Sage Journals: Discover world-class research

Abstract

With the development of the wireless communication technologies, the wireless sensor networks (WSNs for short) are considered as one of the key research areas in healthcare systems. However, there is sometimes a need for removing bugs or adding new functionalities after WSNs are deployed. Wireless reprogramming is a process for propagating a new code image or relevant commands to sensor nodes in WSNs. In this paper, we propose a robust distributed reprogramming protocol of WSNs for healthcare systems, in which the security requirements are proved to be secure based on the elliptic curve discrete logarithm problem, such as existential unforgeability of signature for code image, authenticity of code image, freshness, and node compromised tolerance.

1. Introduction

Wireless sensor networks (WSNs for short) are spatially distributed sensors to gather physical or environmental information. The distributed sensors cooperate to pass their data through the network to a main location [1]. Recently, WSNs are considered as potential applications in providing high quality for healthcare services in recent years [2]. In healthcare applications, it may be necessary for removing bugs or adding new functionalities after WSNs are deployed. The reprogramming is an important operation function to propagate a new code image or relevant commands to sensor nodes in WSNs. However, an adversary may intercept or modify the transmitted messages in a WSN. Hence, it is critical to design a secure protocol for securely propagating a new code image or relevant commands to sensor nodes in WSNs.

In 2008, Das and Joshi [3] adopted orthogonality principle to design a protocol for dynamically updating sensor nodes in WSNs. A shared secret chosen by a base station has to be preinstalled on all sensor nodes before deploying them in a WSN, and the shared secret is used to validate a received advertisement message. After all sensor nodes accept a correct advertisement message, the sensor nodes dynamically update the shared secret. However, Zeng et al. [4] demonstrated that Das and Joshi's protocol is vulnerable to an impersonation attack. Assume that an adversary obtains the shared secret as he/she has compromised a sensor node. Then, the adversary can impersonate the base station to install his/her preferred program on sensor nodes by using the shared secret. Zeng et al. further proposed an improved scheme, but Wang et al. [5] pointed out that Zeng et al.'s proposed protocol [4] still suffers from an impersonation attack. In 2012, He et al. [6] showed that an adversary can impersonate a base station to install his/her preferred program on sensor nodes in a WSN, and further, the adversary can control the whole WSN. He et al. proposed two simple countermeasures which are formally validated by model checking. Soon afterwards, He et al. [7] proposed a secure and distributed reprogramming protocol (SDRP for short) based on an identity-based signature scheme in WSNs. In the SDRP, multiple authorized users are supported and each authorized user may have a different privilege for reprogramming sensor nodes. Subsequently, He et al. [8] and Yeo et al. [9] pointed out that there is a private key compromised problem in the SDRP, respectively. Furthermore, He et al. proposed an improved protocol based on Barreto et al.'s identity-based signature scheme [10]. In 2014, Shim [11] showed that He et al.'s improved protocol [8] is entirely broken and further proposed an improved protocol based on a pairing-free identity-based signature scheme. However, we find that Shim's proposed improved protocol is unworkable because the signature verification does not hold true. Among various secure protocols in WSNs [3–9, 11–24], most of the published reprogramming protocols [3, 6, 12–14, 16, 18, 20–23] are based on the centralized approach, which assumes the existence of a base station, and only the base station has the authority to reprogram sensor nodes. The centralized approach is not reliable in reality because of inefficiency, weak scalability, and vulnerability to potential attacks along the communication path [24].

Inspired from He et al.'s protocol [7], we adopt a short signature scheme to design a robust distributed reprogramming protocol of WNSs for healthcare applications. In the proposed protocol, each sensor node validates the received message by verifying the corresponding signature. The proposed protocol provides the following requirements. (1)

Existential unforgeability of signature for code image: any adversary cannot successfully forge a signature for any code image by mounting chosen-message attacks. That is, only authorized users can construct valid reprogramming packets.

(2)

Authenticity of code image: prior to the start of installation, a sensor node can verify the source of a code image.

(3)

Freshness: prior to the start of installation, a sensor node can confirm that the to-be-installed program is the newest version.

(4)

Node compromised tolerance: even though a sensor node is compromised, the compromised sensor node will not cause other uncompromised sensor nodes to violate authenticity of code image, integrity of code image, and freshness.

2. Overview of He et al.'s SDRP

In this section, we review the first proposed distributed reprogramming protocol (SDRP for short) proposed by He et al. [7]. The symbols used in the subsequent descriptions are listed as follows.

The Used Symbols and Descriptions

G: an additive group with an order q, where q is a large prime.

$G_{T}$ : a multiplicative group with an order q, where q is a large prime.

