Dynamic Key Extraction Technique Using Pulse Signal and Lightweight Cryptographic Authentication Scheme for WBAN

Abstract

As a key component of ubiquitous computing, the wireless body area network (WBAN) can be used in a variety of disciplines, including health monitoring. Our everyday routines have been transformed by wearable technology, which has changed the medical industry and made our lives more convenient. However, the openness of the wireless network has raised concerns about the privacy and security of patient’s data because of the latent threat imposed by attackers. Patients’ sensitive data are safeguarded with authentication schemes against a variety of cyberattacks. Using pulse signals and a lightweight cryptographic approach, we propose a hybrid, anonymous, authentication scheme by extracting the binarized stream (bio-key) from pulse signal. We acquired 20 different sample signals to verify the unpredictability and randomness of keys, which were further utilized in an authentication algorithm. Formal proof of mutual authentication and key agreement was provided by the widely known BAN logic, and informal verification was provided by the Automated Validation of Internet Security Protocol and Applications (AVISPA) tool. The performance results depicted that storage cost on the sensor side was only 640 b, whereas communication cost was 512 b. Similarly, the computation time and energy consumption requirements were 0.005 ms and 0.55 µJ, respectively. Hence, it could be asserted that the proposed authentication scheme provided sustainable communication cost along with efficient computation, energy, and storage overheads as compared to peer work.

1. Introduction

New research opportunities have arisen as a result of recent technological advancements. The wireless body area network (WBAN) has gained substantial interest as a promising research path. Emerging advancements in this technology have made it easier for us to get the medical care we need. However, the use of wireless technology comes with the potential risk of an attacker passively sliding into the network and compromising the privacy and security of medical data. The sensing nodes are attached to the body and used to collect physiological data, which are then transmitted via cellphones to the medical practitioner [1].

Authentication techniques offer a solution to protect one’s most sensitive personal data, such as ECG, pulse signal, BP, and sugar level. A wide range of literary classifications can be found in many studies [2,3,4]. Patients’ physiological traits can be used to authenticate devices with limited resources, such as WBANs [5,6,7]. Their main disadvantage is that they are prone to DoS attacks, and it is difficult to collect identical signals from diverse devices located throughout the body [8]. However, physiological signals have been combined with machine learning techniques to come up with innovative authentication schemes that provide efficient results [9].

Furthermore, Donida et al. [10] developed an ECG biometrics system using a deep convolutional neural network (CNN). By transforming the ECG into binary form, their proposed method improved accuracy. Similarly, machine learning (ML) was used in another study for authentication using EEG (brain) signals. EEG has additional advantages, such as the inability to fake results, supplying a foolproof authentication technique that was more reliable than other biometric traits [11]. Moreover, multimodal techniques that rely on more than one physiological feature such as ECG fingerprints have proven higher accuracy in authentication than unimodal techniques. They provide more robust authentication and resilience against cyberattacks (e.g., [12]).

Another promising area of research is the development of anonymous authentication methods. Suitable for WBAN environments, they provide lightweight cryptography solutions. Binary logical operations such as XOR and hash functions were used by Kompara et al. [13] to create an anonymous, lightweight, key agreement and authentication. Their work provided resilience against several known attacks and provided better results in terms of computational, communicational, storage, and energy overheads. However, Kompara et al.’s [10] scheme was found to be vulnerable to a few attacks, i.e., base station compromise, sensor node impersonation, and intermediate node (IN) compromise. The remedies of the identified weaknesses were rectified in our earlier study [14], where we made significant architectural-level improvements to the original system in terms of communicational, computational, and energy consumption cost. Similarly, the studies in [15,16,17] were also based on hashing and XOR operations.

Several promising results have been obtained by mixing physiological signals such photoplethysmogram (PPG), electroencephalogram (EEG), and ECG with cryptographic methods to come up with hybrid authentication schemes, which have attracted great attention in the research community. The authentication schemes were subsequently found to be more versatile and resilient than their predecessors. The authentication scheme of Li et al. [12] was combined with ECG signals by Koya et al. [18] to create a hybrid approach. The ECG signal was used to extract a 128 bit bio-key to improve authentication and, ultimately, security. Tao et al. [19] adopted the bio-key generation technique of Koya et al. [18] to present a more energy- and time-efficient continuous authentication scheme. Another example of using biometric signals in conjunction with cryptographic techniques to develop cost-effective authentication schemes can be found in [20,21,22]. The same may be said for this study, whose major contributions are summarized below.

