A Novel Key Distribution for Mobile Patient Authentication Inspired by the Federated Learning Concept and Based on the Diffie–Hellman Elliptic Curve

AbuAlghanam, Orieb; Alazzam, Hadeel; Almobaideen, Wesam; Saadeh, Maha; Saadeh, Heba

doi:10.3390/s25082357

Open AccessArticle

A Novel Key Distribution for Mobile Patient Authentication Inspired by the Federated Learning Concept and Based on the Diffie–Hellman Elliptic Curve

by

Orieb AbuAlghanam

^1,*

,

Hadeel Alazzam

²

,

Wesam Almobaideen

^1,3

,

Maha Saadeh

⁴

and

Heba Saadeh

¹

Department of Computer Science, The University of Jordan, Amman 77110, Jordan

²

Department of Information Technology, Yarmouk University, Irbid 21110, Jordan

³

Department of Electrical Engineering and Computing Sciences, Rochester Institute of Technology, Dubai P.O. Box 341055, United Arab Emirates

⁴

Department of Computer Engineering and Informatics, Middlesex University Dubai, Dubai P.O. Box 500697, United Arab Emirates

^*

Author to whom correspondence should be addressed.

Sensors 2025, 25(8), 2357; https://doi.org/10.3390/s25082357

Submission received: 21 February 2025 / Revised: 27 March 2025 / Accepted: 2 April 2025 / Published: 8 April 2025

(This article belongs to the Section Communications)

Download

Browse Figures

Versions Notes

Abstract

:

Ensuring secure communication for mobile patients in e-healthcare requires an efficient and robust key distribution mechanism. This study introduces a novel hierarchical key distribution architecture inspired by federated learning (FL), enabling seamless authentication for patients moving across different healthcare centers. Unlike existing approaches, the proposed system allows a central healthcare authority to share global security parameters with subordinate units, which then combine these with their own local parameters to generate and distribute symmetric keys to mobile patients. This FL-inspired method ensures that patients only need to store a single key, significantly reducing storage overhead while maintaining security. The architecture was rigorously evaluated using SPAN-AVISPA for formal security verification and BAN logic for authentication protocol analysis. Performance metrics—including storage, computation, and communication costs—were assessed, demonstrating that the system minimizes the computational load and reduces the number of exchanged messages during authentication compared to traditional methods. By leveraging FL principles, the solution enhances scalability and efficiency, particularly in dynamic healthcare environments where patients frequently switch between facilities. This work bridges a critical gap in e-healthcare security, offering a lightweight, scalable, and secure key distribution framework tailored for mobile patient authentication.

Keywords:

authentication; AVISPA; BAN logic; e-healthcare system; federated learning (FL)

1. Introduction

In the age of interconnected healthcare systems, the Internet of Medical Things (IoMT) has emerged as a transformative force, revolutionizing the way healthcare data are collected, analyzed, and used [1]. From wearable devices that monitor vital signs to smart implants that transmit real-time health information, IoMT has ushered in an era of unprecedented medical data generation [2]. However, with this abundance of data comes a pressing need for robust security and authentication mechanisms to ensure the integrity and privacy of patient information.

The benefits of IoMT are indeed profound. It enables remote patient monitoring, facilitating the continuous collection of health data outside traditional clinical settings [3]. This empowers healthcare providers to offer personalized and proactive care, detect health problems early, and make data-driven decisions, ultimately improving patient outcomes. In addition, IoMT improves the efficiency of medical services, reducing the burden on healthcare facilities by enabling telemedicine, remote consultations, and even the possibility of timely interventions through predictive analytics [4].

At the same time, alongside these remarkable advantages, IoMT introduces a series of complex challenges. Security and privacy vulnerabilities are large as data flows between numerous devices, networks, and cloud platforms [5]. Unauthorized access to medical data poses serious risks, making robust authentication mechanisms paramount. Interoperability issues also arise as various devices and platforms must communicate and share data seamlessly while maintaining data integrity [6].

In this intricate landscape, the need for secure and efficient patient authentication mechanisms becomes increasingly evident. Ensuring that healthcare providers have access to the right patient’s data is not just a matter of convenience, but a fundamental requirement to provide safe and effective care [7]. Traditional methods of patient authentication, often relying on static identifiers such as usernames and passwords, are not suited to the dynamic and interconnected world of IoMT. They leave room for vulnerabilities and may hinder the full realization of IoMT’s potential [8].

Patient authentication within the IoMT ecosystem is a multifaceted challenge with far-reaching implications. It encompasses the methods and technologies used to verify the identity of patients and healthcare providers who access IoMT devices and the data they generate [9]. The fundamental goals of patient authentication in IoMT are twofold: to ensure the security and integrity of medical data and to protect patient privacy [10].

IoMT introduces unique challenges to patient authentication. The diverse array of devices, ranging from wearable sensors to implantable medical devices, requires authentication methods that can accommodate various form factors and communication protocols. These devices must seamlessly integrate into the broader healthcare infrastructure while ensuring the privacy and security of patient data [11].

Additionally, the real-time nature of IoMT data transmission necessitates authentication mechanisms that can operate swiftly and efficiently, without causing delays in medical data access or decision-making processes. Balancing security, speed, and usability is paramount in the IoMT environment [12].

One critical aspect of securing data transmitted within the IoMT ecosystem is the use of robust encryption techniques [10]. Encryption ensures that data are protected from unauthorized access while in transit. However, effective encryption relies on the secure distribution of encryption keys.

Key distribution in the context of IoMT involves the secure exchange and management of cryptographic keys between devices, users, and healthcare systems. These keys are essential for encrypting and decrypting data as they move between IoMT devices, ensuring that sensitive medical information remains confidential and tamper-proof during transmission.

Establishing a secure and efficient key distribution system is paramount for the overall data security within IoMT [13]. It involves addressing challenges such as key management, key generation, and key revocation, while ensuring that patient authentication seamlessly integrates with the encryption process [14].

Federated Learning (FL) is a collaborative, decentralized, and distributed iterative procedure in which individuals work together to train machine learning models while protecting the confidentiality of their personal data [15]. This approach is exemplified by its implementation in Google Gboard [16]. Rather than transmitting raw data, terminal devices (clients) locally process their information and then forward only the modifications to a central system (server). Subsequently, the server compiles and aggregates the modifications from all clients to generate an updated global model, which is then redistributed to the clients [17]. This iterative process persists until an optimal global model is achieved allowing for continuous improvement of the global model without exposing sensitive data to a centralized entity, making federated learning a promising technique for training machine learning models in privacy-sensitive scenarios [18]. FL has applications in various domains, such as healthcare, finance, Internet of Things (IoT), and edge computing, where data privacy, network bandwidth limitations, or regulatory constraints make centralized training impractical or undesirable [19,20].

A privacy-preserving domain refers to an area or context where techniques, methods, or systems are employed to protect and maintain the privacy of individuals’ sensitive information. In such a domain, measures are taken to ensure that personal data are securely handled and are used in a way that minimizes the risk of unauthorized access, disclosure, or misuse [21,22]. This can be achieved using different approaches such as data anonymization, encryption, differential privacy, access controls, secure multi-party computation (SMPC), and FL [23].

The process of FL passes through different steps as illustrates in Figure 1. It begins with the Initialization Phase, where a central server initializes a global model and distributes it to participating devices or servers. In the subsequent local model training phase, each device trains the model independently using its local data, safeguarding the raw data’s privacy [24]. The updated models’ parameters are then transmitted back to the central server during the model aggregation phase, where they are combined from all participating devices or servers [25]. Following this, the central server performs a model update, incorporating the aggregated parameters into the global model. The updated global model is subsequently sent back to the participating devices, commencing the next round of local training [26,27]. This iterative process, including local training, model aggregation, and model updates, continues until the desired level of model performance is achieved or convergence is reached [15,27,28].

1.1. Challenges to Ensuring Authentication and Confidentiality in Healthcare

Securing healthcare systems is a critical endeavor, but it comes with several challenges such as data privacy, cybersecurity threats, interoperability, mobile and IoT devices, human errors, legacy systems, resource constraints, emerging technologies, patient mobility, and regulatory compliance [29].

Ensuring security in various applications, particularly in healthcare systems, has become a prominent area of research. This entails addressing multiple security facets, including confidentiality, authentication, and privacy. Preserving patient privacy is of the utmost importance. Establishing a secure connection through data encryption between the sender and receiver is crucial. Moreover, accommodating patient mobility is a significant consideration [30,31].

In this paper, we will focus on three challenges: patient mobility, privacy, and resource constraints.

1.2. Contributions

Proposing a hierarchical key distribution architecture in the context of an e-healthcare system to enhance the security and privacy of patients based on FL.
Proposing a novel key distribution protocol based on FL to exchange the local and global model between the root public key generator $R o o t_{P K G}$ and sub-public key generator $S u b_{P K G}$ .
Designing a lightweight key establishing approach between $S u b_{P K G}$ and mobile patient using Diffie–Hellman elliptic curve algorithm.
Providing patient authentication using a private key and several secure parameters also providing identity preservation using the concept of a local model for each $S u b_{P K G}$ .
Enhancing the performance for the mobile node in terms of the number of exchange messages [32].

Our work primarily follows a scientific approach, as it focuses on enhancing the security and privacy of patients by proposing a hierarchical key distribution architecture in the context of an e-healthcare system with simulation and formal security proofs.

2. Related Work

This section provides a summary of the authentication techniques discussed in the literature, as illustrated in Table 1. It highlights key methodologies, their effectiveness, and the contexts in which they are applied. Additionally, a comparative analysis is presented to examine the authentication techniques and the environments for which they are designed.

Table 2 provides a comparative analysis of different healthcare systems discussed in the literature. The comparisons have been performed using various architectures, security goals, verification methods, and performance aspects, offering insights into their strengths and limitations.

Many authentication techniques have been used in the literature. For instance, the authors of [33] employ fingerprint recognition as a biometric modality and extract specific features to create a shared cryptographic key. Their proposed methodology includes three phases: System Initialization, Patient Registration, and Mutual Authentication with Session Key Agreement. The System Initialization Phase involves two key steps: extracting a cancelable biometric template and generating system parameters. The authors of [34] propose a lightweight and robust authentication scheme utilizing a simple hash cryptographic function, with public–private key pairs designed specifically for IoMT devices. They utilize formal analysis techniques like BAN logic and ProVerif2.02, in conjunction with informal pragmatic illustration, to validate the effectiveness of their proposed protocol. Moreover, the study conducts a performance analysis to showcase the delicate balance achieved between security and efficiency, an aspect frequently overlooked in existing solutions.

Another study that uses biometric data for patient authentication is [35]. The authors propose a framework that integrates wearable sensors to monitor vital signs and authenticate patients using biometric data alongside traditional credentials, secured by the SHA-512 algorithm. Sensor data transmission to the cloud is encrypted with the Substitution-Ceaser cipher and improved Elliptical Curve Cryptography (IECC), with enhanced security from an additional secret key. Despite increased complexity, the approach remains computationally efficient, with encryption and decryption times of 1.032

μ

and 1.004

μ

, respectively, and performance analysis shows strong algorithm reliability compared to RSA and ECC.

The authors of [36] introduce a lightweight anonymous mutual authentication and key agreement scheme for Wireless Body Area Networks (WBANs). This scheme relies solely on hash function operations and XOR operations. The authors employ the automatic security verification tool ProVerif to verify the security properties of their scheme, complemented by informal security analysis. Furthermore, they conduct a comparative analysis of their proposed scheme against several related works. The results demonstrate that their scheme either offers superior advantages in terms of computation cost, energy consumption, and communication cost, or presents lower security risks compared to existing approaches.

