FAIDM for Medical Privacy Protection in 5G Telemedicine Systems

Featured Application

This work can be applied in 5G telemedicine systems which can remote monitor health condition of patients and provide medical related data to medical professional. Devices on patients, which are IoT devices, should be managed properly, and proposed scheme can achieve the purpose while preserving privacy.

Abstract

5G networks have an efficient effect in energy consumption and provide a quality experience to many communication devices. Device-to-device communication is one of the key technologies of 5G networks. Internet of Things (IoT) applying 5G infrastructure changes the application scenario in many fields especially real-time communication between machines, data, and people. The 5G network has expanded rapidly around the world including in healthcare. Telemedicine provides long-distance medical communication and services. Patient can get help with ambulatory care or other medical services in remote areas. 5G and IoT will become important parts of next generation smart medical healthcare. Telemedicine is a technology of electronic message and telecommunication related to healthcare, which is implemented in public networks. Privacy issue of transmitted information in telemedicine is important because the information is sensitive and private. In this paper, 5G-based federated anonymous identity management for medical privacy protection is proposed, and it can provide a secure way to protect medical privacy. There are some properties below. (i) The proposed scheme provides federated identity management which can manage identity of devices in a hierarchical structure efficiently. (ii) Identity authentication will be achieved by mutual authentication. (iii) The proposed scheme provides session key to secure transmitted data which is related to privacy of patients. (iv) The proposed scheme provides anonymous identities for devices in order to reduce the possibility of leaking transmitted medical data and real information of device and its owner. (v) If one of devices transmit abnormal data, proposed scheme provides traceability for servers of medical institute. (vi) Proposed scheme provides signature for non-repudiation.

1. Introduction

5G (the fifth generation) networks, also known as next generation of 4G, is the newest standard of mobile telecommunication from 3GPP which is being deployed, providing high-speed network, big capacity, and scalability [1,2]. 5G networks have an efficient effect in energy consumption and provide a quality experience via a large number of communication devices [3]. End point devices transmit data and request for services through a small base station (SBS) and major base station (MBS) [1,4,5]. A device connects with SBS by using a high-band spectrum (5G mmWave) technology and device-to-device (D2D) communication, which is one of the key technologies of 5G networks [1,4,5]. Moreover, 5G combines and connects virtual systems to cloud environments through artificial intelligence and helps derive different calculating models [6]. 5G will totally change connected services and devices through higher reliability, connectivity, and cloud storage [6]. Because 5G network is a multi-server environment, conventional schemes for single server structure are not suitable [3]. Many reasons lead to multi-server environment requirements including load balance, expanded coverage, and security [3].

IoT becomes a focus because of being predicted to be an important component of 5G networks [1]. IoT applying 5G infrastructure changes application scenario in many fields especially real-time communication between machines, data, and people [7]. Moreover, 5G network can work with amount of IoT devices [7]. We can see a form of 5G-based IoT networks which assembles smart phone, virtual reality, sensors, and other numerous wireless communication devices [3]. As the result, IoT with 5G technology influences social life largely [3].

Nowadays, medical healthcare systems face many challenges, such as infrastructure, connections, professional requirements, data management, and real-time monitoring [8]. About 40% countries have less than one doctor for one thousand population and less than 18 sickbeds for ten thousand population according to global survey data from 2005 to 2015 [8,9]. 5G networks have expanded rapidly around the world including in healthcare [5]. Internet of things (IoT) with a 5G environment provides solutions for network layers, including enhancing quality of service, router and jamming control, and resource optimization, to solve some challenges of smart medical healthcare [1]. Lloret et al. utilized a smart phone to continuously monitor chronic patients in IoT with a 5G environment [10]. Chen et al. proposed a mobile medical system based on IoT with a 5G environment to continuously evaluate and monitor diabetes patients [11]. This augers a new and reliable business model of medical health with 5G technology. 5G and IoT will become important parts of the next generation smart medical healthcare [1].

Medical privacy is of the utmost importance. Once leaked, it not only brings huge economic losses and loss of credibility to hospitals and other related institutions, but also does potential harm to patients, and, more importantly, it can even endangers lives of patients, which will seriously damage the healthy development of medical industry [12]. Unfortunately, the healthcare industry has lagged to meet users’ expectations. The health data, which is stored in conventional system, are very difficult to share due to varying standards and data formats, i.e., current healthcare ecosystem is ill-suited for the instantaneous needs of modern user. Maintaining privacy of user data is very important and failure to this will result in implications related to financial as well as legal sectors [13]. If a person’s medical information is the key to finding clinical treatment, how to maintain the privacy of health records is a central issue that determines the success of medical practice. Increasingly, people interact with health-care providers, using digital media technologies [14,15,16]. Accompanying the acceleration of medical data collection are rapid advancements in algorithmic computing capacities to aggregate, analyze, and draw sensitive inferences about individuals from their health data [15,17,18,19].

Since the above description, federated anonymous identity management (FAIDM) for medical privacy protection in telemedicine systems is proposed in this paper, which can provide a secure way to protect medical privacy. There are some properties below. (i) The proposed scheme provides federated identity management which can manage identity of devices in a hierarchical structure efficiently. (ii) Identity authentication will be achieved by mutual authentication. (iii) The proposed scheme provides session key to secure transmitted data which is related to privacy of patients. (iv) The proposed scheme provides anonymous identities for devices in order to reduce the possibility of leaking transmitted medical data and real information of device and its owner. (v) If one of devices transmit abnormal data, the proposed scheme provides traceability for servers of medical institute. (vi) the proposed scheme provides signature for non-repudiation.

The rest of this paper is organized as follows. We introduce related works in Section 2, including telemedicine, healthcare certificate, ID-based cryptosystem, definitions of Chebyshev chaotic maps, and chaotic maps-based signature which we apply in our scheme. In Section 3, we describe the proposed scheme. We discuss the security and performance analysis of proposed scheme in Section 4 and Section 5, respectively. Finally, some concluding remarks are presented.

2. Related Works

In this section, we introduce telemedicine, Chebyshev chaotic maps, healthcare certificate, chaotic maps-based signature, and some related works.

2.1. Telemedicine

Telemedicine is a technology of electronic message and telecommunication related to healthcare [20,21]. The patient will send healthcare related information, which is important, sensitive, and private, to healthcare services through public networks when using telemedicine technology [21]. Medical professionals can know users’ health condition if they are able to view the information immediately [21]. Data transmission security will be discussed, such as eavesdropping, man-in-the-middle attack, data tempering attack, message modification attack, and data interception attack [22]. Technical support is not enough though Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and Safe Harbor Laws have been made which provide personal information privacy [22,23,24].

A general telemedicine system can be divided to three levels [25]. Level 1 (primary healthcare unit) consist of users with webcam, smart phone, or wearable devices; Level 2 (city or district hospital) is clinic or local hospital which patient may visit before being transferred to large hospital or medical center; Level 3 (specialty center) will take part in telemedicine in case of rare disease or incurable disease [25]. Figure 1 illustrates a remote patient monitoring system in 5G IoT architecture which can assist medical professional to monitor remote patient’s biodata through specific devices [2,25,26]. Mobile health plays an important role on medical healthcare monitoring and alarm system and clinical data storage and maintenance system. In remote patient monitoring systems, wearable devices and mobile phones belong to a sensor layer which is responsible for gathering measured data. Measured data is transmitted to network layer, IoT gateway for example, through small base station (SBS) communication. After that, data will be transmitted out of the local area network to major base station (MBS), such as 5G link, through MBS communication. Both the network layer and communication layer are responsible for data processing. Finally, data will be transmitted to a medical services servers of clinic or local hospital called architecture layer, such as an electronic health records (EHR) system, cloud storage, and analytics. Authorized medical professionals in the main hospital can access medical services servers to monitor a patient. Authorized medical professionals in specialty center will involve and observe measured data in case of rare disease or incurable disease.

In this paper, we introduced a cryptographic protocol which can be applied in asynchronous telemedicine and synchronous telemedicine and provide communication security and user anonymity to protect patient’s privacy.

