Enhanced Authenticated Key Agreement for Surgical Applications in a Tactile Internet Environment

The Tactile Internet enables physical touch to be transmitted over the Internet. In the context of electronic medicine, an authenticated key agreement for the Tactile Internet allows surgeons to perform operations via robotic systems and receive tactile feedback from remote patients. The fifth generation of networks has completely changed the network space and has increased the efficiency of the Tactile Internet with its ultra-low latency, high data rates, and reliable connectivity. However, inappropriate and insecure authentication key agreements for the Tactile Internet may cause misjudgment and improper operation by medical staff, endangering the life of patients. In 2021, Kamil et al. developed a novel and lightweight authenticated key agreement scheme that is suitable for remote surgery applications in the Tactile Internet environment. However, their scheme directly encrypts communication messages with constant secret keys and directly stores secret keys in the verifier table, making the scheme vulnerable to possible attacks. Therefore, in this investigation, we discuss the limitations of the scheme proposed by Kamil scheme and present an enhanced scheme. The enhanced scheme is developed using a one-time key to protect communication messages, whereas the verifier table is protected with a secret gateway key to mitigate the mentioned limitations. The enhanced scheme is proven secure against possible attacks, providing more security functionalities than similar schemes and retaining a lightweight computational cost.


Introduction
The fifth generation (5G) network provides fast speeds, high data rates, very low latency, and reliable connections for intelligent devices, sensors, and actuators, as well as the ability to communicate through a single device, such as a smartphone. When 5G technology matures, it will provide 100 Gbps coverage, 10 GB/s peak data rates, and more than 100 billion smart device connections to the entire Internet of Things [1]. The high capacity and speed of the 5G network will provide many opportunities for the IoT environment. The Tactile Internet (TI) represents a future development goal with respect to the Internet of Things (IoT), including human-machine interaction and machine-machine interaction, which will enable real-time collaboration and innovative applications in the industrial, social, and commercial fields of the Internet [2,3].
The Tactile Internet will use 5G URLLC (ultra-reliable and low-latency communication) functionality to provide users with ultra-fast Internet so that haptic interaction can be realized through visual feedback [3]. This visual feedback relates to audio-visual interaction, real-time control of robotic systems and actuators, and real-time control of the human body and the environment around it. With the increasing availability of high-speed Internet connections, such low-latency functions will lead to enhanced human-machine (tactile) interactions that can be transmitted to the other end of the world in real time [1,3,4]. However, such messages may face security or performance risks once they are transmitted. Therefore, any unauthorized access may lead to an unplanned or unexpected surgery, which could lead to adverse consequences or even death.
The open nature of Tactile Internet connections makes them vulnerable to a variety of security attacks, including replay, denial of service, man-in-the-middle, differential privacy, error data injection, impersonation, and modification attacks, as well as malicious software attacks, requiring secure Tactile Internet access. The remote surgery application establishes a secure user authentication protocol, which allows authorized and registered surgeons to authenticate each other and to generate a shared secure session key for secure and reliable communications with others.  A hospital operating room includes robotic arms with tactile sensors and actuators; gateways, such as access points (APs); and patients to be operated on. A remote surgeon controls the robotic arm using instructions provided by a mobile device (or multiple mobile devices) and receives the results of the operation on the screen. All devices must be registered with a trusted institution (TA). interaction, real-time control of robotic systems and actuators, and real-time control of the human body and the environment around it. With the increasing availability of highspeed Internet connections, such low-latency functions will lead to enhanced human-machine (tactile) interactions that can be transmitted to the other end of the world in real time [1,3,4]. However, such messages may face security or performance risks once they are transmitted. Therefore, any unauthorized access may lead to an unplanned or unexpected surgery, which could lead to adverse consequences or even death. The open nature of Tactile Internet connections makes them vulnerable to a variety of security attacks, including replay, denial of service, man-in-the-middle, differential privacy, error data injection, impersonation, and modification attacks, as well as malicious software attacks, requiring secure Tactile Internet access. The remote surgery application establishes a secure user authentication protocol, which allows authorized and registered surgeons to authenticate each other and to generate a shared secure session key for secure and reliable communications with others. Figure 1 illustrates a simple model of a Tactile Internet remote surgery application. A hospital operating room includes robotic arms with tactile sensors and actuators; gateways, such as access points (APs); and patients to be operated on. A remote surgeon controls the robotic arm using instructions provided by a mobile device (or multiple mobile devices) and receives the results of the operation on the screen. All devices must be registered with a trusted institution (TA).

