An Anonymous Authentication Scheme Based on Chinese Residue Theorem in Wireless Body Area Networks

Abstract

Considering the resource limitations of low-cost wireless sensors, there is a growing inclination to utilize cryptographic primitives that are optimized for efficiency, such as symmetric key encryption/decryption and hash functions, when designing authentication schemes. However, designing a lightweight authentication scheme that can meet various security requirements poses a significant challenge. In recent years, numerous lightweight authentication schemes have been proposed in order to address these security needs. Nevertheless, recent research has revealed that many of these schemes exhibit security vulnerabilities and design deficiencies, including challenges related to asynchronization and impractical gateway-node search operations. Due to the inadequate security of existing schemes, this study introduces a novel privacy-preserving authentication scheme that aims to provide adaptive resilience against desynchronization attacks in wireless body area networks (WBANs). The proposed scheme utilizes lightweight cryptographic modules to optimize efficiency. To ensure user anonymity, the Chinese Remainder Theorem technique is employed, whereas forward secrecy and resistance to desynchronization attacks are achieved through the use of one-way hash chains and serial numbers, respectively. Through extensive analysis and comparisons, the proposed scheme is demonstrated to strike a fine balance between security and efficiency.

1. Introduction

In light of the rapid advancement of network communication technology, particularly in the context of wireless communication, various applications utilizing wireless sensor network technology have become possible. In the field of healthcare, one significant development is the emergence of wireless body area networks (WBANs). WBANs have emerged as a promising technology for real-time physiological data monitoring and collection. In WBANs, a network of implantable or wearable medical sensors is strategically deployed on patients, enabling the continuous monitoring of their vital signs and physiological parameters. These data are then transmitted to mobile devices such as smartphones, where they can be aggregated and analyzed. By leveraging these advanced sensing technologies, healthcare professionals can gain valuable insights into patients’ health conditions and make timely and informed decisions. By utilizing various sensor nodes, doctors can remotely monitor patients’ conditions, greatly facilitating the progress of mobile health. This technology has also opened up new possibilities for telemedicine. However, the openness and mobility of the WBAN environment expose transmitted data to potential security risks. Therefore, ensuring data security in the WBAN environment is of paramount importance. Additionally, due to the limited resources of sensor nodes [1] in WBANs, we need to consider not only security but also the performance of these nodes. Performance and security issues have emerged as significant obstacles in the practical implementation of wireless sensor networks. Over the past two decades, WSNs have garnered considerable interest from researchers in academia and industry owing to their widespread applications in areas such as smart homes, healthcare, and military monitoring. As depicted in Figure 1, WSNs consist of a network composed of numerous distributed sensor nodes [1,2], with the number of nodes ranging from hundreds to thousands, which are distributed in a uniform or random manner. In practical applications, wireless sensor networks generate massive and complex real-time information, imposing requirements on the computing and storage resources of the sensors. Additionally, due to data privacy concerns, security issues need to be considered. Particularly when authenticating external users with sensor nodes [3], mutual authentication between the nodes and users is necessary to ensure secure access to trusted sensor nodes, allowing only authorized users to establish trusted connections. However, the authentication process can face various external attacks, making user anonymity crucial in wireless sensor networks (WSNs). User anonymity encompasses identity protection and untraceability [4,5]. Identity protection ensures that attackers cannot discover the real identity of a user, whereas user untraceability prevents attackers from determining the user’s identity or distinguishing between multiple user sessions, thus preventing information leakage. Furthermore, WSNs encounter notable security challenges, especially due to the deployment of sensor nodes in unattended and potentially hostile environments. These sensor nodes are often situated in remote or inaccessible areas, making them susceptible to physical tampering or unauthorized access. If attackers gain access to the long-term keys stored in the nodes [6], user privacy is compromised. Therefore, ensuring forward secrecy in WSN environments is of utmost importance. Forward secrecy is a crucial security property that guarantees the confidentiality of past session keys, even in the event of long-term key compromise. This means that if the long-term secret keys are compromised, it becomes infeasible for an attacker to retrospectively decrypt previously encrypted communications or recover the session keys used in the past.

Figure 1. Conceptual model diagram.

Addressing user privacy in wireless sensor network (WSN) environments becomes crucial. However, achieving this goal is a complex task. The challenges stem from previous research [6,7,8], where the core role of public key primitives in achieving forward secrecy and user anonymity is emphasized. Yet, accomplishing this is not easy because of the resource constraints of nodes. Therefore, the current mainstream research approach is to design a lightweight authentication scheme using symmetric keys or hash functions. However, designing a lightweight authentication scheme that meets various security requirements for WSN environments remains a significant challenge.

To meet the safety requirements of user anonymity and forward secrecy in the WSN environment, various lightweight anonymous authentication schemes have been proposed [9,10]. However, it is worth noting that these schemes often suffer from various security and design deficiencies. For example, it is possible to achieve the anonymity of the user and secrecy of the forwarding through dynamic pseudonym identification and one-time hash chains using lightweight authentication schemes; however, they can encounter challenges related to asynchronization when an attacker blocks message transmission, resulting in communication asynchrony.

To address these issues, our research comprehensively analyzes lightweight anonymous authentication schemes for WSNs from the past decade. Through comparative analysis, we provide valuable theoretical insights to guide the future design of lightweight anonymous authentication protocols.

1.1. Security Requirements

In the actual application environment, all the sensitive information of the user is transmitted in an open channel, so a secure and effective authentication scheme must be able to resist various attacks. On the basis of previous work [6,10,11,12,13], we describe some important security authentication requirements based on wireless sensor networks below.

User anonymity: User anonymity is an important security attribute in lightweight authentication schemes. The implementation of user anonymity in authentication schemes can prevent the real identity of a user from being obtained by adversaries and prevent attackers from identifying the user or determining if two sessions are conducted by the same user.

Mutual authentication: Only authorized users can access the data so mutual authentication between the sensor node and the user is necessary. This function needs to be performed with the help of a GWN.

Forward secrecy: When a scheme provides forward security, it means that even if an adversary obtains the user’s private key, it cannot affect the previous session. In order to ensure the safe transmission of sensitive information, forward security is a security attribute that must be considered.

Resistance to desynchronization attack: When designing authentication schemes, to achieve anonymity and ensure that users cannot be traced, the user’s identity is updated in most authentication schemes in each round of communication. Therefore, the synchronization of information between two parties is crucial to the success of their subsequent protocol operation. Furthermore, in the majority of anonymous authentication schemes, hash-chain technology is commonly utilized to guarantee forward security. This involves updating the shared one-time hash chain value after each successful protocol round. Consequently, a flawed protocol can lead to a lack of synchronization in communication between the two parties.

Multifactor security: Multifactor security refers to a scenario where a system remains secure even if n − 1 out of n factors are lost. Typically, n is set to 2 or 3. In this paper, we focus on dual-factor security using passwords and an SC with n = 2. Our scheme must satisfy two essential requirements. Firstly, even if an attacker gains access to the SC and extracts its confidential data, they must be unable to deduce the correct password through offline password-guessing attacks. Secondly, it is crucial that an attacker who possesses knowledge of the user’s password is unable to assume the identity of the user.

Attack resistance: To guarantee the security of communication, the authentication scheme must possess resilience against a wide range of security attacks such as smart card loss attacks, replay attacks, man-in-the-middle attacks, etc.

