an attribute-based encryption scheme with revocation for fine-grained access...
TRANSCRIPT
An Attribute-Based Encryption Scheme with Revocation for Fine-Grained
Access Control in Wireless Body Area Networks
Ye Tian1,2
, Yanbin Peng1, Xinguang Peng
1, Hongbin Li
2
1College of Computer Science and Technology, Taiyuan University of technology, Taiyuan, 030024, China
2Computer center, Taiyuan normal college, Taiyuan, 030012, China
Abstract
The Wireless Body Area Networks (WBANs) have emerged as a new method for e-healthcare. Without
measured face to face, the medical workers can give guidance to patients in a real-time way. WBANs
can greatly improve the healthcare quality. The personal information and medical data are stored and
processed in sensors. The security and privacy are two vital issues.
In this paper, we design an attribute-based encryption scheme for fine-grained access control in
WBANs. In our scheme, a user can decrypt a ciphertext if the attributes related with a ciphertext satisfy
the user’s access structure. The users can be revoked if necessary. Therefore, the security and privacy of
patients can be protected. Our scheme provides confidentiality, security and resistance to collusion
attack. We analyze the correctness, security and energy consumption of the scheme.
Keywords: Wireless Body Area Networks (WBANs), security and privacy, data access control,
attribute-based encryption (ABE).
1. Introduction
Wireless Body Area Networks (WBANs) are gaining popularity rapidly in recent years, especially in
the area of medical use, such as healthcare monitoring, medical treatment, and emergency medical
response systems (EMRS) which greatly increase the efficiency of healthcare. A typical WBAN consists
of a controller and a number of sensors, which are wearable or can be implanted into human body to
monitor the body parameters (e.g., electrocardiogram(ECG), heart rate, blood pressure, blood glucose),
the surrounding environments parameters (e.g., temperature, humidity, and location) and the movements
of body. WBANs can be used to pervasive and real time monitoring the status of patients in the form of
text, visual or audio, etc. Home monitoring is a good choice for chronic patients and old people, as it
frees patients from visiting the hospital frequently. Sensor nodes and users are mobile in the sense that
they can move, be relocated to another position or associated to other nodes or users [1].Figure1 shows
the general healthcare system of a WBAN. The sensors are used to measure certain parameters of human
body and send these signals to a controller, which may be a mobile phone or a PDA[2].These medical
data will be processed in the controller, and the controller can give guidance to other devices. For
example, in the diabetes monitoring, the glucose sensors monitor and transmit blood glucose levels to
the controller for insulin release. The medical data can be stored locally in WBANs or be transferred
remotely to the doctors, emergency medical response or database of patients through internet using WiFi,
Bluetooth, or Zigbee etc.. The remoter can give guidance to the patients or healthcare staff.
Figure1. A General Healthcare System of WBAN
Security and privacy are two major concerns in WBANs. Since the medical data stored in WBANs is
sensitive, it is essential to ensure the security of these data. Obtaining inaccurate and wrong medical data
will possibly make the therapy ineffectively, or even lead to wrong treatments [3]. We summarize two
threats and possible consequences in WBANs:
(1) Eavesdropping threats. The attackers may eavesdrop the information of patients, thus this may
cause the privacy issues. For example, a patient has an embarrassing disease, or a patient may want to
keep medical information out from insurance. For another example, the location of patients can be found
by a criminal minded person, so this threat is vital importance. Data confidentiality is an important
requirement in healthcare applications using WBANs.
(2) Modification threats. The data transferred is vital for patients as the modified information may
lead to wrong diagnose. The nature of wireless makes the data prone to being lost. Thus, in order to
ensure that the received data has not been modified by an adversary, there should be proper data
integrity mechanisms.
So, the users who want to access the patient-related data must be strictly limited; otherwise, the
privilege of patients could not be protected. In order to enforce the access control, data encryption is
needed to protect the patient-related data. The traditional methods are Symmetric Key
Cryptography(SKC) and Public Key Cryptography(PKC) systems. In SKC scheme, the sender and
receiver use the same key. If an attacker compromise a node, he can get all the data stored in the node. A
hospital
database
EMRS
Internet
Wifi
Zigbee
Bluetooth
controller sensor
EMRS: emergency medical response system
solution to this problem is dividing the lifetime of sensors into series periods. During different periods
different keys are used, but this need update the keys timely and increase the load of sensors. In PCK
scheme, any patient-related data is encrypted by a public key and only the users who have the
corresponding master key can decrypt the data. This general scheme is simple to implement, but
inefficient as the number of encryption operations and the size of ciphertexts both which are linear with
the number of users. So when the number of users increases, the cost of key distribution will be high. A
better way to solve the problem is broadcast encryption. The sender specifies the receivers, and
broadcast the keys to the revoked users. Although the broadcast encryption is efficient, the sender need
store the list of receivers, and this need increase the storage space.
