An Attribute-Based Encryption Scheme with Revocation for Fine-Grained Access Control in Wireless Body Area Networks

Abstract

The wireless body area networks (WBANs) have emerged as a new method for e-healthcare. Without being measured face-to-face, the medical workers can give guidance to patients in a real-time way. WBANs can greatly improve the healthcare quality. The personal information and medical data are stored and processed in sensors. The security and privacy are two vital issues. In this paper, we design an attribute-based encryption scheme for fine-grained access control in WBANs. In our scheme, a user can decrypt a ciphertext if the attributes related with a ciphertext satisfy the user's access structure. The users can be revoked if necessary. Therefore, the security and privacy of patients can be protected. Our scheme provides confidentiality, security, and resistance to collusion attack. We analyze the correctness, security, and energy consumption of the scheme.

1. Introduction

Wireless body area networks (WBANs) are gaining popularity rapidly in recent years, especially in the area of medical use, such as healthcare monitoring, medical treatment, and emergency medical response systems (EMRS) which greatly increase the efficiency of healthcare. A typical WBAN consists of a controller and a number of sensors, which are wearable or can be implanted into human body to monitor the body parameters (e.g., electrocardiogram (ECG), heart rate, blood pressure, and blood glucose), the surrounding environments parameters (e.g., temperature, humidity, and location), and the movements of body. WBANs can be used in pervasive and real-time monitoring of the status of patients in the form of text, visual, or audio, and so forth. Home monitoring is a good choice for chronic patients and old people, as it frees patients from visiting the hospital frequently. Sensor nodes and users are mobile in the sense that they can move, be relocated to another position, or be associated with other nodes or users [1]. Figure 1 shows the general healthcare system of a WBAN. The sensors are used to measure certain parameters of human body and send these signals to a controller, which may be a mobile phone or a PDA [2]. These medical data will be processed in the controller, and the controller can give guidance to other devices. For example, in the diabetes monitoring, the glucose sensors monitor and transmit blood glucose levels to the controller for insulin release. The medical data can be stored locally in WBANs or be transferred remotely to the doctors, emergency medical response, or database of patients through internet using WiFi, Bluetooth, or Zigbee, and so forth. The remoter can give guidance to the patients or healthcare staff.

Figure 1

A general healthcare system of WBAN.

Security and privacy are two major concerns in WBANs. Since the medical data stored in WBANs are sensitive, it is essential to ensure the security of these data. Obtaining inaccurate and wrong medical data will possibly make the therapy ineffective or even lead to wrong treatments [3]. We summarize two threats and possible consequences in WBANs. (1)

Eavesdropping Threats. The attackers may eavesdrop on the information of patients; thus, this may cause the privacy issues. For example, a patient has an embarrassing disease or a patient may want to keep medical information out from insurance. For another example, the location of patients can be found by a criminal minded person, so this threat is of vital importance. Data confidentiality is an important requirement in healthcare applications using WBANs.

(2)

Modification Threats. The data transferred is vital for patients as the modified information may lead to wrong diagnosis. The nature of wireless makes the data prone to being lost. Thus, in order to ensure that the received data has not been modified by an adversary, there should be proper data integrity mechanisms.

So, the users who want to access the patient-related data must be strictly limited; otherwise, the privilege of patients could not be protected. In order to enforce the access control, data encryption is needed to protect the patient-related data. The traditional methods are symmetric key cryptography (SKC) and public key cryptography (PKC) systems. In SKC scheme, the sender and receiver use the same key. If an attacker compromises a node, he can get all the data stored in the node. A solution to this problem is dividing the lifetime of sensors into series of periods. During different periods different keys are used, but this needs updating the keys timely and increasing the load of sensors. In PCK scheme, any patient-related data is encrypted by a public key and only the users who have the corresponding master key can decrypt the data. This general scheme is simple to implement but inefficient as the number of encryption operations and the size of ciphertexts both of which are linear with the number of users. So when the number of users increases, the cost of key distribution will be high. A better way to solve the problem is broadcast encryption. The sender specifies the receivers and broadcasts the keys to the revoked users. Although the broadcast encryption is efficient, the sender needs to store the list of receivers, and this will increase the storage space.

We design a security mechanism for access control, data encryption, and user revocation in WBANs. The major users in a typical WBAN are different doctors, nurses, healthcare staff, and medical insurance response systems. The patient may not know the exact users who are able to access the data but rather has a way to describe them in terms of descriptive attributes or credentials [4]. Attribute-based encryption (ABE) is suitable to encrypt messages without exact knowledge of the receivers.

Besides security and privacy, another issue which should be considered in WBANs is resource constraints. The sensors are limited in energy, storage space, and computational capability, and the lifetime of a battery is restricted. In order to reduce the energy consumption, it is necessary to build limited size of security mechanism. The energy consumption of sensing and computation are usually so small that they are almost negligible compared to the expensive cost of communication in WBANs; for example, according to the report of NAI Labs [5], the energy consumption of sending data is 0.0.2 mJ/bit and receiving data is 0.014 mJ/bit; however, the energy consumption used in accomplishing SHA-1 is 0.0000072 mJ/bit on the same MIPS processer. So, there should be as less transmitting as possible.

