Internet of Things (IoT) has been widely used in many fields, bringing great convenience to people’s traditional work and life. IoT generates tremendous amounts of data at the edge of network. However, the security of data transmission is facing severe challenges. In particular, edge IoT nodes cannot run complex encryption operations due to their limited computing and storage resources. Therefore, edge IoT nodes are more susceptible to various security attacks. To this end, a lightweight mutual authentication and key agreement protocol is proposed to achieve the security of IoT nodes’ communication. The protocol uses the reverse fuzzy extractor to acclimatize to the noisy environment and introduces the supplementary subprotocol to enhance resistance to the desynchronization attack. It uses only lightweight cryptographic operations, such as hash function, XORs, and PUF. It only stores one pseudo-identity. The protocol is proven to be secure by rigid security analysis based on improved BAN logic. Performance analysis shows the proposed protocol has more comprehensive functions and incurs lower computation and communication cost when compared with similar protocols.

1. Introduction

With the rapid development of new network technologies such as cloud computing and artificial intelligence, Internet of Things (IoT) has been more and more widely used. It has continuously brought great convenience to people’s lives and work [1]. IoT devices play an important role in the power generation, transmission, and distribution of smart grids and can monitor power transmission conditions in a more timely manner [2]. A system called iERS can monitor and notify the availability of parking spaces near the smart community through the IoT infrastructure and help users find suitable parking spaces [3]. Baker et al. [4] created a general model that can be used in most similar healthcare systems using end-to-end IoT. Therefore, diverse technologies based on the IoT make users’ comfortable and convenient life possible.

According to the predictions of relevant agencies, IoT devices are expected to grow exponentially in the next few years, followed by the explosive growth of IoT data [5]. In some low-latency IoT applications, the design idea of combining the computing functions of the edge cloud to complete the reception and management of massive data has become a way to improve the efficiency of IoT. Edge cloud helps edge IoT nodes process data nearby, reducing the heavy computing tasks of cloud data centers.

However, due to the openness of channels and data sensitivity, data security and user privacy issues have attracted more and more attention. Data security issues are also one of the biggest obstacles restricting the widespread deployment and application of Internet of Things [6]. Due to IoT characteristics, the specific challenges faced by data security are as follows: (1) IoT device resources are generally limited. Internet of Things consists of many heterogeneous and resource-constrained devices, which often have a single function and limited computing and storage resources [7]; (2) massive data: the number of IoT devices and users is huge, and massive amounts of data are generated in real time, which brings great workload to security authentication; (3) interactive dynamics: in the environment of Internet of Things, nodes and users are often in constant movement, which makes real-time requirements for secure access and authentication; and (4) strong data privacy: the advent of the big data era puts forward higher requirements for the protection of personal privacy information, and both visitors and IoT nodes must be protected [8].

In order to solve the above-mentioned IoT data security issues, many researchers have proposed various security authentication and key agreement protocols to solve the IoT data security issues [9]. However, as we all know, Internet of Things has many remote nodes. In this scenario, an attacker can extract stored authentication information and keys from the IoT device and then can perform security attacks according to their own needs. At present, most studies have not considered this aspect of security issues. Therefore, the communication protocol designed for the IoT system should ensure that the entire system remains secure, even if the equipment or sensors are damaged. Fortunately, physical unclonable functions (PUF) provide a viable option to achieve this goal. Recently, some PUF-based authentication protocols have been proposed to protect sensor security and data security.

To solve the above issues, we propose a lightweight and anonymous mutual authentication protocol for edge IoT nodes with physical unclonable function. The proposed protocol only needs some lightweight cryptographic operations and stores one pseudo-identity. It is very suitable for data security protection scenarios of IoT nodes in a wide range of deployment scenarios. To sum it up, the main contributions of the proposed protocol are as follows:(i)The proposed protocol realizes secure, lightweight mutual authentication for edge IoT nodes. More importantly, in addition to the noise of the nonideal PUF, we also take the imbalance of resources between the device and the server into account, taking advantage of the reverse fuzzy extractor to reduce the cost.(ii)The proposed protocol only store one pseudo-identity to prevent physical security attack such as side-channel security attacks and memory data theft while ensuring anonymity.(iii)We introduced a supplementary subprotocol for desynchronization attacks to overcome the shortcomings in [10]. It also improves efficiency by querying the relevant subset in the database based on the registration time instead of traversing the entire subset.(iv)We present rigid security proof based on improved BAN logic [11] to demonstrate the proposed protocol is against all of secure attacks.

