Securing Group Patient Communication in 6G-Aided Dynamic Ubiquitous Healthcare with Real-Time Mobile DNA Sequencing

(1) Background: With an advanced technique, third-generation sequencing (TGS) provides services with long deoxyribonucleic acid (DNA) reads and super short sequencing time. It enables onsite mobile DNA sequencing solutions for enabling ubiquitous healthcare (U-healthcare) services with modern mobile technology and smart entities in the internet of living things (IoLT). Due to some strict requirements, 6G technology can efficiently facilitate communications in a truly intelligent U-healthcare IoLT system. (2) Research problems: conventional single user–server architecture is not able to enable group conversations where “multiple patients–server” communication or “patient–patient” communication in the group is required. The communications are carried out via the open Internet, which is not a trusted channel. Since heath data and medical information are very sensitive, security and privacy concerns in the communication systems have become extremely important. (3) Purpose: the author aims to propose a dynamic group-based patient-authenticated key distribution protocol for 6G-aided U-healthcare services enabled by mobile DNA sequencing. In the protocol, an authenticated common session key is distributed by the server to the patients. Using the key, patients in a healthcare group are allowed to securely connect with the service provider or with each other for specific purposes of communication. (4) Results: the group key distribution process is protected by a secure three-factor authentication mechanism along with an efficient sequencing-device-based single sign-on (SD-SSO) solution. Based on traceable information stored in the server database, the proposed approach can provide patient-centered services which are available on multiple mobile devices. Security robustness of the proposed protocol is proven by well-known verification tools and a detailed semantic discussion. Performance evaluation shows that the protocol provides more functionality and incurs a reasonable overhead in comparison with the existing works.


Introduction
Third-generation sequencing (TGS) provides services with long deoxyribonucleic acid (DNA) reads and super short sequencing time [1][2][3]. In this technique, since single DNA molecules are sequenced directly, the sequencing time is reduced to a few hours, and even real-time data analysis process is enabled. In addition, TGS-based sequencers can be miniaturized while its DNA-reading biosensors are placed on the body to monitor human health and vital signs via blood, sweat, saliva, tissue, etc. [3]. This enables an onsite mobile DNA sequencing solution for facilitating ubiquitous healthcare (U-healthcare) services with modern mobile technology and smart systems in the internet of living things (IoLT) [3,4]. services with modern mobile technology and smart systems in the internet of living things (IoLT) [3,4]. For instance, as shown in Figure 1, the SmidgION sequencer is a tiny device designed by the Oxford Nanopore [5] to be run on mobile devices (e.g., smart phones) using small batteries and apps [3]. The biosensors load biological samples into the sequencer, and the genomic data (e.g., FAST5 file, FASTQ file, or TXT file [5]) along with its analytical results are produced, building a sort of "lab-on-a-chip (LOC)" system [3,[5][6][7]. Therefore, medical providers can rapidly screen for new viruses, paving a way for further discovering the IoLT. The researchers can also obtain onsite DNA sequences for specific end-toend analysis. The U-healthcare is directly concerned with patient-centric therapies. To this end, a real-time mobile DNA sequencing service is completely a good fit as it can provide personalized treatments and holds promise for precision medicine research. Due to its excellent mobility, high operating frequency, high data transfer rate, and super low end-to-end communication delay, 6G mobile technology is attracting much attention in various application fields [9][10][11]. Strict requirements of 6G, which cannot be achieved by 5G, were particularly introduced for the healthcare sector, including an operating frequency of ≥1 THz, data transfer rate of ≥1 Tbps, communication delay of ≤1 ms, mobility of ≥1000 km/h, reliability of 10 , and a wavelength of ≤300 µm [10]. Due to such advances, 6G can efficiently support artificial intelligence (AI) functionalities [12] with seamless communications. As a matter of fact, it has certain advantages in establishing a truly intelligent U-healthcare IoLT system enabled by real-time mobile NDA sequencing techniques and advanced medical analysis. Patients and healthcare providers are allowed to communicate with each other in a reliable and high-speed network environment, possibly sharing large files or a huge amount of data.

Research Problems
Apart from individual services, healthcare providers may provide some special treatments for groups of patients (e.g., family). These patients may have similar diseases, signs, or symptoms. They can also be persons those who need similar procedures in the healthcare processes or medical treatments. Traditional single user-server architecture is not able to provide such group conversations where "multiple patients-server" communications and "patient-patient" communications are required.
The communications are carried out via the open Internet, which is not a trusted channel. Because heath data and medical information are very sensitive, security and privacy concerns in the communication systems have become extremely important. Cyber criminals may perform various attacks that can steal personal information of patients, violate user privacy, or disrupt services (e.g., impersonation attacks). During Due to its excellent mobility, high operating frequency, high data transfer rate, and super low end-to-end communication delay, 6G mobile technology is attracting much attention in various application fields [9][10][11]. Strict requirements of 6G, which cannot be achieved by 5G, were particularly introduced for the healthcare sector, including an operating frequency of ≥1 THz, data transfer rate of ≥1 Tbps, communication delay of ≤1 ms, mobility of ≥1000 km/h, reliability of 10 −9 , and a wavelength of ≤300 µm [10]. Due to such advances, 6G can efficiently support artificial intelligence (AI) functionalities [12] with seamless communications. As a matter of fact, it has certain advantages in establishing a truly intelligent U-healthcare IoLT system enabled by real-time mobile NDA sequencing techniques and advanced medical analysis. Patients and healthcare providers are allowed to communicate with each other in a reliable and high-speed network environment, possibly sharing large files or a huge amount of data.

Research Problems
Apart from individual services, healthcare providers may provide some special treatments for groups of patients (e.g., family). These patients may have similar diseases, signs, or symptoms. They can also be persons those who need similar procedures in the healthcare processes or medical treatments. Traditional single user-server architecture is not able to provide such group conversations where "multiple patients-server" communications and "patient-patient" communications are required.
The communications are carried out via the open Internet, which is not a trusted channel. Because heath data and medical information are very sensitive, security and privacy concerns in the communication systems have become extremely important. Cyber criminals may perform various attacks that can steal personal information of patients, violate user privacy, or disrupt services (e.g., impersonation attacks). During communication, care providers (e.g., medical professionals, physicians, doctors, etc.) also need to verified as a legitimate entity to avoid possibly fraudulent services or fake behaviors.
The U-healthcare services may be provided by different institutions, including hospitals, clinics, etc.; the number of services (e.g., hematologist, cardiologist, gastroenterologist, etc. [13]) is increasing over time. Therefore, the traditional single-server system model would be unable to satisfy the demand of users once they wish to enjoy massive medical services. When using services from multiple providers, remembering massive amounts of credentials (especially user passwords) for the login will certainly induce inconvenience and directly affect the efficiency of communications. In these systems, how to alleviate computational overhead and communicational overhead is also an important concern that needs to be considered.

