A Secure Mutual Batch Authentication Scheme for Patient Data Privacy Preserving in WBAN

Abstract

The current advances in cloud-based services have significantly enhanced individual satisfaction in numerous modern life areas. Particularly, the recent spectacular innovations in the wireless body area networks (WBAN) domain have made e-Care services rise as a promising application field, which definitely improves the quality of the medical system. However, the forwarded data from the limited connectivity range of WBAN via a smart device (e.g., smartphone) to the application provider (AP) should be secured from an unapproved access and alteration (attacker) that could prompt catastrophic consequences. Therefore, several schemes have been proposed to guarantee data integrity and privacy during their transmission between the client/controller (C) and the AP. Thereby, numerous effective cryptosystem solutions based on a bilinear pairing approach are available in the literature to address the mentioned security issues. Unfortunately, the related solution presents security shortcomings, where AP can with ease impersonate a given C. Hence, this existing scheme cannot fully guarantee C’s data privacy and integrity. Therefore, we propose our contribution to address this data security issue (impersonation) through a secured and efficient remote batch authentication scheme that genuinely ascertains the identity of C and AP. Practically, the proposed cryptosystem is based on an efficient combination of elliptical curve cryptography (ECC) and bilinear pairing schemes. Furthermore, our proposed solution reduces the communication and computational costs by providing an efficient data aggregation and batch authentication for limited device’s resources in WBAN. These additional features (data aggregation and batch authentication) are the core improvements of our scheme that have great merit for limited energy environments like WBAN.

1. Introduction

Recall that recent innovations are done in the wireless sensor network (WSN), which have cleared the route for smart sensors that can be embedded on the human body to monitor glucose and respiratory rate, for example [1,2,3,4,5]. This interconnectedness of various advanced handheld gadgets worn or embedded in human systems is referred to as a wireless body area network (WBAN). WBAN commonly incorporates a cell phone at the client’s side that acts as a center point/controller, obtaining the client’s information and transferring it to a remote server or Application Provider (AP).

Despite the fact that WBAN has enhanced the e-Care administration system, the security and privacy of client’s data remain a tremendous challenge to address [3,4,5,6,7,8,9,10,11,12,13,14,15,16]. For instance, a client should know about the AP dealing with his/her related information before asking for further data processing (data accountability issue). Therefore, there is a paramount need for the client, as well as the e-Care system agents (doctors, medical attendants, etc.), to authenticate each other to preserve data confidentiality. Thereby the physician can ascertain the correctness of physiological information diagnostic that may have cataclysmic consequences on a patient in case of wrong authentication. Hence developing a new cryptosystem that ensures integrity, authentication, accountability, accessibility, non-repudiation, and secrecy is considered a hot topic by the information security research community [3,4,5,6,7,8,9,10,11,12,13,14,15,16]. A cryptosystem that provides mutual authentication scheme between the controller (C) and AP is crucial in order to preserve data security. For this reason, several valuable contributions have been introduced to securely transmit data from a given C to AP [3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23]. Note that those existing authentication schemes use different approaches that can be classified as: (i) physiological value based, (ii) channel based, (iii) proximity based, and (iv) cryptographic based [4].

Our proposed solution uses the cryptographic technique tools. Likewise, various cryptosystem schemes are presented among the research community [3,4,5,6,7,8,9,10,11,12,13,14,15,16]. However, the traditional asymmetric encryption (public key infrastructure PKI) technique that acts as primary solution to provide security is an inefficient option for optimized lightweight cryptosystem design in constrained resource environments (WBAN). This reason is due to the inherent PKI database administration issues, i.e., capacity, data transfer, and annulment and confirmation of certificates. To address this certificate administration issue, researchers [5] presented a new idea of an identity-based encryption (IBE) cryptosystem. This novel identity-based public key cryptographic (IB-PKC) model allows the client’s secret key to be an element of his real identity, which is generated by a trusted outsider called a private key generator (PKG). In this way, a genuine public key does not require certificates [6]. However, the fact that PKG exclusively generates private keys for clients raises a security shortcoming known as a key escrow issue. With a specific end goal to tackle this mentioned issue, researchers in [7] presented a certificate-less (CL) cryptography scheme, generally denoted as CL-PKC.

Recall that WBAN is based on remote wireless sensors that can transmit only within short ranges, with low handling power and energy [7]. To address this short communication range issue of medical records to a longer distance, a smart intermediate mobile device (e.g., a cell phone, also named a controller) is used inside the WBAN’s communication range (refer to Figure 1). Therefore, all cryptosystems with high computation cost to guarantee a high data security level are inappropriate. Hence various efficient authentication models other than the traditional PKI are presented in the literature [3,4,8,9,10,11,12,13,14,15,16,18,20]. Security insurance issues have started to draw escalated consideration among researchers and, lately, authors in [4] raised the shortcoming of an impersonation attack in a related scheme [8]. This security shortcoming resulted from saving the encryption and decryption keys on an unreliable AP database, and therefore introduced a novel secured authentication solution [4]. Furthermore, authors in [9] also proved that the existing cryptosystem [8] could not address the well-known stolen verifier–table attack. Thus, they proposed an authentication protocol based on elliptic curve cryptography (ECC) [9], notwithstanding that researchers in [10] proved that a related model [9] could not provide genuine anonymous data, while client’s pseudo attributes could be utilized to track the corresponding clients. Therefore, an improved cryptosystem based on a user’s identity was presented [10] to securely authenticate the different entities using bilinear pairing.

Due to the openness and mobility of WBAN, the transmission must be anonymous and unlinkable as well. In this way, authors in [11] designed a scheme that allowed sensor nodes appended in a patient’s body to authenticate with a local server/hub node and establish a session key in an anonymous and unlinkable way. This scheme [11] was proposed to as efficient as possible, by using only two types of operations: the cryptographic hash function and the exclusive OR operation (XOR). Likewise, Aneesh and Deepthi [12] presented a hybrid anonymous authentication and key agreement scheme, which was an improvement based on Li et al.’s scheme [11] using the physiological signal to overcome the node impersonation issue [8]. In this proposed solution [12], authors provided additional security features to effectively address the node impersonation and key escrow issues [6,8]. Aneesh and Deepthi [12] highlighted some security shortcomings in Li et al.’s scheme [11] and used physiological signals to resolve them. This made the proposed scheme a hybrid scheme. Practically, the related schemes [11,12] security proofs used Burrows–Abadi–Needham (BAN) logic and the Automated Validation of Internet Security Protocols and Applications (AVISPA). However, the use of physiological signals implies that all sensors nodes measure the same physiological signal and introduce additional costs for the collecting and transforming of data, as well as maintaining all sensors synchronized.

Therefore, Marko et al.’s model [13] showed that the schemes [11,12] fell short of their goals, and, in fact, did not provide untraceability of the communicating sensor nodes. Based on that, the goal was to provide a solution [13] with anonymous participants without session linkability/ traceability. This new scheme achieved the untraceability property, while retaining computational complexity and reducing the communication costs. By achieving untraceability, the proposed solution could be a good candidate to improve Koya et al.’s scheme [12]. However, this scheme increased the required storage space. Furthermore, the security proof of the new scheme was discussed informally with some well-known attacks and was formally provided using the BAN logic, the AVISPA, and Scyther tool.

A new view of achieving user anonymity property has been introduced by using a Smartcard instead of traditional authentication scheme method to address the security and privacy issues in wireless multimedia sensor networks (WMSNs). Thereby, Ashok et al.’s [14] reviewed Li et al.’s scheme [11] and proved that their solution was still vulnerable to privileged-insider attack and sensor node capture attack, and failed to provide user anonymity properties. In order to address these security shortcomings found in Li et al.’s scheme [11], they proposed a secure biometrics-based user authentication scheme in WMSNs using a smartcard. This new scheme has been rigorously proven secure against possible known attacks and efficient in computation and communication as compared to Li et al.’s scheme [11]. As a further matter, a fresh approach has been tackled with the emergence of quantum computers to achieve the anonymity property. So far, most of the above-mentioned solutions are based on bilinear pairing and an elliptic curve cryptosystem. However, their security is based on the discrete logarithm on the elliptic curve, which has been proven to be limited by the development of quantum computers. To address the issue, Rui et al. [15] presented a new lightweight anonymous handover authentication (AHA) scheme based on the Number Theory Research Unit (NTRU) public key cryptosystem for wireless networks. Security analysis and experimental results showed that this scheme achieved mutual authentication with a greater security level to address known attacks. The advantages of the proposed scheme are the low computation cost, high efficiency, and ease of implementation as compared to related works like [11,12]. However, the disadvantage is that this scheme [15] cannot predict the misbehaving nodes and avoid the collusion attacks due to the lack of trust and reputation evaluation mechanism. Its correctness is only based on the certification results of both parties. Therefore, this proposed solution [15] is only suitable for the scenario of a single authentication model with a few participants.

