An Integrated Two-Stage Medical Pre-Checkup and Subsequent Validation Key Agreement Authentication Mechanism

Abstract: In the global village era, several competitions require pre-checkups for the participants who are qualified to participate, and these checkups must be passed before the competition, so the accuracy of the checkup data must be confirmed and the data must not be leaked or tampered with. This is a new challenge to the accuracy of medical checkup data in the information and communication era. How to protect the rights of participants and the non-repudiation of participants are the main issues of this study. We have designed a two-phase user identity embedding and authentication scheme for pre-checkups and subsequent validations. A participant's private key is added to the physical examination data, and the identity of the examination data is confirmed by the contestant before the competition. Our work integrates lightweight Exclusive-OR (XOR) operations, fuzzy extractor biometric personal passwords, and a fixed-length hash operation consistent with post-quantum operations to solve the problem of two-stage medical pre-checkup and subsequent validation key agreement authentication. The random oracle authentication mechanism proves the security of the protocols, and the security analysis proves that the protocols can resist the vulnerability attacks.


Introduction
With the efforts of countries around the world, advances in communications and technology are obvious to all. With the development of electronics and mobile technology, communication technology has evolved into a portable ubiquitous generation. Especially driven by Industry 4.0, cloud computing has become one of the best choices for data processing and storage. The sensing and monitoring data of the Internet of Things is also continuously transmitted and stored in the devices of cloud computing. Physical examinations or doctor consultations can use telemedicine in addition to requiring patients to go to the hospital in person. The storage of patient medical records has also changed from manual handwriting to electronic input, and from various hospitals to cloud storage systems. Instant messaging data for telemedicine consultations, or instant messaging data stored and read from cloud servers, may expose private data or be tampered with by malicious people. Therefore, many security technologies with cloud computing as the core issue have been proposed, such as several different protocols provided in the literature [1][2][3][4][5].
In such a global village era, several competitions require pre-checkups for the participants, which must be passed before they are entitled to participate, so the accuracy of the checkup data must be confirmed and the data must not be leaked or tampered with. In addition, for issues such as the admissibility of a specimen in law and as ex-post evidence, the process of taking the specimen must be confirmed by the party concerned. However, most of the studies on communication security focus on a
The study of our integrated two-phase TCVK is organized in the following manner. Section 2 describes the related works. Section 3 shows the proposed schemes and Section 4 shows the random oracle model security proof of the proposed protocols. Section 5 makes a security analysis of the proposed scheme. Section 6 states performance comparisons of the proposed scheme. Finally, our conclusion is written in Section 7.

Related Work
In the era of telematics and telemedicine, a large amount of sensitive information is transmitted over public networks. To protect the privacy of these transmissions, much information security research has proposed various solutions, including symmetric encryption [6][7][8][9] and asymmetric encryption. Owing to the high maintenance cost of asymmetric public key methods, symmetric encryption systems have recently become popular [10][11][12]. Symmetric encryption must generate the shared key required for the session on the fly, which is how zero-knowledge-based key exchange mechanisms came into being. During key exchange, it must be ensured that the transferred messages are neither tampered with nor replayed. Therefore, some researchers use a timestamp mechanism, relying on the irreversibility of time, to secure the communication [13][14][15]. However, other researchers argue that computer timestamps cannot guarantee consistency: computers operate very fast, and a tiny time error causes the key agreement to fail. As a result, many scholars have started to use one-time random numbers (nonces) instead of timestamps [10][11][12].
Traditional public key cryptosystems (TPKCs) and elliptic curve cryptosystems (ECCs) are the key exchange systems most commonly used by researchers. Recently, in order to reduce the computational cost of communication setup and in view of the coming post-quantum era, many researchers have focused on lightweight, time-independent security. Key exchange mechanisms based on hash functions and Exclusive-OR (XOR) operations have therefore been proposed. Lightweight authentication achieves better execution efficiency than TPKC and ECC designs, so it has become a new design requirement. Instead of the traditional method of directly entering a password, a more secure and unique biometric authentication method is often used for offline key verification in recent works [16][17][18].
Recently, the fuzzy extractor, a biometric tool for user recognition and inspection, has replaced the hash function, which maps a single input to a single result, in handling the dynamic range of biometric readings [19][20][21]. The fuzzy extractor allows users to use their biometric characteristics as keys. When a user enters a biometric characteristic into the extractor, the extractor uses the generation algorithm Gen(B_i) = (X_B, P_B) to randomly generate a fixed-length string (Gen for generate and Rep for reproduce), where the secret key X_B is a string and P_B is a public key (helper value) that can be stored. An example of a biometric fuzzy extractor is shown in Figure 2. Our study also uses a combination of smart cards and participant certifications. If equipped with a powerful Central Processing Unit, Random Access Memory, and Input/Output device, a smart card can deal with more data processing tasks. The uniqueness of a participant's identification can be confirmed using the computing system installed in the smart card [22].
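As an added example (not part of the paper), the following Python code sketches a Gen/Rep pair for a bit-string biometric template using the code-offset construction with a repetition code. The paper only gives the interface Gen(B_i) = (X_B, P_B) and Rep(B_i', P_B) = X_B*; the construction, the key length and the repetition factor below are assumptions chosen to keep the example small.

```python
"""Toy fuzzy extractor Gen/Rep for a bit-string biometric template.

Added example, not from the paper. The code-offset construction with a
repetition code, and the sizes below, are assumptions.
"""
import random
import secrets

KEY_BITS = 32                   # length of the secret key X_B (toy size)
REP = 5                         # each key bit is repeated REP times
TEMPLATE_BITS = KEY_BITS * REP  # length of the biometric template B_i
TOLERANCE = REP // 2            # bit flips tolerated per block of REP bits


def encode(key_bits):
    """Repetition code: C(X_B) repeats every key bit REP times."""
    return [b for b in key_bits for _ in range(REP)]


def decode(codeword):
    """Majority vote per block; corrects up to TOLERANCE flips per block."""
    return [1 if sum(codeword[i:i + REP]) > TOLERANCE else 0
            for i in range(0, len(codeword), REP)]


def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit lists."""
    return [x ^ y for x, y in zip(a, b)]


def gen(biometric):
    """Gen(B_i) = (X_B, P_B).

    X_B is a fresh random key; P_B = B_i XOR C(X_B) is the public helper
    value the page calls P_B, which may be stored in the clear.
    """
    if len(biometric) != TEMPLATE_BITS:
        raise ValueError("template must have TEMPLATE_BITS bits")
    x_b = [secrets.randbits(1) for _ in range(KEY_BITS)]
    p_b = xor_bits(biometric, encode(x_b))
    return x_b, p_b


def rep(biometric_reading, p_b):
    """Rep(B_i', P_B) = X_B*.

    B_i' XOR P_B = C(X_B) XOR (B_i XOR B_i'), i.e. the codeword plus the
    noise between enrolment and the new reading; decoding removes the
    noise as long as every block has at most TOLERANCE flipped bits.
    """
    return decode(xor_bits(biometric_reading, p_b))


def make_template(seed):
    """Constructed biometric template: deterministic pseudo-random bits."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def flip_bits(bits, positions):
    """Simulate sensor noise by flipping the listed bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    enrolled = make_template(7)
    x_b, p_b = gen(enrolled)
    noisy = flip_bits(enrolled, [0, 7, 13, 21, 80])  # one flip per block
    print("exact reading reproduces X_B:", rep(enrolled, p_b) == x_b)
    print("noisy reading reproduces X_B:", rep(noisy, p_b) == x_b)
    print("other template reproduces X_B:", rep(make_template(8), p_b) == x_b)
```

Three flips inside one block of five exceed the tolerance, so the corresponding key bit decodes wrongly; this is the error budget a deployment of Rep has to stay within.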
In the design of secure communication protocols, in order to prove that the algorithms used to exchange messages over the public network are secure, researchers usually use probabilistic assumptions and verification. In 1993, Mihir Bellare and Phillip Rogaway first published a rigorous method of cryptographic proof using the mathematical abstraction of random oracles [23]. The main idea is to strengthen the proof with random oracles when weak assumptions cannot be used to prove a password hash function secure. In contrast to security in the standard cryptographic model, in the random oracle model each hash function is replaced with a random oracle in order to prove that the system is secure. A random oracle is a function that maps each possible query to a fixed random response from its output domain, that is, a mathematical function chosen uniformly at random [23].
Lin [24] designed a special medical examination scheme for athletes in 2019. When athletes need a physical examination before a game, they go to an on-site checkpoint for the examination and then report to the competition committee within a limited time period. In Lin's protocol, a malicious party can compute the session key by combining multiple transmissions. The communication can also be intercepted and eavesdropped, so the confidential information of the athletes can be leaked and the medical examination data tampered with [24]. Additionally, this method uses a fixed block string and generates the corresponding value with a single type of hash function, so it is also exposed to birthday attacks and meet-in-the-middle attacks. Another disadvantage of Lin's design is that online verification must be performed with the medical checkpoints for many players at the same time before the game [24].
Our study avoids the possible disadvantages of Lin's method [24] and integrates lightweight XOR operations, fuzzy extractor biometric personal passwords, and a fixed-length hash operation accords with post-quantum operations to solve the problem of two-stage medical examination data protection and future data verification. The random oracle authentication mechanism proves the security of the protocols, and the security analysis proves that the protocol can resist the vulnerability attack.

Our TCVK Mechanism
Our proposed TCVK scheme is composed of four phases: the user/participant (U_i) registration phase, the checkups station (C_j) registration phase, the pre-checkups phase, and the subsequent validation phase. Three roles, namely the user/participant (U_i), the regular checkups records server (RCRS), and the checkups station (C_j), are introduced into our scenario.

User/Participant Registration Phase
In this phase, a participant U_i registers with the regular checkups records server (RCRS) at first-time registration. Each U_i possesses a smart card that includes an identity ID_i configured by RCRS and an ex-factory number r_i. Then, U_i performs the following steps to complete the registration.
S1 U_i imprints biometric B_i on the sensor device of RCRS. Then, RCRS computes Gen(B_i) = (X_B, P_B), where Gen(.) is the generating function of the fuzzy extractor and (X_B, P_B) is the secret key and public key tuple, as illustrated in Figure 2.

Checkups Station Registration Phase
Checkups station C_j must be registered as a valid RCRS member before examinations.
S1 The checkups station makes a request {ID_Cj} to the RCRS via a secure channel.
S2 When RCRS has received the request, it creates an ID_Cj for C_j and computes the share token RCC_j = h(ID_Cj ⊕ X_S) from ID_Cj using RCRS's secret key X_S. Then, it creates a key X_RCCj for ID_Cj and stores the tuple.
S3 When the checkups station C_j receives the tuple {ID_Cj, RCC_j, X_RCCj} from RCRS, it keeps this secret.

Pre-Checkups Phase
When a registered user U_i attempts to forward physical examination records to RCRS, it must first be authenticated by the checkups station C_j. After the key agreement among U_i, C_j, and RCRS has completed successfully, U_i can forward the encrypted medical examination records to RCRS via C_j.
S1 U_i inserts the smart card into the card reader and imprints biometric B_i. Then, it retrieves Rep(B_i, P_B) = X_B*.
S2 U_i produces a random nonce R_U and computes
S3 When C_j receives {ID_i, M_0, M_1} from U_i, C_j selects a random nonce R_C and computes
S4 After RCRS receives the message {M_0, M_1, M_2, M_3, ID_Cj, ID_i} from C_j, RCRS first retrieves D_i from RCRS's database using ID_i and computes . If the above are valid, RCRS continues to handle the request. Otherwise, the session is aborted.
S5 RCRS produces a random nonce R_R and computes SK = h( . RCRS now owns the session key SK for this key agreement.
C_j verifies whether or not M_5* equals M_5. If both are the same, then mutual authentication and session key agreement are completed. Otherwise, the session is aborted. C_j now owns the session key SK for this key agreement.
By the above steps, the key agreement process has finished and the secure tunnel between C_j and RCRS is created. Then, C_j produces an encrypted examination record UR_i from the checkups station.

Subsequent Validation Phase
The user U_i has to pass subsequent validations to connect to the pre-checkup records, after which the competition committee decides whether to validate U_i or not. The proposed scheme is carried out in the following steps.
S1 U_i inserts the smart card into the card reader and imprints biometric B_i to the fuzzy extractor. Then, it computes Rep(B_i, P_B) = X_B* and UA_i = h(ID_i ⊕ X_B*).
S2 U_i produces a random nonce R_U and computes N_0 = h(UX_i ⊕ UA_i ⊕ ID_i) and N_1 = R_U ⊕ UA_i ⊕ UR_i. Then, U_i sends {N_0, N_1, ID_i} to RCRS via a public channel.
S3 When RCRS receives the message {N_0, N_1, ID_i} from U_i, RCRS finds D_i in the database using ID_i. Then, whether or not N_0 equals h(D_i ⊕ ID_i) is checked using UA_i = UX_i ⊕ D_i. If both are the same, RCRS retrieves r_i = D_i ⊕ ID_i ⊕ X_s and R_U* = N_1 ⊕ h(r_i ⊕ X_s). Otherwise, the session is aborted.
S4 RCRS produces a random nonce R_R and computes N_2 = R_R ⊕ h(r_i ⊕ X_s) and N_3 = h(SK ⊕ R_U). After preparing them, RCRS sends {N_2, N_3} to U_i. Then, RCRS gets the session key SK = h(R_U ⊕ R_R).
S5 U_i gets the session key SK* = h(R_U ⊕ R_R) and then checks whether or not N_3 = h(SK ⊕ R_U). If both are the same, the session key agreement process has finished and mutual authentication is established. Otherwise, the session is aborted. By the above steps, the key agreement process has finished and the secure tunnel is built.
S6 When RCRS has received {ID_i, ID_Cj}, it computes N_4 = h(ID_Cj ⊕ X_s ⊕ h(ID_i ⊕ X_s)). RCRS
Appl. Sci. 2020, 10, 1888 6 of 14
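As an added example (not the paper's code), the following Python sketch runs the subsequent validation exchange between U_i and RCRS with the messages defined above and shows how a tampered N_1 is caught by the N_3 check at U_i. Assumptions not fixed by the page: h is SHA-256, every value is 32 bytes, the smart card holds K_i = h(r_i ⊕ X_s) from registration, and N_1 is formed as R_U ⊕ K_i so that the recovery rule R_U* = N_1 ⊕ h(r_i ⊕ X_s) given for step S3 holds.

```python
"""Subsequent validation phase of the TCVK scheme as a runnable sketch.

Added example, not the paper's code. Assumptions: h = SHA-256 applied to
the XOR of 32-byte values; the card stores UX_i and K_i = h(r_i XOR X_s);
N_1 = R_U XOR K_i, matching RCRS's recovery R_U* = N_1 XOR h(r_i XOR X_s).
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from functools import reduce

L = 32  # byte length of every value (constructed toy size)


def h(x: bytes) -> bytes:
    """The paper's fixed-length hash h(.); SHA-256 here by assumption."""
    return hashlib.sha256(x).digest()


def xor(*vals: bytes) -> bytes:
    """Bitwise XOR of equal-length byte strings."""
    return reduce(lambda a, b: bytes(p ^ q for p, q in zip(a, b)), vals)


@dataclass
class SmartCard:
    ID_i: bytes
    UX_i: bytes   # UA_i XOR D_i, so that RCRS can use UA_i = UX_i XOR D_i
    K_i: bytes    # h(r_i XOR X_s), assumed written at registration


@dataclass
class RCRS:
    X_s: bytes = field(default_factory=lambda: secrets.token_bytes(L))
    db: dict = field(default_factory=dict)   # ID_i -> D_i


def register(rcrs, ID_i, r_i, X_B):
    """Registration values implied by the page: r_i = D_i XOR ID_i XOR X_s
    and UA_i = UX_i XOR D_i, with UA_i = h(ID_i XOR X_B)."""
    D_i = xor(r_i, ID_i, rcrs.X_s)
    UA_i = h(xor(ID_i, X_B))
    rcrs.db[ID_i] = D_i
    return SmartCard(ID_i, xor(UA_i, D_i), h(xor(r_i, rcrs.X_s)))


def user_request(card, X_B_star, R_U):
    """S1-S2: UA_i from the reproduced biometric key, then {N_0, N_1, ID_i}."""
    UA_i = h(xor(card.ID_i, X_B_star))
    N_0 = h(xor(card.UX_i, UA_i, card.ID_i))
    N_1 = xor(R_U, card.K_i)
    return N_0, N_1, card.ID_i


def rcrs_respond(rcrs, N_0, N_1, ID_i, R_R):
    """S3-S4: look up D_i, check N_0, recover R_U, derive SK, build {N_2, N_3}.
    Returns (SK, N_2, N_3), or None when the session is aborted."""
    D_i = rcrs.db.get(ID_i)
    if D_i is None or N_0 != h(xor(D_i, ID_i)):
        return None                          # unknown ID_i or tampered N_0
    r_i = xor(D_i, ID_i, rcrs.X_s)
    k = h(xor(r_i, rcrs.X_s))
    R_U = xor(N_1, k)                        # R_U* = N_1 XOR h(r_i XOR X_s)
    SK = h(xor(R_U, R_R))
    return SK, xor(R_R, k), h(xor(SK, R_U))  # SK, N_2, N_3


def user_finish(card, R_U, N_2, N_3):
    """S5: recover R_R, compute SK* = h(R_U XOR R_R) and verify N_3."""
    R_R = xor(N_2, card.K_i)
    SK = h(xor(R_U, R_R))
    return SK if N_3 == h(xor(SK, R_U)) else None   # None = abort


def run_session(tamper_N_1=False):
    """Full exchange with constructed values; returns (user SK, RCRS SK)."""
    rcrs = RCRS()
    ID_i, r_i, X_B = (secrets.token_bytes(L) for _ in range(3))
    card = register(rcrs, ID_i, r_i, X_B)
    R_U, R_R = secrets.token_bytes(L), secrets.token_bytes(L)
    N_0, N_1, ID_sent = user_request(card, X_B, R_U)
    if tamper_N_1:                           # one bit flipped in transit
        N_1 = bytes([N_1[0] ^ 0x01]) + N_1[1:]
    reply = rcrs_respond(rcrs, N_0, N_1, ID_sent, R_R)
    if reply is None:
        return None, None
    SK_rcrs, N_2, N_3 = reply
    return user_finish(card, R_U, N_2, N_3), SK_rcrs


if __name__ == "__main__":
    sk_u, sk_r = run_session()
    print("honest run, keys agree:", sk_u is not None and sk_u == sk_r)
    sk_u, sk_r = run_session(tamper_N_1=True)
    print("tampered N_1, U_i aborts:", sk_u is None)
```

In the tampered run RCRS still derives a key from the wrong R_U*, so the mismatch only becomes visible when U_i compares N_3 against h(SK* ⊕ R_U); a deployment should log that abort as a tampering indicator rather than a transient failure.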

Random Oracles Proof for the Security of Our Protocols
If the output of a function requires a strong randomness assumption, random oracles can be used as an ideal replacement for the cryptographic function. We employ the following security definitions in the proposed scenarios and proofs.
Definition 1. Partner.
We define the partner relation here. First, we suppose that each player p_i has a corresponding instance Π_i^k in the k-th session, where i ∈ I, I = {U, RCRS}, and k ∈ N. We also assume that player p_i's partner is the instance of p_j, where j ∈ I and k ∈ N. Two instances are partners if they satisfy the following conditions.

1. p_i's session equals p_j's session in the k-th session, that is, ssid_i^k = ssid_j^k.
2. Each partner's instance matches the corresponding partner's instance, that is, p_i's instance Π_i^k ≡ Π_j^k.
Definition 2. Queries. In the following, we define the query types that an attacker may use to make requests of the simulator. We also model that the attacker may control all communication during the simulation of the pre-checkups phase and the subsequent validation phase of the proposed scheme. In a "Game", an attacker may ask the following query types.

1. Send(i, k, M) (or Send(j, k, M)) query: an attacker may impersonate some player and forward the message M to the instance Π_i^k in the k-th session, where i ∈ I and k ∈ N.
2. Reveal(i, k) (or Reveal(j, k)) query: an attacker may obtain the session key from the instance Π_i^k in the k-th session, where i ∈ I and k ∈ N.
3. Corrupt(i) (or Corrupt(j)): the secret key of the instance Π_i^k is exposed to the attacker.
4. Test(i, k) (or Test(j, k)): an attacker tries to guess the real session key with non-negligible advantage. When the attacker makes this type of query, the simulator flips a coin b. If b equals 1, the simulator outputs the real session key SK_{i,j}^k of the k-th session, where i, j ∈ I and k ∈ N. Otherwise, it gives the attacker a random string chosen from {0, 1}*. The attacker then has to guess whether or not the session key is the real one. The attacker is only allowed to make this type of query to a "fresh" instance of each player.

Definition 3. Freshness.
An instance Π_i^k is "fresh" if the following conditions hold.
1. Π_i^k owns the session key, and the attacker has not made a Reveal(i, k) query to the player Π_i^k, who is p_j's instance.
2. If there is a player p_j whose instance is the partner of Π_i^k, then the attacker has not made a Reveal(j, k) query to p_j's instance, which owns the same session key.
3. The insider attacker created by the opponent is not player i or j, where {i, j} ∈ I and I = {U, RCRS}.

Definition 4. Forward Secure (FS).
We say that our scheme is "forward secure" if no attacker can guess the session key with non-negligible advantage, even when both instances have been asked the Corrupt queries (i.e., Corrupt(i) and Corrupt(j)).

Theorem 1.
We assume that h is a hash function that satisfies the random oracle (RO) assumptions. Then, we claim that our proposed scheme (AD) is a user authentication scheme with forward secrecy (FS), that is, if AD is forward secure, then
$$\mathrm{Adv}^{FS}_{AD,A,C}(\theta, t'') \le \frac{I^2 q_h}{2^{3l}}\,\mathrm{Adv}_{PC,h,RO}(\theta, t) + \frac{I^2 q_h}{2^{2l}}\,\mathrm{Adv}_{SV,h,RO}(\theta, t'),$$
where t' is the maximal game time, including the attacker's own execution time, in the subsequent validation (SV) phase, t is the maximal game time, including the time the attacker needs to distinguish the real session key, in the pre-checkups (PC) phase, t'' is the maximal game time over both phases, I is the upper bound on the number of players, θ is the security parameter of the proposed scheme, Z_n^* is the l-bit prime field, and q_h is the upper bound on the number of hash queries in the above game.
Proof. In the beginning, we consider an attacker A that attempts to break the forward security of our proposed scheme (AD) as defined above. Then, we define that the following equation holds: where b and b' are the coin flips chosen by the simulator and the attacker, respectively.
Then, we consider the above two situations in the following cases.
1. In the pre-checkups phase.
In this pre-checkups (PC) phase, we assume that there exists an attacker, D, whose job is to distinguish the real session key in this phase. The simulator that we assume to be A begins to prepare system parameters including the instance of players {i, j} ∈ I and I ∈ {U, RCRS, C} in the k-th session, where C is the checkups station in this phase with the k ∈ N under the security parameter θ.

• After preparing the above parameters to build the environment, A also prepares the above query types in order to respond to D's queries. Before the simulation starts, A also generates the corresponding key pairs for each player {i, j} ∈ I and I ∈ {U, RCRS, C}, where C is the checkups station. The simulation steps are as follows.
• In the beginning, D makes a Send(i, k, ID_i) query to A. When A receives this query, it forwards it to the hash oracle, which computes UA_i with the help of the secret key X_B, that is, UA_i = h(ID_i ⊕ X_i). A also prepares the hash oracle simulation of each message in this pre-checkups phase. The hash oracle records the tuple (i, ID_i, UA_i, M_0, M_1, k) in the k-th session.
• For the checkups station, the simulator also records the communication message (j, M_0, M_1, M_2, M_3, ID_Cj, ID_i, k, R_C). From the above message simulation, we see that A is able to handle this query type with the help of the random oracle and the secret key.
• If D makes a Reveal(i) query, A replies to D according to the secret key X_i generated in the beginning. In order to determine whether the session key is the desired one, A also asks the random oracle to generate the hash value of R_U and R_R. However, A does not know the real values of R_U and R_R. After receiving the hash value from A, D can compute SK_{i,j}^k by assigning the received hash value, where k ∈ N, {i, j} ∈ I and I ∈ {U, RCRS, C}.
• After the above query training, D makes the Test(i) query to the simulator A. We assume that D has chosen the instances i = i* and j = j* in the k-th session to attack. At this time, A flips a coin to output b. If b is 1, the simulator generates the real session key SK_{i*,j*}^k = h(R_U ⊕ R_R ⊕ R_C), where R_U, R_R, and R_C are random numbers in Z_n^* of l-bit length and i*, j* ∈ I, I ∈ {U, RCRS, C}. Otherwise, A outputs a random string from {0, 1}*. When D receives the tuple from A, its job is to distinguish whether or not this tuple is the real session key.
We assume that the attacker D can distinguish this tuple with a non-negligible advantage Adv_{PC,h,RO}(θ, t). Then, the following equation holds.

2. In the subsequent validation phase.
In this subsequent validation (SV) phase, we consider the following situation. In this phase, we assume that there is an attacker C whose job is to distinguish the real session key after gathering enough training information. The simulator that we assume to be F begins to prepare system parameters including the instance of players {i, j} ∈ I and I ∈ {U, RCRS} in the k-th session, where k ∈ N under the security parameter θ and each player's key pair. The attacker C could also make queries as follows.
• Send(i, k, ID_i) query: when the attacker makes the Send query to the simulator F, F prepares (i, ID_i) for further use in the simulation. Then, F forwards (i, ID_i) to the attacker C.
• Hash query (i, k, ID_i): when the attacker makes the hash query of instance Π_i^k with ID_i, the simulator F has the random oracle reply with the result UA_i to C, where UA_i is computed by the random oracle with the help of ID_i and the instance's secret key X_i.
• Reveal(i) query: if C makes a Reveal(i) query, F replies to C according to the hash value (i, h(R_U ⊕ R_R), R_U, R_R, k), where R_U and R_R are random numbers in Z_n^* of l-bit length chosen by player U_i and RCRS in the k-th session, respectively.
• Corrupt(i) query: if C makes a Corrupt(i) query, F replies to C with the secret key value X_i.
• Finally, if C makes a Test(i) query to F, F proceeds as follows. First, we assume that the instances i = i* and j = j* in the k-th session are chosen by attacker C, each of them being a fresh instance of its player. F then prepares the session key to respond to C depending on the coin flip b of the simulator F. If b is 1, then F computes SK_{i*,j*}^k = h(R_U ⊕ R_R), where R_U and R_R are random numbers and i*, j* ∈ I, I ∈ {U, RCRS}. Otherwise, F outputs a random string from {0, 1}*. When C receives the tuple from F, its job is to distinguish whether or not this tuple is the real session key.
We assume that the attacker C can distinguish this tuple with a non-negligible advantage Adv_{SV,h,RO}(θ, t'). Then, the following equation holds.
$$\mathrm{Adv}_{SV,h,RO}(\theta, t') = \left|\Pr\left[C(\cdot) = 1 \mid SK^k_{i^*,j^*}\ \text{is the real one in the Test query}\right] - \Pr\left[C(\cdot) = 1 \mid SK^k_{i^*,j^*}\ \text{is random in the Test query}\right]\right|$$
Finally, the following equation holds. From the above two cases, we summarize the attacker's advantage in breaking the system with the following equation.

Security Analysis
This section describes some well-known security defenses analyses for our proposed scheme.

Privileged Insider Attack
The RCRS secret key Xs is known only by the RCRS itself. In our proposed scheme, all participants, including checkups stations, have never shown their secret keys to others, and the proof in the previous section confirms that the keys cannot be derived from the communication process. Therefore, according to the definition of attack mode, we know that our TCVK scheme can indeed resist privileged insider attacks.

Perfect Forward Secrecy Attack
In our proposed scheme, the RCRS secret key X_s is not related to the session key SK; the session key is not derived from the RCRS internal key X_s. Instead, session keys are created from random numbers freshly generated by each legitimate participant in each session. Because each session key is used only for a limited time and is produced by an irreversible hash function, the attacker cannot find a pattern and guess the correct session key. That is, the key of each session is related only to random numbers, and no rule linking them can be found. Therefore, the proposed TCVK scheme provides perfect forward secrecy.

Checkups Station Impersonation Attack
If an attacker tries to impersonate C_j by transmitting a request message {ID_i, M_0, M_1} to U_i and obtains the message {M_4, M_5, M_6}, where M_6 = R_C ⊕ h(ID_i ⊕ X_s), then in order to compute M_4 and M_5 the attacker must find R_U and R_R using the shared key X_RCCj, where (R_U ⊕ R_R) = M_4 ⊕ h(X_RCCj ⊕ X_S). In the communication, if C_j is illegal, it will get a wrong value, and RCRS will immediately recognize this and terminate the illegal authentication phase. From the above description, we confirm that the proposed TCVK scheme can resist the checkups station impersonation attack.

User/Participant Impersonation Attack
If an attacker tries to impersonate a legitimate user U_i by sending a request message {ID_i, M_0, M_1}, the attacker cannot obtain the user's biometrics and cannot calculate h(r_i ⊕ X_s). In addition, RCRS checks ID_i against its own database to confirm its legitimacy; illegal data interrupts the communication. From the above description, our proposed TCVK scheme can resist participant impersonation attacks.

Offline Password Guessing Attack
When a participant's smart card is lost or stolen, an attacker may try to brute-force the owner's password to log in to the system. However, in this study the smart card does not require entering or storing any password; it only needs the biometric characteristics processed through the fuzzy extractor, and it does not directly store any private keys. Therefore, the attacker cannot obtain the biometric characteristics of the smart card owner from the smart card and is unable to apply the fuzzy extractor to pass verification in any phase of our proposed scheme. Therefore, our proposed scheme can resist offline password guessing attacks.

Stolen Smart Card Attack
Similarly, when a participant's smart card is lost or stolen, an attacker can obtain the information stored on the smart card, which only has the values the attacker must then invert, UX_i or UC_i, to obtain the secret value. However, because of the one-way property of the hash function, inverting UX_i or UC_i is computationally infeasible in polynomial time. Hence, our proposed scheme can resist stolen smart card attacks.

Session Key Security
As with the privileged insider attack, the RCRS key X_s is known only by the RCRS itself. In our proposed TCVK scheme, the session key SK is derived from the random numbers generated by each legitimate participant in the pre-checkups phase and the subsequent validation phase. Owing to the one-way property of the hash function, it is infeasible in polynomial time to recover those random values from the session key SK. Therefore, our proposed scheme provides session key security.

Man-in-the-Middle Attack
According to the definition of a man-in-the-middle attack, an attacker places itself between two parties and disguises itself as the legitimate terminal, so that neither participant in the session can tell that it is not the real terminal. Such an attack is defeated by mutual authentication. In our proposed scheme, RCRS stores the authentication data of legitimate users in its database and performs mutual identity verification. If an attacker tries to pose as a real terminal without a matching RCRS authentication record, the remaining steps of the protocol cannot be performed and no information can be obtained. Therefore, our proposed TCVK scheme can resist man-in-the-middle attacks.

Tampering Attack
Assume that the message {ID_i, M_0, M_1} sent by the user during the pre-checkups phase is tampered with in transit. RCRS receives {ID_i, M_0, M_1} and retrieves D_i by looking up ID_i in its database. If RCRS cannot map ID_i to a corresponding D_i, it concludes that the message has been tampered with. Additionally, RCRS recovers R_U from M_1 and checks whether M_0 is equal to h(R_U ⊕ h(r_i ⊕ X_s)); any modification of M_0 or M_1 makes this check fail. In other words, the attacker cannot obtain or substitute the real R_U by tampering with the message.
In the other case, the message {ID_Cj, M_2, M_3} transmitted by the checkups station is tampered with before it reaches the RCRS. RCRS recovers R_C from M_2 and checks whether M_3 is equal to h(ID_Cj ⊕ R_C), so a modified message is again rejected. Therefore, whether a user or a checkups station forwards tampered messages to the RCRS, the RCRS can detect that the messages may have been modified by an attacker. Finally, if the messages {M_4, M_5, M_6} sent by the RCRS to the checkups station during the verification phase are tampered with, the checkups station uses ID_Cj and X_RCCj ⊕ X_S to look up its database and confirms whether M_5* equals M_5, which fails for a modified message. According to the above description, our proposed scheme can resist tampering attacks.
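The checks described in the impersonation and tampering analyses above can be exercised with a small simulation. The following Python code is an added example written for this page; it is not the authors' implementation. It models only the user-to-RCRS request {ID_i, M_0, M_1}: M_0 = h(R_U ⊕ h(r_i ⊕ X_s)) is taken from the text, while the remaining details are assumptions: SHA-256 stands in for h(·), the database entry D_i is taken to be the registration value r_i, the participant is assumed to hold K_i = h(r_i ⊕ X_s) from registration, and M_1 is assumed to carry R_U masked with h(ID_i || K_i), since the page does not state how M_1 is formed.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

BLOCK = 32  # byte length of every nonce, key and hash output (assumption)


def h(data: bytes) -> bytes:
    """Fixed-length hash h(.) of the scheme; SHA-256 is an assumption."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the T_X operation)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class RCRS:
    """Server side. x_s is the RCRS master key X_s, known only to the RCRS."""

    def __init__(self, x_s: bytes) -> None:
        self.x_s = x_s
        # ID_i -> D_i. Assumption: D_i is the registration value r_i that lets
        # the RCRS recompute h(r_i xor X_s) for that participant.
        self.db: Dict[bytes, bytes] = {}

    def register(self, id_i: bytes, r_i: bytes) -> bytes:
        """Store D_i and hand the participant K_i = h(r_i xor X_s) (assumption)."""
        self.db[id_i] = r_i
        return h(xor(r_i, self.x_s))

    def verify_pre_checkup(self, id_i: bytes, m0: bytes, m1: bytes) -> Optional[bytes]:
        """Return the recovered R_U, or None when the request must be rejected."""
        d_i = self.db.get(id_i)
        if d_i is None:
            return None  # ID_i maps to no D_i: tampered ID or impersonation
        k_i = h(xor(d_i, self.x_s))
        r_u = xor(m1, h(id_i + k_i))  # unmask R_U (assumed mask h(ID_i || K_i))
        if h(xor(r_u, k_i)) != m0:  # M_0 = h(R_U xor h(r_i xor X_s)) from the page
            return None  # M_0 or M_1 was modified in transit
        return r_u


def build_request(id_i: bytes, k_i: bytes,
                  r_u: Optional[bytes] = None) -> Tuple[Tuple[bytes, bytes, bytes], bytes]:
    """Participant side: produce {ID_i, M_0, M_1} for a fresh nonce R_U."""
    r_u = r_u if r_u is not None else os.urandom(BLOCK)
    m1 = xor(r_u, h(id_i + k_i))  # assumption: M_1 = R_U xor h(ID_i || K_i)
    m0 = h(xor(r_u, k_i))         # M_0 = h(R_U xor K_i), as stated on the page
    return (id_i, m0, m1), r_u


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate an in-transit modification of a single bit."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def demo() -> Dict[str, bool]:
    """Run the genuine, tampered and impersonated cases; True means the scheme behaved as claimed."""
    rcrs = RCRS(os.urandom(BLOCK))
    id_i = b"participant-0001"  # constructed sample identity
    k_i = rcrs.register(id_i, os.urandom(BLOCK))
    (sent_id, m0, m1), r_u = build_request(id_i, k_i)
    results = {
        "genuine_accepted": rcrs.verify_pre_checkup(sent_id, m0, m1) == r_u,
        "m1_tampered_rejected": rcrs.verify_pre_checkup(sent_id, m0, flip_bit(m1, 7)) is None,
        "m0_tampered_rejected": rcrs.verify_pre_checkup(sent_id, flip_bit(m0, 0), m1) is None,
        "unknown_id_rejected": rcrs.verify_pre_checkup(b"participant-9999", m0, m1) is None,
    }
    # Impersonation: the attacker knows ID_i but not K_i and must guess it.
    (fake_id, fake_m0, fake_m1), _ = build_request(id_i, os.urandom(BLOCK))
    results["impersonation_rejected"] = rcrs.verify_pre_checkup(fake_id, fake_m0, fake_m1) is None
    return results


if __name__ == "__main__":
    print(demo())
```

One design point worth noting about the assumed masking of M_1: if M_1 were simply R_U ⊕ K_i with the same K_i that appears inside M_0, the server-side check would reduce to h(M_1) = M_0, which anyone can satisfy without knowing K_i. The mask applied to R_U in M_1 therefore has to be a value different from the one XORed into M_0, which is why the example uses h(ID_i || K_i).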

Performance Comparisons
This section compares the security, functionality and performance of Ali et al.'s scheme [25] (Ali [25]) and Chen et al.'s scheme [26] (Chen [26]) with our proposed TCVK scheme. Functionality and performance comparisons are presented in the following.

Functionality Comparisons
This subsection shows the functionality comparison among Ali [25], Chen [26], and the proposed TCVK scheme in Table 1. Providing secure communication protocols is a consistent design goal for researchers. In this article, we replace timestamps with one-time random numbers. This avoids the clock synchronization problems that timestamps introduce while still preventing the most common malicious attacks.

Efficacy Comparisons
This subsection presents the efficiency comparison of Ali [25], Chen [26], and the proposed TCVK scheme. Ali [25] applies symmetric encryption and decryption operations, and Chen [26] adopts lightweight operations. Our article applies lightweight operations in two stages. The proposed scheme involves three main communicating parties: participant/user, RCRS/server, and checkups station/gateway node (GWN). Table 2 compares the computation cost of the authentication and key agreement phase, where T_H denotes the time of one hash operation, T_X the time of one XOR operation, T_C the time of one string concatenation, and T_S the time of one symmetric encryption or decryption. Although the concatenation operation itself is cheap, the length of the concatenated input greatly affects the running time of the hash function.

Table 2. Computation cost of the authentication and key agreement phase (columns: Participant (User), RCRS (Server), Checkups Station (GWN), Sensor Nodes, Total).
Ali [25] 2T
In this article, we apply only the lightweight operations XOR and hash. In our pre-checkups phase (TCVK-PC), the protocol requires a computation cost of 25T_X + 12T_H, and in the subsequent verification phase (TCVK-FV) it requires 13T_X + 5T_H. In total, the proposed scheme performs 17T_H hash operations, which is fewer than Ali [25] and Chen [26]. Comparing the running times of the individual operations, the longest of the three is the symmetric encryption and decryption time and the shortest is the bitwise XOR time, and the length of the hashed string also affects the running time of the hash function. Therefore, our method has better performance even though its computation is spread over two stages.

Conclusions
Our TCVK uses a cloud computing network to provide an integrated two-stage medical examination and verification key agreement authentication scheme for data storage and verification. To ensure the fairness of the competition and the rights of the participants, who retain full control over and can verify their own data, the correct checkups information is encrypted using the participant's key and stored in encrypted form on the cloud server. Before participants are qualified to take part in a competition, they decrypt the encrypted checkup data and submit it to the competition committee. Through our scheme, neither party can repudiate the correctness of these checkups data. We also use the random oracle model to prove the security of the designed protocols in detail. Additionally, the security analysis and performance comparison show that our proposed protocol is secure, fast, and able to resist many types of malicious attacks.