Sage Journals: Discover world-class research

Abstract

In body sensor networks, both wearable and implantable biosensors are deployed in a patient body to monitor and collect patient health record information. The health record information is then transmitted toward the medical server via a base station for analysis, diagnosis, and treatment by medical experts. Advancement in wireless technology although improves the patient health–monitoring mechanism, but still there are some limitations regarding security, privacy, and efficiency due to open wireless channel and limited resources of body sensor networks. To overcome these limitations, we have proposed an efficient and secure heterogeneous scheme for body sensor networks, in which biosensor nodes use a certificate-less cryptography environment to resolve the key escrow and certificate-management problems, while MS uses a public key infrastructure environment to enhance the scalability of the networks. Furthermore, we design an online/offline signcryption method to overcome the burden on biosensor nodes. We split the signcryption process into two phases: offline phase and online phase. In the offline phase, the major operations are computed without prior knowledge of patient data. While in online phase, the minor operations are computed when patient data are known. Besides, we have used a new hybrid blockchain technology approach for the secure transmission of patient information along with attributes stored in the medical server toward the cloud that provides ease of patient data access remotely from anywhere by the authorized users and data backup in case of medical server failure. Moreover, hybrid blockchain provides advantages of interoperability, transparency traceability, and universal access. The formal security analysis of the proposed scheme is proved in the standard model, and informal security assures that our scheme provides resistance against possible attacks. As compared to other existing schemes, our proposed scheme consumes fewer resources and efficient in terms of processing cost, transmission overhead, and energy consumption.

Keywords

Body sensor networks security certificate-less cryptosystem online/offline signcryption blockchain public key infrastructure advanced encryption standard

Introduction

Body sensor networks (BSNs) are a special type of wireless sensor networks (WSNs) composed of tiny biosensor nodes deployed inside or outside a patient’s body to sense their physiological vital signs, that is, electrocardiogram (ECG), electroencephalogram (EEG), blood pressure (BP), electromyography (EMG), respiratory rate, temperature, and oxygen level in a blood, and then securely transmitted these vital signs to a medical server (MS) through a base station (BS) for further data analysis and treatment. Moreover, a patient can be monitored in real-time or non-real-time basis remotely from the hospital. In signcryption, the function of encryption and signature are performed in one single logical step. It provides 50% processing efficiency and 76.8%–96.0% less transmission efficiency as compared to EI-Gamal encryption and digital signature standard (DSS).¹ Due to cost efficiency, it is suitable in resource-constrained environments, that is, BSNs, electronic and mobile commerce, satellite communication, and mobile ad hoc network (MANET). The concept of blockchain was introduced for bitcoin in 2009 by Satoshi Nakamoto; with high security, the blockchain is spread rapidly in different areas like medical, Internet of Things (IoT), smart grid, electronic voting, and WSNs. Blockchain is a peer-to-peer decentralized distributed network and a secure technology system which protects patient data from the alteration of adversaries.² In a blockchain, multiple blocks of data are connected to make a chain of blocks and create encoded digital ledger for each transaction to store patient complete data and related information in a well-organized and a systematic way for future reference and analysis. Patient data stored on a server can be compromised, so the blockchain provides you the rights to control the access to the digital ledger and only the legitimate users can access the patient information, and no one can change the data of a block easily because the hash value of each block is stored in the next block along with the current block hash value and time stamp $(T_{S})$ . Valid users add new information in a block, so it is synchronized with each other and provides efficient security and privacy. Illegal users cannot add incorrect data in a block of chain easily because the blockchain technology is a writing-once and append-only system. Only an authentic user can change the block information and has access rights to the ledger. Blockchain provides better security and privacy to the patient data stored in the blocks, and we can check the correctness of patient data using hash and proof of works $(PoW)$ . Both bitcoin and Ethereum are public blockchains that have been commonly implemented in practice.³ In recent times, due to the distributed nature, along with the lack of a third-party, blockchain technologies have achieved a protuberant reputation in the electronic healthcare system.^4,5 We reviewed many relevant recent research results and determine that the security, privacy, and efficiency of smart health data have not been adequately addressed. The motivation regarding the use of hybrid blockchain technology in BSNs is that in the traditional system, the data of the patient are only stored on a single location such as the target hospital or the MS. The traditional approach suffers from certain issues and problems such as (1) monopoly problem, (2) vulnerability problem, (3) privacy problem, and (4) integrity problem.² In a monopoly problem, when the data of a patient are needed to be transferred to other locations, some hospitals are reluctant to share such type of data for the sake of interest. In a vulnerability problem, there is a chance of loss of patient data because it is stored in a single location. In a privacy problem, the hospital may disclose the data of a patient to some other persons or organization for commercial purposes or benefits without prior knowledge of the patient. In an integrity problem, the hospital management can make changes in the data of patient for their benefits. Our proposed hybrid blockchain technology not only overcomes the aforementioned problems but also provides the advantages of interoperability, integrity, security, traceability, and universal access. Therefore, in our scheme, we will use the concept of hybrid blockchain technology because it uses the best futures of two well-known blockchain technologies: private blockchain and public blockchain. A public blockchain is further divided into two major types: (1) bitcoin blockchain, which is commonly used for a smart payment mechanism and (2) Ethereum blockchain, which is commonly used for smart contract and other such type of services. In our scheme, for confidential and private data of the patient and online payment transactions, private blockchain technology will be used. Similarly, for the general information of a patient, public blockchain technology will be used. In the case of a public blockchain, general payments and transactions are made through bitcoin blockchain technology, and for a smart contract or agreement between the user and the service provider, the Ethereum blockchain technology is used. In our proposed heterogeneous scheme, biosensor nodes which are deployed on a patient body can reside in a certificate-less cryptography (CLC) environment, while MS resides in a public key infrastructure (PKI) environment. Moreover, in this article, online/offline signcryption algorithm reduces the computational burden on biosensor nodes where heavy operations are computed using offline method, and minor operations, such as addition, subtraction, and XOR, are performed by using the online method. Furthermore, our hybrid blockchain enhances the security and privacy of patient-streamed sensitive medical information. Our scheme is suitable for resource-constrained environment of BSNs, which consumes fewer resources and provides a higher degree of security and privacy along with efficiency. Our scheme fulfills the security properties of confidentiality, integrity, authentication, and non-repudiation as well as provides facilities that the communicating nodes can access the encoded messages by their attributes as an alternative of identities.

Literature review

Security and privacy of patient-related data are two indispensable components in BSNs. Security means that data are securely stored and transferred, and privacy means that the people who have authorization can access, view, and use the data.⁶ Generally, attributes are used for identity purposes. In a BSN environment, attributes mean vital signs of human body such as BP, temperature, respiration rate, pulse, and oxygen saturation. Each attribute is associated with a private and a public key component such that, only the user holding those attributes will be able to decrypt the data encrypted under those attributes. Sahai and Waters⁷ introduced the concept of attribute-based encryption (ABE) for the first time. In which encryption and decryption of data are performed using a set of attributes for secure communication among different parties. Only that users can access the data which attribute of the public key is corresponding with master key. No need to obtain the certificate for authenticity of public keys.

Limitation:

High computational cost (encryption and key generation).

Scalability.

Goyal et al.⁸ proposed and used a novel concept called the key policy attribute-based encryption (KP-ABE). In this study, the encrypted data are related to a set of predefined attributes. Access tree is used here to define the user access strategy and is also responsible for generating private keys to decrypt the encrypted data; however, only users with attributes satisfy the key’s access tree can decrypt the encrypted data. This proposed scheme consists of four ciphers: setup, encryption, key generation, and decryption.

Limitation:

Less control over the encryption policy.

Ramya et al.⁹ proposed a novel and efficient framework (secure and privacy-preserving opportunistic computing (SPOC)) along with centric user privacy that enhanced the security and privacy of patient-sensitive information using attribute-based technique and overcame the challenges that occur especially in patient emergency situation. Moreover, using the privacy-preserving scalar product computation (PPSPC) method, the patient can decide who can get access to the patient-sensitive information and protect the stored patient data from adversary’s attacks. Bianchi et al.¹⁰ proposed a novel Access control for GREEn wireless sensor network (AGREE) base-distributed data approach is developed for assigning different data-access rights to multiple users based on ciphertext-policy attribute-based encryption (CP-ABE). The proposed access policy in this study is dynamic, which overcomes the problems of single authority failure.

Limitation:

Security weakness due to data sharing.

Bethencourt et al.¹¹ used the CP-ABE approach for data authorization, where data-access rights are hidden in the encoded message itself.

Limitation:

Computationally inefficient on resource-constrained environment.

High-energy-consuming technique.

Hur¹² only concentrates how to protect illegal access to the nodes and they do not think about the privacy of critical data-access process. If we apply the attribute base heterogeneous signcryption primitives to Hur,¹² it will achieve efficient access control over the data. Ren et al.¹³ emphasized two major security challenges of wireless body area network (WBAN): unauthorized access and tempering of patient’s vital signs. To overcome these issues, the concept of blockchain is used to protect patient data from alteration in this study, while sequential aggregate signature scheme with a designated verifier (DVSSA) method can be used to avoid the illegal access of patient’s vital signs. Moreover, compression of data resolved the small storage problem of blockchain. Tian et al.¹⁴ designed a novel scheme based on ABE for BSNs security, in which each user decrypts the encoded message if and only if its secrete key is matched with the predefined attribute access design. The users can be revoked if necessary.

Limitation:

Maximum communication overhead.

High memory usage.

Han et al.¹⁵ proposed a new method to improve the security and privacy of data based on (privacy-preserving decentralized ciphertext-policy attribute-based encryption (PPDCP-ABE)). Each authority can work independently and provide keys to each user for confidential forwarding of data to a sink node. It provides a stronger privacy protection and avoids the flaws of centralized approach, such as, performance bottleneck and security vulnerabilities.

Limitation:

Complex and difficult key management.

Zavattoni et al.¹⁶ introduced a new protocol for securing of data based on ABE bilinear pairings. In this study, a set of users attributes is specified in advance to protect patient data from illegal usage.

Limitation:

More energy consumption.

Tan et al.¹⁷ used a secure data-transmission method based on KP-ABE for forwarding confidential information from biosensor nodes to a sink node.

Limitation:

Scheme cannot provide authenticity of the users.

Hohenberger and Waters¹⁸ proposed new approach online/offline ABE, which overcomes high computational costs problem (encryption and key generation) of ABE. The proposed scheme comprises two phases: online phase and offline phase. Costly operations are computed in the offline phase, and other minor operations are computed in the online phase. It is suitable in BSNs environments. Liu et al.¹⁹ proposed a new protocol for authentication based on a certificate-less signature scheme. The scheme provides anonymous communication among source and destination.