Goals and Contributions
This paper proposes a dynamic group-based patient-authenticated key distribution protocol for 6G-aided U-healthcare services enabled by real-time mobile DNA sequencing. In the protocol, an authenticated common session key is distributed by the server to the patients. Using the key, patients in a healthcare group are allowed to securely connect with the service provider or with each other for specific purposes of communication. The author aims to introduce a protocol that achieves multiple innovative functionalities, high security robustness, and reasonable communication overhead. The main contributions of the paper are presented as follows.
(1) This work is the first to introduce 6G-assisted group-based U-healthcare services enabled by a real-time DNA sequencing technique constructed in IoLT environments. A patient-grouping solution helps in accelerating service communications and achieving better medical-centered services. With the assistance of 6G technology, onsite sequencing data produced by a portable TGS-based sequencer (connected to a patient's mobile device) is transmitted to the server in a real-time manner for further healthcare processes. Thereafter, the server shares analytical results and related medical information with the patients. These procedures are secured by common group keys generated by the proposed protocol. The server is also allowed to trace the users based on their registered information for achieving a truly patient-centric service. (2) In the proposed protocol, a sequencing-device-based single sign-on (SD-SSO) function is introduced for the first time. Patients are allowed to store a single set of credentials (registered with multiple servers) on their DNA sequencers directly. Due to the SSO property, the patients only need to login to the system once per session to communicate with multiple providers. In addition, the proposed SD-SSO function is designed without the participation of a third-party center, which can reduce communication overhead and address the risk of adversaries hacking into the registration center and compromising all servers. (3) A three-factor authentication mechanism is enabled in the protocol through the integration of password (the first factor), sequencing device (the second factor), and biometrics (the third factor). Lacking only one of the three factors will result in failure of the authentication. In this way, better patient privacy and perfect forward secrecy of group keys are assured for securing U-healthcare communications. In the protocol, patient password and patient biometrics are changeable, which further enhances the security robustness. (4) The author introduces dynamic U-healthcare services enabled by a time-bound function. In this design, different services of a provider or multiple healthcare processes in a single service can be allotted in respective time ranges in accordance with specific requests. This solution makes providers flexibly adjust service time in order to provide more efficient medical processes as well as more convenient treatments for different kinds of patients. Controlling such access to the services using the time bounds can also address possible bottleneck issues where the services are requested at the same time by massive patients. Furthermore, a fast synchronizable key-derivation procedure is provided, which can rapidly reset communication keys for addressing desynchronization problems that could possibly occur in such a dynamic environment.

Paper Organization
The remainder of this article is structured as follows. Section 2 presents related works of the proposed protocol. Some technical preliminaries used in the work are provided in Section 3. In Section 4, the problem formulation describes the architecture model and formal security model of the proposed work. Section 5 details the design of the proposed protocol. Security evaluation and performance analysis of the proposed protocol are provided in Sections 6 and 7, respectively. The author concludes the proposal and discusses some of his future research works in the last section of the article.

5G, 6G, and U-Healthcare
In many countries, 5G mobile technology has been successfully developed and deployed as an enabler for supporting various sorts of networks and diverse applications [14]. However, in the era of digital transformation and emerging smart internet of things (IoT) applications, 5G needs some more advances to improve service delivery and business [15]. Moreover, 5G has some drawbacks and limitations in terms of functionalities in healthcare sector; for instance, it cannot provide holographic communication for medical applications due to its lower data rate [9,16]. To this end, 6G was introduced to fully address escalating technical demands, e.g., remote robotic surgery or other truly intelligent healthcare services enabled by the Intelligent Radio (IR) technique [17]. It achieves an ultra-high bandwidth (three times higher than that of 5G [18,19]) and a highly dynamic environment with a terahertz (THz) signal [18]. Therefore, 6G offers an ultra-high data transfer rate for revolutionizing U-healthcare communications. It is also fully backed by satellite [20], which completely facilitates ubiquitous care activities in medical networks at every geographical location. This article introduces a construction of 6G wireless technology for a time-boundenabled DNA-based group healthcare application via IoLT-based biosensor networks. In addition, to the best of the author's knowledge, this is the first work to address security and privacy issues in a dynamic U-healthcare communication environment.

User Authentication and Key Negotiation Solutions
User authentication and key agreement solutions were discussed in many previously published works. Deebak and Al-Turjman [21] introduced a patient authentication scheme used in healthcare systems with cloud services; it overcame several security challenges that had been not successfully addressed in the protocol of Chiou et al. [22], e.g., lost device attacks or server impersonation attacks. Wang et al. [23] also proposed an improved key agreement mechanism for wireless body area networks (WBANs) that resolved some similar issues of Farash et al. [24]'s work. Kumar et al. [25] discussed a single-factor password-based patient authentication solution for cloud-based healthcare systems in the internet of medical things (IoMT). A two-factor data authentication scheme with access control was proposed by Gupta et al. [26] for an industrial healthcare infrastructure. Alam and Kumar [27] designed a session key establishment protocol for ensuring confidentiality of IoMT-based communications in COVID-19 and future pandemic scenarios. In addition, Thakare and Kim [28] discussed another two-factor cryptographic approach for user authentication in IoT networks, and Yu et al. [29] introduced a biometrics-based multi-server user authentication and key agreement mechanism using extended chaotic maps. Wong et al. [30] introduced a three-factor identification model applied to 5G-enabled e-health environments with multi-server architecture. However, Le and Hsu [31] indicated that biometrics noise had not been discussed and resolved in Wong et al. [30]'s work, which always makes the authentication procedure incorrect. Le and Hsu [31] then discussed various solutions [32] (error-correcting codes, fuzzy extractor, biohash function, etc.) for remedying this issue and proposed an improved protocol for securing communications in group e-health services. The author found the protocol of Le and Hsu [31] is not robust against stolen smart-card attacks as adversaries can obtain patients' passwords in unmasked forms using the power analysis method [33]. Another design of lightweight group key agreement presented by Harn et al. [34] exploited some basic cryptographic operations and explained its potentials in several application networks. Based on principles of elliptic-curve cryptography (ECC), Tselikis et al. [35] also introduced an group key distribution scheme that provided privacy protection for communications. Both Harn et al. [34] and Tselikis et al. [35] did not include either biometric authentication function or three-factor authentication solutions in their designs. Meshram et al. [36] proposed a remote user password-based key negotiation scheme for application in smart cities based on smart cards and extended chaotic maps. Nevertheless, the service provider in Meshram et al. [36]'s scheme has to update a dynamic parameter in the database before each authentication is completed. This would sometimes result in unexpected desynchronization problems in the system. Based on the author's observation, although Thakare and Kim [28] and Meshram et al. [36] achieved user anonymity in their works, both are not able to assure user untraceability. Communicated transcripts in their proposed schemes contain fixed parameters that give adversaries opportunities to trace users' identities. Le [37] recently introduced a cross-server-authenticated patient key exchange protocol for U-healthcare in IoLT networks. Apart from its security robustness, Le [37]'s protocol cannot provide truly patient-centric services, as the server does not store any information of patients after its registration procedure finishes. In the registration phase of Le [37]'s approach, some credentials of the patients are stored in a single mobile entity, which cannot make U-healthcare services available on multiple devices. Furthermore, none of the above works discussed dynamic healthcare communication in group-based services.

Preliminaries
This section discusses some important technical aspects and mathematical preliminaries employed in the proposed approach, including sequencing biosensor technology, the biohash function, the time-bound function, and security complexity assumptions.

Sequencing Biosensor Technology
Second-generation sequencing (SGS) techniques, also known as next-generation sequencing (NGS) techniques, enable the process where millions of short deoxyribonucleic acid (DNA) fragments are sequenced in parallel [38]. Nevertheless, SGS comes with some drawbacks, including short read lengths and nonportability of the sequencers. In recent years, innovative healthcare services and medical research have required longer reads and shorter sequencing times, which led to the advent of TGS [3] and fourth-generation sequencing (FGS) [39]. From TGS, single DNA molecules are sequenced directly, reducing processing time from a few days to a few hours and enabling real-time analysis with sequence-based ultrarapid pathogen identification [3]. Sequencing devices can be miniaturized (for instance, SmidgION sequencer), and built-in DNA-reading biosensors on each tiny TGS-based sequencer can collect biological samples for monitoring human health and vital signs. In the proposed protocol, besides the sequencing function, the sequencer also serves as a token that stores user credentials used for authentication process, enabling service availability on multiple mobile devices including smart phones, smart tablets, etc. It is employed as the second authentication factor (something you have) in the proposed approach.

Biohash Function
As we know, biometric samples are enrolled via a noisy channel. The input biometrics samples in each authentication session are not identical; as a result, it causes false positive errors of the authentication. To this end, the biohash function can map the individuals' biometrics to specific binary strings and effectively tolerate noise [32]. Security of the biohash function is similar to conventional one-way hash functions [31]. The function also resolves the efficiency issue, which is a drawback of some related ideas, for instance, fuzzy extractor [32]. Definition 1. Given a biohash function h bio , the original biometrics B i , and the newly input biometrics B i of an individual, it is inferred that B i is different to B i , but the difference between them is within a certain threshold. Due to the property of h bio , we can achieve h bio (B i ) = h bio B i .

