Robust and Efficient Authentication and Group–Proof Scheme Using Physical Unclonable Functions for Wearable Computing

Abstract

Wearable computing has garnered a lot of attention due to its various advantages, including automatic recognition and categorization of human actions from sensor data. However, wearable computing environments can be fragile to cyber security attacks since adversaries attempt to block, delete, or intercept the exchanged information via insecure communication channels. In addition to cyber security attacks, wearable sensor devices cannot resist physical threats since they are batched in unattended circumstances. Furthermore, existing schemes are not suited for resource-constrained wearable sensor devices with regard to communication and computational costs and are inefficient regarding the verification of multiple sensor devices simultaneously. Thus, we designed an efficient and robust authentication and group–proof scheme using physical unclonable functions (PUFs) for wearable computing, denoted as AGPS-PUFs, to provide high-security and cost-effective efficiency compared to the previous schemes. We evaluated the security of the AGPS-PUF using a formal security analysis, including the ROR Oracle model and AVISPA. We carried out the testbed experiments using MIRACL on Raspberry PI4 and then presented a comparative analysis of the performance between the AGPS-PUF scheme and the previous schemes. Consequently, the AGPS-PUF offers superior security and efficiency than existing schemes and can be applied to practical wearable computing environments.

1. Introduction

With the development of “mobile and 5G communication” technologies, wearable computing is emerging as a new ubiquitous technology within the Internet of Things (IoT) and it has garnered a lot of attention from both scientific and academic communities [1,2,3]. The wearable devices are integrated into various types of accessories and clothing and provide useful application services in various fields, including “military, healthcare, and industry”. In particular, sustainable wearable computing technology offers innovative healthcare opportunities, which give new methods to medical professionals to treat patients. For instance, wearable computing-based healthcare systems reduce healthcare costs and provide various medical services, including “monitoring, medical consultation, and emergency treatment” [4].

In these environments, wearable devices collect medical data, including “asthma level, blood pressure, electrocardiogram, body temperature” from the patients, and then transmit the corresponding data to the paired mobile terminal. The mobile terminal transmits the received data to the trusted cloud server, and authorized medical professionals remotely connect to the trusted cloud server and precisely monitor, analyze, and diagnose the health data of patients stored within the server. However, despite the numerous advantages of wearable computing, there are several difficulties and challenges that need to be addressed [5]. In wearable computing environments, serious security and privacy issues may arise since the messages are transmitted via an insecure channel [6]. If the collected data from the wearable devices are exposed, an adversary can obtain the sensitive information of legitimate patients and may attempt potential cyber security attacks. Hence, adversaries can bring many unexpected threats and jeopardize the patients’ lives by transmitting false medical diagnoses, such as “treatments and medications”. In addition to cyber security attacks, wearable devices cannot prevent physical threats since they are deployed in hostile and unattended circumstances. Furthermore, considering the resource limitations of wearable devices, it is suitable to adopt lightweight cryptographic primitives, such as “hash functions and symmetric key cryptography that require low computation and communication costs [7]”. In wearable computing environments, it is essential to identify whether data collected from multiple wearable devices belong to the same authorized user. Thus, a lightweight privacy-preserving authentication and group–proof scheme is indispensable to ensure simultaneous identification and secure communication in wearable computing environments.

Recently, Guo et al. [8] presented an “anonymous authenticated key agreement and group–proof protocol for wearable computing” to provide secure communication and simultaneous identification. Guo et al. claimed that their scheme was protected against physical/cyber security attacks, including “physical wearable device capture, impersonation, and forgery” attacks, and guaranteed “secure mutual authentication and untraceability”. Unfortunately, we prove that Guo et al.’s scheme was not protected against security attacks, such as “session key disclosure, man-in-the-middle (MITM), and impersonation” attacks, and it does not offer several security properties, including “untraceability and mutual authentication”. Hence, we present a “new efficient and robust authentication and group–proof scheme using physical unclonable functions (PUF) for wearable computing”, denoted as AGPS-PUFs, to address the security issues of Guo et al.’s scheme [8].

1.1. Motivations

The main purpose of this paper is to identify and improve the security problems of Guo et al.’s scheme based on the threat model presented by them. This paper proves that their protocol [8] is not protected against lethal security attacks and does not offer sensitive security features in wearable computing environments. Guo et al. [8] designed a high-security-supported cryptographic and efficient group–proof scheme for wearable computing. However, they should have examined their protocol from the point of view that we analyzed and proved. This fact motivated us to design a “new efficient and robust authentication and group–proof scheme using PUF for wearable computing”. This scheme is resilient to lethal security attacks and drawbacks that exist in wearable computing environments while guaranteeing security functionalities.

1.2. Research Contributions

This section introduces the main contribution of the AGPS-PUF.

• The AGPS-PUF is specifically designed to improve the security vulnerabilities of Guo et al.’s scheme and offers reliable authentication and maintenance for wearable computing. The AGPS-PUF carries out mutual authentication between a mobile user and wearable devices through a trusted entity known as the cloud server. The PUF enables wearable devices to resist tampering, including physical security attacks.
• We propose the protocol and demonstrate its effectiveness and security strengths via informal and formal security analyses. We exploited the well-known “AVISPA simulation” [9] and “ROR Oracle model” [10].
• We prove that the AGPS-PUF offers efficient performance in terms of security functionalities and overheads, as compared to previous schemes explored in the literature.

1.3. Paper Outlines

The rest of the paper is organized as follows. Section 2 presents the related works for wearable computing environments. Section 3 introduces the preliminaries. In Section 4 and Section 5, we review Guo et al.’s scheme [8] and then prove the security shortcomings of Guo et al.’s scheme. Section 6 designs a “new PUF-based privacy-preserving authentication and group–proof scheme for wearable computing” to resolve the security problems of Guo et al.’s scheme. Section 7 analyzes the security of the AGPS-PUF when performing formal and informal security analyses. Section 8 introduces the testbed experiments for cryptographic operations using MIRACL crypto SDK. Section 9 analyzes the performance comparison of the AGPS-PUF with related schemes. Finally, Section 10 summarizes the future works and conclusions of this paper.

2. Related Works

Over the last few years, many authentication and key agreement (AKA) schemes have been presented for wearable computing to ensure privacy for legitimate users [11,12,13]. The public key cryptosystem (PKC)-based AKA schemes consist of three mechanisms: “traditional PKC scheme [14], identity-based PKC scheme [15], and certificateless PKC scheme [16]”. The traditional PKC scheme faces problems in managing user certificates and needs high computing capabilities, so it is not applicable to wearable computing environments with constrained resources. Identity-based PKC schemes deal with the difficulty of certificate management; however, they are presented for server–client environments. The certificateless PKC scheme enhances the key escrow problem of the identity-based PKC scheme and prevents certificate management and delivery problems from the traditional PKC scheme [17]. However, these existing PKC-based AKA schemes [14,15,16] are not suitable for wearable computing environments because they utilize PKC, such as elliptic curve cryptography (ECC) and bilinear pairing, which require high communication and computation overheads.

The design of a lightweight AKA scheme for wearable computing environments has garnered a lot of attention due to the efficiency problem of the PKC-based AKA scheme and constrained resources for IoT and sensor devices. The lightweight AKA scheme has two main features: “password-based two-factor AKA scheme or password and biometric-based three-factor AKA scheme”. These AKA schemes utilize lightweight cryptographic primitives, including the “one-way hash function, XOR operation, and symmetric key cryptography”. Recently, numerous lightweight AKA schemes [18,19,20] were designed for wearable computing environments to provide useful services with lightweight properties. Li et al. [21] proposed a “secure AKA scheme with user anonymity and lightweight for healthcare applications” in wireless medical sensor networks (WMSN). Unfortunately, Das et al. [22] demonstrated that Li et al.’s scheme [21] is insecure to “privileged insider and sensor node capture” attacks and fails to ensure “user anonymity”. Wu et al. [23] presented an “enhanced two-factor assisted AKA scheme in WMSN environments”. Wu et al. [23] claimed that their protocol is resilient to lethal security attacks and offers the necessary security features. Unfortunately, Srinivas et al. [24] proved that their scheme [23] is not resistant to lethal security attacks, such as “stolen smart card, offline password guessing, user impersonation, and denial of service (DoS)” attacks. Srinivas et al. [24] proposed an “efficient and reliable AKA scheme for healthcare services with WMSN” to address the security weaknesses of Wu et al.’s scheme [23]. Amin et al. [25] designed a “lightweight and anonymous two-factor based AKA scheme” to provide secure patient data in patient monitoring systems for WMSN. Unfortunately, Ali et al. [26] analyzed Amin et al.’s scheme [25] and found that it does not prevent “known-session key temporary information, user impersonation, and offline password guessing” attacks. Ali et al. [26] presented an “enhanced biometric-based three-factor AKA scheme for healthcare monitoring in WMSN” to resolve the security shortcomings of Amin et al.’s scheme [25]. Gupta et al. [27] designed a “lightweight AKA scheme for wearable devices with user anonymity”. Gupta et al.’s scheme [27] has high scalability because the wearable sensing device registration phase does not need a secure channel. However, Hajian et al. [28] proved that Gupta et al.’s scheme [27] is not resistant to lethal security attacks, including “compromise sensing device, desynchronization, and privileged insider” attacks. Hajian et al. [28] proposed a “scalable and lightweight three-factor based AKA scheme with user-friendly and anonymous for wearable sensing devices” to improve the security problems of Gupta et al.’s scheme [27]. However, Yu et al. [29] pointed out that their protocol [28] is still not resistant to “mobile device stolen”, “session key disclosure, MITM, impersonation” attacks and does not guarantee “mutual authentication”. Unfortunately, these lightweight AKA schemes for wearable computing do not identify whether the collected data from multiple wearable devices belong to the same authorized user.

Guo et al. [8] designed an “anonymous and lightweight AKA and group–proof scheme for wearable computing”, which can verify that multiple wearable devices belong to the same user. Guo et al. [8] claimed that their protocol ensures secure data transmission between each entity and is resilient to lethal security attacks. However, based on the threat model presented by them, we have proven that Guo et al.’s scheme [8] is vulnerable to lethal security threats, such as “impersonation, MITM, and session key disclosure” attacks, and does not offer several security properties, such as “untraceability and mutual authentication”. In addition to cyber security attacks, wearable devices may be fragile to physical threats since they are batched in insecure circumstances. Therefore, we propose an “efficient and robust authentication and group-proof scheme using the PUF for wearable computing” to supplement the security functionalities and address the security shortcomings of Guo et al.’s scheme [8].

3. Preliminaries

The following provides an overview of the preliminaries.

3.1. Threat Model

We introduce the adversary capabilities based on the “Dolev-Yao (DY) model” [30,31].

• An adversary (henceforth denoted as $\mathcal{A}$) can “resend, eavesdrop, block, and delete” the exchanged messages over an insecure channel.
• $\mathcal{A}$ can steal the mobile device ($MD$) and the wearable device ($WD$) of the legitimate user. However, $\mathcal{A}$ cannot simultaneously capture the $MD$ and $WD$ of the legitimate user. The cloud server and registration center are trusted authorities and cannot be compromised by $\mathcal{A}$.
• $\mathcal{A}$ can extract the secret information stored in the captured $MD$ or $WD$ by performing the “power-analysis attacks” [32] and “physical capture attacks” [33].

3.2. PUF

The PUF [34,35] is a physical circuit that manufactures an output of a physical microstructure. The PUF does not store a private key in the smart device and it is extremely difficult to clone the circuit. The PUF utilizes an input/output bit string pair, denoted as the challenge/response pair. Even if various challenges occur in the PUF circuit, each has a unique output response. The PUF preserves smart devices in IoMT-enabled TMIS environments from side-channel and tampering threats. The PUF is expressed through a process denoted as $R=PUF\left(C\right)$, where C and R are the challenge/response. The following are several properties of the PUF.

• The PUF is easy to implement and evaluate.
• The PUF relies on the system’s physical microstructure.
• Any attempt to tamper with a smart device that contains the PUF will update the behavior of the PUF and, thus, destroy it [36].