In this paper, our contribution will be first to identify and propose a certificate-less mutual authentication scheme that addresses the impersonation issue in the related works [8,9,10]. Second, we design a lightweight cryptographic algorithm using an effective combination of ECC and bilinear pairings operation for limited devices in WBAN. Furthermore, our proposed solution is more efficient than the existing works [8,9,10,15] by providing a batch authentication process that reduces considerably the computation and communication costs for constrained resource devices in WBAN.

The rest of this work is sectioned as follows. Section 2 presents the background work, while Section 3 gives the detailed design of the proposed solution. Section 4 analyzes and evaluates the performance and security level of the proposed contribution. Then, we end this work in Section 5.

2. Proposed Solution Construction

2.1. Preliminaries

2.1.1. Elliptic Curve Cryptography (ECC)

ECC is an asymmetric key encryption scheme based on elliptic curve theory that generates faster, smaller, and efficient cryptosystem keys. It was introduced by Koblitz [24] and Miller [25]. A fixed curve E over a field K can be described in a non-homogeneous manner by the following equation (Weierstrass equation) [26]:

$${\mathrm{y}}^2+{\mathrm{a}}_1\mathrm{xy}+{\mathrm{a}}_3\mathrm{y}={\mathrm{x}}^3+{\mathrm{a}}_2{\mathrm{x}}^2+{\mathrm{a}}_4\mathrm{x}+{\mathrm{a}}_6$$

(1)

where ${\mathrm{a}}_1,{\mathrm{a}}_2,{\mathrm{a}}_3,{\mathrm{a}}_4,{\mathrm{a}}_6\in \mathrm{K}$ and $\Delta \ne 0$, and where $\Delta$ is the discriminant of E and is defined as follows:

$$\{\begin{array}{c}\Delta =-{\mathrm{d}}_2{}^2{\mathrm{d}}_8-8{\mathrm{d}}_4{}^3-27{\mathrm{d}}_6{}^2+9{\mathrm{d}}_2{\mathrm{d}}_4{\mathrm{d}}_6\\ {\mathrm{d}}_2={\mathrm{a}}_1{}^2+4{\mathrm{a}}_2;{\mathrm{d}}_4=2{\mathrm{a}}_4+{\mathrm{a}}_1{\mathrm{a}}_3;{\mathrm{d}}_6={\mathrm{a}}_3{}^2+4{\mathrm{a}}_6\\ {\mathrm{d}}_8={\mathrm{a}}_1{}^2{\mathrm{a}}_6+4{\mathrm{a}}_2{\mathrm{a}}_6-{\mathrm{a}}_1{\mathrm{a}}_3{\mathrm{a}}_4+{\mathrm{a}}_2{\mathrm{a}}_3{}^2-{\mathrm{a}}_4{}^2\end{array}$$

(2)

Based on the literature review, ECC can provide a strong secured cryptosystem with a 164-bit key, while others cryptographic schemes require a 1024-bit key. Therefore, ECC is more appropriate to achieve the desired security level with the lowest computation power cost and device battery usage. Thus, it is a suitable and efficient solution for limited mobile device applications. The security advantage of ECC lies in its competitive short security key size and the strong assumption to solve the elliptic curve discrete logarithm problem (ECDLP).

2.1.2. Bilinear Pairings

Bilinear maps explained in [27] can be presented as follows: Let two cyclic groups ${\mathrm{E}}_1$ (additive) and ${\mathrm{E}}_2$ (multiplicative) of order p (prime number). Let g be a generator of ${\mathrm{E}}_1$, and e a bilinear mapping; then,

e: ${\mathrm{E}}_1$ × ${\mathrm{E}}_1$ → ${\mathrm{E}}_2$. The bilinear mapping e satisfies these properties:

♦

Bilinearity: $\forall \mathrm{A},\mathrm{B}\in {\mathrm{E}}_1,\forall \mathrm{d},\mathrm{f}\in {\mathbb{Z}}_{\mathrm{p}}^{*},$

   $\mathrm{e}\left(\mathrm{dA},\mathrm{fB}\right)=\mathrm{e}{\left(\mathrm{A},\mathrm{B}\right)}^{\mathrm{df}}$

♦

Non-Degeneracy: ∃ A, B ∈ E₁ such that e (A, B) ≠ 1, and 1 is the identity element of E₂.

♦

Computation: For any A, B ∈ ${\mathrm{E}}_1$, we have an efficient algorithm to compute e.

Recall that a group that has such a mapping e is defined as a bilinear group on which the Decisional Diffie–Hellman issue can be easily solved, while the Computational Diffie–Hellman (CDH) issue is considered very hard. Therefore, our proposed solution is based on the below security computational assumptions.

2.2. Security Assumption

We propose an efficient mutual batch authentication solution relying on strong security computation assumptions.

Problem 1:

Consider a multiplicative cyclic group G of order p, with generator g. A probabilistic polynomial–time adversary has a negligible chance to compute${\mathrm{g}}^{\mathrm{ab}}$, from$\mathrm{g}$,${\mathrm{g}}^{\mathrm{a}}$,${\mathrm{g}}^{\mathrm{b}}$for random$\mathrm{a},\mathrm{b}\in {\mathrm{Z}}_{\mathrm{p}}^{*}$.

Problem 2:

Elliptic curve discrete logarithm problem (ECDLP). Let E be elliptic curve over a finite field K. Suppose points$\mathrm{P},\mathrm{Q}\in \mathrm{E}\left(\mathrm{K}\right)$, it is difficult to determine k such that$\mathrm{Q}=\left[\mathrm{k}\right]\mathrm{P}$, with$\mathrm{Q}\in \mathrm{E}\left(\mathrm{K}\right)$.

Here, we propose an architecture that is depicted by Figure 1, which is comprised of the WBAN, the controller/client (C), the network manager (NM), and the application provider (AP). WBAN is a particular environment where a sensor is organized to work self-sufficiently by connecting to different medicinal sensors, situated inside and outside of a human body system. The sensors transmit medical information to a remote AP server via C. Therefore, in our proposed solution we focus on the mutual authentication between C and AP to guarantee data integrity and confidentiality. The main steps in this mutual authentication scheme, i.e., initialization, registration, and authentication between C and AP [4,7,28,29], are done via a reliable outsider NM as depicted in Figure 2. In this scenario, C and AP register with NM to get the different partial cryptographic keys. Thereby, NM assumes the duty of the key generator center (KGC). Contrary to related works in the literature, where NM is completely trustworthy, we assume in this paper that NM could be curious and dishonest. Therefore, C and AP register with NM to obtain not the full key but partial cryptographic key parameters for stronger data privacy protection. In order to address the various attacks (passive or active) [30], our scheme provides the following security requirements:

(i)

Mutual authentication: It will ensure that exclusive genuine and approved C gets access privileges from AP and similarly just approved AP will receive and process data from C.

(ii)

Anonymity: This prerequisite guarantees that an attacker does not have access to the genuine partaker’s identity (C and AP) in their identification procedure.

(iii)

Unlinkability: This condition guarantees that an attacker cannot interface C’s identity to a particular session while asking for computations from AP.

(iv)

Furthermore, our proposed solution provides resilience to replay and impersonation attack. Further, used keys cannot be recovered by an attacker, and our solution does not use verification table.

Recall that the principal objective of this work is to design an efficient batch mutual certificate-less authentication scheme between C and AP that ascertains their identity in the communication process. Thereby a passive attacker (eavesdropper) should have a slight chance to impersonate either C or AP. Further, by providing anonymity, we upgrade the client’s privacy protection since the unlinkability property is guaranteed.

2.3. Related Work

Wang and Zhang proposed a new anonymous authentication scheme for WBAN [7] to overcome the security weaknesses of Zhao’s model [9]. We can describe the different steps, i.e., Initialization, Registration, and Authentication phases of their model as follows.

♦

Initialization phase: It mainly consists of generating keys and system parameters and it is done by the NM shown below.

(i)

NM computes a large prime number q, two groups ${\mathrm{G}}_1$, ${\mathrm{G}}_2$, a pairing map

$\mathrm{e}:{\mathrm{G}}_1\times {\mathrm{G}}_1\to {\mathrm{G}}_2.$

(ii)

NM selects two secured hashing maps h and H, where $\mathrm{h}:\left\{0,1\right\}*\to \mathrm{Zq}$ and $\mathrm{H}:\left\{0,1\right\}*\to {\mathrm{G}}_1$.

(iii)

NM generates randomly a number ${\mathrm{s}}_{\mathrm{NM}}\in {\mathrm{Z}}_{\mathrm{q}}$ as its secret key and compute $\mathrm{Q}={\mathrm{s}}_{\mathrm{NM}}\mathrm{P}$ as its public key.

