Fog-Driven Secure Authentication and Key Exchange Scheme for Wearable Health Monitoring System

Hindawi
Security and Communication Networks
Volume 2021, Article ID 8368646, 14 pages
https://doi.org/10.1155/2021/8368646

Research Article
Fog-Driven Secure Authentication and Key Exchange Scheme for
Wearable Health Monitoring System

 Tsu-Yang Wu , Lei Yang , Qian Meng , Xinglan Guo , and Chien-Ming Chen
 College of Computer Science and Engineering, Shandong University of Science and Technology, Qingdao 266590, China

 Correspondence should be addressed to Chien-Ming Chen; chienmingchen@ieee.org

 Received 10 August 2021; Revised 13 September 2021; Accepted 17 September 2021; Published 6 October 2021

 Academic Editor: Azees M

 Copyright © 2021 Tsu-Yang Wu et al. This is an open access article distributed under the Creative Commons Attribution License,
 which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

 Smart wearable devices, as a popular mobile device, have a broad market. Smart wearable medical devices implemented in
 wearable health monitoring systems can monitor the data pertaining to a patient’s body and let the patient know their own
 physical condition. In addition, these data can be stored, analyzed, and processed in the cloud to effectively prevent diseases. As an
 Internet-of-things technology, fog computing can process, store, and control data around devices in real time. However, the
 distributed attributes of fog nodes make the monitored body data and medical reports at risk of privacy disclosure. In this paper,
 we propose a fog-driven secure authentication and key exchange scheme for wearable health monitoring systems. Furthermore,
 we conduct a formal analysis using the Real-Oracle-Random model, Burrows–Abadi–Needham logic, and ProVerif tools and an
 informal analysis to perform security verification. Finally, a performance comparison with other related schemes shows that the
 proposed scheme has the best advantages in terms of security, computing overhead, and communication cost.

1. Introduction Patients with hypertension, coronary heart disease, and
 other chronic diseases need not visit a hospital frequently for
The Internet of things (IoT) [1, 2] refers to the communi- examinations, thereby saving a significant amount of time
cation, transmission, analysis, and control between things and reducing the cost of diagnosis. Doctors can provide
through the Internet. In other words, the IoT is an expansion timely feedback on the health status based on the SWMDs
and extension of the Internet, providing various devices with worn by patients. Furthermore, using the information
the ability to communicate. Smart mobile devices, as popular uploaded by SWMDs, doctors can better understand the
IoT devices, have entered the stage of commercialization, data pertaining to a patient’s body data to obtain more
and their development is relatively mature. Smart mobile accurate diagnosis results. From the perspective of medical
devices, such as smart watches, smart glasses, and smart resources, the application of wearable health monitoring
helmets, have been widely used in the fields of medical health systems reduces the number of patients seeking medical
and reasonable sports. Owing to the rapid development of treatment and alleviates problems regarding the lack of
mobile medical platforms and increasing attention to hospital beds.
physical health, smart wearable medical devices (SWMDs) As a relatively mature IoT technology, fog computing
have a broad market in the field of artificial intelligence can extend cloud services to the edge of a network. The
[3–6]. In addition, SWMDs have the advantages of simple principle of fog computing and cloud computing is to up-
operation, reduced treatment costs, and prevention of dis- load data for analysis, storage, and processing. The difference
eases. As a specific application of SWMDs, wearable health is that cloud computing uploads all data to the same center,
monitoring systems are of great significance to both doctors and fog computing disperses the data to many central nodes.
and patients. Patients can evaluate their health in real time When the data load is too large, cloud computing cannot
without visiting a hospital. SWMDs can monitor blood meet the application requirements of high mobility and low
pressure, heart rate, sleep status, and other indicators. latency. For example, SWMDs are placed far from the cloud

2 Security and Communication Networks

server, and transmission delays occur when patients need a anonymous AKA scheme for wireless body area networks. In
real-time diagnosis. As an extension of cloud computing, fog 2018, Chen et al. [19] showed that the scheme proposed in
computing can process, store, and control data around [18] is vulnerable to offline identity guessing attacks, sensor
devices in real time. Fog nodes are deployed between the node impersonation attacks, and hub node spoofing attacks.
cloud and SWMDs, and these are located at a low position in Subsequently, they improved Li et al.’s scheme. Koya and
the network topology and have less network delay. Figure 1 Deepthi [20] found that the scheme in [18] is vulnerable to
shows the typical structure of a fog-based wearable health sensor node impersonation attacks and that the assumption
monitoring system. that hub nodes are trustworthy is not feasible. Therefore,
 In this structure, SWMDs and fog nodes need to register they provided an anonymous two-way AKA scheme for
with the cloud server to obtain a legal identity before being wireless body area networks. In 2019, Kompara et al. [21]
used. Fog nodes are deployed between the cloud server and reported that the scheme in [18] does not provide untra-
the users of SWMDs. These users send the data pertaining to ceability for sensor nodes, and thus they proposed a robust
their body to the fog node through the communication and efficient AKA scheme with untraceability in wireless
protocol. After filtering and aggregating the received in- body area networks. In the same year, Aghili et al. [22] found
formation, fog nodes send it to the cloud server through a that the scheme in [17] fails to resist user traceability attacks,
wireless network. The cloud server analyzes and stores the desynchronization attacks, denial-of-service attacks, and
received body data and then returns the diagnosis results in internal attacks. Further, they proposed a new lightweight
real time through the fog node. AKA and ownership transfer scheme for e-health systems in
 an IoT environment. In 2020, Sowjanya et al. [23] conducted
 cryptanalysis on the scheme proposed in [18] and found that
1.1. Related Work. Wearable health monitoring systems it cannot support perfect forward security and key control
have significant practical value in medical health monitor- and is vulnerable to desynchronous attacks. To overcome
ing. SWMDs can monitor the basic information and health these limitations, an enhanced anonymous AKA protocol
data of patients and transmit these data to medical staff. [23] in a wearable health monitoring system was proposed.
During the transmission process, if the health data or di- SWMDs using IoT technologies, such as cloud com-
agnostic records are intercepted or tampered with by an puting and fog computing, also participate in the AKA
adversary, then the lives of patients can be directly impacted. process of wearable health monitoring systems. In 2019, Jia
Many authentication and key agreement (AKA) protocols et al. [24] proposed a fog-driven AKA scheme for IoT
for SWMDs have been proposed. In 2008, Venkatasu- medical systems. In the same year, Wazid et al. [25] designed
bramanian et al. [7] designed an AKA scheme based on a secure AKA scheme based on fog computing. In 2020,
electrocardiogram (ECG) data transmission for patients Chen et al. [26] showed that the scheme in [24] suffers from
with heart diseases in body sensor networks. In 2009, Sriram ephemeral secret leakage attacks and proposed a secure AKA
et al. [8] used a wearable ECG sensor to monitor biometric scheme based on fog computing. In 2021, Shamshad et al.
ECGs for verifying the identity of patients in remote health [27] reported that the scheme in [24] is vulnerable to im-
monitoring. Venkatasubramanian et al. [9] proposed an personation attacks and cannot provide anonymity for users
AKA scheme based on the physiological signal in the body and fog nodes. Wu et al. [28] also reported that the scheme in
area network, which can realize secure communication [24] exhibits security vulnerabilities, such as known session-
between sensors without initialization or pre-deployment. In specific temporary information attacks and a lack of pre-
2013, Hu et al. [10] proposed an AKA scheme based on verification. Thus, they proposed an improved fog-driven
ordered physiological features in wireless body area net- AKA scheme for IoT medical systems. In the same year, Ali
works. This scheme does not require initialization or the pre- et al. [29] analyzed and determined that the scheme in [25] is
deployment phase and can calculate the biological charac- vulnerable to traceability and clogging attacks. Therefore,
teristics according to the physiological signals of different they proposed an anti-clogging AKA scheme based on fog
parts of the human body. In 2017, Masdari et al. [11] re- computing. Some important related works are summarized
ported that the scheme proposed in [7] has a high time in Table 1.
complexity and low security. During the process of message
transmission, the scheme in [10] has a lower energy con-
sumption and smaller storage space than the scheme in [9], 1.2. Our Contribution. According to the earlier analysis,
but they have similar efficiency and time variance in gen- medical health monitoring systems based on fog computing
erating keys. need further improvement. We propose a fog-driven secure
 SWMDs are the key applications of IoT technology, in authentication and key exchange scheme for wearable health
which identity AKA is of great significance in protecting the monitoring systems to ensure the security and privacy of the
security of health data. Therefore, privacy protection [12–16] monitoring information and diagnostic reports of SWMDs.
has become an important security attribute of the protocols
proposed by researchers. In 2017, to ensure anonymity and (1) Our scheme can provide user device anonymity, fog
low energy consumption, Zhang et al. [17] designed an AKA node anonymity, and perfect forward security and
scheme based on dynamic authentication and three factors resist replay attacks, impersonation attacks, known
for an e-health system. In the same year, Li et al. [18] session-specific temporary information attacks, and
designed a lightweight, centralized, and two-hop insider attacks.

