MHCOOS:AnOffline ...downloads.hindawi.com/journals/scn/2020/7085623.pdfleverage the portability these mobile platforms can oﬀer. Some of the new mobile apps speciﬁcally target

Research ArticleMHCOOS AnOffline-Online Certificateless Signature Scheme forM-Health Devices

Abigail Akosua Addobea 1 Jun Hou 2 and Qianmu Li 134

1School of Cyber Science and Technology Nanjing University of Science and Technology Nanjing 210094 China2School Social Sciences Nanjing Institute of Industry Technology Nanjing 210023 China3Intelligent Manufacturing Department Wuyi University Jiangmen 529020 China4Jiangsu Zhongtian Internet Technology Co Ltd Nantong 226009 China

Correspondence should be addressed to Jun Hou houjunnjust163com and Qianmu Li qianmunjusteducn

Received 24 May 2019 Revised 11 November 2019 Accepted 13 November 2019 Published 28 January 2020

Academic Editor Huaizhi Li

Copyright copy 2020 Abigail Akosua Addobea et al is is an open access article distributed under the Creative CommonsAttribution License which permits unrestricted use distribution and reproduction in anymedium provided the original work isproperly cited

Current trends of mobile technology have seen a tremendous growth in its application in smart healthcareis has resulted in theadoption and implementation of mobile health (m-health) systems by providing health assistance to the aging population Despiteits advantageous benefits its computational complexities cannot be overlooked M-health devices are portable processing tinyequipment with limited computational capabilities thereby making them complex for the implementation of public keycryptosystems In spite of this an Offline-Online signature scheme called theMHCOOS has been proposed to solve the difficultiesin the computational ability e scheme enjoys the following benefits by splitting the signing part into both offline and onlinephases e offline phase performs heavy computations when a message is absent whereas lighter computations are performed atthe online stage when a message is present Secondly the online computations are extremely fast due to the already computedoffline signature value and lighter pairings involved Our performance analysis demonstrates how the proposed scheme out-performs other schemes Finally the hardness of the scheme is proven under the Bilinear DiffiendashHellman (BDH) and Com-putational DiffiendashHellman (CDH) problem in the random oracle model

1 Introduction

M-health is a current technology by which its innovationuses mobile devices or smartphones to support public healthand medicinal purposes It forms a connection betweenElectronic Health (E-health) and smart phone technologye practice involves monitoring capturing analyzing andprocessing body signals recorded from biosensors embeddedin the mobile devices and transferring the information ontoa virtual cloud system e ubiquitous advantage of mobilehealth technology allows patients and healthcare profes-sionals to access their data anywhere and anytime One ofthe advantages the m-health program provides is the re-duction of the number of outpatientrsquos visits to the hospitalssince patients can manage their health problems in theirhome without the need to travel to the health care units It isan effective and a better health solution system when the

patientsrsquo live very far away from their health facilities Mobilehealth platforms enable health practitioners to remotelymonitor their patientsrsquo health and give advice or prescrip-tions without the patient having to travel to the healthcenter It is without any doubt that mobile platforms arebecoming more and more user friendly computationallypowerful readily available and this has led innovators tobegin to develop mobile apps of increasing complexity toleverage the portability these mobile platforms can offerSome of the new mobile apps specifically target the assis-tance of individuals in relation to their own health andwellness management

Other mobile apps target towards healthcare providersto improve and facilitate the delivery of patient care Withthe advent of mobile health manufacturers incorporatecommercial health apps during manufacturing into mobiledevices to record health data statistics such as the heart rate

HindawiSecurity and Communication NetworksVolume 2020 Article ID 7085623 12 pageshttpsdoiorg10115520207085623

check pulses monitor blood pressure and check the fitnesslevels of patients whereas some mobile health sensors areimplanted into the body to monitor and observe the physicalactivity of patients e European Commission funds aproject named theMobiHealthey explained how patientswear a lightweight monitoring system in accordance withtheir health needs eir system requires shorter or longermonitoring where patients need not stay in the hospital formonitoring (httpwwwmobihealthorg)

Despite the enormous advantages m-health has to offerthe problems encountered cannot be overlooked Mostmobile devices that carry out health functions are fragilelightweight devices with limited computational capabilitiesand minimal processing power Its interactivity to largecooperated networks obstructs their functionality Mostpublic key cryptosystems proposed in the literature involveheavy computations and its implementation has not beensuitable for mobile health devices Likewise their limitedprocessing nature makes it difficult to perform excessivecomputational tasks Algorithms in security protocols in-volve heavy computations that impede the security per-formance of m-health devices

11 Our Contributions We propose an Offline-Online Cer-tificateless Scheme for m-health devices (mobile health de-vices) e idea is to split the Certificateless signature intooffline and online methods e motivation for choosing bothschemes was influenced by Certificateless cryptography (CL-PKC) as introduced byAl-Riyami [1]He identified the benefitsof being suitable for the lightweight infrastructure e CL-PKC dealt with the elimination of the certificate managementproblem in the traditional PKI and also eliminated the keyescrow problem in Identity-Based Cryptography (IBC)Similarly CL-PKC is appropriate for low-bandwidth andlower power situations such as themobile security applications[1]e offline-online signature methods as presented by Evenet al [2] are useful for storage-limited devicese execution oftheir method makes use of the offline phase to execute ex-cessive computations whilst the device is at the idle state andno message is available It further stores the message withoutknowing the signed message [2]

MHCOOS scheme has the following advantages

(i) It is a lightweight signature scheme that incorpo-rates both Certificateless signature and Offline-Online Methods into one signature scheme usthe Certificateless signature scheme is lightweightbecause the signature part is divided into bothOffline and Online signing phases

(ii) e Offline computations are performed wheneverthe mobile health device has not recorded anymessage (thus there is no message available) andthe online computations are performed when thedevice has recorded a message Secondly heavycomputations occur at the Offline phase which anoffline-computed signature value is produced whilstlighter computations take place at the online phasewith the already computed offline signature value

(iii) Our scheme is attractive for mobile devices used forhealth applications because it does not requireheavy cryptographic computations especially at thesigning stage where most computations take placeHeavy computations such as bilinear pairings werenot initiated which present great advantages to ourscheme

(iv) Due to the lighter computations initiated there isoptimum reduction in the overall operationaloverhead cost us the operational overhead cost(computation and communication cost) is muchlower and insignificant

e proposed scheme is existential unforgeable under theadaptive chosen message attack against the Type I and Type IIadversaries Furthermore the scheme is proven to be hardunder the CDH and BDH assumptions in the random oracle

12 System Requirements For every IOT health systemthere are some fundamental requirements needed to achievein the design process which are mentioned and expoundedas follows

(i) Authentication entities within the system shouldregister and have legitimate access to themedical server

(ii) Device traceability unauthorized persons shouldnot be able to track messages (health data) sent fromthe clientrsquos mobile device to the server during theonline phase

(iii) Message availability clientrsquos health informationshould be readily available at the server side for easyaccess by the Healthcare Terminal Point

(iv) Anti-interception attack no unscrupulous personscan gain access to the system to alter messagesbetween the mobile device and the server as well asthe server and the Healthcare Terminal Point

(v) User anonymity Adversaries should not be able toextract userrsquos identity whilst the users submit their IDto the medical server during the registration phase

13 Related Work Security is a major issue in the imple-mentation of the m-health system Many public key cryp-tosystems have been proposed for devices with lowoperational functionality An example is the introduction ofElliptic Curve cryptography (ECC) Mana gave severalimportant traditional cryptomethods which fit intom-health context He further suggested ECC to be an effi-cient public key cryptographic system suitable for mobiledevices e use of ECC for devices on the mobile healthnetwork is due to its smaller key sizes but its energy re-quirements are far higher as compared to symmetriccryptosystems [3] Tan andWang [4] proposed a lightweightIdentity-Based Encryption (IBE) for Body Sensor Networks(BSN) eir approach had several shortcomings higherexecution time greater energy consumption due to in-creased computational overhead and higher storage re-quirements because of public key storage Some other book

