LAMT: Lightweight and Anonymous Authentication Scheme for Medical Internet of Things Services

Abstract

Medical Internet of Things (IoT) systems can be used to monitor and treat patient health conditions. Security and privacy issues in medical IoT services are more important than those in any other IoT-enabled service. Therefore, various mutual authentication and key-distribution schemes have been proposed for secure communication in medical IoT services. We analyzed Hu et al.’s scheme and found that an attacker can impersonate legitimate sensor nodes and generate illegitimate session keys using the information stored in the sensor node and the information transmitted over the public channel. To overcome these vulnerabilities, we propose a scheme that utilizes physically unclonable functions to ensure a secure session key distribution and increase the computational efficiency of resource-limited sensor nodes. In addition, the proposed scheme enhances privacy protection using pseudonyms, which we prove using a formal security analysis tool, ProVerif 2.05.

1. Introduction

Network services based on sensors are increasing owing to the expansion of utilization fields as a result of the development of sensor technology and the increase in network services due to COVID-19 [1]. Recently, medical devices have been connected to network services worldwide, and medical Internet of Things (IoT) services based on sensors, such as remote medical treatment and the monitoring of patients’ health status by doctors, have been increasing [2]. However, in the medical field, security issues are among the most significant factors hindering the expansion of network services that use medical devices. In particular, information transmitted through medical devices not only requires sensitive privacy but can also cause serious problems for the patient’s health if tampered with, which is why medical IoT environments require strong security protocols [3]. Therefore, government departments in charge of medical device licensing have set high-level requirements for cybersecurity and privacy for medical devices distributed in their countries.

IoT environments used in the healthcare sector often collect and transmit large amounts of individual medical data [3]. The collection of such sensitive data in large volumes poses risks of unauthorized access, use, or disclosure [4]. To ensure secure data management, many devices used in the healthcare field employ methods such as encryption, access control, identity management, and user authentication [5].

Among the various security requirements of IoT service environments based on medical devices, user authentication and privacy protection are the most important. Various studies have been proposed to address user authentication and privacy protection for IoT devices [6,7,8]. In 2021, a user authentication system integrated with blockchain was proposed, which automatically manages the creation, deletion, and addition of multiple data [6]. Additionally, a user authentication system utilizing hospital cloud servers was introduced [7]. In 2022, Hu et al. [8] presented a user authentication scheme between users and sensor nodes that employs two-factor security using the user’s password and smart card. Their scheme features the use of elliptic curve operations to protect values.

In this study, we analyzed the vulnerabilities of the scheme of Hu et al. [8] based on a general system model and attack model in medical IoT services. We found that an attacker can impersonate legitimate sensor nodes and generate illegitimate session keys using the information stored in the sensor node and the information transmitted over the public channel. To overcome these vulnerabilities, we propose a lightweight and anonymous user authentication scheme.

The contributions of the proposed scheme are summarized as follows:

• We thoroughly analyzed the scheme proposed by Hu et al. and identified the following three issues. First, attackers can extract critical authentication values from the data transmitted by sensor nodes and over public channels in Hu et al.’s scheme. Second, these extracted values can be used to perform impersonation attacks on the sensor node. Lastly, attackers can share sessions with the user. To address these three issues, we propose a new scheme, LAMT, in this study.
• The proposed scheme does not store the information used to generate the session key on the user’s mobile device or sensor node. Thus, even if an attacker physically obtains the mobile device or sensor node, it is impossible to perform an impersonation attack.
• The proposed scheme minimizes the computation at sensor nodes by using a physically unclonable function (PUF). In the proposed scheme, a challenge–response pair of the PUF is transmitted over a private channel, and only challenges are transmitted over a public channel; thus, it is resistant to PUF modeling attacks.
• The proposed scheme ensures anonymity and untraceability by using pseudonyms that change from session to session instead of user and sensor node identities. It also ensures forward secrecy, mutual authentication, and is resistant to man-in-the-middle and PUF modeling attacks. Its security was confirmed using ProVerif, a formal security analysis tool. The proposed scheme achieved an average computational cost reduction of 985.73% when compared with the latest research [8,9,10,11] in terms of performance.

The remainder of this paper is organized as follows. In Section 3, we present the hash functions of the system and attack models. The target scheme is introduced in Section 4. In Section 5, we describe the limitations of the proposed scheme. Our scheme is described in Section 6. In Section 7, we present formal and informal security analyses. In Section 8, we present the performance analysis of the proposed scheme, and in Section 9, we discuss the results. Finally, we conclude this paper in Section 10.

2. Related Work

Recently, extensive research has been conducted on authentication schemes for wireless sensor networks (WSNs) used in medicine and healthcare. To provide high-strength security, theories have suggested the use of elliptic curve cryptography (ECC) or fuzzy extractors to extract biometric information.

In 2019, Ostad-Sharif et al. [12] proposed a user authentication scheme suitable for WSNs in IoT environments. In 2020, Chen et al. [13] identified design flaws in Ostad-Sharif et al. [12]’s scheme, highlighting issues with password-change functionality and time synchronization. Chen et al. [13] proposed an improved authentication scheme with enhanced security. Sahoo et al. [10] also identified design flaws in Ostad-Sharif et al. [12]’s scheme and proposed an ECC-based three-factor authentication scheme with enhanced security. However, in 2022, Hu et al. [8] revealed that Chen et al. [13]’s authentication method was vulnerable to offline password-guessing and impersonation attacks and failed to achieve perfect forward secrecy. Hu et al. [8] proposed a secure authentication scheme for WSNs in IoT environments using ECC. However, we found that Hu et al. [8]’s scheme is vulnerable to sensor impersonation attacks.

In 2018, Zhang et al. [14] proposed an authentication scheme for users and servers in health systems. However, in 2019, Aghili et al. [15] pointed out that Zhang et al. [14]’s scheme allowed user tracking and was vulnerable to desynchronization and DoS attacks. They proposed LACO [15], an approach in which a server is positioned between users and sensors to store data securely and allow users to share the data with the sensors. However, Amintoosi et al. [16] found that LACO [15] did not provide perfect forward secrecy and was vulnerable to sensor impersonation attacks; thus, they proposed a secure scheme called Slight [16]. In 2023, Wu et al. [9] demonstrated that Slight [16] was inaccurately designed with respect to session key values and susceptible to privileged-insider attacks, leading them to propose a new IoHT with enhanced security.

In 2019, Gao et al. [17] proposed a biometric-based scheme for WSNs. However, in 2021, Xue et al. [18] found that Gao et al. [17]’s scheme was vulnerable to offline password-guessing attacks and did not provide forward secrecy. Xue et al. [18] proposed an improved three-factor authentication scheme with enhanced security. In 2024, Huang [11] found that Xue et al. [18]’s scheme failed to provide anonymity and had a critical vulnerability in which a user’s private key could be extracted. To address these issues, Huang [11] proposed an enhanced user authentication scheme for WSNs that utilizes user biometric information and ECC for improved security.

