LEPA: A Lightweight and Efficient Public Auditing Scheme...

Research ArticleLEPA A Lightweight and Efficient Public Auditing Scheme forCloud-Assisted Wireless Body Sensor Networks

Song Li1 Jie Cui1 Hong Zhong1 Yiwen Zhang1 and Qiang He2

1School of Computer Science and Technology Anhui University Hefei Anhui China2School of Software and Electrical Engineering Swinburne University of Technology Melbourne VIC Australia

Correspondence should be addressed to Jie Cui cuijiemailustceducn

Received 26 March 2017 Accepted 23 May 2017 Published 19 July 2017

Academic Editor Chang Liu

Copyright copy 2017 Song Li et al This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

From smart watch to remote healthcare system wireless body sensor networks (WBSNs) play an important role in modernhealthcare system However the weak capacity of devices has limited WBSNs development Considering the huge processingand storage capacity of the cloud it can be merged with WBSNs to make up for the deficiencies of weak capacity Based on thisconsideration the concept of cloud-assisted WBSNs has been proposed recently In contrast to generic data the data in cloud-assisted WBSNs will be used for providing medical diagnosis so the integrity of data is very important because any modificationwill result in severe consequences such as misdiagnosis The public auditing scheme could provide an efficient solution to checkthe data integrity remotely without downloading them However the traditional public auditing scheme for cloud cannot be useddirectly due to the high data density and weak processing capacity in WBSNs So in this paper we proposed a lightweight andefficient public auditing scheme LEPA for cloud-assisted WBSNs Compared with similar schemes the WBSNsrsquo client only needsto do one symmetrical encryption with low computational cost in LEPA Security proof shows that LEPA can resist two types ofadversaries in random oracle model The efficiency evaluation also shows that LEPA outperforms previous proposals

1 Introduction

With the technological advances in various fields the peoplersquoslife expectancy increased all over the world In Unites Statesthe life expectancy has increased to 782 years from 698years over the last 50 years [1] It is expected that thenumber of people aged 60 years and older will reach about81 million in 2050 The aging population brings many socialand economic challenges For example the healthcare ofelderly with chronic diseases caused the huge burden onsociety To solve these problems the modern medical systemwith function of the remote medical clinical diagnosticsand real-time health monitoring has gained more and moreattention while the WBSNs (wireless body sensor networks)technique plays a fundamental role in intelligent modernmedical system

The body sensor networks (BSNs) were initially proposedby Zimmerman [2] Due to the use of wireless commu-nication technique they are also known as wireless body sen-sor networks (WBSNs) WBSNs are body-centric networks

within of 3ndash5m In general the WBSNs devices can beclassified as wearable devices and implantable devices Thewearable devices can be deployed on clothing or body surfaceand implantable devices can be implanted into human bodyto collect the Personal Health Information (PHI) such aselectrocardiogram and blood pressure After being collectedthe PHI will be sent to the controller (mobile phone) viawireless technique such asWiFi or BluetoothThen controllercan processstore the received PHI locally or send it toremote medical service provider which can analyze the userrsquosPHI to give health suggestion In some emergency situationssuch as sudden infant death syndrome (SIDS) which wasnot preventable in the past the SP can react process PHIimmediately and inform the medical staff to take emergencymeasures immediately (Figure 1 shows the typical architec-ture of WBSNs application for remote medical diagnosis)In addition WBSNs also can provide other entertainmentapplications such as motion sensing game or social network

Considering the eager demand of WBSNs in reality anumber of research institutions have conducted researches on

HindawiSecurity and Communication NetworksVolume 2017 Article ID 4364376 16 pageshttpsdoiorg10115520174364376

2 Security and Communication Networks

Patient

Mobilephone Access

pointInternet

Computingserver

Storageserver

Cloud service provider

Family Emergency Hospital

Figure 1 The system model of WBSNs application for remote medical treatment

theWBSNs system [3ndash8] In 2004 [6] theHarvardUniversitylaunched a system called CodeBlue for emergency care In2004 [7] the French CENS Research Institute launched theMARSIAN project MARSIAN is a wrist ambulatory moni-toring and recording system with a smart glove embeddedwith physiology sensors for the detection of the activity of theautonomic nervous system In 2005 [8] NASA and StanfordUniversity jointly developed the LifeGuard system for spaceand terrestrial applications Recently some WBSNs basedhealthcare monitoring and diagnosis architecture also havebeen proposed [9 10] In [9] Wannenburg and Malekianproposed a health monitoring scheme which is capable ofmeasuring the vital physiological parameters and sendingbiofeedback to user When an emergency is detected themedical notification will be sent to medical team To connectthe conventional electromagnetic-based Internet to the bio-chemical signaling-based bionanonetworkChude-Okonkwoet al proposed an illustrative scenario and system model ofan IoBNT for application in an advanced healthcare deliverysystem in literature [10] In 2012 [11] to generalize theapplications based on WBSNs the Institute of Electrical andElectronics Engineers (IEEE) released the 802156 standardto support for low energy consumption short distance andreliable wireless network communication surrounding thehuman body area

For the reason that theWBSNs applications are related topeoplersquos life security the security problem is a very importantissue On the Black Hat conference in 2012 a McAfee experthas proved that by remotely controlling the insulin pumpimplanted in the body hacker can inject an overdose ofinsulin causing patient death Besides the data collected

and transmitted in WBSNs are very sensitive because theyare used for clinical diagnostics Therefore authenticationdata confidentiality integrity access control and privacypreserving should be guaranteed while using the WBSNsIn HIPAA (Health Insurance Portability and AccountabilityAct) there are strict requirements for the patientrsquos identityand data privacy The standard 802156 also emphasises thesecurity issues in WBSNs In 802156 the communication isdivided into three security levels

Level 0 It is unsecured level without authentication orencryptionThis is the lowest level of security in 802156 thedata is transmitted in plaintext and no authentication stepsare executed at all

Level 1 (Only Authentication) Some measures are involved tovalidate the data but the data is still transmitted in plaintextwithout encryption

Level 2 (Authentication and Encryption) This is the highestlevel of security in 802156 where the data is transmitted inciphertext form and authentication is provided

However some recent works show that 802156 hassecurity defects [12 13] Therefore the 802156 is not secureenough for reality practice

With the maturity of the cloud computing technologyWBSNs and cloud computing technique have been mergedclosely Compared with WBSNs device cloud server hasmore powerful computing and storage capacity which isnicely complementary with WBSNs devices Based on thisconsideration the concept of cloud-assisted WBSNs has

Security and Communication Networks 3

been proposed Cloud-assisted WBSNs can provide the userwith richer experience than traditional WBSNs user canupload the PHI to cloud storage server to reduce the localstorage burden user also can outsource the large amount ofcollected PHI to cloud computing server to conduct medicalbig data analysis Recently many cloud-assisted WBSNssystems have been proposed [14ndash17] It is noteworthy thatthe data stored in cloud-assisted WBSNs are the basis ofall clinical diagnoses so the integrity of storing data is avery important issue because any modification on data willresult in severe consequences such as misdiagnosis To solvethis problem the public auditing technique is proposed Thepublic auditing scheme could provide an efficient solution tocheck the data integrity remotely without downloading themMany public auditing schemes for cloud have been proposed[18ndash28] recently However these schemes cannot be useddirectly in cloud-assistedWBSNs due to the high data densityin WBSNs and weak processing capacity of WBSNs devices

To resolve the drawbacks in the existing schemes weproposed a lightweight and efficient public auditing schemefor cloud-assistedWBSNsmdashLEPA in this paper Based on thelightweight designing concept we reduced the cryptographicoperation of client in our protocol besides by transferringthe authenticator generation work to service provider theclient (WBSNs devices) in our scheme only needs to do onesymmetric encryption

Based on our scheme LEPA a large number of userrsquosphysiological data can be uploaded to the remote cloud serverto build the userrsquos historical health record Besides the usercan check the integrity of the data stored in the cloud at anytime Our scheme can be used in the environment belowif a hospital is reluctant to purchase equipment or build itsown data center the hospital can upload patientsrsquo data tothe remote cloud service provider However considering therequirement for the accuracy of medical data hospital needsto audit the data integrity stored in the cloud at any timeThecontributions in this paper can be summarized as follows

(1) We analyzed the differences between cloud envi-ronment and cloud-assisted WBSNs including the trafficcharacteristic the capacity of the equipment and the privacyrequirements Based on these discussions we think that theexisting public auditing schemes are not suitable for the dataintegrity checking task in cloud-assisted WBSNs

(2) We proposed a new public auditing scheme LEPA forcloud-assisted WBSNs Based on the designing concept oflightweight cryptographic protocols we reduced the oper-ations with expensive time cost such as bilinear mappingand hash to point and improved the efficiency of the systembesides we translated the tag generation work from client toservice provider so as to reduce the computational burden onclient kind

The rest of paper is organized as follows in Section 2we introduce some related works including the securityresearches in WBSNs and storage auditing scheme for cloudenvironment in Section 3 some preliminaries are pre-sented the security requirements and system model are alsopresented in Section 3 in Section 4 we describe our proposedscheme LEPA in detail in Section 5 we prove that our schemeis secure under random oracle model and can defend two

types of adversaries performance analysis is presented inSection 6 At last we conclude our paper in Section 7

2 Related Works

21 The Security Researches in WBSNs There are many pro-posals that have been proposed to secure the communicationin WBSNs Generally speaking these proposals are mainlyfocused on authentication between sensors or authenticationbetween service provider (SP) and client Basically theseschemes can be classified as physiological parameter basedschemes and cryptography based schemes Physiologicalparameter based schemes use the similar biological charac-teristics (electrocardiogram blood pressure etc) collectedfrom the same individuals to identity the legal devices Theseschemes are mainly used to solve the problem of authentica-tion or key agreement between sensorswhich is also known asintrabody communication In [29 30] the authors proposedto use the interpulse interval of electrocardiogram (ECG) andphotoplethysmogram (PPG) to generate key for encryptionand authentication In [31 32] the frequency coefficientsof ECG and PPG are proposed to generate key In [33]Juels and Sudan put forward a method called ldquofuzzy vaultrdquofor biometric authentication In [34] Venkatasubramanianet al proposed a fuzzy vault based physiological signalkey agreement scheme (PSKA) however the ldquofuzzy vaultrdquobased scheme needs to add confusion data (chaff point)to achieve the security so the computational cost becomeshigher with the increasing of extra chaff points In [35 36]two modified fuzzy vault methods were proposed to improvethe performance In [37] Zhang et al proposed to use atime variation ECG features based scheme to achieve thekey extracting In [38] Mohana and Bai proposed a methodto generate 128-bit key from the dynamic behavior of ECGHowever the methods based on the physiological parameterhave the problem of poor accuracy because even in the sameindividual the collected signals still have small differences indifferent body parts In addition the physiological signal istime-variant so strict clock synchronization is needed but thestrict clock synchronization is difficult to achieve Further-more it is limited to use between different types of sensors(eg between the blood pressure sensor and accelerometer)So the physiological parameter based schemes are difficult tobe applied in practical applications

