Skip to main content

Scalable, efficient, and secure RFID with elliptic curve cryptosystem for Internet of Things in healthcare environment


The rapid development of IoT technology has led to the usage of various devices in our daily life. Along with the ever-increasing rise of the Internet of Things, the use of appropriate methods for establishing secure communications in health care systems is vital. The adoption of high-security optimal mechanisms for this purpose has been more effective regarding the efficiency of medical information systems; hence, many studies are being conducted in this field today. One of the most important components is the RFID cards that can be used for communication between entities in the environment. In healthcare systems, patient information is critical and nobody should have access to this information. Thus, providing security for these networks is essential. Recently, good researches have been done in the area of authentication for medical information systems, using RFID technology, which has a low computational cost. In this paper, we propose a novel method based on elliptic curve cryptography for vital and efficient and scalable authentication between RFID cards, card readers, and servers. This proposed method maintains security and has less computational cost and low elliptic curve point multiplication running time compared to similar recent methods.


The term “Internet of Things” was first introduced in 1999 [1]. The Internet of Things refers to the precise communication between the physical and digital world [2, 3]. In fact, it provides an extensive infrastructure for providing advanced services, such as sending and receiving information and interconnections using physical and virtual elements [3]. The Internet of Things consists of a set of sensors and radio frequency identification (RFID) technology that communicate through the network with various devices [2]. Technologies such as sensor technology, embedded smart technology, and nanotechnology as well as RFID technology can be widely used in the Internet of Things. In RFID technology, objects can communicate with one another through radio waves and exchange information among themselves [3, 4]. Some advantages of RFID technology in comparison with traditional barcodes are the ability to read and write, lack of direct exposure to the card-reader, simultaneous reading of multiple cards, and non-restrictions of using different barcodes [3, 5]. Considering the above-mentioned reasons, we can use these benefits for health care systems such as hospitals.

The components of RFID technology include servers, card readers, and cards. The cards include various parts including a chip that performs calculations, a memory for data storage, an antenna for transmitting and receiving data, and a special hardware that is used for encryption and decryption operations [6,7,8].

Cards can communicate with the card reader and transfer encrypted data between themselves. The cards themselves are divided into three categories, including a reactive card that gets the energy necessary to transmit its data through a wireless signal, a semi-active card with a small battery, and the active card that has a radio antenna and a small battery that is directly connected to the card reader [8, 9]. The cards can store and process data and then transfer information to the card reader using their radio transmitter [6, 7].

Card readers have a control unit, a memory unit, and a radio transmitter and receiver; in addition, the capacity of computations in card readers is more than cards, and its main function is to create authentication and exchange messages between the card and the server [8, 10].

A server is a trusted entity and stores all information and ID cards and card readers in its database for proper authentication process, and then the system starts up. The validity of the card can be determined using this information stored in the server [8, 10].

One of the instances that can be implemented by using RFID technology inside the Internet of Things and in healthcare settings is the identification of the newborn and patient [8, 11], tracing and validating the medical treatment of patients [8, 12], patient location and patient management in healthcare centers [8, 13], surgery process management [8, 14], equipment location tracking [5, 8, 15], blood pack tracing, monitoring, and pharmaceutical management.

All messages in healthcare environments are transmitted by using wireless waves through RFID cards in the latter environment. With rapid development and advances of RFID technology in healthcare environments, the need for safe and secure access to sensitive information should be considered, and ultimately, the exchange of this information should be taken into account through the Internet infrastructure of the objects more than before [8]. Transferring information by using RFID technology does not provide any security by itself. Therefore, these healthcare systems are vulnerable to attacks due to the use of RFID. In order to remove these vulnerabilities, various security protocols are provided for secure communication within these networks, some of which are based on symmetric cryptography [16,17,18,19,20,21,22,23,24,25], and others are based on asymmetric cryptography [3, 7, 26,27,28]. Some of these protocols deal with the authentication between the card and the server, in which they confirm each other [3, 7, 26,27,28] and others have authentication between the card and the reader [16, 17]. In order to ensure that the connection between the card, the card reader, and the server is secure, we need mutual authentication in RFID systems, which will affect the authentication process against various attacks [8].

In this paper, we propose a novel method based on elliptic curve cryptography for vital and efficient and scalable authentication between RFID cards, card readers, and servers. This proposed method maintains security and has less computational cost and low elliptic curve point multiplication running time compared to similar recent methods.

An elliptic curve over GF(2m) consists of all points (x, y GF(2m)) such that it satisfies an elliptic curve equation: E: y2 + xy = x3 + ax2 + b with a, b GF(2m), b ≠ 0 (let GF(2m) be a finite field of 2m elements, where m is an integer). For cryptographic purpose, those over the finite field of Fp and F2m are most suitable [29].

The addition of two points and doubling a point on an elliptic curve (generally over a set of real numbers) in a geometrical space are illustrated in Figs. 1 and 2. The Group Law is supported by following terms [29]:

  • Identity: P + O = O + P = P for all P = (x, y) E.

  • Negativity: Let P = (x, y) E and Q = (x, x + y) E therefore P + Q = O, that is to say, negative of P is Q.

