Abstract
The healthcare ecosystem is migrating from legacy systems to the Internet of Things (IoT), resulting in a digital environment. This transformation has increased importance on demanding both secure and usable user authentication methods. Recently, a postquantum fuzzy commitment scheme (PQFC) has been constructed as a reliable and efficient method of biometric template protection. This paper presents a new twofactorbased user authentication protocol for the IoTenabled healthcare ecosystem in postquantum computing environments using the PQFC scheme. The proposed protocol is proved to be secure using random oracle model. Furthermore, the functionality and security of the proposed protocol are analyzed, showing that memorylesseffortless, user anonymity, mutual authentication, and resistance to biometric templates tampering and stolen attacks, stolen smart card attack, privileged interior attack are fulfilled. The costs of storage requirement, computation, communication and storage are estimated. The results demonstrate that the proposed protocol is more efficient than Mukherjee et al., Chaudhary et al., and Gupta et al. protocols.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
The healthcare ecosystem is undergoing modernization is known as a digital transformation. The Internet of Things (IoT) offers many benefits for the healthcare sector. The IoTenabled healthcare makes healthcare practical for an aging population, chronic diseases, automate patient care, health records assortment and analysis. The IoTenabled healthcare provided a better environment for both physician and patient during the outbreak of COVID19. The IoTenabled healthcare ecosystem refers to the interconnection of smart devices and applications via the Internet. The IoTenabled healthcare ecosystem enables the collection, monitoring, and analyzing patients’ condition measurements, remotely [1, 2]. Figure 1 illustrates a typical IoTenabled healthcare ecosystem, where a remote user (for instance, physicians and patient family) collect and monitor the patient’s biomedical conditions for further processing. The wearable or implantable IoT medical devices are deployed in the patient's body, which is measures and collects the patient biomedical conditions. These biomedical conditions transfer to a smartphone connected to the IoT medical devices via an app. Then, the smartphone sends the biomedical conditions to the healthcare server for further analysis and decision.
Unlike the social and fiscal identities, the heath records such as genetic, conditions, or biometrics data cannot be revoked once it is compromised. The most significant threats that IoTenabled healthcare poses are data security and privacy. Cybercriminals can misuse the patient’s health records to claim in the patient’s name, for instance, create fake IDs to buy drugs and medical equipment or file fraudulent Insurance. The IoTenabled healthcare security is mainly for secure health records, communication, and user authentication. User authentication is a keystone in IoTenabled healthcare security, which plays a crucial role in establishing trust between IoT healthcare users and devices and preventing attacks [3].
Nowadays, knowledgebased authentication such as passwords and PINs plays a central role in IoTbased healthcare. With the exponential increase in using online services based on the traditional authentication method such as passwords, passwords become not only frustrating for users but also costly to maintain. According to the 2020 Verizon Data Breach Investigation Report, more than 80% of data breaches due to passwords phishing and authentication systems’ security vulnerabilities [4]. Additionally, users will hold an increasing number of accounts with the average user memorizing 191 passwords, according to the LastPass report 2016.
Due to its advantages over traditional authentication methods, biometrics considered is a promising authentication method in the IoT era [5]. However, there are serious concerns about the security and privacy of the stored biometric template [6]. In the last decade, many researchers combined techniques from the areas of cryptography and errorcorrecting codes to secure the stored biometric template known as biometric template protection schemes [7,8,9,10]. However, errorcorrecting code is essential in the design of the traditional biometric template protection schemes, which degrade the security and performance of these schemes [11,12,13].
Currently, IoT systems rely on conventional cryptography algorithms based on integer factorization and discrete logarithm, for instance, Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC). However, conventional cryptographic algorithms are no longer secure by upcoming quantum computing [14]. Furthermore, these conventional cryptographic algorithms are inadequate for IoT devices because of their complex computation requirements [2]. Therefore, postquantum cryptography primitives are a promising technique for securing communications between IoT users and devices. Due to its predominant features, such as resistance to quantum attacks, performance efficiency, work in classical computing, latticebased cryptography becomes ahead in the postquantum techniques [15].
Recently, a postquantum fuzzy commitment scheme (PQFC) [16] has been ensuring both security and accuracy efficiencies for biometric template protection. To tackle issues with IoTenabled healthcare ecosystems, we propose a new lightweight twofactor user authentication protocol for the IoTenabled healthcare ecosystem based on the security of PQFC scheme. The proposed protocol using biometrics and smartcard for authentication. The following are the main findings of the work:

1.
A new lightweight twofactor user authentication protocol for the IoTenabled healthcare ecosystem using a postquantum fuzzy commitment scheme.

2.
Formal theoretical analysis shows that the proposed protocol is secure against upcoming quantum threats using random oracle models.

3.
Our protocol is quantumsafe protocol.

4.
The biometric template safeguarded the biometric matching performed indirectly

5.
Our protocol is a memorylessbased user authentication protocol.

6.
Our protocol achieves important security and privacy properties, such as resistance to tampering and stolen of stored biometric template, stolen smart card, and privileged interior attacks.

7.
Our protocol provides good functionality features, such as memorylesseffortless, user anonymity, mutual authentication, renewable biometric, and lightweight protocol.

8.
The computational, communication, and storage costs of the proposed scheme are evaluated and compared with existing related protocols.