Figure 1 shows a “PUF-based key generator procedure”. As shown in Figure 1, the PUF generates strong extractors for a private secret key based on various functions, including “encode, decode, and key derivation” functions. Thus, the PUF makes it impossible for attackers to perform lethal physical threats. Moreover, these properties combine to make a “good solution for the robust and efficient authentication of lightweight devices in wearable computing environments”.

3.3. System Model

This section introduces an overview of the system model (see Figure 2) of this paper. The system model for wearable computing is composed of four entities: registration center, cloud server, mobile users, and wearable devices.

• Registration center: This entity is a trusted authority that registers wearable devices and mobile users in a secure channel. Moreover, the registration center sets the secret credentials of each wearable device before being batched in wearable computing environments.
• Cloud server: This entity is also a trusted authority. The cloud server stores and shares the health data of legitimate patients and has computational and storage capabilities to manage patients’ health data.
• Mobile users: They have a mobile terminal and wear wearable devices to analyze the health status of the patients. The mobile terminal receives health data from the wearable devices, and then sends the received data to the cloud server through wireless communications. Moreover, remote authorized users access the cloud server to analyze the patients’ data and provide accurate medical diagnoses based on the stored physiological data.
• Wearable device: Wearable devices track and collect health data from corresponding body parts of patients. Then, the collected data are transmitted to the paired mobile terminal via Bluetooth.

4. Review of Guo et al.’s Scheme

This section introduces the reviews of Guo et al.’s scheme [8].

Table 1. Notations.

Symbol	Meaning
$U_i$	ith user
$W{D}_j$	jth wearable device
$CS$	Cloud server
$RC$	Registration center
$I{D}_U,I{D}_{WD},I{D}_{CS},I{D}_{RC}$	Real identity of $U_i$, $W{D}_j$, $CS$, and $RC$
$P{W}_i$	Password of $U_i$
$C_U^x,R_U^x$	Challenge/response of $U_i$
$C_{WD}^x,R_{WD}^x$	Challenge/response of $W{D}_j$
$R_i,R{N}_i,n_i$,	Random nonce
$TI{D}_U,TI{D}_{WD}$,	Temporary identity of $U_i$ and $W{D}_j$
$\Delta T_i$	Maximum transmission delay
$T_i$ and $T{S}_i$	Timestamp
$MK$	A master private key of $CS$
$S{K}_{CS-U}$	A session key for $U_i$ and $CS$
$S{K}_{WD-U}$	A session key for $U_i$ and $W{D}_j$
$En{c}_K(·)/De{c}_K(·)$	Encryption/decryption
$h(·)$	Hash function
⊕	XOR function
$\left|\right|$	Concatenation

shows the notations utilized in this article.

4.1. System Setup Phase

In this section, $RC$ denotes the secret credentials of each $W{D}_j$.

SP-1: 

$RC$ select s a master private key $MK$ for $CS$.

SP-2: 

$RC$ chooses a unique identity $I{D}_{WD}$ for each $W{D}_j$ and computes the pseudo-identity $PI{D}_{WD}=h(I{D}_{WD}\left|\right|MK)$. After that, $RC$ generates a temporary identity $TI{D}_{WD}$ for each $W{D}_j$.

SP-3: 

$RC$ stores $\{I{D}_{WD},TI{D}_j^{old}=null,TI{D}_j^{new}=TI{D}_{WD}\}$ in $CS$’s secure database and then stores $\{PI{D}_{WD},TI{D}_{WD},h(·)\}$ in the memory of $W{D}_j$.

4.2. User Registration Phase

In this phase, $U_i$ registers with $RC$ and obtains certain secret information to utilize later for authentication.

URP-1: 

$U_i$ selects $I{D}_U$ and $P{W}_i$ at $M{D}_i$ and $W{D}_j$. After that, $M{D}_i$ generates a random number $R{N}_i$ and computes $HI{D}_U=h(I{D}_U\left|\right|R{N}_i)$ and $HP{W}_i=h(P{W}_i\left|\right|R{N}_i)$. Then, $M{D}_i$ sends $\{HI{D}_U,HP{W}_i\}$ to $RC$ over a secure channel.

URP-2: 

$RC$ selects a temporary identity $TI{D}_U$ and a random number $r_i$. After that, $RC$ calculates $Aut{h}^{*}=h(HI{D}_U\left|\right|HP{W}_i\left|\right|r_i)$, $A_i=r_i\oplus h(HI{D}_U\oplus HP{W}_i)$, $B_i=h(TI{D}_U\left|\right|r_i\left|\right|MK)$, $C_i=r_i\oplus h(TI{D}_U\left|\right|MK)$. Finally, $RC$ stores $\{TI{D}_j^{old}=null,TI{D}_j^{new}=TI{D}_{WD},C_i\}$ in $CS$’s secure database and then sends $\{Aut{h}^{*},TI{D}_U,A_i,B_i\}$ to $M{D}_i$ over a secure channel.

URP-3: 

$M{D}_i$ computes $HAuth=h\left(Aut{h}^{*}\right||HP{W}_i\oplus R{N}_i)$, $D_i=R{N}_i\oplus A_i$, $E_i=B_i\oplus h(TI{D}_U\oplus HP{W}_i\oplus R{N}_i)$, and $F_i=R{N}_i\oplus h(I{D}_U\left|\right|P{W}_i)$. Finally, $M{D}_i$ stores $\{TI{D}_U,HAuth,D_i,E_i,F_i,h(·)\}$ in its memory.

4.3. Login and Authentication Phase

In this phase, all participants authenticate each other and establish a common session key.

LAP-1: 

$U_i$ first inputs $I{D}_U$ and $P{W}_i$ into $M{D}_i$. After that, $M{D}_i$ computes $R{N}_i=F_i\oplus h(I{D}_U\left|\right|P{W}_i)$, $HI{D}_i^{*}=h(I{D}_U\left|\right|R{N}_i)$, $HP{W}_i^{*}=h(P{W}_i\left|\right|R{N}_i)$, $R_i^{*}=A_i\oplus h(HI{D}_i^{*}\oplus HP{W}_i^{*})=D_i\oplus R{N}_i\oplus h(HI{D}_i^{*}\oplus HP{W}_i^{*})$, $Aut{h}^{*}=h(HI{D}_i^{*}\left|\right|HP{W}_i^{*}\left|\right|R_i^{*})$, and $HAut{h}^{*}=h(Aut{h}^{*}\oplus HP{W}_i^{*}\oplus R{N}_i)$, and checks $HAut{h}^{*}\stackrel{?}{=}HAuth$. If it matches, $M{D}_i$ generates a random nonce $n_1$ and a current timestamp $T_1$ and then transmits $Ms{g}_1=\{n_1,T_1\}$ to $W{D}_j$ over an insecure channel.

LAP-2: 

$W{D}_j$ verifies the freshness of $|T_2-T_1| \le \Delta T_i$, where $T_2$ is the current timestamp and $\Delta T_1$ is the maximum transmission delay for the message to be transmitted between $M{D}_i$ and $W{D}_j$. If they match, $W{D}_j$ selects $n_2$ and computes $M_1=h(TI{D}_{WD}\left|\right|PI{D}_{WD})\oplus n_2$ to transmit the secret parameters securely, and $M_2=$$h\left(M_1\right|\left|T_2\right|\left|n_1\right|\left|n_2\right)$ to verify the authorized entity. After that, $W{D}_j$ transmits $Ms{g}_2=\{M_1,M_2,TI{D}_{WD},T_2\}$ to $M{D}_i$.

LAP-3: 

$M{D}_i$ checks the freshness of $|T_3-T_2| \le \Delta T_i$. If the condition is met, $M{D}_i$ selects $n_3$ and computes $B_i=E_i\oplus h(TI{D}_U\oplus HP{W}_i\oplus R{N}_i)$, $M_3=n_3\oplus h(TI{D}_U\left|\right|r_i\left|\right|T_3)$ to transmit the random nonce securely, $M_4=h(TI{D}_U\left|\right|B_i\left|\right|n_3\left|\right|T_3)$ to verify the authorized entity, $M_5=h(TI{D}_U\left|\right|TI{D}_{WD})\oplus n_1$ to transmit the secret parameters securely, and $M_6=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|M_2\left|\right|M_4\left|\right|n_3\left|\right|T_3)$ to verify the authorized entity, and sends $Ms{g}_3=\{M_1,M_2,M_3,M_4,M_5,M_6,TI{D}_U,TI{D}_{WD},T_2,T_3\}$ to $CS$ over an insecure channel.

LAP-4: 

$CS$ verifies the freshness of $|T_4-T_3| \le \Delta T_i$. If it matches, $CS$ retrieves $TI{D}_U$ in the database. There are three scenarios for $TI{D}_U$. The first scenario is $TI{D}_i^{old}=TI{D}_U$, indicating that $CS$ and $U_i$ did not correctly update the temporary identity of $U_i$ in the previous session. The second scenario is $TI{D}_i^{new}=TI{D}_U$, indicating that $CS$ and $U_i$ correctly updated the temporary identity of $U_i$ in the previous session. In the third scenario, there is no matching of $TI{D}_U$ in the $CS$ database, and the authentication phase is terminated. For the first two scenarios, $CS$ obtains $\left\{C_i\right\}$, corresponding to $TI{D}_U$ in its database. After that, $CS$ computes $r_i^{*}=C_i\oplus h(TI{D}_U\left|\right|MK)$, $B_i^{*}=h(TI{D}_U\left|\right|r_i^{*}\left|\right|MK)$, $n_3^{*}=M_3\oplus h(TI{D}_U\left|\right|r_i^{*}\left|\right|T_3)$, $M_4^{*}=h(TI{D}_U\left|\right|B_i^{*}\left|\right|n_3^{*}\left|\right|T_3)$, and $M_6^{*}=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|M_2\left|\right|M_4^{*}\left|\right|n_3^{*}\left|\right|T_3)$, and verifies $M_4^{*}\stackrel{?}{=}{M}_4$ and $M_6^{*}\stackrel{?}{=}{M}_6$. If they are not equal, the authentication phase is terminated. Otherwise, $CS$ successfully authenticates $U_i$ and then updates the temporary identity of $U_i$. For the second scenario, $U_i$’s new temporary identity remains unchanged for the time being and is updated later in the session.

LAP-5: 

$CS$ retrieves $TI{D}_{WD}$ in its database. Similar to LAP-4, there are three scenarios: $TI{D}_j^{old}=TI{D}_{WD}$, $TI{D}_j^{new}=TI{D}_{WD}$, or $TI{D}_{WD}$ cannot be found in the $CS$ database. In the first two scenarios, $CS$ obtains $\left\{I{D}_{WD}\right\}$, corresponding to $TI{D}_{WD}$ in its database, and then computes $PI{D}_{WD}=h(I{D}_{WD}\left|\right|MK)$, $n_2^{*}=h(TI{D}_{WD}\left|\right|PI{D}_{WD})\oplus M_1$, $n_1^{*}=h(TI{D}_U\oplus TI{D}_{WD})\oplus M_5$, and $M_2^{*}=h(M_1\left|\right|T_2\left|\right|n_1^{*}\left|\right|n_2^{*})$, and checks $M_2^{*}\stackrel{?}{=}{M}_2$. If it matches, $CS$ successfully authenticates $W{D}_j$. Then, $CS$ updates the temporary identity of $W{D}_j$ as it updates $U_i$’s temporary identity.

