An improved pairing-free certificateless aggregate signature scheme for healthcare wireless medical sensor networks.

In healthcare wireless medical sensor networks (HWMSNs), the medical sensor nodes are employed to collect medical data which is transmitted to doctors for diagnosis and treatment. In HWMSNs, medical data is vulnerable to various attacks through public channels. In addition, leakage of patients' information happens frequently. Hence, secure communication and privacy preservation are major concerns in HWMSNs. To solve the above issues, Zhan et al. put forward a pairing-free certificateless aggregate signature (PF-CLAS) scheme. However, according to our cryptanalysis, the malicious medical sensor node (MSNi) can generate the forged signature by replacing the public key in the PF-CLAS scheme. Hence, to address this security flaw, we design the improved PF-CLAS scheme that can achieve unforgeability, anonymity, and traceability. Since we have changed the construction of the partial private key, the improved PF-CLAS scheme can resist Type I and Type II attacks under the Elliptic Curve Discrete Logarithm assumption. In terms of the performance evaluation, the proposed scheme outperforms related CLAS schemes, which is more suitable for HWMSNs environments.

Introduction

With the rapid development of wireless body area networks, healthcare wireless medical sensor networks (HWMSNs) are driving the progress of intelligent medical treatment. In the current HWMSNs environment, patients use wearable and implantable medical devices from which multifarious medical data is collected [1]. Then the data is transmitted to doctors for real-time processing and feedback. Since the outbreak of COVID-19, hospitals have been using HWMSNs to monitor and treat the symptoms of patients [2]. However, medical data is transmitted through insecure public channels, and adversaries are able to eavesdrop on, tamper with, and forge the data readily [3, 4]. Upon tampering and forgery, doctors may make accurate diagnoses that can harm patients [5]. Furthermore, if the identities of patients are exposed in the form of plaintext, the patients’ real identities will be divulged [6-8]. Consequently, it is of great importance to guarantee secure communication and privacy preservation in HWMSNs.

In recent years, various technologies have been used for HWMSNs [9, 10]. To ensure the security of medical data, Mamta et al. [11] adopted the blockchain technology to design a decentralized and efficient attribute-based searchable encryption scheme. Nguyen et al. [12] put forward a blockchain-based intrusion detection and data transmission scheme that can realize the high-security level of the system. To guarantee secure communication and build trustworthiness among nodes in networks, Mirsadeghi et al. [13] presented a trust infrastructure-based authentication scheme by using digital signature and encryption technologies. Vijayakumar et al. [14] constructed a secure and lightweight communication scheme that can provide authentication and confidentiality to the multicast SMS communication. To achieve privacy preservation in HWMSNs, Xu et al. [15] proposed a sanitizable signature scheme that can hide the sensitive data of patients.

In 2003, a cryptographic technology called aggregate signature (AS) was proposed by Boneh et al. [16]. They showed that the AS can realize the authentication and integrity of the message with high efficiency, which makes it suitable for resource-constrained environments. Therefore, many authentication schemes using the AS have been proposed [17-22]. In 2004, Lysyanskaya et al. [17] constructed an ordered AS scheme based on a one-way function with trapdoors. Signers need to aggregate their signatures in the corresponding order. Whereas Lysyanskaya et al.’s scheme is based on the traditional public key infrastructure, which greatly increases the burden of key management and verification overhead. Soon after, Cheon et al. [18] proposed the first identity-based AS scheme that avoided complex certificate management issues. However, most identity-based AS schemes suffer from key escrow problems. Certificateless public key cryptography is considered one of the solutions to overcome these [23]. In [24], the full private key consists of the partial private key generated by the key generation center (KGC) and the secret value selected by the unmanned aerial vehicle. The aerial vehicle only knows its secret value and cannot achieve the partial private key of KGC. Hence, Gong et al. [20] extended the AS to certificateless public key cryptography and first proposed two certificateless AS (CLAS) schemes. Nevertheless, the complicated verification algorithm caused these two schemes to be inefficient.

Shortly after, the CLAS technology was widely applied to HWMSNs environments to address security and privacy problems. In 2018, Kumar et al. [25] designed a CLAS scheme to ensure the secure transmission of medical data in HWMSNs. Nevertheless, Wu et al. [26] proved that Kumar et al.’s scheme [25] is vulnerable to malicious medical server attacks. To ensure the high efficiency of verification and the identity privacy of patients, Liu et al. [27] devised a certificateless anonymous batch verification scheme and asserted that their scheme can authenticate all medical data in one time. Unfortunately, Zhang et al. [28] declared that Liu et al.’s scheme [27] is unable to withstand malicious participant attacks and malicious data center attacks. In 2019, Gayathri et al. [29] devised an anonymous CLAS scheme without bilinear pairings to further reduce the computational overhead. However, Liu et al. [30] substantiated that Gayathri et al.’s scheme [29] cannot withstand malicious MS attacks and public key replacement attacks. In addition, Liu et al. [30] proposed an improved scheme to resist the above attacks.