  • Point addition: If P = (x1, y1) E and Q = (x2, y2) E such that P ≠ ± Q, then P + Q = (x3, y3) is calculated by following equation:

Fig. 1

Addition on elliptic curves

Fig. 2

Doubling a point

$$ {\mathrm{x}}_3={\uplambda}^2+\uplambda +{\mathrm{x}}_1+{\mathrm{x}}_2+\mathrm{a},{\mathrm{y}}_3=\uplambda \left({\mathrm{x}}_1+{\mathrm{x}}_3\right)+{\mathrm{x}}_3+{\mathrm{y}}_1,\mathrm{with}\;\uplambda =\frac{{\mathrm{y}}_2+{\mathrm{y}}_2}{{\mathrm{x}}_2+{\mathrm{x}}_2} $$
  • Point doubling: If P = (x1, y1) E and P ≠ − P, then 2P = (x2, y2) is defined by following equation:

x2 = λ2 + λ + a, y2 = λ(x1 + x2) + x2 + y1, with λ = x1 +\( \frac{y_1}{x_1} \)

Scalar multiplication as a fundamental operation in ECC is obtained by performing the elliptic curve addition operation k times: \( Q= kP=\underset{k}{\underbrace{P+P\dots +P}}. \)

Calculating Q is relatively easy when k and P are given, but it is a hard problem to determine k when Q and P are specified. This problem is called the elliptic curve discrete logarithm problem (ECDLP). Thus, the scalar multiplication on elliptic curves over finite fields is considered as a one-way function which is useful in cryptographic applications [30].

The structure of the paper is organized as follows: Section 2 reviews the related papers; Section 3 describes the proposed solution, including the initializing phase and the authentication phase; Section 4 describes the dynamic key management; in Section 5, the analysis of the proposed solution as well as security and its efficiency has been addressed; and finally, the conclusions are presented in Section 6.

Methods and related work

Due to the sensitive information that can be exchanged with RFID technology, security for these networks is critical. RFID technology is one of the most important steps in establishing secure communication in these networks. However, the messages exchanged between the card, the card reader, and the server have always been exposed to a variety of security attacks. In this paper, we use the elliptic curve cryptography to secure the connection between the card and reader. The proposed solution preserves security and computational costs less than the previous methods. Furthermore, key management solutions are presented for dynamic access problems in RFID cards in order to be able to develop scalability healthcare networks

Various research and articles have been conducted for RFID security in a variety of applications, which, in addition to providing effective security schemes, identify and discuss the following security issues [3, 7, 10, 16, 18, 25,26,27,28, 31,32,33,34,35,36,37,38,39]:

Mutual authentication

In most researches, interconnection between the card, the card reader, and the server is required prior to the initialization of the operation. The relationship between the card and the card reader is insecure and needs to be reciprocally authenticated, while the communication channel between the server and card reader is assumed to be secure.


Each secret key of the card, the card reader, or their ID must not be recovered by attackers. If the attacker accesses the card or card reader’s secret key, he/she can introduce his/her card or card reader to the server and access sensitive information of the network. To prevent this, data must be encrypted before being transmitted between the card and the card reader.


An RFID authentication scheme is necessary for anonymity of the card and card reader. If the attacker recognizes the identity of the card or card reader, he can in fact violate their privacy; in order to prevent this issue, the ID of the card and card reader should be encrypted in a mutual authentication process.


The RFID authentication process should be implemented accurately over the available lifetime of the card or the card reader. To provide anonymity, for most RFID authentication schemes, the secret keys between the card and the card reader should be updated during the implementation of the authentication process. If the attacker in any way eliminates the process of updating secret keys between the card and the card reader, the authentication scheme will be invalid.

Forward security

In many authentication schemes, if an attacker can access the secret key, he can get the old location of the card or access the old information of that card, which will result in the violation of the privacy of the owner of the card. It is therefore necessary to have the forward-looking security within the authentication plan.


An authentication scheme should be able to support the number of cards or card readers in the network. For example, if the number of cards has multiplied or the card has been deleted, added, or its location has changed, or even the location of the card reader has changed, the authentication scheme should be able to maintain and continue to work well and correctly manage the key for the steps listed.

Resists various attacks

A strong authentication scheme should be able to secure the exchange of information between the card and the card reader against multiple attacks, such as man-in-the-middle attack, replay attack, forging attack, internal attacks, and external attacks.

Various methods are used for the authentication problem in healthcare and health systems based on the Internet of Things that use symmetric and asymmetric cryptography (elliptical curve cryptography) [7, 25, 31, 40,41,42]. The authors of papers did not use asymmetric cryptographic methods, because the key length is long in asymmetric cryptography and thus the speed is very low, but the implemented elliptical curve cryptography methods [43, 44] have proven less storage space than the SHA3 hashing algorithms [7]. Using elliptic curve cryptography, we can easily expand our network and do not have a scalability problem while being safe against various attacks. In contrast, symmetric encryption always suffers from scalability problem [32, 33, 45,46,47,48,49,50].