Alzahrani et al. [37] present a review of the patient healthcare monitoring and authentication protocol designed for Wireless Body Area Network (WBAN) environments proposed by Xu et al. in [36]. While Xu et al.’s scheme demonstrates efficiency in terms of computation by employing lightweight operations, the conducted analysis uncovers several security loopholes. It is revealed that Xu et al.’s protocol is susceptible to various threats, including replay attacks, key compromise impersonation (KCI) attacks, and privacy concerns. In response to these vulnerabilities, they propose a new authenticated key agreement protocol tailored for WBANs. The security properties of the improved protocol are formally verified and validated through BAN logic analysis and the ProVerif automated simulation tool.

Table 1. Mobile patient authentication in the literature.

Reference	Authentication Technique	Environment
[38]	Biometric+ECC	Mobile healthcare environments
[34]	Shared key	Wireless Medical Sensor Networks
[35]	ECC	IoT
[37]	Improved mutual authentication	Wireless Body Area Networks
[36]	Lightweight anonymous mutual authentication	Wireless Body Area Networks
[39]	Federated learning and blockchain	IoT healthcare
Our proposal	Federated learning and key distribution	IoT healthcare system

The authors of [38] propose a secure and lightweight remote patient authentication scheme tailored for mobile healthcare settings. Their approach translates patient biometric data into Elliptic Curve Cryptography (ECC)-based keys, enabling secure and cost-effective authentication without the need to store or transmit biometric templates. Moreover, the proposed approach provides mutual authentication with session key agreement and resists various types of attacks. Singh et al. in [39] explore the applications of federated learning in establishing a distributed secure environment within smart cities. In addition, they propose a secure architecture for privacy preserving in smart healthcare, utilizing blockchain and FL technologies. Blockchain-based IoT cloud platforms enhance security and privacy, while FL enables scalable machine learning applications, particularly in healthcare. Importantly, users can access well-trained machine learning models without compromising personal data through federated learning.

Table 2. Different healthcare systems in the literature.

Reference	Architecture	Security Goal	Verification Method	Performance Analysis
[40]	Cloud of things	Prevent Man-in-the-Middle (MITM)	Scyther	Anonymity, Authentication, Authorization, Accountability, Confidentiality, Integrity, Non-repudiation
[41]	IoT-based M-Health system	Signature, Encryption, and Signcryption	Mathematical proof	Computational Cost, Communication Cost
[42]	WBANs	Authentication	Mathematical proof	Storage Overhead, Computation Cost, Communication Cost
[43]	E-healthcare	Authentication	AVISPA and BAN logic	Storage Cost, Communication Cost, Computation Cost
Our proposal	IoT healthcare	Authentication, Confidentiality, and Privacy	AVISPA and BAN logic	Storage Cost, Communication Cost, Computation Cost

3. Proposed System

3.1. Architecture Overview

This section proposes a key distribution architecture inspired by FL, as illustrated in Figure 2. Additionally, Table 3 presents the abbreviations used in this paper. The architecture consists of Root PKG, several Sub-PKGs, and patients. In each Sub-PKG, there is a local model to keep the data for each patient who belongs to this party. In the Root PKG, there is a global model that handle all local models without having knowledge about the patients in each Sub-PKG. In this architecture, several challenges have been addressed, such as computational complexity, communication demands, and storage requirements for mobile patients. Additionally, it prioritizes the secure key distribution process to safeguard patient privacy, even in situations where patients change their positions, all while minimizing unnecessary complexity.

It can be noticed that the Root PKG has a global model that aims to distribute common parameters for all Sub-PKGs based on the received local models from Sub-PKGs. Moreover, each Sub-PKG authenticates the patient using a shared common key between them. Thus, any mobile patient moving to another Sub-PKG can be authenticated without asking the original Sub-PKG.

In this architecture, we will employ the concept of FL to design a lightweight protocol to provide a secure connection between the patient and the hospital. Thus, the patient can establish a shared key using Elliptic Curve Diffie–Hellman (ECDH) and can be authenticated by the other parts (Sub-PKGs). ECDH is a cryptographic key exchange and authentication protocol commonly used to establish a secure communication channel between two parties over an insecure network [44].

3.2. The Proposed Protocol Overview

The proposed protocol consists of three phases: the first phase, called the Initialization Phase, between

R o o t_{P K G}

and

S u b_{P K G}

. In the second phase, the patient registers for an official

S u b_{P K G}

. The third phase is the Mobile Patient Authentication Phase, which allows an easy way for any mobile patient node to access any

S u b_{P K G}

without returning to the old one. On the other hand, further details on Elliptic Curve Diffie–Hellman can be found in Appendix A.1. The following subsections discuss each phase in detail.

3.2.1. Initialization Phase Between $R o o t_{P K G}$ and $S u b_{P K G}$

During this phase, the

R o o t_{P K G}

initializes and distributes specific set of parameters for each

S u b_{P K G}

to assist them in creating their local models. After each

S u b_{P K G}

has finished building its local model, it sends its local model back to the Root PKG. The Root PKG, in turn, utilizes these local models to combine them into the ultimate model, often known as the global model. Figure 3 illustrates the process of the Initialization Phase, which consists of a two-step Initialization Phase and the model aggregation phase.

Each

S u b_{P K G}

has its own public key and private key, while the same applies to the

R o o t_{P K G}

.

R o o t_{P K G}

is considered as one trusted point for all other

S u b_{P K G}

s. Thus, for any further connection between any

S u b_{P K G}

s, they should exchange their digital signature which is represented in Equation (1):

D C {(S u b P K G i)}_{(r o o t, s u b_{i})} = \{\begin{matrix} E_{P r_{r o o t}, (P K_{s u b_{i}}, I D_{s u b}, T^{'})} \end{matrix}

(1)

The following steps conclude the details of each connection:

$R o o t_{P K G}$ initiates a request to send information about the whole system, which consists of all Sub-PKGs and patients. This information is essential for the Sub-PKGs to construct their local models while considering these parameters.
Root parameters are elliptic curve ranges for each Sub-PKG ( $ϵ$ ), ranges for group signature ( $η$ ), and root sign value ( $γ$ ).
The parameters are securely handled. Initially, ensuring nonrejection properties, the $R o o t_{P K G}$ encrypts these parameters using its private key, to ensure integrity and authentication. Subsequently, it encrypts them once more using the public key provided by the respective Sub-PKG to maintain confidentiality.
After each $S u b_{P K G}$ receives the parameters from the root and based on the number of patients that it needs to deal with, the $S u b_{P K G}$ determines the group signature $σ_{s i g}$ , Sub-PKG signing value $Υ$ , and identity for the group $I D_{g}$ . After that, the $S u b_{P K G}$ sends a local model via its private key and encapsulates via the root public key.
The root aggregates multiple local models from various Sub-PKGs, each equipped with its own set of parameters. This collective information is then used to construct the global model, ensuring a comprehensive consideration of all these individual parameters.

3.2.2. Patient Registration and Key Generation Phase

Figure 4 illustrates this phase; each patient is assigned to their respective

S u b_{P K G}

. They must agree on various parameters and establish a shared key. This shared key will then be utilized for future connections. The

S u b_{P K G}

needs to authenticate patients. When the patient asks for the

S u b_{P K G}

for the first time for registration to be part of a group, the patient must show the

S u b_{P K G}

acceptable credentials.

The

S u b_{P K G}

thoroughly reviews it and checks whether anything about the patient is suspicious. If the

S u b_{P K G}

is fully satisfied with the background verification, it accepts the patient’s request to be part of the group. The

S u b_{P K G}

and the patient create a shared key using ECDH as follows:

The $S u b_{P K G}$ selects generator G based on the range that was created by the $R o o t_{P K G}$ , prime number p, and selects a private number $d_{s u b}$ to determine the pubic key as $P s u b = G^{d_{s u b}} m o d p$ .
The patient selects the private key $d_{p a t i e n t}$ then determines its public key as $P p a t i e n t = G^{d_{p a t i e n t}} m o d p$ and sends the public key to the $S u b_{P K G}$ . Moreover, it determines the shared key as $S K = P s u b * d_{p a t i e n t}$ .
After the $S u b_{P K G}$ receives the patient’s public key it will determine the shared key as $S K = P p a t i e n t * d_{s u b}$ .

After the shared key has been established between the patient and the

S u b_{P K G}

, the

S u b_{P K G}

sends an encrypted message using the shared key that holds the group signature (

σ_{G S}

), the identity of the group (

I D_{g}

), the root sign (

γ

), and the Sub-PKG sign (

Υ

).

The patient computes their own signature after receiving the parameters from

S u b_{P K G}

using ECDSA Sign based on the following points:

Compute a message digest of the data you want to sign, often using a cryptographic hash function like SHA-256.
The patient computes the digest for the message that equals $σ_{s i g} + Υ + γ$ ; this will be as one block while $ϰ$ is unique for each patient.

$M e s s a g e = σ_{s i g} + Υ + γ + ϰ$

(2)
Generate a random number k in the range [1, n−1].
Compute the point ( $X_{1}$ , $Y_{1}$ ) = k*G.
Calculate r = $X_{1}$ mod n.
Calculate s = $\frac{H (M) + d_{p a t i e n t} * r}{K}$ mod n.
The patient ’s signature ( $P_{s i g}$ ) is (r + $ϰ$ ,s + $ϰ$ ).

3.2.3. Mobile Patient Authentication

Figure 5 illustrates the steps that are needed for any mobile patient that needs to change its location. The bottleneck in [32] is that if any mobile moves to a different Sub-PKG domain, it needs around nine messages to distribute a shared key, and the mobile node should ask the gateway. In this protocol, the patient has a signature and a group identity. Once the patient changes their location and wants to join another Sub-PKG domain, the following procedure is applied.

For verification, the Sub-PKG tries first to extract the patient secret value $ϰ$ as follows:

A mobile patient sends a request for $S u b_{P K G j}$ to obtain authentication and to be allowed to enter this domain.
To achieve confidentiality, the mobile patient encrypts its request via $S u b_{P K G j}$ ’s public key.
The request contains the patient signature, patient public key, group identity, hashed secret value, and nonce.
$S u b_{P K G j}$ extracts the $ϰ$ assuming that the Sub-PKG has initial values for each $σ_{s i g}, Υ, a n d γ$ that exist in the global model. $x = M - (σ_{s i g} + Υ + γ$ ) then checks this value by hashing it then compares it with the received digest. After that, it hashes the message using hash algorithm h = H(M).
$S u b_{P K G j}$ find the exact value of (r,s) after subtracting the patient’s secret value from each $ϰ$ .
Calculate the modular inverse of the signature proof $s 1 = s^{(- 1)} m o d n$ .
Recover the random point used during the signing: R’ = (h ∗ s1) ∗ G + (r ∗ s1) ∗ pubKey.
Take from R’ its x-coordinate: r’ = R’.x.
Calculate the signature validation result by comparing whether r’ == r.