Recently, Zhan et al. [31] found that Liu et al.’s improved scheme [30] is insecure for the reason that it cannot withstand malicious MS attacks. To solve these security issues, Zhan et al. [31] put forward a pairing-free CLAS (PF-CLAS) scheme for HWMSNs. In addition, Zhan et al. [31] asserted that the PF-CLAS scheme has high computational efficiency and is secure against forgery attacks on any message. However, after our analysis, we found that the PF-CLAS scheme is unable to achieve the expected target.

Contribution

The contributions of the proposed work are shown below.

We analyze Zhan et al.’s PF-CLAS scheme that cannot withstand malicious MSN attacks. Simultaneously, the process of how malicious MSN attacks successfully forge the signature is shown.

The reasons why Zhan et al.’s PF-CLAS scheme is insecure against malicious MSN attacks are explained. In addition, we design an improved PF-CLAS to address this security vulnerability.

We substantiate that our improved PF-CLAS scheme is secure under the random oracle model. Furthermore, the performance evaluation reveals that the proposed scheme is more efficient than the existing related schemes.

Preliminaries

In this section, we introduce the complexity assumption, system model, security requirement, and security model in HWMSNs environments.

Complexity assumption

Elliptic Curve Discrete Logarithm Problem (ECDLP)

The group G has the prime order q and generator P. Given two random points P, Q ∈ G, it is hard to work out .

Computational Diffie-Hellman Problem (CDHP)

The group G has the order q and genera-tor P. Given two random points aP, bP ∈ G, it is hard to work out abP ∈ G, where .

System model of HWMSNs

As is described in Fig 1, the system model contains four entities: Medical Sensor Node (MSN), Medical Server (MS), Cluster Head (CH), and Authorized Healthcare Professionals (AHP). MS is able to generate the public parameters and send it to MSN. When MSN applies for the partial private key, MS will utilize the master secret key to generate the partial private key and send it to MSN. Simultaneously, MSN takes advantage of its secret key and partial private key to create the signature and transmits it to CH. Multiple signatures can be aggregated into one signature by CH. Afterward, the aggregate signature can be transmitted to MS by CH. MS sends the aggregate signature to AHP after confirming the validity of the aggregate signature.

Fig 1

System model for HWMSNs.

Security requirements of HWMSNs

Message Authentication and Integrity

The messages received by the receiver are reliable and have not been tampered with during transmission.

Anonymity

No entity can know the real identity of MSN except MS and MSN itself.

Traceability

If abnormal MSN provides false medical data, MS will trace and extract the real identity of MSN.

Security model of HWMSNs

The CLAS scheme contains two types of adversaries: malicious MSN and malicious MS.

Malicious MSN

It is Type I adversary in HWMSNs environments. Malicious MSN can replace the public key of MSN, but it is incapable of achieving the master secret key s.

Malicious MS

It is Type II adversary in HWMSNs environments. Malicious MS can achieve the master secret key s, but it is incapable of replacing public keys.

The existential unforgeability of the PF-CLAS scheme is guaranteed by the following two games.

Game 1:

Setup: The System Initialization algorithm is executed by the challenger ζ1. Given the security parameter v, the algorithm returns system parameters params and master secret key s. ζ1 transmits params to while s is kept secretly.

Query Phase: carries out a bounded number of queries in polynomial time. The specific process is shown below.

PPK Query: When makes queries on the partial private key with PID, ζ1 returns d to .

PK Query: When makes queries on the public key of MSN, ζ1 returns PK to .

SV Query: When makes queries on the secret value of MSN with PID, ζ1 returns x to .

PK Replacement Query: When chooses a new public key of MSN with PID, ζ1 records this replacement.

Signature Query: When makes queries on the signature with PID and PK, ζ1 returns σ to in the tuple (m, PID, PK).

Forgery: returns identities , public keys , messages , timestamps , and an AS σ*. can win Game 1 if the following three situations happen:

σ* is a valid CLAS;

PPK Query has never been performed for at least one of ;

Signature Query under the tuple has never been performed, where 1 ≤ i ≤ n.

