Energy-Aware Key Exchange for Securing Implantable Medical ...

Research ArticleEnergy-Aware Key Exchange for Securing ImplantableMedical Devices

Wonsuk Choi Youngkyung Lee Duhyeong Lee Hyoseung Kim Jin Hyung ParkIn Seok Kim and Dong Hoon Lee

Graduate School of Information Security Korea University Seoul Republic of Korea

Correspondence should be addressed to Dong Hoon Lee donghleekoreaackr

Received 11 September 2017 Revised 1 March 2018 Accepted 27 March 2018 Published 14 May 2018

Academic Editor Vincenzo Conti

Copyright copy 2018 Wonsuk Choi et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Implantable medical devices (IMDs) continuously monitor the condition of a patient and directly apply treatments if considerednecessary Because IMDs are highly effective for patients who frequently visit hospitals (eg because of chronic illnesses such asdiabetes and heart disease) their use is increasing significantly However related security concerns have also come to the fore Ithas been demonstrated that IMDs can be hackedmdashthe IMD power can be turned off remotely and abnormally large doses of drugscan be injected into the body Thus IMDs may ultimately threaten a patientrsquos life In this paper we propose an energy-aware keyexchange protocol for securing IMDs We utilize synchronous interpulse intervals (IPIs) as the source of a secret key These IPIsenable IMDs to agree upon a secret key with an external programmer in an authenticated and transparent manner without any keymaterial being exposed either before distribution or during initialization We demonstrate that it is difficult for adversaries to guessthe keys established using our method In addition we show that the reduced communication overhead of our method enhancesbattery life making the proposed approach more energy-efficient than previous methods

1 Introduction

Implantable medical devices (IMDs) enable the continuousmonitoring of patients with chronic illnesses and automat-ically deliver therapies when necessary Recently advancesin medical technology and a convergence with informa-tion technology (IT) have led to the development of high-performance IMDs As a result millions of people worldwideare now supported by IMDs [1 2] Because IMDs are partiallyor fully inserted into the body of a patient to monitor hisherhealth they carry and handle large amounts of personal dataAt least once a year patients with an IMD are supposed tovisit their doctors for treatment The status of the device ischecked by the doctor and its settings are adjusted accordingto the functionality of the patientrsquos organs

Only authorized medical staff should be able to adjustan IMDrsquos settings and access the data stored in the IMDrelated to the health of a patient However current IMDs havelimited resources for applying securitymeasures so they havebeen commercialized and placed on the market without anypreventive method against security threats on IMD systems

In fact the possibilities for a hacker to break into a deviceto obtain sensitive health-related data and intentionally causethe device to malfunction have been reported over severalyears [3 4]This implies that these devices have the potentialto lead to deaths although they are intended to save lives

To resolve the security problems of medical devicesincluding IMD systems relevant policy regulations have beenpresented The United States Government AccountabilityOffice (GAO) issued a report in 2012 entitled ldquoMedicalDevices FDA Should Expand Its Consideration of Informa-tion Security for Certain Types of Devicesrdquo [5] In this reportthe GAO identifies the potential security risks of IMDsand determines how the Food and Drug Administration(FDA) should protect IMDs against information securityrisks that affect their safety and effectiveness by examiningpre- and postmarket activities The key to reducing thesecurity risks faced by patients using IMDs lies in theauthentication technology because the underlying cause ofthe IMD vulnerabilities is that external programmers canaccess the system without any authentication Howeverunlike security technologies in other areas it is difficult

HindawiSecurity and Communication NetworksVolume 2018 Article ID 1809302 16 pageshttpsdoiorg10115520181809302

2 Security and Communication Networks

to directly apply security protocols to an IMD because ofits limited resources and constraining requirements Thefollowing four limitations need to be resolved in order toapply effective security to IMD systems (i) there are highenergy overheads of authentication and encryption protocols(ii) the use of preshared credentials deployed during themanufacturing process remains unchangeable after deviceimplantation (iii) secure access cannot be deployed duringemergency situations and (iv) protection against resourcedepletion attacks and denial of IMD functions is insuf-ficient

This study focuses on the first limitation and suggests acorresponding solution for IMD systems As IMDs operateon a nonrechargeable battery inside the body the ultimatedepletion of the battery inevitably means that the old IMDneeds to be replaced with a new one through surgery Thismeans that the lifespan of an IMD is mainly determined bythe batteryrsquos capacity Therefore energy-inefficient securitymechanisms cannot be applied to an IMD system even ifthey would guarantee a high level of security In this studywe designed a key-exchange method between an IMD and anexternal programmer which minimizes the communicationoverhead of the IMDThe external programmer is the deviceused by the medical staff to communicate with a patientrsquosIMDOur basic premise involves utilizing an error correctioncode (ECC) to adjust the physiological values measured byan IMD and an external programmer The ECC enablesthe error correction of redundant data without additionalcommunication between the two entities Because wirelesscommunication consumesmore energy than other processessuch as computation it is possible to dramatically reducethe total energy consumption of IMDs This implies thatour method not only establishes a secure channel betweenthe IMD and an external programmer but also allows forlonger use compared with previous methods [6ndash15] Inaddition we provide a security analysis by showing that ourmethod satisfies the properties of Secure Sketch whichmeansthat our method is secure against random guessing Thefollowing points summarize the detailed contributions of ourmethod

(i) Ourmethodminimizes the communication overheadto significantly reduce the IMDrsquos battery consump-tion

(ii) We propose a self-recovery method that does notrely on mutual communication between the IMD andan external programmer at the peak misdetection ofphysiological signals (eg ECG or PPG)

2 Related Work

In this section we introduce related work focusing onsecurity and privacy issues related to IMDs We classifythese studies into several groups presented in the followingsubsections

21 Alarm-Based Methods Halperin et al [3] suggested thatan alarm should sound as a warning whenever an attemptis made to access a patientrsquos IMD Upon hearing the alarm

patients are able to distinguish between valid and invalidattempts If an invalid attempt by a malicious attacker occursthe patient takes appropriate action such as moving fromtheir current location to avoid the attack However thereare several limitations that prevent this method from beingapplied to IMD systemsWhen the patient is in a noisy area itmay be difficult to hear the alarm and disabled patients couldfind it difficult to avoid an attack or take appropriate action

22 Distance Bounding Rasmussen et al [16] suggestedemploying proximity-based access control They assumedthat malicious attacks cannot be launched from within acertain distance as the patient would notice such an attackBased on this assumption the IMD authenticates an externalprogrammer by checking that the distance between them isbelow a certain threshold The distance is estimated usingthe relation between the speed of ultrasound and its arrivaltime However their method requires an additional modulethat enables ultrasonic communication which results in anadditional cost This module may also incur a significantburden on the battery

23 Communication Cloaking To reduce battery consump-tion in IMDs methods have been suggested that use anexternal device (called a cloaker) [17ndash19] A cloaker is adevice such as a smartphone that operates on behalf ofthe IMD The IMD obtains computational results fromthe cloaker thus saving its battery resources As a resultseveral cryptographic methods can be applied to IMDs eventhough they require heavy computation (ie they requiresignificant battery consumption) However an additionalcomplex security method must be designed to establish asecure channel between an IMD and a cloaker

24 Jamming or Body-Coupled Communication To achievesecurity without an additional module or heavy compu-tational burden on the IMD jamming techniques can beemployed [19 20] When a hacker attempts to access apatientrsquos IMD a wireless signal is generated Accordinglya jamming technique interrupts the malicious signal toblock access to the IMD However jamming techniques canaffect other valid signals implying that authorized electronicdevices may also not work properly Although Shen et al[21] proposed an approach for jamming an attack signaland simultaneously maintaining valid wireless connectivitychannel information must be known in advance to separatethe jammed and normal channels In terms of securitythis information should only be shared with authenticateddevices It is impossible to securely share informationwithoutusing an additional method such as a secret key exchangeThus the jamming technique is not a suitable securitymethod for application to body sensors

Body-coupled communication [4 22] is assumed to besecure because an attacker eavesdropping on a communi-cation must be close to or even touching the targetrsquos bodyHowever to apply thismethod to a body area network (BAN)body sensors require an additionalmodule that enables body-coupled communication

Security and Communication Networks 3

25 Physiological ValueIPI-Based Key Exchange The con-cept of physiological value- (PV-) based key exchange (or keyagreement) was first introduced by Cherukuri et al [23] AsPV-based key exchange does not require the exchange of pre-shared secret information between body sensors it is highlyeffective from a key management perspective In particularthis can resolve the problem of emergency access whichis an important requirement in the IMD setting For thisreason there have been many recent studies conducted inthis field [6ndash15] Interpulse intervals (IPIs) are the mostcommon metric used in PV-based key exchange They canbe measured noninvasively and easily using low-cost equip-ment Studies concerning IPI-based key exchange generallyconsider three aspects First IPIs are derived from differenttypes of heart-related biometric information (eg ECG orPPG) [9 11] For example even if an IMD and an externalprogrammer measure different biometric information thesame IPI information can be extracted for key exchangeSecond peak misdetection must be handled effectively [1124] In general to measure IPIs from heart-related biometricinformation a peak detection algorithm is employed Inthe real world all peak detection algorithms have imper-fections which can cause a significant drop in the securityperformance If a security method uses an inaccurate peakdetection algorithm then there is a decrease in the securityperformance compared with the case of using a perfectpeak detection algorithm [24] The third aspect concernsextracting the bit sequence with the highest entropy fromone IPI A 4-bit sequence is extracted from the most com-mon IPI [10 11 19] This implies that at least 32 IPIs arerequired if a 128-bit key is required In general measuringone IPI takes about 085 s and it would take approxi-mately 272 s to obtain 32 IPIsTherefore to reduce the overalltime required for key exchange high entropy should beretained from one IPI and long bit sequences extracted [25]