In contrast to the physiological parameter based schemesthe cryptography based schemes aremoremature and flexiblewhich can be applied in both intrabody communicationand external-body communication (authentication betweenservice provider and controller) The cryptography basedschemes can be divided into three types in general symmetriccryptography based schemes [39ndash44] traditional public keyinfrastructure (PKI) based schemes [45ndash50] and some spe-cial cryptographic methods based schemes such as identitycryptography [51] and certificateless cryptography [52] Com-pared with the latter two methods symmetric cryptographybased schemes need relatively low computational cost butsupport limited security functions and create key distributionproblem PKI based scheme needs relatively higher compu-tational cost compared with symmetric cryptography based


schemes the special cryptographic methods support richersecurity service but need the highest computational cost

In [39ndash44] the symmetrical cryptography based WBSNssecurity schemes have been proposed however the distribu-tion of secret keys is not efficient In [45ndash50] some public keycryptography based schemes are proposed however com-pared with the proposal [39ndash44] not only is higher compu-tational cost needed but also the certificate management andstorage are not efficient in resource-constraint WBSNs envi-ronment Compared with symmetrical cryptography basedschemes [39ndash44] and PKI based schemes [45ndash50] certificate-less cryptography based schemes [53ndash58] eliminate both thekey distribution problem in symmetrical key based schemesand certificate management in PKI based schemes so it ismore suitable for the application of WBSNs Liu et al pro-posed two certificateless authentication schemes for WBSNsfirstly [53] however their schemes have been observed tohave security defect [54 55] In [54] Zhao found that Liuet alrsquos scheme [53] cannot withstand the stolen verifier tableattack and proposed a new scheme but in Zhaorsquos scheme[54] a large number of pseudoidentities should be stored In[55] Zhaorsquos scheme [54] has proven that the userrsquos pseudo-identities could be traced In [56] He et alrsquos pointed out thesecurity defect of signature forging attack in Liu et alrsquos scheme[53] and proposed an improved scheme with proven securityXiong [57] pointed out that Liu et alrsquos scheme [53] cannotresist the attack mounted by the key replacement adversaryThey proposed a lightweight and certificateless anonymousauthentication scheme for extrabody communication How-ever their scheme cannot support revocation of illegal usersTo solve this problem Xiong and Qin [58] proposed anotherscheme with user revocation based on KUNODE revocationtree but the high computational and storage cost is needed intheir scheme

The schemes introduced above are mainly focused on theauthentication between sensors or authentication betweenSP and controller Some other security researches in WBSNshave been presented recently In [59] Lu et al proposeda secure and privacy preserving opportunistic computingframework for mobile health emergency based on attributeaccess control Once the execution of a task exceeds theenergy and computing power available on a single nodeother opportunistically contacted nodes can contribute to theexecution of the original task by running a subset of taskHowever in [60] Lee et al found that Lu et alrsquos scheme [57]has some security flaws such as user anonymity and theyproposed an improvedmobile-healthcare emergency schemebased on extended chaotic maps In [61] Yi et al proposedmedical data analysis scheme with homomorphic encryptionto achieve the privacy preserving however the security oftheir scheme is based on the assumption that the distributingservers cannot collude

The security problems in cloud-assisted WBSNs are alsobeing studied by more and more researchers [62ndash66] In[62] Zhou et al proposed a key management scheme forcloud-assisted WBSNs based on the Blomrsquos symmetrical keyTheir schemes could resist two types of adversaries the time-based adversaries and location-based adversaries In [63]Han et al proposed amultivalued and ambiguous encryption

scheme to ensure data confidentiality In [64] Wan et alproposed a cloud-assisted WBSNs architecture to solvethe problems including energy-efficient routing and cloudresource allocation however security properties were notachieved in their schemes In [65] Xie et al proposed a secureroaming authentication protocol for cloud-assisted WBSNsto achieve the devices authentication in different access pointIn [66] Zhu et al proposed a secure outsourced computingscheme for cloud-assisted WBSNs with 2DNF cryptosystemHowever their scheme could not simultaneously achievethe satisfying security goals and low computation cost In[67] Gupta et al proposed a secure IoT based cloud centricarchitecture to perform predictive analysis of userrsquos activitiesin sustainable health centers with RSA and DES encryptionalgorithms

22 Storage Auditing for Cloud Environment As can be seenfrom the schemes above the study of data integrity checkingfor cloud-assisted WBSNs is relatively limited Howeverdata integrity checking for cloud-assisted WBSNs is veryimportant because any modification on data will result insevere consequences such as misdiagnosis In cloud-assistedWBSNs userrsquos data is stored in remote cloud server instead ofstoring it locally Therefore it is not efficient to download allthe data from cloud server to check the integrity To addressthis problem the concept of public auditing was proposedby Shacham and Waters firstly [18] With public auditingtechnique user can check the data integrity remotely withoutdownloading all the stored data Based on this considerationmany public auditing schemes have been proposed later [19ndash22] However these schemes [18ndash22] are based on traditionalpublic key based cryptograph (TPKC) In TPKC a certificate-manager-certified certificate is needed to be bound withuserrsquos public key and identity With the increasing number ofusers the certificate management becomes difficult Besidesthe certificate transmitting is not suitable for bandwidth-constrained applications Considering the large number ofusers and limited bandwidthstorage resource in WBSNsdevices the TPKC-based schemes are not suitable for cloud-assisted WBSNs

To address the certificate management problem in TPKCthe identity-based public key cryptography (ID-based PKC)has been proposed by Shamir [51] In ID-based PKC the pub-lic key is userrsquos identity and the private key is extracted by keygenerate center (KGC) based on userrsquos public key (identity)Based on the identity-based public key cryptography (ID-based PKC) [51] several ID-based public auditing schemeshave been proposed [23ndash25] Wang et al [23] presented thefirst ID-based public auditing protocol proven to be secureassuming the hardness of the computational Diffie-Hellmanproblem Later Tan and Jia [24] proposed an ID-based publicverification scheme with aggregate signature In [25] Wangproposed an ID-based public auditing scheme for multicloudenvironment Though these schemes eliminate the certificatemanagement drawback in TPKC-based schemes [18ndash22]these schemes suffer from the drawback of key escrow (KGCcan get userrsquos private key) which is inherited from ID-basedPKC So these schemes are also not suitable for cloud-assistedWBSNs


In 2003 Al-Riyami and Paterson [52] presented theconcept of certificateless public key cryptography (CLPKC) toresolve the key escrow problem in ID-based PKC In CLPKCthe key is generally divided into two parts that are gener-ated by the user and KGC respectively Therefore CLPKCtechnique could resolve the key escrow problem in ID-based PKC and the key management in TPKC Some CLPKCbased authentication schemes have been proposed [26 27]Wang et al presented certificateless public auditing scheme(CLPA) [26] with blockless verifiability and homomorphicauthentication firstly Their scheme could resolve the keyescrow problem in ID-based public auditing schemes [23ndash25] and certificate management problem in TPKC Howevertheir scheme has proved that it cannot withstand the publickey replacement attack which is defined as type I by He et al[27] Considering that the CLPA based scheme is suitable forresource-constraintWBSNs environment He et al presentedanother CLPA scheme which can withstand the public keyreplacement attack in Wang et alrsquos scheme [26] Howeverwe found that He et alrsquos scheme [27] has some defectsbelow

(1) The scheme in [27] is based on the public auditingscheme in [26] The scheme in [26] is a public auditingscheme for cloud environment The authenticator generatingphase is conducted in client side considering that theWBSNsclient has weak processing capacity this part of computa-tional work will cause high energy loss and storage burdenforWBSNs client So it is not suitable to transplant the publicauditing scheme for cloud to WBSNs environment directly

(2) Secondly the public auditing scheme in [27] is usedfor personal file File uploading is a discrete event that mayhappen only once in a few days However when the WBSNsuser requests medical service the physiological informationis constantly collected (several times in one second) andlasts for a long period of time Similar to IoT the density ofcollected data by sensors is extremely large Based on (1) and(2) it is better to design a lightweight public auditing schemeto reduce the burden of authenticator generation in usersides

(3) At last we know that the cloud server can be dividedinto public cloud private cloud and hybrid cloud Privatecloud is a cloud server for individuals or company the privacyof data can be guaranteed But public cloud or hybrid cloudis a cloud service provider with untrusted third party soif the confidentiality of the data is not protected the userrsquossensitive medical information will be disclosed to the cloudservice provider However in [27] the userrsquos data is uploadedto cloud server directly without encryption Considering thatthe cloud server is untrusted the confidentiality cannot beprotected in their scheme

Based on the discussions above we can see that so farthere is still no public auditing scheme suitable for the low-capacity high data density and privacy preserving require-ments in cloud-assisted WBSNs However this kind ofscheme is necessary in reality before the cloud-assistedWBSNs healthcare systems are widely applied So thisinduced the motivation behind proposing our scheme LEPAin this paper

3 Preliminaries and Formulation

In this section we introduce the cryptographic techniqueused to construct LEPA and give a formal definition of cloud-assisted WBSNs public auditing scheme Besides the systemmodel and security requirements are also introduced in thissection

31 Cryptographic Techniques

Definition 1 (bilinear Pairing) Given an additive group 1198661and amultiplicative group1198662with the same order 119902 a bilinearparing refers to a map 119890 1198661 times1198662 rarr 1198662 if the following threeconditions hold

(1) Bilinearity forall119875119876 isin 1198661 and forall119886 119887 isin 119885lowast119902 119890(119886 sdot119875 119887 sdot119876) =119890(119875 119876)119886119887