Game 2:

Setup: The System Initialization algorithm is executed by the challenger ζ2. Given the security parameter v, the algorithm returns system parameters params and master key s. ζ2 transmits params and s to .

Query Phase: carries out a bounded number of queries in polynomial time. The specific process is shown below.

PK Query: When makes queries on the public key of MSN, ζ2 returns PK to .

SV Query: When makes queries on the secret value of MSN with PID, ζ2 returns x to .

Signature Query: When makes queries on the signature with PID and PK, ζ2 returns σ to in the tuple (m, PID, PK).

Forgery: returns identities , public keys , messages , timestamps , and an AS σ*. can win Game 2 if the following three situations happen:

σ* is a valid CLAS;

SV Query has never been performed for at least one of ;

Signature Query under the tuple has never been performed, where 1 ≤ i ≤ n.

Review of PF-CLAS scheme in [31]

Here, we summarize the notations of the PF-CLAS scheme in Table 1 and review the PF-CLAS scheme in [31].

Table 1

Notations used in PF-CLAS scheme.

Notation	Description
q	A prime number
P	A generator of G
s	Master secret key
P pub	Master public key
k	Security parameter
params	System parameter
RID i	Real identity of MSNi
PID i	Pseudo identity of MSNi
T i	Valid time period of pseudo identity
d i	Partial private key of MSNi
x i	Secret value of MSNi
(pki, ski)	Public and private key pair of MSNi
σ	An aggregate signature
t i	Current timestamp

System Initialization (1) → (params): Given the security parameter , MS performs the following procedures:

Selects an additive group G of order q and its generator P.

Selects as the master secret key at random and computes P = sP as the master public key.

Selects hash functions: , and .

Publishes params = {P, G, q, P, H, H} as the system parameter and keeps s secretly.

Generate-PPK (params, s, RID) → (PID, d): Given s, RID and params, MS performs the following procedures:

Selects randomly and calculates R = r P.

Computes PID = RID⊕H(r P, T), where T is the valid time period of PID.

Computes l = H1(R, PID, P), d = (r + sl) mod q.

Sets D = (d, R) as the private key and sends (D, PID) to MSN through secure channels.

Generate-PK/SK (params, PID, d) → (pk, sk): Given params, PID and d, MSN performs the following procedures:

Verifies whether the equation d P = R + l P holds, if it holds, MSN accepts the private key d. Otherwise, it needs to reapply to MS for the partial private key.

Selects randomly and calculates X = x P.

Sets pk = (R, X) as its own public key and sk = (d, x) as its own private key.

Generate-Signature (params, PID, pk, sk, m, t) → (σ): Given params, PID, pk, sk, a message m and timestamp t, MSN performs the following procedures:

Chooses randomly and calculates Y = y P.

Calculates and b = H3(PID, m, t, pk).

Calculates w = [a y + b(d + x)] mod q.

Outputs σ = (Y, w) and transmits (σ, m, t, pk) to CH through public channels.

Verify-Signature (params, pk, {m, t})→ VALID or INVALID: Given params, pk and a set of message signature pairs (m, σ), CH performs the following procedures:

Computes l = H1(R, PID, P), a = H2(PID, m, t, Y, pk) and b = H3(PID, m, t, pk).

Verifies whether the equation W−a Y = b(X + R + l P) holds, if it holds, CH outputs VALID and accepts the signature. Otherwise, CH outputs INVALID and rejects the signature.

Generate-AS (params, pk, {m, t, σ}1 ≤ ) → (σ): Given params and a set of message signature pairs (m, σ), CH performs the following procedures:

Computes .

Computes .

Computes .

Outputs an aggregate signature σ = (A, w) and transmits (σ, m, t, pk) to MS through public channels.

Verify-AS (params, {m, t}1 ≤ , σ) → VALID or INVALID: Given params, pk, {m, t}1 ≤ and σ, MS performs the following procedures:

Computes l = H1(R, PID, P), a = H2(PID, m, t, Y, pk) and b = H3(PID, m, t, pk), where 1 ≤ i ≤ n.

Checks whether the equation holds. If it holds, MS outputs VALID and accepts the aggregate signature σ. Otherwise, MS outputs INVALID and rejects the aggregate signature σ.

Cryptanalysis of PF-CLAS schemes

In this section, we first describe the detailed process of malicious MSN attacks, and then show the reason why this scheme cannot resist this type of attack. Finally, we present methods to withstand malicious MSN attacks.

