An improved pairing-free certificateless aggregate signature scheme for healthcare wireless medical sensor networks

Lifeng Zhou; Xinchun Yin

doi:10.1371/journal.pone.0268484

Abstract

In healthcare wireless medical sensor networks (HWMSNs), the medical sensor nodes are employed to collect medical data which is transmitted to doctors for diagnosis and treatment. In HWMSNs, medical data is vulnerable to various attacks through public channels. In addition, leakage of patients’ information happens frequently. Hence, secure communication and privacy preservation are major concerns in HWMSNs. To solve the above issues, Zhan et al. put forward a pairing-free certificateless aggregate signature (PF-CLAS) scheme. However, according to our cryptanalysis, the malicious medical sensor node (MSN_i) can generate the forged signature by replacing the public key in the PF-CLAS scheme. Hence, to address this security flaw, we design the improved PF-CLAS scheme that can achieve unforgeability, anonymity, and traceability. Since we have changed the construction of the partial private key, the improved PF-CLAS scheme can resist Type I and Type II attacks under the Elliptic Curve Discrete Logarithm assumption. In terms of the performance evaluation, the proposed scheme outperforms related CLAS schemes, which is more suitable for HWMSNs environments.

Citation: Zhou L, Yin X (2022) An improved pairing-free certificateless aggregate signature scheme for healthcare wireless medical sensor networks. PLoS ONE 17(7): e0268484. https://doi.org/10.1371/journal.pone.0268484

Editor: Pandi Vijayakumar, University College of Engineering Tindivanam, INDIA

Received: March 15, 2022; Accepted: May 1, 2022; Published: July 11, 2022

Copyright: © 2022 Zhou, Yin. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper and its Supporting information files.

Funding: This work is supported by the National Natural Science Foundation of China (No. 61472343), funded by Xinchun Yin. The funder has the role in data collection, preparation of the manuscript, validation of the manuscript, review of the manuscript, and editing of the manuscript.

Competing interests: The authors have declared that no competing interests exist.

Introduction

With the rapid development of wireless body area networks, healthcare wireless medical sensor networks (HWMSNs) are driving the progress of intelligent medical treatment. In the current HWMSNs environment, patients use wearable and implantable medical devices from which multifarious medical data is collected [1]. Then the data is transmitted to doctors for real-time processing and feedback. Since the outbreak of COVID-19, hospitals have been using HWMSNs to monitor and treat the symptoms of patients [2]. However, medical data is transmitted through insecure public channels, and adversaries are able to eavesdrop on, tamper with, and forge the data readily [3, 4]. Upon tampering and forgery, doctors may make accurate diagnoses that can harm patients [5]. Furthermore, if the identities of patients are exposed in the form of plaintext, the patients’ real identities will be divulged [6–8]. Consequently, it is of great importance to guarantee secure communication and privacy preservation in HWMSNs.

In recent years, various technologies have been used for HWMSNs [9, 10]. To ensure the security of medical data, Mamta et al. [11] adopted the blockchain technology to design a decentralized and efficient attribute-based searchable encryption scheme. Nguyen et al. [12] put forward a blockchain-based intrusion detection and data transmission scheme that can realize the high-security level of the system. To guarantee secure communication and build trustworthiness among nodes in networks, Mirsadeghi et al. [13] presented a trust infrastructure-based authentication scheme by using digital signature and encryption technologies. Vijayakumar et al. [14] constructed a secure and lightweight communication scheme that can provide authentication and confidentiality to the multicast SMS communication. To achieve privacy preservation in HWMSNs, Xu et al. [15] proposed a sanitizable signature scheme that can hide the sensitive data of patients.

In 2003, a cryptographic technology called aggregate signature (AS) was proposed by Boneh et al. [16]. They showed that the AS can realize the authentication and integrity of the message with high efficiency, which makes it suitable for resource-constrained environments. Therefore, many authentication schemes using the AS have been proposed [17–22]. In 2004, Lysyanskaya et al. [17] constructed an ordered AS scheme based on a one-way function with trapdoors. Signers need to aggregate their signatures in the corresponding order. Whereas Lysyanskaya et al.’s scheme is based on the traditional public key infrastructure, which greatly increases the burden of key management and verification overhead. Soon after, Cheon et al. [18] proposed the first identity-based AS scheme that avoided complex certificate management issues. However, most identity-based AS schemes suffer from key escrow problems. Certificateless public key cryptography is considered one of the solutions to overcome these [23]. In [24], the full private key consists of the partial private key generated by the key generation center (KGC) and the secret value selected by the unmanned aerial vehicle. The aerial vehicle only knows its secret value and cannot achieve the partial private key of KGC. Hence, Gong et al. [20] extended the AS to certificateless public key cryptography and first proposed two certificateless AS (CLAS) schemes. Nevertheless, the complicated verification algorithm caused these two schemes to be inefficient.

Shortly after, the CLAS technology was widely applied to HWMSNs environments to address security and privacy problems. In 2018, Kumar et al. [25] designed a CLAS scheme to ensure the secure transmission of medical data in HWMSNs. Nevertheless, Wu et al. [26] proved that Kumar et al.’s scheme [25] is vulnerable to malicious medical server attacks. To ensure the high efficiency of verification and the identity privacy of patients, Liu et al. [27] devised a certificateless anonymous batch verification scheme and asserted that their scheme can authenticate all medical data in one time. Unfortunately, Zhang et al. [28] declared that Liu et al.’s scheme [27] is unable to withstand malicious participant attacks and malicious data center attacks. In 2019, Gayathri et al. [29] devised an anonymous CLAS scheme without bilinear pairings to further reduce the computational overhead. However, Liu et al. [30] substantiated that Gayathri et al.’s scheme [29] cannot withstand malicious MS attacks and public key replacement attacks. In addition, Liu et al. [30] proposed an improved scheme to resist the above attacks.

Recently, Zhan et al. [31] found that Liu et al.’s improved scheme [30] is insecure for the reason that it cannot withstand malicious MS attacks. To solve these security issues, Zhan et al. [31] put forward a pairing-free CLAS (PF-CLAS) scheme for HWMSNs. In addition, Zhan et al. [31] asserted that the PF-CLAS scheme has high computational efficiency and is secure against forgery attacks on any message. However, after our analysis, we found that the PF-CLAS scheme is unable to achieve the expected target.

Contribution

The contributions of the proposed work are shown below.

We analyze Zhan et al.’s PF-CLAS scheme that cannot withstand malicious MSN_i attacks. Simultaneously, the process of how malicious MSN_i attacks successfully forge the signature is shown.
The reasons why Zhan et al.’s PF-CLAS scheme is insecure against malicious MSN_i attacks are explained. In addition, we design an improved PF-CLAS to address this security vulnerability.
We substantiate that our improved PF-CLAS scheme is secure under the random oracle model. Furthermore, the performance evaluation reveals that the proposed scheme is more efficient than the existing related schemes.

Preliminaries

In this section, we introduce the complexity assumption, system model, security requirement, and security model in HWMSNs environments.

Complexity assumption

Elliptic Curve Discrete Logarithm Problem (ECDLP).

The group G has the prime order q and generator P. Given two random points P, Q ∈ G, it is hard to work out .