LAP-6: 

$CS$ selects $n_4$ and timestamp $T_4$. After that, $CS$ computes $M_7=B_i\oplus T_4=$$h(TI{D}_U\left|\right|r_i\left|\right|MK)\oplus T_4$ to transmit the secret parameters securely, $M_8=n_4\oplus h(TI{D}_U\left|\right|r_i\left|\right|n_3\left|\right|T_4)$ to transmit the secret parameters securely, $S{K}_{CS-U}=h(TI{D}_U\left|\right|M_7\left|\right|n_3\left|\right|n_4\left|\right|T_3\left|\right|T_4)$, $M_9=h(M_4\left|\right|M_8\left|\right|S{K}_{CS-U}\left|\right|T_3\left|\right|T_4)$ to verify the authorized entity, $S{K}_{WD-U}=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|h(I{D}_{WD}\left|\right|MK\left)\right||n_2\left|\right|n_4\left|\right|T_4)$, $M_{10}=h(M_4\left|\right|M_8\left|\right|S{K}_{WD-U}\left|\right|T_3\left|\right|T_4)$ to verify the authorized entity, and $M_{11}=S{K}_{WD-U}\oplus h(B_i\left|\right|n_1\left|\right|n_3\left|\right|n_4\left|\right|T_3\left|\right|T_4)$. $CS$ selects the new temporary identities $TI{D}_i^{new}$ and $TI{D}_j^{new}$ for $U_i$ and $W{D}_j$, and then changes $(TI{D}_i^{old}=TI{D}_U,TI{D}_i^{new}=TI{D}_i^{new})$ and $(TI{D}_j^{old}=TI{D}_{WD},TI{D}_j^{new}=TI{D}_j^{new})$ in its database. Then, $CS$ calculates $TI{D}_i^{*}=TI{D}_i^{new}\oplus h(TI{D}_U\left|\right|n_4\left|\right|S{K}_{CS-U})$ and $TI{D}_j^{*}=TI{D}_j^{new}\oplus h(TI{D}_{WD}\left|\right|n_4\left|\right|S{K}_{WD-U})$ and transmits $Ms{g}_4=\{M_8,M_9,M_{10},M_{11},TI{D}_i^{*},TI{D}_j^{*},T_4\}$ to $M{D}_i$ over an insecure channel.

LAP-7: 

$M{D}_i$ verifies the freshness of $|T_5-T_4| \le \Delta T_i$. If it matches, $U_i$ calculates $n_4=M_8\oplus h(TI{D}_U\left|\right|n_3\left|\right|T_4)$, $M_7^{*}=B_i^{*}\oplus T_4=E_i\oplus h(TI{D}_U\oplus HP{W}_i\oplus R{N}_i)\oplus T_4$, $S{K}_{CS-U}^{*}=h(TI{D}_U\left|\right|M_7^{*}\left|\right|n_3\left|\right|n_4\left|\right|T_3\left|\right|T_4)$, $S{K}_{WD-U}^{*}=M_{11}\oplus h(B_i\left|\right|n_1\left|\right|n_3\left|\right|n_4\left|\right|T_3\left|\right|T_4)$, $M_9^{*}=h(M_4\left|\right|M_8\left|\right|S{K}_{CS-U}^{*}\left|\right|T_3\left|\right|T_4)$, and $M_{10}^{*}=h(M_4\left|\right|M_8\left|\right|S{K}_{WD-U}^{*}\left|\right|T_3\left|\right|T_4)$, and then checks whether $M_9^{*}\stackrel{?}{=}{M}_9$ and $M_{10}^{*}\stackrel{?}{=}{M}_{10}$. If they are valid, $M{D}_i$ authenticates $CS$. After that, $M{D}_i$ stores the session keys, $S{K}_{CS-U}^{*}$ and $S{K}_{WD-U}^{*}$, and the new temporary identity, $TI{D}_i^{new}=TI{D}_i^{*}\oplus h(TI{D}_U\left|\right|n_4\left|\right|S{K}_{CS-U}^{*})$.

LAP-8: 

$M{D}_i$ selects $n_5$ and computes $M_{12}=n_4\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_4)$ to transmit the secret parameters securely, $M_{13}=n_5\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_5)$ to transmit the secret parameters securely, $M_{14}=h(TI{D}_U\left|\right|S{K}_{WD-U}\left|\right|n_5\left|\right|T_5)$ to verify the authorized entity, and then transmits $Ms{g}_5=\{TI{D}_U,TI{D}_j^{*},M_{12},M_{13},M_{14},T_4,T_5\}$ to $W{D}_j$.

LAP-9: 

$W{D}_j$ verifies the freshness $|T_6-T_5| \le \Delta T_i$. If it matches, $W{D}_j$ computes $n_4=M_{12}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_4)$, $n_5=M_{13}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_5)$, $S{K}_{WD-U}^{*}=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|h(I{D}_{WD}\left|\right|MK\left)\right||n_2\left|\right|n_4\left|\right|T_4)$, and $M_{14}^{*}=h(TI{D}_U\left|\right|S{K}_{WD-U}\left|\right|n_5\left|\right|T_5)$, and then checks whether $M_{14}^{*}\stackrel{?}{=}{M}_{14}$. If it matches, $W{D}_j$ authenticates $U_i$ successfully. Finally, $W{D}_j$ stores a session key $S{K}_{WD-U}^{*}$ and a new temporary identity $TI{D}_j^{*}=TI{D}_j^{new}\oplus h(TI{D}_{WD}\left|\right|n_4\left|\right|S{K}_{WD-U}^{*})$.

5. Security Flaws of Guo et al.’s Scheme

In this section, we prove that Guo et al.’s scheme [8] is not protected against the lethal security threats and cannot offer several security functionalities.

5.1. Impersonation Attack

According to Section 3.1, $\mathcal{A}$ can extract the secret credentials $\{PI{D}_{WD},TI{D}_{WD}\}$ stored in $W{D}_j$. Moreover, $\mathcal{A}$ can intercept, block, modify, replay, and delete the exchanged messages over an insecure channel. In this attack, $\mathcal{A}$ attempts to impersonate a legitimate entity.

• Step 1:$\mathcal{A}$ first calculates $n_2=M_1\oplus h(TI{D}_{WD}\left|\right|PI{D}_{WD})$ and a new random nonce $n_2^A$. After that, $\mathcal{A}$ computes $M_1^A=h(TI{D}_{WD}\left|\right|PI{D}_{WD})\oplus n_2^A$ and $M_2^A=h(M_1^A\left|\right|T_2\left|\right|n_1\left|\right|n_2^A)$. After that, $\mathcal{A}$ transmits the message $\{M_1^A,M_2^A,TI{D}_{WD},T_2\}$ to $CS$ via $M{D}_i$.
• Step 2: After receiving the message, $CS$ retrieves $TI{D}_{WD}$ in its database and then obtains $\left\{I{D}_{WD}\right\}$, corresponding to $TI{D}_{WD}$ in its database. Then, $CS$ calculates $PI{D}_{WD}=h(I{D}_{WD}\left|\right|MK)$, $n_2^{A*}=h(TI{D}_{WD}\left|\right|PI{D}_{WD})\oplus M_1^A$, $n_1^{*}=h(TI{D}_U\oplus TI{D}_{WD})\oplus M_5$, and $M_2^{A*}=h(M_1^A\left|\right|T_2\left|\right|n_1^{*}\left|\right|n_2^{A*})$, and checks $M_2^{A*}\stackrel{?}{=}{M}_2^A$. If it matches, $CS$ authenticates $\mathcal{A}$, successfully.
• Step 3:$CS$ generates a random nonce $n_4$ and timestamp $T_4$. After that, $CS$ computes $M_7=B_i\oplus T_4=h(TI{D}_U\left|\right|r_i\left|\right|MK)\oplus T_4$, $M_8=n_4\oplus h(TI{D}_U\left|\right|r_i\left|\right|n_3\left|\right|T_4)$, $S{K}_{CS-U}=h(TI{D}_U\left|\right|M_7\left|\right|n_3\left|\right|n_4\left|\right|T_3\left|\right|T_4)$, $M_9=h(M_4\left|\right|M_8\left|\right|S{K}_{CS-U}\left|\right|T_3\left|\right|T_4)$, $S{K}_{WD-U}^A=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|h(I{D}_{WD}\left|\right|MK\left)\right||n_2^A\left|\right|n_4\left|\right|T_4)$, $M_{10}^A=h(M_4\left|\right|M_8\left|\right|S{K}_{WD-U}^A\left|\right|T_3\left|\right|T_4)$, and $M_{11}^A=S{K}_{WD-U}^A\oplus h(B_i\left|\right|n_1\left|\right|n_3\left|\right|n_4\left|\right|T_3\left|\right|T_4)$. $CS$ selects the new temporary identities, $TI{D}_i^{new}$ and $TI{D}_j^{new}$ for $U_i$ and $W{D}_j$, and then changes $(TI{D}_i^{old}=TI{D}_U,TI{D}_i^{new}=TI{D}_i^{new})$, and $(TI{D}_j^{old}=TI{D}_{WD},TI{D}_j^{new}=TI{D}_j^{new})$ in its database. Then, $CS$ calculates $TI{D}_i^{*}=TI{D}_i^{new}\oplus h(TI{D}_U\left|\right|n_4\left|\right|S{K}_{CS-U})$ and $TI{D}_j^{A*}=TI{D}_j^{new}\oplus h(TI{D}_{WD}\left|\right|n_4\left|\right|S{K}_{WD-U}^A)$ and transmits $\{M_8,M_9,M_{10}^A,M_{11}^A,TI{D}_i^{*},TI{D}_j^{A*},T_4\}$ to $M{D}_i$ over an open channel.
• Step 4: Upon receiving the message, $M{D}_i$ verifies the freshness of $|T_5-T_4| \le \Delta T_i$. If it matches, $U_i$ calculates $n_4=M_8\oplus h(TI{D}_U\left|\right|n_3\left|\right|T_4)$, $M_7^{*}=B_i^{*}\oplus T_4=E_i\oplus h(TI{D}_U\oplus HP{W}_i\oplus R{N}_i)\oplus T_4$, $S{K}_{CS-U}^{*}=h(TI{D}_U\left|\right|M_7^{*}\left|\right|n_3\left|\right|n_4\left|\right|T_3\left|\right|T_4)$, $S{K}_{WD-U}^{A*}=M_{11}^A\oplus h(B_i\left|\right|n_1\left|\right|n_3\left|\right|n_4\left|\right|T_3\left|\right|T_4)$, $M_9^{*}=h(M_4\left|\right|M_8\left|\right|S{K}_{CS-U}^{*}\left|\right|T_3\left|\right|T_4)$, and $M_{10}^{A*}=h(M_4\left|\right|M_8\left|\right|S{K}_{WD-U}^{A*}\left|\right|T_3\left|\right|T_4)$, and then checks whether $M_9^{*}\stackrel{?}{=}{M}_9$ and $M_{10}^{A*}\stackrel{?}{=}{M}_{10}^A$. If they are valid, $M{D}_i$ authenticates $CS$. After that, $M{D}_i$ stores the session keys $S{K}_{CS-U}^{*}$ and $S{K}_{WD-U}^{A*}$ and the new temporary identity $TI{D}_i^{new}=TI{D}_i^{*}\oplus h(TI{D}_U\left|\right|n_4\left|\right|S{K}_{CS-U}^{*})$.
• Step 5: Then, $M{D}_i$ selects $n_5$ and computes $M_{12}=n_4\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_4)$, $M_{13}=n_5\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_5)$, $M_{14}^A=h(TI{D}_U\left|\right|S{K}_{WD-U}^A\left|\right|n_5\left|\right|T_5)$, and then transmits $\{TI{D}_U,TI{D}_j^{A*},M_{12},M_{13},M_{14}^A,T_4,T_5\}$ to $W{D}_j$.
• Step 6: After eavesdropping on the message, $\{TI{D}_U,TI{D}_j^{A*},M_{12},M_{13},M_{14}^A,T_4,T_5\}$, $\mathcal{A}$ calculates $n_4=M_{12}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_4)$, $n_5=M_{13}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_5)$, $S{K}_{WD-U}^{A*}=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|h(I{D}_{WD}\left|\right|MK\left)\right||n_2^A\left|\right|n_4\left|\right|T_4)$, and $M_{14}^{A*}=h(TI{D}_U\left|\right|S{K}_{WD-U}^A\left|\right|n_5\left|\right|T_5)$. Note that $h\left(I{D}_{WD}\right|\left|MK\right)$, included in the session key, is the same as $PI{D}_{WD}$. Finally, $\mathcal{A}$ stores a session key $S{K}_{WD-U}^{A*}$ and a new temporary identity $TI{D}_j^{A*}=TI{D}_j^{new}\oplus h(TI{D}_{WD}\left|\right|n_4\left|\right|S{K}_{WD-U}^{A*})$.

Consequently, their scheme is not resistant to impersonation attacks since $\mathcal{A}$ can impersonate the legitimate $W{D}_j$.

