes that are wirelessly interconnected and capable of sensing, processing, and transmitting environmental data. Owing to these capabilities, WSNs are utilized in various fields, including smart agriculture [2], industrial automation [3], smart city infrastructures [4], and medical services [5]. In the medical domain, specifically in WMSNs, physiological parameters, such as body temperature, blood pressure, pulse rate, and electrocardiogram signals, are collected and transmitted to medical servers or healthcare professionals [6]. These functions enable remote patient monitoring, support telemedicine, and timely medical interventions, enhancing accessibility, efficiency, and responsiveness in healthcare [7].

Cloud computing is a virtualized environment managed by cloud service providers, offering on-demand access to shared resources, such as storage, processing power, and applications [8]. From a conceptual perspective, cloud computing abstracts underlying hardware and presents computing capabilities as services, enabling users to access resources without concern for physical infrastructure [9]. This enables dynamic scalability, efficient resource utilization, and broad accessibility for computationally intensive tasks. Leveraging these capabilities, cloud-assisted WMSNs are proposed to improve the scalability and operational efficiency of medical services [10]. Through the integration of cloud computing with WMSNs, patient data can be stored and processed on cloud servers, allowing adaptation to varying data volumes [11]. In addition, platforms support healthcare analytics, enabling predictive diagnostics and personalized treatment planning [12]. Intelligent decision-making is further supported by aggregating data from multiple sensor nodes, which improves the accuracy and responsiveness of medical services [13].

Nevertheless, cloud-assisted WMSNs remain highly susceptible to significant security threats because communication is performed over public channels [14]. Malicious adversaries can attempt to obtain session keys, impersonate legitimate participants, or conduct DoS attacks that undermine system availability. These threats may lead to the disclosure of sensitive information, including patients’ personal data and physicians’ diagnostic records, resulting in serious privacy violations [15]. In addition, forged or delayed medical data can compromise diagnostic accuracy and obstruct timely treatment, placing patients at risk. Without strong security mechanisms, neither the confidentiality of medical information nor the reliability of healthcare services can be assured [16].

To mitigate these security vulnerabilities, secure authentication and key agreement (AKA) protocols are essential for protecting sensitive patient data and ensuring the reliability of cloud-assisted WMSN services. In response to this need, Keshta et al. [17] proposed an elliptic curve cryptography (ECC) based AKA protocol, asserting that it provides adequate security for WMSN environments. However, our analysis identified several deficiencies. The protocol remains susceptible to session key disclosure, user and sensor node impersonation, and DoS attacks, and it does not provide user untraceability. To resolve these issues, we propose a secure authentication protocol for cloud-assisted WMSNs which employs PUF to ensure robust sensor node authentication and utilizes fuzzy extractor based biometric verification on mobile devices. The proposed protocol is shown to be resilient against various attacks, including sensor node capture and insider attacks, while mutual authentication, anonymity, and untraceability are achieved. Moreover, lightweight cryptographic operations are utilized, making the proposed protocol highly efficient and well-suited for WMSN environments.

1.1. Research Contribution

The primary achievements of the research are listed as follows:

• We review the authentication protocol proposed by Keshta et al. [17] demonstrating that it is prone to several security attacks, including session key disclosure, impersonation, and DoS attacks and it fails to ensure user untraceability.
• We propose an AKA protocol for WMSNs to address these issues. The proposed protocol employs PUF to protect sensor nodes of patients against various security attacks and utilize fuzzy extractor for secure user verification. In addition, our protocol adopts lightweight operations such as XOR and hash functions to enhance computational efficiency.
• We validate the security of the proposed protocol through both informal and formal analyses. The results prove that it achieves mutual authentication, ensures session key security, and resists various security attacks.
• We evaluate the performance of the proposed protocol by comparing its computational overhead, communication cost, and security features with existing works. The results demonstrate that our protocol achieves superior overall efficiency while maintaining strong security for WMSN environments.

1.2. Organization

Section 2 discusses the related works on authentication protocols for WMSN systems. Section 3 presents the system model, PUF, fuzzy extractor, and adversary model. Section 4 provides a review of Keshta et al.’s protocol, while Section 5 demonstrates its vulnerabilities. Section 6 introduces the proposed protocol, designed to address these weaknesses. Section 7 provides the security analysis, and Section 8 and Section 9 evaluate the performance and summarize our paper.

2. Related Works

With the rapid advancement of communication technologies, various AKA protocols have been introduced to ensure secure medical data transmission. In 2019, Vijayakumar et al. [18] designed an key agreement protocol using bilinear pairing for wireless body area networks. Their protocol supports conditional privacy, through which a trusted authority can revoke malicious users who abuse the system. However, their pairing-based methods impose substantial storage and computational overhead and fail to prevent man-in-the-middle (MitM) attacks [19]. To achieve both efficiency and security, Xu et al. [20] designed a lightweight protocol for wireless body area networks that requires only four hash operations on the sensor node, making it suitable for resource-limited environments. However, Alzahrani et al. [21] showed that Xu et al.’s protocol fails to prevent offline identity guessing and replay attacks. To overcome these limitations, they proposed an authentication protocol for wireless body area networks that incorporates a fuzzy extractor for user verification, providing strong patient monitoring security supported by formal analysis.

In 2021, Subramani et al. [22] proposed a lightweight authentication protocol that integrates a fuzzy extractor with a PUF. Their protocol supports conditional tracing, allowing the identification and revocation of malicious users. However, its performance is hindered by increased computational latency caused by repeated fuzzy extractor operations during authentication and the use of bilinear pairing. In 2022, Shao et al. [23] presented a PUF-based anonymous authentication protocol for WMSNs, enabling AKA among the user, gateway, and sensor node. Nevertheless, as later noted in [24], the protocol remains vulnerable to stolen verifier attacks. To further reduce computational overhead, a user authentication protocol relying solely on XOR and one-way hash operations was designed by Masud et al. [25] for IoT-based healthcare. Although lightweight, the protocol was later shown by Kim et al. [26] to be vulnerable to privileged insider, replay, and offline password guessing attacks. An enhanced protocol was subsequently proposed by Kim et al. to mitigate these weaknesses. However, Xie et al. [27] later demonstrated that the Kim et al.’s improved protocol continued to suffer from user and sensor node impersonation attacks, and an ECC and PUF-based AKA protocol was proposed to address these issues. Wu et al. [28] also showed that Kim et al.’s protocol fails to prevent user device capture and MitM attacks, after which a PUF-based three-factor authentication protocol combining strong and weak PUFs was proposed. In 2025, Shang et al. [29] proposed an AKA protocol for WMSNs that introduces an enhanced adversary model considering semi-trusted servers and ephemeral-secret leakage. Their protocol achieves lower computation and communication overheads and provides formal security analyzes. Wang et al. [30] introduced a PUF-based remote medical identity authentication protocol designed to mitigate security weaknesses found in previous remote medical authentication protocols. Their protocol achieves reductions of approximately 50.71% in computation overhead and 16.32% in storage overhead. Kuo et al. [31] proposed a lightweight AKA protocol for IoMT environments that integrates OPUF with ECC to protect patient data against impersonation, modeling attacks, and ephemeral-secret leakage. Their design additionally applies rate-limiting to resist DoS attempts and ensure availability.

Recently, Keshta et al. [17] proposed an ECC-based AKA protocol for cloud-assisted WMSNs, claiming that security was strengthened by eliminating the use of passwords and biometrics to prevent password-guessing attacks. However, our analysis reveals that their protocol remains vulnerable to session key disclosure, user and sensor node impersonation, and DoS attacks, and it fails to provide user untraceability due to static parameters and the transmission of plaintext session key components. Furthermore, the reliance on elliptic curve operations imposes considerable computational overhead on lightweight sensor nodes, making the protocol unsuitable for resource-constrained WMSN environments. Consequently, we suggest the lightweight and secure authentication protocol that effectively enhances robustness while ensuring mutual authentication, supporting untraceability and anonymity of users, and guaranteeing perfect forward secrecy.

3. Preliminaries

This part outlines the foundational concepts required for understanding the protocol, including the proposed system model, PUF, fuzzy extractor, and the adversary model.

3.1. System Model

In our paper, there are three primary entities as follows: the sensor node ($S{N}_j$), the physician user ($U_i$), and the cloud server ($CS$). According to Figure 1, users can communicate with patients’ sensor node remotely using mobile device. After login and AKA phase, the user, cloud server, and sensor node establish secure communication. Details of the three entities are described below:

• Physician User $U_i$: Physicians use mobile devices to remotely monitor patients’ vital signs. Before accessing the medical data, Users must complete the registration phase with the cloud server. After the login and AKA phase, they can securely receive diagnostic data and check the patient’s vital sign remotely.
• Cloud Server $CS$: $CS$ is the central and fully trusted authority in the system model. $CS$ has sufficient storage and computing power. It manages user and sensor node registrations, stores credentials and patient records, and assists mutual authentication between physicians and sensor nodes.
• Sensor Node $S{N}_j$: $S{N}_j$ is a resource-constrained device that is deployed on or nearby the patient. It is responsible for continuously collecting sensitive health data such as pulse rate, or ECG signals. After AKA phase, $S{N}_j$ securely transmits the patient data to physician user through the cloud server using a session key.

3.2. Physical Unclonable Functions (PUF)

The PUF is a hardware primitive that utilizes the intrinsic physical differences that arise in the semiconductor fabrication stage [32]. These variations make each PUF unique and practically impossible to replicate. In addition, recent advances have proposed more robust and secure PUF designs that ensures robustness under diverse environmental conditions with long-term stability [33,34]. The mechanism of PUF is based on the concept of challenge-response pairs (CRPs). When two different challenges are applied to the same PUF, they generate distinct responses; similarly, even if the identical challenge is injected to two separate PUFs, their responses will differ. The pair of challenge and response is formally expressed as $R=PUF(C)$, where R denotes the response and C represents the challenge. These characteristics allow PUFs to generate device-specific responses can be utilized to support robust authentication and protecting secret parameters. In the proposed protocol, each sensor node employs PUF to derive shared key between that sensor node and cloud server.

