IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO.

11, JUNE 1, 2022 8883

Blockchain and PUF-Based Lightweight

Authentication Protocol for Wireless
Medical Sensor Networks
Weizheng Wang , Student Member, IEEE, Qiu Chen , Graduate Student Member, IEEE, Zhimeng Yin,
Gautam Srivastava , Senior Member, IEEE, Thippa Reddy Gadekallu , Senior Member, IEEE,
Fawaz Alsolami , Member, IEEE, and Chunhua Su , Member, IEEE

Abstract—Due to the emergence of heterogeneous Internet of I. I NTRODUCTION

Medical Things (IoMT) (e.g., wearable health devices, smart-
watch monitoring, and automated insulin delivery systems), large
volumes of patient data are dispatched to central cloud servers
for disease analysis and diagnosis. Although this direct mode
brings a lot of convenience for both patients and medical profes-
sionals (MPs), the open communication channel between them
also incurs several security and privacy issues, such as man-in-
the-middle attacks, eavesdropping attacks, and tracking attacks.
Based on the unsolved challenges in wireless medical sensor
networks (WMSNs), several researchers have proposed various
authentication and key agreement (AKA) protocols for this type
of healthcare system recently. However, most of these proto-
cols do not perceive physical-layer security and over-centralized
server problem in WMSN. In this article, to address these
two open problems, we propose a lightweight and reliable
authentication protocol for WMSN, which is composed of cutting-
edge blockchain technology and physically unclonable functions
(PUFs). In addition, a fuzzy extractor scheme is introduced
to deal with biometric information. Subsequently, two security
evaluation methods are used to prove the high reliability of
our proposed scheme. Finally, performance evaluation experi-
ments illustrate that the proposed mutual authentication protocol
requires the least computation and communication cost among
the compared schemes.
Index Terms—Blockchain, mutual authentication protocol,
physical unclonable functions (PUFs), security and privacy,
wireless medical sensor networks (WMSNs).
Manuscript received May 6, 2021; revised August 26, 2021; accepted
September 25, 2021. Date of publication October 5, 2021; date of cur-
rent version May 23, 2022. This work was supported by the Deanship of
Scientific Research (DSR) at King Abdulaziz University, Jeddah, under Grant
KEP-16-611-42. (Corresponding authors: Gautam Srivastava; Chunhua Su.)
Weizheng Wang and Zhimeng Yin are with the Department of
Computer Science, City University of Hong Kong, Hong Kong (e-mail:
weizheng.wang@ieee.org; zhimeyin@cityu.edu.hk).
Qiu Chen and Chunhua Su are with the Division of Computer Science,
University of Aizu, Aizuwakamatsu 965-8580, Japan (e-mail: d8222103@
u-aizu.ac.jp; chsu@u-aizu.ac.jp).
Gautam Srivastava is with the Department of the Mathematics and
Computer Science, Brandon University, Brandon, MB R7A 6A9, Canada,
and also with the Research Centre for Interneural Computing, China Medical
University, Taichung 404, Taiwan (e-mail: srivastavag@brandonu.ca).
Thippa Reddy Gadekallu is with the School of Information Technology,
Vellore Institute of Technology, Vellore 632014, India (e-mail:
thippareddy.g@vit.ac.in).
Fawaz Alsolami is with the Department of Computer Science,
King Abdulaziz University, Jeddah 21341, Saudi Arabia (e-mail:
falsolami1@kau.edu.sa).
Digital Object Identifier 10.1109/JIOT.2021.3117762
ITH the rapid development of the Internet of Things
W (IoT), several associated applications equipped with
near-field communication (NFC) and radio-frequency identi-
fication (RFID) tags are on the rise in the consumer market.
The Internet of Medical Things (IoMT) is a crucial IoT seg-
ment, which could be used to collect and analyze health
data from patients leading to improvement in quality of life
and deductions in medical expenses. For example, tiny and
lightweight wearable biosensors can monitor various health
indicators, such as temperature, heart, and breathing rate, pro-
viding health professionals with exact information to observe
the progression of illness or detect disease early. Application-
enabled smart thermometers can aggregate temperature data
on a regional or national basis, then help local authorities
to track, quarantine, and treat people who may be infected
with COVID-19; smartwatch monitoring systems can measure
a continuous stream of real-time health data (e.g., heart rate,
blood pressure, and glucose monitoring) and send information
to caregivers for further interpretation; automated insulin
delivery (AID) systems can assist diabetes mellitus patients
with automatic insulin delivery mode adjustment via con-
nected cloud servers. According to Acumen Research and
Consulting Corporation’s Report,1 the IoMT market is pro-
jected to increase around 27.2% from 2020 to 2027 and is
expected to touch the total market value of U.S. $155.8 bil-
lion by 2027. Hence, the number of IoMT-based applications
is increasing explosively.
To effectively manage the growth of IoMT, wireless med-
ical sensor networks (WMSNs) are implemented. Generic
WMSN usually has three parts: 1) sensor nodes (SNs); 2) gate-
way nodes (GWNs); and 3) medical professionals (MPs).
In a WMSN framework, wearable sensors first accumulate
patients’ physiological metrics, such as body temperature,
blood pressure, and blood glucose concentration, and then
transmit these data to an MP through a GWN for analy-
sis and diagnosis. Since SNs are resource-limited and can-
not conduct complex computation, GWN built with stronger
1 https://www.acumenresearchandconsulting.com/internet-of-medical-
things-iomt-market