4. Security Analysis

4.1. Security Proof Using AVISPA Tool

We conduct a comprehensive security verification using Automated Validation of Internet Security Protocols and Applications (AVISPA), which yields outcomes aligned with the protocol’s objectives. Initially scripted in CAS+, the protocol is subsequently translated into HLPSL code to scrutinize the integrity and confidentiality of crucial components such as keys, signatures, and confidential messages. As an illustration of our methodology, we instantiate three entities:

R o o t_{p k g}

,

S u b_{p k g}

, and the mobile patient. In the first phase, we focus on the authentication between

R o o t_{p k g}

and

S u b_{p k g}

as well as the secrecy of the local model of the

S u b_{p k g}

. The next two phases in the proposed protocol are the Patient Authentication Phase and the Patient Registration Phase. The results are simulated and indicate that the protocol is safe against attacks, see Appendix A.2.

4.2. BAN Logic

BAN logic [45,46] is used to formally verify the proposed protocol. BAN logic is a logic of authentication proposed by Burrows, Abadi, and Needham [45]. It uses inference rules and it is based on some initial assumptions to infer new facts that can lead to the aims being achieved. BAN logic has been used to analyze the security of authentication protocols against some of the most common attacks, like the Man-in-the-Middle attack, Intercept-and-Resend attack, and replay attack [47]. The proposed authentication protocol is verified using BAN logic, since it is useful to verify such protocols, which are based on fresh values and trust [48]. For further details regards BAN logic rules and notations, please refer to [45,49]. The full proof and analysis of the BAN logic are included in Appendix A.3.

4.3. Security Analysis Against Well-Known Attack

This section discussed the threat model and how the proposed scheme is secure against the most common attacks.

Brute Force Attack: The attacker cannot reveal the private keys or the symmetric keys in a reasonable time. The EC private key cannot be calculated from the EC public key since it is an Elliptic Curve Discrete Logarithm Problem (ECDLP) [49,50]. The session key SK is generated using the ECDH algorithm which is based on the use of an EC private key for either the patient node or the SubPKG. Breaking ECDH session keys requires solving ECDLP, which is infeasible with classical computers. Consequently, brute force attacks will fail.
Man-In-The Middle and Eavesdropping Attack: The attacker can intercept the communication between the patient’s node and the $S u b_{P K G}$ to read the data shared between these two entities; however, the attack will fail. In the Patient Authentication Phase, all messages are encrypted either using ECC to encrypt message 5.1 with the $S u b_{P K G}$ public key, or ECDH to encrypt messages 5.2 and 5.3 with the symmetric key SK. To decrypt the messages, the attacker should have the $S u b_{P K G}$ private key which is known only to the $S u b_{P K G}$ and the symmetric key SK which is known only to the patient node and the $S u b_{P K G}$ . Consequently, this attack will fail.
Replay Attack: The attacker will try to perform a replay attack by resending a valid message to the $S u b_{P K G}$ ; however, the $S u b_{P K G}$ can detect this attack. Replay attacks can be detected using nonce values. In the Patient Authentication Phase, whenever the patient node should be authenticated, a nonce N1 is generated at the node side and passed to the $S u b_{P K G}$ . Another nonce N2 is also generated at the $S u b_{P K G}$ side and passed to the node. By verifying the freshness of these nonce values, both the patient’s node and the $S u b_{P K G}$ can detect the replay attack. A similar approach is used to detect replay attacks in the Patient Registration Phase; when the signature is calculated, a nonce value is generated by the node and passed to the $S u b_{P K G}$ along with the signature. By verifying the freshness of the nonce value, the $S u b_{P K G}$ will make sure that the signature is newly generated; if not, a replay attack is detected due to nonce verification failure.
Signature Forgery Attack: The attacker tries to impersonate the patient’s node by forging the patient’s node signature; however, this attack will fail. In order to forge a signature, the attacker needs to know the group signature ( $σ_{G S}$ ), the identity of the group ( $I D_{g}$ ), the root sign ( $γ$ ), and the Sub-PKG sign ( $Υ$ ). These parameters are shared by the $S u b_{P K G}$ in an encrypted message during the Patient Registration Phase. The message is encrypted using a session key SK, which is known only to the patient node and the $S u b_{P K G}$ ; consequently, the attacker will not be able to know the parameters. In addition to these parameters, the attacker should know the patient node’s private key, which is known only to the node.
Unauthorized Access and Identity Theft: If the attacker gains access to a patient’s signature, they could impersonate a patient and access personal health information. To mitigate this threat, all communication messages between the patient’s node and the $S u b_{P K G}$ are encrypted. Consequently, the attacker will not be able to access the patient’s signature.

5. Experimental Results and Discussion

In this section, a deeper analysis of the proposed protocol’s complexity in terms of storage, computation, and communication cost is presented. Moreover, a comparison with other related works in terms of several performance metrics is conducted.

5.1. Storage Cost

The storage cost refers to the amount of memory required to store the parameters necessary for establishing a shared key for the mobile patient node. Furthermore, the incurred cost varies based on the specific type of parameter stored within the mobile node.

The Total Storage Cost (TSC) is measured in bits by using the default sizes for each of them. The size of the symmetric key is fixed to 128 bits, and the identifier and the group signatures are saved in 256 bits for the mobile patient node. The public key size is 256 bits assuming that NIST P-256 curve (secp256r1) has been used [51].

In the proposed architecture, we focus on reducing the memory cost of the mobile node in terms of the number of keys and the number of initial parameters that each node should have. The following equation shows the exact complexity for the mobile patient node.

Table 4 presents the size of each parameter that has been used in this paper. The digital signature that has been used in the proposed protocol is based on ECDSA and NIST P-256 curve where r and s have 32 bytes. Therefore, the digital signature’s size is 64 bytes, while the public key and the private key have 64 bytes. Unique Identifiers (UIDs: 16 bytes) are used to identify each patient node.

Elliptic Curve Diffie–Hellman (ECDH) is used, so the size of the shared key is 32 bytes. The root and patient signature have 64 bytes while there is 64 bytes for the patient’s secret value [52,53,54]. Table 5 presents the storage complexity for each node in our architecture. It can be seen that the main objective of the proposed protocol is to reduce the storage complexity of the patient node due to the fact that each

R o o t_{P K G}

and

S u b P K G

are considered powerful devices.

Table 6 presents a comparative study in terms of the memory storage costs required by the mobile nodes and different related protocols. The authors of [55] propose a new and improved group signature scheme base on federated learning. The main goal of their proposal is to reduce the commutation and computation cost to provide efficient privacy. In [56], a full dynamic secret sharing is proposed for federated learning. It can be noticed that our approach outperforms the others due to the fact that only one shared key is stored in the patient node. In [57], a Remote Authentication Method (RAM) with Autonomous Shared Keys (ASK) is introduced in the context of medical applications.

5.2. Computation Cost

The proposed scheme aims to authenticate the patient’s mobile node based on the computed patient signature. The computation cost analysis considers the patient signature generation cost

P_{s i g}

, which is generated once in the Patient Registration Phase and reused in the Patient Authentication Phase, and the patient signature verification cost which is performed by the

S u b_{P K G}

in the Patient Registration Phase and the Patient Authentication Phase. As discussed in Section 3.2.2, signature generation and verification are based on ECDSA. Table 7 presents the notations used to measure the computation cost.

ECDSA Analysis: The cost and efficiency of ECDSA schemes depend on the number of operations used in the methods. Let TM represent the computing time required for the modular multiplication operation, TA the computing time required for the modular addition operation, and TIN the computing time required for the modular inversion operation. TEM represents the computing time required for the elliptic curve multiplication operation. Finally, TEA is the computing time required for the elliptic curve addition operation. According to the literature [58,59], TA is much less than TM and can be negligible. Assuming that TM is the main operation, the computation cost of TIN, TEM, and TEA in terms of modular multiplication operation TM can be calculated as follows: TIN = 11.6 TM, TEM = 29 TM, and TEA = 0.12 TM [58,59,60].

According to the computation cost required for different operations discussed above, we can analyze the computation cost of the ECDSA signature generation and verification as follows: To generate the signature on the mobile patient node, ECDSA requires one modular multiplication operation, one elliptic curve multiplication operation, and one modular inversion operation which equals TM + TEM + TIN = 41.6 TM. To verify the signature on the

S u b_{P K G}

side, ECDSA requires two modular multiplication operations, two elliptic curve multiplication operations, one modular inversion operation, and one elliptic curve addition operation which equals 2TM + 2TEM + TIN + TEA = 71.72 TM. Note that, in our calculation, the modular addition operation is ignored as it is negligible [58,59].

Table 8 shows the computation cost compared with other signature-based authentication schemes from the literature. Note that n indicates whenever a node needs to be authenticated. The main advantage of our scheme is that even the signature generation cost is slightly higher than some related schemes; however, it is computed once on the mobile patient’s node. On the other hand, in the other schemes, the signature is generated every time a node/client should be authenticated.

5.3. Communication Cost

The communication cost in any network refers to the resources consumed during data transmission between devices or nodes [61]. In this paper, the number of exchanged messages required for any mobile patient node to be authenticated by its associated

S u b_{P K G}

is analyzed. Figure 6 illustrates the differences in communication costs across various protocols for the mobile patient node in terms of the total number of messages and the number of nodes that should work together in order to distribute the key. It can be noticed that our proposed method demonstrates a lower communication overhead compared to the other related proposals.

In [56], the highest number of messages is shown for distributing the key between two nodes. In [32], the proposed approach maintains a moderate balance between the number of messages and nodes, while [57] shows a noticeable increase in total messages, though the number of nodes remains controlled. In contrast, our proposal effectively reduces both message exchanges and node involvement, enhancing efficiency in mobile environments.

6. Conclusions

Maintaining privacy and security is vital in healthcare systems, especially those that support mobile patients who need to be authenticated and protected while on the move. This study investigated the integration of the concept inspired by federated learning and the hierarchical structure of public key generators used in layered healthcare systems to authenticate different mobile patients. Both the BAN logic and the SPAN-AVISPA tool were used to verify the validity of the proposed architecture and the performance of key distribution protocols designed based on it. In addition, the storage requirement and computation and communication costs of the mobile patient nodes were used to assess the performance of the proposed protocol. The effectiveness of the proposed key distribution protocol outperformed other similar protocols in terms of reducing computation and communication costs. In addition, it reduced the number of messages needed for an authentication protocol and the number of shared keys that must be exchanged and stored at each patient’s mobile node to only one key.

Author Contributions

O.A. and M.S.: Conceptualization, validation, methodology, writing—original draft preparation, software. H.A., W.A. and H.S.; methodology, validation, review and editing. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data are contained within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Appendix A

Appendix A.1. Elliptic Curve Diffie–Hellman

Elliptic Curve Diffie–Hellman (ECDH) is a cryptographic key exchange protocol that is widely used to establish a secure communication channel between two parties over an insecure network [44]. It is an extension of the original Diffie–Hellman key exchange protocol, leveraging the mathematical properties of elliptic curves to provide strong security with relatively small key sizes and efficient computations. ECDH is particularly important in modern cryptography as it forms the basis for secure communication in various applications, including secure messaging, secure web browsing (HTTPS), and more.

The elliptic curve process can be summarized by the following [62]:

Elliptic Curves: At the heart of ECDH is the use of elliptic curves over finite fields. An elliptic curve is a mathematical structure defined by Equation (A1).