3 Motivation

As mentioned in Section 1 security attacks on IMDs havebecome a critical issue as researchers have demonstrated thatsecurity attacks on commercial IMDs are a reality [3 4]In 2008 Halperin et al [3] described several examples ofattacks on a commercial implantable cardioverter defibrilla-tor (ICD) They fully analyzed the communication protocolbetween a commercial ICD and an external programmerusing an oscilloscope and a universal software defined radio(USRP) Because the communication channel they analyzedwas not encrypted they could capture the transmitted datawithout any difficulty Using this method they were able toread and modify the patientrsquos name in the ICD Moreoverthe attackers could even access the patientrsquos ECG data asmeasured by the ICD Because this information is related tothe patientrsquos health it should be well protected Furthermorebecause the ICD accepts commands that are used by anexternal programmer tomodify its configuration without anyauthentication process the attackers were able to regenerate acertain command using the USRP device In this manner theattackers could intentionally deactivate the ICD and inducefibrillation

Another security problem related to IMDs was demon-strated by Li et al [4] who were able to attack a popularglucose monitoring and insulin delivery system The systemthey targeted used a personal identification number (PIN)for secure access They explained how to discover PIN infor-mation by reverse-engineering the communication protocoland packet format Moreover because they could discoverthe information in a legitimate packet format it was possibleto regenerate a legitimate data packet containing misleadinginformation which was accepted by the insulin pump forexample incorrect reading of the glucose level a control com-mand for stoppingresuming an insulin injection or a controlcommand for immediately injecting a dose of insulin into thehuman body It should be noted that misconfigured insulintherapy may cause hyperglycemia (high blood glucose) orhypoglycemia (low blood glucose) and endanger the patientrsquoslife [26]

Fundamentally the reason for such security problems inthe IMD system is that IMDs are not able to authenticateexternal programmers for secure communication This lackof authentication makes IMDs vulnerable to a variety ofpotential attacks thus compromising their reliable function-ing

4 System Model

In this section we describe the overall system model forour proposed method Figure 1 illustrates an example ofan IMD system It is possible to extend the domain towhich our method can be applied from IMD systems tobody area networks (BANs) As body sensors handle health-related personal information an appropriate security methodfor protecting this information is necessary In particularbecause IMDs typically have very limited resources it isdifficult to apply an effective security method Therefore inthis paper we focus on the development of a security methodthat can be applied to IMDs Moreover if a security methodcan be applied to IMDs this generally implies that the samesecurity method could be used with other body sensorsWe propose a method that can perform an authenticationprotocol and establish a secure channel before the IMDand external programmer communicate with each other Toclarify our proposed method we describe the IMD systemthe main requirements for a security method the threatmodel and our underlying assumptions below

41 IMD System The IMD system consists of two compo-nents an IMD and an external programmer Because weare designing a security method for IMDs with resourceconstraints only the characteristics of IMDswill be explainedin this paper As IMDs are surgically implanted wirelesscommunication with an external programmer should beestablished to access the IMD configuration especially whenthe doctor decides to change the therapy delivered by theIMD Access is also required for diagnosing problems withthe equipment extracting historic information related tothe patientrsquos vital signs or updating the IMD firmwareTraditionally the IMD and the programmer communicateusing inductive telemetry which is based on inductive


Medical staffs

(i) Configuring setting(ii) Querying monitoring logs

External Programmer

Physical Contact

Body Sensor(Insulin Pump)

Body sensor(Pacemaker)


Figure 1 An example of an IMD system

coupling between coils in the IMD and coils in the pro-grammer However this type of communication involvesseveral limitations including a short communication rangeand a limited data rate (less than 50 kbps) However modernIMDs communicatewirelesslywith programmers using radiofrequency (RF) telemetry through the 402ndash405MHzMedicalImplant Communication Service (MICS) band which wasestablished in 1999 by the US Federal CommunicationsCommission The introduction of MICS has enabled greatercommunication ranges and higher data rates [27]

42 Requirements In our systemmodel there are two under-lying requirements for the securitymethod to be applied to anIMD system

421 Efficient Energy Consumption (Efficiency) Once anIMD is implanted its battery can last for up to 8 years (in thecase of neurostimulators [28]) or up to 10 years (in the caseof pacemakers [29])The exact period is highly dependent onthe patientrsquos health (ie the more the patient exhibits abnor-mal physiological conditions over time the more energy willbe consumed by the IMD to react and apply therapy) Threeongoing trends suggest that energy consumption will remaina challenge for IMDs [30] First the devices are becomingincreasingly complex and power-hungry because of demandsfor new and sophisticated therapeutic and monitoring func-tionalities Their power requirements are outstripping the

benefits of Moorersquos Law and low-power design techniquesthat have enabled progress in the area of smartphonesSecond IMDs are collecting more data as new sensors areadded to monitor patient health The transmission of sensordata from an IMD involves wireless communication whichis power-intensive Third well-designed security protocolsincluding authentication and code verification require theuse of cryptography primitives Even though the overall IMDenergy consumption does not stem from a key-exchangeprotocol it is known that key-exchange protocols are noto-riously computation- and power-intensive Moreover theminimal energy consumption in a key-exchange protocol hasrarely been considered Battery usage has a direct impacton the lifetime of an IMD Once the battery has beendepleted the entire device has to be replaced which requiresa surgical procedure along with the associated risks Somedesigns support batteries that can be charged wirelessly usingmagnetic fields [31ndash33] but this incurs the risk of damagingthe organs close to the IMD [27]The only realistic alternativeis to perform surgery to replace the old battery with a newone Accordingly we assume that IMDs use nonrechargeablebatteries meaning that the battery issue is critical when asecurity method is applied to an IMD system Therefore theenergy consumption should be minimized

422 Emergency Access (Usability) In IMD systems thebalance between usability and security is very important


Because an IMD is a life-support machine for a patient itsusability has a direct effect on that patientrsquos life In otherwords if the usability of the device is affected by its securityfeatures life-threatening problems can arise When a securitymethod is applied to an IMD one typical requirement isemergency access When a patient loses consciousness theIMD should be automatically turned off to enable a properexamination of the patient without errors being introducedby the operating IMD [34 35] For wearable devices thiscan be achieved by simply removing the device from thepatientrsquos body However this does not apply to IMDsimplying that emergency access should also be consideredwhen designing a security method More specifically if thepatient requires an operation in a case of emergency or ascan with magnetic resonance imaging (MRI) when they arefitted with a pacemaker the pacemaker must be deactivatedbefore the operation in order to prevent unintentional shocksHowever because a hacker may attempt to access the IMDby pretending that there is an emergency there must be aclear distinction between normal and emergency situationsTherefore an appropriate security method should define thecriteria to distinguish between these situations and performthe appropriate operations

43 Threat ModelAssumption To clarify the purpose ofour method we first define the threat model that formallyidentifies the adversaries who may attack an IMD in oursystem model The goal of adversaries is to compromisethe confidentiality of communications between an IMDand the external programmer Adversariesrsquo abilities are toeavesdrop on communications replay old messages andinjectmessages Because ourmethod is a kind of IPI- (or PV-)based key agreement adversaries may attempt to break thekey-exchange process by using PVs from another person orold physiological values from the victim

We assume that adversaries are unable to obtain the validPVs to be used as the source of a secret key Recently remotephotoplethysmography has been suggested which measuressubtle color variations in a human skin surface using aregular RGB camera [36 37] where heart-related PVs can beinferredThismethod could represent one of themost seriousthreats to PV-based key agreements including our methodHowever it can only be employed to remotely measure suchPVs within a short distance (eg 50 cm) and thus is not yeta practical threat We expect that PV-based key agreementwill have to be improved as threats that remotely measurePVs of a human body emerge in the future In additiondenial-of-service (DoS) attacks such as jamming or batterydepletion attacks are beyond the scope of this paper Suchattacks should be considered separately

5 The Proposed Method

In this section we describe our method which enablesefficient key exchanges between an IMD and an externalprogrammer For ease of understanding we first explain IPI-based key exchange and ECCs which are the underlyingmethods of our approach We then describe our method indetail

1

08

06

04

02

0

minus02

minus04

minus06

minus080 1 2 3 4 5 6 7 8 9 10

Am

plitu

de (V

)

Gray code Gray code Gray code Gray code Gray code(Second)

10011010 10010111 10011010 10011111 10010100

IPI IPIIPI

IPI IPI

R PeakR PeakR Peak

R PeakR PeakR PeakR PeakR Peak

R Peak

Figure 2 Example of IPIs and their bit strings from ECG signals

51 IPI-Based Key Exchange There have been many studiesconcerning the authentication of external programmers byIMDs using IPI-based key exchange in which measured IPIsare converted to a bit sequence [6ndash15] In these methods IPIsshould be simultaneously measured at different parts of abody so that they can be converted to the same bit sequenceThese bit sequences are then used as a secret value in a key-exchange method

An IPI is defined as the elapsed time between twosuccessive pulses (heart rates) The pulse rate changes slightlydepending on the condition of the arteries and heart the rateis around 60ndash80 beats per minute for an adult and 120ndash140beats per minute for an infant Moreover the more activethe heart is the faster the blood will be pumped throughthe arteries thus leading to a faster pulse rate Because itis possible to extract randomness from such IPIs the samerandom bit sequences can be generated by measuring IPIs atthe same time on the same body Furthermore two randombit sequences will be different from each other even if they areextracted from two different sets of IPIs that are measured atdifferent times on the same body Rostami et al [10] showedthat an 8-bit gray-coded sequence from an IPI contains atleast 4 bits of entropy The IPI information is obtained bymeasuring biosignals of the heart such as ECGs and PPGsBased on these biosignals the expansion and contractionintervals of the heart can be measured thus giving thecorresponding IPI values The expansion and contractionintervals of the heart are calculated from the biosignals usinga peak detection algorithm Figure 2 shows an example of thecalculation of IPIs and their conversion to bit sequences usinggray encoding based on ECG measurements

In the real world the measurement data includes noisemeaning that the IPI values measured at two differentlocations may be slightly different Accordingly every IPI-based key-exchange method requires a step to make thesethe same Figure 3 shows an example of a procedure in IPI-based key-exchange method as a diagram Step 4 of this figureis the step for the error correction which usually requireswireless communication between the IMD and the external


(1) Measurephysiological signalat the same timeIMD

External Programmer

(2) Peak detectionIPI extraction


(3) Encoding IPIto bit sequence


(5) Share thesame secret


(4) Communication making thetwo different bit sequencesbe the same

Slightlydifferent

10

6

2

minus2

minus6

minus10

6

2

minus2

minus6

minus100

100

200

300

400

500

600

700

0

100

200

300

400

500

600

700

Figure 3 Example of IPI-based key exchange

programmer Because wireless communications require a lotof battery power this step is key saving battery power in anIPI-based key-exchange method