2327-4662 
c 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: Indian Institute of Technology Hyderabad. Downloaded on March 09,2023 at 14:12:10 UTC from IEEE Xplore. Restrictions apply.
8884
computational power and larger storage space can be an ideal
intermediary between SN and MP. However, due to the public
nature of communication channels in WMSN, some security
breach incidents occur occasionally, which may bring numer-
ous unexpected threats. In 2018, [1] reported that a security
hole existing in the implanted cardiac defibrillators made by
Medtronic through which hackers even can gain access to
cause the death of patients.
Solutions for security and privacy problems that exist
in WMSN are needed. In recent years, researchers have
proposed several authentication protocols for WMSN based
on different mechanisms. In this regard, though the proposed
schemes successfully cope with some common attacks, such
as device capture attacks, man-in-the-middle (MITM) attacks,
and node impersonation attacks, physical-layer security of
SN/MP and centralized GWN are sometimes forgotten or
omitted. Focusing on the above-mentioned challenges, physi-
cally unclonable functions (PUFs) and blockchain-based smart
contracts seem to be appropriate countermeasures. Since PUFs
are physical-layer security primitives that utilize random vari-
ation features in submicroscopic and challenge–response (CR)
behavior, PUF could generate unique responses according to
different inputs. Smart contracts could decentralize excessive
centralization of GWN and make the entire interaction pro-
cess self-execute. Hence, in this article, we combine PUF with
smart contracts to construct a novel lightweight and reliable
authentication protocol for WMSN. Moreover, to enhance the
security level of SN, we also introduce a fuzzy extractor for
biometric information extraction and verification.
A. Motivation and Contributions
Most of the existing authentication schemes for WMSN
cannot provide an efficient measure to assure physical-layer
security for decentralized GWN. Hence, in this article, with the
aid of emerging blockchain-based smart contracts and PUF, we
design a lightweight and security-enhanced authentication pro-
tocol for WMSN which can assist with the above-mentioned
issues. The major contributions of this article are listed as
follows.
1) We propose a lightweight authentication protocol that is
only composed of one-way hash functions and bitwise
XOR operations for WMSN.
2) Modeled toward long-term unsolved physical-layer secu-
rity and centralized GWN, we utilize blockchain tech-
nology and PUF to enhance the security level of our
proposed protocol. In addition, a fuzzy extractor is
adopted for a biometric authentication process.
3) We prove the reliability and validity of our mutual
authentication protocol from two different perspectives
(i.e., formal security proof by an automatic crypto-
graphic protocol verifier as well as an informal security
proof).
4) We conduct security feature comparison and
performance evaluation. The analysis and experiment
outcomes show the obvious advantages of our protocol
in terms of security attributes and communication/
computation cost.
Authorized licensed use limited to: Indian Institute of Technology Hyderabad. Downloaded on March 09,2023 at 14:12:10 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 11, JUNE 1, 2022
The organization of the remaining sections is structured as
follows. In Section II, we review some recent research works
in the field of authentication protocols concerning WMSN.
Section III introduces three primitives that constitute our
proposed protocol for WMSN. The network model and threat
model of the proposed authentication framework are presented
in Section IV. In Section V, we describe the detailed process,
notations, and algorithms of the proposed protocol for WMSN.
Section VI evaluates the security of the proposed scheme by
using formal and informal security analysis. Section VII mea-
sures the communication/computation cost of the proposed
scheme and related existing schemes. Finally, we conclude
this article in Section VIII.
II. R ELATED W ORK
Li et al. [2] proposed a novel authentication protocol for
healthcare applications using WMSN with user anonymity and
biometric authentication. Later, Wu et al. [3] also proposed
an improved and anonymous two-factor authentication pro-
tocol for WMSN-based healthcare applications. However,
Das et al. [4] found Li et al.’s scheme [2] suffers from
privileged-insider attacks, node capture attacks, and user track-
ing attacks. To mitigate these existing problems, they proposed
a security-enhanced anonymous user authentication protocol
based on the smart card for healthcare applications under
WMSN. Srinivas et al. [5] also pointed out the possible
security breaches of Wu et al.’s scheme [2], which cannot
prevent Distributed Denial-of-Service (DDoS) attacks, offline
identity guessing attacks, offline password guessing attacks,
and user impersonation attacks. Hence, they designed an
efficient authentication protocol for healthcare with WMSN.
Amin et al. [6] suggested a lightweight and anonymous
patient monitoring system for WMSN, which only owns sim-
ple hash functions. Unfortunately, Jiang et al. [7] observed
that Amin et al.’s plan [6] cannot defend against sensor key
leakage attacks, desynchronization attacks, and stolen mobile
device attacks. To solve the mentioned attacks of [6], they
proposed an efficient end-to-end authentication scheme for
WMSN. Although [7] gave comprehensive security analysis,
Mo et al. [8] still noticed that Jiang et al.’s scheme [7] is
vulnerable to DDoS attacks, privileged-insider attacks, and
known session special temporary information attacks. At the
same time, Mo et al. [8] provided some countermeasures to
security issues regarding [7]. Fotouhi et al. [9] designed a
two-factor and lightweight authentication scheme for health-
care IoT under wireless body area networks (WBANs).
Based on the hash chain, the proposed protocol can be
secure against various known attacks and provide forward
secure protection. Li et al. [10] proposed PSL-MAAKA—a
lightweight mutual authentication and key agreement (AKA)
protocol composed of hash and XOR operations under
fully public channels for WMSN. Then, Masud et al. [11]
proposed a privacy-preserving and lightweight user authen-
tication protocol for healthcare-related IoT. Their proposed
scheme is solely constructed by a lightweight hash
function which can effectively alleviate the pressure
of SNs.
WANG et al.: BLOCKCHAIN AND PUF-BASED LIGHTWEIGHT AUTHENTICATION PROTOCOL
The schemes mentioned above are mostly constructed by
hash functions and bitwise XOR operations. These primi-
tives could be used to create ultralightweight authentica-
tion protocol but at the expense of a security degree. To
achieve a balance between security degree and performance
cost, some researchers utilized elliptical curve cryptogra-
phy (ECC) to design authentication protocols for WMSN in
recent years. Challa et al. [12] proposed an efficient prov-
ably secure three-factor user AKA protocol based on ECC for
WMSN. Xie et al. [13] suggested a cost effective and robust
certificates-less authentication protocol called CasCP for
WBANs. Besides, their protocol also supports batch authenti-
cation and conditional privacy preserving. Subsequently, based
on the security poles of [7], Li et al. [14] designed a secure
three-factor ECC-based user authentication scheme with bio-
metric information for WMSN, which can successfully handle
Denial-of-Service (DoS) attacks, mobile device stolen attacks,
desynchronization attacks, and sensor key exposure attacks.
Except for the ECC-based authentication protocol for WMSN,
several schemes have been proposed according to some novel
technologies. Shuai et al. [15] proposed a lightweight authen-
tication protocol for on-body wireless networks, which is
composed of a pseudonym and one-time hash chain to ensure
user anonymity and forward secrecy. Alladi et al. [16] uti-
lized hardware security primitives named PUF to establish a
two-way authentication protocol for WMSN, which can thwart
physical-layer threats. Subsequently, Saleem et al. [17] also
found security flaws (i.e., SN impersonation attack and user
link attack) of Li et al.’s protocol [14], so they suggested a
remedy plan by using password protection.
As mentioned above, although numerous research plans
have been proposed for WMSN to deal with some potential
attacks, significant physical layer and centralized GWN issues
are both obscure. Thus, in this article, we attempt to resolve
these problems and propose a novel lightweight authentication
protocol for WMSN.
III. P RELIMINARIES
In this section, we briefly describe the technologies, such as
blockchain technology, smart contracts, PUF, error-correcting
codes, and fuzzy extractors for biometric authentication.
A. Blockchain and Smart Contracts
Blockchain is a chain that can contain millions of blocks
and each block records multiple sets of transaction data in
the form of a Merkle tree. Typically, the blockchain is a com-
pletely distributed ledger and anyone can gain access to initiate
transactions. Once the transactions are logged in a blockchain,
it is extremely difficult to alter or remove them. In recent years,
blockchain technology has also led to the creation of a series
of applications, including smart contracts, decentralized cloud
storage, supply-chain communications, and proof of prove-
nance. The most famous and practical application is a smart
contract, which consists of program codes that take control of
the changes in state in the blockchain only if some predefined
threshold is achieved. As an example, using a smart contract,
Authorized licensed use limited to: Indian Institute of Technology Hyderabad. Downloaded on March 09,2023 at 14:12:10 UTC from IEEE Xplore. Restrictions apply.
8885
Alice could obtain x cryptocurrency units in a Cryptocurrency
Blockchain from Bob with valid computation outcomes.
B. Physically Unclonable Functions
Semiconductor-based PUF are physically unclonable, that
benefits from their random and unique variations during the
Integrated Circuit manufacturing process. The operation of
PUF depends on CR behavior. When a user inputs a challenge
c to the PUF, it can generate a unique response r. The detailed
operation could be illustrated as r = PUFs(c). Besides, PUF
also has two common mechanisms: 1) for the same, different
inputs will provide various outputs, and the same inputs will
output identical responses and 2) separately, equivalent inputs
always generate inconsistent results. However, sometimes in a
noisy environment, non-noise-resistance could generate some
responses with several bit errors, which will result in unex-
pected responses and intervene in a system’s normal execution.
Therefore, our proposed scheme should employ ideal or noise-
resistant environments that can correct some bit errors at the
cost of a higher computational cost. Fortunately, we can adopt
SRAM designed by Pandey et al. [18]. Their experimental
results show that this type of PUF can nearly remove all the
bit error rates.
C. Fuzzy Extractors for Biometrics Authentication
A fuzzy extractor is used to obtain user biometric
information (e.g., fingerprint, physiological recognition, and
voice) as key generation elements [19]. The comprehensive
extraction and verification process can be divided into the
following two steps.
1) Gen: A biometric secret key generation function is a
probabilistic algorithm and requires an advanced input
DBj within the metric space M. The formula of this func-
tion could be presented as Gen(DBj ) = {θj , σj }, where
θk ∈ {0, 1}m is a pair of biometric secret keys, m denotes
the number of bits belonging to θj , and σj is a public
restoration parameter.
2) Rep: A reproduction function is a deterministic algo-
rithm which accepts a noisy biometric input DBj and
search corresponding parameters θj and σj , respectively.
The equation of the reproduction function can be illus-
trated as Rep(DBj , σj ) = θj . Note that this equation holds
only when the Hamming distance between DBj and DBj
is equal to or less than a maximum error tolerance value
t: DBj ⊕ DBj  ≤ t.
IV. S YSTEM M ODELS
Before the formal description of the proposed protocol, in
this section, we primarily discuss network and threat models
defined in our framework.
A. Network Model
As shown in Fig. 1, three entities exist in our proposed
protocol: 1) SN; 2) GWN; and 3) MP which are described as
follows.
8886
Fig. 1. Network model of the proposed WMSNs authentication framework.
1) Sensor Nodes: SNs are responsible for collecting various
somatic data [e.g., electroencephalogram (EEG), electro-
cardiogram (ECG), and electromyography (EMG)] from
patients and transmitting them to the MP for analysis
and diagnosis. Before that, SN should first register with
GWN, and then negotiate a session key (SK) with MP
in the light of secret keys issued by GWN for future
communication. Note that SNs are equipped with PUF
by default.
2) Gateway Nodes: In traditional schemes, GWNs are
always centralized and assumed as credible. However,
in our proposed protocol, a cluster of GWN forms
the blockchain network and smart contracts within the
blockchain guide GWN to automatically deal with the
requests from SN and MP. GWN only maintains the
blockchain system according to predefined consensus
mechanisms [i.e., Proof of Work (PoW)] and does
not know any source code regarding event handling.
Moreover, suppose users are not willing to establish
a blockchain network using GWN by themselves. In
that scenario, users can also choose to build the smart
contract on some mature blockchain platform such as
Ethereum or EOS, which will decrease the related
development and communication cost to some degree.
Furthermore, GWNs have obligations to issue secret
keys in response to MP and SN registration requests. SN
and MP will conduct mutual authentication and SK gen-
eration in the public channel provided by GWN. Hence,
IEEE 802.11 and IEEE 802.15.4 protocols are used for
bidirectional communication between GWN and user,
respectively.
3) Medical Professionals: MPs need to input their pass-
words and biometrics for GWN registration. After suc-
cessful registration, GWNs distribute the corresponding
secret keys to MP for AKA with SN. Once the iden-
tity of a given MP is confirmed, the sensor will deliver
patients’ data to the MP for processing. Note that each
MP owns on-premise PUF.
B. Threat Model
In our proposed protocol, we use the famous Dolev–Yao
(DY) threat model [20] to presume the abilities of potential
adversaries A, who may exist in SN, GWN, or MP. A is
assumed to eavesdrop, modify or even delete the exchange
messages among all the public communication channels.
Moreover, due to the mobility of SN and MP, A can also
capture the SN/MP and extract secret information from them
Authorized licensed use limited to: Indian Institute of Technology Hyderabad. Downloaded on March 09,2023 at 14:12:10 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 11, JUNE 1, 2022
TABLE I
N OTATIONS
with the support of power analysis attacks [21]. Since GWN is
not completely trusted, A can attempt to conduct Sybil attacks
to compromise the blockchain network as well.
V. P ROPOSED P ROTOCOL
In this section, we describe the details of our proposed
blockchain and PUF-based lightweight authentication protocol
under WMSN. Our protocol includes five stages: 1) system ini-
tialization; 2) SN registration stage; 3) MP registration stage;
4) login and authentication stage; and 5) ID update stage. The
used abbreviations are presented in Table I.
A. System Initialization Stage
In this stage, the system developer needs to organize a
cluster of GWN and customize the blockchain, especially
the consensus mechanism GWN should execute. Note that
GWN within our WMSN framework adopts PoW consensus.
Subsequently, when the blockchain is initialized, the devel-
oper publishes the smart contract to issue the secret keys and
helps GWN authenticate with a given SN or MP. The devel-
oper could also set their system on some mature blockchain
platforms which will effectively prevent potential attacks (e.g.,
single point of failure, the third-party compromised attacks,
and DoS attacks) incurred by small-scale blockchain systems.
B. SN Registration Stage
Prior to the authentication process, SNi should invoke the
SNRegister function within SC to register in the blockchain
network via GWNk . The GWNk should execute the following
steps.
1) SNi transmits a 160-bit random identity IDSNi , func-
tion name  SNRegister and a set of CRs (CSN x , Rx )
i SNi
generated by its PUF to the GWNk .
2) After receiving {IDSNi ,  SNRegister , (CSN x , Rx )},
i SNi
GWNk calls the SNRegister function defined in the SC,
which first checks the uniqueness of IDSNi by com-
paring the identity verification table T . If IDSNi ∈ / T,
SC chooses a 160-bit long random secret key RSKSNi
and computes ECSNi = h(RSKSNi IDSNi ) as SNi ’s
ephemeral credential. Otherwise, SC rejects this request
by announcing IDSNi as repeated. Finally, SC returns
WANG et al.: BLOCKCHAIN AND PUF-BASED LIGHTWEIGHT AUTHENTICATION PROTOCOL
ECSNi to SNi through GWNk . Note that the SN regis-
tration is in a private communication channel.
3) SC saves RSKSNi , ECSNi , and (CSN
x , Rx ) in local.
i SNi
C. MP Registration Stage
To retrieve patients’ data from SN legitimately, MPj also
needs to register in the blockchain network in advance. The
detailed procedures are illustrated as follows.
1) First and foremost, MPj chooses a 160-bit random num-
ber as his identity IDMPj , a nonce NMPj , a password
PWMPj , and a biometric input DBj and generates a set
of CRs (CMP x , Rx ).
j MPj
2) MPj computes RPWMPj = h(PWMPj NMPj ) and
sends parameters {IDMPj , RPWMPj , (CMP x , N x ),
j MPj
 MPRegister  } to the nearby GWN
k for invoking
MPRegister function in the SC.
3) When GWNk obtains the {IDMPj , RPWMPj , (CMP x ,
 
