An Energy Efficient and Formally Secured Certificate-Based Signcryption for Wireless Body Area Networks with the Internet of Things

Abstract

Recently, the spectacular innovations in the fields of wireless body area networks (WBAN) and the Internet of Things (IoT) have made e-Care services rise as a promising application domain, which significantly advances the quality of the medical system, however, due to the openness of the wireless environment and privacy of people’s physiological data, WBAN and IoT are prone to various cyber-attacks. There is a significant need for an efficient and highly secured cryptographic scheme that can meet the requirements of resource-constrained devices. Therefore, in this paper, we propose a certificate-based signcryption (CB-SN) scheme for the IoT-enabled WBAN. The proposed scheme is based on the concept of hyper-elliptic curve cryptography (HECC) that offers the same level of security as the elliptic curve and bilinear pairing with lower-key size. The formal security verification using the Automated Validation of the Internet Security Protocols and Applications (AVISPA) tool along with informal security analysis demonstrate that the proposed scheme is not just reducing the complexity of resource-constrained IoT devices, but proves to be secure against several well-known cryptographic attacks. Moreover, performance comparison with relevant existing schemes authenticates that the proposed scheme is far more secure and energy efficient.

1. Introduction

In the current era, the Internet of things (IoT) is one of the most debatable topics among the research community of information technology. The IoT includes all those devices, which have the capacity of computing, communication, and connection with the Internet [1]. The IoT has so many applications in our daily lives, i.e., it is used in smart cities, smart homes, and e-health, etc. [2]. By providing faster access to the treatment of patients, the wireless body area networks (WBAN) integrate with the Internet of things (IoT) and play an important role in the patient health care system, because this ecosystem, enables all the users and devices to access the patient’s psychological data from anywhere and anytime in the world by utilizing the Internet [3]. However, due to the open nature of the Internet, authenticity and data security are the two major concerns in the IoT based WBAN [4].

The authenticity of IoT is ensured through digital signature [5], and data security is met by using the encryption method [6], although the IoT has a resource hungry nature and cannot afford these two different algorithms separately, i.e., signature and then encryption at the same time. In 1997, Zheng was the pioneer to merge these two processes in one algorithm, called signcryption [7]. This scheme is based on the concept of old public key cryptography (PKC), which is suffering from certificate overheads, renewing, and revocation problems [8]. Shamir was the first to propose an alternate concept of PKC, called identity-based cryptography (IBC) [9]. This technique removed the limitations of PKC and used the identity in place of a certificate. Later, in 2002, Malone-Lee [10], for the first time merged the concept of IBC with the signcryption technique, namely, identity-based signcryption (IBS). The IBS includes three entities, for example, a sender (signcrypter), a receiver (unsigncrypter), and the private key generation center (PKGC), respectively. In this setup, the users (signcrypter and unsigncrypter) generate their identities and after that, send it to the PKGC. Then, the PKGC produces and delivers the private keys for all the participating users, by using the secured networks. Unfortunately, IBS suffers from the key escrow issue (KEI), because the private key is generated by the PKGC and one can easily use this key for forging the digital signature and decrypting the ciphertext [11].

To eliminate the above problem in IBS, in 2008, Barbosa and Farshim [12], put forward the concept of a certificateless signcryption (CL-SC) scheme. The CL-SC mechanism almost works the same as IBS, but the main difference is that the private key is generated by the users themselves. The central authority known as a key generation center (KGC) only provides the partial private key to the users by using an open link. Although it removes the issue of key escrow in IBS and certificate management in PKC-based signcryption, it still suffers from the needs of the partial private key distribution problem [13]. Another strategy, named heterogeneous signcryption was proposed by Sun [14]. This strategy contains two sub-methods, the first one works under the condition in which the sender belongs to the conventional PKC and the receiver belongs to the IBC, while in the second one, a sender uses the concept of IBC and receiver based on the PKC. Since, these two types (PKC and IBC) of the public key are suffering from some crucial problem, i.e., certificate overheads, renewing, certificate revocation, and KEI, respectively, these types of problems are not suitable for the IoT environment. To cater to this particular issue, heterogeneous signcryption was coined by Li et al. [14], in which the signcryption part belongs to the certificateless cryptosystem (CLC) and the unsigncryption side is based on the functionality of PKC, however, the scheme is affected by the secrete key distributions and certificate management issues. To remove the certificate management at the receiver side, Omala et al. [15], contributed a new heterogeneous signcryption scheme, in which the signcryption part belongs to the CLC and the unsigncryption part works under the notion of IBC. This method is also affected by the key escrow and the secret key distribution problem. A new type of cryptosystem was introduced by Gentry in 2003 [16], namely, certificate-based cryptography (CBC), in which one can use the functionality of old PKC in a better manner. The CBC enables each participant in the network to generate his public and private keys and give their public key to the certifier’s authority (CsA). Later, by using the concept of IBC encryption, based on the participants’ public key which serves its identity, CsA generates a certificate for each participant while using an open link. Noteably, this certificate acts as a partial private key and also uses a decryption key on the receiver side [17]. In 2008, Li et al. [18], provided a new scheme, which is used to merge the concept of CBC with signcryption, called certificate-based signcryption. In 2019, Braeken proposed pairing free certificate-based signcryption schemes using ECQV implicit certificates [19]. However, the proposed approach is based on a hyper-elliptic curve, i.e., it suffers from high computational cost. Moreover, the proposed scheme is not validated through any formal security tool.