52 Error Correction Code In general most communicationchannels are subject to channel noise and thus errors canbe introduced during transmission from the source to thereceiver To handle such errors error detection or errorcorrection techniques are often employed Error detectionidentifies errors caused by noise or other impairmentsduring transmission from the transmitter to the receiverCyclic redundancy checks (CRCs) and checksums are typicalexamples of error detection techniques In the case of errorcorrection more redundant data is added to the originaldata than in error detection because error correction aimsto reconstruct the original data as well as detect errors Ina simple example known as a repetition code each data bitis transmitted three times When the bit sequence 001 istransmitted through a noisy channel if the third bit containsan error then the bit sequence 001 is interpreted as being 0

Formally ECC is an injective mapping of the form

119862 0 1119896 997888rarr 0 1119899 (1)

where 119896 lt 119899 Here 119896 isin 119885+ is the message length and 119899 isin 119885+is the block length

An ECC with Hamming distance 2119905 + 1 is denoted by(119899 119896 2119905 + 1) For an ECC (119899 119896 2119905 + 1) the original messageshould be correctly decoded if no more than 119905 errors occur

53 Our Method We describe the two steps of the proposedmethod (i) the self-recovery of peakmisdetection and (ii) thekey-exchange protocol Before describing our method we listthe notations used in our method in the ldquoNotationrdquo section

531 Self-Recovery of Peak Misdetection A peak detectionalgorithm is used to calculate IPIs from PVs such as ECGsor PPGs Using a peak detection algorithm the R peaks of anECG can be detected and the time differences between twoadjacent R peaks can be calculated to obtain 119899 IPIs We notethat the QRS complex is a name for the combination of threeof the graphical deflections seen on a typical ECG Unfor-tunately peak detection algorithms are not 100 accurateleading to peak misdetections Although such misdetections

degrade the performance of IPI-based key exchange mostprevious studies have not attempted to resolve this problem[7 10 14 15] For such methods the only available methodis to restart the whole procedure for obtaining a set ofIPIs whenever a peak misdetection occurs which drains thebattery

For the first time Seepers et al [11 24] pointed outthis inefficiency and proposed a method that tolerates peakmisdetection Their method detects any missed peaks basedon a threshold and the detected results are exchanged via a1-bit flag If peak misdetection occurs in one result then bothIPIs are dropped and remeasured

Unlike the method devised by Seepers et al we suggesta new approach that can perform a self-recovery procedurewhen peak misdetection occurs without any communicationbetween the IMD and external programmer Figure 4 showstwo types of peak misdetection namely failure of peakdetection and fake peak detection where in the latter theIPIs are misaligned As peak detection algorithms havereported detection rates of over 99 we assume that peakmisdetection occurs at most once every time our method isperformed [38ndash40]

For a given set of 119899 IPIs we calculate the sample mean 119909and sample variance 1199042 as follows

119909 = 1119899119899

sum119894=1

IPI119894

1199042 = 1119899 minus 1

119899

sum119894=1

(IPI119894 minus 119909)2 (2)

To verify IPI119894 we measure the one-dimensional Mahalanobisdistance between IPI119894 and a distribution of IPIs as follows

119889 = radic(IPI119894 minus 119909) 119904minus2 (IPI119894 minus 119909) =10038161003816100381610038161003816100381610038161003816IPI119894 minus 119909

11990410038161003816100381610038161003816100381610038161003816 (3)

Because we assume that IPIs are normally distributed 99of IPIs are separated by less than 2575 from the standardnormal (119885) table Accordingly we consider any IPI119894 witha Mahalanobis distance larger than 2575 to be incorrectbecause of peak misdetection If the value of (IPI119894 minus 119909)119904 ispositive and its distance is larger than 2575 then it can be



Correct IPIs

Type I Misdetection(A failure of peak detection)

Type II Misdetection(A fake peak detection)

IPI1

IPI1

IPI1

IPI2

IPI2

IPI2

IPI3

IPI3

IPI3

IPI4

IPI4 IPI5

Misaligned

Misaligned

Figure 4 Two types of peak misdetection

considered as a Type IMisdetection If the value of (IPI119894minus119909)119904is negative and its distance is larger than 2575 then it isconsidered as a Type II Misdetection In case of Type I errorwe add a new peak to half of IPI119894 In our method an IMD andan external programmer need to have the same number of IPIblocks even if their values of IPI blocks are not equal By thisaddition IMD does not have to additionally communicatewith an external programmer for peak misdetection Thedifference that is caused by the simple addition of a new peakwould be corrected by the error correction code In case ofType II error we discard the corresponding peak of IPI119894

Because this method for peak misdetection recoverydoes not require communication between the IMD andthe external programmer less battery power is consumedMoreover because extra IPIs are not measured the overallkey-exchange time for our method is shorter than in thetechnique devised by Seepers et al

532 Key-Exchange Protocol Because we focus on theenergy efficiency of IMDs under a secure key exchangeour method is designed to minimize the communicationoverhead We describe the key-exchange procedure betweenthe IMD (119868) and external programmer (119875) in three stepsThebit sequences from IPIs of 119868 and 119875 are denoted by 120572 and120573 isin 0 1119899 respectively

(1) 119875 sends identifiers ID119868 and ID119875 to 119868 to initiate the key-exchange procedure We note that both 119868 and 119875 workon the same body and simultaneously measure IPIsGiven the measured IPIs the ldquoself-recovery of peakmisdetectionrdquo procedure is performed

(2) 119875 randomly chooses 120574 isin 0 1119896 Using the (119899 119896 2119905 +1) ECC SS(120573 120574) isin 0 1119899 is calculated as follows

SS (120573 120574) = 120573 oplus ECCencode (120574) (4)

A secret key sk is then calculated using the crypto-graphic hash function119867 0 1119896 997888rarr 0 1119897 as

sk = 119867(120574) (5)

Using sk a message authentication code (MAC) isthen calculated for (1 ID119875 ID119868) and 119875 transmits

SS(120573 120574) and MACsk (1 ID119875 ID119868) to 119868 We note thatthe message authentication code is used for keyconfirmation

(3) With the (119899 119896 2119905+1) ECC 119868 recovers 1205741015840 from SS(120573 120574)as follows

1205741015840 = ECCdecode (SS (120573 120574) oplus 120572) (6)

Since ECCencode() and ECCdecode are inverseto each other ECCdecode(SS(120573 120574) oplus 120573) is natu-rally decoded to 120574 In addition the values that areencoded by SS() and have smaller difference thana threshold can be also decoded to 120574 AccordinglyECCdecode(SS(120573 120574)oplus120572) can be successfully decodedif 120572 and 120573 are within the threshold

Using the calculated 1205741015840 and119867() the secret key sk1015840 canbe calculated as

sk1015840 = 119867(1205741015840) (7)

Using sk1015840 for key confirmation the MAC value trans-mitted by 119875 is verified as follows

MACsk1015840 (1 ID119875 ID119868)997904997904997904 MACsk (1 ID119875 ID119868) (8)

Once the verification is complete the IMD checkswhether it is sharing the same key as the programmerand calculatesMACsk1015840(2 ID119875 ID119868) to send to119875 If thisfails then the session will be aborted119875 also uses sk to verify the MAC values from119875 for thekey confirmation as follows


If the verification fails then the session will beabortedIf dist (120572 120573) le 119905 then 119868 obtains 1199031015840 = 119903 From thisthe secret key can be exchanged as in 119875 (ie sk1015840 =sk) Figure 5 illustrates the key-exchange protocolbetween 119868 and119875We note that a hash operation would


larr R0 1m

IMD (I)

Read IPIs isin Vwith self-recovery of peak misdetection

= CCdecode (SS( ) oplus )

ＭＥ = H()

Verify －ＭＥ(1 ）＄P ）＄I) with ＭＥ

）＄I ）＄P

SS( ) －ＭＥ(1 ）＄P ）＄I)

－ＭＥ(2 ）＄P ）＄I)

Programmer (P)


３３( ) = oplus CCencode()ＭＥ = H()

Verify －ＭＥ(2 ）＄P ）＄I) with sk

Figure 5 Key-exchange protocol

be cheaper than the MAC operation in our methodin terms of the computational overhead HowevertheMACoperation enables explicit key confirmationwhich provides stronger assurances for the IMD thanimplicit key confirmation [41] The MAC operationin our method can be made optional to reducecomputational overhead In addition our method isdesigned as an authenticated key-exchange protocolapproach that provides authentication before the keyestablishment Because external programmers areauthenticated by IMDs in our method the symmetrickey generated by the programmer can be trusted

6 Security Analysis

To verify the security of our method we show that it satisfiesthe requirements of Secure Sketch on the metric space 119872 =0 1119899 under the Hamming distance metric If a functionsatisfies the properties of Secure Sketch we can analyze itssecurity in terms of the entropy That is we show that theencoding function of our method satisfies the requirementsof Secure Sketch

Before the detailed analysis we describe the concept ofhow our method is securely designed based on the SecureSketch It is verified that the random value 120574 encoded withbiometric information (ie SS(120573 120574)) leaks only 119899 minus 119896 bitsabout 120574 where 119899 is the length of the encoded bit sequence bythe Secure Sketch and 119896 is the entropy of the decodedmessageby error correction code (ie a random secret in our case)With respect to a biometric value whose entropy is119898 at most(119899 minus 119896) bits of information are leaked from SS(120573 120574) and theremaining 119898 minus (119899 minus 119896) bits of information are still preservedAccordingly it is said that 120573 is of high entropy when the valueof119898minus (119899 minus 119896) is larger than the security level In our methodwe determined the security level at 128 bits to conform withcurrent NIST key length recommendations [42]

61 Secure Sketch TheSecure Sketch concept was introducedby Dodis et al [43 44] for correcting errors in noisy secrets(eg biometrics) by releasing a helper string 119878 that does notreveal any information about the secret An (1198721198981198981015840 119905)-Secure Sketch is a randomized map SS 119872 997888rarr 0 1lowastwith the following properties where119872 is a metric space withdistance function dist(sdot)

(1) There is a deterministic recovery function Rec(sdot) thatrecovers the original 120596 from its sketch SS(120596) asfollows