9.
The security and performance analysis shows that the proposed protocol is suitable for application in an IoTenabled healthcare environment in comparison with the other existing competitive protocols.
The rest of the paper is organized as follows: Sects. 2 and 3 contain related work and preliminaries, respectively. The biometricbased PQFC authentication system is described in Sect. 4. The presented lightweight twofactor authentication protocol for IoTenabled healthcare and corresponding formal security analysis is presented in Sects. 5 and 6, respectively. Section 7 discusses the security and functionality analysis of the proposed protocol. The performance evaluation is done in Sect. 8. Section 9 presents the conclusions.
2 Related Work
Recently, many authentication protocols for secure communication between IoT users and devices in IoT environments have been proposed. Some of them use traditional publickey cryptography like Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC). [17,18,19]. However, these protocols are inadequate for IoT devices because of their complex computation operations. Furthermore, these approaches are no longer secure by upcoming quantum computing [14]. There are also less efficient and secure authentication protocols [20,21,22,23], which are based on traditional biometric template protection. However, errorcorrecting code is essential in the design of these traditional biometric template protection schemes, which cause a downgrade of the security and performance of the system.
Latticebased cryptography techniques attracted many researchers to secure applications in IoT environments due to their security and functionality efficiencies [15]. Of late, several authentication protocols for IoT sectors have been proposed in the literature. Nan et al. [24] proposed a latticebased publickey encryption based on Needham and Schroeder scheme [25] and then used to construct a lightweight authentication protocol for smart city environment. They claimed their protocol is secure against different attacks using informal security analysis. The protocol was implemented in Contiki platform and evaluated using Coojabased emulation environment and Texas Instruments CC2538 hardware platform. Cao et al. [26] presented an access authentication and data distribution scheme for the 5G narrowband Internet of Things systems. The security of their protocol is based on the latticebased homomorphic encryption. To demonstrate the security of their protocol, they used BAN logic and Scyther tools. Zhou and Wang proposed an anonymous NTRUbased authentication scheme for mobile users in roaming service in ubiquitous networks [27]. Mukherjee et al. designed a latticebased conditional privacypreserving authentication protocol for vehicular ad hoc networks [28]. They showed that their protocol ensures the message integrity, authentication and privacy preservation using ROM model.
Chaudhary et al. [29] proposed a latticebased cryptosystem for smart healthcare in future smart cities. Then, they combined their cryptosystem with bilinear Diffie–Hellman to construct an authentication protocol for healthcare. However, the protocol is not lightweight because of using exponential operations and hence it’s not suitable for IoT applications. Sahu et al. [30] presented a lightweight multiparty authentication and keyestablishment protocol in IoTbased eHealthcare service access network using lattice identitybased encryption. They tested the security of their protocol using Scyther tool. Gupta et al. [31] presented a latticebased authentication and access control protocol for IoTbased healthcare. The security assumption of their based on the hardness of the LWE problem. They measured the protocol’s performance in terms of storage requirement and computational and communication costs and then compared with the existing related protocols.
All the aforementioned authentication protocols for IoT environments are relying solely on the password, which is falling apart if the password is not kept secure. However, passwords can be easily shared, stolen, forgotten, or phishing. Therefore, the rapid development of emerging technologies such as IoT, cloud computing, blockchain, quantum computing, and eservices makes the current research on user authentication protocols based on postquantum cryptography urgent.
Recently, a postquantum fuzzy commitment scheme (PQFC) [16] guaranteeing the security and accuracy efficiencies for biometrics template protection. The author provides a theoretical and experimental analysis of PQFC scheme, showing that the PQFC scheme is a promising technique to provide secure and usable method for users in IoTEnabled healthcare ecosystems.
3 Preliminaries
This section provides a mathematical preliminary which are essential for describing and analysis the proposed protocol.
3.1 Statistical Distance
Let \(D_{1}\) and \(D_{2}\) be two probability distributions over a common measurable sample space \(\Omega\). Suppose further, the nonnegative function \(\varepsilon = \varepsilon \left( k \right)\) is negligible if, for all polynomials \(p\left( k \right)\) we have that \(\varepsilon \left( k \right) < p\left( k \right)^{  1}\) for sufficiently large \(k\). The statistical distance \(SD\) between \(D_{1}\) and \(D_{2}\) is given by:
3.2 Collision Resistance Hash Function
A function \(h:\left\{ {0,1} \right\}^{*} \to \left\{ {0,1} \right\}^{k}\) is called a collision resistant hash function [32] if the following properties hold: (1) compression: \(h\) maps an input \(x\) of arbitrary finite bit length to an output \(h\left( x \right)\) of fixed bit length \(k\). (2) easy to compute: Given \(h\) and an input as \(x\), \(h\left( x \right)\) is easy to compute, (3) preimage resistance: For all specified output \(y\), it is computationally infeasible to find any input \(x{^{\prime}}\) such that \(h\left( {x^{\prime}} \right) = y\), (4) collision resistant: it is computationally infeasible to find any two distinct inputs \(x\), and \(x{^{\prime}}\) have the same hash valued, i.e., \(h\left( x \right) = h\left( {x^{\prime}} \right)\).
3.3 Lattice
Definition 1
A basis is defined as a set of linearly independent vectors \({\mathbf{\rm B}} = \left\{ {{\varvec{b}}_{1} ,{\varvec{b}}_{2} , \ldots ..,{\varvec{b}}_{{\varvec{n}}} } \right\}\) of Euclidian vector space \({\mathbb{R}}^{n}\) that spans the full space.
Definition 2
A lattice \({\mathcal{L}}\) is a discrete additive subgroup of \({\mathbb{R}}^{n}\) whose elements generated by the integer linear combinations of the basis \({\mathbf{\rm B}} = \left\{ {{\varvec{b}}_{1} ,{\varvec{b}}_{2} , \ldots ..,{\varvec{b}}_{{\varvec{n}}} } \right\}\).
3.4 lattice Computational Complexities
We now give definitions of wellknown lattice computational problems used to construct latticebased cryptography primitives.

LP1: Shortest Vector Problem (SVP): the shortest vector problem has three variants [33]:

P1) Find the length of the shortest nonzero vector in the lattice \({\mathcal{L}}\left( {\mathbf{\rm B}} \right)\).

P2) Find the shortest nonzero vector \({\varvec{v}} \in {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\) such that \(\left\{\varvec{v}} \right\ \in \lambda \left( {\mathcal{L}} \right)\).

P3) Find the basis \({\mathbf{\rm B}} = \left\{ {{\varvec{b}}_{1} ,{\varvec{b}}_{2} , \ldots ..,{\varvec{b}}_{{\varvec{n}}} } \right\}\) in \({\mathcal{L}}\) in which \(\mathop {\max }\limits_{i} \left\ {\varvec{b}}_{i} \right\\) is the smallest possible up to a polynomial factor.

LP2: Approximation Shortest Vector Problem (\({\text{SVP}}_{\gamma }\)) Given a basis \({\mathbf{\rm B}}\) of the lattice of n dimensional lattice \({\mathcal{L}} = {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\), find a nonzero vector \({\varvec{v}} \in {\mathcal{L}}\) such that \(\left\{\varvec{v}} \right\ = \gamma \left( n \right).\lambda \left( {\mathcal{L}} \right)\), for approximation factor \(\gamma \ge 1\) taken as a polynomial of n [34].

