1-RAAP: An Efficient 1-Round Anonymous Authentication Protocol for Wireless Body Area Networks

Thanks to the rapid technological convergence of wireless communications, medical sensors and cloud computing, Wireless Body Area Networks (WBANs) have emerged as a novel networking paradigm enabling ubiquitous Internet services, allowing people to receive medical care, monitor health status in real-time, analyze sports data and even enjoy online entertainment remotely. However, because of the mobility and openness of wireless communications, WBANs are inevitably exposed to a large set of potential attacks, significantly undermining their utility and impeding their widespread deployment. To prevent attackers from threatening legitimate WBAN users or abusing WBAN services, an efficient and secure authentication protocol termed 1-Round Anonymous Authentication Protocol (1-RAAP) is proposed in this paper. In particular, 1-RAAP preserves anonymity, mutual authentication, non-repudiation and some other desirable security properties, while only requiring users to perform several low cost computational operations. More importantly, 1-RAAP is provably secure thanks to its design basis, which is resistant to the anonymous in the random oracle model. To validate the computational efficiency of 1-RAAP, a set of comprehensive comparative studies between 1-RAAP and other authentication protocols is conducted, and the results clearly show that 1-RAAP achieves the best performance in terms of computational overhead.


Introduction
Since the concept of Wireless Body Area Network (WBAN) was proposed in [1], it has drawn considerable attention from both academia and industry. The WBAN technology can be utilized in several applications such as physiological and medical monitoring, human computer interaction, and education, as well as entertainment. The technology provides a convenient environment to support and monitor the daily lives and medical conditions of patients without any restrictions. WBAN is a kind of short distance communication network consisting of various kinds of sensors. The sensors, which are attached to or implanted into the human body, could be used to collect and transmit important physiological signals (such as the temperature, the blood glucose, the blood pressure, etc.), human activities or action signals as well as information about the environment around a human's body.
Despite the past non-trivial efforts, the WBAN concept still needs increasing research attention because of the openness of the wireless environment. In particular, the leakage of privacy is the major concern of potential users and must be taken into account. Due to its unique characteristics, such as open medium channel, signal noise, mobile terminals, etc., WBANs encounter many security challenges in their practical applications. For example, in medical applications, authorized patients should share

Paper Outline
The rest of the paper is organized as follows: in Section 2, we provide a review of the definitions for groups equipped with bilinear maps and several complexity assumptions. The proposed 1-RAAP and its security properties analysis are thoroughly presented in Section 3. Computational efficiency and the performance evaluation are given in Section 4 followed by the conclusions presented in Section 5.

Bilinear Pairings
Definition 1. Bilinear Pairings map. A bilinear pairing is defined as a map $e : G_1 \times G_1 \to G_2$, where $G_1$ is a cyclic additive group generated by $P$, whose order is a prime $q$, and $G_2$ is a cyclic multiplicative group of the same order. We assume that the discrete logarithm problems (DLP) in both $G_1$ and $G_2$ are hard. Bilinear pairings have the following properties:
- Bilinearity: let $P, Q \in G_1$ and random numbers $a, b \in Z_q$; then $e(aP, bQ) = e(P, Q)^{ab}$;
- Non-degeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq I_{G_2}$, where $I_{G_2}$ denotes the identity element of group $G_2$;
- Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

Complexity Assumptions
Definition 2. Decisional Diffie-Hellman (DDH) Problem. $G_1$ is a cyclic additive group of prime order $q$, $P$ is the generator of $G_1$; for any $a, b, c \in Z_q$, given an instance $\langle aP, bP, cP \rangle$, it is difficult to decide whether $abP = cP$.

Definition 3. Divisible Computational Diffie-Hellman (DCDH) Problem. $G_1$ is a cyclic additive group of prime order $q$, $P$ is the generator of $G_1$; for $a \in Z_q$, given an instance $\langle aP, bP \rangle$, it is difficult to compute $\frac{b}{a}P$ and $abP$.

1-Round Anonymous Authentication Protocol for WBANs
In this section, 1-RAAP is specifically presented.

Definitions and Protocol Description
The proposed anonymous authentication protocol contains three entities, as shown in Figure 1.
- Network Manager (NM): it serves as a user management server in WBAN application scenarios;
- WBAN User: it refers to the user who uses certain WBAN terminals or applications such as a PDA, smart phone, biosensor or medical device to regularly access various medical services that are offered by the Application Server;
- Application Server (AS): it provides corresponding services to authorized users, including patient monitoring, physician consult, and so on. It can be a hospital, clinic, physician and even a weather forecast station.
The user first registers to be a legitimate user of the system before enjoying the service, and then sends a request to the server to acquire the related information. Upon receiving the request, the server first checks its database to verify the legitimacy of the user, and then provides related services to the valid user. 1-RAAP implements mutual authentication between the WBAN user and the application server, and guarantees that the user can gain access to the services anonymously. In other words, the server provides service to the authenticated user without knowing who he really is. Despite knowing the user's account index, the server has no idea about who is asking for service. In addition, the user cannot deny that he has ever logged in to the system to use the service because no one without the private key can successfully authenticate. The proposed 1-RAAP meets the features of WBAN, so the server can implement efficient and secure relevant services.

Initialization
System is set up by NM, generating keys and establishing an enrollment system. In this step, NM determines its public/private key pair $\langle s_{NM}, PK_{NM} \rangle$, where $PK_{NM} = s_{NM}P$, and publicizes the system parameters $\{l, G_1, G_2, q, P, H, PK_{NM}\}$, in which $l$ represents the security parameter. We suppose that AS also has a long-term key pair $\langle s_{AS}, PK_{AS} \rangle$, where $PK_{AS} = s_{AS}P$. Each user generates a public/private key pair $\langle s_U, PK_U \rangle$, where $PK_U = s_UP$. $(G_1, +)$ and $(G_2, \cdot)$ are a cyclic additive group and a cyclic multiplicative group of the same prime order $q$, and $H$ is a secure hash function, $H : \{0, 1\}^* \times G_1 \to Z_q$.

Registration
Each user must execute this stage (shown in Figure 2) before accessing the services. The user sends his identity $ID_U$ and public key $PK_U$ to the network manager. The network manager chooses $k \in Z_q$ randomly, then computes a user index $Ind_U = kP$ and $U = kPK_U$ for the user, and simultaneously issues $\langle Ind_U, U, k \rangle$ to the user and $Account = \langle Ind_U, U, Right \rangle$ to the server.
Here, $Right$ indicates auxiliary information such as service type and prescriptive period. This phase should be carried out over a secure channel. We believe that NM is reliable, which is a prerequisite and the basis of trust, so $k$ will not be leaked to others.

Authentication
The WBAN user should perform the following steps to prove him/herself to AS when she/he needs to obtain relevant information, as shown in Figure 3.
- Select $r \in Z_q$ randomly and compute $R = rP$ and $Ind_U^* = Ind_U + rPK_{AS}$.
- Pick up the current time $t_c$ and compute $h = H(t_c, R + U)$.

On receiving the service request message $M_1$, AS first checks the validity of the time stamp $t_c$, then computes $Ind_U = Ind_U^* - s_{AS}R$, searches the database with the user's index $Ind_U$ and verifies whether the equation $vP + hU \stackrel{?}{=} R$ holds, where $h = H(t_c, R + U)$. If the equation holds, we consider that the user is legitimate. Otherwise, the protocol terminates immediately. The AS will perform the following steps:
- Compute the session key: $key = H(Ind_U \| t_c, R + U)$.
AS sends $M_2$ to the user. Upon receiving the response message $M_2$, the user computes the session key. Then, the user checks the integrity of the message authentication code by the session key. If the result is negative, the user quits the current session.
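The registration and authentication exchange described above, as an added Python example (not code from the paper or its authors). Assumptions: secp256k1 stands in for $G_1$, SHA-256 instantiates $H$, HMAC-SHA1 is the MAC, the 30-second freshness window and all function names are illustrative, and $v = r - h k s_U \bmod q$ is derived here from the check $vP + hU = R$ because the page does not show how the user computes $v$.

```python
import hashlib, hmac, secrets

# Assumption: secp256k1 stands in for the paper's group G_1 (the paper uses a
# supersingular pairing curve; the authentication phase itself needs no pairing).
FP = 2**256 - 2**32 - 977                                                  # field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141    # group order q
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator P

def add(A, B):
    """Point addition in G_1; None is the identity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP)
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, A):
    """Scalar multiplication kA, double-and-add (not constant time)."""
    k, out = k % Q, None
    while k:
        if k & 1:
            out = add(out, A)
        A, k = add(A, A), k >> 1
    return out

def neg(A):
    return None if A is None else (A[0], -A[1] % FP)

def enc(A):
    return b"\x00" if A is None else A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def H(data, point):
    """H: {0,1}* x G_1 -> Z_q, instantiated with SHA-256 (assumption)."""
    digest = hashlib.sha256(len(data).to_bytes(4, "big") + data + enc(point)).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    s = secrets.randbelow(Q - 1) + 1
    return s, mul(s, P)

def nm_register(PK_U):
    """NM: Ind_U = kP, U = k PK_U. Returns the user's <Ind_U, U, k> and the AS account."""
    k = secrets.randbelow(Q - 1) + 1
    ind, U = mul(k, P), mul(k, PK_U)
    return (ind, U, k), (ind, U)           # Right omitted from the account

def user_request(s_U, cred, PK_AS, t_c):
    """User: build M_1 = (R, v, t_c, Ind*_U)."""
    ind, U, k = cred
    r = secrets.randbelow(Q - 1) + 1
    R = mul(r, P)
    ind_star = add(ind, mul(r, PK_AS))     # Ind*_U = Ind_U + r PK_AS
    h = H(t_c.to_bytes(8, "big"), add(R, U))
    v = (r - h * k * s_U) % Q              # assumed step: makes vP + hU = R hold
    return (R, v, t_c, ind_star)

def session(ind, t_c, R, U):
    """Both sides: key = H(Ind_U || t_c, R + U) and M_2 = MAC_key(h), 20 bytes."""
    tc = t_c.to_bytes(8, "big")
    key = H(enc(ind) + tc, add(R, U)).to_bytes(32, "big")
    h = H(tc, add(R, U)).to_bytes(32, "big")
    return key, hmac.new(key, h, hashlib.sha1).digest()

def as_verify(s_AS, accounts, M1, now, window=30):
    """AS: return (key, M_2) or None. `window` (seconds) is an assumed freshness bound."""
    R, v, t_c, ind_star = M1
    if abs(now - t_c) > window:
        return None                        # stale or future time stamp
    ind = add(ind_star, neg(mul(s_AS, R))) # Ind_U = Ind*_U - s_AS R
    U = accounts.get(ind)
    if U is None:
        return None                        # no such account index
    h = H(t_c.to_bytes(8, "big"), add(R, U))
    if add(mul(v, P), mul(h, U)) != R:     # vP + hU ?= R
        return None
    return session(ind, t_c, R, U)

def user_finish(cred, M1, M2):
    """User: recompute the key and check M_2; None means quit the session."""
    ind, U, _ = cred
    R, _, t_c, _ = M1
    key, expected = session(ind, t_c, R, U)
    return key if hmac.compare_digest(expected, M2) else None

if __name__ == "__main__":
    s_AS, PK_AS = keygen()
    s_U, PK_U = keygen()
    cred, (ind, U) = nm_register(PK_U)
    M1 = user_request(s_U, cred, PK_AS, t_c=1_700_000_000)   # constructed time stamp
    key, M2 = as_verify(s_AS, {ind: U}, M1, now=1_700_000_005)
    print("mutual authentication ok:", user_finish(cred, M1, M2) == key)
```

The arithmetic here is not constant time and $R$ is not validated as a curve point; both would need to be addressed before using such code outside a demonstration.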
We then carefully examined the operational efficiency of 1-RAAP and compared it to those of the existing schemes. Table 1 summarizes the results, in which PCM means the point multiplication in $G_1$, EXC means the exponentiation computation in $G_2$, and BP means the bilinear pairings computation. Table 1 shows that our scheme involves two point multiplication operations in $G_1$ and two hash operations on the client side, and three point multiplication operations in $G_1$ and two hash operations on the server side. Neither side performs exponentiation in $G_2$ or bilinear pairings. Generally, the pairing operation is several times more complex than the scalar multiplication in $G_1$. Thus, the number of pairing operations is a key performance metric. It is easily observed that our scheme is significantly simplified and can obtain higher efficiency as a whole.

Security Analysis
In this subsection, we give a comparison between our scheme and the other existing schemes. It demonstrates that our scheme provides a higher security level. We will specifically analyze the seven security characteristics provided by the 1-RAAP authentication protocol.

Anonymity
When a WBAN user registers to the system, the network manager randomly chooses $k \in Z_q$ for the user to generate an index $Ind_U$ and signature $U$. Then the user authenticates to the WBAN service network and the application server (AS), who provides service to the authenticated user. However, AS does not know who the authenticated user really is in this process. The advantages of the anonymous requests for services are to avoid the leakage of private information and to increase the flexibility of authentication. Anonymity means that an adversary $A_I$ cannot obtain the real identity of any WBAN client based on the existing communication. Now we formalize a game: when an oracle $O_\Pi(ID)$ outputs a session message $\Pi$ of a legitimate user with the identity $ID$, $A_I$ tries to reveal $ID$ with the help of AS.
Proof. Suppose adversary $A_I$ is a probabilistic polynomial time Turing machine who tries to reveal an anonymous user's real ID corresponding to any existing session message with non-negligible probability after getting enough experience. Simulator $C$ has a strong ability to imitate any state of the whole communication environment and shares all information with AS, who may be a malicious AS.
When $C$ receives a DCDH instance $\langle Ind_U, U \rangle = \langle kP, ks_UP \rangle$, its goal is to compute $PK_U = s_UP$ to find the corresponding ID. $C$ gives the parameters $\{l, G_1, G_2, q, P, H, PK_{NM}\}$ and $\langle Ind_U, U \rangle$ to $A_I$. It attempts to simulate the challenger by simulating all the oracles to obtain the ID of client $U$. In particular, $A_I$ can query as follows:
- H-Queries: $A_I$ can query the random oracle $H$ at any time. $C$ simulates the random oracle by keeping a list of couples $\langle K_i, h_i \rangle$ that is called $L_H$, where $K_i$ is a couple $\langle x_i, \Upsilon_i \rangle$ with $x_i \in \{0, 1\}^*$ and $\Upsilon_i \in G_1$. When the oracle is queried with an input $K$, $C$ responds as follows:
1. If the query $K$ is already in an item $\langle K, h_i \rangle$ of $L_H$, $C$ outputs $h_i$.
2. Otherwise, $C$ selects a random $h \in Z_q$, outputs $h$ and adds $\langle K, h \rangle$ to $L_H$.
- Initial-Queries: $C$ simulates the initial message sent by any WBAN client $U$ with $\langle Ind_U, U \rangle$ and $t_c$. $C$ answers the query as follows:
1. $C$ picks random $h, v \in Z_q$, where $h$ is not equal to any existing output of the $H$ oracle.
2. $C$ computes $R = vP + hU$. If $K = \langle t_c, R + U \rangle$ equals any previous input of the $H$ oracle, then it returns to step 1.
3. $C$ computes $Ind_U^* = Ind_U + s_{AS}R$ and outputs $(R, v, t_c, Ind_U^*)$ as the initial message $M_1$ sent from client $U$.
- Respond-Queries: $C$ simulates the response message sent by AS with $(R, v, t_c, Ind_U^*)$. $C$ answers the query as follows: $C$ outputs $MAC_{key}(h)$ as the response message $M_2$ sent from AS.
Thus, the initial message can be generated without knowing the private key $s_U$ of user $U$. All oracles simulated by $C$ have high quality; $A_I$ is fully satisfied with all the queries' answers. It can fully exert its ability.
Eventually, given an input of $(R, v, t_c, Ind_U^*)$, adversary $A_I$, with non-negligible probability, outputs a legal public key $PK_U$ of client $U$ and reveals the real ID from $PK_U$. Here, $(R, v, t_c, Ind_U^*)$ is not any output of Initial-Queries. $C$ then successfully solves $\langle Ind_U, U, PK_U \rangle = \langle kP, ks_UP, s_UP \rangle$. It obviously contradicts the hardness of the DCDH problem.
Definition 5. An authentication scheme achieves unlinkability, if for any probabilistic polynomial time adversary A II in the above UL Game, Adv A II "ˇˇPrrx ś 1 ,

Theorem 2. (Unlinkability)
The security-enhanced anonymous authentication protocol achieves unlinkability, assuming the hardness of DDHP described in Section 2.
Unlinkability [32][33][34][35] means that an adversary $A_{II}$ cannot distinguish WBAN clients based on their communication. This means that all the session messages generated by clients should not leak any information to $A_{II}$ that allows $A_{II}$ to trace them. Now, similar to [35], we formalize the UL Game: when an oracle $O_\Pi(b)$ for $b \in (0, 1)$ outputs two session messages $(\Pi_1, \Pi_2)$ with two identical $(b = 0)$ or two different $(b = 1)$ legitimate clients, $A_{II}$ guesses $b \in (0, 1)$ with the help of NM.
Proof. Suppose adversary $A_{II}$ is a probabilistic polynomial time Turing machine whose input consists of public data. It can represent two identical or two different WBAN clients from two given session messages with non-negligible probability after getting enough experience. Simulator $C$ has a strong ability to imitate any state of the whole communication environment and shares all information with NM, who may be a malicious NM. When $C$ receives a DDH instance $(aP, bP, Q)$, its goal is to decide if $Q = abP$. $C$ gives the parameters $\{l, G_1, G_2, q, P, e, H, h, Q_{PKG}\}$ to $A_{II}$. It attempts to simulate the challenger by simulating all the oracles. In particular, $A_{II}$ can query as follows: Thus, the initial message can be generated without knowing the partial private key $s_U$ of client $U$. All oracles simulated by $C$ have high quality; $A_{II}$ is fully satisfied with all the queries' answers. It can fully exert its ability.

Mutual Authentication
1-RAAP realizes the mutual authentication between the user and the server. On receiving the request and the signature U from the user, the server searches its database with the account index Ind U to ensure the existence of the user and then verifies the authenticity of the user by using the user's public key. If all processes hold, the server sends the message authentication code to the user. Then, the user first verifies whether the message authentication code is equal to the value he computed by himself. If so, the user verifies the signature to determine the validity of the server.

Non-Repudiation
Because $R$ is generated by the user, no one can forge it without the information on the user's private key, so the user cannot deny that he has ever requested the services provided by the server.

Session Key Establishment
The server and the user will negotiate a session key during authentication process. Only the user and the server know the session key.

Immunity of Key Escrow
This protocol is based on the scheme described previously that can solve the inherent key escrow problem in general anonymous authentication protocol. This property can be obtained directly from Theorem 1.

Unforgeability
The information of the user and AS cannot be forged in our protocol. In the first case, if there is an adversary who tries to pretend to be a legal user, he cannot get the value $k$. Even if he forges a fake key, AS will calculate $Ind_U$ and compare it with the one from the fake user. If they are not equal, the identity of the adversary will be exposed. In the second case, if there is an adversary who wants to pretend to be the AS, he does not know $s_{AS}$ and cannot calculate $Ind_U$. From the above, we can conclude that our protocol has unforgeability.

Forward Security
The proposed 1-RAAP can provide the forward security property under the DCDH assumption. Suppose that the private key of the AS or the private key of a User were corrupted after establishing a session key shared by the AS and the user. Let $a$ and $b$ be the ephemeral keys used by the AS and the User during the establishment of the shared session key respectively. Obviously, in order to compute $abP$ in the shared session key, the adversary who has obtained the full private key must solve the DCDH problem in $G_1$ without the knowledge of either $a$ or $b$. Therefore, our protocol provides the property of forward security.
Sensors 2016, 16, 728
Compared with the other schemes, the proposed 1-RAAP is more secure and provides thorough privacy protection. To sum up, 1-RAAP realizes the mutual authentication between the user and the server, the user can obtain the corresponding service under the condition that the user's key information will not be leaked.

Performance Evaluation
We are particularly concerned about the computational complexity and energy consumption of 1-RAAP. To validate that, we set up simulations and compare 1-RAAP with several typical existing schemes. We first analyze the message size which is related to energy consumption on message propagation. Then, a detailed analysis on computational time is provided, along with discussions about energy consumption on both message transmission and computation.

Message Size
Due to the significant effect of the message size on the energy consumption, we start by analyzing the message size of the following schemes.
- The Certificate-Based Authentication Scheme in [2]: the total message size of the scheme is equal to $|M| + |tt| + |SIG| + |Cert_{U_{ID}}|$; here $|*|$ denotes the size of "*" in bytes. The minimum size of $|Cert_{U_{ID}}|$ is 86 bytes according to the method mentioned in [36]. According to [37], we know SIG is $|q|$ bytes. Then we assume the message size of M is 20 bytes, the time stamp tt is 2 bytes, and $|q|$ is 20 bytes, so the message size of the certificate-based authentication scheme is 128 bytes.
- A mutual authentication and key exchange scheme in [6]: the total message size of the scheme is equal to $|ID_i| + |SIG| + |U| + |t_{1c}| + |t_{2c}| + |Auth|$. Similarly, $ID_i$ is the address of 2 bytes, SIG is $|q|$ bytes, $U$ is an element of $G_1$ of the order $|q|$, $t_{1c}$ and $t_{2c}$ are time stamps of 2 bytes respectively, and Auth is a hash value of 20 bytes given by SHA-1. Then we can calculate that the message size is 66 bytes.
- Identity-Based Anonymous Remote Authentication scheme in [10]: the total message size of the scheme is equal to $|ID_{sp}| + |R_1| + |SIG| + |t_c| + |MAC|$. Using the same assumption, $ID_{sp}$ is the address of 2 bytes, $R_1$ is an element of $G_1$ of the order $|q|$, SIG is $|q|$ bytes, $t_c$ is a time stamp of 2 bytes, and MAC is 20 bytes given by SHA-1, so the message size is 64 bytes.
- The ID-Based Authentication Scheme in [11]: the total message size of the scheme is equal to $|ID_U| + |x| + |SIG| + |Z| + |t_u|$. Here $ID_U$ denotes the user's address of 2 bytes, $|x|$ and $t_u$ are elements of $G_1$ and of $Z_q$, respectively, with the same order $|q|$, and $Z$ is a hash value which should be 20 bytes given by SHA-1; similarly, SIG is $|q|$ bytes, so the message size is 82 bytes.
- An efficient remote user authentication and key agreement protocol in [19]: the total message size of the scheme is equal to $|ID_C| + |U| + |r| + |Auth| + |R_c| + |V|$. As above, $ID_C$ is the address of 2 bytes, $U$, $R_c$ and $V$ are elements of $G_1$ of the order $|q|$, $r$ is the element of $Z_q$ of the order $|q|$, and Auth is a hash value of 20 bytes given by SHA-1. The message size is 102 bytes.
- Certificateless Remote Anonymous Authentication scheme in [30]: the total message size of the scheme is equal to $|v| + |U| + |t_c| + |T1| + |I1| + |MAC|$. Using the same assumption, $t_c$ is the address of 2 bytes, $U$, $T1$ and $I1$ are elements of $G_1$ of the order $|q|$, $v$ is the element of $Z_q$ of the order $|q|$, and MAC is a hash value of 20 bytes given by SHA-1. The message size is 102 bytes.
- Revocable and Scalable Certificateless Remote Anonymity Authentication scheme in [31]: the total message size of the scheme is equal to $|C_0| + |C_1| + |C_2| + |C_3| + |R_B| + |MAC|$. Using the same assumption, $C_0$, $C_1$, $C_2$, $C_3$ and $R_B$ are elements of $Z_q$ of the order $|q|$, and MAC is a hash value of 20 bytes given by SHA-1. The message size is 120 bytes.
- The proposed 1-RAAP authentication protocol: its total message size is equal to $|Ind_U^*| + |R| + |t_c| + |v| + |MAC|$. Assuming that everything else is the same as above, $Ind_U^*$ and $R$ are elements of $G_1$ of the order $|q|$, $v$ is the element of $Z_q$ of the order $|q|$, $t_c$ is a time stamp of 2 bytes, and the MAC is 20 bytes given by SHA-1. Thus we obtain that our scheme's size is 82 bytes.
Figure 4 shows the message sizes of different schemes. From them, we can arrive at the following conclusions:
- Firstly, the certificate-based authentication scheme in [2] has the maximum message size due to the existence of the certification.
- Secondly, we can further see that the message size of the Identity-Based Anonymous Remote Authentication scheme in [10] is the minimum, but according to the scheme in [30], the message size of the ID-based scheme increases with the increased value of $|q|$. In our comparison, we assume $|q|$ is 20 bytes, so it is clear this scheme will not have the minimum message size when $|q|$ increases.
- Finally, being neither the maximum nor the minimum in message size, our scheme does not seem to have obvious advantages over the others. However, by the following analysis, our scheme shows a better trade-off.

Computational Time
From Section 4.1, it is clear that certificate-based scheme with relatively greater message size is not quite suitable to WBAN, so in the remaining sections, the features of other selected schemes will be quantified except the certificate-based scheme. Now, we analyze the computational efficiency of these schemes.

Simulation Environment Setup
In this subsection, we set up the simulation hardware environment to measure the computational time of these selected schemes. The simulation environment of AS is Windows XP OS on an Intel(R) Pentium IV 3.0 GHz processor and 512 MB memory. The hardware environment of a typical mobile WBAN client, such as a PDA, has a low-power high-performance 32-bit Intel(R) PXA270 624 MHz processor [38] and 128 MB memory running Windows CE 5.2 OS. In addition, the pairing operation is defined over a supersingular elliptic curve $y^2 = x^3 + x$. The run time of cryptographic primitives on the AS is obtained by experiment and that on the client terminal is estimated using the method in [37]. The simulations are run several times and the results are averaged to compensate for the randomness. Moreover, we set the message authentication code to 160 bits.

Simulation Results
Noting that the computational overhead mainly results from the cryptographic operations, for the sake of simplicity we use the computational time consumed on different cryptographic operations as an approximation of the computational overhead. Table 3 lists the run time of several cryptographic operations. In the selected schemes, the computation overhead is mainly due to the cryptographic operations of exponentiation in $Z_q$, multiplication in $G_1$ and pairing. Given the cryptographic operations and their corresponding time consumption, we can calculate the computational time of the authentication process of the selected schemes (shown in Figure 5).
By comparing with the other schemes in different phases, it is clear that our scheme performs better. We note that the server takes the most time in 1-RAAP, but the server spends most of that time on the initialization phase, which runs only once at the beginning of the system's setup; 1-RAAP costs the least in total authentication process time after being initialized. It is obviously more efficient than the others. It proves that 1-RAAP successfully transfers the calculation burden to the server, whose computing ability is relatively stronger. Also, it saves energy in the user terminal. These merits make 1-RAAP very suitable for the WBAN scenario.

Energy Consumption
In this subsection, the evaluation of the energy consumption has two aspects: first, we consider the effect of message propagation on the energy consumption; second, we take the computation overhead into account. Eventually, we make an in-depth analysis of the pros and cons of each scheme.
We use the same method as in [39] to evaluate the energy consumption due to the transmission of messages of different sizes. As is reported, a Chipcon CC1000 radio used in Crossbow MICA2DOT motes consumes 28.6 µJ and 59.2 µJ to receive and transmit one byte, respectively, at an effective data rate of 12.4 kb/s. Moreover, we assume a packet size of 41 bytes, 32 bytes for the payload and 9 bytes for the header. The header, ensuing an 8-byte preamble, consists of source, destination, length, packet ID, CRC, and a control byte. Thus receiving one 41-byte packet (in addition to the 8-byte preamble) costs 49 × 28.6 = 1.40 mJ, and the corresponding transmission costs 49 × 59.2 = 2.90 mJ. Knowing this, we can calculate the total energy overhead of every scheme as follows:
(1) The Certificate-Based Authentication Scheme in [2]: From Section 4.1, we know the message size of this scheme is 128 bytes and then we take the following steps to calculate the energy overhead.
- Divide the message into four packets in total, all of them are 41 bytes.
- The bytes to be transmitted are: 41 × 4 + 8 × 4 = 196 bytes, and the relevant energy overhead is 196 × 59.2 = 11.60 mJ.
- The bytes to be received are: 196 bytes, and the related energy consumption is 196 × 28.6 = 5.61 mJ.
(2) The ID-Based Authentication Scheme in [11]: The message size of this scheme is 82 bytes. We do the same steps to obtain the energy overhead.
- Divide the message into three packets in total, among which two of them are 41 bytes, and one is 27 bytes.
- The bytes to be transmitted are: 41 × 2 + 27 × 1 + 8 × 3 = 133 bytes, and the relevant energy overhead is 133 × 59.2 = 7.87 mJ.
- The bytes to be received are: 133 bytes, and the related energy consumption is 133 × 28.6 = 3.80 mJ.
(3) A mutual authentication and key exchange scheme in [6]: The message size of this scheme is 66 bytes. The energy overhead is calculated using the following steps:
- Divide the message into three packets in total, among which two of them are 41 bytes, and one is 11 bytes.
- The bytes to be transmitted are: 41 × 2 + 11 × 1 + 8 × 3 = 117 bytes, and the relevant energy overhead is 117 × 59.2 = 6.93 mJ.
- The bytes to be received are: 117 bytes, and the related energy consumption is 117 × 28.6 = 3.35 mJ.
(4) Identity-Based Anonymous Remote Authentication scheme in [10]: The message size of this scheme is 64 bytes. We do the same steps to obtain the energy overhead:

- The bytes to be received are: 166 bytes, and the related energy consumption is 188 × 28.6 = 5.38 mJ.
(8) 1-RAAP: From Section 3, we know the message size of 1-RAAP is 82 bytes, so the energy overhead is calculated as follows.
- Divide the message into four packets in total, among which two of them are 41 bytes, and one is 27 bytes.
- The bytes to be transmitted are: 41 × 2 + 27 × 1 + 8 × 3 = 133 bytes, and the relevant energy overhead is 133 × 59.2 = 7.87 mJ.
- The bytes to be received are: 166 bytes, the related energy consumption is 3.80 mJ.
Figure 6 shows that 1-RAAP offers a relatively lower energy message propagation overhead as compared to the others, while the scheme in [31] consumes the most energy. In order to facilitate comparisons, we sum up the performance evaluation comparison between the different authentication protocols in Table 4. The results in Table 4 demonstrate that the proposed 1-RAAP generally outperforms the others and offers a better tradeoff between the security properties and performance. We would like to design a protocol with a better trade-off between computational overhead and energy consumption, so that the computational complexity of the authentication protocols can be decreased as a whole. This makes it more suitable for wireless body area networks.

Conclusions
A secure 1-round anonymous authentication protocol for WBANs, 1-RAAP, is proposed in this paper. All the user operations involved in the scheme require a very small amount of calculation. Complex computation is transferred to a server with relatively higher computing ability. The security properties of mutual authentication, non-repudiation, anonymity, and session key establishment allow users to securely access the services at any time. Furthermore, the analysis of energy consumption demonstrates that our scheme has higher efficiency. To sum up, the proposed 1-RAAP authentication scheme can achieve a better performance compared with the current schemes, and provides communication services efficiently and securely for WBAN users.