An Online-Offline Certificateless Signature Scheme for Internet of Health Things

The Internet of Health Things (IoHT) is an extended breed of the Internet of Things (IoT), which plays an important role in the remote sharing of data from various physical processes such as patient monitoring, treatment progress, observation, and consultation. The key benefit of the IoHT platform is the ease of time-independent interaction from geographically distant locations by offering preventive or proactive healthcare services at a lower cost. The communication, integration, computation, and interoperability in IoHT are provided by various low-power biomedical sensors equipped with limited computational capabilities. Therefore, conventional cryptographic solutions are not feasible for the majority of IoHT applications. In addition, executing computing-intensive tasks will lead to a slow response time that can deteriorate the performance of IoHT. To resolve this deficiency, this article proposes a new scheme, called an online-offline signature scheme in certificateless settings. The scheme divides the signing part into two phases, i.e., online and offline. In the absence of a message, the offline phase performs computationally intensive tasks, while lighter computations are executed in the online phase when there is a message. Security analyses and comparisons with the respective existing schemes are carried out to show the feasibility of the proposed scheme. The results obtained confirm that the proposed scheme offers enhanced security with lower computational and communication costs.


Introduction
IoHT is an IoT submarket, capable of grouping all medical devices and applications for gathering, analyzing, and exchanging physiological data of patients over the Internet [1]. Patient data can be collected through biomedical sensors and processed via user terminal devices such as computers, smart phones, smart watches, or even a specific embedded device [2]. Patient data may include breathing rate, blood pressure, chest sound, body temperature, respiratory rate, electrocardiogram (ECG), patient position (accelerometer), etc. [3][4][5][6][7]. In addition to medical applications, IoHT can also be used to monitor environmental conditions such as patient-care venues, room status, laboratory shift times, treatment times, and staff-to-patient ratios. The user terminal devices are linked to a gateway via short-range wireless technologies such as Bluetooth Low Energy (BLE), Wi-Fi, and Zigbee. BLE, however, offers strong features such as a moderate data rate, low power consumption, and an unlicensed band, making it the most preferable option for connecting wearable sensor nodes. The gateway may be further connected to a (clinical) server or cloud services via a fifth-generation (5G) wireless link for high storage and intensive data processing. In a health information system, patient details can be maintained as electronic health records, which are available to the medical professionals when the patient visits the hospital.
A large number of interactions between biomedical sensors and mobile devices take place over an open wireless channel in the IoHT environment, which poses a range of challenges, the most significant of which is the security and privacy of health-related information of patients [8]. To steal or fabricate patient health-related information, an intruder may capture the communication between the sensors and mobile devices. Likewise, with high probability, the attacker may gain access to the disease or health status of the patient. In addition, most devices involved in the IoHT platform have limited computing capabilities and, consequently, fail to perform conventional cryptographic calculations. For example, heavy computations are needed for most of the public key cryptosystems proposed in the literature; therefore, their implementation has not been considered acceptable for IoHT devices. An online-offline approach can be used to address heavy computation issues. When the IoHT devices have reported a message, the online phase is used to perform light computations only, while the offline computations or heavy computations are performed if no message has been recorded by the IoHT devices. Authentication is a major concern for securing IoHT devices. In general, the digital signature is used for authentication in cryptography. Therefore, the digital signature can be used with the online-offline approach for securing IoHT devices. The offline-computed signature value is generated in the offline phase, while the online phase operates with the same offline signature value. In public key cryptosystems, the two basic methods used to validate the public keys are Identity-Based Cryptography (IBC) and Public Key Infrastructure (PKI). PKI includes a Certificate Authority (CA) signature, which provides a unique signature link [9]. The CA uses certificates to tie public keys to the participant they define.
However, shortcomings such as distribution, storage, and manufacturing difficulties are associated with PKI systems. Instead, IBC is suggested to decrease the cost of public-key management [10]. The trusted Private Key Generator (PKG) has first-hand knowledge of the participants' private keys, at the expense of private key escrow issues [11,12]. Therefore, a certificateless cryptosystem can be used with the signature scheme to address the key escrow problem.
The efficiency of signature schemes usually depends on the underlying computationally hard problem, such as bilinear pairing, Rivest-Shamir-Adleman (RSA), and elliptic curve cryptosystems. The RSA cryptosystem [13,14] uses a large key of 1024 bits [15]. Likewise, due to the massive pairing and map-to-point function computation, bilinear pairing is 14.31 times less efficient than RSA [16]. Similarly, in order to remove the shortcomings of RSA and bilinear pairing, the elliptic curve was introduced [17]. The security hardness and efficiency of elliptic curve cryptography are based on 160-bit keys compared to bilinear pairing and RSA [18]. Despite this, for resource-constrained devices, the 160-bit key is also undesirable and not affordable. Therefore, a new form, the generalization of the elliptic curve, called the hyperelliptic curve, was suggested [19]. The hyperelliptic curve offers the same degree of protection as the elliptic curve, bilinear pairing, and RSA using 80-bit keys, identity, and certificate size [20,21]. For energy-constrained IoHT devices, the hyperelliptic curve would be a better option. The data generated by the anticipated massive number of biomedical sensors and IoT devices would need to be collected, processed, and analyzed efficiently in real time to ensure safe and timely management of patient health [22]. Considering the above objectives, a new scheme, called the online-offline certificateless signature scheme, has been introduced for IoHT. The scheme uses the concept of the hyperelliptic curve and is characterized by the small key size. It offers security equivalent to the solutions based on the elliptic curve method at half the key size. The research study conducted has the following characteristics:
(i) A lightweight security scheme, namely, online-offline certificateless signature, has been proposed for an IoHT platform.
(ii) The proposed scheme divides the certificateless signature scheme into two phases, i.e., online and offline. Lighter computations are performed when there is a message in the online phase, while the offline phase performs computing-intensive tasks in the absence of a message.
(iii) The scheme uses hyperelliptic curve cryptography, which tackles the limitations faced by IoHT devices such as limited energy and computing capabilities.
(iv) The proposed scheme has been shown to be immune to numerous attacks through formal security analysis.
(v) Our approach offers better efficiency in terms of computational cost and communication overhead when compared to the existing equivalent schemes.
1.1. Structure of the Paper. The rest of the article is structured as follows. In Section 2, the relevant work is discussed. Section 3 includes preliminaries. The proposed online-offline certificateless signature system is introduced in Section 4. Security analysis can be found in Section 5. The cost analysis is provided in Section 6 with current solutions. Concluding remarks are available in Section 7.

Related Work
In the scientific literature, the security and privacy concerns using the online-offline approach have not received ample consideration. Thus, the problems need to be thoroughly investigated. A well-designed security framework would greatly minimize the risk of the data being hacked, regardless of the devilish strategy involved. Some research studies are devoted to addressing IoHT platform data security problems. The offline-online signature technique was first suggested by Even et al. [23], which is suitable for limited-storage devices. When the message to be signed is known, the execution of their procedure enables the use of the offline mechanism to do moderate computations. After the message is understood to be authenticated, the second phase is carried out electronically. The protection of their method is dependent on the intractability of the large integer factoring mechanism. Their scheme is protected against chosen-message attacks. However, their approach is not so successful in practice.
In 2001, to create an effective online-offline signature scheme, Shamir and Tauman [24] used chameleon hash functions based on an ordinary digital signature. In the proposed scheme, the key and signature sizes are reduced according to the original scheme. A new type of hash function, called the trapdoor hash function, has been introduced in their model to increase the system security. If the signer repeatedly uses the same hash value to get two signatures on two distinct messages, the recipient can gain a hash collision and use it to retrieve trapdoor information from the signer, which is the secret key of the signer. However, the proposed scheme uses many chameleon hash values for various messages. This concern is known as the main disclosure issue of chameleon hashing.
Yu and Tate [25] suggested an effective online-offline signature scheme that is known to be secure without a random oracle under the RSA assumption. They did not use the trapdoor hash function. Therefore, the second key pair did not need to be handled by their scheme, and the random commitment attribute did not have to be included in their signature. However, the proposed scheme is not affordable for resource-constrained IoHT devices due to the RSA cryptosystem, which is based on hard problems and incurs a high computational cost. Wu et al. [26], using bilinear pairing, suggested a successful online-offline signature scheme. The security of the model is connected to the theoretical Diffie-Hellman assumption in the random oracle model. Addobea et al. [27] also proposed an offline-online signature scheme called the MHCOOS for M-Health devices based on bilinear pairing. However, bilinear pairing involves costly pairing and map-to-point function operations, which is not suitable for resource-constrained IoHT devices.
All of the above schemes are based on complex cryptographic techniques, i.e., elliptic curve and bilinear pairing, and thus suffer from high costs of computation and communication overhead. These schemes are thus not compatible with IoHT systems equipped with minimal computing capability. To create a viable IoHT cryptographic solution that needs less computation, there is a critical need to use the state-of-the-art online-offline certificateless signature technique. Our proposed scheme is based on hyperelliptic curve cryptography, which is an advanced version of the elliptic curve. It provides the same degree of protection with a smaller key size as compared to the elliptic curve, bilinear pairing, and modular exponentiation.

Hyperelliptic Curve Discrete Logarithm Problem (HCDLP). Suppose a given instance of hyperelliptic curve $\delta = \varepsilon$. Then, the HCDLP is to determine $\varepsilon$ from the given instance.

Threat Model.
The security models of the proposed scheme include message c, unforgeability against the adversaries called Type 1 adversary ($A_1$), and Type 2 adversary ($A_2$), respectively. $A_1$ is a malicious adversary who has the ability to replace the user's public key besides the system master keys, while $A_2$ means an honest-but-curious KGC who knows the system master keys but is not allowed to replace the user's public key. The specific security models under the different adversaries are the same as in [28], namely unforgeability regarding EUF-CMA-$A_1$ and unforgeability regarding EUF-CMA-$A_2$.

Proposed Online-Offline Certificateless Signature Scheme

Network Model. An initiative to incorporate the proposed scheme must be preceded by careful consideration of the following assumptions:
(1) Patient data input can be obtained by sensors and analyzed by user terminal devices, such as laptops, tablets, smart watches, or even a particular embedded system
(2) Each of the medical sensors and the user terminal are connected through BLE
(3) The user terminal can be further linked with the cloud server using 5G, equipped with cloud computing services
(4) The medical server presumes the role of administrators
(5) The medical server is linked with the local computer in which electronic health records (EHR) can be viewed by the medical personnel
(6) The EHR is stored securely in the database server for future consultations
IoHT can be implemented in various settings, depending on the requirements, as shown in Figure 1. The required gadgets are usually included in the medical sensors according to the patient's illness. Using short-range radio transceivers (i.e., BLE), the sensors can be connected with the gateway router. BLE operates in the 2.4 GHz frequency band.
There are valid reasons for selecting this technology. For example, it operates in the unlicensed spectrum, provides fair data rates, and consumes very low power [29]. The aggregated data from the patient monitoring sensors may be too big to be handled by the local server. It demands a high capacity for storage and computing. Fortunately, with its architecture, the emerging fifth-generation (5G) mobile networking introduces a multiaccess edge computing (MEC) facility. MEC provides high storage and intensive processing facilities when integrated into an IoHT setting.

Construction of the Proposed Scheme.
This section covers the construction of the proposed scheme. Notations used in the proposed scheme are illustrated in Table 1. The proposed scheme can be made from the following computational constructions [28]:
Journal of Healthcare Engineering
Setup: the following computations can be used for this phase:
(i) The security parameter $\eta$ is chosen by the KGC
(ii) It selects a hyperelliptic curve ($hc$) with field $f(n)$, where the size of $n \geq 2^{80}$
(iii) It selects a divisor $D$ from the hyperelliptic curve ($hc$)
(iv) Then, it chooses three irreversible and collision-resistant hash functions $h_x$, $h_y$, and $h_z$
(v) The KGC picks $Q \in \{1, 2, \ldots, n-1\}$ as a master key and then computes the public key as $K = Q \cdot D$
(vi) The KGC produces $\psi = \{K, h_x, h_y, h_z, D, hc, f(n), n \geq 2^{80}\}$ as the global parameter set and publishes it publicly
Secret value setting: the participating entity with identity $id_i$ picks $l_i \in \{1, 2, \ldots, n-1\}$ as a secret value and computes $V_i = l_i \cdot D$ as a public key
Partial private key setting: for a participating entity with identity , and sends Γ i = (w ? ,? ? ) to the entity with $id_i$ via a secure network
Private key setting: the participating entity, with identity $id_i$, sets $N_i = (\Gamma_i, l_i)$ as its private key.
Public key setting: the participating entity, with identity $id_i$, sets $Z_i = (V_i, \mu_i)$ as its public key.
Certificateless online/offline signature: the sender's computations are divided into the following two substeps, Online and Offline.
Offline phase: this part runs on the server, which is equipped with high resources, and the construction step is carried out as follows:
(i) It picks $d \in \{1, 2, \ldots, n-1\}$ and computes $t = d \cdot V_s$
(ii) Compute P = ℎ? (???, ??, ?, t) and X = ℎ? (???, V?, ?, t)
(iii) Then, it gives $(d, t, P, X)$ to the sensor nodes
Online phase: this part runs on the sensor nodes, and the construction step is as follows:
(i) Compute S = l_s · d − (l_s · X + P · w?)
(ii) Set $\phi = (t, S)$ as a signature and send it to the receiver
Certificateless online/offline signature verification: upon receiving $\phi$, a receiver can verify $S$ as follows:

Correctness.
The verifier/recipient can verify the signature if the following computation is successfully processed:
This validates the correctness of the proposed scheme.
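The offline/online split and the check it implies, as an added example (not the paper's code): the verification equation used here is derived from the page's formula for $S$ and $t = d \cdot V_s$. Assumptions: a toy multiplicative group modulo a Mersenne prime stands in for the hyperelliptic-curve Jacobian, the partial private key is taken to be Schnorr-style ($w = \alpha + h_x(id, \mu) \cdot Q$ with $\mu = \alpha \cdot D$), and the hash inputs and all function names are illustrative, with the hashes computed at signing time so that they cover the message.

```python
import hashlib
import secrets

# Toy group standing in for the hyperelliptic-curve Jacobian (assumption, NOT secure):
# the page's divisor D becomes G, "k . D" becomes pow(G, k, P_MOD), and divisor
# addition becomes multiplication mod P_MOD. Scalars are reduced mod N = P_MOD - 1.
P_MOD = 2**127 - 1          # Mersenne prime
N = P_MOD - 1
G = 3
SMUL_CALLS = 0              # counts the expensive group operations


def smul(k, point=G):
    """Scalar multiplication k . point in the toy group (the costly operation)."""
    global SMUL_CALLS
    SMUL_CALLS += 1
    return pow(point, k % N, P_MOD)


def h(tag, *parts):
    """SHA-256 to a scalar; tag 'x', 'y', 'z' plays the role of h_x, h_y, h_z."""
    data = "|".join([tag] + [str(p) for p in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def rand_scalar():
    return secrets.randbelow(N - 1) + 1          # uniform in {1, ..., N-1}


def keygen(identity):
    """KGC setup, secret value, and an assumed Schnorr-style partial private key."""
    Q = rand_scalar()
    K = smul(Q)                                  # master public key K = Q . D
    l = rand_scalar()
    V = smul(l)                                  # user public value V = l . D
    alpha = rand_scalar()
    mu = smul(alpha)                             # assumed: mu = alpha . D
    w = (alpha + h("x", identity, mu) * Q) % N   # assumed: w = alpha + h_x(id, mu) * Q
    return {"id": identity, "K": K, "V": V, "mu": mu}, {"l": l, "w": w}


def offline(pub):
    """Message-independent precomputation: t = d . V_s (one scalar multiplication)."""
    d = rand_scalar()
    return d, smul(d, pub["V"])


def online(pub, priv, token, message):
    """Message-dependent step: two hashes and modular arithmetic, no group operation."""
    d, t = token
    P = h("y", pub["id"], pub["mu"], message, t)
    X = h("z", pub["id"], pub["V"], message, t)
    S = (priv["l"] * d - (priv["l"] * X + P * priv["w"])) % N   # the page's formula for S
    return t, S


def verify(pub, message, sig):
    """Check S.D + X.V_s + P.(w.D) == t, with w.D rebuilt from public values."""
    t, S = sig
    P = h("y", pub["id"], pub["mu"], message, t)
    X = h("z", pub["id"], pub["V"], message, t)
    W = pub["mu"] * smul(h("x", pub["id"], pub["mu"]), pub["K"]) % P_MOD   # = w . D
    return smul(S) * smul(X, pub["V"]) * smul(P, W) % P_MOD == t


def demo():
    pub, priv = keygen("sensor-17")                     # constructed identity
    token = offline(pub)                                # prepared ahead of time
    before = SMUL_CALLS
    sig = online(pub, priv, token, "HR=72;SpO2=98")     # constructed reading
    online_cost = SMUL_CALLS - before                   # group operations while signing
    ok = verify(pub, "HR=72;SpO2=98", sig)
    tampered = verify(pub, "HR=40;SpO2=98", sig)
    return ok, tampered, online_cost


if __name__ == "__main__":
    print(demo())
```

A token $(d, t)$ is single-use: $S$ is linear in the signer's secrets, so signing different messages under the same $d$ hands an observer linear equations in those secrets.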

Security Analysis
The purpose of this section is to explain the usefulness of the suggested method in resisting attacks.

Theorem 1. The proposed scheme resists an adaptive chosen message attack, if an adversary $A_1$ would not be able to solve the hyperelliptic curve discrete logarithm problem (HECDLP).
Proof. Suppose there is a challenger $\zeta$ which helps $A_1$ to extract $\ell$ from the given instance $f = \ell \cdot D$ of HECDLP. Further, to figure out HECDLP, $\zeta$ can set the master secret key as $Q = \ell$ and the master public key as $K = \ell \cdot D$.

Then, $\zeta$ generates $\psi$ as a global parameter set and four empty lists ($L_{h_x}$, $L_{h_y}$, $L_{h_z}$, $L_k$) for holding the values of $h_x$, $h_y$, $h_z$, and keys.
Create ($id_i$): after receiving a Create $id_i$ query, $\zeta$ selects $\alpha_i, \beta_i, l_i \in \{1, 2, \ldots, n-1\}$. Then, $\zeta$ answers in the following two steps: (i) If $id_i \neq id_s$, with the identity $id_i$, $\zeta$ outputs will be
Hash queries ($h_x$, $h_y$, $h_z$): after receiving Hash queries ($h_x$, $h_y$, $h_z$), $\zeta$ searches for the values $\Omega_i$, $P_i$, $X_i$ in lists $L_{h_x}$, $L_{h_y}$, $L_{h_z}$; if it finds them in these lists, then it returns them to $A_1$; otherwise, the values $\Omega_i$, $P_i$, $X_i$ for each Hash query are selected by $\zeta$ at random and sent to $A_1$.
Secret value setting queries: after receiving this query, $\zeta$ answers in the following two steps: such a tuple is found, then it results in $l_i$; otherwise, $\zeta$ calls the Create $id_i$ query and gets ($id_i$, $\Gamma_i$, $N_i$, $Z_i$) and then sends $l_i$ to $A_1$.
Partial private key setting queries: after receiving this query, $\zeta$ answers in the following two steps: (i) If $id_i = id_s$, $\zeta$ aborts the process.
such a tuple is found, then it sends $\Gamma_i$ to $A_1$.
Public key setting queries: after receiving this query, $\zeta$ answers in the following two steps: such a tuple is found, then it results in $Z_i = (V_i, \mu_i)$; otherwise, $\zeta$ calls the Create $id_i$ query and gets ($id_i$, $\Gamma_i$, $N_i$, $Z_i$) and then sends
Public key replacement queries: after receiving this query, $\zeta$ will look for ($id_i$,
Certificateless online/offline signature queries: after receiving this query, $\zeta$ checks. If $id_i = id_s$, then it aborts the process; otherwise, it will perform the following steps: (i) $\zeta$ first gets access to $L_{h_y}$, $L_{h_z}$, and $L_k$.
Offline phase: We suppose that $\mu_s = \beta_s \cdot K + \alpha_s \cdot D$ and $K = \ell \cdot D$. So, when the subtractions between these two equations are performed, then we can get the following computations: So,
(i) The winning probability of the Create query must be greater than $(1 - Q_{h_x} Q_{create}/n)$
(ii) The success probability of $h_y$ must be greater than $(1 - Q_{h_y}/n)$
(iii) The success probability of $h_z$ must be greater than $(1 - Q_{h_y}/n)$
(iv) The success probability of certificateless online/offline signature queries must be greater than $(Q_s/n)$
(v) $id_i = id_s$ is satisfied with probability $(1/Q_{create})$
Note that $Q_{create}$, $Q_{h_x}$, $Q_{h_y}$, $Q_{h_z}$, and $Q_s$ represent Create queries and Hash queries to $h_x$, $h_y$, $h_z$, and certificateless online/offline signature queries, respectively. So, overall advantage of $A_1$ is towards its success as
Theorem 2. By using the random oracle model, the proposed scheme resists an adaptive chosen message attack, if an adversary $A_2$ would not be able to solve the hyperelliptic curve discrete logarithm problem (HECDLP).
Proof. Suppose there is a challenger $\zeta$ which helps $A_1$ to extract $\ell$ from the given instance $f = \ell \cdot D$ of HECDLP. Further, to figure out HECDLP, $\zeta$ picks $b$ and sets the master public key as $K = b \cdot D$. Then, $\zeta$ generates $\psi$ as a global parameter set, and similar to Theorem 1, it picks four empty lists ($L_{h_x}$, $L_{h_y}$, $L_{h_z}$, $L_k$) for holding the values of $h_x$, $h_y$, $h_z$, and keys.
Create ($id_i$): after receiving a Create $id_i$ query, $\zeta$ answers in the following steps:
Hash queries ($h_x$, $h_y$, $h_z$): these are the same as performed in Theorem 1.
Secret value setting queries: after receiving this query, $\zeta$ answers in the following two steps.
such a tuple is found, then it results in $l_i$; otherwise, $\zeta$ calls the Create $id_i$ query and gets ($id_i$, $\Gamma_i$, $N_i$, $Z_i$) and then sends $l_i$ to $A_2$.
Partial private key setting queries: after receiving this query, $\zeta$ answers in the following two steps: (i) If $id_i = id_s$, $\zeta$ aborts the process. (ii) If $id_i \neq id_s$, $\zeta$ will look for ($id_i$, such a tuple is found, then it sends $\Gamma_i$ to $A_2$.
Public key setting queries: after receiving this query, $\zeta$ answers in the following two steps: (ii) If $id_i = id_s$, $\zeta$ aborts the process. (iii) If $id_i \neq id_s$, $\zeta$ will look for ($id_i$, such a tuple is found, then it results in $Z_i = (V_i, \mu_i)$; otherwise, $\zeta$ calls the Create $id_i$ query and gets ($id_i$, $\Gamma_i$, $N_i$, $Z_i$) and then sends
Certificateless online/offline signature queries: after receiving this query, $\zeta$ checks. If $id_i = id_s$, then it aborts the process; otherwise, it will perform the following steps: (i) $\zeta$ first gets access to $L_{h_y}$, $L_{h_z}$, and $L_k$.
Certificateless online/offline signature verification query: after receiving this query, $\zeta$ checks. If $id_i = id_s$, then it aborts the process; otherwise, it will perform the certificateless online/offline signature verification algorithm for the verification of the signature.
Forgery: at the end, $A_1$ results in a lawful signature $\phi$ = (t ? , $S_i$). If $id_i = id_s$, $\zeta$ aborts the process; otherwise, $\zeta$ checks for a list $L_{h_x}$, and according to the forking lemma [], it generates another signature
We suppose that $\mu_s = \beta_s \cdot K + \alpha_s \cdot D$ and $K = \ell \cdot D$. So, when the subtractions between these two equations are performed, then we can get the following computations: So, $\ell = (S_i^* - S)/(X^* - X)$ as the solution of HECDLP. The probability analysis is the same as in Theorem 1 and as follows:
The utilized advantages of $A_2$ towards its success are as follows:

Cost Analysis
This section contrasts the efficiency of the proposed scheme with the existing equivalents suggested by the schemes of Yu and Tate [25], scheme 1, Yu and Tate [25], scheme 2, Wu et al. [26], and Addobea et al. [27]. Table 2 displays the key results derived from the analysis. Elliptic curve scalar multiplication and bilinear pairings are used in the existing schemes, all of which are more expensive alternatives. Therefore, we add the hyperelliptic curve divisor multiplication. Observations have shown that the time it takes for a single scalar multiplication to be processed differs considerably: elliptic curve point multiplication (ECPM), 0.97 milliseconds; bilinear pairing (P), 14.90 ms; pairing-based point multiplications (BPM), 4.31 ms; and modular exponentiation (E), 1.25 ms [16]. The Multiprecision Integer and Rational Arithmetic C Library (MIRACL) [30] is used to calculate the performance of the proposed system. The runtime of specific cryptographic operations is measured over roughly 1000 runs. A workstation with the following specifications is used for evaluating simulation results: Intel Core i7-4510U Processor @ 2.0 GHz, 8 GB RAM, and Windows 7 Home Standard 64-bit Operating System [29]. The hyperelliptic curve divisor multiplication (HM) is believed to take 0.48 milliseconds due to a smaller key size of 80 bits [31][32][33][34]. It is apparent from the results in Tables 2 and 3 that our solution is much more effective in terms of the computational cost, as shown in Figure 2.

Communication Cost.
This subsection is aimed at discussing the comparison results from the perspective of communication costs. The proposed approach is compared with the existing schemes presented by Yu and Tate [25] scheme 1, Yu and Tate [25] scheme 2, Wu et al. [26], and Addobea et al. [27]. In the comparative analysis, the variables, i.e., $|G| = 1024$ bits, $|m| = 1024$ bits, and $|n| = 80$ bits, along with the respective values, are depicted in Table 4 and illustrated in Figure 3.

Conclusion
The Internet of Health Things (IoHT) plays an important role as an extension of the Internet of Things (IoT) in the remote data-sharing of multiple physical processes, such as patient monitoring, treatment progression, observation, and consultation. In IoHT, multiple sensors, actuators, and controllers allow communication, computation, and interoperability, thus providing seamless connectivity with efficient resource utilization. However, for the majority of IoHT implementations, conventional cryptographic methods are not feasible due to the energy constraints of low-power embedded devices. Therefore, we suggested a lightweight security scheme in this article, using the idea of the hyperelliptic curve (HEC), called an online-offline certificateless signature scheme. Even with its limited key size, the HEC solution is powerful and is also acceptable for IoHT environments. The formal security analysis shows the strength of the proposed approach in avoiding multiple attacks. In addition, after a comparison with the main existing schemes, the proposed scheme proved to be efficient in terms of both computational and communication costs.
An extension of the proposed scheme is required that offers encryption and digital signature in one go. We also plan to improve the security by adding some other aspects of formal analysis, such as the real-or-random (ROR) for the solutions against different attacks. All these aspects are in the development phase and will be taken into account in our future work.

Data Availability
All data generated or analyzed during this study are included in this published article.