Probabilistic Bit-Similarity-Based Key Agreement Protocol Employing Fuzzy Extraction for Secure and Lightweight Wireless Sensor Networks

Abstract

Wireless sensor networks comprise many resource-constrained nodes that must protect both local readings and routing metadata. The sensors collect data from the environment or from the individual to whom they are attached and transmit it to the nearest gateway node via a wireless network for further delivery to external users. Due to wireless communication, the transmitted messages may be intercepted, rerouted, or even modified by an attacker. Consequently, security and privacy issues are of utmost importance, and the nodes must be protected against unauthorized access during transmission over a public wireless channel. To address these issues, we propose the Probabilistic Bit-Similarity-Based Key Agreement Protocol (PBS-KAP). This novel method enables two nodes to iteratively converge on a shared secret key without transmitting it or relying on pre-installed keys. PBS-KAP enables two nodes to agree on a symmetric session key using probabilistic similarity alignment with explicit key confirmation (MAC). Optimized Garbled Circuits facilitate secure computation with minimal computational and communication overhead, while Secure Sketches combined with Fuzzy Extractors correct residual errors and amplify entropy, producing reliable and uniformly random session keys. The resulting protocol provides a balance between security, privacy, and usability, standing as a practical solution for real-world WSN and IoT applications without imposing excessive computational or communication burdens. Security relies on standard computational assumptions via a one-time elliptic–curve–based base Oblivious Transfer, followed by an IKNP Oblivious Transfer extension and a small garbled threshold circuit. No pre-deployed long-term keys are required. After the bootstrap, only symmetric operations are used. We analyze confidentiality in the semi-honest model. However, entity authentication, though feasible, requires an additional Authenticated Key Exchange step or malicious-secure OT/GC. Under the semi-honest OT/GC assumption, we prove session-key secrecy/indistinguishability; full entity authentication requires an additional AKE binding step or malicious-secure OT/GC.

1. Introduction

The integration of new technologies has revolutionized the way many sectors operate and the quality of their services. Wireless Sensor Networks (WSNs) and the Internet of Things (IoT) connect the physical world with digital infrastructures, transforming massive amounts of data into valuable information and enabling different users to access devices. WSNs consist of numerous small sensor nodes with limited computational power and battery life. Sensor nodes often monitor phenomena directly tied to the physical world. A sensor may periodically transmit data about the location of a high-value shipment, a biomedical node may send sensitive health measurements, or a security node may detect movement in a specific area. If an adversary monitors network traffic and can associate packets with a particular node, its owner, or its geographic location, they can extract critical information about personal activities or target physical infrastructures and resources. Sensor nodes are considered an easy target for attackers because they typically lack tamper-resistant mechanisms. Consequently, an adversary can use power analysis techniques to extract parameters stored in the node’s memory and exploit them during key negotiation with other nodes, pretending to be a legitimate sensor node.

While extensive research has been conducted on authentication and key management in WSNs, existing protocols still face significant limitations. Many rely on pre-distributed keys, static credentials, or trusted gateway nodes, which creates single points of failure and limits resilience against node capture and insider attacks [1,2]. Multi-factor and hardware-assisted schemes, including those leveraging PUFs and fuzzy extractors, improve security but often introduce high computational or communication overhead, suffer from environmental sensitivity, or lack robustness and reusability [3,4,5,6,7]. Moreover, public-key approaches remain impractical for resource-constrained sensor nodes due to energy and processing limitations [1,2,3]. The design of secure and efficient authentication protocols must meet not only security and privacy requirements but also usability demands for resource-constrained devices such as IoT devices. These challenges highlight the need for authentication mechanisms that are lightweight, secure, resilient to node capture, and capable of reliably generating cryptographic keys without pre-distributed secrets, which motivates the development of a protocol that does not rely on pre-distributed keys, trusted gateways, secure channels, or computationally heavy cryptographic operations.

Our approach is an iterative, bit-flipping protocol where nodes gradually converge on a shared secret without sending the secret itself or relying on pre-installed keys. It’s lightweight, secure, and well-suited for constrained WSN environments. Building on the conceptual scheme of [8], our work contributes:

• A self-contained, implementation-ready pseudocode for the full protocol, including deterministic index sampling, turn-taking, and round synchronization,
• a concrete, library-friendly 2PC design for the “half-or-more mismatches” test using a one-time base OT, IKNP OT extension, a Free-XOR + half-gates threshold circuit (no pre-distributed keys), and a fuzzy extractor with a secure sketch
• theory refinements: strict-majority thresholding for guaranteed negative drift, optional sequential sampling to reduce expected k, and parameter sizing via tail bounds with a worked numeric example
• engineering guidance: message and label encodings, wire formats, MAC-based key confirmation, and privacy amplification, so the interested reader can implement and experiment with the protocols without consulting other information sources.

The remainder of the paper follows with related work (Section 2), criteria for designing authentication in WSNs (Section 3), preliminaries and threat model (Section 4). Next, we present our protocol (Section 5), implementation details (Section 6), security analysis and proof (Section 7), and experimental evaluation (Section 8). Finally, there is a discussion section (Section 9), limitations and future work (Section 10), and conclusions (Section 11).

2. Related Work

Over the years, numerous protocols have been proposed to achieve secure authentication in WSNs, evolving from simple password-based approaches to multi-factor and hardware-assisted mechanisms. The following subsections outline this progression and highlight the main contributions and limitations.

Early work focused on password-based authentication schemes mediated by a gateway node [9,10]. Still, subsequent cryptanalysis has demonstrated that such one-factor approaches are vulnerable to replay, impersonation, and offline password-guessing attacks [11,12]. Two-factor schemes incorporating smart cards were later proposed to address these weaknesses [13]; however, they remain susceptible to card loss, insider attacks, and sensor node capture [14,15,16,17]. Many schemes, such as [18,19,20,21,22,23], analyzed previous cryptographic schemes, identified vulnerabilities, and proposed improved versions. Unfortunately, significant studies such as [12,24] have shown that most proposed solutions in two-factor authentication schemes remain vulnerable to various attacks.

This led to the proposal of a new authentication scheme to enhance the security of communication between entities in a wireless sensor network, the three-factor authentication [25,26,27,28,29,30]. In this approach, user authorization relies on something the user knows (their password), something the user possesses (their smart card), and something that uniquely characterizes the user (their biometric data). Due to the use of biometrics, these types of schemes offer increased resilience, as biometric data cannot be lost, forgotten, or easily compromised, and the keys generated from them are extremely difficult for a malicious actor to predict. While these approaches improve resistance against specific attack vectors, extensive analysis has shown that many such schemes still fail to ensure user anonymity, forward secrecy, or resistance to known session-specific temporary information (KSSTI) attacks [1,31]. Moreover, Elliptic Curve Cryptography (ECC)-based constructions, although cryptographically strong, often impose non-negligible computational and communication overhead on resource-constrained sensor nodes, and continue to rely on pre-distributed secrets that form single points of failure.

The findings regarding three-factor authentication protocols for WSNs indicate that most of these protocols rely on cryptographic techniques such as ECC and often incorporate biometric data, smart cards, and passwords (e.g., Xie et al. [32], Shuai et al. [33], Rangwani et al. [34], Wu et al. [35], Ryu et al. [36], Yang et al. [37], Zhu et al. [38], Mo et al. [39], Chhikara et al. [40]) to achieve strong security and privacy protection. These protocols have been validated as secure through formal analyses using tools such as BAN logic, ProVerif, AVISPA, and the Real-or-Random model, as well as via theoretical and practical testing. Specifically, they demonstrate resilience against various attacks, including replay attacks, offline dictionary attacks, impersonation attacks, man-in-the-middle attacks, insider attacks, smart card theft, sensor capture, and session key compromise. However, they remain vulnerable. Some protocols, such as those by Xie et al. [32], Shuai et al. [33], Rangwani et al. [34], and Wu et al. [35], exhibit vulnerabilities in information leakage, fail to ensure complete anonymity and untraceability, or do not maintain perfect forward secrecy, as noted by Mo et al. [39] and Hu et al. [41]. Protocols like that of Xie et al. [32] may also lead to rapid battery depletion due to high communication overhead. Wu et al.’s protocol was found by Mo et al. to lack three-factor security and user anonymity and is vulnerable to information disclosure attacks. Furthermore, protocols such as Shuai et al.’s are susceptible to desynchronization and stolen verifier attacks and do not provide perfect forward secrecy, according to Xie et al. [32] and Hu et al. [41]. To address the remaining challenges of three-factor authentication protocols, improved or new protocols have been proposed (e.g., Yang et al. [37], Zhu et al. [38], Mo et al. [39], Chhikara et al. [40]), which incorporate techniques such as fuzzy extractors, Physically Unclonable Functions (PUFs), blockchain, and solutions tailored to specialized environments.

Despite various advances, surveys in [2,3] indicate that most recent protocols still rely on pre-distributed secrets, static credentials, or trusted gateway nodes, creating single points of failure and limiting resilience against node capture and insider attacks. Even solutions, such as assigning a distinct key to each sensor [1], only partially mitigate this risk, as the compromise of a sensor node can still expose all stored encryption keys [42]. Effective authentication and key agreement in IoT systems, therefore, require a careful balance between security and efficiency. Lightweight and hybrid cryptographic techniques are widely adopted to accommodate resource-constrained devices while maintaining adequate protection. Overall, current trends emphasize the need for adaptable security designs that minimize the risk of key exposure and are tailored to both application requirements and device limitations [2].

Hardware-assisted authentication has been widely investigated as a countermeasure against sensor node capture attacks, most notably through the use of Physically Unclonable Functions (PUFs) [43,44,45]. A representative example is the protocol proposed by Lee et al. [46], which aims to enhance security in IoT environment by addressing vulnerabilities such as ID/password guessing attacks and device capture attacks. The protocol employs three-factor authentication framework that combines PUFs with honey lists, which act as decoy entries to mislead potential attackers. However, the security of this scheme relies on the presence of a trusted gateway node. If this gateway is compromised, user identities and other sensitive information may be exposed, rendering users vulnerable to identity theft and privileged insider attacks [47]. In addition, PUF-generated responses are highly sensitive to environmental and physical variations, which makes them inherently non-reproducible. A comprehensive comparison of authentication techniques used in IoT environments can be found in [4]. Consequently, although PUFs are suitable for device identification and authentication with some tolerance for error, even small variations prevent their use in key generation, which requires exact reproducibility [48]. PUF responses serve as unique device fingerprints, necessitating error-correction mechanisms for key generation [48]. Differential design techniques can reduce environmental sensitivity [49], but noise may still cause bit flips and false negative authentications.

To address this, fuzzy extractor-based error-correction schemes are employed, mitigating noise-induced errors without increasing false positives and improving PUF output reliability [48]. Traditional fuzzy extractors, while secure against passive attackers, face challenges when helper data are manipulated by an active adversary or when multiple keys must be derived from correlated inputs [7,50,51]. Some constructions improved security by concealing randomness rather than directly extracting it from biometric or noisy sources [50], but they often lacked robustness or were weakly reusable [7,51]. Subsequent work introduced robust fuzzy extractors capable of resisting helper data manipulation and reusable fuzzy extractors that allow multiple independent key extractions from the same source without leaking sensitive information [6]. Other schemes combine computational assumptions such as Learning With Errors (LWE), Non-uniform Learning With Errors (NLWE), Decisional Diffie-Hellman (DDH), or Decisional Linear (DLIN) to provide robust and reusable fuzzy extractors, addressing practical constraints like storage and error tolerance, although challenges remain regarding post-quantum security, uniformity of inputs, and residual information leakage [7,52,53]. These advances position fuzzy extractors as a viable method for reliably generating cryptographic keys from PUF outputs or other noisy sources in real-world IoT and sensor network environments.

From the sensor side, public-key encryption systems are impractical in wireless sensor networks due to limitations in energy, processing power, memory, and communication capabilities [8,9,54]. While symmetric cryptosystems are considered more suitable for such networks, as they require less computational power [55], they still present several challenges. These include difficulties in key distribution [8], vulnerability to node compromise that can expose a large portion of the network, limited capability to ensure anonymity and protect personal data, lack of perfect forward secrecy, and restricted support for dynamic authentication and the use of temporary identities [12].

Pre-distributed secret information stored in sensor memory, as well as cryptographic keys managed and disseminated by gateways, inherently contain sensitive data related to communicating entities; their exposure therefore poses a serious threat to overall network security under node-capture attacks. PUF-based schemes mitigate key storage requirements but remain dependent on hardware stability and environmental conditions, while group key-agreement approaches further increase communication and revocation complexity.

In contrast to these designs, the proposed PBS-KAP protocol eliminates the need for pre-distributed long-term secrets, centralized key pools, and complex key management infrastructures, and confines public-key operations to a one-time bootstrap phase. By leveraging probabilistic bit similarity, oblivious transfer, and fuzzy extraction, our protocol achieves lightweight key agreement without storing or transmitting long-term secrets in clear form, thereby providing strong resilience against sensor node capture, compromise, and eavesdropping. When properly implemented, this approach significantly reduces energy consumption and computational overhead, enhances privacy protection, and maintains a high level of security and robustness, making it particularly well-suited for resource-constrained WSN deployments. In

Table 1. Comparison of representative key agreement protocols for wireless sensor networks in terms of cryptographic characteristics, node-capture resilience, and suitability for resource-constrained deployments.

Protocol	Key Agreement Method (GWN–Sensor)	Pre-Distributed Long-Term Secrets	Resistance to Node Capture	Impact of Node Compromise	Hardware Dependence	Suitability for Resource-Constrained WSNs
Chen et al. (2021) [56]	Symmetric	Yes	Partial	Localized compromise	No	High
Li et al. (2019) [57]	Symmetric	Yes	Limited	Affects neighboring nodes	No	High
Hajian et al. (2021) [58]	Symmetric	Yes	Yes	Limited	No	Moderate
Singh et al. (2021) [59,60]	Symmetric	Yes (master key/pairwise keys)	Weak	Severe (cluster-wide)	No	High
Yoon et al. (2020) [45]	PUF-based authentication	Yes	Partial	Device-local compromise	Yes	Moderate
FSMFA (2023) [61]	PUF + fuzzy extractor	Yes	Yes	Localized	Yes	Moderate
Lee et al. (2022) [46]	PUF + fuzzy extractor	Yes (PUF challenges, gateway secrets)	Partial	Gateway/device compromise	Yes	Moderate
Alkanhal et al. (2024) [4]	PUF + fuzzy extractor	Yes	Partial	Local compromise	Yes	Low–Moderate
PBS-KAP	Bit-similarity agreement + OT + fuzzy extractor + MAC	No	High	Session-local only	No	High

, we compare our key agreement protocol with other representative protocols for WSNs.

