A Lightweight and Privacy-Preserving Authentication Protocol for Healthcare in an IoT Environment

Abstract

In Internet of Things (IoT)-based healthcare, sensor nodes are deployed to detect the patient’s physiological data in a wireless sensor network. In order to prevent unwarranted users from accessing the sensor network to obtain patients’ data, designing lightweight and privacy-preserving authentication protocols plays a crucial role. Many lightweight authentication protocols for IoT-based healthcare have been proposed in recent years, but most of them may suffer from one or more security problems. In particular, few protocols can resist sensor node-captured attacks and achieve n-factor secrecy, which leads to unauthorized personnel being able to access the patient’s physiological data and obtain patients’ privacy. Therefore, a lightweight and privacy-preserving authentication protocol for healthcare based on elliptic curve cryptography (ECC) and physical unclonable function (PUF) is proposed to surmount the above obstacles. We design a dynamic anonymity strategy to achieve users’ anonymity and unlinkability and use PUF to protect information stored in users’ devices and sensor nodes. In addition, higher security features such as three-factor secrecy, perfect forward secrecy, resistance to sensor node-captured attacks, and update asynchronous attacks are guaranteed. The proposed protocol is proven to be secure under the random oracle model and maintains lightweight computing efficiency.

1. Introduction

Smart healthcare is a new medical form in the information age that can realize synergy between patients and doctors with the help of wireless devices. Especially, the introduction of IoT technology provides patients with efficient, convenient, easy-to-use, low-cost, and intelligent medical services. The wise, efficient, and wirelessly interconnected medical devices can ceaselessly monitor and manage bio-information gathered by sensors, such as rate of respiration and heart rate, temperature, etc. Access to sensor nodes by unwarranted users can lead to the disclosure of patients’ privacy. To ward off this, user authentication is the first step to ensuring patients’ data security and users’ privacy. However, due to the computation and storage resources being constrained and the sensitivity of the patient’s identity, how to design an authentication protocol for IoT-based healthcare that meets the requirements of lightweight, security, and privacy protection is a challenge.

In 2010, Wu et al. [1] proposed the first two-factor authentication scheme for smart healthcare. Since then, many researchers have addressed this topic [2,3,4,5,6,7,8,9,10,11]. Al-Turjman and Alturjman [12] proposed a mutual authentication and key agreement scheme for medical sensor networks, where medical experts and patients can authenticate each other based on smartphones or sensor nodes. Kumar and Chand [13] designed a lightweight cloud-assisted anonymous authentication and key agreement scheme for a secure wireless body area network. Huang et al. [14] proposed a new authentication scheme for body-IoT devices. Adeli et al. [15] proposed a biometric-based authentication scheme for the Internet of Medical Things (IoMT) and mobile healthcare. Yang et al. [16] designed a cloud-based anonymous authentication scheme for healthcare services. Hamdi et al. [17] proposed a patient monitoring system for smart healthcare, which supposes IoT sensors and Android applications for efficient interaction. However, signature-based [8,9], computational Diffie–Hellman-based [10], or bilinear pairing-based [11] authentication and key establishment schemes for IoT applications may suffer from high computation and communication costs. Thus, these schemes are not suitable for smart medical scenarios.

In 2016, Ibrahim et al. [18] designed an anonymous authentication protocol based on the XOR operation and hash function. However, Xu et al. [19] demonstrated that the above scheme is endangered by desynchronization attacks because the parameters need to be updated in each session. Liu et al. [20] provided an innovative healthcare scheme for wireless sensor networks, and they designed a novel protocol to overcome the security weaknesses. However, Li et al. [21] indicated that their improved scheme is still susceptible to privileged-insider attacks and impersonation attacks. Then Li et al. proposed another anonymous authentication scheme for healthcare. Li et al. [22] proposed a three-factor authentication protocol for wireless medical sensor network systems. In 2019, Shuai et al. [23] proposed a lightweight three-factor authentication scheme for healthcare monitoring. But their scheme is vulnerable to stolen-verifier attacks, update asynchronous attacks, and lacks perfect forward secrecy. Sharma and Kalra [24] proposed a lightweight authentication scheme for healthcare services based on cloud-IoT, but their scheme suffers from privileged-insider attacks, offline password guessing attacks, impersonation attacks, smart card loss attacks, sensor node capture attacks, and does not achieve perfect forward secrecy, session key secrecy, anonymity, or unlinkability. In 2020, Gupta et al. [25] proposed a lattice-based authentication scheme for e-health systems. Fotouhi et al. [26] proposed a lightweight two-factor authentication scheme for healthcare IoT. Nevertheless, Rangwani and Om [27] pointed out that their scheme is vulnerable to privileged-insider attacks, sensor node capture attacks, update asynchronous attacks, replay attacks, stolen-verifier attacks, and lacks anonymity. To overcome these weaknesses, Rangwani and Om proposed a four-factor authentication scheme for healthcare using asymmetric encryption. However, their scheme lacks anonymity and perfect forward secrecy, and its computational cost is high. Shamshad et al. [28] proposed an identity-based authentication protocol for the telecare medical information system (TMIS), which uses the physically unclonable function (PUF) to protect the data’s security. In 2021, Shuai et al. [29] proposed an anonymous three-factor authentication protocol in the wireless sensor network (WSN) for personalized healthcare applications. However, Xie et al. [30] pointed out that Shuai et al.’s scheme is vulnerable to stolen-verifier attacks and message tampering attacks and has no perfect forward secrecy. Then, Xie et al. proposed a security-enhanced authentication scheme based on ECC. Hu et al. [31] proposed a two-factor authentication protocol for WSN that properly meets the needs of medical sensor networks.

Recently, Masud et al. [32] proposed a lightweight and privacy-preserving authentication protocol for healthcare based on IoT. However, Wang et al. [33] found that their scheme is threatened by offline password guessing attacks, update asynchronous attacks, and known session key attacks. The scheme also has no anonymity or unlinkability, session key secrecy, or perfect forward secrecy. Kim et al. [34] also pointed out the security problems of Masud et al.’s scheme and proposed a novel security-enhanced authentication protocol for IoMT. In addition, sensor node-captured attacks have a serious impact on WSN. Most protocols cannot overcome the problem of privacy disclosure caused by sensor nodes being captured, and some protocols even collapse due to this attack [35].

• Design goals

The design goals of a lightweight and privacy-preserving authentication protocol for healthcare in an IoT environment are that the protocol must be proven to be secure and able to resist various known attacks, including sensor node capture attacks and three-factor secrecy, and necessary security properties such as perfect forward secrecy and session key secrecy should be provided. In addition, the protocol should achieve lightweight computing efficiency.

• Motivations

Up until now, many authentication protocols for IoT-based healthcare have been proposed. However, most of the existing protocols may suffer from one or more security problems. We also find that there are few protocols that can resist sensor node-captured attacks and achieve n-factor secrecy (i.e., password, smart card, biological information, etc.). Recently, Masud et al. [32] proposed an authentication scheme for IoT-based healthcare that has several security flaws, and Kim et al.’s security-enhanced scheme [34] still suffers from user impersonation attacks, sensor node impersonation attacks, and so on. Therefore, we propose a security-enhanced protocol that conquers the above obstacles.

• Contributions

(1) To solve the security problems of the existing protocols for IoT-based healthcare, a lightweight and privacy-preserving authentication protocol based on ECC and PUF is proposed.

(2) We design a dynamic anonymous policy to protect users privacy, achieve unlinkability, and adopt the physical unclonable function (PUF) [36] to protect information stored in users’ devices and sensor nodes. In addition, higher security features such as three-factor secrecy, perfect forward secrecy, resistance to sensor node-captured attacks, and update asynchronous attacks are guaranteed.

(3) We present the formal security proof in the random oracle model to prove the security of our scheme. Compared with other analogous schemes, our scheme achieves higher security while maintaining a lower computational cost.

The organization of this paper is as follows: Section 1 introduces the motivations, contributions, and design goals. The system model and attack model are presented in Section 2. The security-enhanced scheme is proposed in Section 3. Formal proof and informal security analysis are shown in Section 4 and Section 5. Section 6 presents security and performance comparisons between our scheme and some related schemes. This paper concludes in Section 7.

2. System Model and Attack Model

2.1. System Model

The model of the proposed protocol consists of the user (doctor), the gateway, and the sensor node. Gateway is a trusted server deployed in the hospital that is responsible for the registration of users (with devices) and sensor nodes and authenticating the user and the sensor node. Sensor nodes are deployed on patients to monitor their conditions. The system model is shown in Figure 1. After registration, the doctor sends a communication request to the patient sensor through the gateway. The gateway authenticates the doctor and forwards the request to the patient sensor. Then the patient and the doctor mutually authenticate and negotiate a secure session key.

2.2. Attack Model

According to the Dolev–Yao (DY) [37] model, the attacker has the following competencies:

• The attacker can eavesdrop on the open channels.
• The attacker can modify, insert, replay, and reroute the captured messages.
• The attacker can obtain the stored data if he/she captures a sensor node.
• If an attacker obtains the device of the user, he/she can get all the data kept on the device.
• The attacker may be an insider user, but the gateway is trustworthy, and the registration channels are secure.

According to the adversary model of Rahman et al. [38], the attacker can influence the patient’s heartbeat by affecting the patient’s equipment or launch flood attacks on the doctor’s equipment to paralyze it.

3. Our Proposed Scheme

In this section, a security-enhanced protocol is proposed.

Table 1. Notations of the Proposed Scheme.