Cagalaban and Kim [20], proposed an effective signcryption scheme for access control in the WBAN under the functionalities of IBC, which is suffering from KEI. Similarly, Hu et al. [21], proposed an access control for WBAN using the idea of fuzzy attribute-based signcryption, however, the proposed scheme suffered from high computational cost. In 2016, Li and Hong [22], proposed a signcryption scheme for access control in WBAN while utilizing both CLC and bilinear pairing (BP). In 2018, Li et al. [23], presented a CL-SC approach for an efficient access control in WBAN. These approaches [22,23], faced the issues of secrete key exchange and extra energy consumption. In the same year, Omala et al. [15], by using signcryption, designed an access control scheme for WBAN, where they used CLC in the signcryption part and IBC in the unsigncryption part. Recently, in May 2019, Gao et al. [24], developed a CL-SC with an elliptic curve for secure and efficient access control in WBAN. Nevertheless, these two schemes [15,24] are commonly affected by the secret key distribution problems, more energy utilization, and extra bandwidth consumption.

1.1. Authors’ Motivations and Contributions

The authors, motivated by the aforementioned limitations regarding signcryption-based access control in WBAN, propose a new scheme, called an energy efficient and formally secured certificate-based signcryption (CB-SN), which does not suffer from the problems such as secret key distribution problems, more energy utilization, and extra bandwidth consumption. Some of the salient features signifying contributions of our research work, in this paper, are as follows:

• We first provide the basic syntax for certificate based signcryption and then construct the scheme practically for WBAN with IoT;
• The proposed scheme is shown to be resistant against various attacks through informal security analysis concerning integrity, confidentiality, replay, unforgeability, and forward secrecy, respectively;
• We also generate the high level protocol specification language (HLPSL) code for our scheme in AVISPA Tool for the formal security checking, and the simulation results authenticates that the proposed scheme is SAFE, according to the checking structure of two well-known checker models, i.e., on-the-fly model checker (OFMC) and constraint logic-based attack searcher (ATSE);
• We perform the computational cost and communication overhead comparison analysis with the relevant existing schemes, which demonstrates the presented scheme, in addition, is far more efficient.

1.2. Structure of The Paper

The remainder of the paper is organized as follows: Section 2 gives the basic knowledge of preliminaries, Section 3 presents proposed architecture, Section 4 contains the construction of the proposed scheme, Section 5 presents the informal security analysis, Section 6 give the proposed scheme implementation detail in WBAN, Section 7 delivers implementation of the proposed scheme in AVISPA, and includes the discussion about performance with relevant existing schemes, and, finally, Section 8 culminates conclusions of the entire work.

2. Preliminaries

2.1. Hyper-Elliptic Curve

This section briefly discusses the basic mathematics of a hyper-elliptic curve (hε𝒸). Suppose ℑ_𝑡 is a predetermined set and presume 𝜕 is the genus of hε𝒸 having order as 𝜕 ⪰ 2. Let (𝓋), f(𝓋)𝜖ℑ_𝑡[𝓋], and deg (𝒽(𝓋)) ⪯ 𝜕; and f(𝓋) is a monic polynomial having deg (f(𝓋)) = 2𝜕 + 1 [25]. Therefore, hε𝒸 of genus 𝜕 ⪰ 2 over ℑ_𝑡 is the set of points (𝓋,) ℑ_𝑡 * ℑ_𝑡 as shown in the Equation (1).

hε𝒸: 𝓌² + (𝓋) 𝓌 = f(𝓋)

(1)

Note, hε𝒸 points are different from elliptic curve [26]. It forms the divisors which are the formal sum of finite integers like 𝒹 = ∑𝑥_i𝑧_i, where 𝑥_i𝜖 ℑ_𝑡 and 𝑧_i𝜖 hε𝒸. Furthermore, it forms a Jacobian group $ℐ$_hε𝒸 (ℑ_𝑡) having the following order:

(√𝑡 − 1)^2𝜕 ⪯ $ℐ$_hε𝒸 (ℑ_𝑡) ⪯ (√𝑡 + 1)^2𝜕

(2)

2.2. Hyper-Elliptic Curve Discrete Logarithm Problem $\left(h\epsilon 𝒸-dl{\rm P}\right)$

Assume 𝒹 is the divisor which ispublicly available in the network and $ℒ$ is the randomly picked private number from ℑ_𝑡. Recovering $ℒ$ from 𝒹₁ = 𝒹, $ℒ$ is said to be $h\epsilon 𝒸 - dl{\rm P}$ [27].

2.3. Automated Validation Tool for Security Validation and Application (AVISPA)

Currently, AVISPA is the utmost valuable tool among researchers of information security, in which they check the authenticity of their newly designed cryptographic protocol security properties. For the overall structure of AVISPA, it can be a better choice to see the article [24], in which it includes the most expensive formal language called high level protocol specification language (HLPSL), a compilation translator called HLPSL2IF, an intermediate format (IF), and the four backends models for checking the security properties, i.e., on-the-fly model checker (O-f-M-C), constraint logic-based attack searcher (CL-ATSe), SAT-based model checker (Sat-M-C), and tree automata based on automatic approximations for the analysis of security protocols (TA-4 SP), respectively. If the cryptographic user famines to trial their approach security, then he/she first compose the HLPSL code for their approach in SPAN, which is the graphical user interface (GUI) for AVISPA, furthermore, the HLPSL2IF is responsible for compiling this code into IF, and IF handover the code to the four model checkers, for example, (O-f-M-C), (CL-ATSe), (SAT-M-C), and (TA-4 SP) for the checking of man-in-the-middle attack and replay attack. Therefore, if these two attacks are possible in their respective protocol then these model checkers give UNSAFE simulation results and if it is not possible then it shows the SAFE results.