The solution we adopt differs fundamentally from the classical symmetric or asymmetric cryptographic architectures typically used in wireless sensor networks and is based on the Bit-Similarity Key-Agreement Protocol, as proposed by Liagkou et al. [8]. This approach allows two nodes to establish a shared secret key without requiring pre-distributed keys or the exchange of sensitive material over the network. In each round, the nodes privately compare $k$ selected positions from their local secret bitstrings without revealing them. Only if a sufficient number of differences (majority) is detected, does a node randomly flip some bits at the corresponding positions. This process is repeated until the two strings converge, forming the shared key. The underlying intuition of the protocol is that when two random substrings from two bitstrings differ in at least half of their positions, randomly flipping certain bits in one of the substrings tends to increase the percentage of similarities between the two bitstrings. Conversely, if the substrings are already highly similar, a single flip could potentially further decrease their similarity. Once the two nodes reach a point where their bitstrings are sufficiently similar, they can generate a large set of potential keys from them, potentially applying error-correction methods to increase the number of matching bits, which can then be used for both current and future communications. At this stage, our approach integrates a Fuzzy Extractor to serve as an error-correction mechanism. This allows the nodes to reliably derive matching keys from their similar bitstrings, even in the presence of slight variations, without being hindered by constraints on reusability and robustness. In more detail, the two parties (i.e., the GWN and the sensor node) begin with independent bitstrings. Using the bit-similarity protocol, they iteratively sample positions and flip bits until their strings are sufficiently close. Once the Hamming distance between the strings is below a threshold, they apply a Fuzzy Extractor to correct residual mismatches and extract a uniform random key. This produces a final shared, secure key, without requiring pre-distributed secrets.

3. Criteria for Designing Authentication in Wireless Sensor Networks

While the existing literature largely follows a “break–fix” pattern, identifying specific vulnerabilities and proposing incremental patches (e.g., two/three-factor authentication, additional checks, or temporary nonces) to isolate attacks, these approaches ultimately collapse once an adversary gains access to the pre-distributed key. Dependence on pre-installed key material provides implementation convenience but introduces a critical single point of failure. The compromise of one node or the exposure of a shared parameter can jeopardize the security of the entire network. For this reason, our research takes a different approach, eliminating reliance on pre-distributed keys and instead focusing on mechanisms that generate secrets dynamically and are inherently resilient to node compromise and physical capture. The goal is to establish solutions that do not rely on a fixed trust anchor but remain robust under realistic attack scenarios and partial key exposure.

In an effort to break this “break–fix” cycle, Wang et al. [24] attempted to summarize and address all identified deficiencies and limitations. They argued that modern authentication protocols for WSNs must satisfy a broad range of criteria to comprehensively tackle all critical security and privacy issues. However, we propose the inclusion of two additional criteria: C13, “Time Efficiency,” and C14, “Network Topology.” Although the C13 characteristic is considered in many protocols, due to the nature of WSNs, which require lightweight methods, it is not yet an official criterion. Therefore, its addition would serve as an extra factor to strengthen the protocol requirements. Similarly, criterion C14 is mentioned in many proposed protocols, but is not always guaranteed. Its presence is critical because the distance between the user and the sensor often exceeds the communication range [62].

Table 2. Criteria for a Secure Authentication Protocol.

Acronym	Criteria	Description
C1	No Password Verification Table	No node should store values related to the user’s password.
C2	Password-Friendly	The user should be able to choose and change their password freely.
C3	No Password Exposure	The password cannot be obtained or extracted even by the gateway node.
C4	Smart Card Loss Resistance	An attacker possessing the smart card cannot find the password, even if secret parameters stored in it are revealed.
C5	Resistance to Known Attacks	Protection against user/gateway/sensor impersonation, offline password guessing attacks, replay attacks, and key-related attacks.
C6	Extensibility (Sound Repairability)	Provides dynamic addition of sensor nodes.
C7	Key Agreement Assurance	During authentication, the user and gateway agree on a session key for subsequent communication.
C8	No Clock Synchronization	The protocol is not affected by clock synchronization issues or network delays.
C9	Password-Typo Detection	If the user enters a wrong password, they should be promptly notified.
C10	Mutual Authentication	The user, gateway, and sensors should verify each other’s authenticity (this requires the addition of an Authenticated Key Exchange step or malicious-secure OT/GC).
C11	User Anonymity	User anonymity should be maintained even if the gateway colludes with an attacker.
C12	Forward Secrecy	If an attacker obtains the long-term secret key used for authentication or encryption, they cannot decrypt past or future communications.
C13	Time Efficiency	Lightweight architecture with minimal cryptographic operations (e.g., hash functions instead of public-key algorithms where possible), few message exchanges, and low operation time even in large or low-speed networks.
C14	Network Topology	The user and sensor communicate through a gateway node, not directly.
C15	Sensor Node Capture Resistance	An attacker physically capturing a sensor cannot extract critical information.

presents 15 independent criteria that a proper authentication protocol must satisfy in order to address security and privacy issues, according to [1,24], with additional new criteria included based on our own research.

In the broad criteria for evaluating authentication protocols in WSNs, criterion C5, “Resistance to Known Attacks,” includes the sensor node capture attack. In contrast, Wang et al. [24] propose a separate criterion specifically for reducing the risk of such an attack, denoted as C15. They found that only two protocols were capable of resisting sensor node capture attacks: the protocols proposed by Li et al. [63] and Gope and Hwang [64]. However, regarding Li et al.’s protocol, we observed that if an adversary succeeds in capturing a sensor node, he could exploit the parameters stored in the sensor’s memory to generate a valid request to the gateway. In the case of Gope and Hwang’s protocol, according to Gope et al. [65], the protocol does not support sensor anonymity and remains vulnerable to sensor node capture and cloning attacks.

4. Preliminaries

In this section, we present the system model, threat model, and garbled circuit optimizations.

4.1. System Model

We consider architecture to be a two-level system commonly adopted in wireless sensor networks, consisting of sensor nodes and gateway nodes. Sensor nodes collect environmental data and communicate exclusively with nearby gateway nodes, which act as aggregation and control points for the network. The gateway nodes manage communication with multiple sensors and coordinate secure data exchange within the network. Communication between sensor nodes and gateway nodes takes place over insecure wireless channels that are vulnerable to eavesdropping, replay, and impersonation attacks. Therefore, sensor nodes and gateway nodes must mutually authenticate each other and establish a shared session key before initiating secure data transmission. The entities involved in the system are described as follows:

• The sensor node is a highly resource-constrained device with limited computational capability, memory, and energy supply. Sensor nodes are typically deployed in unattended or hostile environments, making them susceptible to physical capture and compromise. Consequently, sensor nodes are assumed to be unable to securely store long-term cryptographic secrets, motivating the design of lightweight and capture-resilient key agreement mechanisms.
• The gateway node serves as the bridge of communication between a sensor node and a user. Compared to sensor nodes, gateways possess greater computational and communication resources, enabling them to perform more complex cryptographic operations. The gateway has general computing capacity but lacks security mechanisms.

4.2. Threat Model

Throughout this work, we adopt the semi-honest (honest-but-curious) adversary model. In this setting, each party is assumed to follow the prescribed steps of the protocol correctly but may attempt to infer additional information from its local view of the execution, which consists of its private input and random coins, the messages it sends and receives, and the final output of the protocol.

In the semi-honest model, a protocol is secure if whatever a party can learn from its real view could be efficiently simulated from its own input and output only; thus, the execution reveals no extra information beyond what is implied by the prescribed outputs. Within this work, we assume semi-honest parties and design the “half-or-more mismatches” test so that each side learns only the single bit β and nothing else about the peer’s sampled bits.

Additionally, we consider the practical deployment scenario of sensor nodes in unattended environments, where nodes are incapable of protecting the secrets stored in their memories. Moreover, we assume that an attacker may perform memory probing attacks on both gateway and sensor nodes, modeled under the Dolev-Yao adversary model [66], where they can eavesdrop on communications, intercept or synthesize messages, and perform replay attacks. The attacker’s primary objective is to impersonate sensor nodes or compromise the established group key without being detected. We assume, however, that the adversary cannot break cryptographic primitives (e.g., hash functions, MACs).

Model separation. In this manuscript, we assume honest-but-curious (semi-honest) endpoints for the OT/GC sub-protocol privacy. Separately, we consider an active Dolev–Yao network adversary controlling the channel; our security claims for key secrecy/indistinguishability therefore hold for protocol-abiding endpoints with authenticated messages (see transcript-MAC clarification below). Full active/malicious endpoint security would require malicious-secure OT/GC and/or an AKE

Considering that sensor devices are often deployed in unattended environments, the attacker can capture the device, obtain data stored in its memory, and carry out node cloning and tampering attacks [67].

4.3. Garbled Circuit Optimizations for Efficient Secure Computation

Our protocol relies on Garbled Circuits (GCs), allowing the participating parties to jointly compute a function on their private inputs without revealing those inputs to each other. The garbled circuit generator (garbler) generates a garbled circuit from a pre-calculated Boolean circuit truth table and sends it to the evaluator. Next, the evaluator takes the garbled circuit, evaluates it, and produces the final result. The result is then shared with the garbler. To make these circuits efficient enough for constrained devices, we employ two standard optimizations, Free-XOR and Half-Gates. The Free-XOR optimization allows all XOR gates in a garbled circuit to be evaluated at essentially zero cost. This is achieved by assigning wire labels that differ by a fixed global offset, enabling the evaluator to compute XORs simply by XOR’ing labels, instead of transmitting, storing, or decrypting any garbled tables, eliminating the cost of XOR gates. The evaluator never sees both labels of any input wire, so the global offset remains hidden [68,69]. We employ oblivious transfer. In a one-time bootstrap, the parties execute 256 base 1-out-of-2 OTs (κ = 128 security parameter) using an ECC-based OT scheme, thereby obtaining correlated seed values. These seeds are then used to realize a large number of OTs efficiently via the IKNP OT-extension protocol (symmetric-key only).

The P&P optimization removes the need for the evaluator to check and decrypt all ciphertexts by associating each label with a choice bit. P&P and Free-XOR operate on orthogonal dimensions: P&P supplies the per-wire selection bit used to pick the right row of any garbled table, while Free-XOR removes the need for a table for XOR gates altogether by defining correlated labels via a global offset $\Delta$. The Half-Gates optimization reduces data transfer in garbled circuits by decomposing an AND gate into two half-gates, thereby eliminating the need for multiple ciphertexts. For non-linear gates (e.g., AND), we still emit a small table (two ciphertexts under Half-Gates), and P&P ensures the evaluator reads exactly one entry per half without any guesses. This preserves security even though labels share the global offset Δ. Used together (and with Half-Gates for AND), they yield zero-cost XORs, two-ciphertext ANDs, and single-shot row access, meeting our goals of low bandwidth and predictable, constant-time evaluation.

In the following subsections, we recall the key ideas of Free-XOR, which are crucial to the efficiency of our construction:

4.3.1. Global Offset and Wire Labels

Choose a secret global offset $\Delta \in \{\mathrm{0,1}{\}}^{\kappa }$ once per circuit ($\kappa$ is the security parameter, e.g., $128$). Require that the least significant bit of $\Delta$ is $1$ to support point-and-permute. For every wire $w$, pick a random base label $K_w^0\in \{\mathrm{0,1}{\}}^{\kappa }$ with a chosen permute bit as its Least Significant Bit (LSB), and set

$$K_w^1 = K_w^0\oplus \Delta .$$

Thus the two labels for a wire differ by the fixed offset $\Delta$, and their LSBs differ automatically.

4.3.2. Free Evaluation of XOR

For an XOR gate $c=a\oplus b$ the garbler sets

$$K_c^0 = K_a^0\oplus K_b^0, K_c^1 = K_c^0\oplus \Delta ,$$

sends no garbled table and publishes the output label mapping only at the very end. The evaluator, who holds runtime labels $L_a=K_a^x$ and $L_b=K_b^y$ for inputs $x,y\in \left\{\mathrm{0,1}\right\}$, computes:

$$L_c = L_a\oplus L_b = K_a^x\oplus K_b^y = (K_a^0\oplus K_b^0)\oplus (x\oplus y)\cdot \Delta = K_c^{ x\oplus y}.$$

Therefore XOR gates require no ciphertexts and no hashing or decryption.

4.3.3. Half-Gates Garbling of AND Gates

The Half-Gates technique [70] optimizes the garbling of AND gates by decomposing each AND into two half-gates, one garbled by the party holding the first input label and one by the party holding the second. Each half-gate consists of a single ciphertext, reducing the cost of an AND gate from four ciphertexts (in the traditional Yao garbling) to two while remaining fully compatible with the Free-XOR construction and the point-and-permute mechanism.

Let $A$, $B$ be Boolean input wires with labels $(A_0, A_1 = A_0 \oplus \Delta )$ and $(B_0, B_1 = B_0 \oplus \Delta ),$ where $\Delta$ is the global offset chosen once per circuit and lsb($\Delta$) = 1. The output wire $C$ has labels $(C_0, C_1 = C_0 \oplus \Delta ).$ The garbler chooses a random base label $C_0$ and constructs:

$$T_g = H\left(A_0\right) \oplus (B_0 · \Delta ) \oplus C_0$$

$$T_e=H(B_0 \oplus (A_0 · \Delta \left)\right) \oplus C_0$$

Here, $H(·)$ is a correlation-robust hash and “·” denotes conditional XOR depending on the permute bit of the corresponding wire label. The two ciphertexts $T_g$ and $T_e$ constitute the half-gate table.

During evaluation, the evaluator, holding runtime labels $A_{\mathrm{x}}$ and $B_y$ with hidden bits $x,y \in \left\{\mathrm{0,1}\right\}$, computes:

$$C = H\left(A_{\mathrm{x}}\right) \oplus T_g \oplus x · \Delta \oplus H(B_y \oplus (x · \Delta \left)\right) \oplus T_e.$$

The resulting label $C$ corresponds to $C_{x\wedge y}$ no other information about $A$,$B$ is leaked. XOR gates remain free under the same global offset $\Delta$, enabling compact threshold and Hamming-distance circuits using only symmetric operations.

In the proposed PBS-Key Agreement protocol, this half-gate optimization is used inside the SecureHalfDiff routine to implement the strict-majority test over sampled bit positions. Combining IKNP OT extension, Free-XOR, and Half-Gates yields a lightweight garbled circuit that outputs only a single comparison bit while maintaining security in the semi-honest model. The integration of half-gates thus minimizes both transmission and computation overhead, making the protocol practical for resource-constrained wireless sensor nodes.

4.3.4. Point-And-Permute Compatibility

P&P is a routing/indexing mechanism that removes try-all-rows and makes evaluation work constant-time per gate. Each wire label $K_w$ carries a selection bit ${\pi }_w$(e.g., the LSB of $\mathrm{H}\left({\mathrm{K}}_{\mathrm{w}}\right||\mathrm{d}\mathrm{o}\mathrm{m}\mathrm{a}\mathrm{i}\mathrm{n}-\mathrm{s}\mathrm{e}\mathrm{p})).$ Given the selection bits of the two input wires to a gate, the evaluator directly indexes the single correct row of that gate’s table, without trial decryptions.

To ensure compatibility with the Free XOR and Half-Gates optimizations, we adopt a unified label format across the entire circuit. In particular, we derive ${\pi }_w$ as the least significant bit (LSB) of each label that can be used as the selection bit, allowing the evaluator to identify the correct row in the garbled table without any additional computational effort.