This paper makes contributions as follows. Firstly, we design the access tree structures of users. Secondly, we develop the encryption algorithms for fine-grained access control in WBANs. Thirdly, we introduce the user revocation algorithm. Fourthly, we evaluate the performance of our scheme.

2. Related Work

Security and privacy of patient-related data are two indispensable components in WBANs. Security means that data is securely stored and transferred, and privacy means that the people who have authorization can access, view, and use the data [2]. There are two main methods about the security and privacy protection in WBANs.

(1) Key Distribution in WBANs. The researches in [6–9] use the biometric signal (such as electrocardiograph) as the key to encrypt the medical data which is to be transferred, and the receiver has the same key to decrypt the data. For the advantage of biometric signal, this method ensures the security of transferred data, and testability makes the method applicable widely, but this method also has drawbacks. When the attackers get the biometric signal of patient, they can decrypt all the data which is encrypted by the signal, and this will leak the privacy of patients. In order to capture the biometric signal, there is a need to attach the biometric sensor to a body sensor node, but this will increase the cost.

(2) Data Storage and Access Control. The authors in [3] proposed the concept of secure storage and data access control in WBANs and summarized the methods of secure and privacy protection, but this paper did not analyze and compare the energy consumption. The research in [10] develops a distributed data access control scheme, in which the ciphertext is associated with attributes and the key is associated with access structure. The access structure identifies the ciphertext which can be decrypted by the key. In that paper, the users access data in a fine-grained way, but it lacks the timeliness of access control. In [11], the important multisender broadcast authentication problem is solved in WSNs. In [12], the authors proposed a fuzzy attribute-based signcryption scheme. Their scheme leverages fuzzy attribute-based encryption to enable data encryption, access control, and digital signature for a patient's medical information in a WBAN. For using the signature, it is complicated in the message transmission, and the energy consumption should be considered. In [13], the authors proposed an identity-based encryption scheme for WBANs; however, their scheme lacked the access control feature.

ABE is considered suitable for access control in WBANs, because it reduces the cost between the sensors and users. In [14] the authors first introduced the idea of ABE based on fuzzy identity-based encryption (FIBE) which was built on the idea of identity-based encryption (IBE). The identity of users can be described by strings, such as email address: alice@yahoo.com. In FIBE, the senders can encrypt the ciphertext by a public key, $ω^{'}$ . A user has a master key with the identity ω. When the users access the medical data, if and only if ω includes at least k parameters similar to $ω^{'}$ , they can decrypt the ciphertext. The scheme has the tolerance ability as the ω and $ω^{'}$ need not be the same, and there is no need to obtain the certificate of receivers, so it reduces the energy cost of authentication.

In ABE, identity consists of attributes; for example, the attributes set of a doctor is {hospital, department, on duty}. Both the ciphertext and keys are associated with attributes. The ABE has two variants, key policy ABE (KP-ABE) [15] and ciphertext policy ABE (CP-ABE) [16]. In KP-ABE, the ciphertext is associated with the attributes and the key is associated with an access structure. Decryption is enabled if and only if the attributes associated with a ciphertext satisfy the key's access structure. However, in CP-ABE, the situation is reversed: the ciphertext is associated with access structure and the key is associated with attributes.

In this paper, we consider the security and privacy of WBANs by designing a fine-grained access control scheme. The medical data is encrypted by attributes and only when these attributes satisfy the key's access structure, the users can decrypt it. The patients may not know the doctors or nurses, but they can explicit the attributes which should be satisfied for the users. A user will be able to decrypt the medical data if the attributes satisfy the access structure.

User management is an important issue since malicious users are dangerous to WBANs. If some users need to be revoked, such as changing the medical workers and finding some malicious users, they will lose their capability of decryption, while the capability of nonrevoked users remains valid. Some researches propose different methods to solve the problem. The authors in [17] proposed to renew the user's master key periodically, but the users' privilege of accessing the data would expire after a time. This method will fail when the malicious users access the data before the expired time. In [18], the sensor nodes encrypt the data using the identity attributes which are not owned by the revoked users; therefore, only the nonrevoked users can decrypt the data. However, all the revoked users in the history are recorded in the ciphertext, so the ciphertext size will be very large.

The rest of this paper is organized as follows. Section 3 introduces the preliminaries of the scheme. Section 4 presents the system model. Section 5 analyzes the scheme, including the correctness, security, and energy consumption. Section 6 overviews the conclusion and future work.

3. Preliminaries

3.1. Bilinear Maps

Let $G_{1}$ and $G_{2}$ be two groups of prime order p and g a generator of $G_{1}$ . A bilinear map is an injective function $e : G_{1} \times G_{1} \to G_{2}$ with the following properties. (a)

Bilinearity: $\forall u, v \in G_{1}$ , $a, b \in Z_{p}$ , there is $e (u^{a}, v^{b}) = {e (u, v)}^{a b}$ .

