A Secure and Efficient Authentication Scheme with Privacy Protection for Internet of Medical Things

Abstract

The Internet of Medical Things represents a pivotal application of Internet of Things technology in Healthcare 4.0, offering substantial practical benefits in enhancing medical quality, reducing costs, and minimizing errors. In history, researchers have proposed numerous privacy-preserving authentication schemes to safeguard Internet of Medical Things applications. Nevertheless, due to design shortcomings, existing solutions still encounter significant security and performance challenges, rendering them impractical for real-world use. To resolve the issue, this work introduces a novel practical Internet of Medical Things-based smart healthcare system, leveraging a pairing-free certificateless signature scheme and hash-based message authentication code. Through formal security proofs under standard cryptographic assumptions, and performance analysis, our scheme demonstrates enhanced security while maintaining desirable computational and communication efficiency.

1. Introduction

The Internet of Things (IoT) builds a dynamic interactive intelligent network platform by seamlessly connecting numerous intelligent sensing devices, embedded systems, and the Internet. It not only realizes real-time data collection, transmission, and collaborative processing between devices, but also promotes revolutionary application scenarios in smart home, industrial automation, smart city, and medical health. The Internet of Medical Things (IoMT) emerges as a critical application subset within this framework, where healthcare devices/applications are intricately integrated with healthcare IT systems to furnish patients with high-quality health services. According to recent market insights from Grand View Research, the global IoMT market is anticipated to exceed USD 658.57 billion by 2030 [1], propelled by innovations in wearable technology, remote patient monitoring, and AI-driven diagnostics. This significant growth trajectory highlights the transformative impact of IoMT on healthcare in the Healthcare 4.0 era, promoting proactive disease management and the implementation of tailored treatment strategies [2].

In typical IoMT application environments, such as wireless body area networks and wireless medical sensor networks, wearable or implanted sensors on the human body capture vital health metrics, including blood oxygen saturation, temperature, heart rate, and respiratory rate [3,4]. Due to the constrained resources of these sensor devices, the gathered data are transmitted to a remote medical cloud server (MCS) for storage and subsequent analysis. Subsequently, healthcare providers can retrieve the patient’s health information (PHI) from the MCS to deliver prompt medical interventions.

Normally, PHI is frequently transmitted across inherently insecure public networks, such as the internet and wireless channels, where it faces a spectrum of security risks that compromise both its integrity and confidentiality. For example, during transmission, PHI may suffer from inadvertent or malicious tampering, leading to altered medical records or distorted diagnostic images. Such modifications can mislead healthcare providers into making clinically erroneous decisions. Beyond integrity threats, PHI inherently contains highly sensitive personal data. Unauthorized disclosure of this information, whether through eavesdropping, data breaches, or insufficient access controls, carries severe privacy repercussions [5,6]. For example, the harm from health data leakage may include financial fraud, identity theft, and reputational damage, leading to discrimination or stigma, and can also affect physical and mental well-being. It is said that healthcare breaches are the costliest of any industry, with average costs per incident reaching approximately USD 7.42 million in 2025. Breaches specifically involving IoMT average even higher, at an estimated USD 10 million per attack [7]. Therefore, these integrity and confidentiality risks underscore the critical need for robust privacy-preserving authentication frameworks to protect PHI.

Throughout the history of IoMT security research, numerous privacy-preserving authentication schemes have been proposed to ensure data integrity and authenticity [8]. Early implementations primarily rely on two kinds of cryptographic mechanisms, namely, public key infrastructure (PKI) and identity-based cryptography (IBC) [9,10]. However, both mechanisms exhibit inherent limitations in resource-constrained IoT applications. In particular, PKI-based systems demand substantial overhead for key certificate management, such as certificate issuance, distribution, update, and revocation, which are expensive for medical sensors. Meanwhile, an IBC system can address the certificate management problem. However, it suffers from the key escrow problem, where a key generation center (KGC) knows both the private and public keys of the user. In [9], Kumar et al. designed an escrow-free identity-based aggregated signcryption scheme for IoMT. They used an interactive system key generation method to address the key escrow problem. However, their design lacks formal security analysis, and the heavyweight bilinear pairing and map-to-point hash operations are unfriendly to resource-constrained medical sensors.

To eliminate the key management and key-escrow problems, a pivotal advancement emerged when the concept of certificateless cryptography (CLC) was introduced in [11]. The CLC paradigm redefines key generation by splitting user keys into two components, namely, a partial secret derived from a KGC and a user-generated private value. By eliminating both certificate management burdens and key escrow vulnerabilities, CLC strikes an optimal balance between security and efficiency. This also makes CLC an ideal cryptographic system for deployment in resource-limited IoMT applications.

1.1. Related Work and Motivation

Prior to that, to protect data integrity and confidentiality at the same time, many CLC-based privacy-preserving authentication schemes have been constructed for IoMT environments. Liu et al. [12] designed an RSA-based certificateless signcryption (CLSC) scheme for healthcare applications. Such a scheme can merge the digital signature and encryption operations into a single logical step. However, their computational and communication costs pose a performance challenge for resource-constrained sensor devices. Subsequently, some new CLSC schemes were proposed one after another, such as [13,14,15,16]. Considering the significant increase in the number of sensors in IoMT, the traditional mode of verifying signcrypted messages one by one can easily lead to network congestion. To this end, researchers have proposed a number of certificateless aggregate signcryption (CLASC) schemes that support batch signcryption verification, which have become a critical path for optimizing communication efficiency in IoMT scenarios [15,16,17,18,19,20,21,22]. However, these solutions still have some shortcomings in terms of security and performance.