Limitation:

High processing cost.

Key revocation problem.

Tan et al.²⁰ proposed the identity-based encryption (IBE) for secure communication of patient medical data to destination in the BSNs environments.

Limitation:

Cannot provide non-repudiation property.

High processing cost.

Key escrow problem.

In Yu et al.’s²¹ study, the sensor nodes encrypt the data using the identity attributes which are not owned by the revoked users. Therefore, only the non-revoked users can decrypt the data, this enhanced the security.

Limitation:

Required high memory for storage of encoded data

In ABE,¹⁶ all those attributes which are used for creating a secret key generation are managed by a central authority (CA), in case the patient shifts from one hospital to another hospital for special tests like electronic medical record (EMR) to diagnose patient data. So the doctor of the other hospital cannot read all secret data of that patient but only read some of them. Jin et al.²² highlighted various blockchain-based security and privacy approaches, for example, public and consortium blockchains, for secure sharing of patient medical record using a public network. Furthermore, the advantages and disadvantages of each blockchain-based approach are also presented. Li et al.²³ proposed a novel technique for data-access control. In this study, personal data of human are stored in the cloud in an encoded format using ABE.

Limitation:

Key-management problem.

Hu et al.²⁴ used a novel concept for securing the patient data in BSNs based on fuzzy attribute-based signcryption (FABSC). This scheme is suffering with security weakness.

Limitation:

Insecure in their defined security model.

Indistinguishability chosen ciphertext attack (IND-CCA).

Chatterjee and Das²⁵ developed a new security technique based on elliptic-curve cryptography (ECC) for authentication and access control under WBAN environments. After completion of a successful authentication, a unique secret session key is developed for communication between a particular sensor node and a user. In this study, the user can easily change the password without interacting to BS, and the scheme provides scalability property. Here, the AVISPA tool is used for proving security against various attacks. Li et al.²⁶ proposed the concept of secure storage and data-access control in WBANs and summarized the methods of secure and privacy protection, but this article did not analyze and compare the energy consumption. Garg et al.²⁷ proposed the construction of ABE for general circuits based on existence multilinear maps. This study used the bilinear decisional Diffie–Hellman (BDDH) assumption to prove its security. Both variants (KP-ABE and CP-ABE) of the ABE are used here.

Limitation:

Platform dependency.

High computation cost and communication overhead.

The rapid growth of technologies, especially in the field of cloud computing and IoT, enhanced the quality of patient healthcare. But still, smart health suffers due to data security and privacy problems. To improve the patient data security and privacy, Zhang et al.²⁸ proposed the CP-ABE method. In this study, the authors claimed that privacy aware smart health (PASH) is a secure standard model and provides efficient results than previous techniques. Due to fast development of ABE, the identity-based signature (IBS) notation was also extended and the concept of ABS is introduced. In an ABS concept, the private key of signer, along with a special signing predicate, is used to compute the signature of any data, and after that, the verifier can only verify that the signer’s attributes fulfill the signing predicate and cannot get any information related to the signer attributes. The concept of ABS was first introduced by Maji et al.²⁹ Subsequently, numerous ABS studies^30–32 were developed in the literature for secure communication. To enhance the security of WBANs, various studies^33–37 based on CLC were proposed in the literature but still require improvements to reduce the processing cost and transmission overhead and increase the security of overall networks. Zhang et al.³⁸ proposed a novel, efficient, and secure revocable certificate-less signature (RCLS) for the cloud-based industrial Internet of Things (IIoT). In this study, the authors also address the current issues of IIoT and claimed that Karati et al.’s³⁹ study does not satisfy the basic security properties of data authenticity and untrustworthiness of third parties. The method proposed by Zheng¹ needs public channel and security against attacks in the standard model. Liu et al.⁴⁰ proposed a novel concept which securely stored the patient health record (PHR) in cloud environments based on ciphertext-policy attribute-based signcryption (CP-ABSC). This study fulfills the basic security parameter of cryptography and reduces cost. It still has a chance to improve it in BSNs environments. Han et al.⁴¹ proposed the attribute-based signcryption (ABSC) with non-monotonic access structures and fixed length encoded message, in which AND and OR logic gates with extra parameters are used for defining the access tree. The scheme reduces the cost with respect to pervious schemes presented in the literature. Rajput et al.⁴² proposed a novel and efficient framework called the emergency access-control management system (EACMS) based on consortium blockchain to overcome the problems of traditional emergency system, that is, in emergency case, consent from medical officers to access his or her sensitive medical information. Moreover, it also describes the rules based on smart contract to efficiently control the situation in case of medical emergency and set the duration of time to protect the patient’s personal information from adversary’s attacks. The research on ABSC is still a new area, so we propose new ABSC scheme along with blockchain technology with fixed-size encoded text that consumes less resources and provides higher degree of security and privacy. Furthermore, we improve the overall efficiency of the BSNs to prolong the patient life. To secure the BSNs environment, various techniques are presented in the literature based on IBE, CLC, ABE, ABS, and ABSC. However, all these approaches are insecure in their security as well as inefficient in processing cost and transmission overhead. Our proposed scheme is suitable for resource-constrained environment of BSNs. There are three types of signcryption according to the public key cryptosystem: PKI signcryption, iD-based signcryption, and certificate-less signcryption. PKI is mostly used for the security of a large network, that is, the Internet. Numerous effective PKI-based signcryption schemes are available in the literature.^43,44 In PKI base scheme, several entities are involved, such as, registration authority, certificate authority, verification authority, and certificate revocation list. PKI basically used for authenticity of public keys among sender and receiving nodes. Therefore, the PKI approach is not suitable for resource-constrained environment, that is, BSNs, because certificate distribution and revocation are heavy processes which consume a lot of system resources. To overcome the certificate-management problem of PKI, several iD-based signcryption schemes were proposed.^45–49 In these schemes, users send request for obtaining private keys to third-party called private key generator (PKG). The sender request contains ID, phone number, and email when it reaches the PKG, after which the PKG generates private keys for a secure communication using a master secret key and other system parameters which are already stored in the PKG. ID-based signcryption provides authenticity of public keys without using certificates, but these schemes still suffered from key escrow problem because all private keys are generated by PKG; therefore, if someone compromises the PKG, the overall security of the system will be compromised. Researchers have now overcome the key escrow and certificate-management problems using certificate-less signcryption. Oliveira et al.⁵⁰ proposed a secure technique using blockchain technology to enhance the security and privacy of the patient’s EMRs and made sure of the availability of sensitive vital signs. Moreover, the patient’s encoded EMRs can be transmitted in the blockchain. In this study, the patient only distributed the secret keys for data decryption among trustable professional medical staff to avoid the any illegal activities and improve the overall performance of the networks. Using simulation results proved that the proposed scheme satisfied the scalability property. Some schemes based on certificate-less signcryption were proposed in previous studies.^51–55 In these schemes, the user’s full private key will be generated from two parts: one part generated by a third-party called key generator center (KGC) and the second part generated by the user itself. As a result, certificate-less signcryption is the optimal solution for resource-constrained environment of BSNs. The idea of online/offline scheme was first introduced by Even et al.⁵⁶ In this study, any signature is transformed into two sub-phases called online and offline phases. Mostly complex and heavy operations are done in offline phase before a data or message is known. In an online phase, all minor operation is performed using pre-computation of offline phase and the data to generate signature. An et al.⁵⁷ proposed the concept of online/offline signcryption in this study to combine the concept of encryption and signature for data confidentiality and data integrity. As a result, online/offline signcryption is a very optimal solution for resource-constrained environment of BSNs, cell phone, smart card, and radio-frequency identification (RFID). Powerful devices can compute the complex and heavy operation in offline phase and minimize load on resource-constrained devices. As a result, signcryption can process data in minimum time using pre-computation. A lot of schemes published in the literature based on online/offline signcryption mostly involve PKI online/offline signcryption schemes.^58–60 Thwin and Vasupongayya⁶¹ used the concept of blockchain along with proxy re-encryption method for secure transmission of personal health information (vital signs) and to overcome the issues of network performance, privacy and security, sensor-storage limitation, revocation of consent, and scalability. It is secure against adversary’s attacks. Kuo et al.⁶² highlighted the blockchain applications as well as advantages in the field of biomedical and patient healthcare system. It compared the traditional distributed system with blockchain concept and claim that blockchain is a suitable choice to improve the security and privacy of patient’s medical records. We also found the certificate-less online/offline signcryption schemes used by Li et al.⁶³ and Luo et al.⁶⁴ All these schemes are homogeneous (same environment), which mean that the sensitive data of sender and receiver belong to same environment. Li et al.⁵⁴ and Lai et al.⁶⁵ published few studies on online/offline signcryption methods. In this study, all the complex operation is removed in the online part. Lai and colleagues^65,66 proposed the iD-based signcryption which suffers from key escrow problem as well as a lack of scalability on the server side. Sun and Li⁶⁷ published two different domains based on heterogeneous signcryption. In the first domain, the sender belongs to a PKI-based signcryption and the receiver belongs to an iD-based signcryption, while in the second domain, the sender belongs to the iD-based signcryption and the receiver belongs to the PKI-based signcryption and exchange data with each other. However, both aforementioned domains are not feasible for resource-constrained environments. In addition, both domains only protect the insider attacks and not the outsider attacks.⁵⁷ Huang et al.⁶⁸ proposed a heterogeneous signcryption, in which the sender belongs to an iD-based signcryption that sends data to the receiver of a PKI-based signcryption. In this study, the sender side suffers from key escrow problem. Li et al.⁶⁹ proposed a heterogeneous signcryption which overcomes the problems of methods proposed by Sun and Li⁶⁷ and Huang et al.⁶⁸ In this study, data are sent though certificate-less signcryption which is used in WSNs to PKI-based signcryption. All three studies^67–69 are not recommended for tiny devices which have less computational power memory and less energy. They have more computational cost for signcrypting a message. We proposed a novel efficient and secure attribute-based heterogeneous online/offline signcryption scheme for BSNs using hybrid blockchain technology which is suitable for resource-constrained environments. In our proposed scheme, certificate-less signcryption is used in the biosensor side to remove the certificate-management and key escrow problems. In addition, our scheme uses the concept of online/offline method to overcome the computational burden on tiny biosensor nodes. Moreover, in our proposed scheme, we implement the PKI-based signcryption in the MS to improve the performance of scalability. PKI-based signcryption is a suitable choice for maintaining a large network, that is, the Internet. To improve the security and privacy of patient’s vital signs, we use the concept of hybrid blockchain. One of the best features of blockchain is to remove the centralized management. Blockchain used peer-to-peer network, which means the user of blockchain (users in network) have a copy of entire blocks, and if a new block is created, the block is distributed through the entire network, and each node receives the copy of a new created block. Moreover, each node verifies whether the block is a legitimate block or not. If the block is fake, it is marked as invalid. Blockchain is a distributed database which stores the records and these records are called blocks. Every block of blockchain contains data, hash of the block, and previous block hash. If data are stored in blocks, then a one-way hash function is performed on these blocks, through the hash these blocks are interconnected with each other. If someone wants to introduce a fake block into the blockchain, then they need to change every node of the blockchain, recalculate the PoW for every block in a node and take minimum 50% of control of the whole blockchain network, which is impossible. If a hacker wants to tamper with block, then the blockchain network easily detects the invalid block.

