Efficient and Secure Pairing Protocol for Devices with Unbalanced Computational Capabilities

Wearable devices that collect data about human beings are widely used in healthcare applications. Once collected, the health data will be securely transmitted to smartphones in most scenarios. Authenticated Key Exchange (AKE) can protect wireless communications between wearables and smartphones, and a typical solution is the Bluetooth Secure Simple Pairing (SSP) protocol with numeric comparison. However, this protocol requires equivalent computation on both devices, even though their computational capabilities are significantly different. This paper proposes a lightweight numeric comparison protocol for communications in which two parties have unbalanced computational capabilities, e.g., a wearable sensor and a smartphone, named UnBalanced secure Pairing using numeric comparison (UB-Pairing for short). The security of UB-Pairing is analyzed using the modified Bellare–Rogaway model (mBR). The analysis results show that UB-Pairing achieves the security goals. We also carry out a number of experiments to evaluate the performance of UB-Pairing. The results show that UB-Pairing is friendly to wearable devices, and more efficient than standard protocols when the computation capabilities of the two communication parties are highly unbalanced.


Introduction
Obtaining valuable information through big data analysis has become an important trend [1]. In particular, under the influence of Coronavirus Disease 2019 (COVID-19), much related data need to be collected, processed, and analyzed, such as datasets of nucleic acid test results, chest X-rays, and computed tomography scans [2,3]. Big data will be collected and processed in distributed or centralized servers through various terminal devices [4]. More broadly, in the field of healthcare, with the growing demand for health monitoring and vital sign tracking, the market for wearable devices has tripled in the last few years [5].
Nevertheless, the transmission of these data usually requires security mechanisms to prevent leakage [6]. Authenticated Key Exchange (AKE) negotiates shared secrets over insecure channels to protect the wireless communications [7]. In the abovementioned device-pairing scenarios, Bluetooth is a widely adopted technology [8][9][10], using three Secure Simple Pairing (SSP) protocols as its AKE solutions [11]. One of them is the numeric comparison protocol, which combines the human-computer interaction Out-Of-Band (OOB) channel and Elliptic Curve Cryptography (ECC) to assist authentication between two pairing devices. This method has been proven to be secure and easy to use [12].
However, the numeric comparison protocol assumes that the capabilities of the two communicating parties are "computationally balanced". This is often not the case in Internet of Things (IoT) applications [13,14]. For example, a paired link is established between a wearable device equipped with a body temperature sensor and a hospital server.
Thus, this paper proposes a lightweight pairing protocol, named the UnBalanced secure Pairing (UB-Pairing for short) protocol, for devices with different computational capabilities. UB-Pairing is based on the OOB channels and specifically designed for unbalanced computational requirements. It can outperform the OOB-based protocols in terms of computational costs and has a much more comprehensive range of applications in IoT systems. The main contributions are summarized as follows.
• The UB-Pairing protocol is proposed and designed: it allows the powerful device to undertake a portion of the computing tasks on behalf of the wearable device and enables mutual authentication for devices with the help of OOB channels.
• The security of UB-Pairing is analyzed using the modified Bellare-Rogaway (mBR) model [15] via the computational No Reveal-mBR (cNR-mBR) game [16]. Analysis results show that UB-Pairing achieves the security goals of an AKE protocol. Moreover, we also identify some security vulnerabilities in parallel lightweight protocols.
• We demonstrate the advantages of UB-Pairing through experimental results and use cases in COVID-19 scenarios. Results demonstrate that UB-Pairing is friendly to wearable devices, and the overall performance of UB-Pairing is better than that of benchmark protocols.
The rest of this paper is organized as follows. In Section 2, related work is reviewed and discussed. In Section 3, preliminaries are introduced. In Section 4, the design of the UB-Pairing protocol is explained. In Section 5, security analysis is presented. In Section 6, a number of experiments are conducted and the performance of the UB-Pairing protocol is studied. In Section 7, a use case and corresponding application are simulated. Finally, in Section 8, the paper is concluded.

Related Work
Secure Simple Pairing (SSP) protocols can establish secure communications between devices. Depending on the input and output capabilities of the device, a series of MANual Authentication (MANA) protocols have been designed by Gehrmann, Mitchell, and Nyberg [17]. Vaudenay designed a protocol that requires only one message on the OOB channel and pointed out the efficiency problems of MANA protocols that require two OOB channel messages [18]. In [19], the protocol in [18] was improved by reducing one message sent over the wireless channel. In the same year, Laur and Nyberg proposed the three-round protocols MANA IV and MA-DH with a formal security analysis [20]. Later, a series of SSP protocols were proposed using a theory called hash commitment before knowledge [21][22][23][24], which forms the basis of our security analysis. In 2015, Nguyen and Leneutre [25] proposed a lightweight scheme for device pairing with only four messages. However, a brute-force attack was found by Khalfaoui et al. [26]. Later, in 2017, Taparia, Panigrahy, and Jena [27] proposed AKE based on a commitment scheme and authentication strings to withstand MITM (man-in-the-middle) attacks. Unfortunately, we found that their protocol had a design flaw leading to an MITM attack, which will be explained in the security discussion section. In recent years, Hou, Zhang, and Man tried to resist side-channel attacks in SSP protocols [28]; Groza et al. [29] used accelerometer data to establish OOB channels. IEEE 802.15.6 employs the SSP protocols to establish initial trust in wearable applications [30]. In terms of security, Huang, Liu, and Zhang [31] identified that impersonation and MITM attacks were found against password-authenticated association protocol IEEE 802.15.6. Later, an improved protocol was proposed to solve the security defects [32], including off-line attacks and the lack of forward secrecy. 
In terms of light weight, Zhang, Xue, and Huang [33] proposed a lightweight version of the display association protocol in IEEE 802.15.6 for pervasive social networks.
Bluetooth also uses SSP as the authentication protocol in wearable applications [11]. Recently, researchers have carried out intensive research on the security of numeric comparison protocols [28,34,35] as well as the Passkey Entry protocols [36] in the Bluetooth standard. However, the requirement of being lightweight for these protocols has not been adequately studied. The proposed protocol aims to address this requirement. To evaluate the performance, we chose the numeric comparison protocol (named Pairing-Bluetooth) in the Bluetooth standard [11], the display-authenticated association protocol (named Pairing-IEEE 802.15.6) in IEEE 802.15.6 [30], and Zhang, Xue, and Huang's protocol (named ZXH) [33] as the benchmark protocols. Pairing-Bluetooth and Pairing-IEEE 802.15.6 are two standard protocols that have been widely used in many applications; ZXH is a lightweight solution for IEEE 802.15.6.

Preliminaries
This section introduces the system model, security goals, security models, and relevant security mechanisms. Table 1 summarizes the notations used in this paper.  Figure 1 shows the system model. UB-Pairing can be applied to scenarios where two parties with unbalanced computational capabilities intend to generate a shared link key through Bluetooth connections. Without loss of generality, we assume that a wearable device (A) intends to establish a common secret key with a relatively computationally powerful smartphone (B) via UB-pairing. Then, using the shared link key, the health data can be securely collected and transmitted to the smartphone according to the Bluetooth protocol stack [11]. A and B can both display a 6-digit number and allow the users to enter confirmation signals (yes or no). If "yes" is entered on both devices, the pairing is successful. An attacker cannot alter, insert, delay, or delete the 6-digit numbers and confirmation signals.
UB-Pairing has two security goals:
• To be secure under passive eavesdropping: the adversary cannot infer any useful information from eavesdropping;
• To be secure against MITM attacks (active eavesdropping): it prevents a third party from establishing independent contacts with both communication parties without being detected.

Security Model
Kudla and Paterson in [16] proposed modular security proofs and the mBR model. We use their cNR-mBR game to prove the security of UB-Pairing based on the mBR model.

cNR-mBR Game
A cNR-mBR game is a simulation of a protocol being attacked by an adversary. Kudla and Paterson mainly followed the spirit of the BR model [15,37] to construct the security game and removed the Reveal-query of the mBR model.
Formally, a protocol is denoted by $\Pi$, the security of which is modelled by a cNR-mBR game between an adversary A and a challenger C. $k$ is the security parameter; $P$ is the set of participants; oracle $\Pi_U^i$ is a session of $U$ with session number $i$; $SK_U$ is the private key of $U$, and $PK_U$ is the public key. The adversary A is given all $\{PK_U\}$ and has access to any $\Pi_U^i$ together with random oracles, which are set by C to simulate the attack of A using inquiries and responses:
• Send($\Pi_U^i$, $M$): A sends an arbitrary message $M$ to the oracle $\Pi_U^i$, and $\Pi_U^i$ responds according to $\Pi$. If $M = \lambda$, the oracle $\Pi_U^i$ initiates a protocol run with its partner $U'$ and $\{role_U = \text{initiator}, role_{U'} = \text{responder}\}$.
• Corrupt($U$): A obtains the private key $SK_U$ of $U$.
• Test($\Pi_U^i$): $\Pi_U^i$ must be accepted, and its partner must not be queried by the Corrupt oracle. Then, a random element in the key space of the protocol is returned to A.

cNR-mBR-Secure Protocol
For any adversary A, let $\mathrm{Advantage}^{E}(k)$ be the probability that the session key $sk$ guessed by A is equal to $sk_{\Pi_U^i}$, where $\Pi_U^i$ is the oracle responding to the Test query.
Definition 1. $\Pi$ is a cNR-mBR-secure protocol if:
• Two oracles running the protocol both accept holding the identical session key and session ID, and the session key is distributed uniformly on $\{0, 1\}^k$ for a benign adversary;
• $\mathrm{Advantage}^{E}(k)$ is negligible for any adversary A in the cNR-mBR game.

Partnership
The partnership between two participants is defined as follows.

Definition 2.
Suppose that $\Pi_U^i$ holds $(sk, sid, pid)$, $\Pi_{U'}^j$ holds $(sk', sid', pid')$, and both oracles have accepted. Two oracles $\Pi_U^i$ and $\Pi_{U'}^j$ are partners when the following three conditions are satisfied:
• $pid = U'$, $sk = sk'$, $sid = sid'$, and $pid' = U$, and
• $role_U = \text{initiator}$ and $role_{U'} = \text{responder}$ or vice versa, and
• no oracle accepts on the same session ID $sid = sid'$ besides $\Pi_U^i$ or $\Pi_{U'}^j$.
The mBR model [16] requires that Π has a strong partnering property.
Definition 3. Assume that adversary A has a non-negligible advantage over protocol Π in the cNR-mBR game. Π has weak partnering if A could cause any two oracles to accept holding the same session key when they are not partners. Otherwise, Π has strong partnering.

Hardness Assumptions
Suppose that $EC$ is an elliptic curve, $G$ is its generator of order $q$, and $a, b, c \in \mathbb{Z}_q^*$.
• Computational Diffie-Hellman (CDH) assumption: given $a \times G$, $b \times G$, the advantage of computing $ab \times G$ in probabilistic polynomial time is negligible.
• Decisional Diffie-Hellman (DDH) assumption: given $a \times G$, $b \times G$, $c \times G$, the advantage of determining whether $c \times G = ab \times G$ in probabilistic polynomial time is negligible.
• Gap Diffie-Hellman (GDH) assumption: given $a \times G$, $b \times G$ and an oracle that solves the DDH problem, the advantage of computing $ab \times G$ in probabilistic polynomial time is negligible.

Security Mechanisms
Several security mechanisms are worth mentioning here.

Commitment Scheme
A commitment scheme is defined as follows.

Definition 4.
The following two algorithms constitute a commitment scheme:
• The probabilistic algorithm $\mathrm{Commit}(pub, x) \to (c, t)$, where $x$ is the $n$-bit private value to be committed, $c$ is the commitment value, $t$ is the corresponding opening value, and $pub$ is some public value.
• The deterministic algorithm $\mathrm{Open}(pub, c, t) \to x \in \{1, 0\}^n \cup \{\bot\}$. This algorithm returns the $n$-bit private value $x$ if the commitment $c$ is valid, or $\bot$ otherwise.
The commitment scheme shall satisfy the following two properties:
where k is the l-bit key, m is the n-bit message, and d is the 16-bit output. It satisfies two properties: • r -(no uniform compensation) property:

The Proposed Protocol
In this section, we first provide a brief review on the Pairing-Bluetooth in [11]; then, the UB-Pairing protocol design is explained in detail and its advantages are described afterwards.

Review of Pairing-Bluetooth
The Pairing-Bluetooth protocol is composed of four phases. Figure 2 shows the integrated process of Pairing-Bluetooth.

[Figure 2: Pairing-Bluetooth between Initiating Device A and Non-initiating Device B.]

UB-Pairing
UB-Pairing transfers one scalar multiplication from the wearable device A to the more powerful smartphone B. First, both A and B compute their private-public key pairs; then, they start the two authentication stages and, finally, the Link Key Calculation. The process is demonstrated in Figure 3. After these, A and B will share a fresh and secure session key (or link key [11]).

Initiation
Both A and B share the public parameters of elliptic curve $EC$, generator $G$, prime finite field $\mathbb{Z}_q^*$, and security parameter $k$. Then, A generates its private and public key pair $SK_A$ and $PK_A = SK_A \times G$; B generates its private and public key pair $SK_B$ and $PK_B = SK_B \times G$.

Authentication Stage 1
• A sends the message $M_1$ to B as (1):
• Upon receiving $M_1$, B generates a random value $R_B \in \mathbb{Z}_q^*$ and computes $U_B$, $T_B$, and a commitment $C_B$ as (2)-(4): Then, B sends the message $M_2$ to A as (5):
• Upon receiving $M_2$, A generates a random value $R_A \in \mathbb{Z}_q^*$ and computes $U_A$ as (6): A sends the message $M_3$ to B as (7).
• Upon receiving $M_3$, B computes digest $D_B$ as (8): B then displays the six-digit decimal number converted from $D_B$. Meanwhile, B sends the message $M_4$ to A as (9):
• Upon receiving $M_4$, A verifies $C_B$ as (10): If the verification succeeds, A computes a digest $D_A$ as (11): A then displays the six-digit decimal number converted from $D_A$.
• The human user checks if $D_A = D_B$. If the digests are equal, the user confirms on each device. The two devices compute the shared key as (12) and (13):

Authentication Stage 2
• A firstly computes $mac_A$ as (14): Then, A sends the message $M_5$ to B as (15):
• B firstly checks the following Equation (16): When the verification succeeds, B computes $mac_B$ as (17): Then, B sends the message $M_6$ to A as (18):
• A checks the following Equation (19):

Link Key Calculation
If the verification of $mac_B$ and $mac_A$ succeeds, A and B derive the link key $LK$ from the shared key as (20):

Advantages
The Bluetooth Core Specification [11] stipulates that the device should replace the public-private key pair in each round for protecting the device's private key. This leads to recalculating a new public-private key pair every time. However, UB-Pairing can generate fresh shared secrets while using the long-term public key. Since UB-Pairing shifts the computational load (one scalar multiplication) from the wearable device to the smartphone, it significantly reduces the computational requirements of the wearable device.
The computational complexity required for UB-Pairing and related protocols is shown in Table 2, where $S_A$ and $S_B$ represent the computational complexity on A and B, respectively. In Pairing-Bluetooth and Pairing-IEEE 802.15.6, the time complexity of A and B is the same, and both A and B undertake two scalar multiplications; meanwhile, in the ZXH and UB-Pairing protocols, the time complexity difference between A and B is mainly in scalar multiplication, where A undertakes one scalar multiplication, and B undertakes three scalar multiplications.
Table 2. Number of cryptography operations required on the two parties in UB-Pairing and related protocols.
[29] $2lT_{mod} + lT_h$ $2lT_{mod} + lT_h$ HDK [28] 2T
Note: $T_h$: HMAC operation; $T_a$: elliptic curve point addition; $T_m$: elliptic curve point scalar multiplication; $T_x$: xor operation; $T_{mod}$: modular exponentiation; $l$ is typically larger than 56.
The ZXH protocol is based on IEEE 802.15.6 (which is not as widely used as Bluetooth) and lacks explicit key confirmation. In addition, an inattentive user may confirm two unequal values, but ZXH is unable to detect this kind of human error (this will be explained in the next section).
Note: Pairing-Bluetooth, Pairing-IEEE 802.15.6, and ZXH are selected as benchmark protocols in the experiments. The reason is that these three protocols are more efficient than other protocols, as shown in Table 2.

Security Analysis
We analyze the security of UB-Pairing in this section.

Formal Security Proof
To start, we first define a similar protocol, UB-Pairing′, from UB-Pairing. UB-Pairing′ is identical to UB-Pairing except for the session key: UB-Pairing′ uses the string $\{K, A\,B\,PK_A\,PK_B\}$, while UB-Pairing uses $\mathrm{MAC}(K, A\,B\,PK_A\,PK_B)$.
Theorem 1. Suppose that there is an adversary A to protocol UB-Pairing′ that can win the cNR-mBR game with non-negligible probability $\eta(k)$ in polynomial time $\tau(k)$, where $k$ is the security parameter of UB-Pairing′. The number of participants is $n_P$ and the number of sessions that each participant may be involved in is $n_S$, where $n_P$ and $n_S$ are both polynomial functions of $k$. Then, the CDH problem can be solved with non-negligible probability η(k) 1
The proof of Theorem 1 is given in Appendix A. Based on Definition 4 (commitment scheme) and Definition 5 ($\mathrm{MAC}_{16}(\cdot)$), we redefine them here:
Definition 6. Commit(·) algorithm modelled by $\mathrm{MAC}_{Cmt}$-oracle is a $\mathrm{MAC}_{Cmt}$-query, where the input value is composed of the public keys and private data, and the output of $\mathrm{MAC}_{Cmt}$-oracle is the commitment value $c$. Then, the Open(·) algorithm in Definition 4 is a $\mathrm{MAC}_{Cmt}$-query, too, where the output value is compared with the commitment value $c$ held by the query executor. If the output value equals $c$, $c$ is a valid commitment; otherwise, $c$ is an invalid commitment.
The commitment scheme has the following two properties: According to Theorems 1-3, UB-Pairing is secure in the mBR model if the CDH, DDH, and GDH assumptions hold.

Security Discussion
We discuss the security of UB-Pairing and other protocols [11,25,27,28,30,33] with regard to several security threats involving human users [38]. The results are summarized in Table 3.

Man-in-the-Middle Attack
The attacker can modify the messages transmitted on the wireless channel. For example, to obtain the session key $LK$, the attacker can replace the values of $U_A$, $T_B$, $PK_A$, and $PK_B$. Nevertheless, with the commitment scheme and OOB checking, the attacker must commit to an unknown value, and pass the verification of honest party A or the confirmation of the user who compares the two short numbers. In such cases, the attacker's advantage is negligible. Therefore, UB-Pairing can resist MITM attacks.
However, in Taparia, Panigrahy, and Jena's protocol [27], as shown in Figure 4 (where $D_a = m_a$ w.l.o.g.), an MITM attacker could replace $g^{X_b}$ with its own generated $g^c$ in message $m_b$. Since A accepts $m_b$ without authentication, and furthermore, $S_a$ and $S_b$ exclude $g^{X_b}$, A will then generate the shared secret key $K_a = (g^c)^{X_a} = g^{cX_a} \bmod p$. Therefore, the attacker could calculate the key $K_c = (g^{X_a})^c = g^{cX_a} = K_a \bmod p$. Hence, Taparia, Panigrahy, and Jena's protocol [27] could not resist MITM attacks.

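[Figure 4: Taparia, Panigrahy, and Jena's protocol [27] between Alice (A) and Bob (B). A is given $ID_a$, $g$, $p$ and B is given $ID_b$, $g$, $p$; A selects $X_a$ and computes $g^{X_a}$; if the user confirmed $S_a = S_b$, then both A and B compute $K = g^{X_a X_b} \bmod p$.]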
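The effect of leaving $g^{X_b}$ out of the compared strings, as an added example that is not code from this paper or from [27]. The toy group, the exponents, the `short_string` derivation and all function names are constructed for illustration, and the commitment step is omitted so that only the question of what the compared string covers is shown.

```python
import hashlib

# Constructed toy parameters (assumption): a 127-bit Mersenne prime and a
# small base. Far too weak for real use; chosen so the example runs instantly.
P = 2**127 - 1
G = 3

# Constructed exponents: X_A and X_B belong to the two honest parties,
# C_EXP to the party in the middle described in the text.
X_A = 0x1A2B3C4D5E6F
X_B = 0x0F1E2D3C4B5A
C_EXP = 0x123456789ABC


def short_string(*fields) -> str:
    """Six-digit string a user compares, derived from the listed fields."""
    h = hashlib.sha256()
    for field in fields:
        data = str(field).encode()
        h.update(len(data).to_bytes(4, "big") + data)  # length-prefix each field
    return f"{int.from_bytes(h.digest()[:4], 'big') % 10**6:06d}"


def run_exchange(cover_responder_value: bool, substituted: bool):
    """Simulate one run and return (S_a, S_b, K_a, K_b).

    cover_responder_value: whether the compared strings include g^X_b.
    substituted: whether A receives g^c in place of g^X_b.
    """
    g_xa = pow(G, X_A, P)
    g_xb = pow(G, X_B, P)
    seen_by_a = pow(G, C_EXP, P) if substituted else g_xb

    common = ("ID_a", "ID_b", g_xa)
    if cover_responder_value:
        s_a = short_string(*common, seen_by_a)  # A hashes the value it received
        s_b = short_string(*common, g_xb)       # B hashes the value it sent
    else:
        s_a = short_string(*common)             # g^X_b is not covered at all
        s_b = short_string(*common)

    k_a = pow(seen_by_a, X_A, P)  # key A derives from what it received
    k_b = pow(g_xa, X_B, P)       # key B derives
    return s_a, s_b, k_a, k_b


def user_would_confirm(cover_responder_value: bool, substituted: bool) -> bool:
    """True when both displays match, i.e. the user has no reason to reject."""
    s_a, s_b, _, _ = run_exchange(cover_responder_value, substituted)
    return s_a == s_b


if __name__ == "__main__":
    for cover in (False, True):
        for sub in (False, True):
            s_a, s_b, k_a, k_b = run_exchange(cover, sub)
            print(f"covered={cover!s:5} substituted={sub!s:5} "
                  f"S_a={s_a} S_b={s_b} keys_equal={k_a == k_b}")
```

When the strings do not cover $g^{X_b}$, the displays match even though A and B hold different keys; once each side hashes the value it actually sent or received, the substitution shows up as a mismatch the user can reject.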

Replay Attack
The attacker may replay the messages transmitted in the previous sessions. In UB-Pairing, both A and B generate a fresh nonce or a random number and DHKey in every session. Moreover, the attacker cannot reverse the secure hash function to obtain the random value. Thus, the attacker can only replay the commitment, while the human user's confirmation can prevent the session from proceeding to the next step. Therefore, UB-Pairing can resist replay attacks.

Brute-Force Attack
The attacker may use brute force to extract the values of nonce or random numbers from the hashes. In UB-Pairing, $R_A$ and $R_B$ are used as ephemeral secrets, the length of which is the same as the private keys (e.g., 160 bits). Therefore, the advantage of an attacker using brute force is negligible. Meanwhile, in Nguyen and Leneutre's protocol [25], their exchanged commitment contained a short nonce used for subsequent OOB checking, but they ignored the ability of an attacker that could extract the nonce by brute-force search. If the nonce is revealed, the attacker could obtain the value used for OOB checking in advance, rendering the protocol insecure. Therefore, their protocol cannot resist the brute-force attack [26].

Inattentive or Dishonest User
The human user may be careless when confirming two different values. UB-Pairing requires key confirmation through a MAC exchange after the careless user confirms, which is not given in ZXH [33] and Pairing-IEEE 802.15.6 [30]. In UB-Pairing, if any MAC verification ($mac_A$ or $mac_B$) fails, the honest party will abort. Therefore, UB-Pairing can tolerate an inattentive or dishonest user.

Rushing Behavior
The human user may forget the confirmation step. UB-Pairing cannot proceed without receiving the confirmation signals from the two negotiating parties, as the session key cannot be generated. Hence, the attacker cannot utilize the rushing behavior of human users to crack UB-Pairing.

User Observation
The attacker may learn the six-digit number through a hidden camera. $D_A$ and $D_B$ are computed from the messages transmitted on the wireless channel, on which the attacker may eavesdrop. Therefore, the attacker could compute the value of $D_A$ or $D_B$. However, the attacker cannot obtain $D_B$ or $D_A$ in advance; hence, observing the six-digit number does not pose a threat to the security of UB-Pairing.

Honest-but-Curious Party
The negotiating parties may be interested in obtaining some additional information from each other. In UB-Pairing, the additional information may be the long-term private keys. If B wants to derive A's private key $SK_A$ through $U_A$, it is no different from obtaining a random number. Moreover, $T_B$ gives no advantage to A to derive the private key $SK_B$. Therefore, honest-but-curious parties cannot obtain additional information in UB-Pairing.

Performance Analysis
The performance of UB-Pairing is studied via a series of experiments. Details are elaborated below.

Setup
The experimental setup is shown in Table 4. Experiments I and III used a Raspberry Pi and a virtual machine, and Experiment II used two identical virtual machines. The CPU of the Raspberry Pi was 1.2 GHz ARM, the CPU of the virtual machine was i7-6700HQ 2.6 GHz, and the programming language was Python. The Raspberry Pi was used as the wearable device A, with the virtual machine in a laptop as the powerful device B. The elliptic curves were P-192, P-224, P-256, P-384, and P-521, which are recommended by Federal Information Processing Standards (FIPS). The HMAC based on SHA-256 was used as the default MAC algorithm. The $\mathrm{MAC}_{16}$ algorithm in experiments II, III, and IV was implemented based on the MAC algorithm. The output of $\mathrm{MAC}_{16}$ was the first 16 bits of the MAC output. In the rest of the section, we use $T_x^y$ to represent the time of running $y$ on device $x$. For all experiments, we repeated them 10 times and used the average value as the final result.
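A sketch of the building blocks named in Definition 4 and in this setup (Commit/Open, HMAC-SHA-256, and a 16-bit truncated MAC shown as six digits), as an added example that is not the authors' implementation. The way fields are framed, the inputs to `short_digest`, the zero-padded display rule and all function names are assumptions; the paper's own message formulas are not reproduced here.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-256, the default MAC in the experimental setup."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac16(key: bytes, msg: bytes) -> bytes:
    """MAC_16: the first 16 bits (2 bytes) of the MAC output."""
    return mac(key, msg)[:2]


def six_digits(d: bytes) -> str:
    """Assumed display rule: the 16-bit digest as a zero-padded decimal."""
    return f"{int.from_bytes(d, 'big'):06d}"


def _frame(*parts: bytes) -> bytes:
    """Length-prefix each field so that concatenation is unambiguous."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def commit(pub: bytes, x: bytes):
    """Commit(pub, x) -> (c, t): c hides x, and t = (r, x) opens it."""
    r = secrets.token_bytes(32)  # fresh randomness makes Commit probabilistic
    return mac(r, _frame(pub, x)), (r, x)


def open_commitment(pub: bytes, c: bytes, t):
    """Open(pub, c, t) -> x, or None (standing in for ⊥) if c does not match."""
    r, x = t
    expected = mac(r, _frame(pub, x))
    return x if hmac.compare_digest(expected, c) else None


def short_digest(pk_a: bytes, pk_b: bytes, r_a: bytes, r_b: bytes) -> bytes:
    """Hypothetical digest layout over both public keys and both random values."""
    return mac16(r_b, _frame(pk_a, pk_b, r_a))


def numeric_comparison(pk_a: bytes, pk_b: bytes, flip_commitment_bit: bool = False):
    """One commit-then-reveal run; returns (shown_on_A, shown_on_B) or None."""
    pub = _frame(pk_a, pk_b)
    r_b = secrets.token_bytes(20)          # 160-bit random value held by B
    c_b, t_b = commit(pub, r_b)            # B -> A: the commitment only
    if flip_commitment_bit:                # simulate a commitment altered in transit
        c_b = bytes([c_b[0] ^ 0x01]) + c_b[1:]
    r_a = secrets.token_bytes(20)          # A -> B: chosen after c_b is fixed
    shown_b = six_digits(short_digest(pk_a, pk_b, r_a, r_b))
    opened = open_commitment(pub, c_b, t_b)  # B -> A: opening value, A verifies
    if opened is None:
        return None                        # A aborts before displaying anything
    shown_a = six_digits(short_digest(pk_a, pk_b, r_a, opened))
    return shown_a, shown_b


if __name__ == "__main__":
    print(numeric_comparison(b"PK_A-bytes", b"PK_B-bytes"))
    print(numeric_comparison(b"PK_A-bytes", b"PK_B-bytes", flip_commitment_bit=True))
```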

Experiment I
In experiment I, we evaluated the computing time of HMAC, CMAC, point addition, and scalar multiplication on a Raspberry Pi and a virtual machine. The elliptic curve used was P-192. The average computing time is shown in Table 5. Thus, we should try to reduce the time of scalar multiplication on the wearable devices.

Experiment II
In experiment II, we evaluated the computing time of UB-Pairing on two communication parties, B1 and B2, which were two virtual machines. The average computing time is shown in Figure 5. We can see that T B1

T B2
UB-Pairing . This result verified that
• UB-Pairing transferred one scalar multiplication from B1 to B2;
• The UB-Pairing protocol can reduce the computational loads on one communication party, and it is more friendly to wearable devices.
Thus, we can conclude that UB-Pairing can reduce the computational loads on one communication party. It is more friendly to wearable devices.

Experiment III
In this experiment, we implemented and evaluated the running and computing time of UB-Pairing on two communication parties: Raspberry Pi A and a virtual machine B in the laptop. Pairing-Bluetooth, Pairing-IEEE 802.15.6, and ZXH were used as the benchmarks. Results are shown in Figure 6. Moreover, the communication overhead is shown in Table 6. The differences between running time and computing time are small. In other words, the dominant factor that influences the protocol performance is the time of computing scalar multiplications. In summary, the results verified that UB-Pairing performs better than Pairing-Bluetooth and Pairing-IEEE 802.15.6 when the computational capabilities of the two devices are unbalanced, and UB-Pairing is more friendly to wearable devices. The performance of UB-Pairing and ZXH is almost the same; however, UB-Pairing is more secure (see Table 3), and has more application scenarios since Bluetooth has been widely used.

Use Case and Advantages
This section illustrates the usages and advantages of UB-Pairing via a use case in emergency scenarios. It verifies whether UB-Pairing is more applicable for emergency scenarios than symmetric-AKE protocols [15] and general asymmetric encryption-based AKE protocols [39].

Application of UB-Pairing
In temporary mobile cabin hospitals and nucleic acid PCR testing areas (Figure 7), the public key infrastructure is not always available, and information sharing between devices must be carried out in ad hoc ways. The following steps explain how to use UB-Pairing.
Suppose that there are two characters, Alice and Bob, in our scenario. Their devices should support UB-Pairing. In particular, Alice's device is a computationally limited device, e.g., a mobile phone A, and Bob's is a powerful device, e.g., a server B. Moreover, both A and B should support encryption/decryption algorithms such as AES and MAC algorithms such as HMAC.
Suppose that there are N devices in emergency scenarios.
• N1 represents the number of devices in N that have master keys (mk) with each other. When devices A and B have mk with each other, the symmetric-AKE protocol in [15] will be run. The probability that the symmetric-AKE protocol is successfully executed is $P1 = \left(\frac{|N1|}{|N|}\right)^2$.
• N2 represents the number of devices in N that have public keys pk (and no mk) with each other. When devices A and B have public keys with each other, the TLS-AKE protocol in [39] will be run. The probability of the TLS-AKE protocol being successfully executed is $P2 = \left(\frac{|N2|}{|N|}\right)^2$.
• N3 (N4, N5, or N6) represents the number of devices that have neither mk nor pk. In the situation wherein devices have neither master key nor public key, we will run UB-Pairing (N3), ZXH (N4), Pairing-Bluetooth (N5), or Pairing-IEEE 802.15.6 (N6). The probability of the protocol being successfully executed is
When A and B generate the link key, they can use it to send messages securely.

Advantages
Here, we analyze the advantages of UB-Pairing. The availability results are shown in Figures 8 and 9. We find that the connection probability of UB-Pairing (P3) is roughly the same as that of the ZXH protocol (P4), Pairing-Bluetooth (P5), and Pairing-IEEE 802.15.6 (P6), and better than the case in which devices only have shared mk and pk. In addition, when the proportion of N3 (N4 or N5 or N6) increases, the advantages of UB-Pairing, ZXH, Pairing-Bluetooth, or Pairing-IEEE 802.15.6 are much more obvious.
However, UB-Pairing is much more efficient than Pairing-Bluetooth and Pairing-IEEE 802.15.6. Although the efficiency of UB-Pairing and ZXH is almost the same, the use of Bluetooth is more extensive than that of IEEE 802.15.6, and UB-Pairing is more secure than ZXH (see Table 3).
In the extreme case, when protocols run between devices with unbalanced computational capabilities in experiment III, the accumulated authentication time is as shown in Figure 10. In the case in which the elliptic curve is P-521, P3/P4/P5/P6 = 90%, and N = 100/540/1000, UB-Pairing can save 16 min more than Pairing-Bluetooth and 14 min more than Pairing-IEEE 802.15.6. This is extremely important for emergency medical treatment.

Conclusions
Secure Simple Pairing (SSP) protocols are simpler and more elegant than PKI (Public Key Infrastructure)-based solutions; thus, they have become useful in applications in the mobile computing era. Many researchers have proposed SSP protocols in the past few years, and MANA protocols are one of the representative SSP protocols [17][18][19][20]. Bluetooth [11] and IEEE 802.15.6 [30] also use SSP as their authentication protocols, and some improved versions have been proposed [28,32-36]. Currently, the security, performance, and usability of SSP protocols are still the main research questions.
This paper presented the design of the UB-Pairing protocol, which is specifically proposed for improving the protocol performance where the two communicating parties have unbalanced computational capabilities. The security of UB-Pairing was analyzed using the modified Bellare-Rogaway (mBR) model via the computational No Reveal-mBR (cNR-mBR) game. The analysis results showed that UB-Pairing achieves the security goals of an AKE protocol. Experimental results showed that UB-Pairing is more friendly to wearable devices and more efficient than standard protocols [11,30] when the computation capabilities of the two communication parties are highly unbalanced. Moreover, compared with ZXH [33], UB-Pairing is more secure and has more application scenarios since Bluetooth has been widely used. Further comparison regarding the performance and security can be found in Tables 2 and 3, and experimental results in Section 6.
In the next few years, when healthcare applications based on Blockchain [40] and Metaverse [41] enter the market, more and more Bluetooth devices will be used to generate health data, and UB-Pairing can play an important role in these applications since it performs better than standard protocols in many cases.
UB-Pairing is the authentication procedure of the whole Bluetooth protocol; thus, if the Bluetooth protocol is used for transmitting large files, the performance improvement is not as obvious as transmitting many small files. In the future, we will study more lightweight AKE protocols, as well as lightweight secure transmitting protocols, which can cover more scenarios.

Conflicts of Interest:
The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

Abbreviations
The following abbreviations are used in this manuscript:

Appendix A
Proof of Theorem 1. We construct a challenger C from A. C is a CDH problem solver: where $SK_A, SK_B \in \mathbb{Z}_q^*$. C sets the following preparation:
• For the participant B, C sets B's public key as $PK_B = SK_B \times G$; for the participant A, C sets A's public key as $PK_A = SK_A \times G$.
• For other participants P, C generates P's private keys as $SK_P \in \mathbb{Z}_q^*$ and sets their public keys as $PK_P = SK_P \times G$.
• All public keys are sent to A.
Suppose that $\{I, J\}$ are two arbitrary participants. C picks a session number $t \in \{1, \ldots, n_S\}$, starts A, and answers A's queries as follows:
• Send($\Pi_I^s$, $M$):
  - If $M = C_B$, $I = A$ and $role_A = \text{initiator}$, C picks a random number $U_A \in \mathbb{Z}_q^*$ and sends $U_A$ to A.
• Test($\Pi_I^s$): C returns with a random string in the form of $\{K, A\,B\,PK_A\,PK_B\}$.
The probability that A queries the oracle $\Pi_A^t$ for the test session and $pid_A = B$ is 1 Suppose that A outputs a valid session key in the form of $\{K, A\,B\,PK_A\,PK_B\}$ with probability $\eta(k)$. In this case, Thus, C can output $SK_A \times SK_B \times G = U_A \times PK_B − K$ as the solution of the CDH problem with non-negligible probability η(k) 1

Appendix B
Proof of Theorem 2. We use Msg to indicate the message sent by A or B. Msg is the message transmitted by A, which may not be equal to Msg. Suppose that $\Pi_A^s$ and $\Pi_B^t$ are two legal oracles, and A could make oracles $\Pi_A^s$ and $\Pi_C^u$ accept holding the same session key but without being partners. In the end, $\Pi_A^s$, $\Pi_B^t$, and $\Pi_C^u$ have accepted; $\Pi_A^s$ and $\Pi_C^u$ hold $\{K_A, A\,B\,PK_A\,PK_B\}$ and $\{K_C, A\,B\,PK_A\,PK_B\}$, respectively. To obtain the same session key, $\Pi_A^s$ and $\Pi_C^u$ must make the same $\mathrm{MAC}_{LinkKey}$ query. This means $K_A = K_C$.
Let S denote event "A succeeds": where Not-partners refers to the event in which A and B are not partners, A-B -accept refers to the event in which A and B have successfully verified $C_B$ (Event $X_C$), digests (Event $X_D$), $mac_A$ and $mac_B$ (Event $X_M$), and A-B-C -accept refers to the event in which A, B, and C have successfully verified $C_B$, digests, $mac_A$ and $mac_B$. With (A2)-(A5), then we have where $W = \{X_C \wedge X_D \wedge S_2\}$. In addition, let where ind means that two events are independent (e.g., $V_{1.1}$ and $V_{1.2}$). Lemma A1 is proven.
where tpp means the total probability principle, operation (a) omits two probabilities less than 1 (Pr[V] and Pr[V]), and operation (b) substitutes the conclusions of Lemmas A1 and A2.
A makes two oracles accept while they are not partners with each other with advantage 3 b + 3 h + 3 r . UB-Pairing has strong partnering. Theorem 2 is proven.