ECC based certificateless aggregate signature scheme for healthcare wireless sensor networks

Abstract

Wireless sensor networks (WSNs) are heavily used in applications like remote monitoring, vehicle management, manufacturing and healthcare. In healthcare, they are used to collect the data from the patients and transmit to the doctors. Patients wear the healthcare devices such as fit bands, watches, ECG and BP monitors to collect the various health indicators including temperature, oxygen, blood pressure and heart rate, and then this information is sent over the public network to the designated doctor for the assessment. The healthcare information is very sensitive for the patients, so it becomes important to protect the information from the various possible attacks. In this paper, a certificateless aggregate signature scheme based on ECC called E-CLAS is proposed. The proposed scheme generates the aggregate signature on the healthcare information produced by the n number of patients and then this aggregate signature is verified by the designated doctor. The formal security analysis of the scheme using random oracle model proves that it is secure against forgery attack. Its formal security verification using the AVISPA tool shows that it is secure against active and passive attacks. In the performance analysis, we show that the proposed scheme has less computation cost than the related schemes.

Full text

Translate

Turn on search term navigation

Introduction

Recent advances in the wireless technology have enabled to employ the wireless sensor network in the applications like smart healthcare, operation management and vehicle management. Smart healthcare [1] involves the healthcare wireless sensor network (HWSN) to collect and monitor the data produced by the patients. In the HWSNs [2], patients wear the various healthcare wearables and each wearable has the biomedical sensors to measure the various signals. Sensors have been made to measure and record the health-related data like oxygen, blood pressure, ecg signals, temperature, heart rate. Patients send the recorded health information to the designated doctor over the network for the medical assessment and then accordingly, doctor treats the patient.

The medical information contains the sensitive data [3] which includes the past medical history, personal information about the patients such as family background, psychological defects and reproductive history. Unfortunately, during the last decade, malicious attacks on patients information have become too common [4, 5]. Any unauthorised or unintentional exposure of patient information might jeopardise the patients privacy or result in the loss of user property. The medical information in HWSNs is transferred among the patients and doctor over the public network which is more dangerous. If the patient information is subjected to attacks such as, eavesdropping, tampering, and interception, then doctors may be misled and issue a wrong assessment, which is highly threatening to the patient’s life. As a result, maintaining the integrity, validity and availability of patients medical information in HWSNs possess several issues. Therefore, it is necessary to safeguard the patients information in HWSNs from the possible malicious attacks [5]. To address the integrity and privacy issues of healthcare data, various digital signature schemes [3, 6, 7–8], have been proposed for the HWSNs.

Nowadays, the certificateless signature schemes (CLS) [9] have been used in the HWSNs as the CLS removes the traditional public key infrastructure’s certification management problem and intrinsic key escrow problem of identity based signature. But traditional CLS schemes cannot be directly used in the HWSNs as the sensor nodes are resource constrained devices and when a high number of patients medical information is delivered online, both the computation and communication cost increase drastically. Due to which, the aggregate CLS [10] is used in the HWSNs so that computational cost involved in the scheme can be reduced. To provide the better security, the aggregate CLS needs to be verified only by the designated verifier. Hence, the aggregate CLS scheme with designated verifier can provide the better computation cost as well as security. On keeping these two points under the consideration, the paper presents a certificateless aggregate anonymous signature scheme with designated verifier for the HWSNs [11].

The paper is organized as follows: Sect. 2 reviews the existing schemes and Sect. 3 introduces the preliminaries including the mathematical background and notations. In Sect. 4, system model, its security requirements and security model are presented. Section 5 presents the proposed scheme in detail. The formal security analysis and verification of the proposed scheme is presented in Sect. 6. Section 7 presents the performance analysis of the proposed scheme along with the related schemes. Lastly, the paper is concluded in Sect. 8.

Literature survey

The medical information in HWSNs is transferred from the patient to the doctor over the public channel for the medical assessment. As the data is sent through an insecure public channel, it is vulnerable to many attacks such as interception, eavesdropping and alteration [2, 5]. Since, modification attack may lead to doctors making incorrect assessments, which can be incredibly damaging to patient’s lives [12]. Hence to prevent the patients medical information, many signature schemes have been proposed for HWSNs. Initially, the public key cryptography (PKC) [7, 13] is employed for protecting the medical information in HWSNs. Sangari et al. [7] developed a protocol for secure communication using the PKC between the inter-node. The scheme has the high computation cost and no detection mechanism for detecting the faulty node. Both the schemes [7, 13] suffer from the certificate management problem. The PKC comes with the drawback in managing and storing the certificate and has high computation and communication costs. These drawbacks make the PKC unsuitable for the HWSNs. And then researchers solved this issue by employing the ID based cryptography (IDBC) [14]. The ID based cryptography uses the information of the patients in generating the signature [15, 16]. Tan et al. [15] used IDBC to remove the issues of public key infrastructure. But if once the key generation center (KGC) is exposed, then key escrow problem will be a major security issue. Shen et al. [16] also used IDBC and the number of needed pairing operations rises linearly with the number of patients, resulting in a significant computation cost. However, the ID based cryptography has the inherent private key escrow problem [14].

Riyami and Pterson [9] solved the certificate management problem of traditional PKC and inherent key escrow problem of IDBC by introducing a new certificateless public key cryptography (CLPKC). After the scheme [9], many signature schemes have been proposed using the CLPKC [17, 18, 19–20] for the HWSNs. Boneh et al. [10] proposed the concept of aggregate signature. In the aggregate signature, the n number of users singed n data and generates n signatures and these n signatures are aggregated to a single sign which result in the less verification time. The verifier verifies the single aggregate signature. The concept of CLKPC is usually used with the aggregate signature to provide the secure communication as well as less computation overhead. As a result, the combination of these two concepts is employed in the signature schemes designed for HWSNs.

Many signature schemes were [3, 6, 8, 21, 22, 23, 24–25] proposed which use both the concept of CLKPC and aggregate signature. In all the CLAS schemes, n number of patients sign the n data and produce n signatures and then these n signatures are aggregated into a single signature by the aggregator. The aggregator sends the single aggregated signature to the doctor and then the doctor has to verify only one signature which results in less verification time. Kumar et al. [21] constructed a certificateless aggregate signature scheme using the Bilinear pairing for the HSWNs. But the scheme is found to be vulnerable to malicious-but-passive attacks and the scheme did not provide the patients privacy protection and has high computation overhead. Xie et al [3] improved the scheme [21] using the elliptic curve cryptography and reduce the computation cost. Liu et al. [22] presented a new CLAS based on bilinear mapping for mobile healthcare crowd sensing. The scheme [22, 26] is vulnerable to the forgery attacks. Gayathri et al. [8] introduced a new pairing free signature scheme based on the elliptic curve group. The scheme is forgeable as anyone can able to forge the signature. The schemes [11, 27, 28–29] do not require bilinear pairing. But the schemes [11, 27, 28] have high computational costs which make them unsuitable for the HSWNs and the scheme [29] is delegatable.

All the schemes [3, 7, 8, 11, 15, 16, 21, 22, 26, 27–28, 30] can be verified by any doctor. In designated verifier (DV) signature scheme, signature is verified only by the designated verifier and provides better data security. Deng et al. [6] constructed a signature scheme based on the CLAS and DV for the HWSNs. But the signature has too much computational overhead.