If the LSB of each $K_w^b$ encodes the permute bit, choosing $\mathrm{L}\mathrm{S}\mathrm{B}\left(\Delta \right)=1$ makes $\mathrm{L}\mathrm{S}\mathrm{B}\left(K_w^1\right)=\mathrm{L}\mathrm{S}\mathrm{B}\left(K_w^0\right)\oplus 1$. For an XOR gate, $\mathrm{L}\mathrm{S}\mathrm{B}\left(K_c^{x\oplus y}\right)=\mathrm{L}\mathrm{S}\mathrm{B}\left(K_a^x\right)\oplus \mathrm{L}\mathrm{S}\mathrm{B}\left(K_b^y\right)$. Thus, the evaluator can route to the correct row without extra work.

5. The Proposed PBS-KAP

Our proposed protocol is structured into three main components, presented in the following subsections. First, we introduce the Bit-Similarity Key Agreement Protocol, a probabilistic and computation-efficient method for dynamic key establishment without pre-distributed secrets. Next, we present the primitives of Secure Sketches and Fuzzy Extractors to correct residual errors and amplify entropy, ensuring reliable and uniformly random session keys, and finally, the key confirmation phase.

5.1. Initialization Parameters

During initialization, the parties perform 256 base Oblivious Transfers (OTs) to establish initial correlated randomness. In each OT instance, one party generates and holds two seeds (e.g., $\left(k_{0i},k_{1i}\right)$), while the other party receives one seed (e.g., $k_{{\sigma }_{i}i}$) corresponding to its private choice bit (e.g., ${\sigma }_i$). This setup provides the shared cryptographic foundation required for later OT extension and conditional flipping rounds. The entire bootstrap exchange requires roughly 16 kB of communication when implemented with Curve25519-based code, and it operates without the need for any long-term public or private keys. Base-OTs, OT-extension state, and garbled circuits are instantiated fresh per session; state and labels are never reused across sessions or rounds.

The initialization phase also defines the following global system parameters:

$N$: the bitstring length held by each party.

$k$: the sample size per round (subset of positions).

$l$: flips per round.

$i:$ the round counter.

$T$: the maximum number of allowed rounds before termination.

These parameters establish the operational framework, providing clear constraints and guiding the iterative execution of the protocol across all participating nodes.

5.2. Authentication and Key Agreement

In this section, we present the core algorithmic logic of our proposed authentication protocol, capturing the stepwise interactions between sensor nodes and GWN. This protocol runs between two parties (labeled $P_0$ and $P_1$, e.g., a gateway and a sensor) and aims to produce a common cryptographic key from two noisy N-bit strings (one per party). It has three main phases: Phase 1: a probabilistic key-agreement phase that tries to make the two bitstrings equal (or very close), Phase 2: a fuzzy-extraction step (secure sketch + extractor) that turns the aligned bits into a stable cryptographic key, and Phase 3: a key confirmation step using MACs to ensure both sides derived the same key.

5.2.1. Phase 1: Probabilistic Key Agreement

In this phase, the protocol enables two parties, $P_0$ and $P_1$, to establish a shared session key starting from independent N-bit strings $X$ and $Y$, and a shared random seed. To ensure both parties select the same random indices without communication overhead, the shared seed is expanded through a pseudorandom generator (e.g., AES-CTR). This produces identical subsets of positions deterministically at each round. As a foundation for secure operations, a one-time elliptic-curve–based base oblivious transfer (baseOT) is executed to bootstrap the system. Specifically, ${\mathrm{n}}_0=256$ 1-out-of-2 baseOTs are performed, from which many additional OTs can be extended efficiently using symmetric primitives (IKNP extension). This setup avoids the need for long-term pre-distributed keys while ensuring cryptographic security.

Each round samples $k$ positions, and through a secure two-party computation, the parties jointly determine a single bit $\beta$ indicating whether the Hamming distance of the sampled substrings exceeds the strict majority threshold $t=\lfloor k/2\rfloor +1$. If $\beta =1$, only the party whose turn it is (according to the turn-taking rule of line 9) performs corrective action by flipping $l$ randomly chosen bits within the sampled set. After each round, a lightweight synchronization message guarantees that both sides remain aligned, but no additional information about the strings is disclosed beyond the single comparison bit. We present the bit similarity key agreement protocol in Section 5.2.2. An overview of this phase is illustrated in Figure 1.

Its operation is iterative and probabilistic: in each round, the parties compare a random sample of their bitstrings, apply corrective flips if necessary, and progressively converge toward agreement. The parties derive the shared seed for JointRand (see Section 6.6.1) via a two-message coin toss (e.g., DH + KDF) bound to session IDs. This produces identical per-session seeds without revealing either party’s local secret. All flips occur privately in local memory, and synchronization messages guarantee that both parties remain aligned. The process repeats for up to $T$ rounds, during which the mismatch rate steadily decreases due to the negative drift introduced by the majority rule. A reference example is presented in Appendix A.1. The pseudocode of this phase (Algorithm 1) is presented below.

Algorithm 1: Round-Based Shared Secret Computation

$\mathrm{Input}: \mathrm{N-bit} \mathrm{string} \mathit{X}$$\mathbf{for} \mathbf{this} \mathbf{party} \mathbf{(}{\mathit{P}}_0$$\mathbf{and} {\mathit{P}}_1$)

Output: Identical key shared for both parties (with high probability)

1.     const  $\mathit{N},\mathit{k},\mathit{l},\mathit{T}$

2.     sharedSeed

3.     $\mathbf{const} \mathit{p}\mathit{a}\mathit{r}\mathit{t}\mathit{y}\mathit{I}\mathit{D}\in \left\{\mathrm{0,1}\right\}$                 //$\mathbf{0} \mathbf{for} {\mathit{P}}_0$$\mathbf{,} \mathbf{1} \mathbf{for} {\mathit{P}}_1$                 // strict majority threshold: t=floor(k/2)+1

4.      $\mathit{t}\leftarrow {\displaystyle \frac{\mathit{k}}{2}}+1$

5.      $\mathit{i}\leftarrow 1$                   // round counter

6.      $\mathbf{While} \mathit{i}\le \mathit{T}$ do

7.      $\mathit{S}\leftarrow \mathit{J}\mathit{o}\mathit{i}\mathit{n}\mathit{t}\mathit{R}\mathit{a}\mathit{n}\mathit{d}(\mathit{k},\left\{1,\dots ,\mathit{N}\right\},\mathit{s}\mathit{h}\mathit{a}\mathit{r}\mathit{e}\mathit{d}\mathit{S}\mathit{e}\mathit{e}\mathit{d},\mathit{i}$)

8.      $\mathit{\beta }\leftarrow \mathit{S}\mathit{e}\mathit{c}\mathit{u}\mathit{r}\mathit{e}\mathit{H}\mathit{a}\mathit{l}\mathit{f}\mathit{D}\mathit{i}\mathit{f}\mathit{f} (\mathit{X}\left[\mathit{S}\right],\mathit{Y}\left[\mathit{S}\right],\mathit{t}) \mathbf{//} \mathit{\beta }=1 \mathit{i}\mathit{f}\mathit{f} \#\{\mathit{j}\in \mathit{S}:\mathit{X}\left[\mathit{j}\right]\oplus \mathit{Y}\left[\mathit{j}\right]=1\}\ge \mathit{t}$

9.      $\mathit{m}\mathit{y}\mathit{t}\mathit{u}\mathit{r}\mathit{n}\leftarrow (\left(\mathit{i}+\mathit{p}\mathit{a}\mathit{r}\mathit{t}\mathit{y}\mathit{I}\mathit{D}\right)\mathit{m}\mathit{o}\mathit{d}2=1$)

10.      $\mathbf{If} \mathit{\beta }=1\bigwedge \mathit{m}\mathit{y}\mathit{t}\mathit{u}\mathit{r}\mathit{n}$ then

11.      ${\mathit{S}}_{\mathit{F}}\leftarrow \mathit{R}\mathit{a}\mathit{n}\mathit{d}\mathit{S}\mathit{u}\mathit{b}\mathit{s}\mathit{e}\mathit{t}(\mathit{l},\mathit{S},\mathit{s}\mathit{h}\mathit{a}\mathit{r}\mathit{e}\mathit{d}\mathit{S}\mathit{e}\mathit{e}\mathit{d},\mathit{i})$

12.     $\mathbf{for} \mathbf{each} \mathit{j}\in {\mathit{S}}_{\mathit{F}}$ do

13.      $\mathit{X}\left[\mathit{j}\right]\leftarrow 1-\mathit{X}\left[\mathit{j}\right]$

14.      $\mathbf{SynchronizeWithPeer} (\mathit{i},\mathit{S},\mathit{\beta })$

15.      $\mathit{i}\leftarrow \mathit{i}+1$

5.2.2. Bit-Similarity Key Agreement Protocol

A probabilistic key-similarity protocol provides a lightweight and efficient method for establishing shared session keys. Unlike traditional methods that rely on costly operations, our approach is built primarily on symmetric primitives (XOR, hashing) together with a one-time ECC-based base OT, plus an IKNP OT extension, and a small garbled threshold circuit for the similarity test, making it well-suited for deployment in WSNs. Moreover, this method does not require key pre-distribution or long-term secrets, reducing setup overhead and vulnerability to node capture.

The 1 bit-similarity key agreement protocol operates in iterative rounds. The parties jointly select a random subset of positions, check (via secure computation) whether more than half of these positions differ, and, if so, one party flips a small number of its bits. The two parties reveal only a single comparison bit, which drives a probabilistic convergence process ensuring that their bitstrings align with high probability. This process is repeated over multiple rounds, with synchronization to ensure both sides remain aligned. Once sufficient similarity is achieved, the final bitstring is compressed through privacy amplification to yield a strong cryptographic session key.

More formally, let $P_0$ and $P_1$ be two parties with inputs of $n_{P0}$ and $n_{P1}$ bits, respectively. The objective is to jointly compute a function $f:{\{0,1\}}_{n_{P0}}\times {\left\{\mathrm{0,1}\right\}}_{n_{P1}}\to \left\{\mathrm{0,1}\right\}$ on their inputs. The problem is that $P_0$ and $P_1$ cannot, simply, exchange their inputs and compute the function since they will learn each other’s inputs, something that is not desirable in a secure computation setting. More importantly, even if $P_0$ and $P_1$ are willing to share their inputs, they would not allow an eavesdropper to acquire these inputs as well. This leads to a general problem in cryptography, secure computation [8]. In their context, they consider the following two Boolean functions:

$f_r:{\{0,1\}}^k\times {\{0,1\}}^k\to \{0,1\}$ with $w_{P_0},w_{P_1}\in {\{0,1\}}^k$ and $0\le t\le k:$

$f\left(w_{P_0},w_{P_1}\right)=\left\{\begin{array}{c}1, if X(w_{P_0}, w_{P_1})\ge t\\ 0, otherwise\end{array}\right.$ with $t=k/2$.

$f_X:{\{0,1\}}^k\times {\{0,1\}}^k\to {\{0,1\}}^{\lceil log2\left(k\right)\rceil } \mathrm{with}{ w}_{P_0},w_{P_1}\in {\{0,1\}}^k$:

$f_X$($w_{P_0},w_{P_1})=x$, with $x=X{(w}_{P_0},w_{P_1})$ written in binary.

The function $f_X$ is essentially a set of simple 1-bit functions, each extracting one bit from the output of $X{(w}_{P_0},w_{P_1})$, from the most significant to the least significant. Using techniques from oblivious function computation [71], they compute both $f_r$ and $f_X$ efficiently with randomized protocols. Since these functions can be represented as Boolean circuits of polynomial size in their inputs, and $k$ is fixed, the computation can be done in a constant number of rounds using a constant number of random bits.

5.2.3. Phase 2: Fuzzy Extraction

Once sufficient similarity is achieved, we proceed to phase 2, where the provisional strings are transformed into a strong, uniform session key using a fuzzy extractor and a secure sketch. The definitions of the primitives of fuzzy extractors and secure sketches are presented in Section 5.2.4. This step ensures that even if residual mismatches remain, both parties derive the same key, and any adversarial uncertainty about the bitstring renders the session key indistinguishable from random.

Specifically, once both parties have aligned their bitstrings in Phase 1, Phase 2 extracts a robust cryptographic key from the potentially noisy shared string using a fuzzy extractor with a secure sketch. The gateway node (GWN) generates a secure sketch of its aligned bitstring ($X\_final$) and derives a key $\left(R\right)$ along with a helper string $(P$) which is sent to the sensor node. Using this helper data and its own aligned bitstring, the sensor node reconstructs the gateway’s bitstring ($X\_recovered$) and reproduces the shared key ($R\_sensor$). An overview of this phase is illustrated in Figure 2.

The pseudocode (Algorithm 2) of this phase is presented below.

Algorithm 2: Fuzzy Extraction with Secure Sketch

$\mathit{X}\_\mathit{f}\mathit{i}\mathit{n}\mathit{a}\mathit{l}\leftarrow \mathit{X} // \mathrm{final} \mathrm{aligned} \mathrm{bitstring} \mathrm{of} \mathrm{party} {\mathit{P}}_0$ (GWN)

$\mathit{Y}\_\mathit{f}\mathit{i}\mathit{n}\mathit{a}\mathit{l}\leftarrow \mathit{Y} // \mathrm{final} \mathrm{aligned} \mathrm{bitstring} \mathrm{of} \mathrm{party} {\mathit{P}}_1$ (sensor node)

// GWN side

1.     $\mathit{S}\mathit{S}\leftarrow \mathit{S}\mathit{e}\mathit{c}\mathit{u}\mathit{r}\mathit{e}\mathit{S}\mathit{k}\mathit{e}\mathit{t}\mathit{c}\mathit{h}(\mathit{X}\_\mathit{f}\mathit{i}\mathit{n}\mathit{a}\mathit{l})$             // generate secure sketch of the aligned bitstring

2.     $(\mathit{R},\mathit{P})\leftarrow \mathit{G}\mathit{e}\mathit{n}(\mathit{X}\_\mathit{f}\mathit{i}\mathit{n}\mathit{a}\mathit{l},\mathit{S}\mathit{S})$                  // generate cryptographic key and helper string

$\mathit{S}\mathit{e}\mathit{n}\mathit{d} \mathit{P} \mathit{t}\mathit{o} \mathit{s}\mathit{e}\mathit{n}\mathit{s}\mathit{o}\mathit{r}$                 // transmit helper string

// Sensor node side

1.     $\mathit{X}\_\mathit{r}\mathit{e}\mathit{c}\mathit{o}\mathit{v}\mathit{e}\mathit{r}\mathit{e}\mathit{d}\leftarrow \mathit{R}\mathit{e}\mathit{c}(\mathit{Y}\_\mathit{f}\mathit{i}\mathit{n}\mathit{a}\mathit{l},\mathit{P})$             // recover GWN’s aligned bitstring using secure sketch

2.     $\mathit{R}\_\mathit{s}\mathit{e}\mathit{n}\mathit{s}\mathit{o}\mathit{r}\leftarrow \mathit{R}\mathit{e}\mathit{p}(\mathit{X}\_\mathit{r}\mathit{e}\mathit{c}\mathit{o}\mathit{v}\mathit{e}\mathit{r}\mathit{e}\mathit{d},\mathit{P})$             // reconstruct the shared key

5.2.4. Secure Sketch and Fuzzy Extractor

Our protocol employs a probabilistic iterative bit-flipping mechanism to align the bitstrings of the two communicating parties progressively. This process significantly increases the likelihood of convergence while maintaining computational efficiency. However, due to its probabilistic nature, it cannot guarantee that the final bitstrings will be perfectly identical. Residual discrepancies may remain, which, if left uncorrected, could compromise both reliability and security. To address this issue, an error-correction code is incorporated, ensuring that any remaining mismatches after the iterative alignment phase are resolved with high accuracy. By applying error correction, the protocol ensures that the bitstrings reconstructed by both parties are consistent, thereby ensuring correctness in the generated raw key material.