1.2. Threat Model

In this study, by building upon the foundation of the Dolev–Yao threat model [14], we make certain assumptions regarding the capabilities of an attacker. These assumptions enable us to establish a comprehensive security evaluation framework. Specifically, we consider that the attacker possesses the following capabilities:

• Within the framework of the Dolev–Yao threat model, we assume that the adversary has the ability to intercept, modify, insert, and delete messages transmitted over insecure public channels.
• Under the Dolev–Yao threat model, we also consider the possibility of an attacker employing side-channel attacks to extract all the secret values stored within the smart card.
• In accordance with the Dolev–Yao threat model, we consider the scenario where an attacker has the ability to attempt to ascertain the password and personal identification details.

2. Related Works

In the past decade, numerous lightweight anonymous identity authentication schemes have been proposed for WSN environments. This section focuses on user anonymity and forward secrecy as key factors and summarizes the technological evolution in designing lightweight identity authentication schemes. For instance, mutual authentication between users and sensor nodes in WBANs is one of the most crucial security measures for protecting data privacy. Over the last few years, various research has been conducted on anonymous authentication, with one scheme introducing authentication mechanisms based on elliptic curve cryptography (ECC). Although ECC-based authentication mechanisms provide robust user data identity authentication, they often require significant computational and communication resources. As a result, these schemes may not be well-suited for deployment in applications based on WSNs. Therefore, there is an urgent need to develop a lightweight anonymous identity authentication method specifically designed to meet the unique requirements of this environment.

Wong proposed a scheme [15] for a WBAN that suffered from security issues such as replay and stolen-verifier attacks. However, their scheme lacked consideration for user anonymity. Subsequently, Das devised a similar lightweight WSN authentication scheme that claimed to ensure user anonymity by using a shared secret parameter. Nonetheless, since this secret parameter was shared among all users in the system, Das’s scheme failed to achieve user anonymity. Several other schemes [11,12,13] encountered similar limitations. To address this challenge, several lightweight novel approaches (e.g., [16,17,18,19,20,21]) have been proposed in which the parameter of the shared secret is known only to the sender and receiver. In this technique, the user’s authentic identity is encoded into ciphertext, safeguarding their anonymity. Transmitting the user’s genuine identity in cipher form makes it impossible for anyone to obtain the identity information without the secret parameter, which prevents the user’s identity from being divulged. Nevertheless, this approach is accompanied by the drawback of an exhaustive search operation [9] that is impractical.

To overcome the challenge of impractical exhaustive search operations, a static pseudonym ID is often utilized during transmission. This static pseudonym ID can either be linked to the real ID (e.g., [22,23,24,25]) or decrypted to reveal the real ID (e.g., [26,27,28,29,30]). However, since the static ID remains fixed in every session and is transmitted through a public channel, such schemes provide identity protection but fail to achieve untraceability. To enhance the security of lightweight authentication schemes [31], the dynamic ID [32,33,34,35,36] technique was introduced. By using a different pseudonym identity for each session, adversaries cannot trace and track individual users. Unfortunately, these schemes that rely on pseudonym identity may be susceptible to asynchronization attacks if an adversary simply blocks the update messages. As a result, the affected schemes can become completely unusable unless users re-register [37].

Currently, there exist three ways to address the asynchronization problem. The first approach involves updating the dynamic pseudonym ID only on one side. Several such schemes, such as those that protect the real ID or secret parameter using a derived key, have utilized this method to great effect. It is an excellent way of resolving the asynchronization issue. However, if adversaries manage to obtain one of the used pseudonym IDs and its corresponding derived key, they can impersonate the sender. The second approach, proposed by Gope et al., utilizes emergency IDs and key techniques to achieve user anonymity and resist asynchronization attacks. However, this method necessitates a significant allocation of storage resources. Furthermore, in the event of depleting the IDs and keys, users are obliged to undergo the process of re-registration. Unlike the first two approaches, Chang et al.’s scheme employs a third method that only requires storing two pseudonym IDs on the GWN side, with used pseudonym IDs rendered unusable. This is currently the most efficient way to solve the asynchronization problem while achieving user anonymity.

The preceding analyses focused primarily on achieving user anonymity in authentication schemes. However, asynchronous attacks, such as user anonymity, pose their own set of challenges. Consider Gope and Hwang’s scheme as an example—when an attacker obstructs the transmitted message returned by the sensor node, the GWN and sensor-node hash values become asynchronous. Thus, designing a lightweight authentication scheme that achieves user anonymity, forward secrecy, and resistance to asynchronization attacks simultaneously is a significant challenge for WSNs [38]. To meet these security requirements, researchers have proposed numerous lightweight anonymous authentication schemes with forward secrecy. These schemes are designed to address the requirement for efficient and secure authentication protocols in resource-constrained environments. Shuai et al.’s scheme addresses only the problem of asynchronization resulting from achieving forward secrecy, whereas Yang et al.’s scheme suffers from issues related to user anonymity. Although the three schemes are capable of satisfying all three security requirements, they require five-round sessions, which may affect their efficiency. To improve efficiency, Xiong et al. developed a four-round lightweight authentication scheme that has been proven to be resistant to various attacks. This scheme achieves user anonymity, forward secrecy, and resistance to asynchronization attacks concurrently, making it a promising solution for the WSN environment.

Based on the above information, asynchronous attacks pose a major challenge to ensuring user anonymity when designing lightweight authentication schemes. The same issue arises in achieving forward secrecy. As shown in the schemes in [39,40], security is ensured by using one-time hash-chain values, but if an adversary disrupts the messages, it can lead to a lack of synchronization between the values of communicating parties since the hash values are updated after each round. Therefore, it is necessary to address asynchronous attacks when designing lightweight authentication schemes. To tackle this issue, the method proposed in [41] utilizes techniques such as one-time hash values and sequence numbers. However, due to the asynchronous communication between the GWN and sensor nodes, this approach incurs significant communication overhead. On the other hand, although [34,42,43] overcame this challenge, they lead to increased computational and communication costs. Therefore, to achieve user security while maintaining efficiency, a trade-off must be made between user security and efficiency. Hence, we leverage the Chinese Remainder Theorem to address the issue of user anonymity in the communication process.

3. Preliminaries

This section presents a brief overview of the system architecture, along with the adversary model and security requirements for authentication schemes in WBANs.

System Model

Generally, the authentication scheme in the WBAN environment is made up of three units: the user, sensor node, and gateway. The gateway can be seen as a trusted entity that can issue specific security parameters. The $S{N}_j$ is responsible for processing data accessed by authorized users.