Notations	Descriptions
$U_i$	${\mathrm{i}}^{th}$ User (Doctor)
$U_A$	Adversary
$S{N}_j$	${\mathrm{j}}^{th}$ sensor node
$P{W}_i$	Password of ${\mathrm{U}}_{\mathrm{i}}$
$I{D}_i$	Personal identity of ${\mathrm{U}}_{\mathrm{i}}$
$SI{D}_j$	Unique identity of ${\mathrm{SN}}_{\mathrm{j}}$
$fn{g}_i$	The bioinformatics (fingerprint) of ${\mathrm{U}}_{\mathrm{i}}$
$SK$	Session key
$DI{D}_i$	Temporary identity of ${\mathrm{U}}_{\mathrm{i}}$
$h(.)$	Hash function
$\parallel$	Concatenation
$\oplus$	XOR operation
$Rep(.)$	The reproduction function of Fuzzy Extractor algorithm
$Gen(.)$	The generation function of Fuzzy Extractor algorithm
PUF	Physical unclonable function
$GWN$	The gateway
${\tau }_i$	Public parameter of Fuzzy Extractor algorithm
${\sigma }_i$	Biometric key of Fuzzy Extractor algorithm
$T_1,T_2,T_3$	Timestamps
$\mathsf{\Delta }T$	The maximum transmission delay time
$P$	The generator point of the elliptic curve
$K_{GWN}$	The secret parameter of $\mathrm{GWN}$
$C_i, R_i$	The challenge and corresponding response of PUF

shows the notations and intuitive abbreviations used in our scheme.

3.1. Initialization Phase

The gateway selects an elliptic curve $\mathrm{E}\left({\mathrm{GF}}_{\mathrm{q}}\right)$, where $\mathrm{GF}\left(\mathrm{q}\right)$ is the finite field and $\mathrm{q}$ is a large prime number. Then, the gateway chooses a generator point $\mathrm{P}$ and publishes it.

3.2. Registration Phase

In this phase, users (doctors) and sensor nodes will register on the $\mathrm{GWN}$, as shown in Figure 2 and Figure 3.

The registration phase for a user (${\mathrm{U}}_{\mathrm{i}}$) is as follows:

Step UR1: ${\mathrm{U}}_{\mathrm{i}}$ chooses ${\mathrm{ID}}_{\mathrm{i}}$ and sends ${\mathrm{ID}}_{\mathrm{i}}$ to $\mathrm{GWN}$ via the private channel.

Step UR2: $\mathrm{GWN}$ checks if the ${\mathrm{ID}}_{\mathrm{i}}$ is unique and legal, if not, requests ${\mathrm{U}}_{\mathrm{i}}$ to choose a new ${\mathrm{ID}}_{\mathrm{i}}$. Else, generates a random number, ${\mathrm{r}}_{\mathrm{g}}$, and calculates

$${\mathrm{a}}_{\mathrm{i}}=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}\parallel {\mathrm{K}}_{\mathrm{GWN}}\right),$$

$${\mathrm{DID}}_{\mathrm{i}}=\left({\mathrm{ID}}_{\mathrm{i}}\parallel {\mathrm{r}}_{\mathrm{g}}\right)\oplus \mathrm{h}\left({\mathrm{K}}_{\mathrm{GWN}}\right).$$

where ${\mathrm{K}}_{\mathrm{GWN}}$ is a secret number of $\mathrm{GWN}$. Then, $\mathrm{GWN}$ stores $h\left({\mathrm{ID}}_{\mathrm{i}}\right)$ to verify the uniqueness of identity later and sends $\left\{{\mathrm{a}}_{\mathrm{i}},{ \mathrm{DID}}_{\mathrm{i}}\right\}$ to ${\mathrm{U}}_{\mathrm{i}}$.

Step UR3: ${\mathrm{U}}_{\mathrm{i}}$ inputs the password ${\mathrm{PW}}_{\mathrm{i}}$ and fingerprint ${\mathrm{fng}}_{\mathrm{i}}$ into the device, generates a challenge $C_i$, then computes

$$\left({\sigma }_i, {\tau }_i\right)= \mathrm{Gen}\left({\mathrm{fng}}_{\mathrm{i}}\right),$$

$${\mathrm{MPW}}_{\mathrm{i}}=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}\parallel {\mathrm{PW}}_{\mathrm{i}}\parallel {\sigma }_i\right)mod n,$$

$$R_i=PUF\left(C_i\right),$$

$${\mathrm{F}}_{\mathrm{i}}={\mathrm{a}}_{\mathrm{i}}\oplus h\left(R_i\right),$$

$${\mathrm{Q}}_{\mathrm{i}}={\mathrm{DID}}_{\mathrm{i}}\oplus \mathrm{h}\left(R_i\left|\right|1\right),$$

where n belongs to 16 to 256. Finally, the device stores $\left\{{\mathrm{MPW}}_{\mathrm{i}},{\tau }_i,{\mathrm{F}}_{\mathrm{i}},{\mathrm{Q}}_{\mathrm{i}},\mathrm{Rep}(.),\mathrm{h}(.), n, PUF,C_i\right\}$.

The registration phase of the sensor node (${\mathrm{SN}}_{\mathrm{j}}$) is as follows:

Step SR1: $\mathrm{GWN}$ chooses a unique identity ${\mathrm{SID}}_{\mathrm{j}}$ for the sensor node and computes ${\mathrm{b}}_{\mathrm{j}}=\mathrm{h}\left({\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{K}}_{\mathrm{GWN}}\right)$. Then, GWN transmits $\left\{{\mathrm{b}}_{\mathrm{j}},{ \mathrm{SID}}_{\mathrm{j}}\right\}$ to sensor node ${\mathrm{SN}}_{\mathrm{j}}$ privately.

Step SR2: Sensor node ${\mathrm{SN}}_{\mathrm{j}}$ generates a challenge $C_j$, computes

$$R_j=PUF\left(C_j\right),$$

$${\mathrm{B}}_{\mathrm{j}}={\mathrm{b}}_{\mathrm{j}}\oplus h\left(R_j\right),$$

and stores $\left\{{\mathrm{B}}_{\mathrm{j}},{ \mathrm{SID}}_{\mathrm{j}}, PUF,C_j\right\}$.

3.3. Mutual Authentication and Key Agreement Phase

In this phase, the ${\mathrm{U}}_{\mathrm{i}}$ and ${\mathrm{SN}}_{\mathrm{j}}$ authenticate mutually, and the session key is negotiated with the help of $\mathrm{GWN}$. Figure 4 depicts this phase.

Step LA1: ${\mathrm{U}}_{\mathrm{i}}$ inputs the identity ${\mathrm{ID}}_{\mathrm{i}}^{*}$, the password ${\mathrm{PW}}_{\mathrm{i}}^{*}$ and enters the fingerprint ${\mathrm{fng}}_{\mathrm{i}}^{*}$. Then the device calculates

$${\sigma }_i^{*}=\mathrm{Rep}\left({\mathrm{fng}}_{\mathrm{i}}^{*},{\tau }_i\right),$$

$${\mathrm{MPW}}_{\mathrm{i}}^{*}=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{*}\parallel {\mathrm{PW}}_{\mathrm{i}}^{*}\parallel {\sigma }_i^{*}\right)mod n.$$

If ${\mathrm{MPW}}_{\mathrm{i}}^{*}\ne {\mathrm{MPW}}_{\mathrm{i}}$, login fails. Else, computes

$$R_i=PUF\left(C_i\right),$$

$${\mathrm{a}}_{\mathrm{i}}^{*}={\mathrm{F}}_{\mathrm{i}}\oplus \mathrm{h}\left(R_i\right),$$

$${\mathrm{DID}}_{\mathrm{i}}^{*}={\mathrm{Q}}_{\mathrm{i}}\oplus \mathrm{h}\left(R_i\left|\right|1\right).$$

The device generates a random number ${\mathrm{c}}_{\mathrm{i}}$, timestamp ${\mathrm{T}}_1$, and computes

$${\mathrm{L}}_1={\mathrm{c}}_{\mathrm{i}}\mathrm{P},$$

$${\mathrm{M}}_1=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{*}\parallel {\mathrm{DID}}_{\mathrm{i}}^{*}\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{L}}_1\parallel {\mathrm{a}}_{\mathrm{i}}^{*}\parallel {\mathrm{T}}_1\right).$$

The device transmits ${\mathrm{MES}}_1=\left\{{\mathrm{DID}}_{\mathrm{i}}^{*},{\mathrm{SID}}_{\mathrm{j}},{\mathrm{M}}_1,{\mathrm{L}}_1,{\mathrm{T}}_1\right\}$ to $\mathrm{GWN}$ via an open channel.

Step LA2: Upon receiving ${\mathrm{MES}}_1=\left\{{\mathrm{DID}}_{\mathrm{i}}^{*},{\mathrm{SID}}_{\mathrm{j}},{\mathrm{M}}_1,{\mathrm{L}}_1,{\mathrm{T}}_1\right\}$, $\mathrm{GWN}$ generates the current timestamp ${\mathrm{T}}_1^{*}$, if $\left|{\mathrm{T}}_1^{*}-{\mathrm{T}}_1\right|>\mathsf{\Delta }\mathrm{T}$, terminates the session. Else, $\mathrm{GWN}$ computes

$$\left({\mathrm{ID}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{r}}_{\mathrm{g}}^{\prime }\right)={\mathrm{DID}}_{\mathrm{i}}^{*}\oplus \mathrm{h}\left({\mathrm{K}}_{\mathrm{GWN}}\right),$$

$${\mathrm{a}}_{\mathrm{i}}^{\prime }=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{K}}_{\mathrm{GWN}}\right),$$

$${\mathrm{M}}_1^{\prime }=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{DID}}_{\mathrm{i}}^{*}\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{L}}_1\parallel {\mathrm{a}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{T}}_1\right).$$

If ${\mathrm{M}}_1^{\prime }\ne {\mathrm{M}}_1$, decline. Else, $\mathrm{GWN}$ generates a timestamp ${\mathrm{T}}_2$, and computes

$${\mathrm{S}}_1=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{a}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{T}}_1\right),$$

$${\mathrm{b}}_{\mathrm{j}}=\mathrm{h}\left({\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{K}}_{\mathrm{GWN}}\right),$$

$${\mathrm{M}}_2={\mathrm{S}}_1\oplus \mathrm{h}\left({\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{b}}_{\mathrm{j}}\parallel { \mathrm{T}}_2\right),$$

$${\mathrm{M}}_3=\mathrm{h}\left({\mathrm{M}}_2\parallel {\mathrm{S}}_1\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{b}}_{\mathrm{j}}\parallel {\mathrm{L}}_1\parallel { \mathrm{T}}_2\right).$$

$\mathrm{GWN}$ transmits the message ${\mathrm{MES}}_2=\left\{{\mathrm{M}}_2,{\mathrm{M}}_3,{\mathrm{L}}_1,{\mathrm{T}}_2\right\}$ to sensor node (${\mathrm{SN}}_{\mathrm{j}}$) openly.