Subsequently, to further enhance the robustness and cryptographic strength of the session key, we utilize a fuzzy extractor with a secure sketch. This method not only reconciles the corrected bitstrings into a perfectly identical common key but also amplifies their entropy, producing a uniformly random session key. This step ensures that the final shared key is both error-free and secure against adversarial inference, thereby satisfying the dual requirements of reliability and statistical privacy (ε-close to uniform, assuming sufficient min-entropy) within the authentication process. We follow the definitions according to Dodis et al. [72]. A secure sketch allows recovery of a secret from a noisy version of it. Let $M$ be a metric space on $N$ points with distance function $dis.$

Definition 1: 

An$(M, m,m\prime , t)$-secure sketch is a randomized map$SS:M\to \left\{\mathrm{0,1}\right\}*$with the following properties:

• There exists a deterministic recovery function Rec allowing to recover$w$from its sketch$SS\left(w\right)$and any vector$w\prime$close to$w$: for all$w,w\prime \in M$satisfying$dis(w,w\prime )\le t$, we have$Rec(w\prime ,SS(w\left)\right)=w.$
• For all random variables$W$over$M$with min-entropy m, the average min-entropy of$W$given$SS\left(W\right)$is at least$m\prime$. That is, ${\hat{\mathrm{H}}}_{\infty }(W | SS\left(W\right)) \ge m\prime$.

The secure sketch is efficient if $SS$ and $Rec$ run in time polynomial in the representation size of a point in $M$. We denote the random output of $SS$ by $SS\left(W\right),$ or by $SS(W;X)$ when we wish to make the randomness explicit.

Definition 2: 

An$\left( M, m, m^{\prime }, t, e\right)-$fuzzy extractor is a given by two procedures$(Gen, Rep).$

• Gen is a probabilistic generation procedure, which on input$w\in M$outputs an “extracted” string$R\in {\left\{\mathrm{0,1}\right\}}^{l }$and a public string$P$. We require that for any distribution$W$on$M$of min-entropy$m$, if$(R,P)\leftarrow Gen\left(W\right)$, then we have$SD\left[\left(R,P\right),\left(U_l,P\right)\right]\le e.$
• Rep is a deterministic reproduction procedure allowing to recover$R$from the corresponding public string$P$and any vector$w\prime$close to$w$: for all$w,w^{\prime }\in M$satisfying$dis(w,w\prime )\le t$, if$(R,P)\leftarrow Gen\left(w\right)$, then we have$Rep\left(w^{\prime },P\right)=R$.

The fuzzy extractor is efficient if $Gen$ and $Rep$ run in time polynomial in the representation size of a point in $M$.

Definition 3 

(Fuzzy Extractors from Sketches): Assume  $SS$is a$(M, m,m\prime , t)-$secure sketch with recovery procedure$Rec,$ and let$Ext$be the$\left(n,m^{\prime },l,e\right)-strong extractor$based on pairwise-independent hashing (in particular,$l=m^{\prime }-2log\left({\displaystyle \frac{1}{e}}\right)$). Then, the following$(Gen, Rep)$is a$\left( M,m,l,t,e\right)-fuzzy extractor:$

–

$Gen\left(W;X_1,X_2\right):set P=\left[SS\left(W;X_1\right),X_2\right],R=Ext\left(W;X_2\right),output(R,P)$

–

$Rep\left[W^{\prime },\left(V,X_2\right)\right]:recover W=Rec \left(W^{\prime },V\right) and output R=Ext(W;X_2)$.

5.2.5. Phase 3: Key Confirmation

In the final phase, both parties verify that they have derived the same shared key. Each party computes a message authentication code (MAC) over its reconstructed key and exchanges the MACs. If the MACs match, the parties confirm that the key is identical and accept it as the shared session key. The final shared string is compressed using SHA-256/HKDF to create the session key. Even a single unknown bit renders the attacker’s guess infeasible, achieving strong privacy amplification. If a mismatch is detected, appropriate corrective action, such as restarting the alignment process, can be taken. This phase is depicted in Figure 3.

Message authentication timing. Key-confirmation MACs use the final derived session key. To authenticate earlier protocol messages against an active network adversary, we derive a transcript-MAC key $K_{tr} = KDF(seed, \prime tr-mac\prime )$ immediately after seed establishment and include MAC tags on all subsequent protocol messages (including synchronization/control messages). The final session key derivation additionally binds the full transcript/IDs.

This step ensures integrity and agreement of the derived key without revealing the key itself. The pseudocode (Algorithm 3) of this phase is presented below.

Algorithm 3: Key Confirmation

1.     $\mathit{M}\mathit{A}\mathit{C}\_\mathit{R}\leftarrow \mathit{C}\mathit{o}\mathit{m}\mathit{p}\mathit{u}\mathit{t}\mathit{e}\mathit{M}\mathit{A}\mathit{C}\left(\mathit{R}\right)$                    // GWN computes MAC on key

2.     $\mathit{M}\mathit{A}\mathit{C}\_\mathit{R}\_\mathit{s}\mathit{e}\mathit{n}\mathit{s}\mathit{o}\mathit{r}\leftarrow \mathit{C}\mathit{o}\mathit{m}\mathit{p}\mathit{u}\mathit{t}\mathit{e}\mathit{M}\mathit{A}\mathit{C}(\mathit{R}\_\mathit{s}\mathit{e}\mathit{n}\mathit{s}\mathit{o}\mathit{r})$ // Sensor computes MAC

3.     Exchange MACs (GWN ↔ Sensor)

4.     if $\mathit{M}\mathit{A}\mathit{C}\_\mathit{R}=\mathit{M}\mathit{A}\mathit{C}\_\mathit{R}\_\mathit{s}\mathit{e}\mathit{n}\mathit{s}\mathit{o}\mathit{r}$ then

5.     Output R as the shared key

6.     else

7.     Handle key mismatch (e.g., restart alignment)

Overall, this solution provides a secure and energy-efficient method for key agreement between the GWN and sensor nodes. By combining iterative alignment and error-correcting extraction, nodes can establish shared keys without pre-distributed secrets, while remaining resilient to eavesdropping, node compromise, and communication errors. In the following sections, we provide the implementation details and the core pseudocodes of our protocol.

6. Implementation Details

In this section, we present the six basic steps of the PBS-Key Agreement protocol in detail. First, we introduce the Secure Similarity Check, where the parties first establish common randomness (via JointRand), selecting the same $k$ indices without exposing their values. To limit information leakage, they reveal only a single bit indicating whether mismatches exceed a threshold (via SecureHalfDiff). Throughout this process, turn scheduling ensures only one side flips in each round, preventing conflicting updates. When mismatches are sufficiently large, conditional flipping of $l$ random positions drives the sequences toward agreement. Synchronization keeps the parties’ counters aligned despite network delays, while a loop-bound T ensures the protocol eventually terminates, with early stopping possible after a successful key-confirmation MAC.

6.1. Secure Similarity Check

As already stated, our protocol proceeds in rounds, where a round is a single iteration in which both parties compare a small, randomly selected subset of their bitstrings. In each round, both parties jointly compute whether the Hamming distance of the sampled substrings exceeds a predefined threshold. This comparison reveals only one bit of information ($\beta$), which indicates whether this threshold is exceeded or not. No other information about the actual bits is revealed, preserving privacy. More formally, this requires computing mismatch bits ${\mathrm{X}}_{\mathrm{S}}\left[\mathrm{j}\right]\oplus {\mathrm{Y}}_{\mathrm{S}}\left[\mathrm{j}\right]$ for all sampled positions. These bits are then summed to obtain the Hamming distance ${\sum }_{\mathrm{j}=1}^{\mathrm{k}} {\mathrm{d}}_{\mathrm{j}}$. Finally, the result is compared to the constant threshold $\mathrm{t}$ using a binary adder tree and a constant comparator.

To implement this, our protocol combines the Ishai–Kilian–Nissim–Petrank (IKNP) OT [73] extension with efficient garbled circuit techniques. The IKNP protocol provides large batches of oblivious transfers using only symmetric cryptography, while Free-XOR and Half-Gates minimize the cost of the garbled threshold circuit. This combination ensures that our similarity check is lightweight enough for wireless sensor networks. More specifically:

• IKNP OT extension: Extends a small number of base OTs (i.e., the n₀ into k correlated OTs using only symmetric primitives, such as AES, SHA, and Keccak.
• Garbled circuit (GC): Uses Free-XOR and Half-Gates to evaluate a threshold circuit that outputs 1 iff Hamming distance ≥ t.

6.1.1. Convergence Analysis

The core mechanism that drives convergence in our protocol is the way mismatches between the parties’ bitstrings are progressively reduced over multiple rounds. At each step, the parties do not directly reveal their bits but instead jointly compute whether the sampled substrings differ in a majority of positions. Based on this outcome, one party flips a small number of bits, introducing a corrective bias that steadily decreases the global Hamming distance. The following analysis formalizes this idea and explains why convergence is guaranteed.

Explicit drift computation: Let the sampled set $S$ have size k and contain $m$ mismatches between the parties. If a flip of size $L$ is applied uniformly at random within $S$, then the expected change in Hamming distance is $E[\Delta d | m] = L·(1 - 2m/k)$ (where $\Delta d = d_{new}- d_{old})$. Hence strict-majority triggering ($m > k/2$) gives negative drift.

The goal of each round is given the initial parties’ strings $X_S[1..k]$, $Y_S[1..k]$, and the Hamming distance $H_t:=HD(X_S,Y_S)$, in each round, a random subset $S\subseteq \{1,\dots ,N\}\in S$ of size $k$ is sampled, then the number of mismatches within that subset is computed securely, specifically $d=\#\{j:X_S[j]\oplus Y_S[j]=1\}\ge t$ with $t=\lfloor k/2\rfloor +1$ (strict majority), and the protocol outputs a single bit $\beta$ that equals $1$ iff $d\ge t$, revealing nothing else and requiring no pre-distributed keys. This strict-majority threshold guarantees negative drift in mismatches, ensuring eventual convergence.

Conditioned on a fixed $d$ and a fixed flip set $S_F\subseteq S$, with $\left|S_F\right|=l$, each flipped bit decreases the Hamming distance $H_t$ by $1$ if it is a mismatch and increases $H_t$ by $1$ otherwise. With $d$ mismatches in $S$, the fraction of mismatches is $d/k$, hence $\mathbb{E}\left[\mathsf{\Delta }{H}_t\right|d] = l\left(1-2 d/k\right).$ Therefore, whenever $d>k/2$ we have a strictly negative drift. If $d=k/2$ the drift is $0$. Since the protocol only flips when the secure similarity check returns “$d\ge t_0$”, choosing $t_0>k/2$ guarantees negative drift whenever we flip.

We consider two possible thresholding strategies. In our construction we adopt the first (strict majority) as the default:

–

Variant A (strict majority). Set $t_0=\lfloor k/2\rfloor +1$. Then any flip implies $\mathbb{E}\left[\mathsf{\Delta }{H}_t\right|d]\le -2l(d/k-1/2)\le -2l/k$.

–

Variant B (coin flip on ties). Keep $t_0=\lceil k/2\rceil$, but if $d=k/2$, perform the flipping step with probability $q\in \left(\mathrm{0,1}\right)$(e.g., $q=1/2$). This preserves a nonpositive overall drift and avoids slowdowns for odd $k$.

6.1.2. Probabilistic Bounds to Prevent Unnecessary Flips

To quantify the probability that the sampled subset’s observed similarity deviates from the true global similarity between the parties’ bitstrings, we apply a probabilistic analysis, to effectively control the decision threshold and prevent unnecessary bit-flipping operations, thereby improving both convergence efficiency and communication overhead. To achieve this, we appeal to Serfling’s bound [66], which gives concentration inequalities for sampling without replacement. Let a finite population $\{x_1,\dots ,x_N\}\subseteq [a,b]$ have mean $\mu ={\displaystyle \frac{1}{N}}{\sum }_{i=1}^N x_i$. Draw $n$ items without replacement and let ${\overline{X}}_n={\displaystyle \frac{1}{n}}{\sum }_{i=1}^n X_i$ be the sample mean. Serfling’s inequality states that for any $\epsilon >0$,

$$\mathrm{P}\mathrm{r}{\displaystyle [{\overline{X}}_n-\mu \ge \epsilon ]} \le \mathrm{e}\mathrm{x}\mathrm{p}\left(-{\displaystyle \frac{2 n {\epsilon }^2}{\left(1-\frac{n-1}{N}\right) (b-a{)}^2}}\right),$$

and the same holds for the lower tail by symmetry. A two–sided version is obtained by multiplying the right-hand side by $2$.

When sampling without replacement from binary populations, hypergeometric distributions arise indicator/hypergeometric special case [74]. If $X_i\in \left\{\mathrm{0,1}\right\}$ with population proportion $p={\displaystyle \frac{1}{N}}{\sum }_i X_i$ and $d={\sum }_{j=1}^n X_j$ is the number of successes in the sample, then

$$\mathrm{P}\mathrm{r}\left[{\displaystyle \frac{d}{n}}-p\ge \epsilon \right] \le \mathrm{e}\mathrm{x}\mathrm{p}\left(-{\displaystyle \frac{2 N n {\epsilon }^2}{ N-n+1 }}\right),$$

which is strictly tighter than the sampling with replacement Hoeffding bound because of the finite-population correction factor ${\displaystyle \frac{N}{N-n+1}}$.

In our case, we set $n=k$ and $p=H_t/N$ (the global mismatch rate) to bound $\mathrm{P}\mathrm{r}[d/k-p\ge \epsilon ]$. The sample mismatch count $d$ is hypergeometric: $d\sim \mathrm{H}\mathrm{y}\mathrm{p}(N,H_t,k)$. By the Serfling bound, for any $\epsilon >0$,

$$\mathrm{P}\mathrm{r}\left[{\displaystyle \frac{d}{k}}-p\ge \epsilon \right] \le \mathrm{e}\mathrm{x}\mathrm{p}\left(-2{\epsilon }^{2}k\right).$$

Writing $p_0:=t_0/k$ and $\epsilon :=p_0-p$, the probability that we trigger (i.e., $d\ge t_0$) when the global rate is $p<p_0$ is exponentially small in $k$:

$$k \ge {\displaystyle \frac{1}{2 (p_0-p{)}^2}} \mathrm{l}\mathrm{n}{\displaystyle \frac{1}{\alpha }} ⟹ \mathrm{P}\mathrm{r}{\displaystyle [d\ge t_0]}\le \alpha .$$

For instance, for $p_0=1/2$, $\alpha =10^{-6}$:

–

at $p=0.40$($10\mathrm{\%}$ below half) the bound gives $k\gtrsim 690$

–

at $p=0.45$($5\mathrm{\%}$ below half) the bound gives $k\gtrsim 2760$

Using a normal approximation to the hypergeometric/binomial tail is tighter: for $p=0.40$ and one-sided tail $10^{-6}$ the $z$-score is $\approx 4.75$, yielding $k\gtrsim 542$; for $p=0.45$ it yields $k\gtrsim 2235$.