Forgery attacks from malicious MSN

Although malicious MSN hardly gets the master key s, it can replace the public key pk. In addition, if malicious MSN eliminates l P by replacing the public key pk, then it will bypass the system master key s to forge a valid signature. Malicious MSN can forge the valid signature on any stochastically chosen message that satisfies the condition . The concrete descriptions are shown below.

Public Key Replacement: Malicious MSN executes the following procedures to replace the original public key pk.

Selects and randomly.

Calculates and , where PID and P are public.

Computes to replace X and sets as the new public key.

Forgery: Malicious MSN executes the following procedures to forge the signature .

Chooses and computes .

Computes , and .

Sets as the forged signature and sends to CH.

Verification: CH executes the following procedures to check the validity of the forged signature .

Calculates , and .

Checks whether the equation holds. If the equation holds, CH takes over the forged signature. Otherwise, malicious MSN fails to forge the signature.

Correctness of the Forged Signature: The validity of forged signature is supported by the verifiable equation.

Comments on the reason for malicious MSN attacks

Although Zhan et al.’s scheme [31] has strived to solve the vulnerabilities of Liu et al.’s scheme in [30], it still suffers from malicious MSN attacks. In Zhan et al.’s PF-CLAS scheme [31], there’s no connection between d and X, which is the main reason why malicious MSN can succeed in launching public key replacement attacks. The partial private key is defined as d = r+ sl in the literature [31], where l = H1(R, PID, P). We can easily find that hash function l does not contain the public key X, implying that the change of X cannot influence the partial private key d. Hence, malicious MSN can bypass d by replacing X with . To avoid the public key replacement attacks launched by malicious MSN, we only need to add the element X to hash functions l in Generate-PPK algorithm. After modification, it is obvious that the equation d P = R + l P will not be valid if the public key X is replaced by adversaries, where l = H1(R, PID, P, X).

Improved PF-CLAS scheme

In this section, we devise an improved PF-CLAS scheme to avoid malicious MSN attacks in HWMSNs. The detailed algorithms are shown as follows.

System Initialization (1)→(params): Given the security parameter , MS performs the following procedures:

Selects an additive group G of order q and its generator P.

Selects as the master secret key at random and computes P = sP as the master public key.

Selects hash functions: , , and .

Publishes params = {P, G, q, P, H, H} as the system parameter and keeps s secretly.

Generate-SV (params)→(x, X): Given params, MSN performs the following procedures:

Selects randomly and calculates X = x P.

Transmits X to MS through public channels.

Generate-PPK (params, s, RID, X)→(PID, d): Given s, RID and params, MS performs the following procedures:

Selects randomly and calculates R = r P.

Computes PID = RID⊕H(r P, T), l = H1(R, PID, P, X) and d = (r + sl) mod q.

Sets D = (d, R) as the private key and sends (D, PID) to MSN through secure channels.

Generate-PK/SK (params, PID, d)→(pk, sk): Given params, PID and d, MSN performs the following procedures:

Verifies whether the equation d P = R + l P holds, if it holds, MSN accepts the private key d. Otherwise, it needs to reapply to MS for the partial private key.

Sets pk = (R, X) as its own public key and sk = (d, x) as its own private key.

Generate-Signature (params, PID, pk, sk, m, t)→(σ): Given params, PID, pk, sk, a message m and timestamp t, MSN performs the following procedures:

Chooses randomly and calculates Y = y P.

Calculates b = H2(PID, m, t, pk, Y) and w = [y + b(d + x)] mod q.

Outputs σ = (Y, w) and transmits (σ, m, t, pk) to CH through public channels.

Verify-Signature (params, pk, {m, t}) → VALID or INVALID: Given params, pk and a set of message signature pairs (m, σ), CH performs the following procedures:

Computes l = H1(R, PID, P, X), b = H2(PID, m, t, pk, Y).

Verifies whether the equation W−Y = b(X + R + l P) holds, if it holds, CH outputs VALID and accepts the signature. Otherwise, CH outputs INVALID and rejects the signature.

Generate-AS (params, pk, {m, t, σ}1 ≤ , pk)→(σ): Given params, pk and the tuple (σ, m, t), CH performs the following procedures:

Computes .

Outputs an aggregate signature σ = (Y1, Y2, …, Y, w) and transmits (σ, m, t, pk) to MS through public channels.

Verify-AS (params, {m, t}1 ≤ , σ, sk)→ VALID or INVALID: Given params, pk, {m, t}1 ≤ and σ, MS performs the following procedures:

Computes l = H1(R, PID, P, X) and b = H2(PID, m, t, pk, Y).