Motivation and contribution

In HWSNs, a doctor has to serve many patients. If a doctor verifies the signature of every patient separately, there will be burden of computational cost on the doctor. An aggregate signature scheme reduces the verification time of the doctor as it verifies the legibility of the signatures of multiple patients at a time. The health data of a patient is required to be secured as it is very sensitive and important. Most of the time, a patient does not want his health related data to be leaked except the designated doctor (DD). The existing certificateless aggregate schemes [3, 8, 11, 16, 21, 22, 26, 27–28, 30] for HWSNs can be verified by the public and these are not suitable for this environment. Therefore, it is required to design a certificateless aggregate signature scheme for HWSNs, which can be verified by a designated verifier. Our contribution in this paper is presented as follows:

A certificateless aggregate signature scheme for HWSNs is proposed based on ECC. In this scheme, each SN generates a signature and transmits it to the aggregator (AG). AG uses the doctor’s public key to aggregate n signatures into one signature and sends it to the DD. The doctor verifies the validity of the signature using his private key.
The security attributes like unforgeability for SN, indistinguishability for doctor, anonymity for SN and doctor, identity-identifiable for SN and doctor are investigated for the proposed scheme.
Its formal security verification is done using a well known tool AVISPA.
In the performance analysis, the computation and communication costs of the proposed scheme are compared with the other related schemes [3, 6, 8, 31]. It is also shown that the proposed scheme has less computation cost as compared to that of the related schemes.

Preliminaries

Table 1. Notations used in the proposed scheme

Notation	Description
P, Q	Two large prime numbers
$F_{q}$	A prime finite field
$Z_{q}^{*}$	Multiplicative group of order $q - 1$
G	An additive group with generator X
$E / F_{q}$	An elliptic curve E over $F_{q}$
$τ$	Security parameter
$P K_{ms}$	Public key of MS
$H_{i}, i = 1, 2, 3$	Hash function
vars	${τ, a, b, X, q, P K_{ms}, H_{1}, H_{2}, H_{3}}$
\|\|	Concatenation operator
$⨁$	Bitwise XOR operator
$I D_{i}$	Real identity of $S N_{i}$
$U I D_{i}$	Unique identifier of $S N_{i}$
$P I D_{i}$	Pseudo-identity of $S N_{i}$
$P P K_{i}$	Partial Private Key of $S N_{i}$
$S K_{i}, P K_{i}$	Secret value & Public key of $S N_{i}$
$I D_{d}$	Real identity of doctor
$U I D_{d}$	Unique identifier of doctor
$P I D_{d}$	Pseudo-identity of doctor
$P P K_{d}$	Partial Private Key of doctor
$S K_{d}, P K_{d}$	Secret value & Public key of doctor
$T s_{i}$	Time stamp used by the $S N_{i}$
$m_{i}$	Message of $S N_{i}$
$σ_{i}$	Signature on $m_{i}$ by $S N_{i}$
$D = {P I D_{1}, . . ., P I D_{n}}$	Set of pseudo identities of the n SNs
$K = D \cup {P K_{i} : P I D_{i} \in D}$	Set of pseudo identities public keys of n SNs
$M = {m_{1}, . . ., m_{n}}$	Set of n messages
$T = {T s_{1}, . . . T s_{n}}$	Set of n timestamps
$σ$	Aggregate signature

This section covers the mathematical background including elliptic curve group and complexity assumptions. Notations are defined in Table 1.

Elliptic curve group and complexity assumptions

Let E be an elliptic curve over finite field $F_{q}$ and $q > 3$ is defined as $E : y^{2} = x^{3} + a x + b mod p$ , where $a, b \in F_{q}$ and $4 a^{3} + 27 b^{2} \neq 0$ . An additive group G with q as order and P as generator is obtained by the points over $E / F_{q}$ and O as a point at infinity.

Elliptic curve discrete logarithmic problem (ECDLP): For a given two points $X_{1}, X_{2} \in G$ , where $X_{2} = k X_{1}$ and $k \in Z_{q}^{*}$ , it is hard to compute k from $X_{2}$ .

System model and security model

The section presents the system model, security requirements, E-CLAS scheme and security model as follows:

[See PDF for image]

Fig. 1

Architecture for HWSNs

System model

The HWSNs comprises of four entities: Medical Server (MS), Patients (SNs), Aggregator (AG) and Designated Doctor (DD) which are shown in Fig. 1.

MS: It is responsible for generating and publishing system parameters. It also produces PID and partial private key for patients and doctor, and then it sends them to the patients and doctor.
SN: It is worn by the patient in the form of wearable devices, and it produces a signature for the data acquired on a regular basis and sends it to the AG.
AG: It collects n signatures from n SNs, combines them into one signature, and transmits it to a DD.
DD: It receives a signature from AG and checks it with his private key to see if it was created by n SNs.

E-CLAS scheme

An E-CLAS scheme for HSWNs has eight algorithms as listed below:

Setup: MS run the setup algorithm and takes security parameter as input and generates the public and private keys for MS and vars.
PID Generation: MS takes the patients and designated doctor ID as input and generates the pseudo identity for the patients and doctor using the PID generation algorithm.
PPK Generation: The algorithm is executed by MS to generate the partial private key for the patients and doctor.
Secret Value Generation: Patients and doctor execute the algorithm to generate the secret value.
Public Key Generation: Patients and doctor execute the algorithm to generate the public key.
Signature Generation: This algorithm takes the medical information as input and generates the signature of the patients on medical information.
Aggregation: Aggregator runs this algorithm to produce the single aggregate signature from the n patients signatures.
Aggregate-Verification: Designated doctor verifies the aggregate’s signature sent by the aggregator using this algorithm.

Security requirements

The medical information is shared over an open channel among the doctor and patients in the HWSNs and so information is susceptible to various security threats. Hence, the E-CLASS for HWSNs need to satisfy the following security requirements to protect patient privacy and data security:

Anonymity: An E-CLAS scheme must keep the patients anonymous so that the no one can extract the real IDs of the patients except the MS in the HWSNs.
Conditional Traceability: An E-CLAS scheme has MS in HWSNs which can able to extract the real IDs of patients whenever it is needed.
Nonrepudiation: An E-CLAS scheme must provide the non-repudiation so that the patients cannot refuse data once it has been sent in HWSNs.
Message integrity and authentication: An E-CLAS scheme for HWMSNs is required to assure message authentication and integrity, and access medical services to authorised patients.

Security model

Definition 1

The proposed scheme is said to be unforgeable in the random oracle model if there is no eve who can win the two games: Game I and Game II. Game I and Game II are played between challenger $ζ$ and Eve $ξ_{1}$ or $ξ_{2}$ , respectively.

Game 1: $ζ$ plays the game with a Type I Eve $ξ_{1}$ to prove the unforgeability.

Initialization: $ζ$ executes the setup algorithm and obtains the s and vars, then sends the vars to $ξ_{1}$ .

$Q u e r y_{H}$ : $ξ_{1}$ inputs a data to obtain the hash of data.
$Q u e r y_{CU}$ : $ζ$ creates a $I D \in {\{0, 1\}}^{*}$ for a new user, if ID is already a user, then $ζ$ does nothing.
$Q u e r y_{PPK}$ : $ξ_{1}$ submits $P I D_{i}$ or $P I D_{d}$ , then obtains $P P K_{i}$ or $P P K_{d}$ .
$Q u e r y_{PK}$ : $ξ_{1}$ inputs a $P I D_{i}$ or $P I D_{d}$ , and gets $S K_{i}$ or $S K_{d}$ .
$Q u e r y_{UPK}$ : $ξ_{1}$ submits a $(P I D_{i}, P K_{i}^{'})$ or $(P I D_{d}, P K_{d}^{'})$ , then $P K_{i}$ , $P K_{d}$ is update to be $P K_{i}^{'}$ , $P K_{d}^{'}$ .
$Q u e r y_{Sign}$ : $ξ_{1}$ submits $(m_{i}, P I D_{i}, P K_{i})$ , then gets signature $σ_{i}$ .