Related Works
The Tactile Internet can allow doctors to perform accurate, remote surgery more urgently than ever before. The transmission of the data would require the surgical manipulator to move the scalpel with a delay of less than 1 ms to allow the scalpel to move in the correct direction. To obtain the real-time status of the patient, high-resolution organ images and medical equipment data must also be sent back to doctors within 1 ms. Recently, many authenticated key agreement approaches have been developed for remote medical systems. For example, in 2018, Amin et al. [5] proposed a robust and anonymous patient monitoring system based on wireless medical sensor networks to provide secure access to patient data in WMSN environments. In the same year, Wu et al. [6] developed a

Related Works
The Tactile Internet can allow doctors to perform accurate, remote surgery more urgently than ever before. The transmission of the data would require the surgical manipulator to move the scalpel with a delay of less than 1 ms to allow the scalpel to move in the correct direction. To obtain the real-time status of the patient, high-resolution organ images and medical equipment data must also be sent back to doctors within 1 ms. Recently, many authenticated key agreement approaches have been developed for remote medical systems. For example, in 2018, Amin et al. [5] proposed a robust and anonymous patient monitoring system based on wireless medical sensor networks to provide secure access to patient data in WMSN environments. In the same year, Wu et al. [6] developed a lightweight and robust authentication scheme for personalized healthcare systems using wireless medical sensor networks and demonstrated that their scheme meets common security requirements and prevents attackers from tracking users. Using wireless medical sensor networks, Chandrakar [7] presented a secure remote user authentication protocol for healthcare monitoring that provides privacy, data security, and user authentication to access real-time health information over an insecure channel. Kaur et al. [8] presented a protocol in 2020 that provides the surgeon, robotic arm, and trusted authority (TA) with secure communications, leveraging the advantages of elliptic curve cryptography (ECC) and biometrics. In 2020, Nykvist et al. [9] developed and implemented a lightweight, portable IDS over wireless networks and evaluated throughput, power consumption, and response time. In 2021, Bolton et al. [10] discussed and considered potential data security and privacy issues that may arise when large amounts of data are processed and stored in the cloud. Additional research on the use of the Tactile Internet in remote surgery [8,11,12] provides important background information about the use of the Tactile Internet in remote surgery. For example, Wazid et al. [12] presented a generalized authentication model that can be used to perform authentication among communicating parties to ensure secure remote surgery in the TI environment. In 2021, Kamil et al. [11] proposed an authentication and key agreement (AKA) scheme for a Tactile Internet remote surgery application using lightweight cryptographic operations, such as the one-way hash function and bitwise exclusive OR (XOR), making the scheme ultra-lightweight and suitable for the Tactile Internet environment. However, the proposed scheme directly encrypts communication messages with the constant secret keys of the remote surgeon and the long-life secret key of the robotic arm, directly storing secret keys of the robotic arm in the gateway database; therefore, the scheme cannot resist robotic arm compromise attacks and stolen verifier attacks. Additionally, the scheme proposed by Kamil et al. misuses exclusive OR operations, preventing its correct execution.

Our Motivation
Many AKA schemes have been recently developed for a Tactile Internet for remote surgery. However, most of these schemes are subject to limitations in terms of security and efficiency. Performance improvement and security considerations are two major factors associated with the Tactile Internet because inappropriate and insecure authentication key agreements for the Tactile Internet may cause misjudgment and improper operation by medical staff, endangering the life of patients.

Our Contributions
In this investigation, we discuss the limitations of the scheme proposed by Kamil et al., including the failure to resist potential attacks and incorrect execution. In order to overcome these limitations, we investigation develop an enhanced authenticated key agreement scheme based on the scheme proposed by Kamil et al. for the Tactile Internet environment. The enhanced scheme adopts a one-time key to protect communication messages such that the adversary cannot derive valuable information from previous messages and protects secret keys of robotic arms with a secret gateway key. Thus, the enhanced scheme requires more computations and response time than the protocol proposed by Kamil et al. However, the enhanced scheme solves the previous limitations, provides improved functionality, and retains a low computational cost. The contributions of this study are summarized as follows.
1. In this investigation, we develop an efficient and secure authenticated key agreement scheme based on the scheme proposed by Kamil et al. for the Tactile Internet environment.
2. The enhanced scheme adopts a one-time key to protect communication messages and stores the secret keys of robotic arms, which are encrypted the secret gateway key, in the gateway database to overcome the limitations of the previous scheme.
3. Burrows-Abadi-Needham (BAN) logic provides mutual authentication and session key security through its authentication proof. The heuristic security analyses of the enhanced scheme are presented to verify other security requirements. 4. Compared with related schemes, the enhanced scheme avoids the limitations of pervious schemes, providing improved security properties and retaining low computational cost.