P: a generator in G.

q: a prime number.

$\hat{e}$ : a bilinear mapping function, defined as $\hat{e} : G \times G \to G_{T}$ .

s: a master key for a sensor network owner.

${P K}_{S N O}$ : a public key for a sensor network owner, where $P K_{S N O} = s \cdot P$ .

$H_{1}$ : a hash function defined as $H_{1} : {0,1}^{*} \to G$ .

$H_{2}$ : a hash function defined as $H_{2} : {0,1}^{*} \to Z_{q}^{*}$ .

$U_{j}$ : an authorized user.

$U {I D}_{j}$ : an identifier for $U_{j}$ , where $U {I D}_{j} \in {0,1}^{*}$ .

${Pri}_{j}$ : a privilege for $U_{j}$ .

${P K}_{j}$ : a public key for $U_{j}$ , where ${P K}_{j} = H_{1} (U {I D}_{j} ∥ {Pri}_{j}) \in G$ .

${SK}_{j}$ : a private key for $U_{j}$ , where ${SK}_{j} = s \cdot {P K}_{j}$ .

He et al.'s SDRP includes System Initialization Phase, User Preprocessing Phase, and Sensor Node Verification Phase, and there are three kinds of roles: Sensor Network Owner (SNO for short), Authorized User (AU for short), and Sensor Node (SN for short). The detailed descriptions of each phase are given in the following.

System Initialization. In this phase, a sensor network owner SNO first generates his/her own private/public key pair s/ $P K_{S N O}$ and system parameters. Then, SNO assigns the privilege to each authorized user AU and generates the corresponding key pair for AU. The detailed descriptions of all steps are shown as follows. (1)

Choose an additive group G and a multiplicative group $G_{T}$ , where G and $G_{T}$ have the same order q.

(2)

Generate a generator P for G.

(3)

Choose a bilinear mapping function $\hat{e}$ .

(4)

Randomly choose a master key $s \in Z_{q}^{*}$ .

(5)

Compute the corresponding public key $P K_{S N O} = s \cdot P$ .

(6)

Choose two secure one-way hash functions $H_{1}$ and $H_{2}$ .

(7)

Load the system parameters ${G, G_{T}, \hat{e}, q, P, P K_{S N O}, H_{1}, H_{2}}$ into the sensor nodes before deploying a sensor network.

(8)

Assign the privilege ${Pri}_{j}$ to each AU $U_{j}$ with an identifier $U {I D}_{j} \in {0,1}^{*}$ .

(9)

Generate the corresponding private/public key pair ${SK}_{j} / {P K}_{j}$ for each $U_{j}$ , where

\begin{matrix} {PK}_{j} = H_{1} (U {ID}_{j} ∥ {Pri}_{j}) \in G, \\ {SK}_{j} = s \cdot {PK}_{j} . \end{matrix}

(1)

(10)

Send ${{PK}_{j}, {SK}_{j}, {Pri}_{j}}$ to each $U_{j}$ via a secure channel.

User Preprocessing. Suppose that an AU $U_{j}$ attempts to construct new reprogramming packets. He/she has to sign the packets with his/her private key and then sends them to the sensor nodes. The $U_{j}$ performs the following tasks. (1)

Partition the code image into l pages with the fixed size.

(2)

Split the page i into n packets with the fixed sized, where $1 \leq i \leq l$ . Note that the n packets are denoted as $P k t_{i, 1}, A P k t_{i, 2}, \dots, P k t_{i, n}$ .

(3)

Compute the hashing value for each packet, where the hash value for each packet in the page i is appended to the corresponding packet in the page $i - 1$ .

(4)

Use the Merkle hash tree [25] for authenticating the hash values for the packets in page 1. The packets related to the Merkle hash tree are referred to in page 0. Suppose that m represent the root of the Merkle hash tree and the metadata about the code image.

(5)

Sign m to generate the signature $σ_{j}$ with his/her private key ${SK}_{j}$ :

\begin{matrix} σ_{j} = H_{2} (m) \cdot {SK}_{j} . \end{matrix}

(2)

(6)

Send ${U {I D}_{j}, {Pri}_{j}, m, σ_{j}}$ to the target sensor nodes as the notification for the new code image.

Sensor Node Verification. Upon receiving ${U {I D}_{j}, {Pri}_{j}, m, σ_{j}}$ , each sensor node SN has to verify the received messages prior to the start of installation as follows. (1)

Verify the legality for the privilege ${Pri}_{j}$ and the received messages. If both of them are valid, SN continues to perform Step (2); otherwise, SN rejects the messages.

