A Novel Three-Factor Authentication Protocol for Multiple Service Providers in 6G-Aided Intelligent Healthcare Systems

6G technology is now attracting many scientific researchers due to its prominent features including high mobility, high data rate, high operating frequency, and ultra-low end-to-end delay. Compared to the 5G, 6G has certain advantages that can transform smart healthcare to a new advanced intelligent healthcare system, where multiple issues and concerns of the services (e.g., slow ambulance response) are effectively resolved. In such a communication system, patients and service providers communicate with each other via an open internet channel. Since the healthcare data is important and very sensitive, security and privacy in the healthcare network become prominent. In this paper, we introduce a 6G-aided intelligent healthcare environment. Our work also proposes a solution called Centerless User-Controlled Single Sign-On (CL-UCSSO) for achieving a convenient and cost-saving communication in a multi-server system constructed. A three-factor mechanism (combining smart card, password and biometrics) and time bound property are integrated to design the protocol with fast authentication that allows patients and providers to efficiently establish secure communications. Security proof of the proposed protocol is provided using well-known verification tools including RoR model, AVISPA simulation and BAN logic. Results of performance comparisons on various aspects show that our work provides more functionalities and incurs less cost compared with the related works.


I. INTRODUCTION
5G communication technology has been successfully deployed in many countries and had a big impact on our society with diverse application scenarios [1]. However, for revolutionizing our daily life with higher quality of service (QoS) and quality of life (QoL), it still has certain drawbacks. For instance, holographic communication cannot be supported by 5G due to lower data rate [2], [3]. 6G The associate editor coordinating the review of this manuscript and approving it for publication was Mohamad Afendee Mohamed .
technology is now attracting many scientific researchers due to its prominent features including high mobility, high data rate, high operating frequency and ultra-low end-toend delay [2], [4]. Using the terahertz (THz) signal, 6G will provide a bandwidth three-time higher than the one of 5G [5], [6]. New Radio Lite (NR-Lite) of the 5G will be replaced by Intelligent Radio (IR) for intelligent communications [7]. More detailed comparisons between 5G and 6G were specifically discussed in [8]. 6G is expected to be fully backed by the satellite. In the core network, the Internet of Things (IoT) architecture will soon be replaced by the VOLUME 10, 2022 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ Internet of Everything (IoE). From 2030 onward, 6G is also expected to revolutionize information management systems in various fields [9]. At present, 6G technologies have already been started for timely development in several countries, such as United States, China, Japan, Finland, etc. [10]- [12]. The current smart healthcare systems still cannot provide perfect medical services due to some unavoidable problems in terms of time and space. Ambulance service is taken as an example. In many cases, patients died in ambulance before reaching the hospital or even before the ambulances reached the spot. The reason is that we still lack an intelligent healthcare system with efficient accident detection mechanism [2]. This system requires a real-time detection that can provide services on time and on the spot. Intelligent healthcare is implemented partially till date with traditional smart systems. Moreover, the rural connectivity is still a challenge for the 5G as well as healthcare [13]. 6G technology is proposed with strict requirements for healthcare that address all connection issues and fully support an intelligent environment, which cannot be achieved by the 5G. The requirements include data rate of ≥ 1 Tbps, operating frequency of ≥ 1 THz, endto-end delay of ≤ 1 ms, reliability of 10 −9 , mobility of ≥ 1000 km/h and wavelength of ≤ 300µm [4]. These advantages truly support intelligent healthcare driven by artificial intelligence (AI) technology that enables various intelligent entities (IE) [14]. Services in the intelligent healthcare would include telesurgery, patient monitoring in Wireless Body Sensor Networks (WBSNs), holographic communications, augmented/virtual reality (AR/VR), etc. [2]. Hospital-to-Home (H2H) services will be implemented using mobile hospitals established by intelligent vehicles. These services are especially important when potential epidemic or pandemic (for instance,  outbreaks. Furthermore, Computed Tomography (CT) or Magnetic Resonance Imaging (MRI) services will be more efficiently provided using intelligent equipment. With the above strict requirements and advantages supporting various technologies including IE, AI, IoE, real-time mechanism, etc., 6G will completely transform the current smart healthcare to the new advanced intelligent healthcare. It would further construct a new communication environment called Intelligent Internet of Medical Things (IIoMT) [15].
Since communications in the 6G-aided intelligent healthcare systems are carried out via public internet channels and the health data is extremely sensitive, security and privacy issues are prominent concerns. Adversaries may perform various attacks (e.g., man-in-the-middle (MITM) attacks, etc.), which violate patient privacy or directly obstruct the healthcare systems [16]. In addition, legitimacy of the doctors (healthcare providers) in the communications also needs to be taken into account for avoiding fraud services. Two-factor authentication mechanism integrating user's password and smart card was discussed in many works to prevent possible risks [17], [18]. Nevertheless, the mechanism may not be robust once the adversaries effectuate password guessing attacks or stolen smart card attacks [16]. Along with the advent of intelligent systems and the need of healthcare, there would be an increasing number of medical services provided by multiple providers. The healthcare providers may include doctors, pharmacists, pathologists or data scientists who manage respective servers in the systems. Under this circumstance, the design of single-server architecture has been unable to meet the needs of users where they may want to use a massive number of services [17]. Thus, it is needed to design a more secure and functional authentication protocol that can efficiently address all the concerns. In addition, the protocol should also be designed with reasonable costs consumed.