We design a security mechanism for access control, data encryption and user revocation in WBANs.
The major users in a typical WBAN are different doctors, nurses, healthcare staff, and medical insurance
response systems. The patient may not know the exact users who are able to access the data, but rather
has a way to describe them in terms of descriptive attributes or credentials [4]. Attribute-based
encryption(ABE) is suitable to encrypt without exact knowledge of the receivers.
Besides security and privacy, another issue should be considered in WBANs is resource constraints.
The sensors are limited in energy, storage space, and computational capability, and the lifetime of a
battery is restricted. In order to reduce the energy consumption, it is necessary to build limited size of
security mechanism. According to [5], the energy consumption of sensing and computation are usually
so small that they are almost negligible compared to the expensive cost of communication in WBANs,
e.g. according to the report of NAI Labs[20], the energy consuming of sending data is 0.0.2mJ/bit,
receiving data is 0.014mJ/bit, however, the energy consuming used in accomplishing SHA-1 is
0.0000072mJ/bit on the same MIPS processer. So, there should be as less transmitting as possible.
This paper makes contributions as follows: Firstly, we design the access tree structures of users.
Secondly, we develop the encryption algorithms for fine-grained access control in WBANs. Thirdly, we
introduce the user revocation algorithm. Fourthly, we evaluate the performance of our scheme.
2. Related Work
Security and privacy of patient-related data are two indispensable components in WBANs. Security
means that data is securely stored and transferred, and privacy means that the people who have
authorization can access, view and use the data [2].There are two main methods about the security and
privacy protection in WBANs:
(1) Key distribution in WBANs. The researches in [6,7,8,9] use the biometric signal (such as
Electrocardiograph) as the key to encrypt the medical data which is to be transferred, and the receiver
has the same key to decrypt the data. For the advantage of biometric signal, this method ensures the
security of transferred data, and testability makes the method applicable widely, but this method also has
the drawbacks. When the attackers get the biometric signal of patient, he can decrypt all the data which
is encrypted by the signal, and this will leak the privacy of patients. In order to capture the biometric
signal, there is a need to attach the biometric sensor to a body sensor node, but this will increase the cost.
(2) Data storage and access control. The authors in [3] propose the concept of secure storage and data
access control in WBANs, summarize the methods of secure and privacy protection, but it doesn’t
analyze and compare the energy consumption. The research in[10] develops a distributed data access
control scheme, in which the ciphertext is associated with attributes, and the key is associated with
access structure. The access structure identifies the ciphertext which can be decrypted by the key. In that
paper, the users access data in a fine-grained way, but it lack the timeliness of access control. In paper
[11], the important multisender broadcast authentication problem is solved in WSNs. In [12], the authors
propose a fuzzy attribute-based signcryption scheme. Their scheme leverages fuzzy attribute-based
encryption to enable data encryption, access control, and digital signature for a patient’s medical
information in a WBAN. For using the signature, it is complicated in the message transmission, and the
energy consumption should be considered. In [13], the authors propose an identity-based encryption
scheme for WBANs, nonetheless, it lacks the access control feature which we develop in the paper.
ABE is considered suitable for access control in WBANs, because it reduces the cost between the
sensors and users. In [14], the authors first introduce the idea of ABE based on Fuzzy Identity-based
encryption(FIBE) which is built on the idea of Identity-Based Encryption(IBE). The identity of users can
be described by strings, such as email address: [email protected]. In FIBE, the senders can encrypt the
ciphertext by a public key, ω′. A user has a master key with the identity ω. When the users access the
medical data, if and only if ω includes at least k parameters the same to ω′, they can decrypt the
ciphertext. The scheme has the tolerance ability as the ω and ω′ need not to be the same, and no need
to obtain the certificate of receivers, so it reduces the energy cost of authentication.
In ABE, identity consist of attributes, for example, the attributes set of a doctor is {hospital,
department, onduty}. Both the ciphertext and keys are associated with attributes. The ABE has two
variants, key policy ABE(KP-ABE)[15] and ciphertext policy ABE(CP-ABE)[16].In KP-ABE, the
ciphertext is associated with the attributes and the key is associated with an access structure. Decryption
is enabled if and only if the attributes associated with a ciphertext satisfy the key’s access structure.