Forge:

ξ_{1}

generates

σ = (γ^{*}, β_{1}^{*},, . . ., β_{n}^{*}, M^{*}, T s^{*}, P I D^{*},

P K^{*})

. If the following requirements are satisfied, the winner is

ξ_{1}

where

D^{*} = {P I D_{1}^{*}, P I D_{2}^{*}, \dots, P I D {_{n}}^{*}}

K^{*} = D^{*} \cup {P K_{i}^{*} : P I D_{i}^{*} \in D^{*}}

M^{*} = {m_{1}^{*}, m_{2}^{*}, \dots, m_{n}^{*}}

σ

must be a legal aggregate signature on

(I D_{i}, m_{i}, P K_{2 i}, T s_{i}), i = (1 \leq i \leq n) .

At least

(I D_{i}, P I D_{i})

has not been used in the

Q u e r y_{PPK}

and

(m_{i}, P I D_{i}, P K_{i})

has not been used in the

Q u e r y_{Sign}

. Advantage of

ξ_{1}

is defined as

A d_{ξ_{1}}^{unforgeable} = P r [ξ_{1} w i n s]

Game 2: $ζ$ plays the game with a Type II Eve $ξ_{1}$ to prove the unforgeability. Initialization: $ζ$ executes the setup algorithm and obtains the s and vars, then sends the vars to $ξ_{2}$ .

$Q u e r y_{H}$ : $ξ_{2}$ inputs a data to obtain the hash of data.
$Q u e r y_{CU}$ : $ζ$ creates a $I D \in {\{0, 1\}}^{*}$ for new user, if ID is already a user, the $ζ$ does nothing.
$Q u e r y_{PK}$ : $ξ_{2}$ inputs a $P I D_{i}$ or $P I D_{d}$ , and gets $S K_{i}$ or $S K_{d}$ .
$Q u e r y_{Sign}$ : $ξ_{2}$ submits $(m_{i}, P I D_{i}, P K_{i})$ , then gets signature $σ_{i}$ .

Forge:

ξ_{2}

generates

σ = (γ, β_{1}, β_{2}, β_{3}, . . ., β_{n})

ξ_{1}

generates

σ = (γ^{*}, β_{1}^{*}, β_{2}^{*}, β_{3}^{*}, . . ., β_{n}^{*}, M^{*}, T s^{*}, P I D^{*}, P K^{*})

. If the following requirements are satisfied, the winner is

ξ_{2}

where

D^{*} = {P I D_{1}^{*}, P I D_{2}^{*}, . . ., P I D {_{n}}^{*}}

K^{*} = D^{*} \cup {P K_{i}^{*} : P I D_{i}^{*} \in D^{*}}

M^{*} = {m_{1}^{*}, m_{2}^{*}, . . ., m_{n}^{*}}

σ

must be a legal aggregate signature on

(I D_{i}, m_{i}, P K_{2 i}, T s_{i}), i = (1 \leq i \leq n) .

(I D_{i}, P I D_{i})

has been utilised in the

Q u e r y_{PK}

and

(m_{i}, P I D_{i}, P K_{i})

has not been used in the

Q u e r y_{Sign}

Advantage of $ξ_{2}$ is defined as $A d_{ξ_{2}}^{unforgeable} = P r [ξ_{2} w i n s]$ .

[See PDF for image]

Fig. 2

Setup

[See PDF for image]

Fig. 3

PID Generation

Proposed scheme

This section presents the E-CLAS scheme for the HWSNs. The scheme takes the n signatures from the n SNs and aggregates into the single aggregate signature by AG and then this single aggregate signature is verified only by the DD. The scheme has eight algorithms as shown below:

Setup: MS takes $τ$ as input and generates the $(s, P K_{ms})$ as its private and public keys as shown in Fig. 2.
PID Generation: The MS computes the PID of patients (SNs) and doctor(DD) using the algorithm as shown in Fig. 3.
PPK Generation: The MS computes the PPK of patients (SNs) and doctor(DD) using the algorithm shown in the Fig. 4.
Secret value generation: $S N_{i}$ and DD run the algorithm as shown in Fig. 5 to produce their secret values $S K_{i}$ and $S K_{d}$ , respectively.
Public Key Generation: $S N_{i}$ and DD run the algorithm as shown in Fig. 6 to produce the public key pair (SK, PK).
Signature: $S N_{i}$ generates signature $σ_{i}$ on healthcare information $m_{i}$ using the algorithm as shown in Fig. 7.
Aggregation: Aggregator receives the n signatures from n $S N_{i}$ and generates an aggregate certificateless signature $σ$ using the algorithm as shown in Fig. 8.
Aggregate Verify: Doctor receives $σ = (γ, β_{1}, β_{2}, β_{3}, . . .,) (β_{n})$ on the message ${m_{i} | | T s_{i}}$ where $i = (1 \leq i \leq n)$ , The doctor runs the algorithm as shown in Fig. 9 to verify the signature.

[See PDF for image]

Fig. 4

PPK Generation

[See PDF for image]

Fig. 5

Secret value generation

[See PDF for image]

Fig. 6

Public key generation

[See PDF for image]

Fig. 7

Signature

[See PDF for image]

Fig. 8

Aggregation

[See PDF for image]

Fig. 9

Aggregate-Verify

Proof of Correctness: $\begin{matrix} γ = & (w_{2 d} + Q w_{1 d}) \sum_{i = 1}^{n} [β_{i} + H_{i} P K_{2 i} + P K_{ms}] \\ = & (w_{2 d} + Q w_{1 d}) \sum_{i = 1}^{n} [r_{i}, P, K_{1 i}) \\ (+ e_{i} R_{i} + H_{i} P K_{2 i} + P K_{ms}] \\ = & (w_{2 d} + Q w_{1 d}) \sum_{i = 1}^{n} [r_{i}, w_{1 i}, X) \\ (+ e_{i} R_{i} + H_{i} P K_{2 i} + P K_{ms}] \\ = & (w_{2 d} + Q w_{1 d}) \sum_{i = 1}^{n} [r_{i}, w_{1 i}, X) \\ (+ e_{i} f_{i} X + H_{i} P K_{2 i} + P K_{ms}] \\ = & (w_{2 d} + Q w_{1 d}) \sum_{i = 1}^{n} [r_{i}, w_{1 i}, X) \\ (+ e_{i} f_{i} X + H_{i} w_{2 i} X + P K_{ms}] \\ = & (w_{2 d} + Q w_{1 d}) \sum_{i = 1}^{n} [r_{i}, w_{1 i}, X) \\ (+ e_{i} f_{i} X + H_{i} w_{2 i} X + s X] \\ = & \sum_{i = 1}^{n} [r_{i} w_{1 i} + e_{i} f_{i} + H_{i} w_{2 i} + s] (w_{2 d} + Q w_{1 d}) X \\ = & \sum_{i = 1}^{n} [r_{i} w_{1 i} + H_{i} w_{2 i} + n_{i}] (w_{2 d} + Q w_{1 d}) X \\ = & α . (w_{2 d} + Q w_{1 d}) X \\ = & α . (P K_{2 d} + Q P K_{1 d}) \end{matrix}$

Security analysis

This section presents the security analysis and security requirements of the proposed scheme. The formal verification of the scheme is also done using AVISPA in this section.

Security analysis using random oracle model

Theorem 1

The proposed CL-DVAAS scheme is unforgeable against the eve $ξ_{1}$ if the DLP is intractable.

