Compliance with HIPAA and GDPR in Certificateless-Based Authenticated Key Agreement Using Extended Chaotic Maps

Abstract

Electronically protected health information is held in computerized healthcare records that contain complete healthcare information and are easily shareable or retrieved by various health care providers via the Internet. The two most important concerns regarding their use involve the security of the Internet and the privacy of patients. To protect the privacy of patients, various regions of the world maintain privacy standards. These are set, for example, by the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in Europe. Most recently developed authenticated key agreement schemes for HIPAA and GDPR privacy/security involve modular exponential computations or scalar multiplications on elliptic curves to provide higher security, but they are computationally heavy and therefore costly to implement. Recent studies have shown that cryptosystems that use modular exponential computation and scalar multiplication on elliptic curves are less efficient than those based on Chebyshev chaotic maps. Therefore, this investigation develops a secure and efficient non-certificate-based authenticated key agreement scheme that uses lightweight operations, including Chebyshev chaotic maps and hash operations. The proposed scheme overcomes the limitations of alternative schemes, is computationally more efficient, and provides more functionality. The proposed scheme complies with the privacy principles of HIPAA and GDPR.

1. Introduction

Exchanging healthcare information on paper, as is required in traditional healthcare systems, is highly inefficient. Today, patient healthcare data are held as electronic protected health information (ePHI). ePHI refers to computerized health records that contain complete healthcare information and can be easily shared or retrieved by various healthcare providers over the Internet. Therefore, the security of the Internet and the privacy of patients are important concerns. To protect the privacy of patients, various privacy standards are followed in different regions; these include HIPAA [1] in the United States and GDPR [2] in Europe. HIPAA controls the collection and use of healthcare data in the USA for other, related purposes. In the EU, all processing of individuals’ data must comply with GDPR, and entities that obtain health data from EU individuals must satisfy strict GDPR rules. Organizations that transfer US health-related data to the EU must comply with both sets of rules [3].

Many authentication and key agreements for e-healthcare systems have recently been proposed. To provide higher security and comply with HIPAA and GDPR, a number of these authentication and key agreement schemes are based on modular exponential computations and scalar multiplications on elliptic curves [4,5,6,7]. Although some authentication and key agreement schemes [8,9,10,11,12,13,14,15,16,17,18] that are based on Chebyshev chaotic maps have been proposed and proven to be more efficient than cryptography on elliptic curves, these schemes require the maintenance of complex public key infrastructures.

1.1. HIPAA Privacy/Security Regulations

The United States enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to protect the privacy and security of healthcare information [1]. These standards set limits on patients’ privacy and their right to understand and control the use and disclosure of protected personally identifiable information; this includes the patient’s name, address, contact number, medical records, and other important information. The security standard of HIPAA sets guidelines concerning the following safeguards [19].

1.1.1. Administrative Safeguards

(1)

Security Management Process: The policies and procedures to prevent, detect, contain, and correct security violations include risk analysis, risk management, a sanction policy, and the review of information system activities.

(2)

Security Personnel: Security policies and procedures must be developed and implemented by a specified security officer.

(3)

Information Access Management: Access to e-PHI may be authorized only when such access is appropriate, based on the role of the user or recipient of information.

(4)

Workforce Training and Management: All workforce members must have appropriate authorization and supervision to access to e-PHI.

(5)

Evaluation: Periodic technical and nontechnical evaluations must be performed according to security policies and procedures and relevant security regulations.

1.1.2. Physical Safeguards

(1)

Facility Access and Control: Physical access to facilities is restricted.

(2)

Workstation and Device Security: e-PHI, devices, and media controls must be protected by policies and procedures regarding transfer, removal, disposal, and reuse.

1.1.3. Technical Safeguards

(1)

Access Control: Only authorized personnel may access e-PHI.

(2)

Audit Controls: Hardware and software access are recorded and checked.

(3)

Integrity Controls: Entities may implement policies and procedures to protect e-PHI from unauthorized destruction.

(4)

Transmission Security: Unauthorized access to e-PHI that is transmitted over the Internet must be prevented.

1.1.4. HIPAA Privacy Guidelines

The privacy guidelines of HIPAA include a set of valuable security and privacy requirements that must be satisfied for the effective utilization of e-Health [20,21,22,23]; these use the following seven pivotal terms.

(1)

Patients’ understanding: Patients have a right to understand how their personal health information is stored, used, and kept by healthcare providers;

(2)

Patients’ control: Patients may determine who can access and use their health data;

(3)

Confidentiality: A patient’s health data must be kept away from people who have no right to access it;

(4)

Data integrity: Shared patient electronic health data shall be protected against improper tampering or destruction and shall not be modified or changed in any way;

(5)

Consent exception: Access to a patient’s health data without his/her consent is permitted only in emergencies;

(6)

Non-repudiation: To ensure that authorities meet their responsibilities with respect to patient information, all relevant activity must be documented in order to avoid controversy;

(7)

Auditing: Information and logs of all activities must be constantly monitored to ensure that patient health data are properly protected.

1.2. GDPR Privacy Principles

The General Data Protection Regulation (GDPR) came into force in all E.U. countries on 26 May 2018. It regulates personal data sharing outside the EU and EEA. GDPR applies to any organization that collects or processes personal data on EU residents [2]. GDPR has the following six key privacy principles [2,24].

(1)

The Principle of Lawfulness, Fairness, and Transparency: This principle obliges organizations to inform individuals about the handling of their data.

(2)

The Principle of Purpose Limitation: Personal data are to be collected only for specified, explicit, and legitimate purposes, and the use of these data for other purposes is forbidden.

(3)

The Principle of Data Minimization: The storage and collection of personal data must be adequate that is limited to whatever is required to satisfy the stated purpose.

(4)

The Principle of Truth and Accuracy: Stored or collected data shall be accurate and updated as necessary; incorrect information must be deleted or corrected without delay.

(5)

The Principle of Storage Limitation: Personal data must be kept in a form and limited to the original purpose of holding those data. They should be deleted as soon as they are no longer needed.

(6)

The Principle of Integrity and Confidentiality: Personal data may be processed only with appropriate security, including protection against unauthorized or unlawful processing, destruction, and damage.

1.3. Related Works

In 2012, Ray and Biswas [20] proposed a contract-oriented CA-based electronic health service system to overcome the shortcomings of previous schemes [25,26,27] with respect to authorization and verification. In 2014, Ray and Biswas [21] developed a CA-based authentication scheme for electronic health service systems to improve security and computation. Their scheme establishes a contract-based system that involves medical center servers in hospitals, uses the existing public key infrastructure, and is compliant with HIPAA privacy/security regulations. In 2017, Zhang et al. [28] proposed a lightweight and secure authentication scheme for mobile devices that are used in healthcare telemedicine services. In 2020, Meshram et al. [29] proposed an efficient, high-security online/offline ID-based short signature scheme using Chebyshev chaotic maps for use on a wireless sensor network. In 2020, Shafiq et al. [30] presented an efficient and secure ID-based remote user authentication and key agreement scheme for use in an IoT environment, which provides secure access to IoT services. In 2021, Dharminder and Gupta [31] proposed a secure and efficient chaotic map-based scheme with a key agreement that required only two message exchanges and was resistant to attacks. In the same year, Dharminder et al. [32] found that Zhang et al.’s scheme [28] is susceptible to identity guess, password guess, and replay attacks. They proposed a secure and efficient chaotic map-based authentication scheme for use in a telecare medicine information system that supports verified session keys with only two messages of exchange. It reveals how poor verification generates vulnerabilities. In 2021, Meshram et al. [33] proposed a new efficient m-healthcare emergency medical system that uses extended chaotic maps in a cloud computing environment. Their proposed authentication scheme balances high-intensity personal health information (PHI) communication and transmission. It also minimizes the disclosure of PHI privacy in m-Healthcare emergencies. In 2022, Sarosh et al. [19] proposed a framework that preserves the security and confidentiality of images that are transmitted in an e-healthcare system. Their scheme uses a 3D chaotic system to generate a keystream, is secure against statistical attacks, and can be applied in AI-based healthcare. In 2021, Rhahla et al. [34] proposed a framework for GDPR that identifies the main components of regulation implementation by mapping the provisions of GDPR to IT design requirements and is well adapted for Big Data management. In 2022, Hsieh et al. [35] proposed a secure and efficient scheme for authenticating and agreeing on keys that use extended Chebyshev chaotic maps. It complies with HIPAA privacy and security regulations but requires the maintenance of a public-key infrastructure.

1.4. Contributions

In order to overcome the limitations of previous solutions in terms of security and computing performance, this investigation develops a secure and efficient authenticated key agreement scheme that uses extended chaotic maps to increase security but does not require certificates. Therefore, no public key infrastructure must be maintained. Moreover, the proposed scheme uses lightweight operations, including the hash function and extended chaotic maps, and does not require time-consuming modular exponential calculations and scalar multiplications on elliptic curves, so its computational cost is relatively low. The contributions of this paper are as follows:

(1)

This study develops a non-certificate-based authenticated key agreement scheme that uses extended chaotic mapping for medical data protection.

(2)

The proposed scheme uses lightweight operations, including a hash function and extended chaotic maps, to minimize computational cost.