3.3. Fuzzy Extractors

A fuzzy extractor is a cryptographic primitive reliably producing consistent keys from noisy biometric inputs such as fingerprints, irises, or other biometric data [35]. To deal with the noisy inputs, the fuzzy extractor introduces a helper string that tolerates small variations in the input while ensuring reproducibility of the same secret key. When a user provides his biometric $Bio$, the fuzzy extractor produces two values, a secret key $\sigma$ and an helper string $\tau$. The value $\sigma$ is computationally equivalent to a random string, while $\tau$ can be disclosed without exposing useful information about $\sigma$ [36]. The fuzzy extractor operates with two core procedures:

• Gen($BIO$) $\to (\sigma ,\tau )$: Given input $BIO$, the generation function outputs a value $\sigma$ with a helper string $\tau$.
• Rep($BI{O}^{\ast },\tau$) $\to \sigma$: When a noisy biometric input $BI{O}^{\ast }$ close to $BIO$ is received together with helper string $\tau$, the reproduction function correctly reconstructs the original secret key $\sigma$.

In our protocol, we employ a fuzzy extractor in mobile device to achieve secure user verification by using identity and password of a user with the noisy biometric input.

3.4. Adversary Model

We adopt the “Dolev–Yao (DY) model [37]” and “Canetti–Krawczyk (CK) model [38]” as our adversary model. Under the DY model, the malicious attacker $\mathcal{A}$ gets control over the open channel. Consequently, $\mathcal{A}$ is capable of intercepting, modifying, deleting, or injecting transmitted messages [39]. In CK model, $\mathcal{A}$ can get private key of the $CS$ or ephemeral secrets [40].

Based on these adopted adversary models, $\mathcal{A}$’s capabilities are summarized as follows:

• $\mathcal{A}$ can extract secret parameters from physicians’ mobile devices or from a patient’s sensor node after physical capture [41].
• $\mathcal{A}$ can register with the cloud server and eavesdrop, intercept, delete, inject, or replay messages to attempt various security attacks including impersonation and MitM attacks.
• $\mathcal{A}$ may obtain ephemeral secrets or the cloud server’s private key to compute session key shared between the three entities [42].

4. Review of Keshta et al.’s Protocol

We review the AKA protocol proposed by Keshta et al. [17] for cloud-assisted WMSNs. We describe details of their protocol which includes initialization, registration of user and sensor node, and the AKA phase.

Table 1. Notation used in the paper.

Notation	Description
$CS$	Cloud server
$U_i$	Physician user
$S{N}_j$	Sensor node
s	Private key of $CS$
$I{D}_i$	$U_i$’s unique identity
$HI{D}_i$	Hidden identity of $U_i$
$PI{D}_i$	Pseudo-identity of $U_i$
$P{W}_i$	Password of $U_i$
$BI{O}_i$	Biometric information of $U_i$
$r_0,r_1$	Random numbers
$K_{U_{i}C}$	Shared key between $U_i$ and $CS$
$K_{C{S}_j}$	Shared key between $CS$ and $S{N}_j$
$SI{D}_j$	$S{N}_j$’s unique identity
$C_j,R_j$	PUF challenge and response pair
$r_i,r_j$	Random nonces
$Gen(·),Rep(·)$	Fuzzy extractor functions
${\sigma }_i$	Secret biometric key of $U_i$
${\tau }_i$	Helper string of $U_i$
$T_n$	Timestamp
$SK$	Session key
$\Delta T$	Acceptable transmission time delay
$h(·)$	Hash function
∥	Concatenation
⊕	Exclusive-OR

shows the notation of the parameters utilized in the paper.

4.1. Initialization Phase

During the setup phase, the cloud server $CS$ chooses an elliptic curve $E_q(a,b)$, curve point $\mu \in {\mathbb{Z}}_q^{\ast }$ in $E_q(a,b)$, hash function $h(·)$, and private key s. Then, $CS$ publicizes $\{E_q(a,b),\mu ,h(·)\}$.

4.2. Registration Phase

All sensor nodes deployed for patients and physicians’ mobile devices must register with the cloud server $CS$.

4.2.1. Patient Sensor Node Registration

Patient’s $S{N}_j$ perform registration phase with $CS$ via secure channel (Figure 2).

Step 1: 

The patient chooses his identity $I{D}_P$ and $S{N}_j$ selects a fresh random value $N\in {\mathbb{Z}}_q^{\ast }$. $S{N}_j$ computes a hidden identity $HPI{D}_P=h(I{D}_P\parallel N)$ and sends $CS$ the message $\{HPI{D}_P,I{D}_P\}$.

Step 2: 

Upon receiving $\{HPI{D}_P,I{D}_P\}$, $CS$ produces a fresh random value $N^{\prime }\in {\mathbb{Z}}_q^{\ast }$, computes $K_P=N^{\prime }·\mu ,H_P=h(I{D}_P\parallel K_P)$ and $X_P=((N\oplus H_P)\parallel s)$. Then, $CS$ returns $\{s,X_P,H_P,K_P\}$ to $S{N}_j$.

Step 3: 

$S{N}_j$ receives the response message $\{s,X_P,H_P,K_P\}$ and $S{N}_j$ stores $\{s,X_P,H_P,K_P\}$.

4.2.2. Physician Mobile Device Registration

Physician $U_i$ perform this phase with $CS$ using their mobile device $M{D}_i$ (Figure 3).

Step 1: 

$U_i$ selects and inputs his unique identity $I{D}_{PM}$ into $M{D}_i$. $M{D}_i$ chooses a random number $N\in {\mathbb{Z}}_q^{\ast }$. $M{D}_i$ calculate a hidden identity $HPI{D}_{PM}=h(I{D}_{PM}\parallel N)$ and sends $CS$ the request message $\{HPI{D}_{PM},I{D}_{PM}\}$.

Step 2: 

After $CS$ receives $\{HPI{D}_{PM},I{D}_{PM}\}$, $CS$ selects a fresh random number $N^{\prime }\in {\mathbb{Z}}_q^{\ast }$, computes $K_P=N^{\prime }·\mu ,H_P=h(I{D}_p\parallel K_p)$ and $X_{PM}=((N^{\prime }\oplus H_{PM})\parallel s)$. Then, $CS$ returns $\{s,X_{PM},H_{PM},K_P\}$ to $M{D}_i$.

Step 3: 

$M{D}_i$ receives response message $\{s,X_{PM},H_{PM},K_P\}$, and stores $\{s,X_{PM},H_{PM},K_P\}$.

4.3. AKA Phase

To send patient’s vital data to the user, $U_i$, $S{N}_j$, and $CS$ perform this phase to support secure communication. The flow of this procedure is described in Figure 4. Details of AKA phase are demonstrated as follows:

Step 1: 

$S{N}_j$ produces fresh timestamp $T_1$ at first. Then, $S{N}_j$ computes $X_{PM}=((N·\mu )\parallel T_1)$ and sends the message $\{K_P,HPI{D}_{PM},X_{PM},T_1\}$ to $M{D}_i$.

Step 2: 

Upon $M{D}_i$ receiving the message, $M{D}_i$ verifies freshness by checking $|T_1-T_c|\le \Delta T?$. Then $M{D}_i$ computes $K_P=X_{PM}\oplus h(HPI{D}_{PM}\parallel K_{PM})$, $Y_p=(X_{PM}\parallel (X_{PM}\oplus N)\parallel K_P)$, and send parameters $\{HPI{D}_P,K_P,Y_P,T_2\}$ to $CS$.

Step 3: 

After $CS$ obtains $\{HPI{D}_P,K_P,Y_P,T_2\}$, $CS$ checks freshness of the timestamp by confirming $|T_2-T_c|\le \Delta T?$. If $T_2$ is valid, $CS$ computes $K_P^{\ast }=X_{PM}\oplus h(HPI{D}_{PM}\parallel K_{PM})$ and checks $K_P^{\ast }\stackrel{?}{=}{K}_P$. Then $CS$ also computes $Y_P^{\ast }=(X_{PM}\parallel (X_{PM}\oplus N)\parallel K_P)$ and checks $Y_P^{\ast }\stackrel{?}{=}{Y}_P$. If all values are verified, $CS$ computes session key $SK=h(Y_P\parallel K_P)$ and $R_P=h(SK\parallel X_{PM})$. To establish equal session key, $CS$ sends $\{K_P^{\ast },Y_P^{\ast },R_P,T_3\}$ to $M{D}_i$.

Step 4: 

Upon $M{D}_i$ receiving $\{K_P^{\ast },Y_P^{\ast },R_P,T_3\}$, then $M{D}_i$ checks freshness by confirming $|T_3-T_c|\le \Delta T?$. If $T_3$ is valid, $M{D}_i$ computes $K_P^{\ast \ast }=X_{PM}\oplus h(HPI{D}_{PM}\parallel K_{PM})$ and checks $K_P^{\ast \ast }\stackrel{?}{=}{K}_P^{\ast }$. Then $M{D}_i$ also computes $Y_P^{\ast \ast }=(X_{PM}\parallel (X_{PM}\oplus N)\parallel K_P)$ and checks $Y_P^{\ast \ast }\stackrel{?}{=}{Y}_P^{\ast }$. $M{D}_i$ computes session key $SK=h(Y_P\parallel K_P)$ and $R_P^{\ast }=h(SK\parallel X_{PM})$. Then $CS$ check $R_p^{\ast }\stackrel{?}{=}{R}_P$, and sends $\{K_P^{\ast \ast },Y_P^{\ast \ast },R_P^{\ast },T_4\}$ to $S{N}_j$.