(b)

Nondegeneracy: $e (g, g) \neq 1$ .

(c)

Computability: there is an efficient algorithm to compute $e (u, v)$ for each $u \in G_{1}$ and $v \in G_{2}$ .

3.2. Bilinear Diffie-Hellman Problem (BDHP)

Given two groups $G_{1}$ and $G_{2}$ with the same prime order p, let $e : G_{1} \times G_{1} \to G_{2}$ be a bilinear map and g a generator of $G_{1}$ . The objective of BDHP is to compute ${e (g, g)}^{a b c}$ in ( $G_{1}, G_{2}, e$ ) from the given $(g, g^{a}, g^{b}, g^{c})$ , where $a, b, c \in Z_{p}$ .

3.3. Decisional Bilinear Diffie-Hellman Problem (DBDHP)

Given $a, b, c \in Z_{p}$ , $g^{a}, g^{b} {, g}^{c} \in G_{1}$ , and $h \in G_{2}$ , the objective is to decide whether ${h = e (g, g)}^{a b c}$ .

3.4. Key Policy Scheme

Usually, the key policy scheme consists of 4 steps. (1)

Setup. According to the random numbers produced by the system, the scheme generates the public parameters PK and a master key MK. PK is used to encrypt message by senders. MK is used to generate decryption keys.

(2)

Encryption. The plaintext M is encrypted using the attributes and PK. It outputs the ciphertext E.

(3)

Key Generation. It takes the access structure, master key MK, and the public parameters PK as input. It outputs the decryption key DK.

(4)

Decryption. The ciphertext E is decrypted by the decryption key DK for access control structure and outputs the plaintext M.

3.5. Security Game for ABE

We define the security game for our scheme. The game can be described as follows.

Init: the adversary commits the attributes set γ to the challenger.

Setup: the challenger runs the Setup algorithm and gives the public parameters (PK) to the adversary.

Phase 1: the adversary submits queries for master keys for access structures $A_{i}$ , where, for all i, $γ \notin A_{i}$ .

Challenge: the adversary submits two equal length messages $M_{0}$ and $M_{1}$ to the challenger. The challenger flips a random coin b and passes the ciphertext $M_{b}$ encrypted with γ to the adversary.

Phase 2: phase 1 is repeated.

Guess: the adversary outputs a guess $b^{'}$ of b.

The advantage of an adversary A in this game is defined as $\Pr [b^{'} = b] - 1 / 2$ .

This game can be extended to handle chosen-ciphertext attacks by allowing for decryption queries in phases 1 and 2.

3.6. Access Tree

Access tree expresses the structure of access control. Ciphertext is associated with attributes. Decryption key is labeled with an access tree structure, in which each nonleaf node is the threshold gate described by a threshold value and its children and each leaf node is labeled with attributes. A user can decrypt a ciphertext with a given key if and only if there is an assignment of attributes from the ciphertext to nodes of the tree such that the tree is satisfied.

Let $T$ be an access tree with root r and attr(x) the attributes associated with the leaf node x. If $nu m_{x}$ is the number of children of node x and $k_{x}$ is its threshold value, then $0 < nu m_{x} ⩽ k_{x}$ . When $k_{x} = 1$ , the threshold gate is an OR gate; when $k_{x} = {num}_{x}$ , it is an AND gate. Each leaf node x of the tree is described by an attribute. Denote the subtree of $T$ rooted as the node x by $T_{ x}$ . Hence $T_{ x}$ is the same as $T$ . If a set of attributes satisfy the access tree $T_{ x}$ , we denote it by $T_{ x} (γ) = 1$ . $T_{ x} (γ)$ can be computed recursively as follows: if x is a nonleaf node, evaluate $T_{ x^{'}} (γ)$ for all children $x^{'}$ of node x. $T_{ x} (γ)$ returns 1 if and only if at least $k_{x}$ children return 1. If x is a leaf node, then $T_{ x} (γ)$ returns 1 if and only if $attr (x) \in γ$ .

When the attributes associated with the ciphertext satisfy the users' access structures, the users can get the medical data. Figure 2 shows an example of the access tree structure. Every no-leaf node is assigned with a threshold. The ciphertext which has at least k attributes can be decrypted by the users. For example, a ciphertext has the following attributes {hospital m, physician, on duty}. Hospital m refers to which hospital the doctor belonged to. On duty indicates whether the doctor is on duty that time. If the attributes related with ciphertext satisfies the access tree, the doctor can get the patient's medical data and give treatments to the patient. The same is true for a nurse, healthcare staff, and medical insurance company agents or emergency room.

Figure 2

An example of access structure.