In addition to signcryption construction, in [23], Chang et al. introduced a new IoMT-based smart healthcare system (SHS) on the basis of a homomorphic certificateless signature (CLS) scheme and a hash-based message authentication code (HMAC) [24]. Compared to the conventional CLS scheme, their homomorphic CLS scheme can achieve public verifiability, i.e., allowing internal or external entities to check the integrity of data without knowing the actual PHI data stored in MCS [9]. Meanwhile, the HMAC construction can encrypt the PHI by using only XOR and hash operations, which are quite lightweight. However, in [25], Xu et al. demonstrated that the design in [23] cannot resist signature forgery attacks by public key replacement attackers. In particular, such an attack allows the attacker to extract the signer’s full private key, thereby compromising the basic data integrity guarantee. To address the issue, Xu et al. proposed a security-enhanced CLS scheme and designed a new IoMT-based SHS. However, using theoretical analysis methods, their design still has security vulnerabilities. More concretely, in their design, each biomedical sensor encrypts its encrypted data to a personal-assisted device (PAD), which then signs the data and further sends the data–signature pair to an MCS for subsequent processing. In this process, the PAD does not know the actual PHI data. However, in real-world environments, it cannot detect whether this encrypted data has been unintentionally or maliciously tampered with during transmission. Note that once the data integrity is compromised, the patient may receive incorrect medical services, causing significant health risks. In summary,

Table 1. Feature comparison of our design with related work.

Scheme	F1	F2	F3	F4	F5	F6	F7
[9]	√	√	√	−	−	√	×
[10]	×	×	√	−	×	√	×
[17]	√	√	√	√	√	√	×
[18]	√	√	×	×	√	×	√
[20]	√	√	×	×	√	√	×
[16]	√	√	×	×	√	×	×
[23]	√	√	×	×	√	×	×
[25]	√	√	×	√	√	√	√
Ours	√	√	√	√	√	√	√

F: feature; F1: address key management problem; F2: address key-escrow problem; F3: achieve data integrity; F4: resist public key replacement attack; F5: resist malicious-but-passive KGC attack; F6: achieve data confidentiality; F7: without expensive pairing/exponentiation operation. √ or ×: A property is achieved/exists or not; −: not mentioned.

compares the features of several related works. Therefore, there still exists a research gap for an IoMT-based SHS that provides both data integrity and confidentiality assurance.

In view of this, this work aims to answer the following research question: Can we design a practical IoMT-based SHS that can simultaneously protect data integrity and confidentiality?

1.2. Contribution

To answer the above research question, we mainly design a practical IoMT-based SHS. The scheme overview is shown in Section 3. The main contributions are as follows:

• We design a new IoMT-based SHS based on a new pairing-free CLS signature and the ChaCha20-Poly1305 algorithm. Our solution achieves data integrity and privacy protection throughout the entire process from data generation to data usage.
• We formally prove the security of our design based on standard cryptographic assumptions in the random oracle (RO) model.
• Through comparative evaluation with existing research, we assess the efficacy of our proposed scheme. The results show that our solution has ideal computational and communication costs while ensuring high security, making it suitable for resource-constrained IoMT applications.

1.3. Road Map

The structure of the remaining paper is as follows: We revisit required preliminaries in Section 2. Section 3 presents our new IoMT-based SHS with related security proofs. Section 4 evaluates its performance, and Section 5 ends the paper.

2. Preliminaries

We introduce some preliminaries in this section, including general symbols, the elliptic curve discrete logarithm problem (ECDLP), and the ChaCha20-Poly1305 algorithm.

2.1. Symbols

Some symbols are described in

Table 2. Symbols.

Symbols	Descriptions
$\zeta$	System security parameter
$(\alpha ,P{K}_{kgc})$	Master private/public key of the system
$ppa$	Public parameters of the system
$I{D}_i$	Identity of entity i, $i\in \{BMS,PAD\}$
$k_{cp1}/k_{cp2}$	Key of ChaCha20-Poly1305
$k_i$	A random authentication key
$({S{K}_{ID}}_i,{P{K}_{ID}}_i)$	PAD’s full private–public key pair
t	Timestamp
$c_j$	Ciphertext for $m_j$
${\tau }_j/{\tau }_j^{\prime }$	ChaCha20-Poly1305-related tag for $m_j$
$\sigma$	Signature on M

.

2.2. ECDLP

Let G be a q-order cyclic elliptic curve group and P be a generator of G. Given $\alpha P\in G$ for some unknown $\alpha \in Z_q^{*}$, the ECDLP’s goal is to find $\alpha$.

2.3. ChaCha20-Poly1305

ChaCha20-Poly1305 [26] is an authenticated encryption algorithm that combines the ChaCha20 stream cipher for confidentiality and the Poly1305 message authentication code for integrity and authenticity. It is a fast, secure, and efficient symmetric-key algorithm used in protocols like Transport Layer Security and Secure Shell to protect data. At a high level, ChaCha20-Poly1305 consists of three algorithms:

• CP.KeyGen: Given a security parameter $\zeta$, the algorithm returns a 32-byte key $k_{cp}$.
• CP.Enc-Auth: Given a message $m\in {\{0,1\}}^{*}$, a 12-byte random nonce $iv$, an a variable length associate data $t\in {\{0,1\}}^{*}$, and the key $k_{cp}$, the algorithm returns a ciphertext c and a 16-byte tag $\tau$.
• CP.Verify: Given the key $k_{cp}$, ciphertext c, tag $\tau$, nonce $iv$, and associate data t, the algorithm returns a message m or ⊥ indicating decryption failure.