Rec (1205961015840 SS (120596)) = 120596 if dist (120596 1205961015840) le 119905 (10)

for all 120596 1205961015840 isin 119872(2) For all random variables119882 over119872with min-entropy

119898 the average min-entropy variable with the min-entropy of 119882 given SS(120596) is at least 1198981015840 That isinfin(119882 | SS(120596)) ge 1198981015840

The Secure Sketch is efficient if SS and Rec run inpolynomial time in the representation size of a point in 119872Secure Sketches have been constructed for various differenttypes of metric spaces with defined distance functions Thesecurity of a Secure Sketch is evaluated in terms of theentropy of 119882 when releasing the sketch SS(120596) that is theentropy loss 119898 minus 1198981015840 associated with making SS(120596) publicTo satisfy the properties of Secure Sketches most SecureSketch constructions are designed using the ECC mentionedin previous sections Furthermore in this paper we mainlyfocus on the second property of Secure Sketches for thesecurity analysis In other words we show that the secretkey is secure by proving that our method satisfies the secondproperty of Secure Sketches Regarding the first property ourmethod does not use the recovery function as it is In ourmethod only random numbers are recovered to generate the


Secure Sketches whereas the conventional recovery functionrecovers biosignals as well as random numbers

62 Security of the Proposed Method We show that thefunction SS(sdot) in our method which is based on the (119899 119896 2119905+1) ECC satisfies the requirements of the (119872119898119898 + 119896 minus 119899 119905)Secure Sketch Function SS(sdot) is expressed as follows


where 120573 isin 119882 sub 119872 and 120574isin119877119883 sub 0 1119896To be a Secure Sketch this function must satisfy the

following properties

(1) For any 120572 120573 isin 119882 such that dist(120572 120573) le 119905 and120574 isin 119883 when SS(120573 120574) and 120572 are given 120573 needs to berecovered Here because recovering 120573 is equivalent torecovering 120574 we will show how to recover 120574

(2) infin(120596 | SS(120596)) ge 119898 + 119896 minus 119899 should hold

We can prove that SS(sdot) satisfies the above two propertiesusing Lemma 3 of [44] as follows

Proof Let ECCdecode(sdot) be the decoding procedure ofECCencode(sdot) As ECCdecode(sdot) can correct up to 119905 errorsif V = 120573 oplus ECCencode(120574) and dist(120572 120573) le 119905 thenECCdecode(120572 oplus V) = 120574

Let 119860 be the joint variable (119883119882) These have minimumentropy119898+119896when infin(119882) = 119898 and119883 is independent of119882Because SS(119882) isin 0 1119899 and SS(119882) is dependent on (119883119882)we have that infin(119860 | SS(119882)) ge 119898 + 119896 minus 119899 If the informationexposure of 119860 resulting from SS(119882) is the maximum (iethe entropy reduction caused by information exposure is themaximum) then the minimum value of infin(119860 | SS(119882)) is119898 + 119896 minus 119899 In other words because SS(119882) exposes at most 119899bits of information infin(119860 | SS(119882)) cannot be smaller than119898+119896minus 119899 Now given SS(119882)119882 and119883 determine each otheruniquely and so it also holds that119867infin (119882 | SS(119882)) ge 119898+119896minus119899

As a result our method provides (119897 = 119898 + 119896 minus 119899)-bitsecurity

7 Experimental Results

We evaluated our method by performing a series of exper-iments First we calculated the entropy of the IPIs usedfor the secret key to demonstrate the security level of ourmethod We set the security level to 128 bits to conformwith current NIST key length recommendations [45] Weestimated the parameters that yield 128-bit security and usedthese to evaluate the performance of our method Second weevaluated the energy consumed by our method in terms ofcomputation and communication and compared this with theenergy consumption of state-of-the-art secure IMD systems[7 10 11]

71 Experimental Setup We extracted IPIs from ECG signalsprovided by PhysioBank which is a large archive of well-characterized digital recordings of physiological signals [46]Among their many data types we used the MIT-BIH [47]

Table 1 Average entropy

lowest bits Entropy lowest bits EntropyH(8IPI) 651 H(7IPI1015840) 555H(7IPI) 623 H(6IPI1015840) 526H(6IPI) 587 H(5IPI1015840) 473H(5IPI) 495 H(4IPI1015840) 396H(4IPI) 399 H(3IPI1015840) 299We let 119896IPI1015840119894 denote the 119896 lowest bits other than the least significant bit Inother words if a least significant bit is removed from the (119896 + 1)th IPI thenthis becomes 119896IPI1015840119894

PTB [48] andMGHMF datasets to ensure a fair comparisonbetween our method and previous methods [10 11] Inaddition we evaluated our method on the EUROPEAN ST-T and LONG-TERM ST datasets in order to demonstratehow IPI-based key agreements work on IPIs for patients withheart-related diseases With the extracted IPIs we adopteda quantization method that uses the cumulative distributionfunction (CDF) transformation known as dynamic quan-tization The quantized values were then encoded as 8-bitunsigned integers and their gray code representations werecalculated The Bose-Chaudhuri-Hocquenghem (BCH) codewas used as the ECC in our method

72 Entropy of IPIs Before evaluating the security level ofthe secret key derived from our method we first calculatethe entropy of the IPIs which is the source of the secretkey In comparison to [10 11] in which three or four least-significant bits were used from an 8-bit gray-coded IPI ourmethod is designed to acquire the maximum entropy from asingle IPI For most human bodies the IPI value would beabout 085 s [7] and so reducing the number of IPIs savestime for the key exchange We first extracted IPIs from ECGsignals in the MIT-BIH PTB and MGHMF datasets andthen gray codes were converted from the IPIs Using the gray-coded sequences we performed the MatLab function calledEntropy(sdot) [49] to obtain the entropies of the sequencesIn this function a probability density function (PDF) isestimated from the normalized histogram of a sequenceUsing the PDF function the entropy is calculated as follows

119867(119883) = minus119899

sum119894=1

119901 (119909119894) log119901 (119909119894) (12)

where 119909119894 is a bit sequence Table 1 shows the average entropywhen 119899 least-significant bits are selected from the 8-bit gray-coded bit sequence of a single IPI We will evaluate thesecurity level of our method based on this result

73 Parameter Estimation for BCHCode Weestimate param-eters used in the BCH code We consider the false rejection(FR) and false acceptance (FA) rates FR refers to the case inwhich a valid pair of IPIs that were simultaneously measuredfrom the same human body is incorrectly considered as beinginvalid FA refers to the case in which an invalid pair ofIPIs that were measured from two different human bodies isincorrectly considered as being valid


Table 2 Two types of error rates

errsame errdiff1st MSB 0001 1st MSB 00012nd MSB 0003 2nd MSB 02683rd MSB 0005 3rd MSB 04264th MSB 0007 4th MSB 04255th MSB 0010 5th MSB 04396th MSB 0020 6th MSB 04537th MSB 0045 7th MSB 04448th MSB 0092 8th MSB 0448

For the FR and FA rates we utilize the cumulativedistribution function (CDF) of the binomial distribution Wedefine two types of error rates errsame denotes the error ratewhere values of two bit sequences are different at each biteven if they are from the same body and errdiff denotes theerror rate where values of two bit sequences are the same ateach bit even if they are from two different bodies Table 2shows the two types of error rates at each most significantbit (MSB) of an 8-bit sequence These error rates werecalculated from theMIT-BIH PTB andMGHMFdatabasesWe note that we obtained different results compared withexisting studies [10 11] even if we employed the same datasetHowever because we used a higher error rate to evaluate ourmethod the difference does not affect the fair comparisonwith other methods

Theprobability in the binominal distribution is calculatedusing the mean value of error rates For example for 8IPI theaverage errsame is (0001 + 0003 + 0005 + 0007 + 0010 +0020 + 0045 + 0092)8 = 0023 When 7IPI is used theaverage errsame is (0001+0003+0005+0007+0010+0020+0045)7 = 0013 In our evaluation we set the objective FRand FA rates as 10minus3 and 10minus30 respectively These values areconsidered to be reasonable in terms of usability and securityFurthermore the FA rate should be lower than the FR ratebecause security should be a more important concern

A threshold 119905 in BCH code should be calculated thatsatisfies 119875(119883same gt 119905) le 10minus3 and 119875(119883diff gt 119905) le 10minus30where 119883same and 119883diff are binomial distribution with errsameand errdiff respectively Table 3 lists the minimum values of 119905that achieve these FR and FA rates for each 119899 value

Once 119899 and 119905 are determined for the BCH code theremaining parameter 119896 is determined automatically Forexample if we use 119899 = 255 and 119905 = 19 then 119896 = 123 [50]Details on the BCH code parameters and their relationshipsare not discussed in this paper

Subsequently the security level was calculated for variouscode parameters The security level of our method is equalto 119897 = 119898 + 119896 minus 119899 where 119898 is the entropy of the entire IPIRecall that we analyzed the security level of our method inSection 62 For example when 255-bit sequences need tobe derived using 5IPI 51 IPI blocks are needed Thereforethe entropy of the bit sequence is 119898 = 51 times 119867(5IPI) =51 times 495 = 25245 Figure 6 shows the security level 119897(=119898 + 119896 minus 119899) for different values of 119899 119896 and 119905 when the FR andFA rate constraints are satisfied These results show that the

680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)

8IPI7IPI6IPI5IPI4IPI

7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI

Figure 6 Security level as a function of BCH code parameters(119899 119896 119905)

10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0

106 times 10minus2 106 times 10minus2

474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4

Figure 7 The FR and FA rates with BCH code (255 131 18) and6IPI

security level increases with the length of the bit sequenceThe security level of our method is 128 bits when a 255-bitsequence is derived using 6IPI with BCH code parameters(119899 119896 119905) of (255 131 18) Although a higher security level canbe obtained if a larger value of 119899 is used [119899119902] IPI blocks areneeded to derive 119899-bit sequences (119902 = |119902IPI|)

74 Performance We calculated the FR and FA rates for eachdataset provided by PhysioBank using the estimated param-eters (119899 119896 119905) = (255 131 18) and 6IPI Figure 7 presents theFR and FA rates of five different datasets including the three