(3)

The proposed scheme complies with HIPAA security regulations and GDPR privacy principles;

(4)

The proposed scheme overcomes the limitations of related schemes, is more computationally efficient, and provides more functionality.

1.5. Organization

This study is organized as follows: Section 2 briefly introduces the primitives that are used herein. Section 3 presents the proposed certificateless-based authenticated key agreement that is based on extended chaotic maps. Section 4 presents the authentication proof in the proposed scheme that uses BAN Logic, heuristically analyzes the security of the scheme, and compares the proposed scheme with other schemes. Section 5 draws conclusions.

2. Preliminaries

This section defines the notation that is used in this paper and describes the underlying primitives, including Chaotic Maps, Chebyshev Chaotic Maps, enhanced Chebyshev chaotic maps, the extended chaotic map-based Discrete Logarithm problem, and the extended chaotic map-based Diffie-Hellman problem.

2.1. Notation

A patient is denoted as Pat; a doctor is denoted as Doc, and a medical center server is denoted as MCS.

Table 1. Notation.

Notation	Description
$E\left(\cdot \right)/D\left(\cdot \right)$	Symmetric en/decryption algorithm, ex. DES, AES [36]
$h\left(\cdot \right)$	One way hash function, ex. MD5, SHA-256 [36]
$T\left(\cdot \right)$	Extended chaotic maps
$I{D}_P;I{D}_D$	Identity of Pat; Identity of Doc
$P{W}_P$;$P{W}_D$	Password of Pat; password of Doc
$NI{D}_P;NI{D}_D$	Anonymous information of Pat; Anonymous information of Doc
w	The medical power of attorney of Pat
p	A large prime number
$T{S}_i$	Timestamp for $i=1, 2, 3,\dots$
SK	Session key
$K$	Security key
V	Verification data
⊕	Bitwise XOR operation
$\left|\right|$	Concatenation

provides the notation used in this research.

2.2. Enhanced Chebyshev Chaotic Maps

This subsection defines enhanced Chebyshev chaotic maps, the extended chaotic map-based discrete logarithm problem, and the extended chaotic map-based Diffie-Hellman problem.

(1)

Enhanced Chebyshev Chaotic Maps

Chebyshev polynomials and their enhancement are characterized as follows [10,37,38,39].

$$T_n\left(x\right)=\left\{\begin{array}{c}1,\\ x,\\ 2x{T}_{n-1}\left(x\right)-T_{n-2}\left(x\right)\left(\mathrm{mod} p\right),\end{array}\begin{array}{c}\mathrm{if} n=0;\\ \mathrm{if} n=1;\\ \mathrm{if} n \ge 2\end{array}\right.$$

(1)

when $x\in \left(-\infty ,+\infty \right)$ and p is a large prime number. A Chebyshev polynomial exhibits the semi-group characteristics and the commutative property

$$T_r\left(T_s\left(x\right)\right)\equiv T_{r\cdot s}\left(x\right)\equiv T_s\left(T_r\left(x\right)\right)\left(\mathrm{mod} p\right).$$

(2)

(2)

Extended Chaotic Map-Based Discrete Logarithm Problem [10,38,39]

Given x, y, T(.) and p, finding an integer r that satisfies

$$T_r\left(x\right)\equiv y \left(\mathrm{mod} p\right)$$

(3)

is computationally infeasible.

(3)

Extended Chaotic Map-Based Diffie-Hellman Problem [10,38,39]

Given $T_u\left(x\right),T_v\left(x\right),T\left(.\right)$, x and p, when u, v ≥ 2, $x\in \left(-\infty ,+\infty \right)$, and p is a large prime number, obtaining

$$T_{u\cdot v}\left(x\right)\equiv T_u\left(T_v\left(x\right)\right)\equiv T_v\left(T_u\left(x\right)\right)\mathrm{mod} p.$$

(4)

is computationally infeasible.

3. Proposed Certificateless-Based User Authentication and Key Agreement Scheme That Complies with HIPAA and GDPR

An authentication and key agreement scheme that complies with HIPAA regulations and GDPR principles is presented in this section. The proposed scheme provides secure communication without maintaining user certificates and has six phases, which are initializing system parameters, registration, generating and updating patient information, accessing patient information, processing an emergency exception status, and changing a smart card password. The proposed scheme involves three communicating entities, which are a medical center server, MCS; a doctor or medical professional, Doc; and a patient, Pat.

3.1. Initialisation Phase of System Parameters

The Medical Center Sever MCS selects a secure hash function$h\left(\cdot \right)$, a random variable x, setups $T\left(\cdot \right)$, and a prime p, and publishes $\left\{x,h\left(\cdot \right),T\left(\cdot \right),p\right\}$.

3.2. Registration Phase

(1)

Registration of patients

Step 1:

Patient Pat signs a privacy contract $w$ where the patient’s information and instructions are included in $w$. Pat then sends $\left\{w,I{D}_P,W_P\right\}$ to MCS, where $I{D}_P$ is Pat’s identity, $P{W}_P$ is Pat’s password, and $W_P=h(I{D}_P||P{W}_P)$.

Step 2:

On receiving $\left\{w,I{D}_P,W_P\right\}$ from Pat, MCS selects a random number $R_{MCS}$ and a random secret key $K_{MCS\_P}$, and computes $NI{D}_P=E_S(I{D}_P\left|\left|W_P\right|\right|R_{MCS}||K_{MCS\_P})$ and $X_P=h(I{D}_P||K_{MCS\_P})$ for authentication. MCS then sends $\left\{NI{D}_P,X_P\right\}$ to Pat.

Step 3:

On receiving $\left\{NI{D}_P,X_P\right\}$ from MCS, Pat gets his smartcard and computes $Y_P=X_P\oplus W_P$, and replaces $X_P$ with $Y_P$.

(2)

Registration of doctors

Step 1:

Doc sends $\left\{I{D}_D,W_P\right\}$ to MCS, where $I{D}_D$ is Doc’s identity, $P{W}_D$ is Doc’s password, and $W_D=h(I{D}_D||P{W}_D)$.

Step 2:

On receiving $\left\{I{D}_D,W_D\right\}$, MCS selects a random number $R_{MCS}$ and a random secret key $K_{MCS\_D}$, and computes $NI{D}_D=E_S(I{D}_D\left|\left|W_D\right|\right|R_{MCS}||K_{MCS\_D})$ and $X_D=h(I{D}_D||K_{MCS\_D})$ for authentication. MCS then sends $\left\{NI{D}_D,X_D\right\}$ to Doc.

Step 3:

On receiving $\left\{NI{D}_P,X_P\right\}$, Doc gets his smartcard and computes $Y_D=X_D\oplus W_D$, and replaces $X_D$ with $Y_D$

3.3. PHI Upload Phase

Figure 1 illustrates the process of the PHI upload phase of the proposed scheme, which is described in detail as follows.

Step 1:

Pat→ Doc : $M_1=$ {$NI{D}_P,V_1,T_a\left(x\right),T{S}_1\}$

Patient Pat inputs $I{D}_P$ and $P{W}_P$, selects a random number a, and computes $T_a\left(x\right)\mathrm{mod} p$, $W_P=h(I{D}_P||P{W}_P)$, $X_P=Y_P\oplus W_P$, $V_1=h(X_P\left|\left|W_P\right|\right|I{D}_P\left|\left|I{D}_D\right|\right|T_a\left(x\right)|| T{S}_1$) as an authorization to Doc, where $T{S}_1$ is the current timestamp, and sends {$NI{D}_P,V_1,T_a\left(x\right),T{S}_1\}$ to the hospital.

Step 2:

Doc → MCS : $M_2=\left\{NI{D}_P,NI{D}_D,V_1,V_2,T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\right\}$

On receiving the messages from Pat, the doctor Doc inputs $I{D}_D$ and $P{W}_D$, checks the timestamp $T{S}_1$, checks the timestamp $T{S}_1$. If successful the received messages do not expire. Otherwise, Doc declines this message. Doc selects a random number $b$, computes $T_b\left(x\right)\mathrm{mod} p$, $W_D=h(I{D}_D||P{W}_D)$, $X_D=Y_D\oplus W_D$ and $V_2=h(W_D\left|\left|X_D\right|\right|T_b\left(x\right)|| T{S}_2$), where $T{S}_2$ is the current timestamp, and sends $\left\{NI{D}_P,NI{D}_D,V_1,V_2,T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\right\}$ to MCS.

