2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications

Privacy-Preserving Wireless Medical Sensor Network

Xun Yi, College of Engineering and Science, Victoria University, Melbourne, VIC 8001, Australia. Email: [email protected]

Jan Willemson, STACC and Cybernetica, Tartu 51003, Estonia. Email: [email protected]

in-clinic, and open environment monitoring (e.g., athlete health monitoring). CodeBlue [2], [3] is a popular healthcare research project based on WMSN developed at the Harvard Sensor Network Lab. In this architecture, several medical sensors (e.g., pulse oximeter, EMG, EKG, and SpO2 sensors) are placed on the patient's body. These medical sensors sense the patient's body and transmit the data wirelessly to the end-user devices (PDAs, laptops, and personal computers) for further analysis. Furthermore, the CodeBlue architecture facilitates RF-based localization, which is accurate enough to locate a patient's or medical professional's position. Alarm-Net [4] is a heterogeneous network architecture designed at the University of Virginia for patient health monitoring in the assisted-living and home environments. Alarm-Net consists of body sensor networks and environmental sensor networks. Three network tiers are applied to the proposed assisted-living and home environments, where the AlarmGate is a gateway between the wireless sensor and IP networks, and is also connected to a back-end server. UbiMon (Ubiquitous Monitoring environment for wearable and implantable sensors) [5] is a BSN (Body Sensor Network) architecture composed of wearable and implantable sensors using an ad hoc network. The aim of the project is to provide continuous monitoring of an individual's physiological state and to capture transient as well as life-threatening abnormalities so that they can be detected and predicted. MEDiSN [6], designed at Johns Hopkins University, monitors patients in hospital and during disaster events. It comprises multiple physiological monitors (called PMs), which are battery-powered motes equipped with medical sensors for collecting patients' physiological health information (e.g., blood oxygenation, pulse rate, electrocardiogram signals, etc.). Moreover, MEDiSN is connected with a back-end database that constantly stores medical data and presents them to authenticated GUI clients.

In wireless healthcare applications, wireless sensor networks certainly improve the patient's quality of care without disturbing their comfort. The medical sensor senses the patient's sensitive body data and transmits it over wireless channels, which are more susceptible to attack than wired networks. Thus, when sensitive patient physiological variables are transmitted from

Abstract—In a wireless medical sensor network, the sensitive patient data is transmitted through the open air. It is more vulnerable to eavesdropping, spoofing, altering and replaying attacks, compared with the wired network. Some work has been done to secure the wireless medical sensor network using efficient symmetric key cryptosystems. These efforts can protect the patient data during transmission, but cannot stop the inside attack, where the administrator of the patient database reveals the sensitive patient data. To prevent the inside attack, more advanced cryptographic techniques, such as attribute-based encryption, may be used. However, it is too expensive to implement these techniques in wireless sensor networks with low-power and low-cost sensor nodes. In this paper, we propose a practical approach to prevent the inside attack by using the Sharemind system, developed by Cybernetica to perform computations on input data without compromising its privacy. This paper has two main contributions. One contribution is proposing a lightweight encryption algorithm to protect the communication between the sensor node and the Sharemind system. Another contribution is employing the Sharemind system to protect patient data privacy and support medical research.

Keywords-Medical sensor network, SHA-3, Sharemind, privacy-preserving computation

I. INTRODUCTION

In recent years, we have witnessed that wireless sensor networks have been widely used in healthcare applications, such as hospital and home patient monitoring. A wireless sensor network (WSN) consists of spatially distributed autonomous sensors that monitor physical or environmental conditions, such as temperature, sound, pressure, etc., and cooperatively pass their data through the network to a main location. The more modern networks are bi-directional, also enabling control of sensor activity. The development of wireless sensor networks was motivated by military applications such as battlefield surveillance; today such networks are used in many industrial and consumer applications, such as industrial process monitoring and control, machine health monitoring, and so on. Healthcare applications are considered a promising field for wireless sensor networks, where patients can be monitored in hospitals and even at home using wireless medical sensor networks (WMSNs). In recent years, several WMSN projects have been proposed [1], which aim to provide continuous patient monitoring, in-ambulatory, in-hospital,

978-0-7695-5022-0/13 $26.00 © 2013 IEEE DOI 10.1109/TrustCom.2013.19

Farid Nait-Abdesselam, Faculty of Mathematics and Computer Science, University of Paris Descartes, 75270 Paris, France. Email: [email protected]


sensor nodes to the server, they must remain secure and private from security threats. Based on public key cryptography, some security mechanisms have been proposed to provide confidentiality, authentication and integrity for WMSNs, such as [9], [10], [11], [12], [13], [14]. Public key cryptography is too expensive for wireless sensor networks with low-cost and low-power sensor nodes. Security protocols for sensor networks must rely exclusively on efficient symmetric key cryptography. Some protocols to secure wireless medical sensor networks have been proposed on the basis of symmetric key cryptosystems, as follows. Muhammed et al. [15] proposed a biometric-based distributed key management protocol, named BARI+, for wireless body area networks. The BARI+ architecture consists of a PS (personal server), an MS (medical server), and a WBAN (wireless body area network). In their scheme the WBAN is managed by four keys, namely, the communication key, administrative key, basic key, and secret key, that are shared by the sensor node and the medical database/server. The BARI+ protocol is divided into three phases: (i) initial deployment phase: all initial keys are deployed in the PS, MS and WBAN in this phase; (ii) re-keying phase: in order to refresh the communication key, the PS computes a value from the patient's biometrics, encrypts it, and broadcasts it into the network; and (iii) node addition phase: if a new node is added, the MS informs the PS about the new deployment by sending the identities, basic keys and other relevant information of the new node to the PS. Dagtas et al. [16] proposed a real-time and secure architecture for health monitoring in smart homes using ZigBee technology. The proposed framework has the following features: (a) the ability to detect signals wirelessly within a body area sensor network (BSN); (b) low-power and reliable data transmission using ZigBee technology; (c) secure transmission of medical data over the BSN; (d) efficient channel allocation over wireless networks; and (e) optimized analysis of data using an adaptive framework that maximizes the processing and computational capacity. A secure key management protocol was proposed to establish secure session keys in body sensor networks, and the cryptographic keys facilitate security services, e.g., confidentiality, authentication, and data integrity. An authentication protocol was used between the body sensors and the handheld device of the mobile patient. Kumar et al. [17] proposed secure health monitoring (SHM) using medical wireless sensor networks. SHM provides security services such as confidentiality, authenticity, and integrity to the patient data at low computation and communication cost. The proposed scheme has the following components: (a) the ability to detect ECG signals wirelessly within the patient body, (b) low-power and reliable data transmission using Telos-B technology. In SHM, confidentiality is achieved by the PingPong-128 stream cipher

cryptography, and authentication and integrity are achieved by PingPong-MAC, i.e., a message authentication code. To the best of our knowledge, SAGE [14] is the only eHealth system for privacy-preserving WMSNs. However, the system is built on elliptic curve cryptography (public key cryptography) and cannot be implemented in WMSNs with low-power and low-cost sensor nodes.

In this paper, we propose an efficient solution for privacy-preserving WMSNs based on a symmetric key cryptosystem implemented by the hash function SHA-3 [18]. Our solution is built on the Sharemind system [19], [20] developed by Cybernetica and can be easily implemented in WMSNs with low-power and low-cost sensor nodes. We consider a wireless medical sensor network (WMSN) composed of three data servers and some sensor nodes, where each sensor node shares three secret keys with the three data servers, respectively. Our basic idea is that when a sensor node wishes to upload patient data (such as a temperature reading) to the patient database, it first splits the data into three numbers such that their sum is equal to the original data, and then uploads them to the three data servers through different secure channels. When a doctor queries patient data, each data server checks his credential and replies to him with one component of the patient data through a secure channel if the doctor satisfies the access control policies. Then the doctor can obtain the patient data after combining the three components. The privacy of the patient data is preserved if the three data servers never collude.

We have two main contributions in this paper. First, we propose a lightweight encryption algorithm based on the hash function SHA-3 to protect the communications between each sensor node and each data server. Then we employ the Sharemind system to protect the patient data privacy. Our system supports statistical analysis on patient data without compromising the patient data privacy.

The rest of the paper is organized as follows. Section II introduces the basic building blocks from which our solution is constructed. Section III describes our solution. Security and performance analysis is performed in Section IV. Conclusions are drawn in the last section.

II. PRELIMINARIES

Two basic building blocks of our solution are SHA-3 and Sharemind.

A. SHA-3

SHA-3, originally known as Keccak [18], is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. On October 2, 2012, Keccak was selected as the winner of the NIST hash function competition [21]. SHA-3 uses the “sponge construction”, where input is “absorbed” into the hash state at a given rate, then an


output hash is “squeezed” from it at the same rate. SHA-3 is a family of sponge functions as shown in Fig. 1, where P_1, P_2, ..., P_i are inputs and Z_0, Z_1 are outputs. The sponge function is a generalization of the concept of a cryptographic hash function with infinite output and can perform all symmetric cryptographic functions, from hashing to pseudo-random number generation to authenticated encryption.

Figure 1. SHA-3

As the primitive used in the sponge construction, the Keccak instances call one of seven permutations named Keccak-f[r + c], with r + c = 5 × 5 × 2^ℓ (ℓ = 0, 1, 2, ..., 6), and the size of P_i and Z_j is r bits. r is called the bitrate and c is called the capacity. The largest permutation is Keccak-f[1600], but smaller (or more “lightweight”) permutations can be used in constrained environments. Each permutation consists of the iteration of a simple round function. The round function further consists of 5 invertible step mappings:
• θ for diffusion;
• ρ for inter-slice dispersion;
• π for disturbing horizontal/vertical alignment;
• χ for non-linearity;
• ι to break symmetry;
from a (3-dimensional) 5 × 5 × 2^ℓ array of bits to a (3-dimensional) 5 × 5 × 2^ℓ array of bits. Each permutation has 12 + 2ℓ iterations of the five sub-rounds. For details, please refer to [18]. The choice of operations in SHA-3 is limited to bitwise XOR, AND and NOT and rotations. The authors claim 12.5 cycles per byte [22] on an Intel Core 2 CPU. However, in hardware implementations it is notably faster than all other finalists [23].

B. Sharemind

Sharemind [20] is a data processing system capable of performing computations on input data without compromising its privacy. Basically, it can process data without seeing it. The system is based on solid cryptographic foundations. Secret sharing is used to preserve the privacy of the data and secure multi-party computation allows the user to work with the data.

Figure 2. Sharemind

The high level description of the Sharemind framework is depicted in Fig. 2. Essentially, one can view Sharemind as a virtual processor that provides secure storage for shared inputs and performs privacy-preserving operations on them. Each miner node P_i has a local database for persistent storage and a local stack for storing intermediate results. All values in the database and stack are shared among all miners P_1, P_2, P_3 by using additive secret sharing over Z_{2^32}. For example, an integer a is shared by the three miners such that each miner keeps an integer a_i and (a_1 + a_2 + a_3) (mod 2^32) = a. The framework provides efficient protocols for basic mathematical operations so that one can easily implement more complex tasks. In particular, one should be able to construct such protocols without any knowledge about the underlying cryptographic techniques. For that reason, all implementations of basic operations in the Sharemind framework are perfectly universally composable. The current version of the Sharemind framework is based on three miner nodes and tolerates semi-honest corruption of a single node, i.e., no information is leaked unless two miner nodes collaborate. Initially, the database is empty and data donors have to submit their inputs by sending the corresponding shares privately to the miners, who store them in the database. After the input data is collected, a data analyst can start privacy-preserving computations by sending instructions to the miners. Each arithmetic instruction invokes a secure multi-party protocol that provides new shares. For instance, suppose the three miners, each keeping a_i and b_i such that (a_1 + a_2 + a_3) (mod 2^32) = a < 2^16 and (b_1 + b_2 + b_3) (mod 2^32) = b < 2^16, wish to privately compute a · b = c. They run a privacy-preserving multiplication protocol and each miner obtains one share c_i of c such that


(c_1 + c_2 + c_3) (mod 2^32) = c. The current implementation of the Sharemind framework provides privacy-preserving addition, multiplication, division and greater-than-or-equal comparison of two shared values. It also allows multiplying a shared value by a constant and extracting its bits as shares. Share conversion from Z_2 to Z_{2^32} and bitwise addition are mostly used as components in other protocols, but they are also available to the programmer. Bit extraction and arithmetic primitives together are sufficient to implement any Boolean circuit with a linear overhead, and thus the Sharemind framework is also Turing complete.

III. PRIVACY-PRESERVING WIRELESS MEDICAL SENSOR NETWORK

A. Our Model

In our model, we consider a scenario where medical sensors collect the data from the body of the patient and forward the data to the Sharemind system with three data servers as shown in Fig. 3. The patient data is shared among the three data servers, which cooperate to control access to the patient data.

Figure 3. Our Model (Sharemind: Server 1, Server 2, Server 3, private computation protocols)

When a doctor wishes to get access to the patient data, he needs to send a request to the three data servers; each of them first checks the doctor's credential against the access control list and then replies to the doctor with the patient data. We assume that each medical sensor shares three secret keys with the three data servers, respectively. The three secret keys are embedded into each sensor when we deploy it. Each secret key is used to protect the communication between the sensor and one server. Considering that a sensor node usually has limited memory, communication and computation capabilities, we assume that each sensor includes the smallest version of SHA-3 (r = 40 and c = 160) [22] only. It does not contain any secret key cryptosystem, such as DES and AES, or any public key cryptosystem, such as RSA and ElGamal.

We consider two types of attacks on our system, the outside attack and the inside attack. The outside attacker does not know any secret key in our system, but the inside attacker knows some secret keys. For example, one server, which knows the secret keys shared between all medical sensors and itself, may be a potential inside attacker. We require that the patient data can be accessed only by the authorized doctors. Each server in Sharemind must not get access to any patient data in plain.

B. Secure Communication Protocol

To protect the communication between the medical sensor and each server, we employ a lightweight encryption algorithm based on the smallest version of SHA-3 with r = 40 and c = 160 [24] as follows. Suppose that the size of the secret key K is 80 bits; the sensor uses the smallest version of SHA-3 with the 80-bit secret key K plus an initial vector IV to generate a stream of encryption keys k_1, k_2, ..., each taking the first 32 bits out of a 40-bit output (because Sharemind operates on 32-bit integers), as shown in Fig. 4.

Figure 4. Key Stream and MAC Generation Algorithms

The initial vector IV has 80 bits as well and includes the current time stamp to prevent the replaying attack. The stream of encryption keys k_1, k_2, ... is used to encrypt plain integers. To encrypt a sequence of plain integers m_1, m_2, ... from the medical sensor to the server, the sensor computes a sequence of ciphertexts c_1, c_2, ..., where c_i = m_i ⊕ k_i for i = 1, 2, ... and ⊕ stands for XOR, and sends IV, c_1, c_2, ... to the server. To decrypt a sequence of ciphertexts c_1, c_2, ... from the medical sensor, the server generates the sequence of encryption keys k_1, k_2, ... with the same secret key K and the same initial vector IV as shown in Fig. 4 and then computes the sequence of plain integers c_1 ⊕ k_1, c_2 ⊕ k_2, ....
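The key stream and MAC generation of Fig. 4, as an added example in Python; this is not the paper's code or Cybernetica's. It implements the Keccak-f[200] permutation of Section II.A and the sponge with r = 40 and c = 160, then uses them as Section III.B describes: the key stream is squeezed after absorbing K || IV and each k_i is the first 32 bits of a 40-bit output, and the MAC is the 80-bit sponge output (n = 2r, as in Section IV.A) over K || IV followed by the plain integers. Assumptions beyond the text: Keccak's pad10*1 padding (the Keccak the paper cites, not the later FIPS 202 domain bits), a 32-bit time stamp in the first bytes of the IV that the server compares with the last one it accepted, and constructed key and reading values.

```python
import hmac
import secrets
import struct

W = 8                    # lane width for Keccak-f[200]: 25 lanes of 8 bits = 200-bit state
MASK = (1 << W) - 1
ROUNDS = 12 + 2 * 3      # 12 + 2*l rounds with l = log2(W) = 3
RATE = 5                 # r = 40 bits per absorbed/squeezed block, so c = 160 bits

def _rol(v, n):
    n %= W
    return ((v << n) | (v >> (W - n))) & MASK if n else v

def _rho_offsets():
    # rho rotation offsets from the Keccak (x, y) walk, reduced mod the lane width
    off = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        off[x][y] = ((t + 1) * (t + 2) // 2) % W
        x, y = y, (2 * x + 3 * y) % 5
    return off

def _round_constants():
    def rc(t):  # iota LFSR (x^8 + x^6 + x^5 + x^4 + 1) from the Keccak reference
        r = 1
        for _ in range(t % 255):
            r <<= 1
            if r & 0x100:
                r ^= 0x171
        return r & 1
    return [sum(rc(j + 7 * i) << ((1 << j) - 1) for j in range(4)) & MASK
            for i in range(ROUNDS)]

RHO, RC = _rho_offsets(), _round_constants()

def keccak_f200(state):
    """Keccak-f[200] on a 25-byte state; byte i is lane (x, y) = (i % 5, i // 5)."""
    a = [[state[x + 5 * y] for y in range(5)] for x in range(5)]
    for rnd in range(ROUNDS):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]  # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):                                                       # rho, pi
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], RHO[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & MASK & b[(x + 2) % 5][y])          # chi
              for y in range(5)] for x in range(5)]
        a[0][0] ^= RC[rnd]                                                       # iota
    return bytes(a[i % 5][i // 5] for i in range(25))

def sponge(msg, out_len):
    """Sponge with r = 40: absorb msg under pad10*1, then squeeze out_len bytes."""
    padded = bytearray(msg) + b"\x01"
    padded += b"\x00" * (-len(padded) % RATE)
    padded[-1] |= 0x80
    state = bytearray(25)
    for i in range(0, len(padded), RATE):
        for j in range(RATE):
            state[j] ^= padded[i + j]
        state = bytearray(keccak_f200(state))
    out = b""
    while len(out) < out_len:
        out += bytes(state[:RATE])
        state = bytearray(keccak_f200(state))
    return out[:out_len]

def key_stream(key, iv, count):
    """k_1..k_count: the first 32 bits of each 40-bit output after absorbing K || IV."""
    out = sponge(key + iv, RATE * count)
    return [struct.unpack(">I", out[RATE * i:RATE * i + 4])[0] for i in range(count)]

def mac(key, iv, ints):
    """80-bit MAC (n = 2r) over K || IV || m_1 || ... || m_t."""
    return sponge(key + iv + b"".join(struct.pack(">I", m) for m in ints), 10)

def make_iv(timestamp):
    # 80-bit IV: 32-bit time stamp for replay protection, then 48 random bits (assumed layout)
    return struct.pack(">I", timestamp) + secrets.token_bytes(6)

def sensor_send(key, iv, ints):
    """Sensor: c_i = m_i XOR k_i, sent together with IV and the MAC of the plain integers."""
    cts = [m ^ k for m, k in zip(ints, key_stream(key, iv, len(ints)))]
    return iv, cts, mac(key, iv, ints)

def server_receive(key, iv, cts, tag, last_timestamp):
    """Server: reject a stale time stamp, decrypt, recompute and compare the MAC."""
    if struct.unpack(">I", iv[:4])[0] <= last_timestamp:
        return None                       # replayed or reordered message
    ints = [c ^ k for c, k in zip(cts, key_stream(key, iv, len(cts)))]
    if not hmac.compare_digest(mac(key, iv, ints), tag):
        return None                       # altered ciphertext or forged MAC
    return ints
```

The server decrypts before it verifies because the MAC is computed over the plain integers, as the text specifies; nothing is acted on until `compare_digest` succeeds, and the constant-time comparison avoids leaking how many tag bytes matched. The time stamp check is what turns the IV into replay protection: the same IV, ciphertexts and tag presented a second time are rejected even though they verify.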


The encryption and decryption procedures are correct because c_i ⊕ k_i = (m_i ⊕ k_i) ⊕ k_i = m_i.

To ensure the authenticity and integrity of plain integers from the medical sensor to the server, the sensor also needs to generate a message authentication code (MAC) with the secret key K, the initial vector IV and the plain integers as the padded message, as shown in Fig. 4, and send the MAC to the server along with the sequence of ciphertexts. To verify the authenticity and integrity of the message, the server compares the MAC computed with the secret key K, the initial vector and the decrypted integers m_1, m_2, ..., as shown in Fig. 4, with the MAC received from the sensor. If the computed MAC matches the received MAC, the message is genuine; otherwise it is discarded.

Remark. The patient data may be decimal numbers with two digits after the point. In this case, the sensor should amplify the decimal numbers by 100 so that the above encryption algorithm can be used to upload the patient data to the three servers, and tell the servers the amplification.

Remark. A server can manage the secret keys shared with the sensors by one master secret key MK only. The secret key between the server and a sensor with the identity ID can be computed by SHA-3 as H(ID, MK).

C. Data Collection and Access Control Protocol

Our lightweight encryption algorithm can be used to create three secure channels between the medical sensor and the three servers in Sharemind, respectively. Through one secure channel, the medical sensor sends a sequence of integers (each less than 2^32) to one server securely. To prevent a server from understanding the patient data and revealing the patient privacy (the inside attack), the medical sensor splits the patient data into three components and sends them to the three servers through three secure channels, respectively, as shown in Fig. 5.

Figure 5. Data Collection and Access Control

For example, when the sensor senses a reading ρ from the patient, e.g., the temperature (represented as 32 bits), it chooses two random 32-bit integers α, β and computes

γ = ρ − α − β (mod 2^32).

Then the sensor sends α, β, γ with MACs to the three servers through three secure channels, respectively. If the three servers do not collude, none can learn the patient data ρ.

Remark: Some work to design efficient Cryptographic Pseudo-Random Number Generators (CPRNGs) for wireless sensor networks has been done. For example, TinyRNG [25], a CPRNG for wireless sensor nodes, uses the received bit errors as one of the sources of randomness. It has been shown that transmission bit errors on a wireless sensor network are a very good source of randomness. These errors are randomly distributed and uncorrelated from one sensor to another, and difficult to observe and manipulate by an attacker.

Each server will create a database to store the patient data. The database structure looks like: the patient's identity, shares of the sensor's readings, etc. To get access to the patient data ρ shared by the three servers in three databases, the doctor needs to send a request including the patient's identity and the doctor's credential to the three servers in Sharemind, respectively. If the doctor's credential passes the authentication and meets the access control policies, the three servers in Sharemind reply α, β, γ to the doctor through three secure channels, respectively. Finally, the doctor combines the three integers to obtain the patient data ρ by computing

ρ = α + β + γ (mod 2^32).

Remark: Because the servers and the doctor's computing device usually have powerful computation and communication capabilities, a public key cryptosystem can be used for each server to authenticate the doctor and to create the secure channels between the doctor and the three servers in Sharemind, respectively.

D. Private Computation Protocol

Our system supports not only access control to patient data but also privacy-preserving statistical analysis on patient data for medical research, where the three servers in Sharemind help the medical researcher analyse patient data without compromising the patient privacy. Our system is built on Sharemind, and the current implementation of the Sharemind framework provides privacy-preserving addition, multiplication, division and greater-than-or-equal comparison of two shared values, and other basic algebraic operations [19]. To demonstrate that our system can help the medical researcher analyse patient data without compromising the patient privacy, we consider an example of private regression analysis on ten patients' data listed in Tab. 1 [26].
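The data collection and access control protocol of Section III.C, simulated end to end as an added example in Python; it is not the paper's code or Sharemind's. It shows the sensor-side split of ρ into α, β, γ over Z_{2^32} (with the ×100 amplification of the remark in Section III.B), one database and one credential check per server, and the doctor-side combination ρ = α + β + γ (mod 2^32). The three secure channels of Section III.B are assumed to be in place and are not modelled; the patient identities, credentials, access control lists and readings are constructed.

```python
import secrets

MOD = 1 << 32   # Sharemind shares are 32-bit integers

def split_reading(rho):
    """Sensor side: alpha, beta random, gamma = rho - alpha - beta (mod 2^32)."""
    alpha, beta = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return alpha, beta, (rho - alpha - beta) % MOD

def combine(alpha, beta, gamma):
    """Doctor side: rho = alpha + beta + gamma (mod 2^32)."""
    return (alpha + beta + gamma) % MOD

def encode_reading(value, decimals=2):
    """Remark in III.B: a decimal reading is amplified by 10^decimals before splitting."""
    return round(value * 10 ** decimals)

def decode_reading(value, decimals=2):
    return value / 10 ** decimals

class DataServer:
    """One of the three Sharemind servers: it stores one share per reading and
    checks credentials against its own access control list (constructed here)."""

    def __init__(self, name, acl):
        self.name = name
        self.acl = acl      # credential -> set of patient ids the holder may read
        self.db = {}        # patient id -> list of (scale, share) rows

    def store(self, patient_id, scale, share):
        self.db.setdefault(patient_id, []).append((scale, share))

    def query(self, patient_id, credential):
        # Authentication and the access control policy are enforced by every server,
        # so a doctor must satisfy all three to obtain all three shares.
        if patient_id not in self.acl.get(credential, set()):
            return None
        return list(self.db.get(patient_id, []))

def sensor_upload(servers, patient_id, value, decimals=2):
    """Split the amplified reading and hand one share to each server."""
    shares = split_reading(encode_reading(value, decimals))
    for server, share in zip(servers, shares):
        server.store(patient_id, decimals, share)

def doctor_fetch(servers, patient_id, credential):
    """Request the shares from all three servers and combine them, or fail."""
    replies = [s.query(patient_id, credential) for s in servers]
    if any(r is None for r in replies):
        return None
    readings = []
    for (scale, a), (_, b), (_, g) in zip(*replies):
        readings.append(decode_reading(combine(a, b, g), scale))
    return readings

def single_server_view(server, patient_id):
    """What one server (a potential inside attacker) holds: shares only."""
    return [share for _, share in server.db.get(patient_id, [])]
```

Each share a single server stores is a uniformly random 32-bit integer, and so is the sum of any two of them, which is why the database administrator of one server learns nothing about ρ and the inside attack needs all three servers to collude.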

Table 1. IL-6 levels in brain and serum (pg/ml) of 10 patients with subarachnoid hemorrhage

Patient i   Serum IL-6 (pg/ml) x   Brain IL-6 (pg/ml) y
    1             22.4                  134.0
    2             51.6                  167.0
    3             58.1                  132.3
    4             25.1                   80.2
    5             65.9                  100.0
    6             79.7                  139.1
    7             75.3                  187.2
    8             32.4                   97.2
    9             96.4                  192.3
   10             85.7                  199.4

In Tab. 1, suppose the Serum IL-6 level x_i and Brain IL-6 level y_i of patient i are shared among three servers, which need to privately determine α and β in the linear equation y_i = α + βx_i, where the formulas for the least squares estimates are

$$\beta = \frac{\sum_{i=1}^{n}(x_i - \bar{x})(y_i - \bar{y})}{\sum_{i=1}^{n}(x_i - \bar{x})^2}, \qquad \alpha = \bar{y} - \beta\bar{x},$$

where $\bar{x} = \frac{\sum_{i=1}^{n} x_i}{n}$ and $\bar{y} = \frac{\sum_{i=1}^{n} y_i}{n}$. Suppose that we wish to keep one digit after the point. To privately compute α, β with Sharemind, we initially amplify x_i and y_i by 10 and let the three servers share 10x_i and 10y_i, respectively. Firstly, the three servers run the private addition protocol repeatedly to compute and share $X = \sum_{i=1}^{10} 10x_i$ and $Y = \sum_{i=1}^{10} 10y_i$. In fact, X = 100x̄, Y = 100ȳ. Secondly, the three servers run the private addition and multiplication protocols repeatedly to compute and share (100x_i − X)(100y_i − Y) and (100x_i − X)^2 for i = 1, 2, ..., 10, and run the private addition protocol repeatedly to compute and share $A = \sum_{i=1}^{10} (100x_i - X)(100y_i - Y)$ and $B = \sum_{i=1}^{10} (100x_i - X)^2$. Then the three servers run the private division protocol to compute and share 10A/B = 10β (please refer to [19] for the details of the private division protocol). At last, the three servers run the private multiplication protocol and the private addition protocol to compute and share 1000α = 10Y − (10β)X. After the data analyst receives the shares of 1000α and 10β, he can easily combine the shares to get α and β.

IV. SECURITY AND PRIVACY ANALYSIS

A. Security Analysis

In our system, there are three parts of communications as shown in Fig. 3:
• The communications between the medical sensors and the three servers;
• The communications among the three servers;
• The communications between the doctor and the three servers.

Considering that the medical sensors are usually low-power and low-cost, we introduce a lightweight encryption scheme on the basis of the smallest version of SHA-3 with r = 40 and c = 160 to protect the communications between the medical sensors and the three servers. In the encryption scheme, the size of the secret key shared by the medical sensor and each server is 80 bits, which is sufficiently large to withstand the brute-force attack. Like most secure network protocols, we use message authentication codes (MACs) to ensure the authenticity of messages. We use SHA-3 to generate the MAC on the basis of the hash-based message authentication code scheme [27]. The SHA-3 proposal sets a conservative c = 2n, where n is the size of the output hash. Our MAC scheme (as shown in Fig. 4) has c = 160 and n = 2r = 80 and meets this conservative setting. In both our encryption and MAC schemes, the initial vector contains the current time stamp to prevent the replaying attack. In our system, the medical sensor first splits meaningful patient data into three random shares and then encrypts them under three different secret keys. Because the sensor encrypts only random shares, the security of the communications between the sensor and the three servers is further strengthened. Because the three servers and the doctor's computing device are usually much more powerful in computation and communication than the medical sensor, public key cryptography may be employed to provide confidentiality and authentication for the communications among the three servers and the communications between the doctor and the three servers.

B. Privacy Analysis

In our system, Sharemind is employed to provide privacy for patient data. The privacy proofs of Sharemind [19] are built on the universal composability framework of Canetti [28]. To be precise, Sharemind assumes that we have three distinct computational entities P_1, P_2, P_3, all of which have an ideally secure authenticated channel to the two others. Privacy is proven in the passive (honest-but-curious) model, in which the adversary is allowed to corrupt at most one of the three parties before the execution of the protocol. The adversary is then handed both the inputs and all the incoming messages of the corrupted party (“curiosity”), but he has no control over its outputs, which are assumed to be chosen as specified in the protocols (“honesty”). This model roughly corresponds to the real-world situation where we assume the protocol implementations are fairly hard to tamper with,


whereas their inputs and outputs could be eavesdropped on, which is a sensible assumption for most practical purposes. In Sharemind [20], privacy is defined as follows.

Definition 1. We say that a computing protocol preserves privacy if there exists an efficient universal non-rewinding simulator S that can simulate all protocol messages to any real-world adversary A so that for all input shares, the output distributions of A and S(A) coincide.

In order to prove privacy, the incoming views of all the computing parties are considered. For some basic private computing protocols, such as the private addition, multiplication and division protocols, it has been proved that they are independent of the input shares of the other parties, hence the simulator exists. Therefore, these computing protocols preserve privacy according to Definition 1. In addition, Sharemind [20] has the following property.

Lemma 1. If all sub-protocols of a protocol preserve privacy, then the protocol preserves privacy as well.

V. PERFORMANCE ANALYSIS

Our lightweight encryption scheme and MAC scheme are both built on the smallest version of SHA-3 with r = 40, c = 160, which can provide a security level sufficient for many applications. It makes use of SHA-3-f[200] (where 200 = 5 × 5 × 2^3). In the hardware implementation of SHA-3, the core can use the system memory instead of having all the storage capabilities internally. The state of SHA-3 will be stored in memory and the coprocessor is equipped with registers for storing only temporary variables. This kind of coprocessor is suitable for smart cards or wireless sensor networks, where area is particularly important since it determines the cost of the device and there is no rich operating system allowing different processes to run in parallel. Bertoni et al. [22] depicted an architecture where a memory buffer is reserved for the state, and another memory buffer is reserved for temporary values. In this instantiation the computation of the SHA-3-f[200] permutation takes 3870 clock cycles. The coprocessor has a critical path of 1.4 nanoseconds and can run up to 714 MHz, resulting in a throughput of 6.87 Mbit/s. The area for attaining this clock frequency is 1.6 kgate. If the core is synthesized for a clock frequency limited to 200 MHz (500 MHz), the area requirement is reduced to 1.3 (1.4) kgate and the corresponding throughput is 1.9 (4.8) Mbit/s. In both cases the amount of area needed for the registers is in the order of 100 gates.

As for the performance of Sharemind, for privacy-preserving multiplication, equal comparison, division, etc., Bogdanov et al. [19] have done some experiments on a high performance computation cluster: the servers run the Debian Linux operating system, contain 12-core Intel Xeon processors, have 48 GB of memory and are connected with network interface cards allowing for speeds up to 1 Gb/s. To process a single input, the private multiplication, division, and equal comparison take about 25.9 ms, 390 ms and 101 ms, respectively. In particular, Sharemind allows private computations in parallel. For example, to process up to 24000 inputs in parallel, each private multiplication takes only 1.8 μs on average. For details, please refer to [19]. We have implemented the private regression computation protocol in the Sharemind system and run the program on the patient data given in Tab. 1 on a desktop with an Intel(R) Core(TM) i5 CPU M480 @ 2.67 GHz processor. The program takes less than 1 second to output 10β = 11 and 1000α = 77684 (i.e., α = 77.684 and β = 1.1). In our system, the medical sensor employs the smallest version of SHA-3 (r = 40, c = 160) to achieve confidentiality (through encryption), integrity and authentication (through MAC). From the viewpoint of hardware implementation, our solution can save space in the medical sensor and thus reduce the sensor cost. In other words, our solution facilitates sensor hardware implementation.
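The private regression protocol of Section III.D, carried through on the Table 1 data to the 10β = 11 and 1000α = 77684 reported in Section V, as an added example in Python; it is not the paper's code or Sharemind's, and it also illustrates the shared-arithmetic model of Section II.B. Additions, subtractions and multiplications by a constant are local on each server's share. Sharemind's own multiplication and division protocols [19] are not reproduced: multiplication uses a Beaver-triple protocol with a simulated trusted dealer as a stand-in (a standard passive-secure alternative, not Sharemind's method), and division is an ideal-functionality stand-in that opens its operands, so the block checks the arithmetic rather than the privacy of that step. The table values are transcribed from the paper; the brain IL-6 value of patient 1 (134.0) is the cell that the paper's layout leaves unattached and is assumed here.

```python
import secrets

MOD = 1 << 32   # Sharemind shares live in Z_{2^32}

# Table 1 data (transcribed; y for patient 1 assumed to be the 134.0 cell)
SERUM_X = [22.4, 51.6, 58.1, 25.1, 65.9, 79.7, 75.3, 32.4, 96.4, 85.7]
BRAIN_Y = [134.0, 167.0, 132.3, 80.2, 100.0, 139.1, 187.2, 97.2, 192.3, 199.4]

def share(v):
    """Additive sharing: a1, a2 random, a3 = v - a1 - a2 (mod 2^32)."""
    a1, a2 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return [a1, a2, (v - a1 - a2) % MOD]

def reconstruct(s):
    return sum(s) % MOD

def to_signed(v):
    """Read a Z_{2^32} value as two's complement so negative deviations come back negative."""
    return v - MOD if v >= MOD // 2 else v

# Local operations: every server updates its own share, no messages exchanged.
def add(s, t):
    return [(x + y) % MOD for x, y in zip(s, t)]

def sub(s, t):
    return [(x - y) % MOD for x, y in zip(s, t)]

def mul_const(s, k):
    return [(x * k) % MOD for x in s]

def beaver_mul(s, t):
    """Interactive multiplication, a stand-in for Sharemind's protocol [19].
    A simulated dealer hands out shares of a random triple (a, b, ab); the servers
    open only x - a and y - b, which are uniformly random and reveal nothing."""
    a, b = secrets.randbelow(MOD), secrets.randbelow(MOD)
    sa, sb, sab = share(a), share(b), share(a * b)
    d, e = reconstruct(sub(s, sa)), reconstruct(sub(t, sb))
    out = add(add(sab, mul_const(sb, d)), mul_const(sa, e))
    out[0] = (out[0] + d * e) % MOD          # public term d*e added by one server only
    return out

def ideal_div(s, t):
    """Stand-in for the private division protocol [19]: opens both operands, so it
    is NOT privacy preserving; it only reproduces the integer result 10A/B."""
    return share(to_signed(reconstruct(s)) // to_signed(reconstruct(t)))

def private_regression(xs, ys):
    """Return (10*beta, 100*n*alpha) as the integers the analyst reconstructs.
    With n = 10 these are the paper's 10*beta and 1000*alpha."""
    n = len(xs)
    sx = [share(round(x * 10)) for x in xs]   # servers hold shares of 10*x_i, 10*y_i
    sy = [share(round(y * 10)) for y in ys]
    X, Y = sx[0], sy[0]
    for i in range(1, n):                     # X = sum of 10*x_i = 10*n*mean(x)
        X, Y = add(X, sx[i]), add(Y, sy[i])
    A = B = [0, 0, 0]
    for i in range(n):                        # n*(10*x_i) - X = 10*n*(x_i - mean(x)),
        dx = sub(mul_const(sx[i], n), X)      # i.e. the paper's 100*x_i - X when n = 10
        dy = sub(mul_const(sy[i], n), Y)
        A = add(A, beaver_mul(dx, dy))
        B = add(B, beaver_mul(dx, dx))
    ten_beta = ideal_div(mul_const(A, 10), B)                   # 10A/B = 10*beta
    alpha_term = sub(mul_const(Y, 10), beaver_mul(ten_beta, X))  # 10Y - (10 beta) X
    return to_signed(reconstruct(ten_beta)), to_signed(reconstruct(alpha_term))
```

Every intermediate value here stays below 2^31 for the Table 1 data, so the mod 2^32 wrap-around only ever encodes signs, which `to_signed` undoes; with larger inputs the analyst has to choose the amplification factor so that A, B and 10A still fit, since Sharemind's protocols work in Z_{2^32} as well.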

VI. CONCLUSION

In this paper, we have presented a practical system for privacy-preserving medical sensor networks. Our solution uses the smallest version of SHA-3 (r = 40, c = 160) to achieve confidentiality, integrity and authentication in the medical sensors, and Sharemind to achieve patient privacy. It facilitates hardware implementation in low-power and low-cost medical sensors and preserves patient data privacy as long as the three data servers in the Sharemind system do not collude. To the best of our knowledge, our system is so far the only solution for privacy-preserving medical sensor networks built mainly on symmetric-key cryptography.

ACKNOWLEDGMENT

This work was done while Xun Yi was visiting STACC. We would like to thank Arnis Paršovs and Reimo Rebane of STACC for their suggestions about the encryption scheme and their help with Sharemind.

REFERENCES

[1] P. Kumar and H. J. Lee. Security Issues in Healthcare Applications Using Wireless Medical Sensor Networks: A Survey. Sensors 12: 55-91, 2012.
[2] D. Malan, T. F. Jones, M. Welsh, S. Moulton. CodeBlue: An Ad-Hoc Sensor Network Infrastructure for Emergency Medical Care. In Proc. MobiSys 2004 Workshop on Applications of Mobile Embedded Systems (WAMES'04), Boston, MA, USA, 6-9 June 2004.
[3] K. Lorincz, D. J. Malan, T. R. F. Fulford-Jones, A. Nawoj, A. Clavel, V. Shayder, G. Mainland, M. Welsh. Sensor Networks for Emergency Response: Challenges and Opportunities. Pervas. Comput. 3: 16-23, 2004.
[4] A. Wood, G. Virone, T. Doan, Q. Cao, L. Selavo, Y. Wu, L. Fang, Z. He, S. Lin, J. Stankovic. ALARM-NET: Wireless Sensor Networks for Assisted-Living and Residential Monitoring. Technical Report CS-2006-01, Department of Computer Science, University of Virginia, Charlottesville, VA, USA, 2006.
[5] J. Ng, B. Lo, O. Wells, M. Sloman, N. Peters, A. Darzi, C. Toumazou, G. Z. Yang. Ubiquitous Monitoring Environment for Wearable and Implantable Sensors (UbiMon). In Proc. 6th International Conference on Ubiquitous Computing (UbiComp'04), Nottingham, UK, 7-14 September 2004.
[6] J. Ko, J. H. Lim, Y. Chen, R. Musaloiu-E., A. Terzis, G. M. Masson. MEDiSN: Medical Emergency Detection in Sensor Networks. ACM Trans. Embed. Comput. Syst. 10: 1-29, 2010.
[7] R. Chakravorty. A Programmable Service Architecture for Mobile Medical Care. In Proc. 4th Annual IEEE International Conference on Pervasive Computing and Communication Workshops (PERCOMW'06), Pisa, Italy, 13-17 March 2006.
[8] T. Dimitriou, K. Ioannis. Security Issues in Biomedical Wireless Sensor Networks. In Proc. 1st International Symposium on Applied Sciences on Biomedical and Communication Technologies (ISABEL'08), Aalborg, Denmark, 25-28 October 2008.
[9] Y. M. Huang, M. Y. Hsieh, H. C. Hung, J. H. Park. Pervasive, Secure Access to a Hierarchical Sensor-Based Healthcare Monitoring Architecture in Wireless Heterogeneous Networks. IEEE J. Select. Areas Commun. 27: 400-411, 2009.
[10] K. Malasri, L. Wang. Design and Implementation of Secure Wireless Mote-Based Medical Sensor Network. Sensors 9: 6273-6297, 2009.
[11] X. H. Le, M. Khalid, R. Sankar, S. Lee. An Efficient Mutual Authentication and Access Control Scheme for Wireless Sensor Network in Healthcare. J. Networks 27: 355-364, 2011.
[12] J. Misic, V. Misic. Enforcing Patient Privacy in Healthcare WSNs Through Key Distribution Algorithms. Secur. Commun. Network 1: 417-429, 2008.
[13] M. M. Haque, A. Pathan, C. S. Hong. Securing u-Healthcare Sensor Networks Using Public Key Based Scheme. In Proc. 10th International Conference on Advanced Communication Technology, Pyeongchang, Korea, 19-22 February 2008, pp. 1108-1111.
[14] X. Lin, R. Lu, X. Shen, Y. Nemoto, N. Kato. SAGE: A Strong Privacy-Preserving Scheme Against Global Eavesdropping for eHealth System. IEEE J. Select. Areas Commun. 27: 365-378, 2009.
[15] K. Muhammed, H. Lee, S. Lee, Y. K. Lee. BARI+: A Biometric Based Distributed Key Management Approach for Wireless Body Area Networks. Sensors 10: 3911-3933, 2010.
[16] S. Dagtas, G. Pekhteryev, Z. Sahinoglu, H. Cam, N. Challa. Real-Time and Secure Wireless Health Monitoring. Int. J. Telemed. Appl. 2008, doi:10.1155/2008/135808.
[17] P. Kumar, Y. D. Lee, H. J. Lee. Secure Health Monitoring Using Medical Wireless Sensor Networks. In Proc. 6th International Conference on Networked Computing and Advanced Information Management, Seoul, Korea, 16-18 August 2010, pp. 491-494.
[18] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. The Keccak Sponge Function Family. Available at http://keccak.noekeon.org/
[19] D. Bogdanov, S. Laur, J. Willemson. Sharemind: A Framework for Fast Privacy-Preserving Computations. In Proc. 13th European Symposium on Research in Computer Security (ESORICS'08), LNCS, vol. 5283, pp. 192-206. Springer, Heidelberg, 2008.
[20] Introduction to Sharemind. Available at http://sharemind.cyber.ee/introduction-to-sharemind
[21] NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition. Available at http://www.nist.gov/itl/csd/sha100212.cfm
[22] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, R. Van Keer. Implementation Overview, Version 3.2. Available at http://keccak.noekeon.org/Keccak-implementation-3.2.pdf
[23] X. Guo, S. Huang, L. Nazhandali, P. Schaumont. Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations. NIST 2nd SHA-3 Candidate Conference, August 2010.
[24] J. Daemen, G. Bertoni, M. Peeters, G. Van Assche. Permutation-based Encryption, Authentication and Authenticated Encryption. DIAC'12, Stockholm, 6 July 2012. Available at http://www.hyperelliptic.org/DIAC/slides/PermutationDIAC2012.pdf
[25] A. Francillon, C. Castelluccia. TinyRNG: A Cryptographic Random Number Generator for Wireless Sensors Network Nodes. In Proc. 5th Intl. Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOpt'07), 2007.
[26] C. Yu. Simple Linear Regression. Available at http://www.cs.sunysb.edu/mueller/teaching/.../ch18Reg.ppt
[27] H. Krawczyk, M. Bellare, R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104, February 1997. Available at http://www.ietf.org/rfc/rfc2104.txt
[28] R. Canetti. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In Proc. 42nd Annual Symposium on Foundations of Computer Science (FOCS'01), pp. 136-145, 2001.