Table 3 BCH code parameter (119899 119905) for various 1198968IPI 7IPI 6IPI 5IPI 4IPI

119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64

7IPI1015840 6IPI1015840 5IPI1015840 4IPI1015840 3IPI1015840

119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 - 255 - 255 -511 - 511 18 511 19 511 22 511 251023 26 1023 29 1023 32 1023 36 1023 42ldquo-rdquo indicates no (119899 119905) values available for FN = 10minus3 and FP = 27 times 10minus15

FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200

Differences between IPIs

MIT-BIH

MGHMFPTB

EUROPEAN ST-TLONG-TERM ST

Figure 8 Temporal variance

mentioned datasets in the previous section The reason forthe high values in Figure 7 (compared with the initial valuesfor the FR rate of 10minus3 and FA rate of 10minus30) is that whenwe estimated the parameters there were differences in theaverage error rate The higher FA rate for EUROPEAN ST-T and LONG-TERM ST may be because of these datasetsbeing taken from patients diagnosed with heart diseasemeaning that the key randomness was relatively lower andthe corresponding performance was lower than for the otherdatasets

75 Temporal Variance A higher temporal variance impliesthat an ECG signal has a higher randomness which reducesthe probability of success for attackers employing a replayattack The bit sequence that is converted from IPIs has suf-ficient entropy which means that asynchronous IPIs shouldnot match each other However in reality the probabilitythat asynchronous IPIs match each other is not zero We

examine the temporal variance of our method by employingasynchronous IPIs If an IMD and an external programmerestablish a secret key with the asynchronous IPIs this canbe considered to represent the FA case Figure 8 illustratesthe FA rates with respect to the time differences of IPIs Forexample the FA rate is approximately 001 when an IMD andexternal programmer have a time difference of 3 IPIs from thePTB dataset We can see that the FAR decreases if the timedifference is greater than 130 IPIs which is around 2min Weconclude that the IPI information should be protected fromattackers for at least 2min as attackers can establish a secretkey for IMDs within this time

76 Energy Consumption The effectiveness of IMDs that usenonrechargeable batteries is highly sensitive to the additionalenergy consumption resulting from new security techniquesWe analyzed the energy consumption of ourmethod in termsof communication and computation

761 Energy Consumption due to Communication We usedthe method proposed in [51] to evaluate the energy con-sumption of message exchanges As presented in [52] aChipconCC1000 radio used inCrossbowMICA2DOTmotesconsumes 286 120583J and 592120583J to receive and transmit 1 byterespectively Moreover most of the communication protocoldata payloads are set in bytes For instance the length of thepayload of ZigBeersquos frame format ranges from 0 to 127 bytes[42] That is even when 1 bit of data is transmitted 1 byte ofpayload space is required Therefore we measured the com-munication overhead of our method and existing methodsin terms of the byte size To ensure a fair comparison wemeasured the communication overhead by modifying eachmethod slightly to enable key confirmation

For our method the message sizes to be transmittedand received were 64 and 96 bytes respectively Hence theenergy consumption required to transmit and receive themessage was 379mJ and 183mJ respectively Table 4 lists thecommunication overheads for our method and the existingmethodsThemethod in [7]was set to 4000 so that theCoffersize (the number of chaff points) provided 128-bit securityAlthough 128-bit security could be achieved with aCoffer size


Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM

Dandexternalprogrammerrespectively|ID

IMD|=|ID119875|=16bytes(iii)Coff

erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898

IMDand119898119875deno

tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof

anexternalprogrammer

(|Cert|=1024

bytes)


Table 5 Approximate number of cycles and energy consumption of each component block

Block name cycles Energy consumption (120583J) WhereSHA256 5140 474 Every methodHMAC SHA256 32710 4173 Every methodBCH-encoding 500928 51799 [11]BCH-decoding 142704 11043 Our methodAES128 encryption 2740 01 [11]RSA2048 encryption 8558400 655179 [10]

10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]

Figure 9 Energy consumption due to communication overhead

of 2000 this gave a high FRR In [11] the authors employPRESENT which is an encryption algorithm using an 80-bit symmetric key However we evaluate the method in [11]assuming AES128 is employed for a fair comparison withour method which also employs AES128 Figure 9 shows theenergy consumption of each method due to communicationsunder 128-bit security Because our method has the lowestcommunication overhead of the techniques compared herethe energy consumption due to communication is also thelowest

762 Energy Consumption due to Computation To mea-sure the energy consumed by computations we used theEFM32LG-DK3650 Development Kit with a 32-bit ARMCortex-M3 processor 256 Kb flash and 32 Kb SRAMThis development kit provides a power-consumption profilerand power debugging tools We implemented various blockcomponents used by either our method or the comparativetechniques in the EFM32LG-DK3650 Development Kit Thecode size number of clock cycles and approximate powerconsumption of each block component are listed in Table 5We note that we assume that the method in [11] employsAES128 instead of PRESENT with an 80-bit symmetric key

[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256

HMAC_SHA256BCH-decoding

BCH-encodingAES128RSA2048-encryption

104

103

102

101

100

Figure 10 Energy consumption due to computation overhead Itis difficult to identify the amount of energy consumed by SHA256HMACSHA256 and AES128 because these algorithms consume rela-tively little energy

for a fair comparison with our method Because less energyis consumed for BCH encoding than BCH decoding wedesigned the IMD to perform BCH decoding Thus theenergy consumption of our method is lower than that of [11]which performs BCH encoding Figure 10 shows the energyconsumption of our method and existing approaches due tocomputation

As public key operations require a considerable amountof energy the method described in [10] consumes the mostenergy in the computation stage For [7] which has the lowestenergy consumption for computations the overall amount ofenergy consumption is high because of the communicationoverhead In conclusion our method consumes the leastamount of energy when the IMD and external programmerperform the key-exchange protocol

8 Discussion

Electrogram (EGM) Signal Our method was evaluated usingIPIs that are extracted from an ECG However an IMDactually measures electrograms (EGMs) rather than ECGwithin individual chambers of hearts On the other hand


EGM is not measurable outside the body and hence anexternal programmer is not able to measure it Our plans forfuture work involve additional evaluations using EGM for anIMD and ECG for an external programmer Because EGMalso determines heart-related PVs like ECG it is expectedthat IPIs can be extracted fromEGM In addition most IMDshave the functionality to record a series of IPIs [53]

Cardiac Arrhythmia Those who implant IMDs into theirbody would be patients with heart-related diseases such asarrhythmia It is known that it is difficult to detect peaks in theECG signals of such patients [54] In fact most PV-based keyagreement solutions have the same limitation [7 34 51 52]Our plans for future work include an improved method toaddress this issue

Distribution of IPIs The normal distribution of IPIs wasassumed for self-recovery of peak misdetection Our methodis designed based on the existing research results assumingthe normal distribution for IPIs [55 56] However it isexpected that the more accurate distribution for IPIs isnecessary to improve our self-recovery of peak misdetectionOne of our future works will cover analyzing distribution ofIPIs

9 Conclusion

In this paper we have presented an energy-aware key-exchange protocol that enables secure communicationbetween an IMD and an external programmer Our methodutilizes IPIs to generate a secret key in an authenticatedand transparent manner without any keying material beingexposed predistribution or during initialization As thebattery consumption of IMDs is a critical issue we firstfocused on the energy efficiency of IMDs when using ourmethod Our method reduces energy consumption whilestill enabling secure key exchange A security analysis showedthat our method satisfies the Secure Sketch requirementsmeaning that it is difficult for adversaries to guess the secretkey Finally experiments were conducted to estimate theentropy of IPIs and the parameters for the BCH code Wealso analyzed the performance temporal variance and key-exchange time Finally we demonstrated that our methodconsumes less energy in communications and computationsthan comparable techniques As a result our method is morefeasible and efficient for securing IMD systems than theexisting approaches

Notation

119909 given a sample of size 119899 consider 119899independent random variables1198831 1198832 119883119899 each corresponding to onerandomly selected observation Thesample mean is defined to be119909 = (1119899)(1199091 1199092 119909119899) where 119909119894 is the119894th observation

1199042 the sample variance is defined to be1199042 = (1119899)sum119899119894=1(119909119894 minus 119909)2

120572 120573 120572 and 120573 isin 0 1119899 are denoted by 119899-bitsequences converted from IPIs measuredat the IMD and external programmerrespectively

120574 120574 is denoted by a 119896-bit random sequenceisin 0 1119896 selected by the externalprogrammer

ECCencode(sdot) for (119899 119896 2119905 + 1) minus ECC ECCencode(sdot) isthe encoding mapping

ECCdecode(sdot) for (119899 119896 2119905 + 1) minus ECC ECCencode(sdot) isthe decoding mapping

119867(sdot) 119867(sdot) is denoted by a cryptographic hashfunction

MAC119896(sdot) MAC119896(sdot) is denoted by a messageauthentication code with a secret key 119896

ID119875 ID119868 ID119875 and ID119868 are denoted by identities ofthe external programmer (119875) and IMD (119868)respectively

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by Samsung Electronics

References

[1] A J Greenspon J D Patel E Lau et al ldquo16-Year trends in theinfection burden for pacemakers and implantable cardioverter-defibrillators in the United States 1993 to 2008rdquo Journal of theAmerican College of Cardiology vol 58 no 10 pp 1001ndash10062011

[2] C Zhan W B Baine A Sedrakyan and C Steiner ldquoCardiacdevice implantation in the United States from 1997 through2004 a population-based analysisrdquo Journal of General InternalMedicine vol 23 no 1 pp 13ndash19 2008

[3] D Halperin T S Heydt-Benjamin B Ransford et al ldquoPace-makers and implantable cardiac defibrillators software radioattacks and zero-power defensesrdquo in Proceedings of the IEEESymposium on Security and Privacy (SP rsquo08) pp 129ndash142Oakland Calif USA May 2008

[4] C Li A Raghunathan and N K Jha ldquoHijacking an insulinpump security attacks and defenses for a diabetes therapy sys-temrdquo in Proceedings of the Proceeding of the IEEE 13th Inter-national Conference on e-Health Networking Applications andServices (HEALTHCOM rsquo11) pp 150ndash156 Columbia Mo USAJune 2011

[5] TU S G AOfficeMedical devices citation fda should expandits consideration of information security for certain types ofdevice 2012