Preliminaries

In the section “Preliminaries,” we discuss the basic cryptographic primitives and mathematical hard problems which are used in our proposed scheme.

1. Bilinear pairings:

Let there be two groups of prime order p in which $(G_{1}, +)$ belongs to an additive group and $G_{2}$ belongs to a multiplicative group $(G_{1}, *)$ . While P as a generator of $G_{1}$ with prime order p and a bilinear map: $\hat{e} : G_{1} \times G_{2} \to G_{2}$ which satisfied the following properties.⁷⁰

Bilinearity: for all $P, Q \in G_{1}$ and $x, y \in Z_{P}^{*}$ computes $\hat{e} (P^{x}, Q^{y}) = \hat{e} (P, Q)^{xy}$ .

Non-degeneracy: for all $P, Q \in G_{1}$ and $\hat{e} (P, Q) = 1$ such that 1 represented the identity element of multiplicative group $G_{2}$ .

Computability: for all $P, Q \in G_{1}$ such that the $\hat{e} (P, Q)$ , can be computed efficiently.

In our proposed scheme, the security of patient’s vital signs relies on the following computational hard problems. According to the given additive group $(G_{1}, +)$ and multiplicative group $(G_{1}, *)$ of the prime order p and using the generator P of $G_{1}$ and a bilinear map: $\hat{e} : G_{1} \times G_{2} \to G_{2}$ , we discuss the mathematical hard problems of cryptography.

2. Computational Diffie–Hellman problem (CDHP):

Let G be a group of prime order p and P is the generator ∈ G, such that (x, y, z) are three random numbers $\to \in_{R} Z_{P}^{*}$ ; therefore, $(P, P^{x}, P^{y}) \to (P^{xy})$ , so assumption is proved that it is computationally hard for the attacker.

3. Bilinear Diffie–Hellman problem (BDHP):

In BDHP $(G_{1}, G_{2}, \hat{e})$ such that (x, y, z) are three random numbers $\to \in_{R} Z_{P}^{*}$ , so to compute $(P, P^{x}, P^{y}, P^{z}) \to T = \hat{e} (P, P)^{xyz}$ , assumption proved that it is a computationally hard problem.

4. Decisional bilinear Diffie–Hellman problem (DBDHP):

Let G be a group of prime order p and P is the generator ∈ G, such that (x, y, z) are three random numbers $\to x, y, z \in_{R} Z_{p}^{*}$ , so $(P, P^{x}, P^{y}, P^{z}) \to T = \hat{e} (P)^{xy} = (P)^{z}$ or decide whether $T = \hat{e} (P, P)^{xyz}$ , if $(P, P^{x}, P^{y}, P^{z})$ not given and element $T \in G_{2}$ . If $T = \hat{e} (P, P)^{xyz}$ , so we denoted that it is a DBDHP $(P, P^{x}, P^{y}, P^{z}, T) \geq$ Else, it is denoted DBDHP as $(P, P^{x}, P^{y}, P^{z}, T) = ⊥$ .

5. Gap bilinear Diffie–Hellman problem (GBDHP):

In the GBDH problem, let $(G_{1}, G_{1}, e)$ is to calculate $T = \hat{e} (P, P)^{xyz}$ given $(P, P^{x}, P^{y}, P^{z})$ using DBDHP $(P, P^{x}, P^{y}, P^{z}, T) \geq or ⊥$ .

6. Gap Diffie–Hellman problem (GDHP):

In the GDHP, the $G_{1}$ calculates $(P)^{xy}$ , given $(P, P^{x}, P^{y})$ using DBDHP procedure $(P, P^{x}, P^{y}, P^{z}, T) \geq or ⊥$ .

Applications of blockchain

In this era, many researchers have used the concept of blockchain technology for security purposes to enhance the integrity and traceability of sensitive data in different domains like healthcare,⁷¹ cloud computing,⁷² IoT,⁷³ and electronic voting.^74,75

Advantages of blockchain technology in BSNs

There are some advantages of blockchain in the medical field which are discussed as follows:

Public health

In our proposed scheme using blockchain technology, dictatorial bodies can generate a common flow of de-identified medical patient information. This flow will help to the system to distinguish the pandemics and threats and perform essential action to manage the issue in timely bases.

Patient data security

We proposed a smarter and optimal technology called blockchain to preserve the medical information of a particular patient in a block and protect the medical data from illegal accessing.

Managed consent

Admitted authentic patient in ward of hospital can specifically permit any external users to access their history, that is, medical information, medicine, age, admitted date, and gender.

Flexibility in patient data updating

Authorized patients in ward of hospital can easily store and upload their medical data without modification in previous stored information.

Easy claim processing

Using blockchain technology, the (medical billing) complex process can be constructed easily by removing the third-party validation process.

Threat model

In our proposed scheme, we have used the most popular Dolev–Yao (DY) threat model.⁷⁶ According to this model, the communication among any two nodes is performed on the open channel. Moreover, the endpoint of a communication is also not reliable. In BSNs, due to the susceptible nature of public networks, the adversary can easily alter or delete the patient-sensitive information for misuse while transmitting it from biosensor nodes to an MS. Besides, an attacker can easily imprison some biosensor nodes as well as an MS for illegal activities. Moreover, the smartphones of medical experts can be lost or stolen. In this case, the attacker can easily extract the patient’s secret information stored in that smartphone and use it for specious activities, such as man-in-the-middle attack, offline password guessing attack, replay attack, insider attack, biosensor node or MS impersonation attacks, and computation of secret key. To maintain the security and privacy of patient data, it is important to secure the BSNs against all estimated threats. In our proposed scheme, the KGC is considered as the full trusted server of the entire BSNs. Furthermore, the computed partial private key is encrypted by the server using advanced encryption standard (AES) algorithm and then transmitted toward the biosensor nodes for the generation of the full private key. In case of MS failure, the sensitive patient data backup is available in the cloud and hybrid blockchain technology is used to protect these data from possible adversaries’ attacks. Our scheme fulfills the basic security properties of confidentiality, integrity, authenticity, non-repudiation, scalability, and traceability with minimal cost.

Proposed scheme

In our proposed scheme, we used the attribute-based heterogeneous online/offline scheme that securely transmitted patient information from the biosensor nodes to an MS using online/offline heterogeneous signcryption, while hybrid blockchain technology is used to enhance the overall security and privacy of BSNs along with the performance of medical data sharing among various entities and users. The transmission of physiological sensitive data of patient in a wireless channel may cause serious threats to the patient medical records privacy, and illegal users may perform malicious activities on sensitive patient data to disclose the privacy and security of patient for misuses. In our proposed scheme, we design a novel heterogeneous model that highlighted the issue of patient data sharing among various departments, that is, healthcare staff in hospital, researchers, government agencies, and insurance companies in trust-fewer environments. Using hybrid blockchain, our system provides data auditing, data provenance, scalability, and control for patient medical record shared in cloud repositories among large data objects. In our proposed cloud-based environment, we share patient information among various entities with minimal risk to patient data privacy. In our proposed heterogeneous model, biosensor nodes belong to a certificate-less environment that allows the biosensor nodes to sense patient’s vital signs, such as BP, ECG, EMG, and peripheral capillary oxygen saturation (SpO2), and then transmitted to the MS via a BS in the PKI-based domain. Moreover, in the biosensor side, online/offline techniques are used. The biosensor nodes performed all the heavy cryptographic computation in the offline phase, while the receiver credential and patient information are unknown. The online phase is used for minor operations in biosensor side to increase the performance of the networks. Our proposed heterogeneous online/offline signcryption scheme comprises the following phases: setup phase, MS key-generation phase, biosensor node key-generation phase, offline signcryption phase, online signcryption phase, and un-signcryption phase. The following notations are used in our proposed scheme (Table 1).

Table 1.

Scheme notation.

Notation	Descriptions
BSNs	Body sensor networks
$I D_{i}$	Identity of biosensor node
$X_{i}$	Random number
MS	Medical server
$spm$	Key-generation center
$M_{sk}$	System parameters
$M_{puk}$	Master secret key of KGC
$M S_{sk}$	Master public key of KGC
$S_{ipuk}$	Biosensor node public key
$S_{ippk}$	Partial private key
$F P_{K}$	Full private key
$H_{i}$	Hash function, where i = 1,2,3,4
$\hat{e}$	Bilinear map
P	Generator of
p	Prime order of
$G_{1}$	Additive cycle group
$G_{2}$	Multiplicative cycle group
$CLCS$	Certificate-less cryptosystem
$PKI$	Public key infrastructure
$IBCS$	Identity-based cryptosystem
⊥	Reject
$T_{S}$	Time stamp
$ECG$	Electrocardiogram
$EMG$	Electromyography
$SPo 2$	Peripheral capillary oxygen saturation
$PoW$	Proof of work
$AD$	Adversary
$CH$	Challenger
$KGC$	Key-generation center
n	Patient-sensitive information

Setup phase

In this phase, we take initial security parameter K as an input. Moreover, KGC selects $(G_{1} and G_{2})$ two groups of prime order p, in which $G_{1}$ belong to the additive group and $G_{2}$ belong to the multiplicative group. While P as a generator of $G_{1}$ and a bilinear map: $\hat{e} : G_{1} \times G_{2} \to G_{2}$ . Moreover, four one-way collision-resistance functions are used, which are discussed as follows

H_{1} : {0, 1}^{*} \to Z_{p}^{*}; H_{2} : G_{1} \to Z_{p}^{*}

H_{3} : G_{2} \to {0, 1}^{n}; H_{4} : {0, 1}^{n} \times G_{2} \times G_{1} \to Z_{p}^{*}

where n represents patient-sensitive information in bits. KGC chooses randomly its master secret key $M_{sk} \in Z_{p}^{*}$ and then computes its master public key $M_{puk} = M_{sk} . P$ , while KGC publishes other system parameters spm publicly, that is, $G_{1}, G_{2}, \hat{e}, p, P, M_{puk}, g, H_{1}$ and keep secret $(M_{sk}, H_{2}, H_{3}, H_{4})$ , where $g = (P, P)$ . Normally, this algorithm is run by KGC. We assumed that spm is accessed publicly by each user of the networks, moreover $M_{sk}$ will be secure and only KGC can used.