Step LA3: After obtaining the message ${\mathrm{MES}}_2=\left\{{\mathrm{M}}_2,{\mathrm{M}}_3,{\mathrm{L}}_1,{\mathrm{T}}_2\right\}$, ${\mathrm{SN}}_{\mathrm{j}}$ checks the freshness of the timestamp. If $\left|{\mathrm{T}}_2^{*}-{\mathrm{T}}_2\right|>\mathsf{\Delta }\mathrm{T}$, aborts it. Else, ${\mathrm{SN}}_{\mathrm{j}}$ computes

$$R_j=PUF\left(C_j\right),$$

$${\mathrm{b}}_{\mathrm{j}}={\mathrm{B}}_{\mathrm{j}}\oplus h\left(R_j\right),$$

$${\mathrm{S}}_1^{\prime }={\mathrm{M}}_2\oplus \mathrm{h}\left({\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{b}}_{\mathrm{j}}\parallel { \mathrm{T}}_2\right),$$

$${\mathrm{M}}_3^{\prime }=\mathrm{h}\left({\mathrm{M}}_2\parallel {\mathrm{S}}_1^{\prime }\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{b}}_{\mathrm{j}}\parallel {\mathrm{L}}_1\parallel { \mathrm{T}}_2\right).$$

If ${\mathrm{M}}_3^{\prime }\ne {\mathrm{M}}_3$, aborts it. Else, ${\mathrm{SN}}_{\mathrm{j}}$ generates a random number ${\mathrm{d}}_{\mathrm{j}}$, timestamp ${\mathrm{T}}_3$, and calculates

$${\mathrm{L}}_2={\mathrm{d}}_{\mathrm{j}}\mathrm{P},$$

$$\mathrm{SK}=\mathrm{h}\left({\mathrm{d}}_{\mathrm{j}}{\mathrm{L}}_1\parallel {\mathrm{L}}_1\parallel {\mathrm{L}}_2\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{S}}_1^{\prime }\right),$$

$${\mathrm{M}}_4=\mathrm{h}\left({\mathrm{S}}_1^{\prime }\parallel { \mathrm{b}}_{\mathrm{j}}\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{L}}_2\parallel {\mathrm{T}}_3\right).$$

${\mathrm{SN}}_{\mathrm{j}}$ transmits message ${\mathrm{MES}}_3=\left\{{\mathrm{M}}_4,{\mathrm{L}}_2,{\mathrm{T}}_3\right\}$ to $\mathrm{GWN}$ via an open channel.

Step LA4: After receiving ${\mathrm{MES}}_3=\left\{{\mathrm{M}}_4,{\mathrm{L}}_2,{\mathrm{T}}_3\right\}$, $\mathrm{GWN}$ first confirms the freshness of ${\mathrm{T}}_3$, if it is fresh, $\mathrm{GWN}$ computes ${\mathrm{M}}_4^{\prime }=\mathrm{h}\left({\mathrm{S}}_1\parallel {\mathrm{b}}_{\mathrm{j}}\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{L}}_2\parallel {\mathrm{T}}_3\right)$. If ${\mathrm{M}}_4^{\prime }\ne {\mathrm{M}}_4$, aborts it. Else, $\mathrm{GWN}$ generates a nonce ${\mathrm{r}}_{\mathrm{g}}^{″}$, timestamp ${\mathrm{T}}_4$, and computes

$${\mathrm{DID}}_{\mathrm{i}}^{\mathrm{new}}=\left({\mathrm{ID}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{r}}_{\mathrm{g}}^{″}\right)\oplus \mathrm{h}\left({\mathrm{K}}_{\mathrm{GWN}}\right),$$

$${\mathrm{M}}_5={\mathrm{DID}}_{\mathrm{i}}^{\mathrm{new}}\oplus \mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{\prime }\parallel { \mathrm{T}}_4\parallel {\mathrm{a}}_{\mathrm{i}}^{\prime }\right),$$

$${\mathrm{M}}_6=\mathrm{h}\left({\mathrm{DID}}_{\mathrm{i}}^{\mathrm{new}}\parallel {\mathrm{L}}_2\parallel {\mathrm{L}}_1\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{a}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{T}}_4\right).$$

$\mathrm{GWN}$ transmits ${\mathrm{MES}}_4=\left\{{\mathrm{M}}_5,{\mathrm{M}}_6,{\mathrm{L}}_2,{\mathrm{T}}_4\right\}$ to ${\mathrm{U}}_{\mathrm{i}}$ via an open channel.

Step LA5: On receiving ${\mathrm{MES}}_4=\left\{{\mathrm{M}}_5,{\mathrm{M}}_6,{\mathrm{L}}_2,{\mathrm{T}}_4\right\}$, ${\mathrm{U}}_{\mathrm{i}}$’ device first makes sure that the timestamp is fresh.

If so, the device of ${\mathrm{U}}_{\mathrm{i}}$ computes

$${\mathrm{DID}}_{\mathrm{i}}^{\mathrm{new}*}={\mathrm{M}}_5\oplus \mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{*}\parallel { \mathrm{T}}_4\parallel {\mathrm{a}}_{\mathrm{i}}^{*}\right),$$

$${\mathrm{M}}_6^{\prime }=\mathrm{h}\left({\mathrm{DID}}_{\mathrm{i}}^{\mathrm{new}*}\parallel {\mathrm{L}}_2\parallel {\mathrm{L}}_1\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{a}}_{\mathrm{i}}^{*}\parallel {\mathrm{T}}_4\right).$$

If ${\mathrm{M}}_6^{\prime }\ne {\mathrm{M}}_6$, aborts it. Else, compute

$${\mathrm{S}}_1^{*}=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{*}\parallel {\mathrm{a}}_{\mathrm{i}}^{*}\parallel {\mathrm{T}}_1\right),$$

$$\mathrm{SK}=\mathrm{h}\left({\mathrm{c}}_{\mathrm{i}}{\mathrm{L}}_2\parallel {\mathrm{L}}_1\parallel {\mathrm{L}}_2\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{S}}_1^{*}\right).$$

The user updates the temporary identity by replacing ${\mathrm{Q}}_{\mathrm{i}}$ with ${\mathrm{Q}}_{\mathrm{i}}^{\mathrm{new}}$, where ${\mathrm{Q}}_{\mathrm{i}}^{\mathrm{new}}=\mathrm{h}\left(R_i\left|\right|1\right)\oplus {\mathrm{DID}}_{\mathrm{i}}^{\mathrm{new}*}$.

The authentication and the session of key negotiation is completed.

3.4. Password Update Phase

In this phase, users (doctors) and can update their passwords as following:

${\mathrm{U}}_{\mathrm{i}}$ inputs the identity ${\mathrm{ID}}_{\mathrm{i}}^{*}$, the password ${\mathrm{PW}}_{\mathrm{i}}^{*}$ and enters the fingerprint ${\mathrm{fng}}_{\mathrm{i}}^{*}$. Then the device calculates

$${\sigma }_i^{*}=\mathrm{Rep}\left({\mathrm{fng}}_{\mathrm{i}}^{*},{\tau }_i\right),$$

$${\mathrm{MPW}}_{\mathrm{i}}^{*}=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{*}\parallel {\mathrm{PW}}_{\mathrm{i}}^{*}\parallel {\sigma }_i^{*}\right)mod n.$$

If ${\mathrm{MPW}}_{\mathrm{i}}^{*}\ne {\mathrm{MPW}}_{\mathrm{i}}$, login fails. Else, ${\mathrm{U}}_{\mathrm{i}}$ inputs the new password ${\mathrm{PW}}_{\mathrm{i}}^{\mathrm{n}}$, the device calculates

$${\mathrm{MPW}}_{\mathrm{i}}^{\mathrm{n}}=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{*}\parallel {\mathrm{PW}}_{\mathrm{i}}^{\mathrm{n}}\parallel {\sigma }_i^{*}\right)mod n.$$

Then, the device replaces ${\mathrm{MPW}}_{\mathrm{i}}^{*}$ by ${\mathrm{MPW}}_{\mathrm{i}}^{\mathrm{n}}$.

4. Formal Security Analysis

4.1. Random Oracle Model

In this section, we provide a formal security proof using the random oracle model. The notions and queries of the model are defined as follows:

Definition 1 (Participants): 

In the proposed scheme, denoted as $\Pi$, there are three participants: the user ($\mathrm{U}$), the gateway ($\mathrm{GWN}$), and the sensor node ($\mathrm{SN}$). Assume ${\mathrm{I}}_{\mathrm{P}}^{\mathrm{i}}$ is the $\mathrm{i}$-th instance of participant ($\mathrm{P}$), ${\mathrm{I}}_{\mathrm{U}}^{\mathrm{i}}$, ${\mathrm{I}}_{\mathrm{GWN}}^{\mathrm{i}}$, and ${\mathrm{I}}_{\mathrm{SN}}^{\mathrm{i}}$ represent   $\mathrm{U}$, $\mathrm{GWN}$, and $\mathrm{SN}$ in the $\mathrm{i}$-th instance, respectively. We consider all these instances to be oracles.

