This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2631950, IEEE Transactions on Information Forensics and Security

Light-weight and Robust Security-Aware D2D-assist Data Transmission Protocol for Mobile-Health Systems
Aiqing Zhang, Lei Wang, Xinrong Ye, Xiaodong Lin

Abstract: With the rapid advancement of technology, healthcare systems have been quickly transformed into a pervasive environment, where both challenges and opportunities abound. On the one hand, the proliferation of smart phones and advances in medical sensors and devices have driven the emergence of wireless body area networks (WBAN) for remote patient monitoring, also known as Mobile-Health (M-Health), thereby providing a reliable and cost-effective way to improve the efficiency and quality of health care. On the other hand, the advances of M-Health systems also generate extensive medical data, which could crowd today's cellular networks. Device-to-Device (D2D) communications have been proposed to address this challenge, but unfortunately, security threats are also emerging because of the open nature of D2D communications between medical sensors and the highly privacy-sensitive nature of medical data. Even more disconcerting is that healthcare systems have many characteristics that make them more vulnerable to privacy attacks than other applications. In this paper, we propose a Light-weight and Robust Security-Aware (LRSA) D2D-assist data transmission protocol for M-Health systems by using a certificateless generalized signcryption technique. Specifically, we first propose a new efficient CertificateLess Generalized SignCryption (CLGSC) scheme which can adaptively work as one of three cryptographic primitives, signcryption, signature, or encryption, within one single algorithm. The scheme is proven to be secure, simultaneously achieving confidentiality and unforgeability. Based on the proposed CLGSC algorithm, we further design a D2D-assist data transmission protocol for M-Health systems with security properties including data confidentiality and integrity, mutual authentication, contextual privacy, anonymity, unlinkability, and forward security. Performance analysis demonstrates that the proposed protocol can achieve the design objectives and outperforms existing schemes in terms of computational and communication overhead.

Index Terms: D2D communications; Mobile-Health systems; Security; Certificateless signcryption.

I. INTRODUCTION
The Mobile-Health (M-Health) system has been envisioned as a promising approach to improving healthcare quality and saving lives in the aging society [1], [2]. In M-Health systems, the Personal Health Information (PHI) is collected by a Body Area Network (BAN) and aggregated by a smartphone. Then the data is sent to the healthcare center via cellular networks [2]. With the increasing popularity of mobile healthcare, the medical data sent to base stations may aggravate the already over-burdened cellular networks. Fortunately, Device-to-Device (D2D) communications have been proposed as an advantageous solution to the explosive demand for spectrum, because they can operate on the same time/frequency resources over short distances [3]-[5]. Consequently, we propose to transmit the PHI data through D2D communications in M-Health systems in this paper. However, due to the intrinsically open nature of wireless communications and the dynamics of cellular networks, D2D communications are vulnerable to security attacks such as eavesdropping, fake messages, privacy violations, etc. Currently, security for M-Health systems has attracted extensive attention [6]-[11]. Most of these works mainly focus on either anonymous authentication or privacy-preserving issues while ignoring the security of data transmission. Lin et al. [1] first consider this problem by proposing a strong privacy-preserving scheme against global eavesdropping for eHealth systems, followed by [12], [13]. These are pioneering works on security-aware data transmission for M-Health systems, but they do not take into account D2D-assist data transmission scenarios.

A. Zhang and L. Wang are with the Key Lab of Broadband Wireless Communication and Sensor Network Technology, Nanjing University of Posts and Telecommunications (NJUPT), Ministry of Education, China (e-mail: aqzhang2006@163.com; wanglei@njupt.edu.cn). Xinrong Ye is with Anhui Normal University (e-mail: yaya-ye@126.com). X. Lin is with the Faculty of Business and Information Technology, University of Ontario Institute of Technology, Canada (e-mail: xiaodong.lin@uoit.ca). A. Zhang is also with the Faculty of Business and Information Technology, University of Ontario Institute of Technology and Anhui Normal University.

Actually, security-aware D2D-assist PHI transmission for M-Health systems is challenging due to the privacy-sensitive characteristics of PHI data and the insecure D2D transmission. Specifically, the protocol design should consider the following issues: i) How to guarantee that the PHI cannot be accessed by the relays while the relays are still able to judge whether the data has been altered by attackers? ii) How to achieve mutual authentication between the source client of the data and its intended physician without interaction? iii) The proposed protocol should be lightweight, in the sense that the mobile terminals have energy and storage constraints, i.e., the computational and communication cost should be low. iv) The protocol should be robust enough to face the threat of part of the keys being exposed, i.e., the PHI remains secure even if part of the keys are disclosed.
In order to address the above issues, we use certificateless public key cryptography (CLPKC) to achieve the designed security objectives. In CLPKC, the user's private key is not generated by the Key Generator Center (KGC) alone but is a combination of the contributions of the KGC and the user. The KGC does not know the user's private key but can authenticate its public key. In this way, the key escrow problem of the
ID-based public key cryptography is solved. Additionally, the CLPKC avoids the problems of certificate revocation, storage and distribution in certificate-based public key cryptography.

1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Generally, the CLPKC has three techniques, i.e., certificateless
signature, certificateless encryption, and certificateless signcryption. The three techniques are usually realized by three
different algorithms and are applicable in different application
scenarios.
In order to adaptively work as a signcryption scheme, a signature scheme, or an encryption scheme with only one algorithm, a certificateless generalized signcryption (CLGSC) scheme was put forward by Ji et al. in [14]. Later, the authors in [15], [16] proposed more efficient CLGSC schemes. However, all the existing CLGSC schemes are realized with pairing operations, which are time-consuming and have low computational efficiency. Motivated by the above, we propose a new CLGSC scheme which has low computational cost and is proven to be secure with respect to confidentiality and unforgeability.
The new CLGSC algorithm can adaptively operate in three modes: signcryption mode, signature mode, or encryption mode. We use CLGSC to design a light-weight and robust security-aware (LRSA) D2D-assist data transmission protocol for M-Health systems. Firstly, the PHI data is encapsulated in signcryption mode and the source's identity is encrypted in encryption mode by the source client, thus achieving data confidentiality and integrity, mutual authentication and contextual privacy. In addition, a session key is introduced into the signcryption algorithm to enhance the security strength. The session key is updated by a secure hash function at the end of each transmission session to achieve forward security. Moreover, the source client and all the relays sign the encrypted data to guarantee data integrity. Notably, the proposed LRSA protocol also achieves anonymity and unlinkability by using a pseudo identity and a random number in the ciphertext of the identity.
In summary, our contributions are threefold.
1) We propose a new efficient certificateless generalized signcryption (CLGSC) scheme. The proposed CLGSC is built on the Elliptic Curve Discrete Logarithm Problem (ECDLP) and implemented without pairing. It has the lowest computational cost compared with the existing CLGSC schemes. Moreover, it is proven to achieve confidentiality and unforgeability in the random oracle model (ROM) under the Discrete Logarithm Problem (DLP) and Computational Diffie-Hellman Problem (CDHP) assumptions.
2) We design a lightweight and robust security-aware (LRSA) D2D-assist data transmission protocol for M-Health systems based on the proposed CLGSC scheme. LRSA achieves data confidentiality and integrity, mutual authentication and contextual privacy by using the proposed CLGSC scheme. Furthermore, anonymity and unlinkability are simultaneously realized by using a pseudo identity and choosing different random numbers in different sessions. Additionally, LRSA provides forward security through a hash chain of the session key.
3) We analyze the security properties of the proposed LRSA and compare it with the other protocols [26]-[28] in terms of data confidentiality and integrity, mutual authentication, anonymity, unlinkability, forward security, and contextual privacy. Moreover, the computational overhead and communication overhead are also compared between our proposed CLGSC algorithm and the other certificateless generalized signcryption schemes.
The remainder of the paper is organized as follows. An overview of security in M-Health systems and certificateless public key cryptography is given in Section II. The system model is presented in Section III, followed by the preliminaries in Section IV. In Section V, the new CLGSC scheme is constructed and proved secure in detail. Section VI describes the proposed LRSA scheme and Section VII analyzes its security properties. In Section VIII, the performance of the proposed scheme is evaluated and compared with other schemes in terms of computational overhead and communication overhead. Finally, Section IX concludes this work.
II. RELATED WORK
Security has been a very important issue in M-Health/eHealth systems and there is a substantial amount of work [2], [6]-[11]. [6] highlights the challenges, drivers, and standardization initiatives for security, compliance, and interoperability, while [7] presents the key challenges in developing an efficient and secure patient-centric monitoring system for eHealth applications. The surveys above only provide a framework or research directions instead of specific security solutions.
The authors in [10] present a promising commercialized solution with system infrastructures and supporting techniques. [8] focuses on authentication strategies with progressive privacy requirements in different interactions among participating entities in M-Health systems. [9] and [2] mainly consider the data processing techniques once an emergency happens in M-Health systems. Different from the aforementioned works, [11] proposes reputation systems to enhance eHealth systems by bridging the gap between strong contractual agreements and first-time domain exchanges. All the above works concentrate on privacy or authentication of M-Health systems while neglecting security during the data transmission process.
[1] may be the first work to concentrate on security-aware data transmission in eHealth systems. They propose a scheme against global eavesdropping to achieve both content privacy and contextual privacy, but they neglect the data integrity and authentication issues. Later, [18] presents different cryptographic security models for secure data exchange in eHealth peer-to-peer database management system networks, yet they also neglect the data transmission process. Recently, [19] argues that the eHealth exchange, which is a federal initiative for online exchange of healthcare information, needs to be augmented to provide greater patient awareness and control. The authors use digitally signed logs for the detection of unauthorized and malicious sharing of health data, but they do not provide a secure transmission solution.
In this work, we focus on security-aware data transmission for M-Health systems by using certificateless cryptography to realize the expected design objectives.


III. MODELS AND GOALS

A. System model
Motivated by [2], we consider an M-Health system consisting of three entities: the network manager (NM), WBAN clients, and medical service providers, as shown in Fig. 1.
Network manager (NM). The NM is a powerful entity in charge of the whole system, e.g., initializing the system and managing membership. In the proposed scheme, the NM also works as the key generation center. As the NM may be operated by the M-health center or a commercial organization, it can't be fully trusted. Consequently, the NM only generates a partial private key for each registrant, to avoid the key escrow problem, and is prohibited from accessing the patient health information.
WBAN clients. A WBAN client is a medical user equipped with a personal BAN and a mobile phone. The BAN consists of many body sensors, such as blood pressure, oxygen saturation and temperature sensors. All the data sensed by the devices forms the PHI, which is reported to the mobile phone. Note that the mobile phone is a key component of the client, as it processes the PHI and sends the data to the NM for delivery to the corresponding physician. Different from in-bed patients at home or in hospital, the WBAN clients are mobile users in our model, i.e., walking outside [2], [22]. The WBAN clients have to register with the NM to join the M-health system before enjoying the medical service.
Medical service providers. Medical service providers, such as a physician, clinic or hospital, provide physician consultation or medical services to the clients. They also need to be preloaded with the system parameters and register with the NM before they serve the clients. In our model, we assume that the physicians take the role of medical service providers.
We assume that at session $t$, the WBAN client $S$ wants to report his PHI to the physician $H$ (see footnote 1) while it is unable to reach the NM directly. So it searches for other clients to help relay the data. We assume that a reliable routing from the source client $S$ to the NM has been established in our system model (see footnote 2), as shown in Fig. 1. The $n$ clients $C_{i_1}, C_{i_2}, \ldots, C_{i_n}$ form the relay set, denoted by $R = \{R_1, R_2, \ldots, R_n\}$. Here, $R_1$ denotes the first relay receiving the data from the source, and $R_n$ denotes the last relay, which sends the data to the NM. Upon receiving the data from the relay $R_n$, the NM distributes the data to the intended physician.
B. Threat model and design goals
Threat model. As the PHI data passes through the relays and the NM before arriving at the physician, it faces the threat of revealing the source's private information. Specifically, the relays or eavesdroppers may learn the health status of the source client from the PHI if the PHI is not confidential, which is called content-oriented privacy. Even if the PHI is confidential to them, the relays or the eavesdroppers may deduce the source's disease once they find the intended physician of the client. On the other hand, as the NM delivers the data to the intended physician, it may find out the WBAN client's health information if it knows the source of the data. This privacy of the data source or destination is called contextual privacy [1]. Moreover, a semi-trusted NM may also access the client's PHI or impersonate the clients and physicians for commercial benefit. Some malicious attackers may modify or fabricate the data for their own purposes.
Security objectives. Based on the above system model and potential threats, the design goals of our scheme are as follows: 1) Data confidentiality and integrity. Data confidentiality protects the PHI from revealing the source's privacy-sensitive information, while data integrity ensures that the message is not altered during transmission. 2) Mutual authentication. The WBAN client and the physician can authenticate each other to guarantee that the data comes from the claimed source and arrives at the intended destination. 3) Anonymity. The real identity of the WBAN clients should be confidential to anyone (including the NM) except the intended physician. 4) Unlinkability. The transmissions of any two sessions should not be linkable to the same source WBAN client. 5) Forward security. If the full private key of an entity in the current session is exposed, the transmissions protected by the previous session keys remain secure. 6) Contextual privacy. Eavesdroppers or entities in the system, i.e., relays and the NM, do not have the ability to link the source and the destination of the data if they do not collude.

Footnote 1. In order to reduce the burden on the NM and the physician, the data is usually transmitted at a low frequency, e.g., once every three hours. Note that in emergency circumstances, e.g., when a heart attack occurs, the data should be transmitted and processed in an emergency manner [2]. We consider the former case.
Footnote 2. Here, "reliable" means that the routing is stable and all the relays are cooperative in forwarding the data.
IV. PRELIMINARIES
A. The intractable problem assumption
Definition 1 Elliptic Curve Discrete Logarithm Problem (ECDLP) [23]. Given an elliptic curve $E$, we consider a primitive element $P$ and another element $T$. We denote by $\#E$ the number of points on the curve. The ECDLP is finding the integer $d$, where $1 \le d \le \#E$, such that
$$\underbrace{P + P + \cdots + P}_{d} = dP = T.$$
In cryptosystems, $d$ is the private key, which is an integer, while the public key $T$ is a point on the curve with coordinates $T = (x_T, y_T)$.
DLP assumption. It is assumed to be intractable to solve the ECDLP within polynomial time.
Definition 2 Computational Diffie-Hellman Problem (CDHP). Given an elliptic curve $E$, we consider a cyclic group $G$ on $E$ with order $q$ and its generator $P$. Given the tuple $aP \in G$, $bP \in G$, where $a, b \in \mathbb{Z}_q$, the CDHP is to compute $abP$.
CDHP assumption. It is assumed to be intractable to solve the CDHP within polynomial time.
Fig. 1. System model of the M-health system: the WBAN client sends its data through the relays $R_1, \ldots, R_i, \ldots, R_n$ to the network manager (which also acts as the KGC), which forwards it to the medical service provider (physician).

B. Certificateless generalized signcryption (CLGSC)
A generalized signcryption scheme can adaptively work as a signcryption scheme, a signature scheme, or an encryption scheme within one single algorithm, which is suitable for
storage-constrained applications. The users may perform the algorithm according to the security requirements in different environments. As analyzed in [20], a certificateless cryptosystem may be subject to two types of adversary: a Type I adversary may request entities' public keys and replace public keys with values of its choice but is not allowed to access the master private key; a Type II adversary may access the master private key but is not allowed to replace the public keys of the entities.
The security of a CLGSC scheme includes confidentiality for the signcryption and encryption modes, and unforgeability for the signcryption and signature modes. The security proof of a CLGSC scheme can be viewed as an interactive game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$. There are four games for the confidentiality and unforgeability proofs, between the challenger and a Type I adversary and a Type II adversary, respectively. [16] gives detailed descriptions of the four games. To avoid reinventing the wheel, we refer to [16] for the security model of a CLGSC. We directly give the definitions based on the games defined in [16].
Definition 3 Confidentiality of CLGSC. A CLGSC scheme is said to have IND-CLGSC-CCA2 confidentiality in encryption or signcryption mode if every PPT adversary $\mathcal{A}_I$ has only a negligible advantage in winning the IND-CLGSC-CCA2-I game, and every PPT adversary $\mathcal{A}_{II}$ has only a negligible advantage in winning the IND-CLGSC-CCA2-II game.
Definition 4 Unforgeability of CLGSC. A CLGSC scheme is said to have EUF-CLGSC-CMA unforgeability in signature or signcryption mode if every PPT forger $\mathcal{F}_I$ has only a negligible probability of winning the EUF-CLGSC-CMA-I game, and every PPT forger $\mathcal{F}_{II}$ has only a negligible probability of winning the EUF-CLGSC-CMA-II game.

V. DESIGN BASIS: THE PROPOSED CLGSC
In this section, we propose a certificateless generalized signcryption scheme, working as the design basis of our proposed LRSA protocol. Moreover, we prove the security of the scheme in the random oracle model.

A. The Proposed CLGSC
The proposed CLGSC scheme is composed of the following four algorithms:
Setup($k$). Given the security parameter $k$, the KGC generates two primes $p$ and $q$ such that $q \mid p-1$. $P$ is a generator of the cyclic group $G$, which is defined on an elliptic curve, with order $q$. The KGC randomly selects $x_N \in \mathbb{Z}_q$ as the master private key and computes the public key $X_N = x_N P$. Moreover, the KGC chooses three secure hash functions: $H_1: \{0,1\}^* \times G \times G \times G \to \mathbb{Z}_q$, $H_2: \mathbb{Z}_q \times \mathbb{Z}_q \to \mathbb{Z}_q$, $H_3: \mathbb{Z}_q \times \mathbb{Z}_q \to \{0,1\}^*$. Define an index function $f(ID)$ as follows: $f(ID) = 0$ if $ID = \phi$ (the empty identity), otherwise $f(ID) = 1$. The system parameters are published as $params = (p, q, P, X_N, H_1, H_2, H_3)$.
KeyGeneration($ID_i$). The algorithm is performed by the user $ID_i$ and the KGC interactively.
1) The user $ID_i$ randomly selects $x_i \in \mathbb{Z}_q$ as the secret value and computes $X_i = x_i P$ as its partial public key.
2) The user sends its identity and partial public key $(ID_i, X_i)$ to the KGC.
3) The KGC randomly selects $y_i \in \mathbb{Z}_q$ and computes $Y_i = y_i P$, $z_i = y_i + x_N H_1(ID_i, Y_i, X_i, X_N)$ for the user with partial public key $X_i$.
4) The partial private key $z_i$ is sent to the user through a secure channel and the public key $(X_i, Y_i)$ is stored in the public tree by the KGC. The full private key of user $ID_i$ is $(x_i, z_i)$. The full public key is $(X_i, Y_i)$. Note that $ID_i$ may judge the validity of the partial private key by checking whether $Y_i + H_1(ID_i, Y_i, X_i, X_N) X_N = z_i P$.
CLGSC($ID_A$, $ID_B$, $m$). With $ID_B$ as the receiver, signcryption (signature or encryption) of the message $m$ is performed by the sender $ID_A$ as follows:
1) Computes $f(ID_A)$, $f(ID_B)$;
2) $ID_A$ randomly picks $r \in \mathbb{Z}_q$ and computes $h_1 = H_1(ID_B, Y_B, X_B, X_N)$;
3) Computes $f_1 = rP$, $f_3 = H_2(f_1, ID_A, m)$, $f_2 = r f(ID_A) / (x_A + z_A + f_3)$;
4) Computes $m' = (H_3(v_1, v_2) \cdot f(ID_B)) \oplus m$, where $v_1 = r X_B$, $v_2 = r(Y_B + h_1 X_N)$;
5) Returns $\sigma = (f_1, f_2, f_3, m')$ as the ciphertext.
UCLGSC($ID_A$, $ID_B$, $\sigma$). The receiver $ID_B$ decrypts and verifies $\sigma$ as follows:
1) Computes $f(ID_A)$, $f(ID_B)$, $h_1 = H_1(ID_A, Y_A, X_A, X_N)$;
2) Computes $v_1 = x_B f_1$, $v_2 = z_B f_1$, $m = (H_3(v_1, v_2) \cdot f(ID_B)) \oplus m'$;
3) Checks $H_2(f_2(X_A + Y_A + h_1 X_N + f_3 P), ID_A, m) = f_3$ (see footnote 3). If the equation holds, the message is accepted.
Footnote 3. In encryption mode, the verification equation is $H_2(f_1, ID_A, m) = f_3$.
Correctness of the encryption:
$$\begin{aligned}
m &= H_3(v_1, v_2) \oplus m' \\
  &= H_3(x_B f_1, z_B f_1) \oplus m' \\
  &= H_3\big(r X_B,\; r(y_B + x_N H_1(ID_B, Y_B, X_B, X_N)) P\big) \oplus m' \\
  &= H_3(v_1, v_2) \oplus m' \\
  &= m,
\end{aligned}$$
where $(v_1, v_2)$ in the first line are the values computed by the receiver and $(v_1, v_2)$ in the fourth line are the values chosen by the sender; the two pairs coincide, and $m' = H_3(v_1, v_2) \oplus m$ gives the last step.
Correctness of the signature:
$$\begin{aligned}
&H_2\big(f_2(X_A + Y_A + h_1 X_N + f_3 P), ID_A, m\big) \\
&= H_2\Big(\frac{r}{x_A + z_A + f_3}(x_A P + z_A P + f_3 P), ID_A, m\Big) \\
&= H_2(rP, ID_A, m) = H_2(f_1, ID_A, m) = f_3,
\end{aligned}$$
since $Y_A + h_1 X_N = (y_A + x_N h_1) P = z_A P$ with $h_1 = H_1(ID_A, Y_A, X_A, X_N)$.

B. Security proof
In this subsection, we give the security proof of the proposed CLGSC scheme in the random oracle model [21].
Lemma 1 Type-I Confidentiality. The proposed CLGSC scheme in signcryption mode or encryption mode is secure against any IND-CLGSC-CCA2-I adversary in the random oracle model under the CDHP assumption.
Proof. See Appendix A.
Lemma 2 Type-II Confidentiality. The proposed CLGSC scheme in signcryption mode or encryption mode is secure against any IND-CLGSC-CCA2-II adversary in the random oracle model under the CDHP assumption.
Proof. See Appendix B.
Theorem 1 The proposed CLGSC scheme has IND-CLGSC-CCA2 confidentiality in signcryption mode or encryption mode under the CDHP assumption.
Theorem 1 is directly derived from Lemma 1 and Lemma 2.
Lemma 3 Type-I Unforgeability. The proposed CLGSC scheme in signcryption mode or signature mode is secure against any EUF-CLGSC-CMA-I forger in the random oracle model under the DLP assumption.
Proof. See Appendix C.
Lemma 4 Type-II Unforgeability. The proposed CLGSC scheme in signcryption mode or signature mode is secure against any EUF-CLGSC-CMA-II forger in the random oracle model under the DLP assumption.
Proof. See Appendix D.
Theorem 2 The proposed CLGSC scheme has EUF-CLGSC-CMA unforgeability in signcryption mode or signature mode under the DLP assumption.
Theorem 2 is directly derived from Lemma 3 and Lemma 4.
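As an added example (not code from the paper or its authors), the following Python prototype implements the four algorithms above and runs them in signcryption, signature and encryption mode, checking the two correctness equations by actually decrypting and verifying. The paper fixes neither the group nor the hash functions, so the example assumes secp256k1 for $G$ (its standard generator as $P$ and its prime order as $q$), SHA-256 for $H_1$, $H_2$ and $H_3$ (with $H_3$ stretched to the message length in counter mode), a fixed byte encoding of points, integers and identities before hashing, and Python `None` for the empty identity $\phi$. The identities and the PHI message are constructed sample values. The example also exercises the footnote-3 check for encryption mode and shows that a tampered ciphertext and decryption under the wrong receiver key are both rejected.

```python
# Toy pairing-free CLGSC (added example, not the authors' code). Assumptions not fixed by the
# paper: G = secp256k1 (standard generator P, prime order q); H1..H3 built from SHA-256
# (H3 stretched to the message length); the empty identity phi is represented by None.
import hashlib, secrets

_p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # order of G
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator
INF = None  # point at infinity

def ec_add(A, B):  # affine point addition on y^2 = x^3 + 7 over GF(p)
    if A is INF or B is INF: return B if A is INF else A
    if A[0] == B[0] and (A[1] + B[1]) % _p == 0: return INF
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, _p) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, _p)) % _p
    x = (lam * lam - A[0] - B[0]) % _p
    return (x, (lam * (A[0] - x) - A[1]) % _p)

def ec_mul(k, A):  # left-to-right double-and-add, k*A
    R = INF
    for bit in bin(k % q)[2:]:
        R = ec_add(R, R)
        if bit == "1": R = ec_add(R, A)
    return R

def _enc(v):  # length-prefixed byte encoding of one hash input (assumption)
    if isinstance(v, tuple): b = v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
    elif isinstance(v, int): b = v.to_bytes(32, "big")
    elif isinstance(v, str): b = v.encode()
    else: b = b"\x00" if v is INF else v          # point at infinity or raw bytes
    return len(b).to_bytes(4, "big") + b

def _H(tag, *args):
    return hashlib.sha256(tag + b"".join(map(_enc, args))).digest()

def f(ID): return 0 if ID is None else 1          # index function: 0 for phi, else 1
def H1(ID, Y, X, XN): return int.from_bytes(_H(b"H1", ID or "", Y, X, XN), "big") % q
def H2(f1, ID, m): return int.from_bytes(_H(b"H2", f1, ID or "", m), "big") % q
def H3(v1, v2, n):  # {0,1}^* output: n mask bytes from counter-mode SHA-256
    return b"".join(_H(b"H3", v1, v2, i) for i in range((n + 31) // 32))[:n]

def setup():  # Setup(k): master private key x_N and master public key X_N = x_N P
    xN = secrets.randbelow(q - 1) + 1
    return xN, ec_mul(xN, P)

def keygen(ID, xN, XN):
    """KeyGeneration(ID_i): returns full private key (x_i, z_i) and public key (X_i, Y_i)."""
    xi, yi = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1  # user's / KGC's pick
    Xi, Yi = ec_mul(xi, P), ec_mul(yi, P)
    zi = (yi + xN * H1(ID, Yi, Xi, XN)) % q                               # partial private key
    if ec_add(Yi, ec_mul(H1(ID, Yi, Xi, XN), XN)) != ec_mul(zi, P):       # user's validity check
        raise ValueError("partial private key rejected")
    return (xi, zi), (Xi, Yi)

def clgsc(sender, receiver, m, XN):
    """CLGSC(ID_A, ID_B, m): sender=(ID_A,(x_A,z_A)) or None, receiver=(ID_B,(X_B,Y_B)) or None."""
    IDA, IDB = (sender or (None,))[0], (receiver or (None,))[0]
    r = secrets.randbelow(q - 1) + 1
    f1 = ec_mul(r, P)
    f3 = H2(f1, IDA, m)
    # f2 = r f(ID_A) / (x_A + z_A + f3); zero in encryption mode
    f2 = 0 if not f(IDA) else r * pow((sender[1][0] + sender[1][1] + f3) % q, -1, q) % q
    mask = bytes(len(m))                          # signature mode: H3 * f(ID_B) = 0, m in clear
    if f(IDB):
        XB, YB = receiver[1]
        v1 = ec_mul(r, XB)                        # v1 = r X_B
        v2 = ec_mul(r, ec_add(YB, ec_mul(H1(IDB, YB, XB, XN), XN)))  # v2 = r (Y_B + h1 X_N)
        mask = H3(v1, v2, len(m))
    return (f1, f2, f3, bytes(a ^ b for a, b in zip(mask, m)))

def uclgsc(sender, receiver, sigma, XN):
    """UCLGSC(ID_A, ID_B, sigma): sender=(ID_A,(X_A,Y_A)) or None, receiver=(ID_B,(x_B,z_B)) or None."""
    IDA, IDB = (sender or (None,))[0], (receiver or (None,))[0]
    f1, f2, f3, m_ = sigma
    mask = bytes(len(m_))
    if f(IDB):
        xB, zB = receiver[1]
        mask = H3(ec_mul(xB, f1), ec_mul(zB, f1), len(m_))   # v1 = x_B f1, v2 = z_B f1
    m = bytes(a ^ b for a, b in zip(mask, m_))
    if f(IDA):                                    # f2 (X_A + Y_A + h1 X_N + f3 P) should equal f1
        XA, YA = sender[1]
        T = ec_add(ec_add(XA, YA), ec_add(ec_mul(H1(IDA, YA, XA, XN), XN), ec_mul(f3, P)))
        ok = H2(ec_mul(f2, T), IDA, m) == f3
    else:
        ok = H2(f1, IDA, m) == f3                 # footnote 3: encryption-mode check
    return m if ok else None                      # None: message rejected

def demo():
    """Run the three modes plus two rejection cases; returns a dict of outcomes."""
    xN, XN = setup()
    skS, pkS = keygen("client-S", xN, XN)
    skH, pkH = keygen("physician-H", xN, XN)
    m = b"PHI sample (constructed): hr=72 spo2=98"
    sc = clgsc(("client-S", skS), ("physician-H", pkH), m, XN)   # signcryption mode
    sg = clgsc(("client-S", skS), None, m, XN)                    # signature mode
    en = clgsc(None, ("physician-H", pkH), m, XN)                 # encryption mode
    bad = sc[:3] + (bytes([sc[3][0] ^ 1]) + sc[3][1:],)           # one flipped ciphertext bit
    return {
        "signcrypt": uclgsc(("client-S", pkS), ("physician-H", skH), sc, XN) == m,
        "sign": uclgsc(("client-S", pkS), None, sg, XN) == m and sg[3] == m,
        "encrypt": uclgsc(None, ("physician-H", skH), en, XN) == m and en[3] != m,
        "tamper_rejected": uclgsc(("client-S", pkS), ("physician-H", skH), bad, XN) is None,
        "wrong_key_rejected": uclgsc(("client-S", pkS), ("client-S", skS), sc, XN) is None,
    }
```

demo() returns a dictionary of outcomes so each property can be checked separately. The pure-Python curve arithmetic is written for readability; it is neither fast nor constant-time, so a deployment of the scheme on the mobile terminals discussed in the paper would use a vetted elliptic-curve library for the group operations.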
VI. THE PROPOSED LRSA PROTOCOL
In this section we design a lightweight and robust security-aware (LRSA) D2D-assist data transmission protocol based on the proposed CLGSC scheme. Due to the generalized property of CLGSC, the proposed protocol is able to effectively achieve various security and privacy protection requirements at the source, relays and destination. Firstly, we give an overview of the proposed protocol. Then the protocol is described in detail. For simplicity of expression, we may use "client" to denote "WBAN client". The pseudo identity of the client is presented as "identity".
A. Overview of the proposed protocol
In order to achieve the design goals, certificateless signcryption, certificateless encryption and certificateless signature are jointly introduced into the protocol, as shown in Fig. 2.
Firstly, at the system initialization step, the clients and physicians register with the NM to generate their full private keys and public keys. Meanwhile, each client connects to his physician and generates an initial session key with him through a key agreement protocol. Then, the source client with pseudo identity $S$ collects its PHI $m$ and formulates the information as $M = (\mu_S \,\|\, e_H^S \,\|\, e_N^H)$, where $\mu_S$ is the signcryption of $m$ performed by the source client, i.e., $\mu_S = \mathrm{CLGSC}(S, H, m)$. It can only be decrypted and verified by the intended physician $H$ with his full private key. The identity of the source client is encrypted by $S$ with the public key of the physician using the certificateless encryption mode, i.e., $e_H^S = \mathrm{CLGSC}(\phi, H, S)$. Meanwhile, the identity of the intended physician is also encrypted with the public key of the NM, i.e., $e_N^H = \mathrm{CLGSC}(\phi, N, H)$. Notably, $e_H^S$ and $e_N^H$ protect the identity privacy of the source and destination of the PHI to guarantee contextual privacy.
During the data transmission process, the packet $M$ is treated as a whole before reaching the NM, and is signed by the relays to guarantee data integrity. Specifically, the source $S$ signs $M$ as $\sigma_S = \mathrm{CLGSC}(S, \phi, M)$ and appends it to the data. The relays verify the signature and forward the data with their own signatures. Fig. 2 shows the messages passing along the path. Note that the NM parses the data to get $e_N^H$ and decrypts it to find the intended physician of the data.
Upon receiving the data $(\mu_S \,\|\, e_H^S)$ from the NM, the physician first decrypts $e_H^S$ to obtain the source WBAN client's pseudo identity $S$. Then the physician decrypts and verifies $\mu_S$ with its full private key and $S$'s public key to access the PHI and provide the corresponding services.


Fig. 2. The proposed protocol. The source $S$ forms $M = \mu_S \,\|\, e_H^S \,\|\, e_N^H$ with $\mu_S = \mathrm{CLGSC}(S, H, m)$, $e_H^S = \mathrm{CLGSC}(\phi, H, S)$ and $e_N^H = \mathrm{CLGSC}(\phi, N, H)$, signs it as $\sigma_S = \mathrm{CLGSC}(S, \phi, M)$ and sends $(M \,\|\, S \,\|\, \sigma_S)$ to $R_1$. Each relay $R_i$ verifies the incoming signature ($\sigma_S$ at $R_1$, $\sigma_{R_{i-1}}$ otherwise), computes $\sigma_{R_i} = \mathrm{CLGSC}(R_i, \phi, M)$ and forwards $(M \,\|\, R_i \,\|\, \sigma_{R_i})$; the last relay delivers $(M \,\|\, R_n \,\|\, \sigma_{R_n})$ to the NM. The NM verifies $\sigma_{R_n}$, decrypts $e_N^H$ and passes $(\mu_S \,\|\, e_H^S)$ to the physician $H$, who decrypts $e_H^S$ and verifies $\mu_S$.

B. The proposed LRSA protocol
The proposed LRSA protocol is composed of the following four phases: system initialization, data formulation, data transmission, and data receiving.
Phase 1 System initialization.
System parameter generation. Given the security parameter $k$, the network manager NM generates two primes $p$ and $q$ such that $q \mid p-1$. $P$ is a generator of the cyclic group $G$, which is defined on an elliptic curve, with order $q$. Moreover, the NM randomly selects $x_N \in \mathbb{Z}_q$ as the master private key and computes the public key $X_N = x_N P$. The NM additionally chooses four secure hash functions: $H_0: \mathbb{Z}_q \to \mathbb{Z}_q$, $H_1: \{0,1\}^* \times G \times G \times G \to \mathbb{Z}_q$, $H_2: G \times \mathbb{Z}_q \times \mathbb{Z}_q \to \mathbb{Z}_q$, $H_3: \mathbb{Z}_q \times \mathbb{Z}_q \times \mathbb{Z}_q \to \{0,1\}^*$. The system parameters are published as $params = (p, q, P, X_N, H_0, H_1, H_2, H_3)$.
Registration. Both the WBAN clients and physicians (named users) register with the NM to join the system. The WBAN clients use a pseudo identity, denoted by $C$, for anonymity, while the physicians use their real identity $H$.
1) The user $D \in \{C, H\}$ randomly selects $x_D \in \mathbb{Z}_q$ as the secret value and computes $X_D = x_D P$ as its partial public key.
2) The user sends its identity and partial public key $(D, X_D)$ to the NM for registration.
3) The NM randomly selects $y_D \in \mathbb{Z}_q$ and computes $Y_D = y_D P$, $z_D = y_D + x_N H_1(D, Y_D, X_D, X_N)$ for the registrant $D$ with partial public key $X_D$.
4) The partial private key $z_D$ is sent to the registrant through a secure channel and the public key $(X_D, Y_D)$ is stored in the public tree by the NM.
The full private key of user $D$ is $(x_D, z_D)$. Note that $D$ may judge the validity of the partial private key by checking whether $Y_D + H_1(D, Y_D, X_D, X_N) X_N = z_D P$.
Remark 1 As the source client encrypts the physician's identity with the NM's public key by performing certificateless encryption, the NM also generates a partial private key and partial public key for itself. Specifically, the NM randomly picks $y_N \in \mathbb{Z}_q$ and computes $Y_N = y_N P$, $z_N = y_N + x_N H_1(N, Y_N, X_N)$, where $N$ denotes the identity of the NM. The full public key of the NM, $(X_N, Y_N)$, is also stored in the public tree for access.

Initial session key agreement. When a WBAN client and a physician establish a client/server relationship, they negotiate an initial symmetric session key for their coming data transmission. They may generate the symmetric key at both sides via a secure key agreement protocol, e.g., Diffie-Hellman key exchange [24]. Essentially, the main purpose of this process is to establish a shared secret between the WBAN client and his physician for their first communication event. The security of their successive communications is based on their former session key, i.e., $K_{t+1}^{D_i}$ is a function of $K_t^{D_i}$. The corresponding session key is refreshed after each transmission.
Phase 2 Data formulation.
This step is performed by the source client with identity $S$. Firstly, $S$ selects his intended physician $H$ for receiving the PHI $m$ and refers to its key record table for the session key with $H$, denoted by $K_t$, at the current session $t$. Then $S$ runs the certificateless signcryption algorithm $\mathrm{CLGSC}(S, H, m)$ on $m$ as follows:
- $S$ randomly chooses $r \in \mathbb{Z}_q^*$ and computes $h_1 = H_1(ID_H, Y_H, X_H, X_N)$;
- Computes $f_1 = rP$, $f_3 = H_2(f_1, ID_S, m)$, $f_2 = r/(x_S + z_S + f_3)$;
- Computes $m' = H_3(v_1, v_2, K_t) \oplus m$, where $v_1 = r X_H$, $v_2 = r(Y_H + h_1 X_N)$;
- Returns $\sigma_S = (f_1, f_2, f_3, m')$ as the ciphertext.
The signcryption of $S$ for $H$ on $m$ is presented as $\sigma_S = (f_1, f_2, f_3, m', t)$.
Moreover, the source client performs certificateless encryption on his identity $S$ and the intended physician's identity $H$ for contextual privacy. $I \in \{H, N\}$ denotes the entity NM or the physician and $D \in \{S, H\}$ denotes the identity of $S$ or $H$. The certificateless encryption algorithm $\mathrm{CLGSC}(\emptyset, I, D)$ is performed as follows:
- $S$ randomly picks $r \in \mathbb{Z}_q^*$ and computes $f_1 = rP$, $f_3 = H_2(f_1, I, D)$;
- Computes $D' = H_3(v_1, v_2) \oplus D$, where $v_1 = r X_I$, $v_2 = r(Y_I + X_N H_1(I, Y_I, X_I, X_N))$.
$D$ is encrypted as $e^D_I = (f_1, f_3, D')$ with the public key of entity $I$. Specifically, $e^S_H$ is an encryption of $S$ with $H$'s public key, which can only be decrypted with $H$'s private key; $e^H_N$ is an encryption of $H$ with $N$'s public key, which can only be decrypted with $N$'s private key.


Thereafter, the PHI is formulated as $M = (\sigma_S \| e^S_H \| e^H_N)$ by the source $S$. Before sending the data out, the source client signs the data by running the certificateless signature algorithm $\mathrm{CLGSC}(S, \emptyset, M)$ as follows:
- $S$ randomly chooses $r \in \mathbb{Z}_q^*$;
- Computes $f_1 = rP$, $f_3 = H_2(f_1, S, M)$, $f_2 = r/(x_S + z_S + f_3)$.
The signature of $S$ on $M$ is $\sigma_S = (f_1, f_2, f_3)$. The client $S$ sends the data $M$, his signature, and his identity in the format $data = (M \| S \| \sigma_S)$ to the predetermined relay $R_1$. Simultaneously, $S$ updates his key record table by refreshing its session key with $H$ as $K_{t+1} = H_0(K_t)$.
Phase 3 Data transmission.
After receiving the data from the source $S$, $R_1$ parses the sender's identity $S$ and signature $\sigma_S$ from $data$. Then, $R_1$ searches the public tree for the sender's public key $(X_S, Y_S)$ and verifies the signature as follows:
- Computes $f_1' = f_2(X_S + Y_S + H_1(S, Y_S, X_S, X_N) X_N + f_3 P)$, where $f_3 = H_2(f_1, S, M)$, and checks $f_1 \stackrel{?}{=} f_1'$.
If the equation holds, $R_1$ accepts the data. Before sending $M$ to the next relay $R_2$, $R_1$ also signs $M$ by running $\mathrm{CLGSC}(R_1, \emptyset, M)$ with his private key $(x_{R_1}, z_{R_1})$ and generates its signature $\sigma_{R_1}$. Similarly, $R_1$ appends $M$ with his identity and signature, formulating $data = (M \| R_1 \| \sigma_{R_1})$, and sends it to the next relay $R_2$. All the other relays forward the data in the same way, i.e., verifying the signature of the sender, generating their own signature on $M$, and sending it to the next relay, as shown in Fig. 2.
When the data arrives at the NM, the NM first checks the validity of the sender's signature as the relays have done. Then, the NM parses $M$ as $(\sigma_S \| e^S_H \| e^H_N)$ and decrypts $e^H_N = (f_1, f_3, H')$ by computing
$v_1 = x_N f_1$, $v_2 = z_N f_1$, $H = H_3(v_1, v_2) \oplus H'$.
If $H_2(f_1, N, H) = f_3$ holds, the NM sends $(\sigma_S \| e^S_H)$ to the corresponding physician $H$.
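Why the relay's check and the NM's decryption recover the sender's values, as an added derivation (not part of the original text) in the symbols defined above, using $z_S = y_S + x_N h_1$ with $h_1 = H_1(S, Y_S, X_S, X_N)$:

$$f_2\,(X_S + Y_S + h_1 X_N + f_3 P) = \frac{r}{x_S + z_S + f_3}\,(x_S + y_S + h_1 x_N + f_3)\,P = \frac{r}{x_S + z_S + f_3}\,(x_S + z_S + f_3)\,P = rP = f_1' ,$$

so $f_1' = f_1$ exactly when $f_3 = H_2(f_1, S, M)$ was computed over the same $M$ the signer used; any change to $M$ in transit changes $f_3$ and the equality fails. For the decryption, let $h_1'$ denote the $H_1$ value of the NM's keys (Remark 1), so that $z_N = y_N + x_N h_1'$; then

$$x_N f_1 = x_N r P = r X_N = v_1, \qquad z_N f_1 = r\,(y_N + x_N h_1')\,P = r\,(Y_N + h_1' X_N) = v_2 ,$$

which are the two points the source used to form $e^H_N$, so $H_3(v_1, v_2) \oplus H' = H$ and the check $H_2(f_1, N, H) = f_3$ passes. The same two identities, with $H$ in place of $N$, justify the physician's decryption in Phase 4.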
Phase 4 Data receiving and processing.
Similar to the NM, the physician $H$ decrypts $e^S_H$ with his private key after receiving the data $\sigma_S \| e^S_H$ and obtains the source identity $S$ of the PHI. Then, $H$ accesses the public tree for the source's public key $(X_S, Y_S)$ and refers to his session key record table for the session key $K_t$ with $S$. $H$ decrypts and verifies $\sigma_S = (f_1, f_2, f_3, m', t)$ as follows:
- Computes $v_1 = x_H f_1$, $v_2 = z_H f_1$, $m = H_3(v_1, v_2, K_t) \oplus m'$;
- Checks $H_2(f_2(X_S + Y_S + h_1 X_N + f_3 P), ID_S, m) = f_3$, where $h_1 = H_1(S, Y_S, X_S, X_N)$ as in Phase 3.
If the equation holds, the message $m$ is accepted. Additionally, the physician $H$ refreshes its session key with $S$ as $K_{t+1} = H_0(K_t)$.
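The four phases above, run end to end as an added, self-contained example (this is not code from the paper or its authors). Registration issues the partial private key $z_D$ and the user validates it; the client signcrypts the PHI for $H$ under the session key, encrypts its own pseudo identity for $H$ and $H$'s identity for the NM, and signs $M$; each relay verifies the previous hop's signature and re-signs; the NM decrypts $e^H_N$; the physician decrypts $e^S_H$, unsigncrypts, and both sides refresh the key with $H_0$. Everything not in the paper is an assumption: the curve (secp256k1 with pure-Python arithmetic, standing in for the paper's Koblitz curve), the SHA-256/SHAKE-256 instantiations of $H_0$ to $H_3$, the length-prefixed byte encoding, the identities and PHI string, and session keys modelled as 32-byte strings rather than elements of $\mathbb{Z}_q$. The Phase 4 check uses the sender's $h_1 = H_1(S, Y_S, X_S, X_N)$, as Phase 3 does, and the altered-message check after the last relay shows the integrity property the signatures provide.

```python
import hashlib
import secrets

# Constructed LRSA walk-through on secp256k1 (assumption: the paper uses a Koblitz curve over
# F_2^163; the group choice does not change the algebra). Not the authors' code.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if A is None or B is None:
        return A if B is None else B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):
    """Double-and-add k*A (not constant-time: demonstration only)."""
    R, k = None, k % Q
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def enc(*parts):
    """Length-prefixed encoding of points, scalars, str/bytes (None = empty) for hashing."""
    out = b""
    for p in parts:
        b = (p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big") if isinstance(p, tuple)
             else p.to_bytes(32, "big") if isinstance(p, int)
             else p.encode() if isinstance(p, str) else (p or b""))
        out += len(b).to_bytes(2, "big") + b
    return out

def h_zq(tag, *parts):  # hash to Z_q^*; the tag separates the H1/H2 domains (assumed instantiation)
    return 1 + int.from_bytes(hashlib.sha256(tag + enc(*parts)).digest(), "big") % (Q - 1)

def H1(ident, Y, X, X_N): return h_zq(b"H1", ident, Y, X, X_N)
def H2(f1, ident, m): return h_zq(b"H2", f1, ident, m)
def H3(v1, v2, K, n): return hashlib.shake_256(b"H3" + enc(v1, v2, K)).digest(n)  # {0,1}^n mask
def H0(K): return hashlib.sha256(b"H0" + K).digest()  # K_{t+1} = H0(K_t); keys modelled as bytes
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rand_scalar(): return 1 + secrets.randbelow(Q - 1)

def register(ident, x_N, X_N, x_D=None):
    """Phase 1: user keeps secret x_D; NM issues partial private key z_D = y_D + x_N*h1."""
    x_D = x_D or rand_scalar()
    X_D, y_D = ec_mul(x_D, GEN), rand_scalar()
    Y_D = ec_mul(y_D, GEN)
    h1 = H1(ident, Y_D, X_D, X_N)
    z_D = (y_D + x_N * h1) % Q
    assert ec_add(Y_D, ec_mul(h1, X_N)) == ec_mul(z_D, GEN)  # user validates z_D
    return {"id": ident, "x": x_D, "z": z_D, "X": X_D, "Y": Y_D}

def clgsc(sender, receiver, m, X_N, K=b""):
    """CLGSC: signcryption; sender=None gives encryption, receiver=None gives signature."""
    r, f2, mp = rand_scalar(), None, None
    f1 = ec_mul(r, GEN)
    f3 = H2(f1, (sender or receiver)["id"], m)  # binds the sender id (or I in encryption mode)
    if sender:
        f2 = r * pow((sender["x"] + sender["z"] + f3) % Q, -1, Q) % Q
    if receiver:
        h1 = H1(receiver["id"], receiver["Y"], receiver["X"], X_N)
        v1, v2 = ec_mul(r, receiver["X"]), ec_mul(r, ec_add(receiver["Y"], ec_mul(h1, X_N)))
        mp = xor(H3(v1, v2, K, len(m)), m)
    return (f1, f2, f3, mp)

def uclgsc(c, sender, receiver, X_N, K=b"", m=None):
    """UCLGSC: returns the message when decryption/verification succeeds, else None."""
    f1, f2, f3, mp = c
    if receiver:  # decrypt with the receiver's full private key (x, z)
        m = xor(H3(ec_mul(receiver["x"], f1), ec_mul(receiver["z"], f1), K, len(mp)), mp)
    if sender:  # verify with the sender's public key (X, Y): f2*(X+Y+h1*X_N+f3*P) == f1
        h1 = H1(sender["id"], sender["Y"], sender["X"], X_N)
        base = ec_add(ec_add(sender["X"], sender["Y"]), ec_add(ec_mul(h1, X_N), ec_mul(f3, GEN)))
        ok = ec_mul(f2, base) == f1 and H2(f1, sender["id"], m) == f3
    else:
        ok = H2(f1, receiver["id"], m) == f3
    return m if ok else None

def lrsa_session(m=b"HR=72 bpm SpO2=98%", K=bytes(32)):
    """One session S -> R1 -> R2 -> NM -> H (constructed identities); returns what each party got."""
    x_N = rand_scalar(); X_N = ec_mul(x_N, GEN)
    nm = register("NM", x_N, X_N, x_D=x_N)  # Remark 1: NM's own (Y_N, z_N)
    S, H = register("client-pseudo-0042", x_N, X_N), register("physician-17", x_N, X_N)
    relays = [register("relay-%d" % i, x_N, X_N) for i in (1, 2)]
    # Phase 2: signcrypt PHI for H under K_t, encrypt S for H and H for NM, sign M
    sigma = clgsc(S, H, m, X_N, K)
    e_SH = clgsc(None, H, S["id"].encode(), X_N)
    e_HN = clgsc(None, nm, H["id"].encode(), X_N)
    M = enc(*sigma, *e_SH, *e_HN)
    prev, sig = S, clgsc(S, None, M, X_N)
    # Phase 3: each relay verifies the previous hop's signature on M and re-signs M
    for R in relays:
        assert uclgsc(sig, prev, None, X_N, m=M) == M
        prev, sig = R, clgsc(R, None, M, X_N)
    forged = uclgsc(sig, prev, None, X_N, m=bytes([M[0] ^ 1]) + M[1:])  # altered M fails
    assert uclgsc(sig, prev, None, X_N, m=M) == M  # NM verifies the last relay
    dest = uclgsc(e_HN, None, nm, X_N)  # NM learns only the destination
    # Phase 4: H recovers the source id, unsigncrypts with K_t, and both sides refresh the key
    src = uclgsc(e_SH, None, H, X_N)
    phi = uclgsc(sigma, S, H, X_N, K)
    return {"dest": dest, "src": src, "phi": phi, "forged": forged, "next_key": H0(K)}
```

Calling `lrsa_session()` returns the PHI recovered by the physician, the source identity it decrypted from $e^S_H$, the destination the NM decrypted from $e^H_N$, `None` for the altered copy of $M$ (the last relay's signature does not verify over it), and the refreshed session key. Unsigncrypting with a wrong session key also returns `None`, because the $H_2$ check fails on the garbled $m$, which is the "double protection" of the PHI described in the security analysis; and two encryptions of the same identity differ because of the fresh $r$.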
VII. SECURITY ANALYSIS
In this section, we analyze security properties of the proposed protocol in terms of the security objectives mentioned
in Section III. We also analyze how the protocol achieves
robustness.

A. Security properties
The proposed protocol achieves PHI data confidentiality and integrity. PHI data confidentiality is doubly protected by the session key $K_t$ and the public key encryption. Specifically, the source client $S$ encrypts the PHI with the algorithm $\mathrm{CLGSC}(S, H, m)$ by using the public key of the intended physician $H$ and the session key with $H$. The message $m$ is encrypted as $m' = H_3(v_1, v_2, K_t) \oplus m$, where $v_1$ and $v_2$ can only be recovered with the private key of $H$, and $K_t$ is only stored by $S$ and $H$. Even if the session key $K_t$ is exposed to the adversary, Theorem 1 demonstrates that the encryption achieves confidentiality under the CDHP assumption.
The PHI data integrity is guaranteed by the signcryption of the source client $S$ and the signatures of the relays $R_i$ $(i = 1, 2, \ldots, n)$ simultaneously. Firstly, the source client signcrypts the message by performing the algorithm $\mathrm{CLGSC}(S, H, m)$ and outputs the ciphertext $\sigma_S = (f_1, f_2, f_3, m', t)$. By decrypting and verifying the ciphertext, the intended receiver is able to check the integrity of the data. Meanwhile, the relays' signatures on the encrypted data $M$ ensure the integrity of the data during the transmission process.
The proposed protocol achieves mutual authentication. The source client authenticates the physician by the signcryption of the message $\sigma_S$ and the encryption of the identity $e^S_H$. In particular, only the intended physician who holds the private key $(x_H, z_H)$ can recover the source identity of the data from $e^S_H$ and can further decrypt the ciphertext $\sigma_S$. Even if the adversary steals the private key of the physician, it still can't access the PHI data if the session key is secure. On the other hand, the physician authenticates the source client by verifying the signcryption $\sigma_S$. From Theorem 2 we find that the signcryption is unforgeable under the DLP assumption. Thus, an adversary without the full private key is unable to forge the signature on the message.
The proposed protocol achieves anonymity. During the whole data transmission process, the WBAN client uses its pseudo identity (the pseudo identity may be generated from its real identity) for communication and thereby achieves anonymity to some extent. However, a fixed pseudo identity may bring a linkability problem, which may also reveal the user's privacy-sensitive information to malicious entities. To address this issue, the proposed protocol realizes unlinkability as analyzed below.
The proposed protocol achieves unlinkability. In the proposed protocol, the source identity of the data is encrypted as $e^S_H$, which can only be decrypted with the full private key of $H$. Recall that $e^S_H = (f_1, f_3, S')$ is formulated by computing
$$S' = H_3\big(rX_H,\; r(Y_H + X_N H_1(H, Y_H, X_H, X_N))\big) \oplus S. \quad (1)$$
Here, $S$ is encrypted as $S'$, which hides the source identity. However, an auditor may find that two sessions come from the same source if the two sessions have the same $e^S_H$, which might reveal some information about the source. We deal with this problem by using the random $r$ in the proposed protocol. Specifically, $S$ chooses a different random $r$ in each session in Eq. (1) and obtains a different ciphertext $S'$. From the point of view of the listeners, the $e^S_H$ values and the data may come from different senders. Similarly, receiver unlinkability is also ensured by $e^H_N$ with a different random $r$.
The proposed protocol achieves forward security. At the end of each transmission, the session key is updated as $K_{t+1} = H_0(K_t)$. Due to the secure one-way hash function $H_0$, attackers can't recover the previous session key. Additionally, even if the full private key of the physician is compromised, the previous transmissions remain confidential, since the previous session key is secure.
The proposed protocol achieves contextual privacy. Contextual privacy is protected by $e^S_H$ and $e^H_N$. The relays only know that the data is forwarded to the NM but have no idea about the intended physician. They do not even know where the data comes from, since the source client $S$ may also be considered a relay by the first relay $R_1$. Consequently, if the relays do not collude, they know neither where the data comes from nor where it goes.
The NM may learn the destination of the data by deciphering $e^H_N$. But the NM does not know where the data comes from, since it receives the data from the last relay $R_n$ and cannot judge whether $R_n$ is a relay or the source. However, if all the relays and the NM collude, i.e., all the relays cooperate to discover the source and the NM reveals the destination, contextual privacy is lost. Note that the proposed protocol still achieves contextual privacy against global eavesdropping with the mix technique presented in [1].
B. Robustness analysis
The robustness property requires that the PHI remains secure even if part of the private keys are disclosed. The proposed LRSA protocol achieves this objective in three aspects.
- Since certificateless cryptography is adopted, the NM only generates a partial private key in LRSA, thus avoiding impersonation attacks by the NM. In other words, the NM is not able to access the PHI data or impersonate the clients.
- As the PHI data is doubly protected by the session key and the full private key of the intended physician, exposure of one key will not affect the confidentiality of the data.
- Both the signcryption of the PHI data performed by the source client and the signatures produced by the relays guarantee data integrity. Even if the relays are captured by the attackers and forge a signature on the data, this malicious behavior will be discovered by the intended physician, who is able to verify the signcryption of the source client.
VIII. PERFORMANCE EVALUATION AND COMPARISONS
In this section, we compare the security properties and the efficiency of the proposed LRSA protocol with several protocols. Since there is currently no data transmission protocol for D2D-assisted M-Health systems, we choose the recently proposed certificateless-based authentication protocols [26]–[28] as benchmarks, since we share the same design basis. Moreover, we compare the computational and communication overhead of our proposed certificateless generalized signcryption scheme with its counterparts.
A. Comparisons of security properties
Table I compares the security properties of our LRSA protocol with Liu-I [26], Liu-II [26], Xiong-14 [27], and Xiong-15 [28] for WBANs. The table demonstrates that only our proposed protocol has the property of contextual privacy as well as the other seven properties.
B. Computational overhead
To date, there are only three certificateless generalized signcryption schemes [14]–[17]. We compare our proposed CLGSC scheme with the four schemes in terms of computational and communication overhead. As the pairing, exponentiation and multiplication operations dominate the computational overhead in these schemes, we only consider these three operations. We denote by $t_e$ the time consumed for one exponentiation operation, $t_m$ the time consumed for one scalar multiplication in $G$, and $t_p$ the time for one pairing operation.
In our proposed CLGSC scheme, it takes one multiplication operation in $G$ to compute the signature $f_1, f_2$, and three multiplication operations to compute the ciphertext $m'$ in signcryption mode. In the signature mode, the operations for the ciphertext are unnecessary, thus the signature mode only costs $t_m$. The encryption mode needs to compute $m'$ as well as $f_1$, thus the computational cost of this mode is $4t_m$. The unsigncryption algorithm needs two multiplication operations to recover the message $m$ from $m'$ and one multiplication operation to verify the signature, bringing $3t_m$ overhead for the unsigncryption mode. In the unsignature mode, the message is sent directly to the receiver, thus $2t_m$ is saved compared to the unsigncryption mode. The decryption mode spends $2t_m$ on recovering the message.
The computational overhead of our proposed CLGSC scheme and the other certificateless generalized signcryption schemes are compared in Table II. The table shows that the three existing CLGSC schemes use exponentiation, multiplication, and/or pairing operations, while the proposed scheme is implemented without pairing or exponentiation.
To quantify the running time of the operations, the standard open source MIRACL Crypto SDK [29] is employed as the benchmark. Specifically, the Koblitz elliptic curve $y^2 = x^3 + x^2 + 1$ defined over $\mathbb{F}_{2^{163}}$ is used to achieve the same security level as 1024-bit RSA. In [28], where the algorithms are implemented on an Intel PXA270 processor at 624 MHz installed on a Linux personal digital assistant, the running times are $t_e = 53.85$ ms, $t_m = 30.67$ ms, $t_p = 96.20$ ms, respectively. We evaluate the performance with similar settings. The computational time is shown in Fig. 3. The figure demonstrates that our proposed CLGSC scheme needs much less computational time than the other four schemes in all three modes. This is due to the fact that the pairing and exponentiation operations take much longer than the multiplication operation, while our proposed scheme

1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2631950, IEEE
Transactions on Information Forensics and Security
9

TABLE I
COMPARISONS OF THE SECURITY PROPERTIES WITH CERTIFICATELESS-BASED AUTHENTICATION PROTOCOLS

Properties (row order): Data confidentiality, Data integrity, Mutual authentication, Anonymity, Unlinkability, Forward security, Contextual privacy.

Protocol        Marked properties, in row order (unmarked cells are not preserved in the extracted table)
Liu-I [26]      ✓a ✓ ✓ ✓
Liu-II [26]     ✓a ✓ ✓ ✓ ✓
Hu-14 [27]      ✓a ✓ ✓ ✓ ✓ ✓
Hu-15 [28]      ✓a ✓ ✓ ✓ ✓ ✓
Our protocol    ✓ ✓ ✓ ✓ ✓ ✓ ✓ (all seven, including contextual privacy)

a As the protocol has the property of session key establishment, it can achieve data confidentiality.

TABLE II
COMPARISONS OF THE COMPUTATIONAL OVERHEAD AMONG THE CLGSC SCHEMES

                  CLGSC                                         UCLGSC
Scheme            Signcryption    Signature   Encryption     Unsigncryption   Verification   Decryption
Ji [14]           3te + 2tm       te + tm     3te + tm       te + tm + 2tp    te + tp        te + 2tp
Kushwah [15]      2te + 3tm       te + 2tm    2te + 2tm      te + 3tm + 2tp   2tm + tp       te + tm + tp
Zhou [16]         te + 4tm + tp   4tm         te + tm + tp   tm + 5tp         4tp            tm + 3tp
Shi [17]          4te             te          4te            te               5te            te
Proposed scheme   4tm             tm          4tm            3tm              tm             2tm

TABLE III
COMPARISONS OF THE COMPUTATIONAL OVERHEAD AMONG THE PROTOCOLS

Scheme          Client       AP
Liu-II [26]     2tm          tp
Xiong-14 [27]   3tm          6tm
Xiong-15 [28]   11te + tp    8tp + 3te
LRSA            9tm          6tm

Fig. 3. The computational time of the CLGSC scheme. (a) CLGSC algorithm: time consumption of CLGSC (ms) in the signcryption, signature and encryption modes for Ji [14], Kushwah [15], Zhou [16], Shi [17] and the proposed scheme. (b) UCLGSC algorithm: time consumption of UCLGSC (ms) in the unsigncryption, verification and decryption modes for the same schemes.

is implemented without pairing. Additionally, our proposed CLGSC does not need to conduct exponentiation operations. Thus, CLGSC is a lightweight scheme.  Notably, the decryption mode of the scheme in [17] has a slightly lower computational cost than our proposed scheme. This is because it only needs one exponentiation operation, while the proposed scheme requires two scalar multiplication operations.
We also compare the computational overhead of the proposed LRSA protocol with the aforementioned three protocols [26]–[28]. As the three authentication protocols only use signatures to achieve their design objectives, we only compare the signature mode of our scheme for consistency of the benchmark. In [26]–[28], a supersingular elliptic curve $E/\mathbb{F}_p : y^2 = x^3 + x$ along with the Tate pairing $e : G \times G \to G_T$ defined over this curve is used, where the embedding degree of the curve is 2. We use similar processor settings at the WBAN client and the AP as in [28].
Remark 2 The time consumption at the relay nodes mainly lies in the signature on the data, which is $t_m$ as analyzed in Table II. This computational overhead is tolerable on most mobile terminals. Thus we mainly consider the time consumption at the source client. In our proposed LRSA protocol, the source client needs to conduct signcryption on the PHI message, encryption on the identity, and a signature on $M$. All these operations take up $4t_m + 4t_m + t_m = 9t_m$ computational overhead.
In Table III, we compare the computational overhead at the client and the AP, respectively. Note that the physician in our scheme plays the same role as the AP in [26]–[28]. Usually, an AP or a physician working on a desktop has higher processor and memory performance than a mobile terminal. As estimated in [28], the running times of the AP, which runs on a PIV 3 GHz processor with Windows XP and 512 MB of memory, are $t_e = 11.2$ ms, $t_m = 6.38$ ms, $t_p = 20.01$ ms, respectively. The time consumption at the client and the AP is shown in Fig. 4.
Note from Fig. 4 that our proposed LRSA scheme has a slightly higher computational cost than the protocols of Liu [26] and Xiong-14 [27]. This happens because our scheme performs two encryption operations on the identities and two signature operations on the data to achieve contextual privacy, which are absent in the two protocols. Notably, the protocol Xiong-15 [28] has a much higher computational cost because of its revocation functionality, which the other protocols cannot achieve.

TABLE IV
COMPARISONS OF THE COMMUNICATION OVERHEAD

Scheme          Client                  AP          Total Overhead
Liu-II [26]     2|G| + 2|Q| + |E|       |Q|         2|G| + 3|Q| + |E|
Xiong-14 [27]   4|G| + |E|              |G| + |Q|   5|G| + |Q| + |E|
Xiong-15 [28]   |G| + 8|Q| + |E|        |G| + |Q|   2|G| + 9|Q| + |E|
LRSA            4|G| + 6|Q| + 2|E|      0           4|G| + 6|Q| + |E|

Fig. 4. Time consumption at the client and the AP (bar chart, in ms, of the client and AP times for Liu-II [26], Xiong-14 [27], Xiong-15 [28] and LRSA).

C. Communication overhead
We consider the communication overhead of one session. The communication overhead of the proposed LRSA comes from the data $M$ and the signature on $M$ at the source client and the relays. Specifically, the data $M = \sigma_S \| e^S_H \| e^H_N$ is composed of the signcryption $\sigma_S = (f_1, f_2, f_3, m', t)$ and the encryptions $e^S_H$ ($e^H_N$) $= (f_1, f_3, D')$. The signature on $M$ is $\sigma = (f_1, f_2, f_3)$. We denote by $|G|$, $|Q|$, $|E|$, $|m'|$ the size of an element in $G$, the size of an element in $\mathbb{Z}_q$, the length of an identity $D$, and the length of $m'$ (footnote 4), respectively. The length of the message sent by the source client and the relays is
$$|G| + 2|Q| + |m'| + 2|G| + 2|E| + 2|Q| + |G| + 2|Q| = 4|G| + 6|Q| + 2|E| + |m'|.$$
To be consistent for the comparisons, we assume the session key established in the protocols of [26]–[28] is used for encrypting the message with a symmetric algorithm, say AES. The size of the encrypted message is then also $|m'|$. Consequently, we skip the length of the ciphertext $m'$ in all the protocols. The communication overhead is displayed in Table IV (footnote 5). The group $G$ corresponds to the group $G_1$ in [26] and [27]. We assume that the identity $ID$ has the same size as $D$ in our LRSA protocol. Note that the physician only receives the message and does not send feedback, thus its communication overhead is 0 in our proposed LRSA scheme. However, in the other protocols the APs have to interact with the clients for mutual authentication and session key establishment.
4 As the length of the session counter $t$ is $2 \ll |G|$, we omit it from the communication overhead.
5 The communication overhead caused by the timestamp in [26]–[28] is also omitted.

IX. CONCLUSIONS

In this paper, we have proposed a new efficient certificateless generalized signcryption (CLGSC) scheme, which is proven to be secure in confidentiality and unforgeability in the ROM under the DLP and CDHP assumptions. Based on the proposed CLGSC scheme, we designed a lightweight and robust security-aware (LRSA) D2D-assist data transmission protocol for M-Health systems. Security analysis demonstrated that the LRSA protocol can achieve data confidentiality and integrity, mutual authentication, contextual privacy, anonymity, unlinkability, as well as forward security. Moreover, the LRSA protocol outperforms the existing schemes in terms of computational and communication overhead.
For future work, we will consider relay selection strategies for the security-aware D2D-assist data transmission for M-Health systems.
APPENDIX A: PROOF OF LEMMA 1
A challenger $\mathcal{C}$ is given an instance of the CDHP, denoted by $\langle P, aP, bP \rangle$. The aim of the challenger is to compute $abP$. Let $\mathcal{A}_I$ be an adversary who is capable of breaking the IND-CLGSC-CCA-I security. $\mathcal{C}$ can make use of $\mathcal{A}_I$ to compute the solution of the CDHP instance by playing the following interactive game with $\mathcal{A}_I$.
Setup. $\mathcal{C}$ sets the master public key $X_N = bP$ and gives $\mathcal{A}_I$ the tuple $(p, q, P, X_N, H_1, H_2, H_3)$ as the parameters, where $H_1, H_2, H_3$ are random oracles controlled by $\mathcal{C}$. $\mathcal{C}$ randomly selects an index between $1$ and $q_{H_1}$, where $q_{H_1}$ denotes the maximal number of queries to $H_1$; the identity submitted in the $H_1$ query with that index is the target identity, written $ID$ below, with partial public keys $(X, Y)$.
Training phase. $\mathcal{A}_I$ performs a polynomially bounded number of queries as follows. $\mathcal{C}$ keeps lists $L_1, L_2, L_3, L_S, L_P$ to maintain consistency between the responses and the hash queries. All the lists are empty at the beginning.
$H_1$-query $(ID_i, Y_i, X_i, X_N)$: $\mathcal{C}$ checks list $L_1$. If a tuple of the form $\langle ID_i, Y_i, X_i, X_N, h_1 \rangle$ exists in the list, it returns $h_1$. Otherwise, $\mathcal{C}$ randomly selects $h_1 \in \mathbb{Z}_q^*$, adds the tuple $\langle ID_i, Y_i, X_i, X_N, h_1 \rangle$ to $L_1$, and returns $h_1$.
$H_2$-query $(f_1, ID_i, m)$: $\mathcal{C}$ checks list $L_2$. If a tuple of the form $\langle f_1, ID_i, m, f_3 \rangle$ exists in the list, it returns $f_3$. Otherwise, $\mathcal{C}$ randomly selects $f_3 \in \mathbb{Z}_q^*$, adds the tuple $\langle f_1, ID_i, m, f_3 \rangle$ to $L_2$, and returns $f_3$.

1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2631950, IEEE
Transactions on Information Forensics and Security
11

$H_3$-query $(v_1, v_2)$: $\mathcal{C}$ checks list $L_3$. If a tuple of the form $\langle v_1, v_2, h_3 \rangle$ exists in the list, it returns $h_3$. Otherwise, $\mathcal{C}$ randomly selects $h_3 \in \mathbb{Z}_q^*$, adds the tuple $\langle v_1, v_2, h_3 \rangle$ to $L_3$, and returns $h_3$.
Secret-value-extraction $(ID_i)$: if $ID_i = ID$, $\mathcal{C}$ aborts the simulation. Otherwise, $\mathcal{C}$ checks list $L_S$. If a tuple of the form $\langle ID_i, x_i, X_i \rangle$ exists in the list, it returns $x_i$. Otherwise, $\mathcal{C}$ randomly selects $x_i \in \mathbb{Z}_q^*$, computes $X_i = x_i P$, adds the tuple $\langle ID_i, x_i, X_i \rangle$ to $L_S$, and returns $x_i$.
Partial-private-key-extraction $(ID_i, X_i)$: If $ID_i = ID$, then $\mathcal{C}$ randomly selects $y \in \mathbb{Z}_q^*$, computes $Y = yP$, adds the tuple $\langle ID, X, \perp, Y \rangle$ to the list $L_P$ and returns $\perp$. Otherwise, $\mathcal{C}$ checks list $L_P$. If a tuple of the form $\langle ID_i, X_i, z_i, Y_i \rangle$ exists in the list, it returns $z_i$. Otherwise, $\mathcal{C}$ randomly selects $z_i, h_1 \in \mathbb{Z}_q^*$, computes $Y_i = z_i P - h_1 X_N$, adds the tuple $\langle ID_i, X_i, z_i, Y_i \rangle$ to $L_P$ and $\langle ID_i, Y_i, X_i, X_N, h_1 \rangle$ to $L_1$, and returns $z_i$.
Public-key-extraction $(ID_i, X_i)$: To respond to this query, $\mathcal{C}$ checks list $L_P$. If a tuple of the form $\langle ID_i, X_i, z_i, Y_i \rangle$ exists in the list, it returns $(X_i, Y_i)$. Otherwise, $\mathcal{C}$ performs the Partial-private-key-extraction $(ID_i, X_i)$ query itself and returns $(X_i, Y_i)$.
Replace-public-key-query $(ID_i, Y_i)$: $\mathcal{C}$ updates the tuple $\langle ID_i, X_i, z_i, Y_i \rangle$ of the list $L_P$ with $\langle ID_i, X_i, \perp, Y_i \rangle$.
CLGSC-query $(m, ID_i, ID_j)$: For the signcryption query on a message $m$ with $ID_i$ as the sender and $ID_j$ as the receiver, if $ID_i = \emptyset$ and $ID_j \neq \emptyset$, it equals the encryption oracle, which only needs the public parameters; $\mathcal{C}$ answers the query according to the actual encryption algorithm. If $ID_i \neq \emptyset$, $\mathcal{C}$ proceeds as follows:
1) If $ID_i \neq ID$ and $ID_j \neq ID_i$, $\mathcal{C}$ performs the actual signcryption algorithm, because $\mathcal{C}$ knows the private key of the sender $ID_i$.
2) If $ID_i = ID$ and $ID_i \neq ID_j$, then:
- $\mathcal{C}$ randomly selects $f_2, f_3 \in \mathbb{Z}_q^*$. It obtains $h_1$ by either checking the list $L_1$ for $\langle ID, Y, X, X_N, h_1 \rangle$ or calling the $H_1$ query, and computes $f_1 = f_2(X + Y + h_1 X_N + f_3 P)$. $\mathcal{C}$ defines $f_3 = H_2(f_1, ID, m)$, aborting the simulation if such a hash query has been answered with a different value before.
- $\mathcal{C}$ searches the list $L_S$ for the tuple $\langle ID_j, x_j, X_j \rangle$, and the list $L_P$ for the tuple $\langle ID_j, X_j, z_j, Y_j \rangle$. It computes $v_1 = x_j f_1$, $v_2 = z_j f_1$, and goes through $L_3$ for $\langle v_1, v_2, h_3 \rangle$. If the tuple does not exist in the list, it uses a random $h_3$ and updates the list $L_3$ with $\langle v_1, v_2, h_3 \rangle$.
- Computes $m' = h_3 \oplus m$ and returns $c = (f_1, f_2, f_3, m')$.
UCLGSC-query $(c, ID_i, ID_j)$: For the unsigncryption query on a ciphertext $c = (f_1, f_2, f_3, m')$ with $ID_i$ as the sender and $ID_j$ as the receiver, $\mathcal{C}$ does the following:
1) If $ID_j \neq ID$ and $ID_i \neq ID_j$, $\mathcal{C}$ performs the actual unsigncryption algorithm, because $\mathcal{C}$ knows the private key of the receiver $ID_j$.
2) If $ID_j = ID$ and $ID_i \neq ID_j$, $\mathcal{C}$ runs the above simulation algorithm for $H_1$ to get a tuple $\langle ID, Y, X, X_N, h_1 \rangle$. Then, it goes through the list $L_3$. If there exists $\langle v_1, v_2, h_3 \rangle \in L_3$ such that $f_1 = rP$, $m = h_3 \oplus m'$, $v_1 = rX$, $v_2 = r(Y + h_1 X_N)$, it checks $H_2(f_2(X_i + Y_i + h_1 X_N + f_3 P), ID_i, m) = f_3$. If the equation holds, it returns $m$ and rejects otherwise. Due to the fact that the encryption function is injective with respect to $\langle ID, Y, X, X_N \rangle$, the pair $\langle v_1, v_2, h_3 \rangle$ that satisfies the above condition exists uniquely in the list $L_3$.
Challenge. $\mathcal{A}_I$ outputs two equal-length messages $(m_0, m_1)$, and an arbitrary sender identity $ID_A$ and receiver identity $ID_B$. If $ID_A = ID$ (as the adversary picks the identity at random among the $q_{H_1}$ queries, the probability that $ID_A = ID$ is $1/q_{H_1}$), $\mathcal{C}$ performs as follows:
1) Randomly selects $m' \in \{0,1\}^*$ and a random bit in $\{0,1\}$ that selects $m_b$ from $(m_0, m_1)$.
2) Randomly selects $f_2, f_3 \in \mathbb{Z}_q^*$, computes $f_1 = f_2(X + Y + h_1 X_N + f_3 P)$. $\mathcal{C}$ defines $f_3 = H_2(f_1, ID, m')$, aborting the simulation if such a hash query has been answered with a different value before.
3) Sets $f_1 = aP$ and $h_1 = H_1(ID_B, Y_B, X_B, X_N)$, and takes the receiver's combined key $Y_B + h_1 X_N$.
4) Defines $H_3(aX_B,\; a(Y_B + h_1 X_N)) = m' \oplus m_b$.
5) Returns $c' = (f_1, f_2, f_3, m')$.
$\mathcal{A}_I$ adaptively queries the oracles as in the Training phase. Note that no UCLGSC-query should be made on $c'$ with the identity $ID$ as the receiver.
Guess. When $\mathcal{A}_I$ outputs its guess of the bit, $\mathcal{C}$ computes the set $S = \{(v_{2i} - y f_1)/h_1 \mid i \in [1, q_{H_3}],\ v_{1i} = x f_1\}$, where $v_{1i}$ and $v_{2i}$ are the first and the second components of the queries to $H_3$. $\mathcal{C}$ selects one of the elements of $S$ as the solution of the CDHP instance.
In the above challenge query, the sender $ID_i$ can be $\emptyset$ for the encryption mode; otherwise it works as signcryption. Thus, the proof is suitable for both modes.
APPENDIX B: PROOF OF LEMMA 2
Proof. A challenger $\mathcal{C}$ is given an instance of the CDHP, say $\langle P, aP, bP \rangle$. The aim of the challenger is to compute $abP$. Let $\mathcal{A}_{II}$ be an adversary who is capable of breaking the IND-CLGSC-CCA-II security. $\mathcal{C}$ can make use of $\mathcal{A}_{II}$ to compute the solution of the CDHP instance by playing the following interactive game with $\mathcal{A}_{II}$.
Setup. $\mathcal{C}$ randomly picks $x_N \in \mathbb{Z}_q^*$ as the system master private key and computes $X_N = x_N P$ as the system public key. $\mathcal{C}$ gives the parameters $(p, q, P, X_N, H_1, H_2, H_3)$ and the master key $x_N$ to the adversary $\mathcal{A}_{II}$, where $H_1, H_2, H_3$ are random oracles controlled by $\mathcal{C}$. $\mathcal{C}$ randomly selects an index between $1$ and $q_{H_1}$, where $q_{H_1}$ denotes the maximal number of queries to $H_1$.
Training phase. In this phase, $\mathcal{A}_{II}$ performs the same queries as in the proof of Lemma 1 except the Replace-public-key-query. $\mathcal{C}$ responds to the queries in the same way as in Lemma 1 except for Partial-private-key-extraction, which is answered as follows:
Partial-private-key-extraction $(ID_i, X_i)$: If $ID_i = ID$, then $\mathcal{C}$ sets $Y = bP$, stores the tuple $\langle ID, X, \perp, Y \rangle$ in the list $L_P$ and returns $\perp$. Otherwise,

1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2631950, IEEE
Transactions on Information Forensics and Security
12

$\mathcal{C}$ randomly selects $z_i, h_1 \in \mathbb{Z}_q^*$, computes $Y_i = z_i P - h_1 X_N$, adds the tuple $\langle ID_i, X_i, z_i, Y_i \rangle$ to $L_P$ and the tuple $\langle ID_i, Y_i, X_i, X_N, h_1 \rangle$ to $L_1$, and returns $z_i$.
Challenge. $\mathcal{A}_{II}$ outputs two equal-length messages $(m_0, m_1)$, and an arbitrary sender identity $ID_A$ and receiver identity $ID_B$. If $ID_A = ID$, $\mathcal{C}$ performs as follows:
1) Randomly selects $m' \in \{0,1\}^*$ and a random bit in $\{0,1\}$ that selects $m_b$ from $(m_0, m_1)$.
2) Randomly selects $f_2, f_3 \in \mathbb{Z}_q^*$, computes $f_1 = f_2(X + Y + h_1 X_N + f_3 P)$. $\mathcal{C}$ defines $f_3 = H_2(f_1, ID, m')$, aborting the simulation if such a hash query has been answered with a different value before.
3) Sets $f_1 = aP$ and $h_1 = H_1(ID_B, Y_B, X_B, X_N)$, and takes the receiver's combined key $Y_B + h_1 X_N$.
4) Defines $H_3(aX_B,\; a(Y_B + h_1 X_N)) = m' \oplus m_b$.
5) Returns $c' = (f_1, f_2, f_3, m')$.
$\mathcal{A}_{II}$ adaptively queries the oracles as in the Training phase. Note that no UCLGSC-query should be made on $c'$ with the identity $ID$ as the receiver.
Guess. When $\mathcal{A}_{II}$ outputs its guess of the bit, $\mathcal{C}$ computes the set $S = \{v_{2i} - x_N h_1 f_1 \mid i \in [1, q_{H_3}],\ v_{1i} = x f_1\}$, where $v_{1i}$ and $v_{2i}$ are the first and the second components of the queries to $H_3$. Then $\mathcal{C}$ selects one of the elements of $S$ as the solution of the CDHP instance.
In the above challenge query, the sender $ID_i$ can be $\emptyset$ for the encryption mode; otherwise it works as signcryption. Thus, the proof is suitable for both modes.
APPENDIX C: PROOF OF LEMMA 3
A challenger C is given an instance of the DLP, say $\langle P, aP \rangle$. The aim of the challenger is to compute $a$. Let $F_I$ be a forger who is capable of breaking the EUF-CLGSC-CMA-I security. C can make use of $F_I$ to compute the solution of the DLP instance by playing the following interactive game with $F_I$.
Setup. C sets the master public key $X_N = aP$ and gives $F_I$ the tuple $(p, q, P, X_N, H_1, H_2, H_3)$ as the parameters, where $H_1, H_2, H_3$ are random oracles controlled by C. C randomly
selects an index such that 1 < < qH1 , where qH1 denotes
the maximal number of queries to H1 .
Training phase. In this phase, $F_I$ performs the same queries as in the proof of Lemma 1. C responds to the queries in the same way as in Lemma 1.
Forgery. In this phase, $F_I$ sends C a forged signcryption $c^{(1)} = (f_1^{(1)}, f_2^{(1)}, f_3^{(1)}, m^{(1)})$ with $ID_A$ as the sender and $ID_B$ as the receiver. It is worth noting that the partial private key of $ID_A$ should not have been queried by $F_I$ during the Training phase. Moreover, $c^{(1)}$ should not be the response to any signcryption query made by $F_I$. If the forged signature is valid, C can obtain the solution for the DLP instance as follows:
1) If $ID_A = ID$,$^6$ C goes through the lists $L_2$ and $L_3$. If there exist $\langle f_1^{(1)}, ID, m, f_3^{(1)} \rangle \in L_2$ and $\langle v_1, v_2, h_3 \rangle \in L_3$ such that $m^{(1)} = h_3 \oplus m$, $v_1 = x_B f_1^{(1)}$, $v_2 = z_B f_1^{(1)}$, C extracts $m$ and aborts otherwise.

$^6$ The probability that $ID_A = ID$ is $1/q_{H_1}$.

If $c^{(1)}$ passes the verification during unsigncryption, C replays the game with the same random tape but a different hash oracle for $H_1$ and $H_2$. From the forgery lemma [25], $F_I$ will output another two signatures $(f_1^{(2)}, f_2^{(2)}, f_3^{(2)}, m^{(2)})$ and $(f_1^{(3)}, f_2^{(3)}, f_3^{(3)}, m^{(3)})$. If the signatures are valid, the following equations hold:
$$ f_2^{(j)} \big( X + Y + h_1^{(j)} X_N + f_3^{(j)} P \big) = f_1^{(j)}, \quad j = 1, 2, 3. \qquad (A1) $$
As $X = xP$, $Y = yP$, $X_N = aP$, $f_1^{(j)} = rP$, Eq. (A1) can be written as
$$ f_2^{(j)} \big( x + y + h_1^{(j)} a + f_3^{(j)} \big) = r, \quad j = 1, 2, 3. \qquad (A2) $$
In the two equations, only $x$, $r$, and $a$ are unknown to the challenger. Consequently, C solves the two values from the above two linearly independent equations, and outputs $a$ as the solution of the DLP problem.
2) If $ID_A \neq ID$, C aborts the game.
In the above forgery query, the receiver IDj can be for
the signature mode, otherwise it works as signcryption. Thus,
the proof is suitable for the two modes.
APPENDIX D: PROOF OF LEMMA 4
A challenger C is given an instance of the DLP, say $\langle P, aP \rangle$. The aim of the challenger is to compute $a$. Let $F_{II}$ be a forger who is capable of breaking the EUF-CLGSC-CMA-II security. C can make use of $F_{II}$ to compute the solution of the DLP instance by playing the following interactive game with $F_{II}$.
Setup. The same as in the proof of Lemma 2.
Training phase. In this phase, $F_{II}$ performs the same queries as in the proof of Lemma 2. C responds to the queries in the same way as in Lemma 2.
Forgery. In this phase, $F_{II}$ outputs a forged signcryption $c^{(1)} = (f_1^{(1)}, f_2^{(1)}, f_3^{(1)}, m^{(1)})$ with $ID_A$ as the sender and $ID_B$ as the receiver. The forged signcryption $c^{(1)}$ has the same constraints as in the forgery phase of Lemma 3. If the forged signature is valid, C can obtain the solution for the DLP instance as follows:
1) If $ID_A = ID$, C performs as follows: if there exist $\langle f_1^{(1)}, ID, m, f_3^{(1)} \rangle \in L_2$ and $\langle v_1, v_2, h_3 \rangle \in L_3$ such that $m^{(1)} = h_3 \oplus m$, $v_1 = x_B f_1^{(1)}$, $v_2 = z_B f_1^{(1)}$, C extracts $m$ and aborts otherwise.
From the forgery lemma, and similar to the proof of Lemma 3, the following equations hold:
$$ f_2^{(j)} \big( X + Y + h_1^{(j)} X_N + f_3^{(j)} P \big) = f_1^{(j)}, \quad j = 1, 2, 3. \qquad (A3) $$
As $X = xP$, $Y = aP$, $X_N = x_N P$, $f_1^{(j)} = rP$, Eq. (A3) can be written as
$$ f_2^{(j)} \big( x + a + h_1^{(j)} x_N + f_3^{(j)} \big) = r. \qquad (A4) $$
In the three equations, only $a$, $r$ and $x$ are unknown to the challenger. Consequently, C solves the two values from the above two linearly independent equations, and outputs $a$ as the solution of the DLP problem.
2) If $ID_A \neq ID$, C aborts the game.
In the above forgery query, the receiver IDj can be for
the signature mode, otherwise it works as signcryption. Thus,
the proof is suitable for the two modes.
REFERENCES
[1] X. Lin, R. Lu, X. Shen, Y. Nemoto, and N. Kato, "SAGE: A strong privacy-preserving scheme against global eavesdropping for eHealth systems," IEEE Journal on Selected Areas in Communications, vol. 27, no. 4, pp. 365-377, 2009.
[2] R. Lu, X. Lin, and X. Shen, "SPOC: A secure and privacy-preserving opportunistic computing framework for mobile-healthcare emergency," IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 3, pp. 614-624, 2013.
[3] L. Zhou, R. Q. Hu, Y. Qian, and H.-H. Chen, "Energy-spectrum efficiency tradeoff for video streaming over mobile ad hoc networks," IEEE Journal on Selected Areas in Communications, vol. 31, no. 5, pp. 981-991, 2013.
[4] A. Zhang, J. Chen, R. Hu, and Y. Qian, "SeDS: Secure data sharing strategy for D2D communication in LTE-Advanced networks," IEEE Transactions on Vehicular Technology, doi: 10.1109/TVT.2015.2416002.
[5] L. Wei, R. Q. Hu, Y. Qian, and G. Wu, "Enabling device-to-device communications underlaying cellular networks: Challenges and research aspects," IEEE Communications Magazine, vol. 52, no. 6, pp. 90-96, 2014.
[6] S. Sabnis and D. Charles, "Opportunities and challenges: Security in eHealth," Bell Labs Technical Journal, vol. 17, no. 3, pp. 105-112, 2012.
[7] A. Sawand, S. Djahel, Z. Zhang, and F. Nait-Abdesselam, "Toward energy-efficient and trustworthy eHealth monitoring system," China Communications, vol. 12, no. 1, pp. 46-65, 2015.
[8] L. Guo, C. Zhang, J. Sun, and Y. Fang, "A privacy-preserving attribute-based authentication system for mobile health networks," IEEE Transactions on Mobile Computing, vol. 13, no. 9, pp. 1927-1941, 2014.
[9] X. Liang, R. Lu, L. Chen, X. Lin, and X. Shen, "PEC: A privacy-preserving emergency call scheme for mobile healthcare social networks," Journal of Communications and Networks, vol. 13, no. 2, pp. 102-112, 2011.
[10] X. Liang, X. Li, M. Barua, L. Chen, R. Lu, X. (Sherman) Shen, and H. Y. Luo, "Enable pervasive healthcare through continuous remote health monitoring," IEEE Wireless Communications, vol. 19, no. 6, pp. 10-18, 2012.
[11] G. Tormo, F. Marmol, J. Girao, and G. Perez, "Identity management - in privacy we trust: Bridging the trust gap in eHealth environments," IEEE Security and Privacy, vol. 11, no. 6, pp. 34-41, 2013.
[12] A. G. Fragopoulos, J. Gialelis, and D. Serpanos, "Imposing holistic privacy and data security on person centric eHealth monitoring infrastructures," 12th IEEE International Conference on e-Health Networking, Applications and Services (Healthcom), 2010.
[13] M. Barua, R. Lu, and X. Shen, "SPS: Secure personal health information sharing with patient-centric access control in cloud computing," IEEE Global Communications Conference, pp. 647-652, 2013.
[14] H. F. Ji, W. B. Han, and L. Zhao, "Certificateless generalized signcryption," Cryptology ePrint Archive, Report 2010/204.
[15] P. Kushwah and S. Lal, "Efficient generalized signcryption schemes," Cryptology ePrint Archive, Report 2010/346, http://eprint.iacr.org, 2010.
[16] C. Zhou, W. Zhou, and X. Dong, "Provable certificateless generalized signcryption scheme," Designs, Codes and Cryptography, vol. 71, pp. 331-346, 2014.
[17] W. Shi, N. Kumar, P. Gong, and Z. Zhang, "Cryptanalysis and improvement of a certificateless signcryption scheme without bilinear pairing," Frontiers of Computer Science, vol. 8, no. 4, pp. 656-666, 2014.
[18] S. Rahman, M. Masud, C. Adams, K. El-Khatib, H. Mouftah, and E. Okamoto, "Cryptographic security models for eHealth P2P database management systems network," IEEE Annual International Conference on Privacy, Security and Trust, 2011.
[19] M. Ahmed, M. Ahamad, and T. Jaiswal, "Augmenting security and accountability within the eHealth Exchange," IBM Journal of Research and Development, vol. 58, no. 1, pp. 8:1-8:11, 2014.
[20] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," Advances in Cryptology - Asiacrypt 2003, Lecture Notes in Computer Science, vol. 2894, Springer-Verlag, pp. 452-473, 2003.
[21] M. Bellare and P. Rogaway, "Random oracles are practical: A paradigm for designing efficient protocols," ACM CCS, pp. 62-73, 1993.
[22] "Exercise and walking is great for the Alzheimer's and dementia patient's physical and emotional health," http://freealzheimerssupport.com/wordpress/2010/06/exercise-and-walking/, June 2010.
[23] C. Paar and J. Pelzl, Understanding Cryptography: A Textbook for Students and Practitioners, Springer, 2010.
[24] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. IT-22, pp. 644-654, 1976.
[25] P. David and S. Jacque, "Security arguments for digital signatures and blind signatures," Journal of Cryptology, vol. 13, no. 2, pp. 361-396, 2000.
[26] J. Liu, Z. Zhang, X. Chen, and K. S. Kwak, "Certificateless remote anonymous authentication schemes for wireless body area networks," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 332-342, 2014.
[27] H. Xiong, "Cost-effective scalable and anonymous certificateless remote authentication protocol," IEEE Transactions on Information Forensics and Security, vol. 9, no. 12, pp. 2327-2339, 2014.
[28] H. Xiong and Z. Qin, "Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 7, pp. 1442-1455, 2015.
[29] Shamus Software Ltd., Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL), [Online]. Available: http://www.certivox.com/miracl/, accessed Jan. 2014.
[30] M. Scott, "Efficient implementation of cryptographic pairings," 2007.


Revision Report

Manuscript ID: T-IFS-06200-2016.R1


Manuscript Title: Light-weight and Robust Security-Aware D2D-assist Data Transmission Protocol for Mobile-Health Systems
Authors: Aiqing Zhang, Lei Wang, Xinrong Ye, Xiaodong Lin
Dear Editors,
We have further carefully revised our paper according to the comments from the three reviewers
and you. All the questions and comments have been addressed and incorporated into our revision
and response letter. Also, we have further improved the presentation of our paper. We are now
submitting the revised manuscript along with our response letter. We are looking forward to receiving your further comments.
Thank you for your time and effort on processing our paper.
Sincerely,
Xiaodong

Xiaodong Lin, PhD, SMIEEE


Associate Professor
Faculty of Business and Information Technology
University of Ontario Institute of Technology (UOIT)
2000 Simcoe Street North, Oshawa, ON, L1H 7K4, Canada
Email: Xiaodong.Lin@uoit.ca
http://www.hrl.uoit.ca/ xdlin/
T: 1 905-721-8668 ext. 3749


Response to Review-3
We identify the reviewer-3's concerns as four specific problems, and reply to them one by one as follows.
Question 1: From the security comparison, we can find that they compare their scheme with [26,27,28]. However, from the computational overhead, they compare their scheme with [14,15,16,17]. Please compare your scheme with [14, 15, 16, 17, 26, 27, 28] in terms of security and efficiency if you want to compare your scheme with some useless authentication schemes. It also means that the topic of this study is too old. If the editor accepts this paper, none has any interest in this study.

Reply: Thank you for your review. Our work includes two main contributions. First, we proposed a CertificateLess Generalized SignCryption (CLGSC) scheme. Thus, we compare our proposed certificateless signcryption scheme with other existing signcryption schemes [14, 15, 16, 17]. A signcryption scheme must achieve required security properties, which mainly include confidentiality and unforgeability. We prove that our proposed certificateless signcryption scheme can achieve confidentiality and unforgeability simultaneously under the CDHP assumption and DLP assumption, respectively. Consequently, our proposed certificateless signcryption scheme has the same security properties as the schemes [14, 15, 16, 17]. Therefore, the comparison between our proposed certificateless signcryption scheme and other existing ones is focused on computational cost, which is the main factor that affects the feasibility of a signcryption algorithm.
Second, based on the proposed certificateless signcryption scheme, we further designed a light-weight and secure D2D-assist data transmission (LRSA) protocol for mobile-health systems. Our secure protocol can achieve various security properties, including mutual authentication, contextual privacy, anonymity, unlinkability, and forward security. Therefore, we compare our protocol with other similar protocols [26,27,28] from two perspectives. Specifically, we not only compare the security properties of our protocol with [26,27,28], but also look into their computational overhead, as shown in Table III and Fig. 4 of the original manuscript. Notably, the time consumption at the relay nodes mainly lies in the signature on the data, which is $t_m$ as analyzed in Table II. The computational overhead is tolerable in today's powerful mobile terminals. Thus we mainly consider the time consumption at the source client. In our proposed LRSA protocol, the source client needs to conduct signcryption on the PHI message, encryption on the identity, and signature on $M$. All these operations take up $4t_m + 4t_m + t_m = 9t_m$ computational overhead. Note from the figure that our proposed LRSA scheme has a slightly more expensive computational cost than the protocols of Liu [26] and Xiong14 [27]. This happens because our scheme implements two encryption operations on the identity and two signature operations on the data to achieve unlinkability and contextual privacy, which are absent in the two protocols.
Also, the reviewer claimed that the authentication schemes [26,27,28] are useless authentication schemes and the topic is too old. We kind of disagree. The reasons are as follows: i) The schemes [27,28] were published in IEEE Transactions on Information Forensics and Security very recently, in 2014 and 2015, respectively. The scheme [26] was published in IEEE Transactions on Parallel and Distributed Systems in 2014. They have been proved to have value since they were published in these leading publication venues. ii) Up to now, the schemes [26,27,28] have been cited many times, for example, in the literature [1-3], just to name a few.

Question 2: The efficiency comparison is incorrect. The scheme by the authors requires $4t_e$ if they claimed that Shi [17] required $4t_e$ to perform the signcryption phase. As a result, their efficiency comparisons are all wrong. From the efficiency, I do not think that this scheme has the better performance. In addition, please rewrite all of your Section VIII.

Reply: Thank you for your review. In our manuscript, we denote by $t_e$ the time consumed for one exponentiation operation and by $t_m$ the time consumed for one scalar multiplication in $G$. In Shi [17] the ciphertext of the generalized signcryption scheme can be expressed as $c = (c_1, c_2, c_3)$, where $c_1 = g^{r_A} \bmod p$, $c_2 = (H_3(\cdot) f(ID_{Bob}))\, m$, $c_3 = (k_A z_A + t_A) f(ID_{Alice})/(r_A + h)$. Thus, the computational overhead of signcryption in Shi [17] is dominated by four exponentiations, $4t_e$, i.e., $g^{r_A}$, $u_B^{k_B}$, $y_B^{h}$ and $(u_B^{k_B} w_B y_B^{h})^{r_A}$. In the signcryption mode of our proposed CLGSC scheme, it takes one multiplication operation in $G$ to compute the signature $f_1, f_2, f_3$, where $f_1 = rP$, $f_2 = r/(x_A + z_A + f_3)$, $f_3 = H_2(f_1, ID_A, m)$, and three multiplication operations to compute the ciphertext $H_3(v_1, v_2) \oplus m$, where $v_1 = rX_B$, $v_2 = r(Y_B + h_1 X_N)$. Thus the computational cost of this mode is $4t_m$.
Therefore, from the efficiency viewpoint our proposed scheme has better performance than Shi [17], as $t_e > t_m$.
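The signcryption-mode computation described in this reply ($f_1, f_2, f_3$ and the $H_3$-masked ciphertext, costing $4t_m$) together with the verification equation used in Appendices C and D, as an added example that is not the paper's or the authors' code. It assumes a toy Schnorr subgroup of $Z_p^*$ in place of the paper's elliptic-curve group (constructed parameters, not secure), SHA-256-based instantiations of $H_1, H_2, H_3$, and the partial-key relation $zP = Y + h_1 X_N$; all three are assumptions.

```python
"""Toy instance of the CLGSC signcryption mode (added example, not the paper's code).
The paper writes its prime-order group additively (P + Q, kP); here the group is a
constructed Schnorr subgroup of Z_p^* (toy size, NOT secure) and add()/mul() map the
paper's notation onto modular multiplication / exponentiation."""
import hashlib
import secrets

P_MOD, Q, G = 2039, 1019, 4   # constructed: safe prime p = 2q + 1; G has order q (paper's P)

def add(a, b):                # paper's P + Q
    return (a * b) % P_MOD

def mul(k, a):                # paper's kP: one scalar multiplication, cost t_m
    return pow(a, k % Q, P_MOD)

def _h(*parts):               # canonical byte encoding of a hash input
    return hashlib.sha256(b"|".join(p if isinstance(p, bytes) else str(p).encode()
                                    for p in parts)).digest()

def H1(id_, Y, X, XN):        # h1 = H1(ID, Y, X, X_N) in Z_q   (assumed instantiation)
    return int.from_bytes(_h(b"H1", id_, Y, X, XN), "big") % Q

def H2(f1, id_, m):           # f3 = H2(f1, ID, m) in Z_q
    return int.from_bytes(_h(b"H2", f1, id_, m), "big") % Q

def H3(v1, v2, n):            # n-byte mask: ciphertext = H3(v1, v2) XOR m
    out = b""
    for ctr in range((n + 31) // 32):
        out += _h(b"H3", v1, v2, ctr)
    return out[:n]

def kgc_setup():              # master secret x_N and master public key X_N = x_N P
    xN = secrets.randbelow(Q - 1) + 1
    return xN, mul(xN, G)

def user_keygen(xN, XN, id_):
    """User picks (x, X = xP); the KGC issues (z, Y) with zP = Y + h1 X_N (assumed)."""
    x = secrets.randbelow(Q - 1) + 1
    X = mul(x, G)
    y = secrets.randbelow(Q - 1) + 1
    Y = mul(y, G)
    z = (y + H1(id_, Y, X, XN) * xN) % Q
    return {"id": id_, "x": x, "z": z, "X": X, "Y": Y}

def pub_point(id_, X, Y, XN): # X + Y + h1 X_N = (x + z) P, the term verified in (A1)/(A3)
    return add(add(X, Y), mul(H1(id_, Y, X, XN), XN))

def signcrypt(snd, rcv_id, rcv_X, rcv_Y, XN, m):
    """Signcryption mode: 1 t_m for f1 and 3 t_m for (v1, v2), i.e. 4 t_m in total."""
    while True:
        r = secrets.randbelow(Q - 1) + 1
        f1 = mul(r, G)                                   # t_m #1
        f3 = H2(f1, snd["id"], m)
        denom = (snd["x"] + snd["z"] + f3) % Q
        if denom:                                        # edge case: retry if x + z + f3 = 0 mod q
            break
    f2 = r * pow(denom, -1, Q) % Q                       # f2 = r / (x_A + z_A + f3)
    v1 = mul(r, rcv_X)                                   # t_m #2: r X_B
    h1 = H1(rcv_id, rcv_Y, rcv_X, XN)
    v2 = mul(r, add(rcv_Y, mul(h1, XN)))                 # t_m #3, #4: r (Y_B + h1 X_N)
    c = bytes(a ^ b for a, b in zip(H3(v1, v2, len(m)), m))
    return f1, f2, f3, c

def unsigncrypt(rcv, snd_id, snd_X, snd_Y, XN, ct):
    """Returns m, or None if the tag f3 or the signature equation (A1) does not hold."""
    f1, f2, f3, c = ct
    v1, v2 = mul(rcv["x"], f1), mul(rcv["z"], f1)        # x_B f1 and z_B f1, as in the L3 lookup
    m = bytes(a ^ b for a, b in zip(H3(v1, v2, len(c)), c))
    if H2(f1, snd_id, m) != f3:                          # f3 binds the recovered plaintext
        return None
    lhs = mul(f2, add(pub_point(snd_id, snd_X, snd_Y, XN), mul(f3, G)))
    return m if lhs == f1 else None                      # f2 (X_A + Y_A + h1 X_N + f3 P) == f1
```

The retry loop covers the degenerate case $x_A + z_A + f_3 \equiv 0 \pmod q$, which the formula for $f_2$ cannot invert; a fresh $r$ changes $f_1$ and hence $f_3$.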

Question 3: In the authors' response, the authors compared their study with five certificateless signcryption schemes. However, the authors only compared their scheme with four studies. One study has disappeared. Please do not hide any related work just for publishing. From your response, we can find that [4] has better performance than your scheme during CLGSC. It is because $t_m$ is heavier than the other operations.

Reply: Thank you for your review. In our previous revision, we didn't compare our study with [4]. However, we have already clearly explained the rationale behind it in our response letter: this is because the computational cost of the extractor and the NIZK argument operation is not specified in [4]. So it is simply infeasible to determine the values of $t_x$ and $t_n$, where $t_x$ and $t_n$ denote the cost of the extractor Ext and the cost of the NIZK argument operation, respectively. The computational overhead of [4] and of our proposed scheme are incomparable. As a result, the comparison of computational overhead between [4] and the proposed scheme is not considered in the revised manuscript.
Nevertheless, [4] is a good work since it gave a general construction for a leakage-resilient certificateless signcryption scheme without bilinear pairing. Our scheme can be considered as a special construction of that scheme to some extent. But we go further by introducing an element $f_3$ in the signature $f_2 = r f(ID_A)/(x_A + z_A + f_3)$, where $f_3$ helps to verify the integrity of the message $m$. As a result, even when the proposed scheme works in signature mode, the receiver is also able to check the integrity of the message, whereas the signature mode of the generalized scheme of [4] is not able to achieve this.
Question 4: In this paper, a new security property, called contextual privacy, is used in this study. The authors claimed that their paper has this security property. However, I think that this security property is the same as unlinkability. Please point out what the difference between them is.

Reply: Thank you for your review. Contextual privacy requires that eavesdroppers or entities in the system do not have the ability to obtain the source and the destination of the data simultaneously. In other words, they can know either the source or the destination of the data but cannot know both at the same time. This is important specifically for healthcare. For example, if an attacker knows that a patient goes to visit a medical center that is specialized in heart attacks, the attacker can simply conclude that the patient has a heart attack/disease, which results in a privacy violation. Unlinkability requires that the transmissions of any two sessions should not be linked to the same source WBAN client. The differences between them are as follows: contextual privacy considers the source and destination of the data in one session, while unlinkability considers the source of the data in two or more sessions.
Although the proposed protocol achieves both contextual privacy and unlinkability by encrypting the identities of the users, the security properties are achieved from different aspects:
i) Contextual privacy is protected by the encryption of the source, $e^S_H$, and the encryption of the destination, $e^H_N$. As none of the entities is able to decrypt $e^S_H$ and $e^H_N$ simultaneously, none of them can get both the source and destination of the data.
ii) Unlinkability is achieved by the encryption of the source $e^S_H$. Recall that $e^S_H$ consists of $(f_1, f_3)$ and the encrypted source identity, where the source identity $S$ is encrypted as
$$ H_3\big(rX_H,\ r(Y_H + X_N H_1(H, Y_H, X_H, X_N))\big) \oplus S. \qquad (1) $$
By choosing a different random $r$ in different sessions in Eq. (1), and thereby obtaining different ciphertexts, the listeners cannot judge whether the data comes from different senders.

References
[1] C. Lin, P. Wang, H. Song, Y. Zhou, Q. Liu, and G. Wu, "A differential privacy protection scheme for sensitive big data in body sensor networks," Annals of Telecommunications, 2016, ISSN 0003-4347.
[2] A. Siva Sangari and J. Martin Leo Manickam, "Secure communication over BSN using Modified Feather Light Weight Block (MFLB) cipher encryption," Journal of Software, vol. 10, pp. 961, 2015, ISSN 1796-217X.
[3] T. Hayajneh, B. Mohd, M. Imran, G. Almashaqbeh, and A. Vasilakos, "Secure authentication for remote patient monitoring with wireless medical sensor networks," Sensors, vol. 16, pp. 424, 2016, ISSN 1424-8220.
[4] Y. Zhou, B. Yang, and W. Zhang, "Provably secure and efficient leakage-resilient certificateless signcryption scheme without bilinear pairing," Discrete Applied Mathematics, vol. 204, no. 5, pp. 185-202, 2016.