Organization of Paper
The rest of the paper is organized as follows. In Section 2, we introduce the scheme proposed by Kamil et al. and discuss its weaknesses. In Section 3, we introduce an enhanced authenticated key agreement scheme for the Tactile Internet environment. In Section 4, we analyze the security and performance of the enhanced scheme. Finally, in Section 5, we present our conclusions.

Preliminary
In this section, we review the authentication and key agreement scheme proposed by Kamil et al. and discuss its limitations. The notations used in this paper are elaborated in Table 1.

Review of the Scheme of Kamil et al.
In 2020, Kamil et al. [11] proposed an authentication and key agreement scheme using the Tactile Internet for remote surgery. Prior to the announcement, they discussed Tactile Internet technology in remote surgery, the potential of network architecture for the Internet of Thing (IoT), and the security issues of Tactile Internet technology in remote surgery.
The scheme proposed by Kamil et al. comprises four entities: a trusted authority (TA), remote surgeons, gateways, and robotic arms. Gateways act as system administrators and serve as central authentication points. Without BS, other entities would never be able to trust each other in the authentication and key agreement scheme. Kamil et al.'s scheme consists of the following phases: registration of the gateway and robotic arm, registration of the user, the authentication and key agreement phase, the password update phase, the addition of the dynamic robotic arm, and the revocation phase. Before placing the gateway and robot (or robotic arm) in the hospital operating room, they must register with the TA. These devices are generated and preloaded with secrets. The registration process is performed by the TA through the following steps.
Step 1: The trust authority (TA) first chooses a unique identity (RID TA ) and a one-way hash function operation ( h : {0, 1} * → Z * q ) for itself. Next, the TA chooses RID i and RID j as the identities of the gateway (G i ) and a robotic arm (RM j ), respectively, picks a secret (s ∈ Z * q ), and computes D i = h(s, RID TA , RID i ) and D j = h s, RID TA , RID j . Finally, the TA stores RID i , D i , RID j , D j and sends M 1 to G i through a secure channel.
Step 2: In this stage, when the remote surgeon wants to use the robotic arm for remote surgery, they first need to register with the TA. The process is as follows.
Step 1: The remote surgeon (S k ) first picks an identity (RID k ), a password (PW k ), and a random nonce (B k ) and computes D k = h(RID k , B k ) and HPW k = h(PW k , B k ). Next, S k sends M 3 to the TA using a secure channel.
Step 2: When the TA receives M 3 , the TA at first picks a random C and then computes After the TA stores (α, β, h(.)) into the memory of a mobile device, the TA sends the mobile device to the surgeon through a secure channel.
Step 3: Store (A 1 , A 2 , h(.)) in smart card. When S k receives the mobile device, S k uses a smart card to compute A 1 = h(PW k , RID k ) ⊕B k and A 2 = h(B k , HPW k , D k ). Next, S k stores A 1 and A 2 in the smart card.

User Login Phase
First, S k must input his/her identity or password into the mobile device in order to access the service of robotic arms for remote surgery. Upon successful verification, the mobile device sends a login request message to the gateway (G i ). The login process is as follows.
S k first inputs his identity (RID k ) and password (PW k ) and computes The mobile device checks whether A * 2 is the same as the A 2 . If so, the identity and password of the surgeon are verified by the smart card. Otherwise, the session is aborted.