We refer the readers to [26] for a detailed description of the ChaCha20-Poly1305.

3. The Proposed IoMT-Based SHS

To illustrate the IoMT-based SHS, similar to prior work [9,23,25], we consider one patient as a concrete example. As depicted in Figure 1, five core entities interact within the system: The KGC mainly builds the system and issues the partial private key to the PAD. Wearable/implantable biomedical sensors (BMSs), with constrained resources, continuously collect PHI. During System Setup, each BMS securely obtains two ChaCha20-Poly1305 keys from the PAD and SD, respectively, which it subsequently uses for PHI encryption and authentication. This process can be achieved through authenticated key-exchange protocols [27], which is beyond the scope of the work. Acting as a data aggregator, the PA receives encrypted PHI from multiple BMSs, checks the data integrity, signs the “compressed” ciphertext, and transmits the validated data to a MCS. On the healthcare provider side, the SD authorizedly access stored PHI through MCS to deliver healthcare services to the patient.

In the following, we will introduce the detailed implementation of our proposed SHS, which integrates a new CLS scheme with a secure ChaCha20-Poly1305 mechanism (using algorithms (CP.KeyGen, CP.Enc-Auth, CP.Verify)), whose specifications are given in Section 2.3.

3.1. System Setup

The KGC sets up the system by generating the required system parameters. PAD and SD interact with KGC, respectively, to establish their public–private key pairs. Without loss of generality, we assume that a PAD is linked to n BMSs. Algorithm 1 provides a detailed description of the phase.

Algorithm 1 System Setup.

1: Given a security parameter $\zeta$, the KGC sets a system master key $\alpha \in {\mathbb{Z}}_q^{*}$ at random and public parameters $ppa=\{\mathbb{G},P,q,P{K}_{kgc},H_i\}$. Specifically, $\mathbb{G}$ is a q-order cyclic group, P is a generator of $\mathbb{G}$, and $P{K}_{kgc}=\alpha P$. In addition, $H_i:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$, $i=1,2,\dots ,3$ are cryptographic hash functions. 2: To generate a public–private key pair, the PAD with identity $I{D}_i$ picks a secret value $x_i\in {\mathbb{Z}}_q^{*}$ at random and calculates $X_i=x_{i}P$. It provides KGC with $(I{D}_i,X_i)$. Then, the KGC picks $r_i\in {\mathbb{Z}}_q^{*}$ at random, calculates $R_i=r_{i}P$, $h_{1i}=H_1(I{D}_i,X_i,R_i,P_{kgc})$, $d_i=r_i+\alpha h_{1i}$, and sends $D_i=(d_i,R_i)$ to the PAD as its partial private key. After checking the correctness of $d_i$ by verifying $d_{i}P=R_i+h_{1i}{P}_{kgc}$, the PAD sets its private key $S{K}_i=(x_i,d_i)$ and public key $P{K}_i=(X_i,R_i)$. 3: For j-th BMS, the PAD executes CP.KeyGen($\zeta$) to generate a symmetric private key $k_{cp1j}$. The SD also executes CP.KeyGen($\zeta$) to generate the symmetric private key $k_{cp2j}$. Then, $(k_{cp1j},k_{cp2j})$ are securely stored in the non-volatile memory of the j-th BMS.

3.2. Data Flow from BMS to PAD

This part describes how the BMS sends its collected data to the PAD. Assuming that $m_j$ is the PHI gathered by BMS_j, $1\le j\le n$, at time t, Algorithm 2 provides a detailed description of the phase.

Algorithm 2 BMS-to-PAD data sharing.

1: For $m_j\in {\{0,1\}}^{\zeta }$, BMSj randomly picks 12-byte $i{v}_{1j},i{v}_{2j}\in {\{0,1\}}^{*}$, calculates $(c_{1j},{\tau }_{1j})=\mathsf{CP}.\mathsf{Enc}-\mathsf{Auth}(k_{cp2j},m_j,i{v}_{2j},t)$, where (associate data) t is a timestamp. For $M_j=(c_{1j},{\tau }_{1j})$, BMSj further computes $(c_{1j}^{\prime },{\tau }_{1j}^{\prime })=\mathsf{CP}.\mathsf{Enc}-\mathsf{Auth}(k_{cp1j},M_j,i{v}_{1j},t)$ and sets $M_j^{\prime }=(c_{1j}^{\prime },{\tau }_{1j}^{\prime })$. 2: Send $\{I{D}_j,t,M_j^{\prime },i{v}_{1j},i{v}_{2j}\}$ to PAD for further processing.

3.3. Data Flow from PAD to MCS

For each received item $\{I{D}_j,t,M_j^{\prime },i{v}_{1j},i{v}_{2j}\}$ with regard to BMS_j, the PAD first checks and confirms its validity. Then, it generates a signature $\sigma$ for messages sent by n BMSs, and sends the message–signature pair to the MCS for subsequent processing. Note that in this phase, the PAD does not access the actual PHI as the transmitted message component $M_j$ is securely maintained in encrypted format. Algorithm 3 shows the phase.

