Trusted Authority Assisted Three-Factor Authentication and Key Agreement Protocol for the Implantable Medical System

The application of implantable medical devices (IMDs), which removes the geographical distance limitation and provides the real-time health monitoring that patients and doctors need, has had a great impact in the medical community. Despite their great potential for wide application, IMDs also bring security and privacy issues, such as the leakage of health data and unauthorized access to the devices. Although a number of authentication and key agreement (AKA) schemes have been developed, we find that some subtle attacks still remain to be addressed. We then propose an improved AKA scheme which achieves strong security features including user anonymity and known key security. It is formally proved to be secure under the Real-or-Random model. Moreover, a comprehensive security analysis shows that our scheme can resist various attacks and satisfy the desired requirements. Finally, the performance analysis shows the superiority of our protocol, which makes it suitable for the implantable medical system.


Introduction
With the improvement of wireless communication technologies, implantable medical devices (IMDs), such as pacemakers, cranial nerve stimulators, and cochlear implants, have been widely used in the medical services field [1,2]. All these micro devices implanted in a patient's body can continuously monitor and collect data that reflect the patient's health. Through a controller node (CN), IMDs are able to transmit the data to the remote attending physician or medical institution, which greatly simplifies the treatment process and removes the limitation of region. Generally speaking, the combination of these advanced technologies improves health care practices, urgent care, and preventive health [3].
A typical architecture of an implantable medical system is shown in Figure 1. The CN and the IMDs first register with the trusted authority (TA) before they are deployed into the system. Then the IMDs collect data such as body temperature, heartbeat, and blood pressure, which the CN retrieves via wireless communication technologies such as Bluetooth or ZigBee [4]. After the collection process, the CN connects to the Internet via an access point so that the attending physician or the medical institution can reach it. In the meantime, cloud servers may be used to store the collected health data to ease the storage burden on mobile devices [5,6].
However, it is exactly this use of wireless communication that exposes the transmission of medical data to security risks [7,8,9]. According to the Dolev-Yao threat model [10], the implantable medical system faces a wide range of malicious attacks which may cause the leakage of health data and unauthorized access to IMDs. In response to these serious security threats, it is imperative to design a mutual authentication and key agreement (AKA) mechanism which ensures the confidentiality of the transmitted sensor data and resists malicious attacks.

Related Work.
With the wireless interface enabled, IMDs can be accessed by an authorized operator in physical proximity via the IMD programmer. However, the wireless communication and networking capabilities of IMDs turn out to be the major sources of security vulnerabilities [11,12]. Access control for the implantable medical system is therefore highly desired, and many schemes have been put forward in this field.
Initially, considering the scarce energy reserves and limited communication capacity of IMDs, some schemes based on symmetric key cryptography [15,16,17,18,19] were proposed. They achieve high encryption speed and efficiency, but they are weak against certain attacks, and the complexity of key management introduces a large memory and communication overhead which contradicts their original intention. This means that schemes based on symmetric key cryptography can hardly provide a complete security guarantee for the implantable medical system.
Then, authentication schemes based on traditional public key cryptography (TPKC) [20,21] were implemented in IMDs. Unfortunately, the limited computing capability and battery capacity of the mobile device hinder the application of TPKC in the implantable medical system. The concept of the elliptic curve cryptosystem (ECC) was then put forward [22]; it provides the same security with a much smaller key size compared with TPKC [23], so many ECC-based protocols were proposed subsequently [13,24]. In 2013, Liu et al. [25] used the bilinear pairing defined on an elliptic curve to design a new certificateless signature scheme, but in 2014 Xiong [26] analyzed Liu et al.'s authentication protocol and concluded that it was prone to an attack by a key replacement adversary [27]. In 2016, He et al. [28] also claimed that Liu et al.'s scheme cannot resist the impersonation attack and put forward their own improved protocol. In 2018, Li et al. [29] analyzed the loopholes in each layer of the current implantable medical system and put forward a complete three-layer scheme.
As we know, each authentication factor has its own advantages and disadvantages. Passwords are prone to dictionary attacks, while smart cards may be lost. A number of two-factor protocols [30,31,32,33,34,35,36,37,38] have been put forward. In these schemes, two kinds of factors, i.e., passwords and smart cards, are combined to achieve user authentication. In 2015, He et al. came up with a scheme [35] in which the smart card stores some private parameters for healthcare applications using wireless medical sensor networks. In 2017, Wei et al. proposed an anonymous authentication scheme [33] for wireless body area networks and gave a formal security analysis of the protocol.
To further enhance the security strength of two-factor protocols, three-factor authentication (3FA) schemes which combine all three factors (i.e., passwords, smart cards, and biometrics) have attracted more and more attention [14,39,40,41,42,43,44]. In 2017, Wei applied the fuzzy extractor to his newly proposed protocol [39] to handle the biometrics. Meanwhile, Jiang et al. presented a scheme [41] in which biohashing is used to protect the biometrics. In 2016, Wu et al. proposed a 3FA scheme [43] that summarized the flaws in previous typical protocols and came up with a more complete solution. In 2017, Li et al. [40] remedied flaws in Jiang et al.'s scheme [32], in which fuzzy commitment is used to protect biometrics. In 2017, Wazid et al. provided a 3FA scheme [14] for IMDs and claimed that their protocol meets the known security requirements, but we reveal that the protocol cannot achieve complete security.

Motivations and Contributions.
With the popularity of IMDs, their safety and privacy protection have attracted great attention, and a large number of protocols in this field have emerged, but few of them achieve the desired security guarantee. In such a situation, it is imperative to sum up the defects in previous protocols and propose new schemes to make the implantable medical system more secure and reliable. Among these protocols, we pick Wazid et al.'s scheme [14] as a typical case study and analyze some of its defects. Then we propose a trusted authority assisted 3FA protocol which effectively fixes the security vulnerabilities of the original protocol. Our contributions are summarized as follows:
(i) First, we find three drawbacks of the recent 3FA protocol of Wazid et al. Specifically, the scheme cannot withstand the offline password guessing attack or the CN impersonation attack, and the authentication phase of the protocol is incorrect.
(ii) Second, we propose a trusted authority assisted 3FA protocol. Specifically, we introduce the fuzzy verifier [45] to prevent the offline password guessing attack during the local login verification phase, and we adopt the widely used fuzzy vault [46] to protect the biometric template.
(iii) Third, we analyze the security of our protocol both formally and informally. Our protocol not only fixes the shortcomings of the original scheme but also achieves perfect forward secrecy, user anonymity, known key security, and so forth. At the same time, our protocol resists a variety of known attacks.

Organization of the Paper.
The rest of the paper is organized as follows. In Section 2, we briefly review some preliminaries used in this paper, including ECC and the fuzzy vault. Section 3 describes the details of Wazid et al.'s scheme. In Section 4, we present the vulnerabilities of their scheme. In Section 5, we propose an improved scheme. In Section 6, we give an elaborate analysis from both the formal and the informal point of view. The comparisons of efficiency and features are listed in Section 7. Finally, the paper is concluded in Section 8.

Preliminaries
2.1. Fuzzy Vault. The fuzzy vault is a construction used to protect biometric templates  with various built-in algorithms. Its security relies on the secret key  and .
It works in key binding mode, where the biometric and the key are monolithically bound within a binding mechanism. Compared with the fuzzy extractor [47], the Euclidean distance measure used in the fuzzy vault has been widely accepted in most biostatistical applications [48]. Therefore, in view of its practical value, we adopt the fuzzy vault to protect biometric features in our improved scheme. Specifically, the user selects a polynomial  which is used to encode the secret key  and is evaluated on all elements of . Then the biometric  imprinted by the user can be converted into a set of  points which lie on  according to (, , ) = . Then, taking  and , a large set of "chaff points", as the inputs of (⋅), we obtain the final vault , which equals  ∪ ; that is, (, ) = . Generally, the final vault  is stored in the mobile device.
When the user wants to recover the secret key , she/he first scans the biometric  * on the terminal and then feeds the vault  and  * to the algorithm (⋅), which outputs  if and only if | −  * | < , where  is the fuzziness parameter. Finally, the secret key  is recovered from  by the algorithm Rec(⋅).
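The lock/unlock flow just described, as an added worked example (not the paper's code): a polynomial over GF(2^31 - 1) encodes the key, the genuine feature points lie on it, chaff points hide them, and a noisy re-scan recovers the key by Lagrange interpolation once enough points fall within the fuzziness tolerance. The 1-D integer features (so Euclidean distance is an absolute difference), the field, the 30-bit chunking of the key and the SHA-256 checksum used to recognise a correct reconstruction are all assumptions of this example.

```python
"""Fuzzy vault in key-binding mode (added example; assumptions: 1-D integer
features so Euclidean distance is |x - x*|, field GF(2^31 - 1), key split into
30-bit coefficients, SHA-256 of the key as the checksum recognising Rec())."""
import hashlib
import itertools
import random

PRIME = 2**31 - 1   # constructed field modulus for polynomial arithmetic
CHUNK_BITS = 30     # each polynomial coefficient carries 30 bits of the key
TOL = 3             # fuzziness parameter: |x - x*| <= TOL counts as a match


def poly_eval(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) over GF(PRIME) with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def poly_mul(a, b):
    """Multiply two coefficient lists over GF(PRIME)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % PRIME
    return out


def interpolate(points):
    """Lagrange interpolation over GF(PRIME): coefficients of the unique
    polynomial of degree len(points) - 1 through all (x, y) points."""
    k = len(points)
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(points):
        num, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = poly_mul(num, [(-xj) % PRIME, 1])   # times (x - xj)
                denom = denom * (xi - xj) % PRIME
        scale = yi * pow(denom, -1, PRIME) % PRIME
        for d in range(k):
            coeffs[d] = (coeffs[d] + scale * num[d]) % PRIME
    return coeffs


def key_to_coeffs(key, degree):
    """Encode the secret key as the degree + 1 coefficients of the polynomial."""
    mask = (1 << CHUNK_BITS) - 1
    return [(key >> (CHUNK_BITS * i)) & mask for i in range(degree + 1)]


def coeffs_to_key(coeffs):
    """Inverse of key_to_coeffs (the Rec step once the polynomial is known)."""
    return sum(c << (CHUNK_BITS * i) for i, c in enumerate(coeffs))


def checksum(key):
    return hashlib.sha256(key.to_bytes(32, "big")).hexdigest()


def lock(key, features, degree, n_chaff, rng):
    """Lock(): genuine points lie on the polynomial, chaff points do not.
    Returns the shuffled vault V = G ∪ C plus the checksum of the key."""
    coeffs = key_to_coeffs(key, degree)
    vault = {x: poly_eval(coeffs, x) for x in features}
    while len(vault) < len(features) + n_chaff:
        cx = rng.randrange(PRIME)
        # a chaff point within TOL of a genuine feature would be matched by an
        # honest probe and spoil reconstruction, so keep chaff away from them
        if cx in vault or any(abs(cx - f) <= TOL for f in features):
            continue
        cy = rng.randrange(PRIME)
        if cy != poly_eval(coeffs, cx):      # keep chaff off the polynomial
            vault[cx] = cy
    points = list(vault.items())
    rng.shuffle(points)
    return {"points": points, "degree": degree, "check": checksum(key)}


def unlock(vault, probe):
    """Unlock(): keep vault points within TOL of some probe feature, then try
    degree + 1 subsets by interpolation until the checksum matches.
    Returns the key, or None when too few genuine points survive the scan."""
    need = vault["degree"] + 1
    matched = [(x, y) for x, y in vault["points"]
               if any(abs(x - f) <= TOL for f in probe)]
    if len(matched) < need:
        return None
    for subset in itertools.combinations(matched, need):
        key = coeffs_to_key(interpolate(list(subset)))
        if checksum(key) == vault["check"]:
            return key
    return None


# Constructed enrolment: 8 quantised features and a 120-bit key (4 x 30 bits).
FEATURES = [1200, 3450, 5610, 7820, 9100, 11120, 13340, 15500]
KEY = 0x0F1E2D3C4B5A69788796A5B4C3D2E1
VAULT = lock(KEY, FEATURES, degree=3, n_chaff=200, rng=random.Random(7))
# Same finger re-scanned: six features drift by <= 2, two are not detected.
PROBE_OK = [1201, 3449, 5612, 7818, 9100, 11122, 20000, 22000]
# Different finger: nothing within TOL of the enrolled features.
PROBE_BAD = [1300, 3600, 5800, 8000, 9300, 11300, 13500, 15700]
```

Because only points within the tolerance are considered and a degree-3 polynomial needs four of them, the impostor probe never reaches interpolation, while the noisy genuine probe still has six usable points.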

Elliptic Curve Cryptosystem (ECC).
Compared with the traditional RSA algorithm, ECC achieves the same security with a much smaller key size. Its security rests on two hard problems: the elliptic curve discrete logarithm problem and the Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP). Specifically, the first one states that it is computationally infeasible to find an integer  ∈  *  satisfying  =  ⋅  given two points  and  over   (, ). The other one states that it is hard to compute the value  ⋅  given the points ,  ⋅ , and  ⋅  with ,  ∈  *  . These two hard problems guarantee the security of the elliptic curve primitives: an adversary still has great difficulty in obtaining the secret after learning the public values.

Review of Wazid et al.'s Scheme
In this section, we review the details of Wazid et al.'s scheme, which consists of eight phases, i.e., predeployment, postdeployment, registration, login, authentication and key agreement, password and biometric update, dynamic control node addition, and dynamic IMD addition. The purpose of the scheme is mutual authentication and key agreement between the mobile device and the IMDs. The notations used in this paper are listed in Table 1.
Step 1. The user selects his/her identity   at will and forwards it with the registration request to  over a secure channel.
Step 3. After receiving the registration reply from ,   further selects a private key  ∈  *  and computes the corresponding public key  =  ⋅ .
Step 4.   inputs his/her password   and imprints the fingerprint   in the mobile device   , then , } in its memory.

Login Phase.
As depicted in Figure 2, to log in to   ,   executes the following steps.
Step 1.   inputs his/her   ,   and    ; then   retrieves the biometric key If  *  equals the stored   ,   's inputs are verified as correct; otherwise, the login phase is terminated immediately.

Authentication and Key Agreement Phase.
In this phase,   and   need to authenticate each other and establish a session key between them for future secure communications; see Figure 2.
Finally, both   and   complete the mutual authentication and agree on the same session key, which will be used for secure communications in the future.

Password and Biometric Update Phase.
If   wants to change the password, he/she executes the following procedure.

Weakness of the Wazid et al.'s Scheme
The widely accepted Dolev-Yao threat model (DY model) [10] states that the adversary  can fully control the public channel between the communicating parties. Under this model, Wazid et al.'s scheme has the following three flaws: the offline password guessing attack, the controller node impersonation attack, and an incorrect authentication process. As a result, it cannot achieve mutual authentication; that is, the scheme fails to meet the security claimed by its authors.

Offline Password Guessing Attack.
To achieve user friendliness, users are allowed to choose their own identities and passwords at will in the registration phase; the majority of users will choose easy-to-recall  and , and the combination of these low-entropy  and  is likely to be vulnerable to the offline guessing attack. A probabilistic polynomial time (PPT) adversary can offline enumerate all (, ) pairs in the Cartesian product   *   , where   and   represent the  space and the  space, respectively. In a 3FA protocol, we should ensure that even if the   and the biometric have been corrupted, the whole scheme can still resist this type of attack and protect the user's secrets. Based on the above assumptions, the adversary can launch an offline password guessing attack as follows.
Step 2. The adversary  picks a (   ,    ) pair and calculates
Step 3. Finally,  checks whether  *  =   ; if it holds, the (   ,    ) selected by the adversary is the legal one. Otherwise,  chooses another (  ,   ) pair and repeats the above steps until success.

The Controller Node Impersonation Attack.
In the registration phase,  picks a secret number  and calculates 's pseudo identifier   = ℎ(  ‖ ), which is a fixed value. What is more, in the predeployment phase, both   and   have obtained   ; thus a malicious   can disguise himself/herself as   to communicate with another   , as shown in Figure 3.
Step  At this point,   and    have completed mutual authentication and negotiated the same session key (   =  *  ) for future sessions. In real life, this situation manifests as the adversary (  , e.g., a doctor) successfully disguising as another patient and sending false health information to his/her attending doctor, which can easily cause a medical accident and is extremely harmful to the patient.

Incorrect Authentication Process.
In the authentication phase,   computes  1 =   ⋅  and  2 =   +     (mod ) and then sends the message ⟨ 1 ,  2 ,  1 ⟩ to   . Normally, after receiving the message,   computes    = ℎ(  ‖  1 ) and then judges the validity of  2 by checking whether  2 ⋅  =  1 +    ⋅ . But it is not hard to notice that the message ⟨ 1 ,  2 ,  1 ⟩ does not contain the public key . Without knowledge of ,   cannot complete the signature check, so   fails to authenticate   .

The Proposed Scheme
To correct the shortcomings pointed out in Section 4, we remedy the protocol of Wazid et al. in the following aspects. (1) In the predeployment phase,  chooses a random value  ∈   as the private key and computes the corresponding public key   =  ⋅ . (2) We add the fuzzy verifier to prevent the offline password guessing attack in the login phase. (3) We adopt the more widely used fuzzy vault instead of the fuzzy extractor to protect biometric templates.
Our proposed scheme also has eight phases: predeployment, postdeployment, registration, login, authentication and key agreement, password and biometric update, dynamic control node addition, and dynamic IMD addition.
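To show how the fuzzy verifier of aspect (2) blunts the offline password guessing attack of Section 4, here is an added example (not the paper's code) that contrasts a conventional verifier h(ID‖PW‖σ) with the fuzzy verifier h(h(ID‖PW‖σ) mod n0) over a constructed password dictionary. SHA-256 as h, n0 = 2^4 and all identities, passwords and the biometric key are assumptions of this example.

```python
"""Local login check with a fuzzy verifier (added example, not the paper's code).
Assumptions: SHA-256 as h, n0 = 2^4, constructed identity, password, biometric
key sigma and dictionary; a "\x00" separator stands in for concatenation."""
import hashlib

N0 = 2**4  # fuzzy verifier modulus n0 (constructed choice)


def h(*parts):
    """Hash the separated concatenation of the parts (constructed encoding)."""
    m = hashlib.sha256()
    for part in parts:
        m.update(str(part).encode())
        m.update(b"\x00")
    return m.digest()


def exact_verifier(identity, password, bio_key):
    """Conventional verifier h(ID || PW || sigma): exactly one password matches,
    so whoever holds the device and sigma can confirm a guess offline."""
    return h(identity, password, bio_key)


def fuzzy_verifier(identity, password, bio_key):
    """Fuzzy verifier h( h(ID || PW || sigma) mod n0 ): only log2(n0) bits of
    the inner hash survive, so about |D|/n0 dictionary passwords match."""
    inner = int.from_bytes(h(identity, password, bio_key), "big") % N0
    return h(inner)


def local_login(stored, identity, password, bio_key):
    """Device-side check run before any message is sent to the TA. A wrong
    password in the same residue class passes here and is rejected by the TA,
    where failed online attempts can be counted; that is the intended trade-off."""
    return fuzzy_verifier(identity, password, bio_key) == stored


def offline_candidates(stored, identity, bio_key, dictionary, verifier):
    """What an adversary holding the device parameters and the biometric key
    learns offline: every dictionary password consistent with the stored value."""
    return [pw for pw in dictionary if verifier(identity, pw, bio_key) == stored]


# Constructed sample data.
IDENTITY = "patient-0042"
PASSWORD = "Winter2019!"
BIO_KEY = "9f1c3b7a"        # stands in for the key sigma released by the fuzzy vault
DICTIONARY = [f"Pa55w0rd{i}" for i in range(1000)] + [PASSWORD]

STORED_EXACT = exact_verifier(IDENTITY, PASSWORD, BIO_KEY)
STORED_FUZZY = fuzzy_verifier(IDENTITY, PASSWORD, BIO_KEY)


def compare_leakage():
    """Return (candidates left by the exact verifier, candidates left by the fuzzy one)."""
    exact = offline_candidates(STORED_EXACT, IDENTITY, BIO_KEY, DICTIONARY, exact_verifier)
    fuzzy = offline_candidates(STORED_FUZZY, IDENTITY, BIO_KEY, DICTIONARY, fuzzy_verifier)
    return exact, fuzzy


if __name__ == "__main__":
    exact, fuzzy = compare_leakage()
    print(f"exact verifier pins down {len(exact)} password(s)")
    print(f"fuzzy verifier leaves {len(fuzzy)} candidates to be tried online at the TA")
```

With n0 = 2^4 roughly one dictionary password in sixteen is consistent with the stored value, so even an attacker holding the device parameters and the biometric cannot finish the search offline; the survivors must be tried online, where the TA can count and throttle failures.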

Predeployment Phase.
 first selects a secret 1024-bit number  and chooses a finite cyclic additive group  generated by a point  of large prime order  over a finite field   on an elliptic curve. Then  selects the private key  ∈  , known only to itself, whose corresponding public key   =  ⋅  is made public.
 computes the value    = ℎ(   ‖    ‖ ) and stores {   ,    } in the memory of  as well as  , and then adds the univariate polynomial (   , ) to the memory of   .
The computation in the predeployment phase of the   is the same as in Wazid et al.'s scheme, so the details are omitted.

Postdeployment Phase.
The specific process of this phase is as follows.
Firstly,   sends the message ⟨   ⟩ to   ; once   receives the message, it responds with the message ⟨   ⟩. At the same time, each of them calculates the same shared secret key    ,  = (   ,    ) and    ,  = (   ,    ) for future use.

User Registration Phase.
In this phase,   registers with  by executing the following procedure, as shown in Figure 4.
Step 1.   inputs the selected   and password   and imprints the biometric   into the   .   chooses the private key  ∈   and computes the corresponding public key   =  ⋅ , keeping both secret. Finally,   submits   and   to  via the secure channel.
Step 2. After receiving the registration request from   ,  calculates   = ℎ(  ‖  ‖ ) and stores {  ,   } for   in its memory. Then  forwards the value   to   .
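How the signature check criticised in Section 4 depends on the verifier holding the user's public key, and how recording {ID, PK} at registration (Step 2 above) supplies it, as an added example that is not the paper's code: the user signs R1 = r·P, σ2 = r + h(ID‖R1)·x (mod n), and the verifier checks σ2·P = R1 + h(ID‖R1)·PK after a registry lookup, rejecting when no key is on file instead of accepting blindly. The secp256k1 curve, SHA-256 as h, the byte encoding of ID and points, and all keys and nonces are assumptions of this example.

```python
"""Schnorr-style login signature with a TA-held public key registry (added
example). Assumptions: secp256k1 as the group (the paper fixes no curve),
SHA-256 as h, constructed encoding of ID and points, constructed keys/nonces."""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P), base point G of order N
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def h_int(identity, point):
    """h(ID || R1) reduced into Z_N (constructed encoding: utf-8 ID, 32-byte coords)."""
    data = identity.encode() + point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen(private=None):
    """User key pair (x, PK = x * P); a fixed x may be passed for reproducibility."""
    x = private or secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)


def sign_login(identity, x, nonce=None):
    """User side: R1 = r * P, sigma2 = r + h(ID || R1) * x mod N."""
    r = nonce or secrets.randbelow(N - 1) + 1
    R1 = ec_mul(r, G)
    sigma2 = (r + h_int(identity, R1) * x) % N
    return R1, sigma2


def verify_login(registry, identity, R1, sigma2):
    """Verifier side: look up PK by ID, then check sigma2 * P == R1 + h * PK.
    With no registered key (the situation of Section 4) there is nothing to
    check the equation against, so the login is rejected, never accepted."""
    pk = registry.get(identity)
    if pk is None:
        return False
    lhs = ec_mul(sigma2, G)
    rhs = ec_add(R1, ec_mul(h_int(identity, R1), pk))
    return lhs == rhs


# Constructed registration: the TA records {ID, PK} for each user (Step 2).
USER_ID, OTHER_ID = "patient-0042", "patient-0043"
PRIV, PUB = keygen(private=0x1F2E3D4C5B6A79880978695A4B3C2D1E0F00112233445566778899AABBCCDDEE)
OTHER_PRIV, OTHER_PUB = keygen(private=0x2B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE)
TA_REGISTRY = {USER_ID: PUB, OTHER_ID: OTHER_PUB}
```

Because the identity is hashed together with R1, a signature produced under one registered identity does not verify under another, and a registry with no entry for the claimed identity yields a rejection rather than an unverifiable acceptance.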

Login Phase.
As shown in Figure 5  Finally,   sends the message { 1 ,  2 ,   ,  1 ,   } to  via a public channel.
Step 3. After the computation,   updates the values of    ,    , and    in the list. The above process simulates the situation in which the user only wants to update the password and keeps the original biometric, where    =   . The password and biometric update phase is summarized in Figure 6.

Dynamic Controller Node Addition Phase.
In this phase, we can deploy a new control node as follows.
Step prior to its deployment.

Dynamic IMD Addition Phase.
Depending on the real situation, the patient needs to check the state of the implantable device in time to ensure that accurate health data are conveyed, so an old IMD often needs to be replaced or a new IMD added. In the case where a new    replaces the existing one, please refer to Wazid et al.'s scheme for the details.

Security Analysis
We analyze the security of our proposed scheme in this section; the analysis shows that our scheme fixes the shortcomings of Wazid et al.'s scheme and resists all kinds of known attacks. Security features such as user anonymity and forward secrecy are guaranteed in our protocol.
6.1. Security Model. Our scheme involves three interacting entities, namely   with {  ,   ,   , },   with    , and , which keeps its private key . Each participant can activate multiple protocol instances and run multiple session instances in parallel.  ℎ  is defined as the th instance of   , and the same rule applies to  ℎ  and   . All of these instances can be seen as oracles which have the three states below.
(i) Accept state: when the oracle has received the last valid message of the protocol, we can say the oracle accepts the message.
(ii) Reject state: when the oracle has received any incorrect message, the oracle will reject the received message.
(iii) ⊥ state: when the oracle outputs no answer of the queries, we say that the oracle is in an unresponsive state which is defined as ⊥ state.
We give the security model of our scheme, which combines the security models of [33,45].

Definition 3 (correctness). When 𝑈 𝑡ℎ and  ℎ  are partnered and both accept, they agree on the same session key.
Definition 4 (adversary capabilities). Interaction between the adversary  and the participants of the protocol is implemented via oracle queries which simulate the abilities of real attackers. All oracle queries are listed as follows.
(i) Execute( ℎ  ,  ℎ  ,   ): this oracle simulates passive attacks (such as eavesdropping and tracking), in which the adversary obtains all messages ⟨1, 2, 3⟩ exchanged during an honest execution of the authentication process.
(ii) Send( ℎ  / ℎ  /  , ): this oracle models active attacks, in which the adversary forwards a modified message  to  ℎ  / ℎ  /  . He/she then gets the response generated by  ℎ  / ℎ  /  , which follows the honest protocol after receiving . Additionally, the query Send( ℎ  , start) initiates the protocol.
(iii) Test( ℎ  / ℎ  ): this query does not model an actual attack capability of the adversary  but rather measures the semantic security of the session key . For a participant instance  ℎ  / ℎ  , if the instance has not generated the session key, the undefined symbol ⊥ is returned. Otherwise, a fair coin is tossed: if the result is 1, the true session key of the instance  ℎ  / ℎ  is returned; otherwise, a random number of the same length as the session key is returned. The adversary has to guess the outcome of the toss, i.e., whether he/she received the real session key or a random number. Notice that the Test( ℎ  / ℎ  ) query can be asked only on a fresh instance and at most once.
(iv) Reveal(
Definition 5 (random oracle). We model the cryptographic one-way hash function , which all participants including  can access, as a random oracle.
A 3FA protocol should guarantee semantic security, which is defined through the Test-query. In a run of the protocol ,  can ask the Test-query just once, while the other queries, i.e., Execute-query, Reveal-query, and Send-query, can be asked polynomially many times. Besides,  can only make the Test-query on a fresh instance. The adversary's task is to guess the result of the coin toss in the Test-query; we treat the event in which the adversary guesses correctly as a successful attack, denoted Succ(). Only after the participants have completed strict mutual authentication can a common session key be negotiated. The advantage of an adversary breaking the session key security of protocol  is defined as Adv  , () = 2Pr[Succ()] − 1, where  denotes the password space, whose distribution follows Zipf's law [50].
Theorem 6 (semantic security). Given a 3FA protocol , if the advantage Adv  , () of an arbitrary PPT adversary breaking the session key security of the protocol is at most a negligible amount () larger than   ⋅     , then  satisfies semantic security, where   denotes the number of active attacks by the PPT adversary and () represents a negligible function of the security parameter .
Here,   = 0.062239 and   = 0.155478 are the Zipf parameters put forward by Wang et al. [50].

Security Proof.
We assume that DDH holds in the cyclic group, that the public key encryption algorithm used in the protocol is CCA secure, and that the signature algorithm is unforgeable under adaptively chosen messages. We prove Theorem 6 by a sequence of hybrid games. The sequence starts with the real attack game, and we gradually modify the simulation rules in each game until the adversary's advantage in distinguishing the correct session key from a random key of the same length becomes zero, at which point the sequence ends. For two adjacent games, we bound the gap in the adversary's advantage, and finally we bound the adversary's advantage against this 3FA protocol. We use Δ  to denote the difference between games   and  +1 and V  () to denote the advantage of  in game   .
(i)  0 : this experiment is the starting game, which simulates the real attack of the adversary described in Section 6. So we have
(ii)  1 : in this game, we simulate all random oracles  of the protocol by maintaining a hash query list  ℎℎ . Besides, we also simulate a private hash oracle   by holding another list   ℎℎ which records the Hash-queries made directly by the adversary. Obviously, this game is indistinguishable from the real one, so we have
(iii)  2 : in  2 we exclude some improbable collisions, i.e., collisions of the messages ⟨1, 2, 3⟩ across sessions and collisions in the outputs of the Hash-query. According to the birthday paradox, we have
(iv)  3 : we revise the session simulation rules for the passive attacks that the adversary mounts through the Execute-query. We suppose that   constructs 1 using another (
(vi)  5 : in this game, we start to revise the simulation rules for active attacks. We take Send(, (1)) as the example: if   is not corrupted and  constructs a correct signature, then we say that  wins the game and terminate the simulation. From the unforgeability of the signature, we have
The only way to succeed in this game is to obtain the parameters in   and guess   's real password. Since  cannot get any information about   from the simulation, by Zipf's law we get V 8 () ≤  () ≤   ⋅     (10). Therefore, Theorem 6 is proved.

Other Discussions.
In this part, we demonstrate that our protocol resists various known attacks and achieves security properties such as user anonymity, forward secrecy, and known key security.

Privileged Insider Attack.
In the registration phase of our protocol,   sends a message consisting of the identity   and the corresponding public key   without any information about the password   , so  has no way to derive   . Obviously, our scheme withstands the privileged insider attack.

Stolen-Verifier Attack.
In this attack, an attacker steals the verification parameters stored by  to cheat   , but we only put   and   in the verification table, which contains no information about the password   . Therefore, our scheme is immune to the stolen-verifier attack. Hence, the offline password guessing attack cannot damage   's security.

Undetectable Online Password Guessing Attack.
In the proposed scheme, once  tries to initiate the protocol, he/she needs to make sure that the chosen password  *  is valid in order to construct the verification signature  2 =   +   (mod ) which passes the authentication of . Otherwise, the wrong  *  is easily observed by . So our scheme withstands the undetectable online password guessing attack.
From another point of view, an adversary  cannot construct the verification value  7 due to the hardness of ECCDH, so  fails to impersonate a   . In a word, the control node impersonation attack poses no threat to our protocol.

TA Impersonation Attack.
For , it is computationally infeasible to get the value  4 = ℎ(  ‖    ‖   ), which is protected by the hash function and by the critical parameter    as well as the nonce   .   can be derived in two ways, as   =   ⊕ ℎ(   ‖   ‖  2 ) =   ⊕ ℎ(  ‖  5 ‖  1 ), but even if  has intercepted the parameters   ,   , and   , he/she still cannot calculate   without    ,   , or  3 , and then  4 cannot be computed. In short, our scheme is immune to the TA impersonation attack.

6.3.9. Denial-of-Service (DoS) Attack.
Before   's login request is sent to , the password  *  , identity  *  , and biometric  *  entered at the terminal by   are checked locally by verifying the value  *  . According to the protocol, the process continues only when  *  =   . Hence, our protocol withstands such an attack.

6.3.10. Replay Attack.
When an adversary  wants to send the intercepted messages ⟨1, 2, 3⟩ to the receiver again, they fail the timestamp check on ⟨ 1 ,  2 ,  3 ,  4 ⟩: all of the intercepted messages are seen as outdated. So our scheme withstands this attack effectively.

6.3.11. Mutual Authentication.
Mutual authentication means that before the doctor gets health information from   ,   , , and   have confirmed the legitimacy of the other two parties. In our protocol,  holds the public key   to verify the signature  2 , and thus   is authenticated. In the same way, the verification values  4 and  7 , which contain parameters known only to the intended parties, such as a private key or a nonce, accomplish the mutual authentication. That is, once they confirm that each other is legitimate, a secure session key is negotiated between   and   .

6.3.12. Known Key Security.
The purpose of our entire protocol is to ensure the safety of the subsequent delivery of medical information after mutual authentication is completed. The session key   = ℎ(  ‖    ‖     ⋅ ), which depends on the random numbers   and  , is different and independent in every key agreement phase. Even if some session keys are disclosed, in the next session the   remains secure. Hence, our protocol guarantees the security of the session key.

6.3.13. Perfect Forward Secrecy.
At the final step of the authentication phase,   and   negotiate a session key   = ℎ(  ‖    ‖     ⋅ ) = ℎ(  ‖    ‖   ⋅  5 ) = ℎ(  ‖    ‖   ⋅  1 ). To calculate the session key with  1 =   ⋅ ,  has to solve the ECCDH problem, as we showed before. It follows that even if the long-term keys of   and   are disclosed, the session key remains secure. Hence, the proposed protocol achieves perfect forward secrecy.

6.3.14. User Anonymity.
In the proposed protocol, we conceal the identity   in   = ℎ(  ‖  1 ‖   ‖    ),   = (  ‖    ) ⊕ ℎ( 3 ), and   =   ⊕ ℎ(  ‖    ‖  2 ). This shows that   is protected by the private key  in   = ℎ(  ‖  ‖ ) and by the nonce   in  3 =   ⋅  . That means that apart from   , , and   , nobody knows   . So our scheme achieves user anonymity.

6.3.15. User Untraceability.
In the proposed protocol, the messages 1{ 1 ,  2 ,   ,  1 ,   }, 2{ 1 ,   ,   ,   ,  2 ,  4 }, and 3{ 5 ,  3 ,  7 } transmitted among   , , and   are dynamic and differ from the previous ones because the sender randomly selects a number to compose each message. For instance, in 1, the introduction of   and   makes the parameters different in each login phase, which prevents  from using static values to track the user. In short, it is impossible for  to track   in our scheme.

6.3.16. Biometric Template Privacy.
Our scheme effectively maintains the privacy of the biometric   . On the one hand, the user does not offer   the biometric template, and there is no knowledge about   's biometric template in the

Figure 1: The network model of the implantable medical system.

Figure 3: The controller node impersonation attack in Wazid et al. 's scheme.

Figure 4: User registration phase of our scheme.

Figure 5: Login and authentication phase of our scheme.

Figure 6: Password and biometric update phase of our scheme.
Phase.Before deployment, a trusted authority  needs to complete the registration for each   as well as   . first selects a secret 1024-bit number  for   and   .Then  picks the identity    for   and calculates   = ℎ(  ‖ ),    = ℎ(   ‖ ),    = ℎ(  ‖    ‖ ).Meanwhile,  constructs the univariate polynomial (   , ) accord- stores {  ,    ,    , (   , )} in the memory of   .Similar to the above calculations,  generates a unique identity    and calculates    = ℎ(   ‖ ), (   , ) and then stores the information {   , (   , )} in the memory of    .3.2.Postdeployment Phase.After the predeployment phase,   and   establish a shared key using the information distributed during the predeployment phase.The details of the process are as follows.Firstly,   sends the message ⟨   ⟩ to   .Once   receives the message,   responds with the message ⟨   ⟩.Then they calculate the same shared secret key    ,  = (   ,    ) and    ,  = (   ,    ) on each own for future use.
Phase.By executing following procedures, mutual authentication is established among   , , and   , and a secure session key is negotiated between   and   .After receiving the login request { 1 ,  2 ,   ,  1 ,   },  first judges if | 1 −  2 | ≤ Δ holds, where  2 is the current timestamp and Δ is the maximum transmission delay.If it is invalid,  terminates the session; otherwise,  computes the value    ) and checks the validation of the signature by checking if the equation  2 ⋅  =  1 +  *  ⋅  *  holds.Specifically, the equality means that  certifies   's legitimacy; otherwise,  terminates the session.Then,  continues to calculate   =   ⊕ ℎ(  ‖  ⋅  1 ‖  1 ),  4 = ℎ(  ‖    ‖   ),   =   ⊕ ℎ(  ‖    ‖  2 ), and   =   ⊕ ℎ(   ‖   ‖  2 ).Finally,  sends the message { 1 ,   ,   ,   ,  2 ,  4 } to   via the public channel.After receiving the message from ,   first checks the validation of the condition | 2 −  3 | ≤ Δ where  3 In this phase, we allow   to update the password at will by the following process, which is executed locally without involving  for security reasons.First,   inputs her/his   ,    , and    on the terminal.Then   calculates fuzzy vault parameters (   , ) =   and (  ) =   and regains the private key   =   ⊕ ℎ(  ‖    ).  
checks whether   equals ℎ(ℎ(  ‖    ‖   ) mod ) or not. If it does not hold,   rejects the request; otherwise,   claims for the new *  ‖  *   =   ⊕ ℎ( ⋅  1 ) and retrieves  *  (i.e., the public key of   ) corresponding to * is the current timestamp. If it does not hold, the session is terminated here; otherwise,   regains the values of   and   by computing  *  =   ⊕ ℎ(  ‖    ‖  2 ) as well as  *  =   ⊕ ℎ(   ‖  *  ‖  2 ). Then,   checks whether  4 equals ℎ( *  ‖    ‖  *  ). If it does not hold,   terminates the session; otherwise,   has verified 's legality. Then   selects a random number   and goes on with the computation of  5 =   ⋅ ,  6 =   ⋅  1 , the session key   = ℎ(  ‖    ‖  6 ), and  7 = ℎ(  ‖   ‖  3 ). Finally, the message { 5 ,  3 ,  7 } is sent to   for authentication.

Step 3. When receiving the message { 5 ,  3 ,  7 } from   ,   first checks the validity of the condition | 3 −  4 | ≤ Δ; if it holds,   continues to calculate the session key   = ℎ(  ‖    ‖   ⋅  5 ) and judges whether the value  7 equals ℎ(  ‖   ‖  3 ). The final verification shows that the mutual authentication among   , , and   is accomplished and the session key   = ℎ(  ‖    ‖   ⋅  5 ) = ℎ(  ‖    ‖   ⋅  1 ) =   is established for future sessions.

5.6. Password and Biometric Update Phase. Step 2. When   inputs the new password    ,   computes 1.  first picks a new identity for    , called     , then  repeats the calculation , )} into the memory of target object of session for the other instances in the protocol, that is, the partner identification of  ℎ  is  ℎ  and vice versa. (2) Both instances accept the messages mutually and negotiate the same secure session key. (3) Both instances share the same session identifier.
ℎ  and  ℎ  satisfy the following three conditions simultaneously, we determine that they are partnered to each other. (1) One of the instances is the ℎ  / ℎ  ): this oracle simulates the reveal of the session key  to the adversary if  ℎ  / ℎ  really holds  and has not been queried by a Test( ℎ  / ℎ  ) before. Otherwise, ⊥ will be returned. (v) Corrupt( ℎ  , ): this oracle query is used to model the corruption ability of the adversary; we assume  can get any one factor of  ℎ  but not all. If  = 1, it responds to  with the password   of  ℎ  . If  = 2, it responds to  with all the security parameters stored in the   of  ℎ  . If  = 3, it responds to  with the biometric   of  ℎ  . If  = 4, it responds to  with the private key  of  ℎ  . (vi) Corrupt( ℎ  /  ): the adversary can get the long-term secret values of  ℎ  /  , such as    of  ℎ  or the private key  of   .
,  *  ) pair chosen from the Cartesian product   *   instead of the real one. That is, the parameters  * =   ⊕ ℎ( *  ‖  *  ‖ ),  *  =    ⊕ ℎ( *  ‖  ‖ ), and   = ℎ(  ‖  1 ‖  *  ‖    ) are calculated so that the signature can be calculated as  2 =   +  *  *  (mod ). Upon receiving the message 1,  continues to simulate the session with the false identity. If  is lucky enough to guess the real (  ,   ), the game is terminated. The real (  ,   ) and the pseudo ( *  ,  * ) can be seen as two challenge messages for the encryption algorithm, so the difference between the games  3 and  2 is at most the advantage of  in breaking the CPA security of the encryption algorithm used by the signature. And the CPA security of the signature can be reduced to the DDH assumption. So, we can conclude

 4 : in this game, we continue to revise the simulation session rules in passive attacks. We use the private hash function   to compute the session key   without the Diffie-Hellman parameters   and   , that is,   =   (  ‖    ). Since we have excluded the collisions in the previous game, only if  computes the valid Diffie-Hellman parameters     ⋅  and sends the query (  ,    ,     ⋅ ) to  can  distinguish the difference between  4 and the previous one. But the capability of  is limited by the hardness of the DDH problem, where given   ,   ,   and   ,   ,   ,  cannot tell   from   . Based on the intractability of the DDH problem, we have * (vii)  6 : we continue to revise the simulation session rules in active sessions. We acknowledge that  wins the game when  has successfully fabricated the message { 1 ,   ,   ,   ,  4 } and sent it to . We use the private hash function   to simulate the active sessions. The authenticator  4 is calculated as  4 =   (  ‖    ‖   ), where   is randomly selected from a cyclic group. When   corresponds to a fake  *  , the distribution of   is indistinguishable from the uniform distribution on a cyclic group. Then we have  7 : we change the simulation rules in active sessions for the last time
in this game. If  correctly forges the message 3 { 5 ,  7 ,  3 }, then we say  wins the game and terminate the game. The authenticator  7 contains the random number   which is unknown to . We have eliminated this situation in the previous game. So, we have

Attack with Stolen Mobile Device. For this situation, we usually suppose that  has gained the security parameters {  ,   ,    ,   , , } stored in the   and the biometric   simultaneously;  can eavesdrop on the authentication messages ⟨1, 2, 3⟩ transmitted via the public channel.  picks a candidate ⟨ *  ,  *  ⟩ pair in the Cartesian product   *   and computes (  , ) = , () = ,  * =   ⊕ ℎ( * In general,  can determine the validity of the chosen ⟨ *  ,  *  ⟩ pair by checking whether  *  equals the stored value   . If it holds, it means that  has guessed the correct ⟨ *  ,  *  ⟩ of   successfully; otherwise, he/she can pick another ⟨ *  ,  *  ⟩ pair and continue the attack. However, we introduce the fuzzy-verifier   = ℎ(ℎ(  ‖   ‖ ) mod ), which is effective in leaving adequate candidates for  to identify and thus makes it impossible for a PPT adversary to successfully guess the password.
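The fuzzy-verifier argument above, as an added example that is not the paper's code: it compares a conventional verifier with the fuzzy one on a constructed ⟨ID, PW⟩ dictionary and counts how many candidate pairs survive the offline check from the stolen-device setting. The names ID, PW, bio and the modulus n0 are assumptions, since the paper's own symbols were lost in extraction.

```python
import hashlib
from itertools import product
# Added example, not the paper's code. ID, PW, bio and n0 are assumed names:
# the paper's own symbols did not survive extraction. SHA-256 stands in for h().

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def exact_verifier(identity: str, password: str, bio: bytes) -> int:
    """Conventional verifier h(ID || PW || bio): every <ID, PW> pair maps to a
    distinct value, so an offline check singles out the real pair."""
    return h(identity.encode() + b"|" + password.encode() + b"|" + bio)

def fuzzy_verifier(identity: str, password: str, bio: bytes, n0: int) -> int:
    """Fuzzy verifier h(h(ID || PW || bio) mod n0): only n0 distinct outputs
    exist, so roughly |D_ID x D_PW| / n0 pairs match any stored value."""
    inner = h(identity.encode() + b"|" + password.encode() + b"|" + bio) % n0
    return h(inner.to_bytes(8, "big"))

def offline_candidates(stored, id_dict, pw_dict, bio, n0=None):
    """<ID, PW> pairs from the Cartesian product that reproduce `stored`;
    this is the offline check of the stolen-device setting."""
    survivors = []
    for identity, password in product(id_dict, pw_dict):
        if n0 is None:
            v = exact_verifier(identity, password, bio)
        else:
            v = fuzzy_verifier(identity, password, bio, n0)
        if v == stored:
            survivors.append((identity, password))
    return survivors

# Constructed sample data: 4 identities x 64 passwords = 256 candidate pairs.
ID_DICT = [f"user{i}" for i in range(4)]
PW_DICT = [f"pass{i:02d}" for i in range(64)]
BIO = b"constructed-biometric-key"   # assumed known to the adversary
REAL = ("user2", "pass37")           # the registered pair
N0 = 16                              # assumed modulus; a design parameter

def demo():
    """Return (survivors with the exact verifier, survivors with the fuzzy one)."""
    exact = offline_candidates(exact_verifier(*REAL, BIO), ID_DICT, PW_DICT, BIO)
    fuzzy = offline_candidates(fuzzy_verifier(*REAL, BIO, N0),
                               ID_DICT, PW_DICT, BIO, N0)
    return exact, fuzzy

if __name__ == "__main__":
    exact, fuzzy = demo()
    print(f"exact: {len(exact)} pair(s); fuzzy (n0={N0}): {len(fuzzy)} pairs")
```

With the fuzzy verifier about 256/n0 pairs remain indistinguishable offline, so the remaining guesses have to be tried online, where the responder can rate-limit or lock the account.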
6.3.5. Modification Attack. In our protocol, even if  intercepts the messages transmitted in the channel, it is still impossible for  to construct 1 { 1 ,  2 ,   ,  1 ,   }, 2 { 1 ,   ,   ,   ,  2 ,  4 }, and 3 { 5 ,  3 ,  7 }, which are protected by the secret value, private key, or hash functions, to pass the message verification. For example, in 1,  is unable to calculate the value  2 =   +   (mod ), since   = ℎ(  ‖  1 ‖   ‖    ), where   =    ⊕ ℎ(  ‖  ‖ ) = ℎ(  ‖  ‖ ) consists of secret values only known to   or , such as   , the private key , and , so 's login request will be rejected by . Similarly,  cannot construct the valid verification parameter  4 without knowledge of   , or  7 due to the hardness of the ECCDH problem introduced in Section 2.2. Thus, all modified messages will be detected and rejected by the receiver. In conclusion, a modification attack is impossible in our scheme.

6.3.6. User Impersonation Attack. We suppose that  plans to impersonate a legitimate user   to interact with . The key step is to construct a valid value  2 to pass the verification of . However,  is unable to calculate  2 =   +   (mod ) without   . To get   = ℎ(  ‖  1 ‖   ‖    ), he/she needs to know most of the long-term values. Therefore, our proposed scheme is immune to the user impersonation attack.

6.3.7. Control Node Impersonation Attack. We have analyzed that a malicious   may successfully impersonate   to cheat another  *  in Wazid et al.'s scheme. On the one hand, both   and   hold the same parameter  , which composes the correct verification values  5 = ℎ(  ‖  2 ) and   = ℎ(  ‖   ‖  1 ‖  2 ). On the other hand, in Wazid et al.'s scheme, the essential parameter   is not verified when it is sent to   . But in our scheme, this attack cannot be carried out, since the malicious   is unable to fabricate  7 without knowing   of  *  , so we close the potential pitfall in Wazid et al.'s scheme.