Checks whether the equation holds. If it holds, MS outputs VALID and accepts σ. Otherwise, MS outputs INVALID and rejects σ.

Correctness

Given params, pk, {m, t}1 ≤ and σ, the validity of the following equation is checked by CH.

Given params, pk, {m, t}1 ≤ and σ, the validity of the following equation is checked by MS.

Security analysis

In this section, we give Theorem 1 and Theorem 2 to prove that our improved PF-CLAS scheme can resist malicious MSN attacks and malicious MS attacks.

Theorem 1: If (malicious MSN) can successfully forge the signature in polynomial time with the non-negligible probability ε1, then there will be a challenger ζ1 that can work out the ECDLP with the probability , where e, , q, q, q are the natural logarithm base and the most times of Hash Query, Signature Query, PPK Query, SV Query.

Proof: The challenger ζ1 is a solver of the ECDLP. Given the tuple (P, P = sP)∈G×G, the goal of ζ1 is to calculate .

Setup: ζ1 performs System Initialization algorithm to generate params and s. ζ1 sends params to and keeps s secretly.

Query Phase: The challenger ζ1 cannot get the identity PID which is selected by . Therefore, ζ1 guesses a random identity as the identity, where ζ1 can correctly guess with probability .

H1 Query: ζ1 creates an empty list1. When receiving a query H1(R, PID, P, X) from , if there is a tuple (R, PID, P, X, l) in the list1, ζ1 will return l to ; Otherwise, ζ1 selects at random and adds the tuple (R, PID, P, X, l) into list1. Finally, ζ1 returns l to .

H2 Query: ζ1 creates an empty list2. When receiving a query H2(m, PID, t, pk, Y) from , if there is a tuple (m, PID, t, pk, Y, b) in the list2, ζ1 will return b to ; Otherwise, ζ1 selects at random and adds the tuple (m, PID, t, pk, Y, b) into list2. Finally, ζ1 returns b to .

SV Query: ζ1 creates an empty list3. When receiving a query about the secret value of MSN from , if there is x in the list3, ζ1 will return x to ; Otherwise, ζ1 selects at random and adds x into list3. Finally, ζ1 returns x to .

PPK Query: ζ1 creates an empty list4. When receiving a query about the partial private key of MSN with PID from , if there is a tuple (R, PID, d) in the list4, ζ1 will return (R, d) to ; Otherwise, ζ1 queries the corresponding tuple (R, PID, P, X, l) of MSN with PID ∈ list1, selects at random, computes R = d P − l P and adds the tuple (R, PID, d) into list4. Finally, ζ1 returns (R, d) to .

PK Query: ζ1 creates an empty list5. When receiving a query about the public key of MSN with PID from , if there is a tuple (R, PID, X) in the list5, ζ1 will return (R, X) to ; Otherwise, ζ1 performs following steps.

If , ζ1 selects at random, computes X = x P and R = d P − l P. Then, ζ1 adds the tuple (R, PID, X) into list5 and returns (R, X) to .

If , ζ1 selects at random, computes X = x P and R = r P. Then, ζ1 sets d as ⊥ and adds the tuple (R, PID, X) into list5. Finally, it returns (R, X) to .

PK Replacement Query: When selects a new public key and sends to ζ1. When receiving a query about the public key replacement of MSN with PID from , ζ1 updates list5 and records this replacement.

Signature Query: ζ1 creates an empty list6. When receiving a query about the signature of MSN with PID from , if there is a tuple (m, PID, x, ω) in the list6, ζ1 selects at random, computes Y = y P, b = H2(PID, m, t, Y, pk) and w = y + b(x + d) mod q. Then ζ1 returns (Y, w) to ; Otherwise, ζ1 selects at random, computes Y = w P−b(X + R + l P) and adds the tuple (Y, w) into list6. Finally, ζ1 returns (Y, w) to .

Forgery: After polynomial bounded times of queries, outputs forged signature under the tuple . According to the forking lemma [32], generates another forged signature . Therefore, according to the equation and the equation , s can be obtained as a valid solution. Otherwise, ζ1 cannot handle the ECDLP.

In order to succeed in forging a signature, the outputs of ζ1 need to satisfy the following conditions:

T1: ζ1 has never aborted the process of quering;

T2: ζ1 has never aborted the process of forging the signature;

T3: is a valid signature.

According to the above conditions, we can get that P[T1] ≥ 1 − c, and . Consequently, the probability that ζ1 can work out the ECDLP is .

