Extended Chaotic-Map-Based User Authentication and Key Agreement for HIPAA Privacy/Security Regulations

Abstract

Background: The US government has enacted the Health Insurance Portability and Accountability Act (HIPAA), in which patient control over electronic protected health information is a major issue of concern. The two main goals of the Act are the privacy and security regulations in the HIPAA and the availability and confidentiality of electronic protected health information. The most recent authenticated key-agreement schemes for HIPAA privacy/security have been developed using time-consuming modular exponential computations or scalar multiplications on elliptic curves to provide higher security. However, these authenticated key-agreement schemes either have a heavy computational cost or suffer from authorization problems. Methods: Recent studies have demonstrated that cryptosystems using chaotic-map operations are more efficient than those that use modular exponential computations and scalar multiplications on elliptic curves. Additionally, enhanced Chebyshev polynomials exhibit the semigroup property and the commutative property. Hence, this paper develops a secure and efficient certificate-based authenticated key-agreement scheme for HIPAA privacy/security regulations by using extended chaotic maps. Results and Conclusions: This work develops a user-authentication and key-agreement scheme that solves security problems that afflict related schemes. This proposed key-agreement scheme depends on a certificate-management center to enable doctors, patients and authentication servers to realize mutual authentication through certificates and thereby reduce the number of rounds of communications that are required. The proposed scheme not only provides more security functions, but also has a lower computational cost than related schemes.

1. Introduction

The network environment is accessible to the public. Communications between a pair of parties may be wiretapped or forged. Before a communication, parties must go through a key-negotiation phase to generate a session key that will protect transmitted information. Therefore, user-authentication and key-agreement schemes are necessary. The user-authentication and key-agreement scheme is used to verify the identities of both parties and prevent an attacker from fooling a user and the server by forging identities during the key-negotiation phase. It resists potential attacks and raises its own security issues. User authentication and key agreements can also guarantee the fairness of establishment of the session key. Neither of a pair of communicating parties can decide the session key in advance of their communication. The session key must be composed of information that is provided by both parties to ensure that neither party can precalculate it, resulting in an information leak.

1.1. Background

The US government promulgated the HIPAA privacy/security regulations [1] in 1996 to improve overall healthcare quality. The HIPAA specification is a conceptual guideline that can be used to design medical-related protocols. It has become very popular because it simplifies health policies and procedures and promotes the security and privacy of patients’ medical information. Recently, many fragmentary and ambiguous medical regulations have been made clearer and more complete by reference to the HIPAA specification. In the traditional medical environment, the entire course of treatment is described fully in hospital and paper medical records. Nowadays, owing to the development of the network, medical records are efficiently transmitted among hospitals. Medical staff and patients can quickly and conveniently obtain related medical services. Accordingly, the security of transmission and privacy of electronic medical records has become increasingly significant. Therefore, establishing secure communication channels between patients and healthcare centers with mutual authentication and session-key negotiation is extremely important.

1.2. HIPAA Privacy/Security Regulations

The HIPAA privacy/security regulations [1] are briefly summarized as follows.

1.2.1. Privacy Regulations

Privacy regulations give patients the right to claim medical records, including protected health-related information such as name, address, contact numbers, and medical information.

1.2.2. Security Regulations

• Patients’ understanding: The patient has the right to know how their health information will be used and preserved. Digital signatures can be used to protect patient health information.
• Confidentiality: Confidentially concerns protections associated with the use of software. Patient health information must be encrypted and protected in both storage and transmission to ensure confidentiality. Encryption is the most effective way to achieve the confidentiality of information.
• Patients’ control: Patients can control access to their own information by using generated and issued encryption and decryption keys.
• Data Integrity: The integrity of e-health information must be ensured. Medically negligent use, tampering and unauthorized destruction of patients’ health information are prohibited.
• Consent Exception: When an emergency or special circumstance arises, the disclosure of a patient’s medical records and health information without the patient’s authorization is permitted. When this exception is used, the patient is not directly involved, so other methods of decrypting the ciphertext must be designed.

1.3. Threat Models

Threat models for authentication schemes in smart mobile devices are divided into the following five main categories according to the security attributes that the attack attempts to compromise [2].

• Identity-based attacks: This attack targets authentication and attempts to forge identities to gain access to the system posing as an authorized user.
• Eavesdropping-based attacks: This attack targets confidentiality and is based on eavesdropping on the communication channel between the user and the server to obtain some secret information and break the confidentiality of the system.
• Combined eavesdropping and identity-based attacks: This attack targets confidentiality and authentication, and combines eavesdropping and identity-based techniques to compromise systems.
• Manipulation-based attacks: This attack targets data integrity and involves an unauthorized party accessing and changing sensitive data.
• Service-based attacks: This attack targets availability and attempts to make the authentication service unavailable. After that, legitimate users cannot log in to the server.

1.4. Related Works

Many authentication and key-agreement schemes have been proposed for e-health systems. In 2010, Hu et al. [3] proposed an authentication scheme with contract-oriented hybrid public-key infrastructure based on the HIPAA specification design electronic medical method in [4]. In 2012, Ray and Biswas [5] pointed out shortcomings of previous schemes, including that of Hu et al., including the fact that without patient authorization, medical service providers can access patient information without restriction. They also revealed that the previous schemes in [4,6] raise the problem that a round-oriented health smartcard cannot verify the need for health information in multiple places at once, and so proposed a contract-oriented CA-based electronic health service system. In 2014, Ray and Biswas [7] developed a CA-based authentication scheme for e-healthcare systems. Their developed scheme uses the existing PKI and public-key certificate to set up a contract-based system with a medical-center server located at hospitals, and is compliant with HIPAA privacy/security regulations.

In 2019, Aghili et al. [8] proposed a lightweight authentication and ownership transfer protocol for e-health systems in the context of IoT. Their protocol not only provides authentication and key agreement but also satisfies access control and preserves the privacy of doctors and patients. In 2020, Bui et al. [9] proposed a new biometric-based key-management scheme to facilitate remote-access authorization anytime and anywhere. In their scheme, patients and doctors realize mutual authentication by using their biometric information through real-time video-communication technology. Additionally, their scheme also provided a safety channel in delivering their access authorization and secret data between patient and doctor. In the same year, Ali et al. [10] presented a robust authentication and access-control protocol for securing wireless healthcare sensor networks. Their proposed scheme employed three factors, including smart-card authentication, biometric authentication and password authentication, to overcome the pitfalls in previous schemes [11,12]. Additionally, Fotouhi et al. [13] proposed a hash-chain-based authentication scheme for wireless body-area networks in healthcare IoT. Their scheme provides perfect forward secrecy and resists potential attacks, including key-compromise impersonation attacks and known session-specific temporary information attacks. In 2021, Lee et al. [14] considered the entire process of data from data generation through transmission by wearable devices to mobile devices and then to a medical center server, and developed an efficient authentication scheme based on extended chaotic maps. Their scheme reduces the amount of computation on wearable devices, while also taking advantage of the immutability of the blockchain to ensure that data cannot be tampered with, enhancing security requirements. In 2022, Amintoosi et al. [15] performed cryptanalysis of the scheme of Aghili et al. [8] and stated that it is insecure against some possible attacks. They also proposed a lightweight authentication scheme for smart healthcare applications in IoMT as an alternative. At the same year, Zhai and Wang [16] proposed an effective multiserver biometric-authentication scheme based on extended chaotic maps for TMIS to overcome the weaknesses of Lee et al.’s scheme [17] in terms of authentication and revocation. In 2022, Ryu et al. [18] introduced a new method of high-speed symmetric encryption using the Chebyshev chaotic map and developed a multiserver/multiclient authentication scheme using this symmetric map to overcome the weaknesses of Chatterjee et al.’s scheme [19] in terms of revocation and user anonymity.

1.5. Motivation and Contributions

In summary, the aforementioned schemes are limited by permanent authorization, difficulty of changing the password that is kept in the smartcard, the inability of a round-oriented smartcard to verify simultaneously the need for health information in multiple places, and poor computing efficiency during medical treatment.

In order to solve these problems, this investigation proposes a user-authentication and key-agreement scheme that complies with HIPAA security regulations by using enhanced Chebyshev polynomials. Many recent studies showed some mathematical models and theorems can be applied to information systems and have good computing performance [20,21,22,23,24,25,26,27,28,29,30]. Enhanced Chebyshev polynomials exhibit semigroup and commutative properties and provide the Logarithm problem and the Diffie–Hellman problem. Additionally, recent investigations have established that cryptosystems that are developed using extended Chebyshev chaotic maps are more efficient than those developed using modular exponentiations and scalar multiplications on elliptic curves. Therefore, the efficiency of the scheme that is proposed in this investigation is enhanced by using extended Chebyshev chaotic maps. In the mutual-authentication and key-agreement phase of each session, different authorizations are generated to be compliant with HIPAA privacy regulations and security regulations. The contributions of this work are summarized as follows:

• A secure and efficient authentication and key-agreement scheme that is based on extended Chebyshev chaotic maps is proposed by using lightweight extended Chebyshev chaotic maps and hash operations.
• The proposed scheme solves the security problems of previous schemes, which do not include updated passwords, patients’ authorization and patients’ control, and cannot resist password-guessing attacks, impersonation attacks, replay attacks and stolen verifier attacks.
• The proposed scheme is compliant with HIPAA privacy and security regulations.

