Practical pairing-free sensor cooperation scheme for cloud-assisted wireless body area networks

Nowadays, the design and construction of efficient Internet of Things (IoT) systems has become a new strategy for improving quality of life in all its aspects. Emerging as one of the most significant extensions of the medical IoT, wireless body area networks (WBANs) are capable of monitoring crucial physiological and behavioral information through wearable sensors, offering a new paradigm for next-generation healthcare systems. Because of the inherently open wireless channel, the data security and user privacy issues of WBANs have attracted attention from both industry and academia. So far, most relevant research has emphasized secure transmission and privacy protection; however, the computation and communication limitations of an individual WBAN sensor have not been given proper consideration. Moreover, cloud computing infrastructure has provided WBANs with superior transmission and processing capabilities. Focusing on the above issues, this paper constructs a pairing-free authentication and sensor cooperation scheme for cloud-assisted WBANs, in which most of the practical requirements of WBAN sensors can be satisfied. Our design guarantees sensor anonymity throughout the whole transmission session. Note that our design offers a pairing-free validation procedure followed by active sensor cooperation, which is suitable for massive-sensor scenarios. The security analysis shows that the designed scheme achieves the desired security properties and offers adequate resistance to the known malicious attacks. Meanwhile, the security comparison shows that the proposed protocol is secure relative to the state of the art.


Introduction
A wireless body area network (WBAN) is considered to be the basic infrastructure of future IoT-based healthcare systems. Recent rapid advances in wireless communications and sensor manufacturing have accelerated the explosive popularity of WBAN applications and services. A WBAN provides real-time, reliable medical monitoring for specific users (Liu et al. 2014). In the medical field, a WBAN can be used to continuously monitor a patient's health and to send medical information to medical institutions. A WBAN consists of the healthcare center (HC), the personal controller (PC), and many wireless medical sensors. These sensors collect important biomedical information in various ways (Ji et al. 2018; Sambandam et al. 2020): physiological data such as heart rate, body temperature and blood pressure can each be measured by a dedicated sensor. The collected personal physical information is then sent to the HC and processed, so that regular medical services can be provided to large numbers of patients simultaneously (Zhang et al. 2013). It is important to note that the HC is considered a secure data center and the entity responsible for distributing core key material. Hence, we assume that the secret keys of all participating sensors and PCs are always stored safely on the HC side. The personal controller (PC) is a portable device used to aggregate personal sensor data (Yuan et al. 2020); sensitive biomedical data is transmitted to the remote server via the PC. WBAN sensors (wearable and implantable) are low-power wireless medical devices subject to constraints on computation, communication, power supply and storage (Anjum et al. 2020). Moreover, increasing the computation and transmission load on the sensor side dissipates more energy as heat, which may eventually damage human tissue. As a result, only low-cost operations should be performed on the WBAN sensor side.
In actual WBAN scenarios, the frequent data exchange between the sensors and the PC takes place over an open wireless channel, and the important biometric data transmitted is exposed to various security attacks and privacy risks (Yang and Chang 2009; Li et al. 2018; Huang et al. 2020; Xiong and Qin 2015). Advanced security strategies and privacy protection technologies are therefore essential for WBANs. An effective authentication mechanism between the wireless entities is mandatory, providing the first line of protection for WBAN interactions (Shen et al. 2016; He et al. 2017); with it, known and unknown security threats such as eavesdropping, impersonation and message replay can be prevented. After mutual authentication, efficient group key distribution and management among all verified wearable sensors is of great significance (Anjum et al. 2020), since it allows subsequent private biometric data to be transmitted safely and enables message broadcasting among all legitimate sensors (Liu et al. 2014).
In this paper, we develop a pairing-free authentication and sensor cooperation scheme for cloud-assisted WBANs, in which the major security requirements of WBAN sensors can be satisfied. Our design guarantees sensor anonymity throughout the whole transmission session, and offers a pairing-free validation procedure followed by active sensor cooperation, which is suitable for massive-sensor scenarios. The security analysis shows that the designed scheme achieves the desired security properties and offers adequate resistance to the known malicious attacks. Meanwhile, the security comparison shows that the proposed protocol is superior to other existing schemes.

Related work
Recently, many research papers have been published that focus on secure data transmission for WBANs. Initially, traditional public key cryptography (TPKC) techniques were applied to the wireless mobile environment (Horn and Preneel 1998; Shen et al. 2017; Zhang et al. 2020). However, these incur a relatively large computation cost, which is impractical for resource-constrained sensors. Thereafter, many schemes based on elliptic curve cryptography (ECC) have been presented (Zhang et al. 2013).
Meanwhile, several identification and key agreement mechanisms have been proposed (Yang and Chang 2009; Wang 2015), all of which adopt identity-based public key cryptography (ID-PKC). In ID-PKC, the public key is the user's identity and the key generation center (KGC) is responsible for generating the corresponding private keys, which can drastically decrease the computation cost of the encryption and decryption procedures.
However, ID-PKC schemes suffer from the key escrow problem, since the KGC knows every private key. Hence, certificateless public key cryptography (CL-PKC) was proposed (Al-Riyami and Paterson 2003), and many certificateless authentication schemes have since been presented. Liu et al. (2014) designed an enhanced CL-PKC protocol for WBAN scenarios, while Xiong (2014) proved that the protocols of Liu et al. (2014) cannot provide scalability and forward security. Meanwhile, a certificateless encryption and signing mechanism with an efficient and scalable identity revocation method is developed in (Xiong and Qin 2015). Li and Hong (2016) designed an efficient certificateless signcryption scheme with a corresponding access control method. Thereafter, ciphertext-policy attribute-based encryption was deployed (Hu et al. 2016). Focusing on preserving the user's real identity, another anonymous-identity authentication scheme was presented which overcomes the security vulnerability in (Liu et al. 2014). In 2018, Ji et al. presented a certificateless conditional privacy-preserving authentication (CPPA) scheme for WBANs (Ji et al. 2018), which offers batch authentication of a massive number of participating users and can significantly reduce the computational cost of the WBAN service provider (SP). Several further WBAN authentication mechanisms have recently been proposed (Li et al. 2018). Earlier, Li and Wang (2012) proposed a fast certificateless authentication scheme employing bilinear pairing in wireless communication scenarios.

Model definition and preliminaries
In this section, the related preliminaries are introduced, followed by the notations and the system model.

Elliptic curve cryptosystem (ECC)
Let $p > 3$ be a large prime and $\mathbb{F}_p$ the finite field of order $p$, and let $a, b \in \mathbb{F}_p$ satisfy $4a^3 + 27b^2 \not\equiv 0 \pmod p$ (so the curve is non-singular). The elliptic curve $E_p(a, b)$ over $\mathbb{F}_p$ is the set of points $(x, y)$ with $x, y \in \mathbb{F}_p$ satisfying $y^2 \equiv x^3 + ax + b \pmod p$. On $E_p(a, b)$, the group operation is point doubling when the two points are identical and point addition otherwise. All the points on the curve $E_p(a, b)$ together with the point at infinity $\infty$ form an additive Abelian group $E(\mathbb{F}_p)$, in which $\infty$ (with $-\infty = \infty$) acts as the identity element.

Bilinear pairing
Let $G_1$ be a cyclic additive group of large prime order $q$, and $G_2$ a cyclic multiplicative group of the same prime order. A mapping $\hat{e}: G_1 \times G_1 \to G_2$ is a bilinear pairing if and only if all of the following three properties are satisfied: 1 Bilinearity: for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$, $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$. 2 Non-degeneracy: there exist $P, Q \in G_1$ such that $\hat{e}(P, Q) \neq 1_{G_2}$, where $1_{G_2}$ is the identity element of $G_2$. 3 Computability: for all $P, Q \in G_1$, there exists an efficient algorithm to compute $\hat{e}(P, Q)$.
A bilinear map $\hat{e}$ with the above three properties can be instantiated with the modified Weil pairing or the Tate pairing on a supersingular elliptic curve. Note that the scheme proposed in this paper does not use a pairing; the definition is given for reference. The following related hardness assumptions are used.

Computational Diffie-Hellman problem (CDHP)
Let $P$ be a generator of $G_1$ and let $P, aP, bP \in G_1$ be given for unknown $a, b \in \mathbb{Z}_q^*$. The CDHP is to compute $abP$. The advantage of any probabilistic polynomial-time (PPT) algorithm $\mathcal{A}$ in solving it, $\mathrm{Adv}^{\mathrm{CDHP}}_{\mathcal{A}} = \Pr[\mathcal{A}(P, aP, bP) = abP]$, is assumed to be negligible.

Elliptic curve discrete logarithm problem (ECDLP)
Given $P, Q \in G_1$ with $Q = aP$, the ECDLP is to find the integer $a \in \mathbb{Z}_q^*$. The advantage of any PPT algorithm $\mathcal{A}$ in solving it, $\mathrm{Adv}^{\mathrm{ECDLP}}_{\mathcal{A}} = \Pr[\mathcal{A}(P, aP) = a]$, is assumed to be negligible.

Hash function
A one-way hash function $h$ is considered secure if the following three properties are satisfied: 1 Given an input message $x$ of arbitrary length, it is computationally easy to compute the fixed-length message digest $h(x)$. 2 Given a digest $y$, it is computationally infeasible to find an $x$ with $h(x) = y$ (pre-image resistance). 3 It is computationally infeasible to find two distinct inputs $x \neq x'$ with $h(x) = h(x')$ (collision resistance).

Notations
The notations used in our design are briefly introduced in Table 1.

System model
The structure of our cloud-assisted WBAN is shown in Fig. 1, where the whole system consists of three essential entities: the cloud-based healthcare center (HC), the personal controllers (PCs) and the medical sensors. Note that the HC consists of a medical database, a central authority (CA), and a law enforcement agency (LEA). These entities are described below.

Healthcare center (HC)
The HC is mainly composed of the central authority (CA), the medical database, and the law enforcement agency (LEA), each playing a different role. The CA is responsible for the vital system operations, including patient registration and secret key generation. Significant personal user information, such as the identity number and the private password, is stored in the medical database; the remote cloud server provides adequate storage for it. The CA is assumed not to be compromised by adversaries. The LEA handles illegal behavior and is usually operated by a government department; every sensor registration and revocation performed by the CA must be acknowledged to the LEA. The three entities LEA, CA and database together are considered the cloud-assisted HC. Typically, the HC acts both as the medical service provider and as the trusted key management center. The important personal data transmitted to the HC reflects the patient's real-time physical condition, so that the corresponding medication for the specific patient can be provided.

Personal controllers (PCs)
In general, personal controllers (PCs) are specialized medical equipment with a specific medical purpose. The PC is assumed to be a portable device that collects biometric information and communicates it to the HC: the important physiological data collected from several WBAN sensors is delivered to the personal controller. Note that each WBAN user is associated with a specific personal controller.

Sensors
Each sensor is a wireless biomedical device implanted in or attached to the user's body. Sensors have limited computational power and battery capacity.

Proposed authentication and key distribution scheme
In this section, we describe the proposed practical authentication and key distribution scheme for cloud-assisted WBANs. The scheme consists of two phases, PC-to-sensor mutual authentication and group key generation among the sensors, which are described in turn.

PC-to-Sensor mutual authentication
Our PC-to-sensor authentication does not need a secure channel for key extraction; the constant device identity and the private password are the only two required parameters. The security of our mechanism rests on the hardness of the CDH problem introduced in the previous section. The authentication process is shown in Fig. 2. First, each medical sensor must register with the LEA before use. Each sensor is assigned a unique identity number, a static parameter representing the original identity of that sensor, which remains unchanged from the beginning. Meanwhile, a confidential password for each sensor is randomly generated by the WBAN management system. The identity number and the confidential password of sensor $i$, the latter denoted $\kappa_i$, are stored in the cloud medical database. We define $G_H$ as the cyclic additive group of order $q$ generated by the generator $P$. The CA then chooses the system master key $s$ at random and computes the system public key $P_{pub} = sP$.
The secure hash functions $H_1$, $H_2$ and $H_3$ used in our method are defined as follows, where $\mathbb{Z}_p^*$ denotes the set of positive integers less than the large prime $p$.
Note that the generator $P$, the public key $P_{pub}$, the three one-way hash functions $H_1$, $H_2$ and $H_3$, and $G_H$ are all published to the nearby WBAN devices, while the system master key $s$ is kept secret throughout. The detailed steps of the WBAN authentication are as follows. First, each sensor $i$ randomly generates $\xi_i$ as its original key seed and computes $R_i$ from it. Thereafter, the parameter $\upsilon_i$ is calculated, which combines the original identity number of sensor $i$ with the random number $\xi_i$. Since the identity number remains constant, the random value $\xi_i$ is what helps to resist several malicious attacks: $\upsilon_i$ is dynamic and differs for every authentication session. It is also worth emphasizing that the CA never reveals the identity number of sensor $i$ to any user (PC), so the real identity of a sensor is beyond the PC's reach; even if a malicious PC colludes with an adversary, the adversary cannot retrieve confidential messages by tracing the unique identity of a particular sensor. Moreover, instead of receiving its whole private key from the PC, the sensor generates $\xi_i$ itself as its partial private key and stores it safely on the sensor side. Subsequently, sensor $i$ generates $\phi_i$ using its previously assigned password $\kappa_i$. Sensor $i$ then gathers $R_i$, $\upsilon_i$, $\phi_i$ and forwards them to the PC. As mentioned above, our method assigns the heavy computation and storage tasks to the remote cloud server (medical database and CA), so that the portable PCs do not need to process them; instead, a PC acts as the forwarding channel between the massive number of sensors and the cloud CA. This matters in practice, since the computation and storage of each PC are restricted compared with the cloud server.
Moreover, in our system model we consider the PCs benign most of the time, but, as mentioned above, a PC may in certain cases be compromised or physically disabled. Hence, in our assumption, the PCs do not act as the vital key generation and verification center. Instead, upon receiving the message $R_i$, $\upsilon_i$, $\phi_i$ from sensor $i$, the PC directly forwards it to the cloud-based CA, which is responsible for partial secret key distribution and identification.
As illustrated previously, the identity number and the corresponding password $\kappa_i$ of sensor $i$ are stored in the cloud medical database. Initially, the values $H_1(\cdot)$ of all the sensor identity numbers are also computed and stored in the database. Upon receiving the request, the CA adds the received $R_i$ to each stored hashed identity and compares the result with the received $\upsilon_i$; the match identifies the requesting sensor, whose record is then fetched from the remote database. The CA then checks the correctness of $\upsilon_i$. If $\upsilon_i$ is validated, the CA also checks the correctness of the received $\phi_i$ by combining the stored sensor information (identity number, $\kappa_i$) with the received $R_i$.
In a practical scenario with $n$ sensors, the verification process on the CA side is the same as in the single-sensor case above, and the CA checks the correctness of all $n$ pairs $(\upsilon_i, \phi_i)$. Once both $\upsilon_i$ and $\phi_i$ are proved correct, the CA derives $\xi_i$, which is stored in the medical database. The database processing is shown in Fig. 3. Note that $\xi_i$ is shared between the CA and sensor $i$, while the PC has zero knowledge of it.
Next, the CA generates a random value $k_i$ for each sensor $i$ and computes $W_i$ and $y_i$ from it. $R_i$, $W_i$, $y_i$ are then sent to sensor $i$ through the PC. The sensor derives its assigned key $PSK_i$ from them and also checks the validity of the received information.

Fig. 3 Cloud Medical Database
For multiple sensors, the corresponding batch check can be performed. In this way, the sensor and the CA are mutually authenticated. As for the PC, the necessary information is allocated by the remote CA to help build the secure data transmission channel: the CA computes it and sends it to the PC. At this point, the sensitive medical data $M_i$ from sensor $i$ is delivered, and the PC performs the related verification, either per sensor or in batch.

Sensor revocation
If expired or illegal sensors are detected, an acknowledgment message is sent to the law enforcement agency. After approval, the PC revokes the sensor by deleting the stored identity number and $\Upsilon_i$ from its storage.

Sensor group key distribution
In this subsection the sensor group key distribution scheme is presented, in which all the participating sensors cooperate with each other as shown in Fig. 4. The detailed steps are as follows. We assume there are $n$ legitimate sensors within the PC's effective range. First, every sensor $i$ ($i \in [1, n]$) randomly generates its own $\gamma_i$ and computes $z_i$ from it; $z_i$ is broadcast to all, so that every sensor learns the other $n - 1$ values.

Fig. 4 Sensor Communicating Structure
According to the values $z_i$, each sensor sorts the received messages, generating the sequence $z_1, \ldots, z_{i-1}, z_i, z_{i+1}, \ldots, z_n$. Each sensor $i$ in this sequence computes $F_i$ from its own $\gamma_i$ and the values $W_{i-1}$ and $W_{i+1}$ of its neighbors, that is, sensors $i - 1$ and $i + 1$. All $n$ sensors then broadcast $I, F_i, H_2(I, F_i)$ to all, where $I \in [1, n]$ is the sequence number of the sensor in $z_1, \ldots, z_n$. The sensor cooperation procedure is shown in Fig. 5. Each sensor thus finally receives $n - 1$ such messages. After checking the validity of the hash value $H_2(I, F_i)$, sensor $i$ combines all the values into the intermediate key $Y$; every sensor obtains the same $Y$. As introduced previously, the PC randomly chooses $\omega$ and first delivers $\omega P_{pub}$ to all the sensors. The final group key $K$ is then obtained by combining $Y$ with the value $\omega P$ generated by the PC.
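The following Python block is an added illustration, not code from the paper, serving both the curve group of the section "Elliptic curve cryptosystem (ECC)" and the ring-structured cooperation round just described. Its assumptions, also marked in the code: the toy curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with generator $(5, 1)$ of prime order 19 is the standard textbook example and not the paper's parameters; since the paper's own formulas for $z_i$, $F_i$ and $Y$ are not reproduced on this page, the round uses the Burmester-Desmedt ring formulas $z_i = \gamma_i P$, $F_i = \gamma_i (z_{i+1} - z_{i-1})$ and $Y = \sum_j \gamma_j \gamma_{j+1} P$, which match the neighbour structure and the $n - 1$ broadcasts described above; SHA-256 stands in for $H_2$, and $K$ is derived by hashing $Y$ together with $\omega P$. The field is tiny on purpose so that the ECDLP can be brute-forced and the group law checked by hand.

```python
import hashlib

# Assumption: textbook toy curve y^2 = x^3 + 2x + 2 over F_17 with generator
# G = (5, 1) of prime order 19 (not the paper's parameters); tiny on purpose.
P_MOD = 17
A, B = 2, 2
INF = None          # point at infinity, the identity element of the group
G = (5, 1)

def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)

def add(p1, p2):
    """Group law: point doubling when p1 == p2, point addition otherwise."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:   # p2 == -p1
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Scalar multiplication k*pt (k >= 0) by double-and-add."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc

def point_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur, n = add(cur, pt), n + 1
    return n

q = point_order(G)  # 19, the order of the cyclic group <G>

def ecdlp_bruteforce(Q):
    """Recover k from Q = k*G by exhaustive search: trivial here, infeasible
    at the ~256-bit group order a real deployment would use."""
    for k in range(1, q):
        if mul(k, G) == Q:
            return k
    raise ValueError("Q is not in <G>")

def h2(index, pt):
    """Stand-in for H_2(I, F_i): SHA-256 over the sequence number and point."""
    return hashlib.sha256(f"{index}|{pt}".encode()).hexdigest()

def tags_valid(broadcast):
    """Recompute H_2(I, F_I) for every received (I, F_I, tag) triple."""
    return all(h2(I, F_I) == tag for I, F_I, tag in broadcast)

def ring_group_key(gammas, omega):
    """One cooperation round among n >= 3 sensors in Burmester-Desmedt form
    (assumed): gammas[i] is sensor i's private gamma_i, omega the PC's scalar.
    Returns the key each sensor derives; all are equal when everyone is honest."""
    n = len(gammas)
    if n < 3:
        raise ValueError("ring key agreement needs at least three sensors")
    # round 1: each sensor broadcasts z_i = gamma_i*G; all sort by z_i
    z = [mul(g, G) for g in gammas]
    perm = sorted(range(n), key=lambda i: z[i])
    gammas, z = [gammas[i] for i in perm], [z[i] for i in perm]
    # round 2: F_i = gamma_i*(z_{i+1} - z_{i-1}), broadcast as (I, F_I, H_2(I, F_I))
    F = [mul(gammas[i], add(z[(i + 1) % n], neg(z[(i - 1) % n]))) for i in range(n)]
    broadcast = [(i, F[i], h2(i, F[i])) for i in range(n)]
    omega_G = mul(omega, G)  # assumption: the PC contributes omega*G
    keys = []
    for i in range(n):
        if not tags_valid(broadcast):  # every receiver checks the tags first
            raise ValueError("altered contribution detected")
        # Y = n*gamma_i*z_{i-1} + (n-1)*F_i + (n-2)*F_{i+1} + ... + 1*F_{i-2}
        #   = (gamma_1*gamma_2 + gamma_2*gamma_3 + ... + gamma_n*gamma_1)*G
        Y = mul(n * gammas[i], z[(i - 1) % n])
        for j in range(n - 1):
            Y = add(Y, mul(n - 1 - j, F[(i + j) % n]))
        keys.append(hashlib.sha256(f"{Y}|{omega_G}".encode()).hexdigest())
    return keys

if __name__ == "__main__":
    print("order of G:", q, "| k recovered from 7*G:", ecdlp_bruteforce(mul(7, G)))
    keys = ring_group_key([3, 11, 7, 14], 5)
    print("all four sensors agree on K:", len(set(keys)) == 1, keys[0][:16])
```

Running the block with four sensors shows every sensor arriving at the same key although no party ever sees another's $\gamma_i$, and changing the PC's $\omega$ changes $K$. Note what the recomputed $H_2(I, F_i)$ tag does and does not give: it detects a corrupted $F_i$, but an unkeyed hash can be recomputed by whoever modifies $F_i$, so on an open channel the broadcasts would need a signature or MAC bound to a sensor secret to withstand an active attacker.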

Security analysis
In this section, we briefly describe the security properties of the proposed authentication scheme.

Certificateless authentication
As illustrated above, a certificateless key distribution design is adopted in our scheme: the CA only generates part of the secret of each sensor, while the random partial secret key $\xi_i$ is generated on the sensor side. During the authentication phase the PC has zero knowledge of $\xi_i$, so an impersonation attack on a specific sensor cannot pass validation, and compromising a PC does not bring a negative effect to the whole WBAN system. Note that, since the CA derives and stores $\xi_i$ after validation (see the mutual authentication phase), this escrow protection of the sensor key holds against the PC rather than against the CA, which is trusted in our model. In this way, the certificateless authentication property is provided.

Mutual authentication
Our scheme deploys a proper authentication strategy that provides mutual authentication between the remote CA and the sensors. Note that only two communication rounds are required during the mutual authentication process. Moreover, batch authentication of multiple sensors is available, which opens new prospects for the practical implementation of WBANs.

Sensor anonymity & conditional privacy
In our design, instead of the device's real identity, we apply a self-generated anonymous identity $\upsilon_i$, which combines the stored static identity with a fresh random value. Hence illegal tracing of a certain sensor is prevented. Moreover, the real identity of the sensor can be revealed by the CA (by matching $\upsilon_i$ against the stored hashed identities) if abnormal behavior is detected in extreme situations; hence accountability is provided.

Resistance to MITM attack
In the proposed scheme, hash values are attached to every message of the authentication session to resist the man-in-the-middle (MITM) attack, in which an attacker modifies legitimate messages without being detected. In our design, the receiver checks the validity of every message upon receipt, and because the checks on $\upsilon_i$ and $\phi_i$ involve the stored password $\kappa_i$ and the seed $\xi_i$, which an attacker on the channel does not know, a modified message fails verification. Note that the hash function provides integrity, not confidentiality; a hash computed only over public values would not stop an attacker from recomputing it after modification.

Resistance to replay attack
As mentioned above, a pseudo-random value generator is used on both the HC side ($k_i$) and the sensor side ($\xi_i$), which guarantees resistance to replay attack: previously captured information cannot pass the current authentication session, because the verifier ties each response to the fresh values of that session. In addition, each transmitted packet carries a time-stamp that reveals its precise position in the time sequence and bounds the window in which it is accepted.

Cooperative sensor key establishment
In our scheme, the sensor group key is cooperatively generated by all the participating sensors: the intermediate key $Y$ depends on every sensor's $\gamma_i$, and the final key $K$ additionally depends on the PC's $\omega$. Note that neither the CA nor the PC has full control of the group key generation.

Comparison on security properties
In this section, we compare the crucial security properties for WBAN authentication scenarios. Our WBAN authentication design is compared with the state-of-the-art WBAN authentication and key agreement schemes MLAP, ATCC (Jiang et al. 2017), and HAKE (Drira et al. 2012), with the aim of demonstrating its superiority in security.
The comparison results are presented in Table 2, showing that the proposed scheme satisfies all the desired security requirements.

Conclusion
In this paper, an efficient pairing-free group authentication scheme for cloud-assisted WBANs has been presented. In our design, sensor anonymity is provided during the whole communication. Moreover, a cooperative sensor association mechanism is given, in which the sensor group key is generated by intercommunication among the legitimate participating WBAN sensors. The proposed scheme satisfies the desired security properties and provides resistance to the major security attacks.