Algorithm 3 PAD-to-MCS data sharing.

1: Check and decrypt $M_j=\mathsf{CP}.\mathsf{Verify}(k_{cp1j},M_j^{\prime },i{v}_{1j},t)$ for $1\le j\le n$. 2: For $M_1,M_2,\dots ,M_n$, the PAD calculates $M=H_2(M_1,M_2,\dots ,M_n)$. It randomly picks $u_i\in {\mathbb{Z}}_q^{*}$ and calculates $U_i=u_{i}P$ and $h_{3i}=H_3(M,I{D}_i,P{K}_i,U_i,t)$. Then, it computes $V_i=u_i+h_{3i}(x_i+d_i)$ and sets ${\sigma }_i=(U_i,V_i)$ as the signature. 3: Send the item $\{I{D}_i,{\{I{D}_j,M_j,i{v}_{2j}\}}_{j=1}^n,t,{\sigma }_i\}$ to MCS for storage.

3.4. Data Access

To facilitate patient-specific medical services utilizing data aggregated by the MCS, the SD must securely access authenticated and encrypted PHI data $\{I{D}_i,{\{I{D}_j,M_j,i{v}_{2j}\}}_{j=1}^n,t,{\sigma }_i\}$. The operational workflow for this phase is defined in Algorithm 4.

Algorithm 4 Data access.

1: The SD downloads the data $\{I{D}_i,{\{I{D}_j,M_j,i{v}_{2j}\}}_{j=1}^n,t,{\sigma }_i\}$ from the MCS. 2: Compute $M=H_2(M_1,M_2,\dots ,M_n)$, $h_{i2}=H_2(I{D}_i,X_i,R_i,P_{kgc})$, and $h_{3i}=H_3(M,I{D}_i,P{K}_i,U_i,t)$. 3: Use the equation $V_{i}P=U_i+h_{3i}(X_i+R_i+h_{1i}{P}_{kgc})$ to check the validity of ${\sigma }_i$. The correctness: $$\begin{array}{cc}\hfill V_{i}P& =(u_i+h_{3i}(x_i+d_i))P=u_{i}P+h_{3i}(x_i+d_i))P\hfill \\ & \hfill =U_i+h_{3i}(x_{i}P+d_{i}P)=U_i+h_{3i}(X_i+R_i+h_{1i}{P}_{kgc}).\end{array}$$ The SD stops the verification if ${\sigma }_i$ is invalid; otherwise, it operates as follows. 4: Check and decrypt $m_j=\mathsf{CP}.\mathsf{Verify}(k_{cp2j},M_j,i{v}_{2j},t)$ for $1\le j\le n$.

3.5. Security Proof

Now, we prove the security of our IoMT-based SHS. Note that our design consists of an underlying CLS scheme and the ChaCha20-Poly1305 algorithm. For the CLS scheme, two types of adversaries should be considered, namely, a public-key replacement attacker (called a Type 1 adversary) and a malicious-but-passive KGC (called a Type 2 adversary). In particular, a Type 1 attacker knows a target user’s secret value. However, the adversary cannot access the user’s partial private key. In addition, a Type 2 attacker knows the KGC’s private key but cannot know the target user’s secret value. For more security definitions and security models, we refer the readers to [28] for details.

Theorem 1. 

In the RO model, if the underlying CLS scheme and ChaCha20-Poly1305 algorithm are secure, then our IoMT-based SHS is secure.

Proof. 

This theorem demonstrates that if an attacker exists who can compromise the security of our SHS, then another attacker must exist who can break either the underlying CLS scheme or the ChaCha20-Poly1305 algorithm. As ChaCha20-Poly1305 algorithm is specified in RFC 7539, we omit its security analysis. Given this in mind, the proof for our theorem incorporates the demonstrations detailed in Theorems 2–4. □

Theorem 2. 

Our underlying CLS scheme is secure against a Type 1 adversary if the ECDLP is hard.

Proof. 

This theorem demonstrates that if a Type 1 adversary ${\mathcal{A}}_1$ compromises the underlying CLS scheme, then it must be possible to construct an adversary $\mathcal{B}$ that can solve the ECDLP. Now, ${\mathcal{A}}_1$ and $\mathcal{B}$ perform the following:

• Step-1: $\mathcal{B}$ runs as System Setup to obtain system parameters $ppa=\{\mathbb{G},P,q,P{K}_{kgc},H_i\}$, where $P_{kgc}=\alpha P$ for some unknown $\alpha \in {\mathbb{Z}}_q^{*}$. It then sends $ppa$ to ${\mathcal{A}}_1$. For simplicity, let $I{D}_i^{*}$ be ${\mathcal{A}}_1$’s target identity. During the forgery game, ${\mathcal{A}}_1$ keeps a series of lists as defined below to record the query results. In the initial stage, these lists are empty.
• Step-2: In this stage, $\mathcal{B}$ responds to ${\mathcal{A}}_1$’s adaptive queries as below.
  $H_1$-Query: When an $H_1$ query is received from ${\mathcal{A}}_1$ for $(I{D}_i,X_i,R_i,P_{kgc})$, if the item $(I{D}_i,X_i,R_i,P_{kgc},h_{1i})$ exists in the list $L_{H_1}$, $\mathcal{B}$ returns $h_{1i}$ to ${\mathcal{A}}_1$. Otherwise, $\mathcal{B}$ picks $h_{1i}\in {\mathbb{Z}}_q^{*}$ at random, inserts $(I{D}_i,X_i,R_i,P_{kgc},h_{1i})$ to $L_{H_1}$, and responds $h_{1i}$ to ${\mathcal{A}}_1$.
  $H_3$-Query: For an $H_3$ query on $(m_i,I{D}_i,P{K}_i,U_i,t_i)$, if the item $(m_i,I{D}_i,P{K}_i,U_i,t_i,h_{3i})$ exists in the list $L_{H_3}$, $\mathcal{B}$ returns $h_{3i}$ to ${\mathcal{A}}_1$. Otherwise, $\mathcal{B}$ randomly picks $h_{3i}\in {\mathbb{Z}}_q^{*}$, inserts $(m_i,I{D}_i,P{K}_i,U_i,t_i,h_{3i})$ to the list, and responds $h_{3i}$ to ${\mathcal{A}}_1$.
  Secret value-Query: ${\mathcal{A}}_1$ can issue such query on $I{D}_i$. $\mathcal{B}$ searches the tuple $(I{D}_i,x_i,X_i)$ from the list $L_{sv}$ and provides it to ${\mathcal{A}}_1$. Otherwise, $\mathcal{B}$ selects $x_i\in {\mathbb{Z}}_q^{*}$ at random, stores $(I{D}_i,x_i,X_i)$ to $L_{sv}$, and responds $x_i$ to ${\mathcal{A}}_1$.
  Partial private key-Query: ${\mathcal{A}}_1$ can issue such query regarding $I{D}_i$. If $I{D}_i=I{D}_i^{*}$, $\mathcal{B}$ reports failure. Otherwise, $\mathcal{B}$ finds the tuple $(I{D}_i,d_i,R_i)$ from the list $L_{ppk}$ and then responds it to ${\mathcal{A}}_1$. Note that if $(I{D}_i,d_i,R_i)$ does not exist in $L_{ppk}$ and the tuple $(I{D}_i,X_i,R_i,P_{kgc},h_{1i})$ does not exist in $L_{H_1}$, $\mathcal{B}$ selects $d_i,h_{1i}\in {\mathbb{Z}}_q^{*}$ at random, computes $R_i=d_{i}P-h_{1i}{P}_{kgc}$, and sets $h_{1i}=H_2(I{D}_i,X_i,R_i,P_{kgc})$. $\mathcal{A}$ updates lists $L_{H_1}$ and $L_{ppk}$ and returns $(I{D}_i,d_i,R_i)$ to ${\mathcal{A}}_1$.
  Public key-Query: Once $\mathcal{B}$ receives ${\mathcal{A}}_1$’s query on $I{D}_i$ ($I{D}_i=I{D}_i^{*}$), $\mathcal{B}$ checks if $(I{D}_i,x_i,X_i,d_i,R_i)$ exists in the list $L_{key}$. If it exists, $\mathcal{B}$ returns $(X_i,R_i)$. Otherwise, $\mathcal{B}$ runs as Secret value-Query and Partial private key-Query to generate and update $(I{D}_i,x_i,X_i,d_i,R_i)$, and then returns $(X_i,R_i)$.
  Public key replacement-Query: Once $\mathcal{B}$ receives a query for the tuple $(I{D}_i,P{K}_i,P{K}_i^{\prime })$ from ${\mathcal{A}}_1$, $\mathcal{B}$ searches the tuple $(I{D}_i,P{K}_i)$ from the list $L_{key}$ and replaces it with $(I{D}_i,\perp ,X_i^{\prime },d_i,R_i)$.
  Signing-Query: For ${\mathcal{A}}_1$’s query on $(m_i,I{D}_i)$, $\mathcal{B}$ performs as below. If $I{D}_i\ne I{D}_i^{*}$, $\mathcal{B}$ scans the lists to obtain the required parameters and runs as Signing to generate a signature ${\sigma }_i=(U_i,V_i)$ as the response. Otherwise, $\mathcal{B}$ picks $h_{1i}$, $h_{3i},V_i\in {\mathbb{Z}}_q^{*}$ at random, sets $U_i=V_{i}P-h_{3i}(X_i+R_i+h_{1i}{P}_{kgc})$, and returns ${\sigma }_i=(U_i,V_i)$.
• Step-3: Eventually, ${\mathcal{F}}_1$ either admits failure or returns its forgery ${\sigma }_i^{*}=(U_i^{*},V_i^{*})$ on $m_i^{*}$.

If in the case that ${\sigma }_i^{*}$ is a valid forgery under $(I{D}_i^{*},m_i^{*})$, the verification equation $V_i^{*}P=U_i^{*}+h_{3i}^{*}(X_i^{*}+R_i+h_{1i}^{*}{P}_{kgc})$ holds. By applying the forking lemma in [29], $\mathcal{B}$ replays ${\mathcal{A}}_1$ with the same random tape, but provides two distinct values of $H_1$ hash. ${\mathcal{A}}_1$ can output another valid signature ${\sigma }_i^{*}=(U_i^{*},V_i^{{*}^{\prime }})$. Hence, we have $V_i^{{*}^{\prime }}P=U_i^{*}+h_{3i}^{*}(X_i^{*}+R_i+h_{1i}^{{*}^{\prime }}{P}_{kgc})$. Therefore, $\mathcal{B}$ calculates $\alpha =(V_i^{*}-{V_i^{*}}^{\prime }){\left(h_{3i}^{*}(h_{1i}^{*}-h_{1i}^{{*}^{\prime }})\right)}^{-1}$ as a solution to the ECDLP. □

Theorem 3. 