Proof

If $ξ_{1}$ has an advantage $ϵ$ in forging a signature, then $ξ_{1}$ wins Game I if it can create $ζ$ with a non-negligible probability of solving the ECDLP. If $ζ$ has $Y = s X$ , where $s \in Z_{q}^{*}$ , Y and X are two points on $E / F_{q}$ , then the $ζ$ ’s goal is to calculate s by modelling $ξ_{1}$ . Setup: $ζ$ chooses ID’ randomly and transmits $v a r s = {τ, a, b, X, q, P K_{ms}, H_{1}, H_{2}, H_{3}}$ to $ξ_{1}$ and also selects a $P K_{ms} = s X$ randomly, and keeps empty hash lists $L_{H P_{i}}, L_{H D_{i}}, L_{FP}$ and $L_{FD}$ , where $i = 0, 1,$ and 2. The following random oracle queries can be executed by $ξ_{1}$ in the game I. $Q u e r y_{H_{1}}$ : On receiving query on data $m_{i}$ , $ζ$ sends $ω_{H P_{1}}$ to $ξ_{1}$ if $(m_{i}, ω_{H P_{1}})$ is in $L_{H P_{1}}$ ; else, it picks a random $ω_{H P_{1}} \in Z_{q}^{*}$ , inserts the tuple $(m_{i}, ω_{H P_{1}})$ in $L_{H P_{1}}$ , and then submits $L_{H P_{1}}$ to $ξ_{1}$ . $Q u e r y_{H_{2}}$ : $ζ$ keeps a list $L_{H P_{2}} = {(I D_{i}, U I D_{i}, e_{i}), (I D_{ms},) (s, v a r s, I D_{i}, f_{i})}$ . $ξ_{1}$ send $Q u e r y_{H_{2}}$ to $ζ$ and then $ζ$ checks if the tuple $(I D_{i}, U I D_{i}, e_{i})$ and $(I D_{ms}, s, I D_{i}, v a r s, f_{i})$ are in $L_{H P_{2}}$ then sends $e_{i}$ or $f_{i}$ to $ξ_{1}$ ; otherwise, selects $e_{i}$ , $f_{i} \in Z_{q}^{*}$ , adds them to the list $L_{H P_{2}}$ , and submits $e_{i}$ or $f_{i}$ to $ξ_{1}$ . $Q u e r y_{H_{3}}$ : $ζ$ keeps a list $L_{H P_{2}}$ of the form $(P I D_{i}, m_{i}, β_{i}) (, P K_{2 i}, T s_{i}, H_{i})$ . $ξ_{1}$ sends query $Q u e r y_{H_{3}}$ to $ζ$ . $ζ$ checks if the tuple $(P I D_{i}, m_{i}, β_{i}, P K_{2 i}, T s_{i}, H_{i})$ is in $L_{H P_{3}}$ then $ζ$ returns $H_{i}$ to $ξ_{1}$ ; else, $ζ$ selects a random $H_{i} \in Z_{q}^{*}$ , and adds to $L_{H P_{3}}$ , and submits $H_{i}$ to $ξ_{1}$ . $Q u e r y_{CU}$ : For SN: $ζ$ keeps list $L_{FP} = (I D_{i}, P P K_{i} = (n_{i}, R_{i}), S K_{i} = (w_{2 i}, w_{1 i}), P K_{i} = (P K_{1 i}, P K_{2 i}), P I D_{i})$ . $ξ_{1}$ queries $I D_{i}$ and then $ζ$ looks in $L_{FP}$ and does the following:

If $(I D_{i}, P P K_{i} = (n_{i}, R_{i}), S K_{i} = (w_{2 i}, w_{1 i}), P K_{i} = (P K_{1 i}, P K_{2 i}), P I D_{i})$ is in $L_{FP}$ , then submits $P K_{i}$ to $ξ_{1}$ .
If $I D_{i} \neq I D_{i}^{'}$ , chooses two random numbers $a_{i}, b_{i} \in Z_{q}^{*}$ , computes $e_{i} = a_{i}, n_{i} = a_{i} b_{i}, R_{i} = b_{i} X - a^{- 1} P K_{ms}$ , adds $(I D_{i}, P P K_{i}, = (n_{i}, R_{i}), S K_{i} = (w_{2 i}, w_{1 i}), P K_{i} = (P K_{1 i}, P K_{2 i}), P I D_{i})$ to $L_{FP}$ , and then submits $P K_{i}$ to $ξ_{1}$ . The computed $P P K_{i}$ can be validated using $n_{i} . X = e_{i} R_{i} + P K_{ms} .$
If $I D_{i} = I D^{'}$ , selects randomly $a_{i}, b_{i}, c_{i} \in Z_{q}^{*}$ , computes $R_{i} = a_{i} X, n_{i} = Θ, S K_{i} = (b_{i}, c_{i})$ and $P K_{i} = (b_{i} X, c_{i} X)$ , add $(I D_{i}, Θ, R_{i}, S K_{i} = (b_{i}, c_{i}), P K_{i}) (, P I D_{i})$ into the list $L_{FP}$ , and submits $P K_{i}$ to $ξ_{1}$ .

For Doctor:

ζ

keeps list

L_{FD} = (I D_{d}, P P K_{d} = (n_{d}, R_{d}), S K_{d} = (w_{2 d}, w_{1 d}), P K_{d} = (P K_{1 d}, P K_{2 d}), P I D_{d})

ξ_{1}

queries

I D_{d}

and then

ζ

looks in

L_{FD}

and does the following:

If $(I D_{d}, P P K_{d} = (n_{d}, R_{d}), S K_{d} = (w_{2 d}, w_{1 d}), P K_{d} = (P K_{1 d}, P K_{2 d}), P I D_{d})$ is in $L_{FD}$ , then submits $P K_{d}$ to $ξ_{1}$ .
If $I D_{d} \neq I D_{d}^{'}$ , chooses a random $a_{d}, b_{d} \in Z_{q}^{*}$ , computes $e_{d} = a_{d}, n_{d} = a_{d} b_{d}, R_{d} = b_{d} X - a^{- 1} P K_{ms}$ , adds $(I D_{d}, P P K_{d}, = (n_{d}, R_{d}), S K_{d} = (w_{2 d}, w_{1 d}), P K_{d} = (P K_{1 d}, P K_{2 d}), P I D_{d})$ to $L_{FD}$ , and then submits $P K_{d}$ to $ξ_{1}$ . The computed $P P K_{d}$ can be validated using $n_{d} . X = e_{d} R_{d} + P K_{ms} .$
If $I D_{d} = I D^{'}$ , selects randomly $a_{d}, b_{d}, c_{d} \in Z_{q}^{*}$ , computes $R_{d} = a_{d} X, n_{d} = Θ, S K_{d} = (b_{d}, c_{d})$ and $P K_{d} = (b_{d} X, c_{d} X)$ , add $(I D_{d}, Θ, R_{d}, S K_{d} = (b_{d}, c_{d}), P K_{d},) (P, I, D_{d})$ into the list $L_{FD}$ , and submits $P K_{d}$ to $ξ_{1}$ .

Q u e r y_{PPK}

: For SN:

ξ_{1}

queries on

I D_{i}

ζ

and it does as follows:

If $I D_{i} = I D^{'}$ , aborts the game.
If $I D_{i} \neq I D^{'}$ , if $(I D_{i}, P P K_{i}, S K_{i}, P K_{i}, P I D_{i})$ is in $L_{FP}$ and then submits $P P K_{i}$ to $ξ_{1}$ .

For Doctor:

ξ_{1}

queries on

I D_{d}

ζ

and it does as follows:

If $I D_{d} = I D^{'}$ , aborts the game.
If $I D_{d} \neq I D^{'}$ , if $(I D_{d}, P P K_{d}, S K_{d}, P K_{d}, P I D_{d})$ is in $L_{FD}$ and then submits $P P K_{d}$ to $ξ_{1}$ .