The paper’s organization is as follows: Section 2 shows the related works on the authentication protocols for the IoT system. Section 3 and Section 4 introduce, respectively, related preliminaries and system model and security requirements. Section 5 presents the proposed scheme with its supplementary subprotocol in detail. Section 6 and Section 7 show the security and performance analysis. Finally, the conclusion and future work are described in Section 8.

As IoT has gained steam in recent decades, its security issues have also attracted widespread attention. In 2014, a study by Hewlett Packard suggested that about seventy percent of IoT devices suffer from acute vulnerability, which cannot be ignored [12]. Therefore, considerable authentication protocols for Internet of Things sprang up.

Most of the incipient authentication protocols are based on asymmetric cryptography, which cuts both ways in IoT: it boasts higher security but bears inevitably the computational inefficiency and huge overhead. For instance, Fouda et al. [13] proposed a scheme that established the shared session key with Diffie–Hellman exchange protocol, whose needed computing resources put a certain burden on resource-constrained IoT devices. In addition, Porambage et al. [14] involved the elliptic curve cryptography belonging to the public key system to achieve the implicit certificate-based protocol. Besides, Amin et al. [15] utilized the smart card and the RSA algorithm. Therefore, not only does it have a major potential danger in tampering because it is vulnerable to physical attack but also it contributes to terribly large computation costs.

Then, the study on protocols with symmetric cryptography is generally extensive. Das et al. [16] introduced a scheme with smart cards, which is a novel authentication protocol on the basis of passwords and symmetric cryptography for the hierarchical wireless sensor networks (HWSN), a branch of Internet of Things. However, it is similar that the scheme, which is not tamper-proof, cannot avoid physical attacks. Turkanovi and Holbl [17] designed another protocol for HWSN, which pointed out the flaws in [16] and eliminated its redundant components, taking advantage of the symmetric encryption or decryption. Nevertheless, even if symmetric cryptography reduces the computational complexity and saves some resources with hash functions, XOR operations, and concatenation operations, compared with the asymmetric one, the storage of secret keys still produces a large memory overhead in a matter of the IoT system connected with a substantial amount of devices.

The demand for more secure and efficient authentication protocols has prompted scholars to introduce the PUF, which makes up for the drawbacks of smart cards and is claimed as a hardware function with great promise in recent research. Aman et al. [18] showed the scheme where the response generated by PUF encrypted the data and verified the source. Chatterjee et al. [19] proposed the scheme which used the response value to construct the session key. What is more, there is no need to explicitly store the challenge-response pair. However, the protocols mentioned in [18, 19] fail to guarantee anonymity. In addition, the challenge-response pair is not updated and replaced every round, even when the protocol introduced by Feikken et al. [20] avoids conveying the identity in plain text. Consequently, considering the device anonymity, Gope and Sikdar [10] presented a scheme with plentiful alternative pseudonyms and challenge-response pairs. Instead of direct identity, it completes communication with the help of pseudo-identity which, together with the challenge-response pair, is regenerated to prevent adversaries from the trail. However, it is more likely to encounter desynchronization attacks. The protocol proposed by Jiang et al. [21] resolved the above two weaknesses, but its overhead increases due to asymmetric cryptography. Additionally, the protocol in [22] performs better than that in [10] in terms of resistance to desynchronization attack. On the contrary, the majority of protocols such as [18] merely consider the ideal PUF. Since noisy factors are inescapable in daily life, it is required to take appropriate measures against them. Significantly, the fuzzy extractor is regarded as a widely used and practical tool for error correction. In the part of noisy PUF in [22], the fuzzy extractor emerges to convert the error response values. Besides, the protocol in [20] also serves as an example to show the great role of the fuzzy extractor in addressing noisy PUF issues. Furthermore, the fuzzy extractor in reverse is a feasible optimization method, which takes the resource difference between the device and the server in IoT system into full consideration and makes the resource utilization more reasonable. For instance, the protocols in [10, 21, 23, 24] reverse the fuzzy extractor to arrange resources more evenly.