LP3: Closet Vector Problem (CVP) [35]: Given a basis \({\mathbf{\rm B}}\) of the lattice of n dimensional lattice \({\mathcal{L}} = {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\) and a vector u (not necessarily in the lattice), find a nonzero vector \({\varvec{v}} \in {\mathcal{L}}\) that close to u.

LP4: Short Integer Solution (SIS) [36]: Given a matrix \({\mathbf{\rm A}} \in {\mathbb{Z}}_{q}^{m \times n}\) whose columns are uniformly random vector in \({\mathbb{Z}}_{q}^{n}\), find a nonzero vector \({\varvec{w}} \in \Lambda_{q}^{ \bot } \left( {\text{\rm A}} \right)\).

LP5: Decisional Approximate SVP \(\left( {{\text{G}}_{{{\text{AP}}}} {\text{SVP}}_{\gamma } } \right)\): Given a basis \({\mathbf{\rm B}}\) of an n dimensional lattice \({\mathcal{L}} = {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\) and a number \(d\). In YES instance \(\lambda \left( {\mathcal{L}} \right) \le d\) or No instance \(\lambda \left( {\mathcal{L}} \right) > \gamma \left( n \right).d\).

LP6: Shortest Independent Vectors Problem \(\left( {{\text{SIVP}}_{\gamma } } \right)\) [36]: Given a basis \({\mathbf{\rm B}}\) of an n dimensional lattice \({\mathcal{L}} = {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\). The goal is to output a set of \(n\) linearly independent lattice vectors of length at most \(\gamma \left( n \right).\lambda \left( {\mathcal{L}} \right)\).

LP7: Learn with Error (LWE) problem: We briefly describe the Learn with Error (LWE) that used to construct an efficient latticebased cryptography. Regev [36] introduced a reduction from worstcase lattice problems such as GAPSVP and SIVP to a learning with error problems. The author proved that the solution to the LWE problem implies that there is a quantum algorithm to GAPSVP and SIVP.
LWE distribution: For some integer \(k \ge 1\), let m, n = poly(k), and q (prime) are positive integers and let \({\mathcal{X}}\) be a distribution on \({\mathbb{Z}}_{q}\). The LWE distribution \({\mathcal{A}}_{{s,b_{i} }} \subseteq {\mathbb{Z}}_{q}^{n} \times {\mathbb{Z}}_{q}\) is sampled using the vector \(s \in {\mathbb{Z}}_{q}^{n} { }\) called secret and the matrix \({\mathbf{\rm A}} \in {\mathbb{Z}}_{q}^{m \times n}\) whose columns are vectors uniformly chosen random, \({\varvec{a}}_{{\varvec{i}}} \mathop \leftarrow \limits^{R} {\mathcal{U}}\left( {{\mathbb{Z}}_{q}^{n} } \right){ }\), for i = 1,2,…,k, choosing e \({ } \in {\mathbb{Z}}_{q}^{n}\) and the output is: \(b_{i} = \left\langle {{\varvec{a}}_{{\varvec{i}}} ,{\mathbf{s}}} \right\rangle + e_{i} { } \in {\mathbb{Z}}_{q}\) for all i = 1,2,…,n.
4 The BiometricBased PQFC Authentication System
In this section, we briefly describe the biometricbased PQFC authentication system [16], which is relies on the worstcase hardness shortest vector problem (SVP) of lattice cryptography. Let us now describe the construction of the biometricbased PQFC authentication system which consists of two main stages: enrollment and verification. The process of the system is described below:
4.1 Setup Stage
Positive integers m, n, and p (prime number) are chosen randomly. Then, generate the matrix \({\mathbf{\rm A}} \in {\mathbb{Z}}_{q}^{m \times n}\) whose columns are vectors in the lattice \({\mathcal{L}}\left( {\mathbf{\rm B}} \right)\).
4.2 Enrollment Stage
First, the user chooses a vector randomly \(v \in Z_{p}^{n}\) and generates a biometric reference template \(x_{r} \in Z_{2}^{m}\) using a specific software. The vector \(v\) and the template \(x_{r}\) are input to the PQFC function to generate the biometric reference commitment \(\beta_{r}\):
where \(\times_{q}\) applies matrix multiplication modulo \(q\) and \(+_{q,2}\) applies vector addition modulo q and the result goes through modulo 2.
4.3 Verification stage
The user generates his/her biometric query template \(x_{q} \in Z_{2}^{m}\) and then computes the biometric query commitment \(\beta_{q}\) as follows:
The biometric query commitment \(\beta_{q}\) is matched against the stored \(\beta_{r}\) using, e.g., Hamming distance. If the matching score is within the system threshold, then the user is authenticated.
5 Lightweight TwoFactor User Authentication protocol for the IoTEnabled Healthcare
The proposed protocol comprises four phases, namely the registration phase, the login phase, the authentication phase, and the biometric renewable phase. The protocol consists of three entities, namely (1) a user \({U}_{i}\), which is for instance physician, nurse, pharmacologist, or patient’s family member, (2) a medical server MS, and (3) a patient \({P}_{j}\). The \({U}_{i}\) must register and authenticate herself/himself with the medical server MS to access the patient’s medical data. It is worth noting that the patient’s medical data are collected and measured using smart devices implanted with the body of the patient. Then, these medical data transfer to the medical server MS. Details of the steps of these phases are described below.
5.1 Setup Phase
The main purpose of this phase is to generate the public parameter \(\vartriangle\).; that is, MS takes a unary \(1^{k}\) as input and executes the following steps:

S1: MS chooses a prime number \(p\) and two positive integers \(m\) and \(n\).

S2: MS generates randomly a matrix \({\rm A} \in {\rm Z}_{p}^{m \times n}\), which consists of \(n \) linearly independent vector of the lattice \(\Lambda_{p}\) And then chooses a cryptographic hash function \(h:\left\{ {0,1} \right\}^{*} \to \left\{ {0,1} \right\}^{k}\).

S3: MS chooses randomly a master key vector \(mk \in Z_{p}^{1 \times n}\) and computes public key \(pk = {\rm A}.mk^{T} { }\left( {{\text{mod }}p} \right) \in Z_{p}^{1 \times m}\).

S4: MS publishes the public parameters of the system \(\vartriangle = \left\{ {m,n,p,{\rm A},pk,h\left( \cdot \right)} \right\}\) and keeping \(mk\) as a secret.
5.2 Registration Phase
When the user \(U_{i}\) needs to register with the medical server MS, she/he performs the following steps:

R1:\(U_{i}\) selects her/his unique identity \(D_{i}\).