2.4. Syntax of Certificate-based Signcryption (CB-SN)

The proposed CB-SN scheme is the improved version of the Braeken et al. [17] scheme, and includes five algorithms such as, setup, public variable generation (PVG), certificate generation (CG), actors key generation (AKG), signcryption generation (SG), and unsigncryptions (US), respectively. We explain the syntax of CB-SN in the following steps:

• Setup: Certifier’s authority (C_sA) recognizes a security parameter 𝜇 as input data and runs the setup algorithm to make essential parameters set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃} and a master secret key Y and public key T = 𝛶.𝒹, respectively. The essential parameters set is directly accessible on a network, anyway Y is kept by the C_sA secret.
• Public variable generation (PVG): Each actor with identity ID_A, runs the PVG algorithm to produce his public variable PV_A by taking input, an essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃}. Then, the actor having identity ID_A, has sent the pair (PV_A, ID_A) to C_sA via an insecure link.
• Certificate generation (CG): By taking input (PV_A, ID_A), the essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃} and Y, C_sA run the CG algorithm to produce a certificate Cert_A for each actor with identity ID_A and hand over a certificate with auxiliary variable ($𝒞$𝑒𝓇𝑡_A, 𝒶𝓊𝓍_A) to the actors via unsecured link.
• Actor’s key generation (AKG): Inputting the pair of an auxiliary variable (Cert_A, aux_A), an essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃} and the identity ID_A of each actor, the participated actor’s with identity ID_A produces his private and public keys (A_A, Q_A).
• Signcryption generation (SG): The SG algorithm is executed by the sender actor to produce signcryption text 𝜓 = {C,A,S}, of a message, m, and delivers 𝜓 to the receiver through an unsecured network. It takes as input the certificate of the sender and receiver (Cert_s, Cert_u), the identity of a sender and receivers (ID_s, ID_u), private and public key of the sender (A_s, Q_s), a message (m), an essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃}, and public key of receiver Q_u.
• Unsigncryptions (US): The US algorithm is executed by the receiver actor to verify and decrypts the received signcryption text 𝜓 = {C,A,S}. It takes as input the certificate of the sender Cert_s, the identity of a sender and receivers (ID_s, ID_u), private and public key of the receiver (A_u,Q_u), a signcryption text 𝜓 = {C,A,S}, and essential parameter set.

3. Proposed Architecture

Figure 1 indicates the overall working of a newly designed model of this paper, which includes three main actors, i.e., a certifiers authority (CsA), application providers (APs) and WBAN of a patient’s body, respectively. Hence, in this model, it is the responsibility of CsA to create a certificate for APs and WBAN by using its own secret key and obtained identity with a public variable from actors (APs and WBAN). The APs are responsible for monitoring patient conditions and any time get access to the health related information HRI, by computing certificate-based signcryption of an access request query. The WBAN contains sensor nodes, which are already planted in the body of the patient and at least contain one controller, which receives PHRI. Upon the request from the access control query from APs, the controller checks the authorization of an actor and if the actor is legitimate, then, it sends the data regarding the query request, otherwise it rejects the query demand.

Safe node and health node are the two wearable sensor nodes on each subject for environmental monitoring and for physiological parameters’ measurements, respectively, in the proposed system. Furthermore, safe node is equipped with four environmental sensors to monitor the ambient temperature, relative humidity, CO2, and ultraviolet (UV) sensor. The health node is comprised of a Bluetooth 5 (802.15.1) module that is used to enable WBAN communication, a photoplethysmogram (PPG) sensor for heart rate monitoring, and a body temperature sensor. Bluetooth 5 (802.15.1) is considered the most favored option for wearable sensor nodes because of its low cost and low power consumption [28], however, to address the short communication range issue of Bluetooth 5 for medical records to a longer distance, a smart android-based mobile device, named “controller”, is used inside the WBAN’s communication range. At the end of this section, in

Table 1. Notations used in proposed algorithm.

S.NO	Symbol	Explanation
1	hε𝒸	Hyper-elliptic curve
2	$\partial$	Genus of hyper-elliptic curve
3	𝒹	Divisor in hyper-elliptic curve
4	$ℐ$hε𝒸	Jacobian of hyper-elliptic curve
5	𝛶	Master secret key
6	𝛵	Master public key
7	$\mathscr{H}$1, $\mathscr{H}$2, $\mathscr{H}$3	Hash functions
8	$𝒬$s, $𝒬$u	Public keys of sender and receiver
9	𝒜s, 𝒜u	Private keys of sender and receiver
10	$𝒞$𝑒𝓇𝑡s, $𝒞$𝑒r𝑡u	Certificates for sender and receiver
11	IDs, IDu	Identities for sender and receiver
12	$𝒮$$𝒦$	Session secret key
13	N	A fresh nonce
14	𝓂/$𝒞$	Message/encrypted message
15	ℇ$𝒮$$𝒦$/$𝒟$$𝒮$$𝒦$	Encryption/decryption
16	𝜓	Signcryption text
17	‖	Concatenation

, we provide an explanation about the symbols used in algorithm.