Time-Bound Function
Definition 2. Given three time points t, t 1 , t 2 ∈ {1, 2, . . . , z} and two values p = h t 1 −1 ( positive errors of the authentication. To this end, the biohash functio viduals' biometrics to specific binary strings and effectively tolerate n the biohash function is similar to conventional one-way hash functio also resolves the efficiency issue, which is a drawback of some relate fuzzy extractor [32].

Definition 1. Given a biohash function ℎ , the original biometrics , a ometrics
of an individual, it is inferred that is different to , but them is within a certain threshold. Due to the property of ℎ , we ca ℎ ( ).

Complexity Assumptions
The ECC is employed in the proposed approach. It is an asym that offers better performance with smaller key space considering th compared with the traditional ones [37]. Therefore, the ECC system i for mobile communications in IoLT networks. In the proposed work three security assumptions of the ECC including the elliptic curv problem (

Problem Formulation
This section discusses in details system model of the proposed some well-known adversarial capabilities. A well-known security m lated based upon the rule of the protocol. Main cryptographic fun used in the work are tabulated in Table 1.
) and q = h z−t 2 ( ), where h is a one-way hash function and " rics samples in each authentication session are not identical; as a result, it causes false positive errors of the authentication. To this end, the biohash function can map the individuals' biometrics to specific binary strings and effectively tolerate noise [32]. Security of the biohash function is similar to conventional one-way hash functions [31]. The function also resolves the efficiency issue, which is a drawback of some related ideas, for instance, fuzzy extractor [32].

Definition 1. Given a biohash function ℎ
, the original biometrics , and the newly input biometrics of an individual, it is inferred that is different to , but the difference between them is within a certain threshold. Due to the property of ℎ , we can achieve ℎ ( ) = ℎ ( ).

Complexity Assumptions
The ECC is employed in the proposed approach. It is an asymmetric cryptosystem that offers better performance with smaller key space considering the same security level compared with the traditional ones [37]. Therefore, the ECC system is completely suitable for mobile communications in IoLT networks. In the proposed work, the author employs

Problem Formulation
This section discusses in details system model of the proposed approach along with some well-known adversarial capabilities. A well-known security model is also formulated based upon the rule of the protocol. Main cryptographic functions and notations used in the work are tabulated in Table 1.
, " denotes some arbitrary parameters, a value w = h(h t−t 1 (p)||h t 2 −t (q)) is computable if and only if t satisfies t 1 ≤ t ≤ t 2 . Note that z may be 24 (h), 1440 (min), or some value specifying the time of a single day. z may also be set for multiple days or more, based directly on time allocations of specific services and on security level of systems.

Complexity Assumptions
The ECC is employed in the proposed approach. It is an asymmetric cryptosystem that offers better performance with smaller key space considering the same security level compared with the traditional ones [37]. Therefore, the ECC system is completely suitable for mobile communications in IoLT networks. In the proposed work, the author employs three security assumptions of the ECC including the elliptic curve discrete logarithm problem (ECDLP), the elliptic curve computational Diffie-Hellman problem (ECCDHP), and the elliptic curve factorization problem (ECFP). Suppose there is an elliptic curve Ep(a, b) : y 2 = x 3 + ax + b(mod p) over a finite field Fp with a basic point G (x,y) ∈ E p ; the assumptions are defined as follows.

Definition 3.
The ECDLP is to find the scalar k ∈ Z p such that K (x,y) = k·G (x,y) , given G (x,y) , K (x,y) ∈ E p .

Definition 4.
The ECCDHP is to find the point s·t·G (x,y) ∈ E p , given s, t ∈ Z p and G (x,y) , s·G (x,y) , t·G ∈ E p .

Definition 5.
The ECFP is to find two points s·G (x,y) , t·G (x,y) ∈ E p , given s, t ∈ Z p and G (x,y) , [s + t]·G (x,y) ∈ E p .

Problem Formulation
This section discusses in details system model of the proposed approach along with some well-known adversarial capabilities. A well-known security model is also formulated based upon the rule of the protocol. Main cryptographic functions and notations used in the work are tabulated in Table 1. Table 1. Notations used in the proposed approach.

S j
The j th server P i The i th patient prk j , puk j Private key, public key of S j P (x,y) Basic point on the curve Ep(a, b) with two coordinates x and y ID i Sequencing device (sequencer) of P i Table 1. Cont.

Notation Used in the Protocol Explanation
One-way hash function, biohash function SE k (·), SD k (·) Symmetric encryption, symmetric decryption using a key k [·] SD i Storing parameters in SD i A Adversary

System Model and Adversarial Capabilities
As shown in Figure 2, the main communicating entities in the system include patient P i (in a group of multiple patients) and servers S j (e.g., private doctors, genomic data scientists, etc.) who communicate with each other for conducting group services. DNAbased U-healthcare includes various services, namely, disease virus control, body fluid monitoring, blood-based prognostic tracking, and so on [3,40]. Taking family healthcare services as an example, multiple members P i in a family may request a common DNA-based healthcare service provided by S j . The service allows the family members to obtain medical data shared among them and to know of the health status of each other conveniently. As a spiritual element, family plays an important role in promoting our health as well as in improving quality of life [41]. In case of need, a family member may also render timely assistance to doctors in observing the other members' states of illness. Thus, it would significantly improve efficiency of long-term care or treatments and help in reducing the risk of medical incidents. To trigger the services, biological samples of P i (e.g., saliva) are loaded into the sequencer SD i that is inserted into P i 's mobile device MD i in advance. Next, an onsite sequencing and data analysis process is run directly on SD i ; the DNA sequencing data generated is transmitted to S j for point-of-care services. This procedure is secured by the group session key distributed by S j to P i in the proposed protocol. Since all patients receive an identical key from S j , P i is also able to share the data with other patients in the group. Thereafter, analytical results and related medical information based on the received DNA data are encrypted by the key before being sent back to a single patient or to multiple patients of the group. In the proposed architecture, these communications are carried out via the IR signal of the 6G technology. Due to its extremely high data transfer rate, 6G can offer a fully seamless experience for real-time U-healthcare services with large data sets produced by onsite mobile DNA sequencing. P i can enjoy the services without constraints of time and physical location. As mentioned, a dynamic healthcare solution is also introduced in the system which allows the services to be flexibly allotted by separate time-bounds based on specific requests. Furthermore, the author recommends integrating some related advances, e.g., WBAN, into the system to enhance efficiency of the overall healthcare treatment process.
Prior to starting using the above services, P i should register with multiple S j using three factors, namely, password PW i , sequencing device SD i , and his/her biometrics B i , establishing a multi-server communication environment. In order to receive the group keys, P i uses a single set of registered credentials stored in SD i to carry out the SD-SSO that sends a login and authentication request to S j through a public IoLT network. In such an unreliable channel, there are possible security attacks that may induce serious consequences, e.g., violating patient privacy, destructing system architecture, or reducing reliability and quality of service, etc. Based on the author's observation, an adversary A may have the following capabilities to attack the proposed communication system.

•
A has full control over the open IoLT, which enables A to intercept, insert, delete, or replay any transcripts conveyed between P i and S j .
• A may attempt to attack the past communications between P i and S j based on secret parameters or on a group session key A somehow retrieves from the current communicated messages. • A may attempt to extract the secret values or registered credentials stored in a compromised SD i and use them to attack the communication.

•
A may be a privileged insider (e.g., member of a maintenance team) who can launch even more serious attacks upon a patient's registered information obtained from DB j . • A may also be a corrupted P i or S j that can trigger similar attacks on the communication.
such an unreliable channel, there are possible security attacks that may induce serious consequences, e.g., violating patient privacy, destructing system architecture, or reducing reliability and quality of service, etc. Based on the author's observation, an adversary may have the following capabilities to attack the proposed communication system.
• has full control over the open IoLT, which enables to intercept, insert, delete, or replay any transcripts conveyed between and . • may attempt to attack the past communications between and based on secret parameters or on a group session key somehow retrieves from the current communicated messages.
• may attempt to extract the secret values or registered credentials stored in a compromised and use them to attack the communication. • may be a privileged insider (e.g., member of a maintenance team) who can launch even more serious attacks upon a patient's registered information obtained from . • may also be a corrupted or that can trigger similar attacks on the communication.