(2) Nondegeneracy exist119875119876 isin 1198661 such that 119890(119886 sdot 119875 119887 sdot 119876) =11198662 (3) Computability forall119875119876 isin 1198661 and forall119886 119887 isin 119885lowast119902 these

exists an algorithm to compute 119890(119886sdot119875 119887sdot119876) efficiently

Definition 2 (ECDLP) forall119875 119904 sdot 119875 isin 1198661 119904 isin 119885lowast119902 it is difficult tofind out an algorithm 119860 to compute 119904 with input (119875 119904 sdot 119875)Definition 3 (CDLP) forall119875 119904sdot119875 119905sdot119875 isin 1198661 119904 119905 isin 119885lowast119902 it is difficultto find out an algorithm 119860 to compute 119904 sdot 119905 sdot 119875 with input(119875 119904 sdot 119875 119905 sdot 119875)32 System Model There are five entities in our schemekey generating center (KGC) cloud server (CS) clientservice provider (SP) and third-party auditor (TPA) Therelationship among them is shown in Figure 2

(1) CSTheCS in our scheme is a semitrusted entity with largecomputing power and storage capacity the client can uploadmedical data to the CS for storage If user wants to checkthe data integrity stored in CS the CS can execute interactiveprotocols (LEPA) with TPA to check if the stored data is well-kept

(2) KGC The KGC is also a semitrusted entity responsiblefor generating system parameters and extracting key for theother entities

(3) TPA The TPA is a semitrusted third party If the clientwants to check the integrity of stored data in CS heshe canrequest the service to TPA and then TPA runs an interactivealgorithm with CS to achieve the goal of integrity checkingIn this process TPA should not get any information aboutstored sensitivemedical dataThe reason of using TPA is thatfor a task of data integrity checking the checking result willbe unfair no matter whether it is generated by client or CSreluctant to take the responsibility of data corruption the CSmay give out an incorrect result similarly client also wants toshirk the responsibility of the data corruption to CS

(4) Client Client is a cloud-assisted WBSNs service userHeshe uses sensor devices to obtain PHI uploads PHI to the


Client

Medical dataauthenticator

Cloudserver

Serviceprovider

Third-partyauditor

Medicaldata

Proof

Challenge

WiFiUser

Auditingrequest

Figure 2 The system model of our public auditing scheme

CS and forms historical archivesThe client has limited com-puting and storage capacity compared with CS and SP Theclient does not want any part to get hisher PHI except for SP

(5) SP SP is a trusted part which can provide medical servicefor client The SP has stronger capacity of computing andstorage than client The SP is responsible for generatingauthenticator and uploading the real-time collected PHI toCS The SP also needs to analyze PHI and give a diagnosticresult to client

33 The Definition of Cloud-Assisted WBSNs Public AuditingScheme Here we give a formal definition of cloud-assistedWBSNs public auditing scheme

Definition 4 (cloud-assistedWBSNs public auditing scheme)A cloud-assistedWBSNs public auditing scheme is composedof algorithms below

(1) 119878119910119904119878119890119905119906119901(1119897) rarr (119902 1198661 1198662 119875119867 ℎ 119890PKKGC) The Sys-Setup is a probabilistic algorithm which takes a securityparameter 119897 as input and generate the published systemparameters (119902 1198661 1198662 119875119867 ℎ 119890PKKGC) This algorithm isrun by KGC

(2) ParKeyGen(IDSPPKSP1) rarr (PKSP1PKSP2) TheParKeyGen is a probabilistic algorithm which takes the SPrsquosidentity IDSP and SPrsquos partial public key PKSP1 as inputs andthen KGC generates another partial key PKSP2 and returns(PKSP1PKSP2) to SP This algorithm is run by KGC

(3) PriKeyGen(119873119880119871119871) rarr (SKSP) The PriKeyGen algorithmis a probabilistic algorithm which takes NULL as input

and generates private key for SP This algorithm is run bySP

(4) PubKeyGen(SKSP) rarr (PKSP1) The PubKeyGen algo-rithm is a probabilistic algorithm which takes SKSP as inputand generates partial public key PKSP1 for SPThis algorithmis run by SP

(5) Encryption(119898119894) rarr (119888119894) The Encryption algorithm is aprobabilistic algorithm which takes the plaintext of medicaldata119898119894 as input and generates the ciphertext of medical data119888119894 as output This algorithm is run by client

(6) 119860119906119905ℎ119866119890119899(SKSP id119894PKKGCPKSP1PKSP2 IDSP 119888119894) rarr(auth119894) The 119860119906119905ℎ119866119890119899 algorithm is a probabilistic algorithmwhich takes SPrsquos private key SKSP the identity id119894 of 119888119894 the SPrsquospublic key (PKSP1PKSP2) and KGCrsquos public key PKKGC asinputs and generates the authenticator auth119894 for 119888119894 This algo-rithm is run by SP

(7) 119875119903119900119900119891119866119890119899(Chal auth119894) rarr (Pro 119862) The 119875119903119900119900119891119866119890119899 algo-rithm is a probabilistic algorithm which takes Chal as thechallenge and the generator auth119894 as input and generates aproof (Pro 119862) This algorithm is run by CS

(8) 119875119903119900119900119891119881119890119903119894119891119910(Pro 119862) rarr (ldquoTRUErdquo or ldquoFALSErdquo) The119875119903119900119900119891119881119890119903119894119891119910 algorithm is a deterministic algorithm whichtakes (Pro 119862) as input and returns ldquoTRUErdquo or ldquoFALSErdquo Thisalgorithm is run by TPA

34 Security Requirements Here we give some securityrequirements for cloud-assisted WBSNs public auditingscheme [27]


Input a security parameter 119897Output system parameters (119902 1198661 1198662 119875119867 ℎ 119890PKKGC)(1)The KGC chooses a large prime number 119902 gt 2119897(2)The KGC chooses an additive group ⟨1198661 +⟩ a multiplicative group ⟨1198662 sdot⟩ a generator 119875 of 1198661

Then KGC chooses a bilinear paring 1198661 times 1198661 rarr 1198662(3)The KGC chooses three hash functions119867 (0 1)lowast 1198661 rarr 1198661 ℎ (0 1)lowast 1198661 1198661 1198661 rarr 119885lowast119902 (4)The KGC choose a random number SKKGC isin 119885lowast119902 as secret key and generates PKKGC = SKKGC sdot 119875(5) Returns (119902 1198661 1198662 119875119867 ℎ 119890PKKGC)Algorithm 1 SysSetup

(1) Publicly Verifiability TPA should verify the data integritystored inCSwithout downloading the entire data and causingadditional computational burden on user

(2) Privacy Preserving The uploaded data should not beaccessed by the CS or TPA even while uploading or auditing

(3) Storage Correctness Only the server keeping the userrsquosdata can accomplish the publicly verifiability with TPA

(4) ConfidentialityThe data transfer between any two partiesshould be encrypted

(5) Batch Auditing To improve the efficiency the TPAshould execute multiple auditing tasks simultaneously whenreceiving several requests

4 Our Proposed Scheme LEPA

There are eight polynomial-time algorithms in our proposedscheme LEPA that is SysSetup PriKeyGen PubKeyGenParKeyGen EncryptionAuthGen ProofGen and ProofVerifyNotations shows the notation list of our scheme

Our designed protocolrsquos general work flow is as follows inthe SysSetup phase KGC generates a set of system parametersand publishes them next SP needs to generate its private keyand public key in PriKeyGen and PubKeyGen respectivelyafter these two steps the SP sends the partial public keygenerated by himselfherself to KGC and KGC will generateanother partial public key for SP in ParKeyGen phase inEncryption phase client encrypts the collected PHI withshared secret key and sends the ciphertext to SP (we assumethat a shared secret key has been established and this partof the work is not considered in this paper because thereexist many authentication and key establishment schemesfor SP and client in WBSNs [53ndash58]) after SP receives thePHI the SP generates an authenticator for the encrypted data(AuthGen phase) and uploads the PHI with authenticatorto CS uploaded PHI forms a userrsquos medical history filesclientSP can apply for data from the CS when the clientSPwants to check the integrity of stored data (whether the datahas been lost or damaged for the reason of CS) clientSPrequests service to TPA (third-party auditing is to ensurefairness) After TPA receives the request TPA will send achallenge to the CS and then CS will respond with a proofto TPA (ProofGen phase) TPA can check the data integrity

ParKeyGen

PriKeyGen

PubKeyGen

SysSetup

ProofVerify

AuthGen

ProofGen

(Pro C)

Result (TRUE or FALSE)

(Pro C)

(）＄３００＋３０1)

ＯＮＢi

ＯＮＢi３＋３０

３＋３０

０＋３０1

０＋３０2

Figure 3 The flow chart of our public auditing scheme

with proof (ProofVerify) and then send the auditing result tothe clientSP The work process of our scheme is shown inFigure 3

41 The Details of LEPA

SysSetup Phase The KGC inputs a security parameter119897 into Algorithm 1 and outputs the system parameters(119902 1198661 1198662 119875119867 ℎ 119890PKKGC) KGC publishes these parame-ters and the other entities including CS TPA client and SPcan get them

PriKeyGen Phase The SP generated Algorithm 2 to generateprivate key for himselfherself

PubKeyGen Phase The SP executes Algorithm 3 to gen-erate partial public key for himselfherself Then SP sends(IDSPPKSP1) to KGC where IDSP is SPrsquos identity

ParKeyGen Phase Upon receiving the request (IDSPPKSP1)from SP the KGC generates another partial public key forSP with Algorithm 4 Then KGC sends PKSP2 to SP Afterreceiving PKSP2 the SP takes (PKSP1PKSP2) as hisherpublic key


Input119873119880119871119871Output SKSP(1)The SP chooses a random number SKSP isin 119885lowast119902 as SPrsquos secret key(2) Returns SKSP

Algorithm 2 PriKeyGen

Input SKSPOutput PKSP1(1)The SP computes PKSP1 = SKSP sdot 119875 as partial public key(2) Returns PKSP1

Algorithm 3 PubKeyGen

Input (IDSPPKSP1)Output PKSP2(1) KGC computes 119876 = 119867(IDSPPKSP1) isin 1198661(2) KGC computes PKSP2 = SKKGC sdot 119876(3) Returns PKSP2

Algorithm 4 ParKeyGen

Encryption Phase In this phase the client generates theciphertext of collected data119898119894 (we assume that the establishedkey is KEY) The client computes ciphertext 119888119894 with KEY (anysymmetrical cryptosystem can be taken such as AES) Theclient sends 119888119894 to SPAuthGen Phase The SP executes Algorithm 5 to generate theauthenticator for 119888119894 After that the SP sends (auth119894 119888119894) to CSThe CS stores the collected data block 119888119894 and its authenticatorauth119894

