SALS-TMIS: Secure, Anonymous and Lightweight Privacy-Preserving Scheme for IoMT-Enabled TMIS Environments

With the Telecare Medical Information System (TMIS), patients and doctors can access various healthcare services through wireless communication technology without visiting the hospital in person. However, TMIS must satisfy the necessary security requirements, including authentication and anonymity, because the information of legitimate patients is transmitted via an open channel. Therefore, secure privacy-preserving schemes are essential to ensure reliable healthcare services for legitimate patients in TMIS. Recently, existing work proposed a secure healthcare authentication protocol with attack-resilience and anonymous key agreement in TMIS environments. However, we demonstrate that this scheme cannot prevent impersonation, session key disclosure, and man-in-the-middle attacks and cannot ensure secure mutual authentication. To address the security flaws of the existing scheme, we design a secure, anonymous, and lightweight privacy-preserving scheme in Internet of Medical Things (IoMT)-enabled TMIS environments, called SALS-TMIS. Our scheme withstands potential security threats and ensures the essential security functionalities. We evaluate the security of SALS-TMIS using informal and formal security analyses, including the ROR oracle model and an AVISPA implementation. We then compare the computation and communication costs of SALS-TMIS with existing schemes. SALS-TMIS provides better security and efficiency than related schemes for IoMT-enabled TMIS.


I. INTRODUCTION
With the advances in "5G communication" and "Internet of Medical Things (IoMT)" technologies, doctors and patients can access healthcare services such as real-time health monitoring and diagnostics through telecare medical information systems (TMIS). IoMT-enabled TMIS applications offer various medical services, including rehabilitation, emergency health-response and so on [2], [3], [4]. These applications can greatly help doctors and patients with convenient, reliable, and low-cost healthcare services and let them carry out exact telemedicine at any place. Generally, IoMT-enabled TMIS environments are composed of the TMIS server, gateway, and wearable device as shown in Figure 1. The sensor devices sense, collect, and monitor health data such as heart rate, blood pressure, and body temperature for the patients and transmit that information to the healthcare systems for decision-making and treatment. Moreover, the TMIS server provides various healthcare services and transmits other medical information to the doctor and the user, and doctors may also access those TMIS servers to obtain real-time patient status and health information. However, despite the several advantages of TMIS, there are some difficulties and challenges to be solved. TMIS environments may suffer serious privacy problems [5] because the messages are exchanged via a public channel. If the sensitive information of legitimate patients is revealed, a malicious adversary may attempt various security attacks. Moreover, since IoMT devices (sensors, wearable devices, etc.) are resource-limited in terms of computing power and computation overhead [6], it is not suitable to apply symmetric and asymmetric key cryptography that generates high computation overhead. Thus, robust, lightweight, and anonymous authentication and key agreement (AKA) schemes are essential to ensure reliable healthcare services for legitimate patients in TMIS environments [8], [9], [10].

FIGURE 1: TMIS system model
In 2020, Hajian et al. [11] proposed a scalable healthcare authentication protocol with attack-resilience and anonymous key agreement (SHAPARAK) in TMIS environments. Hajian et al. claimed that SHAPARAK can prevent various security attacks, including impersonation, sensor device compromise, and privileged insider attacks, and also can provide anonymity and mutual authentication. However, we prove that SHAPARAK [11] suffers from many security drawbacks such as "man-in-the-middle (MITM)", "impersonation", and "session key disclosure" attacks. In addition, their scheme does not provide "mutual authentication". Therefore, we design a secure, anonymous, and lightweight three-factor based privacy-preserving scheme in IoMT-enabled TMIS environments (SALS-TMIS) to resolve the security flaws of SHAPARAK [11].

A. MOTIVATIONS
The main goal of this article is to identify and remedy the security shortcomings of Hajian et al.'s scheme [11]. This article shows that Hajian et al.'s scheme is vulnerable to potential security attacks and also does not ensure the necessary security functionalities. Hajian et al. would have worked tirelessly to design a high-security cryptographic protocol. However, they would not have viewed their protocol from the point of view that we have analyzed and proven. These facts motivated us to design a secure, anonymous, and lightweight three-factor based privacy-preserving scheme for IoMT-enabled TMIS and ensure the necessary security functionalities.

B. CONTRIBUTIONS
The detailed contributions of SALS-TMIS can be summarized as below:
• We prove the security flaws of SHAPARAK [11] and then design a secure, anonymous, and lightweight three-factor based privacy-preserving scheme for IoMT-enabled TMIS to remedy the security flaws of SHAPARAK. SALS-TMIS provides low computation overheads suitable for IoT-based wearable devices by using only hash function and XOR operation.
• We carry out a formal (mathematical) security analysis using the "Real-or-Random (ROR) oracle model" [12] to prove the session key security of SALS-TMIS. We carry out a formal (simulation) security analysis to demonstrate the security of SALS-TMIS by using the "Automated Validation of Internet Security Protocols and Applications (AVISPA)" simulation tool [13]. Furthermore, we demonstrate that SALS-TMIS ensures mutual authentication between each entity by using Burrows-Abadi-Needham (BAN) logic [14].
• We perform testbed experiments for cryptographic operations using the well-known "Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL)" [15].
• We compare the performance of SALS-TMIS with related schemes in terms of "security properties", "computation costs", and "communication costs".

C. ORGANIZATIONS
The rest of the paper is organized as follows. Section II presents the related works for TMIS. Section III reviews SHAPARAK [11] and Section IV proves the security weaknesses of SHAPARAK. In Section V, we design a more secure, anonymous, and lightweight three-factor based privacy-preserving scheme for IoMT-enabled TMIS to remedy the security shortcomings of SHAPARAK. Section VI analyzes the security of SALS-TMIS using informal and formal security analyses. In Section VII, we introduce the testbed experiments for cryptographic primitives using MIRACL. Section VIII compares the computation costs and communication costs of SALS-TMIS and previous schemes. Finally, we summarize the conclusion in Section IX.

II. RELATED WORKS
In the past few decades, many authentication and key agreement schemes [16], [17], [18] have been presented for healthcare in TMIS environments to provide security and privacy for legitimate users. In 2015, Amin et al. [19] introduced "an AKA scheme using elliptic curve cryptography (ECC)" that allows users and servers to share temporal secret keys aided by a central medical server. However, Irshad et al. [20] demonstrated that Amin et al.'s scheme [19] is not resistant to masquerade and offline password guessing attacks and also has a high computation cost.
In 2017, Irshad et al. [20] presented a "provably secure multi-server AKA scheme" for TMIS to improve the security problems of Amin et al.'s scheme [19]. In 2016, Arshad and Rasoolzadegan [21] proposed a "privacy-preserving AKA scheme for TMIS using the ECC and symmetric key encryption" to share a common session key. However, their scheme [21] cannot resist ephemeral secret leakage, impersonation, and offline password guessing attacks. In 2018, Challa et al. [22] presented an "ECC-based secure and efficient three-factor AKA scheme" for healthcare services. However, Challa et al.'s scheme [22] cannot resist forgery and replay attacks, and also does not ensure mutual authentication. In 2020, Li et al. [23] designed an "efficient three-factor AKA scheme using ECC for wireless medical sensor systems". Nevertheless, their scheme [23] is vulnerable to replay and privileged insider attacks. In addition, these schemes [19], [20], [21], [22], [23] are not suitable for practical TMIS environments because they utilize ECC, which incurs high computation and communication overheads.
To resolve the security threats and efficiency issues associated with ECC-based AKA schemes for TMIS, many researchers have presented lightweight AKA schemes in TMIS environments [24], [25], [26] that utilize only XOR and hash operations to ensure secure and efficient healthcare services. In 2019, Sharma et al. [27] designed a "lightweight AKA scheme for cloud-IoT enabled healthcare services". Unfortunately, their scheme [27] is vulnerable to sensor node compromise and insider attacks, and does not ensure untraceability and anonymity. In 2019, Wazid et al. [28] presented a "lightweight AKA scheme based on hash and XOR functions for edge-based IoT environments", called LDAKM-EIoT. However, LDAKM-EIoT has low scalability and is also vulnerable to forgery and desynchronization attacks. Moreover, LDAKM-EIoT does not include user pre-validation and passwords cannot be changed locally. In 2019, Zhou et al. [29] presented a "lightweight IoT-enabled AKA scheme applicable to cloud-based TMIS". However, Zhou et al.'s scheme [29] does not provide user pre-validation and is insecure against potential security attacks such as MITM, insider, and replay attacks. Thus, these AKA schemes for IoT-based TMIS [27], [28], [29] are still vulnerable to various security attacks and also provide poor scalability and user-friendliness because user pre-validation is not included and passwords cannot be efficiently changed without server involvement.
In recent years, secure and efficient three-factor based AKA schemes for TMIS [30], [31], [32] have been designed to address the scalability, security, and efficiency issues. In 2019, Gupta et al. [32] designed a "lightweight anonymous AKA scheme for wearable device-based healthcare services". Gupta et al.'s scheme [32] ensures low computational overheads and high scalability because it does not require a secure channel in the sensor device registration process. However, Hajian et al. [11] discovered that Gupta et al.'s scheme [32] is susceptible to various security attacks such as privileged insider, offline guessing, desynchronization, and impersonation attacks as well as attacks on compromised sensor devices. In 2020, Hajian et al. [11] presented a "scalable healthcare AKA scheme in TMIS environments" to resolve the security weaknesses of Gupta et al.'s scheme [32]. Hajian et al. [11] claimed that their protocol resists various security attacks and also provides efficient scalability, mutual authentication, anonymity, and user-friendliness. However, we discover that Hajian et al.'s scheme [11] is still vulnerable to impersonation, MITM, and session key disclosure attacks and also does not ensure mutual authentication. Moreover, these schemes [30], [31], [32] ensure high scalability but may be vulnerable to physical capture attacks because they do not require a secure channel in the sensor device registration process. Thus, we design a "secure, anonymous, and lightweight three-factor based privacy-preserving scheme in IoMT-enabled TMIS environments" to resolve the security drawbacks of Hajian et al.'s scheme [11].

III. REVIEW OF HAJIAN ET AL.'S SCHEME
This section reviews Hajian et al.'s scheme for TMIS. Hajian et al.'s scheme is comprised of three processes: system setup, registration, and authentication. Table 1 summarizes the notations used in this paper.
Notation: Description
Common session key between $GW_i$ and $SD_j$
$K_i$: $S$'s master key
$X_{GD_i}$: Shared secret key between $GW_i$ and $S$
$X_{SD_j}$: Shared secret key between $SD_j$ and $S$
$E_k/D_k()$: Encryption and decryption
$\Delta T$: Maximum transmission delay
$h(\cdot)$: One-way hash function
$\oplus$: Bitwise XOR operation
$||$: Concatenation operation

A. SYSTEM SETUP PROCESS
This process consists of two parts: the sensor device and the gateway setup processes. $S$ registers $SD_j$ and assigns the secret credentials to it. $S$ chooses a sensor device's temporal identity $TSID_j$, a sensor device's identity $SID_j$, and a shared secret key $X_{SD_j}$ for each $SD_j$. Then, $S$ stores $\{TSID_j, SID_j, X_{SD_j}\}$ in the memory of each $SD_j$. After that, $S$ stores $\{TSID_j, SID_j, X_{SD_j}, h(\cdot)\}$ in a secure database. To register a $GW_i$, $S$ chooses a shared secret key $X_{GD_i}$, a gateway's identity $GID_i$, and a temporal identity $TGID_i$ for each $GW_i$ and then stores $\{TGID_i, GID_i, X_{GD_i}, h(\cdot)\}$ in the memory of $GW_i$. After that, $S$ stores $\{TGID_i, GID_i, X_{GD_i}, h(\cdot)\}$ in a secure database.

B. REGISTRATION PROCESS
This process includes two parts: the sensor device and the gateway registration processes. The detailed descriptions are as follows:

1) Sensor Device Registration Process
$SD_j$ should register within $S$ to access healthcare services. All messages are exchanged through a public channel. We present the sensor device registration process of Hajian et al.'s scheme and the detailed descriptions are below:
• SDR-1: $SD_j$ selects a random nonce $r_j$ and computes $MP_j = h(SID_j || TSID_j || r_j || T_1)$, $MN_j = h(X_{SD_j}, T_1) \oplus r_j$ and sends the message $\{TSID_j, MN_j, MP_j, T_1\}$ to the $GW_i$. The current timestamp $T_i$ denotes the time at which the message is generated.
• SDR-2: $GW_i$ obtains the message $\{TSID_j, MN_j, MP_j, T_1\}$ and evaluates the freshness of $T_1$. If it is incorrect, $GW_i$ aborts the message and terminates the session. Otherwise, $GW_i$ calculates $TI_i = h(GID_i || TSID_j || T_2)$ and sends the message If it is valid, $S$ authenticates $GW_i$ and restores $r_j^*$ using the shared secret key $X_{SD_j}$ as Then, $S$ sends the message $\{e_j, TI_{Ser}, TI_j, T_3\}$ to the $GW_i$, otherwise terminates the current session.
• SDR-4: $GW_i$ obtains $\{e_j, TI_{Ser}, TI_j, T_3\}$ and verifies the freshness of $T_3$. $GW_i$ authenticates $S$. Then, $GW_i$ stores $\{TSID_j\}$ in its memory and sends the message $\{e_j, TI_{Ser}, TI_j, T_3, T_4\}$ to the $SD_j$.
• SDR-5: $SD_j$ receives the message $\{e_j, TI_{Ser}, TI_j, T_3,$ , the $SD_j$ ensures the message integrity and accuracy of $f_j^*$. Finally, $SD_j$ calculates $f_j = f_j \oplus SID_j$ and stores $\{f_j, r_j\}$ in its memory.

2) Gateway Registration Process
$GW_i$ should register within $S$ to access healthcare services. We present the gateway registration process of Hajian et al.'s scheme and the detailed descriptions are below:
Then, $S$ sends the message $\{e_i\}$ to the $GW_i$ via a secure channel. After that, $S$ stores $\{MI_i, x_i\}$ in its database.
• GR-3: Upon receiving the message, $GW_i$ computes

C. AUTHENTICATION AND KEY AGREEMENT PROCESS
This process is initiated when $U_i$ sends information to $GW_i$ and finishes by establishing a session key between the $SD_j$ and the $GW_i$. All messages are exchanged through a public channel. The detailed descriptions for the AKA process of Hajian et al.'s scheme are below:
• AKG-2: Upon getting the message, $SD_j$ checks the freshness of $T_1$. If it is not fresh, it terminates the current session; otherwise $SD_j$ computes $A_j = h(MI_i || X_{SD_j} || f_j || T_1)$, $x_j = h(r_j || X_{SD_j})$ and retrieves $f_j = SID_j \oplus f_j$. After that, $SD_j$ generates a random nonce $K_j$ and calculates f t , and sends the message is the temporal identity of $SD_j$ which is updated in each round, $f_j^t$ is temporal secret parameter for mutual authentication between $SD_j$ and $GW_i$. After that, $S$ sends the message $\{H_i, F_{ij}, S, T_4\}$ to $GW_i$.
• AKG-5: After getting the message, $GW_i$ checks the message freshness, and verifies whether . Then, $GW_i$ selects a random nonce $K_i$ and calculates the temporal session key between $GW_i$ and $SD_j$ and computes it ensures that the current session's integrity is protected and that the key is secure. After that,

IV. SECURITY FLAWS OF HAJIAN ET AL.'S SCHEME
In this section, we prove the security flaws such as MITM, impersonation, and session key disclosure attacks of SHAPARAK [11]. Moreover, their scheme does not ensure mutual authentication.

A. ADVERSARY MODEL
We present the attack assumptions comprising the well-known "Dolev-Yao (DY)" model [33] and "Canetti-Krawczyk (CK)" model [34] to examine the security of SALS-TMIS. The capabilities of an adversary are as follows:
• Based on the DY model [33], [35], a malicious adversary ($MA$) can eavesdrop, modify, inject, resend, and block the exchanged messages over a public channel.
• Based on the CK model [34], $MA$ can reveal secret credentials and session states through session-hijacking attacks. Thus, a session key between each entity should be dependent on both "long-term secret" and "short-term secret" parameters.
• $MA$ can steal the smart phone of a legal user and extract the secret credentials stored in its memory by using power-analysis attacks [36]. Furthermore, $MA$ has the capacity to physically capture some IoT sensor devices, as the sensor devices can be deployed in TMIS environments, and then $MA$ can extract the secret credentials stored in those captured sensor devices.
• After getting the secret credentials of the smart phone or sensor device, $MA$ may attempt potential security attacks such as the "off-line password guessing", "replay", "stolen verifier" attacks and so on [37], [38].

1) MITM Attack
In Hajian et al.'s scheme, they claimed that SHAPARAK can resist MITM attacks because $MA$ cannot obtain the secret credentials. However, we prove that SHAPARAK cannot resist MITM attacks as follows:
Step 1: According to Section IV-A, $MA$ first intercepts the transmitted messages via a public channel and then computes f t
Step 2: After that, $MA$ chooses a random nonce $K_{MA}$ and calculates
Step 3: Upon getting the message, $SD_j$ com-

2) Impersonation Attack
In this attack, $MA$ attempts to impersonate the legitimate user. Referring to Section IV-A, we assume that $MA$ can eavesdrop, inject, modify, delete, block, and resend the exchanged messages via a public channel. Moreover, we suppose that $MA$ extracts the secret credentials $\{MI_i, n_i, m_i\}$ in the memory of the smart phone using power-analysis attacks [36]. After getting these parameters, $MA$ generates a random nonce $K_{MA}$ and calculates

3) Session Key Disclosure Attack
Referring to Sections IV-A1 and IV-A2, we prove that $MA$ can impersonate a legitimate user. In addition, $MA$ obtains the random nonces $\{K_i, K_j\}$ of the $GW_i$ and $SD_j$ and the secret credentials $\{f_j^t, TSID_j^{new}\}$. Then, $MA$ calculates a session key $SK_{ij} = h(K_i || K_j)$ between $SD_j$ and $GW_i$ successfully. As a result, SHAPARAK is insecure against session key disclosure attacks.

4) Mutual Authentication
Hajian et al. claimed that SHAPARAK provides secure mutual authentication between each participant. However, according to Section IV-A1, $MA$ can generate an authentication message $\{R_{ij}, M_{ij}\}$ of the $GW_i$ and achieve mutual authentication with $SD_j$ successfully. Thus, SHAPARAK does not provide secure mutual authentication.

V. PROPOSED SCHEME
We design a secure, anonymous, and lightweight three-factor based privacy-preserving scheme in IoMT-enabled TMIS environments to improve the security shortcomings of SHAPARAK [11]. SALS-TMIS provides superior scalability since it utilizes an insecure channel during each sensor device's registration process. Moreover, SALS-TMIS involves the same process used by SHAPARAK and also contains a password and biometric update process without relying on the involvement of a trusted authority.

A. SYSTEM SETUP PROCESS
This process is identical to the system setup process presented in SHAPARAK [11].

B. REGISTRATION PROCESS
This process consists of two parts: the gateway registration and the sensor device registration processes. The detailed descriptions are as below:

1) User Registration Process
The user ($U_i$/$GW_i$) must register with $S$ to access the healthcare services. We present the gateway registration process of SALS-TMIS, which is described as follows:
• GR-1: The user selects an $ID_i$ and $PW_i$ and generates a random number $RU_i$. Then, $U_i$/$GW_i$ computes $HID_i = h(ID_i || RU_i)$, $HPW_i = h(PW_i || RU_i)$ and sends $\{HID_i, HPW_i\}$ to $S$ via a secure channel.
• GR-2: Upon receiving the message, $S$ computes . Then, $S$ sends $\{X_i\}$ to the $U_i$ through a secure channel. Finally, $S$ computes $W_i = E_{K_i}(X_i, HID_i)$ and stores $\{W_i\}$ in a secure database.
• GR-3: After receiving the message, the user imprints a biometric $BIO_i$ and computes

2) Sensor Device Registration Process
$SD_j$ must register with $S$ to access healthcare services. We present the sensor device registration process of SALS-TMIS, which is described in detail as follows:
• SDR-1: $SD_j$ first generates a random number $RS_j$ and computes $SI_j = h(TSID_j || SID_j || RS_j)$ and $N_j = h(SID_j || X_{SD_j} || TSID_j) \oplus RS_j$. After that, $SD_j$ sends $\{SI_j, TSID_j, N_j\}$ to the $GW_i$ via a public channel.
$= TS_j$. If it is valid, $SD_j$ computes $C_j = (d_j || RS_j) \oplus h(X_{SD_j} || SID_j)$ and then stores $\{C_j\}$ in the memory.

C. AUTHENTICATION AND KEY AGREEMENT PROCESS
The registered $GW_i$ and $SD_j$ perform the mutual authentication with $S$ to establish a common session key between $GW_i$ and $SD_j$. All messages are transmitted through a public channel. In Figure 2, we present the AKA process of SALS-TMIS and the detailed descriptions are as follows:
• AKP-1: $U_i$ inputs a unique $ID_i$, $PW_i$, and imprints $BIO_i$ into $GW_i$. Then, $GW_i$ computes If it is not equal, $GW$ terminates the current session; otherwise, it generates a random nonce $R_u$ and computes $M_1 = R_u \oplus h(X_i || X_{GD_i} || TGID_i)$ and $Auth_u = h(HID_i || TGID_i || R_u || X_i || X_{GD_i})$. After that, $GW_i$ sends $\{M_1, Auth_u, TGID_i\}$ to the $SD_j$ through a public channel.
• AKP-2: After obtaining the message, $SD_j$ computes $(d_j || RS_j) = C_j \oplus h(X_{SD_j} || SID_j)$. After that, $SD_j$ generates a random nonce $R_s$ and computes $M_2 = R_s \oplus h(RS_j || d_j || X_{SD_j} || TSID_j)$ and $Auth_s = h(SID_j || TSID_j || RS_j || R_s || X_{SD_j})$ and then sends $\{M_1, Auth_u, TGID_i, M_2, Auth_s, TSID_j\}$ to the $S$.
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication.
Checks whether Auth * Finally, $SD_j$ sends $\{M_4, Auth_{tu}, Auth_{su}\}$ to the $GW_i$. = $Auth_{su}$. If it is correct, $GW_i$ updates $TSID_j$ with $TSID_j^{new}$ in the memory. Consequently, the mutual authentication between each entity is successful, and a common session key is successfully established between $GW_i$ and $SD_j$.
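The AKP-1 and AKP-2 message construction, together with the stored $C_j$ from sensor device registration and the server-side recomputation of $Auth_u$ and $Auth_s$ stated in Section VI-A7, as an added Python example (not the authors' code). It assumes SHA-256 for $h(\cdot)$, 16-byte $d_j$ and $RS_j$, length-prefixed hash fields, and that $S$ already holds each party's credentials in a lookup record; all function names, record layouts and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

HLEN = 32  # SHA-256 digest size; every XOR mask below is exactly this long


def h(*fields: bytes) -> bytes:
    """h(a || b || ...). Each field is length-prefixed (an added hardening
    choice, not in the paper) so ("ab","c") and ("a","bc") hash differently."""
    d = hashlib.sha256()
    for f in fields:
        d.update(len(f).to_bytes(2, "big") + f)
    return d.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):  # a short operand would silently leave bytes unmasked
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def sd_store(d_j, rs_j, x_sd, sid_j):
    """Sensor registration: C_j = (d_j || RS_j) XOR h(X_SDj || SID_j)."""
    return xor(d_j + rs_j, h(x_sd, sid_j))


def gw_request(hid_i, x_i, x_gd, tgid_i):
    """AKP-1: mask a fresh nonce R_u and bind it to the user's secrets."""
    r_u = secrets.token_bytes(HLEN)
    m1 = xor(r_u, h(x_i, x_gd, tgid_i))
    auth_u = h(hid_i, tgid_i, r_u, x_i, x_gd)
    return r_u, (m1, auth_u, tgid_i)


def sd_forward(gw_msg, c_j, x_sd, sid_j, tsid_j):
    """AKP-2: unmask (d_j || RS_j) from C_j, then append M_2 and Auth_s."""
    d_rs = xor(c_j, h(x_sd, sid_j))
    d_j, rs_j = d_rs[:HLEN // 2], d_rs[HLEN // 2:]
    r_s = secrets.token_bytes(HLEN)
    m2 = xor(r_s, h(rs_j, d_j, x_sd, tsid_j))
    auth_s = h(sid_j, tsid_j, rs_j, r_s, x_sd)
    return r_s, gw_msg + (m2, auth_s, tsid_j)


def server_verify(msg, user, sd):
    """Server side (record layout is an assumption): recover both nonces and
    recompute Auth_u and Auth_s. Returns (R_u, R_s) or None on any mismatch."""
    m1, auth_u, tgid_i, m2, auth_s, tsid_j = msg
    if len(m1) != HLEN or len(m2) != HLEN:
        return None
    r_u = xor(m1, h(user["X_i"], user["X_GD"], tgid_i))
    r_s = xor(m2, h(sd["RS_j"], sd["d_j"], sd["X_SD"], tsid_j))
    want_u = h(user["HID_i"], tgid_i, r_u, user["X_i"], user["X_GD"])
    want_s = h(sd["SID_j"], tsid_j, sd["RS_j"], r_s, sd["X_SD"])
    ok_u = hmac.compare_digest(auth_u, want_u)  # constant-time comparison
    ok_s = hmac.compare_digest(auth_s, want_s)
    return (r_u, r_s) if ok_u and ok_s else None


def demo():
    # Constructed long-term values (fixed so the run is repeatable).
    user = {"HID_i": h(b"ID_i", b"RU_i"), "X_i": h(b"X_i"), "X_GD": h(b"X_GD")}
    sd = {"SID_j": b"SID-0001", "X_SD": h(b"X_SD"),
          "d_j": h(b"d_j")[:16], "RS_j": h(b"RS_j")[:16]}
    tgid, tsid = b"TGID-7f3a", b"TSID-19c2"
    c_j = sd_store(sd["d_j"], sd["RS_j"], sd["X_SD"], sd["SID_j"])

    r_u, gw_msg = gw_request(user["HID_i"], user["X_i"], user["X_GD"], tgid)
    r_s, msg = sd_forward(gw_msg, c_j, sd["X_SD"], sd["SID_j"], tsid)
    honest = server_verify(msg, user, sd) == (r_u, r_s)

    # One flipped bit in M_1 changes the recovered R_u, so Auth_u no longer matches.
    bad_m1 = bytes([msg[0][0] ^ 1]) + msg[0][1:]
    tampered = server_verify((bad_m1,) + msg[1:], user, sd)

    # A message bound to one TGID_i is rejected when presented under another.
    rebound = server_verify(msg[:2] + (b"TGID-0000",) + msg[3:], user, sd)

    # A sensor holding the wrong X_SDj unmasks garbage from C_j and fails Auth_s.
    _, forged = sd_forward(gw_msg, c_j, h(b"other key"), sd["SID_j"], tsid)
    wrong_key = server_verify(forged, user, sd)
    return {"honest": honest, "tampered_m1": tampered,
            "rebound_tgid": rebound, "wrong_sensor_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```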

D. PASSWORD AND BIOMETRIC UPDATE PROCESS
If an authorized user needs to change a password and biometric, $U_i$ can easily update their own old password. In SALS-TMIS, the password and biometric update process is performed at the local level without the involvement of $S$. The detailed descriptions are as follows:
• PBU-1: $U_i$ first inputs a unique identity $ID_i$, an old password $PW_i^{old}$, and imprints an old biometric BIO old

VI. SECURITY ANALYSIS
We perform security analysis to evaluate security of SALS-TMIS by using the informal security and formal security analyses such as ROR oracle model and AVISPA.

A. INFORMAL SECURITY ANALYSIS
We perform the informal security analysis to evaluate the security of SALS-TMIS. We demonstrate that TMIS can resist various security threats, including offline password guessing, impersonation and stolen verifier attacks. Moreover, SALS-TMIS guarantees mutual authentication, scalability, and anonymity.

1) Impersonation Attack
Assume that $MA$ may attempt to impersonate a legitimate entity by eavesdropping on the messages transmitted over a public channel. However, $MA$ cannot successfully generate the authentication request messages $\{M_1, Auth_u, TGID_i\}$, $\{M_1, Auth_u, TGID_i, M_2, Auth_s, TSID_j\}$ or the response messages $\{M_3, Auth_{tu}, Auth_{ts}\}$, $\{M_4, Auth_{tu}, Auth_{su}\}$ since $MA$ does not obtain the random nonces $\{R_u, R_s\}$ and the secret credentials $\{X_i, d_j, RS_j\}$. Therefore, SALS-TMIS is secure against impersonation attacks since $MA$ cannot generate the correct authentication messages of all participants.

2) Mobile Device Stolen Attack
According to Section IV-A, $MA$ can steal the smart phone ($MD_i$) of the legitimate user and extract the secret credentials $\{A_i, B_i\}$ stored in the memory utilizing power-analysis attacks [36]. Based on the extracted secret parameters, $MA$ tries to impersonate other entities. However, $MA$ cannot obtain the legitimate user's sensitive data since the secret parameters stored in the $MD_i$ are masked by using the XOR operation and hash function. Therefore, SALS-TMIS is resilient against mobile device stolen attacks.

3) Session Key Disclosure Attack
In SALS-TMIS, $MA$ must obtain the random nonces (short-term secrets) $\{R_u, R_s\}$ and the secret credentials (long-term secrets) $\{X_i, d_j\}$ to generate the correct session key $SK = h(R_u || R_s || TGID_j || TSID_j)$. However, $MA$ cannot compute it since $\{X_i, d_j\}$ is masked with the $SD_j$'s shared secret key $\{X_{SD_j}\}$, $U_i$'s password $PW_i$ and biometric $BIO_i$ using hash and XOR functions. Furthermore, $MA$ cannot obtain $\{R_u, R_s\}$ because $MA$ does not know the real identity $\{ID_i, SID_j\}$ of $U_i$ and $SD_j$, the secret credentials $\{X_i, Z_j\}$ and the shared secret key $\{X_{GD_i}, X_{SD_j}\}$. Hence, SALS-TMIS is secure against session key disclosure attacks based on the CK threat model as discussed in Section IV-A.

4) Offline Password Guessing Attack
Assume that $MA$ tries to guess the real password $PW_i$ of the legitimate user $U_i$ and also extracts all secret parameters $\{A_i, B_i\}$ in the memory of $MD_i$ by utilizing power-analysis attacks [36]. Even if $MA$ can guess the real password of $U_i$, $MA$ should calculate a series of equations in polynomial time and should compute some equations and the valid credentials with the guessed $PW_i$. However, $MA$ must know a unique biometric $BIO_i$, a real identity $ID_i$, and a random number $RU_i$ to obtain valid equations and credentials. Hence, it is impossible for $MA$ to correctly guess the real password $PW_i$ of $U_i$ since $MA$ cannot obtain $U_i$'s biometric $BIO_i$, identity $ID_i$, and random number $RU_i$.

5) MITM Attack
Referring to Section IV-A, $MA$ can eavesdrop on the exchanged messages over a public channel. Therefore, a MITM attack may be possible. However, $MA$ cannot successfully generate the authentication messages and session key because $MA$ cannot get the random nonces $\{R_u, R_s\}$, the real identity $\{ID_i, SID_j\}$, and the shared secret key $\{X_{GD_i}, X_{SD_j}\}$. As a result, SALS-TMIS is resilient against MITM attacks since $MA$ cannot obtain the sensitive data of each participant.

6) Stolen Verifier Attack
In this attack, $MA$ steals the information related to $U_i$ and $SD_j$ which is stored in the database of $S$ and attempts to impersonate a legitimate entity. However, even if $MA$ gets the stored information $\{W_i, SA_j\}$ in the database of $S$, he/she cannot impersonate the legitimate entity because $MA$ cannot obtain the secret information related to $U_i$ and $SD_j$ without $S$'s master key $K_i$. Thus, the stolen verifier attack is not feasible in SALS-TMIS.

7) Mutual Authentication
During the AKA process, all participants carry out mutual authentication successfully. After obtaining the message $\{M_1, Auth_u, TGID_i\}$ for the $U_i$/$GW_i$, $S$ verifies whether $Auth_u^* \stackrel{?}{=} Auth_u$. If it is equal, $S$ authenticates $U_i$/$GW_i$. After getting the message $\{M_2, Auth_s, TSID_j\}$ for $SD_j$, $S$ checks whether $Auth_s^* \stackrel{?}{=} Auth_s$. If it is valid, $S$ authenticates $SD_j$. After obtaining the message $\{M_3, Auth_{tu}, Auth_{ts}\}$ from $S$, the $SD_j$ verifies whether $Auth_{ts}^* \stackrel{?}{=} Auth_{ts}$. If it is correct, $SD_j$ authenticates $S$. After getting the message $\{M_4, Auth_{tu}, Auth_{su}\}$ for $SD_j$ and $S$, the $U_i$/$GW_i$ checks whether $Auth_{tu}^* \stackrel{?}{=} Auth_{tu}$ and $Auth_{su}^* \stackrel{?}{=} Auth_{su}$. If it is valid, $U_i$/$GW_i$ authenticates $SD_j$ and $S$ and also establishes a common session key $SK$ between $SD_j$. Hence, all participants are mutually authenticated and $MA$ cannot generate the authentication messages successfully.

8) Anonymity
Referring to Section IV-A, $MA$ is able to extract the secret credentials stored in $MD_i$ and eavesdrop on the exchanged messages in all sessions. However, $MA$ cannot obtain $U_i$'s real identity $\{ID_i\}$ and $SD_j$'s real identity $\{SID_j\}$ since the exchanged messages are masked with the random nonces $\{R_u, R_s\}$, secret credentials $\{X_i, d_j\}$, shared secret key $\{X_{GD_i}, X_{SD_j}\}$, and biometric $\{BIO_i\}$ by using hash and XOR functions. Hence, SALS-TMIS provides secure anonymity of $U_i$ and $SD_j$.

9) Scalability
In SALS-TMIS, the sensor device registration process is performed via a public channel. In addition, SALS-TMIS does not need to authenticate an intermediate device for the sensor device registration process. Thus, SALS-TMIS provides more effective scalability than other previous schemes that carry out the registration process in a secure channel. Consequently, SALS-TMIS provides a good solution that is compatible with the growing popularity of IoMT-enabled TMIS environments and 5G communication networks.

B. FORMAL SECURITY ANALYSIS USING ROR ORACLE MODEL
This section evaluates the session key ($SK$) security of SALS-TMIS against a passive/active adversary $MA$ by using the ROR oracle model [12]. We first introduce the ROR oracle model prior to proving $SK$ security for SALS-TMIS.
In SALS-TMIS, there are three participants: the user $P^{t_1}_U$, the sensor device $P^{t_2}_{SD}$, and the TMIS server $P^{t_3}_S$, where $P^{t_1}_U$, $P^{t_2}_{SD}$, and $P^{t_3}_S$ are instances $t_1^{th}$ of $U_i$, $t_2^{th}$ of $SD_j$, and $t_3^{th}$ of $S$, respectively. In Table 2, we present queries indicates the advantages of $MA$ in violating $SK$ security for SALS-TMIS. Then, we can derive as follows: Hash, $q_{send}$, and $q_h$ are the number of Hash query, Send() query, and the range space of hash function $h(\cdot)$, respectively. Furthermore, $C$, $s$, and $l_b$ are the Zipf's parameters [39].
Proof. We demonstrate a sequence of five games, namely $GM_i$ ($i \in [0, 4]$). We indicate that $Adv^{SALS-TMIS}_{MA,GM_i}$ is the probability of $MA$ winning the $GM_i$. All games are described in detail as follows:
Game $GM_0$: This game is considered as an actual attack executed by $MA$ in SALS-TMIS. The bit $c$ is selected randomly before the beginning of $GM_0$. According to this game $GM_0$, we get the following result:
Citation information: DOI 10.1109/ACCESS.2022.3181182
the transmitted messages does not increase. We get the following result:
FIGURE 4: AVISPA implementation results using SPAN
Based on the HLPSL implementation of SALS-TMIS, we simulated SALS-TMIS utilizing the Security Protocol ANimator (SPAN) for AVISPA [42]. The simulation results using the OFMC and CL-AtSe back-ends are shown in Figure 3. Moreover, the simulation result for the malicious intruder using SPAN is shown in Figure 4. Consequently, we prove that SALS-TMIS is secure against various security attacks because the simulation results are output as SAFE.

D. FORMAL SECURITY ANALYSIS USING BAN LOGIC
We perform the BAN logic [14] to prove the secure mutual authentication of the SALS-TMIS. We introduce the BAN logic notations as shown in Table 3. Moreover, we introduce the goals, the rules, the assumptions, and the idealized form for the BAN logic analysis. We prove that SALS-TMIS ensures mutual authentication between U i , SD j , and S.
$\zeta \stackrel{K}{\longleftrightarrow} \phi$: $\zeta$ and $\phi$ have shared secret key $K$

5. Belief rule (BR):

To prove the BAN logic, the goals of SALS-TMIS are as below.

2) Idealized forms
There are four messages in SALS-TMIS. The idealized forms of the messages are as below.

3) Assumptions
The assumptions in our scheme are as below.

4) BAN logic proof
The BAN logic proof then proceeds as follows:

Step 1: According to $MSG_1$, we get

Step 21: Based on the $BP_{19}$ and $A_{10}$ with the JR, we obtain

Based on goals 1-4, we demonstrated that $U$, $SD$, and $S$ are mutually authenticated successfully. We proved that SALS-TMIS ensured secure mutual authentication between $U$, $SD$, and $S$.
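The following added example (not from the paper) mechanizes the rule chain a BAN proof of this kind follows: the message-meaning, nonce-verification, belief, and jurisdiction rules applied until no new belief appears. The idealized message, the names `K_us`, `SK`, and `T_s`, and the three assumptions are constructed for illustration and are not the idealized forms or assumptions of SALS-TMIS.

```python
# Added illustration (not the paper's proof): forward-chaining BAN-logic checker.
def believes(p, x): return ("believes", p, x)
def sees(p, x):     return ("sees", p, x)
def said(p, x):     return ("said", p, x)
def fresh(x):       return ("fresh", x)
def controls(p, x): return ("controls", p, x)
def key(k, p, q):   return ("key", k, frozenset((p, q)))   # p <-k-> q
def enc(x, k):      return ("enc", x, k)                   # {x}_k
def pair(*xs):      return ("pair",) + xs

def is_fresh(facts, p, x):   # freshness rule: a compound is fresh if any part is
    return believes(p, fresh(x)) in facts or (isinstance(x, tuple)
        and x[0] == "pair" and any(is_fresh(facts, p, y) for y in x[1:]))

def derive(facts):
    facts = set(facts)
    while True:
        new = set()
        for f in facts:
            if f[0] == "sees" and f[2][0] == "enc":          # message meaning rule
                p, (_, x, k) = f[1], f[2]
                for g in facts:
                    if g[:2] == ("believes", p) and g[2][0] == "key" and g[2][1] == k:
                        new |= {believes(p, said(q, x)) for q in g[2][2] - {p}}
            elif f[0] == "believes" and f[2][0] == "said":   # nonce verification rule
                if is_fresh(facts, f[1], f[2][2]):
                    new.add(believes(f[1], believes(f[2][1], f[2][2])))
            elif f[0] == "believes" and f[2][0] == "believes":
                p, (_, q, x) = f[1], f[2]
                if x[0] == "pair":                           # belief rule (BR)
                    new |= {believes(p, believes(q, y)) for y in x[1:]}
                if believes(p, controls(q, x)) in facts:     # jurisdiction rule (JR)
                    new.add(believes(p, x))
        if new <= facts:                                     # fixpoint reached
            return facts
        facts |= new

# Constructed idealized message S -> U: {T_s, U <-SK-> S}_K_us (names are assumptions).
SESSION = key("SK", "U", "S")
ASSUMPTIONS = {
    believes("U", key("K_us", "U", "S")),          # U believes U <-K_us-> S
    believes("U", fresh("T_s")),                   # U believes #(T_s)
    believes("U", controls("S", SESSION)),         # U believes S controls the session key
    sees("U", enc(pair("T_s", SESSION), "K_us")),  # U sees the idealized message
}

def goals_hold(facts):   # (U believes SK, U believes S believes SK)
    done = derive(facts)
    return believes("U", SESSION) in done, believes("U", believes("S", SESSION)) in done
```

Dropping the freshness assumption makes both goals underivable, which is how acceptance of a replayed message would surface in the logic; dropping the jurisdiction assumption leaves only the second goal.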

VII. TESTBED EXPERIMENTS USING MIRACL
We present the testbed experiments for measuring the computational time required for the necessary cryptographic primitives used in SALS-TMIS and other related schemes using the widely accepted MIRACL [15].
In the testbed experiments, we utilize two scenarios for measuring the computational time of the necessary cryptographic operations. We use $T_{bp}$, $T_{ecpm}$, $T_{fe}$, $T_h$, and $T_{sed}$ to denote the execution time needed for a "bilinear pairing", an "elliptic curve scalar point multiplication", a "fuzzy extractor" [43], a "hash function" (for example, Secure Hash Algorithm (SHA-256) [44]), and a "symmetric key encryption/decryption" (for example, Advanced Encryption Standard (AES) [45]), respectively.
In these scenarios, we have considered a Raspberry PI setting as follows: "Model: Raspberry PI 4B (2019), CPU Architecture: 64 bit, Processor: 1.5 GHz Quad-core, OS: Ubuntu 20.04.2 LTS with 8 GB memory" as shown in Figure 5. Each cryptographic primitive was run 100 times, and we then measured the average, minimum, and maximum time in milliseconds for the primitives. The experimental results under the Raspberry PI 4 setting are provided in Table 4.

A. COMMUNICATION COSTS
We compare the communication cost of SALS-TMIS with the previous schemes [11], [27], [28], [29] for TMIS. Referring to [11], we take the bit lengths for the ECC, hash function, random nonce, identity, and timestamp to be 320, 256, 128, 128, and 32 bits, respectively. During AKA process of SALS-TMIS, the transmitted messages $\{M_1, Auth_u, TGID_i\}$,

As shown in Figure 6, SALS-TMIS has a better communication cost compared with previous AKA schemes because sending fewer bits reduces network latency, the number of network collisions, and the sensing device's power consumption. Consequently, SALS-TMIS has a superior communication cost compared with existing AKA schemes as shown in Table 5.

Table 4. In this scenario, we have taken $T_{bp} \approx 18.294$ ms, $T_{ecpm} \approx 2.848$ ms, $T_h \approx 0.309$ ms, and $T_{sed} \approx 0.012$ ms. We then present the performance results for the computational cost comparison in Table 5 and Figure 7. Although SALS-TMIS has a somewhat higher computation cost than SHAPARAK [11], it offers better security functionalities and also has a better computation cost than the other related schemes [27], [28], [29]. Thus, the proposed scheme is suitable for IoMT-enabled TMIS environments.

C. SECURITY PROPERTIES
We compare the security properties of SALS-TMIS with the previous schemes [11], [27], [28], [29]. Table 6 tabulates the security properties of SALS-TMIS and the previous schemes. The security properties are as follows: $SP_1$: "Mobile device/smart card stolen attack", $SP_2$: "Impersonation attack", $SP_3$: "Off-line password guessing attack", $SP_4$: "Session key disclosure attack", $SP_5$: "Replay attack", $SP_6$: "MITM attack", $SP_7$: "Physical capture attack", $SP_8$: "Privileged insider attack", $SP_9$: "Stolen verifier attack", $SP_{10}$: "Mutual authentication", $SP_{11}$: "User anonymity", $SP_{12}$: "Scalability", $SP_{13}$: "Local password updating", $SP_{14}$: "Formal (mathematical) analysis". Referring to Table 6, the previous schemes [11], [27], [28], [29] suffer from various security attacks, and some protocols cannot ensure mutual authentication and anonymity. In contrast, SALS-TMIS is secure against various security attacks, and also provides authentication and anonymity. Thus, SALS-TMIS offers the necessary security requirements compared with the previous schemes [11], [27], [28], [29].

In this paper, we demonstrated that Hajian et al.'s scheme is not resilient to potential security threats, including impersonation, session key disclosure, and MITM attacks, and also does not guarantee mutual authentication. We designed a secure, anonymous, and lightweight three-factor based privacy-preserving scheme in IoMT-enabled TMIS environments to resolve the security weaknesses of Hajian et al.'s scheme. We proved that SALS-TMIS prevents various security attacks, and also ensures the necessary security functionalities, including user anonymity, scalability, and mutual authentication.
We then evaluated the security of SALS-TMIS using the ROR oracle model, BAN logic, and an AVISPA implementation. Moreover, we compared the performance of SALS-TMIS with related schemes in terms of computation and communication costs. Thus, SALS-TMIS improved the security level and also ensured low computation and communication costs compared with related schemes. Consequently, SALS-TMIS is applicable to IoMT-enabled TMIS environments because it offers superior security and efficiency compared with related schemes.