Our underlying CLS scheme is secure against any Type 2 adversary if the ECDLP is hard.

Proof. 

This theorem demonstrates that if a Type 2 adversary ${\mathcal{A}}_2$ compromises the underlying CLS scheme, then it must be possible to construct an adversary $\mathcal{B}$ that can solve the ECDLP. Now, ${\mathcal{A}}_2$ and $\mathcal{B}$ perform the following:

• Step-1: $\mathcal{B}$ runs as System Setup to obtain system parameters $ppa=\{\mathbb{G},P,q,P{K}_{kgc},H_i\}$, where $P_{kgc}=\alpha P$ and $\alpha \in {\mathbb{Z}}_q^{*}$. It then sends $(ppa,\alpha )$ to ${\mathcal{A}}_2$. For simplicity, let $I{D}_i^{*}$ be ${\mathcal{A}}_2$’s target identity. During the forgery game, ${\mathcal{A}}_2$ keeps a series of lists as defined below to record the query results. In the initial stage, all lists are empty.
• Step-2: In this phase, $\mathcal{B}$ responds to ${\mathcal{A}}_2$’s adaptive queries. The queries $H_1$-Query, $H_3$-Query, Public key replacement-Query, and Signing-Query are the same as in the proof of Theorem 2.
  Secret value-Query: ${\mathcal{A}}_2$ can issue the secret value query on $I{D}_i$. If $I{D}_i=I{D}_i^{*}$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ searches the tuple $(I{D}_i,x_i,X_i)$ from the list $L_{sv}$ and returns it to ${\mathcal{A}}_2$. Otherwise, $\mathcal{B}$ selects $x_i\in {\mathbb{Z}}_q^{*}$ at random, stores $(I{D}_i,x_i,X_i)$ to $L_{sv}$, and responds $x_i$ to ${\mathcal{A}}_2$.
  Partial private key-Query: For ${\mathcal{A}}_2$’s query on $I{D}_i$, $\mathcal{B}$ operates as the following: If $I{D}_i=I{D}_i^{*}$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ checks $L_{sv}$ to find $(I{D}_i,x_i,X_i)$, picks $h_{1i},r_i\in {\mathbb{Z}}_q^{*}$ at random, computes $R_i=r_{i}P$, and sets $d_i=r_i+\alpha h_{1i}$ and $h_{1i}=H_1(I{D}_i,X_i,R_i,P_{kgc})$. Then, it inserts $(I{D}_i,x_i,X_i,d_i,R_i)$ and $(I{D}_i,X_i,R_i,P_{kgc},h_{1i})$ to lists $L_{key}$ and $L_{H_1}$, respectively, and returns $D_i=(d_i,R_i)$ to ${\mathcal{A}}_2$.
  Public key-Query: Once $\mathcal{B}$ receives ${\mathcal{A}}_1$’s query on $I{D}_i$, $\mathcal{B}$ performs the steps as below. If $I{D}_i\ne I{D}_i^{*}$, $\mathcal{B}$ runs as Secret value-Query and Partial private key-Query to obtain and update $(I{D}_i,x_i,X_i,d_i,R_i)$, and then returns $(X_i,R_i)$. Otherwise, $\mathcal{B}$ first sets $x_i=\perp ,X_i=\beta P$ for some unknown $\beta \in {\mathbb{Z}}_q^{*}$, and operates as Partial private key-Query to generate $D_i=(d_i,R_i)$. Then, $\mathcal{B}$ records the item $(I{D}_i,\perp ,X_i,d_i,R_i)$ to $L_{key}$ and returns $(X_i,R_i)$.
• Step-3: Eventually, ${\mathcal{F}}_1$ either admits failure or returns its forgery ${\sigma }_i^{*}=(U_i^{*},V_i^{*})$ on $m_i^{*}$.

If in the case that ${\sigma }_i^{*}$ is a valid forgery under $(I{D}_i^{*},m_i^{*})$, the verification equation $V_i^{*}P=U_i^{*}+h_{3i}^{*}(X_i^{*}+R_i+h_{1i}^{*}{P}_{kgc})$ holds. By applying the forking lemma in [29], $\mathcal{B}$ replays ${\mathcal{A}}_2$ with the same random tape, but provides two distinct values of $H_3$. ${\mathcal{A}}_1$ can output another valid signature ${\sigma }_i^{*}=(U_i^{*},V_i^{{*}^{\prime }})$. Hence, we have $V_i^{{*}^{\prime }}P=U_i^{*}+h_{3i}^{{*}^{\prime }}(X_i^{*}+R_i+h_{1i}^{*}{P}_{kgc})$. Therefore, $\mathcal{B}$ obtains two independent equations satisfying $V_i^{*}=U_i^{*}+h_{3i}^{*}(\beta +d_i)$ and $V_i^{{*}^{\prime }}=U_i^{*}+h_{3i}^{{*}^{\prime }}(\beta +d_i)$ [30]. Therefore, $\mathcal{B}$ can compute the value of $\beta$, which is a solution to the ECDLP. □

Theorem 4. 

Our SHS achieves privacy preservation if the underlying ChaCha20-Poly1305 algorithm is secure.

Proof. 