1.6. Organization

The remainder of this paper is organized as follows: Section 2 briefly introduces primitives used in this paper. Section 3 presents the proposed extended chaotic map-based user-authentication and key-agreement scheme. Section 4 presents the authentication proof using BAN logic, analyzes the security of the proposed scheme and compares the proposed scheme with the related works. Section 5 concludes this work.

2. Preliminaries

This section presents the notation and definitions that are used in this paper, including those related to enhanced Chebyshev polynomials, the extended chaotic-map-based discrete logarithm problem and the extended chaotic-map-based Diffie–Hellman problem.

2.1. Notation

A patient is denoted as Pat; a doctor is denoted as Doc and a medical-center server is denoted as MCS.

Table 1. Notations.

Notation	Description
$E(.)/D(.)$	Symmetric en/decryption algorithm, ex. DES, AES [31]
$h(.)$	One-way hash function, ex. MD5, SHA-256 [31]
$I{D}_P,I{D}_D$	Pat’s identity/Doc’s identity
$P{W}_P$	Pat’s password
$NI{D}_P/NI{D}_D$	Pat’s anonymous information/Doc’s anonymous information
w	Pat’s medical power of attorney
$r_P/T_{r_P}\left(x\right)$	Pat’s private/public key pair
$r_D/T_{r_D}\left(x\right)$	Doc’s private/public key pair
$r_{MCS}/T_{r_{MCS}}\left(x\right)$	MCS’ private/public key pair
PHI	Pat’ Protected Health Information
p	A large prime number
$V_i$	Confirmation message

lists the entire notation that is used in this paper.

2.2. Enhanced Chebyshev Polynomials

In 2008, to avoid the limitations demonstrated by Bergamo et al. [32], Zhang [33] developed the enhanced Chebyshev polynomials, and showed that the semigroup property and the commutative under composition are still satisfied. That is,

$$T_n\left(x\right)=\left(2T_{n-1}\left(x\right)-T_{n-2}\left(x\right)\right)\left(mod p\right),$$

(1)

where $n\ge 2,x\in \left(-\infty ,+\infty \right)$ and $p$ is a large prime number. Then,

$$T_r\left(T_s\left(x\right)\right)\equiv T_{r·s}\left(x\right)\equiv T_s\left(T_r\left(x\right)\right)mod p$$

(2)

holds, where $r,s\ge 2$.

The enhanced Chebyshev chaotic maps still have the discrete logarithm problem and Diffie–Hellman problem [15,16,17], which are described as follows.

• Extended Chaotic-Map-Based Discrete Logarithm Problem (ECM-DLP):

Given x, y and p, it is computationally infeasible to find an integer r such that

$$T_r\left(x\right)modp=y$$

(3)

holds.

2.

Extended Chaotic-Map-Based Diffie–Hellman Problem (ECM-DHP):

Given $T_r\left(x\right)\left(modp\right)$, $T_s\left(x\right)\left(modp\right)$, $T(·)$, $x\in \left(-\infty ,+\infty \right)$ and $p$ is a large prime number, it is computationally infeasible to calculate

$$T_r\left(T_s\left(x\right)\right)\equiv T_{r·s}\left(x\right)\equiv T_s\left(T_r\left(x\right)\right)modp,$$

(4)

where r, s ≥ 2.

2.3. The Medical System Model

The system model includes three roles: patient Pat, doctor Doc and medical-center server MCS. The medical-center server MCS provides Pat with registration and issues smartcards and is responsible for providing medical services. Doctors or medical staff Doc must first register with the MCS to obtain medical staff credentials. Patients Pat need to sign a privacy contract with medical-center server MCS, obtain a smartcard SC during the registration phase, and then receive medical services using the smartcard SC. Pat and Doc store and exchange protected medical records and health information in the cloud via the help of MCS. Figure 1 illustrates the relations among Pat, Doc and MCS in the medical system model.

3. Proposed Extended Chaotic-Map-Based User-Authentication and Key-Agreement Scheme

This section presents a user-authentication and key-agreement scheme, which is certificate-based and used for HIPAA privacy/security regulations. The proposed scheme uses a user certificate to reduce the number of rounds of transmission and has higher security. The scheme includes three roles, which are a trusted government health server, patients and medical staff. The proposed authentication and key-agreement schemes have six phases, which are system-parameter initialization, registration, uploading of patient’s PHI, access to patient’s PHI, emergency-exception handling and smartcard password changing, which are described below.

3.1. System-Parameter Initialization Phase

Medical-center server MCS selects a secure hash function $h(\cdot )$, a random number $r_{MCS}$ and a random variable x in $\left(-\infty ,+\infty \right)$. Then, MCS computes $T_{r_{MCS}}\left(x\right)modp$ and publishes $\left\{x,T_{r_{MCS}}\left(x\right)\mathrm{mod}p,h(.)\right\}$. Patient Pat selects a random number $r_P$, computes $T_{r_P}\left(x\right) \mathrm{mod} p$ and publishes $\left\{T_{r_P}\left(x\right)mod p\right\}$. Medical service staff (or Doctor) Doc selects a random number $r_D$, computes $T_{r_D}\left(x\right)mod p$ and publishes $\left\{T_{r_D}\left(x\right)mod p\right\}$.

3.2. Registration Phase

Figure 2 illustrates the processes of registration phase of the proposed scheme. Each patient Pat signs a privacy contract $w$ that includes the patient’s information and instructions on how to be stored and used, and then performs the following steps for registration.

Step 1: Patient Pat selects an identity $I{D}_P$ and password $P{W}_P$, computes $W_P=h(I{D}_P\Vert P{W}_P)$ and sends $\left\{w,I{D}_P,W_P\right\}$ to MCS.

Step 2: On receiving $\left\{w,I{D}_P,W_P\right\}$ from Pat, MCS selects a random number $R_{MCS}$ and computes $NI{D}_P=E_{r_{MCS}}(I{D}_P\Vert W_P\Vert R_{MCS}\Vert w)$ and $X_P=h(I{D}_P\Vert R_{MCS})$ for authentication. Then, MCS sends $\left\{NI{D}_P,X_P\right\}$ to Pat.

Step 3: On receiving $\left\{NI{D}_P,X_P\right\}$ from MCS, Pat obtains his/her smartcard and computes $Y_P=X_P\oplus W_P$, and replaces $X_P$ with $Y_P$.

3.3. PHI Uploading Phase

Figure 3 illustrates the processes of the PHI uploading phase of the proposed scheme, which are described as follows.

Step 1: Patient Pat inputs his/her identity $I{D}_P$ and password $P{W}_P$ and computes $W_P=h(I{D}_P\Vert P{W}_P)$; $X_P=Y_P\oplus W_P$, selects random numbers $R_P$ and a, a timestamp $T{S}_1$, computes $T_a\left(x\right)mod p$, $P_P=h(W_P\Vert I{D}_P\Vert I{D}_D\Vert T_a\left(x\right))$, $Ce{r}_P=h(T_{r_P}\left(T_{r_{MCS}}\left(x\right)mod p\right)\Vert T{S}_1)$, $C_P=Ce{r}_P\oplus R_P$, $V_1=h(X_P\Vert P_P\Vert Ce{r}_P\Vert R_P$), $S{K}_{PD}=h\left(T_a\left(T_{r_D}\left(x\right)mod p\right)\right)$, $NI{D}_{PD}=I{D}_P\oplus S{K}_{PD}$, $Ce{r}_{PD}=h(T_{r_P}\left(T_{r_D}\left(x\right)mod p\right)\Vert T{S}_1)$, $V_2=h(I{D}_P\Vert Ce{r}_{PD})$ and sends $\{NI{D}_{PD},NI{D}_P,V_1,V_2,C_P,T_a\left(x\right),T{S}_1\}$ to the hospital.

Step 2: After receiving the messages from Pat, the doctor Doc checks the timestamp $T{S}_1\leqq \Delta T$ and computes $S{K}_{PD}=h\left(T_{r_D}\left(T_a\left(\mathrm{x}\right)modp\right)\right)$, $I{D}_P=NI{D}_{PD}\oplus S{K}_{PD}$, $Ce{r}_{PD}=h(T_{r_D}\left(T_{r_P}\left(x\right)modp\right)\Vert T{S}_1)$ and $V_2^{\prime }=h(I{D}_P\Vert Ce{r}_{PD})$. If $V_2^{\prime }=V_2$ does not hold, then Doc rejects this request; otherwise, Doc successfully authenticates Pat, selects random numbers $R_D,b$ and timestamp $T{S}_2$, and computes $T_b\left(x\right)$, encrypted session key $S{K}_{DMCS}=h\left(T_b\left(T_{r_{MCS}}\left(x\right)modp\right)\right)$, temporal identity $NI{D}_D=E_{S{K}_{DMCS}}\left(I{D}_D\Vert R_D\right)$, $Ce{r}_D=h(T_{r_D}\left(T_{r_{MCS}}\left(x\right)modp\right)\Vert T{S}_2)$, $D_{PHI}=Ce{r}_D\oplus PHI$ and $V_3=h\left(I{D}_D\Vert Ce{r}_D\Vert PHI\Vert R_D\right)$. Then, Doc sends $\{NI{D}_D,NI{D}_P,V_1,V_3,C_P,D_{PHI},T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\}$ to MCS.