3. Preliminaries

3.1. Physical Unclonable Function

Described as “an expression of an inherent and unclonable instance-specific feature of a physical object” in [25], the PUF is considered a key factor in the physical uniqueness of a device. Thanks to the randomness and uncertainty during the fabrication of integrated circuits, it is less likely to produce a copy; thereby, the PUF is increasingly shining in the security domain.

Additionally, the definition in [26] that a PUF is deemed to be a special function that inputs a random challenge and generates the corresponding response relying on the complex physical character clarifies the PUF from another perspective. As shown in the following equation, is the challenge inputted and is the response outputted:

In ideal circumstances, there is a one-to-one correspondence between the challenge-response pair and the PUF; scilicet, if a challenge is assigned to the same PUF multiple times, the responses generated are identical, and if the same challenge is given to different PUFs, the responses obtained are distinct. However, due to the environmental and circuit noise, a PUF always outputs various responses with a few errors to a challenge value.

3.2. Reverse Fuzzy Extractor

Since the influence of noisy PUFs cannot be ignored, the fuzzy extractor is introduced to address the issue. Combined with the PUF, the fuzzy extractor with a secure sketch maps the responses with resemblance to the same result [27].

A fuzzy extractor comprises two algorithms, which are and , according to [20,27]. As a probabilistic algorithm, generates a key string and a helper data with the input value . In the phase, in terms of every with min-entropy , with (2), the difference of statistics between and is up to the threshold . means a constellation of strings from , which are chosen in a random and uniform way. As a deterministic algorithm, if the hamming distance between and is at most , can utilize and to reproduce , according to (3):

Generally, the reconstruction function is deployed on the device with a PUF, while the key generation function is placed in the server. However, it is a critical defect that the reconstruction algorithm is performed on the device end with limited memory and computing resources as a consequence of numerous gates and time costs when correcting errors [28]. Therefore, the reverse fuzzy extractor, which sets on the PUF-equipped device and on the server, is applied to resolve the problem.

3.3. Symbols and Descriptions

The symbols and descriptions involved in the protocol are presented in Table 1.

4. System Model and Security Requirements

4.1. System Model

Figure 1 shows two roles in the system model: a series of IoT devices and a server situated in the data center. Moreover, the communication between devices and the server is through Internet in the IoT system.(i)IoT devices: In the IoT system, every device possesses a PUF, in which any effort to manipulate the PUF will make it unavailable and any attempt to remove the PUF will comprise it. In addition, it is assumed that devices have finite resources.(ii)Server: The server is described as a secure, trusted, and resource-unlimited entity, which can store the related information about IoT devices in the database to operate the mutual authentication.

4.2. Adversary Model

In matters of the adversary model, we refer to the well-known Dolev–Yao attack model in [29], with an assumption that an adversary boasts a series of capabilities as described below:(i)According to the Dolev–Yao model, the adversary has complete control over the open channel, who can grasp total information on the insecure channel between the IoT device and the server and thereby intercept, tamper, or cancel it.(ii)Besides the threats mentioned above, aiming at acquiring the essential data, the adversary can also launch physical attacks, cloning attacks, counterfeit attacks, desynchronization attacks, and so forth.

4.3. Security Requirements

After the analysis of the adversary model, we take account of the related security requirements for the proposed two-party authentication protocol:(i)Mutual authentication: The genesis of the fact that it is crucial to achieve the mutual authentication between the IoT device and the server before the formal communication lurks in the issue that an attacker may disguise as a trusted device sending malicious information to others with the impersonation attack.(ii)Reliable session key generation: The problem that an adversary is more likely to obtain the messages transmitted through the open channel serves as an explanation of the requirement that both the device end and the server end ensure the same session key is held during communication.(iii)Anonymity: It is indispensable to use one-time aliases so that the adversary cannot know the true identity of the device.(iv)Defense against the known attacks: The designed protocol is supposed to resist the known attacks, such as physical attacks, cloning attacks, impersonation attacks, and especially desynchronization attacks.