(2)

Verify the signature by using SNO's public key:

\begin{matrix} \hat{e} (σ_{j}, P) = \hat{e} (H_{2} (m) \cdot H_{1} (U {ID}_{j} ∥ {Pri}_{j}), {PK}_{SNO}) . \end{matrix}

(3)

If the above equality holds,

σ_{j}

is the valid signature, and each SN accepts the received messages; otherwise, SN rejects the messages.

Security Analysis. According to He et al.'s [8] and Yeo et al.'s [9] analysis, He et al.'s SDRP [7] is vulnerable to a key compromise attack. Assume that $H_{2} (m)$ and q are coprime. An adversary can compute the inverse $H_{2} (m)^{- 1}$ and derive the private ${SK}_{j} = H_{2} (m)^{- 1} \cdot σ_{j}$ from the signature $σ_{j}$ , where $σ_{j} = H_{2} (m) \cdot {SK}_{j}$ . He et al.'s SDRP [7] cannot achieve the security requirements as they claimed.

3. Our Proposed Reprogramming Protocol for Healthcare Systems

The basic idea for our proposed protocol is that maintenance staffs responsible for maintaining different healthcare applications have to register with the sensor owner. Upon the successful registration, a staff receives a smart card storing authorized private key. Then, the staff can construct secure reprogramming packets to WSNs, whenever demanded. In order to assure the validity for the packets, the sensor nodes in WSNs have to verify the signature for the packets.

Our reprogramming protocol also consists of three phases: System Initialization, User Preprocessing, and Sensor Node Verification. The descriptions for System Initialization Phase in our proposed protocol are almost the same as ones in He et al.'s SDRP [7], but an extra one-way hash function $H_{3}$ is used in our protocol, where $H_{3} : G \to Z_{q}^{*}$ . The detailed descriptions for User Preprocessing and Sensor Node Verification are as follows.

User Preprocessing. Assume that an AU $U_{j}$ constructs the reprogramming packets, signs the packets with his/her own private key, and sends them to the sensor nodes. The steps from (1) to (4) for constructing reprogramming packets are the same as He et al.'s SDRP [7]. We also assume that the message m represents the root of the Merkle hash tree [25] and the metadata about the code image. Other steps for the $U_{j}$ are as follows. (5)

Choose a random number $r_{j} \in Z_{q}^{*}$ .

(6)

Compute $R_{j} = r_{j} \cdot P$ .

(7)

Generate the nonce $n_{j}$ .

(8)

Compute $S_{j}$ by using his/her private key ${SK}_{j}$ :

\begin{matrix} S_{j} = r_{j}^{- 1} (H_{1} (m ∥ n_{j}) + H_{3} (R_{j}) \cdot {SK}_{j}) . \end{matrix}

(4)

(9)

Send ${U {I D}_{j}, {Pri}_{j}, m, R_{j}, S_{j}}$ to the target sensor nodes as the notification for the new code image.

Sensor Node Verification. Upon receiving ${U {I D}_{j}, {Pri}_{j}, m, R_{j}, S_{j}}$ , each sensor node SN verifies the received messages to assure the validity prior to the start of installation. Detailed descriptions are as follows. (1)

Verify the legality for the privilege ${Pri}_{j}$ and the received message. If both of them are valid, SN continues to perform the next step; otherwise, SN rejects the received messages.

(2)

Verify the signature with the public key of the SNO and public system parameters:

\begin{matrix} \hat{e} (R_{j}, S_{j}) = \hat{e} (P, H_{1} (m ∥ n_{j})) \hat{e} {({PK}_{SNO}, Q)}^{H_{3} (R_{j})}, \end{matrix}

(5)

where

Q = H_{1} (U {ID}_{j} ∥ {Pri}_{j})

. If the above equality holds, the received signature

(R_{j}, S_{j})

is valid, and each SN accepts the received messages; otherwise, each SN rejects the received messages.

Correctness. According to the verification equation, each sensor node can verify if the signature $(R_{j}, S_{j})$ is valid:

\begin{matrix} \hat{e} (R_{j}, S_{j}) = \hat{e} (r_{j} \cdot P, r_{j}^{- 1} (H_{1} (m ∥ n_{j}) + H_{3} (R_{j}) \cdot {SK}_{j})) = \hat{e} (P, r_{j} r_{j}^{- 1} (H_{1} (m ∥ n_{j}) + H_{3} (R_{j}) \cdot {SK}_{j})) = \hat{e} (P, H_{1} (m ∥ n_{j}) + H_{3} (R_{j}) \cdot {SK}_{j}) = \hat{e} (P, H_{1} (m ∥ n_{j})) \hat{e} (P, H_{3} (R_{j}) \cdot {SK}_{j}) = \hat{e} (P, H_{1} (m ∥ n_{j})) \hat{e} {(P, {SK}_{j})}^{H_{3} (R_{j})} = \hat{e} (P, H_{1} (m ∥ n_{j})) \hat{e} {(P, s \cdot {PK}_{j})}^{H_{3} (R_{j})} = \hat{e} (P, H_{1} (m ∥ n_{j})) \hat{e} {(s \cdot P, {PK}_{j})}^{H_{3} (R_{j})} = \hat{e} (P, H_{1} (m ∥ n_{j})) \hat{e} {({PK}_{SNO}, {PK}_{j})}^{H_{3} (R_{j})} = \hat{e} (P, H_{1} (m ∥ n_{j})) \hat{e} {({PK}_{SNO}, Q)}^{H_{3} (R_{j})} . \end{matrix}

(6)

Note that

Q = H_{1} (U {I D}_{j} ∥ {Pri}_{j})

4. Security Analysis and Efficiency Comparison

Based on the elliptic curve discrete logarithm problem (ECDLP for short) [26, 27], the computation Diffie-Hellman problem (CDH for short) [28], the decisional Diffie-Hellman problem (DDH for short) [28], and the assumption of one-way hash function (OWHF for short) [29], we will analyze our reprogramming protocol and verify if it satisfies the security requirements: existential unforgeability of signature for code image, authenticity of code image, freshness, and node compromise tolerance. In addition, we will compare the computation costs in our proposed protocol with the ones in He et al.'s protocol [8]. The descriptions for the ECDLP, the CDH, the DDH, and the OWHF are as follows.

Definition 1 (elliptic curve discrete logarithm problem).

Let E be an elliptic curve defined over $G F (p)$ . Given $(P, Q)$ , determining an integer r such that $Q = r \cdot P$ is computationally infeasible, where $P, Q \in E$ the order of E is a large prime q, and $0 \leq r \leq q - 1$ .

Definition 2 (computation Diffie-Hellman problem).

Given $(P$ , $a \cdot P$ , $b \cdot P)$ , computing $a b \cdot P$ is computationally infeasible, where $P \in G_{1}$ and $a, b \in Z_{q}^{*}$ .

Definition 3 (decisional Diffie-Hellman problem).

Given $(P$ , $a \cdot P$ , $b \cdot P$ , $c \cdot P)$ , deciding if $c = a b$ is computationally infeasible, where $P \in G_{1}$ and $a, b, c \in Z_{q}^{*}$ .

Definition 4 (one-way hash function).

Let H be a one-way hash function. The input for H is a message m with an arbitrary length, and the output for H is a hashing value $H (m)$ with a fixed length. There are three properties. (1) Given $H (m)$ , deriving m is computationally infeasible. (2) Finding two different messages m and $m^{'}$ such that $H (m) = H (m^{'})$ is computationally infeasible. (3) There exists an efficient algorithm to compute $H (m)$ .

We give a formal definition for existential unforgeability of a signature for a code image under a chosen-message attack, which is based on the established notion of existential unforgeability against chosen-message attacks [30, 31]. The game between an adversary $A$ and a challenger $C$ is defined as follows.

S :given a security parameter k, the challenger $C$ first builds up a system parameter set π. Then, the $C$ generates a private/public key pair $(s, P K_{S N O})$ and a private/public key pair $({SK}_{j}, {P K}_{j})$ for each authorized user AU with an identifier $U_{j}$ . Finally, the adversary $A$ is given π, $P K_{S N O}$ , and ${P K}_{j}$ , and the private keys ${S K}_{j}$ and s are kept secret by the $C$ .

Q :the $A$ can submit various queries to the $C$ as follows.

(1)

$H_{1}$ queries: to respond to the $A$ 's queries, the $C$ maintains a ${l i s t}_{H_{1}}$ .

(2)

$H_{3}$ queries: to respond to the $A$ 's queries, the $C$ maintains a ${l i s t}_{H_{3}}$ .

(3)

Signature for code image: for requesting a signature $σ_{j}$ for a code image, the $A$ submits a message m and a public key ${P K}_{j}$ . Upon receiving the request, the $C$ computes the signature under the public key ${P K}_{j}$ and returns the result to $A$ .

F :

the $A$ outputs a signature $σ^{*}$ for a target message $m^{*}$ and the $A$ never submits the target message $m^{*}$ for requesting signature for code image. We can say that $A$ wins the game if the signature $σ^{*}$ is valid for the target $m^{*}$ .

Definition 5.

The proposed protocol is said to achieve existential unforgeability of signature for code image against chosen-message attacks if successful probability for any polynomially bounded adversary will be negligible in the above game.