3. Preliminaries

In this section, we first introduce the system model and the attack model of our proposed scheme, followed by the definitions and properties of the PUF used in our proposed scheme.

3.1. System Model

Our scheme has three entities: user, medical gateway (gateway), and medical IoT sensor node (sensor node).

• Gateway: The gateway is a trusted entity that can know the identities of all users and sensor nodes, and all users and sensor nodes authenticate and communicate through the GWN. The GWN has powerful resources to perform complex computations.
• User: The user is a legitimate entity who has access to a patient’s medical information. The user can access patient information using mobile devices (e.g., a smartphone or tablet) with limited resources.
• Sensor node: In our scheme, the sensor node is an entity that collects the patient’s medical/health information and transmits it to the legitimate user through the GWN. The sensor node is typically a low-power device placed in or on the patient’s body.

IoT devices used in the medical field have limited computing power due to their nature, which significantly limits their ability to implement the advanced security protocols or complex communication protocols that were widely used in the past. This is a major cause of difficulties in building advanced systems for the safe transmission and processing of medical data [19].

The reasons for this can be found in the limited computational speed, memory capacity, and power usage requirements of IoT devices, which make it difficult to efficiently process or store large amounts of medical data collected in real time.

In addition, due to limitations in hardware resources, it is difficult to support various communication protocols simultaneously or process multiple tasks in parallel, and from a security perspective, lightweight security protocols or solutions with questionable safety must be used, which poses a risk of exposure to potential security vulnerabilities.

The minimum requirements for IoT devices in the proposed system are as follows:

• Basic operational hardware: support for shift registers and arithmetic logic units for hash operations and execution of XOR operation units within XOR gate arrays or arithmetic logic units (ALUs) defined by application protocols.
• Memory and storage: memory to store input data and intermediate results, ROM/flash memory to store protocol execution order and key information, and memory in the secure area to store important information.
• A secure entropy source for security: a method for generating secure random numbers used by application protocols.
• Interface for communication: providing a method for transmitting and receiving data required to implement application protocols.

3.2. Attack Model

The model assumes that the cryptographic primitives used in the protocol are secure and that the attacker has the following capabilities:

• The attacker can intercept, delete, modify, store, and reply to any message exchanged over the public communication channel.
• The attacker can physically capture the user’s mobile device and obtain some of the security parameters stored on the device.
• The attacker can calculate the identity and password in polynomial time, but cannot gain the user’s identity, password, and information stored on the device at the same time.
• The attacker can launch multiple attempts at attacks.

3.3. Physical Unclonable Function (PUF)

We used PUF technology to perform the authentication and session key distribution steps between the sensor nodes and gateways. A PUF can generate a unique response $Rn$ for a specific challenge $Cn$ by utilizing the characteristics of an IC chip and is used to implement methods for authenticating devices in physically insecure environments because of its advantage of being unclear. PUFs include optical PUFs, arbiter PUFs, and memory-based intrinsic PUFs. Optical PUFs are a representative example of optical PUFs. Optical PUFs create one-way functions through physical means, and challenge–response pairs (CRPs) are used only once to prevent replay attacks. However, optical PUFs require bulky external apparatus, resulting in high costs. CMOS-compatible APUFs (arbiter PUFs) exploit random interconnects and transistor gate time delays introduced during manufacturing. However, APUFs are based on a linear additive structure, making them vulnerable to various modeling attacks. Memory-based intrinsic PUFs refer to PUFs embedded in electronic devices during the manufacturing process. These are practical due to the ubiquity of memory in commercial electronic products. The PUFs we use are assumed to satisfy the following properties:

• A PUF is a physically unclonable function. PUFs are fundamentally assumed to be resistant to cloning and modification. They are also assumed to be highly resistant to environmental factors and aging. In other words, an identical device cannot be made by cloning a PUF, and attempts to change a device containing a PUF will change the operation of the PUF and destroy it.
• A PUF has the property of a one-way function. In other words, the challenge $Cn$ cannot be found using the output response $Rn$ of a specific PUF.
• Different PUF1 and PUF2 output different responses $Rn1$ and $Rn2$ for the same challenge $Cn$.
• For the same challenge $Cn$, one PUF outputs the same response $Rn$ every time.
• When multiple PUFs are used, the probability of collision is assumed to be low, meaning devices with identical responses are highly unlikely. Therefore, PUFs can be used in IoT devices to distinguish between a large number of devices effectively.

4. Review of Hu et al.’s Scheme

In this section, we introduce Hu et al. [8]’s scheme. The scheme proposed by Hu et al. [8] consists of three participants: the user, gateway node, and sensor node. The user and sensor node perform mutual authentication to share a session key. This scheme is divided into initialization, registration, and login and authentication phases. The details are as follows.

4.1. Initialization Phase

The gateway node $GWN$ generates two secret keys $K_{GS}$ and $K_{GU}$ and creates the generator P of an elliptic curve. Subsequently, it computes the public key $pk=K_{GU}P$.

4.2. Registration Phase

This phase comprises user registration and sensor node registration. The details are as follows:

4.2.1. User Registration Phase

To register with $GWN$, user $U_i$ follows these steps:

• $U_i$ inputs their $I{D}_i$ and $P{W}_i$ and then generates a random number $r_i$. $U_i$ subsequently computes $A_i=h(I{D}_i\Vert P{W}_i\Vert r_i)$ and sends the message $\{I{D}_i,A_i\}$ to $GWN$ through a secure channel.
• After receiving the message from $U_i$, $GWN$ sets the expiration time $T{E}_i$ for the protocol. Then, using the public key of the sensor, it computes the temporary credential $T{C}_i=h(I{D}_i\Vert I{D}_{GWN}\Vert pk\Vert T{E}_i)$ and $PT{C}_i=T{C}_i\oplus A_i$. $GWN$ stores $\{I{D}_{GWN},T{E}_i,pk,h\left(\right),PT{C}_i\}$ with hash function $h\left(\right)$ in the smart card $SC$ that will be sent to the user and transmits it to $U_i$ through a secure channel.
• $U_i$ computes $T{C}_i=PT{C}_i\oplus A_i$ and $B_i=T{C}_i\oplus h(I{D}_i\Vert P{W}_i)$ and stores $B_i$ instead of storing $PT{C}_i$ in the smart card $SC$. Finally, $SC$ contains $\{I{D}_{GWN},T{E}_i,pk,h\left(\right),B_i\}$.

4.2.2. Sensor Registration Phase

$GWN$ selects the identity $SI{D}_j$ of sensor node $S_j$. It then computes the temporary credential $T{C}_j=h(K_{GS}\Vert SI{D}_j)$ and sends $\{SI{D}_j,T{C}_j\}$ through a secure channel. $S_j$ securely stores $\{SI{D}_j,T{C}_j\}$.