The elliptic curve ciphering identification for RFID technology was presented for the first time in 2006, by Batina and Tuyls [51], and then, various methods were presented by different authors, or the vulnerability of these methods was investigated by other researchers or new protocols have been introduced to improve their cost and security. For example, in Lee’s paper [52], works of Batina and Tuyls [51] and Batina et al. [53] were investigated, and the problem of the unidentified card was addressed.

Another article by Zhang and Qi [26] has addressed the problems in Chou’s work [34], namely availability of the information inside the card by the attacker, interacting with the server, and card tracking, and aimed to improve Chou’s authentication method. A recent paper by Farash et al. [7] has recently been presented in the field of RFID technology using elliptic curve cryptography for health care systems, in which, by reviewing the methods proposed by Zhang and Qi [26] and Zhao [3], first, addresses the security problem of these two methods in insecure sending of the information, and then presents his own security method. Another paper proposed by Yang et al. [10] addresses the problems of the Kaur [54] scheme, being a high computational cost; with changes made to the Kaur scheme, he has presented a new scheme reducing the high cost of computation.

Proposed scheme

In our proposed method, the server, the card reader, and the card are all participating; first, the server generates the keys for both the card reader and the card. Then, the server loads the keys on them.

The proposed method has two phases: (1) initializing phase and (2) authentication phase. The details of these two phases are fully described below. The symbols are listed in Table 1.

Table 1 Definition of notations used in the proposed scheme

Initializing phase

This phase includes the following steps:

  • Step 1: The server selects the size and type of the Galois field GF(q) which can be chosen p = q, where p must be a large prime number or q=2m (this field is usually chosen because the calculations on the GF(2m) field can be done quickly, and a fast and efficient algorithm has been provided for required calculations on GF(2m) field); m represents the size of the field.

  • Step 2: The server uses two parameters a,b ϵ Fq in order to define the elliptic curve equation E on the field Fq shown in (1):

$$ {y}^2+ xy={x}^3+{ax}^2+b $$

Then, the server chooses the basic point (G) for the elliptic curve (basic point means the point on the elliptic curve that has the highest n order) that is nG = O.

  • Step 3: For each card Ti, the server inserts a random integer \( {p}_{r_i} \) from the interval [1, n − 1] as the private key and then calculates and inserts \( {p}_{u_i} \)=\( {p}_{r_i} \)G into the card. Also, the inverted private key \( {p_r}_i^{-1} \) is inserted into the card. Then, this procedure is repeated for each card reader.

Note: Given the discrete logarithm for the elliptic curve, having \( {p}_{u_i} \) and G, calculation of \( {p}_{r_i} \) is complicated in practice.

  • Step 4: The server has a one-way hashing function h(x) for converting a point on the elliptic curve E to a number v, where chooses v ϵ Fq.

  • Step 5: The server selects a random integer li from the range [1, n − 1] for each card and then calculates the Ui according to (2).

$$ {U}_i={l}_iG $$

Therefore, the secret key for each card is obtained from Eq. (3).

$$ {SK}_i=h\left({U}_i\right) $$
  • Step 6: The server specifies the public dots for the reader, as in Eq. (4), in which the parameter j represents the card reader.

$$ {M}_{i,\kern0.5em j}={l}_j\ \left({p}_{U_i}\right),{M}_{j,\kern0.5em i}={l}_i\left({p}_{U_j}\right) $$

In the end, the server stores the parameters Eq, G, n, h, \( {p_r}_i^{-1} \), \( {p}_{U_i} \), \( {p}_{r_i} \) and li for the card and the parameters Eq, G, n, h, \( {p_r}_j^{-1} \), \( {p}_{U_j} \), \( {p}_{r_j} \) and Mi, j = lj\( \left({p}_{U_i}\right) \), \( {M}_{j,\kern0.5em i}={l}_i\left({p}_{U_j}\right) \) for the card reader.

Authentication phase

In this phase, the card and card reader authenticate each other using the secret key. This phase includes the following steps:

Step 1: To calculate Uj, each card reader is to get its public points and inverted private key already loaded by the server at the initial phase, then Uj is calculated by Eq. (5):

$$ {U}_j={l}_jG={p_r}_j^{-1}{M}_{i,\kern0.5em j} $$

It should be noted that \( {p_r}_j^{-1} \) denotes inversion in a finite field, which is an operation required in the digital signature algorithm of the elliptic curve [55].

Step 2: Determining the secret key according to Eq. (6):

$$ {SK}_j=h\left({U}_j\right) $$

Step 3: In this step, we obtain the value of w according to Eq. (7):

$$ w=h\left({SK}_j+{SK}_j\right) $$

w is used for two-way authentication. The card reader calculates the value of w, which is hashing of the sum of values SKj and SKj. It is used in the symmetric encryption procedure that encrypts the message (m) if the card is able to calculate the value of w, then is able to authenticate the card reader.