However, in CP-ABE, the situation is reversed: the ciphertext is associated with access structure and the
key is associated with attributes.
In this paper, we consider the security and privacy of WBANs by designing a fine-grained access
control scheme. The medical data is encrypted by attributes and only when these attributes satisfy the
key’s access structure, the users can decrypt it. For the patients, they may not know the doctors or nurses,
but he can explicit the attributes which should be satisfied for the users. A user will be able to decrypt
the medical data if the attributes satisfy the access structure.
User management is an important issue since malicious users are dangerous to WBANs. If some users
need to be revoked, such as changing the medical workers, finding some malicious users and so on, they
will lose their capability of decryption, while the capability of non-revoked users remains valid. Some
researches propose different methods to solve the problem. The authors in [17] propose a way to renew
the users’ master key periodically, so the users’ privilege of access the date will be expired after a time.
This method will fail when the malicious users access the data before the expired time. In [18], the
sensor nodes encrypt the data using the identity attributes which are not owned by the revoked users,
therefore, only the non-revoked users can decrypt the data. However, all the revoked users in the history
are recorded in the ciphertext, so the ciphertext size will be very large.
The rest of this paper is organized as follows. Section 3 introduces the preliminaries of the scheme.
Section 4 presents the system model. Section 5 analyzes the scheme, including the correctness, security
and energy consumption. Section 6 overviews the conclusion and future work.
3. Preliminaries
3.1. Bilinear Maps
Let G1 and G2 be two groups of prime order p, g be a generator of G1. A bilinear map is an
injective function e: G1 × G1 → G2 with the following properties:
a. Bilinearity: ∀u, v ∈ G1, a, b ∈ Zp , there is e(ua , vb) = e(u, v)ab .
b. Non-degeneracy: e(g, g) ≠ 1.
c. Computability: There is an efficient algorithm to compute e u, v for each u ∈ G1 and v ∈ G2.
3.2. Bilinear Diffie-Hellman Problem (BDHP)
Given two groups G1 and G2 with the same prime order p, let e: G1 × G1 → G2 be a bilinear map
and g be a generator of G1. The objective of BDHP is to compute e(g, g)abc in (G1 , G2 , e) from the
given (g, ga , gb , gc), where a, b, c ∈ Zp .
3.3. Decisional Bilinear Diffie-Hellman Problem (DBDHP)
Given a, b, c ∈ Zp , ga , gb , gc ∈ G1,h ∈ G2, the objective is to decide whether h = e(g, g)abc .
3.4. Key-Policy Scheme
Usually, the key-policy scheme consists of 4 steps:
(1) Setup. According to the random numbers produced by the system, the scheme generates the
public parameters PK and a master key MK. PK is used to encrypt message by senders. MK is used to
generate decryption keys.
(2) Encryption. The plaintext M is encrypted using the attributes and PK. It outputs the ciphertext
E.
(3) Key generation. It takes the access structure, master key MK and the public parameters PK as
input. It outputs the decryption key DK.
(4) Decryption. The ciphertext E is decrypted by the decryption key DK for access control
structure and outputs the plaintext M.
3.5. Security Game for ABE
We define the security game for our scheme. The game can be described as follows:
Init: The adversary commits the attributes set γ
to the challenger.
Setup: The challenger runs the Setup algorithm and gives the public parameters (PK) to the adversary.
Phase 1: The adversary submits queries for master keys for access structures Ai, where for all i,
γ ∉ Ai.
Challenge: The adversary submits two equal length messages M0 and M1 to the challenger. The
challenger flips a random coin b and passes the ciphertext Mb encrypted with γ to the adversary.
Phase 2: Phase 1 is repeated.
Guess: The adversary outputs a guess b′ of b.
The advantage of an adversary A in this game is defined as Pr b′ = b −1
2.
This game can be extended to handle chosen-ciphertext attacks by allowing for decryption queries in
Phase 1 and Phase 2.
3.6. Access Tree
Access tree expresses the structure of access control. Ciphertext is associated with attributes.
Decryption key is labeled with an access tree structure, in which each non-leaf node is the threshold gate
described by a threshold value and its children and each leaf node is labeled with attributes. A user can
decrypt a ciphertext with a given key if and only if there is an assignment of attributes from the
ciphertext to nodes of the tree such that the tree is satisfied.