2.2. Healthcare Certificate

Medical and healthcare devices nowadays are required certifications under safety and functional requirements [27]. Meanwhile, healthcare service providers should go through a certification procedure based on ISO 27000 and 20000 series in order to process healthcare data [27]. However, different kinds of healthcare devices have different safety and privacy requirements [27]. Establishing a general certification for all healthcare sectors is difficult [27]. One of the solutions to the problem would be to design segregated schemes with links between them, such as a healthcare certificate issued by a trusted institution [27]. All medical and healthcare devices should be issued certificates to proof that they are qualified in safety and functional requirements [27]. In other words, using certified components can be a requirement in medical and healthcare field.

2.3. ID-Based Cryptosystem

In 1985, Shamir introduced the concept of identity-based (ID-based) cryptosystem [28]. The main difference from traditional public key cryptosystem is that it derives the user’s public key from public information that uniquely identifies the user. Since it is meaningful information, we do not need any certificate to prove the validity of the corresponding public key. In 2002, Gentry et al. proposed hierarchical ID-based cryptography, also called HIDC [29]. The major purpose of Gentry et al.’s scheme is reducing the loading of private key generation (called PKG) and the risk of key escrow [29]. In the structure of HIDC, there is a key generation center at each level, and the one at the top level is root PKG. The root PKG is the third trusted center, and there will be legal sub-level key generation centers where users under the same domain register to. In 2009, Yan et al. discovered that HIDC was suitable for cloud computing and improved the register phase in order to achieve federated identity management because as more and more cloud service providers provide various cloud services via different interfaces, federal identity management becomes a rising issue [30]. The cloud service providers in Yan et al.’s scheme can compose an alliance, and users can sign on with one account and use various cloud services [30]. However, Yan et al.’s scheme [30] only proposed mutual authentication for security except for rules of identity authentication code, and it did not mention the possible security problems of cloud computing. Nevertheless, Yan et al.’s scheme [30] does not provide user anonymity. Park et al. [31] proposed an HIDC scheme for VANETs which provided vehicle user anonymity, but it is not suitable for cloud computing. Shen et al. introduced an HIDC scheme with time-bound and key management for multicast systems [32]. Fremantle and Aziz [33] proposed a cloud-based federal identity management mechanism for IoT, and Maria et al. [34] proposed a lightweight federal identity management mechanism for IoT. However, federal identity management in 5G IoT environment is still lack of discussions, not to mention telemedicine in a 5G IoT environment.

2.4. Chebyshev Chaotic Maps

The chaotic system is characterized by a sensitive dependence on initial conditions, pseudo-randomness, and ergodicity [35,36,37]. These features have the excellent properties of diffusion and confusion, which are important in cryptography [35,36]. Researchers have proposed image encryption in chaotic maps [38,39]. Definitions of Chebyshev chaotic maps are introduced below.

Definition 1.

The Chebyshev polynomial $T_n(x): [-1, 1]\to [-1, 1]$ is a polynomial in x of degree n, defined as $T_n(x)=\mathit{cos}({\mathit{ncos}}^{-1}(x))$.

Definition 2.

The recurrent relation of $T_n(x)$ is defined as $T_n(x)=2{\mathit{xT}}_{n-1}(x)-T_{n-2}(x)$ for any $n\ge 2$, $T_0(x)=1$, and $T_1(x)=x$.

Definition 3.

One of the most important properties of Chebyshev polynomials is semi-group property which establishes $T_r(T_s(x))=T_{\mathit{rs}}(x)=T_s{(T}_r(x))$ for any $(s, r)\in Z$ and $s\in [-1, 1]$. The interval [−1, 1] is invariant under the action of the map $T_n(x): [-1, 1]\to [-1, 1]$. Therefore, the Chebyshev polynomial restricted to the interval [−1, 1] is a well-known chaotic map for all n > 1. It has a unique continuous invariant measure with positive Lyapunov exponent ln n. For n = 2, Chebyshev maps reduces to well-known logistic maps.

Definition 4.

In order to enhance property of Chebyshev chaotic maps, Zhang [40] proved that the semi-group property holds for Chebyshev polynomials defined on interval $[-\infty , +\infty ]$. This paper utilizes the following enhanced Chebyshev polynomials.

$$T_n(x)=(2{\mathit{xT}}_{n-1}(x)-T_{n-2}(x)) \mathrm{mod} N$$

where $n\ge 2$, $x\in (-\infty , +\infty )$, and N is a large prime number. According to the equations, the semi-group property still holds, and the enhanced Chebyshev polynomials also commute.

$$T_r{(T}_s{(x)) \mathrm{mod} N = T}_{\mathit{rs}}{(x) \mathrm{mod} N=T}_s{(T}_r(x)) \mathrm{mod} N$$

Definition 5.

Chaotic maps-based discrete logarithm problem (CMDLP). Given two elements x and y, it is computationally infeasible to find the integer n such that $T_n(x) \mathrm{mod} N = y$.

Definition 6.

Chaotic maps-based Diffie-Hellman problem (CMDHP). Given three elements x, $T_r(x) \mathrm{mod} N$, and $T_s(x) \mathrm{mod} N$, it is computationally infeasible to compute $T_{\mathit{rs}}(x) \mathrm{mod} N$.

2.5. Chaotic Maps-Based Signature

Chebyshev chaotic maps has been utilized not only in authentication, key agreement schemes but signature schemes. Chain and Kuo first proposed a digital signature scheme based on chaotic maps [41]. Several signature schemes based on chaotic maps have been proposed recently. For example, Tahat and Hijazi [42] proposed an enhanced signature scheme to improve Chain and Kuo’s [41]; Tahat et al. proposed an ID-based cryptographic model for Chebyshev chaotic maps to demonstrate the transformation model of ID-based schemes [43]; Tahat et al. proposed an ID-based blind signature based on chaotic maps [44]. Meshram et al. focused on online/offline short signature schemes and proposed schemes using chaotic maps [45], such as ID-based short signature scheme and subtree-based short signature scheme for wireless sensor network [46]. In this paper, we apply Meshram et al.’s ID-based online short signature scheme [45].

3. Proposed Scheme

In this paper, we proposed a FAIDM for medical privacy protection in 5G telemedicine systems. The notations of the scheme are shown as

Table 1. Notations of the proposed scheme.

Notations	Definitions
$s_0$	The secrete value of remote server node S
$s_i$	The secrete value of ith gateway node (${\mathit{GW}}_i$)
$s_{\mathit{ij}}$	The secrete value of ijth constrained node (${\mathit{CN}}_{\mathit{ij}}$)
$S_i$	Private key of ${\mathit{GW}}_i$ after registering to remote server node
$S_{\mathit{ij}}$	Private key of ${\mathit{CN}}_{\mathit{ij}}$ after registering to ${\mathit{GW}}_i$
${\mathit{aS}}_{\mathit{ij}}$	${\mathit{CN}}_{\mathit{ij}}$’s anonymous private key issued by ${\mathit{GW}}_i$
${\mathit{ID}}_i, {\mathit{ID}}_{\mathit{ij}}, {\mathit{aID}}_{\mathit{ij}}$	Identity of ${\mathit{GW}}_i$, ${\mathit{CN}}_{\mathit{ij}}$, and ${\mathit{CN}}_{\mathit{ij}}$’s anonymous identity
$Q_0, Q_i, Q_{\mathit{ij}}, Q_{{\mathit{aID}}_{\mathit{ij}}}$	Public parameters of generated by secrete values
${\mathit{sk}}_{{\mathit{GW}}_i\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$	The session key of ${\mathit{CN}}_{\mathit{ij}}$ and ${\mathit{GW}}_i$
$H_1(.), H_2(.), H_3(.)$	Collision-resistance one-way hash functions
$h_K(.)$	Collision-resistance secure one-way chaotic hash function using K as the key
$E_k(.), D_k(.)$	The symmetric encryption and decryption using $k$ as the key
${\mathit{MAC}}_{{\mathit{GW}}_i}, {\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}$	The message authentication code algorithm of ${\mathit{GW}}_i$ and ${\mathit{CN}}_{\mathit{ij}}$
${\mathit{Cert}}_{\mathit{HCA}\to S}$	The certification issued by healthcare certification authority to remote server node S.
${\mathit{Cert}}_{S\to {\mathit{GW}}_i}$	The certification issued by remote server node S to ${\mathit{GW}}_i$ which is generate from ${\mathit{Cert}}_{\mathit{HCA}\to S}$.
${\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}}$	The certification issued by ${\mathit{GW}}_i$ to ${\mathit{CN}}_{\mathit{ij}}$ which is generate from ${\mathit{Cert}}_{S\to {\mathit{GW}}_i}$.