Definition 2 (States of oracle): 

In the model, there are only three states of oracles: $accept$,   $reject,$ and   $null$; each oracle must be in only one of them. If an oracle obtains a correct request, it will   $accept$ it. If the request is illegal, the state of the oracle is   $reject$. $Null$ means that the oracle is in a state where neither of the above conditions have occurred. If the oracle   ${\mathrm{I}}_{\mathrm{U}}^{\mathrm{i}}$ (or   ${\mathrm{I}}_{\mathrm{SN}}^{\mathrm{i}}$) is in   $accept$ and has already generated the session key, it obtains a session identity   ${\mathrm{Sid}}_{\mathrm{U}}^{\mathrm{i}}$ (or   ${\mathrm{Sid}}_{\mathrm{SN}}^{\mathrm{i}}$), a partner identity   ${\mathrm{Pid}}_{\mathrm{U}}^{\mathrm{i}}$ (${\mathrm{Pid}}_{\mathrm{SN}}^{\mathrm{i}}$), and the negotiated session key   ${\mathrm{SK}}_{\mathrm{U}}^{\mathrm{i}}$ (${\mathrm{SK}}_{\mathrm{SN}}^{\mathrm{i}}$).

Definition 3 (Partnering): 

If ${\mathrm{I}}_{\mathrm{U}}^{\mathrm{i}}$ and   ${\mathrm{I}}_{\mathrm{SN}}^{\mathrm{i}}$ are in the state of   $acceptance$, and have negotiated the session key, they are considered partners if the following conditions are also satisfied:

$$\left(1\right) {\mathrm{SK}}_{\mathrm{U}}^{\mathrm{i}}={\mathrm{SK}}_{\mathrm{SN}}^{\mathrm{i}}. \left(2\right) {\mathrm{Sid}}_{\mathrm{U}}^{\mathrm{i}}={\mathrm{Sid}}_{\mathrm{SN}}^{\mathrm{i}}\ne \mathrm{NULL}. \left(3\right) {\mathrm{I}}_{\mathrm{U}}^{\mathrm{i}}={\mathrm{Pid}}_{\mathrm{SN}}^{\mathrm{i}} \mathrm{and} {\mathrm{I}}_{\mathrm{SN}}^{\mathrm{i}}={\mathrm{Pid}}_{\mathrm{U}}^{\mathrm{i}}.$$

Definition 4 (Queries): 

In the model, the adversary is allowed to obtain all the messages transmitted via the open channel and launch active attacks based on the following queries:

Execute (${\mathrm{I}}_{\mathrm{U}}^{\mathrm{i}}$, ${\mathrm{I}}_{\mathrm{GWN}}^{\mathrm{i}}$, ${\mathrm{I}}_{\mathrm{SN}}^{\mathrm{i}}$): In this query, the scheme is executed, and all the messages transmitted openly are sent to the adversary $\mathrm{A}$ as a response, which models a passive attack launched by $\mathrm{A}$.

Send (${\mathrm{I}}_{\mathrm{P}}^{\mathrm{i}}$, ${\mathrm{MES}}_{\mathrm{i}}$): Send query simulates an attack in which $\mathrm{A}$ sends the message ${\mathrm{MES}}_{\mathrm{i}}$ to the oracle ${\mathrm{I}}_{\mathrm{P}}^{\mathrm{i}}$. ${\mathrm{I}}_{\mathrm{P}}^{\mathrm{i}}$ responses $\mathrm{A}$ according to the scheme if ${\mathrm{MES}}_{\mathrm{i}}$ is correct; otherwise, the message is neglected by ${\mathrm{I}}_{\mathrm{P}}^{\mathrm{i}}$.

Reveal (${\mathrm{I}}_{\mathrm{P}}^{\mathrm{i}}$): If the session key ${\mathrm{SK}}^{\mathrm{i}}$ has been negotiated by ${\mathrm{I}}_{\mathrm{U}}^{\mathrm{i}}$ and ${\mathrm{I}}_{\mathrm{SN}}^{\mathrm{i}}$, and both of them are in the $accept$ state and have not requested the query Test. Then this query reveals the session key ${\mathrm{SK}}^{\mathrm{i}}$, otherwise, it reveals $\mathrm{NULL}$.

CorruptUser (${\mathrm{I}}_{\mathrm{U}}^{\mathrm{i}}$): This query tends to offer the user’s important credentials. If the CorruptUser query is executed, the information $\left\{{\mathrm{MPW}}_{\mathrm{i}},{\tau }_{\mathrm{i}},{\mathrm{F}}_{\mathrm{i}},{\mathrm{Q}}_{\mathrm{i}},\mathrm{Rep}(.),\mathrm{h}(.)\right\}$ stored in the device is sent to $\mathrm{A}$.

CorruptSensor (${\mathrm{I}}_{\mathrm{SN}}^{\mathrm{i}}$): CorruptSensor query simulates the sensor node captured by $\mathrm{A}$. That is, the stored information $\left\{{\mathrm{b}}_{\mathrm{j}},{ \mathrm{SID}}_{\mathrm{j}}\right\}$ is provided to A when the query is executed.

Test (${\mathrm{I}}_{\mathrm{P}}^{\mathrm{i}}$): Test query is allowed to be executed only once by $\mathrm{A}$. If the session key has not been negotiated, this query returns $null$ to $\mathrm{A}$. Otherwise, the model generates a random bit $\mathrm{r}\in \left(0,1\right)$, if $\mathrm{r}=1$, the current session key is obtained by $\mathrm{A}$; if not, $\mathrm{A}$ gets a random number with the same length as the session key.

Hash (string): if $\mathrm{A}$ executes this query with an input string, the Hash query can output its hash value.

Definition 5 (Freshness): 

An instance ${\mathrm{I}}_{\mathrm{P}}^{\mathrm{i}}$ is regarded as fresh if the following conditions are satisfied.

(1) ${\mathrm{I}}_{\mathrm{U}}^{\mathrm{i}}$ and ${\mathrm{I}}_{\mathrm{SN}}^{\mathrm{i}}$ are   $accept$. (2) The query Reveal has not been executed. (3) The query CorruptUser has been executed at most once.

Definition 6 (Semantic Security): 

In the random oracle model, the adversary $\mathrm{A}$  is permitted to execute multiple Execute, Send, and Reveal queries and at most once Test query when the protocol is carried out. The correctness of the returned session key of the Test query is based on the random bit $\mathrm{r}$. If   $\mathrm{r}= {\mathrm{r}}^{\prime }$,   $\mathrm{A}$  breakthroughs the semantic security of   $\Pi$ successfully, where  ${\mathrm{r}}^{\prime }$ is a random bit guessed by $\mathrm{A}$. The advantage of breaking the semantic security of $\Pi$ is described as

$${\mathrm{Adv}}_{\Pi }\left(\mathrm{A}\right)=\left|2\mathrm{Pr}\left[\mathrm{r}= {\mathrm{r}}^{\prime }\right]-1\right|=\left|2\mathrm{Pr}\left[\mathrm{success}\left(\mathrm{A}\right)\right]-1\right|$$

If   ${\mathrm{Adv}}_{\Pi }\left(\mathrm{A}\right)<\mathsf{\eta }$, where $\mathsf{\eta }$ is sufficiently small, the negotiated session key is secure.

Definition 7 (ECDLP&CDHP): 

In the proposed scheme, the security of the session key negotiation is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP) and the Computational Diffie-Hellman Problem (CDHP). Assume that $\mathrm{P}$ is the generator point that belongs to   $\mathrm{E}\left({\mathrm{F}}_{\mathrm{p}}\right)$,   $\mathrm{x}$ is an integer selected from   ${\mathrm{Z}}_{\mathrm{p}}$. Given   $\mathrm{P}$ and   $\mathrm{xP}$, obtaining   $\mathrm{x}$ is computationally infeasible. In probabilistic polynomial time (PPT), the probability of solving ECDLP by an adversary is defined as

$${\mathrm{Adv}}_{\mathrm{A}}^{\mathrm{ECDLP}}=\mathrm{Pr}\left[\mathrm{A}\left(\mathrm{P},\mathrm{xP}\right)=\mathrm{x}:\mathrm{P}\in \mathrm{E}\left({\mathrm{F}}_{\mathrm{p}}\right);\mathrm{x}\in {\mathrm{Z}}_{\mathrm{p}}\right]. {\mathrm{Adv}}_{\mathrm{A}}^{\mathrm{ECDLP}}<\mathsf{\eta },$$

where   $\mathsf{\eta }$ is sufficiently small.

Given $\mathrm{P}$,  $\mathrm{xP}$, and $\mathrm{yP}$, where $\mathrm{x}$,  $\mathrm{y}\in {\mathrm{Z}}_{\mathrm{p}}$, it is computationally infeasible to compute $\mathrm{xyP}$ for an adversary $\mathrm{A}$ in  PPT. The probability of solving CDHP by A is expressed as

$${\mathrm{Adv}}_{\mathrm{A}}^{\mathrm{CDHP}}=\mathrm{Pr}\left[\mathrm{A}\left(\mathrm{P},\mathrm{xP},\mathrm{yP}\right)=\mathrm{xyP}:\mathrm{P}\in \mathrm{E}\left({\mathrm{F}}_{\mathrm{p}}\right);\mathrm{x},\mathrm{y}\in {\mathrm{Z}}_{\mathrm{p}}\right].$$

Also, ${\mathrm{Adv}}_{\mathrm{A}}^{\mathrm{CDHP}}<\mathsf{\eta }$.