To protect the privacy of PHI data, in our design, each BMS adopts a widely used ChaCha20-Poly1305 algorithm to encrypt data. As fully analyzed by Bellare et al. in [31], this encrypt-then-MAC paradigm provides both privacy and integrity. In particular, the privacy property inherently implies the security of indistinguishability under chosen-ciphertext attacks. We omit the rigorous proof here for simplicity. □

4. Performance Evaluation

This section presents a comparative performance analysis of our proposed SHS, benchmarking its computational and communication costs against prior art solutions detailed in studies [9,19,23,25].

The proposed SHS system consists of four sequential phases: System Setup (A), BMS-to-PAD data sharing (B), PAD-to-MCS data sharing (C), and SD’s data access (D). As stage A can be executed once during the offline phase to complete the establishment of system parameters and entity registration, we will omit the performance comparison for this stage.

4.1. Computational Costs Comparison

To evaluate the computational efficiency of these schemes, we set up a benchmark experiment for testing several cryptographic operations. More concretely, a Raspberry Pi 3B+ device simulates the BMS, while a PC equipped with a 2.5 GHz Intel Core i5-13400 processor and 16 GB RAM simulates the PAD and SD. In particular, to test related cryptographic operations, the secp256k1 curve defined by $E:y^2=x^3+ax+bmodq$ is used for schemes based on the elliptic curve cryptography (ECC), where the prime q is 32 bytes and $a,b\in {\mathbb{Z}}_q^{*}$. To achieve the same security level (i.e., about 128 bit), for schemes, we leverage the bilinear pairing $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_T$, ${\mathbb{G}}_1$ is a $\overline{q}$-order group constructed on a BLS12-381 curve $\widehat{E}:y^2=x^3+4 mod \overline{p}$, where primes $\overline{p}$ and $\overline{q}$ are 48 bytes and 32 bytes, respectively.

For ease of presentation, the time cost for one pairing operation, modular exponentiation operation, pairing-related point multiplication operation, pairing-related point addition operation, ECC-related point multiplication operation, ECC-related point addition operation, map-to-point hash, and a general hash are denoted by the symbols $bp$, $e.bp$, $pm.bp$, $pa.bp$, $pm.ec$, $pa.ec$, $mtp$, and h, respectively. We also use $cp.enc$ and $cp.ver$ to denote encryption and decryption operations related to Chacha20-Poly1305 algorithm, respectively. Specifically, omitting the lightweight XOR operation, the running times for these different operations are presented in

Table 3. Cryptographic operations with their time costs (in ms).

Symbols	$\mathit{bp}$	$\mathit{e}.\mathit{bp}$	$\mathit{pm}.\mathit{bp}$	$\mathit{pa}.\mathit{bp}$	$\mathit{pm}.\mathit{ec}$	$\mathit{pa}.\mathit{ec}$	$\mathit{mtp}$	h	$\mathit{cp}.\mathit{enc}$	$\mathit{cp}.\mathit{ver}$
Time (BMS side)	6790.140	107.585	120.192	0.340	24.948	0.630	56.986	0.013	7.546	7.533
Time (PAD/SD side)	408.935	22.082	6.870	0.023	1.851	0.044	3.499	0.001	0.720	0.691

.

In phase B of our design, BMS_j needs to compute two encryption operations to obtain $M_j^{\prime }$. Hence, the time cost for this phase is $2cp.enc=15.092$ ms. In the next phase, the PAD executes n encryption operations and one general hash operation to check the validity of $M_j^{\prime }$ and obtain M. Then, to generate a signature $\sigma$ on M, it computes one ECC-related point multiplication and one general hash operation. Hence, the total cost of this phase is $pm.ec+2h+2$$cp.enc=0.691n+1.853$ ms. In phase D, the SD executes one general hash to check M. Then, it computes two general hash, three ECC-related point multiplication, and three point addition operations to verify $\sigma$. After that, it computes n decryption operations to obtain $m_j$. Therefore, the total cost of this phase is $3pm.ec+3pa.ec+3h+2$$cp.enc=0.691n+5.688$ ms. Similarly, we calculate the computational costs of the schemes [9,19,23,25], and the results are provided in

Table 4. Computational cost comparison (in ms).

Scheme	B	C	D
[9]	$bp+pm.bp+2mtp+3h$ $\approx 7024.343$	$h+pm.bp$$\approx 6.871$	$3bp+npm.bp+2(n-1)pa.bp+(n+1)h$ $\approx 6.917n+1226.76$
[19]	$3pm.bp+2pa.bp+3h$ $\approx 361.295$	−	$(4n+1)pm.bp+(4n-3)pa.bp+3nh$ $\approx 27.575n+6.801$
[23]	h$\approx 0.013$	$(n+1)e.bp+(n+1)pm.bp+mtp$ $\approx 28.952n+32.451$	$ne.bp+(n+1)pm.bp+3bp+2mtp+h$ $\approx 28.952n+1240.674$
[25]	h$\approx 0.013$	$pm.ec+3h$$\approx 1.854$	$4pm.ec+3pa.ec+(n+4)h$ $\approx 0.001n+7.54$
Ours	2$cp.enc$ $\approx 15.092$	$pm.ec+2h+n$$cp.ver$ $\approx 0.691n+1.853$	$3pm.ec+3pa.ec+3h+n$$cp.ver$ $\approx 0.691n+5.688$

.