4. Constructions of CB-SN

The proposed scheme is an extension of the scheme presented by Braeken et al. [17], and the working steps of the newly designed CB-SN scheme are as follows:

• Setup: The C_sA produce an essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃} and after that the C_sA select a master secret key Y{1,2, …, t − 1} and calculate the master public key T = Y.d, respectively. The essential parameters set is directly accessible on a network and the master secret key Y is kept by the C_sA secret.
• PVG: Given an essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃}, each actor with identity ID_A, choose a random number 𝜔_A and computes his public variable $𝒫$$𝒱$_A = 𝜔_A.𝒹. Then the actor with identity ID_A delivers (PV_A, ID_A) to the C_sA by using the open channel.
• CG: Given an essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃}, public variable and identity of each actor (PV_A, ID_A) and master secret key Y, C_sA select a random number 𝜒_A𝜖 {1, 2…., 𝑡 − 1} and calculate 𝜑_A = 𝜒_A.𝒹. After that, C_sA computes the certificate Cert_A = 𝜑_A + PV_A and auxiliary variable aux_A = $\mathscr{H}$₁ (Cert_A, ID_A). 𝜒_A + 𝛶, then, hands over a certificate Cert_A with auxiliary variable (Cert_A, aux_A) to the actors via insecure link.
• AKG: Given the tuple (Cert_A, aux_A), identity ID_A of each actor, and essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃}, each actor makes their private key A_A = H₁ (Cert_A, ID_A). w_A + aux_A make their public key as Q_A = A_A. d.
• SG: Given an essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃}, the sender and receiver’s certificates (Cert_s, Cert_u), the identity of the sender and the receiver (ID_s, ID_u), the private and public key of the sender (A_s, Q_s), a massage (m), and public key of receiver Q_u. Then the sender produces a signcryption tuple 𝜓 = {C, A} by utilizing the following steps:
  • The sender first computes the public key of receiver Q_u ≟ H₂ (Cert_u, ID_u). Cert_u + T;
  • Next, choose a random number 𝛺𝜖 {1, 2, …, t − 1} and compute 𝛽 = 𝛺 . 𝒹;
  • Select a fresh nonce N;
  • Compute the session key $𝒮$$𝒦$ = 𝛺 . $𝒬$_u and produced the cipher text $𝒞$ = ℇ_$𝒮$$𝒦$ (𝓂‖ N);
  • Compute the hash value 𝛬 = $\mathscr{H}$₂(𝓂‖ N) and signature $𝒮$ = 𝛺 - 𝛬 , A_s;
  • Then, hand over 𝜓 = {$𝒞$, 𝛬, $𝒮$} to the receiver using insecure channel.
• US: Given the sender’s certificate Cert_s, identity of a sender and receivers (ID_s, ID_u), private and public key of the receiver (A_u,Q_u), a signcryption text 𝜓 = {C, A, S}, essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃}, and public key of sender Q_s. The receiver performs the following steps to verify and decrypts the received signcryption text 𝜓= {C. A, S}.
  • The receiver first computes the public key of sender Q_s ≟ H₂ (Cert_s, ID_s). Cert_s + 𝛵;
  • Compute 𝛽 = S . d + 𝛬 . Q_s;
  • Recover the secret key SK = A_u . 𝛽 and produced the plaintext (m‖ N) = D_$𝒮$$𝒦$ (C);
  • Compute the hash value 𝛬^/ = H₂(m‖ N);
  • Accept the signcryption text 𝜓 = {$𝒞$,𝛬,$𝒮$} if 𝛬^/ = H₂(m‖ N) ≟ 𝛬 = H₂(m‖ N).

4.1. Correctness

The sender can compute the public key of receiver from the following computations:

• $𝒬$_u ≟ $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u). $𝒞$𝑒𝓇𝑡_u + 𝛵
• = $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u) . (𝜑_u+ $𝒫$$𝒱$_u ) + 𝛶, where $𝒞$𝑒𝓇𝑡_u= 𝜑_u+ $𝒫$$𝒱$_u and 𝛵 = 𝛶.𝒹
• = $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u) . (𝜑_u+ 𝜔_u.𝒹) + 𝛶. 𝒹, where $𝒫$$𝒱$_u = 𝜔_u.𝒹
• = $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u) . (𝜒_u.𝒹 + 𝜔_u.𝒹) + 𝛶. 𝒹, where 𝜑_u= _u.𝒹
• = 𝜒_u .𝒹. $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u) + 𝜔_u.𝒹. $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u) + 𝛶.𝒹
• = (𝜒_u . $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u)+ 𝜔_u. $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u)+ 𝛶). 𝒹
• = (𝒶𝓊𝓍_u + 𝜔_u. $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u)), where 𝒶𝓊𝓍_u = $\mathscr{H}$₁ ($𝒞$𝑒𝓇𝑡_u, ID_u) . 𝜒_u + 𝛶
• = 𝒜_u, where 𝒜_u = $\mathscr{H}$₁ ($𝒞$𝑒𝓇𝑡_u, ID_u).𝜔_u + 𝒶𝓊𝓍_u
• = 𝒜_u .𝒹 = $𝒬$_u , while it same process at the receiver side for making the public key of the sender, by using the following computations.
• $𝒬$_s ≟ $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_s, ID_s) . $𝒞$𝑒𝓇𝑡_s + 𝛵
• = $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_s, ID_s) . (𝜑_s + $𝒫$$𝒱$_s ) + 𝛶. 𝒹, where $𝒞$𝑒𝓇𝑡_s = 𝜑_s + $𝒫$$𝒱$_s and 𝛵 = 𝛶.𝒹
• = $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_s, ID_s) . (𝜑_s + 𝜔_s . 𝒹) + 𝛶, where $𝒫$$𝒱$_s = 𝜔_s . 𝒹
• = $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_s, ID_s) . (𝜒_s . 𝒹 + 𝜔_s.𝒹) + 𝛶. 𝒹, where 𝜑_s = 𝜒_s . 𝒹
• = 𝜒_s . 𝒹 . $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_s, ID_s) + 𝜔_s . 𝒹 . $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_s, ID_s) + 𝛶. 𝒹
• = (𝜒_s . $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_s, ID_s) + 𝜔_s . $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_s, ID_s) + 𝛶) . 𝒹
• = (𝒶𝓊𝓍_s + 𝜔_s . $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_s, ID_s)) . 𝒹 where 𝒶𝓊𝓍_s = $\mathscr{H}$₁ ($𝒞$𝑒𝓇𝑡_s, ID_s) . 𝜒_s + 𝛶
• = 𝒜_s . 𝒹, where 𝒜_s = $\mathscr{H}$₁ ($𝒞$𝑒𝓇𝑡_s, ID_s) . 𝜔_s + 𝒶𝓊𝓍_s
• = 𝒜_s . 𝒹 = $𝒬$_s
• And the receiver also recovers the secret key by using the following steps:
• $𝒮$$𝒦$ = 𝒜_u . 𝛽
• = 𝒜_u . ($𝒮$.𝒹 + 𝛬 . $𝒬$_s), where 𝛽 = $𝒮$ . 𝒹 + 𝛬 . $𝒬$_s
• = 𝒜_u . ($𝒮$ . 𝒹 + 𝛬 . 𝒜_s . 𝒹), where $𝒬$_s = 𝒜_s . 𝒹
• = 𝒜_u . (𝛺 – 𝛬 . 𝒜_s . 𝒹 + 𝛬 . $\mathrm{(𝒜}$_s . 𝒹)), where $𝒮$ = 𝛺 – 𝛬 . 𝒜_s
• = 𝒜_u . 𝒹 (𝛺 – 𝛬 . 𝒜_s + 𝛬 . 𝒜_s) = 𝒜_u . 𝒹= $𝒬$_{u .} (𝛺) = $𝒮$$𝒦$, where 𝒜_u . 𝒹 = $𝒬$_u

5. Informal Security Analysis

The proposed CB-SN scheme ensures the following informal security requirements.

5.1. Confidentiality

Confidentiality means that the contents of a plain text (m) should hide from intruders and the intruders cannot get any meaning from the signcrypted text without knowing the shared secret key. In the proposed CB-SN scheme, if the intruders desire to scramble the contents of a plain text from a signcryption text 𝜓 = {C,A, S}, then it is mandatory for them to reveal the shared secret key SK by computing Equation (2). To compute this equation, it is important for the intruders to extract 𝛺 from Equation (3), which is hard for them because this leads to computing $h\epsilon 𝒸-dl{\rm P}$. Thus, our CB-SN scheme ensures cipher text confidentiality.

$𝒮$$𝒦$ = 𝛺 . $𝒬$_u

(3)

𝛽 = 𝛺 . 𝒹

(4)

5.2. Integrity

Integrity means that the contents of a plain text (m) can only be modified by the intended participant or user. In our CB-SN scheme, the sender computes a hash value of a message (m) like 𝛬 = H₂(m‖ N) and delivers the value 𝛬 with a cipher text to the receiver. Therefore, if an event occurred, i.e., an intruder tries to modify in cipher text C like C^*, then, the intruder must modify m into m^* and 𝛬 = H₂(m‖ N) into 𝛬^* = H₂(m‖ N)^*, which is infeasible because of the collision resistance property of a hash function.

5.3. Unforgeability

Without the private key of a sender, the illegal user cannot produce the original signature which is called unforgeability. In our proposed CB-SN scheme, the sender computes a digital signature, i.e., $𝒮$ = 𝛺 − 𝛬 . 𝒜_s. This includes the sender private number 𝛺 and private key 𝒜_s, which is only known to the sender. If the intruder tries to create the same signature, he cannot do it, because discovering two unknown variables from the same equation is infeasible. Therefore, our CB-SN scheme meets the unforgeability security service.

5.4. Public Verifiability

Public verifaibility is the property of signcryption , in which the third party removes the clash among the sender and receiver, which is already causing. In our case, the sender computes the digital signature for a plain text by using his private key and it is common practice in asymmetric cryptosystem that the public key of a user is related to his private key. Therefore, for eliminating a conflict, the third party/judge can use either $𝒬$_u ≟ $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u) . $𝒞$𝑒𝓇𝑡_u + 𝛵 or $𝒬$_u ≟ $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_u, ID_u) . $𝒞$𝑒𝓇𝑡_u + 𝛵, in which the equality of the previous two equations is available in the Section 4.1 of this paper.

5.5. Forward Secrecy

When the private key of a legitimate sender is compromised by an intruder, then, the existing communicated messages that is still safe is called forward secrecy. In our case, the sender encrypts the message (𝓂) like C = ℇ_$𝒮$$𝒦$ (𝓂‖N), by utilizing the secret shared key SK. If the intruder compromised the private key of the sender, furthermore, he needs the secret shared SK from Equation (2), for the decryption of cipher text. Hence, computing the secret key SK from Equation (2) is infeasible for the intruder, which is already discussed in the confidentiality section.

