A Secure Mutual Batch Authentication Scheme for Patient Data Privacy Preserving in WBAN

Recent advances in cloud-based services have significantly improved everyday life in numerous areas. In particular, the spectacular innovations in wireless body area networks (WBAN) have made e-Care services a promising application field that improves the quality of the medical system. However, the data forwarded from the limited connectivity range of a WBAN via a smart device (e.g., a smartphone) to the application provider (AP) must be protected from unauthorized access and alteration by an attacker, which could have catastrophic consequences. Several schemes have therefore been proposed to guarantee data integrity and privacy during transmission between the client/controller (C) and the AP, and numerous cryptosystems based on bilinear pairings are available in the literature to address these security issues. Unfortunately, one such solution presents a security shortcoming: the AP can easily impersonate a given C, so the scheme cannot fully guarantee C's data privacy and integrity. We address this impersonation issue with a secure and efficient remote batch authentication scheme that genuinely ascertains the identities of C and AP. The proposed cryptosystem combines elliptic curve cryptography (ECC) with bilinear pairings. Furthermore, it reduces communication and computational costs by providing data aggregation and batch authentication for the resource-limited devices of a WBAN. These two additional features are the core improvements of our scheme and have great merit in energy-limited environments such as WBAN.


Introduction
Recent innovations in wireless sensor networks (WSN) have cleared the route for smart sensors that can be worn on or implanted in the human body to monitor, for example, glucose level and respiratory rate [1][2][3][4][5]. This interconnection of advanced handheld gadgets worn on or embedded in the human body is referred to as a wireless body area network (WBAN). A WBAN commonly includes a cell phone on the client's side that acts as the hub/controller, collecting the client's data and forwarding it to a remote server or Application Provider (AP).
Although WBAN has enhanced e-Care services, the security and privacy of clients' data remain a tremendous challenge [3][4][5][6][7][8][9][10][11][12][13][14][15][16]. For instance, a client should know which AP handles his or her data before requesting further processing (data accountability). There is therefore a paramount need for the client and the e-Care system agents (doctors, nurses, etc.) to authenticate each other so as to preserve data confidentiality.
Validation of Internet Security Protocols and Applications (AVISPA). However, the use of physiological signals implies that all sensor nodes measure the same physiological signal, and introduces additional costs for collecting and transforming the data, as well as for keeping all sensors synchronized.

Elliptic Curve Cryptography (ECC)
ECC is an asymmetric (public-key) cryptosystem built on the arithmetic of elliptic curves; for a given security level it yields smaller keys and faster operations than integer-factoring or finite-field schemes. It was introduced independently by Koblitz [24] and Miller [25]. A curve E over a field K can be described in non-homogeneous form by the (general) Weierstrass equation [26]:

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (1)$$

where $a_1, a_2, a_3, a_4, a_6 \in K$ and $\Delta \neq 0$, $\Delta$ being the discriminant of E:

$$\Delta = -d_2^2 d_8 - 8 d_4^3 - 27 d_6^2 + 9 d_2 d_4 d_6 \qquad (2)$$

with

$$d_2 = a_1^2 + 4a_2, \quad d_4 = 2a_4 + a_1 a_3, \quad d_6 = a_3^2 + 4a_6, \quad d_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2.$$

The condition $\Delta \neq 0$ ensures that the curve is nonsingular, which is what makes the chord-and-tangent group law well defined. Based on the literature, ECC reaches the security of a 1024-bit RSA modulus with a key of roughly 160 bits. ECC is therefore well suited to achieving the desired security level with the lowest computational cost and battery usage, which makes it an efficient solution for resource-limited mobile devices. Its security advantage lies in the short key size combined with the assumed hardness of the elliptic curve discrete logarithm problem (ECDLP).

Marko et al. [13] showed that the schemes of [11,12] fell short of their goals and in fact did not provide untraceability of the communicating sensor nodes. Based on that, [13] proposed a solution with anonymous participants and without session linkability/traceability. The new scheme achieves untraceability while keeping the computational complexity unchanged and reducing the communication cost, so it is a good candidate to improve Koya et al.'s scheme [12]; the price is an increase in the required storage space. Its security was argued informally against well-known attacks and formally with BAN logic, AVISPA, and the Scyther tool.
A new way of achieving user anonymity, using a smart card instead of the traditional authentication method, has been introduced to address the security and privacy issues of wireless multimedia sensor networks (WMSNs). Ashok et al. [14] reviewed Li et al.'s scheme [11] and showed that it was still vulnerable to privileged-insider and sensor-node-capture attacks and failed to provide user anonymity. To address these shortcomings, they proposed a secure biometrics-based user authentication scheme for WMSNs using a smart card, which they proved secure against the known attacks and showed to be more efficient in computation and communication than Li et al.'s scheme [11]. A further line of work addresses anonymity in view of the emergence of quantum computers. Most of the solutions above rely on bilinear pairings and elliptic curve cryptography, whose security rests on the elliptic curve discrete logarithm problem, which a sufficiently large quantum computer would solve efficiently. To address this, Rui et al. [15] presented a lightweight anonymous handover authentication (AHA) scheme for wireless networks based on the Number Theory Research Unit (NTRU) public-key cryptosystem. Their security analysis and experimental results show that the scheme achieves mutual authentication with a higher security level against known attacks, at low computation cost, high efficiency, and ease of implementation compared with related works such as [11,12]. Its disadvantage is that, lacking a trust and reputation evaluation mechanism, it cannot detect misbehaving nodes or prevent collusion attacks; its correctness rests only on the certification results of the two parties.
This solution [15] is therefore only suitable for a single-authentication model with a few participants.
In this paper, our contribution is, first, a certificate-less mutual authentication scheme that addresses the impersonation issue found in the related works [8][9][10]. Second, we design a lightweight cryptographic algorithm that combines ECC and bilinear pairing operations for the constrained devices of a WBAN. Furthermore, our solution is more efficient than the existing works [8][9][10][15] because its batch authentication process considerably reduces the computation and communication costs of resource-constrained WBAN devices.
The rest of this work is sectioned as follows. Section 2 presents the background work, while Section 3 gives the detailed design of the proposed solution. Section 4 analyzes and evaluates the performance and security level of the proposed contribution. Then, we end this work in Section 5.


Bilinear Pairings
Bilinear maps, as explained in [27], can be presented as follows. Let $E_1$ (additive) and $E_2$ (multiplicative) be two cyclic groups of prime order $p$, let $g$ be a generator of $E_1$, and let $e: E_1 \times E_1 \to E_2$ be a bilinear map. The map $e$ satisfies the following properties:
Bilinearity: $\forall A, B \in E_1$, $\forall d, f \in \mathbb{Z}_p^*$, $e(dA, fB) = e(A, B)^{df}$.
Non-degeneracy: $\exists A, B \in E_1$ such that $e(A, B) \neq 1$, where $1$ is the identity element of $E_2$.
Computability: for any $A, B \in E_1$, there is an efficient algorithm to compute $e(A, B)$.
Recall that a group equipped with such a map $e$ is called a bilinear group. In a bilinear group the Decisional Diffie-Hellman (DDH) problem is easy: given $(P, aP, bP, cP)$, one checks whether $e(aP, bP) = e(P, cP)$, which by bilinearity holds exactly when $c = ab$. The Computational Diffie-Hellman (CDH) problem, i.e., computing $abP$ from $(P, aP, bP)$, is nevertheless believed to be very hard. Our proposed solution is based on the following computational assumptions.

Security Assumption
We propose an efficient mutual batch authentication solution relying on strong security computation assumptions.
Problem 1 (Computational Diffie-Hellman, CDH): Consider a multiplicative cyclic group $G$ of order $p$ with generator $g$. A probabilistic polynomial-time adversary has only a negligible chance of computing $g^{ab}$ from $g, g^a, g^b$ for random $a, b \in \mathbb{Z}_p^*$.
Problem 2 (Elliptic curve discrete logarithm problem, ECDLP): Let $E$ be an elliptic curve over a finite field $K$ and let $P, Q \in E(K)$. It is infeasible to determine $k$ such that $Q = [k]P$.
Here, we propose the architecture depicted in Figure 1, comprising the WBAN, the controller/client (C), the network manager (NM), and the application provider (AP). The WBAN is an environment in which sensors placed inside and outside the human body operate autonomously and transmit medical data to the remote AP server via C. Our proposed solution therefore focuses on mutual authentication between C and AP to guarantee data integrity and confidentiality. The main steps of the scheme, i.e., initialization, registration, and authentication between C and AP [4,7,28,29], are carried out through a third party, NM, as depicted in Figure 2. C and AP register with NM to obtain their partial cryptographic keys; NM thus acts as the key generation center (KGC). Contrary to related works, where NM is fully trusted, we assume in this paper that NM may be curious and dishonest; C and AP therefore obtain from NM only partial key material, never the full key, for stronger data privacy protection. To address passive and active attacks [30], our scheme provides the following security requirements:
(i) Mutual authentication: only a genuine, approved C obtains access privileges from AP, and only an approved AP receives and processes data from C.
(ii) Anonymity: an attacker cannot learn the real identities of the participants (C and AP) during the identification procedure.
(iii) Unlinkability: an attacker cannot link C's identity to a particular session when C requests computations from AP.
(iv) Resilience to replay and impersonation attacks.
Further, used keys cannot be recovered by an attacker, and our solution does not use verification
Recall that the principal objective of this work is to design an efficient batch mutual certificate-less authentication scheme between C and AP that ascertains their identity in the communication process.
Thereby a passive attacker (eavesdropper) has only a negligible chance of impersonating either C or AP. Further, by providing anonymity together with the unlinkability property, we strengthen the client's privacy protection.

Related Work
Wang and Zhang proposed an anonymous authentication scheme for WBAN [7] to overcome the security weaknesses of Zhao's scheme [9]. Its Initialization, Registration, and Authentication phases are as follows.
Initialization phase: NM generates the keys and system parameters as follows.
(i) NM chooses a large prime q, two groups G_1 and G_2 of order q, a bilinear map e: G_1 × G_1 → G_2, and a generator P of G_1.
(ii) NM selects two secure hash functions h: {0,1}* → Z_q and H: {0,1}* → G_1.
(iii) NM picks a random s_NM ∈ Z_q as its secret key and computes Q_NM = s_NM P as its public key.
(iv) Finally, NM publishes the parameters params = {q, G_1, G_2, e, P, h, H, Q_NM}.
Registration phase: C and AP register with NM and receive their respective partial private keys S_C and S_AP.
Authentication phase: C and AP authenticate each other and derive the keys used to encrypt patient records.
(i) C picks a random r_C ∈ Z_q^*, computes Q_AP = H(ID_AP), Q_C = H(ID_C), R_C = r_C Q_C, K_C = e(S_C, r_C Q_AP), and Auth_C = E_{K_C}(ID_C || T_C || R_C), where T_C is the current timestamp and E_K denotes symmetric encryption under K. C sends M_1 = {R_C, T_C, Auth_C} to AP.
(ii) On receiving M_1, AP checks that T_C is fresh and rejects the message otherwise. AP computes K_AP = e(S_AP, R_C), decrypts Auth_C to obtain (ID_C || T_C || R_C), and compares the decrypted T_C with the transmitted one; on mismatch AP aborts the access process. Otherwise AP picks a random r_AP ∈ Z_q^* and computes its response message M_2, which it sends to C.
(iii) On receiving M_2, C checks that T_AP is fresh and aborts the access request otherwise. C then computes L_C = r_C R_AP and checks the verification equation; if it does not hold, the response is rejected.

The Security Shortcoming
From the above description of Wang and Zhang's scheme (WZ) [7], a given AP can compute the client's key itself (K_C = K_AP). A malicious AP can therefore impersonate C as follows: the attacker picks r_C ∈_R Z_q^*, sets Q_C = H_1(ID_C), and computes R_C = r_C Q_C. It then computes K* = e(S_AP, R_C) = K_C and generates a valid login message M_1 = {R_C, Auth_C, T} with Auth_C = h(T || K_C || R_C). The attack works because K_C depends on C only through the public value Q_C = H(ID_C) and contains no authenticator tied to C's own secret, so anyone holding S_AP can derive it for an r_C of their choosing. The WZ solution therefore has a security shortcoming in the C/AP authentication process. To address it, the authors of [29] proposed an effective remote identity validation scheme; according to their experimental results [29], it resists a malicious insider and reduces C's running time by 51% compared with Wang and Zhang's scheme [7]. However, none of these related works provides data aggregation or batch mutual identity validation to reinforce data privacy protection.

Proposed Solution
Authentication of patients in e-Care systems has begun to draw intense attention in the literature [31]. In this section we present our contribution: a strong certificate-less mutual authentication scheme between C and AP. Table 1 summarizes the abbreviations used in this paper. Our solution satisfies the following security requirements, so that an attacker can neither impersonate AP or C nor modify the transmitted data (data integrity and client privacy):
(1) Subscriber authentication: AP confirms the identity of each C to guarantee its authenticity.
(2) Provider validation: a client C can verify the identity of each AP it visits, to avoid forgery and other malicious attacks.
(3) Key generation: a different encryption key is generated each time C and AP start a session, to protect the transferred data.
(4) Anonymous client: apart from NM, nobody, including AP, learns the identity of C, and C's operations are unlinkable.

Security System Settings
NM sets up the whole system (the public parameters) and computes the partial secret keys as follows, based on an elliptic curve E/F_q and a random generator P of the cyclic additive group G_1.
NM randomly selects S_NM ∈ Z_q^* as its master private key and computes the corresponding public key PK_NM = S_NM P.

Registration Phase
We rely on pseudonyms as the privacy-preserving tool. C usually has enough storage to hold a large pool of pseudonyms preloaded by NM; the storage issue of preloaded anonymous keys (pseudonyms) is addressed in [32]. Our scheme requires a pool of short-lived pseudonyms (each with an expiry date), so the memory consumption stays within the bounds reported in [32]. This approach is used by several existing models and has proven efficient, especially in wireless environments.
NM then provides a list of pseudonyms (pseudo identities, pseudo-IDs) to C and generates the partial secret keys of AP and C, respectively, as in [28] with some modifications in the registration phase.

The Client C Registration
C, with identity ID_C ∈ {0,1}^l, picks a random x_C ∈ Z_q^* as its secret value, computes its public key PK_C = x_C P, and sends (ID_C, PK_C) to NM, which first checks the validity of C's identity. If ID_C is genuine, NM picks a family of unlinkable pseudo-IDs PID_C = {pid_c1, pid_c2, ...}, each with a specified validity period. NM then generates a secret random number r_c ∈ Z_q^* and computes P_C = r_c P.
For each pseudo-ID pid_cj ∈ PID_C, NM computes the secret value

$$S_C = \left(r_c + H_1(pid_{cj}, PK_C, P_C) \cdot S_{NM}\right) \bmod q$$

and sets C's partial private key to S_NM · H_1(S_C). NM sends all the tuples (S_NM · H_1(S_C), P_C, S_C P) back to C over a secure channel. C can then validate its partial secret key by checking, for each pid_cj ∈ PID_C, that

$$S_C P = P_C + H_1(pid_{cj}, PK_C, P_C) \cdot PK_{NM},$$

which holds because S_C P = r_c P + H_1(pid_cj, PK_C, P_C) · S_NM P. The full private key of C, known to C only, is (x_C, S_NM · H_1(S_C)). C can thus change its pseudo-ID pid_cj within the validity period to achieve identity privacy in the mutual authentication process with AP.

Application Provider AP Registration
Similarly, AP with identity ID_AP ∈ {0,1}^l picks x_AP ∈ Z_q^* as its secret key, computes its public key PK_AP = x_AP P, and sends (ID_AP, PK_AP) to NM. NM chooses a random r_AP ∈ Z_q^*, computes P_AP = r_AP P and S_AP = (r_AP + H_1(ID_AP, PK_AP, P_AP) · S_NM) mod q.
NM then sets AP's partial private key to S_NM · H_1(S_AP) and sends (S_NM · H_1(S_AP), P_AP, S_AP P) to AP secretly (e.g., over a secure transport protocol). AP verifies the correctness of S_AP by checking that S_AP P = P_AP + H_1(ID_AP, PK_AP, P_AP) · PK_NM holds, and keeps this value. Likewise, AP sets its full private key to (x_AP, S_NM · H_1(S_AP)).
In the above registration process, NM attaches an expiry date to each pid_cj ∈ PID_C, so every partial private key is valid only until a specified date. Expired partial secret keys are discarded automatically, and NM issues fresh ones with a new validity date. With this key management approach, the key material held by C can be damaged, hacked, or stolen without seriously compromising the security of the system. Moreover, we avoid the key and certificate management of a traditional PKI while still providing user revocation.
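The registration check above, as an added worked example that is not part of the paper: the code below implements NM's computation of S_C = (r_c + H_1(pid_cj, PK_C, P_C) · S_NM) mod q and C's verification S_C P = P_C + H_1(pid_cj, PK_C, P_C) · PK_NM on a toy short-Weierstrass curve over F_p (a_1 = a_2 = a_3 = 0 in Equation (1)), using the discriminant of Equation (2), the chord-and-tangent group law, and the [k]P operation whose inversion is the ECDLP of Problem 2. The field F_1009, the search for a prime-order curve, the SHA-256-based H_1 and the pseudo-ID string are assumptions made for illustration; the partial private key S_NM · H_1(S_C) is not derived, because the page does not specify the group in which H_1(S_C) lives, so the tuple C receives is reduced to (P_C, S_C P).

```python
# Added example (not the paper's code): the client registration check of the proposed
# scheme, S_C P == P_C + H1(pid, PK_C, P_C) PK_NM, run on a toy short-Weierstrass curve
# over F_p. The curve, field size and SHA-256-based H1 are assumptions for illustration.
import hashlib
import secrets

FP = 1009     # constructed toy prime field; real deployments use ~256-bit fields
INF = None    # point at infinity, identity of the additive group G1

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def discriminant(a1, a2, a3, a4, a6, mod):
    """Discriminant of y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6 (Eqs. (1), (2))."""
    d2, d4, d6 = a1 * a1 + 4 * a2, 2 * a4 + a1 * a3, a3 * a3 + 4 * a6
    d8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return (-d2 * d2 * d8 - 8 * d4 ** 3 - 27 * d6 * d6 + 9 * d2 * d4 * d6) % mod

def add(P1, P2, a):
    """Chord-and-tangent group law on y^2 = x^3 + a x + b over F_p."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return INF                                   # P + (-P)
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, P1, a):
    """[k]P by double-and-add; the ECDLP (Problem 2) is recovering k from P and [k]P."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P1, a)
        P1, k = add(P1, P1, a), k >> 1
    return R

def curve_order(a, b):
    """#E(F_p) by brute force: infinity plus the affine (x, y) solutions."""
    n = 1
    for x in range(FP):
        rhs = (x ** 3 + a * x + b) % FP
        n += 1 if rhs == 0 else 2 if pow(rhs, (FP - 1) // 2, FP) == 1 else 0
    return n

def find_prime_order_curve(a=1):
    """Search b until y^2 = x^3 + a x + b is nonsingular with prime order q, so any
    affine point generates G1 and scalars live in Z_q as in the paper."""
    for b in range(1, FP):
        if discriminant(0, 0, 0, a, b, FP) == 0 or not is_prime(curve_order(a, b)):
            continue
        for x in range(FP):
            rhs = (x ** 3 + a * x + b) % FP
            if pow(rhs, (FP - 1) // 2, FP) == 1:
                y = next(y for y in range(FP) if y * y % FP == rhs)
                return a, b, curve_order(a, b), (x, y)
    raise RuntimeError("no suitable toy curve found")

A, B, Q, GEN = find_prime_order_curve()

def h1(pid, PK_C, P_C):
    """H1: {0,1}* -> Z_q^*, assumed to be SHA-256 over the encoded inputs, reduced mod q."""
    digest = hashlib.sha256(f"{pid}|{PK_C}|{P_C}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def keypair():
    """(secret scalar, secret * P): NM's (S_NM, PK_NM) or C's (x_C, PK_C)."""
    k = secrets.randbelow(Q - 1) + 1
    return k, mul(k, GEN, A)

def nm_register(s_nm, pid, PK_C):
    """NM side for one pseudo-ID: P_C = r_c P and S_C = (r_c + H1(pid, PK_C, P_C) S_NM) mod q.
    Returns what C receives, (P_C, S_C P); the scalar S_C itself stays with NM."""
    r_c = secrets.randbelow(Q - 1) + 1
    P_C = mul(r_c, GEN, A)
    S_C = (r_c + h1(pid, PK_C, P_C) * s_nm) % Q
    return P_C, mul(S_C, GEN, A)

def client_verify(PK_NM, pid, PK_C, P_C, S_C_P):
    """C's check S_C P == P_C + H1(pid, PK_C, P_C) PK_NM, true because
    S_C P = r_c P + H1 * (S_NM P)."""
    return S_C_P == add(P_C, mul(h1(pid, PK_C, P_C), PK_NM, A), A)

def demo(tamper=False):
    """One registration round; tamper=True alters the delivered S_C P in transit."""
    s_nm, PK_NM = keypair()
    _x_c, PK_C = keypair()
    P_C, S_C_P = nm_register(s_nm, "pid_c1", PK_C)
    if tamper:
        S_C_P = add(S_C_P, GEN, A)     # any change breaks the linear relation
    return client_verify(PK_NM, "pid_c1", PK_C, P_C, S_C_P)
```

demo() returns True and demo(tamper=True) returns False: any alteration of S_C P in transit (or of P_C, whose value is bound into H_1) breaks the linear relation, which is exactly what the client-side check detects. The check only validates what NM sent; it is x_C, which never leaves C, that keeps a curious NM from holding C's full private key (x_C, S_NM · H_1(S_C)).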

Authentication Phase
The focus here is a secure mutual authentication scheme between C and AP that ascertains their identities and so protects the privacy of the physiological data during communication. The steps of the authentication process between C and AP, depicted in Figure 3, are as follows.
(1) C picks a random unused pseudo-ID pid_cj and its corresponding partial private key S_NM · H_1(S_C).
(2) C chooses a random α ∈ Z_q^*, computes U_C = x_C P, and derives a session verifier V_C = (U_C)^α.
(3) C computes the signature σ_C = H_2(M_C) · S_NM H_1(S_C) and sends the request Req = {M_C, σ_C, V_C} to AP, with Δt the valid transmission delay computed by C.
(4) On receiving Req at time t_2, AP first checks the expiry date in pid_cj. If it is valid, AP checks the freshness of t_1 by verifying that t_2 − t_1 ≤ Δt. If t_1 is fresh, AP uses the public parameters params to verify C's signature σ_C by checking whether Equation (3) holds.
We thereby obtain explicit mutual authentication between a legitimate C and AP. Our solution additionally offers one-sided anonymous identity validation for C. After a successful authentication, AP and C can also set up a symmetric cryptosystem for subsequent data exchange; each data exchange session is uniquely identified by (pid_cj, ID_AP).

Security Analysis
We now examine the security of the proposed scheme against the requirements stated in the security assumption subsection. We show that our scheme provides secure mutual authentication between C and AP, anonymity for C, leaked-key security, unlinkability, and resistance to impersonation attacks. Moreover, the aggregated values in our solution hide the individual records they accumulate, which strengthens the privacy of each C's data. We first recall the Decisional Bilinear Diffie-Hellman (DBDH) assumption in the random oracle model.

Definition (DBDH assumption):
The bilinear decisional Diffie-Hellman (BDDH) problem is, given g, g^x, g^y, g^z for unknown random x, y, z ∈_R Z_p and an element T ∈_R G_T, to decide whether T = e(g, g)^{xyz} or T is a random element of the target group. The (t, ε)-BDDH assumption holds in G if no algorithm running in time t solves the BDDH problem with probability at least 1/2 + ε for non-negligible ε.
Anonymity: Each C obtains from NM, during registration, a set of pseudo-identities pid_cj ∈ PID_C and the related partial secret key S_NM · H_1(S_C). These pseudo-identities, rather than C's real identity, provide strong privacy protection: no involved entity, not even AP, can identify C or link different transactions launched by the same C, except NM. In practice, C sends a fresh request Req = {M_C, σ_C, V_C} to AP each time. The request depends on the secret values (x_C, α) and on the pseudo-ID pid_cj, which change with every authentication process C initiates with AP. Only C can compute V_C = (U_C)^α and σ_C = H_2(M_C) · S_NM H_1(S_C), since these values require both the secret values (x_C, α) and the partial private key S_NM H_1(S_C). An attacker, NM included, would have to solve the underlying CDH problem to compute V_C: it would need U_C = x_C P and then V_C = (U_C)^α for unknown random secrets x_C and α, which contradicts the CDH assumption. Therefore, C is anonymous and cannot be impersonated in our scheme, and the scheme guarantees data anonymity and the indistinguishability of the aggregated values under chosen-plaintext attack, based on the BDDH assumption in the random oracle model.
Mutual Authentication: The client's signature σ_C = H_2(M_C) · S_NM H_1(S_C) is in fact a signature bound to a pseudo-identity. Forging a genuine signature without prior access to the secret values S_C = (r_c + H_1(pid_cj, PK_C, P_C) · S_NM) mod q and U_C = x_C P is therefore impracticable under the assumed hardness of the Diffie-Hellman problem in G_1, and it is equally hard to deduce the partial private key S_NM H_1(S_C) from pid_cj and PK_NM. Similarly, an attacker without AP's partial private key S_NM · H_1(S_AP) and secret values U_AP = x_AP P and β cannot produce a legitimate authentication code auth_1.
Further, an adversary cannot compute auth_2 and verify the equation auth_2 = auth_1, since that would require solving CDH (Problem 1) as described above. Furthermore, only a legitimate C and AP can compute L_C = L_AP = V_C · V_AP, owing to the randomness and secrecy of U_C and U_AP respectively. Our scheme therefore achieves a secure authentication process between C and AP.
Unlinkability: Recall that C uses a different pseudo-identity pid_cj ∈ PID_C in each authentication process with an AP, and only NM knows the relation between a pseudo-identity and C's real identity. Hence, apart from NM and C, no entity can identify C or relate different authentication processes launched by the same C.
Leaked key security: As described in Section 3, our scheme derives a distinct random session key each time C initiates an authentication process with AP, owing to the random choice of the secret values α, β, x_AP, x_C ∈ Z_q^* by C and AP. An attacker holding a used key therefore has only a negligible chance of compromising subsequent sessions.
Impersonation attack: To impersonate C or AP, an adversary would have to generate correct values of auth_1 and auth_2, respectively, which is practically infeasible as explained under mutual authentication above. Further, an AP cannot produce a correct client signature σ_C = H_2(M_C) · S_NM H_1(S_C) and V_C in the request, since it has access to neither S_C nor x_C; otherwise C detects the attack when verifying auth_1. Likewise, an adversary that intercepts the message M_C = pid_cj || h_C2 || t_1 and tries to impersonate AP has a negligible chance of success because of the CDH assumption (see the mutual authentication paragraph). The performance analysis section compares the security features of our scheme with the related works [7][8][9].
Data Aggregation: The aggregated values in our solution hide each individual value, which strengthens the privacy of a single C compared with the related works [7][8][9]. To obtain this aggregation feature, we designed a modified additively homomorphic IBE scheme derived from the Boneh-Franklin IBE cryptosystem [33]. Its security proof rests on the BDDH assumption in the random oracle model (see the security analysis above). This cryptosystem [33] is appropriate for our setting (small sensor readings) and yields both data aggregation and batch authentication.
Our modified IBE scheme has four algorithms. We use groups G_1, G_2 of prime order q, a generator P of G_1, and a bilinear map e: G_1 × G_1 → G_2 such that e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G_1 and all a, b ∈ Z_q^*, and e(P, Q) ≠ 1_{G_2} for non-identity P, Q ∈ G_1 (non-degeneracy).

Setup: NM randomly picks a master private key (msk) S_NM ∈ Z_q^* and computes the related public encryption key PK_NM = S_NM · P. NM then chooses a hash function H_1 and the message space {0, . . . , l − 1} ⊆ Z_q^* with l = p(n) < q for some polynomial p; the cipher-text space is C = G_1^* × G_2.

Extract(PK_NM, msk, pid_ci): NM sets k = S_NM · P and outputs SK_{pid_ci} = S_NM · H_1(pid_ci) together with k.

Dec(PK_NM, SK_{pid_ci}, C_{m,pid_ci}): AP parses C_{m,pid_ci} as (c_1, c_2), computes m* = c_2 / e(SK_{pid_ci}, c_1) and recovers m = log_P(m*). The correctness of our modified IBE rests on log_P(m*) = log_P(c_2 / e(SK_{pid_ci}, c_1)).

We show that our proposed homomorphic cryptosystem is additive in the message space by multiplying cipher texts:

C_1 × C_2 = (P^{b+b'}, P^{−(m+m')} · e(H_1(pid_ci), k)^{b+b'}) = Enc(PK_NM, pid_ci, m + m' mod q).

Note that the two disadvantages that come along with our modified additively homomorphic IBE scheme (i.e., the limited message capacity and the discrete logarithm computation needed to decrypt the data) are acceptable in many practical areas and especially in the e-Care system. Therefore, they do not affect the performance of our proposed solution. Table 2 shows clearly that our scheme is a good candidate to address the security shortcomings in the related works [7][8][9][29].
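As an added illustration (not code from the paper), the following Python models the homomorphic layer of the modified IBE in the exponent: the pairing e(aP, bQ) = e(P, Q)^{ab} is replaced by g^{ab} in a prime-order subgroup of Z_p^*, so H_1(pid) becomes an exponent h, PK_NM = g^s, SK_pid = h·s mod q, and e(H_1(pid), k)^b becomes (g^s)^{hb}. The message is encoded as g^m (the paper writes P^{−m}; only the sign convention differs), cipher texts aggregate by componentwise multiplication, and decryption ends with a baby-step giant-step discrete log bounded by l, which is where the limited message capacity shows: an aggregate at or above l decrypts to None. All parameters are constructed toy values, not the experimental ones.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (not a secure size): safe prime p = 2q + 1, and
# g = 4 is a quadratic residue mod p, so it generates the subgroup of order q.
P_MOD, Q_ORD, G = 10007, 5003, 4
L_MAX = 2000  # message space {0, ..., l - 1} with l = L_MAX < q, as in Setup

def h1(pid: str) -> int:
    """Models H_1(pid) in G_1 as a non-zero exponent in Z_q (assumption)."""
    return 1 + int.from_bytes(hashlib.sha256(pid.encode()).digest(), "big") % (Q_ORD - 1)

def setup():
    """NM picks msk S_NM and publishes PK_NM = S_NM * P, here g^s."""
    s = 1 + secrets.randbelow(Q_ORD - 1)
    return s, pow(G, s, P_MOD)

def extract(msk: int, pid: str) -> int:
    """SK_pid = S_NM * H_1(pid); in the exponent model that is h * s mod q."""
    return (h1(pid) * msk) % Q_ORD

def enc(pk_nm: int, pid: str, m: int):
    """(c1, c2) = (g^b, g^m * K^b), where K = g^{hs} stands for e(H_1(pid), k)."""
    if not 0 <= m < L_MAX:
        raise ValueError("message outside the bounded message space")
    b = 1 + secrets.randbelow(Q_ORD - 1)
    k_pid = pow(pk_nm, h1(pid), P_MOD)  # computable from public PK_NM and pid
    return pow(G, b, P_MOD), (pow(G, m, P_MOD) * pow(k_pid, b, P_MOD)) % P_MOD

def aggregate(cts):
    """NM-side aggregation: the componentwise product is Enc(sum of m_i mod q)."""
    c1, c2 = 1, 1
    for a, b in cts:
        c1, c2 = (c1 * a) % P_MOD, (c2 * b) % P_MOD
    return c1, c2

def dec(sk_pid: int, ct):
    """m* = c2/e(SK_pid, c1) = g^m; m = log_g(m*) by BSGS, None if it left [0, L_MAX)."""
    c1, c2 = ct
    gamma = (c2 * pow(pow(c1, sk_pid, P_MOD), -1, P_MOD)) % P_MOD  # m*
    step = math.isqrt(L_MAX) + 1
    baby = {pow(G, j, P_MOD): j for j in range(step)}
    giant = pow(pow(G, step, P_MOD), -1, P_MOD)  # g^{-step}
    for i in range(step):
        if gamma in baby:
            m = i * step + baby[gamma]
            return m if m < L_MAX else None
        gamma = (gamma * giant) % P_MOD
    return None
```

Because aggregation is additive only modulo q, the receiver has to know that the sum of the readings stays below l; the None return makes that overflow visible instead of silently yielding a wrong reading.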

Performance Analysis
We describe the performance analysis of our proposed solution in comparison with related works [7][8][9]. First, our scheme provides batch authentication between different clients C and AP, which efficiently reduces the communication and computation cost. Upon receiving an access request from C, AP checks the authenticity of the message's signature in order to ascertain the related C (as described in Section 3). Further, our scheme provides batch authentication, i.e., an AP can securely verify at the same time different message requests from various Cs with the help of NM. Thus, each C_i sends its message request {M_Ci, σ_Ci, V_Ci} to NM, which collects and forwards them as aggregated data to AP. Therefore, upon receiving n distinct message requests denoted {M_C1, σ_C1, V_C1}, {M_C2, σ_C2, V_C2}, {M_C3, σ_C3, V_C3}, . . . , {M_Cn, σ_Cn, V_Cn} from n different clients denoted C_1, C_2, C_3, . . . , C_n, with their respective signatures σ_C1, σ_C2, σ_C3, . . . , σ_Cn, AP checks the correctness of this equation:

This data aggregation support at the NM side of our model has significant practical advantages for sensor networks. It efficiently keeps down the communication cost between C and AP and strengthens the privacy protection of a single C_i. Our proposed solution reduces the amount of transmitted data by sending one aggregated value (almost the size of a single report) instead of distinct individual message requests. Furthermore, this data aggregation feature hides each accrued single value, which enforces the privacy preservation of a single C compared to related works [7][8][9], and [29].
Based on this data aggregation and batch authentication support, the computing cost that AP needs to validate n signatures consists largely of n point multiplications and two pairing calculations. Thus, the time required for AP to authenticate a large number of signatures from distinct Cs is clearly reduced. Therefore, it reduces the transmission loss proportion attributable to a possible bottleneck of digital signature authentication at the AP side. Recall that this batch verification operation has great merit for a limited power environment like WBAN.
For efficiency purposes, the multiprecision integer and rational arithmetic cryptographic library (MIRACL) [34] and the cost-efficient pairing based cryptography (PBC) library are used in the experiments of our proposed solution to yield a 1024-bit security level. The experimental platforms are PCs with different computational power: a Pentium(R) Dual-Core E6700 CPU 3.20 GHz, 4 GB RAM, and a 64-bit Intel®, 624 MHz processor, and 128 MB memory, to simulate AP and C, respectively. In the experiment, G_1 and G_2 are represented by 160, 161, and 960 bits, respectively, and pid_cj, Timestamp, and ID_AP by 32 bits. A Miyaji-Nakabayashi-Takano (MNT) curve is implemented with 160 bits and k = 6, denoting the order in Z_q^* and the embedding degree, respectively. The performance evaluation is based on the experimental conclusions of related work [8] shown in Table 3. We focus on computations with expensive calculation costs, like modular exponentiation (TSM), ECSM (TSM), hashing to a point in G_1 (TGH), and bilinear pairing (TP) operations. Therefore, a computing time-based comparison with the existing related models is given in Table 4. Note that the computation cost is one point multiplication for both AP and C, plus two and one pairing calculations, respectively. Recall that the computing cost of a pairing function is much higher than that of a multiplication calculation. Since the client C may be a limited device, this low computation cost is a significant advantage of our scheme compared to the related work [7].
Based on the analysis in Table 4, we can highlight the efficiency of our scheme in the clear reduction of computation and communication costs for verifying n different signatures (batch authentication) from multiple clients at AP, which consists of only n point multiplications and two pairing calculations. We also reduce the computation cost of C, which is a resource-limited device, in comparison to Wang and Zhang's model. This result is a desirable attribute for constrained power environments like WBAN.

Conclusions
This work presents a novel batch mutual authentication cryptosystem between the WBAN controller/client C and an application provider AP. The proposed solution strengthens the security level of the cryptosystem by providing batch authentication and data aggregation support. We keep the data transmission and computing overheads of C and AP low using lightweight ECC and efficient cryptographic pairing tools. Additionally, our solution needs only two handshakes between C and AP, without the key certificate management of a conventional asymmetric cryptography environment (PKI). Furthermore, our scheme efficiently provides an additively homomorphic IBE operation, in which a given AP can securely compute aggregated values from various WBAN clients. Our scheme reinforces privacy protection and reduces the running time on the client side, which is a great benefit for limited devices in environments like WBAN. In future work, we will further improve the performance and security level by designing a lightweight additively homomorphic IBE scheme with auxiliary input to address side-channel attacks at the end user's side.