Security and Communication Networks 3

 Fog node
 Cloud server

 Wearable device user

 Figure 1: A typical structure of a fog-based wearable health monitoring system.

 Table 1: Cryptographic techniques and limitations.
Scheme Cryptographic techniques Limitations
 (i) Does not resist user traceability attacks
 (i) Utilized one-way hash function (ii) Does not resist desynchronization attacks
Zhang et al. [12]
 (ii) Dynamic string generating algorithm (iii) Does not resist denial-of-service attacks
 (iv) Does not resist internal attacks
 (i) Does not resist offline identity guessing attacks
 (ii) Does not resist sensor node impersonation attacks
 (iii) Does not resist hub node spoofing attacks
Li et al. [13] (i) Utilized one-way hash function (iv) Does not provide untraceability
 (v) Does not resist desynchronization attacks
 (vi) Does not provide perfect forward security
 (vii) Does not provide key control
 (i) Does not resist ephemeral secret leakage attacks
 (i) Utilized one-way hash function (ii) Does not resist impersonation attacks
Jia et al. [19] (ii) Based on bilinear pairings (iii) Does not resist known session-specific temporary information attacks
 (iii) Based on Diffie–Hellman problem (iv) Does not provide anonymity
 (v) Does not provide pre-verification
 (i) Utilized one-way hash function (i) Does not provide traceability
Wazid et al. [20]
 (ii) Utilized ECC (ii) Does not resist clogging attacks

 (2) Using the Real-Oracle-Random (ROR) model, we logic, and ProVerif tool and an informal analysis. In Section
 provide the probability of breaking the symmetric 4, the performance of the proposed scheme is analyzed and
 encryption and decryption algorithms and prove compared with those of five related schemes. The conclu-
 that our protocol has a secure authentication process sions are presented in Section 5.
 and session key. By using the Bur-
 rows–Abadi–Needham (BAN) logic, ProVerif tools, 2. Proposed Scheme
 and an informal analysis, we prove that the security
 of the proposed protocol can resist all known attacks. The proposed scheme involves three entities: wearable de-
 (3) The proposed protocol and five related protocols are vice (Wi ), fog node (Fj ), and cloud server (CS). The entire
 analyzed for performance evaluation. We find that scheme consists of four phases: initialization, SWMD reg-
 the proposed protocol has advantages in terms of istration, fog node registration, and AKA. The symbols used
 security, computing overhead, and communication are listed in Table 2.
 cost.
 2.1. Initialization. CS completes the initialization of the
1.3. Paper Organization. The remainder of this paper is functions and defines the required parameters involved in
organized as follows. Section 2 describes the proposed se- the scheme. CS chooses its own secret key, s, and defines the
curity scheme in detail. Section 3 presents the verification of one-way hash function, h(·), and the symmetric encryption
the security of the proposed scheme, including a formal and decryption function, Ek (·)/Dk (·). Then, CS publishes
analysis using the Real-Oracle-Random (ROR) model, BAN h(·), Ek (·)/Dk (·) .