4.3. Login and Authentication Phase

In this phase, user $U_i$, with the assistance of $GWN$, exchanges a session key with $S_j$. The details are as follows:

• $U_i$ attempts to log in by entering $I{D}_i$ and $P{W}_i$. Then, they generate random numbers $N_i$ and $x_i$. After computing $T{C}_i=B_i\oplus h(I{D}_i\Vert P{W}_i)$, $U_i$ proceeds to calculate $T_1=x_{i}P$, $T_2=(I{D}_i\Vert T{E}_i\Vert SI{D}_j\Vert N_i)\oplus h\left(x_{i}pk\right)$, and $T_3=h(T_1\Vert I{D}_i\Vert I{D}_{GWN}\Vert T{C}_i\Vert N_i\Vert T{E}_i\Vert SI{D}_j)$. Finally, $U_i$ sends the message $M_1=\{T_1,T_2,T_3\}$ to $GWN$ via a public channel.

  $$T_1=x_{i}P$$

  (1)

  $$T_2=(I{D}_i\Vert T{E}_i\Vert SI{D}_j\Vert N_i)\oplus h\left(x_{i}pk\right)$$

  (2)

  $$T_3=h(T_1\Vert I{D}_i\Vert I{D}_{GWN}\Vert T{C}_i\Vert N_i\Vert T{E}_i\Vert SI{D}_j)$$

  (3)
• $GWN$ receives $M_1=\{T_1,T_2,T_3\}$ from $U_i$ and performs the following computations to authenticate $U_i$: $(I{D}_i\Vert T{E}_i\Vert SI{D}_j\Vert N_i)=T_2\oplus h\left(x_{i}pk\right)$, $T{C}_i=h(I{D}_i\Vert I{D}_{GWN}\Vert pk\Vert T{E}_i)$, and $T_3=h(T_1\Vert I{D}_i\Vert I{D}_{GWN}\Vert T{C}_i\Vert N_i\Vert T{E}_i\Vert SI{D}_j)$. If the $T_3=T_3$ values match and $T{E}_i$ is also correct, $GWN$ generates $N_2,$$x_1$, and $x_2$ and then performs the following computations: $T{C}_j=h(K_{GS}\Vert SI{D}_j)$, $T_4=x_2\oplus h(T{C}_j\Vert N_2\Vert I{D}_{GWN})$, $T_5=h(I{D}_i\Vert T{E}_i\Vert x)\oplus h(N_2\Vert T{C}_j)$, and $T_6=h(T_1\Vert h(I{D}_i\Vert T{E}_i\Vert x)\Vert x_2\Vert N_2)$. Finally, $GWN$ sends $M_2=\{T_1,T_4,T_5,T_6,N_2\}$ to $S_j$ through a public channel.

  $$T_4=x_2\oplus h(T{C}_j\Vert N_2\Vert I{D}_{GWN})$$

  (4)

  $$T_5=h(I{D}_i\Vert T{E}_i\Vert x)\oplus h(N_2\Vert T{C}_j)$$

  (5)

  $$T_6=h(T_1\Vert h(I{D}_i\Vert T{E}_i\Vert x)\Vert x_2\Vert N_2)$$

  (6)
• $S_j$ receives $M_2=\{T_1,T_4,T_5,T_6,N_2\}$ from $GWN$ and performs the following computations: $x_2=T_4\oplus h(T{C}_j\Vert N_2\Vert I{D}_{GWN})$, $h(I{D}_i\Vert T{E}_i\Vert x)=T_5\oplus h(N_2\Vert T{C}_j)$, and $T_6=h(T_1\Vert h(I{D}_i\Vert T{E}_i\Vert x)\Vert x_2\Vert N_2)$. $S_j$ verifies if $T_6=T_6$ and then generates $N_3$ and $x_3$. Afterward, $S_j$ performs the following computations: $T_7=x_{3}P$, $SK=h\left(h\right(I{D}_i\Vert T{E}_i\Vert x)\Vert SI{D}_j\Vert x_3{T}_1\Vert T_1\Vert T_7)$, $T_8=h(SK\Vert N_3)$, $T_9=(T_8\Vert T_7\Vert N_3)\oplus h(T{C}_j\Vert N_2)$, and $T_{10}=h(T{C}_j\Vert T_7\Vert N_2\Vert T_8)$. Finally $S_j$ sends $M_3=\{T_9,T_{10}\}$ to $GWN$ via a public channel.

  $$T_7=x_{3}P$$

  (7)

  $$SK=h\left(h\right(I{D}_i\Vert T{E}_i\Vert x)\Vert SI{D}_j\Vert x_3{T}_1\Vert T_1\Vert T_7)$$

  (8)

  $$T_8=h(SK\Vert N_3)$$

  (9)

  $$T_9=(T_8\Vert T_7\Vert N_3)\oplus h(T{C}_j\Vert N_2)$$

  (10)

  $$T_{10}=h(T{C}_j\Vert T_7\Vert N_2\Vert T_8)$$

  (11)
• $GWN$ receives $M_3=\{T_9,T_{10}\}$ and performs the following computations: $(T_8\Vert T_7\Vert N_3)=T_9\oplus h(T{C}_j\Vert N_2)$ and $T_{10}=h(T{C}_j\Vert T_7\Vert N_2\Vert T_8)$. Then, $GWN$ verifies if $T_{10}=T_{10}$ and computes $T_{11}=(T_8\Vert N_1\Vert T_7\Vert N_3\Vert x)\oplus h(N_1\Vert T{C}_j)$. Subsequently, $GWN$ sends $M_4=\left\{T_{11}\right\}$ to $U_i$ via a public channel.

  $$T_{11}=(T_8\Vert N_1\Vert T_7\Vert N_3\Vert x)\oplus h(N_1\Vert T{C}_j)$$

  (12)
• $U_i$ receives $M_4=\left\{T_{11}\right\}$ from $GWN$ and performs the following computations: $(T_8\Vert N_1\Vert T_7\Vert N_3\Vert x)=T_{11}\oplus h(N_1\Vert T{C}_j)$, $SK=h\left(h\right(I{D}_i\Vert T{E}_i\Vert x)\Vert SI{D}_j\Vert x_1{T}_7\Vert T_1\Vert T_7)$, and $T_8=h(SK\Vert N_3)$. Then, $U_i$ verifies if $T_8=T_8$.

  $$SK=h\left(h\right(I{D}_i\Vert T{E}_i\Vert x)\Vert SI{D}_j\Vert x_1{T}_7\Vert T_1\Vert T_7)$$

  (13)

5. Limitations of Hu et al.’s Scheme

We discovered a critical vulnerability in Hu et al. [8]’s scheme. First, if an attacker gains control of a sensor node, the attacker can extract the critical values necessary for authentication. Subsequently, the attacker can generate values as if they were sensor nodes, causing confusion in the gateway node. Ultimately, an attacker can share the session key with the user, rendering it legitimate. A detailed explanation of the vulnerability found in Hu et al. [8]’s scheme is provided in the following sections.

5.1. Extraction of Critical Authentication Values

The attacker can extract information from the public channel and obtain data from the sensor node, allowing the attacker to capture $M_2=\{T_1,T_4,T_5,T_6,N_2\}$ and acquire the information $\{SI{D}_j,T{C}_j\}$ of sensor node $S_j$. Because $\{SI{D}_j,T{C}_j\}$ contains all the data $S_j$ may hold, the attacker gains access to both $M_2=\{T_1,T_4,T_5,T_6,N_2\}$ and $\{SI{D}_j,T{C}_j\}$.