Step 3: On receiving the messages from Doc, MCS checks the timestamp $T{S}_2\leqq \Delta T$, and computes $S{K}_{DMCS}=h\left(T_{r_{MCS}}\left(T_b\left(\mathrm{x}\right)modp\right)\right)$, $\left(I{D}_D\Vert R_D\right)=D_{S{K}_{DMCS}}\left(NI{D}_D\right)$, $Ce{r}_D=h(T_{r_{MCS}}\left(T_{r_D}\left(x\right)modp\right)\Vert T{S}_2)$, $PHI=D_{PHI}\oplus Ce{r}_D$, $V_3=h\left(I{D}_D\Vert Ce{r}_D\Vert PHI\Vert R_D\right)$. If $V_3^{\prime }=V_3$ does not hold, then MCS rejects this service request; otherwise, MCS successfully authenticates the doctor Doc, computes $(I{D}_P\Vert W_P\Vert R_{MCS}\Vert w)=D_{r_{MCS}}\left(NI{D}_P\right)$, $Ce{r}_P=h(T_{r_P}\left(T_{r_{MCS}}\left(x\right)modp\right)\Vert T{S}_1)$, $R_P=C_P\oplus Ce{r}_P$, $P_P^{\prime }=h(W_P\Vert I{D}_P\Vert I{D}_D\Vert T_a\left(x\right))$, $X_P^{\prime }=h(I{D}_P\Vert R_{MCS})$ and $V_1^{\prime }=h(X_P^{\prime }\Vert P_P^{\prime }\Vert Ce{r}_P\Vert R_P$). If $V_1^{\prime }=V_1$ holds, then MCS successfully authenticates the patient Pat, and stores $PHI$ into its database. Then MCS chooses $R_{new},c$, and computes $T_c\left(x\right)modp$, $S{K}_{MCSP}=h\left(T_c\left(T_a\left(\mathrm{x}\right)modp\right)\right)$, a new temporal identity $NI{D}_P^{new}=E_{r_{MCS}}\left(I{D}_P\Vert W_P\Vert R_{new}\Vert w\right)$, $X_P^{new}=h(I{D}_P\Vert R_{new}$), $QI{D}_P=E_{S{K}_{MCSP}}(NI{D}_P^{new}\Vert X_P^{new}$), $V_4=h\left(I{D}_D\Vert R_D\right)$ and $V_5=h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right)$. Then MCS sends $\left\{QI{D}_P,V_4,V_5,T_c\left(x\right)\right\}$ to Doc.

Step 4: On receiving $\left\{QI{D}_P,V_4,V_5,T_c\left(x\right)\right\}$ from MCS, Doc computes $V_4^{\prime }=h\left(I{D}_D\Vert R_D\right)$ and checks whether $V_4^{\prime }=V_4$ holds or not. If unsuccessful, D aborts this session. Otherwise, Doc sends $\left\{QI{D}_P,V_5,T_c\left(x\right)\right\}$ to Pat.

Step 5: On receiving $\left\{QI{D}_P,V_5,T_c\left(x\right)\right\}$ from Doc, Pat computes $S{K}_{MCSP}=h\left(T_a\left(T_c\left(\mathrm{x}\right)modp\right)\right)$, decrypts $QI{D}_P$ with $S{K}_{MCSP}$ and obtains $(NI{D}_P^{new}\Vert X_P^{new})$. Then, Pat computes $V_5^{\prime }=h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right)$ and checks whether $V_5^{\prime }=V_5$ holds or not. If unsuccessful, Pat aborts this request. Otherwise, Pat computes $Y_P^{new}=X_P^{new}\oplus W_P$ and replaces $\left\{NI{D}_P,Y_P\right\}$ as $\{NI{D}_P^{new},Y_P^{new}\}$ in SC.

3.4. PHI Access Phase

Figure 4 illustrates the processes of the PHI access phase of the proposed scheme, which are described as follows.

Step 1: Patient Pat inputs his/her ID and password and computes $W_P=h(I{D}_P\Vert P{W}_P)$; $X_P=Y_P\oplus W_P$, selects $R_P$, a, timestamp $T{S}_1$, computes $T_a\left(x\right)modp$, $P_P=h(W_P\Vert I{D}_P\Vert I{D}_D\Vert T_a\left(x\right))$, $Ce{r}_P=h(T_{r_P}\left(T_{r_{MCS}}\left(x\right)modp\right)\Vert T{S}_1)$, $C_P=Ce{r}_P\oplus R_P$, $V_1=h\left(X_P\Vert P_P\Vert Ce{r}_P\Vert R_P\right)$, $S{K}_{PD}=h\left(T_a\left(T_{r_D}\left(\mathrm{x}\right)modp\right)\right)$, $NI{D}_{PD}=I{D}_P\oplus S{K}_{PD}$, and sends $\{NI{D}_{PD},NI{D}_P,V_1,V_2,C_P,T_a\left(x\right),T{S}_1\}$ to the hospital.

Step 2: After receiving the messages from Pat, the doctor Doc checks the timestamp $T{S}_1\leqq \Delta T$ and computes $S{K}_{PD}=h\left(T_{r_D}\left(T_a\left(\mathrm{x}\right)modp\right)\right)$, $I{D}_P=NI{D}_{PD}\oplus S{K}_{PD}$, $Ce{r}_{PD}=h(T_{r_D}\left(T_{r_P}\left(x\right)modp\right)\Vert T{S}_1)$ and $V_2^{\prime }=h(I{D}_P\Vert Ce{r}_{PD})$. If $V_2^{\prime }=V_2$ does not hold, then Doc rejects this request; otherwise, Doc successfully authenticates Pat, selects random numbers $R_D,b$ and timestamp $T{S}_2$, and computes $T_b\left(x\right)modp$, encrypted session key $S{K}_{DMCS}=h\left(T_b\left(T_{r_{MCS}}\left(x\right)modp\right)\right)$, temporal identity $NI{D}_D=E_{S{K}_{DMCS}}\left(I{D}_D\Vert R_D\Vert IN{D}_{PHI}\right)$, $Ce{r}_D=h(T_{r_D}\left(T_{r_{MCS}}\left(x\right)modp\right)\Vert T{S}_2)$ and $V_3=h\left(I{D}_D\Vert Ce{r}_D\Vert R_D\Vert IN{D}_{PHI}\right)$, where $IN{D}_{PHI}$ is the medical-record number that Doc requires. Then, Doc sends $\{NI{D}_D,NI{D}_P,V_1,V_3,C_P,T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\}$ to MCS.

Step 3: On receiving the messages from Doc, MCS checks the timestamp $T{S}_2\leqq \Delta T$, and computes $S{K}_{DMCS}=h\left(T_{r_{MCS}}\left(T_b\left(\mathrm{x}\right)modp\right)\right)$ by using $r_{MCS}$, $\left(I{D}_D\Vert R_D\Vert IN{D}_{PHI}\right)=D_{S{K}_{DMCS}}\left(NI{D}_D\right)$, $Ce{r}_D=h(T_{r_{MCS}}\left(T_{r_D}\left(x\right)modp\right)\Vert T{S}_2)$ and $V_3=h\left(I{D}_D\Vert Ce{r}_D\Vert R_D\Vert IN{D}_{PHI}\right)$. If $V_3^{\prime }=V_3$ does not hold, then MCS rejects this service request; otherwise, MCS successfully authenticates Doc and computes $(I{D}_P\Vert W_P||R_{MCS}\Vert w)=D_{r_{MCS}}\left(NI{D}_P\right)$, $Ce{r}_P=h(T_{r_P}\left(T_{r_{MCS}}\left(x\right)modp\right)\Vert T{S}_1)$, $R_P=C_P\oplus Ce{r}_P$, $P_P^{\prime }=h(W_P\Vert I{D}_P\Vert I{D}_D\Vert T_a\left(x\right))$, $X_P^{\prime }=h(I{D}_P\Vert R_{MCS})$ and $V_1^{\prime }=h(X_P^{\prime }\Vert P_P^{\prime }\Vert Ce{r}_P\Vert R_P$). If $V_1^{\prime }=V_1$ holds, then MCS successfully authenticates Pat, and stores $PHI$ in its database by using $IN{D}_{PHI}$. Then, MCS chooses $R_{new},c$ and computes $T_c\left(x\right)$, $S{K}_D=h\left(T_c\left(T_b\left(\mathrm{x}\right)modp\right)\right)$, $D_{PHI}=E_{S{K}_D}\left(PHI\right)$, $V_4=h(I{D}_D\Vert S{K}_D\Vert R_D\Vert IN{D}_{PHI}\Vert h\left(PHI\right))$, $S{K}_{MCSP}=h\left(T_c\left(T_a\left(\mathrm{x}\right)modp\right)\right)$, a new temporal identity $NI{D}_P^{new}=E_{r_{MCS}}\left(I{D}_P\Vert W_P\Vert R_{new}\Vert w\right)$, $X_P^{new}=h(I{D}_P\Vert R_{new}$), $QI{D}_P=E_{S{K}_{MCSP}}(NI{D}_P^{new}\Vert X_P^{new}$) and $V_5=h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right)$. Then MCS sends $\left\{QI{D}_P,V_4,V_5,D_{PHI},T_c\left(x\right)\right\}$ to Doc.

