Sage Journals: Discover world-class research

Abstract

Mobile healthcare (M-health) systems can monitor the patients’ conditions remotely and provide the patients and doctors with access to electronic medical records, and Radio Frequency Identification (RFID) technology plays an important role in M-health services. It is important to securely access RFID data in M-health systems: here, authentication, privacy, anonymity, and tracking resistance are desirable security properties. In 2014, He et al. proposed an elliptic curve cryptography- (ECC-) based RFID authentication protocol which is quite attractive to M-health applications, owing to its claimed performance of security, scalability, and efficiency. Unfortunately, we find their scheme fails to achieve the privacy protection if an adversary launches active tracking attacks. In this paper, we demonstrate our active attack on He et al.'s scheme and propose a new scheme to improve the security. Performance evaluation shows the improved scheme could meet the challenges of M-health applications.

1. Introduction

Mobile healthcare (M-health) systems can monitor the patients’ conditions remotely and provide the patients and doctors with access to electronic medical records. Such a system improves both convenience and efficiency, because the patients and doctors are no longer required to be present at the same place; therefore, patients can contact their doctor at home and obtain the instant diagnosis and prescription. In the development of M-health systems, Radio Frequency Identification (RFID) technology plays an important role for identifying and accessing patients and objects. Therefore, securely accessing these RFID tags and systems is critical to the success of M-health systems [1, 2].

In a RFID system, there are three types of roles: RFID tags, RFID readers, and a back-end server. Each tag has a unique number which is used to identify a RFID-tagged product. To obtain data from a tag, a reader first issues a query to the tag and then forwards the received information provided by the tag to a back-end server. The back-end server maintains a database of the information of tags and their labelled products. However, since a tag automatically responds to any readers’ queries via radio signal, the owner of the tagged product is even unaware of this action. If the tag transmits a fixed value in response to readers’ queries, it raises potential privacy threats to the labelled objects and the owner's location.

Privacy protection in a RFID system is investigated in two respects. One is anonymity; the other is tracking attack resistance. The former is to provide confidentiality of tag's identity such that an unauthorized observer cannot learn the identity of the tag. The latter is to provide unlinkability of any two RFID transmission sessions; that is, given any two RFID transactions, an attacker cannot tell whether the two transactions came from the same tag or not. Tracking attack could be classified into two categories: passive tracking attack and active tracking attack. The passive tracking attack is that an adversary tries to distinguish whether two RFID transactions came from the same tag by eavesdropping only, while the active tracking attack is that an adversary can actively participate in the transactions (like eavesdropping, interrupt, replay, and modification) to get the data to tell whether two transactions came from the same tag. Both types of tracking might be used to infer users’ location information or even their personal profiles.

Due to the advances of hardware development, many RFID schemes based on the public key techniques have been proposed and implemented [3]. Compared with the other cryptography mechanisms, the elliptic curve cryptography (ECC) [4, 5] is more competitive since it could provide the same security level with much smaller key size. Lee et al. [6] proposed an ECC-based RFID authentication scheme. Bringer et al. [7] and Deursen and Radomirovic [8] found that Lee et al.'s scheme is vulnerable to the tracking attack and the replay attack. Liao and Hsiao [9] proposed an ECC-based RFID authentication scheme integrated with an ID verifier transfer protocol; nevertheless, Peeters and Hermans [10] showed Liao and Hsiao's scheme cannot resist the server impersonation attack. Tan [11] proposed ECC-based RFID three-factor authentication. Arshad and Nikooghadam [12] found that Tan's scheme is not resistant to the replay attack and the denial-of-service attack.

In 2014, He et al. [13] proposed an elliptic curve cryptography- (ECC-) based RFID authentication protocol which aimed at protecting tag's anonymity and unlinkability and improving the computational complexity. Compared with the previous authentication schemes, He et al.'s scheme has better performance in terms of security, computational cost, and storage requirement. Unfortunately, we find that their scheme fails to achieve the privacy protection if an adversary launches active tracking attacks. We will show the weaknesses and propose an improved scheme. The rest of this paper is organized as follows. Section 2 gives the preliminary sketch of the elliptic curve cryptography and bilinear pairing. Section 3 reviews He et al.'s scheme and shows its security weakness. In Section 4, we propose our new scheme, which is followed by security analysis and performance evaluation in Section 5. Finally, conclusions are given in Section 6.

2. Preliminaries

We briefly introduce the elliptic curve cryptography and the bilinear pairing.