In fact, when the card reader communicates with the cards, it can authenticate them, and it is enough to calculate the secret key for the card; also, the card must calculate the value of w in order to authenticate the card reader. The authentication phase is shown in Fig. 3:

Fig. 3

The authentication phase

For example, Fig. 4 illustrates a cluster with card reader and cards with a certain relationship. In this figure, there are 7 cards and one card reader. There is a bidirectional relationship between each card and card reader, and only the card reader is able to calculate the secret key for the cluster members. The server determines the public parameters Mi, j and Mj, i and declares them to the card reader. The set of required public parameters for deriving the secret key by card reader is shown as follows:

$$ \mathrm{Reader}:\left\{{M}_{1,1}={l}_1\left({P}_{u_1}\right)\right.,{M}_{1,2}={l}_2\left({P}_{u_1}\right),{M}_{1,3}={l}_3\left({P}_{u_1}\right),{M}_{1,4}={l}_4\left({P}_{u_1}\right),{M}_{1,5}={l}_5\left({P}_{u_1}\right),{M}_{1,6}={l}_6\left({P}_{u_1}\right),{M}_{1,7}={l}_7\left({P}_{u_1}\right),{M}_{1,8}={l}_8\left.\left({P}_{u_1}\right)\right\} $$
Fig. 4

Communication between cluster members and card reader

Therefore, the card reader in addition to its secret key can derive secret keys of cluster members as follows:

$$ {\displaystyle \begin{array}{l}\mathrm{Reader}=h\left({U}_1\right)=h\left({P}_{r_1}^{-1}{M}_{1,1}\right)\\ {}\kern3em =h\left({U}_2\right)=h\left({P}_{r_1}^{-1}{M}_{1,2}\right)\\ {}\kern3em =h\left({U}_3\right)=h\left({P}_{r_1}^{-1}{M}_{1,3}\right)\\ {}\kern3em =h\left({U}_4\right)=h\left({P}_{r_1}^{-1}{M}_{1,4}\right)\\ {}\kern3em =h\left({U}_5\right)=h\left({P}_{r_1}^{-1}{M}_{1,5}\right)\\ {}\kern3em =h\left({U}_6\right)=h\left({P}_{r_1}^{-1}{M}_{1,6}\right)\\ {}\kern3em =h\left({U}_7\right)=h\left({P}_{r_1}^{-1}{M}_{1,7}\right)\\ {}\kern3em =h\left({U}_8\right)=h\left({P}_{r_1}^{-1}{M}_{1,8}\right)\end{array}} $$

Note that no card or card reader can operate autonomously unless it has permission from the server, in which case it must receive the required public points from the server.

Solution to key management of dynamic access problems

In this section, the concept and problems of dynamic key management for RFID technology in healthcare environments such as adding a new card, removing an existing card, revoking an existing relationship and creating a new relationship (switch card reader), and changing secret keys will be discussed.

Adding new card

Imagine that a new card Tx is added to Fig. 4. In this case, the private, public keys, and reverse private key will be embedded within new card by the server, then steps 5 to 6 of initializing phase will repeat, and the type of relationship between the card and card reader will be a bidirectional one like the other cards. The details are as follows:

  • Step 1: Select a random integer \( {P}_{r_x} \) from the interval [1, n − 1] as a secret parameter for each new card Tx by the server; then, the point \( {P}_{u_x} \)= \( {P}_{r_x} \)G is computed as a public parameter, and both of them are embedded in the new card. Moreover, the reverse private key \( {P}_{r_x}^{-1} \) is embedded within the new card too.

  • Step 2: The server selects a random integer lx for the new card from interval [1, n − 1]. Thus, the secret key of the card Tx is SKx = h(Ux) = h(lxG)

  • Step 3: The server determines the points Mi, x = lx(\( {P}_{u_i} \)) and Mx, x = lx(\( {P}_{u_x} \)) to communicate between the card reader and the new card and declares it publicly.

Removing the existing card

Imagine there is a need for a card to be removed from Fig. 4 for any reason, like the case when cards are captured by an attacker. Under this condition, the server should remove all parameters in contact with the card mentioned above and revoke the access to the card too. In addition, the secret key of the card reader must be changed as follows:

  • Step 1: The server reselects a random integer \( {l}_x^{\ast } \) from the interval [1, n − 1] for card reader. As a result, the new secret key of the card reader is \( {SK}_x^{\ast } \) = h(Ux).

Revoking an existing relationship and creating a new relationship (switch card reader)

Imagine that a new card reader is selected for cluster members (cards), and the previous card reader continues to carry out tasks in another cluster (as shown in Fig. 5).

Fig. 5

Switch card reader and communication between cluster members and new card reader

Then, all communications which the card reader has with cards must be removed. Furthermore, all public parameters and those which connect the cluster members to the card reader and vice versa should also are removed. To build communication between the cluster members and the new card reader, steps 5 to 6 of initializing phase should be executed as follows:

  • Step 1: The server selects a random integer li from interval [1, n − 1] for each card. Therefore, the secret key for each the card is SKi = h(Ui) = h(liG).

  • Step 2: The server determines the points Mj, j = lj(\( {P}_{u_j} \)) and Mi, j = lj(\( {P}_{u_i} \)) for communication between the new card reader and each single card, and declares it publicly.