Let T be an access tree with root r, attr(x) be the attributes associated with the leaf node x. If numx is
the number of children of a node x and kx is its threshold value, then 0< numx≤kx. When kx =1, the
threshold gate is an OR gate; when kx =numx, it is an AND gate. Each leaf node x of the tree is
described by an attribute. Denote Tx as the subtree of T rooted at the node x. Hence Tx is the same as T. If
a set of attributes satisfy the access tree Tx , we denote it as Tx(γ) = 1. Tx(γ) can be computed recursively
as follows: if x is a non-leaf node, evaluate Tx’(γ) for all children x′ of node x. Tx(γ) returns 1 if and only
if at least kx children return 1. If x is a leaf node, then Tx(γ) returns1 if and only if attr(x)∈ γ.
When the attributes associated with the ciphertext satisfy the users’ access structures, the users can
get the medical data. Figure 2 shows an example of the access tree structure. Every no-leaf node is
assigned with a threshold. The ciphertext which has at least k attributes can be decrypted by the users.
For example, a ciphertext has the following attributes{hospital m, physician, onduty}. Hospital m refers
to which hospital the doctor belonged to. On duty indicates whether the doctor is on duty that time. If the
ciphertext satisfies the access tree, the doctor can get the patient’s medical data and give treatments to
the patient. The same is true for a nurse, healthcare staff, and medical insurance company agents or
emergency room.
Figure 2. An Example of Access Structure
4. System Model
4.1 Definition
We consider a typical WBAN consisting of a number of sensors denoted by S = {s1, s2 ,… , sm }, n
users denoted by U = {u1,u2, …un,}, the number of users denoted by Nuser . Let G be a bilinear group of
prime order p, and g be the generator of G. We define the Lagrange coefficient ∆i,S for i ∈ Zp and a
set, S, of elements in Zp :∆i,S= x−j
i−jj∈S,j≠i .
4.2 Communication Procedure
Suppose a doctor will get the patient’s medical data stored in sensors. The communication procedure
can be sketched as follows:
(1) The sensors execute algorithm 1 and algorithm 2 to produce the public keys and master keys.
(2) The sensors encrypt the medical data M using public key and send the ciphertext to the doctor.
(3) Once the doctor need to be revoked, the controller updates the keys of all the users except the
doctor. We adopt the method in [19]. The controller broadcast any n-r out of n users with ciphertext and
master key. This method is suitable when the number of revoked users each time is small.
(4) The non-revoked users check the time, produce the decryption key, and decrypt the ciphertext
when the attributes satisfy the access structure of the users.
We design a scheme for fine-grained access control in WBANs. Our scheme consists of five
algorithms:(1)System Initialization;(2)Key Generation;(3) Encryption; (4) User Revocation; (5)
Decryption.
AND
OR
OR
physician
hospital n
AND AND
hospital 1
M.D. Internal
medicine nurse staff nurse
…
OR
emergency room
AND
healthy staff name
on duty On duty
Algorithm1 System Initialization
(1) Choose y randomly in Zp . Let g be the generator of G1,choose an element g2 ∈ G1 , g1 = gy ;
(2) Define the universe of attributes set A = (a1 , a2 ,… an+1). For each attribute ai ∈ A, choose
a number ti uniformly at random from Zp , T1 = gt1 ,… , T A = gt A , Y = e(g, g)y ;
(3) Define a function T x = g2xn t
i
∆i ,N (x)n+1i=1 ;
(4) The public key PK =< T1 = gt1 ,… , T A = gt A , Y = e(g, g)y >, the master key MK =<
y,t1,,…,tA>.
(5) The maximum number of users is N;
Algorithm2 Key Generation
(1) Choose a polynomial qx for each non-leaf node as follows:
Set the degree dx = kx − 1. For the root node r, to define it completely, set qr 0 = y, and dr
other points of the polynomial qr randomly. For each other node x, set
qx(0) = qparent x (index x ) and choose dx other points randomly to completely define qx;
(2) For each leaf node x, give the decryption key to the users: Dx=g2q x T(i)−rx , dx = grx .
The decryption key DK = Dx , dx = ( g2qx (0)T(i)−rx , grx ).
Algorithm 3 Encryption
To encrypt a message M ∈ G2 under a set of attributes, the sender chooses a random value
s ∈ Zp , and compute ciphertext E with the following steps:
(1) E1 = Me(g1 , g2)s;
(2) E2 = gs;
(3) {E3 = Tis}i∈A;
(4) Current time tt;
(5) Ciphertext E = (E1 , E2 , {E3}i∈A , tt).
Algorithm4 User Revocation
In order to revoke a user, the controller updates decryption key for the non-revoked users.