. The system structure of proposed scheme includes remote server node, gateway node (${\mathit{GW}}_i$), and constrained node (${\mathit{CN}}_{\mathit{ij}}$). A constrained node is in a sensor layer of a proposed 5G IoT remote patient monitoring system structure and can be in devices which gather measured data, such as sensors or wearable devices that can be carried by a human. The role of these devices consists of monitoring or sensing the environment, so they collect and transmit data to gateway nodes. For example, in a healthcare application, sensors can be planted in or on a human’s body in order to collect health-related data. Gateway nodes, which are SBSs/MBSs, are in the network or communication layers of the proposed 5G IoT remote patient monitoring system structure, and it can be assumed that the gateway nodes have enough energy resources, performance processors, and memory. Gateway nodes process received data collected by the different constrained nodes and forward the to the remote server node. Remote server node is in architecture layer of proposed 5G IoT remote patient monitoring system structure and can be assumed that remote server node has no limitations of computing resource. Medical professionals in the architecture layer can continuously follow a patient’s health status based on data received. Note that the interaction between communication and the architecture layer should be secure which may be guaranteed by functions in the core network, such as authentication server function (AUSF), authentication credential repository and processing function (ARPF), subscription identifier de-concealing function (SIDF), and security anchor function (SEAF) [47,48], but secure communication between these two layers is not discussed in our scheme. The remote server node takes part in the system initialization and generating system parameters. A constrained node has to register to any legitimate gateway node for becoming legitimate. A gateway node has to register to the remote server node for becoming legitimate. When a patient wears a wearable healthcare device and goes home from hospital, the device transmits measured data through an IoT gateway (${\mathit{GW}}_t$) at home which is in different domain from hospital. The system structure is show as Figure 2.

The proposed scheme consists of seven phases: System initialization phase, gateway node registration phase, constrained node registration phase, mutual authentication and key agreement phase, anonymous identity distribution phase, and anonymous signature and verification phase. The notations of proposed scheme are shown in Table 1.

Before system initialization phase, the healthcare services provider needs to apply for certificates ${\mathit{Cert}}_{\mathit{HCA}\to S}$ from healthcare certification authority before providing healthcare services. The healthcare certification authority should be a credible and dependent institute, such as National Health Service Business Services Authority (NHSBSA) of United Kingdom [49], European Federation Gateway Service (EFGS) of European Commission [50], American Hospital Association Certification Center (AHA-CC) of USA [51], Pharmaceuticals and Medical Devices Agency (PMDA) of Ministry of Health, Labor and Welfare, Japan [52], or Healthcare Certification Authority (HCA) of Ministry of Health and Welfare, Taiwan [53]. The certificate ${\mathit{Cert}}_{\mathit{HCA}\to S}$ is regarded as the root certificate in the system, and only certified healthcare services provider can obtain ${\mathit{Cert}}_{\mathit{HCA}\to S}$.

3.1. System Initialization Phase

In the remote server node initial phase, the remote server node S, which provides telemedicine services and is certified by healthcare certification authority, sets up parameters by performing following steps.

Step 1: The healthcare certification authority issues a certificate ${\mathit{Cert}}_{\mathit{HCA}\to S}$ to remote server node S which provides telemedicine services and is certified by healthcare certification authority.

Step 2: The remote server node S generates a secret value $s_0$, a big prime p, and random number $x\in (-\infty , +\infty )$ and computes $Q_0=T_{s_0}(x) \mathrm{mod} p$.

Step 3: The remote server node S choses a symmetric encryption algorithm $E_k(.)$, a symmetric decryption algorithm $D_k(.)$, collision-resistance one-way hash functions ($H_1(.), H_2(.), H_3(.)$), and a collision-resistance secure one-way chaotic hash function $h_k$(.).

Step 4: The remote server node S outputs public parameters $\{Q_0, p, x, H_1(.), H_2(.), H_3(.), h_k(.), E_k(.), D_k(.)\}$ and private parameters $s_0$.

Step 5: The gateway node ${\mathit{GW}}_i$ generates two large random primes ($p_i$, $q_i$), $N_i$, and ${\phi }_i$ as follows. Then, the gateway node ${\mathit{GW}}_i$ selects a random integer $e_i$, where $1<e_i<{\phi }_i$ and gcd ($e_i$, ${\phi }_i$) = 1, and makes it public. After that, the gateway node ${\mathit{GW}}_i$ computes $d_i$, where $1<d_i<{\phi }_i$ and $e_i{d}_i\equiv 1 (\mathrm{mod} {\phi }_t)$ and keeps it secretly.

3.2. Gateway Node Registration Phase

In this phase, gateway node ${\mathit{GW}}_i$ interacts with remote server node S for registration. To deal with the registration request submitted by the gateway node ${\mathit{GW}}_i$, the remote server node S validates the gateway node ${\mathit{GW}}_i$’s legitimacy then issues the private key $S_i$ and certificate ${\mathit{Cert}}_{S\to {\mathit{GW}}_i}$ via a secure channel. Note that remote server node S computes a private key by gateway node ${\mathit{GW}}_i$’s registration information. Figure 3. illustrates process of gateway node registration phase. Detailed descriptions are stated as follows:

Step 1: The gateway node ${\mathit{GW}}_i$ chooses an identifier ${\mathit{ID}}_i$ and submits to remote server node S.

Step 2: Upon receiving ${\mathit{ID}}_i$ from gateway node ${\mathit{GW}}_i$, remote server node checks the format of ${\mathit{ID}}_i$. If ${\mathit{ID}}_i$ is valid, remote server node S computes $S_i$ correspond to ${\mathit{ID}}_i$, generates ${\mathit{Cert}}_{S\to {\mathit{GW}}_i}$ from ${\mathit{Cert}}_{\mathit{HCA}\to S}$, and sends ($S_i$, ${\mathit{Cert}}_{S\to {\mathit{GW}}_i}$) via secure channel to the gateway node ${\mathit{GW}}_i$.

$$P_i=H_1({\mathit{ID}}_i)$$

(1)

$$S_i=T_{s_0}(P_i) \mathrm{mod} p$$

(2)

Step 3: The gateway node ${\mathit{GW}}_i$ chooses a random number $s_i$ as secret value and computed $Q_i$ and stores ${\mathit{Cert}}_{S\to {\mathit{GW}}_i}$ to complete gateway node registration phase.

$$Q_i=T_{s_i}(x) \mathrm{mod} p$$

(3)

3.3. Constrained Node Registration Phase

The constrained node ${\mathit{CN}}_{\mathit{ij}}$ submits registration information to gateway node ${\mathit{GW}}_i$ in this phase. The gateway node ${\mathit{GW}}_i$ verifies the constrained node ${\mathit{CN}}_{\mathit{ij}}$’s legitimacy then issues private key $S_{\mathit{ij}}$ and certificate ${\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}}$ to complete this phase. Note that the gateway node ${\mathit{GW}}_i$ computes private key $S_{\mathit{ij}}$ by constrained node ${\mathit{CN}}_{\mathit{ij}}$’s registration information. Figure 4. illustrates process of constrained node registration phase. Detailed descriptions are stated as follows:

Step 1: Constrained node ${\mathit{CN}}_{\mathit{ij}}$ chooses an identifier ${\mathit{ID}}_{\mathit{ij}}$ and a random number $s_{\mathit{ij}}$ as his own secret, computes $Q_{\mathit{ij}}$, and sends (${\mathit{ID}}_{\mathit{ij}}$, $Q_{\mathit{ij}}$) to gateway node ${\mathit{GW}}_i$.