Computational Diffie-Hellman Problem (CDHP).

The group G has the order q and genera-tor P. Given two random points aP, bP ∈ G, it is hard to work out abP ∈ G, where .

System model of HWMSNs

As is described in Fig 1, the system model contains four entities: Medical Sensor Node (MSN_i), Medical Server (MS), Cluster Head (CH), and Authorized Healthcare Professionals (AHP). MS is able to generate the public parameters and send it to MSN_i. When MSN_i applies for the partial private key, MS will utilize the master secret key to generate the partial private key and send it to MSN_i. Simultaneously, MSN_i takes advantage of its secret key and partial private key to create the signature and transmits it to CH. Multiple signatures can be aggregated into one signature by CH. Afterward, the aggregate signature can be transmitted to MS by CH. MS sends the aggregate signature to AHP after confirming the validity of the aggregate signature.

Download:

Fig 1. System model for HWMSNs.

https://doi.org/10.1371/journal.pone.0268484.g001

Security requirements of HWMSNs

Message Authentication and Integrity.

The messages received by the receiver are reliable and have not been tampered with during transmission.

Anonymity.

No entity can know the real identity of MSN_i except MS and MSN_i itself.

Traceability.

If abnormal MSN_i provides false medical data, MS will trace and extract the real identity of MSN_i.

Security model of HWMSNs

The CLAS scheme contains two types of adversaries: malicious MSN_i and malicious MS.

Malicious MSN_i.

It is Type I adversary in HWMSNs environments. Malicious MSN_i can replace the public key of MSN_i, but it is incapable of achieving the master secret key s.

Malicious MS.

It is Type II adversary in HWMSNs environments. Malicious MS can achieve the master secret key s, but it is incapable of replacing public keys.

The existential unforgeability of the PF-CLAS scheme is guaranteed by the following two games.

Game 1:

Setup: The System Initialization algorithm is executed by the challenger ζ₁. Given the security parameter v, the algorithm returns system parameters params and master secret key s. ζ₁ transmits params to while s is kept secretly.

Query Phase: carries out a bounded number of queries in polynomial time. The specific process is shown below.

PPK Query: When makes queries on the partial private key with PID_i, ζ₁ returns d_i to .
PK Query: When makes queries on the public key of MSN_i, ζ₁ returns PK_i to .
SV Query: When makes queries on the secret value of MSN_i with PID_i, ζ₁ returns x_i to .
PK Replacement Query: When chooses a new public key of MSN_i with PID_i, ζ₁ records this replacement.
Signature Query: When makes queries on the signature with PID_i and PK_i, ζ₁ returns σ_i to in the tuple (m_i, PID_i, PK_i).

Forgery: returns identities , public keys , messages , timestamps , and an AS σ*. can win Game 1 if the following three situations happen:

σ* is a valid CLAS;
PPK Query has never been performed for at least one of ;
Signature Query under the tuple has never been performed, where 1 ≤ i ≤ n.

Game 2:

Setup: The System Initialization algorithm is executed by the challenger ζ₂. Given the security parameter v, the algorithm returns system parameters params and master key s. ζ₂ transmits params and s to .

Query Phase: carries out a bounded number of queries in polynomial time. The specific process is shown below.

PK Query: When makes queries on the public key of MSN_i, ζ₂ returns PK_i to .
SV Query: When makes queries on the secret value of MSN_i with PID_i, ζ₂ returns x_i to .
Signature Query: When makes queries on the signature with PID_i and PK_i, ζ₂ returns σ_i to in the tuple (m_i, PID_i, PK_i).

Forgery: returns identities , public keys , messages , timestamps , and an AS σ*. can win Game 2 if the following three situations happen:

σ* is a valid CLAS;
SV Query has never been performed for at least one of ;
Signature Query under the tuple has never been performed, where 1 ≤ i ≤ n.

Review of PF-CLAS scheme in [31]

Here, we summarize the notations of the PF-CLAS scheme in Table 1 and review the PF-CLAS scheme in [31].

Download:

Table 1. Notations used in PF-CLAS scheme.

https://doi.org/10.1371/journal.pone.0268484.t001

System Initialization (1^k) → (params): Given the security parameter , MS performs the following procedures:
1. Selects an additive group G of order q and its generator P.
2. Selects as the master secret key at random and computes P_pub = sP as the master public key.
3. Selects hash functions: , and .
4. Publishes params = {P, G, q, P_pub, H, H_{i, i = 1,2,3}} as the system parameter and keeps s secretly.
Generate-PPK (params, s, RID_i) → (PID_i, d_i): Given s, RID_i and params, MS performs the following procedures:
1. Selects randomly and calculates R_i = r_i P.
2. Computes PID_i = RID_i⊕H(r_i P_pub, T_i), where T_i is the valid time period of PID_i.
3. Computes l_i = H₁(R_i, PID_i, P_pub), d_i = (r_i + sl_i) mod q.
4. Sets D_i = (d_i, R_i) as the private key and sends (D_i, PID_i) to MSN_i through secure channels.
Generate-PK/SK (params, PID_i, d_i) → (pk_i, sk_i): Given params, PID_i and d_i, MSN_i performs the following procedures:
1. Verifies whether the equation d_i P = R_i + l_i P_pub holds, if it holds, MSN_i accepts the private key d_i. Otherwise, it needs to reapply to MS for the partial private key.
2. Selects randomly and calculates X_i = x_i P.
3. Sets pk_i = (R_i, X_i) as its own public key and sk_i = (d_i, x_i) as its own private key.
Generate-Signature (params, PID_i, pk_i, sk_i, m_i, t_i) → (σ_i): Given params, PID_i, pk_i, sk_i, a message m_i and timestamp t_i, MSN_i performs the following procedures:
1. Chooses randomly and calculates Y_i = y_i P.
2. Calculates and b_i = H₃(PID_i, m_i, t_i, pk_i).
3. Calculates w_i = [a_i y_i + b_i(d_i + x_i)] mod q.
4. Outputs σ_i = (Y_i, w_i) and transmits (σ_i, m_i, t_i, pk_i) to CH through public channels.
Verify-Signature (params, pk_i, {m_i, t_i})→ VALID or INVALID: Given params, pk_i and a set of message signature pairs (m_i, σ_i), CH performs the following procedures:
1. Computes l_i = H₁(R_i, PID_i, P_pub), a_i = H₂(PID_i, m_i, t_i, Y_i, pk_i) and b_i = H₃(PID_i, m_i, t_i, pk_i).
2. Verifies whether the equation W_i−a_i Y_i = b_i(X_i + R_i + l_i P_pub) holds, if it holds, CH outputs VALID and accepts the signature. Otherwise, CH outputs INVALID and rejects the signature.
Generate-AS (params, pk_i, {m_i, t_i, σ_i}_{1 ≤ i ≤ n}) → (σ): Given params and a set of message signature pairs (m_i, σ_i), CH performs the following procedures:
1. Computes .
2. Computes .
3. Computes .
4. Outputs an aggregate signature σ = (A, w) and transmits (σ, m_i, t_i, pk_i) to MS through public channels.
Verify-AS (params, {m_i, t_i}_{1 ≤ i ≤ n}, σ) → VALID or INVALID: Given params, pk_i, {m_i, t_i}_{1 ≤ i ≤ n} and σ, MS performs the following procedures:
1. Computes l_i = H₁(R_i, PID_i, P_pub), a_i = H₂(PID_i, m_i, t_i, Y_i, pk_i) and b_i = H₃(PID_i, m_i, t_i, pk_i), where 1 ≤ i ≤ n.
2. Checks whether the equation holds. If it holds, MS outputs VALID and accepts the aggregate signature σ. Otherwise, MS outputs INVALID and rejects the aggregate signature σ.

