
Computer Networks 187 (2021) 107833

Contents lists available at ScienceDirect

Computer Networks
journal homepage: www.elsevier.com/locate/comnet

LAPCHS: A lightweight authentication protocol for cloud-based health-care systems
Fahimeh Nikkhah, Masoumeh Safkhani ∗
Department of Computer Engineering, Shahid Rajaee Teacher Training University, Tehran, Postal code: 16788-15811, Iran

Keywords: RFID; Telecare Medical Information Systems; Health-care; Authentication; Secret disclosure attack; Real-or-Random model; AVISPA; Scyther

Abstract: The development of technology has accelerated many things and solved many problems. Among various technologies, the integration of the Internet of Things (IoT) into human social life brings the promise of an easier and better life. The integration of IoT into the medical field, as well as into the environments and patients associated with it, has provided a new context called Telecare Medical Information Systems. It should be noted that smart medicine, in addition to its significant benefits, carries many security threats, so privacy, and especially anonymity, is the largest concern in implementing a telecare medical information system. Due to the importance of privacy preservation and security in smart health-care systems, Fan et al. have recently proposed a lightweight authentication protocol (IEEE Netw. 33 (2) (2019)) using quadratic residues and pseudo random number generators, to be used in this platform. They believed that their scheme has enough security and privacy preservation, and also good resistance to various attacks including tag traceability attacks, replay attacks and de-synchronization (DoS) attacks. The aim of the present study is to examine the security of the mentioned protocol. In fact, a heuristic attack is presented in which an adversary can retrieve the tag's and the reader's current and previous identifiers, which contradicts the anonymity and forward untraceability properties of this protocol. Reader and tag impersonation attacks are also applied against the protocol. Besides, a lightweight authentication protocol called LAPCHS is proposed for cloud-based health-care systems. Security analysis of our new protocol, through heuristic security analysis and also formal evaluation using the Real-or-Random model and simulations done with the AVISPA and Scyther tools, confirms its security against different attacks.

1. Introduction

All institutions and organizations, including health centers worldwide, are moving towards advanced and efficient technologies for a better and more comfortable life. The technology that has enabled communication and interaction with the humans and objects around us over the years is the Internet of Things (IoT). The IoT has significant advantages in communicating, sending and receiving data. One of these benefits is its integration with medical technology, of which the Telecare Medical Information System (TMIS) is one of the most well-known achievements.

With the increasing advancement of technology, physicians have provided their services remotely and over the Internet. Providing medical services using communication technologies is not limited by time and place, and the patient can benefit from treatment and medical services without going to medical centers. In remote medical information systems, sensors or tags transmit patient physiological information via mobile devices, wireless networks, Radio Frequency Identification (RFID) technology, cloud-based architectures, or any platform and channel that can send and receive. TMIS has become a driving force for patients and physicians around the world, in fact transforming the classic physician–patient model into a new model as shown in Fig. 1. The structure of TMIS consists of four main parts: patient, medical personnel, database, and the Internet.

As shown in Fig. 1, the platform for a telecare medical information system can be based on RFID technology. RFID technology in IoT is a prominent technology used to detect objects and people automatically [1]. Communication in this technology has three main components: RFID tag, RFID reader and database server [2,3]. The RFID tag is attached to objects or people to send information to the database as shown in Fig. 1. This information can be signals related to the device or physiological data of the patient's body. Furthermore, services such as patient status information, medication information, care for the elderly, infectious diseases, treating infants, tests, etc. can be part of the services provided by TMIS. Also, physicians

∗ Corresponding author.
E-mail address: Safkhani@srttu.edu (M. Safkhani).

https://doi.org/10.1016/j.comnet.2021.107833
Received 24 June 2020; Received in revised form 28 November 2020; Accepted 8 January 2021
Available online 14 January 2021
1389-1286/© 2021 Elsevier B.V. All rights reserved.

Fig. 1. A typical telecare medical information system based on RFID technology.

can log in to the system, review patients' medical records, and announce the necessary prescriptions, the results of tests, and the prescription drugs to patients through the system.

In the medical industry, many problems of patients, including face-to-face visits for treatment, timely examination of symptoms and reactions of the patient's body, etc., can be solved through an electronic health-care system by eliminating two main issues, distance and time [4–6]. When talking about smart health-care systems, one should consider several benefits such as improving the efficiency and quality of services through its development in medical devices. However, there might be threats such as jeopardizing personal information and the loss of privacy of patients, which should be taken into account. The most critical concern in a smart health-care system is the security of personal medical information that is stored and transmitted through interconnected devices, while most organizations are trying to keep sensitive data safe and secure. They might not have enough control over the security and safety of data through the access points used to transfer information, which causes significant security threats. The threats increase with the advent of new devices that connect to the network. Hence, the first step in such a system's security is the design and implementation of secure authentication protocols that are fast and affordable.

All of these services depend on providing a platform and protocol so that the users of this system can achieve mutual authentication in complete security, while their anonymity and privacy are protected from security threats [7,8]. The process of using the services of this system is subject to the initial registration of the patient/user in the TMIS server; then, for each use of the services provided remotely, the system server must be authenticated. In the authentication phase with the server, an agreed key is introduced for each session, which allows the patient/user to send and receive information through the agreed key [9]. The authentication step requires mutual authentication so that the provided services are not misused.

1.1. Main contribution

The contribution of this paper is several-fold:

• Design and implementation of some important security attacks against Fan et al.'s protocol for health-care systems;
• Resolving Fan et al.'s protocol security pitfalls and suggesting an improved protocol called LAPCHS;
• Informal and formal proof of the LAPCHS protocol's security through the Real-or-Random (RoR) model and simulations based on both the AVISPA and Scyther tools.

1.2. Paper organization

This paper is structured as follows: the related research in this field is reviewed in Section 2. In Section 3, Fan et al.'s cloud-based health-care authentication protocol is reviewed. Security vulnerabilities of Fan et al.'s protocol are described in Section 4. Section 5 describes our proposed protocol, LAPCHS, for use in health-care systems. The security analysis of LAPCHS and its performance and security comparison with other protocols are explained in Section 6 and Section 7, respectively. Finally, the conclusions are presented in Section 8.

2. Related work

Chien et al. in [10] divided security protocols, in terms of the type of operation used, into four categories: full-fledged protocols such as [11], simple protocols such as [12], lightweight protocols such as [13–16], and ultra-lightweight protocols such as [17,18] and [19]. This classification is represented in Fig. 2.

Full-fledged security protocols use a variety of cryptographic primitives on the tag's side. Simple protocols employ hash functions and Pseudo Random Number Generators (PRNGs) on the tag's side. In lightweight protocols, only PRNGs and Cyclic Redundancy Codes (CRCs) are supported on the tags, as recommended in the EPC C1 G2 standard. Finally, in ultra-lightweight security protocols, only bitwise operations can be used on the tag's side.

As shown in Fig. 3, the design strategies of TMIS security protocols can be classified into cryptography-based, multi-factor-based and chaotic-map-based categories.

In the cryptography-based group, cryptographic schemes such as hash functions, symmetric key or public key encryption algorithms like RSA, El-Gamal, Elliptic Curve Cryptography (ECC), or Physically Unclonable Functions (PUF) [13,20] are used as the main operation of the protocols. In multi-factor-based schemes such as [21–23] and [24], it is necessary to provide more specific information, including user biometric information along with other information, for example a smart card, ID and password, in the designed security scheme. In the chaotic-map-based group, such as [25], chaotic functions are used as a building operation of the protocol.

So far, several protocols have been proposed in the literature to provide secure and efficient authentication for RFID systems. But those protocols which are safe have encountered a lot of complexities for implementation in RFID systems, and those protocols that have been implemented appropriately have not been adequately secured. In this regard, Fan et al. [26] introduced a lightweight RFID


Fig. 2. Classification of TMIS security protocols according to the used cryptographic primitives.

Fig. 3. Designing strategies of TMIS security protocols.

protocol and claimed that this scheme provides safe conditions for maintaining the security of the exchanged information; however, Aghili et al. [27] asserted that their protocol was vulnerable to reader impersonation and tag traceability attacks under an active adversary model. Subsequently, Safkhani et al. [28] examined both Fan et al.'s [26] and Aghili et al.'s [27] schemes in the Random Oracle Model (ROM) and showed that their design is distinguishable in the ROM. They also presented a secret disclosure attack on both the Aghili et al.'s and the Fan et al.'s protocols, and were able to provide a lightweight mutual RFID authentication protocol by improving it. Furthermore, Chen et al. [29] re-examined Fan et al.'s proposed protocol [26] and proved that their scheme was also vulnerable to a tag impersonation attack. Chen et al. in [29] also showed that the TMISP protocol [30] does not resist a reader impersonation attack. Hence, countermeasures were exerted for its development and, as a result, the TMISP+ protocol was presented.

Dass and Om [31] proposed an authentication protocol for RFID using the hash function and bitwise operations. Gholami et al. [32] analyzed the security of this protocol and proved that the protocol has weaknesses in terms of security and privacy. Then they tried to improve the Dass and Om protocol and provided a new secure and lightweight protocol while maintaining a small amount of computational overhead in the database.

In 2018, an RFID-based authentication protocol which was successful in accomplishing its purposes was developed by Gope et al. [14]. This protocol was able to have an agreeable execution time compared to similar schemes.

In 2018, the ULRAS scheme, with the claim to provide a high level of security, was proposed by Fan et al. [19] in the m-commerce era; however, Aghili et al. [33] could detect the security vulnerabilities of their protocol against reader impersonation and secret disclosure attacks and thereafter successfully improved it without imposing any additional computational cost on its tag.

Salem et al. in [34] provided a security protocol based on El-Gamal cryptography for Telecare Medical Information Systems (TMIS) and analyzed its security with the AVISPA tool [35].


In most RFID authentication protocols using a cloud server, the channel between the reader and the cloud server is considered secure. In this regard, Xiao et al. [36] put forward an efficient protocol for insecure channels between the reader and the cloud server. However, the computational overhead of the tag is not relatively low because it requires hash function operations. Also, Fan et al. [37] introduced a cloud-based lightweight RFID protocol that used rotation logic operations, permutation and data encryption. Their scheme reduced the computational overhead of the tag significantly.

Recently, Fan et al. presented another authentication protocol [38] to maintain a compromise between security and the complexity of implementing an authentication protocol on RFID systems. However, in the present study, it will be shown that Fan et al.'s protocol has no suitable security and is not recommended to be used in any application. We will also address the security flaws of this protocol that lead to the suggestion of an improved version, named LAPCHS. The security of LAPCHS against different attacks will be proven both informally and formally through the Real-or-Random (RoR) model and simulations via both the AVISPA and Scyther tools.

3. Description of Fan et al.'s protocol

In this section, Fan et al.'s authentication protocol [38] for the cloud-based health-care system is briefly described, including the initialization phase, the authentication phase, and the secret values updating phase, which are depicted in Fig. 4. Throughout the paper, the notations listed in Table 1 are used.

Initialization Phase: In this phase, the administrator generates two 512-bit or larger prime numbers p and q, computes n = p.q and stores p, q and n in the reader separately. Then it stores the tag's pseudonym SID and its secret key x in each tag. It also stores the reader's pseudonym SRID and its secret value y in the reader. The administrator stores each tag's SID and also x', which is x^2 mod n, in the cloud server's tag index data table. Then it sets SID_old and x'_old both to 0. In the corresponding operation, the administrator also stores SRID and y', which is y^2 mod n, for each reader in the cloud server's reader index data table, and sets SRID_old and y'_old both to 0.

Authentication Phase: This phase of the protocol starts with the reader as follows:

1. Reader → Tag: Query, T_R
The reader sends Query and the current timestamp T_R to the tag.

2. Tag → Reader: M_T1, M_T2
Upon receiving the message, the tag computes M_T1 = Rot(T_R, SID) ⊕ SID, M_T2 = PRNG(x ⊕ T_R) and sends M_T1, M_T2 to the reader.

3. Reader → Cloud: M_R1, M_R2, M_T1, T_R
As soon as the message is received, the reader calculates M_R1 = Rot(T_R, SRID) ⊕ SRID, y' = y^2 mod n, M_R2 = PRNG(y' ⊕ T_R) and transmits them along with M_T1 and T_R to the cloud server.

4. Cloud → Reader: x', T_C
Upon receipt of the message, the cloud server checks whether T_th1 < T_S − T_R < T_th2 holds or not. If the condition is true, the cloud server searches its reader index table for the SRID corresponding to M_R1. If it finds a match, it extracts the reader's y', computes M'_R2 = PRNG(y' ⊕ T_R), and checks whether M'_R2 == M_R2 or not. If so, the cloud server authenticates the reader. Then it searches its tag index data table for the SID corresponding to M_T1. If it finds such a record, it extracts the related x' and transmits it along with its current timestamp T_C to the reader.

5. Reader → Tag: M_T3, T_C
When the message is received, the reader solves x' = x^2 mod n using p and q and finds four solutions x_1, x_2, x_3 and x_4. Then with each of the solutions it computes M'_TR = PRNG(x_j ⊕ T_R) and checks whether there is any x_j whose related M'_TR equals M_T2 or not. If so, the reader successfully authenticates the tag. Afterwards, the reader computes M_T3 = PRNG(x) and transmits it along with T_C to the tag.

6. Tag: If the tests succeed, the tag authenticates the reader.
Once the message is received, the tag computes M'_T3 = PRNG(x) and checks whether M'_T3 == M_T3 or not. If so, the tag successfully authenticates the reader. This works because only the legitimate reader, who knows the factorization of n, i.e., p and q, can solve x' = x^2 mod n.

Updating Phase: This phase of the protocol starts with the tag as below:

1. Tag → Reader: A_T1
The tag computes SID_new = SID + T_C, x_new = Rot(x, T_C) ⊕ T_C, A_T1 = PRNG(SID_new ⊕ T_R) and sends A_T1 as an updating notification to the reader.

2. Reader → Cloud: A_R1, A_R2, A_T1, A_T2
After receiving the message, in order to update the tag's record in the cloud server, the reader computes x_new = Rot(x, T_C) ⊕ T_C and x'_new = x_new^2 mod n. Moreover, it computes SRID_new = SRID + T_C, y_new = Rot(T_C, y) and y'_new = y_new^2 mod n. Then it computes A_R1 = PRNG(y' ⊕ SRID_new ⊕ T_R), A_R2 = Rot(y'_new, T_R ⊕ SRID_new) ⊕ SRID_new, A_T1 = PRNG(SID_new ⊕ T_R), A_T2 = Rot(x'_new, T_R ⊕ SRID_new) ⊕ SRID_new and sends them to the cloud server to make it aware of the update.

3. Cloud → Reader: A_R3, A_T3
As soon as the message is received by the cloud server, it computes SRID_new = SRID + T_C. Then it first checks whether PRNG(y' ⊕ SRID_new ⊕ T_R) == A_R1 or not. If so, it retrieves y'_new from A_R2 as T_R ⊕ SRID_new ⊕ ((A_R2 ⊕ SRID_new) ⋙ ((T_R ⊕ SRID_new) mod L)) and updates its reader index data table as y'_old ← y', y' ← y'_new, SRID_old ← SRID and SRID ← SRID_new. Secondly, it computes SID_new = SID + T_C. Then it checks whether PRNG(SID_new ⊕ T_R) == A_T1 or not. If the condition is true, it retrieves x'_new from A_T2 as T_R ⊕ SRID_new ⊕ ((A_T2 ⊕ SRID_new) ⋙ ((T_R ⊕ SRID_new) mod L)) and updates its tag index data table as x'_old ← x', x' ← x'_new, SID_old ← SID and SID ← SID_new. Following this, it computes A_R3 = PRNG(y'_new ⊕ SRID_new ⊕ T_R), A_T3 = PRNG(SID_new) ⊕ PRNG(x'_new ⊕ T_R) and sends them to the reader.

4. Reader → Tag: A_T4
Upon receipt of the message, the reader first checks whether PRNG(y'_new ⊕ SRID_new ⊕ T_R) == A_R3 or not. If it does, that means the cloud server has successfully updated its reader index data table. After that, the reader updates its SRID and y to SRID_new and y_new respectively. Then it calculates A_T4 = A_T3 ⊕ PRNG(x'_new ⊕ T_R) and transmits it to the tag.

5. Tag: If the tests succeed, the tag updates its secret values.
Once the tag gets the message, it checks whether PRNG(SID_new) == A_T4 or not. If it is true, the cloud server has successfully updated its tag index data table. Then, the tag also updates its SID and x to SID_new and x_new respectively.

4. Security analysis of Fan et al.'s protocol

In this section, it will be demonstrated that, unfortunately, Fan et al.'s protocol suffers from various attacks such as the reader impersonation attack, tag impersonation attack, secret values disclosure attack and forward secrecy property contradiction attack.


Table 1
Symbols.

Symbol            Description
p, q              512-bit or larger prime numbers stored in the reader
n                 corresponds to p.q, stored in the reader
T_X               The entity X's current time stamp
T_th              The system threshold for the time
SID               The tag's pseudonym
SID_old           The old record of SID stored in the cloud server
SRID              The reader's pseudonym
SRID_old          The old record of SRID stored in the cloud server
x                 The tag's secret value
x'                corresponds to x^2 mod n, stored in the cloud server
y                 The reader's secret value
y'                corresponds to y^2 mod n, stored in the cloud server
PRNG              The pseudo random number generator function
Rot(x, y)         The left rotation of x ⊕ y by y mod L, where L is the length of y
ℓ                 corresponds to y mod L, where L is the length of y
x ⋘ y, x ⋙ y      The left and right rotation of x by y, respectively
E_K(.)/D_K(.)     Symmetric key encryption/decryption function using K as the symmetric key
‖                 Concatenation operation
N                 A random number generated by the tag
z                 The number of registered tags in the cloud server

Fig. 4. The process of Fan et al.’s authentication protocol for cloud-based health-care system [38].
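A toy run of the authentication phase of Section 3, as an added example that is not code from the paper or from Fan et al.: it builds M_T1, M_T2, M_R1 and M_R2 with the Table 1 operations, performs the cloud's index-table search, and has the reader recover x from x' = x^2 mod n using p and q, which is the step the page says only the holder of the factorization can perform. The 32-bit field width, the 10-bit primes, the SHA-256-based stand-in for PRNG and the SID, SRID, x, y and T_R values are constructed assumptions for the demo; the timestamp window check is omitted.

```python
import hashlib

L = 32                     # field width assumed for the toy (the paper uses larger values)
MASK = (1 << L) - 1

def rol(v: int, r: int) -> int:
    """Left-rotate an L-bit value by r positions (x ⋘ r in Table 1)."""
    r %= L
    return ((v << r) | (v >> (L - r))) & MASK

def rot(x: int, y: int) -> int:
    """Rot(x, y) from Table 1: (x ⊕ y) rotated left by y mod L."""
    return rol(x ^ y, y % L)

def prng(v: int) -> int:
    """Stand-in for the paper's unspecified PRNG: SHA-256 truncated to L bits (assumption)."""
    return int.from_bytes(hashlib.sha256(v.to_bytes(8, "big")).digest()[:4], "big")

def sqrt_mod_n(a: int, p: int, q: int) -> list:
    """The four square roots of a modulo n = p*q for primes p, q ≡ 3 (mod 4).
    Needs p and q, which only the reader holds."""
    n = p * q
    rp = pow(a % p, (p + 1) // 4, p)          # a root modulo p
    rq = pow(a % q, (q + 1) // 4, q)          # a root modulo q
    cp = q * pow(q, -1, p)                    # CRT coefficients
    cq = p * pow(p, -1, q)
    return sorted({(sp * rp * cp + sq * rq * cq) % n
                   for sp in (1, -1) for sq in (1, -1)})

# Constructed demo parameters (toy sizes; both primes are ≡ 3 mod 4).
P, Q = 1019, 1031
N = P * Q
TAG = {"SID": 0x3A7F19C5, "x": 123457}
READER = {"SRID": 0x9D4B2E83, "y": 654321}
# Cloud index tables: pseudonym -> squared secret (x' = x^2 mod n, y' = y^2 mod n).
CLOUD = {"tags": {TAG["SID"]: pow(TAG["x"], 2, N)},
         "readers": {READER["SRID"]: pow(READER["y"], 2, N)}}

def lookup(table: dict, t_r: int, m1: int):
    """Cloud search: the pseudonym ID whose Rot(T_R, ID) ⊕ ID equals the received M1."""
    for pid in table:
        if rot(t_r, pid) ^ pid == m1:
            return pid
    return None

def run_authentication(t_r: int, tag_x: int = None) -> tuple:
    """One authentication phase. Returns (cloud authenticated reader,
    reader authenticated tag, tag authenticated reader)."""
    x = TAG["x"] if tag_x is None else tag_x  # tag_x lets a wrong tag secret be tried
    # 1. Reader -> Tag: Query, T_R.   2. Tag -> Reader: M_T1, M_T2
    m_t1 = rot(t_r, TAG["SID"]) ^ TAG["SID"]
    m_t2 = prng(x ^ t_r)
    # 3. Reader -> Cloud: M_R1, M_R2, M_T1, T_R
    y_sq = pow(READER["y"], 2, N)
    m_r1 = rot(t_r, READER["SRID"]) ^ READER["SRID"]
    m_r2 = prng(y_sq ^ t_r)
    # 4. Cloud -> Reader: x', T_C (timestamp window check omitted)
    srid = lookup(CLOUD["readers"], t_r, m_r1)
    if srid is None or prng(CLOUD["readers"][srid] ^ t_r) != m_r2:
        return (False, False, False)
    sid = lookup(CLOUD["tags"], t_r, m_t1)
    if sid is None:
        return (True, False, False)
    x_sq = CLOUD["tags"][sid]
    # 5. Reader -> Tag: M_T3, T_C. The reader tries each root of x' = x^2 mod n.
    match = [r for r in sqrt_mod_n(x_sq, P, Q) if prng(r ^ t_r) == m_t2]
    if not match:
        return (True, False, False)
    m_t3 = prng(match[0])
    # 6. Tag: accept the reader if PRNG(x) == M_T3.
    return (True, True, prng(x) == m_t3)

if __name__ == "__main__":
    print(run_authentication(0x5F3A2B1C))            # (True, True, True)
    print(run_authentication(0x5F3A2B1C, tag_x=999)) # (True, False, False)
```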

4.1. Reader impersonation attack

A reader impersonation attack is an attack in which the attacker can impersonate a legitimate reader and use messages to convince the other parties of the protocol that s/he is a legal reader and can be authenticated by the other protocol parties, and will access services that are allowed for a legal reader. For example, as shown in Fig. 5, in the health-care system, the attacker can impersonate a reader as a doctor or nurse and will


Fig. 5. An example of the reader impersonation attack.

access patient information and medications. For performing this attack against Fan et al.'s protocol, it is enough that the adversary carries out the following:

• Eavesdrops one session between a targeted reader and a legitimate tag and stores the transferred messages, i.e., M_T1, M_T2, M_T3, T_R and T_C. It also intercepts M_T3 so that it is not received by the tag. So, the tag does not go to the update phase.
• Subsequently, the adversary pretends to be a legitimate reader and sends the eavesdropped T_R along with Query to the target tag.
• Once the message is received, the tag computes M_T1 = Rot(T_R, SID) ⊕ SID, M_T2 = PRNG(x ⊕ T_R) and sends them to the reader, which is the adversary.
• The adversary, once it has received the message, responds to the tag with the eavesdropped M_T3 and T_C.
• When the tag receives the message, it computes M'_T3 = PRNG(x) and checks whether M'_T3 == M_T3, which it is. So, the tag successfully authenticates the adversary as the reader. This attack succeeds with probability ''1'', and its complexity is only two executions of the protocol.

Remark 1. It is worth noting that Fan et al.'s protocol's vulnerability to the reader impersonation attack is due to the tag's failure to randomize messages, because the tag in this protocol does not generate any random values to be used in the transferred messages. In the proposed protocol, LAPCHS, we have fixed this problem by generating a random number on the tag's side and using it in the protocol's exchanged messages.

4.2. Tag impersonation attack

A tag impersonation attack is an attack in which the attacker poses as a legal tag and tries to convince the other parties of the protocol of its legality. For example, as shown in Fig. 6, in a health-care system, the attacker pretends that a patient has certain conditions and, for example, receives the flu vaccine. For applying this attack against Fan et al.'s protocol, the adversary can proceed as follows:

• Eavesdrops one session between a legitimate reader and a targeted tag and also between the same reader and a cloud server, and stores the transferred messages, i.e. M_T1, M_T2, M_T3, T_R, M_R1, M_R2, x' and T_C.
• It also intercepts M_T3 so that it is not received by the tag. So the tag will not be updated.
• The adversary waits until the reader starts the protocol and sends Query and T_R to the tag.
• The adversary stops Query and T_R, so the tag does not receive them.
• The adversary also pretends to be the tag and generates a random number u instead of x, computes M_T2 = PRNG(u ⊕ T_R) and sends it together with the eavesdropped M_T1 to the reader.
• When the reader receives the message, it computes M_R1 = Rot(T_R, SRID) ⊕ SRID, y' = y^2 mod n, M_R2 = PRNG(y' ⊕ T_R) and sends them along with M_T1 and T_R to the cloud server.
• Upon receipt of the message, the cloud server checks whether T_th1 < T_S − T_R < T_th2, which is true. Therefore, the cloud server searches its reader index table for the SRID corresponding to M_R1 and finds a match, so it extracts the reader's y', computes M'_R2 = PRNG(y' ⊕ T_R), and checks whether M'_R2 == M_R2, which holds, because M_R2 was produced by a legal reader and the attacker did not change it. So, the cloud server authenticates the reader. Then it searches its tag index data table for the SID corresponding to M_T1 and finds such a record, since M_T1 was produced by a legal tag and the attacker did not change it. Then the cloud server extracts the related x' and transmits it along with its current timestamp T_C to the reader.
• The adversary intercepts x' and instead sends u' = u^2 mod n to the reader. Note that this u is the same u previously produced by the attacker and used to generate the message M_T2 as PRNG(u ⊕ T_R).
• When the reader receives u', it solves u' = u^2 mod n using p and q and finds four solutions u_1, u_2, u_3 and u_4. Then with each of the solutions it computes M'_TR = PRNG(u_j ⊕ T_R) and checks whether there is any u_j whose related M'_TR equals M_T2, which holds. Therefore, the reader successfully authenticates the adversary as a tag. After successful authentication of the adversary as a legal tag, the reader computes M_T3 = PRNG(u) and sends it along with T_C to the tag, which is the adversary.

The success probability of the above-mentioned tag impersonation attack is ''1'', and its complexity is only two executions of the protocol.

Remark 2. It is worth noting that Fan et al.'s protocol's vulnerability to the tag impersonation attack is due to sending x', which is x^2 mod n, openly over the insecure channel. In the protocol proposed in this paper, i.e. LAPCHS, we have fixed this problem by sending x' ⊕ y' instead of x', so that only the reader who knows the value of y' can obtain x' from the received value.

4.3. Secret values disclosure attack

A secret values disclosure attack is an attack in which the attacker tries to access the secret information of protocol parties by using messages exchanged over an insecure channel and performing calculations on these messages. For example, in a health-care system, the attacker can access secret values such as the nurse and patient IDs and their secret keys and can easily misuse this information. As shown in Fig. 7,


Fig. 6. An example of the tag impersonation attack.

the adversary can penetrate the system and gain access to all secret information and all health services provided by the health-care system by obtaining the tag's and the reader's secret values. Here, we show how an adversary can disclose the tag's and the reader's identifiers.

4.3.1. Retrieving tag's identifier

This section shows how to obtain the tag's SID, which is a secret value in Fan et al.'s protocol. This attack includes two phases as below:

Learning Phase: In this phase, the attacker eavesdrops two successive sessions of the protocol without permitting the protocol to go to the update stage and update the tag's and the reader's secret values, i.e. SID, x, SRID and y respectively. So, in this phase, the adversary retrieves and stores T_R, M_T1, M_T2, M_R1, M_R2, M_T3, T_C, and also T'_R, M'_T1, M'_T2, M'_R1, M'_R2, M'_T3 and T'_C, which have been eavesdropped from the first and the second run of the protocol, respectively. The adversary also interrupts the message M_T3 and T_C, so at the end of the first run of the protocol the tag and the reader are not permitted to enter the updating phase. As a result, their secret values remain unchanged. The main observation used in the secret disclosure attack is defined as Observation 1:

Observation 1. In Fan et al.'s protocol, we prove that the relationship M_T1 ⊕ M'_T1 = (T_R ⊕ T'_R) ⋘ ℓ holds between M_T1, T_R, M'_T1, T'_R and ℓ, where ℓ = SID mod L and L is the length of SID.

Proof. In Fan et al.'s protocol, M_T1 is defined as Rot(T_R, SID) ⊕ SID, where Rot(x, y) is defined as (x ⊕ y) ⋘ (y mod L). So, we can write M_T1 as ((T_R ⊕ SID) ⋘ ℓ) ⊕ SID = (T_R ⋘ ℓ) ⊕ (SID ⋘ ℓ) ⊕ SID, where ℓ = SID mod L. Similarly, we have M'_T1 = (T'_R ⋘ ℓ) ⊕ (SID ⋘ ℓ) ⊕ SID. If we do an exclusive OR (XOR) operation between M_T1 = (T_R ⋘ ℓ) ⊕ (SID ⋘ ℓ) ⊕ SID and M'_T1 = (T'_R ⋘ ℓ) ⊕ (SID ⋘ ℓ) ⊕ SID, we obtain M_T1 ⊕ M'_T1 = (T_R ⊕ T'_R) ⋘ ℓ. □

As mentioned in Observation 1, the value of ℓ in M_T1 equals SID mod L and so, clearly, 0 ≤ ℓ ≤ L − 1. In Algorithm 1, we show that the value of ℓ can be obtained using M_T1 ⊕ M'_T1 = (T_R ⊕ T'_R) ⋘ ℓ, because in this relationship all values except ℓ are known. We recall that M_T1 = (T_R ⋘ ℓ) ⊕ (SID ⋘ ℓ) ⊕ SID, so we can rewrite it as Eq. (1):

SID ⊕ (SID ⋘ ℓ) = M_T1 ⊕ (T_R ⋘ ℓ)    (1)

If the obtained ℓ is an odd number, Algorithm 1 shows that the adversary can retrieve SID from Eq. (1). In the cases where ℓ is not odd, the adversary allows the protocol to be updated, so that the secret values (i.e. SID and SRID) are changed. Then the adversary repeats the phase of Section 4.3.1. In fact, the adversary is looking for information that will make ℓ an odd number, because then the tag's and the reader's secret identifiers are easier to get.

Tag's Secret Disclosure Phase: In this phase of the attack, the adversary, using the values eavesdropped in the learning phase, can retrieve the tag's identifier SID based on Observation 1 and the following steps. It should be pointed out that the tag's identifier is retrieved bit by bit.

• Initially, the adversary sets the first bit of SID equal to zero, i.e., SID_0 = 0, and retrieves the other SID bits using Algorithm 1. Checking SID_0 = 0 against the obtained SID_0 determines whether the SID recovery operation is successful or not.
• Secondly, the adversary sets the first bit of SID equal to one, i.e., SID_0 = 1, and retrieves the other SID bits using Algorithm 1. In this turn, checking SID_0 = 1 against the obtained SID_0 determines whether the SID recovery operation is successful or not.
• By using the values retrieved for SID in the previous steps, one can compute M*_T1 = (T_R ⋘ ℓ) ⊕ (SID ⋘ ℓ) ⊕ SID and check whether M*_T1 == M_T1 or not. If it holds, then the retrieved SID is proper.

As mentioned above, the first step of the SID discovery strategy is to set the least-significant SID bit to 0 and to 1, and, as shown in Fig. 14, the other SID bits can be obtained by applying merely exclusive-OR (XOR) operations. Ultimately, by computing M*_T1 = (T_R ⋘ ℓ) ⊕ (SID ⋘ ℓ) ⊕ SID using the SID values obtained from Eq. (1) and checking whether M*_T1 == M_T1 or not, the original SID value is determined. The details of the tag's secret disclosure attack are shown in Algorithm 1.

4.3.2. Retrieving reader's identifier

Similarly to what was mentioned about retrieving the tag's identifier in Section 4.3.1, we can rewrite M_R1 = Rot(T_R, SRID) ⊕ SRID as M_R1 = ((T_R ⊕ SRID) ⋘ ℓ) ⊕ SRID = (T_R ⋘ ℓ) ⊕ (SRID ⋘ ℓ) ⊕ SRID. Then we can write Eq. (2) based on M_R1 = (T_R ⋘ ℓ) ⊕ (SRID ⋘ ℓ) ⊕ SRID as follows:

SRID ⊕ (SRID ⋘ ℓ) = M_R1 ⊕ (T_R ⋘ ℓ)    (2)

Therefore, by using the value of ℓ obtained from M_T1 ⊕ M'_T1 = (T_R ⊕ T'_R) ⋘ ℓ, we can retrieve SRID from Eq. (2), because in this relationship all of the values except SRID are known.

Reader's Secret Disclosure Phase: In this phase of the attack, the adversary, using the values eavesdropped in the learning phase, can retrieve the reader's identifier SRID based on Observation 1 and the following steps. It should be noted that the reader's identifier is retrieved bit by bit. The details of this phase are shown in Algorithm 2.

• In the first stage, the adversary sets the first bit of SRID equal to zero, i.e., SRID_0 = 0, and retrieves the other SRID bits using Algorithm 2. Checking SRID_0 = 0 against the obtained SRID_0 determines whether the SRID recovery operation is successful or not.
• In the second stage, the adversary sets the first bit of SRID equal to one, i.e., SRID_0 = 1, and retrieves the other SRID bits using Algorithm 2. In this turn, checking SRID_0 = 1 against the obtained SRID_0 determines whether the SRID recovery operation is successful or not.

F. Nikkhah and M. Safkhani Computer Networks 187 (2021) 107833

Fig. 7. An example of the secret disclosure attack.

Algorithm 1: The tag's identifier disclosure attack against Fan et al.'s authentication protocol.

    Data: M_T1, M'_T1, T_R, T'_R
    Result: Obtains ℓ, SID
    Function ROL(num: int, n: int) is
        left rotation of the num value by n bits
    end
    Function get_bit(num: int, n: int) is
        return the nth bit of num (bit 0 is the least significant bit)
    end
    SID_BITS = 32
    T_R_BITS = 32
    L = SID_BITS
    for ℓ = 0 to L − 1 do
        if M_T1 ⊕ M'_T1 == ROL(T_R ⊕ T'_R, ℓ) then
            discloses ℓ
        end
    end
    if ℓ mod 2 != 0 then
        M = M_T1 ⊕ ROL(T_R, ℓ)                          // Eq. (1): M = SID ⊕ SID⋘ℓ
        sets SID = 0                                     // guess SID_0 = 0
        sets pos = 0
        for i = 1 to SID_BITS − 1 do
            prev = pos
            pos = (pos − ℓ) mod SID_BITS
            bit = get_bit(M, prev) ⊕ get_bit(SID, prev)   // M_prev = SID_prev ⊕ SID_pos
            SID_pos = bit
        end
        M*_T1 = ROL(T_R, ℓ) ⊕ ROL(SID, ℓ) ⊕ SID
        if M*_T1 == M_T1 then discloses SID
        M*_T1 = ROL(T_R, ℓ) ⊕ ROL(Not(SID), ℓ) ⊕ Not(SID)
        if M*_T1 == M_T1 then discloses Not(SID) as SID
    end

Algorithm 2: The reader's identifier disclosure attack against Fan et al.'s authentication protocol.

    Data: M_T1, M'_T1, M_R1, M'_R1, T_R, T'_R
    Result: Obtains ℓ, SRID
    Function ROL(num: int, n: int) is
        left rotation of the num value by n bits
    end
    Function get_bit(num: int, n: int) is
        return the nth bit of num (bit 0 is the least significant bit)
    end
    SRID_BITS = 32
    T_R_BITS = 32
    L = SRID_BITS
    for ℓ = 0 to L − 1 do
        if M_T1 ⊕ M'_T1 == ROL(T_R ⊕ T'_R, ℓ) then
            discloses ℓ
        end
    end
    if ℓ mod 2 != 0 then
        M = M_R1 ⊕ ROL(T_R, ℓ)                          // Eq. (2): M = SRID ⊕ SRID⋘ℓ
        sets SRID = 0                                    // guess SRID_0 = 0
        sets pos = 0
        for i = 1 to SRID_BITS − 1 do
            prev = pos
            pos = (pos − ℓ) mod SRID_BITS
            bit = get_bit(M, prev) ⊕ get_bit(SRID, prev)  // M_prev = SRID_prev ⊕ SRID_pos
            SRID_pos = bit
        end
        M*_R1 = ROL(T_R, ℓ) ⊕ ROL(SRID, ℓ) ⊕ SRID
        if M*_R1 == M_R1 then discloses SRID
        M*_R1 = ROL(T_R, ℓ) ⊕ ROL(Not(SRID), ℓ) ⊕ Not(SRID)
        if M*_R1 == M_R1 then discloses Not(SRID) as SRID
    end

• Using the value of SRID retrieved in the previous steps, one computes M*_R1 = T_R⋘ℓ ⊕ SRID⋘ℓ ⊕ SRID and checks whether M*_R1 == M_R1. If it holds, the retrieved SRID is accepted.

4.4. Implementation of the secret values disclosure attack

In this section we demonstrate how the secret values disclosure attack reveals the secret values. The attack scenario is executed with parameters of length L = 16 bits, i.e. |M_T1| = |M_R1| = |SID| = |SRID| = |T_R| = L.
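The following Python program is an added worked example written for this page, not code from the paper: it implements Algorithm 1 (and, with M_R1 and M'_R1 in place of M_T1 and M'_T1, Algorithm 2) and runs it on the 16-bit values of this section. It assumes that words are rotated as unsigned L-bit integers with bit 0 the least significant bit, and it recomputes M'_T1 from its definition T'_R⋘ℓ ⊕ SID⋘ℓ ⊕ SID. One point the final comparison in Algorithm 1 does not bring out: SID and NOT(SID) both satisfy Eq. (1) and both reproduce M_T1, so the example uses the constraint ℓ = SID mod L from Observation 1 to pick the right candidate.

```python
"""Algorithm 1 of the paper (tag identifier disclosure against Fan et al.'s
protocol) as an added, runnable example; this is the editor's code, not the
authors'.  Assumptions: words are rotated as unsigned L-bit integers with
bit 0 the least significant bit; M'_T1 is recomputed from its definition
T'_R<<<l ^ SID<<<l ^ SID.  The same functions recover SRID from M_R1 and
M'_R1 (Algorithm 2)."""

L = 16                                   # word length of the worked example

def rol(v, k, bits=L):
    """Left rotation of a bits-bit word by k positions."""
    k %= bits
    return ((v << k) | (v >> (bits - k))) & ((1 << bits) - 1)

def fan_m1(t_r, secret, bits=L):
    """M_T1 (or M_R1): Rot(T_R, SID) ^ SID = T_R<<<l ^ SID<<<l ^ SID,
    with l = SID mod L, as in Fan et al.'s protocol."""
    l = secret % bits
    return rol(t_r, l, bits) ^ rol(secret, l, bits) ^ secret

def recover_rotation(m1, m1p, t_r, t_rp, bits=L):
    """Observation 1: M_T1 ^ M'_T1 = (T_R ^ T'_R)<<<l when SID is unchanged
    between the two sessions.  All values but l are known, so try every l."""
    return [l for l in range(bits) if rol(t_r ^ t_rp, l, bits) == m1 ^ m1p]

def solve_eq1(m, l, bit0, bits=L):
    """Solve S ^ (S<<<l) = M bit by bit from a guess bit0 for S_0.
    Bit i of S<<<l is S_{i-l}, so M_i = S_i ^ S_{i-l} and
    S_{i-l} = M_i ^ S_i: walk the positions 0, -l, -2l, ... (mod L).
    Every bit is visited only if gcd(l, L) = 1, i.e. l odd for L = 2^k."""
    s = {0: bit0}
    pos = 0
    for _ in range(bits - 1):
        nxt = (pos - l) % bits
        s[nxt] = ((m >> pos) & 1) ^ s[pos]
        pos = nxt
    # closing the cycle recomputes S_0; it is consistent for BOTH guesses,
    # because S and NOT(S) both satisfy S ^ (S<<<l) = M
    if ((m >> pos) & 1) ^ s[pos] != bit0:
        raise ValueError("M is not of the form S ^ (S<<<l)")
    return sum(b << i for i, b in s.items())

def recover_secret(m1, m1p, t_r, t_rp, bits=L):
    """Full Algorithm 1/2: returns (l, secret), or None when l is even,
    in which case the attacker waits for an update and eavesdrops again."""
    odd = [l for l in recover_rotation(m1, m1p, t_r, t_rp, bits) if l % 2]
    if not odd:
        return None
    l = odd[0]
    m = m1 ^ rol(t_r, l, bits)           # Eq. (1): S ^ S<<<l = M_T1 ^ T_R<<<l
    cand0 = solve_eq1(m, l, 0, bits)     # guess S_0 = 0
    cand1 = cand0 ^ ((1 << bits) - 1)    # guess S_0 = 1 is just NOT(cand0)
    # Recomputing M_T1 does not separate the two candidates (they give the
    # same value); the constraint l = SID mod L does: the low log2(L) bits
    # of the secret must spell l.
    return l, next(c for c in (cand0, cand1) if c % bits == l)

def demo():
    """The worked example of Section 4.4 (values taken from the paper)."""
    sid, t_r, t_rp = 0xd933, 0xc39a, 0x99c3
    m1, m1p = fan_m1(t_r, sid), fan_m1(t_rp, sid)
    return m1, m1p, recover_secret(m1, m1p, t_r, t_rp)
```

demo() returns M_T1 = 0x0c7b, M'_T1 = 0xdeb1 and the recovered pair (ℓ, SID) = (3, 0xd933); the candidate obtained for the guess S_0 = 0 is 0x26cc, the complement of the real SID. recover_secret returns None when the detected ℓ is even, which is the case in which the attacker must let the protocol update and eavesdrop two further sessions.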


Fig. 8. The authentication process of LAPCHS.

Assume that the values used in two executions of Fan et al.'s protocol, without the secret values being updated at the end of the first execution, are as follows:

SID   = 1101 1001 0011 0011 = 0xd933
T_R   = 1100 0011 1001 1010 = 0xc39a
T'_R  = 1001 1001 1100 0011 = 0x99c3
M_T1  = 0000 1100 0111 1011 = 0x0c7b
M'_T1 = 1101 1110 1011 0001 = 0xdeb1

First, based on the given parameters, the value of ℓ is obtained from M_T1 ⊕ M'_T1 = (T_R ⊕ T'_R)⋘ℓ: here T_R ⊕ T'_R = 0x5a59 and M_T1 ⊕ M'_T1 = 0xd2ca, and trying the 16 possible rotation amounts shows that only ℓ = 3 satisfies (0x5a59)⋘ℓ = 0xd2ca. Therefore T_R⋘3 and M = M_T1 ⊕ T_R⋘3 are computed as below:

T_R⋘3 = 0001 1100 1101 0110 = 0x1cd6
M     = 0001 0000 1010 1101 = 0x10ad

As can be seen in Fig. 14, the bit positions of SID⋘3 and SID are written bitwise below each other. Assuming SID is 16 bits, S_i is the ith bit of SID and M_i is the ith bit of M, with bit 0 the least significant bit. Next, S_0 is set to zero (S_0 = 0) according to the tag's secret disclosure phase of the proposed attack. The attack in Fig. 14 consists of L steps, which are described as follows:

Step 1. According to Eq. (1), M = SID ⊕ SID⋘ℓ, and bit i of SID⋘ℓ is S_{i−ℓ} (indices taken mod 16). With the rotation amount ℓ = 3 found above, the bit arrangement of Eq. (1) is therefore M_0 = S_0 ⊕ S_13, M_1 = S_1 ⊕ S_14, M_2 = S_2 ⊕ S_15, and so on, i.e. M_i = S_i ⊕ S_{i−3}. Hence S_13 = M_0 ⊕ S_0; since M_0 = 1 and S_0 = 0, we get S_13 = 1.
Step 2. Now, as depicted in Fig. 14, XORing S_13 with M_13 gives S_10 = M_13 ⊕ S_13.
Step 3. Having S_10, the value S_7 is obtained as M_10 ⊕ S_10.
Step 4. So far S_0, S_13, S_10 and S_7 have been retrieved. In the same way, S_4 is retrieved as M_7 ⊕ S_7.

Analogously all L steps are performed as above, each yielding one bit of SID, following the positions 0, 13, 10, 7, 4, 1, 14, 11, 8, 5, 2, 15, 12, 9, 6, 3. At the final step the cycle returns to position 0, and the recomputed S_0 equals the value zero that was assumed at the start. According to the tag's secret disclosure phase, SID is obtained once assuming S_0 = 0 and once assuming S_0 = 1. Because a value and its bitwise complement both satisfy Eq. (1), the candidate for S_0 = 1 is simply NOT(SID) of the candidate for S_0 = 0; computing it as a complement instead of repeating all the steps above improves the running time of Algorithm 1. With the values above, the candidate obtained for S_0 = 0 is 0x26cc and its complement is 0xd933, the actual SID. Following Algorithms 1 and 2, we then compute M*_T1 and M*_R1 from SID, NOT(SID), SRID and NOT(SRID) and compare them with the eavesdropped M_T1 and M_R1. Note that M*_T1 takes the same value for SID and NOT(SID), since both satisfy Eq. (1), so this comparison alone cannot tell the two candidates apart; the low bits of the correct SID must additionally equal ℓ, because ℓ = SID mod L, which selects 0xd933 here.

4.5. Forward secrecy contradiction attack

Forward secrecy is the property that an adversary who retrieves the keys and secret values of the current session is unable to obtain


the keys and secret values used in the previous sessions. In this section we show that Fan et al.'s protocol does not have this property. The reason is the invertible function used to update SID, i.e. SID_new = SID + T_C. Hence, given the current SID value and the T_C used in the current session, it is enough for the adversary to subtract the eavesdropped T_C from the current tag's or reader's secret identifier, as SID_old = SID − T_C and SRID_old = SRID − T_C respectively. The details of the forward secrecy contradiction attack are given in Algorithm 3.

Algorithm 3: Finding the previous secret identifiers of the tag and the reader in Fan et al.'s protocol.

    Data: SID, SRID, T_C
    Result: Obtains SID_old, SRID_old
    Obtains SID using Algorithm 1
    Obtains SRID using Algorithm 2
    SID_old = SID − T_C
    SRID_old = SRID − T_C

5. Improved protocol: LAPCHS

Here we remedy the security weaknesses of Fan et al.'s protocol, which leads to a new security protocol for cloud-based health-care systems called LAPCHS. Our focus in this section is to fix the security flaws of Fan et al.'s protocol, not to design a protocol from scratch; therefore the main structure of Fan et al.'s protocol is preserved in the proposed protocol.

The LAPCHS protocol includes three phases: the initialization phase, the authentication phase and the updating phase. The last two phases are represented in detail in Fig. 8.

Initialization Phase: In this phase the administrator generates two 512-bit or larger prime numbers p and q, computes n = p·q and stores p, q and n in the reader. The administrator then stores the tag's pseudonym SID and its secret key x in each tag, and stores the reader's pseudonym SRID and its secret value y in the reader. For each tag, the administrator stores its SID and x' = x² mod n in the tag's index data table in the cloud server, and sets SID_old and x'_old both to 0. For each reader, the administrator likewise stores SRID and y' = y² mod n in the reader's index data table in the cloud server, and sets SRID_old and y'_old both to 0. Only the reader holds the factorization p, q of n; the cloud server holds only squares modulo n.

Authentication Phase: This phase of the protocol starts with the reader, as below:

1. Reader → Tag: Query, T_R
   The reader sends Query and the current timestamp T_R to the tag.
2. Tag → Reader: M_T1, M_T2, N
   On receiving the message, the tag generates a random number N, computes M_T1 = PRNG(T_R ⊕ SID) ⊕ SID and M_T2 = PRNG((x ⊕ T_R) ∥ N), and sends N, M_T1 and M_T2 to the reader.
3. Reader → Cloud: M_R1, M_R2, M_T1, N, T_R
   On receipt of the message, the reader computes M_R1 = PRNG(T_R ⊕ SRID) ⊕ SRID, y' = y² mod n and M_R2 = PRNG(y' ⊕ T_R), and transmits them along with N, M_T1 and T_R to the cloud server.
4. Cloud → Reader: x' ⊕ y', T_C
   When the message is received, the cloud server checks the freshness of T_R against its own clock T_S, i.e. whether T_th1 < T_S − T_R < T_th2 holds. If so, it searches its reader's index data table for the SRID that corresponds to M_R1 (the current and the old value of each record are both tried). If it finds a match, it extracts the reader's y', computes M'_R2 = PRNG(y' ⊕ T_R) and checks whether M'_R2 == M_R2. If so, it authenticates the reader. It then searches its tag's index data table for the SID that corresponds to M_T1. If it finds such a record, it extracts the related x' and transmits x' ⊕ y' along with its current timestamp T_C to the reader.
5. Reader → Tag: M_T3, T_C
   When the reader receives the message, it retrieves x' as (x' ⊕ y') ⊕ y', then solves x' = x² mod n using p and q and finds the four solutions x_1, x_2, x_3 and x_4. For each solution x_j it computes M'_T2 = PRNG((x_j ⊕ T_R) ∥ N) and checks whether any M'_T2 equals M_T2. If so, the reader successfully authenticates the tag. The reader then computes M_T3 = PRNG(x ⊕ N) and sends it along with T_C to the tag.
6. Tag: if the tests succeed, the tag authenticates the reader.
   On receiving the message, the tag calculates M'_T3 = PRNG(x ⊕ N) and checks whether M'_T3 == M_T3. If so, the tag successfully authenticates the reader. This is the reason why only the legitimate reader, who knows the factorization p, q of n, can solve x' = x² mod n.

Updating Phase: This phase of the protocol starts with the tag, as below:

1. Tag → Reader: A_T1
   The tag computes SID_new = PRNG(SID + T_C), x_new = PRNG(x ⊕ T_C) ⊕ T_C and A_T1 = PRNG(SID_new ⊕ T_R), and sends A_T1 to the reader as an updating notification.
2. Reader → Cloud: A_R1, A_R2, A_T1, A_T2
   After receiving the message, in order to update the tag's record in the cloud server, the reader computes x_new = PRNG(x ⊕ T_C) ⊕ T_C and x'_new = x_new² mod n. It also calculates SRID_new = PRNG(SRID + T_C), y_new = PRNG(y ⊕ T_C) ⊕ T_C and y'_new = y_new² mod n. It then computes A_R1 = PRNG(y' ⊕ SRID_new ⊕ T_R), A_R2 = PRNG(T_R ⊕ SRID_new) ⊕ SRID_new ⊕ y'_new and A_T2 = PRNG(T_R ⊕ SRID_new) ⊕ x'_new, and sends them together with the tag's A_T1 to the cloud server.
3. Cloud → Reader: A_R3, A_T3
   As soon as the message is received, the cloud server first calculates SRID_new = PRNG(SRID + T_C) and checks whether PRNG(y' ⊕ SRID_new ⊕ T_R) == A_R1. If so, the cloud server retrieves y'_new from A_R2 as y'_new = A_R2 ⊕ PRNG(T_R ⊕ SRID_new) ⊕ SRID_new and updates its reader's index data table as y'_old ← y', y' ← y'_new, SRID_old ← SRID and SRID ← SRID_new. Second, it computes SID_new = PRNG(SID + T_C) and checks whether PRNG(SID_new ⊕ T_R) == A_T1. If so, the cloud server retrieves x'_new from A_T2 as x'_new = A_T2 ⊕ PRNG(T_R ⊕ SRID_new) and updates its tag's index data table as x'_old ← x', x' ← x'_new, SID_old ← SID and SID ← SID_new. It then computes A_R3 = PRNG(y'_new ⊕ SRID_new ⊕ T_R) and A_T3 = PRNG(SID_new ⊕ N) ⊕ PRNG(x'_new ⊕ T_R), and transmits them to the reader.
4. Reader → Tag: A_T4
   Upon receiving the message, the reader first checks whether PRNG(y'_new ⊕ SRID_new ⊕ T_R) == A_R3. If so, the cloud server has successfully updated its reader's index data table, and the reader updates its SRID and y to SRID_new and y_new respectively. It then calculates A_T4 = A_T3 ⊕ PRNG(x'_new ⊕ T_R) and transmits it to the tag.
5. Tag: if the test succeeds, the tag updates its secret values.
   On receiving the message, the tag checks whether PRNG(SID_new ⊕ N) == A_T4. If so, the cloud server has successfully updated its tag's index data table, and the tag also updates its SID and x to SID_new and x_new respectively.

6. LAPCHS security analysis

In this section, using informal and formal methods and by performing simulations, we show that the proposed protocol LAPCHS provides a high level of security and privacy protection.


Fig. 9. The LAPCHS protocol written in HLPSL (a) The reader role in HLPSL specification; (b) The tag role in HLPSL specification; (c) The simulation results by the OFMC security
checker; (d) The simulation results by the Cl-AtSe security checker.
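Before the analysis, the authentication and updating phases of Section 5 as a runnable model. This is an added example written for this page, not the authors' implementation. Tag, reader and cloud are plain dictionaries and each numbered comment refers to the message of that number in the protocol description. Everything the paper leaves open is an assumption here: PRNG is modelled as SHA-256 truncated to 128 bits; the Rabin modulus n uses the Mersenne primes 2^89 − 1 and 2^107 − 1 (both 3 mod 4, so square roots are a single modular exponentiation each) instead of 512-bit primes, which still keeps n > 2^128 so that every updated x_new and y_new lies below n; timestamps are integers, the cloud's clock T_S is passed in explicitly, and the thresholds T_th1, T_th2 are taken as a window of five time units.

```python
"""LAPCHS authentication and updating phases (Section 5) as an added,
runnable model written for this page; it is not the authors' code.
Assumptions not in the paper: PRNG = SHA-256 truncated to 128 bits; the
Rabin modulus uses the Mersenne primes 2^89-1 and 2^107-1 (both 3 mod 4)
instead of 512-bit primes, keeping n > 2^128 so updated secrets stay
below n; timestamps are integers and T_R may be at most 5 units old."""
import hashlib, secrets

P, Q = 2**89 - 1, 2**107 - 1            # toy Rabin primes (assumption)
N_MOD = P * Q                            # n in the paper

def prng(*parts):
    """PRNG(a || b || ...): 32-byte big-endian fields, SHA-256, 128 bits."""
    data = b"".join(p.to_bytes(32, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sqrt_mod_n(c):
    """All four square roots of c mod p*q, using p = q = 3 (mod 4) and CRT."""
    rp, rq = pow(c, (P + 1) // 4, P), pow(c, (Q + 1) // 4, Q)
    def crt(a, b):
        return (a * Q * pow(Q, -1, P) + b * P * pow(P, -1, Q)) % N_MOD
    return {crt(sp * rp % P, sq * rq % Q) for sp in (1, -1) for sq in (1, -1)}

def setup():
    """Initialization: the cloud stores only the squares x' and y'."""
    sid, x, srid, y = (secrets.randbits(128) for _ in range(4))
    cloud = {"tags": [{"SID": sid, "x2": pow(x, 2, N_MOD)}],
             "readers": [{"SRID": srid, "y2": pow(y, 2, N_MOD)}]}
    return {"SID": sid, "x": x}, {"SRID": srid, "y": y}, cloud

def authenticate(tag, reader, cloud, t_r, t_s):
    """Authentication phase (t_r = T_R, t_s = cloud clock); returns the
    session state needed by update(), or None when a check fails."""
    n = secrets.randbits(64)                               # 1-2: Query,T_R / M_T1,M_T2,N
    m_t1 = prng(t_r ^ tag["SID"]) ^ tag["SID"]
    m_t2 = prng(tag["x"] ^ t_r, n)
    y2 = pow(reader["y"], 2, N_MOD)                        # 3: M_R1, M_R2, M_T1, N, T_R
    m_r1 = prng(t_r ^ reader["SRID"]) ^ reader["SRID"]
    m_r2 = prng(y2 ^ t_r)
    if not 0 <= t_s - t_r < 5:                             # 4: T_th1 < T_S - T_R < T_th2
        return None
    rec_r = next((r for r in cloud["readers"]              # current or old copy
                  if prng(t_r ^ r["SRID"]) ^ r["SRID"] == m_r1), None)
    if rec_r is None or prng(rec_r["y2"] ^ t_r) != m_r2:
        return None
    rec_t = next((t for t in cloud["tags"]
                  if prng(t_r ^ t["SID"]) ^ t["SID"] == m_t1), None)
    if rec_t is None:
        return None
    masked, t_c = rec_t["x2"] ^ rec_r["y2"], t_s           # Cloud -> Reader: x'^y', T_C
    x = next((r for r in sqrt_mod_n(masked ^ y2)           # 5: only p, q give the roots
              if prng(r ^ t_r, n) == m_t2), None)
    if x is None:
        return None
    m_t3 = prng(x ^ n)                                     # Reader -> Tag: M_T3, T_C
    if prng(tag["x"] ^ n) != m_t3:                         # 6: tag authenticates reader
        return None
    return {"N": n, "x": x, "y2": y2, "T_C": t_c, "rec_r": rec_r, "rec_t": rec_t}

def update(tag, reader, cloud, s, t_r):
    """Updating phase; the cloud keeps the old copy next to the new one."""
    n, t_c, rec_r, rec_t = s["N"], s["T_C"], s["rec_r"], s["rec_t"]
    sid_new = prng(tag["SID"] + t_c)                       # 1: A_T1
    x_new_tag = prng(tag["x"] ^ t_c) ^ t_c
    a_t1 = prng(sid_new ^ t_r)
    x_new = prng(s["x"] ^ t_c) ^ t_c                       # 2: A_R1, A_R2, A_T1, A_T2
    x2_new, srid_new = pow(x_new, 2, N_MOD), prng(reader["SRID"] + t_c)
    y_new = prng(reader["y"] ^ t_c) ^ t_c
    y2_new = pow(y_new, 2, N_MOD)
    a_r1 = prng(s["y2"] ^ srid_new ^ t_r)
    a_r2 = prng(t_r ^ srid_new) ^ srid_new ^ y2_new
    a_t2 = prng(t_r ^ srid_new) ^ x2_new
    srid_c = prng(rec_r["SRID"] + t_c)                     # 3: cloud checks, then updates
    if prng(rec_r["y2"] ^ srid_c ^ t_r) != a_r1:
        return False
    y2_c = a_r2 ^ prng(t_r ^ srid_c) ^ srid_c
    cloud["readers"] = [{"SRID": srid_c, "y2": y2_c}, rec_r]
    sid_c = prng(rec_t["SID"] + t_c)
    if prng(sid_c ^ t_r) != a_t1:
        return False
    x2_c = a_t2 ^ prng(t_r ^ srid_c)
    cloud["tags"] = [{"SID": sid_c, "x2": x2_c}, rec_t]
    a_r3 = prng(y2_c ^ srid_c ^ t_r)                       # Cloud -> Reader: A_R3, A_T3
    a_t3 = prng(sid_c ^ n) ^ prng(x2_c ^ t_r)
    if prng(y2_new ^ srid_new ^ t_r) != a_r3:              # 4: reader checks A_R3
        return False
    reader["SRID"], reader["y"] = srid_new, y_new
    a_t4 = a_t3 ^ prng(x2_new ^ t_r)                       # Reader -> Tag: A_T4
    if prng(sid_new ^ n) != a_t4:                          # 5: tag checks A_T4
        return False
    tag["SID"], tag["x"] = sid_new, x_new_tag
    return True

def run_session(tag, reader, cloud, t_r):
    """One full session: authentication followed by the updating phase."""
    s = authenticate(tag, reader, cloud, t_r, t_r + 1)
    return s is not None and update(tag, reader, cloud, s, t_r)
```

run_session performs one authentication followed by one update. Two behaviours worth checking with it: a stale T_R is rejected by the cloud in step 4 before any table lookup, and because the cloud keeps the previous copy of each record, a tag that never received A_T4 (and therefore still holds its old SID and x) is still authenticated in the next session through the old copy, which is the property the de-synchronization argument in Section 6.1 relies on.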

6.1. Informal proof

Here we show that the LAPCHS protocol is resistant against the tag and reader secret disclosure attack, the forward secrecy contradiction attack, the tag impersonation attack and the reader impersonation attack presented in this paper. We also show that it provides sufficient security against other attacks such as de-synchronization and replay attacks.

Secret Values Disclosure Attack
Since the vulnerabilities presented in this paper are due to the use of Rot(x, y) = (x ⊕ y)⋘ℓ with ℓ = y mod L in the transferred messages of Fan et al.'s protocol, the proposed protocol does not use such a Rot(x, y) function and uses a PRNG function with 128-bit output instead. The linear relation of Eq. (1), which let the adversary recover the secret bit by bit, therefore no longer exists: the secret identifier appears only as a PRNG input or masked by a PRNG output that changes with T_R in every session. Hence the secret value disclosure attacks proposed in this paper are ineffective against LAPCHS, and it resists secret value disclosure attacks of this kind.


Fig. 10. The LAPCHS protocol written in SPDL.

Forward Secrecy Contradiction Attack
As mentioned before, we used a PRNG function with 128-bit output instead of Rot(x, y) = (x ⊕ y)⋘ℓ, and also changed the SID and SRID update equations to SID_new = PRNG(SID + T_C) and SRID_new = PRNG(SRID + T_C) respectively. Since it is not feasible to retrieve x from PRNG(x), because PRNG is a one-way function, the previous identifier cannot be computed from the current one and the eavesdropped T_C, and the forward secrecy contradiction attack presented in this paper does not affect LAPCHS.

Impersonation and Replay Attacks
In LAPCHS, M_T1 and M_T2 depend on T_R, which is freshly generated in every session. The tag also generates a random number N and sends it to the reader, and the reader computes M_T3 from it. Thus the attacker cannot use the authentication messages of previous sessions, i.e. M_T1, M_T2 and M_T3, to authenticate itself as a legitimate reader to the tag.

The vulnerability of Fan et al.'s protocol to the tag impersonation attack is due to sending x' = x² mod n openly over the insecure channel, whereas in the LAPCHS protocol it is sent over the insecure channel masked as x' ⊕ y'. If the adversary follows the tag impersonation attack scenario presented in this paper, generates random u' and v' in place of x' and y', and sends u' ⊕ v' to the reader as x' ⊕ y', the reader unmasks a value whose square roots (if it has any) do not reproduce the received M_T2, so it detects the forgery and does not authenticate the tag.

Besides, the computation of the update messages depends on T_C, T_R and N, so replaying them cannot lead to de-synchronization, and the cloud server would not accept them. As a result, the LAPCHS protocol resists the impersonation and replay attacks considered here.

De-synchronization Attack
As discussed above for impersonation and replay attacks, the attacker cannot cause de-synchronization by replaying old update messages, nor can s/he disrupt the synchronization by blocking the update messages, because the cloud server holds two copies, old and new, of the secret


Fig. 11. The verification result of the LAPCHS’s security claims using the Scyther tool.

values. Moreover, the update messages are computed from the secret values of the session together with T_C, T_R and N, so the attacker cannot forge them. Therefore the proposed protocol is resistant against the de-synchronization attack.

Table 2
Scyther tool security claims.

Security claim: Description
Secret: the term claimed as Secret must be protected from unauthorized access in all executions of the protocol, except as defined in the protocol.
Niagree (non-injective agreement): the sender and receiver agree on the values of the shared and secret variables they exchanged.
Nisynch (non-injective synchronisation): the sending and receiving events are executed by the roles in the intended order and with the intended message content.
Alive: when a role claims this event, it is assured that the other agents are alive, i.e. have already executed some event.

6.2. Formal proof

Here, using the RoR model, we prove that the LAPCHS protocol is secure.

6.2.1. Security proof in the RoR model

To provide a formal security proof of LAPCHS, in this section we analyse its security in the Real-or-Random (RoR) oracle model, a widely accepted approach to prove the security of cryptographic protocols. To prove the security of the target protocol 𝒫 in this model, the adversary 𝒜 is allowed to make the following query types [39]:

• Execute query, which models a passive adversary 𝒜 that eavesdrops on the channel.
• Send(S) query, which models an active adversary that sends or modifies messages.
• Test(U_i) query, which models the capability of the adversary 𝒜 to identify the correct session key of U_i.

A bit b is fixed at the beginning of the security evaluation and 𝒜 is expected to guess it, using a clever choice of queries, to win the game. Finally 𝒜 outputs its prediction of b as b_0. This game is called semantic security in the Real-or-Random (RoR) sense. Assuming 𝒜 runs in time upper-bounded by t and makes at most R queries, its advantage in winning this game, Adv^RoR_{𝒜,𝒫}(t, R), is defined as

$$\mathrm{Adv}^{RoR}_{\mathcal{A},\mathcal{P}}(t,R) = \Pr[\mathcal{A} \rightarrow b_0 = 1 \mid b = 1] - \Pr[\mathcal{A} \rightarrow b_0 = 1 \mid b = 0]$$

The target protocol 𝒫 offers RoR semantic security if Adv^RoR_{𝒜,𝒫}(t, R) < ε(·), where ε(·) is some negligible function; the maximum advantage is taken over all adversaries 𝒜 with these resources.

Theorem 1. The upper bound of the adversary's advantage in distinguishing LAPCHS (the real protocol RP) from an ideal protocol RW, after q_exe, q_send and q_test queries to the Execute, Send and Test oracles of LAPCHS/RW respectively, is as follows:

$$\mathrm{Adv}^{RoR}_{\mathcal{A},RP}(t, q_{exe}, q_{test}, q_{send}) - \mathrm{Adv}^{RoR}_{\mathcal{A},RW}(t, q_{exe}, q_{test}, q_{send}) \leq$$


Fig. 12. The communication cost of LAPCHS compared to other similar protocols.

$$2q\,\varepsilon_{QR} + 12q\,\varepsilon_{PRNG} + \frac{(12q)^2 + (6q)^2}{2^{l}} + \frac{(6q)^2}{2^{n}} = 2q\,\varepsilon_{QR} + 12q\,\varepsilon_{PRNG} + \frac{180\,q^2}{2^{l}} + \frac{36\,q^2}{2^{n}}$$

where ε_QR denotes the maximum advantage of solving the quadratic residue problem on each query, ε_PRNG denotes the maximum advantage of contradicting the indistinguishability of the used PRNG(·) from a truly random function, and q = q_exe + q_test + q_send. In addition, l denotes the minimum input length of PRNG in this protocol and n is its output length (in this theorem and its proof, n is the PRNG output length, not the modulus n = p·q).

Table 3
Security comparison.

Protocol            | A1 | A2 | A3 | A4 | A5
Gholami et al. [32] | ✓  | ✓  | ✓  | ✓  | ✓
Chen et al. [29]    | ✓  | ✓  | ✓  | ✓  | ✓
Chiou et al. [40]   | ✓  | ✓  | ✓  | ✓  | ✓
Mansoor et al. [41] | ✓  | ✓  | ✗  | ✓  | ✓
Xiao et al. [36]    | ✓  | ✓  | ✓  | ✓  | ✓
Fan et al. [38]     | ✗  | ✗  | ✗  | ✗  | ✗
LAPCHS              | ✓  | ✓  | ✓  | ✓  | ✓

A1: Secret Disclosure attack; A2: Backward/Forward Secrecy Contradiction Attack; A3: De-synchronization attack; A4: Impersonation and Replay Attacks; A5: Traceability attack and Anonymity; ✓: Resistant; ✗: Vulnerable.

Table 4
Complexity comparison, in terms of the number of calls to each function; z denotes the number of tags registered in the cloud server.

Protocol            | F1  | F2   | F3 | F4 | F5 | F6 | F7 | F8
Gholami et al. [32] | 0   | 0    | 7  | 22 | 0  | 0  | 0  | 0
Chen et al. [29]    | 0   | 0    | 23 | 19 | 0  | 0  | 0  | 33
Chiou et al. [40]   | 0   | 10   | 10 | 0  | 6  | 2  | 0  | 0
Mansoor et al. [41] | 0   | 0    | 6  | 8  | 0  | 0  | 2  | 22
Xiao et al. [36]    | 0   | 0    | 10 | 15 | 0  | 0  | 4  | 25
Fan et al. [38]     | 8+z | 17   | 33 | 0  | 3  | 1  | 0  | 0
LAPCHS              | 0   | 29+z | 45 | 0  | 3  | 1  | 0  | 2

F1: # of Rot; F2: # of PRNG; F3: # of ⊕; F4: # of h(·); F5: # of modulo squaring; F6: # of square root solving; F7: # of E(·)/D(·); F8: # of concatenation.

Proof. To prove the theorem we follow the game-based approach already used in [39,42,43]. In this approach a series of games 𝒢 is defined to bound the adversary's advantage in distinguishing the real world from the random one, starting from the random world RW and ending in the real world, here LAPCHS. To measure what the adversary gains when switching from game 𝒢_{n−1} to game 𝒢_n, an event Adv^{RoR−𝒢_n}_{𝒜,𝒫}(t, R) is defined, corresponding to the adversary's advantage in correctly guessing the hidden bit b. It should be noted that the structure of the trivial messages, e.g. timestamps, is kept identical in both worlds.

Game 𝒢_0: This game exactly defines RW. Hence any transferred message is a truly random string of the required length, selected uniformly at random from the related domain, and

$$\mathrm{Adv}^{RoR-\mathcal{G}_0}_{\mathcal{A},RW}(t,R) = 0$$

Game 𝒢_1: Compared to 𝒢_0, in 𝒢_1 wherever a transferred message has the structure PRNG(·) ⊕ x we replace PRNG(·) by a truly random value but preserve the rest of the message. For example, M_T1 = PRNG(T_R ⊕ SID) ⊕ SID is modified to M_T1 = RAND ⊕ SID, where RAND is a fresh random string of the same length as PRNG(T_R ⊕ SID). We make the same modification to M_R1 = PRNG(T_R ⊕ SRID) ⊕ SRID, A_R2 = PRNG(T_R ⊕ SRID_new) ⊕ SRID_new ⊕ y'_new, A_T4 = A_T3 ⊕ PRNG(x'_new ⊕ T_R), A_T3 = PRNG(SID_new ⊕ N) ⊕ PRNG(x'_new ⊕ T_R), x_new = PRNG(x ⊕ T_C) ⊕ T_C and y_new = PRNG(y ⊕ T_C) ⊕ T_C. From information theory it is clear that the entropy of RAND and of RAND ⊕ x are identical for any value of x. Hence this modification does not increase the adversary's advantage, and

$$\mathrm{Adv}^{RoR-\mathcal{G}_0}_{\mathcal{A},RW}(t,R) = \mathrm{Adv}^{RoR-\mathcal{G}_1}_{\mathcal{A},RW}(t,R)$$

Game 𝒢_2: This game is identical to 𝒢_1 except that any message which is computed purely by PRNG(·) in the real world is also computed in that way in 𝒢_2. Hence we compute these messages as M_T2 = PRNG((x ⊕ T_R) ∥ N), M_R2 = PRNG(y' ⊕ T_R), M_T3 = PRNG(x ⊕ N), A_T1 = PRNG(SID_new ⊕ T_R), A_R1 = PRNG(y' ⊕ SRID_new ⊕ T_R) and A_R3 = PRNG(y'_new ⊕ SRID_new ⊕ T_R). The inputs of these PRNG(·) calls change in every session, so this game cannot be distinguished from 𝒢_1 unless the adversary can distinguish PRNG(·) from an ideal random generator or finds a collision in the input of PRNG(·). Therefore

$$\mathrm{Adv}^{RoR-\mathcal{G}_2}_{\mathcal{A},RW}(t,R) - \mathrm{Adv}^{RoR-\mathcal{G}_1}_{\mathcal{A},RW}(t,R) \leq 6q\,\varepsilon_{PRNG} + \frac{(6q)^2}{2^{l}}$$

where q = q_exe + q_test + q_send and l is the minimum input length of PRNG(·) in those messages.

Game 𝒢_3: In this game we replace the random values introduced in 𝒢_1 by PRNG(·) again. As in 𝒢_2, the inputs of the PRNG(·) calls in the involved messages change in every session, so this game cannot be distinguished from 𝒢_2 unless the adversary can distinguish PRNG(·) from an ideal random generator or there is a collision in the input or the output of PRNG(·). Therefore

$$\mathrm{Adv}^{RoR-\mathcal{G}_3}_{\mathcal{A},RW}(t,R) - \mathrm{Adv}^{RoR-\mathcal{G}_2}_{\mathcal{A},RW}(t,R) \leq 6q\,\varepsilon_{PRNG} + \frac{(12q)^2}{2^{l}} + \frac{(6q)^2}{2^{n}}$$

where n denotes the output length of PRNG(·).

Game 𝒢_4: In this game we use the quadratic residue to compute x'_new = x_new² mod n and y'_new = y_new² mod n (here n is the modulus p·q). Since x_new = PRNG(x ⊕ T_C) ⊕ T_C and y_new = PRNG(y ⊕ T_C) ⊕ T_C, we have already bounded the adversary's advantage in distinguishing them from random values.


Fig. 13. The computational cost of LAPCHS compared to other similar protocols for 𝑧 = 100, as the number of the tags registered in the cloud server.

Table 5
Computational and communication cost comparison, where z, the number of tags on the server, is taken as 100 in the calculations.

Protocol            | Communication cost (bits)               | Computational cost (ms): Server   | Reader                        | Tag
Gholami et al. [32] | 36l_id + 2l_h + 4l_r = 1280             | 3T_h + 4T_png = 1.6               | 3T_h = 0.76                   | 4T_png = 0.08
Chen et al. [29]    | 3l_id + 2l_r + 10l_h + 7l_t = 1920      | 9T_h = 2.28                       | 2T_h = 0.51                   | 8T_h = 2.02
Chiou et al. [40]   | 3l_id + 3l_p + 2l_t + 3l_m = 4000       | 5T_png + 2T_m + 2T_slv = 10.86    | 5T_png + 2T_m = 3.86          | 2T_png + 2T_m = 3.83
Mansoor et al. [41] | l_id + 3l_r + 6l_h + 5l_t + 4l_e = 1728 | 4T_h + 2T_enc = 18.41             | 2T_h = 0.51                   | 2T_h = 0.51
Xiao et al. [36]    | l_id + 2l_r + 6l_h + 3l_e = 1376        | 2T_h + T_enc = 9.21               | 8T_h + 3T_enc = 28.12         | 2T_h = 1.52
Fan et al. [38]     | 5l_id + 9l_p + 4l_t + l_m + l_q = 2800  | 6T_png = 0.13                     | 7T_png + 3T_m + T_slv = 9.32  | 4T_png = 0.09
LAPCHS              | 14l_p + 2l_r + 4l_t + l_m + l_q = 3072  | (9 + z)T_png = 2.289              | 13T_png + 3T_m + T_slv = 9.44 | 7T_png = 0.15

Hence the adversary is able to distinguish this game only if s/he can solve the quadratic residue challenge. Therefore

$$\mathrm{Adv}^{RoR-\mathcal{G}_4}_{\mathcal{A},RW}(t,R) - \mathrm{Adv}^{RoR-\mathcal{G}_3}_{\mathcal{A},RW}(t,R) \leq 2q\,\varepsilon_{QR}$$

This game is identical to LAPCHS, because we follow its structure for every transferred message. Summing the differences of the four game transitions, which telescope, and using Adv^{RoR−𝒢_0}_{𝒜,RW}(t, R) = 0, gives

$$\mathrm{Adv}^{RoR}_{\mathcal{A},LAPCHS}(t,R) - \mathrm{Adv}^{RoR}_{\mathcal{A},RW}(t,R) \leq \mathrm{Adv}^{RoR-\mathcal{G}_4}_{\mathcal{A},RW}(t,R) - \mathrm{Adv}^{RoR-\mathcal{G}_0}_{\mathcal{A},RW}(t,R) \leq 2q\,\varepsilon_{QR} + 12q\,\varepsilon_{PRNG} + \frac{(12q)^2 + (6q)^2}{2^{l}} + \frac{(6q)^2}{2^{n}} = 2q\,\varepsilon_{QR} + 12q\,\varepsilon_{PRNG} + \frac{180\,q^2}{2^{l}} + \frac{36\,q^2}{2^{n}}$$

which completes the proof. □

6.3. Simulations

In this section the LAPCHS protocol is simulated using the AVISPA [44] and Scyther [45] tools.

6.3.1. AVISPA tool

The AVISPA tool receives the protocol in the High-Level Protocol Specification Language (HLPSL) [46]; its hlpsl2if translator converts the HLPSL specification into the Intermediate Format (IF), and the security verification result is generated under four back-ends: OFMC (on-the-fly model checker), CL-AtSe (constraint-logic-based attack searcher), SATMC (SAT-based model checker) and TA4SP (tree automata-based protocol analyser). Finally it reports whether the security protocol is safe or not against various attacks in the Dolev–Yao (DY) adversary model [47].

The HLPSL specification of LAPCHS comprises five roles: (1) the role reader, played by R; (2) the role tag, played by T; (3) the role cloud, played by C; (4) the role session, describing how the participants are combined; and (5) the role environment, which includes the initial knowledge of the intruder and the scenario to be executed. The goal section states the security properties of the LAPCHS protocol. The headers of the roles contain the agents, nonces, functions and send/receive channels of the Dolev–Yao (DY) model [47].

Fig. 9 shows the HLPSL specification of the LAPCHS roles and the security analysis results of the LAPCHS protocol by the AVISPA tool. The figure shows the results of the OFMC and CL-AtSe back-ends, which report the LAPCHS protocol as SAFE and confirm that all specified security goals are met.

6.3.2. Scyther tool

In this paper we also used the Scyther tool [45] for the security analysis of the LAPCHS protocol. The Scyther tool receives a protocol as input in the Security Protocol Description Language (SPDL) and detects possible attacks and protocol behaviours based on its different attack scenarios.


Fig. 14. Numerical results of the proposed 𝑆𝐼𝐷 disclosure attack against Fan et al.’s protocol.

The fundamental component of a security protocol in SPDL is its security claims, which are analysed by the Scyther tool. The security claims of Scyther and their descriptions are listed in Table 2.

The LAPCHS protocol in the Scyther language, i.e. the Security Protocol Description Language (SPDL), and the security verification result of the LAPCHS protocol are shown in Fig. 10 and Fig. 11 respectively. It can be seen that all the security claims of this protocol are verified correctly.

7. Performance comparison

In this section we compare our proposed protocol, LAPCHS, with other similar protocols. In Tables 3–5 we compare the security properties, the computational time and the communication cost of the LAPCHS protocol with similar protocols in this area, respectively. For comparison we used protocols that are similar in the type of operations used in Fan et al.'s protocol and LAPCHS, and omitted protocols that are quite different in the operations used. Table 3 shows that LAPCHS, unlike Fan et al.'s protocol, meets all the listed security features.

Following [40], the symbols used in Tables 4 and 5 are as follows: l_id is the length of SID, SRID and ID (e.g. 96 bits); l_h the output length of the hash function (e.g. 128 bits); l_e the output length of the symmetric encryption/decryption function (e.g. 128 bits); l_t the length of a timestamp (e.g. 32 bits); l_m the length of a modular square (e.g. 1024 bits); l_r the length of a random number (e.g. 64 bits); l_p the output length of PRNG (e.g. 128 bits); l_q the length of a query or Hello message (e.g. 16 bits); T_h the time required for a hash operation; T_enc the time required for an encryption/decryption operation; T_png the time required for a PRNG call; T_rot the time required for a rotation; T_xor the time required for an exclusive-OR (XOR); T_m the time required for a modular squaring; T_con the time required for a concatenation; and T_slv the time required for solving a square root. Based on [48], in an experimental environment with an Intel Core i5 2.30 GHz processor and 4 GB of RAM, the computation times of the hash function, symmetric encryption/decryption, modular squaring, square root solving and PRNG are 0.253 ms, 8.7 ms, 1.896 ms, 3.481 ms and 0.021 ms, respectively. We ignored the computation time of Rot, XOR and concatenation for all protocols, because these operations are ultra-lightweight and not costly.

As can be seen in Tables 4 and 5 and Figs. 12 and 13, the cost of the LAPCHS protocol on the tag side is among the smallest, and on the reader and server sides it is reasonable compared with the other related protocols. If the number of tags in the database increases, the server's computational cost grows linearly in the number of tags, because the server identifies the tag by searching its table (the z term in Table 4); servers, however, are usually not computationally constrained, and this increase in server cost is acceptable for many applications, since it is the price paid for security against the known active and passive attacks, including privacy preservation (see Table 3).


8. Conclusion

In this paper we presented a heuristic and efficient reader and tag secret identifier disclosure attack, a forward secrecy contradiction attack, and reader and tag impersonation attacks against a cloud-based RFID health-care authentication protocol. The success probability of each attack presented in this paper is one, and its complexity is only the eavesdropping of two sessions, the interruption of one protocol message and some negligible computation.

We also proposed a new secure cloud-based RFID authentication protocol for use in health-care systems, named LAPCHS. Our informal and formal security analysis of the LAPCHS protocol in the Real-or-Random (RoR) model, together with security simulations in the AVISPA and Scyther tools, showed a suitable security level against different attacks.

Examining the security of protocols and presenting attacks against them assists the development of the science of designing security protocols. It also makes protocol designers aware of these attack scenarios, which are largely based on the creativity of the analyst, so that they can design their protocols to be resistant against different active and passive attacks.

CRediT authorship contribution statement

Fahimeh Nikkhah: Conception and design of study, Acquisition of data, Analysis and/or interpretation of data, Software, Writing - original draft, Writing - review & editing. Masoumeh Safkhani: Conception and design of study, Acquisition of data, Analysis and/or interpretation of data, Validation, Supervision, Formal analysis, Writing - original draft, Writing - review & editing.

References

[10] H.-Y. Chien, SASI: a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity, IEEE Trans. Dependable Secur. Comput. 4 (4) (2007) 337–340.
[11] S. Kumar, C. Paar, Are standards compliant elliptic curve cryptosystems feasible on RFID, in: Workshop on RFID Security, Citeseer, 2006, pp. 12–14.
[12] S. Sundaresan, R. Doss, S. Piramuthu, W. Zhou, A secure search protocol for low cost passive RFID tags, Comput. Netw. 122 (2017) 70–82.
[13] P. Gope, J. Lee, T.Q. Quek, Lightweight and practical anonymous authentication protocol for RFID systems using physically unclonable functions, IEEE Trans. Inf. Forensics Secur. 13 (11) (2018) 2831–2843.
[14] P. Gope, R. Amin, S.H. Islam, N. Kumar, V.K. Bhalla, Lightweight and privacy-preserving RFID authentication scheme for distributed IoT infrastructure with secure localization services for smart city environment, Future Gener. Comput. Syst. 83 (2018) 629–637.
[15] R. Doss, R. Trujillo-Rasua, S. Piramuthu, Secure attribute-based search in RFID-based inventory control systems, Decis. Support Syst. (2020) 113270.
[16] W. Zhang, S. Liu, S. Wang, B. Yi, L. Wu, An efficient lightweight RFID authentication protocol with strong trajectory privacy protection, Wirel. Pers. Commun. 96 (1) (2017) 1215–1228.
[17] M. Khalid, U. Mujahid, N.-u.-I. Muhammad, Ultralightweight RFID authentication protocols for low-cost passive RFID tags, Secur. Commun. Netw. 2019 (2019).
[18] H. Luo, G. Wen, J. Su, Z. Huang, SLAP: succinct and lightweight authentication protocol for low-cost RFID system, Wirel. Netw. (2018).
[19] K. Fan, N. Ge, Y. Gong, H. Li, R. Su, Y. Yang, An ultra-lightweight RFID authentication scheme for mobile commerce, Peer-to-Peer Netw. Appl. 10 (2) (2017) 368–376.
[20] P. Gope, Y. Gheraibia, S. Kabir, B. Sikdar, A secure IoT-based modern healthcare system with fault-tolerant decision making process, IEEE J. Biomed. Health Inf. (2020).
[21] M. Shuai, B. Liu, N. Yu, L. Xiong, Lightweight and secure three-factor authentication scheme for remote patient monitoring using on-body wireless networks, Secur. Commun. Netw. 2019 (2019).
[22] F. Wang, G. Xu, G. Xu, Y. Wang, J. Peng, A robust IoT-based three-factor authentication scheme for cloud computing resistant to session key exposure, Wirel. Commun. Mob. Comput. 2020 (2020).
[23] C.-T. Li, C.-C. Lee, C.-Y. Weng, A secure cloud-assisted wireless body area
Declaration of competing interest network in mobile emergency medical care system, J. Med. Syst. 40 (5) (2016)
117.
[24] C.-T. Li, C.-C. Lee, C.-Y. Weng, An extended chaotic maps based user au-
The authors declare that they have no known competing finan-
thentication and privacy preserving scheme against DoS attacks in pervasive
cial interests or personal relationships that could have appeared to
and ubiquitous computing environments, Nonlinear Dynam. 74 (4) (2013)
influence the work reported in this paper. 1133–1143.
[25] C.-C. Lee, C.-W. Hsu, Y.-M. Lai, A. Vasilakos, An enhanced mobile-healthcare
Acknowledgments emergency system based on extended chaotic maps, J. Med. Syst. 37 (5) (2013)
9973.
We would like to thank Dr. Negin Daneshpour for her valuable [26] K. Fan, W. Jiang, H. Li, Y. Yang, Lightweight RFID protocol for medical privacy
protection in IoT, IEEE Trans. Ind. Inf. 14 (4) (2018) 1656–1665.
comments, which helped us improve the manuscript.
[27] S.F. Aghili, H. Mala, P. Kaliyar, M. Conti, SecLAP: Secure and lightweight RFID
This work was supported by Shahid Rajaee Teacher Training Uni- authentication protocol for medical IoT, Future Gener. Comput. Syst. 101 (2019)
versity, Iran. 621–634.
[28] M. Safkhani, S. Rostampour, Y. Bendavid, N. Bagheri, IoT in medical & pharma-
References ceutical: Designing lightweight RFID security protocols for ensuring supply chain
integrity, Comput. Netw. 181 (2020) 107558.
[1] C.-T. Li, C.-Y. Weng, C.-C. Lee, A secure RFID tag authentication protocol with [29] X. Chen, D. Geng, J. Zhai, W. Liu, H. Zhang, T. Zhu, Security analysis and
privacy preserving in telecare medicine information system, J. Med. Syst. 39 (8) enhancement of the most recent RFID protocol for telecare medicine information
(2015) 77. system, Wirel. Pers. Comun. (2020).
[2] J. Kang, Lightweight mutual authentication RFID protocol for secure multi-tag [30] M. Benssalah, M. Djeddou, K. Drouiche, Security analysis and enhancement of
simultaneous authentication in ubiquitous environments, J. Supercomput. 75 (8) the most recent RFID authentication protocol for telecare medicine information
(2019) 4529–4542. system, Wirel. Pers. Commun. 96 (4) (2017) 6221–6238.
[3] K. Finkenzeller, RFID Handbook: Fundamentals and Applications in Contactless [31] P. Dass, H. Om, A secure authentication scheme for RFID systems, Procedia
Smart Cards, Radio Frequency Identification and Near-Field Communication, Comput. Sci. 78 (2016) 100–106.
John wiley & sons, 2010. [32] V. Gholami, M.R. Alagheband, Provably privacy analysis and improvements
[4] V. Sureshkumar, R. Amin, M.S. Obaidat, I. Karthikeyan, An enhanced mutual of the lightweight RFID authentication protocols, Wirel. Netw. 26 (3) (2020)
authentication and key establishment protocol for TMIS using chaotic map, J. 2153–2169.
Inf. Secur. Appl. 53 (2020) 102539. [33] S.F. Aghili, H. Mala, Security analysis of an ultra-lightweight RFID authentication
[5] D. Kumar, H.S. Grover, et al., A secure authentication protocol for wearable protocol for m-commerce, Int. J. Commun. Syst. 32 (3) (2019) e3837.
devices environment using ECC, J. Inf. Secur. Appl. 47 (2019) 8–15. [34] F.M. Salem, R. Amin, A privacy-preserving RFID authentication protocol based
[6] P. Dodangeh, A.H. Jahangir, A biometric security scheme for wireless body area on el-gamal cryptosystem for secure TMIS, Inform. Sci. (2019).
networks, J. Inf. Secur. Appl. 41 (2018) 62–74. [35] A. Team, et al., HLPSL tutorial the beginner’s guide to modelling and analysing
[7] L. Sportiello, ‘‘Internet of Smart Cards’’: A pocket attacks scenario, Int. J. Crit. internet security protocols, 2006.
Infrastruct. Prot. 26 (2019) 100302. [36] H. Xiao, A.A. Alshehri, B. Christianson, A cloud-based RFID authenti-
[8] C.-C. Lee, T.-H. Lin, C.-S. Tsai, A new authenticated group key agreement in a cation protocol with insecure communication channels, in: 2016 IEEE
mobile environment, Ann. Telecommun. 64 (11–12) (2009) 735. Trustcom/BigDataSE/ISPA, IEEE, 2016, pp. 332–339.
[9] P. Porambage, A. Braeken, C. Schmitt, A. Gurtov, M. Ylianttila, B. Stiller, [37] K. Fan, Q. Luo, K. Zhang, Y. Yang, Cloud-based lightweight secure RFID mutual
Group key establishment for secure multicasting in IoT-enabled wireless sensor authentication protocol in IoT, Inform. Sci. (2019).
networks, in: 2015 IEEE 40th Conference on Local Computer Networks (LCN), [38] K. Fan, S. Zhu, K. Zhang, H. Li, Y. Yang, A lightweight authentication scheme
IEEE, 2015, pp. 482–485. for cloud-based RFID healthcare systems, IEEE Netw. 33 (2) (2019) 44–49.

17
F. Nikkhah and M. Safkhani Computer Networks 187 (2021) 107833

[39] M. Abdalla, P. Fouque, D. Pointcheval, Password-based authenticated key ex- [47] D. Dolev, A. Yao, On the security of public key protocols, IEEE Trans. Inf. Theory
change in the three-party setting, in: S. Vaudenay (Ed.), Public Key Cryptography 29 (2) (1983) 198–208.
- PKC 2005, 8th International Workshop on Theory and Practice in Public Key [48] Z. Zhou, P. Wang, Z. Li, A quadratic residue-based RFID authentication protocol
Cryptography, Les Diablerets, Switzerland, January 23–26, 2005, Proceedings, with enhanced security for TMIS, J. Ambient Intell. Humaniz. Comput. 10 (9)
in: Lecture Notes in Computer Science, vol. 3386, Springer, 2005, pp. 65–84. (2019) 3603–3615.
[40] S.-Y. Chiou, S.-Y. Chang, An enhanced authentication scheme in mobile RFID
system, Ad Hoc Netw. 71 (2018) 1–13.
[41] K. Mansoor, A. Ghani, S.A. Chaudhry, S. Shamshirband, S.A.K. Ghayyur, A.
Fahimeh Nikkhah received her B.Sc. degree in Computer
Mosavi, Securing IoT-based RFID systems: A robust authentication protocol using
Software from the department of computer engineering at
symmetric cryptography, Sensors 19 (21) (2019) 4752.
Dr. Shariati vocational and Technical College in 2011. She is
[42] M. Hosseinzadeh, O.H. Ahmed, S.H. Ahmed, C. Trinh, N. Bagheri, S. Kumari, J.
currently an M.Sc. student at Shahid Rajaee Teacher Train-
Lansky, B. Huynh, An enhanced authentication protocol for RFID systems, IEEE
ing University, Tehran, Iran. She is interested in Security of
Access 8 (2020) 126977–126987.
Telecare Medical Information Systems and RFID.
[43] M. Safkhani, N. Bagheri, S. Kumari, H. Tavakoli, S. Kumar, J. Chen, RESEAP: an
ECC-based authentication and key agreement scheme for IoT applications, IEEE
Access 8 (2020) 200851–200862.
[44] A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuéllar, P.H.
Drielsma, P.-C. Héam, O. Kouchnarenko, J. Mantovani, et al., The AVISPA tool
for the automated validation of internet security protocols and applications, in: Masoumeh Safkhani is an Associate Professor at Computer
International Conference on Computer Aided Verification, Springer, 2005, pp. Engineering Department, Shahid Rajaee Teacher Training
281–285. University, Tehran, Iran. She received her Ph.D. in Electrical
[45] C.J.F. Cremers, Scyther: semantics and verification of security protocols, Engineering from Iran University of Science and Technology
Eindhoven University of Technology Eindhoven, Netherlands, 2006. (IUST), 2012, with the security analysis of RFID protocols
[46] D. Von Oheimb, The high-level protocol specification language HLPSL developed as her major field. Her current research interests include the
in the EU project AVISPA, in: Proceedings of APPSEM 2005 Workshop, 2005, security analysis of lightweight and ultra-lightweight proto-
pp. 1–17. cols, targeting constrained environments such as RFID, IoT,
VANET and WSN. She is the author/coauthor of more than
50 technical articles in information security and cryptology
in major international journals and conferences.

18

You might also like