Step 3:

MCS → Doc : $M_3=\left\{QI{D}_D,V_3,QI{D}_P,V_4,T_c\left(x\right),T{S}_3\right\}$

On receiving the messages from Doc, MCS checks the timestamp $T{S}_1$, and computes $(I{D}_D\left|\left|W_D\right|\right|R_{MCS}||K_{MCS\_D})=D_S\left(NI{D}_D\right)$, $X_D^{\prime }=h(I{D}_D||K_{MCS\_D})$, $V_2^{\prime }=h(W_D||X_D^{\prime }\left|\left|T_b\left(x\right)\right|\right| T{S}_2$). If $V_2^{\prime }=V_2$ does not hold, then MCS rejects this service request; otherwise, MCS successfully authenticates Doc and computes $(I{D}_P\left|\left|W_P\right|\right|R_{MCS}||K_{MCS\_P})=D_S\left(NI{D}_P\right)$ and $X_P^{\prime }=h(I{D}_P||K_{MCS\_P})$ and $V_1^{\prime }=h\left(X_P^{\prime }\left|\left|W_P\left|\left|I{D}_P\right|\right|I{D}_D\left|\right|T_a\left(x\right)\right|\right| T{S}_1\right)$. If $V_1^{\prime }=V_1$ holds, then MCS successfully authenticates Pat, and stores $PHI$ into its database. MCS then randomly chooses $R_{new}$, $c$, and computes $T_c\left(x\right)\mathrm{mod} p$, $S{K}_D=T_c\left(T_b\left(x\right)\right)\mathrm{mod} p$, Doc’s new temporal identity $NI{D}_D^{new}=E_S\left(I{D}_D\left|\right|W_D\left|\left|R_{new}\right|\right|K_{MCS\_D}\right)$, $QI{D}_D=h(S{K}_D||T{S}_3)\oplus (NI{D}_D^{new}||I{D}_P)$, $V_3=h\left(NI{D}_D^{new}\left|\right|X_D^{\prime }\left|\right|S{K}_D\left|\left|I{D}_P\right|\right|T{S}_3\right)$ $S{K}_P=T_c\left(T_a\left(x\right)\right)\mathrm{mod} p$, Pat’s new temporal identity $NI{D}_P^{new}=E_S\left(I{D}_P\left|\right|W_P\left|\left|R_{new}\right|\right|K_{MCS\_P}\right)$, $QI{D}_P=h(S{K}_P||T{S}_3)\oplus NI{D}_P^{new}$, and $V_4=h\left(NI{D}_P^{new}\left|\right|X_P^{\prime }\left|\right|S{K}_P\left|\left|I{D}_D\right|\right|T{S}_3\right)$, where $T{S}_3$ is the current timestamp. MCS then sends $\left\{QI{D}_D,V_3,QI{D}_P,V_4,T_c\left(x\right),T{S}_3\right\}$ to Doc.

Step 4:

Doc → Pat : $M_4=\left\{QI{D}_P,V_4,T_c\left(x\right),T{S}_3\right\}$

On receiving the message form MCS, Doc checks $T{S}_3$, computes $S{K}_D=T_b\left(T_c\left(x\right)\right)\mathrm{mod} p$, $(NI{D}_D^{new}|\left|I{D}_P\right)=QI{D}_D\oplus h(S{K}_D||T{S}_3)$, $V_3^{\prime }=h\left(NI{D}_D^{new}\left|\left|X_D\left|\right|S{K}_D\right|\right|I{D}_P\left|\right|T{S}_3\right)$ and checks whether $V_3^{\prime }=V_3$ holds or not. If unsuccessful, Doc aborts this session. Otherwise, Doc replaces $NI{D}_D$ with $NI{D}_D^{new}$ and forwards $\left\{QI{D}_P,V_4,T_c\left(x\right),T{S}_3\right\}$ to Pat.

Step 5:

Pat → Doc : $M_5=\left\{V_5\right\}$

On receiving the message, Pat computes $S{K}_P=T_a\left(T_c\left(x\right)\right)\mathrm{mod} p)$ and $NI{D}_P^{new}=QI{D}_P\oplus h(S{K}_P||T{S}_3)$, and $V_4^{\prime }=h\left(NI{D}_P^{new}\left|\left|X_P\left|\right|S{K}_P\right|\right|I{D}_D\left|\right|T{S}_3\right)$, and checks whether $V_4^{\prime }=V_4$ holds or not. If unsuccessful, Pat aborts this request. Otherwise, Pat replaces $NI{D}_P$ as $NI{D}_P^{new}$, computes $V_5=h\left(S{K}_P\left|\right|I{D}_P\right)$, and sends $\left\{V_5\right\}$ to the hospital.

Step 6:

Doc → MCS : $M_6=\left\{V_5,V_6,D_{PHI}\right\}$

On receiving the message form Pat, Doc computes $D_{PHI}=h(S{K}_D||T{S}_2)\oplus PHI$, $V_6=h\left(S{K}_D\left|\right|PHI\right)$ and sends $\left\{V_5,V_6,D_{PHI}\right\}$ to MCS.

Step 7:

On receiving the message form Doc, MCS computes $PHI=h(S{K}_D||T{S}_2)\oplus D_{PHI}$, $V_5^{\prime }=h\left(S{K}_P\left|\right|I{D}_P\right)$ and $V_6^{\prime }=h\left(S{K}_D\left|\right|PHI\right)$. Finally. it verifies $V_5^{\prime }$ and $V_6^{\prime }$.

3.4. PHI Access Phase

Figure 2 illustrates the process of the PHI access phase of the proposed scheme, which is described in detail as follows.

Step 1:

Pat→ Doc : $M_1=$ {$NI{D}_P,V_1,T_a\left(x\right),T{S}_1\}$

Patient Pat inputs $I{D}_P$ and $P{W}_P$, selects a random number a, and computes $T_a\left(x\right)\mathrm{mod} p$, $W_P=h(I{D}_P||P{W}_P)$, $X_P=Y_P\oplus W_P$ and $V_1=h(X_P\left|\left|W_P\right|\right|I{D}_P\left|\left|I{D}_D\right|\left|T_a\left(x\right)\right|\right|IN{D}_{PHI}|| T{S}_1$), where $T{S}_1$ is the current timestamp, and sends {$NI{D}_P,V_1,T_a\left(x\right),T{S}_1\}$ to the hospital.

Step 2:

Doc → MCS : $M_2=\left\{NI{D}_P,NI{D}_D,V_1,V_2,T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\right\}$

On receiving the messages from Pat, the doctor Doc inputs $I{D}_D$ and $P{W}_D$, checks the timestamp $T{S}_1$, selects random numbers $b$, $W_D=h(I{D}_D||P{W}_D)$; $X_D=Y_D\oplus W_D$, computes $T_b\left(x\right)\mathrm{mod} p$, $K_D=h(X_D||T{S}_2)\oplus IN{D}_{PHI}$ and $V_2=h(W_D\left|\left|X_D\right|\right|IN{D}_{PHI}\left|\left|T_b\left(x\right)\right|\right|T{S}_2$), where $T{S}_2$ is the current timestamp, and sends $\left\{NI{D}_P,NI{D}_D,V_1,V_2,K_D,T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\right\}$ to MCS.

Step 3:

MCS → Doc : $M_3=\left\{QI{D}_D,V_3,QI{D}_P,V_4,T_c\left(x\right),T{S}_3\right\}$

On receiving the messages from Doc, MCS checks the timestamp $T{S}_1$, and computes $(I{D}_D\left|\left|W_D\right|\right|R_{MCS}||K_{MCS\_D})=D_S\left(NI{D}_D\right)$, $X_D^{\prime }=h(I{D}_D||K_{MCS\_D})$, $\left(IN{D}_{PHI}^{\prime }\right)=K_D\oplus h(X_D^{\prime }||T{S}_2)$, $V_2^{\prime }=h(W_D\left|\left|X_D\right|\right|IN{D}_{PHI}^{\prime }\left|\left|T_b\left(x\right)\right|\right|T{S}_2$). If $V_2^{\prime }=V_2$ does not hold, then MCS rejects this service request; otherwise, MCS successfully authenticates Doc and computes $(I{D}_P\left|\left|W_P\right|\right|R_{MCS}||K_{MCS\_P})=D_S\left(NI{D}_P\right)$ and $X_P^{\prime }=h(I{D}_P||K_{MCS\_P})$ and $V_1^{\prime }=h(X_P^{\prime }\left|\left|W_P\right|\right|I{D}_P\left|\left|I{D}_D\right|\right|T_a\left(x\right)\left|\left|IN{D}_{PHI}^{\prime }\right|\right| T{S}_1$). If $V_1^{\prime }=V_1$ holds, then MCS successfully authenticates Pat. MCS then randomly chooses $R_{new}$, $c$, and computes $T_c\left(x\right)\mathrm{mod} p$, $S{K}_D=T_c\left(T_b\left(x\right)\right)\mathrm{mod} p$, Doc’s new temporal identity $NI{D}_D^{new}=E_S\left(I{D}_D\left|\right|W_D\left|\left|R_{new}\right|\right|K_{MCS\_D}\right)$, $QI{D}_D=h(S{K}_D||T{S}_3)\oplus (NI{D}_D^{new}||I{D}_P)$, $V_3=h\left(NI{D}_D^{new}\left|\right|S{K}_D\left|\left|I{D}_P\right|\right|T{S}_3\right)$ $S{K}_P=T_c\left(T_a\left(x\right)\right)\mathrm{mod} p$, Pat’s new temporal identity $NI{D}_P^{new}=E_S\left(I{D}_P\left|\right|W_P\left|\left|R_{new}\right|\right|K_{MCS\_P}\right)$, $QI{D}_P=h(S{K}_P||T{S}_3)\oplus NI{D}_P^{new}$, and $V_4=h\left(NI{D}_P^{new}\left|\right|S{K}_P\left|\left|I{D}_D\right|\right|T{S}_3\right)$, where $T{S}_3$ is the current timestamp. MCS then sends $\left\{QI{D}_D,V_3,QI{D}_P,V_4,T_c\left(x\right),T{S}_3\right\}$ to Doc.