Formal Security Model
Real-or-Random (RoR) is a well-known formal model used for analyzing success probability of an adversary in attacking cryptographic protocols [42]. In the model, suppose there are two main entities including a patient and a server who are communicating with each other via a public channel. Ç denotes a protocol challenger while the message communicated by and is denoted as . The following queries should be executed by an adversary to make various attacks.

Formal Security Model
Real-or-Random (RoR) is a well-known formal model used for analyzing success probability of an adversary in attacking cryptographic protocols [42]. In the model, suppose there are two main entities including a patient P and a server S who are communicating with each other via a public channel. Ç denotes a protocol challenger while the message communicated by P and S is denoted as m. The following queries should be executed by an adversary A to make various attacks.
(1) Send(Ç, m): This query allows A to request a message m to Ç; Ç replies to A based upon the procedure of the proposed protocol. (2) Execute(P, S): In this query, A is allowed to eavesdrop the message m conveyed between P and S. with the procedure of the protocol. (4) Corrupt(P, w): In a three-factor authentication protocol, this query returns to A password PW i , parameters stored in sequencing device SD i , and biometrics B i if w = 1, w = 2, and w = 3, respectively. (5) Test(Ç): This is a statistical test query. A is allowed to directly request Ç for the session key; Ç probabilistically replies to A upon the outcome of a tossed coin b.

Definition 6.
Let Adv IoLTHC be the advantage of A running in polynomial time in a semantically breaking security system of the proposed protocol. We have Adv where IoLTHC stands for IoLT-based healthcare and b is denoted as a guessed bit of the key.

The Proposed Protocol
There are five procedures in the proposed protocol, including setup; user registration, login, and authentication; synchronizable key derivation; and password and biometrics change. For facilitating NDA-based U-healthcare processes, S j is allowed to securely distribute a common key to a group of multiple P i . The design details are as follows.

Setup Phase
At first, the system selects an elliptic curve over a finite field Fp Ep(a, b) : y 2 = x 3 + ax + b(mod p) with a basic point P (x,y) of the order n of an additive cyclic group, where p is k-bit prime and n is a large number. For a neat design, the coordinates x and y of P (x,y) are always ignored during procedures of the protocol. S m chooses a secret private key prk j and computes its public key puk j = prk j ·P.

Registration Phase
This phase is carried out via a secure channel. P i registers with S j to become a legitimate patient for using U-healthcare services. As depicted in Figure 3, P i and S j perform the following steps for this procedure.
ance with the procedure of the protocol. (4) Corrupt( , ): In a three-factor authentication protocol, this query returns to password , parameters stored in sequencing device , and biometrics if = 1, = 2, and = 3, respectively.
(5) Test(Ç): This is a statistical test query. is allowed to directly request Ç for the session key; Ç probabilistically replies to upon the outcome of a tossed coin .

Definition 6. Let
Ç be the advantage of running in polynomial time in a semantically breaking security system of the proposed protocol. We have where stands for IoLT-based healthcare and is denoted as a guessed bit of the key.

The Proposed Protocol
There are five procedures in the proposed protocol, including setup; user registration, login, and authentication; synchronizable key derivation; and password and biometrics change. For facilitating NDA-based U-healthcare processes, is allowed to securely distribute a common key to a group of multiple . The design details are as follows.

Setup Phase
At first, the system selects an elliptic curve over a finite field Fp ) with a basic point ( , ) of the order of an additive cyclic group, where is k-bit prime and is a large number. For a neat design, the coordinates and of ( , ) are always ignored during procedures of the protocol. chooses a secret private key and computes its public key = . .

Registration Phase
This phase is carried out via a secure channel. registers with to become a legitimate patient for using U-healthcare services. As depicted in Figure 3, and perform the following steps for this procedure. Step  Step R1: P i inserts SD i into MD i and selects an identity ID i , a password PW i , and a biometrics value B i . P i selects a random number σ, and computes Step R2: Receiving the message {ID i , PB}, S j computes CID i = h ID i ⊕ prk j and checks if CID i exists in DB j , which can trace registered users for achieving patient-centered services in the U-healthcare system. Next, S j computes W i = [CID i + PB]P, stores CID i in DB j , and sends {W i , puk} to P i .
Step R3: Upon the received W i , puk j , puk j in SD i and the registration is completed. In this way, the service availability is enabled on multiple mobile devices MD i .

Remark 1:
Each P i has a unique value of CID i stored in DB j . Based on CID i , S j can easily identify P i , refer to the past records, and focus on the particular care needs of P i , enabling patient-centered services.

Login and Authentication Phase
This procedure is carried out via a public channel. P i uses their registered credentials to login to S j . P i and S j authenticate with each other and compute a secret shared session key used for group healthcare communications. Suppose there are n patients participating in a group communication, Figure 4 presents the procedure where a session key is established.

Remark 1:
Each has a unique value of stored in . Based on , can easily identify , refer to the past records, and focus on the particular care needs of , enabling patientcentered services.

Login and Authentication Phase
This procedure is carried out via a public channel.
uses their registered credentials to login to . and authenticate with each other and compute a secret shared session key used for group healthcare communications. Suppose there are patients participating in a group communication, Figure 4 presents the procedure where a session key is established. Step A1: inserts into and enters credentials * , * , * . computes = ⊕ ℎ( * || * ||ℎ ( * )) and * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ ℎ( * || * || )) is performed. If the check holds, the SD-SSO is completed and is Step A1: P i inserts SD i into MD i and enters credentials

Remark 1:
Each has a unique value of stored in . Based on , can easily identify , refer to the past records, and focus on the particular care needs of , enabling patientcentered services.

Login and Authentication Phase
This procedure is carried out via a public channel.
uses their registered credentials to login to . and authenticate with each other and compute a secret shared session key used for group healthcare communications. Suppose there are patients participating in a group communication, Figure 4 presents the procedure where a session key is established. Step A1: inserts into and enters credentials * , * , * . computes = ⊕ ℎ( * || * ||ℎ ( * )) and * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ ℎ( * || * || )) is performed. If the check holds, the SD-SSO is completed and is h(ID * i ||PB * ||σ)) is performed. If the check holds, the SD-SSO is completed and P i is allowed to select a server S j in the interface of an app installed in MD i for enjoying a specific service. To this end, P i chooses a random number a s and a timestamp T p , then computes Step A2: Upon receiving the message DID i , R i , Auth i , T p , S j checks the timestamp T p and computes

Login and Authentication Phase
This procedure is carried out via a public channel.
uses their registered credentials to login to . and authenticate with each other and compute a secret shared session key used for group healthcare communications. Suppose there are patients participating in a group communication, Figure 4 presents the procedure where a session key is established. Step A1: inserts into and enters credentials * , * , * . computes = ⊕ ℎ( * || * ||ℎ ( * )) and * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ ℎ( * || * || )) is performed. If the check holds, the SD-SSO is completed and is h(x * Ti x * Mi T p ) for confirming the legitimacy of P i . Next, S j determines a time bound (t 1 , t 2 ), chooses two random numbers b j , c j , and computes a group dynamic key at a time point t by gk t = h(h t−1 (h(prk j | b j )||h z−t h(prk j ||c j ) ). S j computes TB 1 = h t 1 −1 (h(prk j ||b j )), The value ck is masked by generating multiple Step A3: Upon receiving the above message, P i checks the timestamp T s and computes . Next, S j checks Auth j uthentication procedure of the proposed protocol.

Remark 2:
The design allows the time bound (t 1 , t 2 ) to be flexibly changed without having to renew the registration. P i would be notified of the updated time bound through the app's notification during the communication session or through some channel (e.g., email) before the communication gets started.
Remark 3: Upon specific requests, P i and S j are allowed to compute multiple group keys at different time points t by gk t = h(h t−1 (h(prk j | b j )||h z−t h(prk j ||c j ) ) and by gk t = h(h t−t 1 (TB 1 )||h t 2 −t (TB 2 )), respectively. The key gk t is used as a symmetric encryption key to protect communications between S j and multiple P i , and between P i and P i .