4. Anonymous Schema

In this section, we use the Chinese Remainder Theorem to address the user anonymity issue in wireless body area networks. The GWN system has N preset users ($U_1,U_2,\dots ,U_N$), each with an $ID$ of {$I{D}_1,I{D}_2,\dots ,I{D}_N$}. Every t users form a group, and there are m = N/t groups (assuming N is a multiple of t). The user group $U_{i1},U_{i2},\dots ,U_{it}$ collectively holds a group pseudonym $GI{D}_i$ and a group key $k{g}_i$. The GWN selects m integers $N_1,N_2,\dots ,N_m$ that are pairwise coprime and uses the Chinese Remainder Theorem to calculate. Bulleted lists look like this:

$$\left\{\begin{array}{c}A{u}_1\equiv I{D}_{1}mod{N}_1\hfill \\ A{u}_1\equiv I{D}_{t+1}mod{N}_2\hfill \\ A{u}_1\equiv I{D}_{2t+1}mod{N}_3\hfill \\ ⋮\hfill \\ A{u}_1\equiv I{D}_{(m-1)t+1}mod{N}_m\hfill \end{array}\right.$$

(1)

We can obtain the solution of the congruent equation for $A{u}_1$ = {$I{D}_1$, $I{D}_{t+1}$, $I{D}_{2t+1}$,

…, $I{D}_{(m-1)t+1}$}, and for each $A{u}_j$$(j\in 1,\dots ,t)$, there is a corresponding key $k_j$$(j\in 1,\dots ,t)$, as shown in the following Figure 2 and Table 1:

Figure 2. Group correspondence diagram.

Table 1. User correspondence table.

$I{D}_1$	$I{D}_{t+1}$	$I{D}_{2t+1}$	…	$I{D}_{(m-1)t+1}$	$A{u}_1$
$I{D}_2$	$I{D}_{t+2}$	$I{D}_{2t+2}$	…	$I{D}_{(m-1)t+2}$	$A{u}_2$
⋮	⋮	⋮	⋮	⋮	⋮
$I{D}_t$	$I{D}_{2t}$	$I{D}_{3t}$	…	$I{D}_{mt}$	$A{u}_t$

In communication, the group pseudonym $GI{D}_i$ is used instead of the real user ID, and the group key $k{g}_i$ is used to encrypt $A{u}_j$, thus achieving the process of anonymity. In the authentication process, the server can retrieve the corresponding keys $k{g}_i$ and $N_j$ through the group pseudonym and then decrypt $A{u}_j$ using the Chinese Remainder Theorem. By calculating $I{D}_{it+j}=A{u}_{j}mod{N}_j$, the server can obtain the real identity $I{D}_{it+j}$ of the user. Since it is a group pseudonym, attackers can only know that the message sender belongs to a certain group but not the specific group. At the same time, for users within the group, although they can obtain $A{u}_j$ corresponding to the sender because $A{u}_j$ is also a common solution of {$I{D}_j,I{D}_{t+j},I{D}_{2t+j},\cdots ,I{D}_{(m-1)t+j}$}, users within the same group still cannot guess the real ID of the sender.

5. Proposed Scheme

We propose an efficient anonymous identity verification scheme based on the Chinese Remainder Theorem to protect user privacy. Authentication is performed by the gateway node when a user accesses the network. Our proposed scheme incorporates four key stages in order to guarantee the protection of the real identity and secret key of the user: the initialization of the GWN, the registration of users and sensors, the anonymous authentication process, and the updating of the user keys. Table 2 listed the notations used in our schema. A detailed description of each stage in our scheme can be found in the following section.

Table 2. Notation Descriptions.

Notation	Description
$U_i$	user
$S{N}_j$	Sensor Node
SC	The smart card
GWN	Gateway
$GI{D}_i$	Pseudonym shared by users in the group
$I{D}_i$	Unique identity of $U_i$
$P{W}_i$	Unique password of $U_i$
$I{D}_{SNj}$	Unique identity of $S{N}_j$
$k{g}_i$	Group key corresponding to the group pseudonym
$S{G}_j,G{S}_j$	The serial number of GWN and $S{N}_j$
$R_1$	random number
$R_2$	session key
$H_0,H_1,H_2,H_3$	hash function
T	timestamp
‖	concatenation operation
⊕	XOR operation

5.1. Initialization Phase

In the initialization phase, the GWN generates four hash functions $H_0:{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^{512}$; $H_1:{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^{256}$; $H_2:{\left\{0,1\right\}}^{*}\to \left\{0,1,\dots ,1023\right\}$; and $H_3:{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^{160}$. Finally, the system parameters are published by the GWN.

5.2. Registration Phase

The proposed scheme involves a registration phase that comprises two distinct stages: user registration and sensor-node registration. In the user registration phase, users are required to undergo a specific registration process. Similarly, in the sensor-node registration phase, sensor nodes are subjected to their respective registration process.

When a new sensor node is introduced into the system, to establish connectivity, the sensor node needs to undergo a registration process with the GWN. Figure 3 illustrates the general registration procedure followed by the sensor node.

Figure 3. Sensor node registration.

Step 1: It selects a unique identity $I{D}_{SNj}$ and sends it securely to the GWN.

Step 2: Upon receiving the $I{D}_{SNj}$, the GWN verifies its existence in the sensor node’s identity information table. An application for registration is rejected if it exists. Otherwise, the GWN generates random numbers $r_j$ and initializes $S{G}_j=G{S}_j=0$. Then, the GWN adds {$r_j,I{D}_{SNj},G{S}_j$} to the identity information table of the sensor node and sends {$S{G}_j,r_j$} to the $S{N}_j$ through a protected communication channel.

Step 3: Upon receiving {$S{G}_j$, $r_j$}, the sensor node keeps them in a secret memory.

New users must register with the GWN during the user registration phase before they can access a specific sensor node. The following section provides a detailed description of the sequential steps involved in the user registration process, which is illustrated in Figure 4.

Figure 4. User registration.

Step 1: User $U_i$ generates their own password $P{W}_i$ and chooses a randomly generated value $b_i$. Next, $U_i$ computes $P_{Ui}=H_0(P{W}_i\left|\right|b_i)$ and sends {$P_{Ui}$} to the GWN through a secure channel.

Step 2: After receiving {$P_{Ui}$} from $U_i$, the GWN randomly selects an unused $I{D}_i$ from the N generated IDs ($I{D}_1,I{D}_2,\dots ,I{D}_N$) in the initialization phase and assigns it to the currently registering user. We can obtain the corresponding group pseudonym $GI{D}_i$, $A{u}_j$, and the secret key $k{g}_i$ of $GI{D}_i$ from the randomly assigned $I{D}_i$. Next, the GWN selects a random number $a_i$ and computes $K_{Ui}=H_1(I{D}_i\left|\right|k_j\left|\right|a_i)$, $F_i=P_{Ui}\oplus (K_{Ui}\left|\right|A{u}_j)$, and $V_{Ui}=H_3(H_2(K_{Ui}\left|\right|A{u}_j\left|\right|P_{Ui}\left)\right)$. The GWN includes {$GI{D}_i,I{D}_i,a_i$} in the table with the user information and stores {$GI{D}_i,k{g}_i,F_i,V_{Ui}$} in the SC. Subsequently, the GWN securely transmits the SC to the $U_i$ through a protected communication channel.

Step 3: When the $U_i$ receives the SC, $b_i$ is stored in the SC’s secret memory.

5.3. Authentication Phase

When the $U_i$ intends to establish direct communication with the $S{N}_j$, it is crucial to ensure mutual authentication between them. As illustrated in Figure 5, the authentication procedure encompasses the following detailed steps.

Figure 5. Authentication phase.