$y^{2} = x^{3} + a x + b$

(A1)

where a and b are constants. The curve is defined over a finite field, which means all calculations are performed modulo a prime number p.
Key Generation: Each party involved in the key exchange process generates its own elliptic curve key pair. This consists of a private key (a randomly chosen number) and a corresponding public key (calculated by multiplying the base point of the curve by the private key).
Key Exchange: When two parties want to establish a shared secret key, they exchange their public keys over an insecure communication channel.
Shared Secret Calculation: Each party uses their private key and the received public key to independently compute a shared secret point on the elliptic curve. The magic of elliptic curve mathematics ensures that these independently calculated shared secrets are equal.
Shared Secret Derivation: The shared secret point is then used as an input to a key derivation function (KDF) to produce a shared secret key. This shared secret can be used for the symmetric encryption and decryption of data between the two parties.

Elliptic Curve Diffie–Hellman (ECDH) offers several distinct advantages when compared to the traditional Diffie–Hellman key exchange. Firstly, ECDH provides robust security despite employing relatively compact key sizes, resulting in efficient computations and reduced bandwidth usage [63]. Moreover, it boasts resilience against quantum attacks, positioning it as a promising candidate for post-quantum cryptography. This protocol excels in terms of efficiency due to the superior performance of elliptic curve operations compared to the conventional modular exponentiation operations used in standard Diffie–Hellman. The compact nature of ECDH keys, considerably shorter than their RSA or DSA counterparts of equivalent strength, renders them ideal for resource-constrained devices and systems. Lastly, ECDH enjoys widespread adoption across modern cryptography standards and protocols, including TLS for secure web browsing, PGP for secure email communication, and numerous others, affirming its significance in ensuring secure data exchange over insecure networks.

Appendix A.2. Simulation Code of the Security Proof

Figure A1. The simulation for the Initialization Phase between

R o o t P K G

and

S u b_{P K G}

.

Figure A1. The simulation for the Initialization Phase between

R o o t P K G

and

S u b_{P K G}

.

Figure A2. The simulation for Patient Registration Phase between

S u b_{P K G}

and patient.

Figure A2. The simulation for Patient Registration Phase between

S u b_{P K G}

and patient.

Figure A3. The simulation for Mobile Patient Authentication Phase.

Figure A4. The result for the Initialization Phase between

R o o t_{P K G}

and

S u b_{P K G}

Protocol.

Figure A4. The result for the Initialization Phase between

R o o t_{P K G}

and

S u b_{P K G}

Protocol.

Figure A5. The result for the Patient Registration Phase between

S u b_{P K G}

and patient Protocol.

Figure A5. The result for the Patient Registration Phase between

S u b_{P K G}

and patient Protocol.

Figure A6. The result for Mobile Patient Authentication Phase Protocol.

Appendix A.3. BAN Logic

BAN Logic Notations that are used in this study:

P∣≡ X: P believes X. This means that P considers X to be true and acts accordingly.
P ◃ X: P sees X, i.e., when P receive a message contains X, then P sees X.
P ∣∼ X: P said X.
P ‖∼: P recently said X.
P⇒ X: P has jurisdiction over X or P controls X.
#(X): The formula X is fresh. This means that X has not been sent in a message at any time before the current run of the protocol.
xk: This means that formula X is encrypted using the key k.
x $k^{- 1}$ : This represents that formula X is encrypted using the inverse key of k, i.e., if k is a public key, then $k^{- 1}$ is the private key that corresponds to k.
PK (k, P): k is a public key for P and there exists a unique key that corresponds to k.
II(P): P has a private key that is known only to P.
$σ$ (X, P): X is signed by P’s private key.
A $⟷^{k}$ B , K is a shared key between only A and B.

Initialization Phase: Assume that

S u b_{i}

is

S u b_{P K G i}

,

R o o t_{i}

is Root PKGi, PK

R o o t_{i}

is the public key of

R o o t_{i}

, PK

S u b_{i}

is the public key of the

S u b_{i}

, Pr

R o o t_{i}

is the private key of

R o o t_{i}

, Pr

S u b_{i}

is the private key of

S u b_{i}

,

M_{1}

is the first message between

R o o t_{i}

and

S u b_{i}

,

M_{2}

is the second message sent from

S u b_{i}

to

R o o t_{i}

, and

M_{3}

is the third message sent from

R o o t_{i}

to

S u b_{i}

.

Idealized messages: The following are the idealized messages for this phase based on Figure 3.

$M_{1}$ : $R o o t_{i}$ → $S u b_{i}$ : {{P, $N_{1}$ , $ϵ$ , $η$ , $γ$ } $P r_{R o o t_{i}}$ } $P K_{S u b_{i}}$ .
$M_{2}$ : $S u b_{i}$ → $R o o t_{i}$ :{{LM, $N_{1}$ , $N_{2}$ } $P r_{S u b_{i}}$ } $P K_{R o o t_{i}}$ .
$M_{3}$ : $R o o t_{i}$ → $S u b_{i}$ {{GM, $N_{2}$ , $N_{3}$ } $P r_{R o o t_{i}}$ } $P K_{S u b_{i}}$ .

Assumptions:

A1: ${Root}_{i} | \equiv PK ({Sub}_{i}, {PK}_{{Sub}_{i}})$ means that Root PKG Root_i believes that $P K_{S u b_{i}}$ is the public key of the Sub- $P K G_{i}$ Sub_i.
A2: ${Root}_{i} | \equiv II ({Sub}_{i})$ means that Root PKG Root_i believes that the Sub_i has a private key that corresponds to its public key.
A3: ${Sub}_{i} | \equiv PK ({Root}_{i}, {PK}_{{Root}_{i}})$ means that Sub_i believes that $P K_{R o o t_{i}}$ is the public key of Root_i.
A4: ${Sub}_{i} | \equiv II ({Root}_{i})$ means that Sub_i believes that Root_i has a private key that corresponds to its public key.
A5: ${Root}_{i} | \equiv {Sub}_{i} \Rightarrow (M_{2}, LM)$ means that Root PKG Root_i believes that Sub_i controls the generation of message $M_{2}$ and local model LM.
A6: ${Sub}_{i} | \equiv {Root}_{i} \Rightarrow (M_{1}, P)$ means that Sub_i believes that Root_i controls the generation of message $M_{1}$ and the parameters P.
A7: ${Sub}_{i} | \equiv # {(M_{1})}^{'}$ means that Sub_i believes that part of message $M_{1}$ is fresh and has not been sent previously.
A8: ${Root}_{i} | \equiv # {(M_{2})}^{'}$ means that Root PKG Root_i believes that part of message $M_{2}$ is fresh and has not been sent previously.
A9: ${Sub}_{i} | \equiv # {(M_{3})}^{'}$ means that Sub_i believes that part of message $M_{3}$ is fresh and has not been sent previously.
A10: ${Sub}_{i} | \equiv {Root}_{i} \Rightarrow (M_{3}, GM)$ means that Sub_i believes that Root_i controls the generation of message $M_{3}$ and the global model GM.

Goals: The goal of the Initialization Phase is to guarantee the mutual authentication between Root_i and Sub_i. Moreover, Root_i must trust the LM and believe that it is true, and Sub_i must trust the GM and believe that it is true. The following are the goals to be achieved in this phase:

G1: ${Sub}_{i} | \equiv {Root}_{i} | \sim M_{1}$ means that Sub_i should believe that Root_i has said message $M_{1}$ . So, Sub_i authenticates Root_i.
G2: ${Sub}_{i} | \equiv M_{1}$ means that Sub_i should believe message $M_{1}$ , which includes the parameters, and consider it true.
G3: ${Sub}_{i} | \equiv # M_{1}$ means that Sub_i should believe that message $M_{1}$ is fresh and not sent before.
G4: ${Root}_{i} | \equiv {Sub}_{i} | \sim M_{2}$ means that the Root PKG Root_i should believe that Sub_i has said message $M_{2}$ , which includes the local model LM. So, Root_i authenticates the Sub_i.
G5: ${Root}_{i} | \equiv M_{2}$ means that the Root PKG Root_i should believe that message $M_{2}$ , which includes the LM is true.
G6: ${Root}_{i} | \equiv # M_{2}$ means that the Root PKG Root_i should believe that message $M_{2}$ is fresh and not sent before.
G7: ${Sub}_{i} | \equiv {Root}_{i} | \sim M_{3}$ means that Sub_i should believe that Root_i has said message $M_{3}$ .
G8: ${Sub}_{i} | \equiv M_{3}$ means that Sub_i should believe message $M_{3}$ , which includes the global model GM and consider it true.
G9: ${Sub}_{i} | \equiv # M_{3}$ means that Sub_i should believe that message $M_{3}$ is fresh and not sent before.

Analysis:

Goals G1, G2, and G3: G1 is achieved via applying the following signing rule on A3, A4, and

M_{1}

. That is, if

{Sub}_{i}

receives the signed message

M_{1}

that is signed using

{PK}_{{Root}_{i}}^{- 1}

from

{Root}_{i}

, and

{Sub}_{i}

believes that

{PK}_{{Root}_{i}}

is the public key of

{Root}_{i}

and that

{Root}_{i}

has a private key that corresponds to

{PK}_{{Root}_{i}}

which is

{PK}_{{Root}_{i}}^{- 1}

, then

{Sub}_{i}

should believe that

{Root}_{i}

said message

M_{1}

, which includes the parameters P, and

{Sub}_{i}

authenticates

{Root}_{i}

.

\begin{matrix} ({Sub}_{i} | \equiv PK ({Root}_{i}, {PK}_{{Root}_{i}}), {Sub}_{i} | \equiv II ({Root}_{i}), \\ {Sub}_{i} ▹ σ (M_{1}, {Root}_{i})) / ({Sub}_{i} | \equiv {Root}_{i} | \sim M_{1}), G 1 is achieved . \end{matrix}

G3 is achieved by applying the below freshness rule to A7. That is, if

{Sub}_{i}

believes that part of message

M_{1}

is fresh (which is

N_{1}

), then message

M_{1}

is fresh.

({Sub}_{i} | \equiv # {(M_{1})}^{'}) / ({Sub}_{i} | \equiv # M_{1}), so G 3 is achieved .

G2 is achieved if the following rules are applied. From G1 and G3, we can infer that

{Sub}_{i}

believes that

{Root}_{i}

believes message

M_{1}

; then, the control rule is applied to A6. Specifically, if

{Sub}_{i}

believes that

{Root}_{i}

controls message

M_{1}

, and

{Sub}_{i}

believes that

{Root}_{i}

believes message

M_{1}

, then

{Sub}_{i}

should believe that message

M_{1}

is true.

({Sub}_{i} | \equiv {Root}_{i} | \sim M_{1}, {Sub}_{i} | \equiv # M_{1}) / ({Sub}_{i} | \equiv {Root}_{i} | \equiv M_{1}),

and

\begin{matrix} ({Sub}_{i} | \equiv {Root}_{i} \Rightarrow (M_{1}, P), {Sub}_{i} | \equiv {Root}_{i} | \equiv M_{1}) / ({Sub}_{i} | \equiv M_{1}), \\ G 2 is achieved . \end{matrix}

Goals G4, G5, and G6:

G4 is achieved by applying the below signing rule on A1, A2, and

M_{2}

. That is, if

{Root}_{i}

receives the signed message

M_{2}

that is signed using

{PK}_{{Sub}_{i}}^{- 1}

from

{Sub}_{i}

, and

{Root}_{i}

believes that

{PK}_{{Sub}_{i}}

is the public key of

{Sub}_{i}

and that

{Sub}_{i}

has a private key that corresponds to

{PK}_{{Sub}_{i}}

which is

{PK}_{{Sub}_{i}}^{- 1}

, then

{Root}_{i}

should believe that

{Sub}_{i}

said message

M_{2}

, which includes the local model LM, and

{Root}_{i}

authenticates

{Sub}_{i}

.

\begin{matrix} ({Root}_{i} | \equiv PK ({Sub}_{i}, {PK}_{{Sub}_{i}}), {Root}_{i} | \equiv II ({Sub}_{i}), \\ {Root}_{i} ▹ σ (M_{2}, {Sub}_{i})) / ({Root}_{i} | \equiv {Sub}_{i} | \sim M_{2}), \\ G 4 is achieved . \end{matrix}

G6 is achieved if the below freshness rule on A8 is applied. That is, if

{Root}_{i}

believes that part of message

M_{2}

is fresh (which is

N_{2}

), then message

M_{2}

is fresh.

