A Note on "Design of a Password Authentication and Key Agreement Scheme to Access e-Healthcare Services"

Citations: 0
Author
Cao, Zhengjun [1]
Affiliation
[1] Shanghai Univ, Newtouch Ctr Math, Dept Math, Shangda Rd 99, Shanghai 200444, Peoples R China
Keywords
Biometrics; Key agreement; Mutual authentication; Elliptic curve; User anonymity;
DOI
10.1007/s11277-024-10881-2
Chinese Library Classification number
TN [Electronic technology, communication technology];
Subject classification code
0809;
Abstract
We show that the Kumari-Renuka key agreement scheme (Wirel Pers Commun 117:27-45, 2021) fails to keep user anonymity, not as claimed, because an adversary can retrieve the user's identity $ID_i$ from the pseudonym $PID_i$. The loss of anonymity originates from the misuse of bitwise operator, which requires that both operands have an equal bit-length, otherwise the partial string in the long operand will be exposed. We also suggest a remedy method to fix the flaw by using a hash function to convert a point over the underlying elliptic curve into a random string with fixed length.
Pages: 2439-2444
Number of pages: 6