Authentication and Key Agreement Phase
In this phase, in order to perform remote surgery in an emergency, the remote surgeon needs to use the robotic arm to perform remote surgery on the patient through the authorization of the gateway device. The mutual authentication and key agreement process of the scheme proposed by Kamil et al. is described as follows.
Step 1: The mobile device of the remote surgeon (S k ) first picks a random nonce (R k ) and a timestamp (TS 1 ) and computes Next, the remote surgeon sends a login request message (M 1 ) to G i .
Step 2: 3 to obtain the random number (R * k ) of the remote surgeon. Then, G i checks the freshness of the message by verifying whether TR 1 − TS 1 ≤ ∆T, where TR 1 is the time at which the message is received, TS 1 is the time at which it was sent, and ∆T is the transmission delay. If the timestamp is legal, G i computes A * 5 = h R * k , A * 3 , TS 1 to verify whether the A * 5 is the same as A 5 . If the verification is successful, the surgeon (S k ) is authenticated by G i . Then, G i chooses a random nonce (R i ) and a timestamp (TS 2 ) and computes Step 3: RM j → G i : M 3 = (A 10 , A 11 ) . Upon receiving the tuple (A 7 , A 8 , A 9 ), RM j computes R * i || R * * k ||TS 2 = A 8 ⊕ D j to obtain the random numbers R * i and R * * k , where R * i belongs to the gateway and R * * k belongs to the remote surgeon, and checks the freshness of the message by verifying whether TR 2 − TS 2 ≤ ∆T, where TR 2 , TS 2 , and ∆T are the time at which the message was sent, the arrival time of the message, and the transmission delay, respectively. If the freshness Finally, RM j verifies whether A * 9 is the same as A 9 . If verification is successful, the gateway is authenticated by RM j . Next, RM j chooses a random number (R j ) and a timestamp (TS 3 ) and computes the session key Step 4: to obtain the random number of RM j , using the random number of G i and timestamp TS 3 , and checks the freshness of the message by verifying whether TR 3 − TS 3 ≤ ∆T, where TR 3 , TS 3 , and ∆T are the time at which the message was sent, the arrival time of the message, and the transmission delay, respectively. If the freshness of the timestamp is legal, G i computes the session key Step 5: Verification of the remote surgeon. When S k receives M 4 , S k first computes R * i || R * * j || TS 4 = A 13 ⊕ R k using the random number (R k ) and then checks the freshness of the message by verifying whether TR 4 − TS 4 ≤ ∆T, where TR 4 , TS 4 , and ∆T are the time at which the message was sent, the arrival time of the message, and the transmission delay, respectively. If the timestamp is fresh, S k computes the session key If the verification is successful, G i and RM j are authenticated by S k .
The mutual authentication of the remote surgeon and the robotic arm requires the assistance of the gateway for remote authentication. Additionally, secure communication during remote surgery is achieved with the secret session key, Finally, the mobile device replaces α, A 1 , and A 2 , with α new , A new 1 , and A new 2 , respectively.

Dynamic Robotic Arm Addition Phase
After placing these robotic arms in the operation room, additional robots may be required for improved service delivery. The following steps are required.
The TA first chooses a new identity (RID + j ) and computes D + j = h(s, RID TA , RID + j ). The TA stores (RID + j , D + j ) in the memory of the new robotic arm and sends the tuple to the gateway (G i ) through a secure channel. When G i receives the tuple (RID + j , D + j ), G i stores it in its repository.