• We utilized a pulse signal to extract an unpredictable variable-length bio-key pattern for the authentication process in conjunction with a lightweight cryptographic algorithm. Moreover, it increased key entropy and robustness, in addition to making the bio-keys more uncertain. As a further benefit, it strengthened resistance against assaults such as anonymous, key escrow, non-linkable sessions, and eavesdropping.
• We collected pulse signals from 20 different subjects, both male and female, to test characteristics such as the randomness, variability, and unpredictability of bio-keys. The results showed high randomness and uncertainty in bio-key extraction.
• The well-adopted BAN logic and informal verification using the Automated Validation of Internet Security Protocol and Applications (AVISPA) tool demonstrated the correctness of our method.
• We further optimized the proposed work in terms of storage, computational, and communicational overheads as compared to related studies. Our proposed scheme outperformed those in the literature, providing more efficient results.

The remainder of the paper is organized as follows: Section 2 defines the system model; Section 3 entails the proposed scheme; Section 4 demonstrates the security analysis; Section 5 compares the performance of the proposed scheme with the literature; Section 6 provides a discussion and conclusion.

2. System Model

The proposed authentication scheme uses a system model that includes network and rival models.

2.1. Network Model

The network design is based on a three-tiered architecture, as depicted in Figure 1. The sensor node (N) comprises Tier 1, an intermediate node (IN) constitutes Tier 2, and a server, i.e., hub node (HN), represents Tier 3. The connection between N and HN was reworked such that IN serves as a relay in the entire model. It passes any received data from either N or HN to the destination without storing any information or identity of its own. As a result, IN plays a supporting role rather than an authoritative function. Figure 1 depicts the network model.

2.2. Rival Model

The following assumptions were made in support of the proposed scheme:

• HN’s security may prevent an opponent from recovering $K_{UN}$ Dolev–Yao [23].
• By intercepting the communication, the data can be erroneously injected, edited, or replayed.
• The sensor nodes N can be compromised by an attacker to disrupt communication and, as a result, the authentication process. In addition, the cost of securing N prevents it from being accessed physically.
• In our scheme, parties communicate using insecure Dolev–Yao [23] channels.

3. The Proposed Scheme

Compared to our previous work [14], we further optimized the storage, computing cost, and energy usage of the proposed scheme. In terms of performance parameters (i.e., storage, energy consumption, and computational overheads) and security characteristics, our proposed authentication scheme exceeds the competition by a wide margin. Our proposed scheme includes five phases: preprocessing and feature extraction, bio-key generation, registration phase, authentication phase, and update key phase. The “upstream node” (UN) refers to both the intermediate node (IN) and the hub node (HN).

Table 1. The symbolic notations used in proposed scheme.

Symbolic Notations	Description
Adm	Admin of system
NU	Node upstream
NS	Node sensor
$i{d}_N$	ID of NS
$ti{d}_N$	Temp. ID
$K_{UN}$	NU’s master key
$K_N$	The ad hoc key for NS
$r_{NS}, r_N$	Binarized (bio-key) form of pulse signal
$e_N, I_N,c_N,a_N$	Authentication parameters
$\gamma ,\delta ,\eta$	Identifiers used for NS
$\rho$	Integrity parameters
$k_S$	Key utilized for session
$t_N$	Timestamp
h (.)	Non-reversible hash function
$\parallel$	Concatenate operation
$\oplus$	XOR operation

lists the various notations that were employed.

3.1. Preprocessing and Feature Extraction Phase

Symlet4 (Sym4) wavelet transform was used to preprocess the pulse signal. In terms of peak detection, the Sym4 wavelet is considered to be a suitable option. The number of vanishing moments or the length of the filter was set to 8. Our main aim was to preserve the peaks while removing all other frequency components. As a result, a wavelet transform is necessary to separate the signal components into diverse frequency bands, which can be accomplished via bandpass action. By reducing undesired frequency ranges (high and low), bandpass filtering is achieved.

3.2. Bio-Key Generation

The bio-key extraction process commences by calculating the inter-pulse interval (IPI) of the pulse signal after the previous stage. Gray coding is then applied to make the resultant bit stream (bio-key) more random and unpredictable in terms of variable length.

