An Anonymous Key Distribution Scheme for Group Healthcare Services in 5G-Enabled Multi-Server Environments

Fifth generation (5G) mobile technology enables a new kind of network that provides high peak data rates, ultra-low latency communication and high user density. Electronic healthcare (e-health) allows the data to be stored and shared in a highly efficient and flexible manner. Group e-health services help in improving long-term results of the treatments due to its collaborative characteristic. The services including real-time remote patient monitoring and transmission of large health data files can be facilitated by e-health systems enabled with the 5G network. Since the communication channel is open, security and privacy in the system should be taken into account. Our work proposes a key distribution scheme for group healthcare services in 5G network environments. We construct various healthcare domains and apply the proposed scheme to the group services. The paper also introduces Single Sign-On (SSO), a cost-efficient solution, for multi-server architecture of the constructed system. Security and privacy of the scheme are enforced by a three-factor authentication mechanism (integrating smart card, password and biometrics) and strong user anonymity property. We provide security proof of the proposed scheme using various well-known tools including RoR model, BAN logic and AVISPA simulation. Results of various performance comparisons indicate that our scheme provides most functions and bears rational costs, compared with its related works.


I. INTRODUCTION
Along with Internet of Things (IoT), Fifth Generation (5G) wireless technology is essential to various digitized applications. 5G technology provides high peak data rates with ultra-low latency and massive network capacity [1]. For obtaining such advances, unlike the previous generations (e.g., 4G), 5G is composed of two-tier heterogeneous cellular networks (HetNets) with integrated access and backhaul (IAB) [2]. Specifically, the network architecture is designed with macro base stations (MBSs) and small cell base stations (SBSs). Therein, the MBSs provide millimeter-wave backhaul to the SBSs for extending the networks. The devices can
5G networks are able to support diverse applications with high reliability, information security, and seamless medical data transfer. Prominent use cases include real-time remote monitoring for telemedicine, and transmission of large health data files. Since 5G provides the ultra-low latency, healthcare providers can monitor patients remotely and gather real-time data efficiently, without the worry of network blackouts, disconnections or lag time [15], [16]. It facilitates preventative care and other individually tailored healthcare provisions. Due to the high peak data rates supported by 5G, large data files in the systems can be efficiently transmitted between the users and providers for efficient patient treatments. For example, large image files created by Computerized Tomography (CT) or Magnetic Resonance Imaging (MRI) scans can quickly be transported to specialists for review [17], [18]. In addition, smart healthcare and the Internet of Medical Things (IoMT) [19]-[21] would be efficiently constructed due to the integration of 5G and e-health systems. Besides using individual services, multiple members of a family may join common healthcare services, for instance genetic testing [22]. In this way, they can conveniently know of the health status of the family members.
Since families play an important role in promoting health and reducing the risk of illness [23], the services will significantly improve long-term results of medical treatments. The group health services can also be provided by healthcare teams at hospitals, healthcare institutions, or emergency centers. The whole treatment would be improved due to the collaborative work of the healthcare teams [24]- [26].

B. THE PROBLEMS
In a 5G-enabled healthcare environment, there are various e-health users [27], [28], including patients, physicians, pharmacists, medical researchers, caregivers, etc. The servers should be healthcare providers (e.g., hospitals), data center administrators, or medical professionals that provide services for specific users [29]. Since the users and servers communicate over the open Internet, their sensitive information is exposed to various attacks. Therefore, security and privacy of the e-health systems are of paramount importance [13], [30]. This requires a robust mechanism that can prevent possible security risks. Password-based or two-factor (integrating password and smart card) authentication schemes were proposed in many works to address the security issues [31], [32]. However, these are still not robust solutions. For example, in schemes designed with two-factor authentication, if the adversaries know the user's password, they can easily perform the attacks using a stolen smart card. With the single-server architecture designed in a lot of works, the entities must store massive credentials (e.g., identities, passwords, etc.) to obtain an increasing number of healthcare services [33]. Therefore, this architecture has been unable to meet the requirements of convenient and cost-efficient communication.

C. RELATED WORKS AND MOTIVATION
Jiang et al. [34] proposed a remote biometrics user authentication scheme in a multi-server environment. Odelu et al. [35] proposed a secure biometrics-based multi-server authentication protocol using smart cards. In addition, Park and Park [36] also designed a three-factor user authentication and key agreement using elliptic curve cryptosystem in wireless sensor networks. Qi et al. [37] introduced a biometrics-based authentication key exchange protocol for multi-server telecare medical information system (TMIS) without sharing the system private key with distributed servers. However, none of [34]-[37] designed their schemes with center-less authentication, where the registration center does not participate in the key agreement process. Moreover, the schemes of Jiang et al. [34], Park and Park [36] and Qi et al. [37] did not provide user untraceability, multi-server architecture and three-factor authentication, respectively. Another secure three-factor authentication scheme was proposed by Xu et al. [38] with a multi-server architecture. Besides, Hsu et al. [39] presented a three-factor fast authentication scheme with user anonymity for TMISs. Liu et al. [40] introduced their work with a biometric-based authentication scheme and privacy protection. According to Hsu et al. [39], Liu et al. [40] does not provide three-factor authentication, user anonymity, and user untraceability. Jiang et al. [41] presented a three-factor authentication scheme with privacy protection for e-health clouds. It is observed that the scheme of Jiang et al. [41] is not resilient to replay attacks, stolen smart card attacks and desynchronization attacks [39]. Moreover, Liu et al. [40] and Jiang et al. [41] cannot prevent Denial-of-Service (DoS) attacks. Jiang et al. [41] also did not introduce multi-server architecture in their proposed protocol. Wong et al. [42] proposed an efficient three-factor authentication protocol for multi-server e-health systems in 5G wireless sensor networks.
However, the biometric noise was not discussed and addressed in their scheme. Specifically, a valid biometric template of an individual may not be exactly the same as the one stored in the smart card. Since the biometrics is then computed in a hash function, the result would not pass the verification process. This is an important issue that needs addressing in the schemes designed with biometrics-based authentication. The issue can be remedied by various solutions [43], such as error-correcting codes, fuzzy commitments, fuzzy vaults, and biohash function. Among them, biohash function provides the noise tolerance with an efficient operation. Furthermore, none of the above-mentioned works proposed a mechanism for group service communications.
Harn et al. [44] presented a novel design of group key distribution using only the logic exclusive-or (XOR) operation, and demonstrated its applications in various network models. A group key distribution scheme was introduced by [45] for a large size of group communication. In addition, Jiao et al. [46] proposed an efficient group key distribution protocol that can meet forward security and backward security. Tselikis et al. [47] proposed an anonymous conference key distribution system, based on the elliptic curves, one-way hash functions and random pseudonyms. However, all the works of [44]- [47] introduced neither three-factor nor biometric-based authentication in their schemes. A secure authentication and group key distribution scheme for resource-limited Wireless Body Area Networks (WBANs) was proposed by Tan and Chung [48]. In their proposal, electrocardiogram (ECG) feature is applied as the unique synchronous factor for biometric authentication. Despite that, their scheme provided the identity authentication of the sensors, instead of the users with three-factor mechanism. Recently, Hsu and Le [49] proposed a group key distribution scheme with anonymous three-factor identification. The dynamic key distribution mechanism with complex steps in their work is not suitable to the group healthcare communication. Moreover, we found that their protocol did not address the biometric noise issue.

D. OUR CONTRIBUTIONS
In this paper, we propose an anonymous key distribution scheme for group healthcare services in 5G-enabled multi-server environments. Our scheme allows the servers to distribute a common key to a group of users for conducting group services. The main contributions of this paper are as follows.
• We propose a 5G-enabled secure group communication model for various healthcare domains. The domains include personal care, home care and community care. Due to the proposed system model, the communications for group healthcare services can be efficiently facilitated by the high-speed 5G environments.
• The proposed scheme is designed with three-factor authentication integrating smart card, password, and biometrics, which provides a high security communication environment. User anonymity is also preserved during the communication process that is carried out via unreliable channels. Thus, the group key can be distributed in a secure and privacy-preserved manner. The common group key solution does not only enable group services, but also helps in saving the cost, due to the support of a single procedure (e.g., health data encryption) for all users. We employ Rabin cryptosystem in the scheme to achieve an efficient computation, since its encryption cost is much less than the one of Rivest-Shamir-Adleman (RSA) system.
• Our work introduces a single sign-on (SSO) solution [39], [40], [42] for group services in a multi-server environment. This solution allows users to use a single set of credentials stored in their smart cards to obtain services provided by multiple servers. It helps to significantly reduce the overhead, especially the storage cost. The SSO solution is achieved when the users store all information registered with multiple servers in the mobile devices [31], [39], [42].
• We provide a solid security proof of our scheme using various tools including Real-or-Random (RoR) model, Burrows-Abadi-Needham (BAN) logic, and Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation. In addition, we also demonstrate that our work is resilient to a lot of well-known attacks, such as DoS attacks, replay attacks, man-in-the-middle (MITM) attacks, etc.
• Our work presents an exhaustive performance analysis in terms of functions, communication cost, storage cost, and computation cost. The results of various comparisons indicate that the proposed scheme supports the most functions and bears rational costs, compared with the competitive ones.

E. PAPER STRUCTURE
The rest of the paper is organized as follows. In Section II, we provide technical preliminaries of the proposed scheme. In Section III, we present the system construction, formal security model and security goals. In Section IV, we provide the design details of the proposed scheme. Section V and Section VI present security analysis and security simulation of our work, respectively. Performance evaluation and the comparisons are provided in Section VII. Finally, we draw some conclusions and discuss several future works in the last section of the paper.

II. TECHNICAL PRELIMINARIES
In this section, we briefly describe Rabin cryptosystem, advanced encryption standard, one-way hash function and biohash function.

A. RABIN CRYPTOSYSTEM
Rabin cryptosystem is an asymmetric encryption method, which relies on intractability of the integer factorization problem assumption (IFPA) [50], [51]. The cryptosystem consists of three algorithms: key generation, encryption and decryption. Although Rabin's decryption speed is roughly the same as the one of RSA, its encryption speed is much faster since it is computed using a modular squaring. Algorithms of the Rabin system are described as follows.
• Key generation: Two distinct primes (p, q) are randomly selected as the private keys of the system, in which p ≡ q ≡ 3 mod 4. The corresponding public key is computed by n = p · q.
• Decryption: Applying the Chinese Remainder Theorem (CRT), we can decrypt c by computing m = √c mod n. The private keys (p, q) are necessary to efficiently factor n. m can be entirely recovered by adding some predefined padding.
Definition 1 (IFPA): Suppose there is a positive composite integer n (n is sufficiently large, for instance 1024 bits) and two distinct primes (p, q), where n = p · q. It is computationally hard to derive p and q from the given n.
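The three Rabin algorithms above, written out as an added example (it is not code from the paper): encryption is one modular squaring, decryption takes square roots modulo p and q and combines them with the CRT into four candidates, and the padding selects the right one. The padding layout (random filler, length field, truncated SHA-256 tag), the Miller-Rabin prime search and all function names are assumptions made for this sketch.

```python
import hashlib
import secrets

TAG_LEN = 8    # bytes of hash redundancy used to pick the right root (assumed)
MIN_FILL = 8   # minimum random filler so that m*m always wraps mod n (assumed)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def blum_prime(bits):
    """Random prime with the top bit set and p = 3 (mod 4)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Private key (p, q) with p = q = 3 (mod 4); public key n = p * q."""
    p, q = blum_prime(bits), blum_prime(bits)
    while q == p:
        q = blum_prime(bits)
    return (p, q), p * q

def encode(msg, n):
    """Pad as filler || msg || len(2 bytes) || tag, sized to stay below n."""
    k = (n.bit_length() - 1) // 8          # k bytes always encode a value < n
    fill = k - TAG_LEN - 2 - len(msg)
    if fill < MIN_FILL:
        raise ValueError("message too long for this modulus")
    block = secrets.token_bytes(fill) + msg + len(msg).to_bytes(2, "big")
    return block + hashlib.sha256(block).digest()[:TAG_LEN]

def decode(root, n):
    """Return the message if this root carries valid padding, else None."""
    k = (n.bit_length() - 1) // 8
    if root >> (8 * k):                    # too large to be a padded block
        return None
    raw = root.to_bytes(k, "big")
    block, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hashlib.sha256(block).digest()[:TAG_LEN]
    if not secrets.compare_digest(expected, tag):
        return None
    mlen = int.from_bytes(block[-2:], "big")
    if mlen > len(block) - 2:
        return None
    return block[len(block) - 2 - mlen:-2]

def encrypt(msg, n):
    """Encryption is a single modular squaring: c = m^2 mod n."""
    return pow(int.from_bytes(encode(msg, n), "big"), 2, n)

def four_roots(c, p, q):
    """All square roots of c mod n, from roots mod p and mod q via the CRT."""
    n = p * q
    mp = pow(c, (p + 1) // 4, p)           # valid because p = 3 (mod 4)
    mq = pow(c, (q + 1) // 4, q)
    yp, yq = pow(p, -1, q), pow(q, -1, p)  # CRT coefficients
    return sorted({(sp * q * yq + sq * p * yp) % n
                   for sp in (mp, p - mp) for sq in (mq, q - mq)})

def decrypt(c, p, q):
    """Return the one root whose padding verifies, or None if none does."""
    n = p * q
    for root in four_roots(c, p, q):
        if pow(root, 2, n) != c:           # c was not a square mod n
            continue
        msg = decode(root, n)
        if msg is not None:
            return msg
    return None

if __name__ == "__main__":
    (p, q), n = keygen()                   # 1024-bit modulus
    sample = b"constructed sample message"
    c = encrypt(sample, n)
    print(len(four_roots(c, p, q)), "roots; recovered:", decrypt(c, p, q))
```

The random filler also keeps m above √n, so the ciphertext cannot be inverted with an ordinary integer square root; this is textbook Rabin for illustration and has no standardized padding or side-channel hardening.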

B. ADVANCED ENCRYPTION STANDARD
Advanced Encryption Standard (AES) [52] is a symmetric encryption technique that provides high degree of security. The AES encryption converts data into an unintelligible form, called ciphertext. Conversely, the decryption converts this ciphertext into its original form, called plaintext. AES algorithm is capable of generating block ciphertexts of 128 bits, with three different key sizes, namely, 128, 192 and 256 bits.

C. ONE-WAY HASH FUNCTION
One-way hash function is a cryptographic function that provides irreversibility and collision resistance to the hashed data. Given an arbitrary-length message m and a hash function h(·), some characteristics of the function are described in the following definitions [51].
Definition 2: A fixed-size output C = h(m) should be produced.
Definition 3: It is easy to compute C = h(m), but it is computationally hard to find m from the given C.
Definition 4: It is computationally hard to find n ≠ m with h(n) = h(m).
Definition 5: It is computationally hard to find any pair (m, n) with h(m) = h(n).

D. BIOHASH FUNCTION
Biohash function is designed to map an individual's biometrics to a specific binary string that provides the tolerance of noise [43]. The biohash function holds the same security with the one-way hash functions.
Definition 6: Suppose B i and B i are respectively the original and the newly input biometric templates of an individual. The input B i is not exactly the same with B i , but within a bearable threshold. Given the biohash function H Bio , we have

III. PROBLEM STATEMENT
In this section, we provide a system model of the proposed scheme and its formal security model. Some important security goals are also discussed.
A. SYSTEM CONSTRUCTION
Our proposed system model includes three healthcare domains [42], namely, personal care, home care and community care, in a 5G-enabled multi-server environment, as shown in Figure 1. E-health users U i and service provider servers S j are two main roles in our construction. U i can receive services from multiple S j only with a single login enabled by the SSO solution.
A personal care domain consists of various wearable sensors (electroencephalogram, respiratory rate, fall detection, gait detection, etc.) installed in U i 's body, within a WBAN [39]. The sensors are used to collect the health data, thus providing a continuous health monitoring on U i without any constraint on their normal daily life activities [42]. With the support of wireless technologies (for instance, Bluetooth), sensing data is then transmitted to U i 's mobile device for further communications. Personal care is the sub-domain of the home or community care domains.
In a home care domain, U i registers with S j using the smart card, password and biometrics. After a mutual authentication, S j distributes a secret group key to U i . Based on this key, sensing data from the personal care domain is encrypted and securely uploaded to the systems for the remote monitoring. This communication can quickly be carried out with the help of 5G networks for the real-time process. In this case, S j should be private doctors or family medical professionals. S j can also use the key to encrypt the healthcare related data including treatment details or medical testing results, then send it to U i . In this way, everyone in the family is able to query and access health data of their own and of the other family members since they have a common group key. In smart homes, there may be various IoT devices that can connect to the network, such as smart light, camera, TV, etc. U i can set the group key as a key used to conveniently control these devices, even though U i is not available at home. In the 5G network, U i communicates with S j through either SBSs or MBSs as long as they have spectrum opportunities. The service providers may employ edge servers to achieve better response times and transfer rates [31]. U i can also use mobile devices to directly communicate with each other for the sharing of access connection or additional information. Furthermore, communications between U i and S j in our scheme are time stamped for the purpose of security, which is discussed later in subsequent sections.
The communications in a community care domain are similar to those in the home care domains. However, the setting of communicating entities should be different. We take the communication of a healthcare group in a hospital as an example. Members in the group (patients, doctors, pharmacists, researchers, etc.) should be the users U i . S j may be a hospital administrator or a medical doctor who is the leader of the healthcare team. After U i receives the distributed group key, they are able to obtain the similar services provided by S j . As a doctor, pharmacist or researcher in a healthcare team, U i can monitor patients' health status and provide prescriptions, verify the correctness of the prescriptions, or analyze the data sent by S j , respectively [39]. U i , as a CT or MRI specialist, may also communicate the large image files of the patients with S j (as another specialist) for expedited reviews and treatments, due to high-speed data transmission of the 5G network. In smart hospitals, there may be modern IoMT devices used for specific treatments. U i of the team can also utilize the group key distributed by the administrator to operate (turn on, control or turn off) these connected devices. Similarly, U i in this domain can perform the D2D communications for additional purposes.

B. FORMAL SECURITY MODEL
Since the communication between U i and S j is carried out via an open channel, their transmitted information is exposed to various risks. In a three-factor authentication-based group key distribution environment, an adversary A can perform various attacks on a challenger C by making the following queries [40].
• Send(C, M sg ): This is an active attack. A requests message M sg to C, and C replies to A based on the rules of our scheme.
• Execute(U i , S j ): This is a passive attack. A eavesdrops the communicated messages of U i and S j .
• Reveal(C): This query reveals the group key distributed by C to A.
• Corrupt(U i , a): C returns U i 's password, biometrics, and parameters stored in the smart card and mobile device to A, based on a value a ∈ {1, 2, 3}.
• Test(C): A requests C for the group key, C flips a coin b and probabilistically replies to A.
Definition 7: Let Adv 5G−AGKDS C be the advantage of A in breaking the semantic security system, then Adv 5G−AGKDS where 5G − AGKDS denotes the proposed scheme, and b denotes the guessed bit.

C. SECURITY GOALS
Since user privacy and the healthcare data are very sensitive and important, possible attacks can induce big consequences, such as financial loss, system obstruction, etc. It may also directly affect the treatment process and quality of the healthcare services [39]. We therefore determine some essential security goals of the proposed scheme below, so that S j can securely distribute the group key to U i .
• Mutual authentication: U i must be authenticated as a legitimate user to receive the group key distributed by S j . Likewise, U i must also authenticate S j to verify its legitimacy for the true services.
• Robustness against well-known attacks: The proposed scheme should be resilient to various well-known security attacks, typically, replay attacks and MITM attacks.
• User anonymity and untraceability: Identity of U i must be preserved during the communication carried out via an open channel. In addition, any two past messages sent by the same U i should not be identified.
• Forward secrecy: Our work aims to prevent A from using information of the current communication session to derive the secret group key distributed in the past sessions.

IV. OUR PROPOSED SCHEME
Our proposed scheme allows the servers to distribute secure common keys to the groups of users, so that they can enjoy the group healthcare services. The procedure includes four phases: initialization, registration, login, and authentication.
After the system initialization, the registration (key predistribution) procedure is conducted in a trusted channel, whereas the login procedure and authentication procedure are carried out via an unreliable channel. Table 1 describes some notations and functions used in the scheme. The design details are depicted in Figure 2.

A. INITIALIZATION PHASE
In this phase, the system parameters used throughout the communication process are generated. To this end, S j first selects two large primes (p j , q j ) as private keys, and computes n j = p j · q j as the corresponding public key, which satisfies p j ≡ q j ≡ 3 (mod 4). Next, S j randomly selects s j as its secret symmetric key. S j secretly stores [(p j , q j ), s j ] in DB j . On the user side, SC i randomly selects and stores a string ω.

B. REGISTRATION PHASE
U i must register with S j for using its services. To this end, U i and S j perform the following steps to complete the registration procedure.
Step R1 : U i enters his/her identity ID i , password PW i and biometrics
Step R2 : Upon receiving (ID i , BW , P), S j uses encryption key s j to compute
Finally, U i stores their credentials {ω, ID i , PW i } and server-related parameters {δ j , ID S j , n j } in SC i and MD i respectively.

C. LOGIN PHASE
In this procedure, U i inserts SC i , and enters password PW i and biometrics B i . PW i is first checked by SC i . U i then computes Q j = ω ⊕ δ j , and randomly chooses a number m. Next, , and a ciphertext z = AE n j (ID S j ||ID i ||Q j ||m||r 1 ||t i ). Thereafter, U i sends message M sg1 = z to S j .

D. AUTHENTICATION PHASE
Upon the login request from U i , S j and U i carry out the following two steps to complete the authentication procedure, which allows U i to obtain a secret group key distributed by S j .
Step A1 : Upon receiving M sg1 , S j uses its private keys (p j , q j ) to decrypt z and confirms the validity of the timestamp t i . Next, S j uses s j to decrypt Q j (obtained from message z) and verifies h(s j ), ID i and ID S j . If they are valid, S j computes r 1 = (BW ⊕ P ⊕ t i ), then checks if r 1 (obtained from z) and r 1 are identical. If there is a match, S j calculates r 2 = H (m) ⊕ t j , k ij = H (m||Q j ), and a ciphertext W = SE k ij (r 2 ||t j ). Next, S j computes H ij = h 4 (k ij ||t j ), chooses group key Gk j , and calculates a set of coefficients (x 1 , x 2 , . . . , x u ) as follows, in which u is the total number of users in a group communication.   calculation.
In this way, each user of the same groups obtains a common secret key for using specific group services provided by the healthcare servers.

V. SECURITY ANALYSIS
This section provides security proof of our scheme using RoR model and BAN logic. In addition, we also discuss some further security features of the scheme.

A. FORMAL SECURITY PROOF USING ROR MODEL
The formal security of the proposed scheme is proven using the widely accepted RoR model [39], [40]. The model includes various queries (Send, Execute, Reveal, Corrupt and Test) that can be made by A to guess the shared secret key of U i and S j . The proof in RoR consists of a number of games, in which A can attack the scheme in various ways by the increased probability. The purpose is to demonstrate that the total probability of A successfully attacking the proposed scheme is negligible. Table 2 provides some notations used in the proof. Based on the formal security model specified in Section III-B, we prove the security of our work as follows.
Table 2 respectively, we have that A only has a negligible probability, in the following equation, in breaking our scheme. Our work therefore is semantically secure.
Proof: Our proof consists of six games: G 0 , G 1 , G 2 , G 3 , G 4 and G 5 . We define Succ i (i = 0, 1, 2, 3, 4, 5) as the events where A succeeds in guessing the bit b with the Test query. The success probabilities are denoted by Pr[Succ i ] accordingly.
• Game G 0 : In the RoR model, this initial game is identical to the actual scheme. The coin b is flipped to start the game. Based on Definition 7, we have,
• Game G 1 : In this game, we simulate all the queries including Hash, Send, Execute, Reveal, Corrupt, and Test.
• Game G 3 : In this game, we calculate the collision probabilities of all remaining oracle queries with specific messages. To this end, two cases corresponding with two communication rounds are considered as follows.
Case 1: This case considers the query Send(S j , Msg 1 ). Msg 1 is computed from two hashes (BW , P) and two other values (Q j , r 1 ), which totally results in a probability at most $4q_h / 2^{l_h}$. In addition, the random number m contained in this message has the probability as $q_s / 2^{l_r}$.
Case 2: We consider Send(U i , Msg 2 ) query in this case. Similarly, Msg 2 contains r 2 and k ij , which should be known to A, for performing the attacks. The corresponding probability is up to $2q_h / 2^{l_h}$. Due to the indistinguishability of G 2 and G 3 , we can obtain the following total probability,
• Game G 4 : This game considers the Corrupt query in which A performs guessing attacks on users' passwords and biometrics. We have the probabilities of guessing PW i and B i are at most $C \cdot q_s^{s}$ and $\max\{q_s(\frac{1}{2^{l_b}}, \varepsilon_{bm})\}$ respectively [40]. In addition, A is able to break the security system with the most probability as $q_h \, Adv^{IFPA}_{A}(t_A)$. Since G 3 and G 4 are identical, we have,
• Game G 5 : We consider the perfect forward secrecy feature of our work in this final game. Based on the old messages communicated between U i and S j , A similarly executes Execute, Send, and hash oracle queries. We simulate this game using the advantage of the IFPA assumption. The Test query is also executed to return the real group key for each instance.
Since G 4 and G 5 are indistinguishable without this attack, we can obtain, After executing all above games, A guesses the bit b for obtaining Gk j with the probability as follows. Based on Equations (4)-(11), we can achieve, Multiplying both sides of Equation (12) by a factor of 2, we can obtain the final result as follows, Since Equations (3) and (13) are consistent, it is indicated that A only has a negligible success probability in breaking the proposed scheme. Our work therefore is semantically secure, and Theorem 1 is proven.

B. AUTHENTICATION PROOF USING BAN LOGIC
In this section, we use BAN logic [31], [39], [53] to provide authentication proof of our work. BAN logic provides the rules used for analyzing authentication protocols. Based on these rules and logic analysis, we can indicate that communicating parties believe the authenticated parameter is a secret shared key only known by them. The notations used in this proof are defined as follows.
• M | ≡ X : M believes statement X.
According to the procedures of the BAN logic, the proposed scheme should satisfy the following goals of the authentication.
Goal 1: S j | ≡ (U i k ij ↔ S j ). S j believes k ij is a secret value sent by U i , and k ij is a shared value between them.
Goal 2: U i | ≡ (U i Gk j ←→ S j ). U i believes Gk j is a secret group key distributed by S j , and Gk j is a shared key between them.
Our scheme includes two messages described as follows.
The idealized form of the messages in the BAN logic is given below.
Some logical rules of the BAN logic used in our scheme are given as follows. M |≡X . Based on the logic, we also make the following assumptions of the proposed scheme.
• A1: , (x 1 , x 2 , . . . x u )). Based on the above-mentioned assumptions and logical rules, we analyze the procedure of the proposed scheme and provide the authentication proof as follows.
we can obtain, U i | ≡ (U i Gk j ←→ S j ) (Goal 2) Thus, the proposed scheme achieves both Goal 1 and Goal 2, which ensures that both U i and S j mutually authenticate each other.

C. DISCUSSION ON SOME OTHER FEATURES
We provide semantic analysis of our scheme in terms of some more security features. The detailed discussion is presented in the following.

1) PROVIDES ROBUST MUTUAL AUTHENTICATION
Upon receiving message M sg1 , S j decrypts Q j and verifies H s j , ID S j , ID i . Moreover, S j also checks the value r 1 = (BW ⊕ P ⊕ t i ) by r 1 ?= r 1 . On the other hand, the value r 2 = H (m) ⊕ t j sent by the server is also checked by U i . Since r 1 and r 2 are only correctly computed by the legitimate user and server respectively, the mutual authentication is robust. The group key Gk j will not be accepted unless the above checks hold. Thus, the conclusion is established.

2) PROVIDES USER ANONYMITY
The user identity ID i included in P and z is protected by the one-way hash function h and Rabin encryption respectively. ID i is kept secret to U i and S j only, and it is not revealed to the public during the authentication process. Therefore, user anonymity is achieved in our scheme.

3) PROVIDES USER UNTRACEABILITY
In the proposed scheme, the ciphertexts are computed using the random number m. In addition, the timestamps t i , t j included in the messages are different in every session. As such, A cannot identify any two past messages sent by the same U i . Therefore, our work achieves user untraceability.

4) PROVIDES FORWARD SECRECY
In login phase of the scheme, the nonce k ij is computed using a random number m. Moreover, the group key Gk j is also a randomly selected value. Suppose A has obtained these parameters in the current communication session, he/she is still not able to compromise the group keys of the past sessions. Thus, our scheme provides perfect forward secrecy.

5) RESISTS DOS ATTACKS
Our scheme provides smart card verification. SC i checks PW i , and rejects it if the verification is not successful. Therefore, A is not able to use its candidate passwords (and biometrics) to flood S j . Moreover, timestamp t i is also checked after z is decrypted. Retransmitting z repeatedly to disrupt S j will not work efficiently in this case. Hence, the proposed scheme can avoid DoS attacks.

6) RESISTS ONLINE PASSWORD GUESSING ATTACKS
A may attempt to guess a candidate password and input it to the system, in order to initialize the login request. However, A's candidate password will easily be checked and declined by $SC_i$'s verification. Thus, the conclusion is established.

7) RESISTS OFFLINE PASSWORD GUESSING ATTACKS
Suppose A has somehow obtained the hash values computed by $U_i$, then tries to guess $PW_i$. In our scheme, $PW_i$ is included in $BW = H(PW_i \| H_{Bio}(B_i))$ and $P = H(h(PW_i \| \omega) \| (h(ID_i \oplus ID_{S_j}) \oplus \omega))$. A attempts to compute the hash values $B$ and $P$ and compare them with the ones A has obtained. However, A does not know the biometrics $B_i$ and the random parameter $\omega$. Therefore, A is not able to compute the desired hash values for guessing the correct $PW_i$. Thus, our work resists offline password guessing attacks.

8) RESISTS IMPERSONATION ATTACKS
This attack happens when the attacker has obtained the identity $ID_i$ and tries to impersonate $U_i$. Even if $ID_i$ is revealed to A, our work is still safe due to the resistance to password guessing attacks. Moreover, since A does not know the parameter $\omega$, A cannot compute the correct values $B$, $P$ to impersonate $U_i$. The conclusion is therefore established.
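The dependence of $BW$ and $P$ on $B_i$ and $\omega$, which items 7) and 8) rely on, can be checked with the following added example (not code from the paper). It assumes domain-separated SHA-256 as a stand-in for $H$, $h$ and $H_{Bio}$, an exact-match biometric template, a 256-bit $\omega$ so the XOR operands have equal length, and constructed sample identities and passwords.

```python
import hashlib

def _hash(tag: bytes, data: bytes) -> bytes:
    # Assumption: domain-separated SHA-256 stands in for the scheme's H, h and H_Bio.
    return hashlib.sha256(tag + b"|" + data).digest()

def H(d: bytes) -> bytes: return _hash(b"H", d)
def h(d: bytes) -> bytes: return _hash(b"h", d)
def H_bio(d: bytes) -> bytes: return _hash(b"Bio", d)

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def compute_bw(pw: bytes, bio: bytes) -> bytes:
    # BW = H(PW_i || H_Bio(B_i))
    return H(pw + H_bio(bio))

def compute_p(pw: bytes, omega: bytes, id_i: bytes, id_sj: bytes) -> bytes:
    # P = H(h(PW_i || omega) || (h(ID_i xor ID_Sj) xor omega))
    return H(h(pw + omega) + xor(h(xor(id_i, id_sj)), omega))

def consistent_passwords(target_p, candidates, omega, id_i, id_sj):
    """Candidates whose recomputed P equals target_p under the given omega."""
    return [pw for pw in candidates
            if compute_p(pw, omega, id_i, id_sj) == target_p]

# Constructed sample values (not taken from the paper).
ID_I = bytes.fromhex("00112233445566778899aabbccddeeff")
ID_SJ = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
OMEGA = hashlib.sha256(b"constructed omega").digest()
PW_I = b"correct horse"
B_I = b"constructed biometric template"
CANDIDATES = [b"123456", b"password", b"correct horse", b"letmein"]

TARGET_P = compute_p(PW_I, OMEGA, ID_I, ID_SJ)
TARGET_BW = compute_bw(PW_I, B_I)

def demo():
    # Case 1: P and both identities are known, omega is not. Even the right
    # password fails to reproduce P, so no guess can be confirmed.
    wrong_omega = hashlib.sha256(b"guessed omega").digest()
    without_omega = consistent_passwords(TARGET_P, CANDIDATES, wrong_omega, ID_I, ID_SJ)
    # Case 2: omega is disclosed. The check now singles out PW_i, so the
    # argument rests entirely on omega staying inside SC_i.
    with_omega = consistent_passwords(TARGET_P, CANDIDATES, OMEGA, ID_I, ID_SJ)
    # Case 3: BW is known but the biometric template is not.
    bw_without_bio = [pw for pw in CANDIDATES
                      if compute_bw(pw, b"wrong template") == TARGET_BW]
    return without_omega, with_omega, bw_without_bio

if __name__ == "__main__":
    print(demo())
```

The second case is the practical caveat: the resistance claimed above holds only as long as $\omega$ and $B_i$ stay secret, which is why the smart card's protection of stored values matters.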

9) RESISTS REPLAY ATTACKS
In the proposed scheme, $S_j$ can verify whether the message $z$ is resent by checking the timestamp $t_i$. Similarly, $U_i$ can check the validity of the message $W, [x_1, x_2, \ldots, x_n]$ by confirming the timestamp $t_j$. Therefore, it is not possible for A to perform replay attacks on the current communication session using the intercepted message from the last session. Hence, replay attacks are prevented in our work.

10) RESISTS MITM ATTACKS
In the login phase of our scheme, A can use the public key $n_j$ of $S_j$ to generate a candidate login request message $z$. In this case, A may act as a middle man to change the correspondence between $U_i$ and $S_j$, who believe they are communicating directly with each other. However, without the knowledge of $s_j$ or $H(s_j)$, the attacker cannot pass the verification of $S_j$. Moreover, as stated, since our scheme can resist offline password guessing attacks and impersonation attacks, A is not able to compute the correct $z$. Therefore, MITM attacks are completely resisted in the proposed scheme.

11) RESISTS TAMPERING ATTACKS
This attack happens when A blocks the login request $z$ generated by legitimate users, modifies the contents, and sends a tampered one to $S_j$. However, A cannot tamper with $z$ since this ciphertext is only successfully decrypted using the private keys $p_j$ and $q_j$, which are only known to $S_j$. Therefore, our scheme resists data tampering attacks.

12) RESISTS DESYNCHRONIZATION ATTACKS
In the proposed scheme, the parameters $BW$, $P$ and timestamps $t_i$, $t_j$ are used to compute the acknowledgement values $r_1$ and $r_2$. They will be deleted after the communication sessions finish. No redundant parameters are stored by $U_i$ and $S_j$. Therefore, the conclusion is established.

13) RESISTS INSIDER ATTACKS
This attack happens when a privileged insider on the server side acts as A and uses the information of the targeted $U_i$ to carry out the attack. In our scheme, $S_j$ may know the parameters $ID_i$, $BW$, $P$. Nevertheless, A cannot use $ID_i$ to perform the attacks since, as stated, our work can resist impersonation attacks. Moreover, as stated, it is also not possible for A to carry out offline password guessing attacks based on $BW$ and $P$. In addition, neither biometric databases nor verification tables are required in our work. The proposed scheme can therefore withstand insider attacks.

Suppose $SC_i$ is lost and A somehow obtains it. In our scheme, $B_i$ is not directly stored in $SC_i$. Moreover, $SC_i$ can protect secret values from unauthorized disclosure [39]. Therefore, A is not able to obtain the information $(\omega, ID_i, PW_i)$ stored in $SC_i$ to perform the attacks even if A can obtain $SC_i$ and $MD_i$ at the same time. Hence, our work is free from lost smart card attacks.

VI. FORMAL SECURITY VERIFICATION USING AVISPA SIMULATION TOOL
We provide security verification of the proposed scheme using the widely accepted AVISPA tool, which has been frequently used in relevant works [31], [42], [54]. Unlike the RoR model and BAN logic, AVISPA is a push-button tool for the automated validation of cryptographic protocols and applications. Specifically, it is employed to formally verify the resilience of the protocols to replay attacks and MITM attacks, based on predetermined goals. The tool executes a simulation specified in the High-Level Protocol Specification Language (HLPSL) [55]. In our simulation, the Security Protocol Animator (SPAN) is integrated with the AVISPA tool, which helps to interactively build message sequence charts of the protocol execution. The AVISPA tool includes four backends: On-the-fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC) and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). At present, the SATMC and TA4SP backends do not support the algebraic properties of modular exponentiation and the XOR operator, which are required in the proposed scheme. We therefore only report the simulation results under the OFMC and CL-AtSe backends. The OFMC backend can be employed not only for efficient falsification of protocols, but also for verification for a bounded number of sessions, without bounding the messages an intruder can generate. In the CL-AtSe approach, by contrast, each protocol step is modeled by constraints on the intruder's knowledge (server's public key, intruder's own keys, etc.).
Consistent with the construction of the proposed scheme, we include two main roles in the simulation: User U and E-Health Server S. Each role is fully specified in HLPSL code. Since including the code within the text is too cumbersome, only some important notations and operations are provided as follows. "Trust" is a symmetric key used to enable the communication in a trusted channel at the registration stage. "REncrypt" is specified as a public key (of the Rabin cryptosystem) used by U to compute the message Z in the login phase. In the authentication phase, S uses the corresponding private key "inv(REncrypt)" to decrypt the message and verifies the login request. The decryption using "inv(REncrypt)" is an operation automatically executed by the tool. We define "Gkj" as the group key that is securely distributed by S. Suppose there are three users using a group service provided by S; the parameters $[x_1, x_2, \ldots, x_u]$ in $Msg_2$ are then simulated using "X1", "X2" and "X3". These parameters are sent to U for group key calculation. Note that HLPSL requires the first letter of each parameter in the specification of the main roles to be capitalized. In addition, since the language only supports concatenation, XOR and exponentiation, the mathematical operators of the scheme, including subtraction, addition, multiplication and division, are defined as hash functions in the simulation.
Besides the two basic roles U and S, the roles session and environment are also required by the tool. Specifically, the role session indicates all components used in a single communication session, including cryptographic keys (e.g., Trust, REncrypt, etc.), communication channels (Receive and Send channels between U and S), mathematical operators, main roles (U and S), etc. The role environment specifies the particular sessions that we want to simulate in the tool, where the intruder impersonates U or S. For this purpose, an extra role named intruder, denoted by "i", is included in the specification. The intruder "i" is also assigned its own keys (symmetric key kui, public asymmetric key ki, and private asymmetric key inv(ki)), so that it can carry out possible attacks on the simulated scheme. In the role environment, all letters of each parameter are written in lower case.
The AVISPA tool simulates protocols with two kinds of goals, namely secrecy goals and authentication goals. The former preserve the secret parameters and registered credentials. The latter verify whether the newly generated parameters in the login and authentication phases are truly sent by legitimate parties. Following this, the six secrecy goals considered for the verification of our scheme are described as follows.
1) "sj": is the secret symmetric key of the server, and it is kept secret to S only.
2) "w": represents parameter ω in the scheme (since the tool does not support this symbol), which is generated in the registration phase. It is kept secret to U only.
3) "idi": is the identity of U, which is kept secret to U and S. This goal is to enable the user privacy in our scheme.
4) "pwi": is the user password, which is a secret known by U only.
5) "bi": is the user biometrics, and it is kept secret to U only.
6) "kij": is the secret value computed by both U and S. It is kept secret to them only and is used for securely distributing the group key.

We also consider three authentication goals between U and S, which are specified in the following.
1) "m": is a random value selected by U in the login phase. It should be authenticated to be sent by a legitimate user.
2) "ti": is a timestamp generated by U, which is not identical in every communication session. Its validity should be authenticated by S.
3) "tj": is a timestamp generated by S. U should ensure that this parameter is sent by a legitimate server.

After executing the tool, the results demonstrate that the proposed scheme has passed the AVISPA verification under the OFMC and CL-AtSe backends, as shown in Figure 3. The stated secrecy and authentication goals are satisfied for the specified sessions. Thus, the proposed scheme is safe against replay attacks and MITM attacks.

VII. PERFORMANCE ANALYSIS
We evaluate the performance of our work and compare it with the predecessor schemes in terms of functions, communication cost, storage cost, and computation cost.

A. FUNCTIONS
In Table 4, we provide the comparison results on functions of our scheme and some relevant schemes discussed in Section I-A. We use the symbol √ to denote that the scheme achieves the specific function, and the symbol × to denote that the function is not achieved by the scheme. It is observed that our work provides the most functional scheme compared with the competing ones. In particular, only the proposed work supports secure group communications in 5G healthcare environments. A group key distribution mechanism with three-factor authentication is introduced only in our scheme and that of Hsu and Le [49].

B. COMMUNICATION COST
In this subsection, the communication cost of different schemes is compared based on the total communication rounds and the length of communicated messages. Since the schemes proposed in [34]-[37] were not designed with center-less authentication, they are not included in this comparison. For strong security, we assume the length of asymmetric encryptions/decryptions (for instance the Rabin cryptosystem) is 1024 bits. Symmetric encryptions/decryptions have a block length of 256 bits. The identities, passwords and biometrics have the same length of 128 bits. The length of the random numbers and hash values is 160 bits. In addition, elliptic curve point multiplications and timestamps have lengths of 320 bits and 32 bits respectively. Unlike in our scheme and that of Hsu and Le [49], in order to achieve the group communication feature, users in the other schemes are assumed to communicate with each other in groups of two. This assumption is consistent with the support of D2D communications in the proposed 5G-enabled environments. In this way, a user can share the session key with all remaining users to achieve the group services. For example, in the scheme of Wong et al. [42], the number of communication rounds is $2u$. The users need an additional $2C_u^2 = 2\,\frac{u!}{2!(u-2)!} = \frac{u!}{(u-2)!}$ rounds for the D2D communication. Therefore, the total number of rounds is $2u + \frac{u!}{(u-2)!}$. The corresponding communication cost is $1344 + 160\,\frac{u!}{(u-2)!}$, in which each session key is a hash value. Following this, the communication costs of Liu et al. [40], Hsu et al. [39] and Xu et al. [38] are $2912 + 160\,\frac{u!}{(u-2)!}$, $1344 + 160\,\frac{u!}{(u-2)!}$ and $1344 + 160\,\frac{u!}{(u-2)!}$, respectively. Since Jiang et al. did not design their scheme with a multi-server architecture, its cost is $1152v + 160v\cdot\frac{u!}{(u-2)!}$. With the group key distribution property, by contrast, our scheme and that of Hsu and Le [49] only bear the costs of $1280 + 160u$ and $1312 + 160u$, respectively.
Table 5 specifically tabulates the comparison results. It is easily observed that when u and v gradually increase, our scheme achieves the most efficient communication compared with the others.
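The cost expressions of Section VII-B can be evaluated directly, as in the following added example (not code from the paper). It uses only the formulas stated above, with $u$ the number of users and $v$ the number of servers; the function names are hypothetical, and the label "Jiang et al. [41]" follows the citation used in Section VII-D.

```python
from math import comb

def d2d_rounds(u: int) -> int:
    """Extra pairwise D2D rounds: 2*C(u,2) = u!/(u-2)! = u*(u-1)."""
    return 2 * comb(u, 2)

# Communication cost in bits, exactly as given in Section VII-B.
COST_BITS = {
    "Wong et al. [42]":  lambda u, v: 1344 + 160 * d2d_rounds(u),
    "Liu et al. [40]":   lambda u, v: 2912 + 160 * d2d_rounds(u),
    "Hsu et al. [39]":   lambda u, v: 1344 + 160 * d2d_rounds(u),
    "Xu et al. [38]":    lambda u, v: 1344 + 160 * d2d_rounds(u),
    "Jiang et al. [41]": lambda u, v: 1152 * v + 160 * v * d2d_rounds(u),
    "Hsu and Le [49]":   lambda u, v: 1312 + 160 * u,
    "Proposed":          lambda u, v: 1280 + 160 * u,
}

def wong_total_rounds(u: int) -> int:
    """Total rounds for Wong et al. [42]: 2u + u!/(u-2)!."""
    return 2 * u + d2d_rounds(u)

def cost_table(users, v: int = 1):
    """Map each u in `users` to {scheme: cost in bits} for v servers."""
    return {u: {name: f(u, v) for name, f in COST_BITS.items()} for u in users}

def cheapest(u: int, v: int = 1) -> str:
    """Scheme with the lowest communication cost for u users and v servers."""
    return min(COST_BITS, key=lambda name: COST_BITS[name](u, v))

def crossover_u(v: int = 1, limit: int = 1000) -> int:
    """Smallest u >= 2 from which the proposed scheme is the cheapest."""
    for u in range(2, limit):
        if cheapest(u, v) == "Proposed":
            return u
    raise ValueError("no crossover below limit")

if __name__ == "__main__":
    for u, row in cost_table([2, 3, 10, 50], v=1).items():
        print(u, row)
    print("proposed scheme cheapest from u =", crossover_u(1), "(v=1),",
          crossover_u(2), "(v=2)")
```

The pairwise-sharing schemes grow quadratically in $u$ while the two group key schemes grow linearly, which is the gap the comparison relies on.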

C. STORAGE COST
Storage costs of different schemes are calculated based on the parameters provided in Section VII-B. We consider the storage for the parameters stored by the user and the server in the system initialization phase and registration phase. In addition, consistent with the scenario specified in Section VII-B, the users have to temporarily store the shared session keys received from the D2D communications. Therefore, an extra cost for the temporary storage is included for the user side. The costs will drastically increase when massive numbers of users simultaneously log in to the system. In our scheme and that of [49], by contrast, the users do not need to share and store the session keys due to the group key property. Table 6 tabulates the comparison on the storage cost of different schemes. The comparison results are also depicted in Figure 4. We can see that the proposed scheme bears the least storage cost when $u$ increases, compared with the other schemes. Our work is even more efficient in the SSO-enabled multi-server environments.

FIGURE 5. Computation cost of different schemes in two scenarios: a) a single server provides service for multiple users; and b) a single user receives services provided by multiple servers.

D. COMPUTATION COST
This subsection provides the comparison of our work with the others in terms of computation cost. Table 7 provides the notations we use in this analysis. Since XOR operations consume a negligible computation cost [39], we do not include them in the time estimation. In Table 8, we present the results of this comparison for a single user and server in specific schemes. We also use the setting of [39] to run some experiments on the schemes. Based on the data retrieved from Table 8, we depict the results of the experiments in Figure 5 with two different scenarios. In Figure 5a, a single server provides service for multiple users. Figure 5b shows the scenario in which a single user receives services provided by multiple servers. Since the cost difference between most schemes is not big (except for the schemes of Liu et al. [40] and Jiang et al. [41]), the figures appear with superimposed plot lines. The cost of the scheme of Jiang et al. [41] drastically increases in direct proportion to the number of servers (as shown in Figure 5b), since a multi-server architecture is not available in their work. In both scenarios, we can observe that the proposed work is the most efficient scheme when the numbers of users and servers gradually increase.
Furthermore, we discuss an additional computation cost when applying all schemes in a specific healthcare application. Employing the group key distribution scheme, the server only needs to use a single group session key to encrypt the health data once, which significantly reduces the cost. Since our scheme provides this mechanism, the additional cost should only be 0.00054 ms when a single server provides the services for multiple users of a healthcare group. When a key agreement scheme is used for this service, the server has to encrypt the data multiple times, once for each of the users. For example, in Wong et al. [42], the cost will be $0.00054u$ ms. In this way, we can determine the costs of all remaining schemes. Figure 6 depicts the comparison result, which shows that computation in our scheme and that of Hsu and Le [49] is the most efficient.

VIII. CONCLUSION
E-health systems enabled with 5G network architecture provide fast and seamless access to patients' data, thus achieving rapid medical analysis reports for groups of patients. However, security and privacy are prominent concerns in these systems. In this paper, we have proposed an anonymous key distribution scheme for group healthcare services in 5G-enabled multi-server environments with an SSO solution. The proposed scheme, with secure three-factor authentication and user anonymity, is a good fit for group communications in 5G architecture environments for various healthcare domains. We achieve a solid security proof of the proposed scheme using the RoR model, BAN logic and AVISPA simulation. Our work is demonstrated to withstand various well-known security attacks. Compared with the related works, the proposed scheme is the most functional one and bears the least cost.
In future work, access control to the health data for groups with specific attributes will be considered. We would also consider integrating e-health systems with a consortium blockchain architecture, in scenarios of collaborative healthcare programs between multiple providers. The solution can help to preserve the integrity of some sensitive data.