Lightweight and Anonymous Authentication based on PUF Without CRP leakage for Industrial Internet of Things

Fengqun Wang1,2, Jie Cui1,2,*, Wuquan Wen1,2, and Ke Hu1,2

Corresponding Author:

Jie Cui

Affiliation(s):

1Key Laboratory of Intelligent Computing and Signal Processing of Ministry of Education, School of Computer Science and Technology, Anhui University, Hefei 230039, China

2Anhui Engineering Laboratory of IoT Security Technologies, Anhui University, Hefei 230039, China

*Corresponding author

Abstract:

The physical unclonable function (PUF) is a critical hardware primitive that provides unique identities for authenticating a large number of devices in the Industrial Internet of Things (IIoT). Most existing PUF-based schemes face challenge-response pair (CRP) leakage during machine-learning attacks. Some studies use hardware or time-consuming cryptographic operations to protect the PUF responses, but these approaches are expensive and unsuitable for existing IIoT devices. To address these issues, a lightweight and anonymous PUF-based authentication scheme is proposed for resource-constrained IIoT devices. Using elliptic curve cryptography and zero-knowledge proof, a lightweight blinding mechanism is designed in the proposed scheme that prevents explicit CRP leakage and ensures anonymity. In addition, the authenticated keys are random with forward and backward secrecy. Moreover, the security of the proposed scheme is demonstrated using a random oracle model. Experimental results demonstrate that the proposed scheme is notably more efficient and practical for resource-constrained devices compared to other related schemes.

Keywords:

Industrial Internet of Things (IIoT), lightweight authentication, CRP leakage, physical unclonable function (PUF), anonymous authentication

Cite This Paper:

Fengqun Wang, Jie Cui, Wuquan Wen, and Ke Hu (2025). Lightweight and Anonymous Authentication based on PUF Without CRP leakage for Industrial Internet of Things. Journal of Networking and Network Applications, Volume 5, Issue 2, pp. 64–76. https://doi.org/10.33969/J-NaNA.2025.050202.