R2:\(U_{i}\) uses specific software to generate cryptographic key \(k_{i} \in Z_{2}^{l}\) and generates a random number N, then computes \(c_{i} = h(k_{i} N)\).

R3:\(U_{i}\) presents her/his personal biometric data \(B_{i}\) on biometric reader and the biometric reference template \(x_{r} \in Z_{2}^{t}\) extracted such that \(m = t + l\). Then, \(U_{i}\) chooses randomly \(v_{i} \in Z_{p}^{n}\) and computes the following:
$$\beta_{r} = {\rm A} \times_{q} v_{i} +_{q,2} (x_{r} k_{i} ){ ,}$$(5)$$r_{i} = h\left( {c_{i} \beta_{i} } \right),$$(6)$$w_{i} = {\rm A} \times_{q} v_{i} { ,}$$(7)$$Z_{i} = { }w_{i} \times_{q} pk^{T} ,$$(8)$$\delta_{i} = h\left( {w_{i} } \right) \oplus h(ID_{i} r_{i} )$$(9) 
R4: \(U_{i}\) sends the registration message \(\left\{ {ID_{i} ,{ }r_{i} ,{ }Z_{i} ,\delta_{i} } \right\}\) to the medical server MS.

R5: MS computes \(e_{i} = h(ID_{i} mk) \oplus r_{i}\) and loads \(\left\{ {{ }r_{i} ,{ }Z_{i} ,\delta_{i} ,{ }e_{i} ,s} \right\}\) on \(U_{i} {^{\prime}}s\) smart card, then sends the smart card to the user \(U_{i}\).

R6: Upon receiving the smart card, the user stores the random number N and \(\beta_{r}\) in her/his smart card.
5.3 Login Phase
Whenever the user \(U_{i}\) wants to access the health profile of the patient \(P_{j}\), she/he must log in to the medical serer MS by performing the following steps:

L1: \(U_{i}\) inserts her/his smart card into the card reader and keys her/his identity \(ID_{i}\).

L2: The smart card sends the login message request \(\left\{ {Z_{i} ,\delta_{i} ,r_{i} } \right\}\) to the medical server MS.

L3: Upon receiving the login request, the medical server MS computes \(w{^{\prime}}_{i} = \left( {{ }Z_{i} \cdot {\rm A}} \right) \cdot mk^{T} { }\left( {{\text{mod }}p} \right)\) and sends \(w{^{\prime}}_{i}\) to the user \(U_{i}\) via a public channel.

L4: Upon receiving \(w{^{\prime}}_{i}\), the user \(U_{i}\) presents her/his biometric data \(B_{i}\) on biometric reader and a biometric query template \(x_{q}\) extracted. The smart card calculates \(\beta_{q} = w{^{\prime}}_{i} +_{q,2} (x_{q} 0)\) and verifies \(dist\left( {\beta_{q} ,\beta_{r} } \right) \le d_{th}\).

L5: If the above biometrics verification fails, the session will be terminated; otherwise, the smart card extracts \(k{^{\prime}}_{i} = \beta_{r} \oplus \beta_{q}\) and computes \(r{^{\prime}}_{i} = h\left( {h(k{^{\prime}}_{i} N)\beta_{q} } \right)\), and then the smart card verifies \(r_{i} = r{^{\prime}}_{i}\).

L6: If the above key verification fails, the session will be terminated; otherwise, the smart card continued computing the following: \(\theta_{1} = e_{i} \oplus r{^{\prime}}_{i}\), \(\theta_{2} = \theta_{1} \oplus R_{u}\), \(\theta_{3} = h(sR_{u} )\), \(\theta_{4} = c_{i} \oplus \theta_{3}\), \(\theta_{5} = h\left( {\theta_{2} \theta_{3} \theta_{4} } \right)\), and \(\theta_{6} = \theta_{3} \oplus ID_{i}\).

L7: The smart card sends the message \(\left\{ {\theta_{1} ,\theta_{2} ,\theta_{4} ,\theta_{5} ,\theta_{6} } \right\}\) to the medical server for authentication.
5.4 Authentication Phase
When MS received the message \(\left\{ {\theta_{1} ,\theta_{2} ,\theta_{4} ,\theta_{5} ,\theta_{6} } \right\}\), the medical server MS and the user \(U_{i}\) perform the following steps to authenticate each other.

A1: MS computes \(\theta_{7} = \theta_{2} \oplus \theta_{1}\) and \(ID{^{\prime}}_{i} = \theta_{6} \oplus h(s\theta_{1} \oplus \theta_{2} )\).

A2: MS checks the format of \(ID{^{\prime}}_{i}\). If \(ID{^{\prime}}_{i}\) is valid, MS computes and verifies \(\theta_{5} = h(\theta_{2} \theta_{8} \theta_{4} )\), if it does not hold, MS rejects the login request and terminates the session. Otherwise, MS accepts the user \(U_{i}\) log in and stores \(\left\{ {ID_{i} ,\theta_{7} } \right\}\) in the database system to resist the reply and maninthemiddle attacks.

A3: MS computes \(\theta_{9} = \theta_{4} \oplus \theta_{8}\), \(\theta_{10} = h\left( {\theta_{9} \left {\left {ID_{s} } \right} \rights} \right) \oplus \theta_{8} \oplus R_{s}\), \(\theta_{11} = h(\theta_{1} \theta_{9} \left {\left s \right} \rightR_{s} )\), then MS sends \(\left\{ {\theta_{10} ,\theta_{11} } \right\}\) to the user \(U_{i}\).