A. RELATED WORKS
Based on Rabin cryptosystem [19], Jiang et al. [20] introduced a three-factor authentication protocol internetintegrated wireless sensor networks, which addresses the drawbacks of the two-factor mechanism. Another research proposed by Shuai et al. [21] also employed the Rabin system to design a secure password-based authentication protocol with forward secrecy for industrial IoT (IIoT). Recently, Lin and Hsu [22] proposed an authenticated key agreement protocol for 5G-based telemedicine systems. Their work did not provide user anonymity as the identity is not masked during the authentication phase via open channel. Lin et al. [23] proposed a smart card-based authentication scheme with multi-server architecture and user privacy protection for 5G-IoT healthcare systems. The public parameter N i for user verification in the first communication round of their scheme is revealed to the public while no timestamp is employed. Their work therefore is not robust to Denial of Service (DoS) attacks. Meshram et al. [24] introduced a smart card and password-based user authentication protocol based on extended chaotic maps. In the authentication procedure of their protocol, the server further stores an additional value SB i . Therefore, the work may be vulnerable to desynchronization attacks. Although the works of [23] and [24] can achieve user anonymity, both did not provide user untraceability because the messages in their schemes contains some constant values. Based on these values, adversaries may guess identity of the user. Furthermore, Lin et al. [23] is not free from stolen smart card attacks since users' private credentials are directly stored in the card without being masked. Similarly, the work proposed by Le and Hsu [16] only prevents the smart card capture attacks partially as the adversaries can perform power analysis to obtain passwords of the users [25]. In this way, multiple attacks can be performed once they obtain users' biometrics. Thus, three-factor authentication mechanism in their work will become ineffective. Le and Hsu [16] also did not provide password update solution to enhance the security. This solution was proposed in another anonymous three-factor authentication protocol introduced by Xu et al. [26]. Dharminder et al. [27] introduced a construction of authenticated key exchange protocol based on Rivest-Shamir-Adleman (RSA) encryption [28] for healthcare services. Thakare and Kim [29] presented a cryptographic protocol for user authentication in IoT environments.
Besides, Tanveer et al. [30] proposes an anonymous and reliable authentication protocol for smart grid systems. All above-mentioned works, except [26] and [16], did not design their protocols with three-factor authentication. Moreover, only [26] and [16] achieves user untraceability during the communication in the protocols. Multi-server architecture, a solution that affiliates communications among multiple users and multiple servers, was only introduced in the proposals of [16], [23], [26].

B. CONTRIBUTIONS
In this article, we propose a user anonymity-preserving three-factor authentication protocol for multi-server intelligent healthcare systems enabled by 6G communication technology. Specifically, our work allows the patients and the servers to mutually authenticate each other, so that they can securely establish a reliable shared session key. Efficiency of the communication in the proposed work is also taken into account. Main contributions of this paper can be summarized as follows.
• We introduce a 6G-IoE intelligent healthcare application in a multi-provider environment. In particular, 6G helps in transforming smart healthcare (aided by the traditional 5G technology) to the intelligent one truly driven by AI. In the proposed model, healthcare services are provided by multiple servers along with the help of intelligent objects, in a real-time manner.
• We design the protocol with three-factor mechanism combing password (something you know), smart card (something you have) and biometrics (something you are), which assures a high security for the authentication. Rabin cryptosystem is employed in the protocol, which improve the performance of the RSA's encryption process. A perfect user privacy is achieved with forward secrecy of the session keys, user anonymity, user untraceability and message unlinkability. The generated session keys are used to secure the real time healthcare services that are achieved by the advantages of 6G discussed in Section I. Fast authentication is proposed for allowing users and servers to quickly compute additional shared session keys for subsequent communications within a short time. This solution is carried out with fewer steps and simplified computation after the initial authentication. Therefore, it can accelerate the communication processes and is suited for AI-driven low-power devices in the 6G network [31]. In our work, the users can update their password to assure a higher security. We also considered biometrics update function in the protocol. However, the biometrics is a unique identity of each individual; and in healthcare scenario, an account should belong to a single person only for privacy preservation. Updating biometrics (especially face or iris) is nearly equivalent to adding a new user. Instead, the user can create new account for this purpose. Therefore, biometrics change is not needed in the pro-posed work. The designed protocol is much less complex without this function, but with a similar security assured.
• As mentioned, multi-server architecture is employed in the proposed architecture with multiple healthcare service providers. The number of servers depends directly upon the number of services that a patient wants to use. Our protocol allows the users to store a single set of credentials registered with multiple servers in a smart card. They only need to enter the credentials once per session then choose specific servers from the list in the device for using multiple services. In this way, a User-Controlled Single Sign-On (UCSSO) function is achieved. It significantly alleviates storage cost and computation cost. The proposed UCSSO is designed without the participant of registration center. This solution also reduces communication cost, as well as security risks where adversaries may attack the center to compromise the whole system. A secure and efficient centerless (CL)-UCSSO is established. When the proposed CL-UCSSO is implemented for the multi-server architecture, the number of users may drastically increase due to its convenience and functionality. Since the introduced 6G-aided network provides tremendously high bandwidth, massive patients in the proposed protocol can simultaneously communicate with multiple servers in an efficient manner.
• In healthcare scenarios, a user may use services provided by multiple servers. Each provider may provide services with different working times. For instance, a remote doctor provides a daily service from 9:00 to 12:00; working time of a local doctor is from 14:00 to 18:00; while a nurse starts the work at 11:00 every day. Thus, a time-bound-based authentication is introduced in our work, which facilitates communications of the allotted services in such scenarios. Time-allotted services provide a more efficient healthcare process. This solution also addresses bottleneck issues in online communications when massive patients may request the services at the same time. In addition, this authentication function increases the protocol security because some timebound-related parameters (specified later in Section IV) are kept secret to the users only.
• Security certificate of our protocol is provided using three formal verification tools: Real-or-Random (RoR) model, Automated Validation of Internet Security Protocols and Applications (AVISPA) software, and Burrows-Abadi-Needham (BAN) logic. Moreover, a further informal analysis is also included to explain various well-known security attacks (e.g., replay attacks, MITM attacks, etc.) that can be prevented by our protocol.
• A comprehensive performance comparison of our work and the related works is presented, in terms of various aspects including functionality, computation cost, communication cost, and storage cost. The analytical results indicate that our protocol consumes less energy and lower cost but provides more functionalities, compared with its competitive works.