5.2. Impersonation of Sensor Nodes

The attacker masquerades as the sensor node $S_j$, generates $N_3^{\prime }$ and $x_3^{\prime }$, and then performs the following computations: $x_2=T_4\oplus h(T{C}_j\Vert N_2\Vert I{D}_{GWN})$, $h(I{D}_i\Vert T{E}_i\Vert x)=T_5\oplus h(N_2\Vert T{C}_j)$, $T_6=h(T_1\Vert h(I{D}_i\Vert T{E}_i\Vert x)\Vert x_2\Vert N_2)$, $T_7^{\prime }=x_3^{\prime }P$, $S{K}^{\prime }=h\left(h\right(I{D}_i\Vert T{E}_i\Vert x)\Vert SI{D}_j\Vert x_3^{\prime }{T}_1\Vert T_1\Vert T_7^{\prime })$, $T_8^{\prime }=h(S{K}^{\prime }\Vert N_3^{\prime })$, $T_9^{\prime }=(T_8^{\prime }\Vert T_7^{\prime }\Vert N_3^{\prime })\oplus h(T{C}_j\Vert N_2)$, and $T_{10}^{\prime }=h(T{C}_j\Vert T_7^{\prime }\Vert N_2\Vert T_8^{\prime })$. The attacker then pretends to be $S_j$ and sends $M_3^{\prime }=\{T_9^{\prime },T_{10}^{\prime }\}$ to $GWN$ via a public channel.

Subsequently, $GWN$ receives $M_3^{\prime }=\{T_9^{\prime },T_{10}^{\prime }\}$ from the attacker masquerading as $S_j$ and performs the following computations: $(T_8^{\prime }\Vert T_7^{\prime }\Vert N_3^{\prime })=T_9^{\prime }\oplus h(T{C}_j\Vert N_2)$ and $T_{10}^{″}=h(T{C}_j\Vert T_7^{\prime }\Vert N_2\Vert T_8^{\prime })$. It verifies if $T_{10}^{\prime }=T_{10}^{″}$, computes $T_{11}^{\prime }=(T_8^{\prime }\Vert N_1\Vert T_7^{\prime }\Vert N_3^{\prime }\Vert x)\oplus h(N_1\Vert T{C}_j)$, and then sends $M_4^{\prime }=\left\{T_{11}^{\prime }\right\}$ to $U_i$ via a public channel.

5.3. Illegitimate Session Key Exchange

$U_i$ receives $M_4^{\prime }=\left\{T_{11}^{\prime }\right\}$ from $GWN$ and performs the following computations: $(T_8^{\prime }\Vert N_1\Vert T_7^{\prime }\Vert N_3^{\prime }\Vert x)=T_{11}^{\prime }\oplus h(N_1\Vert T{C}_j)$ and $S{K}^{\prime }=h\left(h\right(I{D}_i\Vert T{E}_i\Vert x)\Vert SI{D}_j\Vert x_1{T}_7^{\prime }\Vert T_1\Vert T_7^{\prime })$. At this point, because the equation $x_1{T}_7^{\prime }=x_1{x}_3^{\prime }P=x_3^{\prime }{T}_1$ holds true, $S{K}^{\prime }$ is the session key shared by an attacker impersonating $S_j$.

6. Proposed Scheme

The proposed scheme consists of four phases: user registration, sensor node registration, authentication, key distribution, and password update. The notation used in the protocol design is defined in

Table 1. Notation.

Notation	Description
$U_i,$  $S{N}_j$	i-th user, j-th sensor node
$GWN$	Medical gateway node
$I{D}_i,$  $P.I{D}_i$	Identity, pseudonym of i-th user
$SI{D}_j,$  $P.SI{D}_j$	Identity, pseudonym of j-th sensor node
$(Cn,$  $Rn)$	Challenge–response pair of PUF
$SK$	Session key
$R_1,$  $R_2,$$\dots$	Random number
$T_1,$  $T_2,$$\dots$	Time stamp

, and the proposed scheme is illustrated in Figure 1.

6.1. User Registration Phase

In this phase, the user registers their identity and password and issues a smart card for login. The details are presented in Figure 2.

• User $U_i$ enters $I{D}_i$ and $P{W}_i$ into the mobile device and computes $A_i=h(I{D}_i\Vert P{W}_i)$. Then, Ui sends the message $\{I{D}_i,A_i\}$ to $GWN$ through a private channel.

  $$A_i=h(I{D}_i\Vert P{W}_i)$$

  (14)
• $GWN$ generates two random numbers $P.I{D}_i,ke{y}_i$ after receiving the message from $U_i$ and computes $K_i=ke{y}_i\oplus h(A_i\Vert K_{gu})$. Then, it stores $\{I{D}_i,P.I{D}_i,K_{gu},Ki\}$ in the database and sends the message $\{P.I{D}_i,K_{gu},K_i\}$ to $U_i$ through a private channel.

  $$K_i=ke{y}_i\oplus h(A_i\Vert K_{gu})$$

  (15)
• $U_i$ generates a random number $b_i$ after receiving the message from $GWN$, computes $ke{y}_i=K_i\oplus h(A_i\Vert K_{gu})$ and $B_i=A_i\oplus b_i$, $V_i=h(I{D}_i\Vert b_i)$, and stores $\{P.I{D}_i,K_{gu},B_i,V_i\}$ in the memory of $U_i$’s mobile device.

  $$ke{y}_i=K_i\oplus h(A_i\Vert K_{gu})$$

  (16)

  $$B_i=A_i\oplus b_i$$

  (17)

  $$V_i=h(I{D}_i\Vert b_i)$$

  (18)

6.2. Sensor Node Registration Phase

A sensor node must be registered using $GWN$. The details are presented in Figure 3.

• $GWN$ generates a random number $P.SI{D}_j$ and a challenge $C_n$ and sends them to the sensor node $S{N}_j$ through a private channel.
• $S{N}_j$ outputs the response $R_n<-PUF\left(Cn\right)$ and sends it to $GWN$ through a private channel.
• $S{N}_j$ stores $P.SI{D}_j$ in the memory.

6.3. Authentication and Key Distribution Phase

In the authentication and key distribution phases, when user $U_i$ logs in, $GWN$ verifies it and facilitates the exchange of the session key between the user and sensor node $S{N}_j$. The details are presented in Figure 4.