j legitimate user. Otherwise, MPj is declined by the SC
NMPj ), MPRegister } from MPj , it constructs a trans-
x
action with these parameters to the SC.
4) SC verifies the validness of IDMPj by checking the T .
If IDMPj ∈ T , SC declines this registration request.
Otherwise, SC applies the DBj to the fuzzy extractor
probabilistic generation function Gen which generates
Gen(DBj ) = {θj , σj }, where θj is a biometric secret key
and σj is a reproduction parameter.
5) SC selects a 160-bit random secret key as
RSKMPj and calculates RBj = h(θj IDMPj ),
Aj = h(RSKMPj σj RBj ) ⊕ RPWMPj , ECMPj =
h(RSKMPj IDMPj ), and Bj = ECMPj ⊕ RPWMPj . SC
stores {σj , θj , IDMPj , RPWMPj , RSKMPj , (CMP
x , Rx )} in
its database.
j MPj
6) SC submits {RBj , Aj , Bj , σj Rep(·)} to MPi through
GWNk in a secret channel.
7) MPi stores {RBj , Aj , Bj , σj Rep(·), RPWMPj , NMPj } in its
mobile device.
D. Login and Authentication Stage
At this stage, an MPj needs to login in his/her mobile device
at first. Subsequently, if MPj would like to have the access to
SN’s data, the corresponding three parties (i.e., SNi , GWNk ,
and MPj ) must conduct the mutual authentication beforehand.
The comprehensive steps are listed as follows.
 ,
1) First, MPj imprints his identity IDMPj , password PWMP j whether M6 = M6 . When the equation holds, SNi selects