4 Security and Communication Networks

 Table 2: Symbols and descriptions. V3 ). Then, Fj sends M2 � V1 , V2 , RIDW , V3 , V4 ,
Symbol Description
 RIDF } to CS.
Wi Smart wearable medical device (3) After receiving M2 , CS finds the corresponding
Fj Fog node IDW , sW and sF in the database according to
CS Cloud server RIDW and RIDF , respectively. CS calculates
A Adversary a � V1 ⊕h(IDW ‖sW ‖s) and b � V3 ⊕h(sF ‖s) and
 ?
s Private key of CS checks V2 � h(a‖IDW ‖RIDW ‖RIDF ‖V1 ) and
 ?
Ek (·) Symmetric encryption function V4 � h(b‖IDW ‖RIDW ‖RIDF ‖V3 ). If the equations
Dk (·) Symmetric decryption function do not hold, the session is terminated. Otherwise, CS
h(·) Hash function selects c, calculates sW′ � c⊕h(RIDW ‖sW ‖a), s′F � c⊕h
‖ Connect operation
 (RIDF ‖sF ‖b), and RID′W � h(IDW ‖sW ′ ‖s), and up-
⊕ Exclusive or operation
 dates RID′W, IDW , sW ′ and RIDF , s′F in the da-
 tabase. Further, CS computes �� V5 � h(RIDW ‖IDW ‖
 sW )and V6 � h(RIDF ��sF ) and encrypts
2.2. SWMD Registration Phase. SWMDs worn by users must E1 � ERIDW ⊕h(IDW ‖sW ‖s)(b, c, sW′ , RID′W, RIDF , V5 )an-
be registered with the cloud server before being used. Wi d E2 � ERIDF ⊕h(sF ‖s)(a, c, s′F, RID′W, V6 ). Finally, CS
inputs identity IDW and password PWW , generates a ran- computes the session key, SKc � h(a‖b‖
dom number, rW , and calculates RPWW � h(IDW ‖PWW ‖ ‖cRID′W‖RIDF ), and sends M3 � E1 , E2 to Fj .
rW ). Wi sends IDW , RPWW to CS. After CS receives the ��
 (4) After receiving M3 , Fj calculates VF′ � h(RIDF ��sF ),
request, it generates a random �number, sW , and calculates decrypts (a, c, s′F, RID′W, V6 � Dh(IDF ‖QF )(E2 )), and
 �
RIDW � h(IDW ‖sW ‖s)⊕h(IDW ��RPWW ). Subsequently, CS ?
 checks V6′� V6 . If the equation does not hold, the
stores RIDW , IDW , sW in the database and sends session is terminated. Otherwise, Fj updates
 RIDW , sW to Wi . After receiving the response, Wi cal-
 �� F , s′F in the memory, computes SKf � h(a‖b‖
 RID
culates PW � r�W ⊕ h(IDW ‖PWW ‖RIDW ) and RW � h c���RID′W/parallel RIDF ), and sends M4 � E1 to Wi .
 �
(RPWW ‖PW sW ‖��RIDW ) and stores PW , RW , RIDW , sW in
memory. The wearable device registration phase is shown in (5) After receiving M4 , Wi calculates V5′ � h(RIDW
 ‖IDW ‖sW ), decrypts (b, c, sW ′ , RID′W, RIDF , V5 ) �
Figure 2. ?
 Dh(IDW ‖RPWW )(E1 ), and checks V5′� V5 . If the
 equation does not hold, the session is terminated.
2.3. Fog Node Registration Phase. Fog nodes must register Otherwise, Wi updates RID′W, sW ′ in the memory
with the cloud service before collecting and transmitting and computes SKw � h(a‖b‖c‖RID′W‖RIDF ).
user data. Fj inputs identity IDF , generates �� a random Wi and CS complete mutual AKA through Fj , and
number, rF , and calculates QF � h(IDF ��rF ). Fj sends RIDW , sW , sF is updated simultaneously. The authentica-
 IDF , QF to CS. After CS receives the request, it generates a tion and key exchange phase is shown in Figure 4.
random�� number, sF , and calculates RIDF � h(sF ‖s)⊕h
(IDF ��QF ). Subsequently, CS stores RIDF , sF in the da- 3. Security Analysis
tabase and sends RIDF , sF to Fj . After receiving the re-
sponse, Fj calculates PF � rF ⊕h(IDF ‖sF ‖RIDF ) and stores 3.1. Formal Proof. In the ROR model [30, 31], some queries
 PF , RIDF , sF in memory. The fog node registration phase is are used to verify the security robustness of the proposed
shown in Figure 3. scheme. In the scheme, participants Wi , Fj , and CS generate
 many communication instances in the process of interac-
 y
 tion. For the convenience of proof, we define ​ xW , ​ F , and
2.4. Authentication and Key Exchange Phase. The SWMD ​z
 CS as the x-th instance of Wi , y-th instance of Fj , and z-th
regularly uploads the data pertaining to the user’s physical instance of CS, respectively.
condition to the nearby fog node, which pre-processes the
data and then sends it to CS. After receiving the user’s body
data, CS provides timely feedback to the SWMD through the 3.1.1. Queries. In this model, the queries used by adversary
fog node. The details are as follows. A are defined as follows.
 y
 (1) Wi inputs IDW andPWW , calculates rW � PW ⊕h (1) Execute( ​ xW , ​ F , ​ zCS ): the query passively captures
 (IDW ‖PWW ‖RIDW ) and RPWW � h(ID�W ‖PWW ‖ the information transmitted by entities in the public
 ? �
 rW ), and checks RW � h(RPWW ‖PW ‖sW ��RIDW ). If channel and outputs message records.
 the equation does not hold, the session is terminated. (2) Hash(str): the query inputs string str and outputs the
 Otherwise,
 �� Wi selects a, calculates V1 � a⊕RIDW corresponding hash value.
 ⊕h(IDW ��RPWW ) and V2 � h(a‖IDW ‖RIDW y
 (3) Send( ​ xW , ​ F , ​ zCS , M): the query actively inter-
 ‖RIDF ‖V1 ), and sends M1 � V1 , V2 , RIDW to Fj . cepts information transmitted between entities in the
 (2) After receiving M1 , Fj selects b and �calculates rF � public channel and forges them as M. Then, A sends
 �
 PF ⊕h(IDF ‖sF�‖RIDF ), QF � h(IDF ��rF ), V3 � b⊕ y
 M to ​ xW , ​ F , or ​ zCS and receives the corre-
 ��
 RIDF ⊕h(IDF �QF ), and V4 � h(b‖sF ‖RIDW ‖RIDF ‖ sponding response.

Security and Communication Networks 5

 Wi CS

 Selects IDW, PWW
 Choose a random rW
 RPWW=h(IDW|| PWW ||rW)
 {IDW,RPWW}
 Chooses a random sW
 Computes
 RPWW=h(IDW || sW ||s) ⊕h((IDW|| RPWW)
 {RIDW,sW} Stores {RIDW,IDW,sW} in database
 PW=rW⊕h(IDW|| PWW ||RIDW)
 PW=h(RPWW|| PW ||sW ||rW)
 Stores {PW, RW, RIDW,sW} in memory

 Figure 2: SWMD registration phase.

 Fj CS

 Selects IDF
 Choose a random rF
 QF=h(IDF ||rF)
 {IDF,QF}
 Chooses a random sF
 Computes
 RIDF=h(sF ||s) ⊕h((IDF|| QF)
 {RIDF,sF} Stores {RIDF,sF} in database
 PF=rF⊕h(IDF|| sF||RIDF)
 Stores {PF, RIDF,sF} in memory

 Figure 3: Fog node registration phase.

 Figure 4: Authentication and key exchange phase.