• $U_i$ inputs $I{D}_i$ and $P{W}_i$ to the mobile device, which computes $b_i^{*}=B_i\oplus h(I{D}_i\Vert P{W}_i)$ and $V_i^{*}=h(I{D}_i\Vert b_i^{*})$. Then, the device verifies whether $V_i^{*}=V_i$. If it does not match, the device stops the protocol; otherwise, it proceeds to the next steps. In this process, a method of limiting the maximum number of login attempts using a counter can be used to consider the case where an attacker attempts multiple logins. For example, if the counter is set to 10, if an attacker attempts to login more than 10 times, the login function on the mobile device can be locked for a certain period of time.
• $U_i$ generates a random number $R_1$ and timestamp $T_1$ and computes $A_i=h(I{D}_i\Vert P{W}_i)$, $K_i=ke{y}_i\oplus h(A_i\Vert K_{gu})$, $M1=R_1\oplus h(P.I{D}_i\Vert K_i\Vert T_1)$, $M2=h(P.I{D}_i\Vert R_1\Vert K_i\Vert T_1)$, and $T.SI{D}_j=K_i\oplus SI{D}_j$. Subsequently, $U_i$ sends the message $\{M1,M2,P.I{D}_i,T.SI{D}_j,T_1\}$ to $GWN$.

  $$M1=R_1\oplus h(P.I{D}_i\Vert K_i\Vert T_1)$$

  (19)

  $$M2=h(P.I{D}_i\Vert R_1\Vert K_i\Vert T_1)$$

  (20)

  $$T.SI{D}_j=K_i\oplus SI{D}_j$$

  (21)
• After receiving the message from $U_i$, $GWN$ first checks the validity of the timestamp $T_1$. If it is not valid, $GWN$ stops the protocol; otherwise, $GWN$ checks $P.I{D}_i$ in the message and computes $R_1^{*}=M1\oplus h(P.I{D}_i\Vert K_i\Vert T_1)$ and $M{2}^{*}=h(P.I{D}_i\Vert R_1^{*}\Vert K_i\Vert T_1)$ using the information stored in the database for $U_i$, then verifies whether $M_2^{*}=M_2$.
• $GWN$ computes $SI{D}_j=K_i\oplus T.SI{D}_j$ and checks the $SI{D}_j$ of $S{N}_j$.
• Then, $GWN$ generates the random session key $SK$ and timestamp $T_2$ and computes $M_3=SK\oplus P.SI{D}_j\oplus h\left(Rn\right)$ and $M4=h(SK\Vert P.SI{D}_j\Vert Rn\Vert T_2)$. Then, $GWN$ sends the message $\{M3,M4,Cn,T_2\}$ to $S{N}_j$.

  $$SI{D}_j=K_i\oplus T.SI{D}_j$$

  (22)

  $$M_3=SK\oplus P.SI{D}_j\oplus h\left(Rn\right)$$

  (23)

  $$M4=h(SK\Vert P.SI{D}_j\Vert Rn\Vert T_2)$$

  (24)
• $S{N}_j$ checks the validity of the timestamp $T_2$. Then, $S{N}_j$ outputs the response $Rn<-PUF\left(Cn\right)$, using the challenge $Cn$ received from $GWN$. $S{N}_j$ computes $S{K}^{*}=M3\oplus P.SI{D}_j\oplus h\left(Rn\right)$ and $M4*=h(S{K}^{*}\Vert P.SI{D}_j\Vert Rn\Vert T_2)$, and then verifies whether $M{4}^{*}=M4$.

  $$S{K}^{*}=M3\oplus P.SI{D}_j\oplus h\left(Rn\right)$$

  (25)
• $S{N}_j$ generates timestamp $T3$ and computes $M5=h(SK\Vert h\left(Rn\right)\Vert T_3)$. Then, $S{N}_j$ sends the message $\{M5,T_3\}$ to $GWN$.

  $$M5=h(S{K}^{*}\Vert h\left(Rn\right)\Vert T_3)$$

  (26)
• $GWN$ checks the validity of timestamp $T_3$. If it is not valid, $GWN$ stops the protocol; otherwise, $GWN$ computes $M{5}^{*}=h(SK\Vert h\left(Rn\right)\Vert T_3)$ and then verifies whether $M{5}^{*}=M5$.
• $GWN$ generates a random number $R_2$ and timestamp $T_3$, and computes $M6=R_2\oplus h(P.I{D}_i\Vert K_i\Vert T_4)$, $M7=SK\oplus P.I{D}_i\oplus h(K_i\Vert R_2)$, and $M8=h(R_2\Vert SK\Vert T_4)$. Then, $GWN$ sends the message $\{M6,M7,M8,T_4\}$ to $U_i$.

  $$M6=R_2\oplus h(P.I{D}_i\Vert K_i\Vert T_4)$$

  (27)

  $$M7=SK\oplus P.I{D}_i\oplus h(K_i\Vert R_2)$$

  (28)

  $$M8=h(R_2\Vert SK\Vert T_4)$$

  (29)
• Ui checks the validity of the timestamp $T_4$. If it is not valid, the GWN stops the protocol; otherwise, Ui computes $R_2^{*}=M6\oplus h(P.I{D}_i\Vert K_i\Vert T_4)$, $S{K}^{*}=M7\oplus P.I{D}_i\oplus h(K_i\Vert R_2)$, and $M{8}^{*}=h(R_2^{*}\Vert S{K}^{*}\Vert T_4)$. Then, it verifies whether $M{8}^{*}=M8$.

  $$S{K}^{*}=M7\oplus P.I{D}_i\oplus h(K_i\Vert R_2)$$

  (30)

Once all the processes are completed, the authentication and key distribution between $U_i$ and $S{N}_j$ through $GWN$ are completed. Before terminating the session, $U_i$ and the $GWN$ update the new user pseudonym using $R_2$ as follows: $P.I{D}_i^n=P.I{D}_i\oplus R_2$ and $P.I{D}_i=P.I{D}_i^n$. In addition, $GWN$ and $S{N}_j$ update the new sensor node pseudonym using $SK$ as follows: $P.SI{D}_j^n=P.SI{D}_j\oplus h\left(SK\right)$ and $P.SI{D}_j=P.SI{D}_j^n$.

6.4. Password Update Phase

Users must be able to change their passwords when required. The proposed scheme allows the users to change their password with the help of $GWN$, as shown in Figure 5.

• $U_i$ inputs a new password, $P{W}_i^n$, and computes $A_i^{n}ew=h(I{D}_i\Vert P{W}_i^n)$ and $M9=A_i^n\oplus h(I{D}_i\Vert K_{gu})$. $U_i$ sends the message $\{P.ID\_i,M9\}$ to $GWN$.
• $GWN$ computes $A_i^n=M9\oplus h(I{D}_i\Vert K_{gu})$ and generates a random number $ke{y}_i^n$. Subsequently, $GWN$ computes $K_i^n=ke{y}_i^n\oplus h(A_i^n\Vert K_{gu})$ and $M10=K_i^n\oplus h(A_i^n\Vert K_{gu})$, and sends the message $\left\{M10\right\}$ to $U_i$.
• $U_i$ computes $K_i^n=M10\oplus h(A_i^n\Vert K_{gu})$ and $ke{y}_i^n=K_i^n\oplus h(A_i^n\Vert K_{gu})$ and generates a random number $b_i^{n}ew$. Subsequently, $U_i$ computes $B_i^n=A_i^n\oplus b_i,V_i^n=h(I{D}_i\Vert b_i^n)$.
• $U_i$ stores $\{P.I{D}_i,K_{gu},ke{y}_i^n,B_i^n,V_i^n\}$ in the memory.