ProofGen Phase If SPclient wants to check the integrity ofstored data in CS Heshe can send the auditing request toTPAThenTPA executes Algorithm6withCS to get the proof(Pro 119862) from CS The proof will be used for auditing in thenext phase

ProofVerify Phase Upon receiving the proof (Pro 119862) fromCS the TPA executes Algorithm 7 to check the integrity of 11988811989442 Correctness Proof The correctness of TPA can check theintegrity of data block (119894 119903119894)119894isin119868 with proof (Pro 119862) that canbe proved by the formula derivation below

119890 (Pro 119875) = 119890( 119896sum119894=1

119903119894 sdot auth119894 119875) = 119890( 119896sum119894=1

119903119894 sdot (SKSP

sdot ℎ (id119894PKKGCPKSP1PKSP2) sdot 119867 (IDSPPKSP1)+ PKSP2 sdot 119888119894) 119875) = 119890( 119896sum

119894=1

119903119894 sdot (SKSP

sdot ℎ (id119894PKKGCPKSP1PKSP2) sdot 119867 (IDSPPKSP1)+ SKKGC sdot 119867 (IDSPPKSP1) sdot 119888119894) 119875) = 119890( 119896sum

119894=1

119903119894sdot (SKSP sdot ℎ (id119894PKKGCPKSP1PKSP2) + SKKGC sdot 119888119894)sdot 119867 (IDSPPKSP1) 119875) = 119890(119867(IDSPPKSP1) 119896sum

119894=1

119903119894sdot (SKSP sdot ℎ (id119894PKKGCPKSP1PKSP2) + SKKGC sdot 119888119894)sdot 119875) = 119890(119867(IDSPPKSP1) 119896sum

119894=1

119903119894 sdot SKSP

sdot ℎ (id119894PKKGCPKSP1PKSP2) sdot 119875 + 119896sum119894=1

119903119894 sdot SKKGC

sdot 119888119894 sdot 119875) = 119890(119867(IDSPPKSP1) 119896sum119894=1

119903119894

sdot ℎ (id119894PKKGCPKSP1PKSP2) sdot (SKSP sdot 119875) + 119896sum119894=1

119903119894

sdot 119888119894 sdot (SKKGC sdot 119875)) = 119890(119867 (IDSPPKSP1) 119877

sdot PKSP1 + 119896sum119894=1

119903119894 sdot 119888119894 sdot PKKGC) = 119890 (119867 (IDSPPKSP1) 119877 sdot PKSP1 + 119862 sdot PKKGC) = 119890 (ℎ0 119877 sdot PKSP1 + 119862sdot PKKGC) = 119890 (119862 sdot PKKGC + 119877 sdot PKSP1 ℎ0)

(1)

5 Security Analysis

In this part we analyze the security of our certificatelesspublic auditing scheme LEPA in the random oracle modelwe analyze and prove that the two types of attackers in certifi-cateless cryptography will not succeed We first introduce thesecurity model in Section 51 in Section 52 we give proofs oftwo security lemmas

51 Adversary Model There are two types of adversaries incertificateless based schemes [24] type I adversary 1198601 andtype II adversary 1198602 The type I adversary 1198601 can accessprivate key of KGC but cannot replace the SPrsquos public key the


Input (SKSP id119894PKKGCPKSP1PKSP2 IDSP 119888119894)Output auth119894(1)The SP computes auth119894 = SKSP sdot ℎ(id119894PKKGCPKSP1PKSP2) sdot 119867(IDSPPKSP1) + 119888119894 sdot PKSP2(2) Returns auth119894

Algorithm 5 AuthGen

Input NULLOutput (Pro 119862)(1) TPA generates a challenge Chal = (119894 119903119894)119894isin119868 where 119868 is a 119896-element subset of set [1 119899] and 119903119894 isin 119885lowast119902 and

sends Chal to CS(2)The CS computes Pro = sum119896119894=1 119903119894 sdot auth119894 and 119862 = sum119896119894=1 119903119894 sdot 119888119894(3) Returns (Pro 119862)Algorithm 6 ProofGen

Input (Pro 119862)Output ldquoTRUErdquo or ldquoFALSErdquo(1)The TPA computes ℎ0 = 119867(IDSPPKSP1) and ℎ119894 = ℎ(id119894PKKGCPKSP1PKSP2) and 119877 = sum119896119894minus1 119903119894 sdot ℎ119894(2)The TPA checks whether equation 119890(Pro 119875) = 119890(119862 sdot PKKGC + 119877 sdot PKSP1 ℎ0) holds(3) Returns result

Algorithm 7 ProofVerify

type II 1198602 can replace the SPrsquos public key but cannot accessKGCrsquos private key Our proof is based on this model andtwo games are set up between the challenger 119862 and 1198601 1198602The adversary 1198601 1198602 cloud accesses the following oraclecontrolled by 119862Create-User Upon receiving a request with ID119883 119862 computesPKSP1PKSP2 and SKSP with algorithms PriKeyGen Pub-KeyGen and ParKeyGen finally 119862 returns PKSP1PKSP2 to11986011198602Public Key Replacement Upon receiving the query withIDSPPK1015840SP1PK1015840SP2 119862 replaces PKSP1PKSP2 withPK1015840SP1PK1015840SP2Tag-Gen Upon receiving the query with 119888119894 119894119889119894 119862 computesauth119894 with algorithm AuthGen and returns 119888119894 id119894 auth119894 to1198601119860252 Security Analysis In this section we prove that ourscheme is secure against two types of adversaries 1198601 1198602 inrandom oracle model

Lemma 5 The proposed scheme is secure against type Iadversary 1198601 if CDH problem is hard in 1198661Proof Suppose 1198601 could win the authenticator forginggame then 119862 can construct a polynomial-algorithm to solve

the CDH problem with nonnegligible probability 120576 givenan instance (119875 1198761 = 119886 sdot 119875 1198762 = 119887 sdot 119875) we set PKSP1 = 1198761here

ℎ-Query 119862 maintains a list 119871ℎ of tuples id119894PKKGCPKSP1PKSP2 1199061 and sets them as empty initially Uponreceiving a request with id119894PKKGCPKSP1PKSP2 119862checks whether tuple id119894PKKGCPKSP1PKSP2 exists Ifso 119862 returns 1199061 to 1198601 else 119862 generates a random number1199061 isin 119885lowast119902 and returns 1199061 to 1198601119867-Query 119862 maintains a list 119871119867 of tuples IDSPPKSP1 1199062and sets them as empty initially Upon receiving a requestwith IDSPPKSP1 119862 checks whether tuple IDSPPKSP1exists If so 119862 returns 1199062 to 1198601 else 119862 generates a randomnumber 1199111 isin 119885lowast119902 and returns 1199062 = 1199111 sdot 1198762 to 1198601Create-User 119862 maintains a list 119871119880 of tuples IDSP SKSPPKSP1PKSP2 and sets them as empty initially Upon receiv-ing a request with ID119883 119862 checks whether tuple IDSP SKSPPKSP1PKSP2 exists If so 119862 returns PKSP1PKSP2 to 1198601else if ID119883 = IDSP119862 generates a randomnumber SKSP isin 119885lowast119902 requesting 119867-query with IDSPPKSP1 then 119862 computesPKSP2 = SKKGC sdot119867(IDSPPKSP1) and returns PKSP1PKSP2to 1198601 if ID119883 = IDSP 119862 chooses a random number 119908 andcomputes PKSP2 = 119908 sdot SKKGC sdot 119867(IDSPPKSP1) and returnsPKSP1PKSP2 to 1198601


Public Key Replacement Upon receiving the query withIDSPPK1015840SP1PK1015840SP2 PK1015840SP1 and PK1015840SP2 are replaced keysgenerated by 1198601 119862 looks up 119871119880 and replaces PKSP1PKSP2with PK1015840SP1PK1015840SP2Tag-Gen Upon receiving the query with 119888119894 id119894 119862 makesℎ-query with id119894PKKGCPKSP1PKSP2 andmakes119867-querywith IDSPPKSP1 Then auth119894 = SKSP sdot 1199061 sdot 1199062 + 119888119894 sdot PKSP2is computed At last 119862 returns 119888119894 id119894 auth119894 to 1198601

Eventually 1198601 outputs a forgery proof (Pro1015840 1198621015840) withchallenge Chal = (119894 119903119894)119894isin119868 from TPA 119862 looks up 119871ℎ and119871119867 respectively at last 119862 could get the following equation

119890 (Pro 119875) = 119890 (119862 sdot PKKGC + 119877 sdot ℎ1 sdot PKSP1 ℎ0)= 119890 (119862 sdot PKKGC ℎ0) sdot 119890 (119877 sdot ℎ1 sdot PKSP1 ℎ0) (2)

119862 also can get another equation

119890 (Pro1015840 119875) = 119890 (119862 sdot PKKGC + 119877 sdot ℎ10158401 sdot PKSP1 ℎ0)= 119890 (119862 sdot PKKGC ℎ0) sdot 119890 (119877 sdot ℎ10158401 sdot PKSP1 ℎ0) (3)

Based on (2) and (3) we could get

119890 (Pro minus Pro1015840 119875)= 119890 (119877 sdot ℎ1 sdot PKSP1 minus 119877 sdot ℎ10158401 sdot PKSP1 ℎ0)= 119890 (119877 sdot (ℎ1 minus ℎ10158401) sdot PKSP1 ℎ0)= 119890 (119877 sdot (ℎ1 minus ℎ10158401) sdot 1198761 sdot 119877 119911119894 sdot 1198762)= 119890 (119877 sdot (ℎ1 minus ℎ10158401) sdot 119886 sdot 119877 sdot 119875 119911119894 sdot 119887 sdot 119875)= 119890 (119877 sdot (ℎ1 minus ℎ10158401) sdot 119911119894 sdot 119886 sdot 119887 sdot 119877 sdot 119875 119875)

(4)