Step 5: 

When $S{N}_j$ receives $\{K_P^{\ast \ast },Y_P^{\ast \ast },R_P^{\ast },T_4\}$, then $S{N}_j$ checks freshness of the timestamp by confirming $|T_4-T_c|\le \Delta T?$. If $T_4$ is valid, $S{N}_j$ computes $K_P^{\ast \ast \ast }=X_{PM}\oplus h(HPI{D}_{PM}\parallel K_{PM})$ and checks $K_P^{\ast \ast \ast }\stackrel{?}{=}{K}_P^{\ast \ast }$. Then $M{D}_i$ also computes $Y_P^{\ast \ast \ast }=(X_{PM}\parallel (X_{PM}\oplus N)\parallel K_P)$ and checks $Y_P^{\ast \ast \ast }\stackrel{?}{=}{Y}_P^{\ast \ast }$. Finally $M{D}_i$ computes session key $SK=h(Y_P\parallel K_P)$ and $R_P^{\ast \ast }=h(SK\parallel X_{PM})$ to check $R_p^{\ast \ast }\stackrel{?}{=}{R}_P^{\ast }$. If all mutual authentication passed, $U_i,CS,$ and $S{N}_j$ can communicate with session key $SK$.

5. Cryptanalysis of Keshta et al.’s Protocol

In this section, we analyze the security vulnerabilities of Keshta et al.’s AKA protocol. Our findings indicate that the protocol fails to withstand several security attacks, including session key disclosure, user and sensor node impersonation, and DoS attacks. The detailed attack scenarios are presented as follows.

5.1. Session Key Disclosure Attacks

Under the DY adversary model, adversary $\mathcal{A}$ can eavesdrop messages transmitted over the public channel. $\mathcal{A}$ can get the authentication messages $\{HPI{D}_P,K_P,Y_P,T_2\}$, $\{K_P^{\ast },Y_P^{\ast },R_P,T_3\}$, and $\{K_P^{\ast \ast },Y_P^{\ast \ast },R_P^{\ast },T_4\}$. The values $K_P$, $K_P^{\ast }$, and $K_P^{\ast \ast }$ are equivalent and likewise for $Y_P$, $Y_P^{\ast }$, and $Y_P^{\ast \ast }$. Using these intercepted values, $\mathcal{A}$ derive the session key as $SK=h(K_P\parallel Y_P)$. Therefore, the protocol by Keshta et al.’s cannot prevent session key disclosure attacks.

5.2. User Untraceability

User untraceability requires that an adversary cannot determine whether two or more sessions involve the same user, even after observing all authentication messages transmitted over public channels. During the AKA phase, the message $\{K_P,HPI{D}_{PM},X_{PM},T_1\}$ is transmitted over a public channel. Among parameters in the message, $U_i$’s hidden identity $HPI{D}_{PM}=h(I{D}_{PM}\parallel N)$ is calculated in $U_i$’s registration phase, and is not changed across sessions. Consequently, an adversary $\mathcal{A}$ that eavesdrops transmitted messages can distinguish $U_i$’s sessions by repeatedly observing the same $HPI{D}_{PM}$ value across different sessions. Then, $\mathcal{A}$ can trace sessions that belong to the same user using collected $HPI{D}_{PM}$ values. Thus, Keshta et al.’s protocol cannot ensure user untraceability.

5.3. User and Sensor Node Impersonation Attacks

An adversary $\mathcal{A}$ can intercept the message $\{HPI{D}_P,K_P,$$Y_P,T_2\}$ transmitted over the public channel. Except for the timestamp $T_2$, these parameters remain unchanged across sessions. Consequently, $\mathcal{A}$ can generate a fresh authentication message $\{HPI{D}_P,K_P,Y_P,T_2^{\mathcal{A}}\}$ by substituting $T_2$ with a newly generated timestamp $T_2^{\mathcal{A}}$.

Similarly, $\mathcal{A}$ can construct a valid request message of the sensor node $\{K_P,HPI{D}_{PM},$$X_{PM},T_1\}$ because $K_P$ and $HPI{D}_{PM}$ are fixed while $X_{PM}=((N·\mu )\parallel T_1)$ only varies through the timestamp $T_1$. By choosing a fresh $T_1^{\mathcal{A}}$ and the corresponding $X_{PM}^{\mathcal{A}}$, together with a fresh timestamp $T_2^{\mathcal{A}}$, $\mathcal{A}$ can produce $\{K_P,HPI{D}_{PM},X_{PM}^{\mathcal{A}},T_1^{\mathcal{A}}\}$. Therefore, Keshta et al.’s protocol fails to prevent user and sensor node impersonation.

5.4. DoS Attacks

In this attack, an adversary $\mathcal{A}$ repeatedly sends valid forged authentication requests to the cloud server $CS$. As a result, $CS$ must verify each received message and perform the corresponding computations, eventually becoming overloaded and unable to respond to legitimate users. The process are explained in detail below.

Step 1: 

$\mathcal{A}$ eavesdrops authentication messages and obtain $\{HPI{D}_P,K_P,Y_P\}$. Using this information, $\mathcal{A}$ forges a message $\{HPI{D}_P,K_P,Y_P,T_2^{\mathcal{A}}\}$ by replacing the timestamp $T_2$ with a fresh timestamp $T_2^{\mathcal{A}}$. Then, $\mathcal{A}$ repeatedly sends $\{HPI{D}_P,K_P,Y_P,T_2^{\mathcal{A}}\}$ while updating $T_2^{\mathcal{A}}$ each time.

Step 2: 

$CS$ receives these messages and verifies their timestamps by checking whether $|T_2-T_c|\le \Delta T?$. Since all timestamps have been chosen to be fresh by $\mathcal{A}$ the messages are considered valid. Consequently, $CS$ proceeds to compute $K_P$, $Y_P$, $SK$, and $R_P$ for every forged message, exhausting computational resources and blocking legitimate users who attempt to access the system.

6. Proposed Protocol

To overcome the security weaknesses of Keshta et al.’s protocol, we propose a lightweight and security enhanced authentication protocol that uses biometrics and PUFs. The proposed protocol achieves security and efficiency, ensuring that cloud servers, mobile devices, and sensor nodes can securely communicate in cloud-assisted WMSNs. The proposed protocol is divided into four main phases: initialization, registration, login and AKA, and offline password and biometric update phase.

6.1. Initialization Phase

The CS solely perform this phase. Initially, $CS$ generates its key s. Then, $CS$ selects a collision-free hash function $h(·)$, the two functions of the fuzzy extractor, $Gen(·)$ and $Rep(·)$ to deal with noisy biometric input, and publicize the global system parameters $\{h(·),Gen(·),Rep(·)\}$ to all users and devices.

6.2. Registration Phase

Every users and sensor nodes should register with the cloud server. The overall registration is executed through a secure channel. The user $U_i$ and the sensor node $S{N}_j$ share key with $CS$, and store parameters needed for authentication.

6.2.1. User Registration Phase

Physician $U_i$ perform registration phase with $CS$ as demonstrated in next three steps. Figure 5 summarizes user registration phase.

Step 1: 

$U_i$ selects his unique identity $I{D}_i$ and a high entropy password $P{W}_i$. $U_i$ inputs $I{D}_i,P{W}_i$, and biometric data $BI{O}_i$ into the mobile device $M{D}_i$. Then, $M{D}_i$ computes $Gen(BI{O}_i)=({\sigma }_i,{\tau }_i)$, generates a random number $r_0$, and sends a registration request message $\{HI{D}_i,r_0\}$ to $CS$ via a secure channel.

Step 2: 

$CS$ selects a pseudo-identity $PI{D}_i$ corresponding $U_i$. Then $CS$ computes shared key $K_{U_{i}C}=h(r_0\parallel s)$ between $U_i$ and $CS$, stores $\{PI{D}_i,r_0\}$ into $CS$’s database for the AKA phase, sends a message $\{PI{D}_i,K_{U_{i}C}\}$ to $M{D}_i$.

Step 3: 

To encrypt $K_{U_{i}C}$, $M{D}_i$ generates parameters $A_0=h(I{D}_i\parallel {\sigma }_i\parallel P{W}_i)\oplus K_{U_{i}C}$ and $V_0=h({\sigma }_i\parallel K_{U_{i}C})$. Lastly, $M{D}_i$ stores $\{PI{D}_i,A_0,V_0,{\tau }_i\}$ in its memory and completes the registration process.

6.2.2. Sensor Node Registration Phase

A sensor node $S{N}_j$ performs registration with the cloud server $CS$ ensures unique identification of each device and the storage of secret parameters for subsequent authentication. The process is carried out through the following steps and is described in Figure 6.

Step 1: 

The $CS$ selects $S{N}_j$’s unique identity $SI{D}_j$. Then $CS$ generates a challenge value $C_j$ and random number $r_1$. Using $r_1$, $CS$ computes shared key $K_{C{S}_J}=h(r_1\parallel s)$. $CS$ stores $\{SI{D}_j,r_1\}$ into secure memory, then send $\{SI{D}_j,C_j,K_{C{S}_J}\}$ to $S{N}_j$

Step 2: 

After receiving parameters, $S{N}_j$ gets the response value $R_j=PUF(C_j)$. This response $R_j$ and shared key $K_{C{S}_J}$ are encrypted by $S{P}_j=R_j\oplus K_{C{S}_J}$. $S{N}_j$ stores parameters $\{SI{D}_j,C_j,S{P}_j\}$ and completes its registration phase.

6.3. Login and AKA Phase

$U_i$ inputs $I{D}_i,P{W}_i$, and $BI{O}_i^{\ast }$ into $U_i$’s mobile device $M{D}_i$. $M{D}_i$ locally verifies the legitimacy of the user. After this verification, $U_i$, $CS$, and $S{N}_j$ establish a session key $SK$. The explanation of this process is provided as below (Figure 7).