2.1. Elliptic Curve Cryptography

Koblitz [4] and Miller [5] introduced elliptic curves for cryptographic applications. Since then, elliptic curve cryptography (ECC) has played an important role in many cryptosystems. An elliptic curve E is defined over the equation $y^{2} = x^{3} + a x + b$ over $F (q)$ , where q is a large prime and $F (q)$ is a finite field of order q. The main attraction of ECC is that ECC with 160-bit key can reach a security level the same as that of 1024-bit RSA and thereby significantly reduce the key size.

The security of He et al.'s protocol is based on the complexity of the elliptic curve discrete logarithm problem (ECDLP) [14].

Elliptic Curve Discrete Logarithm Problem (ECDLP). Given an elliptic curve E over $F (q)$ and two points P and Q on E, the elliptic curve discrete logarithm problem is to find an integer $x \in Z_{q}^{*}$ such that $x P = Q$ .

2.2. The Bilinear Pairing

The bilinear pairing was initially considered as a negative property on the design of elliptic curve cryptosystems, because it reduces the discrete logarithm problem on some elliptic curves (especially for supersingular curves) to the discrete logarithm problem in a finite field [15]. Such property diminishes the strength of supersingular curves in practice [16]. However, followed by the tripartite key agreement protocol proposed by Joux [17] and the identity-based encryption scheme proposed by Boneh and Franklin [18], pairing becomes beneficial and favorable to the design of cryptographic protocols or cryptosystems [19].

Let $G_{1}$ be an additive cyclic group (which is the elliptic curve group $E (F_{q})$ here) and let $G_{2}$ be a multiplicative cyclic group with the same prime order n; that is, $|G_{1}| = |G_{2}| = n$ . Bilinear pairing is defined by $\hat{e} : G_{1} \times G_{1} \to G_{2}$ which satisfies the following properties: (1)

Bilinear: for all $P, Q \in G_{1}$ and all $u, v \in Z_{n}^{*}$ , we have $\hat{e} (u P, v Q) = \hat{e} (u v P, Q) = \hat{e} (P, u v Q) = \hat{e} (P, Q)^{u v}$ .

(2)

Nondegenerate: $\hat{e} (P, P) \neq 1$ for some $P \in G_{1}$ .

(3)

Computable: given $P, Q \in G_{1}$ , there is an efficient algorithm to compute $\hat{e} (P, Q)$ .

We find that He et al.'s protocol is vulnerable to active tracking attack. We will utilize the bilinear pairing to facilitate our active attacks in Section 4.

3. Weaknesses of He et al.'s Protocol

3.1. Review of He et al.'s Protocol

This section reviews He et al.'s protocol [13]. The system consists of three kinds of entities: readers, a back-end server, and a set of tags; but the RFID reader is omitted from the protocol description since it acts as an intermediate party that relays messages exchanged between a tag and the server. It is assumed that the communication between the reader and back-end server is secure. The proposed protocol comprises two phases: setup and authentication. Notations used in the protocol are defined as follows: (i)

$n, q$ : two large primes.

(ii)

$F (q)$ : a finite field of order q.

(iii)

E: an elliptic curve defined by the equation $y^{2} = x^{3} + a x + b$ over $F (q)$ .

(iv)

P: a generator point for a group of order n over E.

(v)

$x_{s}$ : the private key of the server.

(vi)

$P_{s}$ : the public key of the server $P_{s} = x_{s} P$ .

(vii)

$X_{T}$ : the ID verifier of the tag.

Setup Phase. To set up the system, the back-end server performs the following tasks: (i)

Define $params = \{q, a, b, P, n\}$ as the elliptic curve domain parameters.

(ii)

Choose a random number $x_{s} \in Z_{n}^{*}$ as the server's private key, and compute $P_{s} = x_{s} P$ as the server's public key.

(iii)

Choose a random point $X_{T}$ on E denoted as a tag's ID verifier.

(iv)

(params, $P_{s}$ , $X_{T}$ ) is stored at both the tag and the server's database.

(v)

The server also keeps $x_{s}$ secret.

Authentication Phase. To achieve mutual authentication, the server (S) and the tag ( $T a g_{X_{T}}$ ) do the following steps. The authentication phase is illustrated in Figure 1.

Figure 1

The authentication phase of He et al.'s protocol.

Step 1 ( $S \to T a g_{X_{T}} : m_{1} = \{R_{1}\}$ ).

S randomly chooses $r_{1} \in Z_{n}^{*}$ , computes $R_{1} = r_{1} P$ , and sends $m_{1} = \{R_{1}\}$ as a challenge to the tag.

