Syed Sajid Ullah,Saddam Hussain,Abdu Gumaei,Mohsin S.Alhilal,Bader Fahad Alkhamees,Mueen Uddin and Mabrook Al-Rakhami

1Department of Information Technology,Hazara University Mansehra,KPK,21120,Pakistan

2Research Chair of Pervasive and Mobile Computing,Department of Information Systems,King Saud University,Riyadh,11543,Saudi Arabia

3Department of Computer Science,Faculty of Applied Sciences,Taiz University,Taiz,6803,Yemen

4Department of Information Systems,College of Computer and Information Sciences,King Saud University,Riyadh,11543,Saudi Arabia

5Digital Science,Faculty of Science,Universiti Brunei Darussalam,Jln Tungku link,Gadong,Brunei,BE1410,Darussalam

Abstract:Nowadays,healthcare has become an important area for the Internet of Things (IoT) to automate healthcare facilities to share and use patient data anytime and anywhere with Internet services.At present,the host-based Internet paradigm is used for sharing and accessing healthcare-related data.However,due to the location-dependent nature,it suffers from latency,mobility,and security.For this purpose,Named Data Networking(NDN)has been recommended as the future Internet paradigm to cover the shortcomings of the traditional host-based Internet paradigm.Unfortunately,the novel breed lacks a secure framework for healthcare.This article constructs an NDN-Based Internet of Medical Things (NDN-IoMT) framework using a lightweight certificateless(CLC)signature.We adopt the Hyperelliptic Curve Cryptosystem (HCC) to reduce cost,which provides strong security using a smaller key size compared to Elliptic Curve Cryptosystem (ECC).Furthermore,we validate the safety of the proposed scheme through AVISPA.For cost-efficiency,we compare the designed scheme with relevant certificateless signature schemes.The final result shows that our proposed scheme uses minimal network resources.Lastly,we deploy the given framework on NDN-IoMT.

Keywords: Internet of Medical Things;healthcare;Named Data Networking

1 Introduction

The Internet of Medical Things (IoMT) is an IoT subsidiary capable of compiling all medical things for collecting,analyzing,and exchanging patient-related data over the traditional IP-based Internet paradigm [1].The data such as respiration rate,blood pressure,electrocardiogram (ECG),and body temperature,etc.,can be sensed by biomedical sensors and managed via edge devices(i.e.,smartwatches,computers,smartphones,or a specific embedded device) [2,3].Additionally,IoMT can also monitor ecological conditions such as room conditions,laboratory transition time,treatment time,and patient rates from staff.

The edge devices are connected to gateways via short-distance wireless technologies such as WiFi,ZigBee,and Bluetooth Low Energy (BLE).BLE has robust features like low power consumption,unlicensed band,and moderate data rate,making it a highly desirable option for attaching wearable sensor nodes [4].In a healthcare automation system,patient details are maintained in an electronic health table,accessible to medical experts when the patients visit a hospital.Yet,IoMT exchanges data using conventional models and protocols with the risks allied with mobility,privacy,and security.

To tackle this,a new Internet model known as Named Data Networking (NDN) has been proposed [5].NDN paradigm is specially designed to add some interesting features such as innetwork caching,named based routing,and mobility support,that provides efficient information access to end-users [6,7].Considering the positives of NDN,some frameworks for NDN-based healthcare have been introduced [8-10].However,there is no concrete cryptographic scheme that can secure NDN-IoMT communications,but the authentication information that NDN-IoMT needs can be achieved through a digital signature.

The digital signature has been widely adopted for plenty of schemes.Conversely,the traditional Public Key Cryptography needs additional support from the Public Key Infrastructure(PKI) [11].In PKI,a third party,called Certificate Authority (CA),allocates and distributes customer authentication.Unfortunately,PKI has certificate management issues like distribution,revocation,and verification.

In 1984,Shamir [12] presented Identity Based Cryptography (IBC) to solve the PKI’s problems.IBC selects each party’s IP address,email address,etc.,as his/her public key without CA verification.A third party called the private Key Generation Center (KGC) calculates and sends participants’secret keys via a private channel.However,this makes KGC a target for rivals,commonly referred to as the Key Escrow Problem (KEP).