Synchronizable Key-Derivation Phase
In this procedure, P i and S j are allowed to quickly compute a new group key to enhance security and to address desynchronization problems in patient-patient communications or in patient-server communications. For example, S j distributes a key gk 8 at 8:00 a.m. to the group; then, S j uses this key for encrypting the data; if a patient P i joins the communication at 9:00 a.m. and obtains the key gk 9 , P i is not able to decrypt the data encrypted using gk 8 . It is likely that multiple patients would be in this situation or that some similar situations happen at the same time. This causes a serious communicational desynchronization in the system, since multiple keys would be generated at different time points for a single service. To this end, two values TB 1 and TB 2 should be renewed in order to reset the communication with a new common key computed without having to repeat the many steps of the previous procedure. Figure 5 describes specific steps performed in this phase.
Step D1: S j generates a number d, which can be regarded as the number of key derivations. Upon a time point t * , S j computes a new group key gk d t * = h(h t * −1 (h(prk j | b j |d)||h z−t * h(prk j | c j |d) ) and two new values TB d 1 = h t 1 −1 (h(prk j ||b j ||d)) and TB d 2 = h z−t 2 (h(prk j | c j ||d ). S j generates a symmetric ciphertext C d = SE gk t (TB d 1 ||TB d 2 ) using previous key gk t , and conveys {C d } to P i .
Step D2: Upon receiving the message, P i decrypts C d and obtains TB d 1 , TB d 2 . Finally, P i computes the new group key by gk d t * = h(h t * −t 1 (TB d 1 )||h t 2 −t * TB d 2 ) at the time point t * . In this way, the key gk t computed in the previous phase (Section 5.3) is changed to the key gk d t * for resolving possible desynchronization issues of similar communications. repeat the many steps of the previous procedure. Figure 5 describes specific steps performed in this phase.

Figure 5.
Synchronizable key-derivation procedure of the proposed protocol. Step

Password and Biometrics Change Phase
This procedure allows P i to change their password and biometrics to enhance security. As shown in Figure 6, P i and SD i perform the following steps for updating these credentials. Step D1: generates a number , which can be regarded as the number of key derivations. Upon a time point * , computes a new group key * = ℎ(ℎ * (ℎ( | | )||ℎ * ℎ( | | ) ) and two new values = ℎ (ℎ( || || )) and = ℎ (ℎ( | || ). generates a symmetric ciphertext = ( || ) using previous key , and conveys { } to .
Step D2: Upon receiving the message, decrypts and obtains , . Finally, computes the new group key by * = ℎ(ℎ * ( )||ℎ * ( )) at the time point * . In this way, the key computed in the previous phase (Section 5.3) is changed to the key * for resolving possible desynchronization issues of similar communications.

Remark 4:
The time point and the time point * may or may not be identical based on the time allocation of specific services.

Remark 1:
Each has a unique value of stored in . Based on , can easily identify , refer to the past records, and focus on the particular care needs of , enabling patientcentered services.

Login and Authentication Phase
This procedure is carried out via a public channel.

Security Certificate
In this section, the author provides the security certificate of the proposed protocol. An informal discussion, a logical analysis using BAN logic, and a formal mathematical proof using the RoR model are included for security evaluation as follows.

Sematic Security Discussion
In this subsection, the prevention of various well-known attacks in the protocol is presented in a detailed manner. The author also discusses multiple functionalities and security features achieved by the proposed work.
(1) Replay attacks: Suppose the message DID i , R i , Auth i , T p is intercepted by A and it is resent to S m to launch a replay attack in the next session. However, timestamp T p in the protocol is employed to check if the message is resent. Moreover, when receiving the message [x 1 , x 2 , . . . , x n ], Y j , Auth j , T s , A will also fail to compromise the key gk t since A does not know of ID i , y Ti for retrieving the number b j . Therefore, the replay attack is prevented in the proposed protocol. (2) MITM attacks: On the received message DID i , R i , Auth i , T p , A may insert forged parameters and generate a candidate login message. A aims to act as a middle man to compromise the conveyed messages without being noticed by P i and S j . However, without the private key prk j , A is not able to compute sufficient parameters for the verifications on CID i and Auth i . Similarly, without y Ti and ID i , A can also not compute a valid message [x 1 , x 2 , . . . , x n ], Y j , Auth j , T s for the check on Auth j on the patient side. As a result, the protocol is free from MITM attacks. (3) Password and biometrics guessing attacks: At first, A may attempt to directly enter a candidate password for logging to the system. However, the login request will be immediately rejected by SC i upon the check V Step A1: inserts into and enters credentials * , * , * . computes = ⊕ ℎ( * || * ||ℎ ( * )) and * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ ℎ( * || * || )) is performed. If the check holds, the SD-SSO is completed and is h(ID * i ||PB * ||σ). Suppose the hash value PB is somehow known to A, then A attempts to guess PW i based on PB. Other than PW i , the values ID i , PW i , h bio (B i ), σ are also included in the function generating PB. Therefore, it is extremely hard (with a negligible success probability) for A to guess the correct PW i by computing candidate hashes and comparing them with the original PB. Using similar arguments, the biometrics B i is also completely protected during the communication process. Moreover, my work provides password and biometrics update functions that further assure the security of PW i and B i . Therefore, a robust three-factor authentication mechanism is achieved in the proposed protocol. (4) Impersonation attacks: Suppose the identity ID i is somehow disclosed, then A obtains and uses it to generate a fake login message for impersonating P i . However, it is not possible for A to launch this impersonation attack without PW i , B i since the protocol can resist password and biometrics guessing attacks, as stated above. Moreover, without the knowledge of y Ti , A can also not retrieve b j for further steps upon the known ID i . Thus, impersonation attacks are resisted in the proposed protocol. (5) Lost/stolen sequencer attacks: Suppose A has somehow stolen the sequencer SD i ; then, A retrieved all stored parameters. However, the important credentials ID i , PW i , B i are not stored in SD i directly. Obtaining the parameters W i , V, ε i , puk j inside SD i is not sufficient for passing the verification V

