ECC-based lightweight authentication and access control scheme for IoT E-healthcare

The E-healthcare system has a complex architecture, diverse business types, and sensitive data. To meet the secure communication and access control requirements of the user-medical server, user-patient, patient-medical server, and other scenarios in the E-healthcare system, secure and efficient authenticated key agreement and access authorization schemes need to be studied. However, the existing multi-server solutions do not consider the authentication requirements of the Wireless Body Area Network (WBAN) and are not suitable for the user-patient and patient-medical server scenarios; most of the existing WBAN authentication schemes are of the single-server type, which can hardly meet the requirements of multi-server applications, and the study of real-time user-patient scenarios has not received due attention. This work first reveals the structural flaws and security vulnerabilities of existing typical schemes, then proposes an authentication and access control architecture suitable for multiple scenarios of the E-healthcare system with separation of management and business, and designs a novel ECC-based multi-factor remote authentication and access control scheme for E-healthcare using a physically unclonable function (PUF) and hash. Security analysis and efficiency analysis show that the new scheme achieves improved functionality and higher security while maintaining low computational and communication overhead.


Introduction
In the near future, the medical industry will incorporate more artificial intelligence, sensor technology, and other high technologies to create smart hospital systems, regional health systems, and home health systems. They will use advanced Internet of Things technology, cloud computing, big data, and artificial intelligence to achieve seamless interaction between patients and medical staff, medical institutions, and medical equipment, and make medical services truly digital and intelligent. Through the wireless network, a portable personal digital assistant (PDA) is used to easily connect various diagnostic and therapeutic instruments, so that medical staff can grasp the patient's medical record information and the latest diagnostic report at any time and quickly formulate a diagnostic program anytime, anywhere; authorized medical staff and family members of patients can access the telemedicine server at any time and any place to query medical image data and medical orders; the patient's referral information and medical records can be accessed through medical networking at any hospital; and special groups such as patients with chronic diseases, old and young patients, people with mental retardation or disability, and patients with infectious diseases can be monitored and taken care of through the telemedicine system.
For secure communication and access control among all these entities, we need a secure mutual authenticated key agreement and access authorization mechanism that can provide authentication between body sensors and personal gateways, personal gateways and health servers, personal gateways and users (i.e., medical staff and family members of patients), and health servers and users, and that can authorize users and patients to access medical servers, and users to access patient sensors. However, the E-healthcare system has several characteristics that prevent existing authentication and authorization schemes from being applied directly. Its network structure is complex: the server side is mostly secure and stable Ethernet, the user side is mostly WLAN or cellular mobile communication network, and the patient side is a wireless sensor network. Some nodes are resource-constrained devices: most medical servers are high-performance server clusters or cloud servers, the user-side devices are mostly personal computers or mobile smart terminals, and, except for the relatively rich gateway on the patient side, the remaining sensors and other devices are cheap terminals with limited batteries, storage, and computing power. Finally, the interaction data involve individuals' privacy (such as the patient's name, home address, medical records, blood test results, DNA sequence, and other sensitive data).

Motivation
The drawbacks of existing schemes fall into two aspects: architecture flaws and security vulnerabilities.
(1) Session key initialization between users and patients requires the assistance of a particular medical server, which is not in line with the design concept of separation of management and application.
(2) Single-server mode cannot meet the application needs of a multi-server environment (Kumari et al. 2020). Common multi-server authentication schemes (Amin et al. 2019; Barman et al. 2019; Feng et al. 2018; He and Wang 2015; Lwamo et al. 2019; Odelu et al. 2015; Qi et al. 2018; Roy et al. 2019; Yao et al. 2019a, b) can meet the authentication or authorization requirements of the user-server scenario, but no solution covering multiple scenarios is proposed, and many schemes (Amin et al. 2019; Lwamo et al. 2019; Roy et al. 2019) that do not use a public key system suffer from weak anonymity (Wang et al. 2016, 2020b).
(3) There are fewer schemes for the patient-server scenario, and most existing schemes (Aghili et al. 2019; Amin et al. 2018; Kirsal Ever 2018; Wazid et al. 2018; Zhang et al. 2018) are in the WBAN-server mode.
(4) There are few schemes for the patient-user scenario. The few that exist also adopt the patient-server-user mode, which does not meet the requirement of separation of management and business (Wazid et al. 2018; Fu et al. 2018).
(5) There are still some general security flaws in the existing schemes. Most schemes (Amin et al. 2019; Lwamo et al. 2019) that do not use public key cryptography suffer from weak anonymity (Roy et al. 2019; Wang et al. 2020b). Some schemes (Feng et al. 2018; Lwamo et al. 2019) lose forward security once ephemeral secrets are acquired by the adversary (Yao et al. 2019b). Some schemes (Feng et al. 2018; Lwamo et al. 2019; Banerjee et al. 2019) are vulnerable to smart card loss attacks due to poor packaging of secrets in the smart card, which enables an offline dictionary attack, so that the schemes cannot resist user impersonation or device impersonation attacks (Wang et al. 2020a; Yao et al. 2019b, 2020).
To overcome the above challenges, this work uses PUF and biohash on top of ECC cryptography to propose a secure and efficient multi-server authentication and access control scheme for E-healthcare. The proposal provides mutual authentication and access authorization for the entities of E-healthcare systems.

Our contributions
The contributions of this article are summarized below.
(1) We cryptanalyze existing authentication schemes such as LACO (Aghili et al. 2019), revealing the reasons why their anonymity and forward security are vulnerable and why they cannot resist user impersonation or device impersonation attacks.
(2) We first propose an architecture for authentication and authorization that covers the user-server, patient-server, user-patient, and other scenarios in E-healthcare.
(3) Based on the above architecture, we combine PUF-based patient WBAN authentication with ECC-based remote multi-server authentication and use a hash function to design a remote authentication and access control scheme that integrates the three factors of identity, password, and biometric, named SEMAS.
(4) A formal security proof, an informal security analysis, a comparative analysis of functional and security properties, and a comparative analysis of computational and communication efficiency are given.

Paper outline
The rest of this work is organized as follows. In Sect. 2, we briefly discuss the related work. Basic notations, ECC security assumptions, the physically unclonable function, the communication model, and the threat model definition are described in Sect. 3. LACO is reviewed, and its weaknesses are analyzed, in Sects. 4 and 5, respectively. We describe the details of our scheme in Sect. 6. The security analysis and performance evaluation are given in Sects. 7 and 8, respectively. Finally, we present our conclusions in Sect. 9.

Related work
Existing schemes can be divided into symmetric cryptography-based and public key cryptography-based schemes according to the cryptography they rely on. Although symmetric cryptography-based schemes are generally computationally efficient, they can hardly achieve strong anonymity (Wang et al. 2020b; Yao et al. 2020). Therefore, authentication and access control schemes with privacy protection are usually designed based on public key cryptography. However, most public key cryptography-based schemes are difficult to apply to the IoT environment due to high overhead, such as RSA-based schemes (Lwamo et al. 2019; Dharminder et al. 2020), bilinear-pairing-based schemes (Amin and Biswas 2015; Nikravan and Reza 2020) and chaotic-maps-based schemes (Chatterjee et al. 2016; Roy et al. 2018). In the IoT scenario, the short keys of ECC give it an advantage in balancing resources and efficiency. In 2010, Yang and Yang (2010) propose the first three-factor EDLP-based authenticated key exchange scheme. In the same year, Yoon and Yoo (2013) propose another EDLP-based three-factor authenticated key exchange scheme. However, He (2011) shows that Yoon and Yoo's scheme cannot resist insider attack and hardware factor loss attack and gives an improvement (He and Wang 2015). In 2015, Odelu et al. (2015) show that the anonymity of He et al.'s scheme is vulnerable and that it cannot resist replay attack and user impersonation attack.
Chuang and Chen (2014) also show the anonymity problem of Yoon-Yoo's scheme and use a random number and hash function to construct a lightweight improvement. In 2017, Kumari et al. show that Chuang et al.'s scheme cannot resist intermediate data attacks, user impersonation attack, and forward security attack and propose an improvement using digital signature (Kumari and Om 2017). In 2018, Feng et al. (2018) show that Kumari et al.'s scheme is vulnerable to user anonymity and impersonation attacks, and an improvement is given. However, Yao et al. show that Feng et al.'s scheme has weak anonymity and cannot resist ephemeral secret leakage attacks, which leads to replay attacks and session key security attacks (Yao et al. 2019a). In 2018, Lwamo et al. (2019) find that Kumari-Om's scheme uses too many exponential operations, resulting in excessive computational overhead. They propose a new RSA-based remote authentication scheme for single- and multi-server environments to achieve lower computational overhead and higher security. However, Yao et al. show that the anonymity of Lwamo et al.'s scheme is vulnerable and that it cannot resist hardware loss attack, which leads to offline dictionary attack and user impersonation attack (Yao et al. 2019b). In 2018, Zhang et al. (2018) propose a lightweight three-factor authenticated key agreement scheme for E-health systems that protects user privacy through a dynamic authentication mechanism. In 2019, Aghili et al. (2019) show that Zhang et al.'s scheme suffers from several attacks including desynchronization attack, denial of service attack, and insider attacks, and propose an improved scheme named LACO. Recently, we find that although LACO solves some of the security problems of Zhang et al.'s scheme and also considers ownership transfer in access control, it still has security vulnerabilities and algorithm errors. In 2020, Wazid et al. (2020) propose a new lightweight authentication and real-time data access scheme for cloud-based IoT environments. In 2020, Alsahlani and Popa (2020) show that the Wazid et al. (2020) scheme lacks flexibility and has no access control mechanism. In 2021, Chaudhry et al. (2021) reveal that Wazid et al. (2020) cannot provide mutual authentication between system entities in the case of multiple registered users. To the best of our knowledge, most of the existing symmetric-cryptography-based lightweight authentication schemes have security weaknesses (anonymity and forward security are fragile) and an incomplete structure (lack of an access control mechanism, poor support for multiple business scenarios), and cannot meet the requirements of identity authentication, authorization, and key exchange in IoT E-healthcare environments.

Preliminaries and background
In this section, we describe the preliminaries that are necessary to understand the rest of this work.

Notation
Notations used in this paper and their descriptions are shown in Table 1.

EDLP and ECDH
The elliptic curve over the finite field $F_p$ is a finite cyclic group $G$ satisfying $y^2 = x^3 + ax + b \pmod p$ and containing the point at infinity $O$, where $a, b \in F_p$ and $4a^3 + 27b^2 \neq 0 \pmod p$ (Koblitz 1987). There are two operations on $G$, point addition and scalar multiplication, where scalar multiplication is defined as repeated addition of the same point.
The cryptosystem constructed from the elliptic curve discrete logarithm problem (EDLP) and the elliptic curve Diffie-Hellman problem (ECDH) is widely used in security protocols. The security assumptions of EDLP and ECDH are given by the following two definitions, for any probabilistic polynomial time (PPT) adversary $\mathcal{A}$:
Definition 3.1 EDLP Security Assumption: Given $k \in Z_p$ and $P \in G$, it is easy to calculate $Q = kP \in G$, but given $P, Q \in G$, the advantage $Adv^{EDLP}(\mathcal{A})$ of solving for $k \in Z_p$ is bounded by the negligible probability $negl(\lambda)$.
Definition 3.2 ECDH Security Assumption: Given $P$, $yP$ and $xP \in G$, but unknown $x$ or $y \in Z_p$, the advantage

Physically unclonable function
A physically unclonable function is a physical circuit that maps a unique challenge $C$ to a unique response $R$ based on the random variations introduced by the chip manufacturing process (Böhm and Hofer 2012). The response $R = PUF_l(C)$ of device $l$ is correct if: (2) For any $PUF_l(\cdot)$ and $PUF_l(\cdot)$, , which means that the min-entropy of the $PUF_l(\cdot)$ output is, with high probability, always larger than

Communication model
In a multi-server scenario, medical servers, patients, and users need to register with a registration authority (RA). The local RA is responsible for the management and access authorization of servers, users, and patients in its region, and the central RA (CRA) is responsible for the management of regional RAs and for authentication and authorization between regions. Medical servers such as Electronic Medical Records (EMR) and Hospital Information Systems (HIS) run in central computer rooms with relatively high security. Users such as medical staff, academics, and patients in wards, at home, at work, and on the street need to access the medical servers or each other through the Internet. As shown in Fig. 1, patients and users can access the medical servers after the authentication and authorization obtained from the RA, and users can access the patient's sensors after the authentication and authorization obtained from the RA.

Threat model
According to the widely accepted Dolev-Yao threat model (Dolev and Yao 1983) and the Canetti-Krawczyk adversary model (Canetti and Krawczyk 2002), the adversary $\mathcal{A}$ attacking the E-healthcare multi-server scheme has the ability to fully control the channel and to obtain the ephemeral secrets of a session. Adversary capabilities include:
(1) $\mathcal{A}$ can interfere with communication between entities by means of interception, modification, deletion, insertion, etc.
(2) Medical servers, patient gateways, and sensors are unreliable, and $\mathcal{A}$ can learn long-term secrets from captured devices.
(3) $\mathcal{A}$ has the ability to obtain ephemeral secrets of an incompletely corrupted party.
(4) All servers are honest but curious.

Review of the LACO scheme

Registration
As shown in Fig. 2, when the LACO system is initialized, the server generates the system parameters and issues a sensor with written-in secrets to the patient. When a user registers, the server issues a smart card for subsequent authentication.

Authentication and session key agreement
As shown in Fig. 3, LACO performs smart card login authentication locally before initiating remote authentication, and then sends an authentication request to the server after login. If the user's authentication passes, the server forwards the relevant information to the sensor. If the sensor's check passes, the sensor calculates the session key and directly sends an authenticated key agreement request to the user. If the user's check passes, the user calculates the session key.

Cryptanalysis of LACO scheme
The drawbacks of LACO scheme include three aspects: architecture flaws, fatal algorithm error, and security vulnerability.

The architecture flaws of LACO
A weak system architecture does not meet the needs of future E-healthcare applications.
(1) Session key initialization between medical staff and patients requires the assistance of a particular medical server, which is not in line with the design concept of separation of management and application.
(2) Single-server mode cannot meet the application needs of a multi-server environment. And dynamic updates and revocations of medical staff, patients, and medical servers are not considered.

Fatal algorithm error in LACO
There is a fatal algorithm error in the LACO scheme, causing the protocol to fail to run as expected. In Step 2, the server needs to find, from the user registration list, the $\{X_{ni}, Z_{nl}\}$ that satisfies $h_3 = X_{ni} Z_{nl}$ or $h_3 = h(r_i\, X_{ni}\, Y_{ni})\, h(r_i\, Y_{ni}\, Z_{nl})$, and then achieves authentication of $ID_i$. However, $ID_j$ and $ID_i$ perform updates in Step 4 and Step 5, respectively, while $B_{ni}$ has not been updated in the user's smart card, which means that $ID_i$ still calculates with the old $B_{ni}$ whereas the server calculates with the updated value. Obviously the two results differ, so the protocol is aborted here.

The security drawbacks of LACO
In addition to the architectural flaws and the algorithm error, LACO also has security flaws: lack of session key privacy, inability to resist user impersonation attack, weak multi-factor security, and a forward security vulnerability.
(1) Lack of session key privacy: During the authentication and key agreement phase of LACO, the server is able to calculate the session key $ss_s = h(A_l \| ID_l \| K_u \| K_p)$ between the user and the patient.
(2) Cannot resist user impersonation attack: If the adversary $\mathcal{A}$ obtains the secret $\{ID_l, Cr_l\}$ in the sensor's memory, she/he can bypass the server authentication, impersonating the server to forge $M^*_2$ to pass the $ID_l$ authentication and establish a session with it. Details are as follows: and sends $M^*_2$ to $ID_l$; and sends $M_3$ to $\mathcal{A}$; Step 4: $\mathcal{A}$ calculates $K_p = h_9 \oplus K^*_u$ and $ss_A = h(A^*_l \| ID_l \| K^*_u \| K_p)$ after receiving $M_3$; a session between $\mathcal{A}$ and the patient is established.
(3) Multi-factor security vulnerability: When $\mathcal{A}$ knows the biometric $B_i$ and the smart card secrets $\{A_{1i}, B_{1i}, X_{ni}, Y_{ni}\}$, although LACO has anonymity, since the user ID and password are low-entropy short strings, the probability that $\mathcal{A}$ guesses the user password within 100 attempts is 32% to 73% (Wang et al. 2016). When $\mathcal{A}$ knows the user password $PW_i$ and the smart card secrets $\{A_{1i}, B_{1i}, X_{ni}, Y_{ni}\}$, $\mathcal{A}$ can use a center search attack to derive the user's biometric information (Simoens et al. 2012).
(4) Forward security vulnerability: Once the sensor's secret information is leaked, $\mathcal{A}$ will be able to derive the session key between the user and the patient from the captured $M_3$ and $M_4$. Details are as follows:

Proposed scheme
To overcome the architectural flaws and security drawbacks of previous authentication protocols such as LACO (Aghili et al. 2019) adopted for E-health systems, we propose a secure and efficient protocol called SEMAS. In addition to providing privacy-preserving mutual authentication, key agreement, and access control, and resisting known Internet attacks, the proposal also meets the authentication and access control requirements of the E-healthcare multi-server scenario.
The proposed scheme consists of six important phases: Initialization, Registration, Authentication and Key Agreement, Password Update, and Ownership Transfer.

Initialization
RA initializes the system parameters: it selects a finite field $F_p$ with a large prime $p$ as the order and defines an elliptic curve $E_p$ over it, then selects an additive group $G$ with order $q$ and generator $P$ over $E_p$, then selects the system private key $sk \in F_p$ and computes the public key $PK = sk \cdot P$, and finally selects the secure hash algorithm $h(\cdot)$, the biohash algorithm $h_b(\cdot)$ and the physically unclonable function algorithm $PUF(\cdot)$ and publishes the public parameters $\{P, PK, E_p, h(\cdot), h_b(\cdot)\}$.

Registration
As shown in Fig. 4, during the registration phase, medical servers, users, and patients need to register with the RA in a secure manner. Details are as follows:

Medical server registration
(1) The server selects its identity $ID_j$ and sends the tuple $\{ID_j\}$ to RA.
(2) After RA verifies that $ID_j$ is valid, it selects a random number $r_j$, calculates the credential $Cr_j$, sends the tuple $\{Cr_j\}$ to $ID_j$, and writes $\{ID_j, r_j\}$ to the server registration list $L_S$.
(3) $ID_j$ writes $\{ID_j, Cr_j\}$ to its memory.

User registration
(1) The user selects an identity $ID_i$ and password $PW_i$, generates the biometric $B_i$, calculates $\alpha_i$, $\beta_i$ and sends $\{ID_i, \alpha_i, \beta_i\}$ to RA.
(2) After RA verifies that $ID_i$ is valid, it selects a random number $r_i$, calculates the credential $Cr_i$, $\eta_i$ and $\gamma_i$, returns a message of successful registration, and writes $\{ID_i, r_i, \eta_i, \gamma_i\}$ to the user registration list $L_U$.
Fig. 4 Registration phase of our scheme

Patient registration
(1) The patient selects an identity $ID_k$ and password $PW_k$, generates the biometric $B_k$, calculates $\alpha_k$, $\beta_k$ and sends the tuple $\{ID_k, \alpha_k, \beta_k\}$ to RA.
(2) After RA verifies that $ID_k$ is valid, it selects a random number $r_k$ and calculates the credential $Cr_k$, $\eta_k$ and $\gamma_k$; RA selects a sensor $ID_l$ according to the needs of $ID_k$, generates a random number $C_l$ and writes $\{h_b(\cdot), PUF(\cdot)\}$ to $ID_l$'s memory.
(3) $ID_l$ calculates $R_l = h_b(PUF(C_l))$ and $\alpha_l = R_l \oplus ID_l$, inserts $\alpha_l$ into $ID_l$'s memory, and RA issues it to $ID_k$.
(4) RA writes $\{ID_k, r_k, \eta_k, \gamma_k, \{ID_l\}\}$ to the patient registration list $L_P$ and sends the tuple $\{Cr_k, \{ID_l, R_l, C_l\}\}$ to $ID_k$.
(5) The patient gateway $ID_k$ calculates $\kappa_k$, $\beta_l$ and $\gamma_l$ and writes $\{\kappa_k, \{ID_l, \beta_l, \gamma_l\}\}$ to its memory.

Authentication and session key agreement
As shown in Figs. 5 and 6, during the authentication and key agreement phase, users and servers, and users and patients, can achieve authenticated key agreement and access authorization under RA authentication and authorization. The patient-server authentication is similar to the user-server case and is not repeated here. The process by which user $ID_i$ and patient $ID_k$'s sensor $ID_l$ mutually authenticate and establish a secure session is as follows:
(4) After the patient gateway $ID_k$ verifies that the timestamp is valid, it derives $ID_l$ and $ID_i$ from $h_{23}$ and $h_{24}$, calculates $Cr_k$, and derives $R_l$ and $C_l$ from $\beta_l$ and $\gamma_l$, respectively; $ID_k$ calculates $h_{29} = h(ID_l \| C_l \| R_l \| T_9)$ and sends the tuple $\{C_l, h_{29}, T_9\}$ to sensor $ID_l$.
(5) After $ID_l$ verifies that the timestamp is valid, it calculates …; if … is false, it aborts the protocol, else it calculates the session key $ss_{lk} = h(R_l \| T_{10})$ between $ID_l$ and $ID_k$, calculates $R^*_l = h_b(PUF_l(h(C_l \| T_9)))$, updates $\alpha_l = \alpha^*_l = R^*_l \oplus R_l \oplus \alpha_l$, calculates $h_{30}$, and sends the tuple $\{R^*_l \oplus R_l, h_{30}, T_{10}\}$ to $ID_k$.
(6) After verifying that the timestamp is valid, $ID_k$ calculates the session key $ss_{kl} = h(R_l \| T_{10})$ between $ID_k$ and $ID_l$ and updates $\beta^*_l = R^*_l \oplus R_l \oplus Cr_k \oplus R_l$, $\gamma^*_l = h(C_l \| T_9) \oplus Cr_k$.
(7) If $h_{30} = h(ID_l \| C_l \| R_l \| R^*_l \| ss_{kl} \| T_{10})$ is false, $ID_k$ aborts the protocol and returns $\bot$; else it derives the access control string $r_{ik}$, and if $h_{27} = h(h_{23} \| h_{24} \| h_{25} \| r_{ik} \| \beta_k)$ is false, it aborts the protocol, else it calculates the session key $ss_{ki} = h(ID_i \| r_{ik} \| r_5 h_{14})$ and the digest $h_{31}$, sends the tuple $\{h_{19}, h_{26}, h_{28}, h_{31}, T_{11}\}$ to $ID_i$ to request authentication, initializes the time to live of the access control string $r_{ik}$ to $T_{ikl} = T_{11}$, calculates the access control label $A_{ikl} = h(ID_i \| ID_l \| r_{ik})$, and writes the tuple $\{A_{ikl}, ID_i, ID_l, T_{ikl}, r_{ik}\}$ to its cache.
In fact, the user checks the validity of the relevant access control authorization before initiating an authentication request; that is, if $T_{current} - T_{ikl} \le \Delta L$ is true, the session key is negotiated directly using $r_{ik}$; otherwise, the authentication and authorization requests are initiated according to the algorithm shown in Fig. 6, and $ID_k$ and $ID_l$ still use the dynamic shared secret $R_l$ to achieve authenticated key agreement. Details are as follows: (1) If $T_6 - T_{ikl} \le \Delta L$ is true, $ID_k$ selects a random number $r_4$ and inputs $ID_i$, and calculates $h_{14} = r_4 P$, $h_{15} = ID_i \oplus h(r_{ik} \| 1)$, $h_{16} = ID_l \oplus h(r_{ik} \| 2)$ and
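The gateway-to-sensor leg of steps (4) to (7) and the user-side ΔL check on a cached r_ik, as an added Python simulation that is not the paper's code. It assumes SHA-256 for h(·), a plain hash standing in for the biohash h_b(·), an HMAC keyed with a per-chip secret standing in for PUF_l(·), a freshness window for the timestamp checks, that β_l = R_l ⊕ Cr_k and γ_l = C_l ⊕ Cr_k (inferred from the update rules of step (6)), and that in step (5) the sensor recomputes h_29 from its PUF response, since that part of the step is truncated above.

```python
import hashlib
import hmac
import os

ID_L = b"SENSOR-0001".ljust(32, b"\x00")  # constructed 32-byte sensor identity

def h(*parts: bytes) -> bytes:
    """h(.): hash of the concatenation of its inputs (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()

def h_b(data: bytes) -> bytes:
    """h_b(.): the paper's biohash, modelled here as a plain hash (assumption)."""
    return hashlib.sha256(b"biohash|" + data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == 32
    return bytes(x ^ y for x, y in zip(a, b))

ts = lambda t: t.to_bytes(8, "big")  # timestamp encoding (assumption)

class Sensor:
    """Sensor ID_l: memory holds only {h_b, PUF, alpha_l}; the identity is
    recovered as ID_l = alpha_l xor R_l, so it is never stored in clear."""
    def __init__(self, puf_secret: bytes):
        self._puf_secret = puf_secret  # stands in for the chip's physical randomness
        self.alpha_l = self.session_key = None

    def puf(self, challenge: bytes) -> bytes:
        # Keyed function as a constructed stand-in for PUF_l(.), not a real PUF.
        return hmac.new(self._puf_secret, challenge, hashlib.sha256).digest()

    def enroll(self, id_l: bytes, c_l: bytes) -> bytes:
        """Registration step (3): R_l = h_b(PUF(C_l)), alpha_l = R_l xor ID_l."""
        r_l = h_b(self.puf(c_l))
        self.alpha_l = xor(r_l, id_l)
        return r_l

    def step5(self, c_l: bytes, h29: bytes, t9: int, t10: int, max_skew: int):
        """Authentication step (5); returns {R*_l xor R_l, h_30, T_10} or None."""
        if not 0 <= t10 - t9 <= max_skew:
            return None
        r_l = h_b(self.puf(c_l))
        id_l = xor(self.alpha_l, r_l)
        if not hmac.compare_digest(h29, h(id_l, c_l, r_l, ts(t9))):
            return None
        self.session_key = h(r_l, ts(t10))                  # ss_lk
        r_star = h_b(self.puf(h(c_l, ts(t9))))              # R*_l for the next round
        self.alpha_l = xor(xor(r_star, r_l), self.alpha_l)  # = R*_l xor ID_l
        h30 = h(id_l, c_l, r_l, r_star, self.session_key, ts(t10))
        return xor(r_star, r_l), h30, t10

class Gateway:
    """Gateway ID_k: beta_l = R_l xor Cr_k and gamma_l = C_l xor Cr_k are
    inferred from the update rules of step (6)."""
    def __init__(self, cr_k: bytes, id_l: bytes, r_l: bytes, c_l: bytes):
        self.cr_k, self.id_l, self.session_key = cr_k, id_l, None
        self.beta_l, self.gamma_l = xor(r_l, cr_k), xor(c_l, cr_k)

    def step4(self, t9: int):
        """Unmask R_l and C_l with Cr_k and build {C_l, h_29, T_9}."""
        r_l, c_l = xor(self.beta_l, self.cr_k), xor(self.gamma_l, self.cr_k)
        self._pending = (r_l, c_l, t9)
        return c_l, h(self.id_l, c_l, r_l, ts(t9)), t9

    def step6_7(self, reply, max_skew: int) -> bool:
        """Steps (6)-(7). h_30 is checked before beta_l/gamma_l are updated, so a
        forged reply cannot desynchronise the stored challenge."""
        masked, h30, t10 = reply
        r_l, c_l, t9 = self._pending
        if not 0 <= t10 - t9 <= max_skew:
            return False
        ss_kl, r_star = h(r_l, ts(t10)), xor(masked, r_l)
        if not hmac.compare_digest(h30, h(self.id_l, c_l, r_l, r_star, ss_kl, ts(t10))):
            return False
        self.beta_l = xor(r_star, self.cr_k)                # beta*_l
        self.gamma_l = xor(h(c_l, ts(t9)), self.cr_k)       # gamma*_l
        self.session_key = ss_kl
        return True

def authorization_valid(t_current: int, t_ikl: int, delta_l: int) -> bool:
    """User-side check: reuse the cached r_ik only if T_current - T_ikl <= ΔL."""
    return 0 <= t_current - t_ikl <= delta_l

def run_rounds(n: int, t_start: int, delay: int, max_skew: int = 5) -> bool:
    """Enrol one sensor, then run n sessions with T_10 = T_9 + delay. True iff
    every round succeeds, both sides agree on ss, and no key repeats."""
    sensor, c_l, cr_k = Sensor(os.urandom(32)), os.urandom(32), os.urandom(32)
    gw = Gateway(cr_k, ID_L, sensor.enroll(ID_L, c_l), c_l)
    keys = set()
    for i in range(n):
        t9 = t_start + 60 * i
        reply = sensor.step5(*gw.step4(t9), t9 + delay, max_skew)
        if reply is None or not gw.step6_7(reply, max_skew):
            return False
        if gw.session_key != sensor.session_key or gw.session_key in keys:
            return False
        keys.add(gw.session_key)
    return True
```

Running several rounds shows the challenge rolling forward to h(C_l || T_9) on both sides, while a T_10 outside the freshness window is rejected by the sensor before any state is touched.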

Password update
As shown in Fig. 7, users or patients can update their passwords online anytime, anywhere. Details are as follows: (1) The user inputs $ID_i$, the old password $PW_i$ and the new password $PW^*_i$, generates the biometric $B_i$, and calculates $\beta_i$ and $\beta^*_i$; $ID_i$ selects a random number $r_7$ and calculates $h_{33} = r_7 P$,

Ownership transfer
In this proposal, users can transfer ownership after passing RA authentication and authorization. Suppose $ID_{i1}$ wants to transfer ownership of patient $ID_k$ to $ID_{i2}$; the details are as follows:
(1) $ID_{i1}$ generates a transfer request according to the algorithm of Fig. 6, Step 1, and sends it to $ID_{i2}$.
(2) After verifying that the timestamp is valid, $ID_{i2}$ also generates a transfer request according to the algorithm of Fig. 6, Step 1, and sends it to RA.
(3) After verifying that the timestamp is valid, RA verifies the identities of $ID_{i1}$ and $ID_{i2}$ according to the algorithm of Fig. 6, Step 3. If this fails, it aborts the protocol; else, if the search for $ID_{i1}$ in the access control list $AL_k$ of $ID_k$ fails, it aborts the protocol; else it writes $ID_{i2}$ to $AL_k$ and returns a message of successful transfer.

Security analysis
In this section, we analyze our proposed scheme SEMAS informally and formally. Moreover, we show that the proposed scheme is provably secure under the threat model defined in Sect. 3.5, using the ROR model (Abdalla et al. 2005), BAN logic (Burrows et al. 1990), and the AVISPA tool (Armando et al. 2005).

Informal security analysis
In this section, we will discuss how this proposal (SEMAS) provides mutual authentication, access control, session key privacy, and forward security, and how to resist known Internet attacks such as insider attacks, multi-factor security attacks, and impersonation attacks.

Mutual Authentication
In SEMAS, the user (or patient) mutually authenticates with the RA by $\beta_i$, the server mutually authenticates with the RA by $Cr_j$, and the user and server mutually authenticate with the shared secret $r_{ij}$ issued by the RA. $ID_i$ encapsulates $ID_i$ and $\beta_i$ with the public key of the RA. If $h_3$ and $\beta_i$ are valid, the RA believes that $ID_i$ is a legitimate user. The RA encapsulates the shared secret $r_{ij}$ with $\beta_i$. If $h_{11}$ is valid, $ID_i$ believes that the RA is the holder of the private key corresponding to the system public key. $ID_j$ encapsulates $ID_j$ with the public key of the RA. If $h_6$ is valid, the RA believes that $ID_j$ is a legitimate server. The RA encapsulates the shared secret $r_{ij}$ with $Cr_j$. If $h_{10}$ is valid, $ID_j$ believes that the RA is the holder of the private key corresponding to the system public key. On the basis of mutual authentication with the RA, if $h_{12}$ is valid, $ID_i$ believes that $ID_j$ is the holder of the common secret certified by the RA; if $h_{13}$ is valid, $ID_j$ believes that $ID_i$ is the holder of the common secret certified by the RA.

Access Control
In SEMAS, the RA manages access authorization for servers (or patients' sensors). The RA periodically generates an access control string $r_{ij}$ for an authenticated and authorized user $ID_i$. A session can be established only if $ID_i$ and $ID_j$ hold the same access control string within its time limit.

Session Key Security
In SEMAS, the user $ID_i$ and the server $ID_j$ independently compute the session key $ss_{ij} = h(ID_i \| r_{ij} \| r_1 r_2 P)$. The random numbers $r_1$, $r_2$, and $r_{ij}$ are selected freshly for each session, and the advantage of the adversary $\mathcal{A}$ in solving for $r_1$, $r_2$, and $r_{ij}$ is the advantage of breaking the EDLP security assumption, which is negligible. So $\mathcal{A}$ needs to know all the random numbers and $ID_i$ to calculate $ss_{ij}$, and even the RA would need to know the random numbers $r_1$ and $r_2$ to calculate $ss_{ij}$.

Forward Security
In SEMAS, the user $ID_i$ and the server $ID_j$ independently compute the session key $ss_{ij} = h(ID_i \| r_{ij} \| r_1 r_2 P)$. The random numbers $r_1$, $r_2$, and $r_{ij}$ are selected freshly for each session, and the advantage of the adversary $\mathcal{A}$ in solving for $r_1$, $r_2$, and $r_{ij}$ is the advantage of breaking the EDLP security assumption, which is negligible. So $\mathcal{A}$ cannot calculate previously generated session keys even if it obtains all the long-term secrets of all protocol entities.

Privacy Protection
In the authentication and key agreement phase of the protocol, both $ID_i$ and $ID_j$ are transmitted in the random pseudonym forms $h_1$ and $h_5$, and the advantage of the adversary $\mathcal{A}$ in attacking these pseudonyms is equivalent to the advantage of breaking the EDLP security assumption, which is negligible, so the advantage of $\mathcal{A}$ in obtaining $ID_i$ and $ID_j$ is also negligible. In addition, the information exchanged in the protocol consists of ECC ciphertexts and hash values generated from fresh random numbers. Therefore, the advantage of the adversary in tracking a session is equivalent to the advantage of breaking the EDLP security assumption, which is negligible. In SEMAS, the biometric vector in the registration phase is encapsulated in $\gamma_i$ by the RA's private key. According to the hash security assumption, the adversary's advantage in getting $\beta_i$ from the RA's $L_U$ is 1 , which is negligible; during the authentication phase, the biometric vector is encapsulated in $h_2$ by a random number and the RA's private key. According to the ECC security assumption, the adversary's advantage in obtaining $\beta_i$ from $h_2$ is negligible.

Against Privileged Insider Attack
In SEMAS, the password $PW_i$ and biometric $B_i$ of $ID_i$ are encapsulated by a hash function. According to the one-way security of the secure hash, a curious RA cannot obtain the user's password and biometric.

Against Multi-factor Security Attack
In SEMAS, it is assumed that $ID_i$ has been leaked. When $PW_i$ is leaked, according to the hash security assumption and the birthday paradox, the adversary's advantage against the scheme's multi-factor security is 1 . When $B_i$ is leaked, the adversary's advantage against the scheme's multi-factor security by guessing the password is $1/|D_{PW}|$.

Against Impersonation Attack
In SEMAS, mutual authentication is achieved between each pair of protocol entities, and the precondition for an adversary to impersonate a protocol entity is to obtain all the long-term secrets of that entity. All the information exchanged in the protocol consists of ECC ciphertexts and hash values generated from fresh random values. According to the ECC security assumption and the hash security assumption, the adversary's advantage in deriving an entity's long-term secret from $\{M_1, M_2, M_3, M_4, M_5\}$ is negligible.

Against Intermediate Data Attack
In SEMAS, the communication link between the server and the RA is relatively secure. The intermediate data attack mainly occurs on the open link between the user (patient) and the server. SEMAS introduces a timestamp authentication mechanism and has good anonymity; the adversary cannot get $ID_i$ and $ID_j$ and cannot track the session, so a replay attack against SEMAS is difficult to carry out. In addition, only hash values and ECC ciphertexts are forwarded between protocol entities, and the secrets that generate these values are freshly selected for each session, so a man-in-the-middle attack against SEMAS is also difficult to carry out.
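The user-server session key $ss_{ij} = h(ID_i \| r_{ij} \| r_1 r_2 P)$ of the Session Key Security and Forward Security items, as an added Python example that is not the paper's code. It assumes secp256k1 as a concrete choice for $E_p$ and $P$, SHA-256 for $h(\cdot)$, encoding of the point $r_1 r_2 P$ as its x and y coordinates, and constructed values for $ID_i$ and the RA-issued $r_{ij}$; the channel transcript is $\{r_1 P, r_2 P\}$, which is all an observer, or the RA, sees.

```python
import hashlib
import secrets

# secp256k1 parameters, used here as a concrete choice for E_p and generator P.
P_MOD = 2**256 - 2**32 - 977
A_COEF, B_COEF = 0, 7
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def on_curve(pt) -> bool:
    """Check y^2 = x^3 + ax + b (mod p); None denotes the point at infinity O."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % P_MOD == 0

def ec_add(p1, p2):
    """Point addition on E_p in affine coordinates."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k: int, pt):
    """Scalar multiplication kP as repeated point addition (double-and-add)."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def encode_point(pt) -> bytes:
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def session_key(id_i: bytes, r_ij: bytes, own_scalar: int, peer_point) -> bytes:
    """ss_ij = h(ID_i || r_ij || r_1 r_2 P), computed from one's own ephemeral
    scalar and the peer's ephemeral point, since r_1 (r_2 P) = r_2 (r_1 P)."""
    shared = ec_mul(own_scalar, peer_point)
    return hashlib.sha256(id_i + r_ij + encode_point(shared)).digest()

def exchange(id_i: bytes, r_ij: bytes):
    """One user-server run with fresh r_1, r_2; returns (user key, server key,
    transcript). Knowing ID_i and r_ij (as the RA does) but neither r_1 nor
    r_2, recovering ss_ij from the transcript means solving ECDH on E_p."""
    r1 = secrets.randbelow(ORDER - 1) + 1        # user's ephemeral secret
    r2 = secrets.randbelow(ORDER - 1) + 1        # server's ephemeral secret
    r1P, r2P = ec_mul(r1, GEN), ec_mul(r2, GEN)  # exchanged in the clear
    ss_user = session_key(id_i, r_ij, r1, r2P)
    ss_server = session_key(id_i, r_ij, r2, r1P)
    return ss_user, ss_server, (r1P, r2P)

def curve_sanity() -> bool:
    """The generator lies on the curve and has order ORDER, i.e. n P = O."""
    return on_curve(GEN) and ec_mul(ORDER, GEN) is None

def demo_agreement(id_i: bytes, r_ij: bytes) -> bool:
    """Two independent runs: each agrees internally, and because r_1, r_2 are
    fresh the second run yields a different key even with the same r_ij."""
    u1, s1, _ = exchange(id_i, r_ij)
    u2, s2, _ = exchange(id_i, r_ij)
    return u1 == s1 and u2 == s2 and u1 != u2

if __name__ == "__main__":
    # Constructed inputs: a user identity and an RA-issued access control string.
    print("curve ok:", curve_sanity())
    print("keys agree and are fresh:", demo_agreement(b"user-0042", secrets.token_bytes(32)))
```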

Formal security proof using ROR model
In this section, we formally analyze SEMAS's semantic security of the session key using the Real-Or-Random (ROR) (Abdalla et al. 2005) security model.

ROR security model
In this section, we follow the adversary capabilities defined in Sect. 3.5 to modify the ROR model defined in Abdalla et al. (2005) into a security model suitable for SEMAS. The protocol participants in SEMAS are $\mathcal{P} = \mathcal{U} \cup \mathcal{S} \cup \mathcal{RA}$, where user $U \in \mathcal{U}$, server $S \in \mathcal{S}$, and registered authorization party $RA \in \mathcal{RA}$. $P^x$ represents the $x$-th instance of $P$.

Definition 7.1 Partnering: The notion of partnering refers to instances sharing the same non-null session identification (sid). The sid is a partial transcript of the conversation between the participants' instances.

Definition 7.2 Freshness: The instance $P^x$ is considered fresh if its corresponding session key is not revealed to the adversary $\mathcal{A}$.

Definition 7.3 Adversary: The adversary $\mathcal{A}$ is assumed to have full control over the communications as mentioned in Sect. 3.5. During the running of the protocol, $\mathcal{A}$ can initiate multiple parallel sessions to $P$. The ability of $\mathcal{A}$ is simulated by the following oracle queries:

- $Execute(P_1^x, P_2^y)$: This oracle models the passive attack ability of $\mathcal{A}$. The input of this oracle is empty, and the output is a copy of the messages exchanged by the protocol instances.

- $Send(P^x, m)$: This oracle models an active attack. The query allows $\mathcal{A}$ to send a message $m$ to a participant instance $P^x$ and to receive the response message.

- $Corrupt(P^x, \theta)$: This oracle models the ability of $\mathcal{A}$ to corrupt $P^x$. The input of this oracle is the long-term secrets of $P^x$ other than $\theta$, and the output is the leaked long-term secret factor $\theta$ of $P^x$.

The formal proof in ROR model
In this section, we formally analyze the semantic security of LMAASIoT in Theorem 1.
where $q_h$, $q_s$, $|D_{ID}|$, $|D_{PW}|$, $|D_{Bio}|$, and $|D_H|$ denote the number of Hash queries, the number of Send queries, and the sizes of the spaces $D_{ID}$, $D_{PW}$, $D_{Bio}$, and $D_H$, respectively.
Proof: Let $Succ_i$ be the event that $\mathcal{A}$ wins game $G_i$. The games begin from the real attack scenario, and we gradually change the simulation rules of each game; in the final game, $\mathcal{A}$ has no advantage other than flipping a coin.

$G_0$: $G_0$ is the real attack scenario; according to Definition 7.4, we have $Adv^{SEMAS}$ (1).

$G_1$: The oracles $Execute(P_i^x, P_j^y)$ and $Execute(P_j^y, P_i^x)$ are added to simulate the passive attack ability of $\mathcal{A}$; however, $\mathcal{A}$ still has to execute $Test(ID_i^x)$ and $Test(ID_j^y)$. Because both user $ID_i$ and server $ID_j$ compute the session key $ss_{ij} = h(ID_i \| r_{ij} r_1 r_2 P)$ independently, the random numbers $r_1$, $r_2$, and $r_{ij}$ are selected freshly in each session, and the advantage of $\mathcal{A}$ in solving for $r_1$, $r_2$, and $r_{ij}$ is the advantage of attacking the EDLP security assumption, it is negligible. $\mathcal{A}$ gains no advantage in computing the session key by eavesdropping on $M_1$, $M_2$, $M_3$, $M_4$, and $M_5$. Thus, we have

$G_2$: The Send queries, up to $Send(ID_j^y, M_5^*)$, are added together with the Hash query to implement active attacks. Since random numbers are introduced in $M_1$, $M_2$, $M_3$, $M_4$, and $M_5$, the Hash query does not cause collisions. According to the birthday attack, we have

$G_3$: We transfer $G_2$ to this game by adding the $Corrupt(ID_i^x, PW_i)$ or $Corrupt(ID_i^x, Bio_i)$ oracle to enhance the attack ability of $\mathcal{A}$. We assume that $\mathcal{A}$ has acquired $ID_i$; then there are three strategies to attack two-factor security, and $\mathcal{A}$ chooses the one with the highest probability.

Case 1: $\mathcal{A}$ forges $\beta_i$ with the result of the Hash query when $PW_i$ has been compromised. According to the birthday attack, we have

Case 2: $\mathcal{A}$ also forges $\beta_i$ by guessing $Bio_i^*$ when $PW_i$ has been compromised; we have

Case 3: $\mathcal{A}$ forges $h_2$ by guessing $PW_i^*$ when $Bio_i$ has been compromised; we have

Combining Case 1 to Case 3 of $G_3$ and comparing with $G_2$, we have

After using all the attack capabilities simulated by the oracles, $\mathcal{A}$ can only use the Test query to find the session key, so

Finally, from Eqs. (1) and (8) we have

According to the triangle inequality, combining Eqs. (2), (3), (7), (9), and Definition 3.1, we have

Formal security proof with BAN-logic
We utilize the widely recognized BAN-logic (Burrows et al. 1990) to prove that in the proposed scheme, the mutual authentication between a registered legitimate user ID i and medical server ID j is achieved with the help of RA. Notations used in the BAN-logic are shown in Table 2.

Rules
In this section, we present some of the main BAN-logic rules for security proof.

Analysis
Based on the idealized messages, the BAN-logic rules, and the initial condition hypotheses, the security analysis of our scheme is as follows. According to the message $M_1$, hypothesis $Hyp_4$, and rule $Rul_1$, we have

Table 2 Notations used in the BAN-logic

$\#(X)$: the statement $X$ is fresh
$P \triangleleft X$: $P$ sees the statement $X$
$P \mid\!\sim X$: $P$ once said the statement $X$
$P \mid\!\Rightarrow X$: $P$ has jurisdiction over the statement $X$
$P \xleftrightarrow{K} Q$: $K$ is a secret shared by $P$ and $Q$
$P \overset{X}{\rightleftharpoons} Q$: $X$ is a secret shared by $P$, $Q$, and the TTP
$(X, Y)$: $X$ or $Y$ is one part of $(X, Y)$
$\{X\}_K$: $X$ is encrypted under the key $K$
$(X)_K$: $X$ is hashed with the key $K$
$X \oplus K$: $X$ is XORed with the key $K$

Fig. 8 SEMAS's verification results using AVISPA
We select the widely accepted OFMC and CL-AtSe backends to verify the security of SEMAS in the Dolev and Yao (1983) threat model mentioned in Sect. 3.5. As shown in Fig. 8, SEMAS is reported as "SAFE," which means that AVISPA finds it to resist the known Internet attacks it models.

Performance analysis
This section shows how SEMAS satisfies the security goals and application requirements in terms of security and functionality properties, computational complexity, and communication overhead. The security and functionality comparison is shown in Table 3.
The results show that some schemes have weak forward security (Feng et al. 2018;Das et al. 2019) and anonymity (He and Wang 2015;Qi et al. 2018;Feng et al. 2018), and some schemes cannot resist the smart card loss attack, which in turn leads to other attacks (He and Wang 2015;Qi et al. 2018;Feng et al. 2018). Most schemes cannot support multiple business scenarios and do not have access control mechanisms.

Computation cost comparison
To evaluate the computational efficiency of SEMAS, we calculate and compare the computation overhead of the authenticated key agreement phases of the discussed protocols, including SEMAS, as shown in Table 5. We used gcc 5.4.0 to compile and run the SEMAS-related operations based on the MIRACL library (MIRACL Crypto SDK, MIRACL 2021). The time overhead of the basic operations involved in these protocols is shown in Table 4 (Intel(R) Core(TM) i3-M380@2.53GHz processor, 8 GB RAM, Ubuntu 16.04 operating system), where the notations $T_H$, $T_S$, and $T_E$ represent the computational cost of a hash operation, a symmetric encryption/decryption operation, and an ECC scalar point multiplication, respectively. We assume that the computational cost of the fuzzy extractor is close to that of an ECC scalar point multiplication. Ignoring the overhead of XOR, hash, and point addition operations, the computation overhead of SEMAS is almost the same as that of the other schemes, at about 0.01 ms (He and Wang 2015; Qi et al. 2018; Feng et al. 2018; Odelu et al. 2015; Das et al. 2019; Shuai et al. 2020; Luo et al. 2021) (Tables 5, 6).

Communication overhead comparison
To evaluate the communication efficiency of SEMAS, we calculate and compare the communication overhead of the authenticated key agreement phases of the discussed protocols, including SEMAS, as shown in Table 7. The byte length of each data structure transferred in these protocols is shown in Table 6. The notations $T_I$, $T_H$, $T_E$, $T_S$, and $T_N$ represent the byte length of an identity, a hash string, an ECC block, a symmetric ciphertext, and a random string, respectively. As in Odelu et al. (2015), we assume that the length of an identity $ID_i$, $ID_j$, $ID_k$, $ID_l$ (a time stamp has the same length), a hash value (e.g., SHA-1), and an elliptic curve point $P = (P_x, P_y)$ are 8 bytes, 20 bytes, and 40 bytes, respectively. In addition, we assume that the block size of a symmetric ciphertext (e.g., AES) and of a random number are both 16 bytes (Table 6). It can be seen from Table 7 that the user-side overhead of SEMAS is almost the same as that of the other online protocols, but its total communication overhead is higher than that of the other protocols. The main reason is that, in order to achieve access control, anonymity, and forward security and to be immune to offline password attacks and smart card loss attacks, SEMAS introduces a time stamp authentication mechanism and the user sends one more ECC block.

Conclusion
Secure communication and access control in E-healthcare systems are very important, and the key means to achieve them is the authenticated key agreement and access authorization mechanism. This work first performs a cryptanalysis of existing schemes such as LACO and reveals the main reasons for the weaknesses in anonymity and forward security of these schemes, which can lead to impersonation attacks. Second, we propose a multi-scenario architecture for authentication and authorization in the user-server, patient-server, user-patient, and other scenarios of E-healthcare. Third, based on this architecture, we design a secure and efficient multi-server authentication and access control scheme for E-healthcare. Security analysis shows that the proposed scheme provides mutual authentication, access control, session key security, anonymity, and forward security, and resists known Internet attacks such as insider attacks, multi-factor security attacks, impersonation attacks, and intermediate data attacks. Efficiency analysis shows that, under the premise of higher security, the proposed scheme has better computational efficiency than similar typical schemes. Because of its higher security, its communication efficiency is slightly lower than that of similar typical schemes. Nevertheless, the total communication overhead of the proposed scheme is only 520 bytes, while the user-side communication overhead is almost the same as that of the other schemes.