Step 1: The $U_i$ enters the password $P{W}_i$ into the SC. The SC calculates $P_{Ui}^{*}$ = $H_0(b_i\left|\right|P{W}_i)$, $K_{Ui}\left|\right|A{u}_j=F_i\oplus P_{Ui}^{*}$, and $V_{Ui}^{*}$=$H_3(H_2(K_{Ui}\left|\right|A{u}_j\left|\right|P_{Ui}^{*}\left)\right)$. It then compares this value with the stored value $V_{Ui}$ and rejects the login request if there is a discrepancy. Otherwise, the SC trusts that the $U_i$ is a legitimate user and computes $C{T}_1=A{u}_j\oplus H_0(GI{D}_i\left|\right|K{g}_i\left|\right|T)$. Then, the SC generates a random number $R_1$ and computes $C{T}_2=(R_1\left|\right|I{D}_{SNj})\oplus H_0(GI{D}_i\left|\right|A{u}_j\left|\right|K_{Ui}\left|\right|T)$ and $V_1=H_3(R_1\left|\right|K_{Ui}\left|\right|GI{D}_i\left|\right|T)$. The SC sends {$GI{D}_i,C{T}_1,C{T}_2,V_1,T$} to the GWN via the publicly accessible channel.

Step 2: When receiving {$GI{D}_i,C{T}_1,C{T}_2,V_1,T$} from the $U_i$, initially, the GWN verifies the timeliness of T. If the timeliness of T is found to be invalid, the GWN terminates the session. However, if T is determined to be valid, the GWN proceeds to retrieve the appropriate key $k{g}_i$ by receiving $GI{D}_i$ and computes $A{u}_j=C{T}_1\oplus H_0(GI{D}_i\left|\right|k{g}_i\left|\right|T)$. Then, the GWN computes $I{D}_i=A{u}_{j}mod{N}_j$, obtains the user’s ID, and computes $K_{Ui}=H_1(GI{D}_i\left|\right|k{g}_i\left|\right|a_i)$, $R_1\left|\right|I{D}_{SNj}=C{T}_2\oplus H_0(GI{D}_i\left|\right|A{u}_j\left|\right|K_{Ui}\left|\right|T)$, and $V_1^{*}=H_3(R_1\left|\right|K_{Ui}\left|\right|GI{D}_i\left|\right|T)$. Next, the GWN verifies the equality of the value $V_1^{*}$ with the received value $V_1$. In the case of a match, the GWN proceeds to randomly select a session key $R_2$ and computes $C{T}_3=(R_2\left|\right|I{D}_i)\oplus H_0(G{S}_j\left|\right|I{D}_{SNj}\left|\right|r_j)$ and $V_2=H_3(R_2\left|\right|I{D}_i\left|\right|I{D}_{SNj}\left|\right|G{S}_j\left|\right|r_j)$. Subsequently, the GWN updates $r_j=H_1(r_j\left|\right|I{D}_{SNj}),G{S}_j=G{S}_j+1$. The GWN transmits {$G{S}_j,C{T}_3,V_2$} to the $S{N}_j$ via the publicly accessible channel.

Step 3: After receiving {$G{S}_j,C{T}_3,V_2$}, the $S{N}_j$ initially checks whether the equation $1\le (GSj-SGj)\le N$. Here, the threshold value N, which is tailored to the specific application environment, is used in the equation. If the equation fails to satisfy the condition, the $S{N}_j$ will reject the ongoing session. Otherwise, the $S{N}_j$ sets $r_j^{*}=r_j$ and computes $(G{S}_j-S{G}_j-1)$ times $r_j^{*}=H_1(I{D}_{SNj}\left|\right|r_j*),R_2\left|\right|I{D}_i=C{T}_3\oplus H_0(r_j^{*}\left|\right|(G{S}_j-1)\left|\right|I{D}_{SNj})$, and $V_2^{*}=H_3(R_2\left|\right|I{D}_i\left|\right|I{D}_{SNj}\left|\right|(G{S}_j-1)\left|\right|r_j^{*})$. Next, the $S{N}_j$ verifies the correspondence between the received value $V_2$ and the stored value $V_2^{*}$ to ensure their alignment. If they match, the $S{N}_j$ computes $V_3=H_3(I{D}_i\left|\right|I{D}_{SNj}\left|\right|R_2\left|\right|G{S}_j)$ and updates $r_j=H_1(r_j^{*}\left|\right|I{D}_{SNj}),S{G}_j=G{S}_j$. Otherwise, the $S{N}_j$ rejects this session. Finally, the $S{N}_j$ sends {$I{D}_{SNj},V_3$} to the GWN.

Step 4: Upon receiving {$I{D}_{SNj},V_3$} from the $S{N}_j$, the GWN calculates $V_3^{*}=H_3(I{D}_i$$\left|\right|I{D}_{SNj}\left|\right|R_2\left|\right|G{S}_j)$ and verifies whether the received value $V_3$ matches the stored value $V_3^{*}$ for equality. If they are identical, the GWN proceeds with the computation of the value $C{T}_4=(R_2\left|\right|I{D}_i)\oplus H_0(I{D}_{SNj}\left|\right|R_1\left|\right|K_{Ui}\left|\right|A{u}_j)$ and $V_4=H_3(R_2\left|\right|R_1\left|\right|I{D}_i\left|\right|I{D}_{SNj})$. If the received value $V_3$ does not match the stored value $V_3^{*}$, the GWN rejects the session. Finally, the GWN transmits the {$C{T}_4,V_3$} to the $U_i$.

Step 5: Upon receiving {$C{T}_4,V_3$} from the GWN, the $U_i$ calculates $(R_2\left|\right|I{D}_i)=C{T}_4\oplus H_0(I{D}_{SNj}\left|\right|$$R_1\left|\right|K_{Ui}\left|\right|A{u}_j)$ and $V_4^{*}=H_3(R_2\left|\right|R_1\left|\right|I{D}_i\left|\right|I{D}_{SNj})$ and verifies whether the received value $V_4$ matches the stored value $V_4^{*}$. If the values match, the authentication process is considered successful.

5.4. Password Update Phase

When the $U_i$ wishes to update their password, they are not required to go through the gateway for the change. Instead, they simply need to validate their identity using the old password $P{W}_i$ and update the relevant information on the SC.

Step 1: The $U_i$ enters the password $P{W}_i$ into the SC. Then, the SC computes $P_{Ui}=H_0(b_i\left|\right|P{W}_i)$, $K_{Ui}\left|\right|A{u}_j=F_i\oplus P_{Ui}$, and $V_{Ui}^{*}=H_3(H_2(K_{Ui}\left|\right|A{u}_j\left|\right|P_{Ui}\left)\right)$ and verifies the match between the value of $V_{Ui}^{*}$ and the stored value $V_{Ui}$. The $U_i$ proceeds to input a new password $P{W}_i^{*}$ in case of a successful match. However, if the values do not match, the request is rejected by the SC.

Step 2: The SC computes $P_{Ui}^{*}=H_0(P{W}_i^{*}\left|\right|b_i)$, $F_i^{*}=P_{Ui}^{*}\oplus (K_{Ui}\left|\right|A{u}_j)$, and $V_{Ui}^{*}=H_3(H_2(K_{Ui}\left|\right|A{u}_j\left|\right|P_{Ui}^{*}\left)\right)$.

Step 3: Finally, the SC updates its storage by replacing the values of $F_i$ and $V_{Ui}$ with the newly generated values $F_i^{*}$ and $V_{Ui}^{*}$.