5. The Proposed Scheme

In this section, we propose a lightweight and anonymous mutual authentication protocol for edge IoT nodes with physical unclonable functions, which features the zero storage of shared secrets and a large number of pseudonyms. In total, the protocol is composed of three phases: the setup phase, the registration phase, and the authentication phase.

5.1. Setup Phase

In this stage, a reliable one-way hash function is selected to achieve mutual authentication, where is a secure parameter chosen by the server.

5.2. Registration Phase

In this stage, the IoT device sends its relevant messages to the server through the secure channel as shown in Figure 2. The IoT device selects a registration time (a time slot such as three days or five days), which together with the identity is utilized to calculate in order to prepare for the supplementary subprotocol against the desynchronization attack. Then, the device randomly chooses a one-time temporary alias and a challenge value and obtains the response from the PUF. The device stores the needed in this round temporarily, while the registration time is also stored in a secure environment. Next, is sent to the server through the ideal channel. After receiving , the server stores it in the database.

5.3. Authentication Phase

In this stage, the device and the server in the IoT system conduct mutual authentication where a few pseudo-identities and shared secrets are stored by the device end. The final generation of the same session key on the device and the server means the achievement of their mutual authentication.(1)The IoT device transmits of this round to the server . On receiving the alias, the server searches for it in the database. If found successfully, gets the corresponding challenge-response pair and selects a nonce . Then, the server computes and . Finally, is given to the IoT device.(2)Upon receiving , the IoT device calculates , , , and and then verifies whether is equal to . If successful, the device computes , the challenge in the next round, the corresponding response , and . Then, the device selects a nonce , which is used to generate , and the session key . Next, the device stores for the next round and sends to the server.(3)After acquiring , the server computes the helper data , the nonce , the challenge , and its response . Then, is computed to verify the identity of and . If the verification is passed, the server generates the session key and the temporary pseudo-identity for the following round. Eventually, is kept in the database.

In summary, the procedure for an agreement of the session key between the physical device and the server in the IoT system is accomplished. The details are presented in Figure 3.

5.4. The Supplementary Subprotocol

If a desynchronization attack is launched when is sent to the server, the one-time temporary alias of the IoT device on the server end cannot be updated in time, which causes the messages of the IoT device and the server to be out of synchronization. In this regard, it is of vital necessity to introduce the supplementary subprotocol against the attack for the sake of the normal continuation of our authentication.

In the registration phase, the IoT device has calculated and sent it to the server for storage. In the subprotocol phase shown in Figure 4, with the current timestamp , the device computes , , and and then transmits to the server end, which searches for the relevant data according to the registration time sent by the physical device and computes , and to compare with after receiving the message. If both are the same, the resynchronization is completed and the authentication process can continue normally.

6. Security Analysis

The BAN logic, designed by Burrows, Abadi, and Needham [30], features its simplicity and practicality, resulting in the general application to the formal security analysis of identity verification protocols. However, even though it pioneered the formal analysis, its pitfalls were pointed out by Mao and Boyd [11]. Hence, we attempt to prove our proposed protocol to meet a series of requirements for the authentication between the IoT device and the server with the Mao and Boyd logic, namely, the improved BAN logic, in this section.

6.1. Basic Definitions

For the sake of eliminating negative features caused by the type mismatch, Mao and Boyd logic constructed three groups of type-specific objects, including principals, messages, and formulas, so we employ letters and to describe principals, , , and to represent messages, while , , and symbolize formulas for the clarity and convenience [11].

Some definitions are listed below:Equation (4) denotes that principal believes formula to be true. Equation (5) shows that principal says message is encrypted with the key . Equation (6) manifests that principal sees message is decrypted with key . Equation (7) points out that is considered as a good shared key between principals and . Equation (8) suggests that message is fresh that it has never appeared before the current protocol conducts. Equation (9) indicates that is a super principal; namely, it is credible and legitimate. Equation (10) bespeaks that principal cannot see the message .