Changing secret keys

Sometimes changing a secret key is felt necessary perhaps to ensure higher network security and efficiency. Changing the secret key of a card Tx from SKx to \( {SK}_x^{\ast } \) follows the below procedure:

  • Step 1: The server selects a random integer \( {l}_x^{\ast } \) from interval [1, n − 1]. Therefore, the new secret key of the card Tx is \( {SK}_x^{\ast } \) = h(\( {l}_x^{\ast } \)G)

  • Step 2: The server determines the points Mx, x = \( {l}_x^{\ast } \) (\( {P}_{u_x} \)) and Mi, x = \( {l}_x^{\ast } \) (\( {P}_{u_i} \)) declares it publicly.

Security and performance results and discussions


The following are some of the important attacks and the resistance of the proposed method against them and some security requirements:

Man-in-the-middle attack

In this attack, the attacker is trying to retrieve secret and private keys through intercepting communication channel between the card and card reader. In this case, the attacker cannot extract any useful information. Even if we assume that the attacker retrieves w while the card and card reader are communicating, but based on ECDLP, he cannot get the private key to use it and communicate with the card reader or card.

Forging attack

Identity forging attacks are difficult to detect in these networks because the attacker is trying to forge an authorized card ID in order to get the card’s secret key. Now, assume that the attacker is trying to get the card’s secret key, which requires solving discrete logarithm for the elliptic curve. Given the resistance of the discrete logarithm for the elliptic curve, as outlined in Johnson et al. [56], the proposed method will be reliable against this attack.

Mutual authentication

In the proposed method, if the value of SKj is equal to SKi, then the card reader has been able to authenticate the card, and if the card can calculate the value of w, it will authenticate the card reader.


Based on ECDLP, the attacker cannot retrieve the private key from the messages.

Masquerade attack

There is an extraordinarily important attack whenever a card wants to compute authorized secret keys. Imagine that a malicious card reader masquerades like the server and distributes some planned public parameters Mi, j and Mj, i. Then, assume some cards use these public parameters to compute secret keys SKi. If this card uses SKi as a proper symmetric key and sends it to the card reader encrypted confidential data, then the malicious card reader, with the proper secret key SKi, can decrypt and access those confidential data. An authentication mechanism such as the proposed scheme in Nikooghadam et al. [57], improved by the changes suggested by the present researchers, is able to stand against this attack. Although a number of overheads are imposed, they are fewer than ECDSA digital signature algorithm [56] used in [58]. Furthermore, suppose a constant and unique private key such as α has been selected by the server, and the resultant public key Q = αG is registered in the server as trusted for all cards and has been registered in the server. In the following, the employment of digital signature is described step by step.

  1. (a)

    The server prepares special information corresponding to each public parameter Mi, j and Mj, i, like a digital signature as follows:

    1. 1.

      Selecting a random integer such as β.

    2. 2.

      Computing the point R = βG = (x0, y0) on agreed elliptic curve and assigning r = x0 mod n. If r = 0, then go to step 1.

    3. 3.

      Converting all public parameter Mi, j and Mj, i into an integer e using a secure one-way hash function as follows: e = hash(Mi, j||Mj, i).

    4. 4.

      Computing s = (αre + β) mod n.

    5. 5.

      Publishing certain couple information (s,R) along with public parameters Mi, j and Mj, i according to Fig. 4.

  2. (b)

    Each card verifies the validity of public parameters Mi, j and Mj, i before using it to compute the assigned secret key as follows:

    1. 1.

      Converting received Mi, j and Mj, i to e by hash function.

    2. 2.

      Computing v = sG.

    3. 3.

      Computing s= erQ + R; consider that r is the x-coordinate of the received point R and Q is the reliable public key of the server.

    4. 4.

      If v = s, then signature is valid; otherwise, it is rejected.

As an example for card reader, the server signs all public parameter Mi, j and Mj, i of the cluster members which have been converted to an integer e by one-way hash function and sends besides the public parameters (Mi, j,Mj, i) to the card reader. Then, card reader public parameter converts to one integer e and investigates the signature verification following the steps explained above.

Table 2 shows the security comparison between related protocols and the proposed method. This is a comparison between recent research papers such as Farash et al. [7], Alamr et al. [35], Zhang and Qi [26], Zhao [3], Liao and Hsiao [36], Shen et al. [28], and the proposed method in this research.

Table 2 Security comparison among related protocols


To evaluate the performance, we have compared our proposed method with similar recent research papers such as Farash et al. [7], Alamr et al. [35], Zhang and Qi [26], Zhao [3], Liao and Hsiao [36], Shen et al. [28]. We estimated the cost of the authentication phase for each of the six methods, for both the card reader and card. In Table 3, we present some of the various symbols used in this section.

Table 3 Definition of some notations used in performance evaluation of the proposed scheme

On the other hand, according to the method proposed in Nikooghadam et al. [59], the complexity of time for implementation of various operational phases is calculated using modular exponentiation. The results are specified in Table 4.

Table 4 Unit conversion of various operations in terms of TMUL [59]

The comparison between the six methods is shown in Table 5. Since all of the public and private keys and other main parameters are loaded into the card and card reader in the initialization phase, thus, the computational cost of the private and public keys and other parameters is zero. In the authentication phase of our method, the computational cost is 2TH + 1TPM and 2TH + 1TPM for the card and card reader, respectively. Therefore, our proposed method has lower computational cost, when compared to other methods.

