This paper presents a lightweight and secure data communication protocol tailored for resource-constrained IoT environments. The proposed method integrates Challenge-Response Pair (CRP) Physically Unclonable Functions (PUFs) and a True Random Number Generator (TRNG) to eliminate the need for non-volatile key storage, thereby significantly enhancing resistance against physical attacks and key extraction threats. In contrast to conventional public key authentication methods such as those employed in Pretty Good Privacy (PGP), the protocol replaces asymmetric key operations with CRP-PUFs and hash-based message authentication codes (HMACs), effectively removing the need for key pair generation, key distribution, and private key encryption. To ensure stability in PUF responses under environmental variations, the protocol applies majority voting and BCH error correction codes. It further leverages a large CRP space and incorporates dynamic CRP updates to ensure backward secrecy. In addition, elliptic curve cryptography (ECC) point validation is used to defend against fault injection attacks, collectively offering strong resistance against cloning, brute-force, and implementation-level attacks. While preserving the core cryptographic functions of PGP—such as session key wrapping, ECDSA-based digital signatures, and AES encryption—the proposed protocol dynamically derives all secret keys from hardware-based entropy sources. As a result, it achieves comprehensive security guarantees including authentication, integrity, confidentiality, and non-repudiation, while significantly reducing computational complexity and authentication latency compared to conventional ECC-based schemes. The protocol’s correctness and security are formally verified using ProVerif and Mao-Boyd logic, and its practical feasibility is demonstrated through a compact single-chip implementation, making it highly suitable for real-world industrial IoT deployments.