(1) Choose another random number y′ from ZP , ∆y = y′ − y,Y′ = e(g, g)y ′ ;
(2) Choose an exponents rx′ ∈ Zp , for each user uj , give the decryption key to the
non-revoked users: D′x=g2q x T(i)−r′x , d′x = gr′x . The updated decryption key DK′ = {D′x , d′x}.
5. System Analysis
5.1. Correctness Analysis
Now that we have defined the function Decryptnode, the decryption algorithm simply calls the
function on the root of the tree. We observe that Decryptnode(E, DK, r)=e(g, g)ys = Ys if and only if
the attributes associated with the ciphertext satisfy the access tree. Since E1 = Me(g1 , g2)s , the
decryption algorithm simply divides out e(g1 , g2)s and recovers the message M.
M′=E1
(e (D x ,E 2e (d x ,E 3
)Δi ,S (0)
i∈S
=Me(g,g)t
(e(g 2
q x (0)T (i)−rx ,g s
e (g rx ,T(x)−s )Δi ,S (0)
i∈S
=Me(g,g)t
(e(g 2
q x 0 ,g s )e (T(i)−rx ,g s )
e(g rx ,T(x )−s )Δi ,S (0)
i∈S
=Me(g,g)t
(e(g2q x 0 ,gs )
Δi ,S (0)i∈S
=M
Algorithm5 Decryption
= e(g, g)s∙qz (0)Δi ,S x
′ (0)
z∈Sx
= e(g, g)s∙qparent z (index (z))Δi ,S x
′ (0)
z∈Sx
= e(g, g)s∙qx (i)∙Δ
i ,S x′ (0)
z∈Sx
If T(γ)=1 and Nuser ≤ N, the user can decrypt a message M which is encrypted under a set of
attributes.
(1) On receiving the ciphertext E, the receiver checks the current time tt ;
(2) If tt − tt < 𝜀, the receiver decrypts the ciphertext using decryption key DK;
(3) Nuser + 1;
M′=E1
(e (D x ,E 2e (d x ,E 3
)Δi ,S (0)
i∈S
It x is a leaf node, we can compute:
Decryptnode(E,DK,x)=e(Dx ,E2)
e(dx ,Ei )=
e(g2q x 0 ∙T i rx ,gs )
e(g2rx ,Ti
s )=e(g, g)s∙qx (0)
If x is a non-leaf node, then:
Fx = Fz
Δi ,S x′ (0)
z∈Sxwhere
=e(g, g)s∙qx (0)
Sx′ = index z : z ∈ Sx
i=index(z)
5.2. Security Analysis
(1) Collusion attack resistance
In this scheme, different users have different access structures. The master key is generated randomly
and independently from Zp , therefore, it is impossible for them to collude together to get the medical
data. Even they collude together, they can access neither of the entry to the medical data.
(2) Confidentiality
Theorem: If an attacker A can break our scheme in the security game with probability ε, then a
simulator B can be constructed to win the DBDH game with the probability ε
2.
Proof: The security of the game is based on the hardness of the DBDH assumption. We prove it as
the approach proposed in [15]. The simulation proceeds as follows:
Let G1 and G2 be two groups with a bilinear map e and a generator g. The challenger chooses a fair
binary coin μ ∈ {0,1}, a, b, c ∈ Zp . We construct a simulator B, then B plays the role of challenger. If
μ = 0, B is given (A, B, C, Z) = (ga , gb , gc , e g, g abc ); otherwise it sets z as a random number, B is
given (A, B, C, Z) = (ga , gb , gc , e g, g z).
Init: The simulator B runs A. A chooses the attributes set γ which it wishes to be challenged on.
Setup: B assigns the public key as follows. It sets Y = e A, B = e(g, g)ab . For all i ∈ γ, it chooses
βi ∈ Zp randomly, and sets Ti = Cβ i = gcβ i ; otherwise sets Ti = gδ i , then gives the public key to A.
Phase 1: A makes requests for the master key of an access structure T where γ does not satisfy T. To
generate the master key, B needs to define a polynomial qx of degree dx for every node in access tree T.
We define recursive function Polynode(x) to assign the polynomial qx for node x as follows:
For each node x in T, we use kx and idex(x) to denote node’s threshold value and the unique index of
node x respectively. The procedure takes an access tree T and attributes set γ as input.