5.2. MITM Attack

Based on the threat model, $\mathcal{A}$ can extract the secret parameters $\{PI{D}_{WD},TI{D}_{WD}\}$ stored in $W{D}_j$. Furthermore, $\mathcal{A}$ can block, intercept, modify, replay, and delete the transmitted messages via an open channel.

• Step 1: After eavesdropping on the message $\{n_1,T_1\}$ via a public channel, $\mathcal{A}$ first calculates $n_2=M_1\oplus h(TI{D}_{WD}\left|\right|PI{D}_{WD})$ and $M_2=h(M_1\left|\right|T_2\left|\right|n_1\left|\right|n_2)$. After that, $\mathcal{A}$ transmits $\{M_1,M_2,TI{D}_{WD},T_2\}$.
• Step 2: After eavesdropping on the message $\{TI{D}_U,TI{D}_j^{*},M_{12},M_{13},M_{14},T_4,T_5\}$ via a public channel, $\mathcal{A}$ computes $n_4=M_{12}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_4)$ and $n_5=M_{13}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_5)$.
• Step 3:$\mathcal{A}$ calculates a session key $S{K}_{WD-U}^{*}=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|h(I{D}_{WD}\left|\right|MK\left)\right||n_2\left|\right|n_4\left|\right|T_4)$, where $h\left(I{D}_{WD}\right|\left|MK\right)$, included in the session key, is the same as $PI{D}_{WD}$. Finally, $\mathcal{A}$ successfully calculates $M_{14}^{*}=h(TI{D}_U\left|\right|S{K}_{WD-U}\left|\right|n_5\left|\right|T_5)$ and then verifies $M_{14}^{*}\stackrel{?}{=}{M}_{14}$. Hence, their scheme is not protected against this attack.

5.3. Session Key Disclosure Attack

Based on Section 5.2, $\mathcal{A}$ extracts $n_4=M_{12}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_4)$ and $n_5=M_{13}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_5)$, and then computes a session key $S{K}_{WD-U}^{*}=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|h(I{D}_{WD}\left|\right|MK\left)\right||n_2\left|\right|n_4\left|\right|T_4)$ successfully. As a result, $\mathcal{A}$ can successfully obtain a common session key $S{K}_{WD-U}^{*}$ between legitimate $U_i$ and $W{D}_j$. Thus, Guo et al.’s scheme is insecure to this attack.

5.4. Mutual Authentication

In Guo et al.’s scheme, they claimed to provide mutual authentication between the entities. Unfortunately, according to Section 5.2 and Section 5.3, $\mathcal{A}$ can successfully generate the sensitive messages, $M_{10}=h(M_4\left|\right|M_8\left|\right|S{K}_{WD-U}\left|\right|T_3\left|\right|T_4)$ and $M_{14}=h(TI{D}_U\left|\right|S{K}_{WD-U}^A\left|\right|n_5\left|\right|T_5)$, for mutual authentication. Thus, Guo et al.’s scheme cannot guarantee secure mutual authentication between the legitimate $U_i$ and $W{D}_j$.

5.5. Untraceability

Guo et al. claimed that their protocol achieved untraceability. However, according to Section 5.2 and Section 5.3, $\mathcal{A}$ calculates the random nonces $n_4=M_{12}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_4)$ and $n_5=M_{13}\oplus h(TI{D}_{WD}\left|\right|n_1\left|\right|T_5)$ and then computes a session key $S{K}_{WD-U}^{*}=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|h(I{D}_{WD}\left|\right|MK\left)\right||n_2\left|\right|n_4\left|\right|T_4)$. After that, $\mathcal{A}$ successfully calculates a new temporary identity $TI{D}_j^{new}=TI{D}_j^{*}\oplus h(TI{D}_{WD}\left|\right|n_4\left|\right|S{K}_{WD-U}^{*})$. Thus, Guo et al.’s scheme does not achieve untraceability because $\mathcal{A}$ can trace the authorized $W{D}_j$ through their new temporary identity.

6. Proposed Scheme

The existing related schemes for wearable computing are not protected against potential security attacks. Thus, we propose a “robust and efficient authentication and group–proof scheme using the PUF for wearable computing (AGPS-PUF)” to improve the security flaws of the existing schemes. The AGPS-PUF is resilient to cyber/physical security attacks and provides necessary security functionalities. The AGPS-PUF consists of six phases: (1) system setup, (2) registration, (3) login and authentication, (4) group proof, and (5) password update. We show the overall flowchart during the AKA phase of the AGPS-PUF, as shown in Figure 3.

6.1. System Setup Phase

In this section, $RC$ first sets the secret credentials for each $W{D}_j$. The following are detailed descriptions:

SP-1: 

$RC$ selects a master private key $MK$ for $CS$.

SP-2: 

$RC$ chooses a unique identity $I{D}_{WD}$ for each $W{D}_j$ and then generates a temporary identity $TI{D}_{WD}$ for each $W{D}_j$.

SP-3: 

$RC$ stores $\{I{D}_{WD},TI{D}_{WD}\}$ in $CS$’s secure database and then stores the secret credentials $\{I{D}_{WD},TI{D}_{WD},h(·)\}$ in the memory of $W{D}_j$.

6.2. Registration Phase

This phase consists of two parts: $U_i$ and $W{D}_j$ registration phases.

6.2.1. User Registration Phase

In this phase, $U_i$ registers within $RC$ and then obtains the secret credentials from $RC$.

URP-1: 

$U_i$ chooses unique $I{D}_U$ and $P{W}_U$ in $M{D}_i$. After that, $M{D}_i$ selects a random number $a_i$ and generates a set of $(C_U^x,R_U^x)$ based on the PUF to ensure the unique physical properties of the device. Then, $M{D}_i$ computes $HI{D}_U=h(I{D}_U\left|\right|a_i)$ and $HP{W}_i=h(P{W}_U\left|\right|a_i\left|\right|R_U^x)$ and then transmits $\{HI{D}_U,HP{W}_i,(C_U^x,R_U^x)\}$ to $RC$ over a secure channel.

URP-2: 

$RC$ generates a temporary identity $TI{D}_U$ and computes $X_i=h(TI{D}_U\left|\right|MK\left|\right|R_U^x)$, $X_{UW}=h(I{D}_{RC}\left|\right|MK)$, $A_i=(X_i\left|\right|X_{UW})\oplus h(HI{D}_U\oplus h(HP{W}_i\left|\right|R_U^x\left)\right)$, $B_i=h(HP{W}_i\left|\right|TI{D}_U\left|\right|X_i)$, $C_i=X_i\oplus h(I{D}_{CS}\left|\right|TI{D}_U\left|\right|MK)$, Finally, $RC$ stores $\{TI{D}_U,(C_U^x,R_U^x),C_i\}$ in $CS$’s database and then sends $\{A_i,B_i,TI{D}_U\}$ to $M{D}_i$ over a secure channel.

URP-3: 

Finally, $M{D}_i$ computes $D_i=a_i\oplus h(I{D}_U\left|\right|P{W}_U\left|\right|R_U^x)$ and stores $\{A_i,B_i,D_i,TI{D}_U\}$ in its memory.

6.2.2. Wearable Device Registration Phase

In this phase, $W{D}_j$ registers within $RC$ and then obtains the secret credentials from $RC$.

WDRP 1: 

$W{D}_j$ generates a random number $b_j$ and a set $(C_{WD}^x,R_{WD}^x)$ under the PUF to ensure the unique physical properties of the device. After that, $W{D}_j$ calculates $Q_j=b_j\oplus h(I{D}_{WD}\left|\right|R_{WD}^x)$ and $W_j=h(I{D}_{WD}\left|\right|b_j\left|\right|R_{WD}^x)$. After that, $W{D}_j$ sends $\{TI{D}_{WD},Q_j,W_j,(C_{WD}^x,R_{WD}^x)\}$ to $RC$.

WDRP 2: 

$RC$ retrieves the corresponding $I{D}_{WD}$ stored in the database using $TI{D}_{WD}$. After that, $RC$ computes $b_j^{*}=Q_j\oplus h(I{D}_{WD}\left|\right|R_{WD}^x)$, and $W_j^{*}=h(I{D}_{WD}^{*}\left|\right|b_j^{*}\left|\right|R_{WD}^x)$, and verifies $W_j^{*}\stackrel{?}{=}{W}_j$. If it is invalid, $CS$ terminates $W{D}_j$’s registration request; otherwise, $RC$ computes $PI{D}_{WD}=h(TI{D}_{WD}\left|\right|MK)$, $Z_j=h(TI{D}_{WD}\left|\right|MK\left|\right|R_{WD}^x)$, $X_{UW}=h(I{D}_{RC}\left|\right|MK)$, $E_j=(X_{UW}\left|\right|Z_j\left|\right|PI{D}_{WD})\oplus h(I{D}_{WD}\left|\right|TI{D}_{WD}\left|\right|R_{WD}^x\left|\right|b_j)$, and $Y_j=Z_j\oplus h(I{D}_{CS}\left|\right|TI{D}_{WD}\left|\right|MK)$. After that, $RC$ stores $\{Y_j,(C_{WD}^x,R_{WD}^x)\}$ in $CS$’s secure database and then transmits $\left\{E_j\right\}$ to $W{D}_j$.

WDRP 3: 

Finally, $W{D}_j$ computes $O_j=b_j\oplus h(R_{WD}^x\oplus TI{D}_{WD}\oplus I{D}_{WD})$ and then stores $\{E_j,O_j\}$ in memory.

6.3. Login and Authentication Phase

The registered $U_i$ and $W{D}_j$ should establish a common session key with the help of $CS$ to use reliable medical services. This phase is illustrated in Figure 4.

LAP-1: 

$U_i$ first inputs a unique identity $I{D}_U$ and password $P{W}_i$ into $M{D}_i$. After that, $M{D}_i$ calculates $a_i=D_i\oplus h(I{D}_U\left|\right|P{W}_i\left|\right|R_U^x)$, $HI{D}_U=h(I{D}_U\left|\right|a_i)$, $HP{W}_i=h(P{W}_i\left|\right|a_i\left|\right|R_U^x)$, $(X_i\left|\right|X_{UW})=A_i\oplus h(HI{D}_U\oplus h(HP{W}_i\left|\right|R_U^x\left)\right)$, and $B_i^{*}=h(HP{W}_i\left|\right|TI{D}_U\left|\right|X_i)$ and then checks $B_i^{*}\stackrel{?}{=}{B}_i$. If it matches, $M{D}_i$ generates a random nonce $R_1$ and a timestamp $T_1$. Then, $M{D}_i$ computes $M_1=R_1\oplus h(X_{UW}\left|\right|T_1)$ to make the masked random nonce and transmits $Ms{g}_1=\{M_1,T_1\}$ to $W{D}_j$ via an insecure channel.

LAP-2: 

$W{D}_j$ checks the freshness of $|T_2-T_1| \le \Delta T_i$, where $T_2$ is the current timestamp and $\Delta T_1$ is the maximum transmission delay for the message to be transmitted between $M{D}_i$ and $W{D}_j$. If it matches, $W{D}_j$ calculates $b_j=O_j\oplus h(R_{WD}^x\oplus TI{D}_{WD}\oplus I{D}_{WD})$, $(X_{UW}\left|\right|Z_j\left|\right|PI{D}_{WD})=E_j\oplus h(I{D}_{WD}\left|\right|TI{D}_{WD}\left|\right|R_{WD}^x\left|\right|b_j)$, and $R_1=M_1\oplus h(X_{UW}\left|\right|T_1)$. Then, $W{D}_j$ selects $R_2$ and $T_2$. After that, $W{D}_j$ chooses a pair of $(C_{WD}^1,R_{WD}^1)$ from the preloaded CRPs $(C_{WD}^x,R_{WD}^x)$ to ensure the unique physical properties of the device and computes $M_2=R_2\oplus h(PI{D}_{WD}\left|\right|TI{D}_{WD}\left|\right|R_{WD}^1)$ to make the masked random nonce, and $M_3=h(R_1\left|\right|R_2\left|\right|R_{WD}^1\left|\right|T_2)$ to verify the authorized entity, and then transmits $Ms{g}_2=\{M_2,M_3,TI{D}_{WD},C_{WD}^1,T_2\}$ to $M{D}_i$.

