The Internet of Medical Things (IoMT) is a kind of Internet of Things (IoT) that includes patients and medical sensors. Patients can share real-time medical data collected in IoMT with medical professionals, which enables medical professionals to provide patients with efficient medical services. Due to the high efficiency of cloud computing, patients prefer to share the gathered medical information using cloud servers. However, sharing medical data on a cloud server raises security issues, because these data involve the privacy of patients. Although many researchers have recently designed data sharing schemes in the medical domain for security purposes, most of them cannot guarantee the anonymity of patients or provide access control for shared health data, and further, they are not lightweight enough for IoMT. To address these security and efficiency issues, a novel lightweight privacy-preserving data sharing scheme for IoMT is constructed in this paper. This scheme achieves the anonymity of patients and access control of shared medical data. At the same time, it satisfies all the described security features. In addition, this scheme achieves lightweight computations by using elliptic curve cryptography (ECC), XOR operations, and a hash function. Furthermore, performance evaluation demonstrates that the proposed scheme incurs less computation cost than similar solutions. Therefore, it is an attractive solution for efficient and secure data sharing in IoMT.
Funding: Natural Science Foundation of Guangxi Province (2018GXNSFDA281040); Research Planning Project of National Language Committee (YB135-40); Fundamental Research Funds for the Central Universities (CCNU19TS019); National Natural Science Foundation of China (62072133, 62172181, 61772224).

1. Introduction
The Internet of Things (IoT) is a system that connects different sorts of sensors and computing devices over a network to gather and share medical data. IoT lets devices become smarter, processing become intelligent, and communication become informative [1]. IoT has bred many new technology solutions used in disparate domains due to its convenience. Naturally, IoT has also penetrated the healthcare system and brought great changes. The Internet of Medical Things (IoMT) is essentially IoT devices applied to the medical industry [2]. The application of IoMT brings many conveniences to patients and medical professionals. For example, in IoMT, medical professionals can receive the data and information they need and provide telemedicine for patients anywhere [3].
IoMT provides continuous health monitoring. It relies on different sorts of physiological sensors that are placed on patients, without reducing the user's comfort, to collect live health data and information such as oxygen saturation rate, heart rate, pulse, temperature, blood pressure, and respiration [4–8]. Due to the sensitivity of personal health data and the limited resources of sensors, it is crucial that security and lightweight computation are included as fundamental elements of IoMT [9]. Cloud computing is a kind of outsourcing platform that has large storage memory and computing resources. Due to these advantages, it can be combined with IoMT to eliminate the issues of storing large amounts of data. With the help of cloud computing servers, patients can efficiently store, manage, and share large amounts of medical information. Storing data in the cloud provides easy access for users and improves the storage utilization of the health information system [10]. However, the information of the patients (such as the identity of the patients, electronic medical records, and personal health conditions) is highly private and vulnerable. Data breaches are harmful to patients, as the sensitive information reveals the patients' identity and compromises data security. Hence, the security of health data is the major concern for sharing schemes. Besides, the completeness of shared patients' health data is extremely important [11]. For example, if an adversary tampers with a patient's health conditions, it will mislead medical professionals into making faulty analyses and affect the patient's health. Therefore, integrity verification is needed to prevent tampering by malicious attackers. Moreover, the scheme must provide authentication to verify users' legitimacy, because unauthorized users may tamper with medical records, and falsified data will lead to misdiagnosis by medical professionals [12].
Meanwhile, the physiological sensors used in medical systems have limited storage memory and power, and low computation speed and bandwidth. Accordingly, this motivates us to design a low-cost and lightweight data sharing scheme for the IoMT, which consumes less power and meets higher security requirements.
Many researchers have devoted themselves to designing effective data sharing schemes in cloud computing over the past few years. However, some [13–15] are not suitable for deployment in an IoMT system because of their use of bilinear pairings, which lack efficiency. Such heavy calculations on highly resource-constrained devices are not lightweight enough. The analysis in [16] demonstrates that a bilinear pairing operation has a very high computation cost. By contrast, the computation complexity of elliptic curve cryptography (ECC) is several times smaller than that of a pairing operation. This is because in the ECC algorithm the arithmetic requirements are low, the key size is small, and the operand length is shorter. As a result, ECC is regarded as a better encryption technology for resource-constrained devices.
Hence, for the purpose of ensuring the anonymity of patients, preserving the privacy of shared data, and improving the computation efficiency of physiological sensors in IoMT, this paper constructs a lightweight privacy-preserving data sharing scheme for the IoMT using ECC. In this scheme, after collecting the health data, patients with physiological sensors must encrypt the collected health data to prevent personal privacy from leaking. Then, the patient generates a temporary identity to protect his real identity and achieve anonymity. With the help of a cloud server, health data can be shared with authorized users after being uploaded by patients. Furthermore, to realize authorized access, patients designate the identity set of users. Before accessing the health data, users must authenticate to the cloud server. Users are eligible to access the encrypted health data only if their identities and access time are valid. The main contributions of this paper are summarized below.
A lightweight privacy-preserving data sharing scheme for IoMT using ECC is proposed, which anonymizes the identity of patients and provides authorized access to shared health data
The proposed scheme realizes lightweight computations by ECC, hash, and XOR operations, and does not require heavy computations such as bilinear pairings
The proposed protocol resists the considered attacks (replay attack and eavesdropping attack) and achieves all desired security features: correctness, freshness of the encryption key, authentication, anonymity of the patient, integrity certification, and forward secrecy of the encryption key
Compared with similar solutions, the proposed scheme satisfies all desired security features and requires lighter computations on the patient side
The remainder of this paper is organized as follows. Previous studies are reviewed in Section 2. The mathematical preliminaries are introduced in Section 3. Then, Section 4 illustrates the model of the proposed scheme, including the network model, types of attack, security properties, design goals, and syntax of the proposed scheme. The data sharing scheme, including its three phases (system initialization, data encryption and upload, and data sharing), is given in Section 5. The security analysis of this scheme is provided in Section 6. The performance evaluation and the comparisons with similar schemes in terms of computation cost and security are presented in Section 7. Finally, we conclude the paper in Section 8.
2. Related Work
Cloud computing has emerged as a convenient platform for sharing data that enables multiple users from different domains to obtain the information they need simultaneously. It is highly necessary to authenticate users who want to access the health data. However, it is worth noting that existing solutions may suffer from a series of issues, such as data owner privacy, completeness of the data, data access control, and computation cost in encryption/decryption. These issues have been of widespread concern.
In 2010, Itani et al. [17] presented a lightweight protocol with which mobile clients can verify the completeness of stored information in mobile cloud computing. In 2013, Wang et al. [18] constructed a cloud storage system that realizes privacy protection, where users can employ a third-party auditor to verify the completeness of outsourced data. Later, in 2014, Wang et al. [19] presented a novel data integrity verification mechanism using ring signatures that is able to ensure identity privacy. Yang et al. [20] designed a data sharing solution in the cloud that provides integrity verification while guaranteeing users' identity privacy. In order to hide sensitive data during data integrity certification, Shen et al. [21] presented an efficient data sharing protocol in 2019.
Due to the limited storage of small devices, large data needs to be outsourced. Outsourced data may contain private information, so ensuring data security has become a challenge. Some works have focused on designing valid schemes for this issue. For example, Wang et al. [22] provided a processing mechanism to achieve flexible user access control. However, this solution takes no account of energy consumption, because the data owner needs to share pairwise keys with users, which consumes plenty of storage memory. Later, a novel certificateless proxy reencryption (CL-PRE) scheme was presented by Xu et al. [23] for sharing information securely on a cloud server. That paper showed that the certificateless scheme can cut down the computation and communication cost for data owners. Nevertheless, this scheme consumes a large amount of computation because of its use of bilinear pairing operations. Khan et al. [24] designed a proxy reencryption scheme for reducing energy and memory consumption, in which the computational complexity of bilinear pairing still remains. A cloud-based electronic health record system supporting data privacy preservation was presented in [25]. Ramesh et al. [26] proposed a secure model using the stream cipher ChaCha20. This model provides integrity verification of sensitive data and guarantees the authenticity of the data. Wang et al. [27] constructed a cloud-based system framework for the electronic medical field. They utilized identity-based encryption and proxy reencryption in that study for security purposes. The study also granted users authorized by the data owner the right to access health information. He et al. [28] designed an encryption technology for wireless body area networks to check the completeness of stored medical data, which provides better performance.
A scheme for sharing personal health data with access control was designed by Jiang et al. [29]. This scheme is applied to mobile healthcare social networks, and it adopts attribute-based encryption as its main encryption method. Ding et al. [13] presented a health storage system that resolves data integrity verification and provides convenient and safe communication between patient and physician. Sowjanya et al. [30] introduced an end-to-end authentication protocol that reduces the overall complexity through the use of elliptic curve cryptography (ECC). Zhang et al. [31] presented a practical scheme for cloud-assisted electronic health information systems that uses identity-based encryption to enable efficient sharing of sensitive data.
Most of the available schemes are not secure enough. In addition, some of the schemes use complex operations such as bilinear pairing, which increase the computation cost and are not lightweight enough for IoMT. What is more, the anonymity of patients is often ignored. As a result, to guarantee the anonymity of patients and provide access control for shared health data, we design a lightweight privacy-preserving data sharing scheme for IoMT that is based on ECC, hash, and XOR operations.
3. Preliminaries
The elliptic curve cryptosystem (ECC) was first put forth by Koblitz [32] and Miller [33] independently. ECC is a public key encryption technique. An elliptic curve is a kind of cubic curve over a finite field, and ECC is based on its algebraic structure. ECC, with the benefits of being lightweight and highly secure, has attracted widespread attention in modern cryptography. A 160-bit ECC key and a 1024-bit RSA key provide equivalent security, so the encryption key generated by ECC is smaller and more efficient. An elliptic curve $E$ is described by the equation $y^2 \bmod p = x^3 + ax + b \bmod p$, where $p$ is a large prime number. In addition, $4a^3 + 27b^2 \not\equiv 0 \pmod p$ must be satisfied in order to exclude singular elliptic curves. $\mathbb{Z}_p$ denotes the prime finite field, and $a, b, x, y \in \mathbb{Z}_p$. In what follows, we omit $\bmod p$ for the sake of simplicity. The three operations of ECC over $G_E$ are defined below.
Point addition: given two random points $P$ and $Q$ on the elliptic curve $E$, the point $R$ on $E$ represents the addition of these two points. The formula is $P + Q + R = 0$. Here, $R$ refers to the third point where the line connecting $P$ and $Q$ intersects the elliptic curve, and the point $-R$ is the reflection of point $R$ about the x-axis
Point doubling: this refers to the addition of a point on $E$ to itself. The point $Q$ is obtained by adding a point $P$ on the same curve $E$ to itself. The formula is $2P + Q = 0$. Here, the point $-Q$ is the reflection of point $Q$ (the point of intersection of the tangent line at $P$ with $E$) about the x-axis
Scalar point multiplication: this repeatedly performs point doubling and point addition operations. Let $n \in \mathbb{Z}_q^*$ be a positive integer; then $n \cdot P$ is given by $P + P + \cdots + P$ ($n$ times)
There are two hard problems in the elliptic curve domain that are widely used in designing encryption schemes, because there is no probabilistic polynomial time algorithm that solves them efficiently on a computer. The following computational hard problems over ECC [34] have been widely utilized for secure schemes.
Elliptic Curve Discrete Logarithm Problem (ECDLP): let $k \in \mathbb{Z}_q^*$ be a positive integer, and let $P, Q \in G_E$ be two random elliptic curve points. The ECDLP is to determine $k$ given $P$ and $Q$, where $P = k \cdot Q$. Knowing $k$ and $Q$, it is easy to calculate $P$; conversely, it is infeasible to calculate $k$ from $P$ and $Q$ if the prime number $q$ is large.
Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP): the ECCDHP states that, for any random instance $(B, c \cdot B, d \cdot B)$, it is difficult to compute the value $c \cdot d \cdot B$, where $B$ is the base point of the elliptic curve and $c, d \in \mathbb{Z}_q^*$ are two positive integers.
4. Model of the Proposed Scheme
In this section, we first design a network model suitable for IoMT and a security model for the data sharing scheme. Then, the types of attack and security properties are described, and the design goals and the syntax of the proposed scheme are illustrated.
4.1. Network Model
A network model for IoMT is presented. It consists of four types of entities, i.e., a trusted authority (TA), patients, cloud servers (CS), and users. Their relationship in the network model is shown in Figure 1.
Trusted authority (TA): TA acts as the public and private key generation system and is fully trusted. In this scheme, system initialization is performed by TA. Patients and users must register with TA before receiving system services. In addition, TA can communicate with the other entities via a secure channel. The existence of a secure channel does not mean that the data can be shared through it, because the shared data may be large
Patient: this refers to data owners equipped with physiological sensors. Patients gather personal health data through these sensors. Patients must register with TA before accepting the service of the system. Then, because of their own limited memory, they upload data to the cloud server for storing and sharing health data with authenticated legitimate users. Since all shared data is uploaded to the cloud server through a public channel, patients should encrypt the gathered information and hide their identity to preserve personal privacy and health information security. Besides, a patient's real identity is known only to TA and authorized users
Cloud server (CS): CS is responsible for storing the encrypted information of patients and authenticating users who want to access data, because it has large storage memory and strong computing power. Besides, CS is considered semitrusted. In other words, if stored data is lost, it may fake the missing data to hide the loss from users for economic reasons
User: this entity refers to medical professionals, who communicate with CS to obtain patients' health information for medical analysis and diagnosis. Before accessing the health data, legitimate users should register with TA. In this scheme, it is important to note that only identified and authorized users can obtain the required health information from CS and decrypt the patients' encrypted data
Figure 1. Proposed architecture for IoMT.
Now, we will give the description of our proposed scheme. There are three main phases in the proposed sharing scheme, namely, (1) system initialization phase, (2) data encryption and upload phase, and (3) data sharing phase. The subphases of these phases are detailed below.
Setup: the trusted authority (TA) executes this phase to define the system public parameters, choose a unique nonce $S_{TA} \in \mathbb{Z}_q^*$ as its own private key, and compute the public key $PK_{TA}$
User registration: this phase is processed by the TA. After TA receives the identity $Uid$ sent by a user, it generates the warrant $warr$ and the private key $sk_{Uid}$ of the user. Further, TA sends $(warr, sk_{Uid})$ to the user via a secure channel
Patient registration: this is performed by the patient and the TA. Firstly, the patient generates the temporary identity $Ptid$, chooses the user identity set $S$, and sends them to TA. Secondly, the TA checks the patient's $Ptid$, computes the intermediate result $a_n$ for data encryption, and then sends $a_n$ to the patient via a secure channel and $S$ to CS
Encryption: this phase is performed by patients; it encrypts the sensitive data $M$ to $M'$
Upload: it is performed by the patient, who sends the ciphertext $M'$ and the related parameters to the CS
User request: it is executed on the user side, by sending a request to the CS
Verify integrity: this phase is performed by the user and the CS, for verifying the integrity of the ciphertext $M'$
Decryption: it is performed by the user; the plaintext $M$ is recovered by taking as input the ciphertext $M'$ and the related parameters
4.2. Security Model
To analyze the security of the proposed data sharing scheme more accurately, we briefly introduce two types of attacks. Then, we define the required security features and design goals. The detailed security analysis of these security requirements is given in Section 6.
We consider the following two types of attack.
Replay attack: this attack repeats or delays a message. It can be carried out by an adversary who intercepts a message of an old conversation and retransmits it
Eavesdropping attack: this refers to an attacker passively monitoring the communication between users to obtain the transmitted data when the network communications are insecure
For secure data sharing, the proposed scheme must meet the following security properties.
Correctness: the proposed scheme allows legitimate users to correctly detect whether the information stored in CS is complete. Besides, only authorized users can obtain encrypted data within a valid time and restore the data correctly
Freshness of encryption key: the encryption key generated by the patient in the data encryption and upload phase is only used once. Freshness of encryption key ensures that attackers cannot reuse one encryption key to recover other encrypted sensitive data
Authentication: the purpose of authenticating a user is to ensure that, for a given user U, no other user N who executes the protocol while impersonating U will have the identity of U accepted by CS or TA. The proposed scheme must guarantee that only authorized users designated by the patient himself can access the encrypted health data through CS, and that unauthorized users cannot obtain the shared health information. What is more, authorized users can only access the data for a limited time. The authentication process prevents the user impersonation attack, in which an attacker acts like a legitimate user
Anonymity of patient: since the patient's identity reveals privacy-sensitive information, it is essential to keep the patient's identity confidential. Anonymity means hiding the patient's identity to prevent others from learning it. In this scheme, the anonymity of the patient is ensured if no attacker can obtain the real identity $Pid$ of any patient
Integrity certification: the messages transmitted on the public channel can be certificated by the receiver. Besides, any incomplete shared data will be detected by users before decrypting the data. This feature is very important to verify that health data has not been tampered with during transmission and storage process
Forward secrecy of encryption key: the forward secrecy could ensure that past users cannot access the sensitive data uploaded in the future
Furthermore, it is important to propose a solution for security and privacy in IoMT, which should reduce the computational cost and consume few resources. Hence, the security design goals of our data sharing scheme for IoMT should meet the following points.
Privacy preserving: data privacy includes the privacy of the patient's identity and the privacy of the shared medical data. The medical data contains electronic medical records and personal health conditions. If the health information is leaked or accessed by unauthorized adversaries, it will undoubtedly have a great impact on patients. Hence, it is necessary to guarantee that shared health data is kept confidential from CS and from any unauthorized users. The scheme must also provide access control for shared data: all users who want to access data need to verify their identity, and any unauthorized user not designated by the patient cannot access the encrypted health data. In addition, the proposed scheme needs to anonymize the identity of patients to protect the identity information from being leaked. Consequently, the proposed scheme should provide patient anonymity and data access control to ensure the privacy of the patient's identity and the security of personal health information.
Lightweight operations: the physiological sensors deployed on patients are resource-constrained devices; therefore, the proposed scheme needs to reduce the amount of computation on patients to improve the efficiency of data sharing. To address this issue, we aim to design a lightweight data sharing scheme using ECC, because ECC provides higher security with a small key. Besides, it protects privacy with lower computational complexity compared with bilinear pairing. Accordingly, this scheme realizes lightweight computations by ECC, hash, and XOR operations.
Effectiveness: in the proposed scheme, it is important to ensure that patients can efficiently share health data with users. Firstly, patients should securely upload health data to CS for sharing with authorized users. Secondly, authorized users should be able to decrypt the required health data for effective medical analysis.
5. Proposed Scheme
For the purpose of privacy protection, we design a secure data sharing scheme for IoMT. This scheme contains the following three phases: (1) system initialization phase, (2) data encryption and upload phase, and (3) data sharing phase. In addition, Table 1 provides the main notations used throughout this paper.
Table 1. Notation table.

| No. | Notation | Explanation |
|---|---|---|
| 1 | $p$ | A large prime number |
| 2 | $E$ | An elliptic curve of prime order $p$ |
| 3 | $G_E$ | An additive elliptic curve group of order $q$ |
| 4 | $B$ | Base point of $G_E$ |
| 5 | $q$ | Order of $G_E$ |
| 6 | $O$ | Point at infinity |
| 7 | $\mathbb{Z}_q$ | A set with $q$ elements |
| 8 | $\mathbb{Z}_q^*$ | $\mathbb{Z}_q^* = \mathbb{Z}_q \setminus \{0\}$ |
| 9 | $h$ | One-way hash function, $h: \{0,1\}^* \times G \to \mathbb{Z}_q^*$ |
| 10 | $S_{TA}$ | Secret key of the trusted authority (TA) |
| 11 | $PK_{TA}$ | Public key of TA |
| 12 | $warr$ | Warrant of the user |
| 13 | $Uid$, $Pid$ | Identity of the user and of the patient |
| 14 | $sk_{Uid}$, $sk_{CS}$ | Secret key of the user and of the cloud server (CS) |
| 15 | $Ptid$ | Temporary identity of the patient |
| 16 | $M$ | Health data |
| 17 | $M'$ | Encrypted data |
| 18 | $X \parallel Y$ | Concatenation operation |
| 19 | $\oplus$ | Bitwise XOR operation |
| 20 | $A \to B$ | Entity A sends a message to entity B through a public channel |
5.1. System Initialization Phase
Firstly, TA generates the public parameters and its own secret key. Then, any user in the scheme who wants to access health data first registers with TA and obtains his secret key and warrant generated by TA. Like users, patients also need to register with TA before receiving system services. During registration, the patient transmits his temporary identity instead of his real identity over the open channel; hence, the patient's identity information is protected. In addition, the patient needs to define a user identity set. This phase is described in detail below, and its process is shown in Figure 2.
Setup: firstly, TA selects a hash function $h: \{0,1\}^* \times G \to \mathbb{Z}_q^*$. Then, TA selects its secret key $S_{TA} \in \mathbb{Z}_q^*$ and CS's secret key $sk_{CS} \in \mathbb{Z}_q^*$, and calculates its public key as $PK_{TA} = S_{TA} \cdot B$. TA keeps $S_{TA}$ secret and publishes the public system parameters $\{E, B, h, PK_{TA}, G_E\}$. Besides, TA sends $sk_{CS}$ to CS via a secure channel
User registration: after receiving the identity $Uid_j \in \{0,1\}^*$ from a user, TA selects a random $r \in \mathbb{Z}_q^*$ and computes the private key $sk_{Uid} = Uid_j \cdot r$ for him. Then, TA chooses random $a_1, a_2 \in \mathbb{Z}_q^*$ and computes $b_1 = a_1 \cdot B$ and $b_2 = a_2 \cdot B$. The warrant of the user is $warr = a_1 + a_2 \cdot h(Uid_j \parallel t_1)$, where $t_1$ is the time within which the authorized user can access the shared health information. Next, TA transfers $sk_{Uid}$ and $warr$ to the user through a secure channel. Finally, TA computes $E_1 = sk_{CS} \cdot h(Uid_j \parallel b_1 \parallel b_2 \parallel t_1)$ and sends $\{Uid_j, b_1, b_2, t_1, E_1\}$ to CS. After receiving $\{Uid_j, b_1, b_2, t_1, E_1\}$, CS computes $E_1' = sk_{CS} \cdot h(Uid_j' \parallel b_1' \parallel b_2' \parallel t_1')$ and checks whether $E_1' = E_1$ holds. If not, CS terminates this session. Otherwise, CS keeps $\{Uid_j, b_1, b_2, t_1\}$ locally for later computation
Patient registration: the patient $Pid$ first chooses $k \in \mathbb{Z}_q^*$ and computes $P_1 = k \cdot B$, $P_2 = k \cdot PK_{TA}$, and $y_n = h(P_2) \oplus Pid$. Next, the patient defines a set $S = \{Uid_j\}_{j=1}^{t}$, which is the collection of identities of users who may access his health information. If a user's identity satisfies $Uid_j \in S$ and the access time is valid, he can access the shared data $M$. Then, the patient generates a timestamp $t_2$ and computes his temporary identity $Ptid = h(Pid \parallel P_2 \parallel S \parallel t_2)$. After receiving the registration information $\{S, P_1, Ptid, y_n, t_2\}$ from the patient, TA checks the validity of the predicate $t^* - t_2 < \Delta t$, where $t^*$ is the message receiving time and $\Delta t$ is the maximum transmission delay, and aborts if the predicate does not hold. Otherwise, TA calculates $P_2^* = P_1 \cdot S_{TA}$, $Pid^* = y_n \oplus h(P_2^*)$, and $Ptid^* = h(Pid^* \parallel P_2^* \parallel S \parallel t_2)$. After that, TA checks whether $Ptid^* = Ptid$ holds. If not, TA drops the received message and terminates this session. Otherwise, TA computes $a_n = h(S) \cdot S_{TA}$ and transfers $a_n$ to the patient via a secure channel. Then, TA computes $E_2 = sk_{CS} \cdot h(S)$ and sends $\{E_2, S, h(Pid)\}$ to CS. After receiving $\{E_2, S, h(Pid)\}$, CS computes $E_2' = sk_{CS} \cdot h(S')$ and checks whether $E_2' = E_2$ holds. If the equation does not hold, CS terminates the session. Otherwise, CS keeps $S$ locally for later verification
Figure 2. System initialization phase.
5.2. Data Encryption and Upload Phase
In the proposed scheme, the maximum length of the shared health data is $l$. The patient encrypts the data $M \in \{0,1\}^l$ to $M'$ to ensure the privacy of $M$ and then uploads $M'$ to CS. This phase is described in detail below, and its process is shown in Figure 3.
Encryption: the patient $Pid$ encrypts the gathered data $M$ with a fresh encryption key $K$. Firstly, the patient chooses random $x, y \in \mathbb{Z}_q^*$ and computes $d_1 = a_n \oplus x \oplus Pid$, $Y = y \cdot B$, $Z = x \cdot Y$, $\alpha = h(Pid \parallel d_1 \parallel Y)$, and $K = h(x \parallel a_n \parallel Z \parallel Pid)$. Then, the patient encrypts $M$ as $M' = K \oplus M$ to obtain the ciphertext $M'$
Upload: the patient $Pid$ generates a timestamp $t_3$ and computes $\beta = h(M' \parallel Pid \parallel t_3)$. Then, the patient sends $\{h(Pid), Y, d_1, \alpha, \beta, M', t_3\}$ to CS. On receiving this message, CS first examines the freshness of the timestamp $t_3$. If the examination succeeds, CS stores the information. Otherwise, CS drops this message and terminates this session
Figure 3. Data encryption and upload phase.
5.3. Data Sharing Phase
In order to obtain the shared health data, a user verifies his identity with CS and TA. He first generates a timestamp and forwards the related parameters to CS through the public channel. Then, CS sends the encrypted data and intermediate parameters to the user if his warrant is valid and his visit time is within the valid period. Next, the user verifies that the encrypted data is complete. If this verification succeeds, the user authenticates himself to TA and obtains the intermediate parameter. If that verification succeeds, he can download and decrypt $M'$. This phase is described in detail below, and its process is shown in Figure 4.
User request: user $Uid_j$ first sends his request to CS when he wants to access the shared data $M$. He generates a timestamp $t_4$ and transfers $\{Uid_j, h(Pid), t_4, warr\}$ to CS
Verify integrity: firstly, CS checks whether $Uid_j$ is in the corresponding set $S$. If not, CS drops the user's request message and terminates this session. Next, CS checks the validity of the timestamp $t_4$. Then, CS checks the user's warrant with the equation $warr \cdot B = b_1 + b_2 \cdot h(Uid_j \parallel t_1)$. If both sides are equal, CS sends $\{\beta, M', t_3\}$ to the user. After receiving $\{\beta, M', t_3\}$, the user checks that the data $M'$ is complete by verifying the equation $\beta = h(M' \parallel Pid \parallel t_3)$. If the equation holds, the user proceeds to the next step. Otherwise, the user terminates this session
Decryption: the user first generates a timestamp $t_5$, computes $b_n = Pid \oplus sk_{Uid}$ and $c_n = h(b_n \parallel sk_{Uid} \parallel t_5)$, and sends $\{Uid_j, b_n, c_n, t_5\}$ to TA in order to obtain the intermediate parameter for decryption. After receiving this message, TA verifies the freshness of the timestamp $t_5$ and the legitimacy of the identity $Uid_j$. If either check fails, TA drops this message and terminates the session. Otherwise, TA verifies the equation $c_n = h(b_n \parallel sk_{Uid} \parallel t_5)$, computes $Pid = b_n \oplus sk_{Uid}$, and then transfers the $a_n$ of patient $Pid$ to the user via a secure channel for decrypting the data. After getting $\{M', Y, d_1, \alpha\}$ from CS, the user first verifies the equation $\alpha = h(Pid \parallel d_1 \parallel Y)$. If the equation holds, he retrieves the symmetric key $K$ by computing $x = d_1 \oplus a_n \oplus Pid$, $Z = x \cdot Y$, and $K = h(x \parallel a_n \parallel Z \parallel Pid)$. Finally, the user obtains the plaintext by computing $M = K \oplus M'$
Figure 4. Data sharing phase.
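To make the three phases concrete, here is an added end-to-end simulation that is not part of the paper and not the authors' code. It instantiates $(E, B, q)$ with the secp256k1 curve, $h$ with SHA-256 reduced into $\mathbb{Z}_q^*$, and identities, timestamps and health data as integers (all assumptions), runs setup, user and patient registration, encryption and upload, and data sharing, and also shows the $\beta$ integrity check rejecting a tampered ciphertext and CS refusing a registered user who is not in $S$.

```python
from hashlib import sha256
from secrets import randbelow

# secp256k1 stands in for (E, B, q): y^2 = x^3 + 7 over F_p, base point B of prime order q
p = 2**256 - 2**32 - 977
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5  # maximum transmission delay accepted by TA and CS (constructed value)

def ec_add(P, Q):
    """Point addition on E; None represents the point at infinity O."""
    if P is None: return Q
    if Q is None: return P
    x1, y1 = P; x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0: return None          # P + (-P) = O
    if P == Q: lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p    # tangent slope: point doubling
    else: lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope: point addition
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P):  # scalar point multiplication k*P by repeated doubling and addition
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def rand_zq(): return randbelow(q - 1) + 1                    # uniform element of Z_q^*
def enc(v):  # serialise an int, a point (x, y) or an identity set for hashing
    return v.to_bytes(32, "big") if isinstance(v, int) else b"".join(map(enc, v))
def h(*parts):
    """h: {0,1}^* x G -> Z_q^*, instantiated as SHA-256 of the concatenation (assumption)."""
    return int.from_bytes(sha256(b"".join(map(enc, parts))).digest(), "big") % (q - 1) + 1

def setup():  # TA picks S_TA and sk_CS, publishes PK_TA = S_TA*B, hands sk_CS to CS
    ta = {"s_ta": rand_zq(), "sk_cs": rand_zq(), "users": {}, "patients": {}}
    ta["pk_ta"] = ec_mul(ta["s_ta"], B)
    return ta, {"sk_cs": ta["sk_cs"], "users": {}, "sets": {}, "data": {}}

def register_user(ta, cs, uid, t1):
    """User registration: TA issues (warr, sk_Uid); CS verifies E1 and stores {Uid, b1, b2, t1}."""
    r, a1, a2 = rand_zq(), rand_zq(), rand_zq()
    b1, b2 = ec_mul(a1, B), ec_mul(a2, B)
    ta["users"][uid] = sk_uid = uid * r % q
    warr = (a1 + a2 * h(uid, t1)) % q
    e1 = ta["sk_cs"] * h(uid, b1, b2, t1) % q                 # TA -> CS: {Uid, b1, b2, t1, E1}
    assert e1 == cs["sk_cs"] * h(uid, b1, b2, t1) % q         # CS: E1' == E1
    cs["users"][uid] = (b1, b2, t1)
    return {"uid": uid, "sk": sk_uid, "warr": warr}

def register_patient(ta, cs, pid, S, t2, now):
    """Patient registration under the temporary identity Ptid; returns a_n, or None if rejected."""
    k = rand_zq()
    P1, P2 = ec_mul(k, B), ec_mul(k, ta["pk_ta"])
    yn, ptid = h(P2) ^ pid, h(pid, P2, S, t2)                 # patient -> TA: {S, P1, Ptid, yn, t2}
    if now - t2 >= DELTA_T: return None                       # TA: t* - t2 < delta_t
    P2s = ec_mul(ta["s_ta"], P1)                              # TA: P2* = P1 * S_TA
    pid_s = yn ^ h(P2s)                                       # TA: Pid* = yn xor h(P2*)
    if h(pid_s, P2s, S, t2) != ptid: return None              # TA: Ptid* == Ptid
    ta["patients"][pid_s] = a_n = h(S) * ta["s_ta"] % q       # a_n = h(S) * S_TA, sent securely
    assert ta["sk_cs"] * h(S) % q == cs["sk_cs"] * h(S) % q   # CS: E2' == E2
    cs["sets"][h(pid_s)] = S                                  # CS keeps S, keyed by h(Pid)
    return a_n

def encrypt_upload(cs, pid, a_n, M, t3):
    """Patient encrypts M under a fresh K and uploads {h(Pid), Y, d1, alpha, beta, M', t3}."""
    x, y = rand_zq(), rand_zq()
    d1, Y = a_n ^ x ^ pid, ec_mul(y, B)
    K = h(x, a_n, ec_mul(x, Y), pid)                          # K = h(x || a_n || Z || Pid), Z = x*Y
    M_enc = K ^ M
    cs["data"][h(pid)] = {"Y": Y, "d1": d1, "alpha": h(pid, d1, Y),
                          "beta": h(M_enc, pid, t3), "M_enc": M_enc, "t3": t3}

def share(ta, cs, user, pid, t4, t5, now):
    """Data sharing: CS checks S, t4 and the warrant; user checks beta; TA releases a_n; user decrypts."""
    uid, hp = user["uid"], h(pid)                             # user -> CS: {Uid, h(Pid), t4, warr}
    b1, b2, t1 = cs["users"][uid]
    if uid not in cs["sets"][hp] or now - t4 >= DELTA_T or now > t1: return None
    if ec_mul(user["warr"], B) != ec_add(b1, ec_mul(h(uid, t1), b2)): return None
    rec = cs["data"][hp]                                      # CS -> user: {beta, M', t3}
    if h(rec["M_enc"], pid, rec["t3"]) != rec["beta"]: return None   # integrity of M' fails
    bn = pid ^ user["sk"]; cn = h(bn, user["sk"], t5)          # user -> TA: {Uid, bn, cn, t5}
    sk = ta["users"].get(uid)
    if sk is None or now - t5 >= DELTA_T or cn != h(bn, sk, t5): return None
    a_n = ta["patients"][bn ^ sk]                             # TA: Pid = bn xor sk_Uid; a_n sent securely
    if h(pid, rec["d1"], rec["Y"]) != rec["alpha"]: return None
    x = rec["d1"] ^ a_n ^ pid
    return h(x, a_n, ec_mul(x, rec["Y"]), pid) ^ rec["M_enc"]  # M = K xor M'

def demo(M=0xC0FFEE, tamper=False):
    """One run: user 1001 is in S, user 2002 is registered but not in S (constructed values)."""
    ta, cs = setup(); now, pid = 1_700_000_000, 0x5151        # constructed clock and Pid
    alice, eve = register_user(ta, cs, 1001, now + 3600), register_user(ta, cs, 2002, now + 3600)
    a_n = register_patient(ta, cs, pid, (1001,), now, now)    # S = {1001}
    encrypt_upload(cs, pid, a_n, M, now)
    if tamper: cs["data"][h(pid)]["M_enc"] ^= 1               # adversary flips a bit of stored M'
    return share(ta, cs, alice, pid, now, now, now), share(ta, cs, eve, pid, now, now, now)
```

`demo()` returns the recovered plaintext for the authorised user and `None` for the unauthorised one; with `tamper=True` the authorised user's run also returns `None`, because the $\beta$ check fails before any key material is requested from TA.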
6. Security Analysis
This section analyzes how the proposed scheme meets the security properties and resists the two types of attack presented in Section 4.2.
6.1. Security Properties
Correctness: in the data sharing phase, legitimate user verified by CS can correctly examine that the encrypted data is complete, which is stored in CS. After receiving β,M′,t3 from CS, the user first examines the completeness of data M′ by computing hM′Pidt3. The user compares the calculated result with the received value β=hM′Pidt3. Other illegal users cannot fake this authentication response since the secret identity of patient, Pid, is unknown to them. In data encryption and upload phase, the correctness of this property is guaranteed by the one-way nature of hash function. Besides, only authorized users can obtain encrypted data within a valid time and restore the data correctly. Legitimate user can obtain decryption key K by computing the following equations, x=d1⊕an⊕Pid, Z=x·Y, and K=hxanZPid. Finally, the user computes M=K⊕M′ to recover the plaintext of shared data
Freshness of encryption key: in the data encryption, the encryption key K=h(x∥an∥Z∥Pid) is a hash output, where x is a random integer selected by the patient for that encryption. Hence, the key is different in every encryption.
Authentication: since the data transmission is carried out on a public channel, it is important to authenticate the users who want to access the shared information. The authenticity of the user identity is confirmed by TA and CS. In the data sharing phase, the user first sends his request {Uidj,h(Pid),t4,warr} to CS. CS checks whether Uidj is in the corresponding set S. If not, CS drops the user's request message and terminates the session. Next, CS checks the validity of the timestamp t4. Then, CS checks the user's warrant with the equation warr·B=b1+b2·h(Uidj∥t1). If the equation does not hold, CS terminates the session. After the user passes the CS verification, he must also authenticate to TA to obtain the intermediate parameter required for decryption. Hence, the user sends {Uidj,bn,cn,t5} to TA, where bn=Pid⊕skUid and cn=h(bn∥skUid∥t5). On receiving {Uidj,bn,cn,t5}, TA verifies the validity of the timestamp t5 and of Uidj; if the verification succeeds, TA verifies the equation cn=h(bn∥skUid∥t5) and computes Pid=bn⊕skUid. Next, TA secretly transfers the an of patient Pid to the user for data decryption. Since the user's private key skUid and Pid are secret and not known to others, no adversary can impersonate him to authenticate to TA. Therefore, authenticating the user's identity before releasing sensitive data ensures more secure communication.
Anonymity of patient: the patient transmits messages through a public channel. Because the patient's real identity Pid only ever appears masked as Ptid or h(Pid), the proposed scheme guarantees the anonymity of the patient. In the system initialization phase, the patient transfers his temporary identity Ptid=h(Pid∥P2∥S∥t2) to TA, where P2=k·PKTA=P1·STA. In the other phases, the patient's identity is transmitted only in the form of the hash value h(Pid). Hence, an adversary cannot obtain the real identity Pid of any patient.
Integrity certification: to satisfy the integrity service, every transmitted message of the proposed scheme carries a verifiable value. In the system initialization phase, TA receives the message {S,P1,Ptid,yn,t2} and checks the integrity of Ptid and S by verifying the timestamp condition t∗−t2<∆t and verifying Ptid∗=Ptid, where P2∗=P1·STA, Pid∗=yn⊕h(P2∗), and Ptid∗=h(Pid∗∥P2∗∥S∥t2). CS receives {Uidj,b1,b2,t1,E1} or {E2,S,h(Pid)} and checks the integrity of {Uidj,b1,b2,t1} or S by computing E1′=skCS·h(Uidj′∥b1′∥b2′∥t1′) and checking whether E1′=E1 holds, or by computing E2′=skCS·h(S′) and checking whether E2′=E2 holds. In the data sharing phase, after receiving {β,M′,t3}, the user verifies that the data M is complete by checking the equation β=h(M′∥Pid∥t3). During decryption, TA receives the message {Uidj,bn,cn,t5} and checks the integrity of bn by verifying the timestamp condition t∗−t5<∆t and the equation cn=h(bn∥skUid∥t5). The user receives the message {M′,Y,d1,α} and checks the integrity of d1 and Y by verifying the equation α=h(Pid∥d1∥Y). Since Pid and skUid, which are not known to any adversary, are bound into the transmitted messages, any modification of the data by an adversary is detectable. The proposed scheme takes advantage of the one-way nature of the hash function to ensure that an attacker cannot tamper with the transmitted data.
Forward secrecy of encryption key: the disclosure of an encryption key K does not influence the security of any past encrypted data. The freshness of the encryption key K=h(x∥an∥Z∥Pid) ensures that the proposed scheme meets this feature. The one-way nature of the hash function h prevents attackers from obtaining any of the secret parameters. In addition, x, an, and Z all change with the sessions, where an=h(S)·STA and Z=x·Y.
6.2. Possible Attacks
Theorem 1 (replay attack).
The proposed scheme can resist the replay attack.
Proof.
The use of timestamps protects the information transmitted in the proposed scheme from replay attacks launched by the adversary. CS and TA detect a replay attack by examining the freshness of the timestamp ti, i.e., checking t∗−ti<∆t, where t∗ is the current time at which CS or TA receives the message and ∆t is the maximum transmission delay. Besides, the use of the timestamp ti ensures that the transmitted message cannot be tampered with by an adversary. For example, in the system initialization phase, suppose an adversary A intercepts a message {S,P1,Ptid,yn,t2} and replays it as {S′,P1′,Ptid′,yn′,t2′}. The process terminates because, on receiving {S′,P1′,Ptid′,yn′,t2′}, TA verifies the freshness of the timestamp t2′ by computing t∗−t2′ and finds that the message is not fresh, since t∗−t2′>∆t. In the data encryption and upload phase, A records the message {h(Pid),Y,d1,α,β,M′,t3} and initiates a session by transmitting {h(Pid)′,Y′,d1′,α′,β′,M′′,t3′}. The process terminates because, after obtaining the message, CS checks the freshness of the timestamp t3′. Similarly, in the data sharing phase, A records the message {Uidj,h(Pid),t4,warr} or {Uidj,bn,cn,t5} and initiates a session by transmitting {Uidj′,h(Pid)′,t4′,warr′} or {Uidj′,bn′,cn′,t5′}. The process terminates because, after obtaining the message, CS or TA detects that it is illegal by verifying the freshness of the timestamp t4′ or t5′. Hence, the proposed scheme withstands the replay attack. ☐
Theorem 2 (eavesdropping attack).
From the intercepted communication parameters, an adversary cannot obtain any secret information.
Proof.
In the data sharing phase of the proposed scheme, an adversary A can capture the transmitted data by monitoring public channels. He collects the tuple {M′,Y,d1,α} sent from CS to the user and the tuple {Uidj,bn,cn,t5} sent from the user to TA. Note that the encryption key is K=h(x∥an∥Z∥Pid). A cannot obtain x, an, Z, or Pid from the intercepted messages. The parameter x, selected at random by the patient, is unknown to A, and since an is secretly transmitted by TA to the user and the patient, nobody else knows its value. The parameter d1=an⊕x⊕Pid guarantees that even if A obtains d1, he cannot compute x, Pid, or an. The hash function h guarantees that even if A obtains the parameter α=h(Pid∥d1∥Y), he cannot recover the inputs of h. Besides, A cannot compute Z=x·Y because A does not know x. Finally, the parameter bn=Pid⊕skUid guarantees that even if A obtains bn, he cannot compute skUid or Pid. Therefore, the proposed scheme protects the encryption key K from being learned by the adversary A, and A cannot obtain sensitive data from the ciphertext M′. In conclusion, the proposed scheme withstands the eavesdropping attack. ☐
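The data sharing phase of Section 5 and the integrity, freshness and eavesdropping arguments of this section can be exercised end to end. The following Python block is an added example, not code from the paper or its authors: it implements the warrant check warr·B=b1+b2·h(Uidj∥t1), the β and α integrity checks, the timestamp freshness test, and the user's recovery of K and M over secp256k1, with SHA-256 standing in for h(·). The curve choice, the byte encodings fed to the hash, the reduction of warr and an modulo q, the reading an=h(S)·STA, the treatment of Pid and M as integers for the XOR steps, and the constructed identities and record are all assumptions of this example.

```python
# Added example (not the paper's code): a runnable toy of the data sharing phase over
# secp256k1, with SHA-256 standing in for h(.). Byte encodings, the mod-q reduction
# of warr and an, and XOR over plain Python ints are assumptions of this example.
import hashlib
import secrets
import time

# secp256k1 domain parameters (standard constants): field prime P, group order Q, base point B.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 = -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Scalar multiplication k·pt by double-and-add (the paper's tecm operation)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h(*parts):
    """h(a∥b∥...): SHA-256 over the concatenated encodings of the parts, as an int."""
    data = b"".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rand_zq():
    """A random element of Zq* (non-zero scalar)."""
    return secrets.randbelow(Q - 1) + 1

def fresh(t_i, t_now, delta):
    """Replay check of Theorem 1: accept only if |t* − ti| < ∆t (absolute value is an assumption)."""
    return abs(t_now - t_i) < delta

def ta_issue_warrant(uid, t1):
    """TA: b1=a1·B, b2=a2·B, warr=a1+a2·h(Uidj∥t1) (reduced mod q here)."""
    a1, a2 = rand_zq(), rand_zq()
    return ec_mul(a1, B), ec_mul(a2, B), (a1 + a2 * h(uid, t1)) % Q

def cs_verify_warrant(uid, t1, b1, b2, warr):
    """CS: serve the request only if warr·B = b1 + b2·h(Uidj∥t1)."""
    return ec_mul(warr, B) == ec_add(b1, ec_mul(h(uid, t1) % Q, b2))

def patient_encrypt(pid, an, m, t3):
    """Patient: d1=an⊕x⊕Pid, Y=y·B, Z=x·Y, α=h(Pid∥d1∥Y), K=h(x∥an∥Z∥Pid), M′=K⊕M, β=h(M′∥Pid∥t3)."""
    x, y = rand_zq(), rand_zq()
    d1 = an ^ x ^ pid
    Y = ec_mul(y, B)
    Z = ec_mul(x, Y)
    K = h(x, an, Z, pid)
    m_enc = K ^ m                       # M must fit in 256 bits to be fully masked by K
    return {"hPid": h(pid), "Y": Y, "d1": d1, "alpha": h(pid, d1, Y),
            "beta": h(m_enc, pid, t3), "M_enc": m_enc, "t3": t3}

def user_decrypt(pid, an, rec):
    """User: verify β and α, then x=d1⊕an⊕Pid, Z=x·Y, K=h(x∥an∥Z∥Pid), M=K⊕M′; None on failure."""
    if rec["beta"] != h(rec["M_enc"], pid, rec["t3"]):
        return None                     # stored ciphertext incomplete or tampered with
    if rec["alpha"] != h(pid, rec["d1"], rec["Y"]):
        return None                     # d1 or Y modified in transit
    x = rec["d1"] ^ an ^ pid
    K = h(x, an, ec_mul(x, rec["Y"]), pid)
    return K ^ rec["M_enc"]

def demo():
    """End-to-end run with constructed identities and a constructed 30-byte record."""
    pid, uid, S = 0x2A5F1C33, "U01", ["U01", "U02"]   # constructed Pid, Uidj and set S
    an = h(S) * rand_zq() % Q           # one reading of the paper's an=h(S)·STA, with a fresh STA
    t_now = int(time.time())
    b1, b2, warr = ta_issue_warrant(uid, t_now)
    m = int.from_bytes(b"BP 120/80, HR 72 (constructed)", "big")
    rec = patient_encrypt(pid, an, m, t_now)
    served = cs_verify_warrant(uid, t_now, b1, b2, warr) and fresh(rec["t3"], t_now, 60)
    return served and user_decrypt(pid, an, rec) == m

if __name__ == "__main__":
    print("round trip ok:", demo())
```

Running the block reports whether the round trip succeeds; the functions can also be driven individually. A request carrying a warrant issued for a different Uidj or t1 is refused by cs_verify_warrant, a record whose d1 or M′ was altered in transit is rejected by user_decrypt before any key material is derived, and a party who lacks the correct an recovers garbage rather than M, which is the eavesdropping argument of Theorem 2 in executable form.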
7. Performance Analysis
We concretely analyze the performance of the proposed scheme in terms of computational and communication overheads. Besides, we compare the execution time and the security features of the proposed scheme with those of the schemes in [6, 13, 30].
7.1. Computation Cost
The computation cost is analyzed by counting the operations used in each phase of the scheme. Note that th, txor, tecm, and tadd denote the time needed for the hash function, the XOR operation, ECC scalar multiplication, and the addition operation, respectively.
7.1.1. System Initialization Phase
In setup, TA selects its secret key STA∈Zq∗ and CS's secret key skCS∈Zq∗ and computes PKTA=STA·B; the computation overhead is tecm. In user registration, TA first picks a random r∈Zq∗ and computes the private key skUid=Uidj·r for the user. Next, TA picks random a1,a2∈Zq∗ and computes b1=a1·B and b2=a2·B. The warrant of the user is warr=a1+a2·h(Uidj∥t1). Then, TA computes E1=skCS·h(Uidj∥b1∥b2∥t1). After receiving {Uidj,b1,b2,t1,E1}, CS computes E1′=skCS·h(Uidj′∥b1′∥b2′∥t1′). Hence, the calculation cost is 6tecm+3th+tadd. In patient registration, patient Pid first chooses k∈Zq∗ and computes P1=k·B, P2=k·PKTA, and yn=h(P2)⊕Pid. Next, the patient chooses S={Uidj}, j=1,…,t, generates a timestamp t2, and computes his temporary identity Ptid=h(Pid∥P2∥S∥t2). Then, TA computes P2∗=P1·STA, Pid∗=yn⊕h(P2∗), Ptid∗=h(Pid∗∥P2∗∥S∥t2), an=h(S)·STA, and E2=skCS·h(S). After receiving {E2,S,h(Pid)}, CS computes E2′=skCS·h(S′). Hence, the computation overhead of the algorithm is 6tecm+6th+2txor.
7.1.2. Data Encryption and Upload Phase
In encryption, patient Pid picks random x,y∈Zq∗ and computes d1=an⊕x⊕Pid, Y=y·B, Z=x·Y, α=h(Pid∥d1∥Y), and K=h(x∥an∥Z∥Pid). Then, the patient encrypts M as M′=K⊕M. Hence, the calculation cost is 2tecm+2th+3txor. In upload, the patient generates a timestamp t3 and computes β=h(M′∥Pid∥t3); the computation overhead is th.
7.1.3. Data Sharing Phase
In user request, the user generates the timestamp t4 and transfers {Uidj,h(Pid),t4,warr} to CS. Hence, the computation cost of this algorithm is 0. In verify integrity, CS checks the user's warrant by computing warr·B=b1+b2·h(Uidj∥t1). Next, the user checks the completeness of the data M by computing β=h(M′∥Pid∥t3), so the computation cost of this algorithm is tecm+2th+tadd. In decryption, the user generates a timestamp t5, computes bn=Pid⊕skUid and cn=h(bn∥skUid∥t5), and sends {Uidj,bn,cn,t5} to TA. Then, TA verifies the equation cn=h(bn∥skUid∥t5) and computes Pid=bn⊕skUid. Finally, the user downloads {M′,Y,d1,α} from CS, verifies the equation α=h(Pid∥d1∥Y), and computes x=d1⊕an⊕Pid, Z=x·Y, K=h(x∥an∥Z∥Pid), and M=K⊕M′. Hence, the computation overhead of this algorithm is tecm+4th+5txor.
The calculation cost of the XOR operation is so small that it can be ignored. Table 2 illustrates the calculated cost of each stage in the proposed scheme.
Table 2. Computation cost of the proposed scheme.
Phase | Algorithm | Computation cost
System initialization phase | Setup | tecm
System initialization phase | User registration | 6tecm+3th+tadd
System initialization phase | Patient registration | 6tecm+6th+2txor ≈ 6tecm+6th
Data encryption and upload phase | Encryption | 2tecm+2th+3txor ≈ 2tecm+2th
Data encryption and upload phase | Upload | th
Data sharing phase | User request | 0
Data sharing phase | Verify integrity | tecm+2th+tadd
Data sharing phase | Decryption | tecm+4th+5txor ≈ tecm+4th
7.2. Communication Cost
Table 3 lists the communication cost of each transmission. The proposed scheme uses SHA-1 as the hash function, which outputs a 160-bit digest. In addition, we assume the elliptic curve parameter q is 160 bits, the shared data M is 320 bits, each timestamp ti is 32 bits, and each identity id is 32 bits. In the transmission user⟶TA, the user sends Uidj during the system initialization phase and {Uidj,bn,cn,t5} during the data sharing phase. The size of these messages is 32×2+160×2+32=416 bits. In the transmission user⟶CS, the user sends the tuple {Uidj,h(Pid),t4,warr} of size 384 bits. In the transmission patient⟶TA, the patient sends the tuple {S,P1,Ptid,yn,t2} of size 512+32t bits, where t is the number of user identities authorized to access his health data. In the transmission patient⟶CS, the patient sends the tuple {h(Pid),Y,d1,α,β,M′,t3} of size 1152 bits.
Table 3. Communication cost of the proposed scheme.
Communication between entities | Communication cost
User⟶TA | 416 bits
User⟶CS | 384 bits
Patient⟶TA | 512+32t bits
Patient⟶CS | 1152 bits
7.3. Comparisons with Related Schemes
To compare the schemes more intuitively, we construct Table 4 according to [7]. Table 4 lists the calculation cost of each operation, and we express the calculation overheads of the proposed scheme and of the schemes in [6, 13, 30] in terms of these costs. Table 5 summarizes the calculation overhead on the patient side in the proposed data sharing scheme and in the other recently proposed schemes. From the comparison in Table 5, the proposed scheme is considerably more lightweight than the schemes in [6, 13, 30], because it relies only on ECC scalar multiplication, hash, and XOR operations.
Table 4. Calculation overheads of different operations, with th as the time unit.
Symbol | Description | Cost
th | SHA-1 hash function | th
tecm | ECC scalar multiplication | 72.5th
texp | Modular exponentiation | 600th
tsym | Symmetric encryption | th
tmm | Modular multiplication | 2.5th
tma | Modular addition | 0.3th
Table 5. Comparisons of the computation cost by patient.
Scheme | Computation cost by patient
Ding et al. [13] | 3tecp+th+tmm+tma=1803.8th
Chen and Peng [6] | 3tecm+texp=817.5th
Sowjanya et al. [30] | 8tecm+3th+tsym=584th
Ours | 4tecm+5th=295th
According to the data in Table 5, the proposed scheme reduces the computational cost relative to Ding et al. [13] by (1803.8th−295th)/1873.5th=83.6%. The reduction relative to Chen and Peng [6] is (817.5th−295th)/817.5th=63.91%, and relative to Sowjanya et al. [30] it is (584th−295th)/584th=49.49%.
Table 6 compares the security features of the proposed scheme with those of Ding et al. [13], Chen and Peng [6], and Sowjanya et al. [30]. From this table, the schemes in [6, 13] do not provide the anonymity of patients. Besides, Ding et al. [13] do not provide protection against the replay attack, and Chen and Peng [6] and Sowjanya et al. [30] may suffer from the eavesdropping attack. The comparison shows that the proposed scheme is more secure than these similar schemes, because it resists both kinds of attack and meets all the desired security features.
Table 6. Comparisons of security features.
Security feature | Ding et al. [13] | Chen and Peng [6] | Sowjanya et al. [30] | Ours
F1 | No | Yes | Yes | Yes
F2 | Yes | No | No | Yes
F3 | Yes | Yes | Yes | Yes
F4 | No | No | Yes | Yes
F5 | Yes | Yes | Yes | Yes
F6 | Yes | Yes | Yes | Yes
F1: resist replay attack; F2: resist eavesdropping attack; F3: provide authentication; F4: provide anonymity of patient; F5: provide integrity certification; F6: provide forward security.
In summary, compared with the three similar schemes, it is seen that the proposed scheme can perform less computations and meet more security features. Besides, our scheme provides the anonymity of patient’s identity and the authentication of access to shared health data. Thus, the proposed scheme is more lightweight and secure for IoMT.
8. Conclusions
We propose a novel lightweight privacy-preserving data sharing scheme for IoMT. The presented scheme not only provides anonymity for the patient while achieving data sharing between patients and users, but also ensures that only the authorized users designated by the patient himself can access the encrypted health data. Furthermore, this scheme realizes lightweight computation using ECC, hash, and XOR operations. Compared with similar solutions, the proposed scheme satisfies all desired security features while achieving more lightweight computation on both the patient and user sides. Therefore, it is an attractive solution for data sharing in IoMT.
Data Availability
The data used to support the findings of this study are included within the article.
Ethical Approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Consent
Informed consent was obtained from all individual participants included in the study.
Conflicts of Interest
The authors declare that they have no conflict of interest.
Acknowledgments
This work was partially supported by the National Natural Science Foundation of China (Grant Nos. 61772224, 62172181, and 62072133), the Fundamental Research Funds for the Central Universities (No. CCNU19TS019), the Research Planning Project of National Language Committee (No. YB135-40), and the key projects of Guangxi Natural Science Foundation (No. 2018GXNSFDA281040).
References
[1] P. P. Ray, "A survey on Internet of Things architectures," 2018, vol. 30, no. 3, pp. 291–319, doi: 10.1016/j.jksuci.2016.10.003.
[2] F. Al-Turjman, M. H. Nawaz, U. D. Ulusar, "Intelligence in the Internet of Medical Things era: a systematic review of current and future trends," 2020, vol. 150, pp. 644–660, doi: 10.1016/j.comcom.2019.12.030.
[3] M. M. Islam, A. Rahaman, M. R. Islam, "Development of smart healthcare monitoring system in IoT environment," 2020, vol. 1, no. 3, pp. 1–11, doi: 10.1007/s42979-020-00195-y.
[4] B. Latré, B. Braem, I. Moerman, C. Blondia, P. Demeester, "A survey on wireless body area networks," 2011, vol. 17, no. 1, pp. 1–18, doi: 10.1007/s11276-010-0252-4.
[5] M. Shuai, B. Liu, N. Yu, L. Xiong, C. Wang, "Efficient and privacy-preserving authentication scheme for wireless body area networks," 2020, vol. 52, article 102499, doi: 10.1016/j.jisa.2020.102499.
[6] R. Chen, D. Peng, "Analysis and improvement of a mutual authentication scheme for wireless body area networks," 2019, vol. 43, no. 2, pp. 1–10, doi: 10.1007/s10916-018-1129-9.
[7] X. Li, M. H. Ibrahim, S. Kumari, A. K. Sangaiah, V. Gupta, K. K. R. Choo, "Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks," 2017, vol. 129, pp. 429–443, doi: 10.1016/j.comnet.2017.03.013.
[8] Z. Guan, Z. Lv, X. Du, L. Wu, M. Guizani, "Achieving data utility-privacy tradeoff in Internet of Medical Things: a machine learning approach," 2019, vol. 98, pp. 60–68, doi: 10.1016/j.future.2019.01.058.
[9] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, M. Zaharia, "A view of cloud computing," 2010, vol. 53, no. 4, pp. 50–58, doi: 10.1145/1721654.1721672.
[10] J. Wu, L. Ping, X. Ge, W. Ya, J. Fu, "Cloud storage as the infrastructure of cloud computing," in 2010 International Conference on Intelligent Computing and Cognitive Informatics, Kuala Lumpur, Malaysia, 2010, pp. 380–383, doi: 10.1109/ICICCI.2010.119.
[11] Y. Ming, T. Zhang, "Efficient privacy-preserving access control scheme in electronic health records system," 2018, vol. 18, no. 10, article 3520, doi: 10.3390/s18103520.
[12] D. Schröder, H. Schröder, "Verifiable data streaming," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA, 2012, pp. 953–964, doi: 10.1145/2382196.2382297.
[13] R. Ding, H. Zhong, J. Ma, X. Liu, J. Ning, "Lightweight privacy-preserving identity-based verifiable IoT-based health storage system," 2019, vol. 6, no. 5, pp. 8393–8405, doi: 10.1109/JIOT.2019.2917546.
[14] X. Chen, W. Susilo, J. Li, D. S. Wong, J. Ma, S. Tang, Q. Tang, "Efficient algorithms for secure outsourcing of bilinear pairings," 2015, vol. 562, pp. 112–121, doi: 10.1016/j.tcs.2014.09.038.
[15] V. Odelu, A. K. Das, "Design of a new CP-ABE with constant-size secret keys for lightweight devices using elliptic curve cryptography," 2016, vol. 9, no. 17, p. 4059, doi: 10.1002/sec.1587.
[16] S. Ding, C. Li, H. Li, "A novel efficient pairing-free CP-ABE based on elliptic curve cryptography for IoT," 2018, vol. 6, pp. 27336–27345, doi: 10.1109/ACCESS.2018.2836350.
[17] W. Itani, A. Kayssi, A. Chehab, "Energy-efficient incremental integrity for securing storage in mobile cloud computing," in 2010 International Conference on Energy Aware Computing, Cairo, Egypt, 2010, pp. 1–2, doi: 10.1109/ICEAC.2010.5702296.
[18] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, W. Lou, "Privacy-preserving public auditing for secure cloud storage," 2013, vol. 62, no. 2, pp. 362–375.
[19] B. Wang, B. Li, H. Li, "Oruta: privacy-preserving public auditing for shared data in the cloud," 2014, vol. 2, no. 1, pp. 43–56, doi: 10.1109/TCC.2014.2299807.
[20] G. Yang, J. Yu, W. Shen, Q. Su, Z. Fu, R. Hao, "Enabling public auditing for shared data in cloud storage supporting identity privacy and traceability," 2016, vol. 113, pp. 130–139, doi: 10.1016/j.jss.2015.11.044.
[21] W. Shen, J. Qin, J. Yu, R. Hao, J. Hu, "Enabling identity-based integrity auditing and data sharing with sensitive information hiding for secure cloud storage," 2019, vol. 14, no. 2, pp. 331–346, doi: 10.1109/TIFS.2018.2850312.
[22] W. Wang, Z. Li, R. Owens, B. Bhargava, "Secure and efficient access to outsourced data," in Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, Illinois, USA, 2009, pp. 55–66, doi: 10.1145/1655008.1655016.
[23] L. Xu, X. Wu, X. Zhang, "CL-PRE: a certificateless proxy re-encryption scheme for secure data sharing with public cloud," in Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, Seoul, Korea, 2012, pp. 87–88, doi: 10.1145/2414456.2414507.
[24] A. N. Khan, M. L. M. Kiah, S. A. Madani, M. Ali, A. U. R. Khan, S. Shamshirband, "Incremental proxy re-encryption scheme for mobile cloud computing environment," 2014, vol. 68, no. 2, pp. 624–651, doi: 10.1007/s11227-013-1055-z.
[25] S. K. Nayak, S. Tripathy, "Privacy preserving provable data possession for cloud based electronic health record system," in 2016 IEEE Trustcom/BigDataSE/ISPA, Tianjin, China, 2016, pp. 860–867, doi: 10.1109/TrustCom.2016.0149.
[26] D. Ramesh, R. Mishra, D. R. Edla, "Secure data storage in cloud: an e-stream cipher-based secure and dynamic updation policy," 2017, vol. 42, no. 2, pp. 873–883, doi: 10.1007/s13369-016-2357-2.
[27] X. A. Wang, J. Ma, F. Xhafa, M. Zhang, X. Luo, "Cost-effective secure E-health cloud system using identity based cryptographic techniques," 2017, vol. 67, pp. 242–254, doi: 10.1016/j.future.2016.08.008.
[28] D. He, S. Zeadally, L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," 2018, vol. 12, no. 1, pp. 64–73, doi: 10.1109/JSYST.2015.2428620.
[29] S. Jiang, X. Zhu, L. Wang, "EPPS: efficient and privacy-preserving personal health information sharing in mobile healthcare social networks," 2015, vol. 15, no. 9, pp. 22419–22438, doi: 10.3390/s150922419.
[30] K. Sowjanya, M. Dasgupta, S. Ray, "An elliptic curve cryptography based enhanced anonymous authentication protocol for wearable health monitoring systems," 2020, vol. 19, no. 1, pp. 129–146, doi: 10.1007/s10207-019-00464-9.
[31] X. Zhang, Y. Tang, S. Cao, C. Huang, S. Zheng, "Enabling identity-based authorized encrypted diagnostic data sharing for cloud-assisted E-health information systems," 2020, vol. 54, article 102568, doi: 10.1016/j.jisa.2020.102568.
[32] N. Koblitz, "Elliptic curve cryptosystems," 1987, vol. 48, no. 177, pp. 203–209, doi: 10.1090/S0025-5718-1987-0866109-5.
[33] V. S. Miller, "Use of elliptic curves in cryptography," in H. C. Williams (Ed.), Lecture Notes in Computer Science, vol. 218, Springer, Berlin, Heidelberg, 1985, pp. 417–426, doi: 10.1007/3-540-39799-X_31.
[34] S. Ray, G. P. Biswas, M. Dasgupta, "Secure multi-purpose mobile-banking using elliptic curve cryptography," 2016, vol. 90, no. 3, pp. 1331–1354, doi: 10.1007/s11277-016-3393-7.