If x is the root node r, qx 0 = λx , λx is chosen from Zp randomly;
Select the satisfied children 𝑥′ of 𝑥 . For each 𝑥′, choose a random number 𝑟𝑥′ ∈ Zp and let
𝑞𝑥 𝑖𝑑𝑒𝑥𝑡 𝑖 = 𝑏𝑟𝑥′ . For each unsatisfied child j, calculate 𝑞𝑥 𝑗 = 𝑖𝑑𝑒𝑥 𝑖 ∆𝑖,𝑆𝑥 (𝑗)𝑖∈𝑋𝑖 .
For each child x′ of x, qx ′ 0 = qx(index x′ ).
When Polynode(x) terminate, B construct the polynomials for all nodes in T. Therefore, the master
key corresponding to each leaf node x of T is given as follows:
Dx = g
Q x (0)
tx = gbq x (0)
ri = Bq x (0)
ri , attr(x)ϵγ
gQ x (0)
ti = gbq x (0)
bβ i = Bq x (0)
β i , otherwise
Therefore, B construct a master key for the access structure T.
Challenge: A submits two challenge messages M1 , M2 to B. B flips a fair binary coin v, and returns
an encryption of M𝑣 . The ciphertext is output as: E = (γ, Mv , Z, Ei = Cti i∈γ) . If μ = 0 , Z =
e(g, g)abc . This indicates that the ciphertext is valid for the message under the identity. If μ = 1,
Z = e(g, g)z . Since z is random, M𝑣Z will be a random element from the adversaries view and the
message contains no information about M𝑣.
Phase 2: The simulator acts exactly the same as in phase 1.
Guess: A will submit a guess 𝑣′of v. If 𝑣 ′ = 𝑣, the simulator will output μ′ = 0 to indicate that it is
given a valid tuple; otherwise, it will output μ′ = 1 to indicate it is given a random 4-tuple.
If μ′ = 1 , the adversary gains no information about v, Pr 𝑣 ′ = 𝑣 𝜇 = 1 =1
2. If μ′ = 0 ,
the
adversary gains an encryption of M𝑣. The adversary’s advantage in this situation is ε by definition.
Therefore, Pr 𝑣 ′ = 𝑣 𝜇 = 0 =1
2+ ε. The overall advantage of the simulator in the DBDH game is
1
2Pr 𝑣 ′ = 𝑣|𝑣 = 0 +
1
2Pr 𝑣 ′ = 𝑣|𝑣 = 1 −
1
2=
1
2
1
2+ 𝜀 +
1
2×
1
2−
1
2=
1
2𝜀
(3) Unforgeability: The adversary cannot forge the ciphertext because he can’t guess the attributes
which are used to encrypt the ciphertext. Even the adversary get other user’s ciphertext, he can’t create a
new, valid ciphertext as the attributes which are used to encrypt a ciphertext are different from others,
and the y is chosen randomly. Therefore, we claim that our scheme is unforgeable under
chosen-ciphertext attacks.
5.3. Performance Analysis
In this part, we present the performance analysis results about our scheme in terms of transmission
and computation. We also compare the performance results with previous best known ones. In this paper,
we mainly consider the energy consumption about message transmission and computation in WBANs.
The energy consuming on transmission is much more than computing, so improving the performance of
transmission will increase the overall performance greatly.
(1) Energy consumption on transmission
According to algorithm 3 and algorithm 4 (if there are some users to be revoked), the total message
size is:
E1 + E2 + E3 + tt + | D′x| + |d′x| *
We use Tate pairing [21] to evaluate the bilinear map e. The parameters in * is variable. Assuming
tt is 2 bytes, p is the prime order of G and GT , n is the number of attributes. The total message size is
( p + p + n p + 2 + p + |p|) = 2 + (n + 4)|p|.According to [22], a chipcon CC1000 radio used
in Crossbow MICA2DOT motes consumes 28.6μJ and 59.2μJ to receive and transmit one byte
respectively. The total energy consumption for one user is 2 + n + 4 p ∗ (28.6 + 59.2)μJ, and W
users need (W*(1.931+0.1756|p|) mJ . The parameters are set as follows: n = 3, |p|=20, 42.5, 60 bytes.
The first three lines in Table 1 are the results.
Table 1 shows the comparison energy consumption on transmission of our scheme and other schemes.
It can be seen that even we set |p|=60 bytes, the energy consumption on transmission of our scheme is
much lower than others.
Figure 3 presents the relationship between the number of attributes (indicated by n) and the energy
consumption on transmission. The curves in Figure 3 indicate that with the increase of attribute numbers,
the energy consumption increases.