and biometric information Bj to the MDj .
2) Mobile device applies DBj to a deterministic reproduc-
tion function as Rep(DBj , σj ) = θj . Then, MPj figures
out RBj = h(θj IDMPj ), RPWMP 
j
= h(PWMP N
j MPj )
? ?
and checks RBj = RBj and RPWMP  = RPWMPj . If
j
both equations hold, MPj logins at the MDj successfully.
Otherwise, MDj aborts this process.
3) MPj chooses a pair of (CMP 1 , R1 ) from its preloaded
j MPj
CRs (CMPj , RMPj ) in the PUF and calculates ECMPj =
x x
Bj ⊕ RPWMPj , M1 = h(ECMPj NMPj R1MPj ), M2 =
h(Aj RPWMPj ) ⊕ M1 , and M3 = M2 ⊕ R1MPj .
Finally, MPj sends a set of messages S1 =
1 , TS ,  MPAuth } to the GWN
{IDMPj , M1 , M3 , CMP
j 1 k
Authorized licensed use limited to: Indian Institute of Technology Hyderabad. Downloaded on March 09,2023 at 14:12:10 UTC from IEEE Xplore. Restrictions apply.
8887
via MDj in the public channel, where TS1 is the
current timestamp and  MPAuth is the name of invoked
function.
4) While obtaining the S1 from MPj , GWNk first checks the
freshness of TS1 . If TS1 does not expire, GWNk builds
a transaction with S1 to the SC.
5) SC confirms the validness of the GWN address provided
in the blockchain and counter of MPMPj . Note that since
we set counters for each SNi and MPj , if the failure
request reaches a predefined threshold (e.g., five times),
the corresponding part will be blocked for some time.