Table 5 Performance comparison computation costs among related protocols in the authentication phase

It should be noted, due to the fact that time complexity for modular exponentiation in operating unit TH and TPA is not high, the related values are excluded from Table 5.

As shown in Fig. 6, the performance comparison is illustrated in Table 5.

Fig. 6

Performance comparison illustrated in Table 5

It is also possible to calculate the execution time of the most complex operations on elliptic curve, that is, the elliptic curve point multiplication in milliseconds. For instance, we assume that all of the related articles use an elliptic curve with an equal key length of 160 bits. The execution time of the elliptical curve point multiplication on 5 MHZ cards equals 0.064 s. The running time of the elliptic curve point multiplication among the related protocols for both the card and the card reader is given in Table 6.

Table 6 The running time of the elliptic curve point multiplication among related protocols in authentication phase


Considering the constant developments of the Internet of Things and its applications in fields such as health care systems, where patient information is critical and nobody should have access to this information, then providing security for these networks is essential. Various studies have been done recently to address security and computational cost problems. In this paper, we have proposed an elliptic curve cryptography method that, in addition to maintaining security, has less computational cost compared to similar studies. Furthermore, key management solutions are presented for dynamic access problems in RFID cards in order to be able to develop scalability healthcare networks. For future work, a hardware implementation can also be done in order to evaluate the precise security and computational cost of the proposed method.



Elliptic curve cryptography


Internet of Things


  1. 1.

    H. Sundmaeker, P. Guillemin, P. Friess, S. Woelfflé, Vision and challenges for realising the Internet of Things. Cluster of European Research Projects on the Internet of Things, European Commision3(3), 34–36 (2010)

    Google Scholar 

  2. 2.

    L. Atzori, A. Iera, G. Morabito, Computer networks: the International Journal of Computer and Telecommunications Networking. Volume54, 2787–2805 (2010)

    MATH  Google Scholar 

  3. 3.

    Z. Zhao, A secure RFID authentication protocol for healthcare environments using elliptic curve cryptosystem. Journal of medical systems38(5), 46 (2014)

    Google Scholar 

  4. 4.

    A. Juels, RFID security and privacy: a research survey. IEEE journal on selected areas in communications24(2), 381–394 (2006)

    MathSciNet  Google Scholar 

  5. 5.

    D.C. Ranasinghe, M. Sheng, S. Zeadally, Unique radio innovation for the 21st century: building scalable and global RFID networks (2010)

    Google Scholar 

  6. 6.

    S. Cai, Y. Li, T. Li, and R. H. Deng, "Attacks and improvements to an RFID mutual authentication protocol and its extensions," in Proceedings of the second ACM conference on Wireless network security, 2009, pp. 51-58: ACM.

  7. 7.

    M.S. Farash, O. Nawaz, K. Mahmood, S.A. Chaudhry, M.K. Khan, A provably secure RFID authentication protocol based on elliptic curve for healthcare environments. Journal of medical systems40(7), 165 (2016)

    Google Scholar 

  8. 8.

    D. He, S. Zeadally, An analysis of RFID authentication schemes for internet of things in healthcare environment using elliptic curve cryptography. IEEE internet of things journal2(1), 72–83 (2015)

    Google Scholar 

  9. 9.

    Q. Z. Sheng, X. Li, and S. Zeadally, "Enabling next-generation RFID applications: solutions and challenges," Computer, vol. 41, no. 9, 2008.

  10. 10.

    X. Yang, X. Yi, Y. Zeng, I. Khalil, X. Huang, and S. Nepal, "An improved lightweight RFID authentication protocol for Internet of Things," in International Conference on Web Information Systems Engineering, 2018, pp. 111-126: Springer.

  11. 11.

    Y. Hung, "The study of adopting RFID technology in medical institute with the perspectives of cost benefit," in International Medical Informatics Symposium in Taiwan, Taiwan, 2007.

  12. 12.

    J.E. Katz, R.E. Rice, Public views of mobile medical devices and services: a US national survey of consumer sentiments towards RFID healthcare technology. International journal of medical informatics78(2), 104–114 (2009)

    Google Scholar 

  13. 13.

    J. Leu, The benefit analysis of RFID use in the health management center—the experience in Shin Kong Wu Ho-Su Memorial Hospital (National Taiwan University, 2010)

  14. 14.

    W. Yao, C.-H. Chu, Z. Li, The adoption and implementation of RFID technologies in healthcare: a literature review. Journal of medical systems36(6), 3507–3525 (2012)

    Google Scholar 

  15. 15.

    P. Najera, J. Lopez, R. Roman, Real-time location and inpatient care systems based on passive RFID. Journal of Network and Computer Applications34(3), 980–989 (2011)

    Google Scholar 

  16. 16.

    F. Rahman, M.Z.A. Bhuiyan, S.I. Ahamed, A privacy preserving framework for RFID based healthcare systems. Future Generation Computer Systems72, 339–352 (2017)

    Google Scholar 

  17. 17.

    J. Kang, Lightweight mutual authentication RFID protocol for secure multi-tag simultaneous authentication in ubiquitous environments. The Journal of Supercomputing, 1–14 (2016)

  18. 18.

