Lightweight Privacy-Preserving Data Sharing Scheme for Internet of Medical Things

Internet of Medical Things (IoMT) is a kind of Internet of Things (IoT) that includes patients and medical sensors. Patients can share real-time medical data collected in IoMT with medical professionals, which enables medical professionals to provide patients with efficient medical services. Due to the high efficiency of cloud computing, patients prefer to share the gathered medical information using cloud servers. However, sharing medical data on a cloud server raises security issues, because these data involve the privacy of patients. Although many researchers have recently designed data sharing schemes in the medical domain for security purposes, most of them cannot guarantee the anonymity of patients or provide access control for shared health data, and furthermore they are not lightweight enough for IoMT. Due to these security and efficiency issues, a novel lightweight privacy-preserving data sharing scheme for IoMT is constructed in this paper. This scheme achieves the anonymity of patients and access control of shared medical data, and at the same time satisfies all the described security features. In addition, the scheme achieves lightweight computation by using elliptic curve cryptography (ECC), XOR operations, and a hash function. Furthermore, the performance evaluation demonstrates that the proposed scheme incurs less computation cost than similar solutions. Therefore, it is a fairly attractive solution for efficient and secure data sharing in IoMT.


Introduction
The Internet of Things (IoT) is a system that connects different sorts of sensors and computing devices over a network to gather and share medical data. IoT lets devices become smarter, processing become intelligent, and communication become informative [1]. Thanks to its convenience, IoT has bred many new technology solutions used in disparate domains. Certainly, IoT has also penetrated into the healthcare system and brought great changes. The Internet of Medical Things (IoMT) is essentially IoT devices applied to the medical industry [2]. The application of IoMT brings many conveniences to patients and medical professionals. For example, in IoMT, medical professionals can receive the data and information they need and provide telemedicine to patients anywhere [3].
IoMT provides continuous health monitoring. It relies on different sorts of physiological sensors placed on patients, without reducing the user's comfort, to collect live health data and information such as oxygen saturation rate, heart rate, pulse, temperature, blood pressure, and respiration [4][5][6][7][8]. Due to the sensitivity of personal health data and the limited resources of sensors, it is crucial that security and lightweight computation are included as fundamental elements of IoMT [9]. Cloud computing is a kind of outsourcing platform that has large storage memory and computing resources. Due to these advantages, it can be combined with IoMT to eliminate the issues of storing large data. With the help of cloud computing servers, patients can efficiently store, manage, and share a great amount of medical information. Storing data in the cloud provides easy access for users and improves the storage utilization of the health information system [10]. However, the information of patients (such as their identities, electronic medical records, and personal health conditions) is highly private and vulnerable. Data breaches are harmful to patients, as the sensitive information reveals patients' identity privacy and compromises data security. Hence, the security of health data is the major concern for sharing schemes. Besides, the completeness of shared patients' health data is extremely important [11]. For example, if an adversary tampers with a patient's health conditions, it will mislead medical professionals into making faulty analyses and affect the patient's health. Therefore, integrity verification can prevent tampering by malicious attackers. Moreover, the scheme must provide authentication for users to verify their legitimacy. This is because unauthorized users may tamper with medical records, and falsified data will lead to misdiagnosis by medical professionals [12].
Meanwhile, the physiological sensors, used in medical systems, have limited storage memory and power and low computation speed and bandwidth. Accordingly, this motivates us to design a low-cost and lightweight data sharing scheme applied to the IoMT, which consumes less power and meets higher security requirements.
Many researchers have devoted themselves to designing effective data sharing schemes in cloud computing over the past few years. However, some [13][14][15] are not suitable for deployment in an IoMT system because of their use of bilinear pairings, which lack efficiency. Such heavy calculations are not lightweight enough for devices with high resource constraints. The analysis in [16] demonstrates that a bilinear pairing operation has a very high computation cost. On the contrary, the computation complexity of elliptic curve cryptography (ECC) is several times smaller than that of a pairing operation, because in the ECC algorithm the arithmetic requirements are low, the key size is small, and the operand length is shorter. As a result, ECC is regarded as a better encryption technology for resource-constrained devices.
Hence, for the purpose of ensuring the anonymity of patients, preserving the privacy of shared data, and improving the computation efficiency of physiological sensors in IoMT, this paper constructs a lightweight privacy-preserving data sharing scheme for IoMT using ECC. In this scheme, after collecting the health data, patients with physiological sensors must encrypt the collected health data to prevent their personal privacy from leaking. Then, the patient generates a fake identity to protect his identity and achieve anonymity. With the help of a cloud server, health data can be shared with authorized users after being uploaded by patients. Furthermore, to realize authorized access, patients designate the identity set of users. Before accessing the health data, users must authenticate to the cloud server. Users are eligible to access the encrypted health data only if their identities and access time are valid. Finally, the main contributions of this paper are summarized below.
(1) A lightweight privacy-preserving data sharing scheme for IoMT using ECC is proposed, which anonymizes the identity of patients and provides authorized access to shared health data.
(2) The proposed scheme realizes lightweight computations by ECC, hash, and XOR operations, and does not require heavy computations such as bilinear pairings.
(3) The proposed protocol can resist possible attacks and achieve all desired security features, including resistance to replay and eavesdropping attacks, correctness, freshness of the encryption key, authentication, anonymity of the patient, integrity certification, and forward secrecy of the encryption key.
(4) Compared with similar solutions, the proposed scheme satisfies all desired security features and achieves more lightweight computations on the patient side.
The remainder of this paper is organized as follows. Previous studies are reviewed in Section 2. The basic mathematical preliminaries are introduced in Section 3. Then, Section 4 illustrates the model of the proposed scheme, including the network model, types of attack, security properties, design goals, and syntax of the proposed scheme. The data sharing scheme, including its three phases (system initialization, data encryption and upload, and data sharing), is given in Section 5. The security analysis of this scheme is provided in Section 6. The performance evaluation and the comparisons with similar schemes in terms of computation cost and security are presented in Section 7. Finally, we conclude the paper in Section 8.

Related Work
Cloud computing has emerged as a convenient platform for sharing data that enables multiple users from different domains to obtain the information they need simultaneously. It is highly necessary to authenticate users who want to access the health data. However, it is worth noting that existing solutions may suffer from a series of issues such as data owner privacy, completeness of the data, data access control, and computation cost in encryption/decryption. These issues have attracted widespread concern.
In 2010, Itani et al. [17] presented a lightweight protocol with which mobile clients can verify the completeness of stored information in mobile cloud computing. In 2013, Wang et al. [18] constructed a cloud storage system that realizes privacy protection, where users can use a third-party auditor to verify the completeness of outsourced data. Later, in 2014, Wang et al. [19] presented a novel data integrity verification mechanism using ring signatures that is able to ensure identity privacy. Yang et al. [20] designed a data sharing solution in the cloud that provides integrity verification while guaranteeing users' identity privacy. In order to conceal sensitive data during data integrity certification, Shen et al. [21] presented an efficient data sharing protocol in 2019.
Due to the limited storage of small devices, large data needs to be outsourced. Outsourced data may contain private information, so ensuring data security has become a challenge, and some works have focused on designing valid schemes for this issue. For example, Wang et al. [22] provided a processing mechanism to achieve flexible user access control. However, this solution takes no account of energy consumption, because the data owner needs to share pairwise keys with users, which consumes plenty of storage memory. Later, a novel certificateless proxy reencryption (CL-PRE) scheme was presented by Xu et al. [23], which is used to share information securely on a cloud server. That paper showed that the certificateless scheme can cut down the computation and communication cost for data owners. Nevertheless, this scheme consumes a large amount of computation because of its use of the bilinear pairing operation. Khan et al. [24] designed a proxy reencryption scheme for reducing energy and memory consumption, in which the computational complexity of bilinear pairing still remains. A cloud computing technology-based electronic health record system supporting data privacy preservation was presented in [25]. Ramesh et al. [26] proposed a secure model using the e-stream cipher ChaCha20. This model provides integrity verification of sensitive data and guarantees the authenticity of the data. Wang et al. [27] constructed a cloud-based system framework for the electronic medical field. They utilized identity-based encryption and proxy reencryption in this study for security purposes. This study also gave users authorized by the data owner the right to access health information. He et al. [28] designed an encryption technology for wireless body area networks to check the completeness of the stored medical data, which provides better performance.
A scheme for sharing personal health data with access control was designed by Jiang et al. [29]. This scheme is applied to mobile healthcare social networks and adopts attribute-based encryption as the main encryption method. Ding et al. [13] presented a health storage system to resolve data integrity verification, which provides convenient and safe communication between patient and physician. Sowjanya et al. [30] introduced an end-to-end authentication protocol that reduces the overall complexity through the use of elliptic curve cryptography (ECC). Zhang et al. [31] presented a practical scheme for cloud-assisted electronic health information systems using identity-based encryption to enable efficient sharing of sensitive data.
Most of the available schemes are not secure enough. In addition, some of the schemes use complex operations such as bilinear pairing, which increase the computation cost and are not lightweight enough for IoMT. What is more, the anonymity of patients is often ignored. As a result, to guarantee the anonymity of patients and provide access control for shared health data, we design a lightweight privacy-preserving data sharing scheme for IoMT based on ECC, hash, and XOR operations.

Preliminaries
The elliptic curve cryptosystem (ECC) was first put forth by Koblitz [32] and Miller [33] independently. ECC is a public key encryption technique. An elliptic curve is a kind of cubic curve over a finite field, which is based on an algebraic structure. ECC, with the benefits of lightweight computation and high security, has aroused widespread interest in modern cryptography. A 160-bit ECC key and a 1024-bit RSA key provide equivalent security, so the encryption key generated by ECC is smaller and more efficient. An elliptic curve E is simply described by the equation y² = x³ + ax + b (mod p), where p is a large prime number. In addition, 4a³ + 27b² ≠ 0 (mod p) needs to be satisfied in order to exclude singular elliptic curves. Z_p denotes the prime finite field and a, b, x, y ∈ Z_p. In what follows we omit (mod p) for the sake of simplicity. The three operations of ECC over G_E are defined below.
(1) Point addition: given two random points P and Q on the elliptic curve E, the point R on E represents the addition of these two points, with the formula P + Q + R = 0. Here, R refers to the third point where the line connecting P and Q intersects the elliptic curve, and the point −R is the reflection of point R across the x-axis.
(2) Scalar multiplication: let n ∈ Z_q* be a positive integer; then n·P is given by P + P + ⋯ + P (n times).
There are two hard problems in the elliptic curve domain that are widely used in designing encryption schemes, because no probabilistic polynomial time algorithm can solve them efficiently. The following computational hard problems over ECC [34] have been widely utilized for secure schemes.
Elliptic Curve Discrete Logarithm Problem (ECDLP): let k ∈ Z_q* be a positive integer, and let P, Q ∈ G_1 be two random elliptic curve points. The ECDLP is to determine k given P and Q, where P = k·Q. Knowing k and Q, it is easy to calculate P, but conversely it is not feasible to calculate k from P and Q if the prime q is large.
Elliptic Curve Computational Diffie-Hellman Problem

Model of the Proposed Scheme
In this section, we first design a network model suitable for IoMT and a security model for the data sharing scheme. Then the types of attack, the security properties, the design goals, and the syntax of the proposed scheme are described.

Network Model.
A network model for IoMT is presented. It consists of four types of entities, i.e., a trusted authority (TA), patients, cloud servers (CS), and users. Their relationship in the network model is shown in Figure 1.
(1) Trusted authority (TA): TA acts as the public and private key generation system and is a fully trusted authority. In this scheme, system initialization is performed by TA. Patients and users must register with TA before receiving system services. In addition, TA can communicate with the other entities via a secure channel. The existence of a secure channel does not mean that the data can be shared through it, because shared data may be large in volume.
(2) Patient: this refers to a data owner with physiological sensors. Patients gather personal health data through these sensors. Patients must register with TA before accepting the service of the system. They can then upload data to the cloud server, which stores it and shares it with authenticated legitimate users, since the patients' own memory is limited. Since all shared data is uploaded to the cloud server through a public channel, patients should encrypt the gathered information and hide their identity to preserve personal privacy and health information security. Besides, a patient's real identity is known only to TA and authorized users.
(3) Cloud server (CS): CS is responsible for storing the encrypted information of patients and authenticating users who want to access data, because it has large storage memory and strong computing power. Besides, CS is considered semi-trusted. In other words, if the stored data is lost, it may fake the missing data to hide the loss from users for economic reasons.
(4) User: this entity refers to medical professionals, who communicate with CS to obtain patients' health information for medical analysis and diagnosis. Before accessing the health data, legitimate users should register with TA.
In this scheme, it is important to note that only identified and authorized users can obtain the required health information from CS and decrypt the patients' encrypted data.
Now we give the description of our proposed scheme. There are three main phases in the proposed sharing scheme, namely, (1) the system initialization phase, (2) the data encryption and upload phase, and (3) the data sharing phase. The subphases of these phases are detailed below.
(1) Setup: the trusted authority (TA) executes this phase to define the system public parameters, choose a unique nonce S_TA ∈ Z_q* as its own private key, and compute the public key PK_TA.
(2) User registration: this phase is processed by the TA. After TA receives the identity Uid sent by a user, it generates the warrant warr of the user and the private key sk_Uid. TA then sends (warr, sk_Uid) to the user via the secret channel.
(3) Patient registration: this is performed by the patient and the TA. Firstly, the patient generates the temporary identity Ptid, chooses the user identity set S, and sends them to TA. Secondly, TA checks the patient's Ptid, computes the intermediate result a_n for data encryption, and then sends a_n to the patient via the secret channel and S to CS.
To analyze the security of the proposed data sharing scheme more accurately, we briefly introduce two types of attack. Then we define the required security features and design goals. The detailed security analysis of these security requirements is given in Section 6. We consider the following two types of attack.
(1) Replay attack: this attack repeats or delays a message. It is carried out by an adversary who intercepts a message of an old conversation and retransmits it.
(2) Eavesdropping attack: this refers to an attacker passively monitoring the communication between parties to obtain the transmitted data when the network communication is insecure.
For secure data sharing, the proposed scheme must meet the following security properties.
(1) Correctness: the proposed scheme allows legitimate users to correctly detect whether the information stored in CS is complete. Besides, only authorized users can obtain the encrypted data within a valid time and restore the data correctly.
(2) Freshness of encryption key: the encryption key generated by the patient in the data encryption and upload phase is used only once. Freshness of the encryption key ensures that attackers cannot reuse one encryption key to recover other encrypted sensitive data.
(3) Authentication: the purpose of authenticating users is to ensure that, for a given user U, if any party N other than U executes the protocol while impersonating U, neither CS nor TA will accept it as U. The proposed scheme should guarantee that only the authorized users designated by the patient himself can access the encrypted health data through CS, and unauthorized users cannot obtain the shared health information. What is more, the authorized users can access the data only for a limited time. The authentication process prevents the user impersonation attack, in which an attacker acts as a legitimate user.
(4) Anonymity of patient: since the patient's identity reveals privacy-sensitive information, it is essential to keep the patient's identity confidential. Anonymity means hiding the patient's identity to prevent others from learning it. In this scheme, the anonymity of the patient is ensured if no attacker can obtain the real identity Pid of any patient.
(5) Integrity certification: the messages transmitted on the public channel can be verified by the receiver. Besides, any incomplete shared data will be detected by users before decrypting the data. This feature is very important to verify that health data has not been tampered with during transmission and storage.
(6) Forward secrecy of encryption key: forward secrecy ensures that past users cannot access sensitive data uploaded in the future.
Furthermore, it is important to propose a solution for security and privacy in IoMT that reduces the computational cost and consumes few resources. Hence, the security design goals of our data sharing scheme for IoMT should meet the following points.
Privacy preserving: data privacy includes the privacy of the patient's identity and the privacy of the shared medical data. The medical data contains electronic medical records and personal health conditions. If the health information is leaked or accessed by unauthorized adversaries, there is no doubt that it will have a great impact on patients. Hence, it is necessary to guarantee that shared health data is kept confidential from CS and from any unauthorized users. Second, the scheme needs to provide access control for shared data: all users who want to access data need to verify their identity, and any unauthorized user not designated by the patient and CS cannot access the encrypted health data. In addition, the proposed scheme needs to anonymize the identity of patients to protect the identity information from being leaked. Consequently, the proposed scheme should provide the anonymity of the patient and data access control to ensure the privacy of patient identity and the security of personal health information.
Lightweight operations: the physiological sensors deployed on patients are resource-constrained devices; therefore, the proposed scheme needs to reduce the amount of computation on the patient side to improve the efficiency of data sharing. To address this issue, we aim to design a lightweight data sharing scheme using ECC, because ECC can provide higher security with a small key. Besides, it can also protect privacy with lower computational complexity than bilinear pairing. Accordingly, this scheme realizes lightweight computations by ECC, hash, and XOR operations.
Effectiveness: in the proposed scheme, it is important to ensure that patients can efficiently share health data with users. Firstly, patients should securely upload health data to CS for sharing with authorized users. Secondly, authorized users should be able to decrypt the required health data for effective medical analysis.

Proposed Scheme
For the purpose of privacy protection, we design a secure data sharing scheme for IoMT. This scheme contains the following three phases: (1) system initialization phase, (2) data encryption and upload phase, and (3) data sharing phase. In addition, Table 1 provides the main notations used throughout this paper.

System Initialization Phase.
Firstly, TA generates the public parameters and its own secret key. Then, any user in the scheme who wants to access health data should first register with TA, after which he obtains his secret key and warrant generated by TA. Like users, patients also need to register with TA before receiving system services. During registration, the patient transfers his temporary identity instead of his real identity via the open channel; hence, the patient's identity information is protected. In addition, the patient needs to define a user identity set. This phase is described in detail below and its process is shown in Figure 2.
(1) Setup: firstly, TA selects a hash function h : {0, 1}* × G → Z_q*. Then, TA selects its secret key S_TA ∈ Z_q* and CS's secret key sk_CS ∈ Z_q* and calculates its public key as PK_TA = S_TA · B. TA keeps the secret key S_TA secret and publishes the public system parameters {E, B, h, PK_TA, G_E}. Besides, TA sends sk_CS to CS via a secure channel.
(2) User registration: after receiving the identity Uid_j ∈ {0, 1}* from a user, TA selects a random r ∈ Z_q* and computes the private key sk_Uid = Uid_j · r for him. Then, TA chooses random a_1, a_2 ∈ Z_q* and computes b_1 = a_1 · B, b_2 = a_2 · B. The warrant of the user is warr = a_1 + a_2 · h(Uid_j ∥ t_1), where t_1 is the time within which the authorized user can access the shared health information. Next, TA transfers sk_Uid and warr to the user through a secure channel. Finally, TA computes E_1 = sk_CS · h(Uid_j ∥ b_1 ∥ b_2 ∥ t_1) and sends {Uid_j, b_1, b_2, t_1, E_1} to CS. After receiving {Uid_j, b_1, b_2, t_1, E_1}, CS computes E_1′ = sk_CS · h(Uid_j′ ∥ b_1′ ∥ b_2′ ∥ t_1′) and checks whether E_1′ = E_1 holds. If it does not, CS terminates this session; otherwise, CS keeps {Uid_j, b_1, b_2, t_1} locally for later computation.
(3) Patient registration: patient Pid first chooses k ∈ Z_q* and computes P_1 = k · B, P_2 = k · PK_TA, y_n = h(P_2) ⊕ Pid. Next, the patient defines a set S = ⟨Uid_j⟩_{j=1}^{t}, which is the collection of identities of the users who may access his health information. If a user's identity satisfies Uid_j ∈ S and the access time is valid, he can access the shared data M. Then, the patient generates a timestamp t_2 and computes his temporary identity Ptid = h(Pid ∥ P_2 ∥ S ∥ t_2).
After receiving the registration information ⟨S, P_1, Ptid, y_n, t_2⟩ from the patient, TA checks the validity of the predicate t* − t_2 < Δt, where t* is the message receiving time and Δt is the maximum transmission delay, and aborts if the predicate does not hold. Otherwise, TA calculates P_2* = P_1 · S_TA, Pid* = y_n ⊕ h(P_2*), Ptid* = h(Pid* ∥ P_2* ∥ S ∥ t_2). After that, TA checks whether Ptid* = Ptid holds. If not, CS drops the

Data Encryption and Upload Phase.
In this proposed scheme, we are given that the maximum length of shared health data is l. The patient should encrypt the data M ∈ {0, 1}^l to M′ to ensure the privacy of M and then upload M′ to CS. This phase is described in detail below and its process is shown in Figure 3.
(1) Encryption: patient Pid needs to encrypt the gathered data M with a fresh encryption key K. Firstly, the patient chooses random x, y ∈ Z_q* and computes d_1 = a_n ⊕ x ⊕ Pid, Y = y · B, Z = x · Y, α = h(Pid ∥ d_1 ∥ Y), K = h(x ∥ a_n ∥ Z ∥ Pid). Then the patient uses the formula M′ = K ⊕ M to encrypt M and obtain the ciphertext M′.

Data Sharing Phase.
In this phase, the user first verifies that the encrypted data is complete. If the verification succeeds, the user needs to authenticate himself to TA and obtain the intermediate parameter. If verified successfully, he can download and decrypt M′. This phase is described in detail below and its process is shown in Figure 4.
(1) User request: user Uid_j first sends his request to CS when he wants to access the shared data M. He generates a timestamp t_4 and transfers ⟨Uid_j, h(Pid), t_4, warr⟩ to CS.
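As an added worked example (not code from the paper), the following Python script puts the Section 3 primitives (the non-singularity condition, point addition, scalar multiplication) and the three phases described in this section into one runnable flow: TA setup, user registration with the E_1 check at CS, patient registration with the Ptid check at TA, encryption under the one-time key K, and the data sharing phase with the warrant check at CS, the b_n/c_n check at TA and the α check and decryption at the user (the b_n, c_n and α checks are taken from Section 6). Assumptions that are this example's and not the paper's: the curve is secp256k1 (any prime-order curve serves), h is SHA-256 over a fixed encoding of its inputs, the record M is at most 32 bytes so that one hash output serves as K, and all identities, timestamps and the record are constructed values.

```python
import hashlib
import secrets

# Section 3: curve y^2 = x^3 + ax + b over Z_p, base point B of prime order q.
# Assumption of this example: secp256k1 parameters (any prime-order curve works).
P = 2**256 - 2**32 - 977
A, C = 0, 7
B = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
assert (4 * A**3 + 27 * C**2) % P != 0           # 4a^3 + 27b^2 != 0: non-singular curve

def on_curve(pt):
    return pt is None or (pt[1]**2 - pt[0]**3 - A * pt[0] - C) % P == 0

def add(p1, p2):
    """Point addition P + Q; None is the point at infinity (the group identity)."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None   # P + (-P) = O
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)            # the point -R of Section 3

def mul(n, pt):
    """Scalar multiplication n*P = P + ... + P (n times) by double-and-add."""
    r = None
    while n:
        if n & 1: r = add(r, pt)
        pt, n = add(pt, pt), n >> 1
    return r

def enc(v):
    """Hash-input encoding: 32-byte ints, x||y for points, sorted members for the set S."""
    if isinstance(v, tuple): return enc(v[0]) + enc(v[1])
    if isinstance(v, (set, frozenset)): return b"".join(enc(e) for e in sorted(v))
    return int(v).to_bytes(32, "big")

def h(*parts):
    """h(a || b || ...) as a 256-bit integer; SHA-256 is this example's choice of h."""
    return int.from_bytes(hashlib.sha256(b"".join(map(enc, parts))).digest(), "big")

def rand_zq():
    return secrets.randbelow(Q - 1) + 1              # uniform in Z_q^*

# Setup: TA secret S_TA, CS secret sk_CS, public key PK_TA = S_TA * B.
S_TA, sk_CS = rand_zq(), rand_zq()
PK_TA = mul(S_TA, B)

def register_user(uid, t1):
    """TA: sk_Uid = Uid*r, warr = a1 + a2*h(Uid||t1), record {Uid,b1,b2,t1,E1} for CS."""
    r, a1, a2 = rand_zq(), rand_zq(), rand_zq()
    b1, b2 = mul(a1, B), mul(a2, B)
    warr = (a1 + a2 * h(uid, t1)) % Q
    rec = (uid, b1, b2, t1, sk_CS * h(uid, b1, b2, t1) % Q)
    return uid * r % Q, warr, rec

def cs_accept_record(rec):
    """CS recomputes E1' = sk_CS*h(Uid'||b1'||b2'||t1') and stores the record if E1' = E1."""
    uid, b1, b2, t1, E1 = rec
    return sk_CS * h(uid, b1, b2, t1) % Q == E1

def register_patient(pid, S, t2):
    """Patient sends <S, P1, Ptid, yn, t2>; TA recovers Pid*, checks Ptid, issues a_n."""
    k = rand_zq()
    P1, P2 = mul(k, B), mul(k, PK_TA)
    ptid, yn = h(pid, P2, S, t2), h(P2) ^ pid        # message <S, P1, ptid, yn, t2> to TA
    P2s = mul(S_TA, P1)                              # TA: P2* = P1 * S_TA = k * S_TA * B
    pid_s = yn ^ h(P2s)
    if h(pid_s, P2s, S, t2) != ptid: return None
    return h(S) * S_TA % Q                           # a_n = h(S) * S_TA (secure channel)

def encrypt(pid, a_n, M):
    """Patient: K = h(x||a_n||Z||Pid) with Z = x*Y, M' = K xor M (M at most 32 bytes)."""
    x, y = rand_zq(), rand_zq()
    d1, Y = a_n ^ x ^ pid, mul(y, B)
    K = h(x, a_n, mul(x, Y), pid)
    return (K ^ int.from_bytes(M, "big"), Y, d1, h(pid, d1, Y))   # <M', Y, d1, alpha>

def cs_check_request(S, rec, uid, warr, t4, now, delta):
    """CS on <Uid, h(Pid), t4, warr>: Uid in S, t4 fresh, warr*B = b1 + b2*h(Uid||t1)."""
    ruid, b1, b2, t1, _ = rec
    return (uid in S and ruid == uid and 0 <= now - t4 < delta
            and mul(warr, B) == add(b1, mul(h(uid, t1), b2)))

def ta_check_user(sk_uid, b_n, c_n, t5, now, delta):
    """TA on <Uid, b_n, c_n, t5>: t5 fresh, c_n = h(b_n||sk_Uid||t5); returns Pid."""
    if not (0 <= now - t5 < delta and c_n == h(b_n, sk_uid, t5)): return None
    return b_n ^ sk_uid

def decrypt(upload, pid, a_n):
    """User: check alpha, then x = d1 xor a_n xor Pid, Z = x*Y, K, and M = K xor M'."""
    Mc, Y, d1, alpha = upload
    if alpha != h(pid, d1, Y): return None
    x = d1 ^ a_n ^ pid
    return (h(x, a_n, mul(x, Y), pid) ^ Mc).to_bytes(32, "big")

def demo(M=b"heart rate 72, SpO2 98"):
    """One honest run over constructed identities; returns the recovered 32-byte record."""
    uid, pid, delta = 1001, int.from_bytes(b"patient-7", "big"), 30
    sk_uid, warr, rec = register_user(uid, t1=100)
    assert cs_accept_record(rec)
    S = frozenset({uid, 1002})                       # users the patient authorises
    a_n = register_patient(pid, S, t2=101)
    upload = encrypt(pid, a_n, M)                    # <M', Y, d1, alpha> stored by CS
    assert cs_check_request(S, rec, uid, warr, t4=105, now=107, delta=delta)
    b_n = pid ^ sk_uid
    assert ta_check_user(sk_uid, b_n, h(b_n, sk_uid, 106), 106, 108, delta) == pid
    return decrypt(upload, pid, a_n)                 # M left-padded with zero bytes
```

The warrant check works because scalar multiplication is a homomorphism: warr · B = a_1 · B + h(Uid_j ∥ t_1) · (a_2 · B) = b_1 + b_2 · h(Uid_j ∥ t_1), so CS verifies the warrant from public points alone without learning a_1 or a_2; likewise TA recovers P_2 as P_1 · S_TA = k · S_TA · B without knowing k. Only the patient (who holds a_n and chose x) and a user who has been given a_n by TA can rebuild K, since Z = x · Y needs x, and x is only recoverable from d_1 with both a_n and Pid.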

Security Analysis
This section analyzes how the proposed scheme meets the security properties and resists the two types of attack presented in Section 4.2.

Security Properties
(1) Correctness: in the data sharing phase, a legitimate user verified by CS can correctly examine whether the encrypted data stored in CS is complete. After receiving ⟨β, M′, t_3⟩ from CS, the user first examines the completeness of the data M′ by computing h(M′ ∥ Pid ∥ t_3) and comparing the result with the received value β = h(M′ ∥ Pid ∥ t_3). Other illegal users cannot fake this authentication response, since the secret identity of the patient, Pid, is unknown to them. In the data encryption and upload phase, the correctness of this property is guaranteed by the one-way nature of the hash function. Besides, only authorized users can obtain the encrypted data within a valid time and restore the data correctly. A legitimate user can obtain the decryption key K by computing x = d_1 ⊕ a_n ⊕ Pid, Z = x · Y, and K = h(x ∥ a_n ∥ Z ∥ Pid). Finally, the user computes M = K ⊕ M′ to recover the plaintext of the shared data.
(2) Freshness of encryption key: in the data encryption, the encryption key K = h(x ∥ a_n ∥ Z ∥ Pid) is a hash output, where x is a random integer selected by the patient. This key is different in every encryption.
(3) Authentication: since the data transmission is carried out on a public channel, it is important to authenticate users who want to access shared information. The authenticity of the user identity is confirmed by TA and CS. In the data sharing phase, the user first sends his request ⟨Uid_j, h(Pid), t_4, warr⟩ to CS. CS checks whether Uid_j is in the corresponding set S. If not, TA drops the user's request message and terminates the session. Next, CS checks the validity of the timestamp t_4. Then, CS checks the user's warrant with the equation warr · B = b_1 + b_2 · h(Uid_j ∥ t_1). If the equation does not hold, CS terminates the session. After the user passes the CS verification, he must also verify with TA to obtain the intermediate parameter required for decryption. Hence, the user sends ⟨Uid_j, b_n, c_n, t_5⟩ to TA to get the intermediate parameter for decryption, where b_n = Pid ⊕ sk_Uid and c_n = h(b_n ∥ sk_Uid ∥ t_5). On receiving ⟨Uid_j, b_n, c_n, t_5⟩, TA verifies the validity of the timestamp t_5 and of Uid_j; if the verification is successful, TA verifies the equation c_n = h(b_n ∥ sk_Uid ∥ t_5) and computes Pid = b_n ⊕ sk_Uid. Next, TA transfers a_n of patient Pid to the user secretly for data decryption. Since the user's private key sk_Uid and Pid are secret and not known by others, no adversary can pretend to be him to authenticate to TA. Therefore, authenticating the user's identity before he obtains sensitive data ensures more secure communication.
(4) Anonymity of patient: the patient transmits messages through a public channel. Because the patient's identity Pid is hidden in Ptid or h(Pid), the proposed scheme guarantees the anonymity of the patient, as the identity Pid is masked as Ptid or h(Pid). In the system initialization phase, the patient transfers his temporary identity Ptid = h(Pid ∥ P_2 ∥ S ∥ t_2) to TA, where P_2 = k · PK_TA = P_1 · S_TA. Besides, in the other phases, the patient's identity information is transmitted in the form of the hash value h(Pid). Hence, an adversary cannot obtain the real identity Pid of any patient.
(5) Integrity certification: to satisfy the integrity service, all transmitted messages of the proposed scheme are attached with a verifiable value. In the system initialization phase, TA receives the message ⟨S, P_1, Ptid, y_n, t_2⟩ and checks the integrity of Ptid and S by verifying the timestamp condition t* − t_2 < Δt and verifying Ptid* = Ptid, computing P_2* = P_1 · S_TA, Pid* = y_n ⊕ h(P_2*), and Ptid* = h(Pid* ∥ P_2* ∥ S ∥ t_2). CS receives {Uid_j, b_1, b_2, t_1, E_1} or {E_2, S, h(Pid)} and checks the integrity of {Uid_j, b_1, b_2, t_1} or S by computing E_1′ = sk_CS · h(Uid_j′ ∥ b_1′ ∥ b_2′ ∥ t_1′) and checking whether E_1′ = E_1 holds, or by computing E_2′ = sk_CS · h(S′) and checking whether E_2′ = E_2 holds. In the data sharing phase, after receiving ⟨β, M′, t_3⟩, the user verifies that the data M is complete by checking the equation β = h(M′ ∥ Pid ∥ t_3). During decryption, TA receives the message ⟨Uid_j, b_n, c_n, t_5⟩ and checks the integrity of b_n by verifying the timestamp condition t* − t_5 < Δt and the equation c_n = h(b_n ∥ sk_Uid ∥ t_5). The user receives the message ⟨M′, Y, d_1, α⟩ and checks the integrity of d_1 and Y by verifying the equation α = h(Pid ∥ d_1 ∥ Y). As a result of using Pid and sk_Uid over the transmitted messages (which are not known to any adversary), any modification of the data by adversaries is detectable. The proposed scheme takes advantage of the one-way nature of the hash function to ensure that an attacker cannot tamper with the transmitted data.
(6) Forward secrecy of encryption key: the disclosure of an encryption key K does not influence the security of any past encrypted data. The freshness of the encryption key K = h(x ∥ a_n ∥ Z ∥ Pid) ensures that the proposed scheme meets this feature. The one-way nature of the hash function h prevents all secret parameters from being obtained by attackers. In addition, x, a_n, and Z all change dynamically with the sessions, where a_n = h(S) · S_TA and Z = x · Y.

Possible Attacks
Theorem 1 (replay attack). The proposed scheme can resist the replay attack.
Proof. The use of timestamps protects the information transmitted in the proposed scheme from replay attacks launched by an adversary. CS and TA detect a replay attack by examining the freshness of the timestamp t_i, i.e., t* − t_i < Δt, where t* is the time at which CS or TA receives the message and Δt is the maximum transmission delay. Besides, the timestamp t_i ensures that the transmitted message cannot be tampered with by an adversary. For example, in the system initialization phase, an adversary A intercepts the message ⟨S, P_1, Ptid, y_n, t_2⟩ and replays it as ⟨S′, P_1′, Ptid′, y_n′, t_2′⟩. The process terminates, since on receiving ⟨S′, P_1′, Ptid′, y_n′, t_2′⟩, TA verifies the freshness of the timestamp. ☐

Theorem 2 (eavesdropping attack). From the intercepted communication parameters, an adversary cannot obtain any secret information.
Proof. In the data sharing phase of the proposed scheme, an adversary A can capture the transmitted data by monitoring public channels. He collects the tuple ⟨M′, Y, d_1, α⟩ sent from CS to the user and the tuple ⟨Uid_j, b_n, c_n, t_5⟩ sent from the user to TA. Note that the encryption key is K = h(x ∥ a_n ∥ Z ∥ Pid). A cannot derive x, a_n, Z, or Pid from the intercepted messages. This is because the parameter x, selected at random by the patient, is unknown to A, and since a_n is transmitted secretly by TA to the user and the patient, nobody else knows its value. The parameter d_1 = a_n ⊕ x ⊕ Pid guarantees that even if A obtains d_1, he cannot compute x, Pid, or a_n. The hash function h guarantees that even if A obtains the parameter α = h(Pid ∥ d_1 ∥ Y), he cannot recover its input. Besides, A cannot compute Z = x · Y because A does not know x. Finally, the parameter b_n = Pid ⊕ sk_Uid guarantees that even if A obtains b_n, he cannot compute sk_Uid or Pid. Therefore, the proposed scheme protects the encryption key K from being learned by the adversary A, and A cannot obtain sensitive data from the ciphertext M′. In conclusion, the proposed scheme withstands eavesdropping attacks. ☐
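The checks that TA performs on the user's request ⟨Uid_j, b_n, c_n, t_5⟩, as an added example that is not code from the paper: a request is accepted only if t_5 is fresh and c_n = h(b_n ∥ sk_Uid ∥ t_5) verifies, so a late replay, a message whose b_n was altered in transit, and a request built with the wrong sk_Uid are all rejected. The value of Δt, the modelling of sk_Uid as a 160-bit secret string held by both the user and TA, the zero-padding of the 32-bit Pid to |q| bits before the XOR, and all sample values are assumptions; the `seen` cache goes beyond the paper's check and is marked as such in the code.

```python
import hashlib
import hmac

# Sizes follow the paper: SHA-1 digests (160 bits), |q| = 160 bits, |t_i| = 32 bits,
# |id| = 32 bits. sk_Uid is modelled as a 160-bit secret string (an assumption), and Pid is
# zero-padded to |q| bits before the XOR so that b_n = Pid ⊕ sk_Uid has |q| bits.
Q_BYTES = 20
ID_BYTES = 4
DELTA_T = 5                                 # assumed maximum transmission delay Δt (seconds)

def h(*parts):
    """h(a ∥ b ∥ ...): SHA-1 over the concatenation, the paper's hash choice."""
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(u ^ v for u, v in zip(a, b))

def ts(t):
    """32-bit big-endian timestamp encoding."""
    return t.to_bytes(4, "big")

def user_request(uid, pid, sk_uid, t5):
    """User side: b_n = Pid ⊕ sk_Uid, c_n = h(b_n ∥ sk_Uid ∥ t_5); sends <Uid_j, b_n, c_n, t_5>."""
    b_n = xor(pid.rjust(Q_BYTES, b"\x00"), sk_uid)
    return uid, b_n, h(b_n, sk_uid, ts(t5)), t5

def ta_verify(msg, registry, now, delta=DELTA_T, seen=None):
    """TA side. Returns (Pid, "ok") or (None, reason). `registry` maps Uid_j to its sk_Uid;
    `seen`, if given, is a set of (Uid_j, t_5) pairs already accepted inside the current Δt
    window, an addition beyond the paper's check that also rejects a replay arriving within Δt."""
    uid, b_n, c_n, t5 = msg
    if uid not in registry:
        return None, "unknown Uid_j"
    if not 0 <= now - t5 < delta:           # freshness: t* - t_5 < Δt
        return None, "stale timestamp"
    if seen is not None and (uid, t5) in seen:
        return None, "replayed within Δt"
    sk_uid = registry[uid]
    if not hmac.compare_digest(c_n, h(b_n, sk_uid, ts(t5))):
        return None, "c_n mismatch"         # b_n or t_5 altered, or wrong sk_Uid
    if seen is not None:
        seen.add((uid, t5))
    return xor(b_n, sk_uid)[-ID_BYTES:], "ok"

# Constructed sample values, not from the paper.
REGISTRY = {b"U001": hashlib.sha1(b"sample sk_Uid").digest()}   # TA's copy of each sk_Uid
PID = b"P042"
T5 = 1_700_000_000

def demo():
    """Runs one valid request and four rejected ones; returns the TA verdicts."""
    seen = set()
    msg = user_request(b"U001", PID, REGISTRY[b"U001"], T5)
    uid, b_n, c_n, t5 = msg
    return {
        "fresh": ta_verify(msg, REGISTRY, now=T5 + 1, seen=seen),
        "replay_in_window": ta_verify(msg, REGISTRY, now=T5 + 2, seen=seen),
        "replay_late": ta_verify(msg, REGISTRY, now=T5 + DELTA_T + 1),
        "tampered": ta_verify((uid, xor(b_n, b"\x01" * Q_BYTES), c_n, t5), REGISTRY, now=T5 + 1),
        "forged": ta_verify(user_request(b"U001", PID, hashlib.sha1(b"guess").digest(), T5),
                            REGISTRY, now=T5 + 1),
    }
```

The freshness test alone accepts any copy of the message that arrives inside Δt, which is why the example keeps the `seen` set for the length of the window; comparing c_n with `hmac.compare_digest` avoids leaking how many bytes matched through timing.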

Performance Analysis
We analyze the performance of the proposed scheme in detail, covering its computational and communication overheads, and compare its execution time and security with those of the schemes in [6,13,30].

Computation Cost.
The computation cost is analyzed by counting the operations used in each phase of the scheme. Note that t_h, t_xor, t_ecm, and t_add denote the time needed for a hash function evaluation, an XOR operation, an ECC scalar multiplication, and an addition operation, respectively.

Data Encryption and Upload Phase.
In encryption, patient Pid picks random x, y ∈ Z_q* and computes d_1 = a_n ⊕ x ⊕ Pid, Y = y · B, Z = x · Y, α = h(Pid ∥ d_1 ∥ Y), and K = h(x ∥ a_n ∥ Z ∥ Pid). Then, the patient encrypts M as M′ = K ⊕ M. Hence, the computation cost is 2t_ecm + 2t_h + 3t_xor. In upload, the patient generates a timestamp t_2 and computes β = h(M′ ∥ Pid ∥ t_3), so the computation overhead is t_h.

Data Sharing Phase.
In user request, the user generates a timestamp t_4 and transfers ⟨Uid_j, h(Pid), t_4, warr⟩ to CS; hence, the computation cost of this step is 0. In verify integrity, CS examines the user's warrant by checking warr · B = b_1 + b_2 · h(Uid_j ∥ t_1). Next, the user examines the completeness of data M by checking β = h(M′ ∥ Pid ∥ t_3), so the computation cost of this step is t_ecm + 2t_h + t_add. In decryption, the user generates a timestamp t_5, computes b_n = Pid ⊕ sk_Uid and c_n = h(b_n ∥ sk_Uid ∥ t_5), and sends ⟨Uid_j, b_n, c_n, t_5⟩ to TA. Then, TA verifies the equation c_n = h(b_n ∥ sk_Uid ∥ t_5) and computes Pid = b_n ⊕ sk_Uid. Finally, the user downloads ⟨M′, Y, d_1, α⟩ from CS, verifies the equation α = h(Pid ∥ d_1 ∥ Y), and computes x = d_1 ⊕ a_n ⊕ Pid, Z = x · Y, K = h(x ∥ a_n ∥ Z ∥ Pid), and M = K ⊕ M′. Hence, the computation overhead of this step is t_ecm + 4t_h + 5t_xor.
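The encryption, upload, and decryption steps just described, as an added example that is not the paper's code, implemented on secp256k1 with SHA-256 (the paper assumes a 160-bit curve and SHA-1; both substitutions are assumptions, as are the sample identity, health record, a_n, and sk_Uid). A counter tallies every hash, XOR, and scalar-multiplication call so that the figures 2t_ecm + 2t_h + 3t_xor, t_h, and t_ecm + 4t_h + 5t_xor can be checked against running code, and one flipped ciphertext byte shows β catching the change. The warrant check warr · B = b_1 + b_2 · h(Uid_j ∥ t_1) is not shown because the generation of warr, b_1, and b_2 is not described in this section, and a_n is modelled as a secret byte string shared by TA rather than derived as h(S) · S_TA. The curve arithmetic is textbook double-and-add in affine coordinates, not constant time, and serves illustration only.

```python
import hashlib
import secrets
# secp256k1 domain parameters, an assumption for this example (the paper sizes its curve at
# |q| = 160 bits). Affine (x, y) tuples, None = point at infinity; textbook double-and-add.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
L = 32                                      # bytes per scalar, digest and padded identity
COST = {"t_ecm": 0, "t_h": 0, "t_xor": 0}   # tally of the operations the paper prices

def ec_add(p1, p2):
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                         # p1 = -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):                          # k · pt by double-and-add; one t_ecm
    COST["t_ecm"] += 1
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):                              # h(a ∥ b ∥ ...), SHA-256 here (paper: SHA-1); one t_h
    COST["t_h"] += 1
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):                              # bytewise XOR of equal-length strings; one t_xor
    COST["t_xor"] += 1
    return bytes(u ^ v for u, v in zip(a, b))

def i2b(n, size=L):
    return n.to_bytes(size, "big")
def pt_bytes(pt):
    return i2b(pt[0]) + i2b(pt[1])

def patient_encrypt(pid, a_n, m):
    """Encryption: d_1 = a_n ⊕ x ⊕ Pid, Y = y·B, Z = x·Y, α, K, M' = K ⊕ M."""
    x, y = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    d1 = xor(xor(a_n, i2b(x)), pid)
    Y = ec_mul(y, B)
    Z = ec_mul(x, Y)
    alpha = h(pid, d1, pt_bytes(Y))
    K = h(i2b(x), a_n, pt_bytes(Z), pid)
    return Y, d1, alpha, xor(K, m)

def patient_upload_tag(m_enc, pid, t3):     # upload: β = h(M' ∥ Pid ∥ t_3), |t_i| = 32 bits
    return h(m_enc, pid, i2b(t3, 4))
def user_to_ta(pid, sk_uid, t5):            # user -> TA: b_n = Pid ⊕ sk_Uid, c_n = h(b_n ∥ sk_Uid ∥ t_5)
    b_n = xor(pid, sk_uid)
    return b_n, h(b_n, sk_uid, i2b(t5, 4))
def ta_recover_pid(b_n, c_n, t5, sk_uid):   # TA: check c_n, then Pid = b_n ⊕ sk_Uid
    return xor(b_n, sk_uid) if c_n == h(b_n, sk_uid, i2b(t5, 4)) else None

def user_decrypt(pid, a_n, Y, d1, alpha, m_enc):
    """Decryption: check α, then x = d_1 ⊕ a_n ⊕ Pid, Z = x·Y, K, M = K ⊕ M'."""
    if alpha != h(pid, d1, pt_bytes(Y)):
        return None                         # d_1 or Y was altered in transit
    x = int.from_bytes(xor(xor(d1, a_n), pid), "big")
    K = h(i2b(x), a_n, pt_bytes(ec_mul(x, Y)), pid)
    return xor(K, m_enc)

def run_phases():
    """Runs the phases on constructed values; returns the checks and the per-phase tally."""
    pid = b"P042".rjust(L, b"\x00")        # |id| = 32 bits, zero-padded to L bytes
    a_n = secrets.token_bytes(L)            # secret a_n that TA shares with patient and user
    sk_uid = secrets.token_bytes(L)         # user's private key, modelled as L bytes
    m = b"HR=72;SpO2=98;BP=120/80;T=36.6".ljust(L)   # one L-byte record (constructed)
    costs, t3, t5 = {}, 1_700_000_000, 1_700_000_010
    COST.update(t_ecm=0, t_h=0, t_xor=0)
    def snapshot(phase):                    # store the tally since the previous snapshot
        costs[phase] = dict(COST)
        COST.update(t_ecm=0, t_h=0, t_xor=0)
    Y, d1, alpha, m_enc = patient_encrypt(pid, a_n, m)
    snapshot("encryption")
    beta = patient_upload_tag(m_enc, pid, t3)
    snapshot("upload")
    b_n, c_n = user_to_ta(pid, sk_uid, t5)
    pid_at_ta = ta_recover_pid(b_n, c_n, t5, sk_uid)
    m_dec = user_decrypt(pid, a_n, Y, d1, alpha, m_enc)
    snapshot("decryption")
    flipped = bytes([m_enc[0] ^ 1]) + m_enc[1:]   # one ciphertext byte altered
    return {
        "roundtrip": m_dec == m and pid_at_ta == pid,
        "beta_detects_tamper": beta != patient_upload_tag(flipped, pid, t3),
        "alpha_detects_tamper": user_decrypt(pid, a_n, Y, xor(d1, i2b(1)), alpha, m_enc) is None,
        "costs": costs,
    }
```

With the paper's |M| = 320 bits the digest-sized K would have to be expanded into a key stream before the XOR; the example sidesteps that by encrypting a single digest-length block. The `costs` dictionary returned by `run_phases()` reproduces the three tallies stated above, with the TA round trip counted under decryption as the paper does.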
The calculation cost of the XOR operation is so small that it can be ignored. Table 2 illustrates the calculated cost of each stage in the proposed scheme. Table 3 lists the communication cost of each transmission. The proposed scheme chooses SHA-1 as its hash function, which outputs a 160-bit digest. In addition, we assume |q| = 160 bits for the elliptic curve, the shared data |M| = 320 bits, the timestamp |t_i| = 32 bits, and the identity |id| = 32 bits. In the transmission (user → TA), the user sends Uid_j during the system initialization phase and ⟨Uid_j, b_n, c_n, t_5⟩ during the data sharing phase; the size of these messages is 32 × 2 + 160 × 2 + 32 = 416 bits. In the transmission (user → CS), the user sends the tuple ⟨Uid_j, h(Pid), t_4, warr⟩ of size 384 bits. In the transmission (patient → TA), the patient sends the tuple ⟨S, P_1, Ptid, y_n, t_2⟩ of size 512 + 32t bits, where t is the number of user identities allowed to access his health data. In the transmission (patient → CS), the patient sends the tuple ⟨h(Pid), Y, d_1, α, β, M′, t_3⟩ of size 1152 bits.

Comparisons with Related Schemes.
To compare the schemes more intuitively, we construct Table 4 according to [7]; it lists the calculation cost of each operation. Using Table 4, we derive the calculation overheads of the proposed scheme and of the schemes in [6,13,30]. Table 5 summarizes the calculation overhead on the patient side in the proposed data sharing scheme and in the other recently proposed schemes. From the comparison in Table 5, the proposed scheme is far more lightweight than the schemes in [6,13,30], because it executes only ECC, hash, and XOR operations.
The security features of the proposed scheme are compared with those of Ding et al. [13], Chen and Peng [6], and Sowjanya et al. [30] in Table 6. According to this table, the schemes in [6,13] do not provide the anonymity of patients. Besides, Ding et al. [13] do not provide protection against replay attacks, and Chen and Peng [6] and Sowjanya et al. [30] may suffer from eavesdropping attacks. It is clear from the comparison that the proposed scheme is more secure than these similar schemes because it can resist

In summary, compared with the three similar schemes, the proposed scheme performs fewer computations and meets more security features. Besides, our scheme provides the anonymity of the patient's identity and authentication of access to the shared health data. Thus, the proposed scheme is more lightweight and secure for IoMT.

Conclusions
We propose a novel lightweight privacy-preserving data sharing scheme for IoMT. The presented scheme not only preserves the patient's anonymity while sharing data between patients and users but also ensures that only authorized users designated by the patient himself can access the encrypted health data. Furthermore, the scheme achieves lightweight computation by using only ECC, hash, and XOR operations. Compared with similar solutions, the proposed scheme satisfies all desired security features and requires less computation on both the patient and the user side. It is therefore an attractive solution for data sharing in IoMT.

Data Availability
The data used to support the findings of this study are included within the article.

Ethical Approval
This article does not contain any studies with human participants or animals performed by any of the authors.

Consent
Informed consent was obtained from all individual participants included in the study.

Conflicts of Interest
The authors declare that they have no conflict of interest.