Step 4:

Doc → Pat : $M_4=\left\{QI{D}_P,V_4,T_c\left(x\right),T{S}_3\right\}$

On receiving the message form MCS, Doc checks $T{S}_3$, computes $S{K}_D=T_b\left(T_c\left(x\right)\right)\mathrm{mod} p$, $(NI{D}_D^{new}|\left|I{D}_P\right)=QI{D}_D\oplus h(S{K}_D||T{S}_3)$, $V_3^{\prime }=h\left(NI{D}_D^{new}\left|\right|S{K}_D\left|\left|I{D}_P\right|\right|T{S}_3\right)$ and checks whether $V_3^{\prime }=V_3$ holds or not. If unsuccessful, Doc aborts this session. Otherwise, Doc replaces $NI{D}_D$ with $NI{D}_D^{new}$ and forwards $\left\{QI{D}_P,V_4,T_c\left(x\right),T{S}_3\right\}$ to Pat.

Step 5:

Pat → Doc : $M_5=\left\{V_5\right\}$

On receiving the message, Pat computes $S{K}_P=T_a\left(T_c\left(x\right)\right)\mathrm{mod} p)$ and $NI{D}_P^{new}=QI{D}_P\oplus h(S{K}_P||T{S}_3)$, and $V_4^{\prime }=h\left(NI{D}_P^{new}\left|\right|S{K}_P\left|\left|I{D}_D\right|\right|T{S}_3\right)$, and checks whether $V_4^{\prime }=V_4$ holds or not. If unsuccessful, Pat aborts this request. Otherwise, Pat replaces $NI{D}_P$ as $NI{D}_P^{new}$, computes $V_5=h\left(S{K}_P\left|\right|I{D}_P\right)$, and sends $\left\{V_5\right\}$ to the hospital.

Step 6:

Doc → MCS : $M_6=\left\{V_5,V_6\right\}$

On receiving the message form Pat, Doc computes $V_6=h\left(S{K}_D\left|\right|I{D}_D\right)$ and sends $\left\{V_5,V_6\right\}$ to MCS.

Step 7:

MCS → Doc : $M_7=\left\{D_{PHI},V_7\right\}$

On receiving the message form Doc, MCS computes and verifies $V_5^{\prime }=h\left(S{K}_P\left|\right|I{D}_P\right)$ and $V_6^{\prime }=h\left(S{K}_D\left|\right|I{D}_D\right)$. If successful, MCS gets Pat’s authorization, retrievals $PHI$ by using $IN{D}_{PHI}^{\prime }$ form its database, and computes $D_{PHI}=h(S{K}_D||T{S}_2)\oplus PHI$ and $V_7=h\left(S{K}_D\left|\right|PHI\right)$, and sends $\left\{D_{PHI},V_7\right\}$ to Doc.

Step 8:

On receiving the message, Doc computes $PHI=h(S{K}_D||T{S}_2)\oplus D_{PHI}$ and $V_7^{\prime }=h\left(S{K}_D\left|\right|PHI\right)$, and verifies $V_7^{\prime }=?V_7$.

3.5. Emergency Exception Handling Phase

Figure 3 illustrates the process of the emergency exception handling phase of the proposed scheme, which is described in detail as follows.

Step 1:

Doc → MCS : $M_1=\left\{NI{D}_D,Re{q}_{PHI},T_a\left(x\right),V_1,T{S}_1\right\}$

The doctor Doc inputs $I{D}_D$ and $P{W}_D$, selects a random number $a$, computes $W_D=h(I{D}_D||P{W}_D)$, $X_D=Y_D\oplus W_D$, $T_a\left(x\right)\mathrm{mod} p$, $Re{q}_{PHI}=h(X_D||T{S}_1)\oplus (I{D}_P||IN{D}_{PHI})$ and $V_1=h(W_D\left|\left|X_D\right|\right|I{D}_P\left|\left|Re{q}_{PHI}\right|\right|T_a\left(x\right)||T{S}_1)$, where $T{S}_1$ is the current timestamp, and sends $\left\{NI{D}_D,Re{q}_{PHI},T_a\left(x\right),V_1,T{S}_1\right\}$ to MCS.

Step 2:

MCS → Doc : $M_2=\left\{QI{D}_D,D_{PHI},V_2,T_b\left(x\right),T{S}_2\right\}$

On receiving the messages from Doc, MCS checks the timestamp $T{S}_1$, and computes $(I{D}_D\left|\left|W_D\right|\right|R_{MCS}||K_{MCS\_D})=D_S\left(NI{D}_D\right)$, $X_D^{\prime }=h(I{D}_D||K_{MCS\_D})$, $(I{D}_P||IN{D}_{PHI})=Re{q}_{PHI}\oplus h(X_D^{\prime }||T{S}_1)$, $V_1^{\prime }=h(W_D||X_D^{\prime }\left|\left|I{D}_P\right|\right|Re{q}_{PHI}\left|\left|T_a\left(x\right)\right|\right|T{S}_1)$. If $V_1^{\prime }=V_1$ does not hold, then MCS rejects this service request; otherwise, MCS successfully authenticates Doc, gets $PH{I}_P$ stored in its database by using the index $IN{D}_{PHI}$. Next, MCS randomly chooses $R_{new}$, $b$, and computes $b\left(x\right)\mathrm{mod} p$, $S{K}_D=T_b\left(T_a\left(x\right)\right)\mathrm{mod} p$, Doc’s new temporal identity $NI{D}_D^{new}=E_S\left(I{D}_D\left|\right|W_D\left|\left|R_{new}\right|\right|K_{MCS\_D}\right)$, $QI{D}_D=h(S{K}_D||T{S}_2)\oplus (NI{D}_D^{new}||I{D}_P)$, $D_{PHI}=h(S{K}_D||T{S}_1)\oplus PH{I}_P$ and $V_2=h\left(NI{D}_D^{new}\left|\right|S{K}_D\left|\left|I{D}_P\right|\right|D_{PHI}\left|\right|T{S}_2\right)$, where $T{S}_2$ is the current timestamp. MCS then sends $\left\{QI{D}_D,D_{PHI},V_2,T_b\left(x\right),T{S}_2\right\}$ to Doc.

Step 3:

On receiving the message form MCS, Doc checks $T{S}_2$, computes $S{K}_D=T_a\left(T_b\left(x\right)\right)\mathrm{mod} p$, $(NI{D}_D^{new}|\left|I{D}_P\right)=QI{D}_D\oplus h(S{K}_D||T{S}_2)$, $V_2^{\prime }=h\left(NI{D}_D^{new}\left|\right|S{K}_D\left|\left|I{D}_P\right|\right|D_{PHI}\left|\right|T{S}_2\right)$ and checks whether $V_2^{\prime }=V_2$ holds or not. If unsuccessful, Doc aborts this session. Otherwise, Doc computes $PH{I}_P=D_{PHI}\oplus h(S{K}_D|\left|T{S}_1\right)$, and replaces $NI{D}_D$ with $NI{D}_D^{new}$.

3.6. Password Update Phase

Figure 4 illustrates the processes that a user (a patient or a doctor) uses to update his/her password in the proposed scheme, which are described as the following:

Step 1:

A user U (Pat or Doc) inputs his/her identity $I{D}_U$, old password $P{W}_U$ and new password $P{W}_U^{new}$, selects a random number a, and computes $T_a\left(x\right)\mathrm{mod} p$, $W_U=h(I{D}_U||P{W}_U)$, $X_U=Y_U\oplus W_U$, $W_U^{new}=h(I{D}_U|\left|P{W}_U^{new}\right)$, $C{P}_U=h(X_U||T{S}_1)\oplus W_U^{new}$, $V_1=h\left(X_U\left|\left|W_U\right|\right|C{P}_U\left|\left|T_a\left(x\right)\right|\right|T{S}_1\right)$, where $T{S}_1$ is the current timestamp, and sends {$NI{D}_P,C{P}_U,V_1,T_a\left(x\right),T{S}_1\}$ to MCS.

Step 2:

On receiving the messages from U, MCS checks the timestamp $T{S}_1$, and computes $(I{D}_U\left|\left|W_U\right|\right|R_{MCS}||U)=D_S\left(NI{D}_U\right)$ and $X_U^{\prime }=h(I{D}_U||K_{MCS\_U})$ and $V_1^{\prime }=h(X_P^{\prime }\left|\left|W_U\right|\right|C{P}_U\left|\left|T_a\left(x\right)\right|\right| T{S}_1$). If $V_1^{\prime }=V_1$ holds, then MCS successfully authenticates U. MCS then randomly chooses $R_{new}$, $b$, and computes $T_{cb}\left(x\right)\mathrm{mod} p$, $S{K}_U=T_b\left(T_a\left(x\right)\right)\mathrm{mod} p$, U’s new temporal identity $NI{D}_U^{new}=E_s(I{D}_U||W_U^{new}\left|\left|R_{new}\right|\right|K_{MCS\_U})$, $QI{D}_U=h(S{K}_U||T{S}_2)\oplus (NI{D}_U^{new}||I{D}_U)$ and $V_2=h(X_U^{\prime }||NI{D}_U^{new}\left|\left|S{K}_U\right|\right|T{S}_2)$, where $T{S}_2$ is the current timestamp. MCS then sends $\left\{QI{D}_U,V_2,T_b\left(x\right),T{S}_2\right\}$ to U.