Step 1: 

$U_i$ initially inputs $I{D}_i$, $P{W}_i$, and biometric data $BI{O}_i^{\ast }$ into $M{D}_i$. $M{D}_i$ computes ${\sigma }_i^{\ast }=Rep(BI{O}_i^{\ast },{\tau }_i)$, $K_{U_{i}C}^{\ast }=A_0\oplus h(I{D}_i\Vert {\sigma }_i^{\ast }\Vert P{W}_i^{\ast })$, $V_0^{\ast }=h({\sigma }_i^{\ast }\Vert K_{U_{i}C}^{\ast })$, and checks whether $V_0^{\ast }\stackrel{?}{=}{V}_0$. If the values match, the login is approved; otherwise, the request is rejected. After login verification, $M{D}_i$ generates a random nonce $r_i$ and timestamp $T_1$. Then, $M{D}_i$ computes $M_1=h(PI{D}_i\Vert K_{U_{i}C}\Vert T_1)\oplus (r_i\Vert SI{D}_j)$, $V_1=h(PI{D}_i\Vert K_{U_{i}C}\Vert SI{D}_j\Vert r_i\Vert T_1)$, sends the message $\{PI{D}_i,M_1,V_1,T_1\}$ to the cloud server $CS$.

Step 2: 

Upon receiving the message $\{PI{D}_i,M_1,V_1,T_1\}$, $CS$ verifies the freshness of $T_1$. If verification fails, $CS$ rejects and terminates aka phase. It extracts $(r_i^{\ast }\Vert SI{D}_j^{\ast })=M_1\oplus h(PI{D}_i\Vert K_{U_{i}C}\Vert T_1)$. Then $CS$ computes $V_1^{\ast }=h(PI{D}_i\Vert K_{U_{i}C}\Vert SI{D}_j^{\ast }\Vert r_i^{\ast }\Vert T_1)$ and checks whether $V_1^{\ast }\stackrel{?}{=}{V}_1$. If valid, $CS$ generates timestamp $T_2$ and computes $K_{C{S}_j}=h(r_1\Vert s)$. $CS$ then calculate $M_2=h(PI{D}_i\Vert K_{C{S}_j}\Vert T_2)\oplus (r_i\oplus K_{U_{i}C})$, $V_2=h(PI{D}_i\Vert K_{C{S}_j}\Vert h(r_i\oplus K_{U_{i}C})\Vert T_2)$, and sends $\{PI{D}_i,M_2,V_2,T_2\}$ to the sensor node $S{N}_j$.

Step 3: 

If the message $\{PI{D}_i,M_2,V_2,T_2\}$ is received, $S{N}_j$ verifies the freshness of $T_2$. If verification fails, $S{N}_j$ rejects and terminates the AKA phase. $S{N}_j$ computes $R_j=PUF(C_j)$ and recovers $K_{C{S}_j}=S{P}_j\oplus R_j$. Then $S{N}_j$ computes $V_2^{\ast }=h(PI{D}_i\Vert K_{C{S}_j}\Vert h(r_i\oplus K_{U_{i}C})\Vert T_2)$ and checks whether $V_2^{\ast }\stackrel{?}{=}{V}_2$. If verification is confirmed, $S{N}_j$ generates nonce $r_j$ and timestamp $T_3$, and calculate the session key $SK=h(PI{D}_i\Vert h(r_i\oplus K_{U_{i}C})\Vert r_j)$. $S{N}_j$ then computes $M_3=h(PI{D}_i\Vert K_{C{S}_j}\Vert T_3)\oplus r_j$, $V_3=h(PI{D}_i\Vert K_{C{S}_j}\Vert r_j\Vert T_3)$, and sends $\{M_3,V_3,T_3\}$ to $CS$.

Step 4: 

Upon receiving the message $\{M_3,V_3,T_3\}$, $CS$ checks the freshness of $T_3$. $CS$ recovers $r_j^{\ast }=M_3\oplus h(PI{D}_i\Vert K_{C{S}_j}\Vert T_3)$. Then $CS$ computes $V_3^{\ast }=h(PI{D}_i\Vert K_{C{S}_j}\Vert r_j^{\ast }\Vert T_3)$. $CS$ checks whether $V_3^{\ast }\stackrel{?}{=}{V}_3$. If correct, $CS$ calculates the session key $SK=h(PI{D}_i\Vert h(r_i\oplus K_{U_{i}C})\Vert r_j)$. It generates timestamp $T_4$ and prepares $M_4=r_j\oplus h(K_{U_{i}C}\Vert PI{D}_i\Vert T_4)$ and $V_4=h(PI{D}_i^{new}\Vert SK\Vert K_{U_{i}C}\Vert r_j\Vert T_4)$, where the pseudo-identity is updated as $PI{D}_i^{new}=h(r_i\Vert K_{U_{i}C})$. Finally, $CS$ sends $\{M_4,V_4,T_4\}$ to $U_i$.

Step 5: 

Upon receiving the message, $M{D}_i$ verifies $|T_4^{\ast }-T_c|\le \Delta T$. $M{D}_i$ recovers $r_j^{\ast }=M_4\oplus h(K_{U_{i}C}\Vert PI{D}_i\Vert T_4)$. Then it computes $V_4^{\ast }=h(PI{D}_i^{new}\Vert SK\Vert K_{U_{i}C}\Vert r_j^{\ast }\Vert T_4)$. $M{D}_i$ checks whether $V_4^{\ast }\stackrel{?}{=}{V}_4$. If valid, $M{D}_i$ derives the same session key $SK=h(PI{D}_i\Vert h(r_i\oplus K_{U_{i}C})\Vert r_j^{\ast })$ and updates the pseudo-identity $PI{D}_i^{new}=h(r_i\Vert K_{U_{i}C})$. At this point, all entities $U_i$, $CS$, and $S{N}_j$ share the session key $SK$.

6.4. Offline Password and Biometric Update Phase

$U_i$ can freely replace his $P{W}_i$ and $BIO$. The details of phase described below and illustrated in Figure 8.

Step 1: 

$U_i$ inputs $I{D}_i$, $P{W}_i^{\ast }$, and $BI{O}_i^{\ast }$ into $M{D}_i$.

Step 2: 

$M{D}_i$ calculates $Rep(BI{O}_i^{\ast },{\tau }_i)={\sigma }_i^{\ast }$, $K_{U_{i}C}^{\ast }=A\oplus h(I{D}_i^{\ast }\Vert {\sigma }_i^{\ast }\Vert P{W}_i^{\ast })$, and $V_0^{\ast }=h({\sigma }_i^{\ast }\parallel K_{U_{i}C}^{\ast })$. Then $M{D}_i$ checks whether $V_0^{\ast }\stackrel{?}{=}{V}_0$. If it is verified, $M{D}_i$ requests new password and biometric.

Step 3: 

$U_i$ inputs a new password, $P{W}_i^{new}$, and a new biometric $Bi{o}_i^{new}$ to $M{D}_i$.

Step 4: 

Upon receiving $P{W}_i^{new}$ and $Bi{o}_i^{new}$. $M{D}_i$ computes $Gen(BI{O}_i^{new})=({\sigma }_i^{new},{\tau }_i^{new})$, $A_0^{new}=h(I{D}_i\Vert {\sigma }_i^{new}\Vert P{W}_i^{new})\oplus K_{U_{i}C}$, and $V_0^{new}=h({\sigma }_i^{new}\parallel K_{U_{i}C})$. Lastly, $M{D}_i$ replaces $\{PI{D}_i,A_0,V_0,{\tau }_i\}$ with $\{PI{D}_i,A_0^{new},V_0^{new},{\tau }_i^{new}\}$.

7. Security Analysis

To demonstrate the robustness of the proposed protocol, both formal and informal security analyses are performed. Informal analysis evaluates resistance to various potential attacks, showing that the protocol withstands security threats. Formal analysis further confirms mutual authentication using BAN logic, ensures session key security under RoR model, and validates overall protocol soundness through AVISPA simulation.

7.1. Informal Analysis

The proposed protocol guarantees robust security against various attacks. In addition, we demonstrate that the protocol ensures mutual authentication, user untraceability and anonymity, and perfect forward secrecy.

7.1.1. Session Key Disclosure Attacks

In these attacks, an adversary $\mathcal{A}$ attempts to obtain a session key by eavesdropping authentication messages. To compute $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$, $\mathcal{A}$ can intercept messages $\{PI{D}_i,M_1,V_1,T_1\},\{PI{D}_i,M_2,V_2,T_2\},\{M_3,V_3,T_3\}$, and $\{M_4,V_4,T_4\}$. However, random nonce $r_i$ and $r_j$ are securely encrypted by shared keys $K_{U_{i}C}=h(r_0\parallel s)$ and $K_{C{S}_j}=h(r_1\parallel s)$. Without knowing random numbers $r_0$, $r_1$ and $CS$’s private key s, $\mathcal{A}$ cannot calculate $K_{U_{i}C}$ and $K_{C{S}_j}$. Therefore, the proposed protocol prevents session key disclosure attacks.

7.1.2. Impersonation Attacks

In impersonation attacks, an adversary $\mathcal{A}$ attempts to generate a valid authentication message $\{PI{D}_i,M_1,V_1,T_1\}$, $\{PI{D}_i,M_2,V_2,T_2\}$, or $\{M_3,V_3,T_3\}$ to impersonate either a legitimate user, a sensor node, or a cloud server. To forge these messages, $\mathcal{A}$ should calculate random nonces $r_i$, $r_j$, shared keys $K_{U_{i}C}$, and $K_{C{S}_j}$. However, according to Section 7.1.1, $\mathcal{A}$ cannot calculate the parameters to compute a valid $M_1$, $M_2$, or $M_3$. Consequently, $\mathcal{A}$ cannot forge valid authentication messages and the proposed protocol resists impersonation attacks.

