Manivannan, S.Chakraborty, R.S.Chakrabarti, I.Ramalingam, J.2026-02-042024IEEE Embedded Systems Letters, 2024, 16, 2, pp. 118-12119430663https://doi.org/10.1109/LES.2023.3299200https://idr.nitk.ac.in/handle/123456789/21120The immense potential of the Internet of Things (IoT) is challenged by grave security vulnerabilities that are easily exploitable in resource-constrained environments. We propose a lightweight Authentication and Key Agreement (AKA) protocol to derive a shared session key for each communicating node in a mutually communicating cluster of IoT nodes. Each IoT device is embedded with a Physically Unclonable Function (PUF), and a Fuzzy Extractor (FE) is deployed to correct and reproduce the private key and public helper data pair from the possibly erroneous PUF response. This secret raw PUF response is not stored explicitly in the server. A forward-secure authenticated key agreement is achieved by incorporating Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol. The security of the proposed scheme has been formally verified while considering both active and passive attackers using the Verifpal tool. A prototype implementation with the arbiter PUF circuit, FE, and associated software has successfully demonstrated the efficacy of our scheme. © 2009-2012 IEEE.AuthenticationFormal verificationInternet of thingsIronNetwork securityAuthentication and key agreement protocolsAuthentication and key agreementsFuzzy extractorFuzzy extractorsInternet of thingPhysically unclonable functionPhysically unclonable functionsPrototypeSecurity vulnerabilitiesSession keyCryptography