Considering the issue that the syntax is context-free while the relationship between messages is context-based, Mao and Boyd [11] explained that the idealization of protocol messages converting the implicit contextual information to the explicit specification should be operated. There are some concepts of idealization regulations. On the one hand, there are five related concepts. The atomic message means a data unit with no symbols such as “,”, “”, “”, “” or “”, in a message, where ”,” is a combinator for a message and a principal, and “” or “” is a combinator for two messages. The challenge is an atomic message sent and received in two different lines by its originator, namely, a principal. In the meantime, the atomic message is not a timestamp. The replied challenge is a challenge existing in the message on the way to its originator. The response also belongs to the set of atomic messages excluding timestamps, which is sent with a replied challenge by its sender. If an atomic message is not a challenge, a response, or a timestamp, it is called nonsense. On the other hand, there are several idealization rules of messages in the protocol in the following:(i)All of the atomic messages considered as nonsenses are supposed to be erased.(ii)If an atomic message plays both roles of the challenge and the response in a line, then it is regarded as a response.(iii)The challenges separated by commas can be combined with the symbol “ ”, so do responses.(iv)The challenge and its corresponding response can be combined with the symbol “ ”, whose form is “response replied challenge”.(v)The message and its timestamp can also be combined with “ ”, whose form is “message timestamp”.Moreover, according to [11], there are some inference rules which are created to achieve the intuitive formal analysis on the scheme of authentication and confidentiality in actual applications, where symbol “ ” is a Boolean logic conjunction used to connect two formulas. For instance, if formula and formula are true, then they can get the true formula , in the following form:(vi)The authentication rule (12): if believes that is a good shared key between and and sees with , can believe encrypts with :(vii)The confidentiality rule (13): there are three conditions: (1) believes that is a good key between and ; (2) believes that cannot be obtained by anyone else; and (3) can use to encrypt the message . If they are met, can believe that only can be available to and :(viii)The nonce-verification rule (14): if believes that is fresh and that encrypts with , then can believe that thinks is a good key between and :(ix)The superprincipal rule (15): if believes that trusts and is a legitimate server, can believe :(x)The fresh rule (16): if believes that is fresh and receives the message combined with and , can believe that is fresh:(xi)The good-key rule (17): if believes that is not available to any other principal than , and and is fresh, can believe that is a good key between and :(xii)The intuitive rule (18): it is a rule ignored usually that if decrypts with , then can see :

6.2. Formal Security Analysis on Proposed Protocol

According to the above inference rules, we propose some initial beliefs and assumptions for our protocol between the device and the server in the IoT system, which then are used to construct the security proofs.

Regarding the IoT device as and the server as , first, we try to prove the proposition (vi), which is “ believes that is a good shared key between and ”. As is shown in the following, (i) shows that believes is a good key between and because it is the real identity of the IoT device stored in the server; (ii) shows that believes cannot be known by any other one except ; (iii) shows that can encrypt with ; and (v) shows that believes is fresh because generates the nonce . In the light of the confidentiality rule, we use (i), (ii), and (iii) to obtain the statement “ believes that no one else knows except for and ”, which is (iv). Then, (iv) and (v) are applied in the good-key rule to get the final statement (vi). The detailed proof process is shown in Figure 5(a):

Then, we attempt to prove the proposition (xvi), which is “ believes that is a good shared key between and ”. In the following, (vii) means believes that is a good shared key between and ; (viii) means that can decrypt with ; (ix) means believes that encrypts with ; (x) means believes that is fresh; (xi) means believes that holds the belief that is a good shared key between and ; (xii) means that believes that takes the belief that cannot be known by others except for ; (xiii) means considers the fact that believes only and itself can obtain the nonce ; and (xiv) means that believes that is a credible principal. Therefore, we can use these beliefs and assumptions to deduce the final conclusion. With the authentication rule, (vii) can be combined with (viii) to draw (ix). Additionally, (xi) can be derived from the combination between (ix) and (x) with the nonce-verification rule. With the three conditions (ix), (xi), and (xii) substituted into a variant of the confidentiality rule, we can reason out (xiii), which thereby together with (xiv) can be used in the superprincipal rule to obtain (xv). Then, (xv) and (x) are utilized to generate the final conclusion (xvi) with the good-key rule. The proof process is vividly shown in Figure 5(b):