Cryptanalysis of PF-CLAS schemes

In this section, we first describe the detailed process of malicious MSN_i attacks, and then show the reason why this scheme cannot resist this type of attack. Finally, we present methods to withstand malicious MSN_i attacks.

Forgery attacks from malicious MSN_i

Although malicious MSN_i hardly gets the master key s, it can replace the public key pk_i. In addition, if malicious MSN_i eliminates l_i P_pub by replacing the public key pk_i, then it will bypass the system master key s to forge a valid signature. Malicious MSN_i can forge the valid signature on any stochastically chosen message that satisfies the condition . The concrete descriptions are shown below.

Public Key Replacement: Malicious MSN_i executes the following procedures to replace the original public key pk_i.
1. Selects and randomly.
2. Calculates and , where PID_i and P_pub are public.
3. Computes to replace X_i and sets as the new public key.
Forgery: Malicious MSN_i executes the following procedures to forge the signature .
1. Chooses and computes .
2. Computes , and .
3. Sets as the forged signature and sends to CH.
Verification: CH executes the following procedures to check the validity of the forged signature .
1. Calculates , and .
2. Checks whether the equation holds. If the equation holds, CH takes over the forged signature. Otherwise, malicious MSN_i fails to forge the signature.
Correctness of the Forged Signature: The validity of forged signature is supported by the verifiable equation.

Comments on the reason for malicious MSN_i attacks

Although Zhan et al.’s scheme [31] has strived to solve the vulnerabilities of Liu et al.’s scheme in [30], it still suffers from malicious MSN_i attacks. In Zhan et al.’s PF-CLAS scheme [31], there’s no connection between d_i and X_i, which is the main reason why malicious MSN_i can succeed in launching public key replacement attacks. The partial private key is defined as d_i = r_i+ sl_i in the literature [31], where l_i = H₁(R_i, PID_i, P_pub). We can easily find that hash function l_i does not contain the public key X_i, implying that the change of X_i cannot influence the partial private key d_i. Hence, malicious MSN_i can bypass d_i by replacing X_i with . To avoid the public key replacement attacks launched by malicious MSN_i, we only need to add the element X_i to hash functions l_i in Generate-PPK algorithm. After modification, it is obvious that the equation d_i P = R_i + l_i P_pub will not be valid if the public key X_i is replaced by adversaries, where l_i = H₁(R_i, PID_i, P_pub, X_i).

Improved PF-CLAS scheme

In this section, we devise an improved PF-CLAS scheme to avoid malicious MSN_i attacks in HWMSNs. The detailed algorithms are shown as follows.

System Initialization (1^k)→(params): Given the security parameter , MS performs the following procedures:
1. Selects an additive group G of order q and its generator P.
2. Selects as the master secret key at random and computes P_pub = sP as the master public key.
3. Selects hash functions: , , and .
4. Publishes params = {P, G, q, P_pub, H, H_{i, i = 1,2,3}} as the system parameter and keeps s secretly.
Generate-SV (params)→(x_i, X_i): Given params, MSN_i performs the following procedures:
1. Selects randomly and calculates X_i = x_i P.
2. Transmits X_i to MS through public channels.
Generate-PPK (params, s, RID_i, X_i)→(PID_i, d_i): Given s, RID_i and params, MS performs the following procedures:
1. Selects randomly and calculates R_i = r_i P.
2. Computes PID_i = RID_i⊕H(r_i P_pub, T_i), l_i = H₁(R_i, PID_i, P_pub, X_i) and d_i = (r_i + sl_i) mod q.
3. Sets D_i = (d_i, R_i) as the private key and sends (D_i, PID_i) to MSN_i through secure channels.
Generate-PK/SK (params, PID_i, d_i)→(pk_i, sk_i): Given params, PID_i and d_i, MSN_i performs the following procedures:
1. Verifies whether the equation d_i P = R_i + l_i P_pub holds, if it holds, MSN_i accepts the private key d_i. Otherwise, it needs to reapply to MS for the partial private key.
2. Sets pk_i = (R_i, X_i) as its own public key and sk_i = (d_i, x_i) as its own private key.
Generate-Signature (params, PID_i, pk_i, sk_i, m_i, t_i)→(σ_i): Given params, PID_i, pk_i, sk_i, a message m_i and timestamp t_i, MSN_i performs the following procedures:
1. Chooses randomly and calculates Y_i = y_i P.
2. Calculates b_i = H₂(PID_i, m_i, t_i, pk_i, Y_i) and w_i = [y_i + b_i(d_i + x_i)] mod q.
3. Outputs σ_i = (Y_i, w_i) and transmits (σ_i, m_i, t_i, pk_i) to CH through public channels.
Verify-Signature (params, pk_i, {m_i, t_i}) → VALID or INVALID: Given params, pk_i and a set of message signature pairs (m_i, σ_i), CH performs the following procedures:
1. Computes l_i = H₁(R_i, PID_i, P_pub, X_i), b_i = H₂(PID_i, m_i, t_i, pk_i, Y_i).
2. Verifies whether the equation W_i−Y_i = b_i(X_i + R_i + l_i P_pub) holds, if it holds, CH outputs VALID and accepts the signature. Otherwise, CH outputs INVALID and rejects the signature.
Generate-AS (params, pk_i, {m_i, t_i, σ_i}_{1 ≤ i ≤ n}, pk_ver)→(σ): Given params, pk_ver and the tuple (σ_i, m_i, t_i), CH performs the following procedures:
1. Computes .
2. Outputs an aggregate signature σ = (Y₁, Y₂, …, Y_n, w) and transmits (σ, m_i, t_i, pk_i) to MS through public channels.
Verify-AS (params, {m_i, t_i}_{1 ≤ i ≤ n}, σ, sk_ver)→ VALID or INVALID: Given params, pk_i, {m_i, t_i}_{1 ≤ i ≤ n} and σ, MS performs the following procedures:
1. Computes l_i = H₁(R_i, PID_i, P_pub, X_i) and b_i = H₂(PID_i, m_i, t_i, pk_i, Y_i).
2. Checks whether the equation holds. If it holds, MS outputs VALID and accepts σ. Otherwise, MS outputs INVALID and rejects σ.

Correctness

Given params, pk_i, {m_i, t_i}_{1 ≤ i ≤ n} and σ_i, the validity of the following equation is checked by CH.

Given params, pk_i, {m_i, t_i}_{1 ≤ i ≤ n} and σ, the validity of the following equation is checked by MS.

Security analysis

In this section, we give Theorem 1 and Theorem 2 to prove that our improved PF-CLAS scheme can resist malicious MSN_i attacks and malicious MS attacks.