C. PAPER ORGANIZATION
The remainder of this article is structured as follows. Section II, we provide some preliminaries employed in the proposed protocol. Section III, we present the system construction including architecture model and adversarial capabilities. Section IV, we specifically present the proposed protocol. Security analysis and performance evaluation of our work are provided in Section V and Section VI, respectively. Finally, we conclude the work and discuss some future research directions in the last section of the article.

II. PRELIMINARIES
We discuss some important technical preliminaries including biohash function, time bound, security assumption and formal security model, used in our proposal.

A. BIOHASH FUNCTION
Biohash function is designed to map the biometrics of an individual to a specific binary string that provides the tolerance of noise [32]. It provides the same security features with the traditional one-way hash functions [33]. Compared to other ideas (e.g., fuzzy extractor) that address biometrics noise issue, biohash function bears a much less computation cost [32]. Definition 1: Suppose BIO and BIO are the original and the newly input biometric templates of an individual, respectively. Therein, BIO is not completely identical to BIO, but the difference is still within a bearable threshold. With the given biohash function h bio , we can obtain: h bio (BIO) = h bio BIO .

B. TIME BOUND PROPERTY
We define the time bound used for the authentication in the proposed protocol as follows.
exists when and only when t 1 ≤ t ≤ t 2 .

C. SECURITY ASSUMPTIONS
Security assumptions used in our protocol are defined as follows.

Definition 3 (Integer Factorization Problem):
Suppose there is a positive composite integer n and two distinct primes (p, q), where n = p.q. The value n must be sufficiently large, e.g., 1024 bits. The Integer Factorization Problem (IFP) explains that it is mathematically hard is to retrieve p and q from the given n.
Definition 4 (Minimum Trust): Each healthcare server is accepted as trustworthy, because users (patients) register their secret information to gain services from them.

D. FORMAL SECURITY MODEL
We employ Real-or-Random (RoR) model for a formal security proof in our work. RoR model is a well-known tool used to analyze the advantage of adversaries in breaking cryptographic protocols [34]. Suppose there exits two parties, patient P and healthcare server S, carrying out their communication via an open channel. An adversary A can make the following various queries to perform the attacks, where C is a protocol challenger and M is a communicated message.
• Send(C, M ): This active attack allows A to request M to C, and C replies to A in accordance with the rules of the protocol.
• Execute(P, S): In this passive attack, eavesdrops the transmitted messages between U and S.
• Reveal(C): attempts to retrieve the secret session key computed by C to A.
• Corrupt (P, a): In a protocol with three-factor authentication, this query returns P's password (if a = 1), biometrics (if a = 2), and parameters stored in a smart card and an intelligent device (if a = 3) to A.
• Test(C): A requests C for the secret session key, C probabilistically replies to A based on the outcome of a tossed coin b. Definition 5: Let Adv 6GHC C be the advantage of running in polynomial time in breaking the semantic security system of our work; 6GHC and b denotes the proposed protocol (for 6G healthcare services) and the guessed bit of session keys, respectively. We can obtain, Adv 6GHC

III. SYSTEM CONSTRUCTION
We describe the system model of the proposed protocol in this section. It primarily presents the communications enabled in a 6G-aided intelligent healthcare system. In addition, adversarial capabilities are also discussed.

A. ARCHITECTURE MODEL
The proposed model includes two main entities, namely, patient P i and healthcare provider S j , who are communicating in a multi-server environment. As shown in Figure 1, P i can carry out the CL-UCSSO that uses a single set of credentials (stored in the smart card) to directly gain services from multiple S j , without the participation of a central party. The services include medical treatment, prescription, H2H, MRI, CT scan, etc. They may be provided by local doctors in a hospital or by remote doctors. We take the patient monitoring service carried out through the WBSN as an example. The network consists of multiple medical sensors (e.g., respiratory rate, fall detection, etc.) worn by P i [35]. The sensors collect various health data and transmit it to P i 's mobile device with the support of a wireless technology (e.g., Wi-Fi, ZigBee or Bluetooth). Then, the sensing data is securely transmitted to S j via the IR signal of the 6G network for further communications. The service provides a continuous realtime monitoring on P i without any constraints on patients' normal daily life activities [36]. With extremely high data rate, the 6G also provides faster speed of data transfer (especially large image files produced by MRI or CT scanners) for timely treatments. In addition, healthcare data may be stored for further services such as pathology or data analysis. It is noted that the mobile devices (of P i ), MRI, and CT machines (equipped for respective services at the hospital) and so on are AI-enabled intelligent entities. Other than smart functionalites of a traditional device, they have ability to automatically launch healthcare services when noticing unusual symptoms from P i . For instance, the mobile device would launch a H2H service on a fall or a respiratory depression detected. Whereas the MRI machine would automatically communicate with the most appropriate doctor for the service once it finds abnormal signal intensity on the images. For securing the communica-tion between P i and S j , the proposed protocol allows them to establish an authenticated session key used to encrypt the communicated messages. To this end, P i chooses a device to registers with S j using smart card, password and biometrics for achieving a three-factor authentication mechanism. Time bound property is also integrated to authenticate P i at specific time points of services. We further design a fast procedure of key negotiation after the initial authentication process, so that P i and S j can quickly compute the multiple new shared keys. This solution significantly accelerates communication process and reduces computational load on low-power devices in the proposed 6G-IoE healthcare environment.