Revocation Phase
When the remote surgeon's mobile device is stolen by an attacker, the attacker can reuse the data from the mobile device, thus impersonating the legitimate doctor. The same method is applied to the robot arm; the attacker can analyze the sensitive information in the robotic arm and compute the session key to execute an attack. In addition, attackers can swap out a robotic arm with a cloned robotic arm, which can lead to life-threatening conditions in patients who require medical attention. The proposed scheme involves two revocation processes: revocation of compromised mobile devices and revocation of compromised robotic arms.
1. Revocation of Smart Card: Steps can be taken to prevent compromised mobile devices from gaining access to the network. The TA first chooses a new identity (RID new i ) and computes D new and stores it in its database.
2. Revocation of Robotic Arm: Suppose RID j is the identity of the malicious or compromised robot. In order to prevent the malicious or damaged robotic arm from being verified by the remote surgeon and accessing the network, the following steps are performed in order to log off the manipulator. The TA computes Π = RID j || D j ) ⊕ h(RID i , D i and sends Π, rev req to G i , where rev req is the revocation request. When G i receives the tuple Π, rev req , G i computes RID j D j = Π ⊕ h(RID i , D i ). Finally, G i deletes the tuple (RID i , D i ) from its database.
1 ) and A 6 = R k || A 5 ⊕ A 3 and send out a service request ( M 1 = ( A 4 , A 5 , A 6 , TS 1 )) to impersonate S k , where R k is a nonce selected by A, and TS 1 is the current timestamp.
Upon receiving M 4 = (A 8 , A 12 , A 13 ) form G i , A can compute R * i || R * * j || TS 4 = A 13 ⊕ R k and the session key (K 3 = h(R * i , R * * j , R k )) shared with G i and RM j and successfully impersonate the surgeon (S k ). Therefore, the scheme proposed by Kamil et al. fails to resist robotic arm compromise attacks.
2. Scenario II: Impersonation of a gateway. According to the analyses of Scenario I, the attacker (A) can easily derive A 3 (= h(C, D i )), the random secret (C) from previous communication messages. Upon receiving M 1 = (A 4 , A 5 , A 6 , TS 1 ) from S k , A computes h(RID i , D i ) = A 4 ⊕ C ⊕ TS 1 and R * k || A 5 = Then, A chooses a nonce ( R i ) and picks the current timestamp ( TS 2 ) and then computes Upon receiving M 3 = (A 10 , A 11 ), A computes R * j || TS 3 = A 11 ⊕ R i and the session key where TS 4 is the current timestamp. A successfully impersonates the gateway (G i ); therefore, the scheme proposed by Kamil et al. fails to resist robotic arm compromise attacks.
3. Scenario III: Violation of session key security.
According to the analyses of Scenario I, the attacker (A) can easily derive A 3 (= h(C, D i )), the random secret (C) from previous communication messages. First, A impersonate S k to compute A 4 = β ⊕ TS * 1 , A 5 = h( R k , A 3 , TS 1 ), and A 6 = R k || A 5 ⊕ A 3 , and to send a service request ( M 1 = ( A 4 , A 5 , A 6 , TS 1 )) to G i , where R k is a nonce selected by A, and TS 1 is the current timestamp.
Then, A eavesdrops on communications between G i and another robotic arm (RM j ) and obtains M 2 = (A 7 , A 8 , A 9 ) and M 3 = (A 10 , A 11 ), where RID j is the identity of RM j , D j is the secret key of RM j , . Although the attacker (A) does not have RM j 's identity (RID j ), A can still monitor other communications between S k , G i , and some robotic arms (RM * j ). A computes (R 1 R 2 ||TS 2 ) = (A 8 ⊕ D j ) and verifies whether TS 2 is a current timestamp. If successful, A makes sure that RM * j is RM j and R 1 is R i from G i and that R 2 is R k from S k . Then, A computes (R i ||R j ||TS 4 ) = A 13 ⊕ R k . Accordingly, A can obtain the session key (K = h R i , R k , R j ) of S k , G i , and RM j to decrypt communication messages between S k , G i , and RM j to perform man-in-the-middle attacks and modification attacks and to trace RM j .

Failure to Resist Stolen Verifier Attacks
In the register phase of the scheme proposed by Kamil et al., the gateway (G i ) stores RID j and D j for each robotic arm (RM j ). An attacker who has stolen the verifier table can impersonate the robotic arm (RM j ), as it obtains the secrets (RID j , D j ) of RM j and has the same ability as RM j .

Failure to Execute Correctly
In the scheme proposed by Kamil et al., the surgeon (S k ) cannot correctly compute 1 ), S k cannot directly execute an exclusive OR operation of (R k A 5 ) and A 3 . Similar problems also occur in that G i cannot correctly compute Step 3, and G i cannot correctly compute A 13 = R i ||R * j ||TS 4 ⊕ R * k in Step 4.

Enhanced Authenticated Key Agreement Scheme for Tactile Internet Environment
In this section, we develop an enhanced AKA scheme based on the AKA scheme proposed by Kamil et al. for the Tactile Internet environment. In order to overcome the limitations of the AKA scheme proposed by Kamil et al., the enhanced scheme adopts a one-time key to protect communication messages such that an attacker who captures the robotic arm cannot derive valuable information from previous messages to perform impersonation attacks. To avoid stolen verifier attacks, G i does not directly store the secret Sensors 2022, 22, 7941 9 of 18 key (D j ) of RM j in its database and protects D j with the secret key (D i ) of G i . Even if the attacker steals the verification table, he/she still cannot obtain the secret key (D j ) of RM j to successfully impersonate RM j .
A number of phases are involved in the enhanced scheme, including registration of gateways and robotic arms, registration of remote surgeons, login of remote surgeons, authentication and key agreement, updating of passwords, adding dynamic robotic arms, and revocation. Because the password updating phase, dynamic robotic arm addition phase, and revocation phase of the enhanced scheme are similar to the scheme proposed by Kamil et al., they are not discussed here. Below, we provide a detailed description of the gateway and robotic arm registration phase, the remote surgeon registration phase, the remote surgeon login phase, the authentication phase, and the key agreement phase. Figure 2 shows a flow chart of the enhanced scheme.