2 Security and Communication Networks

of thoughts proposed several schemes desirable for deviceswith acute bandwidth problems e notion of the Offline-Online digital signature scheme was proposed by Even et al[2] eir scheme was applicable for low power constraineddevices where any digital signature scheme can be convertedinto an offline and online signing methods

Liu [5] considered their scheme [2] inefficient because ofthe quadratic factor increment Most of the schemes pro-posed in the literature based on Identity-Based Cryptog-raphy (IBC) were suitable for most Sensor Networks but notfor devices with limited computational power However thisapproach suffers from the key escrow problem where anuntrusted Key Generation Center (KGC) could computeprivate keys of users since the KGC has the power togenerate private keys

To solve the key escrow problem Al-riyami and Paterson[1] proposed the Certificateless cryptography where usersneed not worry about the compromise of their private keysIn Certificateless cryptography the KGC computes thepartial private keys after the user sends their identity euser then computes the full private keys It also stated in theirliterature that their scheme supports lightweight infra-structure with low-bandwidth requirements

It is difficult to find a cryptographic scheme suitable form-health and a number of literatures written focus more onthe security and privacy aspect Other literature studiesbarely focused on the proposal of the cryptographic schemefor m-health devices Zhou [6] proposed a lightweightSigncryption protocol (CLGSC) designed for data trans-mission in m-health systems In our work we focused onproposing a technique for m-health devices by splitting ourCertificateless scheme into both offline and online phases tofurther lessen the computational time during the deviceoperation

14 Organization of the Paper e rest of the paper is di-vided into the following sections Section 2 highlights onthe preliminary and complexity assumptions In Section 3a brief description of the Offline-Online CertificatelessSignatures model is given e formal model of theMHCOOS scheme is introduced in Section 4 Section 5deals with the performance comparison of our scheme withother schemes in the literature Section 6 presents theconclusion

2 Preliminaries

is section highlights the conceptual properties of bilinearpairings Let G1 be an additive group of order q(G1 +) andG2 a multiplicative group of the same order (G2 times ) and P

being a generator e structure of bilinear pairing is rep-resented as e

and G1 times G1⟶ G2 with the following properties

(1) Bilinearity forall R S T isin G1 eand

(R + S T) eand

(R T)eand

(S T) and eand

(R S + T) eand

(R S)eand

(R T)

(2) Nondegeneracy eand

(P P)ne 1G2

(3) Computability there exists an efficient algorithmeand

(P Q) for all P Q isin G1

(4) For all u isin G1 v isin G2 a b isin Ζ eand(ua vb) e

and(u v)ab

e bilinear maps are derived from both Weil and TatePairing of an elliptic curve over a finite field Boneh andFranklin [7] gave a more detailed approach on BilinearPairings on Tate and Weil pairings and elliptic curves forefficiency and security

21 Complexity Assumptions is paper is based on thefollowing computational assumptions which are assumed tobe hard to break by an attacker by any probabilistic poly-nomial time (PPT) algorithm

(a) Discrete Logarithmic Problem (DLP) Given an in-stance (g ga) isin G1 with g as the generator anda isin Zlowastr where a is unknown e discrete loga-rithmic problem (DLP) in G requires the value of a

to be computed us the advantage for anyprobabilistic polynomial time algorithm A com-puting a is negligibly small

(b) Computational DiffiendashHellman Problem (CDH)Given (g ga gb) isin G1 with generator g anda b isin Zlowastr where a b are unknowns Our task is tocompute C gab in G1 e CDH problem is as-sumed to be a computationally hard problem ismeans that for any probabilistic polynomial timealgorithm A the advantage of computing the al-gorithm is negligibly small

(c) Bilinear DiffiendashHellman Parameter Generator (BDH-PG) A Bilinear DiffiendashHellman parameter generator(BDH-PG) is defined as the probabilistic polynomialtime- (PPT-) bounded algorithm that takes the se-curity parameter k isin Zlowastr as the input and generatesa tuple (r G1 G2 e

and P)

(d) MHCOOS scheme is secure against Type i adversaryif the probability that an adaptively chosen messageAdvBDHminus CMA

MLCOOSAi(k) can win Game i where i 1 2 e

MHCOOS scheme is secure if AdvBDHminus CMAMLCOOSAi

(k) isnegligible us AdvBDHminus CMA

MLCOOSAi(k)le ε

(e) MHCOOS is existentially unforgeable against adaptivemessage attack if it is secure against adversary i usAdvBDHminus CMA

MLCOOSAi(k)le ε holds respectively

3 Formal Model of the Offline-OnlineCertificateless Signature Scheme

In this section we provide a conventional model of anOffline-Online Certificateless Signature (OOCS) Schemee OOCS scheme consists of six polynomial time algo-rithms Table 1 presents the symbols and notations used inthis paper with their corresponding meanings

31 Syntax

(1) Setup KGC chooses 1k as a security parameterreturns a master secret key msk and publishes a listof system public parameters list l

Security and Communication Networks 3

(2) Partial-Private-Key-Extract is algorithm takes asinputs system public parameter list lmsk theidentity of a user IDi isin 0 1 lowast and returns anoutput DID as the partial private key

(3) Set-Secret-Value User performs this algorithm bytaking system public parameters l and a userrsquosIDi isin 0 1 lowast as inputs and returns a secret value xi

(4) Set-Private-Key e algorithm takes system publicparameters l the secret value xi the partial privatekey DID and returns private key SKID

(5) Set-Public-Key e algorithm takes system publicparameters l the secret value xi and returns publickey PKID

(6) CL-OffSign Using system public parameters l theprivate key SKID of the user with identityIDi isin 0 1 lowast and without the availability of themessage this algorithm generates an offline com-ponent value σ

(7) CL-OnSign Given the message m isin 0 1 lowast thesignerrsquos identity IDi the full private key SKID andthe offline component σ as the input the signerexecutes this algorithm in the online phase with theavailability of the message and generates the sig-nature value δ

(8) Verify e verification algorithm performed to de-termine if the signature is valid or not It takes theidentity IDi of the signer the message m isin 0 1 lowast theCertificateless Signature δ and the Public key PKIDof the signer e algorithm generates true if thesignature δ is valid and null perp if it is invalid

Figure 1 gives a diagrammatic approach of the respectivephases of an Offline-Online scheme in the ordinary literature

32 System Model We provide a description of the entitieswithin the MHCOOS model and their functionalities within

the system in Figure 2 e MHCOOS system consists of theuserrsquos mobile device (MD) medical server collection unit(MS) and the Healthcare Terminal Point (HTP)

(a) e userrsquos mobile device (MD) has installed sensornodes that read sense and collect all vital infor-mation and store them onto to the mobile devicee MD first registers and authenticates itself to theMS e mobile device further transfers all collectedvital data to the medical server collection unit

(b) e medical server collection unit (MS) stores the re-ceived vital information from the userrsquos mobile deviceIt is responsible for the registration and authenticationof the mobile clients as well as the users (doctors andnurses) from the Healthcare Terminal Point

(c) e Healthcare Terminal Point requests for the vitalinformation of users from the medical server col-lection unit It further provides the necessary pre-scription in case of any detected health disorder

4 Proposed Scheme

We propose the MHCOOS Scheme in this section escheme consists of six algorithms

41 System Initialization Phase e medical server firstlyinitializes the system by setting up the following processesusing a security parameter 1k to perform the following steps

(a) Given two cyclic groups (G1 +) and (G2 times ) ofprime order r a pairing map e

and G1 times G1⟶ G2

(b) langPrang becomes a generator of an additive group(G1 +) of prime ordr(P)