({Root}_{i} | \equiv # {(M_{2})}^{'}) / ({Root}_{i} | \equiv # M_{2}), so G 6 is achieved .

G5 is achieved if the following rules are applied. From G4 and G6, we can infer that

{Root}_{i}

believes that

{Sub}_{i}

believes message

M_{2}

; then, the control rule is applied to A5. Specifically, if

{Root}_{i}

believes that

{Sub}_{i}

controls message

M_{2}

, and

{Root}_{i}

believes that

{Sub}_{i}

believes message

M_{2}

, then

{Root}_{i}

should believe that message

M_{2}

is true.

({Root}_{i} | \equiv {Sub}_{i} | \sim M_{2}, {Root}_{i} | \equiv # M_{2}) / ({Root}_{i} | \equiv {Sub}_{i} | \equiv M_{2}),

and

\begin{matrix} ({Root}_{i} | \equiv {Sub}_{i} \Rightarrow (M_{2}, LM), \\ {Root}_{i} | \equiv {Sub}_{i} | \equiv M_{2}) / ({Root}_{i} | \equiv M_{2}), G 5 is achieved . \end{matrix}

Goals G7, G8, and G9:

G7 is achieved by applying the following signing rule on A3, A4, and

M_{3}

. That is, if

{Sub}_{i}

receives the signed message

M_{3}

that is signed using

{PK}_{{Root}_{i}}^{- 1}

from

{Root}_{i}

, and

{Sub}_{i}

believes that

{PK}_{{Root}_{i}}

is the public key of

{Root}_{i}

and that

{Root}_{i}

has a private key that corresponds to

{PK}_{{Root}_{i}}

which is

{PK}_{{Root}_{i}}^{- 1}

, then

{Sub}_{i}

should believe that

{Root}_{i}

said message

M_{3}

, which includes the global model GM.

\begin{matrix} ({Sub}_{i} | \equiv PK ({Root}_{i}, {PK}_{{Root}_{i}}), {Sub}_{i} | \equiv II ({Root}_{i}), \\ {Sub}_{i} ▹ σ (M_{3}, {Root}_{i})) / ({Sub}_{i} | \equiv {Root}_{i} | \sim M_{3}), \\ G 7 is achieved . \end{matrix}

By applying the following freshness rule to A9, G9 is achieved. That is, if

{Sub}_{i}

believes that part of message

M_{3}

is fresh (which is

N_{3}

), then message

M_{3}

is fresh.

({Sub}_{i} | \equiv # {(M_{3})}^{'}) / ({Sub}_{i} | \equiv # M_{3}), so G 9 is achieved .

G8 is achieved via applying the following rules. From G7 and G9, we can infer that

{Sub}_{i}

believes that

{Root}_{i}

believes message

M_{3}

; then, the control rule is applied to A10. Specifically, if

{Sub}_{i}

believes that

{Root}_{i}

controls message

M_{3}

, and

{Sub}_{i}

believes that

{Root}_{i}

believes message

M_{3}

, then

{Sub}_{i}

should believe that message

M_{3}

is true.

({Sub}_{i} | \equiv {Root}_{i} | \sim M_{3}, {Sub}_{i} | \equiv # M_{3}) / ({Sub}_{i} | \equiv {Root}_{i} | \equiv M_{3}),

and

\begin{matrix} ({Sub}_{i} | \equiv {Root}_{i} \Rightarrow (M_{3}, GM), {Sub}_{i} | \equiv {Root}_{i} | \equiv M_{3}) / \\ ({Sub}_{i} | \equiv M_{3}), G 8 is achieved . \end{matrix}

Patient Registration Phase

In this section, assume the following:

${Sub}_{i}$ is Sub-PKGi
${PK}_{{Sub}_{i}}$ is the public key of ${Sub}_{i}$
$\Pr_{{Sub}_{i}}$ is the private key of ${Sub}_{i}$
${PK}_{{Patient}_{i}}$ is the public key of ${Patient}_{i}$
$\Pr_{{Patient}_{i}}$ is the private key of ${Patient}_{i}$
${SK}_{{Sub}_{i}}$ is the session key between ${Sub}_{i}$ and ${Patient}_{i}$
${PKDH}_{{Patient}_{i}}$ is the public component of ${Patient}_{i}$
${PKDH}_{{Sub}_{i}}$ is the public component of ${Sub}_{i}$
${DC}_{{Sub}_{i}}$ is the digital certificate for ${Sub}_{i}$
${DC}_{{Patient}_{i}}$ is the digital certificate of ${Patient}_{i}$
$M 1$ is the first message in this phase between ${Patient}_{i}$ and ${Sub}_{i}$
$M 2$ is the second message in this phase sent from ${Sub}_{i}$ to ${Patient}_{i}$
$M 3$ is the third message in this phase sent from ${Patient}_{i}$ to ${Sub}_{i}$
$M 4$ is the fourth message in this phase sent from ${Sub}_{i}$ to ${Patient}_{i}$
$M 5$ is the fifth message sent from ${Patient}_{i}$ to ${Sub}_{i}$

Idealized messages:

The following are the idealized messages for this phase based on Figure 4:

$M 1$ : ${Patient}_{i} \to {Sub}_{i}$ : $ID | | N 1$
$M 2$ : ${Sub}_{i} \to {Patient}_{i}$ : ${DC}_{{Sub}_{i}} | | {G, N 1, N 2, {PKDH}_{{Sub}_{i}}} \Pr_{{Sub}_{i}}$
$M 3$ : ${Patient}_{i} \to {Sub}_{i}$ : ${DC}_{{Patient}_{i}} | | {{PKDH}_{{Patient}_{i}}, N 2} \Pr_{{Patient}_{i}}$
$M 4$ : ${Sub}_{i} \to {Patient}_{i}$ : ${σ_{GS}, Υ, γ, Idg, N 3} {SK}_{{Sub}_{i}}$
$M 5$ : ${Patient}_{i} \to {Sub}_{i}$ : ${Psig, N 3} {SK}_{{Sub}_{i}}$

Assumptions:

A1: ${Sub}_{i} | \equiv {Sub}_{i} □ (\leftrightarrow ({SK}_{{Sub}_{i}})) {Patient}_{i}$ means that ${Sub}_{i}$ believes that ${SK}_{{Sub}_{i}}$ is a key shared between ${Patient}_{i}$ and ${Sub}_{i}$
A2: ${Patient}_{i} | \equiv {Sub}_{i} □ (\leftrightarrow ({SK}_{{Sub}_{i}})) {Patient}_{i}$ means that ${Patient}_{i}$ believes that ${SK}_{{Sub}_{i}}$ is a key shared between ${Patient}_{i}$ and ${Sub}_{i}$

Goals:

This phase aims to achieve mutual authentication between the Sub-PKG and the patient, and to generate the session key shared between them. Therefore, both

{Patient}_{i}

and

{Sub}_{i}

should believe and trust that the session key is true. Note that public Diffie–Hellman components

{PKDH}_{{Patient}_{i}}

and

{PKDH}_{{Sub}_{i}}

are shared in signed messages (

M 2

and

M 3

) which means the authenticity of these components can be proved in the same way as performed in the previous phase. In this section, we will focus on the trust of the generated session key. The following are the goals to be achieved:

G1: ${Patient}_{i} | \equiv {Sub}_{i} | \sim M_{4}$ means that ${Patient}_{i}$ should believe that ${Sub}_{i}$ has sent message $M_{4}$ , which includes N3. So, ${Patient}_{i}$ authenticates ${Sub}_{i}$ .
G2: ${Sub}_{i} | \equiv {Patient}_{i} | \sim M_{5}$ means that ${Sub}_{i}$ should believe that ${Patient}_{i}$ has sent message $M_{5}$ which includes the same nonce N3. So, ${Sub}_{i}$ authenticates ${Patient}_{i}$ .

Analysis:

G1 is achieved via applying the below symmetric rule on A2 and

M_{4}

. That is, if

{Patient}_{i}

receives message

M_{4}

that is encrypted using

{SK}_{{Sub}_{i}}

from

{Sub}_{i}

, and

{Patient}_{i}

believes that

{SK}_{{Sub}_{i}}

is the shared key between

{Patient}_{i}

and

{Sub}_{i}

, then

{Patient}_{i}

should believe that

{Sub}_{i}

sent message

M_{4}

and so

{Sub}_{i}

is authenticated.

\begin{matrix} ({Patient}_{i} ⊢ {M_{4}} {SK}_{{Sub}_{i}}, {Patient}_{i} | \equiv {Sub}_{i} □ (\leftrightarrow ({SK}_{{Sub}_{i}})) {Patient}_{i}) \\ / ({Patient}_{i} | \equiv {Sub}_{i} | \sim M_{4}), G 1 is achieved . \end{matrix}

Similarly, G2 is achieved if the below symmetric rule is applied to A1 and

M_{5}

. That is, if

{Sub}_{i}

receives message

M_{5}

that is encrypted using

{SK}_{{Sub}_{i}}

from

{Patient}_{i}

, and

{Sub}_{i}

believes that

{SK}_{{Sub}_{i}}

is the shared key between

{Patient}_{i}

and

{Sub}_{i}

, then

{Sub}_{i}

should believe that

{Patient}_{i}

sent message

M_{5}

and so

{Patient}_{i}

is authenticated.

\begin{matrix} ({Sub}_{i} ⊢ {M_{5}} {SK}_{{Sub}_{i}}, {Sub}_{i} | \equiv {Sub}_{i} □ (\leftrightarrow ({SK}_{{Sub}_{i}})) {Patient}_{i}) \\ / ({Sub}_{i} | \equiv {Patient}_{i} | \sim M_{5}), G 2 is achieved . \end{matrix}

Patient Authentication Phase

Assume that

{Sub}_{i}

is Sub-PKG_i,

{PK}_{{Sub}_{i}}

is the public key of

{Sub}_{i}

,

\Pr_{{Sub}_{i}}

is the private key of

{Sub}_{i}

,

{PK}_{{Patient}_{i}}

is the public key of

{Patient}_{i}

,

\Pr_{{Patient}_{i}}

is the private key of

{Patient}_{i}

, and SK is the session key between

{Sub}_{i}

and

{Patient}_{i}

.

{DC}_{{Sub}_{i}}

is the digital certificate for

{Sub}_{i}

,

{DC}_{{Patient}_{i}}

is the digital certificate for

{Patient}_{i}

,

M_{1}

is the first message between

{Patient}_{i}

and

{Sub}_{i}

,

M_{2}

is the second message sent from

{Sub}_{i}

to

{Patient}_{i}

, and

M_{3}

is the third message in this phase sent from

{Patient}_{i}

to

{Sub}_{i}

.