Then we could get ProminusPro1015840 = 119877 sdot (ℎ1 minusℎ10158401) sdot 119911119894 sdot 119886 sdot 119887 sdot 119877 sdot 119875and output (119877 sdot (ℎ1 minus ℎ10158401) sdot 119911119894 sdot 119877 sdot 119886 sdot 119887)minus1 sdot (Pro minus Pro1015840) as thesolution of CDH instance (119875 1198761 = 119886 sdot 119875 1198762 = 119887 sdot 119875)Lemma 6 The proposed scheme is secure against type IIadversary 1198602 if CDH problem is hard in 1198661Proof Suppose1198602 could win the authenticator forging gamethen 119862 can construct a polynomial-algorithm to solve theCDH problem with nonnegligible probability 120576 given aninstance (119875 1198761 = 119886 sdot 119875 1198762 = 119887 sdot 119875)Create-User 119862 maintains a list 119871119880 of tuples IDSP SKSPPKSP1PKSP2 and sets them as empty initially Upon receiv-ing a request with ID119883 119862 checks whether tuple IDSPSKSPPKSP1PKSP2 exists If so119862 returns PKSP1PKSP2 to1198601 else if ID119883 = IDSP119862 generates a randomnumber SKSP isin119885lowast119902 sets PKSP1 = 1198761 requests 119867-query with IDSPPKSP1and computes PKSP2 = SKKGC sdot 119867(IDSPPKSP1) then 119862returns PKSP1PKSP2 to 1198601 if ID119883 = IDSP 119862 chooses arandom number 119908 and computes PKSP1 = 119908 sdot 119875PKSP2 =SKKGC sdot 119867(IDSPPKSP1) and returns PKSP1PKSP2 to 1198601

The other queries are the same as Lemma 5

Eventually 1198602 outputs a forgery proof (Pro1015840 1198621015840) withchallenge Chal = (119894 119903119894)119894isin119868 from TPA119862 looks up 119871ℎ and 119871119867respectively at last 119862 could get the following equation






(7)

Then we could get ProminusPro1015840 = 119877 sdot (ℎ1 minusℎ10158401) sdot 119911119894 sdot 119886 sdot 119887 sdot 119877 sdot 119875and output (119877 sdot (ℎ1 minus ℎ10158401) sdot 119911119894 sdot 119877 sdot 119886 sdot 119887)minus1 sdot (Pro minus Pro1015840) as thesolution of CDH instance (119875 1198761 = 119886 sdot 119875 1198762 = 119887 sdot 119875)

Through Lemmas 5 and 6 we have proved that ourscheme could defend two types of attackers in certificatelesspublic auditing scheme

53 Security Requirements Discussions

(1) Publicly Verifiability From the equation of correctnessanalysis we can see that through the ProofGen and ProofVer-ify TPA only needs to verify the proof generated by CSwhen the user requests public auditing serviceTherefore ourscheme satisfies the publicly verifiability requirement

(2) Privacy Preserving We can see that our scheme achievesprivacy preserving from two aspects firstly the medicaldata storing on CS is encrypted so CS cannot get anyinformation about the clientrsquos PHI the TPA also cannot getany information with proof generated from CS So we cansee that our scheme achieves the goal of protecting the clientrsquosprivacy

(3) Storage Correctness When the stored data in CS has beenmodified deleted or corrupted the TPA can check the resultwith the algorithm ProofVerify Besides we can see that anyadversaries cannot forge the proof without secret key throughLemmas 5 and 6 So we see that the storage correctness hasbeen achieved in our scheme

(4) Confidentiality The data has been encrypted with sessionkey established between client and SP So the monitor cannot


Table 1 The cryptographic operation in client side

LEPA He et alrsquos scheme [27] Yu et alrsquos scheme [28]1Enc (2PM + 2119867 + 1ℎ) (3Exp + 1119867)Enc symmetrical encryption PM point multiplication119867 hash to elementℎ hash Exp exponentiation

get any information of clientrsquos collected medical data So wesee that the confidentiality has been achieved in our scheme

(5) Batch Auditing Through the algorithm of ProofVerify wecan see that several blocks of data can be checked in onephaseTherefore our scheme achieves batch auditing require-ment

6 Performance Analysis

61 Computational Cost We evaluate the performance ofour proposed scheme through several experiments with thehelp of Java Pairing-Based Cryptography (JPBC) library [68]These experiments are carried out on a machine with IntelCore i5-3337U CPU (18 GHz clock speed) 4GB RAM andrunning the Win 8 Operating System The selected ellipticcurve is a supersingular curve 1199102 = 1199093 + 119909 with the orderof 160 bits and elements in 1198661 is 128 bytes We comparedour scheme with the other two schemes [27 28] for thereason that these two schemes are similar to our proposedschemes The comparison is mainly focused on ProofVerifyand AuthGen phase for the reason that these two phases arethe two most time-consuming phases

In Figure 4(a) we can see that in AuthGen phaseour scheme needs less time compared with the other twoschemes We tested [0 1000] blocks of data The time costof the authenticator generating time is linearly increasingBesides considering that in our scheme the AuthGen phaseis conducted in SP side (in [27 28] the AuthGen phase isgenerated by client) the time cost of authenticator generationfor client is 0 The client only needs to do one symmetricalencryption such as AES (computational cost in client side isshown in Table 1) For the reason that in pairing-based cryp-tographic schemes the point multiplication operation hashto point and bilinear pairing are the main computationalexpansive operations the time cost of each algorithmmainlydepends on the number of point multiplication operationsHowever the symmetrical encryption only needs almost thesame computational cost with hash function which is negligi-ble compared with point multiplication and exponentiationSo from Table 1 we can see that the computational cost of ourscheme LEPA with 1Enc greatly reduces the computationalcost in client side compared with He et alrsquos scheme (2PM +2119867 + 1ℎ) and Yu et alrsquos scheme (3Exp + 1119867)

In Figures 4(b) and 5 we tested the ProofVerify efficiencyof the three schemes In Yu et alrsquos scheme [28] the proofverifying time will be affected with the changing of timeperiod for the reason that the proof verifying parametersare changed in different time period In Yu et alrsquos schemeeach time period corresponds to a tree node and with thevariation of the node depth in tree the time cost is different

Table 2 The communication cost comparison

LEPA He et alrsquos scheme [27] Yu et alrsquos scheme [28]

1 group elementand 1 integer

1 group element and 1integer

(119889 + 2) groupelements and 2

integers119889 is the parameter numbers ofΩ119895 in Yu et alrsquos scheme [28]

We tested the results in different depth of the node 119889 = 110 and 15 We can see that in the three conditions (Figures4(b) 5(a) and 5(b)) our scheme needs the least computationcost The reason is that with the increase of data blocks inthe verification step only several integer arithmetic and hashoperations are conducted however integer multiplicationand hash operations are relatively of low computation cost Inscheme [28] one more bilinear pairing operation is neededthe bilinear pairing operation is computation-expensive soYuet alrsquos scheme needs the highest time cost In scheme [27]with increasing of verifying data blocks themapping to pointoperations and point multiplications are increasing but thetime cost of these two operations is relatively high so withthe increasing amount of data blocks the time cost of schemeis growing quickly

Yu et alrsquos scheme needs relatively more bilinear maps (3bilinear maps) and this part of computational cost makes upa large proportion when verified blocks are fewTherefore inthe initial stage Yu et alrsquos scheme costs more time comparedwith other two schemes However the computational cost ofHe et alrsquos scheme will gradually increase and transcend Yu etalrsquos scheme due to the mapping to point operation and pointmultiplication operations The time point of transcendingchanges with the depth of time node in Yu et alrsquos schemein Figure 4(b) (119889 = 1) He et alrsquos scheme transcend Yu etalrsquos scheme in earlier time point with the increase of thetime node depth the time point of transcending will bedelayed the transcending time was delayed in Figure 5(a)(119889 = 10) compared with Figure 4(b) (119889 = 1) When 119889 = 15(Figure 5(b)) the time of transcending time disappeared (butit will certainly appear at a certain moment in future)

62 Communication Cost The communication cost ofscheme is generated in Algorithm 5 AuthGen Algorithm 6ProofGen and Algorithm 7 ProofVerify The communicationcost of Chal is the same in three schemes with the formChal = (119894 119903119894)119894isin119868 the elements 119894 and 119903119894 are two integers andthe size of Chal depends on the number of (119894 119903119894) in Chal Thenumber of (119894 119903119894) in Chal will depend on the number of datablocks to be checked in the cloud server which was decidedby the auditor

However the communication cost of Proof is different inthree schemes (a detailed comparison is shown in Table 2)from Table 2 we can see that our scheme has the samecommunication cost as He et alrsquos scheme [27] in He et alrsquosscheme the form of proof is (119898 119878) and in our scheme theform of proof is (Pro 119862) where Pro = sum119896119894=1 119903119894 sdot auth119894 and119862 = sum119896119894=1 119903119894 sdot119888119894 For the reason that auth119894 = SKSP sdotℎ(id119894PKKGCPKSP1PKSP2)sdot119867(IDSPPKSP1)+119888119894 sdotPKSP2 is a group element


0

20

40

60

80

100

120

140

0 100 200 300 400 500 600 700 800 900

The t

ime c

ost o

f aut

hent

icat

or g

ener

atin

g (s

)

The number of messages to be tagged

He et alrsquos schemeOur schemeYu et alrsquos scheme

(a)

01

02

03

04

05

06

07

1 15 2 25 3 35 4 45 5

The t

ime c

ost o

f aud

iting

(s)

The number of messages to audit

Our schemeHe et alrsquos schemeYu et alrsquos scheme

(b)

Figure 4 (a) The time cost of authenticator generating phase with regard to the number of blocks in seconds (b) the time cost of proofverifying phase with regard to the number of blocks in seconds (119889 = 1)

0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10

The t

ime c

ost o

f aud

iting

(s)



(a)

The t

ime c

ost o

f aud

iting

(s)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10


(b)

Figure 5 (a) The time cost of proof verifying phase with regard to the number of blocks in seconds (119889 = 10) (b) the time cost of proofverifying phase with regard to the number of blocks in seconds (119889 = 15)


Pro = sum119896119894=1 119903119894 sdot auth119894 is also a group element So we can com-pute that the communication cost in our scheme is 1 groupelement and 1 integer In He et alrsquos scheme 119878 = sum119888119895=1 119908119894 sdot119878119894119895 and 119898 = sum119888119895=1 119908119894 sdot 119898119894119895 with the same method we canget that the communication cost in their scheme is 1 groupelement and 1 integer For the reason that the communica-tion and computational cost in Yu et alrsquo scheme [28] are time-varying the proof in Yu et alrsquos schemewill be changing in dif-ferent time periodThe proof in their scheme is (119895 119880 120590 120583 Ω119895)about (119889 + 2) group elements and 2 integers where 119889 is theparameter numbers inΩ119895 (the depth of time node) So fromTable 2 we can see that our scheme needs the same commu-nication cost as He alrsquos scheme and less communication costthan Yu et alrsquos scheme