Step 4: On receiving $\left\{QI{D}_P,V_4,V_5,T_c\left(x\right)\right\}$ from MCS, Doc computes $S{K}_D=h\left(T_b\left(T_c\left(\mathrm{x}\right)modp\right)\right)$, $PHI=D_{S{K}_D}\left(D_{PHI}\right)$, $V_4^{\prime }=h(I{D}_D\Vert S{K}_D\Vert R_D\Vert IN{D}_{PHI}\Vert h\left(PHI\right))$ and checks whether $V_4^{\prime }=V_4$ holds or not. If unsuccessful, D aborts this session. Otherwise, Doc sends $\left\{QI{D}_P,V_5,T_c\left(x\right)\right\}$ to Pat.

Step 5: On receiving $\left\{QI{D}_P,V_5,T_c\left(x\right)\right\}$ from Doc, Pat computes $S{K}_{MCSP}=h\left(T_a\left(T_c\left(\mathrm{x}\right)modp\right)\right)$ and decrypts $QI{D}_P$ with $S{K}_{MCSP}$ and obtains $(NI{D}_P^{new}\Vert X_P^{new})$. Then, Pat computes $V_5^{\prime }=h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right)$ and checks whether $V_5^{\prime }=V_5$ holds or not. If unsuccessful, Pat aborts this request. Otherwise, Pat computes $Y_P^{new}=X_P^{new}\oplus W_P$ and replaces $\left\{NI{D}_P,Y_P\right\}$ as $\{NI{D}_P^{new},Y_P^{new}\}$ in SC.

3.5. Emergency-Exception-Handling Phase

Figure 5 illustrates the processes of the emergency-exception-handling phase of the proposed scheme, which are described as follows.

Step 1: Doctor Doc selects random numbers $R_D,a$ and timestamp $T{S}_1$, computes $T_a\left(x\right)modp$, $Ce{r}_D=h(T_{r_D}\left(T_{r_{MCS}}\left(x\right)modp\right)\Vert T{S}_1)$, $Re{q}_{PHI}=E_{Ce{r}_D}\left(I{D}_P\Vert R_D\Vert IN{D}_{PHI}\right)$, where $IN{D}_{PHI}$ is the medical-record index number that Doc requires. $V_1=h(I{D}_D\Vert I{D}_P\Vert Ce{r}_D\Vert T_a\left(x\right)\Vert R_D)$. Then, Doc sends $\left\{I{D}_D,Re{q}_{PHI},V_1,T_a\left(x\right),T{S}_1\right\}$ to MCS.

Step 2: On receiving the messages from Doc, MCS checks the timestamp $T{S}_1\leqq \Delta T$, and computes $S{K}_{DMCS}=h\left(T_{r_{MCS}}\left(T_b\left(\mathrm{x}\right)modp\right)\right)$ by using $r_{MCS}$, $\left(I{D}_D\Vert R_D\Vert IN{D}_{PHI}\right)=D_{S{K}_{DMCS}}\left(Re{q}_{PHI}\right)$, $Ce{r}_D=h(T_{r_{MCS}}\left(T_{r_D}\left(x\right)modp\right)\Vert T{S}_1)$, $V_1=h(I{D}_D\Vert I{D}_P\Vert Ce{r}_D\Vert T_a\left(x\right)\Vert R_D)$. If $V_1^{\prime }=V_1$ does not hold, then MCS rejects this service request; otherwise, MCS successfully authenticates Doc, stores $PH{I}_P$ in its database by using the index $IN{D}_{PHI}$, selects $T{S}_2,b$ and computes $T_b\left(x\right)modp$, $S{K}_D=h\left(T_b\left(T_a\left(\mathrm{x}\right)modp\right)\right)$, $D_{PHI}=E_{S{K}_D}\left(PH{I}_P\right)$, $V_2=h\left(I{D}_D\Vert S{K}_D\Vert h\left(PH{I}_P\right)\Vert T{S}_2\Vert R_D\right)$. Then, MCS sends $\left\{D_{PHI},V_2,T_b\left(x\right),T{S}_2\right\}$ to Doc.

Step 3: On receiving $\left\{D_{PHI},V_2,T_b\left(x\right),T{S}_2\right\}$ from MCS, Doc checks the timestamp $T{S}_2\leqq \Delta T$, computes $S{K}_D=h\left(T_a\left(T_b\left(x\right)modp\right)\right)$, $PH{I}_P=D_{S{K}_D}\left(D_{PHI}\right)$, $V_2^{\prime }=h\left(I{D}_D\Vert S{K}_D\Vert h\left(PH{I}_P\right)\Vert T{S}_2\Vert R_D\right)$ and checks whether $V_2^{\prime }=V_2$ holds or not. If unsuccessful, Doc aborts this session. Otherwise, Doc successfully authenticates MCS and obtains the correct $PH{I}_P$ of Pat.

3.6. Password-Updating Phase

Figure 6 illustrates the processes of the password-updating phase of the proposed scheme, which are described as follows.

Step 1: Patient Pat inputs his/her identity $I{D}_P$, password $P{W}_P$ and a new password $P{W}_P^{new}$ and computes $W_P=I{D}_P\oplus P{W}_P$, $X_P=Y_P\oplus W_P$, $W_P^{new}=I{D}_P\oplus P{W}_P^{new}$. Then, Pat selects random numbers $R_P$ and a, a timestamp $T{S}_1$, computes $T_a\left(x\right)modp$, $P_P=h(W_P\Vert I{D}_P\Vert I{D}_D\Vert T_a\left(x\right))$, $Ce{r}_P=h(T_{r_P}\left(T_{r_{MCS}}\left(x\right)modp\right)\Vert T{S}_1)$, $NP{W}_P=Ce{r}_P\oplus (W_P^{new}\Vert R_P)$, $V_1=h\left(X_P\Vert Ce{r}_P\Vert R_P\Vert T_a\left(x\right)\Vert W_P\Vert W_P^{new}\right)$ and sends $\{NI{D}_P,NP{W}_P,V_1,T_a\left(x\right),T{S}_1\}$ to MCS.

Step 2: On receiving the messages from Pat, MCS checks the timestamp $T{S}_1\leqq \Delta T$, and computes $(I{D}_P\Vert W_P\Vert R_{MCS}\Vert w)=D_{r_{MCS}}\left(NI{D}_P\right)$, $Ce{r}_P^{\prime }=h(T_{r_P}\left(T_{r_{MCS}}\left(x\right)modp\right)\Vert T{S}_1)$, $(W_P^{new}\Vert R_P)=NP{W}_P\oplus Ce{r}_P^{\prime }$, $X_P^{\prime }=h(I{D}_P\Vert R_{MCS})$ and $V_1=h(X_P^{\prime }\Vert Ce{r}_P^{\prime }\Vert R_P\Vert T_a\left(x\right)\Vert W_P\Vert W_P^{new})$. If $V_1=V_1^{\prime }$ holds, then MCS successfully authenticates the patient Pat, and selects $R_{new},c$, computes $T_c\left(x\right)modp$, $S{K}_{MCSP}=h\left(T_c\left(T_a\left(\mathrm{x}\right)modp\right)\right)$, $NI{D}_P^{new}=E_{T_{MCS}\left(X\right)}\left(I{D}_P\Vert W_P^{new}\Vert R_{new}\Vert w\right)$, $X_P^{new}=h(I{D}_P\Vert R_{new})$ and sends $\left\{QI{D}_P,V_2,T_c\left(x\right)\right\}$ to Pat.

Step 3: On receiving $\left\{QI{D}_P,V_2,T_c\left(x\right)\right\}$ from MCS, Pat computes $S{K}_{MCSP}=h\left(T_a\left(T_c\left(\mathrm{x}\right)modp\right)\right)$, decrypts $QI{D}_P$ with $S{K}_{MCSP}$ and obtains $(NI{D}_P^{new}\Vert X_P^{new})$. Then, Pat computes $V_2^{\prime }=h\left(NI{D}_P^{new}\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right)$ and checks whether $V_2^{\prime }=V_2$ holds or not. If unsuccessful, Pat aborts this request. Otherwise, Pat computes $Y_P^{new}=X_P^{new}\oplus W_P$ and replaces $\left\{NI{D}_P,Y_P\right\}$ as $\{NI{D}_P^{new},Y_P^{new}\}$ in SC.

4. Security and Performance Analyses

This section presents the authentication proof using BAN logic [34], analyzes the security of the proposed scheme and provides performance and functionality comparisons between the related schemes and the proposed scheme.

4.1. Authentication Proof of the Proposed Scheme Using BAN Logic

This subsection shows that the proposed scheme satisfies the session-key security and mutual authentication by using BAN logic [34].

Table 2. BAN logic notations [34].

Notation	Abbreviation
$P$$|\equiv X$	The entity $P$ believes the statement $X$
$P⟹X$	$P$ has jurisdiction over the statement $X$
$P |~X$	$P$ once said $X$
$P⨞$$X$	$P$ sees $X$
$\langle X{\rangle }_K$	Formula $X$ is encrypted under the key $K$
$P \stackrel{K}{\leftrightarrow } Q$	$P$ and $Q$ communicate via shared key $K$
$P\to Q :m$	$P$ sends the message $m$ and $Q$ receives it
$\#X$	The message $\#X$ is freshly generated

lists the notations of BAN logic.