LAP-3: 

After receiving the message, $M{D}_i$ verifies the freshness of $|T_3-T_2| \le \Delta T_i$. If it matches, $M{D}_i$ generates $R_3$ and a timestamp $T_3$ and chooses a pair of $(C_U^1,R_U^1)$ from the preloaded CRPs $(C_U^x,R_U^x)$ to ensure the unique physical properties of the device. After that, $M{D}_i$ decrypts $M_4=En{c}_{\left(X_i\right|\left|R_U^1\right)}(R_1\left|\right|R_3)$ to obtain the random nonce and calculates $M_5=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|R_3\left|\right|R_U^1\left|\right|T_3)$ to verify the authorized entity, and then transmits $Ms{g}_3=\{M_2,M_3,M_4,M_5,TI{D}_U,TI{D}_{WD},C_{WD}^1,C_U^1,T_2,T_3\}$ to $CS$ through a public channel.

LAP-4: 

After receiving $Ms{g}_3$ from $M{D}_i$, $CS$ checks the freshness of $|T_4-T_3| \le \Delta T_i$. If it matches, $CS$ finds $R_U^1$ on the basis of $C_U^1$. After that, $CS$ extracts $C_i$ corresponding to $TI{D}_U$ in its database. $CS$ decrypts $(R_1\left|\right|R_3)=De{c}_{\left(X_i\right|\left|R_U^1\right)}\left(M_4\right)$, and computes $X_i=C_i\oplus h(I{D}_{CS}\left|\right|TI{D}_U\left|\right|MK)$, and $M_5^{*}=h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|R_3\left|\right|R_U^1\left|\right|T_3)$, and verifies $M_5^{*}\stackrel{?}{=}{M}_5$. If it matches, $CS$ aborts the current session; otherwise, $CS$ extracts $Y_j$ to the corresponding $TI{D}_{WD}$ in its database. Then, $CS$ finds $R_{WD}^1$ on the basis of $C_{WD}^1$ and computes $Z_j=Y_j\oplus h(I{D}_{CS}\left|\right|TI{D}_{WD}\left|\right|MK)$, $PI{D}_{WD}=h(TI{D}_{WD}\left|\right|MK)$, $R_2=M_2\oplus h(PI{D}_{WD}\left|\right|TI{D}_{WD}\left|\right|R_{WD}^1)$, and $M_3^{*}=h(R_1\left|\right|R_2\left|\right|R_{WD}^1\left|\right|T_2)$, and verifies $M_3^{*}\stackrel{?}{=}{M}_3$. If it matches, $CS$ selects the new temporary identities, $TI{D}_i^{new}$ and $TI{D}_j^{new}$ for $U_i$ and $W{D}_j$, and updates $TI{D}_i^{old}$ to $TI{D}_i^{new}$ and $TI{D}_j^{old}$ to $TI{D}_j^{new}$ in its database. $CS$ generates $R_4$ and $T_4$ and computes $S{K}_{CS-U}=h(TI{D}_U\left|\right|X_i\left|\right|R_3\left|\right|R_4\left|\right|T_4)$, $S{K}_{WD-U}=h(TI{D}_U\left|\right|PI{D}_{WD}\left|\right|R_2\left|\right|R_4\left|\right|T_4)$, $TI{D}_j^{*}=TI{D}_j^{new}\oplus h(TI{D}_{WD}\left|\right|S{K}_{WD-U}\left|\right|Z_j\left|R_4\right)$, $M_6=En{c}_{\left(R_3\right|\left|R_U^1\right|\left|X_i\right)}(R_4\left|\right|TI{D}_i^{new}\left|\right|S{K}_{WD-U}\left|\right|TI{D}_j^{*})$ to transmit the secret parameters securely, and $M_7=h(TI{D}_U\left|\right|S{K}_{CS-U}\left|\right|S{K}_{WD-U}\left|\right|R_U^1\left|\right|R_4\left|\right|T_4)$ to verify the authorized entity. Finally, $CS$ sends $Ms{g}_4=\{M_6,M_7,T_4\}$ to $M{D}_i$.

LAP-5: 

$M{D}_i$ verifies the freshness of $|T_4-T_3| \le \Delta T_i$. If it matches, $M{D}_i$ decrypts $(R_4\left|\right|TI{D}_i^{new}\left|\right|S{K}_{WD-U}\left|\right|TI{D}_j^{*})=De{c}_{\left(R_3\right|\left|R_U^1\right|\left|X_i\right)}\left(M_6\right)$ and computes $S{K}_{CS-U}^{*}=h(TI{D}_U\left|\right|X_i\left|\right|R_3\left|\right|R_4\left|\right|T_4)$, and $M_7^{*}=h(TI{D}_U\left|\right|S{K}_{CS-U}^{*}\left|\right|S{K}_{WD-U}\left|\right|R_U^1\left|\right|R_4\left|\right|T_4)$, and verifies $M_7^{*}\stackrel{?}{=}{M}_7$. If it is not equal, $M{D}_i$ terminates the current session; otherwise, $M{D}_i$ updates a new temporary identity $TI{D}_i^{old}$ to $TI{D}_i^{new}$ and stores the session keys $S{K}_{CS-U}^{*}$ and $S{K}_{WD-U}^{*}$. After that, $M{D}_i$ generates a timestamp $T_5$ and computes $M_8=En{c}_{\left(R_1\right|\left|X_{UW}\right)}(R_3\left|\right|R_4)$ to transmit the secret parameters securely, and $M_9=h(TI{D}_{WD}\left|\right|R_3\left|\right|R_4\left|\right|S{K}_{WD-U}\left|\right|T_5)$ to verify the authorized entity, and then transmits $Ms{g}_5=\{M_8,M_9,TI{D}_j^{*},T_4,T_5\}$ to $W{D}_j$ over a public channel.

LAP-6: 

$W{D}_j$ checks the freshness of $|T_5-T_4| \le \Delta T_i$. If it matches, $W{D}_j$ computes $(R_3\left|\right|R_4)=De{c}_{\left(R_1\right|\left|X_{UW}\right)}\left(M_8\right)$, $S{K}_{WD-U}^{*}=h(TI{D}_U\left|\right|PI{D}_{WD}\left|\right|R_2\left|\right|R_4\left|\right|T_4)$, and $M_9^{*}=h(TI{D}_{WD}\left|\right|R_3\left|\right|R_4\left|\right|S{K}_{WD-U}^{*}\left|\right|T_5)$, and verifies $M_9^{*}\stackrel{?}{=}{M}_9$. If it matches, $W{D}_j$ authenticates $U_i$, successfully and then calculates $TI{D}_j^{new}=TI{D}_j^{*}\oplus h(TI{D}_{WD}\left|\right|S{K}_{WD-U}\left|\right|Z_j\left|\right|R_4)$. Finally, $W{D}_j$ updates a new temporary identity $TI{D}_j^{old}$ to $TI{D}_j^{new}$ and stores a session key $S{K}_{WD-U}^{*}$.

6.4. Group–Proof Generation and Verification Phases

After the authentication process is executed successfully, $U_i$ generates a group proof for multiple $W{D}_j$ by $M{D}_i$, indicating that $W{D}_j$ belongs to the same $U_i$ and then sends the group proof to $CS$ for verification. This phase is illustrated in Figure 5.

GPGV 1: 

$M{D}_i$ for authorized $U_i$ selects $R{N}_1$ and $T{S}_1$. After that, $M{D}_i$ computes $G_1=R{N}_1\oplus h(S{K}_{WD-U}\left|\right|X_{UW}\left|\right|T{S}_1)$ and then sends $G{M}_1=\{G_1,T{S}_1\}$ to $W{D}_j$ over a public channel.

GPGV 2: 

$W{D}_j$ verifies the freshness of $|T{S}_2-T{S}_1| \le \Delta T{S}_i$. If it matches, $W{D}_j$ calculates $R{N}_1=G_1\oplus h(S{K}_{WD-U}\left|\right|X_{UW}\left|\right|T{S}_1)$ and generates a random nonce $R{N}_2$ and a timestamp $T{S}_2$. After that, $W{D}_j$ computes $s_j=h(S{K}_{WD-U}\left|\right|R{N}_1\left|\right|R{N}_2)$, $G_2=R{N}_2\oplus h(R{N}_1\left|\right|S{K}_{WD-U}\left|\right|X_{UW})$, and $P_j=h(PI{D}_{WD}\left|\right|TI{D}_{WD}\left|\right|s_j)$, and then transmits $G{M}_2=\{G_2,P_j,s_j,TI{D}_{WD},T{S}_2\}$ to $M{D}_i$.

GPGV 3: 

$M{D}_i$ checks the freshness of $|T{S}_3-T{S}_2| \le \Delta T{S}_i$. If it matches, $M{D}_i$ computes $R{N}_2=G_2\oplus h(R{N}_1\left|\right|S{K}_{WD-U}\left|\right|X_{UW})$ and $s_j^{*}=h(S{K}_{WD-U}\left|\right|R{N}_1\left|\right|R{N}_2)$, and checks whether $s_j^{*}\stackrel{?}{=}{s}_j$. If it matches, $M{D}_i$ generates the group proof $G{P}_i=h(TI{D}_U\left|\right|X_i\left|\right|S{K}_{CS-U}\left|\right|P_1\oplus P_2\oplus \cdots P_j)$ for all wearable devices. Finally, $W{D}_j$ encrypts $G_3=En{c}_{S{K}_{CS-U}}(TI{D}_U,TI{D}_{WD},R{N}_1,R{N}_2,G{P}_i)$ using a session key $S{K}_{CS-U}$ and then transmits $G{M}_3=\left\{G_3\right\}$ to $CS$ over an open channel.

GPGV 4: 

$CS$ decrypts $(TI{D}_U,TI{D}_{WD},R{N}_1,R{N}_2,G{P}_i)=De{c}_{S{K}_{CS-U}}\left(G_3\right)$ using a session key $S{K}_{CS-U}$. $CS$ extracts $C_i$ corresponding to $TI{D}_U$ in this database, computes $X_i=C_i\oplus h(I{D}_{CS}\left|\right|TI{D}_U\left|\right|MK)$, and then extracts $I{D}_{WD}$ and $S{K}_{WD-U}$, corresponding to $TI{D}_{WD}$ in its database. After that, $CS$ computes $PI{D}_{WD}=h(I{D}_{WD}\left|\right|MK)$, $s_j^{*}=h(S{K}_{WD-U}\left|\right|R{N}_1\left|\right|R{N}_2)$, $P_j^{*}=h(PI{D}_{WD}\left|\right|TI{D}_{WD}\left|\right|s_j)$, and $G{P}_i^{*}=h(TI{D}_U\left|\right|X_i\left|\right|S{K}_{CS-U}\left|\right|P_1\oplus P_2\oplus \cdots P_j)$ and then checks whether $G{P}_i^{*}\stackrel{?}{=}G{P}_i$. If it matches, $CS$ successfully verifies that the multiple instances of $W{D}_j$ belong to the same $U_i$ through the group proof.

6.5. Password Update Phase

If $U_i$ wishes to obtain a new $P{W}_i$, $U_i$ can freely update their old $P{W}_i$ without interacting with $RC$.

PUP-1: 

$U_i$ inputs $I{D}_U$ and an old password $P{W}_i^{old}$ in $M{D}_i$.

PUP-2: 

$M{D}_i$ chooses a set of $(C_U^x,R_U^x)$, and computes $a_i=D_i\oplus h(I{D}_U\left|\right|P{W}_i\left|\right|R_U^x)$, $HI{D}_U=h(I{D}_U\left|\right|a_i)$, $HP{W}_i=h(P{W}_i\left|\right|a_i\left|\right|R_U^x)$, $(X_i\left|\right|X_{UW})=A_i\oplus h(HI{D}_U\oplus h(HP{W}_i\left|\right|R_U^x)$, and $B_i^{*}=h(HI{D}_U\left|\right|TI{D}_U\left|\right|X_i)$, and verifies whether $B_i^{*}\stackrel{?}{=}{B}_i$. If the condition is met, $U_i$ is prompted to choose a new password.