(iv)

Finally, NM provides as public parameters $\mathrm{params}=\left\{\mathrm{q},{\mathrm{G}}_1,{\mathrm{G}}_2,\mathrm{e},\mathrm{P},\mathrm{h},\mathrm{H},{\mathrm{Q}}_{\mathrm{NM}}\right\}$.

♦

Registration phase: It is during this step that C and AP get registered with NM to get their different partial private key.

(i)

The entity C/AP transmits his identity ${\mathrm{ID}}_{\mathrm{O}}$ to NM.

(ii)

With ${\mathrm{ID}}_{\mathrm{O}}$, NM computes the partial secret key ${\mathrm{S}}_{\mathrm{O}}={\mathrm{s}}_{\mathrm{NM}}{\mathrm{Q}}_{\mathrm{O}}$, where ${\mathrm{Q}}_{\mathrm{O}}=\mathrm{H}\left({\mathrm{ID}}_{\mathrm{O}}\right)$. NM then sends secret key ${\mathrm{S}}_{\mathrm{O}}$ to O through a secure channel.

(iii)

C/AP secretly stores its partial private key ${\mathrm{S}}_{\mathrm{O}}$.

♦

Authentication phase: At this phase C/AP mutually authenticates each other and computes secured keys to encrypt patient records as follows:

(i)

C generates a random number ${\mathrm{r}}_{\mathrm{C}}\in {\mathrm{Z}}_{\mathrm{q}}{}^{*}$, calculates ${\mathrm{Q}}_{\mathrm{AP}}=\mathrm{H}\left({\mathrm{ID}}_{\mathrm{AP}}\right),{\mathrm{Q}}_{\mathrm{C}}=\mathrm{H}\left({\mathrm{ID}}_{\mathrm{C}}\right)$, ${\mathrm{R}}_{\mathrm{C}}={\mathrm{r}}_{\mathrm{C}}{\mathrm{Q}}_{\mathrm{C}},{\mathrm{K}}_{\mathrm{C}}=\mathrm{e}\left({\mathrm{S}}_{\mathrm{C}},{\mathrm{r}}_{\mathrm{C}}{\mathrm{Q}}_{\mathrm{AP}}\right),{\mathrm{and}\mathrm{Auth}}_{\mathrm{C}}={\mathrm{E}}_{\mathrm{KC}}\left({\mathrm{ID}}_{\mathrm{C}}\left|\left|{\mathrm{T}}_{\mathrm{C}}\right|\right|{\mathrm{R}}_{\mathrm{C}}\right)$. With, ${\mathrm{T}}_{\mathrm{C}}$ the current timestamp. Then, C sends a message ${\mathrm{M}}_1=\left\{{\mathrm{R}}_{\mathrm{C}},{\mathrm{T}}_{\mathrm{C}},{\mathrm{Auth}}_{\mathrm{C}}\right\}$ to AP.

(ii)

With ${\mathrm{M}}_1=\left\{{\mathrm{R}}_{\mathrm{C}},{\mathrm{T}}_{\mathrm{C}},{\mathrm{Auth}}_{\mathrm{C}}\right\}$, AP verifies the freshness of ${\mathrm{T}}_{\mathrm{C}}$ and rejects if it is not fresh. AP computes ${\mathrm{K}}_{\mathrm{AP}}=\mathrm{e}\left({\mathrm{S}}_{\mathrm{AP}},{\mathrm{R}}_{\mathrm{C}}\right)$ and gets $\left({\mathrm{ID}}_{\mathrm{C}}\left|\left|{\mathrm{T}}_{\mathrm{C}}\right|\right|{\mathrm{R}}_{\mathrm{C}}\right)$ by decrypting ${\mathrm{Auth}}_{\mathrm{C}}$. Then AP compares if ${\mathrm{T}}_{\mathrm{C}}$ and the decrypted one are equal. If not matching, AP cancels the access process. Else, AP computes randomly a number ${\mathrm{r}}_{\mathrm{AP}}$ ∈ ${\mathrm{Z}}_{\mathrm{q}}{}^{*}$ and computes ${\mathrm{Q}}_{\mathrm{C}},{\mathrm{Q}}_{\mathrm{AP}},{\mathrm{R}}_{\mathrm{AP}}={\mathrm{r}}_{\mathrm{AP}}{\mathrm{Q}}_{\mathrm{C}},{\mathrm{L}}_{\mathrm{AP}}={\mathrm{r}}_{\mathrm{AP}}{\mathrm{R}}_{\mathrm{C}}$ ${\mathrm{Auth}}_{\mathrm{AP}}=\mathrm{h}\left({\mathrm{T}}_{\mathrm{C}}\left|\left|{\mathrm{R}}_{\mathrm{C}}\right|\right|{\mathrm{R}}_{\mathrm{AP}}\left|\left|{\mathrm{K}}_{\mathrm{AP}}\right|\right|{\mathrm{L}}_{\mathrm{AP}}\right)$ session key ${\mathrm{sk}}_{\mathrm{AP}}=\mathrm{h}\left({\mathrm{T}}_{\mathrm{C}}\left|\left|{\mathrm{R}}_{\mathrm{C}}\right|\right|{\mathrm{T}}_{\mathrm{AP}}\left|\left|{\mathrm{R}}_{\mathrm{AP}}\right|\right|{\mathrm{L}}_{\mathrm{AP}}\right)$, where ${\mathrm{T}}_{\mathrm{AP}}$ is the actual time stamp. Then, AP transfers message ${\mathrm{M}}_2=\left\{{\mathrm{R}}_{\mathrm{AP}},{\mathrm{T}}_{\mathrm{AP}},{\mathrm{Auth}}_{\mathrm{AP}}\right\}$ to C.

(iii)

Receiving ${\mathrm{M}}_2$, C verifies the freshness of ${\mathrm{T}}_{\mathrm{AP}}$. If not, C stops the access demand. Otherwise, C computes ${\mathrm{L}}_{\mathrm{C}}={\mathrm{r}}_{\mathrm{C}}{\mathrm{R}}_{\mathrm{AP}}$, and checks the correctness of the equation ${\mathrm{Auth}}_{\mathrm{AP}}=\mathrm{h}\left({\mathrm{T}}_{\mathrm{C}}\left|\left|{\mathrm{R}}_{\mathrm{C}}\right|\right|{\mathrm{R}}_{\mathrm{AP}}\left|\left|{\mathrm{K}}_{\mathrm{AP}}\right|\right|{\mathrm{L}}_{\mathrm{AP}}\right)$. Then, C computes session key ${\mathrm{Sk}}_{\mathrm{C}}=\mathrm{h}\left({\mathrm{T}}_{\mathrm{C}}\left|\left|{\mathrm{R}}_{\mathrm{C}}\right|\right|{\mathrm{T}}_{\mathrm{AP}}\left|\left|{\mathrm{R}}_{\mathrm{C}}\right|\right|{\mathrm{L}}_{\mathrm{C}}\right),$ else the answer is rejected.

2.4. The Security Shortcoming

Based on the above description of Wang and Zhang’s model (WZ) [7], a given AP can simulate a client (${\mathrm{K}}_{\mathrm{C}}$ = ${\mathrm{K}}_{\mathrm{AB}}$). Therefore, a malicious AP could impersonate C as following: the attacker picks ${\mathrm{r}}_{\mathrm{C}}{\in }_{\mathrm{R}}{\mathrm{Z}}_{\mathrm{q}}{}^{*}$, sets ${\mathrm{Q}}_{\mathrm{C}}={\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{C}}\right),\mathrm{and}$ computes ${\mathrm{R}}_{\mathrm{C}}={\mathrm{r}}_{\mathrm{C}}{\mathrm{Q}}_{\mathrm{C}}$. Thereby the attacker can compute his/her own ${\mathrm{K}}^{*}{}_{\mathrm{AB}}=\mathrm{e}\left({\mathrm{S}}_{\mathrm{AP}},{\mathrm{R}}_{\mathrm{C}}\right)={\mathrm{K}}_{\mathrm{C}}$ and then generate a correct login $\left\{{\mathrm{M}}_1={\mathrm{R}}_{\mathrm{C}},{\mathrm{Auth}}_{\mathrm{C}},\mathrm{T}\right\}$, and ${\mathrm{Auth}}_{\mathrm{C}}=\mathrm{h}\left(\mathrm{T}\left|\left|{\mathrm{K}}_{\mathrm{C}}\right|\right|{\mathrm{R}}_{\mathrm{C}}\right)$. This security weakness is due to the absence of an authenticator in the generated ${\mathrm{K}}_{\mathrm{C}}$. Therefore, the WZ solution presents a security shortcoming during the C/AP authentication process. To address this shortcoming, authors in [29] proposed an effective remote identity validation scheme. Based on their experiment results [29], this existing solution can provide a malignant insider security, as well as reduce running time of C by 51% when contrasted with Wang and Zhang’s model [7]. However, those related works do not provide data aggregation and batch mutual identity validation processes to reinforce the data privacy protection.