Idealized messages: The below are the idealized messages based on Figure 4.

$M_{1}$ :

$\begin{matrix} {Patient}_{i} \to {Sub}_{i} : {{DC}_{{Patient}_{i}} | | {Idg, Psig, X, N 1} \Pr_{{Patient}_{i}}} {PK}_{{Sub}_{i}} \end{matrix}$
$M_{2}$ : ${Sub}_{i} \to {Patient}_{i}$ : ${{SK, N 1, N 2} \Pr_{{Sub}_{i}}} {PK}_{{Patient}_{i}}$
$M_{3}$ : ${Patient}_{i} \to {Sub}_{i}$ : ${N 2} SK$

Assumptions:

A1: ${Patient}_{i} | \equiv PK ({Sub}_{i}, {PK}_{{Sub}_{i}})$ means that ${Patient}_{i}$ believes that ${PK}_{{Sub}_{i}}$ is the public key of ${Sub}_{i}$ .
A2: ${Patient}_{i} | \equiv II ({Sub}_{i})$ means that ${Patient}_{i}$ believes that ${Sub}_{i}$ has a private key that corresponds to its public key.
A3: ${Sub}_{i} | \equiv PK ({Patient}_{i}, {PK}_{{Patient}_{i}})$ means that ${Sub}_{i}$ believes that ${PK}_{{Patient}_{i}}$ is the public key of ${Patient}_{i}$ .
A4: ${Sub}_{i} | \equiv II ({Patient}_{i})$ means that ${Sub}_{i}$ believes that ${Patient}_{i}$ has a private key that corresponds to its public key.
A5: ${Sub}_{i} | \equiv # {(M_{1})}^{'}$ means that ${Sub}_{i}$ believes that part of message $M_{1}$ is fresh and has not been sent previously.
A6: ${Patient}_{i} | \equiv # {(M_{2})}^{'}$ means that ${Patient}_{i}$ believes that part of message $M_{2}$ is fresh and has not been sent previously.
A7: ${Sub}_{i} | \equiv {Patient}_{i} \Rightarrow (M_{1}, Psig)$ means that ${Sub}_{i}$ believes that ${Patient}_{i}$ controls the generation of message $M_{1}$ which includes Psig.
A8: ${Patient}_{i} | \equiv {Sub}_{i} \Rightarrow (M_{2}, SK)$ means that ${Patient}_{i}$ believes that ${Sub}_{i}$ controls the generation of message $M_{2}$ and the session key SK.
A9: ${Sub}_{i} | \equiv {Sub}_{i} □ (\leftrightarrow (SK)) {Patient}_{i}$ means that ${Sub}_{i}$ believes that SK is a key shared between ${Patient}_{i}$ and ${Sub}_{i}$ .
A10: ${Patient}_{i} | \equiv {Sub}_{i} □ (\leftrightarrow (SK)) {Patient}_{i}$ means that ${Patient}_{i}$ believes that SK is a key shared between ${Patient}_{i}$ and ${Sub}_{i}$ .

Goals: The goal of this phase is to authenticate the patient and to generate the session key SK shared between them. Therefore, both

{Patient}_{i}

and

{Sub}_{i}

should believe and trust that the session key is true. The following are the goals to be achieved in this phase.

G1: ${Sub}_{i} | \equiv {Patient}_{i} | \sim M_{1}$ means that ${Sub}_{i}$ should believe that ${Patient}_{i}$ has sent message $M_{1}$ , which includes the patient’s signature Psig.
G2: ${Sub}_{i} | \equiv M_{1}$ means that ${Sub}_{i}$ should believe message $M_{1}$ .
G3: ${Sub}_{i} | \equiv # M_{1}$ means that ${Sub}_{i}$ should believe that message $M_{1}$ is fresh and has not been sent before.
G4: ${Patient}_{i} | \equiv {Sub}_{i} | \sim M_{2}$ means that ${Patient}_{i}$ should believe that ${Sub}_{i}$ has sent message $M_{2}$ , which includes the session key SK.
G5: ${Patient}_{i} | \equiv M_{2}$ means that ${Patient}_{i}$ should believe message $M_{2}$ which includes the session key SK.
G6: ${Patient}_{i} | \equiv # M_{2}$ means that ${Patient}_{i}$ should believe that message $M_{2}$ , which includes the session key SK, is fresh and has not been sent before.
G7: ${Sub}_{i} | \equiv {Patient}_{i} | \sim M_{3}$ means that ${Sub}_{i}$ should believe that ${Patient}_{i}$ has sent message $M_{3}$ , which includes the same nonce $N 2$ . So, ${Sub}_{i}$ authenticates ${Patient}_{i}$ .

Analysis:

Goals G1, G2, and G3: G1 is achieved via applying the below signing rule to A3, A4, and

M_{1}

. That is, if

{Sub}_{i}

receives the signed message

M_{1}

that is signed using

{PK}_{{Patient}_{i}}

from

{Patient}_{i}

, and

{Sub}_{i}

believes that

{PK}_{{Patient}_{i}}

is the public key of

{Patient}_{i}

and that

{Patient}_{i}

has a private key corresponding to

{PK}_{{Patient}_{i}}

, then

{Sub}_{i}

should believe that

{Patient}_{i}

sent message

M_{1}

, which includes the patient’s signature Psig.

\begin{matrix} ({Sub}_{i} | \equiv PK ({Patient}_{i}, {PK}_{{Patient}_{i}})), \\ ({Sub}_{i} | \equiv II ({Patient}_{i})), \\ ({Sub}_{i} ⊢ σ (M_{1}, {Patient}_{i})) / \\ ({Sub}_{i} | \equiv {Patient}_{i} | \sim M_{1}), G 1 is achieved . \end{matrix}

G3 is achieved by applying the below freshness rule to A5. That is, if

S u b_{i}

believes that part of message M1 is fresh (which is NI), then message M1 is fresh.

(S u b_{i} \equiv # {(M_{1})}^{'},) / (S u b_{i} \equiv # M_{1}), so G 3 is achieved .

G2 is achieved via applying the below rules. From G1 and G3, we can infer that

S u b_{i}

believes that

P a t i e n t_{i}

believes message M1; then, the control rule is applied to A7. Specifically, if

S u b_{i}

believes that

P a t i e n t_{i}

controls message M1, and

S u b_{i}

believes that

P a t i e n t_{i}

believes message M1, then

S u b_{i}

should believe that message M1 is true.

\begin{matrix} \begin{matrix} (S u b_{i} \equiv P a t i e n t_{i} | \sim M_{1}, S u b_{i} \equiv # M_{1}) / \\ (S u b_{i} \equiv P a t i e n t_{i} \equiv M_{1}), \end{matrix} \\ and (S u b_{i} \equiv P a t i e n t_{i} \Rightarrow (M_{1}, P s i g), \\ S u b_{i} \equiv P a t i e n t_{i} \equiv M_{1}) / (S u b_{i} \equiv M_{1}), G 2 is achieved . \end{matrix}

Goals G4, G5, and G6:

Similarly, G4 is achieved by applying the below signing rule to A1, A2, and M2. That is, if

P a t i e n t_{i}

receives the signed message M2 that is signed using PKsubi-1 from

S u b_{i}

, and

P a t i e n t_{i}

believes that PKsubi is the public key of

S u b_{i}

and that

S u b_{i}

has a private key corresponding to PKsubi which is PKsubi-1, then

P a t i e n t_{i}

should believe that

S u b_{i}

said message M2, which includes the session key SK.

\begin{matrix} (P a t i e n t_{i} \equiv P K (S u b_{i}, P K_{S u b_{i}}), \\ P a t i e n t_{i} \equiv I I (S u b_{i}), P a t i e n t_{i} ⊢ σ (M_{2}, S u b_{i})) / \\ (P a t i e n t_{i} \equiv S u b_{i} | \sim M_{2}), G 4 is achieved . \end{matrix}

G6 is also achieved by applying the following freshness rule to A6. That is, if

P a t i e n t_{i}

believes that part of message M2 is fresh (which is N2), then message M2 is fresh.

(P a t i e n t_{i} \equiv # {(M_{2})}^{'},) / (P a t i e n t_{i} \equiv # M_{2}), so G 6 is achieved .

G5 is achieved via applying the below rules. From G4 and G6, we can infer that

P a t i e n t_{i}

believes that

S u b_{i}

believes message M2; then, we apply the control rule to A8. Specifically, if

P a t i e n t_{i}

believes that

S u b_{i}

controls message M2, and

P a t i e n t_{i}

believes that

S u b_{i}

believes message M2, then

P a t i e n t_{i}

should believe that message M2 is true.

\begin{matrix} (P a t i e n t_{i} \equiv S u b_{i} | \sim M_{2}, P a t i e n t_{i} \equiv # M_{2}) / \\ (P a t i e n t_{i} \equiv S u b_{i} \equiv M_{2}), and (P a t i e n t_{i} \equiv S u b_{i} \Rightarrow (M_{2}, S K), \\ P a t i e n t_{i} \equiv S u b_{i} \equiv M_{2}) / (P a t i e n t_{i} \equiv M_{2}), G 5 is achieved . \end{matrix}

Goal G7:

Finally, G7 is achieved by applying the below symmetric rule to A9 and M3. That is, if

S u b_{i}

receives message M3 that is encrypted using SK from

P a t i e n t_{i}

, and

S u b_{i}

believes that SK is the shared key between

S u b_{i}

and

P a t i e n t_{i}

, then

S u b_{i}

should believe that

P a t i e n t_{i}

said message M3, which includes the nonce N2, so

P a t i e n t_{i}

is authenticated.

\begin{matrix} (S u b_{i} ⊢ {M_{3}} S K, S u b_{i} \equiv S u b_{i} □ (\leftrightarrow (S K)) P a t i e n t_{i}) / \\ (S u b_{i} \equiv P a t i e n t_{i} | \sim M_{3}), G 7 is achieved . \end{matrix}