Theorem 6.

The proposed protocol achieves existential unforgeability of signature for code image against chosen-message attacks in the random oracle model, assuming the hardness of the CDH problem.

Proof.

Assume that a polynomial-time algorithm $A$ can forge the signature under a chosen-message attack, and let $H_{1}$ and $H_{3}$ be random oracles in the simulation and the polynomial-time algorithm $A$ can make $q_{H_{1}}$ and $q_{H_{3}}$ queries to $H_{1}$ and $H_{3}$ , respectively.

We will show how to construct a polynomial-time algorithm β that solves the CDH problem by using the $A$ . Let $(P, a \cdot P, b \cdot P)$ be a random instance of the CDH problem. Computing $a b \cdot P$ is the goal for the β.

In the S phase, the algorithm β builds up a system parameter set $π = 〈q, G, G_{T}, \hat{e}, P, H_{1}, H_{3}〉$ , $I_{1} = a \cdot P$ , and $I_{2} = b \cdot P$ with a security parameter k. Then, the β generates a private/public key pair $(a, P K_{S N O})$ for the sensor network owner SNO and a private/public key pair $({S K}_{j}, {P K}_{j})$ for an authorized user $U_{j}$ , where $P K_{S N O} = a \cdot P$ and ${P K}_{j} = b \cdot P$ . Finally, the $A$ is given π, $P K_{S N O}$ , and ${P K}_{j}$ , and the private keys a and ${S K}_{j}$ are kept secret.

In the Q phase, the $A$ adaptively submits the following queries. (1)

$H_{1}$ queries: the β has to maintain a ${l i s t}_{H_{1}}$ storing $(m, n_{j}, h_{1, j})$ for responding to the $A$ 's queries. Upon receiving an $H_{1}$ query for any subdocument m, the β has to check if there is the tuple $(m, n_{j}, h_{1, j})$ in ${l i s t}_{H_{1}}$ . If it exits in ${l i s t}_{H_{1}}$ , the β returns $h_{1, j}$ and terminates the step; otherwise, the β generates a random number $h_{1, j} \in Z_{q}^{*}$ , returns it, and stores $(m, n_{j}, h_{1, j})$ in ${l i s t}_{H_{1}}$ .

(2)

$H_{3}$ queries: the β has to maintain a ${l i s t}_{H_{3}}$ storing $(r_{i}, R_{i}, h_{3, i})$ for responding to the $A$ 's queries. Upon receiving an $h_{3}$ query for any $R_{j}$ , the β checks if there is $(r_{j}, R_{j}, h_{3, j})$ in ${l i s t}_{H_{3}}$ . If the tuple exists in ${l i s t}_{H_{3}}$ , the β returns $h_{3, j}$ and terminates the step; otherwise, the β generates a random number $h_{3, j} \in Z_{q}^{*}$ , returns it, and stores $(r_{j}, R_{j}, h_{3, j})$ in ${l i s t}_{H_{3}}$ .

(3)

Signature for code image: the $A$ submits m to the β and requests a signature $σ_{j}$ . Upon receiving the request, the β simulates an $H_{1}$ oracle to get $(m, n_{j}, h_{1, j})$ and simulates an $H_{3}$ oracle to get $(r_{j}, R_{j}, h_{3, j})$ . After the simulation, the β generates a random bit $b_{j} \in {0,1}$ . If $b_{j} = 1$ , the β computes $S_{i}$ by using ${S K}_{j}$ and returns it; otherwise, the β randomly generates $S_{i}$ and returns it.

Let

ɛ^{'}

be the probability that the

A

successfully outputs a signature

σ_{j}^{*}

for a target

m_{j}^{*}

. We can say that the successful probability ɛ that β solves the CDH problem is greater than

ɛ^{'}

according to the above simulation. That is, the proposed protocol can achieve existential unforgeability of signature for code image.

Theorem 7.

The proposed protocol is said to achieve authenticity of code image if successful probability for any polynomially bounded adversary will be negligible.

Proof.