6) SC searches the related R1MPj on the basis of pro-
1
vided CMP j
from its database. Subsequently, SC cal-

culates M2 = M3 ⊕ R1MPj , M4 = h(Aj RPWMPj ) =
h(RSKMPj σj RBj RPWMPj ), M4 = M2 ⊕ M1 and con-
?
firms M4 = M4 . If the equation holds, MPj is a
and the corresponding counter counts failure time.
7) To prove its identity to MPj , SC chooses a new CR pair
of (CMP 2 , R2 ) from existing (Cx , Rx ) and com-
j MPj MPj MPj
putes M5 = h(M4 R2MPj ) ⊕ Aj . Finally, SC delivers a set
of messages S2 = {M5 , CMP 2 , TS } to the MP through
j 2 j
GWNk , where TS2 is the current timestamp. At this step,
the MPAuth function terminates.
8) After receiving S2 , as usual, MPj initially checks the
freshness of TS2 . If TS2 is valid, MPj selects associated

R2MPj from on-premise set (CMP x , Rx ) and figures out
j MPj

M5 = h(M1 ⊕ M2 R2MPj ) ⊕ Aj . At the final step, MPj
?
checks M5 = M5 . If it is equal, then GWNk is considered
legitimate.
9) Simultaneously, to retrieve patient’s data from SNi ,
GWNk automatically invokes the SNAuth function in the
SC. Then, the SC chooses a pair of CR (CSN 1 , R1 )
i SNi
from the accessible CR set (CSNi , RSNi ) and computes
x x
M6 = h(R1SNi ECSNi ), M7 = M4 ⊕ M6 . Finally, SC
sends a set of message S3 = {IDMPj , M7 , CSN 1 , TS } to
i 3
SNi via GWNk , where TS3 is the current timestamp.
10) While SNi receives M3 , it first checks the freshness

of TS3 and selects R1SNi according to received CSN 1 .
i
 
Then, SNi calculates M6 = h(RSNi ECSNi ) and checks
1
?
a new pair of (CSN2 , R2 ) from PUF and computes
SNi
i
M4 = M7 ⊕ M6 , M8 = h(ECSNi IDSNi R2SNi ), session
key (SK) as SKSNi = h(M4 M8 ) and masked SK as
MSK = SKSNi ⊕ R2SNi . Finally, SNi returns a set of mes-
sage S4 = {M8 , MSK, CSN2 , TS ,  SNAuth } to GWN ,
i 4 k
where TS4 is the current timestamp and  SNAuth is the
SC function name.
11) Once obtaining {M8 , MSK, CSN2 , TS ,  SNAuth }, GWN
i 4 k
verifies the timeliness of TS4 . If verification suc-
ceeds, GWNk calls SNAuth function in the SC to