3. Proposed Solution

Authentication issues related to patients in the e-Care system have begun to draw intense attention in the literature [31]. Therefore, we present in this section our contribution by designing a strong mutual certificate-less authentication scheme between C and AP. The

Table 1. Notations.

Symbols	Description
NM	Network manager
AP	Application provider
C	WBAN client/controller
q	Large prime number
${\mathrm{G}}_1$	Additive group with order q
${\mathrm{H}}_{\mathrm{i}}$	Secure hash function with i = 1, 2
${\mathrm{s}}_{\mathrm{NM}}$	Network manager private key
$\mathrm{E}/\mathrm{Fq}$	Elliptic curve over prime field
$\mathrm{Fq}$	Prime field
e || f	Concatenation of strings e and f
$\mathrm{P}$	Generator of group G
${\mathrm{pid}}_{\mathrm{cj}}$	Client pseudo-ID, with j = 1, 2, 3
${\mathrm{ID}}_{\mathrm{AP}}$	Application identity
${\mathrm{PK}}_{\mathrm{NM}}$	Network manager public key

summarizes the different abbreviations used in this paper.

Our proposed solution satisfies the following security requirements to guarantee that an attacker cannot impersonate either AP or C and modifies the transmitted data (integrity of data and privacy of the client C assurance).

(1)

Subscriber authentication: AP should confirm the various C’s identity to guarantee their authenticity.

(2)

Provider validation: A client C is permitted to verify the different AP’s identity it visits to keep away from potential forgery and various malevolent attacks.

(3)

Key generation: A different encryption key is generated each time C and AP initiate a session to ensure the protection of the transferred data.

(4)

Anonymous Client: Apart NM, the client C is unknown and its operations are unlinkable to anybody including the AP.

3.1. Security System Settings

NM sets the entire system (sets parameters) and computes the partial secret keys by running the following steps based on elliptic curve $E/Fq$ and random generator P for ${\mathrm{G}}_1$ (cyclic additive group).

NM randomly selects a number $S_{NM}\in Z_q{}^{*}$ as master private key and calculates his related public key $P{K}_{NM}=S_{NM}\mathrm{P}$.

Then, NM picks below hashing mappings:

${\mathrm{H}}_1:{\left\{0,1\right\}}^{\mathrm{l}}\times {\mathrm{G}}_1{}^2\to {\mathrm{Z}}_{\mathrm{q}}{}^{*},$${\mathrm{H}}_2:{\mathrm{G}}_1{}^2\times {\left\{0,1\right\}}^{2\mathrm{l}}\to {\mathrm{Z}}_{\mathrm{q}}{}^{*}$, with l and k specifying identity’s length and size in ${\mathrm{Z}}_{\mathrm{q}}{}^{*}$. NM publishes system public parameters $\mathrm{params}=\left\{{\mathrm{P}}_{\mathrm{NM}},{\mathrm{H}}_1,{\mathrm{H}}_2,\mathrm{P},\mathrm{E}/\mathrm{Fq},{\mathrm{G}}_1\right\}$

3.2. Registration Phase

We use data privacy preserving tools relying on pseudonyms. C usually has enough storage backup to handle a huge quantity of preloaded pseudonyms from NM. An effective work [32] addresses the data backup issue related to preload anonymous cryptosystem keys (pseudonyms). In this paper, the proposed scheme requires a pool of pseudonyms with short live times (based on expiry date), where the memory consumption is limited to the related work’s results [32]. This approach is used by several existing models and has been proven efficient, especially for wireless environments.

The NM then provides a list of pseudonyms (pseudo identity/pseudo-ID) for C and generates partially the secret keys for both AP and C, respectively, like in [28] with some modifications in the registration phase.

3.2.1. The Client C Registration

C with its identity ${\mathrm{ID}}_{\mathrm{c}}\in {\left\{0,1\right\}}^{\mathrm{l}}$ picks randomly ${\mathrm{x}}_{\mathrm{C}}\in {\mathrm{Z}}_{\mathrm{q}}{}^{*}$ as its secret value, computes its public key as ${\mathrm{PK}}_{\mathrm{C}}={\mathrm{x}}_{\mathrm{C}}\mathrm{P},$ then C transfers ${\mathrm{ID}}_{\mathrm{c}}$, ${\mathrm{PK}}_{\mathrm{C}}$ to NM that first verifies the C’s identity validity. If ${\mathrm{ID}}_{\mathrm{c}}$ is genuine, then NM randomly picks a family of unlinkable pseudo-ID:

${\mathrm{PID}}_{\mathrm{C}}=\left\{{\mathrm{pid}}_{\mathrm{c}1},{\mathrm{pid}}_{\mathrm{c}2},\dots \right\}$ With a specified-lived valid period. Then NM generates a secret random number ${\mathrm{r}}_{\mathrm{c}}\in {\mathrm{Z}}_{\mathrm{q}}{}^{*}$, and computes ${\mathrm{P}}_{\mathrm{C}}={\mathrm{r}}_{\mathrm{c}}\mathrm{P}$.

For each pseudo-ID ${\mathrm{pid}}_{\mathrm{cj}}\in {\mathrm{PID}}_{\mathrm{C}}$, NM computes the secret value ${\mathrm{S}}_{\mathrm{C}}=({\mathrm{r}}_{\mathrm{c}}+{\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}},{\mathrm{PK}}_{\mathrm{C}},{\mathrm{P}}_{\mathrm{C}}\right){\mathrm{S}}_{\mathrm{NM}})\mathrm{mod}\mathrm{q}$ and sets C’s partial private key as ${\mathrm{S}}_{\mathrm{NM}}.{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right)$. Then NM sends securely all the tuples (${\mathrm{S}}_{\mathrm{NM}}.{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right),{\mathrm{P}}_{\mathrm{C}},{\mathrm{S}}_{\mathrm{C}}\mathrm{P}$) back to C. Thereby C can ascertain the validation of its partial secret key by verifying if the equation ${\mathrm{S}}_{\mathrm{C}}\mathrm{P}={\mathrm{P}}_{\mathrm{C}}+{\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}},{\mathrm{PK}}_{\mathrm{C}},{\mathrm{P}}_{\mathrm{C}}\right){\mathrm{PK}}_{\mathrm{NM}}$ holds for each ${\mathrm{pid}}_{\mathrm{cj}}\in {\mathrm{PID}}_{\mathrm{C}}$. Therefore, the full private key of C is generated and known by C only with the value equal to $\left({\mathrm{x}}_{\mathrm{C}},{\mathrm{S}}_{\mathrm{NM}}.{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right)\right)$. Doing so, C can change its pseudo-ID $\left({\mathrm{pid}}_{\mathrm{cj}}\right)$, in the valid time period to achieve identity privacy in mutual authentication process with AP.

3.2.2. Application Provider AP Registration

Similarly, AP and its identity ${\mathrm{ID}}_{\mathrm{AP}}\in {\left\{0,1\right\}}^{\mathrm{l}}$ sets ${\mathrm{x}}_{\mathrm{AP}}\in {\mathrm{Z}}_{\mathrm{q}}{}^{*}$ as secret key, computes its public key as ${\mathrm{PK}}_{\mathrm{AP}}={\mathrm{x}}_{\mathrm{AP}}\mathrm{P},$ then transfers ${\mathrm{ID}}_{\mathrm{AP}},{\mathrm{PK}}_{\mathrm{AP}}$ to NM. Again, NM chooses random number ${\mathrm{r}}_{\mathrm{AP}}\in {\mathrm{Z}}_{\mathrm{q}}{}^{*}$, computes ${\mathrm{P}}_{\mathrm{AP}}={\mathrm{r}}_{\mathrm{AP}}\mathrm{P}$, ${\mathrm{S}}_{\mathrm{AP}}=({\mathrm{r}}_{\mathrm{AP}+}{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{AP}},{\mathrm{PK}}_{\mathrm{AP}},{\mathrm{P}}_{\mathrm{AP}}\right){\mathrm{S}}_{\mathrm{NM}})\mathrm{mod}\mathrm{q}.$

Then NM sets as partial private key ${\mathrm{S}}_{\mathrm{NM}}.{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{AP}}\right)$ for AP and secretly (e.g., using a secure transmission protocol) sends (${\mathrm{S}}_{\mathrm{NM}}.{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{AP}}\right)$, ${\mathrm{P}}_{\mathrm{AP}},{\mathrm{S}}_{\mathrm{AP}}\mathrm{P}$) to AP. In order to verify the correctness of ${\mathrm{S}}_{\mathrm{AP}}$, AP verifies if ${\mathrm{S}}_{\mathrm{AP}}\mathrm{P}={\mathrm{P}}_{\mathrm{AP}}+{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{AP}},{\mathrm{PK}}_{\mathrm{AP}},{\mathrm{P}}_{\mathrm{AP}}\right){\mathrm{PK}}_{\mathrm{NM}}$ holds and keeps this value. Likewise, AP sets its full private key as $({\mathrm{x}}_{\mathrm{AP}},{\mathrm{S}}_{\mathrm{NM}}.{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{AP}}\right)$).