4.2. Formal Proof

Theorem 1: 

Let ${\mathrm{Adv}}_{\Pi }\left(\mathrm{A}\right)$ represent the advantage that the semantic security of the proposed scheme $\Pi$ is breached by the adversary $\mathrm{A}$ in probabilistic polynomial time (PPT). ${\mathrm{Adv}}_{\Pi }\left(\mathrm{A}\right)$ can be expressed as:

$${\mathrm{Adv}}_{\Pi }\left(\mathrm{A}\right)\le \frac{{\mathrm{q}}_{\mathrm{hash}}^2}{2^{{\mathrm{l}}_{\mathrm{h}}}}+\frac{{({\mathrm{q}}_{\mathrm{send}}+{\mathrm{q}}_{\mathrm{execute}})}^2}{2^{{\mathrm{l}}_{\mathrm{A}}-1}}+2 {\mathrm{C}}^{\prime }·{\mathrm{q}}_{\mathrm{send}}^{ {\mathrm{s}}^{\prime }}·\frac{{\mathrm{q}}_{\mathrm{send}}}{2^{{\mathrm{l}}_{\mathsf{\sigma }}}}+{\mathrm{q}}_{\mathrm{hash}}\left(\frac{1}{2^{{\mathrm{l}}_{\mathrm{h}}-1}}+2{\mathrm{Adv}}_{\mathrm{A}}^{\mathrm{ECDLP}}\right)$$

where ${\mathrm{C}}^{\prime }$ and ${\mathrm{s}}^{\prime }$ are the regression parameters of the password dictionary. ${\mathrm{l}}_{\mathsf{\sigma }}$,  ${\mathrm{l}}_{\mathrm{h}}$ and ${\mathrm{l}}_{\mathrm{r}}$ are the bit-length of the biometric key, the output of the hash operation, and a random number, ${\mathrm{l}}_{\mathrm{A}}=\frac{{\mathrm{l}}_{\mathrm{r}}+{ \mathrm{l}}_{\mathrm{h}}}{2}$. Meanwhile,   $\mathrm{A}$ executes ${\mathrm{q}}_{\mathrm{hash}}$,  ${\mathrm{q}}_{\mathrm{send}}$ and ${\mathrm{q}}_{\mathrm{execute}}$ times Hash, Send, and Execute queries, respectively.

Proof: 

The adversary $\mathrm{A}$ aims to break the semantic security; we define a sequence of games to simulate the attacks; the games are donated as ${\mathrm{Game}}_{\mathrm{i}}$ ($0\le \mathrm{i}\le 4$). The event ${\mathrm{Event}}_{\mathrm{i}}$ ($0\le \mathrm{i}\le 4$) corresponds to the ${\mathrm{Game}}_{\mathrm{i}}$, which means that $\mathrm{A}$ successfully estimates the random bit $\mathrm{r}$ in Test query. The games are defined as follows.

${\mathrm{Game}}_0$: The real attack on the proposed scheme by A is implemented in this game. $\mathrm{A}$ must guess the bit $\mathrm{r}$ at the beginning. By definition, we get:

$${\mathrm{Adv}}_{\Pi }\left(\mathrm{A}\right)=\left|2\mathrm{Pr}\left[{\mathrm{Event}}_0\right]-1\right|$$

(1)

${\mathrm{Game}}_1$: This game simulates the eavesdropping attack launched by $\mathrm{A}$ after the Execute query is executed. With the help of the Test query, $\mathrm{A}$ gets a result, and he/she has to figure out whether the output is the session key. The session key-related messages are ${\mathrm{L}}_1={\mathrm{c}}_{\mathrm{i}}\mathrm{P}$, ${\mathrm{L}}_2={\mathrm{d}}_{\mathrm{j}}\mathrm{P}$, ${\mathrm{SID}}_{\mathrm{j}}$, and ${\mathrm{M}}_2={\mathrm{S}}_1\oplus \mathrm{h}\left({\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{b}}_{\mathrm{j}}\parallel { \mathrm{T}}_2\right)$, while $\mathrm{SK}=\mathrm{h}\left({\mathrm{c}}_{\mathrm{i}}{\mathrm{d}}_{\mathrm{j}}\mathrm{P}\parallel {\mathrm{L}}_1\parallel {\mathrm{L}}_2\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{S}}_1^{\prime }\right)$. $\mathrm{A}$ cannot figure out the relation between the messages captured and $\mathrm{SK}$ because of CDHP and the one-way hash function used in the session key negotiation. Therefore, we get:

$$\mathrm{Pr}\left[{\mathrm{Event}}_0\right]=\mathrm{Pr}\left[{\mathrm{Event}}_1\right]$$

(2)

${\mathrm{Game}}_2$: This is an active game that simulates Execute, Send, and Hash queries and dedicates itself to implementing collisions that occur in the transmitted messages. First, $\mathrm{A}$ tries to execute Hash queries to identify a collision in the hash output in the massages. According to the birthday paradox, the probability of a hash collision is at most $\frac{{\mathrm{q}}_{\mathrm{hash}}^2}{2^{{\mathrm{l}}_{\mathrm{h}}+1}}$. Where ${\mathrm{q}}_{\mathrm{hash}}$ is the execution time of the Hash query and ${\mathrm{l}}_{\mathrm{h}}$ is the bit length of the hash output. The collision probability of other transcripts is at most $\frac{{({\mathrm{q}}_{\mathrm{send}}+{\mathrm{q}}_{\mathrm{execute}})}^2}{2^{{\mathrm{l}}_{\mathrm{A}}+1}}$, where ${\mathrm{l}}_{\mathrm{A}}=\frac{{\mathrm{l}}_{\mathrm{r}}+{ \mathrm{l}}_{\mathrm{h}}}{2}$. Hence, we have:

$$\mathrm{Pr}\left[{\mathrm{Event}}_2\right]-\mathrm{Pr}\left[{\mathrm{Event}}_1\right]\le \frac{{\mathrm{q}}_{\mathrm{hash}}^2}{2^{{\mathrm{l}}_{\mathrm{h}}+1}}+\frac{{({\mathrm{q}}_{\mathrm{send}}+{\mathrm{q}}_{\mathrm{execute}})}^2}{2^{{\mathrm{l}}_{\mathrm{A}}}}$$

(3)

${\mathrm{Game}}_3$: In the proposed scheme, the negotiation and generation of the session key are based on CDHP and the hash function $\mathrm{SK}=\mathrm{h}\left({\mathrm{c}}_{\mathrm{i}}{\mathrm{d}}_{\mathrm{j}}\mathrm{P}\parallel {\mathrm{L}}_1\parallel {\mathrm{L}}_2\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{S}}_1^{\prime }\right)$. ${\mathrm{Game}}_3$ simulates that $\mathrm{A}$ executes Execute, Send, and CorruptSensor queries to calculate the session key without user-related information. It should be noted that CorruptSensor can only be executed after the session key has been negotiated. There are two ways that $\mathrm{A}$ computes $\mathrm{SK}$.

(1) It is possible for $\mathrm{A}$ to realize the collision of hash content; the probability is $\frac{{\mathrm{q}}_{\mathrm{hash}}}{2^{{\mathrm{l}}_{\mathrm{h}}}}$.

(2) Suppose $\mathrm{A}$ executes CorruptSensor after the negotiation of $\mathrm{SK}$, then he/she knows ${\mathrm{S}}_1^{\prime }$, $\mathrm{P}$, ${\mathrm{L}}_1$, ${\mathrm{L}}_2$, and ${\mathrm{SID}}_{\mathrm{j}}$. $\mathrm{A}$ tends to calculate ${\mathrm{c}}_{\mathrm{i}}{\mathrm{d}}_{\mathrm{j}}\mathrm{P}$ or ${\mathrm{d}}_{\mathrm{j}}{\mathrm{c}}_{\mathrm{i}}\mathrm{P}$, the probability of the above calculating is ${\mathrm{q}}_{\mathrm{hash}}{\mathrm{Adv}}_{\mathrm{A}}^{\mathrm{ECDLP}}$.

Therefore, we got:

$$\mathrm{Pr}\left[{\mathrm{Event}}_3\right]-\mathrm{Pr}\left[{\mathrm{Event}}_2\right]\le {\mathrm{q}}_{\mathrm{hash}}\left(\frac{1}{2^{{\mathrm{l}}_{\mathrm{h}}}}+{\mathrm{Adv}}_{\mathrm{A}}^{\mathrm{ECDLP}}\right)$$

(4)

${\mathrm{Game}}_4$: This game simulates the user’s device, which is obtained by $\mathrm{A}$. Therefore, the CorruptUser query is executed first, and $\mathrm{A}$ gets $\left\{{\mathrm{MPW}}_{\mathrm{i}},{\tau }_{\mathrm{i}},{\mathrm{F}}_{\mathrm{i}},{\mathrm{Q}}_{\mathrm{i}},\mathrm{Rep}(.),\mathrm{h}(.)\right\}$. Then, $\mathrm{A}$ forges ${\mathrm{MES}}_1=\left\{{\mathrm{DID}}_{\mathrm{i}}^{*},{\mathrm{SID}}_{\mathrm{j}},{\mathrm{M}}_1,{\mathrm{L}}_1,{\mathrm{T}}_1\right\}$ and executes the Send query. Where ${\mathrm{MPW}}_{\mathrm{i}}^{*}=h\left({\mathrm{ID}}_{\mathrm{i}}^{*}\parallel {\mathrm{PW}}_{\mathrm{i}}^{*}\parallel {\sigma }_i^{*}\right) mod n$, ${\mathrm{DID}}_{\mathrm{i}}^{*}={\mathrm{Q}}_{\mathrm{i}}\oplus \mathrm{h}\left(R_i\left|\right|1\right)$, ${\mathrm{M}}_1=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{*}\parallel {\mathrm{DID}}_{\mathrm{i}}^{*}\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{L}}_1\parallel {\mathrm{a}}_{\mathrm{i}}^{*}\parallel {\mathrm{T}}_1\right)$, and ${\mathrm{L}}_1={\mathrm{c}}_{\mathrm{i}}\mathrm{P}$. ${\mathrm{PW}}_{\mathrm{i}}^{*}$ and ${\mathsf{\sigma }}_{\mathrm{i}}^{*}$ are confidential to $\mathrm{A}$; the probability of $\mathrm{A}$ guessing the biometric key is $\frac{1}{2^{{\mathrm{l}}_{\mathsf{\sigma }}}}$, where ${\mathrm{l}}_{\mathsf{\sigma }}$ is the bit-length of the biometric key. According to Zipf’s law [39], we get:

$$\mathrm{Pr}\left[{\mathrm{Event}}_4\right]-\mathrm{Pr}\left[{\mathrm{Event}}_3\right]\le {\mathrm{C}}^{\prime }·{\mathrm{q}}_{\mathrm{send}}^{ {\mathrm{s}}^{\prime }}·\frac{{\mathrm{q}}_{\mathrm{send}}}{2^{{\mathrm{l}}_{\mathsf{\sigma }}}}$$

(5)

where ${\mathrm{C}}^{\prime }$ and ${\mathrm{S}}^{\prime }$ are the regression parameters of the password dictionary space; they are constants that are computed by the linear regression.