B. ADVERSARIAL CAPABILITIES
Possible attacks in the healthcare systems can induce tremendous consequences, such as patient privacy violation, financial loss, system obstruction, etc. The attacks may also directly affect the treatment process and reduce the quality of medical services [35]. In the proposed work, we have observed various potential risks, and assume that A has the following capabilities to break the security system [37], [38].
• A has the control over the public communication channel where they can intercept, delete, insert or replay any transcripts conveyed between P i and S j .
• A may steal P i ' smart card and intelligent device, then perform power analysis attacks 25] to extract the secret parameters.
• A attempts to attack the ciphertexts communicated between P i and S j in the past once they have obtained the session key in current communication session.  • A may be a privileged insider of the healthcare system (i.e., administrator) who may compromise registered information of P i stored in the server side.
• Legitimate users may behave as A and launch similar attacks.

IV. OUR PROPOSED PROTOCOL
The proposed protocol allows P i (using an intelligent device) and S j to mutually authenticate each other over a public 6G communication channel. Then, they negotiate a session key for securing communication of the healthcare service. Thereafter, fast authentications are carried out so that P i and S j can quickly compute new session keys. P i is also allowed to update their password for the purpose of security. Our work includes four main phases in the protocol including system initialization, registration, login and authentication, and password update. Table 1 describes notations and cryptographic functions used in the protocol.

A. SYSTEM INITIALIZATION
Our protocol employs Rabin cryptosystem for an efficient computation as its encryption operation (based on modular squaring operation) is much faster than the RSA cryptosystem [21]. S j chooses two arbitrary large primes p j , q j as server's private keys, then compute the corresponding public key n j = p j .q j , where p j ≡ q j ≡ 3(mod 4). Based on the IFP assumption specified in Definition 3, it is computationally hard to derive p j and q j from n j . S j also randomly selects x j as its master secret key.

B. REGISTRATION
This phase is conducted via a secure channel, in which P i registers with S j as a legitimate patient for using the service. As shown in Fig. 2, both sides perform the following steps to complete the registration procedure.
Step R1: P i first inputs the identity ID i , password PW i and imprints the biometrics B i . P i chooses a random number σ , and computes W = Step R2: Upon receiving {ID i , PB, W }, S j chooses a symmetric encryption algorithm (e.g., Advanced Encryption Standard (AES) [39]) then uses the secret key x j to compute Step R3: Upon receiving the above message, device HD i and the card SC i , respectively. SC i can be either a traditional or a contactless smart card.

C. LOGIN AND AUTHENTICATION
In this phase, P i is allowed to login and mutually authenticate with S j for using its service. A fast authentication procedure is then provided so that P i can quickly perform the mutual authentication with S j to compute the new session keys. Each fast authentication is carried out based on the parameters from the previous session, without the complex procedure of the initial process. This phase consists of three procedures including login, initial authentication and fast authentication, which are carried out via an open channel. The whole phase is depicted in Fig. 3.
. P i chooses a server S j and computes . Thereafter, P i randomly chooses a number r and an integer v then com-

2) INITIAL AUTHENTICATION
There are two steps in this procedure in which P i and S j mutually authenticate each other for an initial shared session key.
Step IA1: Upon the received message, S j uses its private keys p j , q j to decrypt C 1 and obtains = h(h t−1 (X ) ||h 24−t (Y ) ||PB). If there is a match, S j computes A 2 = h(F||T j ), a session key SK = h(F||z j ), and a ciphertext C 2 = SE SK (A 2 ||T j ). C 2 is transmitted to P i for the next step. Step IA2: Upon the received C 2 , P i computes SK = h(F||z j ) and uses it to decrypt C 2 . P i checks the timestamp T j and A 2 ?
= h(F||T j ). If the checks hold, a session key SK is established between P i and S j .

3) FAST AUTHENTICATION
Based on the parameters r, v, F and session key SK in the previous sessions, P i and S j can quickly authenticate and compute new shared session keys.
Step FA1: the initial authentication is recalled, otherwise, P i computes a ciphertext α ε = SE SK (F ε ). Next, P i transmits α ε to S j .
Step FA2: Upon receiving the message, S j uses SK to decrypt α ε and checks h(F ε ) ? = F. If there is a match, F is replaced by F ε for the next fast authentication. Thereafter, S j computes a new session key SK new = h(F ε ||SK ) and uses it to generate a ciphertext β ε = SE SK new (F ε ). β ε is transmitted to P i for the next step. Step FA3: Upon the message received from S j , P i computes a new session key SK new = h(F ε ||SK ) and confirms it by checking SE SK new (F ε ) ? = β ε . If the check holds, the new session key SK new is established for the service communication.

D. PASSWORD UPDATE
P i is allowed to update their password for the purpose of security. As shown in Fig. 4, the procedure is presented as follows.
Step U1: . If the check holds, SC i requests P i to enter the new password.
Step U2: Upon the request,

V. SECURITY ANALYSIS
We provide the security analysis of our proposed protocol with RoR model, AVISPA simulation, and BAN logic. In addition, further security features are also discussed by a semantic analysis. The proof is primarily presented for the initial authentication. Using the similar arguments, we can also achieve a similar proof of the fast authentication.