Theorem 2: If (malicious MS) can successfully forge the signature in polynomial time with the non-negligible probability ε2, then there will be a challenger ζ2 that can work out the ECDLP with the probability , where e, , q, q are the natural logarithm base and the most times of Hash Query, Signature Query, SV Query.

Proof: The challenger ζ2 is a solver of the ECDLP. Given the tuple (P, X = x P) ∈ G × G, the goal of ζ2 is to calculate .

Setup: ζ2 performs System Initialization algorithm to generate params and s. ζ2 sends params and s to .

Query Phase: The challenger ζ2 cannot get the identity PID which is selected by . Therefore, ζ2 guesses a random identity as the identity, where ζ2 can correctly guess with probability .

H1 Query: ζ2 creates an empty list1. When receiving a query H1(R, PID, P, X) from , if there is a tuple (R, PID, P, X, l) in the list1, ζ2 will return l to ; Otherwise, ζ2 selects at random and adds the tuple (R, PID, P, X, l) into list1. Finally, ζ2 returns l to .

H2 Query: ζ2 creates an empty list2. When receiving a query H2(m, PID, t, pk, Y) from , if there is a tuple (m, PID, t, pk, Y, b) in the list2, ζ2 will return b to ; Otherwise, ζ2 selects at random and adds the tuple (m, PID, t, pk, Y, b) into list2. Finally, ζ2 returns b to .

SV Query: ζ2 creates an empty list3. When receiving a query about the secret value of MSN from , if there is x in the list3, ζ2 will return x to ; Otherwise, ζ2 selects at random and adds the tuple x into list3. Finally, ζ2 returns x to .

PK Query: ζ2 creates an empty list4. When receiving a query about the public key of MSN with PID from , if there is a tuple (R, PID, X) in the list4, ζ2 will return (R, X) to ; Otherwise, ζ2 performs following steps.

If , ζ2 selects at random, computes X = x P and R = d P−l P. Then, ζ2 adds the tuple (R, PID, X) into list4 and returns (R, X) to .

If , ζ2 selects at random, computes X = x P and R = r P. Then, ζ2 sets d as ⊥ and adds the tuple (R, PID, X) into list4. Finally, it returns (R, X) to .

Signature Query: ζ2 creates an empty list5. When receiving a query about the signature of MSN with PID from , if there is a tuple (m, PID, x, ω) in the list5, ζ2 selects at random, computes Y = y P, b = H2(PID, m, t, Y, pk) and w = y + b(x + d) mod q. Then ζ2 returns (Y, w) to ; Otherwise, ζ2 selects at random, computes Y = w P−b(X + R + l P) and adds the tuple (Y, w) into list5. Finally, ζ2 returns (Y, w) to .

Forgery: After polynomial bounded times of queries, outputs forged signature under the tuple . According to the forking lemma [32], generates another forged signature . Therefore, according to the equation and the equation , x can be obtained as a valid solution. Otherwise, ζ2 cannot handle the ECDLP.

In order to succeed in forging a signature, the outputs of ζ2 need to satisfy the following conditions:

T1: ζ2 has never aborted the process of quering;

T2: ζ2 has never aborted the process of forging the signature;

T3: is a valid signature.

According to the above conditions, we can get that P[T1]≥1−c, and . Consequently, the probability that ζ2 can work out the ECDLP is .

Message authentication and integrity: According to Theorem 1 and Theorem 2, neither Type I nor Type II attackers can pass the verification by forging a signature.

Anonymity: In the improved PF-CLAS scheme, PID is the pseudo identity of MSN, where PID = RID⊕H(r P, T). Any adversary cannot extract the real identity of MSN. Hence, our scheme provides strong anonymity.

Traceability: If MSN transmits illegal information, MS can track abnormal MSN and extract its real identity by computing RID = PID⊕H(sR), where sR = r P.

Performance evaluation

In this section, we will provide the performance analysis in terms of computational overhead, communication overhead, and security features. In the meantime, the efficiency of the improved scheme will be compared with the related schemes [15, 24, 25, 27, 29, 33, 34]. We utilize MIRACL library to simulate cryptographic operations on a Windows 10 laptop with an Intel i7–1195G7 @2.9 GHz processor and 8 GB of memory. The measured runtime of different operations is shown in Table 2.

Table 2

Runtime of cryptographic operations.