We know that the probability of guessing the random bit $\mathrm{r}$ is equal to the probability of $\mathrm{A}$ successfully getting the session key from the Test query. Consequently, we get:

$$\mathrm{Pr}\left[{\mathrm{Event}}_4\right]=\frac{1}{2}$$

(6)

According to formulas (1) and (2), we get:

$${\mathrm{Adv}}_{\Pi }\left(\mathrm{A}\right)=\left|2\mathrm{Pr}\left[{\mathrm{Event}}_1\right]-1\right|$$

(7)

That is:

$$\frac{1}{2}{\mathrm{Adv}}_{\Pi }\left(\mathrm{A}\right)=\left|\mathrm{Pr}\left[{\mathrm{Event}}_1\right]-\frac{1}{2}\right|$$

(8)

From (6) to (8), we have:

$$\begin{gathered} \frac{1}{2}{\mathrm{Adv}}_{\Pi }\left(\mathrm{A}\right)=\left|\mathrm{Pr}\left[{\mathrm{Event}}_1\right]-\mathrm{Pr}\left[{\mathrm{Event}}_4\right]\right| \\ \le \left|\mathrm{Pr}\left[{\mathrm{Event}}_1\right]-\mathrm{Pr}\left[{\mathrm{Event}}_2\right]\right|+|\mathrm{Pr}\left[{\mathrm{Event}}_2\right] \\ -\mathrm{Pr}\left[{\mathrm{Event}}_3\right]|+|\mathrm{Pr}\left[{\mathrm{Event}}_3\right]-\mathrm{Pr}\left[{\mathrm{Event}}_4\right]| \end{gathered}$$

(9)

Combining (1) to (7), we have:

$$\begin{array}{c}\frac{1}{2}\mathrm{A}\mathrm{d}{\mathrm{v}}_{\Pi }\left(\mathrm{A}\right)\le \frac{{\mathrm{q}}_{\mathrm{hash}}^2}{2^{{\mathrm{l}}_{\mathrm{h}}+1}}+\frac{{({\mathrm{q}}_{\mathrm{send}}+{\mathrm{q}}_{\mathrm{execute}})}^2}{2^{{\mathrm{l}}_{\mathrm{A}}}}\\ + {\mathrm{C}}^{\prime }·{\mathrm{q}}_{\mathrm{send}}^{ {\mathrm{s}}^{\prime }}·\frac{{\mathrm{q}}_{\mathrm{send}}}{2^{{\mathrm{l}}_{\mathsf{\sigma }}}}\\ +{\mathrm{q}}_{\mathrm{hash}}\left(\frac{1}{2^{{\mathrm{l}}_{\mathrm{h}}}}+\mathrm{A}\mathrm{d}{\mathrm{v}}_{\mathrm{A}}^{\mathrm{ECDLP}}\right)\end{array}$$

(10)

That is:

$$\begin{array}{c}\mathrm{A}\mathrm{d}{\mathrm{v}}_{\Pi }\left(\mathrm{A}\right)\le \frac{{\mathrm{q}}_{\mathrm{hash}}^2}{2^{{\mathrm{l}}_{\mathrm{h}}}}+\frac{{({\mathrm{q}}_{\mathrm{send}}+{\mathrm{q}}_{\mathrm{execute}})}^2}{2^{{\mathrm{l}}_{\mathrm{A}}-1}}\\ +2 {\mathrm{C}}^{\prime }·{\mathrm{q}}_{\mathrm{send}}^{ {\mathrm{s}}^{\prime }}·\frac{{\mathrm{q}}_{\mathrm{send}}}{2^{{\mathrm{l}}_{\mathsf{\sigma }}}}\\ +{\mathrm{q}}_{\mathrm{hash}}\left(\frac{1}{2^{{\mathrm{l}}_{\mathrm{h}}-1}}+2\mathrm{A}\mathrm{d}{\mathrm{v}}_{\mathrm{A}}^{\mathrm{ECDLP}}\right)\end{array}$$

(11)

□

5. Informal Security Analysis

In this section, we discuss the potential attacks against the proposed scheme.

5.1. Off-Line Password Guessing Attack

The user’s password is not conveyed publicly and is only used for login. Suppose the attacker ${\mathrm{U}}_{\mathrm{A}}$ gets the device of the user and can obtain the values $\left\{{\mathrm{MPW}}_{\mathrm{i}},{\tau }_i,{\mathrm{F}}_{\mathrm{i}},{\mathrm{Q}}_{\mathrm{i}},\mathrm{Rep}(.),h(.), n, PUF,C_i\right\}$ stored in the device, where ${\mathrm{MPW}}_{\mathrm{i}}=h\left({\mathrm{ID}}_{\mathrm{i}}\parallel {\mathrm{PW}}_{\mathrm{i}}\parallel {\mathsf{\sigma }}_{\mathrm{i}}\right)\mathrm{mod} n$, $R_i=PUF\left(C_i\right)$, ${\mathrm{F}}_{\mathrm{i}}={\mathrm{a}}_{\mathrm{i}}\oplus h\left(R_i\right)$, ${\mathrm{Q}}_{\mathrm{i}}={\mathrm{DID}}_{\mathrm{i}}\oplus h\left(R_i\left|\right|1\right)$, ${\mathsf{\sigma }}_{\mathrm{i}}$ is the user’s biometric key, $\left({\mathsf{\sigma }}_{\mathrm{i}},{ \tau }_{\mathrm{i}}\right)= \mathrm{Gen}\left({\mathrm{fng}}_{\mathrm{i}}\right)$. Assume an attacker can obtain the biometric information and attempt to guess $\left(I{D}_i,P{W}_i\right)$ to match ${\mathrm{MPW}}_{\mathrm{i}}$. When $n=256$, there are $\left|D_{PW}\right|\ast \left|D_{ID}\right|/n\approx 2^{32}$ candidates of the $\left(I{D}_i,P{W}_i\right)$ pair [40]. Therefore, the attacker cannot know which pair is correct, so the proposed scheme can resist offline password guessing attacks.

5.2. Three-Factor Secrecy

According to the above analysis, if an attacker knows the user’s biometric information and parameters stored on the device, he/she cannot know the correct $\left(I{D}_i,P{W}_i\right)$, so the attacker cannot get ${\mathrm{a}}_{\mathrm{i}}$ and launch any attacks.

If an attacker knows the user’s biometric information and password but cannot know the parameters stored in the device, he/she still cannot know ${\mathrm{a}}_{\mathrm{i}}$ and launch any attacks.

If an attacker knows the user’s password and parameters stored in user’s device, he/she still cannot know ${\mathrm{a}}_{\mathrm{i}}$ and launch any attacks.

Therefore, our protocol achieves three-factor secrecy.

5.3. Forgergery Attack and Impersonation Attack

Suppose an attacker ${\mathrm{U}}_{\mathrm{A}}$ tries to impersonate a legal user ${\mathrm{U}}_{\mathrm{i}}$ to send ${\mathrm{MES}}_1=\left\{{\mathrm{DID}}_{\mathrm{i}}^{*},{\mathrm{SID}}_{\mathrm{j}},{\mathrm{M}}_1,{\mathrm{L}}_1,{\mathrm{T}}_1\right\}$, but he/she cannot forge ${\mathrm{M}}_1=\mathrm{h}\left({\mathrm{ID}}_{\mathrm{i}}^{*}\parallel {\mathrm{DID}}_{\mathrm{i}}^{*}\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{L}}_1\parallel {\mathrm{a}}_{\mathrm{i}}^{*}\parallel {\mathrm{T}}_1\right)$, because ${\mathrm{a}}_{\mathrm{i}}^{*}$ is contained in ${\mathrm{F}}_{\mathrm{i}}$ with PUF securely and it contains the timestamp ${\mathrm{T}}_1$. Therefore, attackers cannot impersonate legal users.

The attacker is unable to impersonate the gateway to sends ${\mathrm{MES}}_2$ or ${\mathrm{MES}}_4$, because ${\mathrm{K}}_{\mathrm{GWN}}$ is not available. So, he/she is unable to compute ${\mathrm{b}}_{\mathrm{j}}$ and ${\mathrm{a}}_{\mathrm{i}}^{\prime }$ to forge ${\mathrm{M}}_2$, ${\mathrm{M}}_3$ and ${\mathrm{M}}_6$. Meanwhile, replaying those messages cannot be worked because of timestamps.