The source of a code image must be verified by a sensor node prior to the installation. Assume that an adversary attempts to construct reprogramming packets. Thus, a polynomial-time algorithm $A$ can simulate the following attacks: (1)

Given a SNO's public key $(a, P K_{S N O})$ , an AU $U_{j}$ 's identifier $U {I D}_{j} \in {0,1}^{*}$ , and the corresponding privilege ${Pri}_{j}$ , the polynomial-time algorithm $A$ attempts to output the private key ${S K}_{j}$ for the $U_{j}$ . First of all, the $A$ computes the $U_{j}$ 's public key ${P K}_{j} = H_{1} (U {I D}_{j} ∥ {Pri}_{j})$ . Then, the $A$ derives SNO's private key a from the public key $P K_{S N O} = a \cdot P$ . Finally, the $A$ outputs the $U_{j}$ 's private key ${S K}_{j} = s \cdot {P K}_{j}$ . However, the $A$ cannot successfully output the $U_{j}$ 's private key ${S K}_{j}$ because the $A$ cannot derive s from the public key $P K_{S N O} = a \cdot P$ assuming the hardness of the ECDLP.

(2)

Given a signature $(R_{j}, S_{j})$ , an AU $U_{j}$ 's identifier $U {I D}_{j} \in {0,1}^{*}$ , and the corresponding privilege ${P r i}_{j}$ , the polynomial-time algorithm $A$ attempts to output the $U_{j}$ 's private key ${S K}_{j}$ from the signature. First of all, the $A$ derives $r_{j}$ from $R_{j}$ . Then, the $A$ computes $r_{j} \cdot S_{j} = H_{1} (m ∥ n_{j}) + H_{3} (R_{j}) \cdot {S K}_{j}$ . Finally, the $A$ computes the inverse $H_{3} (R_{j})^{- 1}$ for $H_{3} (R_{j})$ and further outputs the private key ${S K}_{j}$ . However, the $A$ cannot successfully output the $U_{j}$ 's private key ${S K}_{j}$ because the $A$ cannot derive $r_{j}$ from $R_{j}$ due to the ECDLP.

According to the above analysis, the successful probability for the polynomial-time algorithm

A

cannot successfully be negligible. That is, any adversary cannot successfully impersonate the

U_{j}

to construct new reprogramming packets in the proposed protocol.

Theorem 8.

The proposed protocol is said to achieve freshness if successful probability for any polynomially bounded adversary will be negligible.

Proof.

In the simulation, a polynomial-time algorithm $A$ can obtain the same messages shown in Theorem 6. Given a nonce $n_{j}^{*}$ , the $A$ cannot successfully output another nonce $n_{j}^{'}$ such that $H_{1} (m ∥ n_{j}^{*}) = H_{1} (m ∥ n_{j}^{'})$ due to the assumption of the OWHF. That is, the nonce $n_{j}$ in the proposed protocol is used to ensure freshness.

Theorem 9.

The proposed protocol is said to achieve node compromise tolerance if successful probability for any polynomially bounded adversary will be negligible.

Proof.

Upon compromising a sensor node, a polynomial-time algorithm $A$ can obtain the system parameters ${G, G_{T}, \hat{e}, q, P, P K_{S N O}, H_{1}, H_{3}}$ . Further, the polynomial-time algorithm $A$ can submit the same queries shown in Theorem 6. According to the above analysis, the $A$ cannot cause an uncompromised node to violate the aforementioned security requirements.

In 2012, Gouvêa et al. [32] present a software implementation for an elliptic curve cryptosystem and a pairing-based cryptosystem for the MSP430 microcontroller family, which is used in wireless sensor nodes. That is, it is practical for the pairing computation using wireless sensor nodes. Further, we do not consider the time for computing a hashing value. The descriptions of symbols for different operations are shown as follows.

The Symbols for Different Operations.

$T_{e x e}$ : the time for computing a modular exponential operation.

$T_{m u l}$ : the time for computing a modular multiplication operation.

$T_{i n v}$ : the time for computing an inverse operation.

$T_{e c m}$ : the time for computing an elliptic curve multiplication operation.

$T_{e c a}$ : the time for computing an elliptic curve addition operation.

$T_{p a i r i n g}$ : the time for computing a bilinear function.

In the following, we will compare the computation costs in our proposed protocol with ones in He et al.'s protocol [8]. From Table 1, we can see that our proposed protocol is slightly outperformed and achieves additional security requirements, which is lack of in He et al.'s protocol [8].

Table 1

Computation comparisons.

	He et al.'s protocol [8]	Our protocol
User preprocessing	$T_{e x e} + T_{e c m}$	$T_{i n v} + 3 T_{e c m}$
Sensor node verification	$T_{e x e}$ + $T_{m u l}$ + $T_{e c m} + T_{e c a}$ + $T_{p a i r i n g}$	$T_{e x e} + 3 T_{p a i r i n g}$

5. Conclusions

We propose a robust distributed reprogramming protocol providing existential unforgeability of signature for code image, authenticity of code image, freshness, and node compromised tolerance. The proposed protocol is applicable to healthcare systems, in which maintenance staffs responsible for maintaining different healthcare applications can construct secure reprogramming packets to WSNs, and the sensor nodes in WSNs can ensure the validity of the constructed packets. Considering the resource limitation of sensor node in WSNs, our future work is to design a lightweight distributed reprogramming protocol in WSNs.