Q u e r y_{PK}

: For SN: On receiving the query,

ζ

does as follows:

If $(I D_{i}, P P K_{i}, S K_{i}, P K_{i}, P I D_{i})$ is in $L_{FP}$ , then returns $S K_{i}$ to $ξ_{1}$ ; else, selects randomly $x_{i}, y_{i} \in Z_{q}^{*}$ , computes $P K_{i} = (x_{i} X, y_{i} X)$ , then transmits $S K_{i} = (x_{i}, y_{i})$ to $ξ_{1}$ .
If $(I D_{i}, P P K_{i}, S K_{i}, P K_{i}, P I D_{i})$ is not in $L_{FP}$ , $ξ_{1}$ makes $S K_{i} = Θ$ ; if $P K_{i} = Θ$ , $ξ_{1}$ selects randomly $x_{i} \in Z_{q}^{*}$ , calculates $P K_{i} = x_{i} . X$ , submits $P K_{i}$ to $ξ_{1}$ , and inserts $(I D_{i}, P P K_{i}, S K_{i}, P K_{i}, P I D_{i})$ in the list $L_{FP}$ .

For Doctor: On receiving the query,

ζ

does as follows:

If $(I D_{d}, P P K_{d}, S K_{d}, P K_{d}, P I D_{d})$ is in $L_{FD}$ , then returns $S K_{d}$ to $ξ_{1}$ ; else, selects randomly $x_{d}, y_{d} \in Z_{q}^{*}$ , computes $P K_{d} = (x_{d} X, y_{d} X)$ , then transmits $S K_{d} = (x_{d}, y_{d})$ to $ξ_{1}$ .
If $(I D_{d}, P P K_{d}, S K_{d}, P K_{d}, P I D_{d})$ is not in $L_{FD}$ , $ξ_{1}$ makes $S K_{d} = Θ$ ; if $P K_{d} = Θ$ , $ξ_{1}$ selects randomly $x_{d} \in Z_{q}^{*}$ , calculates $P K_{d} = x_{d} . X$ , submits $P K_{d}$ to $ξ_{1}$ , and inserts $(I D_{d}, P P K_{d}, S K_{d}, P K_{d}, P I D_{d})$ in the list $L_{FD}$ .

Q u e r y_{UPK}

: For SN:

ξ_{1}

receives query on

I D_{i}

and then

ζ

performs the following:

If $(I D_{i}, P P K_{i}, S K_{i}, P K_{i}, P I D_{i})$ is in $L_{FP}$ , makes $S K_{i} = Θ$ , and replaces $P K_{i}$ with $P K_{i}^{'}$ .

For Doctor:

ξ_{1}

receives query on

I D_{d}

and then

ζ

performs the following:

If $(I D_{d}, P P K_{d}, S K_{d}, P K_{d}, P I D_{d})$ is in $L_{FD}$ , makes $S K_{d} = Θ$ , and replaces $P K_{d}$ with $P K_{d}^{'}$ .

Q u e r y_{Sign}

ξ_{1}

sends a query on

(m_{i}, I D_{i})

ζ

performs as follows:

Choose randomly $H_{i}, α_{i} \in Z_{q}^{*}$ .
Calculates $β_{i} = α_{i} X - H_{i} P K_{2 i} - P K_{ms}$
submits $(α_{i}, β_{i})$ to $ξ_{1}$ and adds the result to the corresponding list.

Forgery:

ξ_{1}

submits a tuple

σ = (γ^{*}, β_{1}^{*}, β_{2}^{*},, . . ., β_{n}^{*}, M^{*},) (T s^{*}, P I D^{*}, P K^{*})

that fulfills the requirements of Game I. The

ζ

provides the solution to problem as

\{(α_{i}^{*} H_{i}^{- 1} - α_{i} H_{i}^{- 1})) (- (H_{i}^{*^{- 1}} - H_{i}^{- 1} w_{2}^{i})\} {(H_{i}^{*^{- 1}} - H_{i}^{- 1})}^{- 1}

Probabilistic analysis: Assume $ϵ$ be the probability of $ξ_{1}$ in forging a valid signature within time $ϖ$ , $ξ_{1}$ runs any query only once using the same input. $Γ_{1}, Γ_{2}, Γ_{3}$ happens, $ζ$ wins the game. $Γ_{1}$ : $Q u e r y_{PPK}$ by $ξ_{2}$ is not terminated. $Γ_{2}$ : $ξ_{1}$ creates a certificateless signature that is valid. $Γ_{3}$ : Likelihood of $ξ_{1}$ creating a legal forgery and $ζ$ not terminating the procedure. Probability of $ξ_{1}$ wins Game I is $P [Γ_{1} Λ Γ_{2} Λ Γ_{3}] = P [Γ_{1}] P [Γ_{2} | Γ_{1}] P [Γ_{3} | Γ_{2} Λ Γ_{1}] \geq (1 - \frac{1}{q_{c} + 1}) . ϵ . \frac{1}{q_{c} + 1} \geq ({\frac{q_{C}}{q_{c} + 1}}^{q_{ppk}}) (\frac{ϵ}{q_{c} + 1})$ , where, $q_{c}$ be the number of $Q u e r y_{CU}$ and $q_{ppk}$ be the number of $Q u e r y_{PPK}$ So, $ζ$ solves ECDLP with $ϵ$ . However, intractability of the ECDLP makes a contradiction with it. Hence, the proposed scheme is proved to be unforgeable against $ξ_{1}$ in the random oracle model. $□$

Theorem 2

The proposed CL-DVAAS scheme is unforgeable against the eve $ξ_{2}$ when the DLP is intractable.

Proof

If $ξ_{2}$ successfully forges a signature with an advantage $ϵ$ , then $ξ_{2}$ wins Game II if it can create $ζ$ with a non-negligible probability of solving the ECDLP. If $ζ$ has $Y = s X$ , and $s \in Z_{q}^{*}$ ,Y and X are points on $E / F_{q}$ ; $ζ$ ’s goal is to calculate the s with modelling $ξ_{2}$ . Setup: $ζ$ chooses ID’ randomly and transmit $v a r s = {τ, a, b, X, q, P K_{ms}, H_{1}, H_{2}, H_{3}}$ to $ξ_{1}$ and also selects a $P K_{ms} = s X$ randomly, and keeps empty hash lists $L_{H P_{i}}, L_{H D_{i}}, L_{FP}$ and $L_{FD}$ , where $i = 0, 1,$ and 2. $ξ_{2}$ has the master secret key so it does not need to execute the $Q u e r y_{PPK}$ and $Q u e r y_{UPK}$ . The following random oracle queries can be executed by $ξ_{2}$ in the game I. $Q u e r y_{H_{1}}$ , $Q u e r y_{H_{2}}$ , $Q u e r y_{H_{3}}$ are the same as Theorem 1. $Q u e r y_{CU}$ : For SN: $ζ$ keeps list $L_{FP} = (I D_{i}, P P K_{i} = (n_{i}, R_{i}), S K_{i} = (w_{2 i}, w_{1 i}), P K_{i} = (P K_{1 i}, P K_{2 i}), P I D_{i})$ . $ξ_{1}$ queries $I D_{i}$ and then $ζ$ looks in $L_{FP}$ and does the following:

If $(I D_{i}, P P K_{i} = (n_{i}, R_{i}), S K_{i} = (w_{2 i}, w_{1 i}), P K_{i} = (P K_{1 i}, P K_{2 i}), P I D_{i})$ is in $L_{FP}$ , then submits $P K_{i}$ to $ξ_{1}$ .
If $I D_{i} \neq I D_{i}^{'}$ , chooses a random $a_{i}, b_{i} \in Z_{q}^{*}$ , computes $e_{i} = H_{1} (I D_{i}, U I D_{i}), f_{i} = H_{1} (I D_{ms}, s, I D_{i}, v a r s), R_{i} = f_{i} X, n_{i} = e_{i} f_{i} + s, S K_{i} = (e_{i}, f_{i}), P K_{1 i} = a_{i} X, P K_{2 i} = b_{i} X, P K_{i} = (P K_{1 i}, P K_{2 i}),$ adds ${I D_{i}, P P K_{i}, S K_{i}, P K_{i}, P I D_{i}}$ to $L_{FP}$ , and then submits $P K_{i}$ to $ξ_{2}$ .
If $I D_{i} = I D^{'}$ , computes $e_{i} = H_{1} (I D_{i}, U I D_{i}), f_{i} = H_{1} (I D_{ms}, s, I D_{i}, v a r s), R_{i} = f_{i} X, S K_{i} = Θ, P K_{i} = ψ,$ adds $(I D_{i}, P P K_{i}, Θ, P K_{i}, P I D_{i})$ to $L_{FP}$ , and submits $P K_{i}$ to $ξ_{2}$ .