5.4. Update Asynchronous Attack

In steps 4 and 5, the gateway updates the ${\mathrm{DID}}_{\mathrm{i}}$ of the user. Suppose an attacker captures or modifies the message ${\mathrm{MES}}_4=\left\{{\mathrm{M}}_5,{\mathrm{M}}_6,{\mathrm{L}}_2,{\mathrm{T}}_4\right\}$, ${\mathrm{MES}}_4$ cannot pass the substantiation because ${\mathrm{M}}_6\ne {\mathrm{M}}_6^{\prime }$, however, which only reflects the current session, the user is not affected. The gateway obtains the real identity of the user by computing $\left({\mathrm{ID}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{r}}_{\mathrm{g}}^{\prime }\right)={\mathrm{DID}}_{\mathrm{i}}^{*}\oplus \mathrm{h}\left({\mathrm{K}}_{\mathrm{GWN}}\right)$, so the gateway does not store ${\mathrm{DID}}_{\mathrm{i}}$, the user can still use the previous ${\mathrm{DID}}_{\mathrm{i}}$ for a new session run.

5.5. Replay Attack

Because each message uses a fresh timestamp and new random numbers, replay attacks cannot pass verification.

5.6. Sensor Node Captured Attack

Suppose an attacker captures ${\mathrm{SN}}_{\mathrm{j}}$ and obtains $\left\{{\mathrm{B}}_{\mathrm{j}},{ \mathrm{SID}}_{\mathrm{j}}, PUF,C_j\right\}$, where R_j = PUF(C_j), ${\mathrm{B}}_{\mathrm{j}}={\mathrm{b}}_{\mathrm{j}}\oplus \mathrm{h}\left(R_j\right), {\mathrm{b}}_{\mathrm{j}}=\mathrm{h}\left({\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{K}}_{\mathrm{GWN}}\right)$. However, the attacker cannot know $\left\{{\mathrm{b}}_{\mathrm{j}}\right\}$, due to the security properties of PUF. So the attacker cannot know the secret parameters of users and the gateway from the session run, and he/she cannot impersonate other sensor nodes because different sensor nodes have different secret parameters.

5.7. Anonymity and Unlinkability

In the proposed scheme, ${\mathrm{DID}}_{\mathrm{i}}=\left({\mathrm{ID}}_{\mathrm{i}}\parallel {\mathrm{r}}_{\mathrm{g}}\right)\oplus \mathrm{h}\left({\mathrm{K}}_{\mathrm{GWN}}\right)$, where ${\mathrm{ID}}_{\mathrm{i}}$ is the user’s real identity, which is contained in the temporary identity ${\mathrm{DID}}_{\mathrm{i}}$, ${\mathrm{r}}_{\mathrm{g}}$ is a nonce. The ${\mathrm{DID}}_{\mathrm{i}}$ is different in each session because the gateway update the ${\mathrm{DID}}_{\mathrm{i}}$ with a new nonce. Only the gateway knows the user’s identity by computing $\left({\mathrm{ID}}_{\mathrm{i}}^{\prime }\parallel {\mathrm{r}}_{\mathrm{g}}^{\prime }\right)={\mathrm{DID}}_{\mathrm{i}}^{*}\oplus \mathrm{h}\left({\mathrm{K}}_{\mathrm{GWN}}\right)$. The attackers cannot obtain ${\mathrm{ID}}_{\mathrm{i}}$ or trace the user by ${\mathrm{DID}}_{\mathrm{i}}$. Our scheme meets the requirements of anonymity and unlinkability.

5.8. Known Session Key Security

In our scheme, the session key $\mathrm{SK}=\mathrm{h}\left({\mathrm{d}}_{\mathrm{j}}{\mathrm{c}}_{\mathrm{i}}\mathrm{P}\parallel {\mathrm{L}}_1\parallel {\mathrm{L}}_2\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{S}}_1^{\prime }\right)$, the negotiation of the session key is based on the Elliptic Curve Diffie–Hellman Problem (ECDHP). The random numbers used in the negotiation are different in each session; therefore, the session keys are unlinkable. Even if the adversary knows the current session key, he/she cannot obtain the other session keys or any long-term keys.

5.9. Perfect Forward Secrecy

The session key $\mathrm{SK}=\mathrm{h}\left({\mathrm{d}}_{\mathrm{j}}{\mathrm{c}}_{\mathrm{i}}\mathrm{P}\parallel {\mathrm{L}}_1\parallel {\mathrm{L}}_2\parallel {\mathrm{SID}}_{\mathrm{j}}\parallel {\mathrm{S}}_1^{\prime }\right)$, where ${\mathrm{d}}_{\mathrm{j}}$ and ${\mathrm{c}}_{\mathrm{i}}$ are the random numbers generated by the sensor node and the user, respectively. Assuming the adversary knows all the long-term keys, such as the password ${\mathrm{PW}}_{\mathrm{i}}$ of the user, the shared secret parameters ${\mathrm{a}}_{\mathrm{i}}$ and ${\mathrm{b}}_{\mathrm{j}}$, even the secret key ${\mathrm{K}}_{\mathrm{GWN}}$ of the gateway, he/she still cannot obtain the previous random numbers to calculate the former session keys. Therefore, the proposed scheme maintains perfect forward secrecy.

5.10. Mutual Authentication

In our protocol, both parties—the user, the gateway, and the sensor node—have achieved mutual authentication.

On receiving $ME{S}_1=\left\{DI{D}_i^{*},SI{D}_j,M_1,L_1,T_1\right\}$, the gateway verifies $M_1^{\prime }=h\left( I{D}_i^{\prime }\parallel DI{D}_i^{*}\parallel SI{D}_j\parallel L_1\parallel a_i^{\prime }\parallel T_1\right)$ to authenticate the user, where $a_i^{\prime }=h\left(I{D}_i^{\prime }\parallel K_{GWN}\right)$ can only be recovered by the user and the gateway. Similarly, the user verifies $M_6^{\prime }=h\left(DI{D}_i^{new*}\parallel L_2\parallel L_1\parallel SI{D}_j\parallel a_i^{*}\parallel T_4\right)$ to authenticate the gateway.

By verifying the shared secret parameter $b_j$ in $M_3=h\left(M_2\parallel S_1\parallel SI{D}_j\parallel b_j\parallel L_1\parallel T_2\right)$ and $M_4=h\left(S_1^{\prime }\parallel b_j\parallel SI{D}_j\parallel L_2\parallel T_3\right)$, the gateway and the sensor node authenticate each other.

Through a feasible third-party, the gateway, the user, and the sensor node achieve mutual authentication.

6. Performance Comparison

In this section, we will analyze the security properties and the computational costs between our scheme and some related schemes (Shuai et al. [23], Sharma and Kalra [24], Fotouhi et al. [26], Rangwani and Om [27], Shuai et al. [29], Xie et al. [30], Kin et al. [32], and Masud et al. [33]), which are given in

Table 2. Comparison of Our Scheme and Related Schemes in Attack/Properties.

Attacks/Properties	[23]	[24]	[26]	[27]	[29]	[30]	[32]	[34]	Ours
Privileged-Insider Attack	✓	✗	✓	✓	✓	✓	✗	✓	✓
Off-line Password Guessing Attack	✓	✗	✓	✓	✓	✓	✗	✓	✓
Impersonation Attack	✓	✗	✓	✓	✓	✓	✗	✗	✓
Replay Attack	✓	✓	✓	✓	✓	✓	✓	✓	✓
Man-in-Middle Attack	✓	✓	✓	✓	✓	✓	✓	✓	✓
Smart Card (Device) Loss Attack	✓	✗	✓	✓	✓	✓	✗	✓	✓
Sensor Node Captured Attack	✓	✗	✗	✓	✓	✗	✓	✗	✓
Stolen-Verifier Attack	✗	✓	✓	✓	✗	✓	✗	✓	✓
Update Asynchronous Attack	✗	✓	✓	✓	✗	✓	✗	✓	✓
Identity Anonymity	✓	✗	✓	✓	✓	✓	✗	✓	✓
Mutual Authentication	✓	✓	✓	✓	✓	✓	✓	✓	✓
Session Key Secrecy	✓	✗	✓	✓	✓	✓	✗	✗	✓
Known Session Key Attack	✓	✓	✓	✓	✓	✓	✗	✗	✓
Perfect Forward Secrecy	✗	✗	✗	✗	✗	✓	✗	✗	✓
Unlinkability	✓	✗	✓	✓	✓	✓	✗	✗	✓
n-Factor Security	✗	✗	✗	✗	✗	✗	✗	✗	✓

✓: Resist (Attacks)/Possess (Properties); ✗: Suffer (Attacks)/No (Properties).

and

Table 3. Comparison of Computational Costs.

