Securing Group Patient Communication in 6G-Aided Dynamic Ubiquitous Healthcare with Real-Time Mobile DNA Sequencing

Abstract

(1) Background: With an advanced technique, third-generation sequencing (TGS) provides services with long deoxyribonucleic acid (DNA) reads and super short sequencing time. It enables onsite mobile DNA sequencing solutions for enabling ubiquitous healthcare (U-healthcare) services with modern mobile technology and smart entities in the internet of living things (IoLT). Due to some strict requirements, 6G technology can efficiently facilitate communications in a truly intelligent U-healthcare IoLT system. (2) Research problems: conventional single user–server architecture is not able to enable group conversations where “multiple patients–server” communication or “patient–patient” communication in the group is required. The communications are carried out via the open Internet, which is not a trusted channel. Since heath data and medical information are very sensitive, security and privacy concerns in the communication systems have become extremely important. (3) Purpose: the author aims to propose a dynamic group-based patient-authenticated key distribution protocol for 6G-aided U-healthcare services enabled by mobile DNA sequencing. In the protocol, an authenticated common session key is distributed by the server to the patients. Using the key, patients in a healthcare group are allowed to securely connect with the service provider or with each other for specific purposes of communication. (4) Results: the group key distribution process is protected by a secure three-factor authentication mechanism along with an efficient sequencing-device-based single sign-on (SD-SSO) solution. Based on traceable information stored in the server database, the proposed approach can provide patient-centered services which are available on multiple mobile devices. Security robustness of the proposed protocol is proven by well-known verification tools and a detailed semantic discussion. Performance evaluation shows that the protocol provides more functionality and incurs a reasonable overhead in comparison with the existing works.

1. Introduction

Third-generation sequencing (TGS) provides services with long deoxyribonucleic acid (DNA) reads and super short sequencing time [1,2,3]. In this technique, since single DNA molecules are sequenced directly, the sequencing time is reduced to a few hours, and even real-time data analysis process is enabled. In addition, TGS-based sequencers can be miniaturized while its DNA-reading biosensors are placed on the body to monitor human health and vital signs via blood, sweat, saliva, tissue, etc. [3]. This enables an onsite mobile DNA sequencing solution for facilitating ubiquitous healthcare (U-healthcare) services with modern mobile technology and smart systems in the internet of living things (IoLT) [3,4]. For instance, as shown in Figure 1, the SmidgION sequencer is a tiny device designed by the Oxford Nanopore [5] to be run on mobile devices (e.g., smart phones) using small batteries and apps [3]. The biosensors load biological samples into the sequencer, and the genomic data (e.g., FAST5 file, FASTQ file, or TXT file [5]) along with its analytical results are produced, building a sort of “lab-on-a-chip (LOC)” system [3,5,6,7]. Therefore, medical providers can rapidly screen for new viruses, paving a way for further discovering the IoLT. The researchers can also obtain onsite DNA sequences for specific end-to-end analysis. The U-healthcare is directly concerned with patient-centric therapies. To this end, a real-time mobile DNA sequencing service is completely a good fit as it can provide personalized treatments and holds promise for precision medicine research.

Due to its excellent mobility, high operating frequency, high data transfer rate, and super low end-to-end communication delay, 6G mobile technology is attracting much attention in various application fields [9,10,11]. Strict requirements of 6G, which cannot be achieved by 5G, were particularly introduced for the healthcare sector, including an operating frequency of ≥1 THz, data transfer rate of ≥1 Tbps, communication delay of ≤1 ms, mobility of ≥1000 km/h, reliability of ${10}^{-9}$, and a wavelength of ≤300 µm [10]. Due to such advances, 6G can efficiently support artificial intelligence (AI) functionalities [12] with seamless communications. As a matter of fact, it has certain advantages in establishing a truly intelligent U-healthcare IoLT system enabled by real-time mobile NDA sequencing techniques and advanced medical analysis. Patients and healthcare providers are allowed to communicate with each other in a reliable and high-speed network environment, possibly sharing large files or a huge amount of data.

1.1. Research Problems

Apart from individual services, healthcare providers may provide some special treatments for groups of patients (e.g., family). These patients may have similar diseases, signs, or symptoms. They can also be persons those who need similar procedures in the healthcare processes or medical treatments. Traditional single user–server architecture is not able to provide such group conversations where “multiple patients–server” communications and “patient–patient” communications are required.

The communications are carried out via the open Internet, which is not a trusted channel. Because heath data and medical information are very sensitive, security and privacy concerns in the communication systems have become extremely important. Cyber criminals may perform various attacks that can steal personal information of patients, violate user privacy, or disrupt services (e.g., impersonation attacks). During communication, care providers (e.g., medical professionals, physicians, doctors, etc.) also need to verified as a legitimate entity to avoid possibly fraudulent services or fake behaviors.

The U-healthcare services may be provided by different institutions, including hospitals, clinics, etc.; the number of services (e.g., hematologist, cardiologist, gastroenterologist, etc. [13]) is increasing over time. Therefore, the traditional single-server system model would be unable to satisfy the demand of users once they wish to enjoy massive medical services. When using services from multiple providers, remembering massive amounts of credentials (especially user passwords) for the login will certainly induce inconvenience and directly affect the efficiency of communications. In these systems, how to alleviate computational overhead and communicational overhead is also an important concern that needs to be considered.

1.2. Goals and Contributions

This paper proposes a dynamic group-based patient-authenticated key distribution protocol for 6G-aided U-healthcare services enabled by real-time mobile DNA sequencing. In the protocol, an authenticated common session key is distributed by the server to the patients. Using the key, patients in a healthcare group are allowed to securely connect with the service provider or with each other for specific purposes of communication. The author aims to introduce a protocol that achieves multiple innovative functionalities, high security robustness, and reasonable communication overhead. The main contributions of the paper are presented as follows.

(1)

This work is the first to introduce 6G-assisted group-based U-healthcare services enabled by a real-time DNA sequencing technique constructed in IoLT environments. A patient-grouping solution helps in accelerating service communications and achieving better medical-centered services. With the assistance of 6G technology, onsite sequencing data produced by a portable TGS-based sequencer (connected to a patient’s mobile device) is transmitted to the server in a real-time manner for further healthcare processes. Thereafter, the server shares analytical results and related medical information with the patients. These procedures are secured by common group keys generated by the proposed protocol. The server is also allowed to trace the users based on their registered information for achieving a truly patient-centric service.

(2)

In the proposed protocol, a sequencing-device-based single sign-on (SD-SSO) function is introduced for the first time. Patients are allowed to store a single set of credentials (registered with multiple servers) on their DNA sequencers directly. Due to the SSO property, the patients only need to login to the system once per session to communicate with multiple providers. In addition, the proposed SD-SSO function is designed without the participation of a third-party center, which can reduce communication overhead and address the risk of adversaries hacking into the registration center and compromising all servers.

(3)

A three-factor authentication mechanism is enabled in the protocol through the integration of password (the first factor), sequencing device (the second factor), and biometrics (the third factor). Lacking only one of the three factors will result in failure of the authentication. In this way, better patient privacy and perfect forward secrecy of group keys are assured for securing U-healthcare communications. In the protocol, patient password and patient biometrics are changeable, which further enhances the security robustness.

(4)

The author introduces dynamic U-healthcare services enabled by a time-bound function. In this design, different services of a provider or multiple healthcare processes in a single service can be allotted in respective time ranges in accordance with specific requests. This solution makes providers flexibly adjust service time in order to provide more efficient medical processes as well as more convenient treatments for different kinds of patients. Controlling such access to the services using the time bounds can also address possible bottleneck issues where the services are requested at the same time by massive patients. Furthermore, a fast synchronizable key-derivation procedure is provided, which can rapidly reset communication keys for addressing desynchronization problems that could possibly occur in such a dynamic environment.

1.3. Paper Organization

The remainder of this article is structured as follows. Section 2 presents related works of the proposed protocol. Some technical preliminaries used in the work are provided in Section 3. In Section 4, the problem formulation describes the architecture model and formal security model of the proposed work. Section 5 details the design of the proposed protocol. Security evaluation and performance analysis of the proposed protocol are provided in Section 6 and Section 7, respectively. The author concludes the proposal and discusses some of his future research works in the last section of the article.

2. Related Works

2.1. 5G, 6G, and U-Healthcare

In many countries, 5G mobile technology has been successfully developed and deployed as an enabler for supporting various sorts of networks and diverse applications [14]. However, in the era of digital transformation and emerging smart internet of things (IoT) applications, 5G needs some more advances to improve service delivery and business [15]. Moreover, 5G has some drawbacks and limitations in terms of functionalities in healthcare sector; for instance, it cannot provide holographic communication for medical applications due to its lower data rate [9,16]. To this end, 6G was introduced to fully address escalating technical demands, e.g., remote robotic surgery or other truly intelligent healthcare services enabled by the Intelligent Radio (IR) technique [17]. It achieves an ultra-high bandwidth (three times higher than that of 5G [18,19]) and a highly dynamic environment with a terahertz (THz) signal [18]. Therefore, 6G offers an ultra-high data transfer rate for revolutionizing U-healthcare communications. It is also fully backed by satellite [20], which completely facilitates ubiquitous care activities in medical networks at every geographical location. This article introduces a construction of 6G wireless technology for a time-bound-enabled DNA-based group healthcare application via IoLT-based biosensor networks. In addition, to the best of the author’s knowledge, this is the first work to address security and privacy issues in a dynamic U-healthcare communication environment.

2.2. User Authentication and Key Negotiation Solutions

User authentication and key agreement solutions were discussed in many previously published works. Deebak and Al-Turjman [21] introduced a patient authentication scheme used in healthcare systems with cloud services; it overcame several security challenges that had been not successfully addressed in the protocol of Chiou et al. [22], e.g., lost device attacks or server impersonation attacks. Wang et al. [23] also proposed an improved key agreement mechanism for wireless body area networks (WBANs) that resolved some similar issues of Farash et al. [24]’s work. Kumar et al. [25] discussed a single-factor password-based patient authentication solution for cloud-based healthcare systems in the internet of medical things (IoMT). A two-factor data authentication scheme with access control was proposed by Gupta et al. [26] for an industrial healthcare infrastructure. Alam and Kumar [27] designed a session key establishment protocol for ensuring confidentiality of IoMT-based communications in COVID-19 and future pandemic scenarios. In addition, Thakare and Kim [28] discussed another two-factor cryptographic approach for user authentication in IoT networks, and Yu et al. [29] introduced a biometrics-based multi-server user authentication and key agreement mechanism using extended chaotic maps. Wong et al. [30] introduced a three-factor identification model applied to 5G-enabled e-health environments with multi-server architecture. However, Le and Hsu [31] indicated that biometrics noise had not been discussed and resolved in Wong et al. [30]’s work, which always makes the authentication procedure incorrect. Le and Hsu [31] then discussed various solutions [32] (error-correcting codes, fuzzy extractor, biohash function, etc.) for remedying this issue and proposed an improved protocol for securing communications in group e-health services. The author found the protocol of Le and Hsu [31] is not robust against stolen smart-card attacks as adversaries can obtain patients’ passwords in unmasked forms using the power analysis method [33]. Another design of lightweight group key agreement presented by Harn et al. [34] exploited some basic cryptographic operations and explained its potentials in several application networks. Based on principles of elliptic-curve cryptography (ECC), Tselikis et al. [35] also introduced an group key distribution scheme that provided privacy protection for communications. Both Harn et al. [34] and Tselikis et al. [35] did not include either biometric authentication function or three-factor authentication solutions in their designs. Meshram et al. [36] proposed a remote user password-based key negotiation scheme for application in smart cities based on smart cards and extended chaotic maps. Nevertheless, the service provider in Meshram et al. [36]’s scheme has to update a dynamic parameter in the database before each authentication is completed. This would sometimes result in unexpected desynchronization problems in the system. Based on the author’s observation, although Thakare and Kim [28] and Meshram et al. [36] achieved user anonymity in their works, both are not able to assure user untraceability. Communicated transcripts in their proposed schemes contain fixed parameters that give adversaries opportunities to trace users’ identities. Le [37] recently introduced a cross-server-authenticated patient key exchange protocol for U-healthcare in IoLT networks. Apart from its security robustness, Le [37]’s protocol cannot provide truly patient-centric services, as the server does not store any information of patients after its registration procedure finishes. In the registration phase of Le [37]’s approach, some credentials of the patients are stored in a single mobile entity, which cannot make U-healthcare services available on multiple devices. Furthermore, none of the above works discussed dynamic healthcare communication in group-based services.