In the above registration process, NM appends Expire Date into each ${\mathrm{pid}}_{\mathrm{cj}}\in {\mathrm{PID}}_{\mathrm{C}}$. The validity of the partial private keys is then set before a specific date. Thus, the partial secret keys are automatically removed after that date, and fresh partial secret keys with new validity date are generated by NM. This key management approach securely can be given to C (even damaged, hacked, or stolen) without compromising seriously the system security. More, we avoid key and certificate management like in the traditional PKI environment and provide user revocation.

3.3. Authentication Phase

The focus here is to provide a secured mutual authentication scheme between C and AP that ascertains their identity to guarantee the physiological data’s privacy during their communication process. Below are the different steps involved in this authentication process between C and AP depicted by the Figure 3:

(1).

C picks a random unused pseudo-ID (${\mathrm{pid}}_{\mathrm{cj}}$) and its corresponding partial private key ${\mathrm{S}}_{\mathrm{NM}}.{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right)$. Then C chooses randomly $\mathsf{\alpha }\mathsf{ϵ}{\mathrm{Z}}_{\mathrm{q}}{}^{*}$ and compute ${\mathrm{U}}_{\mathrm{C}}={\mathrm{x}}_{\mathrm{C}}\mathrm{P}$, and a session verifier ${\mathrm{V}}_{\mathrm{C}}={\left({\mathrm{U}}_{\mathrm{C}}\right)}^{\mathsf{\alpha }}$.

(2).

C computes ${\mathrm{h}}_{\mathrm{C}1}={\mathrm{H}}_1\left({\mathrm{U}}_{\mathrm{C}},{\mathrm{ID}}_{\mathrm{AP}},{\mathrm{PK}}_{\mathrm{AP}}\right)$, ${\mathrm{h}}_{\mathrm{C}2}={\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}},{\mathrm{h}}_{\mathrm{C}1}\right)$ and composes message ${\mathrm{M}}_{\mathrm{C}}=\left({\mathrm{pid}}_{\mathrm{cj}}\left|\left|{\mathrm{h}}_{\mathrm{C}2}\right|\right|{\mathrm{t}}_1\right)$.

(3).

The client C computes a signature ${\mathsf{\sigma }}_{\mathrm{C}}={\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{C}}\right).{\mathrm{S}}_{\mathrm{NM}}{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right)$ and sends a request message to AP: $\mathrm{Req}=\left\{{\mathrm{M}}_{\mathrm{C}},{\mathsf{\sigma }}_{\mathrm{C}},{\mathrm{V}}_{\mathrm{C}}\right\}$ with $\Delta \mathrm{t}$ the valid transmission delay calculated by C.

(4).

Upon receiving the request message (Req) at time ${\mathrm{t}}_2$ from C, AP first verifies the expiry date in ${\mathrm{pid}}_{\mathrm{cj}}$. If the expiry date is valid, AP then checks the freshness of ${\mathrm{t}}_1$ by verifying if ${\mathrm{t}}_2-{\mathrm{t}}_1\le \Delta \mathrm{t}.$ If ${\mathrm{t}}_1$ is fresh, AP with the public parameters params, verifies the validity of C’s signature ${\mathsf{\sigma }}_{\mathrm{C}}$ by checking if the Equation (3) holds.

$$\mathrm{e}\left({\mathsf{\sigma }}_{\mathrm{C}},\mathrm{P}\right)=\mathrm{e}\left({\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{C}}\right).{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right),{\mathrm{PK}}_{\mathrm{NM}}\right)$$

(3)

Verification:

$$\mathrm{e}\left({\mathsf{\sigma }}_{\mathrm{C}},\mathrm{P}\right)=\mathrm{e}\left({\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{C}}\right).{\mathrm{S}}_{\mathrm{NM}}{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right),\mathrm{P}\right)$$

$$=\mathrm{e}\left({\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{C}}\right).{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right),{\mathrm{S}}_{\mathrm{NM}}\mathrm{P}\right)$$

$$\mathrm{e}\left({\mathsf{\sigma }}_{\mathrm{C}},\mathrm{P}\right)=\mathrm{e}\left({\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{C}}\right).{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right),{\mathrm{PK}}_{\mathrm{NM}}\right)$$

(5).

AP selects randomly $\mathsf{\beta }\mathsf{ϵ}{\mathrm{Z}}_{\mathrm{q}}{}^{*}$ and computes: ${\mathrm{U}}_{\mathrm{AP}}={\mathrm{x}}_{\mathrm{AP}}\mathrm{P},$ ${\mathrm{V}}_{\mathrm{AP}}={\left({\mathrm{U}}_{\mathrm{AP}}\right)}^{\mathsf{\beta }}$ (session verifier), and ${\mathrm{L}}_{\mathrm{AP}}={\mathrm{V}}_{\mathrm{AP}}.{\mathrm{V}}_{\mathrm{C}}$.

(6).

Then AP computes a private session key ${\mathrm{PK}}_{\mathrm{AP}-\mathrm{C}}=\mathrm{e}\left({\mathrm{L}}_{\mathrm{AP}}.{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{AP}}\right),{\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}}\right)\right)$ and generates an authentication code ${\mathrm{auth}}_1={\mathrm{H}}_2\left({\mathrm{PK}}_{\mathrm{AP}-\mathrm{C}}\left|\left|{\mathrm{pid}}_{\mathrm{cj}}\right|\right|{\mathrm{ID}}_{\mathrm{AP}}\right)$ and sends {${\mathrm{auth}}_1,{\mathrm{V}}_{\mathrm{AP}}$, ${\mathrm{t}}_3,{\mathrm{ID}}_{\mathrm{AP}},{\mathrm{pid}}_{\mathrm{cj}}$} to C.

(7).

Upon receiving {${\mathrm{auth}}_1,{\mathrm{V}}_{\mathrm{AP}}$, ${\mathrm{t}}_3,{\mathrm{ID}}_{\mathrm{AP}},{\mathrm{pid}}_{\mathrm{cj}}$} at ${\mathrm{t}}_4$ from AP, the client C verifies the freshness of ${\mathrm{t}}_3$ by checking if ${\mathrm{t}}_4-{\mathrm{t}}_3\le \Delta {}^{\prime }\mathrm{t}$, with ∆${}^{\prime }\mathrm{t}$ the valid transmission delay calculated by AP. If ${\mathrm{t}}_3$ is fresh, C computes ${\mathrm{L}}_{\mathrm{C}}={\mathrm{V}}_{\mathrm{C}}.{\mathrm{V}}_{\mathrm{AP}}$, and a private symmetric session key with AP like: ${\mathrm{PK}}_{\mathrm{C}-\mathrm{AP}}=\mathrm{e}\left({\mathrm{L}}_{\mathrm{C}}.{\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}}\right),{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{AP}}\right)\right).$ Furthermore, C generates an authentication verification ${\mathrm{auth}}_2={\mathrm{H}}_2\left({\mathrm{PK}}_{\mathrm{C}-\mathrm{AP}}\left|\left|{\mathrm{pid}}_{\mathrm{cj}}\right|\right|{\mathrm{ID}}_{\mathrm{AP}}\right)$ code and compares with ${\mathrm{auth}}_1$. If ${\mathrm{auth}}_2={\mathrm{auth}}_1$, then C can ascertain the identity of AP as legitimate; otherwise, C stops the communication process with AP and reports it to NM. In this scenario C can verifies if ${\mathrm{auth}}_2={\mathrm{auth}}_1$ if and only if ${\mathrm{PK}}_{\mathrm{C}-\mathrm{AP}}={\mathrm{PK}}_{\mathrm{AP}-\mathrm{C}}$:

$${\mathrm{PK}}_{\mathrm{C}-\mathrm{AP}}=\mathrm{e}\left({\mathrm{L}}_{\mathrm{C}}.{\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}}\right),{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{AP}}\right)\right)$$

$$=\mathrm{e}\left({\mathrm{V}}_{\mathrm{C}}.{\mathrm{V}}_{\mathrm{AP}}.{\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}}\right),{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{AP}}\right)\right)$$

$$=\mathrm{e}\left({\mathrm{V}}_{\mathrm{AP}}.{\mathrm{V}}_{\mathrm{C}}.{\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}}\right),{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{AP}}\right)\right)$$

$$=\mathrm{e}\left({\mathrm{L}}_{\mathrm{AP}}.{\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}}\right),{\mathrm{H}}_1\left({\mathrm{ID}}_{\mathrm{AP}}\right)\right)$$

$${\mathrm{PK}}_{\mathrm{C}-\mathrm{AP}}={\mathrm{PK}}_{\mathrm{AP}-\mathrm{C}}$$

We thereby enable explicit mutual authentication between legitimate C and AP. Our proposed solution additionally empowers one-sided anonymous identity validation for C. Further, after successful authentication process, AP and C also can set secured symmetric cryptosystem for future data exchange process. Each data exchange session will be solely identified by (${\mathrm{pid}}_{\mathrm{cj}}$, ${\mathrm{ID}}_{\mathrm{AP}}$).