Step 2 ( $T a g_{X_{T}} \to S : m_{2} = \{R_{2}, {A u t h}_{T}\}$ ).

$T a g_{X_{T}}$ randomly chooses $r_{2} \in Z_{n}^{*}$ and computes $R_{2} = r_{2} P$ , $T K_{T 1} = r_{2} P_{s}$ , $T K_{T 2} = r_{2} R_{1}$ , and $A u t h_{T} = (X_{T} + T K_{T 1}) \oplus T K_{T 2}$ . Then, $T a g_{X_{T}}$ sends back $m_{2} = \{R_{2}, {A u t h}_{T}\}$ to S.

Step 3 ( $S \to T a g_{X_{T}} : m_{3} = \{{A u t h}_{s}\}$ ).

S computes $T K_{s 1} = x_{s} R_{2}$ , $T K_{s 2} = r_{1} R_{2}$ , and $X_{T} = ({A u t h}_{T} \oplus T K_{s 2}) - T K_{s 1}$ and then searches the server's database for $X_{T}$ . If it is not found, the server S rejects the tag; otherwise, the tag $T a g_{X_{T}}$ is authenticated and thereafter S computes ${A u t h}_{s} = (X_{T} + 2 T K_{s 1}) \oplus (2 T K_{s 2})$ and sends back $m_{3} = \{{A u t h}_{s}\}$ to $T a g_{X_{T}}$ .

Step 4.

Upon receiving the server's response, $T a g_{X_{T}}$ checks if $(X_{T} + 2 {TK}_{T 1}) \oplus (2 {T K}_{T 2}) = {A u t h}_{s}$ . If it succeeds, the server S is authenticated; otherwise, the tag stops the procedure.

3.2. The Weaknesses

We find that He et al.'s protocol is vulnerable to active tracking attack. We utilize the bilinear pairing to check whether the two transactions came from the same tag or not. We demonstrate our active attack as follows, where Adv denotes the notion that the adversary impersonates the server to get the responses for tracking. First of all, Adv randomly chooses $r_{1} \in Z_{n}^{*}$ , computes $R_{1} = r_{1} P$ , and sends message $m_{1} = \{R_{1}\}$ to probe the tags it encounters. In the following, we assume Adv encounters the same tag $T a g_{X_{T}}$ .

Upon receiving the query, $T a g_{X_{T}}$ randomly chooses $r_{2} \in Z_{n}^{*}$ and computes $R_{2} = r_{2} P$ , $T K_{T 1} = r_{2} P_{s}$ , $T K_{T 2} = r_{2} R_{1}$ , and ${A u t h}_{T} = (X_{T} + T K_{T 1}) \oplus T K_{T 2}$ . Then, $T a g_{X_{T}}$ sends back $m_{2} = \{R_{2}, A u t h_{T}\}$ to S. Adv can compute $T K_{s 2} = r_{1} R_{2}$ , which equals $T K_{T 2}$ . So Adv obtains $(X_{T} + T K_{T 1}) \oplus T K_{T 2} \oplus T K_{s 2} = (X_{T} + T K_{T 1})$ .

When $T a g_{X_{T}}$ is probed again, it randomly chooses $\bar{r_{2}} \in Z_{n}^{*}$ and computes $\bar{R_{2}} = \bar{r_{2}} P$ , $\bar{T K_{T 1}} = \bar{r_{2}} P_{s}$ , $\bar{T K_{T 2}} = \bar{r_{2}} R_{1}$ , and $\bar{A u t h_{T}} = (X_{T} + \bar{T K_{T 1}}) \oplus \bar{T K_{T 2}}$ . Then, $T a g_{X_{T}}$ responds with $m_{2} = \{\bar{R_{2}}, \bar{A u t h_{T}}\}$ . Adv computes $T K_{s 2} = r_{1} \bar{R_{2}}$ , which equals $\bar{T K_{T 2}}$ . Then, it obtains $(X_{T} + \bar{T K_{T 1}}) \oplus \bar{T K_{T 2}} \oplus \bar{T K_{s 2}} = (X_{T} + \bar{T K_{T 1}})$ . Now Adv performs the following steps to verify whether the two transactions came from the same tag: (1)

It computes $(X_{T} + T K_{T 1}) - (X_{T} + \bar{T K_{T 1}}) = T K_{T 1} - \bar{T K_{T 1}} = (r_{2} - \bar{r_{2}}) P_{s}$ and $R_{2} - \bar{R_{2}} = r_{2} P - \bar{r_{2}} P = (r_{2} - \bar{r_{2}}) P$ .