7. Security Analysis of the Proposed Scheme

In this section, we describe the formal security analysis conducted using ProVerif as well as an informal security analysis addressing seven key security properties. The details are as follows:

7.1. Formal Security Analysis

ProVerif is a tool for automatically analyzing the security of cryptographic protocols. ProVerif (1) checks whether specific values in the protocol are not exposed to attackers, (2) verifies that mutual trust relationships between communication participants are properly established, and (3) analyzes traceability and anonymity, providing analysis for protocols with unlimited sessions and an unlimited message space [20].

We verified the proposed scheme using ProVerif, a formal analysis tool that ensures the proper functioning of programs. As in several recent studies [21,22,23], we used ProVerif to demonstrate that our scheme provides a viable authentication method and prevents the extraction of sensitive information.

We verify the results in

Table 2. ProVerif query results.

Verification summary:

Query inj-event(endUi(idu)) ==> inj-event(startUi(idu)) is true.

Query inj-event(endGWN(idg)) ==> inj-event(startGWN(idg)) is true.

Query inj-event(endSNj(ids)) ==> inj-event(startSNj(ids)) is true.

Query not attacker(SK[]) is true.

using the queries listed in

Table 3. ProVerif code for queries.

(*—-queries—-*)

query idu:bitstring; inj-event(endUi(idu)) ==> inj-event(startUi(idu)).

query idg:bitstring; inj-event(endGWN(idg)) ==> inj-event(startGWN(idg)).

query ids:bitstring; inj-event(endSNj(ids)) ==> inj-event(startSNj(ids)).

query attacker(SK).

(*—-process—-*)

process

((!Ui)|(!GWN)|(!SNj))

. The results are as follows:

• Query inj-event(EVENT) ==> inj-event(EVENT) is true.
• Query not attacker(K) is true.

The statement “Query inj-event(EVENT) ==> inj-event(EVENT) is true” confirms that the event has been successfully verified, signifying that the event occurred as intended. This implies that, under the specified conditions, the authentication mechanism operates as expected. Similarly, the statement “Query not attacker(K) is true” indicates that the attacker was unable to obtain the keys within the array, as the query result confirms the security of the keys.

For the registration phase, we employed two private channels, and for the login and authentication phases, we used two public channels. Each channel is assumed to connect user Ui and the GWN, as well as the GWN and sensor node SNj. Specifically, privateChannel1 serves as the private channel linking Ui and the GWN during the registration phase for Ui. Similarly, privateChannel2 connects SNj and the GWN during the registration phase for SNj. For the login and authentication phase, publicChannel1 links Ui to the GWN, while publicChannel2 connects SNj to the GWN.

To verify the security of the session key, we define it as a private variable. We also predefine information, such as IDi, PWi, Kgu, GWNd, SIDj, and SID. The identifiers IDi, GWNd, and SID were separately defined to distinguish individuals accessing the system during the login and authentication phases. We define a concat function responsible for the concatenation, hash function, PUF function, and XOR operation, all of which are integral to the system. Additionally, we define an event that distinguishes between the login and authentication processes. These definitions are summarized in

Table 4. ProVerif code for defining values and functions.

(*—-channels—-*)

free privateChannel1:channel [private].

free privateChannel2:channel [private].

free publicChannel1:channel.

free publicChannel2:channel.

(*—-constants—-*)

free IDi:bitstring [private].

free PWi:bitstring [private].

free Kgu:bitstring [private].

free GWNd:bitstring [private].

free SIDj:bitstring.

free SID:bitstring [private].

(*—-shared key—-*)

free SK:bitstring [private].

(*—-functions—-*)

fun concat(bitstring, bitstring):bitstring.

fun h(bitstring):bitstring.

fun PUF(bitstring):bitstring.

fun xor(bitstring, bitstring):bitstring.

equation forall p:bitstring, q:bitstring; xor(xor(p, q), q)=p.

(*—-events—-*)

event startUi(bitstring).

event endUi(bitstring).

event startGWN(bitstring).

event endGWN(bitstring).

event startSNj(bitstring).

event endSNj(bitstring).

.

The behavioral information for each Ui, GWN, and SNj during the registration, login, and authentication phases is presented in

Table 5. ProVerif code for the Ui.

(*—-Ui process—-*)

let Ui =

let Ai = h(concat(IDi, PWi)) in

out(privateChannel1,(IDi, Ai));

in(privateChannel1, (XPIDi:bitstring, XKgu:bitstring, XKi:bitstring));

let xkeyi = xor(XKi, h(concat(Ai, XKgu))) in

new bi:bitstring;

let Bi = xor(Ai, bi) in

let Vi = h(concat(IDi, bi)) in

event startUi(IDi);

new R1:bitstring;

new T1:bitstring;

let M1 = xor(R1, h(concat(concat(XPIDi, R1), T1))) in

let M2 = h(concat(concat(XPIDi, R1), concat(XKi, T1))) in

let TSIDj = xor(SIDj, XKi) in

out(publicChannel1,(M1, M2, XPIDi, TSIDj, T1));

in(publicChannel1,(XM6:bitstring, XM7:bitstring, XM8:bitstring, XT4:bitstring));

let GR2 = xor(XM6, h(concat(concat(XPIDi, XKi), XT4))) in

let GSK = xor(XM7, xor(XPIDi, h(concat(XKi, GR2)))) in

let GM8 = h(concat(concat(GR2, GSK), XT4)) in

if (GM8=XM8) then event endUi(IDi).

,

Table 6. ProVerif code for the GWN.

(*—-GWN process—-*)

let GWN =

in(privateChannel1,(XIDi:bitstring, XAi:bitstring));

new keyi:bitstring;

new PIDi:bitstring;

let Ki = xor(keyi, h(concat(XAi, Kgu))) in

out(privateChannel1, (PIDi, Kgu, Ki));

new PSIDj:bitstring;

new Cn:bitstring;

out(privateChannel2, (PSIDj, Cn));

in(privateChannel2, (XRn:bitstring));

event startGWN(GWNd);

in(publicChannel1,(XM1:bitstring, XM2:bitstring, XPIDi:bitstring, XTSIDj:bitstring, XT1:bitstring));

let GR1 = xor(XM1, h(concat(concat(XPIDi, Ki), XT1))) in

let GM2 = h(concat(concat(XPIDi, GR1), concat(Ki, XT1))) in

if (XM2=GM2) then

let SIDj = xor(XTSIDj, Ki) in

new T2:bitstring;

new SK:bitstring;

let M3 = xor(SK, xor(PSIDj, h(XRn))) in

let M4 = h(concat(concat(SK, PSIDj), concat(XRn, T2))) in

out(publicChannel2, (M3, M4, Cn, T2));

in(publicChannel2, (XM5:bitstring, XT3:bitstring));

let GM5 = h(concat(concat(SK, h(XRn)), XT3)) in

if (XM5=GM5) then

new R2:bitstring;

new T4:bitstring;

let M6 = xor(R2, h(concat(concat(PIDi, Ki), T4))) in

let M7 = xor(SK, xor(PIDi, h(concat(Ki, R2)))) in

let M8 = h(concat(concat(R2, SK), T4)) in

out(publicChannel1, (M6, M7, M8, T4));

event endGWN(GWNd).

and

Table 7. ProVerif code for the SNj.