4. Security and Performance Analysis

4.1. Security Analysis

We tackle the proposed system security level to verify whether the requirements mentioned in subsection security assumption have been satisfied. We will show how our scheme provides secure mutual authentication between C and AP, anonymity for C, leaked key security, unlinkability, and impersonation attack. Moreover, aggregated values in our proposed solution hide the contained accumulated individual records, which empower individual C’s data privacy protection. Recall the definition of the Decisional Bilinear Diffie–Hellman (DBDH) assumption in the random oracle model.

Definition (DBDH assumption):

The bilinear decisional Diffie–Hellman (BDDH) problem is defined in such a way that for known values g, ${\mathrm{g}}^{\mathrm{x}},{\mathrm{g}}^{\mathrm{y}},{\mathrm{g}}^{\mathrm{z}}and$ unknown random values $\mathrm{x},\mathrm{y},\mathrm{z}\in {\mathrm{R}\mathrm{Z}}_{\mathrm{P}},\mathrm{and}\mathrm{T}\in \mathrm{R},{\mathrm{G}}_{\mathrm{T}}$, it is considered difficult to set $\mathrm{T}=\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathrm{xyz}}$ from any random element in the target group. The (t, ϵ)–BDDH assumption is verified in G, if no t time algorithm has the probability of at least $\frac{1}{2}+\mathsf{ϵ}$ to solve the BDDH problem for non-negligible $\mathsf{ϵ}$.

♦

Anonymity: Each C gets a set of pseudo-identity ${\mathrm{pid}}_{\mathrm{cj}}\in {\mathrm{PID}}_{\mathrm{C}}$ and its related partial secret key ${\mathrm{S}}_{\mathrm{NM}}.{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right),$ uring registration process from NM. These pseudo-identities, rather than C’s real identity, provide strong privacy protection. Not any involved entity, not even AP, can identify C or recollect different transactions launched by the same C except NM. In practice, C sends a random message request $\mathrm{Req}=\left\{{\mathrm{M}}_{\mathrm{C}},{\mathsf{\sigma }}_{\mathrm{C}},{\mathrm{V}}_{\mathrm{C}}\right\}$ each time to AP. This message request contains secret values (${\mathrm{x}}_{\mathrm{C}},\mathsf{\alpha }$) and pseudo-ID ${\mathrm{pid}}_{\mathrm{cj}}$ that are random (not constant) values each time that C initiates an authentication process with AP. Only C can compute ${\mathrm{V}}_{\mathrm{C}}={\left({\mathrm{U}}_{\mathrm{C}}\right)}^{\mathsf{\alpha }}$ and ${\mathsf{\sigma }}_{\mathrm{C}}={\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{C}}\right).{\mathrm{S}}_{\mathrm{NM}}{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right)$ since these values require both secret values (${\mathrm{x}}_{\mathrm{C}},\mathsf{\alpha }$) and partial private keys ${\mathrm{S}}_{\mathrm{NM}}{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right)$ for their calculation. Therefore, an attacker including NM, in order to compute ${\mathrm{V}}_{\mathrm{C}}$ must solve the inherited CDH problem; that is, he should perform ${\mathrm{U}}_{\mathrm{C}}={\mathrm{x}}_{\mathrm{C}}\mathrm{P}$ and then ${\mathrm{V}}_{\mathrm{C}}={\left({\mathrm{U}}_{\mathrm{C}}\right)}^{\mathsf{\alpha }}$ for unknown random secret values ${\mathrm{x}}_{\mathrm{C}}$, $\mathsf{\alpha }$ which contradicts the CDH assumption. Therefore, C is anonymous and cannot be impersonated through our scheme. Therefore, our scheme guarantees data anonymity and identicalness (aggregated values) based on BDBH assumption in random oracle to resist chosen-plaintext attacks.

♦

Mutual Authentication: The client C’s signature ${\mathsf{\sigma }}_{\mathrm{C}}={\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{C}}\right).{\mathrm{S}}_{\mathrm{NM}}{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right)$ is in fact a signed based pseudo-identity. Therefore, it is impracticable to fake a genuine signature without prior access to the secret values ${\mathrm{S}}_{\mathrm{C}}=({\mathrm{r}}_{\mathrm{c}}+{\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{cj}},{\mathrm{PK}}_{\mathrm{C}},{\mathrm{P}}_{\mathrm{C}}\right){\mathrm{S}}_{\mathrm{NM}})\mathrm{mod})$ and ${\mathrm{U}}_{\mathrm{C}}={\mathrm{x}}_{\mathrm{C}}\mathrm{P}$ due to the NP-hard calculation complexity of the Diffie–Hellman assumption in ${\mathrm{G}}_1$. Thereby it is very hard to deduce the partial private key ${\mathrm{S}}_{\mathrm{NM}}{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right)$ using ${\mathrm{pid}}_{\mathrm{cj}}$, and ${\mathrm{PK}}_{\mathrm{NM}}$. Similarly, an attacker with no prior knowledge of AP’s partial private key ${\mathrm{S}}_{\mathrm{NM}}.{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{AP}}\right)$ and secret values ${\mathrm{U}}_{\mathrm{AP}}={\mathrm{x}}_{\mathrm{AP}}\mathrm{P}$ and $\mathsf{\beta }$ cannot make a legitimate authentication code ${\mathrm{auth}}_1$. Further an adversary cannot compute ${\mathrm{auth}}_2$ and verify the equation ${\mathrm{auth}}_2={\mathrm{auth}}_1$ since he cannot solve CDH (definition 1) as described in the section above. Furthermore, only legitimate C and AP can compute ${\mathrm{L}}_{\mathrm{C}}={\mathrm{L}}_{\mathrm{AP}}={\mathrm{V}}_{\mathrm{C}}.{\mathrm{V}}_{\mathrm{AP}}$, due to the randomness and secrecy of ${\mathrm{U}}_{\mathrm{C}}$ and ${\mathrm{U}}_{\mathrm{AP}}$ respectively. Therefore, a secured authentication process between C and AP is achieved by our scheme.

♦

Unlinkability: Recall that C uses different pseudo-identity ${\mathrm{pid}}_{\mathrm{cj}}\in {\mathrm{PID}}_{\mathrm{C}}$ during each authentication process with an AP. Furthermore, only NM is aware of the relation between a given pseudo-identity and its original C’s identity. For that reason, excluding NM and C, no other entity is able to determine C or relate different authentication processes launched by the same C.

♦

Leaked key security: As described in Section 3, our scheme provides a random distinct session key each time an authentication process is initiated by C with AP. It is due to the randomness of the choice of secret values α$,\mathsf{\beta },{\mathrm{x}}_{\mathrm{AP}},{\mathrm{x}}_{\mathrm{C}}\mathsf{ϵ}{\mathrm{Z}}_{\mathrm{q}}{}^{*}$ by C and AP. Doing so, an attacker with a used key has a very slight chance to compromise succeeding sessions.

♦

Impersonation attack: To impersonate C or AP, an adversary should generate the correct values of ${\mathrm{auth}}_1$ and ${\mathrm{auth}}_2$, respectively, which is practically infeasible, as explained above (mutual authentication process section). Further an AP cannot generate a correct C’s signature ${\mathsf{\sigma }}_{\mathrm{C}}={\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{C}}\right).{\mathrm{S}}_{\mathrm{NM}}{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{C}}\right)$ and ${\mathrm{V}}_{\mathrm{C}}$ in the message request, since he cannot access ${\mathrm{S}}_{\mathrm{C}}$ and ${\mathrm{x}}_{\mathrm{C}}$ otherwise the attack can be detected by C in verifying ${\mathrm{auth}}_1$. Likewise, an adversary that intercepts the message ${\mathrm{M}}_{\mathrm{C}}=\left({\mathrm{pid}}_{\mathrm{cj}}\left|\left|{\mathrm{h}}_{\mathrm{C}2}\right|\right|{\mathrm{t}}_1\right)$ and tries to impersonate AP has a negligible chance of success due to the CDH assumption (mutual authentication process section) that is believed to be difficult. The performance analysis section highlights the security functional results comparison between our scheme and related works [7,8,9].