7 Conclusion

Considering that there has been no good solution for publicauditing in cloud-assisted WBSNs we propose a lightweightand efficient public auditing scheme LEPA for cloud-assistedWBSNs in this paper With our proposed scheme LEPAin some healthcare applications of cloud-assisted WBSNs(such as the hospital without private data center that needsto outsource the important medical data into cloud serviceprovider) the sensitive data used for diagnosis could bechecked whether it is well-kept in remote cloud serverThrough the lightweight designing concepts we reduce thecomputational expensive operations such as hash to point orpoint multiplication in user side In addition the authenti-cator generation is outsourced to service provider and useronly needs to do one symmetrical encryption Compared torelated works the client in our scheme has the least securitycomputational burden Besides we give the formal securityproof of that our scheme can resist two kinds of adversariesin the randomoraclemodel including public key replacementattacker and master key accessing attacker Furthermore weuse Java language to implement our scheme The experi-mental result shows that our scheme outperforms other sim-ilar schemes in both the verification phase and authenticatorgenerating phase To the best of our knowledge and using theanalysis above we think that the proposed scheme LEPA isthe most suitable public auditing scheme for cloud-assistedWBSNs

Although our proposed scheme LEPA achieves bettersecurity properties and efficiency compared with similarworks however we think that our scheme still has the defectsbelow

(1) The application model is relatively simple and notsuitable for complicated model such as multiuser model Insome application scenarios such as community hospital theusers may be organized as a group to share the data stored incloud So it is meaningful to propose amultiusermodel basedcloud-assisted WBSNs auditing scheme

(2) Considering that with the physiological sensors inWBSNs the physiological information can be collected andthese data can be used to achieve biometric authenticationthe two-factor based auditing schemes will support strongersecurity goals

So in the future we plan to extend our scheme LEPAto different application scenarios such as mobile WBSNbased healthcare system or the multiuser model of cloud-assisted WBSNs environment Besides the two-factor basedauthentication technology with physiological informationand modern cryptographic technology will be used togetherin our future works to enhance the security of cloud-assistedWBSN applications

Notations

119897 A security parameter119902 A large prime number 119902 gt 2119897119890 A bilinear pairing 119890 1198661 times 1198662 rarr 1198662SKKGC The KGCrsquos secret keyPKKGC The public key of KGCIDSP The identity of SPPKSP1 The partial public key generated by oneselfPKSP2 The partial public key generated by KGCSKSP The secret key of SPauth119894 The authenticator of119898119894(Pro 119862) The proof of medical data 1198881 1198882 119888119894

generated by SPChal The integrity checking challenge generated

by TPA Chal = (119894 119903119894)119894isin119868119888119894119898119894 The medical data119898119894 and correspondingciphertext 119888119894 encrypted by clientℎ A hash function(0 1)lowast 1198661 1198661 1198661 rarr 119885lowast119902119867 A hash to point function(0 1)lowast 1198661 rarr 1198661

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work was supported by the National Natural ScienceFoundation of China (no 61572001 no 61502008) theResearch Fund for the Doctoral Program of Higher Educa-tion (no 20133401110004) the Natural Science Foundationof Anhui Province (no 1508085QF132) and the DoctoralResearch Start-Up Funds Project of Anhui University

References

[1] S Movassaghi M Abolhasan J Lipman D Smith and AJamalipour ldquoWireless body area networks a surveyrdquo IEEECom-munications Survey amp Tutorials vol 16 no 3 pp 1658ndash16862014

[2] T G Zimmerman ldquoPersonal area networks near-field intra-body communicationrdquo IBM Systems Journal vol 35 no 3-4 pp609ndash617 1996

[3] S Ivanov C Foley S Balasubramaniam and D Botvich ldquoVir-tual groups for patient WBSNs monitoring in medical environ-mentrdquo IEEE Transactions on Biomedical Engineering vol 59 no11 pp 3238ndash3246 2012

[4] T Gao T Massey L Selavo et al et al ldquoThe Advanced Healthand Disaster Aid Network a Light-Weight Wireless Medical


System for Triagerdquo IEEE Transactions on Biomedical CircuitsSystems vol 1 no 3 pp 203ndash216 2007

[5] E Jovanov A Milenkovic C Otto et al ldquoA WBAN system forambulatory monitoring of physical activity and health statusapplications and challengesrdquo in Proceedings of the 27th AnnualInternational Conference of the Engineering in Medicine andBiology Society (IEEE-EMBS rsquo05) pp 3810ndash3813 September2005

[6] K Lorincz D J Malan T R F Fulford-Jones et al ldquoSensor net-works for emergency response challenges and opportunitiesrdquoIEEE Pervasive Computing vol 3 no 4 pp 16ndash23 2004

[7] F Axisa C Gehin G Delhomme C Collet O Robin and ADittmar ldquoWrist ambulatorymonitoring system and smart glovefor real time emotional sensorial and physiological analysisrdquo inProceedings of the 26th Annual International Conference of theIEEE Engineering in Medicine and Biology Society (EMBC rsquo04)pp 2161ndash2164 September 2004

[8] C Mundt W K Montgomery N and U Udoh E ldquoA multi para-meter wearable physiologic monitoring system for space andterrestrial applicationsrdquo IEEETransactions on Information Tech-nology in Biomedicine vol 9 no 3 pp 382ndash391 2005

[9] J Wannenburg and R Malekian ldquoBody sensor network formobile healthmonitoring a diagnosis and anticipating systemrdquoIEEE Sensors Journal vol 15 no 12 pp 6839ndash6852 2015

[10] UAK Chude-Okonkwo RMalekian andB TMaharaj ldquoBio-logically inspired bio-cyber interface architecture andmodel forinternet of bio-Nanothings applicationsrdquo IEEE Transactions onCommunications vol 64 no 8 pp 3444ndash3455 2016

[11] K S Kwak S Ullah and N Ullah ldquoAn overview of IEEE802156 standardrdquo in Proceedings of the 3rd International Sym-posium on Applied Sciences in Biomedical and CommunicationTechnologies (ISABEL rsquo10) pp 1ndash6 IEEE November 2010

[12] M Toorani ldquoOn vulnerabilities of the security association inthe IEEE802156 standardrdquo inFinancial Cryptography andDataSecurity vol 8976 ofLectureNotes inComputer Science pp 245ndash260 Springer Berlin Heidelberg 2015

[13] M Toorani ldquoCryptanalysis of two PAKE protocols for bodyarea networks and smart environmentsrdquo International Journalof Network Security vol 17 no 5 pp 629ndash636 2015

[14] G Fortino andM Pathan ldquoIntegration of cloud computing andbody sensor networksrdquo Future Generation Computer Systemsvol 35 no 5 pp 57ndash61 2014

[15] M Chen ldquoNDNC-BAN supporting rich media healthcare ser-vices via nameddata networking in cloud-assistedwireless bodyarea networksrdquo Information Sciences vol 284 no 10 pp 142ndash156 2014

[16] O Diallo J J P C Rodrigues M Sene and J Niu ldquoReal-timequery processing optimization for cloud-based wireless bodyarea networksrdquo Information Sciences vol 284 pp 84ndash94 2014

[17] G Fortino G Di Fatta M Pathan and A V VasilakosldquoCloud-assisted body area networks state-of-the-art and futurechallengesrdquoWirelessNetworks vol 20 no 7 pp 1925ndash1938 2014

[18] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Advances in CryptologymdashASIACRYPT 2008 Proceedings ofthe 14th International Conference on the Theory and Applicationof Cryptology and Information Security Melbourne AustraliaDecember 2008 vol 5350 of Lecture Notes in Computer Sciencepp 90ndash107 Springer Berlin Germany 2008

[19] Z Hao S Zhong and N Yu ldquoA privacy-preserving remote dataintegrity checking protocol with data dynamics and public veri-fiabilityrdquo IEEE Transactions on Knowledge and Data Engineer-ing vol 23 no 9 pp 1432ndash1437 2011

[20] CWang QWang K Ren N Cao andW Lou ldquoToward secureand dependable storage services in cloud computingrdquo IEEETransactions on Services Computing vol 5 no 2 pp 220ndash2322012

[21] C Wang S S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 62 no 2 pp 362ndash375 2013

[22] K HuangM Xian S Fu and J Liu ldquoSecuring the cloud storageaudit service defending against frame and collude attacks ofthird party auditorrdquo IET Communications vol 8 no 12 pp2106ndash2113 2014

[23] H Wang J Domingo-Ferrer Q Wu and B Qin ldquoIdentity-based remote data possession checking in public cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014

[24] S Tan and Y Jia ldquoNaEPASC a novel and efficient public audit-ing scheme for cloud datardquo Frontiers of Information Technologyamp Electronic Engineering vol 15 no 9 pp 794ndash804 2014

[25] H Wang ldquoIdentity-based distributed provable data possessionin multi-cloud storagerdquo IEEE Transactions on Services Comput-ing vol 8 no 2 pp 328ndash340 2015

[26] B Wang B Li H Li and F Li ldquoCertificateless public auditingfor data integrity in the cloudrdquo in Proceedings of the 1stIEEE International Conference onCommunications andNetworkSecurity (CNS rsquo13) pp 136ndash144 National Harbo Md USAOctober 2013

[27] D He S Zeadally and L Wu ldquoCertificateless public auditingscheme for cloud-assisted wireless body area networksrdquo IEEESystems Journal no 99 pp 1ndash10 2015

[28] J Yu K Ren and C Wang ldquoEnabling cloud storage auditingwith verifiable outsourcing of key updatesrdquo IEEE Transactionson Information Forensics and Security vol 11 no 6 pp 1362ndash1375 2016

[29] C C Y Poon Y-T Zhang and S-D Bao ldquoA novel biometricsmethod to secure wireless body area sensor networks fortelemedicine and M-healthrdquo IEEE Communications Magazinevol 44 no 4 pp 73ndash81 2006