Footnotes

Conflict of Interests

The author declares that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This work was supported in part by Taiwan Information Security Center (TWISC), Ministry of Science and Technology (MOST), under the grants 103-2221-E-146-005-MY2 and 103-2221-E-011-090-MY2.

References

Akyildiz

I. F.

Kasimoglu

I. H.

Wireless sensor and actor networks: research challenges

Ad Hoc Networks 2004 2 4 351 367

10.1016/j.adhoc.2004.04.003

2-s2.0-5444275208

Alemdar

Ersoy

Wireless sensor networks for healthcare: a survey

Computer Networks 2010 54 15 2688 2710

10.1016/j.comnet.2010.05.003

2-s2.0-77956882701

Das

M. L.

Joshi

Dynamic program update in wireless sensor networks using orthogonality principle

IEEE Communications Letters 2008 12 6 471 473

10.1109/LCOMM.2008.080213

2-s2.0-46349092626

Zeng

Cao

Choo

K.-K. R.

Wang

Security weakness in a dynamic program update protocol for wireless sensor networks

IEEE Communications Letters 2009 13 6 426 428

10.1109/lcomm.2009.082215

2-s2.0-67650672499

Wang

Security analysis of a dynamic program update protocol for wireless sensor networks

IEEE Communications Letters 2010 14 8 782 784

10.1109/lcomm.2010.08.100406

2-s2.0-77955613096

Chan

Chen

Secure and efficient dynamic program update in wireless sensor networks

Security and Communication Networks 2012 5 7 823 830

10.1002/sec.377

2-s2.0-84862644376

Chen

Chan

SDRP: a secure and distributed reprogramming protocol for wireless sensor networks

IEEE Transactions on Industrial Electronics 2012 59 11 4155 4163

10.1109/tie.2011.2178214

2-s2.0-84861445209

Chen

Chan

Yang

L. T.

Security analysis and improvement of a secure and distributed reprogramming protocol for wireless sensor networks

IEEE Transactions on Industrial Electronics 2013 60 11 5348 5354

10.1109/tie.2012.2218562

2-s2.0-84879121354

Yeo

S. L.

Yap

W.-S.

Liu

J. K.

Henricksen

Comments on analysis and improvement of a secure and efficient handover authentication based on bilinear pairing functions

IEEE Communications Letters 2013 17 8 1521 1523

10.1109/lcomm.2013.052013.130642

2-s2.0-84883051753

10.

Barreto

P. S. L. M.

Libert

McCullagh

Quisquater

J.-J.

Efficient and provably-secure identity-based signatures and signcryption from bilinear maps

Advances in Cryptology—ASIACRYPT 2005 2005 3788

Berlin, Germany

Springer

515 532 Lecture Notes in Computer Science

10.1007/11593447_28

11.

Shim

K.-A.

S²DRP: secure implementations of distributed reprogramming protocol for wireless sensor networks

Ad Hoc Networks 2014 19 1 8

10.1016/j.adhoc.2014.01.011

2-s2.0-84901244949

12.

Bui

Ugus

Dissegna

Rossi

Zorzi

An integrated system for secure code distribution in wireless sensor networks

Proceedings of the 8th IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM '10)

April 2010

Mannheim, Germany

575 581

10.1109/percomw.2010.5470503

2-s2.0-77953972500

13.

Doh

Lim

Chae

Code updates based on minimal backbone and group key management for secure sensor networks

Mathematical and Computer Modelling 2013 57 11-12 2801 2813

10.1016/j.mcm.2012.04.001

MR3068772

ZBL1286.94007

2-s2.0-84892522762

14.

Dutta

P. K.

Hui

J. W.

Chu

D. C.

Culler

D. E.

Securing the deluge network programming system

Proceedings of the 5th International Conference on Information Processing in Sensor Networks (IPSN '06)

April 2006

Nashville, Tenn, USA

326 333

10.1145/1127777.1127826

2-s2.0-34247376029

15.

Kumar

Chen

Lee

C.-C.

Chilamkurti

Yeo

S.-S.

Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks

Multimedia Systems 2015 21 1 49 60

10.1007/s00530-013-0346-9

2-s2.0-84922001116

16.

Hyun

Ning

Liu

Seluge: secure and DoS-resistant code dissemination in wireless sensor networks

Proceedings of the 7th International Conference on Information Processing in Sensor Networks (IPSN '08)

2008

St. Louis, Mo, USA

445 456

17.