5.6. Anti-Replay Attack

When an intruder has captured the already communicated signcrypted text and continuously transmits this text to the receiver it is called a replay attack. Therefore, the replay attack is not possible in our case, because the sender sends a fresh nonce (N) in the encrypted text (C), and furthermore, the encryption process (C = ℇ_$𝒮$$𝒦$ (𝓂‖N)) is processed through a shared secret key SK, in which the nonce (N) and secret key SK are renewed for every session of communication. Therefore, the anti-replay attack is provided in this paper.

6. CB-SN Access Control for WBAN

Figure 2 and Figure 3 illustrate the overall process of implementation, which contains the following four steps:

6.1. Initialization

The CsA calls the setup process where CAs produce an essential parameter set {hε𝒸, δ, ℑ_𝑡, 𝒹, $ℐ$_hε𝒸, 𝛵, $\mathscr{H}$₁, $\mathscr{H}$₂, $\mathscr{H}$₃} and after that select a master secret key 𝛶 from {1,2, …, 𝑡 − 1} and calculate the master public key 𝛵 = 𝛶 . 𝒹, respectively. The essential parameters set is directly accessible on a network and the master secret key Y is kept by the C_sA secret.

6.2. Registration

In addition, each actor (APs and controller) with identity ID_A, chooses a random number 𝜔_A and computes their public variable $𝒫$$𝒱$_A = 𝜔_A.𝒹. Then, the actor (APs and controller) with identity ID_A delivers (PV_A, ID_A) to the C_sA by using open channel. Furthermore, the C_sA selects a random number 𝜒_A𝜖 {1,2, …, 𝑡 − 1}, calculates 𝜑_A = 𝜒_A . 𝒹, computes the certificate Cert_A = 𝜑_A+ PV_A, computes auxiliary variable 𝒶𝓊𝓍_A = $\mathscr{H}$₁ ($𝒞$𝑒𝓇𝑡_A, ID_A) . 𝜒_A + 𝛶 and, then, hand over a certificate Cert_A with auxiliary variable (Cert_A, aux_A) to the actors (APs and controller) via insecure link. Moreover, each actor (APs and controller) creates his private key A_A = H₁ (Cert_A, ID_A) . w_A + aux_A and make his public key as Q_A = A_A . d.

6.3. Querying Phase

The APs call the SG algorithm, that is, the APs compute the public key of controller Q_c ≟ H₂ (Cert_c, ID_c) . Cert_c + T. Next, they choose a random number 𝛺𝜖 {1, 2, …, 𝑡 − 1} and compute 𝛽 = 𝛺 . 𝒹, select a fresh nonce N, compute the session key SK = 𝛺 . Q_c and produced the cipher text C = ℇ_$𝒮$$𝒦$ (𝓂 ‖ N), compute the hash value 𝛬 = H₂(𝓂 ‖ N) and signature $𝒮$ = 𝛺 – 𝛬 . A_ap, then, hand over 𝜓 = {C,S} to the controller using insecure channel.

6.4. Verification and Response

For this purpose, the controller first calls a US algorithm, that is, the controller, first, computes the public key of APs $𝒬$_ap ≟ $\mathscr{H}$₂ ($𝒞$𝑒𝓇𝑡_ap, ID_ap) . $𝒞$𝑒𝓇𝑡_s + 𝛵, computes 𝛽 = $𝒮$. 𝒹 + 𝛬 . $𝒬$_ap, recovers the secret key $𝒮$$𝒦$ = 𝒜_c . 𝛽 and produces the plaintext (𝓂 ‖ N) = $𝒟$_$𝒮$$𝒦$ ($𝒞$), computes the hash value 𝛬^/ = $\mathscr{H}$₂(𝓂 ‖ N), accepts the signcryption text 𝜓 = {$𝒞$,𝛬,$𝒮$}, if 𝛬^/ = $\mathscr{H}$₂(𝓂‖ N) ≟ 𝛬 = $\mathscr{H}$₂(𝓂 ‖ N) and encrypts the data QR = E_$𝒮$$𝒦$ (PHRI) for Aps, and delivers it using the open networks.

7. Performance

We choose three main parameters that are security services, energy (computational cost), and bandwidth (communication cost), in the proposed CB-SN access control scheme and existing ones, i.e., Li et al. [22], Omala et al. [15], Gao et al. [24], Braeken et al. [17], Braeken et al. [19] Schemes 1, 2, and 3, for measuring the performance. Appendix A shows the mplementations of CB-SN Access Control Scheme in AVISPA.

7.1. Security Performance

The security performance of a designed and existing access control scheme as shown in

Table 2. Comparison with respect to security properties.