6 Security and Communication Networks

 y
 (4) Corrupt( ​ xW , ​ F , ​ zCS ): the query can capture a 
 Pr SuccGM3 (ξ) − Pr SuccGM2 (ξ) ≤ qsend .
 A A (4)
 private value in an entity, such as the private key of 2l
 CS or a random number.
 y GM4 : in this round of the game, A attempts to make
 (5) Test( ​ xW , ​ F , ​ zCS ): in this model, coin o is tossed offline password-guessing attacks. A launches a
 randomly. If o � 1, the correct session key is returned; Corrupt( ​ xW ) query to obtain parameters PW , RW ,
 otherwise, a random string of the same length as the RIDW , sW } in the memory of the wearable device, where
 session key is returned.
 �� W � rW ⊕h(IDW ‖PWW ‖RIDW ),
 P RW � h(RPW
 � W ‖PW ‖
 ��sW RIDW ), and RIDW � h(IDW ‖sW ‖s)⊕h(IDW ���RPWW ).
3.1.2. Definitions. Symmetric Encryption and Decryption In this calculation process, because rW and RPWW are
Algorithm (Ω). Here, we specify the security key in the unknown, A cannot calculate identity IDW and password
symmetric encryption and decryption algorithm as k, which PWW . According to Zipf’s law [32], it can be deduced
includes k1 , k2 , . . ., kn . Each key corresponds to an inde- that
pendent encryption oracle: Ek1 , Ek2 , . . ., Ekn . Then, in 
polynomial time ξ, the advantage that A can break k is Pr SuccGM4 (ξ) − Pr SuccGM3 (ξ) ≤ C · q′s , (5)
 A A ′ send
AdvΩ,k
 A (ξ) � |2Pr[A←Ek1 ; (b0 , b1 )←A; α←0, 1; β←Ek1
(bα ): A(β) � α] − 1|. For a sufficiently small number, c, we where C′ and s′ are constants.
have AdvΩ,k
 A (ξ) < c. GM5 : the purpose of this game round is to verify the
 security of the session key. We divide it into the following
 two cases.
3.1.3. Theorem. A has the ability to operate Execute, Hash,
Send, Corrupt, and Test queries. Then, in polynomial time ξ, (1) Perfect Forward Security. A launches a
the advantage that A can break the proposed scheme, S, is Corrupt( ​ zCS ) query to obtain the private key, s, of
AdvSA (ξ) ≤ q2hash /2l−1 + qsend /2l−1 + 2C′ · q′ssend + 2AdvΩ,k CS.
 A (ξ),
where qhash and qsend are the times of Hash and Send queries, (2) Known Session-Specific Temporary Information At-
 y
respectively, l is the length of the hash value, and C′ and s′ tacks. A launches a Corrupt( ​ xW ), Corrupt( ​ F ), or
 ​z
are constants. Corrupt( CS ) query to obtain one of the random
 numbers.
Proof. The game sequence, GM0 − GM6 , is defined to verify The session key of S is SK � h(a‖b‖c‖RID′W‖RIDF ). In
 GM
the security robustness of S. Here, SuccA n (ξ) is the event the first case, A knows s and cannot calculate parameters
that A wins in GMn . The proof is as follows. a, b, c, RID′W needed in the session key. In the second
 GM0 : in this round of the game, A simulates a real attack case, based on the assumption that A obtains random
and does not launch any query. We derive that number c, a, b, RID′W cannot be calculated. The same is
 true for a or b. To summarize, if A wants to calculate the
 AdvSA (ξ) � 2Pr SuccA 0 (ξ) − 1 .
 GM
 (1)
 session key, it must decrypt symmetrically on E1 or E2 ,
 GM1 : in this round of the game, A launches an Execute that is,
query. Because of the properties of the query itself, A only 
passively receives messages M1 � V1 , V2 , RIDW , Pr SuccGM5 (ξ) − Pr SuccGM4 (ξ) ≤ AdvΩ,k (ξ). (6)
 A A A
M2 � V1 , V2 , RIDW , V3 , V4 , RIDF , M3 � E1 , E2 , and
M4 � E1 . Thus, we have GM6 : in this round of game, A attempts to make im-
 GM GM
 personation attacks. A launches a h(a‖b‖c‖RID′W‖RIDF )
 Pr SuccA 1 (ξ) � Pr SuccA 0 (ξ) . (2) query, and the probability of successfully guessing the key is
 GM2 : in this round of the game, A launches a Hash 2
query. According to the birthday paradox, the probability of Pr SuccGM6 (ξ) − Pr SuccGM5 (ξ) ≤ qhash . (7)
 A A 
a hash conflict occurring in a query is 2l+1
 2 Because the probability of A guessing the key correctly
 Pr SuccGM2 (ξ) − Pr SuccGM1 (ξ) ≤ qhash , (3)
 A A and incorrectly is equal, we have
 2l+1
where l is the length of a hash value. GM 1
 Pr SuccA 6 (ξ) � . (8)
 GM3 : in this round of the game, A launches a Send 2
query. According to Zipf’s law [32], the probability of a
transmission text collision in the query is According to formulas (1)–(8), we have

Security and Communication Networks 7

 1 1 
 AdvSA (ξ) � Pr SuccA 0 (ξ) − 
 GM
 2 2
 
 � Pr SuccA 0 (ξ) − Pr SuccA 6 (ξ) 
 GM GM

 5 (9)
 � Pr SuccA 1 (ξ) − Pr SuccA 6 (ξ) ≤ Pr SuccA i+1 (ξ) − Pr SuccA i (ξ) 
 GM GM GM GM

 i�0

 q2hash qsend ′
 � + + C · qssend + AdvΩ,k
 A (ξ).
 2 l
 2l ′

 Further derivation yields the result as AdvSA (ξ) ≤ (3) A3: CS| ≡ Wi |⇒a.
 QF
 + (qsend /2l−1 ) + 2C′ · q′ssend +2AdvΩ,k
(q2hash /2l−1 ) A (ξ). □ (4) A4: CS| ≡ CS⇌ Fj .
 (5) A5: CS| ≡ #(b).
3.2. BAN Logic. BAN logic [33, 34] is often used to describe
and prove the logic and correctness of cryptographic protocols. (6) A6: CS| ≡ Fj |⇒b.
Before describing the logical reasoning of BAN, we define the (7) A7: CS| ≡ RID′W.
symbols and idealize the interactive information. Furthermore, (8) A8: CS| ≡ RIDF .
 h(IDW ‖RPWW )
based on the concrete proof, the initial condition assumptions (9) A9: Wi | ≡ Wi ⇌ CS.
are made, and the set goals are finally obtained by reasoning.
 (10) A10: Wi | ≡ #(c).
 (11) A11: Wi | ≡ CS|⇒(b, c, sW ′ , RID′W, RIDF ).
3.2.1. Rules
 (12) A12: Fj | ≡ #(b).
 (1) Message-meaning (M-M) rule: P| ≡ P ⟶K Q, h(IDF ‖QF )
 Y
 (13) A13: Fj | ≡ Fj ⇌ CS.
 P{X}K /P| ≡ Q| ∼ X, P| ≡ P⇌ YQ, P◁⟨X⟩Y /P| ≡ Q| (14) A14: Fj | ≡ #(c).
 ∼ X.
 (15) A15: Fi | ≡ CS|⇒(a, c, s′F, RID′W).
 (2) Nonce-verification (N-V) rule: P| ≡ #(X), P| ≡ Q|
 (16) A16: Wi | ≡ #(a).
 ∼ X/P| ≡ Q| ≡ X.
 (3) Jurisdiction rule: P| ≡ Q|⇒X, P| ≡ Q| ≡ X/P| ≡ X.
 (4) Session key (S-K) rule: P| ≡ #(X), P ≡ Q ∣ 3.2.5. Detailed Proof. From M1 , we can obtain
 K
 ≡ X/P| ≡ P↔ Q. S1 : CS◁ V1 : ⟨a, I DW ⟩RPWW , V2 , RIDW . After simplifica-
 (5) Freshness rule: P| ≡ #(X)/P| ≡ #(X, Y). tion, it becomes S2 : CS◁ ⟨a, IDW ⟩RPWW . Based on A1 and S2 ,
 using the M-M rule, we obtain S3 : CS| ≡ Wi ∣ ∼ (a, IDW ).
 Based on further derivation, we obtain S4 : CS| ≡ Wi ∣ ∼ a.
3.2.2. Goals
 According to A2 and S4 , using the N-V rule, we obtain
 (1) G1: Wi | ≡ Wi ⟶S K Fj . S5 : CS| ≡ Wi | ≡ a. Additionally, based on A3 and S5 , using the
 (2) G2: Fj | ≡ Wi ⟶S K Fj . jurisdiction rule, we obtain S6 : CS | ≡ a.
 From M2 , we can obtain S7 : CS◁ V3 : ⟨b, IDF ⟩QF ,
 (3) G3: CS| ≡ Wi ⟶S K Fj .
 V4 , RIDF }. After simplification, it becomes S8 : CS◁{⟨b,
 (4) G4: Wi | ≡ Fj | ≡ Wi ⟶S K Fj . IDF ⟩QF }. According to A4 and S8 , using the M-M rule, we
 (5) G5: Fj | ≡ Wi | ≡ Wi ⟶S K Fj . obtain S9 : CS ∣ ≡ Fj ∣ ∼ (b, IDF ). Based on further deri-
 (6) G6: CS| ≡ Wi | ≡ Wi ⟶S K Fj . vation, we obtain S10 : CS ∣ ≡ Fj ∣ ∼ b. Based on A5 and S10 ,
 using the N-V rule, we obtain S11 : CS| ≡ Fj | ≡ b. Based on A6
 (7) G7: CS| ≡ Fj | ≡ Wi ⟶S K Fj .
 and S11 , using the jurisdiction rule, we have S12 : CS| ≡ b.
 Because SK � h(a‖b‖c‖RID′W‖RIDF ) and based on
3.2.3. Idealizing the Communication Messages. SK
 A7 , A8 , S6 , and S12 , we have S13 : CS| ≡ Wi ↔Fj (G3). Based
 (1) M1: Wi ⟶ CS: V1 , V2 , RIDW . on A2 and S13 , using the S-K rule, we have
 SK
 S14 : CS| ≡ Wi | ≡ Wi ↔Fj (G6). According to A5 and S14 ,
 (2) M2: Fj ⟶ CS: V3 , V4 , RIDF . SK
 using the S-K rule, we have S15 : CS| ≡ Fj | ≡ Wi ↔Fj (G7).
 (3) M3: CS ⟶ Wi : E1 . From M3 , we can obtain S16 : Wi ◁ E1 : ⟨b, c, s W′, RID′W,
 (4) M4: CS ⟶ Fj : E2 . RIDF ⟩h(IDW ‖RPWW )}. According to A9 and S16 , using the
 M-M rule, we obtain S17 : Wi | ≡ CS| ∼ (b, c, sW ′ ,
 ′
 RIDW, RIDF ). Based on A10 and using the freshness rule, we
3.2.4. Initial Assumptions
 RPWW have S18 : Wi | ≡ #(b, c, sW′ , RID′W, RIDF ). Based on S17 and
 (1) A1: CS| ≡ CS ⇌ Wi . S18 , using the N-V rule, we obtain S19 : Wi | ≡ CS|
 (2) A2: CS| ≡ #(a). ≡ (b, c, sW′ , RID′W, RIDF ). Based on A11 and S19 , using the