Step 3:

On receiving the message from MCS, U computes $S{K}_U=T_a\left(T_b\left(x\right)\right)\mathrm{mod} p)$ and $NI{D}_U^{new}=QI{D}_U\oplus h(S{K}_U||T{S}_2)$, and $V_2^{\prime }=h(X_U||NI{D}_U^{new}\left|\left|S{K}_U\right|\right|T{S}_2))$, and checks whether $V_2^{\prime }=V_2$ holds or not. If unsuccessful, Pat aborts this request. Otherwise, U replaces $NI{D}_U$ as $NI{D}_U^{new}$ and successfully update his/her new password as $P{W}_U^{new}$.

4. Security and Performance Analysis

This section provides authentication proof of the proposed scheme using BAN Logic, heuristically analyzes the security requirements of the proposed scheme, shows that the proposed scheme complies with HIPAA privacy/security regulations and GDPR privacy principles, and compares the functionality and performance of the proposed scheme with those of related schemes.

4.1. Authentication Proof Using the BAN Logic

This subsection shows that the objectives of mutual authentication and session key agreement are achieved by the proposed scheme between communicating entities by using the basic rules and assumptions of BAN logic [40].

Table 2. Notations and abbreviations of the BAN-logic [40].

Notation	Abbreviation
$\mathrm{P} |\equiv \mathrm{X}$	$\mathrm{P}$ believes $\mathrm{X}$.
$\mathrm{P} ⨞ \mathrm{X}$	$\mathrm{P}$ sees $\mathrm{X}$.
$\mathrm{P} |~ \mathrm{X}$.	$\mathrm{P}$ once said $\mathrm{X}$.
$\mathrm{P}⟹ \mathrm{X}$	$\mathrm{P}$ controls $\mathrm{X}$.
$\mathrm{P} {}_{\leftrightarrow }{}^{\mathrm{K} } \mathrm{Q}$	$\mathrm{P}$ and $\mathrm{Q}$ securely communicate by using $\mathrm{K}$.
$\#\left(\mathrm{X}\right)$	$\mathrm{X}$ is freshly generated.
${\left\{\mathrm{X}\right\}}_{\mathrm{K}}$	$\mathrm{X}$ is encrypted with $\mathrm{K}$.
$\mathrm{P} \to \mathrm{Q} :\mathrm{m}$	$\mathrm{P}$ sends $\mathrm{m}$ to $\mathrm{Q}$.

provides the notation and abbreviations that are used in BAN logic: P and Q denote two entities; X denotes a statement; K denotes a share key; and m denotes a message.

(1)

The basic rules of BAN-logic

$\mathrm{Rule} 1$:

Message-meaning rule: $\frac{\mathrm{P} |\equiv \mathrm{P} {}_{\leftrightarrow }{}^{\mathrm{K} } \mathrm{Q}, \mathrm{P} ⨞ {\left\{\mathrm{X}\right\}}_{\mathrm{K}} }{\mathrm{P} \left|\equiv \mathrm{Q} \right|\sim \mathrm{X}}$

If $\mathrm{P}$ believes $\mathrm{Q}$ and itself communicate by $\mathrm{K}$ and $\mathrm{P}$ sees $\mathrm{X}$ which is encrypted with $\mathrm{K}$, then $\mathrm{P}$ believes that $\mathrm{Q}$ once said $\mathrm{X}$.

$\mathrm{Rule} 2$:

Nonce-verification rule: $\frac{\mathrm{P} \left|\equiv \#\left(\mathrm{X}\right), \mathrm{P} \right|\equiv \mathrm{Q} |\sim \mathrm{X} }{\mathrm{P} \left|\equiv \mathrm{Q} \right|\equiv \mathrm{X}}$

If $\mathrm{P}$ believes $\mathrm{X}$ is freshness and $\mathrm{P}$ believes that $\mathrm{Q}$ once said $\mathrm{X}$, then $\mathrm{P}$ believes that $\mathrm{Q}$ believes $\mathrm{X}$.

$\mathrm{Rule} 3$:

Jurisdiction rule: $\frac{\mathrm{P} \left|\equiv \mathrm{Q} ⟹ \mathrm{X}, \mathrm{P} \right|\equiv \mathrm{Q} |\equiv \mathrm{X} }{\mathrm{P} |\equiv \mathrm{X}}$

If $\mathrm{P}$ believes that $\mathrm{Q}$ has jurisdiction over $\mathrm{X}$ and $\mathrm{P}$ believes that $\mathrm{Q}$ believes $\mathrm{X}$, then $\mathrm{P}$ believes $\mathrm{X}$.

$\mathrm{Rule} 4$:

Session key rule: $\frac{\mathrm{P} \left|\equiv \#\left(\mathrm{X}\right), \mathrm{P} \right|\equiv \mathrm{Q} |\equiv \mathrm{X} }{\mathrm{P} |\equiv \mathrm{P} {}_{\leftrightarrow }{}^{\mathrm{K} } \mathrm{Q}}$

If $\mathrm{P}$ believes $\mathrm{X}$ is freshness and $\mathrm{P}$ believes that $\mathrm{Q}$ believes $\mathrm{X}$, then $\mathrm{P}$ believes $\mathrm{Q}$ and itself communicate by $\mathrm{K}$.

(2)

Goals of the proposed scheme

$\mathrm{Goal} 1$:

$\mathrm{Pat} \left|\equiv \mathrm{MCS} \right|\equiv \left(\mathrm{MCS} {}_{\leftrightarrow }{}^{\mathrm{SK} } \mathrm{Pat}\right)$

$\mathrm{Goal} 2$:

$\mathrm{Doc} \left|\equiv \mathrm{MCS} \right|\equiv \left(\mathrm{MCS} {}_{\leftrightarrow }{}^{\mathrm{SK} } \mathrm{Doc}\right)$

$\mathrm{Goal} 3$:

$\mathrm{MCS} \left|\equiv \mathrm{Pat} \right|\equiv \left(\mathrm{Pat} {}_{\leftrightarrow }{}^{\mathrm{SK} } \mathrm{MCS}\right)$

$\mathrm{Goal} 4$:

$\mathrm{MCS} \left|\equiv \mathrm{Doc} \right|\equiv \left(\mathrm{Doc} {}_{\leftrightarrow }{}^{\mathrm{SK} } \mathrm{MCS}\right)$

$\mathrm{Goal} 5$:

$\mathrm{Pat} \left|\equiv \mathrm{Doc} \right|\equiv \left(\mathrm{Doc} {}_{\leftrightarrow }{}^{\mathrm{SK} } \mathrm{Pat}\right)$

$\mathrm{Goal} 6$:

$\mathrm{Doc} \left|\equiv \mathrm{Pat} \right|\equiv \left(\mathrm{Pat} {}_{\leftrightarrow }{}^{\mathrm{SK} } \mathrm{Doc}\right)$

(3)

Implementation form

(a)

PHI upload phase of the proposed scheme

${\mathrm{M}}_1$:

$\mathrm{Pat}\to \mathrm{Doc} : NI{D}_P,V_1,T_a\left(x\right),T{S}_1$

${\mathrm{M}}_2$:

$\mathrm{Doc}\to \mathrm{MCS} : NI{D}_P,NI{D}_D,V_1,V_2,K_D, T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2$

${\mathrm{M}}_3$:

$\mathrm{MCS}\to \mathrm{Doc} : QI{D}_D,V_3,QI{D}_P,V_4, T_c\left(x\right),T{S}_3$

${\mathrm{M}}_4$:

$\mathrm{Doc}\to \mathrm{Pat} : QI{D}_P,V_4,T_c\left(x\right),T{S}_3$

${\mathrm{M}}_5$:

$\mathrm{Pat}\to \mathrm{Doc} : V_5$

${\mathrm{M}}_6$:

$\mathrm{Doc}\to \mathrm{MCS} : V_5,V_6$, $D_{PHI}$

(b)

PHI access phase of the proposed scheme

${\mathrm{M}}_1$:

$\mathrm{Pat}\to \mathrm{Doc} : NI{D}_P,V_1,T_a\left(x\right),T{S}_1$

${\mathrm{M}}_2$:

$\mathrm{Doc}\to \mathrm{MCS} : NI{D}_P,NI{D}_D,V_1,V_2,K_D, T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2$

${\mathrm{M}}_3$:

$\mathrm{MCS}\to \mathrm{Doc} : QI{D}_D,V_3,QI{D}_P,V_4, T_c\left(x\right),T{S}_3$

${\mathrm{M}}_4$:

$\mathrm{Doc}\to \mathrm{Pat} : QI{D}_P,V_4,T_c\left(x\right),T{S}_3$

${\mathrm{M}}_5$:

$\mathrm{Pat}\to \mathrm{Doc} : V_5$

${\mathrm{M}}_6$:

$\mathrm{Doc}\to \mathrm{MCS} : V_5,V_6$

${\mathrm{M}}_7$:

$\mathrm{MCS}\to \mathrm{Doc} : D_{PHI},V_7$

(4)