(2)

It checks whether the equation $\hat{e} (R_{2} - {\bar{R}}_{2}, P_{S}) \overset{?}{=} \hat{e} ((X_{T} + T K_{T 1}) - (X_{T} + \bar{T K_{T 1}}), P)$ holds.

If the transactions came from the same tag, the above verification equation should hold, because $\hat{e} (X_{T} + T K_{T 1}) - (X_{T} + \bar{T K_{T 1}}), P) = \hat{e} ((r_{2} - {\bar{r}}_{2}) P_{S}, P) = \hat{e} ((r_{2} - {\bar{r}}_{2}) P, P)^{x_{s}} = \hat{e} ((r_{2} - {\bar{r}}_{2}) P, x_{s} P) = \hat{e} ((R_{2} - {\bar{R}}_{2}), P_{S})$ . That is, He et al.'s protocol cannot resist the active tracking attack.

4. The Proposed Scheme

We propose a new ECC-based scheme, which owns excellent performance in terms of security, computational complexity, and communicational cost. Our scheme can resist all security threats including active tracking attack. Regarding computational complexity, we reduce the number of elliptic curve scalar multiplications, which is the most computationally expensive operation in ECC cryptography. For embedded systems like RFID and wireless sensor network, the communication operations consume the highest amount of energy of all the operations; therefore, reducing the message length is critical for saving the energy of these devices. The proposed scheme consists of two phases: setup and authentication. Since the setup phase is the same as that in He et al.'s protocol, it is omitted here. The authentication phase is described as follows.

Authentication Phase. To achieve mutual authentication, the server (S) and the tag ( $T a g_{X_{T}}$ ) do the following steps. The authentication phase is illustrated in Figure 2.

Figure 2

The authentication phase of the proposed protocol.

Step 1 ( $S \to T a g_{X_{T}} : m_{1} = \{R_{1}\}$ ).

S randomly chooses $r_{1} \in Z_{n}^{*}$ , computes $R_{1} = r_{1} P$ , and sends $m_{1} = \{R_{1}\}$ as a challenge to the tag.

Step 2 ( $T a g_{X_{T}} \to S : m_{2} = \{R_{2}, A u t h_{T}\}$ ).

$T a g_{X_{T}}$ randomly chooses $r_{2} \in Z_{n}^{*}$ and computes $R_{2} = r_{2} P$ , $T K_{T 1} = r_{2} P_{s}$ , $T K_{T 2} = r_{2} R_{1}$ , and $A u t h_{T} = (X_{T} + T K_{T 2}) \oplus H (R_{1} + T K_{T 1})$ . Then, $T a g_{X_{T}}$ sends back $m_{2} = \{R_{2}, A u t h_{T}\}$ to S.

Step 3 ( $S \to T a g_{X_{T}} : m_{3} = \{A u t h_{s}\}$ ).

S computes $T K_{s 1} = x_{s} R_{2}$ , $T K_{s 2} = r_{1} R_{2}$ , and $X_{T} = (A u t h_{T} \oplus H (R_{1} + T K_{s 1})) - T K_{s 2}$ and then searches the server's database for $X_{T}$ . If it is not found, the server S rejects the tag; otherwise, the tag $T a g_{X_{T}}$ is authenticated and thereafter S computes $A u t h_{s} = (X_{T} + 2 T K_{s 2}) \oplus 2 H (R_{1} + T K_{s 1})$ and sends back $m_{3} = \{A u t h_{s}\}$ to $T a g_{X_{T}}$ .

Step 4.

Upon receiving the server's response, $T a g_{X_{T}}$ checks if $(X_{T} + 2 T K_{T 2}) \oplus 2 H (R_{1} + T K_{T 1}) = A u t h_{s}$ . If it succeeds, the server S is authenticated; otherwise, the tag stops the procedure.

5. Security Analysis and Performance Evaluation

5.1. Security Analysis

We analyze the security of the proposed scheme as follows.

Mutual Authentication. The authentication of the tag is dependent on tag's ability to prove its knowledge of the secret $X_{T}$ . In our scheme, the server receives the message $m_{2} = \{R_{2}, A u t h_{T}\}$ , where $R_{2} = r_{2} P$ and $A u t h_{T} = (X_{T} + T K_{T 2}) \oplus H (R_{1} + T K_{T 1})$ . The server will use its private key $x_{s}$ to compute $T K_{s 1} = x_{s} R_{2}$ and $T K_{s 2} = r_{1} R_{2}$ and to extract $X_{T} = (A u t h_{T} \oplus H (R_{1} + T K_{s 1})) - T K_{s 2}$ . Then, the server checks whether $X_{T}$ is stored in the database. Only the genuine tag that owns the secret $X_{T}$ can generate valid $A u t h_{T}$ .