$$Q_{\mathit{ij}}=T_{s_{\mathit{ij}}}(x) \mathrm{mod} p$$

(4)

Step 2: Upon receiving ${\mathit{ID}}_{\mathit{ij}}$ from constrained node ${\mathit{CN}}_{\mathit{ij}}$, gateway node ${\mathit{GW}}_i$ checks the format of ${\mathit{ID}}_{\mathit{ij}}$. If ${\mathit{ID}}_{\mathit{ij}}$ is valid, gateway node ${\mathit{GW}}_i$ computes private key $S_{\mathit{ij}}$ correspond to ${\mathit{ID}}_{\mathit{ij}}$, generates ${\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}}$ from ${\mathit{Cert}}_{S\to {\mathit{GW}}_i}$, and sends ($S_{\mathit{ij}}$, ${\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}}$) to constrained node ${\mathit{CN}}_{\mathit{ij}}$ via secure channel.

$$P_{\mathit{ij}}=H_2(Q_{\mathit{ij}},{\mathit{ID}}_i)$$

(5)

$$S_{\mathit{ij}}=S_i{T}_{s_i}{(P}_{\mathit{ij}}) \mathrm{mod} p$$

(6)

Step 3: The constrained node ${\mathit{CN}}_{\mathit{ij}}$ stores ($S_{\mathit{ij}}$, ${\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}}$) to complete the constrained node registration phase.

3.4. Mutual Authentication and Key Agreement Phase

After the constrained node joins the remote server node alliance as a remote server node member, it can use the services not only provided by the registered services provider but also other services provider in the same remote server node alliance. When the constrained node applies for remote server node services, the gateway node and constrained node will executive mutual authentication to ensure the further interaction between the gateway node and constrained node is secure and validated. Figure 5. illustrates process of mutual authentication and key agreement phase. Detailed descriptions are stated as follows:

Step 1 Constrained node ${\mathit{CN}}_{\mathit{ij}}$ chooses a random number $a_{\mathit{ij}}$, computes ${\mu }_{\mathit{ij}}$ and $C_t$, and sends ($C_t, {\mathit{ID}}_{\mathit{ij}}$) to gateway node ${\mathit{GW}}_t$.

$${\mu }_{\mathit{ij}}=T_{s_{\mathit{ij}}}{(a}_{\mathit{ij}}) \mathrm{mod} p$$

(7)

$$C_t={(T}_{e_t}{(\mu }_{\mathit{ij}}{\left|\right|a}_{\mathit{ij}}{\left|\right|\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}}{) \mathrm{mod} p)P}_t$$

(8)

Step 2: Upon receiving ($C_t, {\mathit{ID}}_{\mathit{ij}}$), gateway node ${\mathit{GW}}_t$ obtains ${(\mu }_{\mathit{ij}}{\left|\right|a}_{\mathit{ij}}{\left|\right|\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}})$ by decrypting $P_t$ and verifies ${\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}}$ is valid. If ${\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}}$ is valid, gateway node ${\mathit{GW}}_t$ progresses to steps below, or gateway node ${\mathit{GW}}_t$ abandons request.

$${(\mu }_{\mathit{ij}}{\left|\right|a}_{\mathit{ij}}{\left|\right|\mathit{Cert}}_{{\mathit{GW}}_i\to {\mathit{CN}}_{\mathit{ij}}}={)(T}_d{(C}_t{) \mathrm{mod} p)/P}_t$$

(9)

Step 3: Gateway node ${\mathit{GW}}_t$ computes (${\omega }_t$, ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$, $P_i$, $P_{\mathit{ij}}$, $P_t$, $K$, ${\mathit{MAC}}_{{\mathit{GW}}_t}$) and sends (${\mathit{MAC}}_{{\mathit{GW}}_t}, {\omega }_t$) to the constrained node ${\mathit{CN}}_{\mathit{ij}}$.

$${\omega }_t=T_{s_t}{(a}_{\mathit{ij}}) \mathrm{mod} p$$

(10)

$${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}=H_3{(T}_{s_t}{(\mu }_{\mathit{ij}}) \mathrm{mod} p)$$

(11)

$$P_i=H_2{(\mathit{ID}}_i)$$

(12)

$$P_{\mathit{ij}}=H_2{(Q}_{\mathit{ij}}{, \mathit{ID}}_i)$$

(13)

$$P_t=H_1{(\mathit{ID}}_t)$$

(14)

$$K=(P_i{\left|\right|Q}_0)⨁{(P}_{\mathit{ij}}{\left|\right|Q}_i)⨁{(P}_t{\left|\right|Q}_{\mathit{ij}})⨁{(\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}\left|\right|{\omega }_t)$$

(15)

$${\mathit{MAC}}_{{\mathit{GW}}_t}=h_K{(P}_t{, P}_{\mathit{ij}}{, \mu }_{\mathit{ij}})$$

(16)

Step 4: Upon receiving (${\mathit{MAC}}_{{\mathit{GW}}_t}, {\omega }_t$), constrained node ${\mathit{CN}}_{\mathit{ij}}$ computes (${{\mathit{sk}}^{\prime }}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$, $K^{\prime }$) and verifies ${\mathit{MAC}}_{{\mathit{GW}}_t}$. If result of verification is true, constrained node ${\mathit{CN}}_{\mathit{ij}}$ computes ${\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}$ and sends ${\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}$ to gateway node ${\mathit{GW}}_t$.

$${{\mathit{sk}}^{\prime }}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}=H_3{(T}_{s_{\mathit{ij}}}({\omega }_t) \mathrm{mod} p)$$

(17)

$$K^{\prime }=(P_i{\left|\right|Q}_0)⨁{(P}_{\mathit{ij}}{\left|\right|Q}_i)⨁{(P}_t{\left|\right|Q}_{\mathit{ij}})⨁{({\mathit{sk}}^{\prime }}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}\left|\right|{\omega }_t)$$

(18)

$$h_{K^{\prime }}{(P}_t{, P}_{\mathit{ij}}{, \mu }_{\mathit{ij}}{) ?= \mathit{MAC}}_{{\mathit{GW}}_t}$$

(19)

$${\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}=h_{{{\mathit{sk}}^{\prime }}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{(P}_{\mathit{ij}}{, P}_t, {\omega }_t)$$

(20)

Step 5: Upon receiving ${\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}$, gateway node ${\mathit{GW}}_t$ verifies ${\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}$. If the result of verification is true, mutual authentication and key agreement is completed.

$$h_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{(P}_{\mathit{ij}}{, P}_t, {\omega }_t{) ?=\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}$$

(21)

3.5. Anonymous Identity Distribution Phase

If the constrained node needs an anonymous identity for some remote server node services, the gateway node will generate an anonymous identity and the corresponding private key for constrained node according to the registration information. Note that anonymous identity will compute by adding constrained node’s ID to ensure their connection. Figure 6. illustrates process of anonymous identity distribution phase. Detailed descriptions are stated as follows:

Step 1: Gateway node ${\mathit{GW}}_t$ generates a random number $t_t$, uses session key ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$ to encrypt ${\mathit{ID}}_{\mathit{ij}}$ and $t_t$, and generates and sends pseudonym ${\mathit{aID}}_{\mathit{ij}}$ to constrained node ${\mathit{CN}}_{\mathit{ij}}$.

$${\mathit{aID}}_{\mathit{ij}}=E_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{(\mathit{ID}}_{\mathit{ij}}{\left|\right|t}_t)$$

(22)

Step 2: Upon receiving ${\mathit{aID}}_{\mathit{ij}}$, constrained node ${\mathit{CN}}_{\mathit{ij}}$ computes $P_{{\mathit{aID}}_{\mathit{ij}}}$ and $Q_{{\mathit{aID}}_{\mathit{ij}}}$ and sends $Q_{{\mathit{aID}}_{\mathit{ij}}}$ to gateway node ${\mathit{GW}}_t$.