To solve this problem,Al-Riyami and Paterson [13] construct novel cryptography known as Certificateless Cryptography (CLC).The new cryptosystem is born from the achievements of IBC and PKC.CLC has introduced a unique concept for calculating private and public keys using KGC’s partial private key (PPK).CLC allows each user to have a set of keys,such as a secret key and a PPK.The secret value of each participant is randomly selected,but KGC calculates the PPK using its master secret key [14].

Since most IoT devices have limited system power and communication bandwidth,we aim to decrease the complexity of resource-limited devices of NDN-IoMT.Currently,bilinear pairing,ECC,and HCC are providing services for effective communication.However,both bilinear pairing and ECC are not effective for resource-limited devices [15].

Due to the aforementioned discussion,we are motivated to use HCC which uses a smaller key compared to bilinear pairing,and ECC which fits NDN-IoMT environments with limited computing power,storage space,and bandwidth [16].In this work,the communication efficiency and computational cost of the CLC signature scheme are improved by proposing a more efficient CLC signature scheme for NDN-IoMT using HCC.

We summarize the main contributions of our proposed work as follows:

· We present the basic syntax of our scheme (NDN-IoMT).

· We provide a concrete construction for the proposed NDN-IoMT scheme.

· We provide detailed security proof under the ROM,which shows that the given scheme can resist both Type-I(TI)and Type-II(TII)adversaries.

· We compare the designed scheme with previously recommended solutions based on computational time and communicational overhead,and the results show that the proposed scheme is efficient.

· We present a detail deployment of our proposed scheme on NDN-IoMT.

· Finally,we simulate our proposed scheme with help of AVISPA.

The paper is organized as follows.Section 2 provides the related work.Section 3 provides preliminaries.Section 4 presents the construction of our scheme.Section 5 comprises of security analysis while Section 6 is dedicated to comparative analysis.Section 7 shows the robust deployment of our scheme.Finally,in Section 8 we conclude our research.

2 Related Work

The work related to our scheme divided into two parts i.e.,NDN-based healthcare schemes and CLC schemes.

2.1 Healthcare Schemes for NDN Network

Saxena et al.[8] provided an NDN-based health setup.The given solution can find networkbased healthcare.Later,Saxena and Raychoudhury [9] provided an alternative NDN-based scheme for emergency messages in healthcare.The recommended scheme aims to authenticate the source of emergency messages.Unfortunately,in both solutions,the authors do not provide a definitive security plan for healthcare in NDN settings.

Recently,Wang and Kai [10] designed a monitoring model for protecting NDN-enabled healthcare using Edge and cloud services.The authors took the advantage of NDN to improve the effectiveness of clinical data.However,due to heavy map-to-map functions of bilinear pairing,the scheme was inefficient for healthcare systems.

2.2 Certificateless Signature Solutions

He et al.[17] constructed a pairing-free CLC signature scheme based on ECC,hence affected by high computation and communication costs [14].Moreover,Tsai et al.[18] and Huang [19]claim that the scheme was not secure and improved.Gong and Li [20] found that the designed approach of Tsai et al.[18] was not secure,and construct a whole CLC signature scheme built on ECC.

After two years,Yeh et al.[21] prove that the designed approach of Gong and Li [20] was insecure.Moreover,the authors presented an efficient CLC signature scheme constructed on ECC.Wang et al.[22] present a new and improve version of Yeh et al.[21].Later,Wang et al.[23]launch a CLC signature approach for limited-resource devices.

Yeh et al.[24] constructed a lightweight CLC signature approach for IoT-based smart objects.However,the security complexity of the given approach was constructed on ECC,which is not an ideal choice for devices with limited resources.

One year later,Karati et al.[25] launched a lightweight CLC signing approach for the Industrial Internet of Things (IIoT).Zhang et al.[26] found that this scheme was insecure against internal and external adversaries.Additionally,its security is constructed on bilinear pairing,which makes it costly for the IIoT infrastructure.

In this context,Pakiniat and Vanda [27],claim that the scheme of [25],is not secure,so they constructed a modified version.Unfortunately,the improved scheme was built on ECC.Zhang et al.[26] present a modified version of [25],by tossing a concrete CLC signing approach for IIoT via ECC.Later,Rezaeibagha et al.[28] introduce an improved version of [25],by throwing out an efficient approach using the bilinear pairing for IIoT.After that,Thumbur et al.[29] developed a CLC signing scheme using ECC.Although the given scheme reduces the cost complexities to some extent,it still needs some improvement as it is constructed on ECC [14].