A. FORMAL SECURITY PROOF USING ROR MODEL
We provide formal security proof of the proposed protocol using widely-accepted ROR model [34], [35]. The proof includes a number of games where various queries specified in Section II-D are made by A in order to perform possible attacks. The security of our work is proven in the following.
Definition 6: Upon receiving the last expected message in the proposed protocol, the challenger C goes to an accepted state. The ordered concatenation of all communicated messages C 1 , C 2 form a session with the identification ''s_id''.  been submitted; and 3) Less than two Corrupt(P i , a) queries have been submitted; in reality, our protocol is still safe even when A has submitted the queries Corrupt(P i , 1) and Corrupt(P i , 3).
Definition 9: Let Adv IFP A (t A ) be the advantage of A in breaking the IFP assumption. Since the assumption holds, Adv IFP A (t A ) is defined as a negligible probability with the execution time t A .
The following notations are used in the proof. Definition 10: The value max C .q s s , q s 1 2 l b , ε b is sufficiently small, so that A cannot guess the credentials of P i [35].
Theorem 1: The proposed protocol is semantically secure because A only has the following negligible probability in breaking our security system.
Proof: We includes a number of six games in the proof including G 0 , G 1 , G 2 , G 3 , G 4 , G 5 , in which probability of A gradually increases. The purpose of A is to obtain the bit b with the Test query after each of the games is finished. The success probabilities are denoted by Pr[S i ] where S i (i = 0, 1, 2, 3, 4, 5) are the events in respective games. In the games, A sets a simulator B to play the role of C.
G 0 : This is the starting game. We assume this game is identical to the real protocol in random oracles. B tosses the coin b to start the game. We can obtain, G 1 : This game simulates all the queries specified in the model. Simulation of the queries are presented in Table 2 in accordance with the rule of the proposed protocol. In this way, the game creates three lists: L H , L A and L T . Due to the indistinguishability of G 0 and G 1 , we have, G 2 : We consider collision probability of the hash oracle and random oracle queries in this game, for all communicated transcripts between P i and S. Using the birthday paradox, we can obtain the most probability of hash queries as In the login and initial authentication phases, there are two randomly generated numbers r and v, included in two messages C 1 and C 2 . Since v is an integer equal to the number of fast authentications, it should be an easy-to-find value. Therefore, we only consider r as a random number for the random oracle queries. Its collision probability is at most q s +q e 2 lr +1 . Since G 1 and G 2 are indistinguishable, we can obtain, G 3 : G 3 is similar to G 2 but the queries are executed for specific transcripts sent by P i or S j . The game includes two cases of two corresponding communicated messages (C 1 and C 2 ) as follows.
Case 1: This case considers the query Send(S j , C 1 ). The messages C 1 is computed from two hashes (A 1 , F) and another value z, which totally results in a probability at most 3 q h 2 l h . Note that we do not consider ID * i in C 1 for the hash oracle as the identities are not hard to retrieved. Moreover, ID * i is stored in server's database and may be compromised by a privileged insider. In addition, the random number r contained in C 1 has the probability as q s 2 lr . Case 2: The query Send(P i , C 2 ) is considered in this case. The values A 2 and SK contained the messages C 2 should be known to A for performing the attacks. The maximum probability is up to 2 q h 2 l h . Overall, we can obtain the following total probability, G 4 : We consider guessing attacks executed by A in this game. Three cases are presented as follows.
Case 1: In this case, A makes the Corrupt(P i , 1) query to guess U i 's password. Thereafter, A executes the Send(S j , C 1 ) query for the attacks. Thus, the probability is at most (C .q s s ). Case 2: A executes the Corrupt(P i , 2) query to retrieve P i 's biometrics in this case. Since also makes the Send(S j , C 1 ) query in this case, the maximum probability is up to max{q s ( 1 2 l b , ε bm )}. Case 3: In this case, A attempts to break the IFP assumption (using Hash oracle queries) to compromise the message C 1 . Its collision probability is at most q h Adv IFP A (t A ). Since G 3 and G 4 are identical without above attacks, we obtain, In this final game, the forward secrecy property of the proposed work is considered. Based on the old transcripts sent by P i and S j , A makes Execute, Send, and Hash oracle queries to compromise the protocol. The game is simulated using the advantage in breaking the IFP assumption. Thereafter, the Test query is made to return the real session key to A. Without considering the attack in this game, G 4 and G 5 are indistinguishable. Thus, we have, After executing all the games, A guesses the bit b with the probability of the Test query as follows.
Based on Equations (2)-(9), we can achieve the following equation, The final result can easily be obtained as follows, Therefore, we claim Theorem 1, and the proposed protocol is semantically secure.