(c) e MS selects its secret value s isin RZlowastr and sets

Ppub sP(d) Chooses three one-way hash functions

H1 0 1 lowast ⟶ G1 and H2 0 1 lowast times G1⟶ Zlowastr H3 0 1 lowast times G1 times G1⟶ Zlowastr

(e) MS performs this algorithm to generate mskmpk1113864 1113865master secret keys and master public keys respec-tively en publishes in the public directory listl G1 G2 e

and r Ppub H1 H2 H3

42RegistrationPhase emobile user registers its identityID with the medical server MS e MS fetches the publicdirectory list l its master secret key msk and obtains theuserrsquos identity ID isin 0 1 lowast from the user to register theuserrsquos details in the system by making the followingcomputations

(a) Compute QID H1(ID) hashes the userrsquos identity(b) Compute partial private key DID sH1(ID) sQID

43 Key Setup Phase e user obtains the already computedPartial Private Key from MS and further sets up its deviceregistration by firstly generating a secret value It then

Table 1 Key symbols used in the paper

Symbols Meaning(G1 +) Additive notation in group 1(G2 times) Multiplication notation in group 2H1 H2 H3 ree one-way hash functionss Secret value selected by KGCmskmpk Master secret keys and master public keysIDi Identity of the userL Secret value of the user in the MHCOOS schemeSKID Private keyxi Secret value of the OOCS schemePKID Public keyprime ordr Prime order r

DID Partial private keyl System public parameter list published by the KGCσ Offline signature valueδ Online signature valueMS Medical server unitMD Userrsquos mobile deviceHTP Healthcare Terminal Point


further computes its full private key and public keyrespectively

(a) Set-Secret-Value e user ID randomly picks a se-cret value L isin Zlowastr

(b) Set-Private-Keys With the secret value L and withpartial Private key DID user generates its full Privatekey SKID (1(L + sH1(ID)))P

(c) Set-Public-Key User sets its public key PKID LPPub

44 Authentication Phase e device of the mobile userperforms various signing processes at both stages to au-thenticate itself and transmit the captured health data to themedical server (MS)

45 Signing Phase is stage of the algorithm is split intotwo namely CL-Offline signature and CL-Online signaturerespectively e algorithm works as follows

Setup Partial-Private-Key Extract

Public key setup Private key setup

Set-Secret-Value

CL-Offline-Signature

CL-Online-Signature Verification

Takes parameters list l master secret key msk and useridentity IDiReturns Partial private key DID

(i) User takes parameters listl identity IDi

(i)

(ii)

Takes IDi message m Online signature δand Public key PKID

(i)

Checks signature for validityValid (if δ = true) Invalid (if δ = false)

(ii)(iii)Generates Online Signature value δ(ii)

User takes IDi SKID available message(exist m) and an offline computed value σ

(i)

User takes l xi DID(i)Returns userrsquos Privatekey SKID

(ii)

Returns userrsquos secretvalue = xi

(ii)

Chooses 1k(i)Returns master secret key = msk(ii)Publishes system public parameters list = l

(iii)

User takes l SKID and nomessage present (∄ m)

(i)

Obtains an offline pre-computed value σ

(ii)

User takes parameters listl secret value xi

(i)

Obtains userrsquos Public keyPKID

(ii)

Figure 1 Descriptive model of the OOCS schemee diagram describes the respective phases of an ordinary Offline-Online scheme in theliterature

Figure 2 A typical mobile health (m-health) model


451 CL-Offline Signature Usually there is no messagepresent thus the mobile device has not recorded any healthactivity such as checking pulses or the heart rate and anyother activities It performs the following minor operationsto generate an offline signature value σ used to authenticateitself to the MS

is part of the signing algorithm uses the followingparameter public directory list l SKID user ID isin 0 1 lowast

without the presence of a message (m empty) to perform thefollowing operations to generate an offline signature value σ

(a) Choose randomly s1 t isin RZlowastr

(b) Compute U s1P

(c) Set Y H2 (U ID PKID)

(d) Compute X tSKID

Returns Offline signature value σ where σ (U Y t s1)

452 CL-Online Signature During the online signaturephase when the mobile device has recorded some healthactivities thus with the presence of a message (mneempty) itperforms the following online operations with the alreadyoffline computed signature value and transmits them se-curely on to the medical server MS e MS further storesthese values in a secure form till information is requested

(a) Compute h H3(m U IDi SKID)

(b) Compute θ s1htminus 1modp

(c) Output online signature value δ (U X θ)

46 Verify At this stage the Healthcare Terminal Pointaccesses theMS to request for the userrsquos data and also verifiesthe veracity of userrsquos health data

(a) Compute h H3(m isin 0 1 lowast U IDi SKID )

(b) If eand(Xδ LP + Ppub) e

and(U P)h accept signature

(c) If eand(Xδ LP + Ppub)ne e

and(U P)h reject signature

47Correctness for Signature eHTP further verifies usingthe correctness signature which is as follows

eand Xθ LP + Ppub1113872 1113873 e

and (U P)

h

eand tSKIDs1ht

minus 1P LP + sP1113872 1113873

eand tSKIDs1ht

minus 1P (L + s)P1113872 1113873

eand t

1(L + s)

Pshtminus 1

(L + s)P1113888 1113889

eand s1hP P( 1113857

eand s1P P( 1113857

h

eand (U P)

h

(1)

e proposed algorithm MHCOOS scheme performsbetter in the sense that the offline-online approach introducedat the signature stage is to reduce excess computational costand communication overhead No pairing computation isadopted at the signature stage owing to the fact that pairingcomputations are time consuming and are slower to executewhen compared to other cryptographic computations like thescalar multiplication and hashing At the offline stage there isnomessage computation whilst minimal offline computationstake place to generate an offline-computed value When themobile device records a message (health data) the onlinesignature uses the message and the precomputed offline valueto generate the online signature is method promotes fasterand quicker signature execution process

48 Security Analysis

Theorem 1 MHCOOS Scheme is proved to be existentiallyunforgeable (EUF-CMA) in the random oracle under the CDHassumption problem in G1 if Type 1 adversary AI can win thegame with advantage ε at time T it can make the followingqueries qHi

to the Hash oracles Hi (where i 1 2 3) qE

queries to the private-key extraction oracle qPK queries to thepublic-key request oracle and qsig queries to the signing oracleand then the BDH problem can be solved with probability

isinprime gt isin minus3kqsig qH2 + qsigqE1113872 1113873 + 2 2minus qH1( )

qE qEqH1+ 11113872 1113873

2minus k⎛⎝ ⎞⎠

T tprime + O qsig + k1113872 1113873tp

+ O qH1qH2 + qEqH1qH2( 1113857 te

(2)

where T represents the total running time the adversarywould perform various queries tp is the time to perform onepairing operation and te is the time to compute one ex-ponentiation in G2

Proof e main purpose of the Challenger C is to computeabcP from a tuple (P aP bP cp) with the assumption thatthere exists an adversary AI capable of attacking theMHCOOS scheme with the above advantage

481 System Initialization Phase Let P be a generator of thegroup and a be an unknown master key e Challenger C setsPpub aP e Challenger then updates an initially empty list licontaining the tuple li (IDi DID SKID PKID) During thegame AI starts issuing various queries in qHi as follows

(i) H1 queries the adversary AI is allowed to make qHi

number of queries to the oracle Hi with a list identityIDi AI selects j isin R[1 qH1] where qH1 denotes themaximum number of queries An identity IDi issubmitted to the oracle H1 where i isin R[1 qH1] eChallenger C checks if i j and IDi IDlowast if this istrue it updates a list l1 containing the tuple l1

(IDi Qi yi) and set Qi bP and yi perp (to indicatefailure) If ine j and IDi ne IDlowast the challenger gets yi


and randomly sets Qi yiP and saves the tuplel1 (IDi Qi yi)