3 Preliminaries

3.1 Hyperelliptic Curve Discrete Logarithm Problem(HDLP)

Supposeβ∈{1,2,....(n-1)}andW=β.D,findingβandWis called HDLP.

3.2 Generic Syntax

The given scheme includes seven algorithms,as mentioned below.

·Setup: The Network Manager (NM) runs this algorithm.It takes the security parameter(l),generates the master secret key (K) and the master public key (S),and sets the system public parameter (Q).

·Extraction of PPK: This step is executed by the NM.It takes the identities (IDP),K,S,and system public parameter (Q) as in input and generates the users PPK (O).

·Set Secret Values: In this step,both entities set their secret values.

·Key Generations: This algorithm runs on the user’s side and produces a private key (Ptp)and a public key (Pkp).

·Sign: This algorithm is executed by the provider.It takes the content c,IDp,Pkp,and υ as in input and generates a signed tuple (Ω).

·Verification: This algorithm is performed by the consumer.It takes content (c),Pkp,IDp,andΩas input to verify the signed content (Ω).

3.3 Threat Model

For our security explanation,we consider two types of adversaries: Type-I (TI) and Type-II(TII).

· Type-I (TI) Adversary: The TIadversary is generally known as outsider adversary which can request for the participants public key for the replacement of its own.

· Type-II (TII) Adversary: The TIadversary is generally known as insider adversary or malicious KGC which can make a participants PPK with help of a master secret key.However,it is unable to replace users’public keys.

4 Proposed Scheme for NDN-IoMT

4.1 Design Network Model

For NDN-IoMT environments,the intended data must not be changed,and the source of data is reliable and authentic during the entire transmission.Hence,our aim is concentrated on the authenticity and integrity of NDN-IoMT data while concurrently aiming to minimize the bandwidth and computational cost of NDN-IoMT devices.Fig.1 shows our network model,containing four elements: a Network Manager (NM),consumers,producers,and NDN routers.

·Network Manager (NM):This NM is primarily responsible for establishing a secure connection between consumers and producers.Moreover,the NM produces system parameters and PPKs.

·Consumer:Here in the given network model,a consumer can be an IoMT device such as a smartphone,hospital,ambulance,patient,etc.,or can be a user that can request some content related to Medical.

·Provider:Here in the given network model,a provider can be an IoMT device such as a smartphone,hospital,ambulance,patient,etc.,or can be a user that can provide content related to Medical.

·NDN Routers:NDN routers are in-between nodes that carry interest with caching capability.

For successful registration,both participants send their respective identities to the NM as illustrated in Fig.3.Next,NM produces a PPK for participants and delivers it using a secure channel.Upon receipt,both participating parties take the PPK with their chosen secret value to create their keys (private and public).

Now,whenever the consumer requests some content,the intermediate routers forward the request to a potential content provider.The content provider signs the requested content and forwards it to the intended receiver.The intermediate router R1 caches the forwarded content utilizing its CS.After getting the requested content,the consumer can verify the validity of the content.

4.2 Construction of the Designed IoMT-NDN Scheme

The designed algorithm is a generalized version of G.Thumbur et al.[29],as it is based on HCC.The notations used in our proposed scheme are given in Tab.1.

Figure 1:Proposed network model for NDN-IoMT

Table 1:List of abbreviations

Setup

The Network Manager (NM) initializes the system to generateK,SandQusing a security parameter (l) to complete the subsequent steps.

· Select (D) as a devisor of HCC of ordern

· Select K ∈{1,2,...,(n-1)}and calculateS=K.D

· Choose three secure hash functions (SHA-512)=H1,H2,H3

· Initialize public parameter setQ={n,H0,H1,H2,S,D}

The NM then publishesQand keepsKsecret.

Partial Private Key Setting

After receiving the identities IDP,both participants complete the subsequent computations to generate PPK keys for both participating entities.

· The KGC randomly picks Rn∈{1,2,...,(n-1)}

· Compute private numberPn=Rn.D

· Compute h0=H0 (IDp,S,Pn,η)

· Compute λ=(Rn+Kh0) modn

· Produce a PPKO=(λ,Pn) for both participants.