3. Preliminaries

This section discusses some important technical aspects and mathematical preliminaries employed in the proposed approach, including sequencing biosensor technology, the biohash function, the time-bound function, and security complexity assumptions.

3.1. Sequencing Biosensor Technology

Second-generation sequencing (SGS) techniques, also known as next-generation sequencing (NGS) techniques, enable the process where millions of short deoxyribonucleic acid (DNA) fragments are sequenced in parallel [38]. Nevertheless, SGS comes with some drawbacks, including short read lengths and nonportability of the sequencers. In recent years, innovative healthcare services and medical research have required longer reads and shorter sequencing times, which led to the advent of TGS [3] and fourth-generation sequencing (FGS) [39]. From TGS, single DNA molecules are sequenced directly, reducing processing time from a few days to a few hours and enabling real-time analysis with sequence-based ultrarapid pathogen identification [3]. Sequencing devices can be miniaturized (for instance, SmidgION sequencer), and built-in DNA-reading biosensors on each tiny TGS-based sequencer can collect biological samples for monitoring human health and vital signs. In the proposed protocol, besides the sequencing function, the sequencer also serves as a token that stores user credentials used for authentication process, enabling service availability on multiple mobile devices including smart phones, smart tablets, etc. It is employed as the second authentication factor (something you have) in the proposed approach.

3.2. Biohash Function

As we know, biometric samples are enrolled via a noisy channel. The input biometrics samples in each authentication session are not identical; as a result, it causes false positive errors of the authentication. To this end, the biohash function can map the individuals’ biometrics to specific binary strings and effectively tolerate noise [32]. Security of the biohash function is similar to conventional one-way hash functions [31]. The function also resolves the efficiency issue, which is a drawback of some related ideas, for instance, fuzzy extractor [32].

Definition 1. 

Given a biohash function $h_{bio}$, the original biometrics $B_i$, and the newly input biometrics $B_i^{\prime }$ of an individual, it is inferred that $B_i$ is different to $B_i^{\prime }$, but the difference between them is within a certain threshold. Due to the property of $h_{bio}$, we can achieve $h_{bio}\left(B_i\right)=h_{bio}\left(B_i^{\prime }\right)$.

3.3. Time-Bound Function

Definition 2. 

Given three time points $t,t_1,t_2$ ∈ {1, 2, …, $z$} and two values $p=h^{t_1-1}(▢)$ and $q=h^{z-t_2}(△)$, where $h$ is a one-way hash function and “$▢$, $△$ ” denotes some arbitrary parameters, a value $w=h(h^{t-t_1}(p)||h^{t_2-t}\left(q\right))$ is computable if and only if $t$ satisfies $t_1\le t\le t_2$. Note that $z$ may be 24 (h), 1440 (min), or some value specifying the time of a single day. $z$ may also be set for multiple days or more, based directly on time allocations of specific services and on security level of systems.

3.4. Complexity Assumptions

The ECC is employed in the proposed approach. It is an asymmetric cryptosystem that offers better performance with smaller key space considering the same security level compared with the traditional ones [37]. Therefore, the ECC system is completely suitable for mobile communications in IoLT networks. In the proposed work, the author employs three security assumptions of the ECC including the elliptic curve discrete logarithm problem (ECDLP), the elliptic curve computational Diffie–Hellman problem (ECCDHP), and the elliptic curve factorization problem (ECFP). Suppose there is an elliptic curve $Ep\left(a,b\right):y^2=x^3+ax+b(mod p)$ over a finite field Fp with a basic point $G_{(x,y)}\in E_p$; the assumptions are defined as follows.

Definition 3. 

The ECDLP is to find the scalar $k\in Z_p$ such that $K_{(x,y)}=k·G_{(x,y)}$, given $G_{(x,y)},K_{(x,y)}\in E_p$.

Definition 4. 

The ECCDHP is to find the point $s·t·G_{(x,y)}\in E_p$, given $s,t\in Z_p$ and $G_{(x,y)},s·G_{\left(x,y\right)},t·G\in E_p$.

Definition 5. 

The ECFP is to find two points $s·G_{(x,y)},t·G_{(x,y)}\in E_p$, given $s,t\in Z_p$ and $G_{\left(x,y\right)},[s+t]·G_{(x,y)}\in E_p$.

4. Problem Formulation

This section discusses in details system model of the proposed approach along with some well-known adversarial capabilities. A well-known security model is also formulated based upon the rule of the protocol. Main cryptographic functions and notations used in the work are tabulated in

Table 1. Notations used in the proposed approach.

Notation Used in the Protocol	Explanation
$S_j$	The $j^{th}$ server
$P_i$	The $i^{th}$ patient
${prk}_j,{puk}_j$	Private key, public key of $S_j$
$P_{(x,y)}$	Basic point on the curve $Ep(a,b)$ with two coordinates $x$ and $y$
${ID}_i$	Identity of $P_i$
${PW}_i$	Password of $P_i$
$B_i$	Biometrics of $P_i$
${MD}_i$	Mobile device of $P_i$
${SD}_i$	Sequencing device (sequencer) of $P_i$
$T$	Timestamp
$||$	Concatenating operation
⊕	Exclusive-or (XOR) operation
$h\left(·\right),h_{bio}(·)$	One-way hash function, biohash function
${SE}_k\left(·\right),{SD}_k\left(·\right)$	Symmetric encryption, symmetric decryption using a key k
${[·]}_{{SD}_i}$	Storing parameters in ${SD}_i$
𝒜	Adversary

.

4.1. System Model and Adversarial Capabilities

As shown in Figure 2, the main communicating entities in the system include patient $P_i$ (in a group of multiple patients) and servers $S_j$ (e.g., private doctors, genomic data scientists, etc.) who communicate with each other for conducting group services. DNA-based U-healthcare includes various services, namely, disease virus control, body fluid monitoring, blood-based prognostic tracking, and so on [3,40]. Taking family healthcare services as an example, multiple members $P_i$ in a family may request a common DNA-based healthcare service provided by $S_j$. The service allows the family members to obtain medical data shared among them and to know of the health status of each other conveniently. As a spiritual element, family plays an important role in promoting our health as well as in improving quality of life [41]. In case of need, a family member may also render timely assistance to doctors in observing the other members’ states of illness. Thus, it would significantly improve efficiency of long-term care or treatments and help in reducing the risk of medical incidents. To trigger the services, biological samples of $P_i$ (e.g., saliva) are loaded into the sequencer ${SD}_i$ that is inserted into $P_i$’s mobile device ${MD}_i$ in advance. Next, an onsite sequencing and data analysis process is run directly on ${SD}_i$; the DNA sequencing data generated is transmitted to $S_j$ for point-of-care services. This procedure is secured by the group session key distributed by $S_j$ to $P_i$ in the proposed protocol. Since all patients receive an identical key from $S_j$, $P_i$ is also able to share the data with other patients in the group. Thereafter, analytical results and related medical information based on the received DNA data are encrypted by the key before being sent back to a single patient or to multiple patients of the group. In the proposed architecture, these communications are carried out via the IR signal of the 6G technology. Due to its extremely high data transfer rate, 6G can offer a fully seamless experience for real-time U-healthcare services with large data sets produced by onsite mobile DNA sequencing. $P_i$ can enjoy the services without constraints of time and physical location. As mentioned, a dynamic healthcare solution is also introduced in the system which allows the services to be flexibly allotted by separate time-bounds based on specific requests. Furthermore, the author recommends integrating some related advances, e.g., WBAN, into the system to enhance efficiency of the overall healthcare treatment process.

Prior to starting using the above services, $P_i$ should register with multiple $S_j$ using three factors, namely, password ${PW}_i$, sequencing device ${SD}_i$, and his/her biometrics $B_i$, establishing a multi-server communication environment. In order to receive the group keys, $P_i$ uses a single set of registered credentials stored in ${SD}_i$ to carry out the SD-SSO that sends a login and authentication request to $S_j$ through a public IoLT network. In such an unreliable channel, there are possible security attacks that may induce serious consequences, e.g., violating patient privacy, destructing system architecture, or reducing reliability and quality of service, etc. Based on the author’s observation, an adversary 𝒜 may have the following capabilities to attack the proposed communication system.

• 𝒜 has full control over the open IoLT, which enables 𝒜 to intercept, insert, delete, or replay any transcripts conveyed between $P_i$ and $S_j$.
• 𝒜 may attempt to attack the past communications between $P_i$ and $S_j$ based on secret parameters or on a group session key 𝒜 somehow retrieves from the current communicated messages.
• 𝒜 may attempt to extract the secret values or registered credentials stored in a compromised ${SD}_i$ and use them to attack the communication.
• 𝒜 may be a privileged insider (e.g., member of a maintenance team) who can launch even more serious attacks upon a patient’s registered information obtained from ${DB}_j$.
• 𝒜 may also be a corrupted $P_i$ or $S_j$ that can trigger similar attacks on the communication.

4.2. Formal Security Model

Real-or-Random (RoR) is a well-known formal model used for analyzing success probability of an adversary in attacking cryptographic protocols [42]. In the model, suppose there are two main entities including a patient $P$ and a server $S$ who are communicating with each other via a public channel. Ç denotes a protocol challenger while the message communicated by $P$ and $S$ is denoted as $m$. The following queries should be executed by an adversary 𝒜 to make various attacks.

(1)

Send(Ç, $m$): This query allows 𝒜 to request a message $m$ to Ç; Ç replies to 𝒜 based upon the procedure of the proposed protocol.

(2)

Execute($P,S$): In this query, 𝒜 is allowed to eavesdrop the message $m$ conveyed between $P$ and $S$.

(3)

Reveal(Ç): This query enables 𝒜 to retrieve a session key computed by Ç in accordance with the procedure of the protocol.

(4)

Corrupt$(P,w)$: In a three-factor authentication protocol, this query returns to 𝒜 password ${PW}_i$, parameters stored in sequencing device ${SD}_i$, and biometrics $B_i$ if $w=1$, $w=2$, and $w=3$, respectively.

(5)

Test(Ç): This is a statistical test query. 𝒜 is allowed to directly request Ç for the session key; Ç probabilistically replies to 𝒜 upon the outcome of a tossed coin $b$.

Definition 6. 

Let ${Adv}_{Ç}^{IoLTHC}$ be the advantage of 𝒜 running in polynomial time in a semantically breaking security system of the proposed protocol. We have ${Adv}_{Ç}^{IoLTHC}=\left|2\mathit{Pr}\left[b^{\prime }=b\right]-1\right|$, where $IoLTHC$ stands for IoLT-based healthcare and $b^{\prime }$ is denoted as a guessed bit of the key.

5. The Proposed Protocol

There are five procedures in the proposed protocol, including setup; user registration, login, and authentication; synchronizable key derivation; and password and biometrics change. For facilitating NDA-based U-healthcare processes, $S_j$ is allowed to securely distribute a common key to a group of multiple $P_i$. The design details are as follows.

5.1. Setup Phase

At first, the system selects an elliptic curve over a finite field Fp $Ep\left(a,b\right):y^2=x^3+ax+b(mod p)$ with a basic point $P_{(x,y)}$ of the order $n$ of an additive cyclic group, where $p$ is k-bit prime and $n$ is a large number. For a neat design, the coordinates $x$ and $y$ of $P_{(x,y)}$ are always ignored during procedures of the protocol. $S_m$ chooses a secret private key ${prk}_j$ and computes its public key ${puk}_j={prk}_j·P$.

5.2. Registration Phase

This phase is carried out via a secure channel. $P_i$ registers with $S_j$ to become a legitimate patient for using U-healthcare services. As depicted in Figure 3, $P_i$ and $S_j$ perform the following steps for this procedure.