The experiment was conducted using a fingertip pulse oximeter connected with Arduino UNO to collect pulse signals from 20 subjects, both male and female. Figure 2 depicts the testbed designed for this purpose. Figure 3 shows the preprocessing and peak detection of the acquired signal via Matlab 2016b, as well as the bio-key extracted after applying gray coding. We randomly selected four subjects (as a case study) and generated bio-keys from the acquired signals. In order to ensure unpredictability and uncertainty of the bio-keys, we calculated key entropy H(X) and Hamming distance (HD) as shown in

Table 2. Comparison of bio-keys using HD.

Subjects	Sub01	Sub02	Sub03	Sub04
Sub 01	0	28	31	37
Sub 02	28	0	25	31
Sub 03	31	25	0	30
Sub 04	37	31	30	0

, Figure 4 and Figure 5. Moreover, H(X) values closer to 1 denote higher uncertainty, and greater HD values indicate more difference and unpredictability. Both these characteristics are highly desirable.

3.3. Registration Phase

This phase commences after registration of the new node sensor (NS) via a secure connection. The steps involved here resemble our previous work [14].

• A unique ID is chosen for NS $i{d}_N$ along with key $K_N$.
• $a_N=K_{UN}\oplus i{d}_N\oplus K_N.$
• $I_N=h\left(K_{UN}\parallel K_N\right)$.

The values of $i{d}_N$, $a_N$, and $I_N$ are saved on the NS, whereas parameters such as $i{d}_N$, $K_N$, and $K_{UN}$ are saved on the UN.

3.4. Authentication Phase

• The NS receives a synchronization signal from the UN and extracts bio-key $r_N$ from the pulse signals it receives. NS creates a timestamp $t_N$ and extracts a new bio-key
• $r_{NS}$ from yet another pulse signal.

  (i)

  $c_N=I_N\oplus r_N$

  (ii)

  $ti{d}_N=\mathrm{h}(i{d}_N \oplus t_N \parallel r_N)$.

  (iii)

  Sends $\left(ti{d}_N, a_N, c_N, t_N\right)$ to UN.

• After ensuring the validity of received timestamp $\left(ti{d}_N, a_N, c_N, t_N\right)$, the UN then calculates the following:

  (iv)

  $i{d}_N \oplus K_N=a_N \oplus K_{UN}$.

  (v)

  Confirms valid $i{d}_N$ from the saved values

  (vi)

  $I_N^{*}=h\left(K_N \oplus K_{UN}\right), r_N^{*}=I_N^{*} \oplus c_N$.

  (vii)

  $ti{d}_N^{*}=\mathrm{h}(i{d}_N \oplus t_N \parallel r_N^{*})$.

  (viii)

  Checks $ti{d}_N^{*} ?=ti{d}_N$. Ends if it fails.

  (ix)

  Computes the HD among two bit streams (bio-keys) $r_N$ and $r_{NS}$. If less than threshold level, then both entities (NS, UN) can be authenticated.

  (x)

  Calculates new $K_N^{+}=r_{NS}$.

  (xi)

  $I_N^{+}=h\left(K_{UN}\oplus K_N^{+}\right)$.

  (xii)

  $e_{NS}^{+}=h\left(r_{NS} \parallel K_{UN}\right)$.

  (xiii)

  $\gamma =\left(r_N \oplus e_{NS}^{+} \parallel I_N^{+}\right)$.

  (xiv)

  $\eta =e_{NS}^{+}\oplus I_N^{*}.$

  (xv)

  $\delta =K_{UN} \oplus K_N^{+} \oplus \gamma$.

  (xvi)

  $\rho =h\left(r_N\parallel e_{NS}^{+} \parallel \eta \parallel \delta \right)$

  (xvii)

  Completes the key session.

  (xviii)

  $k_S=\gamma \oplus e_{NS}^{+}$

  (xix)

  The UN sends the tuple $\left(\rho ,\delta ,\eta \right)$ to N.

• On reception of $\left(\rho ,\delta ,\eta \right)$, N computes the following:

  (xx)

  $e_{NS}^{+*}=\eta \oplus I_N$.

  (xxi)

  ${\rho }^{*}=h\left(r_N\parallel e_{NS}^{+*} \parallel \eta \parallel \delta \right)$.

  (xxii)

  Confirms if ${\rho }^{*}=\rho$.

  (xxiii)

  $\gamma =\left( r_N \oplus e_{NS}^{+} \parallel I_N\right)$.