Registration Phase of Gateway and Robotic Arms
This phase provides the registration process for the gateway and robotic arms with the TA, as shown in Figure 3. The registration process is as follows.

Registration Phase of Gateway and Robotic Arms
This phase provides the registration process for the gateway and robotic arms with the TA, as shown in Figure 3. The registration process is as follows.
Step 1: The trust authority (TA) at first chooses a unique identity (RID TA ) and a one-way hash function operation ( h : {0, 1} * → Z * q ). Next, the TA chooses RID i and RID j as the identities of the gateway (G i ) and the robotic arm (RM j ), respectively, picks a secret (s ∈ Z * q ), and computes D i = h(s, RID TA , RID i ) and D j = h s, RID TA , RID j . Finally, the TA stores RID i , D i , RID j , D j and sends M 1 to G i through a secure channel.

User Registration Phase
In this phase, the remote surgeon (S k ) registers with the trusted authority (TA). Each surgeon (S k ) has a smart card with the information of the surgeon. The registration process of the remote surgeon is shown in Figure 4.

User Registration Phase
In this phase, the remote surgeon ( ) registers with the trusted authority ( ). Each surgeon ( ) has a smart card with the information of the surgeon. The registration process of the remote surgeon is shown in Figure 4. Step 1: ). The remote surgeon ( ) first picks his/her own identity ( ), password ( ), and a random number and computes = ℎ( , ) and = ℎ( , ). Finally, sends 1 to the through a secure channel.

Login, Authentication, and Session Key Agreement Phase
In order to perform remote operations in case of an emergency, the remote surgeon Step 1: S k ⇒ TA : M 1 = (RID k , D k , HPW k ) . The remote surgeon (S k ) first picks his/her own identity (RID k ), password (PW k ), and a random number B k and computes D k = h(RID k , B k ) and HPW k = h(PW k , B k ). Finally, S k sends M 1 to the TA through a secure channel.
After receiving M 1 , the TA first picks a random identity (TID k ) and computes α = h(TID k , D i ) ⊕ h(D k , HPW k ). Then, the TA stores (α, TID k ) in the memory of a mobile device and sends it to S k through a secure channel. Upon receiving the mobile device, S k computes A 1 = h(PW k , RID k ) ⊕ B k and the verification message, V M 1 = h(B k , HPW k , D k ). Then, S k stores A 1 , V M 1 , TID k , and α in the smart card.

Login, Authentication, and Session Key Agreement Phase
In order to perform remote operations in case of an emergency, the remote surgeon (S k ) needs to log in to a smart card and send a verification message to access the gateway (G i ). The gateway (G i ) sends a verification message to the robot after the remote surgeon has been identified. The robot passes the authentication message to the remote surgeon via the gateway. Finally, the gateway, remote coverage, and robotic arm establish a session key for the current login session. The authentication and key agreement of the proposed protocol is shown in Figure 5, and the details are summarized below.
Step 1: The remote surgeon (S k ) inputs his/her RID k and PW k into the mobile device; then, mobile device computes B k = A 1 ⊕ h(RID k , PW k ) to obtain the random number (B k ) and If successful, the mobile device picks the current timestamp (TS 1 ) and a random number (R k ) and computes A 2 = α ⊕ h(D k , HPW k ) and A 3 = h(A 2 , HPW k ) ⊕ R k and verification the message, V M 2 = h(R k , A 2 , TS 1 ). Finally, S k sends M 1 to the gateway (G i ).
Step 2: If successful, G i picks a random number (R i ) and the current timestamp (TS 2 ) and computes D j = h(RID j D i ) ⊕ CD j to obtain the D j of RM j , then computes where D j is the secret of the robotic arm, and TS 2 ensures the freshness of messages.
Step 3: After receiving M 2 from G i , RM j checks whether the timestamp (TR 2 − TS 2 ) is less than ∆T. If successful, RM j computes R * i = A 4 ⊕ h D j , TS 2 , 0 , R * * k = A 5 ⊕ h D j , TS 2 , 1 , and V M * 3 = h RID j , D j , TID k , R * i TS 2 to verify V M * 3 =?V M 3 . If successful, RM j picks a random number (R j ) and the current timestamp (TS 3 ) and computes the session key ). Then, RM j sends M 3 to G i .
Step 4: G i → S k : M 4 = (A 7 , A 8 , A 9 , V M 5 , TS 4 ) . When G i receives M 1 , G i checks whether the timestamp (TR 3 − TS 3 ) is less than ∆T. If successful, , and the verification message (V M * 4 = h(R i , R * j , K 2 , RID j , D j , TS 3 )) to verify V M * 4 =?V M 4 . If successful, G i picks the current timestamp (TS 4 ) and computes Step 5: Update TID k and α in S k . After S k receives M 4 , S k checks whether the timestamp (TR 4 − TS 4 ) is less than ∆T. If successful, S k computes R * i = h(A * 2 , TS 4 , 0) ⊕ A 7 and R * * j = h(A * 2 , TS 4 , 1) ⊕ A 8 to obtain the random number (R * i ) of G i and the random number (R * * j ) of RM j . Next, S k computes the session key (

