Enhancing the Security: A Lightweight Authentication and Key Agreement Protocol for Smart Medical Services in the IoHT

The Internet of Things (IoT) has witnessed significant growth with advancements in Internet and wireless technologies. In the medical field, the Internet of Health Things (IoHT) has emerged as an extension of the IoT, enabling the exchange of remote data and real-time monitoring of patients' health conditions. Through the IoHT, doctors can promptly provide diagnoses and treatment for patients. As patient data are transmitted over public channels, security issues may arise, necessitating security mechanisms. Recently, Amintoosi et al. proposed an authentication protocol for smart medical services in the IoHT. However, their protocol exhibited security weaknesses, including vulnerabilities to privileged insider attacks. To address the security concerns, we propose an enhanced authentication and key agreement protocol. The security of our protocol is rigorously analyzed using the Real-Or-Random model, informal security analysis, and the AVISPA tool. Finally, the results of our analysis demonstrate that our proposed protocol ensures sufficient security while maintaining a performance level similar to existing protocols.


Introduction
The Internet of Things (IoT) [1][2][3] is a technology that enables the collection of real-time data and the connection of devices, thus serving as an infrastructure in people's lives. With the advancements in the Internet, mobile communication, and wireless technology, the IoT can be applied to various environments, including smart home [4], smart grid [5], Internet of Vehicles [6,7], and artificial intelligence [8,9]. These environments take advantage of the information-gathering features of the IoT to solve problems existing in real life, so as to bring more benefits and convenience to people's lives.
The Internet of Health Things (IoHT) [10][11][12] is an extension of the IoT specifically focused on healthcare. It combines modern communication and medical information technology to create a new mode of health management. The IoHT enables the real-time monitoring of patients' health data, reducing the repetitive workload for medical staff. Simultaneously, it allows medical professionals to provide timely diagnosis and treatment based on the collected data, as well as deliver preventive or proactive healthcare services at a lower cost. The architecture of the IoHT, as illustrated in Figure 1, includes three main entities: users (doctors/nurses), gateway, and sensor nodes. Sensor nodes are distributed among patients and are responsible for collecting various health data, such as electrocardiogram readings, body temperature measurements, and blood oxygen saturation levels. The gateway serves as a semi-trusted entity that facilitates the real-time transmission of the collected data between the sensor nodes and the users. Users are medical staff (doctors/nurses) who have the ability to access patients' health data, and use the collected data to analyze the condition and provide appropriate diagnosis and treatment plans for patients. The security of medical data in IoHT is of utmost importance due to the sensitivity of the information involved. If patient health data and diagnostic reports are stolen by attackers through public channels, it can lead to privacy breaches and potential security attacks such as impersonation [13,14], replay [15,16], and man-in-the-middle (MITM) [17,18] attacks. To address these security concerns, authentication and key agreement (AKA) techniques can be employed to achieve mutual authentication [19,20] between communication entities and establish session keys, ensuring secure communication in IoHT. According to Diffie et al.'s study [21], AKA protocols should follow some general principles when being designed. These principles include the ideas that authentication and key exchange need to be linked together, asymmetry should be exhibited in the protocol, messages should avoid being used repeatedly to prevent replay attacks, entities should incorporate appropriate random numbers into encryption operations, etc.
In recent years, several AKA protocols have been proposed specifically for healthcare applications based on IoT. Challa et al. [22] put forward a secure AKA protocol for medical wireless sensor networks based on elliptic curve cryptography (ECC) in 2018. Unfortunately, Soni et al. [23] found their protocol violated user anonymity and was subjected to session key disclosure attacks. As a result, Soni et al. proposed an enhanced AKA protocol specifically designed for healthcare systems. Unfortunately, Xu et al. [24] demonstrated that this enhanced protocol violated perfect forward secrecy (PFS) and could not resist offline password guessing (OPG) and sensor node capture (SNC) attacks. Qiu et al. [25] put forward a robust AKA protocol based on a telecare medicine system. However, Shamshad et al. [20] found that this protocol was vulnerable to privileged insider (PI) and OPG attacks. Consequently, Shamshad et al. devised a security-enhanced authentication protocol for healthcare services. Sharma and Kalra [26] presented a secure AKA protocol based on IoHT, demonstrating its resilience against multiple security attacks. Unfortunately, Azrour et al. [27] discovered that this protocol suffered from impersonation and OPG attacks. Similarly, Azrour et al. proposed an enhanced protocol for remote healthcare services based on cloud-based IoT. Aghili et al. [28] developed a lightweight AKA protocol for an e-health system based on IoT. However, Amintoosi et al. [29] demonstrated that this protocol violated PFS and was susceptible to SNC and impersonation attacks.
In 2020, Merabet et al. [30] introduced a novel mutual authentication protocol based on IoHT, ensuring secure communication between machines and the cloud. Kumari et al. [31] proposed an efficient AKA protocol for smart healthcare and cloud environments, utilizing ECC. However, Wu et al. [32] demonstrated that their protocol suffered from several security vulnerabilities, including impersonation, known session-specific temporary information (KSSTI), and desynchronization attacks. Subsequently, Wu et al. proposed an alternative AKA protocol for smart healthcare, addressing the identified security issues. Hajian et al. [33] devised an attack-resilient protocol for Medical Internet of Things (MIoT) applications. Unfortunately, Yu et al. [17] found that this protocol was susceptible to MITM, impersonation, and session key disclosure (SKD) attacks. Consequently, Yu et al. proposed an enhanced AKA protocol specifically designed for the MIoT environment, seeking to improve its security. Alladi et al. [34] designed a two-way AKA protocol for the healthcare environment, incorporating physical unclonable functions to enhance data security. Shuai et al. [35] put forward a robust AKA protocol for a private healthcare system, incorporating three factors to strengthen security. However, Xie et al. [36] identified that their protocol violated PFS and was vulnerable to PI attacks. Similarly, Xie et al. proposed a privacy-protected AKA protocol for IoT environments. Agrahari et al. [37] devised an AKA protocol for healthcare monitoring systems, ensuring the security of patient data during transmission. Al-Saggaf et al. [38] proposed a two-factor AKA protocol based on IoHT, utilizing quantum computing for enhanced security.
According to previous research, ensuring the security of medical data and user privacy in the IoHT is crucial. In light of this, Amintoosi et al. [29] proposed an authentication protocol for smart medical services, which not only achieves mutual authentication between communication entities, but also facilitates the establishment of session keys between them to ensure secure communication. However, during our investigation, we identified security vulnerabilities in their protocol. To address these security concerns, we have developed an enhanced AKA protocol specifically tailored for the IoHT environment. Our protocol aims to provide robust security measures to ensure the secure transmission of medical data and protect user privacy. The main contributions of our paper are summarized as follows:
(1) We conducted a thorough review of Amintoosi et al.'s protocol and identified certain security weaknesses, particularly PI attacks.
(2) In response to the identified weaknesses, we propose an enhanced AKA protocol for smart medical services in the IoHT. Our protocol utilizes lightweight primitives and facilitates the establishment of session keys between doctors and sensor nodes with the assistance of gateways, ensuring secure communication.
(3) To validate the security of our proposed protocol, we conducted a rigorous analysis using the Real-Or-Random (ROR) model, informal security analysis, and the automated validation of Internet security protocols and applications (AVISPA) tool.
(4) Finally, we compare the performance and security of our proposed protocol with existing protocols. The comparison results demonstrate that our proposed protocol offers sufficient security with comparable performance to other protocols in the IoHT environment.
The structure of this paper is organized as follows. In Section 2, we review and analyze Amintoosi et al.'s protocol. We present the specific process and design details of the proposed enhanced security AKA protocol in the IoHT in Section 3. In Section 4, we demonstrate the security of our protocol through the ROR model, informal security analysis, and the AVISPA tool. A comparison of the proposed protocol with existing AKA protocols in the IoHT is presented in Section 5, and the conclusion is given in Section 6.

Review and Cryptanalysis of Amintoosi et al.'s Protocol [29]
2.1. Review of Amintoosi et al.'s Protocol [29]
Here, we only review the "registration" and the "login and authentication" phases of Amintoosi et al.'s protocol. Their protocol involves a user, a medical server, and a sensor node. The notations used in this paper are shown in Table 1. The registration phase is divided into two phases, which are the user and sensor node registration phases.
User registration phase. The process of user registration is depicted in Figure 2, with the specific steps outlined as follows.
(1) User $U_i$ chooses $ID_i$, $PW_i$, and $a_i$, and calculates $UM_i = h(ID_i \| PW_i \| a_i)$. Next, $U_i$ sends $\{UM_i, ID_i\}$ to $MS$ via a secure channel.
(2) On receiving the $\{UM_i, ID_i\}$, $MS$ firstly searches for the $ID_i$ stored in the database. If the $ID_i$ exists, the $U_i$ should be asked to send a new $ID_i$. Otherwise, $MS$ selects $b_i$ to compute , and $i = i + 1$. Then, $MS$ stores $\{b_i, UP_i, UQ_i\}$ in smart card, and stores $\{UP_i, UN_i, UQ_i, ID_i\}$ in its database. Finally, $MS$ transmits smart card to $U_i$.
(3) When $U_i$ receives the smart card, $\{a_i\}$ is added to it.
Sensor registration phase. Figure 3 depicts the sensor registration process, and the subsequent detailed steps are as follows.
(1) Sensor $S_j$ selects $IDS_j$ and $c_j$ to calculate $SM_j = h(IDS_j \| X_j \| c_j)$, and sends $\{SM_j, c_j, IDS_j\}$ to $MS$ via secure channel.
(2) When $MS$ receives the $\{SM_j, c_j, IDS_j\}$, it computes $SN_j = h(IDS_j \| s \| c_j)$, and $j = j + 1$. Then, $MS$ stores $\{SM_j, IDS_j, c_j\}$ in database, and transmits $\{SN_j\}$ to $S_j$.
(3) $S_j$ receives the $\{SN_j\}$, and stores $\{SN_j, c_j\}$ in its memory.


Login and Authentication Phase
The login and authentication process is illustrated in Figure 4, and the specific steps are as follows.
(1) First, $U_i$ inputs If the two values do not correspond, the authentication process is suspended. Otherwise, $MS$ selects $r_s$, and calculates $W_2 = h(r_i \| IDS_j \| c_j) \oplus r_s$, $SN_j = h(IDS_j \| s \| c_j)$, $V_2 = h(SN_j \| SM_j \| r_s)$. Finally, $MS$ retrieves $T_2$ and transmits the message If the two values are equal, $S_j$ chooses $r_j$, and computes $SK = h(r_s \| IDS_j \| r_j)$, and then computes $SK = h(r_s \| IDS_j \| r_j)$.

Cryptanalysis of Amintoosi et al.'s Protocol
In this section, we point out that Amintoosi et al.'s protocol has certain security weaknesses, particularly PI attacks.
Attacker Model. According to the Dolev-Yao (DY) [39] and Canetti and Krawczyk (CK) [40] models, we define the following capabilities for an attacker (A) to follow.
(1) A possesses the capability to intercept, monitor, and manipulate messages that are transmitted through the public channel.
(2) The medical server may have a malicious insider named A who can acquire data from the database.
(3) A can utilize power analysis to obtain the data in the user's smart card or smart device.
(4) A can obtain temporary information value and long-term key.

Privileged Insider Attacks
Assume A obtains the data $\{SM_j, IDS_j, c_j\}$ from $MS$. Through the following steps, A can compute the $SK$ successfully. The process of the attack method is depicted in Figure 5, showing only the important portion. The parts marked in red indicate the data and messages obtained by A, while the red boxes represent A's computational steps.
(1) A can eavesdrop on the messages
(2) Next, A can compute $r_s = W_2 \oplus h(r_i \| IDS_j \| c_j)$ and $r_j = h(SM_j \| c_j \| SN_j) \oplus W_3$, respectively.
(3) At last, A can compute $SK = h(r_s \| IDS_j \| r_j)$.


Incorrectness of SK
In the authentication phase of Amintoosi et al.'s protocol [29], $MS$ first transmits the $M_4$ to $U_i$. On receiving the $M_4$, $U_i$ calculates numbers $r_j$ and $r_s$ to establish the $SK$, where $SK = h(r_s \| IDS_j \| r_j)$. The $IDS_j$ is stored in the database of $MS$, and the $MS$ does not transmit the value $IDS_j$ to $U_i$. Thus, the $U_i$ cannot know the value $IDS_j$, and cannot establish the $SK$.

The Proposed Protocol
In response to the identified weaknesses of Amintoosi et al.'s protocol, we propose an enhanced AKA protocol in the IoHT (shown in Figure 1). The entities involved in the protocol include $U_i$, $GWN$, and $S_j$. Here, we use $GWN$ to replace the $MS$ in Amintoosi et al.'s protocol, because the functions of the $MS$ and the $GWN$ are the same, and the $GWN$ is commonly used in the IoHT environment. The initialization, registration, and login and authentication phases are included in our proposed protocol.

Initialization Phase
The smart device, gateway, and sensor nodes need to write basic arithmetic functions, such as $h(\cdot)$, $\oplus$, and $\|$. Here, $GWN$ is a semi-trusted entity, which means that it possesses the ability to engage in misconduct, yet lacks the capacity to collaborate with other entities. Moreover, the $GWN$ chooses $k$ as its private key, and is responsible for the pre-deployment of the sensor nodes. The sensor pre-deployment process is shown in Figure 6. The specific steps are described below.
(1) $S_j$ chooses its $IDS_j$ and a random number $c_j$, and sends $\{IDS_j, c_j\}$ to $GWN$ via a secure channel.
(2) When $GWN$ receives the $\{IDS_j, c_j\}$, it calculates $SM_j = h(IDS_j \| c_j \| k)$, $SN_j = h(IDS_j \| k) \oplus SM_j$. Then, $GWN$ stores $\{IDS_j, SN_j\}$ in its database. Finally, $GWN$ transmits $\{SM_j\}$ to $S_j$.
(3) On receiving $\{SM_j\}$, $S_j$ computes $SO_j = h(IDS_j \| c_j) \oplus SM_j$. Next, $S_j$ stores $\{c_j, SO_j\}$ in its memory.

Doctor Registration Phase
In this phase, doctors need to register with the $GWN$ to become legitimate users $U_i$. The doctor registration process is described in Figure 7, and the specific steps are as follows.
(1) First, $U_i$ chooses $ID_i$, $PW_i$, $a_i$, and calculates

Login and Authentication Phase
In this section, the $U_i$, $GWN$, and $S_j$ achieve mutual authentication, and the $U_i$ and $S_j$ successfully establish a $SK$ with the assistance of the $GWN$. The login and authentication process is depicted in Figure 8, and the detailed login and authentication steps are as follows.
(1) First, $U_i$ inputs $ID_i$, $PW_i$, and calculates $RPW_i$ ), and chooses $r_i$ and its
(2) Following the receipt of message $M_1$, $GWN$ initially verifies that timestamp $T_1$ is fresh. Next, $GWN$ retrieves $\{b_i, UN_i\}$ from the database using $TID_i$ and calculates If they are equal, $GWN$ retrieves $\{SN_j\}$ according to $IDS_j$ and computes $SM_j = SN_j \oplus h(IDS_j \| k)$, $W_3 = R_i \oplus h(IDS_j \| SM_j)$. At last, $GWN$ retrieves the current timestamp $T_2$ to compute $V_2 = h(TID_i \| R_i \| SM_j \| T_2)$ and transmits message If it holds, $S_j$ chooses $r_j$ to calculate $R_j = h(IDS_j \| c_j \| r_j)$, $SK = h(R_i \| R_j)$, $W_4 = R_j \oplus h(IDS_j \| SM_j)$. Finally, $S_j$ retrieves $T_3$ to compute $V_3 = h(R_j \| SM_j \| T_3)$ and transmits message $M_3 = \{W_4, V_3, T_3\}$ to $GWN$.
(4) When $GWN$ receives the $M_3$, it verifies the freshness of $T_3$. Next, $GWN$ computes , which means that the $U_i$ and $S_j$ successfully establish a $SK$ with the assistance of the $GWN$.
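The gateway-to-sensor leg of the steps above (pre-deployment values, then M2 and M3 with their freshness and hash checks), as an added Python example that is not the authors' implementation. Assumptions: SHA-256 for h, length-prefixed fields for the concatenation, a 5-second freshness window, M2 = {TID_i, W_3, V_2, T_2} (the message contents are missing from the text above), and identifiers constructed for the demo.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # assumed freshness window (seconds); the page gives no value


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) as SHA-256; fields are length-prefixed (an assumption)
    so that ("ab", "c") and ("a", "bc") cannot produce the same digest."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


class Gateway:
    def __init__(self):
        self.k = secrets.token_bytes(32)  # GWN private key k
        self.db = {}                      # IDS_j -> SN_j

    def predeploy(self, ids_j: bytes, c_j: bytes) -> bytes:
        sm_j = h(ids_j, c_j, self.k)                  # SM_j = h(IDS_j||c_j||k)
        self.db[ids_j] = xor(h(ids_j, self.k), sm_j)  # SN_j = h(IDS_j||k) xor SM_j
        return sm_j                                   # sent over the secure channel

    def _sm(self, ids_j: bytes) -> bytes:
        return xor(self.db[ids_j], h(ids_j, self.k))  # SM_j = SN_j xor h(IDS_j||k)

    def build_m2(self, tid_i: bytes, R_i: bytes, ids_j: bytes, now: int) -> dict:
        sm_j = self._sm(ids_j)
        w3 = xor(R_i, h(ids_j, sm_j))                 # W_3 = R_i xor h(IDS_j||SM_j)
        v2 = h(tid_i, R_i, sm_j, ts(now))             # V_2 = h(TID_i||R_i||SM_j||T_2)
        return {"TID": tid_i, "W3": w3, "V2": v2, "T2": now}

    def accept_m3(self, m3: dict, ids_j: bytes, now: int):
        """Return R_j if M3 is fresh and V_3 verifies, else None."""
        if abs(now - m3["T3"]) > DELTA_T:
            return None
        sm_j = self._sm(ids_j)
        R_j = xor(m3["W4"], h(ids_j, sm_j))           # R_j = W_4 xor h(IDS_j||SM_j)
        ok = hmac.compare_digest(h(R_j, sm_j, ts(m3["T3"])), m3["V3"])
        return R_j if ok else None


class Sensor:
    def __init__(self, ids_j: bytes):
        self.ids_j = ids_j                  # the sensor's own identity IDS_j
        self.c_j = secrets.token_bytes(16)  # random number c_j
        self.so_j = b""

    def store(self, sm_j: bytes) -> None:
        # SO_j = h(IDS_j||c_j) xor SM_j; SM_j itself is not kept in memory
        self.so_j = xor(h(self.ids_j, self.c_j), sm_j)

    def handle_m2(self, m2: dict, now: int):
        """Return (M3, SK) if M2 is fresh and V_2 verifies, else None."""
        if abs(now - m2["T2"]) > DELTA_T:
            return None
        sm_j = xor(self.so_j, h(self.ids_j, self.c_j))
        R_i = xor(m2["W3"], h(self.ids_j, sm_j))
        expected = h(m2["TID"], R_i, sm_j, ts(m2["T2"]))
        if not hmac.compare_digest(expected, m2["V2"]):
            return None
        R_j = h(self.ids_j, self.c_j, secrets.token_bytes(16))  # fresh r_j
        m3 = {"W4": xor(R_j, h(self.ids_j, sm_j)),
              "V3": h(R_j, sm_j, ts(now)), "T3": now}
        return m3, h(R_i, R_j)              # SK = h(R_i||R_j)


def run_demo() -> dict:
    gw, s = Gateway(), Sensor(b"sensor-07")           # constructed identifier
    s.store(gw.predeploy(s.ids_j, s.c_j))
    # R_i = h(ID_i||a_i||r_i), taken as already authenticated from M1
    R_i = h(b"dr-lee", secrets.token_bytes(16), secrets.token_bytes(16))
    m2 = gw.build_m2(b"TID-1", R_i, s.ids_j, now=1000)
    m3, sk_sensor = s.handle_m2(m2, now=1001)
    R_j = gw.accept_m3(m3, s.ids_j, now=1002)
    flipped = dict(m2, W3=xor(m2["W3"], b"\x01" + bytes(31)))
    forged = dict(m3, V3=bytes(32))
    return {
        # the value the user side derives once R_j has been forwarded to it
        "sk_matches": sk_sensor == h(R_i, R_j),
        "tampered_w3": s.handle_m2(flipped, now=1001),
        "stale_m2": s.handle_m2(m2, now=1000 + DELTA_T + 1),
        "forged_v3": gw.accept_m3(forged, s.ids_j, now=1002),
    }


if __name__ == "__main__":
    print(run_demo())
```

The digests are compared with `hmac.compare_digest` so that verification time does not depend on how many leading bytes of a forged value match.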

Security Analysis

4.1. Formal Security Analysis
We show the security of our protocol using the well-known ROR model [41][42][43]. Real attacks are simulated in this model through a series of rounds of games.

Security Model
Three entities are included in our proposed protocol: $U_i$, $GWN$, and $S_j$. We use $I^x_{U_i}$ to represent the x-th user instance, $I^y_{GWN}$ represents the y-th gateway instance, and $I^z_{S_j}$ represents the z-th sensor node instance. Here, we define that A has certain capabilities in different games, but needs to follow the following queries. A obtains the $SK$. Otherwise, A obtains the random string.

Security Proof
Theorem 1. The advantage that A breaking the proposed protocol ($P$) in polynomial time $\xi$ is Here, $q_h$, $q_s$, $|Hash|$ denote the hash query, send query, and the space of the hash function, respectively. In addition, $C$ and $s$ are two constants.
Proof. We define four games $GM_0$-$GM_3$ to prove the proposed protocol's security, and these games simulate the real process of A attacking the protocol. Here, $Succ^{GM_i}_A(\xi)$ indicates that the A wins the i-th game, and $Adv^P_A$ is defined as the advantage of A breaking the protocol. The A simulates detailed queries as shown in Table 2. The following are the detailed processes in the proof.
$GM_0$: In $GM_0$, the A performs real attacks to break the proposed protocol. The A starts the game by flipping the $c$. Hence, we have
$GM_1$: In $GM_1$, A can eavesdrop on the transmitted messages } by executing the Execute() query. After $GM_1$, A validates the $SK = h(R_i \| R_j)$ through executing the Test() query. Since A cannot obtain the values $R_i$ and $R_j$, A cannot compute the $SK$. Therefore, the result of $GM_1$ is no different from $GM_0$.
$GM_2$: The Send() and Hash() queries are added to $GM_2$. The A wants to tamper with the eavesdropped messages, but the authentication values $V_1$, $V_2$, $V_3$, and $V_4$ in the message are composed of private values and are protected by hash function. Thus, since A cannot obtain the private value and cannot crack the hash function, the intercepted message cannot be tampered with. Furthermore, no hash collision occurs because each session's random numbers are distinct. Hence, in accordance with the birthday paradox, we have
$GM_3$: In $GM_3$, A obtains the data $\{UO_i, UP_i, UQ_i\}$ in the smart device by executing the Corrupt($I^x_{U_i}$) query. Then, A utilizes these data and intercepted messages to attempt to deduce the correct $PW_i$. Since A cannot obtain the values $RPW_i$ and $a_i$, A cannot compute correct $UP_i$ and cannot obtain the $PW_i$, where $UP_i = h(TID_i \| RPW_i \| a_i)$. From Zipf's law [44], we can obtain Finally, A wants to win the game by guessing bit $c$ to obtain the correct $SK$. Thus, we can obtain According to $GM_0$ to $GM_3$, we have Thus, we can obtain

Table 2. Simulation of queries.

Query Description
Send(E, $M_i$) is in a normal state and selects $r_i$, $IDS_j$, and $T_1$ to compute and checks the $V_2$. Then, For Send($I^y_{GWN}$, ($W_4$, $V_3$, $T_3$)). Assume that $I^y_{GWN}$ computes $R_j$, and checks $V_3$ in a normal state. If the $V_3$ holds, $I^y_{GWN}$ calculates $W_5$, $V_4$ and selects $T_4$. Then, the query returns the $M_4 = \{W_5, V_4, T_4\}$. On Send($I^x_{U_i}$, $W_5$, $V_4$, $T_4$). Upon receiving the message ($W_5$, $V_4$, $T_4$), computes $SK$, which means that the $I^x_{U_i}$ accepts and terminates.

Execute(E )
Continue to use Send queries to simulate the process for Execute(E ).
is accepted, this query outputs {UO i , UP i , UQ i } in the smart device.

Test(E )
Flip the coin $c$. If the result is 1, the $SK$ will be returned. Otherwise, a random string of the same length as $SK$ will be returned.

Informal Security Analysis

4.2.1. Perfect Forward Secrecy (PFS)
We use two methods to show that the proposed protocol ensures PFS.
Method 1: Suppose A can obtain the $k$ of $GWN$, and attempts to calculate the $SK$. First, A needs to calculate the value $R_i$, $IDS_j$ and $R_j$, where $R_i = W_1 \oplus h(a_i \| UM_i)$ and $R_j = W_4 \oplus h(IDS_j \| SM_j)$. Then A uses these values to calculate the $SK$. Since A cannot obtain $a_i$, $UM_i$ and $SM_j$, A cannot calculate the $SK$.
Method 2: We use Ge et al.'s method [45] to demonstrate that A cannot calculate the $SK$. The specific proof steps are as follows.
(1) First, the composition of the session key requires variables $\{R_i, R_j\}$, where $SK = h(R_i \| R_j)$. Based on the rules of Ge et al. [45], we add these variables around $SK$ and use arrows to point to $SK$. Then, we proceed step by step to analyze the newly added variables. For example, the composition of $R_i$ requires $\{r_i, ID_i, a_i\}$ or $\{a_i, W_1, UM_i\}$ or $\{W_3, IDS_j, SM_j\}$.
(2) Then, coloring is employed to denote nodes that involve long-term secrets or are transmitted over public channels. These nodes are $k$, $W_1$, $W_3$, $W_4$, $W_5$, which means that A can obtain these variables.
(3) Finally, we remove the incoming edges of all colored nodes, and judge whether the proposed protocol ensures PFS through the remaining nodes. From Figure 9, we can see that the A does not have the required variables to compute the $SK$.
Thus, our proposed protocol ensures PFS.

Privileged Insider (PI) Attacks
Suppose that A is an insider in the gateway and has access to data $\{TID_i, b_i, UN_i\}$ and $\{IDS_j, SN_j\}$ in its database. Then, A attempts to compute the values $R_i$ and $R_j$ using these data, where Because $a_i$, $UM_i$ and $SM_j$ are confidential to A, the A cannot compute $R_i$ and $R_j$, and then cannot calculate the $SK$. Therefore, our protocol prevents PI attacks.

Sensor Node Capture (SNC) Attacks
Assume A can capture the $\{c_j, SO_j\}$ in the memory of the $S_j$, and attempt to calculate the values $R_i$ and $R_j$. However, since A cannot obtain $IDS_j$, $SM_j$, and $R_j$, A cannot compute $R_i$ and $R_j$, and thus the A does not obtain the correct $SK$. So our protocol can withstand SNC attacks.

Offline Password Guessing (OPG) Attacks
Suppose A obtains the data $\{UO_i, UP_i, UQ_i\}$ from a smart device and tries to enumerate the correct password using a password dictionary. Since the A cannot obtain the $RPW_i$ and $a_i$, and does not calculate the correct value $UP_i$, where $UP_i = h(TID_i \| RPW_i \| a_i)$, A cannot obtain the correct $PW_i$. Thus, our protocol can prevent OPG attacks.

Session Key Disclosure (SKD) Attacks
A can compute the $SK = \{R_i \| R_j\}$ only by obtaining the private values $R_i$ and $R_j$. However, A cannot obtain the $ID_i$, $a_i$ and $r_i$, so $R_i$ cannot be calculated, where $R_i = h(ID_i \| a_i \| r_i)$. Similarly, the A cannot obtain $IDS_j$, $c_j$ and $r_j$, and cannot calculate $R_j$, where $R_j = h(IDS_j \| c_j \| r_j)$. Thus, the correct $SK$ remains undisclosed to A. The proposed protocol is immune to SKD attacks.

Correctness of SK
In our proposed protocol, the entities involved in establishing the session key include $U_i$, $GWN$, and $S_j$. The required values for the $SK$ are $R_i$ and $R_j$, where $SK = h(R_i \| R_j)$, $R_i = h(ID_i \| a_i \| r_i)$ and $R_j = h(IDS_j \| c_j \| r_j)$. The $U_i$ transmits the computed $R_i$ to the $GWN$, which securely forwards it to the $S_j$. Upon receiving $R_i$, the $S_j$ independently computes $R_j$ to establish the $SK$. Similarly, the $S_j$ transmits $R_j$ to the $GWN$, which then forwards this value to the $U_i$. When receiving $R_j$, the $U_i$ is able to successfully establish the $SK$. Therefore, our protocol ensures the correctness of $SK$.

Man-In-The-Middle (MITM) Attacks
Assume that A can intercept messages $M_1$, $M_2$, $M_3$ and $M_4$. Here, we take . However, due to the fact that values $IDS_j$ and $R_j$ are confidential to the A, A cannot calculate the $V_1$. Thus, the request message sent by A cannot be authenticated by the $GWN$. Similarly, A cannot obtain private values to tamper with messages $M_2$, $M_3$, and $M_4$. Thus, it is impossible for MITM attacks to break our protocol.

Mutual Authentication
In the proposed protocol, entities verify each other's legitimacy by the authentication values Here, the $GWN$ is to determine the legitimacy of the $U_i$ by verifying $V_1$. The $S_j$ judges the legitimacy of the $GWN$ by verifying $V_2$. The $GWN$ is used to determine the legitimacy of the $S_j$ by verifying $V_3$. The $U_i$ is to determine the legitimacy of the $GWN$ by verifying $V_4$. Since the message sent by one entity to another entity can be verified, our protocol can achieve mutual authentication.

AVISPA
The AVISPA [46] is an instrument for formal verification that automatically analyzes the cryptographic protocol's security. AVISPA is based on the DY model, which allows A to have attack capabilities during the simulation, and it uses High-Level Protocol Specification Language (HLPSL). In this paper, AVISPA is used to simulate the whole process of the proposed protocol.
We define the role specification for $U_i$, $GWN$ and $S_j$ as shown in Figure 10a-c, respectively. Additionally, the role specifications for the session, goal, and environment are shown in Figure 10d. Here, we take the role of $U_i$ as an example to explain. In the registration and authentication phases, it is essential for the user to recognize the involvement of three agents: "user agent (UA), gateway agent (GA), and sensor agent (SA)". "(SND, RCV)" represent the send and receive channels, where "(dy)" means that the channel follows the DY model. "RCV(start)" indicates that the entire protocol starts running. "RCV(H(H(IDi.PWi.Ai').K.Ai')-SKuaga)" indicates that the user receives the message $\{UM_i\}$ transmitted from the gateway. The "SKuaga" encrypts transmitted messages, and this indicates that the message is transmitted via secure channel. Furthermore, "SND(H(IDi.PWi.Ai').W1'.W2'.V1'.T1')" signifies that the user transmits the message $\{TID_i, W_1, W_2, V_1, T_1\}$ to the gateway via a public channel. In "State 3", it becomes evident that the user has successfully established a session key with the sensor. Finally, we use the widely recognized On-the-Fly Model-Checker (OFMC) and Constraint Logic-based Attack Searcher (CL-AtSe) backends to verify the security of the proposed protocol, and the simulated results are depicted in Figure 11. It can be clearly seen that whether it is in the results of OFMC or CL-AtSe backend, the summary display is "SAFE", which means that our proposed protocol can resist replay and MITM attacks.

Security and Performance Comparisons
We compare the security and performance of our proposed protocol to five IoHT authentication protocols [23,29,33,35,47].

Security Comparisons
In terms of security comparison, means that the protocol is resistant to that attack, while × means that the protocol does not satisfy that security property.The primary security properties include S1, mutual authentication; S2, PFS; S3, PI attacks; S4, OPG attacks; S5, SKD attacks; S6, SNC attacks; S7, MITM attacks; S8, correctness of SK.
The security comparison results are presented in Table 3. It is clear that our protocol and Wu et al.'s protocol [47] satisfy all security properties. However, Soni et al.'s protocol [23] violated PFS and suffered from OPG and SNC attacks. Hajian et al.'s protocol [33] failed to provide mutual authentication, leaving it vulnerable to SKD and MITM attacks. Similarly, Shuai et al.'s protocol [35] also violated PFS and suffered from PI attacks. Amintoosi et al.'s protocol [29], like the others, exhibited security weaknesses, specifically being susceptible to PI attacks and unable to ensure the correctness of SK.

Performance Comparisons
The performance comparison covers three aspects: communication, computational, and storage costs. When comparing communication and computational costs, we exclusively consider the login and authentication phases of the protocols. On the other hand, in the comparison of storage costs, our focus is solely on the registration phase.

Computational Cost Comparisons
For the computational cost, we use three different devices to obtain the runtime of the cryptographic primitives. The configurations of these three experimental devices are shown in Table 4, where we denote that the laptop simulates $U_i$, the desktop computer simulates $GWN$, and the Xiaomi mobile phone MI 8 simulates $S_j$. The software we use is IntelliJ IDEA 2020.3, and we use the Java language and cryptographic library JPBC-2.0.0 [48] to write programs. In addition, since the cost of ⊕ and in the protocol is too small, its computational size is ignored. The times of various operations are displayed in Table 5, where each operation is run 20 times in the software and the average of the results is taken. In addition, since the running time of the hash function and the fuzzy extraction are similar, we take one of them to calculate. The results of the comparison are presented in Table 6, and more clearly shown in Figure 12. The computational costs of a few $U_i$ in each protocol are illustrated in Figure 13a. Soni et al.'s protocol [23] utilizes point scalar multiplication and fuzzy extractor, and Shuai et al.'s protocol [35] relies on symmetric key encryption/decryption. As a result, both of them incur relatively high computational costs for $U_i$ compared to the other protocols in the comparison. On the other hand, the computational costs of $U_i$ in the remaining protocols show little variation and are relatively lower compared to Soni et al.'s and Shuai et al.'s protocols. Figure 13b depicts the computational costs of a few $S_j$ in each protocol. In our proposed protocol, the computational costs of $S_j$ are higher than in some other protocols, but still lower than the costs in Hajian et al. [33] and Wu et al. To verify the scalability of the protocol, we gradually increased the number of $U_i$ from 20 to 100, while simultaneously increasing the number of $S_j$ from 50 to 250. The results of computational cost as the counts of $U_i$ and $S_j$ surged are presented in Figure 13c,d, respectively. The results demonstrate that our protocol can maintain reasonable computational costs as the quantity of entities grows, ensuring the protocol retains stable performance and efficiency. As a result, our proposed protocol can guarantee scalability.

Communication Cost Comparisons
In the comparison of communication costs, the lengths of the identity, timestamp, hash function, random number, point multiplication, and symmetrically encrypted ciphertext are defined to be 160, 32, 256, 128, 320, and 256 bits, respectively.Here, the communication cost is illustrated using our protocol as an example.The messages  7 and Figure 14, it is evident that our proposed protocol exhibits a slightly higher communication cost compared to Shuai et al.'s protocol [35].However, our proposed protocol still maintains lower communication costs compared to Soni et al. [23], Hajian et al. [33], Wu et al. [47], and Amintoosi et al. [29].

Storage Cost Comparisons
In the comparison of storage costs, the lengths required for various parameters are consistent with the assumptions in Section 5.2.2. Here, we take the registration phases of our proposed protocol as an example. The storage costs required for $U_i$, $GWN$, and $S_j$ are 128 × 2 + 256 = 512 bits, 128 × 3 + 160 × 2 = 704 bits, and 128 × 2 = 256 bits, respectively. The storage cost required for our proposed protocol is 1472 bits. The total storage costs for each protocol are presented in Table 8. From Figure 15, it is evident that Hajian et al.'s protocol [33] demands the highest storage costs. In contrast, our proposed protocol requires the minimum storage costs.
1. Security comparison: Our proposed protocol, along with Wu et al.'s protocol, demonstrates the ability to withstand all known attacks. In contrast, other protocols in the comparison exhibit varying degrees of vulnerability to certain attacks.
2. Performance comparison: Despite having the same security level as Wu et al.'s protocol, our protocol outperforms theirs in terms of computational and storage costs, while also possessing scalability. Additionally, while our computational cost is slightly higher compared to Amintoosi et al.'s protocol, our communication and storage costs are lower than theirs.

Conclusions
In this paper, we emphasized the significance of ensuring secure data transmission within the IoHT environments. We conducted a comprehensive review of the AKA protocols employed in the IoHT context. Subsequently, we thoroughly analyzed Amintoosi et al.'s protocol and identified various security weaknesses, notably PI attacks. In response to these issues, we proposed an enhanced AKA protocol specifically tailored for the IoHT environment. Then, we subjected it to rigorous security analysis using the ROR model, informal security analysis, and the AVISPA tool. Finally, we compared the security and performance aspects of our proposed protocol with existing protocols. The comparison results revealed that our protocol outperforms other protocols in terms of security while maintaining a comparable level of performance, thereby enhancing the feasibility of its practical application. The potential challenge lies in the slightly higher computational and communication costs of the proposed protocol, but this is acceptable in practical applications. Consequently, in future research, we will focus on further enhancing the security and performance of AKA protocols in the IoHT to address evolving needs.

Figure 2. $U_i$'s registration phase of Amintoosi et al.'s protocol.

Figure 3. $S_j$'s registration phase of Amintoosi et al.'s protocol.

(1) Execute(E): This query means that A can intercept messages on the public channel, where E = $\{I^x_{U_i}, I^y_{GWN}, I^z_{S_j}\}$.
(2) Send(E, $M_i$): A is able to acquire the response from E subsequent to transmitting message $M_i$ to E.
(3) Hash(string): A may enter a string to obtain its hash value by performing this query.
(4) Corrupt(E): This query gives A access to the long-term key or temporary information of E.
(5) Test(E): The A would verify the validity of the $SK$ by flipping a coin $c$. When $c = 1$,

Figure 9. The verification result of our protocol for PFS using Ge et al.'s method [45].

Figure 10. Proof of AVISPA. (a) Role specification for user. (b) Role specification for gateway. (c) Role specification for sensor. (d) Role specification for session, goal, environment.

Table 3. Security comparison results.

Table 4. Configuration of simulated devices.

Table 5. Running time of operations.