retrieve R2SNi according to CSN2 and compute M8 =

i
?
h(ECSNi IDSNi R2SNi ), then checks M8 = M8 . If the
equation holds, SC restores SKSNi = MSK ⊕ R2SNi and
8888
Fig. 2. Summary of the proposed protocol.
computes M9 = M8 ⊕ ECMPj , M10 = SKSNi ⊕ ECMPj .
Otherwise, the same counter calculates failure times
of SNi . Finally, SC transmits a set of messages S5 =
{IDSNi , M9 , M10 , TS5 } to MPj via GWNk . At this point,
SNAuth function finishes.
12) When MPj gets S5 and TS5 does not expire, MPj extracts
M8 = M9 ⊕ ECMPj , SKSNi = M10 ⊕ ECMPj and
calculates SKMPj = h(M4 M8 ). If SKSNi = SKMPj ,
SKSNi and SKMPj can be used for the subsequent
communication through GWNk .
E. ID Update Stage
To ensure that an adversary A cannot track the interaction
between SNi and MPj , at the end of each key agree-
ment and authentication, the identities of SNi and MPj
should be dynamically adjusted according using the following
steps.
1) SNi and MPj compute the new identities as
ID∗SNi = h(IDSNi IDMDj RxSNi ) and ID∗MPi = h(IDSNi
IDMDj RxMDi ), respectively.
Authorized licensed use limited to: Indian Institute of Technology Hyderabad. Downloaded on March 09,2023 at 14:12:10 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 11, JUNE 1, 2022
2) Since (RxMPj , RxMPj ) are preloaded in the SC, which can
automatically generate the novel ID∗MDi and ID∗SNi .
3) Each participant needs to drop all the CR pairs used in
this round. The detailed process of our protocol can be
referred to Fig. 2.
VI. S ECURITY A NALYSIS
In this section, we evaluate the security of our proposed
protocol for WMSN using a formal security analysis (e.g.,
the widely accepted AVISPA automated verification tool)2 and
informal security analysis. The formal security analysis mainly
checks the semantic security of our proposed protocol which
can defend against an adversary in breaking SK security. On
the other hand, the informal security analysis illustrates some
common attacks that our protocol may encounter.
A. Formal Security Analysis
When it comes to cryptographic protocols’ security evalua-
tion, AVISPA is a popular verification tool. In AVISPA, users
2 http://www.avispa-project.org/
WANG et al.: BLOCKCHAIN AND PUF-BASED LIGHTWEIGHT AUTHENTICATION PROTOCOL
Fig. 3. Outcomes of the evaluation using OFMC and CL-AtSe backends.
can specify the definitions and security properties of a large
number of protocols. Besides, four common automatic analysis
techniques (e.g., OFMC, CL-AtSe, SATMC, and TA4SP) [22]
concerning protocol are integrated into AVISPA.
In our proposed protocol, we choose OFMC and CL-AtSe
backends to judge whether our scheme can defend against the
adversary defined in Section IV-B threat model. As depicted in
Fig. 3, the experimental results show our protocol can achieve
the security requirements under OFMC and CL-AtSe backends.
B. Informal Security Analysis
1) Stolen Mobile Device Attack: In this attack,
we assume adversary A steals a mobile device from
MPj . Then, A can extract the secret credentials
{RBj , Aj , Bj , σj , Rep(·), RPWMPj , NMPj } from device by using
the power analysis method [21]. Although {RPWMPj , NMPj }
are known to the A, who still cannot restore the same
 = h(PWMP  N
RPWMP j j MPj ) due to the undiscovered pass-
 eavesdropping on the communication channel. In our proposed
word PWMPj . As a consequence, A fails to login in the mobile
device. In addition, regarding biometric authentication, since
A does not know the correct biometric input Bj , A is not
able to pass the biometric verification as well. Therefore, our
protocol can prevent a stolen mobile device attack.
2) GWN Impersonation Attack: To conduct a GWN imper-
sonation attack, A needs to counterfeit S2 = {M5 , CMP 2 , TS }
j 2
and S3 = {IDMPj , M7 , CSNi , TS3 } to the corresponding MPj
1
and SNi , respectively. However, since responses {R2MPj , R1SNi }
are preloaded in the SC and not leaked in the communi-
cation, GWNk has no access to obtain both of them. On
the other side, for M5 = h(Aj RPWMPj R2MPj ) ⊕ Aj , M7 =
{h(R1SNi ECSNi ⊕ h(Aj RPWMPj )}, Aj and ECSNi are stored in
the SC without explicit transmission. Hence, A is not possible
to initiate a GWN impersonation attack in our protocol.
3) MP Impersonation Attack: If A attempts to masquerade
as SNi , which means A must forge authentication messages
S1 = {IDMPj , M1 , M3 , CMP 1 , TS ,  MPAuth }. From analyz-
j 1
ing the construction of M1 = h(ECMPj NMPj R1MPj ), M3 =
M2 ⊕ R1MPj , we can know {ECMPj , NMPj , R1MPj } are pri-
vate. However, without these parameters, it is hard for A
to form valid confirmation message M4 = M2 ⊕ M1 =
Authorized licensed use limited to: Indian Institute of Technology Hyderabad. Downloaded on March 09,2023 at 14:12:10 UTC from IEEE Xplore. Restrictions apply.
8889
M3 ⊕ R1MPj ⊕ M1 . As a result, our protocol can defend an
MP impersonation attack successfully.
4) SN Impersonation Attack: To impersonate as a valid SNi ,
A needs to generate S4 = {M8 , MSK, CSN 2 , TS ,  SNAuth }. It
i 4
is clear that A cannot succeed in getting {ECSNi , R2SNi } for M8
due to the difficulty of cracking a one-way hash function h(ů).
Hence, our scheme has the ability to resist SN impersonation
attack.
5) Man-in-the-Middle Attack: Assume that A eavesdrops
the bidirectional communication between SNi and MPj . Hence,
A can intercept all the authentication messages {S1 , S2 , S3 , S4 }.
For A, the main objectives of this MITM attack are to modify
the transmitted messages and compromise the SK. However,
owing to the CR pairs used in our protocol, even if the
x , Cx } are leaked, A is still infeasible to construct the
{CSN i MPj
modified {S1 , S2 , S3 , S4 } for getting rid of identity check and
restore the SKSNi = MSK ⊕ R2SNi trivially.
6) Perfect Forward Secrecy: Perfect forward secrecy
assures that A cannot infer the SK generated in previous
sessions with all secret keys. In our scheme, the SK is
computed as SKSNi = h(M4 M8 ) = h(h(RSKMPj σj RBj
h(ECSNi IDSNi R2SNi ))). Since R2SNi is dynamically dropped
after each key agreement and authentication process, even if
the current SK is compromised, A is not able to produce
the SK of the last round. Hence, perfect forward secrecy is
achieved in our scheme.
7) Replay Attack: When messages {S1 , S2 , S3 , S4 , S5 }
exchange, unique timestamps {TS1 , TS2 , TS3 , TS4 , TS5 } are
inserted. If A would like to retransmit the authentication
information to deceive the interaction partner, the freshness of
timestamps will cease to be effective. Hence, replay attacks
can be observed and mitigated in our protocol.
8) Tracing Attack: A tracing attack refers to A who can
distinguish a user’s identity in the different sessions through
protocol, once each key agreement and authentication com-
pletes, related SNi and MPj will apply the recently used
responses {R2SNi , R2MPj } to update their identities as ID∗SNi and
ID∗MPj accordingly for next stage. However, in the communi-
cation process, only the challenges {CSN x , Cx } are obvious.
i MPj
Due to the random variations of PUF, A cannot induce
the above-mentioned responses. Consequently, our proposed
protocol is immune to tracing attacks.
9) DDoS Attack: In our protocol, counters are used to count
the failures of each participant. If the total count reaches a
predefined threshold, the corresponding part will be blocked
for a long time. Therefore, DDoS attacks can be defended
against in our protocol.
10) Blockchain System Attack: If A attempts to tamper
some data in the blockchain, it requires him to take control of
over 50% GWN. According to the PoW consensus adopted,
our proposed protocol can observe this attack at an early stage
and effectively remove this attack.
11) Physical-Layer Attack: Even if the challenges
x , Cx ) of SN or MP are intercepted by A, who is still
(CSN i MPj i j
unable to restore the corresponding responses (RxSNi , RxMPj )
due to the physically unclonable feature of PUF. Hence, our
8890 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 11, JUNE 1, 2022