  (xxiv)

  $a_N^{+}=\delta \oplus \gamma \oplus i{d}_N$.

  (xxv)

  $k_S=\gamma \oplus e_{NS}^{+*}$.

  (xxvi)

  $\mathrm{NS} \mathrm{replaces} \mathrm{parameters} \left(I_N,a_N\right) with \left(I_N^{+}, a_N^{+}\right)$.

The authentication phase is depicted in Figure 6.

3.5. Update Master Key

There are two methods to keep the UN key uptodate: pre-deploying it during node installation or dynamically adding nodes later on. After the initial round of authentication, the computable bio-key is utilized to update all connected parameters. The master key updating procedure begins with the following steps:

• The master key can be updated using the bio-key $r_{SN}$ created during the registration phase.
• ${\mathrm{K}}_{\mathrm{UN}}^{+}{=\mathrm{K}}_{\mathrm{UN}} \oplus r_{\mathrm{NS}}$.
• All parameter links $\left(I_N^{+}, a_N^{+}\right)$ can be modified using this new master.

4. Security Analysis

The proposed scheme’s soundness is verified using a formal proof based on mathematical modeling generally built on well-established BAN logic [23]. Secondly, we discuss the security features presented by the proposed scheme and, lastly, the outcomes of informal analysis through simulation results.

4.1. Mathematical Modeling Using BAN Logic

4.1.1. Objectives

The following objectives are set to prove the mathematical modeling:

$$\mathrm{Ob}1: UN \left|\equiv NS \right|\equiv \left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN\right).$$

$$\mathrm{Ob}2: UN |\equiv \left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN\right).$$

$$\mathrm{Ob}3: NS \left|\equiv UN \right|\equiv \left(NS \stackrel{k_S}{\leftrightarrow } UN\right).$$

$$\mathrm{Ob}4: NS |\equiv \left(NS \stackrel{k_S}{\leftrightarrow } UN\right).$$

4.1.2. Ideal Form (Idf)

The following messages are portrayed in idealized form as follows:

$$\mathrm{Idf}1: NS \to UN: {\left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN, r_N, t_N\right)}_{NS \stackrel{i{d}_N}{\leftrightarrow } UN}.$$

$$\mathrm{Idf}2: UN\to NS:{\left(N \stackrel{I_N^{+}}{\leftrightarrow } UN, r_N, NS \stackrel{k_S}{\leftrightarrow } UN\right)}_{NS \stackrel{i{d}_N}{\leftrightarrow } UN}.$$

4.1.3. Preliminary Assumptions (PA)

The objectives are achieved with the help of PAS.

$$\mathrm{PA}1: UN|\equiv \left(NS\stackrel{i{d}_N}{\leftrightarrow }UN\right).$$

$$\mathrm{PA}2: UN|\equiv \#\left(t_N\right).$$

$$\mathrm{PA}3: UN\left|\equiv NS\right|\Rightarrow \left(NS\stackrel{I_N}{\leftrightarrow }UN\right).$$

$$\mathrm{PA}4: NS|\equiv \left(NS\stackrel{i{d}_N}{\leftrightarrow }UN\right).$$

$$\mathrm{PA}5: NS|\equiv \#\left(r_N\right).$$

$$\mathrm{PA}6: NS\left|\equiv UN\right|\Rightarrow \left(NS\stackrel{k_S}{\leftrightarrow }UN\right).$$

4.1.4. Formal Analysis (FA)

The FA is performed with the help of PA, objectives, Idf, and message rules.

FA1: From the message meaning rule, Idf1, and PA1, we obtain

$$\frac{UN|\equiv \left(NS\stackrel{i{d}_N}{\leftrightarrow }UN\right), UN△{\left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN, r_N, t_N\right)}_{NS \stackrel{i{d}_N}{\leftrightarrow } UN}}{UN\left|\equiv NS\right|~\left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN, r_N, t_N\right)}.$$

(1)

FA2: From PA2 and the freshness rule, we obtain

$$\frac{UN|\equiv \#\left(t_N\right)}{UN |\equiv \#\left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN, r_N, t_N\right)}.$$

(2)

FA3: From Equations (1) and (2), by applying the nonce verification rule, we infer

$$\frac{UN |\equiv \#\left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN, r_N, t_N\right), UN\left|\equiv NS\right|~\left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN, r_N, t_N\right)}{UN \left|\equiv NS \right|\equiv \left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN, r_N, t_N\right)}.$$

(3)

FA4: From Equation (3) and the believe rule, we attain the objective Ob1 as

$$\frac{UN \left|\equiv NS \right|\equiv \left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN, r_N, t_N\right)}{UN \left|\equiv NS \right|\equiv \left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN\right)}.$$

(4)

Therefore, we attained Objective Ob1.

