An Anonymous Authentication Protocol Based on Cloud for Telemedical Systems

Abstract. Telecare medical information systems (TMIS) enable patients to access healthcare delivery services conveniently. With the explosive development occurring in cloud computing and services, outsourcing the storage of personal medical and health information to cloud infrastructure has become a potential alternative. However, this has entailed many considerable security and privacy issues. In order to address the security loopholes, we propose a promising solution satisfying the requirements of cloud computing scenarios for telemedical systems. The proposed scheme could provide both data confidentiality and message authenticity while preserving anonymity. Furthermore, the formal security proof demonstrates that the proposed scheme is resistant to various attacks. The performance comparisons show the proposal's workability, and it is well suited to adoption in telemedical services.


Introduction
With the explosion of cloud computing and services, there has been a growing trend to use the cloud for large-scale data storage and management. It is a new style of computing that offers dynamically scalable network services to external customers delivered over the Internet. Cloud computing provides a powerful underlying architecture for telemedicine, which is an emerging treatment mode for delivering appropriate healthcare services remotely. It enables medical practitioners and patients to communicate over public networks, and patients can acquire medical services via electronic networks conveniently. This will significantly lower social and economic expenses while enhancing medical quality and efficiency.
Cloud computing introduces a new way for medical systems to store and manage medical data, which is a complex task. As wearable devices become more and more powerful, patients can obtain their health information in a timely manner. They can also upload their medical records to the cloud and access them through mobile devices. This helps medical institutions quickly obtain a patient's physical condition in urgent cases for proper medical diagnosis and treatment. Any delay in accessing the medical record at the time of an emergency could cause severe errors, which profoundly affect the patient's therapeutic process. In cloud based telecare medical information systems, the cloud database is responsible for storing patients' critical medical data and updating it as the patient receives treatment. However, storing patients' electronic medical records, such as personal information, medical records, and physiological parameters, on the medical server may expose patients' privacy. Cloud computing offers expansively developing prospects for new and better models of healthcare; it also raises security issues due to new potential avenues for data theft. Hence, safeguarding security and patients' privacy in cloud based telecare medical information systems is very significant. An authentication mechanism is a prerequisite for verifying the legitimacy of all participants and preventing illegal access in distributed systems, such as wireless interface systems [1,2], multiple server architecture based systems [3], smart card based systems [4], and mobile radio systems [5,6]. Furthermore, anonymous authentication can protect users' anonymity and prevent the disclosure of private information [7,8]. Therefore, a secure authentication protocol is a proper solution for providing security and privacy for TMIS [9-11]. Hitherto, authentication protocols for integrating telemedical systems into cloud computing environments have recently drawn significant attention from academia [12-20].
In 2012, Padhy et al. [12] introduced a cloud based model for rural healthcare systems. In 2013, Banerjee et al. [13] presented a new architecture for a cloud based healthcare application to serve patients in emergencies. Nevertheless, their scheme is unable to offer confidentiality of transmitted data. One year later, Chen et al. [14] proposed a medical data exchange protocol for the cloud computing environment. In their scheme, patients and doctors can conveniently access medical resources outsourced to the cloud. Unfortunately, their scheme could not resist impersonation attacks or provide patient anonymity. To fix the defects, a modification was developed in the same year [15]. In 2016, Chiou et al. [16] showed that their scheme still lacks privacy protection and message authentication. Then, the authors proposed a new privacy authentication scheme based on cloud for TMIS which provided a "real" and complete telemedicine system. However, in 2007, Mohit et al. [17], Cheng et al. [20], and Li et al. [18] showed that Chiou et al.'s protocol fails to preserve patients' privacy and forward security and suffers from a mobile device stolen attack, respectively. Meanwhile, Mohit et al. [17] and Cheng et al. [20] both presented an improved mechanism for cloud-assisted medical care systems. Recently, Li et al. [19] pointed out that Mohit et al.'s proposal was also susceptible to health report revelation and inspection report forgery attacks. In Cheng et al.'s scheme [20], the inputs of the bilinear maps are generators of the corresponding cyclic groups, rather than random numbers from the integer field   . This will bring about errors in the authentication process.
In this paper, we design a telemedical information model based on cloud authentication which allows patients to remotely access medical services with privacy. Further, we discuss its security and prove that it can withstand various attacks. Compared with the state of the art, our scheme provides formal security proofs and achieves better efficiency in terms of computation cost. Performance and functionality analysis shows that it is more secure and practical for cloud based telemedicine systems.
The remainder of this paper is organized as follows. Section 2 describes our robust cloud based authentication scheme for TMIS, and Section 3 formally proves its security. Subsequently, we compare the performance with previous schemes in Section 4. Finally, we draw conclusions in Section 5.

The Proposed Scheme
In this section, we present an anonymous authentication scheme on the basis of cloud for the medical environment. There are five participants in our scheme: patients , the healthcare center , doctors , the cloud , and sensors . The healthcare center is a trusted medical center. The cloud servers have the authority to store patients' medical data, which can be accessed by patients and doctors remotely. Sensors collect and measure the patient's health information in a timely manner. In Figure 1, we depict the structure of the cloud based authentication system for TMIS in simplified form.
Our scheme consists of four phases, which are described as follows. In order to initialize this protocol, the key generation center () chooses a multiplicative cyclic group  and a generator  ∈  of order , where  is a large prime number. Then  selects random numbers   ∈   ( = {, , , }) and computes   =    mod . Finally,  issues the public key and secret key pairs (  ,   ) to the participants.
We list the used notations of the proposal as follows.(  1, patient  makes a health inspection in the healthcare center  and  uploads the generated inspection record to the cloud server .In Figure 2, we will further describe the authentication process of the phase.
Step 1. After generating the inspection report,  selects a random number   and computes , where  1  is the current timestamp. After that, it sends {  ,  1 ,  1   ,  1 } to the cloud .
Step 3. Upon receiving the reply message,  checks the validity of

Patient Uploading Phase.
As shown in steps 2.1 and 2.2 in Figure 1, patient  collects health information   measured by body sensors  and can upload the health data to the cloud. In Figure 3, we depict the detailed process.
Step 1. When 's mobile phone collects the measured information, it generates the timestamp  1   and a random number Step 2. After receiving the messages,  verifies the freshness of is the acquired timestamp. Finally,  transmits { 4 ,  7 ,  2 ,  3   } to patient .
Step 3. On receiving the response,  checks the validity of Step 4. On receiving the reply message,  decrypts  8 with   and obtains   ,  4 ,    7 . After that, the cloud server verifies 's validity by checking whether   7 equals  7 . If so,  stores  4 in 's storage space to replace  2 ; otherwise, it resumes the procedure.

Treatment Phase.
As shown in steps 3.1 and 3.2 in Figure 1,  is appointed by  and obtains 's identity   and appointment sequence value . Subsequently,  can download 's inspection report and measured health information from , and can also upload the diagnosis records with his/her signature to . The details of the execution steps are further illustrated in Figure 4.
Step 3. On receiving { 6 ,  11 ,  4 ,   1, patient  can access the cloud to obtain the medical record via the mobile phone.In Figure 5, we depict the detailed process of the phase.
Step 1.  generates the timestamp  2   and a random number , where V  and  6  are the generated random value and the acquired timestamp, respectively. After that,  sends { 8 ,  15 ,  6 ,  6   } to .
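The building blocks that every phase above relies on (KGC key generation y = g^x mod p, a random nonce and timestamp per message, a shared key derived from the other party's public key, a hash tag checked with a freshness window, and symmetric encryption of the record) are shown below in one patient-to-cloud upload. This is an added illustration, not the paper's exact message format: the toy group parameters, the HMAC tag standing in for h(K ‖ T1), the SHA-256 keystream standing in for AES, and the 5-second window are all constructed assumptions.

```python
"""Illustrative model of the setup phase and one timestamped, authenticated
patient -> cloud upload; added example, not the paper's exact protocol."""
import hashlib
import hmac
import secrets

# Constructed demonstration group: p = 2q + 1 is a safe prime and g = 4
# generates the order-q subgroup. Far too small for real use; substitute a
# 2048-bit group such as an RFC 3526 MODP group in practice.
P, Q, G = 1019, 509, 4
DELTA = 5  # assumed freshness window in seconds (the paper's "delta")
NBYTES = (P.bit_length() + 7) // 8

def keygen():
    """KGC step for one participant: x in Z_q*, y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x  # (public y, secret x)

def derive_key(shared):
    """Session key K = H(g^{xr}); hashing the group element gives uniform bytes."""
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()

def keystream_xor(key, nonce, data):
    """Stand-in for AES (stdlib has none): SHA-256 counter-mode keystream.
    Deterministic per (key, nonce), so the same call encrypts and decrypts."""
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def patient_upload(y_cloud, record, now):
    """Patient side: nonce r, C = g^r, K from y_cloud^r, tag V = HMAC_K(T1)
    (standing in for h(K || T1)), E = Enc_K(record). Returns the message."""
    r = secrets.randbelow(Q - 1) + 1
    c = pow(G, r, P)
    key = derive_key(pow(y_cloud, r, P))
    t1 = int(now).to_bytes(8, "big")
    tag = hmac.new(key, t1, hashlib.sha256).digest()
    return {"C": c, "T1": t1, "V": tag, "E": keystream_xor(key, t1, record)}

def cloud_verify(x_cloud, msg, now):
    """Cloud side: freshness check 0 <= T2 - T1 <= delta, subgroup check on C,
    recompute K = C^x and the tag, compare, then decrypt. Record or None."""
    age = int(now) - int.from_bytes(msg["T1"], "big")
    if not 0 <= age <= DELTA:  # stale or replayed
        return None
    if not 1 < msg["C"] < P or pow(msg["C"], Q, P) != 1:  # not in subgroup
        return None
    key = derive_key(pow(msg["C"], x_cloud, P))
    expect = hmac.new(key, msg["T1"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, msg["V"]):  # forged or modified
        return None
    return keystream_xor(key, msg["T1"], msg["E"])

def demo():
    """Constructed run: honest upload, a replay past the window, a swapped C."""
    y_c, x_c = keygen()
    record = b"HR=72;BP=120/80"  # constructed sensor reading
    msg = patient_upload(y_c, record, now=1000)
    ok = cloud_verify(x_c, msg, now=1002)
    replay = cloud_verify(x_c, msg, now=1000 + DELTA + 1)
    tampered = cloud_verify(x_c, dict(msg, C=pow(G, 7, P)), now=1002)
    return ok, replay, tampered
```

The replay and tampering cases show why the timestamp must be bound into the tag: a stale message fails the window check, and a message whose group element was replaced fails the tag check even though the element itself is valid.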

Security Proof
In this section, we prove our scheme secure in the standard model. We reduce the security of our authentication scheme to basic cryptographic primitives [21,22]. To achieve this goal, we first introduce the definitions of security, a structured security model, and the basic assumptions. Then we use all of them to prove the result.
Definition 1 (semantic security). For an arbitrary security parameter , we say the scheme has semantic security if and only if any polynomial time adversary has a negligible advantage against the scheme.
The definitions are inherited and modified from the methodology of Bellare, Pointcheval, and Rogaway [23], and the game-based structure [24] is used to prove that this scheme achieves semantic security. Security Model. In the security model, the adversary plays a game with an oracle. The oracle runs the real protocol and answers the adversary's queries to simulate the real interaction of participants. After a range of queries, the adversary gains different capabilities. When  The complexity assumptions needed for proving the security of our scheme are reviewed as follows: Assumption 2 (DDH). Let  be a cyclic group of order ,  ∈  a generator, and ,  ∈  *  . Given only   and   , it is hard to decide whether a given element of  equals   .
We denote the upper bound of adversaries' advantage against DDH as   . So   should be negligible if the assumption holds.

Assumption 3 (hash). There exists a secure one-way hash function that achieves strong collision resistance.
We denote the advantage of adversaries against the hash function as  ℎℎ . So  ℎℎ should be negligible if the assumption holds.
Assumption 4 (signature). There exists a secure digital signature scheme.
We denote the advantage of adversaries against this signature scheme as   . So   should be negligible if the assumption holds.

Assumption 5 (encryption). There exists a symmetric encryption scheme that achieves CPA security.
We denote the advantage of adversaries against this encryption scheme as   . So   should be negligible if the assumption holds.
Proof. Let A be a PPT adversary attacking the protocol. We use a series of games to bound the advantage of A. The advantage of A in Game  is defined as The games used to bound the advantage of A are listed in the following. We analyse the advantage difference between adjacent games and bound it. Game 0 is the real protocol.
Game 0. A interacts with the initial security model.

Game 1. In this game, we modify Execute queries. When the states of   ,   , and  are all void, B simulates a real protocol but replaces  1 ,   ,  5 ,   ,  9 ,   ,  13 and    with random numbers in .

Lemma 1. |𝐴𝑑V
Proof. We just replace the s of the traditional DH protocol with random numbers. The advantage difference between the two games is caused by the DDH problem. Hence, Lemma 1 follows from the DDH assumption.
Game 2. This game is based on Game 1 and we also modify Execute queries. When the states of   ,   , and  are all void, B simulates a real protocol but replaces  2 ,  3 ,  6 ,  7 ,  10 ,  11 ,  14 ,  15 with uniform random numbers in the range of the hash function.

Lemma 2. |𝐴𝑑V
Proof. We just replace the real hash results with random numbers. Without knowledge of the inputs, the probability that A can distinguish the real hash results from random numbers is less than the advantage of A against the hash function. Hence, if the hash function is secure, the probability is negligible.
Proof. We just replace the encryption results with random numbers. Without knowledge of the inputs, the probability that A can distinguish the real encryption results from random numbers is less than the advantage of A against the CPA-secure symmetric encryption. If the symmetric encryption is secure, the probability is negligible.
In Game 6, we note that   and   of the Test query are both uncorrupted. For any uncorrupted , the Execute and Send queries are all randomized. So in Game 6, the advantage of A is zero. Thus we can compute V 0 as follows: which is a negligible value.

Performance and Functionality Analysis
Herein, we evaluate the performance and functionality of the proposed scheme and compare it with three related schemes for cloud based telemedicine systems: Chen et al.'s scheme [15], Chiou et al.'s scheme [16], and Cheng et al.'s scheme [20].
The comparisons of the key security properties among these systems are given in Table 1. It is evident that our scheme achieves all security properties and is superior to the other three related schemes. Chen et al.'s scheme [15] fails to provide anonymity and complete mutual authentication, while Chiou et al.'s scheme [16] does not achieve complete mutual authentication. Furthermore, Cheng et al.'s scheme [20] does not preserve users' privacy, complete mutual authentication, or confidentiality. Note that the proposed scheme offers important security features and is better suited to the cloud based telemedicine environment.
Meanwhile, we present the comparisons of efficiency in terms of computation loading among these schemes in Table 2. Compared with the other three related schemes, the proposed scheme does not need to perform bilinear pairing and provides additional security features. Furthermore, our scheme is provably secure in the standard model.
More detailed efficiency comparisons are shown in Figures 6 and 7. We implement the cloud side of the authentication schemes for cloud based telemedicine systems in Python 3.5.2 using an Intel(R) Core(TM) i5-4590 CPU @ 3.30GHZ with 3300MB RAM and Ubuntu 16.04 system. The simulation platforms for the healthcare center, patients, and doctors are implemented in Python 3.5.2 using an Intel(R) Core(TM) i5-4590 CPU at 1.65GHZ with 1540MB RAM and Ubuntu 16.04 system. The one-way hash function used is SHA-256, and the symmetric encryption/decryption algorithm is the Advanced Encryption Standard. We use the ElGamal signature scheme and the ElGamal encryption scheme with a 1024-bit security parameter for the digital signature algorithm and the asymmetric encryption/decryption algorithm, respectively. Moreover, the bilinear pairing is simulated in two MNT asymmetric groups, "MNT224". Figure 6 shows the main cost on the cloud of interacting with multiple patients and doctors for authentication simultaneously. It demonstrates that our proposal costs the cloud less time to authenticate doctors and patients. Figure 7 illustrates the main cost on the healthcare center, patients, doctors, and cloud for one round of authentication in the healthcare center uploading phase, patient uploading phase, treatment phase, and checking report phase, respectively.
From Figure 7 we can conclude that our scheme is the most efficient at completing one round of mutual authentication.

Conclusion
In this article, we proposed an anonymous authentication scheme based on cloud for the medical environment, which provides both data confidentiality and message authenticity. Subsequently, we showed that the proposed scheme is provably secure in the standard model. The comparisons with existing competitive protocols also show that our scheme is suitable for cloud based telecare medical information systems.

Data Availability
The data used to support the findings of this study are included within the article.
Wireless Communications and Mobile Computing

Figure 6: Cost time on cloud computing.

Figure 7: Cost time on healthcare center, patients, doctors, and cloud.
i)   : the identity of and compares it with the decrypted  2 . If the equivalence holds, the legitimacy of  is assured. Then  generates a random number   and acquires the timestamp  1  to compute  2 =    ,   =    1 =      , and  3 = ℎ( (  ,   ),  4 =    (  ,  2 ,  3 ) and uploads  4 to the cloud. Step 4. On receiving  4 ,  decrypts it with   to recover   ,  2 ,   3 and verifies whether   3 is equal to  3 . If so, the healthcare center is authentic. After that, it verifies whether  is a new user. If  is a new user,  stores (  ,  2 ) in a new storage space; else, it stores  2 in 's database.
1  ) and compares   3 with the received  3 . If they are not equal, the uploading phase is abandoned by ; else,  signs 's medical report   = (  ,   ,   ) with its secret key:   =    (  ). Note that   is the current timestamp when  makes the health inspection. After that,  calculates  2 =      (  ,   ) = 1  by checking whether  2  −  1  ≤ △ holds. If it is valid,  decrypts  3 to obtain the values   and  6 with the computed   5 = =      . After that,  calculates   6 = ℎ(    ‖  1  ) and verifies whether the equation   6 =  6 holds. If it does,  is a legitimate user. Then  selects random numbers   and computes  4 3  ) and verifies that  7 is valid by checking whether   7 =  7 holds. If so,  decrypts  2 with the computed     to recover   = (  ,   ,   ) and   . Subsequently, he/she verifies the validity of 's signature   . If   is valid,  chooses a random number  and computes  4 =      (  ,   ,   ) =       (  ,   ,   ), where   = (  ,   ,   ) is the collected measured data. Note that   is the current timestamp when the body sensors  monitor 's physical condition. Then  calculates  8 =    (  ,  4 ,  7 ) and uploads  8 to .
the adversary finishes the training and obtains enough messages, the oracle should answer the Test query once. Finally, we judge whether the adversary wins or loses by what the adversary gets. The adversary and the oracle are denoted by A and B, respectively. Init: before replying to queries of A, B generates the system parameters, including the security parameter , a multiplicative cyclic group , and a generator  ∈  of order , where  is a large prime number related to . Then B selects random numbers   ∈   and computes   =    mod  for  ∈ {, , , }. We note that in a complete system  and  are not unique. Then B prepares public key and secret key pairs denoted by (   ,    ) and (   ,    ) for   and   , where  ∈ [1,] and  ∈ [1,]. B marks all  and  with the void state. Then it maintains a list of  recording simulated conversations.    ,  represents the th conversation between   and   . Noticeably, any  has a void state before being invoked. After the init phase, A is allowed to make queries for simulating the real protocol. Corrupt(  ): B gives    back to A and marks the state of   as corrupted. Corrupt(  ): B gives    back to A and marks the state of   as corrupted. If the state of     ,  is void, B executes a real conversation and gives  (being used to encrypt ) to A.
Then the state of     ,  is changed into revealed. (2) Else, if the state of     ,  is not void, B answers A according to the conversation in the list and adds revealed to its state. When one or both of   and   are corrupted, B checks the state of     ,  . (a) If void, B executes a real conversation, gives A the data transferred over the network, and changes the state of     ,  into executed. (b) Else, if not void, B answers A using the conversation in the list and adds executed to its state. (2) When neither of   and   is corrupted, B checks the state of     ,  . b) Else, B outputs that A is refused. (2) When neither of   and   is corrupted, B answers A as follows. (a) If the message is verified successfully, B answers A as in the real protocol and adds this conversation to the list with the sent state. (b) Else, B outputs that A is refused. Test( 0 ,  1 ): B chooses   and   whose states are both void. Then it randomly chooses a coin  and simulates a real conversation with input   . A guesses the value of .
,  ): this query simulates abuse of session keys. (a) If void, B executes a real conversation, gives A the data transferred over the network, and changes the state of     ,  into executed. (b) Else, if not void, B answers A using the conversation in the list and adds executed to its state. Send(  ,   , Message): this query simulates active attacks. (1) When one or both of   and   are corrupted, B executes a real conversation to answer A. (a) If the message is verified successfully, B answers A as in the real protocol and adds this conversation to the list with the sent state. (

Table 1: Comparisons of properties.

Game 3. This game is based on Game 2 and we modify Execute queries. When the states of   ,   , and  are all void, B simulates a real protocol but replaces  1 ,  2 ,  4 ,  3 ,  4 ,  8 ,  5 ,  6 ,  12 ,  7 ,  8 ,  16 with uniform random numbers in the range of the encryption.
Lemma 3. |V 2 − V 3 | ≤ .
Proof. We just replace the symmetric encryption results with random numbers. Without knowing the inputs, the probability that A can distinguish the real encryption results from random numbers is less than the advantage of A against the CPA-secure symmetric encryption. Thereby, if the symmetric encryption is secure, the probability is negligible.
Game 4. This game is based on Game 3 and we modify Send queries. When the states of   and   are both void, B simulates a real protocol but replaces  1 ,   ,  5 ,   ,  9 ,   ,  13 and    with random numbers in .
Game 5. This game is based on Game 4 and we modify Send queries. When the states of   and   are both void, B simulates a real protocol but replaces  2 ,  3 ,  6 ,  7 ,  10 ,  11 ,  14 ,  15 with uniform random numbers in the range of the hash function.
Game 6. This game is based on Game 5 and we also modify Send queries. When the states of   and   are both void, B simulates a real protocol but replaces  1 ,  2 ,  4 ,  3  4 ,  8 ,  5 ,  6 ,  12 ,  7 ,  8 ,  16 with uniform random numbers in the range of the encryption.

Table 2: Comparisons of computation loading.
  : time consumption for executing a symmetric encryption/decryption operation.
  : time consumption for executing a modular exponentiation operation.
  : time consumption for executing a bilinear pairing operation.
  : time consumption for generating/verifying a signature.
  : time consumption for executing an asymmetric encryption/decryption operation.
  : time consumption for executing a multiplication operation.
 ℎ : time consumption for executing a hash function.