A4: \(U_{i}\) computes \(\theta_{12} = h\left( {c_{i} \left {\left {ID_{s} } \right} \rights} \right) \oplus R_{u}\) and verifies \(\theta_{11} = h(\theta_{1} c_{s} \left {\left s \right} \right\theta_{12} )\). If it does not hold, \(U_{i}\) terminates the session. Otherwise, the medical server MS is authenticated by the user \(U_{i}\). Finally, the user and the medical server computes \(h(c_{i} \left {\left {\theta_{3} } \right} \right\theta_{12} ID_{s} ) = K_{{{\text{sess}}}} = h(\theta_{9} \left {\left {\theta_{8} } \right} \rightR_{s} ID_{s} )\) respectively, which is taken as the session key \(K_{sess}\).
5.5 Biometric Revocation Phase
To reregister her/his same biometric \(B_{i}\),\({ }U_{i}\) performs a biometric revocation phase as follows:

V1: \(U_{i}\) inserts her/his smart card, keys identity \(ID_{i}\), and presents her/his biometrics \(B_{i}\) in the biometric reader, which generates a biometric template \(x_{r}^{{{\text{new}}}}\) that will be used for a biometric verification approach as described in steps L2–L5 in the login phase. the cryptographic key \(k{^{\prime}}_{i}\) is retrieved, and the user will generate a new cryptographic key \(k_{i}^{{{\text{new}}}}\).

V2: If this verification fails, the session will be terminated. Otherwise, the smart card computes \(e{^{\prime}}_{i} = e_{i} \oplus r{^{\prime}}_{i}\), \(\beta_{r}^{{{\text{new}}}} = {\rm A}^{T} \times_{q} v_{i}^{{{\text{new}}}} +_{q,2} (x_{r}^{{{\text{new}}}} k_{i}^{{{\text{new}}}} ){ }\), \(c_{i}^{{{\text{new}}}} = h(k_{i}^{{{\text{new}}}} N)\), \(r_{i}^{{{\text{new}}}} = h\left( {c_{i}^{{{\text{new}}}} \beta_{r}^{{{\text{new}}}} } \right)\), \(e_{i}^{{{\text{new}}}} = e_{i} \oplus r_{i}^{{{\text{new}}}}\),\(w_{i}^{{{\text{new}}}} = {\rm A}^{T} \times_{q} v_{i}^{{{\text{new}}}} { }\), \(Z_{i}^{{{\text{new}}}} = pk \times_{q} { }w_{i}^{{{\text{new}}}} { }\), and \(\delta_{i}^{{{\text{new}}}} = h\left( {w_{i}^{{{\text{new}}}} } \right) \oplus h(ID_{i} r_{i}^{{{\text{new}}}} )\).

V3: Finally, \(e_{i}^{{{\text{new}}}}\), \(r_{i}^{{{\text{new}}}}\), \(\beta_{r}^{{{\text{new}}}}\), \(Z_{i}^{{{\text{new}}}}\), and \(\delta_{i}^{{{\text{new}}}}\) are stored in \(U_{i}\) smart card.
6 Security Analysis
In this section, a formal security analysis of the proposed protocol is given using the random oracle model (ROM). Theorem 1 shows that the adversary \(A^{Q}\) can breaches the proposed protocol by learn the biometric reference template \(x_{r}\) and the cryptographic key \(k_{i}\) from \(F_{i}\) only with negligible probability. Theorem 2 proves that the adversary \(A^{C}\) is able to breach the proposal protocol if he/she is able to invert the oneway hash function. To this end, we simulate two random oracle model.
6.1 Quantum Random Oracle Model
This model specifies as a game that a probabilistic polynomialtime algorithm (possibly quantum) \(A^{Q}\) adversary plays with a challenger. The game works as follows:
The challenger takes unary \(\left( {1^{k} } \right)\) and generates vectors \(v \in {\rm Z}_{p}^{m}\) and \(x \in {\rm Z}_{2}^{n}\), and sends it to the adversary \(A^{Q}\) as input.
The adversary \(A^{Q}\) takes \(v\) and \(x\) as input to the function \(F\left( {v,x} \right)\) and is allowed to make queries \(q_{F}\) to the challenger. The adversary outputs a value \(F\), which is sent to the challenger.
The challenger then looks at \(\left( {v,x} \right)\), \(F\), and the queries \(q_{F}\) made by the adversary \(A^{Q}\). Finally, the challenger outputs 1 or 0.
6.2 Classical Random Oracle Model
This model specifies as a game that a probabilistic polynomialtime algorithm \(A^{C}\) adversary plays with a challenger. The game works as follows:
The challenger takes unary \(\left( {1^{k} } \right)\) and generates a value \(x\) and sends it to the adversary \(A^{C}\) as its input.
The adversary \(A^{C}\) takes \(x\) as input to the hash function \(h\left( . \right)\) and is allowed to make queries \(q_{h}\) to the challenger. The adversary then outputs a value \(y\), which it sends to the challenger.
The challenger then looks at \(x\) and \(y\) and the queries \(q_{h}\) made by the adversary \(A^{C}\). Finally, the challenger outputs 1 or 0.
Theorem 1
Assume that \(D^{{R{^{\prime}}\left( {{\rm A},.} \right)}}\) and \(D^{R\left( . \right)}\) are two distributions of outputs of a probabilistic polynomialtime algorithm adversary \(A^{Q}\). The first distribution for the oracle of chosen matrix \({\rm A} \in Z_{p}^{m \times n}\) and the second distribution is taken over the true oracles with \(q_{F}\) quantum oracle queries. Then, the distributions \(D^{{R{^{\prime}}\left( {{\rm A},.} \right)}}\) and \(D^{R\left( . \right)}\) are statistically close (at most \(\varepsilon < p^{  n} 2^{  m} q_{F}\)).
Proof of Theorem 1
Let \(R\) be a random oracle, \(D^{{R\left( {{\rm A},.} \right)}} \left( {1^{k} } \right)\) and \(D^{R\left( . \right)} \left( {1^{k} } \right)\) are two random oracle distributions taken over sample space \(\Omega\), which are the output of possible quantum adversary \(A^{Q}\).
For \(m\) and \(n\) being positive integers \(\left( {m > n} \right)\), which are polynomial of the security parameter \(k\), let \(p\) be a prime number. For \(v \in Z_{p}^{m}\) and \(x \in Z_{2}^{n}\) chosen randomly, we define the statistical distance between the two distributions as follows:
where \(Pr_{{\left( {x,v} \right) \leftarrow D^{{R\left( {{\rm A},.} \right)}} \left( {1^{k} } \right)}} \left[ {A^{Q} \left( {x,v} \right) = 1} \right] = \mathop \sum \limits_{v} pr\left[ v \right]Pr[Fv]\) and \(x = [x_{r} k_{i} ]\).
Fix \(x_{0} \in Z_{2}^{n}\) such that \(F\left( {x_{0} ,v_{0} } \right) = F_{0}\) for some \(v_{0} \in Z_{p}^{m}\), and then the following probability can be computed as follows:
where \(\varphi \left( F \right)\) is the set of all preimages of the function \(F\). We defined the size of \(\varphi\) as the number of quantum queries \(q_{F}\).
Now, we are computing the probability of the distribution:
Then, we are ready to estimate the probability between the two distributions. \(\begin{gathered} \varepsilon = \sum \left Pr_{{\left( {x,v} \right) \leftarrow D^{{R\left( {{\rm A},.} \right)}} \left( {1^{k} } \right)}} \left[ {A^{Q} \left( {x,v} \right) = 1} \right]\right. \hfill\\ \qquad\left. Pr_{{\left( {x,v} \right) \leftarrow D^{R\left( . \right)} \left( {1^{k} } \right)}} \left[ {A^{Q} \left( {x,v} \right) = 1} \right] \right \hfill \\ \quad < \mathop \sum \limits_{v \in \varphi \left( F \right)} \frac{1}{{p^{m} }}\frac{1}{{2^{2} }} = \frac{1}{{p^{m} }}\frac{1}{{2^{2} }}\left {q_{F}^{^{\prime}}  q_{F} } \right \hfill \\ \end{gathered}\) □
Theorem 2
Suppose that for \(k_{i} \in Z_{2}^{l}\), \(N\), and \(F_{i}\) are generated randomly. If a probabilistic polynomialtime algorithm (classical) \(A^{C}\) adversary breaches the security of the proposed protocol, then the adversary is able to invert the oneway hash function \(h\left( z \right)\) on a random input \(z \in D \subseteq \left\{ {0,1} \right\}^{n}\) in polynomial time with a nonnegligible probability \(\varepsilon {^{\prime}} > 2^{  k  n} q_{h} .\)
Proof of Theorem 2
Assume that \(A^{C}\) runs a random oracle algorithm to retrieve user cryptographic key \(k_{i}\) from the oneway hash function \(h\) with a number of queries \(q_{h}\). We define the adversary advantages as the probability \(Adv_{{A^{C} }} \left( D \right) = Pr_{z \leftarrow D} \left[ {A^{C} \left( z \right) = 1} \right]\). This advantage is determined by the number of queries \(q_{h}\) for the classical random oracle model. Then, the advantage probability is computed as follows:
\(\begin{aligned} Adv_{{A^{C} }} \left( D \right) & = Pr_{z \leftarrow D} \left[ {A^{C} \left( z \right) = 1} \right] = Pr_{z \leftarrow D} \left[ {z:h\left( z \right) = y} \right] \\ & = \mathop \sum \limits_{z} Pr\left[ y \right] \cdot Pr[zy] \le \mathop \sum \limits_{z} \frac{1}{{2^{k} }} \cdot \frac{1}{{2^{n} }} \le \frac{{q_{h} }}{{2^{k + n} }}{ }. \\ \end{aligned}\) □
7 Security and Functionality Features
In this section, we discuss the security and functionality features of our proposed protocol and compare with the related latticebased authentication protocols [28, 29, 31] as shown in Table 1.