6. Security Analysis

6.1. Authentication Verification Using BAN Logic

The proposed authentication scheme in our research leverages BAN logic as a formal method to demonstrate the authentication and session key security between the $U_i$ and the $S{N}_j$. BAN logic utilizes specific symbols to represent various elements, where P and Q represent the subjects, and X and Y denote the statements. To facilitate a better understanding, Table 3 includes a comprehensive list of the symbolic notations used in BAN logic. Furthermore, we employ key logic rules to substantiate the secure mutual authentication between the $U_i$ and $S{N}_j$ in the context of a WBAN. The rigorous utilization of BAN logic and logical rules ensures the establishment of a robust and secure authentication framework in our scheme.

Table 3. BAN logic.

Notation	Description
$U|\equiv M$	U believes M, or U is entitled to believe M. Specifically, the subject U considers M to be true.
$U|\sim M$	U has stated M, and the subject U has, at some point, sent a message containing M.
$U|◃M$	P has seen M, messages containing M have been sent by certain subjects, and U is able to read and repeat X.
$U|\Rightarrow M$	U has the capability to mediate or adjudicate M.
$\#\left(M\right)$	M is fresh.
$U\stackrel{K}{⟷}V$	U and V share a key K.
$\stackrel{K}{⟷}V$	K is U’s public key.
$P\stackrel{X}{\rightleftharpoons }$ V	M is the shared secret between U and V.
${\left\{M\right\}}_K$	Encrypt M using the encryption key K.
$⟨M_k⟩$	The combination of M and k, where k is a secret.

Foundational principles of BAN logic:

(1)

Message-meaning rule: $\frac{U\mid \equiv V\stackrel{K}{⟷}U,U◃{\left\{M\right\}}_K}{U\mid \equiv V\sim X}$, $\frac{U\mid \equiv \stackrel{K}{\to }V,U◃{\left\{X\right\}}_K-1}{U\mid \equiv V\sim M}$ and $\frac{U\mid \equiv V\stackrel{N}{\rightleftharpoons }U,U◃{\left\{M\right\}}_N}{U\mid \equiv V\sim M}$

(2)

Nonce-verification rule: $\frac{\mathrm{U}|\equiv \#(M),\mathrm{U}|\equiv \mathrm{V}\mid \sim \mathrm{M}}{U|\equiv V|\equiv M}$

(3)

Jurisdiction rule: $\frac{\mathrm{U}|\equiv V|\Rightarrow M,\mathrm{U}|\equiv \mathrm{V}|\equiv \mathrm{M}}{U\mid \equiv M}$

(4)

Belief rule: $\frac{\mathrm{U}|\equiv M,\mathrm{U}|\equiv N}{U\mid \equiv (M,N)}\frac{\mathrm{U}\mid \equiv (M,N)}{P\mid \equiv M}\frac{\mathrm{U}|\equiv V|\equiv (M,N)}{U|\equiv V|\equiv M}$

(5)

Freshness rule: $\frac{\mathrm{P}|\equiv \#(X)}{P\mid \equiv \#(X,Y)}$

In order to establish the security of our proposed protocol in achieving mutual authentication between the $U_i$ and the $S{N}_j$, it is essential to demonstrate the fulfillment of the following four objectives:

(1)

Goal 1: $U_i|\equiv \left(U_i\right)\stackrel{R_2}{⟷}S{N}_j$.

(2)

Goal 2: $U_i|\equiv S{N}_j|\equiv \left(U_i\right)\stackrel{R_2}{⟷}S{N}_j$.

(3)

Goal 3: $S{N}_j|\equiv \left(U_i\right)\stackrel{R_2}{⟷}S{N}_j$.

(4)

Goal 4: $S{N}_j|\equiv U_i|\equiv \left(U_i\right)\stackrel{R_2}{⟷}S{N}_j$.

Firstly, the authentication process in the scheme is converted to the form of BAN logical abstraction.

• $M_1(U_i\to GWN):{(U_i\stackrel{R_1}{⟷}GWN,I{D}_{SNj})}_{U_i\stackrel{K_{Ui}\left|\right|k{g}_i}{⟷}GWN}$, $<GI{D}_i,I{D}_{SNj},R_1,T{>}_{U_i\stackrel{K_{Ui}\left|\right|k{g}_i}{⟷}}$
  GWN.
• $M_2(GWN\to S{N}_j):{(GWN\stackrel{R_2}{⟷}S{N}_j,I{D}_i)}_{GWN\stackrel{r_j}{⟷}S{N}_j}$, $<I{D}_i,I{D}_{SNj},GWN\stackrel{R_2}{⟷}S{N}_j$,
  $G{S}_j{>}_{GWN\stackrel{r_j}{⟷}S{N}_j}$.
• $M_3(S{N}_j\to GWN):<I{D}_i,I{D}_{SNj},S{N}_j\stackrel{R_2}{⟷}GWN{>}_{S{N}_j\stackrel{r_j}{⟷}GWN}$.
• $M_4(GWN\to U_i):{\left(GWN\stackrel{R_2}{⟷}{U}_i\right)}_{U_i\stackrel{K_{Ui}}{⟷}GWN}$, $<I{D}_i,I{D}_{SNj},GWN\stackrel{R_2}{⟷}{U}_i{>}_{U_i\stackrel{R_1}{\rightleftharpoons }GWN}$.

Secondly, The initial assumptions regarding the proposed scheme are enumerated as follows:

$A_1:GWN|\equiv \#\left(T\right)$

$A_2:GWN|\equiv \#\left(R_1\right)$

$A_3:S{N}_j|\equiv \#\left(R_2\right)$

$A_4:U_i|\equiv \#\left(R_2\right)$

$A_5:U_i|\equiv U_i\stackrel{K_{Ui}\left|\right|k{g}_i}{⟷}GWN$

$A_6:GWN|\equiv U_i\stackrel{K_{Ui}\left|\right|k{g}_i}{⟷}GWN$

$A_7:S{N}_j|\equiv S{N}_j\stackrel{r_j}{⟷}GWN$

$A_8:GWN|\equiv S{N}_j\stackrel{r_j}{⟷}GWN$

$A_9:U_i|\equiv GWN|\Rightarrow U_i\stackrel{R_2}{⟷}S{N}_j$

$A_{10}:S{N}_j|\equiv GWN|\Rightarrow U_i\stackrel{R_2}{⟷}S{N}_j$

Thirdly, by employing the rules and BAN logic, we conduct the primary demonstrations in the following manner:

According to the $M_1$, we obtain $S_1$: $GWN◃{(U_i\stackrel{R_1}{⟷}GWN,I{D}_{SNj})}_{U_i\stackrel{K_{Ui}\left|\right|k{g}_i}{⟷}GWN}$.

Building upon assumption $A_6$ and applying the message-meaning rule $S_1$, we obtain the following result: $S_2$: $GWN|\equiv U_i\stackrel{R_1}{⟷}GWN,I{D}_{SNj}$.

From $A_6$ and the freshness rule, we obtain $S_3$: $GWN|\equiv \#(I{D}_i,I{D}_{SNj},GI{D}_i,T,U_i\stackrel{R_1}{⟷}GWN)$.

By considering $S_3$ and $S_2$ and applying the nonce-verification rule, we obtain $S_4$: $GWN|\equiv U_i|\equiv (I{D}_i,I{D}_{SNj},GI{D}_i,T,U_i\stackrel{R_1}{⟷}GWN)$.

