CKMIB: Construction of Key Agreement Protocol for Cloud Medical Infrastructure Using Blockchain

In the traditional medical healthcare system, each medical facility is responsible for preserving its own records, and sharing such records with another medical establishment is difficult. To tackle this challenge, the traditional medical system leverages internet technology to transform into a modern electronic system. In electronic healthcare systems, managing the security and privacy of patient data becomes a major issue. As an alternative, the healthcare sector might use blockchain technology to exchange digitised healthcare data. Blockchain technology is characterised by anonymity, decentralisation, and immutability. It is hard to keep all electronic healthcare data on the blockchain due to the expense and volume, and cloud computing is the best solution for storing this type of data. To address these concerns, we offer a blockchain-based key agreement protocol for cloud medical network systems that enhances privacy and security. We give a formal and an informal security analysis of the proposed protocol, which show that the proposed protocol is both secure and communicative. We verify the security of the proposed protocol against man-in-the-middle and replay attacks using the AVISPA software tool. Finally, we compute the computation and communication costs of the proposed protocol and of other existing protocols; the proposed protocol has lower computation and communication costs than other existing protocols in the electronic healthcare system.


I. INTRODUCTION
With embedded software and network connectivity, the medical health system is experiencing fast development. Modern medical systems constitute a separate type of cyber physical system, which we call a Medical Cyber Physical System (MCPS). In current medical disciplines, the MCPS is a cyber physical system for integrated medical systems and distributed network systems with control devices that are utilised to display patient information. It uses embedded technologies, distributed computing and wireless communication networks to monitor and regulate the biological dynamics of patients. To certify each device, user identity and service, MCPS requires an independent and comprehensive security verification and authorization mechanism [1], [2]. To authorize user access to each gadget, MCPS needs to create security gateways. Because of the growing complexity and scale, new design, validation, and verification approaches are required to modify the dynamic data of patients [3]. Thus, MCPS needs a secure authentication framework and a distributed computing network. With the growing MCPS complexity, conventional identity authentication technology devices, on the other hand, are becoming excessively long and unsafe. Thus, the traditional authentication system has gone through several stages, transitioning from single to multiphasic authentication systems. Traditional identification technology depends on a third-party authentication mechanism that has been criticized. Many heterogeneous networks, numerous types of gadgets, and various user nodes make up the complex MCPS environment. Security authentication across device nodes in MCPS using various identity authentication systems is relatively rare, and secure data sharing is challenging. Therefore, we propose CKMIB, a blockchain and ECC based authentication protocol for cloud medical networks, to guarantee data integrity, security and accessibility. Furthermore, the CKMIB protocol allows for secure data sharing in healthcare systems via a public channel.

The associate editor coordinating the review of this manuscript and approving it for publication was Lo'ai A. Tawalbeh.
VOLUME 10, 2022. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

A. RELATED WORK
Lee [4] stated that the traditional authentication system has become complicated with the advancement of information technology, so the traditional key framework is not reliable and requires upgrading. Zhang et al. [5] suggested a session initiation protocol (SIP) authentication key framework. However, their SIP authentication has security vulnerabilities and cannot be trusted. Tu et al. [6] suggested an improved smart card based session key authentication framework. Xu et al. [7] suggested an efficient and secure two-factor mutual authentication key framework based on ECC for sharing patients' healthcare data in the medical system. Subsequently, with the help of cryptanalysis, improved two-factor authentication frameworks based primarily on ECC were also suggested [8], [9]. Zhang et al. [5] addressed the problem of secure certification of data supply based on blockchain and trusted SGX hardware. The certificateless signature framework for wireless network regions suggested by Liu et al. [10], which is defined on the elliptic curve, has security vulnerabilities. Thus, they returned to the earlier approach, which was entirely based on their own work, and proposed an upgraded authentication framework. Renuka et al. [11] proposed a three-factor USB-based authentication architecture for smart healthcare medical systems. Lin et al. [12] stated that conventional authentication is improved by the decentralization feature of blockchain. Al-Bassam [13] gave a certificate for the present X.509 certificate standards; however, it cannot sign the best identification characteristic statistics, being based entirely on the smart contract. With the passage of time it was improved and the feature records are authenticated [14]-[19].
Alexopoulos et al. [20] used the open distributed ledger feature of blockchain technology to design their model of a secure authentication management system. Perera and Patel [21] introduced multiple-user verification in mobile active authentication, which brought the identification step and verification approach to multi-user systems. Lin et al. [12] suggested a new TCUGA framework which strictly needs to use node signatures. The trapdoor hash function used in this framework allows users to update the certificate successfully without re-signing the node. Fan et al. [22] introduced a blockchain based information management system for the medical healthcare system to record patients' information, called MedBlock. MedBlock accesses the electronic medical records of patients efficiently through the distributed ledger feature of blockchain and has secure access control protocols. As a result, it has the potential to play a critical role in the sharing of patient data in the medical healthcare system. Li et al. [23] presented a prototype of a data preservation system built entirely on the Ethereum blockchain technology, which provides an authentic storage solution in the medical healthcare system to ensure the verifiability and primitiveness of stored data. However, these blockchain-based protocols for the electronic healthcare system should take into account that maintaining or storing all electronic healthcare data in the blockchain is too difficult because of the price and size of the blockchain [24]. Consequently, these protocols need a cloud storage mechanism in the electronic healthcare system as well as decentralized mechanisms using blockchain. Lately, many research studies have been done on cloud-based electronic healthcare records using blockchain to solve the storage problem that is associated with blockchain technology [25], [26]. Using blockchain, Weng et al. [25] proposed an electronic healthcare data sharing scheme that ensures data security by using proxy re-encryption. Sahoo et al. [27] proposed a mutual authentication framework for the electronic healthcare system in 2020 to solve security issues in similar existing schemes. They stated that their scheme can withstand attacks such as offline password guessing and insider attacks. However, Ryu et al. [28] discovered that the approach of Sahoo et al. is still vulnerable to insider, privileged insider, and patient anonymity attacks, and they proposed a three-factor biometric based mutual authentication scheme for the electronic healthcare system using ECC. Cheng et al. [29] proposed a mutual authentication framework for a medical data sharing scheme based on blockchain technology that also utilizes cloud technology. They use bilinear mapping for the medical data sharing scheme. However, Itoo et al. [30] found some design flaws in the scheme of Cheng et al. Later, Olakanmi and Odeyemi [31] proposed an improved key agreement approach for healthcare systems. It maintains the medical healthcare data in cloud storage. However, these schemes [27]-[29], [31] do not specifically consider secure electronic health records based on cloud computing. Therefore, we propose the CKMIB protocol, which provides secure data sharing in the electronic healthcare system via a public channel using ECC.

B. BLOCKCHAIN TECHNOLOGY
Nakamoto proposed blockchain in 2008 [34]. The blockchain is made up of blocks that are linked together in a chain. Each block contains fields such as the block number, the previous block's hash value, a nonce, and transaction data. The chain is formed by including the hash value of the previous block in each block. This chain is called the ledger. Figure 1 illustrates a basic blockchain ledger. Every network device has its own ledger. Blockchain utilizes agreement mechanisms to verify transactions and update the entire ledger [35]. When a new transaction is added to the ledger, all nodes in the network verify that information and, if it is approved, update their ledger with the new transaction. Each user joins the network by registering a pair of public and private keys, which is accomplished through the recording of a transaction. The keys are kept in the wallet of each user. The blocks are built by miners. Miners are nodes in the blockchain network that are responsible for generating and approving blocks. To create a block, the associated node must first solve a difficult challenge. Public and private blockchains are the two forms of blockchain. On a public blockchain, everyone can participate in block generation and agreement, but only pre-approved nodes can do so on a private blockchain. Hyperledger is a private-type blockchain, whereas Bitcoin and Ethereum are public-type blockchains.

C. CLOUD BASED ELECTRONIC HEALTHCARE RECORD SYSTEM MODEL USING BLOCKCHAIN
In an electronic health care system, the patient's medical record is stored. To maintain the security and efficiency of medical data, a secure model is needed to share the electronic record. We built the system model of the electronic health care system on four entities: patient, medical center, network administrator and cloud server. The system model of the proposed protocol is given in Figure 2.
• The patient visits the medical center to receive health care. To receive health care, the patient must transmit health data to the medical center through some devices and sensors. The patient's health care data are saved in an electronic health care system, with proper health care services provided by the medical center.
• A network administrator is a reliable administrator that supervises the registration of any participant in the blockchain.
• The network administrator registers the medical center in the blockchain. The medical center stores the healthcare records of patients in a cloud server for sharing with another medical center. For any medical center to obtain the medical data of another medical center, it needs to log the data request to the private blockchain in the form of a transaction.
• Cloud storage is a reliable entity that has enough capacity and computing power to manage and store electronic health care data and provide secure data sharing. It obtains data from the medical centre and distributes it to medical centres that have requested electronic health care data using the registered secret key.

D. THE DESCRIPTION OF PROPOSED ELECTRONIC HEALTH CARE COMMUNICATION MODEL
• With the help of the network administrator, the patient and doctor register their identities for accessing electronic healthcare services.
• A session key is generated between patient and doctor for future communication.
• The medical center obtains the information from the patient with the help of the session key. Then the electronic health record is generated by the medical centre. After that, this record is uploaded to the blockchain by the medical centre.
• The electronic health record of the patient is encrypted by the medical center using the secret key and then sent to the cloud server. The electronic health record is then decrypted by the cloud server and finally stored in the database.
• If another medical center requests the data of the medical center from the cloud server, the cloud server encrypts the data with the secret key of the medical center and sends it to the medical center through a secure channel.
• When the medical center receives the electronic health care data, it decrypts it first and then uploads the transaction containing the patient and medical center identities, timestamp, and the signature to the blockchain.

E. MOTIVATION AND CONTRIBUTION
A technique must be used in the medical healthcare system to protect the system from misbehaving or compromised users. Doctors prefer to diagnose and monitor patients remotely using IoT-enabled wireless sensor nodes in electronic healthcare systems because of communicable diseases such as Covid-19. As a consequence, records are transferred to a digital healthcare device through wireless media. The security and privacy of patients' sensitive information, as indicated in the preceding section, remains a key concern. To do harm, a hostile opponent may use sensitive information or gain control of medical equipment. To avoid these security problems in medical systems, designers must develop a system that cannot misbehave or be hacked and is free of security dangers. As a consequence, we develop a blockchain-based key agreement framework for cloud medical networks that employs ECC to provide secure data transmission in an electronic healthcare system through wireless channels. The proposed protocol is safe against a variety of cryptographic attacks, as well as eliminating side-channel attacks, reducing communication costs, and providing extra security features. We integrate cloud computing, blockchain, and authentication in CKMIB to enable safe key agreement authentication between network administrators and users, which makes it more suitable for electronic medical healthcare applications. In section 1.1, we review the numerous authentication protocols proposed by various researchers for the medical health system. While some of them are based on ECC, none of them meets all of the security requirements of the electronic health care system. We propose a blockchain-based key agreement architecture for cloud medical networks as a way to improve things. Table 1 shows the comparative study of these procedures with our suggested protocol.
The following are the key aspects of the CKMIB protocol:
• We propose a new key agreement and authentication protocol for the cloud medical system using blockchain.
• The proposed protocol is secure against many security attacks such as the impersonation attack, eavesdropping attack, stolen verifier attack, insider attack, replay attack, and man-in-the-middle attack. Furthermore, the proposed protocol provides various security properties such as patient anonymity, unlinkability, mutual authentication, traceability, key freshness, and perfect forward security.
• We perform a formal security analysis of the proposed protocol using a random oracle model.
• We use the simulation tool AVISPA ("Automated Validation of Internet Security Protocols and Applications") for the verification of security against replay and man-in-the-middle attacks.
• In the proposed protocol, the user can easily update his/her password.

F. ADVERSARY MODEL
We follow the Dolev-Yao model [36] throughout the proposed protocol CKMIB to perform the security analysis. The Dolev-Yao (DY) model is based on the following assumptions:
• An attacker $\mathcal{A}$ can delete messages, inject unwanted messages and intercept messages that are transmitted over the public channel.
• An attacker $\mathcal{A}$ may attempt numerous attacks such as the eavesdropping attack, session key stolen attack, replay attack, insider attack and so on.

G. ORGANISATION OF THE PAPER
The rest of this paper is organised as follows. The preliminaries that are helpful for presenting the proposed scheme are given in section 2. We present the proposed scheme in section 3. In section 4, we perform the security analysis of the proposed protocol using formal and informal security analysis. The overall performance evaluation of the proposed scheme against the associated schemes is given in section 5. Finally, we draw the conclusion.

II. PRELIMINARIES
In this section, we give the mathematical terminology and notation required in the rest of this paper.

A. NOTATIONS
In Table 2, we give the meaning of each notation or symbol used in this paper.
be a non singular elliptic curve over a finite field $Z_q$, where $i, j \in Z_q$ with $4i^3 +$
For the given pair $(Y, eY)$, where $e \in Z_q$ and $Y \in G$, it is hard to find $e$ by any polynomial bounded algorithm. The probability that the attacker can evaluate ECDLP as $Adv_{ECDLP}$ where is comparatively very small positive quantity.

E. BIOMETRIC FUZZY EXTRACTOR
A fuzzy extractor is defined as a pair of functions: one generates uniform random bits from the pre-defined input values, and the other retrieves the string from an input value that is close to the authentic input value within the pre-defined approach. The mathematical representation of the fuzzy extractor is $(L, J, M)$, where $M$ is the metric space of finite dimension of the biometric input data and $L$ is the bit length of the output string. The fuzzy extractor consists of two algorithms, Rep(.) and Gen(.) [38].
• Gen(.): Gen(.) is a probabilistic method which takes a biometric input $B_i \in M$ and gives secret key data $i \in \{0, 1\}^l$ as output, together with $\tau_i$, a public reproduction variable for the biometric input data.

III. THE PROPOSED PROTOCOL
The proposed protocol CKMIB consists of three phases, the initialization phase, the registration phase and the authentication phase, which are explained below:

A. INITIALIZATION PHASE
In the proposed protocol CKMIB, NA selects a random number $q$ on the elliptic curve $E_q(i, j)$ and his/her hash function $h(\cdot)$; the biometric is processed using the fuzzy extractor algorithm [39]. The Gen(.) and Rep(.) algorithms are executed during login. Further, NA generates a random value $y \in Z_q$, selects it as his/her private key and computes the public key as $P_{pub} = yg$. Furthermore, NA publishes the attributes $\{\tau_p(\cdot), \sigma(\cdot), q, g, h(\cdot), E_q(s, t)\}$.

B. REGISTRATION PHASE
The registration phase of the CKMIB protocol has two parts, the patient registration phase and the medical centre registration phase, which are described as follows:

1) PATIENT REGISTRATION PHASE
To receive a medical diagnosis, the patient must register his/her identity with the network administrator. The NA helps the patient register his/her public and private keys, and this is executed over a secure channel. The details of the registration phase are given below and shown in Table 3.
• Step 1: $p_i$ requests registration from the network administrator. $p_i$ inputs $ID_p$ and password $PW_p$ and imprints his/her biometric $B_p$, then generates $r_q \in Z_q$, computes $(\sigma_p, \tau_p) = Gen(B_p)$ and $A = h(PW_p \| \sigma_p) \oplus r_q$, and sends $\{ID_p, A\}$ to NA via a secure channel.
• Step 2: On receiving the message, NA computes $B = h(ID_p \| C_p \| y)$, where $y$ is the secret key of the network administrator, and stores $\{ID_p, C_p\}$ in its database for further communication. NA then computes $\alpha = B \oplus A$, stores $\{\alpha, C_p\}$ in its database for the corresponding $ID_p$, and sends $\{\alpha, C_p\}$ to the patient.

2) MEDICAL CENTRE REGISTRATION PHASE
The medical centre must register with the network administrator to gain access for exchanging information with other medical centres. The details of the medical centre registration phase are given below and illustrated in Table 4.

C. LOGIN AND AUTHENTICATION PHASE
In the authentication phase, $p$ communicates with NA and MC over a public channel. The login and authentication phase is detailed below and shown in Table 5:
$= \alpha_2$; if yes, then generates $a \in Z_q$, computes $K_1 = h(A \| C_p)$, $H_1 = h((A \oplus ag) \| K_1)$ and $E_1 = E_{K_1}(ID_p, ag, H_1)$. Then $p$ computes $H_2 = h(ID_p \| C_p \| T_1)$ and encrypts $E_2 = E_{K_2}(E_1, H_2)$, where $K_2 = h(A \| \alpha_1 \| ID_p)$. Finally, $p$ sends $M_1 = \{E_2, T_1\}$ to NA.
$= H_2$; if yes, then computes $K_3 = h(ID_{cm} \| C_{cm})$ and

F. UPDATING OF PASSWORD AND BIOMETRIC PHASE
When $p$ wants to update his/her password, he/she takes the following steps:

IV. SECURITY ANALYSIS
In this section, we analyse the security of CKMIB. We prove that CKMIB is secure against various malicious security attacks. We also prove that CKMIB is secure against replay attacks and MITM by using the random oracle model.

A. INFORMAL SECURITY ANALYSIS
We analyse the informal security of CKMIB and show that CKMIB is secure against various security threats. Moreover, CKMIB assures the patient's confidentiality and secure authentication.

1) IMPERSONATION ATTACK
$\mathcal{A}$ attempts to impersonate an authorized $p$ to acquire sensitive information. To impersonate $p$, $\mathcal{A}$ has to compute a message $M_1 = \{E_2, T_1\}$. However, $E_2$ is encrypted with the secret key $K_2$, and the adversary cannot compute this key because $K_2 = h(A \| \alpha_1 \| ID_p)$. Therefore, CKMIB is secure against the impersonation attack.

2) EAVESDROPPING ATTACK
In the eavesdropping attack, $\mathcal{A}$ can intercept all messages conveyed through the insecure medium. In the proposed protocol, however, all the parameters are protected by the hash function and by fresh random numbers which are chosen in every round of authentication. So $\mathcal{A}$ obtains neither any parameter nor the identity of the user. In addition, $\mathcal{A}$ cannot calculate $SK_p = h(H_4 \| ID_p \| ID_{cm} \| abg \| \beta \| T_5)$. Therefore, $\mathcal{A}$ cannot obtain $ID_p$, $M_i$ and $SK_p$.

3) SESSION KEY DISCLOSURE ATTACK
If $\mathcal{A}$ tries to obtain the session key $SK_p = h(H_4 \| ID_p \| ID_{cm} \| abg \| \beta \| T_5)$, the adversary must know the random numbers $a$ and $b$ and the base point $g$ of the elliptic curve, which are hard to obtain, and must also know the identity of $p$ as well as that of the medical center MC. Therefore, CKMIB is secure against session key disclosure.

4) KEY FRESHNESS
Key freshness means that new keys are generated so that future communication cannot be compromised even if old keys are compromised. Freshness of keys in cryptography relies on two principal values: a random number and a timestamp. In each step of CKMIB, we choose a fresh random number as well as a fresh timestamp. Therefore, the freshness of the key agreement is maintained in CKMIB.

5) PERFECT FORWARD SECRECY
If by chance $\mathcal{A}$ learns the private secret key, $\mathcal{A}$ still cannot obtain the previous key $SK_p = h(H_4 \| ID_p \| ID_{cm} \| abg \| \beta \| T_5)$ because the previous key does not contain $SK_{NA}$. Further, even if the parameters $K_2$ and $K_3$ are compromised, $\mathcal{A}$ cannot obtain $abg$, which is as hard to compute as the Diffie-Hellman problem.

6) REPLAY ATTACK
$\mathcal{A}$ tries to retransmit a message to perform a replay attack. But $\mathcal{A}$ cannot perform the replay attack because the transmitted messages include verifying conditions, random numbers and a secure hash function. Thus, CKMIB can resist the replay attack.

7) INSIDER ATTACK
The message transmitted by $p$ is confirmed by NA and then uploaded to the cloud based blockchain. After $p$'s message is received in the blockchain, $p$'s identity still remains masked by $p$'s private key $K_1$. This private key always remains secret and is known only to $p$. No other entity can obtain the patient's information because it is masked by the secret key. Only the patient can decrypt the message with his/her secret key. Therefore, the attacker fails to use his/her identity to obtain another user's information, or the user's identity and password for login attempts to other services. Therefore, CKMIB is secure against the insider attack.

8) PATIENT ANONYMITY
$\mathcal{A}$ cannot learn the patient's real identity because it is masked by the hash function or encrypted with a random number or secret key. Therefore, in CKMIB the user's identity is secure.

9) TRACEABILITY
An attacker monitors the authentication request messages from two different sessions and compares them to see if they are similar. If both messages are identical, the authentication request messages have the same origin, indicating that the user/patient for both requests is the same. The adversary cannot track the user/patient in our scheme even after listening to or stealing the authentication messages $M_i = \{E_i, , t_i\}$, because these messages contain parameters $E_{K_1}(ID_p, ag, H_1)$ encrypted with a private key $K_1$, a one-way hash function, and a current timestamp $t_i$ that is chosen fresh for each new session, resulting in the formation of a new $M_i$. Hence, the identity of the user/patient and medical center cannot be traced. Thus, our scheme is resistant to traceability attacks.

10) UNLINKABILITY
The identity and location of the user/patient are two important privacy concerns. The adversary must be kept in the dark about the patient's identity and associated information. It is impossible for the adversary to deduce the patient's identity in the proposed protocol CKMIB, because we use an anonymous identity $ID_p$ and also encrypt it with the private key $K_1$ as $E_1 = E_{K_1}(ID_p, ag, H_1)$. In addition, each session uses a distinct temporary identity $ID_p$ to protect $p$'s privacy. Outsiders have no knowledge of who is communicating with MC because $ID_p$ is unlinkable. The adversary cannot tell whether the identities involved in two runs of the protocol are the same or different. Therefore, the proposed scheme prevents the leakage of user identity and protects the user's privacy.

11) MAN IN THE MIDDLE ATTACK
$\mathcal{A}$ can endeavor to reuse past login messages on the server side.
$= H_3$. Thus, $\mathcal{A}$ cannot succeed against the original entity because we use fresh random values and an anonymous identity. Hence, our proposed protocol withstands this attack.

12) EPHEMERAL SECURITY LEAKAGE ATTACK
Suppose $\mathcal{A}$ can obtain access to the short-term (ephemeral) and long-term (permanent) secret parameters. $\mathcal{A}$ can then try to calculate $SK_p = h(H_4 \| ID_p \| ID_{cm} \| abg \| \beta \| T_5)$ between the patient and the medical centre. The two cases are illustrated below.
• Assume that $\mathcal{A}$ knows the short-term secret parameters $a$ and $b$. $\mathcal{A}$ then tries to calculate $SK$, which cannot be computed without the long-term secret parameters $K_1$ and $K_2$: $\mathcal{A}$ can compute $abg$ from the short-term secret parameters but cannot calculate $H_4$.
• Assume that $\mathcal{A}$ has access to the long-term secret parameters $K_1$ and $K_2$. $\mathcal{A}$ is still unable to compute $SK$ since $\mathcal{A}$ does not know the short-term secret parameters $a$ and $b$, and recovering them is infeasible due to ECDHM.
To create the right $SK$ in the above two cases, $\mathcal{A}$ must be aware of both the short-term and the long-term secret factors. As a result, the ephemeral security leakage attack is not possible in our proposed framework CKMIB.
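
The session key formula and the first leakage case can be reproduced with the script below. It is an added example, not code from the paper: it assumes SHA-256 for $h$, the secp256k1 curve for $E_q$, and length-prefixed concatenation, and it treats $H_4$, $\beta$ and $T_5$ as constructed placeholder byte strings because their derivation is not given in this section.

```python
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P. The curve choice is an
# assumption; the paper only names a curve E_q(i, j) with base point g.
P = 2**256 - 2**32 - 977
N = int("FFFFFFFF" "FFFFFFFF" "FFFFFFFF" "FFFFFFFE"
        "BAAEDCE6" "AF48A03B" "BFD25E8C" "D0364141", 16)
G = (int("79BE667E" "F9DCBBAC" "55A06295" "CE870B07"
         "029BFCDB" "2DCE28D9" "59F2815B" "16F81798", 16),
     int("483ADA77" "26A3C465" "5DA4FBFC" "0E1108A8"
         "FD17B448" "A6855419" "9C47D08F" "FB10D4B8", 16))


def on_curve(pt):
    """Reject the point at infinity (None) and anything off the curve."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x**3 - 7) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time: teaching only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def h(*fields):
    """h(f1 || f2 || ...) with every field length-prefixed, so the boundary
    between fields is unambiguous (the encoding is an assumption)."""
    return hashlib.sha256(
        b"".join(len(f).to_bytes(4, "big") + f for f in fields)).digest()


def session_key(h4, id_p, id_cm, abg, beta, t5):
    """SK_p = h(H_4 || ID_p || ID_cm || abg || beta || T_5)."""
    if not on_curve(abg):
        raise ValueError("invalid shared point")
    x, y = abg
    return h(h4, id_p, id_cm,
             x.to_bytes(32, "big") + y.to_bytes(32, "big"), beta, t5)


def run_session(h4, beta, t5, id_p=b"ID_p-demo", id_cm=b"ID_cm-demo"):
    """One constructed run: the patient picks a, the medical centre picks b."""
    a = secrets.randbelow(N - 1) + 1
    b = secrets.randbelow(N - 1) + 1
    ag, bg = ec_mul(a, G), ec_mul(b, G)      # the values that cross the channel
    sk_patient = session_key(h4, id_p, id_cm, ec_mul(a, bg), beta, t5)
    sk_centre = session_key(h4, id_p, id_cm, ec_mul(b, ag), beta, t5)
    return {"a": a, "b": b, "ag": ag, "bg": bg, "ids": (id_p, id_cm),
            "sk_patient": sk_patient, "sk_centre": sk_centre}


def leak_ephemeral_only(run, guessed_h4, beta, t5):
    """Case 1: a and b leak. abg is computable, but SK_p also depends on H_4.
    Case 2 (long-term values leak, a and b do not) leaves only ag and bg, and
    getting abg from those is the Diffie-Hellman problem."""
    abg = ec_mul(run["a"] * run["b"] % N, G)
    return session_key(guessed_h4, *run["ids"], abg, beta, t5)


if __name__ == "__main__":
    H4, BETA, T5 = b"\x11" * 32, b"\x22" * 32, b"1700000000"  # constructed
    run = run_session(H4, BETA, T5)
    print("both sides agree:", run["sk_patient"] == run["sk_centre"])
    print("a, b leaked, H_4 unknown:",
          leak_ephemeral_only(run, b"\x00" * 32, BETA, T5) == run["sk_patient"])
    print("a, b and H_4 all leaked:",
          leak_ephemeral_only(run, H4, BETA, T5) == run["sk_patient"])
```

The last line of output is the boundary of the claim: the key is only as protected as the weaker of the two secret classes once both are exposed, so ephemeral values should be erased after the key is derived.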

13) DoS ATTACK
During the login phase in the proposed protocol CKMIB, $p$ inputs $ID_p$, $B_p$ and $PW_p$ and gets $\sigma_p = Rep(\tau_p, B_p)$, and NA computes $H_2^* = h(ID_p^* \| C_p \| T_1)$ and verifies $H^* \stackrel{?}{=} H_1$. The session is terminated if this condition is not met. Thus, the authentication request is only sent to $p$ if NA confirms authenticity. $p$ also protects against replay attacks by checking the freshness of messages. Therefore, even if an attacker tries to overload NA by replaying numerous past login requests of valid legitimate users, NA rejects these requests by checking the message freshness. Hence, CKMIB is resistant to DoS attacks.
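
The NA-side check described above, written out as an added example (not code from the paper). It assumes SHA-256 for $h$, an acceptance window `max_skew` for $T_1$, and that $E_2$ has already been decrypted to recover $ID_p^*$ and $H_2$; the replay cache is an extra measure of this example, needed because a copy of a valid request sent inside the window still passes the freshness test.

```python
import hashlib
import hmac


def h(*fields):
    """h(f1 || f2 || ...) with length-prefixed fields (encoding is an assumption)."""
    return hashlib.sha256(
        b"".join(len(f).to_bytes(4, "big") + f for f in fields)).digest()


class LoginVerifier:
    """Checks NA applies to a login request before doing any further work."""

    def __init__(self, registered, max_skew=30):
        self.registered = registered   # ID_p -> C_p, stored at registration
        self.max_skew = max_skew       # accepted |now - T_1| in seconds (assumed)
        self.seen = {}                 # (ID_p, T_1, H_2) -> last time it can be fresh

    def verify(self, id_p, t1, h2, now):
        # Forget requests whose timestamp can no longer pass the freshness test.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        # Cheapest test first: stale requests are dropped without any hashing.
        if abs(now - t1) > self.max_skew:
            return "stale"
        c_p = self.registered.get(id_p)
        if c_p is None:
            return "unknown-id"
        # H_2* = h(ID_p* || C_p || T_1), compared in constant time.
        expected = h(id_p, c_p, str(t1).encode())
        if not hmac.compare_digest(expected, h2):
            return "bad-hash"
        key = (id_p, t1, h2)
        if key in self.seen:
            return "replay"
        self.seen[key] = t1 + self.max_skew
        return "ok"


def demo():
    """Constructed requests: one valid login, then copies of it and forgeries."""
    na = LoginVerifier({b"ID_p-demo": b"C_p-demo"})
    t1 = 1_700_000_000
    good = h(b"ID_p-demo", b"C_p-demo", str(t1).encode())
    return [
        na.verify(b"ID_p-demo", t1, good, now=t1 + 2),        # fresh, well formed
        na.verify(b"ID_p-demo", t1, good, now=t1 + 5),        # copy inside the window
        na.verify(b"ID_p-demo", t1, good, now=t1 + 300),      # copy after the window
        na.verify(b"ID_p-demo", t1, b"\x00" * 32, now=t1 + 2),  # wrong H_2
        na.verify(b"ID_other", t1, good, now=t1 + 2),         # unregistered identity
    ]


if __name__ == "__main__":
    print(demo())
```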

14) SIDE CHANNEL ATTACK
There are several side channel attacks on well-known shared key encryption. A side channel attack can be used to get the AES encryption key used in the challenge-response of a single password based authentication scheme. The AES encryption key in our protocol is made up of numerous keys that have been XORed together, and those keys cannot be recovered from the encryption key. An attacker cannot determine the values of the keys used in authentication simply by knowing the encryption key. As a result, a side channel attack cannot be used to obtain the entire secure vault by constructing a duplicate device or inserting a false message into the channel.

B. FORMAL SECURITY ANALYSIS
In the following subsection, we define the formal security analysis for CKMIB. The proposed security model is acceptable and appropriate based on the literature [40]. In CKMIB, we define the three parties $p$, NA and MC. In addition, $\Upsilon^i_p$, $\Upsilon^j_{NA}$ and $\Upsilon^k_{MC}$ represent the $i$-th, $j$-th and $k$-th instances of $p$, NA and MC respectively, called oracles. The attacker can make the following queries, which are illustrated in Table 6:
• Execute: This inquiry is used to model the eavesdropping attack, i.e. with this request the attacker can intercept all messages that are conveyed through the channel.
• Reveal($\Upsilon^i$): This inquiry is used to model the session key disclosure attack. The attacker can obtain the session key generated by $\Upsilon^i_p$ in the current session.
• Send($\Upsilon^i$, $\Upsilon^j$, message($m$)): This inquiry imitates an active attack by the attacker. The attacker behaves as $\Upsilon^i_p$ and communicates a message $m$ to $\Upsilon^j$. If $m$ is authentic, then, following the protocol, the attacker receives a corresponding message as feedback; otherwise the inquiry is terminated.
• Test($\Upsilon^i$): This inquiry models the semantic security of the session key between $p$ and NA. Before it is made, a bit $e$ is chosen at random and kept secret from the attacker. When $\mathcal{A}$ makes this query and a session key $SK$ has been established, $\Upsilon^i$ returns the original $SK$ when $e = 1$, or a random number of the same length as $SK$ when $e = 0$; otherwise the output is null.
Finally, the semantic security of $SK$ is defined. In the proposed model, an attacker wants to distinguish whether the session key between $\Upsilon^i_p$ and $\Upsilon^j_{NA}$ is real or a random value. The attacker can make the Test query to the instances $\Upsilon^i_p$ or $\Upsilon^j_{NA}$, and then check the consistency of its output with the random bit $e$. Subsequently, the attacker guesses a bit $e'$. When $e' = e$ is satisfied, the attacker wins the game. $Succ$ is used to represent the event that the attacker wins the game. The advantage of $\mathcal{A}$ in breaking the semantic security of the protocol is defined as $Adv_{CKMIB}(\mathcal{A}) = |2 \cdot prob[Succ] - 1|$, where $prob[E]$ represents the probability of occurrence of the event $E$. If $Adv_{CKMIB}(\mathcal{A})$ is negligible, the protocol is considered secure in the proposed model.
Theorem: Let the attacker run in polynomial time in the proposed model against the proposed protocol. Assume NA is not compromised; then the advantage of the attacker in breaking the semantic security of the protocol to obtain the session key between $p$ and NA is:
where $Q_s$, $Q_h$, $Q_e$, $n$ and $l_s$ represent execute queries, hash oracle queries, range space of the random number generation, and the length of the hash function output value.
Proof: In this proof we use three games $G_i$, where $i = 1, 2, 3$. Let $Succ_i$ denote the event that $\mathcal{A}$ successfully guesses the bit $e$ in the game $G_i$.
• G 1 : The attacker execute attack on protocol. Before the game starts e is selected randomly, we get • G 2 : The attacker executes an eavesdropping attack on protocol. The attacker first makes Execute queries and then make a Test query. The session key in the proposed protocol is SK p = h(H 4 ID p ID cm abg β T 5 ).
The attacker has to distinguish whether the result returned by the Test query is a random number or the session key. It can obtain all the parameters transmitted in the channel by making Execute queries, but it cannot obtain SK p . Hence, eavesdropping attacks do not increase the probability of the attacker winning; therefore we obtain:
• G 3 : During the authentication phase G 2 simulates the random number and all hash collisions. The session key is generated by the hash function and random numbers in the proposed protocol. According to the birthday paradox, the probability of a random number collision is $\frac{(Q_s + Q_e)^2}{2n}$ and the probability of a hash collision is $\frac{Q_h^2}{2^{l_s+1}}$. Therefore, we have
All the queries are simulated in G 2 . The session key is generated independently between p and NA in the proposed protocol. Therefore, the attacker cannot get any information about the bit e. The attacker can win the game only if it obtains the bit e after making the Test query. Thus, it is obtained:
The following result is obtained from equations (1), (2) and (4):
From equations (3) and (5) the following result is obtained:

C. SIMULATION STUDY USING AVISPA TOOL
Formal verification of the proposed work is performed using the AVISPA software tool, which uses a formal and modular language to express the security protocol needs and features. AVISPA is a one-button tool for Automated Validation of Internet Security Protocols and Applications [41]. The goal of this tool is to create a rich language for describing threat models and security objectives. Additionally, AVISPA helps security organisations to identify weaknesses and risks in authentication protocols. To perform security verification, the security framework is modeled in a modular and role-based language called the High Level Protocol Specification Language (HLPSL). This formal language supports the specification of structures, intruder models and crypto primitives with their complex properties.
Finally, AVISPA includes a translator, HLPSL2IF, which automatically translates an HLPSL specification into the equivalent Intermediate Format (IF). The IF is in turn fed to one of the back-ends in AVISPA to display a result.
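Returning to the game-based proof in the formal analysis above, the following added Python example (not from the paper) plays the Test-query game to estimate Adv = |2 · prob[Succ] − 1| and evaluates the two G 3 collision terms. The key derivation is a SHA-256 stand-in rather than the CKMIB session-key formula, and all function names, query counts and sizes are constructed for illustration.

```python
import hashlib
import secrets
from fractions import Fraction

def session_key(secret: bytes, transcript: bytes) -> bytes:
    # Stand-in derivation (assumption): SHA-256 over a shared secret and the
    # public transcript. This is not the CKMIB session-key formula.
    return hashlib.sha256(secret + transcript).digest()

def challenge(real_key: bytes):
    """Test query: flip e, return (e, real key if e == 1 else random bytes)."""
    e = secrets.randbits(1)
    return e, (real_key if e == 1 else secrets.token_bytes(len(real_key)))

def guess_bit(transcript: bytes, reply: bytes, secret=None) -> int:
    """Adversary's e': recompute the key from what it knows and compare."""
    known = secret if secret is not None else b""  # eavesdropper: public data only
    return 1 if session_key(known, transcript) == reply else 0

def advantage(trials: int, secret_leaked: bool) -> float:
    """Estimate Adv = |2*prob[Succ] - 1| over fresh sessions."""
    wins = 0
    for _ in range(trials):
        secret, transcript = secrets.token_bytes(16), secrets.token_bytes(32)
        e, reply = challenge(session_key(secret, transcript))
        wins += guess_bit(transcript, reply, secret if secret_leaked else None) == e
    return abs(2 * wins / trials - 1)

def collision_terms(q_s: int, q_e: int, q_h: int, n: int, l_s: int):
    """The two G_3 terms: (Q_s+Q_e)^2 / 2n and Q_h^2 / 2^(l_s+1)."""
    return Fraction((q_s + q_e) ** 2, 2 * n), Fraction(q_h ** 2, 2 ** (l_s + 1))

def exact_collision(q: int, n: int) -> Fraction:
    """Exact probability that q uniform draws from n values contain a repeat."""
    distinct = Fraction(1)
    for i in range(q):
        distinct *= Fraction(n - i, n)
    return 1 - distinct

if __name__ == "__main__":
    print("eavesdropper Adv ~", advantage(4000, secret_leaked=False))
    print("leaked-secret Adv =", advantage(4000, secret_leaked=True))
    # Constructed sizes: 160-bit nonces and hash output, 2^20 / 2^40 queries.
    rnd, hsh = collision_terms(2**20, 2**20, 2**40, 2**160, 160)
    print("collision terms:", float(rnd), float(hsh))
```

An eavesdropper that sees only the transcript ends up with an advantage near zero, while one holding the long-term secret distinguishes every time; `exact_collision` shows on small parameters that the birthday term is an upper bound on the true collision probability.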

V. PERFORMANCE ANALYSIS
In this section we compare the performance of CKMIB with the corresponding schemes [10], [27], [29], [31]-[33]. We analyse the computation as well as the communication cost of the related schemes and of CKMIB.

A. SECURITY ATTRIBUTES COMPARISON
The comparative security analysis of CKMIB and the related schemes [10], [27], [29], [31]-[33] in the same environment is shown in Table 7. CKMIB withstands the following attacks: impersonation attack, insider attack, eavesdropping attack, replay attack and man-in-the-middle attack, and has security features such as session key disclosure, forward secrecy, patient anonymity, unlinkability and traceability.

B. COMPUTATION COST COMPARISON
We have evaluated the computation cost of the proposed protocol against other existing protocols [10], [27], [29], [31]-[33]. The times of the different operations in milliseconds are: hash function $t_h$ = 0.0001 ms, bilinear pairing $t_{bp}$ = 4.211 ms, bilinear pairing operation of scalar multiplication $t_{bp-sm}$ = 1.709 ms, bilinear pairing operation of addition $t_{bp-ad}$ = 0.0071 ms, elliptic curve operation of scalar multiplication $t_{ec-sm}$ = 0.442 ms, exponential $t_{exp}$ = 3.886 ms, elliptic curve decryption $t_{ec-dec}$ = 0.7399 ms, elliptic curve encryption $t_{ec-enc}$ = 0.5102 ms, elliptic curve addition $t_{ec-ad}$ = 0.0018 ms. The computation costs of the proposed protocol and the other existing protocols are based on Kim et al. [33], who performed these simulations on a laptop with an Intel Core i5 processor, 8 GB of RAM, and a GeForce 920M graphics card. This device can calculate 250 K hashes per second. The first two components of the simulations focus on transaction processing time. The outcome is solely determined by the total number of transactions. We compare the computation costs of CKMIB throughout the authentication phase between the medical center and the patient with the corresponding schemes as follows:
• The scheme of Liu et al. [10] consists of six bilinear pairing operations of scalar multiplication, three bilinear pairing operations of addition, two exponential operations and six hash functions, for a total computation cost of approximately 22.2583 ms.
• The scheme of Sahoo et al. [27] consists of three elliptic curve encryptions, three elliptic curve decryptions, seven elliptic curve scalar multiplications and fifteen hash functions, for a total computation cost of approximately 6.8458 ms.
• The scheme of Chang et al. [29] consists of eight bilinear pairing operations of scalar multiplication, two bilinear pairing operations of addition, one exponential operation and six hash functions, for a total computation cost of approximately 17.5728 ms.
• The scheme of Olakanmi and Odeyemi [31] consists of two elliptic curve scalar multiplications, two bilinear pairing operations and four hash functions, for a total computation cost of approximately 9.3064 ms.
• The scheme of Renuka et al. [32] consists of nine elliptic curve operations of scalar multiplication, one elliptic curve encryption, two elliptic curve decryptions and fifteen hash functions, for a total computation cost of approximately 5.2296 ms.
• The scheme of Kim et al. [33] consists of two elliptic curve encryptions, two elliptic curve decryptions, two elliptic curve scalar addition operations, two elliptic curve scalar multiplication operations and ten hash functions, for a total computation cost of approximately 3.3878 ms.
• The proposed scheme consists of two elliptic curve encryptions, two elliptic curve decryptions and fifteen hash functions, for a total computation cost of approximately 2.5017 ms.
The detailed comparison is shown in Table 8, and the efficiency of the proposed protocol and the other existing protocols is given in Figure 4.
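The totals above are weighted sums of the per-operation times, so they can be re-derived from the operation counts in each bullet. The following added Python example (not from the paper) recomputes every total and reports the schemes whose stated figure does not follow from the stated counts; the dictionary keys are shorthand chosen here for the paper's $t$ symbols.

```python
# Per-operation times in ms, as listed in the text above.
T_MS = {"h": 0.0001, "bp": 4.211, "bp_sm": 1.709, "bp_ad": 0.0071,
        "ec_sm": 0.442, "exp": 3.886, "ec_dec": 0.7399, "ec_enc": 0.5102,
        "ec_ad": 0.0018}

# scheme -> (operation counts as described in the bullets, total stated in ms)
SCHEMES = {
    "Liu et al. [10]": ({"bp_sm": 6, "bp_ad": 3, "exp": 2, "h": 6}, 22.2583),
    "Sahoo et al. [27]": ({"ec_enc": 3, "ec_dec": 3, "ec_sm": 7, "h": 15}, 6.8458),
    "Chang et al. [29]": ({"bp_sm": 8, "bp_ad": 2, "exp": 1, "h": 6}, 17.5728),
    "Olakanmi and Odeyemi [31]": ({"ec_sm": 2, "bp": 2, "h": 4}, 9.3064),
    "Renuka et al. [32]": ({"ec_sm": 9, "ec_enc": 1, "ec_dec": 2, "h": 15}, 5.2296),
    "Kim et al. [33]": ({"ec_enc": 2, "ec_dec": 2, "ec_ad": 2, "ec_sm": 2, "h": 10},
                        3.3878),
    "CKMIB": ({"ec_enc": 2, "ec_dec": 2, "h": 15}, 2.5017),
}

def recompute(counts: dict) -> float:
    """Sum count * time over the operations of one scheme, to 4 decimals."""
    return round(sum(n * T_MS[op] for op, n in counts.items()), 4)

def audit(tol: float = 5e-5) -> dict:
    """Return {scheme: (recomputed, stated)} where the two totals disagree."""
    mismatches = {}
    for name, (counts, stated) in SCHEMES.items():
        total = recompute(counts)
        if abs(total - stated) > tol:
            mismatches[name] = (total, stated)
    return mismatches

if __name__ == "__main__":
    for name, (counts, stated) in SCHEMES.items():
        print(f"{name:28s} recomputed {recompute(counts):8.4f}  stated {stated:8.4f}")
    print("totals that do not reproduce:", sorted(audit()))
```

The CKMIB, Sahoo, Chang and Olakanmi totals reproduce exactly; for the Liu, Renuka and Kim entries the operation list and the stated total in the text disagree, so Table 8 should be consulted for the intended counts.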

C. COMMUNICATION COST COMPARISON
We evaluate the communication cost of the proposed protocol and other existing protocols [10], [27], [29], [31]-[33]. For the communication cost we take the message authentication code as 160 bits, the identity as 128 bits, the hash function as 160 bits, the timestamp as 32 bits, the additive group G 1 as 1024 bits, the multiplicative group G as 320 bits, the symmetric-key encryption as 256 bits and ECC-based encryption as 320 bits. We compute the communication cost of the proposed framework based on [33]. The communication costs of CKMIB and the related schemes are shown in Table 9. The communication cost of our proposed protocol is much less than that of the other existing protocols. Thus, the proposed protocol is more efficient in communication than the other existing protocols. The efficiency of the proposed protocol and the other existing protocols is given in Figure 5.

VI. CONCLUSION
In this article, we have proposed an effective blockchain and cloud based mutual authentication protocol for electronic healthcare systems. The proposed CKMIB security system protects user privacy and anonymity, and is also resistant to various attacks. In the electronic healthcare system, every record is being replaced by electronic files due to the rapid advancement of technology. Because these electronic healthcare records contain personal information about patients, they must be kept secure. In this paper, we presented a secure CKMIB protocol based on blockchain and cloud computing technologies. The proposed protocol is secure under the random oracle model. In addition, formal security verification and validation has been performed through AVISPA using HLPSL. The proposed protocol is also more secure and has more security measures than other similar schemes in the same context. Hence, the proposed protocol is lightweight and efficient, and has lower communication and computational cost than the other existing authentication protocols in a similar environment. Our proposed framework opens the door to new opportunities in the future. This ECC-based authentication protocol can be used to securely transfer data for applications such as aerospace, smart vehicles, national security, the Internet of Things (IoT), wireless networks, online voting systems, and other government schemes.