4. System Model

4.1. Definition

We consider a typical WBAN consisting of a number of sensors denoted by $S = {s_{1}, s_{2}, \dots, s_{m}}$ , n users denoted by $U = {u_{1}, u_{2}, \dots, u_{n}}$ , and the number of users denoted by $N_{user}$ . Let G be a bilinear group of prime order p and g the generator of G. We define the Lagrange coefficient $Δ_{i, S}$ for $i \in Z_{p}$ and a set, S, of elements in $Z_{p} : Δ_{i, S} = \prod_{j \in S, j \neq i} ((x - j) / (i - j))$ .

4.2. Communication Procedure

Suppose a doctor will get the patient's medical data stored in sensors. The communication procedure can be sketched as follows. (1)

The sensors execute Algorithms 1 and 2 to produce the public keys and master keys.

(2)

The sensors encrypt the medical data M using public key and send the ciphertext to the doctor.

(3)

Once the doctor needs to be revoked, the controller updates the keys of all the users except the doctor. We adopt the method in [19]. The controller broadcasts any $n - r$ out of n users with ciphertext and master key. This method is suitable when the number of revoked users each time is small.

(4)

The nonrevoked users check the time, produce the decryption key, and decrypt the ciphertext when the attributes satisfy the access structure of the users.

Algorithm 1: System initialization.

(1) Choose y randomly in $Z_{p}$ . Let g be the generator of $G_{1}$ , choose an element $g_{2} \in G_{1}$ , $g_{1} = g^{y}$ ;

(2) Define the universe of attributes set $A = (a_{1}, a_{2}, \dots, a_{n + 1})$ . For each attribute $a_{i} \in A$ , choose

a number $t_{i}$ uniformly at random from $Z_{p}$ , $T_{1} = g^{t_{1}}, \dots, T_{| A |} = g^{t_{| A |}}, Y = {e (g, g)}^{y}$ ;

(3) Define a function $T (x) = {g_{2}}^{x^{n}} \prod_{i = 1}^{n + 1} t_{i}^{Δ_{i, N (x)}}$ ;

(4) The public key $PK = 〈 T_{1} = g^{t_{1}}, \dots, T_{| A |} = g^{t_{| A |}}, Y = {e (g, g)}^{y} 〉$ , the master key $MK = 〈 y, t_{1}, \dots, t_{| A |} 〉$ .

(5) The maximum number of users is $N$ ;

Algorithm 2: Key generation.

(1) Choose a polynomial $q_{x}$ for each non-leaf node as follows:

Set the degree $d_{x} = k_{x} - 1$ . For the root node r, to define it completely, set $q_{r} (0) = y$ , and $d_{r}$ other

points of the polynomial $q_{r}$ randomly. For each other node x, set $q_{x} (0) = q_{parent (x)} (index (x))$ and

choose $d_{x}$ other points randomly to completely define $q_{x}$ ;

(2) For each leaf node x, give the decryption key to the users: $D_{x} = {g_{2}}^{q (x)} {T (i)}^{- r_{x}}$ , $d_{x} = g^{r_{x}}$ .

The decryption key $DK = (D_{x}, d_{x}) = ({{g_{2}}^{q_{x} (0)} {T (i)}^{{- r}_{x}}}, {g^{r_{x}}})$ .

We design a scheme for fine-grained access control in WBANs. Our scheme consists of five algorithms: (1) system initialization; (2) key generation; (3) encryption; (4) user revocation; (5) decryption.

5. System Analysis

5.1. Correctness Analysis

Now that we have defined the function decryptnode, the decryption algorithm simply calls the function on the root of the tree. We observe that decryptnode $(E, DK, r) = {e (g, g)}^{y s} = Y^{s}$ if and only if the attributes associated with the ciphertext satisfy the access tree. Since $E_{1} = M {e (g_{1}, g_{2})}^{s}$ , the decryption algorithm simply divides out ${e (g_{1}, g_{2})}^{s}$ and recovers the message M:

\begin{array}{l} M^{'} = \frac{E_{1}}{\prod_{i \in S} {(e (D_{x}, E_{2}) / e (d_{x}, E_{3}))}^{Δ_{i, S} (0)}} \\ = M {e (g, g)}^{t} \\ \times {(\prod_{i \in S} {(\frac{e ({g_{2}}^{q_{x} (0)} {T (i)}^{{- r}_{x}}, g^{s})}{e (g^{r_{x}}, {T (x)}^{- s})})}^{Δ_{i, S} (0)})}^{- 1} \\ = M {e (g, g)}^{t} \\ \times {(\prod_{i \in S} {(\frac{e ({g_{2}}^{q_{x} (0)}, g^{s}) e (T {(i)}^{{- r}_{x}}, g^{s})}{e (g^{r_{x}}, {T (x)}^{- s})})}^{Δ_{i, S} (0)})}^{- 1} \\ = \frac{M {e (g, g)}^{t}}{\prod_{i \in S} {(e ({g_{2}}^{q_{x} (0)}, g^{s}))}^{Δ_{i, S} (0)}} = M . \end{array}

(1)

5.2. Security Analysis

(1) Collusion Attack Resistance. In this scheme, different users have different access structures. The master key is generated randomly and independently from $Z_{p}$ ; therefore, it is impossible for them to collude together to get the medical data. Even if they collude together, they satisfy neither of the entries to the medical data.