Step R1: $P_i$ inserts ${SD}_i$ into ${MD}_i$ and selects an identity ${ID}_i$, a password ${PW}_i$, and a biometrics value $B_i$. $P_i$ selects a random number $\sigma$, and computes $PB=h({ID}_i|\left|{PW}_i\right||h_{bio}(B_i)||\sigma )$. Next, $P_i$ sends $\{{ID}_i,PB\}$ to $S_j$.

Step R2: Receiving the message $\{{ID}_i,PB\}$, $S_j$ computes ${CID}_i=h\left({ID}_i\oplus {prk}_j\right)$ and checks if ${CID}_i$ exists in ${DB}_j$, which can trace registered users for achieving patient-centered services in the U-healthcare system. Next, $S_j$ computes $W_i=[{CID}_i+PB]P$, stores ${CID}_i$ in ${DB}_j$, and sends $\{W_i,puk\}$ to $P_i$.

Step R3: Upon the received $\{W_i,{puk}_j\}$, $P_i$ computes $V=h({ID}_i\left|\left|PB\right|\right|\sigma )$ and ${\epsilon }_i=\sigma \oplus h({ID}_i|\left|{PW}_i\right||h_{bio}(B_i))$. Finally, $P_i$ stores $\{W_i,V,{\epsilon }_i,{puk}_j\}$ in ${SD}_i$ and the registration is completed. In this way, the service availability is enabled on multiple mobile devices ${MD}_i$.

Remark 1: 

Each $P_i$ has a unique value of ${CID}_i$ stored in ${DB}_j$. Based on ${CID}_i$, $S_j$ can easily identify $P_i$, refer to the past records, and focus on the particular care needs of $P_i$, enabling patient-centered services.

5.3. Login and Authentication Phase

This procedure is carried out via a public channel. $P_i$ uses their registered credentials to login to $S_j$. $P_i$ and $S_j$ authenticate with each other and compute a secret shared session key used for group healthcare communications. Suppose there are $n$ patients participating in a group communication, Figure 4 presents the procedure where a session key is established.

Step A1: $P_i$ inserts ${SD}_i$ into ${MD}_i$ and enters credentials ${ID}_i^{\mathrm{*}},{PW}_i^{\mathrm{*}},B_i^{\mathrm{*}}$. $P_i$ computes ${\sigma }_i={\epsilon }_i\oplus h({ID}_i^{\mathrm{*}}|\left|{PW}_i^{\mathrm{*}}\right||h_{bio}(B_i^{\mathrm{*}}))$ and ${PB}^{\mathrm{*}}=h({ID}_i^{\mathrm{*}}|\left|{PW}_i^{\mathrm{*}}\right||h_{bio}(B_i^{\mathrm{*}})||\sigma )$. The check $V\stackrel{?}{=}h({ID}_i^{\mathrm{*}}||{PB}^{\mathrm{*}}||\sigma ))$ is performed. If the check holds, the SD-SSO is completed and $P_i$ is allowed to select a server $S_j$ in the interface of an app installed in ${MD}_i$ for enjoying a specific service. To this end, $P_i$ chooses a random number $a_s$ and a timestamp $T_p$, then computes $R_i=a_i·P=(x_{Ri},y_{Ri})$, $M_i=a_i·{puk}_j=(x_{Mi},y_{Mi})$, ${TID}_i=W_i-{PB}^{\mathrm{*}}·P=\left(x_{Ti},y_{Ti}\right)$, ${DID}_i={ID}_i^{\mathrm{*}}\oplus y_{Mi}$, and ${Auth}_i=h(x_{Ti}||x_{Mi}||T_p)$. $P_i$ conveys message $\{{DID}_i,R_i,{Auth}_i,T_p\}$ to $S_j$ for the purposed of login.

Step A2: Upon receiving the message $\{{DID}_i,R_i,{Auth}_i,T_p\}$, $S_j$ checks the timestamp $T_p$ and computes $M_i^{\mathrm{*}}={prk}_j·R_i=(x_{Mi}^{\mathrm{*}},y_{Mi}^{\mathrm{*}})$ and ${ID}_i^{\mathrm{*}}={DID}_i\oplus y_{Mi}^{\mathrm{*}}$. $S_j$ checks ${CID}_i\stackrel{?}{=}h({ID}_i^{\mathrm{*}}\oplus {prk}_j)$ in its database and checks ${Auth}_i\stackrel{?}{=}h(x_{Ti}^{\mathrm{*}}\left|\left|x_{Mi}^{\mathrm{*}}\right|\right|T_p)$ for confirming the legitimacy of $P_i$. Next, $S_j$ determines a time bound $(t_1,t_2)$, chooses two random numbers $b_j,c_j$, and computes a group dynamic key at a time point $t$ by ${gk}_t=h(h^{t-1}(h({prk}_j|\left|b_j\right))||h^{z-t}\left(h({prk}_j||c_j)\right))$. $S_j$ computes ${TB}_1=h^{t_1-1}(h({prk}_j||b_j))$, ${TB}_2=h^{z-t_2}(h({prk}_j||c_j))$, $Y_j=b_j\oplus h({ID}_i^{\mathrm{*}}|\left|y_{Ti}^{\mathrm{*}}\right||T_s)$, $ck=({TB}_1||{TB}_2||t_1||t_2)$, and $H_j=h(b_j||T_s)$. The value $ck$ is masked by generating multiple $\left[\begin{array}{c}{x}_1\\ x_2\\ \begin{array}{c}⋮\\ x_n\end{array}\end{array}\right]={\left[\begin{array}{ccc}\begin{array}{c}{H}_{j,1}^1\\ H_{j,2}^1\\ ⋮\end{array}& \begin{array}{cc}{H}_{j,1}^2& \dots \\ H_{j,2}^2& \dots \\ ⋮& \ddots \end{array}& \begin{array}{c}{H}_{j,1}^n\\ H_{j,2}^n\\ ⋮\end{array}\\ H_{j,n}^1& \begin{array}{cc}{H}_{j,n}^2& \dots \end{array}& H_{j,n}^n\end{array}\right]}^{-1}\left(\left[\begin{array}{c}\begin{array}{c}h(y_{Ti,1}^{\mathrm{*}}||T_s)\\ h(y_{Ti,2}^{\mathrm{*}}||T_s)\end{array}\\ ⋮\\ h(y_{Ti,n}^{\mathrm{*}}||T_s)\end{array}\right]-\left[\begin{array}{c}ck\\ ck\\ \begin{array}{c}⋮\\ ck\end{array}\end{array}\right]\right)$. $S_j$ conveys a message $\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$ to $P_i$.

Step A3: Upon receiving the above message, $P_i$ checks the timestamp $T_s$ and computes $b_j=Y_j\oplus h({ID}_i^{\mathrm{*}}||y_{Ti}||T_s$, $H_j=h(b_j||T_s)$, and ${ck}^{\mathrm{*}}=h(y_{Ti}||T_s)-\left[\begin{array}{cc}{H}_{j,1}^{\prime 1}& \begin{array}{ccc}{H}_{j,1}^{\prime 2}& \dots & H_{j,1}^{\prime n}\end{array}\end{array}\right]\left[\begin{array}{c}{x}_1\\ x_2\\ \begin{array}{c}⋮\\ x_n\end{array}\end{array}\right]$. Next, $S_j$ checks ${Auth}_j\stackrel{?}{=}h(y_{Ti}||{ID}_i||b_j||{ck}^{\mathrm{*}})$. If the check holds, the value ${ck}^{\mathrm{*}}=({TB}_1||{TB}_2||t_1||t_2)$ is successfully verified. $S_j$ computes the dynamic group key at the time point $t$ by ${gk}_t=h(h^{t-t_1}({TB}_1)||h^{t_2-t}\left({TB}_2\right))$. In this way, all members $P_i$ in a group of $n$ patients have received the same key ${gk}_t$ for U-healthcare communications.

Remark 2: 

The design allows the time bound $(t_1,t_2)$ to be flexibly changed without having to renew the registration. $P_i$ would be notified of the updated time bound through the app’s notification during the communication session or through some channel (e.g., email) before the communication gets started.

Remark 3: 

Upon specific requests, $P_i$ and $S_j$ are allowed to compute multiple group keys at different time points $t$ by ${gk}_t=h(h^{t-1}(h({prk}_j|\left|b_j\right))||h^{z-t}\left(h({prk}_j||c_j)\right))$ and by ${gk}_t=h(h^{t-t_1}({TB}_1)||h^{t_2-t}\left({TB}_2\right))$, respectively. The key ${gk}_t$ is used as a symmetric encryption key to protect communications between $S_j$ and multiple $P_i$, and between $P_i$ and $P_i$.

5.4. Synchronizable Key-Derivation Phase

In this procedure, $P_i$ and $S_j$ are allowed to quickly compute a new group key to enhance security and to address desynchronization problems in patient–patient communications or in patient–server communications. For example, $S_j$ distributes a key ${gk}_8$ at 8:00 a.m. to the group; then, $S_j$ uses this key for encrypting the data; if a patient $P_i$ joins the communication at 9:00 a.m. and obtains the key ${gk}_9$, $P_i$ is not able to decrypt the data encrypted using ${gk}_8$. It is likely that multiple patients would be in this situation or that some similar situations happen at the same time. This causes a serious communicational desynchronization in the system, since multiple keys would be generated at different time points for a single service. To this end, two values ${TB}_1$ and ${TB}_2$ should be renewed in order to reset the communication with a new common key computed without having to repeat the many steps of the previous procedure. Figure 5 describes specific steps performed in this phase.

Step D1: $S_j$ generates a number $d$, which can be regarded as the number of key derivations. Upon a time point $t^{*}$, $S_j$ computes a new group key ${gk}_{t^{*}}^d=h(h^{t^{*}-1}(h({prk}_j|\left|b_j\right||d)||h^{z-t^{*}}\left(h({prk}_j|\left|c_j\right||d)\right))$ and two new values ${TB}_1^d=h^{t_1-1}(h({prk}_j||b_j||d))$ and ${TB}_2^d=h^{z-t_2}(h({prk}_j|\left|c_j||d\right))$. $S_j$ generates a symmetric ciphertext $C_d={SE}_{{gk}_t}({TB}_1^d||{TB}_2^d)$ using previous key ${gk}_t$, and conveys $\left\{C_d\right\}$ to $P_i$.

Step D2: Upon receiving the message, $P_i$ decrypts $C_d$ and obtains ${TB}_1^d,{TB}_2^d$. Finally, $P_i$ computes the new group key by ${gk}_{t^{\mathrm{*}}}^d=h(h^{t^{\mathrm{*}}-t_1}({TB}_1^d)||h^{t_2-t^{\mathrm{*}}}\left({TB}_2^d\right))$ at the time point $t^{\mathrm{*}}$. In this way, the key ${gk}_t$ computed in the previous phase (Section 5.3) is changed to the key ${gk}_{t^{\mathrm{*}}}^d$ for resolving possible desynchronization issues of similar communications.

Remark 4: 

The time point $t$ and the time point $t^{*}$ may or may not be identical based on the time allocation of specific services.

5.5. Password and Biometrics Change Phase

This procedure allows $P_i$ to change their password and biometrics to enhance security. As shown in Figure 6, $P_i$ and ${SD}_i$ perform the following steps for updating these credentials.

Step C1: $P_i$ inserts ${SD}_i$ and enters ${ID}_i^{\prime },{PW}_i^{\prime },B_i^{\prime }$. ${MD}_i$ computes $\sigma ={\epsilon }_i\oplus h({ID}_i^{\prime }|\left|{PW}_i^{\prime }\right||h_{bio}(B_i^{\prime }))$ and ${PB}^{\prime }=h({ID}_i^{\prime }|\left|{PW}_i^{\prime }\right||h_{bio}(B_i^{\prime })||\sigma )$. It checks $V\stackrel{?}{=}h({ID}_i^{\prime }||{PB}^{\prime }||\sigma )$. If the check holds, $P_i$ is requested to enter new password ${PW}_i^{new}$ and new biometrics $B_i^{new}$.