References

Razdan, S.; Sharma, S. Internet of medical things (IoMT): Overview, emerging technologies, and case studies. IETE Tech. Rev. 2022, 39, 775–788. [Google Scholar] [CrossRef]
Mishra, P.; Singh, G. Internet of Medical Things Healthcare for Sustainable Smart Cities: Current Status and Future Prospects. Appl. Sci. 2023, 13, 8869. [Google Scholar] [CrossRef]
Manickam, P.; Mariappan, S.A.; Murugesan, S.M.; Hansda, S.; Kaushik, A.; Shinde, R.; Thipperudraswamy, S. Artificial intelligence (AI) and internet of medical things (IoMT) assisted biomedical systems for intelligent healthcare. Biosensors 2022, 12, 562. [Google Scholar] [CrossRef]
Ullah, M.; Hamayun, S.; Wahab, A.; Khan, S.U.; Rehman, M.U.; Haq, Z.U.; Rehman, K.U.; Ullah, A.; Mehreen, A.; Awan, U.A.; et al. Smart Technologies used as Smart Tools in the Management of Cardiovascular Disease and their Future Perspective. Curr. Probl. Cardiol. 2023, 48, 101922. [Google Scholar] [CrossRef]
Hireche, R.; Mansouri, H.; Pathan, A.S.K. Security and privacy management in Internet of Medical Things (IoMT): A synthesis. J. Cybersecur. Priv. 2022, 2, 640–661. [Google Scholar] [CrossRef]
Omolara, A.E.; Alabdulatif, A.; Abiodun, O.I.; Alawida, M.; Alabdulatif, A.; Hamdan Alshoura, W. Arshad, H. The internet of things security: A survey encompassing unexplored areas and new insights. Comput. Secur. 2022, 112, 102494. [Google Scholar] [CrossRef]
Abouelmehdi, K.; Beni-Hessane, A.; Khaloufi, H. Big healthcare data: Preserving security and privacy. J. Big Data 2018, 5, 1–18. [Google Scholar] [CrossRef]
Borgia, E. The Internet of Things vision: Key features, applications and open issues. Comput. Commun. 2014, 54, 1–31. [Google Scholar] [CrossRef]
Aminizadeh, S.; Heidari, A.; Toumaj, S.; Darbandi, M.; Navimipour, N.J.; Rezaei, M.; Talebi, S.; Azad, P.; Unal, M. The applications of machine learning techniques in medical data processing based on distributed computing and the Internet of Things. Comput. Methods Programs Biomed. 2023, 241, 107745. [Google Scholar] [CrossRef]
Hasan, M.K.; Ghazal, T.M.; Saeed, R.A.; Pandey, B.; Gohel, H.; Eshmawi, A.; Abdel-Khalek, S.; Alkhassawneh, H.M. A review on security threats, vulnerabilities, and counter measures of 5G enabled Internet-of-Medical-Things. IET Commun. 2022, 16, 421–432. [Google Scholar] [CrossRef]
Alhaj, T.A.; Abdulla, S.M.; Iderss, M.A.E.; Ali, A.A.A.; Elhaj, F.A.; Remli, M.A.; Gabralla, L.A. A survey: To govern, protect, and detect security principles on internet of medical things (iomt). IEEE Access 2022, 10, 124777–124791. [Google Scholar]
Alsaeed, N.; Nadeem, F. Authentication in the Internet of Medical Things: Taxonomy, Review, and Open Issues. Appl. Sci. 2022, 12, 7487. [Google Scholar] [CrossRef]
Rasool, R.U.; Ahmad, H.F.; Rafique, W.; Qayyum, A.; Qadir, J. Security and privacy of internet of medical things: A contemporary review in the age of surveillance, botnets, and adversarial ML. J. Netw. Comput. Appl. 2022, 201, 103332. [Google Scholar]
Abualghanam, O.; Qatawneh, M.; Almobaideen, W. A survey of key distribution in the context of internet of things. J. Theor. Appl. Inf. Technol. 2019, 97, 3217–3241. [Google Scholar]
Li, L.; Fan, Y.; Tse, M.; Lin, K.Y. A review of applications in federated learning. Comput. Ind. Eng. 2020, 149, 106854. [Google Scholar] [CrossRef]
Yang, T.; Andrew, G.; Eichner, H.; Sun, H.; Li, W.; Kong, N.; Ramage, D.; Beaufays, F. Applied federated learning: Improving google keyboard query suggestions. arXiv 2018, arXiv:1812.02903. [Google Scholar]
Rieke, N.; Hancox, J.; Li, W.; Milletari, F.; Roth, H.R.; Albarqouni, S.; Bakas, S.; Galtier, M.N.; Landman, B.A.; Maier-Hein, K.; et al. The future of digital health with federated learning. NPJ Digit. Med. 2020, 3, 119. [Google Scholar]
Zhang, C.; Xie, Y.; Bai, H.; Yu, B.; Li, W.; Gao, Y. A survey on federated learning. Knowl.-Based Syst. 2021, 216, 106775. [Google Scholar]
Kanagavelu, R.; Li, Z.; Samsudin, J.; Yang, Y.; Yang, F.; Goh, R.S.M.; Cheah, M.; Wiwatphonthana, P.; Akkarajitsakul, K.; Wang, S. Two-phase multi-party computation enabled privacy-preserving federated learning. In Proceedings of the 2020 20th IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing (CCGRID), IEEE, Melbourne, Australia, 11–14 May 2020; pp. 410–419. [Google Scholar]
Mo, F.; Haddadi, H.; Katevas, K.; Marin, E.; Perino, D.; Kourtellis, N. PPFL: Privacy-preserving federated learning with trusted execution environments. In Proceedings of the 19th Annual International Conference on Mobile Systems, Applications, and Services, Virtual, 24 June–2 July 2021; pp. 94–108. [Google Scholar]
Hsu, C.Y.; Lu, C.S.; Pei, S.C. Image feature extraction in encrypted domain with privacy-preserving SIFT. IEEE Trans. Image Process. 2012, 21, 4593–4607. [Google Scholar]
Ji, J.; Wang, H.; Huang, Y.; Wu, J.; Xu, X.; Ding, S.; Zhang, S.; Cao, L.; Ji, R. Privacy-preserving face recognition with learnable privacy budgets in frequency domain. In Proceedings of the European Conference on Computer Vision, Tel Aviv, Israel, 23–27 October 2022; Springer: Berlin/Heidelberg, Germany, 2022; pp. 475–491. [Google Scholar]
Chen, C.; Wu, H.; Su, J.; Lyu, L.; Zheng, X.; Wang, L. Differential private knowledge transfer for privacy-preserving cross-domain recommendation. In Proceedings of the ACM Web Conference 2022, Lyon, France, 25–29 April 2022; pp. 1455–1465. [Google Scholar]
Li, A.; Sun, J.; Zeng, X.; Zhang, M.; Li, H.; Chen, Y. Fedmask: Joint computation and communication-efficient personalized federated learning via heterogeneous masking. In Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems, Coimbra, Portugal, 15–17 November 2021; pp. 42–55. [Google Scholar]
Zhang, W.; Yang, D.; Wu, W.; Peng, H.; Zhang, N.; Zhang, H.; Shen, X. Optimizing federated learning in distributed industrial IoT: A multi-agent approach. IEEE J. Sel. Areas Commun. 2021, 39, 3688–3703. [Google Scholar]
Lim, W.Y.B.; Luong, N.C.; Hoang, D.T.; Jiao, Y.; Liang, Y.C.; Yang, Q.; Niyato, D.; Miao, C. Federated learning in mobile edge networks: A comprehensive survey. IEEE Commun. Surv. Tutor. 2020, 22, 2031–2063. [Google Scholar] [CrossRef]
Fang, C.; Guo, Y.; Hu, Y.; Ma, B.; Feng, L.; Yin, A. Privacy-preserving and communication-efficient federated learning in internet of things. Comput. Secur. 2021, 103, 102199. [Google Scholar] [CrossRef]
Liu, Y.; Yuan, X.; Xiong, Z.; Kang, J.; Wang, X.; Niyato, D. Federated learning for 6G communications: Challenges, methods, and future directions. China Commun. 2020, 17, 105–118. [Google Scholar] [CrossRef]
Al-Issa, Y.; Ottom, M.A.; Tamrawi, A. eHealth cloud security challenges: A survey. J. Healthc. Eng. 2019, 2019, 7516035. [Google Scholar] [CrossRef]
Usak, M.; Kubiatko, M.; Shabbir, M.S.; Viktorovna Dudnik, O.; Jermsittiparsert, K.; Rajabion, L. Health care service delivery based on the Internet of things: A systematic and comprehensive study. Int. J. Commun. Syst. 2020, 33, e4179. [Google Scholar] [CrossRef]
Somasundaram, R.; Thirugnanam, M. Review of security challenges in healthcare internet of things. Wirel. Netw. 2021, 27, 5503–5509. [Google Scholar] [CrossRef]
AbuAlghanam, O.; Qatawneh, M.; Almobaideen, W.; Saadeh, M. A new hierarchical architecture and protocol for key distribution in the context of IoT-based smart cities. J. Inf. Secur. Appl. 2022, 67, 103173. [Google Scholar] [CrossRef]
Mohammed, I.A. Cloud identity and access management–A model proposal. Int. J. Innov. Eng. Res. Technol. 2019, 6, 1–8. [Google Scholar]
Jan, S.U.; Ali, S.; Abbasi, I.A.; Mosleh, M.A.; Alsanad, A.; Khattak, H. Secure patient authentication framework in the healthcare system using wireless medical sensor networks. J. Healthc. Eng. 2021, 2021, 9954089. [Google Scholar] [CrossRef]
Khan, M.A.; Quasim, M.T.; Alghamdi, N.S.; Khan, M.Y. A secure framework for authentication and encryption using improved ECC for IoT-based medical sensor data. IEEE Access 2020, 8, 52018–52027. [Google Scholar] [CrossRef]
Xu, Z.; Xu, C.; Chen, H.; Yang, F. A lightweight anonymous mutual authentication and key agreement scheme for WBAN. Concurr. Comput. Pract. Exp. 2019, 31, e5295. [Google Scholar] [CrossRef]
Alzahrani, B.A.; Irshad, A.; Albeshri, A.; Alsubhi, K. A provably secure and lightweight patient-healthcare authentication protocol in wireless body area networks. Wirel. Pers. Commun. 2021, 117, 47–69. [Google Scholar] [CrossRef]
Mohammedi, M.; Omar, M.; Bouabdallah, A. Secure and lightweight remote patient authentication scheme with biometric inputs for mobile healthcare environments. J. Ambient. Intell. Humaniz. Comput. 2018, 9, 1527–1539. [Google Scholar] [CrossRef]
Singh, S.; Rathore, S.; Alfarraj, O.; Tolba, A.; Yoon, B. A framework for privacy-preservation of IoT healthcare data using Federated Learning and blockchain technology. Future Gener. Comput. Syst. 2022, 129, 380–388. [Google Scholar] [CrossRef]
Alkeem, E.A.; Shehada, D.; Yeun, C.Y.; Zemerly, M.J.; Hu, J. New secure healthcare system using cloud of things. Clust. Comput. 2017, 20, 2211–2229. [Google Scholar] [CrossRef]
Ullah, I.; Amin, N.U.; Khan, M.A.; Khattak, H.; Kumari, S. An efficient and provable secure certificate-based combined signature, encryption and signcryption scheme for internet of things (IoT) in mobile health (M-health) system. J. Med. Syst. 2021, 45, 1–14. [Google Scholar] [CrossRef]
Tan, H.; Chung, I. Secure authentication and group key distribution scheme for WBANs based on smartphone ECG sensor. IEEE Access 2019, 7, 151459–151474. [Google Scholar] [CrossRef]
Ali, R.; Pal, A.K. Cryptanalysis and biometric-based enhancement of a remote user authentication scheme for e-healthcare system. Arab. J. Sci. Eng. 2018, 43, 7837–7852. [Google Scholar] [CrossRef]
Wang, S.; Cao, Z.; Strangio, M.A.; Wang, L. Cryptanalysis and improvement of an elliptic curve Diffie-Hellman key agreement protocol. IEEE Commun. Lett. 2008, 12, 149–151. [Google Scholar] [CrossRef]
Burrows, M.; Abadi, M.; Needham, R. A logic of authentication. ACM Trans. Comput. Syst. (TOCS) 1990, 8, 18–36. [Google Scholar] [CrossRef]
Shang, T.; Liu, J. Secure Quantum Network Coding Theory; Springer: Berlin/Heidelberg, Germany, 2020. [Google Scholar]
Yu, S.; Park, K.; Lee, J.; Park, Y.; Park, Y.; Lee, S.; Chung, B. Privacy-preserving lightweight authentication protocol for demand response management in smart grid environment. Appl. Sci. 2020, 10, 1758. [Google Scholar] [CrossRef]
Sierra, J.M.; Hernández, J.C.; Alcaide, A.; Torres, J. Validating the Use of BAN LOGIC. In Proceedings of the Computational Science and Its Applications–ICCSA 2004: International Conference, Assisi, Italy, 14–17 May 2004; Proceedings, Part I 4. Springer: Berlin/Heidelberg, Germany, 2004; pp. 851–858. [Google Scholar]
Saadeh, M.; Sleit, A.; Sabri, K.E.; Almobaideen, W. Hierarchical architecture and protocol for mobile object authentication in the context of IoT smart cities. J. Netw. Comput. Appl. 2018, 121, 1–19. [Google Scholar]
Wesam Almobaideen, M.S. Lightweight Authentication for Mobile Users in the Context of Fog Computing. Int. J. Adv. Comput. Eng. Netw. 2018, 6, 17–22. [Google Scholar]
Bos, J.W.; Halderman, J.A.; Heninger, N.; Moore, J.; Naehrig, M.; Wustrow, E. Elliptic curve cryptography in practice. In Proceedings of the Financial Cryptography and Data Security: 18th International Conference, FC 2014, Christ Church, Barbados, 3–7 March 2014; Revised Selected Papers 18. Springer: Berlin/Heidelberg, Germany, 2014; pp. 157–175. [Google Scholar]
Adalier, M.; Teknik, A. Efficient and secure elliptic curve cryptography implementation of curve p-256. In Proceedings of the Workshop on Elliptic Curve Cryptography Standards, NIST, Gaithersburg, MA, USA, 11 June 2015; Volume 66, pp. 2014–2017. [Google Scholar]
Al-Zubaidie, M.; Zhang, Z.; Zhang, J. Efficient and secure ECDSA algorithm and its applications: A survey. arXiv 2019, arXiv:1902.10313. [Google Scholar]
Maimuţ, D.; Matei, A.C. Speeding-Up Elliptic Curve Cryptography Algorithms. Mathematics 2022, 10, 3676. [Google Scholar] [CrossRef]
Kanchan, S.; Jang, J.W.; Yoon, J.Y.; Choi, B.J. Efficient and privacy-preserving group signature for federated learning. Future Gener. Comput. Syst. 2023, 147, 93–106. [Google Scholar] [CrossRef]
Liu, W.; Zhang, Y.; Han, G.; Cao, J.; Cui, H.; Zheng, D. Secure and efficient smart healthcare system based on federated learning. Int. J. Intell. Syst. 2023, 2023, 8017489. [Google Scholar] [CrossRef]
Ramalingam, P.; Pabitha, P. Ask-ram-imot: Autonomous shared keys based remote authentication method for internet of medical things applications. Wirel. Pers. Commun. 2023, 131, 273–293. [Google Scholar]
Jiby, J. Puthiyidam, Shelbi Joseph, B.B. Enhanced authentication security for IoT client nodes through T ECDSA integrated into MQTT broker. J. Supercomput. 2024, 80, 8898–8932. [Google Scholar]
Jiby, J. Puthiyidam, Shelbi Joseph, B.B. Temporal ECDSA: Atime stamp and signature mask enabled ECDSA algorithm for IoT client node authentication. Comput. Commun. 2024, 216, 307–323. [Google Scholar]
Yang, X.b.; Liu, Y.; Wu, J.s.; Han, G.; Liu, Y.x.; Xi, X.q. Nomop-ecdsa: A lightweight ecdsa engine for internet of things. Wirel. Pers. Commun. 2021, 121, 171–190. [Google Scholar] [CrossRef]
Logeshwaran, J.; Shanmugasundaram, N.; Lloret, J. Energy-efficient resource allocation model for device-to-device communication in 5G wireless personal area networks. Int. J. Commun. Syst. 2023, 36, e5524. [Google Scholar] [CrossRef]
Subramanian, E.; Tamilselvan, L. Elliptic curve Diffie–Hellman cryptosystem in big data cloud security. Clust. Comput. 2020, 23, 3057–3067. [Google Scholar] [CrossRef]
Kumar, M. A secure and efficient authentication protocol based on elliptic curve diffie-hellman algorithm and zero knowledge property. Int. J. Soft Comput. Eng. 2013, 3, 137–142. [Google Scholar]