According to $M_2$, we obtain $S_5$: $S{N}_j◃{(GWN\stackrel{R_2}{⟷}S{N}_j,I{D}_i)}_{GWN\stackrel{r_j}{⟷}S{N}_j}$.

According to $S_5,A_7$, and the message-meaning rule, we have $S_6$: $S{N}_j|\equiv GWN|\sim (GWN\stackrel{R_2}{⟷}S{N}_j,I{D}_i)$.

According to $A_3$ and the freshness rule, we obtain $S_7$: $S{N}_j|\equiv \#(I{D}_i,I{D}_{SNj},GWN\stackrel{R_2}{⟷}S{N}_j,G{S}_j)$.

From $S_7$, $S_6$, and the nonce-verification rule, we obtain $S_8$: $S{N}_j|\equiv GWN|\equiv (I{D}_i,I{D}_{SNj},GWN\stackrel{R_2}{⟷}S{N}_j,G{S}_j)$.

According to $M_3$, we obtain $S_9$: $GWN◃<I{D}_i,I{D}_{SNj},S{N}_j\stackrel{R_2}{⟷}GWN{>}_{S{N}_j\stackrel{r_j}{⟷}GWN}$.

According to $S_9$, $A_8$, and the message-meaning rule, we obtain $S_{10}$: $GWN|\equiv S{N}_j|\sim (I{D}_i,I{D}_{SNj},S{N}_j\stackrel{R_2}{⟷}GWN)$.

From $S_{10}$ and the freshness rule, we obtain $S_{11}$: $GWN|\equiv (S{N}_j|\equiv (I{D}_i,I{D}_{SNj},S{N}_j\stackrel{R_2}{⟷}GWN))$.

According to $M_4$, we obtain $S_{12}$: $U_i◃{\left(GWN\stackrel{R_2}{⟷}{U}_i\right)}_{U_i\stackrel{K_{Ui}\left|\right|k{g}_i}{⟷}GWN}$.

From $A_5,S_{12}$, and the message-meaning rule, we obtain $S_{13}$: $U_i|\equiv GWN|\sim \left(GWN\stackrel{R_2}{⟷}{U}_i\right)$.

From $A_4$ and the freshness rule, we have $S_{14}$: $U_i|\equiv \#(I{D}_i,I{D}_{SNj},GWN\stackrel{R_2}{⟷}{U}_i)$.

From $S_{13},S_{14}$, and the nonce-verification rule, we obtain $S_{15}$: $U_i|\equiv GWN|\equiv (I{D}_i,I{D}_{SNj},GWN\stackrel{R_2}{⟷}{U}_i)$.

From $S_6,S_7$, and the belief rule, we obtain $S_{16}$: $S{N}_j|\equiv \left(GWN\stackrel{R_2}{⟷}S{N}_j\right)$.

From $S_8$ and by applying the belief rule, we have $S_{17}$: $S{N}_j|\equiv GWN|\equiv \left(GWN\stackrel{R_2}{⟷}{U}_i\right)$.

From $S_{11}$ and by applying the belief rule, we have $S_{18}$: $GWN|\equiv S{N}_j|\equiv \left(S{N}_j\stackrel{R_2}{⟷}GWN\right)$.

From $S_{13},S_{14}$, and by applying the belief rule, we have $S_{19}$: $U_i|\equiv \left(GWN\stackrel{R_2}{⟷}{U}_i\right)$.

From $S_{15}$ and by applying the belief rule, we have $S_{20}$: $U_i|\equiv GWN|\equiv \left(GWN\stackrel{R_2}{⟷}{U}_i\right)$.

From $A_{10}$ and $S_{16}$, we have $S_{21}$: $S{N}_j|\equiv \left(U_i\stackrel{R_2}{⟷}S{N}_j\right)$.

From $A_{10}$ and $S17$, we have $S_{22}$: $S{N}_j|\equiv U_i|\equiv \left(U_i\stackrel{R_2}{⟷}S{N}_j\right)$.

From $A_9,S_{18}$, and $S_{19}$, we have $S_{23}$: $U_i|\equiv \left(S{N}_j\stackrel{R_2}{⟷}{U}_i\right)$.

From $A_9,S_{18}$, and $S_{20}$, we have $S_{24}$: $U_i|\equiv S{N}_j|\equiv \left(S{N}_j\stackrel{R_2}{⟷}{U}_i\right)$.

6.2. Further Security Analysis of the Proposed Scheme

6.2.1. Mutual Authentication

In this scheme, mutual authentication between the $U_i$ and the GWN is achieved by computing the user’s true identity. It is evident that without $K_{Ui}$ and $k_j$, an attacker cannot falsify the authentic identity of the user or the sensor in the authentication process. Likewise, in the interaction between the $S{N}_j$ and the GWN, mutual authentication is established by verifying that $V_2$ and $V_3$ match the received $V_2$ and $V_3$, respectively. Moreover, without $r_j$, no one can forge a valid authentication message.

6.2.2. User Anonymity

User anonymity encompasses two main aspects: user identity anonymity and user untraceability. User identity anonymity ensures that adversaries cannot deduce the true identity of a user based on the information exchanged over a public channel. This scheme is based on a novel anonymity technique to protect user identities. The GWN generates N pseudonyms in advance, where every t pseudonyms form a group, and each group corresponds to a pseudonym $GI{D}_i$ and a group key $k{g}_i$. During communication, the pseudonym $GI{D}_i$ is used instead of the real user ID, and the group key $k{g}_i$ is used to encrypt $A{u}_j$, thus achieving anonymity. In the authentication process, the server can find the corresponding key $k{g}_i$ and $N_j$ based on the pseudonym $GI{D}_i$ and then decrypt $A{u}_j$. By using the Chinese Remainder Theorem, the server calculates $I{D}_{it+j}=A{u}_{j}mod{N}_j$, thereby obtaining the true user identity $I{D}_{it+j}$. Since pseudonyms are used, attackers can only determine that the message sender belongs to a certain group, without knowing the specific group. Furthermore, for users within the same group, although they can obtain the corresponding $A{u}_j$ of the sender, they still cannot guess the user’s true ID because $A{u}_j$ is a shared solution for {$I{D}_j,I{D}_{t+j},I{D}_{2t+j},\dots ,I{D}_{(m-1)t+j}$} within the group.

6.2.3. Forward Secrecy

Forward secrecy is an important property that must be considered in authentication key agreement protocols. It ensures that if the long-term keys of the communicating parties are compromised, an attacker cannot recover the session keys previously negotiated between the parties. In this scheme, we assume that the attacker has obtained the keys $K_{Ui}$ and $r_j$. However, the attacker still cannot reconstruct $R_2$ because the value of $r_j$ is updated after each session, i.e., $r_j=H_1(r_j\left|\right|I{D}_{SNj})$. Due to the one-way property of the hash function, even if the attacker obtains the current key, they cannot calculate the keys used in previous sessions, thereby ensuring forward secrecy.

6.2.4. Protection against Asynchronous Attacks

In this scheme, asynchronous attacks are mitigated due to the use of a pseudonym $GI{D}_i$ for communication by users in each communication session, along with the inclusion of a timestamp to verify the freshness of messages. Figure 6 provides a concise illustration of the framework of this scheme in the presence of asynchronous attacks. Potential malicious scenarios for attackers are analyzed in the following section.