Step C2: Receiving ${PW}_i^{new},B_i^{new}$ from $P_i$, ${SD}_i$ chooses a new ${\sigma }^{new}$ and computes ${\epsilon }_i^{new}={\sigma }^{new}\oplus h({ID}_i^{\prime }|\left|{PW}_i^{new}\right||h_{bio}(B_i^{new}))$, ${PB}^{new}=h({ID}_i^{\prime }|\left|{PW}_i^{new}\right||h_{bio}(B_i^{new})||{\sigma }^{new})$, $W_i^{new}=W_i+\left[{PB}^{new}-PB\right]P$, and $V_{new}=h({ID}_i^{\prime }||{PB}^{new}||{\sigma }^{new})$. ${MD}_i$ replaces $W_i,V,{\epsilon }_i$ with $W_i^{new},V_{new},{\epsilon }_i^{new}$ in ${SD}_i$.

6. Security Certificate

In this section, the author provides the security certificate of the proposed protocol. An informal discussion, a logical analysis using BAN logic, and a formal mathematical proof using the RoR model are included for security evaluation as follows.

6.1. Sematic Security Discussion

In this subsection, the prevention of various well-known attacks in the protocol is presented in a detailed manner. The author also discusses multiple functionalities and security features achieved by the proposed work.

(1)

Replay attacks: Suppose the message $\{{DID}_i,R_i,{Auth}_i,T_p\}$ is intercepted by 𝒜 and it is resent to $S_m$ to launch a replay attack in the next session. However, timestamp $T_p$ in the protocol is employed to check if the message is resent. Moreover, when receiving the message $\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$, 𝒜 will also fail to compromise the key ${gk}_t$ since 𝒜 does not know of ${ID}_i,y_{Ti}$ for retrieving the number $b_j$. Therefore, the replay attack is prevented in the proposed protocol.

(2)

MITM attacks: On the received message $\{{DID}_i,R_i,{Auth}_i,T_p\}$, 𝒜 may insert forged parameters and generate a candidate login message. 𝒜 aims to act as a middle man to compromise the conveyed messages without being noticed by $P_i$ and $S_j$. However, without the private key ${prk}_j$, 𝒜 is not able to compute sufficient parameters for the verifications on ${CID}_i$ and ${Auth}_i$. Similarly, without $y_{Ti}$ and ${ID}_i$, 𝒜 can also not compute a valid message $\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$ for the check on ${Auth}_j$ on the patient side. As a result, the protocol is free from MITM attacks.

(3)

Password and biometrics guessing attacks: At first, 𝒜 may attempt to directly enter a candidate password for logging to the system. However, the login request will be immediately rejected by ${SC}_i$ upon the check $V\stackrel{?}{=}h({ID}_i^{*}||{PB}^{*}||\sigma )$. Suppose the hash value $PB$ is somehow known to 𝒜, then 𝒜 attempts to guess ${PW}_i$ based on $PB$. Other than ${PW}_i$, the values ${ID}_i,{PW}_i,h_{bio}\left(B_i\right),\sigma$ are also included in the function generating $PB$. Therefore, it is extremely hard (with a negligible success probability) for 𝒜 to guess the correct ${PW}_i$ by computing candidate hashes and comparing them with the original $PB$. Using similar arguments, the biometrics $B_i$ is also completely protected during the communication process. Moreover, my work provides password and biometrics update functions that further assure the security of ${PW}_i$ and $B_i$. Therefore, a robust three-factor authentication mechanism is achieved in the proposed protocol.

(4)

Impersonation attacks: Suppose the identity ${ID}_i$ is somehow disclosed, then 𝒜 obtains and uses it to generate a fake login message for impersonating $P_i$. However, it is not possible for 𝒜 to launch this impersonation attack without ${PW}_i,B_i$ since the protocol can resist password and biometrics guessing attacks, as stated above. Moreover, without the knowledge of $y_{Ti}$, 𝒜 can also not retrieve $b_j$ for further steps upon the known ${ID}_i$. Thus, impersonation attacks are resisted in the proposed protocol.

(5)

Lost/stolen sequencer attacks: Suppose 𝒜 has somehow stolen the sequencer ${SD}_i$; then, 𝒜 retrieved all stored parameters. However, the important credentials ${ID}_i,{PW}_i,B_i$ are not stored in ${SD}_i$ directly. Obtaining the parameters $W_i,V,{\epsilon }_i,{puk}_j$ inside ${SD}_i$ is not sufficient for passing the verification $V\stackrel{?}{=}h({ID}_i^{*}||{PB}^{*}||\sigma )$ and for generating a valid login request message $\{{DID}_i,R_i,{Auth}_i,T_p\}$. Thus, my protocol is robust against lost/stolen sequencer attacks.

(6)

Desynchronization attacks: Two acknowledgement values ${Auth}_i$ and ${Auth}_j$ generated by $P_i$ and $S_j$, respectively, are used for assuring a robust mutual authentication in the proposed protocol. ${Auth}_i$ and ${Auth}_j$ are deleted after the login and authentication procedure session is completed. In addition, after each synchronizable key-derivation procedure finishes, $P_i$ and $S_j$ do not update or store any redundant parameters used for the next communication sessions. Hence, desynchronization problems and related attacks are prevented in my work.

(7)

Privileged insider attacks: Suppose there is a privileged insider 𝒜 who can monitor data transmission during the registration and capture message $\{{ID}_i,PB\}$. Upon the reception of ${ID}_i$, it is not possible for 𝒜 to compromise the communication due to the stated resistance to impersonation attacks. Using the value $PB$, 𝒜 is also not able to compute a correct ${TID}_i$ for the attack on ${Auth}_i$ without $W_i$ stored in the smart card. In another scenario, even if 𝒜 somehow obtains ${CID}_i$ in the database, 𝒜 still cannot pass the server verification without ${ID}_i$. Thus, the protocol can resist privileged insider attacks.

(8)

DoS attacks: For analysis of DoS attacks, the author discusses some possible threats that may affect communication performance of the protocol. In the login phase, the system verifies $P_i$ by $V\stackrel{?}{=}h({ID}_i^{*}||{PB}^{*}||\sigma )$ upon the newly input credentials ${ID}_i^{*},{PW}_i^{*},B_i^{*}$. If the check is not successful, the session will be immediately terminated. Hence, it is not possible for 𝒜 is not able to flood the login and authentication procedure using multiple subsequent steps. On the other hand, upon the received message from $P_i$, $S_j$ only operates two minor computations $M_i^{*}={prk}_j·R_i$ and ${ID}_i^{*}={DID}_i\oplus y_{Mi}^{*}$ before the check ${CID}_i\stackrel{?}{=}h({ID}_i^{*}\oplus {prk}_j)$ is made. Retransmitting massive messages $\{{DID}_i,R_i,{Auth}_i,T_p\}$ to $S_j$ for disrupting its services would not be an efficient attack due to the redundant resources of $S_j$. Moreover, the communication will also be terminated once the check $∆(T_p,T_c)$ does not hold in the beginning. Therefore, DoS attacks are prevented in the protocol.

(9)

Robust mutual authentication: In the proposed communication, $P_i$ should be authenticated as a legitimate patient for preventing patients’ identities and possibly costly services from being compromised. Upon receiving the login request $\{{DID}_i,R_i,{Auth}_i,T_p\}$ from $P_i$, using the private key, $S_j$ computes $M_i^{*}$ and retrieves ${ID}_i^{*},{CID}_i,{DID}_i$. These parameters are used for the verification ${Auth}_i\stackrel{?}{=}h(x_{Ti}^{*}\left|\left|x_{Mi}^{*}\right|\right|T_p)$ that confirms the legitimacy of the patient $P_i$. On the other hand, based on the message $\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$, $P_i$ retrieves the number $b_j$ to compute $H_j,{ck}^{*}$. These parameters are used for the check ${Auth}_j\stackrel{?}{=}h(y_{Ti}||{ID}_i||b_j||{ck}^{*})$ of the acknowledgement that confirms legitimacy of the server $S_j$ and assures true service provision. If one of the above checks fails, the session will be terminated and the session key will not be established successfully. Hence, a robust mutual authentication is achieved in the proposed protocol.

(10)

Patient anonymity and untraceability: The identity ${ID}_i$ is hidden in the parameter ${DID}_i$ of the login message $\{{DID}_i,R_i,{Auth}_i,T_p\}$ requested by $P_i$. Also, the message $\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$ sent by $S_j$ does not reveal ${ID}_i$ to the public. Therefore, the anonymity of ${ID}_i$ is guaranteed during the login and authentication process. The parameters contained in $\{{DID}_i,R_i,{Auth}_i,T_p\}$ and $\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$ in respective communication sessions are totally not identical since different random numbers and timestamps are used for the computations. Therefore, 𝒜 is not able to identify any two login messages sent by the same patient $P_i$. Hence, the proposed protocol achieves patient anonymity and patient untraceability.

(11)

Message unlinkability: When linking the parameters of all messages $\{{DID}_i,R_i,{Auth}_i,T_p,\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$ to each other, there are not any fixed values found. It means that it will not allow 𝒜 to trace $P_i$ for the purpose of guessing $P_i$’s identity. Thus, a message unlinkability feature is achieved in the proposed protocol.

(12)

Perfect forward secrecy: Suppose some sensitive data, secret parameters, or even a session key established in the current session are somehow revealed to 𝒜. Upon receiving these vales, 𝒜 attempts to attack the past communications. However, it is not possible for 𝒜 to launch the attack since the values are completely not identical in different communication sessions due to the inclusion of random numbers and timestamp values in the computations. For instance, 𝒜 cannot use the currency key ${gk}_t^{current}=h(h^{t-t_1}({TB}_1)||h^{t_2-t}\left({TB}_2\right))$ to compromise the message encrypted using a key ${gk}_t^{past}$ established in the past session. If the long-term private key ${prk}_j$ of $S_j$ is compromised, the secrecy of ${gk}_t^{past}$ is also not affected, because there are no associated parameters between them. Hence, a perfect forward secrecy is achieved in my protocol.

(13)

Perfect backward secrecy (known-key security): With similar arguments, the protocol is proven not to be vulnerable to a known-key attack, since compromise of the past key ${gk}_t^{past}$ does not allow either a passive 𝒜 to compromise the future key ${gk}_t^{future}$ or impersonation by an active 𝒜 in the future.

6.2. Logical Analysis Using BAN logic

In this subsection, the well-known BAN logic [43] is employed to further provide a logical analysis on the mutual authentication between $P_i$ and $S_j$. Some rules and analytical logics in the tool are defined in advance. Next, the analysis demonstrates that $P_i$ and $S_j$ believe the key ${gk}_t$ is a secret value shared between them only. Some notations used for the analysis are provided in

Table 2. Notations used in the analysis with BAN logic.

Notations Used in the BAN	Explanation
X |≡ M	X believes a statement M
X ⊲ M	X sees the statement M
X |~ M	X once said the statement M
X ⟹ M	X has jurisdiction over the statement M
(M, N)	M or N is one part of the formula (M, N)
${⟨M⟩}_N$	The statement M is combined with the formula N
#(M)	The formula M is fresh, meaning it has not been sent in any previous messages
$X\stackrel{K}{\iff }Y$	Formula K is a secret known only by X and Y; only X and Y can use M to authenticate each other
$X\stackrel{G}{\leftrightarrow }Y$	Value G is known only to X and Y; it is used for their communication

.

In accordance with the principle of BAN logic and operation rules in my proposed protocol, the mutual authentication proof should satisfy the following four goals. In the protocol, the value $ck$ is utilized by $S_j$ to distribute ${TB}_1$ and ${TB}_2$ to $P_i$ for computing the group key ${gk}_t$. Therefore, authenticity of both $ck$ and ${gk}_t$ should be proven, which can guarantee a completely authenticated key shared between the entities.