The authentication of the server is dependent on server's ability to extract $X_{T}$ and generate valid $A u t h_{s}$ . Only the genuine server that owns the secret $x_{s}$ can correctly extract $X_{T}$ from $A u t h_{T}$ and then compute valid $A u t h_{s} = (X_{T} + 2 T K_{s 2}) \oplus 2 H (R_{1} + T K_{s 1})$ . Without knowledge of the server's secret key $x_{s}$ , the adversary cannot obtain $T K_{s 1} = x_{s} R_{2}$ . The tag checks the validity of $A u t h_{s}$ . If it is valid, then the server is authenticated.

Anonymity. In our scheme, $m_{1} = \{R_{1}\}$ , $m_{2} = \{R_{2}, A u t h_{T}\}$ , and $m_{3} = \{A u t h_{s}\}$ are transmitted, where the tag-identity-related messages are $A u t h_{T} = (X_{T} + T K_{T 2}) \oplus H (R_{1} + T K_{T 1})$ and $A u t h_{s} = (X_{T} + 2 T K_{s 2}) \oplus 2 H (R_{1} + T K_{s 1})$ which are random due to two random and fresh numbers $r_{1}$ and $r_{2}$ in each session. Therefore, the adversary can learn nothing about the identity of the tag from the transmission. The randomness and freshness of the two random numbers ensure the anonymity of the proposed scheme.

Tracking Attack Resistance. The essence of the active tracking resistance of the proposed scheme is that each calculation of $A u t h_{T} = (X_{T} + T K_{T 2}) \oplus H (R_{1} + T K_{T 1})$ involves the confusion value $H (R_{1} + T K_{T 1})$ , where the computation of $T K_{T 1}$ needs either tag's secret $r_{2}$ or the server's private key $x_{s}$ ; therefore, an active tracker has no way to derive any verifiable data from the transmissions. We can verify this by launching the same active attack on our proposed protocol as follows, where Adv denotes the notion that the adversary impersonates the server to get the responses for tracking.

First of all, Adv randomly chooses $r_{1} \in Z_{n}^{*}$ , computes $R_{1} = r_{1} P$ , and sends message $m_{1} = \{R_{1}\}$ to probe the tags it encounters. In the following, we assume Adv encounters the same tag $T a g_{X_{T}}$ .

Upon receiving the query, $T a g_{X_{T}}$ randomly chooses $r_{2} \in Z_{n}^{*}$ and computes $R_{2} = r_{2} P$ , $T K_{T 1} = r_{2} P_{s}$ , $T K_{T 2} = r_{2} R_{1}$ , and $A u t h_{T} = (X_{T} + T K_{T 2}) \oplus H (R_{1} + T K_{T 1})$ . Then, $T a g_{X_{T}}$ sends back $m_{2} = \{R_{2}, A u t h_{T}\}$ to S. Since Adv cannot compute $T K_{T 1} = r_{2} P_{s}$ , Adv obtains nothing except $A u t h_{T}$ . When $T a g_{X_{T}}$ is probed again, it randomly chooses $\bar{r_{2}} \in Z_{n}^{*}$ and computes $\bar{R_{2}} = \bar{r_{2}} P$ , $\bar{T K_{T 1}} = \bar{r_{2}} P_{s}$ , $\bar{T K_{T 2}} = \bar{r_{2}} R_{1}$ , and $\bar{A u t h_{T}} = (X_{T} + \bar{T K_{T 2}}) \oplus H (R_{1} + \bar{T K_{T 1}})$ . Then, $T a g_{X_{T}}$ responds with $m_{2} = \{\bar{R_{2}}, \bar{A u t h_{T}}\}$ . Adv cannot compute $\bar{T K_{T 1}} = \bar{r_{2}} P_{s}$ , and Adv obtains nothing except $\bar{A u t h_{T}}$ . Adv cannot verify whether the two transactions came from the same tag. That is, our proposed protocol can resist the active tracking attack.