Theorem 1: If (malicious MSN_i) can successfully forge the signature in polynomial time with the non-negligible probability ε₁, then there will be a challenger ζ₁ that can work out the ECDLP with the probability , where e, , q_s, q_ppk, q_v are the natural logarithm base and the most times of Hash Query, Signature Query, PPK Query, SV Query.

Proof: The challenger ζ₁ is a solver of the ECDLP. Given the tuple (P, P_pub = sP)∈G×G, the goal of ζ₁ is to calculate .

Setup: ζ₁ performs System Initialization algorithm to generate params and s. ζ₁ sends params to and keeps s secretly.

Query Phase: The challenger ζ₁ cannot get the identity PID_i which is selected by . Therefore, ζ₁ guesses a random identity as the identity, where ζ₁ can correctly guess with probability .

H₁ Query: ζ₁ creates an empty list₁. When receiving a query H₁(R_i, PID_i, P_pub, X_i) from , if there is a tuple (R_i, PID_i, P_pub, X_i, l_i) in the list₁, ζ₁ will return l_i to ; Otherwise, ζ₁ selects at random and adds the tuple (R_i, PID_i, P_pub, X_i, l_i) into list₁. Finally, ζ₁ returns l_i to .
H₂ Query: ζ₁ creates an empty list₂. When receiving a query H₂(m_i, PID_i, t_i, pk_i, Y_i) from , if there is a tuple (m_i, PID_i, t_i, pk_i, Y_i, b_i) in the list₂, ζ₁ will return b_i to ; Otherwise, ζ₁ selects at random and adds the tuple (m_i, PID_i, t_i, pk_i, Y_i, b_i) into list₂. Finally, ζ₁ returns b_i to .
SV Query: ζ₁ creates an empty list₃. When receiving a query about the secret value of MSN_i from , if there is x_i in the list₃, ζ₁ will return x_i to ; Otherwise, ζ₁ selects at random and adds x_i into list₃. Finally, ζ₁ returns x_i to .
PPK Query: ζ₁ creates an empty list₄. When receiving a query about the partial private key of MSN_i with PID_i from , if there is a tuple (R_i, PID_i, d_i) in the list₄, ζ₁ will return (R_i, d_i) to ; Otherwise, ζ₁ queries the corresponding tuple (R_i, PID_i, P_pub, X_i, l_i) of MSN_i with PID_i ∈ list₁, selects at random, computes R_i = d_i P − l_i P_pub and adds the tuple (R_i, PID_i, d_i) into list₄. Finally, ζ₁ returns (R_i, d_i) to .
PK Query: ζ₁ creates an empty list₅. When receiving a query about the public key of MSN_i with PID_i from , if there is a tuple (R_i, PID_i, X_i) in the list₅, ζ₁ will return (R_i, X_i) to ; Otherwise, ζ₁ performs following steps.
1. If , ζ₁ selects at random, computes X_i = x_i P and R_i = d_i P − l_i P_pub. Then, ζ₁ adds the tuple (R_i, PID_i, X_i) into list₅ and returns (R_i, X_i) to .
2. If , ζ₁ selects at random, computes X_i = x_i P and R_i = r_i P. Then, ζ₁ sets d_i as ⊥ and adds the tuple (R_i, PID_i, X_i) into list₅. Finally, it returns (R_i, X_i) to .
PK Replacement Query: When selects a new public key and sends to ζ₁. When receiving a query about the public key replacement of MSN_i with PID_i from , ζ₁ updates list₅ and records this replacement.
Signature Query: ζ₁ creates an empty list₆. When receiving a query about the signature of MSN_i with PID_i from , if there is a tuple (m_i, PID_i, x_i, ω_i) in the list₆, ζ₁ selects at random, computes Y_i = y_i P, b_i = H₂(PID_i, m_i, t_i, Y_i, pk_i) and w_i = y_i + b_i(x_i + d_i) mod q. Then ζ₁ returns (Y_i, w_i) to ; Otherwise, ζ₁ selects at random, computes Y_i = w_i P−b_i(X_i + R_i + l_i P_pub) and adds the tuple (Y_i, w_i) into list₆. Finally, ζ₁ returns (Y_i, w_i) to .

Forgery: After polynomial bounded times of queries, outputs forged signature under the tuple . According to the forking lemma [32], generates another forged signature . Therefore, according to the equation and the equation , s can be obtained as a valid solution. Otherwise, ζ₁ cannot handle the ECDLP.

In order to succeed in forging a signature, the outputs of ζ₁ need to satisfy the following conditions:

T₁: ζ₁ has never aborted the process of quering;
T₂: ζ₁ has never aborted the process of forging the signature;
T₃: is a valid signature.

According to the above conditions, we can get that P_r[T₁] ≥ 1 − c, and . Consequently, the probability that ζ₁ can work out the ECDLP is .

Theorem 2: If (malicious MS) can successfully forge the signature in polynomial time with the non-negligible probability ε₂, then there will be a challenger ζ₂ that can work out the ECDLP with the probability , where e, , q_s, q_v are the natural logarithm base and the most times of Hash Query, Signature Query, SV Query.

Proof: The challenger ζ₂ is a solver of the ECDLP. Given the tuple (P, X_i = x_i P) ∈ G × G, the goal of ζ₂ is to calculate .

Setup: ζ₂ performs System Initialization algorithm to generate params and s. ζ₂ sends params and s to .

Query Phase: The challenger ζ₂ cannot get the identity PID_i which is selected by . Therefore, ζ₂ guesses a random identity as the identity, where ζ₂ can correctly guess with probability .

H₁ Query: ζ₂ creates an empty list₁. When receiving a query H₁(R_i, PID_i, P_pub, X_i) from , if there is a tuple (R_i, PID_i, P_pub, X_i, l_i) in the list₁, ζ₂ will return l_i to ; Otherwise, ζ₂ selects at random and adds the tuple (R_i, PID_i, P_pub, X_i, l_i) into list₁. Finally, ζ₂ returns l_i to .
H₂ Query: ζ₂ creates an empty list₂. When receiving a query H₂(m_i, PID_i, t_i, pk_i, Y_i) from , if there is a tuple (m_i, PID_i, t_i, pk_i, Y_i, b_i) in the list₂, ζ₂ will return b_i to ; Otherwise, ζ₂ selects at random and adds the tuple (m_i, PID_i, t_i, pk_i, Y_i, b_i) into list₂. Finally, ζ₂ returns b_i to .
SV Query: ζ₂ creates an empty list₃. When receiving a query about the secret value of MSN_i from , if there is x_i in the list₃, ζ₂ will return x_i to ; Otherwise, ζ₂ selects at random and adds the tuple x_i into list₃. Finally, ζ₂ returns x_i to .
PK Query: ζ₂ creates an empty list₄. When receiving a query about the public key of MSN_i with PID_i from , if there is a tuple (R_i, PID_i, X_i) in the list₄, ζ₂ will return (R_i, X_i) to ; Otherwise, ζ₂ performs following steps.
1. If , ζ₂ selects at random, computes X_i = x_i P and R_i = d_i P−l_i P_pub. Then, ζ₂ adds the tuple (R_i, PID_i, X_i) into list₄ and returns (R_i, X_i) to .
2. If , ζ₂ selects at random, computes X_i = x_i P and R_i = r_i P. Then, ζ₂ sets d_i as ⊥ and adds the tuple (R_i, PID_i, X_i) into list₄. Finally, it returns (R_i, X_i) to .
Signature Query: ζ₂ creates an empty list₅. When receiving a query about the signature of MSN_i with PID_i from , if there is a tuple (m_i, PID_i, x_i, ω_i) in the list₅, ζ₂ selects at random, computes Y_i = y_i P, b_i = H₂(PID_i, m_i, t_i, Y_i, pk_i) and w_i = y_i + b_i(x_i + d_i) mod q. Then ζ₂ returns (Y_i, w_i) to ; Otherwise, ζ₂ selects at random, computes Y_i = w_i P−b_i(X_i + R_i + l_i P_pub) and adds the tuple (Y_i, w_i) into list₅. Finally, ζ₂ returns (Y_i, w_i) to .

