A Secure and Efficient Group Key Management Protocol with Cooperative Sensor Association in WBANs

The wireless body area network (WBAN) is considered one of the emerging wireless technologies in the healthcare system. Typical WBAN sensors, especially implantable sensors, have limited power capability, which restricts their wide application in the medical environment. In addition, it is necessary for the healthcare center (HC) to broadcast important notifications to different patient groups. Considering the above issues, in this paper, a novel practical WBAN system model with group message broadcasting is built. Subsequently, a secure and efficient group key management protocol with cooperative sensor association is proposed. In the proposed protocol, the Chinese remainder theorem (CRT) is employed for group key management between the HC and the personal controllers (PCs), which also supports batch key updating. The proposed sensor association scheme is motivated by coded cooperative data exchange (CCDE). Formal security proofs are presented, indicating that the proposed protocol achieves the desired security properties. Moreover, performance analysis demonstrates that the proposed protocol is efficient compared with state-of-the-art group key management protocols.


Introduction
The development of wireless communication and sensor technologies has enabled remarkable progress in both academic research and practical applications of wireless body area networks (WBANs), which offer ubiquitous wireless communication services to users [1]. In the medical field, a WBAN is used to monitor patients' real-time health status and seamlessly transmit physiological data to medical institutions including hospitals, community clinics and emergency centers. Consequently, the doctor can conduct remote diagnostics on the patients and provide timely medical assistance. Additionally, with the necessary symptom detection, early warnings as well as precautionary measures for certain diseases including asthma, AIDS, cancer and influenza can be provided [2].
Nowadays, as a crucial part of the Internet of Things (IoT), WBANs have continuously attracted much attention. Their architecture varies greatly in order to meet the diverse requirements of different practical scenarios. In general, a typical WBAN designed for the healthcare system mainly consists of the healthcare center (HC), the personal controller (PC) and many low-power wireless medical sensors implanted inside or attached to the patient's body [1]. Through these sensors, vital biomedical information such as heartbeat and blood pressure can be measured and then transmitted to the HC through the PC. Therefore, the doctor or physician can be aware of a patient's real-time physical parameters by analyzing the acquired biomedical information. According to these analysis results, appropriate remote diagnostics and timely medical assistance are
1. A novel WBAN model with message broadcasting: In practical medical WBAN scenarios, patients who receive services from HC are allocated to different departments according to their physical conditions and diseases. As a result, it is necessary for HC to provide a notification service to different patient groups. To the best of our knowledge, we are the first to propose a system model providing a specific group communication channel for message broadcasting between HC and patients. Moreover, the medical data transmission channel from the sensors to the PC is also taken into consideration in our design.
2. Group key management between HC and PC with CRT: The Chinese remainder theorem is employed for the group key management between HC and the PCs, which also supports batch key updating. In this way, HC is capable of broadcasting messages to different patient groups. Moreover, patients in the same group are capable of exchanging information about their physical conditions.
3. Group key management between PC and sensors with CCDE: In our design, the group key management between the PC and the sensors is motivated by coded cooperative data exchange, for the purpose of minimizing the number of communication rounds for group key generation. Hence, the communication and computation complexity can be drastically reduced, which suits the resource-limited wireless sensors in a WBAN.
The remainder of this paper is organized as follows. Section 2 briefly surveys the relevant research achievements. Section 3 introduces some necessary preliminary works and the designed system model in order to allow the reader to obtain a better understanding of the topic. Section 4 presents the proposed sensor association and group key management protocol in detail. Section 5 demonstrates the security analysis. Section 6 displays the performance analysis. The conclusion is drawn in Section 7.

Related Works
Many research efforts have addressed group key management for wireless body area networks. Early on, the traditional public key cryptosystem (TPKC) was applied to wireless body area networks [10][11][12][13][14][15]. A certificate generated by a third party is required to bind the identity of the user to the associated public key. However, TPKC-based schemes require complex modular exponentiations, so more computation and storage are needed on resource-limited wireless sensor devices. Therefore, these TPKC-based group key management schemes cannot meet the practical requirements. In order to alleviate the computation and storage burden on the sensor side, several authentication and group management schemes [4,[16][17][18] based on elliptic curve cryptography (ECC) have been proposed, which provide the same security level with a smaller key size compared to TPKC-based schemes.
Many researchers applied the idea of identity-based public key cryptography (ID-PKC) [19], a cryptographic technique first proposed by Shamir [20] in order to address the certificate management problem in TPKC. In ID-PKC, the public key of a user can be derived from his/her publicly known identity, while the secret key of each user is generated by a fully trusted key generation center (KGC). In 2009, Yang et al. [21] proposed an ID-PKC-based key management scheme for mobile devices. However, Yoon and Chang [22] showed that this scheme was vulnerable to impersonation attacks. Subsequently, several ID-based key agreement protocols were proposed [23][24][25].
Certificateless public key cryptography (CL-PKC) was first introduced by Al-Riyami and Paterson [26] in 2003. In CL-PKC, the private key of a user consists of two parts, generated respectively by a semi-trusted key generation center (KGC) and by the user himself/herself. Hence, the key escrow problem as well as the certificate management problem can be addressed. Liu et al. [2] proposed two certificateless authentication protocols for the WBAN environment. However, Xiong [27] demonstrated that Liu et al.'s protocols could not provide forward security and scalability. Additionally, a new certificateless encryption scheme and signature scheme with efficient revocation against short-term key exposure were proposed in [28]. Thereafter, He et al. [3] proposed an efficient certificateless public auditing (CLPA) scheme with the purpose of addressing integrity issues in cloud-assisted WBANs.
Furthermore, the Chinese remainder theorem (CRT) has been applied in many existing group key distribution schemes [29][30][31][32]. Zheng et al. proposed two centralized group key management protocols based on CRT [29]. The main contribution of this work is that the number of transmission passes for group key distribution is minimized, which suits wireless networks with resource restrictions. After that, Zhou et al. proposed a key tree and CRT-based group key distribution scheme [30]. Note that in this scheme, the key server uses the root keys of the group member subtrees and the CRT for group key distribution, and the computation on the user side is minimized. Based on this, Vijayakumar et al. proposed a CRT-based centralized group key management scheme for secure multicast communication [33], which significantly reduces the computation complexity of the key server.
Coded cooperative data exchange (CCDE) was first introduced by Rouayeb et al. [34] in 2010 and has drawn increasing attention [35][36][37]. Milosavljevic et al. proposed a deterministic algorithm for CCDE [38], where a novel divide-and-conquer-based architecture was presented in order to determine the number of bits each node should transmit over the public channel. Subsequently, Sprinston et al. [39] presented a randomized algorithm that, with high probability, minimizes the number of transmissions over the public channel. In 2016, Courtade et al. characterized the minimum number of public transmissions for key agreement [40] under an arbitrary key distribution.
The aforementioned group key management schemes vary greatly in the security techniques they use. The existing research emphasizes secure data transmission between the sensors and the PC, while communication and access control for patients remain to be enhanced. In this paper, we design an integral system model involving both HC-PC and PC-sensor communication. In practical scenarios, a high turnover of patients causes frequent key updating in the hospital environment. For this reason, we adopt the CRT for PC group key distribution, which provides fast and effective key updating. Additionally, CCDE is adopted for sensor group key distribution. Note that the decentralized cooperative key generation strategy drastically decreases the communication cost, which suits resource-limited WBAN sensors. The corresponding security and performance analysis demonstrates that the proposed protocol provides adequate security assurance and efficiency.

Preliminaries and Model Definitions
This section introduces some necessary preliminaries to facilitate the reader's understanding, including bilinear pairing, the coded cooperative data exchange problem (CCDE) and the Chinese remainder theorem (CRT). Meanwhile, the system model and network assumption are presented.

Coded Cooperative Data Exchange Problem
A set $X = \{x_1, \ldots, x_n\}$ of $n$ packets, each belonging to a finite alphabet $A$, needs to be delivered to a set of $k$ clients $C = \{c_1, \ldots, c_k\}$. Each client $c_i \in C$ initially holds a subset $X_i \subseteq X$ of the packets. We denote by $n_i = |X_i|$ the number of packets initially available to client $c_i$ and by $\bar{X}_i = X \setminus X_i$ the set of packets required by $c_i$. We assume that the clients collectively know all packets in $X$, i.e., $\bigcup_{c_i \in C} X_i = X$. Each client can communicate with all its peers through an error-free broadcast channel capable of transmitting a single packet in $A$. The data are transmitted in communication rounds: in round $i$, one of the clients $c_j$ broadcasts a packet $x$ to all its outgoing neighbors in $C$. The transmitted packet $x$ may be one of the original packets in $X_j$ or some encoding of the packets in $X_j$ and of the information previously transmitted to $c_j$ [34,37].
The problem is to find a scheme that enables each client $c_i \in C$ to obtain all packets in $\bar{X}_i$ (and thus in $X$) while minimizing the total number of broadcasts [35].

Chinese Remainder Theorem
Let $k_1, \ldots, k_n$ be positive integers that are pairwise relatively prime. Then, for any given integers $a_1, \ldots, a_n$, the system of congruences
$$x \equiv a_i \pmod{k_i}, \qquad i \in [1, n],$$
has a unique solution modulo $\partial_g = \prod_{i=1}^{n} k_i$. The solution is given by
$$x \equiv \sum_{i=1}^{n} a_i \cdot \frac{\partial_g}{k_i} \cdot \left(\left(\frac{\partial_g}{k_i}\right)^{-1} \bmod k_i\right) \pmod{\partial_g},$$
where $(\partial_g / k_i)^{-1} \bmod k_i$ exists precisely because the $k_i$ are pairwise relatively prime.

System Model
As shown in Figure 1, the entire system model consists of three entities: the healthcare center (HC), the personal controller (PC) and the sensors. The description of these three entities is given below. The healthcare center (HC) is a trustworthy authority providing medical service to the patients. HC is assumed to have adequate storage and computation power. In our system model, HC communicates with the PCs to obtain physiological data of the patients. Hence, the patient's physical condition can be remotely monitored.
The personal controller (PC) is a mobile device responsible for both gathering biomedical information from the sensors and communicating with HC. Note that each patient is paired with one PC. The PC employed in this paper is assumed to be professional equipment designed specifically for medical purposes.
Sensors are low-power wireless medical devices either implanted inside or attached to a patient's body. These sensors have limited computation ability and restricted battery capacity. The sensors are responsible for real-time measurement of various physiological parameters of patients.

Network Assumption
According to Figure 1, there are several departments in the healthcare center. Patients with different diseases are assigned to different departments. In each department, the patients are arranged to be one patient group. HC is assumed to provide service to all the departments (patient groups).
A secure communication channel for data transmission between HC and PC is essential. Furthermore, as mentioned above, a specific group communication channel between HC and a particular patient group is indispensable. For an individual patient, the secure association between the PC and multiple sensors is crucial so that the vital physical data from the sensors can be transmitted safely.
In our system model, the PC is designed to communicate directly with HC through a wireless channel, which differs from other existing WBAN models that use Internet communication between PC and HC [3,28]. The PC is designed as a professional medical device with appropriate treatment units. As part of the medical facility, it is assumed that the PC works within the effective range of HC [41,42]. After the patient fully recovers from the disease, his/her PC is withdrawn and reassigned to a new patient.

Proposed Schemes
In this section, we explain our cooperative sensor association and group key management protocol, which can be divided into two parts: the group key management between HC and the PCs affiliated with the same patient group, and the cooperative association between the sensors and the related PC. According to Figure 1, we assume that HC is in charge of $r$ departments in total. Each department consists of multiple PCs. In this case, one PC is paired with one patient; consequently, the patient and the relevant PC are considered as one entity in this paper. In department $j$ ($j \in [1, r]$) with $n$ PCs (patients) in total, $PC_i$ ($i \in [1, n]$) is in contact with the corresponding patient $P_i$. As for $P_i$, $m$ sensors are arranged in or on different parts of $P_i$'s body in order to monitor various physiological parameters.
In our design, we are motivated to build a group key management scheme between HC and all the n PCs in department j. At the same time, group key agreement between PC i and the m sensors is provided accordingly. We introduce our protocol based on department j. Meanwhile, the design for the multiple department situation is similar. The notations used in our protocol are described in the following subsection. Thereafter, the detailed description of our protocol is given, which contains four parts: group key generation for HC and PCs, PC join and leave operation, group key generation for PC and sensors and sensor join and leave operation.

Notations
The notations used in our protocol and a brief description are listed in Table 1.

Group Key Generation for HC and PCs
In this section, the group key generation for HC and PCs affiliated with department j is described. It is worth noting that the generation procedures for multiple departments are similar. The proposed group key generation for HC and PCs can be divided into three phases. The first phase is the registration phase, which is responsible for secret key allocation to each PC and other necessary precomputation. The second phase is the group key computation phase, where the group key is generated and distributed to PCs. At last, in the group key derivation phase, each PC derives the group key from the received keying message. The detailed descriptions of these three phases are as follows.

Registration Phase
Before the group key generation procedure, some essential operations are conducted beforehand by HC in the registration phase [43]. Initially, let $P_1, \ldots, P_n$ be the $n$ patients assigned to department $j$ ($j \in [1, r]$). First, each patient $P_i$, $i \in [1, n]$, registers with HC so that HC acquires $P_i$'s personal information including name, age, gender, phone number, and so on. Thereafter, HC allocates $PC_i$ to $P_i$. Next, HC generates the symmetric key $hsk$ and the secret key $PSK_i$ for each $PC_i$, $i \in [1, n]$, by conducting SecKeGen. Subsequently, HC executes PreCom for the necessary precomputation. The design of SecKeGen and PreCom is presented below.

• SecKeGen: The HC conducts SecKeGen to generate the secret information for each $PC_i$, $i \in [1, n]$. Let $p$ and $s$ be two large primes, and let $\mathbb{Z}_p^*$ and $\mathbb{Z}_s^*$ denote the sets of positive integers less than $p$ and $s$, respectively. Additionally, $G$ is a multiplicative group of prime order $p$, and $g$ is a generator of $G$. HC randomly chooses $SSK$ and $PSK_i$, $i \in [1, n]$, from $\mathbb{Z}_p^*$, where $PSK_i$ is the secret key of $PC_i$ and $SSK$ is the HC master key. For the CRT-based precomputation that follows, the $PSK_i$ of one department must be pairwise relatively prime (for instance, distinct primes), since each $PSK_i$ serves as a CRT modulus. Moreover, HC chooses $hsk \in \mathbb{Z}_s^*$ for symmetric encryption. The HC temporary identity $HID$ is then generated as: where $TS$ is the current time stamp. During the registration phase, HC assigns $\{PSK_i, HID, hsk\}$ to each $PC_i$ of department $j$ and keeps the master key $SSK$ only in its own memory. In other words, HC maintains a key list for each department, in which $SSK$, $hsk$, $HID$ and the $PSK_i$ of the $n$ PCs are stored, and each $PC_i$ holds $\{PSK_i, HID, hsk\}$. Note that $SSK$ is confidential information known only to HC, while $HID$ and $hsk$ are known to all PCs in department $j$.
• PreCom: The HC conducts PreCom to compute the essential intermediate values [44]. First, HC takes the $PSK_i$ from the key list and computes the product
$$\partial_g = \prod_{i=1}^{n} PSK_i,$$
involving the $n$ registered PCs of department $j$. Then, for each $PC_i$, $i \in [1, n]$, HC computes
$$x_i = \prod_{l=1,\ l \neq i}^{n} PSK_l = \partial_g / PSK_i$$
and obtains $\{x_1, \ldots, x_n\}$; that is, $x_i$ is the product of all the remaining $PSK_l$. Subsequently, HC computes $y_i$ for each $x_i$ ($i \in [1, n]$), which satisfies
$$x_i \cdot y_i \equiv 1 \pmod{PSK_i};$$
that is, $y_i$ is the modular multiplicative inverse of $x_i$ modulo $PSK_i$ (it exists because the $PSK_i$ are pairwise relatively prime). Hereafter, HC obtains the variables $var_i$, $i \in [1, n]$, as the CRT coefficients
$$var_i = x_i \cdot y_i,$$
so that $var_i \equiv 1 \pmod{PSK_i}$ while $var_i \equiv 0 \pmod{PSK_l}$ for every $l \neq i$. Thus, the intermediate value $\mu$ can be computed as
$$\mu = \sum_{i=1}^{n} var_i.$$
Upon completion, HC stores the value of $\mu$ (together with the individual $var_i$) for the following group key computation. At this point, the precomputation based on CRT is completed.

Group Key Computation Phase
In this phase, the group key of department $j$ is generated by HC. Let $q$ be a large prime with $q \leq p/2$. First, HC chooses a random value from $\mathbb{Z}_p^*$ as the group key $PGK_j$. Then, HC conducts PGKCom in order to obtain the keying message. Finally, HC conducts SecHtoP to distribute the keying message to all $PC_i$, $i \in [1, n]$. The design of PGKCom and SecHtoP is described in detail below.
• PGKCom: The HC conducts PGKCom to obtain the keying message $\gamma_j$ for department $j$, computed from the group key and the stored intermediate value as
$$\gamma_j = PGK_j \cdot \mu.$$
In particular, for department $j$, only one $PGK_j$ and one $\mu$ are effective in the same time interval. Furthermore, the keying message $\gamma_j$ is the same for all PCs of the department.
• SecHtoP: The HC conducts SecHtoP to distribute the keying message $\gamma_j$ to department $j$. First, HC encrypts the keying message as
$$E(\gamma_j) = S\_ENC_{hsk}(\gamma_j),$$
where $S\_ENC_x(M)$ denotes the symmetric encryption of $M$ under the key $x$. Next, HC computes the certificate $SIG_{SSK}(TS \| HID \| E(\gamma_j))$ with its master key $SSK$ according to: In this way, the certificate can be obtained as: Following the above calculation, the message
$$\{TS,\ HID,\ E(\gamma_j),\ SIG_{SSK}(TS \| HID \| E(\gamma_j))\}$$
is finally broadcast to all $PC_i$, $i \in [1, n]$, of department $j$.

Group Key Derivation Phase
In this phase, the main task for PC i is to verify the validity of the received message by employing AuthMess. Subsequently, PC i derives the group key PGK j using GrKeCom. The design of AuthMess and GrKeCom is described in detail below.
• AuthMess: $PC_i$ conducts AuthMess to verify the received message from HC. First, $PC_i$ checks the time stamp $TS$ of the broadcast message. If $TS$ is fresh, $PC_i$ checks whether
$$\hat{e}\big(SIG_{SSK}(TS \| HID \| E(\gamma_j)),\ g\big) \overset{?}{=} \hat{e}\big(H(HID \| E(\gamma_j)),\ HID\big)$$
holds, where $\hat{e}$ is the bilinear pairing on $G$ and $H$ is a hash function mapping into $G$. The correctness is elaborated as follows: If the certificate is valid, $PC_i$ takes $E(\gamma_j)$ from the message and decrypts it as
$$\gamma_j = S\_DEC_{hsk}(E(\gamma_j)),$$
where $S\_DEC_{hsk}(M)$ denotes symmetric decryption using $hsk$. At this point, the keying message $\gamma_j$ has been securely transmitted.
• GrKeCom: This algorithm derives the group key from the received keying message $\gamma_j$. In GrKeCom, $PC_i$ conducts a modular reduction with its allocated secret key $PSK_i$:
$$PGK_j = \gamma_j \bmod PSK_i.$$
As defined above,
$$\mu \equiv var_i = x_i \cdot y_i \equiv 1 \pmod{PSK_i}$$
holds, because every other term $var_l$ ($l \neq i$) of $\mu$ is a multiple of $PSK_i$. Hence $\gamma_j \bmod PSK_i = PGK_j \cdot \mu \bmod PSK_i = PGK_j \bmod PSK_i$, which guarantees that the derived group key equals the original one provided that $PGK_j < PSK_i$ for every member $PC_i$ of the department. At this point, the group key generation is finished. All the $PC_i$ of department $j$ share $PGK_j$ with HC.

PC Join and Leave Operations
In the practical scenario, patients frequently join or leave a department [4,45]. Assume that patient $P_i$ of department $j$ has recovered after receiving treatment. After revocation, $PC_i$ must no longer be able to read the broadcast messages, in order to protect the privacy of the remaining patients. Moreover, a newly joined patient needs to be allocated the group key. Consequently, the group key must be updated whenever a join or leave operation happens.
In this section, the key updating scheme is illustrated from two aspects, namely the PC join operation and the PC leave operation. Note that we demonstrate the join and leave operations for the single-PC case, that is, only one PC joins or leaves the department at a time. The scenario of multiple PCs joining and leaving the same department at once is studied in the batch updating phase. The detailed description of the join and leave operations, as well as the batch updating operation, is as follows.

PC Join Operation Phase
As mentioned above, the PC join operation in department $j$ is considered in this section. Obviously, HC should update the group key $PGK_j$ as soon as a specific patient, denoted $P_{join}$, joins department $j$. We emphasize that $P_{join}$ must register with HC first, in accordance with actual practice. Then, $P_{join}$ is assigned $PC_{join}$ and obtains its own secret key set $\{PSK_{join}, HID_{join}, hsk\}$ from HC. Subsequently, JoKeUpdate is conducted by HC to generate the rekeying message for $PC_{join}$ and the other $n$ PCs of department $j$. Finally, by conducting JoKeDerive, the updated group key is obtained by all the $n + 1$ PCs of department $j$. The design of JoKeUpdate and JoKeDerive is described in detail below.
• JoKeUpdate: The HC conducts JoKeUpdate to generate the rekeying message for both $PC_{join}$ and the current $n$ PCs. A few steps are necessary, as introduced below. First, for $PC_{join}$, HC computes its corresponding $x_{join}$ and $y_{join}$ according to the PreCom algorithm in Section 4.2. Hence, the variable $var_{join}$ can be computed as
$$var_{join} = x_{join} \cdot y_{join}.$$
In this way, HC computes the intermediate value $\mu_{join}$, defined as
$$\mu_{join} = \mu + var_{join}.$$
Consequently, HC selects a new group key $PGK_{j-join}$ and generates the rekeying message $\gamma_{j-join}$ by computing
$$\gamma_{j-join} = PGK_{j-join} \cdot \mu_{join}.$$
Thereafter, by conducting the SecHtoP algorithm introduced in Section 4.2, the rekeying message $\gamma_{j-join}$ can be securely transmitted to the $n + 1$ PCs, i.e., the newly joining $PC_{join}$ and the existing $n$ PCs of department $j$. Note that this incremental update is only correct if the existing $var_i$ are multiples of $PSK_{join}$, i.e., if $PSK_{join}$ was already part of the key list over which the $x_i$ were computed; otherwise the existing terms of $\mu_{join}$ do not vanish modulo $PSK_{join}$, $PC_{join}$ does not recover $PGK_{j-join}$, and the $x_i$, $y_i$ have to be recomputed with PreCom.
• JoKeDerive: This algorithm is designed for the aforementioned $n + 1$ PCs to derive the updated group key $PGK_{j-join}$ from $\gamma_{j-join}$. After the verification process through AuthMess in Section 4.2, each $PC_i$, $i \in [1, n] \cup \{join\}$, conducts a modular reduction, illustrated as
$$PGK_{j-join} = \gamma_{j-join} \bmod PSK_i.$$
Note that the secret key $PSK_{join}$ of $PC_{join}$ is included in $\mu_{join}$ (through $var_{join}$), so that the derived new group key $PGK_{j-join}$ equals the original one. The process of JoKeDerive is similar to the group key derivation phase presented in Section 4.2.

PC Leave Operation Phase
In this section, we assume that patient $P_{leave}$ has recovered. Hence, HC removes this patient and the corresponding $PC_{leave}$ from department $j$. Moreover, if some PC in department $j$ were compromised, HC would remove the compromised PC in the same way. In this case, an effective compromise detection strategy is necessary; for this paper, existing schemes can be applied in order to detect compromised PCs periodically [46,47].
In this phase, HC first conducts the LeKeUpdate algorithm to generate the rekeying message $\gamma_{j-leave}$ and transmits it securely to the remaining $n - 1$ PCs $PC_i$, $i \in [1, n] \setminus \{leave\}$. Then, LeKeDerive is run on the $PC_i$ side. Hence, the updated group key $PGK_{j-leave}$ is shared by HC and the remaining $n - 1$ PCs. The design of LeKeUpdate and LeKeDerive is described in detail below.
• LeKeUpdate: The HC conducts LeKeUpdate to generate the rekeying message for the remaining $n - 1$ PCs. A few steps are necessary, as introduced below. First, HC obtains $\mu_{leave}$ by removing the term of $PC_{leave}$:
$$\mu_{leave} = \mu - var_{leave},$$
where $var_{leave}$ is stored in HC's memory. Consequently, HC selects a new group key $PGK_{j-leave}$ and computes the rekeying message $\gamma_{j-leave}$ according to
$$\gamma_{j-leave} = PGK_{j-leave} \cdot \mu_{leave}.$$
Thereafter, by conducting the SecHtoP algorithm introduced in Section 4.2, the rekeying message $\gamma_{j-leave}$ can be securely transmitted.
• LeKeDerive: After the verification process with the AuthMess algorithm in Section 4.2, each $PC_i$, $i \in [1, n] \setminus \{leave\}$, conducts LeKeDerive to derive the updated group key $PGK_{j-leave}$, illustrated as
$$PGK_{j-leave} = \gamma_{j-leave} \bmod PSK_i.$$
Note that the secret key $PSK_{leave}$ of $PC_{leave}$ is excluded from $\mu_{leave}$, so that every remaining term is a multiple of $PSK_{leave}$ and the removed patient $P_{leave}$ obtains $\gamma_{j-leave} \bmod PSK_{leave} = 0$ rather than the group key. Note also that $PC_{leave}$ still holds $hsk$ and $HID$ after revocation, so the confidentiality of the new group key rests on the CRT construction rather than on the symmetric layer unless $hsk$ is renewed as well. The process of LeKeDerive is similar to the group key derivation phase presented in Section 4.2.

Batch Updating Phase
Owing to the particular feature of the CRT, batch updating for multiple PCs can be achieved accordingly, which meets the practical requirements of medical WBANs. In this section, we present batch updating involving the join and leave operations of multiple PCs at the same time. Suppose that $P_{bj}$, $bj \in [1, w]$, denote $w$ joining patients of department $j$, and similarly that $P_{bl}$, $bl \in [1, z]$, denote $z$ leaving patients at the same time. $P_{bj}$ and $P_{bl}$ are paired with $PC_{bj}$ and $PC_{bl}$, respectively. Hence, after updating, the number of PCs in department $j$ is $n + w - z$.
In our design, first, HC conducts the BaKeUpdate algorithm to generate the batch rekeying message γ j−batch and uses SecHtoP to distribute it to all the n + w PCs. Afterwards, AuthMess is conducted for verification on the PC side. Finally, BaKeDerive is conducted so that the updated group key PGK j−batch is obtained by n + w − z PCs in department j. It is noteworthy that the SecHtoP and AuthMess algorithms are the same as the ones presented in Section 4.2. The design of BaKeUpdate and BaKeDerive is described in detail below.
• BaKeUpdate: The HC conducts BaKeUpdate to generate the batch rekeying message for the $n + w - z$ PCs. A few steps are necessary, as introduced below. First, with the PreCom algorithm described in Section 4.2, HC computes the corresponding $x_{bj}$ and $y_{bj}$ of the $w$ joining $PC_{bj}$, $bj \in [1, w]$. Hence, the variable for $PC_{bj}$ is obtained as
$$var_{bj} = x_{bj} \cdot y_{bj}.$$
Consequently, the sum $var_b^+$ involving all the $w$ joining PCs can be computed as
$$var_b^+ = \sum_{bj=1}^{w} var_{bj}.$$
Similarly, the sum $var_b^-$ involving all the $z$ leaving PCs can be computed as
$$var_b^- = \sum_{bl=1}^{z} var_{bl},$$
where the $var_{bl}$ are taken from HC's memory. Hence, the intermediate value including the $w$ joining PCs and excluding the $z$ leaving PCs is defined as
$$\mu_{j-ba} = \mu + var_b^+ - var_b^-.$$
As a result, HC chooses a new group key $PGK_{j-batch}$ and generates the batch rekeying message $\gamma_{j-batch}$ as
$$\gamma_{j-batch} = PGK_{j-batch} \cdot \mu_{j-ba}.$$
Afterwards, by conducting the SecHtoP algorithm introduced in Section 4.2, the batch rekeying message $\gamma_{j-batch}$ can be distributed to all the $n + w$ PCs.
• BaKeDerive: After the verification process using the AuthMess algorithm in Section 4.2, each PC derives the updated group key $PGK_{j-batch}$ from $\gamma_{j-batch}$ using BaKeDerive; that is, each of the $n + w - z$ remaining $PC_i$ conducts a modular reduction, illustrated as
$$PGK_{j-batch} = \gamma_{j-batch} \bmod PSK_i.$$
Note that the $w$ secret keys $PSK_{bj}$ of the newly joining $PC_{bj}$ are included in $\mu_{j-ba}$, so that the derived $PGK_{j-batch}$ equals the original one. Additionally, the secret keys of $PC_{bl}$, $bl \in [1, z]$, are excluded from $\mu_{j-ba}$, so that the removed patients $P_{bl}$ cannot obtain the correct group key.
At this point, the batch updating procedure involving $w$ joining patients and $z$ leaving patients is completed. The group key for all the $n + w - z$ PCs in department $j$ is updated securely.
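The following added example (not the paper's own code) implements the CRT steps of PreCom, PGKCom and GrKeCom together with the join, leave and batch rekeying rules described above, using Python's built-in big integers and constructed toy key values. Two points are assumptions of this example rather than statements of the page: the keying message is reduced modulo the product of all registered PSK values (which shortens it without changing any residue), and the x_i are precomputed over the department's whole key list, i.e., every registered PC whether or not it currently holds the group key, which is what makes the incremental µ ± var_i updates correct for joins. Names such as HealthcareCenter and derive_group_key are hypothetical.

```python
"""CRT-based group key distribution between HC and the PCs of one department:
PreCom, PGKCom, GrKeCom and the join / leave / batch rekeying rules.
Added example; all secret and group key values below are constructed toys."""
from math import gcd, prod


class HealthcareCenter:
    """Key server (HC) side for one department.

    key_list maps every registered PC to its secret PSK_i.  Assumption (not
    spelled out on the page): the x_i are computed over the whole key list,
    so var_i is a multiple of PSK_l for every registered l != i.  That is the
    property that makes mu +/- var_i rekeying correct without recomputing x_i.
    """

    def __init__(self, key_list):
        psks = list(key_list.values())
        # CRT precondition: the moduli must be pairwise relatively prime.
        for a in range(len(psks)):
            for b in range(a + 1, len(psks)):
                if gcd(psks[a], psks[b]) != 1:
                    raise ValueError("PSK values must be pairwise coprime")
        self.key_list = dict(key_list)
        self.modulus = prod(psks)                      # product of all PSK_i
        self.var = {}
        for pc, psk in self.key_list.items():
            x = self.modulus // psk                    # x_i = prod_{l != i} PSK_l
            y = pow(x, -1, psk)                        # x_i * y_i == 1 (mod PSK_i)
            self.var[pc] = x * y                       # var_i = x_i * y_i
        self.members = set()                           # PCs currently holding the key
        self.mu = 0                                    # sum of var_i over members

    def join(self, pc):                                # JoKeUpdate: mu + var_join
        self.members.add(pc)
        self.mu += self.var[pc]

    def leave(self, pc):                               # LeKeUpdate: mu - var_leave
        self.members.remove(pc)
        self.mu -= self.var[pc]

    def batch(self, joining, leaving):                 # BaKeUpdate: mu + var+ - var-
        for pc in joining:
            self.join(pc)
        for pc in leaving:
            self.leave(pc)

    def keying_message(self, pgk):
        """PGKCom: gamma = PGK * mu, reduced mod the product of all PSK_i.
        The group key must be smaller than every member's PSK_i, otherwise
        the reduction on the PC side would not return it exactly."""
        if not 0 < pgk < min(self.key_list[pc] for pc in self.members):
            raise ValueError("group key must be below every member PSK")
        return (pgk * self.mu) % self.modulus


def derive_group_key(gamma, psk):
    """GrKeCom on the PC side: one modular reduction with the PC's own PSK."""
    return gamma % psk


# Constructed toy department: five registered PCs with (distinct prime) PSKs.
KEY_LIST = {
    "PC1": 1000000007,
    "PC2": 998244353,
    "PC3": 2147483647,
    "PC4": 4294967311,
    "PC5": 2305843009213693951,
}


def demo():
    """Initial group, one leave, then a batch update; returns what each PC derives."""
    hc = HealthcareCenter(KEY_LIST)
    hc.batch(["PC1", "PC2", "PC3"], [])               # initial membership
    gamma = hc.keying_message(123456789)
    members = {pc: derive_group_key(gamma, KEY_LIST[pc]) for pc in hc.members}
    outsider = derive_group_key(gamma, KEY_LIST["PC4"])  # registered, not a member

    hc.leave("PC2")                                    # PC2 recovers and leaves
    gamma_leave = hc.keying_message(987654321)
    left = derive_group_key(gamma_leave, KEY_LIST["PC2"])

    hc.batch(["PC4", "PC5"], ["PC3"])                  # two join, one leaves
    gamma_batch = hc.keying_message(555555555)
    after = {pc: derive_group_key(gamma_batch, KEY_LIST[pc]) for pc in KEY_LIST}
    return members, outsider, left, after


if __name__ == "__main__":
    print(demo())
```

Running the script shows that every current member recovers the group key from the single broadcast value, while a registered PC outside the current membership (an outsider, or a PC that has just left) reduces the keying message to 0, because every term of µ is a multiple of its PSK. The bound check in keying_message enforces the PGK < PSK_i condition that the reduction on the PC side relies on.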

Group Key Generation for PC and Sensors
In this section, our design is motivated by coded cooperative data exchange (CCDE). Assume that $k$ packets are initially distributed among $t$ clients. In simple terms, the goal of CCDE is to let all $t$ clients recover the $k$ packets with a minimal number of transmissions; upon completion, each client holds all $k$ packets. So far, many results have been obtained on solving the CCDE problem. According to [38] and [48], if the $t$ clients are fully connected, the CCDE problem can be solved in polynomial time. Inspired by the group key agreement designed in [5], we consider assigning in total $k$ master keys to all the sensors in department $j$. The master key distribution follows the rule that every two sensors share at least one master key. Hence, the sensors of department $j$ are fully connected with each other. With the assistance of the corresponding PC, the sensors can build the group key cooperatively. Based on Definition 1 in [5], the CCDE-based scheme is feasible for efficient sensor association for the purpose of achieving an optimal number of transmission passes.
For a better description, we take a patient $P_i$ with $PC_i$ in department $j$ as an example. Let $C_i = \{SN_v \mid v \in [1, m],\ m \in \mathbb{N}^*\}$ be the set of $m$ wireless sensors allocated to $P_i$. The association of these $m$ sensors is conducted after $PC_i$ has successfully registered with HC. The proposed sensor association scheme can be divided into two phases: the setup phase and the key generation phase. The setup phase is responsible for secret key allocation and some necessary preparation. Thereafter, the group key is generated in the key generation phase. The detailed descriptions of these two phases are presented as follows.

Setup Phase
In this phase, $PC_i$ assigns the necessary secret information to the $m$ sensors. First, $PC_i$ conducts SecKeDis to generate the temporary identity $PID_i$ and the symmetric secret key $nsk$. Thereafter, $PC_i$ conducts MasKeDis to distribute the predefined master keys to the sensors $SN_v$, $v \in [1, m]$. The design of SecKeDis and MasKeDis is described in detail below.
• SecKeDis: The $PC_i$ conducts SecKeDis to generate $nsk$ and $PID_i$. Let $h$ be a large prime and $\mathbb{Z}_h^*$ the set of positive integers less than $h$. Additionally, $G_T$ is a multiplicative group of prime order $h$, and $u$ is a generator of $G_T$. First, $PC_i$ randomly chooses $nsk$ from $\mathbb{Z}_h^*$. Then, $PID_i$ is generated as follows: where $PSK_i$ is the confidential information of $PC_i$. Thereafter, $PC_i$ stores $\{PSK_i, PID_i, nsk\}$ in its memory.
• MasKeDis: The $PC_i$ conducts MasKeDis to distribute a set of master keys among the $m$ sensors. Let $Q_i = \{k_h \mid h \in [1, c],\ c > m,\ c \in \mathbb{N}^*\}$ be the $c$ master keys to be allocated. According to our design, each sensor $SN_v \in C_i$ is preloaded with a subset $B_v \subseteq Q_i$ such that $B_v \cap B_w \neq \emptyset$ for every pair $v \neq w$; in this way, each sensor shares at least one master key with each remaining sensor. Upon completion, $PC_i$ assigns $\{PID_i, nsk, B_v\}$ to sensor $SN_v$.

Key Generation Phase
In this phase, PC i is responsible for distributing the keying message to all the sensors securely. First, PC i conducts MasKeSel 1 to select the most widely-shared master key k 1 Ψ ∈ Q i among all the m subsets B v (v ∈ [1, m]) and computes the session key Sk 1 Ψ . Afterwards, PC i transmits the session key Sk 1 Ψ to the sensors with SecPtoS. Subsequently, AuthSess is conducted by each sensor SN v ∈ C i so as to verify the validity of the received session key and to compare it with B v . Hence, the sensors preloaded with k 1 Ψ are classified as one subset Λ 1 ⊆ C i . The other sensors, which do not hold k 1 Ψ , discard the received message. Thereafter, PC i runs MasKeSel 2 to select the second master key k 2 Ψ . Similarly, the sensors preloaded with k 2 Ψ are classified as the second subset Λ 2 ⊆ C i . According to our design, Λ 1 ∩ Λ 2 ≠ ∅. In other words, at least one sensor is preloaded with both k 1 Ψ and k 2 Ψ . Let SN Ω be such a sensor, i.e., SN Ω ∈ Λ 1 ∩ Λ 2 . SN Ω conducts GrKeEnc so that the sensors in Λ 2 \ (Λ 1 ∩ Λ 2 ) can derive the session key Sk 1 Ψ . Note that Sk 1 Ψ is considered as the group key SGK i . Now, Sk 1 Ψ is distributed to all the sensors in Λ 1 ∪ Λ 2 . Subsequently, PC i repeats the above process in order to distribute Sk 1 Ψ to the remaining sensors in C i \ (Λ 1 ∪ Λ 2 ). In this way, after several broadcast transmission passes, every SN v ∈ C i finally obtains Sk 1 Ψ as the group key, and the key generation phase is completed. The design of MasKeSel 1 , SecPtoS, AuthSess, MasKeSel 2 and GrKeEnc is described in detail below.
• MasKeSel 1 : This algorithm is designed for PC i to select the master key k 1 Ψ . PC i preferentially chooses the master key that is preloaded on the largest number of sensors. As a result, the corresponding session key Sk 1 Ψ is generated, illustrated as:
• SecPtoS: After the computation of the session key Sk 1 Ψ , PC i conducts SecPtoS for session key distribution. First, Sk 1 Ψ is encrypted by PC i following: As illustrated before, S_ENC x (M) denotes symmetric encryption of M under key x. Next, PC i computes the certificate SIG PSK i (TS||PID i ||E 1 (Sk 1 Ψ )) according to Equation (9). Hence, the certificate SIG PSK i (TS||PID i ||E 1 (Sk 1 Ψ )) can be obtained by computing: After the above calculation, the message: is finally broadcast to all SN v ∈ C i . It is noteworthy that the entire process of SecPtoS is similar to the aforementioned SecHtoP.
• AuthSess: This algorithm is designed for the sensors to verify the certificate received from PC i . The whole process is similar to the aforementioned AuthMess algorithm. Each sensor SN v checks whether: holds. The correctness is elaborated as follows: If the certificate is valid, SN v extracts E 1 (Sk 1 Ψ ) from the message and decrypts it as: where S_DEC nsk (M) denotes symmetric decryption of M using nsk. As a result, the keying message Sk 1 Ψ is securely transmitted.
• MasKeSel 2 : This algorithm is designed for PC i to select the second master key k 2 Ψ . It is required that at least one sensor in Λ 1 stores the master key k 2 Ψ in its master key subset, that is, ∃SN Ω ∈ Λ 1 such that k 2 Ψ ∈ B Ω . Following this rule, PC i chooses the master key preloaded on the largest number of sensors in C i \ Λ 1 . After that, the session key Sk 2 Ψ is generated according to: Next, . It is noteworthy that the transmission process is similar to the aforementioned SecPtoS. At last, After the message checking process employing AuthSess, the sensors in Λ 2 \ (Λ 1 ∩ Λ 2 ) derive the session key Sk 1 Ψ . Hence, Sk 1 Ψ is distributed as the group key SGK i . The above process repeats until: holds, where ρ denotes the number of transmissions on the PC i side. At this point, the group key generation between PC and sensors is completed.

Sensor Join and Leave Operations
In this section, the cases of a sensor joining and a sensor leaving C i are considered in turn.

Sensor Join Operation
In our system model, the sensor join operation should be available in order to offer continuous treatment for the current patient. Assume patient P i is equipped with m wireless sensors in department j. SN join denotes the new sensor to be assigned. It is worth emphasizing that the existing m sensors have already been associated with PC i through the generated group key SGK i . In this case, the joining sensor SN join first registers to PC i and obtains PID i , nsk and B join . Here, B join denotes the master key subset allocated to SN join . For ∀v ∈ [1, m], B v ∩ B join ≠ ∅ and B v ∪ B join ⊆ Q i hold. After that, PC i selects the master key k join Ψ . Note that k join Ψ is contained in B join and, simultaneously, in the master key subset of at least one existing sensor in C i . That is, for k join Ψ ∈ B join , ∃v ∈ [1, m] such that k join Ψ ∈ B v ∩ B join . The remaining steps for the joining sensor are the same as in Section 4.4. As a result, all the m + 1 sensors obtain the group key SGK i , and the sensor join operation is completed. Furthermore, the case with multiple sensors joining the group is handled in the same way as the above single-sensor case.
In conclusion, the above sensor join scheme focuses on allocating the existing group key SGK i to the newly joining sensor. However, in order to enhance the security properties, the existing group key should be updated whenever a new sensor joins C i , which is supported by the aforementioned group key generation process.

Sensor Leave Operation
According to our system model, the sensors are assigned to each patient by the healthcare center and will not be frequently removed from the patient's body. In most cases, the allocated sensors stay bound to the related patient and keep working until the patient leaves the department. However, if a sensor is compromised or disabled, the current group key should be refreshed in a timely manner. It is notable that in our design, the sensors are closely attached to or implanted in the patient's body, so that the sensors are fully controlled by the patient, where the patient is assumed to be a benign user. Hence, for security consideration, PC i should assign new secret messages and conduct the group key generation process again.

Security Analysis
In this section, we analyze the security properties of the proposed protocol. The security theorems, as well as the corresponding proofs are given below.

Resistance to Replay Attack
The adversary can conduct a replay attack by reusing previous messages [49,50]. We analyze the resistance to the replay attack in the proposed protocol.

Theorem 1. During the authentication process in the group key management between HC and PCs, the replay attack can be prevented. That is, the reuse of a previous message sent from HC cannot pass the current authentication process on the PC side.
Proof of Theorem 1. The security of replay attack resistance is formally defined through game G 1 . Let A 1 be a probabilistic polynomial-time adversary. C 1 denotes the challenger, and h and H denote the random oracles. It is worth emphasizing that C 1 has the ability to simulate all the oracles and to output the signing message as a real signer [2,3]. In G 1 , it is assumed that A 1 can conduct the following queries to C 1 :
h query: A 1 can query the random oracle h at any time. C 1 simulates this random oracle by maintaining a list L h of tuples {j, PC i }, where L h is initialized to be empty. When the oracle is queried with input j, if the query j is already in L h , C 1 outputs PC i to A 1 . Otherwise, C 1 generates a random PC i and returns it to A 1 . Note that {j, PC i } is then added to L h .
Extract query: Upon receiving the query from A 1 , C 1 executes the SecKeGen algorithm to generate relevant secret information {TS, PSK i , SSK, g, hsk}. It is notable that TS denotes the current time stamp. After that, C 1 computes HID and E(γ j ). Finally, {PC i , HID, TS, g, E(γ j )} is returned to A 1 .
H query: A 1 can query the random oracle H at any time. C 1 simulates this random oracle H by maintaining a list L H of tuples {PC i , Y i }, where L H is initialized to be empty. When the oracle is queried with input PC i , if PC i is already in L H , C 1 outputs the corresponding Y i to A 1 . Otherwise, C 1 generates a random number Y i and returns it to A 1 . Meanwhile, {PC i , Y i } is added to L H .
SigGen query: C 1 simulates the signature oracle by responding to the signature query on the message E(γ j ). C 1 executes the SecHtoP algorithm to generate the signature SIG(TS||HID||E(γ j )) and returns it to A 1 .
Replay query: Upon receiving the signature from A 1 , C 1 simulates the replay operation by conducting the AuthMess algorithm to check the validity of the received signature. The received signature is compared with the newly-generated signature after a certain time interval ∆t by replaying the process.
As a result, A 1 obtains the signature SIG(TS||HID||E(γ j )), where the generated signature is valid and the following equation holds: ê(SIG(TS||HID||E(γ j )), g) = ê(Y i , HID). At this point, TS||HID||E(γ j )||SIG(TS||HID||E(γ j )) is obtained by A 1 , while the newly-generated signature SIG(TS||g SSK ||TS ∆t ||E(γ j )) involving the corresponding information satisfies: where TS ∆t is the time stamp at time ∆t generated by C 1 (TS ∆t > TS). Accordingly, by conducting the replay query, C 1 runs the AuthMess algorithm as follows: ê(SIG(TS ∆t ||HID'||E(γ j )), g) It is obvious that the reused previous signature can pass the authentication only when Y i = Y i ' and HID = HID'. That is, TS ∆t = TS, which contradicts the aforementioned definition. Hence, the replay attack is not feasible in the proposed group key management scheme between HC and PCs.

Theorem 2.
During the authentication process in the group key management between PC and sensors, the replay attack can be prevented. That is, the reuse of the previous message sent from PC cannot pass the current authentication process on the sensor side.
Proof of Theorem 2. The proof of Theorem 2 is similar to the above proof of Theorem 1.

Resistance to Forgery Attack
In this section, we analyze the resistance of the proposed protocol to the forgery attack.

Theorem 3. The proposed group key management scheme between HC and PCs is existentially unforgeable in the random oracle model.

Proof of Theorem 3.
Similarly, the resistance to the forgery attack is formally defined through game G 2 . Let A 2 be a probabilistic polynomial-time adversary. C 2 denotes the challenger, and h and H denote the random oracles. It is worth noting that C 2 has the ability to simulate all the oracles and to output the signing message as a real signer. In G 2 , it is assumed that A 2 can conduct the following queries to C 2 :
h query: This is the same as the definition in Theorem 1.
Extract query: Upon receiving the query from A 2 , C 2 executes the SecKeGen algorithm to generate the relevant secret information {TS, PSK i , SSK, g, hsk}. Note that TS denotes the current time stamp. {PC i , HID, TS, g} is returned to A 2 .
SyEnc query: C 2 maintains a list L S of tuple {PC i , γ j , E(γ j )}, where L S is initialized to be empty. When queried by A 2 , C 2 generates a random number as γ j and checks the list L S . If {PC i , γ j } is already in L S , C 2 randomly chooses another value again. Otherwise, C 2 computes E(γ j ) with hsk. Finally, {PC i , γ j , E(γ j )} is returned to A 2 and also added to L S .
H query: This is the same as the definition in Theorem 1.
SigGen query: This is the same as the definition in Theorem 1.
Replay query: Upon receiving the signature from A 2 , C 2 simulates the replay operation by conducting the AuthMess algorithm to check the validity of the received signature. The received signature is compared with the newly-generated signature of E(γ j ') (γ j ' ≠ γ j ).
Finally, the adversary A 2 obtains the signature SIG(TS||HID||E(γ j )), as well as {TS, HID, E(γ j )} of PC i , by querying C 2 . As a result, the equation ê(SIG(TS||HID||E(γ j )), g) = ê(Y i , HID) holds. Furthermore, C 2 outputs another signature SIG(TS'||HID'||E(γ j ')) to A 2 . Assume the signature can pass the authentication, illustrated as: Thus, the forged signature can pass the authentication only when Y i = Y i ' and HID = HID'. That is, g SSK ||TS = HID', so that SSK = SSK', which contradicts the aforementioned assumption. Hence, a forgery based on the acquired message is not feasible in the proposed group key management scheme between HC and PCs.

Theorem 4. The proposed group key management scheme between PC and sensors is existentially unforgeable in the random oracle model.
Proof of Theorem 4. The proof of Theorem 4 is similar to the above proof of Theorem 3.

Forward Security
In this section, we analyze the forward security property of the proposed protocol.
Theorem 5. The proposed group key management scheme between HC and PCs provides forward security against an adversary. That is, the revoked PCs (patients) cannot get access to the current communication.
Proof of Theorem 5. This theorem is analyzed through game G 3 . Let A 3 be the adversary colluding with the revoked PC leave in department j. It is worth noting that A 3 obtains all the secret information stored in PC leave and wants to derive the current group key PGK j−leave . After receiving the keying message γ j−leave = PGK j−leave × µ leave from HC, A 3 conducts the modulo operation to derive the group key. However, as described in the aforementioned sections, for the revoked PC leave , HC subtracts var leave from µ so that µ leave = µ − var leave . In this case, the rekeying message only involves the information of the remaining n − 1 PCs. Hence, the revoked PC leave cannot derive the correct group key. That is, PGK j−leave ≠ γ j−leave mod PSK leave . Thereafter, the remaining n − 1 PCs in department j can update their group key securely. We assume that the size of PSK leave is bits. As a result, A 3 has to perform 2 times in order to obtain one PSK i of the remaining n − 1 PCs. Accordingly, the probability that A 3 can successfully obtain PGK j−leave is n−1 2 . Thus, forward security is provided in our protocol between HC and PCs.

Theorem 6. The proposed group key management scheme between PC and sensors provides forward security against an adversary. That is, the revoked sensors cannot get access to the current communication.
Proof of Theorem 6. As illustrated above, the sensors are closely attached to or implanted in the patient's body and are fully controlled by the patient. Assume a sensor is removed from the patient's body. In this case, PC i assigns new secret messages, including PID i , nsk and a master key subset, to each remaining sensor. The whole group key generation process is then conducted again to refresh the group key. In this way, the revoked sensor cannot derive the new group key, since the vital secret information is different.

Resistance to Collusion Attack
In this section, we analyze the collusion attack resistance of the proposed protocol.
Theorem 7. The proposed group key management scheme between PC and sensors provides forward security against an adversary. That is, the revoked sensors cannot get access to the current communication.
Proof of Theorem 7. We define the collusion attack through game G 4 . Let A 1 4 and A 2 4 be the adversaries removed from department j at time t 1 and t 2 (t 1 < t 2 ), respectively. At time t 1 , A 1 4 leaves the department with the acquired group key PGK t 1 − . Meanwhile, the rekeying message γ t 1 is obtained by A 2 4 . Additionally, the updated group key PGK t 1 + is derived by A , PGK t 1 − , PGK t 1 + , γ t 1 , γ t 2 . With the above information, PGK t 2 + is computed according to PGK t 2 + = γ t 2 mod PSK A η 4 with η ∈ {1, 2}.
Assume the size of PSK A η 4 is bits. The probability that A 1 4 and A 2 4 can successfully obtain the group key is n−2 2 . Hence, the collusion attack is prevented.
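The leave case in the proof of Theorem 5 and the two-PC collusion in the proof of Theorem 7 can be checked concretely. The following Python script is an added example, not code from the paper or its authors. It assumes the textbook CRT construction for µ, namely var i = N i · (N i^−1 mod PSK i ) with N = ∏ PSK k and N i = N / PSK i , which is consistent with the description that HC revokes a PC by subtracting var leave from µ; the PSK values, the class HealthcareCenter and the functions pc_derive, collude and random_psks are constructed for the example and are not from the paper.

```python
"""CRT-based group key distribution between HC and PCs.
Added example: the var_i / mu construction below is the standard CRT one and is
assumed to be the paper's; PSK values in __main__ are constructed for the demo."""
import secrets
from itertools import combinations
from math import gcd


def crt_vars(psk_by_id):
    """var_i = N_i * (N_i^{-1} mod PSK_i), N = prod PSK_k, N_i = N / PSK_i.
    Hence var_i = 1 (mod PSK_i) and var_i = 0 (mod PSK_k) for every k != i."""
    for a, b in combinations(psk_by_id.values(), 2):
        if gcd(a, b) != 1:
            raise ValueError("PSKs must be pairwise coprime for the CRT to apply")
    n_total = 1
    for p in psk_by_id.values():
        n_total *= p
    return {i: (n_total // p) * pow(n_total // p, -1, p) for i, p in psk_by_id.items()}


class HealthcareCenter:
    """HC side: stores each PC's PSK_i, the CRT coefficients var_i and their sum mu."""

    def __init__(self, psks):
        self.psk = dict(enumerate(psks, start=1))   # PC_1 .. PC_n
        self.var = crt_vars(self.psk)
        self.mu = sum(self.var.values())

    def rekey(self, pgk=None):
        """Choose a fresh group key PGK_j and return (PGK_j, gamma_j = PGK_j * mu).
        PGK_j must be below every PSK_i, otherwise the PC's reduction truncates it."""
        bound = min(self.psk.values())
        if pgk is None:
            pgk = secrets.randbelow(bound - 1) + 1
        if not 0 < pgk < bound:
            raise ValueError("PGK_j must satisfy 0 < PGK_j < min PSK_i")
        return pgk, pgk * self.mu

    def revoke(self, pc_id):
        """Leave operation: mu_leave = mu - var_leave (N itself is not recomputed)."""
        self.mu -= self.var.pop(pc_id)
        del self.psk[pc_id]


def pc_derive(gamma, psk):
    """PC side: the modulo operation of the paper, gamma_j mod PSK_i."""
    return gamma % psk


def collude(gamma, psk_a, psk_b):
    """Two revoked PCs pool their PSKs and CRT-combine their residues mod PSK_a*PSK_b.
    Returns the unique value below PSK_a*PSK_b congruent to gamma modulo both PSKs."""
    ra, rb = gamma % psk_a, gamma % psk_b
    m = psk_a * psk_b
    return (ra * psk_b * pow(psk_b, -1, psk_a) + rb * psk_a * pow(psk_a, -1, psk_b)) % m


def random_psks(n, bits=64):
    """Constructed pairwise-coprime PSKs for the demo (PSK generation is not modelled)."""
    out = []
    while len(out) < n:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(gcd(cand, p) == 1 for p in out):
            out.append(cand)
    return out


if __name__ == "__main__":
    hc = HealthcareCenter(random_psks(4))
    pgk, gamma = hc.rekey()
    assert all(pc_derive(gamma, p) == pgk for p in hc.psk.values())
    leaver2 = hc.psk[2]
    hc.revoke(2)                                   # PC_2 leaves department j
    pgk2, gamma2 = hc.rekey()
    assert all(pc_derive(gamma2, p) == pgk2 for p in hc.psk.values())
    assert pc_derive(gamma2, leaver2) == 0          # revoked PC recovers nothing
    leaver3 = hc.psk[3]
    hc.revoke(3)
    pgk3, gamma3 = hc.rekey()
    assert collude(gamma3, leaver2, leaver3) == 0   # pooled secrets still give nothing
    print("rekeying with 4, 3 and 2 PCs: all checks passed")
```

A PC reduces γ j modulo its own PSK i and gets PGK j back only while its var i is part of µ; once var leave is subtracted, the revoked PC's reduction yields 0, and two revoked PCs who CRT-combine their residues modulo PSK a · PSK b still obtain 0, which is the mechanical reason behind the probabilities stated in Theorems 5 and 7. The script also makes two preconditions explicit that the description implies: the PSK i must be pairwise coprime, and PGK j must be smaller than every PSK i .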

Performance Analysis
In this section, we present the performance analysis of the proposed protocol. As illustrated in the above sections, our scheme consists of two parts: the group key management between HC and PCs and the group key management between PC and sensors. The performance of each part is considered in turn. Subsequently, the corresponding simulations and results are presented.

Group Key Management between HC and PCs
The proposed protocol is compared with two state-of-the-art group key management protocols: ESSA [4] and DAKM [44]. The comparisons of the computational cost and storage, as well as the communication cost, are demonstrated as follows.

Computational Cost and Storage
The computational cost is defined as the total time consumption for group key generation [44]. Additionally, the storage mentioned here refers to the memory size required for the corresponding operations. The comparison result with ESSA and DAKM is given in Table 2. We denote the modulo operation as mod, the exponential operation as Ex and the bilinear pairing as e. Enc and Dec refer to encryption and decryption. Additionally, H, M, D and A represent the one-way hash function, multiplication operation, division operation and addition operation, respectively. Finally, the point multiplication operation is denoted as p.

Communication Cost
The comparison result on the communication cost is given in Table 3. Accordingly, both DAKM and our protocol require one broadcast for the whole process, which is efficient for resource-constrained wireless sensors.

Group Key Management between PC and Sensors
In this section, the proposed protocol is analyzed and compared with the ESSA protocol [4]. The comparisons of the computational cost and storage, as well as the communication cost are illustrated as follows.

Computational Cost and Storage
The comparison result with ESSA [4] on the computational cost and storage is given in Table 4. The notations used in the table are the same as those in Table 2. As illustrated above, the sensors in subset Λ M ⊆ C i get the session key Sk M Ψ . Note that the process repeats ρ times, so that M ∈ [1, ρ]. For a better description, we assume that there are Θ M sensors in Λ M . Meanwhile, there are Φ M sensors in the subset Λ M ∩ Λ M+1 . In this case, the computational cost on the PC i side is (ρ + 1)Ex + 2ρH + ρEnc. On the sensor side, we consider the average computation required for message authentication and encryption. The detailed procedure is as follows: First, after receiving the first message from PC i , the computation for each sensor in subset Λ 1 is 1e + 1H + 1Dec, so that the total computation is Θ 1 (1e + 1H + 1Dec). Similarly, in the second round, after receiving the message from PC i , the computation for all the Θ 2 sensors in subset Λ 2 is Θ 2 (1e + 1H + 1Dec). After that, the Φ 1 sensors in Λ 1 ∩ Λ 2 broadcast the message to the others with computation 1Enc + 1H + 1Ex each. Next, the Θ 2 − Φ 1 sensors in Λ 2 \ (Λ 1 ∩ Λ 2 ) each compute 1e + 1H + 1Dec. Hence, we can conclude that the total computation in the i-th round is: In conclusion, the total computational cost for all the sensors is computed according to: Consequently, the average computational cost on the sensor side is: We consider the extreme situation where PC i needs to conduct m − 1 broadcasts. Under this assumption, the computational cost reaches its upper limit. That is, In this way, the maximum average computational cost on the sensor side is: According to the practical requirement, m 6; thus: AveComp_Sen(i) ≈ 4(e + H + Dec).
Subsequently, the storage comparison with ESSA is shown in Table 4. It is notable that the value k in the table denotes a certain storage allocated for the preloaded master keys on both the PC and sensor side. The comparison result shows that our protocol requires less memory compared with the ESSA protocol.
After this comparison with the existing two protocols on group key management in WBAN, the simulations for the three protocols are presented, so as to prove the efficiency of the proposed protocol.

Communication Cost
The comparison result on the communication cost is given in Table 5. In ESSA [4], the transmission type during the authentication between PC and sensors is unicast. After that, broadcast is used for group key derivation. PC i communicates with each sensor for four rounds. Hence, the total communication cost is 4m + 1. As described above, in our protocol PC i broadcasts ρ times to assign the necessary messages to the sensors. Moreover, each sensor in subset Λ M ∩ Λ M+1 (M ∈ [1, ρ − 1]) broadcasts the keying message to the other sensors. In this way, the total communication cost is ρ + ∑_{i=1}^{ρ−1} Φ i . Similar to the above section, we set ρ = m − 1 and Φ i = 2, i ∈ {1, ..., ρ − 1}, to compute the maximum communication cost. That is, ρ + ∑_{i=1}^{ρ−1} Φ i = (m − 1) + 2(m − 2) = 3m − 5. In this case, we get 3m − 5 < 4m + 1. It is obvious that our protocol requires less communication cost for group key management between PC and sensors.
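The round structure of the key generation phase (MasKeSel 1 , then repeated MasKeSel 2 with GrKeEnc relaying by the sensors in Λ M ∩ Λ M+1 ) and the resulting counts ρ and Φ M that enter the cost formulas above can be reproduced with the following Python simulation. It is an added example, not the paper's implementation: the cryptographic steps (SecPtoS, AuthSess, GrKeEnc) are abstracted to set operations; the master key allocations are constructed here, since the MasKeDis allocation rule is not given on this page, so pair_key_allocation and WIDE_SHARE are assumptions that merely satisfy the stated requirement that every two sensors share a master key; and all function names are mine. The bridge set of round M is computed against every sensor that already holds SGK i , of which the paper's Λ M ∩ Λ M+1 is the special case where the relay comes from the previous subset only.

```python
"""Simulation of the cooperative sensor association rounds (added example, not
the paper's implementation). Only the selection and coverage logic is modelled."""
from itertools import combinations


def pairwise_shared(subsets):
    """MasKeDis requirement: every two sensors share at least one master key."""
    return all(subsets[a] & subsets[b] for a, b in combinations(subsets, 2))


def pair_key_allocation(m):
    """Constructed allocation (assumption, not the paper's rule): one master key per
    sensor pair, so c = m(m-1)/2 > m for m >= 4 and every pair shares exactly one
    key. Each key is held by only two sensors, which forces the m-1 broadcast case."""
    subsets = {v: set() for v in range(1, m + 1)}
    for kid, (a, b) in enumerate(combinations(range(1, m + 1), 2), start=1):
        subsets[a].add(kid)
        subsets[b].add(kid)
    return subsets


def key_generation_rounds(subsets):
    """Return one (master key, Lambda_M, bridge set) tuple per PC broadcast.
    Round 1 (MasKeSel_1): the key preloaded on the most sensors.
    Round M > 1 (MasKeSel_2 rule): a key held by at least one sensor that already
    has SGK_i, chosen to cover the most still-uncovered sensors; the bridge sensors
    (holders of k_M that already have SGK_i) re-encrypt SGK_i for the rest of
    Lambda_M. Ties are broken by the smallest key id so runs are reproducible."""
    holders = {}
    for v, keys in subsets.items():
        for k in keys:
            holders.setdefault(k, set()).add(v)
    sensors = set(subsets)
    k1 = max(holders, key=lambda k: (len(holders[k]), -k))
    covered = set(holders[k1])
    rounds = [(k1, set(holders[k1]), set())]
    used = {k1}
    while covered != sensors:
        best = None
        for k, hs in holders.items():
            if k in used or not (hs & covered):
                continue                       # no bridge sensor: cannot be relayed
            new = hs - covered
            if new and (best is None or (len(new), -k) > (len(best[1]), -best[0])):
                best = (k, new)
        if best is None:
            raise ValueError("master key subsets do not connect all sensors")
        k, new = best
        used.add(k)
        rounds.append((k, set(holders[k]), holders[k] & covered))
        covered |= new
    return rounds


def communication_cost(rounds):
    """(rho, rho + sum of Phi_M): PC broadcasts plus one broadcast per bridge sensor."""
    rho = len(rounds)
    return rho, rho + sum(len(bridge) for _, _, bridge in rounds)


def essa_cost(m):
    """ESSA [4] as quoted in the paper: four unicast rounds per sensor plus one broadcast."""
    return 4 * m + 1


# Constructed allocation with one widely shared key (c = 7 > m = 6); every pair shares a key.
WIDE_SHARE = {1: {1, 3, 4}, 2: {1, 3, 5}, 3: {1, 3, 6},
              4: {1, 2, 7}, 5: {2, 3, 4}, 6: {2, 3, 5}}

if __name__ == "__main__":
    for name, subsets in (("pair keys", pair_key_allocation(6)), ("wide share", WIDE_SHARE)):
        assert pairwise_shared(subsets)
        rounds = key_generation_rounds(subsets)
        rho, cost = communication_cost(rounds)
        print(f"{name}: rho={rho}, cost={cost}, ESSA={essa_cost(len(subsets))}")
        for k, lam, bridge in rounds:
            print(f"  key {k}: Lambda={sorted(lam)} bridge={sorted(bridge)}")
```

The pair-key allocation reproduces the extreme case of the analysis: every master key is held by only two sensors, so ρ = m − 1 with one relaying sensor per round, and the simulation reports ρ + Σ Φ = 9 for m = 6, within the 3m − 5 = 13 bound and well below ESSA's 4m + 1 = 25. A widely shared key collapses the procedure to ρ = 2. The ValueError branch is a check worth keeping in any implementation of this scheme: if the allocation does not connect all sensors, some SN v can never authenticate a relayed SGK i , which shows up operationally as sensors silently discarding every keying message.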

Simulation Experiments and Results
In the previous two sections, an extensive performance analysis and comparison emphasizing computational and communication cost was provided, along with a mathematical discussion and estimation for extreme cases. In addition, the relevant simulations are presented here in order to prove the efficiency of our protocol. It is worth noting that the time consumption for group key generation and distribution is of particular concern, since it is the crucial factor in the performance evaluation of WBANs.
The experiments were conducted on Windows 10 with a 2.70-GHz Intel(R) Core i7-6820HK CPU and 16 GB memory. Two parts of the proposed protocol, namely the group key management between HC and PCs and group key management between PC and sensors, were performed in Visual Studio 2015 with C++ language. Moreover, the Pairing-Based Cryptography (PBC) library was adopted accordingly.
The experiments on group key management between HC and PCs were conducted first. Note that the assignment of the necessary secret information was designed to be done before the formal group key generation. Hence, the time consumption for SecKeGen was not included. The simulation was performed several times based on different numbers of PCs. The comparison results with ESSA [4] and DAKM [44] are presented in Figures 2 and 3. As shown in Figure 2, it is obvious that our protocol required less running time.
When the number of PCs increased, the running time for our protocol and DAKM [44] was similar. Additionally, the running time for each PC was affected by the key size; as shown in Figure 3, our protocol obviously required less running time on the PC side when the key size was set to 512 bits.
After that, the group key updating time of HC was considered in order to prove the efficiency of our group key updating scheme based on CRT. Note that both the joining and the revoked PCs were defined to be the updated PCs. The key updating time is shown in Figure 4.
Similarly, the comparison result with ESSA [4] on the group key generation time between PC and sensors is given in Figure 5. In summary, the above simulation results demonstrate that our protocol provides better performance than the state-of-the-art group key management protocols.

Conclusions
In this paper, first, a novel practical WBAN system model with a notification channel is designed. Moreover, an efficient group key management protocol employing the Chinese remainder theorem (CRT) between HC and PCs is introduced, which supports secure group key updating. In this way, the HC is capable of broadcasting the message to different patient groups. Additionally, the group key scheme between PC and sensors is designed, which is motivated by coded cooperative data exchange (CCDE). Formal security analysis is given, indicating that the proposed protocol can achieve the desired security properties. Furthermore, performance analysis demonstrates that the proposed protocol is efficient compared with the state-of-the-art.