Tag Masquerade Attack Resistance. To impersonate a tag, the adversary must be able to generate a valid message $m_{2} = \{R_{2}, A u t h_{T}\}$ , where $A u t h_{T} = (X_{T} + T K_{T 2}) \oplus H (R_{1} + T K_{T 1})$ . However, it is difficult to generate such a message without knowing the identity of the tag $X_{T}$ .

Server Spoofing Attack Resistance. To impersonate the server, the adversary must be able to generate a valid message $m_{3} = \{{A u t h}_{s}\}$ , where $R_{1} = r_{1} P$ and ${A u t h}_{s} = (X_{T} + 2 T K_{s 2}) \oplus 2 H (R_{1} + T K_{s 1})$ . It is easy for the adversary to generate $R_{1}$ , but it is difficult to generate $A u t h_{s}$ without knowledge of the server's secret key $x_{s}$ and the tag's identity $X_{T}$ .

5.2. Performance Evaluation

We compare the proposed scheme with He et al.'s protocol [13] and some related schemes [9, 12] in terms of computational cost, communicational cost, and storage cost. Let $T_{E A}$ denote the cost of point addition over an elliptic curve E, let $T_{E M}$ denote the cost of scalar multiplication over an elliptic curve E, let $T_{M}$ denote the cost of modular multiplication over the underlying field $F (q)$ , let $T_{I N V}$ denote the cost of modular inverse over the underlying field $F (q)$ , let $T_{H}$ denote the cost of computing a hash value, let $L_{E C C}$ denote the bit length of one elliptic curve point, let $|x|$ denote the size of integer x, and let n denote the number of tags in the system. To evaluate the complexity, we adopt the practical figures from [20]. In [20], it lists the timing for computing $k P$ and $g^{k} \mod p$ , where E is an elliptic curve defined over $F (q)$ , $q \approx 2^{160}$ , P is a point whose order is 160-bit prime over E, k is a random 160-bit integer, and p is a 1024-bit prime. Therefore, we can conclude that $T_{M} \approx (41 / 5) T_{E A} \approx 8 T_{E A}$ , $T_{E M} \approx (29 / 0.12) T_{E A} \approx 241 T_{E A}$ , and $T_{I N V} \approx (3 * 8 / 41) T_{E A} \approx 0.58 T_{E A}$ [20]. Note that the cost of executing an exclusive-or operation (XOR) is negligible when compared with other operations stated above. Since the parameters $params = \{q, a, b, P, n\}$ are stored in both the server and the tag, the storage cost of params is omitted in the following comparison. The performance comparison is summarized in Table 1. Since He et al.'s protocol [13], Liao and Hsiao's scheme [9], Arshad and Nikooghadam's scheme [12], and our proposed scheme rely on the ECDLP, the elliptic curve scalar multiplication is the most time-consuming operation in the elliptic curve cryptosystem. Although our proposed scheme has the same communicational and storage costs as He et al.'s protocol, our proposed scheme owns better computational performance by eliminating one elliptic curve scalar multiplication operation. Our proposed scheme is more efficient than Liao and Hsiao's scheme because our proposed scheme requires less cost in terms of computation, communication, and storage. Table 1 shows that Arshad and Nikooghadam's scheme requires less computational cost than our proposed scheme. However, it has been studied that communication consumes more energy than computation in embedded wireless communication systems like RFID and wireless sensor network [21, 22]. Studies in the past have shown that 3000 instructions could be executed for the same energy usage as sending a bit 100 m by radio [23]; therefore, many studies in these fields devoted lots of efforts to reducing the communication complexity [24, 25]. It is important to optimize communication and minimize energy consumption. In our proposed scheme, the tag communication requires only 50% of that of Arshad and Nikooghadam's scheme, while our scheme achieves the same security properties with slightly more computations.

Table 1

Performance comparison.