[30] S-D Bao Y-T Zhang and L-F Shen ldquoPhysiological signalbased entity authentication for body area sensor networks andmobile healthcare systemsrdquo in Proceedings of the 2005 27thAnnual International Conference of the Engineering in Medicineand Biology Society (IEEE-EMBS rsquo05) pp 2455ndash2458 Septem-ber 2005

[31] K K Venkatasubramanian A Banerjee and S K S GuptaldquoEKG-based key agreement in body sensor networksrdquo in Pro-ceedings of the 2008 IEEE INFOCOMWorkshops pp 1ndash6 IEEEXplore April 2008

[32] S Cherukuri K K Venkatasubramanian and S K S GuptaldquoBiosec a biometric based approach for securing communica-tion in wireless networks of biosensors implanted in the humanbodyrdquo in Proceedings of the 32nd International Conference onParallel Processing (ICPP rsquo03) pp 432ndash439 October 2003

[33] A Juels andM Sudan ldquoA fuzzy vault schemerdquo in Proceedings ofthe IEEE International Symposium on Information Theory pp408ndash415 July 2002

[34] K K Venkatasubramanian A Banerjee and S K Gupta ldquoSKAusable and secure key agreement scheme for body area net-worksrdquo IEEE Transactions on Information Technology in Bio-medicine vol 14 no 1 pp 60ndash68 2010


[35] F Miao S-D Bao and Y Li ldquoA modified fuzzy vault schemefor biometrics-based body sensor networks securityrdquo in Pro-ceedings of the 53rd IEEE Global Communications Conference(GLOBECOM rsquo10) pp 1ndash5 December 2010

[36] H Liu D Sun K Xiong and Z Qiu ldquoA new fuzzy vaultmethod using cubic spline interpolationrdquo in Proceedings ofthe 2010 International Conference on Artificial Intelligence andComputational Intelligence (AICI rsquo10) pp 103ndash106 October2010

[37] Z Zhang HWang A V Vasilakos andH Fang ldquoECG-crypto-graphy and authentication in body area networksrdquo IEEE Trans-actions on Information Technology in Biomedicine vol 16 no 6pp 1070ndash1078 2012

[38] J Mohana and V T Bai ldquo128 bit key generations from thedynamic behavior of ECG for securing wireless body area net-workrdquo ARPN Journal of Engineering and Applied Sciences vol10 no 18 pp 8048ndash8051 2015

[39] F Hu M Jiang MWagner and D-C Dong ldquoPrivacy-preserv-ing telecardiology sensor networks Toward a low-cost portablewireless hardwaresoftware codesignrdquo IEEE Transactions onInformation Technology in Biomedicine vol 11 no 6 pp 619ndash627 2007

[40] P Kumar Y Lee D and D Lee Y ldquoSecure health monitoringusing medical wireless sensor networksrdquo in Proceedings of theSixth International Conference on Networked Computing andAdvanced Information Management pp 491ndash494 2010

[41] S Raazi H Lee S Lee and Y-K Lee ldquoBARI+ a biometricbased distributed key management approach for wireless bodyarea networksrdquo Sensors vol 10 no 4 pp 3911ndash3933 2010

[42] A BWaluyo I Pek X Chen andW S Yeoh ldquoDesign and eval-uation of lightweight middleware for personal wireless bodyarea networkrdquo Personal and Ubiquitous Computing vol 13 no7 pp 509ndash525 2009

[43] X Yi J Willemson and F Nait-Abdesselam ldquoPrivacy-preserv-ing wireless medical sensor networkrdquo in Proceedings of the 12thIEEE International Conference on Trust Security and Privacy inComputing and Communications (TrustCom rsquo13) pp 118ndash125July 2013

[44] H Zhao J Qin and J Hu ldquoAn energy efficient keymanagementscheme for body sensor networksrdquo IEEE Transactions on Paral-lel and Distributed Systems vol 24 no 11 pp 2202ndash2210 2013

[45] D He S Chan and S Tang ldquoA novel and lightweight system tosecure wireless medical sensor networksrdquo IEEE Journal of Bio-medical and Health Informatics vol 18 no 1 pp 316ndash326 2014

[46] Y M Huang M Y Hsieh H C Chao S H Hung and J HPark ldquoPervasive secure access to a hierarchical sensor-basedhealthcare monitoring architecture in wireless heterogeneousnetworksrdquo IEEE Journal on Selected Areas in Communicationsvol 27 no 4 pp 400ndash411 2009

[47] X H Le M Khalid R Sankar and S Lee ldquoAn efficient mutualauthentication and access control scheme for wireless sensornetworks in healthcarerdquo Journal of Networks vol 6 no 3 pp355ndash364 2011

[48] X Lin R Lu X Shen Y Nemoto and N Kato ldquoSage a strongprivacy-preserving scheme against global eavesdropping forehealth systemsrdquo IEEE Journal on Selected Areas in Communi-cations vol 27 no 4 pp 365ndash378 2009

[49] K Malasri and L Wang ldquoDesign and implementation of asecure wireless mote-based medical sensor networkrdquo Sensorsvol 9 no 8 pp 6273ndash6297 2009

[50] J Misic and V Misic ldquoEnforcing patient privacy in healthcareWSNs through key distribution algorithmsrdquo Security amp Com-munication Networks vol 1 no 5 pp 417ndash429 2008

[51] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology Proceedings of (CRYPTOrsquo84) vol 196 of Lecture Notes in Computer Science pp 47ndash53Springer Berlin Germany 1985

[52] S S Al-Riyami and K G Paterson ldquoCertificateless publickey cryptographyrdquo in Advances in Cryptology-ASIACRYPTvol 2894 of Lecture Notes in Computer Science pp 452ndash473Springer 2003

[53] J Liu Z Zhang XChen andK S Kwak ldquoCertificateless remoteanonymous authentication schemes for wireless body areanetworksrdquo IEEE Transactions on Parallel and Distributed Sys-tems vol 25 no 2 pp 332ndash342 2014

[54] Z Zhao ldquoAn efficient anonymous authentication scheme forwireless body area networks using elliptic curve cryptosystemrdquoJournal of Medical Systems vol 38 no 2 pp 1ndash7 2014

[55] CWang andY Zhang ldquoNew authentication scheme forwirelessbody area networks using the bilinear pairingrdquo Journal ofMedical Systems vol 39 no 11 article 136 2015

[56] D He S Zeadally N Kumar and J-H Lee ldquoAnonymousauthentication for wireless body area networks with provablesecurityrdquo IEEE Systems Journal vol 99 pp 1ndash12 2016

[57] H Xiong ldquoCost-effective scalable and anonymous certificate-less remote authentication protocolrdquo IEEE Transactions onInformation Forensics amp Security vol 9 no 12 pp 2327ndash23392014

[58] H Xiong and Z Qin ldquoRevocable and scalable certificatelessremote authentication protocol with anonymity for wirelessbody area networksrdquo IEEE Transactions on Information Foren-sics and Security vol 10 no 7 pp 1442ndash1455 2015

[59] R Lu X Lin and X Shen ldquoSPOC a secure and privacy-pre-serving opportunistic computing framework formobile-health-care emergencyrdquo IEEE Transactions on Parallel and DistributedSystems vol 24 no 3 pp 614ndash624 2013

[60] C-C Lee C-W Hsu Y-M Lai and A Vasilakos ldquoAnenhanced mobile-healthcare emergency system based onextended chaotic mapsrdquo Journal of Medical Systems vol 37 no5 article 9973 pp 1ndash12 2013

[61] X Yi A Bouguettaya D Georgakopoulos A Song and JWillemson ldquoPrivacy protection for wireless medical sensordatardquo IEEE Transactions on Dependable and Secure Computingvol 13 no 3 pp 369ndash380 2016

[62] J Zhou Z Cao X Dong N Xiong and A V Vasilakosldquo4S a secure and privacy-preserving key management schemefor cloud-assisted wireless body area network in m-healthcaresocial networksrdquo Information Sciences vol 314 pp 255ndash2762015

[63] N D Han L Han D M Tuan H P In and M Jo ldquoA schemefor data confidentiality in cloud-assisted wireless body areanetworksrdquo Information Sciences vol 284 no 5 pp 157ndash1662014

[64] J Wan C Zou S Ullah C-F Lai M Zhou and X WangldquoCloud-Enabled wireless body area networks for pervasivehealthcarerdquo IEEE Network vol 27 no 5 pp 56ndash61 2013

[65] Q-Q Xie S-R Jiang L-M Wang and C-C Chang ldquoCom-posable secure roaming authentication protocol for cloud-assisted body sensor networksrdquo International Journal ofNetworkSecurity vol 18 no 5 pp 816ndash831 2016


[66] H Zhu L Gao andH Li ldquoSecure and privacy-preserving bodysensor data collection and query schemerdquo Sensors vol 16 no 2article 179 2016

[67] P K Gupta B TMaharaj and RMalekian ldquoA novel and secureIoT based cloud centric architecture to perform predictive anal-ysis of users activities in sustainable health centresrdquoMultimediaTools and Applications pp 1ndash24 2016

[68] A de Caro and V Iovino ldquojPBC Java pairing based cryptogra-phyrdquo in Proceedings of the 16th IEEE Symposium on Computersand Communications (ISCC rsquo11) pp 850ndash855 July 2011

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of


International Journal of

RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal of

Volume 201

Submit your manuscripts athttpswwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



Patient

Mobilephone Access

pointInternet

Computingserver

Storageserver

Cloud service provider

Family Emergency Hospital

Figure 1 The system model of WBSNs application for remote medical treatment

theWBSNs system [3ndash8] In 2004 [6] theHarvardUniversitylaunched a system called CodeBlue for emergency care In2004 [7] the French CENS Research Institute launched theMARSIAN project MARSIAN is a wrist ambulatory moni-toring and recording system with a smart glove embeddedwith physiology sensors for the detection of the activity of theautonomic nervous system In 2005 [8] NASA and StanfordUniversity jointly developed the LifeGuard system for spaceand terrestrial applications Recently some WBSNs basedhealthcare monitoring and diagnosis architecture also havebeen proposed [9 10] In [9] Wannenburg and Malekianproposed a health monitoring scheme which is capable ofmeasuring the vital physiological parameters and sendingbiofeedback to user When an emergency is detected themedical notification will be sent to medical team To connectthe conventional electromagnetic-based Internet to the bio-chemical signaling-based bionanonetworkChude-Okonkwoet al proposed an illustrative scenario and system model ofan IoBNT for application in an advanced healthcare deliverysystem in literature [10] In 2012 [11] to generalize theapplications based on WBSNs the Institute of Electrical andElectronics Engineers (IEEE) released the 802156 standardto support for low energy consumption short distance andreliable wireless network communication surrounding thehuman body area

