REAS-TMIS: Resource-Efficient Authentication Scheme for Telecare Medical Information System

The phenomenal growth of smartphones and wearable devices has begun crowd-sourcing applications for the Internet of Things (IoT). E-healthcare is considered the essential service for crowd-sourcing IoT applications that help authorized doctors, patients, nurses, etc. remotely access or store medical server (MS) data via the public Internet. As the public Internet is exposed to various security attacks, remote user authenticated key exchange (AKE) has become a pressing need for the secure and reliable use of these services. This paper proposes a new resource-efficient AKE scheme for telecare medical information systems, called REAS-TMIS. It uses authenticated encryption with associative data (AEAD) and a hash function. AEAD schemes are devised specifically for encrypted communication among resource-constricted IoT devices. These features of AEAD make REAS-TMIS resource-efficient. Moreover, REAS-TMIS dispenses with elliptic curve point multiplication and chaotic maps, which are computationally expensive operations. In addition, REAS-TMIS provides session key (SK) establishment for future encrypted communication between MS and users after validating the authenticity of the user. The security of SK is corroborated using the well-established random oracle model. Moreover, Scyther-based security corroboration is implemented to show that REAS-TMIS is secure, and informal security analysis is executed to show the resiliency of REAS-TMIS against various security attacks. Besides, a thorough analysis shows that REAS-TMIS, while accomplishing the authentication phase, requires less computational, communication, and storage resources than the related authentication protocol.


I. INTRODUCTION
The Internet of Things (IoT) evolution has impacted the essence of human life in different directions by providing significant acumen, productivity, and cost-effectiveness [1], [2]. Consequently, many novel applications essential for smart city environment and Industry 4.0 have been created. For instance, the healthcare sector incorporates IoT to advance patient monitoring with reduced cost and thereby strengthens innovation in patients' care. Essentially, the synthesis of IoT in the production and consumer sector is attributed to Industry 4.0. Similarly, Medicine 4.0 and Healthcare 4.0, the two major revolutions created by IoT for smart city environment, have boomed in the healthcare sector, which has empowered innovative solutions for monitoring remote patients, dispensing medications, designing early warning and dynamic treatment strategies, and managing and maintaining medical equipment [3].
The associate editor coordinating the review of this manuscript and approving it for publication was Parul Garg.
As one of the crucial applications of IoT in smart city environment, the e-healthcare system is increasingly being used by people all around the globe. Under certain circumstances, sharing the information associated with a patient with a group of medical professionals is essential to improving the treatment procedures [4]. For treatments where many specialists are concerned, crowd-sourcing the IoT in e-healthcare services is needed. Fig. 1 presents a design of IoT applications where the crowd-sourcing IoT for e-healthcare is necessitated. In this design, the gateway node acts as the interface between the medical server (MS) and the remote users. MS is the main component of the e-healthcare system from where diverse users like doctors, nurses, patients, medical policymakers, legal authorities, and insurance agents retrieve and deposit medical information. The contemporary conception of smart mobile devices (MDs) has yielded crowd-sourcing IoT applications. Data collected by MDs can be further processed to assist intelligently in different promising services. In e-healthcare applications, data accumulated by MDs are saved in different MSs. An authorized user accesses the information stored on MSs for monitoring and diagnosing purposes via the public Internet. The information, when being accessed by the user through the public Internet, is prone to be attacked by pernicious users and intruders. Hence, a resource-efficient and reliable security scheme for crowd-sourcing in e-healthcare services requires consideration to preserve the vital and private medical information associated with the patient. This requires designing remote users' authenticated key exchange (AKE) schemes to render secure access of sensitive resources to valid users [3]-[5].

A. RELATED WORK
Various AKE schemes have been proposed in the existing literature to enable secure and privacy-preserving communication within telecare medical information systems (TMIS). An AKE scheme checks the authenticity of the user and establishes a session key (SK) to enable encrypted communication between the medical server (MS) and the user. For this purpose, Kumari et al. [6] devised an elliptic curve cryptography (ECC)-based AKE scheme to enable a user to access the information from MS securely. However, the scheme cannot prevent password guessing (PGU), smart card/device loss (SMCL), user anonymity (URA), privilege insider (PIN), user impersonation (URIM), and de-synchronization (D-SYN) attacks. Khatoon et al. [7] proposed a user bi-linear-pairing (BP) based AKE scheme for TMIS. However, their scheme is incapable of thwarting URIM and PIN attacks and cannot provide URA feature. Similarly, the AKE scheme presented by Li et al. [8] is unable to impede PGU, IDGU, URIM, PIN, and SMCL attacks. Das et al. [9] proposed an SHA-based scheme, which cannot thwart server impersonation (SIM), man-in-the-middle (MATM), URIM, and PIN attacks and is unable to provide URA property.
The user AKE scheme proposed by Madhusudhan et al. [10] cannot resist replay, MATM, PIN, and SIM attacks, and does not provide mutual authentication (MA) and URA features. The AKE scheme presented in [11] is incapable of resisting denial-of-service (DoS), PIN, and masquerade attacks and does not provide URA and MA features. The authors proposed an AKE scheme in [12], which is prone to ephemeral secret leakage (EPLE), DoS, and key compromised attacks. The scheme presented by Garg et al. [13] in 2019 was proved insecure against key compromise impersonation, and it was also argued in [14] that Garg et al.'s scheme does not provide meter anonymity and forward secrecy. Similarly, the authors in [15], [16] presented AKE schemes using authenticated encryption with associative data (AEAD) and the secure hash algorithm (SHA). However, their schemes cannot encompass all the security requirements stipulated by resource-constrained IoT devices deployed for TMIS. A detailed summary of the various user AKE protocols for the TMIS environment is given in Table 1.

B. MOTIVATION
As described in Table 1, most of the schemes proposed to ensure indecipherable communications in the TMIS are unprotected against SIM, URIM, EPLE, and DoS attacks. In addition to this, some of the schemes are incapable of thwarting D-SYN and PIN attacks and do not render features such as URA and MA. It is worth noting that public key cryptography and chaotic map-based user AKE schemes require significantly high computational resources because modular exponentiation and elliptic curve cryptography (ECC) based point multiplication operations are computationally expensive for resource-limited IoT devices. However, symmetric-key cryptography [41] is a feasible option for such devices. More precisely, the recently proposed authenticated encryption with associative data cryptographic primitives are specifically designed for resource-constricted IoT devices. An AEAD scheme is efficient in terms of computational resource requirements and is therefore designed explicitly for resource-limited devices. In addition, an AEAD scheme provides the confidentiality, authenticity, and integrity of the data simultaneously. Therefore, using an AEAD scheme can reduce the computational time required to complete the authentication phase by reducing the cryptographic operations involved in the authentication process. Therefore, by leveraging the benefits of an AEAD scheme and hash function, we propose a lightweight and secure AKE scheme for the TMIS with the following contributions [42], [43].

C. RESEARCH CONTRIBUTION
1) We propose a resource-efficient authentication scheme for the TMIS, called REAS-TMIS, that utilizes the lightweight cryptography-based authenticated encryption with associative data (ASCON) and hash function "Esch256". REAS-TMIS enables users and servers to set up SK for indecipherable communication after accomplishing the mutual authentication to ensure encrypted communication between users and medical servers. Moreover, REAS-TMIS ensures the anonymity and privacy of the user during the accomplishment of the AKE phase.
2) We leverage the random oracle model (ROM) to validate the authenticity of the established SK. In addition, we utilize Scyther-based analysis and illustrate that REAS-TMIS is secure and resilient against various covert security threats, including MATM, replay, D-SYN, URIM, SIM, and SMCL attacks.
3) We show that, in addition to rendering comparatively enhanced security functionalities, REAS-TMIS accomplishes the AKE process with the requirement of 54.04% lower computational and 19.79% lesser communication costs than the related AKE scheme.
The remainder of this paper is organized as follows. System models are elaborated in Section II. The proposed REAS-TMIS is explained in Section IV. The security validation is presented in Section V. The efficiency and effectiveness of REAS-TMIS are described in Section VI. Finally, the paper ends with concluding remarks in Section VII.

II. SYSTEM MODEL

A. NETWORK MODEL
The network model presented in Fig. 1 is considered for the proposed REAS-TMIS. The model comprises registration center (RC), medical server (MS), and users ($UR_x \mid x = 1, 2, 3, \cdots, K$), where K is the number of users. The users can be doctors, nurses, or family members authorized to access the information stored at MS. RC is responsible for the deployment of MS. Moreover, RC is also responsible for the registration of $UR_x$ before giving them access to the network resources, i.e., to view the patient record and the availability of other services provided by the medical center. MS stores all the information related to the health of a patient, which are obtained from the patient monitoring system. In addition, MS stores the sensitive registration information associated with the $UR_x$. It is often the case that $UR_x$ requires the data/information stored at MS. Thus, a security mechanism is required to enable safe communication between $UR_x$ and MS. To provide $UR_x$ with secure access to the system resources, an AKE scheme is required.

B. ATTACK MODEL
The Dolev-Yao (DY) model [44], [45] is considered as the threat model (TM) for the proposed REAS-TMIS. Under the DY model, an adversary, denoted by A, has the capabilities of seizing all the messages exchanged during the AKE phase. In addition to this, A can capture the message or drop it, update the message content, and re-transmit the modified message. Moreover, the smart user device is not considered to be a trusted device because A can capture the user's smart device and can procure the sensitive information stored in the memory of the device or smart card [46]. Similarly, MS is considered to be placed in a secure environment, and A cannot capture it physically. However, the insider A can retrieve the sensitive information stored in the database of MS and can perform various malicious activities on behalf of a particular user. Furthermore, we employ the postulates of the CK-adversary model [47]. It is a more effective TM than the DY model and is considered a substantially acceptable model for devising an AKE scheme.

III. PRELIMINARIES
This section renders the background knowledge of different preliminaries utilized in devising the REAS-TMIS.

A. FUZZY EXTRACTOR
Fuzzy extractor (FE) is used to derive a unique secret key from the user's bio-metric template. FE comprises bio-metric key generation and reproduction functions, denoted by Gen(·) and Rep(·), respectively. The function Gen(·) is a probabilistic function that takes the user bio-metric information ($BIO_{UR}$) as input and generates a unique key $BIK \in [0, 1]^{lbbk}$ and RP, where lbbk is the length of BIK and RP is the reproduction parameter. Moreover, Rep(·) is a deterministic function that reproduces BIK by taking $BIO_{UR}$ and RP as the inputs with the condition ($BIO_{UR}$, $BIO_{UR}$ ≤ Et), where $BIO_{UR}$ and Et are the bio-metric information entered at the time of login and error tolerance.

B. ASCON
ASCON [48] is an online AEAD scheme, which provides the confidentiality, integrity, and authenticity of the data simultaneously. The encryption and decryption processes of ASCON can be expressed as follows. where CT, Tag/Tag, Ke, IV, AD, and PT denote the ciphertext, authentication tag, key, initialization vector, associative data, and plaintext, respectively.

C. Esch256
Esch256 is a lightweight hash algorithm that is designed for resource-constricted IoT devices. Moreover, Esch256 provides higher security than SHA-160 with reduced computational cost. We denote the Esch256 hash operation by the expression H(·). A detailed description of the "Esch256" hash function can be found in [49].

IV. THE PROPOSED REAS-TMIS SCHEME
The details of the proposed REAS-TMIS are presented in this section. REAS-TMIS comprises four phases: UR registration phase, AKE phase, password update (PUD) phase, and revocation (RV) phase.

Exclusive-OR on $W^a_1$ and $W^b_2$, which are two chunks of $W_1$. Now, the size of $P_1$ has become 128 bits whereas the size of $W_1$ was 256 bits. To make all the parameters compatible with AEAD encryption scheme (ASCON), we will perform the above operation.

2) STEP URR-2
RC on procuring $P_1$, picks random number NP, and computes 3 ) and sends {PID, $SP_{UR_x}$} to $UR_x$. In addition, RC stores the credentials {SID, $SP_{UR_x}$} in MS's database.

3) STEP URR-3
On procuring the secret credentials from RC, $UR_x$ computes

C. AKE PHASE
In this phase, $UR_x$ performs the local authentication by validating its secret credentials and then sends the AKE request to MS. After achieving the mutual authentication, both $UR_x$ and MS establish SK to achieve indecipherable communication. The following steps must be executed to accomplish the AKE process.

1) STEP AKE-1
$UR_x$ inputs password $PSW^l_{UR_x}$ and identity $ID^l_{UR_x}$, imprints biometric $BIO_{UR_x}$, and computes the following, where $BIK^l_{UR_x}$ is the bio-metric key associated with $UR_x$, which is obtained by using the Rep(·) function of FE. The parameter $P_1$ is determined by performing the hash operation on $ID_{UR_x}$ and $PSW_{UR_x}$. Moreover, the secret encryption key $Ke_l$ is determined by concatenating ($P^a_l \oplus P^b_l$) and $BIK^l_{UR_x}$, where $P^a_l$ and $P^b_l$ are derived from $P_l$. Furthermore, $PT_{UR_x}$ and $Tag^l_{UR_x}$ are the output of the ASCON decryption algorithm. Finally, the smart user device $UD_x$ checks the following condition. If the condition does not hold, $UD_x$ promptly terminates the AKE process and generates the login failure message. Otherwise, $UD_x$ retrieves $PT_{UR_x}$ = {PID, $SP_{UR_x}$}, proceeds with the AKE process, and picks $R_a$, $R_b$, and $TS_1$. In addition to this, $UD_x$ computes the following, where $Ke_1$ is the secret key used in the encryption process. Finally, $UD_x$ constructs the message $MES_1$: {$TS_1$, PID, $CT_1$, Tag

where $MP_2$ is a parameter generated by using the hash function with inputs $ID_{MS}$ and $MK_{MS}$. The parameter $P_1$ is obtained from (14) and $Ke_2$ is derived in (15), where $P_1$ is divided into two chunks. The parameter $P_3$ is obtained from (16) and $AD_3$ is determined from (17), where $P_3$ is divided into two chunks. Finally, by using the ASCON decryption process, MS generates the parameter $Tag_2$. In addition, MS validates $Tag_1 \stackrel{?}{=} Tag_2$; if it holds, MS retrieves $R_a$. Moreover, MS computes

The parameter $Q_5$ is obtained by performing the hash operation on the parameter $P_1$ and $MK_{MS}$, and SID is derived by XORing $Q^a_5$ and $Q^b_5$, which are two parts of $Q_5$. SID is used to retrieve the secret parameter $SP_{UR_x}$ from the database of MS. Furthermore, MS picks $TS_2$, $R_c$, and $NP_2$, and computes the following, where $Ke_3$ is the secret key used in the encryption process, which is derived by splitting QM into two parts.

$PID^{new}$ is the new pseudo identity, which will be used by $UR_x$ to accomplish the new AKE session. In addition, we derive $AD_3 = AD_4$, where $AD_3$ is derived in (17). $SK_{SM}$ denotes the session key, which is used to ensure the encrypted communication with $UR_x$. SKv is the session key verification parameter and its size is 128 bits, which is used to validate the SK at the user side. The parameter $PT_{MS}$ denotes the plaintext, which is generated by concatenating $R_c$, $PID^{new}$, and SKv. Moreover, MS, by using the ASCON encryption algorithm, generates the parameters $CT_2$ and Tag

Furthermore, $UD_x$ computes $SKv_1 = (SK^a_{UR_x} \oplus SK^b_{UR_x})$ and checks the condition $SKv \stackrel{?}{=} SKv_1$. If the condition is satisfied, $UD_x$ updates PID with $PID^{new}$ and determines $PT^{new}_{UR_x}$ = {$PID^{new}$, $SP_{UR_x}$}. In addition to this, $UD_x$ picks $R^{new}_{UR_x}$ and computes where $Tag^{new}_{UR_x}$} in its own memory. The AKE phase of REAS-TMIS is summarized in Fig. 2.
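The local-authentication gate of Step AKE-1 can be sketched as follows. This is an added example, not code from the paper: SHA-256 stands in for Esch256 and an HMAC-based encrypt-then-MAC construction stands in for ASCON (neither primitive is in the Python standard library), and the use of R as the nonce, the empty associated data, the length-prefixed hashing, the attempt limit `MAX_FAILURES`, and all demo values are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed limit; the paper only says wrong attempts are limited


def H(*parts: bytes) -> bytes:
    """SHA-256 stand-in for Esch256. Each part is length-prefixed (an added
    choice) so that (b"ab", b"c") and (b"a", b"bc") hash differently."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def fold(x: bytes) -> bytes:
    """XOR the two halves of a value: 256 bits in, 128 bits out (P^a xor P^b)."""
    half = len(x) // 2
    return bytes(a ^ b for a, b in zip(x[:half], x[half:]))


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def aead_encrypt(key, nonce, ad, pt):
    """Encrypt-then-MAC stand-in for ASCON: returns (CT, 128-bit Tag)."""
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    tag = _prf(key, b"mac", nonce + len(ad).to_bytes(4, "big") + ad + ct)[:16]
    return ct, tag


def aead_decrypt(key, nonce, ad, ct, tag):
    """Return the plaintext, or None when the recomputed tag does not match."""
    expect = _prf(key, b"mac", nonce + len(ad).to_bytes(4, "big") + ad + ct)[:16]
    if not hmac.compare_digest(expect, tag):  # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def local_key(identity: bytes, password: bytes, bik: bytes) -> bytes:
    """Ke_l = (P^a xor P^b) || BIK with P = H(ID, PSW), as in Step AKE-1."""
    return fold(H(identity, password)) + bik


class UserDevice:
    """Stores only {CT, Tag, R}; PID and SP are kept encrypted at rest."""

    def __init__(self, identity, password, bik, pid, sp):
        self.r = os.urandom(16)           # per-device nonce (assumed role of R)
        self.pid_len = len(pid)
        self.ct, self.tag = aead_encrypt(
            local_key(identity, password, bik), self.r, b"", pid + sp)
        self.failures = 0

    def login(self, identity, password, bik):
        """Local authentication: returns (PID, SP), or None and no AKE request."""
        if self.failures >= MAX_FAILURES:
            return None                   # locked: no further tag checks
        pt = aead_decrypt(local_key(identity, password, bik),
                          self.r, b"", self.ct, self.tag)
        if pt is None:
            self.failures += 1            # wrong ID, password or biometric key
            return None
        self.failures = 0
        return pt[:self.pid_len], pt[self.pid_len:]


# Constructed demo values (not from the paper).
DEMO_ID, DEMO_PSW = b"dr.alice", b"correct horse"
DEMO_BIK = bytes(range(16))               # would come from Rep(BIO, RP)
DEMO_PID, DEMO_SP = b"P" * 16, b"S" * 16

if __name__ == "__main__":
    dev = UserDevice(DEMO_ID, DEMO_PSW, DEMO_BIK, DEMO_PID, DEMO_SP)
    print("good login:", dev.login(DEMO_ID, DEMO_PSW, DEMO_BIK))
    print("bad password:", dev.login(DEMO_ID, b"guess", DEMO_BIK))
```

The failure counter only limits guesses made through the device interface; it does not protect the stored {CT, Tag, R} once the device memory itself has been read out, which is why the key also depends on the bio-metric key.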

D. RV PHASE
If an adversary loses his smart device or card, $UR_x$ can procure a new device as follows. To accomplish the RV phase, $UR_x$ needs to compute $P_1 = H(ID_{UR_x}\ PSW^o_{UR_x})$ and send $P_1$ to RC. RC derives SID as $SID = (W^a_2 \oplus W^b_2)$. In addition to this, RC searches SID from the database of MS; if it is found, MS removes the record related to SID. After that, $UR_x$ starts the new registration process. For the new registration process, we follow the same process as executed in Step URR-1 to Step URR-3.

E. PUD PHASE
To enhance the security of TMIS, it is necessary for $UR_x$ to update its password frequently. The proposed REAS-TMIS renders this functionality. $UR_x$ needs to execute the following necessary step to update its password.

1) STEP PUD-1
$UR_x$ enters its old secret credentials, such as $PSW^o_{UR_x}$ and $ID_{UR_x}$, and imprints its bio-metric information $BIO^o_{UR_x}$ at the available interface of $UD_x$. Moreover, $UD_x$ computes , $RP^n$, $R^n_{UR_x}$} in its own memory.

V. SECURITY ANALYSIS
In this section, the resiliency of the proposed REAS-TMIS against various security threats is demonstrated by conducting informal analysis, and SK security is proved through ROM-based formal security analysis. In addition to this, the security of REAS-TMIS is illustrated through Scyther-based validation.

A. INFORMAL SECURITY ANALYSIS
This subsection demonstrates the informal security analysis of the REAS-TMIS scheme, to show its resistance against various security attacks.

= $Tag_{UR_x}$. However, A cannot perform the decryption process without knowing the valid secret credentials of $UR_x$. In addition, the bio-metric keys are difficult to predict/generate or guess. Therefore, REAS-TMIS is capable of resisting PGU/PUD attack.

3) ANONYMITY AND UNTRACEABILITY
REAS-TMIS ensures the anonymity of entities of the network. There are two messages exchanged, i.e., $MES_1$: {$TS_1$, PID, $CT_1$, $Tag_1$, $R_b$} and $MES_2$: {$TS_2$, $CT_2$, $Tag_3$}, to complete the AKE process. After capturing $MES_1$ and $MES_2$, A cannot extract the real identity of $UR_x$ from $PID = ((TID_{UR_x})\ NP) \oplus MP$. Thus, REAS-TMIS is capable of resisting IDGU attack. In addition, $MES_1$ and $MES_2$ are dynamic as they are generated using random numbers and current timestamps. Hence, A cannot correlate the messages captured from two different AKE sessions. Therefore, REAS-TMIS ensures the URA and untraceability features.

4) REPLAY ATTACK
As described in Section IV-C, during the AKE process, the exchanged messages incorporate the latest current timestamps. During the AKE phase, the entities receiving the exchanged messages verify the timestamp received with each message to guarantee it is not greater than the allowed time delay Td. Therefore, REAS-TMIS is resistant to replay attack.

5) MATM ATTACK
To effectuate MATM attack, A expropriates the message = $Tag_2$ to ensure the authenticity of the received $MES_1$. This will not hold because it is hard for A to generate a valid message on behalf of $UR_x$ without knowing its secret credentials $P_1$ and $SP_{UR_x}$. In addition, A cannot succeed in generating a valid message $MES_2$: {$TS_2$, $CT_2$, $Tag_3$} without knowing the secret credentials of MS, such as $P_1$, $R_a$, $MK_{MS}$, and $SP_{UR_x}$. Thus, REAS-TMIS is resilient against MATM attack.

6) DoS ATTACK
In the proposed REAS-TMIS, $UR_x$ can send the AKE request to MS after achieving the local authentication. The local authentication phase prevents $UR_x$ from sending a large volume of AKE requests to MS to overwhelm the message processing resources of MS. So, in REAS-TMIS, $UD_x$ checks the condition $Tag^l_{UR_x} \stackrel{?}{=} Tag_{UR_x}$ to accomplish local authentication. In this way, REAS-TMIS is capable of resisting DoS attack.

7) IMPERSONATION ATTACK
To deploy URIM attack, A captures the message $MES_1$: {$TS_1$, PID, $CT_1$, $Tag_1$, $R_b$} disseminated during the AKE process and fabricates $MES_1$, which is a modified message. A then disseminates the $MES_1$ to MS to make MS believe that $MES_1$ is from a legitimate entity of the network. However, A cannot succeed in generating a licit $MES_1$ without knowing the secret credentials $P_1$ and $SP_{UR_x}$. In addition, A cannot succeed in generating $MES_2$: {$TS_2$, $CT_2$, $Tag_3$} without knowing the secret credentials $P_1$, $R_a$, $MK_{MS}$, and $SP_{UR_x}$. Thus, REAS-TMIS is resilient against URIM and SIM attacks.

8) EPLE ATTACK
In the proposed REAS-TMIS, SK is constructed as

It is obvious that $SK_{UR_x} (= SK_{MS})$ is constructed using ephemeral secrets (ES), such as {$R_a$, $R_c$, $R_b$, NP}, and long-term secrets (LTS), such as {$P_1$, $MK_{MS}$, $SP_{UR_x}$}. Therefore, to compromise SK, A needs to know both ES and LTS. Thus, REAS-TMIS is resistant to EPLE attack.

B. ROM-BASED FORMAL SECURITY ANALYSIS
This section renders the ROM-based analysis of the proposed REAS-TMIS protocol to verify the security of the SK established between $UR_x$ and MS. Under the ROM, the security of the proposed REAS-TMIS is given in Theorem 1. According to the ROM of the REAS-TMIS, the $t^{th}$ instance of an entity is denoted by p . Moreover, $UR_x$ and MS are denoted as the entities $UR_x$ and MS, and their $t_1^{th}$ and $t_2^{th}$ instances are represented as p1 $UR_x$ and p2 MS, respectively. The hash function (SHA-256) is irreversible and collision resistant, and is modeled as random oracle Shash. Moreover, the ROM describes the queries tabulated in Table 3, which are utilized by A to simulate an attack.
Definition 1: Let A be a polynomial-time (plt) adversary running against the AEAD scheme that effectuates Que queries of length lth; then A's online chosen ciphertext attack (OCCA3) advantage can be described as follows [50]-[52].
Proof: We define the following five games ($Gm_h \mid h = 0, 1, 2, 3, 4$) to establish the proof of Theorem 1. In addition, A's advantage in breaking SK's security is represented as Reveal and Test to validate whether the constructed key is the real key or a random number. As discussed in Section IV-C, the established SK $SK_{UR_x} (= SK_{MS}) = H(P_3\ P_1\ R_a\ R_c\ PID^{new})$ is constructed by utilizing ES {$R_a$, $R_b$} and LTS {$P_1$, $ID_{MS}$, $ID_{UR_x}$, $SP_{UR_x}$}, which are unknown to A. Therefore, A cannot derive SK. Thus, $Gm_0$ and $Gm_1$ are indistinguishable and the following can be achieved.

Ad REAS−TMIS
$Gm_2$: By simulating the Hash oracle, A attempts to effectuate an active attack. During the AKE process, $MES_1$ incorporates $PID = ((TID_{UR_x})\ NP) \oplus MP$, which is protected by $MP = H(ID_{MS}\ MK_{MS})$, and MP is protected by the hash function (SHA-256). As the hash function is irreversible and collision resistant, A cannot extract the sensitive parameter $P_1$ from PID. Therefore, by the birthday paradox, we can deduce .
$Gm_3$: In $Gm_3$, A effectuates an active attack by utilizing the CorruptUR(p1 $UR_x$) query (defined in Table 3). By utilizing this, A can extricate the information, such as {$CT_{UR_x}$, $Tag_{UR_x}$, Gen(·), Rep(·), RP, $R_{UR_x}$}, stored in the memory of $UD_x$ by utilizing PA attack. However, in REAS-TMIS, the stored information is in encrypted form and encryption is performed using the credentials {$PSW_{UR_x}$, $ID_{UR_x}$, $BIK_{UR_x}$}, where $BIK_{UR_x}$ (bio-metric key) is difficult to guess and generate. Thus, without the knowledge of valid credentials {$PSW_{UR_x}$, $ID_{UR_x}$, $BIK_{UR_x}$}, it is impractical for A to extract the secret credentials used in the AKE process. Moreover, the length of the bio-metric key is $\frac{1}{2^{lbbk}}$, where lbbk denotes the length of the bio-metric key. Therefore, the probability of guessing $BIK_{UR_x}$ is negligible. In addition to this, only a limited number of wrong password attempts are allowed. Under these conditions, the following can be deduced
$Gm_4$: In $Gm_4$, A launches an active attack by eavesdropping the exchanged messages, such as $MES_1$: {$TS_1$, PID, $CT_1$, $Tag_1$, $R_b$} and $MES_2$: {$TS_2$, $CT_2$, $Tag_3$}. After capturing $MES_1$ and $MES_2$, A attempts to extract the secret parameters, which are used to construct SK. However, these secret parameters are encrypted with ASCON, which is an AEAD scheme. Therefore, A cannot extract the secret credentials from the encrypted information. Thus, by Definition 1, we can deduce ASCON ,A (plt). (37)
To this end, all the relevant queries associated with the above $Gm_z$ are accomplished. The only event left is to guess the arbitrary bit B after accomplishing the Reveal and Test queries. Consequently, we have

Ad REAS−TMIS
From (33) and (34), we get From (39), we get By using (38) and (

Scyther [53] is a Python-based software tool used to verify the security of a security scheme. We use the Scyther tool to validate the security robustness of REAS-TMIS against various covert and pernicious security threats. Scyther can identify different security lapses efficiently. Scyther is used extensively for validating and analyzing AKE schemes or security protocols. Scyther presented superior performance compared with existing tools employed to verify AKE schemes' security. REAS-TMIS is coded in Scyther utilizing Security Protocol Description Language (SPDL). In the SPDL script, there are two roles defined, i.e., (i) UR (user role) and (ii) MS (server role). In addition, we manually define the claims, such as claim(UR, Secret, SK) and claim(MS, Secret, SK), which are validated by Scyther as shown in Fig. 3. Moreover, the claims generated automatically by Scyther for the user role, namely claim(UR, Alive), claim(UR, Weakagree), claim(UR, Niagree), and claim(UR, Nisynch), are verified. Moreover, for the MS role, claim(MS, Alive), claim(MS, Weakagree), claim(MS, Niagree), and claim(MS, Nisynch) are also validated by Scyther as shown in Fig. 3. Therefore, REAS-TMIS is secure against various malicious security threats.

VI. PERFORMANCE EVALUATION
To evaluate the effectiveness and efficiency of the proposed REAS-TMIS, we compare it with the related AKE schemes in terms of security functionalities and computational, communication, and storage overheads. The related AKE schemes include the schemes of Qui et al. [18], Kumari et al. [6], Mo et al. [35], Arshad et al. [54], and Ostad et al. [55]. In addition to this, to simulate $UD_x$ and MS, we use the platform with the specification given in Table 4. Moreover, we use the Python-based "PyCrypto" library along with the ASCON reference code to obtain the experimental execution time of various cryptographic primitives and ASCON.

A. COMPARISON OF SECURITY FUNCTIONALITIES
An AKE scheme must be secure to impede various security threats. Additionally, an AKE scheme must ensure the anonymity and untraceability of communicating entities. Table 6 provides a comparative analysis of REAS-TMIS and the related AKE schemes. The scheme of Kumari et al. [6] is unable to impede PGU, SMCL, PIN, URIM, and D-SYN attacks and cannot render URA features. The scheme of Qui et al. [18] is incapable of impeding URIM attack and unable to provide the URA feature. The scheme of Mo et al. [35] cannot render protection against replay, stolen verifier, DoS, and EPLE attacks. The scheme of Arshad et al. [54] cannot resist replay, MATM, PIN, and SIM attacks. Moreover, the scheme does not provide MA and URA features. The scheme of Ostad et al. [55] is incapable of preventing PGU, key compromise, and impersonation attacks. Contrarily, REAS-TMIS is secure and ensures anonymous communication during the AKE phase.

VII. CONCLUSION
Security and privacy are imperative for critical environments like TMIS where sensitive information is communicated through the public Internet. In this paper, we have used AEAD and a hash function and proposed an AKE scheme, called REAS-TMIS, for the TMIS environment that enables users to efficiently authenticate and establish SK with MS. REAS-TMIS is computationally inexpensive and fitting for resource-constrained IoT devices in TMIS. Moreover, the scheme enables doctors and nurses to securely access the information stored at MS. Aside from this, we have formally proved the security of the SK through the ROM. Moreover, we have also proved, through informal analysis, the strength of the scheme against various security attacks, such as replay, impersonation, and DoS attacks. Additionally, we have executed Scyther-based formal security analysis and have shown the security strength of the scheme. Moreover, a comparison with the state-of-the-art is presented to show that REAS-TMIS incurs 54.04% lower computational and 19.79% lower communication overheads while providing enhanced security features compared with the related AKE scheme.