8 Security and Communication Networks

 ′ , RID′W, RIDF ).
jurisdiction rule, we have S20 : Wi | ≡ (b, c, sW
Based on further derivation, we obtain S21 : Wi | ≡ b,
S22 : Wi | ≡ c, S23 : Wi ∣ ≡ RID′W, and S24 : Wi | ≡ RIDF . Be-
cause SK � h(a‖b‖c‖RID′W‖RIDF ) and using S21 − S24 , we
 SK
have S2 : Wi | ≡ Wi ↔Fj (G1). Based on A12 and S25 , using the
 SK
S-K rule, we obtain S26 : Wi | ≡ Fj | ≡ Wi ↔Fj (G4).
 From M4 , we can obtain S27 : Fj ◁ E2 : ⟨a, c, s′F,
RIDF′⟩(IDF ‖QF )}. Based on A13 and S27 , using the M-M rule,
we obtain S28 : Fj | ≡ CS| ∼ (a, c, s′F, RID′W). According to
A14 , using the freshness rule, we have S29 : Fj | ≡ #
(a, c, s′F, RID′W). Based on S28 and S29 , using the N-V rule, we
obtain S30 : Fj | ≡ #(a, c, s′F, RID′W). Based on A15 and S30 ,
using the jurisdiction rule, we have S31 : Fj | ≡ #(a,
c, s′F, RID′W). Based on further derivation, we obtain
S32 : Fj | ≡ a, S33 : Fj | ≡ c, and S34 : Fj | ≡ RID′W. Because SK �
 Figure 5: Definitions.
h(a‖b‖c‖RID′W‖RIDF ) and using S32 − S34 , we have
 SK
S3 : Fj | ≡ Wi ↔Fj (G2). According to A16 and S35 , using the
 SK
 > inj − event(Cloud Server AcWearable Device) is
S-K rule, we obtain S36 : Fj | ≡ Wi | ≡ Wi ↔Fj (G5). true.
 (6) Query
 inj − event(Fog Node AcCloud Server) ��
3.3. ProVerif. The formal analysis method has become one > inj − event(CloudServer AcFog Node) is true.
of the main protocol analyses in cryptography. ProVerif
[35, 36] is a common formal analysis tool that uses logic (7) Query
programming language rules and an automatic reasoning inj − event(Wearable Device AcCloud Sever) ��
algorithm to determine whether a given event can occur. > inj − event(Fog Node AcCloud Sever) is true.
Therefore, ProVerif verifies protocol confidentiality and Results (1)–(3) show that the security of the session key is
supports operations such as hashing, symmetric en- not threatened. Results (4)–(7) show that each process of the
cryption, and decryption. According to the specific pro- three entities is successfully initiated and terminated, and
cess of the proposed protocol, we use ProVerif for they ensure the correctness of each step of the protocol.
simulation reasoning. The entire simulation process is Therefore, the proposed protocol has complete authenti-
divided into the declaration, process, event, query, and cation steps and good session-key security.
main function parts.
 First, as shown in Figure 5, we define the public channel,
secure channel, constants, variables, and constituent functions.
Second, as shown in Figure 6, we declare the queries and the 3.4. Informal Proof
events: Wearable Device Started, Wearable Device Authed, and
 3.4.1. Insider Attacks. Suppose A obtains PW , RW ,
Wearable Device AcCloud Server indicate that Wi starts au-
 RIDW , sW } in Wi ’s memory and calculates �� the session key.
thentication, Wi completes authentication, and Wi passes the
 Then, A needs to obtain the key, h(IDW ��RPWW ), used for
authentication of CS, respectively. Fog Node AcCloud Server
 symmetric decryption between Wi and CS, where
indicates that fog node Fj has passed the authentication of CS.
 RPWW � h(IDW ‖PWW ‖rW ). Because PWW and rW are
Moreover, Cloud Server AcWearable Device and
 unknown, A cannot calculate the session key. Suppose A
Cloud Server AcFog Node indicate that CS has passed the
 obtains PF , RIDF , sF in Fj ’s memory and calculates
 �� the
authentication of Wi and Fj , respectively.
 session key. Then, A needs to obtain key h(IDF ��QF ) used
 Third, as shown in Figure 7, we define the process and
 for symmetric�� decryption between Fj and CS, where
main function, which includes three processes: Wi , Fj , and
 QF � h(IDF ��rF ). Because rF is unknown, A cannot cal-
CS. After all operations are completed, we run the ProVerif
 culate the session key. Suppose A obtains
function and obtain the following results.
 RIDW , IDW , sW , RIDF , sF in CS’s database and calculates
 (1) Query not attacker (SKw ) is true. the session key. Then, A needs to obtain the master key s of
 (2) Query not attacker (SKf ) is true. CS, which is used to calculate the private information a �
 V1 ⊕h(IDW ‖sW ‖s) and the key RIDW ⊕h(IDW ‖sW ‖s) for
 (3) Query not attacker (SKc ) is true. symmetric decryption between Wi and CS and the private
 (4) Query information b � V3 ⊕h(sF ‖s) and the key RIDF ⊕h(sF ‖s) for
 inj − event(WearableDeviceAuthed) �� > inj − symmetric decryption between Fj and CS. Because s is
 event(Wearable Device Started) is true. known only by CS and A cannot obtain it, the session key
 (5) Query cannot be calculated. Therefore, the scheme is resistant to
 inj − event(Cloud Server AcFog Node) �� internal attacks.