4.1.1. Inference Rules of BAN Logic

• Rule 1. $\frac{P|\equiv P\stackrel{K}{\leftrightarrow }Q, P ⨞ {\langle X\rangle }_K }{P|\equiv Q~X}$: If the entity $P$ believes that the secret $K$ is shared with $Q$ and sees message $\mathrm{X}$ is encrypted using $K$, then $\mathrm{P}$ believes that $Q$ once said $X$.
• Rule 2. $\frac{P|\equiv \#\left(X\right),P|\equiv Q~X}{P|\equiv Q|\equiv X}$: If the entity $P$ believes that $X$ is fresh and the entity $Q$ once said $X$, then $P$ believes that $Q$ believes $X$.
• Rule 3. $\frac{P|\equiv Q⟹X, P|\equiv Q|\equiv X }{P|\equiv X}$: If the entity $P$ believes that $Q$ has jurisdiction over $X$ and $Q$ believes $X$, then $\mathrm{P}$ believes that $X$ is true.
• Rule 4. $\frac{P|\equiv \#\left(X\right), P|\equiv Q|\equiv X}{P|\equiv P\stackrel{K}{\leftrightarrow }Q}$: If the entity $P$ believes that $X$ is fresh and $Q$ believes $X$, then $P$ believes the secret $K$ that is shared between both entities $P$ and $Q$.
• Rule 5. $\frac{P|\equiv \#\left(X\right)}{P|\equiv \#\left(X, Y\right)}$: If the entity $P$ believes that $X$ is fresh, then $P$ believes the freshness of $\left(X, Y\right)$.

4.1.2. Goals of Authentication Proof

• Goal1: $MCS \left|\equiv Pat \right|\equiv MCS\stackrel{SK}{\leftrightarrow }Pat$
• Goal2: $MCS \left|\equiv Doc\right|\equiv MCS\stackrel{SK}{\leftrightarrow }Doc$
• Goal 3: $Doc \left|\equiv MCS \right|\equiv Doc \stackrel{SK}{\leftrightarrow }MCS$
• Goal4: $Pat \left|\equiv MCS \right|\equiv Pat \stackrel{SK}{\leftrightarrow }MCS$
• Goal 5: $Doc \left|\equiv Pat \right|\equiv Doc \stackrel{SK}{\leftrightarrow }Pat$
• Goal 6: $Pat \left|\equiv Doc \right|\equiv Pat \stackrel{SK}{\leftrightarrow }Doc$

4.1.3. Idealized Form

• M₁. $\left(Pat\to Doc\right):\{NI{D}_{PD},NI{D}_P,V_1:h\left(X_P\Vert P_P\Vert {Cer}_P\Vert R_P\right),V_2:h(I{D}_P\Vert {Cer}_{PD}),C_P:\langle P_P\rangle {}_{{Cer}_P},$ $T_a\left(x\right),{TS}_1\}$
• M₂. $\left(Doc\to MCS\right):\{NI{D}_D,NI{D}_P,V_1,V_3:h\left(I{D}_D\Vert {Cer}_D\Vert PHI\Vert R_D\right),C_P,D_{PHI}:{\langle PHI\rangle }_{{Cer}_D},$ $T_a\left(x\right),T_b\left(x\right),{TS}_1,{TS}_2\}$
• M₃. ($MCS\to Doc):\{{QID}_P:\langle {NID}_P^{new}\Vert X_P^{new}\rangle {}_{{SK}_{MCSP}},V_4:h\left({ID}_D\Vert R_D\right),$ $V_5:h\left({NID}_P^{new}\Vert {ID}_P\Vert {SK}_{MCSP}\Vert R_P\Vert X_P^{new}\right),T_c\left(x\right)\}$
• M₄.($Doc\to Pat):\left\{{QID}_P,V_5,T_c\left(x\right)\right\}$

4.1.4. Assumptions

• AS₁: $MCS$ |$\equiv$ #$h\left(X_P\Vert P_P\Vert Ce{r}_P\Vert R_P\right)$
• AS₂: $MCS$ |$\equiv$ #$h\left(I{D}_D\Vert Ce{r}_D\Vert PHI\Vert R_D\right)$
• AS₃: $Pat$ |$\equiv Pat$ $\stackrel{ T_{r_P{r}_{MCS}}\left(x\right) }{\leftrightarrow }$ $MCS$
• AS₄: $Doc$ |$\equiv$ $Doc$ $\stackrel{ T_{r_D{r}_{MCS}}\left(x\right) }{\leftrightarrow }$ $MCS$
• AS₅: $MCS$ |$\equiv$ $MCS$ $\stackrel{ T_{r_P{r}_{MCS}}\left(x\right) }{\leftrightarrow }$ $Pat$
• AS₅: $MCS$ |$\equiv$ $MCS$ $\stackrel{ T_{r_D{r}_{MCS}}\left(x\right) }{\leftrightarrow }$ $Doc$
• AS₇:$MCS$ |$\equiv$ $Pat$ $⟹R_P$
• AS₈: $MCS$ |$\equiv$ $Doc$ $⟹R_D$
• AS₉: $Doc$ |$\equiv$ $MCS$ $⟹h\left(I{D}_D\Vert R_D\right)$
• AS₁₀: $Pat$ |$\equiv$ $MCS$ $⟹h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right)$
• AS₁₁: $Doc$ |$\equiv$ $Doc$ $\stackrel{ T_{r_P{r}_D}\left(x\right) }{\leftrightarrow }$ $Pat$
• AS₁₂: $Pat$ |$\equiv$ $Pat$ $\stackrel{ T_{r_P{r}_D}\left(x\right) }{\leftrightarrow }$ $Doc$
• AS₁₃: $Doc$ |$\equiv Pat$ $⟹Ce{r}_{PD}$
• AS₁₄: $Pat$ |$\equiv Doc$ $⟹I{D}_P$

4.1.5. Verification

By using Message M₂,

$$\begin{gathered} MCS ⨞\{NI{D}_D,NI{D}_P,V_1:h\left(X_P\Vert P_P\Vert {Cer}_P\Vert R_P\right), \\ {V}_3:h\left(I{D}_D\Vert Ce{r}_D\Vert PHI\Vert R_D\right),C_P,D_{PHI}:PH{I}_{Ce{r}_D},T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\}. \end{gathered}$$

(5)

From Rule 1 and AS₅,

$$S_1:MCS|\equiv Pat|\sim R_P.$$

(6)

From Rule 2 and AS₁,

$$S_2:MCS|\equiv Pat|\equiv R_P.$$

(7)

From Rule 3 and AS₇,

$$S_3:MCS|\equiv R_P.$$

(8)

From Rule 4, AS₁ and $S_2$,

$$S_4:MCS|\equiv MCS\stackrel{SK}{\leftrightarrow }Pat.$$

Further, using Rule 2, AS₁ and $S_1$,

$$S_5:MCS|\equiv Pat|\equiv MCS\stackrel{SK}{\leftrightarrow }Pat.\mathbf{Goal}\mathbf{1}$$

(9)

By using similar arguments, from Rule 1 and AS₆,

$$S_6:MCS|\equiv Doc|\sim R_D.$$

(10)

From Rule 2 and AS₂ and $S_6$,

$$S_7:MCS|\equiv Doc|\equiv R_D.$$

(11)

From Rule 3 and AS₈,

$$S_8:MCS|\equiv R_D.$$

(12)

According to Rule 4, AS₂ and $S_7$,

$$S_9:MCS|\equiv MCS\stackrel{SK}{\leftrightarrow }Doc.$$

(13)

Using Rule 2, AS₂ and $S_6$, we have

$$S_{10}:MCS|\equiv Doc|\equiv MCS\stackrel{SK}{\leftrightarrow }Doc.\mathbf{Goal}\mathbf{2}$$

By using Message M₃,

$$\begin{gathered} Doc⨞ \\ \{{QID}_P:\langle {NID}_P^{new}\Vert X_P^{new}\rangle {}_{{SK}_{MCSP}},V_4:h\left(I{D}_D\Vert R_D\right), \\ {V}_5:h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right),T_c\left(x\right)\} \end{gathered}$$

(14)

From Rule 1 and AS₄,

$$S_{11}:Doc|\equiv MCS |\sim h\left(I{D}_D\Vert R_D\right).$$

(15)

From Rule 5 and ($Doc$ |$\equiv \# R_D)$,

$$S_{12}:Doc|\equiv \# h\left(I{D}_D\Vert R_D\right).$$

(16)

From Rule 2, $S_{11}$ and $S_{12}$,

$$S_{13}:Doc|\equiv MCS|\equiv h\left(I{D}_D\Vert R_D\right).$$

(17)

Then, from Rule 3 and AS₉,

$$S_{14}:Doc|\equiv h\left(I{D}_D\Vert R_D\right).$$

(18)

According to Rule 4, $S_{12}$ and $S_{13}$,

$$S_{15}:Doc|\equiv Doc\stackrel{SK}{\leftrightarrow }MCS.$$

(19)

Further, using Rule 2, $S_{11}$ and $S_{12}$,

$$S_{16}:Doc|\equiv MCS|\equiv Doc\stackrel{SK}{\leftrightarrow }MCS.\mathbf{Goal}\mathbf{3}$$