Security and Performance Analysis
An analysis and comparison of the performance and security of the enhanced s are provided in this section.

Security and Performance Analysis
An analysis and comparison of the performance and security of the enhanced scheme are provided in this section.

Authentication Proof of the Proposed Scheme Using BAN Logic
BAN logic [13] is used in this subsection to verify that the proposed scheme satisfies the session key security and mutual authentication requirements. Table 2 lists the notations of BAN logic. Table 2. BAN logic notations and respective abbreviations [13].

Notation Abbreviation
P | ≡ X Entity P believes statement X P =⇒ X P has jurisdiction over statement X P | ∼ X P once said X P X P sees X X K Formula X is encrypted by key K P K ↔ Q P and Q communicate via shared key K P → Q : m P sends the message (m), and Q receives it #X Message #X is freshly generated

Inference Rules of BAN Logic
Below, we present a list of the rules and logical postulates of BAN logic [13].

Rule 1.
P|≡P K ↔ Q, P X K P|≡Q| ∼X : If entity P believes that secret K is shared with Q and sees message X is encrypted using K, then P believes that Q once said X.

Rule 2.
P|≡#(X), P|≡Q| ∼X P|≡Q|≡X : If entity P believes that X is fresh and entity Q once said X, then P believes that Q believes X.

Rule 3.
P| ≡Q=⇒X, P |≡Q|≡X P|≡X : If entity P believes that Q has jurisdiction over X and Q believes X, then P believes that X is true. : If entity P believes that X is fresh and Q believes X, then P believes secret K that is shared between entities P and Q.

Rule 5.
P|≡#(X) P|≡#(X, Y) : If entity P believes that X is fresh, then P believes in the freshness of (X, Y).

Goals of Authentication and Key Agreement
In this subsection, we demonstrate that the proposed scheme satisfies the following goals to ensure its security according to the above assumptions and postulates.
Goal 1: G i |≡ S k | ≡ G i

Assumptions
According to the following assumptions, in this subsection, we prove that the proposed scheme satisfies the security properties.

Verification
Based on the above assumptions and the logic of BAN, the following confirms the correctness of the proposed scheme. By using Message M 1 , From Rule 1 and AS 3 , From Rule 2 and AS 1 , Then, from Rule 3 and AS 11 , According to Rule 4, AS 1 and V 2 , V 4 : G i |≡ G i K ↔ S k . Further, using Rule 2, AS 1 and V 1 , From Rule 2 and AS 2 and V 6 , V 7 : G i |≡ RM j |≡ R j . From Rule 3 and AS 12 , According to Rule 4, AS 2 and V 7 ,

Goal 6
The proof is concluded.

Security Analysis
The security requirements of the enhanced scheme are discussed in this subsection. The enhances scheme uses the properties of the scheme proposed by Kamil et al. [9]. The arguments of some security requirements, including provision of strong anonymity; session key establishment; perfect forward secrecy; and resistance to replay attacks, impersonation attacks, offline user login credentials guessing attacks, insider attacks, mobile device loss attacks, and denial of service attacks, are similar to those in the scheme proposed by Kamil et al. and are therefore not discussed here. These security requirements include resistance to robotic arm compromise attacks and resistance to stolen verifier table attacks, as described below.
Goal 6 The proof is concluded.