(*—-SNj process—-*)

let SNj =

in(privateChannel2, (XPSIDj:bitstring, XCn:bitstring));

let Rn = PUF(XCn) in

out(privateChannel2, (Rn));

event startSNj(SID);

in(publicChannel2, (XM3:bitstring, XM4:bitstring, XCn:bitstring, XT2:bitstring));

let GSK = xor(XM3, xor(XPSIDj, h(Rn))) in

let GM4 = h(concat(concat(GSK, XPSIDj), concat(Rn, XT2))) in

if (XM4=GM4) then

new T3:bitstring;

let M5 = h(concat(concat(GSK, h(Rn)), T3)) in

out(publicChannel2, (M5, T3));

event endSNj(SID).

, respectively. It has been explicitly stated that the registration phase occurs through private channels, whereas the login and authentication phases occur via public channels.

7.2. Informal Security Analysis

The proposed scheme satisfied seven critical security requirements. The security properties we verified were impersonation attacks, anonymity and untraceability, replay attacks, forward secrecy, mutual authentication, man-in-the-middle attacks, and PUF modeling attacks. We summarize the latest studies and indicate whether they satisfy the corresponding security properties in

Table 8. Comparison of security features.

Security Features	Wu et al. [9]	Sahoo et al. [10]	Hu et al. [8]	Wenfeng Huang [11]	Ours
Resist impersonation attack	O	O	X	O	O
Provide anonymity and untraceability	O	O	O	O	O
Resist replay attack	O	O	O	O	O
Provide forward secrecy	O	O	O	O	O
Provide mutual authentication	O	O	O	O	O
Resist man-in-the-middle attack	O	O	X	O	O
PUF modeling attack	X	X	X	X	O

. The detailed explanations of each security property are as follows.

7.2.1. Impersonation Attack

In our proposed scheme, even if the attackers physically obtain the user’s mobile device or sensor node and capture the stored information, they cannot impersonate a legitimate user $U_i$ or a sensor node $S{N}_j$. The information stored in the user’s mobile device is $\{P.I{D}_i,K_{gu},ke{y}_i,B_i,V_i\}$. Even if the attackers know this information, they cannot log into the mobile device unless they input a legitimate $P{W}_i$. Even if the attackers log into the mobile device, they cannot proceed with the user authentication procedure because they cannot generate the $A_i$ shared with $GWN$ during the user registration phase without a legitimate $P{W}_i$. Even if the attackers obtain $S{N}_j$, the only information stored in $S{N}_j$ is $P.SI{D}_j$, and even if they use the trace transmitted through the public channel, they cannot generate the response $Rn$ used as authentication information because of the PUF characteristics. Thus, they cannot proceed with the sensor node authentication procedure.

7.2.2. Anonymity and Untraceability

In the authentication and key distribution phase, $I{D}_i$ and $SI{D}_j$ are not transmitted over the public channel, so even if an attacker obtains the message, he cannot figure out $I{D}_i$ and $SI{D}_j$. In addition, the pseudonyms of the user and sensor, $P.I{D}_i$ and $P.SI{D}_j$, are randomly generated by the $GWN$ during the user and sensor registration phase. Therefore, even if an attacker obtains the user $P.I{D}_i$ and the sensor $P.SI{D}_j$, he cannot find $I{D}_i$ and $SI{D}_j$. Thus, the proposed scheme provides anonymity for the user and the sensor (actually, the patient wearing the sensor). Furthermore, at the end of every session, $U_i$ and $GWN$ and $GWN$ and $S{N}_j$ update $P.I{D}_i$ and $P.SI{D}_j$ to $P.I{D}_i^n$ and $P.SI{D}_j^n$, respectively. In the process, $P.I{D}_i^n$ and $P.SI{D}_j^n$ are generated using $GWN$-generated random numbers $R_2$ and $SK$, so even if an attacker captures the mobile device and sensor and obtains the $P.I{D}_i$ and $P.SI{D}_j$ stored on each, he cannot trace the user and sensor to the pseudonym used per session.

7.2.3. Replay Attack

All messages transmitted during the authentication and key-distribution phases include a timestamp, and entities that receive the transmitted message proceed with subsequent processes only if the timestamp is valid. Therefore, the proposed protocol can withstand replay attacks.

7.2.4. Forward Secrecy

In our proposed scheme, session keys are generated randomly for each session. Therefore, even if an attacker knows or has the previous session key, the attacker cannot infer other session keys. Therefore, the proposed scheme satisfies forward secrecy.

7.2.5. Mutual Authentication

During the authentication and key distribution phases, $U_i$, $GWN$, and $S{N}_j$ are mutually authenticated. $GWN$ and $U_i$ authenticate each other by verifying the messages $M{2}^{*}=h(P.I{D}_i\Vert R_1^{*}\Vert K_i\Vert T_1)$ and $M{8}^{*}=h(R_2\Vert S{K}^{*}\Vert T_4)$, respectively. Similarly, $GWN$ and $S{N}_j$ authenticate each other by verifying the messages $M{5}^{*}=h(SK\Vert h\left(R_n\right)\Vert T_4)$ and $M{4}^{*}=h(S{K}^{*}\Vert P.SI{D}_j\Vert R_n\Vert T_2)$. If any of the verifications are invalid, the session is aborted. Therefore, the proposed scheme provides mutual authentication.

7.2.6. Man-in-the-Middle Attack

Assume that an attacker can intercept all messages sent to a public channel. Here, we take the message $M_1,M_2,P.I{D}_i,T.SI{D}_j,T_1$ sent by $U_i$ to $GWN$ during the authentication phase as an example. An attacker attempts to alter the authentication value $M_2=h(P.I{D}_i\Vert R_1\Vert K_i\Vert T_1)$. However, the attacker does not know $K_i$ and $R_1$, and therefore cannot compute $M_2$. Thus, the request message sent by the attacker cannot be authenticated using $GWN$. Similarly, $M4$, $M5$, and $M8$, which are used as authentication values, contain information that is unknown to the attacker. As a result, tampering with authentication values is impossible. Therefore, the proposed scheme is resistant to man-in-the-middle attacks.

7.2.7. PUF Modeling Attack

In the proposed scheme, during the sensor node registration phase, a challenge–response pair of the PUF [24] is transmitted over a private channel. Furthermore, during the authentication and key distribution phases, $GWN$ sends only the challenge to $S{N}_j$. Therefore, PUF modeling attacks that collect a large number of challenge–response pairs and predict legitimate challenge–response pairs based on machine learning are not possible using the proposed scheme.