Scheme	User	Gateway	Sensor	Total	$\mathbf{Time} \left(\mathrm{ms}\right)$
[23]	$11{\mathrm{T}}_{\mathrm{H}}$	$17{\mathrm{T}}_{\mathrm{H}}$	$7{\mathrm{T}}_{\mathrm{H}}$	$35{\mathrm{T}}_{\mathrm{H}}$	2.38 $\mathrm{ms}$
[24]	$12{\mathrm{T}}_{\mathrm{H}}$	$8{\mathrm{T}}_{\mathrm{H}}$	$14{\mathrm{T}}_{\mathrm{H}}$	$34{\mathrm{T}}_{\mathrm{H}}$	2.312 $\mathrm{ms}$
[26]	$10{\mathrm{T}}_{\mathrm{H}}$	$20{\mathrm{T}}_{\mathrm{H}}$	$6{\mathrm{T}}_{\mathrm{H}}$	$36{\mathrm{T}}_{\mathrm{H}}$	2.448 $\mathrm{ms}$
[27]	$6{\mathrm{T}}_{\mathrm{H}}+3{\mathrm{T}}_{\mathrm{AS}}$	$8{\mathrm{T}}_{\mathrm{H}}+{\mathrm{T}}_{\mathrm{AS}}$	$7{\mathrm{T}}_{\mathrm{H}}+2{\mathrm{T}}_{\mathrm{AS}}$	$21{\mathrm{T}}_{\mathrm{H}}+6{\mathrm{T}}_{\mathrm{AS}}$	134.334 $\mathrm{ms}$
[29]	$7{\mathrm{T}}_{\mathrm{H}}+2{\mathrm{T}}_{\mathrm{S}}$	$4{\mathrm{T}}_{\mathrm{H}}$	$10{\mathrm{T}}_{\mathrm{H}}+2{\mathrm{T}}_{\mathrm{S}}$	$21{\mathrm{T}}_{\mathrm{H}}+4{\mathrm{T}}_{\mathrm{S}}$	3.668 $\mathrm{ms}$
[30]	$7{\mathrm{T}}_{\mathrm{H}}+3{\mathrm{T}}_{\mathrm{M}}$	$7{\mathrm{T}}_{\mathrm{H}}+{\mathrm{T}}_{\mathrm{M}}$	$4{\mathrm{T}}_{\mathrm{H}}+2{\mathrm{T}}_{\mathrm{M}}$	$18{\mathrm{T}}_{\mathrm{H}}+6{\mathrm{T}}_{\mathrm{M}}$	16.23 $\mathrm{ms}$
[32]	$3{\mathrm{T}}_{\mathrm{H}}$	$3{\mathrm{T}}_{\mathrm{H}}$	$2{\mathrm{T}}_{\mathrm{H}}$	$8{\mathrm{T}}_{\mathrm{H}}$	0.544 $\mathrm{ms}$
[34]	$6{\mathrm{T}}_{\mathrm{H}}$	$5{\mathrm{T}}_{\mathrm{H}}$	$3{\mathrm{T}}_{\mathrm{H}}$	$14{\mathrm{T}}_{\mathrm{H}}$	0.952 $\mathrm{ms}$
Ours	$4{\mathrm{T}}_{\mathrm{H}}+2{\mathrm{T}}_{\mathrm{M}}$	$11{\mathrm{T}}_{\mathrm{H}}$	$4{\mathrm{T}}_{\mathrm{H}}+2{\mathrm{T}}_{\mathrm{M}}$	$19{\mathrm{T}}_{\mathrm{H}}+4{\mathrm{T}}_{\mathrm{M}}$	11.296 $\mathrm{ms}$

.

In Shuai et al.’s scheme [23], GWN stores the user information table after registration, which contains users’ identity and identity verification parameters. The attackers can impersonate legitimate users after launching the stolen-verifier attack. In addition, the stored parameters need to be updated after authentication; the update asynchronous attack prevents users and sensor nodes from being authenticated correctly. The leakage of long-term keys will lead to the recovery of the previous session keys, so the scheme cannot provide perfect forward secrecy.

In Sharma and Kalra’s scheme [24], the user’s device stores $\left\{{\mathrm{a}}_{\mathrm{I}},I,{\mathrm{I}}_{\mathrm{i}},{\mathrm{R}}_1\right\}$, where ${\mathrm{a}}_{\mathrm{i}}=\mathrm{H}\left(\mathrm{H}\left({\mathrm{PS}}_{\mathrm{i}}\parallel {\mathrm{R}}_1\right)\parallel {\mathrm{Id}}_{\mathrm{i}}\right)$, ${\mathrm{PS}}_{\mathrm{i}}$ is the password. The gateway and the sensor nodes share a long-term secret parameter, $\mathrm{K}$, After launching the sensor captured attack, user identity ${\mathrm{Id}}_{\mathrm{i}}$ can be obtained by calculating ${\mathrm{Id}}_{\mathrm{i}}={\mathrm{V}}_{\mathrm{i}}\oplus \mathrm{H}\left(\mathrm{H}\left(\mathrm{K}\right)\parallel {\mathrm{T}}_1\right)$. Therefore, the protocol cannot resist privileged-insider attacks, offline password guessing attacks, impersonation attacks, and sensor node capture attacks. The session key ${\mathrm{S}}_{\mathrm{K}}=\mathrm{H}\left({\mathrm{N}}_{\mathrm{i}}\oplus {\mathrm{N}}_{\mathrm{j}}\right)$, where ${\mathrm{N}}_{\mathrm{i}}$ and ${\mathrm{N}}_{\mathrm{j}}$ can be obtained easily by calculating ${\mathrm{N}}_{\mathrm{i}}={\mathrm{V}}_2\oplus \mathrm{H}\left(\mathrm{H}\left({\mathrm{Id}}_{\mathrm{i}}\parallel \mathrm{K}\right)\parallel {\mathrm{T}}_1\right)$ and ${\mathrm{N}}_{\mathrm{j}}={\mathrm{V}}_6\oplus \mathrm{H}\left(\mathrm{H}\left({\mathrm{Id}}_{\mathrm{i}}\parallel \mathrm{K}\right)\parallel {\mathrm{T}}_3\right)$. Therefore, the protocol cannot provide identity anonymity, session key secrecy, perfect forward secrecy, or unlinkability.

In Fotouhi et al.’s scheme [26] and Rangwani and Om’s scheme [27], if the long-term keys are compromised, the previous session keys will be easily recovered, which cannot provide perfect forward secrecy.

In Shuai et al.’s scheme [29], if the parameter updates are disturbed, the users and the sensor nodes cannot be authenticated by the gateway again. Suppose the adversary obtains the long-term key ${\mathrm{K}}_2$ of the sensor node; he/she can compute the session keys by calculating $\left(\mathrm{SK}\parallel {\mathrm{ID}}_{\mathrm{i}}\right)={\mathrm{M}}_2\oplus \mathrm{h}\left({\mathrm{K}}_2\parallel {\mathrm{SID}}_{\mathrm{j}}\right)$. In addition, the gateway stores the table $\left\{{\mathrm{SID}}_{\mathrm{j}},{\mathrm{K}}_2\right\}$, which can be used for impersonating sensor nodes or paralyzing sensor nodes. Therefore, the protocol cannot resist stolen-verifier attacks and update asynchronous attacks and cannot provide perfect forward secrecy.

In Kim et al.’s scheme [34], because $TI{D}_i^{new}=TI{D}_i\oplus G{M}_2\oplus G{M}_3$, where $G{M}_2$ and $G{M}_3$ are public transmitted, so the attackers can trace the user because $TI{D}_i$ and $TI{D}_i^{new}$ are linkable. On the other hand, the attackers can use a side-channel attack to obtain $U_i{M}_2$ and $U_i{M}_3$, and obtain $G{M}_6$ from public channel, and can compute $S_i^1=G{M}_6\oplus TI{D}_i^{new}$, $S_i^2=U_i{M}_2\oplus U_i{M}_3\oplus S_i^1$, then they can launch user impersonation attacks and sensor node impersonation attacks. Kim et al.’s scheme also cannot achieve session key secrecy, perfect forward secrecy, two-factor secrecy, or known session key secrecy, and cannot resist sensor node captured attacks.

According to Table 2, we can know that our scheme is safer than other related schemes.

In the environment of a Windows 10 64-bit PC with an Intel Core i5-3210M CPU running at 2.5 GHz and 8 GB of RAM, we obtain ${\mathrm{T}}_{\mathrm{H}}=0.068 \mathrm{ms}$, ${\mathrm{T}}_{\mathrm{M}}=2.501 \mathrm{ms}$, ${\mathrm{T}}_{\mathrm{AS}}=22.151 \mathrm{ms}$, and ${\mathrm{T}}_{\mathrm{S}}=0.56 \mathrm{ms}$ [41], where $\mathrm{ms}$ is millisecond, ${\mathrm{T}}_{\mathrm{H}}$, ${\mathrm{T}}_{\mathrm{M}}$, ${\mathrm{T}}_{\mathrm{AS}}$, and ${\mathrm{T}}_{\mathrm{S}}$ represent the time spent in hash operations, the times of elliptic curve scalar multiplication, asymmetric encryption/decryption, and symmetric encryption/decryption, respectively.

According to Table 3, although the computational costs of Shuai et al.’s scheme [23], Sharma and Kalra’s scheme [24], Fotouhi et al.’s scheme [26], Shuai et al.’s scheme [29], Masud et al.’s scheme [32], and Kim et al.’s scheme [34] are lower than ours, those schemes have some weaknesses, such as having no perfect forward secrecy and anonymity. No perfect forward secrecy and anonymity mean that the previous session keys, previous messages, and identities are at risk of disclosure, which is hazardous to the patient’s health and privacy. The cost of Rangwani and Om’s scheme [27] and Xie et al.’s scheme [30] is higher than ours; moreover, Rangwani and Om’s scheme [27] also has the above problems, and an adversary can obtain the user’s identity if he/she captures a sensor node in [30], while Xie et al.’s scheme [30] cannot achieve three-factor secrecy and sensor node captured attacks. Therefore, our scheme is lightweight and secure and can satisfy the requirements of healthcare.

7. Conclusions

In this paper, to solve the security problems of the existing protocols for IoT-based healthcare, we propose a security-enhanced authentication scheme based on ECC and PUF. A dynamic anonymous policy is designed to guarantee the user’s privacy and unlinkability even if the sensor node is captured. We use PUF to protect information stored in users’ devices and sensor nodes and can also resist sensor node capture attacks. Through informal security analysis and formal security proof under the random oracle model, our scheme can resist various attacks and maintain anonymity, unlinkability, three-factor secrecy, and perfect forward secrecy. Compared with other related schemes, our scheme achieves higher security and keeps lightweight computing efficiency, which can be used in IoT-based healthcare.