Assumptions

${\mathrm{AS}}_1$: $\mathrm{MCS}$ |$\equiv \mathrm{MCS}$ $\stackrel{ X_P:h(I{D}_P||K_{MCS\_P}) }{\leftrightarrow }$ Pat

${\mathrm{AS}}_2$: $\mathrm{Pat}$ |$\equiv$ $\mathrm{Pat}\stackrel{ X_P:h(I{D}_P||K_{MC{S}_P})}{\leftrightarrow }$ $\mathrm{MCS}$

${\mathrm{AS}}_3$: $\mathrm{MCS}$ |$\equiv$ #$h(X_P\left|\left|W_P\right|\right|I{D}_P\left|\left|I{D}_D\right|\right|T_a\left(x\right)|| T{S}_1$)

${\mathrm{AS}}_4$: $\mathrm{Pat}$ |$\equiv$ #$h\left(NI{D}_P^{new}\left|\left|X_P\left|\right|S{K}_P\right|\right|I{D}_D\left|\right|T{S}_3\right)$

${\mathrm{AS}}_5$: $\mathrm{MCS}$ |$\equiv$ $\mathrm{Pat}$ $⟹I{D}_P$

${\mathrm{AS}}_6$: $\mathrm{Pat}$ |$\equiv \mathrm{MCS}⟹NI{D}_P^{new}$

${\mathrm{AS}}_7$: $\mathrm{MCS}$ |$\equiv \mathrm{MCS}$ $\stackrel{ X_D:h(I{D}_D||K_{MCS\_D}) }{\leftrightarrow }$ Doc

${\mathrm{AS}}_8$: Doc |$\equiv \mathrm{Doc}\stackrel{ X_D:h(I{D}_D||K_{MCS\_D})}{\leftrightarrow }$$\mathrm{MCS}$

${\mathrm{AS}}_9$: $\mathrm{Doc}$ |$\equiv$ # $h\left(NI{D}_D^{new}\left|\left|X_D\left|\right|S{K}_D\right|\right|I{D}_P\left|\right|T{S}_3\right)$

${\mathrm{AS}}_{10}$: $\mathrm{Pat}$ |$\equiv \mathrm{Doc}\Rightarrow I{D}_D$

${\mathrm{AS}}_{11}:\mathrm{Doc}$ |$\equiv$ $\mathrm{Pat}$ $\Rightarrow I{D}_P$

(5)

Verification of the PHI upload phase

By using Message M₂,

$\mathrm{MCS} ⨞\left\{NI{D}_P,NI{D}_D,V_1:h(X_P\left|\left|W_P\right|\right|I{D}_P\left|\left|I{D}_D\right|\right|T_a\left(x\right)||T{S}_1),V_2, T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\right\}$

From Rule 1 and ${\mathrm{AS}}_1$,

${\mathrm{S}}_1$: $\mathrm{MCS}$ |$\equiv$ $\mathrm{Pat}$ |$\sim {\mathrm{ID}}_{\mathrm{P}}$.

From Rule 2 and ${\mathrm{AS}}_3$,

${\mathrm{S}}_2$: $\mathrm{MCS}$ |$\equiv$ $\mathrm{Pat}$ |$\equiv$ ${\mathrm{ID}}_{\mathrm{P}}$.

From Rule 3 and ${\mathrm{AS}}_5$,

${\mathrm{S}}_3$: $\mathrm{MCS}$ |$\equiv$ ${\mathrm{ID}}_{\mathrm{P}}$.

From Rule 4, ${\mathrm{AS}}_3$ and ${\mathrm{S}}_2$,

${\mathrm{S}}_4$: $\mathrm{MCS}$ |$\equiv$ $\mathrm{MCS}$ ${}_{\leftrightarrow }{}^{\mathrm{SK} }$ $\mathrm{Pat}$.

Further, using Rule 2, ${\mathrm{AS}}_3$ and ${\mathrm{S}}_1$,

${\mathrm{S}}_5$: $\mathrm{MCS}$ |$\equiv$ $\mathrm{Pat}$ |$\equiv$ $\mathrm{MCS}$ ${}_{\leftrightarrow }{}^{\mathrm{SK} }$ $\mathrm{Pat}$. $\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{Goal} 1$

By using Message M₄,

$\mathrm{Pat} ⨞\left\{QI{D}_P,V_4:h\left(NI{D}_P^{new}\left|\left|X_P^{\prime }\left|\left|S{K}_P\right|\right|I{D}_D\right|\right|T{S}_3\right),T_c\left(x\right),T{S}_3\right\}$

From Rule 1 and ${\mathrm{AS}}_2$,

${\mathrm{S}}_6$: $\mathrm{Pat}$ |$\equiv$| $\mathrm{MCS}$~ $NI{D}_P^{new}$

From Rule 2 and ${\mathrm{AS}}_4$,

${\mathrm{S}}_7$: $\mathrm{Pat}$ |$\equiv$ $\mathrm{MCS}$ |$\equiv$ $NI{D}_P^{new}$.

From Rule 3 and ${\mathrm{AS}}_6$,

${\mathrm{S}}_8$: $\mathrm{Pat}$ |$\equiv$ $NI{D}_P^{new}$

From Rule 4, ${\mathrm{AS}}_4$ and ${\mathrm{S}}_7$,

${\mathrm{S}}_9$: $\mathrm{Pat}$ |$\equiv$ $\mathrm{Pat}$ ${}_{\leftrightarrow }{}^{\mathrm{SK} }$ $\mathrm{MCS}$.

Further, using Rule 2, ${\mathrm{AS}}_4$ and ${\mathrm{S}}_6$,

${\mathrm{S}}_{10}$: $\mathrm{Pat}$ |$\equiv$ $\mathrm{MCS}$ |$\equiv$ $\mathrm{Pat}$ ${}_{\leftrightarrow }{}^{\mathrm{SK} }$ $\mathrm{MCS}$. $\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{Goal} 2$

Goal 3 can be deduced using arguments similar to Goal 1, and Goal 4 can be deduced using arguments similar to Goal 2, respectively.

• By using Message M₄,
  $\mathrm{Pat} ⨞\left\{QI{D}_P,V_4:h\left(NI{D}_P^{new}\left|\left|X_P^{\prime }\left|\left|S{K}_P\right|\right|I{D}_D\right|\right|T{S}_3\right),T_c\left(x\right),T{S}_3\right\}$From Rule 1, ${\mathrm{AS}}_2$ and ${\mathrm{AS}}_7$,
  ${\mathrm{S}}_{11}$: $\mathrm{Pat}$ |$\equiv$| $\mathrm{Doc}$~ $I{D}_D$
  From Rule 2 and ${\mathrm{AS}}_4$,
  ${\mathrm{S}}_{12}$: $\mathrm{Pat}$ |$\equiv$ $\mathrm{Doc}$ |$\equiv$ $I{D}_D$.
  From Rule 3 and ${\mathrm{AS}}_{10}$,
  ${\mathrm{S}}_{13}$: $\mathrm{Pat}$ |$\equiv$ $I{D}_D$
  From Rule 4, ${\mathrm{AS}}_4$ and ${\mathrm{S}}_{12}$,
  ${\mathrm{S}}_{14}$: $\mathrm{Pat}$ |$\equiv$ $\mathrm{Pat}$ ${}_{\leftrightarrow }{}^{\mathrm{SK} }$ $\mathrm{Doc}$.
  Further, using Rule 2, ${\mathrm{AS}}_4$ and ${\mathrm{S}}_{11}$,
  ${\mathrm{S}}_{15}$: $\mathrm{Pat}$ |$\equiv$ $\mathrm{Doc}$ |$\equiv$ $\mathrm{Pat}$ ${}_{\leftrightarrow }{}^{\mathrm{SK} }$ $\mathrm{Doc}$.    $\mathrm{Goal} 5$

• By using Message M₃,
  $\mathrm{Doc} ⨞\left\{QI{D}_D,V_3:h\left(NI{D}_D^{new}\left|\right|X_D^{\prime }\left|\right|S{K}_D\left|\left|I{D}_P\right|\right|T{S}_3\right),QI{D}_P,V_4, T_c\left(x\right),T{S}_3\right\}$
  From Rule 1, ${\mathrm{AS}}_1$ and ${\mathrm{AS}}_8$,
  ${\mathrm{S}}_{16}$: $\mathrm{Doc}$ |$\equiv$| $\mathrm{Pat} \sim I{D}_P$
  From Rule 2 and ${\mathrm{AS}}_9$,
  ${\mathrm{S}}_{17}$: $\mathrm{Doc}$ |$\equiv$ $\mathrm{Pat}$ |$\equiv$ $I{D}_P$.
  From Rule 3 and ${\mathrm{AS}}_{10}$,
  ${\mathrm{S}}_{18}$: $\mathrm{Doc}$ |$\equiv$ $I{D}_P$
  From Rule 4, ${\mathrm{AS}}_9$ and ${\mathrm{S}}_{17}$,
  ${\mathrm{S}}_{19}$: $\mathrm{Doc}$ |$\equiv$ $\mathrm{Doc}$ ${}_{\leftrightarrow }{}^{\mathrm{SK} }$ $\mathrm{Pat}$.
  Further, using Rule 2, ${\mathrm{AS}}_9$ and ${\mathrm{S}}_{16}$,
  ${\mathrm{S}}_{20}$: $\mathrm{Doc}$ |$\equiv$ $\mathrm{Pat}$ |$\equiv$ $\mathrm{Doc}$ ${}_{\leftrightarrow }{}^{\mathrm{SK} }$ $\mathrm{Pat}$.     $\mathrm{Goal} 6$
  The proof of the PHI uploading phase of the proposed scheme is completed.