Goal 1: $S_j$ |≡ $(P_i\stackrel{{gk}_t}{\leftrightarrow }{S}_j)$. $S_j$ believes that the key ${gk}_t$ computed is a secret value shared between $P_i$ and $S_j$. (G1)

Goal 2: $S_j$ |≡ $(P_i\stackrel{ck}{\leftrightarrow }{S}_j)$. $S_j$ believes that the key $ck$ computed is a secret value shared between $P_i$ and $S_j$. (G2)

Goal 3: $P_i$ |≡ $(P_i\stackrel{ck}{\leftrightarrow }{S}_j)$. $P_i$ believes that the key $ck$ computed is a secret value shared between $P_i$ and $S_j$. (G3)

Goal 4: $P_i$ |≡ $(P_i\stackrel{{gk}_t}{\leftrightarrow }{S}_j)$. $P_i$ believes that the key ${gk}_t$ computed is a secret value shared between $P_i$ and $S_j$. (G4)

Two messages communicated in the login and authentication procedure of the protocol are included in the authentication proof.

Message 1: $P_i\to S_j:({ID}_i^{\mathrm{*}}\oplus y_{Mi},x_{Ri},y_{Ri},h(x_{Ti}||x_{Mi}||T_p),T_p)$

Message 2: $S_j\to P_i:(\left[x_1,x_2,\dots ,x_n\right],b_j\oplus h({ID}_i^{\mathrm{*}}|\left|y_{Ti}^{\mathrm{*}}\right||T_s),h(y_{Ti}^{\mathrm{*}}||{ID}_i||b_j|\left|ck\right),T_s)$

Some logical rules of the tool used in the proof are provided as follows.

• Seeing rule (R1): $\frac{X\stackrel{K}{\iff }Y,Y⊲{⟨A⟩}_K}{X\left|\equiv Y\right|~A}$;
• Interpretation rule (R2): $\frac{X\left|\equiv Y\right|~(A,B)}{X\left|\equiv Y\right|~A}$;
• Freshness rule (R3): $\frac{X|\equiv \#(A)}{X|\equiv \#(A,B)}$;
• Verification rule (R4): $\frac{X|\equiv \#\left(A\right),X|\equiv Y|~A}{X|\equiv Y|\equiv A}$;
• Jurisdiction rule (R5): $\frac{X|\equiv Y⟹A,X|\equiv Y|\equiv A}{X|\equiv A}$;
• Belief rule (R6): $\frac{X|\equiv (A,B)}{X|\equiv A}$.

Along with the rules, the following assumptions are also used in the analysis.

• Assumption 1 (A1): $S_j$ |≡ $P_i\stackrel{K_{ij}}{\iff }{S}_j$;
• Assumption 2 (A2): $S_j$ |≡ $\#(T_p)$;
• Assumption 3 (A3): $S_j|\equiv P_i⟹(x_{Ti},x_{Mi},T_p)$;
• Assumption 4 (A4): $S_j⟹(t_1)$;
• Assumption 5 (A5): $S_j⟹(t_2)$;
• Assumption 6 (A6): $S_j⟹(b_j)$;
• Assumption 7 (A7): $S_j⟹(c_j)$;
• Assumption 8 (A8): $S_j⟹({prk}_j)$;
• Assumption 9 (A9): $P_i$ |≡ $\#(T_s)$;
• Assumption 10 (A10): $P_i|\equiv S_j⟹(\left[x_1,x_2,\dots ,x_n\right],b_j,y_{Ti},T_s)$;
• Assumption 11 (A11): $P_i⟹({ID}_i)$.

In this way, an idealized form of the communicated messages is described as follows.

Message 1: $P_i\to S_j:({⟨I{D}_i,y_{Mi}⟩}_{K_{ij}},x_{Ri},y_{Ri},{⟨x_{Ti},x_{Mi},T_p⟩}_{K_{ij}},T_p)$

Message 2: $S_j\to P_i:([x_1,x_2,\dots ,x_n],{⟨b_j,I{D}_i,y_{Ti},T_s⟩}_{K_{ij}},{⟨y_{Ti},I{D}_i,b_j,ck⟩}_{K_{ij}},T_s)$

Based on the specified rules, assumptions, and procedure of the protocol, the logical analysis of mutual authentication between $P_i$ and $S_j$ in the proposed protocol is described by the following steps.

• ${Step}_1$: Based on the Message 1, we have $S_j⊲({⟨I{D}_i,y_{Mi}⟩}_{K_{ij}},x_{Ri},y_{Ri},{⟨x_{Ti},x_{Mi},T_p⟩}_{K_{ij}},T_p)$.
• ${Step}_2$: Using A1 and R1, we have $S_j$ |≡ $P_i$ |~ $({ID}_i,y_{Mi},x_{Ri},y_{Ri},x_{Ti},x_{Mi},T_p)$.
• ${Step}_3$: According to R2, we obtain $S_j$ |≡ $P_i$ |~ $(x_{Ti},x_{Mi},T_p)$.
• ${Step}_4$: Using R3 and A2, we have $S_j$ |≡ #$(x_{Ti},x_{Mi},T_p)$.
• ${Step}_5$: Based on R4, ${Step}_3$, and ${Step}_4$, we obtain $S_j$ |≡ $P_i$ |≡ $(x_{Ti},x_{Mi},T_p)$.
• ${Step}_6$: According to R5, A3, and ${Step}_5$, we obtain $S_j$ |≡ $(x_{Ti},x_{Mi},T_p)$.
• ${Step}_7$: Based on R6 and ${Step}_6$, we obtain $S_j$ |≡ $x_{Ti}$, $S_j$ |≡ $x_{Mi}$, and $S_j$ |≡ $T_p$.
• ${Step}_8$: Due to ${Step}_7$, and ${Auth}_i=h(x_{Ti}||x_{Mi}||T_p)$, we obtain $S_m$ |≡ ${Auth}_i$.
• ${Step}_9$: Based on ${Step}_8$, A4, A5, A6, A7, A8, and ${gk}_t=h(h^{t-1}(h({prk}_j|\left|b_j\right))||h^{z-t}\left(h({prk}_j||c_j)\right))$, we can obtain $S_j$ |≡ $(P_i\stackrel{{gk}_t}{\leftrightarrow }{S}_j)$ (G1 achieved).
• ${Step}_{10}$: Based on ${Step}_8$, A4, A5, A6, A7, A8, and $ck=(h^{t_1-1}(h({prk}_j||b_j))||h^{z-t_2}(h({prk}_j||c_j))||t_1||t_2)$, we can obtain $S_j$ |≡ $(P_i\stackrel{ck}{\leftrightarrow }{S}_j)$ (G2 achieved).
• ${Step}_{11}$: According to the Message 2, we have $P_i⊲\left(\right[x_1,x_2,\dots ,x_n],{⟨b_j,I{D}_i,y_{Ti},T_s⟩}_{K_{ij}},{⟨y_{Ti},I{D}_i,b_j,ck⟩}_{K_{ij}},T_s)$
• ${Step}_{12}$: In accordance with R1 and A1, we obtain $P_i$ |≡ $S_m$ |~ $(\left[x_1,x_2,\dots ,x_n\right],b_j,{ID}_i,y_{Ti},ck,T_s)$.
• ${Step}_{13}$: Based upon R2, we can obtain $P_i|\equiv S_m|~(\left[x_1,x_2,\dots ,x_n\right],b_j,y_{Ti},T_s)$.
• ${Step}_{14}$: Using R3 and A9, we have $P_i|\equiv \#(\left[x_1,x_2,\dots ,x_n\right],b_j,y_{Ti},T_s)$.
• ${Step}_{15}$: Based on R4, ${Step}_{13}$ and ${Step}_{14}$, we obtain $P_i$ |≡ $S_j$ |≡ $(\left[x_1,x_2,\dots ,x_n\right],b_j,y_{Ti},T_s)$.
• ${Step}_{16}$: According to R5, A10, and ${Step}_{15}$, we obtain $P_i$ |≡ $(\left[x_1,x_2,\dots ,x_n\right],b_j,y_{Ti},T_s)$.
• ${Step}_{17}$: Based on R6 and ${Step}_{16}$, we obtain $P_i$ |≡ $\left[x_1,x_2,\dots ,x_n\right]$, $P_i$ |≡ $b_j$, $P_i$ |≡ $y_{Ti}$, and $P_i$ |≡ $T_s$.
• ${Step}_{18}$: In accordance with ${Step}_{17}$, while $H_j=h(b_j||T_s)$ and $ck=h(y_{Ti}||T_s)-\left[\begin{array}{cc}{H}_{j,1}^{\prime 1}& \begin{array}{ccc}{H}_{j,1}^{\prime 2}& \dots & H_{j,1}^{\prime n}\end{array}\end{array}\right]\left[\begin{array}{c}{x}_1\\ x_2\\ \begin{array}{c}⋮\\ x_n\end{array}\end{array}\right]$, we can obtain $P_i$ |≡ $(P_i\stackrel{ck}{\leftrightarrow }{S}_j)$ (G3 achieved).
• ${Step}_{19}$: Due to ${Step}_{17}$, ${Step}_{18}$, A11, and ${Auth}_j=h(y_{Ti}||{ID}_i||b_j|\left|ck\right)$, we obtain $P_i$ |≡ ${Auth}_j$.
• ${Step}_{20}$: Based on ${Step}_{18}$, ${Step}_{19}$, $ck=({TB}_1||{TB}_2||t_1||t_2)$, and ${gk}_t=h(h^{t-t_1}({TB}_1)||h^{t_2-t}\left({TB}_2\right))$, we obtain $P_i$ |≡ $(P_i\stackrel{{gk}_t}{\leftrightarrow }{S}_j)$ (G4 achieved).

In this way, the proposed protocol achieves all goals—G1, G2, G3, and G4. Therefore, it proves that $P_i$ and $S_j$ can mutually authenticate each other and ${gk}_t$ is an authenticated key shared between them.

6.3. Formal Security Proof with RoR Model

Formal security proof of the proposed protocol is provided using the widely-accepted ROR model. Based on mathematical principles, its idea is to analyze the success probability of 𝒜 in attacking the protocol. The goal is to demonstrate that this probability is a negligible advantage, assuring the sematic security of the approach. Various games are included in the analysis where 𝒜 makes multiple attack queries discussed in Section 4.2 with an increased success probability. Notations used in the proof are described in

Table 3. Notations used in the security proof with RoR Model.

Notations	Explanation
$l_h$	Size of a hash value
$l_r$	Size of a random number
$l_{bio}$	Size of a biometric value
$q_h$	Total hash oracle queries
$q_s$	Total Send queries
$q_e$	Total Execute queries
$L_h$	List of hash oracle outputs
$L_r$	List of random oracle results
$L_t$	List of transcripts conveyed between $P_i$ and $S_j$
${\epsilon }_{bio}$	Biometric false-positive probability
$C^{\prime },s^{\prime }$	Zipf parameters

.

Definition 7. 

When Ç receives the last communicated message in the protocol, Ç goes to an Accept state. All messages $m_1=\{{DID}_i,R_i,{Auth}_i,T_p\}$ and $m_2=\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$ are orderly concatenated, forming a session with an identification “s_id”.

Definition 8. 

$P_i^{T_c}$ and ${S_j}^{T_c^{*}}$ are defined to be partnered if $P_i^{T_c}$ and ${S_j}^{T_c^{*}}$ simultaneously meet the following conditions: (1) $P_i^{T_c}$ and ${S_j}^{T_c^{*}}$ are in an Accept state; (2) $P_i^{T_c}$ and ${S_j}^{T_c^{*}}$ mutually authenticate each other in the same session s_id; and (3) $P_i^{T_c}$ and ${S_j}^{T_c^{*}}$ are mutually a partner of each other. $P_i^{T_c}$ and ${S_j}^{T_c^{*}}$ are called “partners”.

Definition 9. 

Ç is defined to be fresh if Ç simultaneously meets the following conditions: (1) Ç is in an accepted state; (2) Reveal(Ç) queries have never been submitted; and (3) less than three Corrupt $(P_i,n)$ queries have been submitted. This is called the “freshness” rule.

Definition 10. 

${Adv}_{𝒜}^{ECDLP}(t_{𝒜})$ is denoted as the advantage of 𝒜 in breaking the ECDLP assumption within an execution time $t_{𝒜}$. Because the assumption holds, ${Adv}_{𝒜}^{ECDLP}(t_{𝒜})$ is a negligible probability.

Definition 11. 