$$P_{{\mathit{aID}}_{\mathit{ij}}}=H_1{(\mathit{ID}}_t{\left|\right|\mathit{aID}}_{\mathit{ij}})$$

(23)

$$Q_{{\mathit{aID}}_{\mathit{ij}}}=E_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{(\mathit{ID}}_t{\left|\right|P}_{{\mathit{aID}}_{\mathit{ij}}})$$

(24)

Step 3: After receiving $Q_{{\mathit{aID}}_{\mathit{ij}}}$, gateway node ${\mathit{GW}}_t$ decrypts $Q_{{\mathit{aID}}_{\mathit{ij}}}$ with ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$ and checks $P_{{\mathit{aID}}_{\mathit{ij}}}$ using ${\mathit{ID}}_t$ and ${\mathit{aID}}_{\mathit{ij}}$. If it holds, gateway node ${\mathit{GW}}_t$ computes ${\mathit{aS}}_{\mathit{ij}}$ and encrypts ${\mathit{aS}}_{\mathit{ij}}$ with ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$. Then, gateway node ${\mathit{GW}}_t$ encrypts ${(C, P}_t)$ to ${{\mathit{MAC}}^{\prime }}_{{\mathit{GW}}_t}$ and sends ${{\mathit{MAC}}^{\prime }}_{{\mathit{GW}}_t}$ to constrained node ${\mathit{CN}}_{\mathit{ij}}$.

$${(\mathit{ID}}_t{\left|\right|P}_{{\mathit{aID}}_{\mathit{ij}}}{)=D}_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{(Q}_{{\mathit{aID}}_{\mathit{ij}}})$$

(25)

$$H_1{(\mathit{ID}}_t{\left|\right|\mathit{aID}}_{\mathit{ij}}{) ?=P}_{{\mathit{aID}}_{\mathit{ij}}}$$

(26)

$${\mathit{aS}}_{\mathit{ij}}{=S}_t{T}_{s_t}{(P}_t) \mathrm{mod} p$$

(27)

$${C=E}_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{(\mathit{aS}}_{\mathit{ij}})$$

(28)

$${{\mathit{MAC}}^{\prime }}_{{\mathit{GW}}_t}{=E}_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{(C, P}_t)$$

(29)

Step 4: Upon receiving ${{\mathit{MAC}}^{\prime }}_{{\mathit{GW}}_t}$, gateway node ${\mathit{GW}}_t$ verifies ${\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}$. If result of verification is true, gateway node ${\mathit{GW}}_t$ obtain ${\mathit{aS}}_{\mathit{ij}}$ by decrypting C, and anonymous identity distribution phase is completed.

$${(C, P^{\prime }}_t{)=D}_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{({\mathit{MAC}}^{\prime }}_{{\mathit{GW}}_t})$$

(30)

$$H_1{(\mathit{ID}}_t{) ?=P^{\prime }}_t$$

(31)

$${\mathit{aS}}_{\mathit{ij}}{=D}_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}(C)$$

(32)

3.6. Anonymous Signature and Verification Phase

Gateway node ${\mathit{GW}}_t$ (verifier) receives and verifies message with signature generated by anonymous private key ${\mathit{aS}}_{\mathit{ij}}$ using verification function. Figure 7. illustrates process of anonymous signature and verification phase. Detailed descriptions are stated as follows:

Step 1: Constrained node ${\mathit{CN}}_{\mathit{ij}}$ chooses a random number $R_{\mathit{ij}} \in { Z}_q^{*}$, computes ($W_{\mathit{ij}}$, $V_{\mathit{ij}}$, $t_{\mathit{ij}}$) for further computation.

$$W_{\mathit{ij}}{=T}_{R_{\mathit{ij}}}(x) \mathrm{mod} p$$

(33)

$$V_{\mathit{ij}}{=H}_1{(W}_{\mathit{ij}}{\left|\right|\mathit{aID}}_{\mathit{ij}}{\left|\right|\mathit{aS}}_{\mathit{ij}})$$

(34)

$$t_{\mathit{ij}}{=R}_{\mathit{ij}}{V}_{\mathit{ij}} \mathrm{mod} p$$

(35)

Step 2: Constrained node ${\mathit{CN}}_{\mathit{ij}}$ chooses a random number $L_{\mathit{ij}} \in { Z}_p^{*}$ so that $L_{\mathit{ij}\_g}$ is the gth bit of $L_{\mathit{ij}}$. Then, constrained node ${\mathit{CN}}_{\mathit{ij}}$ computes ($O_{\mathit{ij}}$, $b_{\mathit{ij}}$) to obtain $Y_{\mathit{ij}}$ and ${\eta }_{\mathit{ij}}$, generates signature with signature ${\sigma }_{\mathit{ij}}$, and sends ${\sigma }_{\mathit{ij}}$ to gateway node ${\mathit{GW}}_t$.

$$O_{\mathit{ij}}={{\displaystyle \prod }}_{p=1}^{g_1}{Q^{\prime }}_{g-1}$$

(36)

$$b_{\mathit{ij}}{=H}_1{(Q, W}_{\mathit{ij}}, M)$$

(37)

$$Y_{\mathit{ij}}{=L}_{\mathit{ij}}{b}_{\mathit{ij}}{t}_{\mathit{ij}} \mathrm{mod} p$$

(38)

$${\eta }_{\mathit{ij}}{=T}_{Y_{\mathit{ij}}}(x) \mathrm{mod} p$$

(39)

$${\sigma }_{\mathit{ij}}{=(Q, W}_{\mathit{ij}}{, Y}_{\mathit{ij}})$$

(40)

Step 3: Upon receiving signature ${\sigma }_{\mathit{ij}}$, gateway node ${\mathit{GW}}_t$ verifies signature ${\sigma }_{\mathit{ij}}$. If ${{\eta }^{\prime }}_{\mathit{ij}}$ holds, signature is accepted.

$${{\eta }^{\prime }}_{\mathit{ij}}{=O}_{\mathit{ij}}{T}_{b_{\mathit{ij}}}{(W}_{\mathit{ij}}{)T}_{b_{\mathit{ij}}{V}_{\mathit{ij}}}{(\mathit{aS}}_{\mathit{ij}}) \mathrm{mod} p$$

(41)

4. Security Analysis

We present formal verification using BAN logic [54] and theoretical analyses to prove that proposed scheme can achieve security properties and resist potential common attacks.

4.1. Formal Verification Using BAN Logic

BAN logic has become a widely accepted and well-known logical methodology for analyzing security of schemes [54,55,56,57,58,59,60,61,62,63,64,65]. The goal of BAN logic is to verify the exchanged information and the belief relationship among communicating parties and analyze protocols by deriving beliefs to proof that honest and legitimate parties can correctly execute and complete a protocol [54,66,67,68]. We apply BAN logic [54] to prove the authenticity of our scheme. The notations used in BAN logic [54] analysis are defined as follows. P and Q are principles, X and Y are statements, C is channel, r and w are set of readers and writers respectively, and K is encryption key. P|$\equiv$X denotes that P believes X; P|~X denotes that P once said X; C(X) means that X is transited via channel C; r(C) and w(C) denotes as the set of readers and writers of C respectively. P$⊲$C(X) means that P sees C(X). X is transited via C and can be observed by P, and P must be a reader of C to read X. P$⊲$X|C means that P sees X via C. (X)_K denotes that X is encrypted with the key K. P$\stackrel{K}{\leftrightarrow }$Q means that P and Q can establish a secure communication channel by using K. The logical postulates in BAN logic [54] are described using rules below.

Rule 1. $\frac{P⊲C(X), P\in r(C)}{P|\equiv (P⊲X|C), P⊲X}$: If P receives and reads X via C, then P believes that X has arrived on C and P sees X.

Rule 2. $\frac{P⊲C(X, Y)}{P⊲X, P⊲Y}$: If P sees a hybrid message (X, Y), then P sees X and Y separately.

Rule 3. $\frac{P|\equiv (w(C) = \{P, Q\})}{P|\equiv (P⊲X|C)\to Q|~X}$: If P believes that C can only be written by P and Q, then P believes that if P receives X via C, then Q said X.

