A Novel Lightweight Authentication Scheme for RFID-Based Healthcare Systems

The Internet of Things (IoT) has been integrated into legacy healthcare systems for the purpose of improving healthcare processes. As one of the key technologies of IoT, radio frequency identification (RFID) technology has been applied to offer services like patient monitoring, drug administration, and medical asset tracking. However, people have concerns about the security and privacy of RFID-based healthcare systems, which require a proper solution. To solve the problem, recently in 2019, Fan et al. proposed a lightweight RFID authentication scheme in the IEEE Network. They claimed that their scheme can resist various attacks in RFID systems with low implementation cost, and thus is suitable for RFID-based healthcare systems. In this article, our contributions mainly consist of two parts. First, we analyze the security of Fan et al.’s scheme and find out its security vulnerabilities. Second, we propose a novel lightweight authentication scheme to overcome these security weaknesses. The security analysis shows that our scheme can satisfy the necessary security requirements. Besides, the performance evaluation demonstrates that our scheme is of low cost. Thus, our scheme is well-suited for practical RFID-based healthcare systems.


Introduction
The Internet of Things (IoT), as its name implies, means to connect a large number of objects to the Internet, such as smartphones, vehicles, sensors, and wearable devices [1]. Nowadays, IoT has gradually penetrated into our daily life, providing services and resources in various domains, including healthcare, smart cities, home automation, smart grid, industrial manufacturing, logistics, business management, and intelligent transportation [2,3].
One of the fundamental technologies of IoT is radio frequency identification (RFID) [4]. RFID uses radio waves for short-range communication so as to provide contactless and automatic object identification [5]. A typical RFID system consists of three components: RFID tag, reader, and server. In the system, each tag is attached to an object and usually stores the information about the object. The reader plays a role as the intermediary between the tag and the server. To identify an object, the reader first retrieves the object information from the tag and then sends it to the server for further processing.
With the convenient feature of contactless automatic identification, RFID technology has in recent years been applied in healthcare systems to provide intelligent services such as patient monitoring, drug administration, and medical asset tracking [6]. The architecture of a common RFID-based healthcare system is shown in Figure 1. A patient in the system is given a wearable device (e.g., a smart wristband) that contains a sensor and a tag. The sensor in the wearable device collects the patient's medical data and then stores it in the tag. A nurse can read the patient data from the tag using a reader. The data is then transmitted to the server so that doctors can remotely access the patient information, which helps with the goal of real-time patient monitoring. In addition, medication errors [7] caused by inadequate patient monitoring can be reduced. Drugs are also attached with tags so that medical staff can easily check their integrity and availability with a reader. Medical staff can further verify whether the right drug is being given to the right patient. According to the U.S. Food and Drug Administration [8], the improvement of drug management can also help reduce the number of medication errors. By integrating RFID technology, hospitals can track medical assets in order to mitigate theft loss, improve resource utilization, and save costs [6]. Thus, patients and medical staff can benefit greatly from these services. Although an RFID-based healthcare system has many advantages over a traditional one, it suffers from new security and privacy risks [9]. For example, if an adversary can track a tag embedded in the smart wristband of a patient, the location of the patient is known to the adversary. Furthermore, an adversary may impersonate a legitimate reader to collect a patient's medical data from the patient's smart wristband, leading to medical privacy leakage. Hence, a suitable solution to secure RFID-based healthcare systems is urgently needed.
RFID systems have two common architectures. One is that the reader is fixed and has a wired connection to the server. The other is that the reader is portable and connects to the server wirelessly. In the former one, there is a special cable for the connection between the server and the reader so the channel is considered to be safe, while the channel in the latter one is deemed to be insecure due to the wireless connection between the server and the reader [10]. With the advances of mobile technology, the second architecture has become the mainstream of RFID systems so our article mainly considers this architecture. Besides, in either architecture, since the reader and tag use radio waves for communication, the channel between them is unsafe.
A straightforward idea for securing an RFID system is to encrypt all the communications. However, in practical RFID systems, especially large ones, tags conforming to the Electronic Product Code Class-1 Generation-2 (EPC C1G2) standard [11] are most widely used because of their low price. EPC C1G2 tags have limited computation power and storage capacity and thus only support restricted operations such as exclusive-OR, cyclic redundancy check calculation, and pseudorandom number generation. Besides, such low-cost tags usually have no more than 2000 equivalent gates available for security purposes [12], which is insufficient for standard cryptographic algorithms. For instance, the smallest known implementation of the Advanced Encryption Standard (AES) algorithm needs 2400 equivalent gates [13]. Therefore, a lightweight security solution is required to secure RFID-based healthcare systems.
To address this requirement, in 2019, Fan et al. [14] proposed a lightweight RFID authentication scheme in IEEE Network. They stated that their scheme can provide strong security for low-cost RFID-based healthcare systems. In this article, we first show that their scheme has several security flaws and then propose our improved scheme.

Contributions
We make the following contributions in this article.

• We perform a security analysis of Fan et al.'s scheme [14] and demonstrate that this scheme fails to support forward secrecy and is prone to impersonation attacks.

• To overcome the security vulnerabilities of Fan et al.'s scheme, we propose an improved scheme. The security of our proposed scheme is evaluated through informal and formal security analyses. The analysis results show that our scheme offers better security than existing schemes.

• To show the efficiency of our proposed scheme, we compare it with other existing schemes in terms of computation cost, communication cost, storage cost, and hardware implementation cost. The performance evaluation results show that our proposed scheme is lightweight and conforms to the EPC C1G2 standard.

Organization
The rest of this article is structured as follows. Section 2 briefly discusses the related works. Section 3 presents the preliminaries, including the security demands, adversary model, and notations used in this article. Section 4 firstly describes Fan et al.'s scheme [14] and then analyzes the security of this scheme. Section 5 proposes our enhanced scheme, followed by its security analysis. Section 6 evaluates the performance of our proposed scheme. Finally, Section 7 summarizes the paper.

Related Works
Over the last several years, researchers have proposed a variety of authentication schemes, aiming to secure RFID-based healthcare systems. In 2014, Zhao [15] proposed an RFID authentication protocol based on elliptic curve cryptosystem (ECC) to secure communications in healthcare environments. In the same year, Zhang and Qi [16] proposed an ECC-based RFID authentication protocol for medical systems to enhance patient safety. However, Farash et al. [17] analyzed the protocols in [15,16] and pointed out that these two protocols cannot ensure forward secrecy. Farash et al. also suggested an improved protocol based on ECC to enhance the security of healthcare environments in [17]. Later, researchers proposed more ECC-based RFID authentication protocols [18][19][20][21][22][23] for healthcare applications. Because of the high hardware requirement of ECC, these ECC-based protocols are not well compatible with the EPC C1G2 standard.
In 2015, Srivastava et al. [24] proposed a new authentication protocol to strengthen the security of telecare medicine information systems (TMISs), which is based on a hash function and shared secrets. However, Li et al. [25] analyzed Srivastava et al.'s protocol and found that an adversary can use a stolen/lost reader to obtain sensitive information about any tagged object. Furthermore, Li et al. demonstrated that the server and the reader in this protocol do not authenticate each other. Besides, Li et al. pointed out that this protocol requires the server to perform an exhaustive search to validate a tag, which exhibits low efficiency in practical TMISs. To remedy these weaknesses, Li et al. provided an enhanced version in [25]. Later, in 2017, Benssalah et al. [26] showed that Li et al.'s protocol is subject to traceability, impersonation and desynchronization attacks, and introduced an improvement. Unfortunately, Benssalah et al.'s protocol is still vulnerable to traceability and desynchronization attacks [27]. In 2018, Fan et al. [10] proposed an ultralightweight RFID authentication protocol, named LRMI, to protect medical privacy in IoT, using cross and rotation functions for authentication. Nevertheless, in 2019, Aghili et al. [28] analyzed the LRMI protocol and found that it cannot withstand traceability and impersonation attacks. Additionally, Aghili et al. proposed an improved version in [28], named SecLAP, which is based on a modular rotation function. However, Safkhani et al. [29] discovered that the SecLAP protocol has a secret disclosure vulnerability, which allows an adversary to mount traceability and desynchronization attacks. Moreover, it has been argued that ultralightweight operations such as the rotation, cross, and modular rotation functions are not sufficient to construct a secure protocol [29,30]. In the same year, Zhou et al. [31] presented a quadratic residue-based RFID authentication protocol for TMISs.
Later, Safkhani and Vasilakos [27] pointed out that Zhou et al.'s protocol [31] is prone to desynchronization attacks. They also proposed an improved protocol for TMISs in [27]. In this improved protocol, the identifier of a tag is used as the secret key of the tag and is never updated, so as to avoid desynchronization attacks. In the authentication phase, a tag encrypts its identifier together with random numbers and a timestamp using a hash function, and sends the ciphertext to the server for authentication. To verify the tag, the server needs to exhaustively search its database for a tag identifier that satisfies the received ciphertext. Thus, their protocol is inefficient. Besides, since the random numbers and timestamp are transmitted in plain text, once a tag identifier is exposed, an adversary can easily identify the tag's messages in previous sessions, which implies that this protocol lacks forward secrecy.
Recently, Fan et al. [14] proposed a lightweight RFID authentication scheme based on the quadratic residue theorem. The authors claimed that their scheme meets the security requirements necessary for RFID-based healthcare systems and is compatible with the EPC C1G2 standard. In this article, we demonstrate that this scheme has several security concerns.

Security Demands
An authentication scheme, which aims to secure a practical RFID-based healthcare system, should meet the following security demands.
(a) Untraceability: A tag should not be traceable by an adversary. An adversary who stands between the tag and the reader may eavesdrop and correlate the tag's messages from two different sessions so as to identify the tag.
(b) Forward secrecy: Even if the secret parameters of a tag are exposed to an adversary, the adversary can hardly identify the previous messages of the tag, which can be obtained by eavesdropping on the reader-tag channel.
(c) Resilience to impersonation attacks: An adversary may try to impersonate legitimate scheme parties (the server, reader, or tag), e.g., by replaying a message intercepted from the channels. Any impersonation should be prevented.
(d) Resistance to desynchronization attacks: If a scheme relies on shared values for authentication, an adversary may cause desynchronization problems. For example, if the server updates the shared values but the tag does not, the server may not be able to authenticate the tag in the future. Such desynchronization attacks should be resisted.
(e) Scalability: If the server needs to do an exhaustive search to verify a tag, the scheme is not scalable. Worse than that, an adversary may launch a time measurement attack [32] against the scheme, which identifies a tag according to the authentication time spent by the server. Thus, an authentication scheme should avoid any exhaustive search operation to ensure scalability.

Adversary Model
Researchers who proposed the authentication schemes [10,14,25-28,31] for RFID-based healthcare systems in recent years share the consensus that both the tag-to-reader channel and the reader-to-server channel are insecure, so the security of both should be considered in the authentication schemes. Thus, we assume that an adversary can control both communication channels. The adversary is able to eavesdrop, modify, block, and replay the transferred messages. In addition, if the scheme leverages timestamps for authentication, we assume that the adversary can manipulate the time setting of the reader, which is practical for mobile readers [27].
We model the adversary A as a polynomial-time algorithm. Given a server, S, a reader, R, and a tag, T, the adversary A has access to the following oracles:
• Execute(S, R, T): A eavesdrops on both communication channels during the execution of an instance of the scheme between T, R, and S. This oracle models the adversary's ability to monitor the channels between scheme parties.
• Send(X, m_1, m_2): A sends a message m_1 to a scheme party X and receives a message m_2 from X. This oracle models the adversary's ability to act as a scheme party.
• Block(.): A blocks any message of the scheme. This oracle models the adversary's ability to stage a denial-of-service attack by jamming the communication channels.
The adversary A can invoke the oracles Execute, Send, Block, Time, and SetTime any polynomial number of times. However, the Reveal oracle can be called only once for each tag. If the tag is already compromised, it is meaningless to invoke the Reveal oracle on the same tag again.

Notations
The notations used for scheme description are presented in Table 1.

Table 1. Notations.
Notation                    Description
SID, SID_old, SID_new       The tag's current, previous and next pseudo identifier, respectively
SRID, SRID_old, SRID_new    The reader's current, previous and next pseudo identifier, respectively
x, x_old, x_new             The tag's current, previous and next secret key, respectively
x'                          x^2 mod n, n = pq
y, y_old, y_new             The reader's current, previous and next secret key, respectively
y'                          y^2 mod n, n = pq
T_E                         The current time of E
T_th                        The time threshold
N_E                         The random number generated by E
⊕                           The bitwise exclusive-OR
PRNG()                      The pseudorandom number generator
Rot(x, y)                   Left-rotate x by (y mod L) bits, in which L is the length of y

Review of Fan et al.'s Scheme
In this section, we first review Fan et al.'s scheme [14] and then perform a security analysis of this scheme.

Fan et al.'s Scheme
In Fan et al.'s scheme, as shown in Figure 2, the server stores the current pseudo identifier SID and secret data x' of a tag in an index data table, in which the current pseudo identifier is used as an index. The old pseudo identifier and secret data of the tag are also recorded in the table. Similarly, the current pseudo identifier and secret data of a reader, and also the old ones, are stored in another index data table, as presented in Figure 3.
Fan et al.'s scheme consists of an initial phase, authentication phase, and update phase. The last two phases are demonstrated in Figure 4.

Figure 2. The tags' index data table in the server: old index field SID_old, old data field x'_old, new index field SID, new data field x'.
Figure 3. The readers' index data table in the server: old index field SRID_old, old data field y'_old, new index field SRID, new data field y'.

Initial Phase
Step 1: The system administrator generates two big primes p and q (the length of each is at least 512 bits), computes n = pq, and stores n, p, and q in each legitimate reader.
Step 2: For each legitimate reader, the administrator assigns a pseudo identifier SRID and a secret key y. The length of y is at least 1024 bits. In the readers' index data table stored in the server, the administrator sets SRID = SRID and y' = y^2 mod n, while SRID_old and y'_old are both set to 0.
Step 3: For each legitimate tag, the administrator assigns a pseudo identifier SID and a secret key x. The length of x is at least 1024 bits. In the tags' index data table stored in the server, the administrator sets SID = SID and x' = x^2 mod n, while SID_old and x'_old are both set to 0.

Authentication Phase
Step 1: The reader sends "Query" along with its current time T_R to the tag.
Step 2: Tag→Reader
Step 4: Server→Reader: M_4 = {x', T_C}. Once M_3 is received, the server generates its current time T_S and checks whether T_th1 < T_S − T_R < T_th2. If so, the server checks the records in the readers' index data table to find an SRID matching M_R1 = Rot(T_R, SRID) ⊕ SRID. If found, the server reads y' from the corresponding record and checks whether PRNG(y' ⊕ T_R) = M_R2. If M_R2 is correct, the reader is valid. Then, the server checks the records in the tags' index data table to find an SID matching M_T1 = Rot(T_R, SID) ⊕ SID. If there is a match, the server reads the corresponding x' and sends it along with the server's current time T_C to the reader.
Step 5: Reader→Tag: M_5 = {M_T3, T_C}. Upon receiving M_4, the reader resolves the four solutions x_1, x_2, x_3, x_4 of x' using p and q. Then, it checks whether there exists an x = x_i (i = 1, 2, 3, 4) that satisfies PRNG(x ⊕ T_R) = M_T2. If so, the tag is legitimate. The reader computes M_T3 = PRNG(x) and sends {M_T3, T_C} to the tag.
Step 6: Validation at the tag.
Once M_5 arrives, the tag checks whether the value of M_T3 is PRNG(x). If so, the reader is authenticated. The authentication phase ends here, followed by the update phase.

Update Phase
Step 1: Tag→Reader
Step 2: Reader→Server: M_7 = {A_R1, A_R2, A_T1, A_T2}. After the receipt of M_6, the reader computes x_new = Rot(x, T_C) ⊕ T_C, x'_new = x_new^2 mod n, SRID_new = SRID + T_C, y_new = Rot(T_C, y), y'_new = y_new^2 mod n, A_R1 = PRNG(y' ⊕ SRID_new ⊕ T_R), A_R2 = Rot(y'_new, T_R ⊕ SRID_new) ⊕ SRID_new, A_T2 = Rot(x'_new, T_R ⊕ SRID_new) ⊕ SRID_new, and sends {A_R1, A_R2, A_T1, A_T2} to the server.
Step 3: Server→Reader: M_8 = {A_R3, A_T3}. Once M_7 is received, the server computes SRID_new = SRID + T_C to check whether PRNG(y' ⊕ SRID_new ⊕ T_R) = A_R1. If so, the server extracts y'_new from A_R2 and begins to update the reader's record. If SRID is found in the new index field, the server lets SRID_old ← SRID, y'_old ← y', SRID ← SRID_new, y' ← y'_new. Otherwise, the server just lets SRID ← SRID_new, y' ← y'_new. Then, the server computes SID_new = SID + T_C to check whether PRNG(SID_new ⊕ T_R) = A_T1. If so, the server extracts x'_new from A_T2 and begins to update the tag's record. If SID is found in the new index field, the server lets SID_old ← SID, x'_old ← x', SID ← SID_new, x' ← x'_new. Otherwise, the server just lets SID ← SID_new, x' ← x'_new. At last, the server computes A_R3 = PRNG(y'_new ⊕ SRID_new ⊕ T_R), A_T3 = PRNG(SID_new) ⊕ PRNG(x'_new ⊕ T_R), and sends {A_R3, A_T3} to the reader.
Step 4: Reader→Tag: M_9 = {A_T4}. Upon receiving M_8, the reader checks whether PRNG(y'_new ⊕ SRID_new ⊕ T_R) = A_R3. If so, the reader updates SRID ← SRID_new, y ← y_new, computes A_T4 = A_T3 ⊕ PRNG(x'_new ⊕ T_R) and sends A_T4 to the tag.
Step 5: Validation at the tag.
After M_9 arrives, the tag checks whether PRNG(SID_new) = A_T4. If so, the tag updates SID ← SID_new, x ← x_new.
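The checks of Steps 4 to 6 of the authentication phase and the tag's final check of the update phase, as an added Python model that is not part of Fan et al.'s paper or of this article. It assumes a truncated SHA-256 as a stand-in for PRNG(), a 64-bit word for Rot() and ⊕, toy primes p, q ≡ 3 (mod 4) so that square roots modulo each prime can be taken directly, and constructed values for SID, x, T_R and T_C; the tag's message values M_T1, M_T2 are taken from what Steps 4 and 5 check, since Step 2's body is not on this page.

```python
import hashlib

# Toy parameters (constructed; the scheme requires >= 512-bit primes and >= 1024-bit keys).
P, Q = 10007, 10039          # both primes are ≡ 3 (mod 4), so sqrt(a) mod p = a^((p+1)/4) mod p
N = P * Q                    # n = pq, stored in the reader together with p and q
L = 64                       # word length used by Rot() and ⊕ in this model (assumption)
MASK = (1 << L) - 1

SID = 0xA5A51234             # tag pseudo identifier (constructed)
X = 123456                   # tag secret key x (constructed); the server holds x' = x^2 mod n
T_R = 1_600_000_000          # reader's current time T_R (constructed)
T_C = 1_600_000_010          # server's current time T_C (constructed)


def prng(v: int) -> int:
    """Stand-in for PRNG(): the scheme fixes no concrete generator, so a
    truncated SHA-256 of the input is used here (assumption)."""
    return int.from_bytes(hashlib.sha256(str(v).encode()).digest()[: L // 8], "big")


def rot(x: int, y: int) -> int:
    """Rot(x, y): left-rotate x by (y mod L) bits inside an L-bit word."""
    s = y % L
    x &= MASK
    return ((x << s) | (x >> (L - s))) & MASK


def sqrt_mod_prime(a: int, p: int) -> int:
    """Square root of a quadratic residue a modulo a prime p ≡ 3 (mod 4)."""
    r = pow(a % p, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("a is not a quadratic residue mod p")
    return r


def four_roots(x_prime: int, p: int, q: int) -> list:
    """Step 5: from x' = x^2 mod n and the factors p, q, recover the four square
    roots x1..x4 of x' modulo n by combining ±sqrt mod p and ±sqrt mod q with the CRT."""
    n = p * q
    rp, rq = sqrt_mod_prime(x_prime, p), sqrt_mod_prime(x_prime, q)
    inv_q_mod_p, inv_p_mod_q = pow(q, -1, p), pow(p, -1, q)
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            roots.add((sp * q * inv_q_mod_p + sq * p * inv_p_mod_q) % n)
    return sorted(roots)


def tag_response(sid: int, x: int, t_r: int) -> tuple:
    """Tag side: the values checked in Steps 4 and 5, M_T1 = Rot(T_R, SID) ⊕ SID
    and M_T2 = PRNG(x ⊕ T_R)."""
    return rot(t_r, sid) ^ sid, prng(x ^ t_r)


def server_lookup_tag(table: dict, t_r: int, m_t1: int):
    """Step 4 (server): find the SID with M_T1 = Rot(T_R, SID) ⊕ SID and return
    (SID, x'). M_T1 cannot be inverted to SID, so the records are tried in turn."""
    for sid, x_prime in table.items():
        if rot(t_r, sid) ^ sid == m_t1:
            return sid, x_prime
    return None


def reader_verify_tag(x_prime: int, t_r: int, m_t2: int):
    """Step 5 (reader): accept the tag if some root x_i satisfies PRNG(x_i ⊕ T_R) = M_T2;
    on success return M_T3 = PRNG(x_i), otherwise None."""
    for xi in four_roots(x_prime, P, Q):
        if prng(xi ^ t_r) == m_t2:
            return prng(xi)
    return None


def tag_verify_reader(x: int, m_t3: int) -> bool:
    """Step 6 (tag): the reader is authenticated iff M_T3 = PRNG(x)."""
    return m_t3 == prng(x)


def tag_update_check(sid: int, t_c: int, a_t4: int) -> bool:
    """Update phase, Step 5 (tag): accept iff A_T4 = PRNG(SID_new), SID_new = SID + T_C."""
    return a_t4 == prng(sid + t_c)


def run_session() -> dict:
    """One authentication phase between the constructed tag, reader and server."""
    server_table = {SID: pow(X, 2, N), 0x0BAD0001: pow(987654, 2, N)}  # SID -> x'
    m_t1, m_t2 = tag_response(SID, X, T_R)
    found = server_lookup_tag(server_table, T_R, m_t1)
    if found is None:
        return {"server_found_tag": False}
    sid, x_prime = found
    m_t3 = reader_verify_tag(x_prime, T_R, m_t2)          # Steps 4 and 5
    a_t4 = prng(sid + T_C)                                 # value A_T3 ⊕ PRNG(x'_new ⊕ T_R) reduces to
    return {
        "server_found_tag": True,
        "reader_accepts_tag": m_t3 is not None,
        "tag_accepts_reader": m_t3 is not None and tag_verify_reader(X, m_t3),
        "tag_accepts_update": tag_update_check(SID, T_C, a_t4),
    }
```

Running `run_session()` walks the constructed tag through the server lookup, the reader's square-root recovery and both tag-side checks.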

Security Analysis of Fan et al.'s Scheme
Although Fan et al. claimed that their scheme is secure, we prove that this scheme cannot provide forward secrecy and is not resistant to impersonation attacks.

Attack against Forward Secrecy
Proof. In Fan et al.'s scheme, if an adversary manages to obtain the current pseudo identifier SID and secret key x of a tag, the adversary can correlate the tag with the messages it sent before the last completed scheme run with valid scheme parties. This is modeled by the following game between the challenger C, acting as the RFID system, and the adversary A. It is assumed that neither C nor A has more power than a polynomial-time algorithm:
(1) C selects two tags, T_0 and T_1, a reader R, and a server S, which are all valid.
(2) A calls the oracles Execute, Send, and Block a polynomial number of times on T_0, T_1, R, and S.
The advantage of successfully identifying the tag is defined as Adv_A. If the adversary A has no advantage over a random guess, Pr[b' = b] = 1/2. Thus, Fan et al.'s scheme fails to ensure forward secrecy if Adv_A > 0.
For ease of reading, we denote a parameter P in the i-th session of the tag T as i_T P. Suppose the challenger C selects two tags, T_0 and T_1, a reader R, and a server S for the game. A starts the game and calls the oracles Execute, Send, and Block a polynomial number of times on T_0, T_1, R and S. Assume that C carries out a complete instance of the scheme, denoted as the i-th session, with each tag. After the i-th session is finished, the pseudo identifier of the tag T_j (j ∈ {0, 1}), i_Tj SID, has been updated to i_Tj SID_new. A records the parameter A_T4 in the i-th session of the tag T_0, denoted as i_T0 A_T4, and notifies C. Then, C chooses a random bit b and sets T = T_b. Now, A calls the oracle Reveal(T) to obtain the current pseudo identifier of the tag T, denoted as T SID. Obviously, T SID is either i_T0 SID_new or i_T1 SID_new. [...] Otherwise, A outputs a bit b' = 1. Therefore, the probability Pr(b' = b) is 1. So the advantage of the adversary A in the tag identification, Adv_A, is 1, which proves that Fan et al.'s scheme cannot provide forward secrecy.
This security flaw is due to the fact that the value of A_T4 depends only on the updated tag pseudo identifier SID_new.

Impersonation Attack
Proof. In the authentication phase of Fan et al.'s scheme, a tag authenticates a reader through the message M_5. To model the adversary's attempt to impersonate a legitimate reader to a tag, we use the following game between the challenger C and the adversary A.
(1) C chooses a tag T, a reader R, and a server S, which are all valid.
(2) A calls the oracles Execute, Send, and Block a polynomial number of times on T, R, and S.
(3) A stops and notifies C.
(4) A invokes the Send oracle to impersonate a reader.
(5) If A is authenticated by the tag T as a valid reader, A wins the game.
Suppose the challenger C selects a tag T, a reader R, and a server S for the game. A starts the game and calls the oracles Execute, Send, and Block a polynomial number of times on T, R and S. Assume that C carries out an instance of the scheme on T, R and S. A records the messages M_1 and M_5, and blocks the message M_5 so that the update phase does not execute. The message M_1 consists of "Query" and T_R. The message M_5 consists of M_T3 and T_C. The value of M_T3 is PRNG(x), in which x is the secret key of the tag T. Then, A notifies C. Now, A invokes the Send oracle to impersonate a reader to T. Specifically, A sends the stored M_1 to T and receives the response from T. After that, A sends the stored M_5 to T. Upon receipt of the stored M_5, T checks whether PRNG(x) = M_T3. Since T's secret key x was not updated in the last scheme run, the condition is satisfied. Thus, the adversary A wins the game with a probability of 1. So, an adversary can impersonate a legitimate reader to the tag in Fan et al.'s scheme.
The reason for this security flaw is that the authentication parameter M_T3 contains no randomness produced by the tag.
Proof. In the authentication phase of Fan et al.'s scheme, a server authenticates a reader through the message M_3. If an adversary has the ability to manipulate the time setting of the reader, as explained in the adversary model in Section 3.2, the adversary is able to impersonate a legitimate reader to the server. The impersonation attempt is modeled as the following game between the challenger C and the adversary A.
(1) C chooses a tag T, a reader R, and a server S, which are all valid.
(2) A calls the oracles Execute, Send, Block, and SetTime a polynomial number of times on T, R, and S. Then, A sets the time of the reader R to the correct time to synchronize it with the time of the server S. Before the time t_1, A blocks any message sent to the server S so that no updates are done. At the time t_1, A notifies C and invokes the Send oracle to impersonate a reader to S. Specifically, A sends the stored M_1 to the tag T. Upon receipt of the response from T, A sends the stored M_3 to S. Once the stored M_3 is received, S generates a timestamp T_S and checks whether T_th1 < T_S − t_1 < T_th2. Because A starts the current session at the time t_1, A passes the check. After that, S searches the readers' index data table for an SRID matching Rot(t_1, SRID) ⊕ SRID = M_R1. Since the reader pseudo identifier SRID was not updated, there is a match. Then, S checks whether PRNG(y' ⊕ t_1) = M_R2. Because the reader's secret data y' was not updated, the condition is satisfied. In this way, the adversary A is authenticated as a valid reader by the server with a probability of 1. Therefore, an adversary can impersonate a legitimate reader to the server in Fan et al.'s scheme.
This security flaw exists because T_R is the current time of the reader R. By manipulating the reader's time, an adversary can obtain the parameters M_R1 and M_R2 corresponding to a future time.

The Proposed Scheme
In this section, we first propose an improved scheme to overcome the security vulnerabilities of Fan et al.'s scheme [14]. To satisfy the EPC C1G2 standard and the mobile environment of an RFID-based healthcare system, heavyweight cryptographic primitives should not be used. In the proposed scheme, we leverage only the operations supported by an EPC C1G2 tag to secure both the reader-tag channel and the server-reader channel. Although it is feasible to adopt a mutually authenticated TLS channel between the server and the reader to secure the server-reader channel, our scheme uses only the lightweight operations to achieve the same goal with lower overhead. We also formally analyze our proposed scheme against the major security demands.

Scheme Description
As shown in Figure 5, the server stores the current pseudo identifier SID and secret key x of a tag in an index data table. The current pseudo identifier is used as an index in the table. The previous index SID_old and secret key x_old of the tag are also recorded in the table to prevent desynchronization attacks. Similarly, the current pseudo identifier SRID and secret key y of a reader are stored in another index data table, and so are the previous ones, as demonstrated in Figure 6. Our proposed scheme includes an initial phase and an authentication phase.

Figure 5. Tags' index data table.
Old index field | Old key field | New index field | New key field
SIDold | xold | SID | x

Figure 6. Readers' index data table.
Old index field | Old key field | New index field | New key field
SRIDold | yold | SRID | y

Initial Phase
Step 1: For each legitimate tag, the administrator assigns a pseudo identifier SID and a secret key x. The administrator then sets SID = SID and x = x in the tags' index data table while SIDold and xold are both set to 0.
Step 2: For each legitimate reader, the administrator assigns a pseudo identifier SRID and a secret key y. The administrator then sets SRID = SRID and y = y in the readers' index data table while SRIDold and yold are both set to 0.

Authentication Phase
The authentication phase of our proposed scheme is presented in Figure 7. This phase consists of the following steps:
Step 1: Reader→Server: M1 = {NR}. The reader generates a random number NR and sends it to the server.
Step 2: Server→Reader: M2 = {NS}. After receiving M1, the server generates a random number NS and sends it to the reader.
Figure 7. Authentication phase of our improved scheme.
Step 6: Server→Reader: M6 = {MR2, MT2}. Upon receiving M5, the server searches for the received SRID in the readers' index data table. If found, the server reads the corresponding y to check whether PRNG(y NS NR) = MR1. If so, the reader is valid. Then, the server searches for the received SID in the tags' index data table. If found, the server reads the corresponding x to check whether PRNG(x NS NT) = MT1. If so, the tag is valid.
After confirming the validity of both the reader and the tag, the server computes MR2 = PRNG((y + 1) NS NR), SRIDnew = PRNG(SRID y NS NR), ynew = PRNG((y + 2) NS NR), MT2 = PRNG((x + 1) NS NT), SIDnew = PRNG(SID x NS NT), and xnew = PRNG((x + 2) NS NT). Then, the server updates the readers' index data table. If SRID is found in the new index field, the server lets SRIDold←SRID, yold←y, SRID←SRIDnew, y←ynew. Otherwise, the server just lets SRID←SRIDnew, y←ynew. Similarly, the server updates the tags' index data table. If SID is found in the new index field, the server lets SIDold←SID, xold←x, SID←SIDnew, x←xnew. Otherwise, the server just lets SID←SIDnew, x←xnew. Once the updating is finished, the server sends {MR2, MT2} to the reader.
Step 7: Reader→Tag: M7 = {MT2}. After M6 is received, the reader checks whether PRNG((y + 1) NS NR) = MR2. If so, the server is valid and has updated the readers' index data table. Since the server sends out MR2 only when the tag is legitimate, the reader authenticates the tag implicitly via MR2. Then, the reader computes SRIDnew = PRNG(SRID y NS NR), ynew = PRNG((y + 2) NS NR), and updates SRID←SRIDnew, y←ynew. After that, the reader sends MT2 to the tag.
Step 8: Validation at the tag. Once M7 arrives, the tag checks whether PRNG((x + 1) NS NT) = MT2. If so, the server is valid and has updated the tags' index data table. The tag also implicitly authenticates the reader since the tag will not receive a valid MT2 unless the server has authenticated the reader. Then, the tag computes SIDnew = PRNG(SID x NS NT), xnew = PRNG((x + 2) NS NT) and updates SID←SIDnew, x←xnew.

Security Analysis
Lemma 1. In the proposed scheme, the secret keys cannot be exposed without calling the Reveal oracle.
Proof. In the scheme, the transferred parameters related to the tag secret key x include MT1 and MT2, which are generated by MT1 = PRNG(x NS NT) and MT2 = PRNG((x + 1) NS NT), respectively. An adversary cannot obtain x from MT1 or MT2 because PRNG() is regarded as an irreversible operation [14]. On the other hand, the transferred parameters related to the reader secret key y include MR1 and MR2, which are generated by MR1 = PRNG(y NS NR) and MR2 = PRNG((y + 1) NS NR), respectively. Since PRNG() is irreversible, the adversary cannot get y from MR1 or MR2. Therefore, unless the adversary calls the Reveal oracle, the secret keys cannot be revealed.

Lemma 2. In the proposed scheme, two of the message parameters, before and after completing a scheme run with valid scheme parties, cannot be correlated without calling the Reveal oracle.
Proof. For easy reading, we denote a parameter P in the i-th session as (i)P. Without loss of generality, we assume that an adversary attempts to correlate (i)P with (i+1)P. In our proposed scheme, the messages consist of nine parameters: NS, NR, NT, SID, SRID, MT1, MT2, MR1, and MR2.
First, we consider the parameters NS, NR, and NT. NS is a random number generated in each session, so the adversary cannot correlate (i)NS with (i+1)NS. For the same reason, (i)NR and (i)NT cannot be correlated with (i+1)NR and (i+1)NT, respectively.
Second, we consider the pseudo identifiers SID and SRID. The value of (i+1)SID is PRNG((i)SID (i)x (i)NS (i)NT). By Lemma 1, the adversary cannot obtain (i)x. Thus, it is difficult for the adversary to correlate (i)SID with (i+1)SID unless the Reveal oracle is invoked. Similarly, the value of (i+1)SRID is PRNG((i)SRID (i)y (i)NS (i)NR). Because (i)y is not exposed, the adversary cannot correlate (i+1)SRID with (i)SRID.
Finally, we consider the remaining parameters. Since (i)MT1 = PRNG((i)x (i)NS (i)NT), (i+1)x = PRNG(((i)x + 2) (i)NS (i)NT) and (i+1)MT1 = PRNG((i+1)x (i+1)NS (i+1)NT), to correlate (i)MT1 with (i+1)MT1 the adversary needs to know (i)x, which cannot be obtained without the Reveal oracle (by Lemma 1).
For the same reason, (i)MT2, whose value is PRNG(((i)x + 1) (i)NS (i)NT), cannot be correlated with (i+1)MT2, whose value is PRNG(((i+1)x + 1) (i+1)NS (i+1)NT).
Similarly, since (i)MR1 = PRNG((i)y (i)NS (i)NR), (i+1)y = PRNG(((i)y + 2) (i)NS (i)NR) and (i+1)MR1 = PRNG((i+1)y (i+1)NS (i+1)NR), without the knowledge of (i)y the adversary cannot correlate (i)MR1 with (i+1)MR1. For the same reason, (i)MR2, whose value is PRNG(((i)y + 1) (i)NS (i)NR), cannot be correlated with (i+1)MR2, whose value is PRNG(((i+1)y + 1) (i+1)NS (i+1)NR).
Thus, without calling the Reveal oracle, the adversary cannot correlate two of the message parameters that are separated by a complete scheme run with valid scheme parties.

Proof. In an RFID scheme, a tag is universally untraceable [33] if an adversary cannot correlate two of the messages sent and received by the tag, separated by a complete scheme run with valid scheme parties. This is modeled by a game between the challenger C as the RFID system and the adversary A. Assume that both C and A have no more power than a polynomial-time algorithm:
(1) C selects two tags, T0 and T1, a reader R, and a server S, which are all valid.
(2) A calls the oracles Execute, Send, and Block for a polynomial number of times on T0, T1, R and S.
Suppose the challenger C selects two tags, T0 and T1, a reader R, and a server S for the game. A starts the game and calls the oracles Execute, Send, and Block for a polynomial number of times on T0, T1, R and S. Assume that C carries out a complete instance of the scheme, denoted as the i-th session, with each tag. A records all the outputs of the oracle calls and notifies C. Then, C chooses a random bit b and sets T = Tb. Now, A calls the oracles Execute, Send, and Block on T, R and S. Assume that C carries out a complete instance of the scheme with the tag T, denoted as the (i+1)-th session. A records all the outputs of the oracle calls and produces a guess bit b'. In the proposed scheme, the tag sends and receives the messages M1, M2, and M7, which consist of the following message parameters: SID, NT, NR, MT1, and MT2. Since A cannot correlate any message parameter in the i-th session with the parameter in the (i+1)-th session (by Lemma 2), A can only perform a random guess. Therefore, the probability Pr[b' = b] is 1/2 and AdvA is 0. So the tags in our proposed scheme are universally untraceable.

Proof. We model this as the game in the proof of Theorem 1. The challenger C selects two tags, T0 and T1, a reader R, and a server S for the game. The adversary A starts the game and calls the oracles Execute, Send, and Block on T0, T1, R, and S for a polynomial number of times. Assume C carries out a complete instance of the scheme with each tag. A records the outputs of the oracle calls. Then, C generates a random bit b and sets T = Tb. Hereafter, A calls the oracle Reveal(T) to obtain the pseudo identifier and secret key of the tag T. Finally, A outputs a guess bit b'.
Because the current secret key of T is generated from the PRNG of the previous one, A cannot invert the PRNG function to obtain the previous secret key. Similarly, since the current pseudo identifier of T is generated from the PRNG of the previous one, A cannot deduce the previous pseudo identifier. Besides, by Lemma 2, A cannot correlate the previous pseudo identifier of T, which is either that of T0 or that of T1, with the current pseudo identifier of T. Therefore, A has no advantage over a random guess, which means that the proposed scheme can ensure forward secrecy.

Theorem 6. The proposed scheme can resist impersonation attacks.
Proof. An adversary may attempt to impersonate as a tag, a reader or a server. We discuss these three cases as follows.

(a) Tag impersonation
We model this as the following game between the challenger C and the adversary A.
(1) C chooses a tag T, a reader R, and a server S, which are all valid.
(2) A calls the oracles Execute, Send, and Block for a polynomial number of times on T, R, and S.
(3) A stops and notifies C.
(4) A invokes the Send oracle to impersonate as a tag.
(5) If A is authenticated as a valid tag, A wins the game.
Suppose the challenger C selects a tag T, a reader R, and a server S for the game. A starts the game and calls the oracles Execute, Send, and Block for a polynomial number of times on T, R, and S. Assume that C carries out an instance of the scheme on T, R, and S. A records all the oracle outputs.
To pass the authentication, A must send a valid SID and a valid MT1 = PRNG(x NS NT). To do so, A needs to know the tag secret key x. However, by Lemma 1, A cannot obtain x to generate a valid MT1. On the other hand, assume that A calls the Block oracle to block the message M5 so that no updates will happen, and then notifies C. Hereafter, C carries out a new instance of the scheme on T, R, and S. To impersonate as a tag, A invokes the Send oracle to send the recorded SID, MT1, and NT to the reader R as the response M2. However, since the reader R generates a new NR in this scheme run, the recorded MT1 cannot be valid unless the new NR happens to be the same as the old NR, whose probability is negligible. Therefore, A can hardly impersonate as a valid tag.

(b) Reader impersonation
Firstly, we consider that the adversary A attempts to impersonate as a valid reader to the tag. The attempt is modeled as the game in the proof of Theorem 2. To be validated by the tag T, A needs to send a valid MT2 = PRNG((x + 1) NS NT). However, by Lemma 1, A cannot obtain x to generate a valid MT2. On the other hand, assume that A blocks M7 to prevent any updating on the tag, and then notifies C. Hereafter, C carries out a new instance of the scheme on T, R, and S. To impersonate as a reader to the tag, A sends the recorded MT2 to the tag T. However, the recorded MT2 cannot be valid unless the old NT is the same as the NT generated in the new scheme run, which has a negligible probability.
Secondly, we consider that A tries to impersonate as a valid reader to the server, which can be modeled as a game similar to the one in the proof of Theorem 2, except that in the last step the adversary A should be authenticated by the server S. To be authenticated, A must send a valid SRID and a valid MR1 = PRNG(y NS NR) to the server. By Lemma 1, the reader secret key y is not exposed, so A cannot generate a valid MR1. On the other hand, assume that A blocks M5 to prevent any updating, and then notifies C. Hereafter, C carries out a new instance of the scheme on T, R, and S. To impersonate as a reader to the server, A sends the recorded NR, SRID and MR1 to the server S. Since S generates a new NS in the new scheme run, the recorded MR1 has a negligible probability of being valid. Therefore, the probability of impersonating as a valid reader is negligible.
(c) Server impersonation
We model this attempt as a game similar to the one in case (a), except that A calls the Send oracle to impersonate as a valid server. To impersonate as a legitimate server, A must send a valid MR2 = PRNG((y + 1) NS NR). However, without the knowledge of y (by Lemma 1), A fails to generate a valid MR2. On the other hand, assume that A blocks M6 to prevent any updating on the reader and tag, and then notifies C. Hereafter, C carries out a new instance of the scheme on T, R, and S. To impersonate as a server, A sends the recorded MR2 to the reader R. Because the new NR is hardly the same as the old NR, the probability that the recorded MR2 can pass the authentication is negligible. Thus, the adversary A can impersonate as a valid server only with a negligible probability.
In summary, the proposed scheme can defend against impersonation attacks.

Theorem 7. The proposed scheme can ensure resistance to desynchronization attacks.
Proof. In the proposed scheme, the server updates the index data tables after the message M5 is received and verified. If the message M6 is blocked, the reader does not update its pseudo identifier SRID and secret key y. Since SRID and y are stored in the old fields, the server can synchronize with the reader based on them. Assume that there is a new session and M6 is blocked again. In this session, since the server finds the received SRID in the old index field, the old values are not updated. Thus, the server can still synchronize with the reader. Similarly, if M6 (or M7) is blocked, the server and tag can keep synchronization between them. On the other hand, as discussed in the proof of Theorem 6, an adversary cannot forge valid MT1 and MR1 to force the server to update the index data tables. Therefore, the proposed scheme is resistant to desynchronization attacks.
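The authentication phase of Section 5.1 (Steps 1, 2, 6, 7 and 8) and the desynchronization argument of Theorem 7, as an added simulation that is not the paper's code: PRNG() is modelled as SHA-256 truncated to 96 bits, concatenation as byte concatenation, and the shapes of M3, M4 and M5, which are not reproduced on this page, are assumed to be M3 = {NS}, M4 = {SID, NT, MT1} and M5 = {SRID, NR, MR1, SID, NT, MT1}.

```python
import hashlib
import secrets

L, MASK = 96, (1 << 96) - 1  # 96-bit parameters (Section 6.2); (x + 1), (x + 2) taken modulo 2^L (assumption)

def prng(*parts):            # stand-in for the EPC C1G2 PRNG (assumption): SHA-256 of the concatenation, cut to L bits
    data = b"".join(p.to_bytes(L // 8, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest()[:L // 8], "big")

class Tag:
    def __init__(self, sid, x):
        self.sid, self.x = sid, x
    def respond(self, ns):           # assumed M4 = {SID, NT, MT1}: pick NT and prove knowledge of x
        self.ns, self.nt = ns, secrets.randbits(L)
        return self.sid, self.nt, prng(self.x, ns, self.nt)
    def finish(self, mt2):           # Step 8: verify MT2, then derive SIDnew and xnew exactly as the server did
        if mt2 != prng((self.x + 1) & MASK, self.ns, self.nt):
            return False
        self.sid, self.x = (prng(self.sid, self.x, self.ns, self.nt),
                            prng((self.x + 2) & MASK, self.ns, self.nt))
        return True

class Reader:
    def __init__(self, srid, y):
        self.srid, self.y = srid, y
    def start(self):                 # Step 1: M1 = {NR}
        self.nr = secrets.randbits(L)
        return self.nr
    def to_server(self, ns, sid, nt, mt1):   # assumed M5 = {SRID, NR, MR1, SID, NT, MT1}; NS was received in M2
        self.ns = ns
        return self.srid, self.nr, prng(self.y, ns, self.nr), sid, nt, mt1
    def finish(self, mr2, mt2):      # Step 7: verify MR2, update SRID and y, forward MT2 to the tag
        if mr2 != prng((self.y + 1) & MASK, self.ns, self.nr):
            return None
        self.srid, self.y = (prng(self.srid, self.y, self.ns, self.nr),
                             prng((self.y + 2) & MASK, self.ns, self.nr))
        return mt2

class Server:                        # index data tables of Figures 5 and 6: (old index, old key), (new index, new key)
    def __init__(self):
        self.tags, self.readers = [], []
    def enrol(self, table, idx, key):        # initial phase: the old fields are set to 0
        table.append({"old": (0, 0), "new": (idx, key)})
    @staticmethod
    def lookup(table, idx):          # the received pseudo identifier is the index: no exhaustive search is needed
        for rec in table:
            for field in ("new", "old"):
                if rec[field][0] == idx:
                    return rec, field
        return None, None
    @staticmethod
    def update(rec, field, new_idx, new_key):
        if field == "new":           # matched the new index field: the current pair becomes the old pair
            rec["old"] = rec["new"]
        rec["new"] = (new_idx, new_key)   # matched the old field: only the new pair is replaced
    def challenge(self, nr):         # Step 2: M2 = {NS}
        self.ns = secrets.randbits(L)
        return self.ns
    def verify(self, srid, nr, mr1, sid, nt, mt1):   # Step 6: authenticate reader, then tag, then update tables
        rrec, rf = self.lookup(self.readers, srid)
        if rrec is None or mr1 != prng(rrec[rf][1], self.ns, nr):
            return None
        trec, tf = self.lookup(self.tags, sid)
        if trec is None or mt1 != prng(trec[tf][1], self.ns, nt):
            return None
        y, x = rrec[rf][1], trec[tf][1]
        mr2, mt2 = prng((y + 1) & MASK, self.ns, nr), prng((x + 1) & MASK, self.ns, nt)
        self.update(rrec, rf, prng(srid, y, self.ns, nr), prng((y + 2) & MASK, self.ns, nr))
        self.update(trec, tf, prng(sid, x, self.ns, nt), prng((x + 2) & MASK, self.ns, nt))
        return mr2, mt2

def run_session(tag, reader, server, block=None):   # block="M6"/"M7" drops that message after the server updated
    nr = reader.start()                                          # M1
    ns = server.challenge(nr)                                    # M2
    sid, nt, mt1 = tag.respond(ns)                               # M3 (assumed {NS}) and M4
    result = server.verify(*reader.to_server(ns, sid, nt, mt1))  # M5: the server updates its tables here
    if result is None:
        return "rejected"
    if block == "M6":
        return "M6 blocked"
    mt2 = reader.finish(*result)                                 # M6: the reader updates here
    if mt2 is None:
        return "reader rejected server"
    if block == "M7":
        return "M7 blocked"
    return "ok" if tag.finish(mt2) else "tag rejected server"    # M7: the tag updates here

def demo():
    sid, x, srid, y = (secrets.randbits(L) for _ in range(4))
    tag, reader, server = Tag(sid, x), Reader(srid, y), Server()
    server.enrol(server.tags, sid, x)
    server.enrol(server.readers, srid, y)
    # M6 blocked twice, then M7 once: the old fields keep the lagging party reachable, then all resynchronise
    outcomes = [run_session(tag, reader, server, block=b) for b in (None, "M6", "M6", "M7", None)]
    return outcomes, tag, reader, server
```

demo() returns the outcome of each of the five sessions together with the final party states, so the old/new field bookkeeping can be inspected after the blocked runs.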
Theorem 8. The proposed scheme is scalable.
Proof. According to Burmester et al. [34], if the server can find the record of a tag just based on the received data, the time cost can be constant. Otherwise, if some computation operations are needed before checking each record, an exhaustive search operation is needed to authenticate a tag, which results in time measurement attacks [32]. In the proposed scheme, the tag pseudo identifier is used as the index of the tags' index data table, so the server can find the tag's record just by the received SID. Similarly, with the received SRID, the server can find the reader's record. So the proposed scheme requires no exhaustive search operation. Therefore, the proposed scheme is scalable and can also resist time measurement attacks.

Formal Security Analysis with BAN-Logic
In this part, we employ BAN-logic [35] to perform a formal security analysis of our proposed scheme. The notations of BAN-logic are demonstrated in Table 2.

Table 2. BAN-logic notations.
Notation | Description
P |≡ X | P believes X
P X | P receives X
P |∼ X | P sends X
P ⇒ X | P has jurisdiction over X
#(X) | X is fresh
{X}k | X is encrypted by the key k
P k↔ Q | P and Q use the shared key k to communicate
P / Q | If P then Q

Then, we present the BAN-logic rules used in the analysis as below.
• R1 (Seeing rule): P {X, Y} / P X, which means that when P receives a message set {X, Y}, P receives the message X.
• R2 (Message-meaning rule): if P believes that P and Q have a shared key K and P receives a message X encrypted by K, then P believes that Q has sent X to P.
• R3 (Freshness rule): P |≡ #X / P |≡ #{X, Y}, which means that if P believes the message X is fresh, P believes the message set {X, Y} is fresh.
• R4 (Nonce-verification rule): (P |≡ #X, P |≡ Q |∼ X) / P |≡ Q |≡ X, which means that if P believes X is fresh and that Q has sent X, then P believes Q believes X.
In the following analysis, the server, reader, and tag are denoted by S, R, and T, respectively.

Idealized Form
Based on the BAN-logic notations, the message transmissions of our proposed scheme are idealized as below.

Initial Assumptions
The initial assumptions of our proposed scheme are as follows, specifying the initial process and belief of data.

Security Goals
Since our proposed scheme aims to achieve mutual authentication between the genuine scheme parties, the security goals that should be achieved are listed as follows.

Security Proofs
In this part, we prove the security goals of our scheme.
Proof. According to IM5 and R1, we obtain By E7, A1, and R2, we have On the basis of A5 and R3, we get With E8, E9, and R4, we can deduce S |≡ T |≡ PRNG x NS NT x. Therefore, G3 is proved.
Proof. In accordance with IM7, A1, and R2, we get Taking into account A3 and R3, we obtain Based on E10, E11, and R4, we can prove T |≡ S |≡ PRNG (x + 1) NS NT x. Thus, G4 is achieved.
Since all security goals are verified, our proposed scheme satisfies the logic security.

Performance Evaluation
In this section, we analyze the performance of our proposed scheme by comparing it with some recent schemes (published since 2018) [10,14,27,28,31] for RFID-based healthcare systems.

Security Performance
We compare the performance of our proposed scheme based on the security demands essential for RFID-based healthcare systems as demonstrated in Table 3. In the table, the symbol "Yes" represents that the scheme meets a security demand while the symbol "No" denotes that the scheme fails to satisfy a security demand. From Table 3, we can see that only our proposed scheme can guarantee all the desired security demands while other schemes fail to meet one or more security demands. As presented in Section 4.2, Fan et al.'s scheme [14] cannot support forward secrecy and is vulnerable to impersonation attacks. The security of other existing schemes has been discussed in Section 2. Safkhani and Vasilakos's scheme [27] fails to ensure forward secrecy and scalability. The LRMI scheme [10] cannot resist traceability and impersonation attacks. The SecLAP scheme [28] is prone to traceability and desynchronization attacks. Zhou et al.'s scheme [31] is unable to withstand desynchronization attacks. The security of our proposed scheme has been analyzed in Sections 5.2 and 5.3.

Efficiency Performance
We also compare the performance of our proposed scheme with other schemes in terms of costs for computation, communication, storage, and hardware implementation.
Firstly, the performance comparison in terms of the computation cost is presented in Table 4. We ignore simple operations such as concatenation, exclusive-OR, and addition. Table 4 shows the number of operations including rotation (denoted as Rot), the inverse operation of rotation (denoted as Rot^-1), pseudo random number generation (denoted as P), hash (denoted as H), cross (denoted as C), modular rotation (denoted as MR) and squaring root solving operation (denoted as SR), which are required by our scheme and other schemes. From the column "Tag" of Table 4, we can notice that our proposed scheme only needs a tag to perform the pseudo random number generation operation, a preset operation for EPC C1G2 tags, while other schemes require a tag to perform some operations not implemented by EPC C1G2 tags. Thus, our proposed scheme has the best compatibility with the EPC C1G2 standard. According to the experiment results in Section 4.3 of Zhou et al. [31], the time costs of hash, pseudo random number generation, modular squaring, and squaring root solving operations are 0.253, 0.021, 1.896, and 3.481 ms, respectively. As the cross, rotation, and modular rotation are ultralightweight operations, their time cost is negligible in computation. With these data, we can estimate the computation cost of each scheme, as illustrated in Table 5. From Table 5, we can see that the computation cost of our scheme is just higher than the ultralightweight schemes [10,28]. However, it can be justified since our scheme offers a higher security level than all other schemes.
Secondly, we compare the efficiency of our proposed scheme to other schemes in terms of the communication and storage cost. Since RFID tags have limited storage capacity while readers and servers have relatively sufficient storage capacity, the storage cost comparison focuses on the tag's costs. For the schemes not based on quadratic residues, we assume that the lengths of parameters such as identifiers, secret keys, random numbers, timestamps, and function outputs are all L bits. For the quadratic residue-based schemes, we assume that the length of a secret key is LQK bits and the length of the output of the modulo squaring operation is LMS bits while other parameters have the same length of L bits. LQK and LMS are usually greater than L for security purposes. According to Fan et al. [14], LQK and LMS are suggested to be at least 1024 while the length of a common tag EPC, used as a tag's identifier, is 96 bits. Thus, for an intuitive comparison of the communication cost and storage cost, we assume LQK = LMS = 1024 while L = 96. Besides, to be fair, we omit the cost of the string "Query" since most schemes do not use it. The comparison results are demonstrated in Table 6.

Table 6. Performance comparison based on the communication and storage cost.
Scheme | Communication Cost (bits) | Storage Cost (bits)
Fan et al. [14] | 2752 | 1120
Safkhani and Vasilakos [27] | 1344 | 96
LRMI [10] | 1632 | 192
SecLAP [28] | 2112 | 192
Zhou et al. [31] | 11008 | 1120
Our scheme | 1344 | 192

In our proposed scheme, there are seven transferred messages consisting of fourteen 96-bit parameters, which results in a communication cost of 1344 bits. From Table 6, we can see that our scheme and the scheme in [27] have the same communication cost, which is less than that of the rest of the schemes. Besides, a tag in our scheme needs to store an identifier and a secret key, leading to a storage cost of 192 bits. Table 6 shows that the storage cost of our scheme is just higher than that of the scheme in [27] because a tag stores only an identifier in this scheme. However, the scheme in [27] is less secure than our scheme.
Finally, we discuss the hardware implementation cost. Considering that the server and the reader have much more resources than the tag, we focus on the implementation cost imposed on the tag. From the "Tag" column of Table 4, we can know that the security primitives, used by tags in our scheme and other schemes, include rotation function, cross function, modular rotation function, pseudo random number generator (PRNG), hash function, and modular squaring function. The authors in [10,14,28] present the FPGA implementation costs of the rotation, cross, and modular rotation functions, which are 112, 1, and 65 lookup tables (LUTs), respectively. Due to the limited resource on a tag, lightweight PRNG and hash function should be adopted. For instance, Mandal et al. [36] designed a lightweight PRNG satisfying the EPC C1G2 standard, named Warbler, which can be implemented with 760 equivalent gates or 184 LUTs. Bogdanov et al. [37] proposed a lightweight hash function, named SPONGENT, whose smallest implement cost is 738 equivalent gates. For modular squaring, an estimated implementation cost of 1000 equivalent gates is given in Section 3.4 of Burmester et al. [38]. Table 7 summarizes the hardware implementation costs of these security primitives. Then, we can roughly estimate the implementation cost of each scheme according to the costs of the security primitives. The estimated results are presented in Table 8. From Table 8, we can see that our scheme has the lowest hardware implementation cost and is feasible to be applied in an RFID-based healthcare system with low-cost tags.

Our Proposed Scheme vs. Fan et al.'s Scheme
Based on Sections 6.1 and 6.2, we highlight the advantages of our proposed scheme by comparing it with Fan et al.'s scheme [14], as summarized in Table 9.
As shown in Table 9, Fan et al.'s scheme [14] cannot meet all the security demands. This scheme fails to assure forward secrecy and cannot resist impersonation attacks, which makes it doubtful to be applied in the real world healthcare systems. Our scheme, on the contrary, can satisfy all the security requirements. When considering the efficiency performance, it is obvious that Fan et al.'s scheme has a much higher overhead than our scheme in terms of computation, communication, and storage costs. For the implementation cost imposed on the tag, our scheme just needs to implement a PRNG while Fan et al.'s scheme needs a PRNG and an additional rotation function. In summary, as an improvement of Fan et al.'s scheme, our scheme demonstrates the superiority in all aspects.

Conclusions
The legacy healthcare systems have integrated with RFID technology so as to offer better healthcare services. However, the security and privacy concerns about RFID-based healthcare systems are a challenge to combat. In this article, we have analyzed the security of Fan et al.'s scheme [14], a lightweight authentication scheme to secure RFID-based healthcare systems. We first have shown that their scheme lacks forward secrecy and is also insecure against impersonation attacks. Subsequently, we have proposed an enhanced scheme. Then, we have analyzed the security of the proposed scheme. Analyses illustrate that the proposed scheme can not only overcome the security vulnerabilities of Fan et al.'s scheme but also meet all the essential security demands. In addition, our scheme has low overhead and is compatible with the EPC C1G2 standard. Therefore, our proposed scheme is of practical use for RFID-based healthcare systems.