${Adv}_{𝒜}^{ECCDHP}(t_{𝒜})$ is denoted as the advantage of 𝒜 in breaking the ECCDHP assumption within an execution time $t_{𝒜}$. Also, ${Adv}_{𝒜}^{ECCDHP}(t_{𝒜})$ is a negligible probability since the assumption holds.

Definition 12. 

${Adv}_{𝒜}^{ECFP}(t_{𝒜})$ is denoted as the advantage of 𝒜 in breaking the ECFP assumption within an execution time $t_{𝒜}$. Similarly, ${Adv}_{𝒜}^{ECFP}(t_{𝒜})$ is a negligible probability as the assumption holds.

Theorem 1. 

${Adv}_{Ç}^{IoLTHC}$ can be calculated in the following equation.

$$\begin{gathered} {Adv}_{\mathrm{Ç}}^{IoLTHC}\le \frac{{(q_s+q_e)}^3+6q_s}{2^{L_r}}+\frac{{q_h}^2+20q_h}{2^{L_h}}+2max\left\{\left(C^{\prime }·q_s^{s^{\prime }}\right),q_s\left(\frac{1}{2^{l_{bio}}},{\epsilon }_{bio}\right)\right\} \\ +4q_h\left(q_s+q_e+1\right){Adv}_{𝒜}^{ECDLP}\left(t_{𝒜}\right)+2q_h(q_s+q_e+1){Adv}_{𝒜}^{ECCDHP}(t_{𝒜}) \\ +2q_h(q_s+q_e+1){Adv}_{𝒜}^{ECFP}(t_{𝒜}) \end{gathered}$$

(1)

Since Equation (1) is obviously a negligible probability, the proposed protocol is semantically secure.

Proof. 

The author considers six games simulated for the proof including $G_0,G_1,G_2,G_3,G_4,G_5$ with increasing success probabilities of 𝒜 in attacking the protocol. The ultimate goal of 𝒜 is to retrieve the bit $b$ using the Test query after each of the games finishes. $Pr\left[S_i\right]$ is denoted as success probabilities, in which $E_f$ ($f=\mathrm{0,1},\mathrm{2,3},\mathrm{4,5}$) are events in respective games. I set a simulator Ş to play the role of the challenge Ç in the games. □

Game $G_0$: This is the starting game, which is identical to the real protocol in the RoR model. Ş tosses the coin $b$ and the game is started. We obtain

$${Adv}_{\mathrm{Ç}}^{IoLTHC}=\left|2\mathit{Pr}\left[E_0\right]-1\right|$$

(2)

Game $G_1$: This game executes all queries that are specified in the model. The queries are simulated in

Table 4. All queries executed in the RoR model.

Hash query is executed as follows, where ${\mathit{m}}_{\mathit{i}}$ are messages. If the record (${\mathit{m}}_{\mathit{i}}$, $\mathit{h}({\mathit{m}}_{\mathit{i}})$) is found in the list ${\mathit{L}}_{\mathit{h}}$, return $\mathit{h}({\mathit{m}}_{\mathit{i}})$; if not, choose ${\mathit{h}}^{\mathit{\prime }}\left({\mathit{m}}_{\mathit{i}}\right)\in {\mathit{Z}}_{\mathit{p}}^{\mathit{*}}$ and write (${\mathit{m}}_{\mathit{i}}$, ${\mathit{h}}^{\mathit{\prime }}\left({\mathit{m}}_{\mathit{i}}\right)$) to ${\mathit{L}}_{\mathit{h}}$; the list ${\mathit{L}}_{\mathit{r}}$ is created by a similar procedure.

Reveal(Ç) query is executed by a simple procedure as follows. Once Ç is in an Accept state, a session key formed by Ç is returned.

Test(Ç) query is executed as follows. Ç tosses the coin $\mathit{b}$. If $\mathit{b}=1$, the query returns an available key ${\mathit{g}\mathit{k}}_{\mathit{t}}$; otherwise, it returns a random number.

Corrupt(${\mathit{P}}_{\mathit{i}},\mathit{w}$) query is executed as follows. If $\mathit{w}=1$, the query outputs password ${\mathit{P}\mathit{W}}_{\mathit{i}}$. If $\mathit{w}=2$, the query outputs parameters stored in ${\mathit{S}\mathit{D}}_{\mathit{i}}$. If $\mathit{w}=3$, the query outputs biometrics ${\mathit{B}}_{\mathit{i}}$.

Execute(${\mathit{P}}_{\mathit{i}}$, ${\mathit{S}}_{\mathit{j}}$) query is executed in succession with execution of Send(Ç, ${\mathit{m}}_{\mathit{i}}$) query. It is presented as follows. ${\mathit{P}}_{\mathit{i}}$ sends ${\mathit{m}}_1$ to ${\mathit{S}}_{\mathit{j}}$ and ${\mathit{S}}_{\mathit{j}}$ sends ${\mathit{m}}_2$ to ${\mathit{P}}_{\mathit{i}}$. we have $<{\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}\oplus {\mathit{y}}_{\mathit{M}\mathit{i}},{\mathit{a}}_{\mathit{i}}·\mathit{P},\mathit{h}\left({\mathit{x}}_{\mathit{T}\mathit{i}}\left|\left|{\mathit{x}}_{\mathit{M}\mathit{i}}\right|\right|{\mathit{T}}_{\mathit{p}}\right),{\mathit{T}}_{\mathit{p}}>$ ← Send(${\mathit{P}}_{\mathit{i}}$, start), $<\left[{\mathit{x}}_1,{\mathit{x}}_2,\dots ,{\mathit{x}}_{\mathit{n}}\right],{\mathit{b}}_{\mathit{j}}\oplus \mathit{h}({\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}|\left|{\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}\right||{\mathit{T}}_{\mathit{s}}),\mathit{h}({\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}||{\mathit{I}\mathit{D}}_{\mathit{i}}||{\mathit{b}}_{\mathit{j}}|\left|\mathit{c}\mathit{k}\right),{\mathit{T}}_{\mathit{s}}>$ ← Send(${\mathit{S}}_{\mathit{j}}$, $<{\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}\oplus {\mathit{y}}_{\mathit{M}\mathit{i}},{\mathit{a}}_{\mathit{i}}·\mathit{P},\mathit{h}\left({\mathit{x}}_{\mathit{T}\mathit{i}}\left|\left|{\mathit{x}}_{\mathit{M}\mathit{i}}\right|\right|{\mathit{T}}_{\mathit{p}}\right),{\mathit{T}}_{\mathit{p}}>$) At last, ${\mathit{m}}_1=<{\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}\oplus {\mathit{y}}_{\mathit{M}\mathit{i}},{\mathit{a}}_{\mathit{i}}·\mathit{P},\mathit{h}\left({\mathit{x}}_{\mathit{T}\mathit{i}}\left|\left|{\mathit{x}}_{\mathit{M}\mathit{i}}\right|\right|{\mathit{T}}_{\mathit{p}}\right),{\mathit{T}}_{\mathit{p}}>$ and ${\mathit{m}}_2=<\left[{\mathit{x}}_1,{\mathit{x}}_2,\dots ,{\mathit{x}}_{\mathit{n}}\right],{\mathit{b}}_{\mathit{j}}\oplus \mathit{h}({\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}|\left|{\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}\right||{\mathit{T}}_{\mathit{s}}),\mathit{h}({\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}||{\mathit{I}\mathit{D}}_{\mathit{i}}||{\mathit{b}}_{\mathit{j}}|\left|\mathit{c}\mathit{k}\right),{\mathit{T}}_{\mathit{s}}>$ are returned.

Based on the logical procedure of the protocol, the Send query is simulated as follows. 𝒜 runs Send(${\mathit{P}}_{\mathit{i}}$, start) query and Ç replies to 𝒜 as follows. Ç computes ${\mathit{M}}_{\mathit{i}}={\mathit{a}}_{\mathit{i}}·\mathit{p}\mathit{u}\mathit{k}=({\mathit{x}}_{\mathit{M}\mathit{i}},{\mathit{y}}_{\mathit{M}\mathit{i}})$, ${\mathit{R}}_{\mathit{i}}={\mathit{a}}_{\mathit{i}}·\mathit{P}$, ${\mathit{c}}_{\mathit{i},\mathit{m}22}={\mathit{y}}_{\mathit{i},\mathit{m}2}\mathbf{*}{\mathit{r}}_{\mathit{i},\mathit{m}1}\mathit{m}\mathit{o}\mathit{d} \mathit{p}$, ${\mathit{T}\mathit{I}\mathit{D}}_{\mathit{i}}={\mathit{W}}_{\mathit{i}}-{\mathit{P}\mathit{B}}^{\mathit{*}}·\mathit{P}=\left({\mathit{x}}_{\mathit{T}\mathit{i}},{\mathit{y}}_{\mathit{T}\mathit{i}}\right)$, and ${\mathit{A}\mathit{u}\mathit{t}\mathit{h}}_{\mathit{i}}=\mathit{h}({\mathit{x}}_{\mathit{T}\mathit{i}}||{\mathit{x}}_{\mathit{M}\mathit{i}}||{\mathit{T}}_{\mathit{p}}$) and outputs ${\mathit{m}}_1=<{\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}\oplus {\mathit{y}}_{\mathit{M}\mathit{i}},{\mathit{R}}_{\mathit{i}},\mathit{h}\left({\mathit{x}}_{\mathit{T}\mathit{i}}\left|\left|{\mathit{x}}_{\mathit{M}\mathit{i}}\right|\right|{\mathit{T}}_{\mathit{p}}\right),{\mathit{T}}_{\mathit{p}}>$. 𝒜 runs Send(${\mathit{S}}_{\mathit{j}}$, $<{\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}\oplus {\mathit{y}}_{\mathit{M}\mathit{i}},{\mathit{R}}_{\mathit{i}},\mathit{h}\left({\mathit{x}}_{\mathit{T}\mathit{i}}\left|\left|{\mathit{x}}_{\mathit{M}\mathit{i}}\right|\right|{\mathit{T}}_{\mathit{p}}\right),{\mathit{T}}_{\mathit{p}}>$) query and Ç replies to 𝒜 as follows. Ç checks ${\mathit{T}}_{\mathit{p}}$; computes ${\mathit{M}}_{\mathit{i}}^{\mathit{*}}=\mathit{p}\mathit{r}\mathit{k}·{\mathit{R}}_{\mathit{i}}=({\mathit{x}}_{\mathit{M}\mathit{i}}^{\mathit{*}},{\mathit{y}}_{\mathit{M}\mathit{i}}^{\mathit{*}})$ and ${\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}={\mathit{D}\mathit{I}\mathit{D}}_{\mathit{i}}\oplus {\mathit{y}}_{\mathit{M}\mathit{i}}^{\mathit{*}}$; checks ${\mathit{C}\mathit{I}\mathit{D}}_{\mathit{i}}$; computes ${\mathit{T}\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}$ and ${\mathit{A}\mathit{u}\mathit{t}\mathit{h}}_{\mathit{i}}$; computes ${\mathit{T}\mathit{B}}_1={\mathit{h}}^{{\mathit{t}}_1-1}(\mathit{h}(\mathit{p}\mathit{r}\mathit{k}||{\mathit{b}}_{\mathit{j}}))$, ${\mathit{T}\mathit{B}}_2={\mathit{h}}^{\mathit{z}-{\mathit{t}}_2}(\mathit{h}(\mathit{p}\mathit{r}\mathit{k}||{\mathit{c}}_{\mathit{j}}))$, ${\mathit{Y}}_{\mathit{j}}={\mathit{b}}_{\mathit{j}}\oplus \mathit{h}({\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}|\left|{\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}\right||{\mathit{T}}_{\mathit{s}})$, $\mathit{c}\mathit{k}=({\mathit{T}\mathit{B}}_1||{\mathit{T}\mathit{B}}_2||{\mathit{t}}_1||{\mathit{t}}_2)$, ${\mathit{A}\mathit{u}\mathit{t}\mathit{h}}_{\mathit{j}}=\mathit{h}({\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}||{\mathit{I}\mathit{D}}_{\mathit{i}}||{\mathit{b}}_{\mathit{j}}|\left|\mathit{c}\mathit{k}\right)$, and ${\mathit{H}}_{\mathit{j}}=\mathit{h}({\mathit{b}}_{\mathit{j}}|\left|{\mathit{T}}_{\mathit{s}}\right)$; and generates $\left[{\mathit{x}}_1,{\mathit{x}}_2,\dots ,{\mathit{x}}_{\mathit{n}}\right]$ from ${\mathit{H}}_{\mathit{j}},{\mathit{y}}_{\mathit{T}\mathit{i}},\mathit{c}\mathit{k}$. Ç terminates the session if one of the above checks does not hold. Otherwise, Ç outputs ${\mathit{m}}_2=<\left[{\mathit{x}}_1,{\mathit{x}}_2,\dots ,{\mathit{x}}_{\mathit{n}}\right],{\mathit{b}}_{\mathit{j}}\oplus \mathit{h}({\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}|\left|{\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}\right||{\mathit{T}}_{\mathit{s}}),\mathit{h}({\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}||{\mathit{I}\mathit{D}}_{\mathit{i}}||{\mathit{b}}_{\mathit{j}}|\left|\mathit{c}\mathit{k}\right),{\mathit{T}}_{\mathit{s}}>$. The session key ${\mathit{S}}_{\mathit{j}}$ obtains is ${\mathit{g}\mathit{k}}_{\mathit{t}}=\mathit{h}({\mathit{h}}^{\mathit{t}-1}(\mathit{h}(\mathit{p}\mathit{r}\mathit{k}|\left|{\mathit{b}}_{\mathit{j}}\right))||{\mathit{h}}^{\mathit{z}-\mathit{t}}\left(\mathit{h}(\mathit{p}\mathit{r}\mathit{k}||{\mathit{c}}_{\mathit{j}})\right))$. 𝒜 runs Send(${\mathit{P}}_{\mathit{i}}$, $<\left[{\mathit{x}}_1,{\mathit{x}}_2,\dots ,{\mathit{x}}_{\mathit{n}}\right],{\mathit{b}}_{\mathit{j}}\oplus \mathit{h}({\mathit{I}\mathit{D}}_{\mathit{i}}^{\mathit{*}}|\left|{\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}\right||{\mathit{T}}_{\mathit{s}}),\mathit{h}({\mathit{y}}_{\mathit{T}\mathit{i}}^{\mathit{*}}||{\mathit{I}\mathit{D}}_{\mathit{i}}||{\mathit{b}}_{\mathit{j}}|\left|\mathit{c}\mathit{k}\right),{\mathit{T}}_{\mathit{s}}>$) query and Ç replies to 𝒜 as follows. Ç checks ${\mathit{T}}_{\mathit{s}}$; computes ${\mathit{b}}_{\mathit{j}},{\mathit{H}}_{\mathit{j}},{\mathit{c}\mathit{k}}^{\mathit{*}}$ based on some related parameters; and checks ${\mathit{A}\mathit{u}\mathit{t}\mathit{h}}_{\mathit{j}}$. If one of the checks does not hold, Ç terminates the session; otherwise, a session key ${\mathit{g}\mathit{k}}_{\mathit{t}}=\mathit{h}({\mathit{h}}^{\mathit{t}-{\mathit{t}}_1}({\mathit{T}\mathit{B}}_1)||{\mathit{h}}^{{\mathit{t}}_2-\mathit{t}}\left({\mathit{T}\mathit{B}}_2\right))$ is established, and the session is completed.