MS key-generation phase

Our proposed heterogeneous online/offline scheme comprises two different domains. In the biosensor side, we used certificate-less domain, while in the MS side, we used PKI-based domain suitable for large-scale networks, that is, the Internet. In this phase, the MS chooses a random secret value $s \in Z_{p}^{*}$ , then calculates its secret key as: secret key $M S_{sk} = (1 / s) \times P$ and public key $M S_{puk} = s \times P$ .

Key generation on biosensor using certificate-less domain

In our proposed system, all biosensor nodes belong to the CLC-based domain. The biosensor nodes generated keys are as follows:

Generation of public key

The biosensor nodes which are deployed on a patient body to sense vital signs can randomly choose a value $X_{i} \in Z_{P}^{*}$ and calculate its public key as: $S_{ipuk} = X_{i} . H_{1} (I D_{i}) \cdot P$ . Moreover, this public key of sensor node $S_{ipuk}$ is publishing without digital certificate in our proposed certificate-less domain.

Extraction of partial private key

In this phase, biosensor nodes send its identity $I D_{i}$ and have a public key $S_{ipuk}$ to KGC. Now KGC runs algorithm, in which $(S_{ipuk} M_{SK}, I D_{i}, spm)$ is used as an input and then return partial private key as: $S_{ippk} = (1 / (H_{2 (S_{ipuk}) + M_{sk}})) P$ .

Secure distribution of partial private key using AES algorithm

In this phase, we securely transmitted partial private key $S_{ippk}$ from server side to biosensor nodes using symmetric cipher AES. This algorithm is fast in terms of encryption and decryption and consumes less energy. Moreover AES algorithm is secure and suitable for resource-constrained environments like BSNs.

Generation of full private key

In this phase, the cipher input $(S_{ippk}, X_{i}, I D_{i})$ means taking $S_{ippk}$ and $X_{i} \in Z_{P}^{*}$ as input along with the biosensor identity $I D_{i}$ and generate a full private key $F P_{K}$ for biosensor nodes as: $F P_{K} = (X_{i})^{- 1} \cdot S_{ippk}$ . The above steps of partial and private keys generation among biosensor node and KGC are generally elaborated in Figure 1.

Figure 1.

Generation process of full private key.

Offline signcryption phase

This cipher is computed using a powerful machine, that is, medical server, and after computation, the output of the algorithm is stored in the biosensor node before deployment on a patient body. In the offline phase, we reduced the computational burden of the biosensor nodes.

Offline signcryption $(F P_{K}, S_{ipuk}, P U_{ms}, I D_{i}, spm, M S_{puk}, X_{i})$ :

Choose randomly $q and r \in Z_{p}^{*}$

Computes $D = q \cdot M S_{puk}$

Computes $Z = r^{- 1} \cdot F P_{K}$

Computes $U_{i} = X_{i} \cdot M_{puk}$

Computes $T_{i} = X_{i} \cdot H_{2} (S_{ipuk}) P$

Computes $L = g^{q}$

Offline signcryption output $B = (q, r, Z, D, L, T_{i}, U_{i})$

Release $X_{i}$

Online signcryption phase

In this phase, the patient data (M) and the output of previous offline phase is taken as the input and computes the encoded text as follows:

Online signcryption $(M, B)$ :

Computes $V = H_{3} (L)$

Computes $C = M \oplus V$

Computes $h = H_{4} (M, L, Z)$

Computes $β = (q + h) rmodp$

Output encoded text $C' = (C, β, Z, D)$

Biosensor node sends $(C', T_{i}, U_{i})$ to MS.

Un-signcryption phase

In this phase, the cipher takes an encoded text $C'$ , full private key $F P_{K}, T_{i}, and U_{i}$ as input and run un-signcryption cipher to get patient-sensitive data in plain text and to check the correctness of that data.

Un-signcryption $(C', F P_{K}, T_{i}, U_{i})$ :

Computes $L = \hat{e} (D, F P_{K})$

Recover the patient data $M = C_{3} \oplus H_{3} (L)$

Computes h = H₄ (M, L, Z)

Computes $F = β \cdot Z$

Check the correctness of data

If $L = \hat{e} (F, T_{i}, U_{i}) g^{- h}$ then patient data are original and accepted.

Otherwise data are modified and rejected ⊥.

Proposed scheme correctness

To validate the correctness of our proposed scheme, there are two steps. In the first step, we check the correctness of the decryption, while in the second step, we check the correctness of verification.

First step: correctness of the decryption

L = \hat{e} (D, M S_{sk})

L = \hat{e} (q . sP, \frac{1}{s} \times P)

L = \hat{e} (P, P)^{q}

L = L

Second step: correctness of verification

L = \hat{e} (F, T_{i} + U_{i}) g^{- h}

L = \hat{e} (q + h) F P_{K}, X_{i} H_{4} (S_{ipuk} . P + X_{i} . M_{sk} P) . g^{- h}

L = \hat{e} ((X + h) \frac{1}{X_{i}} \frac{1}{H_{4} S_{ipuk} + M_{sk}} P, X_{i} (H_{4} S_{ipuk}) + M_{sk}) P) g^{- h}

L = \hat{e} (P, P)^{(q + h)} g^{- h}

L = g^{(q + h)} g^{- h}

L = g^{q}

L = L

Proposed formal heterogeneousmodel for BSN

We proposed secure and efficient attribute-based online/offline heterogeneous signcryption scheme for BSNs using hybrid blockchain technology, in which we improve the overall security performance of the BSNs with lower transmission overhead along with processing cost. In our proposed scheme, KGC is a third-party or a server between certificate-less domain and PKI-based domain that is working in a secret key–generation process. In the key-generation process, we compute cryptographic keys for secure transmission of patient’s vital sign from source to destination node. KGC contain its own master public key, master secret key and other public parameters for the generation of partial private key. Now with the help of partial private key and random number, each biosensor nodes can be able to compute their full private keys for secure communication of patient data from source node to destination node. The biosensor nodes that are deployed on a patient body admitted in a hospital ward can continuously sense patient’s vital signs and then securely transmit these patient’s vital signs to a BS using the IEEE.802.15.6 standards. After receiving the patient’s encoded information, the BS used 3G/4G Internet services for transmission of patient information in a signcrypted format to the MS. Authentic medical doctors can access the patient information stored in the MS directly and also remotely from the cloud. Medical doctors analyze patient information and provide treatments based on an analysis of medical data. Using hybrid blockchain technology, we securely stored patient-sensitive information on a cloud and multiple types of external users can access the patient information after verification. Furthermore, in our proposed heterogeneous scheme, biosensor nodes deployed on a patient body can work in CLC domain while for enhancement of scalability on MS side PKI-based environment is used. To maintain data security and privacy of sensitive medical information, the concept of blockchain technology is used in our proposed scheme. Figure 2 shows our proposed formal heterogeneous model for BSNs.

Figure 2.

Proposed formal heterogeneous model for BSNs.

Secure transmission among MS and external users

In our proposed scheme for accessing patient’s vital signs, all the external users must be register to the MS for verification or authentication process using their credentials, that is, ID, email address, location, and also transmitted the time stamp (T_S). Each authentic user can access the patient-sensitive information after verification according to security policies which are predefine by system administrator in access control list (ACL).

KGC runs the key-generation algorithms to generate secret keys and securely distribute these secret keys among data producers and data consumers for secure communication.

Data producers, that is, hospitals, encode patient’s medical sensitive data using secret keys and send secret data with related description to a data pool of blockchain.

Data consumers, that is, medical research institutes, insurance companies, doctors, and government agencies, first login, and after verification, if it is declared legal or authentic, only then can access the patient data according to predefine attribute-based access structure or policies.

Data producers send signcrypted authorized letter to the data pool of a blockchain system to authorize their data-sharing policies.

Attribute-based security policies are used to provide fine grain access control to all external users, and patients can manage easily their own sensitive medical information and securely disseminate without violating patient data privacy and also enhanced the network life while keeping patient medical records private.

Data pool securely transfer data to blockchain for further processing and then patient secret data stored on medical cloud.

In a blockchain, we apply one-way hash function (MD-512) to maintain the integrity and traceability of medical records and improve the security to prevent the patient data from tempering, while the descriptions of patient medical information along with data address are stored in the blockchain in a decentralized manner.

Now data consumers can access that patient’s data and description of data from the cloud and blockchain using Internet technology. Figure 3 shows the secure transmission between the MS and external users.

Figure 3.

Secure cloud-based patient electronic record system.

Proposed network model for BSN

In BSNs, the patient should have full authority of his or her attributes (vital signs) such that only those legitimate users he wants to share with can access the patient attributes. The attributes may contain physiological sensitive information of patient such as full information of disease, family relationship history, medication, and dosing, as well as some insensitive information like healthy diet, physical exercise, and secrets of longevity. Therefore, for security efficiency, we want to create an ACL in the MS, which classifies the patient attributes into different categories according to their criticalness, due to which security and privacy of patients’ information can be protected. External users (healthcare staff, researchers, insurance companies, and government agencies) can only access those attributes which are predefined in the ACL. Healthcare staff need to analyze an individual health profile and identify health threats and then suggest improvements in treatments based on an analysis of drug interaction, current medical practices, gaps in medical care plans, and identification of medical errors. They must have the right to access the patients’ full attributes. On the other side, researchers, insurance companies, and government agencies cannot use these full rights. The security and privacy of patients’ information are the essential components of secure BSN environments. In case the medical doctors obtain modified data of the patients, it may lead to a misdiagnosis of the patient and may have a serious consequence. Malicious users also try to get patient attributes for illegal purposes. In our proposed network model, we maintain the privacy of patients’ data with low processing cost and transmission overhead and provide a higher degree of security. Our proposed scheme achieves confidentiality against CCAs and unforgeability against chosen message attacks in the selective attribute model. Attribute-based keys of patients can be revoked if necessary for privacy efficiency. Using attribute-based security, only legitimate users can only access the information for which he or she is authorized. Our proposed network model is presented in Figure 4.