Figure 6. Asynchronization in the proposed scheme.

Assumption 1. 

There are three situations where the attacker blocks the first message. When message 1 is blocked, this attack does not render our scheme unusable because in each round of communication, we calculate the ID at the time of communication. If message 2 is in a locked state, this scenario encompasses the interaction between the $U_i$ and the GWN, as well as the communication between the GWN and the $S{N}_j$. More specifically, it pertains to the communication between the $U_i$ and the GWN, every communication calculation, and the verification of the communication ID. For the communication between the GWN and the $S{N}_j$, we use the values of the serial numbers $S{G}_j$ and $G{S}_j$ to ensure the synchronization of the session. Therefore, any potential attacks on subsequent sessions would have no impact or consequences. In the event of message 3 being obstructed or inaccessible, the communication involves both the $U_i$ and the GWN, as well as the GWN and the $S{N}_j$. Regarding the communication between the $U_i$ and the GWN, the situation is comparable to the scenario where the message is obstructed. Regarding the communication between the GWN and the $S{N}_j$, the attack becomes ineffective, as both parties have synchronized the values of $S{G}_j$ and $G{S}_j$. When message 4 is blocked, the situation bears a resemblance to the scenario where message 3 is blocked.

Assumption 2. 

When the attacker deliberately blocks the second, third, and fourth messages, the resulting scenarios bear resemblances to the second, third, and fourth situations described in Assumption 1.

6.2.5. Two-Factor Security

In this scheme, it is assumed that an attacker has obtained a user’s password and successfully forged a legitimate user identity. In addition, the attacker has successfully obtained access to the sensitive data stored in the SC. However, given the magnitude of $|DPW/1024|$, with $\left|DPW\right|$ denoting the password space, the attacker remains incapable of successfully guessing the correct password. Consequently, the proposed scheme guarantees a two-factor security mechanism.

6.2.6. Resisting Incorrect Password and Update Attacks

In this scheme, if an incorrect password is entered, the SC computes $V_{Ui}^{*}$ and compares it with the stored $V_{Ui}$, allowing for the quick detection of incorrect logins and update attacks.

6.2.7. Smart Card Loss Attacks

In this scheme, considering a scenario where an attacker gains access to the secret information {$GI{D}_i,k{g}_i,F_i,V_{Ui}$} from the SC, the attacker guesses a candidate value $P{W}_i^{*}$ and computes $P_{Ui}^{*}$ and $V_{Ui}^{*}$. They then verify that $V_{Ui}^{*}$ matches the stored $V_{Ui}$. If they match, the attacker has obtained the correct $P_{Wi}$; otherwise, they repeat the above steps. Additionally, the hash function $H_2$ has a size of 1024, making it infeasible for the attacker to determine which candidate password corresponds to the correct password of the user. The fuzzy verification method has been theoretically and empirically proven to resist smart card loss attacks.

6.2.8. Resisting Insider Attacks

During the user registration phase, the user sends $P_{Ui}$ to the gateway GWN instead of the password $P{W}_i$. The GWN is unaware of the random number $b_i$. Due to the one-way property of the hash function, internal personnel are unable to guess the correct $P{W}_i$. Therefore, this scheme can resist insider attacks.

6.2.9. Resistance to User Impersonation

If an attacker intends to impersonate a user, they must forge valid authentication information such as {$I{D}_i,F_i,V_{Ui},GI{D}_i$}. However, without the existence of $k_j$ and $K_{Ui}$, forging {$GI{D}_i,k{g}_i,F_i,V_{Ui}$} is not feasible. Therefore, this scheme can resist user impersonation attacks.

6.2.10. Resisting Sensor-Node Spoofing Attacks

In this scheme, when a malicious sensor node is trying to impersonate a legitimate user or another sensor node, it must fabricate and manipulate authentication information such as $V_1=H_3(R_1\left|\right|K_{ui}\left|\right|GI{D}_i\left|\right|T)$ and $V_3=H_3(I{D}_i\left|\right|I{D}_{SNj}\left|\right|R_2\left|\right|G{S}_j)$. However, the sensor node only possesses its own long-term key and does not have the long-term keys of other nodes or users. Therefore, this scheme can resist sensor-node spoofing attacks.

6.2.11. Resisting Replay Attacks

In this scheme, replay attacks are countered by utilizing techniques such as timestamps, challenge-response mechanisms, and sequence numbers. These measures ensure that both communicating parties can confirm the current session when the verification is completed.

6.2.12. Resisting Man-in-the-Middle Attacks

In this scheme, the security of the messages transmitted over a public channel is achieved through the utilization of $k_j$, $K_{Ui}$, and $r_j$ to ensure confidentiality and integrity. Without these secret values, it is impossible for anyone to forge legitimate identity verification messages. Therefore, this scheme provides strong resistance against man-in-the-middle attacks.

7. Performance Analysis

In this section, we discuss our schema and several related schemes, as can be seen from the Table 4. Given that the user and sensor registration phases, as well as the key update phase, are infrequently utilized, this analysis focuses solely on the performance evaluation of the authentication phase.

7.1. Computational Analysis

In this section, we present a comparative analysis of the computational efficiency of our proposed scheme in comparison to existing schemes [34,42,43,44,45,46]. To facilitate our analysis, we use the following notations: $T_h$ denotes the time complexity associated with the general hash operations, FE.Gen() and FE.Rep() denote the runtime complexity of the fuzzy extractor operations. The time complexity of the symmetric encryption and decryption operations is represented by $T_A$. The execution time complexity of the PUF function is denoted by $T_{PUF}$, whereas $T_{CRT}$ represents the time complexity associated with performing modular operations when applying the Chinese Remainder Theorem in our scheme. By employing these standard notations, we can conduct a thorough comparative analysis of the computational efficiency of our proposed scheme and other cryptographic schemes.

The execution times of various cryptographic operations are crucial in assessing the efficiency of a scheme. In our scheme, we observed that the hash operation required an execution time of $T_h\approx 0.013$ ms, $T_A\approx 0.1302$ ms, and $FE.Gen\approx 1.17$ ms, whereas the $T_{PUF}$ for the PUF function was estimated to be 0.12 ms. The fuzzy extractor operation $FE.Rep\left(\right)$ was found to have an execution time of 3.27 ms. On the other hand, the execution time of the modulus operation, which is generally considered a constant-time operation, was fast, as it required only a few processor cycles. Therefore, it was considered an efficient operation with negligible time complexity. To evaluate the computational efficiency of our proposed scheme relative to related schemes, we compared it to several previous studies, and the outcomes are summarized in Table 5. The results revealed that Wang et al.’s [44] scheme had the smallest computational overhead; however, its security level was inadequate. In contrast, our scheme exhibited a reasonable computational overhead while providing the highest level of security. In conclusion, our proposed scheme’s execution time is efficient and guarantees optimal security, making it an ideal candidate for practical implementation.

Table 4. Security features.