By using similar arguments and Message M₄,

$$Pat⨞\left\{QI{D}_P,V_5:h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right),T_c\left(x\right)\right\}.$$

(20)

From Rule 1 and AS₃,

$$S_{17}:Pat|\equiv MCS |\sim h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right).$$

(21)

From Rule 5 and ($Pat$ |$\equiv \# R_D)$,

$$S_{18}:Pat|\equiv \# h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right).$$

(22)

From Rule 2, $V_{17}$ and $V_{18}$,

$$S_{19}:Pat|\equiv MCS|\equiv h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right).$$

(23)

Then, from Rule 3 and AS₁₀,

$$S_{20}:Pat|\equiv h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right).$$

(24)

According to Rule 4, $S_{18}$ and $S_{19}$,

$$S_{21}:Pat|\equiv Pat\stackrel{SK}{\leftrightarrow }MCS.$$

(25)

Further, using Rule 2, $S_{17}$ and $S_{18}$,

$$S_{22}:Pat |\equiv MCS|\equiv Pat\stackrel{SK}{\leftrightarrow }MCS.\mathbf{Goal}\mathbf{4}$$

(26)

By using Message M₁,

$$Doc⨞\{NI{D}_{PD},NI{D}_P,V_1:h\left(X_P\Vert P_P\Vert Ce{r}_P\Vert R_P\right),V_2:h(I{D}_P\Vert Ce{r}_{PD}),C_P:\langle P_P\rangle {}_{Ce{r}_P},T_a\left(x\right),T{S}_1\}$$

(27)

From Rule 1 and AS₁₁,

$$S_{23}:Doc|\equiv Pat |\sim Ce{r}_{PD}.$$

(28)

From Rule 5 and ($Doc$ |$\equiv \# T{S}_1)$,

$$S_{24}:Doc|\equiv \# Ce{r}_{PD}.$$

(29)

From Rule 2, $V_{23}$ and $V_{24}$,

$$S_{25}:Doc|\equiv Pat|\equiv Ce{r}_{PD}.$$

(30)

Then, from Rule 3 and AS₁₃,

$$S_{26}:Doc|\equiv Ce{r}_{PD}.$$

(31)

According to Rule 4, $S_{24}$ and $S_{25}$,

$$S_{27}:Doc|\equiv Doc\stackrel{SK}{\leftrightarrow }Pat.$$

(32)

Further, using Rule 2, $S_{23}$ and $S_{24}$,

$$S_{28}:Doc|\equiv Pat|\equiv Doc\stackrel{SK}{\leftrightarrow }Pat.\mathbf{Goal}\mathbf{5}$$

(33)

By using Message M₄,

$$Pat⨞\left\{QI{D}_P,V_5:h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right),T_c\left(x\right)\right\}.$$

(34)

From Rule 1 and AS₁₂,

$$S_{29}:Pat|\equiv Doc |\sim I{D}_P.$$

(35)

From Rule 2 and $S_{18}$: $Pat$ |$\equiv \#h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right)$,

$$S_{30}:Pat|\equiv Doc|\equiv I{D}_P.$$

(36)

Then, from Rule 3 and AS₁₄,

$$S_{31}:Pat|\equiv I{D}_P.$$

(37)

According to Rule 4, $S_{18}$ and $S_{30}$,

$$S_{32}:Pat|\equiv Pat\stackrel{SK}{\leftrightarrow }Doc.$$

(38)

Further, using Rule 2, $S_{29}$ and $S_{30}$,

$$S_{33}:Pat|\equiv Doc|\equiv Pat\stackrel{SK}{\leftrightarrow }Doc.\mathbf{Goal}\mathbf{6}$$

(39)

The proof is completed.

4.2. Security Analyses

4.2.1. Mutual Authentication (Threat Model 1)

In the proposed scheme, Medical-Center Server MCS authenticates Doctor Doc by checking $V_3$ since only Doc and MCS have capability to compute $Ce{r}_D$, and thus $V_3$, where $Ce{r}_D=h(T_{r_{MCS}{r}_D}\left(x\right)\mathrm{mod} p\Vert T{S}_2)$, $PHI=D_{PHI}\oplus Ce{r}_D$ and $V_3=h\left(I{D}_D\Vert Ce{r}_D\Vert PHI\Vert R_D\right)$. Similarly, MCS authenticates Patient P by checking $V_1$ since only Pat and MCS have capability to compute $Ce{r}_P$, and thus $V_1$, where $Ce{r}_P=h(T_{r_{MCS}{r}_P}\left(x\right)\mathrm{mod} p\Vert T{S}_1)$ and $V_1=h(X_P\Vert P_P\Vert Ce{r}_P\Vert R_P$). Patient Pat authenticates MCS by checking $V_5$, since only MCS can compute $Ce{r}_P$, and thus $R_P$, where $R_P=C_P\oplus Ce{r}_P$ and $V_5=h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right)$. Patient Pat implicitly authenticates Doc through MCS by checking $V_1$ and $V_3$ to make sure that the doctor Doc is authorized by using $P_P$, where $P_P=h(W_P\Vert I{D}_P\Vert I{D}_D\Vert T_a\left(x\right))$. Doctor Doc authenticates MCS by checking $V_4$, since only MCS can compute $S{K}_{DMCS}$ and derive $R_D$ from $NI{D}_D$, where $S{K}_{DMCS}=h\left(T_{b{r}_{MCS}}\left(x\right)\mathrm{mod} p\right)$ $NI{D}_D=E_{S{K}_{DMCS}}\left(I{D}_D\Vert R_D\right)$, and $V_4=h\left(I{D}_D\Vert R_D\right)$. Doctor Doc implicitly authenticates Pat through MCS by checking $V_4$ since MCS will send $V_4$ after P passes the authentication of MCS.

4.2.2. Session-Key Security (AKE-Security, Threat Model 1)

In order to ensure the security of PHI, the proposed scheme uses the chaotic-map-based Diffie–Hellman key exchange to negotiate the session keys $S{K}_{MCSP}=h\left(T_{a·c}\left(\mathrm{x}\right)mod p\right)$ of Pat and MCS, $S{K}_D=h\left(T_{a·b}\left(x\right)mod p\right)$ of Doc and MCS, and $S{K}_{PD}=h\left(T_{a·r_D}\left(x\right)mod p\right)$ of Pat and Doc. Therefore, the session-key security of the proposed scheme is based on ECM-DHP and one-way property of the hash function, and thus is negligible. Hence, the proposed scheme provides session-key security.

4.2.3. Resisting Password-Guessing Attacks (Threat Model 2)

• Undetectable online password-guessing attack:

A malicious attacker A who has $SC:\left\{NI{D}_P,Y_P\right\}$ can guess a password $P{W}_P^{\prime }$, and compute $W_P^{\prime }=h(I{D}_P^{\prime }\Vert P{W}_P^{\prime })$, $X_P^{\prime }=Y_P\oplus W_P^{\prime }$ and $P_P^{\prime }=h(W_P^{\prime }\Vert I{D}_P^{\prime }\Vert I{D}_D\Vert T_a\left(x\right))$. A cannot compute $Ce{r}_P$ without $r_P$ and $r_{MCS}$ because of ECM-DLP. Thus, A cannot successfully compute a $V_1^{\prime }=h\left(X_P^{\prime }\Vert P_P^{\prime }\Vert Ce{r}_P\Vert R_P\right)$ and send it to MCS. Thus, an incorrect online guess will be detected by MCS. Therefore, the proposed scheme resists undetectable online password-guessing attacks.

2.

Offline password-guessing attack:

A malicious attacker A who has $SC:\left\{NI{D}_P,Y_P\right\}$ can guess a password $P{W}_P^{\prime }$, and compute $W_P^{\prime }=h(I{D}_P^{\prime }\Vert P{W}_P^{\prime })$, $X_P^{\prime }=Y_P\oplus W_P^{\prime }$ and $P_P^{\prime }=h(W_P^{\prime }\Vert I{D}_P^{\prime }\Vert I{D}_D\Vert T_a\left(x\right))$. A cannot compute $Ce{r}_P$ without $r_P$ and $r_{MCS}$ because of ECM-DLP. Consequently, A cannot compute a $V_1^{\prime }=h\left(X_P^{\prime }\Vert P_P^{\prime }\Vert Ce{r}_P\Vert R_P\right)$ to verify $V_1^{\prime }=?V_1$. Additionally, $W_P$, which contains $P{W}_P$, in $NI{D}_P$ is encrypted with MCS’s secret key $r_{MCS}$, where $W_P=h(I{D}_P\Vert P{W}_P)$ and $NI{D}_P=E_{r_{MCS}}(I{D}_P\Vert W_P\Vert R_{MCS}\Vert w)$. Thus, A cannot obtain any information about $W_P$ and $P{W}_P$ without $r_{MCS}$. Therefore, the proposed scheme resists offline password-guessing attacks.

