fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2631950, IEEE
Transactions on Information Forensics and Security
Abstract: With the rapid advancement of technology, healthcare systems have been quickly transformed into a pervasive environment, where both challenges and opportunities abound. On the one hand, the proliferation of smart phones and advances in medical sensors and devices have driven the emergence of wireless body area networks (WBAN) for remote patient monitoring, also known as Mobile-Health (M-Health), thereby providing a reliable and cost-effective way to improve the efficiency and quality of health care. On the other hand, the advances of M-Health systems also generate extensive medical data, which could crowd today's cellular networks. Device-to-Device (D2D) communications have been proposed to address this challenge, but unfortunately, security threats are also emerging because of the open nature of D2D communications between medical sensors and the highly privacy-sensitive nature of medical data. Even more disconcerting is that healthcare systems have many characteristics that make them more vulnerable to privacy attacks than other applications. In this paper, we propose a Light-weight and Robust Security-Aware (LRSA) D2D-assist data transmission protocol for M-Health systems using the certificateless generalized signcryption technique. Specifically, we first propose a new efficient CertificateLess Generalized SignCryption (CLGSC) scheme which can adaptively work as one of three cryptographic primitives, signcryption, signature, or encryption, within one single algorithm. The scheme is proven to be secure, simultaneously achieving confidentiality and unforgeability. Based on the proposed CLGSC algorithm, we further design a D2D-assist data transmission protocol for M-Health systems with security properties including data confidentiality and integrity, mutual authentication, contextual privacy, anonymity, unlinkability, and forward security. Performance analysis demonstrates that the proposed protocol can achieve the design objectives and outperform existing schemes in terms of computational and communication overhead.
Index Terms: D2D communications; Mobile-Health systems; Security; Certificateless signcryption.
I. INTRODUCTION
The Mobile-Health (M-Health) system has been envisioned as a promising approach to improving healthcare quality and saving lives in the aging society [1], [2]. In M-Health systems, the Personal Health Information (PHI) is collected by a Body Area Network (BAN) and aggregated by
A. Zhang and L. Wang are with the Key Lab of Broadband Wireless Communication and Sensor Network Technology, Nanjing University of Posts and Telecommunications (NJUPT), Ministry of Education, China (e-mail: aqzhang2006@163.com; wanglei@njupt.edu.cn). Xinrong Ye is with Anhui Normal University (e-mail: yaya-ye@126.com). X. Lin is with the Faculty of Business and Information Technology, University of Ontario Institute of Technology, Canada (e-mail: xiaodong.lin@uoit.ca).
A. Zhang is also with the Faculty of Business and Information Technology, University of Ontario Institute of Technology and Anhui Normal University.
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
anonymity, unlinkability, forward security, and contextual privacy. Moreover, the computational overhead and communication overhead are also compared between our proposed CLGSC algorithm and the other certificateless generalized signcryption schemes.
The remainder of the paper is organized as follows. An overview of security in M-Health systems and certificateless public key cryptography is given in Section II. The system model is presented in Section III, followed by the preliminaries in Section IV. In Section V, the new CLGSC scheme is constructed and proved secure in detail. Section VI describes the proposed LRSA scheme and Section VII analyzes its security properties. In Section VIII, the performance of the proposed scheme is evaluated and compared with other schemes in terms of computational overhead and communication overhead. Finally, Section IX concludes this work.
II. RELATED WORK
Security has been a very important issue in M-Health/eHealth systems and there is a substantial amount of work on it [2], [6]-[11]. [6] highlights the challenges, drivers, and standardization initiatives for security, compliance, and interoperability, while [7] presents the key challenges in developing efficient and secure patient-centric monitoring systems for eHealth applications. The surveys above only provide a framework or research directions instead of specific security solutions.
The authors in [10] present a promising commercialized solution with system infrastructures and supporting techniques. [8] focuses on authentication strategies with progressive privacy requirements in different interactions among participating entities in M-Health systems. [9] and [2] mainly consider the data processing techniques once an emergency happens in M-Health systems. Different from the aforementioned works, [11] proposes reputation systems to enhance eHealth systems by bridging the gap between strong contractual agreements and first-time domain exchanges. All the above works concentrate on privacy or authentication of M-Health systems while neglecting security during the data transmission process.
[1] may be the first work to concentrate on security-aware data transmission in eHealth systems. They propose a scheme against global eavesdropping to achieve both content privacy and contextual privacy, while neglecting data integrity and authentication issues. Later, [18] presents different cryptographic security models for secure data exchange in eHealth peer-to-peer database management system networks, yet also neglects the data transmission process. Recently, [19] argues that the eHealth exchange, a federal initiative for the online exchange of healthcare information, needs to be augmented to provide greater patient awareness and control. The authors use digitally signed logs for the detection of unauthorized and malicious sharing of health data, but do not provide a secure transmission solution.
In this work, we focus on security-aware data transmission for M-Health systems, using certificateless cryptography to realize the expected design objectives.
[Fig. 1 (system model): the KGC, the network manager and medical service provider (physician), the relays $R_1, \dots, R_i, \dots, R_n$, and the WBAN client; the remaining figure labels did not survive extraction.]
$\mathrm{CLGSC}(ID_A, ID_B, m)$. With $ID_B$ as the receiver, signcryption (signature or encryption) of the message $m$ is performed by the sender $ID_A$ as follows:
Computes $f(ID_A)$, $f(ID_B)$, $h_1 = H_1(ID_A, Y_A, X_A, X_N)$;
Computes $v_1 = x_B f_1$, $v_2 = z_B f_1$, $m = H_3(v_1, v_2) \oplus m'$;
Checks $H_2(f_2(X_A + Y_A + h_1 X_N + f_3 P), ID_A, m) = f_3$.
If the equation holds, the message is accepted.
Correctness of the encryption:
$$m = H_3(v_1, v_2) \oplus m' = H_3(x_B f_1, z_B f_1) \oplus m' = H_3\big(rX_B,\ r(y_B + x_N H_1(ID_i, Y_i, X_i, X_N))P\big) \oplus m' = H_3(v_1, v_2) \oplus m' = m.$$
B. Security proof
In this subsection, we give the security proof of the proposed CLGSC scheme in the random oracle model [21].
Lemma 1 (Type-I Confidentiality). The proposed CLGSC scheme in signcryption mode or encryption mode is secure against any IND-CLGSC-CCA2-I adversary in the random oracle model under the CDHP assumption.
Proof. See Appendix A.
Theorem 2. The proposed CLGSC scheme achieves EUF-CLGSC-CMA unforgeability in signcryption mode or signature mode under the DLP assumption.
VI. THE PROPOSED LRSA PROTOCOL
In this section we design a lightweight and robust security-aware (LRSA) D2D-assist data transmission protocol based on the proposed CLGSC scheme. Due to the generalized property of CLGSC, the proposed protocol is able to effectively achieve various security and privacy protection requirements at the source, the relays and the destination. Firstly, we give an overview of the proposed protocol. Then the protocol is described in detail. For brevity, we use "client" to denote a WBAN client, and "identity" to denote the pseudo identity of the client.
A. Overview of the proposed protocol
In order to achieve the design goals, certificateless signcryption, certificateless encryption and certificateless signature are jointly introduced into the protocol, as shown in Fig. 2.
Firstly, at the system initialization step, the clients and physicians register with the NM to generate their full private keys and public keys. Meanwhile, each client connects to its physician and generates the initial session key with him through a key agreement protocol. Then, the source client with pseudo identity $S$ collects its PHI $m$ and formulates the information as $M = (\bar{m}_S \| e^S_H \| e^H_N)$, where $\bar{m}_S$ is the signcryption of $m$ performed by the source client, i.e., $\bar{m}_S = \mathrm{CLGSC}(S, H, m)$. It can only be decrypted and verified by the intended physician $H$ with his full private key. The identity of the source client is encrypted by $S$ with the public key of the physician using the certificateless encryption mode, i.e., $e^S_H = \mathrm{CLGSC}(\phi, H, S)$. Meanwhile, the identity of the intended physician is also encrypted with the public key of the NM, i.e., $e^H_N = \mathrm{CLGSC}(\phi, N, H)$. Notably, $e^S_H$ and $e^H_N$ protect the identity privacy of the source and the destination of the PHI to guarantee contextual privacy.
During the data transmission process, the packet $M$ is treated as a whole before reaching the NM, and is signed by the relays to guarantee data integrity. Specifically, the source $S$ signs $M$ as $s_S = \mathrm{CLGSC}(S, \phi, M)$ and appends it to the data. The relays verify the signature and forward the data with their own signatures. Fig. 2 shows the messages passing along the path. Note that the NM parses the data to get $e^H_N$ and decrypts it to learn the intended physician of the data.
Upon receiving the data $(\bar{m}_S \| e^S_H)$ from the NM, the physician firstly decrypts $e^S_H$ to obtain the source WBAN client's pseudo identity $S$. Then the physician decrypts and verifies $\bar{m}_S$ with its full private key and $S$'s public key to access the PHI and provide the corresponding services.
[Fig. 2 (messages passing along the path): $S \to R_1$: $(M \| S \| s_S)$; $R_1 \to R_2$: $(M \| R_1 \| s_{R_1})$; $\dots$; $R_n \to \mathrm{NM}$: $(M \| R_n \| s_{R_n})$; $\mathrm{NM} \to H$: $(\bar{m}_S \| e^S_H)$. Here $\bar{m}_S = \mathrm{CLGSC}(S, H, M)$, $e^S_H = \mathrm{CLGSC}(\phi, H, S)$, $e^H_N = \mathrm{CLGSC}(\phi, N, H)$, $M = \bar{m}_S \| e^S_H \| e^H_N$, $s_S = \mathrm{CLGSC}(S, \phi, M)$ and $s_{R_i} = \mathrm{CLGSC}(R_i, \phi, M)$. $R_1$ verifies $s_S$, each later relay $R_i$ verifies $s_{R_{i-1}}$, the NM verifies $s_{R_n}$ and decrypts $e^H_N$, and $H$ decrypts $e^S_H$ and verifies $\bar{m}_S$.]
Computes $m' = H_3(v_1, v_2, K_t) \oplus m$, where $v_1 = rX_H$, $v_2 = r(Y_H + h_1 X_N)$;
Computes $D' = H_3(v_1, v_2) \oplus D$, where $v_1 = rX_I$, $v_2 = r(Y_I + X_N H_1(I, Y_I, X_I, X_N))$. $D$ is encrypted as $e^D_I = (f_1, f_3, D')$ with the public key of entity $I$. Specifically, $e^S_H$ is an encryption of $S$ with $H$'s public key, which can only be decrypted with $H$'s private key. $e^H_N$ is an encryption of $H$ with $N$'s public key, which can only be decrypted with $N$'s private key.
$S$ randomly chooses $r \in Z_q^*$;
Computes $f_1 = rP$, $f_2 = r/(x_S + z_S + f_3)$, $f_3 = H_2(f_1, S, M)$.
$(f_1, f_3, H')$ by computing $v_1 = x_N f_1$, $v_2 = z_N f_1$, $H = H_3(v_1, v_2) \oplus H'$. If $H_2(f_1, N, H) = f_3$ holds, the NM sends $(\bar{m}_S \| e^S_H)$ to the corresponding physician $H$.
Phase 4: Data receiving and processing.
Similar to the NM, the physician $H$ decrypts $e^S_H$ with his private key after receiving the data $\bar{m}_S \| e^S_H$ and obtains the source identity $S$ of the PHI. Then, $H$ accesses the public tree for the source's public key $(X_S, Y_S)$ and refers to his session key record table for the session key $K_t$ shared with $S$. $H$ decrypts and verifies $\bar{m}_S = (f_1, f_2, f_3, m', t)$ as follows:
Computes $v_1 = x_H f_1$, $v_2 = z_H f_1$, $m = H_3(v_1, v_2, K_t) \oplus m'$;
Checks $H_2(f_2(X_S + Y_S + h_1 X_N + f_3 P), ID_S, m) = f_3$.
If the equation holds, the message $m$ is accepted.
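The CLGSC/UCLGSC algorithm of Section V and the signcrypt-and-check steps of the protocol phases above, as a runnable toy instantiation (an added example, not the paper's or the authors' code). It assumes the secp256k1 group in place of the paper's Koblitz curve over $F_{2^{163}}$, SHA-256 and SHAKE-256 for $H_1$, $H_2$ and $H_3$, and the string "phi" for the empty identity $\phi$; the names KGC, Entity, clgsc, uclgsc and all sample data are constructed here.

```python
"""Toy CLGSC/UCLGSC instantiation (added example; assumptions: secp256k1 instead of the
paper's Koblitz curve over F_{2^163}, H1/H2 = SHA-256 reduced into Z_q^*, H3 = SHAKE-256 key
stream, the empty identity phi is the string "phi"; all sample data is constructed)."""
import hashlib
import secrets
P_MOD = 2**256 - 2**32 - 977  # secp256k1 field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order q of P
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator P
PHI = "phi"  # sender phi -> encryption mode, receiver phi -> signature mode

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P_MOD == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P_MOD) % P_MOD
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P_MOD) % P_MOD
    x = (lam * lam - a[0] - b[0]) % P_MOD
    return (x, (lam * (a[0] - x) - a[1]) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication k*pt
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(*parts):  # unambiguous bytes for points (tuples), scalars, identities, messages
    return b"".join(
        (p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big") if isinstance(p, tuple)
         else p.to_bytes(32, "big") if isinstance(p, int)
         else p.encode() if isinstance(p, str) else p) + b"\x00" for p in parts)

def H_zq(tag, *parts):  # H1 / H2: hash into Z_q^*; the tag separates the two oracles
    return int.from_bytes(hashlib.sha256(tag + enc(*parts)).digest(), "big") % (Q - 1) + 1

def xor_stream(data, v1, v2, kt):  # m' = H3(v1, v2, Kt) XOR m, H3 as a SHAKE-256 stream
    stream = hashlib.shake_256(enc(v1, v2) + kt).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class KGC:  # network manager: keeps x_N, issues partial keys z = y + x_N * H1(ID, Y, X, X_N)
    def __init__(self):
        self.x_n = secrets.randbelow(Q - 1) + 1
        self.X_N = ec_mul(self.x_n, G)
    def partial_key(self, ident, X):
        y = secrets.randbelow(Q - 1) + 1
        Y = ec_mul(y, G)
        return Y, (y + self.x_n * H_zq(b"H1", ident, Y, X, self.X_N)) % Q

class Entity:  # client or physician: secret x chosen first, then (Y, z) bound to X by the KGC
    def __init__(self, ident, kgc):
        self.id, self.x = ident, secrets.randbelow(Q - 1) + 1
        self.X = ec_mul(self.x, G)
        self.Y, self.z = kgc.partial_key(ident, self.X)
        self.pub = (self.X, self.Y)

def clgsc(sender, recv_id, recv_pub, X_N, m, kt=b""):  # -> (f1, f2, f3, m'); sender None = phi
    while True:
        r = secrets.randbelow(Q - 1) + 1
        f1 = ec_mul(r, G)
        if recv_id == PHI:                      # signature mode: message stays in clear
            m_prime = m
        else:                                   # v1 = r X_B, v2 = r (Y_B + h1 X_N)
            X_B, Y_B = recv_pub
            h1_B = H_zq(b"H1", recv_id, Y_B, X_B, X_N)
            m_prime = xor_stream(m, ec_mul(r, X_B), ec_mul(r, ec_add(Y_B, ec_mul(h1_B, X_N))), kt)
        f3 = H_zq(b"H2", f1, recv_id if sender is None else sender.id, m)
        if sender is None:                      # encryption mode: no signature element
            return (f1, None, f3, m_prime)
        denom = (sender.x + sender.z + f3) % Q
        if denom:                               # retry if x_S + z_S + f3 = 0 mod q
            return (f1, r * pow(denom, -1, Q) % Q, f3, m_prime)

def uclgsc(recv, sender_id, sender_pub, X_N, c, kt=b""):  # -> m on success, else None
    f1, f2, f3, m_prime = c
    if recv is None:                            # signature mode: nothing to decrypt
        m = m_prime
    else:                                       # v1 = x_B f1, v2 = z_B f1
        m = xor_stream(m_prime, ec_mul(recv.x, f1), ec_mul(recv.z, f1), kt)
    if sender_id == PHI:                        # encryption mode: H2 over f1 is the tag
        return m if H_zq(b"H2", f1, recv.id, m) == f3 else None
    X_A, Y_A = sender_pub
    h1 = H_zq(b"H1", sender_id, Y_A, X_A, X_N)
    base = ec_add(ec_add(X_A, Y_A), ec_add(ec_mul(h1, X_N), ec_mul(f3, G)))  # f2*base == f1 iff genuine
    return m if H_zq(b"H2", ec_mul(f2, base), sender_id, m) == f3 else None

def demo():  # client S signcrypts a constructed PHI record for physician H; H checks it
    kgc = KGC()
    S, H = Entity("client-S", kgc), Entity("physician-H", kgc)
    kt = hashlib.sha256(b"constructed initial session key").digest()
    c = clgsc(S, H.id, H.pub, kgc.X_N, b"constructed PHI: HR=72 SpO2=98", kt)
    forged = (c[0], c[1], c[2], bytes([c[3][0] ^ 1]) + c[3][1:])  # one flipped ciphertext bit
    return {"recovered": uclgsc(H, S.id, S.pub, kgc.X_N, c, kt),
            "tampered": uclgsc(H, S.id, S.pub, kgc.X_N, forged, kt),
            "wrong_session_key": uclgsc(H, S.id, S.pub, kgc.X_N, c, b"not K_t")}
```

The same two functions cover the protocol's other uses: a receiver of PHI gives the signature mode used for $s_S$ and $s_{R_i}$, and a sender of PHI gives the encryption mode used for $e^S_H$ and $e^H_N$, where a fresh $r$ makes two encryptions of the same identity differ.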
A. Security properties
The proposed protocol achieves PHI data confidentiality and integrity. PHI data confidentiality is doubly protected by the session key $K_t$ and the public key encryption. Specifically, the source client $S$ encrypts the PHI with the algorithm $\mathrm{CLGSC}(S, H, m)$ using the public key of the intended physician $H$ and the session key shared with $H$. The message $m$ is encrypted as $m' = H_3(v_1, v_2, K_t) \oplus m$, where $v_1$ and $v_2$ can only be recovered with the private key of $H$, and $K_t$ is only stored by $S$ and $H$. Even if the session key $K_t$ is exposed to the adversary, Theorem 1 demonstrates that the encryption achieves confidentiality under the CDHP assumption.
The PHI data integrity is guaranteed by the signcryption of the source client $S$ and the signatures of the relays $R_i$ ($i \in \{1, 2, \dots, n\}$) simultaneously. Firstly, the source client signcrypts the message by performing the algorithm $\mathrm{CLGSC}(S, H, m)$ and outputs the ciphertext $\bar{m}_S = (f_1, f_2, f_3, m', t)$. By decrypting and verifying the ciphertext, the intended receiver is able to check the integrity of the data. Meanwhile, the relays' signatures on the encrypted data $M$ ensure the integrity of the data during the transmission process.
The proposed protocol achieves mutual authentication. The source client authenticates the physician by the signcryption of the message $\bar{m}_S$ and the encryption of the identity $e^S_H$. In particular, only the intended physician who holds the private key $(x_H, z_H)$ can recover the source identity of the data from $e^S_H$ and can further decrypt the ciphertext $\bar{m}_S$. Even if the adversary steals the private key of the physician, it still can't access the PHI data if the session key is secure. On the other hand, the physician authenticates the source client by verifying the signcryption $\bar{m}_S$. From Theorem 2 we know that the signcryption is unforgeable under the DLP assumption. Thus, an adversary without the full private key is unable to forge the signature on the message.
The proposed protocol achieves anonymity. During the whole data transmission process, the WBAN client uses its pseudo identity (which may be generated from its real identity) for communication and thereby achieves anonymity to some extent. However, a fixed pseudo identity may bring a linkability problem, which may also reveal the user's privacy-sensitive information to malicious entities. To address this issue, the proposed protocol realizes unlinkability as analyzed below.
The proposed protocol achieves unlinkability. In the proposed protocol, the source identity of the data is encrypted as $e^S_H$, which can only be decrypted with the full private key of $H$. Recall that $e^S_H = (f_1, f_3, S')$ is formulated by computing
$$S' = H_3\big(rX_H,\ r(Y_H + X_N H_1(H, Y_H, X_H, X_N))\big) \oplus S. \quad (1)$$
Here, $S$ is encrypted as $S'$, which hides the source identity. However, an auditor may find that two sessions come from the same source if the two sessions carry the same $e^S_H$, which might reveal some information about the source. We deal with this problem by using the random $r$ in the proposed protocol. Specifically, $S$ chooses a different random $r$ in each session in Eq. (1) and obtains a different ciphertext $S'$. From the
point of view of the listeners, $e^S_H$ and the data may come from different senders. Similarly, receiver unlinkability can also be ensured by $e^H_N$ with a different random $r$.
The proposed protocol achieves forward security. At the end of each transmission, the session key is updated as $K_{t+1} = H_0(K_t)$. Due to the secure one-way hash function $H_0$, attackers can't recover the previous session key. Additionally, even if the full private key of the physician is compromised, the previous transmissions remain confidential as the previous session key is secure.
The proposed protocol achieves contextual privacy. Contextual privacy is protected by $e^S_H$ and $e^H_N$. The relays only know that the data is forwarded to the NM but have no idea about the intended physician. They don't even know where the data comes from, since the source client $S$ may also be considered a relay by the first relay $R_1$. Consequently, if the relays don't collude, they know neither where the data comes from nor where it goes.
The NM may get the destination of the data by deciphering $e^H_N$. But the NM doesn't know where the data comes from, since it receives the data from the last relay $R_n$ and can't judge whether $R_n$ is a relay or the source. However, if all the relays and the NM collude, i.e., all the relays cooperate to discover the source and the NM reveals the destination, the contextual privacy will lose its effectiveness. Note that the proposed protocol still achieves contextual privacy against global eavesdropping with the mix technique presented in [1].
B. Robustness analysis
The robustness property requires that the PHI remains secure even if some of the private keys are disclosed. The proposed LRSA protocol achieves this objective in three respects.
Since certificateless cryptography is adopted, the NM only generates the partial private key in LRSA, thus avoiding impersonation attacks by the NM. In other words, the NM is not able to access the PHI data or impersonate the clients.
As the PHI data is doubly protected by the session key and the full private key of the intended physician, exposure of one key will not affect the confidentiality of the data.
Both the signcryption of the PHI data performed by the source client and the signatures generated by the relays guarantee data integrity. Even if the relays are captured by attackers and forge a signature on the data, this malicious behavior will be discovered by the intended physician, who is able to verify the signcryption of the source client.
VIII. PERFORMANCE EVALUATION AND COMPARISONS
In this section, we compare the security properties and the efficiency of the proposed LRSA protocol with several protocols. Since there is currently no data transmission protocol for D2D-assisted M-Health systems, we choose the recently proposed certificateless-based authentication protocols [26]-[28] as benchmarks, since we share the same design basis. Moreover, we compare the computational and communication overhead of our proposed certificateless generalized signcryption scheme with its counterparts.
A. Comparisons of security properties
Table I compares the security properties of our LRSA protocol with Liu-I [26], Liu-II [26], Xiong-14 [27], and Xiong-15 [28] for WBANs. The table demonstrates that only our proposed protocol has the property of contextual privacy as well as the other seven properties.
B. Computational overhead
To date, there are only three certificateless generalized signcryption schemes [14]-[17]. We compare our proposed CLGSC scheme with the four schemes in terms of computational and communication overhead. As the operations on pairing, exponentiation and multiplication dominate the computational overhead in the schemes, we only consider these three operations. We denote by $t_e$ the time consumed for one exponentiation operation, $t_m$ the time consumed for one scalar multiplication in $G$, and $t_p$ the time for one pairing operation.
In our proposed CLGSC scheme, it takes one multiplication operation in $G$ to compute the signature $f_1, f_2$, and three multiplication operations to compute the ciphertext $m'$ in signcryption mode. In the signature mode, the operations for the ciphertext are unnecessary, thus the signature mode only costs $t_m$. The encryption mode needs to compute $m'$ as well as $f_1$, thus the computational cost of this mode is $4t_m$. The unsigncryption algorithm needs two multiplication operations to recover the message $m$ from $m'$ and one multiplication operation to verify the signature, bringing $3t_m$ overhead for the unsigncryption mode. In the unsignature mode, the message is sent to the receiver directly, thus $2t_m$ is saved compared to the unsigncryption mode. The decryption mode spends $2t_m$ for recovering the message.
The computational overhead of our proposed CLGSC scheme and the other certificateless generalized signcryption schemes is compared in Table II. The table shows that the three existing CLGSC schemes require exponentiation, multiplication, and/or pairing operations, while the proposed scheme is implemented without pairing and exponentiation.
To quantify the running time of the operations, the standard open source MIRACL Crypto SDK [29] is employed as the benchmark. Specifically, the Koblitz elliptic curve $y^2 = x^3 + x^2 + 1$ defined over $F_{2^{163}}$ has been used to achieve the same security level as 1024-bit RSA. In [28], where the algorithms are implemented on an Intel PXA270 processor at 624 MHz installed on a Linux personal digital assistant, the running times are $t_e = 53.85$ ms, $t_m = 30.67$ ms and $t_p = 96.20$ ms, respectively. We evaluate the performance with similar settings. The computation time is shown in Fig. 3. The figure demonstrates that our proposed CLGSC scheme needs much less computation time than the other four schemes in all three modes. This is because the pairing and exponentiation operations take much longer than the multiplication operation, while our proposed scheme
TABLE I
COMPARISONS OF THE SECURITY PROPERTIES WITH CERTIFICATELESS-BASED AUTHENTICATION PROTOCOLS
Properties compared: data confidentiality, data integrity, mutual authentication, anonymity, unlinkability, forward security, contextual privacy. Schemes compared: Liu-I [26], Liu-II [26], Hu-14 [27], Hu-15 [28], our protocol.
[Table I residue: the per-cell check marks did not survive extraction. Recoverable information: Liu-I [26] is marked for 4 of the 7 properties, Liu-II [26] for 5, Hu-14 [27] for 6, Hu-15 [28] for 6, and our protocol for all 7; for the four benchmark protocols the data confidentiality mark carries footnote a.]
a As the protocol has the property of session key establishment, it can achieve data confidentiality.
TABLE II
COMPARISONS OF THE COMPUTATIONAL OVERHEAD AMONG THE CLGSC SCHEMES
Scheme           CLGSC: Signcryption   Signature   Encryption     UCLGSC: Unsigncryption   Verification   Decryption
Ji [14]          3te + 2tm             te + tm     3te + tm       te + tm + 2tp            te + tp        te + 2tp
Kushwah [15]     2te + 3tm             te + 2tm    2te + 2tm      te + 3tm + 2tp           2tm + tp       te + tm + tp
Zhou [16]        te + 4tm + tp         4tm         te + tm + tp   tm + 5tp                 4tp            tm + 3tp
Shi [17]         4te                   te          4te            te                       5te            te
Proposed scheme  4tm                   tm          4tm            3tm                      tm             2tm

[Fig. 3 (computation time of the CLGSC modes, signcryption / signature / encryption, for Ji [14], Kushwah [15], Zhou [16], Shi [17] and the proposed scheme): bar chart, values not recoverable from the extraction.]
[Fig. 4 (computation time of the UCLGSC modes, unsigncryption / verification / decryption, for the same five schemes): bar chart, values not recoverable from the extraction.]

TABLE III
COMPARISONS OF THE COMPUTATIONAL OVERHEAD AMONG THE PROTOCOLS
Scheme          Client       AP
Liu-II [26]     2tm          tp
Xiong-14 [27]   3tm          6tm
Xiong-15 [28]   11te + tp    8tp + 3te
LRSA            9tm          6tm

TABLE IV
COMPARISONS OF THE COMMUNICATION OVERHEAD
Scheme          Client               AP          Total Overhead
Liu-II [26]     2|G| + 2|Q| + |E|    |Q|         2|G| + 3|Q| + |E|
Xiong-14 [27]   4|G| + |E|           |G| + |Q|   5|G| + |Q| + |E|
Xiong-15 [28]   |G| + 8|Q| + |E|     |G| + |Q|   2|G| + 9|Q| + |E|
LRSA            4|G| + 6|Q| + 2|E|   0           4|G| + 6|Q| + |E|

[Fig. 5 (computation time at the Client and at the AP for Liu-II [26], Xiong-14 [27], Xiong-15 [28] and LRSA): bar chart, values not recoverable from the extraction.]
In this paper, we have proposed a new efficient certificateless generalized signcryption (CLGSC) scheme, which is proven to be secure in terms of confidentiality and unforgeability in the ROM under the DLP and CDHP assumptions. Based on the proposed CLGSC scheme, we designed a lightweight and robust security-aware (LRSA) D2D-assist data transmission protocol for M-Health systems. Security analysis demonstrated that the LRSA protocol can achieve data confidentiality and integrity, mutual authentication, contextual privacy, anonymity, unlinkability, as well as forward security. Moreover, the LRSA protocol outperforms the existing schemes in terms of computational and communication overhead.
For future work, we will consider relay selection strategies for security-aware D2D-assist data transmission in M-Health systems.
APPENDIX A: PROOF OF LEMMA 1
A challenger $C$ is given an instance of the CDHP, denoted by $\langle P, aP, bP \rangle$. The aim of the challenger is to compute $abP$. Let $A_I$ be an adversary who is capable of breaking the IND-CLGSC-CCA-I security. $C$ can make use of $A_I$ to compute the solution of the CDHP instance by playing the following interactive game with $A_I$.
Setup. $C$ sets the master public key $X_N = bP$ and gives $A_I$ the tuple $(p, q, P, X_N, H_1, H_2, H_3)$ as the parameters, where $H_1, H_2, H_3$ are random oracles controlled by $C$. $C$ randomly selects an index strictly between $1$ and $q_{H_1}$, where $q_{H_1}$ denotes the maximal number of queries to $H_1$.
Training phase. $A_I$ performs a polynomially bounded number of queries as follows. $C$ keeps lists $L_1, L_2, L_3, L_S, L_P$ to maintain consistency between the responses and the hash queries. All the lists are empty at the beginning.
$H_1$-queries $(ID_i, Y_i, X_i, X_N)$: $C$ checks list $L_1$. If a tuple of the form $\langle ID_i, Y_i, X_i, X_N, h_1 \rangle$ exists in the list, $C$ returns $h_1$. Otherwise, $C$ randomly selects $h_1 \in Z_q^*$, adds the tuple $\langle ID_i, Y_i, X_i, X_N, h_1 \rangle$ to $L_1$, and returns $h_1$.
$H_2$-queries $(f_1, ID_i, m)$: $C$ checks list $L_2$. If a tuple of the form $\langle f_1, ID_i, m, f_3 \rangle$ exists in the list, $C$ returns $f_3$. Otherwise, $C$ randomly selects $f_3 \in Z_q^*$, adds the tuple $\langle f_1, ID_i, m, f_3 \rangle$ to $L_2$, and returns $f_3$.
Computes $m' = h_3 \oplus m$ and returns $c = (f_1, f_2, f_3, m')$.
UCLGSC-query $(c, ID_i, ID_j)$: For the unsigncryption query on a ciphertext $c = (f_1, f_2, f_3, m')$ with $ID_i$ as the sender and $ID_j$ as the receiver, $C$ does the following:
1) If $ID_j$ is not the selected identity and $ID_i \neq ID_j$, $C$ performs the actual unsigncryption algorithm because $C$ knows the private key of the receiver $ID_j$.
2) If $ID_j$ is the selected identity and $ID_i \neq ID_j$, $C$ runs the above simulation algorithm for $H_1$ to get a tuple $\langle$
If $c^{(1)}$ passes the verification during the unsigncryption, $C$ replays the game with the same random tape but a different hash oracle for $H_1$ and $H_2$. By the forgery lemma [25], $F_I$ will output another two signatures $(f_1^{(2)}, f_2^{(2)}, f_3^{(2)}, m^{(2)})$ and $(f_1^{(3)}, f_2^{(3)}, f_3^{(3)}, m^{(3)})$. If the signatures are valid, the following equations hold:
$$f_2^{(j)}\big(X + Y + h_1^{(j)} X_N + f_3^{(j)} P\big) = f_1^{(j)}, \quad j = 1, 2, 3. \quad (A1)$$
As $X = xP$, $Y = yP$, $X_N = aP$ and $f_1^{(j)} = rP$, Eq. (A1) can be written as
$$f_2^{(j)}\big(x + y + h_1^{(j)} a + f_3^{(j)}\big) = r, \quad j = 1, 2, 3. \quad (A2)$$
In the two equations, only $x$, $r$, and $a$ are unknown to the challenger. Consequently, $C$ solves the two values from the above two linearly independent equations, and outputs $a$ as the solution of the DLP problem.
2) If $ID_A$ is not the selected identity, $C$ aborts the game.
In the above forgery query, the receiver $ID_j$ can be $\phi$ for the signature mode, otherwise it works as signcryption. Thus, the proof is suitable for the two modes.
APPENDIX D: PROOF OF LEMMA 4
A challenger $C$ is given an instance of the DLP, say $\langle P, aP \rangle$. The aim of the challenger is to compute $a$. Let $F_{II}$ be a forger who is capable of breaking the EUF-CLGSC-CMA-II security. $C$ can make use of $F_{II}$ to compute the solution of the DLP instance by playing the following interactive game with $F_{II}$.
Setup. The same as in the proof of Lemma 2.
Training phase. In this phase, $F_{II}$ performs the same queries as in the proof of Lemma 2. $C$ responds to the queries in the same way as in Lemma 2.
Forgery. In this phase, $F_{II}$ outputs a forged signcryption $c^{(1)} = (f_1^{(1)}, f_2^{(1)}, f_3^{(1)}, m^{(1)})$ with $ID_A$ as the sender and $ID_B$ as the receiver. The forged signcryption $c^{(1)}$ has the same constraints as in the forgery phase of Lemma 3. If the forged signature is valid, $C$ can obtain the solution for the DLP instance as follows:
1) If $ID_A$ is the selected identity, $C$ performs as follows:
$$f_2^{(j)}\big(X + Y + h_1^{(j)} X_N + f_3^{(j)} P\big) = f_1^{(j)}, \quad j = 1, 2, 3. \quad (A3)$$
As $X = xP$, $Y = aP$, $X_N = x_N P$ and $f_1^{(j)} = rP$, Eq. (A3) can be written as
$$f_2^{(j)}\big(x + a + h_1^{(j)} x_N + f_3^{(j)}\big) = r. \quad (A4)$$
In the three equations, only $a$, $r$ and $x$ are unknown to the challenger. Consequently, $C$ solves the
Revision Report
Response to Review-3
We identify the reviewer-3's concerns as four specific problems, and reply to them one by one as follows.
Question 1: From the security comparison, we can find that they compare their scheme with [26, 27, 28]. However, from the computational overhead, they compare their scheme with [14, 15, 16, 17]. Please compare your scheme with [14, 15, 16, 17, 26, 27, 28] in terms of security and efficiency if you want to compare your scheme with some useless authentication schemes. It also means that the topic of this study is too old. If the editor accepts this paper, none has any interest in this study.
Reply: Thank you for your review. Our work includes two main contributions. First, we proposed a CertificateLess Generalized SignCryption (CLGSC) scheme. Thus, we compare our proposed certificateless signcryption scheme with other existing signcryption schemes [14, 15, 16, 17]. A signcryption scheme must achieve the required security properties, which mainly include confidentiality and unforgeability. We prove that our proposed certificateless signcryption scheme can achieve confidentiality and unforgeability simultaneously under the CDHP assumption and DLP assumption, respectively. Consequently, our proposed certificateless signcryption scheme has the same security properties as the schemes [14, 15, 16, 17]. Therefore, the comparison between our proposed certificateless signcryption scheme and other existing ones is focused on computational cost, which is the main factor that affects the feasibility of a signcryption algorithm.
Second, based on the proposed certificateless signcryption scheme, we further designed a lightweight and secure D2D-assist data transmission (LRSA) protocol for mobile-health systems. Our secure protocol can achieve various security properties, including mutual authentication, contextual privacy, anonymity, unlinkability, and forward security. Therefore, we compare our protocol with other similar protocols [26, 27, 28] from two perspectives. Specifically, we not only compare the security properties of our protocol with [26, 27, 28], but also look into their computational overhead, as shown in Table III and Fig. 4 of the original manuscript. Notably, the time consumption at the relay nodes mainly lies in the signature on the data, which is $t_m$ as analyzed in Table II. The computational overhead is tolerable in today's powerful mobile terminals. Thus we mainly consider the time consumption at the source client. In our proposed LRSA protocol, the source client needs to conduct signcryption on the PHI message, encryption on the identity, and signature on $M$. All these operations take up $4t_m + 4t_m + t_m = 9t_m$ computational overhead. Note from the figure that our proposed LRSA scheme has a slightly more expensive computational cost than the protocols of Liu [26] and Xiong14 [27]. This happens because our scheme implements two encryption operations on the identity and two signature operations on the data to achieve unlinkability and contextual privacy, which are absent in the two protocols.
Also, the reviewer claimed that the authentication schemes [26, 27, 28] are useless authentication schemes and the topic is too old. We kind of disagree. The reasons are as follows: i) The schemes [27, 28] were published in IEEE Transactions on Information Forensics and Security very recently, in 2014 and 2015, respectively. The scheme [26] was published in IEEE Transactions on Parallel and Distributed Systems in 2014. They have proved to have value since they are published in these leading publication venues. ii) Up to now, the schemes [26, 27, 28] have been cited many times, for example, in the literature of [13]. Just to name a few.
Question 2: The efficiency comparison is incorrect. The scheme by the authors requires $4t_e$ if they claimed that Shi [17] required $4t_e$ to perform the signcryption phase. As a result, their efficiency comparisons are all wrong. From the efficiency, I do not think that this scheme has the better performance. In addition, please rewrite all of your Section VIII.
Reply: Thank you for your review. In our manuscript, we denote by $t_e$ the time consumed for one exponentiation operation, and by $t_m$ the time consumed for one scalar multiplication in $G$. In Shi [17] the ciphertext of the generalized signcryption scheme can be expressed as $c = (c_1, c_2, c_3)$, where $c_1 = g^{r_A} \bmod p$, $c_2 = (H_3()\, f(ID_{Bob}))\, m$, $c_3 = (k_A z_A + t_A)\, f(ID_{Alice})/(r_A + h)$. Thus, the computational overhead of signcryption in Shi [17] is dominated by four exponentiations, $4t_e$, i.e., $g^{r_A}$, $u_B^{k_B}$, $y_B^{h}$ and $(u_B^{k_B} w_B y_B^{h})^{r_A}$. In the signcryption mode of our proposed CLGSC scheme, it takes one multiplication operation in $G$ to compute the signature $(f_1, f_2, f_3)$, where $f_1 = rP$, $f_2 = r/(x_A + z_A + f_3)$, $f_3 = H_2(f_1, ID_A, m)$, and three multiplication operations to compute the ciphertext $m'$. Here $m' = H_3(v_1, v_2) \oplus m$, where $v_1 = rX_B$, $v_2 = r(Y_B + h_1 X_N)$. Thus the computational cost of this mode is $4t_m$.
Therefore, from the efficiency perspective our proposed scheme has better performance than Shi [17] as $t_e > t_m$.
Question 3: In the authors' response, the authors compared their study with five certificateless signcryption schemes. However, the authors only compared their scheme with four studies. One study has disappeared. Please do not hide any related work just for publishing. From your response, we can find that [4] has the
Reply: Thank you for your review. In our previous revision, we didn't compare our study with [4]. However, we have already clearly explained the rationale behind it in our response letter: this is because the computational cost of the extractor and the NIZK argument operation is not specified in [4]. So it is simply infeasible to determine the values of $t_x$ and $t_n$, where $t_x$ and $t_n$ denote the cost of the extractor Ext and the cost of the NIZK argument operation, respectively. The computational overhead of [4] and of our proposed scheme is therefore incomparable. As a result, the comparison of computational overhead between [4] and the proposed scheme is not considered in the revised manuscript.
Nevertheless, [4] is a good work since it gave a general construction for a leakage-resilient certificateless signcryption scheme without bilinear pairing. Our scheme can be considered as a special construction of that scheme to some extent. But we go further by introducing an element $f_3$ in the signature $f_2 = r f(ID_A)/(x_A + z_A + f_3)$, where $f_3$ helps to verify the integrity of the message $m$. As a result, even when the proposed scheme works in signature mode, the receiver is also able to check the integrity of the message, while the signature mode of the generalized scheme of [4] is not able to achieve it.
Question 4: In this paper, a new security property, called contextual privacy, is used in this study. The authors claimed that their paper has this security property. However, I think that this security property is the same as unlinkability. Please point out what the difference between them is.
Reply: Thank you for your review. Contextual privacy requires that the eavesdroppers or entities in the system don't have the ability to obtain the source and the destination of the data simultaneously. In other words, they can know either the source or the destination of the data but cannot know both the source and destination at the same time. This is important specifically for healthcare. For example, if an attacker knows that a patient goes to visit a medical center that is specialized in heart attacks, the attacker can simply conclude that the patient has a heart attack/disease, which results in a privacy violation. Unlinkability requires that the transmissions of any two sessions should not be linked to the same source WBAN client. The differences between them are as follows: contextual privacy considers the source and destination of the data in one session, while unlinkability considers the source of the data in two or more sessions.
Although the proposed protocol achieves both contextual privacy and unlinkability by encrypting the identity of the users, the two security properties are achieved from different aspects:
i) Contextual privacy is protected by the encryption of the source, $e_H^S$, and the encryption of the destination, $e_N^H$. As none of the entities is able to decrypt $e_H^S$ and $e_N^H$ simultaneously, none of them can get both the source and the destination of the data.
ii) Unlinkability is achieved by the encryption of the source $e_H^S$. Recall that $e_H^S = (f_1, f_3, S')$, where the source identity $S$ is encrypted as $S'$,

$$S' = H_3\big(rX_H,\; r(Y_H + X_N H_1(H, Y_H, X_H, X_N))\big) \oplus S. \qquad (1)$$

By choosing a different random $r$ in different sessions in Eq. (1), and thereby obtaining different ciphertexts $S'$, the listeners cannot judge whether the data comes from different senders.
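Eq. (1) and the reply to Question 4 argue that a fresh random $r$ per session makes the masked identity $S'$ unlinkable across sessions while the hub still recovers $S$. The following Python is an added toy model, not the protocol's own code: the elliptic-curve group is replaced by exponentiation modulo a Mersenne prime, $H_3$ is modelled as truncated SHA-256, and the hub's scalar behind $Y_H + X_N H_1(H, Y_H, X_H, X_N)$ is assumed to be held by the hub as a single secret `s_H`; `Hub`, `mask_identity`, `run_sessions` and `observer_can_link` are my own names, and the identity string and scalars are constructed. It also exercises the failure mode the unlinkability argument depends on: reusing $r$ makes two sessions identical on the wire.

```python
import hashlib

# Constructed toy group: the multiplicative group mod a Mersenne prime, standing in
# for the elliptic-curve group of the paper (assumption).  "rP" becomes pow(G, r, P).
P = 2**127 - 1
G = 3


def smul(point, k):
    """Scalar multiplication in the toy group (exponentiation mod P)."""
    return pow(point, k, P)


def h3(v1, v2, n):
    """H3 modelled as SHA-256 over the two group elements, truncated to n bytes (assumption)."""
    data = v1.to_bytes(16, "big") + v2.to_bytes(16, "big")
    return hashlib.sha256(data).digest()[:n]


def xor(a, b):
    return bytes(u ^ w for u, w in zip(a, b))


class Hub:
    """Receiver H.  s_H stands in for the scalar behind Y_H + X_N*H1(H, Y_H, X_H, X_N)
    in Eq. (1); the hub is assumed to hold it as one secret (simplification)."""

    def __init__(self, x_H, s_H):
        self.x_H, self.s_H = x_H, s_H
        self.X_H, self.S_H = smul(G, x_H), smul(G, s_H)   # public values

    def unmask(self, f1, masked):
        """Recover S from (f1, S'): the hub recomputes v1, v2 from f1 = rP and its secrets."""
        v1, v2 = smul(f1, self.x_H), smul(f1, self.s_H)
        return xor(h3(v1, v2, len(masked)), masked)


def mask_identity(X_H, S_H, S, r):
    """Sender side of Eq. (1): S' = H3(rX_H, r*(...)) XOR S, together with f1 = rP."""
    f1 = smul(G, r)
    v1, v2 = smul(X_H, r), smul(S_H, r)
    return f1, xor(h3(v1, v2, len(S)), S)


def run_sessions(hub, S, randoms):
    """Run one session per r; return (f1, S', identity recovered by the hub) per session."""
    out = []
    for r in randoms:
        f1, masked = mask_identity(hub.X_H, hub.S_H, S, r)
        out.append((f1, masked, hub.unmask(f1, masked)))
    return out


def observer_can_link(records):
    """Passive listener's test: two sessions are trivially linkable if they carry the same (f1, S')."""
    seen = set()
    for f1, masked, _ in records:
        if (f1, masked) in seen:
            return True
        seen.add((f1, masked))
    return False


if __name__ == "__main__":
    hub = Hub(x_H=0x123456789ABC, s_H=0xDEADBEEFCAFE)   # constructed secrets
    S = b"WBAN-client-0042"                             # constructed 16-byte source identity
    fresh = run_sessions(hub, S, [11, 12345])            # fresh r per session
    reused = run_sessions(hub, S, [11, 11])              # failure mode: r repeated
    print("fresh r linkable:", observer_can_link(fresh), "| hub recovered:", fresh[0][2])
    print("reused r linkable:", observer_can_link(reused))
```

The check in `observer_can_link` is deliberately the weakest possible listener (exact equality of the transmitted pair); the point of Eq. (1) is that with fresh $r$ even this comparison fails, because both $f_1 = rP$ and the mask $H_3(\cdot)$ change every session, while the hub's `unmask` still yields the same $S$.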
References
[1] C. Lin, P. Wang, H. Song, Y. Zhou, Q. Liu, G. Wu, A differential privacy protection scheme for sensitive big data in body sensor networks, Annals of Telecommunications, 2016, ISSN 0003-4347.
[2] A. Siva Sangari, J. Martin Leo Manickam, Secure Communication over BSN Using Modified Feather Light Weight Block (MFLB) Cipher Encryption, Journal of Software, vol. 10, pp. 961, 2015, ISSN 1796-217X.
[3] T. Hayajneh, B. Mohd, M. Imran, G. Almashaqbeh, A. Vasilakos, Secure Authentication for Remote Patient Monitoring with Wireless Medical Sensor Networks, Sensors, vol. 16, pp. 424, 2016, ISSN 1424-8220.
[4] Y. Zhou, B. Yang, W. Zhang, Provably secure and efficient leakage-resilient certificateless signcryption scheme without bilinear pairing, Discrete Applied Mathematics, vol. 204, no. 5, pp. 185-202, 2016.