Figure 4.

Proposed network model for BSNs.

Secure distribution of access policies for data privacy

All entities which are participating in the networks for transmission of information can register their secret keys from KGC.

All admitted patients in a hospital wards can transmit patient’s medical information in a secure format toward the MS.

The system administrator can set the data-access policies and structures using AND, OR logic gates and transmitted these access policies toward the patient to authorizes theses polices along with doctor policy for data accessing (Figure 5).

The biosensor node deployed on a particular patient body can sense the vital signs and then securely communicate these vital signs to BS using IEEE 802.15.6 standard. BS further transmitted the received patient information toward the MS in a secure manner using 3G/4G Internet technology.

Now MS used the predefine data-access policies to encrypt the patient information and transmitted to the data pool of blockchain.

The relevant detail about patient information is also written in the blockchain.

Now blockchain verify the transmission source of data pool and also stored the received encrypted data of patient in medical cloud. Moreover, all the external users can access the patient data from cloud using their valid user ID and assigned password using Internet technology.

Figure 5.

Distribution of access policies/structure for secure data privacy.

Smart contract

Our proposed heterogeneous scheme can also provide the support of smart contract for automatic claims of settlement.⁷⁷ The smart contract is just like a reality contract, but the reality contract is in written format and the blockchain smart contract is a small program or protocol inside a blockchain. The process of smart contract can be run between patient, MS, and all external parties. Through the smart contract, any two users can communicate securely without a trusted third-party, meaning it removes the trusted third-party. Smart contracts are open-distributed ledgers that are impossible to hack. The smart contracts are distributed and immutable: immutable, meaning that once a smart contract is created, it certainly cannot be changed and distributed, meaning that the smart contract is validated by each node of the network (Figure 6).

Figure 6.

Secure patient medical information using blockchain.

Cryptographic keys

The cryptographic keys are used to succeed confidentiality for exchange of information between requester and server. Through these cryptographic keys, a high-level security for our scheme is achieved.

Requester privet key: the private key is generated by the requester, and it is used to sign the data digitally for access.

Requester public key: the public key is also generated by the requester and is sent to the authenticator to verify the requester identity for the access of data.

Authenticator contract key: the authenticator also generates the couple of keys and attached with smart contract in a suite used to encrypt the reports from requester system in our network.

Security model

In this section, we demonstrate the formal security model of our proposed heterogeneous online/offline method. In our proposed scheme, biosensor nodes belong to CLC environment and we consider two kinds of adversaries Type-I and Type-II for (EUF-CMA). In Type-I adversary model, common users of the system cannot access the master secret key $(M_{SK})$ of KGC, but it can try to change the public key of any biosensor node with their own choice. In Type-II adversary model, common user is honest—but curious and knows the master secret key of the KGC, but it does not alter the public key of the any biosensor nodes. However, in our proposed heterogeneous signcryption, we used CLC-based signcryption in Tier-1 while PKI-based signcryption in Tier-3 and obtain the security properties of confidentiality (IND-CCA2) and unforgeability $(EUF - CMA)$ . Moreover, in Tier-3, our scheme satisfies the confidentiality property (IND-CCA2), while in Tier-1 satisfy the unforgeability properties (EUF-CMA), so we need to prove Type-I and Type-II adversaries using games for both (EUF-CMA) and (IND-CCA2).

First, we proved the game for confidentiality $(IND - CCA 2)$ , in which the challenger (CH) communicates with the adversary (AD).

Initial CH executes the setup algorithm on input data, that is, initial security parameters K, and assigns master secret key $(M_{SK})$ of KGC and system parameters $spm$ to adversary (AD). Furthermore, challenger (CH) assigns the adversary (AD) server public key (PU_K).

Phase-I

Public key queries

Adversary (AD) can add the identification number $(I D_{si})$ of biosensor node to the challenger (CH). Moreover, the challenger (CH) executes the algorithm of public key generation $(I D_{s} i, spm) \to (P U_{K}, X_{i})$ and returns $(P U_{K})$ to $(AD)$ . Now the adversary (AD) saves a list for further queries.

Private key queries

Adversary (AD) can add the identification number $(I D_{si})$ of a biosensor node to the challenger (CH). Moreover, challenger (CH) executes full private key $(F P_{K})$ algorithm $(X_{i}, S_{ippk}) \to (F P_{K}) and returns (F P_{K})$ to adversary (AD). Now the adversary (AD) saves a list for further queries while the challenger (CH) can use other types of queries.

Public key–replacement queries

In such types of queries, adversary (AD) can alter the biosensor nodes public key by its own choice.

Signcryption queries

In such type of queries, adversary (AD) executes a signcryption algorithm. It submits a biosensor node identity $(I D_{si})$ and patient data. Now the challenger (CH) verifies the biosensor nodes secret key along with public key, in case both data do not match, it will run the PKG algorithm to obtain a biosensor node public key and full private key algorithm to get $(F P_{K})$ with the help of partial private key $(S_{ippk})$ . Challenger (CH) executes offline signcryption $(F P_{K}, S_{ipuk}, P U_{ms}, I D_{i}, spm, M S_{puk}, X_{i})$ to get output of the offline signcryption $B = (q, r, Z, D, L, T_{i}, U_{i})$ . The challenger (CH) already knows the server public key and runs the online signcryption algorithm and transmits the obtained result to the adversary (AD). In case the public key has been changed, the adversary (AD) provides it for further execution.

Un-signcryption queries

An adversary (AD) can execute the queries of un-signcryption and submits the encoded data. The challenger (CH) executes the un-signcryption algorithm and transmits the obtained result to the adversary (AD). In a PKI environment, the adversary (AD) knows the public key of the server.

Challenge phase

An adversary (AD) defines when Phase-1 is completed. The adversary (AD) produces challenge for two same size plain texts $(n_{0}, n_{1})$ and biosensor identity $(I D_{si})$ , in which the adversary (AD) wants to be challenged. Moreover, the challenger (CH) selects a random number and executes both the offline signcryption along with online signcryption algorithms and submits the obtained result to the adversary (AD). In case the public key has been changed, the adversary (AD) assigns the confidential value to the challenger (CH) for further computation.

Phase-II

Adversary (AD) can execute polynomial-bounded numbers of queries for Phase-II with some constraints on un-signcryption phase to get the related data after the challenge phase.

Adversary (AD) finally guesses the output $X'_{i} \in Z_{p}^{*}$ and wins the game if $(X'_{i} = X_{i})$ .

${AD}_{Heterogeneous scheme}^{IND - CCA 2} (AD) = | 2 \Pr [((X'_{i} = X_{i})] - 1 |$ , where $\Pr [(X'_{i} = X_{i})]$ represents the probability that $(X'_{i} = X_{i})$ .

Definition 1

However, insider security is achieved in the form of confidentiality (IND-CCA2) against the attacker in the aforementioned (IND-CCA2) game.

Second, we proved game for Existential Unforgeability (EUF-CMA) here we used two types of adversaries: Type-I and Type-II. Furthermore, Type-II includes (EUF-CMA-I) game and (EUF-CMA-II) game.

EUF-CMA-I: In our proposed scheme (EUF-CMA-I game), the challenger (CH) directly communicates with the adversary of Type-I denoted as ADT_I.

Initial: The challenger (CH) executes the setup algorithm on input data, that is, initial security parameters $(K)$ , and assigns system parameters $spm$ to the adversary $(AD T_{I})$ and protects the master secret key $(M_{SK})$ . Furthermore, the challenger (CH) assigns the adversary (AD) a server public key $(P U_{K})$ and a private key $(S_{K})$ .

Attack: $AD T_{I}$ can execute polynomial-bounded numbers of queries as same as the (IND-CCA2) game. Moreover, $AD T_{I}$ is permitted to execute partial private key–extraction queries.

Forgery: $AD T_{I}$ can create a forge-encoded text $(B^{*})$ along with a biosensor identity (ID_si), and finally, $AD T_{I}$ wins the game if the below steps hold.

Un-signcryption $(B^{*}, F P_{K}) = n^{*}$ .

Adversary $(AD T_{I})$ does not execute a secret key query for biosensor identity $(I D_{si})$ .

Adversary $(AD T_{I})$ does not execute a public key replacement along with a secret key extraction for biosensor identity $(I D_{si})$ .

Adversary $(AD T_{I})$ does not execute a signcryption $(B^{*}, I D_{si}, P U_{K})$ .

Definition 2

Our proposed heterogeneous scheme (EUF-CMA-I) is secure if it satisfied the benefits of probabilistic algorithm in the standard model, and adversary $(AD T_{I})$ is negligible in public key queries $Q_{Puk}$ , partial private key queries $Q_{ppk}$ , signcryption queries $Q_{sign}$ , and un-signcryption queries $Q_{un - sign}$ in the $(EUF - CMA - I)$ game.

EUF-CMA-II: the challenger (CH) communicates in this game with a Type-II adversary $(AD T_{II})$ .

Initial: The challenger (CH) executes the setup algorithm on input data, that is, initial security parameters $(K)$ , and assigns system parameters $spm$ along with master secret key $(M_{SK})$ to the adversary $(AD T_{II})$ .

Attack: $AD T_{II}$ can execute polynomial-bounded numbers of queries for public key creation, full private key extraction, signcryption, and un-signcryption in a systematic way using a standard model similar to the $(IND - CCA 2)$ game. Moreover, $AD T_{II}$ is permitted to execute the partial private key–extraction queries since it has access to $M_{SK}$ .

Forgery: $AD T_{II}$ can create a forge-encoded text $(B^{*})$ along with a biosensor identity $(I D_{si})$ , and finally, $AD T_{II}$ wins the game if the below steps hold.

Un-signcryption $(B^{*}, F P_{K}) = n^{*}$ .

Adversary $(AD T_{II})$ does not execute a secret key query for biosensor identity $(I D_{si})$ .

Adversary $(AD T_{II})$ does not execute a signcryption $(B^{*}, I D_{si}, P U_{K})$ .

Definition 3

Our proposed heterogeneous scheme $(EUF - CMA - II)$ is secure if it satisfied the benefits of the probabilistic algorithm in the standard model, and adversary $(AD T_{II})$ is negligible in public key queries $Q_{Puk}$ , full private key queries $Q_{Fpk}$ , signcryption queries $Q_{sign}$ , and un-signcryption queries $Q_{un - sign}$ in the $EUF - CMA - II$ game.

Definition 4

We obtain the security property of unforgeability $(EUF - CMA)$ in our proposed scheme if it satisfied both the properties of $(EUF - CMA - I)$ and $(EUF - CMA - II)$ .