6.1.3. Adapting L Value for Improving Protocol Performance

Recall that we have $d$ mismatches in $S$, $d/k$ the fraction of mismatches, and $\mathbb{E}\left[\Delta H_t\right|d] = l\left(1-2 d/k\right)$. A larger $l$ accelerates progress when the fraction is well above $1/2$, but can overshoot near the boundary. We consider two possible ways to control $l$. As already stated, in our implementation we adopt the conservative fixed-$l$ strategy as the default.

• Conservative fixed$\mathit{l}$. Pick a constant $l\ll k$(e.g., $l=\lfloor k/4\rfloor$). Then each triggered round yields at least $-2l/k$ expected decrease under Variant A. The empirical sweet-spot $l\approx k/4$ maximizes expected progress, while setting $l=1$ still converges albeit slower.
• Adaptive$\mathit{l}$with bounded leakage. As an alternative, we also introduce a single additional 2PC bit to detect a “margin” event, $M_{\tau }:=[ d\ge t_0+\tau ]$ for a small margin parameter $\tau$, (e.g., $\tau =4$). Then, set $l={\mathcal{l}}_{\mathrm{h}\mathrm{i}}$ if $M_{\tau }=1$ and $l={\mathcal{l}}_{\mathrm{l}\mathrm{o}}$ otherwise. This leaks at most one bit per round but increases negative drift when the mismatch fraction is safely above $1/2$.

6.2. Turn Scheduling

If the mismatch threshold is exceeded, only one party performs flips. To prevent simultaneous flips, which could cause divergence, the protocol enforces turn scheduling. Specifically, a turn-taking rule is enforced (line 10 of phase 1:$myturn\leftarrow (\left(i+partyID\right)mod2=1)$. Only the party whose turn it is flips $l$ randomly chosen bits from the sampled set $S$, using the shared seed to ensure unbiased selection. This mechanism guarantees progress (negative drift) toward agreement while preventing oscillations or divergence.

6.3. Conditional Flipping

For conditional flipping with a conservative fixed $l$, a subset of bits is selected in each round, and a fixed number $l$ of bits are flipped whenever the disagreement in the subset exceeds a predefined threshold. Choosing $l$ to be a moderate fraction of the subset size ensures steady progress toward agreement: when the fraction of mismatched bits is well above the threshold, flipping $l$ bits significantly reduces disagreements, while near the threshold, it avoids overshooting and destabilizing the process. Smaller values of $l$ still guarantee convergence, albeit more slowly, making the fixed-$l$ strategy a simple and reliable method for gradually aligning the parties’ bitstrings through conditional flipping.

6.4. Synchronization

To ensure that the two random selections remain independent, even though they originate from the same seed, the protocol employs distinct labels (e.g., $“S|”$ vs. $“S_F|”$) when expanding the shared seed with the pseudorandom generator. Specifically, the label $“S|”$ is used when deriving the subset of sampled indices S, while $“S_F|”$ is used when deriving the subset of flip positions $S_F$. After each round, both parties exchange a short control message of the form:

$$m_i=⟨i,\mid S\mid ,\mid S_F\mid ,\beta ⟩,$$

and wait to receive the matching $m_i\prime$ from the peer. This message serves two purposes. Firstly, it synchronizes the round counter and parameters between the parties, and secondly, it acts as a safeguard against desynchronization caused by packet loss or delays. The inclusion of $\beta$ ensures that both sides are aligned not only on the indices but also on the outcome of the similarity check, thereby maintaining protocol consistency across rounds.

The actual subset sampling is carried out using either reservoir sampling or a Fisher–Yates shuffle applied to the set $\{1,\dots ,N\}.$ Both methods guarantee that every element has an equal probability of being chosen, while also being implementable with minimal memory footprint, which is essential in constrained WSN devices.

6.5. Loop Bound T

Once convergence is reached, after T rounds, both parties derive a provisional key and exchange a short MAC to confirm agreement. Theory suggests $\mathrm{T}=\mathcal{O}\left(\mathrm{l}\mathrm{o}\mathrm{g}\mathrm{N}\right)$, but in practice, $\mathrm{T}\approx 500$ is ample for 128-byte keys on 8-bit MCUs. If mismatches are detected, the protocol restarts with fresh subsets.

6.6. Core Functions

To ensure clarity, in the following subsections, we present the pseudocodes of the two core subroutines used throughout the protocol:

• The function JointRand provides both parties with identical pseudorandom subsets without requiring communication. It is instantiated via a pseudorandom generator seeded with the shared seed established in the initialization phase.
• The function SecureHalfDiff is responsible for securely comparing sampled substrings without leaking any additional information. Specifically, it computes a single bit $\beta$ that indicates whether the Hamming distance of the two sampled substrings exceeds the strict majority threshold.

6.6.1. JointRand

This process refers to how two parties in our protocol independently select a subset of indices for use in each round of a protocol. They use a shared initial secret (seed) as an input to a deterministic cryptographically secure pseudorandom number generator (CSPRNG). In each round, both parties derive the same $S$ per round from a shared seed and the round index. We require a CSPRNG $G:\{\mathrm{0,1}{\}}^{\lambda }\times \{\mathrm{0,1}{\}}^{\mathrm{*}}\to \{\mathrm{0,1}{\}}^{\infty }$ (e.g., AES-CTR with a 128-bit seed), ensuring that sampling is performed without replacement. The pseudocode of this function is presented below.

Step 1: JointRand  $(k,\{1,\dots ,N\},seed,i)$

$\mathrm{Input}: N,k\in \mathbb{N}, seed\in \{\mathrm{0,1}{\}}^{\lambda }, \mathrm{round} i\ge 1$

$\mathrm{Output}: S \mathrm{a} \mathrm{size-}k \mathrm{subset} \mathrm{of} \{1,\dots ,N\}$ (no duplicates)

1.   $stream\leftarrow G(seed,\mathrm{”}S|\mathrm{”},i)$

2.   $S\leftarrow \varnothing$

3.   $\mathrm{while} \left|S\right|<k$ do

4.   $u\leftarrow \mathrm{next} 32 \mathrm{bits} \mathrm{of} stream$ // uniform sampling: ensure the subset is sampled       uniformly without replacement. Avoid modulo bias if mapping PRG bits to [0,N-1];       use rejection sampling or Fisher-Yates/reservoir sampling.

5.   $idx\leftarrow 1+\left(u\mathrm{m}\mathrm{o}\mathrm{d}N\right)$

6.   $\mathrm{if} idx\notin SS$ then

7.   $S\leftarrow S\cup \left\{idx\right\}$

6.6.2. SecureHalfDiff

The following pseudocode describes SecureHalfDiff, a protocol that combines BaseOT, IKNP extension, and Half-Gates to securely determine whether the number of mismatches exceeds a strict majority, without requiring pre-distributed keys.

2PC/OT resources per round. In each round, for a k-bit sampled substring comparison, the evaluator requires k OT instances to obtain input wire labels (amortized via IKNP OT extension after base OTs). Base OTs are performed once per session and the OT extension expands them for all rounds. State explicitly which party is Garbler/Evaluator (e.g., GWN as Garbler, sensor as Evaluator) and whether roles are fixed.

Step 2: SecureHalfDiff: strict-majority mismatches via BaseOT + IKNP + Half-Gates (no pre-distributed keys)

$\mathrm{Data}: k (\mathrm{sample} \mathrm{size}), t=\lfloor k/2\rfloor +1, \mathit{role}\in \{Garbler,Evaluator\}$

$\mathrm{Input}: \mathrm{Garbler}: X_S[1..k]$

$\mathrm{Evaluator}: Y_S[1..k]$

$\mathrm{Result}: \mathrm{both} \mathrm{parties} \mathrm{learn} \beta \mathrm{where} \beta =1 \mathrm{iff} \#\{j:X_S[j]\oplus Y_S[j]=1\}\ge t$

// ONE-TIME BOOTSTRAP (ECC base OTs; no pre-installed keys)

1.     if BOOTSTRAP_PENDING then

2.     $BaseOT\_Init(n_0\leftarrow 256)$

3.     BOOTSTRAP_PENDING ← false

// IKNP OT EXTENSION: derive k cheap correlated OTs (symmetric only)

4.     $\left(q\left[1..k\right], t^{\prime }\left[1..k\right]\right)\leftarrow IKN{P}_{Extend\left(k\right)}$

// GLOBAL CORRELATION LABEL (garbler side)

5.     if role==Garbler then

6.     $\Delta \leftarrow Rnd\left(128\right)$

// PREPARE EVALUATOR INPUT WIRE-KEYS (garbler side)

7.     $\mathit{for}j\leftarrow 1 \mathrm{to} k$ do

8.     if role==Garbler then

9.     $(w_j^0,w_j^1)\leftarrow RndPair\left(128\right)$

10.     else

11.     $w_j\leftarrow {t^{\prime }}_j\oplus \left(Y_S\left[j\right]\cdot \Delta \right)$

$// \mathrm{TRANSFER} \mathrm{GARBLER} \mathrm{INPUT} \mathrm{KEYS} \mathrm{FOR} {\mathrm{X}}_{\mathrm{S}}$ (one key per bit)

12.     if role==Garbler then

13.     $\mathit{for}j\leftarrow 1 \mathrm{to} k$ do

14.     $u_j\leftarrow w_j^{X_S\left[j\right]}$

15.     $Send\left(u_j\right)$

16.     $else$

17.     $\mathit{for}j\leftarrow 1 \mathrm{to} k$ do

18.     $u_j\leftarrow Receive\left(\right)$

$// \mathit{GARBLE}\&\mathit{SHIP}\mathit{THRESHOLD}\mathit{CIRCUIT}ThreshH{D}_{k,t}$

19.     if role==Garbler then

20.     $Send(GC\leftarrow HalfGates\_Garble(ThreshH{D}_{k,t}, \{w_j^0,w_j^1{\}}_{j=1}^k, \{u_j{\}}_{j=1}^k\left)\right)$

21.     else

22.     $GC\leftarrow Receive\left(\right)$

// EVALUATE AND REVEAL THE SINGLE OUTPUT BIT

23.     if role==Evaluator then

24.     $\beta \leftarrow HalfGates\_Eval(GC, \{u_j{\}}_{j=1}^k, \left\{w_j{\}}_{j=1}^k\right)$

25.     $Send\left(\beta \right)$

26.     else

27.     $\beta \leftarrow Receive\left(\right)$

28.     $\mathrm{return} \beta$

7. Security Analysis and Proof

We demonstrate the security of the protocol using two commonly employed methods. Initially, through heuristic analysis, we demonstrate that the protocol can resist typical attacks, and subsequently, leveraging the Real-or-Random (ROR) model.

7.1. Heuristic Analysis on Known Attacks

We adopt the commonly informal analysis used in recent WSN and IoT security studies and evaluate whether the protocol can withstand practical adversarial behaviors under the assumed threat model.

7.1.1. Resistance to Node Capture Attack

In our PBS-KAP, sensor nodes do not store any pre-distributed long-term cryptographic keys or static secret parameters that can be reused across sessions. The session key is established dynamically based on probabilistic bit similarity and reconstructed using fuzzy extraction, eliminating the need for permanent secret storage.

Consequently, even if an adversary captures a sensor node and gains full access to its memory, no long-term secret information can be extracted that would enable the adversary to impersonate the node or compromise past or future session keys. Moreover, the compromise of one sensor node does not affect the security of other nodes in the network. Therefore, our protocol provides strong resistance against node capture attacks.

7.1.2. Resistance to Impersonation Attack

Our protocol prevents impersonation attacks through a combination of a bit-similarity threshold test (half-or-more mismatches), fuzzy extraction, and MAC-protected message exchanges. Successful authentication requires the adversary to generate protocol messages that satisfy the similarity constraints on the underlying secret bit strings and pass MAC verification. Without knowledge of a sufficiently similar secret bit string, an adversary cannot complete the similarity protocol or produce valid authentication data.

7.1.3. Resistance to Man-in-the-Middle Attack

A man-in-the-middle attacker attempts to intercept, modify, or inject messages exchanged between a sensor node and a gateway. In our protocol, all authentication messages are cryptographically bound to session-specific values, and any modification of transmitted data will result in verification failure during the authentication phase. Furthermore, the session key is established only after mutual authentication is successfully completed, and the adversary cannot independently derive the same session key due to the absence of long-term secrets and the reliance on probabilistic agreement mechanisms.

7.1.4. Resistance to Replay Attack

Replay attacks involve retransmitting previously captured valid protocol messages to gain unauthorized access. Authentication messages are cryptographically bound to the current session; therefore, replaying messages from previous executions does not satisfy freshness or MAC verification checks.

7.1.5. Resistance to Key Compromise

Key compromise attacks exploit leaked session keys or partial information to derive other session keys. In our protocol, each session key is independently established using fresh probabilistic material, and no key derivation depends on previously generated session keys. Therefore, even if a session key is compromised, it does not provide any advantage in computing past or future session keys.

7.1.6. Resistance to Information Leakage Attack

Information leakage attacks focus on extracting sensitive data from protocol messages transmitted over public channels. In our system, no long-term secrets, identities, or reusable credentials are transmitted. Our protocol design strictly limits information to a single bit ($\beta$) and helper data.

7.1.7. Mutual Authentication

Both the sensor and the gateway node independently verify that the other party possesses the correct ephemeral session material required to derive the shared session key. Only if both entities pass the similarity checks and message verification steps is the session key accepted.

In

Table 3. Threat mitigation table.

Threat/Attack	Protocol Feature	Mitigation
Node capture	No pre-stored long-term keys; session keys generated per execution	Compromised node cannot reveal keys of other nodes, no stored secrets that reveal future keys.
Impersonation	“Half-or-more mismatches” test, fuzzy extraction, MAC-protected messages	Adversary cannot complete similarity protocol without knowledge of secret bitstring and MAC-protected exchanges
Man-in-the middle	MACs, commit-and-prove garbled circuits	MACs bind messages to session IDs/parties; tampered messages are rejected
Replay attacks	Fresh session IDs, MAC verification	Replayed messages fail MAC and session binding
Key compromise	No long-term keys, fuzzy extractor + KDF	Each session derives independent keys and fuzzy extractor prevents partial exposure from revealing future keys
Information leakage	Single-bit β per round	Protocol design strictly limits information to β and protected helper data

, we summarize the resistance of the proposed PBS-KAP protocol against common security threats in wireless sensor networks. For each attack, the corresponding protocol feature and its mitigation effect are considered, following our heuristic analysis.

To further clarify how existing authentication and key-agreement schemes for WSNs compare under widely accepted security and efficiency criteria,

Table 4. Protocol compliance with design criteria for GWN–sensor communication. Symbol ✓ indicates that the protocol satisfies the criterion, whereas–it does not.