B. FORMAL SECURITY VALIDATION USING AVISPA
In this section, the widely accepted AVISPA simulation [16], [17] is employed to validate the security of the proposed protocol. It is a push-button tool that automatically verifies the resistance of cryptographic protocols to MITM attacks and replay attacks. The simulation is executed using the High-Level Protocol Specification Language (HLPSL) [40]. In our setting, AVISPA tool is installed with the Security Protocol Animator (SPAN), in order to build an interactive message sequence charts and friendly user interface.
Two main roles, Patient P and Server S, are included in the simulation, which are fully specified using HLPSL code. Some important definitions and operations are described as follows. Since the communication in registration phase is carried out in a trusted channel, we define TrustedChannel as a symmetric key used to protect communicated messages. The registered information and user credentials are then stored by both sides in a secure manner. PublicKey is defined as a public key of Rabin cryptosystem. P uses PublicKey to compute the ciphertext C1, which protects the parameters {A1, F, Zj, IDi', Ti} in the login phase. Upon receiving C1, S uses the corresponding private key inv(PublicKey), which is generated automatically by the tool, to decrypt C1 and verifies P's login request. After the user authentication, a session key SK is computed by S. SK is used to compute the ciphertext C2 for securely transmitting the parameters {A2, Tj} to P, in order that P can complete the mutual authentication and key agreement. Note that some mathematical operators (e.g., subtraction) used in the protocol are specified as hash functions, as the HLPSL only supports XOR, concatenation and exponentiation operations.
The tool simulates cryptographic schemes with two security properties: secrecy and authentication. The secrecy property is to protect the secret parameters and user credentials in the registration phase. In this way, some secrecy goals considered for the verification of our protocol are described as follows. VOLUME 10, 2022 • secrecy_of xj: Xj is the master secret key of the server. Therefore, it is specified to be kept secret to S only.
• secrecy_of o: since symbol σ (the random value chosen by P in the registration phase) is not supported in the HLPSL, we use O to represent it. O is kept secret to P.
• secrecy_of idi: IDi is the identity of the patient. To achieve user anonymity in the public channel, IDi is specified to be kept secret to P and S.
• secrecy_of pwi: PWi is the password of the patient. Therefore, it must be a secret known by P only.
• secrecy_of bi: Bi is the biometrics of the patient. It therefore is specified to be a secret known by P only.
In addition, the security of the time bound (T1, T2) should also be considered. However, it is not computationally hard to derive these values. The secrecy of {TB1, TB2} is primarily dependent on the security of {Xj, O, IDi, PWi, Bi} rather than {T1, T2}. Thus, we do not include the time bound in the specification of secrecy goals. Furthermore, the authentication property of the tool is provided to verify the legitimacy of the new random parameters generated in the login and authentication phase. We have the following goals of the mutual authentication between P and S considered in the simulation.
• authentication_on r: S authenticates P based on the randomly selected value R.
• authentication_on ti: S authenticates P based on the timestamp Ti generated by P.
• authentication_on tj: P authenticates S based on the timestamp Tj generated by S.
In addition to the basic roles P and S, Session and Environment roles are required in the simulation. Session role specifies all components used in a communication session by both P and S. The components include roles/agents (P and S), different keys (TrustedChannel, PublicKey and SK), mathematical and cryptographic operations, and communication channel established for P (SP, RP) and S (SS, RS). In Environment role, other than some similar parameters defined in Session role, there exists a protocol_id that denotes all constants associated with the stated security goals. The composition in this role specifies all communication sessions with the participation of an intruder i. The role also defines intruder_knowldege including {p, s, publickey, ki (intruder's own public key), inv(ki) (intruder's own private key), ski (intruder's sysmetric key)}, so that the intruder can perform possible attacks on both P and S.
There are four backends for the verification results in the AVIPSA tool including Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP), SAT-based ModelChecker (SATMC), On-the-fly Model-Checker (OFMC), and Constraint Logic based Attack Searcher (CL-AtSe). Among them, the SATMC backend and TA4SP back-end do not support algebraic properties of modular exponentiation and XOR operator, which are required in the proposed protocol. Therefore, we execute the validation operation under the OFMC and CL-AtSe backends only. The OFMC approach is employed for efficient falsification of protocols and verification of a bounded number of communication sessions, without considering the generated messages of intruders. On the other hand, each step of the simulated protocol is modeled by constraints on the intruder's knowledge in the CL-AtSe backend. After fully translating the protocol into HLPSL language with sufficient specification, we run the tool using above two suitable backends. Based on the results shown in Figure 5, the stated secrecy goals and authentication goals are satisfied for specific communication sessions specified in the environment role. It is indicated that the simulated protocol has passed the verification. Thus, MITM attacks and replay attacks are prevented in our work.

C. AUTHENTICATION PROOF USING BAN LOGIC
BAN logic has been a well-known tool employed to provide mutual authentication proof of cryptographic protocols in many works [16], [17], [35]. Based on these rules provided by the tool and relevant logic analysis, we aim to prove that P i and S j believe the session key computed is a secret shared value only known to them. The notations we use for the proof in this section are defined as follows.
• A| ≡ X : A believes statement M . Based on principle of the BAN logic, the following authentication goals should be satisfied for the proof.
Goal 1: S j | ≡ (S j SK ←→ P i ). S j believes SK is a secret value sent by P i , and SK is a shared key negotiated by them. (G1).
Goal 2: P i | ≡ (P i SK ←→ S j ). U i believes SK is a secret group key distributed by S j , and Gk j is a shared key between them. (G2).
In the login and authentication phase of our protocol, there are two communicated messages described as follows.
Message 2 (C 2 ). S j → P i :(SE SK (A 2 ||T j )). The idealized form of these messages used the proof procedure of the BAN logic is given below.
Some logical rules of the tool that are used in our proposed protocol are specified as follows. A|≡M . Consistent with the idealized form, the following assumptions are also made for the proof of our protocol.
Based on the above rules and assumptions, we analyze the procedure of our protocol and perform the mutual authentication proof in the following.
• S 1 : According to the message C 1 , we have, S j ( A 1 ||F||z j ||ID i ||T i n ).
• S 7 : Based on R6, we obtain, S j | ≡ A 1 , S j | ≡ F, S j | ≡ z j , and S j | ≡ T i .
• S 15 : Based on S 9 , we can obtain, Thus, the protocol achieves both G1 and G2. Hence, it is ensured that both P i and S j mutually authenticate each other.