Definition 5

However, insider security is achieved in both unforgeability (EUF-CMA-I) and $(EUF - CMA - II)$ against the attacker in the aforementioned $(EUF - CMA)$ game.

Proposed scheme informal security analysis

In a security model, using a formal security analysis, we have proved that our proposed heterogeneous scheme is secure against Type-I and Type-II adversaries. Moreover, we show that our scheme satisfies the security properties of data confidentiality $(IND - CCA 2)$ and unforgeability $(EUF - CMA)$ in the standard model. While using informal security analysis, we also have proved that our scheme resists other potential attacks. Now with the help of informal security analysis of the proposed heterogeneous scheme, we have proved the resistance of our proposed scheme against possible attacks.

Proposed scheme resistance against replay attack

Proof. In our proposed heterogeneous scheme, we used the concept of time stamp $(T_{S})$ among communication devices of two different environments in which biosensor nodes belong to CLC environment, while MS belongs to PKI environment to ensure that the patient data received by the external users, that is, doctors, nurses, insurance companies, and government agencies, are fresh and protect Type-I and Type-II adversaries to launch replay attack. Moreover, we used the concept of hybrid blockchain, which improves the transparency and privacy of the patient-sensitive medical records and also protects the adversaries to launch replay attack.

Proposed scheme resistance against man-in-the-middle attack

Proof. In our proposed scheme for secure distribution of partial private key, we used the concept of AES algorithm. We securely transmitted a partial private key $S_{ippk}$ from the server side to the biosensor nodes using symmetric cipher $AES$ . This algorithm is fast in terms of encryption and decryption and consumes less energy. Moreover, $AES$ algorithm protects the secret key during transmission and adversaries cannot guess or alter the session key for illegal activities. Hence, our scheme is secure against man-in-the-middle attacks.

Proposed scheme resistance against offline password guessing attack

Proof. The patient-sensitive medical information is stored in a MS for future reference and treatment. Each external user, that is, a doctor, who wants to access patient information must be registered with the MS to maintain the real-time patient data privacy. Only registered doctors can access patient-sensitive medical information stored in an MS using their smartphones according to predefine attribute-based access structure or policies. Therefore, in case the doctor’s smartphone is lost or stolen, an adversary cannot access or guess the password of the server because we used the hybrid blockchain technology in our proposed scheme, and due to one-way collision-resistance function, it is difficult for the attacker to guess the password of the MS. Moreover, illegal users are blacklisted to protect the BSNs networks from Type-I and Type-II adversaries and maintain fine-grained access control for patient data privacy.

Proposed scheme resistance against privileged insider attack

Proof. In our proposed scheme, we used attribute-based access structure or policies to protect privilege abuse or overcome the damage it can cause. If the doctor’s policy matched with the predefine policy stored in the MS, permission is granted to the doctor for accessing the concerned patient’s medical sensitive information otherwise discard the policy. Therefore, for security efficiency, we want to create ACL on $MS$ , which classifies the patient attributes into different categories according to their criticalness, due to which security and privacy of patients’ information can be protected. Moreover, using these policies, we overcome illegal activities inside the BSNs.

Performance analysis

Performance analysis consists of two main sub parts. In the first part, we compare the computation cost of our proposed heterogeneous scheme with other related schemes^67–69 shown in the below table, while in the second part, we discuss the energy consumption of our proposed scheme with other heterogeneous schemes.^67–69

Computation cost

In this sub-section, we compared the processing time of existing schemes discussed in the literature^67–69 with our proposed scheme. Our proposed secure attribute-based online/offline heterogeneous signcryption scheme provides efficient results in terms of processing cost than other schemes. We assumed that $| G_{1} | = 160 bits$ , $| G_{2} | = 1024 bits$ , $| p | = 160 bits$ , $| I D_{i} | = 160 bits$ , |M| = 160 bits, and hash value = |512| bits. For processing cost comparison, we ignore the minor operations like hash value, addition and subtraction operations, and only major and expensive operations are considered, that is, pairing operations (Pr), exponentiation (E) in $| G_{2} | = 1024 bits$ , and point multiplication (M) in $| G_{1} | = 160 bits$ .⁷⁸ Table 2 shows the computational cost comparisons of the proposed scheme with four homogeneous schemes and five heterogeneous schemes. The online signcryption algorithm phase of our proposed scheme involves no major or expensive operations, which is why the biosensor node’s life time increased and works for longer times, while in the un-signcryption phase, the comparison shows that the model by F Li et al.⁶⁹ has a high computational cost than all the existing heterogeneous schemes discussed in the literature, and the model by Luo et al.⁶⁴ has lower computational cost but is still insecure.⁷⁹ According to the schemes proposed in previous works,^80,81 the National Institute of Standards and Technology (NIST)-recommended security level for 80 bits one-point multiplication in $G_{1}$ takes 0.81 s,⁸⁰ while single pairing operation in $G_{2}$ takes 1.90 s,⁸¹ and using the method by Shim et al.,⁸² single exponentiation operation requires 0.9 s in $G_{2}$ . During implementation, a MICA2 sensor is used in the ATmega 128 8-bit microcontroller based on the AVR architecture along with ROM of size 128 KB and RAM of size 4 KB.

Table 2.

Computation cost comparisons in terms of expensive or major operations.

References	Offline signcryption	Onlinesigncryption	Un-signcryption
Li et al.⁶³	1E + 5M	1M	1E + 5Pr + 5M
Luo et al.⁶⁴	1E + 2M	1M	3Pr + 4M
Li et al.⁵⁴	1E + 4M	0	1E + 2Pr + 3M
Lai et al.⁶⁵	1E + 3M	0	1E + 2Pr + 3M
Sun and Li⁶⁷	0	1Pr	1Pr
Huanget al.⁶⁸ (I)	0	3M	1Pr + 2M
Huanget al.⁶⁸ (II)	0	2M	4M
Li et al.⁶⁹	0	1E + 2M	1E + 2Pr + 3M
This study	1E + 4M	0	1E + 2Pr + 1M

Table 3 shows that the sender private key size of our proposed heterogeneous scheme and that of Sun and Li⁶⁷ and Li et al.⁶⁹ are same and less then Huang et al.⁶⁸ schemes, while the encoded text size of Li et al.⁶⁹ is lower than other heterogeneous schemes. Sun and Li⁶⁷ scheme does not provide the non-repudiation security property, and the recipient can create the same encoded text as the sender does. Moreover, in the studies of Huang et al.(I) and (II)⁶⁸ and Sun and Li,⁶⁷ the sender belongs to identity-based cryptosystem (IBCS) domain and suffers from the key escrow problem.

Table 3.

Comparison of private key size and transmitted encoded text size in (bits).

References	Sender private key size in bits	Encoded textsize in bits
Li et al.⁶³	320	1120
Luo et al.⁶⁴	320	800
Li et al.⁵⁴	160	640
Lai et al.⁶⁵	160	800
Sun and Li⁶⁷	160	640
Huang et al.⁶⁸ (I)	320	960
Huang et al.⁶⁸ (II)	320	960
Li et al.⁶⁹	160	480
This study	160	640

Table 4 shows the security properties fulfilled by our proposed scheme and other four homogeneous and five heterogeneous schemes. Only the scheme by Sun and Li⁶⁷ does not fulfill the EUF-CMA security property, and all other heterogeneous schemes in the table achieve this property. All four homogeneous schemes in Table 4 are not suitable for large networks in the sever side since CLC and IBCS are used.

Table 4.

Comparison of security properties of proposed scheme and existing schemes.

References	Security achieved	Environments
Li et al.⁶³	$CCA 2 + CMA$	$CLCS \to CLCS$
Luo et al.⁶⁴	$No$	$CLCS \to CLCS$
Li et al.⁵⁴	$CCA 2 + CMA$	$CLCS \to CLCS$
Lai et al.⁶⁵	$CCA 2 + CMA$	$IBCS \to IBCS$
Sun and Li⁶⁷	$CCA 2$	$IBCS \to PKICS$
Huang et al.⁶⁸ (I)	$CCA 2 + CMA$	$IBCS \to PKICS$
Huang et al.⁶⁸ (II)	$CCA 2 + CMA$	$IBCS \to PKICS$
Li et al.⁶⁹	$CCA 2 + CMA$	$CLCS \to PKICS$
This study	$CCA 2 + CMA$	$CLCS \to PKICS$

CCA: chosen ciphertext attack; CLCS: certificate-less cryptosystem; IBCS: identity-based cryptosystem; PKI: public key infrastructure.

Energy consumption

According to the Shim et al.’s model,⁸² assume that in transmitting mode, current is drawn 27 mA, while in receiving mode current drawn ratio is 10 mA. Moreover, in the active mode, current drawn is 8.0 mA and the speed of the data is 12.4 Kbps, and using previous methods,^83,84 the microcontroller needs 3 × 27 × 8/12,400 = 0.052 mJ and 3 × 10 × 8/12,400 = 0.019 mJ to transfer and receive 1 byte of data through the MICA2 sensor node, respectively. Now we find the energy consumption during the transmission process.

Transmission cost

The data size in previous works,^67,68^{(I) and (II),69} and the proposed scheme is as follows:

In a study by Sun and Li,⁶⁷ the microcontroller transfers (||Encoded text||/8) = 640/8 = 80 byte. In a study by Huang et al. (I),⁶⁸ microcontroller transfers (||Encoded text||/8) = 960/8 = 120 byte. In a study by Huang et al. (II),⁶⁸ microcontroller transfers (||Encoded text||/8) = 960/8 = 120 byte. In a study by Li et al.,⁶⁹ microcontroller transfers: (||Encoded text||/8) + ( $I D_{i}$ /8) + ( $S_{ipuk}$ /8) = 480/8 + 160/8 + 160/8 = 800/8 = 100 byte. Therefore, $S_{ipuk}$ belongs to $G_{1}$ while, $| | G_{1} | | = 160 bits$ . In the proposed scheme, data transmission: (||Encoded text||/8) + ( $T_{i}$ /8) + ( $U_{i}$ /8) = 640/8 + 160/8 + 160/8 = 960/8 = 120 byte. Therefore, $T_{i}$ and $U_{i}$ belongs to $G_{1}$ , while $| | G_{1} | | = 160 bits$ .

Now we calculate the data-transmission energy consumption using the following procedure shown in Tables 5 –7.

Table 5.

Energy consumption in transmission.