CRITERION	[56]	[57]	[58]	[59,60]	[45]	[61]	[46]	[4]	OURS
C5	–	–	–	–	–	✓	–	✓	✓
C6	–	–	✓	✓	–	✓	✓	✓	✓
C8	✓	–	✓	–	–	✓	–	–	✓
C10	✓	–	–	✓	–	✓	✓	✓	✓
C11	✓	✓	✓	–	–	✓	✓	✓	✓
C12	✓	✓	–	–	–	–	✓	–	✓
C13	✓	✓	✓	✓	✓	✓	–	–	✓
C15	–	–	–	–	–	–	–	–	✓

maps representative protocols discussed in Section 2 against the design criteria defined in Table 1. This comparison highlights that most existing solutions satisfy only a subset of the criteria, often relying on pre-distributed secrets or costly public-key operations, whereas our PBS-KAP satisfies all criteria relevant to secure and lightweight deployment in resource-constrained environments. Notably, we focus exclusively on the GWN and sensor aspects, as communication between the GWN and the user has not yet been implemented. Proposals for this communication will be addressed in the discussion section.

We note that in the semi-honest setting, OT/GC ensures privacy/integrity of the comparison, but not entity authentication. C10 should be marked out of scope unless an Authenticated Key Exchange binding or malicious-secure OT/GC is added.

Next, in

Table 5. Explanation of the security criteria satisfaction of the proposed PBS-KAP protocol.

Satisfied Criterion	Explanation
C5	− An adversary cannot impersonate a node because they cannot predict or correctly respond to the synchronized round messages without knowing the local secret bitstring. − Privacy amplification is achieved by hashing the shared string (e.g., with SHA-256) into the session key, so that the presence of even one differing bit is sufficient to invalidate any adversarial key guess. − MACs bind messages to session IDs and party IDs, preventing fake or old messages from being accepted. − The protocol does not rely on static keys, and the produced key can then be safely used for all subsequent communications − Privacy amplification via KDF ensures that even partial knowledge of the raw bits doesn’t reveal the final key. − Key-related attacks are prevented because keys are never transmitted, and helper data leaks minimal information. − Resistant to side-channel attacks: all flips happen in private RAM. Only timing could leak and is blurred by the synchronization barrier.
C6	− The shared keys are not pre-deployed. − There’s no need to update global keys or reconfigure existing nodes.
C8	− Incorporates MAC-protected synchronization messages and key-confirmation tags at the end of the protocol, not clocks.
C10	− An adversary cannot impersonate a node because they cannot predict or correctly respond to the synchronized round messages without knowing the local secret bitstring. − Privacy amplification is achieved by hashing the shared string (e.g., with SHA-256) into the session key, so that the presence of even one differing bit is sufficient to invalidate any adversarial key guess. − MACs bind messages to session IDs and party IDs, preventing fake or old messages from being accepted. − The protocol does not rely on static keys, and the produced key can then be safely used for all subsequent communications − Privacy amplification via KDF ensures that even partial knowledge of the raw bits doesn’t reveal the final key. − Key-related attacks are prevented because keys are never transmitted, and helper data leaks minimal information. − Resistant to side-channel attacks: all flips happen in private RAM. Only timing could leak and is blurred by the synchronization barrier.
C11	− The communication between GWN and the sensor does not contain any information regarding user identity. − The sensor does not store any information about the user in its memory.
C12	− No pre-installed or long-term key is reused, ensuring forward secrecy for future sessions.
C13	− Rely on hashing, XOR, and bit-level operations, suitable for low-power devices. − The IKNP protocol enables large batches of oblivious transfers using only efficient symmetric-key operations, while Free-XOR and Half-Gates techniques minimize the cost of the garbled threshold circuit.
C15	− No pre-deployed keys. − No stored parameters.

, we explain why our protocol satisfies each criterion.

7.2. Formal Security Analysis in the ROR Model

We evaluate session-key confidentiality in the Real-Or-Random (ROR) model for authenticated key exchange. An adversary $A$ controls the communication channel, may eavesdrop, inject, replay, and modify messages, and interacts with protocol instances through standard oracle queries. $A$ wins if it can distinguish the real session key established by a fresh session from a uniformly random key of the same length.

7.2.1. Model Setup

• Participants. Let $P=(GN,S)$ denote the set of our protocol participants, where $GN$ is the gateway node and $S$ is the sensor.
• Instances. Each participant may execute multiple concurrent sessions. We denote the $i$-th instance of a participant $U$ by ${\Pi }_U^i$.
• Accepted State. An instance ${\Pi }_U^i$. is said to have accepted if it completes the protocol (including key confirmation) and outputs a session key $sk$; otherwise, it aborts.
• Partnering. Two instances ${\Pi }_U^i$ and ${\Pi }_V^j$ are partners if they have matching session identifiers, accept with complementary roles (sensor/gateway), and their transcripts are consistent with an honest execution under the same session identifier.
• Oracles. Adversary A can interact with protocol instances via the following queries:
• Execute $({\Pi }_U^i, {\Pi }_V^j)$. Returns the full transcript of an honest execution between ${\Pi }_U^i$ and ${\Pi }_V^j$ (passive eavesdropping).
• Send (${\Pi }_U^i., m$). Delivers a message m to instance ${\Pi }_U^i$ i and returns the response produced by ${\Pi }_U^i$ (active attacks: replay/injection/modification).
• Reveal (${\Pi }_U^i).$ if ${\Pi }_U^i$ has accepted, returns its session key sk (models key compromise after a session).
• Corrupt ($U$). Model’s physical capture of node $U$. It returns $U$’s long-term and persistent state. We assume standard session-key erasure: ephemeral secrets used to derive the current session key are erased upon acceptance; therefore, Corrupt after acceptance does not reveal the accepted session key of a fresh session.
• Test (${\Pi }_U^i$). Can be issued once to a fresh accepted instance. It returns either the real session key $sk$(if $b=1$) or a random key $sk\$$ (if $b=0$). A outputs a guess $b\prime$.
• The ROR advantage of $A$ against protocol $P$ is defined as ${Adv}_P^{ROR}\left(A\right)=|2·Pr[b\prime =b] - 1|.$

7.2.2. Freshness

A session key held by an accepted instance ${\Pi }_U^i$ is fresh if: (i) neither ${\Pi }_U^i$ nor its partner has been the target of a Reveal query; (ii) Test is asked after ${\Pi }_U^i$ accepts; and (iii) if Corrupt($U$) occurs, it happens only after ${\Pi }_U^i$ accepts and after ephemeral session secrets have been erased. These conditions capture forward secrecy with respect to post-session node capture and exclude trivial wins.

7.2.3. Session Key Semantic Security

In the ROR experiment, $A$ is allowed to issue Execute, Send, Reveal, and Corrupt queries, and one Test query to a fresh instance. $A$’s goal is to distinguish the real session key from a uniformly random key of the same length. Formally, $A$’s distinguishing advantage is defined as follows:

$${Adv}_P^{ROR}\left(A\right)=\mid 2\cdot Pr[b\prime =b]-1\mid .$$

7.2.4. Security Theorem and Proof

Theorem 1. 

Assume that (i) the EC-DH problem in the selected elliptic-curve group is hard; (ii) the transcript-MAC is EUF-CMA secure; (iii) the IKNP OT extension and Half-Gates garbled circuits are secure in the semi-honest model; (iv) the JointRand/KDF expansion is a PRF (or is modeled as a random oracle, as stated); and (v) the fuzzy extractor used in Phase 2 is secure for the targeted noise level. Then the PBS-KAP protocol is ROR-secure: for any PPT adversary A,${ Adv}_P^{ROR}{\displaystyle \left(A\right)}$is negligible in the security parameter$\lambda$.

More precisely, for negligible functions ${\epsilon }_{MAC}$, ${\epsilon }_{DH}$, ${\epsilon }_{OT}$, ${\epsilon }_{GC}$, ${\epsilon }_{PRF}$, and statistical distance ${\epsilon }_{FE}$, we have

$${Adv}_P^{ROR}\left(A\right)\le 2({\epsilon }_{MAC}+{\epsilon }_{DH}+{\epsilon }_{OT}+{\epsilon }_{GC}+{\epsilon }_{PRF}+{\epsilon }_{FE})$$

Proof. 

We use a standard sequence-of-games argument. Let $G$_i denote Game $i$ and let $Pr\left[G_i\right]$ be the probability that A outputs the correct test bit in Game $i$. We bound the change in $Pr\left[G_i\right]$ across transitions using the corresponding primitive security. □

Game 0 (Real).${ G}_0$ is the real execution of PBS-KAP under the ROR experiment. By definition: ${Adv}_A^{G_0}=\mid 2Pr\left[G_0\right]-1\mid .$

Game 1 (Authenticated transcript). We modify $G_0$ by aborting any session in which $A$ causes a transcript-MAC verification to succeed on a forged message. Any successful modification/replay that is not detected implies a MAC forgery. Hence, $|\mathrm{Pr}\left[G_1\right]-\mathrm{P}\mathrm{r}[G_0]\le {\epsilon }_{MAC}$.

Bound: $|\mathrm{Pr}\left[G_1\right]-\mathrm{P}\mathrm{r}[G_0]\le {\epsilon }_{MAC}$

Game 2 (Ideal OT/GC comparison). We replace the real executions of the base OTs, the IKNP OT extension, and the Half-Gates garbled-circuit evaluation used to compute the comparison bit $\beta$ with their ideal functionalities that reveal only $\beta$. Under semi-honest OT/GC security, the replacement is indistinguishable: |$Pr\left[G_2\right] - Pr\left[G_1\right]| \le {\epsilon }_{OT} + {\epsilon }_{GC}.$

Bound: |$Pr\left[G_2\right] - Pr\left[G_1\right]| \le {\epsilon }_{OT} + {\epsilon }_{GC}.$

Game 3 (Replace EC-DH shared seed). We replace the EC-DH-derived shared seed used to derive session-dependent seeds (and transcript keys) with a uniformly random seed of the same length. Any distinguisher would break the EC-DH assumption: $\left|Pr\right[G_3] - Pr[G_2\left]\right| \le {\epsilon }_{DH}.$

Bound: |$Pr\left[G_3\right] - Pr\left[G_2\right]$| ≤ ${\epsilon }_{DH}$.

Game 4 (Replace JointRand/KDF expansion with random). We replace the outputs of the JointRand expansion (and any PRF-based subkeys derived from the shared seed, including the transcript-MAC key $K_{tr}$) with uniformly random strings. Under the PRF (or RO) assumption, $\left|Pr\right[G_4] - Pr[G_3\left]\right| \le {\epsilon }_{PRF}.$

Bound: $\left|Pr\right[G_4] - Pr[G_3\left]\right| \le {\epsilon }_{PRF}.$

Game 5 (Replace fuzzy-extractor output). We replace the output key material produced by the fuzzy extractor (given the public helper data and any protocol leakage) with a uniformly random string of the same length. By fuzzy-extractor security (leftover hash), $\left|Pr\right[G_5] - Pr[G_4\left]\right| \le {\epsilon }_{FE}.$

Bound: $\left|Pr\right[G_5] - Pr[G_4\left]\right| \le {\epsilon }_{FE}.$

Game 6 (Random test key). In $G_6$, the Test oracle always returns an independent uniform key, so $Pr\left[G_6\right] = 1/2$ and A can do no better than guessing.

By a telescoping sum and the definition of ROR advantage, ${Adv}_P^{ROR}\left(A\right) = |2·Pr[G_0] - 1| = 2·|Pr\left[G_0\right]- Pr\left[G_6\right]|\le 2·( |Pr\left[G_1\right]-Pr\left[G_0\right]| + |Pr\left[G_2\right]-Pr\left[G_1\right]| + |Pr\left[G_3\right]-Pr\left[G_2\right]| + |Pr\left[G_4\right] - Pr\left[G_3\right]| + |Pr\left[G_5\right] - Pr\left[G_4\right]| + |Pr\left[G_6\right]-Pr\left[G_5\right]| )\le 2·({\epsilon }_{MAC}+{\epsilon }_{DH}+{\epsilon }_{OT}+{\epsilon }_{GC}+{\epsilon }_{PRF}+{\epsilon }_{FE}),$ which is negligible in $\lambda$.

7.3. Interpretation and Alignment with Design Criteria

To formalize the confidentiality guarantees of the proposed key agreement mechanism, we analyze its security under the ROR model for authenticated key exchange. In the ROR experiment, an adversary A interacts with protocol instances using the standard oracle set (Execute, Send, Reveal, and Corrupt) and ultimately attempts to distinguish the established session key from a uniformly random bit-string. A protocol is considered ROR-secure if the adversary’s distinguishing advantage is negligible. The proposed construction achieves ROR security under the following assumptions:

• The elliptic-curve Diffie–Hellman (EC-DH) problem in the selected group is computationally intractable;
  The pseudorandom generator instantiated in the JointRand expansion behaves as a pseudorandom function (PRF);
• The information revealed through the comparison oracle is restricted to the single comparison bit β, which does not disclose any information about the sampled substrings beyond whether their Hamming distance exceeds the threshold $t=\lfloor k/2\rfloor +1.$

Because the final session key is bound to the authenticated transcript, comprising the seed establishment messages, synchronization states, and session identifier, and because the corrective flips are performed privately and never disclosed, an adversary observing all public communication cannot reconstruct intermediate randomness or infer the final key without breaking either EC-DH or distinguishing the PRG output from random.

The proof statements that rely on an “authenticated transcript” are instantiated by using the transcript-MAC key $K_{tr}$ derived from the shared seed (or an equivalent authenticated channel assumption). Without this, an active network attacker could inject/modify messages and the proof would only cover passive eavesdropping. Under these assumptions, any probabilistic polynomial-time adversary has only a negligible distinguishing advantage.

The ROR-based proof formally validates several security properties claimed in Table 5, specifically the following:

• C5 (Resistance to Known Attacks): The proof demonstrates semantic security against a powerful adversary capable of eavesdropping (Execute), injecting/modifying messages (Send), and compromising session keys from other sessions (Reveal).
• C12 (Forward Secrecy): The freshness definition allows Corrupt queries after session completion. Since the proof holds even under this condition (the session key is independent of any long-term secret revealed by Corrupt), the protocol achieves forward secrecy.
• C15 (Sensor Node Capture Resistance): The Corrupt query models the physical capture of a node, revealing its entire volatile state. The proof shows that even with this information, past established session keys (from fresh sessions) remain secure, and future sessions with other nodes are secure as they rely on new, independent executions of the protocol.

8. Experimental Evaluation

In addition to the analytical bounds and the specifications/estimates above, we provide a software-based experimental evaluation of Phase 1 (bit-similarity alignment) and report communication, time, memory/flash estimates, and convergence statistics under multiple initial mismatch rates and noise levels. Because we do not currently have access to a full physical WSN testbed, the results below combine measured software micro-benchmarks with a conservative radio/time/energy model and are intended to validate feasibility on IoT-class devices (e.g., Raspberry Pi–class gateways and microcontroller-based sensors).

8.1. Convergence Evaluation and Probabilistic Bounds

This section refines the probabilistic behavior of Phase 1 (bit-similarity alignment). We give (i) an optional sequential-sampling view, (ii) guidance for selecting the flip parameter L, (iii) a dimensionally consistent heuristic for rounds-to-convergence, (iv) stopping rules with explicit correctness confidence, and (v) a leakage accounting bound to guide secure key-length selection in Phase 2.