Forgery: After polynomial bounded times of queries, outputs forged signature under the tuple . According to the forking lemma [32], generates another forged signature . Therefore, according to the equation and the equation , x_i can be obtained as a valid solution. Otherwise, ζ₂ cannot handle the ECDLP.

In order to succeed in forging a signature, the outputs of ζ₂ need to satisfy the following conditions:

T₁: ζ₂ has never aborted the process of quering;
T₂: ζ₂ has never aborted the process of forging the signature;
T₃: is a valid signature.

According to the above conditions, we can get that P_r[T₁]≥1−c, and . Consequently, the probability that ζ₂ can work out the ECDLP is .

Other security analysis

Message authentication and integrity: According to Theorem 1 and Theorem 2, neither Type I nor Type II attackers can pass the verification by forging a signature.
Anonymity: In the improved PF-CLAS scheme, PID_i is the pseudo identity of MSN_i, where PID_i = RID_i⊕H(r_i P_pub, T_i). Any adversary cannot extract the real identity of MSN_i. Hence, our scheme provides strong anonymity.
Traceability: If MSN_i transmits illegal information, MS can track abnormal MSN_i and extract its real identity by computing RID_i = PID_i⊕H(sR_i), where sR_i = r_i P_pub.

Performance evaluation

In this section, we will provide the performance analysis in terms of computational overhead, communication overhead, and security features. In the meantime, the efficiency of the improved scheme will be compared with the related schemes [15, 24, 25, 27, 29, 33, 34]. We utilize MIRACL library to simulate cryptographic operations on a Windows 10 laptop with an Intel i7–1195G7 @2.9 GHz processor and 8 GB of memory. The measured runtime of different operations is shown in Table 2.

Download:

Table 2. Runtime of cryptographic operations.

https://doi.org/10.1371/journal.pone.0268484.t002

Computational overhead

As is described in Table 3, we mainly count the computational overhead of Generate-Signature algorithm, Verify-Signature algorithm, Generate-AS algorithm, and Verify-AS algorithm. In Xu et al.’s scheme [15], the computational overhead of the single signing and verification is ≈ 143.7864 ms. Similarly, Kumar et al.’s scheme [25], Liu et al.’s scheme [27], and Shen et al.’s scheme [34] need 38.724 ms, 21.444ms, 36.1212 ms, respectively. As is shown in Fig 2 the computational overhead of the above schemes is extremely high. The root cause is that these schemes all use bilinear pairing and map-to-point hash operations to construct the signature. Hence, we use pairing-free operations to improve the efficiency of the improved PF-CLAS scheme. In literatures [24, 29, 33], their schemes also don’t use bilinear pairings. Hence, they only need 3.9545 ms, 5.4841 ms, 4.1793 ms, respectively. The computational overhead of the single signing and verification only needs 3.9545ms, which saves 97.2%, 89.8%, 81.6%, 27.9%, 5.4%, 89.1% of the computational overhead than Xu et al.’s scheme [15], Kumar et al.’s scheme [25], Liu et al.’s scheme [27], Gayathri et al.’s scheme [29], Verma et al.’s scheme [33], Shen et al.’s scheme [34]. In the aggregate signing and aggregate verification phases, we set the number of signatures participating in the aggregation as n = 50. Since references [15, 24] have no connection with the aggregate signature, we don’t describe them too much. As is shown in Fig 3, the computational overhead of the aggregate signing and verification of Kumar et al.’s scheme [25], Liu et al.’s scheme [27], Gayathri et al.’s scheme [29], Verma et al.’s scheme [33], Shen et al.’s scheme [34] is 422.0506 ms, 147.9858 ms, 95.5493 ms, 85.9013 ms, 472.56 ms, respectively. Our improved PF-CLAS scheme needs 88.0328 ms, which saves 79.2%, 41%, 7.9%, 27.9%, 5.4%, 81.4% than Kumar et al.’s scheme [25], Liu et al.’s scheme [27], Gayathri et al.’s scheme [29], Shen et al.’s scheme [34]. Although the total computational overhead of Verma et al.’s scheme [33] is basically the same as our scheme, Verma et al.’s scheme [33] cannot achieve secure communication. Hence, the computational overhead of our improved PF-CLAS scheme reaches the upstream level of the relevant schemes.

Download:

Fig 2. Computational overhead of the single signing and verification.

https://doi.org/10.1371/journal.pone.0268484.g002

Download:

Fig 3. Computational overhead of the aggregate signing and aggregate verification.

https://doi.org/10.1371/journal.pone.0268484.g003

Download:

Table 3. Comparison of computational overhead.

https://doi.org/10.1371/journal.pone.0268484.t003

Communication overhead

As shown in Table 4, we list parameters and length specifications for pairing-based and ECC-based schemes [29]. In addition, the size of the group is 160 bits in our scheme. In [15, 25, 27, 34], the communication overhead of the single signature is 1024 bits, 2048 bits, 2048 bits, and 2048 bits, respectively, because all the elements of σ_i belong to G₁. In our improved PF-CLAS, we set σ_i as (Y_i, w_i), where Y_i ∈ G, . Compared with the schemes [15, 24, 25, 27, 29, 34], the communication overhead of the single signature in our scheme is reduced by 53.1%, 40%, 76.57%, 76.57%, 25%, 76.57%. As is described in Fig 4, it is obvious that our scheme has higher efficiency than the above schemes in the single signature phase. Since references [15, 24] have no connection with the aggregate signature, we don’t describe them too much in the aggregate signature phase. In the meantime, we can know from Fig 5 that the communication overhead of the aggregate signatures in our scheme is lower than Kumar et al.’s scheme [25] and Shen et al.’s scheme [34] with the increase of the number of medical sensor nodes. Although Liu et al.’s scheme [27] and Gayathri et al.’s scheme [29] have lower communication overhead than our scheme, their schemes have serious security flaws. As shown in Table 5, even though our scheme has the same communication overhead as Verma et al.’s scheme [33], their scheme cannot meet the security requirements of HWMSNs. Therefore, our scheme has certain advantages in terms of communication overhead.