♦

Data Aggregation: Moreover, aggregated values in our proposed solution hide the accrued single value that enforces the privacy preservation of single C compared to related works [7,8,9]. To achieve this additional aggregated data feature, we designed a modified additively homomorphic IBE scheme from the Boneh–Franklin IBE cryptosystem [33]. The security proof lies on BDDH assumption in a random oracle (refer to security analysis section). This cryptosystem [33] is appropriate for our proposed solution (small sensing data reading) to achieve data aggregation and batch authentication. Our modified IBE scheme has four algorithms and we use ${\mathrm{G}}_1$, ${\mathrm{G}}_2$ of prime order q, P as generator of ${\mathrm{G}}_1$, and a bilinear mapping e: ${\mathrm{G}}_1$ × ${\mathrm{G}}_1$ → ${\mathrm{G}}_2$, such that $\mathrm{e}\left({\mathrm{P}}^{\mathrm{a}},{\mathrm{Q}}^{\mathrm{b}}\right)=\mathrm{e}{\left(\mathrm{P},\mathrm{Q}\right)}^{\mathrm{ab}}$, $\forall \mathrm{P},\mathrm{Q}\in {\mathrm{G}}_1,\forall \mathrm{a},\mathrm{b}\in {\mathbb{Z}}_{\mathrm{q}}^{*}$, and e(P, Q) ≠ $1_{{\mathrm{G}}_2}$ whenever $\mathrm{P},\mathrm{Q}\in {\mathrm{G}}_1$.

Setup: NM randomly picks as master private key (msk) a number ${\mathrm{S}}_{\mathrm{NM}}\in {\mathrm{Z}}_{\mathrm{q}}{}^{*}$ and calculates its related public encryption key ${\mathrm{PK}}_{\mathrm{NM}}={\mathrm{S}}_{\mathrm{NM}}\mathrm{P}$. Then NM chooses a hash function defined as ${\mathrm{H}}_1:{\left\{0,1\right\}}^{\mathrm{l}}\to {\mathrm{G}}_1{}^{*},$ where the message space is $ℳ=\left\{0,\dots ,\mathrm{l}-1\right\}\subseteq {\mathrm{Z}}_{\mathrm{q}}{}^{*}$ with $\mathrm{l}=\mathrm{p}\left(\mathrm{n}\right)<\mathrm{q}$ for some polynomial p and the cipher-text space is $\mathrm{C}={\mathrm{G}}_1{}^{*}\times {\mathrm{G}}_2.$

Extract (${\mathrm{PK}}_{\mathrm{NM}}$, msk, ${\mathrm{pid}}_{\mathrm{ci}}$): NM computes and sets $\mathrm{k}={\mathrm{P}}^{{\mathrm{S}}_{\mathrm{NM}}}$. Output ${\mathrm{SK}}_{{\mathrm{pid}}_{\mathrm{ci}}}={\mathrm{H}}_1{\left({\mathrm{pid}}_{\mathrm{ci}}\right)}^{{\mathrm{S}}_{\mathrm{NM}}}\mathrm{and}\mathrm{k}$.

Enc (${\mathrm{PK}}_{\mathrm{NM}}$, ${\mathrm{pid}}_{\mathrm{ci}}$, m). C randomly picks $\mathrm{b}\in {\mathrm{Z}}_{\mathrm{q}}{}^{*}$; outputs ${\mathrm{C}}_{{\mathrm{mpid}}_{\mathrm{ci}}=}\left({\mathrm{P}}^{\mathrm{b}},{\mathrm{P}}^{-\mathrm{m}}.\mathrm{e}{\left({\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{ci}}\right),\mathrm{k}\right)}^{\mathrm{b}}\right)$.

Dec (${\mathrm{PK}}_{\mathrm{NM}}$,${\mathrm{SK}}_{{\mathrm{pid}}_{\mathrm{ci}}}$,${\mathrm{C}}_{{\mathrm{mpid}}_{\mathrm{ci}}}$). AP parses ${\mathrm{C}}_{{\mathrm{mpid}}_{\mathrm{ci}}}\mathrm{as}\left({\mathrm{c}}_1,{\mathrm{c}}_2\right)$ and compute

${\mathrm{m}}^{*}={\mathrm{c}}_2/\mathrm{e}\left({\mathrm{SK}}_{{\mathrm{pid}}_{\mathrm{ci}}},{\mathrm{c}}_1\right)$ and $\mathrm{m}={\log }_{\overline{\mathrm{P}}}{\mathrm{m}}^{*}$. The verification of our modified IBE lies on the fact that

$${\log }_{\overline{\mathrm{P}}}({\mathrm{m}}^{*})={\log }_{\overline{\mathrm{P}}}\left({\mathrm{c}}_2/\mathrm{e}\left({\mathrm{SK}}_{{\mathrm{pid}}_{\mathrm{ci}}},{\mathrm{c}}_1\right)\right)$$

$${\log }_{\overline{\mathrm{P}}}\left({\mathrm{m}}^{*}\right)={\log }_{\overline{\mathrm{P}}}\left(\frac{{\mathrm{P}}^{-\mathrm{m}}.\mathrm{e}{\left({\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{ci}}\right),\mathrm{k}\right)}^{\mathrm{b}}}{\mathrm{e}\left({\mathrm{H}}_1{\left({\mathrm{pid}}_{\mathrm{ci}}\right)}^{{\mathrm{S}}_{\mathrm{NM}}},{\mathrm{P}}^{\mathrm{b}}\right)}\right)$$

$${\log }_{\overline{\mathrm{P}}}\left({\mathrm{m}}^{*}\right)={\log }_{\overline{\mathrm{P}}}\left(\frac{{\mathrm{P}}^{-\mathrm{m}}.\mathrm{e}{\left({\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{ci}}\right),{\mathrm{P}}^{{\mathrm{S}}_{\mathrm{NM}}}\right)}^{\mathrm{b}}}{\mathrm{e}\left({\mathrm{H}}_1{\left({\mathrm{pid}}_{\mathrm{ci}}\right)}^{{\mathrm{S}}_{\mathrm{NM}}},{\mathrm{P}}^{\mathrm{b}}\right)}\right)=\mathrm{m}$$

(4)

We prove that our proposed homomorphic cryptosystem is additive in message space by multiplying cipher texts:

$${\mathrm{C}}_1\times {\mathrm{C}}_2=({\mathrm{P}}^{\mathrm{b}}\times {\mathrm{P}}^{{\mathrm{b}}^{\prime }},{\mathrm{P}}^{-\mathrm{m}}.\mathrm{e}{\left({\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{ci}}\right),\mathrm{k}\right)}^{\mathrm{b}}\times {\mathrm{P}}^{-{\mathrm{m}}^{\prime }}.\mathrm{e}{\left({\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{ci}}\right),\mathrm{k}\right)}^{\mathrm{b}})$$

$${\mathrm{C}}_1\times {\mathrm{C}}_2=({\mathrm{P}}^{\mathrm{b}+{\mathrm{b}}^{\prime }},{\mathrm{P}}^{-\mathrm{m}+{\mathrm{m}}^{\prime }}.\mathrm{e}{\left({\mathrm{H}}_1\left({\mathrm{pid}}_{\mathrm{ci}}\right),\mathrm{k}\right)}^{\mathrm{b}+{\mathrm{b}}^{\prime }})$$

$${\mathrm{C}}_1\times {\mathrm{C}}_2=\mathrm{Enc}\left({\mathrm{PK}}_{\mathrm{NM}},{\mathrm{pid}}_{\mathrm{ci}},\mathrm{m}+{\mathrm{m}}^{\prime }\mathrm{mod}\mathrm{q}\right)$$

Note that the two disadvantages that come along with our modified additively homomorphic IBE scheme (i.e., the limited messages backup capacity and computing a discrete logarithm function to decrypt the data) are acceptable in many practical areas and especially in the e-Care system. Therefore, it does not affect the performance of our proposed solution.

Table 2. Security comparison analysis.

Scheme	Wang and Zhang [7]	Liu [8]	Zhao [9]	Omala, A.A. et al. [29]	Our Scheme
Data aggregation	×	×	×	×	√
Mutual authentication	√	√	√	√	√
Anonymity	√	√	×	√	√
Impersonation attack	×	√	√	√	√
Unlinkability	√	×	√	√	√
Leaked key security	√	√	√	√	√
Batch authentication	×	×	×	×	√

shows clearly that our scheme is a good candidate to address the security shortcomings in the related works [7,8,9,29].