Later the participants can check the validity ofOfrom λ.D=Rn+h0S.

Key Settings

The participants obtain the computed PPKs from the NM and set their secret values.They then compute their private and public keys,respectively.

The participants pick a number at random υ ∈{1,2...,(n-1)},and set it as their secret values.Further,the user’s computers calculate V=υ.D.

Then the users set the private key (Ptp) and public keys (Pkp) by performing the following computations.

h1=

?=Pn+h1V

Finally,the users set Ptp=(λ,υ) and Pkp=(?,Pn)

Sign

Here,the content provider produces signed content,by doing the following computations.

· Pick a number at random?∈{1,2,...(n-1)}

· Compute private numberδ=?.D.

· Compute h2=H2 (c,IDp,Pkp,δ,η)

· Computeω=?+h2(λ+h1.υ) modn

Finally,the provider generates signed contentΩ=(δ,ω) and delivers it to the requested consumer.

Verify

Here,the consumer takesQ,Pkp,IDp,Ω=(δ,ω),and c to verify the signature (Ω) on the received tuple by doing the following steps.

· Compute h0=H0 (IDp,S,Pn,η)

· Compute h2=H2 (c,IDp,Pkp,δ,η)

· Finally,verify the equationω.D=δ+h2(?+h0.S).If it holds,accept the content.Otherwise reject the content.

Correctness

ω.D=?+h2(λ+h1.υ)

=(?+h2(λ+h1.υ)).D

=(?+h2((Rn+h0K )+h1.υ)).D

=(?.D+h2((Rn.D+h0K.D )+h1.υ.D))

=δ+ h2Pn+h0S+h1.V

=δ+ h2(?+h0S)

5 Threat Model and Security Analysis

Here,we performed the security analysis of the given scheme against TIand TIIadversaries by supposing the hardness of HDLP.For the security model,we follow the model presented by Thumber et al.[29].

Theorem I:

Under HDLP,the given scheme is existentially unforgeable against TI.

Proof:

Suppose TIcan forge a valid signature with the help of a polynomial algorithm (ψ).Now we constructψthat can solve the HDLP using TI.For (D,?=KD) of HDLP,the aim ofψis to find K.Letψtake ID*pas a target identity of TIon contentc*.

Setup Phase:

ψsets S=?=KD and executes the setup algorithm.

Query Phase:

In this phase,TIrequests with multiple queries which should be responded to byψ.Initially,ψmaintains empty lists such asl0,l1,l2,lCU,and lpsk.

Queries on H0

When TIrequests a query on H0 (IDp,S,Pn),if the tuple already exists inl0,ψdelivers h0.If not,ψselects h0∈{1,2,...,(n-1)},sets H0 (IDp,S,Pn,η)=h0,delivers it to TI,and adds the given (IDp,S,Pn,h0)intol0.

Queries on H1

When TIrequests a query on H1if the tuple already exists inl1,ψdelivers h1.If not,ψselects h1∈{1,2,...,(n-1)},setsdelivers it to TI,and adds the giveni ntol1.

Queries on H2

When TIrequests a query on H2 (c,IDp,Pkp,δ),if the tuple already exists inl2,ψdelivers h2.If not,ψselects h2∈{1,2,...,(n-1)},sets H2 (c,IDp,Pkp,δ)=h2,delivers it to TI,and adds the given H2 (c,IDp,Pkp,δ,η,h2) intol2.

Reveal Partial Secret Key Oracle

When TIrequests a query on PSK (O),if the tuple already exists inlpsk,ψdeliversO=(λ,Pn).IfO=O*,ψaborts.Otherwise,ψselectsα,β∈{1,2,...,(n-1)} and sets λ=α,H0(IDp,S,Pn)=β,andPn=αD-βS.ψ,then adds (IDp,S,Pn,β) tol0and (IDp,Pn,λ) tolpsk.

Create User Oracle

When TIrequests a query onCU(IDp),if the public key Pkp=(?,Pn) already exists inlCU,ψdelivers it to TI.Otherwise,ψdoes the following steps.

(1) If IDp=ID*p,ψselectsα,β,z,υ ∈{1,2,...,(n-1)} and setsPn=αD,H0 (IDp,S,Pn,η)=β,V=υ.D,and=z.Nowψsets?=Pn+h1V=αD+z(υ.D) and adds(IDp,S,Pn,η,β) tol0,tol1,andtolCU.Finally,ψdelivers the public key Pkp=(?,Pn) to TI.