Security and Communication Networks 9

 (∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗ queries∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗)
 query attacker(SKw).
 query attacker(SKf).
 query attacker(SKc).
 query inj-event(WearableDeviceAuthed()) ==> inj-event(WearableDeviceStarted()).
 query inj-event(CloudServerAcFogNode()) ==> inj-event(CloudServerAcWearableDevice()).
 query inj-event(FogNodeAcCloudServer()) ==> inj-event(CloudServerAcFogNode()).
 query inj-event(WearableDeviceAcCloudServer()) ==> inj-event(FogNodeAcCloudServer()).

 (∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗ events ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗)
 event WearableDeviceStarted().
 event WearableDeviceAuthed().
 event CloudServerAcWearableDevice().
 event CloudServerAcFogNode().
 event FogNodeAcCloudServer().
 event WearableDeviceAcCloudServer().

 Figure 6: Queries and events.

 ��
3.4.2. Man-in-the-Middle Attacks. Suppose A intercepts calculate V1 � a⊕RIDW ⊕h(IDW ��RPWW ),� V2 � h(a‖IDW ‖
 �
messages M1 � V1 , V2 , RIDW and M2 � V 1 , RIDW ‖RIDF ‖V1 ), V3 � b⊕RIDF ⊕h(IDF ��QF ), and V4 �
V2 , RIDW , V3 , V4 , RIDF } and forges them to pass the au- h(b‖sF ‖RIDW ‖RIDF ‖V3 ). To calculate these four verifica-
thentication of CS and then intercepts M3 � E1 , E2 and tion values, A also needs IDW , RPWW , IDF , rF , and sF .
M4 � E1 and forges CS to pass the authentication of Fj However, the identity information (IDW , IDF ) is confi-
and Wi , respectively. First, assume that A forges the message dential, and RPWW is only known by Wi , and rF , sF are
from Wi . CS determines the identity of Wi by verifying updated in each communication. In other words, A cannot
 ?
V2 � h(a‖IDW ‖RIDW ‖RIDF ‖V1 ), where IDW is stored in construct V1 , V2 , V3 , V4 and make them pass the verification
the registration phase, and A cannot be obtained in the of CS. Therefore, our scheme can resist clogging attacks.
authentication phase. Second, assume that A forges the
message from Fj . CS determines the identity of Fj by
 ?
 4. Performance Evaluation
verifying V4 � h(b‖sF ‖RIDW ‖RIDF ‖V3 ), where sF is stored
in the registration phase, and A cannot be obtained in the The proposed scheme and five related protocols are analyzed
authentication phase. In other words, A cannot pass the for performance evaluation. These five schemes were pro-
verification at the CS end and cannot continue to intercept posed by Jia et al. [24], Wazid et al. [25], Chen et al. [26], Wu
M3 and M4 . Therefore, the proposed scheme successfully et al. [28], and Ali et al. [29].
resists man-in-the-middle attacks.
 4.1. Security Evaluation. Table 3 presents the security
3.4.3. Replay Attacks. A attempts to replay messages evaluation. SA1 − SA11 , respectively, represent insider at-
M1 � V1 , V2 , RIDW M2 � V1 , V2 , RIDW , V3 , V4 , RIDF , tacks, offline password-guessing attacks, impersonation at-
M3 � E1 , E2 , and M4 � E1 in the public channel. M1 and tacks, clogging attacks, user anonymity, user untraceability,
M2 are updated with random numbers a and b, respectively, fog node anonymity, replay attacks, man-in-the-middle
and A cannot obtain a and b. M3 and M4 are updated by attacks, perfect forward security, and known session-specific
random numbers a, b, and c, and A cannot replay. Even if A temporary information attacks. Note that clogging attacks
replays these messages, it will cause the session to terminate. [26] mean that an adversary can force a legitimate user to
Therefore, the proposed scheme can resist replay attacks. process a fake request sent by him disguised as a legitimate
 user, resulting in resource clogging. “√” indicates that it can
 resist this attack. “χ” indicates that the attack cannot be
3.4.4. Anonymity and Untraceability. In the proposed resisted. According to Table 3, we can see that Jia et al.’s
protocol, the identities of Wi and Fj are not transmitted scheme [24] and Wazid et al.’s scheme [25] cannot provide
directly to the public channel. Moreover, IDW�and IDF are user anonymity and user untraceability. In addition, the
 �
protected by h(IDW ‖PWW ‖rW ) and h(IDF ��rF ), respec- scheme in [24] cannot resist impersonation attacks and
tively. Therefore, A cannot know the real identities of Wi known session-specific temporary information attacks and
and Fj during the entire authentication process and cannot cannot provide fog-node anonymity. The scheme in [25]
trace them by intercepting information. Therefore, the cannot resist clogging attacks. The schemes in [26, 28, 29]
proposed scheme provides device anonymity and fog node and our scheme have good security.
anonymity.
 4.2. Computation Cost Evaluation. The evaluation envi-
3.4.5. Clogging Attacks. A attempts to launch clogging at- ronment was a Windows 10 operating system with an Intel
tacks by forging request message M2 � V1 , V2 , RIDW , (R) Core (TM) i5-8500 CPU at 3.00 Hz, and the memory was
V3 , V4 , RIDF }. A can select random numbers a, b and 8G. The development software is IntelliJ idea version 2019.3,

10 Security and Communication Networks

 Figure 7: Processes.