FA5: Through Equation (4), PA3, and the jurisdiction rule, we get

$$\frac{UN\left|\equiv NS\right|\oplus \left(NS\stackrel{I_N^{+}}{\leftrightarrow }UN\right), UN \left|\equiv NS \right|\equiv \left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN\right)}{UN |\equiv \left(NS \stackrel{I_N^{+}}{\leftrightarrow } UN\right)}.$$

(5)

Therefore, we accomplished Objective Ob2.

FA6: Through PA4, Idf2, and the message meaning rule, we acquire

$$\frac{NS |\equiv \left(NS \stackrel{i{d}_N}{\leftrightarrow } UN\right), NS△{\left(I_N,I_N^{+}, r_N,NS\stackrel{k_S}{\leftrightarrow }UN\right)}_{NS\stackrel{i{d}_N}{\leftrightarrow }UN}}{NS\left|\equiv UN \right|~ \left(I_N, I_N^{+}, r_N,NS\stackrel{k_S}{\leftrightarrow }UN\right)}.$$

(6)

FA7: Through PA5 and the freshness rule, we achieve

$$\frac{NS|\equiv \#\left(r_N\right)}{NS |\equiv \#\left(I_N, I_N^{+}, r_N,NS\stackrel{k_S}{\leftrightarrow }UN\right)}.$$

(7)

FA8: Through Equations (6) and (7) and the nonce verification rule, we obtain

$$\frac{NS|\equiv \#\left(I_N, I_N^{+}, r_N,NS\stackrel{k_S}{\leftrightarrow }UN,NS \stackrel{i{d}_N}{\leftrightarrow } UN \right), NS\left|\equiv UN \right|~ \left(I_N, I_N^{+}, r_N,NS\stackrel{k_S}{\leftrightarrow }UN\right) }{NS\left|\equiv UN \right|\equiv \left(I_N, I_N^{+}, r_N,NS\stackrel{k_S}{\leftrightarrow }UN\right)}.$$

(8)

FA9: Using Equation (8) and the belief rule, we get

$$\frac{ NS\left|\equiv UN \right|\equiv \left(I_N, I_N^{+}, r_N,N\stackrel{k_S}{\leftrightarrow }UN\right) }{NS\left|\equiv UN \right|\equiv \left(NS\stackrel{k_S}{\leftrightarrow }UN\right)}.$$

(9)

Hence, we achieved Objective Ob3.

FA10: Using Equation (9), PA6, and the jurisdiction rule, we attain

$$\frac{ NS\left|\equiv UN \right|\oplus \left(NS\stackrel{k_S}{\leftrightarrow }UN\right), NS\left|\equiv UN \right|\equiv \left(I_N, I_N^{+}, r_N,NS\stackrel{k_S}{\leftrightarrow }UN\right) }{NS |\equiv \left(NS\stackrel{k_S}{\leftrightarrow }UN\right)}.$$

(10)

Hence, we achieved Objective Ob4.

4.2. Security Features Offered by Proposed Scheme

The key security characteristics offered by the proposed authentication scheme are outlined below.

4.2.1. Key Escrow Resilience

In the event of an insider threat, such as a system administrator or physician, the fixed master key $K_{UN}$ could constitute a risk. By producing a new master key from a new bio-key, we were able to dynamically update the original master key. Nodes NS and UN can no longer be impersonated with the help of this feature. As a result, the key escrow issue was rectified.

4.2.2. Eavesdropping Attack

Eavesdroppers can collect parameters such as $\left(ti{d}_N, a_N, c_N, t_N\right)$ and $\left(\mathsf{\rho },\delta ,\eta \right)$. If they do, they cannot create a bio-key $r_N,r_{NS}$, $I_N^{+}$, $K_{UN}^{+}$, $K_N^{+}$, $I_N$, and $K_N$. Some of these variables are XORed with other secret parameters, making elimination difficult. Similarly, eavesdroppers cannot discover or build $k_S$.