in accordance with rules of my proposed protocol. In this way, $G_1$ creates three lists, namely, $L_h$, $L_r$, and $L_t$. Since $G_0$ and $G_1$ are indistinguishable, we have

$$\mathit{Pr}\left[E_1\right]=\mathit{Pr}\left[E_0\right]$$

(3)

Game $G_2$: In this game, the author considers collision probabilities of hash oracle queries and random oracle queries for all transcripts conveyed between $P_i$ and $S_j$. Based on a property of the birthday paradox, the probability of the hash queries is at most $\frac{{q_h}^2}{2^{L_h+1}}$. During login and authentication procedures of the protocol, $P_i$ and $S_j$ generate three random numbers $\{a_i,b_j,c_j\}$ for constructing two messages $\{{DID}_i,R_i,{Auth}_i,T_p\}$ and $\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$. Its total collision probability is $\frac{{(q_s+q_e)}^3}{2^{L_r+1}}$. Due to the indistinguishability between $G_1$ and $G_2$, the following equation is obtained:

$$|\mathit{Pr}\left[E_2\right]-\mathit{Pr}\left[E_1\right]|\le \frac{{(q_s+q_e)}^3}{2^{L_r+1}}+\frac{{q_h}^2}{2^{L_h+1}}$$

(4)

Game $G_3$: $G_3$ is similar to $G_2$, but Send(Ç, $m$) queries are made for each communicated message. This game consists of two cases consistent with two messages sent by $P_i$ and $S_j$.

+ Case 1: Query Send($S_j,m_1$) is simulated in this case. Messages $m_1$ is computed from three values ${ID}_i^{*}\oplus y_{Mi},a_i·P,h(x_{Ti}||x_{Mi}||T_p)\in L_h$. To lauch the attack, the hash value $PB$ should also be revealed to 𝒜. It results in a total probability of 4$\frac{q_h}{2^{L_h}}$ in total. Meanwhile, the random number $a_i$ included in $m_1$ has a probability at most of $\frac{q_s}{2^{L_r}}$.

+ Case 2: Query Send($P_i,m_2$) is executed in this case. To launch the attack, the values $b_j\oplus h({ID}_i^{\mathrm{*}}|\left|y_{Ti}^{\mathrm{*}}\right||T_s)$, $h(y_{Ti}^{\mathrm{*}}||{ID}_i||b_j|\left|ck\right)$, $H_j=h(b_j||T_s)$, $h(y_{Ti}||T_s)$, $h^{t_1-1}(h(prk||b_j))$, and $h^{z-t_2}(h(prk||c_j))$ containing messages $m_2$ should be known to 𝒜. Therefore, its maximum probability is up to 6$\frac{q_h}{2^{L_h}}$. Random numbers $b_j,c_j$ have a probability of, at most, 2$\frac{q_s}{2^{L_r}}$.

Since $G_2$ and $G_3$ are identical when these attacks are absent, we obtain

$$|\mathit{Pr}\left[E_3\right]-\mathit{Pr}\left[E_2\right]|\le 10\frac{q_h}{2^{L_h}}+3\frac{q_s}{2^{L_r}}$$

(5)

Game $G_4$: Guessing attacks executed by 𝒜 are simulated in this game. The author includes five attack cases, which are described as follows.

+ Case 1: 𝒜 runs query Corrupt$(P_i,w=1)$ to guess ${PW}_i$ of $P_i$. Next, 𝒜 makes query Send($S_j,m_1$) for the attacks. The probability in this case is at most ($C^{\prime }·q_s^{s^{\prime }}$).

+ Case 2: 𝒜 runs the query Corrupt$(P_i,w=3)$ to retrieve $B_i$ of $P_i$. 𝒜 also executes query Send($S_j,m_1$) to launch the attack; therefore, the collision probability is up to $max\{q_s(\frac{1}{2^{l_{bio}}},{\epsilon }_{bio})\}$.

+ Case 3: Suppose 𝒜 employs power analysis to successfully retrieve parameters stored in ${SC}_i$. Upon Hash oracle queries, 𝒜 aims to break the ECDLP to compromise the values ${CID}_i,PB,a_i$ (based on the points $W_i,R_i$, respectively) in order to impersonate $P_i$. The probability in this case is at most $2q_h{Adv}_{𝒜}^{ECDLP}(t_{𝒜})$.

+ Case 4: To trigger MITM attacks or impersonation attacks, 𝒜 runs Hash oracle queries that break the ECCDHP assumption to compromise the point $M_i=a_i·prk·P$ given the points $R_i=a_i·P$ and $puk=prk·P$. Its maximum collision probability is up to $q_h{Adv}_{𝒜}^{ECCDHP}(t_{𝒜})$.

+ Case 5: To trigger similar attacks, 𝒜 runs Hash oracle queries to break the ECFP to compromise two points ${TID}_i={CID}_i·P$ and $PB·P$ given the point $W_i=[{CID}_i+PB]P$ (retrieved from ${SC}_i$ using power analysis). In this case, the collision probability is at most $q_h{Adv}_{𝒜}^{ECFP}(t_{𝒜})$.

Because $G_3$ and $G_4$ are indistinguishable, we have

$$\begin{gathered} \left|\mathit{Pr}\left[E_4\right]-\mathit{Pr}\left[E_3\right]\right|\le max\left\{\left(C^{\prime }·q_s^{s^{\prime }}\right),q_s\left(\frac{1}{2^{l_{bio}}},{\epsilon }_{bio}\right)\right\}+2q_h{Adv}_{𝒜}^{ECDLP}(t_{𝒜}) \\ +q_h{Adv}_{𝒜}^{ECCDHP}(t_{𝒜})+q_h{Adv}_{𝒜}^{ECFP}(t_{𝒜}) \end{gathered}$$

(6)

Game $G_5$: The author simulates attack scenarios on the forward secrecy property in this last game. Based on the current transcripts, Execute, Send, and Hash oracle queries are executed to retrieve group session keys generated by the old transcripts. The ECDLP assumption, ECCDHP assumption, and ECFP assumption are included in the simulation. To this end, the Test query is made to return the session key to 𝒜. To launch the attacks, 𝒜 has to at least break the ECDLP two times in a row, to break the ECCDHP one time, or to break the ECFP one time; therefore, the following equation is obtained:

$$\begin{gathered} |\mathit{Pr}\left[E_5\right]-\mathit{Pr}\left[E_4\right]|\le 2q_h(q_s+q_e){Adv}_{𝒜}^{ECDLP}(t_{𝒜}) \\ +q_h(q_s+q_e){Adv}_{𝒜}^{ECCDHP}(t_{𝒜}) \\ +q_h(q_s+q_e){Adv}_{𝒜}^{ECFP}(t_{𝒜}) \end{gathered}$$

(7)

After all games are made, the bit $b^{\prime }$ is guessed upon the probability of the Test query below:

$$\mathit{Pr}\left[E_5\right]=\frac{1}{2}$$

(8)

Applying property of the triangular inequality and results of Equations (3)–(8), we have

$$\begin{gathered} |\mathit{Pr}\left[E_0\right]-\frac{1}{2}|=|\mathit{Pr}\left[E_1\right]-\mathit{Pr}\left[E_5\right]| \\ \le \left|\mathit{Pr}\left[E_1\right]-\mathit{Pr}\left[E_2\right]\right| \\ +\left|\mathit{Pr}\left[E_2\right]-\mathit{Pr}\left[E_3\right]\right| \\ +\left|\mathit{Pr}\left[E_3\right]-\mathit{Pr}\left[E_4\right]\right| \\ +\left|\mathit{Pr}\left[E_4\right]-\mathit{Pr}\left[E_5\right]\right| \end{gathered}$$

(9)

Applying Equations (2)–(9), the following result is achieved:

$$\begin{gathered} \frac{1}{2}{Adv}_{\mathrm{Ç}}^{IoLTHC}=|\mathit{Pr}\left[E_0\right]-\frac{1}{2}| \\ \le \frac{{(q_s+q_e)}^3}{2^{L_r+1}}+\frac{{q_h}^2}{2^{L_h+1}}+10\frac{q_h}{2^{L_h}}+3\frac{q_s}{2^{L_r}}+max\left\{\left(C^{\prime }·q_s^{s^{\prime }}\right),q_s\left(\frac{1}{2^{l_{bio}}},{\epsilon }_{bio}\right)\right\} \\ +2q_h\left(q_s+q_e+1\right){Adv}_{𝒜}^{ECDLP}\left(t_{𝒜}\right)+q_h(q_s+q_e+1){Adv}_{𝒜}^{ECCDHP}(t_{𝒜}) \\ +q_h(q_s+q_e+1){Adv}_{𝒜}^{ECFP}(t_{𝒜}) \end{gathered}$$

(10)

Multiplying two sides of Equation (10) with a factor of 2, we can easily obtain the following final result:

$$\begin{gathered} {Adv}_{\mathrm{Ç}}^{IoLTHC}\le \frac{{(q_s+q_e)}^3+6q_s}{2^{L_r}}+\frac{{q_h}^2+20q_h}{2^{L_h}}+2max\left\{\left(C^{\prime }·q_s^{s^{\prime }}\right),q_s\left(\frac{1}{2^{l_{bio}}},{\epsilon }_{bio}\right)\right\} \\ +4q_h\left(q_s+q_e+1\right){Adv}_{𝒜}^{ECDLP}\left(t_{𝒜}\right)+2q_h(q_s+q_e+1){Adv}_{𝒜}^{ECCDHP}(t_{𝒜}) \\ +2q_h(q_s+q_e+1){Adv}_{𝒜}^{ECFP}(t_{𝒜}) \end{gathered}$$

(11)

As can be seen, Equation (1) and Equation (11) are consistent. Hence, Theorem 1 is claimed and the proposed protocol is proven to be secure, as ${Adv}_{\mathrm{Ç}}^{IoLTHC}$ is a completely negligible advantage.