Download:

Fig 4. Communication overhead of single signatures.

https://doi.org/10.1371/journal.pone.0268484.g004

Download:

Fig 5. Communication overhead of aggregate signatures.

https://doi.org/10.1371/journal.pone.0268484.g005

Download:

Table 4. Length of parameters in bilinear pairing and ECC.

https://doi.org/10.1371/journal.pone.0268484.t004

Download:

Table 5. Comparison of communication overhead and security features.

https://doi.org/10.1371/journal.pone.0268484.t005

Security features

As shown in Table 5, Xu et al.’s scheme [15], Xu et al.’s scheme [24], Kumar et al.’s scheme [25], Verma et al.’s scheme [33], and Shen et al.’s scheme [34] don’t consider the anonymity of patients’ identities and tracing of malicious medical sensor nodes, which are unsuitable for HWMSNs scenarios. Although Liu et al.’s scheme [27] and Gayathri et al.’s scheme [29] can meet the security requirements of HWMSNs, these schemes have security drawbacks that cannot withstand Type I and Type II attacks. The proposed scheme has been proved that resist Type I and Type II attacks under the random oracle model. Besides, our scheme is able to realize anonymity and traceability, which is more practical in HWMSNs.

Conclusion

In this paper, we found that Zhan et al.’s PF-CLAS scheme [31] cannot withstand malicious MSN_i attacks. In the meantime, we showed the reason why this scheme was vulnerable to malicious MSN_i attacks. It is obvious that Zhan et al.’s scheme cannot guarantee the identity privacy of patients and secure transmission of medical data. Hence, we gave methods to fix the vulnerability and constructed an improved PF-CLAS scheme that could ensure provable security. In addition, the performance evaluation indicated that our improved scheme can realize privacy preservation and secure communication at low overhead. In the future, how to combine blockchain and edge computing technologies to design a more lightweight and secure CLAS scheme for HWMSNs is still an interesting problem.

Supporting information

S1 Data. Runtime of cryptographic operations.

https://doi.org/10.1371/journal.pone.0268484.s001

(XLS)

S2 Data. Comparison of computational overhead.

https://doi.org/10.1371/journal.pone.0268484.s002

(XLS)

Acknowledgments

We thank the anonymous reviewer for your review and approval.

References

1. Hossain ME, Khan A, Moni MA, Uddin S. Use of electronic health data for disease prediction: A comprehensive literature review. IEEE/ACM transactions on computational biology and bioinformatics. 2019;18(2):745–758.
- View Article
- Google Scholar
2. Masud M, Gaba GS, Alqahtani S, Muhammad G, Gupta BB, Kumar P, et al. A Lightweight and Robust Secure Key Establishment Protocol for Internet of Medical Things in COVID-19 Patients Care. IEEE Internet of Things Journal. 2021;8(21):15694–15703.
- View Article
- Google Scholar
3. Vijayakumar P, Obaidat MS, Azees M, Islam SH, Kumar N. Efficient and secure anonymous authentication with location privacy for IoT-based WBANs. IEEE Transactions on Industrial Informatics. 2019;16(4):2603–2611.
- View Article
- Google Scholar
4. Xu Z, He D, Kumar N, Choo K-KR. Efficient certificateless aggregate signature scheme for performing secure routing in VANETs. Security and Communication Networks. 2020;2020(2):1–12.
- View Article
- Google Scholar
5. Kumar M, Chand S. A lightweight cloud-assisted identity-based anonymous authentication and key agreement protocol for secure wireless body area network. IEEE Systems Journal. 2021;15(2):2779–2786.
- View Article
- Google Scholar
6. Jegadeesan S, Azees M, Sekar A, Al-Turjman F. Lightweight Privacy and Confidentiality Preserving Anonymous Authentication Scheme for WBANs. IEEE Transactions on Industrial Informatics. 2022;18(5): 3484–3491.
- View Article
- Google Scholar
7. Ye X, Xu G, Cheng X, Li Y, Qin Z. Certificateless-based anonymous authentication and aggregate signature scheme for vehicular ad hoc networks. Wireless Communications and Mobile Computing. 2021;2021(5):1–16.
- View Article
- Google Scholar
8. Odelu V, Saha S, Prasath R, Sadineni L, Conti M, Jo M. Efficient privacy preserving device authentication in WBANs for industrial e-health applications. Computers & Security. 2019;83:300–312.
- View Article
- Google Scholar
9. Al-Ayyoub M, AlZu’bi S, Jararweh Y, Shehab MA, Gupta BB. Accelerating 3D medical volume segmentation using GPUs. Multimedia Tools and Applications. 2018;77(4):4939–4958.
- View Article
- Google Scholar
10. Al-Qerem A, Alauthman M, Almomani A, Gupta B. IoT transaction processing through cooperative concurrency control on fog–cloud computing environment. Soft Computing. 2020;24(8):5695–5711.
- View Article
- Google Scholar
11. Gupta BB, Li K-C, Leung VC, Psannis KE, Yamaguchi S. Blockchain-assisted secure fine-grained searchable encryption for a cloud-based healthcare cyber-physical system. IEEE/CAA Journal of Automatica Sinica. 2021;8(12):1877–1890.
- View Article
- Google Scholar
12. Nguyen GN, Le Viet NH, Elhoseny M, Shankar K, Gupta B, Abd El-Latif AA. Secure blockchain enabled Cyber–physical systems in healthcare using deep belief network with ResNet model. Journal of Parallel and Distributed Computing. 2021;153:150–160.
- View Article
- Google Scholar
13. Mirsadeghi F, Rafsanjani MK, Gupta BB. A trust infrastructure based authentication method for clustered vehicular ad hoc networks. Peer-to-Peer Networking and Applications. 2021;14(4):2537–2553.
- View Article
- Google Scholar
14. Vijayakumar P, Pandiaraja P, Karuppiah M, Deborah LJ. An efficient secure communication for healthcare system using wearable devices. Computers & Electrical Engineering. 2017;63:232–245.
- View Article
- Google Scholar
15. Xu Z, Luo M, Kumar N, Vijayakumar P, Li L. Privacy-protection scheme based on sanitizable signature for smart mobile medical scenarios. Wireless Communications and Mobile Computing. 2020;2020(1):1–10.
- View Article
- Google Scholar
16. Boneh D, Gentry C, Lynn B, Shacham H. Aggregate and verifiably encrypted signatures from bilinear maps. International conference on the theory and applications of cryptographic techniques. 2003:416-432.
17. Lysyanskaya A, Micali S, Reyzin L, Shacham H, editors. Sequential aggregate signatures from trapdoor permutations. International Conference on the Theory and Applications of Cryptographic Techniques. 2004:74-90.
18. Cheon JH, Kim Y, Yoon HJ. A new ID-based signature with batch verification. Cryptology EPrint Archive. 2004: 131.
- View Article
- Google Scholar
19. Lin X, Sun X, Ho PH, Shen X. GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications. IEEE Transactions on Vehicular Technology. 2007;56(6):3442–3456.
- View Article
- Google Scholar
20. Gong Z, Long Y, Hong X, Chen K. Two certificateless aggregate signatures from bilinear maps. Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing. 2007:188-193.
21. Ma D. Practical forward secure sequential aggregate signatures. Proceedings of the 2008 ACM symposium on Information, computer and communications security. 2008:341–352.
- View Article
- Google Scholar
22. Chen J, Yue H, Huang Z. Secure certificate-based aggregate signature scheme. Computer Engineering and Applications. 2013;49(21):60–64.
- View Article
- Google Scholar
23. Xu Z, He D, Vijayakumar P, Choo K-KR, Li L. Efficient NTRU lattice-based certificateless signature scheme for medical cyber-physical systems. Journal of medical systems. 2020;44(5):1–8. pmid:32189085
- View Article
- PubMed/NCBI
- Google Scholar
24. Xu Z, Luo M, Vijayakumar P, Peng C, Wang L. Efficient certificateless designated verifier proxy signature scheme using UAV network for sustainable smart city. Sustainable Cities and Society. 2022;80:103771.
- View Article
- Google Scholar
25. Kumar P, Kumari S, Sharma V, Sangaiah AK, Wei J, Li X. A certificateless aggregate signature scheme for healthcare wireless sensor network. Sustainable Computing: Informatics and Systems. 2018;18:80–89.
- View Article
- Google Scholar
26. Wu L, Xu Z, He D, Wang X. New certificateless aggregate signature scheme for healthcare multimedia social network on cloud environment. Security and Communication Networks. 2018;2018:1–13.
- View Article
- Google Scholar
27. Liu J, Cao H, Li Q, Cai F, Du X, Guizani M. A large-scale concurrent data anonymous batch verification scheme for mobile healthcare crowd sensing. IEEE Internet of things Journal. 2018;6(2):1321–1330.
- View Article
- Google Scholar
28. Zhang Y, Shu J, Liu X, Jin L, Dong Z. Comments on “A Large-Scale Concurrent Data Anonymous Batch Verification Scheme for Mobile Healthcare Crowd Sensing”. IEEE Internet of Things Journal. 2019;6(1):1287–1290.
- View Article
- Google Scholar
29. Gayathri N, Thumbur G, Kumar PR, Rahman MZU, Reddy PV. Efficient and secure pairing-free certificateless aggregate signature scheme for healthcare wireless medical sensor networks. IEEE Internet of Things Journal. 2019;6(5):9064–9075.
- View Article
- Google Scholar
30. Liu J, Wang L, Yu Y. Improved security of a pairing-free certificateless aggregate signature in healthcare wireless medical sensor networks. IEEE Internet of Things Journal. 2020;7(6):5256–5266.
- View Article
- Google Scholar
31. Zhan Y, Wang B, Lu R. Cryptanalysis and improvement of a pairing-free certificateless aggregate signature in healthcare wireless medical sensor networks. IEEE Internet of Things Journal. 2021;8(7):5973–5984.
- View Article
- Google Scholar
32. Pointcheval D, Stern J. Security proofs for signature schemes. International conference on the theory and applications of cryptographic techniques. 1996: 387-398.
33. Verma GK, Kumar N, Gope P, Singh B, Singh H. SCBS: A Short Certificate-Based Signature Scheme With Efficient Aggregation for Industrial-Internet-of-Things Environment. IEEE Internet of Things Journal. 2021;8(11):9305–9316.
- View Article
- Google Scholar
34. Shen L, Ma J, Liu X, Wei F, Miao M. A secure and efficient ID-based aggregate signature scheme for wireless sensor networks. IEEE Internet of Things Journal. 2016;4(2):546–54.
- View Article
- Google Scholar