For Doctor:

ζ

keeps list

L_{FD} = (I D_{d}, P P K_{d} = (n_{d}, R_{d}), S K_{d} = (w_{2 d}, w_{1 d}), P K_{d} = (P K_{1 d}, P K_{2 d}), P I D_{d})

ξ_{1}

queries

I D_{d}

and then

ζ

looks in

L_{FD}

and does the following:

If $(I D_{d}, P P K_{d} = (n_{d}, R_{d}), S K_{d} = (w_{2 d}, w_{1 d}), P K_{d} = (P K_{1 d}, P K_{2 d}), P I D_{d})$ is in $L_{FD}$ , then submits $P K_{d}$ to $ξ_{1}$ .
If $I D_{d} \neq I D_{d}^{'}$ , chooses a random $a_{d}, b_{d} \in Z_{q}^{*}$ , computes $e_{d} = H_{1} (I D_{d}, U I D_{d}), f_{d} = H_{1} (I D_{ms}, s, I D_{d}, v a r s), R_{d} = f_{d} X, n_{d} = e_{d} f_{d} + s, S K_{d} = (e_{d}, f_{d}), P K_{1 d} = a_{d} X, P K_{2 d} = b_{d} X, P K_{d} = (P K_{1 d}, P K_{2 d}),$ adds { $I D_{d}, P P K_{d}, S K_{d}, P K_{d}, P I D_{d}}$ to $L_{FD}$ ,and then submits $P K_{d}$ to $ξ_{2}$ .
If $I D_{d} = I D^{'}$ , computes $e_{d} = H_{1} (I D_{d}, U I D_{d}), f_{d} = H_{1} (I D_{ms}, s, I D_{d}, v a r s), R_{d} = f_{d} X, S K_{d} = Θ, P K_{d} = ψ,$ adds $(I D_{d}, P P K_{d}, Θ, P K_{d}, P I D_{d})$ to $L_{FD}$ , and submits $P K_{d}$ to $ξ_{2}$ .

Q u e r y_{PK}

: For SN:

ξ_{2}

sends query on

I D_{i}

ζ

and then

ζ

does the following:

If $I D_{i} = I D^{'}$ , aborts the game.
If $I D_{i} \neq I D^{'}$ , if $(I D_{i}, P P K_{i}, S K_{i}, P K_{i}, P I D_{i})$ is in $L_{FP}$ , then submits $S K_{i}$ to $ξ_{2}$ .

For Doctor:

ξ_{2}

sends query on

I D_{d}

ζ

and then

ζ

does the following:

If $I D_{d} = I D^{'}$ , aborts the game.
If $I D_{d} \neq I D^{'}$ , if $(I D_{d}, P P K_{d}, S K_{d}, P K_{d}, P I D_{d})$ is in $L_{FD}$ , then submits $S K_{d}$ to $ξ_{2}$ .

Q u e r y_{Sign}

ξ_{2}

sends a query on

(m_{i}, I D_{i})

ζ

and

ζ

does as follows:

Selects randomly $H_{i}, α_{i} \in Z_{q}^{*} .$
Calculates $β_{i} = α_{i} X - H_{i} P K_{2 i} - P K_{ms}$
Submits $(α_{i}, β_{i})$ to $ξ_{2}$ and inserts results to the corresponding list.

Forgery:

ξ_{2}

submits a tuple

σ = (γ^{*}, β_{1}^{*}, β_{2}^{*},, . . ., β_{n}^{*}, M^{*},) (P I D^{*}, T s^{*}, P K_{*})

that fulfils the requirements of Game II. The

ζ

provides the solution to problem as

(α_{i}^{*} - α_{i}) {(H_{i}^{*} - H_{i})}^{- 1}

. Probabilistic analysis: Assume

ϵ

be the probability of

ξ_{2}

forge a valid signature within the time period

ϖ

and

ξ_{2}

has not run any hash query more than once with same input in the game.

Γ_{1}, Γ_{2}, Γ_{3}

happens,

ζ

wins the game.

Γ_{1}

Q u e r y_{PK}

x i_{2}

is not terminated.

Γ_{2}

ξ_{2}

creates a certificateless signature that is valid.

Γ_{3}

: Likelihood of

ξ_{2}

creating a legal forgery and

ζ

not terminating the procedure. Probability of

ξ_{2}

wins Game I is

P [Γ_{1} Λ Γ_{2} Λ Γ_{3}] = P [Γ_{1}] P [Γ_{2} | Γ_{1}] P [Γ_{3} | Γ_{2} Λ Γ_{1}] \geq {(1 \frac{1}{q_{c} + 1})}^{q_{pk}} . ϵ . \frac{1}{q_{c} + 1} \geq {\frac{q_{C}}{q_{c} + 1}}^{q_{pk}} (\frac{ϵ}{q_{C} + 1})

. Where,

q_{c} =

the number of

Q u e r y_{CU}

and

q_{pk} =

be the number of

Q u e r y_{PK}

So,

ζ

solves ECDLP with

ϵ

. However, intractability of the ECDLP makes a contradiction with it. Hence, the proposed scheme is proved to be unforgeable against

ξ_{2}

in the random oracle model.

□

[See PDF for image]

Fig. 10

Simulation result in OFMC back-end

[See PDF for image]

Fig. 11

Simulation result in CL-Atse back-end

Table 2. Computation cost

Schemes	Sign-Agg	Agg-Verify	Total Execution Cost (ms)
[3]	1.768n	$2.21 n + 2.21$	$3.978 n + 2.21$
[6]	$0.442 n + 1.326$	$1.326 n + 0.442$	$1.768 n + 1.768$
[8]	1.768n	$0.884 n + 0.442$	$2.652 n + 0.442$
[31]	0.442n	$1.326 n + 0.442$	$1.768 n + 0.442$
[32]	$0.884 n + 0.442$	1.326n	$2.210 n + 0.442$
Our Scheme	$0.442 n + 0.884$	$0.884 n + 0.442$	$1.326 n + 1.326$

[See PDF for image]

Fig. 12

Comparison of Computation Cost for n=100

Security requirements

Table 3. Communication cost

Schemes	Single Signature	Aggregate Signature	Size
[3]	489n	$163 n + 326$	$652 n + 326$
[6]	489n	$326 n + 163$	$815 n + 163$
[8]	489n	489	$489 n + 489$
[31]	489n	326n	815n
[32]	326n	326	$326 n + 326$
Our Scheme	326n	$326 n + 163$	$652 n + 163$