49 Key Setup Extraction Queries

(a) Partial key extraction queries if IDi IDlowast C per-forms a number of tasks and updates l with(SKID PKID) respectively after getting an identityIDi query from AI e tasks are as follows C checksif l (IDi DID SKID PKID) DID perp1113864 1113865 If bothconditions are true C returns DID to the adversaryAI If the conditions are false C sets partial privatekey DID yi Ppub yi(aP)1113966 1113967 and returns DID to AI

and updates the list lBy inspection if the list lne (IDi DID SKID PKID) C

updates the list l (IDi DID SKID PKID) by settingthe following 1113864DID yi Ppub yi(aP) and (SKID

PKID) perp1113865 and adds them to the list l(b) Public key extraction queries C performs a number

of tasks and updates l respectively based on a querymade by AI on identity IDi e tasks are as followsC checks the following l (IDi DID SKID PKID)1113864

andPKID neperp If both conditions are true C returnsPKID to the adversary AI If the conditions are falseC selects L isin RZ

lowastr and sets the following

PKID LPpub SKID L1113966 1113967 and returns PKID to AIand then updates the list l1By inspection if the list lne (IDi DID SKID PkID) C

updates the list l with ( SKID PKID) C selectsLlowast isin RZ

lowastr and sets the following PKID LPpub1113966

SKID L and then updates l with (SKID PKID)(c) Secret value extraction queries if IDi IDlowast C

performs a number of tasks and updates the list l

with (SKID DID) after obtaining an identity IDi

query from AI C checks the following l

(IDi DID SKID PKID) PKID perp DID perp If theseconditions are true C executes Partial Key Extrac-tion and Public Key Extraction Queries to obtainDID PKID LlowastPpub SKID Llowast1113966 1113967 respectivelyBy inspection if the list lne (ID DID SKID PKID) C

executes Partial Key Extraction and Public KeyExtraction Queries to obtain DID (PKID SKID)1113864 1113865

and updates the list l with full private keys(DID SKID) respectively

(d) Public key replacement (IDi PKIDprime ) queries C

performs the following operations and updates thelist when AI makes the query on (IDi PKIDprime ) C setsPKID PKIDprime SKID1113864 1113865 if the list l contains

(IDi DID SKID PKID) Otherwise C setsDID PKID PKIDprime SKID perp and updates the list l

accordingly

(i) H2 queries C checks the listl2 (IDi m θlowast PkID bi) following a query fromAI on (m θ PKID) It then returns the list l2 to

AI if the list exists Otherwise it adds bi as a hashvalue to the list l2 by selecting bi isin RZ

lowastr

(ii) H3 queries C checks the list l3 (IDi m θ

PKID bi cj) following query from AI on (IDi

m θ PkID cj) C then returns the list l3 to AI ifl3 exists Otherwise C adds cj as a hash value tothe list L3 by selecting cj isin RZ

lowastr

410 Queries at the Authentication Phase

(a) Signature queries AI queries the challenger C for asignature on an adaptive chosen message mi of a userIDi e Challenger C checks the list l (IDi

DID SKID PKID) C runs Partial Key Extraction andPublic Key Extraction queries respectively ifDID neempty (SKID PKID)neempty1113864 1113865 AI is also allowed togenerate a corresponding signature of any arbitrarylength message mi with its full private key (DID

SkID) under the condition that IDi IDlowast and PKIDare the public key and SKID 1(L + a) as the pri-vate key where a L isin Zlowastr e signature valuereturned from the Challenger is not a valid signaturesince the public key has been replaced by AI and theChallenger may not know the corresponding public key

e Challenger computes the following

4101 CL-Offline Signature

(a) Choose randomly s1 t a b isin RZr

(b) Compute U slowast1 P and set slowast1 ab

(c) Set Y H2 (U IDi PKID)

(d) Compute X tSKID

(e) Output offline signature σ where σ (U Y t slowast1 )

4102 CL-Online Signature

(a) Compute cj H3(m U IDi SKID)

(b) Compute θlowastlowast slowast1 ctminus 1modp


For hash queries l3 (IDi m θ PKID bi cj) setθ lowastlowast slowast1 ctminus 1modp and update θ θlowast lowast

411 Correctness for Signature e Correctness for Signa-ture is depicted as follows

eand Xθ lowastlowast LP + Ppub1113872 1113873

eand tSKIDs

lowast1 ct

minus 1P LP + aP1113872 1113873

eand tSKIDs

lowast1 ct

minus 1P (L + a)P1113872 1113873

eand t

1(L + a)

Pslowast1 ct

minus 1 (L + a)P1113888 1113889

eand (abcP P)

eand (P P)

abc

(3)


Hence this is the BDH instance to the above problemwhich is solved for the given random list (P aP

bP cP) where a b c isin RZlowastr It is assumed that the BDHproblem is difficult to break by any probabilistic polynomialtime (PPT) algorithm erefore the MHCOOS scheme issecure under adaptive chosen message attacker AI in therandom oracle

Theorem 2 MHCOOS Scheme is proved to be existen-tially unforgeable (EUF-CMA) in the random oracle underthe CDH assumption problem in G1 if the Type II adversaryAII can win the game with advantage ε at time T canmake the following queries qHi

to the Hash oracles (Hi

where i 1 2 3) qE queries to the private-key extractionoracle qPK queries to the public-key request oracle and qsigqueries to the signing oracle then the CDH problem can besolved with probability

εprime gt ε minus3kqsig qH2 + qsigqE1113872 1113873 + 2 2minus qH1( )

qE qEqH1 + 1( 11138572minus k⎛⎝ ⎞⎠ (4)

Proof e theorem relies on the assumption that thereexists an adversary AII with considerable powers having theadvantage to attack the scheme without any constraint egoal is to compute abP from a tuple (P aP bP) with as-sumption that there exists an adversary AII capable ofattacking the MHCOOS

412 System Initialization Phase At the Setup phaseChallenger C sets P as the generator G1 and sets Ppub sPwhere s is the master key of the KGC Adversary AII can actas the dishonest KGC C then updates an initially empty listli containing the list (IDi SKID PKID) during the game andresponds to the various queries in qHi

as follows

(i) H 1 queries the adversary AII makes qH1 number ofqueries to the oracle H1 with an identity IDi AII

selects j isin R[1 qH1] where qH1 denotes the maxi-mum number of queries e Challenger C checks ifi j and IDi IDlowast if this true it updates a list l1containing the tuple (IDi Qi yi) and sets Qi aP

and yi perp for failure If ine j and IDi ne IDlowast thechallenger gets yi randomly and sets Qi yiP andupdates the tuple (IDi Qi yi)


(a) Public key extraction queries C performs number oftasks and updates l with (SKID PKID) after gettingan identity IDi query from AII e tasks are asfollows C checks the following l (IDi SKID1113864

PKID) PKID perp If both conditions are true C

returns PKID to the adversary AI If the conditionsare false it sets PKID neperp C selects L isin Zlowastr and sets

PKID bPpub SKID L1113966 1113967 and returns PKID to AIIBy inspection if the tuple does not contain

(IDi SKID PKID) C updates the list l with(SKID PKID) by selecting L isin Zlowastr and sets

PKID bPpub SKID L1113966 1113967 and returns PKID to AII(b) Secret value extraction queries if IDi IDlowast C

performs some tasks and updates l with SKID aftergetting an identity IDi query from AII e tasks areas follows C checks the followingl (IDi SKID PKID)PKID perp1113864 1113865 If the conditionsreturn true C executes Public Key ExtractionQueries to obtain SKID L PKID LPpub1113966 1113967 Byinspection if lne (IDi SKID PKID) C executesPublic Key Extraction Queries to obtain(PKID SKID) and updates the list l with full privatekeys SKID