Rule 4. $\frac{P|\equiv (Q|~(X, Y))}{P|\equiv (Q|~X), P\equiv (Q|~Y)}$: If P believes that Q said a hybrid message (X, Y), then P believes that Q has said X and Y separately.

Rule 5. $\frac{P|\equiv ({\stackrel{s_{\mathit{ij}}}{\to }}_{\mathit{ECMDH}(\mathit{sec}\mathit{ret})}P), P|\equiv ({\stackrel{{\omega }_t}{\to }}_{\mathit{ECMDH}(\mathit{public})}Q)}{P|\equiv (P\stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }Q)}$: If P believes that $s_{\mathit{ij}}$ is its extended chaotic maps-based Diffie–Hellman secret and that ${\omega }_t$ is the extended chaotic maps-based Diffie–Hellman component from Q, then P believes that ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$ is the symmetric key shared between P and Q.

Rule 6. $\frac{P|\equiv (Q|~X), P|\equiv \#(X)}{P|\equiv (Q|~X)}$: If P believes that another Q said X and P also believes that X is fresh, then P believes that Q has recently said X.

Rule 7. $\frac{P|\equiv \#(X)}{P|\equiv \#(X, Y)}$: If P believes that a part of a mixed message X is fresh, then it believes that the whole message (X, Y) is fresh.

Rule 8. $\frac{P|\equiv {(\Phi }_1\to {\Phi }_2), P|\equiv {\Phi }_1}{P|\equiv {\Phi }_2}$: If P believes that Φ₁ implies Φ₂ and P believes that Φ₁ is true, then P believes that Φ₂ is true.

The proposed scheme is described in logic as below.

Step 1. ${\mathit{GW}}_t⊲$ (${\stackrel{{\mu }_{\mathit{ij}}}{\to }}_{\mathit{ECMDH}(\mathit{public})}{\mathit{CN}}_{\mathit{ij}}$, $C_{{\mathit{GW}}_t{, \mathit{CN}}_{\mathit{ij}}}$(${{(P}_t{, P}_{\mathit{ij}}{, \mathsf{\mu }}_{\mathit{ij}})}_K$)

Step 2. ${\mathit{CN}}_{\mathit{ij}}⊲$ (${\stackrel{{\mathsf{\omega }}_t}{\to }}_{\mathit{ECMDH}(\mathit{public})}{\mathit{GW}}_t$, $C_{{\mathit{CN}}_{\mathit{ij}}{, \mathit{GW}}_t}{{(P}_{\mathit{ij}}{, P}_t{, \omega }_t)}_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}},$ ${\omega }_t$)

Table 2. Assumptions of logic of the proposed scheme.

Assumptions	Definitions
A1. A $\in$ r(CA, B)	A can read from the channel CA, B.
A2. A |$\equiv$ (w(CA, B) = {A, B})	A believes that A and B can write on CA, B.
A3. A |$\equiv$ (B|~$\mathsf{\Phi }\to \mathsf{\Phi }$)	A believes that B only says what it believes.
A4. A |$\equiv$ #(NA)	A believes that NA is fresh.
A5. A |$\equiv$ (${\stackrel{s_{\mathit{ij}}}{\to }}_{\mathit{ECMDH}(\mathit{secret})}$A)	A believes that $s_{\mathit{ij}}$ is its extended chaotic maps-based Diffie-Hellman secret.

lists used assumptions, where A and B are ${\mathit{CN}}_{\mathit{ij}}$ and ${\mathit{GW}}_t$, but A $\ne$ B.

Based on to the assumptions and logical analyses, the proposed scheme must realize goals in

Table 3. Goals of the proposed scheme.

Goals	Definitions
G1. ${\mathit{CN}}_{\mathit{ij}}$ |$\equiv$ (${\mathit{CN}}_{\mathit{ij}}$ $\stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }{\mathit{GW}}_t$)	Constrained node ${\mathit{CN}}_{\mathit{ij}}$ believes that ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}=H_3(T_{s_t}({\mu }_{\mathit{ij}}) \mathrm{mod} p)$ is a symmetric key shared between participants ${\mathit{CN}}_{\mathit{ij}}$ and ${\mathit{GW}}_t$.
G2. ${\mathit{GW}}_t$ |$\equiv$ (${\mathit{CN}}_{\mathit{ij}}$ $\stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }{\mathit{GW}}_t$)	Gateway node ${\mathit{GW}}_t$ believes that ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}=H_3(T_{s_t}({\mu }_{\mathit{ij}}) \mathrm{mod} p)$ is a symmetric key shared between participants ${\mathit{CN}}_{\mathit{ij}}$ and ${\mathit{GW}}_t$.
G3. ${\mathit{CN}}_{\mathit{ij}}$ |$\equiv$ ${\mathit{GW}}_t$ |$\equiv$ (${\mathit{CN}}_{\mathit{ij}}$ $\stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }{\mathit{GW}}_t$)	Constrained node ${\mathit{CN}}_{\mathit{ij}}$ believes that Sj is convinced of ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}=H_3(T_{s_t}({\mu }_{\mathit{ij}}) \mathrm{mod} p)$. is a symmetric key shared between ${\mathit{CN}}_{\mathit{ij}}$ and ${\mathit{GW}}_t$
G4. ${\mathit{GW}}_t$ |$\equiv$ ${\mathit{CN}}_{\mathit{ij}}$ |$\equiv$ (${\mathit{CN}}_{\mathit{ij}}$ $\stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }{\mathit{GW}}_t$)	Gateway node ${\mathit{GW}}_t$ believes that U is convinced of ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}=H_3{(T}_{s_t}({\mu }_{\mathit{ij}}) \mathrm{mod} p)$ is a symmetric key shared between ${\mathit{CN}}_{\mathit{ij}}$ and ${\mathit{GW}}_t$.

.

To accomplish the Goal 1, we have Equations (42) and (43). Equations (42) and (43) must hold because of Rule 5 and A5.

$${\mathit{CN}}_{\mathit{ij}} |\equiv ({\stackrel{s_{\mathit{ij}}}{\to }}_{\mathit{ECMDH}(\mathit{secret})}{\mathit{CN}}_{\mathit{ij}})$$

(42)

$${\mathit{CN}}_{\mathit{ij}} |\equiv ({\stackrel{{\omega }_t}{\to }}_{\mathit{ECMDH}(\mathit{public})}{\mathit{GW}}_t)$$

(43)

Next, we have Equations (44) and (45) that must hold because of A3 and Rule 8 to accomplish Equation (43).

$${\mathit{CN}}_{\mathit{ij}} |\equiv ({\stackrel{{\omega }_t}{\to }}_{\mathit{ECMDH}(\mathit{public})}{\mathit{GW}}_t, C_{{\mathit{CN}}_{\mathit{ij}}{, \mathit{GW}}_t}{{(P}_{\mathit{ij}}{, P}_t, {\omega }_t)}_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}},{\omega }_t) \to ({\stackrel{{\omega }_t}{\to }}_{\mathit{ECMDH}(\mathit{public})}{\mathit{GW}}_t)$$

(44)

$${\mathit{CN}}_{\mathit{ij}} |\equiv ({\mathit{GW}}_t |~{\stackrel{{\omega }_t}{\to }}_{\mathit{ECMDH}(\mathit{public})}{\mathit{GW}}_t)$$

(45)

We have Equation (46) which must hold because of Rule 6 and 7 and A4 to accomplish Equation (45).

$${\mathit{CN}}_{\mathit{ij}} |\equiv \#({\stackrel{{\omega }_t}{\to }}_{\mathit{ECMDH}(\mathit{public})}{\mathit{GW}}_t)$$

(46)

We have Equations (47)–(49) which must hold because of Rule 1, 2, and 3, and A1 and A2 to accomplish Equation (46).

$${\mathit{CN}}_{\mathit{ij}} \in r(C_{{\mathit{GW}}_t{, \mathit{CN}}_{\mathit{ij}}})$$

(47)

$${\mathit{CN}}_{\mathit{ij}} |\equiv (w(C_{{\mathit{GW}}_t{, \mathit{CN}}_{\mathit{ij}}})=\{{\mathit{CN}}_{\mathit{ij}}, {\mathit{GW}}_t\})$$

(48)

$${\mathit{CN}}_{\mathit{ij}} |\equiv ⊲C_{{\mathit{GW}}_t{, \mathit{CN}}_{\mathit{ij}}}({\stackrel{{\omega }_t}{\to }}_{\mathit{ECMDH}(\mathit{public})}{\mathit{GW}}_t)$$

(49)

We have the proposed scheme realizes that G1 is achieved by using Rule 5. Similarly, we have that the proposed scheme realizes G2 by using the same arguments of G1.

