Provably Secure Three-Factor-Based Mutual Authentication Scheme with PUF for Wireless Medical Sensor Networks

Wireless medical sensor networks (WMSNs) are used in remote medical service environments to provide patients with convenient healthcare services. In a WMSN environment, patients wear a device that collects their health information and transmits the information via a gateway. Then, doctors make a diagnosis regarding the patient, utilizing the health information. However, this information can be vulnerable to various security attacks because the information is exchanged via an insecure channel. Therefore, a secure authentication scheme is necessary for WMSNs. In 2021, Masud et al. proposed a lightweight and anonymity-preserving user authentication scheme for healthcare environments. We discover that Masud et al.’s scheme is insecure against offline password guessing, user impersonation, and privileged insider attacks. Furthermore, we find that Masud et al.’s scheme cannot ensure user anonymity. To address the security vulnerabilities of Masud et al.’s scheme, we propose a three-factor-based mutual authentication scheme with a physical unclonable function (PUF). The proposed scheme is secure against various security attacks and provides anonymity, perfect forward secrecy, and mutual authentication utilizing biometrics and PUF. To prove the security features of our scheme, we analyze the scheme using informal analysis, Burrows–Abadi–Needham (BAN) logic, the Real-or-Random (RoR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. Furthermore, we estimate our scheme’s security features, computation costs, communication costs, and energy consumption compared with the other related schemes. Consequently, we demonstrate that our scheme is suitable for WMSNs.


Introduction
With the development of wireless communication and sensor minimization technology, wireless sensor networks (WSNs) have been widely used in various environments, such as industrial Internet of Things [1], healthcare [2], and smart homes [3]. In particular, the demand for remote healthcare services has been increased due to the COVID-19 pandemic [4]. Remote healthcare services can be realized through wireless medical sensor networks (WMSNs). Generally, WMSNs consist of doctors (users), a gateway, and sensor nodes. Doctors communicate with the gateway to access a patient's health data through their smart device. The gateway, such as a smart hospital, stores sensitive data and supports smooth wireless communication between doctors and sensor nodes. Sensor nodes are attached to patients and transmit patients' sensitive health data to doctors through the gateway [5]. Therefore, doctors can perform the diagnosis of patients remotely and patients can receive convenient remote medical services wherever they are.
Although WMSNs can provide convenient medical services to patients, there are several security risks. First of all, each message is exchanged through a public channel; therefore, malicious adversaries can perform security attacks such as replay and man-in-the-middle attacks [6]. In addition, the smart device of a doctor can be stolen and an adversary can attempt to impersonate the doctor using parameters extracted from the device. Likewise, the sensor node can be physically captured by an adversary, who can then attempt to impersonate the patient using the secret parameter extracted from the sensor node. If an adversary obtains and modifies the information of patients using the above security attacks, this can have a serious effect on the patient's health, such as inducing a misdiagnosis by the doctor. Accordingly, secure authentication schemes are necessary to overcome these security vulnerabilities for WMSNs.
In 2021, Masud et al. [7] proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare environments. They claimed that their scheme is lightweight and prevents various security attacks (e.g., replay, privileged insider, and impersonation attacks). Moreover, they asserted that their scheme can ensure user anonymity and session key agreement. However, we find that Masud et al.'s scheme cannot prevent offline password guessing, user impersonation, and privileged insider attacks. Moreover, we prove that their scheme cannot ensure user anonymity. Their scheme also has a device update problem, where the doctor cannot perform a login process on his own smart device. To overcome these security vulnerabilities of Masud et al.'s scheme, we propose a secure three-factor-based mutual authentication scheme with physical unclonable function (PUF) for WMSNs. In our scheme, we use PUF and fuzzy extractor [8] to enhance the security level. The PUF is a physical circuit that outputs unpredictable random strings, and the fuzzy extractor is a cryptographic algorithm that utilizes the biometrics of users. Therefore, we install the PUF in the sensor node to prevent physical and cloning attacks, and we utilize the fuzzy extractor to overcome offline password guessing attacks. Our scheme also uses hash functions and exclusive-OR operations to ensure real-time communication.

Research Contributions
The contributions of our paper are as follows.
• We review Masud et al.'s scheme and prove that their scheme cannot ensure user anonymity. Moreover, we show that their scheme is vulnerable to offline password, impersonation, and privileged insider attacks and has a device update problem.
• We propose a secure three-factor-based mutual authentication scheme to overcome the security vulnerabilities of Masud et al.'s scheme. We use hash functions and exclusive-OR operations to provide real-time communication for WMSNs. We also utilize PUF and fuzzy extractor [8] to prevent physical and offline password guessing attacks, respectively.
• We analyze the security features of the proposed scheme using well-known Burrows-Abadi-Needham (BAN) logic [9] and the Real-or-Random (RoR) model [10], which can prove mutual authentication and session key security, respectively. Furthermore, we utilize the Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation tool [11,12] to prove that the proposed scheme has resistance against replay and man-in-the-middle attacks.
• We show that our scheme has resistance against various security attacks, such as offline password, impersonation, privileged insider, replay, and man-in-the-middle attacks, using informal analysis. Moreover, the proposed scheme ensures user anonymity, perfect forward secrecy, and mutual authentication.
• We estimate the security properties and functionalities, communication costs, computation costs, and energy consumption of our scheme in comparison with existing authentication schemes.

Organization
In Section 2, we introduce related works for WMSNs. We describe the PUF, fuzzy extractor, adversary model, and system model in Section 3. In Section 4, we describe the detailed procedures of Masud et al.'s scheme. In Section 5, we prove the security vulnerabilities of Masud et al.'s scheme. To overcome these security vulnerabilities, we propose a secure three-factor-based mutual authentication scheme with PUF for WMSNs in Section 6. In Sections 7 and 8, we analyze the security features of our scheme using formal and informal analyses and estimate the performance of our scheme, respectively. Finally, we conclude and summarize our paper in Section 9.

Related Works
In the past several decades, researchers have proposed numerous two-factor-based authentication schemes for WMSNs. In 2012, Kumar et al. [13] proposed an authentication scheme for healthcare applications using a smart card. Their scheme used a symmetric encryption method to establish the session key between the user and the medical sensor node. However, He et al. [14] claimed that Kumar et al.'s scheme is vulnerable to password guessing and privileged insider attacks. As a result, He et al. proposed a robust authentication scheme to overcome these security weaknesses. Unfortunately, Mir et al. [15] demonstrated that [14] cannot prevent offline password guessing and masquerading user attacks. To address the security vulnerabilities of He et al.'s scheme, Mir et al. [15] proposed an authentication and key agreement scheme using hash functions and exclusive-OR operations. In 2018, Wu et al. [16] proposed an authentication scheme for personalized healthcare systems. They used a smart device as a factor to protect the privacy of the doctor. However, the above schemes [13][14][15][16] can be vulnerable to smart device theft and offline password guessing attacks because they adopt two-factor-based authentication.
Three-factor-based authentication schemes have been proposed to improve the security level for WMSNs. In 2018, Challa et al. [17] proposed a three-factor-based user authentication and key agreement protocol using bilinear pairings for wireless healthcare sensor networks. Challa et al. employed bilinear pairing and the fuzzy extractor to overcome security vulnerabilities such as smart card theft, offline password guessing, and privileged insider attacks. In 2019, Li et al. [18] proposed a three-factor user authentication protocol based on elliptic curve cryptography (ECC). They claimed that their scheme can resist various security attacks utilizing biometrics verification with error-correcting code and a fuzzy commitment scheme. Shin et al. [19] suggested an authentication and key agreement scheme that can preserve users' privacy in 5G-integrated IoT environments. In [19], each entity establishes the session key using elliptic curve Diffie-Hellman (ECDH). Furthermore, Ali et al. [20] proposed a biometric-based authentication and access control protocol for WMSNs using ECC. They claimed that their scheme is secure against privileged insider, stolen smart card, and offline password guessing attacks. In 2020, Hsu et al. [21] proposed a three-factor user-controlled single sign-on (UCSSO) scheme for telecare medicine information systems. Their scheme can provide fast authentication and privacy protection using only hash functions and exclusive-OR operations. Although the above schemes [18][19][20][21] can provide lightweight communications to doctors and patients, they cannot prevent sensor node physical and cloning attacks.
Recently, PUF-based authentication schemes have been proposed to prevent physical attacks. In 2017, Aman et al. [22] suggested a mutual authentication scheme using PUF in IoT systems. They claimed that their scheme is secure against IoT device cloning attacks because PUF is employed on each IoT device. Byun [23] proposed an end-to-end key exchange scheme using PUF. This scheme utilized PUF-embedded devices and the fuzzy extractor to ensure mutual authentication between two devices. In 2020, Fang et al. [24] proposed a PUF-based data transmission scheme for IoT environments. They proved that their scheme can prevent various attacks, such as DoS, eavesdropping, impersonation, and cloning attacks, using PUF. In 2021, Chen et al. [25] suggested an efficient mutual authentication and key agreement scheme using PUF and biometrics for wireless sensor network environments. To reduce the storage overhead of the user, Chen et al. [25] eliminated the password during the login phase.
In 2021, Masud et al. [7] proposed a lightweight user authentication scheme for IoT-based healthcare. They asserted that their scheme can protect against impersonation attacks and replay attacks and provide data privacy and anonymity. However, we discover that their scheme is vulnerable to several security issues, such as offline password guessing, user impersonation, and privileged insider attacks. We also find that their scheme cannot ensure user anonymity. Therefore, we propose a three-factor-based mutual authentication scheme using PUF to address various security weaknesses that are critical for WMSNs, such as the lack of user anonymity and vulnerability to smart device theft, offline password, privileged insider, and cloning attacks.

Preliminaries
In this section, we introduce the general system model and the adversary model for WMSNs. Then, we describe PUF and the fuzzy extractor, which can improve the security level of our scheme. Figure 1 shows the general system model of a WMSN, which consists of doctors, a gateway, and sensor nodes. Details are as follows.

System Model
• Doctor (user): The doctor, who has a resource-constrained smart device, authenticates with the gateway to access patients' health reports. To communicate with sensor nodes, the doctor must register with the gateway.
• Gateway: The gateway, which is the smart hospital, communicates with doctors and sensor nodes to provide efficient and convenient remote services to patients. We assume that the gateway is a trusted party and has enough storage and computing power.
• Sensor node: The sensor node is a resource-constrained device attached to the patient in the form of a wearable device. The sensor node collects the patient's health information and sends it to the doctor through the gateway.

Adversary Model
In our paper, we assume that an adversary can eavesdrop, insert, remove, and modify messages transmitted through a public channel according to a well-known adversary model, the Dolev-Yao (DY) model [26]. Moreover, we use the Canetti-Krawczyk (CK) adversary model [27]. In this model, an adversary can access ephemeral parameters or the master key of the gateway. With the CK and DY adversary models, we assume that an adversary can perform various attacks. Details are as below.

• An adversary can steal a doctor's smart device and obtain the secret parameters extracted from the smart device using a power analysis attack [28].
• An adversary can be a privileged insider who can obtain the user's registration message.
• An adversary can obtain the patient's sensor node and perform a cloning attack.
• An adversary can perform various attacks, such as man-in-the-middle, password guessing, and stolen verifier attacks [29].

Physical Unclonable Function
Physical unclonable functions (PUFs) are physical circuits that operate as a one-way function. A PUF circuit is characterized by input-output bit string pairs called "challenge-response pairs". If a random bit string challenge is entered into the PUF circuit, a unique output response is produced. In this paper, we express this process as $R = PUF(C)$, where $C$ and $R$ are a challenge and a response, respectively. Ideal PUF properties are as below.

• The PUF is an unclonable circuit.
• The PUF is a unique physical microstructure. The output of the PUF depends on the physical circuit.
• The output of the PUF has to be unpredictable.
• The circuit of the PUF is easy to evaluate and implement.
Since a PUF has the properties of a one-way function, the PUF returns the same response when the same challenge is input into a PUF-installed device. Moreover, the PUF gives different responses when the same challenge is input into different devices. Therefore, the PUF can provide a unique one-way function that cannot be duplicated. This uniqueness enables the PUF to prevent various attacks, such as physical and cloning attacks.

Fuzzy Extractor
In this section, we explain the basic concept and operation of the fuzzy extractor [8]. When a user utilizes his biometrics or the PUF response string, we cannot ensure the accuracy of the string because of noise from external environmental factors. The fuzzy extractor can control the noise using a helper string. Therefore, we can use the biometric information and the PUF response string as a secret parameter by means of the fuzzy extractor. The fuzzy extractor consists of "generate ($Gen(\cdot)$)" and "reproduce ($Rep(\cdot)$)" algorithms. Details are as follows.
• $Gen(B_i) = (R_i, P_i)$: This is a probabilistic algorithm that generates a secret string $R_i$. If a user inputs a random string $B_i$, the fuzzy extractor generates the secret parameter $R_i$ and a helper string $P_i$.
• $Rep(B^*_i, P_i) = (R_i)$: This is a deterministic algorithm that reproduces the secret string $R_i$. If a user enters the random string $B^*_i$, the fuzzy extractor controls the noise of $B^*_i$ using the helper string $P_i$ and reproduces the secret string $R_i$.
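The following Python script is an added illustration, not code from the paper, of how the PUF challenge-response behaviour of Section 3.3 and the $Gen(\cdot)$/$Rep(\cdot)$ algorithms above fit together in the sensor node's registration computation ($RE_1 = PUF(CH_1)$, $Gen(RE_1) = \langle R^1_{SN}, P_{SN} \rangle$, $AS_{ID} = h(R^1_{SN} \| S_{ID})$). The PUF is simulated by a keyed hash over a per-device secret that stands in for the physical microstructure (it is not a real PUF), the fuzzy extractor is the standard code-offset construction instantiated with a 5-bit repetition code, and all parameters, device secrets, the challenge and the identity are constructed values. It also exercises the two failure modes a practitioner cares about: a read with more noise than the code can correct, and a different device that holds the public helper string.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Parameters of this constructed example (not taken from the paper).
RESP_BITS = 60             # length of a PUF response RE in bits
REP = 5                    # repetition-code block length: corrects up to 2 flips per block
K_BITS = RESP_BITS // REP  # 12 message bits carried by the code


def puf_response(device_secret: bytes, challenge: bytes, flips: Tuple[int, ...] = ()) -> int:
    """Simulated R = PUF(C).

    The per-device secret stands in for the physical microstructure, so one
    device always answers a challenge the same way while another device gives
    an unrelated answer. `flips` injects read noise at the given bit positions
    (constructed), which a real PUF exhibits between measurements."""
    digest = hmac.new(device_secret, challenge, hashlib.sha256).digest()
    response = int.from_bytes(digest, "big") & ((1 << RESP_BITS) - 1)
    for pos in flips:
        response ^= 1 << pos
    return response


def _encode(k: int) -> int:
    """Repetition code: every message bit of k is written REP times."""
    codeword = 0
    for i in range(K_BITS):
        if (k >> i) & 1:
            codeword |= ((1 << REP) - 1) << (i * REP)
    return codeword


def _decode(codeword: int) -> int:
    """Majority vote inside each block of REP bits."""
    k = 0
    for i in range(K_BITS):
        block = (codeword >> (i * REP)) & ((1 << REP) - 1)
        if 2 * bin(block).count("1") > REP:
            k |= 1 << i
    return k


def _derive(k: int) -> str:
    """Secret string R derived from the message bits k."""
    return hashlib.sha256(k.to_bytes(2, "big")).hexdigest()


def gen(w: int, k: Optional[int] = None) -> Tuple[str, int]:
    """Gen(w) = (R, P), code-offset construction.

    A random codeword is XORed onto the noisy input w. The offset P is the
    public helper string; the secret R is derived from the codeword's message
    bits, so P alone reveals nothing about R when w is unknown."""
    if k is None:
        k = secrets.randbits(K_BITS)
    helper = w ^ _encode(k)
    return _derive(k), helper


def rep(w_noisy: int, helper: int) -> str:
    """Rep(w', P) = R: strip the offset, correct the noise, re-derive R."""
    return _derive(_decode(w_noisy ^ helper))


def sensor_registration_demo() -> Dict[str, object]:
    """Step 1 of the proposed sensor node registration phase, simulated."""
    device_secret = b"constructed-sensor-node-A"   # stands in for node A's circuit
    other_secret = b"constructed-sensor-node-B"    # a second, physically distinct node
    ch1 = b"CH1-constructed-challenge"
    s_id = b"SN-constructed-identity"

    re1 = puf_response(device_secret, ch1)         # RE_1 = PUF(CH_1)
    r1_sn, p_sn = gen(re1, k=0xABC)                # Gen(RE_1) = <R^1_SN, P_SN>; k fixed for a deterministic run
    as_id = hashlib.sha256(r1_sn.encode() + s_id).hexdigest()  # AS_ID = h(R^1_SN || S_ID)

    # A later read on the same node: one flipped bit in each of three blocks.
    noisy = puf_response(device_secret, ch1, flips=(0, 7, 59))
    same_device = rep(noisy, p_sn) == r1_sn

    # Three flips inside block 0 exceed what the repetition code can correct.
    too_noisy_read = puf_response(device_secret, ch1, flips=(0, 1, 2))
    too_noisy = rep(too_noisy_read, p_sn) == r1_sn

    # Another node given the public helper string P_SN still cannot rebuild R^1_SN.
    other = puf_response(other_secret, ch1)
    other_device = rep(other, p_sn) == r1_sn

    return {"as_id": as_id, "same_device": same_device,
            "too_noisy": too_noisy, "other_device": other_device}


if __name__ == "__main__":
    print(sensor_registration_demo())
```

The helper string $P_{SN}$ is the only value the node keeps from this step (together with $\delta$ and $S_{TID}$), which is why the scheme can delete $CH_1$ after registration: the response is regenerated from the circuit on every login and the helper string only repairs measurement noise. Tolerable noise is bounded by the error-correcting code, so the block length must be chosen from the measured bit-error rate of the actual PUF.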

Review of Masud et al.'s Scheme
In 2021, Masud et al. [7] proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare environments. Their scheme consists of user registration, sensor node registration, and mutual authentication and key agreement phases. Notations and descriptions are explained in Table 1.

Table 1. Notations and descriptions.

Notation                         Description
                                 Master key of the gateway
$R_{req}$                        Registration request message
$R_{SG}$, $R_{SN}$               Random numbers generated by the gateway and the sensor node
$D_{TID}$, $S_{TID}$             Temporary identities of the doctor and the sensor node
$N_D$, $N_G$, $N_S$              Random nonces generated by the device of the doctor, the gateway, and the sensor node
$CH_1$, $RE_1$                   Challenge and response pair
$SK$                             Session key
$PUF(\cdot)$                     Physical unclonable function
$h(\cdot)$                       Hash function
$\|$                             Concatenation operator
$\oplus$                         Exclusive-OR operator

User Registration Phase
A doctor must register in the gateway to use this network system. We show the user registration phase of Masud et al.'s scheme as follows.
Step 1: The doctor inputs an identity $D_{ID}$ and a password $PW_D$, and generates a registration request message $R_{req}$. Then, the doctor sends $M^1_{RD} = \{D_{ID}, PW_D, R_{req}\}$ to the gateway through a secure channel.
Step 2: The gateway stores $D_{ID}$ and $PW_D$, and then generates $R^1_{SG}$ to compute $\alpha = (D_{ID} \oplus R^1_{SG}) \oplus PW_D$ and $D_{TID} = R^1_{SG} \oplus D_{ID}$. The gateway stores $\{R^1_{SG}, D_{TID}\}$ in its secure database and sends $\alpha$ to the doctor via a secure channel.

Sensor Node Registration Phase
To transmit the health information of a patient, the sensor node must register with the gateway. We describe the sensor node registration phase as below.
Step 1: The sensor node generates $R^1_{SN}$ and sends $\{S_{ID}, R^1_{SN}\}$ to the gateway via a secure channel, where $S_{ID}$ is the real identity of the sensor node.
Step 2: The gateway generates $R^2_{SG}$ and computes $\delta = (S_{ID} \oplus R^2_{SG}) \oplus R^1_{SN}$ and $S_{TID} = R^2_{SG} \oplus S_{ID}$. Then, the gateway stores $\{S_{ID}, R^1_{SN}, R^2_{SG}, S_{TID}\}$ in its secure database and transmits $\{\delta\}$ to the sensor node through a secure channel.
Step 3: When the sensor node receives $\{\delta\}$, it computes

Mutual Authentication and Key Agreement Phase
In this phase, the doctor and the sensor node conduct a mutual authentication and key agreement phase to authenticate each other and establish a session key. Figure 2 shows the mutual authentication and key agreement phase of Masud et al.'s scheme and details are as follows.
Step 1: When the doctor inputs his own password $PW_D$, the smart device of the doctor computes $Q = h(PW_D \| R^{1*}_{SG})$ and verifies $Q \stackrel{?}{=} \beta$. If it is correct, the smart device generates a random nonce $N^1_D$ and computes $N^{1*}_D = N^1_D \oplus PW_D$ and $\lambda = h(R^{1*}_{SG} \| PW_D)$. Then, the doctor sends $\{N^{1*}_D, D_{TID}, \lambda, S_{TID}\}$ to the gateway via a public channel.
Step 2: The gateway receives $\{N^{1*}_D, D_{TID}, \lambda, S_{TID}\}$ and computes $N^1_D$ is a fresh random nonce, the gateway checks the validity of $S_{TID}$ and $D_{TID}$, and computes $\lambda^* = h(R^1_{SG} \| PW_D)$. After verifying the equation $\lambda^* \stackrel{?}{=} \lambda$, the gateway generates $N^1_G$ and computes $G^1$
Step 3: The sensor node computes $N^1_G = G^1_W \oplus S_{TID}$ and checks the freshness of $N^1_G$. After this, the sensor node computes $S^1_N = h(R^1_{SN} \| R^2_{SG})$ and checks the equality of $S^1_N$ and $G^2_W$. If they are equal, the sensor node generates $N^1_S$ and computes $SK = ($
Step 4: When the gateway receives $\{S^2_N, S^3_N, S^4_N\}$ from the sensor node, the gateway computes $N^1_S = S^2_N \oplus S_{TID}$ and verifies the freshness of $N^1_S$. Then, the gateway computes Lastly, the gateway stores $\{R^4_{SG}, D^{new}_{TID}\}$ in its secure database and sends a message $\{\mu, SK_U, \eta, G^5_W\}$ to the smart device of the doctor.
Step 5: After receiving $\{\mu, SK_U, \eta, G^5_W\}$ from the gateway, the doctor computes $N^2_G = \mu \oplus D_{ID}$ and checks the freshness of $N^2_G$. Then, the smart device computes the session key

Cryptanalysis of Masud et al.'s Scheme
If an adversary A obtains a legitimate user's smart device, A can extract the information $\{\beta, R^{1*}_{SG}, D_{TID}\}$ from the smart device using a power analysis attack [28], according to Section 3.2. With this information, A can perform various security attacks, such as offline password guessing, user impersonation, and privileged insider attacks. Furthermore, Masud et al.'s scheme does not ensure user anonymity and has a device update problem when signing in for the next session. Details are shown below.

User Anonymity
An adversary A obtains the smart device of a doctor and extracts $\{\beta, R^{1*}_{SG}, D_{TID}\}$ using a power analysis attack. Then, A calculates $D_{ID} = D_{TID} \oplus R^{1*}_{SG}$, where $D_{ID}$ is the real identity of the doctor. Therefore, Masud et al.'s scheme cannot ensure user anonymity.

Offline Password Guessing Attack
An offline password guessing attack aims to obtain the valid password of a user from a password dictionary in polynomial time. To do so, an adversary A needs some information about the user in order to check whether a guessed password is correct. In Masud et al.'s scheme, A can verify the correctness of the guessed password using the information extracted from the smart device of the doctor. We describe the procedure as follows.
Step 1: The adversary A inputs a guessed password $PW_A$ and calculates is a parameter extracted from the smart device of the doctor. If they are equal, it means that A has guessed the password $PW_D$ correctly.
Thus, Masud et al.'s scheme is vulnerable to offline password guessing attacks.

User Impersonation Attack
The adversary A can obtain the real identity $D_{ID}$ and the password $PW_D$ of the doctor, according to Sections 5.1 and 5.2. Then, A can impersonate the doctor with this information. We describe the steps as follows.
Step 1: A generates a random nonce $N^1_A$ and computes $N^{1*}$
Step 2: After receiving $\{N^{1*}_A, D_{TID}, \lambda_A, S_{TID}\}$ from the adversary A, the gateway retrieves $N^1_A = N^{1*}_A \oplus PW_D$ and checks the freshness of $N^1_A$. If it is found to be fresh, the gateway verifies $D_{TID}$ and $S_{TID}$ from its database. Then, the gateway computes If the equation is correct, the gateway generates a random nonce $N^1_G$ and computes $G^1$ The sensor node generates a random nonce $S$ is a fresh random nonce, the gateway computes After this, the gateway generates a random nonce $N^2_G$ and computes
Step 5: A computes $N^2_G = \mu \oplus D_{ID}$ and verifies the freshness of $N^2_G$. Then, A computes

Privileged Insider Attack
A privileged insider attack can be performed by an insider adversary A that has unquestioned authority within the system. Therefore, the privileged insider A can obtain various information about users, including registration request messages, and may attempt to calculate the session key or impersonate a legal user.
In Masud et al.'s scheme, a privileged insider adversary A can impersonate a legitimate doctor after obtaining a registration request message $\{D_{ID}, PW_D, R_{req}\}$ and the secret parameters $\{\beta, R^{1*}_{SG}, D_{TID}\}$ extracted from the smart device of the doctor. A generates a random nonce $N^1_A$ and computes $N^{1*}$ The gateway and the sensor node authenticate each other and return a message $\{\mu,$ Thus, Masud et al.'s scheme is insecure against privileged insider attacks.

Device Update Problem
The smart device replaces $\{R^{1*}_{SG}, D_{TID}\}$ with $\{R^4_{SG}, D^{new}_{TID}\}$ at the end of the authentication and key agreement phase. After this, the doctor may try to authenticate another sensor node that is attached to a patient in another session. However, the doctor cannot perform the login phase. If the doctor inputs a password $PW_D$, the smart device computes , the login phase is aborted. Therefore, Masud et al.'s scheme has a device update problem.

Proposed Scheme
Although Masud et al.'s scheme is efficient for WMSNs, it has several security vulnerabilities. To address these security weaknesses, we propose a secure three-factor-based mutual authentication and key agreement scheme using PUF. Our scheme consists of initialization, user registration, sensor node registration, mutual authentication and key agreement, and password change phases.

Initialization Phase
Before starting the registration phase, the gateway inserts an identity and a challenge into the sensor node. Figure 3 shows the initialization of our scheme and detailed steps are as follows.

[Figure 3: initialization phase. Gateway: selects $S_{ID}$, generates a challenge $CH_1$; Sensor node.]
Step 1: The gateway selects an identity $S_{ID}$ and a challenge $CH_1$, and sends $\{S_{ID}, CH_1\}$ to the sensor node via a secure channel.
Step 2: The sensor node stores $\{S_{ID}, CH_1\}$ in its memory.

User Registration Phase
A doctor must register in the network to provide a convenient remote medical service to patients. We show the user registration phase in Figure 4 and detailed steps are as follows.
Step 1: A doctor inputs an identity $D_{ID}$, a password $PW_D$, and a biometric template $BIO_D$ to the smart device. Then, the smart device generates a registration request message $R_{req}$ and computes $Gen(BIO_D) = \langle R_D, P_D \rangle$ and $GPW_D = h(PW_D \| R_D)$, where $Gen(\cdot)$ is the fuzzy extractor generation function. The doctor sends $\{D_{ID}, GPW_D, R_{req}\}$ to the gateway via a secure channel.

[Figure 4: user registration phase between the user (doctor) and the gateway.]
Step 2: After receiving $\{D_{ID}, GPW_D, R_{req}\}$ from the doctor, the gateway generates random numbers $R^1_{SG}$ and $R^2_{SG}$, and computes

Sensor Node Registration Phase
A patient must register in the network using a sensor node in order to receive remote medical services from the doctor. In Figure 5, we show the sensor node registration phase of our scheme and details are as below.

[Figure 5: sensor node registration phase between the sensor node and the gateway.]
Step 1: The sensor node retrieves the challenge stored in its memory and computes $RE_1 = PUF(CH_1)$, $Gen(RE_1) = \langle R^1_{SN}, P_{SN} \rangle$, and $AS_{ID} = h(R^1_{SN} \| S_{ID})$. Then, the sensor node sends $\{S_{ID}, AS_{ID}, CH_1\}$ to the gateway through a secure channel.
Step 2: The gateway generates $R^3_{SG}$ and computes $\delta = h(AS_{ID} \| s)$ and $S_{TID} = h(\delta \| R^3_{SG} \| AS_{ID})$. After this, the gateway stores $\{AS_{ID}, S_{TID}, CH_1\}$ in its secure database and sends $\{\delta, S_{TID}\}$ to the sensor node via a secure channel.
Step 3: Finally, the sensor node deletes the challenge $CH_1$ and stores $\{\delta, P_{SN}, S_{TID}\}$ in its memory.

Mutual Authentication and Key Agreement Phase
The doctor sends a login request message to the gateway and establishes a session key among the doctor, the gateway, and the sensor node. After this, the doctor can perform an accurate diagnosis of the patient. We describe the mutual authentication and key agreement phase in Figure 6 and details are as follows.

[Figure 6: mutual authentication and key agreement phase among the doctor, the gateway, and the sensor node.]
Step 1: $= Ver^*_D$. If it is correct, the smart device generates a random nonce $N^1_D$ and computes $R^2$. The smart device sends $\{D_{TID}, S_{TID}, M_{D1}, V_{D1}\}$ to the gateway through a public channel.
Step 2: When the gateway receives the message $\{D_{TID}, S_{TID}, M_{D1}, V_{D1}\}$ from the doctor, the gateway checks the pseudo identities $\{D_{TID}, S_{TID}\}$ and retrieves $\{\omega, R^1_{SG}\}$ from the database. Then, the gateway computes $\alpha = \omega \oplus h(R^1_{SG} \| s)$, is correct, the gateway generates a random nonce $N^1_G$ and retrieves $\{AS_{ID}, CH_1\}$. The gateway computes $\delta = h(AS_{ID} \| s)$, . After this, the gateway transmits $\{D_{TID}, S_{TID}, M_{G1}, M_{G2}, V_{G1}\}$ to the sensor node via a public channel.
Step 3: The sensor node computes $CH^* =$ $V_{G1}$ is correct, the sensor node generates a random nonce $N^1_S$ and computes a new pseudo identity $S^{new}$. Lastly, the sensor node sends $\{M_{S1}, V_{S1}\}$ to the gateway through a public channel and updates $\{S_{TID}\}$ to $\{S^{new}_{TID}\}$.
Step 4: After receiving $\{M_{S1}, V_{S1}\}$ from the sensor node, the gateway computes $= V_{S1}$ is correct, the gateway computes a new pseudo identity of the doctor $D^{new}_{TID}\}$ in the smart device.

Password Change Phase
In our scheme, we provide a convenient password update process for the doctor. Detailed steps are as follows.
Step 1: A doctor inputs $D_{ID}$, $PW_D$, and $BIO_D$ to the smart device.

Security Analysis
To prove the security features of the proposed scheme, we use BAN logic and the RoR model, which can prove the mutual authentication properties and session key security, respectively. Moreover, we show that our scheme has resistance against man-in-the-middle and replay attacks using AVISPA. Furthermore, we claim that the proposed scheme can prevent various security attacks using informal analysis.

BAN Logic
BAN logic is a well-known formal proof to verify the mutual authentication of a protocol. Therefore, many researchers have used BAN logic to prove the mutual authentication of their schemes [30][31][32][33]. In this section, we prove the mutual authentication of the proposed scheme using BAN logic [9]. The basic notations and descriptions of BAN logic are shown in Table 2.

Rules
The logical rules of BAN logic are as follows.

Notation                          Description
$P_1 \xleftrightarrow{K} P_2$     $P_1$ and $P_2$ share the key $K$

Freshness rule (FR) :
The BAN logic goals of the proposed scheme are as follows. We define the principals DO, GWN, and SN as the doctor, the gateway, and the sensor node, respectively. In the proposed scheme, there are four messages exchanged through a public channel. We transform these messages into idealized forms. Our scheme's idealized forms for the messages are as follows: The assumptions in the proposed scheme are shown below.

BAN Logic Proof
Step 1: We can obtain $S_1$ from the message Message 1.
Step 2: We can obtain $S_2$ from the message meaning rule using $S_1$ and $A_{10}$.
Step 3: We can obtain $S_3$ from the freshness rule using $S_2$ and $A_1$.
Step 4: We can obtain $S_4$ from the nonce verification rule using $S_2$ and $S_3$.
Step 5: We can obtain $S_5$ from the message Message 2.
Step 6: We can obtain $S_6$ from the message meaning rule using $S_5$ and $A_{11}$.
Step 7: We can obtain $S_7$ from the freshness rule using $S_6$ and $A_3$.
Step 8: We can obtain $S_8$ from the nonce verification rule using $S_6$ and $S_7$.
Step 9: We can obtain $S_9$ from the message Message 3.
Step 10: We can obtain $S_{10}$ from the message meaning rule using $S_9$ and $A_{12}$.
$S_{10}: GWN \mid\equiv SN \mid\sim (N^1_S)$
Step 11: We can obtain $S_{11}$ from the nonce verification rule using $A_2$ and $S_{10}$.
Step 12: We can obtain $S_{12}$ and $S_{13}$ from $S_8$ and $S_{11}$. SN and GWN can compute the session key
Step 13: We can obtain $S_{14}$ and $S_{15}$ from the jurisdiction rule using $S_{12}$ and $A_8$, and $S_{13}$ and $A_7$, respectively.
Step 14: We can obtain $S_{16}$ from the message Message 4.
Step 15: We can obtain $S_{17}$ from the message meaning rule using $A_9$ and $S_{16}$.
Step 16: We can obtain $S_{18}$ from the freshness rule using $S_{17}$ and $A_4$.
Step 17: We can obtain $S_{19}$ from the nonce verification rule using $S_{17}$ and $S_{18}$.
Step 18: We can obtain $S_{20}$ and $S_{21}$ using $S_4$ and $S_{19}$. DO and GWN can compute the session key
Step 19: We can obtain $S_{22}$ and $S_{23}$ from the jurisdiction rule using $S_{20}$ and $A_5$, and $S_{21}$ and $A_6$, respectively.
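The rule applications in Steps 9 to 11 above (message meaning, then nonce verification) can be checked mechanically. The following Python script is an added example and not part of the paper: it encodes the four standard BAN rules as forward-chaining inferences over tuples and re-derives $S_{10}$ and $S_{11}$ from $S_9$, $A_{12}$, and $A_2$. Because the page does not give the idealized form of Message 3 or the contents of $A_2$ and $A_{12}$, the script assumes them: $S_9$ as GWN sees $\{N^1_S\}_K$, $A_{12}$ as GWN believes it shares $K$ with SN, and $A_2$ as GWN believes $N^1_S$ is fresh; the key name $K$ is a placeholder. Running the same derivation without $A_2$ shows why the freshness assumption is load-bearing: the gateway still learns that SN said $N^1_S$ but not that SN believes it, which is exactly the replay case.

```python
from typing import Set, Tuple

# Formulas are nested tuples; principals, keys and nonces are plain strings.
Formula = tuple


def believes(p, x):    return ("believes", p, x)      # P |≡ X
def sees(p, x):        return ("sees", p, x)          # P ◁ X
def said(p, x):        return ("said", p, x)          # P |∼ X
def controls(p, x):    return ("controls", p, x)      # P ⇒ X
def fresh(x):          return ("fresh", x)            # #(X)
def sharekey(p, q, k): return ("sharekey", p, q, k)   # P <-K-> Q
def enc(x, k):         return ("enc", x, k)           # {X}_K
def pair(x, y):        return ("pair", x, y)          # (X, Y)


def _peer(p, key_formula):
    """For P and a formula P <-K-> Q (in either order) return (Q, K), else None."""
    _, a, b, k = key_formula
    if a == p:
        return b, k
    if b == p:
        return a, k
    return None


def derive(assumptions: Set[Formula]) -> Set[Formula]:
    """Forward-chain the BAN rules until no new belief appears."""
    kb = set(assumptions)
    while True:
        new = set()
        for f in kb:
            if f[0] != "believes" or not isinstance(f[2], tuple):
                continue
            p, x = f[1], f[2]
            # Message meaning rule (shared key):
            #   P |≡ P <-K-> Q,  P ◁ {X}_K   ⇒   P |≡ Q |∼ X
            if x[0] == "sharekey" and _peer(p, x) is not None:
                q, k = _peer(p, x)
                for g in kb:
                    if g[0] == "sees" and g[1] == p and g[2][0] == "enc" and g[2][2] == k:
                        new.add(believes(p, said(q, g[2][1])))
            # Freshness rule:  P |≡ #(X)  ⇒  P |≡ #(X, Y)  for compounds P has heard
            if x[0] == "fresh":
                for g in kb:
                    if (g[0] == "believes" and g[1] == p and g[2][0] == "said"
                            and g[2][2][0] == "pair" and x[1] in g[2][2][1:]):
                        new.add(believes(p, fresh(g[2][2])))
            # Nonce verification rule:  P |≡ #(X),  P |≡ Q |∼ X   ⇒   P |≡ Q |≡ X
            if x[0] == "said" and believes(p, fresh(x[2])) in kb:
                new.add(believes(p, believes(x[1], x[2])))
            # Jurisdiction rule:  P |≡ Q ⇒ X,  P |≡ Q |≡ X   ⇒   P |≡ X
            if x[0] == "believes" and believes(p, controls(x[1], x[2])) in kb:
                new.add(believes(p, x[2]))
        if new <= kb:
            return kb
        kb |= new


def gwn_steps_9_to_11(with_freshness: bool = True) -> Tuple[bool, bool]:
    """Re-derive S_10 and S_11 of the proof from S_9, A_12 and A_2 (assumed forms)."""
    GWN, SN, K, N1_S = "GWN", "SN", "K_GWN_SN", "N1_S"   # K is a placeholder key name
    kb = {
        sees(GWN, enc(N1_S, K)),                 # S_9: idealized Message 3 (assumed)
        believes(GWN, sharekey(GWN, SN, K)),     # A_12: GWN |≡ GWN <-K-> SN (assumed)
    }
    if with_freshness:
        kb.add(believes(GWN, fresh(N1_S)))       # A_2: GWN |≡ #(N^1_S) (assumed)
    derived = derive(kb)
    s10 = believes(GWN, said(SN, N1_S)) in derived        # S_10: GWN |≡ SN |∼ (N^1_S)
    s11 = believes(GWN, believes(SN, N1_S)) in derived    # S_11: GWN |≡ SN |≡ (N^1_S)
    return s10, s11


if __name__ == "__main__":
    print("with A_2:", gwn_steps_9_to_11())
    print("without A_2:", gwn_steps_9_to_11(with_freshness=False))
```

The engine is deliberately small: it does not idealize messages (that step is done by hand, as in the paper) and it only applies the shared-key form of the message meaning rule, which is the one a hash-and-XOR scheme needs. The same `derive` function can be reused for the DO side of the proof (Steps 14 to 19) once the idealized forms of Message 4 and the assumptions $A_4$, $A_9$ are written down in the same notation.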

RoR Model
In this section, we prove that the session key in the proposed scheme is secure, using the Real-or-Random (RoR) model [10]. To apply our scheme to the RoR model, we discuss the basic concepts of participants, adversaries, and queries. There are three participants in our scheme: $P^{t_1}_{User}$, $P^{t_2}_{Gateway}$, and $P^{t_3}_{Sensor}$, where $t_k$ is the participant instance of the user, the gateway, and the sensor node. We assume that an adversary A can control the whole network, which intercepts, deletes, inserts, and eavesdrops messages transmitted through a public channel. Moreover, A attempts to attack the network utilizing Execute, CorruptSD, Reveal, Send, and Test queries in the RoR model. Details of the queries are as follows.
• $Execute(P^{t_1}_{User}, P^{t_2}_{Gateway}, P^{t_3}_{Sensor})$: The query Execute is a passive attack. This query models that A can eavesdrop messages generated by $P^{t_1}_{User}$, $P^{t_2}_{Gateway}$, and $P^{t_3}_{Sensor}$.
• $CorruptSD(P^{t_1}_{User})$: This query is an active attack. By this query, A can obtain sensitive information extracted from the smart device of $P^{t_1}_{User}$.
• $Reveal(P^t)$: A can reveal the current session key SK.
• $Send(P^t, M)$: Using the query Send, A can send a message M to $P^{t_1}_{User}$, $P^{t_2}_{Gateway}$, and $P^{t_3}_{Sensor}$. Moreover, A can receive the return message. Therefore, this query is an active attack.
• $Test(P^t)$: If A performs a Test query, an unbiased coin C is flipped prior to starting the game. When the session key SK is fresh, A obtains $C = 1$. A also obtains $C = 0$ when the session key is not fresh. Otherwise, A will receive a null value ($\bot$). If A cannot distinguish between the session key and the random number, we can ensure that the proposed scheme provides the security of the session key.

Security Proof
Theorem 1. In the RoR model, an adversary A tries to compute the session key of the proposed scheme in polynomial time. Let Adv A (P) be the probability that A breaks the security of the session key. We define Hash and PUF as the range spaces of the hash function h(.) and the PUF function PUF(.), respectively. In addition, we define q h , q p , and q s as the numbers of Hash, PUF, and Send queries, respectively. l D is the number of bits in the biometric secret key BIO D of the doctor, and C and s are Zipf's parameters [34].
We follow the proof strategy of [35][36][37]. The proof consists of five games Game k , where k = 0, 1, 2, 3, 4. We denote by S Game k the event that the adversary A wins Game k , and by Pr[S Game k ] the advantage of A in Game k .
• Game 0 : Game 0 is the starting game, where the adversary A picks the random bit c. Therefore, we obtain the following:
• Game 1 : In this game, A performs an eavesdropping attack, which corresponds to the Execute query in the RoR model. After obtaining the messages {D TID , S TID , M D1 , V D1 }, {D TID , S TID , M G1 , M G2 , V G1 }, {M S1 , V S1 }, and {M G3 , V G2 }, A carries out the Test and Reveal queries to distinguish the session key SK from a random number. To obtain the session key and N 1 S , which are random numbers generated by the user (doctor), the gateway, and the sensor node, respectively. α is the shared secret parameter between the gateway and the user. For these reasons, the adversary A cannot compute the session key SK. This means that A does not increase its probability compared with Game 0 .
• Game 2 : In Game 2 , the adversary A performs Send and Hash queries. In the messages {D TID , S TID , M D1 , V D1 }, {D TID , S TID , M G1 , M G2 , V G1 }, {M S1 , V S1 }, and {M G3 , V G2 }, the parameters D TID , S TID , V D1 , V G1 , V S1 , and V G2 are masked by the cryptographic one-way hash function, which is collision resistant. Moreover, the random numbers N 1 D , N 1 G , and N 1 S and the hash outputs are contained in M D1 , M G1 , M G2 , M G3 , and M S1 . Therefore, there is no collision problem when A performs a Hash query. Applying the birthday paradox [38], we obtain the following:
• Game 3 : Game 3 is similar to Game 2 , but A performs Send and PUF queries. As explained in Section 3.3, the physical function PUF(.) is secure. Therefore, we obtain the following inequality:
• Game 4 : In the final game Game 4 , A performs a CorruptSD query and extracts the sensitive data {β, θ, Ver D , D TID , P D } from the smart device of the user. A attempts to compute the parameters α and R 2 SG from β = α ⊕ h(GPW D ||R 2 SG ) and θ = R 2 SG ⊕ h(R D ||GPW D ), respectively.
Since the parameters R D and GPW D = h(PW D ||R D ) are derived from the password and the biometrics, A must guess these parameters. Therefore, A cannot increase its probability, because guessing the password and the biometrics simultaneously is computationally infeasible. According to Zipf's law [34], we obtain the following inequality:
When the games are completed, the adversary A outputs the guessed bit c. Therefore, it is clear that
By (2) and (3), we obtain the following equation:
Using (6) and (7), we obtain the following equation:
Applying the triangle inequality, we obtain the following result:
Finally, we obtain the required result by multiplying (9) by 2:
Thus, Theorem 1 is proven.
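The chain of games above can be written out explicitly. The following derivation is an added worked example, not the paper's own numbered equations (which are not reproduced here); it uses the paper's symbols and assumes the standard bounds that the birthday paradox, the PUF security assumption, and Zipf's law give for each game hop.

$$
\begin{aligned}
\text{Game}_0:\quad & \mathrm{Adv}_A(P) = \bigl|\,2\Pr[S_{\text{Game}_0}] - 1\,\bigr| \\
\text{Game}_1:\quad & \Pr[S_{\text{Game}_1}] = \Pr[S_{\text{Game}_0}] \quad\text{(eavesdropping alone gives no advantage)} \\
\text{Game}_2:\quad & \bigl|\Pr[S_{\text{Game}_2}] - \Pr[S_{\text{Game}_1}]\bigr| \le \frac{q_h^2}{2|\mathit{Hash}|} \quad\text{(birthday bound on hash collisions)} \\
\text{Game}_3:\quad & \bigl|\Pr[S_{\text{Game}_3}] - \Pr[S_{\text{Game}_2}]\bigr| \le \frac{q_p^2}{2|\mathit{PUF}|} \quad\text{(birthday bound on PUF collisions)} \\
\text{Game}_4:\quad & \bigl|\Pr[S_{\text{Game}_4}] - \Pr[S_{\text{Game}_3}]\bigr| \le \max\Bigl\{C\cdot q_s^{\,s},\; \frac{q_s}{2^{l_D}}\Bigr\} \quad\text{(Zipf's law for the password, } 2^{-l_D}\text{ per guess for the biometrics)} \\
& \Pr[S_{\text{Game}_4}] = \tfrac{1}{2} \quad\text{(nothing is left but guessing } c\text{)}
\end{aligned}
$$

Combining the hops with the triangle inequality,

$$
\tfrac{1}{2}\mathrm{Adv}_A(P)
= \bigl|\Pr[S_{\text{Game}_0}] - \tfrac{1}{2}\bigr|
= \bigl|\Pr[S_{\text{Game}_1}] - \Pr[S_{\text{Game}_4}]\bigr|
\le \sum_{k=1}^{3}\bigl|\Pr[S_{\text{Game}_{k+1}}] - \Pr[S_{\text{Game}_k}]\bigr|
\le \frac{q_h^2}{2|\mathit{Hash}|} + \frac{q_p^2}{2|\mathit{PUF}|} + \max\Bigl\{C\cdot q_s^{\,s},\; \frac{q_s}{2^{l_D}}\Bigr\},
$$

and multiplying by 2 gives the form of bound the theorem is after:

$$
\mathrm{Adv}_A(P) \le \frac{q_h^2}{|\mathit{Hash}|} + \frac{q_p^2}{|\mathit{PUF}|} + 2\max\Bigl\{C\cdot q_s^{\,s},\; \frac{q_s}{2^{l_D}}\Bigr\}.
$$

The practical reading is that the advantage is negligible only while the number of online Send queries $q_s$ is kept small by the gateway (lockout or rate limiting), since the Zipf term grows with $q_s$ rather than with the hash size.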

AVISPA Simulation
We simulate the proposed scheme using AVISPA [11,12] to analyze the security features of our scheme. AVISPA is a formal verification tool that can detect security vulnerabilities regarding replay and man-in-the-middle attacks. Therefore, various authentication schemes [39][40][41] have been simulated by using AVISPA.
To simulate our protocol, we specify it in the High-Level Protocol Specification Language (HLPSL). The HLPSL specification is converted into the Intermediate Format (IF) by the translator, which then passes the IF to the back-ends. AVISPA has four back-ends: the On-the-Fly Model Checker (OFMC), the Constraint Logic-based Attack Searcher (CL-AtSe), the SAT-based Model Checker (SATMC), and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). In this paper, the OFMC and CL-AtSe back-ends are used because they support exclusive-OR operations. Lastly, we obtain the Output Format (OF), which is the security analysis result for the protocol. If the summary of the OF reports "SAFE", the protocol is considered secure against replay and man-in-the-middle attacks.

HLPSL Specification
In this section, we explain the HLPSL code of our scheme. There are three basic roles in HLPSL: the doctor DO, the gateway GW, and the sensor node SN. With these roles, we describe the session and the environment roles. The goals, the environment, and the session of our scheme written in HLPSL are shown in Figure 7.

Simulation Result
We perform simulations using the OFMC and CL-AtSe back-ends and show the simulation result of the proposed scheme in Figure 9. A summary message of "SAFE" indicates that the proposed scheme is secure against replay and man-in-the-middle attacks. As shown in Figure 9, the summaries of both the OFMC and CL-AtSe back-ends are "SAFE". Thus, the proposed scheme prevents replay and man-in-the-middle attacks.

Informal Analysis
In this section, we show the security features of the proposed scheme, including resistance against offline password guessing, impersonation, replay, man-in-the-middle, physical, cloning, privileged insider, session-specific random number leakage, and verification table leakage attacks. Moreover, the proposed scheme ensures user anonymity, perfect forward secrecy, and mutual authentication.

User Anonymity
We assume that an adversary A obtains the stolen smart device of a doctor (user) and extracts {β, θ, Ver D , D TID , P D }. However, A cannot compute the real identity of the doctor, because the pseudo identity D TID is masked by the hash function and updated in every session. Since the parameters β = α ⊕ h(GPW D ||R 2 SG ) and θ = R 2 SG ⊕ h(R D ||GPW D ) stored in the smart device are masked with the biometric template of the doctor, A cannot guess the real identity of the doctor. Hence, A cannot obtain the real identity of the doctor, and the proposed scheme ensures user anonymity.

Offline Password Guessing Attack
A obtains a doctor's smart device and extracts {β, θ, Ver D , D TID , P D } from the device using a power analysis attack. Then, A attempts to guess the password of the doctor using the extracted parameters. However, A cannot guess the password, because the proposed scheme also uses biometrics. Since GPW D = h(PW D ||R D ), A must guess not only the password PW D but also the biometrics BIO D of the doctor at the same time. Note that R D is the output of the fuzzy extractor, R D = Rep(BIO D , P D ). Guessing both simultaneously is computationally infeasible. Thus, the proposed scheme prevents offline password guessing attacks.

Impersonation Attack
Assume that an adversary A tries to impersonate a legitimate doctor using parameters {β, θ, Ver D , D TID , P D }, which are stored in the doctor's device. Then, A attempts to calculate the login request message {D TID , S TID , M D1 , V D1 }. However, A cannot calculate . Hence, the proposed scheme is secure against impersonation attacks.

Replay Attack
Assume that an adversary A intercepts authentication request messages {D TID , S TID , M D1 , V D1 }, {D TID , S TID , M G1 , M G2 , V G1 }, and sends messages to authenticate the gateway and the sensor node at other sessions. However, each entity checks the freshness of N 1 D , N 1 G , and N 1 S , which are random nonces generated by the doctor, the gateway, and the sensor node, respectively. Therefore, the proposed scheme is secure against replay attacks.

Man-in-the-Middle Attack
As shown in Section 7.4.3, A cannot generate the login request message {D TID , S TID , M D1 , V D1 }. Moreover, A cannot compute {D TID , S TID , M G1 , M G2 , V G1 }, {M S1 , V S1 }, or {M G3 , V G2 }, because each message is masked with the shared secret parameters α and δ. Thus, the proposed scheme prevents man-in-the-middle attacks.

Physical and Cloning Attacks
Assume that A physically captures a sensor node SN 1 and tries to authenticate to the gateway as SN 1 . To do this, A extracts the parameters {δ, P SN , S TID } of SN 1 using a power analysis attack. Then, A attempts to authenticate as the legitimate sensor node SN 1 using {δ, P SN , S TID } or by cloning SN 1 . When A receives {D TID , S TID , M G1 , M G2 , V G1 } from the gateway, A computes CH * 1 = M G3 ⊕ h(δ||D TID ||S TID ). However, A cannot compute RE 1 , because the function PUF(.) is a physically unclonable circuit that cannot be duplicated, as described in Section 3.3. Therefore, A cannot compute R 1 SN = Rep(RE 1 , P SN ) and AS ID = h(R 1 SN ||S ID ), which are needed to compute M S1 and V S1 . Thus, the proposed scheme is secure against physical and cloning attacks.

Privileged Insider Attack
Assume that a privileged insider A obtains the registration request message {D ID , GPW D , R req } of a doctor, as well as the parameters {β, θ, Ver D , D TID , P D } extracted from the doctor's stolen smart device using a power analysis attack, and attempts to impersonate the doctor. To compute the login request message {D TID , S TID , M D1 , V D1 }, A must compute the shared secret parameter α. However, A cannot compute α = h(GPW D ||R 2 SG ), because the parameter R D in GPW D = h(PW D ||R D ) is generated from the biometrics of the doctor. Moreover, A must guess the password PW D of the doctor to compute GPW D = h(PW D ||R D ), and guessing R D and PW D at the same time is computationally infeasible. Therefore, the proposed scheme prevents privileged insider attacks.

Perfect Forward Secrecy
However, A cannot compute α = h(D ID ||s) without the real identity of the doctor, and all random nonces are masked by hash functions. Therefore, A cannot compute SK. For this reason, the proposed scheme ensures perfect forward secrecy.

Mutual Authentication
To ensure mutual authentication, each entity checks the validity of the received verification values, including V * S1 ? = V S1 and V * G2 ? = V G2 . Furthermore, all participants check the freshness of the random nonces N 1 D , N 1 G , and N 1 S . When these verifications succeed, the participants of the proposed scheme have authenticated each other. Therefore, the proposed scheme ensures mutual authentication.

Performance
In this section, we compare the security features of the proposed scheme with other related schemes [7,[18][19][20]25]. Moreover, we show the communication costs, computation costs, and energy consumption of the proposed scheme.

Security Features Comparison
We present the security features of the proposed scheme compared with related schemes [7,[18][19][20]25]. In Table 3, we consider various security attacks and functionalities, defined as follows:
SP1: resistance against smart device theft attack
SP2: resistance against offline password guessing attack
SP3: resistance against impersonation attack
SP4: resistance against replay attack
SP5: resistance against privileged insider attack
SP6: resistance against physical and cloning attacks
SP7: resistance against session-specific random number leakage attack
SP8: resistance against verification table leakage attack
SP9: ensuring user anonymity
SP10: ensuring perfect forward secrecy
SP11: ensuring mutual authentication
SP12: performing RoR model analysis
SP13: performing AVISPA simulation
SP14: performing BAN logic proof
Therefore, our scheme provides a more secure authentication process than [7,[18][19][20].
Table 3 legend. ✓: Provides the security/functionality feature. ×: Does not provide the security/functionality feature. −: Does not consider the security/functionality feature.

Communication Costs Comparison
In this section, we compare the communication costs of the proposed scheme with those of existing schemes [7,[18][19][20]25]. Following [35], we assume that a SHA-1 hash digest, an identity, a random number, a PUF challenge-response pair, a timestamp, and an ECC point are 160, 160, 128, 128, 32, and 320 bits, respectively. The communication costs of the proposed scheme are then as follows.
Therefore, the total communication costs of our scheme are 640 + 800 + 320 + 320 = 2080 bits. In Table 4, we show the total communication costs of our scheme and other related schemes. Consequently, we demonstrate that our scheme has more efficient communication costs than other related schemes [7,[18][19][20]25].

Computation Costs Comparison
The total computation costs of our scheme are slightly higher than those of Masud et al.'s scheme [7], as shown in Table 5. However, our scheme provides a much higher security level than [7] by using the fuzzy extractor and PUF. Moreover, our scheme is more efficient and lightweight than the previous schemes [18][19][20]25] that utilize ECC, the fuzzy extractor, and PUF.

Energy Consumption Comparison
In this section, we compare the energy consumption of our scheme with [7,[18][19][20]25]. We follow the battery consumption model used in [44], where the energy consumption for sending and receiving a bit is taken as 4.602 mJ and 2.34 mJ, respectively [45]. Therefore, the total energy consumption of our scheme is 4867 mJ. Table 6 shows the total energy consumption of the proposed scheme and [7,[18][19][20]25]. The result indicates that our scheme is more efficient in terms of energy consumption than the other related schemes.
Table 6. Comparison of energy consumption.
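The communication-cost total above and this energy figure can be recomputed from the stated per-field sizes. The script below is an added example, not the paper's code; it assumes every field of the four protocol messages listed in the RoR-model section is a 160-bit hash-sized value (the only assignment that reproduces the paper's 640, 800, 320 and 320 bit message sizes) and applies both stated per-bit energy rates, which shows that the 4867 mJ total corresponds to 2080 bits at the 2.34 mJ/bit rate.

```python
"""Recompute communication cost and energy figures of the performance section.

Added example (not from the paper). Field types per message are assumptions;
bit sizes and per-bit energy rates are the ones the paper states.
"""

# Bit sizes the paper adopts from [35].
FIELD_BITS = {
    "hash": 160,        # SHA-1 digest
    "identity": 160,
    "random": 128,
    "puf_crp": 128,     # PUF challenge-response pair
    "timestamp": 32,
    "ecc_point": 320,
}

# The four messages of the proposed scheme, as listed in the RoR-model section.
# Assumption: every transmitted field is hash-sized (160 bits).
MESSAGES = {
    "DO -> GW": [("D_TID", "hash"), ("S_TID", "hash"),
                 ("M_D1", "hash"), ("V_D1", "hash")],
    "GW -> SN": [("D_TID", "hash"), ("S_TID", "hash"), ("M_G1", "hash"),
                 ("M_G2", "hash"), ("V_G1", "hash")],
    "SN -> GW": [("M_S1", "hash"), ("V_S1", "hash")],
    "GW -> DO": [("M_G3", "hash"), ("V_G2", "hash")],
}

# Per-bit energy model the paper cites from [44,45].
SEND_MJ_PER_BIT = 4.602
RECV_MJ_PER_BIT = 2.34


def message_bits(fields):
    """Sum the bit sizes of one message's fields."""
    return sum(FIELD_BITS[ftype] for _, ftype in fields)


def message_costs(messages=MESSAGES):
    """Per-message communication cost in bits, keyed by message name."""
    return {name: message_bits(fields) for name, fields in messages.items()}


def total_bits(messages=MESSAGES):
    """Total communication cost of the protocol run in bits."""
    return sum(message_costs(messages).values())


def energy_mj(bits, per_bit_mj):
    """Energy in mJ for transferring `bits` bits at `per_bit_mj` mJ per bit."""
    return bits * per_bit_mj


if __name__ == "__main__":
    for name, bits in message_costs().items():
        print(f"{name}: {bits} bits")
    bits = total_bits()
    print(f"total: {bits} bits")
    print(f"at {RECV_MJ_PER_BIT} mJ/bit: {energy_mj(bits, RECV_MJ_PER_BIT):.1f} mJ")
    print(f"at {SEND_MJ_PER_BIT} mJ/bit: {energy_mj(bits, SEND_MJ_PER_BIT):.2f} mJ")
```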

Conclusions
In this paper, we review Masud et al.'s scheme and show that it is vulnerable to offline password guessing, impersonation, and privileged insider attacks. We also show that Masud et al.'s scheme cannot ensure user anonymity and has a device update problem. To overcome these weaknesses and improve the security level, we propose a provably secure three-factor-based mutual authentication and key agreement scheme for WMSNs. Our scheme is lightweight, using only hash functions and exclusive-OR operations; it provides a secure login process for the doctor using the fuzzy extractor, and it resists cloning and physical attacks using PUF. We show mutual authentication using BAN logic and prove the session key security of our scheme in the RoR model. We also show that our scheme resists replay and man-in-the-middle attacks using the AVISPA simulation tool. Through informal analysis, we show that our scheme is secure against various attacks, including offline password guessing, impersonation, sensor node capture, and verification table leakage attacks. Furthermore, we show that our scheme provides user anonymity, perfect forward secrecy, and mutual authentication. Finally, we estimate the computation costs, communication costs, and energy consumption of our scheme and compare them with those of other related schemes. Our results show that the proposed scheme can provide doctors and patients with more secure services in WMSNs. In future work, we will implement our scheme and evaluate its performance to confirm its suitability for practical WMSN environments.