PUP-3: 

$U_i$ inputs a new $P{W}_i^{new}$ and computes $HP{W}_i^{new}=h(P{W}_i^{new}\left|\right|a_i\left|\right|R_U^x)$, $A_i^{new}=(X_i\left|\right|X_{UW})\oplus h(HI{D}_U\oplus h(HP{W}_i^{new}\left|\right|R_U^x\left)\right)$, $B_i^{new}=h(HP{W}_i^{new}\left|\right|TI{D}_U\left|\right|X_i)$, $D_i^{new}=a_i\oplus h(I{D}_U\left|\right|P{W}_i^{new}\left|\right|R_U^x)$. Finally, $M{D}_i$ replaces $\{A_i,B_i,D_i\}$ with $\{A_i^{new},B_i^{new},D_i^{new}\}$. As a result, $M{D}_i$ contains $\{A_i^{new},B_i,D_i^{new},TI{D}_U\}$.

7. Security Analysis

The following introduces the informal/formal security analyses.

7.1. Informal Security Analysis

We demonstrate that the AGPS-PUF can prevent“lethal security attacks” and allow “anonymity, untraceability, and mutual authentication”.

7.1.1. Impersonation Attack

This attack means that $\mathcal{A}$ attempts to impersonate the legitimate user by eavesdropping on the exchanged data over an open channel. In this case, $\mathcal{A}$ should generate the authentication messages $\{Ms{g}_1,Ms{g}_2,Ms{g}_3\}$, and $\{Ms{g}_4,Ms{g}_5\}$. However, it is difficult to generate the sensitive messages since $\mathcal{A}$ cannot obtain the “random nonces $\{R_1,R_3\}$” and “secret credential $\{X_i,X_{UW}\}$”. Consequently, the AGPS-PUF is resistant to impersonation attacks because $\mathcal{A}$ cannot successfully generate the sensitive messages of the legitimate user.

7.1.2. MITM Attack

According to Section 3.1, $\mathcal{A}$ can inject, modify, eavesdrop, intercept, delete, and block the exchanged messages, $\{Ms{g}_1,Ms{g}_2,Ms{g}_3,Ms{g}_4,Ms{g}_5\}$, in the bidirectional communication between $U_i$, $W{D}_j$, and $CS$, and then attempt to obtain sensitive information from legitimate entities. However, $\mathcal{A}$ cannot generate sensitive messages since all messages are masked with the PUF responses, $\{R_U^1,R_{WD}^1\}$, and fresh random nonces $\{R_1,R_2,R_3\}$, by using “XOR” and “hash” functions. Hence, the AGPS-PUF is secure against MITM attacks since $\mathcal{A}$ cannot obtain sensitive information from legitimate entities.

7.1.3. Session Key Disclosure Attack

Based on the information presented in Section 3.1, $\mathcal{A}$ can steal the $MD$ and then extract the secret information $\{A_i,B_i,D_i,TI{D}_U\}$ stored in the memory. In the AGPS-PUF, $\mathcal{A}$ should obtain the real identities $\{I{D}_U,I{D}_{WD},I{D}_{CS}\}$ and random nonces $\{R_2,R_3,R_4\}$ to calculate the session keys, $S{K}_{CS-U}=h(TI{D}_U\left|\right|X_i\left|\right|R_3\left|\right|R_4\left|\right|T_4)$ and $S{K}_{WD-U}=h(TI{D}_U\left|\right|PI{D}_{WD}\left|\right|R_2\left|\right|R_4\left|\right|T_4)$. However, it is impossible for $\mathcal{A}$ to obtain the common session keys, $S{K}_{CS-U}$ and $S{K}_{WD-U}$, since the random nonces and real identities are preserved with secret parameters $\{X_i,X_{UW},Z_j\}$, and the PUF parameters $\{R_U^1,R_{WD}^1\}$, using cryptographic primitives. Hence, the AGPS-PUF resists session key disclosure attacks.

7.1.4. Replay Attack

$\mathcal{A}$ eavesdrops on the transmitted messages $\{Ms{g}_1,Ms{g}_2,Ms{g}_3,Ms{g}_4,Ms{g}_5\}$ during the AKA phase and then attempts to authenticate with other parties by transmitting the intercepted data in the previous session. A solution to prevent replay attacks, such as the existing schemes [37,38], is to add random nonces and timestamps to the information exchanged so that the data are unique for each authentication phase. Thus, the AGPS-PUF verifies the freshness of $T_i$. Moreover, the data are masked with $\{R_1,R_2,R_3,R_4\}$. Therefore, even if $\mathcal{A}$ selects and sends valid authentication messages to legitimate entities, the AGPS-PUF is secure against replay attacks since the current timestamp freshness is incorrect.

7.1.5. Physical Wearable Device Capture Attack

Assume that $W{D}_j$s are physically captured by $\mathcal{A}$ and then extract $\{E_j,O_j\}$ in $W{D}_j$’s memory, where $E_j=(X_{UW}\left|\right|Z_j\left|\right|PI{D}_{WD})\oplus h(I{D}_{WD}\left|\right|TI{D}_{WD}\left|\right|R_{WD}^x\left|\right|b_j)$ and $O_j=b_j\oplus h(R_{WD}^x\oplus TI{D}_{WD}\oplus I{D}_{WD})$. However, $\mathcal{A}$ does not successfully compute $S{K}_{WD-U}^{*}$ between $U_i$ and $W{D}_j$ without the knowledge of $\{R_2,R_4\}$ and the secret credentials $\left\{X_{UW}\right\}$. In addition, the PUF pairs $\left\{(C_{WD}^1,R_{WD}^1)\right\}$ are distinct, independent, and secure for all batched $W{D}_j$. Hence, the AGPS-PUF is resilient against physical wearable device capture attacks since the PUF output depends on the inherent physical fluctuations of the IC chip.

7.1.6. Stolen Verifier Attack

In this attack, $\mathcal{A}$ extracts and learns the secret parameters related to $U_i$ and $W{D}_j$, which are stored in the database of $CS$, and it then attempts to masquerade as a legitimate entity. However, even if $\mathcal{A}$ obtains the stored parameters $\{TI{D}_U,(C_U^x,R_U^x),C_i\}$ for $U_i$ and $\{Y_j,(C_{WD}^x,R_{WD}^x)\}$ for $W{D}_j$, $\mathcal{A}$ cannot calculate the common session keys $\{S{K}_{WD-U},S{K}_{CS-U}\}$, and impersonate a legitimate entity. Unfortunately, $\mathcal{A}$ does not obtain the secret credentials $\{C_i,Y_j\}$ that are masked with $RC$’s master secret key $MK$ by performing the cryptographic primitives. Furthermore, PUF pairs $(C_U^x,R_U^x)$, and $(C_{WD}^x,R_{WD}^x)$ for $U_i$ and $W{D}_j$ are computationally infeasible for $\mathcal{A}$ to derive the fresh PUF because the PUF output depends on the inherent physical fluctuations of the IC. Hence, the AGPS-PUF is resistant to stolen verifier attacks.

7.1.7. Offline Password-Guessing Attack

Referring to the information presented in Section 3.1, we assume that $\mathcal{A}$ can intercept the transmitted information and then extract the secret credentials stored in the $MD$. Then, $\mathcal{A}$ attempts to use these attacks to guess $U_i$’s real $P{W}_i$. However, $P{W}_i$ is composed as $MP{W}_i=h(P{W}_i\left|\right|a_i\left|\right|R_U^x)$. Therefore, it is impossible for $\mathcal{A}$ to correctly guess $P{W}_i$ without knowledge of the random number $a_i$ and the PUF response value $R_U^x$. As a result, the offline password-guessing attack is not feasible in the AGPS-PUF.

7.1.8. Desynchronization Attack

In the AGPS-PUF, the temporary identities, $TI{D}_U$ and $TI{D}_{WD}$, are assigned to $U_i$ and $W{D}_j$ during the AKA phase and then tables are maintained from $CS$. Since both the old temporary identities, i.e., $TI{D}_i^{old}$ and $TI{D}_j^{old}$, are stored, if the last acknowledgment messages are blocked or lost due to time delay, there will always be consistent temporary identities between $U_i$, $W{D}_j$, and $CS$. Thus, the AGPS-PUF is resistant to desynchronization attacks.

7.1.9. Privileged Insider Attack

In this attack, $\mathcal{A}$ is a privileged insider of the proposed system. Hence, we assume that $\mathcal{A}$ is able to obtain the request message $\{HP{W}_i,HP{W}_i,(C_U^x,R_U^x)\}$ from the remote user $U_i$. However, the secret credentials, $\{X_i,Z_j,X_{UW}\}$ of $M_i$, and $W{D}_j$, are computationally infeasible for $\mathcal{A}$ without knowledge of the master private key $MK$ and identity $I{D}_{CS}$. Thus, the AGPS-PUF can prevent privileged insider attacks because $\mathcal{A}$ cannot correctly generate the sensitive information of $U_i$ and $W{D}_j$.

7.1.10. Mutual Authentication

In the AGPS-PUF, all participants successfully perform secure mutual authentication. After obtaining the authentication request messages, $\{M_3,M_5\}$, $C{S}_j$ check whether $M_5^{*}\stackrel{?}{=}h(TI{D}_U\left|\right|TI{D}_{WD}\left|\right|R_3\left|\right|R_U^1\left|\right|T_3)$ to verify the authenticity and integrity of the received message. If it matches, $CS$ is authenticated with $U_i$. $CS$ then verifies whether $M_3^{*}\stackrel{?}{=}h(R_1\left|\right|R_2\left|\right|R_{WD}^1\left|\right|T_2)$ to verify the authenticity and integrity of the received message. If it matches, $CS$ is authenticated with $W{D}_j$. Upon receiving the authentication message, $\left\{M_7\right\}$, $U_i$ checks $M_7^{*}\stackrel{?}{=}h(TI{D}_U\left|\right|S{K}_{CS-U}^{*}\left|\right|S{K}_{WD-U}\left|\right|R_U^1\left|\right|R_4\left|\right|T_4)$ to verify the authenticity and integrity of the received message. If it matches, $U_i$ authenticates $CS$. After receiving the authentication confirmation message, $\left\{M_9\right\}$, $W{D}_j$ verifies $M_9^{*}\stackrel{?}{=}h(TI{D}_{WD}\left|\right|R_3\left|\right|R_4\left|\right|S{K}_{WD-U}^{*}\left|\right|T_5)$ to verify the authenticity and integrity of the received message. If it is valid, $W{D}_j$ authenticates $U_i$. Thus, the AGPS-PUF successfully allows secure mutual authentication and integrity between $U_i$, $W{D}_j$, and $CS$.

7.1.11. Anonymity and Untraceability

Assume that $\mathcal{A}$ intercepts the transmitted messages during the AKA phase. However, it is impossible for $\mathcal{A}$ to obtain $U_i$’s identity $I{D}_U$ and pseudo-identity $HI{D}_U$ and $W{D}_j$’s identity $I{D}_{WD}$ and pseudo-identity $PI{D}_{WD}$ without knowledge, such as random nonces, the PUF secret value, and secret credentials. Hence, the AGPS-PUF provides anonymity for $U_i$ and $W{D}_j$. Furthermore, $\mathcal{A}$ cannot track the legitimate $U_i$ since all messages are unique and dynamic using timestamps, random nonces, and temporary identities in each session. Moreover, the temporary identities, $TI{D}_U$ and $TI{D}_{WD}$ of $U_i$ and $W{D}_j$, are updated as $TI{D}_i^{new}$ and $TI{D}_j^{new}$ in each session. Hence, 3P-AGPS guarantees untraceability for $U_i$ and $W{D}_j$.

7.1.12. Perfect Forward Secrecy (PFS)

The PFS security indicates that $SK$ will not be exposed to $\mathcal{A}$ even if a long-term secret key is compromised. In the AGPS-PUF, if $CS$’s long-term secret key $MK$ is compromised, $\mathcal{A}$ cannot compute the session keys, $S{K}_{CS-U}$ and $S{K}_{WD-U}$, because $\mathcal{A}$ does not have knowledge of the secret credentials $\{X_{UW},X_i\}$, the PUF secret value $\{R_U^x,R_{WD}^x\}$, and real identities $\{I{D}_U,I{D}_{WD}\}$. Consequently, the AGPS-PUF is resistant to PFS.