4.2.3. Unlinkable Session and Anonymity

It is possible to hide one’s identity from an adversary using anonymity. In our technique, we use a nonreversible hash function to protect the temporary identity $ti{d}_N$ which also comprises the bio-key $r_N$ computed by NS. It is impossible for an attacker to figure out what tuples are valid for $ti{d}_N$; therefore, they cannot link the two sessions. Additionally, all parameters transferred via public network are formalized using secret and fresh values. Some parameters, such as $I_N^{+}$ and $K_N^{+}$, are constantly changing in each session. Because of this, our proposed approach ensures that no two sessions are ever connected.

4.2.4. NS Capture and Impersonation Attack

Due to the unpredictability of bio-key and $I_N$, it would be difficult for an attacker to construct a valid record (e.g., $a_N$, $c_N$, and $t_N$) to conduct an NS impersonation attack. As the master key $K_{UN}$ is updated later on and requires a fresh bio-key $r_{SN}$, an adversary would not be able to get access to a sensor node. Therefore, the proposed system is able to withstand both sorts of attacks.

4.2.5. Backward/Forward Attack

An adversary may use previous session information to predict a future session, which is not possible in proposed scheme. To create the session key $k_S$, an adversary would need to know the parameters $\gamma$ and $e_{NS}^{+}$, which is impossible; even if they succeed, they will not be able to discover the session keys for the past or future. All parameters are computed dynamically during each session, and their values are updated. Thus, this functionality is supplementary.

4.2.6. UN Capture Attack

This attack may only succeed if the base station (in this example, UN) is breached and the master key $K_{UN}$ is obtained. The parameters $e_{NS}^{+}, \gamma , \rho , \eta , k_S$, and a random bio-key $r_{NS}$, generated from a random patient’s pulse sample, are also required by an adversary. The master key is also updated with these parameters. As a result, this attack is ruled out.

4.2.7. IN Compromise Attack

No identifying information is stored in the intermediate node (IN); hence, a compromise of this node would have no effect. Therefore, it would be impossible to initiate a series of impersonation attacks. As parameters such as bio-key $r_N$ and $I_N$ are not made public, they are difficult to forge.

4.2.8. Jamming Attack

To prevent a synchronized updating of mutual parameters between communicating entities (in our case, NS and UN), this attack jams the link. No new values for $\left(I_N^{+}, a_N^{+}\right)$ can be calculated by the sensor node NS in this situation. Notwithstanding, the proposed scheme can continue to use earlier values $\left(I_N, a_N\right)$ with a new authentication phase.

4.3. Simulation Using AVISPA Tool

The safety of the proposed method was verified informally using the well-established AVISPA tool [24], broadly utilized for security protocol verification. The proposed scheme was coded using the High-Level Protocol Specification Language (HLPSL) and interpreted into Intermediate Format (IF). Two backend models, namely, On-the-Fly Model Check (OFMC) and Constraint Logic-Based Attack Searcher (CL-AtSe), were used to verify the IF. These models ensure that the proposed system is safe and resilient to both active and passive attacks. Figure 7a,b show the summary reports for OFMC and CL-AtSe, respectively.

5. The Evaluation of Performance Results

The performance results for the proposed scheme was compared with the literature, i.e., Koya et al. [18], Tao et al. [19], Wazid, et al. [20], Xu, et al. [25], Almuhaideb et al. [26], and Rehman et al. [14]. We compared our proposed scheme with currently available state-of-the-state authentication schemes in the same category. This makes it simple to evaluate the effectiveness of our authentication scheme.

Table 3. Comparison of the security aspects.

	[18]	[19]	[20]	[25]	[26]	[14]	[Our]
F1	√	√	√	×	√	×	√
F2	√	×	√	√	√	√	√
F3	√	√	√	√	√	√	√
F4	√	√	√	√	√	√	√
F5	√	√	√	√	√	√	√
F6	√	×	×	×	×	√	√
F7	×	×	×	×	×	√	√
F8	√	×	×	√	√	×	√

F1: key escrow, F2: eavesdropping, F3: unlinkable session and anonymity, F4: NS capture and impersonation, F5: backward/forward secrecy, F6: UN capture, F7: IN compromise, F8: jamming attack.

provides a comparison of the security aspects.