By using arguments similar to those in the verification of the PHI uploading phase, the verification of the PHI access phase can be derived, which will not be repeated here.

4.2. Heuristical Security Analysis

(1)

Mutual authentication

The MCS authenticates the doctor Doc by checking $W_D$ and $X_D$ in $V_2=h(W_D\left|\left|X_D\right|\right|T_b\left(x\right)||T{S}_2$), $S{K}_D$ in $V_6=h\left(S{K}_D\left|\right|PHI\right)$ and authenticates the patient Pat by checking $W_P$ and $X_P$ in $V_1=h(X_P\left|\left|W_P\right|\right|I{D}_P\left|\left|I{D}_D\right|\right|T_a\left(x\right)|| T{S}_1$) and $S{K}_P$ in $V_5=h\left(S{K}_P\left|\right|I{D}_P\right)$, respectively, where $W_D=h(I{D}_D||P{W}_D)$, $X_D=h(I{D}_D||K_{MCS\_D})$,$S{K}_D=T_c\left(T_b\left(x\right)\right)$, $W_P=h(I{D}_P||P{W}_P)$, $X_P=h(I{D}_P||K_{MCS\_P})$ and $S{K}_P=$ $T_a\left(T_c\left(x\right)\right)$. Additionally, the Doc authenticates the MCS by checking $X_D$ and $S{K}_D$ in $V_3=h\left(NI{D}_D^{new}\left|\left|X_D\left|\right|S{K}_D\right|\right|I{D}_P\left|\right|T{S}_3\right)$. The Pat authenticates the MCS by checking $X_P$ and $S{K}_P$ in $V_4=h\left(NI{D}_P^{new}\left|\left|X_P\left|\right|S{K}_P\right|\right|T{S}_3\right)$. The Doc authenticates the MCS by checking $S{K}_D$ in $V_3=h\left(NI{D}_D^{new}\left|\right|S{K}_D\left|\left|I{D}_P\right|\right|T{S}_3\right)$. Pat and Doc implicitly realize mutual authentication through MCS.

(2)

Session key security

The proposed scheme negotiates the session keys $S{K}_P=h\left(T_{a·c}\left(x\right)\mathrm{mod} p\right)$ of Pat and MCS, $S{K}_D=h\left(T_{b·c}\left(x\right)mod p\right)$ of Doc and MCS in PHI uploading PHI access phases and $S{K}_D=h\left(T_{a·b}\left(x\right)\mathrm{mod} p\right)$ of MCS and Doc in emergency exception handling phase by adopting the extended chaotic-map-based Diffie-Hellman key exchange. The session key security is based on ECM-DHP, and thus the proposed scheme exhibits session key security.

(3)

Resisting password guessing attacks

(a)

Undetectable online password guessing attacks

An attacker who obtains a patient Pat’s smart card containing $\left\{NI{D}_P,Y_P\right\}$ and guesses $I{D}_P^{\prime }$ and $P{W}_P^{\prime }$, and computes $W_P^{\prime }=h(I{D}_P^{\prime }||P{W}_P^{\prime })$, $X_P^{\prime }=Y_P\oplus W_P^{\prime }$ and $V_1^{\prime }=h(X_P^{\prime }||W_P^{\prime }\left|\left|I{D}_P\right|\right|I{D}_D\left|\left|T_a\left(x\right)\right|\right|T{S}_1)$. He/she then sends $\left\{NI{D}_P,V_1,T_a\left(x\right),T{S}_1\right\}$ to MCS. However, MCS decrypts the patient’s anonymity $NI{D}_P$ with its secret key S and obtains $W_P$ at the time of registration to calculate and verify $V_1$. A failure request will be detected by MCS because the attacker does not have correct $I{D}_P$ and $P{W}_P$. Similarly, the attacker who obtains a doctor Doc’s smart card containing $\left\{{NID}_{\mathrm{D}},{\mathrm{Y}}_{\mathrm{D}}\right\}$ and guesses $I{D}_D^{\prime }$ and $P{W}_D^{\prime }$, and computes $W_D^{\prime }=h(I{D}_D^{\prime }||P{W}_D^{\prime })$, $X_D^{\prime }=Y_D\oplus W_D^{\prime }$ and $V_2^{\prime }=h(W_D\left|\left|X_D\right|\right|T_b\left(x\right)||T{S}_2)$, and then sends $\left\{NI{D}_P,NI{D}_D,V_1,V_2^{\prime },T_a\left(x\right),T_b\left(x\right),T{S}_1,T{S}_2\right\}$ to MCS. A failure request will be detected by MCS’s verifying $V_2$ because the attacker does not have correct $I{D}_P$ and $P{W}_P$

(b)

Offline password guessing attacks

In the proposed scheme, the password verification is on the MCS, not the smart card verification. There is no information that the attacker can use to compare during the transmission process, so offline password guessing attacks cannot be launched.

(4)

Resisting impersonation attacks

An attacker who tries to impersonate a legitimate user U (a patient Pat or a doctor Doc) must have information $W_U=h(I{D}_U||P{W}_U)$, $X_U=h(I{D}_U||K_{MCS\_U})$ (or =$Y_U\oplus W_U$). However, the attacker cannot derive $W_U$, $X_U$, $K_{MCS\_U}$ and $I{D}_U$ form revealed messages $NI{D}_U,V_1,V_2$, where $NI{D}_U=h(I{D}_U\left|\left|W_U\right|\right|R_{MCS}||K_{MCS\_U})$, $V_1=h(X_P\left|\left|W_P\right|\right|I{D}_P\left|\left|I{D}_D\right|\right|T_a\left(x\right)||T{S}_1)$ and $V_2=h(W_D\left|\left|X_D\right|\right|T_b\left(x\right)||T{S}_2)$, because the used hash functions provide one-way property. The attacker is difficult to impersonate a legitimate user U without the knowledge of $W_U$, $X_U$, $K_{MCS\_U}$ and $I{D}_U$. Thus, the proposed scheme resists impersonation attacks.

(5)

Resisting replay attacks

The proposed scheme ensures the message’s freshness by checking the timestamp of the communication message. Therefore, the proposed scheme resists replay attacks.

(6)

Resisting man-in-the-middle attacks

The proposed scheme provides mutual authentication and message freshness. Therefore, an attacker finds it difficult to perform the man-in-the-middle attack.

(7)

Resisting stolen verifier table attacks

The proposed scheme does not require maintaining the verifier table, and thus it is secure against stolen verifier table attacks.

(8)

Perfect Forward security

In the proposed protocol, given that a, b, and c are randomly chosen and independent of each other among the protocols executed, a compromised password $P{W}_P$ (or $P{W}_D$) does not yield any previous session keys $S{K}_P=h\left(T_{a·c}\left(x\right)\mathrm{mod} p\right)$ of Pat and MCS, $S{K}_D=h\left(T_{b·c}\left(x\right)mod p\right)$ of Doc and MCS in PHI uploading PHI access phases and $S{K}_D=h\left(T_{a·b}\left(x\right)\mathrm{mod} p\right)$ of MCS and Doc in emergency exception handling phase. The session key security is based on the ECM-DHP problem. The proposed protocol therefore provides perfect forward certainty.

4.3. Compliance with HIPAA Privacy/Security Regulations

(1)

Patient’s Understanding:

In the registration phase of the proposed scheme, the patient needs to sign the consent form w, which clearly states how the government health server will use and store medical record information.

(2)

PHI’s Confidentiality:

The MCS authenticates Doc and checks the patient’s authorization for Doc. Doc and MCS then adopt Chaotic Diffie-Hellman Key Exchange to generate a session key to guarantee the confidentiality of the PHI.

(3)

Patient’s Control:

The patient generates an authorization to give to the MCS. The MCS checks the patient’s authorization to give the doctor the patient’s authorized medical record information and then negotiates the encryption key. Thus, Pat can control the access rights to the patient’s PHI through Pat’s authorization.

(4)

Data Integrity:

In the proposed scheme, every communication message attaches a conformation message ${\mathrm{V}}_{\mathrm{i}}$ for $\mathrm{i}=1, 2, \dots , 7$ to ensure the integrity of patients’ PHIs. Therefore, it can prohibit and avoid any possible medical negligence, tampering, or unauthorized destruction of PHIs.

(5)

Consent Exception:

The proposed scheme provides the emergency exception handling phase to enable that MCS and Doc authenticate each, and then adopt Extended Chaotic Maps Diffie-Hellman Key Exchange to construct a secure channel to securely transmit the patient’s PHI when emergencies and special circumstances occur.

4.4. Compliance with GDPR Privacy Principles

(1)

The Principles of Lawfulness, Fairness, and Transparency:

In the registration phase of the proposed scheme, the patient must sign a privacy contract, which includes the patient’s information and instructions to ensure that the patient is transparent about the process of personal data processing.