Similarly, the proofs for “ believe that is a good shared key between and ” and “ believes that is a good shared key between and ” as, respectively, shown in Figures 5(c) and 5(d). In the matters of the former, according to the confidentiality rule, “ believes that is a good shared key between itself and ”; “ believes that no one can obtain except for ”; and “ encrypts with ”. These three conditions are involved in deducing a statement, which is “ holds the view that can merely be known by and ”. In the light of the conclusion, we can introduce it with the belief that “ believes is fresh” into the good-key rule in order to obtain the final statement. Moreover, the latter is generated by “ believing that is fresh” which is the result of “convinced that believes only and can know ”; “ believes that is a legitimate principal” with the superprincipal rule; and “ believes that only and can obtain ” with the good-share key rule. Obtained with the developed confidentiality rule, the statement “ is convinced that believes only and can know ” is the result of “believing that holds the belief that is a good shared key between and ”; “ is convinced that believes that it is less likely for to be attached by others except for ”; and “ believes that is encrypted by with ”. In terms of the conclusion “ believes that trusts as a good shared key between and ”. It can be deduced with the nonce-verification rule that “ believes is a fresh nonce” and “ believes can encrypt with ”, which can be obtained by the combination of “ believing that is a good shared key between and ” and “ can be decrypted by with ” with the authentication rule.

In Figures 5(e) and 5(f), the similar manner of the proofs for “ believes that is a good shared key between and ” and “ believes that is a good shared key between and ” is described in the specific process. In Figure 5(e), with the confidentiality rule, we utilize three conditions: “ believes that is a good shared key between and ”; “ believes that no one can obtain except for ”; and “ can be encrypted by with ” to conclude the statement of “ believes it is impossible that a third person can obtain except for and ”, which is combined with the fact that “ believes is fresh” to deduce the final belief of “ believes that is a good shared key between and ” with the good-key rule. In Figure 5(f), what calls for special attention is that, with the fresh rule, the statement “ trusts as fresh” is generated by “ believes that is a fresh nonce” and “ can obtain and ”, which is concluded from “ can decrypt and with ”, according to the intuitive rule.

In conclusion, generally, is rarely known by others excluding and , so an adversary cannot obtain the secrets involved in the formal security proofs, which are , , , and . Some attacks like impersonation attacks are even less likely to be operated. Additionally, thanks to the feature of the PUF, they cannot get valid challenge-response pairs from it even when adversaries control an IoT device. Consequently, our protocol is regarded as reliable enough against some common security attacks.

7. Performance Analysis

In this section, we analyze the performance of the proposed scheme in three respects: security functions, computation costs, and communication costs, whose comparison results with the protocols in [10, 18, 21, 22] are introduced in the following.

7.1. Security Function Analysis

Aiming to present the strengths of the scheme proposed in the paper, we first compare it with four other PUF-based mutual authentication protocols on their security functions in Table 2, where , , , , , , , , and , respectively, represent the mutual authentication, the resilience to desynchronization, the impersonation attack, the session key security, the physical security, the reverse fuzzy extractor, the zero storage of shared secrets, the anonymity, and the lightweight feature. What is more, means achieved while means not achieved.

In terms of resilience to desynchronization and the zero storage of the shared secrets, even when the scheme in [10] keeps a mass of alternate pseudonyms and keys, the desynchronization attack is still a problem. Although the protocol in [22] can prevent attacks to a certain degree, it still needs to store a large number of pseudo-identities and challenge-response pairs, which require a lot of storage space. According to the solution proposed in the paper, it is unnecessary for the IoT device and server to store those. When they are subjected to the desynchronization attack, they merely need to search for a subset in the database in the light of the registration time and finish the resynchronization. Moreover, the issue that it is more likely for noise to lead to some errors in the output is neglected by the scheme in [18]. While the scheme in [22] involves the fuzzy extractor, it does not reverse it to consider the resource imbalance between the device and server. Our scheme takes these factors into full consideration, and with the reverse fuzzy extractor, not only does it solve the noise problem, but it also takes reasonable advantage of resources. What is more, the protocol in [21] addresses the above issues, but it contains the public key cryptography, resulting in a surge of costs. Instead of it, our protocol is characterized by a series of lightweight functions, such as PUFs, hash functions, and XORs. Additionally, since the protocol in [18] directly uses the original identity of the device rather than its pseudo-identity, the anonymity is not achieved. Our resolve in the paper that uses the one-time temporary alias updated in each round of communication protects the privacy of the physical device in the IoT system.