    L. Gao, L. Zhang, M. Ma, Low cost RFID security protocol based on rabin symmetric encryption algorithm. Wireless Personal Communications, 1–14 (2017)

  19. 19.

    M.H. Dehkordi, Y. Farzaneh, Improvement of the hash-based RFID mutual authentication protocol. Wireless personal communications75(1), 219–232 (2014)

    Google Scholar 

  20. 20.

    M. Safkhani, P. Peris-Lopez, J.C. Hernandez-Castro, N. Bagheri, Cryptanalysis of the Cho et al. protocol: a hash-based RFID tag mutual authentication protocol. Journal of Computational and Applied Mathematics259, 571–577 (2014)

    MathSciNet  MATH  Google Scholar 

  21. 21.

    M.R. Alagheband, M.R. Aref, Simulation-based traceability analysis of RFID authentication protocols. Wireless Personal Communications77(2), 1019–1038 (2014)

    Google Scholar 

  22. 22.

    C.L. Chen, Y.C. Huang, T.F. Shih, A novel mutual authentication scheme for RFID conforming EPCglobal class 1 generation 2 standards. Information Technology And Control41(3), 220–228 (2012)

    Google Scholar 

  23. 23.

    W.C. Kuo, B.-L. Chen, L.-C. Wuu, Secure indefinite-index RFID authentication scheme with challenge-response strategy. Information Technology And Control42(2), 124–130 (2013)

    Google Scholar 

  24. 24.

    M.R. Alagheband, M.R. Aref, Unified privacy analysis of new-found RFID authentication protocols. Security and Communication Networks6(8), 999–1009 (2013)

    Google Scholar 

  25. 25.

    M.S. Farash, Cryptanalysis and improvement of an efficient mutual authentication RFID scheme based on elliptic curve cryptography. The Journal of Supercomputing70(2), 987–1001 (2014)

    MathSciNet  Google Scholar 

  26. 26.

    Z. Zhang, Q. Qi, An efficient RFID authentication protocol to enhance patient medication safety using elliptic curve cryptography. Journal of medical systems38(5), 47 (2014)

    Google Scholar 

  27. 27.

    H.-Y. Chien, Elliptic curve cryptography-based RFID authentication resisting active tracking. Wireless Personal Communications94(4), 2925–2936 (2017)

    Google Scholar 

  28. 28.

    H. Shen, J. Shen, M.K. Khan, J.-H. Lee, Efficient RFID authentication using elliptic curve cryptography for the internet of things. Wireless Personal Communications96(4), 5253–5266 (2017)

    Google Scholar 

  29. 29.

    D. Hankerson, S. Vanstone, A. Menezes, Guide to elliptic curve cryptography, Springer-Verlag (New York, 2004)

  30. 30.

    P. Deepthi, P. Sathidevi, New stream ciphers based on elliptic curve point multiplication. Computer Communications32(1), 25–33 (2009)

    MATH  Google Scholar 

  31. 31.

    M.S. Farash, Cryptanalysis and improvement of ‘an improved authentication with key agreement scheme on elliptic curve cryptosystem for global mobility networks’. International Journal of Network Management25(1), 31–51 (2015)

    Google Scholar 

  32. 32.

    C.-T. Li, C.-Y. Weng, C.-C. Lee, A secure RFID tag authentication protocol with privacy preserving in telecare medicine information system. Journal of medical systems39(8), 77 (2015)

    Google Scholar 

  33. 33.

    K. Srivastava, A.K. Awasthi, S.D. Kaul, R. Mittal, A hash based mutual RFID tag authentication protocol in telecare medicine information system. Journal of medical systems39(1), 153 (2015)

    Google Scholar 

  34. 34.

    J. Chou, "A secure RFID authentication protocol to enhance patient medication safety using elliptic curve cryptography," J. Supercomput, 2014.

    Google Scholar 

  35. 35.

    A.A. Alamr, F. Kausar, J. Kim, C. Seo, A secure ECC-based RFID mutual authentication protocol for internet of things. The Journal of Supercomputing, 1–14 (2016)

  36. 36.

    Y.-P. Liao and C.-M. Hsiao, "A secure ECC-based RFID authentication scheme using hybrid protocols," in Advances in Intelligent Systems and Applications-Volume 2: Springer, 2013, pp. 1-13.

  37. 37.

    S. Amendola, R. Lodato, S. Manzari, C. Occhiuzzi, G. Marrocco, RFID technology for IoT-based personal healthcare in smart spaces. IEEE Internet of things journal1(2), 144–152 (2014)

    Google Scholar 

  38. 38.

    C. Lai, H. Li, X. Liang, R. Lu, K. Zhang, X. Shen, CPAL: a conditional privacy-preserving authentication with access linkability for roaming service. IEEE Internet of Things Journal1(1), 46–57 (2014)

    Google Scholar 

  39. 39.

    Y.-P. Liao, C.-M. Hsiao, A secure ECC-based RFID authentication scheme integrated with ID-verifier transfer protocol. Ad Hoc Networks18, 133–146 (2014)

    Google Scholar 

  40. 40.