Security Services	[22]	[15]	[24]	[17]	[19] S1	[19] S2	[19] S3	Proposed
CFY	√	√	√	√	√	√	√	√
UFY	√	√	√	√	√	√	√	√
ATN	√	√	√	√	√	√	√	√
ITY	√	√	√	√	√	√	√	√
ARA	√	√	√	⨵	⨵	⨵	⨵	√
FSY	⨵	⨵	⨵	√	√	√	√	√
PVY	⨵	⨵	⨵	⨵	⨵	⨵	⨵	√
ROM	√	√	√	⨵	⨵	⨵	⨵	⨵
FVTA	⨵	⨵	⨵	⨵	⨵	⨵	⨵	√

, in which we pick the security services and verification tool, i.e., confidentiality, unforgeability, authentication, integrity, anti-replay attack, forward secrecy, public verifiability, random oracle model, and formal verification through AVISPA, respectively. The symbols CFY, UFY, ATN, ITY, ARA, FSY, PVY, ROM, FVTA, √, and ⨵ indicate confidentiality, unforgeability, authentication, integrity, anti-replay attack, forward secrecy, public verifiability, random oracle model, formal verification through AVISPA, satisfying the service, and does not satisfy, respectively. Therefore, it is clearly shown that, our proposed CB-SN meet all the claimed security services and the schemes, i.e., Li et al. [22], Omala et al. [15], Gao et al. [24], Braeken et al. [17], Braeken et al. [19] Schemes 1, 2, and 3 do not meet the services such as FSY and PVY, as well as FVTA or some other verification tool.

7.2. Computational Cost

The comparison among the proposed CB-SN access control scheme and existing ones, i.e., Li et al. [22], Omala et al. [15], Gao et al. [24], Braeken et al. [17], Braeken et al. [19] Schemes 1, 2, and 3, on the basis of major operations is provided in this section. Normally, the computational cost includes an expensive mathematical operation, for example, bilinear pairing (𝒷𝓅), modular exponential (𝓂𝓍𝓅), elliptic curve scalar multiplication (𝑒𝓈𝓂), and hyper-elliptic curve divisor scalar multiplication (𝒽𝓈𝓂), while designing a cryptographic algorithm. Next, in

Table 3. Comparison with respect to major operations.

Schemes	Signcryption Generation (SG) (APs)	Unsigncryption (US) (Controller)	Total
Li et al. [22]	1 𝓂𝓍𝓅 + 4 𝑒𝓈𝓂	2 𝒷𝓅 + 2 𝑒𝓈𝓂 +1 𝓂𝓍𝓅	2 𝒷𝓅 + 6 𝑒𝓈𝓂 +2 𝓂𝓍𝓅
Omala et al. [15]	3 𝑒𝓈𝓂	3 𝑒𝓈𝓂	6 𝑒𝓈𝓂
Gao et al. [23]	3 𝑒𝓈𝓂	4 𝑒𝓈𝓂	7 𝑒𝓈𝓂
Braeken et al. [17]	4 𝑒𝓈𝓂	5 𝑒𝓈𝓂	9 𝑒𝓈𝓂
Braeken et al. [19] Scheme 1	5 𝑒𝓈𝓂	2 𝑒𝓈𝓂	7 𝑒𝓈𝓂
Braeken et al. [19] Scheme 2	3 𝑒𝓈𝓂	4 𝑒𝓈𝓂	7 𝑒𝓈𝓂
Braeken et al. [19] Scheme 3	4 𝑒𝓈𝓂	4 𝑒𝓈𝓂	8 𝑒𝓈𝓂
Proposed CB-SN	3 𝒽𝓈𝓂	4 𝒽𝓈𝓂	7 𝒽𝓈𝓂

, we provide a required major operation of the proposed CB-SN access control scheme and existing ones, i.e., Li et al. [22], Omala et al. [15], Gao et al. [24], Braeken et al. [17], Braeken et al. [19] Schemes 1, 2, and 3. The calculated values of Table 3, regarding 𝒷𝓅, 𝓂𝓍𝓅, and 𝑒𝓈𝓂 are based on [27], and 𝓈𝓂 is based on the assumption of [29]. Therefore, according to [29], the single 𝒷𝓅 required 14.90 ms, single 𝓂𝓍𝓅 consumes 1.25 ms, and single 𝑒𝓈𝓂 needs 0.97 ms, while the assumption of [29], about single 𝒽𝓈𝓂 is that, it required 0.48 ms. The experiment was performed by using the hardware resources, i.e., Intel Core i74510UCPU, 8 GB RAM, and 2.0GHz processor and software resources such as C++ with Multi-precision Integer and Rational Arithmetic C Library (MIRACL) and window 7. By using the data of Table 3, our scheme reduced the computational cost on the basis of ms from Li et al. [22] is (2𝒷𝓅 + 6𝑒𝓈𝓂 + 2𝓂𝓍𝓅) - (7𝒽𝓈𝓂)/ (2𝒷𝓅 + 6𝑒𝓈𝓂 + 2𝓂𝓍𝓅) = 36.94 – 3.36/36.94*100 = 90.90%, Omala et al. [15] is (6𝑒𝓈𝓂) - (7 𝒽𝓈𝓂)/(6 𝑒𝓈𝓂) = 5.82 – 3.36/5.82*100 = 42.26%, Gao et al. [23] is (7𝑒𝓈𝓂) - (7𝒽𝓈𝓂)/(7𝑒𝓈𝓂) = 6.77 – 3.36/6.77*100 = 50.36%, Braeken et al. [17] is (9𝑒𝓈𝓂) - (7𝒽𝓈𝓂)/(9𝑒𝓈𝓂) = 8.73 – 3.36/8.73*100 = 61.51%, Braeken et al. [19] scheme 1(S1) is (7𝑒𝓈𝓂) - (7𝒽𝓈𝓂)/(7𝑒𝓈𝓂) = 6.77 – 3.36/6.77*100 = 50.36%, Braeken et al. [19] scheme 2(S2) is (7𝑒𝓈𝓂) - (7𝒽𝓈𝓂)/(7𝑒𝓈𝓂) = 6.77 – 3.36/6.77*100 =50.36%, Braeken et al. [19] scheme 3(S3) is (8𝑒𝓈𝓂) - (7𝒽𝓈𝓂)/(8𝑒𝓈𝓂) = 7.76 – 3.36/7.76*100 = 56.70%, respectively. Moreover, in

Table 4. Computational cost comparison in milliseconds.