(2) Confidentiality

Theorem 1.

If an attacker $A$ can break the scheme in the security game with probability ε, then a simulator $B$ can be constructed to win the DBDH game with the probability $ε / 2$ .

Proof.

The security of the game is based on the hardness of the DBDH assumption. We prove it as the approach proposed in [15]. The simulation proceeds as follows.

Let $G_{1}$ and $G_{2}$ be two groups with a bilinear map e and a generator g. The challenger chooses a fair binary coin $μ \in {0,1}$ , $a, b, c \in Z_{p}$ . We construct a simulator $B$ ; then $B$ plays the role of challenger. If $μ = 0$ , $B$ is given $(A, B, C, Z) = (g^{a}, g^{b}, g^{c}, {e (g, g)}^{a b c})$ ; otherwise, it sets z as a random number and $B$ is given $(A, B, C, Z) = (g^{a}, g^{b}, g^{c}, {e (g, g)}^{z})$ .

Init: the simulator $B$ runs $A$ . $A$ chooses the attributes set γ which it wishes to be challenged on.

Setup: $B$ assigns the public key as follows. It sets $Y = e (A, B) = {e (g, g)}^{a b}$ . For all $i \in γ$ , it chooses $β_{i} \in Z_{p}$ randomly and sets $T_{i} = C^{β_{i}} = g^{c β_{i}}$ ; otherwise, it sets $T_{i} = g^{δ_{i}}$ and then gives the public key to A.

Phase 1: $A$ makes requests for the master key of an access structure T where γ does not satisfy T. To generate the master key, $B$ needs to define a polynomial $q_{x}$ of degree $d_{x}$ for every node in access tree T.

We define recursive function polynode (x) to assign the polynomial $q_{x}$ for node x as follows.

For each node x in T, we use $k_{x}$ and $index (x)$ to denote node's threshold value and the unique index of node x, respectively. The procedure takes an access tree T and attributes set γ as input. (i)

If x is the root node r, $q_{x} (0) = λ_{x}$ and $λ_{x}$ is chosen from $Z_{p}$ randomly.

(ii)

Select the satisfied children $x^{'}$ of x. For each $x^{'}$ , choose a random number $r_{x^{'}} \in Z_{p}$ and let $q_{x} (index t (i)) = {b r}_{x^{'}}$ . For each unsatisfied child j, calculate $q_{x} (j) = \sum_{i \in X_{i}} (index (i)) Δ_{i, S_{x}} (j)$ .

(iii)

For each child $x^{'}$ of x, $q_{x^{'}} (0) = q_{x} (index (x^{'}))$ .

When polynode (x) terminates, $B$ constructs the polynomials for all nodes in T. Therefore, the master key corresponding to each leaf node x of T is given as follows:

\begin{matrix} D_{x} = \{\begin{cases} g^{Q_{x} (0) / t_{x}} = g^{{b q}_{x} (0) / r_{i}} = B^{q_{x} (0) / r_{i}}, & attr  (x) \in γ \\ g^{Q_{x} (0) / t_{i}} = g^{{b q}_{x} (0) / {b β}_{i}} = B^{q_{x} (0) / β_{i}}, & otherwise . \end{cases} \end{matrix}

(2)

Therefore, $B$ constructs a master key for the access structure T.

Challenge. $A$ submits two challenge messages $M_{1}$ and $M_{2}$ to $B$ . $B$ flips a fair binary coin v and returns an encryption of $M_{v}$ . The ciphertext is output as $E = (γ, M_{v}, Z, {\{E_{i} = C^{t_{i}}\}}_{i \in γ})$ . If $μ = 0$ , $Z = {e (g, g)}^{a b c}$ . This indicates that the ciphertext is valid for the message under the identity. If $μ = 1$ , $Z = {e (g, g)}^{z}$ . Since z is random, $M_{v} Z$ will be a random element from the adversaries view and the message contains no information about $M_{v}$ .

Phase 2: the simulator acts exactly the same as in phase 1.

Guess: A will submit a guess $v^{'}$ of v. If $v^{'} = v$ , the simulator will output $μ^{'} = 0$ to indicate that it is given a valid tuple; otherwise, it will output $μ^{'} = 1$ to indicate it is given a random 4-tuple.