ogin and Authentication Phase
This procedure is carried out via a public channel. uses their registered credento login to . and authenticate with each other and compute a secret shared n key used for group healthcare communications. Suppose there are patients parting in a group communication, Figure 4 presents the procedure where a session key ablished. Step A1: inserts into and enters credentials * , * , * . computes ⊕ ℎ( * || * ||ℎ ( * )) and * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ || * || )) is performed. If the check holds, the SD-SSO is completed and is h(ID * i ||PB * ||σ) and for generating a valid login request message DID i , R i , Auth i , T p . Thus, my protocol is robust against lost/stolen sequencer attacks. (6) Desynchronization attacks: Two acknowledgement values Auth i and Auth j generated by P i and S j , respectively, are used for assuring a robust mutual authentication in the proposed protocol. Auth i and Auth j are deleted after the login and authentication procedure session is completed. In addition, after each synchronizable key-derivation procedure finishes, P i and S j do not update or store any redundant parameters used for the next communication sessions. Hence, desynchronization problems and related attacks are prevented in my work. (7) Privileged insider attacks: Suppose there is a privileged insider A who can monitor data transmission during the registration and capture message {ID i , PB}. Upon the reception of ID i , it is not possible for A to compromise the communication due to the stated resistance to impersonation attacks. Using the value PB, A is also not able to compute a correct TID i for the attack on Auth i without W i stored in the smart card.
In another scenario, even if A somehow obtains CID i in the database, A still cannot pass the server verification without ID i . Thus, the protocol can resist privileged insider attacks. (8) DoS attacks: For analysis of DoS attacks, the author discusses some possible threats that may affect communication performance of the protocol. In the login phase, the system verifies P i by V uses their registered credenauthenticate with each other and compute a secret shared althcare communications. Suppose there are patients parication, Figure 4 presents the procedure where a session key on procedure of the proposed protocol.
into and enters credentials * , * , * . computes * )) and * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ d. If the check holds, the SD-SSO is completed and is h(ID * i ||PB * ||σ) upon the newly input credentials ID * i , PW * i , B * i . If the check is not successful, the session will be immediately terminated. Hence, it is not possible for A is not able to flood the login and authentication procedure using multiple subsequent steps. On the other hand, upon the received message from P i , S j only operates two minor computations M * i = prk j ·R i and ID * i = DID i ⊕ y * Mi before the check CID i entication procedure of the proposed protocol. ts into and enters credentials * , * , * . computes |ℎ ( * )) and * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ rformed. If the check holds, the SD-SSO is completed and is h(ID * i ⊕ prk j ) is made. Retransmitting massive messages DID i , R i , Auth i , T p to S j for disrupting its services would not be an efficient attack due to the redundant resources of S j . Moreover, the communication will also be terminated once the check ∆(T p , T c ) does not hold in the beginning. Therefore, DoS attacks are prevented in the protocol. (9) Robust mutual authentication: In the proposed communication, P i should be authenticated as a legitimate patient for preventing patients' identities and possibly costly services from being compromised. Upon receiving the login request DID i , R i , Auth i , T p from P i , using the private key, S j computes M * i and retrieves ID * i , CID i , DID i . These parameters are used for the verification Auth i in and authentication procedure of the proposed protocol. : inserts into and enters credentials * , * , * . computes * || * ||ℎ ( * )) and * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ | )) is performed. If the check holds, the SD-SSO is completed and is h(x * Ti x * Mi T p ) that confirms the legitimacy of the patient P i . On the other hand, based on the message [x 1 , x 2 , . . . , x n ], Y j , Auth j , T s , P i retrieves the number b j to compute H j , ck * . These parameters are used for the check Auth j re of the proposed protocol. and enters credentials * , * , * . computes * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ check holds, the SD-SSO is completed and is h(y Ti ||ID i ||b j ||ck * ) of the acknowledgement that confirms legitimacy of the server S j and assures true service provision. If one of the above checks fails, the session will be terminated and the session key will not be established successfully. Hence, a robust mutual authentication is achieved in the proposed protocol. (10) Patient anonymity and untraceability: The identity ID i is hidden in the parameter DID i of the login message DID i , R i , Auth i , T p requested by P i . Also, the message [x 1 , x 2 , . . . , x n ], Y j , Auth j , T s sent by S j does not reveal ID i to the public. Therefore, the anonymity of ID i is guaranteed during the login and authentication process. The parameters contained in DID i , R i , Auth i , T p and [x 1 , x 2 , . . . , x n ], Y j , Auth j , T s in respective communication sessions are totally not identical since different random numbers and timestamps are used for the computations. Therefore, A is not able to identify any two login messages sent by the same patient P i . Hence, the proposed protocol achieves patient anonymity and patient untraceability. It means that it will not allow A to trace P i for the purpose of guessing P i 's identity. Thus, a message unlinkability feature is achieved in the proposed protocol. (12) Perfect forward secrecy: Suppose some sensitive data, secret parameters, or even a session key established in the current session are somehow revealed to A. Upon receiving these vales, A attempts to attack the past communications. However, it is not possible for A to launch the attack since the values are completely not identical in different communication sessions due to the inclusion of random numbers and timestamp values in the computations. For instance, A cannot use the currency key gk current t = h(h t−t 1 (TB 1 )||h t 2 −t (TB 2 )) to compromise the message encrypted using a key gk past t established in the past session. If the long-term private key prk j of S j is compromised, the secrecy of gk past t is also not affected, because there are no associated parameters between them. Hence, a perfect forward secrecy is achieved in my protocol. (13) Perfect backward secrecy (known-key security): With similar arguments, the protocol is proven not to be vulnerable to a known-key attack, since compromise of the past key gk past t does not allow either a passive A to compromise the future key gk f uture t or impersonation by an active A in the future.

Logical Analysis Using BAN logic
In this subsection, the well-known BAN logic [43] is employed to further provide a logical analysis on the mutual authentication between P i and S j . Some rules and analytical logics in the tool are defined in advance. Next, the analysis demonstrates that P i and S j believe the key gk t is a secret value shared between them only. Some notations used for the analysis are provided in Table 2. Table 2. Notations used in the analysis with BAN logic.

Notations Used in the BAN Explanation
X |≡ M X believes a statement M X M X sees the statement M X |~M X once said the statement M X does not allow either a passive to compromise the future key or impersonation by an active in the future.

Logical Analysis Using BAN logic
In this subsection, the well-known BAN logic [43] is employed to further provide a logical analysis on the mutual authentication between and . Some rules and analytical logics in the tool are defined in advance. Next, the analysis demonstrates that and believe the key is a secret value shared between them only. Some notations used for the analysis are provided in Table 2. In accordance with the principle of BAN logic and operation rules in my proposed protocol, the mutual authentication proof should satisfy the following four goals. In the protocol, the value is utilized by to distribute and to for computing the group key . Therefore, authenticity of both and should be proven, which can guarantee a completely authenticated key shared between the entities. The formula M is fresh, meaning it has not been sent in any previous messages In accordance with the principle of BAN logic and operation rules in my proposed protocol, the mutual authentication proof should satisfy the following four goals. In the protocol, the value ck is utilized by S j to distribute TB 1 and TB 2 to P i for computing the group key gk t . Therefore, authenticity of both ck and gk t should be proven, which can guarantee a completely authenticated key shared between the entities. Goal 1: S j |≡ (P i gk t ↔ S j ). S j believes that the key gk t computed is a secret value shared between P i and S j . (G1) Goal 2: S j |≡ (P i ck ↔ S j ). S j believes that the key ck computed is a secret value shared between P i and S j . (G2) Goal 3: P i |≡ (P i ck ↔ S j ). P i believes that the key ck computed is a secret value shared between P i and S j . (G3) Goal 4: P i |≡ (P i gk t ↔ S j ). P i believes that the key gk t computed is a secret value shared between P i and S j . (G4) Two messages communicated in the login and authentication procedure of the protocol are included in the authentication proof.
Message 1: P i → S j : (ID * i ⊕ y Mi , x Ri , y Ri , h(x Ti ||x Mi ||T p ), T p ) Message 2: S j → P i : ([x 1 , x 2 , . . . , x n ], b j ⊕ h(ID * i | y * Ti |T s ), h(y * Ti ||ID i ||b j ||ck), T s ) Some logical rules of the tool used in the proof are provided as follows.

•
Seeing rule (R1): In this way, an idealized form of the communicated messages is described as follows.
Based on the specified rules, assumptions, and procedure of the protocol, the logical analysis of mutual authentication between P i and S j in the proposed protocol is described by the following steps.

•
Step 1 : Based on the Message 1, we have S j ( ID i , y Mi K ij , x Ri , y Ri , x Ti , x Mi , T p K ij , T p ).

•
Step 2 : Using A1 and R1, we have S j |≡ P i |~(ID i , y Mi , x Ri , y Ri , x Ti , x Mi , T p ).

•
Step 7 : Based on R6 and Step 6 , we obtain S j |≡ x Ti , S j |≡ x Mi , and S j |≡ T p .

•
Step 8 : Due to Step 7 , and Auth i = h(x Ti ||x Mi ||T p ), we obtain S m |≡ Auth i .

•
Step 11 : According to the Message 2, we have P i ([x 1 , x 2 , . . . , x n ], b j , ID i , y Ti , T s K ij , y Ti , ID i , b j , ck K ij , T s )

•
Step 18 : In accordance with Step 17 , while H j = h(b j ||T s ) and ck = h(y Ti ||T s ) − , we can obtain P i |≡ (P i ck ↔ S j ) (G3 achieved).
In this way, the proposed protocol achieves all goals-G1, G2, G3, and G4. Therefore, it proves that P i and S j can mutually authenticate each other and gk t is an authenticated key shared between them.