(a) (b)

(c) (d)

Fig. 4. Computation cost comparison. (a) Computation cost of SN. (b) Computation cost of MP. (c) Computation cost of GWN/SC. (d) Total computation
cost.

TABLE II
C OMPUTATIONAL C OST C OMPARISON
protocol can prevent physical-layer attacks successfully by
using PUF.
VII. P ERFORMANCE E VALUATION
In this section, we compare our proposed protocol against
several recent works [9], [10], [14].
A. Computation Cost
As shown in Table II and Fig. 4, we compare the com-
munication cost of several existing schemes [3], [6], [9], [10]
among the login and authentication phase. To maintain fair-
ness, precision, and reliability of the compassion results, the
selected methods [3], [6], [9], [10] are all composed of pure
one-way hash function and bitwise XOR operations. When
the computation cost in terms of a hash function Th , which
takes 0.0005 s. Note that this measurement was conducted
on a desktop with CPU: Intel Core i7-4710HQ 2.50 GHz,
memory: 8 GB, and OS: Win8 64 bit. The experiments show
our proposed protocol for WMSN needs the least computa-
tion cost regards overall computation time (i.e., 0.0065 ms in
total) and achieves obvious advantages when compared with
related schemes regardless of any side (i.e., 0.0015 ms for SN,
0.003 ms for MP, and 0.002 ms for GWN/SC, respectively). In
detail, the computation cost of SN, MP, GWN/SC, as well as
overall in our proposed protocol is reduced by around 57.1%,
50.0%, 81.8%, and 68.3%, respectively.
B. Communication Cost
In this section, we evaluate the communication cost
concerning our proposed protocol and some related
works [3], [6], [9], [10]. We assume the identity of MP
is 160 bits, identities of SN and GWN are 32 bits, a public
key of the system is 512 bits, a timestamp is 32 bits,
“SNAuth/Auth” is 64 bits, and the length of the challenge
generated by PUF is 32 bits.
In our proposed protocol, five sets of messages are trans-
1 , TS ,  MPAuth },
mitted, namely, S1 = {IDMPj , M1 , M3 , CMP 1
j

compared with hash operations, the computation cost for bit- S2 = {M5 , CMP2 , TS }, S = {ID
j 2 3 MPj , M 7 , C 1 , TS }, S =
SNi 3 4
{M8 , MSK, CSN 2 , TS ,  SNAuth }, and S = {ID , M9 ,
wise XOR operations is infinitesimal, so we only measure i 4 5 SN i