References	Energy consumption in data transmission
Sun and Li⁶⁷	0.052 × 80 = 4.16 mJ
Huang et al.⁶⁸ (I)	0.052 × 120 = 6.24 mJ
Huang et al.⁶⁸ (II)	0.052 × 120 = 6.24 mJ
Li et al.⁶⁹	0.052 × 100 = 5.2 mJ
This study	0.052 × 120 = 6.24 mJ

Table 6.

Energy consumption in processing.

References	Energy consumptionin data processing
Sun and Li⁶⁷	45.5 × 1 = 45.6 mJ
Huanget al.⁶⁸ (I)	19.44 × 3 = 58.32 mJ
Huanget al.⁶⁸ (II)	19.44 × 2 = 38.88 mJ
Li et al.⁶⁹	19.44 × 2 + 21.6 × 1 = 60.48 mJ
This study	No majoroperationis performed

Table 7.

Total energy consumption.

References	Total energyconsumption = energyconsumption in dataprocessing + energyconsumption in datatransmission
Sun and Li⁶⁷	4.16 + 45.6 = 49.76 mJ
Huang et al.⁶⁸ (I)	6.24 + 58.32 = 64.56 mJ
Huang et al.⁶⁸ (II)	6.24 + 38.88 = 45.12 mJ
Li et al.⁶⁹	5.2 + 60.48 = 65.68 mJ
This study	6.24 + 0 = 6.24 mJ

Table 8 shows that the energy-consumption ratio increased when the number of transmitted messages increased in the heterogeneous domain. Our proposed scheme consumes less energy as compared to other heterogeneous schemes shown in the Table 8.

Table 8.

Energy consumption versus number of transmitted messages in a heterogeneous domain.

Number of transmittedmessages	References
Number of transmittedmessages	Sun and Li⁶⁷	Huang et al.⁶⁸ (I)	Huang et al.⁶⁸ (II)	F Li et al.⁶⁹	This study
01	49.76	64.56	45.12	65.68	6.24
20	995.2	1291.2	902.4	1313.6	124.8
40	1990.4	2582.4	1804.8	2627.2	249.6
60	2985.6	3873.6	2707.2	3940.8	374.4
80	3980.8	5164.8	3609.6	5254.4	499.2
100	4976	6456	4512	6568	624

Figure 7 shows the comparison of total energy consumed at the sender side in various schemes. The graph shows that our proposed heterogeneous online/offline signcryption scheme consumed less energy during data transmission and data processing at biosensor side as compared to other schemes.^67–69 Data transmissions consume more energy than data processing.

Figure 7.

Total consumption of energy in biosensor node.

Figures 8 and 9 show the processing cost comparison of one message in the online signcryption phase of various heterogeneous schemes as discussed in the literature. The graph shows that our proposed online signcryption phase has no major operation and needs only the one-way hash function and arithmetic operations that are negligible; therefore, the processing cost of our proposed online phase is the smallest when compared with other existing schemes.^67–69

Figure 8.

Processing cost of online signcryption phase.

Figure 9.

Energy consumption versus number of transmitted messages in the heterogeneous domain.

Conclusion

Due to extensive use of BSNs, designing a secure and efficient heterogeneous scheme is an important requirement for the resource-constrained environment. BSNs face three major challenges which are security, privacy, and efficiency. To cope with these problems, in our proposed scheme, we have used a heterogeneous online/offline signcryption and CLC environment to overcome the computational burden on biosensor nodes, while PKI environment at the MS side to enhance the scalability of the networks. Besides, we achieved the advantages of interoperability, transparency, traceability, and privacy using hybrid blockchain technology. We thoroughly examined our proposed scheme for its security analysis with the help of formal security under the standard model along with informal security. Using informal security analysis, we proved that our scheme provides resistance against possible attacks. The detailed results of performance analysis show that our proposed heterogeneous scheme provides better security and privacy while consuming less energy during patient data computation and transmission than other heterogeneous schemes discussed in the literature and enhance the overall performance of the networks. Therefore, this study is preferable for practical applications of BSNs, where two different parties can securely communicate even if their architecture and domain are different.

Footnotes

Handling Editor: Benny Lo

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

ORCID iD

Jawaid Iqbal

References

Zheng

Digital signcryption or how to achieve cost (signature & encryption) << cost(signature) + cost(encryption). In: Kaliski

(ed.) Advances in cryptology: CRYPTO’97—lecture notes in computer science, vol. 1294. Berlin; Heidelberg: Springer, 1997, pp.165–179.

Zhao

Bai

Peng

, et al. Efficient key management scheme for health blockchain. CAAI T Intell Technol 2018; 3(2): 114–118.

Zhang

Deng

Liu

, et al. Outsourcing service fair payment based on blockchain and its applications in cloud computing. IEEE T Serv Comput. Epub ahead of print 7 August 2018. DOI: 10.1109/TSC.2018.2864191.

Zhang

Deng

Shu

, et al. TKSE: trustworthy keyword search over encrypted data with two-side verifiability via blockchain. IEEE Access 2018; 6: 31077–31087.

Zhang

Deng

Zheng

, et al. Blockchain based efficient and robust fair payment for outsourcing services in cloud computing. Inform Sci 2018; 462: 262–277.

Latré

Braem

Moerman

, et al. A survey on wireless body area networks. Wirel Netw 2011; 17(1): 1–18.

Sahai

Waters

. Fuzzy identity-based encryption. In: Cramer

(ed.) Advances in cryptology—EUROCRYPT 2005: Lecture notes in computer science, vol. 3494. Berlin; Heidelberg: Springer, 2010, pp.457–473.

Goyal

Pandey

Sahai

, et al. Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM conference on computer and communications security (CCS 2006), Alexandria, VA, 30 October–3 November 2007, pp.89–98. New York: ACM.

Ramya

Naga Sravanthi

Kumar

. Reliable healthcare monitoring system using SPOC framework. In: Saini

Sayal

Govardhan

, et al. (eds) Innovations in computer science and engineering, vol. 74. Singapore: Springer, 2019, pp.393–401.

10.

Bianchi

Capossele

Petrioli

, et al. AGREE: exploiting energy harvesting to support data-centric access control in WSNs. Ad Hoc Networks 2013; 11(8): 2625–2636.

11.

Bethencourt

Sahai

Waters

. Ciphertext-policy attribute-based encryption. In: Proceedings of the 2017 IEEE symposium on security and privacy, Berkeley, CA, 20–23 May 2007, pp.321–334. New York: IEEE.

12.

Hur

Fine-grained data access control for distributed sensor networks. Wirel Netw 2011; 17(5): 1235–1249.

13.

Ren

Leng

Zhu

, et al. Data storage mechanism based on blockchain with privacy protection in wireless body area network. Sensors 2019; 19(10): 2395.

14.

Tian

Peng

, et al. An attribute-based encryption scheme with revocation for fine-grained access control in wireless body area networks. Int J Distrib Sens Netw 2014; 10(11). DOI: 10.1155/2014/259798.

15.

Han

Susilo

, et al. Improving privacy and security in decentralized ciphertext-policy attribute-based encryption. IEEE T Inf Foren Sec 2015; 10(3): 665–678.

16.

Zavattoni

Perez

Mitsunari

Software implementation of an attribute-based encryption scheme. IEEE T Comput 2015; 64(5): 1429–1441.

17.

Tan

Y-L

Goi

B-M

Komiya

, et al. Design and implementation of key-policy attribute-based encryption in body sensor network. Int J Cryptol Res 2013; 4(1): 84–101.

18.

Hohenberger

Waters

. Online/offline attribute-based encryption. In: Krawczyk

(ed.) Public—key cryptography—PKC 2014: lecture notes in computer science, vol. 8383. Berlin: Heidelberg: Springer, 2014, pp.293–310.

19.

Liu

Zhang

Chen

. Certificateless remote anonymous authentication schemes for wirelessbody area networks. IEEE T Parall Distr 2014; 25(2): 332–342.

20.

Tan

Wang

Zhong

SQL

. Body sensor network security: an identity-based cryptography approach. In: Proceedings of the 1st ACM conference on wireless network security (WISEC’08), Alexandria, VA, 31 March–2 April 2008, pp.148–153. New York: ACM.

21.

Ren

Lou

. Attribute-based on-demand multicast group setup with membership anonymity. Comput Netw 2010; 54(3): 377–386.

22.

Jin

Luo

. A review of secure and privacy-preserving medical data sharing. IEEE Access 2019; 7: 61656–61669.

23.

Zheng

, et al. Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE T Parallel Distrib 2013; 24(1): 131–143.

24.

Zhang

, et al. Body area network security: a fuzzy attribute-based signcryption scheme. IEEE J Sel Area Comm 2013; 31(9): 37–46.

25.

Chatterjee

Das

. A novel and efficient user access control scheme for wireless body area sensor networks. J King Saud Univ Inf Sci 2014; 26(2): 181–201.

26.

Lou

Ren

. Data security and privacy in wireless body area networks. IEEE Wirel Comm 2010; 17(1): 51–58.

27.

Garg

Gentry

Halevi

, et al. Attribute-based encryption for circuits from multilinear maps. In: Canetti

Garay

(eds) Advances in cryptology—CRYPTO 2013: lecture notes in computer science, vol. 8043. Berlin; Heidelberg: Springer, 2013, pp.479–499.

28.

Zhang

Zheng

Deng

. Security and privacy in smart health: efficient policy-hiding attribute-based access control. IEEE Internet Things J 2018; 5(3): 2130–2145.

29.

Maji

Prabhakaran

Rosulek

. Attribute-based signatures: achieving attribute-privacy and collusion-resistance (IACR Cryptology ePrint Archive). 2008, https://pdfs.semanticscholar.org/9565/f498c89fbebe19ec7485bacaa5b420fe0fae.pdf

30.

Susilo

, et al. Attribute-based signature and its applications. In: Proceedings of the 5th ACM symposium on information, computer and communications security, Beijing, China, 13–16 April 2010, pp.60–69. New York: ACM.

31.

Kim

. Hidden attribute-based signatures without anonymity revocation. Inform Sci 2010; 180(9): 1681–1689.

32.

A-J

C-G

Zhang

Z-F

. Attribute-based signature scheme with constant size signature in the standard model. IET Inf Secur 2012; 6(2): 47–54.

33.

Xiong

Qin

. Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE T Inf Foren Sec 2015; 10(7): 1442–1455.

34.

Basavashri

Manjula

. Ensuring certificateless remote anonymity and authenticity wireless body area network. Int Res J Eng Technol 2015; 2(3): 1981–1986.

35.