D. SEMANTIC ANALYSIS
Various security features achieved by the proposed protocol are further discussed and explained in this section. The details are as follows.

1) ROBUST MUTUAL AUTHENTICATION
Upon receiving the login request message C 1 from P i , S j decrypts z j and confirms {ID * i , h x j }. If they pass the confirmation, S j then verifies the acknowledgement value of P i In the server sides, P i also checks the acknowledgement value A 2 of S j before they confirm the share session key. If the verifications of A 1 and A 2 do not hold, the communication session will terminate without establishing a shared key. Therefore, a robust mutual authentication is achieved in our work.

2) PERFECT FORWARD SECRECY
Suppose A has somehow obtained a session key in the current session and attempts to use it to attack the past communications between P i and S j . In each communication session, the session key SK is a nonce computed using the random number r and by multiple operations of the hash function. Therefore, it is not possible for A to use that key to perform the attacks. Hence, the conclusion is established.

3) USER ANONYMITY, USER UNTRACEABILITY AND MESSAGE UNLINKABILITY
The identity ID i of P i is protected in the ciphertext C 1 . Both of the messages conveyed between P i and S j do not publicly contain ID i . Therefore, ID i cannot be revealed to A during the communication. It is a secret known by P i and S j only. Both C 1 and C 2 are nonce values and they are completely different in every communication session. A is not able to identify any two transcripts conveyed by the same patient P i . Furthermore, A cannot find any constants when linking C 1 with C 2 for the purpose of tracing P i . Thus, the proposed protocol achieves user anonymity, user untraceability and message unlinkability.

4) RESISTANCE TO PASSWORD GUESSING ATTACKS
In this case, A enters a guessed password (along with an identity and biometrics) to the system for the purpose of login. Nevertheless, SC i will check the value V and easily decline A' candidate password. Suppose the value W has been obtained by A, then attempts A to guess P i 's password based on this hash value. However, other than PW i , W also contains the identity ID i and random number σ . Without ID i and σ , it is not possible for A to compute a hash value W and compare it with W for guessing the correct password. Hence, our work can resist both online and offline password guessing attacks. Furthermore, password update function is also provided in the proposed protocol, which enhances the security of PW i .

5) RESISTANCE TO IMPERSONATION ATTACKS
Suppose A has somehow obtained ID i then use it for computing a login request, in order to impersonate P i . Due to the stated resistance to password guessing attacks, PW i cannot be revealed to A, Moreover, B i is kept secret to P i only. Even though A knows of ID i , it is not possible for A to compute W and PB without PW i and B i . In addition, A also lacks the correct A 1 and z j for forging the ciphertext C 1 . Hence, impersonation attacks are resisted in the proposed protocol.

6) RESISTANCE TO MITM ATTACKS
In the login procedure, A can directly use n j to encrypt a candidate message and forge C 1 . In this way, A acts as a middle man to change the conveyed messages between P i and S j while P i and S j totally do not notice the attack. Nevertheless, since A does not know of x j and the value h(x j ) for the verification, S j will easily reject the above login request. In addition, as stated, the proposed protocol can prevent password guessing attacks and impersonating attacks. Therefore, it is not possible for A to calculate a correct C 1 . A may also block C 1 , modifies its contents, and sends a tampered message to S j . A is not able to perform this act since they do not know of the private keys p j and q j to decrypt and tamper with C 1 . Hence, our protocol is completely free from MITM attacks.

7) RESISTANCE TO REPLAY ATTACKS
A may intercept and resend C 1 to S j for performing a replay attack on the subsequent communication sessions. In our protocol, timestamp T i is employed to verify if C 1 is resent. In other words, T i assures C 1 is used only once for the purpose of login. In a similar way, timestamp T j can be used to check the validity of the message C 2 sent to P i . Moreover, the acknowledgement values A 1 and A 2 are also used to check the legitimacy of P i and S j respectively. Therefore, the conclusion is established.

8) RESISTANCE TO DESYNCHRONIZATION ATTACKS
In the proposed protocol, the acknowledgements A 1 and A 2 are computed based on the values PB, X , Y and timestamp T j , which are deleted after the communication. P i and S j do not further store any redundant parameters after each session finishes. Therefore, the proposed work does resist desynchronization attacks.

9) RESISTANCE TO INSIDER ATTACKS
Due to the Definition 2, S j is assumed to be a trusted entity during the registration of P i . In the database of S j , only the identity ID i of P i is stored after the registration procedure. If a privileged insider acts as A to perform an attack on a target patient using ID i , they will not be successful due to the prevention of impersonation attacks as discussed. In addition, our work does not require biometrics database as well as pass-word table in the protocol. Thus, our protocol can withstand insider attacks.

10) RESISTANCE TO STOLEN SMART CARD ATTACKS
Suppose A somehow has stolen SC i from P i . Then, A perform a power analysis attack and obtain all values stored in SC i . In the proposed protocol, password PW i and biometrics B i are not directly stored in SC i . Even though A is able to obtain HD i and SC i at the same time and pass the verification of SC i , they still cannot compute a valid C 1 without these important parameters. Hence, our protocol can prevent stolen smart card attacks.

11) RESISTANCE TO DoS ATTACKS
In each login phase of the proposed protocol, SC i always checks the legitimacy of P i based on their input values. Specifically, SC i will verify V and immediately terminate the session if the verification does not hold. Therefore, A is not able to flood the system with subsequent computation steps. In addition, S j also verify the freshness of timestamp T i right after decrypting C 1 . Repeatedly retransmitting C 1 to make S j 's services disrupted would not work efficiently for A once the resource in the server side is redundant. Since the risk of DoS attacks in the design is low, T i is put inside C 1 to reduce communication cost. The conclusion is established.