As presented in the table, in phase B, compared to the schemes in [9,19], the computational cost of all other schemes, including ours, is the same and quite lightweight. For example, compared with the scheme in [9], our computational efficiency is 465 times higher. To better analyze the cost in phases C and D, we visually present the numerical results in Figure 2. As can be seen from Table 4 and Figure 2, in phase C, the computational overheads of schemes [9,25] are both constant, namely, 6.871 ms and 1.854 ms. The cost is positively correlated with the number of BMS n in both [23] and our design. Nevertheless, our solution still achieves a very low computational cost. For example, consider a patient utilizing 50 BMSs (we believe that this quantity is sufficient): the execution times of our proposal and the scheme in [23] are $0.118$ ms and $36.403$ ms, respectively. At this point, even compared to the most efficient scheme in [25], the gap between our two solutions is acceptable. Also note that, compared to the scheme in [25], our solution can achieve higher security. In phase D, the computational cost of all schemes increases linearly with the size of n. As can be seen from Table 4, the computational cost of our solution is lower than that of solutions [9,19,23], but higher than that of solution [25]. For example, when $n=50$, the time cost of our solution is 40.238 ms, while such a cost for remaining schemes are 1572.61 ms, 1385.551 ms, 2688.274 ms, and 7.59 ms. The above analysis indicates that our proposal achieves ideal computational cost while ensuring enhanced security.

4.2. Communication Costs Comparison

We will quantitatively evaluate the communication overhead of our SHS against four prior works in [9,19,23,25] regarding phases B, C, and D. According to the curve parameters mentioned earlier, elements in ${\mathbb{Z}}_{\overline{q}}^{*}$, ${\mathbb{G}}_1$, ${\mathbb{Z}}_q^{*}$, and $\mathbb{G}$ occupy 48 bytes, 32 bytes, 32 bytes, and 64 bytes, respectively [25]. Cryptographic operations employ SHA-256 as the foundational hash function, producing 32-byte digests. We assume that the message is 20 bytes. Auxiliary fields include 4-byte timestamps and 4-byte identity markers [32]. We exclude the cost of the message as it is the same in all schemes. In phase B of our design, the BMS_j sends $\{I{D}_j,t,M_j^{\prime },i{v}_{1j},i{v}_{2j}\}$ to the PAD, where $M_j^{\prime }=(c_{1j}^{\prime },{\tau }_{1j}^{\prime })$. In this process, $I{D}_{bms}$ is the identity and t is the timestamp. Both $i{v}_{1j}$ and $i{v}_{2j}$ are 12-byte nonce. $c_{1j}^{\prime }$ and ${\tau }_{1j}^{\prime }$ are the outputs of the ChaCha20-Poly1305 algorithm. Therefore, the cost is $4+4+20+12+12+16=$ 68 bytes.

In the next phase, the PAD sends the tuple $\{I{D}_i,{\{I{D}_j,M_j,i{v}_{2j}\}}_{j=1}^n,t,{\sigma }_i\}$ to the MCS, where $I{D}_i$ is PAD’s identity and the signature $\sigma =(U_i,V_i)$. In this regard, the cost is $4+(4+20+12)n+4+32+64=(36n+104)$ bytes.

Next, in phase D, the SD downloads the tuple $\{I{D}_i,{\{I{D}_j,M_j,i{v}_{2j}\}}_{j=1}^n,t,{\sigma }_i\}$ from the MCS to obtain the encrypted PHI data for further processing. Hence, the communication cost is quantified as $(36n+104)$ bytes. For comprehensive evaluation, we further count the designs in [9,19,23,25] and present the numerical results in Figure 3.

As presented in Figure 3a, the cost of our design in phase B is lower than the schemes in [9,19,23,25]. In the meantime, Figure 3b reveals that the communication expense of each scheme in phases C and D exhibits a linear growth relative to the number of messages transmitted. Among the compared schemes, our proposed scheme is the most efficient in terms of communication cost scalability in phases C and D. For example, when $n=50$, the cost for our scheme is 3468 bytes, while the costs of other schemes [9,19,23,25] are 7444 bytes, 5220 bytes, 3532 bytes, 3644 bytes, and 1904 bytes, respectively. In particular, compared to these recent works, the percentage range of our performance improvement is from ${\displaystyle \frac{3532-1904}{3532}}\approx 46.1\%$ to ${\displaystyle \frac{7444-1904}{7444}}\approx 74.4\%$.

In summary, it is evident that our proposed system not only has ideal computational efficiency but also maintains the lowest overheads. Consequently, it is well suited for IoMT-based SHS.

5. Conclusions

In this paper, we explored the security and privacy issue of IoMT applications. To address the shortcomings in security and performance of existing work, we proposed a new IoMT-based SHS based on a new pairing-free CLS signature and the ChaCha20-Poly1305 algorithm. Our solution can achieve data integrity and privacy protection throughout the entire process from PHI data generation to data usage. We proved the security of our design based on standard cryptographic assumptions in the RO model. We evaluated the performance of our solution by comparing it with relevant work. The results show that our solution has ideal computational and communication costs while ensuring high security, making it suitable for resource-constrained IoMT applications.

Similar to many existing approaches, the private keys of entities in our scheme are used throughout the entire system lifecycle. This limitation lies in the absence of countermeasures for key compromise scenarios. Therefore, building an efficient key update mechanism to achieve forward security is still an open research question. In addition, designing an IoMT-based SHS that is more resource-efficient for sensors with severe resource constraints is also one of our future research interests.