(i) H2 queries C searches a list l2 if it contains thetuple (m θ PKID hi) following AII query on(m θ PKID) C then returns the tuple to AII ifthe tuple exists Otherwise C adds bi as a hashvalue to the tuple l2 by selecting bi isin RZ

lowastr

(ii) H3 queries C searches the list l3 (m θ PkID

bi cj) following query from AII on (m θ PKID

bi) C then returns the list l3 to AI if l3 existsOtherwise C adds cj as a hash value to the list l3by selecting cj isin RZ

lowastr


(a) Signature queries AII obtains (IDi mi) and allowedquery the Challenger C for a corresponding signatureunder the condition that (IDi ne IDlowast)

e Challenger C then searches for a list l containingthe tuple (IDi SKID PKID) C executes Public Key ex-traction Queries if the following are not found (SKID PKID)AII is also allowed to generate a corresponding signature onany arbitrary length message mi with its full private key(DID SKID) under the condition that IDi IDlowast


eand (U P)

eand s1lowast

P P( 1113857

eand (abP P)

eand (P P)

ab

(5)

is is an instance to the CDH problem It is known thatthe CDH problem is difficult to break by any probabilisticpolynomial time (PPT) algorithm Hence the MHCOOSscheme is secure in CDH under adaptive chosen messageattacker AII in the random oracle

5 Performance Analysis

is section presents the performance of the proposedMHCOOS scheme with other similar certificateless schemesin the literature in terms of communication cost compu-tational cost and the security performance


51 Simulation Setup Environment e simulation envi-ronment was setup on Windows 10 Operating system on anIntel (R) Core i5-4210U CPU and 8GB memory Weimplemented our work on a Dev C++ IDE built onMINGW64

511 Communication Cost e simulation environmentfor the proposed scheme (MHCOOS) was setup on a DevC++ IDE built on MINGW64 Windows 10 Operatingsystem on an Intel (R) Core i5-4210U CPU using theMIRACL multiprecision library e pairing operation isdefined over a supersingular elliptic curve ofy2 x3 + 1modr over GF (p) with 512 bits using Type 1pairings

e compilation time of the proposed scheme wascompared with CL-SDVS [8] in Figure 3 and Table 2 ecompilation results were generated by using a demo C++code to test the library e total execution time of theproposed scheme generated 113 s after two rounds of ex-ecution and that of the CL-SDVS [8] was 6793 Bothschemes used the MIRACL multiprecision library for itsexecution MHCOOS scheme achieved a lower communi-cation cost due to the lighter operations used in the algo-rithm generation CL-SDVS [8] used a lot of pairingcomputations which take longer time to execute Further-more it did not adopt offlineonline alternative Wetherefore conclude that execution process is faster whenalgorithms adopt an offline-online approach

512 Computation Cost is section compares the com-putational operations of the proposed scheme (MHCOOS)with other schemes in the literature Table 3 elaborates thecomparison analysis of our scheme and other schemes intextWe denoted pairing operations p hashing operation hscalar multiplication sm and exp exponentiation in G1

According to Table 3 the proposed scheme (MHCOOS)Selvi [12] and L-OOCLSHRAAP scheme [9] only includedthe Offline and Online computations at the signing stage oftheir algorithm However schemes [8 10 11] did not adoptoffline and online methods in their signing computations

MHCOOS scheme employs 2 scalar multiplications at bothoffline and online stages which are lesser when compared toschemes [9 12] at the online phase and schemes [8 9 11] atthe offline approach except scheme [10] which has the samenumber of scalar multiplications with the proposed scheme

At the verification stage our pairing operation wasslightly higher than the pairing operation in schemes [8 9]but similar to scheme [10] Schemes [11 12] had the highestthe number of pairing operations e signing part of theMHCOOS scheme was split into both Offline and Onlinecomputations During the offline computation an offline-computed value is generated which is used in conjunctionwith the message (health data) to generate an online sig-nature No pairing computation was introduced at thesigning stage due to the fact that pairing computations basedon elliptic curves require heavy computational cost and extraexecution time Execution of the whole signature process isfaster and quicker because at the offline stage the devicedoes not record any message but minute computations takeplace to generate a precomputed offline value

As soon as the mobile device records an activity (receivesa message) the online computation takes place using therecorded message and the precomputed offline value togenerate the online signature In the MHCOOS scheme theuser need not perform a lot of computations at the verifi-cation stage despite its 2 times pairing computation becausemuch of the computations already took place at the signingstage Overall the MHCOOS scheme has proven to be ofmuch advantage over scheme [8 9 12] at the signing stagesand better than [11 12] at the verification stage because ourscheme adopted lesser pairing computations in both stages

52 Application Scenario In this section an m-healthpractical scenario is provided to demonstrate the workflowof a secure data transmission of the entities that employ theMHCOOS scheme First of all mobile health (m-health)supported by e-health is a healthcare technology by whichentities utilize smart devices to access their healthcare needsIt consists of an already installed mobile medical applicationwhich records the daily and fitness activities of its users

(a) (b)

Figure 3 Simulated results generated from message signature using the MIRACL library


Table 2 Performance comparison-communication cost

Scheme Execution time for round 1 (s) Execution time for round 2 (s) Total Execution time (s)

MHCOOS (proposed scheme) 0619 0511 113CL-SDVS [8] mdash mdash 6793


SchemeSigning

VerificationOffline Online

L-OOCLSHRAAP [9] 3M+ 1Exp 3M 1P+ 1Exp+ 1MMHCOOS scheme 2M 2M 2P+ 1ExpLiu et al [10] mdash 1P+ 1Exp + 2M 2P+ 1ExpKumar et al [11] mdash 3M 3P+ 1MHafizul Islam and Biswas [8] mdash 3P+ 3M+Exp 1P + 1M+1ExpSelvi [12] 3M mdash 6M+4P

MS initialization

Computed value for user

Offline parameters

Online parameters

Userrsquos mobileL isin Zr

lowast SKID PKID

Health terminalpoint (HTP)

Take 1k s isinR ℤrlowast

Ppub = sP paramsl = langG1 G2 e r Ppub H1 H2 H3rang

DID = sH1 (ID)Sends DID to user

Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID

σ = (U Y t s1lowast)

θ = s1htndash1 mod pδ = (U X θ)Sign (δ m)

If e (Xθ LP + Ppub) ne e (U P)h

Sends

data

Requests

user data

(δ m)

Figure 4 A toy scenario for the m-health model


simultaneously collecting vital health datae standard ISOTR 17522 2015 developed for health applications on mo-bilesmart devices is used to establish communicationamongst entities

e data is securely transmitted via a Bluetooth andWLAN medium onto the medical server for storage ehealthcare terminal submits the userrsquos identity to request fortheir respective stored datae data is stored at the databaseof the data center where the health practitioner is able tocollect the recorded data of each health respondent ecommunication scenario initiates the lightweight MHCOOSalgorithm It performs the offline computations when nohealth data is present to generate an offline-computed valueIt then fully performs the online computations using thedetected health data and the already offline-computed valueto generate the online signature with the received health data(health data present) e various activities that take place inthe MHCOOS system are well expounded in the followingsteps and diagramatically represented in Figure 4

(a) e MS initializes the system by generating systemsetup and other parameterse userrsquos mobile devicesends the identity of the user IDs to MS to computeDID sH1(ID) for the user and transmits it securelyto the user

(b) At this stage the health app installed on the mobiledevice is termed idle if it is not reading the heart beator checking the pulse of the patient It performsoffline computations at this idle stage and generatesthe offline value (σ) As soon as the mobile devicedetects the presence of any health activity the ap-plication starts to record the vital health data (heartrate or records his pulses) At the online stage theapplication performs several computations using thealready computed offline parameters with the cap-tured data e installed health application (healthapp) signs the online computed value δ on themessage thus sign(δ m) and sends it to the MS forstorage