[6] S-D Bao C C Y Poon Y-T Zhang and L-F Shen ldquoUsing thetiming information of heartbeats as an entity identifier to securebody sensor networkrdquo IEEE Transactions on Information Tech-nology in Biomedicine vol 12 no 6 pp 772ndash779 2008

[7] C Hu X Cheng F Zhang D Wu X Liao and D ChenldquoOPFKA secure and efficient ordered-physiological-feature-based key agreement for wireless body area networksrdquo in


Proceedings of the 32nd IEEE Conference on Computer Com-munications IEEE INFOCOM 2013 pp 2274ndash2282 Italy April2013

[8] N Jamali and L C Fourati ldquoSKEP a secret key exchange proto-col using physiological signals in wireless body area networksrdquoin Proceedings of the International Conference on WirelessNetworks and Mobile Communications WINCOM 2015 Mar-rakech Morocco October 2015

[9] C C Y Poon Y-T Zhang and S-D Bao ldquoA novel biometricsmethod to secure wireless body area sensor networks for tele-medicine and M-healthrdquo IEEE Communications Magazine vol44 no 4 pp 73ndash81 2006

[10] M Rostami A Juels and F Koushanfar ldquoHeart-to-Heart(H2H) authentication for implanted medical devicesrdquo in Pro-ceedings of the ACM SIGSACConference on Computer and Com-munications Security (CCS rsquo13) pp 1099ndash1111 ACM BerlinGermany November 2013

[11] R M Seepers J H Weber Z Erkin I Sourdis and C StrydisldquoSecure key-exchange protocol for implants using heartbeatsrdquoin Proceedings of the ACM International Conference on Comput-ing Frontiers CF 2016 pp 119ndash126 Como Italy May 2016

[12] K K Venkatasubramanian A Banerjee and S K S GuptaldquoPlethysmogram-based secure inter-sensor communication inbody area networksrdquo in Proceedings of the 2008 IEEE MilitaryCommunications Conference MILCOM2008 - AssuringMissionSuccess San Diego Calif USA November 2008

[13] K K Venkatasubramanian A Banerjee and S K S GuptaldquoEKG-based key agreement in body sensor networksrdquo inProceedings of the 2008 IEEE INFOCOM Workshops pp 1ndash6Phoenix Ariz USA April 2008

[14] K K Venkatasubramanian A Banerjee and S K S GuptaldquoPSKA usable and secure key agreement scheme for bodyarea networksrdquo IEEE Transactions on Information Technology inBiomedicine vol 14 no 1 pp 60ndash68 2010

[15] J Zhou Z Cao and X Dong ldquoBDK Secure and efficient bio-metric based deterministic key agreement in wireless body areanetworksrdquo in Proceedings of the 8th International Conference onBody Area Networks BODYNETS 2013 pp 488ndash494 BostonMass USA October 2013

[16] K B Rasmussen C Castelluccia T S Heydt-Benjamin and SCapkun ldquoProximity-based access control for implantablemedi-cal devicesrdquo in Proceedings of the 16th ACMConference on Com-puter and Communications Security (CCS rsquo09) pp 410ndash419Chicago Ill USA November 2009

[17] T Denning K Fu and T Kohno ldquoAbsence makes the heartgrow fonder new directions for implantable medical devicesecurityrdquo in Proceedings of the 3rd USENIX Workshop on HotTopics in Security San Jose Calif USA January 2008

[18] X Hei X Du J Wu and F Hu ldquoDefending resource depletionattacks on implantable medical devicesrdquo in Proceedings of the53rd IEEE Global Communications Conference (GLOBECOMrsquo10) Seattle Wash USA December 2010

[19] F Xu Z Qin C C Tan BWang andQ Li ldquoIMDGuard secur-ing implantable medical devices with the external wearableguardianrdquo in Proceedings of the 30th IEEE International Con-ference on Computer Communications pp 1862ndash1870 ShanghaiChina April 2011

[20] S Gollakota H Hassanieh B Ransford D Katabi and KFu ldquoThey can hear your heartbeats Non-invasive securityfor implantable medical devicesrdquo in Proceedings of the ACMSIGCOMM 2011 Conference SIGCOMM rsquo11 pp 2ndash13 TorontoOntario Canada August 2011

[21] W Shen P Ning X He and H Dai ldquoAlly friendly jammingHow to jam your enemy and maintain your own wireless con-nectivity at the same timerdquo in Proceedings of the 34th IEEESymposium on Security and Privacy SP 2013 pp 174ndash188Berkeley Calif USA May 2013

[22] S-Y Chang Y-C Hu H Anderson T Fu and E Y HuangBody Area Network Security Robust Key Establishment UsingHuman Body Channel HealthSec 2012

[23] S Cherukuri K K Venkatasubramanian and S K S GuptaldquoBiosec a biometric based approach for securing communica-tion in wireless networks of biosensors implanted in the humanbodyrdquo in Proceedings of the 32nd International Conference onParallel Processing (ICPP rsquo03) pp 432ndash439 Kaohsiung TaiwanOctober 2003

[24] R M Seepers C Strydis P Peris-Lopez I Sourdis and CI De Zeeuw ldquoPeak misdetection in heart-beat-based securityCharacterization and tolerancerdquo in Proceedings of the 201436th Annual International Conference of the IEEE Engineeringin Medicine and Biology Society EMBC 2014 pp 5401ndash5405Chicago Ill USA August 2014

[25] R M Seepers C Strydis I Sourdis and C I De ZeeuwldquoEnhancing heart-beat-based security for mhealth applica-tionsrdquo IEEE Journal of Biomedical and Health Informatics vol21 no 1 pp 254ndash262 2017

[26] C H Raine III L E Schrock S V Edelman et al ldquoSignificantinsulin dose errors may occur if blood glucose results areobtained from miscoded metersrdquo Journal of Diabetes Scienceand Technology vol 1 no 2 pp 205ndash210 2007

[27] C Camara P Peris-Lopez and J E Tapiador ldquoSecurity andprivacy issues in implantablemedical devices A comprehensivesurveyrdquo Journal of Biomedical Informatics vol 55 pp 272ndash2892015

[28] Parkisons disease httpwwwmedtroniceuyour-healthpar-kinsons-diseasedeviceour-dbs-therapy-productsactivaRCindexhtm

[29] V S Mallela V Ilankumaran and S N Rao ldquoTrends in cardiacpacemaker batteriesrdquo Indian Pacing and Electrophysiology Jour-nal vol 4 no 4 pp 201ndash212 2004

[30] M Rostami W Burleson A Juels and F Koushanfar ldquoBalanc-ing security andutility inmedical devicesrdquo inProceedings of the50th Annual Design Automation Conference DAC 2013 AustinTex USA June 2013

[31] H Jiang J Zhang D Lan et al ldquoA low-frequency versatilewireless power transfer technology for biomedical implantsrdquoIEEETransactions on Biomedical Circuits and Systems vol 7 no4 pp 526ndash535 2013

[32] K M Silay C Dehollain and M Declercq ldquoA closed-loopremote powering link for wireless cortical implantsrdquo IEEESensors Journal vol 13 no 9 pp 3226ndash3235 2013

[33] R F Xue K W Cheng and M Je ldquoHigh-efficiency wirelesspower transfer for biomedical implants by optimal resonantload transformationrdquo IEEETransactions on Circuits and SystemsI Regular Papers vol 60 no 4 pp 867ndash874 2013

[34] W Choi I S Kim and D H Lee ldquoE2PKA An Energy-Efficient and PV-Based Key Agreement Scheme for Body AreaNetworksrdquoWireless Personal Communications vol 97 no 1 pp977ndash998 2017

[35] D Pitcher J Soar K Hogg et al ldquoCardiovascular implantedelectronic devices in people towards the end of life duringcardiopulmonary resuscitation and after death guidance fromthe Resuscitation Council (UK) British Cardiovascular Society


and National Council for Palliative Carerdquo Heart vol 102 ppA1ndashA17 2016

[36] J Kranjec S Begus G Gersak and J Drnovsek ldquoNon-contactheart rate and heart rate variability measurements A reviewrdquoBiomedical Signal Processing and Control vol 13 no 1 pp 102ndash112 2014

[37] WVerkruysse LO Svaasand and J S Nelson ldquoRemote plethy-smographic imaging using ambient lightrdquo Optics Express vol16 no 26 pp 21434ndash21445 2008

[38] P JM FardMHMoradi andMR Tajvidi ldquoA novel approachin R peak detection using Hybrid Complex Wavelet (HCW)rdquoInternational Journal of Cardiology vol 124 no 2 pp 250ndash2532008

[39] A Ghaffari H Golbayani andM Ghasemi ldquoA newmathemat-ical based QRS detector using continuous wavelet transformrdquoComputers and Electrical Engineering vol 34 no 2 pp 81ndash912008

[40] J P VMadeiro P C Cortez J A LMarques C R V Seisdedosand C R M R Sobrinho ldquoAn innovative approach of QRS seg-mentation based on first-derivativeHilbert andWavelet Trans-formsrdquo Medical Engineering amp Physics vol 34 no 9 pp 1236ndash1246 2012

[41] S Blake-Wilson and A Menezes ldquoAuthenticated diffe-hellmankey agreement protocolsrdquo in InternationalWorkshop on SelectedAreas in Cryptography vol 1556 of Lecture Notes in ComputerScience pp 339ndash361 Springer Berlin Germany 1998

[42] Z Alliance and et al ldquoZigbee specificationrdquo 2006[43] Y Dodis R Ostrovsky L Reyzin and A Smith ldquoFuzzy extract-

ors how to generate strong keys from biometrics and othernoisy datardquo SIAM Journal on Computing vol 38 no 1 pp 97ndash139 2008

[44] Y Dodis L Reyzin and A Smith ldquoFuzzy extractors how togenerate strong keys from biometrics and other noisy datardquoin International Conference on the Theory and Applications ofCryptographic Techniques vol 3027 of Lecture Notes in Com-puter Science pp 523ndash540 Springer Berlin Germany 2004

[45] E B Barker and A L Roginsky ldquoTransitions recommendationfor transitioning the use of cryptographic algorithms and keylengthsrdquo National Institute of Standards and Technology NISTSP 800-131a 2011