Operations	Abbreviations	Runtime (ms)
Pairing-based scalar multiplication	T sm	2.2560
Pairing-based point addition	T pa	0.1732
Bilinear pairing computation	T p	4.6028
Map-to-point hash	T h	5.1240
ECC-based scalar multiplication	T esm	0.7648
ECC-based point addition	T epa	0.0435

Computational overhead

As is described in Table 3, we mainly count the computational overhead of Generate-Signature algorithm, Verify-Signature algorithm, Generate-AS algorithm, and Verify-AS algorithm. In Xu et al.’s scheme [15], the computational overhead of the single signing and verification is ≈ 143.7864 ms. Similarly, Kumar et al.’s scheme [25], Liu et al.’s scheme [27], and Shen et al.’s scheme [34] need 38.724 ms, 21.444ms, 36.1212 ms, respectively. As is shown in Fig 2 the computational overhead of the above schemes is extremely high. The root cause is that these schemes all use bilinear pairing and map-to-point hash operations to construct the signature. Hence, we use pairing-free operations to improve the efficiency of the improved PF-CLAS scheme. In literatures [24, 29, 33], their schemes also don’t use bilinear pairings. Hence, they only need 3.9545 ms, 5.4841 ms, 4.1793 ms, respectively. The computational overhead of the single signing and verification only needs 3.9545ms, which saves 97.2%, 89.8%, 81.6%, 27.9%, 5.4%, 89.1% of the computational overhead than Xu et al.’s scheme [15], Kumar et al.’s scheme [25], Liu et al.’s scheme [27], Gayathri et al.’s scheme [29], Verma et al.’s scheme [33], Shen et al.’s scheme [34]. In the aggregate signing and aggregate verification phases, we set the number of signatures participating in the aggregation as n = 50. Since references [15, 24] have no connection with the aggregate signature, we don’t describe them too much. As is shown in Fig 3, the computational overhead of the aggregate signing and verification of Kumar et al.’s scheme [25], Liu et al.’s scheme [27], Gayathri et al.’s scheme [29], Verma et al.’s scheme [33], Shen et al.’s scheme [34] is 422.0506 ms, 147.9858 ms, 95.5493 ms, 85.9013 ms, 472.56 ms, respectively. Our improved PF-CLAS scheme needs 88.0328 ms, which saves 79.2%, 41%, 7.9%, 27.9%, 5.4%, 81.4% than Kumar et al.’s scheme [25], Liu et al.’s scheme [27], Gayathri et al.’s scheme [29], Shen et al.’s scheme [34]. Although the total computational overhead of Verma et al.’s scheme [33] is basically the same as our scheme, Verma et al.’s scheme [33] cannot achieve secure communication. Hence, the computational overhead of our improved PF-CLAS scheme reaches the upstream level of the relevant schemes.

Table 3

Comparison of computational overhead.

Schemes	Sign (ms)	Verify (ms)	AggregateSign (ms)	AggregateVerify (ms)
[15]	14Tsm+4Tpa+Th ≈ 37.4008	22Tp+Th ≈ 106.3856	—	—
[24]	Tesm ≈ 0.7648	4Tesm+3Tepa ≈ 3.1897	—	—
[25]	3Tsm+2Tpa+Th ≈ 12.2384	3Tp+Tsm+Tpa+2Th ≈ 26.4856	(n−1)Tpa ≈ 8.4846	3Tp+nTsm+(3n−2)Tpa+(n+ 1)Th ≈ 413.566
[27]	2Tsm+Tpa ≈ 4.6852	2Tp+Tsm+Tpa+Th ≈ 16.7588	nTsm+(3n−1)Tpa ≈ 138.607	2Tp+Tpa ≈ 9.3788
[29]	2Tesm ≈ 1.5296	5Tesm+3Tepa ≈ 3.9545	2nTesm+(2n−2)Tepa ≈ 11.911	(2n+ 1)Tesm+(2n+ 1)Tepa ≈ 81.6383
[33]	2Tesm ≈ 1.5296	4Tesm+3Tepa ≈ 3.1897	(n−1)Tepa ≈ 2.1315	(2n+ 1)Tesm+3nTepa ≈ 83.7698
[34]	3Tsm+Tpa+ Th ≈ 12.0652	3Tp+2Th ≈ 24.0560	nTp+Tsm+ (n−1)Tpa ≈ 236.28	nTp+Tsm+ (n−1)Tpa ≈ 236.28
Our scheme	Tesm ≈ 0.7648	4Tesm+3Tepa ≈ 3.1897	(n−1)Tepa ≈ 2.1315	(2n+ 1)Tesm+(4n−1)Tepa ≈ 85.9013

We set the number of signatures participating in the aggregation as n = 50.

Fig 2

Computational overhead of the single signing and verification.

