Body area networks (BANs) require secure intra-body communication, yet sensor nodes are too resource-constrained for conventional public-key cryptography, and pre-shared key schemes conflict with plug-and-play clinical workflows. This paper introduces PhysioKey, a TinyML-based key agreement framework that derives symmetric session keys from physiological signals without pre-shared secrets or trusted third parties. A lightweight 1D-CNN (6320 parameters, INT8-quantized, 31.2 KB flash) extracts embeddings from ECG and PPG windows on ARM Cortex-M4 class devices, which are reconciled through fuzzy commitment with BCH error-correcting codes. Patient-level 5-fold cross-validation on PTB-XL (500 patients, dual-ECG) achieves EER of 7.8%±0.8% with ROC AUC 0.978±0.004; on BIDMC (53 patients, ECG + PPG), a dual-encoder architecture reduces cross-modal EER to 30.6%±1.2%. Since standalone PhysioKey yields only 7–24 effective key bits, the recommended deployment mode is a hybrid PhysioKey + ECDH protocol providing 128-bit security while PhysioKey adds physical on-body authentication; standalone operation suits energy-constrained scenarios with its 27× advantage over ECDH. HKDF-SHA-256 post-processing yields session keys passing all six NIST SP 800-22 tests (≥96% at the 1024-bit level).
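As an added illustration of the reconciliation and post-processing steps named above (not code from the PhysioKey paper), the following Python sketch runs a fuzzy commitment over two noisy embedding bit-strings and then derives a session key with HKDF-SHA-256. A 3x repetition code stands in for the paper's BCH code, the embedding bits, salt, info string and ECDH secret are constructed placeholders, and the hash-check on decommitment is the standard way a receiver detects a failed reconciliation.

```python
# Added example, not the paper's implementation: fuzzy commitment with a
# repetition code (stand-in for BCH) plus HKDF-SHA-256 key derivation.
import hashlib
import hmac

def rep_encode(bits, n=3):
    # Encode each key bit as n identical code bits.
    return [b for b in bits for _ in range(n)]

def rep_decode(bits, n=3):
    # Majority vote per block: corrects up to (n-1)//2 flipped bits per block.
    return [int(sum(bits[i:i + n]) * 2 > n) for i in range(0, len(bits), n)]

def commit(key_bits, embedding_bits):
    # Sender: helper data = codeword XOR embedding; commitment = hash of key.
    codeword = rep_encode(key_bits)
    assert len(codeword) == len(embedding_bits), "embedding must match codeword length"
    helper = [c ^ w for c, w in zip(codeword, embedding_bits)]
    return hashlib.sha256(bytes(key_bits)).digest(), helper

def open_commitment(commitment, helper, embedding_bits):
    # Receiver: XOR helper with its own (noisy) embedding, decode, verify hash.
    noisy_codeword = [s ^ w for s, w in zip(helper, embedding_bits)]
    key_bits = rep_decode(noisy_codeword)
    if hashlib.sha256(bytes(key_bits)).digest() != commitment:
        return None  # too many embedding errors: reconciliation failed
    return key_bits

def hkdf_sha256(ikm, salt, info, length=16):
    # RFC 5869 extract-then-expand with HMAC-SHA-256.
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]

def session_key(key_bits, ecdh_secret=b""):
    # Hybrid mode: mix an ECDH shared secret (placeholder bytes here) with the
    # reconciled physiological key bits; standalone mode passes ecdh_secret=b"".
    return hkdf_sha256(ecdh_secret + bytes(key_bits), b"physiokey-salt", b"BAN session key")
```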
Alnemari et al. studied this question.