 Table 3: Security evaluation.
 [24] [25] [26] [28] [29] Our scheme
SA1 √ √ √ √ √ √
SA2 √ √ √ √ √ √
SA3 χ [28] √ √ √ √ √
SA4 √ χ [29] √ √ √ √
SA5 χ [28] χ [29] √ √ √ √
SA6 χ [28] χ [29] √ √ √ √
SA7 χ [28] √ √ √ √ √
SA8 √ √ √ √ √ √
SA9 √ √ √ √ √ √
SA10 √ √ √ √ √ √
SA11 χ [28] √ √ √ √ √

Security and Communication Networks

 Table 4: Computation cost evaluation.
 [24] [25] [26] [28] [29] Our scheme
User/WD 5Th + 2Tm + Tmap + Tex ≈ 38.62 21Th + Ta + 2Tm + Tfe ≈ 25.934 8Th + 2Tm + Tfe ≈ 25.832 7Th + 3Tm + Tmap + Tex ≈ 47.228 12Th + Ta + 4Tm + Tfe ≈ 43.098 7Th + Ts ≈ 8.228
Fog node 4Th + 2Tm + Tmap + Tex ≈ 38.616 16Th + Ta + 3Tm ≈ 25.914 6Th + 4Tm ≈ 34.424 4Th + 3Tm + Tmap + Tex ≈ 47.216 10Th + Ta + 5Tm ≈ 43.09 6Th + Ts ≈ 8.224
CS 9Th + 3Tm + Tmap + Tex ≈ 47.236 — 12Th + 3Tm ≈ 25.848 10Th + 4Tm + Tmap + Tex ≈ 55.84 — 10Th + 2Ts ≈ 16.44
Device — 17Th ≈ 0.068 — — 10Th ≈ 0.04 —
Total 124.472 ms 51.916 ms 86.104 ms 150.284 ms 86.218 ms 32.892 ms
 11

12 Security and Communication Networks

 160
 140

 (ms)
 120
 55.84

 Computation cost
 100 47.236
 80
 0.04
 25.848
 60 38.616 47.216
 0.068 43.09
 40 25.914 34.424
 20 38.62
 25.934 25.832 47.228
 0 43.098 16.44
 [24] [25] 8.224
 [26] 8.228
 [28]
 [29]
 our
 User/WD CS
 Fog node Device
 Figure 8: Computation cost comparison.

 Table 5: Communication cost evaluation.
 Rounds Cost (bits)
[24] 4 6Cp + 9Ch + 5Ct � 5696
[25] 3 4Cp + 10Ch + 3Ct � 4800
[26] 4 10Cp + 9Ch + 5Ct � 7744
[28] 4 6Cp + 9Ch + 5Ct � 5696
[29] 3 4Ca + 10Ch + 3Ct � 4800
Our scheme 4 9Ch + 3Cs � 3072

 9000
 8000
 Communication cost (bits)

 7000
 6000
 5000
 4000
 3000
 2000
 1000
 0
 [24] [25] [26] [28] [29] our
 Figure 9: Communication cost comparison.

which is based on the calls of the Java pairing library, sig- to Table 4, it is evident that the computational cost of our
nature library, and symmetric encryption/decryption proposed scheme is far less than that of the other five
function. Table 4 presents the computation cost evaluation schemes. Figure 8 shows the advantages of the proposed
of the AKA phase. Th represents the time of general hash scheme in terms of computational cost.
operation, Ta represents the operation time of point addi-
tion, Tm represents the operation time of scalar multipli-
cation of elliptic curve, Tfe represents the operation time of 4.3. Communication Cost Evaluation. Assume that the point
fuzzy function, Ts represents the operation time of sym- of the elliptic curve occupies 512 bits, the hash operation and
metric encryption and decryption, Tmap represents the symmetric encryption and decryption operation occupy
operation time of bilinear pair, and Tex represents the op- 256 bits, and the timestamp occupies 64 bits. Table 5 presents
eration time of exponential operation. It should be noted the communication cost evaluation of the AKA phase, where
that Th � 0.004 ms, Ta � 0.05 ms, Tm � 8.6 ms, Tfe � Tm , Cp , Ch , Cs , and Ct represent the point, hash operation,
Ts � 8.2 ms, Tmap � 10.6 ms, and Tex � 10.8 ms. According symmetric encryption and decryption operation, and

Security and Communication Networks 13

 Table 6: Performance optimization ratio.
 Computational performance speed (times) Communication performance speed (times)
Our scheme 1 1
[24] 3.784 1.854
[25] 1.578 1.563
[26] 2.618 2.521
[28] 4.569 1.854
[29] 2.621 1.563

timestamp, respectively. According to Table 5, the proposed in IIOT,” IEEE Internet of Things Journal, vol. 7, no. 12,
protocol has the lowest communication cost. Figure 9 shows pp. 11713–11724, 2020.
the advantages of the proposed scheme in terms of com- [2] H. Xiong, Y. Zhao, Y. Hou et al., “Heterogeneous signcryption
munication cost. with equality test for IIoT environment,” IEEE Internet of
 After evaluating our scheme and the other four related Things Journal, p. 1, 2020.
 [3] Z. Meng, J.-S. Pan, and K.-K. Tseng, “PaDE: an enhanced
schemes in terms of security, computation cost, and com-
 Differential Evolution algorithm with novel control parameter
munication cost, it is obvious that our scheme has great adaptation schemes for numerical optimization,” Knowledge-
advantages in these three aspects at the same time. Our Based Systems, vol. 168, pp. 80–99, 2019.
scheme not only ensures security but also has the least [4] T. N. Tu, “A fuzzy approach of large size remote sensing image
computation cost and communication cost. Table 6 shows clustering,” Journal of Information Hiding and Multimedia
the ratio of other related schemes and the proposed scheme Signal Processing, vol. 11, no. 4, pp. 187–198, 2020.
in terms of computational performance and communication [5] J.-S. Pan, N. Liu, S.-C. Chu, and T. Lai, “An efficient surrogate-
performance. According to Table 6, [24–26, 28, 29] are, assisted hybrid optimization algorithm for expensive opti-
respectively, 378.4%, 157.8%, 261.8%, 456.9%, and 262.1% of mization problems,” Information Sciences, vol. 561, pp. 304–
the proposed scheme in terms of computational perfor- 325, 2021.
mance and 185.4%, 156.3%, 252.1%, 185.4%, and 156.3% of [6] J. Wu, M. Xu, F.-F. Liu, M. Huang, L.-H. Ma, and Z.-M. Lu,
the proposed scheme in terms of communication perfor- “Solar wireless sensor network routing algorithm based on
mance. Therefore, our scheme has good advantages in multi-objective particle swarm optimization,” Journal of In-
 formation Hiding and Multimedia Signal Processing, vol. 12,
performance.
 no. 1, pp. 1–11, 2021.
 [7] K. K. Venkatasubramanian, A. Banerjee, and S. K. Gupta,
5. Conclusion “Ekg-based key agreement in body sensor networks,” in
 Proceedings of the IEEE INFOCOM Workshops, pp. 1–6,
Researchers have proposed many AKA schemes based on Phoenix, AZ, USA, April 2008.
fog computing. Some of these schemes are for the [8] J. C. Sriram, M. Shin, T. Choudhury, and D. Kotz, “Activity-
healthcare environment; however, these have low security aware ecg-based patient authentication for remote health
and high cost consumption. Therefore, we propose a fog- monitoring,” in Proceedings of the 2009 International Con-
driven secure authentication and key exchange scheme for ference on Multimodal Interfaces, pp. 297–304, Cambridge,
wearable health monitoring systems. Using a formal MA, USA, November 2009.
analysis, BAN logic, ProVerif tools, and an informal [9] K. K. Venkatasubramanian, A. Banerjee, and S. K. S. Gupta,
 “Pska: usable and secure key agreement scheme for body area
analysis, we find that our scheme can resist known attack
 networks,” IEEE Transactions on Information Technology in
methods. The performance comparison with related
 Biomedicine, vol. 14, no. 1, pp. 60–67, 2009.
protocols shows that the proposed scheme has significant [10] C. Hu, X. Cheng, F. Zhang, D. Wu, X. Liao, and D. Chen,
advantages in terms of both computational and com- “Opfka: secure and efficient ordered-physiological-feature-
munication costs. Therefore, our scheme is more suitable based key agreement for wireless body area networks,” in
for a wearable health monitoring system. Proceedings of the 2013 IEEE INFOCOM, pp. 2274–2282,
 Turin, Italy, April 2013.
Data Availability [11] M. Masdari, S. Ahmadzadeh, and M. Bidaki, “Key manage-
 ment in wireless body area network: challenges and issues,”
The data used to support the findings of this study are in- Journal of Network and Computer Applications, vol. 91,
cluded within the article. pp. 36–51, 2017.
 [12] X. Li, J. Niu, M. Karuppiah, S. Kumari, and F. Wu, “Secure
 and efficient two-factor user authentication scheme with user
Conflicts of Interest anonymity for network based e-health care applications,”
 Journal of Medical Systems, vol. 40, no. 12, pp. 1–12, 2016.
The authors declare that they have no conflicts of interest. [13] N. Radhakrishnan and M. Karuppiah, “An efficient and secure
 remote user mutual authentication scheme using smart cards
References for Telecare medical information systems,” Informatics in
 Medicine Unlocked, vol. 16, Article ID 100092, 2019.
 [1] H. Xiong, Y. Wu, C. Jin, and S. Kumari, “Efficient and privacy- [14] J. S. Pan, X. X. Sun, S. C. Chu, A. Abraham, and B. Yan,
 preserving authentication protocol for heterogeneous systems “Digital watermarking with improved SMS applied for QR