5.1. Storage Cost

The storage cost of the proposed scheme depends upon the number of parameters stored on each entity, i.e., NS, IN, and HN. Hence, the NS stores only three parameters $\left(i{d}_N, a_N, I_N\right)$ along with session key $k_S,$ which needs 160 bits each, whereas no value is stored on the IN. The UN saves three parameters, i.e., $\left(K_{UN}, i{d}_N, K_N\right)$, along with $k_S$, again needing 160 bits/parameter. A comparison of storage overhead is shown in

Table 4. Storage overhead comparison.

	UN (HN) (Bits)	NS (Bits)	IN (Bits)
[18]	(n × 160) + 320	640	640
[19]	(m × 480) + (m × 480) + 160	800	480
[20]	(m × 800) + (n × 800) + 160	1600	800
[25]	(m × 32) + (n × 768) + 512	1280	32
[26]	(m × 480) + (n × 960) + 32	800	480
[14]	160 + (n × 480)	800	0
Ours	(n × 480) + 160	640	0

m: No. of IN, n: No. of NS.

.

5.2. Communication Cost

The quantity of messages sent between NS and UN was used to calculate the communication cost of proposed strategy. The initial message exchanged between NS and UN contains $\left(ti{d}_N, a_N, c_N, t_N\right)$ and timestamp $\left|t_N\right|$ = 32 b. Hence, the total cost is equivalent to 512 b (from NS to UN), whereas it is 480 b in the opposite direction. A comparison of the communication cost is revealed in

Table 5. Communication overhead comparison.

	NS$\to$IN	$\mathbf{IN}\to \mathbf{NS}$	$\mathbf{IN}\to \mathbf{HN}$	$\mathbf{HN}\to \mathbf{IN}$
[18]	672	480	1344	960
[19]	672	496	864	496
[20]	512	512	672	672
[25]	832	1088	864	1120
[26]	903	936	1063	936
[14]	512	480	512	480
Ours	512	480	512	480

.

5.3. Computational Time and Cost

The time values $t_h$ and $t_{xor}$ denote the time needed to compute hash function and XOR operation, respectively. In the authentication phase, the NS side employed seven XOR operations and two hash functions, while the UN side featured 11 XOR and five hash functions. Therefore, the equations for both sides could be denoted as $2t_h+7t_{xor}\approx 2t_h$ and 5$t_h+11t_{xor}\approx 5t_h$, respectively; the XOR takes negligible time and is, hence, ignored. According to a previous experiment [25], $t_r$ = 0.65 ms, $t_h$ = 0.0023 ms, and $t_{ecm }$= 0.123 ms. As a result, the proposed scheme took 0.007 ms on the NS side and 0.014 ms on the UN side.

Table 6. Computation time and cost comparison.

	Node	Cost	Time
[18]	N	$5t_h+5t_{xor}\approx 5t_h$	0.012 ms
	UN	$8t_h+11t_{xor}\approx 8t_h$	0.018 ms
[19]	N	$13t_h+4t_{xor}+2t_r\approx 13t_h+2t_r$	0.160 ms
	HN	$11t_h+4t_{xor}+3t_r\approx 11t_h+3t_r$	0.220 ms
[20]	N	$14t_h+t_{ecm}$	0.155 ms
	HN	$19t_h$	0.044 ms
[25]	N	$5t_h+5t_{xor}\approx 5t_h$	0.012 ms
	HN	$7t_h+9t_{xor}\approx 7t_h$	0.016 ms
[26]	N	$3t_h+12t_{xor}\approx 3t_h$	0.007 ms
	HN	$7t_h+13t_{xor}\approx 7t_h$	0.016 ms
[14]	N	$3t_h+6t_{xor}\approx 3t_h$	0.007 ms
	UN	$6t_h+10t_{xor}\approx 6t_h$	0.014 ms
Ours	NS	$2t_h+8t_{xor}\approx 2t_h$	0.005 ms
	UN	$5t_h+10t_{xor}\approx 5t_h$	0.012 ms

presents a comparison of the computational cost and time.

5.4. Power Consumption Overhead

The power consumption in active mode was computed as 118.8 mW, with the proposed scheme requiring (0.0046 × 118.8)/1000 $\approx$ 0.55 µJ on the NS side and (0.0115 × 118.8)/1000 $\approx$ 1.37 µJ on the UN side.

Table 7. Power consumption comparison.

	HN (µJ)	NS (µJ)
[18]	2.19	1.37
[19]	6.14	9.0
[20]	5.19	8.4
[25]	1.91	1.37
[26]	1.93	0.82
[14]	1.64	0.82
Ours	1.37	0.55

depicts the comparison.