7.1.3. Untraceability and Anonymity

The user’s identity $I{D}_i$ is not transmitted over a public channel. Instead of $I{D}_i$, $CS$ selects pseudo-identity $PI{D}_i$ during registration phase. Moreover, $PI{D}_i$ is freshly updated as $PI{D}_i^{new}=h(r_i|K_{U_{i}C})$ in both the user’s mobile device and the cloud server. $\mathcal{A}$ can attempt to trace the user’s session by computing $PI{D}_i^{new}$. However, $r_i$ is encrypted by shared key $K_{U_{i}C}$ and $\mathcal{A}$ cannot calculate $K_{U_{i}C}=h(r_0\parallel s)$ without $CS$’s private key s. Thus, $PI{D}_i$ update makes all transmitted messages unlinkable across sessions and our protocol guarantees user untraceability and anonymity.

7.1.4. DoS Attacks

An adversary $\mathcal{A}$ may attempt to perform a DoS attack by repeatedly sending valid authentication request message $\{PI{D}_i,M_2,V_2,T_2\}$. Such repeated requests can threaten the availability of services for legitimate users and sensor nodes by increasing the load on $CS$. However, to generate a valid verification value $V_2=h(PI{D}_i\parallel K_{U_{i}C}\parallel SI{D}_j\parallel r_i\parallel T_1)$, $\mathcal{A}$ must first calculate $r_i$,$K_{C{S}_j}$ and $K_{U_{i}C}$. As discussed in Section 7.1.3, $r_i$ and $K_{U_{i}C}$ cannot be calculated by $\mathcal{A}$. In addition, computing $K_{C{S}_j}=h(r_1\parallel s)$ is infeasible without private key s. Consequently, $\mathcal{A}$ fails to construct a valid authentication request, and the proposed protocol effectively resists DoS attacks.

7.1.5. Insider Attacks

A legitimate but malicious user $\mathcal{A}$ may attempt to compromise another user’s session using their own registration information. However, each user possesses a distinct shared key $K_{U_{i}C}=h(r_0\parallel s)$, derived from a unique random number $r_0$ generated on the user’s mobile device and the cloud server’s secret s. Therefore, $\mathcal{A}$ cannot derive $U_i$’s $K_{U_{i}C}$. Moreover, $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$ is derived using fresh nonces $r_i$ from $M_1\oplus h(PI{D}_i\parallel K_{U_{i}C}\parallel T_1)$ and $r_j=M_4\oplus h(PI{D}_i\parallel K_{U_{i}C}\parallel T_4)$ which cannot be calculated without $K_{U_{i}C}$. Since $\mathcal{A}$ has no access to these ephemeral values, it is infeasible to derive a valid session key even with full knowledge of its own credentials. Thus, the proposed protocol prevents insider attacks.

7.1.6. Privileged Insider Attacks

An $\mathcal{A}$ can obtain the registration request $\{HI{D}_i,r_0\}$. However, this information reveals no sensitive credentials or session key. To compute $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$, $\mathcal{A}$ must know random nonces $r_i$,$r_j$, and a shared key $K_{U_{i}C}=h(r_0\parallel s)$. As discussed in Section 7.1.5, $\mathcal{A}$ cannot calculate $r_i$,$r_j$, and $K_{U_{i}C}$ without $CS$’s secret key s. Since the session key cannot be derived from only $\{HI{D}_i,r_0\}$, the proposed protocol is secure against privileged insider attacks.

7.1.7. Desynchronization Attacks

An $\mathcal{A}$ may attempt to desynchronize the communication between the user and the cloud server by blocking or modifying the final authentication message that updates the pseudo-identity $PI{D}_i^{new}$. However, the update of $PI{D}_i^{new}=h(r_i\parallel K_{U_{i}C})$ occurs only after successful verification of $V_4$. If the received $V_4^{\ast }$ does not match the expected $V_4$, the authentication fails and both $U_i$ and $CS$ retain the previous valid $PI{D}_i$. Since the pseudo-identity update is synchronized only upon successful validation, the proposed protocol resists desynchronization attacks.

7.1.8. Offline Guessing Attacks

An adversary $\mathcal{A}$ can extract secret parameters $\{PI{D}_i,A_0,V_0\}$ from a mobile device. To obtain the user’s unique identity $I{D}_i$ or password $P{W}_i$, $\mathcal{A}$ try to compute $K_{U_{i}C}^{\mathcal{A}}=A_0\oplus h(I{D}_i^{\mathcal{A}}\Vert \sigma \Vert P{W}_i^{\mathcal{A}})$ and $V_0^{\mathcal{A}}=h({\sigma }_i^{\ast }\parallel K_{U_{i}C})$ by substituting $I{D}_i^{\mathcal{A}}$ and $P{W}_i^{\mathcal{A}}$. If $V_0^{\mathcal{A}}=h({\sigma }_i^{\ast }\parallel K_{U_{i}C})$ is equal to the extracted $V_0$. However, the biometric secret key ${\sigma }_i$ is also contained in hash function which makes infeasible to reveal $I{D}_i$ or password $P{W}_i$. Therefore, the proposed protocol is resilient to offline guessing attacks.

7.1.9. Replay and MitM Attacks

An adversary $\mathcal{A}$ can replay and manipulate authentication messages $\{PI{D}_i,M_1,V_1,T_1\},$$\{PI{D}_i,M_2,V_2,T_2\},\{M_3,V_3,T_3\}$, and $\{M_4,V_4,T_4\}$ transmitted over the public channel. Despite $\mathcal{A}$’s capability, the proposed protocol checks validity of all authentication messages. In the proposed protocol, every message contains a timestamp and random nonces. In addition, the values $V_1$, $V_2$, $V_3$, and $V_4$ are masked with shared keys $K_{U_{i}C}$ and $K_{C{S}_j}$ using hash functions. Therefore, the proposed protocol can resist replay and MitM attacks.

7.1.10. Physical Capture Attacks

In the adversary model, an attacker $\mathcal{A}$ can extract the secret parameters $\{PI{D}_i,A_0,V_0,{\tau }_i\}$ from a compromised mobile device $M{D}_i$. $\mathcal{A}$ may then attempt to impersonate a legitimate user or derive the session key. To do so, $\mathcal{A}$ must obtain the shared key $K_{U_{i}C}$ from the relation $A_0=h(I{D}_i\Vert {\sigma }_i^{\ast }\Vert P{W}_i^{\ast })\oplus K_{U_{i}C}$. However, without the user’s identity $I{D}_i$, password $P{W}_i$, and biometric $BI{O}_i$, $\mathcal{A}$ cannot compute $K_{U_{i}C}$. Therefore, our protocol ensures resistance against mobile device capture attacks.

Similarly, $\mathcal{A}$ may extract $SI{D}_j,C_j,S{P}_j$ from a compromised sensor node $S{N}_j$. To impersonate a legitimate sensor node, $\mathcal{A}$ needs the shared key $K_{C{S}_j}$, which is derived from $S{P}_j=K_{C{S}_j}\oplus R_j$. Since $S{P}_j$ is protected by the PUF response value $R_j$, and predicting or recreating the responses generated by a PUF is practically impossible as discussed in Section 3.2, our protocol is also resilient to sensor node capture attacks.

7.1.11. Stolen Verifier Attacks

This attack scenario assumes that $\{PI{D}_i,r_0\}$ for $U_i$ and $\{SI{D}_j,r_1\}$ for $S{N}_j$ in cloud server are obtained by an $\mathcal{A}$. Then, the $\mathcal{A}$ may try to reveal $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$. However, A cannot obtain the shared keys $K_{U_{i}C}$, $K_{C{S}_j}$ and random nonces $r_i$, $r_j$ without $CS$’s private key s from $CS$. Consequently, proposed protocol resists stolen verifier attacks.

7.1.12. Ephemeral Secret Leakage Attacks

When specific session random nonces $r_i$ and $r_j$ which are generated by user $U_i$ and sensor node $S{N}_j$ are revealed, an $\mathcal{A}$ can attempt to compute $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$. However, $\mathcal{A}$ cannot know the $K_{U_{i}C}=h(r_0\parallel s)$ which is only shared with legitimate user and cloud server at registration phase. Hence, the proposed protocol can depend ephemeral secret leakage attacks.

7.1.13. Mutual Authentication and Session Key Security

In the AKA phase, $U_i$, $S{N}_j$, and $CS$ checks the legitimacy of each transmitted message to ensure that all participating entities are authenticated. The $U_i$ and $CS$ validate each other by confirming $V_1^{\ast }\stackrel{?}{=}{V}_1$ and $V_4^{\ast }\stackrel{?}{=}{V}_4$. Likewise, $CS$ and $S{N}_j$ authenticate mutually by checking $V_2^{\ast }\stackrel{?}{=}{V}_2$ and $V_3^{\ast }\stackrel{?}{=}{V}_3$. Through this bidirectional verification process, all entities can mutually authenticate each other before establishing the session key. Furthermore, as proven in Section 5.1, an adversary $\mathcal{A}$ cannot compute session key $SK$. Therefore, the proposed protocol successfully achieves mutual authentication and session key security.

7.1.14. Perfect Forward Secrecy

We assume that $\mathcal{A}$ reveals secret key s of the $CS$. To calculate $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$ by using s, $\mathcal{A}$ should compute random nonces $r_i$ and $r_j$. These nonces are encrypted by shared keys $K_{U_{i}C}$ and $K_{C{S}_j}$. Despite of the compromise of s, $\mathcal{A}$ cannot calculate $K_{U_{i}C}=h(r_0\parallel s)$ and $K_{C{S}_j}=h(r_1\parallel s)$. Therefore, the proposed protocol achieves perfect forward secrecy.