VI. PERFORMANCE ANALYSIS
In this section, we present a detailed comparative study of our protocol and some recent related protocols discussed in Section I-A, which are the most similar ones to ours. The performance comparison includes various aspects, namely, functionality, storage cost, communication cost, and computation cost.

A. FUNCTIONS
We tabulate the comparison results of various functions achieved by different protocols in Table 3. Symbol √ denotes that the protocol achieves a specific function. We also use symbol × to denote that the function is not achieved by the protocol. Symbol -means the function is not available in the protocol. It is observed that the proposed protocol provides the supports of more security properties and functionalities compared with the competitive ones. In particular, only our work introduces fast authentication and time-bound authentication solutions in the proposed 6G-IoE intelligent healthcare environment.

B. STORAGE AND COMMUNICATION COST
We define some parameters used in the comparisons as follows. The lengths of asymmetric encryptions or decryptions (e.g., RSA cryptosystem) and Chebyshev polynomials are assumed to be 1024 bits for assuring strong security. Symmetric encryptions and decryptions have a 256-bit length of each block. Each identity, password and biometrics has a similar length of 128 bits. 160 bits is the length of a single random number and hash value. The elliptic curve point  multiplication operation and timestamp are with the length of 320 bits and 32 bits, respectively. The storage cost is the total length of the parameters that P i and S j store after registration phase. For instance, in our protocol, P i stores {ε j , n j , t 1 , t 2 , TB 1 , TB 2 } and {σ, V } in their device and card respectively, which incurs a total length of 1920 bits. S j only stores ID i of each P i in their database, the length of which is 128 bits. Storage cost of all other protocols can be computed in a similar way. Table 4 presents the costs of different protocols. It is observed that our work consumes the least storage cost. Since ours, Lin et al. [23] and Le and Hsu [16] employ SSO solution in the protocols, the cost in the P i 's side will not increase in direct proportion to the number of servers. Suppose s is the total number of servers, Figure 6 further describes the comparison results on the storage cost.
In terms of communication cost, in the initial authentication, when P i enters ID * i , PW * i , B * i (from HD i ) to SC i , it bears a cost of 384 bits. After the verification, SC i sends σ, PB * back to P i for further computations. This process consumes a cost of 320 bits. The total is 384 bits + 320 bits = 704 bits. Similarly, in fast authentication phase, these communications only bear a total cost of 384 bits. We also consider the total communication rounds and the length of all transcripts  conveyed between P i and S j in each authentication session. In our work, the transcripts include (C 1 , C 2 ) and (α ε , β ε ) in the initial and fast authentication procedures, which consume a total length of 1280 bits and 512 bits, respectively. The number of communication rounds between P i and S j are 2 in both procedures. In 6G networks, the end-to-end communication latency is less than 1 ms [4], [41]. Therefore, the round-trip times for each session in the proposed protocol are estimated to be less than 2 ms. Detailed comparison on communication cost of different protocols is provided in Table 5. We can observe that the proposed protocol is one of the most efficient ones with the initial authentication. When the fast authentication is performed, it bears the least cost. Since most of the protocols are designed based on smart card mechanism for achieving a high security, such communication costs with the round-trip times required should be reasonable.

C. COMPUTATION COST
We assume the time of computing an XOR operation is negligible since it is extremely fast. According to [32], the execution times of a biohash function and a one-way hash function are similar. For the sake of simplicity, they are assumed to be the same one. We denote the following cryptographic functions and operations for the evaluation on computation cost.  Table 6. Suppose all time bounds set by servers are the same and v is set to 5. Figure 7 depicts the comparison of the proposed work and the related works with the data retrieved from Table 6 for the first 20 communication sessions. The results show that our protocol with fast authentication achieves the highest efficiency.
Furthermore, we describe a scenario where a single patient is using services provided by multiple servers. Since our work introduces the UCSSO, some computations in the protocol, such as PB * = h(ID * i ||h bio (B * i )) and V ? = h(σ ||PW * i ||PB * ), are only operated once for the communications with multiple servers. It significantly enhances the efficiency of the protocol. We also calculate the computation costs of the other protocols and depict the comparison results in Figure 8. It shows that the initial authentication procedure in our protocol bears an acceptable computation cost considering the superior to the others in terms of functions and security properties, discussed in Section VI-A. When it comes to the fast authentication procedure, we obviously achieve an efficient communication with the least cost consumed. It is a good fit for 6G-IoE healthcare environments where resourceconstrained devices should only consume little computation energy.

VII. CONCLUSION
In this paper, we have proposed a three-factor fast authentication protocol with time-bound property for multiple service providers in the constructed 6G-aided intelligent healthcare environment. CL-UCSSO solution is introduced for achieving a cost-efficient communication in the system. The proposed protocol allows patients and providers to securely and efficiently establish healthcare communications. A perfect user privacy is achieved with forward secrecy of session keys computed, user anonymity, user untraceability and message unlinkability. We provide security proof of the protocol using various tools, namely, RoR model, AVISPA simulation, and BAN logic. A performance evaluation on various aspects indicates that our work achieves most functionalities and incurs least cost compared with its predecessor works.
In future works, we will consider further improving the efficiency of the work with only one-way hash function, biohash function and XOR operation employed in the design. A post-quantum signature scheme may be integrated for providing non-repudiation of the health data in the quantum world. In addition, data immutability enabled by blockchain technology for some communications in the healthcare systems would also be an interesting research direction.