(2) If IDp/=ID*p,ψrecovers (IDp,Pn,λ) fromlpsk.ψ,sets V=υ.D,{1,2,...,(n-1)} and?=Pn+zV=Pn+h1V.ψproduces Pkp=(?,Pn) as a public key and addstol1andtolCU.

Reveal Secret Value Oracle

When TIrequests a query on RSK (IDp),ψperforms the following steps.

If IDp=ID*p,ψaborts.Otherwise,ψrecoversfromlCUand sends υ to TI.If such tuple does not exist inlCU,ψdoes a query onCU(IDp) to generate (υ,?) and add it tolCU.ψ,then delivers υ the secret value.

Reveal Public-Key Oracle:

If TIdesires to replace the respective public key Pkp=(?,Pn) of IDpwith Pk*p=(?*,P*n),thenψfindsfromlCUand updates?with?*andPnwithP*n.Finally,ψsets υ*=↓and λ=↓.

Hereafter,the replaced tuple looks like (IDp,?*,P*n,↓,↓).

Signing Oracle.

When TIrequests a sign query on (IDp,c),ψperforms the following steps.

(1) If IDp/=ID*p,teψrecovers (IDp,Pn,S,η,h0),(IDp,V,h1),andfroml0,l1,and lCUrespectively,and produces a valid signature using the following steps.

· Select?,h2,ε{1,2,...,(n-1)},computeω=?+h2(λ+h1.υ) modn,and computeδ=?.D.ψ,then returnsΩ=(δ,ω) toAV1and inserts (IDp,c,Pkp,δ,h2) tol2.

· 2.If IDp=ID*p,ψrecoversfroml0andfromlCU.Here,

υ=↓and λ=↓.ψchooses?,h2∈{1,2,...,(n-1)}and setsδ=?.D-h2(?+h0.S),ω=?.ψ,then returnsΩ=(δ,ω) to TIand inserts (IDp,c,Pkp,δ,h2) tol2.

Forgery.

Here TIdelivers a tuple of forged signature(ID*p,c*,Ω*),asΩ*=(δ*,ω*).

If IDp/=ID*p,ψaborts the entire simulation.Otherwise,it recovers the given tuples(ID*p,V*,h*1),(ID*p,c*,Pk*p,δ*,h*2),(ID*p,c*,Pk*p,δ*,h*2),and (ID*p,?*,P*n,υ*,λ*)from the given lists ofl0,l1,l2,andlCU,respectively.

Since theΩ*is a valid signature,soω*.D=δ*+?ω*=?*+h*2(n*+h*0K) as?*,n*and K are unknown values toψ.According to Forking Lemma,AV1produces two other forged signaturesΩ*(t)=(δ*,ω*(t)) fort=2,3.

?ω*(t)=?*+h*2(t)(n*+h*0K),fort=1,2,3,as?*,n*and K are not known values toψ.Hence by solving these linear independent equations,ψobtains the value of K which is an HDLP.

Theorem II:

Under HDLP,the given scheme is existentially unforgeable against TII

Proof:

The proof is the same as that of Theorem I.

6 Comparative Analysis

This section is dedicated to the comparative analysis of cost complexity such as computational and communicational costs.

6.1 Computational Cost

Here,we analyzes and compare our new scheme with relevant recommended schemes [24-29]in terms of computational cost.However,to compute the operational computational cost of a scheme,we only consider the heavy mathematical operation that is used in any cryptographic solution.

For our computational cost analysis,we consider Bilinear Pairing (BP),Point Multiplication of Bilinear Pairing (PBM),exponentiation (E),Point Multiplication of ECC (ESPM),and Devisor Multiplication of HCC (HEDM).The software and hardware specifications [30,31] are presented in the following Tab.2.

According to [30,31],the running time ofBPis estimated to be 14.90 milliseconds,forPBMit is 4.31 milliseconds,forEit is 1.25 milliseconds,forESPMit is estimated to be 0.97 milliseconds while the running time ofHEDMis 0.48 milliseconds [32].

The results in Tabs.3 and 4 and Fig.2,shows that our scheme is more efficient in terms of computational time from previous recommended schemes.