4.2. Performance Analysis

We describe our proposed solution performance analysis in comparison with related works [7,8,9]. First our scheme provides batch authentication between different client C and AP, which reduces efficiently the communication and computation cost. Upon receiving a gain access demand from C, AP checks the message’s signature authenticity in order to ascertain its related C (as described in Section 3). Further our scheme provides batch authentication, i.e., an AP can verify at the same time different message requests from various Cs securely through the help of NM. Thus, each ${\mathrm{C}}_{\mathrm{i}}$ sends its message requests $\left\{{\mathrm{M}}_{\mathrm{Ci}},{\mathsf{\sigma }}_{\mathrm{Ci}},{\mathrm{V}}_{\mathrm{Ci}}\right\}$ to NM, which collects and forwards them as aggregated data to AP. Therefore upon receiving n distinct message requests denoted $\left\{{\mathrm{M}}_{\mathrm{C}1},{\mathsf{\sigma }}_{\mathrm{C}1},{\mathrm{V}}_{\mathrm{C}1}\right\},\left\{{\mathrm{M}}_{\mathrm{C}2},{\mathsf{\sigma }}_{\mathrm{C}2},{\mathrm{V}}_{\mathrm{C}2}\right\},\left\{{\mathrm{M}}_{\mathrm{C}3},{\mathsf{\sigma }}_{\mathrm{C}3},{\mathrm{V}}_{\mathrm{C}3}\right\},\dots ,\left\{{\mathrm{M}}_{\mathrm{Cn}},{\mathsf{\sigma }}_{\mathrm{Cn}},{\mathrm{V}}_{\mathrm{Cn}}\right\}$, respectively, from n different ${\mathrm{C}}_{\mathrm{i}}$ denoted as ${\mathrm{C}}_1,{\mathrm{C}}_2,{\mathrm{C}}_3,\dots ,{\mathrm{C}}_{\mathrm{n}}$, with their respective signature ${\mathsf{\sigma }}_{\mathrm{C}1},{\mathsf{\sigma }}_{\mathrm{C}2},{\mathsf{\sigma }}_{\mathrm{C}3},\dots ,{\mathsf{\sigma }}_{\mathrm{Cn}}$, AP checks the correctness of this equation:

$$\mathrm{e}\left({{\displaystyle \sum }}_{\mathrm{i}=1}^{\mathrm{n}}{\mathsf{\sigma }}_{\mathrm{Ci}},\mathrm{P}\right)\begin{array}{c}?\\ =\end{array}\mathrm{e}\left({{\displaystyle \sum }}_{\mathrm{i}=1}^{\mathrm{n}}{\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{Ci}}\right).{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{Ci}}\right),{\mathrm{PK}}_{\mathrm{NM}}\right).$$

(5)

Verification

$$\mathrm{e}\left({\displaystyle \sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathsf{\sigma }}_{\mathrm{Ci}},\mathrm{P}\right)=\mathrm{e}\left({\displaystyle \sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{Ci}}\right).{\mathrm{S}}_{\mathrm{NM}}{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{Ci}}\right),\mathrm{P}\right)$$

$$\mathrm{e}\left({\displaystyle \sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathsf{\sigma }}_{\mathrm{Ci}},\mathrm{P}\right)=\mathrm{e}\left({\displaystyle \sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{Ci}}\right).{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{Ci}}\right),{\mathrm{S}}_{\mathrm{NM}}\mathrm{P}\right)$$

$$\mathrm{e}\left({\displaystyle \sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathsf{\sigma }}_{\mathrm{Ci}},\mathrm{P}\right)=\mathrm{e}\left({\displaystyle \sum }_{\mathrm{i}=1}^{\mathrm{n}}{\mathrm{H}}_2\left({\mathrm{M}}_{\mathrm{Ci}}\right).{\mathrm{H}}_1\left({\mathrm{S}}_{\mathrm{Ci}}\right),{\mathrm{PK}}_{\mathrm{NM}}\right)$$

This data aggregation support in our model at the NM side has significant practical advantages for sensor networks. It facilitates efficiently keeping down the communicating cost between C and AP and empowers the privacy protection of a single ${\mathrm{C}}_{\mathrm{i}}$. Our proposed solution keeps down the number of transmitted data by sending one aggregated assessment (almost the size of a single report) instead of distinct individual message requests. Furthermore, this data aggregation feature hides the accrued single value, which enforces the privacy preservation of a single C compared to related works [7,8,9], and [29].

Note that the two disadvantages that come along with our modified additively homomorphic IBE scheme (i.e., the limited messages backup capacity and computing a discrete logarithm function to decrypt the data) are acceptable in many practical areas and especially in the e-Care system. Therefore, it does not affect the performance of our proposed solution (see Functioning Evaluation section). Based on this data aggregation and batch authentication support, the computing cost that AP needs to validate n signatures is largely composed of n point multiplications and two pairing calculations. Thus, the required time for AP to authenticate a large number of signatures from distinct C is obviously brought down. Therefore, it reduces the transmission loss proportion imputable to a possible bottleneck of digital signature authentication at the AP side. Recall that this batch verification operation has great merit for a limited power environment like WBAN.

For efficiency purposes, the multiprecision integer and rational arithmetic cryptographic library (MIRACL) [34] and cost-efficient pairing based cryptography (PBC) libraries are implemented into our proposed solution’s experiments to yield a 1024-bit security level. Experimental platforms are PCs with different computational power: Pentium(R) Dual-Core E6700 CPU 3.20 GHz, 4 GB RAM and 64-bit Intel®, 624 MHz processor, and 128MB memory to simulate AP and C, respectively. In the experiment, ${\mathrm{G}}_1$ and ${\mathrm{G}}_2$ are depicted by 160, 161, and 960 bits, respectively, and ${\mathrm{pid}}_{\mathrm{cj}}$, Timestamp, and ${\mathrm{ID}}_{\mathrm{AP}}$ by 32 bits. A Miyaji-Nakabayashi-Takano (MNT) curve is implemented with 160 bits, k = 6, depicting the order and embed degree, respectively, in ${\mathrm{Z}}_{\mathrm{q}}{}^{*}$. The performance evaluation is done based on related work experimental conclusions [8] depicted in

Table 3. Cryptography running time operation based on results in [8].

	AP (ms)	C (ms)
TME	13.21	63.51
TSM	6.38	30.67
TP	20.04	96.35
THG	3.04	14.62

. We focus on computations with expensive calculation costs, like modular exponentiation (TSM), ECSM (TSM), Hashing to point in ${\mathrm{G}}_1$ (TGH) and bilinear pairing (TP) operations. Therefore, a computing time-based comparison study is done with the exiting related models as shown in

Table 4. Functioning Evaluation (Execution Time).

Schemes	AP (ms)	C (ms)
Wang and Zhang [7]	2TSM + 1TP ≈ 32.80	3TSM + 1Tp ≈ 188.36
Liu [8]	1TME + 1TSM + 1Tpq ≈ 39.63	1TME + 4TSM ≈ 186.19
Zhao [9]	6TSM ≈ 38.28	3TSM ≈ 92.01
Our Scheme	1TSM + 2TP ≈ 46.46	1TSM + 1Tp ≈ 127.02

.

Note that the computation cost for AP and C is one point multiplication for both two and one pairing calculations, respectively. Recall that the computing cost for a pairing function is much more expensive than a multiplication calculation. The client C may be a limited device; this low computation cost is a significant advantage for our scheme compared to the related work [7].

Based on Table 4 analysis, we can highlight our scheme efficiency on the obvious reduction of computation and communication costs for verifying n different signatures (batch authentication) from multiple clients by AP that consists of n point multiplications and two pairing calculations only. We also reduce the computation cost of C, which is a limited resource device in comparison to Wang and Zhang’s Model. This result is a desirable attribute for constrained power environments like WBAN.

5. Conclusions

This work presents a novel batch mutual authentication cryptosystem between WBAN’s controller/client C and an application provider AP. This proposed solution empowers the cryptosystem security level by providing batch authentication and data aggregation supports. We keep low the data transmission and computing over heads of C and AP using a lightweight ECC and efficient cryptographic pairing tools. Additionally, our solution needs only two handshakes between C and AP, without key certificate management like in the original asymmetric cryptography environment (PKI). Furthermore, our scheme efficiently provides an additive homomorphic IBE operation, in which a given AP can compute securely aggregated values from various WBAN clients. Our scheme reinforces privacy protection and reduces the running time on the client side. This is a great benefit for limited devices in environments like WBAN. However, we will improve the performance and security level by designing in our future work, a lightweight additive homomorphic IBE scheme with auxiliary input to address the side-channel attacks at the end user’s side.