8.1.1. Sequential Sampling Instead of Fixed $k$

Instead of fixing the sample size k in advance, the similarity test can be performed sequentially in batches (k1, k2, …) until evidence for $p>1/2$ or $p\le 1/2$ is decisive. A standard choice is Wald’s Sequential Probability Ratio Test (SPRT), which can reduce the expected number of samples when p is far from $1/2$, while preserving a prescribed error probability at the decision boundary.

8.1.2. Choosing the Number of Flips $L$

The flip parameter $L$ can be chosen adaptively based on how far the sampled mismatch count $d$ appears above the majority threshold $t = \lfloor k/2\rfloor +1$. For example, an optional ‘margin’ test can output a second bit indicating whether $d \ge t+\tau$ for some $\tau >0$. When the margin bit is true, the protocol can apply a larger flip parameter $L_{hi}$; otherwise, it applies a conservative $L_{lo}$. This increases expected progress when the mismatch rate is well above the boundary, while reducing overshoot/oscillation near $p\approx 1/2.$

8.1.3. Rounds to Convergence Estimation

Let $N$ be the key length and let ${p_t=H}_t/N$ denote the mismatch rate at round $t$, where $H_t$ is the Hamming distance between the two strings. Let $\pi (p;k) = Pr\left[Bin\right(k,p) > \lfloor k/2\rfloor ]$ be the probability that the sampled majority test triggers a flip-round. If the comparison bit $\beta$ is flipped with probability $\epsilon$ ($\beta$-noise), the effective trigger probability becomes ${\pi }_{\epsilon }(p;k) = (1-\epsilon )·\pi (p;k) + \epsilon ·(1-\pi (p;k\left)\right).$

Under a mean-field approximation in which a triggered round flips $L$ uniformly random positions on one side, the expected change in mismatch rate per triggered round is approximately $\Delta p \approx (L/N)·(1-2p\_t).$ Therefore, the expected one-round drift is

$$E[p_{t+1}-p_t] \approx {\pi }_{\epsilon }{p}_t;k)·(L/N)·(1-2p_t).$$

When p_t is not close to 1/2 (so ${\pi }_{\epsilon }(p_t;k)\approx 1)$, this yields exponential relaxation toward 1/2: $p_t -1/2 \approx (p_0 - 1/2)·exp(-2Lt/N)$. Consequently, the number of rounds needed to reduce the excess mismatch from $(p_0 -1/2)$ to a target $\Delta$ scales as $t \approx (N/(2L\left)\right)·ln\left(\right(p_0 -1/2)/\Delta$). This heuristic explains the observed N/L scaling in

Table 6. Phase-1 convergence and resource metrics for $k = 128$, $L = 32$, $s = 5$ under different initial mismatch rates $p_0$ $(N = 1024)$ with $\beta$-noise $\epsilon =1\%$.

p0	Median Rounds	p90	p99	Median Flips	Bytes/Round	Median Session Bytes	Median Session Time (s)	Energy (J)	Final Mismatch
0.40	5	5	10	0	2112	26.3 KiB	0.86	0.047	0.398
0.45	5	13	22	0	2112	26.3 KiB	0.86	0.047	0.448
0.48	10	26	54	2	2112	36.6 KiB	1.20	0.065	0.472
0.52	29	55	78	13	2112	75.8 KiB	2.48	0.135	0.485
0.55	40	67	94	22	2112	98.5 KiB	3.23	0.175	0.485
0.60	54	78	108	33	2112	127.4 KiB	4.17	0.227	0.485

and the L trade-off in

Table 7. Representative parameters sweep results ($p_0$ = 0.55, $\epsilon = 1\%,$ $N = 1024$). Session bytes/time include the 16 kB bootstrap.

k	L	s	Median Rounds	p90 Rounds	Median Session Bytes	Median Session Time (s)	Median Final Mismatch
64	16	3	23	45	40.4 KiB	1.33	0.515
64	16	5	55	94	74.4 KiB	2.44	0.491
64	16	7	84	132	105.2 KiB	3.45	0.476
128	32	3	23	39	63.4 KiB	2.08	0.504
128	32	5	42	65	102.6 KiB	3.36	0.484
128	32	7	58	96	135.6 KiB	4.44	0.476
256	64	3	19	33	93.2 KiB	3.05	0.493
256	64	5	29	49.1	133.8 KiB	4.38	0.482
256	64	7	39	69	174.4 KiB	5.72	0.476
128	16	5	61.5	102	142.8 KiB	4.68	0.491
128	32	5	42	65	102.6 KiB	3.36	0.484
128	64	5	28	46	73.8 KiB	2.42	0.477

.

8.1.4. Stopping Rules with Correctness Confidence

Because $\mathrm{d}$ is random, observing $\beta =0$ in one round does not prove $p\le {\displaystyle \frac{1}{2}}$. We stop when $\beta =0$ occurs for $\mathrm{s}$ consecutive rounds. Let $q_{\epsilon }\left(p;k\right)=\mathrm{Pr}\left[“\mathrm{no} \mathrm{trigger}”\right]=1-{\pi }_{\epsilon }\left(p;k\right).$ If the mismatch rate were actually $p>{\displaystyle \frac{1}{2}}$, the probability of a false stop due to $s$ consecutive no-trigger rounds is at most $q_{\epsilon }(p;k{)}^s$ (under the standard independence approximation). Thus, for a target false-stop probability $\delta$ at a design point $p_{\mathrm{design}}>{\displaystyle \frac{1}{2}}$, choose $s \ge {\displaystyle \frac{\ln \left(\delta \right)}{\ln \left(q_{\epsilon }\left(p_{\mathrm{design}};k\right)\right)}}.$

In practice, $p_{\mathrm{design}}$ can be set to the largest mismatch rate that Phase~2 can still correct; using a conservative $p_{\mathrm{design}}$ yields a safe stopping rule.

8.1.5. Accounting for Information Leakage and Parameter Agreement Length

Each round reveals at most one application-visible comparison bit $\beta$ (and optionally one additional margin bit). Let ${\mathcal{l}}_{\mathrm{leak}}$ denote the total protocol leakage in bits over the Phase-1 transcript (e.g., ${\mathcal{l}}_{\mathrm{leak}}\le R$ for $\beta$-only, or ${\mathcal{l}}_{\mathrm{leak}}\le 2R$ with a margin bit, where $R$ is the number of rounds). Let $E$ denote any other side information available to the adversary (e.g., public helper data). A conservative leftover-hash choice for the final key length $m$ extracted in Phase~2 is:

$$m \le H_{\mathrm{\infty }}{\displaystyle (X\mid E)} - {\mathcal{l}}_{\mathrm{leak}} - 2\cdot {\mathrm{l}\mathrm{o}\mathrm{g}}_2\left({\displaystyle \frac{1}{{\epsilon }_{\mathrm{PA}}}}\right),$$

which achieves statistical distance at most ${\epsilon }_{\mathrm{PA}}$ from uniform (Leftover Hash Lemma). This explicitly ties the Phase-2 key length to the measured/estimated number of rounds and the chosen leakage threshold.

A parameterization example is presented in Appendix A.2.

8.2. Specifications and Estimation of Resource Requirement

This section outlines the key implementation aspects of the proposed protocol, focusing on message structure, cryptographic primitives, and resource considerations.

8.2.1. Message Formats and Round Transcript

The one-time bootstrap phase (Base-OT combined with the IKNP seed exchange) is handled internally by the OT/GC library and does not define any external wire formats at this stage. After bootstrap, the protocol proceeds in per-round interactions. For each round $i$, given the sample size $k$ and threshold $t=\lfloor k/2\rfloor +1$, an index announcement occurs first, where either party may initiate the message:

$$\mathrm{I}\mathrm{D}\mathrm{X}=\langle \mathrm{t}\mathrm{a}\mathrm{g}:\mathrm{I}\mathrm{D}\mathrm{X},\mathrm{r}\mathrm{o}\mathrm{u}\mathrm{n}\mathrm{d}:\mathrm{u}32\left(i\right),\mathrm{k}:\mathrm{u}16\left(k\right),\mathrm{N}:\mathrm{u}32\left(N\right),S:\mathrm{u}32\left[k\right]\rangle .$$

Both parties independently recompute the subset $S$ using the shared seed via JointRand and verify that the results match. Next, during the secure computation phase, the parties jointly execute the SecureHalfDiff protocol using OT extension and a garbled circuit implementation of ${\mathrm{ThreshHD}}_{(k,t)}$. The only application-visible output from this step is a single-bit value $\beta$ (as u8).

Finally, a turn-synchronization and acknowledgment message is exchanged:

$$\mathrm{S}\mathrm{Y}\mathrm{N}\mathrm{C}=\langle \mathrm{t}\mathrm{a}\mathrm{g}:\prime \prime \mathrm{S}\mathrm{Y}\mathrm{N}\mathrm{C}\prime \prime ,\mathrm{r}\mathrm{o}\mathrm{u}\mathrm{n}\mathrm{d}:\mathrm{u}32\left(i\right),\beta :\mathrm{u}8,\left|S\right|:\mathrm{u}16\left(k\right),\left|S_F\right|:\mathrm{u}16\left(l\mathrm{o}\mathrm{r}0\right)\rangle .$$

Upon receipt, both parties validate the parameters $(i,|S\left|\right)$ to ensure consistency before proceeding to the next round.

8.2.2. IKNP OT Extension

The Ishai–Kilian–Nissim–Petrank (IKNP) OT extension expands a small number of public-key-based OTs into many OTs using only symmetric primitives. For κ-bit security, IKNP requires κ base OTs per direction. Because PBS-KAP uses OT/GC in a bidirectional manner over the lifetime of the deployment, we provision 2κ base OTs once (one set per direction) during enrollment; afterwards, all per-session work uses OT extension and symmetric cryptography.

Concretely, the extension phase uses AES in counter mode to generate the OT correlation strings, together with hashing for correlation checks. After the one-time base-OT and shared-seed establishment, no long-term public/private keys are required for subsequent sessions.

In each round, the OT-extension outputs are used as wire labels for a compact Half-Gates garbled circuit that computes the single-bit predicate $\beta$ (majority-of-$k$ mismatches, with an optional margin predicate). Thus, the online cost per round is dominated by the OT-extension/GC payload, not by public-key operations.

8.2.3. Memory Footprint Snapshots

The memory footprint of the protocol varies depending on the computational and memory resources. On 8-bit AVR or ARM-M0 microcontrollers with less than 32 kB of Flash and under 4 kB of RAM, an implementation of SecureHalfDiff using an oblivious pseudorandom function (PRF) combined with an equality test fits within approximately 1 kB of RAM and under 20 kB of Flash memory. On Cortex-M4 or M7 processors equipped with around 256 kB of RAM, full OT-extension frameworks such as TinyOT or EMP-OT can execute in less than 10 milliseconds per round when configured with $k=128$. On more capable platforms such as smartphones or Raspberry Pi devices with over 1 MB of available RAM, general-purpose cryptographic libraries, like libscapi, are able to evaluate the Hamming-distance threshold circuit in a single step, providing efficient and scalable performance across a wide range of hardware environments.

8.3. Simulation Methodology

To evaluate PBS-KAP under controlled and repeatable conditions, we implemented a protocol-level, bit-accurate Monte Carlo simulator for the Phase-1 alignment procedure and combined it with deterministic transcript accounting and software profiling. Each simulation run initializes two $N$-bit strings representing the parties’ initial secrets with a prescribed initial mismatch rate $p_0$, i.e., an initial Hamming distance $H_0=\lfloor p_0\cdot N\rfloor$. In each round $t$, both parties sample $k$ positions uniformly without replacement, compute the sample mismatch count $m_t$, and derive the round decision bit ${\beta }_t$ according to the protocol rule (${\beta }_t=1$ when the sample indicates a majority mismatch and ${\beta }_t=0$ otherwise). When ${\beta }_t$ triggers an update, the simulator applies the protocol’s update action by flipping up to $L$ positions on the designated side, updating the two strings and the mismatch rate $p_t=H_t/N$. The run terminates when the stopping rule is satisfied, namely when ${\beta }_t=0$ is observed for $s$ consecutive rounds. For each parameter setting, we repeat many independent runs and report the full rounds-to-stopping distribution (median and tail percentiles), as well as the mismatch-rate trajectories, thereby characterizing convergence behavior beyond a single average-case number.

To assess robustness under imperfect observations, we incorporate a controlled noise model and perform systematic parameter sweeps. In the default decision-noise configuration, after computing ${\beta }_t$ we flip it with probability $\epsilon$, capturing transient measurement or classification errors while preserving the protocol structure. We sweep the initial mismatch rate $p_0$ and noise level $\epsilon$ jointly, and we also sweep the main protocol parameters $k$, $L$, and the stopping confidence $s$ to quantify how they trade off convergence speed, reliability of stopping, and communication overhead. All reported curves and tables are obtained from these sweeps, using fixed and documented random seeds or a deterministic seeding scheme to ensure reproducibility.

Communication, time, memory, and energy results are derived by combining measured and model-based components that reflect what would be observed on low-power IoT hardware. Communication per round and per session is computed from the protocol transcript structure; we separate (i) a one-time bootstrap cost (base OTs and setup messages, amortizable across sessions) from (ii) steady-state per-round payloads (OT-extension and garbled-circuit transfers plus small control messages), and we report totals both including and excluding bootstrap. Runtime is reported as the sum of measured CPU time for the protocol loop (sampling, decision computation, update bookkeeping) and modeled transmission time

$$t_{\mathrm{comm}}={\displaystyle \frac{8\cdot B}{R_b}}$$

for a selected link bitrate $R_b$; session time is the sum over rounds. Peak RAM and flash footprint are estimated from software profiling of the implementation and conservative buffer sizing for the largest per-round cryptographic payloads. Energy is reported when possible, using a standard link-capacity model derived from transmission time and radio power (and optionally reception), with all measured versus modeled quantities clearly labeled.

This methodology is a close proxy for real embedded runs in terms of the specific metrics of interest (bytes, rounds-to-stopping, and peak buffering). First, the dominant cost components in PBS-KAP are communication transcript sizes and the stochastic number of rounds until stopping; both are primarily determined by security parameters and by $(N, k,L,s,p_0, \epsilon )$ and are largely independent of the exact sensor CPU model. Second, communication time and energy on low-power IoT platforms are typically transmission-dominated and therefore follow directly from bytes and the link bitrate/power capacity, which can be instantiated from standard radio specifications. Third, simulation enables controlled initialization of mismatch and noise and allows thousands of independent trials to estimate tail behavior (e.g., 90th/99th percentile rounds), which is difficult to obtain reliably on physical hardware without a programmable mismatch source and extensive experimentation. Finally, any remaining platform-specific effects (constant-factor CPU overheads and OS/network stack differences) primarily influence absolute timings rather than the relative trends across parameter sweeps; these constants can be validated with a small sanity test on an IoT-class board when available.

8.4. Software-Based Prototype and Measurement Methodology

We implemented a reference simulator for Phase 1 that follows the message flow and state-machine in Section 6. The simulator instantiates two parties (gateway and sensor) holding N = 1024-bit strings (128 bytes) and executes the sampling/threshold/flip loop until the stopping rule triggers (s consecutive non-flip rounds) or a hard round limit T. SecureHalfDiff (the 2PC predicate) is modeled as returning the correct comparison bit β based on the true sample Hamming distance; we also evaluate the effect of errors by flipping β with probability ε (β-noise). All reported convergence statistics (median/p90/p99) are obtained from Monte Carlo runs (≥400 sessions/setting). We additionally micro-benchmark the protocol control logic (sampling, mismatch counting, and flips) and use the communication/memory estimates from Section 8.2 for the GC/OT sub-protocol.