[46] A L Goldberger L A Amaral L Glass et al ldquoPhysioBankPhysioToolkit and PhysioNet components of a new researchresource for complex physiologic signalsrdquo Circulation vol 101no 23 pp E215ndashE220 2000

[47] G B Moody and R G Mark ldquoThe impact of the MIT-BIHarrhythmia databaserdquo IEEE Engineering inMedicine andBiologyMagazine vol 20 no 3 pp 45ndash50 2001

[48] R Bousseljot D Kreiseler andA Schnabel ldquoNutzung der EKG-Signaldatenbank CARDIODAT der PTB uber das InternetrdquoBiomedizinische Technik Biomedical Engineering vol 40 no 1pp 317-318 1995

[49] Entropy httpskrmathworkscommatlabcentralfileexchange28692-entropy

[50] W C Huffman and V Pless Fundamentals of Error-CorrectingCodes Cambridge University Press New York NY USA 2003

[51] K RenW Lou K Zeng andP JMoran ldquoOn broadcast authen-tication in wireless sensor networksrdquo IEEE Transactions onWireless Communications vol 6 no 11 pp 4136ndash4144 2007

[52] A S Wandert N Gura H Eberle V Gupta and S C ShantzldquoEnergy analysis of public-key cryptography for wireless sensor

networksrdquo in Proceedings of the 3rd IEEE International Con-ference on Pervasive Computing and Communications (PerComrsquo05) pp 324ndash328 Kauai Island Hawaii USA March 2005

[53] N Wessel C Ziehmann J Kurths U Meyerfeldt A Schird-ewan and A Voss ldquoShort-term forecasting of life-threateningcardiac arrhythmias based on symbolic dynamics and finite-time growth ratesrdquo Physical Review E Statistical Physics Plas-mas Fluids and Related Interdisciplinary Topics vol 61 no 1pp 733ndash739 2000

[54] C Kamath ldquoEntropy-based algorithm to detect life threateningcardiac arrhythmias using raw electrocardiogram signalsrdquoMid-dle East Journal of Scientific Research vol 12 no 10 pp 1403ndash1412 2012

[55] A A Kuznetsov and S A Permyakov ldquoDistribution functionsfor patient heart rate parametersrdquoMeasurement Techniques vol58 no 5 pp 567ndash573 2015

[56] P Verbeeten S Ray andM Peters ldquoG450(p) the distribution ofheart rate in critically ill childrenrdquo 2017

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


to directly apply security protocols to an IMD because ofits limited resources and constraining requirements Thefollowing four limitations need to be resolved in order toapply effective security to IMD systems (i) there are highenergy overheads of authentication and encryption protocols(ii) the use of preshared credentials deployed during themanufacturing process remains unchangeable after deviceimplantation (iii) secure access cannot be deployed duringemergency situations and (iv) protection against resourcedepletion attacks and denial of IMD functions is insuf-ficient

This study focuses on the first limitation and suggests acorresponding solution for IMD systems As IMDs operateon a nonrechargeable battery inside the body the ultimatedepletion of the battery inevitably means that the old IMDneeds to be replaced with a new one through surgery Thismeans that the lifespan of an IMD is mainly determined bythe batteryrsquos capacity Therefore energy-inefficient securitymechanisms cannot be applied to an IMD system even ifthey would guarantee a high level of security In this studywe designed a key-exchange method between an IMD and anexternal programmer which minimizes the communicationoverhead of the IMDThe external programmer is the deviceused by the medical staff to communicate with a patientrsquosIMDOur basic premise involves utilizing an error correctioncode (ECC) to adjust the physiological values measured byan IMD and an external programmer The ECC enablesthe error correction of redundant data without additionalcommunication between the two entities Because wirelesscommunication consumesmore energy than other processessuch as computation it is possible to dramatically reducethe total energy consumption of IMDs This implies thatour method not only establishes a secure channel betweenthe IMD and an external programmer but also allows forlonger use compared with previous methods [6ndash15] Inaddition we provide a security analysis by showing that ourmethod satisfies the properties of Secure Sketch whichmeansthat our method is secure against random guessing Thefollowing points summarize the detailed contributions of ourmethod

(i) Ourmethodminimizes the communication overheadto significantly reduce the IMDrsquos battery consump-tion

(ii) We propose a self-recovery method that does notrely on mutual communication between the IMD andan external programmer at the peak misdetection ofphysiological signals (eg ECG or PPG)

2 Related Work

In this section we introduce related work focusing onsecurity and privacy issues related to IMDs We classifythese studies into several groups presented in the followingsubsections

21 Alarm-Based Methods Halperin et al [3] suggested thatan alarm should sound as a warning whenever an attemptis made to access a patientrsquos IMD Upon hearing the alarm

patients are able to distinguish between valid and invalidattempts If an invalid attempt by a malicious attacker occursthe patient takes appropriate action such as moving fromtheir current location to avoid the attack However thereare several limitations that prevent this method from beingapplied to IMD systemsWhen the patient is in a noisy area itmay be difficult to hear the alarm and disabled patients couldfind it difficult to avoid an attack or take appropriate action

22 Distance Bounding Rasmussen et al [16] suggestedemploying proximity-based access control They assumedthat malicious attacks cannot be launched from within acertain distance as the patient would notice such an attackBased on this assumption the IMD authenticates an externalprogrammer by checking that the distance between them isbelow a certain threshold The distance is estimated usingthe relation between the speed of ultrasound and its arrivaltime However their method requires an additional modulethat enables ultrasonic communication which results in anadditional cost This module may also incur a significantburden on the battery

23 Communication Cloaking To reduce battery consump-tion in IMDs methods have been suggested that use anexternal device (called a cloaker) [17ndash19] A cloaker is adevice such as a smartphone that operates on behalf ofthe IMD The IMD obtains computational results fromthe cloaker thus saving its battery resources As a resultseveral cryptographic methods can be applied to IMDs eventhough they require heavy computation (ie they requiresignificant battery consumption) However an additionalcomplex security method must be designed to establish asecure channel between an IMD and a cloaker

24 Jamming or Body-Coupled Communication To achievesecurity without an additional module or heavy compu-tational burden on the IMD jamming techniques can beemployed [19 20] When a hacker attempts to access apatientrsquos IMD a wireless signal is generated Accordinglya jamming technique interrupts the malicious signal toblock access to the IMD However jamming techniques canaffect other valid signals implying that authorized electronicdevices may also not work properly Although Shen et al[21] proposed an approach for jamming an attack signaland simultaneously maintaining valid wireless connectivitychannel information must be known in advance to separatethe jammed and normal channels In terms of securitythis information should only be shared with authenticateddevices It is impossible to securely share informationwithoutusing an additional method such as a secret key exchangeThus the jamming technique is not a suitable securitymethod for application to body sensors

Body-coupled communication [4 22] is assumed to besecure because an attacker eavesdropping on a communi-cation must be close to or even touching the targetrsquos bodyHowever to apply thismethod to a body area network (BAN)body sensors require an additionalmodule that enables body-coupled communication



3 Motivation




4 System Model




Medical staffs


External Programmer

Physical Contact
















1

08

06

04

02

0

minus02

minus04

minus06

minus080 1 2 3 4 5 6 7 8 9 10

Am

plitu

de (V

)


10011010 10010111 10011010 10011111 10010100

IPI IPIIPI

IPI IPI

R PeakR PeakR Peak


R Peak







External Programmer








Slightlydifferent

10

6

2

minus2

minus6

minus10

6

2

minus2

minus6

minus100

100

200

300

400

500

600

700

0

100

200

300

400

500

600

700





119862 0 1119896 997888rarr 0 1119899 (1)









119909 = 1119899119899

sum119894=1

IPI119894

1199042 = 1119899 minus 1

119899

sum119894=1

(IPI119894 minus 119909)2 (2)



11990410038161003816100381610038161003816100381610038161003816 (3)




Correct IPIs



IPI1

IPI1

IPI1

IPI2

IPI2

IPI2

IPI3

IPI3

IPI3

IPI4

IPI4 IPI5

Misaligned

Misaligned









sk = 119867(120574) (5)







sk1015840 = 119867(1205741015840) (7)







larr R0 1m

IMD (I)



ＭＥ = H()


）＄I ）＄P

SS( ) －ＭＥ(1 ）＄P ）＄I)

－ＭＥ(2 ）＄P ）＄I)

Programmer (P)






6 Security Analysis





Rec (1205961015840 SS (120596)) = 120596 if dist (120596 1205961015840) le 119905 (10)























119867(119883) = minus119899

sum119894=1

119901 (119909119894) log119901 (119909119894) (12)











680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)


7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI


10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0


474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4






119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




3 Motivation




4 System Model




Medical staffs


External Programmer

Physical Contact
















1

08

06

04

02

0

minus02

minus04

minus06

minus080 1 2 3 4 5 6 7 8 9 10

Am

plitu

de (V

)


10011010 10010111 10011010 10011111 10010100

IPI IPIIPI

IPI IPI

R PeakR PeakR Peak


R Peak







External Programmer








Slightlydifferent

10

6

2

minus2

minus6

minus10

6

2

minus2

minus6

minus100

100

200

300

400

500

600

700

0

100

200

300

400

500

600

700





119862 0 1119896 997888rarr 0 1119899 (1)









119909 = 1119899119899

sum119894=1

IPI119894

1199042 = 1119899 minus 1

119899

sum119894=1

(IPI119894 minus 119909)2 (2)



11990410038161003816100381610038161003816100381610038161003816 (3)




Correct IPIs



IPI1

IPI1

IPI1

IPI2

IPI2

IPI2

IPI3

IPI3

IPI3

IPI4

IPI4 IPI5

Misaligned

Misaligned









sk = 119867(120574) (5)







sk1015840 = 119867(1205741015840) (7)







larr R0 1m

IMD (I)



ＭＥ = H()


）＄I ）＄P

SS( ) －ＭＥ(1 ）＄P ）＄I)

－ＭＥ(2 ）＄P ）＄I)

Programmer (P)






6 Security Analysis





Rec (1205961015840 SS (120596)) = 120596 if dist (120596 1205961015840) le 119905 (10)























119867(119883) = minus119899

sum119894=1

119901 (119909119894) log119901 (119909119894) (12)











680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)