We have Equations (50) and (51) which must hold because of Rule 3 and A3 to accomplish G3.

$${\mathit{CN}}_{\mathit{ij}} |\equiv ({\mathit{GW}}_t|~({\mathit{CN}}_{\mathit{ij}}\stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }{\mathit{GW}}_t)\to {\mathit{GW}}_t |\equiv ({\mathit{CN}}_{\mathit{ij}} \stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }{\mathit{GW}}_t))$$

(50)

$${\mathit{CN}}_{\mathit{ij}} |\equiv ({\mathit{GW}}_t|~({\mathit{CN}}_{\mathit{ij}} \stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }{\mathit{GW}}_t)$$

(51)

We have Equations (51) and (52) which must hold because of Rule 6 and 7 and A4 to accomplish Equation (51).

$${\mathit{CN}}_{\mathit{ij}} |\equiv \#({\mathit{CN}}_{\mathit{ij}} \stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }{\mathit{GW}}_t)$$

(52)

We have Equations (47), (48), and (53) which must hold because of Rule 1, 2, and 3, and A1 and A2 to accomplish Equation (53).

$${\mathit{CN}}_{\mathit{ij}} ⊲C_{{\mathit{CN}}_{\mathit{ij}}{, \mathit{GW}}_t}({\mathit{CN}}_{\mathit{ij}} \stackrel{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{\leftrightarrow }{\mathit{GW}}_t)$$

(53)

Thus, the proposed scheme realizes G3 is achieved. Similarly, using the same arguments of G3, the proposed scheme realizes G4. Therefore, the proposed scheme realizes G1, G2, G3, and G4.

4.2. Theoretical Analyses

We present theoretical analyses to prove that proposed scheme can achieve security properties and resist potential common attacks.

4.2.1. Security of Secret Key

We assume that adversary wants to get the master secret key obtained by remote server node, gateway node ${\mathit{GW}}_i$ and constrained node ${\mathit{CN}}_{\mathit{ij}}$, such like $Q_0{ = T}_{s_0}(x) \mathrm{mod} p$ and $Q_i{ = T}_{s_i}(x) \mathrm{mod} p$. The adversary must have to solve the question based on CMDLP. If an adversary wants to get the gateway node ${\mathit{GW}}_i$’s secret key by compute $S_i{ = T}_{s_0}{(P}_i{) \mathrm{mod} p = T}_{s_0}{(H}_1{(\mathit{ID}}_i)) \mathrm{mod} p$, adversary needs to solve the question based on CMDLP. On the other hand, the gateway node ${\mathit{GW}}_i$ generates the secret key for the constrained node ${\mathit{CN}}_{\mathit{ij}}$. by performing $S_{\mathit{ij}}{ = S}_i{T}_{s_i}{(P}_{\mathit{ij}}{) \mathrm{mod} p = T}_{s_0}{(H}_1{(\mathit{ID}}_i{))T}_{s_i}{(H}_2{(Q}_{\mathit{ij}}{, \mathit{ID}}_i)) \mathrm{mod} p$. The gateway node ${\mathit{GW}}_i$ use private key $S_i$ and its own secret $s_i$ in the computing process, hence only gateway node ${\mathit{GW}}_i$. can know the constrained node ${\mathit{CN}}_{\mathit{ij}}$’s secret key.

4.2.2. Session Key Confirmation and Security of Session Key

We provide session key confirmation which can guarantee the correctness of the encryption key in the session through message authentication code ${\mathit{MAC}}_{{\mathit{GW}}_t}$ and ${\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}$. If the adversary wants to obtain a session key ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$, the adversary has to solve CMDHP even with knowledge of ${\omega }_t$. Moreover, session key ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$ is not the same every time because of random number $a_{\mathit{ij}}$.

4.2.3. Mutual Authentication

In the authentication process, constrained node ${\mathit{CN}}_{\mathit{ij}}$ and gateway node ${\mathit{GW}}_i$ compute their session key $K$ by public parameters (${\mathit{ID}}_i{, \mathit{ID}}_{\mathit{ij}}{, Q}_{\mathit{ij}}{, X, \mathit{ID}}_t, Y$). In addition, each party generates message authentication code ${\mathit{MAC}}_{{\mathit{GW}}_t}$ and ${\mathit{MAC}}_{{\mathit{CN}}_{\mathit{ij}}}$ by $K$ and ${\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}$ respectively to verify their validity. Moreover, because the feature of HIDC, gateway node ${\mathit{GW}}_t$ can realize constrained node ${\mathit{CN}}_{\mathit{ij}}$ comes from which cloud services provider by public parameter ${\mathit{ID}}_{\mathit{ij}}$.

4.2.4. Device Anonymity

After mutual authentication phase, constrained node ${\mathit{CN}}_{\mathit{ij}}$ can obtain pseudonym private key ${\mathit{aS}}_{\mathit{ij}}$ corresponding to pseudonym identity ${\mathit{aID}}_{\mathit{ij}}$ from supplier gateway node ${\mathit{GW}}_t$. The pseudonym identity ${\mathit{aID}}_{\mathit{ij}}$ involve not only constrained node ${\mathit{CN}}_{\mathit{ij}}$’s ${\mathit{ID}}_{\mathit{ij}}$ but also time stamp $t_s$, that is to ensure every time the constrained node can obtain different pseudonym identity to avoid attack by remove the linkage between the real identity and pseudonym identity. Besides, ${\mathit{aID}}_{\mathit{ij}}$ is computed by a supplier with its own secret. That is, only the supplier who gave ${\mathit{aID}}_{\mathit{ij}}$ to the constrained node ${\mathit{CN}}_{\mathit{ij}}$ can recover the constrained node’s real identity.

4.2.5. Traceability of Anonymity

Server node S can audit transmission history by recovering anonymous ID ${\mathit{aID}}_{\mathit{ij}}$. The gateway node ${\mathit{GW}}_t$ decrypts ${\mathit{aID}}_{\mathit{ij}}$ with secret $s_i$ to recover anonymous real identity by performing ${(\mathit{ID}}_{\mathit{ij}}{\left|\right|t}_t{) = D}_{{\mathit{sk}}_{{\mathit{GW}}_t\leftrightarrow {\mathit{CN}}_{\mathit{ij}}}}{(\mathit{aID}}_{\mathit{ij}})$.

4.2.6. Unforgeability

If the adversary wants to forge validated anonymous identity, adversary has to acquire gateway node ${\mathit{GW}}_i$’s secret $s_i$ and private key $S_i$. The adversary has to solve CMDLP if adversary wants to compute gateway node ${\mathit{GW}}_i$’s secret $s_i$ and private key $S_i$ from public parameter $Q_i$.

4.2.7. Without Assistance of Registration Center

Ying and Nayak [4] and Ul Haq et al. [5] proposed scheme for multi-server 5G networks which included a registration center (RC) in their system structures. RC is a third party for both sides of communication, and two parties have to go through registration phase to RC before communication. Privilege attack or malicious insider attack may occur if the adversary is in RC, and risk of message leakage may happen. If privilege attack or malicious insider attack happen in telemedicine system, patience privacy may be damaged. Moreover, system structure including RC in 5G networks is no difference from the one in conventional networks. In proposed scheme, we introduced hierarchical system structure which is suitable for 5G networks without RC or trusted third party.

