An Efficient User Authentication and User Anonymity Scheme with Provably Security for IoT-Based Medical Care System

In recent years, with the increase in degenerative diseases and the aging population in advanced countries, demand for the medical care of older or solitary people has increased continually in hospitals and healthcare institutions. Applying wireless sensor networks to an IoT-based telemedicine system enables doctors, caregivers or families to monitor patients' physiological conditions at any time and any place according to the acquired information. However, transmitting physiological data through the Internet raises concerns about the personal privacy of patients. Therefore, before users can access medical care services in an IoT-based medical care system, they must be authenticated. Typically, user authentication and data encryption are the most critical mechanisms for securing network communications over a public channel between two or more participants. In 2016, Liu and Chung proposed a bilinear pairing-based password authentication scheme for wireless healthcare sensor networks. They claimed that their authentication scheme can not only secure sensor data transmission but also resist various well-known security attacks. In this paper, we demonstrate that Liu-Chung's scheme has several security weaknesses, and we further present an improved secure authentication and data encryption scheme for the IoT-based medical care system, which provides user anonymity and prevents replay and password/sensed data disclosure attacks. Moreover, we modify the authentication process to reduce redundancy in the protocol design, and the proposed scheme is more efficient in performance than previous related schemes. Finally, the proposed scheme is provably secure in the random oracle model under ECDHP.


Introduction
As more network technologies and smart devices have been developed, many IoT (Internet of Things) applications have been proposed, such as transportation and logistics services, healthcare services and a variety of smart environment (home, office, plant) domains. IoT is going to create a world where physical things are seamlessly integrated into communication networks in order to provide autonomous and intelligent services that improve people's lives. In general, an IoT system involves three components: a sensing unit, which contains a large number of sensors, actuators and mobile terminals to sense the physical environment; a network layer, which includes all network techniques with heterogeneous network configurations for data transmission; and an intelligent computing layer, which offers the expected services or applications to IoT end users by mining and analyzing the collected data.
IoT-based wireless sensor networks (WSNs) have received considerable attention in a variety of domains, such as environmental monitoring, intelligent appliances in daily living, medical care services, etc. Because chronic and cardiovascular diseases have become the most common diseases in advanced countries, the demand for medical care of such patients has increased substantially in hospitals and healthcare institutions. For the development of medical care services in hospitals and healthcare institutions, IoT-based WSN technology is used to supplement physiological data collection and measurement, enabling doctors, caregivers and families to examine the physiological conditions of patients remotely at any time and any place through the Internet [1][2][3][4][5][6]. When IoT is employed for medical care services in hospitals or healthcare institutions, WSNs sense and collect the physiological parameters of patients periodically and transmit the acquired data to authorized medical personnel, enabling professional doctors and medical personnel to monitor patients' health conditions in real time and to provide patients with appropriate medical care and treatment.
To apply IoT-based WSNs to medical care services successfully, ensuring the personal privacy of patients and preventing malicious network intrusion are paramount. Undoubtedly, the foundation of security is to authenticate the legitimacy of remote users and to ensure the integrity of data transmissions [7][8][9][10][11][12]. In the last decade, a variety of user authentication schemes for WSNs have been presented. In 2006, Wong et al. [13] introduced an efficient user authentication scheme for WSNs using lightweight hash functions and XOR operations. In 2007, Tseng et al. [14] pointed out that Wong et al.'s scheme is vulnerable to replay, forgery and password guessing attacks. Furthermore, in 2008, Lee [15] showed that the computational overheads of Wong et al.'s scheme are not suitable for resource-constrained sensor nodes. In 2009, Das [16] suggested a two-factor (namely password and smart card) authentication mechanism for WSNs, which not only prevents a series of security threats but also achieves efficiency in terms of computational overheads. However, Huang et al. [17] and Li et al. [18] pointed out that Das's scheme is vulnerable to off-line password guessing, user impersonation, node impersonation and unknown user attacks and that it does not provide user anonymity. In 2012, Yoo et al. [19] pointed out that Huang et al.'s scheme is vulnerable to insider and parallel session attacks and that it does not provide mutual authentication between system participants. In 2013, Xue et al. [20] presented a temporal-credential-based authentication scheme for resource-constrained WSNs, and the authors claimed that their scheme satisfies relatively more security criteria without increasing system overheads too much in terms of communication, computation and storage. Parallel to Xue et al.'s work, in the same year, Li et al. [3] showed by cryptanalysis that Xue et al.'s scheme cannot withstand off-line password guessing, stolen-verifier, privileged insider, many logged-in users' and stolen smart card attacks, and these security threats make Xue et al.'s scheme inapplicable to practical WSN applications.
In order to design a secure two-factor user authentication scheme for wireless healthcare sensor networks, Liu and Chung [21] proposed a bilinear pairing-based [22] authentication scheme in 2016, and Figure 1 illustrates the overall structure of the IoT-based medical care system, which could be applied in hospitals or healthcare institutions. When patients stay in hospitals or healthcare institutions, they wear smart clothes with embedded body sensors that collect their physiological parameters (such as blood pressure, heartbeat, body pulse, electrocardiography and body temperature). Thus, the users of the medical care system (such as doctors, caregivers, families and friends) can remotely query and monitor the physiological information of patients with the help of the trusted authority. Before accessing the system, users must register with the trusted authority in person. After successful registration, the trusted authority issues a smart card to the user, who can then use the smart card and a mobile device (such as a smart phone, PDA, laptop or tablet computer) to log into the medical care system. After successful authentication, the user can access the sensed data of patients measured by the sensor nodes within a limited time. However, in this paper, we present a cryptanalysis of Liu-Chung's authentication scheme and show that their scheme is susceptible to password disclosure, replay, sensed data disclosure, sensed data forgery, off-line password guessing and stolen smart card attacks. To solve the above-mentioned security problems, we present an improved version of Liu-Chung's authentication scheme using ECC, and we prove that the proposed scheme is secure under the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve Diffie-Hellman problem (ECDHP).
In addition, by designing a dynamic identity mechanism into the authentication process, we build an extended scheme with user anonymity. User anonymity [23][24][25] means that a remote user's real identity is masked during the login session, so that he/she cannot be linked or traced by any outsider. Furthermore, the correctness of mutual authentication between participants has been proven in the random oracle model under ECDHP. Finally, the proposed scheme requires lower computational overheads than other ECC-based schemes, which makes it more suitable and practical for IoT-based medical care systems. The rest of the paper is organized as follows. In Section 2, a brief review of Liu-Chung's authentication scheme is provided. In Section 3, the security weaknesses of Liu-Chung's scheme are presented. In Section 4, the improved scheme is proposed. Security and performance analyses of our proposed scheme are presented in Sections 5 and 6, respectively. Section 7 concludes this paper.

Review of Liu-Chung's Authentication Scheme
This section briefly reviews Liu-Chung's authentication scheme [21], which consists of five phases: setup, registration, login, verification, and access control and encryption. For convenience of description, the terminology and notations used in the paper are summarized as follows:
• U_i: The user.

Setup Phase
In this phase, the trusted authority TA selects a bilinear map ê : G_1 × G_1 → G_2 and P_0 ∈ G_1 and generates two one-way hash functions H_1 : {0, 1}^* → G_2 and H_2 : G_2 → {0, 1}^*, where G_1 is an additive cyclic group of points on an elliptic curve E over F_p, G_2 is a multiplicative cyclic group of a finite field F_p^* and p is a large prime such that q | p − 1 for some large prime q. Then, TA selects the secret key S_0 ∈ Z_q^* and publishes the parameter P_pub = S_0 × P_0.

Registration Phase
In this phase, the user registers with the trusted authority TA through a secure channel to become a legal user. The details of the registration phase are as follows:
Step 1: U_i registers an authenticated identity ID_i with TA and sets a password PW_i.
Step 2: U_i sends < ID_i, PW_i > to TA.
Step 3: TA computes Q_priv = S_0 × U_pub, where U_pub = U_priv × P_0 and U_priv ∈ Z_q^* are U_i's public parameter and secret key, respectively.
Step 4: TA stores the parameters < h(·), Q_priv, ID_i, PW_i, a > in U_i's smart card, where a represents a private parameter generated by TA and held by all of the sensor nodes of TA.
Step 5: TA issues the smart card to U_i.

Login Phase
In this phase, the user inserts his/her smart card into the device and inputs ID_i and PW_i. Then, the smart card performs the following steps:
Step 1: The smart card checks whether the ID_i and PW_i entered by U_i match those stored in the smart card. If yes, the smart card executes Step 2. Otherwise, the smart card terminates this phase.
Step 2: The smart card computes r = h(ID_i||PW_i||a) and Sig = r × Q_priv.
Step 3: The smart card sends < Sig, r, T_L, ID_i > to TA through a public channel, where T_L represents U_i's login time to the TA.

Verification Phase
When TA receives the login request < Sig, r, T_L, ID_i > from U_i, TA authenticates U_i through the following steps:
Step 1: TA checks the validity of ID_i and verifies whether ê(P_0, Sig) = ê(P_pub, r × U_pub). If yes, TA approves the request of U_i and executes Step 2. If no, TA rejects the request of U_i.
Step 2: TA checks whether T_now − T_L < ΔT. If yes, TA executes Step 3. Otherwise, the login time exceeds the allowed transmission delay, and the login request is rejected by TA.
Step 3: TA generates a random number b and computes E = h(b ⊕ U_pub). Then, TA sends E to U_i through a public channel.
Step 4: TA sends < T_u, b, ID_i > to all of the sensor nodes S through a secure channel and notifies S that U_i is legal. Note that T_u represents the time limit on the legal access to sensor node data by U_i.

Access Control and Encryption Phase
When the user U_i is authenticated as legal, U_i can legally access the sensed data m in S within a limited time, and U_i and S perform the following steps:
Step 1: U_i inserts his/her smart card into the device and inputs ID_i and PW_i. Then, the smart card verifies whether the entered ID_i and PW_i match the data stored in the card. If yes, the smart card executes Step 2.
Step 2: The smart card computes C = h(a||ID_i) ⊕ E.
Step 3: The smart card sends < C, ID_i, T > to S through a public channel, where T represents a timestamp.
Step 4: Upon receiving < C, ID_i, T > from U_i, S verifies whether T_now − T < ΔT and T_now ≤ T_u. If yes, S executes Step 5.
Step 5: S computes C' = h(a||ID_i) ⊕ h(b ⊕ U_pub) and checks whether C' = C. If yes, the sensed data m will be transmitted, and S executes Step 6. If no, S terminates this session.
Step 6: S encrypts the sensed data by computing M = m ⊕ H_2(ê(U_pub, P_pub)).
Step 7: S sends M to U_i through a public channel.
Step 8: U_i uses the secret parameter Q_priv and the public parameter P_0 to obtain m by computing m = M ⊕ H_2(ê(Q_priv, P_0)).
Figure 2 shows the schematic of Liu-Chung's authentication scheme for the IoT-based medical care system.

Weaknesses of Liu-Chung's Authentication Scheme
In this section, we present the security weaknesses of Liu-Chung's scheme. We show that their scheme has several security problems and that an attacker U_a can mount different types of attacks on it.

Password Disclosure Attacks
In real environments, a user may register with a number of remote services using a common password PW and identity ID for his/her convenience. Thus, a privileged insider of TA may try to use the knowledge of the user's PW and ID to access other remote services. In the registration phase of Liu-Chung's scheme, U_i registers with TA by sending (ID_i, PW_i). Therefore, U_i's sensitive password PW_i is revealed to the privileged insider of TA.

Replay Attacks
In the login phase of Liu-Chung's scheme, although the transmitted login message < Sig, r, T_L, ID_i > includes the timestamp T_L, the other login parameters < Sig, r, ID_i > of U_i never change. Thus, an attacker U_a could replay an eavesdropped message, such as U_i's login request < Sig, r, T_L, ID_i >, with U_a's current login time T_L' in place of T_L. Hence, U_a can bypass the timestamp check, and replay attacks cannot be prevented in Liu-Chung's scheme.

Sensed Data Disclosure Attacks
In the access control and encryption phase of Liu-Chung's scheme, the sensor node S sends the encrypted sensed data M to U_i through an insecure channel. Because U_pub of U_i and P_pub of TA are both public, once an attacker U_a eavesdrops the encrypted sensed data M from the public channel, U_a can compute m = M ⊕ H_2(ê(U_pub, P_pub)) to obtain m without knowing Q_priv. Hence, Liu-Chung's scheme cannot prevent sensed data disclosure attacks.

Sensed Data Forgery Attacks
In the access control and encryption phase, we found that Liu-Chung's scheme allows the attacker U_a to forge fake sensed data m' for the user U_i, so that U_i wrongly believes he/she has received the physiological conditions of the patients. The sensed data forgery attack on Liu-Chung's scheme proceeds as follows:
(1) When the sensor node S sends M = m ⊕ H_2(ê(U_pub, P_pub)) to the user U_i, U_a intercepts the message M.
(2) U_a maliciously forges fake sensed data m' and computes M' = m' ⊕ H_2(ê(U_pub, P_pub)), where U_pub and P_pub are the public parameters of U_i and TA, respectively. Then, U_a sends M' to the user U_i.
(3) Upon receiving the message M', U_i uses the secret parameter Q_priv and the public parameter P_0 to obtain m' = M' ⊕ H_2(ê(Q_priv, P_0)).
Therefore, the attacker U_a can control the sensed data exchanged between the user U_i and the sensor nodes S.

Stolen Smart Card Attacks
Usually, the smart card of the user U_i is equipped with tamper-resistant hardware. However, if U_i's smart card is lost or stolen, the attacker U_a may obtain all of the sensitive parameters stored in its memory by monitoring the power consumption of the smart card [26]. Assume that U_a obtains the smart card of U_i and extracts the parameters < h(·), Q_priv, ID_i, PW_i, a > stored inside it. U_a can then make a valid login request with ease. For example, U_a uses h(·), ID_i, PW_i, a and Q_priv and computes r = h(ID_i||PW_i||a) and Sig = r × Q_priv. Finally, U_a can make a valid login request to impersonate U_i by sending < Sig, r, T_L', ID_i > to the trusted authority TA, where T_L' is the current login time of U_a.

Off-Line Password Guessing Attacks
Since Liu-Chung's authentication scheme is executed in an open network environment, we assume that an attacker U_a can eavesdrop on the communication channel between U_i and TA in the login phase. Moreover, we assume that U_a is a legitimate user of the medical care system and can extract the parameter a from his/her own smart card by launching a power analysis attack [26]. Thus, U_a could guess U_i's password through the following steps.
(1) U_a eavesdrops the message < Sig, r, T_L, ID_i > sent by a legal user U_i, where r = h(ID_i||PW_i||a).
(2) U_a guesses a password PW_a and computes r_a = h(ID_i||PW_a||a) in an off-line manner.
(3) U_a checks whether r_a is equal to r or not. If it is equal, U_i's sensitive password has been guessed successfully. Otherwise, U_a repeats Steps (2) and (3) until the correct password is found.
From the above description, we conclude that U_a can derive U_i's password in an off-line manner, and Liu-Chung's authentication scheme cannot withstand off-line password guessing attacks.

The Proposed Scheme
This section proposes a new and improved lightweight user authentication scheme for medical care tailored to the Internet of Things environment. The proposed scheme is based on Liu-Chung's scheme, and it eliminates all of the previously mentioned security problems and vulnerabilities of their scheme. Like Liu-Chung's scheme, the proposed scheme consists of five phases: setup, registration, login, verification, and access control and encryption. Figure 3 shows the schematic of our proposed scheme for the IoT-based medical care system.

Setup Phase
In this phase, the trusted authority TA selects an elliptic curve E over F_p and a base point P_0 on E and chooses a secure one-way hash function h(·) : {0, 1}^* → {0, 1}^l, where p is a large prime such that q | p − 1 for some large prime q and l is the output length. In addition, TA chooses the secret key S_0 ∈ Z_q^* and computes its public key P_pub = S_0 × P_0. Finally, TA keeps S_0 securely and publishes < E, q, P_0, P_pub, h(·) > as the system parameters.

Registration Phase
In this phase, the user registers with the trusted authority TA through a secure channel to become a legal user, and the details of the registration phase are as follows:
Step 1: U_i registers an authenticated identity ID_i and password PW_i with TA and chooses a random number r for computing R_i = h(ID_i||PW_i||r).
Step 2: U_i sends the registration request < ID_i, R_i > to TA through a secure channel.
Step 3: TA checks whether ID_i has been registered or not. If ID_i has not been registered, then TA stores the parameters < W_i, a, E, q, P_0, P_pub, h(·) > in U_i's smart card and issues the smart card to U_i, where a represents a private parameter generated by TA and held by all of the sensor nodes of TA.
Step 4: and stores < X_i, Y_i > into the smart card. Finally, U_i's smart card contains the parameters < Y_i, X_i, W_i, a, E, q, P_0, P_pub, h(·) >.

Login Phase
In this phase, the user inserts his/her smart card into the device and inputs ID_i and PW_i. Then, the smart card executes the following steps:
Step 1: The smart card checks whether the ID_i and PW_i entered by U_i match those stored in the smart card. First, the smart card computes r' = X_i ⊕ h(ID_i||PW_i), V_i' = W_i ⊕ h(ID_i||PW_i||r') and Y_i' = h(V_i'||r'||h(ID_i||PW_i)) and verifies whether Y_i' = Y_i. If it holds, the smart card executes Step 2. Otherwise, the smart card terminates this phase.
Step 2: The smart card generates a random number α and computes M_i = α × P_0, N_i = α × P_pub, O_i = h(ID_i||V_i||T_L) and Q_i = h(N_i) ⊕ (ID_i||O_i), and sends < M_i, Q_i, T_L > to TA through a public channel, where T_L represents U_i's login time to the TA.

Verification Phase
When TA receives the login request < M_i, Q_i, T_L > from U_i, TA authenticates U_i through the following steps:
Step 1: TA checks whether T_now − T_L < ΔT. If yes, TA executes Step 2. Otherwise, the login time exceeds the allowed transmission delay, and the login request is rejected by TA.
Step 2: TA computes N_i = S_0 × M_i and (ID_i||O_i) = Q_i ⊕ h(N_i) and checks whether the user's ID_i is recorded by TA. If yes, TA executes Step 3. Otherwise, the login request is denied by TA.
Step 3: TA goes on to compute V_i = h(ID_i||S_0||a) using the identity ID_i and checks whether the decrypted O_i is the same as the computed O_i' = h(ID_i||V_i||T_L). If no, the session is aborted by TA. Otherwise, TA computes E = h(b ⊕ TID_i) and RM = h(N_i) ⊕ (ID_i||TID_i||T_u||E) and sends the response message < RM > to U_i through a public channel, where b represents a random number and TID_i represents a temporary identity for the user U_i.
Step 4: TA sends < T_u, b, TID_i > to all of the sensor nodes S via a secure channel and notifies S that the temporary identity TID_i is legal in the next access control and encryption phase.
Step 5: When U_i receives < RM > from TA, U_i authenticates TA by computing (ID_i||TID_i||T_u||E) = h(N_i) ⊕ RM and checking whether its own ID_i is recovered from RM. If yes, U_i confirms that TA is legal, and the parameters TID_i, T_u and E will be used in the access control and encryption phase. Otherwise, U_i ends this session. Note that TID_i and E must be kept secret by U_i and temporarily stored in U_i's smart card until the end of the access control and encryption phase.
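The login and verification phases above, modelled in Python as an added example (this is not code from the paper or its authors): the smart card and TA run Steps 1 to 5 on a toy 19-point curve over F_17, with SHA-256 truncated to 16 bytes as h(·). The counter-based expansion of h(N_i) into a full-length mask, the fixed 16-byte identity, ΔT = 5 s and the 10-minute T_u are assumptions of this example; the last function also re-sends one captured < M_i, Q_i > to show that both the T_L window and the O_i check reject it.

```python
import hashlib
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17, base point P_0 = (5, 1) of prime
# order q = 19 (constructed for illustration only; far too small for real use).
P_MOD, A_COEF, P0, Q_ORDER, INF = 17, 2, (5, 1), 19, None
DELTA_T = 5          # allowed transmission delay in seconds (assumed value)
ACCESS_WINDOW = 600  # T_u = login time + 10 minutes (assumed value)

def ec_add(p, q):
    """Affine point addition; INF is the point at infinity."""
    if p is INF or q is INF:
        return q if p is INF else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p == q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, p):
    """Double-and-add scalar multiplication k * p."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p, k = ec_add(p, p), k >> 1
    return acc

def h(*parts):
    """h(.): SHA-256 truncated to l = 16 bytes over the '||' concatenation."""
    return hashlib.sha256(b"||".join(parts)).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mask(n_i, length):
    """The paper XORs the payload with h(N_i); here h(N_i) is expanded with a
    counter so the mask covers the whole payload (implementation assumption)."""
    seed, out = repr(n_i).encode(), b""
    for ctr in range(0, length, 16):
        out += h(seed, bytes([ctr]))
    return out[:length]

def login_request(id_i, v_i, p_pub, t_l):
    """Smart card, login Step 2: builds <M_i, Q_i, T_L>; keeps N_i for Step 5."""
    alpha = secrets.randbelow(Q_ORDER - 1) + 1
    m_i, n_i = ec_mul(alpha, P0), ec_mul(alpha, p_pub)
    o_i = h(id_i, v_i, t_l.to_bytes(8, "big"))
    return (m_i, xor(mask(n_i, 32), id_i + o_i), t_l), n_i

def ta_verify(msg, s0, a, registered, t_now):
    """TA, verification Steps 1-3. Returns (accepted, RM or reason, notice for S)."""
    m_i, q_i, t_l = msg
    if not 0 <= t_now - t_l < DELTA_T:                 # Step 1: T_L freshness
        return False, "stale timestamp", None
    n_i = ec_mul(s0, m_i)                              # Step 2: N_i = S_0 * M_i
    plain = xor(mask(n_i, 32), q_i)
    id_i, o_i = plain[:16], plain[16:]
    if id_i not in registered:
        return False, "unknown identity", None
    v_i = h(id_i, s0.to_bytes(2, "big"), a)            # Step 3: V_i = h(ID_i||S_0||a)
    if o_i != h(id_i, v_i, t_l.to_bytes(8, "big")):    # O_i commits to T_L
        return False, "O_i mismatch", None
    b, tid_i = secrets.token_bytes(16), secrets.token_bytes(16)
    t_u, e = (t_now + ACCESS_WINDOW).to_bytes(8, "big"), h(xor(b, tid_i))
    rm = xor(mask(n_i, 56), id_i + tid_i + t_u + e)    # RM = h(N_i) xor (ID_i||TID_i||T_u||E)
    return True, rm, (t_u, b, tid_i)                   # Step 4: <T_u, b, TID_i> goes to S

def user_check_response(rm, n_i, id_i):
    """U_i, verification Step 5: TA is accepted only if RM decrypts to ID_i."""
    plain = xor(mask(n_i, 56), rm)
    return None if plain[:16] != id_i else (plain[16:32], plain[32:40], plain[40:])

def run_session(t_now=1_700_000_000):
    """One honest login, then the same <M_i, Q_i> re-sent in two ways."""
    s0 = secrets.randbelow(Q_ORDER - 1) + 1            # setup: S_0, P_pub, a
    p_pub, a = ec_mul(s0, P0), secrets.token_bytes(16)
    id_i = b"doctor-0001".ljust(16, b"\0")             # constructed sample user
    v_i = h(id_i, s0.to_bytes(2, "big"), a)            # value the card recovers in login Step 1
    msg, n_i = login_request(id_i, v_i, p_pub, t_now)
    ok, rm, notice = ta_verify(msg, s0, a, {id_i}, t_now + 1)
    view = user_check_response(rm, n_i, id_i) if ok else None
    late = ta_verify(msg, s0, a, {id_i}, t_now + 60)[1]
    retimed = ta_verify((msg[0], msg[1], t_now + 60), s0, a, {id_i}, t_now + 61)[1]
    return {"accepted": ok, "ta_authenticated": view is not None,
            "tid_match": view is not None and view[0] == notice[2],
            "resent_late": late, "resent_with_new_T_L": retimed}
```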

Access Control and Encryption Phase
When the user U_i is authenticated as legal, U_i can legally access the sensed data m in S within the permitted time T_u, and U_i and S perform the following steps:
Step 1: In this step, the executed operations are the same as Step 1 of the login phase.
Step 2: The smart card calculates C = h(a||TID_i||T) ⊕ h(E) and sends < C, TID_i, T > to S through a public channel, where T represents a timestamp.
Step 3: Upon receiving < C, TID_i, T > from U_i, S verifies whether T_now − T < ΔT and T_now ≤ T_u. If yes, S executes Step 4.
Step 4: S computes C' = h(a||TID_i||T) ⊕ h(h(b ⊕ TID_i)) using the b transmitted by TA and the temporary identity TID_i of the user, and examines whether C' = C. If yes, the validity of U_i is authenticated by S, and the sensed data m will be transmitted by S. If no, S terminates this session.
Step 5: S computes the session key SK = h(E ⊕ a ⊕ T_u) and encrypts the sensed data by computing M = m ⊕ SK. Then, S sends < M > to U_i through a public channel. Note that the session key SK provides a secure channel for protecting the data transmission between S and U_i.
Step 6: When U_i receives < M > from S, U_i uses the parameters (E, a, T_u) to calculate the session key SK = h(E ⊕ a ⊕ T_u) and decrypts the sensed data by computing m = M ⊕ SK.
Note that SK must be renewed when U_i's T_u expires. In that case, U_i returns to the login and verification phases to request a new T_u from TA. Finally, a new SK is established between U_i and S in the access control and encryption phase.
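The access control and encryption phase, as an added example that is not the paper's own code: the sensor node applies the checks of Steps 3 and 4, derives SK as in Step 5, and the user decrypts as in Step 6. h(·) as 16-byte truncated SHA-256, the 16-byte encodings of a, b, TID_i, T_u and E, ΔT = 5 s and the single 16-byte reading m are assumptions of this example.

```python
import hashlib
import secrets

DELTA_T = 5  # allowed transmission delay in seconds (assumed value)

def h(*parts):
    """h(.): SHA-256 truncated to 16 bytes over the '||' concatenation."""
    return hashlib.sha256(b"||".join(parts)).digest()[:16]

def xor(a, b):
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))

def card_request(a, tid_i, e, t):
    """Smart card, Step 2: C = h(a || TID_i || T) xor h(E); sends <C, TID_i, T>."""
    return xor(h(a, tid_i, t.to_bytes(8, "big")), h(e)), tid_i, t

def sensor_respond(req, a, notice, m, t_now):
    """Sensor node S, Steps 3-5; notice is <T_u, b, TID_i> as received from TA.
    Returns (M, status): M is the encrypted reading, or None when rejected."""
    c, tid_i, t = req
    t_u, b, tid_from_ta = notice
    if tid_i != tid_from_ta:
        return None, "unknown temporary identity"
    if not 0 <= t_now - t < DELTA_T:                          # Step 3: T fresh
        return None, "stale timestamp"
    if t_now > int.from_bytes(t_u, "big"):                    # Step 3: T_now <= T_u
        return None, "access window expired"
    e = h(xor(b, tid_i))                                      # E = h(b xor TID_i)
    c_prime = xor(h(a, tid_i, t.to_bytes(8, "big")), h(e))   # Step 4: C'
    if c_prime != c:
        return None, "C mismatch"
    sk = h(xor(xor(e, a), t_u))                               # Step 5: SK = h(E xor a xor T_u)
    return xor(m, sk), "ok"                                   # M = m xor SK (single 16-byte block)

def user_decrypt(msg, e, a, t_u):
    """U_i, Step 6: m = M xor h(E xor a xor T_u)."""
    return xor(msg, h(xor(xor(e, a), t_u)))

def run_access(t_now=1_700_000_000):
    """One accepted request, one after T_u, and one from a card that lacks E."""
    a = secrets.token_bytes(16)                   # private parameter of TA and S
    b, tid_i = secrets.token_bytes(16), secrets.token_bytes(16)
    t_u = (t_now + 600).to_bytes(16, "big")       # constructed: T_u 10 minutes ahead
    e = h(xor(b, tid_i))                          # E as delivered to U_i in RM
    notice = (t_u, b, tid_i)                      # <T_u, b, TID_i> sent by TA to S
    m = b"HR=072;BP=120/80"                       # constructed 16-byte reading
    enc, status = sensor_respond(card_request(a, tid_i, e, t_now), a, notice, m, t_now + 1)
    recovered = user_decrypt(enc, e, a, t_u) if enc is not None else None
    expired = sensor_respond(card_request(a, tid_i, e, t_now + 700), a, notice, m, t_now + 701)[1]
    no_e = sensor_respond(card_request(a, tid_i, secrets.token_bytes(16), t_now), a, notice, m, t_now + 1)[1]
    return {"status": status, "recovered": recovered, "after_T_u": expired, "without_E": no_e}
```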

Security Analysis of the Proposed Scheme
In this section, we analyze the security of our proposed scheme and show that it prevents the above-mentioned weaknesses of Liu-Chung's scheme. The security of the proposed scheme rests on a collision-free one-way hash function and two hard problems, the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve Diffie-Hellman problem (ECDHP), defined as follows:
ECDLP: Given a base point P on an elliptic curve E and a point Q = aP for some unknown a ∈ Z_q^*, it is computationally infeasible to find the integer a.
ECDHP: Given three points P, aP and bP on E for unknown a, b ∈ Z_q^*, it is computationally infeasible to compute abP.
We analyze and summarize the main security advantages of our proposed scheme as follows.

Resistance to Password Disclosure and Password Guessing Attacks
In the registration phase, the user's password PW_i is used only inside the message R_i = h(ID_i||PW_i||r). Although a privileged insider of TA can obtain the message R_i and the identity ID_i of the user, he/she cannot learn the user's sensitive password PW_i, because r is randomly selected by the user and PW_i is protected by h(ID_i||PW_i||r). Note that deriving PW_i from h(ID_i||PW_i||r) amounts to a brute-force attack on the one-way hash function. Moreover, during the login, verification and access control and encryption phases, neither the smart card nor the transmitted messages contain the user's password PW_i. Hence, the proposed scheme eliminates the possibility of password disclosure and password guessing attacks.

Resistance to Replay Attacks
Timestamps and random numbers are common countermeasures against replay attacks in an authentication process. The messages < M_i, Q_i, T_L > and < C, TID_i, T > contain the freshly generated timestamps T_L and T, and these timestamps are also embedded in the protected values Q_i = h(N_i) ⊕ (ID_i||h(ID_i||V_i||T_L)) and C = h(a||TID_i||T) ⊕ h(E); each participant therefore first checks the freshness of the received timestamp and then verifies that the same timestamp is bound into the protected part of the message. Hence, this design rules out replay attacks in our proposed scheme.

Resistance to Sensed Data Disclosure Attacks
In the access control and encryption phase of the proposed scheme, the sensed data m is embedded in the encrypted message M = m ⊕ SK, and m is well protected by the high-entropy session key SK = h(E ⊕ a ⊕ T_u). Here, we assume that U_a can obtain the parameter a from a legal smart card and can eavesdrop the transmitted messages < C, TID_i, T > and < M > on the public channel between the user U_i and the sensor nodes S. U_a can use the collected parameters to compute h(a||TID_i||T) and C ⊕ h(a||TID_i||T) and thereby derive h(E). However, without knowledge of the secrets E and T_u, the attacker U_a cannot derive SK from h(E) because of the irreversibility of the secure one-way hash function.
On the other hand, during the login phase of the proposed scheme, we assume that the parameter M_i = α × P_0 and the public key P_pub = S_0 × P_0 of TA are disclosed. However, the secret parameter N_i = α × P_pub = αS_0P_0 cannot be calculated by U_a, since the random number α is unknown and deriving it from M_i requires solving ECDLP. Moreover, during the access control and encryption phase, a unique and fresh secret parameter N_i is computed in each new session using the random parameter α and the private key S_0. Due to the difficulty of ECDHP, U_a cannot derive N_i from M_i and P_pub, and thus the protection by the fresh secret parameter h(N_i) does not allow U_a to obtain E and T_u from RM. Therefore, U_a cannot derive m from M by computing m = M ⊕ h(E ⊕ a ⊕ T_u), and the confidentiality of the sensed data m is guaranteed in the proposed scheme.

Resistance to Sensed Data Forgery Attacks
In the access control and encryption phase of the proposed scheme, the sensor node S first authenticates the user U_i by verifying whether C' = h(a||TID_i||T) ⊕ h(h(b ⊕ TID_i)) = C. Due to the protection provided by the timestamp T and the secret parameters a and h(b ⊕ TID_i), no one can forge a valid message < C, TID_i, T > that passes S's verification. In addition, we assume that the attacker U_a intercepts the response message M and tries to generate a legitimate message M' = m' ⊕ h(E ⊕ a ⊕ T_u) with fake sensed data m'. However, since U_a does not know the secret parameters E and T_u, it cannot generate the legitimate message < M' >. Thus, the proposed scheme withstands sensed data forgery attacks.

Resistance to Stolen Smart Card Attacks
Suppose that the smart card of U_i is lost or stolen. The attacker U_a could obtain the stored parameters < Y_i, X_i, W_i, a, E, q, P_0, P_pub, h(·) > and try to impersonate U_i by logging in to the trusted authority TA. U_a can first guess a candidate identity ID_i^* and password PW_i^* and compute the corresponding Y_i^*. The only way for U_a to learn PW_i is to find the correct pair (ID_i^*, PW_i^*) such that Y_i = Y_i^*. In the proposed scheme, we assume that the probability of guessing an ID_i composed of exactly l characters and a PW_i composed of exactly m characters is approximately 1/2^(6l+6m). This probability is negligible, so U_a has no feasible way to derive the ID_i and PW_i of the user U_i in polynomial time.

Resistance to Off-Line Password Guessing Attacks
In the proposed scheme, we assume that an attacker U_a could eavesdrop all of the transmitted messages < M_i, Q_i, T_L >, < RM >, < C, TID_i, T > and < M > between U_i, TA and S. However, neither the smart card nor the transmitted messages contain U_i's password PW_i. Therefore, the proposed scheme withstands off-line password guessing attacks.

Provision of the Efficient Login Phase
In order to illustrate the verification mechanism of the login phase, three cases are considered. Case 1 assumes U_i inputs the correct identity ID_i and an incorrect password PW_i^*. Case 2 assumes U_i inputs an incorrect identity ID_i^* and the correct password PW_i. Case 3 assumes U_i inputs an incorrect identity ID_i^* and an incorrect password PW_i^*.
Case 1: After the user inputs (ID_i, PW_i^*), the smart card computes r^*, V_i^* and Y_i^* as in Step 1 of the login phase. The verification cannot pass, as Y_i ≠ h(V_i^*||r^*||h(ID_i||PW_i^*)), and the smart card immediately terminates the session.
Case 2: After the user inputs (ID_i^*, PW_i), the smart card computes r^*, V_i^* and Y_i^* in the same way. Again, the verification cannot pass, as Y_i ≠ h(V_i^*||r^*||h(ID_i^*||PW_i)), and the smart card immediately terminates the session.
Case 3: After the user inputs (ID_i^*, PW_i^*), the smart card computes r^*, V_i^* and Y_i^* in the same way. Similarly, the verification cannot pass, as Y_i ≠ h(V_i^*||r^*||h(ID_i^*||PW_i^*)), and the smart card immediately terminates the session.

Provision of User Anonymity
Based on the design of our proposed scheme, the property of user anonymity is guaranteed in every phase. We mask the real identity of U_i on the public channel, and no attacker can recover U_i's real identity by launching security attacks. First, in the login phase, U_i's real identity is included only in Q_i = h(N_i) ⊕ (ID_i||O_i). Thus, U_a cannot recover ID_i from Q_i without h(N_i). Additionally, in the verification and access control and encryption phases, the temporary identity TID_i is generated and used in place of U_i's identity in the messages between the user and the sensor nodes. That is to say, all identities are transmitted in encrypted form instead of plaintext, and the temporary identities are randomized in each new session. As a result, our proposed scheme provides the property of user anonymity.

Provision of Mutual Authentication
In the login phase of the proposed scheme, only the legitimate user knows the secret parameter V_i = h(ID_i||S_0||a) needed to generate a legal O_i. Therefore, in Step 3 of the verification phase, TA can authenticate U_i by checking whether the decrypted O_i is equal to the computed O_i'. Moreover, in Step 5 of the verification phase, only the legal TA owns the secret key S_0 needed to compute the common secret parameter h(N_i). As a result, U_i can authenticate TA by decrypting RM and checking whether the revealed ID_i matches its own.
On the other hand, in the access control and encryption phase, only the legal user holds the secret parameter h(E) needed to generate a legal C. Thus, in Step 4 of the access control and encryption phase, S can authenticate U_i by checking whether the received C is equal to the computed C'. Additionally, in Step 5 of the access control and encryption phase, only the participating S can calculate the common session key SK = h(E ⊕ a ⊕ T_u) to encrypt the sensed data by computing M = m ⊕ SK. Finally, U_i can also authenticate S by establishing the common session key SK and checking whether valid sensed data m are recovered from M by computing m = M ⊕ SK.

Provision of Session Key Security
Since the common session key SK is shared only between the user U i and the sensor node S, and is used to establish a secure and authenticated channel for the subsequent transmissions, the session key SK must not only ensure confidentiality but also provide authenticity of the participants and the messages. In the design of the session key SK = h(E ⊕ a ⊕ T u ), E binds the key to the integrity of the transmitted messages, whereas the timestamp T u prevents replay and misuse-of-service attacks. As a result, session key security and data confidentiality are provided in the proposed authentication scheme.
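The following is an added illustration (not code from the paper) of the identity masking in the login phase and of the session key and XOR encryption described above. It uses a constructed toy curve in place of a real ECC group, models h(.) as SHA-256, and assumes fixed lengths for ID i, O i, E, a and T u, none of which the paper specifies.

```python
import hashlib, secrets

# Constructed toy curve y^2 = x^3 + x + 1 over F_23: 28 points, base point P of order 28 (illustration only).
p, A, n = 23, 1, 28
P = (0, 1)

def ec_add(P1, P2):
    """Affine point addition; None stands for the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if P1 == P2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, Q):       # double-and-add scalar multiplication k*Q
    R = None
    while k:
        if k & 1: R = ec_add(R, Q)
        Q, k = ec_add(Q, Q), k >> 1
    return R

def h(data):            # the scheme's one-way hash h(.), modelled as SHA-256
    return hashlib.sha256(data).digest()
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

S_0 = 5                 # TA's long-term secret key (assumed value)
P_pub = ec_mul(S_0, P)  # TA's public key P_pub = S_0 * P
def user_login(ID_i, O_i, a=None):
    """U_i sends (M_i, Q_i): ID_i||O_i (8 + 24 bytes, assumed) masked with h(N_i), N_i = a*P_pub."""
    a = a or secrets.randbelow(n - 1) + 1       # fresh ephemeral scalar each login
    M_i, N_i = ec_mul(a, P), ec_mul(a, P_pub)
    return M_i, xor(h(str(N_i).encode()), ID_i + O_i)

def unmask(M_i, Q_i, s):
    """Recover ID_i||O_i using scalar s; only s = S_0 yields S_0*M_i = a*P_pub = N_i."""
    rec = xor(h(str(ec_mul(s, M_i)).encode()), Q_i)
    return rec[:8], rec[8:]

def session_key(E, a_bytes, T_u):
    """SK = h(E XOR a XOR T_u); E, a and T_u are taken as 32-byte strings (assumed encoding)."""
    return h(xor(xor(E, a_bytes), T_u))

def xor_encrypt(m, SK):
    """M = m XOR SK; the same call decrypts. m must not exceed len(SK) = 32 bytes."""
    return xor(m, SK)
```

An observer who guesses a wrong S 0 obtains a different point, hence a different h(N i ), and recovers garbage instead of ID i; a stale T u yields a different SK, so a replayed M no longer decrypts to m.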

Security Proof of the Proposed Scheme
Here, we follow the techniques of [27][28][29][30] to demonstrate the security of our scheme in the random oracle model under the elliptic curve Diffie-Hellman problem (ECDHP).

Adversarial Model
We assume an adversary A is a probabilistic polynomial-time algorithm that is allowed to issue the following queries to some oracles. Note that an oracle has multiple instances ∏ j U , where U denotes a participant and j ∈ N. Here, we set U ∈ {U i , TA, S} and may use A to simulate the proposed scheme via issuing queries. A may only issue this query once. Upon receiving this query, instance ∏ j E ∈{U i ,S} flips an unbiased coin b. If b = 1, it returns the session key. Otherwise, it returns a random string. Note that this query models the semantic security of the session key.

Theorem 1.
In the random oracle model, assume that there exists an adversary A with a non-negligible advantage 0 that can impersonate U i to communicate with TA. Then, there is a challenger C, which can solve the elliptic curve Diffie-Hellman problem (ECDHP) with advantage q · 0 < ≤ q H 2 k , where q S denotes the maximum number of send queries issued by A, q H denotes the maximum number of hash queries issued by A and k denotes the length of the hash value.
Proof. Suppose that A successfully impersonates U i to communicate with TA. This means that TA accepts (M i , Q i , T L ), although it was not produced by U i . In this case, A must have guessed (M i , Q i , T L ). This leads to the following: given M i = a · P and P pub = b · P, where a, b ∈ Z * q are unknown to A, A can compute N i = abP. Thus, given (P, M i , P pub ) = (P, aP, bP), C can use A as a subroutine to compute abP. In other words, C can solve ECDHP with the advantage q · 0 < ≤ q H 2 k .
bilinear pairing operation are more complicated than the other operations, and the running time of the point addition, the map-to-point hash function and the one-way hash function can be ignored. Therefore, we only need to count the execution time of the elliptic curve scalar point multiplication and the bilinear pairing operation.

In Table 2, we summarize the efficiency comparisons between our proposed scheme and the previous WSN-based authentication schemes in terms of computational complexity and execution time, where the total execution times are derived from the measurements in Table 1. From Table 2, we can see that the computation cost of our scheme is lower than that of Yeh et al.'s and Liu-Chung's schemes on the user, the trusted authority and the sensor node sides. Therefore, our proposed scheme is the most efficient of the three related schemes in terms of overall computation cost, and the execution time of the proposed scheme is suitable for different real-life applications, including medical care systems.

Lastly, the security criteria and functional properties of the three ECC-based authentication schemes are summarized in Table 3. It is visible from Table 3 that Yeh et al.'s scheme [5] is vulnerable to a password disclosure attack in the registration phase and also does not provide the user anonymity property, while Liu-Chung's scheme [21] does not support this property either. The proposed scheme prevents all of the security weaknesses of the former schemes and provides mutual authentication and user anonymity to protect data integrity and user privacy. From Tables 2 and 3, the proposed scheme not only keeps a lower computational cost, but also satisfies more security requirements and offers strong protection against the relevant security attacks on IoT-based medical care systems.

Table 3. Functionality comparisons among the proposed scheme and other related schemes.

Conclusions
In this paper, we first gave a brief review of Liu-Chung's authentication scheme together with a basic security analysis, and found that their scheme is vulnerable to password disclosure, off-line password guessing, sensed data disclosure, sensed data forgery and replay attacks, as well as the stolen smart card problem. Furthermore, their scheme cannot achieve user anonymity or session key security, and it has unnecessary redundancy in its protocol design. In order to repair these security flaws and improve the system performance, an improved efficient scheme was proposed. The security analysis indicates that the proposed authentication scheme withstands the attacks mentioned and satisfies all desirable security attributes, such as user anonymity, mutual authentication, session key security and an efficient verification mechanism during the login phase. Compared with other ECC-based authentication schemes, the proposed scheme is comparable in computational overhead and is practical as a secure authentication mechanism for the IoT-based medical care system.