Anonymity: The scheme uses the pseudoidentity to protect a patient’s and doctor’s privacy. If an attacker hijacks all of the patient’s information exchanged via the public network, it has no way of knowing the patient’s or doctor’s real identity as the proposed scheme protects the real id of a patient $I D_{i}$ or doctor $I D_{d}$ by masking the real id in pseudoidentity $P I D_{i} = H_{1} (s, I D_{i}, t_{i}) \oplus U I D_{i}$ . or $P I D_{d} = H_{1} (s, I D_{d}, t_{d}) \oplus U I D_{d}$ . An attacker cannot gain the real id $I D_{i}$ or $I D_{d}$ because $s, I D_{i}, I D_{d}, t_{i}$ and $t_{d}$ are secret values, and $H_{1}$ is one-way hash function. As a result, the proposed scheme is capable of achieving anonymity.
Conditional traceability: Despite the fact that a patient’s identity $I D_{i}$ is masked under its pseudoidentity $P I D_{i}$ the MS can access it if required. The MS has power to calculate the pseudoidentity on a contentious message. MS recovers patient’s real id since it has $(I D_{i}, U I D_{i}, P P K_{i},) (t_{i})$ and s. On receiving contentious message signed by patient with $P I D_{i}^{*}$ , MS computes $P I D_{i} = H_{1} (s, I D_{i}, t_{i}) \oplus U I D_{i}$ and verifies if $P I D_{i} = P I D_{i}^{*}$ . If this is true, the signer of the message is a $I D_{i}$ .
Non-repudiation: The MS can identify a patient’s identity on the message. As a result, no patient can refuse the signature on that message. The MS can perform signature verification and conditional traceability.
Message integrity and authentication: The proposed scheme has been shown to be safe against forgery attacks using Theorem 1 and 2. As a result, $ξ_{1}$ or $ξ_{2}$ cannot tamper the healthcare information which are signed by the SNs. The eves also cannot impersonate the SNs or patient. When the doctor receives a certificateless aggregate signature $σ = (γ, β_{1}, β_{2}, β_{3}, . . ., β_{n})$ on ${m_{1}, m_{2}, . . ., m_{n}}$ signed by ${I D_{1}, I D_{2}, . . ., I D_{n}}$ , it checks the validity of $σ$ and if it is valid, doctor confirms that messages ${m_{1}, m_{2}, . . ., m_{n}}$ are sent by $I D_{i}$ for $i = 1, 2, . ., n$ and also these message are not tampered during the transmission. As a result, the proposed system ensures message integrity and authenticity.

[See PDF for image]

Fig. 13

Comparison of communication cost for n=100

Formal verification using AVISPA

Automated Validation of Internet Security Protocols and Applications (AVISPA) is used to evaluate the security protocol’s resistance to active and passive threats. We use the AVISPA tool to verify the security of the proposed scheme formally. To specify our scheme in AVISPA, High Level Protocols Specification Language (HLPSL) is used. The code is available at. https://github.com/ilalitnegi/AVISPA_CLAS.

Out of four AVISPA backends, OFMC and CL-AtSe are used as the other backend TA4SP and SATMC do not support feature like bitwise XOR. Figure 10 and Fig. 11 present the simulation results using OFMC and CL-AtSe, respectively. The summary section in the figures show that the proposed scheme is SAFE. Thus, our scheme is resistant to the active and passive attacks such as man-in-the-middle, replay attacks, etc.

Performance analysis

This section presents the performance of the proposed scheme and the related existing schemes [3, 6, 8, 31, 32] in the terms of computation and communication costs. We take n be the number of patients in HWSNs for computing computation and communication costs.

Computation cost

The computation cost is calculated by the summation of time taken to perform the scalar multiplication operation in the signature, aggregation and aggregate-verify algorithms as these algorithms are executed frequently. We use the same running time $(T_{mul} \approx 0.442 m s)$ of ECC based scalar multiplication operation $(O_{mul})$ as in Du et al. [3]. Xie et al. [3] requires $(9 n + 5)$ $O_{mul}$ . So its total computation cost is $(9 n + 5) T_{mul} = (3.978 n + 2.21) m s$ . Gayathri et al. [8] requires $(6 n + 1)$ $O_{mul}$ . Its total computation cost is $(6 n + 1) T_{mul} = (2.652 n + 0.442) m s$ . Du et al. [31] requires $(4 n + 1)$ $O_{mul}$ . Its total computation cost is $(4 n + 1) T_{mul} = (1.768 n + 0.442) m s$ . Deng et al. [6] requires $(4 n + 4)$ $O_{mul}$ . Its total computation cost is $(4 n + 4) T_{mul} = (1.768 n + 1.768) m s$ . Yang et al. [32] has the total computation cost of $(5 n + 1) T_{mul} = (2.210 n + 0.442) m s$ . In the proposed scheme, signature of each patient requires $(n + 2)$ $O_{mul}$ in G. So, the computation time required is $(n + 2) T_{mul}$ . Time required to generate aggregate signature is $(2 n + 1) T_{mul}$ as it requires $(2 n + 1)$ $O_{mul}$ in G. Hence, the total computation cost of the proposed scheme is $(n + 2) T_{mul} + (2 n + 1) T_{mul} = 0.442 n + 0.884 + 0.884 n + 0.442 = (1.326 n + 1.326)$ ms. The comparison of the computation cost of all the existing related schemes [3, 6, 8, 31, 32] and the proposed scheme is shown in Table 2. Figure 12 shows the computation cost for the proposed scheme and the related schemes [3, 6, 8, 31] for 100 patients in the HWSNs. From Table 2 and Fig. 12, it can be clearly seen that the proposed system has the least computation cost as compared to the other related schemes [3, 6, 8, 31].

Communication cost

The communication cost is calculated by adding the size of signature of n patients and the aggregate signature. Assume that the size of G and $Z_{q}^{*}$ are 163 bits each. In the proposed scheme, signature of patient has one-one element in G and $Z_{q}^{*}$ . So, the size of signature for n patients is $n (| G | + |, Z_{q}^{*}, |)$ . Size of aggregate signature is $(n + 1) | G | + n | Z_{q}^{*} |$ as it has $n + 1$ elements in G and n elements in $Z_{q}^{*}$ . Hence, the total communication cost of the proposed scheme is $n (| G | + |, Z_{q}^{*}, |) + (n + 1) | G | + n | Z_{q}^{*} | = n (163 + 163) + (n + 1) 163 + (n) 163 = 652 n + 163$ bits. The comparison of the communication cost of the related schemes [3, 6, 8, 31, 32] and that of the proposed scheme is shown in Table 3. From this table, it can be clearly seen that the proposed system has lower communication cost than the schemes [3, 6, 31] and higher than the scheme [8, 32]. However, the scheme [8] is vulnerable to malicious medical server and public key replacement attacks [33] and the scheme [32] has more computation cost than the proposed scheme, which is already shown in Table 2. Figure 13 shows that the communication cost of the proposed scheme and the existing schemes [3, 6, 8, 31, 32] for 100 patients in the HWSNs.

Conclusion

In HWSNs, the patients real time medical data like BP, oxygen and heart rate is recorded through the wearable devices and then it is sent to the doctors for the assessment over the public network. As the patients medical data contains the sensitive information, so the main issue in the HWSNs becomes to send the data to the designated doctor with full integrity while maintaining the privacy of the patient and reducing the computation cost. To provide a secure communication between patients and doctors, this paper have presented a certificateless aggregate signature scheme called E-CLAS based on ECC for healthcare environment. We have analyzed its security using random oracle model formally. The performance analysis has revealed that the computation cost of the proposed scheme is less than the that of the existing related schemes.

Funding

Not applicable.

Availability of supporting data

Not applicable.

Declarations

Conflict of interest

The authors have no relevant financial or non-financial interests to disclose.