Schemes	Signcryption Generation (SG)(APs)	Unsigncryption (US) (Controller)	Total
Li et al. [22]	5.13 ms	31.81 ms	36.94 ms
Omala et al. [15]	2.91 ms	2.91 ms	5.82 ms
Gao et al. [23]	2.91 ms	3.88 ms	6.77 ms
Braeken et al. [17]	3.88 ms	4.85 ms	8.73 ms
Braeken et al. [19] Scheme 1	4.85 ms	1.92 ms	6.77 ms
Braeken et al. [19] Scheme 2	2.91 ms	3.88 ms	6.77 ms
Braeken et al. [19] Scheme 3	3.88 ms	3.88 ms	7.76 ms
Proposed CB-SN	1.44 ms	1.92 ms	3.36 ms

, we deliver the computational cost on the basis of milliseconds (ms) among the proposed CB-SN access control and those of Li et al. [23], Omala et al. [15], and Gao et al. [24]. Furthermore, in Figure 4, the clear computational cost reduction is shown.

7.3. Communication Cost

We compare our newly proposed CB-SN access control scheme with the existing related access control schemes, i.e., Li et al. [22], Omala et al. [15], Gao et al. [24], Braeken et al. [17], Braeken et al. [19] Schemes 1, 2, and 3 on the basis of communication cost. Usually, the communication cost of the signcryption schemes is calculated by using the cipher text and the extra parameters such as signature, hash value, and identity, etc., during the communication process. For the comparison, we suppose that, |𝔖₁| = |𝔖| = |𝔖₂| = 1024 bits, |𝒵_𝓆| = 160 bits, |𝒵_n| = 80 bits, and |H| = 512 bits, |𝓂| = 1024 bits, and |ID| = 80 bits. According to our suppositions, the communication cost for Li et al. [22] is 3|𝔖₁| + |ID| + |𝓂|, for Omala et al. [15] is |𝔖₁| + |ID| + |𝓂| + |𝒵_𝓆|, for Gao et al. [2] is |ID| + |𝓂| + 5|𝒵_𝓆|, for Braeken et al. [17] |ID| + |𝓂| + 5|𝒵_𝓆|, for Braeken et al. [19] Scheme 1 is |ID| + |𝓂| + 5|𝒵_𝓆|, for Braeken et al. [19] Scheme 2 is |ID| + |𝓂| + 5|𝒵_𝓆|, Braeken et al. [19] Scheme 3 is |ID| + |𝓂|+5|𝒵_𝓆|, and for our designed CB-SN access control scheme is |𝒵_n| + |H| + |𝓂|, respectively.

• The reduction in communication cost of the proposed CB-SN access control scheme from Li et al. [22] is (3|𝔖₁| + |ID| + |𝓂|) (|𝒵_n| + |H| + |𝓂|)/(3|𝔖₁| + |ID| + |𝓂|) = (4176 −1616)/(4176)*100 = 61.30%,
• The reduction in communication cost of our designed CB-SN access control scheme from Omala et al. [15] is (|𝔖₁| + |ID| + |𝓂| + |𝒵_𝓆|)(|𝒵_n| + |H|+|𝓂|)/(|𝔖₁|+ |ID| + |𝓂| + |𝒵_𝓆|) = (2288 − 1616)/(2288)*100 = 29.37%.
• The reduction in communication cost of of the proposed CB-SN access control scheme from Gao et al. [23] is (|ID| + |𝓂| + 5|𝒵_𝓆|) − (|𝒵_n| + |H| + |𝓂|)/(|ID| + |𝓂| + 5|𝒵_𝓆|) = (1904 − 1616)/(1904)*100 = 15.12%.
• The reduction in communication cost of the proposed CB-SN access control scheme from Braeken et al. [17] and Braeken et al. [19] Scheme 1, 2, and 3 is (|𝓂| +|H| + |𝒵_𝓆|) − (|𝒵_n| + |H| + |𝓂|)/|𝓂| + 2|𝒵_𝓆|) = (1696 − 1616)/(1696)*100 = 4.71%.

Comparative analysis of communication cost of the proposed CB-SN scheme with relevant existing schemes are provided in Figure 5, which shows a clear savings of communication cost.

8. Conclusions

Connected health brings together multidisciplinary technologies, such as the Internet of things (IoT) and wireless body area networks (WBAN), to provide preventive or proactive healthcare services by connecting devices and persons to build up the modern healthcare system. However, due to the openness of the wireless environment, the privacy of people’s physiological data, and resource-constrained nature of IoT devices, especially in terms of energy supply, often body sensors are vulnerable to different kinds of known and unknown cryptographic attacks. To tackle these issues, a comprehensive review of the existing certificate-based signcryption schemes was carried out in the literature. We found that these schemes are based on hard problems, i.e., elliptic curve and bilinear pairing, suffering from high computational cost and communication overhead. Therefore, to solve this problem, a new design scheme, called certificate-based signcryption access control scheme, is introduced, because the new scheme involves a hyper-elliptic curve, which offers the same level of security as the elliptic curve and bilinear pairing with lower key size. Furthermore, in the proposed scheme addresses and resolves intelligently the issues of increased computational cost and undesired communication overhead.