7.2.8. Denial of Service Attack

During the authentication and key distribution phases, an attacker can attempt to launch denial-of-service attacks on mobile devices and sensor nodes. However, the proposed scheme can prevent denial-of-service attacks by limiting the number of attacks on the device by using counters to limit the maximum number of login attempts and timestamps to limit the possible time of attacks on sensor nodes.

8. Performance Analysis of the Proposed Scheme

We compared our scheme with four recent schemes [8,9,10,11] in terms of computational efficiency. We analyzed the computational load according to the experimental environment of Kim et al. [25] and He et al. [26]. The CPU used was an Intel(R) Core(TM) i7-8565U @1.80 GHz, 1.99 GHz, with 16.0 GB of RAM, and the experiments were conducted on a desktop running Windows 10 Home. The Java Development Kit (JDK) 17 was used, and elliptic curve multiplication operations were measured using the secp521r1 ECC. Extracting biometric information using a fuzzy extractor is similar to multiplying the operation time [26].

The computational times we established are as follows. We set the time required to compute a hash function to 0.007 ms, and the time for extracting biometric information from the fuzzy extractor and performing multiplication operations on the elliptic curve to 34.32 ms. Additionally, the time required to compute a symmetric key was set to 0.23 ms. The computational times for each operation are listed in

Table 9. Computation times for each operation (ms).

Symbol	Meaning	Time (ms)
$T_h$	Computation time for hash functions	$0.007$
$T_B$	Extraction time of biometric information in fuzzy extractors	$34.32$
$T_M$	Multiplication operation time in ECC	$34.32$
$T_E$, $T_D$	Computation time for symmetric key encryption and decryption	$0.23$

.

We measured the computational overhead in the login and authentication phases of each scheme [8,9,10,11] and the proposed scheme. The results are presented in

Table 10. Comparisons of computational costs (ms).

Entity	Wu et al. [9]	Sahoo et al. [10]	Hu et al. [8]	Wenfeng Huang [11]	Ours
User	$8T_h$ = 0.056	$6T_h+1T_B+1T_E+1T_D+1T_M$ = 69.142	$6T_h+1T_M$ = 34.362	$17T_h+4T_M+1T_B$ = 171.719	$9T_h$ = 0.063
Gateway node	$9T_h$ = 0.063	$5T_h+1T_D+1T_E+2T_M$ = 69.135	$11T_h$ = 0.077	$16T_h+2T_M$ = 68.696	$8T_h$ = 0.056
Sensor node	$5T_h$ = 0.035	$6T_h+1T_D+1T_E+1T_M$ = 34.822	$1T_h+1T_M$ = 34.327	$8T_h+2T_M$ = 68.696	$3T_h$ = 0.021
Total	$22T_h$ = 0.154	$17T_h+1T_B+3T_D+3T_E+4T_M$ = 173.099	$18T_h+2T_M$ = 68.766	$41T_h+8T_M+1T_B$ = 309.167	$20T_h$ = 0.14

.

In Wu et al. [9]’s scheme, the user performs eight hash operations, the gateway node performs nine hash operations, and the sensor node performs five hash operations, resulting in twenty-two hash operations. This amounts to a computational cost of $22T_h$ = 0.154 ms.

In Sahoo et al. [10]’s scheme, the user performs six hash operations, one fuzzy extractor operation for extracting biometric data, one symmetric encryption, one symmetric decryption, and one elliptic curve multiplication. The gateway node performs five hash operations, one symmetric encryption, one symmetric decryption, and two elliptic curve multiplications. The sensor node performs six hash operations, one symmetric encryption, one symmetric decryption, and one elliptic curve multiplication. Therefore, the computational cost of Sahoo et al.’s scheme is $17T_h+1T_B+3T_D+3T_E+4T_M$ = 173.099 ms, which includes 17 hash operations, one fuzzy extractor, three symmetric encryptions, three symmetric decryptions, and four elliptic-curve multiplications.

In Hu et al. [8]’s scheme, the user performs six hash operations and one elliptic curve multiplication, the gateway node performs eleven hash operations, and the sensor node performs one hash operation and one elliptic curve multiplication. This results in 18 hash operations and two elliptic curve multiplications, amounting to $18T_h+2T_M$ = 68.766 ms of computational cost.

In Wenfeng Huang [11]’s scheme, the user performs 17 hash operations, four elliptic curve multiplications, and one fuzzy extractor operation; the gateway node performs 16 hash operations and two elliptic curve multiplications; and the sensor node performs 8 hash operations and two elliptic curve multiplications. This results in 41 hash operations, eight elliptic curve multiplications, and one fuzzy extractor operation, with a computational cost of $41T_h+8T_M+1T_B$ = 309.167 ms.

Finally, in the proposed scheme, the user performs nine hash operations, the gateway node performs eight hash operations, and the sensor node performs three hash operations, resulting in twenty hash operations at a computational cost of $20T_h$ = 0.14 ms.

9. Discussion

We compared the security analysis of state-of-the-art schemes [8,9,10,11] with that of our proposed scheme and evaluated the computational cost in terms of performance. The proposed scheme not only satisfies seven critical security properties but also demonstrates robustness against PUF modeling attacks, making it more secure than other studies in this regard.

In terms of computational cost, the time required for authentication in our scheme is 0.14 ms under the environment used by Kim et al. [25]. Compared with other schemes, using the performance improvement calculation $(t2-t1)/t1$, where $t1$ is the proposed scheme and $t2$ represents other schemes, the following improvements were obtained: 10% compared to Wu et al. [9], 1235.42% compared to Sahoo et al. [10], 490.18% compared to Hu et al. [8], and 2207.33% compared to Wenfeng Huang [11]. This demonstrates that our scheme not only achieves an average improvement in performance of 985.73% but also performs 10% better than Wu et al. [9], which is the most lightweight among the compared schemes.

Our performance evaluation is based on the computation metrics measured by Kim et al. [25] and He et al. [26]. Therefore, differences may arise if measurements are conducted using CPUs, GPUs with different performance characteristics, or quantum computers in the future. While the computation of hash functions is very lightweight and may not show significant differences with new devices, public key operations such as elliptic curve computations could be performed more efficiently with improved hardware.

10. Conclusions

In this study, we analyzed Hu et al.’s scheme and found that an attacker can impersonate legitimate sensor nodes and generate illegitimate session keys using information stored in the sensor nodes and information transmitted over public channels. To overcome these vulnerabilities, our proposed scheme utilizes PUFs to make it impossible to impersonate the sensor nodes. By using PUFs, we minimize the computation of resource-constrained sensor nodes and ensure anonymity and untraceability by using pseudonyms that change from session to session instead of user and sensor node identities. In addition, an informal security analysis shows that the proposed scheme ensures forward secrecy and mutual authentication and is resistant to man-in-the-middle and PUF modeling attacks.

However, the proposed scheme can be utilized in a single-gateway environment, assuming the internal environment of a single hospital. For future expansion to a wider range of healthcare services, a multigateway environment must be considered.