F1: Quantum attack resistant: The IoT is encountering security and privacy threats. However, with quantum computing, these security and privacy threats will increase more and more. The security of the proposed protocol is based on PQFC scheme, which is provable secure against quantum attacks.

F2: Tampering with stored biometric templates attack: This property applies when an attacker gets access to the system database or the token, temporarily or permanently cannot modify the template in the system database/token to gain server authentication. In the proposed protocol, the attacker needs to break the SVP problem to obtain the biometric reference template.

F3: Biometric template thefts resistant: This property applies to an attacker that gets access to the database system or token and obtain the user’s biometric template; she/he can use it for other purposes. In our protocol, the user’s biometric template is protected using PQFC scheme. Hence, there is no clear stored template to be stolen.

F4: Privileged insider attack resistant: Insider attacker with privileged access to the database server can pose a serious threat to the server database. One of the breaches can lead to stealing/tampering with the stored biometric templates in the database. The proposed protocol offers an opportunity for the user to hide her/his biometric template from privileged insiders in the registration phase by allowing her/him to send it to authentication server in encrypted format, which will prevent an inside attacker from getting it.

F5: Smart card/token attack resistant: Assume that the user’s smart card is lost or stolen. An attacker having the smart card has no way to obtain secret information stored in the smartcard. If the attacker retrieves the information \(\mathcal{w}\), the attacker has to find \(v\) by solving lattice SVP problem to gain information, which is contradiction to shortest vector problem (SVP).

F6: ManintheMiddle attack resistant: In the maninthemiddle attack, the attacker sits in the middle and negotiates the cryptographic parameters with the user and server to gain access as a legitimate. In the registration phase of the proposed protocol, the user sends request to the authentication server. The server replies by sending the message including the matrix \(\user2{\rm A}\); assume the maninthemiddle attacker intercepts the server message and replaces the matrix \(\user2{\rm A}\) by \(\user2{\hat{\rm A}}\); the user will compute \(F_{{{\mathcal{U}}_{i} }}^{r} = \left( {\user2{\hat{\rm A}} \cdot v{\text{ mod }}q + t_{{{\mathcal{U}}_{i} }}^{r} } \right){\text{ mod }}2\) and send to the server. Then, the maninthemiddle attacker cannot learn the biometric template \(t_{{{\mathcal{U}}_{i} }}^{r}\) from \(F_{{{\mathcal{U}}_{i} }}^{r}\), only if she/he solves the LWE lattice problem.

F7: Renewable biometric template: Unlike passwords, biometrics are limited and once it compromised cannot be revoked. A biometric is the principle means of authentication in our protocol. If the biometric template is compromised by any attacks, it can be used again with new registration parameters.

F8: Memorylesseffortless: An authentication protocol that does not require any users to remember any secret per service called memorylesseffortless. By this definition, the proposed authentication protocol is memorylesseffortless

F9: User anonymity: An important security property of authentication protocol for IoT applications is the confidentiality of the user’s identity. It is desirable to keep user’s identity hiding from attackers. In the proposed protocol, the plaintext user's identity \(ID_{{{\mathcal{U}}_{i} }}\) is neither stored in the user's smart card nor sent in the login and authentication messages over secure or insecure channels. If the attacker is able to retrieve the values \(e_{i}\) and \(r_{i}\) from the user's smart card, it is obvious that an attacker is determining \(ID_{{{\mathcal{U}}_{i} }}\) which is equivalent to find the collision in the hash function \(h\).