Formal Security Proof with RoR Model
Formal security proof of the proposed protocol is provided using the widely-accepted ROR model. Based on mathematical principles, its idea is to analyze the success probability of A in attacking the protocol. The goal is to demonstrate that this probability is a negligible advantage, assuring the sematic security of the approach. Various games are included in the analysis where A makes multiple attack queries discussed in Section 4.2 with an increased success probability. Notations used in the proof are described in Table 3. Table 3. Notations used in the security proof with RoR Model.

Notations Explanation
l h Size of a hash value l r Size of a random number l bio Size of a biometric value q h Total hash oracle queries q s Total Send queries q e Total Execute queries L h List of hash oracle outputs L r List of random oracle results L t List of transcripts conveyed between P i and S j ε bio Biometric false-positive probability C , s Zipf parameters Definition 7. When Ç receives the last communicated message in the protocol, Ç goes to an Accept state. All messages m 1 = DID i , R i , Auth i , T p and m 2 = [x 1 , x 2 , . . . , x n ], Y j , Auth j , T s are orderly concatenated, forming a session with an identification "s_id". Definition 9. Ç is defined to be fresh if Ç simultaneously meets the following conditions: (1) Ç is in an accepted state; (2) Reveal(Ç) queries have never been submitted; and (3) less than three Corrupt (P i , n) queries have been submitted. This is called the "freshness" rule.

Definition 10. Adv ECDLP
A (t A ) is denoted as the advantage of A in breaking the ECDLP assumption within an execution time t A . Because the assumption holds, Adv ECDLP A (t A ) is a negligible probability.

Definition 11. Adv ECCDHP
is denoted as the advantage of A in breaking the ECCDHP assumption within an execution time t A . Also, Adv ECCDHP A (t A ) is a negligible probability since the assumption holds.

Definition 12. Adv ECFP
is denoted as the advantage of A in breaking the ECFP assumption within an execution time t A . Similarly, Adv ECFP A (t A ) is a negligible probability as the assumption holds.
Since Equation (1) is obviously a negligible probability, the proposed protocol is semantically secure.
Proof. The author considers six games simulated for the proof including G 0 , G 1 , G 2 , G 3 , G 4 , G 5 with increasing success probabilities of A in attacking the protocol. The ultimate goal of A is to retrieve the bit b using the Test query after each of the games finishes. Pr[S i ] is denoted as success probabilities, in which E f ( f = 0, 1, 2, 3, 4, 5) are events in respective games. I set a simulatorŞ to play the role of the challenge Ç in the games.
Game G 0 : This is the starting game, which is identical to the real protocol in the RoR model.Ş tosses the coin b and the game is started. We obtain Game G 1 : This game executes all queries that are specified in the model. The queries are simulated in Table 4 in accordance with rules of my proposed protocol. In this way, G 1 creates three lists, namely, L h , L r , and L t . Since G 0 and G 1 are indistinguishable, we have Game G 2 : In this game, the author considers collision probabilities of hash oracle queries and random oracle queries for all transcripts conveyed between P i and S j . Based on a property of the birthday paradox, the probability of the hash queries is at most q h 2 2 L h +1 . During login and authentication procedures of the protocol, P i and S j generate three random numbers a i , b j , c j for constructing two messages DID i , R i , Auth i , T p and [x 1 , x 2 , . . . , x n ], Y j , Auth j , T s . Its total collision probability is (q s +q e ) 3 2 Lr +1 . Due to the indistinguishability between G 1 and G 2 , the following equation is obtained: Game G 3 : G 3 is similar to G 2 , but Send(Ç, m) queries are made for each communicated message. This game consists of two cases consistent with two messages sent by P i and S j . + Case 1: Query Send(S j , m 1 ) is simulated in this case. Messages m 1 is computed from three values ID * i ⊕ y Mi , a i ·P, h(x Ti ||x Mi ||T p ) ∈ L h . To lauch the attack, the hash value PB should also be revealed to A. It results in a total probability of 4 q h 2 L h in total. Meanwhile, the random number a i included in m 1 has a probability at most of q s 2 Lr . + Case 2: Query Send(P i , m 2 ) is executed in this case. To launch the attack, the values , and h z−t 2 (h(prk||c j )) containing messages m 2 should be known to A. Therefore, its maximum probability is up to 6 q h 2 L h . Random numbers b j , c j have a probability of, at most, 2 q s 2 Lr . Since G 2 and G 3 are identical when these attacks are absent, we obtain Game G 4 : Guessing attacks executed by A are simulated in this game. The author includes five attack cases, which are described as follows. + Case 1: A runs query Corrupt(P i , w = 1) to guess PW i of P i . Next, A makes query Send(S j , m 1 ) for the attacks. The probability in this case is at most (C ·q s s ). + Case 2: A runs the query Corrupt(P i , w = 3) to retrieve B i of P i . A also executes query Send(S j , m 1 ) to launch the attack; therefore, the collision probability is up to max q s ( 1 2 l bio , ε bio ) . + Case 3: Suppose A employs power analysis to successfully retrieve parameters stored in SC i . Upon Hash oracle queries, A aims to break the ECDLP to compromise the values CID i , PB, a i (based on the points W i , R i , respectively) in order to impersonate P i . The probability in this case is at most 2q h Adv ECDLP A (t A ). + Case 4: To trigger MITM attacks or impersonation attacks, A runs Hash oracle queries that break the ECCDHP assumption to compromise the point M i = a i ·prk·P given the points R i = a i ·P and puk = prk·P. Its maximum collision probability is up to q h Adv ECCDHP A (t A ). + Case 5: To trigger similar attacks, A runs Hash oracle queries to break the ECFP to compromise two points TID i = CID i ·P and PB·P given the point W i = [CID i + PB]P (retrieved from SC i using power analysis). In this case, the collision probability is at most q h Adv ECFP A (t A ).  Reveal(Ç) query is executed by a simple procedure as follows. Once Ç is in an Accept state, a session key formed by Ç is returned.
Test(Ç) query is executed as follows. Ç tosses the coin b. If b = 1, the query returns an available key gk t ; otherwise, it returns a random number.
Corrupt(P i , w) query is executed as follows. If w = 1, the query outputs password PW i . If w = 2, the query outputs parameters stored in SD i . If w = 3, the query outputs biometrics B i .
Execute(P i , S j ) query is executed in succession with execution of Send(Ç, m i ) query. It is presented as follows. P i sends m 1 to S j and S j sends m 2 to P i . we have < ID Based on the logical procedure of the protocol, the Send query is simulated as follows.
, T s >) query and Ç replies to A as follows. Ç checks T s ; computes b j , H j , ck * based on some related parameters; and checks Auth j . If one of the checks does not hold, Ç terminates the session; otherwise, a session key gk t = h(h t−t 1 (TB 1 )||h t 2 −t (TB 2 )) is established, and the session is completed.
Because G 3 and G 4 are indistinguishable, we have Game G 5 : The author simulates attack scenarios on the forward secrecy property in this last game. Based on the current transcripts, Execute, Send, and Hash oracle queries are executed to retrieve group session keys generated by the old transcripts. The ECDLP assumption, ECCDHP assumption, and ECFP assumption are included in the simulation. To this end, the Test query is made to return the session key to A. To launch the attacks, A has to at least break the ECDLP two times in a row, to break the ECCDHP one time, or to break the ECFP one time; therefore, the following equation is obtained: After all games are made, the bit b is guessed upon the probability of the Test query below: Applying property of the triangular inequality and results of Equations (3)-(8), we have Applying Equations (2)-(9), the following result is achieved: Multiplying two sides of Equation (10) with a factor of 2, we can easily obtain the following final result: As can be seen, Equation (1) and Equation (11) are consistent. Hence, Theorem 1 is claimed and the proposed protocol is proven to be secure, as Adv IoLTHC Ç is a completely negligible advantage.

Performance Evaluation and Comparison
This section provides a detailed performance evaluation and presents a comparative study on multiple aspects of the protocols, including security properties and functionalities, computation overhead, and communication overhead.

Security Properties and Functionalities
The author provides the results of a comparison of security properties and functionalities of different works discussed in Section 2.2, which are tabulated in Table 5. As can be seen, the proposed protocol provides more functionality and achieves more security properties compared to the others. Especially notable is that only the proposed work introduces a 6G-aided group-based dynamic U-healthcare application. In addition, this work is the first to employ a sequencer to directly store user's registered credentials as well as use it as a separate factor for the authentication in a key agreement protocol.

