1 Introduction

The healthcare ecosystem is undergoing a modernization known as digital transformation. The Internet of Things (IoT) offers many benefits for the healthcare sector. IoT-enabled healthcare makes care practical for an aging population and for chronic diseases, automates patient care, and supports the collection and analysis of health records. IoT-enabled healthcare also provided a better environment for both physicians and patients during the outbreak of COVID-19. The IoT-enabled healthcare ecosystem refers to the interconnection of smart devices and applications via the Internet, and it enables the remote collection, monitoring, and analysis of measurements of a patient's condition [1, 2]. Figure 1 illustrates a typical IoT-enabled healthcare ecosystem, where a remote user (for instance, a physician or a member of the patient's family) collects and monitors the patient's biomedical conditions for further processing. Wearable or implantable IoT medical devices are deployed on or in the patient's body, where they measure and collect the patient's biomedical conditions. These measurements are transferred to a smartphone connected to the IoT medical devices via an app. The smartphone then sends them to the healthcare server for further analysis and decision-making.

Fig. 1: A typical IoT-enabled healthcare ecosystem architecture

Unlike social and fiscal identities, health records such as genetic data, medical conditions, or biometrics cannot be revoked once they are compromised. The most significant threats that IoT-enabled healthcare poses are to data security and privacy. Cybercriminals can misuse a patient's health records to make claims in the patient's name, for instance, to create fake IDs to buy drugs and medical equipment or to file fraudulent insurance claims. IoT-enabled healthcare security is mainly concerned with securing health records, communication, and user authentication. User authentication is a keystone of IoT-enabled healthcare security: it plays a crucial role in establishing trust between IoT healthcare users and devices and in preventing attacks [3].

Nowadays, knowledge-based authentication such as passwords and PINs plays a central role in IoT-based healthcare. With the exponential increase in the use of online services that rely on traditional authentication methods such as passwords, passwords have become not only frustrating for users but also costly to maintain. According to the 2020 Verizon Data Breach Investigations Report, more than 80% of data breaches are due to password phishing and security vulnerabilities in authentication systems [4]. Additionally, users hold an increasing number of accounts, with the average user memorizing 191 passwords according to the 2016 LastPass report.

Due to its advantages over traditional authentication methods, biometrics is considered a promising authentication method in the IoT era [5]. However, there are serious concerns about the security and privacy of the stored biometric template [6]. In the last decade, many researchers have combined techniques from cryptography and error-correcting codes to secure the stored biometric template, in what are known as biometric template protection schemes [7,8,9,10]. However, error-correcting codes are essential to the design of traditional biometric template protection schemes, and they degrade the security and performance of these schemes [11,12,13].

Currently, IoT systems rely on conventional cryptographic algorithms based on integer factorization and the discrete logarithm, for instance Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC). However, conventional cryptographic algorithms will no longer be secure against upcoming quantum computers [14]. Furthermore, these algorithms are inadequate for IoT devices because of their complex computational requirements [2]. Therefore, post-quantum cryptographic primitives are a promising technique for securing communications between IoT users and devices. Due to its predominant features, such as resistance to quantum attacks, efficient performance, and operation on classical computers, lattice-based cryptography is at the forefront of post-quantum techniques [15].

Recently, a post-quantum fuzzy commitment scheme (PQFC) [16] has been shown to provide both security and accuracy for biometric template protection. To tackle the issues of IoT-enabled healthcare ecosystems, we propose a new lightweight two-factor user authentication protocol for the IoT-enabled healthcare ecosystem whose security rests on the PQFC scheme. The proposed protocol uses biometrics and a smart card for authentication. The main findings of the work are the following:

  1. A new lightweight two-factor user authentication protocol for the IoT-enabled healthcare ecosystem using a post-quantum fuzzy commitment scheme.

  2. Formal theoretical analysis shows that the proposed protocol is secure against upcoming quantum threats using random oracle models.

  3. Our protocol is a quantum-safe protocol.

  4. The biometric template is safeguarded, and biometric matching is performed indirectly.

  5. Our protocol is a memoryless-based user authentication protocol.

  6. Our protocol achieves important security and privacy properties, such as resistance to tampering with and theft of the stored biometric template, stolen smart card attacks, and privileged insider attacks.

  7. Our protocol provides good functionality features, such as memoryless and effortless operation, user anonymity, mutual authentication, renewable biometrics, and a lightweight design.

  8. The computational, communication, and storage costs of the proposed scheme are evaluated and compared with existing related protocols.

  9. The security and performance analysis shows that the proposed protocol is suitable for application in an IoT-enabled healthcare environment in comparison with the other existing competitive protocols.

The rest of the paper is organized as follows: Sects. 2 and 3 contain related work and preliminaries, respectively. The biometric-based PQFC authentication system is described in Sect. 4. The presented lightweight two-factor authentication protocol for IoT-enabled healthcare and corresponding formal security analysis is presented in Sects. 5 and 6, respectively. Section 7 discusses the security and functionality analysis of the proposed protocol. The performance evaluation is done in Sect. 8. Section 9 presents the conclusions.

2 Related Work

Recently, many authentication protocols for secure communication between IoT users and devices have been proposed. Some of them use traditional public-key cryptography such as Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC) [17,18,19]. However, these protocols are inadequate for IoT devices because of their complex computational operations. Furthermore, these approaches will no longer be secure against upcoming quantum computers [14]. Other authentication protocols [20,21,22,23] are based on traditional biometric template protection and are less efficient and less secure. Error-correcting codes are essential to the design of these traditional biometric template protection schemes, and they degrade the security and performance of the system.

Lattice-based cryptography techniques have attracted many researchers to secure applications in IoT environments due to their security and functionality efficiencies [15]. Of late, several authentication protocols for IoT sectors have been proposed in the literature. Nan et al. [24] proposed a lattice-based public-key encryption scheme based on the Needham–Schroeder scheme [25] and then used it to construct a lightweight authentication protocol for the smart city environment. They claimed that their protocol is secure against different attacks using informal security analysis. The protocol was implemented on the Contiki platform and evaluated using a Cooja-based emulation environment and the Texas Instruments CC2538 hardware platform. Cao et al. [26] presented an access authentication and data distribution scheme for 5G narrowband Internet of Things systems. The security of their protocol is based on lattice-based homomorphic encryption. To demonstrate the security of their protocol, they used BAN logic and the Scyther tool. Zhou and Wang proposed an anonymous NTRU-based authentication scheme for mobile users of roaming services in ubiquitous networks [27]. Mukherjee et al. designed a lattice-based conditional privacy-preserving authentication protocol for vehicular ad hoc networks [28]. They showed that their protocol ensures message integrity, authentication, and privacy preservation using the ROM model.

Chaudhary et al. [29] proposed a lattice-based cryptosystem for smart healthcare in future smart cities. They then combined their cryptosystem with bilinear Diffie–Hellman to construct an authentication protocol for healthcare. However, the protocol is not lightweight because it uses exponentiation operations, and hence it is not suitable for IoT applications. Sahu et al. [30] presented a lightweight multi-party authentication and key-establishment protocol for the IoT-based e-Healthcare service access network using lattice identity-based encryption. They tested the security of their protocol using the Scyther tool. Gupta et al. [31] presented a lattice-based authentication and access control protocol for IoT-based healthcare. Its security assumption is based on the hardness of the LWE problem. They measured the protocol's performance in terms of storage requirements and computational and communication costs, and then compared it with existing related protocols.

All the aforementioned authentication protocols for IoT environments rely solely on a password, and they fall apart if the password is not kept secure; passwords can easily be shared, stolen, forgotten, or phished. Therefore, the rapid development of emerging technologies such as IoT, cloud computing, blockchain, quantum computing, and e-services makes current research on user authentication protocols based on post-quantum cryptography urgent.

Recently, a post-quantum fuzzy commitment scheme (PQFC) [16] was proposed that guarantees both security and accuracy for biometric template protection. The author provides a theoretical and experimental analysis of the PQFC scheme, showing that it is a promising technique for providing a secure and usable method for users in IoT-enabled healthcare ecosystems.

3 Preliminaries

This section provides the mathematical preliminaries that are essential for describing and analyzing the proposed protocol.

3.1 Statistical Distance

Let \(D_{1}\) and \(D_{2}\) be two probability distributions over a common measurable sample space \(\Omega\). Recall that a non-negative function \(\varepsilon = \varepsilon \left( k \right)\) is negligible if, for every polynomial \(p\left( k \right)\), we have \(\varepsilon \left( k \right) < p\left( k \right)^{ - 1}\) for sufficiently large \(k\). The statistical distance \(SD\) between \(D_{1}\) and \(D_{2}\) is given by:

$$SD\left( D_{1} ,D_{2} \right) = \sum\limits_{x \in \Omega } \left| \Pr \left[ D_{1} \right] - \Pr \left[ D_{2} \right] \right| = \varepsilon$$
(1)

3.2 Collision Resistance Hash Function

A function \(h:\left\{ {0,1} \right\}^{*} \to \left\{ {0,1} \right\}^{k}\) is called a collision-resistant hash function [32] if the following properties hold: (1) compression: \(h\) maps an input \(x\) of arbitrary finite bit length to an output \(h\left( x \right)\) of fixed bit length \(k\); (2) ease of computation: given \(h\) and an input \(x\), \(h\left( x \right)\) is easy to compute; (3) pre-image resistance: for any given output \(y\), it is computationally infeasible to find an input \(x{^{\prime}}\) such that \(h\left( {x^{\prime}} \right) = y\); (4) collision resistance: it is computationally infeasible to find two distinct inputs \(x\) and \(x{^{\prime}}\) with the same hash value, i.e., \(h\left( x \right) = h\left( {x^{\prime}} \right)\).

3.3 Lattice

Definition 1

A basis is a set of linearly independent vectors \({\mathbf{\rm B}} = \left\{ {{\varvec{b}}_{1} ,{\varvec{b}}_{2} , \ldots ,{\varvec{b}}_{{\varvec{n}}} } \right\}\) of the Euclidean vector space \({\mathbb{R}}^{n}\) that spans the full space.

Definition 2

A lattice \({\mathcal{L}}\) is a discrete additive subgroup of \({\mathbb{R}}^{n}\) whose elements are generated by the integer linear combinations of the basis \({\mathbf{\rm B}} = \left\{ {{\varvec{b}}_{1} ,{\varvec{b}}_{2} , \ldots ,{\varvec{b}}_{{\varvec{n}}} } \right\}\):

$${\mathcal{L}}\left( {\mathbf{\rm B}} \right) := \left\{ {\varvec{v}} = \sum\limits_{i = 1}^{n} z_{i} {\varvec{b}}_{i} : \quad z_{i} \in {\mathbb{Z}} \right\}$$
(2)

3.4 Lattice Computational Complexities

We now give definitions of well-known lattice computational problems used to construct lattice-based cryptography primitives.

  • LP1: Shortest Vector Problem (SVP): the shortest vector problem has three variants [33]:

    • P1) Find the length of the shortest nonzero vector in the lattice \({\mathcal{L}}\left( {\mathbf{\rm B}} \right)\).

    • P2) Find a shortest nonzero vector \({\varvec{v}} \in {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\), i.e., one with \(\left\|{\varvec{v}} \right\| = \lambda \left( {\mathcal{L}} \right)\).

    • P3) Find a basis \({\mathbf{\rm B}} = \left\{ {{\varvec{b}}_{1} ,{\varvec{b}}_{2} , \ldots ,{\varvec{b}}_{{\varvec{n}}} } \right\}\) of \({\mathcal{L}}\) in which \(\mathop {\max }\limits_{i} \left\| {\varvec{b}}_{i} \right\|\) is as small as possible, up to a polynomial factor.

  • LP2: Approximate Shortest Vector Problem (\({\text{SVP}}_{\gamma }\)) [34]: Given a basis \({\mathbf{\rm B}}\) of an n-dimensional lattice \({\mathcal{L}} = {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\), find a nonzero vector \({\varvec{v}} \in {\mathcal{L}}\) such that \(\left\|{\varvec{v}} \right\| \le \gamma \left( n \right) \cdot \lambda \left( {\mathcal{L}} \right)\), for an approximation factor \(\gamma \ge 1\) taken as a polynomial in n.

  • LP3: Closest Vector Problem (CVP) [35]: Given a basis \({\mathbf{\rm B}}\) of an n-dimensional lattice \({\mathcal{L}} = {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\) and a target vector \({\varvec{u}}\) (not necessarily in the lattice), find a lattice vector \({\varvec{v}} \in {\mathcal{L}}\) that is closest to \({\varvec{u}}\).

  • LP4: Short Integer Solution (SIS) [36]: Given a matrix \({\mathbf{\rm A}} \in {\mathbb{Z}}_{q}^{m \times n}\) whose columns are uniformly random vectors in \({\mathbb{Z}}_{q}^{n}\), find a nonzero vector \({\varvec{w}} \in \Lambda_{q}^{ \bot } \left( {\text{\rm A}} \right)\).

  • LP5: Decisional Approximate SVP (\({\text{GapSVP}}_{\gamma }\)): Given a basis \({\mathbf{\rm B}}\) of an n-dimensional lattice \({\mathcal{L}} = {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\) and a number \(d\), decide whether \(\lambda \left( {\mathcal{L}} \right) \le d\) (YES instance) or \(\lambda \left( {\mathcal{L}} \right) > \gamma \left( n \right) \cdot d\) (NO instance).

  • LP6: Shortest Independent Vectors Problem (\({\text{SIVP}}_{\gamma }\)) [36]: Given a basis \({\mathbf{\rm B}}\) of an n-dimensional lattice \({\mathcal{L}} = {\mathcal{L}}\left( {\mathbf{\rm B}} \right)\), output a set of \(n\) linearly independent lattice vectors of length at most \(\gamma \left( n \right) \cdot \lambda \left( {\mathcal{L}} \right)\).

  • LP7: Learning with Errors (LWE) problem: We briefly describe the Learning with Errors (LWE) problem, which is used to construct efficient lattice-based cryptography. Regev [36] gave a reduction from worst-case lattice problems such as GapSVP and SIVP to the learning with errors problem, proving that a solution to the LWE problem implies a quantum algorithm for GapSVP and SIVP.

LWE distribution: For some integer \(k \ge 1\), let \(m, n = {\text{poly}}(k)\) and a prime \(q\) be positive integers, and let \({\mathcal{X}}\) be an error distribution on \({\mathbb{Z}}_{q}\). The LWE distribution \({\mathcal{A}}_{{s,b_{i} }} \subseteq {\mathbb{Z}}_{q}^{n} \times {\mathbb{Z}}_{q}\) is sampled using a secret vector \(s \in {\mathbb{Z}}_{q}^{n}\) and the matrix \({\mathbf{\rm A}} \in {\mathbb{Z}}_{q}^{m \times n}\) whose rows are chosen uniformly at random, \({\varvec{a}}_{{\varvec{i}}} \mathop \leftarrow \limits^{R} {\mathcal{U}}\left( {{\mathbb{Z}}_{q}^{n} } \right)\) for \(i = 1,2,\ldots,m\); an error \(e_{i} \leftarrow {\mathcal{X}}\) is drawn for each row, and the output is \(b_{i} = \left\langle {{\varvec{a}}_{{\varvec{i}}} ,{\mathbf{s}}} \right\rangle + e_{i} \in {\mathbb{Z}}_{q}\) for all \(i = 1,2,\ldots,m\).

4 The Biometric-Based PQFC Authentication System

In this section, we briefly describe the biometric-based PQFC authentication system [16], which relies on the worst-case hardness of the shortest vector problem (SVP) in lattices. The construction of the biometric-based PQFC authentication system consists of two main stages, enrollment and verification, preceded by a setup stage. The process of the system is described below:

4.1 Setup Stage

Positive integers \(m\), \(n\), and a prime \(p\) are chosen at random. Then, the matrix \({\mathbf{\rm A}} \in {\mathbb{Z}}_{q}^{m \times n}\) is generated, whose columns are vectors in the lattice \({\mathcal{L}}\left( {\mathbf{\rm B}} \right)\).

4.2 Enrollment Stage

First, the user chooses a random vector \(v \in Z_{p}^{n}\) and generates a biometric reference template \(x_{r} \in Z_{2}^{m}\) using dedicated feature-extraction software. The vector \(v\) and the template \(x_{r}\) are input to the PQFC function to generate the biometric reference commitment \(\beta_{r}\):

$$\beta_{r} = F\left( v, x_{r} \right) = {\rm A} \times_{q} v +_{q,2} x_{r},$$
(3)

where \(\times_{q}\) denotes matrix multiplication modulo \(q\), and \(+_{q,2}\) denotes vector addition modulo \(q\) followed by reduction of the result modulo 2.

4.3 Verification Stage

The user generates his/her biometric query template \(x_{q} \in Z_{2}^{m}\) and then computes the biometric query commitment \(\beta_{q}\) as follows:

$$\beta_{q} = F\left( v, x_{q} \right) = {\rm A} \times_{q} v +_{q,2} x_{q}$$
(4)

The biometric query commitment \(\beta_{q}\) is matched against the stored \(\beta_{r}\) using, e.g., Hamming distance. If the matching score is within the system threshold, then the user is authenticated.

5 Lightweight Two-Factor User Authentication Protocol for the IoT-Enabled Healthcare

The proposed protocol comprises four phases, namely the registration phase, the login phase, the authentication phase, and the biometric revocation phase. The protocol involves three entities, namely (1) a user \({U}_{i}\), for instance a physician, nurse, pharmacologist, or member of the patient's family, (2) a medical server MS, and (3) a patient \({P}_{j}\). \({U}_{i}\) must register and authenticate herself/himself with the medical server MS to access the patient's medical data. It is worth noting that the patient's medical data are collected and measured using smart devices implanted in the patient's body, and are then transferred to the medical server MS. The steps of these phases are described in detail below.

5.1 Setup Phase

The main purpose of this phase is to generate the public parameters \(\vartriangle\); that is, MS takes a unary \(1^{k}\) as input and executes the following steps:

  • S1: MS chooses a prime number \(p\) and two positive integers \(m\) and \(n\).

  • S2: MS randomly generates a matrix \({\rm A} \in {\rm Z}_{p}^{m \times n}\), which consists of \(n\) linearly independent vectors of the lattice \(\Lambda_{p}\), and then chooses a cryptographic hash function \(h:\left\{ {0,1} \right\}^{*} \to \left\{ {0,1} \right\}^{k}\).

  • S3: MS randomly chooses a master key vector \(mk \in Z_{p}^{1 \times n}\) and computes the public key \(pk = {\rm A} \cdot mk^{T} \left( {{\text{mod }}p} \right) \in Z_{p}^{1 \times m}\).

  • S4: MS publishes the public parameters of the system \(\vartriangle = \left\{ {m,n,p,{\rm A},pk,h\left( \cdot \right)} \right\}\) and keeps \(mk\) secret.

5.2 Registration Phase

When the user \(U_{i}\) needs to register with the medical server MS, she/he performs the following steps:

  • R1: \(U_{i}\) selects her/his unique identity \(ID_{i}\).

  • R2: \(U_{i}\) uses dedicated software to generate a cryptographic key \(k_{i} \in Z_{2}^{l}\) and a random number \(N\), then computes \(c_{i} = h(k_{i} ||N)\).

  • R3: \(U_{i}\) presents her/his personal biometric data \(B_{i}\) to the biometric reader, and the biometric reference template \(x_{r} \in Z_{2}^{t}\) is extracted, where \(m = t + l\). Then, \(U_{i}\) chooses \(v_{i} \in Z_{p}^{n}\) at random and computes the following:

    $$\beta_{r} = {\rm A} \times_{q} v_{i} +_{q,2} (x_{r} ||k_{i} ),$$
    (5)
    $$r_{i} = h\left( {c_{i} ||\beta_{r} } \right),$$
    (6)
    $$w_{i} = {\rm A} \times_{q} v_{i},$$
    (7)
    $$Z_{i} = w_{i} \times_{q} pk^{T},$$
    (8)
    $$\delta_{i} = h\left( {w_{i} } \right) \oplus h(ID_{i} ||r_{i} )$$
    (9)
  • R4: \(U_{i}\) sends the registration message \(\left\{ {ID_{i} ,{ }r_{i} ,{ }Z_{i} ,\delta_{i} } \right\}\) to the medical server MS.

  • R5: MS computes \(e_{i} = h(ID_{i} ||mk) \oplus r_{i}\) and loads \(\left\{ {r_{i} ,Z_{i} ,\delta_{i} ,e_{i} ,s} \right\}\) onto \(U_{i}\)'s smart card, then sends the smart card to the user \(U_{i}\).

  • R6: Upon receiving the smart card, the user stores the random number N and \(\beta_{r}\) in her/his smart card.

5.3 Login Phase

Whenever the user \(U_{i}\) wants to access the health profile of the patient \(P_{j}\), she/he must log in to the medical server MS by performing the following steps:

  • L1: \(U_{i}\) inserts her/his smart card into the card reader and keys her/his identity \(ID_{i}\).

  • L2: The smart card sends the login message request \(\left\{ {Z_{i} ,\delta_{i} ,r_{i} } \right\}\) to the medical server MS.

  • L3: Upon receiving the login request, the medical server MS computes \(w{^{\prime}}_{i} = \left( {Z_{i} \cdot {\rm A}} \right) \cdot mk^{T} \left( {{\text{mod }}p} \right)\) and sends \(w{^{\prime}}_{i}\) to the user \(U_{i}\) via a public channel.

  • L4: Upon receiving \(w{^{\prime}}_{i}\), the user \(U_{i}\) presents her/his biometric data \(B_{i}\) to the biometric reader, and a biometric query template \(x_{q}\) is extracted. The smart card calculates \(\beta_{q} = w{^{\prime}}_{i} +_{q,2} (x_{q} ||0)\) and verifies that \(dist\left( {\beta_{q} ,\beta_{r} } \right) \le d_{th}\).

  • L5: If the above biometrics verification fails, the session will be terminated; otherwise, the smart card extracts \(k{^{\prime}}_{i} = \beta_{r} \oplus \beta_{q}\) and computes \(r{^{\prime}}_{i} = h\left( {h(k{^{\prime}}_{i} ||N)||\beta_{q} } \right)\), and then the smart card verifies \(r_{i} = r{^{\prime}}_{i}\).

  • L6: If the above key verification fails, the session is terminated; otherwise, the smart card continues by computing the following: \(\theta_{1} = e_{i} \oplus r{^{\prime}}_{i}\), \(\theta_{2} = \theta_{1} \oplus R_{u}\), \(\theta_{3} = h(s||R_{u} )\), \(\theta_{4} = c_{i} \oplus \theta_{3}\), \(\theta_{5} = h\left( {\theta_{2} ||\theta_{3} ||\theta_{4} } \right)\), and \(\theta_{6} = \theta_{3} \oplus ID_{i}\).

  • L7: The smart card sends the message \(\left\{ {\theta_{1} ,\theta_{2} ,\theta_{4} ,\theta_{5} ,\theta_{6} } \right\}\) to the medical server for authentication.
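The commitment, fuzzy match and key extraction of Sect. 4 (Eqs. 3–4) and of steps R3 and L4–L5 above, as an added Python example that is not code from the paper. It assumes SHA-256 for \(h(\cdot)\), toy parameters, that \(w{^{\prime}}_{i}\) returned by MS in step L3 equals \({\rm A} \times_{q} v_{i}\) (it is recomputed directly here), that the distance is taken over the template part of the commitment (the key part of \(\beta_{r} \oplus \beta_{q}\) is \(k_{i}\) by construction), and that \(r{^{\prime}}_{i}\) is recomputed over the stored \(\beta_{r}\), the value hashed in Eq. (6).

```python
import hashlib
import random

# Toy parameters (constructed for this example; far smaller than a real deployment).
Q = 7919            # prime modulus q (written p in Sect. 5)
N = 8               # lattice dimension n
T = 48              # biometric template length t
L = 16              # cryptographic key length l
M = T + L           # commitment length m = t + l
D_TH = 6            # threshold d_th on the template part of the commitment
ENTRY_MAX = 16      # entries of A and v_i are drawn from [0, ENTRY_MAX)


def h(*parts: bytes) -> bytes:
    """Collision-resistant hash h(.) of Sect. 3.2; SHA-256 assumed, '||' is concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def matvec_mod_q(A, v, q):
    """A x_q v: matrix-vector product with every coordinate reduced modulo q."""
    return [sum(a * b for a, b in zip(row, v)) % q for row in A]


def add_q2(w, u, q):
    """+_{q,2}: add modulo q, then reduce the result modulo 2 (Sect. 4.2)."""
    return [((wi + ui) % q) % 2 for wi, ui in zip(w, u)]


def pqfc_commit(A, v, u, q):
    """F(v, u) = A x_q v +_{q,2} u, Eq. (3) / Eq. (5)."""
    return add_q2(matvec_mod_q(A, v, q), u, q)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def enroll(A, x_r, k_i, nonce_n, v_i, q=Q):
    """Steps R2-R3 and R6: the values the smart card ends up holding (e_i, Z_i, delta_i omitted)."""
    beta_r = pqfc_commit(A, v_i, x_r + k_i, q)       # Eq. (5): commit to x_r || k_i
    c_i = h(bytes(k_i), nonce_n)                     # c_i = h(k_i || N)
    r_i = h(c_i, bytes(beta_r))                      # Eq. (6): r_i = h(c_i || beta_r)
    return {"beta_r": beta_r, "r_i": r_i, "N": nonce_n}


def login(card, x_q, w_prime, q=Q):
    """Steps L4-L5 on the smart card. Returns k'_i on success, None otherwise."""
    beta_q = add_q2(w_prime, x_q + [0] * L, q)       # beta_q = w'_i +_{q,2} (x_q || 0)
    # Fuzzy match on the template part only: the key part of beta_r xor beta_q
    # equals k_i by construction and would always contribute weight(k_i).
    if hamming(beta_q[:T], card["beta_r"][:T]) > D_TH:
        return None
    diff = [a ^ b for a, b in zip(card["beta_r"], beta_q)]   # k'_i = beta_r xor beta_q
    k_prime = diff[T:]                                        # the last l bits carry the key
    # r'_i = h(h(k'_i || N) || beta_r), recomputed over the stored commitment of Eq. (6)
    r_prime = h(h(bytes(k_prime), card["N"]), bytes(card["beta_r"]))
    return k_prime if r_prime == card["r_i"] else None


def make_instance(seed=2024):
    """Constructed sample data. Small entries keep every (A v mod q) coordinate below
    q - 1, so +_{q,2} flips a coordinate exactly when the added bit is 1."""
    rng = random.Random(seed)
    A = [[rng.randrange(ENTRY_MAX) for _ in range(N)] for _ in range(M)]
    v_i = [rng.randrange(ENTRY_MAX) for _ in range(N)]
    x_r = [rng.randrange(2) for _ in range(T)]
    k_i = [rng.randrange(2) for _ in range(L)]
    nonce_n = bytes(rng.randrange(256) for _ in range(16))
    return A, v_i, x_r, k_i, nonce_n


def noisy(template, flips, seed):
    """Simulate a fresh biometric reading that differs from the reference in `flips` bits."""
    rng = random.Random(seed)
    out = list(template)
    for idx in rng.sample(range(len(template)), flips):
        out[idx] ^= 1
    return out


def demo():
    A, v_i, x_r, k_i, nonce_n = make_instance()
    card = enroll(A, x_r, k_i, nonce_n, v_i)
    w_prime = matvec_mod_q(A, v_i, Q)     # stands in for w'_i returned by MS in step L3
    accepted = login(card, noisy(x_r, 4, seed=1), w_prime)    # 4 bit errors: within d_th
    rejected = login(card, noisy(x_r, 10, seed=2), w_prime)   # 10 bit errors: beyond d_th
    return accepted == k_i, rejected is None


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The card never stores \(x_{r}\) or \(k_{i}\) in the clear: both are recovered only from \(\beta_{r}\) together with a fresh query close enough to the reference.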

5.4 Authentication Phase

When MS receives the message \(\left\{ {\theta_{1} ,\theta_{2} ,\theta_{4} ,\theta_{5} ,\theta_{6} } \right\}\), the medical server MS and the user \(U_{i}\) perform the following steps to authenticate each other.

  • A1: MS computes \(\theta_{7} = \theta_{2} \oplus \theta_{1}\) and \(ID{^{\prime}}_{i} = \theta_{6} \oplus h(s||\theta_{1} \oplus \theta_{2} )\).

  • A2: MS checks the format of \(ID{^{\prime}}_{i}\). If \(ID{^{\prime}}_{i}\) is valid, MS computes and verifies \(\theta_{5} = h(\theta_{2} ||\theta_{8} ||\theta_{4} )\); if it does not hold, MS rejects the login request and terminates the session. Otherwise, MS accepts the login of the user \(U_{i}\) and stores \(\left\{ {ID_{i} ,\theta_{7} } \right\}\) in the database system to resist replay and man-in-the-middle attacks.

  • A3: MS computes \(\theta_{9} = \theta_{4} \oplus \theta_{8}\), \(\theta_{10} = h\left( {\theta_{9} ||ID_{s} ||s} \right) \oplus \theta_{8} \oplus R_{s}\), \(\theta_{11} = h(\theta_{1} ||\theta_{9} ||s||R_{s} )\), then MS sends \(\left\{ {\theta_{10} ,\theta_{11} } \right\}\) to the user \(U_{i}\).

  • A4: \(U_{i}\) computes \(\theta_{12} = h\left( {c_{i} ||ID_{s} ||s} \right) \oplus R_{u}\) and verifies \(\theta_{11} = h(\theta_{1} ||c_{s} ||s||\theta_{12} )\). If it does not hold, \(U_{i}\) terminates the session. Otherwise, the medical server MS is authenticated by the user \(U_{i}\). Finally, the user and the medical server compute \(h(c_{i} ||\theta_{3} ||\theta_{12} ||ID_{s} ) = K_{{{\text{sess}}}} = h(\theta_{9} ||\theta_{8} ||R_{s} ||ID_{s} )\), respectively, which is taken as the session key \(K_{sess}\).

5.5 Biometric Revocation Phase

To re-register her/his same biometric \(B_{i}\), \(U_{i}\) performs the biometric revocation phase as follows:

  • V1: \(U_{i}\) inserts her/his smart card, keys in the identity \(ID_{i}\), and presents her/his biometrics \(B_{i}\) to the biometric reader, which generates a biometric template \(x_{r}^{{{\text{new}}}}\) that is used for biometric verification as described in steps L2–L5 of the login phase. The cryptographic key \(k{^{\prime}}_{i}\) is retrieved, and the user generates a new cryptographic key \(k_{i}^{{{\text{new}}}}\).

  • V2: If this verification fails, the session is terminated. Otherwise, the smart card computes \(e{^{\prime}}_{i} = e_{i} \oplus r{^{\prime}}_{i}\), \(\beta_{r}^{{{\text{new}}}} = {\rm A}^{T} \times_{q} v_{i}^{{{\text{new}}}} +_{q,2} (x_{r}^{{{\text{new}}}} ||k_{i}^{{{\text{new}}}} )\), \(c_{i}^{{{\text{new}}}} = h(k_{i}^{{{\text{new}}}} ||N)\), \(r_{i}^{{{\text{new}}}} = h\left( {c_{i}^{{{\text{new}}}} ||\beta_{r}^{{{\text{new}}}} } \right)\), \(e_{i}^{{{\text{new}}}} = e_{i} \oplus r_{i}^{{{\text{new}}}}\), \(w_{i}^{{{\text{new}}}} = {\rm A}^{T} \times_{q} v_{i}^{{{\text{new}}}}\), \(Z_{i}^{{{\text{new}}}} = pk \times_{q} w_{i}^{{{\text{new}}}}\), and \(\delta_{i}^{{{\text{new}}}} = h\left( {w_{i}^{{{\text{new}}}} } \right) \oplus h(ID_{i} ||r_{i}^{{{\text{new}}}} )\).

  • V3: Finally, \(e_{i}^{{{\text{new}}}}\), \(r_{i}^{{{\text{new}}}}\), \(\beta_{r}^{{{\text{new}}}}\), \(Z_{i}^{{{\text{new}}}}\), and \(\delta_{i}^{{{\text{new}}}}\) are stored on \(U_{i}\)'s smart card.

6 Security Analysis

In this section, a formal security analysis of the proposed protocol is given using the random oracle model (ROM). Theorem 1 shows that the adversary \(A^{Q}\) can breach the proposed protocol by learning the biometric reference template \(x_{r}\) and the cryptographic key \(k_{i}\) from \(F_{i}\) only with negligible probability. Theorem 2 proves that if the adversary \(A^{C}\) is able to breach the proposed protocol, then he/she is able to invert the one-way hash function. To this end, we simulate two random oracle models.

6.1 Quantum Random Oracle Model

This model is specified as a game that a probabilistic polynomial-time (possibly quantum) adversary \(A^{Q}\) plays with a challenger. The game works as follows:

The challenger takes unary \(\left( {1^{k} } \right)\) and generates vectors \(v \in {\rm Z}_{p}^{m}\) and \(x \in {\rm Z}_{2}^{n}\), and sends them to the adversary \(A^{Q}\) as input.

The adversary \(A^{Q}\) takes \(v\) and \(x\) as input to the function \(F\left( {v,x} \right)\) and is allowed to make \(q_{F}\) queries to the challenger. The adversary outputs a value \(F\), which is sent to the challenger.

The challenger then looks at \(\left( {v,x} \right)\), \(F\), and the \(q_{F}\) queries made by the adversary \(A^{Q}\). Finally, the challenger outputs 1 or 0.

6.2 Classical Random Oracle Model

This model is specified as a game that a probabilistic polynomial-time adversary \(A^{C}\) plays with a challenger. The game works as follows:

The challenger takes unary \(\left( {1^{k} } \right)\) and generates a value \(x\), and sends it to the adversary \(A^{C}\) as its input.

The adversary \(A^{C}\) takes \(x\) as input to the hash function \(h\left( . \right)\) and is allowed to make \(q_{h}\) queries to the challenger. The adversary then outputs a value \(y\), which it sends to the challenger.

The challenger then looks at \(x\), \(y\), and the \(q_{h}\) queries made by the adversary \(A^{C}\). Finally, the challenger outputs 1 or 0.

Theorem 1

Assume that \(D^{{R{^{\prime}}\left( {{\rm A},.} \right)}}\) and \(D^{R\left( . \right)}\) are the two output distributions of a probabilistic polynomial-time adversary \(A^{Q}\): the first for the oracle with chosen matrix \({\rm A} \in Z_{p}^{m \times n}\), and the second taken over the true oracle, with \(q_{F}\) quantum oracle queries. Then, the distributions \(D^{{R{^{\prime}}\left( {{\rm A},.} \right)}}\) and \(D^{R\left( . \right)}\) are statistically close (at most \(\varepsilon < p^{ - n} 2^{ - m} q_{F}\)).

Proof of Theorem 1

Let \(R\) be a random oracle, and let \(D^{{R\left( {{\rm A},.} \right)}} \left( {1^{k} } \right)\) and \(D^{R\left( . \right)} \left( {1^{k} } \right)\) be two random oracle distributions over the sample space \(\Omega\), namely the outputs of a possibly quantum adversary \(A^{Q}\).

Let \(m\) and \(n\) be positive integers with \(m > n\), polynomial in the security parameter \(k\), and let \(p\) be a prime number. For \(v \in Z_{p}^{m}\) and \(x \in Z_{2}^{n}\) chosen randomly, we define the statistical distance between the two distributions as follows:

$$\begin{aligned} & SD\left( D^{R\left( {\rm A},. \right)} \left( 1^{k} \right), D^{R\left( . \right)} \left( 1^{k} \right) \right) \\ & \quad = \sum \left| Pr_{\left( x,v \right) \leftarrow D^{R\left( {\rm A},. \right)} \left( 1^{k} \right)} \left[ A^{Q} \left( x,v \right) = 1 \right] \right. \\ & \qquad \left. - Pr_{\left( x,v \right) \leftarrow D^{R\left( . \right)} \left( 1^{k} \right)} \left[ A^{Q} \left( x,v \right) = 1 \right] \right| \end{aligned}$$
(10)

where \(Pr_{{\left( {x,v} \right) \leftarrow D^{{R\left( {{\rm A},.} \right)}} \left( {1^{k} } \right)}} \left[ {A^{Q} \left( {x,v} \right) = 1} \right] = \mathop \sum \limits_{v} pr\left[ v \right]Pr[F|v]\) and \(x = [x_{r} |k_{i} ]\).

Fix \(x_{0} \in Z_{2}^{n}\) such that \(F\left( {x_{0} ,v_{0} } \right) = F_{0}\) for some \(v_{0} \in Z_{p}^{m}\); then the following probability can be computed as follows:

$$Pr\left[ F_{0} | v_{0} \right] = \left\{ \begin{array}{ll} \frac{1}{2^{n}} & v_{0} \in \varphi \left( F_{0} \right) \\ 0 & \text{otherwise} \end{array} \right.$$
(11)

where \(\varphi \left( F \right)\) is the set of all preimages of the function \(F\). We define the size of \(\varphi\) as the number of quantum queries \(q_{F}\).

Now we compute the probability under the first distribution:

$$Pr_{\left( x,v \right) \leftarrow D^{R\left( {\rm A},. \right)} \left( 1^{k} \right)} \left[ A^{Q} \left( x,v \right) = 1 \right] = \sum\limits_{v} pr\left[ v \right] Pr[F|v] = \sum\limits_{v \in \varphi \left( F \right)} \frac{1}{p^{m}} \frac{1}{2^{n}} = \frac{q_{F}}{2^{n} \cdot p^{m}}$$
(12)

Then, we are ready to bound the statistical distance between the two distributions:

$$\begin{aligned} \varepsilon & = \sum \left| Pr_{\left( x,v \right) \leftarrow D^{R\left( {\rm A},. \right)} \left( 1^{k} \right)} \left[ A^{Q} \left( x,v \right) = 1 \right] \right. \\ & \qquad \left. - Pr_{\left( x,v \right) \leftarrow D^{R\left( . \right)} \left( 1^{k} \right)} \left[ A^{Q} \left( x,v \right) = 1 \right] \right| \\ & < \sum\limits_{v \in \varphi \left( F \right)} \frac{1}{p^{m}} \frac{1}{2^{n}} = \frac{1}{p^{m}} \frac{1}{2^{n}} \left| q_{F}^{\prime} - q_{F} \right| \end{aligned}$$

Theorem 2

Suppose that \(k_{i} \in Z_{2}^{l}\), \(N\) and \(F_{i}\) are generated uniformly at random. If a classical probabilistic polynomial-time adversary \(A^{C}\) breaks the security of the proposed protocol, then it can invert the one-way hash function \(h\left( z \right)\) on a random input \(z \in D \subseteq \left\{ {0,1} \right\}^{n}\) in polynomial time with non-negligible probability \(\varepsilon {^{\prime}} > 2^{ - k - n} q_{h} .\)

Proof of Theorem 2

Assume that \(A^{C}\) makes at most \(q_{h}\) queries to the random oracle \(h\) in an attempt to recover the user's cryptographic key \(k_{i}\). We define the adversary's advantage as the probability \(Adv_{{A^{C} }} \left( D \right) = Pr_{z \leftarrow D} \left[ {A^{C} \left( z \right) = 1} \right]\). In the classical random oracle model this advantage is governed by the number of queries \(q_{h}\), and it is bounded as follows:

$$\begin{aligned} Adv_{{A^{C} }} \left( D \right) & = Pr_{z \leftarrow D} \left[ {A^{C} \left( z \right) = 1} \right] = Pr_{z \leftarrow D} \left[ {z:h\left( z \right) = y} \right] \\ & = \mathop \sum \limits_{z} Pr\left[ y \right] \cdot Pr[z|y] \le \mathop \sum \limits_{z} \frac{1}{{2^{k} }} \cdot \frac{1}{{2^{n} }} \le \frac{{q_{h} }}{{2^{k + n} }} . \end{aligned}$$

7 Security and Functionality Features

In this section, we discuss the security and functionality features of the proposed protocol and compare it with the related lattice-based authentication protocols [28, 29, 31], as summarized in Table 1.

  • F1: Quantum attack resistant: IoT deployments already face security and privacy threats, and large-scale quantum computers would break the classical public-key primitives that many authentication protocols rely on. The security of the proposed protocol rests on the PQFC scheme, which is provably secure against quantum adversaries, as shown in the formal analysis above.

  • F2: Tampering with stored biometric templates attack: This property holds when an attacker who gains temporary or permanent access to the system database or the token cannot modify the stored template in order to pass server authentication. In the proposed protocol, the attacker would need to solve the SVP to obtain the biometric reference template in the first place.

  • F3: Biometric template theft resistant: This property concerns an attacker who gains access to the database or the token, obtains the user's biometric template and reuses it for other purposes. In our protocol, the user's biometric template is protected with the PQFC scheme, so no template is stored in the clear and there is nothing to steal.

  • F4: Privileged insider attack resistant: An insider with privileged access to the database server poses a serious threat; one such breach can lead to theft of, or tampering with, the biometric templates stored in the database. The proposed protocol lets the user hide the biometric template from privileged insiders during the registration phase by sending it to the authentication server in encrypted form, so an insider never sees the template itself.

  • F5: Smart card/token attack resistant: Assume that the user's smart card is lost or stolen. An attacker holding the card has no way to obtain the secret information stored on it: even if the attacker extracts the stored value \(w\), recovering \(v\) from it requires solving the lattice SVP, which contradicts the assumed hardness of the shortest vector problem (SVP).

  • F6: Man-in-the-middle attack resistant: In a man-in-the-middle attack, the attacker sits between the user and the server and negotiates the cryptographic parameters with each side in order to be accepted as a legitimate party. In the registration phase of the proposed protocol, the user sends a request to the authentication server, which replies with a message containing the matrix \(\mathbf{A}\). Suppose the attacker intercepts this message and replaces \(\mathbf{A}\) by \(\hat{\mathbf{A}}\); the user then computes \(F_{{{\mathcal{U}}_{i} }}^{r} = \left( {\hat{\mathbf{A}} \cdot v{\text{ mod }}q + t_{{{\mathcal{U}}_{i} }}^{r} } \right){\text{ mod }}2\) and sends it to the server. The attacker still cannot learn the biometric template \(t_{{{\mathcal{U}}_{i} }}^{r}\) from \(F_{{{\mathcal{U}}_{i} }}^{r}\) without solving the LWE lattice problem. Note that this argument assumes \(\hat{\mathbf{A}}\) is a well-formed random matrix: an implementation should authenticate the server's message rather than accept an arbitrary matrix, since a degenerate choice such as the all-zero matrix would make \(F_{{{\mathcal{U}}_{i} }}^{r}\) equal to \(t_{{{\mathcal{U}}_{i} }}^{r} {\text{ mod }}2\).

  • F7: Renewable biometric template: Unlike passwords, biometrics are limited in number and cannot be revoked once compromised. A biometric is the principal means of authentication in our protocol. If the protected template is compromised by any attack, the same biometric can be re-enrolled with fresh registration parameters, yielding a new, unrelated template.

  • F8: Memoryless-effortless: An authentication protocol that does not require users to remember any secret per service is called memoryless-effortless. By this definition, the proposed authentication protocol is memoryless-effortless.

  • F9: User anonymity: An important security property of an authentication protocol for IoT applications is the confidentiality of the user's identity, which should remain hidden from attackers. In the proposed protocol, the plaintext identity \(ID_{{{\mathcal{U}}_{i} }}\) is neither stored on the user's smart card nor sent in the login and authentication messages, over secure or insecure channels. Even if an attacker retrieves the values \(e_{i}\) and \(r_{i}\) from the smart card, determining \(ID_{{{\mathcal{U}}_{i} }}\) from them is equivalent to finding a preimage of the one-way hash function \(h\).

  • F10: Lightweight: A protocol with low computational and communication overhead is called lightweight; the costs of the proposed protocol are quantified in the next section.
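The template-masking step quoted in F6, and the caveat on an attacker-chosen matrix, can be checked concretely. The following is an added example, not code from the paper: it implements \(F = (\mathbf{A} \cdot v \bmod p + t) \bmod 2\) coordinate-wise (the modulus is written \(q\) in F6 and \(p\) in the performance section; \(p\) is used here), shows that the holder of \(v\) recovers \(t\), and shows that substituting the all-zero matrix strips the masking term so that \(F = t\). The parameter sizes, the secret \(v\), the bit template \(t\) and the `has_zero_row` sanity check are all assumptions for illustration and are not part of the proposed protocol.

```python
"""Added example (not the paper's code): the registration-phase masking
F = (A.v mod p + t) mod 2 from property F6, with a constructed toy
parameter set, and the effect of an attacker-substituted matrix."""
import secrets

P = 257      # assumed odd prime modulus, far smaller than a real deployment
M, N = 8, 6  # assumed dimensions: A is m x n, v in Z_p^n, t in Z_2^m


def rand_matrix(m, n, p):
    """Uniformly random m x n matrix over Z_p (the server's A)."""
    return [[secrets.randbelow(p) for _ in range(n)] for _ in range(m)]


def rand_vector(n, p):
    """Uniformly random vector in Z_p^n (the user's secret v)."""
    return [secrets.randbelow(p) for _ in range(n)]


def mask_template(A, v, t, p):
    """User side of registration: F = (A.v mod p + t) mod 2, coordinate-wise."""
    if len(A) != len(t) or any(len(row) != len(v) for row in A):
        raise ValueError("dimension mismatch between A, v and t")
    F = []
    for row, t_j in zip(A, t):
        s = sum(a * x for a, x in zip(row, v)) % p   # j-th coordinate of A.v mod p
        F.append((s + t_j) % 2)
    return F


def unmask_template(A, v, F, p):
    """Holder of v recovers t: t = (F - (A.v mod p)) mod 2."""
    t = []
    for row, f_j in zip(A, F):
        s = sum(a * x for a, x in zip(row, v)) % p
        t.append((f_j - s) % 2)
    return t


def has_zero_row(A, p):
    """Assumed sanity check on a received matrix (not from the paper): a row
    that is zero mod p contributes no masking term, so that coordinate of t
    would be sent in the clear.  Rejecting such matrices is a minimum; the
    received A should also be authenticated as coming from the server."""
    return any(all(a % p == 0 for a in row) for row in A)


def mitm_with_zero_matrix(v, t, p):
    """Attacker substitutes A_hat = 0 for A.  Without v the attacker cannot
    strip A.v from F, but with A_hat = 0 there is nothing to strip: F == t."""
    A_hat = [[0] * len(v) for _ in t]
    return mask_template(A_hat, v, t, p)


def demo():
    """Run the honest round trip and the degenerate-matrix case once."""
    A = rand_matrix(M, N, P)
    v = rand_vector(N, P)
    t = [secrets.randbelow(2) for _ in range(M)]   # constructed bit template
    F = mask_template(A, v, t, P)
    return {
        "honest_roundtrip": unmask_template(A, v, F, P) == t,
        "zero_matrix_leaks_template": mitm_with_zero_matrix(v, t, P) == t,
        "zero_matrix_rejected": has_zero_row([[0] * N for _ in range(M)], P),
        "random_matrix_accepted": not has_zero_row(A, P),
    }


if __name__ == "__main__":
    print(demo())
```

The honest case depends only on the server (or whoever holds \(v\)) knowing \(\mathbf{A}\) and \(v\); the attacker in F6 sees \(F\) and \(\hat{\mathbf{A}}\) but not \(v\), which is why the LWE argument applies. The zero-matrix case is the reason the matrix delivered in the registration reply must be authenticated rather than merely received.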

Table 1 Comparisons of security and functionality features of the proposed protocol with the related protocols

8 Performance Analysis

In this section, we evaluate the performance of our protocol in terms of storage requirements, communication cost and computational complexity, and compare it with recent related protocols for IoT systems [28, 31]. Table 2 compares the computational costs of the proposed protocol with those of [28, 31]. Let \(T_{{{\text{Mp}}}}\), \(T_{{{\text{Vp}}}}\), \(T_{{{\text{add}}}}\) and \(T_{h}\) denote the time required for a matrix multiplication modulo \(p\), a vector multiplication modulo \(p\), a vector addition modulo \(p\) and one evaluation of the one-way hash function, respectively. The total computational cost of our protocol is \(4T_{{{\text{Mp}}}} + 2T_{{{\text{add}}}} + 19T_{h}\). We measured the execution time of these operations as \(T_{{{\text{Mp}}}} = 4\;{\text{ms}}\), \(T_{{{\text{Vp}}}} = 1\;{\text{ms}}\), \(T_{{{\text{add}}}} = 2\;{\text{ms}}\) and \(T_{h} = 0.0023\;{\text{ms}}\), using MATLAB 2020b on a PC workstation with an Intel Core i7-10700 CPU at 2.90 GHz and 16 GB of RAM. The total execution time of the proposed protocol is therefore \(4 \times 4 + 2 \times 2 + 19 \times 0.0023 = 20.0437\;{\text{ms}}\).

Table 2 Comparisons of computational costs of our protocol with the related protocols

For the computational complexity comparison, we follow the parameters reported in [31]: \(m = n = O\left( {k \log p} \right)\), \(p = O\left( {k^{2} } \right)\) and \(\left| p \right| = \log \left( p \right)\). The complexities of matrix multiplication modulo \(p\), vector multiplication modulo \(p\) and vector addition modulo \(p\) are \(O\left( {mn\,\left| p \right|^{2} } \right)\), \(O\left( {m\,\left| p \right|^{2} } \right)\) and \(O\left( {m\left| p \right|} \right)\), respectively. Thus, the total computational complexity of the proposed protocol is \(8k \log^{2} \left( k \right)\left( {8k \log^{2} \left( k \right) + 1} \right)\). Table 3 shows the comparison of our protocol with the related protocols.
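The closed form above follows from the operation count \(4T_{{{\text{Mp}}}} + 2T_{{{\text{add}}}}\) of the protocol once the parameters are substituted; the \(19\) hash evaluations contribute only a constant and are omitted, which matches the stated total. The substitution, written out here as an added worked derivation rather than text from the original paper (with the \(O(\cdot)\) constants taken as 1), is:

$$\begin{aligned} \left| p \right| & = \log p = \log k^{2} = 2\log k, \qquad m = n = k\left| p \right| = 2k\log k, \\ T_{{{\text{Mp}}}} & = mn\left| p \right|^{2} = \left( {2k\log k} \right)^{2} \left( {2\log k} \right)^{2} = 16k^{2} \log^{4} k, \\ T_{{{\text{add}}}} & = m\left| p \right| = \left( {2k\log k} \right)\left( {2\log k} \right) = 4k\log^{2} k, \\ 4T_{{{\text{Mp}}}} + 2T_{{{\text{add}}}} & = 64k^{2} \log^{4} k + 8k\log^{2} k = 8k\log^{2} k\left( {8k\log^{2} k + 1} \right). \end{aligned}$$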

Table 3 Comparisons of computational complexities of our protocol with the related protocols

Furthermore, the storage requirements and communication costs of the proposed protocol and the related protocols [28, 31] are evaluated and compared in Table 4. The evaluation considers the login and authentication phases only, since the registration phase is not performed frequently. In all protocols, we assume that the identity, the output of the hash function and an element of \(Z_{p}\) all have length \(\left| p \right| = 2\log k\). Thus, the total communication cost of our protocol, for the messages \(\left\{ {ID_{i} ,Z_{i} ,\beta_{i} ,r_{i} } \right\}\), \(\left\{ {w{^{\prime}}_{i} } \right\}\) and \(\left\{ {\theta_{1} ,\theta_{2} ,\theta_{4} ,\theta_{5} ,\theta_{6} } \right\}\), is \(\left( {m + 11} \right)\left| p \right| = 2\log k\left( {2k\log \left( k \right) + 11} \right)\). The storage requirements of our protocol and the related protocols [28, 31] are computed in the same way. The total storage cost for the master key \(mk \in Z_{p}^{1 \times n}\), the matrix \(A \in Z_{p}^{m \times n}\), the public key \(pk \in Z_{p}^{1 \times m}\) and seven hash values is \(\left( {n + mn + m + 7} \right)\left| p \right| = 2\log k\left( {4k^{2} \log^{2} k + 4k\log k + 7} \right)\).

Table 4 Comparisons of storage and communication costs of our protocol with the related protocols

9 Conclusion

This paper proposed a new lightweight two-factor user authentication protocol for the IoT-enabled healthcare ecosystem. We evaluated its security through a formal analysis in the random oracle model (ROM), showing that the protocol is secure against both classical and quantum adversaries. The proposed protocol achieves the following functionality and security properties: memoryless-effortless operation, user anonymity, mutual authentication, and resistance to tampering with and theft of the biometric template, stolen smart card attacks and privileged insider attacks.

The proposed protocol was also evaluated in terms of storage requirements, computation and communication costs. The results show that our protocol is more efficient overall than the protocols of Mukherjee et al., Chaudhary et al. and Gupta et al.; where its computational cost is higher, this is because those computations are what provide the additional security and functionality properties listed above.

The overall performance demonstrates that the proposed protocol is suitable for Internet of Things applications.