7.2. Formal Analysis through ROR Oracle Model

We utilize a formal proof, denoted as the ROR Oracle model, to prove the session key (SK) security. We define the queries required for the ROR Oracle model [10].

In the AGPS-PUF, there are three participants: the mobile user ${\mathsf{\Gamma }}_U$, the wearable device ${\mathsf{\Gamma }}_{WD}$, and the cloud server ${\mathsf{\Gamma }}_{CS}$. Let ${\mathsf{\Gamma }}_U^{t_1}$ be the instance $t_1$ of a participant U, ${\mathsf{\Gamma }}_{WD}^{t_2}$ be the instance $t_2$ of a participant $WD$, and ${\mathsf{\Gamma }}_{C{S}_{}}^{t_3}$ be the instance $t_3$ of a participant $CS$. In

Table 2. Query and purpose.

Query	Purpose
$Send$$({\mathsf{\Gamma }}^t,Msg)$	Based on this query, $\mathcal{A}$ can transmit the message $Msg$ to the ${\mathsf{\Gamma }}^t$, and obtain the response message accordingly.
$CorruptMD$$\left({\mathsf{\Gamma }}_U^{t_1}\right)$	This query indicates as the mobile device stolen attacks, where $\mathcal{A}$ can extract the secret credentials stored in $MD$.
$CorruptWD$$\left({\mathsf{\Gamma }}_{WD}^{t_3}\right)$	This query indicates as the physical capture attacks where $\mathcal{A}$ can obtain the secret parameters stored in $WD$.
$Execute({\mathsf{\Gamma }}_U^{t_1},$${\mathsf{\Gamma }}_{WD}^{t_2},$${\mathsf{\Gamma }}_{CS}^{t_3},$)	Based on $Execute(·)$, $\mathcal{A}$ performs the passive/active attacks by eavesdropping the exchanged messages between each entity over a insecure channel.
$Reveal\left({\mathsf{\Gamma }}^t\right)$	Based on this query, $\mathcal{A}$ reveals a SK generated between ${\mathsf{\Gamma }}_U^{t_1}$ and ${\mathsf{\Gamma }}_{WD}^{t_2}$ using $Reveal(·)$ query.
$Test\left({\mathsf{\Gamma }}^t\right)$	An unbiased coin c is tossed prior to game start. If $\mathcal{A}$ gets $c=1$ under the $Test(·)$, it indicates a SK between ${\mathsf{\Gamma }}_U^{t_1}$ and ${\mathsf{\Gamma }}_{WD}^{t_2}$ is fresh. If $\mathcal{A}$ gets the $c=0$, it indicates SK is not fresh; otherwise, $\mathcal{A}$ gets a null value (⊥).

, we present the descriptions for each query, including “$CorruptMD(·)$,$Execute(·)$, $Test(·)$, $Send(·)$, and $Reveal(·)$ for ROR Oracle model”.

Theorem 1. 

Let $Ad{v}_{\mathcal{A}}^{AGPS-PUF}$ be the advantage that $Ad{v}_{\mathcal{A}}^{AGPS-PUF}$ is able to break the SK security of the AGPS-PUF. Hence, we derive the following $Ad{v}_{\mathcal{A}}^{AGPS-PUF} \le \frac{q_h^2}{\left|Hash\right|}+\frac{q_P^2}{\left|PUF\right|}+2\{C·q_{send}^s,\frac{q_s}{2^{l_1}},\frac{q_s}{2^{l_2}}\}$

Proof. 

The $PUF(·)$ range space, $h(·)$ query number, $Send(·)$ query number, and $Hash$ range space indicate $q_P$, $q_h$, $q_{send}$, and $Hash$. Furthermore, the Zipf credentials [39] indicate C, $l_m$, s, and $l_n$.

Proof: We present the five games $G{M}_i$ ($i\in [0,4]$). We indicate that $Ad{v}_{\mathcal{A},G{M}_i}^{AGPS-PUF}$ is the probability of $\mathcal{A}$ to win $G{M}_i$. All games are described in detail as follows.

Game:$G{M}_0$: $\mathcal{A}$ executes a real attack in AGPS-PUF. Hence, $\mathcal{A}$ picks a random bit c at the beginning of $G{M}_0$. We obtain the following Equation (1) as

$$Ad{v}_{\mathcal{A}}^{AGPS-PUF}=|2·Ad{v}_{\mathcal{A},G{M}_0}^{AGPS-PUF}-1|$$

(1)

Game$G{M}_1$: $G{M}_1$ indicates that $\mathcal{A}$ executes an “eavesdropping attack, in which the transmitted messages are intercepted between U, $WD$, and $CS$ performing $Execute(·)$ query”. In $G{M}_1$, $\mathcal{A}$ carries out “$Test(·)$/$Reveal(·)$ queries” to compromise SK. The results of the $Test(·)$/$Reveal(·)$ queries determine whether $\mathcal{A}$ obtains $S{K}_{CS-U}$ and $S{K}_{WD-U}$. To compromise SK, $\mathcal{A}$ requires the random nonces $\{R_2,R_3,R_4\}$, and PUF values. Therefore, $\mathcal{A}$ is not able to increase the winning probability of $G{M}_1$. We can derive Equation (2) as

$$Ad{v}_{\mathcal{A},G{M}_1}^{AGPS-PUF}=Ad{v}_{\mathcal{A},G{M}_0}^{AGPS-PUF}$$

(2)

Game$G{M}_2$: This game indicates that $\mathcal{A}$ executes a “real attack” based on “$Send(·)$ and $Hash$” queries. $\mathcal{A}$ transmits the modified messages to participants and acts as a legal user so that it is able to guess the outcomes of the “$Send(·)$ query”. Moreover, $\mathcal{A}$ aims to find collisions for the hash oracle and attempts to copy messages that are expected to be authenticated by the entities. Because the random nonce, timestamp, temporary secret, and identity are configured using hash functions in each message, running “$Send(·)$ and $Hash$ queries” cannot cause a conflict. We can deduce that the probability of aborting the game is bounded by $\frac{q_h^2}{2\left|Hash\right|}$. It is worth noting that this may happen when processing $Send\left(\right)$ query; the game is aborted with a probability determined by the birthday paradox [40]. The probability of finding collisions in the hash oracle $Hash$, as per the square of the birthday paradox, is the probability, and the two games, $G{M}_1$ and $G{M}_2$, are indistinguishable, unless one of the above rules causes the game to abort. Thus, we can have Equation (3) as

$$|Ad{v}_{\mathcal{A},G{M}_2}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_1}^{AGPS-PUF}| \le \frac{q_h^2}{2\left|Hash\right|}$$

(3)

Game$G{M}_3$: This game is executed in the analogy as presented in $G{M}_2$. By using the “analogous argument” described in $G{M}_2$, we can derive Equation (4) as

$$|Ad{v}_{\mathcal{A},G{M}_3}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_2}^{AGPS-PUF}| \le \frac{q_P^2}{2\left|PUF\right|}$$

(4)

Game$G{M}_4$: In this game, $\mathcal{A}$ attempts to extract $\{A_i,B_i,D_i,TI{D}_U\}$ in the $MD$’s memory by using the “differential power analysis” with $CourruptWD(·)$ and $CourruptMD(·)$ queries. Note that $A_i=(X_i\left|\right|X_{UW})\oplus h(HI{D}_U\oplus h(HP{W}_i\left|\right|R_U^x\left)\right)$, $B_i=h(HP{W}_i\left|\right|TI{D}_U\left|\right|X_i)$, $D_i=a_i\oplus h(I{D}_U\left|\right|P{W}_i\left|\right|R_U^x)$, and $TI{D}_U$. Moreover, $\mathcal{A}$ can obtain the secret credentials $\{E_j,O_j\}$ in the $WD$’s memory using physical capture attacks. Note that, $E_j=(X_{UW}\left|\right|Z_j\left|\right|PI{D}_{WD})\oplus h(I{D}_{WD}\left|\right|TI{D}_{WD}\left|\right|R_{WD}^x\left|\right|b_j)$ and $O_j=b_j\oplus h(R_{WD}^x\oplus TI{D}_{WD}\oplus I{D}_{WD})$. However, $G{M}_3$ is computationally infeasible for $\mathcal{A}$ to compromise the $P{W}_i$ of the legitimate $U_i$ over the $Send(·)$ query without $a_i$ and $R_U^x$. Moreover, $\mathcal{A}$ should guess the parameters from the extracted data because $\mathcal{A}$ does not have knowledge of the “password”, “biometric”, and “PUF secret”. Moreover, it is computationally impossible to guess the “biometric”, “password”, and “PUF secret”. In conclusion, $G{M}_3$ and $G{M}_4$ are “indistinguishable”. We obtain Equation (5) as follows:

$$|Ad{v}_{\mathcal{A},G{M}_4}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_3}^{AGPS-PUF}| \le \{C·q_{send}^s,\frac{q_s}{2^{l_b}}\}$$

(5)

Based on the execution of $G{M}_0-G{M}_4$, $\mathcal{A}$ attempts to guess the “bit c to win the games by performing $Test(·)$ query”. We can obtain Equation (6) as follows:

$$Ad{v}_{\mathcal{A},G{M}_4}^{AGPS-PUF}=\frac{1}{2}$$

(6)

Based on the “Formulas (1), (2), and (6)”, we obtain Equation (7) as follows:

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{\mathcal{A}}^{AGPS-PUF}& =|Ad{v}_{\mathcal{A},G{M}_0}^{AGPS-PUF}-\frac{1}{2}|\hfill \\ \hfill & =|Ad{v}_{\mathcal{A},G{M}_1}^{AGPS-PUF}-\frac{1}{2}|\hfill \\ \hfill & =|Ad{v}_{\mathcal{A},G{M}_1}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_4}^{AGPS-PUF}|\hfill \end{array}$$

(7)

Based on the “triangular inequality with the Formulas (3), (4), (5) and (7)”, we obtain Equation (8) as follows:

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{\mathcal{A}}^{AGPS-PUF}& =|Ad{v}_{\mathcal{A},G{M}_1}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_4}^{AGPS-PUF}|\hfill \\ \hfill & \le |Ad{v}_{\mathcal{A},G{M}_1}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_3}^{AGPS-PUF}|\hfill \\ \hfill & +|Ad{v}_{\mathcal{A},G{M}_3}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_4}^{AGPS-PUF}|\hfill \\ \hfill & \le |Ad{v}_{\mathcal{A},G{M}_1}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_2}^{AGPS-PUF}|\hfill \\ \hfill & +|Ad{v}_{\mathcal{A},G{M}_2}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_3}^{AGPS-PUF}|\hfill \\ \hfill & +|Ad{v}_{\mathcal{A},G{M}_3}^{AGPS-PUF}-Ad{v}_{\mathcal{A},G{M}_4}^{AGPS-PUF}|\hfill \\ \hfill & \le \frac{q_h^2}{2\left|Hash\right|}+\frac{q_P^2}{2\left|PUF\right|}+\{C·q_{send}^s,\frac{q_s}{2^{l_1}},\frac{q_s}{2^{l_2}}\}.\hfill \end{array}$$

(8)

Finally, by multiplying both sides of Equation (8) by a factor of 2, we can obtain the following: $Ad{v}_{\mathcal{A}}^{AGPS-PUF} \le \frac{q_h^2}{\left|Hash\right|}+\frac{q_P^2}{\left|PUF\right|}+2\{C·q_{send}^s,\frac{q_s}{2^{l_1}},\frac{q_s}{2^{l_2}}\}$ □

7.3. Formal Analysis through AVISPA Simulation

This simulation proves the formal security robustness of the cryptographic protocol against MITM and replay attacks. We implement the security simulation and demonstrate the security result. We first need to implement the AGPS-PUF as a programming language HLPSL [41]. After that, this simulation starts analyzing the intermediate format (IF) over the four backends: “On-the-Fly Model Checker (OFMC)”, “Constraint Logic-based Attack Searcher (CL-AtSe)”, “SAT-based Model-Checker (SATMC)”, and “Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)”. Since TA4SP and SATMC backends do not implement XOR operations, the simulation results of the AGPS-PUF under these backends become inconclusive; thus, the results based on TA4SP and SATMC backends have been ignored.