Authorized licensed use limited to: Indian Institute of Technology Hyderabad. Downloaded on March 09,2023 at 14:12:10 UTC from IEEE Xplore. Restrictions apply.
WANG et al.: BLOCKCHAIN AND PUF-BASED LIGHTWEIGHT AUTHENTICATION PROTOCOL
TABLE III
C OMMUNICATION C OST C OMPARISON
M10 , TS5 }. From Table III, we can see the overall commu-
nication cost of our proposed protocol is 2048 bits, which
are lightweight compared with the above-mentioned schemes.
Although the communication cost at the SN of Amin et al. [6]
and Wu et al.’s [3] protocols (e.g., both are 320 bits) are less
than ours (i.g., at 448 bits), the timestamp is overlooked in
their interaction process, which may offer an opportunity for
an adversary to conduct a replay attack successfully. Finally,
our proposed protocol can provide higher security with a
lower communication cost (i.e., 13Th = 2048 bits) compared
with the above-mentioned schemes (i.e., 36Th = 2144 bits
for Amin et al. [6], 34Th = 2336 bits for Wu et al. [3],
41Th = 2784 bits for Fotouhi et al. [9], and 26Th = 2144 bits
for Li et al. [10]).
VIII. C ONCLUSION AND F UTURE W ORK
To achieve physical-layer security which can include decen-
tralized trust while resisting multiple common attacks, in this
article, emerging blockchain technology is combined with PUF
to envision a secure and lightweight authentication for WMSN.
Our scheme can support dynamic identity updates after each
authentication and key agreement. Furthermore, our proto-
col contains a biometric fuzzy extractor to extract biometric
information and conduct proper authentication. The AVISPA
tool is used to verify the security of our protocol as well as
informal security analysis is given that lists some attacks often
occur in real environments and discusses comprehensive coun-
termeasures of our proposed protocol. Finally, performance
evaluation highlighting communication and computational cost
is compared with similar protocols, showing that our proposed
protocol has an overall low overhead. In future work, certifi-
cateless signatures will be used to enhance the security of the
proposed AKA protocol.
ACKNOWLEDGMENT
The authors thank DSR for technical support.
R EFERENCES
[1] A. Baranchuk et al., “Cybersecurity for cardiac implantable electronic
devices: What should you know?” J. Amer. Coll. Cardiol., vol. 71,
no. 11, pp. 1284–1288, 2018.
[2] X. Li, J. Niu, S. Kumari, J. Liao, W. Liang, and M. K. Khan, “A new
authentication protocol for healthcare applications using wireless med-
ical sensor networks with user anonymity,” Security Commun. Netw.,
vol. 9, no. 15, pp. 2643–2655, 2016.
Authorized licensed use limited to: Indian Institute of Technology Hyderabad. Downloaded on March 09,2023 at 14:12:10 UTC from IEEE Xplore. Restrictions apply.
8891
[3] F. Wu et al., “A lightweight and robust two-factor authentication
scheme for personalized healthcare systems using wireless medical
sensor networks,” Future Gener. Comput. Syst., vol. 82, pp. 727–737,
May 2018.
[4] A. K. Das, A. K. Sutrala, V. Odelu, and A. Goswami, “A secure
smartcard-based anonymous user authentication scheme for healthcare
applications using wireless medical sensor networks,” Wireless Pers.
Commun., vol. 94, no. 3, pp. 1899–1933, 2017.
[5] J. Srinivas, D. Mishra, and S. Mukhopadhyay, “A mutual authentication
framework for wireless medical sensor networks,” J. Med. Syst., vol. 41,
no. 5, p. 80, 2017.
[6] R. Amin, S. H. Islam, G. P. Biswas, M. K. Khan, and N. Kumar, “A
robust and anonymous patient monitoring system using wireless medical
sensor networks,” Future Gener. Comput. Syst., vol. 80, pp. 483–495,
Mar. 2018.
[7] Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry,
“Efficient end-to-end authentication protocol for wearable health moni-
toring systems,” Comput. Elect. Eng., vol. 63, pp. 182–195, Oct. 2017.
[8] J. Mo, Z. Hu, and Y. Lin, “Cryptanalysis and security improvement of
two authentication schemes for healthcare systems using wireless med-
ical sensor networks,” Security Commun. Netw., vol. 2020, Feb. 2020,
Art. no. 5047379.
[9] M. Fotouhi, M. Bayat, A. K. Das, H. A. N. Far, S. M. Pournaghi, and
M. Doostari, “A lightweight and secure two-factor authentication scheme
for wireless body area networks in health-care IoT,” Comput. Netw.,
vol. 177, Aug. 2020, Art. no. 107333.
[10] J. Li, Z. Su, D. Guo, K.-K. R. Choo, and Y. Ji, “PSL-MAAKA: Provably
secure and lightweight mutual authentication and key agreement protocol
for fully public channels in Internet of medical things,” IEEE Internet
Things J., vol. 8, no. 17, pp. 13183–13195, Sep. 2021.
[11] M. Masud, G. S. Gaba, K. Choudhary, M. S. Hossain, M. F. Alhamid,
and G. Muhammad, “Lightweight and anonymity-preserving user
authentication scheme for IoT-based healthcare,” IEEE Internet Things
J., early access, May 14, 2021, doi: 10.1109/JIOT.2021.3080461.
[12] S. Challa et al., “An efficient ECC-based provably secure three-factor
user authentication and key agreement protocol for wireless healthcare
sensor networks,” Comput. Elect. Eng., vol. 69, pp. 534–554, Jul. 2018.
[13] Y. Xie, S. Zhang, X. Li, Y. Li, and Y. Chai, “CasCP: Efficient and
secure certificateless authentication scheme for wireless body area
networks with conditional privacy-preserving,” Security Commun. Netw.,
vol. 2019, Jun. 2019, Art. no. 5860286.
[14] X. Li, J. Peng, M. S. Obaidat, F. Wu, M. K. Khan, and C. Chen, “A
secure three-factor user authentication protocol with forward secrecy for
wireless medical sensor network systems,” IEEE Syst. J., vol. 14, no. 1,
pp. 39–50, Mar. 2020.
[15] M. Shuai, B. Liu, N. Yu, and L. Xiong, “Lightweight and secure three-
factor authentication scheme for remote patient monitoring using on-
body wireless networks,” Security Commun. Netw., vol. 2019, Jun. 2019,
Art. no. 8145087.
[16] T. Alladi, V. Chamola, and Naren, “HARCI: A two-way authentication
protocol for three entity healthcare IoT networks,” IEEE J. Sel. Areas
Commun., vol. 39, no. 2, pp. 361–369, Feb. 2021.
[17] M. A. Saleem, S. Shamshad, S. Ahmed, Z. Ghaffar, and K. Mahmood,
“Security analysis on ‘a secure three-factor user authentica-
tion protocol with forward secrecy for wireless medical sensor
network systems”’ IEEE Syst. J., early access, May 5, 2021,
doi: 10.1109/JSYST.2021.3073537.
[18] S. Pandey, S. Deyati, A. Singh, and A. Chatterjee, “Noise-resilient
SRAM physically unclonable function design for security,” in Proc.
IEEE 25th Asian Test Symp. (ATS), Hiroshima, Japan, 2016, pp. 55–60.
[19] M. Wazid, A. K. Das, V. Odelu, N. Kumar, M. Conti, and M. Jo, “Design
of secure user authenticated key management protocol for generic
IoT networks,” IEEE Internet Things J., vol. 5, no. 1, pp. 269–282,
Feb. 2018.
[20] D. Dolev and A. Yao, “On the security of public key protocols,” IEEE
Trans. Inf. Theory, vol. 29, no. 2, pp. 198–208, Mar. 1983.
[21] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Examining smart-
card security under the threat of power analysis attacks,” IEEE Trans.
Comput., vol. 51, no. 5, pp. 541–552, May 2002.
[22] L. Viganò, “Automated security protocol analysis with the AVISPA tool,”
Electron. Notes Theor. Comput. Sci., vol. 155, pp. 61–86, May 2006.