(c) During verification the HTP submits the identity ofthe mobile user to the MS and requests for the healthdata and checks for the veracity of signature on themessage sign(δ m)

6 Conclusions

In this paper we presented an MHCOOS scheme byadopting an Offline-Online approach to Certificatelesssignatures that are applicable to mobile devices used in thehealth environment MHCOOS is a lightweight crypto-graphic scheme designed to support mobile devices used forhealth applications Based on minimum bilinear pairingsthe scheme splits the signing part into two phases the offlinephase and the online phase e offline phase performs a lotof computational processes when a message (no record ofhealth data) is unavailable to generate an offline computedvalue whereas the online computations take place duringthe presence of a message MHCOOS has been shown to beunforgeable against the Type I and Type II adversaries

(AI andAII) respectively under the adaptive chosen mes-sage attacks whilst it is subsequently proven to be intractableunder the BDH and CDH assumptions in the random oraclee scheme is shown to be lightweight and has wider ap-plicability not only to mobile health (m-health) devices butother wearable devices In our future works we will lookfurther to propose a different lightweight scheme useful fordevices with wearable technology without the use of heavycryptographic methods

Data Availability

edata used in running the simulation were download fromthe Miracl Github repository from the below website httpsgithubcommiraclMIRACL A demo code from this sitehttpsgithubcommiraclMIRACLblobmastersourcepk-democpp was used to test pk-democpp of the library file

Conflicts of Interest

e authors declare that there are no conflicts of interest

Acknowledgments

is paper was supported by Fundamental Research Fundsfor the Central Universities (no 30918012204) MilitaryCommon Information System Equipment Pre-ResearchSpecial Technology Project (315075701) 2019 IndustrialInternet Innovation and Development Project from theMinistry of Industry and Information Technology of Chinaand 2018 Jiangsu Province Major Technical Research ProjectldquoInformation Security Simulation Systemrdquo ShanghaiAerospace Science and Technology Innovation Fund(SAST2018-103)

References

[1] S S Al-riyami and K G Paterson ldquoCertificateless public keycryptographyrdquo Advances in CryptologymdashASIACRYPT 2003Springer Berlin Germany 2003

[2] S Even O Goldreich and S Micali ldquoOn-lineoff-line digitalsignaturesrdquo Advances in CryptologymdashCRYPTOrsquo 89 Proceed-ings pp 263ndash275 1990

[3] M Mana ldquoTrust key management scheme for wireless bodyarea networksrdquo International Journal of NetworkSecurityvol 12 no 2 pp 71ndash79 2011

[4] C C Tan and H Wang ldquoBody sensor network Security anidentity-based cryptography approachrdquo in Proceedings of theFirst ACM Conference on Wireless Network SecuritymdashWiSecrsquo08 Alexandria VA USA April 2008

[5] J K Liu Efficient OnlineOffline Identity-Based Signature forWireless Sensor Network Institute for Infocomm ResearchSingapore 2010

[6] C Zhou ldquoComments on ldquoLight-Weight and robust security-aware D2D-assist data transmission protocol for mobile-health systemsrdquordquo IEEE Transactions on Information Forensicsand Security vol 13 no 7 pp 1869-1870 2018

[7] D Boneh and M Franklin ldquoIdentity-based encryption fromthe Weil pairingrdquo SIAM Journal on Computing vol 32 no 3pp 586ndash615 2003

[8] S Hafizul Islam and G P Biswas ldquoProvably secure certifi-cateless strong designated verifier signature scheme based on


elliptic curve bilinear pairingsrdquo Journal of King Saud Uni-versitymdashComputer and Information Sciences vol 25 no 1pp 51ndash61 2013

[9] M E S Saeed Q-Y Liu G Tian B Gao and F Li ldquoRemoteauthentication schemes for wireless body area networks basedon the Internet of thingsrdquo IEEE Internet of Oings Journalvol 5 no 6 pp 4926ndash4944 2018

[10] J Liu Z Zhang X Chen K Sup and K Member ldquoCertif-icateless remote anonymous authentication schemes forwireless body area networksrdquo IEEE Transactions on Paralleland Distributed Systems vol 25 no 2 pp 332ndash342 2014

[11] P Kumar S Kumari V Sharma A K Sangaiah J Wei andX Li ldquoA certificateless aggregate signature scheme forhealthcare wireless sensor networkrdquo Sustainable ComputingInformatics and Systems vol 18 pp 80ndash89 2018

[12] S S D Selvi ldquoEfficient certificateless onlineoffline signaturewith tight securityrdquo Journal of Internet Services and Infor-mation Security vol 2 no 34 pp 77ndash92 2012

[13] M C Gorantla and A Saxena ldquoAn efficient certificatelesssignature schemerdquo Computational Intelligence and Securitypp 110ndash116 Springer Berlin Germany 2005

[14] A Ge S Chen and X Huang ldquoA concrete certificatelesssignature scheme without pairingsrdquo in Proceedings of the 2009International Conference on Multimedia Information Net-working and Security vol 2 pp 374ndash377 Hubei ChinaNovember 2009

[15] Y-C Chen R Tso G Horng C-I Fan and R-H HsuldquoStrongly secure certificate less signature cryptanalysis andimprovement of two schemesrdquo Journal of Information Scienceand Engineering vol 31 no 1 pp 297ndash314 2015

[16] A C-C Yao and Y Yunlei Zhao ldquoOnlineoffline signaturesfor low-power devicesrdquo IEEE Transactions on InformationForensics and Security vol 8 no 2 pp 283ndash294 2013

[17] Y Sun Z Zhang and L Shen ldquoA revocable certificatelesssignature scheme without pairingrdquo Cloud Computing andSecurity vol 10039 pp 355ndash364 springer Berlin Ger-many 2016

[18] Y Xie S Zhang X Li Y Li and Y Chai ldquoCasCP efficientand secure certificateless authentication scheme for wirelessbody area networks with conditional privacy-PreservingrdquoSecurity and Communication Networks vol 2019 Article ID5860286 13 pages 2019

[19] S Li J Cui H Zhong Y Zhang and Q He ldquoLEPA alightweight and efficient public auditing scheme for cloud-assisted wireless body sensor networksrdquo Security and Com-munication Networks vol 2017 Article ID 4364376 16 pages2017

[20] A Adavoudi-Jolfaei M Ashouri-Talouki and S F AghilildquoLightweight and anonymous three-factor authentication andaccess control scheme for real-time applications in wirelesssensor networksrdquo Peer-to-Peer Networking and Applicationsvol 12 no 1 pp 43ndash59 2019

[21] K-A Shim ldquoUniversal forgery attacks on remote authenti-cation schemes for wireless body area networks based onInternet of thingsrdquo IEEE Internet of Oings Journal vol 6no 5 pp 9211-9212 2019

[22] Z Xu X Liu G Zhang and W He ldquoMcCLS certificatelesssignature scheme for emergency mobile wireless cyber-physical systemsrdquo International Journal of Computers Com-munications amp Control vol 3 no 4 pp 395ndash411 2008

[23] D Stebila An introduction to provable security 2014[24] J Liu Z Zhang R Sun and K S Kwak ldquoAn efficient cer-

tificateless remote anonymous authentication scheme forwireless body area networksrdquo in Proceedings of the 2012 IEEE

International Conference on Communications (ICC)pp 3404ndash3408 Ottawa ON Canada June 2012

[25] J Hanen Z Kechaou and M B Ayed ldquoAn enhancedhealthcare system in mobile cloud computing environmentrdquoVietnam Journal of Computer Science vol 3 no 4 pp 267ndash277 2016

[26] S S Al-Riyami and K G Paterson ldquoCertificateless public keycryptographyrdquo Advances in Cryptology - ASIACRYPT 2003pp 1ndash40 Springer Berlin Germany 2003