    H. Shen, C. Gao, D. He, L. Wu, New biometrics-based authentication scheme for multi-server environment in critical systems. Journal of Ambient Intelligence and Humanized Computing6(6), 825–834 (2015)

    Google Scholar 

  41. 41.

    D. He, S. Zeadally, Authentication protocol for an ambient assisted living system. IEEE Communications Magazine53(1), 71–77 (2015)

    Google Scholar 

  42. 42.

    D. He, An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings. Ad Hoc Networks10(6), 1009–1016 (2012)

    Google Scholar 

  43. 43.

    D.M. Hein, J. Wolkerstorfer, N. Felber, ECC is ready for RFID-a proof in silicon. Selected Areas in Cryptography5381, 401–413 (2008) Springer

    Google Scholar 

  44. 44.

    Y.K. Lee, K. Sakiyama, L. Batina, I. Verbauwhede, Elliptic-curve-based security processor for RFID. IEEE Transactions on Computers57(11), 1514–1527 (2008)

    MathSciNet  MATH  Google Scholar 

  45. 45.

    H. Ning, H. Liu, J. Mao, Y. Zhang, Scalable and distributed key array authentication protocol in radio frequency identification-based sensor systems. IET communications5(12), 1755–1768 (2011)

    MathSciNet  Google Scholar 

  46. 46.

    B. Alomair, A. Clark, J. Cuellar, R. Poovendran, Scalable RFID systems: a privacy-preserving protocol with constant-time identification. IEEE Transactions on Parallel and Distributed Systems23(8), 1536–1550 (2012)

    Google Scholar 

  47. 47.

    B. Alomair, R. Poovendran, Privacy versus scalability in radio frequency identification systems. Computer Communications33(18), 2155–2163 (2010)

    Google Scholar 

  48. 48.

    B. Song, C.J. Mitchell, Scalable RFID security protocols supporting tag ownership transfer. Computer Communications34(4), 556–566 (2011)

    Google Scholar 

  49. 49.

    P. Guo, J. Wang, X. H. Geng, C. S. Kim, and J.-U. Kim, "A variable threshold-value authentication architecture for wireless mesh networks," vol. 15, no. 6, pp. 929-935, 2014.

  50. 50.

    J. Shen, H.-W. Tan, J. Wang, J.-W. Wang, and S.-Y. Lee, "A novel routing protocol providing good transmission reliability in underwater sensor networks," vol. 16, no. 1, pp. 171-178, 2015.

  51. 51.

    P. Tuyls and L. Batina, "RFID-tags for anti-counterfeiting," in Cryptographers’ Track at the RSA Conference, 2006, pp. 115-131: Springer.

  52. 52.

    Y. K. Lee, L. Batina, and I. Verbauwhede, "EC-RAC (ECDLP based randomized access control): provably secure RFID authentication protocol," in RFID, 2008 IEEE International Conference on, 2008, pp. 97-104: IEEE.

  53. 53.

    L. Batina, J. Guajardo, T. Kerins, N. Mentens, P. Tuyls, and I. Verbauwhede, "Public-key cryptography for RFID-tags," in Pervasive Computing and Communications Workshops, 2007. PerCom Workshops' 07. Fifth Annual IEEE International Conference on, 2007, pp. 217-222: IEEE.

  54. 54.

    K. Kaur, N. Kumar, M. Singh, and M. S. Obaidat, "Lightweight authentication protocol for RFID-enabled systems based on ECC," in Global Communications Conference (GLOBECOM), 2016 IEEE, 2016, pp. 1-6: IEEE

  55. 55.

    A. ANSI, "X9. 62-1998: public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA)," American National Standards Institute (ANSI), Washington, DC, 1998.

  56. 56.

    D. Johnson, A. Menezes, S. Vanstone, The elliptic curve digital signature algorithm (ECDSA). International Journal of Information Security1(1), 36–63 (2001)

    Google Scholar 

  57. 57.

    M. Nikooghadam, A. Zakerolhosseini, M.R. Bonyadi, A protocol for digital signature based on the elliptic curve discrete logarithm problem. Journal of Applied Sciences 8(10), 1919–1925 (2008)

    Google Scholar 

  58. 58.

    Azarderakhsh et al. A key management scheme for cluster based wireless sensor networks.2008 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing.

  59. 59.

    M. Nikooghadam, A. Zakerolhosseini, M.E. Moghaddam, Efficient utilization of elliptic curve cryptosystem for hierarchical access control. Journal of Systems and Software83(10), 1917–1929 (2010)

    Google Scholar 

Download references


Not applicable.

Author information




The authors declare no conflict of interest. The authors read and approved the final manuscript.

Corresponding author

Correspondence to Hassan Shakeri.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Noori, D., Shakeri, H. & Niazi Torshiz, M. Scalable, efficient, and secure RFID with elliptic curve cryptosystem for Internet of Things in healthcare environment. EURASIP J. on Info. Security 2020, 13 (2020).

Download citation


  • Elliptic curve cryptography (ECC)
  • Internet of Things (IoT)
  • RFID
  • Healthcare
  • Authentication
  • Key management