Ethical approval

Not applicable.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

References

1. Sakthidharan G, Chitra S (2012) A survey on wireless sensor network: an application perspective. In: 2012 international conference on computer communication and informatics. IEEE, pp 1–5

2. Ko, J; Lu, C; Srivastava, MB; Stankovic, JA; Terzis, A; Welsh, M. Wireless sensor networks for healthcare. Proc IEEE; 2010; 98, 11 pp. 1947-1960. [DOI: https://dx.doi.org/10.1109/JPROC.2010.2065210]

3. Xie, Y; Li, X; Zhang, S; Li, Y. $iclas$ : an improved certificateless aggregate signature scheme for healthcare wireless sensor networks. IEEE Access; 2019; 7, pp. 15170-15182. [DOI: https://dx.doi.org/10.1109/ACCESS.2019.2894895]

4. Thamilarasu G, Odesile A (2016) Securing wireless body area networks: challenges, review and recommendations. In: 2016 IEEE international conference on computational intelligence and computing research (ICCIC). IEEE, pp 1–7

5. Al Ameen, M; Liu, J; Kwak, K. Security and privacy issues in wireless sensor networks for healthcare applications. J Med Syst; 2012; 36, 1 pp. 93-101. [DOI: https://dx.doi.org/10.1007/s10916-010-9449-4]

6. Deng, L; Yang, Y; Gao, R. Certificateless designated verifier anonymous aggregate signature scheme for healthcare wireless sensor networks. IEEE Internet Things J; 2021; 8, 11 pp. 8897-8909. [DOI: https://dx.doi.org/10.1109/JIOT.2021.3056097]

7. Sangari AS, Manickam JML (2014) Public key cryptosystem based security in wireless body area network. In: 2014 international conference on circuits, power and computing technologies [ICCPCT-2014]. IEEE, pp 1609–1612

8. Gayathri, N; Thumbur, G; Kumar, PR; Rahman, MZU; Reddy, PV et al. Efficient and secure pairing-free certificateless aggregate signature scheme for healthcare wireless medical sensor networks. IEEE Internet Things J; 2019; 6, 5 pp. 9064-9075. [DOI: https://dx.doi.org/10.1109/JIOT.2019.2927089]

9. Al-Riyami SS, Paterson KG (2003) Certificateless public key cryptography. In: International conference on the theory and application of cryptology and information security. Springer, pp 452–473

10. Boneh D, Gentry C, Lynn B, Shacham H (2003) Aggregate and verifiably encrypted signatures from bilinear maps. In: International conference on the theory and applications of cryptographic techniques. Springer, pp 416–432

11. Islam, SH; Biswas, G. Provably secure certificateless strong designated verifier signature scheme based on elliptic curve bilinear pairings. J King Saud Univ Comput Inf Sci; 2013; 25, 1 pp. 51-61.

12. Keerthika, M; Shanmugapriya, D. Wireless sensor networks: active and passive attacks-vulnerabilities and countermeasures. Glob Transit Proc; 2021; 2, 2 pp. 362-367. [DOI: https://dx.doi.org/10.1016/j.gltp.2021.08.045]

13. Li, M; Lou, W; Ren, K. Data security and privacy in wireless body area networks. IEEE Wirel Commun; 2010; 17, 1 pp. 51-58. [DOI: https://dx.doi.org/10.1109/MWC.2010.5416350]

14. Gorantla MC, Saxena A (2005) An efficient certificateless signature scheme. In: International conference on computational and information science. Springer, pp 110–116

15. Tan CC, Wang H, Zhong S, Li Q (2008) Body sensor network security: an identity-based cryptography approach. In: Proceedings of the first ACM conference on wireless network security, pp 148–153

16. Shen, L; Ma, J; Liu, X; Wei, F; Miao, M. A secure and efficient id-based aggregate signature scheme for wireless sensor networks. IEEE Internet Things J; 2016; 4, 2 pp. 546-554. [DOI: https://dx.doi.org/10.1109/JIOT.2016.2557487]

17. Huang X, Susilo W, Mu Y, Zhang F (2005) On the security of certificateless signature schemes from asiacrypt 2003. In: International conference on cryptology and network security. Springer, pp 13–25

18. Zhang, L; Zhang, F. A new certificateless aggregate signature scheme. Comput Commun; 2009; 32, 6 pp. 1079-1085.3469259 [DOI: https://dx.doi.org/10.1016/j.comcom.2008.12.042]

19. Au M.H, Mu Y, Chen J, Wong D.S, Liu J.K, Yang G (2007) Malicious kgc attacks in certificateless cryptography. In: Proceedings of the 2nd ACM symposium on information, computer and communications security, pp 302–311

20. He, D; Huang, B; Chen, J. New certificateless short signature scheme. IET Inform Secur; 2013; 7, 2 pp. 113-117. [DOI: https://dx.doi.org/10.1049/iet-ifs.2012.0176]

21. Kumar, P; Kumari, S; Sharma, V; Sangaiah, AK; Wei, J; Li, X. A certificateless aggregate signature scheme for healthcare wireless sensor network. Sustain Comput Inform Syst; 2018; 18, pp. 80-89.

22. Liu, J; Cao, H; Li, Q; Cai, F; Du, X; Guizani, M. A large-scale concurrent data anonymous batch verification scheme for mobile healthcare crowd sensing. IEEE Internet Things J; 2018; 6, 2 pp. 1321-1330. [DOI: https://dx.doi.org/10.1109/JIOT.2018.2828463]

23. Rabie, OBJ; Selvarajan, S; Hasanin, T; Mohammed, GB; Alshareef, AM; Uddin, M. A full privacy-preserving distributed batch-based certificateless aggregate signature authentication scheme for healthcare wearable wireless medical sensor networks (hwmsns). Int J Inform Secur; 2024; 23, 1 pp. 51-80. [DOI: https://dx.doi.org/10.1007/s10207-023-00748-1]

24. Zhou, L; Yin, X. An improved pairing-free certificateless aggregate signature scheme for healthcare wireless medical sensor networks. Plos one; 2022; 17, 7 0268484. [DOI: https://dx.doi.org/10.1371/journal.pone.0268484]

25. Qiao, Z; Yang, Q; Zhou, Y; Yang, B; Zhang, M. A novel construction of certificateless aggregate signature scheme for healthcare wireless medical sensor networks. Comput J; 2023; 66, 11 pp. 2810-2824.4668004 [DOI: https://dx.doi.org/10.1093/comjnl/bxac123]

26. Hashimoto, K; Ogata, W. Unrestricted and compact certificateless aggregate signature scheme. Inform Sci; 2019; 487, pp. 97-114. [DOI: https://dx.doi.org/10.1016/j.ins.2019.03.005]

27. Yang B, Hu Z, Xiao Z (2009) Efficient certificateless strong designated verifier signature scheme. In: 2009 international conference on computational intelligence and security. IEEE, vol 1, pp 432–436

28. Duan, M; Zhu, J; Li, Y. Efficient and provably-secure certificateless strong designated verifier signature scheme without pairings. Tehnički vjesnik; 2018; 25, 6 pp. 1801-1809.

29. Lin, H-Y. A new certificateless strong designated verifier signature scheme: non-delegatable and ssa-kca secure. Ieee Access; 2018; 6, pp. 50765-50775. [DOI: https://dx.doi.org/10.1109/ACCESS.2018.2809437]

30. Xiong, H; Guan, Z; Chen, Z; Li, F. An efficient certificateless aggregate signature with constant pairing computations. Inform Sci; 2013; 219, pp. 225-235.2991567 [DOI: https://dx.doi.org/10.1016/j.ins.2012.07.004]

31. Du, H; Wen, Q; Zhang, S. An efficient certificateless aggregate signature scheme without pairings for healthcare wireless sensor network. IEEE Access; 2019; 7, pp. 42683-42693. [DOI: https://dx.doi.org/10.1109/ACCESS.2019.2907298]

32. Yang X, Wen H, Diao R, Du X, Wang C (2023) Improved security of a pairing-free certificateless aggregate signature in healthcare wireless medical sensor networks. IEEE Internet Things J

33. Liu, J; Wang, L; Yu, Y. Improved security of a pairing-free certificateless aggregate signature in healthcare wireless medical sensor networks. IEEE Internet Things J; 2020; 7, 6 pp. 5256-5266. [DOI: https://dx.doi.org/10.1109/JIOT.2020.2979613]

Word count: 6105

Show less

ECC based certificateless aggregate signature scheme for healthcare wireless sensor networks

Content area

Abstract

Full text