4.2.4. Resisting Impersonation Attacks (Threat Model 1)

A malicious attacker Pat* has $SC:\left\{NI{D}_P,Y_P\right\}$ and tries to impersonate Pat. Pat* cannot derive $W_P$ from $NI{D}_P$, where $NI{D}_P=E_{r_{MCS}}(I{D}_P\Vert W_P\Vert R_{MCS}\Vert w)$, because of the security of the symmetric en/decryption algorithm. Moreover, Pat* cannot derive the private key $r_P$ from a previous message $V_1$, where $V_1=h\left(X_P\Vert P_P\Vert Ce{r}_P\Vert R_P\right)$ and $Ce{r}_P=h\left(T_{r_P{r}_{MCS}}\left(x\right)mod p\Vert T{S}_1\right)$, because of the one-way hash property and ECM-DLP. Hence, Pat* cannot compute the correct $W_P$, $Ce{r}_P$, $P_P$ and $V_1$ without the correct $P{W}_P$ and $r_P$, where $W_P=h(I{D}_P\Vert P{W}_P)$, $P_P=h(W_P\Vert I{D}_P\Vert I{D}_D\Vert T_a\left(x\right))$, $Ce{r}_P=h(T_{r_P}\left(T_{r_{MCS}}\left(x\right)mod p\right)\Vert T{S}_1)$, $V_1=h(X_P\Vert P_P\Vert Ce{r}_P\Vert R_P$), and cannot send out the correct $\{NI{D}_{PD},NI{D}_P,V_1,V_2,C_P,T_a\left(x\right),T{S}_1\}$. Therefore, a login will be detected by Doc or MCS.

Similarly, a malicious attacker Doc* tries to impersonate Doc. Doc* cannot derive the private key $r_D$ from previous messages $V_2$ and $V_3$, where $Ce{r}_{PD}=h(T_P\left(T_{r_D}\left(x\right)mod p\right)\Vert T{S}_1)$, $V_2=h(I{D}_P\Vert Ce{r}_{PD})$, $V_3=h\left(I{D}_D\Vert Ce{r}_D\Vert PHI\Vert R_D\right)$) and $Ce{r}_P=h\left(T_{r_P{r}_{MCS}}\left(x\right)mod p\Vert T{S}_1\right)$, because of the one-way hash property and ECM-DLP. Then, Doc* cannot compute $S{K}_{PD}=h\left(T_{r_D}\left(T_a\left(\mathrm{x}\right)mod p\right)\right)$, $Ce{r}_D=h(T_{r_D}\left(T_{r_{MCS}}\left(x\right)mod p\right)\Vert T{S}_2)$, $D_{PHI}=Ce{r}_D\oplus PHI$, and $V_3=h\left(I{D}_D\Vert Ce{r}_D\Vert PHI\Vert R_D\right)$ without $r_D$, and so cannot send out the correct $\{NI{D}_D,NI{D}_P,V_1,V_3,C_P,D_{PHI},T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\}$. Therefore, a login failure will be detected by MCS.

4.2.5. Resisting Replay Attacks (Threat Model 1)

All communication messages among Pat, Doc and MCS contain timestamps $T{S}_i$ to guarantee message freshness so the proposed scheme is secure against replay attacks.

4.2.6. Resisting Man-in-the-Middle Attacks (Threat Model 4)

An attacker A intercepts patient transmission $M_1=\{NI{D}_{PD},NI{D}_P,V_1,V_2,C_P,T_a\left(x\right),T{S}_1\}$ and $M_4=\left\{QI{D}_P,V_5,T_c\left(x\right)\right\}$ between Pat and Doc. A cannot successfully modify $M_1$ without $P{W}_P$, $r_P$ or $r_D$ because of the one-way hash property and ECM-DLP, where $W_P=h(I{D}_P\Vert P{W}_P)$,$P_P=h(W_P\Vert I{D}_P\Vert I{D}_D\Vert T_a\left(x\right))$, $Ce{r}_P=h(T_{r_P}\left(T_{r_{MCS}}\left(x\right)mod p\right)\Vert T{S}_1)$, $V_1=h(X_P\Vert P_P\Vert Ce{r}_P\Vert R_P$) and $V_2=h(I{D}_P\Vert Ce{r}_{PD})$. A cannot successfully modify $M_4$ without $r_P$ and $r_{MCS}$ because of the one-way hash property and ECM-DLP, where $QI{D}_P=E_{S{K}_{MCSP}}(NI{D}_P^{new}\Vert X_P^{new})$, $NI{D}_P^{new}=E_{r_{MCS}}\left(I{D}_P\Vert W_P\Vert R_{new}\Vert w\right)$, $X_P^{new}=h(I{D}_P\Vert R_{new})$, $QI{D}_P=E_{S{K}_{MCSP}}(NI{D}_P^{new}\Vert X_P^{new})$, and $V_5=h\left(NI{D}_P^{new}\Vert I{D}_P\Vert S{K}_{MCSP}\Vert R_P\Vert X_P^{new}\right)$. An attacker A intercepts patient transmission $M_2=\left\{NI{D}_P,NI{D}_D,V_1,V_3,C_P,D_{PHI},T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\right\}$ and $M_3=\left\{QI{D}_P,V_4,V_5,T_c\left(x\right)\right\}$ between Doc and MCS. A cannot successfully modify $(M_2-M_1)$ and $\left(M_3-M_4\right)$ without $r_{MCS}$ or $r_D$ because of the one-way hash property and ECM-DLP, where $S{K}_{PD}=h\left(T_{r_D·a}\left(\mathrm{x}\right)mod p\right)$, $I{D}_P=NI{D}_{PD}\oplus S{K}_{PD}$, $Ce{r}_{PD}=h(T_{r_D·r_P}\left(x\right)mod p\Vert T{S}_1)$, $S{K}_{DMCS}=h\left(T_{b·r_{MCS}}\left(x\right)mod p\right)$, $NI{D}_D=E_{S{K}_{DMCS}}\left(I{D}_D\Vert R_D\right)$, $Ce{r}_D=h(T_{r_D·r_{MCS}}\left(x\right)mod p\Vert T{S}_2),$ $D_{PHI}=Ce{r}_D\oplus PHI$ and $V_3=h\left(I{D}_D\Vert Ce{r}_D\Vert PHI\Vert R_D\right)$. Hence, the proposed scheme can avoid the attacker A’s trick for Pat, Doc and MCS, and resists man-in-the-middle attacks.

4.2.7. Resisting Stolen Verifier Attacks (Threat Model 3)

The proposed scheme does not require a verifier table maintained by MCS to authenticate Pat and Doc. Hence, stolen verifier attacks are not an issue.

4.2.8. Resisting Denial-of-Service Attacks (Threat Model 5)

In the proposed scheme, if Pat’s smartcard $SC:\left\{NI{D}_P,Y_P\right\}$ is stolen or lost, a malicious attacker A who has $SC:\left\{NI{D}_P,Y_P\right\}$ cannot successfully perform an undetectable online password-guessing attack to make new passwords, so the proposed scheme is resistant to denial-of-service attacks.

4.2.9. Compliance with HIPAA Privacy/Security Regulations

• Patients’ understanding: The patient Pat has signed privacy contract w during the registration phase, which clearly states how MCS will use, store and access PHI.
• Confidentiality (Threat model 2): This subsection concerns three phases—uploading of the patient’s PHI, access of the patient’s PHI and emergency-exception handling. In the uploading of the patient’s PHI, the doctor Doc checks the patient’s authorization through MCS. Doc and MCS generate the key $Ce{r}_D$ by performing the extended chaotic Diffie–Hellman key exchange to ensure the security of Pat’s PHI. In the patient’s PHI access phase, the doctor Doc checks Pat’s authorization $P_P$ through MCS. Doc and MCS generate the key $S{K}_D$ by performing the extended chaotic Diffie–Hellman key exchange to protect Pat’s PHI. In the emergency-exception-handling phase, the doctor Doc checks Pat’s identity through MCS. Doc and MCS generate the key $S{K}_D$ by performing the extended chaotic Diffie–Hellman key exchange to ensure the security of Pat’s PHI.
• Patient’s control of PHI: Patient Pat generates an authorization $P_P$ and sends it to MCS. MCS checks the authorization $P_P$ that Pat gives Doc. Then, Doc negotiates the encryption key $S{K}_D$ with MCS and securely accesses Pat’s PHI, which is encrypted with $S{K}_D$. Therefore, Pat must authorize access control to patient information PHI.
• PHI integrity (Threat model 4): The proposed scheme ensures the integrity of the medical-record information during the transmission of PHI by checking the confirmation message $V_4=h(I{D}_D\Vert S{K}_D\Vert R_D\Vert IN{D}_{PHI}\Vert PHI)$.
• Consent exception: When the patient has signed a privacy contract $w$ during registration and an emergency or special situation arises, Doc is authorized to access the patient’s medical records or health information PHI from MCS. First, Doc and MCS realize mutual authentication by verifying $Ce{r}_D$, where $Ce{r}_D=h(T_{r_D·r_{MCS}}\left(x\right)mod p\Vert T{S}_1)$, $r_D$ is the Doc’s private key and $r_{MCS}$ is the private key of MCS. Then, Doc and MCS generate the session key $S{K}_D$ by using the chaotic-map-based Diffie–Hellman key exchange to ensure the security of PHI, where $S{K}_D=h\left(T_{a·b}\left(x\right)mod p\right)$. Therefore, the proposed scheme provides emergency-exception handling to protect the patients’ life and rights.

4.3. Performance Comparison

Table 3. Performance comparison.