Kumar

Lee

S.-G.

Lee

H.-J.

E-SAP: efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks

Sensors 2012 12 2 1625 1647

10.3390/s120201625

2-s2.0-84863271667

18.

Law

Y. W.

Zhang

Jin

Palaniswami

Havinga

Secure rateless deluge: pollution-resistant reprogramming and data dissemination for wireless sensor networks

EURASIP Journal on Wireless Communications and Networking 2011 2011 22

685219

10.1155/2011/685219

2-s2.0-78249233570

19.

Niu

Kumari

Liao

Liang

Khan

M. K.

A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity

Security and Communication Networks 2015

10.1002/sec.1214

20.

Lim

C. H.

Secure code dissemination and remote image management using short-lived signatures in WSNs

IEEE Communications Letters 2011 15 4 362 364

10.1109/lcomm.2011.012511.102146

2-s2.0-79954630985

21.

Luo

R. C.

Chen

Mobile sensor node deployment and asynchronous power management for wireless sensor networks

IEEE Transactions on Industrial Electronics 2012 59 5 2377 2385

10.1109/TIE.2011.2167889

2-s2.0-84857009260

22.

De La Parra

C. F. C.

Garcia-Macias

J. A.

A protocol for secure and energy-aware reprogramming in WSN

Proceedings of the ACM International Wireless Communications and Mobile Computing Conference (IWCMC '09)

June 2009

Leipzig, Germany

292 297

10.1145/1582379.1582443

2-s2.0-70450273270

23.

Tan

Zic

Jha

S. K.

Ostry

Secure multihop network programming with multiple one-way key chains

IEEE Transactions on Mobile Computing 2011 10 1 16 31

10.1109/tmc.2010.140

2-s2.0-84879075682

24.

Zhang

Ren

DP²AC: distributed privacy-preserving access control in sensor networks

Proceedings of the 28th Conference on Computer Communications (INFOCOM '09)

April 2009

Rio de Janeiro, Brazil

IEEE

1251 1259

10.1109/infcom.2009.5062039

2-s2.0-70349658629

25.

Merkle

R. C.

Protocols for public key cryptosystems

Proceedings of the IEEE Symposium on Security and Privacy (SP '80)

April 1980

Oakland, Calif, USA

122 134

10.1109/sp.1980.10006

2-s2.0-84920380941

26.

Blake

Seroussi

Smart

Elliptic Curves in Cryptography 1999

Cambridge, UK

Cambridge University Press

London Mathematical Society Lecture Note Series

27.

Menezes

Elliptic Curve Public Key Cryptosystems 1993

Norwell, Mass, USA

Kluwer Academic

10.1007/978-1-4615-3198-2

MR1700718

28.

Boneh

Lynn

Shacham

Short signatures from the weil pairing

Advances in Cryptology—ASIACRYPT 2001 2001 2248

Berlin, Germany

Springer

514 532 Lecture Notes in Computer Science

10.1007/3-540-45682-1_30

29.

Schneier

Applied Cryptography: Protocols, Algorithms, and Source Code in C 1996 2nd

New York, NY, USA

John Wiley & Sons

30.

Goldwasser

Micali

Rivest

R. L.

A digital signature scheme secure against adaptive chosen-message attacks

SIAM Journal on Computing 1988 17 2 281 308

10.1137/0217017

MR935341

2-s2.0-0023985465

31.

Pointcheval

Stern

Security arguments for digital signatures and blind signatures

Journal of Cryptology 2000 13 3 361 396

10.1007/S001450010003

ZBL1025.94015

2-s2.0-0000901529

32.

Gouvêa

C. P. L.

Oliveira

L. B.

López

Efficient software implementation of public-key cryptography on sensor networks using the MSP430X microcontroller

Journal of Cryptographic Engineering 2012 2 1 19 29

10.1007/s13389-012-0029-z

2-s2.0-84866035505

Robust Distributed Reprogramming Protocol of Wireless Sensor Networks for Healthcare Systems

Abstract

1. Introduction

2. Overview of He et al.'s SDRP

3. Our Proposed Reprogramming Protocol for Healthcare Systems

4. Security Analysis and Efficiency Comparison

Definition 1 (elliptic curve discrete logarithm problem).

Definition 2 (computation Diffie-Hellman problem).

Definition 3 (decisional Diffie-Hellman problem).

Definition 4 (one-way hash function).

Definition 5.

Theorem 6.

Proof.

Theorem 7.

Proof.

Theorem 8.

Proof.

Theorem 9.

Proof.

5. Conclusions

Footnotes

Conflict of Interests

Acknowledgment

References