	Arshad and Nikooghadam [12]	Liao and Hsiao [9]	He et al. [13]	Ours
The server's computational cost	$2 T_{E M} + T_{M} + T_{I N V} + 8 T_{H} = 490.58 T_{E A} + 8 T_{H}$	$5 T_{E M} + 3 T_{E A} = 1208 T_{E A}$	$5 T_{E M} + 2 T_{E A} = 1207 T_{E A}$	$4 T_{E M} + 4 T_{E A} + 2 T_{H} = 968 T_{E A} + 2 T_{H}$
The tag's computational cost	$2 T_{E M} + T_{M} + 7 T_{H} = 490.58 T_{E A} + 7 T_{H}$	$5 T_{E M} + 3 T_{E A} = 1208 T_{E A}$	$5 T_{E M} + 2 T_{E A} = 1207 T_{E A}$	$4 T_{E M} + 4 T_{E A} + 2 T_{H} = 968 T_{E A} + 2 T_{H}$
Number of rounds/steps	3	3	3	3
Total length of transmitted message	$8 \|x\| + 2 L_{E C C}$	$4 L_{E C C}$	$4 L_{E C C}$	$4 L_{E C C}$
The tag's transmission length	$4 \|x\| + L_{E C C}$	$2 L_{E C C}$	$2 L_{E C C}$	$2 L_{E C C}$
The server's storage cost	$(n + 1) \|x\| + L_{E C C}$	$(n + 1) \|x\| + n L_{E C C}$	$\|x\| + (n + 1) L_{E C C}$	$\|x\| + (n + 1) L_{E C C}$
The tag's storage cost	$5 \|x\| + L_{E C C}$	$\|x\| + 2 L_{E C C}$	$2 L_{E C C}$	$2 L_{E C C}$
Security weaknesses		Server impersonation	Active tracking	No

6. Conclusions

Mobile healthcare systems are becoming more and more popular. Lack of protecting patient and data privacy may hinder the utility of mobile healthcare system. In this paper, we have shown the weakness of He et al.'s protocol. The protocol cannot meet privacy protection requirement since it is vulnerable to active tracking attack. We have proposed a new scheme which not only conquers the security weaknesses but also improves the computational performance.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This project is partially supported by the National Science Council, Taiwan, under Grant no. MOST 103-2221-E-260-022.

References

Sadeghi

A.-R.

Visconti

Wachsmann

User privacy in transport systems based on RFID e-tickets

Proceedings of the 1st International Workshop on Privacy in Location-Based Applications

October 2008

Malaga, Spain

102 122

2-s2.0-80052993333

Yen

Y.-C.

N.-W.

T.-C.

Two RFID-based solutions for secure inpatient medication administration

Journal of Medical Systems 2012 36 5 2769 2778

10.1007/s10916-011-9753-7

2-s2.0-84867297288

Chen

Chou

J.-S.

Sun

H.-M.

A novel mutual authentication scheme based on quadratic residues for RFID systems

Computer Networks 2008 52 12 2373 2380

10.1016/j.comnet.2008.04.016

2-s2.0-46749130059

Koblitz

Elliptic curve cryptosystems

Mathematics of Computation 1987 48 177 203 209

10.2307/2007884

MR866109

ZBL0622.94015

Miller

Use of elliptic curves in cryptography

Advances in Cryptology—CRYPTO ’85 Proceedings 1985 218

Berlin, Germany

Springer

417 426 Lecture Notes in Computer Science

10.1007/3-540-39799-X_31

Lee

Batina

Verbauwhede

EC-RAC (ECDLP based randomized access control): provably secure RFID authentication protocol

IEEE International Conference on RFID

April 2008

Las Vegas, Nev, USA

97 104

10.1109/RFID.2008.4519370

Bringer

Chabanne

Icart

Cryptanalysis of EC-RAC, a RFID identification protocol

Cryptology and Network Security: 7th International Conference, CANS 2008, Hong-Kong, China, December 2–4, 2008. Proceedings 2008 5339

Berlin, Germany

Springer

149 161 Lecture Notes in Computer Science

10.1007/978-3-540-89641-8_11

Deursen

Radomirovic

Attacks on RFID protocols (version 1.1)

2009

University of Luxembourg

Liao

Y.-P.

Hsiao

C.-M.

A secure ECC-based RFID authentication scheme integrated with ID-verifier transfer protocol

Ad Hoc Networks 2014 18 133 146

10.1016/j.adhoc.2013.02.004

2-s2.0-84899644274

10.

Peeters

Hermans

Attack on Liao and Hsiao's Secure ECC-based RFID Authentication Scheme Integrated with ID-Verifier Transfer Protocol 2013

Cryptology ePrint Archive

11.

Tan

A user anonymity preserving three-factor authentication scheme for telecare medicine information systems

Journal of Medical Systems 2014 38, article 16

10.1007/s10916-014-0016-2

2-s2.0-84898905921

12.

Arshad

Nikooghadam

Three-factor anonymous authentication and key agreement scheme for Telecare Medicine Information Systems

Journal of Medical Systems 2014 38 12, article 136

10.1007/s10916-014-0136-8

13.

Kumar

Chilamkurti

Lee

J.-H.

Lightweight ECC based RFID authentication integrated with an ID verifier transfer protocol

Journal of Medical Systems 2014 38, article 116

10.1007/s10916-014-0116-z

2-s2.0-84905324282

14.