Communication accounting. We report (a) the number of bytes per round and per session, using the wire-level breakdown from Section 8.2. We treat the base-OT/seed establishment as a one-time bootstrap cost of 16 kB per peer-pair, and we parameterize the per-round 2PC traffic as approximately 16·k bytes (matching the ≈2 kB estimate at $k=128$ in Section 8.2.2). Control headers, nonces, and transcript authentication are conservatively set at 64 bytes per round in total.

Timing/energy accounting. Round time is dominated by radio transmission time on low-rate links; we therefore report (b) time per round and total time assuming an IEEE 802.15.4-class rate of 250 kbps, plus measured local CPU overhead. For (d) energy, we convert transmitted/received bits to energy using a representative 2.4 GHz 802.15.4 radio setting (TX/RX currents from the CC2420 datasheet [75]), assuming the sensor transmits and receives approximately half of the per-session traffic. All these are reported in Table 6.

8.4.1. Rounds-to-Stopping Distributions

Figure 4 shows the empirical CDF of the number of rounds until the stopping rule triggers (s = 5) for representative initial mismatch rates. As expected, sessions that start well below the flip-trigger threshold terminate quickly (no flips), whereas sessions that start above 0.5 require multiple flip rounds before the sample majority condition stops firing.

8.4.2. Parameter Sweeps (k, L and Stopping Confidence)

To quantify the trade-off between per-round cost and convergence speed, we sweep (i) the sample size k, (ii) the flip parameter L, and (iii) the stopping confidence ($s$ consecutive non-flip rounds). Table 7 summarizes representative points for p0 = 0.55 and ε = 1%.

8.4.3. CPU and Memory Footprint

CPU overhead. On our evaluation host (x86-64, Python 3.11), the measured control-loop cost (sampling $k$ indices, counting mismatches, and applying $L$ flips when triggered) is $92.2$ per round for $k=128,L=32$ (averaged over 20,000 rounds). For cryptographic primitives, OpenSSL reports $\approx 7.34 \mathrm{GB}/\mathrm{s}$ for AES-128-CTR on 1 MiB blocks, indicating that on gateway-class CPUs the local computation is typically dominated by the radio time for the 2PC payload on low-rate WSN links.

Peak RAM/flash on the sensor. A microcontroller implementation must store the local key string ($N/8$ bytes), the sampled index set ($\approx 2k$ bytes using 16-bit indices), a flip list ($\approx 2L$ bytes), plus the OT-extension/GC working buffers. Using the traffic parameterization of Section 8.2 ($\approx 16\cdot k$ bytes per round total) and conservative single-round buffering, this yields an estimated peak RAM of $\approx 8.4 \mathrm{kB}$ for $\left(k,L)=(\mathrm{128,32}\right)$ and $\approx 10.8 \mathrm{kB}$ for $\left(k,L)=(\mathrm{256,64}\right)$, excluding the radio driver and OS. The flash footprint depends on the chosen 2PC/OT library; we reserve $\approx 100$–$200 \mathrm{kB}$ of flash for AES/HMAC, OT extension, and garbled-circuit evaluation code, which fits in common Cortex-M4/M7-class sensor platforms.

8.4.4. Quantitative Comparison with Representative Schemes

Table 8. Sensor-side communication and computation costs: PBS-KAP vs. representative WSN schemes. Literature values are taken from Yi et al. (2022) [76]. PBS-KAP time assumes a 250 kbps 802.15.4-class link and includes the 16 kB base-OT bootstrap.

Scheme	Sensor Comm (bits)	Comm Time @250 kbps (ms)	Sensor Comp. (μs)	Source
PBS-KAP Phase 1 (this work)—incl. base-OT bootstrap	806912	3227.6	—(2PC/GC dominated)	This work
PBS-KAP Phase 1 (this work)—excl. bootstrap (amortized)	675840	2703.4	—(2PC/GC dominated)	This work
Protocol [21] (as in Yi et al. 2022)	1408	5.6	9.11	Yi et al. (2022) [76]
Protocol [45] (as in Yi et al. 2022)	1152	4.6	7.995	Yi et al. (2022) [76]
Protocol [46](as in Yi et al. 2022)	1312	5.2	8.271	Yi et al. (2022) [76]
Protocol [47] (as in Yi et al. 2022)	1920	7.7	9.252	Yi et al. (2022) [76]

provides a quantitative comparison against representative WSN authentication/key-agreement schemes. For external schemes, we report the wireless-sensor-side computation and communication costs as reported in a recent survey-style experimental evaluation (Yi et al., 2022) [76] and clearly label these as literature values. For PBS-KAP, we report our measured/simulated Phase-1 costs on the same metrics (sensor-side total bits sent+received), using the median rounds at $p_0=0.55$ and $\epsilon =1\mathrm{\%}$.

8.5. Evaluation of Experimental Results

This section evaluates the experimental results reported in Section 8 and clarifies how the measured/simulated costs translate into practical security and performance trade-offs. In particular, we relate the convergence distributions (Table 6 and Table 7) and the platform accounting (bytes/time/energy) to the comparison of representative schemes in Table 8.

Convergence behavior. The rounds-to-stopping distribution is strongly driven by the initial mismatch rate $p_0$ and by the stopping confidence $s$. As Table 6 shows, when $p_0$ is moderate (0.40–0.45), the protocol typically terminates after 5 rounds, while in adversarial starting points ($p_0\approx 0.55$–0.60) the median rises to 40–54 rounds and the upper tail becomes heavier. This behavior is expected for iterative bit-flipping alignment: as the two strings approach the decision boundary, the sampled mismatch statistics become noisier, and more rounds are needed to obtain $s$ consecutive “similar-enough” outcomes. Importantly, even in these difficult cases, the protocol reduces the mismatch rate to the “correctable” region for the subsequent extraction stage.

Communication, time, and energy: For fixed $k$ and security parameters, the protocol’s per-round communication cost is essentially constant because each round executes one privacy-preserving similarity test ($\beta$) with a fixed transcript structure. In the representative configuration ($k=128,L=32$), this yields 2112 bytes per round (Table 6). Total session traffic, therefore, scales linearly with the realized number of rounds and includes a one-time bootstrap of 16 kB for base OTs; when the bootstrap is amortized across sessions, the online cost is reduced accordingly (Table 6 and Table 7). In low-power radios, transmission dominates the energy consumption, so the energy estimates closely track the total number of bytes; CPU-side control logic remains minor relative to the radio’s airtime.

Impact of $k$, $L$ and stopping confidence: The parameter sweeps (Table 7) illustrate the intended deployment knob set. Increasing $s$ makes premature termination exponentially less likely but increases expected rounds (and hence bytes/time). Increasing $k$ raises bytes per round but stabilizes the $\beta$ decision and can reduce rounds by decreasing sampling variance. Increasing the flip parameter $L$ accelerates convergence in high-mismatch settings (fewer rounds), but it also makes each corrective step more aggressive; thus $L$ should be chosen to balance speed with the desired final mismatch margin for the fuzzy extractor. These trade-offs allow the protocol to be tuned to application-specific noise levels and key-refresh periodicities.

Interpreting the comparison in Table 8: Table 8 indicates that PBS-KAP has higher sensor-side communication than representative lightweight WSN authentication/key-agreement protocols. This difference is expected and does not imply inferior design: PBS-KAP targets a stronger goal under different assumptions. Specifically, it (i) performs privacy-preserving similarity testing via 2PC (OT extension + garbled circuits), which intentionally reveals only a single comparison bit $\beta$ per round, and (ii) avoids reliance on pre-distributed long-term secrets on the sensor. Many lightweight schemes optimize for a few-message exchange given stored secrets (or device-specific assumptions), and therefore their reported cost cannot be directly compared on an “equal-goal” basis.

Consequently, the additional overhead of PBS-KAP should be viewed as the price of the following properties, which are not simultaneously provided by the compared protocols and are directly aligned with the criteria set in Table 2 (notably C12 and C15):

• Capture resilience without long-term secrets on the sensor: Compromising a node does not reveal a global master key or key pool and does not automatically enable impersonation across the network.
• Bounded and quantifiable leakage during agreement: Each alignment round reveals at most the comparison bit $\beta$ (plus fixed-size control metadata), allowing the final extracted key length to be conservatively adjusted.
• Privacy-preserving alignment: Beyond $\beta$ and termination, the gateway does not learn the sensor’s raw string or sampled substrings, mitigating honest-but-curious infrastructure exposure.
• One-time public-key cost: The expensive base OT can be executed during provisioning; subsequent sessions use OT extension and symmetric primitives only.
• Tunability and graceful degradation: The explicit parameters ($k, L, s$) enable systematic trade-offs between overhead and reliability, and the protocol continues to function under higher noise/mismatch at the cost of more rounds rather than failing outright.

Practical implications: For deployments where node capture is plausible and long-lived keys are unacceptable, the extra handshake traffic is exchanged for localized compromise and quantifiable leakage. Moreover, Table 6 shows that for typical mismatch levels, the median session cost is far below the worst-case, and the bootstrap can be amortized across multiple key refreshes. This makes PBS-KAP attractive for scenarios where key agreement is performed infrequently (e.g., at enrollment, after resets, or periodically at long intervals), while still maintaining robust behavior under noisy measurements.

Opportunities for optimization: Our evaluation emphasizes reproducibility over micro-optimizations. The dominant cost is the 2PC component; therefore, implementing OT extension and garbling in optimized C, reusing setup where possible, and batching multiple $\beta$ evaluations per OT-extension instance can reduce both runtime and energy without changing the protocol logic. These optimizations are orthogonal to the convergence behavior and can be incorporated in future hardware-level evaluations.

9. Discussion

Our protocol is constructed to be lightweight, secure, and practical for deployment in wireless sensor networks. It employs bit-flipping rounds, secure similarity checks, and fuzzy extraction with secure sketches, thereby eliminating the necessity for pre-deployed keys, minimizing dependence on costly public-key operations, and restricting the exposure of information during key agreements. The integration of IKNP OT extension with Free-XOR and Half-Gates garbled circuits facilitates efficient execution of similarity checks, even on resource-constrained devices. Furthermore, privacy amplification through hashing ensures that even minor discrepancies in intermediate bitstrings prevent adversaries from deducing the final key.

In particular, with respect to real-world feasibility on WSN links, on an IEEE 802.15.4-class radio (250 kbps), the dominant cost of PBS-KAP is communication airtime rather than local computation. In the representative configuration (e.g., $k=128$), the per-round packet is about 2112 bytes, so total session traffic scales with the realized number of rounds plus a one-time (around) 16 kB bootstrap (base OTs) that can be amortized across multiple key refreshes. Using the same 250 kbps link model, the measured/simulated sessions in Table 6 fall in the sub-second to few-second range (about 0.86 to 4.17 s) across the evaluated mismatch regimes), with corresponding radio-energy estimates on the order of 0.047 to 0.227 J under a standard 802.15.4 radio configuration. With respect to feasibility on sensor-category MCUs, the protocol is designed in a way that expensive public-key work is confined to provisioning/bootstrapping, while steady-state rounds use symmetric primitives plus OT extension and a compact threshold circuit. In terms of embedded information, the sensor stores only the local $N$-bit string plus small per-round index/flip lists and OT/GC buffers. For very constrained nodes (e.g., 8-bit AVR/ARM-M0 with less than 4 kB RAM and less than 32 kB Flash), a PRF+equality-test style SecureHalfDiff implementation can fit in, around, 1 kB RAM and less than 20 kB Flash. Also, for more capable Cortex-M4/M7-class devices, OT-extension frameworks can execute in the millisecond range per round for typical values for $k$.

Finally, since our implementation targets only the communication between the gateway node (GWN) and the sensor, the protocol directly satisfies criteria associated with secure sensor-node key agreement, resistance to known attacks, mutual authentication (if Authenticated Key Exchange or malicious-secure OT/GC is added), forward secrecy, time efficiency, and protection against sensor capture, while user-related criteria are outside the scope of this study. However, as future work, we aim to extend our work to also cover communication between the user and the GWN.

10. Limitations and Future Work

The proposed protocol is explicitly designed to operate within the constraints of typical wireless sensor network hardware, including limited processing capability, restricted memory, and limited energy availability. The protocol minimizes reliance on public-key cryptography by confining expensive operations to a one-time bootstrap phase, after which only symmetric primitives, lightweight oblivious transfer extensions, and bounded-size garbled circuits are used. This design choice significantly reduces per-session computational overhead, making repeated key refresh operations feasible on low-power devices. The convergence behavior, which scales as $\mathrm{O}(\mathrm{N}/\mathrm{L}$), allows the protocol to be customized to the resource constraints of a given deployment by tuning the flip parameter and stopping confidence. Moreover, the protocol’s execution in discrete, independent rounds, without the need for continuous connectivity, seamlessly aligns with the energy-efficient sleep–wake scheduling commonly utilized in WSNs.

The security analysis under the semi-honest model does not cover active or malicious behavior (e.g., deviating from the algorithm, sending inconsistent messages, selective-failure attacks, or aborting strategically). These behaviors fall outside the semi-honest model and are left as future work. Strengthening the protocol against such threats would require integrating malicious-secure OT extensions, authenticated garbled circuits, and cut-and-choose or dual execution techniques. While this would increase computational and communication costs, it would preserve the high-level structure of the protocol.

Furthermore, the current limitation of this study is the absence of implementation on physical sensor hardware. While the protocol and its underlying cryptographic mechanisms have been fully specified and evaluated algorithmically, performance metrics such as execution time, energy consumption, and empirical memory usage remain unmeasured in real-world environments. As future work, we plan to undertake a two-phase validation strategy. First, a software reference implementation will be developed using standard toolchains and libraries (e.g., libOTe or EMP-toolkit for secure computation components and micro-ECC for ECC primitives) to obtain cycle-accurate profiling and communication overhead in simulation. Subsequently, the optimized implementation will be ported to representative IoT platforms such as Arduino MKR series, ESP32, and STM32 Cortex-M4, guided by the resource estimates presented in Section 8.3. Another area for future work is the enhancement of side-channel resilience, for instance, against power analysis or fine-grained timing attacks in real-world deployments. Additionally, the protocol assumes synchronized rounds and reliable communication, adapting it for highly asynchronous or lossy networks may require extra mechanisms for round alignment and error recovery.

11. Conclusions

In this work, we presented a series of protocols that enable two communicating parties, in our case a gateway with a sensor node, to align their secret bitstrings without disclosing their actual values. The gateway node and the sensor iteratively sample positions and flip bits until their strings are sufficiently close; then, a fuzzy extractor corrects residual mismatches to produce a final uniform random key, which is subsequently validated using an MAC.

By eliminating the need for pre-distributed keys or centralized key management, the protocol remains resilient to node capture attacks, eavesdropping, and compromise. Furthermore, its lightweight operations make it particularly suitable for resource-constrained environments such as WSNs and the IoT, offering a practical solution that balances efficiency, robustness, and high security.