Phases	Registration	PHI Uploading	PHI Access	Emergency-Exception	Password-Updating
Hu et al. [3]	$6T_A+T_S$ 2.254 s	$5T_A+T_S+T_H$ 1.8874 s	$4T_A+T_S$ 1.5198 s	$2T_A$ 0.7342 s	-
Ray-Biswas [5]	$4T_A+T_H$ 1.4689 s	$5T_A+2T_S+2T_H$ 1.9393 s	$3T_A+2T_S$ 1.2041 s	$3T_A+T_S$ 1.1527 s	-
Ray-Biswas [7]	$4T_A+T_H$ 1.4689 s	$3T_A+4T_S+3T_H$ 1.3084 s	$T_A+4T_S+2T_H$ 0.5737 s	$T_A+4T_S+2T_H$ 0.5737 s	-
Proposed scheme	$T_C+T_S+T_H$ 0.0688 s	$10T_C+6T_S+13T_H$ 0.4839 s	$10T_C+8T_S+14T_H$ 0.5877 s	$3T_C+4T_S+4T_H$ 0.2583 s	$4T_C+3T_S+6T_H$ 0.2248 s
Phases	Registration	Authentication and Key Agreement		Emergency Exception	Password Updating
Aghili et al. [8]	$5T_H$ + $1T_{BH}$ 0.003 s	$28T_H$ + $1T_{BH}$ 0.0145 s		-	-
Ali et al. [10]	$1T_{ECM}$ + $1T_H$ + $1T_{FE}$ 0.3307 s	$3T_{ECM}$ + $8T_H$ + $1T_{FE}$ 0.6644		-	$2T_H$$+2T_{FE}$ 0.3312
Fotouhi et al. [13]	$5T_H$ 0.0025 s	$34T_H$ 0.0170 s		-	$17T_H$ 0.0085 s
Amintoosi et al. [15]	$5T_H$ 0.0025 s	$19T_H$ 0.0095 s		-	$8T_H$ 0.0040 s

presents the performance of the proposed scheme and other related schemes, where T_H denotes the time to execute the one-way hash function; T_BH the time to execute a biohashing; T_S denotes the time to execute symmetric en/decryption; T_A denotes the time to execute asymmetric en/decryption; T_ECM denotes the time to execute a scalar multiplication on elliptic curves; T_FE denotes the time to execute a fuzzy extractor function; and T_C denotes the time to execute extended Chebyshev chaotic maps. T_FE and T_ECM are considered to be the same by using the arguments presented in [35].

Table 4. Simulation environment.

Hardware/Software Specification
Intel Xeon CPU E3-1231 v3 3.4 GHz 8 G Memory Windows Server 2008 Visual Studio 2012 and C++ programming language Input string length- 256 bits
Used Algorithms
Hash function: SHA256
Symmetric en/decryption algorithm: AES
Asymmetric en/decryption algorithm: RSA Scalar multiplication: Elliptic curve
Extended Chebyshev chaotic maps

presents the hardware/software specifications and the algorithms that were used in the simulation environment, including hash function-SHA256, symmetric en/decryption algorithm-AES, asymmetric en/decryption algorithm-RSA, scalar multiplication-elliptic curve, 256-bit strings. The schemes of Hu et al. [3], Ray and Biswas [5], and Ray and Biswas [7] involve several symmetric en/decryptions and hash operations. Those schemes even require time-consuming asymmetric en/decryptions. The scheme of Ali et al. [10] also involves several scalar multiplications on elliptic curves and fuzzy extractor operations, whose computational complexities are close to that of asymmetric en/decryptions. Although Aghili et al. [8], Ali et al. [10], Fotouhi et al. [13] and Amintoosi et al. [15] provided efficient solutions for healthcare systems, their proposed schemes only consider authentication and key agreement, but their schemes do not consider PHI access and emergency exception.

Figure 7 illustrates the response-time statistics of the proposed scheme and other related schemes, which can fully provide the registration phase, PHI uploading phase, PHI access and emergency-exception-handling phase and include the schemes of Hu et al. [3], Ray and Biswas [5] and Ray and Biswas [7]. Compared with other related schemes, the proposed scheme is much faster than in the registration phase; it increases computing performance by at least 63.0% in the PHI uploading phase, and increases computing performance by at least 54.9% in the emergency-exception-handling phase. The proposed scheme completely considers PHI uploading, access and emergency exceptions, and employs only extended chaotic maps, symmetric en/decryptions and hash operations, which have low computation burdens. Therefore, the proposed scheme not only provides more functionality, but also retains efficiency in computations.

Table 5. Communication comparison.

Phases	PHI Uploading	PHI Access	Emergency-Exception
Hu et al. [3]	5	5	2
Ray and Biswas [5]	5	4	4
Ray and Biswas [7]	5	5	2
Proposed scheme	4	4	2
Aghili et al. [8]	4		-
Ali et al. [10]	3		-
Fotouhi et al. [13]	4		-
Amintoosi et al. [15]	4		-

compares the communication of the proposed scheme and other related schemes in term of required messages. The schemes of Hu et al. [3], Ray and Biswas [5] and Ray and Biswas [7] require more messages than the proposed scheme in the PHI uploading and PHI access phases. Furthermore, the proposed scheme has similar numbers of communication messages with those of Aghili et al. [8], Ali et al. [10], Fotouhi et al. [13] and Amintoosi et al. [15], and comprehensively considers PHI uploading, PHI access and emergency-exception phases.

4.4. Functionality Comparison

Table 6. Functionality comparison.

Scheme	Hu et al. [3]	Ray and Biswas [5]	Ray and Biswas [7]	Aghili et al. [8]	Ali et al. [10]	Fotouhi et al. [13]	Amintoosi et al. [15]	Proposed Scheme
Used Algorithm	RSA	RSA	RSA/AES	Hash	ECC	Hash	Hash	ECM
User Verification	SC	PKC	PKC	SC	PKC	SC	SC	PKC
Providing MA	YES	NO	YES	YES	YES	YES	YES	YES
Providing UP	NO	NA	NA	NO	YES	YES	YES	YES
Providing PA	NO	NO	NO	NO	NO	NO	NO	YES
Providing PC	NO	NO	NO	NO	NO	NO	NO	YES
Resisting PGA	NA	NA	NA	YES	YES	YES	YES	YES
Resisting IA	NO	NO	YES	NO	YES	YES	YES	YES
Resisting RA	NO	NO	YES	YES	YES	YES	YES	YES
Resisting MMA	YES	NO	YES	YES	YES	YES	YES	YES
Resisting SVA	NO	NA	NO	YES	YES	NO	YES	YES

SC: smart card; PKC: public-key certificate; MA: mutual authentication; UP: updated password; PA: patients’ authorization; PC: patients’ control; PGA: password-guessing attacks; IA: impersonation attacks; RA: replay attacks; MMA: man-in-the-middle attacks; SVA: stolen verifier attacks; ECM: extended chaotic maps.

compares and the proposed scheme and related schemes in terms of functionality, and specifically the meeting of security requirements and resistance of potential attacks. The schemes of Hu et al. [3], Ray and Biswas [5] and Ray and Biswas [7] are developed by using RSA and the scheme of Ali et al. [10] are developed by using scalar multiplications on elliptic curves, thus requiring time-consuming computations. The schemes of Ray and Biswas [5], Ray and Biswas [7] and Ali et al. [10] perform verification processes by using certificates. The schemes of Hu et al. [3], Aghili et al. [8], Fotouhi et al. [13] and Amintoosi et al. [15] perform verification processes by using smartcards. The schemes of Aghili et al. [8], Fotouhi et al. [13] and Amintoosi et al. [15] are developed by using hash operations. The proposed scheme is developed by using hash operations and chaotic maps, which are lightweight operations. Although the schemes of Aghili et al. [8], Fotouhi et al. [13] and Amintoosi et al. [15] have higher efficiency in computation, their schemes do not consider PHI access and emergency exceptions, and thus cannot provide complete security requirements. Additionally, only the proposed scheme completely considers PHI uploading, access and emergency exceptions; provides completed security requirements, including updated passwords, patients’ authorization and patients’ control; and resists potential attacks, including password-guessing attacks, impersonation attacks, replay attacks and stolen verifier attacks. Accordingly, the proposed scheme is efficient and exhibits greater functionality than the other schemes.

5. Conclusions

This work develops a user-authentication and key-agreement scheme that exploits the favorable characteristics and speed of Chebyshev polynomials to provide high computational efficiency and comply with HIPAA privacy/security regulations. The proposed scheme solves security problems that afflict related schemes, such as the accessing of patient information without patient authorization, the inability to perform multiple verifications simultaneously, and others. This proposed key-agreement scheme depends on a certificate-management center to enable doctors, patients and authentication servers to realize mutual authentication through certificates and thereby reduce the number of rounds of communications that are required. The proposed scheme provides all of the security functions of related schemes, while overcoming their limitations and offering greater efficiency. It is more secure and compliant with HIPAA privacy/security regulations, so it is more suitable for real-world environments.

Since the proposed scheme needs to comply with privacy/security regulations and needs to consider more contexts, it is more complicated than other schemes applied to healthcare systems. Future work plans to simplify the process of the proposed scheme, comply with the general principles of privacy/security regulations and be applicable to practical application scenarios.