Miller

Short programs for functions on curves

1986, https://crypto.stanford.edu/miller/miller.pdf

15.

Menezes

A. J.

Okamoto

Vanstone

Reducing elliptic curve logarithms to logarithms in a finite field

IEEE Transactions on Information Theory 1993 39 5 1639 1646

10.1109/18.259647

MR1281712

2-s2.0-0027662341

16.

Lin

C.-Y.

T.-C.

Zhang

Hwang

J.-J.

New identity-based society oriented signature schemes from pairings on elliptic curves

Applied Mathematics and Computation 2005 160 1 245 260

10.1016/j.amc.2003.07.016

MR2100189

ZBL1070.94018

2-s2.0-8344247772

17.

Joux

A one round protocol for tripartite Diffie-Hellman

Proceedings of the 4th Algorithmic Number Theory Symposium (ANTS ’00)

July 2000

Leiden, The Netherlands

385 394

18.

Boneh

Franklin

Identity-based encryption from the Weil pairing

Advances in Cryptology—CRYPTO 2001 2001 2139 213 229 Lecture Notes in Computer Science

10.1007/3-540-44647-8_13

19.

Boneh

Lynn

Shacham

Short signatures from the Weil pairing

Advances in Cryptology—ASIACRYPT 2001 2001 2248

Berlin, Germany

Springer

514 532 Lecture Notes in Computer Science

10.1007/3-540-45682-1_30

20.

Jurisic

Menezes

A.-J.

Elliptic curves and cryptography

Dr. Dobb's Journal 1997 26 36

21.

Zhao

Guibas

L. J.

Wireless Sensor Networks: An Information Processing Approach 2004

San Francisco, Calif, USA

Elsevier-Morgan Kaufmann

22.

Akyildiz

I. F.

Sankarasubramaniam

Cayirci

Wireless sensor networks: a survey

Computer Networks 2002 38 4 393 422

10.1016/s1389-1286(01)00302-4

2-s2.0-0037086890

23.

Pottie

Kaiser

W. J.

Embedding the internet wireless integrated network sensors

Communications of the ACM 2000 43 5 51 58

24.

Tilak

Abu-Ghazaleh

N. B.

Heinzelman

A taxonomy of wireless micro-sensor network models

ACM SIGMOBILE Mobile Computing and Communications Review 2002 6 2 28 36

10.1145/565702.565708

25.

Heidemann

Silva

Intanagonwiwat

Govindan

Estrin

Ganesan

Building efficient wireless sensor networks with low-level naming

Proceedings of the 18th ACM Symposium on Operating Systems Principles (SOSP ’01)

2001

Banff, Canada

146 159

10.1145/502034.502049

An Elliptic Curve Cryptography-Based RFID Authentication Securing E-Health System

Abstract

1. Introduction

2. Preliminaries

2.1. Elliptic Curve Cryptography

2.2. The Bilinear Pairing

3. Weaknesses of He et al.'s Protocol

3.1. Review of He et al.'s Protocol

Step 1 ( S → T a g X T : m 1 = R 1 ).

Step 2 ( T a g X T → S : m 2 = R 2 , A u t h T ).

Step 3 ( S → T a g X T : m 3 = A u t h s ).

Step 4.

3.2. The Weaknesses

4. The Proposed Scheme

Step 1 ( S → T a g X T : m 1 = R 1 ).

Step 2 ( T a g X T → S : m 2 = R 2 , A u t h T ).

Step 3 ( S → T a g X T : m 3 = A u t h s ).

Step 4.

5. Security Analysis and Performance Evaluation

5.1. Security Analysis

5.2. Performance Evaluation

6. Conclusions

Footnotes

Conflict of Interests

Acknowledgment

References

Step 1 ( $S \to T a g_{X_{T}} : m_{1} = \{R_{1}\}$ ).

Step 2 ( $T a g_{X_{T}} \to S : m_{2} = \{R_{2}, {A u t h}_{T}\}$ ).

Step 3 ( $S \to T a g_{X_{T}} : m_{3} = \{{A u t h}_{s}\}$ ).

Step 1 ( $S \to T a g_{X_{T}} : m_{1} = \{R_{1}\}$ ).

Step 2 ( $T a g_{X_{T}} \to S : m_{2} = \{R_{2}, A u t h_{T}\}$ ).

Step 3 ( $S \to T a g_{X_{T}} : m_{3} = \{A u t h_{s}\}$ ).