Peer-to-Peer Networking and Applications https://doi.org/10.1007/s12083-018-0696-3

Lightweight authentication and matrix-based key agreement scheme for healthcare in fog computing
Jian Shen 1,2,3, Huijie Yang 1,2, Anxi Wang 1,2, Tianqi Zhou 1,3, Chen Wang 1,2
Received: 4 July 2018 / Accepted: 16 October 2018
© Springer Science+Business Media, LLC, part of Springer Nature 2018

Abstract Healthcare in fog computing is a novel topic in recent years. With the development of technology, accomplishing secure healthcare in fog computing is a pressing issue. Moreover, how to ensure the security and efficiency of healthcare data transmitted over an open channel is a challenge to be solved. In this paper, a lightweight authentication and matrix-based key agreement scheme is proposed to support communication among multiple parties in fog computing. On the one hand, lightweight authentication is needed to verify the identities of the parties and assure the authenticity of the communicating parties on the open channel. On the other hand, the matrix-based key agreement is used to encrypt the healthcare data, which are uploaded to the cloud server with the aid of doubly-linked cyclic (DLC) tables. The security analysis shows that the proposed scheme transmits healthcare data securely. The performance analysis shows that the proposed scheme reduces the communication cost.
Keywords Lightweight authentication . Key agreement . Fog computing . Healthcare

1 Introduction
With the development of the Internet of Things (IoT), fog computing has been proposed to overcome the disadvantages of cloud computing [1–3]. Fog computing is a distributed computing facility for the IoT: it concentrates data, data processing and applications on an edge layer of the network instead of in the cloud, so that analysis and management are completed locally [4–6]. Lower delay, wider geographical distribution, mobility and support for more edge nodes are the obvious advantages of fog computing [7, 8]. In addition, healthcare systems have high requirements for real-time operation and accuracy. Lonely elderly people living at home need their medical data monitored to prevent sudden diseases. Thus, using the advantages of fog computing to design a scheme for healthcare is feasible [9]. As usual, the patient uses sensors to measure medical data and sends abnormal data to the corresponding doctor. The doctor receives the medical data, evaluates the disease and communicates with the patient. During this process, some security issues arise and need to be settled. Firstly, the identities of the entities mentioned above must be verified with a convenient method, so that private data cannot be obtained by attackers. Secondly, the proposed scheme should ensure that the messages exchanged between patient and doctor are secure. Finally, the scheme should spend less computation or communication cost when uploading to the server. The above issues are taken into consideration in this paper.

* Corresponding author: Jian Shen, [email protected]
1 School of Computer & Software, Jiangsu Engineering Center of Network Monitoring, Nanjing University of Information Science & Technology, Nanjing, China
2 Guangxi Key Laboratory of Cryptography and Information Security, Guilin, China
3 State Key Laboratory of Information Security, Institute of Information Engineering, Beijing, China

1.1 Our contribution
Healthcare in fog computing has been studied by few scholars. Thus, designing a scheme that verifies the identities of multiple parties and protects private healthcare data on the open channel is important. In this paper, we present a lightweight authentication and matrix-based key agreement scheme. The main contributions are as follows.
1) Complicated authentication is beyond the computational ability of a sensor. Moreover, if the sensors verify the patient one by one, the communication cost is higher. Thus, we design a lightweight authentication phase that verifies a group of sensors at once.
2) With the aid of a matrix structure, delegation and key generation are accomplished in the key agreement phase. Afterwards, the encrypted healthcare data are stored in a DLC-table in the cloud server, which saves a lot of computation cost since the computational complexities of the deleting and uploading operations are O(1).
3) Many researchers have contributed to authentication or key agreement in cloud computing, but the same problems also exist in fog computing and still need to be solved. In this paper, we combine the features of fog computing with authentication and key agreement to ensure secure data transmission in a healthcare system.

1.2 Related work
In 2015, Wang et al. [10] proposed an enhanced scheme based on Kim-Kim's scheme, an efficient two-factor authentication scheme that resists various known attacks and offers user anonymity. The scheme achieves this with little communication or computation cost. Besides, it is the first to define a model of user un-traceability and can resist the desynchronization attack on two-factor authentication schemes. In 2016, Kim [11] proposed a novel authentication scheme in which a personal health device exchanges messages to measure the bio-information of a chronic disease patient at home. In particular, the scheme can be used with the IEEE 11073-20601 standard and added to devices to provide more efficient and secure authentication for healthcare environments. In 2016, Shen et al. [12] proposed a direction density-based secure routing protocol for handling healthcare data in so-called incompletely predictable networks. This protocol protects the security of medical data communication and achieves monitoring of the health situation, which inspired us to use routers to monitor patients. After that, in 2018, Wang et al. [13] proposed a secure scheme based on instant encrypted transmission for medical data in the Internet of Things (IoT). Drawing support from other devices, this scheme guarantees rapid transmission for users and the security of their data.

1.3 Organization
The structure of this paper is organized as follows. Some cryptographic preliminaries and the framework of the scheme are introduced in Section 2. The security model is described in Section 3. The proposed scheme is presented in detail in Section 4. Sections 5 and 6 present the security analysis and the performance analysis, respectively. The conclusion is given in Section 7.

2 Preliminaries
In this section, some necessary definitions are described: the elliptic curve group, bilinear maps, the LRSW assumption and the decisional Diffie-Hellman problem. The system model and the framework of the scheme are also introduced in this section.

2.1 Elliptic curve group
Assume $p > 3$ is a prime number, and $a, b \in Z_p$ are two numbers satisfying $4a^3 + 27b^2 \neq 0 \pmod p$. Over the prime finite field $Z_p$, the equation $y^2 = x^3 + ax + b$ defines the elliptic curve $X$. The cyclic additive group $G$ consists of the points of $X$ over $Z_p$ together with the point at infinity $O$ [14]. The group law of $G$ is briefly described as follows. For $P, Q \in G$, the line $L$ through $P$ and $Q$ intersects the curve $X$ at a third point, and the sum $P + Q$ is the reflection $R$ of that point. When $P = Q$, the line $L$ is the tangent to the curve at $P$ [15–17].

2.2 Cryptographic bilinear maps
Definition 1: Let $G$ and $G_T$ be two groups of the same prime order $q$, where $q$ is a large prime, and let $P$ be a generator of $G$; both groups are written multiplicatively. A cryptographic bilinear map, such as the Weil pairing or the Tate pairing, is a mapping $e: G \times G \to G_T$ that meets the following conditions [18].
1) Bilinear: For any $P, Q, R \in G$ and $a, b \in Z_q$, $e(P^a, Q^b) = e(P, Q)^{ab}$ and $e(P, Q)\,e(P, R) = e(P, QR)$.
2) Non-degenerate: If $P$ is a generator of $G$, then $e(P, P)$ is a generator of $G_T$; that is, $e(P, P) \neq 1$. Otherwise the map is degenerate.
3) Computable: For any $P, Q \in G$, $e(P, Q)$ can be computed by an efficient algorithm.

2.3 LRSW assumption
Definition 2: Let $G_2$ be a cyclic group of order $q$ with generator $g$, and let $X = g^x$, $Y = g^y$ with $x, y \in Z_q$. Assume there exists a random oracle $O_{x,y}(\cdot)$ which, on input $n \in Z_q^*$, chooses $a \in_R G_2$ and outputs the tuple $(a, a^y, a^{x + xyn})$. Given $X$, $Y$ and access to $O_{x,y}(\cdot)$, the probability that any probabilistic polynomial time (PPT) adversary $\mathcal{A}$ outputs a tuple $(a, a^y, a^{x + xyn})$ for an $n$ that was never queried to the oracle is negligible.


2.4 Decisional Diffie-Hellman (DDH) problem
Definition 3 (DDH problem): In $G$ the decisional Diffie-Hellman problem is defined as follows. Let $g$ be a generator of $G$ and $x, y, z \in Z_q^*$; given $g^x, g^y, g^z \in G$, decide whether $z = xy \bmod q$ holds [19]. The DDH problem is said to be $(t, \varepsilon)$-hard if, within time $t$, every PPT adversary $\mathcal{A}$ solves it with advantage at most $\varepsilon$, where $\varepsilon$ is negligible [20]; that is,

$\mathrm{Succ}^{\mathrm{DDH}}_{G}(\mathcal{A}) = \Pr\left[\mathcal{A}(g^{x}, g^{y}, g^{z}) \text{ decides } z = xy \bmod q\right] \le \varepsilon.$

2.5 System model
In this paper, the patients are monitored by sensors to protect their health in real time. To detect the onset of diseases in the least time, the healthcare data of patients are transmitted directly to the edge layer of the network instead of being uploaded to the cloud server. Thus, the main scheme is established in fog computing to transmit and process the data. The proposed scheme includes four entities: the sensors, the patients' phones, the doctors' phones and the cloud server. Figure 1 shows the system model of this scheme. The specific functions of these entities are introduced as follows.
1) The sensors. A great number of elderly people who live alone need to be monitored in real time; otherwise acute onset diseases or specific situations cannot be discovered. In order to monitor the patients' data, some sensors are installed at home or worn on the users' bodies. On the one hand, temperature, blood pressure, pulse and so on are necessary physiological indexes for measuring health, so sensors are distributed to measure those indexes in real time. On the other hand, some dangerous situations are discovered by other devices, such as a camera or the router. For instance, the user's phone receives the signal sent out by the router at home; when the user has fallen over, the time delay of the signal can be calculated by the patient's phone. After that, the conclusion drawn from the data is uploaded to the edge layer and sent to the corresponding doctor's phone. What's more, the lightweight authentication phase is proposed to bind the identities of the sensors to the identity of the patient's phone.
2) The patients. The patients' phones pid form part of the edge layer of the network, and the purpose of the phone pid is to receive and evaluate data. As usual, the sensors collect the user's healthcare data and transmit them to the corresponding phone in real time. Meanwhile, the phone pid checks the healthcare data and evaluates the patient's situation. Before the doctor did analyzes the patient's records, the patient pid needs to verify the identity of the doctor did and give authorization to the corresponding doctor. After that, once some physiological index exceeds its standard value, the doctor receives the message and contacts the hospital. Thus, the authorization phase is proposed to ensure the identities between the patients and the doctor.
3) The doctors. The doctors' phones did also form part of the edge layer of the network, and the main goal of the phone did is to carry out the professional diagnosis and communicate with the patients via the open channel. The doctors are divided into different fields, such as cardiologist, neurologist, orthopedist, internist and so on. To assure the security of private data and to allocate it to the corresponding field of doctors, the doctors are granted authentication by the patient pid. For example, some indexes of patient P1 deviate from the normal values. The phone p1 analyzes those indexes and determines which kind of doctor to consult. Afterwards, patient P1 and doctor D1 create a connection to verify each other's identity. When patient P1 has confirmed the authenticity of doctor D1, they start to transmit the relevant data about his potential disease. Besides, in order to protect the data, patients and doctors should negotiate a key to encrypt the healthcare data or communication messages. Thus, the key agreement phase, which draws support from the matrix, is proposed to assure the security of the healthcare data.
4) The cloud server. All the healthcare data collected by the sensors need to be stored in the server so as to provide a reference for the later treatment of patients. Thus, the messages or healthcare data are encrypted and uploaded to the cloud server.
Finally, the system model is set up completely.

Fig. 1 The system model

2.6 Framework of scheme
In this paper, the proposed scheme contains four phases: the sensor-patient authentication phase, the patient-doctor authentication phase, the key agreement phase and the uploading DLC-table phase. The phases are briefly introduced as follows.
1) The sensor-patient (SA) lightweight authentication phase. A malicious sensor may impersonate an actual sensor to create wrong data that cheats the patient, or to gain other healthcare data. A malicious patient may pretend to be a true patient P2 to query P2's data. Thus, authentication should be established between the sensors and the patient.
2) The patient-doctor (PD) authentication phase. A malicious patient may fake an identity so that he can obtain real information about the actual patient. A malicious doctor may try his best to exchange information with a true patient so that important messages leak to the malicious doctor. As a result, it is necessary to design an authentication phase between patients and doctors.
3) The key agreement phase. If messages concerning the details of a disease need to be transmitted between the doctor and the patient, the security of those messages should be ensured. This information should not be leaked to others and should only be decryptable by the two sides. To preserve the privacy of healthcare data, the key agreement phase is designed.
4) The uploading DLC-table phase. The DLC-table is stored in the cloud server; it saves storage resources and keeps the records of all the healthcare data.

3 Security model
In the healthcare communication environment, the healthcare data are encrypted and transmitted among entities via the open channel. To protect the channel and the information on it, the proposed scheme should resist the following attacks.

3.1 Threat model
Many attacks are resisted by the proposed lightweight authentication; two attacks are illustrated in detail as examples [21–25].
1) Replay attack: By capturing the healthcare data, the adversary tries to replay those data to one of the authenticating parties and cheat it. For example, patient P1 and sensor S1 have already verified each other and begin to transmit healthcare data between them. Some part of the data is captured by adversary A, who tries his best to fake the identity of sensor S1. Moreover, adversary A uses the information from sensor S1 to pass the authentication of patient P1. Once he achieves this authentication, he obtains P1's data unimpeded. Thus, if adversary A completes the replay attack, the system faces security issues.
2) Man-in-the-middle attack: Consider the SA authentication phase. When a connection is being established between sensor S2 and patient P2, adversary A intercepts the communication that is to be forwarded to sensor S2 and patient P2. That is, adversary A can modify the message from sensor S2 and then forward it to patient P2, round after round. From the standpoint of S2 and P2, the message is transmitted directly. However, the message has been modified by adversary A and private healthcare data has leaked to an untrustworthy party.

3.2 Indistinguishability under chosen plaintext attack (IND-CPA)
This IND-CPA game is proposed to verify the security of the key agreement phase.
1) Setup: The healthcare system S is generated by the challenger C. The initialization algorithm is executed and the public parameters $(G, H_3(\cdot))$ are given to the adversary A.
2) Queries: The adversary A asks the challenger C queries as follows. The adversary A wants to obtain the key of the patient, and the challenger C sends the key to the adversary A after running the algorithm of the key agreement phase. What's more, A generates a message M and obtains the message M′, which is M encrypted by the system S.
3) Challenge: The adversary A outputs two messages $M_0, M_1$ of the same length. The challenger C chooses $\gamma \in \{0, 1\}$ uniformly at random, encrypts $M_\gamma$, and sends the ciphertext $C(M_\gamma)$ to the adversary A.
4) Guess: According to the features of $C(M_\gamma)$, the adversary A outputs a guess $\gamma'$. If $\gamma' = \gamma$, adversary A is said to be able to attack the key agreement phase. Even if the adversary does not carry out the above game, he still wins with probability $\frac{1}{2}$ by guessing. Finally, the advantage of adversary A is defined as

$\mathrm{Adv}^{\mathrm{CPA}}_{\mathcal{A}} = \left| \Pr\left[M^{*}_{\mathcal{A}} = M^{*}_{\mathcal{C}}\right] - \frac{1}{2} \right|,$

where $M^{*}_{\mathcal{A}} = M^{*}_{\mathcal{C}}$ denotes the event that A's guess matches the challenger's choice, i.e. $\gamma' = \gamma$.
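The game above can be played mechanically. The following Python harness is an added example, not part of the paper and not the paper's key agreement: it runs the Setup, Queries, Challenge and Guess steps against two toy symmetric schemes and measures the advantage $|\Pr[\gamma' = \gamma] - \tfrac{1}{2}|$. One scheme is a deterministic XOR keystream, which the query phase breaks outright; the other draws a fresh nonce per encryption. The schemes, the adversary's strategy, the message pair and the seeded trial count are this example's own choices.

```python
"""Added example: playing the IND-CPA game of Section 3.2 against two toy
encryption schemes (this example's own constructions, not the paper's)."""
import hashlib
import random

KEY_LEN = 16
TRIALS = 1000  # assumption: enough rounds to estimate Pr[gamma' = gamma]


def xor_bytes(m: bytes, keystream: bytes) -> bytes:
    """XOR the message with the first len(m) bytes of the keystream."""
    return bytes(a ^ b for a, b in zip(m, keystream))


def det_encrypt(key: bytes, rng: random.Random, m: bytes) -> bytes:
    """Deliberately weak: the same (key, message) always gives the same ciphertext."""
    return xor_bytes(m, hashlib.sha256(key).digest())


def rand_encrypt(key: bytes, rng: random.Random, m: bytes) -> bytes:
    """Randomized: a fresh 8-byte nonce per call, keystream = SHA-256(key || nonce)."""
    nonce = rng.getrandbits(64).to_bytes(8, "big")
    return nonce + xor_bytes(m, hashlib.sha256(key + nonce).digest())


def play_ind_cpa(encrypt, trials: int = TRIALS, seed: int = 2018) -> float:
    """Run the game `trials` times and return the adversary's advantage
    |Pr[gamma' = gamma] - 1/2|.  The rng seed makes the run reproducible."""
    rng = random.Random(seed)
    # Setup: the challenger picks the key; the adversary only sees the oracle.
    key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
    oracle = lambda m: encrypt(key, rng, m)
    # Two same-length plaintexts (constructed sample healthcare readings).
    m0, m1 = b"pulse=072 temp=36.6", b"pulse=131 temp=39.2"
    assert len(m0) == len(m1)
    wins = 0
    for _ in range(trials):
        # Queries: the adversary asks the encryption oracle for Enc(M_0).
        known = oracle(m0)
        # Challenge: the challenger encrypts M_gamma for a hidden random gamma.
        gamma = rng.getrandbits(1)
        challenge = oracle(m1 if gamma else m0)
        # Guess: gamma' = 0 if the queried ciphertext equals the challenge, else 1.
        guess = 0 if known == challenge else 1
        wins += int(guess == gamma)
    return abs(wins / trials - 0.5)


if __name__ == "__main__":
    print("deterministic scheme advantage:", play_ind_cpa(det_encrypt))
    print("randomized scheme advantage:  ", play_ind_cpa(rand_encrypt))
```

For the deterministic scheme the adversary wins every round, so the advantage is exactly 1/2; for the randomized scheme the queried ciphertext never matches the challenge, the guess is a coin flip, and the advantage stays near 0. This is the gap the definition is meant to expose: a scheme that re-encrypts equal plaintexts identically cannot be IND-CPA secure whatever key agreement produced its key.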

4 The proposed scheme
In this section, we propose a lightweight authentication and matrix-based key agreement scheme for the healthcare system. As shown above, four entities are included in the scheme: the sensors, the patients, the doctors and the cloud server. Besides, the proposed scheme contains the four phases described below. We illustrate them with the specific case of a patient who is sick and needs to communicate with the corresponding doctor. Moreover, the system can be extended to multiple patients and multiple doctors.

4.1 System initialization
The initialization is run over a secure channel. Input the security parameters $\eta_1, \eta_2 \in Z_q^*$, a large prime order $q$, a cyclic group $G$ with generator $g \in G$ and a bilinear map $e: G \times G \to G_T$ as in Section 2.2. Choose three collision-resistant hash functions $H_1: \{0,1\}^* \to \{0,1\}^{l_1}$, $H_2: \{0,1\}^* \to \{0,1\}^{l_2}$ and $H_3: \{0,1\}^* \to Z_q^*$, where the bit lengths $l_1, l_2$ are determined by $\eta_1, \eta_2$. During the first connection between the sensors and their patient's phone, the sensors and the phone record the connection time $f_t$. An integer $\xi_i$ corresponding to patient $PID_i$ is stored in the memory of each sensor $SID_{i,t}$ and in his phone $P_i$, and the sensor identities $id_{i,t}$ are exchanged with the phone identity $p_i$. An integer $\lambda_i$ is stored in the memories of patient $PID_i$ and doctor $DID_i$, and the patient identity $p_i$ is exchanged with the doctor identity $d_i$. The values $f_t, \xi_i, id_{i,t}, p_i, d_i$ are stored in the memories of the sensors or phones by a secure method, so that they cannot be exposed to others.

4.2 The SA lightweight authentication phase
This phase is run over the open channel. The patient wants to verify which sensors belong to him. To save computation cost, the sensors are verified with the patient as a group.
Step 1. The patient's phone sends a query to the sensors. Each sensor encrypts its identity $id_{i,t}$ with RSA, and the encrypted identities are concatenated as $d = RSA(id_{1,1}) \| RSA(id_{1,2}) \| \cdots \| RSA(id_{1,t})$. The last sensor decrypts $d$ with RSA to get $d' = id_{1,1} \| id_{1,2} \| \cdots \| id_{1,t}$. The sensor generates $R_i \in Z_q^*$ and a time stamp $T_i$, and computes $U_i = H_1(\xi_i \| T_i)$, $D_i = H_1(R_i \| id_{1,1} \| id_{1,2} \| \cdots \| id_{1,t} \| T_i)$, $M_1 = U_i \oplus D_i$ and $V_1 = H_1(D_i \| f_t \| T_i)$. Here $id_{i,t}$ represents the $t$-th type of sensor of the $i$-th patient. The sensor sends $M = M_1 \| V_1 \| T_i$ to the patient.
Step 2. The patient receives the message $M$ and verifies $V_1$. He computes $U_i' = H_1(\xi_i \| T_i)$, $D_i' = U_i' \oplus M_1$ and $V_1' = H_1(D_i' \| f_t \| T_i)$, and checks whether $V_1' = V_1$. If the equation holds, the authentication from sensor to patient is finished. In addition, the patient generates $R_i' \in Z_q^*$ and a time stamp $T_i'$, and computes $M_2 = (T_i' \| R_i') \oplus U_i'$ and $V_2 = H_1(p_i \| T_i' \| R_i')$, where $i$ represents the $i$-th patient. The patient sends $M' = (M_2 \| V_2)$ to the sensor.
Step 3. The sensor receives $M'$ and computes $M_2' = U_i \oplus M_2$ and $V_2' = H_1(p_i \| M_2')$. Finally, the sensor checks whether $V_2' = V_2$. If it holds, the authentication from patient to sensor is completed. Thus the lightweight authentication between the sensors and the patient is accomplished, ensuring data security on the open channel.
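The three steps above can be exercised end to end. The following Python is an added example, not the paper's code, implementing the SA exchange with $H_1$ instantiated as SHA-256, so that both directions of the verification and the replay and modification cases of the threat model in Section 3.1 can be run. It makes assumptions the paper leaves open: $T_i$ and $T_i'$ are 8-byte big-endian Unix seconds, $R_i$ is 32 bytes and $R_i'$ is 24 bytes (so that $T_i' \| R_i'$ has the length of $U_i'$), the RSA aggregation of sensor ids is replaced by a pre-shared list $d'$ held by the last sensor, and the patient's phone rejects a time stamp outside a 60 s window or one it has already accepted.

```python
"""Added example (not the paper's code): the SA lightweight authentication
phase with H_1 = SHA-256, plus a freshness check on the sensor's time stamp.
Byte lengths, the acceptance window and the pre-shared id list are assumptions."""
import hashlib
import hmac
import os
import struct
import time

ACCEPT_WINDOW = 60  # seconds; assumed, the paper fixes no window


def H1(*parts: bytes) -> bytes:
    """H_1: {0,1}^* -> {0,1}^256 over the concatenation a || b || ..."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


class SensorGroup:
    """The sensors of patient i; the last sensor speaks for the whole group."""

    def __init__(self, xi: bytes, ft: bytes, p_i: bytes, ids: list):
        self.xi, self.ft, self.p_i = xi, ft, p_i      # secrets from Section 4.1
        self.d_prime = b"".join(ids)                   # d' = id_{i,1} || ... || id_{i,t}
        self.U = None

    def step1(self, now: int):
        R = os.urandom(32)                             # R_i
        T = struct.pack(">Q", now)                     # T_i
        self.U = H1(self.xi, T)                        # U_i = H_1(xi_i || T_i)
        D = H1(R, self.d_prime, T)                     # D_i = H_1(R_i || d' || T_i)
        M1 = xor(self.U, D)                            # M_1 = U_i xor D_i
        V1 = H1(D, self.ft, T)                         # V_1 = H_1(D_i || f_t || T_i)
        return M1, V1, T                               # M = M_1 || V_1 || T_i

    def step3(self, M2: bytes, V2: bytes) -> bool:
        M2p = xor(self.U, M2)                          # M_2' = U_i xor M_2 = T_i' || R_i'
        V2p = H1(self.p_i, M2p)                        # V_2' = H_1(p_i || M_2')
        return hmac.compare_digest(V2p, V2)            # patient -> sensor authenticated?


class PatientPhone:
    def __init__(self, xi: bytes, ft: bytes, p_i: bytes):
        self.xi, self.ft, self.p_i = xi, ft, p_i
        self.seen = set()                              # accepted T_i values (replay check)

    def step2(self, M1: bytes, V1: bytes, T: bytes, now: int):
        """Verify the sensors' message; return M' = (M_2, V_2) or None on rejection."""
        t = struct.unpack(">Q", T)[0]
        if T in self.seen or abs(now - t) > ACCEPT_WINDOW:
            return None                                # replayed or stale time stamp
        Up = H1(self.xi, T)                            # U_i'
        Dp = xor(Up, M1)                               # D_i' = U_i' xor M_1
        V1p = H1(Dp, self.ft, T)                       # V_1' = H_1(D_i' || f_t || T_i)
        if not hmac.compare_digest(V1p, V1):
            return None                                # forged or modified message
        self.seen.add(T)
        Rp, Tp = os.urandom(24), struct.pack(">Q", now)   # R_i', T_i'
        M2 = xor(Tp + Rp, Up)                          # M_2 = (T_i' || R_i') xor U_i'
        V2 = H1(self.p_i, Tp, Rp)                      # V_2 = H_1(p_i || T_i' || R_i')
        return M2, V2


def run_sa_authentication() -> dict:
    """Honest run, then a replay and a modified message (constructed sample data)."""
    xi, ft, p_i = os.urandom(16), b"2018-07-04T09:00:00Z", b"patient-1"
    ids = [b"temperature-01", b"pulse-02", b"pressure-03"]
    sensors, phone = SensorGroup(xi, ft, p_i, ids), PatientPhone(xi, ft, p_i)
    now = int(time.time())
    M1, V1, T = sensors.step1(now)
    reply = phone.step2(M1, V1, T, now)
    mutual = reply is not None and sensors.step3(*reply)
    # Adversary replays the captured M a few seconds later: same T_i, rejected.
    replay = phone.step2(M1, V1, T, now + 5)
    # Man-in-the-middle flips one bit of M_1 in a fresh round: the V_1 check fails.
    M1b, V1b, Tb = sensors.step1(now + 1)
    tampered = phone.step2(xor(M1b, b"\x01" + b"\x00" * 31), V1b, Tb, now + 1)
    return {"mutual": mutual, "replay_rejected": replay is None,
            "tamper_rejected": tampered is None}


if __name__ == "__main__":
    print(run_sa_authentication())
```

The comparisons use hmac.compare_digest rather than == so that a forged $V_1$ cannot be rejected byte by byte in measurable time. Note that the protocol as written gives the sensor no freshness check on $T_i'$; the example mirrors the paper there and only the patient's side keeps a seen-stamp set.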

4.3 The PD authentication phase
This phase is run over the open channel. In healthcare, an adversary may impersonate a doctor to cheat the patient and obtain healthcare data for illegal purposes, whereas in most situations a patient has no reason to forge an identity. Thus, in this phase an authentication from doctor to patient is proposed.
Step 1. The public information about the doctor is divided into parts and described as $\tilde{M} = M_{i,1} \| M_{i,2} \| \cdots \| M_{i,t}$; in particular, the field to which the doctor belongs is written in $\tilde{M}$. The doctor randomly generates $a, b \in Z_q^*$ and computes the secret key $SK = (x, y) = (\eta_2 a, \eta_2 b)$ and the public key $PK = (X, Y) = (g^{x}, g^{y})$. Let $a \in G$ be a group element (not to be confused with the exponent $a$ above), and compute $A = a^{H_3(d_i)\eta_1}$, $B = A^{y}$ and $C = A^{x} B^{x H_3(\tilde{M})}$. The doctor generates a time stamp $T_d$ and computes $M_5 = H_2(d_i \| \lambda_i \| T_d) \oplus H_2(\tilde{M})$, $M_6 = M_5 \oplus B$, $M_7 = M_5 \oplus A$ and $M = M_5 \| M_6 \| M_7 \| H_3(\tilde{M})$. What's more, the doctor computes $V_3 = H_2(e(C, g))$ and $V_4 = H_2(e(A, Y))$, and then sends $(M, V_3, V_4, T_d)$ to the patient's phone via the open channel and waits for authentication.
Step 2. The patient receives the message. According to the sensors' information, the phone has already pre-judged which kind of doctor to consult, $\tilde{M}'$. It computes $M_8 = H_2(d_i \| \lambda_i \| T_d)$ and compares $M_5' = M_8 \oplus M_5$ with $H_2(\tilde{M}')$. If they are equal, the correct doctor has been found by the patient, and the first authentication between patient and doctor is done. In addition, the patient recovers $B = M_6 \oplus M_5$ and $A = M_7 \oplus M_5$ from $M$. To verify, the patient computes $V_3' = H_2\big(e(A, X)\, e(B, X)^{H_3(\tilde{M})}\big)$ and $V_4' = H_2(e(B, g))$. If $V_3' = V_3$ and $V_4' = V_4$ hold, the authentication from doctor to patient is accomplished. Finally, the authentication between doctor and patient has been verified to ensure the security of the transmitted data or messages on the open channel.

4.4 The key agreement phase
To transmit secure healthcare messages between patient and doctor, a key must be established. The patient computes $m_{1,1} = H_3(V_3')$, $m_{1,2} = H_3(\tilde{M})$ and $m_{i,j} = H_3(p_i)$. The doctor computes $n_{1,1} = H_3(V_4)$ and $n_{i,j} = H_3(d_i)$. Two matrices are created for the patient and the doctor respectively,

$P = \begin{pmatrix} m_{1,1} & \cdots & m_{i,1} \\ \vdots & \ddots & \vdots \\ m_{1,j} & \cdots & m_{i,j} \end{pmatrix}, \quad D = \begin{pmatrix} n_{1,1} & \cdots & n_{i,1} \\ \vdots & \ddots & \vdots \\ n_{1,j} & \cdots & n_{i,j} \end{pmatrix},$

where $m_{1,2}, \ldots, m_{i,j-1}$, obtained with the hash function $H_3$, represent the public information about the patient, and $n_{1,2}, \ldots, n_{i,j-1}$, also obtained with $H_3$, describe the public information about the doctor. In case the number of entries $m_{i,j}$ or $n_{i,j}$ does not match the amount of information, the remaining values are filled with random numbers. After that, the patient agrees on a number $c$ with the doctor, which ensures that $2c$ cannot be computed by the addition operation. The patient generates $e$ random matrices such that $P = X_1 + X_2 + \cdots + X_e$, for example

$X_1 = \begin{pmatrix} m_{1,1} & \cdots & 0 \\ \vdots & \ddots & \vdots \\ m_{1,j} & \cdots & 0 \end{pmatrix}, \quad \ldots, \quad X_e = \begin{pmatrix} 0 & \cdots & m_{i,1} \\ \vdots & \ddots & \vdots \\ 0 & \cdots & m_{i,j} \end{pmatrix},$

and so on. For each $j = 1, \ldots, e$, the following process is executed.
1) A secret number $i \in \{1, \ldots, p\}$ is randomly generated by the patient. The patient sends the mutative matrices $(M_1, \ldots, M_p)$ to the doctor, where $M_i = X_j$ and the other $M_q$ are random matrices. The mutative matrices are

$M_1 = \begin{pmatrix} m_{1,1} \\ \vdots \\ m_{i,1} \end{pmatrix}, \quad M_2 = \begin{pmatrix} m_{1,2} \\ \vdots \\ m_{i,2} \end{pmatrix}, \quad \ldots$

Because the number $i$ is a secret known only to the patient, the doctor cannot determine which $M_i$ is $X_j$.
2) For any $i = 1, 2, \ldots, e$, the doctor computes $N_i = M_i D_i - R_j$, where $R_j$ is a random matrix, $D_1 = (n_{1,1} \; \cdots \; n_{1,j})$, $D_2 = (n_{2,1} \; \cdots \; n_{2,j})$ and $D_i = (n_{i,1} \; \cdots \; n_{i,j})$. For example,

$N_1 = \begin{pmatrix} m_{1,1} \\ \vdots \\ m_{1,j} \end{pmatrix} \begin{pmatrix} n_{1,1} & \cdots & n_{1,j} \end{pmatrix} - R_j = \begin{pmatrix} m_{1,1} n_{1,1} - r_1 & \cdots & m_{1,j} n_{1,j} - r_j \\ \vdots & \ddots & \vdots \\ m_{i,1} n_{i,1} - r_1 & \cdots & m_{i,j} n_{i,j} - r_j \end{pmatrix}.$

3) Using the 1-out-of-2 oblivious transfer (1–2-OT) protocol, the patient obtains the result $Q_i = X_j D_i - R_j = M_i D_i - R_j$. Finally, the patient computes

$R_a = H_2\left( \sum_{i,j=1}^{e} \left( X_j D_i - R_j \right) \right),$

which is the key for the communication.

4.5 The uploading DLC-table phase
To save the healthcare data for the doctor, we use doubly-linked cyclic tables, which the authors have proposed in other schemes, to store the records in the cloud server. Saving storage resources and protecting private data are the two advantages of this table. On the one hand, with the aid of the pointers in the table, a lot of computation cost is saved since the computational complexities of the deleting and uploading operations are O(1). On the other hand, the cyclic table fixes the storage size of each block and the reuse algorithm; that is, the blocks are reused and their content cannot be guessed by malicious attackers. Thus, DLC tables are placed in the cloud server to store the healthcare records, which saves storage resources and ensures data security. Figure 2 shows the DLC-table in the server.

Fig. 2 The DLC-table in the server

5 Security analysis
The SA lightweight authentication phase and the PD authentication phase are executed over the open channel, so the security of those phases needs to be analyzed. Besides, the security of the key generation process also needs to be ensured.
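Before turning to the analysis, the cost claims made for the DLC-table phase of Section 4.5 can be checked on a small model. The following Python is an added example, not the authors' DLC-table implementation (which the paper does not give), of a doubly-linked cyclic table of fixed-size blocks: upload appends a record with a constant number of pointer updates, delete unlinks a block the same way, and a freed block is overwritten with random bytes and placed on a reuse stack so that the next upload lands in it. The block size, the sentinel block,, the length prefix and the wipe-on-free policy are this example's own choices; the records are assumed to arrive already encrypted with the agreed key.

```python
"""Added example (not from the paper): a doubly-linked cyclic (DLC) table of
fixed-size blocks with O(1) upload and delete and reuse of freed blocks."""
import os

BLOCK_SIZE = 64        # bytes per block; assumed
LEN_PREFIX = 2         # record length stored in front of the record
MAX_RECORD = BLOCK_SIZE - LEN_PREFIX


class DLCTable:
    """Block 0 is a sentinel so the list is always a cycle; blocks 1..capacity
    hold records.  Links are stored as block numbers in two arrays."""

    def __init__(self, capacity: int):
        n = capacity + 1
        self.data = [bytes(BLOCK_SIZE) for _ in range(n)]
        self.nxt = [0] * n          # nxt[0] == 0 and prv[0] == 0: empty cycle
        self.prv = [0] * n
        self.used = [False] * n
        self.free = list(range(1, n))   # stack of block numbers ready for reuse
        self.count = 0

    def upload(self, record: bytes) -> int:
        """Append an (already encrypted) record at the tail; O(1). Returns its block."""
        if len(record) > MAX_RECORD:
            raise ValueError("record exceeds the fixed block size")
        if not self.free:
            raise MemoryError("table is full")
        b = self.free.pop()
        # Every block is exactly BLOCK_SIZE bytes: length prefix, record, random fill.
        pad = os.urandom(MAX_RECORD - len(record))
        self.data[b] = len(record).to_bytes(LEN_PREFIX, "big") + record + pad
        tail = self.prv[0]
        self.nxt[tail], self.prv[b] = b, tail   # splice b between tail and sentinel
        self.nxt[b], self.prv[0] = 0, b
        self.used[b] = True
        self.count += 1
        return b

    def delete(self, b: int) -> None:
        """Unlink block b, wipe it and make it reusable; O(1)."""
        if not (0 < b < len(self.data) and self.used[b]):
            raise KeyError("no record in block %r" % b)
        self.nxt[self.prv[b]] = self.nxt[b]
        self.prv[self.nxt[b]] = self.prv[b]
        self.data[b] = os.urandom(BLOCK_SIZE)   # old content is not left in the block
        self.used[b] = False
        self.free.append(b)
        self.count -= 1

    def read(self, b: int) -> bytes:
        if not self.used[b]:
            raise KeyError("no record in block %r" % b)
        n = int.from_bytes(self.data[b][:LEN_PREFIX], "big")
        return self.data[b][LEN_PREFIX:LEN_PREFIX + n]

    def records(self) -> list:
        """Walk the cycle from the sentinel back to itself; O(count)."""
        out, b = [], self.nxt[0]
        while b != 0:
            out.append(self.read(b))
            b = self.nxt[b]
        return out

    def links_consistent(self) -> bool:
        """Every forward link of a live block is mirrored by a backward link."""
        live = [b for b in range(len(self.data)) if b == 0 or self.used[b]]
        return all(self.prv[self.nxt[b]] == b for b in live)


def demo() -> dict:
    """Constructed sample: three opaque ciphertexts, one deletion, one reuse."""
    table = DLCTable(capacity=4)
    c1, c2, c3, c4 = (b"ct:" + bytes([k]) * 8 for k in (1, 2, 3, 4))
    b1, b2, b3 = table.upload(c1), table.upload(c2), table.upload(c3)
    table.delete(b2)
    b4 = table.upload(c4)                   # lands in the block c2 vacated
    return {"records": table.records(), "reused": b4 == b2,
            "count": table.count, "consistent": table.links_consistent()}


if __name__ == "__main__":
    print(demo())
```

Because every block is padded to the same size and a freed block is refilled with random bytes, an observer of the server's storage sees neither record lengths nor the remains of deleted records, which is the property Section 4.5 attributes to the fixed block size and block reuse.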

5.1 The security analysis of the SA lightweight authentication phase
In Section 3.1, the threats to this phase were described; this phase also resists the following attacks.
1) Replay attack. Even if the adversary has captured parts of the transmitted messages and replays them to the patient or the sensors, passing the authentication is impossible, since each time stamp is fresh in every round and hash functions are used for verification, which makes the authentication messages irregular. Besides, combining the integer $\xi_i$, stored in secure memory, with the time stamp makes captured healthcare data useless. Thus, this phase resists the replay attack.
2) Man-in-the-middle attack. Messages are transmitted between the sensors and the patient; the adversary A can intercept a message from the sensors or the patient, modify it and send it on to the patient or the sensors. However, the integer $\xi_i$ enters every round of the authentication phase. Even if the attacker modifies the message, the patient or the sensors detect it immediately. Thus, this phase resists the man-in-the-middle attack.
3) Un-traceability. During the authentication process, the random numbers $R_i$ and $R_i'$ are generated by the sensors and the patient, respectively. At the same time, the time stamp changes every round and has no connection with the former one. As a result, attackers cannot extract important information from the captured messages or distinguish similar tags. What's more, owing to the nature of the stamp, a tag uses many stamps to finish authentication, so the context of the messages cannot be obtained or inferred.
4) Anti-counterfeiting. The sensors belonging to the same patient share an integer $\xi_i$, and every round of authentication generates fresh random numbers. This phase uses those numbers to verify the identities of the patient and the sensors, and the hash function is used to protect the messages. This method effectively defends against forged identities. Thus, although this lightweight authentication phase is executed over the open channel, the security of the information can be ensured.

5.2 The correctness of the PD authentication phase
Theorem 1: The messages $V_3, V_4$ generated by the doctor are equal to the messages $V_3', V_4'$ generated by the patient.
Proof: We verify $V_3' = V_3$ and $V_4' = V_4$. The patient computes

$V_3' = H_2\big(e(A, X)\, e(B, X)^{H_3(\tilde{M})}\big) = H_2\big(e(a^{H_3(d_i)\eta_1}, g^{\eta_2 a})\, e(a^{H_3(d_i)\eta_1 \eta_2 b}, g^{\eta_2 a})^{H_3(\tilde{M})}\big) = H_2\big(e(a^{H_3(d_i)\eta_1}, g)^{\eta_2 a + \eta_2^2 ab H_3(\tilde{M})}\big) = H_2(e(C, g)) = V_3,$

$V_4' = H_2(e(B, g)) = H_2\big(e(a^{H_3(d_i)\eta_1 \eta_2 b}, g)\big) = H_2\big(e(a^{H_3(d_i)\eta_1}, g^{\eta_2 b})\big) = H_2(e(A, Y)) = V_4.$

The other computing processes are omitted. Finally, $V_3' = V_3$ and $V_4' = V_4$ are verified.

5.3 IND-CPA
Theorem 2: The security of this key agreement phase rests on the DDH assumption.
Proof: Adversary A tries to solve the DDH problem.
Setup: The whole healthcare system is set up by challenger C.
Queries: The adversary A asks challenger C for some parameters and the generated key. C runs the corresponding algorithm and sends

$\Big( G, H_3(\cdot), V_3', V_4, K_a = H_2\Big( \sum_{i,j=1}^{e} \left( X_j D_i - R_j \right) \Big) \Big)$

to the adversary A. In addition, A randomly generates $d_i', p_i', H_3(\tilde{M}') \in Z_q^*$ and a message M. The message M is sent to challenger C for encryption, and the encrypted message is M′. What's more, the adversary A asks C to provide the algorithm of the key agreement, and C sends the algorithm to A.
Challenge: According to the relation between M′ and M, the adversary A simulates the encryption process using the numbers $d_i', p_i', H_3(\tilde{M}')$ and the key agreement algorithm. After that, A outputs two messages $M_0, M_1$ and sends them to C. The challenger C chooses $\gamma \in \{0,1\}$ at random and encrypts $M_\gamma$.
Guess: According to the features of $C(M_\gamma)$, the adversary A chooses $\gamma'$. Comparing $\gamma'$ with $\gamma$, we discuss the following situations. Firstly, the probability that A guesses $d_i', p_i', H_3(\tilde{M}')$ correctly is negligible. Secondly, if A has obtained the right values of $d_i', p_i', H_3(\tilde{M}')$ by some special method, the success probability of $\gamma' = \gamma$ is $\Pr\big[G, H_3(\cdot), V_3', V_4, d_i', p_i', H_3(\tilde{M}')\big]$. The probability of A guessing the bit $\gamma \in \{0,1\}$ directly is $\Pr[\gamma = \gamma'] = \frac{1}{2}$. However, since the DDH problem is hard to solve,

$\Big| \Pr\big[G, H_3(\cdot), V_3', V_4, d_i', p_i', H_3(\tilde{M}')\big] - \Pr[\gamma = \gamma'] \Big| < \mathrm{negl}$

holds, where negl is a negligible function. Thus, the matrix-based key agreement is secure.

6 Performance analysis
We compare our lightweight authentication phase with Chuang et al. [26] and Shi et al. [27]. Chuang et al. [26] present three variants of their lightweight authentication, and we choose the one with the relatively lower computation cost for comparison. We use the following notations: "–" means the computational cost is empty; $T_h$ is the time of a one-way hash function; $T_{xor}$ is the time of an XOR operation; $T_{sm}$ is the time of a scalar multiplication. Table 1 shows the comparison of computational cost for the SA phase. We compare our PD authentication phase with Tan [28] and Hwang et al. [29]. In this phase we generate public and private keys to encrypt the message, so we change the objects of comparison [30]. Since this phase involves encryption, we compare online and offline authentication, and we choose only their MU aspect for comparison. $T_{inv}$ is the time of one inverse operation; $T_e$ is the time of a pairing operation; $T_m$ is the time of a modular operation; $T_{sys}$ is the time of an encryption. Table 2 shows the comparison of computational cost for the PD phase.

Table 1 Comparison of the computational time for SA phase
Scheme    | Registration  | Authentication
Chuang's  | 1Th + 1Txor   | 8Th + 5Txor
Shi's     | 3Th + Tsm     | 12Th + 6Tsm
Our       | –             | 7Th + 3Txor

Table 2 Comparison of the computational time for PD phase
Scheme    | Online authentication            | Offline authentication
Hwang's   | 8Th + 8Te + 1Tm + 2Tsys + 1Tinv  | 4Th + 2Tsys
Tan's     | 4Th + 2Te + 2Tm + 1Tsys          | 8Th + 4Tsys
Our       | 7Th + 5Te + 1Tm + 6Txor          | –

7 Conclusions

With the development of fog computing, some security issues of healthcare can be settled. In this paper, we propose a lightweight authentication and matrix-based key agreement scheme for healthcare. To accomplish secure transmission among sensors, patients and doctors in the open channel, we design the lightweight authentication phase to ensure the identity of each party. What's more, to finish the secure healthcare uploading, we combine the matrix-based key agreement phase with DLC-table data storage. In addition, the structure of the DLC-table guarantees data anonymity and saves storage space. The security analysis and theoretical proof indicate the security of our scheme. The performance analysis shows that our scheme can be executed more efficiently than other schemes in the healthcare environment.

Acknowledgements This work is supported by the National Natural Science Foundation of China under Grant No. 61672295, No. 61672290, and No. 61772280, Guangxi Key Laboratory of Cryptography and Information Security under Grant No. GCIS201715, the CICAEET fund, and the PAPD fund.

Publisher's Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

References

1. Zhu N, Craddock I, Diethe T et al (2015) Bridging e-health and the internet of things: the SPHERE project. IEEE Intell Syst 30(4):39–46
2. Shen J, Zhou T, Chen X, Li J, Susilo W (2018) Anonymous and traceable group data sharing in cloud computing. IEEE Trans Inf Forensics Secur 13(4):912–925
3. Chen S-L, Nie J, Lin T-L, Chung R-L, Hsia C-H, Liu Z-Y, Wu H-X (2018) VLSI implementation of an ultra low-cost and low-power image compressor for wireless camera networks. J Real-Time Image Proc 14(4):803–812
4. Hsia C-H, Dai Y-J, Chen S-L, Lin T-L, Shen J (2018) A gait sequence analysis for IP camera using a modified LBP. Journal of Internet Technology (JIT) 19(2):451–458
5. Shen J, Zhou T, He D, Zhang Y, Sun X, Xiang Y (2017) Block design-based key agreement for group data sharing in cloud computing. IEEE Trans Dependable Secure Comput. https://doi.org/10.1109/TDSC.2017.2725953
6. Vasilakos AV, Vasilakos AV, Vasilakos AV et al (2017) Fog computing for sustainable smart cities: a survey. ACM Comput Surv 50(3):32
7. Shen J, Shen J, Chen X, Huang X, Susilo W (2017) An efficient public auditing protocol with novel dynamic structure for cloud data. IEEE Trans Inf Forensics Secur 12(10):2402–2415
8. Hsia C-H (2018) New verification method for finger-vein recognition system. IEEE Sensors J 18(2):790–797
9. Hsia C-H, Guo J-M, Wu C-S (2017) Finger-vein recognition based on parametric-oriented corrections. Multimedia Tools and Applications (MTAP) 76(23):25179–25196
10. Wang D, Wang N, Wang P, Qing S (2015) Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf Sci 321:162–178
11. Kim SS (2016) Mutual authentication scheme between biosensor device and data manager in healthcare environment. J Supercomput 72(1):1–8
12. Shen J, Wang C, Lai CF, Wang A, Chao HC (2016) Direction density-based secure routing protocol for healthcare data in incompletely predictable networks. IEEE Access 4:9163–9173
13. Wang C, Shen J, Liu Q, Ren Y, Li T (2018) A novel security scheme based on instant encrypted transmission for internet of things. Security and Communication Networks (SCN) 2018:1–7. https://doi.org/10.1155/2018/3680851
14. Shen J, Wang C, Wang A, Ji S, Zhang Y (2018) A searchable and verifiable data protection scheme for scholarly big data. IEEE Transactions on Emerging Topics in Computing (TETC). https://doi.org/10.1109/TETC.2018.2830368
15. Cilardo A, Coppolino L, Mazzocca N, Romano L (2006) Elliptic curve cryptography engineering. Proc IEEE 94(2):395–406
16. Shi W, Gong P (2013) A new user authentication protocol for wireless sensor networks using elliptic curves cryptography. Int J Distrib Sens Netw 2013(730831):51–59
17. Shen J, Shen J, Lai C-F, Liu Q, Zhou T (2018) Cloud based data protection in anonymously controlled SDN. Security and Communication Networks (SCN) 2018:1–8. https://doi.org/10.1155/2018/9845426
18. Barua R, Dutta R, Sarkar P (2003) Extending Joux's protocol to multi party key agreement. In: International Conference on Cryptology in India, vol 2904. Springer, Berlin, Heidelberg, pp 205–217
19. Chen X, Li J, Weng J, Ma J, Lou W (2016) Verifiable computation over large database with incremental updates. IEEE Trans Comput 65(10):3184–3195
20. Shen J, Liu D, Bhuiyan MZA, Shen J, Sun X, Castiglione A (2017) Secure verifiable database supporting efficient dynamic operations in cloud computing. IEEE Transactions on Emerging Topics in Computing (TETC). https://doi.org/10.1109/TETC.2017.2776402
21. Xu J, Xue K, Yang Q, Hong P (2018) PSAP: pseudonym-based secure authentication protocol for NFC applications. IEEE Trans Consum Electron 64(1):83–91
22. Ni J, Lin X, Shen XS (2018) Efficient and secure service-oriented authentication supporting network slicing for 5G-enabled IoT. IEEE J Sel Areas Commun 36(3):644–657
23. Madhusudhan R, Mittal RC (2012) Dynamic ID-based remote user password authentication schemes using smart cards: a review. J Netw Comput Appl 35(4):1235–1248
24. Shen J, Liu D, He D, Huang X, Xiang Y (2017) Algebraic signatures-based data integrity auditing for efficient data dynamics in cloud computing. IEEE Transactions on Sustainable Computing (T-SUSC). https://doi.org/10.1109/TSUSC.2017.2781232
25. Chen X, Li J, Ma J, Tang Q, Lou W (2014) New algorithms for secure outsourcing of modular exponentiations. IEEE Transactions on Parallel & Distributed Systems (TPDS) 25(9):2386–2396
26. Chuang MC, Lee JF (2011) TEAM: trust-extended authentication mechanism for vehicular ad hoc networks. In: International Conference on Consumer Electronics, Communications and Networks (CECNet), pp 1758–1761
27. Shi W, Gong P (2013) A new user authentication protocol for wireless sensor networks using elliptic curves cryptography. International Journal of Distributed Sensor Networks (IJDSN) 2013(730831):51–59
28. Tan Z (2018) Secure delegation-based authentication for telecare medicine information systems. IEEE Access 6:26091–26110
29. Hwang SJ, You CH (2013) A delegation-based unlinkable authentication protocol for portable communication systems with non-repudiation
30. Shen J, Zhou T, Wei F et al (2018) Privacy-preserving and lightweight key agreement protocol for V2G in the social internet of things. IEEE Internet Things J 2017. https://doi.org/10.1109/JIOT.2017.2775248

Jian Shen received the M.E. and Ph.D. degrees in Computer Science from Chosun University, South Korea, in 2009 and 2012, respectively. Since late 2012, he has been a professor at Nanjing University of Information Science and Technology, Nanjing, China. His research interests include public key cryptography, secure data sharing and data auditing in cloud.

Huijie Yang received the B.E. degree from Nanjing University of Information Science and Technology, Nanjing, China, in 2017. She is currently working toward the M.E. degree in NUIST, Nanjing, China. Her research interests include computer and network security, cryptography and secure multi-party computation.

Anxi Wang received the B.E. degree in 2016 and is currently working toward the M.E. degree at NUIST, Nanjing, China. He focuses on routing protocols in wireless sensor networks and group user authentication scheme in networks. His research interests include ad-hoc networks and systems, information security, and wireless sensor networks.

Tianqi Zhou received the B.E. degree from Nanjing University of Information Science and Technology, Nanjing, China, in 2016. She is currently working toward the M.E. degree in NUIST, Nanjing, China. Her research interests include computer and network security, security systems and cryptography.

Chen Wang received the B.E. degree in 2016 and is currently working toward the M.E. degree at Nanjing University of Information Science and Technology, Nanjing, China. He focuses on information security and incompletely predictable ad hoc networks. His research interests include information security, ad-hoc networks and systems, and wireless sensor networks.