Table1. The Energy Consumption on Transmission in Our Scheme and Other Schemes
Figure3. Energy Consumption on Transmission with regard to the Number of Attribute
(2) Energy consumption on computation
In this part, we evaluate the energy consumption on computation in our scheme. n is the number of
attributes. Firstly, we show the operations of Initialization (algorithm 1), Key generation (algorithm 2),
Encryption (algorithm 3), User revocation (algorithm 4) and Decryption (algorithm 5) in Table 2.
Table2. The Operations in Our Scheme
We consider the sensor CPU is a 32-bit Inter PXA-255 processor at 400MHz. It is reported in [23]
that the typical power consumption of PXA-255 in active and idle modes is 411mW and 121mW,
respectively. We adopt Tate pairing to computer the Bilinear Maps. According to [24], it takes 752 ms to
compute Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHZ. As a result, the
computation of Tate pairing on PXA-255 roughly needs 33/440×752≈62.04ms. Using the equation
0
10
20
30
40
50
60
70
80
n=1 n=5 n=10
|p|=20
|p|=42.5
|p|=60
Length of P(byte) Energy consumption(mJ)
Our scheme(|p|=20) 12.643
Our scheme(|p|=42.5) 26.296
Our scheme(|p|=60) 37.051
Certificate-based 146.99
Merkle hash tree 144.56
ID-BASED 111.02
Operations Initialization Key
Generation Encryption
User
Revocation Decryption
Exponent
computation n+1 2n+1 n+3 2n+1 n
e evaluation 1 0 1 1 2n
Multiplication 0 n+1 n+2 n+2 1
Addition 0 0 0 0 1
Comparison 0 0 0 0 n
E = W × t, where E is the energy consumption, W is the power, t is the execution time. The energy
consumed at work is 411 × 62.04 = 25.5mJ. As mentioned in [24], the Tate pairing takes the most
running time, we thus use energy consumed on pairing to approximate that of the procedure. In our
scheme, we compute the Tate pairing happened in sensors (we don’t consider the Tate pairing in
decryption as it takes place at client for users). The energy consumption is 3*62.04ms=186.12ms.
Table3 shows the computation cost of our scheme and other schemes when the number of users is 1.
From Table 3 we can see that the computation time of our scheme is higher than the first three, and
lower than the fourth one.
Figure 4 presents the energy consumption on computation with regard to the number of users. From
Figure4 we can observe that the computation cost of our scheme is lower than FABSC and higher than
others. Nevertheless, when we take the transmission and computation into account, our scheme is
energy-efficient when the number of users is large.
Table3. The Energy Consumption on Computation of Our scheme and other Schemes
Figure4. Computation Cost with regard to the Number of Users
6. Conclusion and Future Work
In this paper, we design an key policy attribute-based scheme for access control in WBANs. When
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
n=1 n=5 n=10 n=15
×100(mJ)FABSC
our scheme
ID-based scheme
Merkle hash tree scheme
Certificate-based scheme
Scheme Computation cost(ms)
Certificate-based 39.96
Merkle hash tree 18.48
ID-BASED 124.08
FABSC 310.2
Our scheme 186.12
the attributes related to the ciphertext satisfy the users’ access structures, the ciphertext can be decrypted.
User revocation is introduced to the scheme. In the future, we can classify the medical data according to
the hierarchy, for example, the sensitive data and no-sensitive data. Sensitive data includes the data
which is vital importance and these embarrassed data, no-sensitive data is the ordinary medical data
such as temperature, pulse, and blood-pressure. Anyone who wants to get the sensitive data must have
high level privilege, and the no-sensitive data can be accessed by low level privilege.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgment
This research is part of Projects 2009011022-2 supported by Natural Science Foundation of Shanxi
Province.
References
[1]John Paul Walters, Zhengqiang Liang, Weisong Shi, and VipinChaudhary. “Wireless sensor network security: a survey,”
Security in distributed, grid, and pervasive computing, CRC Press, New York ,2006.
[2]Benoît Latré,Bart Braem, Ingrid Moerman, Chris Blondia, Piet Demeester. “A survey on wireless body area networks,”
Wireless Networks, vol.17,no.1(2011),pp.1-18.
[3]Ming Li,Wenjing Lou. “Data security and privacy in wireless body area networks,” IEEE Wireless communications,vol.17,
no.1,pp.51-58,2010.
[4]John bethencourt, Amitsahai, brent waters.”Ciphertext-policy attribute-based encryption,” Proceedings of IEEE symposium
on Security and Privacy, Berkely, CA, pp.321-334, May 20-23,2007.