Computation Overhead
Six of the eleven existing works above, which are the most relevant to the proposed approach, are included for evaluating the computation overhead and communication overhead. To estimate the overhead, the author calculates the running time of all cryptographic operations in the login and authentication phase of each protocol. Since XOR operations are so fast, its running time is assumed to be negligible. For simplicity, the computing times of a traditional one-way hash function and a biohash function are also considered to be similar, as the difference between them is too small [29,32]. The running time of each cryptographic operation used in the evaluation is tabulated in Table 6. The comparative results of the computation overhead evaluation are described in Table 7 and Figure 7. Giving the support of far fewer functional properties (specified in Table 5), the protocols of Yu et al. [29], Wong et al. [30], Le and Hsu [31], and Meshram et al. [36] incur less computing cost compared to that in the initial authentication procedure of the proposed work. However, overhead consumed in the fast key derivation of the proposed work is less than that of all other protocols, which makes it become the most efficient procedure.   Apart from that, the author considers a scenario in which multiple provide services to a single . Here, the SD-SSO function is helpful since it allows to enjoy multiple services using a single set of credentials for the login. The SD-SSO also save a little bit of computing cost as its operations, including = ⊕ ℎ( * || * ||ℎ ( * )), * = ℎ( * || * ||ℎ ( * )|| ) and ≟ ℎ * | * | , only need to be executed once before the communications with multiple . According to the result depicted in Figure 8, when the number of servers increases, both procedures of the proposed protocol (especially the fast key derivation) incur less and less overhead compared with that of the others. Furthermore, due to the group key, in the proposed architecture only needs to encrypt health data once before sending it to all while in the other works (except Le and Hsu [31]) must encrypt the same data multiple times, which results in redundant computation costs. Moreover, the patients in those works are not able to directly communicate with each other without a common key. As a matter of fact, the proposed group communication solution in this work is the best fit for group-based U-healthcare services. Apart from that, the author considers a scenario in which multiple S j provide services to a single P i . Here, the SD-SSO function is helpful since it allows P i to enjoy multiple services using a single set of credentials for the login. The SD-SSO also save a little bit of computing cost as its operations, including past records, and focus on the particular care needs of , enabling patienthentication Phase re is carried out via a public channel. uses their registered creden-. and authenticate with each other and compute a secret shared for group healthcare communications. Suppose there are patients parup communication, Figure 4 presents the procedure where a session key authentication procedure of the proposed protocol. inserts into and enters credentials * , * , * . computes * ||ℎ ( * )) and * = ℎ( * || * ||ℎ ( * )|| ) . The check ≟ s performed. If the check holds, the SD-SSO is completed and is h(ID * i ||PB * ||σ), only need to be executed once before the communications with multiple S j . According to the result depicted in Figure 8, when the number of servers S j increases, both procedures of the proposed protocol (especially the fast key derivation) incur less and less overhead compared with that of the others. Furthermore, due to the group key, S j in the proposed architecture only needs to encrypt health data once before sending it to all P i while S j in the other works (except Le and Hsu [31]) must encrypt the same data multiple times, which results in redundant computation costs. Moreover, the patients in those works are not able to directly communicate with each other without a common key. As a matter of fact, the proposed group communication solution in this work is the best fit for group-based U-healthcare services.
Furthermore, due to the group key, in the proposed architecture only needs to encrypt health data once before sending it to all while in the other works (except Le and Hsu [31]) must encrypt the same data multiple times, which results in redundant computation costs. Moreover, the patients in those works are not able to directly communicate with each other without a common key. As a matter of fact, the proposed group communication solution in this work is the best fit for group-based U-healthcare services.

Communication Overhead
In this evaluation, communication overhead includes the number of communication rounds and total length of all transmitted transcripts. Some parameters used for evaluating the overhead are provided in Table 8. In the initial authentication procedure of the proposed protocol, the transcripts of two communication rounds include DID i , R i , Auth i , T p and [x 1 , x 2 , . . . , x n ], Y j , Auth j , T s . For a fair comparison, [x 1 , x 2 , . . . , x n ], Y j , Auth j , T s should contain parameters of a single patient, which only results in a single value x in the transcript. DID i , R i , Auth i , T p and x, Y j , Auth j , T s consume a length of (160 bits + 320 bits + 160 bits + 32 bits) and (384 bits + 160 bits + 160 bits + 32 bits), respectively; the total length is (672 bits + 736 bits) = 1408 bits. Similarly, overhead values of all protocols are calculated and provided in Table 9. Figure 9 further provides a graphical description of the comparison. We can observe that the proposed protocol incurs less overhead than the works of Thakare and Kim [28], Le and Hsu [31], and Meshram et al. [36]. Due to providing the support of more functionality, the author's work consumes more costs compared to that of Yu et al. [29], Wong et al. [30], and Le [37]. Furthermore, when the proposed work executes the fast key-derivation process, its communication only incurs 256 bits (the length of C d ) and only one communication round. As a result, it is the most efficient out of all the protocols. Table 8. Single length of multiple parameters [44,45].

Conclusions
In this article, the author has proposed a group-based patient-authenticated key distribution protocol for 6G-aided dynamic U-healthcare services enabled by real-time mobile DNA sequencing. Seamless communications are provided by 6G technology regardless of patients' geographical locations. Sharing mobile DNA data for rapid analysis is a good solution for facilitating drug and vaccine development, which is one of the important concerns in the public health sector. Group service helps in improving medical treatments efficiently and promoting the use of smart health with more people participating. Patients in a healthcare group are allowed to securely connect with the service provider or with each other using a common group key generated from the protocol for the specific purposes of dynamic services. The group key generation process is protected by a three-factor authentication mechanism along with an efficient SD-SSO solution. Since all registered credentials are stored on a separate sequencer, the proposed work can enable service availability on multiple mobile devices. It is also able to facilitate a truly patientcentered service upon storing traceable information in the server database. Security analysis of the proposed protocol is presented using well-known verification tools, namely, the RoR model and BAN logic. A semantic discussion is also provided to further indicate its resistance to multiple security attacks. A detailed performance analysis of computation and communication overhead shows that the proposed approach consumes a rational cost compared to predecessor works.
In future works, performance of the initial authentication procedure can be further improved by including more lightweight cryptographic operations in the protocol. Another patient authentication scheme with a new architecture model where multiple external doctors serving as data users join the healthcare processes will be considered. The author will also consider a new design of attribute-based access control for securing cloud-

Conclusions
In this article, the author has proposed a group-based patient-authenticated key distribution protocol for 6G-aided dynamic U-healthcare services enabled by real-time mobile DNA sequencing. Seamless communications are provided by 6G technology regardless of patients' geographical locations. Sharing mobile DNA data for rapid analysis is a good solution for facilitating drug and vaccine development, which is one of the important concerns in the public health sector. Group service helps in improving medical treatments efficiently and promoting the use of smart health with more people participating. Patients in a healthcare group are allowed to securely connect with the service provider or with each other using a common group key generated from the protocol for the specific purposes of dynamic services. The group key generation process is protected by a three-factor authentication mechanism along with an efficient SD-SSO solution. Since all registered credentials are stored on a separate sequencer, the proposed work can enable service availability on multiple mobile devices. It is also able to facilitate a truly patient-centered service upon storing traceable information in the server database. Security analysis of the proposed protocol is presented using well-known verification tools, namely, the RoR model and BAN logic. A semantic discussion is also provided to further indicate its resistance to multiple security attacks. A detailed performance analysis of computation and communication overhead shows that the proposed approach consumes a rational cost compared to predecessor works.
In future works, performance of the initial authentication procedure can be further improved by including more lightweight cryptographic operations in the protocol. Another patient authentication scheme with a new architecture model where multiple external doctors serving as data users join the healthcare processes will be considered. The author will also consider a new design of attribute-based access control for securing cloud-based U-healthcare services in IoLT networks.