Figure 1. Federated learning steps.

Figure 2. Hierarchy architecture for key distribution using federated learning.

Figure 3. The proposed protocol at Initialization Phase.

Figure 4. Patient Registration Phase.

Figure 5. The mobile Patient Authentication Phase.

Figure 6. The communication cost of various protocols for the mobile patient node. The references are: Kanchan et al. (2023) [55], Abualghanam et al. (2022) [32], Ramalingam et al. (2023) [57], and Liu et al. (2023) [56].

Table 3. List of symbols and abbreviations used in the paper for notation and computation purposes.

Notations	Description
GM	Global model
LM	Local model
PKG	Public key generator
$P K_{R o o t}$	Public key for the $R o o t_{P K G}$
$P r_{R o o t}$	Private key for the $R o o t_{P K G}$
$D C_{R o o t}$	Digital signature for $R o o t_{P K G}$
$D C_{S u b}$	Digital signature for $S u b_{P K G}$
ID	Real identity of the patient
H	Hash function
$ϵ$	Elliptic curve range
$η$	Ranges for group signature
$γ$	Root sign value
$Υ$	Sub-PKG sign value

Table 4. The size in byte for each abbreviation in the proposed protocol.

Abbreviation	Size (Byte)
Digital Signature	64
Public Key	64
Private Key	64
Unique Identifiers	16
Shared Key	32
Patient Signature	64
Root Signature ( $γ)$	64
Patient Secret Value ( $ϰ)$	64

Table 5. The storage complexity for each node in the proposed protocols.

Node Type	Storage	Size in (Bytes)
$R o o t_{P K G}$	$P K_{R o o t}$ , $P r_{R o o t}$ , $D C_{R o o t}$ , root parameters $ϵ$ , $η$ , $γ$ , n* $Υ$ .	384 + 64 n
$S u b_{P K G}$	$P K_{S u b}$ , $P r_{S u b}$ , $D C_{S u b}$ , m*SK, $γ$ , $Υ$	320 + 32 m
$M o b i l e_{P a t i e n t}$	SK, $I d_{i}$ , $P_{s i g}$ , $γ$ , $ϰ$	240

Table 6. The total number of shared keys that should be stored in each node.

Scheme	Number of Shared Keys
Our Proposal	1
[57]	1
[55]	2
[32]	3
[56]	2

Table 7. Notation used in computational cost analysis.

Metric	Description
$T M$	The computing time of the modular multiplication operation.
$T A$	The computing time of the modular addition operation (negligible).
$T I N$	The computing time of the modular inversion operation.
$T E M$	The computing time of the elliptic curve multiplication operation.
$T E A$	The computing time of the elliptic curve addition operation.

Table 8. Computation cost for signature generation and verification.

Schemes	Signing Cost	Verification Cost	Node Cost	Server Cost
Our scheme	TM + TEM + TIN = 41.6 TM	2TM + 2TEM + TIN + TEA = 71.72 TM	41.6 TM (once)	71.72 TM*n
[58]	TM + TEM + TIN = 41.6 TM	2TM + 2TEM + TIN + TEA = 71.72 TM	41.6 TM*n	71.72 TM*n
[60]	TM + TEM = 30 TM	2 TEM + TEA = 58.12 TM	(30 TM + 58.12 TM)*n	(30 TM + 58.12 TM)*n
[59]	TM + 2TEM = 59 TM	2TEM + TEA = 58.12 TM	59 TM*n	58.12 TM*n

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

AbuAlghanam, O.; Alazzam, H.; Almobaideen, W.; Saadeh, M.; Saadeh, H. A Novel Key Distribution for Mobile Patient Authentication Inspired by the Federated Learning Concept and Based on the Diffie–Hellman Elliptic Curve. Sensors 2025, 25, 2357. https://doi.org/10.3390/s25082357

AMA Style

AbuAlghanam O, Alazzam H, Almobaideen W, Saadeh M, Saadeh H. A Novel Key Distribution for Mobile Patient Authentication Inspired by the Federated Learning Concept and Based on the Diffie–Hellman Elliptic Curve. Sensors. 2025; 25(8):2357. https://doi.org/10.3390/s25082357

Chicago/Turabian Style

AbuAlghanam, Orieb, Hadeel Alazzam, Wesam Almobaideen, Maha Saadeh, and Heba Saadeh. 2025. "A Novel Key Distribution for Mobile Patient Authentication Inspired by the Federated Learning Concept and Based on the Diffie–Hellman Elliptic Curve" Sensors 25, no. 8: 2357. https://doi.org/10.3390/s25082357

APA Style

AbuAlghanam, O., Alazzam, H., Almobaideen, W., Saadeh, M., & Saadeh, H. (2025). A Novel Key Distribution for Mobile Patient Authentication Inspired by the Federated Learning Concept and Based on the Diffie–Hellman Elliptic Curve. Sensors, 25(8), 2357. https://doi.org/10.3390/s25082357

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Menu

A Novel Key Distribution for Mobile Patient Authentication Inspired by the Federated Learning Concept and Based on the Diffie–Hellman Elliptic Curve

Abstract

1. Introduction

1.1. Challenges to Ensuring Authentication and Confidentiality in Healthcare

1.2. Contributions

2. Related Work

3. Proposed System

3.1. Architecture Overview

3.2. The Proposed Protocol Overview

3.2.1. Initialization Phase Between $R o o t_{P K G}$ and $S u b_{P K G}$

3.2.2. Patient Registration and Key Generation Phase

3.2.3. Mobile Patient Authentication

4. Security Analysis

4.1. Security Proof Using AVISPA Tool

4.2. BAN Logic

4.3. Security Analysis Against Well-Known Attack

5. Experimental Results and Discussion

5.1. Storage Cost

5.2. Computation Cost

5.3. Communication Cost

6. Conclusions

Author Contributions

Funding

Institutional Review Board Statement

Informed Consent Statement

Data Availability Statement

Conflicts of Interest

Appendix A

Appendix A.1. Elliptic Curve Diffie–Hellman

Appendix A.2. Simulation Code of the Security Proof

Appendix A.3. BAN Logic

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI

Article Menu

A Novel Key Distribution for Mobile Patient Authentication Inspired by the Federated Learning Concept and Based on the Diffie–Hellman Elliptic Curve

Abstract

1. Introduction

1.1. Challenges to Ensuring Authentication and Confidentiality in Healthcare

1.2. Contributions

2. Related Work

3. Proposed System

3.1. Architecture Overview

3.2. The Proposed Protocol Overview

3.2.1. Initialization Phase Between R o o t P K G and S u b P K G

3.2.2. Patient Registration and Key Generation Phase

3.2.3. Mobile Patient Authentication

4. Security Analysis

4.1. Security Proof Using AVISPA Tool

4.2. BAN Logic

4.3. Security Analysis Against Well-Known Attack

5. Experimental Results and Discussion

5.1. Storage Cost

5.2. Computation Cost

5.3. Communication Cost

6. Conclusions

Author Contributions

Funding

Institutional Review Board Statement

Informed Consent Statement

Data Availability Statement

Conflicts of Interest

Appendix A

Appendix A.1. Elliptic Curve Diffie–Hellman

Appendix A.2. Simulation Code of the Security Proof

Appendix A.3. BAN Logic

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI

3.2.1. Initialization Phase Between $R o o t_{P K G}$ and $S u b_{P K G}$