7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI


10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0


474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4






119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Medical staffs


External Programmer

Physical Contact
















1

08

06

04

02

0

minus02

minus04

minus06

minus080 1 2 3 4 5 6 7 8 9 10

Am

plitu

de (V

)


10011010 10010111 10011010 10011111 10010100

IPI IPIIPI

IPI IPI

R PeakR PeakR Peak


R Peak







External Programmer








Slightlydifferent

10

6

2

minus2

minus6

minus10

6

2

minus2

minus6

minus100

100

200

300

400

500

600

700

0

100

200

300

400

500

600

700





119862 0 1119896 997888rarr 0 1119899 (1)









119909 = 1119899119899

sum119894=1

IPI119894

1199042 = 1119899 minus 1

119899

sum119894=1

(IPI119894 minus 119909)2 (2)



11990410038161003816100381610038161003816100381610038161003816 (3)




Correct IPIs



IPI1

IPI1

IPI1

IPI2

IPI2

IPI2

IPI3

IPI3

IPI3

IPI4

IPI4 IPI5

Misaligned

Misaligned









sk = 119867(120574) (5)







sk1015840 = 119867(1205741015840) (7)







larr R0 1m

IMD (I)



ＭＥ = H()


）＄I ）＄P

SS( ) －ＭＥ(1 ）＄P ）＄I)

－ＭＥ(2 ）＄P ）＄I)

Programmer (P)






6 Security Analysis





Rec (1205961015840 SS (120596)) = 120596 if dist (120596 1205961015840) le 119905 (10)























119867(119883) = minus119899

sum119894=1

119901 (119909119894) log119901 (119909119894) (12)











680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)


7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI


10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0


474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4






119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








1

08

06

04

02

0

minus02

minus04

minus06

minus080 1 2 3 4 5 6 7 8 9 10

Am

plitu

de (V

)


10011010 10010111 10011010 10011111 10010100

IPI IPIIPI

IPI IPI

R PeakR PeakR Peak


R Peak







External Programmer








Slightlydifferent

10

6

2

minus2

minus6

minus10

6

2

minus2

minus6

minus100

100

200

300

400

500

600

700

0

100

200

300

400

500

600

700





119862 0 1119896 997888rarr 0 1119899 (1)









119909 = 1119899119899

sum119894=1

IPI119894

1199042 = 1119899 minus 1

119899

sum119894=1

(IPI119894 minus 119909)2 (2)



11990410038161003816100381610038161003816100381610038161003816 (3)




Correct IPIs



IPI1

IPI1

IPI1

IPI2

IPI2

IPI2

IPI3

IPI3

IPI3

IPI4

IPI4 IPI5

Misaligned

Misaligned









sk = 119867(120574) (5)







sk1015840 = 119867(1205741015840) (7)







larr R0 1m

IMD (I)



ＭＥ = H()


）＄I ）＄P

SS( ) －ＭＥ(1 ）＄P ）＄I)

－ＭＥ(2 ）＄P ）＄I)

Programmer (P)






6 Security Analysis





Rec (1205961015840 SS (120596)) = 120596 if dist (120596 1205961015840) le 119905 (10)























119867(119883) = minus119899

sum119894=1

119901 (119909119894) log119901 (119909119894) (12)











680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)


7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI


10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0


474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4






119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




External Programmer








Slightlydifferent

10

6

2

minus2

minus6

minus10

6

2

minus2

minus6

minus100

100

200

300

400

500

600

700

0

100

200

300

400

500

600

700





119862 0 1119896 997888rarr 0 1119899 (1)









119909 = 1119899119899

sum119894=1

IPI119894

1199042 = 1119899 minus 1

119899

sum119894=1

(IPI119894 minus 119909)2 (2)



11990410038161003816100381610038161003816100381610038161003816 (3)




Correct IPIs



IPI1

IPI1

IPI1

IPI2

IPI2

IPI2

IPI3

IPI3

IPI3

IPI4

IPI4 IPI5

Misaligned

Misaligned









sk = 119867(120574) (5)







sk1015840 = 119867(1205741015840) (7)







larr R0 1m

IMD (I)



ＭＥ = H()


）＄I ）＄P

SS( ) －ＭＥ(1 ）＄P ）＄I)

－ＭＥ(2 ）＄P ）＄I)

Programmer (P)






6 Security Analysis





Rec (1205961015840 SS (120596)) = 120596 if dist (120596 1205961015840) le 119905 (10)























119867(119883) = minus119899

sum119894=1

119901 (119909119894) log119901 (119909119894) (12)











680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)


7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI


10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0


474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4






119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




Correct IPIs



IPI1

IPI1

IPI1

IPI2

IPI2

IPI2

IPI3

IPI3

IPI3

IPI4

IPI4 IPI5

Misaligned

Misaligned









sk = 119867(120574) (5)







sk1015840 = 119867(1205741015840) (7)







larr R0 1m

IMD (I)



ＭＥ = H()


）＄I ）＄P

SS( ) －ＭＥ(1 ）＄P ）＄I)

－ＭＥ(2 ）＄P ）＄I)

Programmer (P)






6 Security Analysis





Rec (1205961015840 SS (120596)) = 120596 if dist (120596 1205961015840) le 119905 (10)























119867(119883) = minus119899

sum119894=1

119901 (119909119894) log119901 (119909119894) (12)











680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)


7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI


10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0


474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4






119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



larr R0 1m

IMD (I)



ＭＥ = H()


）＄I ）＄P

SS( ) －ＭＥ(1 ）＄P ）＄I)

－ＭＥ(2 ）＄P ）＄I)

Programmer (P)






6 Security Analysis





Rec (1205961015840 SS (120596)) = 120596 if dist (120596 1205961015840) le 119905 (10)























119867(119883) = minus119899

sum119894=1

119901 (119909119894) log119901 (119909119894) (12)











680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)


7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI


10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0


474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4






119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





















119867(119883) = minus119899

sum119894=1

119901 (119909119894) log119901 (119909119894) (12)











680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)


7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI


10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0


474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4






119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia










680

600

500

400

300

200

128100

0

Secu

rity

leve

l (bi

t)


7IP）6IP）

5IP）4IP）

3IP）

127 255 511 1023

n

(255 12841) at 6IPI


10minus1

10minus2

10minus3

10minus4

10minus6

Erro

r rat

e

FRRFAR

MIT

-BIH

MG

HM

F

PTB

EURO

PEA

N S

T-T

LON

G-T

ERM

ST

325 times 10minus3

0 0 0


474 times 10minus2

666 times 10minus6

325 times 10minus2

560 times 10minus4






119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




119899 119905 119899 119905 119899 119905 119899 119905 119899 119905127 - 127 - 127 - 127 - 127 -255 - 255 - 255 18 255 19 255 22511 23 511 26 511 28 511 32 511 371023 39 1023 44 1023 49 1023 55 1023 64



FAR

004

0035

003

0025

002

0015

001

0005

00 20 40 60 80 100 120 140 160 180 200


MIT-BIH

MGHMFPTB










Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Table4Com

mun

icationoverhead

Preparationfork

eyexchange

Misd

etectio

ntolerance

Secure

PVexchange

(authentication)

Keyconfi

rmation

Total

[7] Se

nd|ID

IMD|+

|ID119875|

na

|Coff

er|+

|No|

|MAC

||ID

IMD|+

|ID119875|+

|119877|+

|MAC

|=10080

bytes

Receive

|IDIM

D|+

|ID119875|

|Ind|

+|MAC

|-

|IDIM

D|+

|ID119875|+

|IND|+

|MAC

|=65

bytes

[10] Se

nd|ID

IMD|+

|ID119875|+

|Enc R

SA2014|

na

|MAC

||ACK

Auth|

|Enc R

SA2014|+

|MAC

|+|ACK

Auth|=

289bytes

Receive

|IDIM

D|+

|ID119875|+

|Cert|

|MAC

|-

|IDIM

D|+

|ID119875|+

|Cert|+

|MAC

|=10

88bytes

[11] Se

nd|ID

IMD|+

|ID119875|

85times|

119898 IMD|

|ECC|

|MAC

||ID

IMD|+

|ID119875|+

85|119898119903|+

|ECC|

+|MAC

|=181b

ytes

Receive

|IDIM

D|+

|ID119875|

85times|

119898 119875|

|Enc A

ES128|

-|ID

IMD|+

|ID119875|+

85|119898119904|+

|Enc A

ES128|=

133bytes

Ours Send

|IDIM

D|+

|ID119875|

--

|MAC

||ID

IMD|+

|ID119875|+

|MAC

|=64

bytes

Receive

|IDIM

D|+

|ID119875|

-|EC

C||M

AC|

|IDIM

D|+

|ID119875|+

|ECC|

+|MAC

|=96

bytes

(i)Re

ferences

[710]

dono

tsup

portmisd

etectio

ntolerance(ii)IDIM

DandID119875deno

tetheidentityof

anIM



erdeno

testhe

setthat

inclu

desb

othrealPV

sand

chaff

points(|C

offer|=10000

bytes)(iv)N

odeno

tesa

nonce(uniqu

erand

omnu

mber)(|N

o|=16

bytes)(v)

Inddeno

testhe

inform

ationindicatin

gtheindexof

realmeasurements

outo

fallelem

entsin

Coff

er(|Ind|=1b

yte)(vi)M

ACdeno

testhe

message

authenticationcode

(|MAC|=32

bytes)(vii)EC

Cdeno

testhe

errorc

orrectioncode

(|ECC|

=32

bytes)(viii)119898


tethe

misd

etectio

nflag(|119898

IMD|=|119898119875|=1b

yte)(ix)C

ertd

enotes

thec

ertifi

catethatinclu

desthe

publickeyof


(|Cert|=1024

bytes)




10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





10000

1000

100

10

1

01

Am

ount

of e

nerg

y co

nsum

ed (m

J)

ReceiveSend

Ours[1] [35] [16]




[1] [35] [16] Ours

Am

ount

of e

nerg

y co

nsum

ed (

J)

SHA256



104

103

102

101

100




8 Discussion






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






9 Conclusion


Notation












Acknowledgments


References
































































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


























































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


Energy-Aware Key Exchange for Securing Implantable Medical ...

Documents

Transcript of Energy-Aware Key Exchange for Securing Implantable Medical ...