A Permissioned Blockchain-Based Identity Management and User Authentication Scheme for E-Health Systems

The growth of electronic healthcare (e-health) systems is promoted by the evolution of Internet of Things (IoT) technology, as this new environment provides a variety of alternatives for medical data collection. Traditional authentication models in e-health systems cannot be applied directly to scenarios requiring low-latency, real-time services. Providing a variety of means for data transmission is considered an important method to achieve effective control in e-health systems. However, this new approach also leads to security and privacy concerns as increasingly flexible communication services are introduced. Achieving effective authentication of medical data for different users while providing security guarantees in e-health systems is an interesting problem. In this paper, we present a permissioned blockchain-based identity management and user authentication (PBBIMUA) scheme for the e-health environment. Our scheme satisfies the extensive security requirements of medical data. An evaluation and security analysis show that performance, in terms of lightweight construction and lower network latency with high security standards, is improved in comparison to known methods. The experimental results show that the system has good efficiency.


I. INTRODUCTION
Internet of Things (IoT) has won wide attention because of its effects on society and the economy, and it is changing our lifestyle through greater convenience in actual application fields, such as smart healthcare [1]. IoT can provide optimum quality of service (QoS) for end users. In an IoT environment, plenty of devices are connected to each other through the Internet to sense, share and process data. The terminals in the IoT consist of a wide range of devices, such as sensors and laptops. Its goals are to exchange information through wired or wireless communication channels. With the development of wearable biomedical sensors, the emergence of the IoT has brought revolutionary changes in electronic healthcare (e-health). The IoT in medical care has been used to achieve remote health monitoring, study the impact of drug use, and use intelligent medical care to provide more thoughtful care.
In one e-health scenario, sensors are mounted on the patient's side and continuously sense parameters related to the health of the patient like stomach, blood pressure, heart rate and temperature. These health data collected from the terminal sensors are then transferred to the medical server (MS) and stored in the database repository. Doctors can monitor patients' health conditions in real time, even if treatment is being provided in remote areas. Medical treatment based on the IoT reduces medical costs and improves quality of life. Furthermore, patients' medical data are an important information resource containing a wealth of information, which can be in the form of signals, text, voice data, images and so on. This information needs to be protected effectively. However, due to the vulnerability to network attacks of the medical system, sharing the sensitive information of patients in an IoT environment may result in a series of serious security and privacy issues. For example, disclosure of such information to any third party may cause misuse of health data. To provide secure data transmission and storage in an intelligent medical environment, cryptographic mechanisms must be used to protect privacy and avoid network attacks. Moreover, sensors in patients and doctors produce massive amounts of health data in real-time medical treatment, exceeding the processing power of the terminal. Because the storage capacity of the terminal is quite limited, it is not feasible to employ known key management and user authentication methods in the medical system. More precisely, the existing methods mainly rely on centralised management to perform authentication, which brings the burden of key management and the risk of health data leakage.
The associate editor coordinating the review of this manuscript and approving it for publication was Longxiang Gao. VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
A natural problem is how to transfer these health data more efficiently, which becomes a challenging task. The traditional medical data management methods mainly adopt centralised management. In such a model, medical data are usually stored in the database of the medical server. An attacker can delete or modify the data after obtaining the access permissions of the database. What is more serious is that medical servers can directly apply to the database administrator to replace these data. This method not only increases the burden of data management but also makes it difficult to provide effective security guarantees for medical data.
Recently, blockchain has arisen as a decentralised technology that can ensure the integrity of medical data. The advantage of blockchain technology is that it can realise distributed storage of medical data. The modification or deletion of the data of a few participants will not affect the medical data of other participants, and the medical data, with the help of the consensus mechanism of the blockchain, remain intact.
It is an interesting idea to address security and privacy problems for medical networks by making use of blockchain. For the key management and user authentication issues of medical networks, the task requires us to solve user anonymity, traceability and non-repudiation simultaneously. This paper provides an effective method to solve this kind of problem by using blockchain technology.

A. RELATED WORKS
To ensure the security of medical services, it is very important to prevent malicious network intrusion. There is no doubt that the core issue of security is to verify whether the remote user is legal and provide medical data integrity assurance. Recently, many user authentication schemes in e-health have been proposed [2]- [21]. Wong et al. [2] employed the features of hash function and put forth a key management and user authentication scheme for e-health systems. However, Tseng et al. [3] pointed out that their schemes were vulnerable to replay, forgery and password-guessing attacks. In addition, Lee [4] found that the computational cost of Wong et al.'s scheme was too expensive to be suitable for lightweight devices. Das [5] presented an efficient two-factor authentication scheme for the IoT that improved efficiency in terms of computational cost. Unfortunately, Huang et al. [6] claimed that Das's scheme could not resist password-guessing attacks, user impersonation, etc. In addition, Das's scheme does not achieve user anonymity. Subsequently, Yoo et al. [7] declared that Huang et al.'s scheme was vulnerable to insider and parallel session attacks and could not achieve mutual authentication. Subsequently, Das [8] further claimed that Li et al.'s scheme [9] could not support strong authentication in the authentication process and could not achieve password updating locally. Meanwhile, An [10] claimed that Das's scheme [8] had security weaknesses, including vulnerability to user impersonation attacks, server-masquerading attacks, insider attacks, etc. An [10] also presented an enhanced version of the scheme. Unfortunately, Khan and Kumari [11] pointed out that this scheme could fail due to impersonation attacks and password-guessing attacks.
To achieve user anonymity, Chang et al. [12] presented a new key management and user authentication scheme for e-health systems. This scheme can update a secret value in the storage of a smart card every time authentication is performed. However, Das and Goswami [13] pointed out that their scheme had security failures, such as vulnerability to insider attacks and man-in-the-middle attacks, and did not support proper authentication. Arshad and Nikooghadam [14] presented a three-factor anonymous authentication scheme. They claimed that the scheme could provide better secure authentication and ensure user privacy. Afterwards, Lu et al. [15] proposed an improvement of Arshad et al.'s scheme by using an elliptic curve cryptosystem. Islam and Khan [16] presented an anonymous two-factor authentication scheme based on ECC in the random oracle model. They demonstrated that their scheme was secure under the computational Diffie-Hellman problem. Unfortunately, Zhang and Zu [17] and Feng et al. [18] claimed that Islam and Khan's scheme [16] had security flaws such as vulnerability to server-spoofing attacks and off-line password-guessing attacks. Zhang and Zu [17] proposed a dynamic key management scheme supporting the biometric authentication function at a medical service centre, in which the specific value of the biometric template is not known by the medical service centre. Furthermore, Zhang et al. claimed that their scheme could achieve user anonymity during authentication and untraceability.
The authentication of the above schemes mainly relies on flexible security models, and these schemes are required in multiple interactions between users and medical service centres, which will be a major obstacle for mobile users to achieve efficient access to the data centre. Moreover, all these schemes assume that there is a trusted authority centre, which makes the networks vulnerable to damage to the database stored and maintained by the authority centre. Blockchain enables cross-data-centre authentication [18] and provides an efficient method to achieve data integrity.
Huawei et al. [19] presented a blockchain-based key management scheme for an e-health system, which provides an efficient mechanism for protecting sensitive medical data in the health blockchain. Tang et al. [20] and Omar et al. [21] proposed blockchain-based authentication schemes for e-health systems, which are blockchain-based health systems in the consortium blockchain environment. Cao et al. [22] put forward a blockchain-based cloud-assisted eHealth system, which aims to protect outsourced electronic health records from malicious modification. Cheng et al. [23] proposed a blockchain-based two-way medical data authentication scheme, which provides an efficient solution for medical data sharing between hospitals and blockchain nodes. Yazdinejadl et al. [24] put forth a blockchain-based decentralized authentication scheme for hospital networks. Since re-authentication is not required in a distributed network of affiliated hospitals, this architecture not only ensures security and privacy protection, but also reduces transmission overhead. Compared to prior cross-data-centre authentication schemes, cross-data-centre authentication schemes in a public blockchain can improve the efficiency of authentication and can also protect against the attacks mentioned. However, the ledger is distributed (involving all transactions of information) and made public to all network members. Identity management and user authentication based on blockchain has become an interesting and emerging research topic for protecting the privacy of users.

B. MOTIVATION AND CONTRIBUTIONS
This paper makes the following contributions in achieving user authentication for e-health systems:
• We put forth a new method to resolve the security weaknesses of the existing schemes, which enables flexible cross-data-centre authentication.
• Our scheme can be applied to medical systems in which terminal devices require only lightweight computation.
• We analyze the correctness of the functionality of our scheme under the BAN logic, proving that our proposal meets the security requirements, and simulating the scheme in the NS shows the efficiency of our scheme.

C. OUTLINE
The rest of the paper is structured as follows: Section II mainly reviews the required preliminaries. In Section III, the network model and security requirements are discussed in detail. Our construction is proposed and a security analysis is described in Section IV and Section V, respectively. Then, we present the performance analysis in Section VI, and the evaluation and simulation results are described in Section VII. Finally, Section VIII summarises the paper.

A. HARD PROBLEMS
A non-regular elliptic curve $E_p$ is defined by the equation where $a, b \in Z_p^*$ and $p$ is a large prime. The sufficient condition is $4a^3 + 27b^2 \neq 0 \pmod{p}$. In our scheme, there are two hard problems: the computational Diffie-Hellman problem (CDHP) and the discrete logarithm problem (DLP).
Definition 1 (Computational Diffie-Hellman Problem (CDHP)): For any $a, b \in Z_q^*$, there is a generator $P$ of the cyclic group $G$ of order $q$. As a result, for a given $P$, $aP$, $bP$, computing $abP$ is a hard problem.
Definition 2 (Discrete Logarithm Problem (DLP)): For any additive cyclic group $G$ of order $q$ on the elliptic curve, there is $xP \in G$ such that computing $x$ is a hard problem.
Remark 1: From the above definitions, we note that there is an equivalent result: given $xP$, $yP$ and $zP$ in $G$, calculating $z = xy$ is computationally infeasible.

B. PERMISSIONED BLOCKCHAIN SYSTEM
A blockchain consists of blocks that are interlinked to form a chain and protected by a cryptographic primitive, and a new block can be added to the blockchain. Blockchain contains many nodes, but these nodes are not required to trust each other; if enough nodes are honest, security in the blockchain can be guaranteed [25]. Specifically, each block includes three sections: a hash pointer (where the hash pointer points to the fore block), a time-stamp and transaction data. The validity of these transaction data can be verified by most nodes. As shown in Fig 1, Hash, Pre − Hash, Nonce, Time and Tr denote the current block hash value, previous block hash value, solutions for the proofs-of-work, time-stamp and transaction data, respectively.
Blockchain is an unchangeable ledger, which is constructed in a distributed way without central authorisation. Each member of the blockchain represents a node involved in the calculation. These nodes verify transactions in a process called ''mining'', and these nodes are known as ''miners''. These miners validate the transactions and produce blocks with an efficient set of transactions by reaching consensus using a consensus mechanism. Since Bitcoin was introduced to blockchain, different types of permissioned chains were introduced [26], such as public permissionless blockchain [27] and public permissioned blockchain [28], [29]. On the one hand, such blockchains are based on the idea that each participant is granted special permissions to execute specific functions. In a public blockchain, anyone can participate in mining without a designated identity. Public blockchains usually involve local cryptocurrencies and utilise economic incentives and consensus mechanisms [30] like proof-of-work (POW) and delegated proof-of-stake (DPOS). A blockchain that is completely private or limited to a finite group of authorised nodes is considered a private permissioned blockchain.
On the other hand, permissioned blockchain implements the blockchain with a set of known, specific participants and provides a method to ensure interaction between a set of entities with common goals but not full trust in each other. Permissioned blockchain is limited to a set of authorised participants, which permits participants to create a network, and multiple organisations can join the network by having their own peers. Our scheme chooses a permissioned blockchain based on the design criteria of our model. First, widely accepted consensus algorithms such as proof-of-work (PoW) in the current blockchain-based e-health systems consumes too many calculations, and the transaction confirmation speed in these networks is slow. Due to the limitation of the networks, it is difficult to meet the complex security requirements of PoW. Second, a remarkable feature of permissioned blockchain compared to other classes of blockchains is that it has an authorisation function.

III. NETWORK MODEL, NETWORK ASSUMPTIONS AND SECURITY REQUIREMENTS

A. NETWORK MODEL
In our model, we assume a blockchain network in which each member holds a related distributed ledger. The network systems are formed with the following main participants: Founder, the user (U i ), registration center(RC), and medical server (MS j ). In essence, our model establishes a blockchain network containing trusted members, such as Founder, RC and MS j . Founder is responsible for supervising RC and managing users. The responsibility of RC is to check the user's identity information and add this information to the blockchain as a transaction for mining user enrolment requests. After successful execution of the process, RC generates the credentials of user U i , and U i then proves himself to the medical server MS j . The resulting network model is shown in Fig 2.

1) REGISTRATION CENTER (RC)
RC is a trusted server, which is in charge of enrolling U i and tracing illegal participants. RC assigns all participants to key materials, and it can use smart contracts to record participants' key materials in the blockchain.

2) MEDICAL SERVER(MS j )
The main responsibility of MS j is to coordinate the access of end users. Each MS j is responsible for supervising and managing a group of U i . This enables better scalability and expands the limited functionality of U i . MS j reduces the burden of storage, memory, and computation involved in the authentication process for U i . In addition, it serves as a trusted recorder for only key publishing and updating in our model.

3) END USERS
End users are terminals requesting access rights from smart contracts to access certain MS j . Once each U i gains access rights through a smart contract, U i contracts MS j , which completes the process of authentication and access.
In our scheme, suppose our scheme is in the permissioned blockchain environment. Based on the network, each legitimate member has a distributed ledger, and the system allows new members to join the network and accepts most existing members. Moreover, the transactions in our scheme are used to stimulate smart contracts for registration, while smart contracts help record public keys for efficient identity and maintain a key material table. The system uses the underlying smart contract to support conditional anonymous authentication for the participants.

B. NETWORK ASSUMPTIONS
For convenience, we consider the following network assumptions:
• We use blockchain technology as a distributed ledger, and smart contract records are considered reliable throughout the process.
• In e-health systems, the medical server and registration centre construct a permissioned blockchain network.
• Under normal conditions, the key of the medical server does not need to be updated in our scheme.

C. SECURITY REQUIREMENTS
Our distributed model in blockchain must meet the following design goals with regard to security and performance:
• Mutual authentication: Only enrolled U i and MS j are present in the e-health system to implement our scheme for verifying identity information before message exchange.
• User anonymity: To ensure the identity privacy of U i , no potential attacker in the system can capture the identity information of U i in the process of authentication.
• Non-repudiation property: Upon completing the related transaction, no adversary can deny the facts in the process of communication.
• Impersonation attack: In carrying out an impersonation attack, no adversary can impersonate one of the communicators during the authentication process.
• Conditional traceability: To monitor the malicious or misbehaving communicators, we assume that only a third party declares the real identity of the participants.
• Session key agreement: During the execution of the proposed scheme to further exchange confidential messages, the session key is shared only between participants; RA cannot even acquire any knowledge about the session key.
• Resilience against other attacks: Next, we consider some other types of attacks. Namely, our proposal should be resilient to other main attacks, including the man-in-the-middle (MitM) attack, the stolen smart card attack and the offline password-guessing attack.

IV. OUR CONSTRUCTION
In this part, we introduce an identity management and user authentication scheme maintained on a medical server. The proposal provides mutual authentication and privacy protection. Then, the details of the scheme are given. Some notation is described in Table 1. Normally, identity password information stored in a remote database is used to authenticate the medical server. Upon obtaining the login message of a user, the medical server inquires the identity information from the database, calculates the related password or the hash value with the target string, and compares it to see whether it matches previous values. However, identity password information may be subject to a series of attacks, such as stolen smart card attacks and anonymity exposure.
To overcome these weaknesses, we adopt the technology of Wazid et al. [31] and design a new identity management and user authentication scheme. The specific details are as follows:

A. INITIALISATION PHASE
For two large primes p, q and a non-regular elliptic curve E p , there is an elliptic curve additive cyclic group G of order q and a generator P of G. Initially, Founder utilizes ECC to initialize the e-health system. The system constructs a permissioned blockchain network with a trusted forum of members, including RC and MS j , where the required participants (such as the RC and medical server MS j ) form a consortium.
Founder writes smart contracts in order to provide an access control function. Specifically, RC and MS j establish a consortium blockchain and rely on practical Byzantine fault tolerance (PBFT) for the consensus mechanism. For simplicity, RC and MS j can directly join a known blockchain system. They execute the operations below to initialise a series of system parameters:
(1) Choose a cryptographic hash function h.
(2) RC calculates R = αP by choosing a long-term secret key α and pushes it into the blockchain network.
(3) MS j calculates A j = β j P by choosing a long-term secret key β j and pushes it into the blockchain network.
(4) Publish the system parameters (R, A j , P, h).

B. ENROLMENT PHASE
In this part, user U i contacts RC with his/her personal biometric information. Under the process, RC checks the identity of U i , issues him/her with a smart card and records the identity information of U i on the blockchain. The details of this process are as below:
Step 1. U i chooses ID i and a random number k i ∈ Z * q and calculates RID i = h(k i ID i ). U i then pushes the personal biometric data Bio i into the reader and enables the fuzzy extractor to obtain the biometric information (σ i , θ i ); we have (σ i , θ i ) ← Gen(Bio i ), where σ i and θ i denote secret and public parameters, respectively. U i then sends an enrolment request RID i to RC.
Step 2. Upon receipt of the enrolment request, RC chooses t i ∈ Z * q and calculates Next, RC sends the user enrolment-transaction RT = (RID i , R, s i , T i ) to the blockchain system. Once RC completes mining, the information RT in the blockchain ledger is updated. Then, RC saves SC = (RID i , s i , k i , T i ) on the smart card and returns it to U i securely.
Step 3. After receiving SC from RC, U i chooses µ i ∈ Z * q and computes

C. LOGIN PHASE
When a registered user wishes to obtain the medical services provided by MS j via a public channel, U i produces login messages after obtaining information from MS j by executing the steps below.
Step 1. U i adds his/her smart card into the reader and submits his/her identity ID i and password PW i ; then, a search is performed to obtain the biometric Bio i .
Step 2. Using the information stored on the smart card, U i computes as follows: Upon completing the above computations, U i checks that the validity of the equation CH * i = CH i holds. If it holds, the above verification passes. Otherwise, U i terminates the session.
Step 3. U i then chooses two random numbers a i , b i , creates the current time-stamp TS 1 , and performs the following operations using the stored information on the smart card: Then, U i hands the login request (B i , η i , S i , T i , TS 1 ) to the medical server MS j .

D. MUTUAL AUTHENTICATION AND KEY AGREEMENT PHASE
In this part, MS j validates user U i using the identity information recorded in the blockchain ledger. Next, the medical server MS j establishes a session key with user U i , as summarised in Fig 3. The related process is executed below.
Step 1. MS j checks the freshness of TS 1 with TS 1 − TS 1 ≤ TS 1 , where TS 1 denotes the current time-stamp of U i . If this condition holds, MS j calculates = a i b i and then, MS j checks whether B i = η i S i . If so, the login request message is considered to be efficient. Otherwise, MS j ends the session.
Step 2. MS j chooses two random numbers c j , d j and the current time-stamp TS 2 and calculates By using the current values, MS j calculates the session key shared with U i as K ij = h((V j + C j ) B i TS 1 TS 2 ). MS j hands (V j , C j , w j , TS 2 ) to U i .
Step 3. Upon obtaining the messages (V j , C j , w j , TS 2 ) from the medical server MS j , user U i checks the freshness of TS 2 with TS 2 − TS 2 ≤ TS 2 , where TS 2 denotes the current time-stamp of U i . If it holds, U i further checks if w j P = (β j z j + d j )P + c j P = V j + C j = W j . If so, U i believes that this is a valid login response message. Otherwise, the connection ends. U i creates the session key shared with MS j as Auth ij = h(W j B i TS 1 TS 2 ). U i then obtains the current time-stamp TS 3 , computes K ij = h(Auth ij TS 3 ), and sends the message (K ij , TS 3 ) to MS j via a public channel.
Step 4. Upon receiving (K ij , TS 3 ) from U i , MS j checks the freshness of TS 3 with TS 3 − TS 3 ≤ TS 3 , where TS 3 denotes the current time-stamp of MS j . If it holds, MS j calculates K * ij = h(K ij TS 3 ) and checks whether K * ij = K ij . If so, this is K * ij = K ij . Otherwise, MS j terminates the process. The above verification ensures successful mutual authentication between U i and MS j . Finally, U i and MS j generate a common secret session key SK ij = Auth ij = K ij = h(W j B i TS 1 TS 2 ).
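The Step 2 response and the Step 3 check w_j P = V_j + C_j described above, as an added example that is not code from the paper. The curve (secp256k1), SHA-256 over length-prefixed fields in place of the concatenation inside h, the 5-second freshness window, the on-curve check and the stand-in values for B_i and T_i are assumptions, since the page does not fix them.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed; the paper does not name its curve)
P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None       # point at infinity
MAX_DELAY = 5    # freshness window in seconds (assumed value)

def ec_add(p1, p2):
    """Add two affine points on y^2 = x^3 + 7 over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def ec_mul(k, pt):
    """Double-and-add k*pt (not constant-time; illustration only)."""
    acc, k = INF, k % N_ORDER
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def on_curve(pt):
    """Added hardening: reject received points that are not on the curve."""
    return pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - 7) % P_FIELD == 0

def h(*parts):
    """SHA-256 over length-prefixed fields; stands in for the paper's h."""
    d = hashlib.sha256()
    for part in parts:
        if isinstance(part, tuple):      # curve point
            raw = part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big")
        elif isinstance(part, int):      # scalar or time-stamp
            raw = part.to_bytes(32, "big")
        else:
            raw = bytes(part)
        d.update(len(raw).to_bytes(4, "big") + raw)
    return int.from_bytes(d.digest(), "big")

def ms_respond(beta_j, id_ms, T_i, B_i, ts1, ts2):
    """Step 2: MS_j builds (V_j, C_j, w_j, TS_2) and its own key K_ij."""
    A_j = ec_mul(beta_j, G)
    z_j = h(id_ms, A_j, T_i) % N_ORDER
    c_j = secrets.randbelow(N_ORDER - 1) + 1
    d_j = secrets.randbelow(N_ORDER - 1) + 1
    v_j = (beta_j * z_j + d_j) % N_ORDER
    V_j, C_j = ec_mul(v_j, G), ec_mul(c_j, G)
    w_j = (v_j + c_j) % N_ORDER
    K_ij = h(ec_add(V_j, C_j), B_i, ts1, ts2)
    return (V_j, C_j, w_j, ts2), K_ij

def user_verify(resp, B_i, ts1, now):
    """Step 3: U_i checks freshness and w_j*P == V_j + C_j, then derives Auth_ij."""
    V_j, C_j, w_j, ts2 = resp
    if abs(now - ts2) > MAX_DELAY:
        return None                      # stale or future-dated response
    if not (on_curve(V_j) and on_curve(C_j)):
        return None
    W_j = ec_add(V_j, C_j)
    if W_j is INF or ec_mul(w_j, G) != W_j:
        return None                      # response altered or malformed
    return h(W_j, B_i, ts1, ts2)

def demo():
    """Run the exchange on constructed inputs; returns the three outcomes."""
    beta_j = secrets.randbelow(N_ORDER - 1) + 1          # MS_j long-term key
    B_i = ec_mul(secrets.randbelow(N_ORDER - 1) + 1, G)  # stand-in for login B_i
    T_i = b"constructed-T_i"                             # stand-in enrolment value
    ts1, ts2 = 1_700_000_000, 1_700_000_001              # constructed time-stamps
    resp, k_ms = ms_respond(beta_j, b"MS-1", T_i, B_i, ts1, ts2)
    auth = user_verify(resp, B_i, ts1, now=ts2 + 1)
    V_j, C_j, w_j, _ = resp
    tampered = user_verify((V_j, ec_add(C_j, G), w_j, ts2), B_i, ts1, now=ts2 + 1)
    stale = user_verify(resp, B_i, ts1, now=ts2 + 60)
    return {"keys_match": auth == k_ms, "tampered": tampered, "stale": stale}

if __name__ == "__main__":
    print(demo())
```

An unmodified, fresh response yields the same key on both sides, while a response with an altered C_j or one replayed outside the window is rejected.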

E. PASSWORD UPDATE PHASE
As a legitimate user U i , it is ready to update his/her password or biometrics for security reasons during the user registration phase, our scheme will perform the updating of the password and biometrics. For each user U i , his/her biometric information is unique and unchanged. The steps below complete the process.
Step 2. MS j replaces the prior values with the newly generated values in memory.

V. SECURITY EVALUATION
In this part, we consider a relevant security analysis that aims to analyze the below properties of our proposal, which can resist existing attacks and provides some additional features, such as conditional traceability and the non-repudiation property. Next, we provide some related methods to achieve security proof, such as BAN logic [33] and the Scyther tool [34], [35].

A. SECURITY ANALYSIS

1) MUTUAL AUTHENTICATION
Only an authenticated U i can exchange information with MS j . MS j verifies the legitimacy of U i based on the equation below, the robustness of which is shown next.
An attacker cannot learn the information of a i , b i because of the hardness of the CDHP. That is, the value of B i cannot be calculated by a malicious user. Therefore, MS j achieves the authentication of U i . Additionally, MS j can be authenticated by U i by verifying the above equation. Therefore, our scheme has the mutual authentication feature.

2) USER ANONYMITY
Our scheme uses a randomly produced unique identity RID i = h(ID i k i ) for each enrolled user and stores RT = {RID i , R, A j , T i } as identity information on the blockchain, which is similar to storing a public key in a public blockchain.
In each authentication phase, U i 's pseudo-identity RID i is adopted instead of the actual identity ID i . Furthermore, in the network enrolment phase, RC stores RID i in the blockchain, which does not leak ID i . In short, the identity of U i is hidden, and our scheme achieves anonymity.

3) NON-REPUDIATION PROPERTY
To obtain the non-repudiation property, personal user biometrics are built in our scheme. User biometrics have the following characteristics: uniqueness, unforgeability and difficulty of replication. Moreover, our scheme also provides some additional features. Namely, if a user inadvertently loses the certificate, the system performs revocation and reissue/update of user credentials. This information is also recorded in the blockchain ledger. Thus, our scheme supports the non-repudiation property. In other words, once a transaction is completed and successfully logged, it cannot be rejected.

4) IMPERSONATION ATTACK
During the implementation of our scheme, there may be two types of attacks: Case 1. RC impersonates user U i : In this case, RC tries to create a valid request with the key K ij , where K ij denotes the shared key between U i and MS j . However, RC creating such a key is equivalent to computing a i b i P. Moreover, the confirmation message is considered to be Auth ij = h(W j B i TS 1 TS 2 ). However, using the above available tuple to compute the key a i b i P is as hard as the CDHP in G.
Case 2. MS j impersonates user U i : As above, it is not feasible for adversaries to create valid requests and confirmations without user secrets, including MS j . Suppose that the transmitted messages can be captured by an attacker A. Now, A attempts to extract a series of sensitive pieces of information to convince a medical server (MS j ) that it is a legitimate user. In this way, A may create an effective message as a login request. Still, any knowledge of these parameters can be obtained by A. To create a new login request, it is not feasible to simulate the message captured by A's task to impersonate a user. Thus, our proposal can avoid impersonation attacks by any A, including MS i and RC.

5) CONDITIONAL TRACEABILITY
Assume U i is found to have behaved maliciously using identity information RID i . RC is able to trace U i and reveal the actual identity ID i after specifying the malicious authentication message, as follows:

6) SESSION KEY AGREEMENT
Upon capturing the proper session key, A may attempt to capture the information (V j , C j , w j ), where z j = h(ID MS j A j T i ), v j = β j z j + d j , V j = v j P, C j = c j P, and w j = v j + c j mod q. Even if the random number c j and identity ID MS j are leaked to A, the random nonce c j and d j cannot be exchanged over the public channel, and the attacker can learn an efficient session only if A solves the DLP.

7) RESISTANCE TO OTHER ATTACKS
Our proposal is believed to resist a series of existing attacks.

a: MitM ATTACK
To resist MitM attacks, it is assumed that the attacker A has the ability to intercept the exchanged messages in the implementation of our proposal. A then attempts to alter these messages to deceive U i . Furthermore, to modify the messages, A tries to intercept secret information (θ i , L i , H i , CH i , s * i , T i ). For similar reasons, A also may not modify other messages. This manifests that our proposal can avoid the MitM attack.

b: REPLAY ATTACK
It is assumed that an attacker has the ability to capture the transmitted message. Even if the attacker responds to these messages later, we can verify the validity of the sent message by analyzing the relevant timestamp TS in this message. Since TS is very small, the proposal can resist replay attacks.

c: STOLEN SMART CARD ATTACK
After intercepting the information of the smart card, the attacker may extract secret information related to users. Conversely, even if RT is captured by the attacker, U i can still control the smart card, and the unidirectionality of the hash function makes it almost impossible for the attacker to guess ID i . Thus, our proposal can avoid stolen smart card attacks launched by the attacker.

d: OFFLINE PASSWORD-GUESSING ATTACK
Upon obtaining the information (V j , C j , w j ), the attacker aims to guess both ID i and PW i to satisfy the equation. Calculating the above parameters correctly simultaneously is impossible. Therefore, our proposal can avoid offline password-guessing attacks.

B. LOGIC PROOF BY BAN LOGIC
Burrows et al. [33] proposed a logic of authentication in 1989, which is popular for checking the correctness of authentication protocols. BAN logic is a belief-based modal logic that can be used to prove whether the implementation of a protocol achieves the expected goals and to discover shortcomings in the protocol design. The main notations are listed in Table 2.
Based on this idea, our proposal considers the below logical rules in our proof. The method of using BAN logic for security proof is to infer from the security that the desired security target follows the four security assumptions given above.
TS 3 ). Idealized form: The idealized form of our scheme is as below: In terms of our scheme description, we provide the below security hypotheses in our scheme.
In addition, we provide the below security goals that aim to prove our scheme.
According to the Message 1 message, there is We employ MMR and the assumption H 1, this is: We use the FPR, NVR and the assumption H 7, this is According to (25), (26) and H 4, we employ NVR, this is In addition, according to (27) and the assumption H 7, we use JR, this is: From the Message 2 message, there is We use MMR and the assumption H 3, this is: According to H2 and (30), we employ FPR, this is By (30) and (31), we use NVR, this is According to the Message 3 message, there is and (32) via MMR, this is: Then, we employ FPR, this is According to (35) and H 8, we use JR, this is Thus, the proof of the goals are achieved according to H 3, (28), (32) and (36).

C. SCYTHER TOOL VERIFICATION
In this part, the test is performed with the formal verification tool Scyther [34], [35]. As an efficient test tool, Scyther automatically validates security protocols. It can prove protocol properties by using Scyther claims with an unbounded number of sessions; there are four claims, including Alive, Nisynch, Secret and Commitment. The phase of achieving expected communication in certain events is called ''Alive''. The attack model used by Scyther is the Dolev-Yao model [36]. In addition, Scyther produces attack graphs for the possible attacks it detects. Specifically, the verification process of our proposal is shown below. From Fig 4, we find that Scyther can check the security requirements of our scheme and confirms the four claims. Thus, the results show that our proposal can avoid the known main attacks and guarantee the related security requirements.

VI. PERFORMANCE ANALYSIS
In this part, we compare our scheme with prior relevant schemes [15], [16], [19], [21], [32] in the literature in terms of functionality and computational/communication overhead. However, we only evaluate the performance of the authentication process. Table 3 shows the comparison of functionality features for the relevant key management and user authentication schemes [15], [16], [19], [21], [32]. We note that only our scheme meets the known security requirements in the fields of the core networks. Furthermore, our scheme considers a permissioned blockchain network with the features of blockchain. In the network, each legitimate member participates in the system and holds distributed ledgers. Unlike our scheme, the three schemes [15], [16], [32] [21] do not provide the feature of private permissioned blockchain. Therefore, our scheme can achieve better performance.

B. COMPUTATIONAL OVERHEAD
For ease of analysis, we employ the related cryptographic operations in the C/C++ OPENSSL library to simulate the computational overhead of a medical server and an end user. We obtain the execution times from [37] and [38], as described in Table 4. Next, we provide a comparison using these parameters. The results are listed in Table 5.
From Table 5, the computational overhead of He et al. [32] and Huawei [19] is lower than that of other schemes because the two schemes use hash functions. Comparatively speaking, the other four schemes are based on ECC. In contrast, the overhead of our proposal is lower than that of the other three schemes. However, the computational overhead of our scheme is not much different from that of the schemes in [16] and [21].
Although the methods of He et al. [32] and Huawei [19] seem to be more efficient than our proposal in terms of the number of participants, as expounded in Table 3, the results of the above methods are insecure. From the perspective of security, this makes our scheme a more appropriate method. Therefore, our proposal provides better security than others (shown in Table 3).

C. COMMUNICATION OVERHEAD
To better analyse our scenario, we define the bit size of the parameters in our experiments below, in Table 6. A comparison of the communication overhead between our proposal and previous methods is presented for e-health systems in Table 7.
In terms of communication overhead, we provide an analysis in Table 7. From this point of view, it is obvious that our proposal is more efficient than the others. Next, we analyse the bandwidth consumption of the related schemes, which is described in Table 7. these schemes in [15], [16], [19], [21], but slightly larger than that of the scheme in [32].
In this context, the efficiency of the scheme in [15] is low, as it has a high communication overhead. Users in the schemes in [16], [19], [21] exchange messages with the medical server remotely. Thus, the communication overhead incurred by the end users in these schemes is also very high.

VII. NS3 SIMULATION
In this section, our proposal is evaluated using the NS-3 V3.28 simulator [39]. We provide an efficient test method by using relevant feasible parameters. NS-3 is a practical network simulator that is widely used in many research fields, such as blockchain. The parameters of our evaluation are shown in Table 8. In our scenario, the network simulation runs for about 1500 seconds, during which different medical transactions occur. For simplicity, we consider throughput and time overhead as the simulation metrics.
To compare the performance indicators of the scenario, we consider a single scenario in the simulation process as a basic case. The basic model does not employ blockchain technology. Furthermore, these protocols only use traditional approaches to authenticate users in the medical systems, which require a third party and various medical servers that carry out the communication process between different entities.

A. THROUGHPUT
In our scheme, throughput represents the number of health transaction requests that are completed between different medical servers. In Fig. 6, since we use blockchain networks and optimized patient authentication algorithms among the medical servers. From Fig. 6, it can be noted that the throughput increases as the number of users increases.

B. TIME OVERHEAD
Time overhead represents the processing time in the authentication process. As indicated in Fig 7, the authentication process of our model for patients/doctors and other entities is an effective manner of transmission. In addition, it is worth noticing that the time overhead increases with the growth of the number of users.

C. ENERGY CONSUMPTION
Energy consumption represents the energy consumed when recording, creating or updating medical data during the transactions. It can be calculated as follows: where EC t represents the whole energy consumption during transactions, U represents the number of user transactions, MS represents the number of medical service centres, e j represents energy consumption during each transaction, T denotes the time.
In the traditional application scenario, re-authentication between the user and the medical service center takes a lot of energy. In our model, we provide an efficient authentication method during transactions that does not require re-authentication. In comparison, our solution reduces energy consumption. However, the energy consumption also increases when the number of transactions increases. The relevant results are illustrated in Fig 8.

VIII. CONCLUSION
The capability to achieve secure and efficient identity management and key authentication is crucial in e-health systems. In this paper, we put forward a PBBIMUA scheme for e-health systems using personal biometrics, which is a new key distribution mechanism. As far as we know, this is the first such scheme that achieves privacy protection by recording identity information using blockchain technology. The findings of the rigorous security analysis confirm that our proposal is secure and can avoid known attacks such as replay, impersonation, and MitM attacks. In addition, a highlight of our proposal is that it supports the function of user credential reissue/update with reduced communication overhead and computational overhead. The performance evaluation indicates that the proposal has better efficiency than most prior schemes. Thus, our scheme has strong scalability and can be widely used in IoT-based e-health environments.