An Anonymous Blockchain-Based Authentication Scheme for Secure Healthcare Applications



Introduction
Wireless body network [1], also referred to as body sensor network, is a network connecting various nodes such as electronic sensors and actuators, which can be wearable or embedded in a fixed position on the body or under the pores of the skin. Wireless body area network (WBAN) technology was first developed based on the knowledge of wireless personal area network (WPAN) in 1995 to communicate around the human body. It took nearly six years to develop the technology known as "BAN," which refers to communication that occurs entirely within, on, or around the human body [2].
WBAN networks can be used in remote health monitoring, medicine, multimedia, sports, military, and a variety of other fields. Extending this technology into different fields can help with the exchange of information between people or between machines and people. Wireless body network initial applications are mainly in the healthcare sector [3]. The health parameters of the patients suffering from severe diseases such as asthma, heart attack, diabetes, etc., are monitored continuously. WBAN technology gateways enable wearable computing devices to connect over long distances. By using these gateway devices, the computing devices which are on the surface or inside the human body can be connected to the Internet. In this way, doctors can access patient data from anywhere and at any time via the Internet, regardless of the patient's or doctor's location.
The WBAN device can be used to communicate with the hospital to alert them when the parameters in the patient's body vary and require assistance from the hospital. The data collected by using the computing devices of the WBAN system plays a key role in the treatment of the patient. So a high quality of data is required to ensure an accurate decision. Moreover, if a large volume of data is generated by the system, then it is necessary to manage and maintain this data securely. In addition, various standards like Bluetooth, Wi-Fi, Zigbee, and so on are used for data exchange [4]. In this case, the system must be scalable, efficiently migrate between networks, and provide seamless connectivity.
Consumers expect low-cost health monitoring systems with high-level functionalities. This is satisfied by WBAN system implementations as they are cost-optimized. But the WBAN system's performance should be reliable even though they are cost-optimized. Moreover, the wireless links should be strong enough to accurately calibrate the measurements, even when the system is switched off/switched on. This shows the consistency of the system.
Since the data is transferred over an open communication channel, security and privacy in the system are critical and appropriate action should be taken to protect data from reaching unauthorized users. The data collected from each patient should be transferred to the doctor's end without being mixed up with other patients' data. WBAN security requires authentication, confidentiality, integrity, data update, availability, and security management [5][6][7]. The IEEE 802.15.6, which is the most recent WBAN standard, attempts to afford security in WBAN, even though it has numerous security issues.
As the number of patients increases daily, continuous monitoring of patients' health is difficult, because patients rely entirely on doctors and other healthcare professionals, making it impossible to process all of the data at once. Even though WBAN technology helps in processing a large amount of data, security plays a key role during continuous health monitoring of patients and the processing of data. A patient's health can also be monitored by installing sensors inside the body or on the outer surface of the patient's body. Physiological parameters such as oxygen level, blood pressure, pulse, ECG, etc. are recorded and this data is transmitted to the doctor or the nursing staff who monitors the patient's health. During transmission of data from the patients to the doctor or vice versa, the information content should not be modified. Therefore security plays an important role. The data must be encrypted during transmission and decrypted at the receiver end for proper diagnosis and medication [8]. Various data collected from different patients from different areas are stored in the database, and this database must be regulated by authentication. The authenticated exchange of information reduces the potential for data abuse.
The collected data can be intelligently monitored using the Internet of things (IoT). Due to technological advancements, doctors' data now faces new security and privacy risks. The data collected may contain highly sensitive medical information. The information sent by the doctor/patient is easily intercepted and captured by adversaries due to insecure network connections. To address the aforementioned security threats, this paper introduces a physically secure blockchain-based lightweight privacy-preserving anonymous authentication scheme for WBAN. Initially, mutual authentication occurs between the patient and the doctor in the proposed framework. Finally, patients are given a unique token to prove their authenticity. When a patient moves to a different doctor in a different location, frequent authentication for verifying the patient's identity consumes more computation and communication overhead, affecting system performance. As a result, to avoid frequent authentication and to reduce computation and communication overhead, a transfer authentication protocol is proposed in this work. Furthermore, the blockchain [9] is used to keep track of patient parameters and user authentication information and to maintain the doctor's trustworthiness.
The research work's main contribution is as follows.
(i) To propose a privacy-preserving blockchain-based lightweight mutual authentication scheme for both the patient and doctor.
(ii) To perform encryption and decryption of confidential data (i.e., biotic statistics data of patient and medical prescription of doctor) to ensure confidentiality.
(iii) To propose a transfer authentication protocol by sharing the identity code of the patient to the new doctor. Hence, there is no need for the new doctor to reauthenticate the patient once again.
(iv) To develop a conditional tracking mechanism for the end-users (doctors/patients) by the medical network. Thus, the medical network will revoke the misbehaving or compromised end-users from the network.
The rest of the research is organized accordingly. The review of relevant work is provided in Section 2. Preliminary steps and system models are discussed in Section 3. Section 4 describes the proposed framework. The security analysis of the proposed framework is explained in Section 5. Section 6 discusses the effectiveness of the proposed scheme in terms of performance. The concluding tasks are presented in Section 7.

Related Works
The smart physical sensors accumulate and process sensitive data from the patient body. The security, reliability, and trustworthiness of sensitive data collected and processed by smart physical sensors are critical as they are related to the welfare of human beings. Some of the works related to the security of WBAN are discussed as follows. Liu et al. [10] proposed a scheme based on the certificateless signature. The anonymity of the end-user is preserved by the network manager. However, this scheme suffers from a lack of traceability of confidential information. Ibrahim et al. [11] proposed a scheme where the anonymity of the patient's sensor is preserved. In this work, mutual authentication takes place between the end-users in a secured way. However, the confidentiality of the user data is not preserved.
Zhao et al. [12] proposed a healthcare oriented blockchain scheme. In this scheme, blockchain is used for preserving the patient's data. Though blockchain is considered a public network, there may be a possibility of attackers gaining access to confidential data. But, here the data is stored in the form of a public address and it is difficult for an attacker to corrupt the data. Moreover, the scheme is suitable for storing a large volume of information. However, there is no transfer authentication protocol followed for the transfer of confidential information of the patients from one doctor to another doctor. Thus the computational complexity increases in this scheme. Debiao et al. [13] proved the possibility of impersonation attacks in the existing anonymous authentication schemes. The security provided by this scheme is high enough to withstand impersonation attacks. But the confidentiality and traceability of the confidential data are not addressed in this scheme. Li et al. [14] proposed an unlinkable, confidentiality preserving authentication scheme for WBAN users. The patient's authenticated data is collected by the sensor nodes and they are transmitted to the required end-users anonymously. Though confidentiality and anonymity are preserved, the computational cost for authenticating the patients is high. Moreover, the patients need to be authenticated again when they move to the new doctors. Thus the performance analysis of the scheme is degraded. Li et al. [15] proposed a more secure authentication scheme based on a single round method to avoid the drawbacks in Liu et al. [10]. Security analysis is performed based on both informal and formal methods. Though the communication cost is reduced in this scheme, it does not provide traceability of patients' confidential data. Luo et al. [16] proposed a new privacy protector scheme for an IoT-based healthcare environment. A new type of coding method named Slepian-Wolf is used in this scheme. To prevent data loss, the self-repairing protocol is employed in this scheme. However, truly speaking the confidential data loss cannot be compromised. The summary of related works is tabulated in Table 1.
Shen et al. [17] proposed cloud-based authentication protocol for healthcare applications. Since the storage of data forms a key factor, a large volume of data can be stored only with the help of cloud-aided system. Since the storage of confidential data takes place in the cloud, the scheme is vulnerable to different types of security threats. Li et al. [18] proposed an authentication scheme based on IoT. This scheme can withstand replay attacks and message modification attacks. However, there is no transfer authentication protocol. Deebak et al. [19] proposed a scheme based on hash-based RFID. However, the scheme is vulnerable to several security threats. Alzahrani et al. [20] proposed an effective, safe, and anonymous WBAN valid key agreement protocol. Though the privacy of the user is preserved in this work, it lacks the confidentiality of the information transferred. Jabeen et al. [21] proposed a scheme for the protection of data based on a genetic algorithm. But the complexity of the algorithm leads to an increase in the computational cost analysis. Rehman et al. [22] proposed an authentication protocol based on a reliable base node. A three-level topology is used for the key agreement scheme. This protocol is free from several attacks like compromise attacks and impersonation attacks. Amjad et al. [23] proposed a work based on an optimization problem. A gamma distribution function is used to continuously monitor the health conditions of the patients. The energy optimization algorithm is used to preserve the energy consumption during the transfer of data in the form of packets. This algorithm does not deal with the relative authentication or the security of data during transmission. Kumar et al. [24] proposed an efficient scheme based on trust assessment without encryption techniques. Moreover, trust evaluator, attack-resistant features are incorporated in this work. In addition, trust is developed on the data received from the sensor and the efficiency obtained through this work is noteworthy. Lara et al. [25] proposed a Two-Party Authentication scheme. Here public keys are generated based on ECC. Since ECC is used, the computational cost for executing this scheme is notable. Though the performance analysis of this work is notable, the end-users need to be authenticated every time. Ning et al. [26] proposed a monitoring mechanism for the patients based on 5G technology. Moreover, a cost-efficient monitoring mechanism for the patients located in the home is embarked. The basic security features like authentication and privacy are not focused on in this work. Kumar and Chand [27] proposed a scheme based on cloud computing. This work mainly focused on the large resource allocation for the data received from the patients. Since the sensors used in the patients are resource-limited, they cannot store a large amount of information. Hence an efficient protocol is designed in this work. But this scheme suffers from privacy leakage and security threats. Guo et al. [28] proposed a homomorphic cryptosystem architecture. This work is mainly focused on the real-time health monitoring of the patients. Moreover, the Diffie-Hellman key exchange protocol is used to ensure security. But mutual authentication between the end-users is not provided in this work.

System Overview
The basic concept regarding the system model architecture and bilinear pairing is explained in the succeeding section.

System Model Architecture.
A brief view regarding the proposed system model architecture and transfer authentication protocol is depicted in Figures 1 and 2, respectively. The system model is unique. In this model, there are three main entities, namely, medical network, data sensor regulator, and end-users (doctor/patient). The role of each entity is unique in nature. The medical network acts as the centralized trusted third party network and it is responsible for the initial offline registration of both patients and doctors. Moreover, it provides the required credentials to the end-users. The role of data sensor regulator is not only to collect the sensitive data from the patients but also to store the data, providing the data to the doctors in an encrypted way. In addition, reauthentication is not required in our proposed system as blockchain is utilized to store the confidential data of the patient.

Table 1 (summary of related works):
Lara et al. [25] | Two-party authentication scheme | The end-users need to be authenticated every time
Ning et al. [26] | Edge computing 5G scheme | Authentication and privacy are not focused
Kumar and Chand [27] | Cloud computing scheme for WBAN | Privacy leakage and security threats
Guo et al. [28] | Homomorphic cryptosystem scheme | Mutual authentication between the end-users is not provided

Medical Network (MN).
MN is considered as the fully trusted authority. It is responsible for the generation of public parameters, initialization of the system, registration of the end-users, and the key generation for the end-users.

Initially, all the end-users should register in the trusted MN by giving their confidential credentials. Once the registration is successfully performed, the MN issues the required credentials to the authenticated end-users.

Data Sensor Regulator.
Normally, the patient is provided with two types of sensors. The sensors may be present on the surface of the body or may be implanted inside the body. The information or the data collected from these sensors are transmitted through the data sensor regulator to the required doctor through the open wireless medium. The data sensor regulator is designed to perform the communication and computation efficiently. Moreover, it is provided with random access memory (RAM) for data storage. The data collected from the MN and the required internal data of the patient are retained in the data sensor regulator. In addition, the regulator has the capability of storing the data in an encrypted way which prevents the intruder from accessing the original content of the data.

End-Users.
The end-users may be either the doctor or the patient. The MN provides the required keys and credentials to the authenticated end-users. In addition, the keys generated by the end-users are used for mutual authentication between them. Moreover, the biotic statistics of the patient and the confidential medical prescription of the doctors are encrypted and securely transferred with the help of these keys which prevents illegal injection of data from the intruder.

Bilinear Pairing.
Let $G_x$, $G_y$, and $G_z$ be cyclic multiplicative groups of order $q$. The generators of the groups $G_x$ and $G_y$ are represented as $g_x$ and $g_y$, respectively. The isomorphism $\nabla$ for these groups is represented as $\nabla(g_y) = g_x$. The bilinear map $e: G_x \times G_y \to G_z$ satisfies the following properties.
Bilinearity: $e(g_x^{\rho}, g_y^{\sigma}) = e(g_x, g_y)^{\rho\sigma}$, $g_x \in G_x$ & $g_y \in G_y$ and $\forall x, y \in Z_q^*$
Nondegeneracy: $e(g_x, g_y) \neq 1_{G_z}$
Computability: the bilinear map $e: G_x \times G_y \to G_z$ and isomorphism $\nabla$ are computable

Proposed System
In this work, blockchain-based anonymous authentication for WBAN is proposed. Initially, mutual authentication takes place between the patient and the doctor in an anonymous way. Initially patient and the doctor should perform offline registration with the medical network (MN). The MN preserves the private information of the patients and doctors in a secured manner. Moreover, MN maintains a tracking list that contains the real and dummy identity of the doctors and patients. In case of any dispute, MN will revoke the particular patient or doctor from the network with the help of the tracking list. In this work, MN is linked with the blockchain network along with the doctors. Once the initial registration of the doctors and patients with MN is completed, MN issues the required identity code (IC) and dummy identities to the end-users (doctors and patients). Based on the IC, the doctors will authenticate the patients using the distributed ledger of the blockchain network. So, if the intruder tries to acquaint with any security threats, the same will be reflected in the distributed ledger. MN reports the change in the block hash value and the particular end-user (intruder) is revoked from the network. In the suggested scheme, once the mutual authentication process is completed between the doctors and patients, transfer authentication protocol takes place between the doctors. For instance, if the patient moves from one doctor to another doctor, there is no need for the current new doctor to authenticate the patient once again. The required authentication parameters of the patient are transferred between the previous and the current doctor. Thus, the performance analysis of this work is well esteemed.
4.1. System Initialization.
Initial registration is performed by the medical network offline. Both the doctors and patients should initially register in the medical networks by providing their required credentials like ID proof, mobile number, etc. through offline mode. The MN chooses two random numbers $s, t$ as its master key and private key such that $s, t \in Z_q^*$. Based on these keys, the public key and the conditional parameter are generated by MN. The public key is represented as $PU_{MN} = g_x^{t+s}$ and the conditional parameters are represented as $A_1 = g_x^{1/(s+t)}$. Moreover, the secure one-way hash function is given by $H(\cdot)$. Finally, the MN broadcasts the system parameters as $(G_x, G_y, H, e, q, g_x, g_y, PU_{MN})$.

End-User Registration.
Initially, both the patient and the doctor should perform offline registration with MN by providing their credentials.
(1) The MN picks random numbers $a_i, r, y_1, y_2 \in Z_p^*$ such that the public key is calculated as $PU_{pa} = g_x^{a_i}$. In addition, session key for the patient is calculated from the public key of the doctor as $S_{pa} = PU_D^{a_i}$. Moreover, the decryption key for the patient is provided by MN as $\beta = g_x^{1/a_i}$.
(2) The dummy identity of the patient is calculated as $DI_{pa} = g_x^{a_i+t+s}$. Moreover, MN also calculates x , $S_1 = g_x^{s}$, and $T_1 = g_x^{t}$. These parameters are provided to the patient and doctors.
(3) In addition, the identity code for each patient is generated by MN as $IC(t) = \sum_{i=1}^{n} u_i v_i / n$, where $u_i$ is the identity value generated by MN for the patient, $v_i$ is the identity value of the patient given by the patient to MN, and $n$ is the number of patients in the network.
(4) The IC and $DI_{pa}$ are concatenated and kept in the blockchain network. In addition, IC is encrypted and broadcasted to the remaining MN in the system. So, whenever updation occurs in IC, the MN also updates its data list.
(5) MN maintains a tracking list for the patient as $(PU_{pa}, TR_{pa}, DI_{pa})$, where $TR_{pa} = g_x^{t+a_i}$. This tracking list is used to revoke the misbehaving patient from the WBAN by MN.

Patient's Key Generation.
Mutual authentication should take place between patients and doctors before the start of transferring the authenticated data. The data sensor regulator of the patient selects $q_j = g_y^{\theta_j}$ as the short time public key, where $\theta_j$ is the short time private key such that $\theta_j \in Z_p^*$ and $j < p$. Then the patient's data sensor regulator chooses four random numbers $(\mu_1, \mu_2, \mu_3, \mu_4) \in Z_p^*$ and computes $\emptyset_0$, $\emptyset_1$, $\emptyset_2$, and $\emptyset_3$, where , and

and acceptor key as
Moreover, the certificate for the patient is generated as $cer_{pa} = (\wp_{id} \| Ak \| q_j \| \emptyset_0 \| z_1 \| z_2 \| z_3 \| X \| Y \| Z)$. Then the data sensor regulator calculates $zz = H(cer_{pa})$ and $yy = (cer_{pa} \| zz \| TS)$, where TS represents the current time stamp.

Patient's Signature Generation.
To preserve the integrity of the information, patient's data sensor regulator generates the signature as $sig_{pa} = g_x^{1/(H(DI_{pa})+\theta_j)}$. Finally, the message is generated and sent to the doctor as $mess_{pa} = (DI_{pa} \| q_j \| yy \| sig_{pa})$.

Patient's Certificate Verification.
Moreover, from the received message, the doctor checks the validity of the time stamp to avoid replay attack. If the timing value is less than the mutually agreed timing delay between the doctor and the patient, then the doctor accepts the message, else rejects it. Then, the doctor computes the parameters $T_1'$, $S_1'$, $\emptyset_1'$, $\emptyset_2'$, and , and . Finally, doctor computes the doctor's acceptor key as then the acceptor key of the patient is accepted by the doctor, else rejected.
Proof of correctness
.S ( ) = $e(g_x, g_y)$, then the message is accepted by the doctor and the doctor considers the patient as the authenticated patient. After confirming the patient, the doctor performs the diagnosis for the patient.
Proof of correctness
e sig pa , q j .g (
Only if the signature and certificate are verified by the doctor, the patient is considered as the authenticated user and the doctor can get the required biotic statistics (BS) from the patient. If any one of the verification processes fails, then the patient is considered as an illegal user.

Doctor's Authentication.
Here, the patient checks the authenticity of the doctor. Before sending the BS to the doctor, the patient should anonymously authenticate the doctor. Therefore, the doctor generates an anonymous competitor key as $Co_D = H(e(g_x, g_x) \| DI_D \| PU_D)$ and generates the certificate as $cer_D = (DI_D \| PU_D \| TS \| A_D)$. The competitor key and certificate are sent to the patient's data sensor regulator. Initially, the TS value is checked by the patient. If the timing value is acceptable, then the patient's data sensor regulator checks $e(DI_D \cdot A_D, A_1) = e(g_x, g_x)$.
Proof of correctness
$e(DI_D \cdot A_D, A_1) = e(g_x^{s+d_i} \cdot g_x^{t-d_i}, g_x^{1/(s+t)}) = e(g_x^{s+t}, g_x^{1/(s+t)}) = e(g_x, g_x).$
Then the patient's data sensor regulator calculates the patient competitor key as $Co_{pa} = H(e(DI_D \cdot A_D, A_1) \| DI_D \| PU_D)$. If $Co_{pa} = Co_D$, then the patient considers the doctor as the legitimate user and sends his/her biotic statistics.
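The patient signature from "Patient's Signature Generation" and the doctor check from "Doctor's Authentication", carried through in a toy model as an added example (not code from the paper or its authors). Group elements are stored as their exponents so the pairing can be simulated, which is insecure and only checks the algebra; the modulus Q, SHA-256 as H, PU_D = g^(d_i), and the signature check e(sig_pa, q_j * g_y^H(DI_pa)) = e(g_x, g_y) are assumptions, the last because the page's own verification equation is only partly legible.

```python
import hashlib
import hmac
import secrets

# Toy model, NOT secure: a group element g^k is stored as its exponent k, so
# e(g^a, g^b) = e(g, g)^(ab) can be simulated without a pairing library.
# Q is a constructed prime group order, not a parameter from the paper.
Q = 2**127 - 1


class Elem:
    def __init__(self, k):
        self.k = k % Q

    def __mul__(self, other):          # g^a * g^b = g^(a+b)
        return Elem(self.k + other.k)

    def __pow__(self, n):              # (g^a)^n = g^(a*n)
        return Elem(self.k * n)

    def enc(self):
        return self.k.to_bytes(16, "big")


g = Elem(1)                            # stands in for both g_x and g_y


def pair(a, b):
    """Simulated bilinear map; returns the exponent of e(g, g)."""
    return (a.k * b.k) % Q


def H(*parts):
    """Hash byte strings into Z_q (SHA-256 is an assumed instantiation)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1


def mn_setup():
    """MN picks s, t and derives A_1 = g^(1/(s+t)); s+t = 0 is resampled."""
    while True:
        s, t = rand_scalar(), rand_scalar()
        if (s + t) % Q:
            return {"s": s, "t": t, "A1": g ** pow(s + t, -1, Q)}


def register_doctor(mn):
    """DI_D = g^(s+d_i) and A_D = g^(t-d_i) as in the proof; PU_D is assumed."""
    d = rand_scalar()
    return {"DI": g ** (mn["s"] + d), "A": g ** (mn["t"] - d), "PU": g ** d}


def doctor_message(doc, ts):
    """Doctor side: competitor key Co_D and certificate cer_D."""
    co = H(pair(g, g).to_bytes(16, "big"), doc["DI"].enc(), doc["PU"].enc())
    return {"Co": co, "cer": (doc["DI"], doc["PU"], ts, doc["A"])}


def patient_accepts_doctor(A1, msg, now, max_delay):
    """Patient side: timestamp, pairing check, then Co_pa == Co_D."""
    DI, PU, ts, A = msg["cer"]
    if not 0 <= now - ts <= max_delay:
        return False                   # stale or future-dated timestamp
    lhs = pair(DI * A, A1)
    if lhs != pair(g, g):
        return False                   # e(DI_D * A_D, A_1) != e(g_x, g_x)
    co_pa = H(lhs.to_bytes(16, "big"), DI.enc(), PU.enc())
    return hmac.compare_digest(co_pa.to_bytes(16, "big"),
                               msg["Co"].to_bytes(16, "big"))


def patient_sign(DI_pa):
    """q_j = g_y^theta_j and sig_pa = g_x^(1/(H(DI_pa)+theta_j))."""
    while True:
        theta = rand_scalar()
        denom = (H(DI_pa.enc()) + theta) % Q
        if denom:                      # the inverse needs a nonzero denominator
            return g ** theta, g ** pow(denom, -1, Q)


def doctor_accepts_signature(DI_pa, q_j, sig):
    """Assumed check: e(sig_pa, q_j * g_y^H(DI_pa)) == e(g_x, g_y)."""
    return pair(sig, q_j * g ** H(DI_pa.enc())) == pair(g, g)


def demo():
    mn = mn_setup()
    msg = doctor_message(register_doctor(mn), ts=1000)   # constructed timestamp
    ok = patient_accepts_doctor(mn["A1"], msg, now=1002, max_delay=5)
    stale = patient_accepts_doctor(mn["A1"], msg, now=1100, max_delay=5)
    DI, PU, ts, A = msg["cer"]
    altered = dict(msg, cer=(DI, PU, ts, A * g))         # A_D changed in transit
    bad = patient_accepts_doctor(mn["A1"], altered, now=1002, max_delay=5)
    DI_pa = g ** (rand_scalar() + mn["t"] + mn["s"])     # DI_pa = g^(a_i+t+s)
    q_j, sig = patient_sign(DI_pa)
    return (ok, stale, bad, doctor_accepts_signature(DI_pa, q_j, sig),
            doctor_accepts_signature(DI_pa * g, q_j, sig))


if __name__ == "__main__":
    print(demo())
```
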
4.9. Confidentiality.
To maintain confidentiality, the medical prescription (MP) of the doctor and the biotic statistics (BS) of the patient are encrypted using elliptic curve cryptography (ECC) encryption algorithm.

Encryption by the Patient.
Initially a random number is chosen by the patient as $l_i$ and the patient computes the cipher text as $CI_{pa} = (BS \| PU_{pa} \| T_{pa}) \oplus H(e(g_y, g_y)^{l_i})$. Therefore, the decrypted message can be calculated as
$(BS \| PU_{pa} \| T_{pa}) = CI_{pa} \oplus H(e(g_y, g_y)^{l_i})$. (5)

Transfer Authentication.
In the current scenario, when the patient moves from one doctor to another doctor in another region for medical diagnosis, the new doctor in another region needs to authenticate the patient once again. But in the proposed scheme, transfer authentication is performed between the previous doctor and the current doctor. The previous doctor sends the IC of the particular patient to the current doctor. If the IC ≠ 0, then the corresponding patient is considered as the authenticated patient and he will be accepted to get the service from the current doctor. Moreover, if IC ≠ 0 then the previous doctor provides the BS of the corresponding patient and other required information. Hence, it is not required for the current doctor to authenticate the IC again. The steps are executed as follows.
(1) The previous doctor chooses a random number $x \in Z_q^*$ and generates two transfer keys TK represent the public key of the previous and current doctor, respectively. Moreover, the transfer key $TK_2$ is sent to the particular patient.
(2) Then the current doctor picks a random number $c \in Z_q^*$ as its private key and computes the transfer keys as $TK_D = g_x^{c}$ and $TK_{D,1} = g_y^{c}$. Here, $TK_D$ is kept as secret by the current doctor and $TK_{D,1}$ is given to the particular patient.
(3) Moreover, the current doctor generates the session transfer keys as and $TK_{\beta,1} = TK_{\beta} \cdot TK_D$. Here, $d_{i+1} \in Z_q^*$ is the private key of the current doctor. The current doctor generates the new session key as $SN_D = e(g_y, TK_{\beta,1})$.
(4) Hence, by receiving the transfer keys $TK_2$ and $TK_{D,1}$ from the previous and current doctor, the patient computes the patient's transfer keys as and $TK_{pa,1} = TK_{pa} \cdot TK_{D,1}$, respectively.
(5) Finally, the patient calculates the patient's new session key.
$SN_{pa} = e(TK_{pa,1}, g_x)$. (6)
If $SN_D = SN_{pa}$, then the current doctor accepts the particular patient's data and the transfer authentication task is accomplished.

Security Analysis
The various possible security attacks and the security features provided by the suggested scheme are explained in this section.

Resistance to Impersonation Attack.
In order to perform impersonation attack and to find the secret parameters of the authorized doctor/patient, the attacker should pretend to act like an authorized doctor/patient. The certificate for the patient is calculated as $cer_{pa} = (\wp_{id} \| Ak \| q_j \| \emptyset_0 \| z_1 \| z_2 \| z_3 \| X \| Y \| Z)$. To find the values of X, Y, and Z, the randomly chosen numbers $y_1$, $y_2$ and the secret key of MN such as $s$ should be known by the adversary. Since the numbers $y_1$ and $y_2$ are random, the values of X, Y, and Z are also random which is difficult to find due to ECDLP and the secret key of MN is also difficult to find by an adversary. Similarly, the certificate of the doctor is calculated as $cer_D = (DI_D \| PU_D \| TS \| A_D)$. Here, $A_D$ is calculated from the doctor's private key and MN private key, where x . Since the private keys are secret and are known only to MN, it is difficult for an intruder to find the values of $A_D$ and to forge the certificate. Moreover, a unique identity code is generated by MN for each authorized patient and it is stored in the blockchain network. Any change in the identity code will be reflected in the succeeding blocks in the blockchain. So, the miners in the network will remove the particular unauthenticated patient (adversary) from the network.

Resistance to Fake Message Attack.
To send a fake message, the adversary should create a bogus message similar to the original real message as $mess_{pa} = (DI_{pa} \| q_j \| yy \| sig_{pa})$. Here $DI_{pa}$ is calculated from the secret keys of MN and patient, so it is difficult for an adversary to find the value of $DI_{pa}$. Moreover, the value of $yy$ involves X, Y, and Z. As the values of X, Y, and Z are calculated based on the random numbers $y_1$ and $y_2$, it is difficult to find $yy$ due to ECDLP. To find the values of $y_1$ and $y_2$, there is a complexity of $O[f^{1/2+o(1)} \log \omega]$, where $\omega$ represents the number of patients registered in the network.

Resistance to Message Alteration Attack.
To perform message alteration/modification attack, the adversary should decrypt the data sent by the authenticated doctor or the authenticated patient. In order to perform the decryption operation, the adversary should have a knowledge regarding the decryption keys of patient/doctor. But these decryption keys (∝, β) are provided by the MN during the initial offline registration of doctor and patient in a secure way. Moreover, to calculate the decryption keys, the private key of the doctor ($d_i$) and the private key of the patient ($a_i$) provided by the MN should be known to the adversary. In addition, during the authentication process, signature is generated as $sig_{pa} = g_x^{1/(H(DI_{pa})+\theta_j)}$, which involves short-life private key $\theta_j$ and dummy identity $DI_{pa}$ of the patient which are hard to trace. Hence, it is difficult for an adversary to undergo message alteration attack.

Conditional Privacy Preservation.
In this proposed scheme, the doctor and the patient use anonymous certificate and signature to hide their real original identity. Only the dummy identity of the end-user is used during the mutual authentication process. So, even though the adversary finds the dummy identity of the end-users, it is a challenging phenomenon for an adversary to trace the real identity. Moreover, if the end-users are compromised, then by using the tracking list, the MN revokes the compromised end-users from the network. Thus in this proposed scheme, conditional privacy is preserved.

Resistance to Repudiation Attack.
In this suggested scheme, the end-users cannot repudiate once the information is received. Here, the doctor sends the MP to the authenticated patient and the patient sends the BS to the authenticated doctor. The MP is sent in the form of cipher text $CI_D = (MP \| PU_D \| T_D) \oplus H(e(g_x, g_x)^{l_j})$ by including the tracking parameter. So, in case of any dispute due to wrong prescription of the doctor, the MN can track the doctor from the doctor's tracking parameter list. Similarly, the BS of the patient is sent in the form of cipher text $CI_{pa} = (BS \| PU_D \| T_{pa}) \oplus H(e(g_y, g_y)^{l_j})$ to the doctor. So, if any wrong information/data is sent by the patient, then the MN can easily track the patient based on the patient's tracking parameter list. So, the end-users cannot repudiate.

Resistance to Replay Attack.
In the replay attack, the adversary wants to capture the message within a specific time interval, modify/create the message, and send it to the end-users. But in the proposed scheme, timestamps (TS) are attached to the anonymous message. Due to the presence of the TS, the adversary cannot perform the message modification/creation in the given stipulated time. Thus, the proposed scheme is resistant to replay attack.

Unlinkability.
The data sensor regulator of the patient selects $q_j = g_y^{\theta_j}$ as the short time public key, where $\theta_j$ is the short time private key such that $\theta_j \in Z_p^*$ and $j < p$. Short-life private keys are used for the certificate and signature generation. The validity of these private keys is only for a short duration. So, once the verification process is completed, the validity of these keys expires. Therefore, there is an unlinkability existing in the generation of the certificates. Hence, an adversary cannot link the two certificates generated by the same end-users.

Man-in-Middle Attack.
The proposed work is resistant to man-in-middle (MM) attack. During the exchange of information, the patient sends their biotic statistics (BS) to the doctor in the form of cipher text by including the timestamp. Similarly, the doctor sends the medical prescription (MP) in an encrypted way by attaching the timestamp. In our work, if the intruder tries to capture the BS/MP, only a zero knowledge is obtained from the exchanged data. Moreover, if the intruder sends the new fake data in place of original data, because of the presence of timestamp, the data will be received with a delay and hence it is not accepted. Hence MM attack is not possible.

Performance Analysis
The performance of the suggested scheme is analyzed in terms of computational complexity and communication cost.

6.1. Computational Complexity.
Computational complexity of the proposed scheme is compared with the related existing schemes like Liu et al. [29], Zhao [30], Hu et al. [31], and Al-Riyami and Paterson [32]. Computational complexity is analyzed in terms of cryptographic functions like $T_m$, $T_h$, $T_e$, and $T_p$. Here, $T_m$, $T_h$, $T_e$, and $T_p$ are the representations used for one point multiplication, one point hash function, exponential function, and bilinear pairing operation, respectively. Moreover, the cryptographic operations are implemented on a Core i7 processor with 8 GB RAM using the PBC library [33]. In addition, the platform used for the execution process is Cygwin [34]. The time required for the execution of $T_m$, $T_h$, $T_e$, and $T_p$ is 0.7 ms, 2.6 ms, 0.6 ms, and 1.72 ms, respectively. Here 'ms' represents milliseconds. Table 2 shows the computational cost for different schemes in terms of certificate and verification cost. Generally the time required for the hashing operation and pairing operation is higher when compared to other operations. In our suggested scheme, only two pairing operations and one hashing operation are required for verifying the signature and certificate of a single patient/doctor, whereas the Liu et al. [29] scheme requires three pairing and three hashing operations. The Zhao [30] scheme requires three pairing and eleven hashing operations. The Hu et al. [31] scheme requires four pairing and six hashing operations. Similarly, the Al-Riyami and Paterson [32] scheme requires four pairing operations and one hashing operation. The suggested scheme consumes less computational cost when compared to the existing related schemes. The verification cost for the single patient is 12.12 ms and the verification cost for the single doctor is 6.02 ms, whereas the related schemes like [29][30][31][32] take 15.03 ms, 23.84 ms, 40.03 ms, and 12.84 ms, respectively.

The graphical representation of the computational cost for the different schemes with respect to patients and doctors is shown in Figures 3 and 4, respectively. It is clearly observed that the proposed scheme consumes only 209.91 ms and 38.51 ms for the verification of 20 certificates and 20 signatures for the patients and doctors, respectively. As a result, within the stipulated time, the proposed scheme can verify the certificate and signature significantly. The verification cost for the existing related schemes is higher than 260 ms for the verification of signature and certificate for the same number of end-users. Thus the verification cost is very low when compared to the related existing works.

Communication Cost.
The communication cost of the proposed work is compared with existing works, namely, Liu et al. [29], Zhao [30], Hu et al. [31], and Al-Riyami and Paterson [32]. This section deals with the cost incurred during the exchange of information between the doctors and patients. As per the Liu et al. [29] scheme, the number of bits required for a single message is 3840 bits. The Zhao [30] scheme requires 2112 bits for transferring a single message. The Hu [31] and Al-Riyami and Paterson [32] schemes require 2496 bits and 1536 bits, respectively. Thus when compared to the existing schemes, the suggested scheme consumes less communication cost, which improves the efficiency of the proposed scheme. In this work, a type A elliptic curve is used for the calculation of the communication cost. Table 3 shows the communication cost for different schemes. The bit size for the parameters used in the groups $G_x$, $G_y$, and $G_z$ is 160 bits. Moreover, the bit size of the elements belonging to $Z_q^*$ is 160 bits, the time stamp's bit size is 32 bits, and the bit size of the hash function's output is 160 bits. In the proposed scheme, the cipher text for the patient and the doctor is calculated as $CI_{pa} = (BS \| PU_D \| T_{pa}) \oplus H(e(g_y, g_y)^{l_j})$ and $CI_D = (MP \| PU_D \| T_D) \oplus H(e(g_x, g_x)^{l_j})$. Moreover, the time stamp is used during the mutual authentication between the doctor and patient and it consumes 64 bits. MP and BS are the elements belonging to $Z_q^*$ and together they consume 320 bits. $PU_{pa}$, $T_{pa}$, $PU_D$, and $T_D$ are the elements in the groups and together they consume 640 bits. The output of the two hash functions consumes 320 bits. So in total, 1344 bits are required as the communication cost for the proposed scheme. Figure 5 shows the pictorial representation of the communication cost for different schemes. From Figure 5, it is clear that the proposed work consumes less bit size when compared to the related works.

Conclusion
In this work, an efficient blockchain-based lightweight mutual anonymous authentication protocol for the end-users (patients and doctors) is proposed. The proposed work can be practically deployed between the patients and doctors in hospitals. Here, the encryption of both the BS data of the patient and the confidential MP of the doctor is performed to preserve confidentiality. Only the authenticated end-user can decrypt the data. In addition, the certificate and signature verification signifies the message's integrity. Moreover, the suggested scheme can withstand several security threats. Further, the transfer authentication protocol avoids reauthenticating the patient when they move to a new doctor, which reduces the communication and computational cost significantly. Since blockchain is used, there is a continuous tracking of data, as they are stored in the distributed ledger. As a result, there is no tampering/modification of data. Thus, the proposed scheme can be effectively deployed in hospitals for monitoring the patient's data.
The main advantage of the proposed scheme is to preserve the confidentiality, integrity, and security of the transferred data. However, the scheme is limited to the inclusion of biometric authentication. Future work can be extended to cloud-assisted blockchain-based schemes to enhance the storage of large volumes of confidential information, not only enhancing the data storage by using the cloud-assisted blockchain, but also enhancing the monitoring process of the patient's data. Moreover, a fine tuning method can be incorporated to enhance the data quality. Furthermore, high-level requirements are downconverted into low-level requirements for the doctors to improve the efficiency.

Figure 2: Transfer authentication protocol of proposed scheme.

(6) Similarly, MN chooses a random number for $b_i$ and $d_i$ as its master key and private key for the doctor and computes the session secret keys $S_D = g_x^{b_i}$ and $S_{D,1} = PU_{pa}^{d_i}$.
(7) Moreover, MN calculates the public key for the doctor as $PU_D = g_y^{d_i}$ and $PU_{D,1} = g_y^{b_i}$. In addition, the decryption key for the doctor is $\propto = g_y^{1/d_i}$ and the conditional parameter is $A_D = g_x^{t - d_i}$.
(8) The dummy identity and the tracking identity of the doctor are calculated as $DI_D = g_y^{d_i + t + s}$ and $TR_D = g_y^{d_i + t}$. MN maintains the tracking list for the doctor as $(DI_D, TR_D, PU_D)$. The tracking list is used to revoke the misbehaving doctor from the WBAN.
$TK_1$ and $TK_2$, where $TK_1 = S_{D,1}^{xH(DI_p \| IC)}$ and $TK_2 = PU_{D+1}^{x d_i}$. These transfer keys are sent to the current doctor. Moreover, $PU_D = g_y^{d_i}$ and $PU_{D+1} = g_y^{d_i + 1}$

Figure 3: Computational cost for different schemes with respect to patients.

Table 1: Summary of different existing works.
Doctor. Once the cipher text is received by the doctor, he performs the decryption operation as $CI_{pa} \oplus H(e(PU_D, \propto^{l_i})) = (BS \| PU_{pa} \| T_{pa})$.

$\| T_D) \oplus H(e(g_x, g_x)^{l_j})$. The decrypted message can be calculated as $(MP \| PU_D \| T_D) = CI_D \oplus H(e(g_x, g_x)^{l_j})$.

Decryption by the Patient. Once the cipher text is received by the patient, he performs the decryption operation as $CI_D \oplus H(e(PU_{pa}, \beta^{l_j})) = (MP \| PU_D \| T_D)$.
take 15.03 ms, 23.84 ms, 40.03 ms, and 12.84 ms, respectively. The verification cost for a single certificate and single signature in the suggested work for the patient and the doctor is $2T_p + T_h + T_m + 2T_e$ and $2T_p + T_h$, respectively. In a nutshell, only two pairing functions and one hashing function are required to verify a single certificate and single signature. If $n$ end-users are taken into consideration, the proposed work consumes $(n + 1)T_p$ pairing and $nT_h$ hashing operations.

Table 3: Communication cost for different schemes.