LGAAFS: A lightweight group anonymous mutual authentication and forward security scheme for wireless body area networks

Wireless Body Area Networks (WBANs) play an important role in the modern telemedicine environment. In a WBAN, intelligent, resource-limited sensors collect patients' health data and communicate it to doctors over the Internet. During communication between WBAN entities, however, the privacy and security of the data and of user information must be protected against various threats. Addressing these security weaknesses, this paper proposes a privacy-preserving WBAN authentication scheme. To the best of our knowledge, this paper is the first to introduce group anonymity techniques into WBAN. Moreover, we use the Random Oracle Model and BAN logic to verify the security properties of our scheme and give an informal security analysis. Last but more importantly, compared with the best existing solution in the WBAN environment, our communication overhead is reduced by 19.8% and the computing overhead is reduced by 17.4%.


Introduction
With the advancement of wireless communication technology, and with the rising average age of the world's population and the emergence of an aging population in many countries, WBAN systems have attracted widespread attention from academia and industry over the past decade and have become one of the most actively studied wireless networks in the field of the Internet of Things (IoT).
A WBAN is composed of three entities: sensor nodes (SNs), mobile devices (such as smartphones), and service providers (SPs) (such as hospitals, clinics and doctors). The SNs are devices implanted in or worn on the patient's body to monitor health data (such as temperature and heart rate). These data are sent to the mobile terminal; after collecting the data from the sensor nodes, the mobile device forwards them to the SPs. By analyzing the received data, the SPs return feedback to the mobile device. In this paper we treat the SNs and the mobile device as a single entity (the sensor node) and only consider communication between the SNs and the SPs.
However, owing to the openness and mobility of WBAN, data are often transmitted over insecure channels. Besides, SNs are limited in resources such as memory space and computing capacity. A lightweight WBAN authentication scheme is one solution to these challenges: it protects subsequent communication by negotiating a session key and uses lightweight cryptographic primitives to reduce computational overhead. Unfortunately, in many such schemes the user's identity is transmitted in plaintext, so an attacker who eavesdrops on the channel learns who is communicating and can further profile the user from when and how often data are sent. Therefore, our authentication scheme must guarantee user anonymity.
Shuangrong Peng, Xiaohu Tang, Ling Xiong and Hui Zhu have contributed equally to this work.
User anonymity comprises identity protection and unlinkability [1, 2]. Identity protection means that an attacker is unable to extract the user's real identity from the transmitted messages. Unlinkability guarantees that the attacker can neither determine the identity of a target user nor recognise multiple sessions as coming from the same user. In lightweight authentication schemes there are, in general, three approaches to user anonymity: the static pseudonym identity technique [3, 4], the dynamic pseudonym identity technique [5, 6] and the group anonymity technique [7]. The first replaces the user's true identity with a pseudonym. However, it uses the same pseudonym in every round of communication, so an adversary can easily link the sessions of one user. To address this problem, the dynamic pseudonym identity technique was introduced. Since the pseudonym must be updated after each completed session, however, it is vulnerable to desynchronization attacks, which can render the authentication scheme unusable. To deal with desynchronization, [8, 9] apply a sequence number; this defends against desynchronization effectively and has advantages in communication and computation overhead. Recently, Wang and Zhou [7] provided a new anonymity technique to protect user identity: it hides the user's real identity in a group, so that the attacker cannot distinguish which member of the group the user is. Each group has a group key $k_{G_i}$, which the server uses to recover the user's true identity. Group anonymity avoids the session linkability and desynchronization problems that the first two approaches cannot solve, so it does not need to rely on additional techniques to overcome them and adds no extra computation or communication overhead. Moreover, for the WBAN environment it effectively reduces the communication and computation overhead, making it better suited to systems with weak computing power. Building on this scheme, we optimise the computation and communication efficiency to fit the characteristics of the WBAN environment.
Our contributions are the following:
1. We introduce a new way of implementing anonymity, group anonymity, into WBAN. To our knowledge, this is the first use of group anonymity in WBAN.
2. Group anonymity avoids the session linkability and desynchronization problems that the static and dynamic pseudonym approaches cannot solve, so it needs no additional techniques to overcome them and adds no extra computation or communication overhead.
3. We show through security analysis that LGAAFS satisfies all the security requirements stated in Section 3. Compared with the existing solution in the WBAN environment, our communication overhead is reduced by 19.8% and the computing overhead by 17.4%.
The rest of this article is organised as follows. Section 2 briefly reviews related work on anonymous authentication. Section 3 presents the system model, threat model, security requirements and the group anonymity model. Section 4 designs LGAAFS for WBAN. Section 5 applies the random oracle model and BAN logic to analyse the proposed scheme and gives an informal security analysis. Section 6 evaluates the performance of LGAAFS. Section 7 concludes the paper.

Related works
User authentication in a WBAN system is an important security guarantee that only legitimate users access sensitive patient data. In recent years, many anonymous authentication schemes for patients and doctors or medical professionals have been introduced into WBAN to monitor patients' health safely. Among them, [5, 10-13] presented authentication schemes based on elliptic curve cryptography (ECC). Although ECC-based schemes can secure user data during the authentication phase, they generally consume considerable computing and communication resources and are therefore not well suited to WBAN systems. Hence a lightweight anonymous authentication scheme matching the specific requirements of WBAN is needed. To the best of our knowledge, there are three types of lightweight anonymity scheme: 1) static pseudonym ID schemes; 2) dynamic pseudonym ID schemes; 3) group anonymity schemes. Next, we summarise the application of these three techniques.
1. Pseudonyms are a common method of realising user anonymity in lightweight anonymous authentication schemes. The schemes of He et al. [3], Soni and Singh [14], Amin [4], Chen [15] and Gupta [16] fall into this category. In the static variant, the user $U_i$ and the sensor node $SN_j$ share a constant pseudonym identity $PID_{U_i}$. $U_i$ then transmits messages under $PID_{U_i}$ instead of its true identity over the public channel, and $SN_j$ uses $PID_{U_i}$ to quickly locate the corresponding sender. However, these schemes do not provide full user anonymity, because an attacker can trace the same user over multiple sessions.
2. The problem of static pseudonyms can be solved by dynamic pseudonym ID technology. In this category, $U_i$ and $SN_j$ share an ID that is updated after each authentication session completes. Many authentication schemes use this technique. Das et al. [17] first proposed dynamic ID technology to resist impersonation attacks in 2004, and a series of improvements on [17] followed. Gope and Hwang [18] provided a secure and efficient solution for WBAN offering anonymity and mutual authentication. Li et al. [19] then addressed further threats such as denial of service (DoS) attacks, attacks on forward security and password guessing attacks. After that, Gope and Sikdar [20] designed an efficient anonymous authentication scheme for WBAN by improving on [19]. Li et al. [21] presented an anonymous mutual authentication scheme for WBAN-based smart city applications, and Fotouhi et al. [22] provided a two-factor authentication scheme for IoT-based healthcare applications. However, since the authentication factors of both communicating parties must be updated during anonymous authentication, all of these schemes are exposed to desynchronization attacks.
3. To address the traceability and desynchronization problems of pseudonym techniques, group anonymity was introduced into lightweight anonymous authentication. In this category, $U_i$ and $SN_j$ share a static ID. Specifically, Wang et al. [7] designed an RFID authentication scheme using group anonymity; however, its communication and computation overhead is large. Later, Hsu et al. [23] proposed a group anonymity technique for mobile networks, which is also computationally expensive.
To sum up, the desynchronization attack is the most important obstacle to realising user anonymity in lightweight authentication schemes. The same problem occurs when implementing forward security, as in [21, 24]: these schemes use one-time hash chain values to provide forward security, but the value is updated every round, so when an adversary blocks a message the values held by the two communicating parties fall out of synchronization.
Thus, realising both anonymity and forward security simultaneously in a lightweight authentication scheme that resists desynchronization attacks is a difficult challenge. [18] addresses this problem using one-time hash chains and sequence numbers; unfortunately, in [18] the GWN and the sensor nodes communicate asynchronously, and the communication overhead is high. While [8, 25, 26] overcome the challenge, they also bring high computation and communication overhead. Hence, we propose a novel scheme for WBAN, LGAAFS, which provides both security and efficiency.

Preliminaries
In this section, we present the LGAAFS system model, adversary model and security requirements, and the group anonymity model. Table 1 lists the notations used in LGAAFS.

System model
The WBAN-based system model of this paper is shown in Fig. 1. There are three entities: 1) the user $U_i$, acting as the service provider; 2) the sensor node $SN_j$, acting as the data provider; 3) the gateway node (GWN). In our scheme, GWN is a trusted third party: it generates the security parameters and session keys and has sufficient computing resources to act as the necessary secure interface between the user and the sensor node. The main task of $SN_j$ is to collect and monitor the patient's body temperature, blood pressure and other physiological data. $U_i$ uses a smart card to obtain real-time information from the desired $SN_j$.

Adversary model
In our work, we assess the security of LGAAFS under the widely used Dolev-Yao threat model [27]. In this model, the participants communicate over a public channel, and the attacker can use this channel to intercept, modify and delete the messages sent. Combining this threat model with the WBAN-based healthcare environment, we assume the attacker has the following capabilities:
1. The attacker can intercept, modify, insert and delete any message sent over the insecure open channel.
2. The attacker can use a side-channel attack to extract all the secret data stored in a smart card.
3. The attacker can enumerate the low-entropy password and identity space in polynomial time.
4. The attacker may be a legitimately registered but malicious user.
5. The attacker may be a legitimately registered but malicious sensor node.

Security requirements
Since users and sensors in WBAN communicate over open wireless channels, they are vulnerable to various attacks during the authentication phase. The following security requirements are therefore considered in this paper.

Mutual Authentication
We require that only legitimate users can access, analyse and diagnose patients' information, so mutual authentication between $U_i$ and $SN_j$ is necessary.

Session Key Protocol
After successful mutual authentication, further communication between the two parties should be encrypted under the established session key to provide confidentiality. That is, the scheme must include session key agreement.

User Anonymity
We require that the adversary cannot obtain the user's true identity from the messages sent over the public channel, and cannot infer the identity of the user from the transmitted messages, i.e. cannot link sessions of the same user. So we need to ensure anonymity of the authentication process.

Forward Secrecy

Even if an attacker obtains the user's or the sensor's long-term key, the session keys generated in previous sessions cannot be recovered. Accordingly, the scheme needs to ensure forward secrecy.

Password Update

Users are free to update their passwords, and can do so without the assistance of GWN.

Desynchronization Attack

The scheme must keep the updated parameters on both sides of the communication, such as a one-time hash chain value, synchronized.

Multifactor Security

Multifactor security means that the scheme remains secure when n − 1 of its n factors are lost; in general n is 2 or 3. This paper chooses two-factor security (n = 2) with a password and a smart card (SC). Therefore, our scheme must meet the following two requirements. First, even if the adversary obtains the SC and extracts its secret data, it still cannot recover the password through an offline password guessing attack. Second, the attacker cannot impersonate the user even if the user's password is known.

Resistance to Other Attacks

Since the channel in WBAN is open, messages transmitted by users and sensors may be intercepted, modified and replayed by attackers. The scheme must be designed to withstand various attacks, such as replay attacks, smart card loss attacks, privileged insider attacks, impersonation attacks and man-in-the-middle attacks.

Group anonymity
In this paper, the group anonymity authentication model is adopted to resist the desynchronization problem caused by dynamic anonymity techniques. The group anonymity model based on WBAN is depicted in Fig. 2. We divide the M static IDs in the system into n groups, each group having $m = M/n$ static identities, namely $PID_i = \{PID_{i,1}, \ldots, PID_{i,m}\}$, $i \in \{1, \ldots, n\}$. Each group corresponds to a unique group key $k_i$ ($i \in \{1, \ldots, n\}$), which is shared with every member of the group. In each communication, a group member randomly selects an ID $PID_{i,j}$ from its group as the ID for the current round. The server finds the corresponding group key $k_i$ from this ID and then decrypts the message to obtain the real user identity; decryption is required because different members of the same group may use the same pseudonym $PID_{i,j}$.

Proposed scheme
This section introduces an efficient authentication scheme based on group anonymity. In an anonymous authentication scheme, patients can authenticate doctors anonymously to avoid communicating with malicious doctors. For a sound scheme, the user's real identity ID and secret key must be protected. LGAAFS has four stages: GWN initialization, registration of users and sensor nodes, anonymous user authentication, and password update. The details of LGAAFS are described below.

GWN initialization phase
In this phase, GWN first generates the system master key MSK and stores it in secret memory. Then GWN selects four collision-resistant hash functions $H_k$, $k = 0, 1, 2, 3$, and publishes them.

Registration phase
The registration phase of LGAAFS consists of the WBAN user registration phase and the sensor node registration phase.

Sensor nodes registration phase
When a new sensor node $SN_j$ enters the system, it must first register with GWN. As shown in Fig. 3, the registration process is as follows:
Step 1: The new sensor node $SN_j$ chooses an identity $ID_{SN_j}$ and sends it to GWN.
Step 2: Upon receipt of the registration request from $SN_j$, GWN checks whether $ID_{SN_j}$ is already stored in the sensor node information table. If it is, GWN rejects the request. Otherwise, GWN selects a random number $r_j$, sets $HC_{SG_j} = r_j$ and initializes the sequence numbers $SG_j = GS_j = 0$. Next, GWN stores $\{HC_{SG_j}, ID_{SN_j}, GS_j\}$ in the sensor node information table and sends $\{SG_j, HC_{SG_j}\}$ to $SN_j$.

Fig. 2 Group anonymous model
Step 3: Once the sensor node receives $\{SG_j, HC_{SG_j}\}$, it stores them in its secret memory.

User registration phase
When a new user $U_i$ wants to access the data stored on a sensor node $SN_j$, she/he must first register with GWN. After successful registration, GWN issues a smart card to $U_i$. As shown in Fig. 4, the process is as follows:
Step 1: The user $U_i$ chooses an identity $ID_{U_i}$ and a password $PW_{U_i}$, and generates a random number $a_i$. Next, she/he computes $P_{U_i} = H_0(ID_{U_i} \| PW_{U_i} \| a_i)$ and sends $\{ID_{U_i}, P_{U_i}\}$ to GWN.
Step 2: Once GWN receives $\{ID_{U_i}, P_{U_i}\}$, it first checks whether $ID_{U_i}$ is already stored in the user identity information table. If it is, GWN rejects the application. Otherwise, GWN selects two random numbers $b_i$ and $c_i$, and sets $HC_{UG_i} = b_i$ and $UG_i = GU_i = 0$. Then GWN randomly chooses a group $PID_i$ with its corresponding group key $k_i$, picks a pseudonym identity $UID_{U_i}$, computes the remaining smart card parameters, and issues the smart card SC to $U_i$.
Step 3: Upon receipt of the SC, $U_i$ writes $a_i$ into it.
Fig. 3 Sensor node registration phase (GWN side: input $ID_{SN_j}$; select $r_j$; set $HC_{SG_j} = r_j$, $SG_j = GS_j = 0$; store $\{HC_{SG_j}, GS_j, ID_{SN_j}\}$)

Authentication phase
When $U_i$ wants to access the data of $SN_j$, he/she must achieve mutual authentication with GWN and $SN_j$. As shown in Fig. 5, the authentication and key agreement process is as follows:
Step 1: First, $U_i$ inserts the SC and enters $ID_{U_i}$ and $PW_{U_i}$. The SC computes $P^*_{U_i}$ and $V^*_{U_i}$ and checks whether $V^*_{U_i}$ is consistent with the stored $V_{U_i}$. If not, the SC rejects the session. Otherwise, the SC updates its one-time hash chain value $HC_{UG_i}$ and sequence number $UG_i$, selects an ID $PID_{i,j}$ from the group $PID_i$ as the ID of this round, and selects a random number $R_1$. Next, the SC computes $B_i$, $C_1$ and $V_1$, where T is the current timestamp, and sends the login message $\{PID_{i,j}, B_i, C_1, V_1, T, UG_i\}$ to GWN.
Step 2: Upon receiving the login message, GWN first verifies the timestamp T. If it is not fresh, GWN rejects the session. Otherwise, GWN checks whether $PID_{i,j}$ belongs to a registered group. If not, GWN terminates the session. Otherwise, it obtains the group key $k_i$, recovers $UID_{U_i}$, and searches the user information table under the computed $UID_{U_i}$ for the sequence number $GU_i$. GWN then checks the difference between the received $UG_i$ and the stored $GU_i$ (in the same way as $SN_j$ does in Step 3), derives the user's current hash chain value $HC^*_{UG_i}$ from $HC_{UG_i}$ accordingly, and computes $V^*_1$. Next, GWN checks whether $V^*_1$ equals the received $V_1$. If it matches, GWN updates $GU_i = UG_i$ and $HC_{UG_i} = HC^*_{UG_i}$. Then GWN chooses the session key $R_2$ and computes $C_2$ and $V_2$. Subsequently, GWN updates $HC_{SG_j} = H_1(HC_{SG_j} \| ID_{SN_j})$ and $GS_j = GS_j + 1$, and transmits $\{GS_j, C_2, V_2\}$ to $SN_j$.
Step 3: Once $SN_j$ receives $\{GS_j, C_2, V_2\}$, it first checks whether $1 \le (GS_j - SG_j) \le N$ holds, where N is a threshold. If not, $SN_j$ rejects the session. Otherwise, $SN_j$ sets $HC^*_{SG_j} = HC_{SG_j}$ and computes $HC^*_{SG_j} = H_1(HC^*_{SG_j} \| ID_{SN_j})$ $(GS_j - SG_j - 1)$ times. Next, $SN_j$ computes $V^*_2$ and checks whether it equals the received $V_2$. If they match, $SN_j$ computes $V_3$ and updates $HC_{SG_j} = H_1(HC^*_{SG_j} \| ID_{SN_j})$ and $SG_j = GS_j$; otherwise it rejects the session. Finally, $SN_j$ sends $\{ID_{SN_j}, V_3\}$ to GWN.
Step 4: GWN computes $V^*_3 = H_3(HC_{SG_j} \| R_2 \| ID_{U_i} \| ID_{SN_j})$ and checks whether $V^*_3$ equals the received $V_3$. If not, GWN terminates the conversation. If they match, GWN computes $C_3$ and $V_4$ and transmits $\{C_3, V_4\}$ to $U_i$.
Step 5: Upon receiving $\{C_3, V_4\}$, $U_i$ computes $V^*_4$ and checks it against the received $V_4$. If they match, the authentication succeeds and $U_i$ shares the session key $R_2$ with $SN_j$; otherwise the authentication of $U_i$ fails and the session is rejected.

Password update phase
If $U_i$ wants to change his/her password $PW_{U_i}$, he/she only needs to perform the following steps locally, without involving GWN:
Step 1: First, $U_i$ inserts the SC and enters $ID_{U_i}$ and $PW_{U_i}$. Then the SC calculates and verifies the login values as in Step 1 of the authentication phase.
Step 3: Finally, the SC stores the recomputed values in place of $A_{U_i}$ and $V_{U_i}$, respectively.

Security analysis
In this section, we analyse the security of LGAAFS. To demonstrate the authentication process and the session key security of LGAAFS, we apply BAN logic [28], and we use the random oracle model to prove semantic security. We also perform an informal analysis showing that LGAAFS resists various known attacks.

LGAAFS proof based on random oracle model
The Random Oracle Model (ROM) is widely used to establish whether an authentication protocol provides provable security. A proof that a protocol is secure under the ROM provides strong evidence for its security and reliability.
Three parties are involved in our proof: $U_i$, GWN and $SN_j$. We use $I^a_{U_i}$, $I^b_{GWN}$ and $I^c_{SN_j}$ to denote the a-th instance of $U_i$, the b-th instance of GWN and the c-th instance of $SN_j$, respectively. The adversary is a probabilistic polynomial-time (PPT) algorithm that attempts to break our protocol through the following oracle queries, which formalise the attacker's capabilities. The Hash oracle, in particular, returns the recorded answer for a repeated query; if the value has not been queried before, the oracle randomly selects a value from $\{0, 1\}^l$, records it and returns it as the output.
Based on the oracle query above, we propose the following definitions to define the semantic security of our protocol.
Definition 1 (Accepted State). We call the instance $I^s$ an accepted instance if its state changes to accept upon receiving the last message expected by the protocol.
Definition 4 (Probability of Success). Let P be the proposed protocol and $\mathrm{Succ}^P_A$ be the event in which the attacker performs a single Test query on some fresh and terminated instance O of P and returns a guess bit b′. We say that the attacker violates the semantic security of P if b′ = b, where b is the bit chosen during the Test query. The advantage of the attacker in breaking the semantic security of P is denoted $\mathrm{Adv}^P_A$.
Definition 5 (Semantic Security). An authenticated protocol P is called semantically secure if (1) O and its partner are in an accepted state in the presence of the adversary and compute a shared session key, and (2) the advantage of the adversary, $\mathrm{Adv}^P_A$, is negligible.
Based on the above oracle queries and definitions of semantic security, we prove that our scheme is provably secure, as stated in the following theorem.

Theorem 1 Assume that the adversary A is a PPT attacker. If A can violate the semantic security of our proposed protocol P in the random oracle model, then $\mathrm{Adv}^P_A$ is bounded by a function of $q_h$, $q_s$, $|H|$ and $|C|$, where C represents the uniform password dictionary, and $q_h$, $q_s$, $|H|$ and $|C|$ denote the number of Hash queries, the number of Send queries, the size of the Hash query space and the size of the dictionary C, respectively.
Proof We define four games $G_i$ ($i = 0, 1, 2, 3$) to simulate the attack process of the adversary. $\mathrm{Succ}_i$ denotes the event that the attacker wins game $G_i$, and $\mathrm{Adv}^P_A$ denotes the attacker's advantage in breaching the security of P. The real attack starts from $G_0$ and ends with $G_3$. The games are as follows:
• $G_0$: In this game, the adversary only needs to guess the bit b, so this game simulates the real attack.
• $G_1$: Based on $G_0$, we introduce eavesdropping: the attacker can perform the Execute(O) query, which is simulated through Send queries, and must then decide whether the value returned by the Test query is the real session key or a random string. In our protocol the session key is $R_2$; even if the attacker intercepts all transmitted information, it does not help in recovering $R_2$. Therefore, compared with $G_0$, this game does not increase the attacker's winning probability.
• $G_2$: In this game, we add the Hash and Send queries. On receiving a Send query with the message "start", the simulator selects a random $R_1$ and computes the login message (Eq. (1)). An attacker cannot forge the messages exchanged between the entities from these queries because $C_1$ and $V_1$ are outputs of the hash function; moreover, because $R_1$ differs in each session, hash collisions occur only with the birthday-bound probability.
• $G_3$: In this game, the attacker is additionally allowed to corrupt the sensor node and the smart card, so it obtains the information $\{SG_j, HC_{SG_j}\}$ of the sensor and $\{PID_i, k_i, PID_{i,j}, HC_{UG_i}, UG_i, A_{U_i}, V_{U_i}\}$ stored in the smart card. In addition, with a password dictionary, the adversary can try to guess $U_i$'s password $PW_{U_i}$. Without the password, the parameter $P_{U_i}$ cannot be obtained, and hence neither can the session key between the user and the gateway node. If the system allows only a limited number of wrong password attempts, the attacker's advantage from password guessing is bounded accordingly.
Finally, because the adversary does not know whether the session key it must guess for bit b was generated by $U_i$ or $SN_j$, we have Eq. (5).

LGAAFS proof based on BAN logic
BAN logic is a set of rules for reasoning about authentication and session key security between $U_i$ and $SN_j$ after LGAAFS has completed. In BAN logic, P and Q represent principals, and X and Y represent statements. For convenience, all the notations used in the BAN logic analysis are given in Table 2.
In addition, we use the main logical rules below to prove that LGAAFS provides secure mutual authentication between $U_i$ and $SN_j$.
1. Message-Meaning Rule. To prove that our protocol provides secure mutual authentication between $U_i$ and $SN_j$, we need to establish the following four goals.

Goal 1:
First, the messages of our scheme are idealised as follows.
Then, the assumptions about the initial state of our scheme are as follows.
Finally, we use the BAN logic rules and assumptions to prove the above goals; the detailed derivation is given in Table 3.
Based on Goals 1 to 4, LGAAFS provides secure mutual authentication between the two participants $U_i$ and $SN_j$, and the session key $R_2$ is shared between $U_i$ and $SN_j$.

Further security analysis of LGAAFS
In this section, we analyse the security and functional properties of the proposed privacy-preserving authentication scheme against the requirements listed in Section 3.

Mutual Authentication:
In LGAAFS, the user $U_i$ and the gateway GWN authenticate each other by verifying whether the computed $V^*_1$ and $V^*_4$ equal the received $V_1$ and $V_4$. Without $K_{GU_i}$ and $HC_{UG_i}$, an attacker cannot forge a legitimate user's authentication message. In the communication between the sensor $SN_j$ and GWN, $SN_j$ checks whether the computed $V^*_2$ equals the received $V_2$, and GWN checks whether $V^*_3 = H_3(HC_{SG_j} \| R_2 \| ID_{U_i} \| ID_{SN_j})$ equals the received $V_3$. Likewise, without $HC_{SG_j}$ no one can forge legitimate authentication information.

User Anonymity:
LGAAFS uses group anonymity to ensure user anonymity. The real identity of a user is sent in ciphertext; GWN uses the pseudonym ID and the group number to identify the user communicating with it. $PID_{i,j}$ is randomly selected within a group, so each communication can use a different ID. Therefore, an attacker cannot determine from the $PID_{i,j}$ values seen on the public channel whether two sessions belong to the same user. To sum up, LGAAFS achieves both identity protection and unlinkability.
3. Forward Security: Suppose the attacker has the three secret values $K_{GU_i}$, $HC_{UG_i}$ and $HC_{SG_j}$. In this scheme, the attacker still cannot recover the session key $R_2$ of earlier sessions, because $HC_{UG_i}$ and $HC_{SG_j}$ are updated through the one-way hash function after each successful communication, and the attacker cannot compute the previous $HC_{UG_i}$ and $HC_{SG_j}$ from the current $HC^*_{UG_i}$ and $HC^*_{SG_j}$. Therefore, our scheme realises forward security.
4. Desynchronization Attack: In this scheme, we use group anonymity and one-time hash chains to realise user anonymity and forward security. To guarantee the consistency of the one-time hash chain values, we use sequence numbers to defend against desynchronization attacks. Figure 6 shows the possible desynchronization attacks, which are analysed as follows.
Scenario 1: The attacker blocks a single message of a session; there are four cases.
• When message 1 is blocked, $HC_{UG_i}$ on the user side has already been updated while $HC_{UG_i}$ on the GWN side is unchanged. Nevertheless, the attack does not disable LGAAFS, because in the next session GWN re-derives $HC_{UG_i}$ from the difference between the sequence numbers $UG_i$ and $GU_i$, so the session can continue.
• When message 2 is blocked, both the communication between $U_i$ and GWN and that between GWN and $SN_j$ are affected. For $U_i$ and GWN, the values of $HC_{UG_i}$ on both sides are equal and are not changed again in this session. For GWN and $SN_j$, the values of $HC_{SG_j}$ on the two sides differ; this is the same situation as message 1 being blocked, and $HC_{SG_j}$ is resynchronized through the sequence numbers $SG_j$ and $GS_j$, so subsequent sessions are not affected.
• When message 3 is blocked, both the communication between $U_i$ and GWN and that between GWN and $SN_j$ are involved. For $U_i$ and GWN, the situation is similar to that when message 2 is blocked. For GWN and $SN_j$, the attack has no effect, since both parties have already synchronized $HC_{SG_j}$.
• When message 4 is blocked, the situation is similar to that when message 3 is blocked.

Scenario 2: The attacker blocks the second, third and fourth messages; then the situations are similar to the second, third and fourth situations in Scenario 1. Based on the above analysis, LGAAFS is resistant to asynchronization attacks.

5. Two-Factor Security: First of all, an attacker cannot impersonate a legitimate user with the password alone. Then, we assume that the attacker has gained the information in the SC. Since there is | ) . Hence, LGAAFS can effectively resist incorrect password login and update attacks.

7. Smart Card Loss Attack: We assume that the user's SC is lost or stolen by an attacker who is able to obtain the information {PID i , k i , is the same as the stored V U i . If they match, the attacker can guess the correct password PW U i . On the other hand, the attacker not only obtains the information {PID i , k i , A U i , UG i , HC UG i , V U i , UID U i , a i } in the smart card, but also intercepts the transmitted messages {PID i,j , B i , C 1 , V 1 , T, UG i } . The attacker will try to guess the password PW U i using the same steps through the previously sent message. However, this is unlikely to succeed, since the attacker only obtains the previous one-way hash value HC UG i from the SC, whereas the HC UG i used in V 1 is the updated value. Due to the one-way nature of the hash function, the updated value cannot be inferred, so in this type of attack the attacker still cannot correctly guess PW U i .

8. Privileged Insider Attack: In the user registration phase of LGAAFS, U i sends to GWN not the password PW U i , but ID U i and P U i , where P U i = H 0 (ID U i ‖ a i ‖ PW U i ) and a i is a random number that GWN does not know. Hence, it is impossible for an insider attacker to guess the user's password PW U i . Therefore, LGAAFS is resistant to insider attacks.

9. User Impersonation Attack: In our scheme, if an attacker wants to impersonate a legitimate user, he/she must generate a valid login message. LGAAFS is resistant to user impersonation attacks.

10. Sensor Node Spoofing Attack: In our scheme, if a malicious sensor node wants to impersonate a legitimate user or another sensor node, it must generate valid authentication values. Obviously, this is not feasible without HC UG i , HC SG j and K GU i . Therefore, the sensor node cannot impersonate legitimate users or other legitimate sensor nodes.
Fig. 6 Asynchronization on the proposed scheme

11. Replay Attack: In a replay attack, the attacker resends authentication messages exchanged between the user, gateway node and sensor node to the network. In our scheme, we use timestamps and sequence numbers to defend against replay attacks. Suppose the attacker sends the data sent by the client to the gateway node again without modification. After receiving the data, the gateway checks whether the timestamp has expired; if the timestamp T has expired, identity authentication fails. Even if the attacker modifies the timestamp, the gateway can use the sequence number UG i (GU i ) to determine the current communication round. Similarly, when messages are sent between the gateway and the sensor node, the sequence number SG j (GS j ) is used to determine the current round, and the attacker cannot obtain the sequence number. Thus, when authentication is complete, both parties to the communication can determine that the session is the current session, and LGAAFS is resistant to replay attacks.
12. Man-in-the-Middle Attack: A man-in-the-middle attack is one in which an attacker intercepts and tampers with the data transmitted between two nodes. In this scheme, for an attacker to successfully mount a man-in-the-middle attack, it is necessary to generate the message (UID U i , B i , C 1 , V 1 , T, UG i ), the value HC UG i and the session key K GU i , where the attacker cannot acquire k i , c i and the master key MSK GWN , so he/she cannot generate an authentication value that will be accepted by the GWN. Similarly, the attacker does not know the session key R 2 or the hash chain value HC SG j , where HC SG j = H 1 (HC SG j ∥ ID SN j ) . Since the attacker cannot obtain the identifier of the sensor node, it cannot generate the session key R 2 , and thus cannot produce the identity authentication of SN j . Therefore, LGAAFS is resistant to man-in-the-middle attacks.
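The sequence-number resynchronization of Scenario 1 (message 1 blocked, GWN catches up using the gap between UG i and GU i , bounded by the threshold N) and the timestamp and sequence-number replay check of item 11, modelled in Python as an added example that is not code from the paper. The SHA-256 stand-in for H1, the chain step H1(HC ∥ ID) applied to HC UG i , the shape of V1, the timestamp window and the value N = 3 are all assumptions, since the page gives only HC SG j = H1(HC SG j ∥ ID SN j ) and names the threshold N without a value.

```python
import hashlib
from dataclasses import dataclass
N = 3  # assumed value of the threshold N, which the page names but does not quantify
def h1(*parts: bytes) -> bytes:
    # SHA-256 stands in for H1; the chain step HC' = H1(HC || ID) mirrors the
    # page's HC_SGj = H1(HC_SGj || ID_SNj) and is assumed here for HC_UGi too
    return hashlib.sha256(b"|".join(parts)).digest()
def tag(hc: bytes, seq: int, t: int) -> bytes:
    return h1(hc, str(seq).encode(), str(t).encode())  # assumed shape of V1
@dataclass
class User:
    ident: bytes
    hc: bytes    # HC_UG_i
    ug: int = 0  # UG_i
    def login_message(self, t: int) -> dict:
        # the chain is stepped before sending, so a blocked message 1 leaves
        # the user one step ahead of the GWN (Scenario 1, first bullet)
        self.hc, self.ug = h1(self.hc, self.ident), self.ug + 1
        return {"UG": self.ug, "T": t, "V1": tag(self.hc, self.ug, t)}

@dataclass
class Gateway:
    ident: bytes
    hc: bytes    # GWN's copy of HC_UG_i
    gu: int = 0  # GU_i
    def verify(self, msg: dict, now: int, max_age: int = 2) -> bool:
        if now - msg["T"] > max_age:    # expired timestamp T (item 11)
            return False
        delta = msg["UG"] - self.gu
        if delta <= 0 or delta > N:     # replayed round, or more than N ahead
            return False
        cand = self.hc
        for _ in range(delta):          # catch up on the missed chain steps
            cand = h1(cand, self.ident)
        if tag(cand, msg["UG"], msg["T"]) != msg["V1"]:
            return False
        self.hc, self.gu = cand, msg["UG"]  # commit only after success
        return True

def run_scenarios() -> tuple:
    seed = b"constructed-initial-HC"               # constructed shared seed
    u, g = User(b"ID_U", seed), Gateway(b"ID_U", seed)
    ok1 = g.verify(u.login_message(t=10), now=10)  # normal session
    blocked = u.login_message(t=20)                # attacker drops message 1
    ok3 = g.verify(u.login_message(t=30), now=30)  # delta = 2 <= N: resynced
    stale = g.verify(blocked, now=40)              # replay with expired T
    forged_t = g.verify({**blocked, "T": 40}, now=40)  # fresh T, old UG
    for _ in range(N + 1): u.login_message(t=41)   # N + 1 drops in a row
    ok5 = g.verify(u.login_message(t=50), now=50)  # delta = N + 2 > N
    return ok1, ok3, stale, forged_t, ok5
```

Because the GWN commits the advanced chain value only after V1 verifies, a dropped message never leaves the two sides permanently out of step, while a gap larger than N is rejected as the page describes.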

Security comparisons
This section compares the security of our scheme with several related schemes [7-9, 22, 25, 26, 29]. As can be seen from Table 4, only our scheme and Xiong et al.'s scheme satisfy the various existing security requirements.

Performance analysis
This section compares the performance of the LGAAFS and several related schemes [7-9, 22, 25, 26, 29].Since the registration phase occurs only at the beginning of the session and the key update phase occurs only when the key is lost or forgotten, only the performance of the authentication phase is compared and analyzed here.

Computation analysis
In this section, the computational efficiency of LGAAFS is compared with that of previous related schemes [7-9, 22, 25, 26, 29]. For convenience of analysis, we use T h to represent the running time of a general hash function; FE.Gen() and FE.Rep() represent the time complexity of the fuzzy extractor operations; T A represents the time complexity of symmetric encryption and decryption operations; T PUF represents the time complexity of the PUF function.
The results in Table 5 and Fig. 7 show that the computational overhead of Wang and Zhou [7] is the smallest when M = 1, but their scheme is less secure. It can also be seen from Table 5 and Fig. 7 that the computational overhead of our scheme is higher than that of Xiong et al. [9]; however, the computational overhead of LGAAFS is within an acceptable range and the same level of security is guaranteed.

Communication analysis
In this section, the communication efficiency of LGAAFS is compared with several previous related schemes [7-9, 22, 25, 26, 29]. For a fair comparison, we assume that the bit lengths of the identity ID (ID U i , ID SN j ) , dynamic pseudonym , static pseudonym identity UID U i , timestamp T, sequence number (UG i , GU i , SG j , GS j ) , random LGAAFS is 1656 bits. The comparison of communication overhead is shown in Table 6 and Fig. 8. To be fair, all schemes are compared using the same calculation method. According to Table 6 and Fig. 8, the communication cost of our scheme is the smallest.

Conclusion
This paper first observes that most lightweight authentication schemes in WBAN face asynchronization attacks when implementing anonymity. To overcome this challenge, we design an improved scheme based on group anonymity. The solution covers all the security vulnerabilities of the previous solutions while retaining all of their security features. The security analysis shows that this scheme provides user anonymity and forward security, and can resist many known attacks, such as asynchronization attacks. In addition, BAN logic is used for formal analysis to verify the security of the scheme. Performance analysis demonstrates that LGAAFS has the same communication and computation cost as the scheme based on dynamic anonymity technology, and the lowest communication and computation cost compared with the scheme using group anonymity. In the future, we will consider further authentication schemes that are better suited to the WBAN environment, such as authentication schemes designed for energy saving and low consumption.

Definition 2 (Partnered Instance). We say that two instances I s U i and I s SN j are partnered if (1) they are in the accepted state, denoting that they have mutually authenticated each other and set a session key; (2) they share a session identifier sid; (3) I s U i is the partner of I s SN j and vice versa. Note that the sid of an instance I s is defined as the concatenation of all messages I s has sent or received.

Definition 3 (Freshness). An instance I s is said to be fresh if (1) it resides in the accepted state; (2) the query Reveal(O) has not been executed; (3) only one Corrupt query has been transmitted to I s ; otherwise, one Corrupt query has been transmitted to I s 's partner.
If the attacker's goal is to get the real session key, then the adversary must execute the Test(O)

4. Upon receiving the Send query with the message {GS j , C 2 , V 2 } , I c SN j computes R 2 and checks V * 2 . If it holds, it computes V 3 . Finally, I c SN j returns the output {ID SN j , V 3 }.
Send(I b GWN , (ID SN j , V 3 )): Upon receiving the Send query with the message (ID SN j , V 3 ) , I b GWN checks V * 3 . If it holds, it computes C 3 , V 4 . Finally, I b GWN returns the output {C 3 , V 4 }.
5. Send(I a U i , (C 3 , V 4 )): Upon receiving the Send query with the message (C 3 , V 4 ) , I a U i computes R 2 and checks V * 4 . If it does not hold, it terminates. Otherwise, I a U i accepts and terminates.

• G 3 : In this game, CorruptSensor(I c SN j

D PW 1024 | , where | D PW | is the password space. The attacker still cannot guess the right password. Therefore, LGAAFS provides two-factor security.

6. Wrong Password Login or Update Attack: In our scheme, if the wrong password PW ′ U i is entered, then the validation value stored in the SC

Wrong Password Login/Update Attack: We require that computing and communication resources should not be wasted during the login or password update phase.

9. Various existing attacks: Because the environment

(Protocol figure residue: store SG j , GS j , ID SN j into its database; store {HC SG j , SG j } into its memory.)

where N is a threshold value. If this equation does not hold, GWN rejects this conversation. Otherwise, the GWN sets HC *

The adversary can forge and send messages to U i , GWN and SN j , or receive the messages sent to each of U i , GWN and SN j .
, k i , PID i,j , HC UG i , UG i , A U i , V U i } by a side-channel attack, which are stored in the smartcard of U i . In each session, the attacker can execute only one Test query. If the session key R 2 has been calculated between U i and SN j , the oracle returns R 2 . Otherwise, the oracle returns a null value. Upon receiving a request to execute the Test(O) query, the oracle generates a random bit b. If b = 1 , then it outputs R 2 .

• Execute(O): The adversary can tamper with, delete and intercept the messages transmitted by U i , GWN and SN j over the open channel, where O = {I a
• Hash(O, message): An attacker performs this query by submitting a string message to O. If a record (s, message) is stored, O returns s = h(message). Otherwise, O randomly selects an s and returns it; meanwhile, (s, message) is stored in a list.
• Send(O, m):
• Test(O): The attacker attempts to break the semantic security of a session key computed between U i and SN j in a fresh and accepted session.

Table 2 Notations in BAN logic (columns: Notation, Descriptions)

Table 4 Security features comparisons. Legend: ✓ the security property is supported, or the attack can be defended against; − the security property is not mentioned; × the security property is not provided, or the attack cannot be defended against.