5.5. Comparison of Performance Resutls

Since there are no data stored on the IN and even fewer storage requirements on the NS than any of schemes, as shown in Table 4, we can conclude that the overall storage demand is lower than any other scheme. Figure 8 depicts a comparison of the storage overhead when both m and n are considered as 1. It is also apparent that the proposed scheme generally attained more optimal results, even better than our previous study [14]. The lack of storage on IN, as well as the lower storage on NS, had a favorable impact on communication costs, as shown in Table 5; nonetheless, the proposed scheme’s overall communication costs remained the same as in [14]. Hence, the proposed scheme experienced the lowest communication costs compared to the related peer work. From Figure 9, it is apparent that there was a major improvement in communication between IN and UN, and vice versa. To be clear, the communication costs indicated here include the entire process from NS to UN and back again.

It is clear from Table 6 that the proposed authentication scheme produced the lowest computation between UN and NS (in our example) when compared to the literature, including our earlier study [14]. As a result, our authentication scheme is also cost-effective in terms of computing, as demonstrated in Figure 10. Moreover, by comparing our results with those of others, we concluded that the proposed scheme is energy-efficient, as also shown in Table 7 and Figure 11.

6. Discussion

The pulse signal can be utilized to extract variable-length bio-keys by maintaining characteristics such as high key entropy and randomness, which are highly desirable for keys. The bio-keys can be further utilized in the proposed authentication process by combining it with a lightweight cryptographic algorithm. The resultant authentication scheme offers multiple security features such as resilience against various attacks, e.g., key escrow, eavesdropping, NS, and base-station compromise. It is notoriously hard to apply impersonation attacks because the bio-keys are updated during the session. It had the lowest storage requirements on NS compared to the literature, which makes it more efficient in terms of storage requirements. A reduced communication cost is one of the features that our scheme offers, which is achieved by not storing anything on IN side. Therefore, it is also efficient in this regard, as depicted in Figure 8. The proposed scheme takes less computation cost in calculating bio-keys, as well as in executing whole scheme. This is made clear in Figure 9, enabling us to claim its improved efficacy.

Moreover, the proposed scheme incurs less energy overhead compared to related work (another highly desirable feature for such schemes). It costs only 0.55 µJ on the NS side, sufficient for sensor nodes, and 1.37 µJ on the UN side (a resourceful node), which is even lesser than our previous work [14], as shown in Figure 10. Therefore, the proposed scheme performs better than other hybrid schemes. Even though our work was improved in terms of storage, computational cost, and energy consumption, the communicational costs remained the same as before [14] because they have already been fully optimized. Accordingly, the proposed scheme improves on existing authentication schemes due to its effectiveness in providing anonymous and lightweight authentication and key agreement.

7. Conclusions and Future Directions

We presented a hybrid authentication scheme that uses physiological features extracted from pulse signals to generate a variable-length bio-key and combined it with further optimized version of a cryptographic solution from our previous work [14]. We extracted bio-keys from 20 different pulse samples through a testbed in order to verify the uncertainty and unpredictability of bio-keys. The results showed higher entropy and an unpredictability rate closer to 1 (highly recommended in this regard). Formal proof of the scheme was provided through well-established BAN logic, demonstrating that the proposed scheme achieved its security objectives while also allowing mutual authentication. The AVISPA tool’s simulation results showed that the scheme was safe, and it was able to withstand against various known security breaches. The performance evaluation results revealed that the proposed scheme required only 512 b in one-way communication, which was the lowest value in the comparison. Similarly, only 640 b storage was required on the NS side, which was again the lowest value in the comparison. Moreover, 0.005 ms of computational time was required on the NS side, i.e., the resource-limited side. Lastly, it consumes 0.55 µJ energy on the resource-limited side, i.e., NS, which was again the lowest value in the comparison. Therefore, it can be claimed that the proposed scheme is efficient in terms of communication, storage, computation, and energy consumption overheads. It can also be asserted that the proposed work contributes effectively to the exploration of sustainable means for remote patient monitoring (i.e., in the field of IoT).

Future development can focus on the following recommendations:

• The use of multimodal biometric features to further explore the authentication possibilities;
• The potential utilization of gestures for authentication purposes to open new dimensions;
• The utilization of more effective AI techniques to enhance the scheme;
• The exploration of potentially less expensive means of authentication to provide more sustainable energy consumption.