A Multi-Message Multi-Receiver Signcryption Scheme with Edge Computing for Secure and Reliable Wireless Internet of Medical Things Communications

Thanks to recent advancements in biomedical sensors, wireless networking technologies, and information networks, traditional healthcare methods are evolving into a new healthcare infrastructure known as the Internet of Medical Things (IoMT). It enables patients in remote areas to obtain preventative or proactive healthcare services at a cheaper cost through the ease of time-independent interaction. Despite the many benefits of IoMT, the ubiquitously linked devices pose significant security and privacy concerns for patient data. In the literature, several multi-message and multi-receiver signcryption schemes have been proposed that use traditional public-key cryptography, identity-based cryptography, or certificateless cryptography methods to securely transfer patient health-related data from a variety of biomedical sensors to healthcare professionals. However, certificate management, key escrow, and key distribution are all complications with these methods. Furthermore, in terms of IoMT performance and privacy requirements, they are impractical. This article aims to incorporate edge computing into an IoMT with secure deployment, employing a multi-message and multi-receiver signcryption scheme to address these issues. In the proposed method, certificate-based signcryption and hyperelliptic curve cryptography (HECC) have been coupled for excellent performance and security. The cost study confirms that the proposed scheme is better than the existing schemes in terms of computational and communication costs.


Introduction
The Internet of Medical Things (IoMT) is an emerging paradigm in the IoT sub-marketplace that can group all medical devices and applications over the Internet to collect, examine, and exchange physiological data of patients [1]. Figure 1 depicts the general architecture of the IoMT system, which includes a number of biomedical sensors, special embedded devices and wireless technologies. The biomedical sensors are used in IoMT settings to collect patient data such as breathing rate, blood pressure, chest noise, body temperature, electrocardiogram (ECG), and patient location. Likewise, patient data can then be examined through special embedded devices such as computers, smartphones, and smartwatches [2]. Short-range wireless technologies such as Bluetooth Low Energy (BLE), Wi-Fi, and Zigbee, among others, can be used to communicate collected and examined data. The special embedded devices (controllers) can be further linked to cloud servers using the Fifth Generation (5G) wireless connection for high storage and intense data processing. The collected data from the patient monitoring sensors are usually too large to be handled by the local server. It requires a high level of storage and computational capabilities. Fortunately, the emerging 5G mobile networking architecture includes a Multiaccess Edge Computing (MEC) facility. When MEC is used in an IoMT system, it provides high storage and intense processing capabilities. The healthcare professionals can access the cloud server to review the health information and provide the patient with the appropriate assistance. In addition, when any medical indicators of the patient appear irregular, healthcare professionals will immediately contact the patient to provide guidance and medical examinations [3][4][5][6]. Furthermore, patient data can be stored in the health information system as electronic health records, which are accessible to medical practitioners when patients visit the hospital.
On the one hand, the IoMT system provides several benefits, but on the other hand, the widespread use of linked devices over an open wireless channel raises significant security and privacy concerns [7][8][9][10]. In addition, most biomedical devices have limited computational resources and, as a result, fail to perform conventional cryptographic operations. To address these flaws, an integrated scheme known as "signcryption" can be employed [11][12][13]. Signcryption is a public key cryptographic scheme that performs both encryption and digital signature operations at the same time. It is much more efficient and cost-effective than the alternative, i.e., performing the encryption and digital signature individually. In addition, the Multi-message and Multi-receiver Signcryption (MMSC) method is an extension of the signcryption scheme in which multiple messages are transmitted in one ciphertext to multiple receivers [14]. The use of the multicast channel will speed up the communication process; however, the basic security features such as confidentiality, unforgeability and anonymity should be maintained.
To provide the aforementioned security attributes, several Multi-message and Multi-receiver Signcryption (MMSC) schemes [15][16][17][18][19][20][21] have been proposed by using Public Key Infrastructure (PKI)-based cryptography [22], Identity (ID)-based cryptography [23] or Certificateless (CL)-based cryptography [24]. However, the conventional PKI-based MMSC schemes suggested in [15,16] suffer from a heavy burden of certificate management. In addition, the ID-based MMSC scheme introduced in [17] imposes the key escrow issue, while the heterogeneous ID-based and CL-based MMSC schemes implemented in [18,19] pose the key distribution problem. The CL-based MMSC schemes introduced in [20,21] bring about the key distribution problem. The schemes proposed in [15][16][17][18][19][20][21] either have poor performance in terms of computation cost or fail to meet the security requirements. In general, the proposed schemes are based on mathematical models that employ bilinear pairing or Elliptic Curve Cryptography (ECC), both of which have been proven to impose significant computational and communication burdens. In contrast to these two methods, Hyper Elliptic Curve Cryptography (HECC) is a lightweight cryptosystem, which provides the same level of security as ECC and bilinear pairing with a smaller key size. In HECC, the key size is 80 bits, whereas ECC requires a key size of 160 bits.

Contributions
This article proposes a Multi-message Multi-receiver Signcryption (MMSC) scheme in a certificate-based setting. The proposed scheme is based on the concept of HECC, which is an enhanced version of the ECC that provides the same level of security as ECC and bilinear pairing with a smaller key size. Some of the key features that distinguish the contributions of our research in this work are as follows:

• Firstly, for an IoMT system, a multi-message and multi-receiver signcryption scheme has been proposed. In multicast channels under the Random Oracle Model (ROM), the proposed scheme guarantees confidentiality, unforgeability, and receiver anonymity.
• Secondly, for encryption and signature authentication, the proposed scheme makes use of hyperelliptic curve cryptography.
• Thirdly, we introduce a 5G architecture for IoMT with an edge computing facility.
• Finally, a thorough comparative analysis is performed to assess the performance of the proposed scheme. The findings show that the proposed scheme is more efficient in terms of computation and communication costs than its counterpart schemes.

Organization of the Paper
The article is structured as follows. The related work is discussed in Section 2. The preliminaries are clarified in Section 3. The network model, threat model and syntax are provided in Section 4. The proposed scheme is provided in Section 5. Security analysis is carried out in Section 6. In Section 7, a performance comparison is carried out. Finally, the concluding ideas are included in Section 8.

Related Work
In this section, we examine and evaluate current MMSC schemes in terms of their research aims, security requirements, and computational and communication overheads.
In 2017, a heterogeneous MMSC scheme for ad hoc networks was proposed by Wang et al. [25]. In heterogeneous forms, the suggested scheme achieves a two-way signcryption that can move between PKI cryptography and IBC. Wang et al.'s [25] scheme uses PKI and IBC and thus creates an unavoidable key escrow issue as well as PKI certificate management burdens. Additionally, bilinear pairing is inefficient in terms of computation and communication costs due to the costly pairing operations. Niu et al. [18] implemented a heterogeneous MMSC signature later in the same year that can move from IBC under the ROM to certificateless cryptography. Unfortunately, Niu et al.'s scheme suffers from problems such as private key distribution and key escrow. Furthermore, the scheme's efficiency is based on bilinear pairing, which is not suitable for IoMT systems due to the high computation cost.
Gao et al. [20] proposed an efficient and practical certificateless signcryption scheme for wireless body area networks. The scheme is based exclusively on the widely used RSA cryptosystem and does not involve bilinear pairing. RSA is not suitable for IoMT because, like bilinear pairing, it is computationally costly. Pang et al. [26] constructed an anonymous MMSC scheme under the ROM. The proposed scheme aimed to remove the issue encountered during the distribution of the partial private key. However, the efficiency of the given scheme is again based on ECC, which is comparatively inefficient in terms of computation cost as opposed to HECC.
In 2019, Pang et al. [27] proposed an anonymous and efficient certificateless MMSC scheme. The authors aimed to eliminate the key escrow problem, which is commonly linked with IBC, as well as the certificate management problem, which is associated with PKI-based cryptography. However, the given scheme needs a secure channel for the distribution of partial private keys and therefore suffers from partial private key distribution problems. In 2019, Peng et al. [21] suggested a certificateless MMSC scheme using ECC. However, for the delivery of partial private keys, the scheme needs a secure channel. Finally, in 2020, Ming et al. [28] proposed an efficient anonymous certificate-based MMSC scheme for healthcare Internet of Things. The proposed method is based on ECC and employs certificate-based cryptography. It eliminates certificate management, key escrow, and key distribution issues, but, owing to ECC, it incurs high computational cost.
All of the schemes discussed above are based on computationally complex problems of ECC and bilinear pairing. In this paper, we propose a lightweight and secure MMSC scheme in a certificate-based setting using HECC. The HECC approach is suitable for the IoMT system since it facilitates small keys.

Preliminaries
This section includes some explanations about HEC and formal definitions as well as the notions used in the proposed scheme, which are illustrated in Table 1.

• Hyper Elliptic Curve: Suppose represents a non-finite field and * is an algebraic closure of . The following equation represents hyper elliptic curve ( ) over considering its solutions ( , ) belong to ⨯ , while ⩾ 1 is the genus.
: + ℎ( ) = ( ). Therefore, ℎ( ): a polynomial and belongs to ( ) having degree at most . ( ): represents a monic polynomial having degree is equal to 2 + 1. The points on further form a set called Jacobian, which is the quotient group = / , where represents zero-degree divisors and rational function-oriented divisors. Furthermore, each element of the Jacobian is represented as ( ) and can be denoted individually through a divisor =Ʃ , and represents a formal sum of points of * .
. is called HECDHP. , private key of sender and receivers 10 , public key of sender and receivers 11 , certificate of sender and receivers 12 , multi-cipher text and multi-plaintext 13 , encryption and decryption 14 multi-encryption and multi-decryption key

Network Model, Threat Model and Syntax
In this section, we will define the network model, threat model and syntax of the proposed scheme.

Network Model
The network model of the proposed certificate-based MMSC scheme consists of biomedical sensors, special embedded devices, ambulance, medical personnel, medical server, cloud computing/MEC server and wireless technologies (BLE, Wi-Fi and 5G), as shown in Figure 1. Biomedical sensors can monitor and extract patient physiological data, which can be further analyzed with special embedded devices, such as smartphones, smartwatches or even a special embedded unit. Each of the biomedical sensors and the special embedded devices is wirelessly linked through the short-range communication technology known as BLE.
Special embedded devices can be further linked to the cloud computing/MEC server via Wi-Fi and 5G mobile communication to provide access. In addition, the medical server claims to be a local computer-attached administrator, where hospital professionals can view electronic health records (EHRs) of patients. For future consultations, the EHR is kept safely on the storage server.

Threat Model
The threat model includes three games, which are played between a malicious agent/forger (ℳ /ℳℱ) and a challenger ζ [29]. The first game is played for confidentiality, i.e., indistinguishability against adaptive chosen multi-ciphertext attacks (IND-CBMMS-CCA). In this game, ℳ , with non-negligible advantage ϵ, wants to break the IND-CBMMS-CCA security of the proposed CBMMS. ζ selects a random number and Υ, then makes available to ℳ . Furthermore, ℳ selects ID * as a sender identity, ID * as receivers group identities, and two different sets of messages of the same length (m , m ). Further, ζ chooses ϱϵ{0,1} to determine which set of messages will be multi-signcrypted. For this game, ℳ asks queries such as ℋ (m ), Create Entity (ID ), Corrupt Entity (ID ), and multi-message multi-receiver signcryption, respectively.
The second game is played for unforgeability, i.e., existential unforgeability against adaptive chosen multi-message attacks (EUF-CBMMS-CMA). In this game, ℳℱ with ϵ can solve HECDLP with the help of ζ. ζ selects a random number and Υ, then makes available to ℳℱ. Furthermore, ℳℱ selects ID * as a sender identity and ID * as receivers group identities. For this game, ℳℱ asks queries such as ℋ (m ), Create Entity (ID ), Corrupt Entity (ID ), Multi-Message Multi-receiver Signcryption, and Multi-Message-Multi-receiver Un-signcryption, respectively. ℳℱ wins this game if it produces a solution to the HECDLP.
The third game concerns the anonymity property, i.e., anonymous indistinguishability under chosen multi-ciphertext attacks (ANON-CBMMS-CCA). In this game, ℳ , with non-negligible advantage ϵ, wants to break the ANON-CBMMS-CCA security of the proposed CBMMS. ζ selects a random number and Υ, then makes available to ℳ . Furthermore, ℳ selects a target identity set TGL and two different sets of messages of the same length (m , m ). Further, ζ chooses ϱϵ{0,1} to determine which set of messages will be multi-signcrypted. For this game, ℳ asks queries such as ( ), Create Entity ( ), Corrupt Entity ( ), and multi-message multi-receiver signcryption, respectively.
Note that the queries, such as ( ), Create Entity ( ), Corrupt Entity ( ), multi-message multi-receiver signcryption, and multi-message multi-receiver Un-signcryption, are defined clearly in Theorem 1, Theorem 2, and Theorem 3 of the security analysis section.

Syntax
The following six steps comprise the syntax for the proposed CBMMS [

. Set-Public-and-Private-Key:
An entity with identity computes as a private key and computes his/her public key as β .

Multi-message-Multi-receiver Signcryption:
A sender with identity ( ) can take ( , , , ) as an input and make a Multi-Message-Multi-receiver signcryption tuple .

6. Multi-message-Multi-receiver Un-signcryption:
Each recipient with identity ( ) can take the tuple for verification of a multi-signature and for recovering multi-encryption data.
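To make the signcryption and un-signcryption steps concrete, the following is an added sketch, not the paper's scheme or the authors' code. It assumes a toy multiplicative group in place of the hyperelliptic-curve Jacobian, a Schnorr-style signature, a SHA-256 keystream as the cipher, and no certificate step; all function names are hypothetical.

```python
import hashlib, hmac, json, secrets

# Assumption: a toy group Z_p* (p = 2^127 - 1, a Mersenne prime) stands in for
# the hyperelliptic-curve Jacobian. Illustrative only; far too small for real use.
P = 2**127 - 1
N = P - 1          # exponents are reduced mod p - 1 (Fermat's little theorem)
G = 3

def H(*parts):
    """SHA-256 over length-prefixed parts (ints below 2^128, or bytes)."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes(16, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def stream(key, data):
    """Toy stream cipher (assumption): XOR with a SHA-256 counter keystream."""
    return b"".join(xor(data[i:i + 32], H(key, i)) for i in range(0, len(data), 32))

def keygen():
    x = secrets.randbelow(N - 2) + 1
    return x, pow(G, x, P)

def signcrypt(sk_s, pk_s, receiver_pks, messages):
    r = secrets.randbelow(N - 2) + 1   # one nonce serves key agreement AND signature
    R = pow(G, r, P)
    session = secrets.token_bytes(32)
    body = stream(session, json.dumps(messages).encode())  # all messages, one body
    check = H(session, b"confirm")                         # key-confirmation tag
    # One wrapped session key per receiver; slots carry no receiver identity.
    slots = [xor(session, H(pow(pk, r, P), R)) for pk in receiver_pks]
    h = int.from_bytes(H(R, pk_s, body, check, *slots), "big") % N
    return R, slots, body, check, (r + h * sk_s) % N       # Schnorr-style s

def unsigncrypt(sk_r, pk_s, ct):
    R, slots, body, check, s = ct
    h = int.from_bytes(H(R, pk_s, body, check, *slots), "big") % N
    if pow(G, s, P) != R * pow(pk_s, h, P) % P:            # verify before decrypting
        raise ValueError("signature check failed")
    k = H(pow(R, sk_r, P), R)
    for slot in slots:                                     # find our slot by trial
        session = xor(slot, k)
        if hmac.compare_digest(H(session, b"confirm"), check):
            return json.loads(stream(session, body))
    raise ValueError("not an intended receiver")

if __name__ == "__main__":
    # Constructed sample data: one sensor hub, two clinicians, two readings.
    hub = keygen()
    doctors = [keygen(), keygen()]
    ct = signcrypt(*hub, [pk for _, pk in doctors], ["HR=72", "SpO2=98"])
    for sk, _ in doctors:
        print(unsigncrypt(sk, hub[1], ct))
```

The single nonce `r` is what makes this signcryption rather than sign-then-encrypt: it is spent once on the shared ephemeral value and reused in the signature, so the sender pays one fewer exponentiation per ciphertext.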

Proposed Scheme
The proposed scheme is described in detail in this section, which is made from the following six computational steps:  (2)

Security Analysis
This section contains the following three theorems for proving the three games, which are discussed in the threat model. . Further, chooses {0,1} to investigate which set of messages will be multi-signcryption and, in the user list , divorces the identity data associated with * . It fixed = * . Therefore, for the determination of multi-cipher text, it set = . Then, generates some value for and chooses , from {1,2,3,4, … … . , − 1}. Further, its stores the corresponding values in the user list that are ℋ . and ℋ . . Finally, sends a triple ( , , ) to ℳ . Consequently, the ℳ can ensue with the following queries, which are answered through .  Entity ( ) and generates ( , , ).
When the above query is finished successfully, then ℳ is decided upon ϱ. When is able to find the solution for a hyper elliptic curve discrete logarithm problem and determines ( , , , ) from ℋ , then ℳ will be able, with ϵ, to win this game.

1.
( ): maintains a list ℋ and initially stored and . Note that, for the hash of , the result is obtained as where (j=1,2,3). If the requested value is not existing in ℋ , then generates a new hash value for ℳℱ. The ℳℱ has access to ℋ .

Create Entity ( ):
If is not previously added in , then we define two conditions, which are: the first condition is if = * , then = * and chooses a random number for * . Further, it adds ( * , ⫝, * , * ) into and ( * , ⫝, * ) into ℋ . The second condition is if is not equal to * , then computes = ℓ.

Corrupt Entity ( ):
If the requested value for does not belong to , calls the Create Entity ( ) query to generate α and dispatches it to ℳℱ.

Multi-message-Multi-receiver Signcryption:
will stop further processing, if = * or = * , otherwise searches in , if the entry exists for and . If such entry does not exist in , then it calls Create Entity ( ) and generates ( , , ).

Multi-message-Multi-receiver Un-signcryption:
can check the validity of multi-ciphertext, which is basically generated by for and then it recovers the multiplaintext.
When the above query is finished successfully, then ℳℱ and will create their respective Multi-message-Multi-receiver Signcryption triples, which are ( , , ) and ( * , * ,, ). Therefore, we can obtain the following results [24]: . + . = * . + * . The ℳℱ can solve HECDLP with the probability of ℋ , and this means that our proposed scheme provides EUF-CBMMS-CMA security regarding unforgeability.
Therefore, the ℳ can solve HECDHP with the probability of ℋ and this means that our proposed scheme provides IND-CBMMS-CCA security regarding confidentiality.

Performance Comparison
In this section, we compare our scheme's communication and computation costs with those of three existing schemes, i.e., Pang et al. [20], Peng et al. [21] and Ming et al. [28], on the basis of the expensive mathematical operations used, such as Scalar Elliptic curve point Multiplication (SEM) and Scalar HyperElliptic curve divisor Multiplication (SHEM), to show its efficiency, security and superiority. Operations such as addition, division, subtraction, hashing, encryption and decryption are neglected because of their minimal numerical length. We consider the following kinds of operations for our comparative study.  Table 2. To calculate the efficiency of the proposed solution, the Multi-precision Integer and Rational Arithmetic C Library (MIRACL) [30] is used to test the runtime of simple cryptographic operations up to 1000 times.
The following specs are observed on a workstation: Intel Core i7-4510U Processor @ 2.0 GHz, 8 GB RAM and Windows 7 Home Standard 64-bit Operating System [31]. We compared our scheme with Pang et al. [20], Peng et al. [21] and Ming et al. [28] by considering the same settings, and the findings are shown in Tables 3-5. The time required for SHEM is 0.48 ms [32,33].
Moreover, the results of the comparative study with current equivalents show that, as seen in Figures 2 and 3, the new scheme has the lowest computation cost. In addition, as shown in Figure 4, the ciphertext size of our proposed scheme is smaller than that of the related existing schemes.

Conclusions
In the remote sharing of patient data, such as monitoring, treatment progression, diagnosis and consultation, the Internet of Medical Things (IoMT) plays a major role. Multiple biomedical sensors are ubiquitously linked with the Internet in IoMT, thereby offering seamless communication with effective usage of resources. However, because of the resource-constrained biomedical devices, traditional cryptographic approaches are not practical for the majority of IoMT implementations. Fortunately, the envisioned 5G mobile communication architecture includes an edge computing facility that can provide on-demand processing, computation, and storage. In this paper, we proposed a lightweight security scheme, called Multi-message and Multi-receiver Signcryption, that uses the hyperelliptic curve (HEC) principle together with certificate-based cryptography. The HEC solution is a reliable technique due to the small key size and therefore has huge potential for future IoMT applications. The formal security analysis using ROM confirms confidentiality, unforgeability, and receiver anonymity by the proposed scheme. Furthermore, after a comparison with the key existing schemes, the proposed scheme proved to be effective in terms of both the cost of computation and communication.