7.2. Computation Costs Analysis

Considering the difference of the computation costs generated by various PUF-based protocols, we show the details in Table 3, where , , , , and , respectively, symbolize the time costs of PUFs, hash functions (including the MAC), the key generation function of the fuzzy extractor, the reconstruction function of the fuzzy extractor, and symmetric encryption or decryption. Generally, we think that various time costs roughly meet the following magnitude relationships: and .

Since the protocol in [21] is based on the three-party authentication, we just conduct the comparative analysis of our protocol and those in [10, 18, 22]. In our protocol, in the IoT device is used twice. As a result, we only consider the time cost of calculating it once. According to Table 4, we can conclude that our protocol still has a slight advantage compared with the protocol in [18]. Although it uses fewer hash functions, the time costs caused by the symmetric encryption and decryption with the response value bring our protocol the latest edge through a small victory. In addition, our protocol is one hash function less than that of [10], which is also a narrow margin. Furthermore, the computation costs of our PUFs and hash functions are similar to those of [22], but the device end equipped with the key generation function of the reverse fuzzy extractor costs fewer resources and less time.

7.3. Communication Costs Analysis

By analyzing the communication costs, we can still demonstrate some advantages of our proposed protocol. Since we regard as a security parameter, utilizing the hash function to convert a bit string of arbitrary length into that of l-bit length, we define the length of nonces, identities, challenge values, and response values as bits, and the l-bit data is changed to 8l-bit one after the symmetric encryption.

We contrast the computation costs of relevant protocols in [10, 18, 22], as shown in Table 4, attributing to the fact that the protocol in [21] involves three parties and causes numerous costs with asymmetric encryption and decryption. In Table 4, means the size of messages and means the times of sending messages. It is apparent that the computation costs of the protocol in [18] are much more than any other protocol resulting from symmetric encryption and decryption. Additionally, the communication overhead of our protocol is as little as that in [10]. Besides, even though the communication costs of the IoT device in the protocol proposed by [22] are less than ours, regardless of the total size of messages or the total times of communications, the protocol in [22] is slightly more than ours. Therefore, our protocol in this paper can be treated low-overhead.

Above all, our protocol fully demonstrates its advantages in terms of security functions, computing costs, and communication overhead. Table 5 shows the summary comparisons among the protocols in [10, 18, 21, 22] and this paper. Since the computation and communication costs of the protocol in [21] are not involved in the above comparisons, we ignore them in Table 5, in which we can know that not only does our protocol meet all the security functions mentioned, but its computation and communication overhead is also the lowest.

8. Conclusion and Future Work

In this paper, we propose a lightweight and anonymous mutual authentication protocol for edge IoT nodes with physical unclonable functions. Instead of symmetric or asymmetric cryptography, the proposed protocol only uses lightweight operations, such as hash functions, PUFs, exclusive OR operations, and concatenation operations. On the one hand, we can solve the problem of a large number of pseudonyms in IoT devices due to anonymity and effectively resist physical security attacks from adversaries. On the other hand, we can consider PUF in nonideal environments and use fuzzy extractors to implement error correction to ensure the protocol’s reliability. In addition, we present a strict formal security proof to show that the proposed protocol meets the expected security requirements. Performance comparison analysis shows it has better computing efficiency and communication performance when compared with similar protocols.

We use subprotocols to resist desynchronization attacks. Although it is simple to implement, it is still not a very effective method to solve the desynchronization attack in the lightweight anonymous security authentication protocol. Therefore, our next work will further find better solutions.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they do not have any commercial or associative interest that represents a conflicts in connection with the work submitted.


The work was supported in part by the National Natural Science Foundation of China (61862052) and the Science and Technology Foundation of Qinghai Province (2020-ZJ-943Q).