7. Performance Evaluation and Comparison

This section provides a detailed performance evaluation and presents a comparative study on multiple aspects of the protocols, including security properties and functionalities, computation overhead, and communication overhead.

7.1. Security Properties and Functionalities

The author provides the results of a comparison of security properties and functionalities of different works discussed in Section 2.2, which are tabulated in

Table 5. Security properties and functionalities of different protocols.

Attributes	[21]	[23]	[25]	[26]	[27]	[28]	[29]	[30]	[31]	[36]	[37]	Mine
Resists replay attacks	O	O	O	O	O	O	O	O	O	O	O	O
Resists MITM attacks	O	O	O	O	O	O	O	O	O	O	O	O
Resists online password guessing attacks	–	O	O	O	O	O	O	O	O	O	O	O
Resists offline password guessing attacks	–	O	O	O	O	O	O	O	O	O	O	O
Resists impersonation attacks	O	O	O	O	O	O	O	O	O	O	O	O
Resists lost sequencer or smart card attacks	O	O	–	O	–	–	O	X	X	O	O	O
Resists desynchronization attacks	O	O	O	O	O	O	O	X	O	X	O	O
Resists privileged insider attacks	O	O	O	O	O	O	O	O	O	O	O	O
Resists DoS attacks	O	O	O	O	O	O	O	O	O	O	O	O
Provides mutual authentication	O	O	O	O	O	O	O	O	O	O	O	O
Provides user anonymity	O	O	O	O	O	O	O	X	X	O	O	O
Provides user untraceability	O	O	O	O	O	X	O	O	O	X	O	O
Provides message unlinkability	O	O	O	O	O	X	O	O	O	X	O	O
Provides perfect forward secrecy	O	O	O	O	O	O	O	O	O	O	O	O
Provides perfect backward secrecy	O	O	O	O	O	O	O	O	O	O	O	O
Provides password update	–	O	O	X	O	O	O	X	X	O	O	O
Provides biometrics update	–	–	–	–	–	–	O	X	X	–	O	O
Provides three-factor authentication	X	X	X	X	X	X	O	O	O	X	O	O
Provides SD-SSO	X	X	X	X	X	X	X	X	X	X	X	O
Provides mathematics-based security proof	X	X	O	O	O	X	O	X	O	X	O	O
Provides group-based dynamic services	X	X	X	X	X	X	X	X	X	X	X	O
Provides LOC-based U-healthcare application	X	X	X	X	X	X	X	X	X	X	O	O
Supports patient-centric service	O	X	O	X	O	O	X	O	O	O	X	O

“O”: the protocol achieves a specific attribute; “X”: the protocol does not achieve a specific attribute; “–”: A specific attribute is not available in the protocol.

. As can be seen, the proposed protocol provides more functionality and achieves more security properties compared to the others. Especially notable is that only the proposed work introduces a 6G-aided group-based dynamic U-healthcare application. In addition, this work is the first to employ a sequencer to directly store user’s registered credentials as well as use it as a separate factor for the authentication in a key agreement protocol.

7.2. Computation Overhead

Six of the eleven existing works above, which are the most relevant to the proposed approach, are included for evaluating the computation overhead and communication overhead. To estimate the overhead, the author calculates the running time of all cryptographic operations in the login and authentication phase of each protocol. Since XOR operations are so fast, its running time is assumed to be negligible. For simplicity, the computing times of a traditional one-way hash function and a biohash function are also considered to be similar, as the difference between them is too small [29,32]. The running time of each cryptographic operation used in the evaluation is tabulated in

Table 6. Time estimation of each cryptographic operation [44,45].

Notation	Operation	Computation Time (ms)
$T_H$	Hash function	≈0.00069
$T_{PA}$	EC point addition	≈0.0069
$T_{PM}$	EC point multiplication	≈0.508
$T_{SED}$	Symmetric encryption or decryption	≈0.00054
$T_M$	Modular squaring	≈0.00069
$T_{QR}$	Square root module 𝑁	≈1.169
$T_{CM}$	Chebyshev chaotic polynomial mapping	≈0.02881

. The comparative results of the computation overhead evaluation are described in

Table 7. Comparison of computation overhead.

Protocols		${\mathit{P}}_{\mathit{i}}$		${\mathit{S}}_{\mathit{j}}$		Total Computation Time (ms)
		Computation Complexities	Computation Time (ms)	Computation Complexities	Computation Time (ms)
Thakare and Kim [28]		$2T_H$$+T_{PA}$ + $4T_{PM}$	≈2.04028	$6T_H$ + $2T_{PA}$ + $5T_{PM}$	≈2.55794	≈4.59822
Yu et al. [29]		$10T_H$ + $2T_{CM}$	≈0.06452	$8T_H$ + $2T_{CM}$	≈0.06314	≈0.12766
Wong et al. [30]		$7T_H$$+T_{SED}$$+T_M$	≈0.04953	$7T_H$$+2T_{SED}$$+T_{QR}$	≈1.17491	≈1.22444
Le and Hsu [31]		$9T_H$ +$T_{SED}$ + $T_M$	≈0.00744	$5T_H$$+2T_{SED}$ + $T_{QR}$	≈1.17353	≈1.18097
Meshram et al. [36]		$11T_H$ + $2T_{CM}$	≈0.06521	$9T_H$ +$2T_{CM}$	≈0.06383	≈0.12904
Le [37]		$4T_H$$+T_{SED}$ + $4T_{PM}$	≈2.03530	$2T_H$$+T_{SED}$ + $3T_{PM}$	≈1.52592	≈3.56122
Mine	Initial authentication	$13T_H$$+T_{PA}$ + $3T_{PM}$	≈1.53987	$16T_H$ + $2T_{PM}$	≈1.02704	≈2.56691
	Fast key derivation	$3T_H$ +$T_{SED}$	≈0.00261	$9T_H$ +$T_{SED}$	≈0.00675	≈0.00936

and Figure 7. Giving the support of far fewer functional properties (specified in Table 5), the protocols of Yu et al. [29], Wong et al. [30], Le and Hsu [31], and Meshram et al. [36] incur less computing cost compared to that in the initial authentication procedure of the proposed work. However, overhead consumed in the fast key derivation of the proposed work is less than that of all other protocols, which makes it become the most efficient procedure.

Apart from that, the author considers a scenario in which multiple $S_j$ provide services to a single $P_i$. Here, the SD-SSO function is helpful since it allows $P_i$ to enjoy multiple services using a single set of credentials for the login. The SD-SSO also save a little bit of computing cost as its operations, including $\sigma ={\epsilon }_i\oplus h({ID}_i^{*}|\left|{PW}_i^{*}\right||h_{bio}(B_i^{*}))$, ${PB}^{*}=h({ID}_i^{*}|\left|{PW}_i^{*}\right||h_{bio}(B_i^{*})||\sigma )$ and $V\stackrel{?}{=}h\left({ID}_i^{*}\left|\left|{PB}^{*}\right|\right|\sigma \right)$, only need to be executed once before the communications with multiple $S_j$. According to the result depicted in Figure 8, when the number of servers $S_j$ increases, both procedures of the proposed protocol (especially the fast key derivation) incur less and less overhead compared with that of the others. Furthermore, due to the group key, $S_j$ in the proposed architecture only needs to encrypt health data once before sending it to all $P_i$ while $S_j$ in the other works (except Le and Hsu [31]) must encrypt the same data multiple times, which results in redundant computation costs. Moreover, the patients in those works are not able to directly communicate with each other without a common key. As a matter of fact, the proposed group communication solution in this work is the best fit for group-based U-healthcare services.

7.3. Communication Overhead

In this evaluation, communication overhead includes the number of communication rounds and total length of all transmitted transcripts. Some parameters used for evaluating the overhead are provided in

Table 8. Single length of multiple parameters [44,45].

Parameters	Length (Bits)
Asymmetric encryption or decryption (e.g., Rabin system)	1024
Chebyshev polynomial	1024
Symmetric encryption or decryption	256
Identity	128
Password	128
Biometrics	128
Random number	160
Hash value	160
EC point multiplication	320
Timestamp	32

. In the initial authentication procedure of the proposed protocol, the transcripts of two communication rounds include $\{{DID}_i,R_i,{Auth}_i,T_p\}$ and $\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$. For a fair comparison, $\{\left[x_1,x_2,\dots ,x_n\right],Y_j,{Auth}_j,T_s\}$ should contain parameters of a single patient, which only results in a single value $x$ in the transcript. $\{{DID}_i,R_i,{Auth}_i,T_p\}$ and $\{x,Y_j,{Auth}_j,T_s\}$ consume a length of (160 bits + 320 bits + 160 bits + 32 bits) and (384 bits + 160 bits + 160 bits + 32 bits), respectively; the total length is (672 bits + 736 bits) = 1408 bits. Similarly, overhead values of all protocols are calculated and provided in

Table 9. Comparison of communication overhead.

Protocols		No. of Communication Rounds	Length of Total Transcripts (Bits)
Thakare and Kim [28]		3	1440
Yu et al. [29]		3	1120
Wong et al. [30]		2	1344
Le and Hsu [31]		2	1440
Meshram et al. [36]		2	3072
Le [37]		2	1088
Mine	Initial authentication	2	1408
	Fast key derivation	1	256

. Figure 9 further provides a graphical description of the comparison. We can observe that the proposed protocol incurs less overhead than the works of Thakare and Kim [28], Le and Hsu [31], and Meshram et al. [36]. Due to providing the support of more functionality, the author’s work consumes more costs compared to that of Yu et al. [29], Wong et al. [30], and Le [37]. Furthermore, when the proposed work executes the fast key-derivation process, its communication only incurs 256 bits (the length of $C_d$) and only one communication round. As a result, it is the most efficient out of all the protocols.

8. Conclusions

In this article, the author has proposed a group-based patient-authenticated key distribution protocol for 6G-aided dynamic U-healthcare services enabled by real-time mobile DNA sequencing. Seamless communications are provided by 6G technology regardless of patients’ geographical locations. Sharing mobile DNA data for rapid analysis is a good solution for facilitating drug and vaccine development, which is one of the important concerns in the public health sector. Group service helps in improving medical treatments efficiently and promoting the use of smart health with more people participating. Patients in a healthcare group are allowed to securely connect with the service provider or with each other using a common group key generated from the protocol for the specific purposes of dynamic services. The group key generation process is protected by a three-factor authentication mechanism along with an efficient SD-SSO solution. Since all registered credentials are stored on a separate sequencer, the proposed work can enable service availability on multiple mobile devices. It is also able to facilitate a truly patient-centered service upon storing traceable information in the server database. Security analysis of the proposed protocol is presented using well-known verification tools, namely, the RoR model and BAN logic. A semantic discussion is also provided to further indicate its resistance to multiple security attacks. A detailed performance analysis of computation and communication overhead shows that the proposed approach consumes a rational cost compared to predecessor works.

In future works, performance of the initial authentication procedure can be further improved by including more lightweight cryptographic operations in the protocol. Another patient authentication scheme with a new architecture model where multiple external doctors serving as data users join the healthcare processes will be considered. The author will also consider a new design of attribute-based access control for securing cloud-based U-healthcare services in IoLT networks.