A Lightweight and Secure Anonymous User Authentication Protocol for Wireless Body Area Networks

The recent development of wireless body area network (WBAN) technology plays a significant role in the modern healthcare system for patient health monitoring. However, owing to the open nature of the wireless channel and the sensitivity of the transmitted messages, the data security and privacy threats in WBAN have been widely discussed and must be solved. In recent years, many authentication protocols had been proposed to provide security and privacy protection in WBANs. However, many of these schemes are not computationally efficient in the authentication process. Inspired by these studies, a lightweight and secure anonymous authentication protocol is presented to provide data security and privacy for WBANs. The proposed scheme adopts a random value and hash function to provide user anonymity. Besides, the proposed protocol can provide user authentication without a trusted third party, which makes the proposed scheme have no computational bottleneck in terms of architecture. Finally, the security and performance analyses demonstrate that the proposed scheme can meet security requirements with low computational and communication costs.


Introduction
In recent years, along with the quick development of communications and microelectronics technologies, a new network paradigm for detecting human body data, named wireless body area networks (WBANs) [1], has emerged. A typical architecture of WBAN for the healthcare system is depicted in Figure 1. There are three main participants in the WBAN: a dynamic set of M patients with monitoring sensors, denoted as $PAT = \{P_j \mid j = 1, 2, \ldots, M\}$, a set of N doctors as $DCT = \{D_i \mid i = 1, 2, \ldots, N\}$, and a registration center (RC) as a trusted third party [2]. The sensors are mainly embedded or worn on the patient. Their main function is to collect various physical parameters of the patient, such as blood pressure (BP), electrocardiogram (ECG), and temperature, and then transmit these data to the personal terminal. Next, the personal terminal uses a wireless communication technology (such as Wi-Fi and 4G/5G/CDMA) to forward all collected information to the appropriate doctor or the medical server. Therefore, the personal terminal acts as a bridge between the doctors and WBAN. These sensory data collected from the patient will play an important role in the doctor's medical diagnosis. In addition, this new technology not only helps to monitor and improve the health of patients but is also more suitable for health monitoring and care for the elderly and the disabled. However, due to the openness of the wireless channel, the data transmitted in WBAN can easily be eavesdropped or tampered with by unauthorized users. Since these sensitive patient data are the basis of clinical diagnosis, any data leakage or modification may put the patient's life at risk [3][4][5]. Consequently, it is necessary and important to provide a safe and reliable authentication protocol in the WBAN to ensure that only legitimate users can obtain the patient's sensitive information.
Since the collected information is vital to the patient's life, it is very confidential and vulnerable to various attacks by an adversary. If these sensitive data are obtained and misused by an adversary, it may threaten the lives of patients. Therefore, it is important to provide data security and privacy protection to the WBAN [6]. In other words, strong security solutions and authentication protocols are necessary for the success and large-scale deployment of the WBANs. Motivated by these shortcomings, we proposed a lightweight and secure anonymous user authentication protocol for the WBAN. The contributions of the paper are summarized as follows:
(1) To guarantee the privacy of doctors and patients in the WBAN, an efficient ECC-based privacy-preserving authentication is proposed. Moreover, the proposed authentication protocol can verify the legitimacy of the patients and doctors.
(2) In the proposed authentication protocol, under the premise of anonymous authentication of users, no trusted third party is required to participate in the authentication process. In this way, the proposed authentication protocol has no computational bottleneck in terms of architecture. Besides, the proposed scheme can provide a low computation burden on the client side, which makes the proposed authentication protocol more efficient.
(3) The proposed authentication protocol provides a method for RC to track the doctor's actual identity. At the same time, it also ensures that the doctor's identity information is not obtained by unrelated parties. This makes it possible to prevent doctors from making a wrong diagnosis or to pursue accountability afterward.
(4) A detailed security analysis and performance analysis show that the proposed authentication protocol can meet the security and performance requirements of the WBAN application.
The rest of the paper is organized as follows. Section 2 discusses the existing secure authentication schemes. Section 3 describes the attacker models and preliminaries. Section 4 presents the proposed mutual authentication scheme. Security and performance analyses of the proposed protocol are provided in Sections 5 and 6, respectively. Finally, Section 7 gives the conclusion of this paper.

Related Work
Security, privacy, and identity authentication are the most critical and challenging issues in the WBAN. During the last few years, so many authentication protocols have been proposed to solve the security and privacy protection problem for wireless-based healthcare applications [7][8][9][10]. Some research activities use public key cryptography (PKC) to build authentication schemes [7,8]. Since the traditional PKC requires a large amount of computation overhead, these existing PKC-based methods are not suitable for the resource-constrained WBAN. In 2014, Chatterjee et al. [9] presented an ECC-based user authentication for WBAN. Liu et al. [10] proposed a lightweight certificateless authentication scheme that uses ECC and bilinear pairings. Unfortunately, their method was found to be unable to resist tracking attack and impersonation attack [11].
In 2015, Das et al. [12] suggested a biometric-based authentication protocol for WBAN. Their proposed protocol combines biometric information and a password to verify the legitimacy of the user. Later, Wang and Zhang [13] found that Das et al.'s scheme is not able to provide user anonymity. In order to avoid this defect, they proposed a new bilinear pairing-based authentication protocol in the WBAN environment. In the same year, Debiao et al. [14] presented a bilinear pairing-based anonymous authentication scheme for WBAN. Liu et al. [15] proposed an anonymous 1-round authentication protocol for WBANs. They claimed that their authentication scheme was efficient and secure. However, Li et al. [16] demonstrated that Liu et al.'s scheme is unable to resist impersonation attack, DoS attack, and session key guessing attack. To avoid these flaws, they proposed an improved 1-round authentication protocol for WBANs. Later, Shen et al. [17] presented a lightweight nonpairing certificateless authentication protocol for WBANs. Unfortunately, their proposed scheme was found to be unable to resist the impersonation attack. To remove the flaws, Liu et al. [18] proposed an improved authentication to remedy the flaws in Shen et al.'s scheme. Wazid et al. [19] proposed a novel authentication and key management scheme for the cloud-assisted WBAN. Later, Qiu et al. [20] proposed a secure mutual authentication protocol based on ECC for wireless medical sensor networks. In this paper, the BAN logic is used to prove the security of the proposed scheme. However, according to [21], it is still suffering from insider attack. Shen et al. [21] presented a cloud-aided certificateless and privacy-preserving authentication scheme for the WBAN. In [21], the authors use public key cryptography and the message authentication code (MAC) to achieve user authentication. Shuai et al. [22] presented a bilinear pairing-based mutual authentication scheme for WBAN. Fotouhi et al. [23] propose a new lightweight hash chain-based and forward secure authentication scheme for WBAN. Kumar et al. [24] presented an ECC-based authentication scheme for wearable devices environment. Jegadeesan et al. [25] proposed an efficient privacy-preserving anonymous authentication for WBAN. However, their scheme is also not able to resist the impersonation attack.
To enhance the security of WBAN, a novel lightweight and secure anonymous user authentication protocol was designed. Compared with other existing schemes, the scheme proposed in this paper has two distinct characteristics. First, the proposed scheme does not require a trusted third party to verify the legitimacy of users anonymously. Second, the proposed authentication protocol provides a method for RC to track the doctor's actual identity, which can reduce the doctor's misbehaving.

Threat Model.
An adversary model is a valid abstraction of an arbitrary adversary which is able to launch a successful attack. Due to the open nature of WBAN, the wireless communication channel is vulnerable to various attacks. In the proposed authentication protocol, the two widely used models, named Dolev-Yao model and CK-adversary model, are used. In the Dolev-Yao model, the communication between different entities can be intercepted by an adversary. Besides, the adversary is also able to modify, delete, fake, or inject into the transmitted information [26,27]. In the CK-adversary model, the adversary can control all the communication between the entities. Moreover, the adversary is assumed to be able to extract the secret parameters stored in the entity's memory and the temporary data used to establish session keys [6]. Furthermore, the adversary can use oracle queries to interact with the entities. As far as we know, these two adversary models are widely adopted in the authenticated key exchange protocols [28].

Security Requirements for the WBAN.
The communication of the WBAN is mainly divided into two types: the communication between the sensor and the personal terminal and the communication between the personal terminal and the back-end server. Our work focuses on the security of communication between the personal terminal and the back-end server. In this section, we discuss the security and privacy requirements for the WBAN environment [29].

Mutual Authentication.
As we all know, the messages transmitted in the WBAN are easily eavesdropped and modified. Hence, once a message is received, the most important thing for the receiver is to determine whether the message is sent by a legitimate user and whether the message has been modified. Therefore, there should be a mechanism to verify the legitimacy of the message and the sender of the message.

Data Integrity.
To ensure the integrity of the transmitted message in the WBAN, an anonymous signature mechanism is attached to the transmitted message.

Confidentiality.
The messages transmitted in the WBAN contain the patient's sensitive information, and this information is highly private to the patient. Therefore, the proposed protocol needs to ensure that unauthorized entities cannot obtain the content of the transmitted message.

Identity Privacy-Preserving.
To protect the identity privacy of users (especially the patients), the actual identity of the patients cannot directly appear in the transmitted messages. Besides, the proposed protocol also needs to ensure that the adversary cannot decipher/calculate the patient's actual identity through the message.

Conditional Traceability.
In WBAN, for the manager, the doctor's identity should be traceable. Especially when a doctor makes any dispute or misbehavior, the manager needs to have the ability to get the doctor's actual identity. This provides a basis for subsequent accountability and can also reduce the loss of WBAN.

Attack Resistance.
To ensure secure communication in WBANs, the proposed protocol should be able to withstand various common attacks, such as replay attack, impersonation attack, and man-in-the-middle attack.

Elliptic Curve Cryptography.
Elliptic curve cryptography (ECC) is one of the most widely used public key asymmetric cryptographies [30]. Its security comes from the discrete logarithm problem (DLP) in a group defined by points on elliptic curve. An elliptic curve E over GF(p), where p is a large prime, is defined by an equation of the following form: where $a, b \in GF(p)$ and satisfies $4a^3 + 27b^2 \neq 0 \pmod{p}$. There are two basic operations on ECC: point addition and scalar multiplication. The scalar multiplication over E can be computed by repeated addition as
$k \cdot P = P + P + \cdots + P$ (k times). (2)
The hardness of the elliptic curve discrete logarithm problem is essential for the security of all elliptic curve cryptographic schemes. Here, we present two important mathematical problems on elliptic curves as follows [31]:
Elliptic curve discrete logarithm problem (ECDLP): given an elliptic curve E defined over a finite field GF(p), and two points $Q, P \in E$ of order q, it is hard to find an integer $k \in Z_q^*$ such that $Q = k \cdot P$.
Elliptic curve Diffie-Hellman problem (ECDHP): given an elliptic curve E defined over a finite field GF(p), a point $P \in E$ of order n, $A = aP$, $B = bP$, find the point $C = abP$.

The Proposed Authentication Protocol
In this section, we present our proposed authentication protocol for WBAN. The proposed protocol consists of three phases: system initialization, registration, and anonymous mutual authentication. All the notations used in this paper are presented in Table 1. The detailed descriptions of these phases are explained as follows.

System Initialization.
In the proposed authentication protocol, as mentioned earlier, RC is considered as a trusted third party. It is responsible for the registration of all patients and doctors in the WBAN. At the same time, it must also set relevant security parameters for the authentication protocol.
Step I-1: RC selects an appropriate elliptic curve E over the finite field GF(p). Then, RC chooses a bilinear mapping $e: G_1 \times G_1 \to G_2$ and the generator $P_0 \in G_1$ with the order q over elliptic curve E, where q is a big prime number.
Step I-2: RC chooses two secure hash functions h and H, where $h: \{0, 1\}^* \to Z_q^*$, $H: \{P \in E\} \to \{0, 1\}^l$, in which l is the length of the string. Next, RC selects two random numbers $u, v \in Z_q^*$ as secret values and keeps them properly.
Step I-3: RC chooses a random number $s_{RC}$ as its master key and computes the corresponding public key $PK_{RC} = s_{RC} \cdot P$. Then, RC publishes the public system parameters to the users: $param = \{E, G_1, G_T, PK_{RC}, h, H, e\}$.

Registration.
This phase consists of the doctor registration and the patient registration. The process of registration is explained as follows:
Doctor registration: when a doctor $D_i$ wants to log in to the system to get the patient's information, he/she must first register at RC through the following steps:
Step DR-1: the doctor $D_i$ chooses his/her own identification $DID_i$ and password $DPW_i$ and a random number $r_i$ and then computes $h(r_i \oplus DPW_i)$. Then, $D_i$ sends the message $\{DID_i, h(r_i \oplus DPW_i)\}$ to RC via a secure channel.
Step DR-2: upon receiving the message . Then, RC regards the parameter $s_{D_i} = h(r_i \oplus DPW_i)$ as the doctor $D_i$'s master key and then computes the corresponding public key $PK_{D_i} = s_{D_i} \cdot u \cdot P$.
Step DR-3: RC provides a license to the doctor $D_i$: $L_{D_i} = s_{D_i} \cdot v \cdot P$, then RC maintains $\langle DID_i, L_{D_i} \rangle$ in the checklist. This checklist is used to check the actual identity of the doctor when the doctor makes any dispute or misbehavior.
Step DR-4: the RC issues a smart card to the doctor $D_i$; the card contains the values $\{B_i, V_i, PK_{D_i}, L_{D_i}, r_i\}$. After receiving the smart card, the doctor $D_i$ inserts the value $r_i$ into the smart card. Then, the smart card
Patient registration: when the patient $P_j$ is ready to go to the hospital for treatment, RC will register his/her handheld terminal and assign relevant medical sensors to him/her to monitor the physical parameters.
Step PR-1: RC chooses a random number $s_{P_j} \in Z_p^*$ as the patient $P_j$'s master key. And then RC computes the corresponding public key $PK_{P_j} = s_{P_j} \cdot u \cdot P$. Next, RC sends the message $\{s_{P_j}, PK_{P_j}\}$ to the patient $P_j$ through a secure channel.

Patient to Doctor Anonymous Authentication.
When the patient $P_j$ wants to send the data collected by himself to the doctor $D_i$ to facilitate the doctor's diagnosis or detection, this step is required. Since the data transmitted by the patient to the doctor contain very sensitive health information, in order to preserve the privacy of these data, the patient needs to use encryption and authentication methods to process the data. The detailed steps are as follows:
Step PA-1: the patient $P_j$ first chooses a random value $k \in Z_p^*$ and calculates where data are the physical parameters of the patient $P_j$ and $T_j$ is the timestamp. Then, the patient $P_j$ sends the message $\{a_1, c_1, T_j\}$ to the doctor $D_i$ via common channel.
Step PA-2: upon receiving the message $\{a_1, c_1, T_j\}$, the doctor $D_i$ computes $w_1^* = c_1 \oplus H(s_{D_i} \cdot a_1)$ and extracts the data, $a_3$, $a_4$ and the timestamp $T_j$ from $w_1^*$. Then, the doctor $D_i$ verifies whether the timestamp $T_j$ is fresh. If it is not fresh, the doctor $D_i$ discards the message directly and terminates the authentication process. Otherwise, go to the next step.
Step PA-3: the doctor $D_i$ checks if $e(a_3, PK_{D_i}) \stackrel{?}{=} e(PK_{RC}, h(data) \cdot s_{D_i} \cdot a_4)$ holds. If the above equation is true, the doctor $D_i$ considers that the patient $P_j$ is legitimate and the health information data have not been destroyed. Otherwise, the patient $P_j$ is considered to be an illegal user and refuses to accept the health information data.
Proof of Correctness. The challenger equation $e(a_3, PK_{D_i}) \stackrel{?}{=} e(PK_{RC}, h(data) \cdot s_{D_i} \cdot a_4)$ calculated by the doctor $D_i$ should be held by using the values $a_3$ and $a_4$ sent from the patient $P_j$.
$$\begin{aligned} e(a_3, PK_{D_i}) &= e(h(data) \cdot k \cdot s_{P_j} \cdot PK_{RC}, PK_{D_i}) \\ &= e(k \cdot s_{P_j} \cdot PK_{RC}, h(data) \cdot s_{D_i} \cdot P) \\ &= e(PK_{RC}, h(data) \cdot k \cdot s_{P_j} \cdot s_{D_i} \cdot P) \\ &= e(PK_{RC}, h(data) \cdot s_{D_i} \cdot k \cdot PK_{P_j}) \\ &= e(PK_{RC}, h(data) \cdot s_{D_i} \cdot a_4). \end{aligned} \quad (4)$$
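The Step PA-3 check can be exercised numerically. The following is an added example, not code from the paper: it uses a toy bilinear group in which a point x·P is stored as the integer x and the pairing as a product of exponents, which is insecure and only verifies the algebra. The group order, the SHA-256 instantiation of h, and all function names are assumptions, and the $c_1$ encryption layer is left out.

```python
import hashlib
import secrets

# Toy bilinear group, constructed for illustration only (NOT secure):
# the point x*P is stored as the integer x mod Q, and the pairing value
# e(x*P, y*P) = e(P, P)^(x*y) is stored as the exponent x*y mod Q.
# A real deployment uses a pairing library; this model only checks algebra.
Q = 2**127 - 1   # prime order of the toy group (assumed value)
P = 1            # the generator P, i.e. 1*P


def rand_scalar() -> int:
    """Uniform element of Z_Q^*."""
    return 1 + secrets.randbelow(Q - 1)


def h(data: bytes) -> int:
    """Hash h: {0,1}* -> Z_Q^*, built from SHA-256 (assumed instantiation)."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def mul(scalar: int, point: int) -> int:
    """Scalar multiplication scalar * point in the toy G1."""
    return scalar * point % Q


def pairing(x: int, y: int) -> int:
    """Bilinear map e(x*P, y*P), returned as the exponent of e(P, P)."""
    return x * y % Q


def rc_setup() -> dict:
    """System initialization: RC master key s_RC, secret u, public PK_RC."""
    s_rc, u = rand_scalar(), rand_scalar()
    return {"s_rc": s_rc, "u": u, "pk_rc": mul(s_rc, P)}


def register_doctor(rc: dict, r_i: bytes, password: bytes):
    """Steps DR-1/DR-2: s_Di = h(r_i XOR DPW_i), PK_Di = s_Di * u * P."""
    n = max(len(r_i), len(password))
    xored = bytes(a ^ b for a, b in
                  zip(r_i.ljust(n, b"\0"), password.ljust(n, b"\0")))
    s_d = h(xored)
    return s_d, mul(s_d, mul(rc["u"], P))


def register_patient(rc: dict):
    """Step PR-1: random s_Pj, PK_Pj = s_Pj * u * P."""
    s_p = rand_scalar()
    return s_p, mul(s_p, mul(rc["u"], P))


def patient_values(data: bytes, s_p: int, pk_p: int, pk_rc: int):
    """Step PA-1 values a1, a3, a4 for a fresh random k."""
    k = rand_scalar()
    a1 = mul(k, P)
    a3 = mul(h(data) * k * s_p, pk_rc)
    a4 = mul(k, pk_p)
    return a1, a3, a4


def doctor_verify(data: bytes, a3: int, a4: int,
                  s_d: int, pk_d: int, pk_rc: int) -> bool:
    """Step PA-3: e(a3, PK_Di) ?= e(PK_RC, h(data) * s_Di * a4)."""
    return pairing(a3, pk_d) == pairing(pk_rc, mul(h(data) * s_d, a4))


def run_demo() -> dict:
    """Honest run plus two modified messages; inputs are constructed."""
    rc = rc_setup()
    s_d, pk_d = register_doctor(rc, secrets.token_bytes(16),
                                b"constructed-password")
    s_p, pk_p = register_patient(rc)
    data = b"BP=120/80;ECG=ok;T=36.6"   # constructed sample reading
    changed = b"BP=180/80;ECG=ok;T=36.6"
    _, a3, a4 = patient_values(data, s_p, pk_p, rc["pk_rc"])
    _, a3_next, _ = patient_values(data, s_p, pk_p, rc["pk_rc"])
    return {
        "honest": doctor_verify(data, a3, a4, s_d, pk_d, rc["pk_rc"]),
        "data_modified": doctor_verify(changed, a3, a4, s_d, pk_d,
                                       rc["pk_rc"]),
        "a4_modified": doctor_verify(data, a3, mul(2, a4), s_d, pk_d,
                                     rc["pk_rc"]),
        "fresh_k_changes_a3": a3 != a3_next,
    }


if __name__ == "__main__":
    print(run_demo())
```
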

Doctor to Patient Anonymous Authentication.
When the doctor $D_i$ wants to get the relevant health data of the patient $P_j$, he first generates the query information demand and completes the message authentication through the following steps:
Step DA-1: the doctor $D_i$ first inserts his/her smart card to a terminal and then inputs his/her identity $DID_i$ and password $DPW_i$. Then, the smart card computes as follows: , and checks whether $B_i^* = B_i$. If not, the smart card rejects this request and prompts the doctor to enter the correct identity and password. Otherwise, go to the next step.
Step DA-2: the doctor $D_i$ chooses a random number $r \in Z_p^*$ and computes where demand is the query request information of the doctor and $T_i$ is the timestamp. Then, the doctor $D_i$ sends the message $\{b_1, b_5, c_2, Cert_i, T_i\}$ to the patient $P_j$ via a common channel.
Step DA-3: upon receiving the message $\{b_1, b_5, c_2, Cert_i, T_i\}$, the patient $P_j$ verifies whether the timestamp $T_i$ is fresh. If not, the authentication process is terminated. Otherwise, $P_j$ uses his/her private key to . And then, $P_j$ extracts variables demand, $b_3$, $b_4$, $Cert_i$ and the timestamp $T_i$ from $w_2^*$.
Step DA-4: $P_j$ verifies whether the equation $e(b_3, PK_{P_j}) \stackrel{?}{=} e(PK_{RC}, h(demand) \cdot s_{P_j} \cdot b_4)$ holds. If the above equation is true, the patient $P_j$ considers the doctor to be a legitimate doctor, and he will provide the relevant health data according to the doctor's requirements. Otherwise, he believes that the doctor $D_i$ is an illegal doctor and refuses to accept his request. Figure 3 summarizes the process of login and the doctor to patient authentication phase.
Proof of correctness:
Step DA-5 (identity tracking): if the request message demand is suspected of having a problem or illegal operation, RC is able to track the actual identity of the doctor using the certificate $Cert_i$ in the message. The process is as follows: Then, RC finds the corresponding record $\langle DID_i, L_{D_i} \rangle$ in the checklist and gets the actual identity of the doctor $DID_i$.
Figure 2: The patient to doctor authentication phase. (Patient $P_j$ chooses a random $k \in Z_p^*$ and computes $a_1 = k \cdot P$, $a_2 = k \cdot PK_{D_i}$, $a_3 = h(data) \cdot k \cdot s_{P_j} \cdot PK_{RC}$, $a_4 = k \cdot PK_{P_j}$; if the check holds, doctor $D_i$ considers the patient $P_j$ legitimate and accepts the health information data.)
Figure 3: The login process and doctor to patient authentication phase. (Doctor $D_i$ inserts the smart card and inputs $DID_i$ and $DPW_i$, then chooses a random $r \in Z_p^*$; patient $P_j$ checks the freshness of $T_i$ and, if the check holds, considers the doctor $D_i$ legitimate and accepts the request demand.)

Security Analysis
In this section, we first prove that the proposed anonymous user authentication protocol is provably secure under the BAN logic [32,33]. Next, the security and functional features of the proposed authentication protocol are discussed.

BAN Logic-Based Formal Security Analysis.
We use BAN logic to analyze the security and correctness of our proposed authentication protocol. Table 2 summarizes the notations and rules of the BAN logic.
Goals. According to the analytic procedures of the BAN logic, the proposed authentication protocol must satisfy the following security goals:
The initial status forms of the proposed authentication protocol are formally described as follows:
The idealized transformed message of the proposed authentication protocol is described as follows:
The main analysis steps of the proposed authentication protocol based on the BAN logic are described as follows:
By $A_2$, $A_3$, and the message meaning rule, it is easy to get $S_1$: $D_i$ |≡ $P_j$ |∼ $a_3$, data $H(a_2)$
By $S_1$, $A_3$, $Msg_1$, and the nonce verification rule in which k is the necessary part of $H(a_2)$, it is easy to get $S_2$: $D_i$
By $S_2$, $Msg_1$, and the nonce verification rule in which $T_j$ is the part of $c_1$, it is easy to get $S_3$:
By $A_1$, $A_4$, and the message meaning rule, it is easy to get $S_4$:
By $S_4$, $A_4$, $Msg_1$, and the nonce verification rule in which r is the necessary part of $H(b_2)$, it is easy to get $S_5$: $P_j$
By $S_5$, $Msg_2$ and the nonce verification rule in which $T_i$ is the part of $c_2$, it is easy to get $S_6$:

Informal Security Analysis.
In this section, the security and functional features of the proposed authentication protocol are discussed. Through the detailed analysis, it has been proven that the proposed protocol can withstand various common attacks.

Privileged Insider Attack.
In the proposed protocol, RC does not store any patient-related information. Therefore, the privileged insider cannot obtain any critical information about the patient. On the other hand, although RC stores the doctor's checklist $\langle DID_i, L_{D_i} \rangle$ to track the doctor's true identity, the privileged insider cannot guess the doctor's password $DPW_i$ or private key $s_{D_i}$. Therefore, he/she has no advantage in breaking the robustness of the proposed authentication protocol.

Replay Attack.
Owing to the open nature of the wireless communication channel, the replay attack poses a great security threat to the wireless body area networks.
According to the specification of the proposed protocol, the first step of each entity (the patient or doctor) is to check the freshness of the authentication messages using the timestamps $T_i$ or $T_j$. In addition, the timestamp is hashed and XORed (⊕) with other parameters ($c_1$, $c_2$, or $b_5$), which are contained in the authentication messages. Therefore, if the timestamp is not fresh, the receiver discards the message directly and aborts the session. If the adversary modifies the timestamp, he/she cannot calculate the corresponding parameters. Consequently, our proposed protocol is able to withstand the replay attack.

Impersonation Attack.
Let A be an adversary who has the ability to intercept the authentication message of the patient $P_j$: $\{a_1, c_1, T_j\}$. A may try to generate a forged authentication message $\{a_1^*, c_1^*, T_1^*\}$. Since A has not registered at RC and does not know the secret value u, it is impossible for A to obtain its own correct public key $PK_{P_j}^*$. Even though the adversary A chooses a new random number $k^*$ to compute the corresponding parameter $a_1^*$, he cannot compute the correct parameters $a_3^*$ and $a_4^*$. Therefore, it is easy to find that the adversary cannot pretend to be a patient.
Similarly, we can get that the adversary A has no ability to pretend to be a doctor because he does not know the RC's secret value u. Therefore, the proposed authentication protocol can resist the impersonation attack.

Stolen Smart Card Attack.
In the proposed protocol, every doctor has a smart card to log in to the wireless body area networks. Suppose an adversary A picks up or steals a doctor's smart card and extracts the stored secret parameters , $PK_{D_i} = s_{D_i} \cdot u \cdot P$, and $L_{D_i} = s_{D_i} \cdot v \cdot P$. Furthermore, assume that the adversary A eavesdrops the authentication message $\{b_1, b_5, c_2, Cert_i, T_i\}$ sent by the doctor. Using these obtained parameters, if A wants to pretend to be a doctor and launch an attack, he must try to guess the doctor's password $DPW_i$ to generate the doctor's private key $s_{D_i} = h(r_i \oplus DPW_i)$. Without knowing the doctor's password, the adversary A cannot compute the doctor's private key. Then he cannot further generate the correct authentication message. Therefore, it is easy to find that the proposed protocol is resistant to stolen smart card attack.

User Anonymity.
User anonymity is a very important security requirement in the WBAN. To protect the privacy of doctors and patients, the proposed protocol takes the following measures. On the patient side, the random value $k \in Z_p^*$ and the timestamp $T_j$ are used in each round of the patient to doctor authentication. The patient's master key $s_{P_j}$ and public key $PK_{P_j}$ are encrypted in $a_3$, $a_4$ with k and $T_j$, respectively. Suppose that the adversary A could intercept the message $\{a_1, c_1, T_j\}$; it is an impossible task for A to obtain the patient's fixed master key $s_{P_j}$ and public key $PK_{P_j}$. Similarly, the adversary A cannot use the message transferred from the doctor to the patient to obtain the doctor's fixed parameters. Consequently, the proposed authentication protocol can achieve the anonymity of the patients and the doctors.

Authentication and Data Integrity.
In the proposed scheme, the patient's physiological parameter data and the doctor's query request information demand are encrypted by the hash values $H(a_2)$ and $H(b_2)$, respectively. In addition, the values h(data) and h(demand) are the parameters of $a_3$ and $b_3$, respectively. According to the property of hash, if any bits are modified, the verification equations $e(a_3, PK_{D_i}) \stackrel{?}{=} e(PK_{RC}, h(data) \cdot s_{D_i} \cdot a_4)$ and $e(b_3, PK_{P_j}) \stackrel{?}{=} e(PK_{RC}, h(demand) \cdot s_{P_j} \cdot b_4)$ cannot be established. Consequently, the proposed authentication protocol can check the integrity of the messages transmitted between the doctor and the patient.

Unlinkability and Conditional Traceability.
For the adversary A, he could intercept the messages $\{a_1, c_1, T_j\}$ and $\{b_1, b_5, c_2, Cert_i, T_i\}$. However, the random numbers k and r are different in each round of the message authentication. Therefore, it is difficult for the adversary A to trace the messages which were transmitted from the doctor or the patient. On the other hand, the RC has the ability to track the doctor's actual identity through the formula in Step DA-5. Therefore, except for the ability of RC to track the identity of doctors, other entities cannot track the identity of doctors or patients.

Performance Analysis
In this section, the performance of the proposed scheme is evaluated in terms of computational cost, communication overhead, and security requirements. We then compare the proposed scheme with the existing research activities in terms of security and functional features.

Computation Cost.
In the proposed scheme, the computational cost refers to the time consumed in the phases of message generation and verification. The multiplicative cyclic groups used in the proposed scheme are built based on a Type-A elliptic curve, which is defined in the pairing-based cryptography (PBC) library [34]. In addition, we use C language under specific IDE and C/C++ MIRACL Library to implement the related cryptographic operations. To evaluate the computational costs of the proposed scheme, some of the related notations are listed in Table 3.
Our implementation uses a PC with Intel Core i7 CPU 2.6 GHz and 8 GB memory to run the proposed authentication protocol. In our simulation, each randomized ID is 1024 bits, and the size of the ECC point is 160 bits. The execution time for each cryptographic operation is derived from 10 runs of the experiment. The average running time of each cryptographic operation is listed in Table 4. It needs to be explained here that we have ignored the running time of the XOR operation because it is negligible.
In our implementation, the costs of the registration and smart card distribution are not considered since they only run a limited number of times in the initial stage of the proposed protocol. Table 5 shows a comparison for computation cost between the proposed authentication protocol and the related works. From Table 5, it is obvious that the proposed authentication protocol takes only one point multiplication, one pairing, and one hash function to generate the certificate. And the time of verifying the certificate only needs one hash function, two point multiplications, and one pairing operation. Compared with the related research activities, it is easy to find that the proposed protocol needs a very low computational overhead to complete the authentication process.

Notations: Description
P, Q: A principal
P ◁ X: P sees X
P |∼ X: P said X, X was sent by P
P |⇒ X: P has jurisdiction over X
$\xrightarrow{k} P$: k is P's public key
$P \xleftrightarrow{k} Q$: k is only known to P and Q
Formulae X is combined with the formulae k
$\{X\}_k$: X is encrypted by the key k
P |≡ X: P has faith in the truth of X
Rule 1: message meaning rule

Communication Overhead.
To analyze the communication overhead of the proposed authentication protocol, the size of the parameters used in the proposed scheme is shown below. The length of the random number, the point of ECC, the identity, the output of a hash function, and the timestamp are 128 bits, 320 bits, 128 bits, 160 bits, and 32 bits, respectively. We assumed that the length of the physical parameters of the patient data and the query request information of the doctor demand are 500 bits and 300 bits, respectively. Under these assumptions, in the patient to doctor authentication phase of the proposed protocol, the patient sends the message $M_1 = \{a_1, c_1, T_j\}$ to the doctor. Similarly, in the doctor to patient authentication phase, the doctor sends the message $M_2 = \{b_1, b_5, c_2, Cert_i, T_i\}$ to the patient. These two messages need 320 + 500 + 320 + 320 + 32 + 32 = 1524 bits and 320 + 320 + 300 + 320 + 32 = 1292 bits, respectively. In Table 6, we summarize the brief comparison of communication overhead between the proposed scheme and other existing schemes.
Compared with other existing schemes, the proposed scheme's communication cost is similar to that of other related research works. However, the messages in the proposed protocol contain the patient's physical parameter data and the doctor's query request information demand. In other words, the proposed scheme can not only achieve the identity authentication, but also complete the transfer of the patient's physiological data and the data requested by the doctor. Therefore, the proposed protocol is not only efficient in terms of communication overhead in the WBAN system but also has more extra features.

Security Requirements.
We compare the proposed authentication protocol with the related authentication schemes in terms of security requirements such as replay attack, impersonation attack, secure mutual authentication, message integrity, and confidentiality. The detailed comparison of various security attacks and functions is shown in Table 7. The comments from Table 7 show that our authentication protocol not only gives the support of much more functionality but also overcomes more security weaknesses.

Conclusion
In this article, an efficient and privacy-preserving authentication protocol for the WBAN is presented. In the proposed authentication scheme, the doctor and the patient are anonymously authenticated by each other before sending the patient-related information (the patient's physical parameters or the doctor's query request). The security analysis showed that the proposed authentication protocol could provide resistance against common attacks such as replay attack, impersonation attack, and eavesdropping attack. The proposed authentication scheme takes very little cost for signature and certificate authentication, which is essential for the WBAN-based applications. Moreover, the proposed scheme gives an effective privacy and tracking method to disclose the actual identification of the malicious doctor to improve the usability of the WBAN. The performance analysis showed that the proposed scheme is efficient in terms of computational cost and communication cost. It is more appropriate for practical WBAN-based applications. The future extension of this article is to provide an authentication method that can transmit a larger amount of data for the patient in an efficient manner.

Data Availability
The data used to support the findings of this study are available at https://crypto.stanford.edu/pbc/.

Conflicts of Interest
None of the authors have any conflicts of interest.