If $μ^{'} = 1$ , the adversary gains no information about v, $\Pr [v^{'} = v ∣ μ = 1] = 1 / 2$ . If $μ^{'} = 0$ , the adversary gains an encryption of $M_{v}$ . The adversary's advantage in this situation is ε by definition. Therefore, $\Pr [v^{'} = v ∣ μ = 0] = 1 / 2 + ε$ . The overall advantage of the simulator in the DBDH game is

\begin{array}{l} \frac{1}{2} \Pr [v^{'} = v ∣ v = 0] + \frac{1}{2} \Pr [v^{'} = v ∣ v = 1] - \frac{1}{2} \\ = \frac{1}{2} (\frac{1}{2} + ε) + \frac{1}{2} \times \frac{1}{2} - \frac{1}{2} = \frac{1}{2} ε . \end{array}

(3)

(3) Unforgeability. The adversary cannot forge the ciphertext because he cannot guess the attributes which are used to encrypt the ciphertext. Even if the adversary gets other user's ciphertext, he cannot create a new, valid ciphertext as the attributes which are used to encrypt a ciphertext are different from others, and the number y is chosen randomly. Therefore, we claim that our scheme is unforgeable under chosen-ciphertext attacks.

5.3. Performance Analysis

In this part, we present the performance analysis results about our scheme in terms of transmission and computation. We also compare the performance results with previous best known ones. In this paper, we mainly consider the energy consumption about message transmission and computation in WBANs. The energy consumption on transmission is much more than computing, so improving the performance of transmission will increase the overall performance greatly.

5.3.1. Energy Consumption on Transmission

According to Algorithms 3 and 4 (if there are some users to be revoked), the total message size is

| E_{1} | + | E_{2} | + | E_{3} | + | t t | + | D_{x}^{'} | + | D_{x}^{'} | .

(*)

Algorithm 3: Encryption.

To encrypt a message $M \in G_{2}$ under a set of attributes, the sender chooses

a random value $s \in Z_{p}$ , and compute ciphertext E with the following steps:

(1) $E_{1} = M e {(g_{1}, g_{2})}^{s}$ ;

(2) $E_{2} = g^{s}$ ;

(3) ${E_{3} = T_{i}^{s}}_{i \in A}$ ;

(4) Current time $t t$ ;

(5) Ciphertext $E = (E_{1}, E_{2}, {{E}_{3}}_{i \in A}, t t)$ .

Algorithm 4: User revocation.

In order to revoke a user, the controller updates decryption key for the non-revoked users.

(1) Choose another random number $y^{'}$ from $Z_{P}$ , $Δ y = y^{'} - y$ , $Y^{'} = {e (g, g)}^{y^{'}}$ ;

(2) Choose an exponents $r_{x}^{'} \in Z_{p}$ , for each user $u_{j}$ , give the decryption key to the non-revoked

users: $D_{x}^{'} = {g_{2}}^{q (x)} {T (i)}^{- r_{x}^{'}}$ , $d_{x}^{'} = g^{r_{x}^{'}}$ . The updated decryption key ${DK}^{'} = {D_{x}^{'}, d_{x}^{'}}$ .

We use Tate pairing [20] to evaluate the bilinear map e. The parameters in (*) are variable. Assuming $|t t|$ is 2 bytes, p is the prime order of G and $G_{T}$ , and n is the number of attributes, the total message size is ( $|p| + |p| + n |p| + 2 + |p| + | p |) = 2 + (n + 4) | p |$ . According to [21], a chipcon CC1000 radio used in Crossbow MICA2DOT motes consumes 28.6 μJ and 59.2 μJ to receive and transmit one byte, respectively. The total energy consumption for one user is $(2 + (n + 4) |p|) * (28.6 + 59.2)$ μJ, and W users need $W * (1.931 + 0.1756 | p |)$ mJ. The parameters are set as follows: $n = 3$ , $| p | = 20$ , 42.5, 60 bytes. The first three lines in Table 1 are the results.

Table 1

The energy consumption on transmission in our scheme and other schemes.

Length of p (byte)	Energy consumption (mJ)
Our scheme ( $\| p \| = 20$ )	12.643
Our scheme ( $\| p \| = 42.5$ )	26.296
Our scheme ( $\| p \| = 60$ )	37.051
Certificate-based	146.99
Merkle hash tree	144.56
ID-based	111.02

Table 1 shows the comparison energy consumption on transmission of our scheme and other schemes. It can be seen that, even though we set $| p | = 60$ bytes, the energy consumption on transmission of our scheme is much lower than others.

Figure 3 presents the relationship between the number of attributes (indicated by n) and the energy consumption on transmission. The curves in Figure 3 indicate that, with the increase of attribute numbers, the energy consumption increases.

Figure 3

Energy consumption on transmission with regard to the number of attributes.

5.3.2. Energy Consumption on Computation

In this part, we evaluate the energy consumption on computation in our scheme. n is the number of attributes. Firstly, we show the operations of initialization (Algorithm 1), key generation (Algorithm 2), encryption (Algorithm 3), user revocation (Algorithm 4), and decryption (Algorithm 5) in Table 2.

Table 2

The operations in our scheme.