7.2. BAN Logic

The BAN logic [43] is a tool for formal proof, which verifies mutual authentication in protocols. We demonstrate proposed protocol guarantees mutual authentication by utlizing BAN logic.

Table 2. Notation of BAN logic.

Notation	Description
$N_1, N_2$	Principals
$S_1, S_2$	Statements
$N_1|\equiv S_1$	$N_1$ believes $S_1$
$N_1|\sim S_1$	$N_1$ once said $S_1$
$N_1\Rightarrow S_1$	$N_1$  controls  $S_1$
$N_1⨞S_1$	$N_1$  receives  $S_1$
$\#S_1$	$S_1$ is fresh
${\left\{S_1\right\}}_K$	$S_1$ is encrypted with K
$N_1\stackrel{K}{\leftrightarrow }{N}_2$	$N_1$ and $N_2$ have shared key K

shows notations and descriptions.

7.2.1. Rules

The BAN logic rules are demonstrated below.

1.    

Message Meaning Rule (MMR):

$${\displaystyle \frac{N_1|\equiv N_1\stackrel{K}{\leftrightarrow }{N}_2,N_1⨞{\left\{S_1\right\}}_K}{N_1|\equiv N_2|\sim S_1}}$$

2.    

Nonce Verification Rule (NVR):

$${\displaystyle \frac{N_1|\equiv \#(S_1),N_1|\equiv N_2|\sim S_1}{N_1|\equiv N_2|\equiv S_1}}$$

3.    

Jurisdiction Rule (JR):

$${\displaystyle \frac{N_1|\equiv N_2\Rightarrow S_1,N_1|\equiv N_2|\equiv S_1}{N_1|\equiv S_1}}$$

4.    

Belief Rule (BR):

$${\displaystyle \frac{N_1|\equiv (S_1,S_2)}{N_1|\equiv S_1}}$$

5.    

Freshness Rule (FR):

$${\displaystyle \frac{N_1|\equiv \#(S_1)}{N_1|\equiv \#(S_1,S_2)}}$$

7.2.2. Goals

In the proposed protocol, $U_i$, $CS$, and $S{N}_j$ negotiate a session key $SK$. We prove $U_i$, $CS$, and $S{N}_j$ share $SK$, by achieving eight goals as follows:

Goal 1: 

$U_i|\equiv U_i\stackrel{SK}{\leftrightarrow }CS$

Goal 2: 

$U_i|\equiv CS|\equiv U_i\stackrel{SK}{\leftrightarrow }CS$

Goal 3: 

$CS|\equiv U_i\stackrel{SK}{\leftrightarrow }CS$

Goal 4: 

$CS|\equiv U_i|\equiv U_i\stackrel{SK}{\leftrightarrow }CS$

Goal 5: 

$S{N}_j|\equiv S{N}_j\stackrel{SK}{\leftrightarrow }CS$

Goal 6: 

$S{N}_j|\equiv CS|\equiv S{N}_j\stackrel{SK}{\leftrightarrow }CS$

Goal 7: 

$CS|\equiv S{N}_j\stackrel{SK}{\leftrightarrow }CS$

Goal 8: 

$CS|\equiv S{N}_j|\equiv S{N}_j\stackrel{SK}{\leftrightarrow }CS$

7.2.3. Idealized Forms

In the proposed protocol, there are four messages $\{PI{D}_i,M_1,V_1,T_1\}$, $\{PI{D}_i,M_2,V_2,T_2\}$, $\{M_3,V_3,T_3\}$, and $\{M_4,V_4,T_4\}$ transmitted through public channels. For BAN logic analysis, these messages can be transformed into idealized forms as follows.

Message 1: 

$U_i\to CS:{\left\{r_i\right\}}_{K_{U_{i}C}}$

Message 2: 

$CS\to S{N}_j:{\left\{h(r_i\oplus K_{U_{i}C})\right\}}_{K_{C{S}_j}}$

Message 3: 

$S{N}_j\to CS:{\left\{r_j\right\}}_{K_{C{S}_j}}$

Message 4: 

$CS\to U_i:{\left\{r_j\right\}}_{K_{U_{i}C}}$

7.2.4. Assumptions

We assumes that each participant trusts the freshness of random nonces and securely shares shared keys. The assumptions are listed below.

$A_1$:

$CS|\equiv \#(T_1)$

$A_2$:

$S{N}_j|\equiv \#(T_2)$

$A_3$:

$CS|\equiv \#(T_3)$

$A_4$:

$U_i|\equiv \#(T_4)$

$A_5$:

$U_i|\equiv U_i\stackrel{K_{U_{i}C}}{\leftrightarrow }CS$

$A_6$:

$CS|\equiv U_i\stackrel{K_{U_{i}C}}{\leftrightarrow }CS$

$A_7$:

$S{N}_j|\equiv S{N}_j\stackrel{K_{C{S}_j}}{\leftrightarrow }CS$

$A_8$:

$CS|\equiv S{N}_j\stackrel{K_{C{S}_j}}{\leftrightarrow }CS$

$A_9$:

$U_i|\equiv CS\Rightarrow (U_i\stackrel{SK}{\leftrightarrow }CS)$

$A_{10}$:

$CS|\equiv U_i\Rightarrow (U_i\stackrel{SK}{\leftrightarrow }CS)$

$A_{11}$:

$S{N}_j|\equiv CS\Rightarrow (S{N}_j\stackrel{SK}{\leftrightarrow }CS)$

$A_{12}$:

$CS|\equiv S{N}_j\Rightarrow (S{N}_j\stackrel{SK}{\leftrightarrow }CS)$

7.2.5. BAN Logic Proof

We demonstrate that our protocol support mutual authentication between $U_i$, $CS$, and $S{N}_j$ using rules and assumptions. The procedure of achieving goals are as follows:

Step 1: 

$S_1$ can be obtained from $Ms{g}_1$.

$$S_1:CS⨞{\{r_i,T_1\}}_{K_{U_{i}C}}$$

Step 2: 

$S_2$ can be obtained by applying the MMR with $S_1$ and $A_6$.

$$S_2:CS|\equiv U_i|\sim (r_i,T_1)$$

Step 3: 

$S_3$ can be obtained by applying the FR with $S_2$ and $A_1$.

$$S_3:CS|\equiv \#(r_i,T_1)$$

Step 4: 

$S_4$ can be obtained by applying the NVR with $S_2$ and $S_3$.

$$S_4:CS|\equiv U_i|\equiv (r_i,T_1)$$

Step 5: 

$S_5$ can be obtained from $Ms{g}_2$.

$$S_5:S{N}_j⨞{\{h(r_i\oplus K_{U_{i}C}),T_2\}}_{K_{C{S}_j}}$$

Step 6: 

$S_6$ can be obtained by applying the MMR with $S_5$ and $A_7$.

$$S_6:S{N}_j|\equiv CS|\sim (h(r_i\oplus K_{U_{i}C}),T_2)$$

Step 7: 

$S_7$ can be obtained by applying the FR with $S_6$ and $A_2$.

$$S_7:S{N}_j|\equiv \#(h(r_i\oplus K_{U_{i}C}),T_2)$$

Step 8: 

$S_8$ can be obtained by applying the NVR with $S_6$ and $S_7$.

$$S_8:S{N}_j|\equiv CS|\equiv (h(r_i\oplus K_{U_{i}C}),T_2)$$

Step 9: 

$S_9$ can be obtained from $Ms{g}_3$.

$$S_9:CS⨞{\{r_j,T_3\}}_{K_{C{S}_j}}$$

Step 10: 

$S_{10}$ can be obtained by applying the MMR with $S_9$ and $A_8$.

$$S_{10}:CS|\equiv S{N}_j|\sim (r_j,T_3)$$

Step 11: 

$S_{11}$ can be obtained by applying the FR with $S_{10}$ and $A_3$.

$$S_{11}:CS|\equiv \#(r_j,T_3)$$

Step 12: 

$S_{12}$ can be obtained by applying the NVR with $S_{10}$ and $S_{11}$.

$$S_{12}:CS|\equiv S{N}_j|\equiv (r_j,T_3)$$

Step 13: 

$S_{13}$ and $S_{14}$ can be obtained from $S_8$ and $S_{12}$. $S{N}_j$ and $CS$ can compute the session key $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$.

$$S_{13}:CS|\equiv S{N}_j|\equiv (S{N}_j\stackrel{SK}{\leftrightarrow }CS)(Goal8)$$

$$S_{14}:S{N}_j|\equiv CS|\equiv (S{N}_j\stackrel{SK}{\leftrightarrow }CS)(Goal6)$$

Step 14: 

$S_{15}$ and $S_{16}$ can be obtained by applying the JR with $S_{13}$ and $A_{12}$, and $S_{14}$ and $A_{11}$, respectively.

$$S_{15}:CS|\equiv (S{N}_j\stackrel{SK}{\leftrightarrow }CS)(Goal7)$$

$$S_{16}:S{N}_j|\equiv (S{N}_j\stackrel{SK}{\leftrightarrow }CS)(Goal5)$$

Step 15: 

$S_{17}$ can be obtained from $Ms{g}_4$.

$$S_{17}:U_i⨞{\{r_j,T_4\}}_{K_{U_{i}C}}$$

Step 16: 

$S_{18}$ can be obtained by applying MMR with $S_{17}$ and $A_5$.

$$S_{18}:U_i|\equiv CS|\sim (r_j,T_4)$$

Step 17: 

$S_{19}$ can be obtained by applying FR with $S_{18}$ and $A_4$.

$$S_{19}:U_i|\equiv \#(r_j,T_4)$$

Step 18: 

$S_{20}$ can be obtained by applying NVR with $S_{18}$ and $S_{19}$.

$$S_{20}:U_i|\equiv CS|\equiv (r_j,T_4)$$

Step 19: 

$S_{13}$ and $S_{14}$ can be obtained from $S_8$ and $S_{12}$. $S{N}_j$ and $CS$ can compute the session key $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$.

$$S_{21}:U_i|\equiv CS|\equiv (U_i\stackrel{SK}{\leftrightarrow }CS)(Goal2)$$

$$S_{22}:CS|\equiv U_i|\equiv (U_i\stackrel{SK}{\leftrightarrow }CS)(Goal4)$$

Step 20: 

$S_{15}$ and $S_{16}$ can be obtained by applying the JR with $S_{13}$ and $A_{12}$, and $S_{14}$ and $A_{11}$, respectively.

$$S_{23}:U_i|\equiv (U_i\stackrel{SK}{\leftrightarrow }CS)(Goal1)$$

$$S_{24}:CS|\equiv (U_i\stackrel{SK}{\leftrightarrow }CS)(Goal3)$$

Based on the defined BAN logic rules and assumptions, all BAN logic goals (Goals 1–8) are successfully achieved. All participating entities $U_i,CS$, and $S{N}_j$ believe that they share the same fresh session key. Therefore, the proposed protocol supports mutual authentication between all participating entities.