(2)

The Principle of Purpose Limitation:

Furthermore, in the registration phase of the proposed scheme, the patient must sign a privacy contract to ensure that the patient is transparent about the process of personal data processing. Additionally, in the PHI uploading and access phases, the patient Pat can control the access rights to the patient’s PHI stored in the database with the help of MCS. The PHI is to be collected only for specified, explicit, and legitimate purposes, and re-using the data for purposes other than the original one is restricted.

(3)

The Principle of Data Minimization:

In the proposed scheme, the patient Pat can control the access rights to the patient’s PHI stored in the database with the help of MCS. Thus, the data storage and collection of the patient’s PHI must be adequate, relevant, and limited to what is necessary in relation to the purposes.

(4)

The Principle of Trueness, Accuracy:

In the PHI uploading phase of the proposed scheme, Doc, Pat, and MCS realize mutual authentication and securely transmit PHI by adopting Chaotic Diffie-Hellman Key Exchange to ensure that the PHI stored in the database is accurate and fresh.

(5)

The Principle of Storage Limitation:

In the proposed scheme, the patient Pat can control the access rights to the patient’s PHI stored in the database with the help of MCS. Thus, the PHI stored in the database can be kept in a form and limited to its necessity of the original purpose.

(6)

The Principle of Integrity and Confidentiality:

In the proposed scheme, every communication message attaches a conformation message ${\mathrm{V}}_{\mathrm{i}}$ for $\mathrm{i}=1, 2,\dots ,7$ to ensure the integrity of patients’ PHIs. Additionally, the MCS authenticates Doc and checks the patient’s authorization for Doc. Doc and MCS then adopt Chaotic Diffie-Hellman Key Exchange to generate a session key to guarantee the confidentiality of the PHI.

4.5. Functionality Comparison

Table 3. Functionality comparison.

Phases Schemes	Used Algorithm	User Verification	P1	P2	P3	P4	P5	P6	P7	P8	P9	P10	P11
Hu et al. [26]	RSA	Public-key Certificate	√	×	×	×	−	×	×	√	×	×	×
Ray-Biswas [20]	RSA	Public-key Certificate	×	×	×	×	−	×	×	×	−	×	×
Ray-Biswas [21]	RSA	Public-key Certificate	√	×	×	×	−	√	√	√	×	×	×
Amin et al. [41]	Hash	Secret Key	√	√	×	×	√	×	×	√	×	×	×
Wu et al. [42]	Hash	Secret Key	√	√	×	×	√	√	×	√	√	×	×
Soni et al. [43]	ECC	Secret Key	√	√	×	×	√	√	√	√	×	×	×
Li et al. [44]	ECC	Secret Key	√	√	×	×	√	√	×	√	×	×	×
Ali et al. [45]	ECC	Public-key Certificate	√	√	×	×	√	√	√	√	×	×	×
Kamil-Ogundoyin [46]	Hash	Secret Key	√	√	×	×	√	√	√	√	×	×	×
Hsieh et al. [35]	Chaotic maps	Public-key Certificate	√	√	√	√	√	√	√	√	√	√	−
Proposed scheme	Chaotic maps	Secret Key	√	√	√	√	√	√	√	√	√	√	√

“√”: Satisfaction; “×”: Dissatisfaction; “−”: No consideration; P1: Providing mutual authentication; P2: Providing updated password; P3: Providing patients’ authorization; P4: Providing patients’ control; P5: Resisting password guessing attacks; P6: Resisting impersonate attacks; P7: Resisting replay attacks; P8: Resisting man-in-the-middle attacks; P9: Resisting stolen verifier attacks; P10: Compliance with HIPAA privacy/security regulations; P11: Compliance with GDPR privacy principles.

compares the proposed scheme with the schemes of Hu et al. [26], Ray and Biswas [20], Ray and Biswas [21], Amin et al. [41], Wu et al. [42], Soni et al. [43], Li et al. [44], Ali et al. [45], Kamil and Ogundoyin [46], and Hsieh et al. [35] with respect to functionality. Some [20,21,26] are based on RSA; others [43,44,45] are based on ECC; others [41,42,46] use lightweight hash functions; and the scheme of Hsieh et al., similar to the proposed scheme, is based on extended chaotic maps. Although many efficient schemes have been proposed for e-healthcare systems, most do not take into account the patient’s control and authorization of PHI or the handling of emergency exceptions; they fail to meet many requirements, including HIPAA privacy/security regulations and GDPR privacy principles, and they cannot resist some attacks. The scheme of Hsieh et al. [35] and the proposed scheme have more security properties than related schemes, and only they comply with privacy and security regulations and resist all possible attacks. However, the scheme of Hsieh et al. [35] requires the maintenance of a complex public key infrastructure.

4.6. Performance Analysis

Table 4. Performance comparison.

Phases Schemes	Registration	PHI Uploading	PHI Access	Emergency Exception	Password Updating
		Authentication & Key Agreement
Hu et al. [26]	$6T_a+1T_s$ 2254 ms	$5T_a+1T_s+T_h$ 1887 ms	$4T_a+1T_s$ 1520 ms	$2T_a$ 734 ms	-
Ray-Biswas [20]	$4T_a+1T_h$ 1469 ms	$5T_a+2T_s+2T_h$ 1939 ms	$3T_a+2T_s$ 1204 ms	$3T_a+1T_s$ 1153 ms	-
Ray-Biswas [21]	$4T_a+1T_h$ 1469 ms	$3T_a+4T_s+3T_h$ 1308 ms	$1T_a+4T_s+2T_h$ 574 ms	$1T_a+4T_s+2T_h$ 574 ms
Amin et al. [41]	$5T_h$ 3 ms	$37T_h$ 19 ms		-	$6T_h$ 3 ms
Wu et al. [42]	$5T_h$ 3 ms	$34T_h$ 17 ms		-	$17T_h$ 9 ms
Soni et al. [43]	$10T_h+1T_f$ 170 ms	$31T_h+6T_e+1T_f$ 1171 ms		-	-
Li et al. [44]	$4T_h$ 2 ms	$20T_h+6T_e$ 994 ms		-	$7T_h$ 4 ms
Ali et al. [45]	$T_h+T_e+T_f$ 331ms	$8T_h+3T_e+T_f$ 664 ms		-	$2T_h+2T_f$ 331 ms
Kamil-Ogundoyin [46]	$7T_h$ 4 ms	$20T_h$ 10 ms		-	$10T_h$ 5 ms
Hsieh et al. [35]	$T_c+T_s+T_h$ 69 ms	$10T_c+6T_s+13T_h$ 484 ms	$10T_c+8T_s+14T_h$ 588 ms	$3T_c+4T_s+4T_h$ 258 ms	$4T_c+3T_s+6T_h$ 225 ms
Proposed scheme	$2T_h+1T_s$ 52 ms	$7T_c+4T_s+20T_h$ 334 ms	$7T_c+4T_s+26T_h$ 337ms	$4T_c+2T_s+12T_h$ 176ms	$4T_c+2T_s+11T_h$ 176ms

compares the computations that are required by the proposed scheme and the related schemes of Hu et al. [26], Ray and Biswas [20], Ray and Biswas [21], Amin et al. [41], Wu et al. [42], Soni et al. [43], Li et al. [44], Ali et al. [45], Kamil and Ogundoyin [46], and Hsieh et al. [35], where $T_a$ denotes the required time to execute asymmetric en/decryption; $T_s$ denotes the required time to execute a symmetric en/decryption; $T_h$ denotes the required time to execute a hash operation; $T_e$ denotes the required time to execute a point multiplication using ECC; $T_f$ denotes the required time to execute a fuzzy extractor; $T_c$ denotes the required time to execute an extended chaotic map operation, and $T_f\approx T_e$ [47].

Some schemes [20,21,26] are based on RSA and require many exponential computations. Others [43,44,45] are based on ECC and also require time-consuming point multiplications using ECC. Others [41,42,46] use lightweight hash functions and are more efficient than the alternatives, but they do not meet many requirements or resist some possible attacks. The scheme of Hsieh et al. [35] and the proposed scheme use symmetric encryptions and decryptions, extended chaotic maps, and hash operations, have a shorter response time, and are more efficient than others. Simulations are conducted in an environment that includes Windows Server 2008, Visual Studio 2012 software and C++ language, 256 input bits, Intel Xeon CPU E3-1231 v3 3.4GHz CPU and 8G RAM. The results of these simulations indicate that the proposed scheme has a shorter response time than the other schemes. Although the scheme of Hsieh et al. has a lower computational cost and a shorter response time than the others except for the proposed scheme, it requires the maintenance of a public key infrastructure. The results of the simulations reveal the proposed scheme has a shorter response time than all other schemes.

5. Conclusions

This study develops a secure and efficient certificateless authentication and key agreement scheme that is based on extended Chebyshev chaotic maps. The proposed scheme solves such security problems as the accessing of patient information without the patient’s permission, the inability to execute multiple verifications simultaneously, and others. Additionally, this study demonstrates that the proposed scheme is highly computationally efficient and compliant with HIPAA privacy/security regulations and GDPR privacy principles. The proposed scheme is certificateless and does not require the maintenance of users’ certificates or a certificate management center. The proposed scheme overcomes the limitations of other schemes, has higher computational efficiency, and has more functionality.