We simulated the AGPS-PUF using the “Security Protocol ANimator (SPAN) [10]” for AVISPA. It is worth noting that AVISPA implements the DY model and that an intruder participates in the protocol execution with a concrete session. The specification roles of the $WD$, U, and $CS$ are implemented using HLPSL, such as sessions, security goals, and environments. In Figure 6, the HLPSL specification of the protocol is converted into the IF by using the HLPSL2IF translator. After that, the IF is converted to the output format (OF) by feeding it to one of the four backends. The OF contains the following:

• SUMMARY: It refers to whether the tested security protocol is safe or unsafe, or whether the analysis is inconclusive.
• DETAILS: It explains why the analysis is inconclusive, why the tested security protocol is safe, or under what conditions the test applications or security protocols may be exploitable to the attack.
• PROTOCOL: It refers to the HLPSL specification of the target security protocol in the IF.
• GOAL: It demonstrates the goal of the analysis, which is performed by AVISPA using HLPSL specifications.
• BACKEND: It is the name of the backend that is utilized for the analysis of SATMC, CL-AtSe, OFMC, or TA4SP.
• STATISTICS: It includes the trace of any potential vulnerability in the target security protocol, along with several useful statistics and related comments.

In the simulation based on AVISPA backends, two verifications were performed: (1) checking for replay attacks and (2) DY model-based MITM attacks. When checking for replay attacks on the AGPS-PUF, both OFMC and CL-AtSe check if the legitimate participants can execute the specified protocols by performing a search for a passive intruder. Moreover, both OFMC and CL-AtSe backends are used to check whether any MITM attacks are possible by an intruder in the DY model. The SPAN simulation results demonstrate the security attacks and intruder simulations over a web-based GUI (graphical user interface). Moreover, the implementation results obtained using the CL-AtSe and OFMC backends are presented in Figure 7. According to the simulation results under the OFMC and CL-AtSe in Figure 7, the SAFE output shows that the AGPS-PUF is safe based on the specified security goals. Consequently, we demonstrate that the AGPS-PUF is protected from replay and MITM attacks.

8. Testbed Experiments Using MIRACL

We present the testbed experiments to estimate the execution times required for essential cryptographic operations utilized in the AGPS-PUF and existing related schemes. We used the well-known “MIRACL crypto SDK [42]”, which is a C/C++-based programming software library.

We used the two platforms to estimate the execution times required for cryptographic operations. $T_{sed}$, $T_{ecpm}$, $T_{me}$, and $T_h$ evaluate the execution times required for “a AES encryption and decryption”, “an ECC scalar point multiplication”, “a modular exponentiation”, and “a SHA-256 hash function”.

• Platform 1: This platform is used to calculate the execution times for the $MD$ and $WD$ settings on MIRACL, as follows: “Model: Raspberry PI 4B, with “OS: Ubuntu 20.04.2 LTS”, “Processor: 1.5 GHz Quad-core”, “CPU: 64-bit”. Each operation was run 1000 times on the same setup and we observed the average, maximum, and minimum times. The results of this platform are tabulated in

  Table 3. Execution times (in milliseconds) based on the MIRACL library, obtained using a Raspberry Pi 4.

  Operation	Min. Time (ms)	Max. Time (ms)	Average Time (ms)
  $T_{ecpm}$	2.766	2.920	2.848
  $T_h$	0.274	0.643	0.309
  $T_{me}$	0.178	0.493	0.228
  $T_{sed}$	0.011	0.021	0.012

  .

• Platform 2: This platform was used to calculate the execution time for the $CS$ server setting as follows: “OS: Ubuntu 18.04.4 LTS, Processor: Intel Core i5-10400 @2.9 GHz, Six-core, CPU: 64-bits”. All primitives were run 1000 times on the same setup and we observed the average, maximum, and minimum times. The results of this platform are tabulated in

  Table 4. Execution times (in milliseconds) based on the MIRACL library for a server.

  Operation	Min. Time (ms)	Max. Time (ms)	Average Time (ms)
  $T_{ecpm}$	0.472	2.737	0.522
  $T_h$	0.024	0.149	0.055
  $T_{me}$	0.022	0.082	0.040
  $T_{sed}$	0.001	0.002	0.001

  .

9. Performance Comparison

This section presents the “performance comparison analysis” of the AGPS-PUF and existing related schemes for wearable computing [8,21,23,25,26,28].

9.1. Computation Costs

We discuss the comparative computation costs of the AGPS-PUF with the existing related schemes [8,21,23,25,26,28] during the AKA phase. We used the“ testbed experimental results for the Raspberry PI 4 and server setting in Section 8”. With the information presented in Table 3, we utilized the analysis results of the average time for each operation under $U_i$ and $W{D}_j$.

We calculated the execution times for the $MD$ and $WD$ settings on MIRACL as follows: “Model: Raspberry PI 4B, with “OS: Ubuntu 20.04.2 LTS”, “Processor: 1.5 GHz Quad-core”, “CPU: 64-bit”. As seen in Table 3, we present “$T_{ecpm}\approx 2.848$ ms, $T_h\approx 0.309$ ms, $T_{me}\approx 0.228$ ms and $T_{sed}\approx 0.012$ ms”. Moreover, we calculated the execution times for the $CS$ server setting as follows: “OS: Ubuntu 18.04.4 LTS, Processor: Intel Core i5-10400 @2.9 GHz, Six-core, CPU: 64-bits”. As seen in Table 4, we utilized the analysis results for the average time of each operation under $CS$. In scenario 2, we present “$T_{ecpm}\approx 0.522$ ms, $T_h\approx 0.055$ ms, $T_{me}\approx 0.040$ ms and $T_{sed}\approx 0.001$ ms”. We prove the performance results for the comparative computational costs in

Table 5. Comparison between computational costs.

Scheme	User	Gateway/Server	Wearable Device	Total Computation Cost
Li et al. [21]	$6T_h+2T_{sed}$	$7T_h+6T_{sed}$	$5T_h+2T_{sed}$	$18T_h+10T_{sed}$
Wu et al. [23]	$10T_h+2T_{sed}$	$6T_h+5T_{sed}$	$4T_h+T_{sed}$	$20T_h+8T_{sed}$
Amin et al. [25]	$12T_h$	$18T_h$	$6T_h$	$36T_h$
Ali et al. [26]	$12T_h+2T_{sed}$	$16T_h+3T_{sed}$	$7T_h+5_{sed}$	$35T_h+10T_{sed}$
Hajian et al. [28]	$13T_h$	$7T_h$	$9T_h$	$29T_h$
Guo et al. [8]	$21T_h$	$18T_h$	$7T_h$	$46T_h$
AGPS-PUF	$10T_h+3T_{sed}$	$10T_h+2T_{sed}$	$8T_h+T_{sed}$	$28T_h+6T_{sed}$

and Figure 8. Consequently, the AGPS-PUF offers the necessary security requirements and features while maintaining similar costs compared to previous schemes [8,25,26,28]. Hence, the AGPS-PUF is suitable for practical wearable computing environments.

9.2. Communication Costs

We discuss the comparative communication costs of the AGPS-PUF and existing related schemes [8,21,23,25,26,28]. Referring to [8], we assume that the bits for the timestamp, the PUF challenge, identity, random nonce, symmetric encryption/decryption, and hash digest are 32, 64, 128, 128, 128, and 256 bits, respectively. During the AKA phase of the AGPS-PUF, the exchanged messages $\{M_1,T_1\}$, $\{M_2,M_3,TI{D}_{WD},C_{WD}^1,T_2\}$, $\{M_2,M_3,M_4,M_5,TI{D}_U,TI{D}_{WD},C_{WD}^1,C_U^1,T_2,T_3\}$, $\{M_6,M_7,T_4\}$, and $\{M_8,M_9,TI{D}_j^{*},T_4,T_5\}$ require “(256 + 32 = 288 bits), (256 + 256 + 128 + 64 + 32 = 736 bits), (256 + 256 + 128 + 256 + 128 + 128 + 64 + 64 + 32 + 32 = 1344), (128 + 256 + 32 = 416 bits), and (256 + 256 + 256 + 32 + 32 = 832 bits)”. Consequently, the AGPS-PUF has similar costs compared with previous schemes, as presented in

Table 6. Comparison between communication costs.

Scheme	Communication Cost for ${\mathit{WD}}_{\mathit{j}}$	Total Cost	Number of Messages
[21]	2112 bits	4352 bits	4 messages
[23]	2304 bits	2816 bits	3 messages
[25]	1280 bits	4096 bits	5 messages
[26]	1952 bits	4128 bits	4 messages
[28]	1504 bits	3552 bits	5 messages
[8]	1920 bits	5088 bits	5 messages
AGPS-PUF	1568 bits	3616 bits	5 messages

and Figure 9, since transmitting fewer bits minimizes the network latency and number of collisions.

9.3. Security Functionality Comparison

This section compares the “security functionalities” of the AGPS-PUF with the existing related schemes for wearable computing [8,21,23,25,26,28]. In

Table 7. Comparative study on security features.

Security Features	[21]	[23]	[25]	[26]	[28]	[8]	Our
$S{F}_1$	o	o	o	o	x	x	o
$S{F}_2$	o	x	x	o	o	o	o
$S{F}_3$	o	x	x	o	x	x	o
$S{F}_4$	x	NA	NA	NA	o	x	o
$S{F}_5$	NA	x	x	NA	x	o	o
$S{F}_6$	o	o	o	o	o	o	o
$S{F}_7$	o	o	x	o	x	x	o
$S{F}_8$	o	o	o	o	o	o	o
$S{F}_9$	x	x	x	o	o	o	o
$S{F}_{10}$	o	o	o	o	x	x	o
$S{F}_{11}$	x	x	x	o	o	o	o
$S{F}_{12}$	o	o	o	o	o	o	o
$S{F}_{13}$	o	x	o	o	o	x	o
$S{F}_{14}$	x	o	o	o	o	x	o
$S{F}_{15}$	NA	NA	NA	NA	NA	o	o

o: “protection of security features”; x: “non-protection of security features”; NA: “not applicable”; $S{F}_1$: “MITM attack”; $S{F}_2$: “offline password-guessing attack”; $S{F}_3$: “impersonation attack”; $S{F}_4$: “sensor physical capture attack”; $S{F}_5$: “mobile device stolen attack”; $S{F}_6$: “stolen verifier attack”; $S{F}_7$: “session key disclosure attack”; $S{F}_8$: “replay attack”; $S{F}_9$: “privileged insider attack”; $S{F}_{10}$: “mutual authentication”; $S{F}_{11}$: “user anonymity”; $S{F}_{12}$: “PFS”; $S{F}_{13}$: “untraceability”; $S{F}_{14}$: “formal (simulation) analysis”; $S{F}_{15}$: “group proof”.

, we show that some existing schemes for wearable computing are not fully protected and may be fragile to different potential security attacks. Thus, the security protocols must be designed in such a way that they must be robust against lethal security attacks. In contrast, the AGPS-PUF is resilient to lethal security attacks, and guarantees the necessary security requirements and functionalities, including “mutual authentication, PFS, anonymity, and untraceability”. Thus, the AGPS-PUF provides more security functionalities when compared to the existing related schemes for wearable computing [8,21,23,25,26,28].

10. Conclusions

We prove that Guo et al.’s scheme is not protected against session key disclosure, MITM, and impersonation attacks, and it does not offer security requirements and features such as mutual authentication and untraceability. Hence, we designed an efficient and robust authentication and group–proof scheme using the PUF for wearable computing to address the security issues of Guo et al.’s scheme. We demonstrate the session key security of the AGPS-PUF by performing formal security under the ROR Oracle model analysis and show that the AGPS-PUF is resistant to replay and MITM attacks by using the AVISPA simulation analysis. Furthermore, we present the testbed experiments of the AGPS-PUF using MIRACL crypto SDK based on Raspberry PI 4. We demonstrate the performance comparison of the AGPS-PUF and the existing related schemes for wearable computing with respect to computation costs, communication costs, and security features. Thus, the AGPS-PUF ensured a higher security level than the existing related scheme in wearable computing environments and provided similar computational and communication costs to the existing related schemes for wearable computing. Thus, the AGPS-PUF is suitable for practical wearable computing environments, as it offers more effective efficiency and superior security compared to existing related schemes for wearable computing.