7.3. RoR Model

We prove that the proposed protocol guarantees the session key security using the RoR model [44]. In our protocol, there are three participants: a user $p_{U_i}^{t_1}$, cloud server $p_{CS}^{t_2}$, and sensor node $p_{S{N}_j}^{t_3}$. $\mathcal{A}$, an adversary, can perform queries to execute security attacks. The following outlines the security proof in accordance with the procedures described in [45,46]. The queries includes $Execute,CorruptSD,Send$, and $Test$ which are explained below.

• $Execute(p_{U_i}^{t_1},p_{CS}^{t_2},p_{S{N}_j}^{t_3})$: $\mathcal{A}$ can eavesdrop on the messages exchanged among legitimate entities over public channels. Based on the intercepted messages, $\mathcal{A}$ may launch various attacks. This query is classified as passive attack.
• $CorruptMD(p_{U_i}^{t_1})$: $\mathcal{A}$ can extract secret parameters from the mobile device of the user $p_{U_i}^{t_1}$. This $CorruptMD(p_{U_i}^{t_1})$ is classified as active attack.
• $Send(p^t,Msg)$: $\mathcal{A}$ can send entity $p^t$ messages and receive response message via the protocol. $Send(p^t,Msg)$ is classified as active attack.
• $Test(p^t)$: $\mathcal{A}$ can decide whether a coin c is a session key or a random value. If the $SK$ is fresh, $\mathcal{A}$ determines $c=1$; otherwise, $c=0$. In all other cases, $\mathcal{A}$ obtains a null output (⊥). The inability of $\mathcal{A}$ to distinguish between the two outcomes implies the security of $SK$. $\mathcal{A}$ may perform multiple $Test$ queries to evaluate this indistinguishability.

Theorem 1.

$\mathcal{A}$ attempts to derive the session key $SK$ within polynomial time. Let $Ad{v}_{\mathcal{A}}$ represent the advantage that $\mathcal{A}$ obtains the session key. Then, this advantage of $\mathcal{A}$ can be bounded as follows:

$$Ad{v}_{\mathcal{A}}\le {\displaystyle \frac{q_h^2}{\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{\left|PUF\right|}}+2max\{C^{\prime }·q_{send}^{s^{\prime }},{\displaystyle \frac{q_{send}}{2^{l_D}}}\}$$

(1)

where $q_h$, $q_p$, and $q_{send}$ indicate the number of queries using hash, PUF, and send. The parameters $\left|Hash\right|$ and $\left|PUF\right|$ denote the hash function and PUF range. Here, $C^{\prime }$ and $s^{\prime }$ represent “Zipf’s parameter [47]”.

Proof. 

To establish the semantic security of the session key, a series of games are employed which are denoted as $G_i$ ($i=0,1,2,3,4$). Let $Pr\left[Suc{c}_i\right]$ denote the probability that the adversary $\mathcal{A}$ correctly predicts the bit c in the corresponding game.

$G_0$: 

In $G_0$, $\mathcal{A}$ does not issue any queries and simply guesses a random bit c. $\mathcal{A}$’s advantage is defined as:

$$Ad{v}_{\mathcal{A}}=|2Pr\left[Suc{c}_0\right]-1|$$

(2)

$G_1$: 

$\mathcal{A}$ eavesdrops messages on the communication channel using Execute query and attempts to calculate $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$. Then $\mathcal{A}$ perform $Test$ query to determine whether obtained value is $SK$. However, $\mathcal{A}$ cannot obtain random nonces $r_i$, $r_j$, or a shared key $K_{U_{i}C}$. Thus, $\mathcal{A}$ can obtain no advantage and $Ad{v}_{\mathcal{A}}$ remains identical to that of $G_0$:

$$Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right]$$

(3)

$G_2$: 

In $G_2$, $\mathcal{A}$ tries to obtain sesssion key $SK$ by performing Hash queries and Send queries. $\mathcal{A}$ receive messages using Send queries. However, transmitted components of $SK$ such as $r_i$, $h(r_j\oplus K_{U_{i}C})$ are encrypted by a one-way hash function. To calculate session key, collision must be found by using Hash queries. By the “birthday paradox [48]”, $Ad{v}_{\mathcal{A}}$ is bounded by:

$$|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_1\right]|\le {\displaystyle \frac{q_h^2}{2\left|Hash\right|}}$$

(4)

$G_3$: 

In this game, $\mathcal{A}$ utilizes PUF and Send queries to predict device responses. Due to the unclonable property of the PUF, $\mathcal{A}$ cannot reproduce the challenge-response pairs, leading to:

$$|Pr\left[Suc{c}_3\right]-Pr\left[Suc{c}_2\right]|\le {\displaystyle \frac{q_p^2}{2\left|PUF\right|}}$$

(5)

$G_4$: 

Finally, $\mathcal{A}$ performs a CorruptMD query to obtain $PI{D}_i,A_0$,$V_0$, and ${\tau }_i$ from a compromised mobile device. To compute the session key $SK=h(PI{D}_i\parallel h(r_i\oplus K_{U_{i}C})\parallel r_j)$, $\mathcal{A}$ should guess user’s identity $I{D}_i$, password $P{W}_i$, and biometric $BI{O}_i$ which is impossible in polynomial time. After $G_4$, the acquired $Ad{v}_{\mathcal{A}}$ is derived from “Zipf’s law [48]”.

$$|Pr\left[Suc{c}_4\right]-Pr\left[Suc{c}_3\right]|\le max\{C^{\prime }·q_{send}^{s^{\prime }},{\displaystyle \frac{q_{send}}{2^{l_D}}}\}$$

(6)

When the all games conclude, $\mathcal{A}$ guesses the random bit c. Across previous games, no information about c is revealed to $\mathcal{A}$. Thus, the following equation can be derived:

$$Pr\left[{Succ}_4\right]={\displaystyle \frac{1}{2}}$$

(7)

Combining Equations (2) and (3), we can derive Equation (8):

$${\displaystyle \frac{1}{2}}{Adv}_{\mathcal{A}}=|Pr[{Succ}_0-{\displaystyle \frac{1}{2}}]|=|Pr[{Succ}_1-{\displaystyle \frac{1}{2}}]|$$

(8)

In addition, combining Equations (7) and (8), we can obtain Equation (9):

$${\displaystyle \frac{1}{2}}{Adv}_{\mathcal{A}}=|Pr\left[{Succ}_1\right]-Pr\left[{Succ}_4\right]|$$

(9)

Applying the triangular inequality, we can derive equation below:

$${\displaystyle \frac{1}{2}}{Adv}_{\mathcal{A}}=|Pr\left[{Succ}_1\right]-Pr\left[{Succ}_4\right]|$$

$$\le |Pr\left[{Succ}_1\right]-Pr\left[{Succ}_3\right]|+|Pr\left[{Succ}_3\right]-Pr\left[{Succ}_4\right]|$$

$$\le |Pr\left[{Succ}_1\right]-Pr\left[{Succ}_2\right]|+|Pr\left[{Succ}_2\right]-Pr\left[{Succ}_3\right]|+|Pr\left[{Succ}_3\right]-Pr\left[{Succ}_4\right]|$$

$$\le {\displaystyle \frac{q_h^2}{2\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{2\left|PUF\right|}}+max\{C^{\prime }·q_{send}^{s^{\prime }},{\displaystyle \frac{q_{send}}{2^{l_D}}}\}$$

(10)

Multiplying both sides by 2 yields the final bound:

$${Adv}_{\mathcal{A}}\le {\displaystyle \frac{q_h^2}{\left|Hash\right|}}+{\displaystyle \frac{q_p^2}{\left|PUF\right|}}+2max\{C^{\prime }·q_{send}^{s^{\prime }},{\displaystyle \frac{q_{send}}{2^{l_D}}}\}$$

(11)

Hence, we prove the Theorem 1. □

This means that in the proposed protocol, an adversary $\mathcal{A}$ cannot distinguish the real session key from a random value even after observing all authentication messages and using available queries.

7.4. AVISPA Simulation

In this section, we verify the security of the proposed protocol using the AVISPA tool [49,50]. AVISPA is a well-established framework for formally evaluating authentication protocols and identifying replay and MitM attacks. To perform the simulation, the proposed protocol is first implemented using the “High-Level Protocol Specification Language (HLPSL)”, which defines the behavior of each communicating entity.

The HLPSL specification is then automatically translated into an “Intermediate Format (IF)” using the AVISPA translator. The IF code is analyzed by four back-end engines: the “On-the-Fly Model Checker (OFMC)”, “Constraint-Logic-based Attack Searcher (CL-AtSe)”, “SAT-based Model Checker (SATMC)”, and “Tree Automata based on Automatic Approximations for Analysis of Security Protocols (TA4SP)”. Among these, the OFMC and CL-AtSe back-ends are utilized in our evaluation since they support the XOR operation required in our protocol.