14 Security and Communication Networks

 code,” Engineering Applications of Artificial Intelligence, scheme for fog computing services,” Computer Networks,
 vol. 97, Article ID 104049, 2021. vol. 185, Article ID 107731, 2021.
[15] J. M.-T. Wu, G. Srivastava, A. Jolfaei, P. Fournier-Viger, and [30] R. Canetti, O. Goldreich, and S. Halevi, “The random oracle
 J. C.-W. Lin, “Hiding sensitive information in eHealth methodology, revisited,” Journal of the ACM, vol. 51, no. 4,
 datasets,” Future Generation Computer Systems, vol. 117, pp. 557–594, 2004.
 pp. 169–180, 2021. [31] Y. Yu, O. Taylor, R. Li, and B. Sunagawa, “An extended
[16] Z. Zhang, S. Chen, X. Sun, and Y. Liang, “Trajectory privacy chaotic map-based authentication and key agreement scheme
 protection based on spatial-time constraints in mobile social for multi-server environment,” Mathematics, vol. 9, no. 8,
 networks,” Journal of Network Intelligence, vol. 6, no. 3, p. 798, 2021.
 pp. 485–499, 2021. [32] D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s
[17] L. Zhang, Y. Zhang, S. Tang, and H. Luo, “Privacy protection law in passwords,” IEEE Transactions on Information Fo-
 for e-health systems by means of dynamic authentication and rensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
 three-factor key agreement,” IEEE Transactions on Industrial [33] M. Burrows, M. Abadi, and R. M. Needham, “A logic of
 Electronics, vol. 65, no. 3, pp. 2795–2805, 2017. authentication,” Proceedings of the Royal Society of London
[18] X. Li, M. H. Ibrahim, S. Kumari, A. K. Sangaiah, V. Gupta, and A. Mathematical and Physical Sciences, vol. 426, pp. 233–271,
 K.-K. R. Choo, “Anonymous mutual authentication and key 1871.
 agreement scheme for wearable sensors in wireless body area [34] Y. Luo, W. Zheng, and Y.-C. Chen, “An anonymous au-
 networks,” Computer Networks, vol. 129, pp. 429–443, 2017. thentication and key exchange protocol in smart grid,”
[19] C.-M. Chen, B. Xiang, T.-Y. Wu, and K.-H. Wang, “An Journal of Network Intelligence, vol. 6, no. 2, pp. 206–215,
 anonymous mutual authenticated key agreement scheme for 2021.
 wearable sensors in wireless body area networks,” Applied [35] S. A. Chaudhry, “Correcting “PALK: password-based anon-
 Sciences, vol. 8, no. 7, p. 1074, 2018. ymous lightweight key agreement framework for smart grid”,”
[20] A. M. Koya and P. P. Deepthi, “Anonymous hybrid mutual International Journal of Electrical Power and Energy Systems,
 authentication and key agreement scheme for wireless body vol. 125, Article ID 106529, 2021.
 area network,” Computer Networks, vol. 140, pp. 138–151, [36] T.-Y. Wu, L. Yang, Z. Lee, C.-M. Chen, J.-S. Pan, and
 2018. S. K. H. Lslam, “Improved ECC-based three-factor multi-
[21] M. Kompara, S. H. Islam, and M. Hölbl, “A robust and ef- server authentication scheme,” Security and Communication
 ficient mutual authentication and key agreement scheme with Networks, vol. 2021, Article ID 6627956, 14 pages, 2021.
 untraceability for wbans,” Computer Networks, vol. 148,
 pp. 196–213, 2019.
[22] S. F. Aghili, H. Mala, M. Shojafar, and P. Peris-Lopez, “Laco:
 lightweight three-factor authentication, access control and
 ownership transfer scheme for e-health systems in IoT,”
 Future Generation Computer Systems, vol. 96, pp. 410–424,
 2019.
[23] K. Sowjanya, M. Dasgupta, and S. Ray, “An elliptic curve
 cryptography based enhanced anonymous authentication
 protocol for wearable health monitoring systems,” Interna-
 tional Journal of Information Security, vol. 19, no. 1,
 pp. 129–146, 2020.
[24] X. Jia, D. He, N. Kumar, and K.-K. R. Choo, “Authenticated
 key agreement scheme for fog-driven IoT healthcare system,”
 Wireless Networks, vol. 25, no. 8, pp. 4737–4750, 2019.
[25] M. Wazid, A. K. Das, N. Kumar, and A. V. Vasilakos, “Design
 of secure key management and user authentication scheme for
 fog computing services,” Future Generation Computer Sys-
 tems, vol. 91, pp. 475–492, 2019.
[26] C.-M. Chen, Y. Huang, K.-H. Wang, S. Kumari, and
 M.-E. Wu, “A secure authenticated and key exchange scheme
 for fog computing,” Enterprise Information Systems, pp. 1–16,
 2020.
[27] S. Shamshad, M. S. Obaidat, Minahil, U. Shamshad, S. Noor,
 and K. Mahmood, “On the security of authenticated key
 agreement scheme for fog-driven IoT healthcare system,” in
 Proceedings of the 2021 International Conference on Artificial
 Intelligence and Smart Systems, pp. 1760–1765, Gwailor, Indai,
 August 2021.
[28] T.-Y. Wu, T. Wang, Y.-Q. Lee, W. Zheng, S. Kumari, and
 S. Kumar, “Improved authenticated key Agreement scheme
 for fog-driven IoT healthcare system,” Security and Com-
 munication Networks, vol. 2021, Article ID 6658041, 16 pages,
 2021.
[29] Z. Ali, S. A. Chaudhry, K. Mahmood, S. Garg, Z. Lv, and
 Y. B. Zikria, “A clogging resistant secure authentication