Zhang

Liu

Sun

. An efficient and lightweight certificateless authentication protocol for wireless body area networks. In: Proceedings of the 2013 5th international conference on intelligent networking and collaborative systems, Xi’an, China, 9–11 September 2013, pp.637–639. New York: IEEE.

36.

Madhusudhan

Tijare

. WBAN client verification using remote anonymous authentication schemes without certificates. Int J Res Comput Appl Robot 2015; 3(7): 40–46.

37.

Zeadally

. Certificateless public auditing scheme for cloud-assisted wireless body area networks. IEEE Syst J 2015; 12(1): 64–73.

38.

Zhang

Deng

Zheng

, et al. Efficient and robust certificateless signature for data crowdsensing in cloud-assisted industrial IoT. IEEE T Ind Inform. Epub ahead of print 18 January 2019. DOI: 10.1109/TII.2019.2894108.

39.

Karati

Islam

SKH

Karuppiah

. Provably secure and lightweight certificateless signature scheme for IIoT environments. IEEE T Ind Inform 2018; 14(8): 3701–3711.

40.

Liu

Huang

Liu

. Secure sharing of personal health records in cloud computing: ciphertext-policy attribute-based signcryption. Futur Gener Comput Syst 2015; 52: 67–76.

41.

Han

Yang

. Attribute-based signcryption scheme with non-monotonic access structure. In: Proceedings of the 2013 5th international conference on intelligent networking and collaborative systems, Xi’an, China, 9–11 September 2013, pp.796–802. New York: IEEE.

42.

Rajput

Ahvanooey

, et al. EACMS: emergency access control management system for personal health record based on blockchain. IEEE Access 2019; 7: 84304–84317.

43.

Steinfeld

Zheng

. A signcryption scheme based on integer factorization. In: Proceedings of the third international workshop on information security, Wollongong, NSW, Australia, 20–21 December 2000, pp.308–332. London: Springer.

44.

Yum

Lee

. New signcryption schemes based on KCDSA. In: Proceedings of the 4th international conference Seoul on information security and cryptology, Seoul, Korea, 6–7 December 2002, pp.305–317. New York: ACM.

45.

Boyen

. Multipurpose identity-based signcryption. In: Proceedings of the annual international cryptology conference, Santa Barbara, CA, 17–21 August 2003, pp.383–399. Berlin: Springer.

46.

Huang

Yang

, et al. A novel identity-based signcryption scheme in the standard model. Information 2017; 8: 58.

47.

Din

Iqbal Umar

Waheed

, et al. A note on obtain confidentiality or/and authenticity in big data by ID-based generalized signcryption (IACR cryptology ePrint archive, 222). 2017, https://eprint.iacr.org/2017/222

48.

Qian

Weng

, et al. Fully secure identity-based signcryption scheme with shorter signcryptext in the standard model. Math Comput Model 2013; 57(3–4): 503–511.

49.

Choo

K-KR

Nam

Won

. A mechanical approach to derive identity-based protocols from Diffie-Hellman-based protocols. Inform Sci 2014; 281: 182–200.

50.

Oliveira

De Reis

Carrano

. Towards a blockchain-based secure electronic medical record for healthcare applications. In: Proceedings of the 2019 IEEE international conference on communications, Shanghai, China, 20–24 May 2019, pp.1–6. New York: IEEE.

51.

Weng

Yao

Deng

, et al. Cryptanalysis of a certificateless signcryption scheme in the standard model. Inform Sci 2011; 181(3): 661–667.

52.

Zhang

. On security of a certificateless signcryption scheme. Inform Sci 2013; 232: 475–481.

53.

Luo

Wan

. An enhanced certificateless signcryption in the standard model. Wirel Pers Comm 2018; 98: 2693–2709.

54.

Han

Jin

. Certificateless online/offline signcryption for the Internet of Things. Wirel Netw 2017; 23: 145–158.

55.

Luo

Wan

Huang

. Certificateless hybrid signcryption scheme with known session-specific temporary information security. Int J Netw Sec 2017; 19(6): 966–972.

56.

Even

Goldreich

Micali

. On-line/off-line digital signatures. In: Proceedings of the international conference on the theory and application of cryptology, Sydney, NSW, Australia, 8–11 January 1990, pp.263–275. New York: Springer.

57.

Dodis

Rabin

. On the security of joint signature and encryption. In: Proceedings of the international conference on the theory and applications of cryptographic techniques: advances in cryptology, Queenstown, New Zealand, 1–5 December 2002, pp.83–107. Berlin: Springer.

58.

Dai

Yang

. An efficient online/offline signcryption scheme for MANET. In: Proceedings of the 21st international conference on advanced information networking and applications workshops (AINAW’07), Niagara Falls, ON, Canada, 21–23 May 2007, pp.3–8. New York: IEEE.

59.

Susilo

Zhang

. Reducing security overhead for mobile networks. In: Proceedings of the 19th IEEE international conference on advanced information networking and applications (AINA’05), Taipei, 28–30 March 2005, pp.398–403. New York: IEEE.

60.

Chen

Zhang

Yan

, et al. Efficient online/offline signcryption without key exposure. Int J Grid Util Comput 2013; 4(1): 85–93.

61.

Thwin

Vasupongayya

. Blockchain based secret-data sharing model for personal health record system. In: Proceedings of the 2018 5th IEEE international conference on advanced informatics: concept theory and applications (ICAICTA), Krabi, Thailand, 14–17 August 2018, pp.196–201. New York: IEEE.

62.

Kuo

Kim

Ohno-Machado

. Blockchain distributed ledger technologies for biomedical and health care applications. J Am Med Inform Assoc 2017; 24(6): 1211–1220.

63.

Zhao

Zhang

. Certificateless online/offline signcryption scheme. Sec Comm Netw 2015; 8(11): 1979–1990.

64.

Luo

. A security communication model based on certificateless online/offline signcryption for Internet of Things. Sec Comm Netw 2014; 7(10): 1560–1569.

65.

Lai

Guo

. Efficient identity-based online/offline encryption and signcryption with short ciphertext. Int J Inf Sec 2017; 16(3): 299–311.

66.

Karati

Islam

Biswas

. Provably secure identity-based signcryption scheme for crowdsourced industrial Internet of Things environments. IEEE Internet Things J 2017; 5(4): 2904–2914.

67.

Sun

. Efficient signcryption between TPKC and IDPKC and its multi-receiver construction. Sci China Inf Sci 2010; 53(3): 557–566.

68.

Huang

Wong

Yang

. Heterogeneous signcryption with key privacy. Comput J 2011; 54(4): 525–536.

69.

Han

Jin

. Practical signcryption for secure communication of wireless sensor networks. Wirel Pers Comm 2016; 89(4): 1391–1412.

70.

Boneh

Franklin

. Identity-based encryption from the Weil pairing. SIAM J Comput 2003; 32(3): 586–615.

71.

Yue

Wang

Jin

, et al. Healthcare data gateways: found healthcare intelligence on blockchain with novel privacy risk control. J Med Syst 2016; 40(10): 218.

72.

Dong

Wang

Aldweesh

, et al. Betrayal, distrust, and rationality: smart counter-collusion contracts for verifiable cloud computing. In: Proceedings of the ACM SIGSAC conference on computer and communications security, Dallas, TX, 30 October–3 November 2017, pp.211–227. New York: ACM.

73.

Huang

Chen

, et al. Bitcoin-based fair payments for outsourcing computations of fog devices. Futur Gener Comput Syst 2018; 78: 850–858.

74.

McCorry

Shahandashti

Hao

. A smart contract for boardroom voting with maximum voter privacy. In: Proceedings of the international conference on financial cryptography and data security, Sliema, 3–7 April 2017, pp.357–375, https://eprint.iacr.org/2017/110.pdf

75.

Wang

Zhang

Song

, et al. Consensus problems for discrete-time agents with communication delay. Int J Control Autom Syst 2017; 15(4): 1515–1523.

76.

Dolev

Yao

. On the security of public key protocols. IEEE T Inf Theory 1983; 29(2): 198–208.

77.

Underwood

. Blockchain beyond bitcoin. Commun ACM 2016; 59(11): 15–17.

78.

Cui

Duan

Chan

, et al. An efficient identity-based signature scheme and its applications. IJ Netw Secur 2007; 5(1): 89–98.

79.

Shi

Kumar

Gong

, et al. On the security of a certificateless online/offline signcryption for Internet of Things. Peer Peer Netw Appl 2015; 8: 881–885.

80.

Gura

Patel

Wander

, et al. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In: Proceedings of the international workshop on cryptographic hardware and embedded systems, Santa Barbara, CA, 17–20 August 2010, pp.119–132. Berlin: Springer.

81.

Oliveira

Aranha

Gouvêa

, et al. TinyPBC: pairings for authenticated identity-based non-interactive key distribution in sensor networks. Comput Comm 34(3): 485–493.

82.

Shim

Lee

Park

. EIBAS: an efficient identity-based broadcast authentication scheme in wireless sensor networks. Ad Hoc Networks 2013; 11(1): 182–189.

83.

Cao

Kou

Dang

. IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks. Comput Comm 2008; 31(4): 659–667.

84.

Shim

Lee

. S2DRP: secure implementations of distributed reprogramming protocol for wireless sensor networks. Ad Hoc Networks 2014; 19: 1–8.

Efficient and secure attribute-based heterogeneous online/offline signcryption for body sensor networks based on blockchain

Abstract

Keywords

Introduction

Literature review

Preliminaries

Applications of blockchain

Advantages of blockchain technology in BSNs

Public health

Patient data security

Managed consent

Flexibility in patient data updating

Easy claim processing

Threat model

Proposed scheme

Setup phase

MS key-generation phase

Key generation on biosensor using certificate-less domain

Generation of public key

Extraction of partial private key

Secure distribution of partial private key using AES algorithm

Generation of full private key

Offline signcryption phase

Online signcryption phase

Un-signcryption phase

Proposed scheme correctness

Proposed formal heterogeneousmodel for BSN

Secure transmission among MS and external users

Proposed network model for BSN

Secure distribution of access policies for data privacy

Smart contract

Cryptographic keys

Security model

Phase-I

Public key queries

Private key queries

Public key–replacement queries

Signcryption queries

Un-signcryption queries

Challenge phase

Phase-II

Definition 1

Definition 2

Definition 3

Definition 4

Definition 5

Proposed scheme informal security analysis

Proposed scheme resistance against replay attack

Proposed scheme resistance against man-in-the-middle attack

Proposed scheme resistance against offline password guessing attack

Proposed scheme resistance against privileged insider attack

Performance analysis

Computation cost

Energy consumption

Transmission cost

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References