Security Features	Shuai [34]	Li [46]	Fotouhi [47]	Rangwani [43]	Subramani [42]	Peng [48]	Ours
Asynchronization attack	√	√	×	-	√	√	√
Mutual authentication	√	√	√	√	√	√	√
Sensor-node spoofing attack	-	×	×	√	-	√	√
User anonymity	√	×	×	√	√	√	√
Privileged insider attack	√	-	×	√	√	√	√
Forward security	√	√	√	√	√	√	√
Smart-card loss attack	√	-	-	√	-	√	√
Multi-factor security	-	×	-	-	-	√	√
Man-in-the-middle attack	√	-	-	√	-	√	√
User impersonation attack	√	-	√	√	√	√	√
Replay attack	√	√	×	√	√	√	√
Wrong password login/update attack	√	-	-	-	-	√	√

Table 4. Security features.

Security Features	Shuai [34]	Li [46]	Fotouhi [47]	Rangwani [43]	Subramani [42]	Peng [48]	Ours
Asynchronization attack	√	√	×	-	√	√	√
Mutual authentication	√	√	√	√	√	√	√
Sensor-node spoofing attack	-	×	×	√	-	√	√
User anonymity	√	×	×	√	√	√	√
Privileged insider attack	√	-	×	√	√	√	√
Forward security	√	√	√	√	√	√	√
Smart-card loss attack	√	-	-	√	-	√	√
Multi-factor security	-	×	-	-	-	√	√
Man-in-the-middle attack	√	-	-	√	-	√	√
User impersonation attack	√	-	√	√	√	√	√
Replay attack	√	√	×	√	√	√	√
Wrong password login/update attack	√	-	-	-	-	√	√

Table 5. Computational complexity.

Scheme	${\mathit{U}}_{\mathit{i}}$	GWN	${\mathbf{SN}}_{\mathit{j}}$	Total
Shuai [34]	9$T_h$	12$T_h$	6$T_h$	27$T_h$ ≈ 0.351 ms
Li [46]	8$T_h$ + 4$T_A$	8$T_h$ + $T_A$	4$T_h$ + $T_A$	6$T_A$ + 20$T_h$ ≈ 1.0412
Fotouhi [47]	10$T_h$	17$T_h$	7$T_h$	34$T_h$ ≈ 0.442
Rangwani [43]	3$T_A$ + 6$T_h$ + 2$T_{PUF}$	8$T_h$ + $T_{PUF}$	2$T_A$ + 5$T_h$ + 2$T_{PUF}$	6$T_A$ + 19$T_h$ + 4$T_{PUF}$ ≈ 1.5082 ms
Subramani [42]	6$T_h$ + 2FE.Gen() + 2$T_{PUF}$	5$T_h$ + 2FE.Rep()	6$T_h$ + 2FE.Gen() + 2$T_{PUF}$	17$T_h$ + 4FE.Gen() + 2FE.Rep() + 4$T_{PUF}$ ≈ 11.921 ms
Peng [48]	9$T_h$	10$T_h$	5$T_h$	24$T_h$ ≈ 0.312 ms
Ours	8$T_h$	10$T_h$	5$T_h$	23$T_h$ ≈ 0.299 ms

Table 5. Computational complexity.

Scheme	${\mathit{U}}_{\mathit{i}}$	GWN	${\mathbf{SN}}_{\mathit{j}}$	Total
Shuai [34]	9$T_h$	12$T_h$	6$T_h$	27$T_h$ ≈ 0.351 ms
Li [46]	8$T_h$ + 4$T_A$	8$T_h$ + $T_A$	4$T_h$ + $T_A$	6$T_A$ + 20$T_h$ ≈ 1.0412
Fotouhi [47]	10$T_h$	17$T_h$	7$T_h$	34$T_h$ ≈ 0.442
Rangwani [43]	3$T_A$ + 6$T_h$ + 2$T_{PUF}$	8$T_h$ + $T_{PUF}$	2$T_A$ + 5$T_h$ + 2$T_{PUF}$	6$T_A$ + 19$T_h$ + 4$T_{PUF}$ ≈ 1.5082 ms
Subramani [42]	6$T_h$ + 2FE.Gen() + 2$T_{PUF}$	5$T_h$ + 2FE.Rep()	6$T_h$ + 2FE.Gen() + 2$T_{PUF}$	17$T_h$ + 4FE.Gen() + 2FE.Rep() + 4$T_{PUF}$ ≈ 11.921 ms
Peng [48]	9$T_h$	10$T_h$	5$T_h$	24$T_h$ ≈ 0.312 ms
Ours	8$T_h$	10$T_h$	5$T_h$	23$T_h$ ≈ 0.299 ms

7.2. Communication Analysis

In this section, we conduct a comparative analysis of the communication efficiency of our proposed scheme and several previously proposed schemes in the related literature [34,42,43,44,45,46]. To ensure reliable and informative comparisons, we established a consistent assumption regarding the bit length of the identity information. We assumed that ($I{D}_{Ui},I{D}_{SNj}$), pseudonym identity $GI{D}_i$, timestamp T, serial number ($S{G}_j$,$G{S}_j$), random number $R_1$, session key $R_2$, and hash $H_3$ output were 64, 24, 32, 32, 128, 256, and 160 bits. By computing $C{T}_2=(R_1\left|\right|I{D}_{SNj})\oplus H_0(GI{D}_i\left|\right|A{u}_j\left|\right|K_{Ui}\left|\right|T)$ and to ensure the security of ($R_1\left|\right|I{D}_{SNj}$), we employed a technique where we intercepted the upper 192 bits of the $H_0$ output. Consequently, the resulting ciphertext $C{T}_2$ had a bit length of 192 bits. In our proposed scheme, the communications {$GI{D}_i,C{T}_1,C{T}_2,V_1,T$}, {$G{S}_j,C{T}_3,V_2$}, {$I{D}_{SNj},V_3$}, and {$C{T}_4,V_3$} required $(64+32+192+160+32)=480,(32+256+64+160)=512,(64+160)=224,$ and $(256+64+160)=480$ bits. By summing up the four values, we could determine the overall communication cost of our scheme, which amounted to 1696 bits in total.

The communication costs of the alternative systems were calculated based on the methodology described above and are summarized in Table 6. The analysis of the data in Table 6 showed that our proposed scheme had the lowest communication overhead among all the methods analyzed.

Table 6. Comparison of communication complexity.

Schemes	Number of Communication Rounds	Number of Bytes
Shuai [34]	4	1984 bits
Li [46]	4	3488 bits
Fotouhi [47]	4	2752 bits
Rangwani [43]	6	2688 bits
Subramani [42]	6	2880 bits
Peng [48]	4	1720 bits
ours	4	1696 bits

8. Conclusions

In this paper, we outlined the existing challenges associated with developing an anonymous authentication scheme that incorporates identity protection and forward secrecy in the context of a wireless body area network (WBAN) environment. To acquire critical data in the context of WBAN-based environments, we proposed a lightweight authentication scheme based on the Chinese Remainder Theorem (CRT) that utilized only lightweight cryptographic primitives. Security analysis showed that the scheme not only achieves mutual authentication but also ensures user anonymity, forward secrecy, and resilience against desynchronization attacks. BAN logic was employed as a formal analysis tool to ensure the security of the scheme. The performance analysis showed that our scheme consumes fewer computational and communication overheads and can also meet various security requirements compared to previous schemes. Hence, the applicability of the proposed scheme to WBANs is evident, making it a viable choice for practical deployment.