[ref1] 1. Hossain ME, Khan A, Moni MA, Uddin S. Use of electronic health data for disease prediction: A comprehensive literature review. IEEE/ACM transactions on computational biology and bioinformatics. 2019;18(2):745–758.
View Article
Google Scholar

[2] View Article

[3] Google Scholar

[ref2] 2. Masud M, Gaba GS, Alqahtani S, Muhammad G, Gupta BB, Kumar P, et al. A Lightweight and Robust Secure Key Establishment Protocol for Internet of Medical Things in COVID-19 Patients Care. IEEE Internet of Things Journal. 2021;8(21):15694–15703.
View Article
Google Scholar

[5] View Article

[6] Google Scholar

[ref3] 3. Vijayakumar P, Obaidat MS, Azees M, Islam SH, Kumar N. Efficient and secure anonymous authentication with location privacy for IoT-based WBANs. IEEE Transactions on Industrial Informatics. 2019;16(4):2603–2611.
View Article
Google Scholar

[8] View Article

[9] Google Scholar

[ref4] 4. Xu Z, He D, Kumar N, Choo K-KR. Efficient certificateless aggregate signature scheme for performing secure routing in VANETs. Security and Communication Networks. 2020;2020(2):1–12.
View Article
Google Scholar

[11] View Article

[12] Google Scholar

[ref5] 5. Kumar M, Chand S. A lightweight cloud-assisted identity-based anonymous authentication and key agreement protocol for secure wireless body area network. IEEE Systems Journal. 2021;15(2):2779–2786.
View Article
Google Scholar

[14] View Article

[15] Google Scholar

[ref6] 6. Jegadeesan S, Azees M, Sekar A, Al-Turjman F. Lightweight Privacy and Confidentiality Preserving Anonymous Authentication Scheme for WBANs. IEEE Transactions on Industrial Informatics. 2022;18(5): 3484–3491.
View Article
Google Scholar

[17] View Article

[18] Google Scholar

[ref7] 7. Ye X, Xu G, Cheng X, Li Y, Qin Z. Certificateless-based anonymous authentication and aggregate signature scheme for vehicular ad hoc networks. Wireless Communications and Mobile Computing. 2021;2021(5):1–16.
View Article
Google Scholar

[20] View Article

[21] Google Scholar

[ref8] 8. Odelu V, Saha S, Prasath R, Sadineni L, Conti M, Jo M. Efficient privacy preserving device authentication in WBANs for industrial e-health applications. Computers & Security. 2019;83:300–312.
View Article
Google Scholar

[23] View Article

[24] Google Scholar

[ref9] 9. Al-Ayyoub M, AlZu’bi S, Jararweh Y, Shehab MA, Gupta BB. Accelerating 3D medical volume segmentation using GPUs. Multimedia Tools and Applications. 2018;77(4):4939–4958.
View Article
Google Scholar

[26] View Article

[27] Google Scholar

[ref10] 10. Al-Qerem A, Alauthman M, Almomani A, Gupta B. IoT transaction processing through cooperative concurrency control on fog–cloud computing environment. Soft Computing. 2020;24(8):5695–5711.
View Article
Google Scholar

[29] View Article

[30] Google Scholar

[ref11] 11. Gupta BB, Li K-C, Leung VC, Psannis KE, Yamaguchi S. Blockchain-assisted secure fine-grained searchable encryption for a cloud-based healthcare cyber-physical system. IEEE/CAA Journal of Automatica Sinica. 2021;8(12):1877–1890.
View Article
Google Scholar

[32] View Article

[33] Google Scholar

[ref12] 12. Nguyen GN, Le Viet NH, Elhoseny M, Shankar K, Gupta B, Abd El-Latif AA. Secure blockchain enabled Cyber–physical systems in healthcare using deep belief network with ResNet model. Journal of Parallel and Distributed Computing. 2021;153:150–160.
View Article
Google Scholar