F10: Lightweight: A protocol with less computational and communication complexities is called a lightweight protocol.
8 Performance Analysis
In this section, we evaluate the performance of our protocol based on the following metrics: the storage requirements, communication costs, and computational complexities. Furthermore, we have compared the proposed protocol with the recent related protocols for IoT systems [28, 31]. Table 2 shows the computational costs comparison between the proposed protocol and the protocols in [28, 31]. Let \(T_{{{\text{Mp}}}}\), \(T_{{{\text{Vp}}}}\), \(T_{{{\text{add}}}}\), and \(T_{h}\) denote the operation time required to execute the matrix multiplication modulo \(p\), vector multiplication modulo \(p\), vector addition modulo \(p\), and oneway hash function, respectively. The total computational time cost of our protocol is \({\varvec{4T}}_{{{\mathbf{Mp}}}} + {\varvec{2T}}_{{{\mathbf{add}}}} + {\varvec{19T}}_{{\varvec{h}}}\). Furthermore, we have estimated the execution time of the above mentioned operations as \(T_{{{\text{Mp}}}} = 4\;{\text{ms}}\), \(T_{{{\text{Vp}}}} = 1\;{\text{ms}}\), \(T_{{{\text{add}}}} = 2\;{\text{ms}}\), and \(T_{h} = 0.0023\;{\text{ms}}\). The tasks are executed using MATLAB 2020b on PC workstation with Intel(R) Core(TM) i710,700 CPU @ 2.90 GHz 2.90 GHz RAM 16.0 GB. Thus, the total execution time for the proposed protocol is 20.0437 ms.
For computational complexity comparison, we followed the parameters reported in [31] as follows: assume that \(m = n = O\left( {k \log p} \right)\), \(p = O\left( {k^{2} } \right)\) and \(\left p \right = \log \left( p \right)\). The computational complexity for the operations: matrix multiplication modulo \(p\), vector multiplication modulo \(p\), and vector addition modulo \(p\) is \(O\left( {{\text{mn }}\left {p^{2} } \right} \right)\), \(O\left( {m{ }\left {p^{2} } \right} \right)\), and \(O\left( {m\left p \right} \right)\), respectively. Thus, the total computational complexity of the proposed protocol is \(8k \log^{2} \left( k \right)\left( {8k \log^{2} \left( k \right) + 1} \right)\). Table 3 shows the comparison result of our protocol with the related protocols.
Furthermore, the storage requirement and the communication cost comparisons between the proposed protocol and the related protocols [28, 31] are evaluated and shown in Table 4. In the evaluation, we consider the login and authentication phases in the comparison. Note that the registration phase is not performed frequently. In all protocols, we assume the length of the identity, output size of the hash function, and number in \(Z_{p}\) are \(\left p \right = 2logk\). Thus, the total communication cost of our protocol sending messages \(\left\{ {ID_{i} ,Z_{i} ,\beta_{i} ,r_{i} } \right\}\), \(\left\{ {w{^{\prime}}_{i} } \right\}\), and \(\left\{ {\theta_{1} ,\theta_{2} ,\theta_{4} ,\theta_{5} ,\theta_{6} } \right\}\) is \(\left( {m + 11} \right)\left p \right = 2\log k\left( {2k\log \left( k \right) + 11} \right)\). The storage requirements of our protocol and the related protocols [28, 31] are computed. The total storage cost for storing master key \(mk \in Z_{p}^{1 \times n}\), matrix \(A \in Z_{p}^{m \times n}\), public key \(pk \in Z_{p}^{1 \times m}\), and seven hash value is \(\left( {n + mn + m + 7} \right)\left p \right = 2\log k\left( {4k^{2} \log^{2} k + 4k\log k + 7} \right)\).
9 Conclusion
This paper proposed a new lightweight twofactorbased user authentication protocol for the IoTenabled healthcare ecosystem. We evaluated the security of the proposed protocol through the formal security analysis using random oracle model (ROM), showing that our protocol is secure against today and upcoming quantum attacks. The proposed protocol achieved the following functionality and security properties: memorylesseffortless, user anonymity, mutual authentication, and resistance to tampering and stolen of biometric template, stolen smart card, privileged interior attacks.
The proposed protocol was evaluated in terms of the performance metrics: storage requirement, computation and communication. The results demonstrated that our protocol is more efficient than Mukherjee et al., Chaudhary et al., and Gupta et al. protocols. The overhead of the computational costs of our protocol becomes larger naturally since the proposed protocol exploits these computations to provide several significant security and functionality properties.
The overall performance demonstrates that the proposed protocol is suitable for the Internet of Things applications.
References
Alsubaei, F., Abuhussein, A., Shiva, S.: A framework for ranking IoMT solutions based on measuring security and privacy. In: Advances in Intelligent Systems and Computing (2019)
Sun, Y.; Lo, F.P.W.; Lo, B.: Security and privacy for the internet of medical things enabled healthcare systems: a survey. IEEE Access. (2019). https://doi.org/10.1109/ACCESS.2019.2960617
Yang, W.; Wang, S.; Zheng, G.; Yang, J.; Valli, C.: A privacypreserving lightweight biometric system for internet of things security. IEEE Commun. Mag. (2019). https://doi.org/10.1109/MCOM.2019.1800378
Campbell, M.: Putting the Passe into passwords: how passwordless technologies are reshaping digital identity. Computer (Long. Beach. Calif) (2020). https://doi.org/10.1109/MC.2020.2997278
Karimian, N., Wortman, P.A., Tehranipoor, F.: Evolving authentication design considerations for the Internet of biometric things (IoBT). In: 2016 International Conference on Hardware/Software Codesign and System Synthesis, CODES+ISSS 2016 (2016)
Riaz, N.; Riaz, A.; Khan, S.A.: Biometric template security: an overview. Sens. Rev. 38(1), 120–127 (2018). https://doi.org/10.1108/SR0720170131
AlSaggaf, A.A.: Secure method for combining cryptography with Iris biometrics. J. Univers. Comput. Sci. 24(4), 341–356 (2018)
Hao, F.; Anderson, R.; Daugman, J.: Combining crypto with biometrics effectively. IEEE Trans. Comput. (2006). https://doi.org/10.1109/TC.2006.138