Operations	Initialization	Key generation	Encryption	User revocation	Decryption
Exponent computation	$n + 1$	$2 n + 1$	$n + 3$	$2 n + 1$	n
e evaluation	$1$	$0$	$1$	$1$	$2 n$
Multiplication	$0$	$n + 1$	$n + 2$	$n + 2$	$1$
Addition	$0$	$0$	$0$	$0$	$1$
Comparison	$0$	$0$	$0$	$0$	n

Algorithm 5: Decryption.

If $T (γ) = 1$ and $N_{user} \leq N$ , the user can decrypt a message M which is encrypted under a set of attributes.

(1) On receiving the ciphertext E, the receiver checks the current time $\tilde{tt}$ ;

(2) If $| tt - \tilde{tt} | < ε$ , the receiver decrypts the ciphertext using decryption key $DK$ ;

(3) $N_{user} + 1$ ;

$M^{'} = \frac{E_{1}}{\prod_{i \in S} {(e (D_{x}, E_{2}) / e (d_{x}, E_{3}))}^{Δ_{i, S} (0)}}$

It x is a leaf node, we can compute:

$Decryptnode (E, DK, x) = \frac{e (D_{x}, E_{2})}{e (d_{x}, E_{i})} = \frac{e ({g_{2}}^{q_{x} (0)} \cdot {T (i)}^{r_{x}}, g^{s})}{e ({g_{2}}^{r_{x}}, T_{i}^{s})} = {e (g, g)}^{s \cdot q_{x} (0)}$

If x is a non-leaf node, then:

$F_{x} = \prod_{z \in S_{x}} F_{z}^{Δ_{i, S_{x}^{'}} (0)}$ where, $\begin{matrix} i = index (z) \\ S_{x}^{'} = index (z)   : z \in S_{x} \end{matrix}$

$= \prod_{z \in S_{x}} {e (g, g)}^{s \cdot q_{z} (0)}^{Δ_{i, S_{x}^{'}} (0)}$

$= \prod_{z \in S_{x}} {e (g, g)}^{s \cdot q_{parent (z)} (index (z))}^{Δ_{i, S_{x}^{'}} (0)}$

$= \prod_{z \in S_{x}} {e (g, g)}^{s \cdot q_{x} (i) \cdot Δ_{i, S_{x}^{'}} (0)}$

$= {e (g, g)}^{s \cdot q_{x} (0)}$

We consider the sensor CPU is a 32-bit Inter PXA-255 processor at 400 MHz. It is reported in [22] that the typical power consumption of PXA-255 in active and idle modes is 411 mW and 121 mW, respectively. We adopt Tate pairing to compute the Bilinear Maps. According to [23], it takes 752 ms to compute Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHZ. As a result, the computation of Tate pairing on PXA-255 roughly needs 33/ $440 \times 752 \approx 62.04$ ms. Using the equation $E = W \times t$ , where E is the energy consumption, W is the power, and t is the execution time, the energy consumed at work is $411 \times 62.04 = 25.5$ mJ. As mentioned in [23], the Tate pairing takes the most running time; we thus use energy consumed on pairing to approximate that of the procedure. In our scheme, we compute the Tate pairing which happened in sensors (we do not consider the Tate pairing in decryption as it takes place on the client for users). The energy consumption is 3*62.04 ms = 186.12 ms. Table 3 shows the computation cost of our scheme and other schemes when the number of users is 1. From Table 3 we can see that the computation time of our scheme is higher than the first three and lower than the fourth one.

Table 3

The energy consumption on computation of our scheme and other schemes.

Scheme	Computation cost (ms)
Certificate-based	39.96
Merkle hash tree	18.48
ID-based	124.08
FABSC	310.2
Our scheme	186.12

Figure 4 presents the energy consumption on computation with regard to the number of users. From Figure 4 we can observe that the computation cost of our scheme is lower than FABSC and higher than others. Nevertheless, when we take the transmission and computation into account, our scheme is energy-efficient when the number of users is large.

Figure 4

Computation cost with regard to the number of users.

6. Conclusion and Future Work

In this paper, we design a key policy attribute-based scheme for access control in WBANs. When the attributes related to the ciphertext satisfy the users' access structures, the ciphertext can be decrypted. User revocation is introduced to the scheme. In the future, we can classify the medical data according to the hierarchy, for example, the sensitive data and the no-sensitive data. Sensitive data includes the data which is of vital importance and embarrassed data. No-sensitive data is the ordinary medical data such as temperature, pulse, and blood pressure. Anyone who wants to get the sensitive data must have high level privilege, and the no-sensitive data can be accessed by low level privilege.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This research is part of Projects 2009011022-2 supported by Natural Science Foundation of Shanxi Province.