Fig 3

Computational overhead of the aggregate signing and aggregate verification.

Communication overhead

As shown in Table 4, we list parameters and length specifications for pairing-based and ECC-based schemes [29]. In addition, the size of the group is 160 bits in our scheme. In [15, 25, 27, 34], the communication overhead of the single signature is 1024 bits, 2048 bits, 2048 bits, and 2048 bits, respectively, because all the elements of σ belong to G1. In our improved PF-CLAS, we set σ as (Y, w), where Y ∈ G, . Compared with the schemes [15, 24, 25, 27, 29, 34], the communication overhead of the single signature in our scheme is reduced by 53.1%, 40%, 76.57%, 76.57%, 25%, 76.57%. As is described in Fig 4, it is obvious that our scheme has higher efficiency than the above schemes in the single signature phase. Since references [15, 24] have no connection with the aggregate signature, we don’t describe them too much in the aggregate signature phase. In the meantime, we can know from Fig 5 that the communication overhead of the aggregate signatures in our scheme is lower than Kumar et al.’s scheme [25] and Shen et al.’s scheme [34] with the increase of the number of medical sensor nodes. Although Liu et al.’s scheme [27] and Gayathri et al.’s scheme [29] have lower communication overhead than our scheme, their schemes have serious security flaws. As shown in Table 5, even though our scheme has the same communication overhead as Verma et al.’s scheme [33], their scheme cannot meet the security requirements of HWMSNs. Therefore, our scheme has certain advantages in terms of communication overhead.

Table 4

Length of parameters in bilinear pairing and ECC.

Type of the scheme	Type of the curve	Pairing	Cyclic group	Size of the prime	Size of the group
Bilinear Pairing	E: y2 = x3+ x mod p	e: G1×G1 → GT	G1(P)	p=512 bits	|G1|=1024 bits
ECC	E: y2 = x3+ ax+ b mod p	—	G(P)	p=160 bits	|G|=320 bits

Fig 4

Communication overhead of single signatures.

Fig 5

Communication overhead of aggregate signatures.

Table 5

Comparison of communication overhead and security features.

Schemes	Single signatures	Aggregate signatures	Type I attacks	Type II attacks	Anonymity	Traceability
[15]	|G1| = 1024 bits	—	—	—	×	×
[24]	|G|+3|Zq*|=800 bits	—	✔	✔	×	×
[25]	2|G1| = 2048 bits	(n+1)|G1| = 1024(n+1) bits	✔	×	×	×
[27]	2|G1| = 2048 bits	3|G1| = 3072 bits	×	×	✔	×
[29]	|G|+2|Zq*|=640 bits	2|G|+|Zq*|=800 bits	×	×	✔	✔
[33]	|G|+|Zq*|=480 bits	n|G|+|Zq*|=160(2n+1) bits	×	✔	×	×
[34]	2|G1| = 2048 bits	(n+1)|G1| = 1024(n+1) bits	✔	✔	×	×
Our scheme	|G|+|Zq*|=480 bits	n|G|+|Zq*|=160(2n+1) bits	✔	✔	✔	✔

Security features

As shown in Table 5, Xu et al.’s scheme [15], Xu et al.’s scheme [24], Kumar et al.’s scheme [25], Verma et al.’s scheme [33], and Shen et al.’s scheme [34] don’t consider the anonymity of patients’ identities and tracing of malicious medical sensor nodes, which are unsuitable for HWMSNs scenarios. Although Liu et al.’s scheme [27] and Gayathri et al.’s scheme [29] can meet the security requirements of HWMSNs, these schemes have security drawbacks that cannot withstand Type I and Type II attacks. The proposed scheme has been proved that resist Type I and Type II attacks under the random oracle model. Besides, our scheme is able to realize anonymity and traceability, which is more practical in HWMSNs.

Conclusion

In this paper, we found that Zhan et al.’s PF-CLAS scheme [31] cannot withstand malicious MSN attacks. In the meantime, we showed the reason why this scheme was vulnerable to malicious MSN attacks. It is obvious that Zhan et al.’s scheme cannot guarantee the identity privacy of patients and secure transmission of medical data. Hence, we gave methods to fix the vulnerability and constructed an improved PF-CLAS scheme that could ensure provable security. In addition, the performance evaluation indicated that our improved scheme can realize privacy preservation and secure communication at low overhead. In the future, how to combine blockchain and edge computing technologies to design a more lightweight and secure CLAS scheme for HWMSNs is still an interesting problem.

(XLS)

Click here for additional data file.

(XLS)

Click here for additional data file.