[27] Ernst and Young mHealth Mobile Technology Poised toEnable a New Era in Health Care pp 1ndash54 2012 httpswwweycomPublicationvwLUAssetsmHealth$FILEmHealth20Report_Final_1920Nov2012pdf

[28] L Wu Z Xu D He and X Wang ldquoNew certificatelessaggregate signature scheme for healthcare multimedia socialnetwork on cloud environmentrdquo Security and Communica-tion Networks vol 2018 Article ID 2595273 13 pages 2018


check pulses monitor blood pressure and check the fitnesslevels of patients whereas some mobile health sensors areimplanted into the body to monitor and observe the physicalactivity of patients e European Commission funds aproject named theMobiHealthey explained how patientswear a lightweight monitoring system in accordance withtheir health needs eir system requires shorter or longermonitoring where patients need not stay in the hospital formonitoring (httpwwwmobihealthorg)

Despite the enormous advantages m-health has to offerthe problems encountered cannot be overlooked Mostmobile devices that carry out health functions are fragilelightweight devices with limited computational capabilitiesand minimal processing power Its interactivity to largecooperated networks obstructs their functionality Mostpublic key cryptosystems proposed in the literature involveheavy computations and its implementation has not beensuitable for mobile health devices Likewise their limitedprocessing nature makes it difficult to perform excessivecomputational tasks Algorithms in security protocols in-volve heavy computations that impede the security per-formance of m-health devices

11 Our Contributions We propose an Offline-Online Cer-tificateless Scheme for m-health devices (mobile health de-vices) e idea is to split the Certificateless signature intooffline and online methods e motivation for choosing bothschemes was influenced by Certificateless cryptography (CL-PKC) as introduced byAl-Riyami [1]He identified the benefitsof being suitable for the lightweight infrastructure e CL-PKC dealt with the elimination of the certificate managementproblem in the traditional PKI and also eliminated the keyescrow problem in Identity-Based Cryptography (IBC)Similarly CL-PKC is appropriate for low-bandwidth andlower power situations such as themobile security applications[1]e offline-online signature methods as presented by Evenet al [2] are useful for storage-limited devicese execution oftheir method makes use of the offline phase to execute ex-cessive computations whilst the device is at the idle state andno message is available It further stores the message withoutknowing the signed message [2]

MHCOOS scheme has the following advantages

(i) It is a lightweight signature scheme that incorpo-rates both Certificateless signature and Offline-Online Methods into one signature scheme usthe Certificateless signature scheme is lightweightbecause the signature part is divided into bothOffline and Online signing phases

(ii) e Offline computations are performed wheneverthe mobile health device has not recorded anymessage (thus there is no message available) andthe online computations are performed when thedevice has recorded a message Secondly heavycomputations occur at the Offline phase which anoffline-computed signature value is produced whilstlighter computations take place at the online phasewith the already computed offline signature value

(iii) Our scheme is attractive for mobile devices used forhealth applications because it does not requireheavy cryptographic computations especially at thesigning stage where most computations take placeHeavy computations such as bilinear pairings werenot initiated which present great advantages to ourscheme

(iv) Due to the lighter computations initiated there isoptimum reduction in the overall operationaloverhead cost us the operational overhead cost(computation and communication cost) is muchlower and insignificant

e proposed scheme is existential unforgeable under theadaptive chosen message attack against the Type I and Type IIadversaries Furthermore the scheme is proven to be hardunder the CDH and BDH assumptions in the random oracle

12 System Requirements For every IOT health systemthere are some fundamental requirements needed to achievein the design process which are mentioned and expoundedas follows

(i) Authentication entities within the system shouldregister and have legitimate access to themedical server

(ii) Device traceability unauthorized persons shouldnot be able to track messages (health data) sent fromthe clientrsquos mobile device to the server during theonline phase

(iii) Message availability clientrsquos health informationshould be readily available at the server side for easyaccess by the Healthcare Terminal Point

(iv) Anti-interception attack no unscrupulous personscan gain access to the system to alter messagesbetween the mobile device and the server as well asthe server and the Healthcare Terminal Point

(v) User anonymity Adversaries should not be able toextract userrsquos identity whilst the users submit their IDto the medical server during the registration phase

13 Related Work Security is a major issue in the imple-mentation of the m-health system Many public key cryp-tosystems have been proposed for devices with lowoperational functionality An example is the introduction ofElliptic Curve cryptography (ECC) Mana gave severalimportant traditional cryptomethods which fit intom-health context He further suggested ECC to be an effi-cient public key cryptographic system suitable for mobiledevices e use of ECC for devices on the mobile healthnetwork is due to its smaller key sizes but its energy re-quirements are far higher as compared to symmetriccryptosystems [3] Tan andWang [4] proposed a lightweightIdentity-Based Encryption (IBE) for Body Sensor Networks(BSN) eir approach had several shortcomings higherexecution time greater energy consumption due to in-creased computational overhead and higher storage re-quirements because of public key storage Some other book







2 Preliminaries





(R + S T) eand

(R T)eand

(S T) and eand

(R S + T) eand

(R S)eand

(R T)


(P P)ne 1G2




and(u v)ab







and P)





MLCOOSAi(k)le ε





31 Syntax
















4 Proposed Scheme










and r Ppub H1 H2 H3
















Set-Secret-Value





(i)

(ii)


(i)




(i)


(ii)


(ii)


(iii)


(i)


(ii)


(i)


(ii)








(b) Compute U s1P


(d) Compute X tSKID













eand Xθ LP + Ppub1113872 1113873 e

and (U P)

h

eand tSKIDs1ht

minus 1P LP + sP1113872 1113873

eand tSKIDs1ht

minus 1P (L + s)P1113872 1113873

eand t

1(L + s)

Pshtminus 1

(L + s)P1113888 1113889


eand s1P P( 1113857

h

eand (U P)

h

(1)







qE qEqH1+ 11113872 1113873



+ O qH1qH2 + qEqH1qH2( 1113857 te

(2)






























accordingly



lowastr




lowastr










(d) Compute X tSKID









eand tSKIDs

lowast1 ct

minus 1P LP + aP1113872 1113873

eand tSKIDs

lowast1 ct

minus 1P (L + a)P1113872 1113873

eand t

1(L + a)

Pslowast1 ct

minus 1 (L + a)P1113888 1113889

eand (abcP P)

eand (P P)

abc

(3)








qE qEqH1 + 1( 11138572minus k⎛⎝ ⎞⎠ (4)



as follows













lowastr




lowastr





eand (U P)

eand s1lowast

P P( 1113857

eand (abP P)

eand (P P)

ab

(5)














(a) (b)







SchemeSigning



MS initialization


Offline parameters

Online parameters


lowast SKID PKID





Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID




Sends

data

Requests

user data

(δ m)








6 Conclusions



Data Availability




Acknowledgments


References






































2 Preliminaries





(R + S T) eand

(R T)eand

(S T) and eand

(R S + T) eand

(R S)eand

(R T)


(P P)ne 1G2




and(u v)ab







and P)





MLCOOSAi(k)le ε





31 Syntax
















4 Proposed Scheme










and r Ppub H1 H2 H3
















Set-Secret-Value





(i)

(ii)


(i)




(i)


(ii)


(ii)


(iii)


(i)


(ii)


(i)


(ii)








(b) Compute U s1P


(d) Compute X tSKID













eand Xθ LP + Ppub1113872 1113873 e

and (U P)

h

eand tSKIDs1ht

minus 1P LP + sP1113872 1113873

eand tSKIDs1ht

minus 1P (L + s)P1113872 1113873

eand t

1(L + s)