If both back-ends produce an “SAFE” result in the “Output Format (OF)”, it indicates that the proposed protocol is resistant to replay and MitM attacks. Furthermore, the HLPSL implementation models the three entities $U_i$, $CS$, and $S{N}_j$ as independent roles, while the session, environment roles and goal components illustrated in Figure 9, which define the overall execution flow and the security properties to be verified.

Figure 10 shows the detailed user role’s HLPSL code. At the beginning, $U_i$ initializes its state (State = 0) and receives the start signal to initiate the registration phase. During this phase, $U_i$ securely transmits the registration request $HI{D}_i,R_0$ to the $CS$. The $CS$ sends a message through the secure channel $(SKuics)$, after which $U_i$ updates its state from 1 to 2. Once registration is complete, $U_i$ generates a random nonce $R_i^{\prime }$ and a timestamp $T_1^{\prime }$, computes the authentication parameters, and sends the authentication request message over the public channel $(dy)$. During this step, $U_i$ declares $witness(U_i,CS,ui\_cs\_ri,R_i^{\prime })$, representing that $U_i$ has generated a fresh random nonce $R_i$ for $CS$. Finally, $U_i$ computes the session key and completes mutual authentication in state 3.

The $CS$ and $S{N}_j$ role follow the same operational structure as $U_i$, with their respective registration and authentication transitions defined in the HLPSL code. These interactions ensure synchronized message exchanges and secure session key establishment among all entities. The “OFMC” and “CL-AtSe” back-end results are summarized in Figure 11, both of which return the status “SAFE,”. The tests conclude that the proposed protocol is secure from replay and MitM attacks.

8. Performance Comparison

This section analyzes and compares the proposed protocol with other works about the security features, computational costs, and communication costs.

8.1. Security Features

This section analyze the security properties of the proposed protocol compared with related works, [17,22,23,27,28,29]. We denote each security feature as SF. Fourteen key security features (SF1-SF14) are considered: SF1: “resistance to session key disclosure attacks”, SF2: “resistance to user and sensor node impersonation attacks”; SF3: “support user untraceability”; SF4: “resistance to DoS attacks”; SF5: “resistance to insider attacks”; SF6: “resistance to privileged insider attacks”; SF7: “resistance to desynchronization attacks”; SF8: “resistance to offline guessing attacks”; SF9: “resistance to man-in-the-middle attacks”; SF10: “resistance to physical capture attacks”; SF11: “resistance to stolen verifier attacks”; SF12: “resistance to ephemeral secret leakage (ESL) attacks”; SF13: “supporting mutual authentication”; and SF14: “supporting perfect forward secrecy”. The comparison result is represented in

Table 3. Comparison of security features.

Features	[22]	[23]	[27]	[28]	[29]	[17]	Proposed
SF1	∘	∘	∘	∘	∘	×	∘
SF2	×	×	∘	∘	∘	×	∘
SF3	∘	∘	×	×	∘	×	∘
SF4	∘	∘	∘	∘	∘	×	∘
SF5	∘	∘	∘	∘	∘	×	∘
SF6	×	∘	×	∘	∘	×	∘
SF7	∘	×	∘	∘	∘	∘	∘
SF8	×	∘	∘	∘	∘	×	∘
SF9	×	∘	∘	∘	∘	×	∘
SF10	∘	∘	∘	∘	∘	×	∘
SF11	∘	×	×	∘	∘	×	∘
SF12	∘	∘	∘	∘	∘	×	∘
SF13	∘	∘	∘	∘	∘	×	∘
SF14	∘	∘	∘	∘	×	∘	∘

∘: “Supported”; ×: “Not supported”.

. It demonstrates our proposed protocol guarantees enhanced and robust security rather then existed works. The proposed protocol ensures enhanced security over related works, thereby satisfying the necessary security requirements for WMSNs.

8.2. Computational Costs

We measure the computational overheads of the proposed protocol and compare them with related works [17,22,23,27,28,29]. For evaluation, we refer to the simulation setup of cryptographic operations described in [22], which uses an Intel Core i5-8265U processor with 8-GB RAM and the JCE library Pbc-05.14. Based on this environment, we measured the average execution time of each cryptographic operation as follows: one-way hash function ($T_H$ = 0.011 ms), generation function ($T_{Gen}$ = 1.17 ms), reproduction function of fuzzy extractor ($T_{Rep}$ = 3.28 ms), elliptic curve point multiplication ($T_{ECM}$ = 2.6 ms), and physical unclonable function ($T_{PUF}$ = 0.216 ms). The execution time of XOR operations is negligible and, thus, omitted. The execution times of the used functions are summarized in

Table 4. Execution time of cryptographic operations.

${\mathit{T}}_{\mathit{H}}$	${\mathit{T}}_{\mathit{Gen}}$	${\mathit{T}}_{\mathit{Rep}}$	${\mathit{T}}_{\mathit{ECM}}$	${\mathit{T}}_{\mathit{PUF}}$
0.011 ms	1.17 ms	3.28 ms	2.6 ms	0.216 ms

, and the comparison of the total computational costs is presented in

Table 5. Comparison result of computational costs.

Protocols	User	Server	Sensor Node	Total Costs
Subramani et al. [22]	$6T_H+2T_{Gen}+2T_{PUF}$	$5T_H+2T_{Rep}$	$6T_H+2T_{Gen}+2T_{PUF}$	12.3 ms
Shao et al. [23]	$13T_H+1T_{Rep}+1T_{PUF}$	$18T_H+1T_{Gen}$	$8T_H+1T_{Rep}+2T_{PUF}$	8.81 ms
Xie et al. [27]	$4T_H+2T_{ECM}$	$11T_H$	$4T_H+2T_{ECM}$	10.6 ms
Wu et al. [28]	$T_{Rep}+3T_H$	$5T_H+T_{PUF}+T_{Gen}$	$4T_H+7T_{PUF}+1T_{Gen}$	7.48 ms
Shang et al. [29]	$T_{Rep}+7T_H+3T_{ECM}$	$6T_H+1T_{ECM}$	$4T_H+2T_{ECM}$	19.067 ms
Keshta et al. [17]	$3T_H+2T_{ECM}$	$4T_H+2T_{ECM}$	$3T_H+1T_{ECM}$	10.5 ms
Proposed	$1T_{Rep}+9T_H$	$13T_H$	$5T_H+1T_{PUF}$	3.79 ms

. In the proposed protocol, the user’s mobile device performs $1T_{Rep}+9T_H$, the cloud server executes $13T_H$, and the sensor node performs $5T_H+1T_{PUF}$. Hence, the total computational cost is $27T_H+1T_{PUF}+1T_{Rep}$, which equals 3.79 ms. Compared to existing protocols [17,22,23,27,28,29], the proposed protocol exhibits the lower cost, demonstrating superior computational efficiency.

8.3. Communication Costs

Communication overheads in the AKA phase are compared in this section. Following [22], we assume the bit lengths of parameters transmitted over the public channel. The random numbers, hash values, PUF challenge-response values, identities, passwords, biological information, ECC points, and timestamps are set to 256, 256, 128, 128, 128, 256, 320, and 32 bits, respectively. We calculate the communication cost of the proposed protocol and compare it with related works, including Keshta et al.’s protocol. The results are summarized in

Table 6. Comparison result of communication costs.

Protocols	Total Costs (Bits)	Messages
Subramani et al. [22]	3520	5
Shao et al. [23]	4352	7
Xie et al. [27]	3136	4
Wu et al. [28]	2944	4
Shang et al. [29]	2688	4
Keshta et al. [17]	3264	4
Proposed	2432	4

.

• Message 1: $\{PI{D}_i,M_1,V_1,T_1\}$ requires (128 + 256 + 256 + 32) = 672 bits.
• Message 2: $\{PI{D}_i,M_2,V_2,T_2\}$ requires (128 + 256 + 256 + 32) = 672 bits.
• Message 3: $\{M_3,V_3,T_3\}$ requires (256 + 256 + 32) = 544 bits.
• Message 4: $\{M_4,V_4,T_4\}$ requires (256 + 256 + 32) = 544 bits.

The total communication cost of the proposed protocol is therefore $672+672+544+544=2432$ bits. The protocols presented in [17,22,23,27,28,29] incur higher communication overhead because they involve more than four message exchanges among three entities during the AKA phase. Although Keshta et al.’s protocol [17] and Xie et al. [27] also use four messages, they include ECC points, which significantly increase message size. Similarly, Wu et al.’s [28] protocol transmits multiple parameters in a message $M_2=\{SI{D}_j,R_2,TP{W}_i,C{H}_j,V_2,T_2\}$, further increasing communication overhead. Therefore, the proposed protocol achieves a lower communication cost than existing ECC-based and non-ECC-based protocols.

9. Conclusions

In this paper, we closely reviewed Keshta et al.’s [17] and demonstrated their protocol cannot resist against session key disclosure, user and sensor node impersonation, and DoS attacks. In addition, the protocol of Keshta et al. cannot support user untraceability. To overcome the security weaknesses of Keshta et al.’s ECC-based authentication protocol for cloud-assisted WMSN, we proposed a PUF based secure AKA protocol. Through informal analysis, we demonstrated that the proposed protocol can resist various attacks, including session key disclosure, impersonation, physical capture, and DoS attacks, while ensuring mutual authentication, user untraceability, and perfect forward secrecy. Formal analysis using “BAN logic”, “RoR model”, and “AVISPA simulation” further confirms that our scheme achieves mutual authentication and session key security. Compared with existing protocols, the proposed protocol enhances security and reduces computational and communication costs, making it more suitable for resource-constrained environments and cloud-assisted WMSNs.