Christian, R.; Andreas, U.: A survey on biometric cryptosystems and cancelable biometrics. EURASIP J. Inf. Secur. 2011(3), 1–25 (2011). https://doi.org/10.1186/1687417X20113
Juels, A., Wattenberg, M.: Fuzzy commitment scheme. In: Proceedings of the ACM Conference on Computer and Communications Security (1999)
Rathgeb, C.; Uhl, A.: Statistical attack against fuzzy commitment scheme. IET Biom. (2012). https://doi.org/10.1049/ietbmt.2011.0001
Ignatenko, T.; Willems, F.M.J.: Information leakage in fuzzy commitment schemes. IEEE Trans. Inf. Forensics Secur. (2010). https://doi.org/10.1109/TIFS.2010.2046984
Tams, B.: Decodability attack against the fuzzy commitment scheme with public feature transforms. 1–19 (2014)
Shor, P.W.: Polynomial time algorithms for discrete logarithms and factoring on a quantum computer. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (1994)
Asif, R.: Postquantum cryptosystems for internetofthings: a survey on latticebased algorithms. IoT (2021). https://doi.org/10.3390/iot2010005
AlSaggaf, A.A.: A postquantum fuzzy commitment scheme for biometric template protection: an experimental study. IEEE Access. (2021). https://doi.org/10.1109/ACCESS.2021.3100981
Mumtaz, M., Akram, J., Ping, L.: An RSA based authentication system for smart IoT environment. In: Proceedings—21st IEEE International Conference on High Performance Computing and Communications, 17th IEEE International Conference on Smart City and 5th IEEE International Conference on Data Science and Systems, HPCC/SmartCity/DSS 2019 (2019)
Xu, G.; Qiu, S.; Ahmad, H.; Xu, G.; Guo, Y.; Zhang, M.; Xu, H.: A multiserver twofactor authentication scheme with untraceability using elliptic curve cryptography. Sensors (Switzerland) (2018). https://doi.org/10.3390/s18072394
Soni, P.; Pal, A.K.; Islam, S.H.: An improved threefactor authentication scheme for patient monitoring using WSN in remote healthcare system. Comput. Methods Programs Biomed. (2019). https://doi.org/10.1016/j.cmpb.2019.105054
Ayub, M.F.; Mahmood, K.; Kumari, S.; Sangaiah, A.K.: Lightweight authentication protocol for ehealth clouds in IoT based applications through 5G technology. Digit. Commun. Netw. (2020). https://doi.org/10.1016/j.dcan.2020.06.003
Rehman, H.U.; Ghani, A.; Chaudhry, S.A. et al.: A secure and improved multi server authentication protocol using fuzzy commitment. Multimed. Tools Appl. 80, 16907–16931 (2021). https://doi.org/10.1007/s1104202009078z
Mohammed, A.J.; Yassin, A.A.: Efficient and flexible multifactor authentication protocol based on fuzzy extractor of administrator’s fingerprint and smart mobile device. Cryptography (2019). https://doi.org/10.3390/cryptography3030024
Taher, B.H.; Jiang, S.; Yassin, A.A.; Lu, H.: Lowoverhead remote user authentication protocol for IoT based on a fuzzy extractor and feature extraction. IEEE Access 7, 256 (2019). https://doi.org/10.1109/ACCESS.2019.2946400
Li, N.; Liu, D.; Nepal, S.: Lightweight mutual authentication for IoT and its applications. IEEE Trans. Sustain. Comput. (2017). https://doi.org/10.1109/TSUSC.2017.2716953
Needham, R.M.; Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM (1978). https://doi.org/10.1145/359657.359659
Cao, J.; Yu, P.; Xiang, X.; Ma, M.; Li, H.: Antiquantum fast authentication and data transmission scheme for massive devices in 5G NBIoT system. IEEE Internet Things J. (2019). https://doi.org/10.1109/JIOT.2019.2931724
Zhou, Y.; Wang, L.: A latticebased authentication scheme for roaming service in ubiquitous networks with anonymity. Secur. Commun. Netw. (2020). https://doi.org/10.1155/2020/2637916
Mukherjee, S.; Gupta, D.S.; Biswas, G.P.: An efficient and batch verifiable conditional privacypreserving authentication scheme for VANETs using lattice. Computing (2019). https://doi.org/10.1007/s0060701806893
Chaudhary, R.; Jindal, A.; Aujla, G.S.; Kumar, N.; Das, A.K.; Saxena, N.: LSCSH: latticebased secure cryptosystem for smart healthcare in smart cities environment. IEEE Commun. Mag. (2018). https://doi.org/10.1109/MCOM.2018.1700787
Sahu, A.K.; Sharma, S.; Puthal, D.: Lightweight multiparty authentication and keyagreement protocol in IoT based ehealthcare service. ACM Trans. Multimed. Comput. Commun. Appl. (2020). https://doi.org/10.1145/3398039
Gupta, D.S.; Islam, S.H.; Obaidat, M.S.; Karati, A.; Sadoun, B.: LAAC: lightweight latticebased authentication and access control Protocol for Ehealth systems in IoT environments. IEEE Syst. J. (2020). https://doi.org/10.1109/jsyst.2020.3016065
Dang, Q.: Changes in federal information processing standard (FIPS) 180–4, secure hash standard. Cryptologia (2013). https://doi.org/10.1080/01611194.2012.687431
Ajtai, M.: Generating hard instances of lattice problems. In: Proceedings of the Annual ACM Symposium on Theory of Computing (1996)
Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. (2016). https://doi.org/10.1561/0400000074
Micciancio, D., Regev, O.: Latticebased cryptography. In: PostQuantum Cryptography (2009)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM. (2009). https://doi.org/10.1145/1568318.1568324
Acknowledgements
The authors thank King Fahd University of Petroleum & Minerals for providing facilities for this research.
Funding
This work is a part of the project supported by the King Fahd University of Petroleum and Minerals under Grant SR191031.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors declare no conflict of interest.
Rights and permissions
Springer Nature or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author selfarchiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Alsaggaf, A.A., Sheltami, T., Alkhzaimi, H. et al. Lightweight TwoFactorBased User Authentication Protocol for IoTEnabled Healthcare Ecosystem in Quantum Computing. Arab J Sci Eng 48, 2347–2357 (2023). https://doi.org/10.1007/s13369022072350
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s13369022072350