[5]Carman, D. W., Kruus, P. S., Matt, B. J., Constraints and approaches for distributed sensor network security. NAI Labs
Technical Report #00-010, Glenwood, MD, 2000.
[6]Jinyang Shi, Kwok-Yan Lam, Ming Gu, Mingze Li, Siu Leung Chung. “Energy-Efficient Key Distribution Using
Electrocardiograph Biometric Set for Secure Communications in Wireless Body Healthcare Networks,” Journal of Medical
Systerm, vol.35,no.5, pp.745-753,2011.
[7]Zhaoyang Zhang, Honggang Wang, Athanasios V. Vasilakos, Hua Fang “ECG_Cryptography and Authentication in Body
Area Networks,” IEEE transactions on information technology in biomedicine, vol.16, no.6, pp.1070-1078, 2012.
[8]L. Eschenauer and V. D. Gligor, “A key-management scheme for distributed sensor networks,” in Proc. 9th ACM Conf.
Comput. Commun.Security. New York, NY: ACM, pp. 41–47,2002.
[9]A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. “SPINS: Security protocols for sensor networks,” Wireless
Networks, vol. 8, no. 5, pp. 521–534, 2002.
[10]Shucheng Yu, KuiRen, and Wenjing Lou. “FDAC: Toward Fine-Grained Distributed Data Access Control in Wireless
Sensor Networks,” IEEE transactions on parallel and distributed systems, vol.22, no.4, pp.673-686, 2011.
[11]KuiRen, Wenjing Lou, Kai Zeng. “On broadcast authentication in wireless sensor networks,” IEEE transactions on
wireless communications, vol.6, no.11, pp.4136-4144, 2007.
[12]Chunqiang Hu, Nan Zhang, Hongjuan Li, Xiuzhen Cheng, Xiaofeng Liao. “Body Area network security: A Fuzzy
Attribute-Based signcryption Scheme,” IEEE Journal on selected areas in communications/supplement. vol.31, no.9, pp37-45,
2013.
[13] Chiu C. Tan, H. Wang, S. Zhong, and Q. Li. “Body sensor network security: An identity-based cryptography approach,”
Proceedings of the first ACM conference on wireless network security, March 31-April 2, Virginia, USA,2008.
[14] A. Sahai and B. Waters. “Fuzzy identity based encryption,” Advances in Cryptology –EUROCRYPT 2005, vol. 3494, pp.
457–473,2005.
[15] Vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters. “Attribute-Based Encryption for Fine-Grained Access Control of
Encrypted Data,” CCS '06 Proceedings of the 13th ACM conference on Computer and communications security, NewYork,
USA, October30-November 03,2006.
[16]Ling Cheung, Calvin Newport. “Provably secure ciphertext policy ABE,” Proceedings of the 14th ACM conference on
computer and communications security, October 29- November03, pp.456-465,2007.
[17] J.Bethencourt, A.Sahai, B.Waters. “Ciphertext-Policy Attribute-Based Encryption,” IEEE symposium on Security and
privacy,May 20-23,2007.
[18] S.Yu,K.Ren,and W.Lou. “Attriubte-based on-demand multicast group setup with membership anonymity,” Computer
Networks, vol.54, no.3, pp.377-386, 2010.
[19]D.Naor,M.Naor,and J.Lotspiech. “Revocation and Tracing Schemes for Stateless Receivers,” Proceedings of Advances in
Crytology, vol.2139,pp.41-62,2001.
[20]Carman, D. W., Kruus, P. S. and Matt, B. J. “Constraints and approaches for distributed sensor network security,” NAI
Labs Technical Report, Glenwood,2000: #00-010.
[21]P. Barreto, H. Kim, B. Bynn, and M. Scott, “Efficient algorithms for pairing-based cryptosystems,” Proceedings of 22nd
annual international cryptology conference, Santa Barbara, pp. 354-368, August 18-22,2002.
[22]A. Wander, N. Gura, H. Eberle, V. Gupta, and S. Shantz. “Energy analysis of public-key cryptography for wireless sensor
networks,” Third IEEE International Conference on Pervasive Computing Communications, Hawaii, USA, Mar. 8-12,2005.
[23] Intel Corp., Intel PXA255 processor electrical, mechanical, and thermal specification.
[Online].http://www.intel.com/design/pca/applicationsprocessors/manuals/278780.htm
[24] Kui Ren,Wenjing Lou,KaiZeng,Patrick J.Moran. “On Broadcast Authentication in Wireless Sensor Networks,” IEEE
Transactions on Wireless Communications, vol.6, no.11, 2007.