Table 2:System description

Table 3:Major operations in signature generation and verification

Table 4:Cost reduction from previous recommended schemes

Cost Reduction from Previous Recommended Schemes

Figure 2:Computational cost complexity

6.2 Communication Overhead

The section is dedicated to the comparative analysis of the recommended schemes[24-29],with the proposed scheme in terms of communication complexity.Though,to compute the communication complexity of any cryptographic scheme,we consider the additional bits alone the original message.For our comparative analysis,we use the variables such as HCC (Q),ECC(N),message (M),and Bilinear pairing (G) as given in Tab.5.

From the final outputs,as shown in Tabs.6 and 7 and Fig.3,it is obvious that the designed scheme outperforms the previously recommended schemes in terms of communicational complexity.

Table 5:Variables used in cost complexity

6.3 Simulation Through AVISPA

Here we check the validity of the proposed approach through the backend checker of AVISPA known as OFMC and CL-AtSe [33,34].

Validation Results

Figs.4 and 5 show the validation results of the proposed scheme under CL-AtSe and OFMC.The results indicate the safety of the proposed approach.

Table 6:Communication cost complexity

Table 7:Communication cost reduction

Figure 3:Communication cost complexity

7 Deployment on Internet of Medical Things

Here,we show the deployment of our new approach on IoMT-NDN.We assume several connected IoMT devices for the exchange of medical data.Also,the IoMT devices are connected based on the NDN standard policy.The comprehensive deployment scenario is labeled below.

Figure 4:Validation result of OFMC

Figure 5:Validation result of CL-AtSe

7.1 Registration Phase

In this stage,both entities register themselves with the NM,and to do so,the NM picksland D of the HEC of ordernand secure hash functions (H1,H2,H3),choosesK ∈{1,2,...,(n-1)}and computes S=K.D.Then the NM publishes the public parameters in the entire networkQ={n,H0,H1,H2,D,S}.After that,both participating entities assign their identities to the NM.After recaptioning IDP,the NM produces the PPK for the participants,and to do so,the KGC randomly picks a number Rn∈({1,2,...,(n-1)}and computesPn=Rn.D,h0=H0 (IDp,S,Pn),and λ=(Rn+Kh0) modn.Finally,NM generates PPKO=(λ,Pn) for both entities.

After both participants set their secret υ ∈{1,2,...,(n-1)} and compute their respective private key (Ptp) and public key (Pkp).The overall initialization and registration are shown in Fig.6.

7.2 Sign Generation Phase

After registration,when a consumer requests content,the provider of the content generates a sign on the content.For this purpose,the legitimate provider takes the content c with a random number?∈{1,2,...(n-1)},and computesδ=?.D,h1=H1h2=H2 (c,IDp,Pkp,δ),andω=?+h2(λ+h1.υ) modn.Lastly,the provider of the content generates a signed tupleΩ=(δ,ω) as shown in Fig.6.

Figure 6:Initialization and registration phases

7.3 Verification Phase

After the reception,the consumer takesQ,Pkp,IDp,Ω=(δ,ω),and c to verify the signature(Ω) on the received content by computing h0=H0 (IDp,S,Pn) and h2=H2 (c,IDp,Pkp,δ).Finally,it verifies the equationω.D=δ+h2(?+h0.S).If it holds,accept the content.Otherwise,reject the content as shown in Fig.7.

Figure 7:Signature generation and verification phases

8 Conclusions

In this article,we present a secure framework NDN-Based Internet of Medical Things (NDNIoMT).In the proposed framework,we use a lightweight certificateless signature scheme.To reduce cost consumption,we utilized Hyperelliptic Curve Cryptosystem (HCC) which provides strong security using a smaller key size as compared to ECC.The designed approach is formally secured under ROM.Furthermore,we take the services of AVISPA to validate the security of the newly proposed scheme.For cost-efficiency,we compare our newly designed scheme with the recently proposed certificateless signature schemes.The final result shows that our scheme uses minimal computational and communicational resources.Finally,we deploy the given framework on NDN-IoMT.

Acknowledgement: The authors are grateful to the Deanship of Scientific Research,King Saud University for funding through Vice Deanship of Scientific Research Chairs.

Funding Statement: The authors received no specific funding for this study.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.