[35] View Article

[36] Google Scholar

[ref13] 13. Mirsadeghi F, Rafsanjani MK, Gupta BB. A trust infrastructure based authentication method for clustered vehicular ad hoc networks. Peer-to-Peer Networking and Applications. 2021;14(4):2537–2553.
View Article
Google Scholar

[38] View Article

[39] Google Scholar

[ref14] 14. Vijayakumar P, Pandiaraja P, Karuppiah M, Deborah LJ. An efficient secure communication for healthcare system using wearable devices. Computers & Electrical Engineering. 2017;63:232–245.
View Article
Google Scholar

[41] View Article

[42] Google Scholar

[ref15] 15. Xu Z, Luo M, Kumar N, Vijayakumar P, Li L. Privacy-protection scheme based on sanitizable signature for smart mobile medical scenarios. Wireless Communications and Mobile Computing. 2020;2020(1):1–10.
View Article
Google Scholar

[44] View Article

[45] Google Scholar

[ref16] 16. Boneh D, Gentry C, Lynn B, Shacham H. Aggregate and verifiably encrypted signatures from bilinear maps. International conference on the theory and applications of cryptographic techniques. 2003:416-432.

[ref17] 17. Lysyanskaya A, Micali S, Reyzin L, Shacham H, editors. Sequential aggregate signatures from trapdoor permutations. International Conference on the Theory and Applications of Cryptographic Techniques. 2004:74-90.

[ref18] 18. Cheon JH, Kim Y, Yoon HJ. A new ID-based signature with batch verification. Cryptology EPrint Archive. 2004: 131.
View Article
Google Scholar

[49] View Article

[50] Google Scholar

[ref19] 19. Lin X, Sun X, Ho PH, Shen X. GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications. IEEE Transactions on Vehicular Technology. 2007;56(6):3442–3456.
View Article
Google Scholar

[52] View Article

[53] Google Scholar

[ref20] 20. Gong Z, Long Y, Hong X, Chen K. Two certificateless aggregate signatures from bilinear maps. Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing. 2007:188-193.

[ref21] 21. Ma D. Practical forward secure sequential aggregate signatures. Proceedings of the 2008 ACM symposium on Information, computer and communications security. 2008:341–352.
View Article
Google Scholar

[56] View Article

[57] Google Scholar

[ref22] 22. Chen J, Yue H, Huang Z. Secure certificate-based aggregate signature scheme. Computer Engineering and Applications. 2013;49(21):60–64.
View Article
Google Scholar

[59] View Article

[60] Google Scholar

[ref23] 23. Xu Z, He D, Vijayakumar P, Choo K-KR, Li L. Efficient NTRU lattice-based certificateless signature scheme for medical cyber-physical systems. Journal of medical systems. 2020;44(5):1–8. pmid:32189085
View Article
PubMed/NCBI
Google Scholar

[62] View Article

[63] PubMed/NCBI

[64] Google Scholar

[ref24] 24. Xu Z, Luo M, Vijayakumar P, Peng C, Wang L. Efficient certificateless designated verifier proxy signature scheme using UAV network for sustainable smart city. Sustainable Cities and Society. 2022;80:103771.
View Article
Google Scholar

[66] View Article

[67] Google Scholar

[ref25] 25. Kumar P, Kumari S, Sharma V, Sangaiah AK, Wei J, Li X. A certificateless aggregate signature scheme for healthcare wireless sensor network. Sustainable Computing: Informatics and Systems. 2018;18:80–89.
View Article
Google Scholar

[69] View Article

[70] Google Scholar

[ref26] 26. Wu L, Xu Z, He D, Wang X. New certificateless aggregate signature scheme for healthcare multimedia social network on cloud environment. Security and Communication Networks. 2018;2018:1–13.
View Article
Google Scholar

[72] View Article

[73] Google Scholar

[ref27] 27. Liu J, Cao H, Li Q, Cai F, Du X, Guizani M. A large-scale concurrent data anonymous batch verification scheme for mobile healthcare crowd sensing. IEEE Internet of things Journal. 2018;6(2):1321–1330.
View Article
Google Scholar

[75] View Article

[76] Google Scholar

[ref28] 28. Zhang Y, Shu J, Liu X, Jin L, Dong Z. Comments on “A Large-Scale Concurrent Data Anonymous Batch Verification Scheme for Mobile Healthcare Crowd Sensing”. IEEE Internet of Things Journal. 2019;6(1):1287–1290.
View Article
Google Scholar

[78] View Article

[79] Google Scholar

[ref29] 29. Gayathri N, Thumbur G, Kumar PR, Rahman MZU, Reddy PV. Efficient and secure pairing-free certificateless aggregate signature scheme for healthcare wireless medical sensor networks. IEEE Internet of Things Journal. 2019;6(5):9064–9075.
View Article
Google Scholar

[81] View Article

[82] Google Scholar

[ref30] 30. Liu J, Wang L, Yu Y. Improved security of a pairing-free certificateless aggregate signature in healthcare wireless medical sensor networks. IEEE Internet of Things Journal. 2020;7(6):5256–5266.
View Article
Google Scholar

[84] View Article

[85] Google Scholar

[ref31] 31. Zhan Y, Wang B, Lu R. Cryptanalysis and improvement of a pairing-free certificateless aggregate signature in healthcare wireless medical sensor networks. IEEE Internet of Things Journal. 2021;8(7):5973–5984.
View Article
Google Scholar

[87] View Article

[88] Google Scholar

[ref32] 32. Pointcheval D, Stern J. Security proofs for signature schemes. International conference on the theory and applications of cryptographic techniques. 1996: 387-398.

[ref33] 33. Verma GK, Kumar N, Gope P, Singh B, Singh H. SCBS: A Short Certificate-Based Signature Scheme With Efficient Aggregation for Industrial-Internet-of-Things Environment. IEEE Internet of Things Journal. 2021;8(11):9305–9316.
View Article
Google Scholar

[91] View Article

[92] Google Scholar

[ref34] 34. Shen L, Ma J, Liu X, Wei F, Miao M. A secure and efficient ID-based aggregate signature scheme for wireless sensor networks. IEEE Internet of Things Journal. 2016;4(2):546–54.
View Article
Google Scholar

[94] View Article

[95] Google Scholar

Figures

Abstract

Introduction

Contribution

Preliminaries

Complexity assumption

Elliptic Curve Discrete Logarithm Problem (ECDLP).

Computational Diffie-Hellman Problem (CDHP).

System model of HWMSNs

Security requirements of HWMSNs

Message Authentication and Integrity.

Anonymity.

Traceability.

Security model of HWMSNs

Malicious MSNi.

Malicious MS.

Review of PF-CLAS scheme in [31]

Cryptanalysis of PF-CLAS schemes

Forgery attacks from malicious MSNi

Comments on the reason for malicious MSNi attacks

Improved PF-CLAS scheme

Correctness

Security analysis

Other security analysis

Performance evaluation

Computational overhead

Communication overhead

Security features

Conclusion

Supporting information

S1 Data. Runtime of cryptographic operations.

S2 Data. Comparison of computational overhead.

Acknowledgments

References

Malicious MSN_i.

Forgery attacks from malicious MSN_i

Comments on the reason for malicious MSN_i attacks