Pshtminus 1

(L + s)P1113888 1113889


eand s1P P( 1113857

h

eand (U P)

h

(1)







qE qEqH1+ 11113872 1113873



+ O qH1qH2 + qEqH1qH2( 1113857 te

(2)






























accordingly



lowastr




lowastr










(d) Compute X tSKID









eand tSKIDs

lowast1 ct

minus 1P LP + aP1113872 1113873

eand tSKIDs

lowast1 ct

minus 1P (L + a)P1113872 1113873

eand t

1(L + a)

Pslowast1 ct

minus 1 (L + a)P1113888 1113889

eand (abcP P)

eand (P P)

abc

(3)








qE qEqH1 + 1( 11138572minus k⎛⎝ ⎞⎠ (4)



as follows













lowastr




lowastr





eand (U P)

eand s1lowast

P P( 1113857

eand (abP P)

eand (P P)

ab

(5)














(a) (b)







SchemeSigning



MS initialization


Offline parameters

Online parameters


lowast SKID PKID





Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID




Sends

data

Requests

user data

(δ m)








6 Conclusions



Data Availability




Acknowledgments


References














































4 Proposed Scheme










and r Ppub H1 H2 H3
















Set-Secret-Value





(i)

(ii)


(i)




(i)


(ii)


(ii)


(iii)


(i)


(ii)


(i)


(ii)








(b) Compute U s1P


(d) Compute X tSKID













eand Xθ LP + Ppub1113872 1113873 e

and (U P)

h

eand tSKIDs1ht

minus 1P LP + sP1113872 1113873

eand tSKIDs1ht

minus 1P (L + s)P1113872 1113873

eand t

1(L + s)

Pshtminus 1

(L + s)P1113888 1113889


eand s1P P( 1113857

h

eand (U P)

h

(1)







qE qEqH1+ 11113872 1113873



+ O qH1qH2 + qEqH1qH2( 1113857 te

(2)






























accordingly



lowastr




lowastr










(d) Compute X tSKID









eand tSKIDs

lowast1 ct

minus 1P LP + aP1113872 1113873

eand tSKIDs

lowast1 ct

minus 1P (L + a)P1113872 1113873

eand t

1(L + a)

Pslowast1 ct

minus 1 (L + a)P1113888 1113889

eand (abcP P)

eand (P P)

abc

(3)








qE qEqH1 + 1( 11138572minus k⎛⎝ ⎞⎠ (4)



as follows













lowastr




lowastr





eand (U P)

eand s1lowast

P P( 1113857

eand (abP P)

eand (P P)

ab

(5)














(a) (b)







SchemeSigning



MS initialization


Offline parameters

Online parameters


lowast SKID PKID





Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID




Sends

data

Requests

user data

(δ m)








6 Conclusions



Data Availability




Acknowledgments


References









































Set-Secret-Value





(i)

(ii)


(i)




(i)


(ii)


(ii)


(iii)


(i)


(ii)


(i)


(ii)








(b) Compute U s1P


(d) Compute X tSKID













eand Xθ LP + Ppub1113872 1113873 e

and (U P)

h

eand tSKIDs1ht

minus 1P LP + sP1113872 1113873

eand tSKIDs1ht

minus 1P (L + s)P1113872 1113873

eand t

1(L + s)

Pshtminus 1

(L + s)P1113888 1113889


eand s1P P( 1113857

h

eand (U P)

h

(1)







qE qEqH1+ 11113872 1113873



+ O qH1qH2 + qEqH1qH2( 1113857 te

(2)






























accordingly



lowastr




lowastr










(d) Compute X tSKID









eand tSKIDs

lowast1 ct

minus 1P LP + aP1113872 1113873

eand tSKIDs

lowast1 ct

minus 1P (L + a)P1113872 1113873

eand t

1(L + a)

Pslowast1 ct

minus 1 (L + a)P1113888 1113889

eand (abcP P)

eand (P P)

abc

(3)








qE qEqH1 + 1( 11138572minus k⎛⎝ ⎞⎠ (4)



as follows













lowastr




lowastr





eand (U P)

eand s1lowast

P P( 1113857

eand (abP P)

eand (P P)

ab

(5)














(a) (b)







SchemeSigning



MS initialization


Offline parameters

Online parameters


lowast SKID PKID





Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID




Sends

data

Requests

user data

(δ m)








6 Conclusions



Data Availability




Acknowledgments


References





































(b) Compute U s1P


(d) Compute X tSKID













eand Xθ LP + Ppub1113872 1113873 e

and (U P)

h

eand tSKIDs1ht

minus 1P LP + sP1113872 1113873

eand tSKIDs1ht

minus 1P (L + s)P1113872 1113873

eand t

1(L + s)

Pshtminus 1

(L + s)P1113888 1113889


eand s1P P( 1113857

h

eand (U P)

h

(1)







qE qEqH1+ 11113872 1113873



+ O qH1qH2 + qEqH1qH2( 1113857 te

(2)






























accordingly



lowastr




lowastr










(d) Compute X tSKID









eand tSKIDs

lowast1 ct

minus 1P LP + aP1113872 1113873

eand tSKIDs

lowast1 ct

minus 1P (L + a)P1113872 1113873

eand t

1(L + a)

Pslowast1 ct

minus 1 (L + a)P1113888 1113889

eand (abcP P)

eand (P P)

abc

(3)








qE qEqH1 + 1( 11138572minus k⎛⎝ ⎞⎠ (4)



as follows













lowastr




lowastr





eand (U P)

eand s1lowast

P P( 1113857

eand (abP P)

eand (P P)

ab

(5)














(a) (b)







SchemeSigning



MS initialization


Offline parameters

Online parameters


lowast SKID PKID





Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID




Sends

data

Requests

user data

(δ m)








6 Conclusions



Data Availability




Acknowledgments


References























































accordingly



lowastr




lowastr










(d) Compute X tSKID









eand tSKIDs

lowast1 ct

minus 1P LP + aP1113872 1113873

eand tSKIDs

lowast1 ct

minus 1P (L + a)P1113872 1113873

eand t

1(L + a)

Pslowast1 ct

minus 1 (L + a)P1113888 1113889

eand (abcP P)

eand (P P)

abc

(3)








qE qEqH1 + 1( 11138572minus k⎛⎝ ⎞⎠ (4)



as follows













lowastr




lowastr





eand (U P)

eand s1lowast

P P( 1113857

eand (abP P)

eand (P P)

ab

(5)














(a) (b)







SchemeSigning



MS initialization


Offline parameters

Online parameters


lowast SKID PKID





Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID




Sends

data

Requests

user data

(δ m)








6 Conclusions



Data Availability




Acknowledgments


References







































qE qEqH1 + 1( 11138572minus k⎛⎝ ⎞⎠ (4)



as follows













lowastr




lowastr





eand (U P)

eand s1lowast

P P( 1113857

eand (abP P)

eand (P P)

ab

(5)














(a) (b)







SchemeSigning



MS initialization


Offline parameters

Online parameters


lowast SKID PKID





Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID




Sends

data

Requests

user data

(δ m)








6 Conclusions



Data Availability




Acknowledgments


References










































(a) (b)







SchemeSigning



MS initialization


Offline parameters

Online parameters


lowast SKID PKID





Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID




Sends

data

Requests

user data

(δ m)








6 Conclusions



Data Availability




Acknowledgments


References





































SchemeSigning



MS initialization


Offline parameters

Online parameters


lowast SKID PKID





Verification

Verif

ies (

δ m

)

Use

r sen

ds ID

to M

S

s1 t isinR Zrlowast

U = s1PX = tSKID




Sends

data

Requests

user data

(δ m)








6 Conclusions



Data Availability




Acknowledgments


References






































6 Conclusions



Data Availability




Acknowledgments


References
























































Documents

MHCOOS:AnOffline ...downloads.hindawi.com/journals/scn/2020/7085623.pdfleverage the portability these mobile platforms can oﬀer. Some of the new mobile apps speciﬁcally target