For the reason that theWBSNs applications are related topeoplersquos life security the security problem is a very importantissue On the Black Hat conference in 2012 a McAfee experthas proved that by remotely controlling the insulin pumpimplanted in the body hacker can inject an overdose ofinsulin causing patient death Besides the data collected

and transmitted in WBSNs are very sensitive because theyare used for clinical diagnostics Therefore authenticationdata confidentiality integrity access control and privacypreserving should be guaranteed while using the WBSNsIn HIPAA (Health Insurance Portability and AccountabilityAct) there are strict requirements for the patientrsquos identityand data privacy The standard 802156 also emphasises thesecurity issues in WBSNs In 802156 the communication isdivided into three security levels

Level 0 It is unsecured level without authentication orencryptionThis is the lowest level of security in 802156 thedata is transmitted in plaintext and no authentication stepsare executed at all

Level 1 (Only Authentication) Some measures are involved tovalidate the data but the data is still transmitted in plaintextwithout encryption

Level 2 (Authentication and Encryption) This is the highestlevel of security in 802156 where the data is transmitted inciphertext form and authentication is provided

However some recent works show that 802156 hassecurity defects [12 13] Therefore the 802156 is not secureenough for reality practice

With the maturity of the cloud computing technologyWBSNs and cloud computing technique have been mergedclosely Compared with WBSNs device cloud server hasmore powerful computing and storage capacity which isnicely complementary with WBSNs devices Based on thisconsideration the concept of cloud-assisted WBSNs has









2 Related Works






























Client


Cloudserver

Serviceprovider

Third-partyauditor

Medicaldata

Proof

Challenge

WiFiUser

Auditingrequest



























ParKeyGen

PriKeyGen

PubKeyGen

SysSetup

ProofVerify

AuthGen

ProofGen

(Pro C)


(Pro C)

(）＄３００＋３０1)

ＯＮＢi


３＋３０

０＋３０1

０＋３０2


















119890 (Pro 119875) = 119890( 119896sum119894=1

119903119894 sdot auth119894 119875) = 119890( 119896sum119894=1

119903119894 sdot (SKSP


119894=1

119903119894 sdot (SKSP


119894=1


119894=1


119894=1

119903119894 sdot SKSP


119903119894 sdot SKKGC


119903119894


119903119894


sdot PKSP1 + 119896sum119894=1


(1)

5 Security Analysis





Algorithm 5 AuthGen

















(4)









(7)




























0

20

40

60

80

100

120

140

0 100 200 300 400 500 600 700 800 900

The t

ime c

ost o

f aut

hent

icat

or g

ener

atin

g (s

)



(a)

01

02

03

04

05

06

07

1 15 2 25 3 35 4 45 5

The t

ime c

ost o

f aud

iting

(s)



(b)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10

The t

ime c

ost o

f aud

iting

(s)



(a)

The t

ime c

ost o

f aud

iting

(s)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10


(b)




7 Conclusion






Notations






Acknowledgments


References









































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

















2 Related Works






























Client


Cloudserver

Serviceprovider

Third-partyauditor

Medicaldata

Proof

Challenge

WiFiUser

Auditingrequest



























ParKeyGen

PriKeyGen

PubKeyGen

SysSetup

ProofVerify

AuthGen

ProofGen

(Pro C)


(Pro C)

(）＄３００＋３０1)

ＯＮＢi


３＋３０

０＋３０1

０＋３０2


















119890 (Pro 119875) = 119890( 119896sum119894=1

119903119894 sdot auth119894 119875) = 119890( 119896sum119894=1

119903119894 sdot (SKSP


119894=1

119903119894 sdot (SKSP


119894=1


119894=1


119894=1

119903119894 sdot SKSP


119903119894 sdot SKKGC


119903119894


119903119894


sdot PKSP1 + 119896sum119894=1


(1)

5 Security Analysis





Algorithm 5 AuthGen

















(4)









(7)




























0

20

40

60

80

100

120

140

0 100 200 300 400 500 600 700 800 900

The t

ime c

ost o

f aut

hent

icat

or g

ener

atin

g (s

)



(a)

01

02

03

04

05

06

07

1 15 2 25 3 35 4 45 5

The t

ime c

ost o

f aud

iting

(s)



(b)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10

The t

ime c

ost o

f aud

iting

(s)



(a)

The t

ime c

ost o

f aud

iting

(s)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10


(b)




7 Conclusion






Notations






Acknowledgments


References









































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation




































Client


Cloudserver

Serviceprovider

Third-partyauditor

Medicaldata

Proof

Challenge

WiFiUser

Auditingrequest



























ParKeyGen

PriKeyGen

PubKeyGen

SysSetup

ProofVerify

AuthGen

ProofGen

(Pro C)


(Pro C)

(）＄３００＋３０1)

ＯＮＢi


３＋３０

０＋３０1

０＋３０2


















119890 (Pro 119875) = 119890( 119896sum119894=1

119903119894 sdot auth119894 119875) = 119890( 119896sum119894=1

119903119894 sdot (SKSP


119894=1

119903119894 sdot (SKSP


119894=1


119894=1


119894=1

119903119894 sdot SKSP


119903119894 sdot SKKGC


119903119894


119903119894


sdot PKSP1 + 119896sum119894=1


(1)

5 Security Analysis





Algorithm 5 AuthGen

















(4)









(7)




























0

20

40

60

80

100

120

140

0 100 200 300 400 500 600 700 800 900

The t

ime c

ost o

f aut

hent

icat

or g

ener

atin

g (s

)



(a)

01

02

03

04

05

06

07

1 15 2 25 3 35 4 45 5

The t

ime c

ost o

f aud

iting

(s)



(b)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10

The t

ime c

ost o

f aud

iting

(s)



(a)

The t

ime c

ost o

f aud

iting

(s)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10


(b)




7 Conclusion






Notations






Acknowledgments


References









































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation




















ParKeyGen

PriKeyGen

PubKeyGen

SysSetup

ProofVerify

AuthGen

ProofGen

(Pro C)


(Pro C)

(）＄３００＋３０1)

ＯＮＢi


３＋３０

０＋３０1

０＋３０2


















119890 (Pro 119875) = 119890( 119896sum119894=1

119903119894 sdot auth119894 119875) = 119890( 119896sum119894=1

119903119894 sdot (SKSP


119894=1

119903119894 sdot (SKSP


119894=1


119894=1


119894=1

119903119894 sdot SKSP


119903119894 sdot SKKGC


119903119894


119903119894


sdot PKSP1 + 119896sum119894=1


(1)

5 Security Analysis





Algorithm 5 AuthGen

















(4)









(7)




























0

20

40

60

80

100

120

140

0 100 200 300 400 500 600 700 800 900

The t

ime c

ost o

f aut

hent

icat

or g

ener

atin

g (s

)



(a)

01

02

03

04

05

06

07

1 15 2 25 3 35 4 45 5

The t

ime c

ost o

f aud

iting

(s)



(b)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10

The t

ime c

ost o

f aud

iting

(s)



(a)

The t

ime c

ost o

f aud

iting

(s)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10


(b)




7 Conclusion






Notations






Acknowledgments


References









































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation



















119890 (Pro 119875) = 119890( 119896sum119894=1

119903119894 sdot auth119894 119875) = 119890( 119896sum119894=1

119903119894 sdot (SKSP


119894=1

119903119894 sdot (SKSP


119894=1


119894=1


119894=1

119903119894 sdot SKSP


119903119894 sdot SKKGC


119903119894


119903119894


sdot PKSP1 + 119896sum119894=1


(1)

5 Security Analysis





Algorithm 5 AuthGen

















(4)









(7)




























0

20

40

60

80

100

120

140

0 100 200 300 400 500 600 700 800 900

The t

ime c

ost o

f aut

hent

icat

or g

ener

atin

g (s

)



(a)

01

02

03

04

05

06

07

1 15 2 25 3 35 4 45 5

The t

ime c

ost o

f aud

iting

(s)



(b)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10

The t

ime c

ost o

f aud

iting

(s)



(a)

The t

ime c

ost o

f aud

iting

(s)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10


(b)




7 Conclusion






Notations






Acknowledgments


References









































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











Algorithm 5 AuthGen

















(4)









(7)




























0

20

40

60

80

100

120

140

0 100 200 300 400 500 600 700 800 900

The t

ime c

ost o

f aut

hent

icat

or g

ener

atin

g (s

)



(a)

01

02

03

04

05

06

07

1 15 2 25 3 35 4 45 5

The t

ime c

ost o

f aud

iting

(s)



(b)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10

The t

ime c

ost o

f aud

iting

(s)



(a)

The t

ime c

ost o

f aud

iting

(s)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10


(b)




7 Conclusion






Notations






Acknowledgments


References









































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

















(4)









(7)




























0

20

40

60

80

100

120

140

0 100 200 300 400 500 600 700 800 900

The t

ime c

ost o

f aut

hent

icat

or g

ener

atin

g (s

)



(a)

01

02

03

04

05

06

07

1 15 2 25 3 35 4 45 5

The t

ime c

ost o

f aud

iting

(s)



(b)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10

The t

ime c

ost o

f aud

iting

(s)



(a)

The t

ime c

ost o

f aud

iting

(s)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10


(b)




7 Conclusion






Notations






Acknowledgments


References









































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation





























0

20

40

60

80

100

120

140

0 100 200 300 400 500 600 700 800 900

The t

ime c

ost o

f aut

hent

icat

or g

ener

atin

g (s

)



(a)

01

02

03

04

05

06

07

1 15 2 25 3 35 4 45 5

The t

ime c

ost o

f aud

iting

(s)



(b)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10

The t

ime c

ost o

f aud

iting

(s)



(a)

The t

ime c

ost o

f aud

iting

(s)


0

02

04

06

08

1

12

14

1 2 3 4 5 6 7 8 9 10


(b)




7 Conclusion






Notations






Acknowledgments


References









































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











7 Conclusion






Notations






Acknowledgments


References









































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













































































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









LEPA: A Lightweight and Efficient Public Auditing Scheme...

Documents

Transcript of LEPA: A Lightweight and Efficient Public Auditing Scheme...