4.2.8. Non-Repudiation and Security of Signature

When constrained node ${\mathit{CN}}_{\mathit{ij}}$ executes signature function based on Chebyshev chaotic maps with anonymous private key ${\mathit{aS}}_{\mathit{ij}}$ to generate signature ${\sigma }_{\mathit{ij}}$. Gateway node ${\mathit{GW}}_t$ can verify ${\eta }_{\mathit{ij}}$. As the result, non-repudiation can be achieved. We apply signature Meshram et al.’s ID-based online short signature scheme [45] in anonymous signature and verification phase, and security of signature has been proven using Bellar et al.’s method [69].

4.2.9. Resistant to Bergamo et al.’s Attack

Bergamo et al.’s attack [70] is based on two conditions: Attackers can obtain related elements (x, $a_{\mathit{ij}}$, ${\mu }_{\mathit{ij}}$, ${\omega }_t$) or several Chebyshev polynomials pass through the same point due to the periodicity of cosine function. In the authenticated key exchange phase of the proposed scheme, attackers cannot obtain any of the related elements (x, $a_{\mathit{ij}}$, ${\mu }_{\mathit{ij}}$, ${\omega }_t$) because they are encrypted in transmitted messages and only the user and server can retrieve the decryption key. Moreover, the proposed protocol utilizes the extended Chebyshev polynomials, in which the periodicity of the cosine function is avoided by extending the interval of x to $(-\infty , +\infty )$ [40]. As a result, our scheme can resist the attack proposed by Bergamo et al. [70].

5. Performance Analysis

We present comparisons of Yan et al.’s [30], Hu et al.’s [71], Ying and Nayak’s [4], Ul Haq et al.’s [5], and proposed schemes concerning security requirements and computational complexity comparison.

5.1. Security Requirements Comparison

As shown in

Table 4. Security requirements comparison.

Security Requirements	Yan et al. [30]	Hu et al. [71]	Ying and Nayak [4]	Ul Haq et al. [5]	Ours
Mutual authentication	X	O	X	O	O
Session key confirmation	X	X	X	O	O
Anonymity	X	O	O	O	O
Traceability of anonymity	X	X	X	X	O
Unforgeability	X	X	X	X	O
Non-repudiation	X	X	X	X	O
Without RC	O	O	X	X	O

, proposed scheme provides all listed security requirements. Yan et al.’s [30] and Hu et al.’s [71], and proposed schemes utilize hierarchical system structure. Yan et al.’s [30] and Ying and Nayak’s [4] only achieve one security requirement. Hu et al.’s [71] scheme achieves mutual authentication and anonymity, and Ul Haq et al.’s [5] scheme achieves mutual authentication, session key confirmation, and anonymity. None of mentioned previous schemes achieve traceability of anonymity, unforgeability, and non-repudiation except proposed scheme.

5.2. Computational Complexity Comparison

We present a computational complexity comparison of our scheme with Yan et al.’s [30], Hu et al.’s [71], Ying and Nayak’s [4], and Ul Haq et al.’s [5] schemes in

Table 5. Computational complexity comparison.

	Scheme	Yan et al. [30]	Hu et al. [71]	Ying and Nayak [4]	Ul Haq et al. [5]	Ours
Role
Sender/constrained node		${2T}_h+T_{\mathrm{ecc}}$ $={128.18T}_h$	${2T}_e+T_{\mathrm{ecc}}$ $={2214.16T}_h$	${8T}_h+{5T}_{\mathrm{ecc}}$ $={638.8T}_h$	${6T}_h+{5T}_{\mathrm{ecc}}$ $={636.8T}_h$	${3T}_{\mathrm{ch}}+{3T}_h$ $={129.12T}_h$
Receiver/gateway note		${2T}_h+T_{\mathrm{ecc}}$ $={128.18T}_h$	${2T}_{\mathrm{ecc}}$ $={252.32T}_h$	${4T}_h+{5T}_{\mathrm{ecc}}$ $={634.8T}_h$	${4T}_h+{5T}_{\mathrm{ecc}}$ $={634.8T}_h$	${3T}_{\mathrm{ch}}+{6T}_h$ $={132.12T}_h$
Both ends		${4T}_h+{2T}_{\mathrm{ecc}}$ $={256.36T}_h$	${2T}_e+{3T}_{\mathrm{ecc}}$ $={2466.48T}_h$	${12T}_h+{10T}_{\mathrm{ecc}}$ $={1273.6T}_h$	${10T}_h+{10T}_{\mathrm{ecc}}$ $={1271.6T}_h$	${6T}_{\mathrm{ch}}+{9T}_h$ $={261.24T}_h$

$T_{\mathit{ch}}$: Time for performing a Chebyshev chaotic maps operation; $T_{\mathit{ecc}}$: Time for performing an elliptic curve point multiplication; T_sym: Time for performing a symmetry encryption operation; T_e: Time for performing an exponentiation operation; $T_h$: Time for performing a one-way hash function operation; $T_{\mathit{ch}}$ = 42.04$T_h$; $T_{\mathit{ecc}}$ = 126.16$T_h$; T_sym = 17.4$T_h$; T_e = 1044$T_h$; $T_h=0.006 \mathrm{ms}.$

. We can ignore the time taken for computing XOR operation because the value is too low to influence the result. Hu et al.’s [71], Ying and Nayak’s [4], and Ul Haq et al.’s [5] schemes take more computational cost than Yan et al.’s [30] and ours. Hu et al.’s scheme [71] takes the most computational cost, and the reason may be that Hu et al.’s scheme [71] is the only scheme which performs exponentiation operations among them. Ying and Nayak’s [4] and Ul Haq et al.’s [5] schemes take more computational cost than Yan et al.’s [30] and ours because Ying and Nayak’s [4] and Ul Haq et al.’s [5] schemes perform more not only one-way hash function operations but elliptic curve point multiplications. The results have proven that performing an elliptic curve point multiplication takes more time than a Chebyshev chaotic maps operation, and, compared to RSA and ECC, Chebyshev polynomials can offer smaller key size and faster computation [42,43,72,73,74]. However, Yan et al.’s scheme [30] performs only two elliptic curve point multiplications in total while our scheme performs six Chebyshev chaotic maps operations. For the above reason, Yan et al.’s scheme [30] takes less time than our scheme. Although Yan et al.’s scheme [30] is more efficient than our scheme by a narrow margin, Yan et al.’s scheme [30] cannot provide key confirmation because of lacking session key agreement, and neither can Ying and Nayak’s scheme [4]. Moreover, Yan et al.’s scheme [30] cannot provide mutual authentication, anonymity, traceability of anonymity, unforgeability, and non-repudiation. Figure 8. illustrates computational complexity of receiver/gateway node with varying number of devices.

6. Conclusions

5G networks has an efficient effect in energy consumption and provides quality of experience and amount of devices communication, and 5G will change connected services and devices through higher reliability, connectivity, and cloud storage. IoT applying 5G infrastructure changes application scenario in many fields especially real-time communication between machines, data, and people. IoT with 5G environment provides solutions of network layer, including enhancing quality of service, router and jamming control, and resource optimization, to solve challenges of smart medical healthcare. Medical privacy is important in smart medical healthcare because data leaking brings potential harm to patients and hospital. We propose a FAIDM for medical privacy protection in 5G telemedicine systems which provides federated identity management which provide a secure way to protect medical privacy. To achieve privacy preservation, we provide anonymous identity to constrained nodes for reducing exposure of personal private data. Our scheme provides features below. (i) Proposed scheme provides federated identity management which can manage identity of devices in a hierarchical structure efficiently. (ii) Identity authentication will be achieved by mutual authentication between devices and SBSs/MBSs. (iii) The proposed scheme provides session key to secure transmitted data which is related to privacy of patients. (iv) The proposed scheme provides anonymous identities for devices in order to reduce the possibility of leaking transmitted medical data and real information of device and its owner. (v) If one of devices transmit abnormal data, the proposed scheme provides traceability of anonymous identities for servers of medical institute to check specific device. (vi) the proposed scheme provides anonymous signature for non-repudiation of devices, and records of signatures can be used for periodical audit of medical institute.