References

Walters

J. P.

Liang

Shi

Chaudhary

Wireless sensor network security: a survey

Security in Distributed, Grid, and Pervasive Computing 2006

New York, NY, USA

CRC Press

Latré

Braem

Moerman

Blondia

Demeester

A survey on wireless body area networks

Wireless Networks 2011 17 1 1 18

10.1007/s11276-010-0252-4

2-s2.0-79951723271

Lou

Ren

Data security and privacy in wireless body area networks

IEEE Wireless Communications 2010 17 1 51 58

10.1109/MWC.2010.5416350

2-s2.0-77649094379

Bethencourt

Sahai

Waters

Ciphertext-policy attribute-based encryption

Proceedings of the IEEE Symposium on Security and Privacy

May 2007

Berkely, Calif, USA

321 334

Carman

D. W.

Kruus

P. S.

Matt

B. J.

Constraints and approaches for distributed sensor network security

NAI Labs Technical Report no. 2000 00-010

Glenwood, Md, USA

NAI Labs

Shi

Lam

K.-Y.

Chung

S.-L.

Energy-efficient key distribution using electrocardiograph biometric set for secure communications in wireless body healthcare networks

Journal of Medical Systems 2011 35 5 745 753

10.1007/s10916-010-9467-2

2-s2.0-84862967913

Zhang

Wang

Vasilakos

A. V.

Fang

ECG-cryptography and authentication in body area networks

IEEE Transactions on Information Technology in Biomedicine 2012 16 6 1070 1078

2-s2.0-84870926798

10.1109/TITB.2012.2206115

Eschenauer

Gligor

V. D.

A key-management scheme for distributed sensor networks

Proceedings of the 9th ACM Conference on Computer and Communications Security

2002

New York, NY, USA

ACM

41 47

Perrig

Szewczyk

Tygar

J. D.

Wen

Culler

D. E.

SPINS: security protocols for sensor networks

Wireless Networks 2002 8 5 521 534

2-s2.0-0036738266

10.1023/A:1016598314198

10.

Ren

Lou

FDAC: toward fine-grained distributed data access control in wireless sensor networks

IEEE Transactions on Parallel and Distributed Systems 2011 22 4 673 686

10.1109/TPDS.2010.130

2-s2.0-79952071204

11.

Ren

Lou

Zeng

Moran

P. J.

On broadcast authentication in wireless sensor networks

IEEE Transactions on Wireless Communications 2007 6 11 4136 4144

10.1109/TWC.2007.060255

2-s2.0-36248988077

12.

Zhang

Cheng

Liao

Body area network security: a fuzzy attribute-based signcryption scheme

IEEE Journal on Selected Areas in Communications/Supplement 2013 31 9 37 45

13.

Tan

C. C.

Zhong

Wang

Body sensor network security: an identity-based cryptography approach

Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec ′08)

March-April 2008

Virginia, Va, USA

148 153

10.1145/1352533.1352557

2-s2.0-56749165131

14.

Sahai

Waters

Fuzzy identity based encryption

Advances in Cryptology—EUROCRYPT 2005 2005 3494

Berlin, Germany

Springer

457 473 Lecture Notes in Computer Science

10.1007/11426639_27

15.

Goyal

Pandey

Sahai

Waters

Attribute-based encryption for fine-grained access control of encrypted data

Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS ′06)

October 2006

New York, NY, USA

16.

Cheung

Newport

Provably secure ciphertext policy ABE

Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ′07)

November 2007

Scottsdale, Ariz, USA

456 465

10.1145/1315245.1315302

2-s2.0-45749116552

17.

Bethencourt

Sahai

Waters

Ciphertext-policy attribute-based encryption

Proceedings of the IEEE Symposim on Security and Privacy

May 2007

18.

Ren

Lou

Attribute-based on-demand multicast group setup with membership anonymity

Computer Networks 2010 54 3 377 386

10.1016/j.comnet.2009.09.009

ZBL1184.68064

2-s2.0-75749102533

19.

Naor

Lotspiech

Revocation and tracing schemes for stateless receivers

Proceedings of Advances in Crytology 2001 2139 41 62

Zbl1002.94522

20.

Barreto

Kim

Bynn

Scott

Efficient algorithms for pairing-based cryptosystems

Advances in Cryptology—CRYPTO 2002: Proceedings of the 22nd Annual International Cryptology Conference Santa Barbara, California, USA, August 18–22, 2002 2002 2442

Berlin, Germany

Springer

354 368 Lecture Notes in Computer Science

10.1007/3-540-45708-9_23

21.

Wandert

A. S.

Gura

Eberle

Gupta

Shantz

S. C.

Energy analysis of public-key cryptography for wireless sensor networks

Proceedings of the 3rd IEEE International Conference on Pervasive Computing and Communications (PerCom ′05)

March 2005

Kauai Island, Hawaii, USA

324 328

2-s2.0-33646581008

22.

Intel Corp

Intel PXA255 processor electrical, mechanical, and thermal specification

http://www.intel.com/design/pca/applicationsprocessors/manuals/278780.htm

23.

Ren

Lou

Zeng

Moran

P. J.

On broadcast authentication in wireless sensor networks

IEEE Transactions on Wireless Communications 2007 6 11 4136 4144

2-s2.0-36248988077

10.1109/TWC.2007.060255