Internet of Things (IoT) technology has revolutionized various sectors, including healthcare, smart cities, agriculture, education, and homes. The interconnected network of diverse IoT devices used in smart homes allows users to remotely manage lighting, security systems, heating, and household appliances through smart devices. The multitude of interactions and frequent data exchanges in smart homes necessitate robust user authentication. Strengthening smart home security is crucial to ensuring user safety and safeguarding personal information, thereby maximizing the benefits of smart technology. In 2023, Bai et al. proposed an authentication scheme aimed at ensuring anonymity and secure key establishment in smart environments. Although their scheme achieved various security objectives, we identified security vulnerabilities in their proposal. In this paper, we highlight the weaknesses in their scheme and introduce a new, secure, and anonymous authentication scheme. The proposed solution integrates bio-hash techniques for protecting user identity and physical unclonable functions to mitigate device capture attacks. Our scheme establishes a secure session key between the user, gateway, and sensor, providing protection against various known attacks from both internal and external adversaries. Furthermore, we conducted both formal and informal analyses to validate the security of the proposed scheme and compared its performance with related schemes to demonstrate its effectiveness and practical applicability.