Security Analysis
The security requirements of the enhanced scheme are discussed in this subsection. The enhances scheme uses the properties of the scheme proposed by Kamil et al. [9]. The arguments of some security requirements, including provision of strong anonymity; session key establishment; perfect forward secrecy; and resistance to replay attacks, impersonation attacks, offline user login credentials guessing attacks, insider attacks, mobile device loss attacks, and denial of service attacks, are similar to those in the scheme proposed by Kamil et al. and are therefore not discussed here. These security requirements include resistance to robotic arm compromise attacks and resistance to stolen verifier table attacks, as described below.

Resistance to Robotic Arm Compromise Attacks
In the enhanced scheme, even if the attacker compromises the robotic arm (RM j ) and obtains (RID j , D j ) from RM j , the attacker cannot indirectly obtain information about remote surgeons and the gateway (G i ). Additionally, because the (RID j , D j ) of each robotic arm is independent, as destroying a robotic arm, the attacker can communicate with S k , but it does not affect the security of S k 's communication with other robotic arms. The same is true for the gateway. Therefore, the proposed scheme is resilient against robot compromise attack.

Resistance to Stolen Verifier Attacks
In the enhanced scheme, the gateway (G i ) stores (RID j , CD j ) instead of (RID j , D j ), where CD j = D j ⊕ h(RID j D i ), D j is the secret key of RM j , and D i is the secret key of G i . The verifier table does not contain G i 's secret key (D i ). Then, an attacker who has stolen the verifier table cannot derive D j from (RID j , CD j ) without D i , and it is difficult to impersonate RM j . Therefore, the enhanced scheme is resilient against stolen verifier table attacks. Table 3 compares the enhanced AKA scheme with related AKA schemes in term of security functionality. The enhanced AKA scheme provides more security requirements than related AKA schemes and is secure against potential attacks. Furthermore, it can resist robotic arm compromise attacks and stolen verifier table attacks.  Table 4 shows comparisons between the enhanced AKA scheme and related AKA schemes in terms of computational cost, where T h denotes the execution time of a one-way hash function, T e denotes the execution time of a point multiplication based on ECC, and T f denotes the execution time of a fuzzy extractor. The experiment is run on an Intel CPU i3-3220 3.3 Ghz, RAM 4096 MB, Windows 7 Professional 64-bit, Eclipse Java Mars and Java SE 1.8. The hash function uses SHA-1, the point multiplication is based on ECC with a 16-bit key, and the fuzzy extractor refers to [11,17].

Performance Comparisons
The scheme proposed by Kamil et al. [11] requires 20 hash operations, the scheme proposed by Amin et al. [5] requires 37 hash operations, the scheme proposed by Wu et al. [6] requires 34 hash operations, the scheme proposed by Chandrakar [7] requires 29 hash operations, the scheme proposed by Guo et al. [14] requires 36 hash operations, and our enhanced scheme requires 35 hash operations. The scheme proposed by Soni et al. [15] requires 31 hash operations, 6 point multiplications based on ECC, and 11 fuzzy extractor operations. The scheme proposed by Li et al. [16] requires 20 hash operations and 8 point multiplications based on ECC. Both these schemes ( [15,16]) require time-consuming point multiplications based on ECC. The enhanced AKA scheme adopts a one-time key to protect communication messages and protects the verifier table with the G i 's secret key, so it requires more computations and response time than the AKA protocol proposed by Kamil et al. However, the enhanced AKA scheme addresses the limitations of the scheme proposed by Kamil et al., providing improved functionality while retaining a low computational cost. Table 4. Computation cost comparison.

Conclusions
In this paper, we addressed the limitations of the AKA scheme proposed by Kamil et al. for a Tactile Internet environment, including failure to resist robotic arm compromise attacks, failure to resist stolen verifier attacks, and failure to execute correctly. In order to address these limitations, an enhanced AKA scheme based the scheme proposed by Kamil et al. was developed by adopting a one-time key to protect communication messages and protecting the verifier table with a gateway secret key. Although the enhanced scheme requires more computations than the AKA protocol proposed by Kamil et al. it retains a low computational cost and provides more security features. Therefore, the enhanced AKA scheme is suitable for the Tactile Internet environment.