Anticollusion Attack Noninteractive Security Hierarchical Key Agreement Scheme in WHMS

Introduction
Wireless Health Monitoring System (WHMS) is a dedicated network environment that supports biometric information acquisition devices to gather people's health data anytime and anywhere [1]. Moreover, WHMS is a typical example of using wireless technologies to reduce medical expense and improve social benefits, such as promptly detecting strokes in patients who live alone [2, 3]. Security and privacy are major concerns in medical activities, and WHMS is no exception [4-6]. To provide privacy and security assurances in WHMS, it is important to provide security services by using cryptographic algorithms. Thus, obtaining cryptographic keys is an essential operation to achieve the security goals in WHMS. Several key agreement schemes have been proposed for WHMS applications [5, 7-10].
Noninteractive schemes are becoming a very active direction in sensor networks [11-14] because sensor nodes have limited energy, processing, and storage abilities. A noninteractive hierarchical key agreement scheme, called the Freshness-Preserving Noninteractive Hierarchical Key Agreement Protocol (FNKAP), was proposed by Kim [8] in 2014. The major advantages of the scheme proposed in Kim [8] are as follows. Firstly, only one round of communication is needed to agree on a session key between two entities. Secondly, it is claimed that FNKAP achieves patient anonymity and session key confidentiality, and that it can resist active and passive attacks. However, we found that there is a flaw in FNKAP when the physicians are not to be trusted. The scheme is not strong enough against a collusion attack mounted by two adversaries, one a physician and the other a patient. More precisely, in order to obtain a specific patient's electronic medical data, the adversary can pretend to be sick and become a patient of the same physician as the victim in the real world. Then, the adversary bribes any other physician to obtain the private values of a physician. Finally, the adversary can calculate the session key and decrypt the victim's electronic health data freely. Note that a physician can casually expose the private values because the disclosed values are untraceable in Kim's scheme. As a result, this method of attack is reasonable and straightforward to implement.
The contributions of this paper are twofold. First, we show that there is a weakness in FNKAP and describe a specific attack. Second, we propose a noninteractive hierarchical key agreement scheme with enhanced security for WHMS based on pairings. The security proof and analysis show that our scheme strengthens FNKAP and resists the collusion attack. Moreover, theoretical analysis shows that our scheme is more efficient than Kim's work.
The rest of this paper is organized as follows. We formalize a basic system structure for WHMS in Section 2, where we also give the security model and define the adversary's abilities. We briefly review Kim's scheme [8] in Section 3. The weakness of Kim's scheme is discussed in Section 4. We detail our enhanced security hierarchical key agreement scheme against the security attacks in Section 5. We present the analysis of our improvements regarding correctness and security in Section 6. We compare our scheme with Kim's scheme in terms of functionality and performance in Section 7. Finally, this paper is concluded in Section 8.

Preliminaries
We first illustrate the basic system structure of WHMS in this section. Moreover, we introduce the security threats, the security model, bilinear groups, and the mathematical assumption, separately. The basic notations are provided in the Notations section.
As the root authority, SV is responsible for managing the entities' authorities in WHMS. SV produces the private keys of entities such as GW, SN, and PH. When PA wants to use WHMS, his/her GW and SN should each agree on a session key with the physician (PH). Similarly, when PH wants to send a diagnostic report to PA, he/she should also agree on a session key with PA.

Security Threats.
Kim assumes that the physicians are trusted in paper [8]. However, we point out that the scheme should take the risk of physician corruption into account, because this is more practical. In practice, not all physicians are trustworthy all the time. For example, as reported, the staff of a famous hospital in the USA sold patients' personal medical data [7], and the medical information of 500 patients may have been compromised at a medical center in LA because an employee's laptop was stolen [15]. Thus, we assume a security model in which the adversary has the following abilities. First, the adversary totally controls the channel. Therefore, the adversary can eavesdrop, intercept, modify, replay, or inject any data via the channel. Second, the adversary can compromise the secret information of the physicians, except for the victim's current physician. Third, the adversary can also compromise several sensor nodes and gateways, except for the victim's current GW and SN.
We aim to achieve the following security goals under the above security threats.
Key Agreement. Two entities establish a session key which is known only to those specific entities.
Anonymity and Untraceability. The identities of GW and SN should be kept confidential from the adversary and cannot be traced by the adversary.
Resistance to Passive and Active Attacks. The scheme is secure against passive and active attacks.

Security Model.
Inspired by the security model for a noninteractive hierarchical key agreement scheme [11] and the original Bellare-Rogaway key exchange model [16], the security model of our scheme is stated as follows.
Participants. We model the scheme participants as a finite set  of fixed size, with each  being a Probabilistic Polynomial Time (PPT) Turing machine. Each scheme participant  ∈  may execute a polynomial number of protocol instances in parallel. We will refer to the th instance of principal  communicating with peer  as ∏  , .
Adversary Model. The adversary A is modeled as a PPT Turing machine and is given all public parameters of the system; he/she can access the oracle by issuing the following queries:
(i) Send(∏  , , ). The adversary A sends the message  to the session  executed by  communicating with . Since our proposal is a noninteractive scheme, the query does not need to be responded to.
(ii) Establish(). The adversary A names a node  and obtains all the secret values held by the node. Neither the patient's gateway nor the sensor nodes named in the test query, nor any of their ancestors, can be established.
(iii) Reveal(∏  , ). If the query succeeds, the system returns the session key to the adversary A. The session between the target patient's devices (a gateway and sensor nodes) and the physician cannot be revealed.
(iv) Test(∏  , ). Only one query of this form is allowed for the adversary A. The adversary A names ID  and ID  and executes this query at any time. Then, a number sk is returned as follows. A bit  is chosen at random in {0, 1}. If  = 1 then the adversary gets the secret key shared between the two nodes, and if  = 0 it gets a key chosen at random from the set of all possible shared keys.
Definition 1 (HKA-security). As a function of the security parameter , we define the advantage Adv HKA A,∑ of the PPT adversary A in attacking scheme ∑ as Here, Succ HKA A,∑ is the probability that the adversary queries Test(∏  , ) and outputs a bit  * such that  is used by the test query. We call a hierarchical key agreement scheme ∑ HKA secure if, for any PPT adversary A, the advantage function Adv HKA A,∑ is negligible.

Bilinear Groups
Definition 2 (bilinear map).  1 is an additive cyclic group of prime order  and  2 is a multiplicative cyclic group of prime order . The bilinear pairing is a map ê :  1 ×  1 →  2 with the following properties [17].
Nondegeneracy. The map does not send all pairs in  1 ×  1 to the identity in  2 .

Mathematical Assumption.
The mathematical assumptions used in the paper are listed as follows.

Notations.
To provide a quick reference, the basic notations used in the paper are listed in Notations section.

Review of Kim's Scheme
In this section, we briefly review Kim's key agreement scheme [8], which consists of three phases: the System Initialization Phase, the Physician and Patient Registration Phase, and the Noninteractive Key Agreement and Secure Communication Phase.

System Initialization Phase.
SV generates two groups  1 and  2 of prime order  with a bilinear map ê :  1 ×  1 →  2 . It also chooses a cryptographic hash function  : {0, 1} * →  1 . After that, SV picks four random numbers  1 ,  2 ,  3 ,  4 ←  *  as the master private keys. Then, SV computes an amplified identity AD SV = (ID SV ) and a public key  1 AD SV . Finally, SV keeps the master private keys and the amplified identity securely.

Physician and Patient Registration Phase.
Finally, GW , and SN ,, store their received information securely.

Noninteractive Key Agreement and Secure Communication.
In this phase, the sensor node SN ,, and the gateway GW , of the patient PA  and the physician PH  agree on fresh session keys for establishing a secure communication channel. Here, the statement  →  :  denotes that  receives a message  from  via an unsecure channel. The Noninteractive Key Agreement and Secure Communication Phase is shown in Figure 3.
Step K1 (SN ,, → SV : { 1 ,  1 , AD SN ,, , MAC 1 }). SN ,, chooses a random number  1 and computes  1 =  1 AD SN ,, . The fresh session key sk 1 is computed as follows:
Step K2. When PH  is authenticated by SV, he/she can check the data of the patient PA  . PH  computes the fresh session key sk  1 as follows: Then, PH  computes MAC  1 = (sk  1 ‖  1 ‖  1 ). Only if MAC  1 is equal to MAC 1 does PH  assure the correctness of sk  1 . Then, PH  decrypts  1 to get Data  by using the key sk  1 .
Step K4. When GW , is authenticated by SV, he/she can receive the report of the patient PA  from SV. GW , computes the fresh session key sk  2 as follows: Then, GW

Security Analysis of Kim's Scheme
The author of [8] proposed a freshness-preserving noninteractive key agreement scheme for WHMS. Under our security model, there is a weakness in the scheme, as explained in the following section.

Figure 4: Collusion attack against Kim's scheme (Step A1 and Step A2: register PH and PA; Step A3 and Step A4: eavesdrop; Step A6: decrypt).

Security against Collusion Attack.
We now demonstrate that Kim's scheme is vulnerable to the collusion attack as claimed. One adversary A 1 has registered as a legal physician PH A , and the other adversary A 2 has registered as a normal patient PA A , as shown in Figure 4. The adversaries can obtain the electronic health data of any patient who is diagnosed by the same physician PH  as the adversary A 2 . The adversaries attack a patient PA , as follows.
Step A1. Assume that A 1 is an attacker who has registered as a physician PH A with SV; then he/she can legally receive a private key set ( 1 AD SV ,  2 AD PH A ,  3 ,  4 ) from SV (Step R1). Then, A 1 sends a part of the private key set
Step A2. A 2 is an adversary who has registered as a patient of the physician PH  . He/she can legally receive a secure data set (AD SV , AD PH  , AD GW ,A ) and a private key set
Step A3. Suppose SN ,, is a sensor node of the victim PA that sends information through the gateway GW , . PA is diagnosed by the same physician PH  as A 2 . When SN ,, runs Step K1, an adversary can intercept the data { 1 ,  1 , AD SN ,, , MAC 1 } because the communications between SN ,, and SV are unsecure.
Step A4. When PH  sends the electronic health report to PA  in Step K3, an adversary can intercept the data { 2 ,  2 , AD GW , , MAC 2 } because the communications between PH  and SV are also unsecure.
Step A5. A 2 can compute the session key after the above steps. A 2 receives ( 3 ,  4 ) from A 1 in Step A1. Then, he/she gets ( 1 AD SV ,  2 AD PH  ) and (AD SV , AD PH  ) in Step A2. Moreover, the information { 1 ,  1 , AD SN ,, , MAC 1 } and { 2 ,  2 , AD GW , , MAC 2 } is intercepted in Steps A3 and A4, respectively. Therefore, A 2 can compute the same session keys sk 1 and sk 2 as follows:
Step A6. A 2 decrypts  1 and  2 to obtain the victim's medical information using the session keys sk A 1 and sk A 2 , respectively.

Our Proposed Scheme
In this section, we propose an improved scheme that overcomes the flaw of Kim's scheme described in Section 4. Our scheme construction is inspired by the practical noninteractive key distribution scheme in [12] and Kim's paper [8]. Our scheme consists of four operational phases: the Setup Phase, the Key Generation Phase, the Key Agreement from SN to PH Phase, and the Key Agreement from PH to GW Phase. The details of our scheme are described as follows.
5.1. Setup Phase. In this phase, the u-Health Server SV, as the Private Key Generator (PKG), takes as inputs a security parameter  and the maximal number of physicians . Then, SV outputs the system public parameters params and the master private key set sk. SV publishes params and keeps sk private.
Similar to an identity-based cryptography scheme, SV generates two groups  1 and  2 of prime order  with a bilinear map ê :  1 ×  1 →  2 . However, it chooses three cryptographic hash functions Here,  0 is used to verify the correctness of the secret key sets.
It is important to note that although our proposal increases the storage space because of the values   ,  ∈ [1, ], there is a one-to-one mapping between a physician PH  and a value   . In addition, the list of physicians must be stored in SV. Thus, we can use the mapping to reduce the storage space. For instance, SV obtains the list of registered physicians. Then, SV chooses a secret hash function  * : {0, 1}  →  *  and a random value  0 . Finally, SV can apply the hash function  * (⋅)  times to get the secret value   =  * (⋅ ⋅ ⋅ ( * ( 0 ))). In this way, SV only needs to store the selected hash function and the initial value  0 secretly. On one hand, the proposal saves storage resources by using the hash function. On the other hand, it increases the consumption of computing resources. In order to balance the computing cost and the storage space, SV can store not only the initial value  0 but also some intermediate values   . We describe the scheme using the secret values   ,  ∈ [1, ] to simplify the analysis.
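The storage/computation trade-off just described, as an added illustration that is not code from the paper: SV keeps the initial value t_0 plus a checkpoint every few steps of the chain t_i = H*(t_{i-1}) and re-derives any t_i from the nearest checkpoint. The secret hash function H* is instantiated here (our assumption) as HMAC-SHA256 under a key held only by SV; the index range, the constructed t_0 and the checkpoint stride are parameters a server operator would choose.

```python
import hashlib
import hmac


class PhysicianSecretChain:
    """Derives the per-physician secret t_i = H*(...H*(t_0)) (i applications of H*).

    SV stores t_0, the H* key and one checkpoint every `stride` steps; deriving
    t_i then costs at most `stride` evaluations of H* instead of i.
    """

    def __init__(self, hstar_key: bytes, t0: bytes, max_physicians: int, stride: int):
        if stride < 1 or max_physicians < 1:
            raise ValueError("stride and max_physicians must be positive")
        self._key = hstar_key
        self._stride = stride
        self._max = max_physicians
        self._checkpoints = {0: t0}
        cur = t0
        # Walk the whole chain once at setup and remember every stride-th value.
        for i in range(1, max_physicians + 1):
            cur = self._h_star(cur)
            if i % stride == 0:
                self._checkpoints[i] = cur

    def _h_star(self, x: bytes) -> bytes:
        # Keyed hash standing in for the paper's secret H*: without the key,
        # a party holding some t_i cannot step the chain forward to t_{i+1}.
        return hmac.new(self._key, x, hashlib.sha256).digest()

    def secret_for(self, i: int) -> bytes:
        """t_i for physician PH_i, 1 <= i <= max_physicians."""
        if not 1 <= i <= self._max:
            raise ValueError("physician index out of range")
        base = (i // self._stride) * self._stride   # nearest checkpoint at or below i
        cur = self._checkpoints[base]
        for _ in range(i - base):
            cur = self._h_star(cur)
        return cur

    def stored_values(self) -> int:
        """Number of chain values SV keeps (t_0 plus the checkpoints)."""
        return len(self._checkpoints)


def naive_chain(hstar_key: bytes, t0: bytes, i: int) -> bytes:
    """Reference derivation with no checkpoints: i sequential H* evaluations."""
    cur = t0
    for _ in range(i):
        cur = hmac.new(hstar_key, cur, hashlib.sha256).digest()
    return cur


# Constructed parameters for a stand-alone run (not values from the paper).
DEMO_KEY = b"constructed-server-secret-key"
DEMO_T0 = bytes.fromhex("00" * 31 + "01")

if __name__ == "__main__":
    chain = PhysicianSecretChain(DEMO_KEY, DEMO_T0, max_physicians=1000, stride=100)
    print("stored values:", chain.stored_values())
    print("t_537 matches naive derivation:",
          chain.secret_for(537) == naive_chain(DEMO_KEY, DEMO_T0, 537))
```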

Key Generation Phase.
In addition, SV packs a data package containing a private key set and two amplified identities {sk PH  ‖ (AD SV  , AD PH  )} and delivers the data package to PH  via a secure channel. Here, the secure channel could be a smart card carried by a trusted person. Finally, PH  keeps the received information securely.
Step Next, PH  packs a data package containing a private key set and three amplified identities {sk GW , ‖ (AD SV  , AD PH  , AD GW , )} and delivers the data package to GW , via a secure channel. Furthermore, SV packs a data package containing a private key set {sk SN ,, ‖ (AD SV  , AD PH  , AD GW , , AD SN ,, )} and delivers it to SN ,, via a secure channel. Finally, GW , and SN ,, store their received information in a secure area, respectively.

Key Agreement from SN to PH Phase.
In this phase, a sensor node SN ,, of the patient PA , makes a connection with the physician PH  , and the sensor node SN ,, and the physician PH  agree on a session key.
Step 1. When a sensor node SN ,, wants to upload the patient's medical data, SN ,, chooses a random number  1 and computes  1 =  1 AD SN ,, using its amplified identity AD SN ,, . The session key sk 1 is calculated as follows: Then, SN ,, computes  1 =  sk 1 (Data ,, ) and
Step 2. After receiving the data package  1 , SV verifies whether the timestamp  1 is within the valid time window for communication. If it is invalid, the key agreement terminates. Otherwise, SV validates the package by checking whether  * 1 =  1 , as follows: Only if  * 1 is equal to the  1 included in  1 does SV accept the package as coming from the sensor node AD SN ,, and send a notice to PH  . Finally, SV stores the package  1 in its database.
Step 3. When PH  is authenticated by SV, he/she can check the data of the sensor node SN ,, . PH  computes the fresh session key sk  1 as follows: In addition, PH  computes 1 is equal to  1 does PH  assure the correctness of sk  1 and decrypt  1 to get Data ,, by using the key sk  1 .

Key Agreement from PH to GW Phase.
In this phase, the physician PH  makes a connection with a patient's gateway GW , , and they agree on a fresh session key for communication.
Step 1. When PH  wants to communicate with PA , , such as to send the electronic health report, he/she chooses a random number  2 and computes  2 =  2 AD PH  . PH  computes the fresh session key sk 2 as follows: In addition, PH  computes  2 =  sk 2 (Data , ) and Only if  * 2 is equal to the  2 included in  2 does SV accept the package as coming from the physician AD PH  and send a notice to PA , . Finally, SV stores the package  2 in its database.
Step 3. When GW , is authenticated by SV, he/she can get the report of the patient PA , from SV. GW , computes the fresh session key sk  2 as follows: Then, GW , computes 2 is equal to  2 does GW , assure the correctness of sk  2 and decrypt  2 to get Data , by using the key sk  2 .
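The acceptance check SV performs in Step 2 of both the SN-to-PH and the PH-to-GW phases (timestamp window, then recomputing the certification value from its own copy of the session key), as an added example that is not the paper's code. Assumptions: H2 and H3 are SHA-256 over a length-prefixed concatenation; the pairing-derived value K that both the sender and SV can compute is passed in as opaque bytes (a constructed stand-in, no pairing library is used); the duplicate-package cache goes beyond the paper's text and is labelled as such.

```python
import hashlib
import hmac
from dataclasses import dataclass

FRESHNESS_WINDOW_SECONDS = 120   # assumed validity window for the timestamp T


def _cat(*parts: bytes) -> bytes:
    # Length-prefixed '||' so "a||bc" and "ab||c" can never hash to the same value.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def h2(k: bytes, r: bytes, ad_a: bytes, ad_b: bytes) -> bytes:
    """Session key sk = H2(K || R || AD_a || AD_b), SHA-256 assumed for H2."""
    return hashlib.sha256(b"H2" + _cat(k, r, ad_a, ad_b)).digest()


def h3(sk: bytes, t: int, r: bytes, c: bytes, ad_a: bytes, ad_b: bytes) -> bytes:
    """Certification value sigma = H3(sk || T || R || C || AD_a || AD_b)."""
    return hashlib.sha256(b"H3" + _cat(sk, str(t).encode(), r, c, ad_a, ad_b)).digest()


@dataclass(frozen=True)
class Package:
    t: int            # timestamp (seconds)
    ad_sender: bytes  # amplified identity of SN (or of PH in the second phase)
    ad_peer: bytes    # amplified identity of PH (or of GW)
    r: bytes          # fresh value R = r * AD_sender (opaque bytes here)
    c: bytes          # ciphertext C = E_sk(Data)
    sigma: bytes      # certification value


def build_package(k: bytes, t: int, ad_sender: bytes, ad_peer: bytes,
                  r: bytes, c: bytes) -> Package:
    """Sender side: derive sk from K and bind T, R, C and both identities into sigma."""
    sk = h2(k, r, ad_sender, ad_peer)
    return Package(t, ad_sender, ad_peer, r, c, h3(sk, t, r, c, ad_sender, ad_peer))


class Server:
    """SV's side: freshness check, sigma* = sigma check, then store the package."""

    def __init__(self):
        self.database = []          # accepted packages (the paper's "stores the package")
        self._seen_sigma = set()    # added check: exact replay inside the window

    def accept(self, pkg: Package, k_star: bytes, now: int) -> str:
        # 1. The timestamp must lie within the valid communication window.
        if abs(now - pkg.t) > FRESHNESS_WINDOW_SECONDS:
            return "reject: stale timestamp"
        # 2. Recompute sk* from SV's own view of K and compare sigma* with sigma.
        #    A package whose T was refreshed by someone without sk fails here.
        sk_star = h2(k_star, pkg.r, pkg.ad_sender, pkg.ad_peer)
        sigma_star = h3(sk_star, pkg.t, pkg.r, pkg.c, pkg.ad_sender, pkg.ad_peer)
        if not hmac.compare_digest(sigma_star, pkg.sigma):
            return "reject: certification value mismatch"
        # 3. Added check (not in the paper): the same package presented twice
        #    inside the window would otherwise pass steps 1 and 2.
        if pkg.sigma in self._seen_sigma:
            return "reject: replayed package"
        self._seen_sigma.add(pkg.sigma)
        self.database.append(pkg)
        return "accept"


# Constructed sample values for a stand-alone run (not real pairing outputs).
K_SHARED = hashlib.sha256(b"constructed pairing value K1").digest()
AD_SN = hashlib.sha256(b"ID_SN_i,j,k").digest()
AD_PH = hashlib.sha256(b"ID_PH_i").digest()
R1 = hashlib.sha256(b"constructed r1*AD_SN").digest()
C1 = b"constructed ciphertext of Data_i,j,k"


def demo() -> list:
    sv = Server()
    pkg = build_package(K_SHARED, 1_700_000_000, AD_SN, AD_PH, R1, C1)
    results = [sv.accept(pkg, K_SHARED, now=1_700_000_030)]       # fresh and genuine
    results.append(sv.accept(pkg, K_SHARED, now=1_700_000_060))   # same package again
    results.append(sv.accept(pkg, K_SHARED, now=1_700_001_000))   # long after: stale
    # A captured package with only T refreshed: sigma no longer matches sk*.
    refreshed = Package(1_700_001_000, pkg.ad_sender, pkg.ad_peer, pkg.r, pkg.c, pkg.sigma)
    results.append(sv.accept(refreshed, K_SHARED, now=1_700_001_010))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```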

Correctness and Security
In this section, we present the correctness of our improved scheme. Then, we show by security analysis that our enhanced key agreement scheme overcomes the two security weaknesses of FNKAP.
6.1. Correctness. We verify the correctness of the key agreement in our scheme as follows: Thus, the agreed session keys sk 1 , sk * 1 , and sk  1 computed by PH  , SV, and SN ,, are equal. In the same way, we can show that sk 2 is equal to sk  2 because  2 is equal to  * 2 and   2 : (17)

Security Proof.
In the following, we show that our scheme is provably secure under the DBDH assumption in the random oracle model. We treat  1 ,  2 , and  3 as three random oracles.
Theorem 6. Let  1 and  2 be two groups of order  and ê a bilinear map that together satisfy the DBDH assumption. Let the hash functions  1 ,  2 , and  3 used in the scheme be modeled as random oracles. Then, the proposed scheme is a secure key agreement scheme in our security model.
Proof. Suppose an adversary A is an attack algorithm that breaks our scheme with probability ; we show how to use A to build an algorithm B that solves the DBDH problem with probability at least   . Thus, A's advantage must be negligible because the DBDH assumption holds.
We refer to B as "the simulator" because it simulates a real attack environment for A. B is initialized with the DBDH parameters { 1 ,  2 , ê, } and the points {, , ,  ∈  1 , ,  ∈  2 },  = ê(, )  , and  = ê(, )  . The idea of the proof is that B embeds the DBDH problem into the queries issued by A. Since the hash function  2 is modeled as a random oracle, after the adversary issues the test query there are only two non-negligible cases in which it can distinguish the tested session key sk 1 or sk 2 from a random string.
Case 1 (key-replication attack). The adversary A forces a nonmatching session to have the same session key as Test(∏  , ). In this case, the adversary A can get the session key by querying the nonmatching session. However, the input of the hash function  2 includes the entities' identities and the random nonce. Furthermore, they and a timestamp are integrity-protected by  3 . For example, in Step 1, the session key sk 1 =  2 ( 1 ‖  1 ‖ AD SN ,, ‖ AD PH  ) includes the identities AD PH  and AD SN ,, and the random nonce  1 . The certification value  1 =  3 (sk 1 ‖  1 ‖  1 ‖  1 ‖ AD SN ,, ‖ AD PH  ) includes them and the timestamp  1 . Therefore, two nonmatching sessions cannot have the same values, and when  2 and  3 are modeled as random oracles, the success probability of a key-replication attack is negligible.
Case 2 (forging attack). The adversary A queries  2 on the value  2 ( 1 ‖  1 ‖ AD SN ,, ‖ AD PH  ) or  2 ( 2 ‖  2 ‖ AD PH  ‖ AD GW , ) in the test query. Obviously, in this case the adversary A can compute the value  1 or  2 by itself.
In the following, we mainly analyze the Case 2 forging attack. The simulator B uses A to turn A's advantage in distinguishing the tested session key from a random string into an advantage in solving the DBDH problem. During the game, B has to answer all of A's queries.
Queries. When the adversary A makes his/her queries, the simulator B answers them in arbitrary order as follows. Note that ID PH  , ID GW , , and ID SN ,, are the guessed victim physician and devices.
 1 (⋅). In order to enhance the simulation's fidelity, B maintains an initially empty list B looks in the list  list 2 and returns the value sk 1 or sk 2 to the adversary A.
The test query is answered by B with its DBDH input  or . Consider the following two cases:
(i) If  = , since  = ê(, )  in the DBDH instance, then Thus, the response by B corresponds to the real values sk 1 and sk 2 .
(ii) If  = , since  = ê(, )  is random, the response by B to the test query of A is a random element in  2 .
If the adversary A succeeds in getting the session key sk 1 or sk 2 , it can distinguish between the value sk 1 or sk 2 and a random value; it then outputs the correct bit  = 1 or  = 0. B can give the correct answer to the DBDH problem by using A's output.
The success probability of B is Here,  is the probability that the adversary A succeeds in launching the attack. () is the polynomial bound on the number of the adversary A's queries. If the adversary A succeeds with non-negligible probability in attacking our scheme, we can also solve the DBDH problem with non-negligible probability. Thus, the security of our scheme rests on the DBDH problem.

Security Analysis.
In the following, we directly analyze how our proposed scheme achieves entity anonymity and untraceability and resists the collusion attack, and whether the security requirements are satisfied.
Proposition 7. The proposed scheme can resist the replay attack.
Proof. It should be noted that our proposed scheme inherits the structure of FNKAP. We also use the random numbers  1 and  2 to achieve fresh key agreement. The adversary cannot compute the   ,  ∈ {1,2} from  1 =  he/she cannot get the information except when he/she can solve the ECDL problem. Similarly, an insider adversary cannot launch an attack on the key agreement from PH to GW phase, because he/she cannot get the value  2   AD GW , . Thus, our proposal resists the collusion attack effectively.

Functionality and Performance Comparison
In this section, security and functionality are compared between our scheme and FNKAP. Then, we compare the communication and computation cost performance.

Functionality Comparison.
As shown in Table 1, our scheme not only provides the functionality of [8] but also resists the collusion attack. Therefore, we can conclude that the proposed scheme achieves a higher security level than FNKAP.

Performance Comparison.
To compare the actual computational costs, we implemented our scheme and Kim's scheme with the JPBC library (Java Pairing-Based Cryptography Library [19]) on an ARM platform and a desktop platform. The detailed parameters of the platforms are listed in Table 2. To provide an environment similar to WHMS, the weak processing ability is simulated on an Android smartphone (HTC M7) running Android 4.1 with a Snapdragon APQ8064 at 1.7 GHz, and the powerful processing ability is simulated on a desktop computer running Windows 7 with an Intel Core i5-3470.
Table 3 summarizes the elliptic curve and pairing parameters for JPBC. We use a 512-bit elliptic curve  3 =  3 +  to evaluate our scheme on the platforms. In Table 4, the top row gives the results on the ARM platform, and the second row gives the results on the desktop platform. All experimental results are averaged over 10 independent runs.
In order to provide a detailed comparison, we test the basic operations in  *  ,  1 , and  2 separately. The time of a pairing computation is denoted by   . The time of a hash operation is denoted by  ℎ . The time of a multiplication in  *  ,  1 , and  2 is denoted by    ,   1 , and   2 , respectively. The time of an addition in  *  and  1 is denoted by    and   1 , respectively. The time of an exponentiation in  2 is denoted by   . Note that the time of the hash operation  ℎ is the smallest because it needs very limited computation. On the contrary, the pairing operation   is the most expensive.
Tables 5 and 6 illustrate the performance comparison with Kim's scheme. In Tables 5 and 6, the notation id is the unit length of an identity and the notation pr is the unit length of a private key. First, in order to achieve session key freshness, we keep the one-round communication to exchange a random value  1 or  2 , as in FNKAP. Second, our scheme increases the randomness of the amplified identity against passive offline attacks. However, the amplified identity space is equal to that of FNKAP because the amplified identity is still a hash value. Third, the private key space of GW and SN decreases because we reduce the redundancy of the private key information held by GW and SN. Moreover, this shrinks the risk of insider attack because only SV knows all the secret information. Fourth, the computation time of our scheme is nearly half that of FNKAP because we halve the number of pairing operations. Finally, we should point out that the computation and storage costs of our scheme for SV are higher than those of Kim's work. More precisely, SV must choose and store  more random numbers than in FNKAP, and 4 more multiplications in  *  are needed in the Setup Phase. These additions only increase the computation cost and the storage requirement in SV. SV has enough computing and storage power to handle these operations because the u-Health Server is usually a server cluster. Furthermore, the computing operations are only increased in the Setup Phase. For the resource-limited entities GW and SN, the computation and storage requirements do not increase; rather, they decrease. Thus, the scheme is feasible for key agreement in WHMS.
Our proposed scheme inherits the advantages of Kim's hierarchical scheme in WHMS. At the same time, our scheme provides security enhancement against the collusion attack in our security model. Furthermore, it preserves the low computation cost and small private key space in SN and GW compared to FNKAP. Therefore, it is an enhanced security hierarchical key agreement scheme with the noninteractive property that is suitable for application in WHMS.

Conclusions
In this paper, we have shown that there is a security weakness in Kim's work [8] under a practical security model with physician corruption. The security flaw is due to the fact that the physicians' parts of the private key are the same. Therefore, the adversary, as a legal physician, can acquire the patient's entire private information. To enhance the scheme, we proposed an authenticated key agreement scheme which randomizes each physician's private key. Moreover, we have reduced the number of private keys and the number of bilinear pairing operations. Thus, the performance of our scheme is more suitable for the WHMS environment than Kim's work. We also prove the security of our scheme. The proof shows that the proposed scheme is secure under the DBDH assumption in the random oracle model.

Notations
PH i: The ith physician
PA i,j: The ith physician's jth patient
SV: The u-Health Server
GW i,j: PA i,j's gateway
SN i,j,k: PA i,j's kth sensor node
ID: The identity of an entity
AD: The amplified identity of ID
sk 1 and sk 2: The session keys established between two entities
(⋅),  1 (⋅),  2 (⋅), and  3 (⋅): The cryptographic hash functions
  (): Encryption of a message  using a symmetric key 
⋅: Multiplication operator
‖: Concatenation operator.

Figure 1: Basic hierarchical key agreement structure in WHMS.
{(s 1 AD SV , s 2 AD PH  , s 3 , s 4 ) ‖ (AD SV , AD PH  )} {(s 1 AD SV , s 2 AD PH  , s 3 AD GW , , s 4 AD SN ,, ) ‖ (AD SV , AD PH  , AD GW , , AD SN ,, )} Patient Registration Phase.Before providing service, the patient PA and his/her physician PH must register in SV.Here, the statement  ⇒  :  denotes that  receives a message  from  via a secure channel.The Physician and Patient Registration Phase is basically shown in Figure2.PH  : Reg PH  ).When a physician PH  wants to be a legal e-medical physician, he/she sends his/her identity ID PH  to SV via a secure channel.Then, SV validates the identity ID PH  .If the solution is positive, SV sendsReg PH  = {( 1 AD SV ,  2 AD PH  ,  3 ,  4 ) ‖ (AD SV , AD PH  )}.Here, AD PH  = (ID PH  ).Finally, PH  stores the received information, securely.Step R2 (SV ⇒ GW , : Reg GW , and SV ⇒ SN ,, : Reg SN ,, ).When a patient PA , of PH  wants to use the service in the WHMS, he/she should register his/her gateway GW , and  sensor nodes SN ,, , 1 ≤  ≤  in SV.SV validates the identity ID PH  submitted by PA , .If the solution is positive, SV receives the gateway's identity ID GW , and the sensor nodes' identity ID SN ,, , 1 ≤  ≤ .Then, SV sends Reg GW , and Reg SN ,, to them via a secure channel.Here, Reg GW , and Reg SN ,, as follows: , computes MAC  2 = (sk  2 ‖  2 ‖  2 ).Only if MAC  2 is equal to MAC 2 does GW , assure the correctness of sk  2 .Then, GW , decrypts  2 to get Data  by using the key sk  2 .
, ‖ AD PH  ).Here, Data ,, is the data collected by SN ,, and  1 is a current timestamp.
).Here, Data , is the electronic health report composed by PH  , and  2 is a current timestamp.Finally, PH  sends a message package  2 = { 2 , AD PH  , AD GW , ,  2 ,  2 ,  2 } to SV.Otherwise, SV can assure the package by judging  * 2 =  2 as follows: Step 2. After receiving the data package  2 , SV checks the validity of the timestamp  2 .If it has grown stale, SV quits the session.
list 1 of tuples (ID  ,   ,   , ℎ ,  ) ∈ {0, 1} * × 1 × *  ×{0, 1}  .When A queries the oracle  1 as an input (ID  ‖   ), B responds to the query in the following way.(i) B checks the list  list 1 ; if (ID  and   ) are already there, then B responds with stored value ℎ ,  .(ii) Otherwise, if ID  = ID PH  and   =   , B randomly chooses  PH  ∈  *  , and it computes ℎ PH  ,  =  PH  .Then, it inserts (ID PH  ,   ,  PH  , ℎ PH  ,  ) into the  list 1 .Finally, it responds with  1 (ID PH  ‖   ) = ℎ PH  ,  .(iii) Otherwise, if ID  = ID GW , , B randomly chooses  GW , ∈  *  and computes the value ℎ GW , , , =  GW , .Then, it inserts (ID GW , ,  , ,  GW , , ℎ GW , , , ) into the  list 1 .Here,  , =   .Finally, it responds with  1 (ID GW , ‖  , ) = ℎ GW , , , =  GW , .(iv) Otherwise, if ID  = ID SN ,, , B randomly chooses  SN ,, ∈  *  and computes the value ℎ SN ,, , , =  SN ,, .Then, it inserts (ID SN ,, ,  , ,  SN ,, , ℎ SN ,, , , ) into the  list 1 .Here,  , =   .Finally, it responds with  1 (ID GW , ‖  , ) = ℎ GW , , , =  SN ,, .(v) Otherwise, B randomly chooses   ∈  *  , computes ℎ ,  =   , and inserts (ID  ,   ,   , ℎ ,  ) in the list.Finally, it responds with  1 (ID  ‖   ) = ℎ ,  =   . 2 (⋅).The simulator B maintains an initially empty list  list 2 with entries of the form (  ,   , AD  , AD  , ℎ ,  ) ∈  2 ×  3 1 × {0, 1}  .When A queries the oracle  2 as a input (  ,   , AD  , AD  ), the simulator B responds to the query in the following way.(i) B checks the list  list 2 ; if (  ,   , AD  , AD  ) is already there, B responds with the value ℎ ,  .(ii) Otherwise, B randomly chooses ℎ ,  ∈ {0, 1}  and sends back the value to A. Finally, B stores the new tuple (  ,   , AD  , AD  , ℎ ,  ) in the list  list 2 . 
 3 (⋅). The simulator B maintains an initially empty list  list 3 with entries of the form (  ,   ,   ,   , AD  , AD  , ℎ ,  ) ∈ {0, 1}  × {0, 1} * ×  3 1 × {0, 1}  . The simulator B responds to these queries in the following ways. (i) B checks the list  list 3 ; if (  ,   ,   ,   , AD  , AD  ) is already there, B responds with the value ℎ ,  . (ii) Otherwise, B randomly chooses ℎ ,  ∈ {0, 1}  and sends back ℎ ,  to A. Finally, B stores the new tuple (  ,   ,   ,   , AD  , AD  , ℎ ,  ) in the list  list 3 .

ℎ(  ). When receiving this query, B responds to the query in the following way. (i) If ID  is the target physician or the target patient's gateway or sensor nodes, B aborts the game. (ii) Otherwise, if ID  is a physician PH  , B looks in  list 1 for the entries (ID SV  ,   ,  SV  , ℎ SV  ,  ) and (ID PH  ,   ,  PH  , ℎ PH  ,  ). Then, B returns {(   PH  ,  2   ,  3   ) ‖  SV  ,  PH  }. (iii) Otherwise, if ID  is a patient's GW , , B looks in  list 1 for the entries (ID SV  ,   ,  SV  , ℎ SV  ,  ), (ID PH  ,   ,  PH  , ℎ PH  ,  ), and (ID GW , ,   ,  GW , , ℎ GW , ,  ). Then, B returns {(   PH  ,  2    GW , ) ‖  SV  ,  PH  ,  GW , }. (iv) Otherwise, if ID  is a physician SN ,, , the simulator B looks in  list 1 for the entries (ID SV  ,   ,  SV  , ℎ SV  ,  ), (ID PH  ,   ,  PH  , ℎ PH  ,  ), (ID GW , ,   ,  GW , , ℎ GW , ,  ), and (ID SN ,, ,   ,  SN ,, , ℎ SN ,, ,  ). Then, B returns {(   PH  ,  3    SN ,, ) ‖  SV  ,  PH  ,  GW , ,  SN ,, }.

(∏  , , ). Since  2 and  3 are random oracles, the adversary cannot change the communication message. The simulator B needs only to store the values according to the scheme. Moreover, the parameters are included in the data , which can be found in the lists  list 3 and  list 2 .

V(∏  , ). B maintains a list sk list with tuples of the form (ID  , ID  ,   , ∏  , ). The simulator B responds to the query in the following way. (i) If ID  and ID  are the target physician and the target patient's gateway or sensor nodes, B aborts the game. (ii) Otherwise, if ID  is a target physician PH  and ID  is not one of the target patients' facilities, B proceeds in the following way to respond: (a) If ID  is an identity of a gateway, B computes   = ê( GW , * ,    PH  ) ⋅ ê( 2    GW , * ,  2 ). Then, B finds the value ℎ ,  from  list 2 and returns ℎ ,  as the response. (b) Otherwise, ID  should be an identity of a sensor node; the simulator B computes   = ê( SN , * , * ,    PH  ) ⋅ ê( 1 ,  3    PH  ). Then, B finds the value ℎ ,  from  list 2 and returns ℎ ,  as the response. (iii) Otherwise, if ID  is another physician PH  and ID  is one of his/her patients' facilities, B proceeds in the following way to respond: (a) If ID  is an identity of a gateway, B computes   = ê( GW , * ,    PH  ) ⋅ ê( 2    GW , * ,  2 ). Then, B finds the value ℎ ,  from  list 2 and returns ℎ ,  as the response. (b) Otherwise, ID  should be an identity of a sensor node; B computes   = ê( SN , * , * ,    PH  ) ⋅ ê( 1 ,  3    PH  ). Then, B finds the value ℎ ,  from  list 2 and returns ℎ ,  as the response.

(∏  , ). A issues a test query. Suppose the identity tuple of the first node  is ID PH  and the second target node  is ID GW , or ID SN ,, . (i) If  and  do not belong to our guessed victims PH  and PA , , B aborts the game. (ii) Otherwise, B queries AD SV  , AD PH  , AD GW , , and AD SN ,, . (a) If  = GW , , B computes  2 (1)D SN ,, and  2 =  2 AD PH  because of the difficulty of the ECDL problem.

Moreover, the proposed scheme can efficiently resist the replay attack by considering the following scenarios. (1) An adversary cannot replay the data package  1 to cheat SV and PH  . During the Key Agreement from SN to PH Phase, when SV receives a data package  1 , it verifies the timestamp  1 against the current time. If the data package is a replay attack, SV will detect it. Moreover, if the adversary changes the timestamp  1 in  1 , SV will find the behavior by checking the equation * 1 =  3 (sk * 1 ‖  1 ‖  1 ‖  1 ‖ AD SN ,, ‖ AD PH  ) because it cannot obtain the session key sk * 1 . (2) An 
adversary cannot replay the data package  2 to cheat SV and PH  . Similar to the above, an adversary cannot replay the data package  2 to cheat SV and PA , . During the Key Agreement from PH to GW Phase, when SV receives a data package  2 , it verifies the timestamp  2 against the current time. If the data package is a replay attack, then SV will detect it. Moreover, if the adversary changes the timestamp  2 in  2 , SV will find the behavior by checking the equation  * 2 =  3 (sk * 2 ‖  2 ‖  2 ‖  2 ‖ AD PH  ‖ AD GW , ) because it cannot know the session key sk * 2 .

To establish a session key between SN and PH, SN ,, and PH  use a different  1 AD SN ,, for each session. Thus, even if the current session key sk 1 =  2 ( 1 ‖  1 ‖ AD SN ,, ‖ AD PH  ) is disclosed, an adversary cannot obtain any information about  1 = ê(AD SN ,, ,  1   AD PH  )⋅ê( 3   AD SN ,, , AD PH  )  1 . In other words, the adversary cannot get more opportunities to guess the previous key sk * 1 =  2 ( * 1 ‖  1 ‖ AD SN ,, ‖ AD PH  ) than before, even if he/she knows the current key sk 1 . Similarly, because  2 is equal to  2 AD PH  , the adversary gains no advantage in guessing the previous key sk * 2 =  2 ( * 2 ‖  2 ‖ AD PH  ‖ AD GW , ) between PH and GW compared to before, even if he/she knows the current key sk 2 . Thus, our proposal can provide basic forward secrecy.

The proposed scheme can prevent the fraud attack. Proof. Our proposal provides mutual authentication between PH  and GW , or between PH  and SN ,, . The proposed scheme can prevent the fraud attack by considering the following scenarios. (1) An adversary cannot impersonate SN ,, to cheat PH  . PH  can authenticate SN ,, by verifying   1 in Step 3.
Since the adversary cannot obtain  3   or  3    1 AD SN ,, , he/she cannot compute   1 = ê(AD SN ,, ,  1   AD PH  ) ⋅ ê( 1 , AD PH  )  3   ,  * 1 = ê(AD SN ,, , AD PH  )  1   ⋅ ê( 1 , AD PH  )  3   , or  1 = ê(AD SN ,, ,  1   AD PH  ) ⋅ ê( 3   AD SN ,, , AD PH  )  1 . Thus, the adversary cannot get sk  1 =  2 (  1 ‖  1 ‖ AD SN ,, ‖ AD PH  ) and   1 =  3 (sk  1 ‖  1 ‖  1 ‖ AD SN ,, ‖ AD PH  ‖  1 ), sequentially. Thus, the adversary cannot generate a valid verifier for PH  . (2) An adversary cannot impersonate PH  to cheat GW , . Similar to the above, GW , can authenticate PH  by verifying   2 in Step 3. Since the adversary cannot obtain  2   or  2   AD GW , , he/she cannot compute   2 ,  * 2 , or  2 . Thus, the adversary cannot get sk  2 and   2 , sequentially. Thus, the adversary cannot generate a valid verifier for GW , .

In the proposed scheme, the adversary can obtain the amplified identities  1 (ID SV ‖   ),  1 (ID PH  ‖   ),  1 (ID GW , ‖  , ), and  1 (ID SN ,, ‖  , ) instead of (ID SV ), (ID PH  ), (ID GW , ), and (ID SN ,, ) in Steps K1 and K3. Here,   and  , are big random numbers in  *  . Therefore, the adversary cannot verify whether a guessed identity is correct or incorrect by testing all possible identities without the secrets   and  , . For example, to guess  1 (ID PH  ‖   ), the adversary should input the guessed values of ID PH  and   at the same time. Suppose the identity ID PH  is composed of  bits; it is infeasible for an adversary to launch an exhaustive search over 2 + possible solutions. Here,  is the group order of  *  , and it is a big random number. In particular, if the physicians re-register periodically,   would be refreshed regularly. Thus, the risk of ID PH  being compromised will be lower. Moreover,  , is also a big random number in  *  , and each patient has a different value. Even for the same patient, there are different values for the various diagnoses. For the same reason, the adversary cannot know the identities ID GW , and ID SN ,, or trace
them. Furthermore, it is also intractable to derive the identity from  1 (ID SV ‖   ),  1 (ID PH  ‖   ),  1 (ID GW , ‖  , ), and  1 (ID SN ,, ‖  , ) because  1 is a secure one-way cryptographic hash function. Thus, our proposal can achieve anonymity and untraceability.

In our proposal, SV distributes different secret values ( 1   AD PH  ,  2   ,  3   ) to the various physicians PH  . Thus, the adversary physician PH A and his/her patients PA A, cannot get the victim's information  2  i ,  3   directly. Furthermore, the adversary A who has registered as a normal patient of the physician PH  can legally obtain ( 1   AD PH  ,  2   AD GW , ) from SV. However, he/she cannot obtain  1   or  2   from ( 1   AD PH  ,  2   AD GW , ) unless he/she can solve the ECDL problem. Similarly, the adversary A cannot obtain  3   from  3   AD SN ,, because of the difficulty of the ECDL problem. Clearly, our scheme removes the attack conditions at Steps A1 and A2 in Section 4. As a result, the scheme can resist the collusion attack and prevent the adversary from generating the session keys sk 1 and sk 2 . Furthermore, if an insider adversary wants to attack the key agreement from SN to PH, he/she should get the secret information about  3   AD SN ,, . The adversary receives up to  3   AD SN ,, * ;
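The replay-resistance argument above rests on two checks by SV: the timestamp in the data package must be recent, and the verifier must recompute correctly under a session key the adversary does not hold. The following Python block is an added example, not code from the paper; it models those checks over a constructed data package, with a keyed SHA-256 standing in for H3 and a constructed byte string standing in for the pairing-derived session key, and all field names are assumptions.

```python
import hashlib
import hmac

# Added example, not the paper's code: models SV's replay checks on the data
# package D1. The session key would come from the pairing computation in the
# scheme; here it is a constructed placeholder, and H3 is modelled by HMAC.
FRESHNESS_WINDOW = 30  # seconds of clock skew SV tolerates (assumed value)


def make_verifier(sk, timestamp, nonce, ad_sn, ad_ph):
    # Stand-in for the verifier H3(sk || T || r || AD_SN || AD_PH). Inputs are
    # length-prefixed so the concatenation cannot be re-split ambiguously.
    parts = (str(timestamp).encode(), nonce, ad_sn, ad_ph)
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(sk, msg, hashlib.sha256).digest()


def build_package(sk, nonce, ad_sn, ad_ph, now):
    ts = int(now)
    return {"T": ts, "r": nonce, "AD_SN": ad_sn, "AD_PH": ad_ph,
            "sigma": make_verifier(sk, ts, nonce, ad_sn, ad_ph)}


def sv_check(pkg, sk, now, seen):
    """Return 'ok' or the reason SV rejects the package."""
    if abs(int(now) - pkg["T"]) > FRESHNESS_WINDOW:
        return "stale timestamp"  # an old D1 replayed as-is
    expected = make_verifier(sk, pkg["T"], pkg["r"], pkg["AD_SN"], pkg["AD_PH"])
    if not hmac.compare_digest(expected, pkg["sigma"]):
        return "verifier mismatch"  # T was refreshed without knowing sk
    key = (pkg["T"], pkg["r"])
    if key in seen:
        return "duplicate within window"  # same D1 replayed inside the window
    seen.add(key)
    return "ok"


def demo():
    # Constructed inputs: a placeholder session key and amplified identities.
    sk = hashlib.sha256(b"constructed session key sk1").digest()
    ad_sn, ad_ph = b"AD_SN_constructed", b"AD_PH_constructed"
    now = 1_700_000_000
    seen = set()
    pkg = build_package(sk, b"nonce-1", ad_sn, ad_ph, now)
    fresh = sv_check(pkg, sk, now + 1, seen)
    quick_replay = sv_check(pkg, sk, now + 1, seen)
    late_replay = sv_check(pkg, sk, now + 600, set())
    forged = dict(pkg, T=now + 600)  # adversary edits only the timestamp
    forged_ts = sv_check(forged, sk, now + 600, set())
    return fresh, quick_replay, late_replay, forged_ts
```

The four outcomes of `demo()` correspond to a fresh package, an immediate replay, a replay outside the freshness window, and a package whose timestamp was edited without the session key.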

Table 1: Security and functionality comparison with Kim's scheme.

Table 3: Detailed elliptic curve and pairing parameters.