An Attribute-Based Encryption Scheme with Revocation for Fine-Grained Access Control in Wireless Body Area Networks

Wireless body area networks (WBANs) have emerged as a new method for e-healthcare. Without face-to-face examination, medical workers can give guidance to patients in real time, so WBANs can greatly improve healthcare quality. Personal information and medical data are stored and processed in sensors, which makes security and privacy two vital issues. In this paper, we design an attribute-based encryption scheme for fine-grained access control in WBANs. In our scheme, a user can decrypt a ciphertext if the attributes associated with the ciphertext satisfy the user's access structure. Users can be revoked if necessary. Therefore, the security and privacy of patients can be protected. Our scheme provides confidentiality, security, and resistance to collusion attacks. We analyze the correctness, security, and energy consumption of the scheme.


Introduction
Wireless body area networks (WBANs) have gained popularity rapidly in recent years, especially in medical applications such as healthcare monitoring, medical treatment, and emergency medical response systems (EMRS), which greatly increase the efficiency of healthcare. A typical WBAN consists of a controller and a number of sensors, which are wearable or can be implanted into the human body to monitor body parameters (e.g., electrocardiogram (ECG), heart rate, blood pressure, and blood glucose), parameters of the surrounding environment (e.g., temperature, humidity, and location), and body movements. WBANs can be used for pervasive, real-time monitoring of the status of patients in the form of text, visual, or audio data. Home monitoring is a good choice for chronic patients and elderly people, as it frees patients from visiting the hospital frequently. Sensor nodes and users are mobile in the sense that they can move, be relocated to another position, or be associated with other nodes or users [1]. Figure 1 shows the general healthcare system of a WBAN. The sensors measure certain parameters of the human body and send these signals to a controller, which may be a mobile phone or a PDA [2]. The medical data are processed in the controller, and the controller can give guidance to other devices. For example, in diabetes monitoring, the glucose sensors monitor and transmit blood glucose levels to the controller for insulin release. The medical data can be stored locally in the WBAN or be transferred remotely to doctors, emergency medical response, or a patient database through the internet using WiFi, Bluetooth, or ZigBee. The remote party can then give guidance to the patients or healthcare staff.
Security and privacy are two major concerns in WBANs. Since the medical data stored in WBANs are sensitive, it is essential to ensure the security of these data. Obtaining inaccurate or wrong medical data may make therapy ineffective or even lead to wrong treatments [3]. We summarize two threats and their possible consequences in WBANs.
(1) Eavesdropping Threats. Attackers may eavesdrop on patient information, which causes privacy issues. For example, a patient may have an embarrassing disease, or may want to keep medical information away from an insurer. As another example, the location of a patient could be discovered by a criminal-minded person, so this threat is of vital importance. Data confidentiality is therefore an important requirement in healthcare applications using WBANs.
(2) Modification Threats. The transferred data are vital for patients, as modified information may lead to a wrong diagnosis. The nature of wireless transmission also makes data prone to loss. Thus, to ensure that the received data have not been modified by an adversary, proper data integrity mechanisms are needed.
So, the users who may access patient-related data must be strictly limited; otherwise, the privacy of patients cannot be protected. To enforce access control, data encryption is needed to protect the patient-related data. The traditional methods are symmetric key cryptography (SKC) and public key cryptography (PKC). In an SKC scheme, the sender and receiver use the same key. If an attacker compromises a node, he can get all the data stored in the node. One solution to this problem is dividing the lifetime of a sensor into a series of periods, with a different key used in each period, but this requires timely key updates and increases the load on the sensors. In a PKC scheme, patient-related data are encrypted under a public key and only the users who hold the corresponding master key can decrypt the data. This general scheme is simple to implement but inefficient, since both the number of encryption operations and the size of the ciphertexts grow linearly with the number of users. So when the number of users increases, the cost of key distribution becomes high. A better way to solve the problem is broadcast encryption. The sender specifies the receivers and broadcasts the keys to the revoked users. Although broadcast encryption is efficient, the sender needs to store the list of receivers, which increases the storage requirement.
We design a security mechanism for access control, data encryption, and user revocation in WBANs. The major users in a typical WBAN are doctors, nurses, healthcare staff, and medical insurance response systems. The patient may not know the exact users who should be able to access the data but rather has a way to describe them in terms of descriptive attributes or credentials [4]. Attribute-based encryption (ABE) is suitable for encrypting messages without exact knowledge of the receivers.
Besides security and privacy, another issue that should be considered in WBANs is resource constraints. The sensors are limited in energy, storage space, and computational capability, and the lifetime of a battery is restricted. In order to reduce energy consumption, the security mechanism must be kept lightweight. The energy consumption of sensing and computation is usually so small that it is almost negligible compared to the expensive cost of communication in WBANs; for example, according to the report of NAI Labs [5], the energy consumption of sending data is 0.0.2 mJ/bit and of receiving data is 0.014 mJ/bit, whereas the energy consumed in computing SHA-1 is 0.0000072 mJ/bit on the same MIPS processor. So there should be as little transmission as possible.
This paper makes the following contributions. Firstly, we design the access tree structures of users. Secondly, we develop the encryption algorithms for fine-grained access control in WBANs. Thirdly, we introduce the user revocation algorithm. Fourthly, we evaluate the performance of our scheme.

Related Work
Security and privacy of patient-related data are two indispensable components in WBANs. Security means that data are securely stored and transferred, and privacy means that only authorized people can access, view, and use the data [2]. There are two main approaches to security and privacy protection in WBANs.
(1) Key Distribution in WBANs. The work in [6][7][8][9] uses a biometric signal (such as the electrocardiograph) as the key to encrypt the medical data to be transferred, and the receiver has the same key to decrypt the data. Thanks to the properties of the biometric signal, this method ensures the security of the transferred data, and its testability makes it widely applicable, but it also has drawbacks. When attackers obtain the biometric signal of a patient, they can decrypt all the data encrypted with that signal, which leaks the privacy of the patient. In order to capture the biometric signal, a biometric sensor must be attached to a body sensor node, which increases the cost.
(2) Data Storage and Access Control. The authors in [3] proposed the concept of secure storage and data access control in WBANs and summarized methods of security and privacy protection, but that paper did not analyze or compare energy consumption. The research in [10] develops a distributed data access control scheme in which the ciphertext is associated with attributes and the key is associated with an access structure. The access structure identifies the ciphertexts that can be decrypted by the key. In that paper, users access data in a fine-grained way, but it lacks timeliness of access control. In [11], the important multisender broadcast authentication problem is solved in WSNs. In [12], the authors proposed a fuzzy attribute-based signcryption scheme. Their scheme leverages fuzzy attribute-based encryption to enable data encryption, access control, and digital signatures for a patient's medical information in a WBAN. Because a signature is used, message transmission is more complicated, and the energy consumption should be considered. In [13], the authors proposed an identity-based encryption scheme for WBANs; however, their scheme lacks the access control feature.
ABE is considered suitable for access control in WBANs because it reduces the cost between the sensors and users. In [14] the authors first introduced the idea of ABE based on fuzzy identity-based encryption (FIBE), which was built on the idea of identity-based encryption (IBE). The identity of a user can be described by a string, such as the email address alice@yahoo.com. In FIBE, a sender encrypts the ciphertext under a public key identity, and a user holds a master key for their own identity. When a user accesses the medical data, they can decrypt the ciphertext if and only if their identity has at least a threshold number of parameters in common with the encryption identity. The scheme has error tolerance, as the two identities need not be the same, and there is no need to obtain a certificate of the receivers, so it reduces the energy cost of authentication.
In ABE, an identity consists of attributes; for example, the attribute set of a doctor is {hospital, department, on duty}. Both the ciphertext and the keys are associated with attributes. ABE has two variants, key-policy ABE (KP-ABE) [15] and ciphertext-policy ABE (CP-ABE) [16]. In KP-ABE, the ciphertext is associated with attributes and the key is associated with an access structure. Decryption is enabled if and only if the attributes associated with a ciphertext satisfy the key's access structure. In CP-ABE, the situation is reversed: the ciphertext is associated with an access structure and the key is associated with attributes.
In this paper, we address the security and privacy of WBANs by designing a fine-grained access control scheme. The medical data are encrypted under attributes, and only when these attributes satisfy the key's access structure can the users decrypt them. The patients may not know the doctors or nurses, but they can specify the attributes that the users must satisfy. A user is able to decrypt the medical data if the attributes satisfy the access structure.
User management is an important issue, since malicious users are dangerous to WBANs. If some users need to be revoked, for example when medical workers change or some users are found to be malicious, they should lose their decryption capability while the capability of nonrevoked users remains valid. Several works propose methods to solve this problem. The authors in [17] proposed renewing the users' master keys periodically, so that a user's privilege to access the data expires after a certain time. This method fails when malicious users access the data before the expiry time. In [18], the sensor nodes encrypt the data using identity attributes that are not owned by the revoked users; therefore, only the nonrevoked users can decrypt the data. However, all the revoked users in the history are recorded in the ciphertext, so the ciphertext size becomes very large.
The rest of this paper is organized as follows. Section 3 introduces the preliminaries of the scheme. Section 4 presents the system model. Section 5 analyzes the scheme, including correctness, security, and energy consumption. Section 6 presents the conclusion and future work.
(c) Computability: there is an efficient algorithm to compute the bilinear map for every pair of elements of the two groups.

Key Policy Scheme.
Usually, the key policy scheme consists of 4 steps.
(1) Setup. According to the random numbers produced by the system, the scheme generates the public parameters PK and a master key MK. PK is used to
International Journal of Distributed Sensor Networks

Security Game for ABE.
We define the security game for our scheme. The game can be described as follows.
Init: the adversary A commits an attribute set to the challenger.
Setup: the challenger runs the Setup algorithm and gives the public parameters (PK) to the adversary.
Phase 1: the adversary submits queries for master keys for access structures, none of which is satisfied by the committed attribute set.
Challenge: the adversary submits two equal-length messages, numbered 0 and 1, to the challenger. The challenger flips a random coin and passes the ciphertext of the corresponding message, encrypted under the committed attribute set, to the adversary.
Phase 2: Phase 1 is repeated.
Guess: the adversary outputs a guess of the coin.
The advantage of an adversary A in this game is defined as Pr . This game can be extended to handle chosen-ciphertext attacks by allowing decryption queries in Phases 1 and 2.
3.6. Access Tree. An access tree expresses the structure of access control. The ciphertext is associated with attributes. The decryption key is labeled with an access tree structure, in which each non-leaf node is a threshold gate described by a threshold value and its children, and each leaf node is labeled with an attribute. A user can decrypt a ciphertext with a given key if and only if there is an assignment of attributes from the ciphertext to nodes of the tree such that the tree is satisfied.
Let T be an access tree. Each leaf node is described by an attribute, and attr(·) denotes the attribute associated with a leaf node. For a non-leaf node, num denotes its number of children, and its threshold value lies between 1 and num inclusive. When the threshold is 1, the threshold gate is an OR gate; when the threshold equals num, it is an AND gate. The subtree of T rooted at a node is itself an access tree, and the subtree rooted at the root is T itself. A set of attributes satisfies the subtree rooted at a node (the subtree evaluates to 1 on that set) according to the following recursion: for a non-leaf node, evaluate the subtrees rooted at all its children; the node returns 1 if and only if at least threshold-many children return 1. For a leaf node, it returns 1 if and only if its attribute attr(·) is in the set.
When the attributes associated with the ciphertext satisfy a user's access structure, the user can obtain the medical data. Figure 2 shows an example of the access tree structure. Every non-leaf node is assigned a threshold. A ciphertext that carries at least the threshold number of attributes can be decrypted by the user. For example, a ciphertext has the attributes {hospital, physician, on duty}. The hospital attribute identifies the hospital the doctor belongs to, and on duty indicates whether the doctor is on duty at that time. If the attributes associated with the ciphertext satisfy the access tree, the doctor can obtain the patient's medical data and treat the patient. The same holds for a nurse, healthcare staff, medical insurance company agents, or an emergency room.
Key generation steps:
(1) Choose a polynomial for each non-leaf node as follows. Set its degree to the node's threshold value minus 1. For the root node, to define the polynomial completely, set its value at 0 to the master secret and choose its other points randomly. For each other node, set its value at 0 to the parent's polynomial evaluated at the node's index, and choose its other points randomly to define it completely.
(2) For each leaf node, give the decryption key to the users: the decryption key DK consists of a pair of components per leaf node, derived from the leaf polynomial's value at 0 and the leaf's attribute.

Communication Procedure.
Suppose a doctor wants to obtain the patient's medical data stored in the sensors. The communication procedure can be sketched as follows.
(1) The sensors execute Algorithms 1 and 2 to produce the public keys and master keys.
(2) The sensors encrypt the medical data using the public key and send the ciphertext to the doctor.
(3) Once the doctor needs to be revoked, the controller updates the keys of all users except the doctor. We adopt the method in [19]: the controller broadcasts the ciphertext and master key to the users that remain after the revoked ones are excluded. This method is suitable when the number of users revoked at a time is small.
(4) The nonrevoked users check the time, produce the decryption key, and decrypt the ciphertext when the attributes satisfy their access structure.

System Analysis
5.1. Correctness Analysis. Now that we have defined the function decryptnode, the decryption algorithm simply calls the function on the root of the tree. We observe that decryptnode on the root returns the pairing value that blinds the message if and only if the attributes associated with the ciphertext satisfy the access tree. Since the first ciphertext component is the message multiplied by that pairing value, the decryption algorithm simply divides it out and recovers the message:
(1)
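The access tree of Section 3.6, its recursive satisfaction test, the top-down polynomial assignment of key generation (each node's polynomial takes at 0 the value of its parent's polynomial at the node's index), and the bottom-up decryptnode reconstruction relied on in the correctness analysis above are all threshold secret sharing over the tree. The following Python is an added example written for this page, not code from the paper: it works modulo a prime instead of in the exponent of a pairing value, so it demonstrates only the combinatorial part (which attribute sets allow the root secret to be recovered), not the cryptographic hardness. The names Node, satisfied, assign_shares, reconstruct, build_example_tree and key_then_decrypt, the modulus P, and the sample policy are this example's own assumptions.

```python
"""Toy access-tree secret sharing (added example, not the paper's code).

Arithmetic is done mod a prime P rather than in a bilinear group, so this shows
the threshold/polynomial logic of key generation and decryptnode, nothing more.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

P = 2**61 - 1  # prime modulus for this toy (assumption; the scheme uses a prime-order group)


@dataclass
class Node:
    """Access-tree node: non-leaf nodes are k-of-n threshold gates, leaves carry an attribute."""
    threshold: int = 1                       # 1 -> OR gate, len(children) -> AND gate
    children: List["Node"] = field(default_factory=list)
    attr: Optional[str] = None               # attr(x), set only on leaves

    def is_leaf(self) -> bool:
        return self.attr is not None


def satisfied(node: Node, gamma: Set[str]) -> bool:
    """Recursive satisfaction test: a leaf is satisfied when its attribute is in
    gamma; a gate when at least threshold-many children are satisfied."""
    if node.is_leaf():
        return node.attr in gamma
    return sum(satisfied(c, gamma) for c in node.children) >= node.threshold


def _poly_eval(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (constant term first) at x, mod P."""
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P


def assign_shares(node: Node, secret: int) -> Dict[int, int]:
    """Key-generation step: pick a polynomial of degree threshold-1 whose value at 0
    is `secret`, hand child number i (1-based index) its value at i, and recurse.
    Returns one share per leaf keyed by id(leaf); in the scheme each share becomes
    that leaf's decryption-key component."""
    if node.is_leaf():
        return {id(node): secret}
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.threshold - 1)]
    shares: Dict[int, int] = {}
    for i, child in enumerate(node.children, start=1):
        shares.update(assign_shares(child, _poly_eval(coeffs, i)))
    return shares


def _lagrange_at_zero(points: List[Tuple[int, int]]) -> int:
    """Recover q(0) from threshold-many points (i, q(i)) by Lagrange interpolation mod P."""
    total = 0
    for i, yi in points:
        num, den = 1, 1
        for j, _ in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def reconstruct(node: Node, shares: Dict[int, int], gamma: Set[str]) -> Optional[int]:
    """decryptnode analogue: returns the node polynomial's value at 0 when the
    subtree is satisfied by gamma, otherwise None.  The real scheme performs the
    same interpolation in the exponent of a pairing value."""
    if node.is_leaf():
        return shares[id(node)] if node.attr in gamma else None
    points: List[Tuple[int, int]] = []
    for i, child in enumerate(node.children, start=1):
        value = reconstruct(child, shares, gamma)
        if value is not None:
            points.append((i, value))
            if len(points) == node.threshold:
                break                      # threshold-many satisfied children suffice
    if len(points) < node.threshold:
        return None
    return _lagrange_at_zero(points)


def build_example_tree() -> Node:
    """Constructed policy in the spirit of Figure 2:
    (hospital_A AND physician AND on_duty) OR (nurse AND on_duty)."""
    physician_branch = Node(threshold=3, children=[Node(attr="hospital_A"),
                                                   Node(attr="physician"),
                                                   Node(attr="on_duty")])
    nurse_branch = Node(threshold=2, children=[Node(attr="nurse"), Node(attr="on_duty")])
    return Node(threshold=1, children=[physician_branch, nurse_branch])


def key_then_decrypt(secret: int, gamma: Set[str]) -> Optional[int]:
    """Run key generation for the example tree, then try to recover the secret
    from the ciphertext attribute set gamma."""
    tree = build_example_tree()
    return reconstruct(tree, assign_shares(tree, secret), gamma)


if __name__ == "__main__":
    s = secrets.randbelow(P)
    for attrs in ({"hospital_A", "physician", "on_duty"},
                  {"nurse", "on_duty"},
                  {"hospital_A", "physician"}):
        print(sorted(attrs), "->", key_then_decrypt(s, attrs) == s)
```

The third attribute set in the usage run misses on_duty, so neither AND branch reaches its threshold and reconstruct returns None at the root; this is the collusion point of the correctness argument, since shares from different users' trees belong to different random polynomials and cannot be combined the same way.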

Security Analysis
(1) Collusion Attack Resistance. In this scheme, different users have different access structures. Each master key is generated randomly and independently; therefore, it is impossible for users to collude to obtain the medical data. Even if they collude, together they satisfy neither of their entries to the medical data.
(2) Confidentiality.
Theorem 1. If an attacker A can break the scheme in the security game with some probability, then a simulator B can be constructed that wins the DBDH game with half that probability.
Proof. The security of the game is based on the hardness of the DBDH assumption. We follow the approach proposed in [15]. The simulation proceeds as follows.
Init: the simulator B runs A. A chooses the attribute set on which it wishes to be challenged.
Setup: B assigns the public key as follows. It sets the public parameter to the pairing value taken from the DBDH instance. For every attribute in the committed set, it chooses a random exponent and sets the attribute's public component from it; for every other attribute, it sets the component in the alternative way, and then gives the public key to A.
Phase 1: A requests the master key of an access structure that is not satisfied by the committed attribute set.
To generate the master key, B needs to define a polynomial of the appropriate degree for every node in the access tree. We define a recursive function polynode to assign the polynomial for each node as follows. For each node, its threshold value and its unique index index(·) are as defined for the access tree. The procedure takes an access tree and an attribute set as input.
(i) If the node is the root, its polynomial's value at 0 is fixed by the simulator's setup, and the remaining points are chosen randomly.
(ii) Select the satisfied children of the node. For each such child, choose a random number and define the child's polynomial from it.
When polynode terminates, B has constructed the polynomials for all nodes in the tree, and the master key component corresponding to each leaf node follows from them. Therefore, B constructs a master key for the access structure.
Challenge. A submits two challenge messages to B. B flips a fair binary coin v and returns an encryption of the chosen message. The ciphertext consists of the attribute set, the blinded message, and one component per attribute.
If the DBDH coin is 0, the blinding value is the genuine pairing value, which means the ciphertext is a valid encryption of the message under the identity. If the DBDH coin is 1, the blinding value is random, so the blinded message is a random element from the adversary's view and contains no information about the chosen message.
Phase 2: the simulator acts exactly the same as in phase 1.
Guess: A submits a guess of v. If the guess equals v, the simulator outputs 0 to indicate that it was given a valid tuple; otherwise, it outputs 1 to indicate that it was given a random 4-tuple.
If the DBDH coin is 1, the adversary gains no information about v. If it is 0, the adversary receives an encryption of the chosen message, and its advantage in this situation is the advantage assumed in the theorem, by definition. Therefore, the probability that the guess equals v given a valid tuple is 1/2 plus that advantage. The overall advantage of the simulator in the DBDH game is
(3) Unforgeability. The adversary cannot forge the ciphertext because he cannot guess the attributes used to encrypt it. Even if the adversary obtains another user's ciphertext, he cannot create a new, valid ciphertext, since the attributes used to encrypt a ciphertext differ from others and the random value is chosen freshly. Therefore, we claim that our scheme is unforgeable under chosen-ciphertext attacks.

Performance Analysis.
In this part, we present the performance analysis results of our scheme in terms of transmission and computation, and compare them with the previous best known ones. In this paper we mainly consider the energy consumption of message transmission and computation in WBANs. The energy consumption of transmission is much higher than that of computing, so improving the performance of transmission greatly increases the overall performance. Table 1 shows the comparison of the energy consumption on transmission of our scheme and other schemes. It can be seen that, even with a message length of 60 bytes, the energy consumption on transmission of our scheme is much lower than the others.

Energy Consumption on Transmission.
Figure 3 presents the relationship between the number of attributes and the energy consumption on transmission. The curves in Figure 3 show that the energy consumption increases with the number of attributes.

Energy Consumption on Computation.
In this part, we evaluate the energy consumption on computation in our scheme as a function of the number of attributes. Firstly, we show the operations of initialization (Algorithm 1), key generation (Algorithm 2), encryption (Algorithm 3), user revocation (Algorithm 4), and decryption (Algorithm 5) in Table 2.
We consider the sensor CPU to be a 32-bit Intel PXA-255 processor at 400 MHz. It is reported in [22] that the typical power consumption of the PXA-255 in active and idle modes is 411 mW and 121 mW, respectively. We adopt the Tate pairing to compute the bilinear maps. According to [23], it takes 752 ms to compute the Tate pairing on a 32-bit ST22 smartcard microprocessor at 33 MHz. As a result, the computation of the Tate pairing on the PXA-255 roughly needs 33/400 × 752 ≈ 62.04 ms. Using energy = power × execution time, the energy consumed per pairing is 411 × 62.04 = 25.5 mJ. As mentioned in [23], the Tate pairing takes most of the running time; we thus use the energy consumed on pairing to approximate that of the whole procedure. In our scheme, we count the Tate pairings that take place in the sensors (we do not consider the Tate pairing in decryption, as it takes place on the user's client). The three pairings take 3 × 62.04 ms = 186.12 ms. Table 3 shows the computation cost of our scheme and other schemes when the number of users is 1. From Table 3 we can see that the computation time of our scheme is higher than the first three and lower than the fourth. Figure 4 presents the energy consumption on computation with regard to the number of users. From Figure 4 we observe that the computation cost of our scheme is lower than FABSC and higher than the others. Nevertheless, when we take both transmission and computation into account, our scheme is energy-efficient when the number of users is large.
Decryption (Algorithm 5), partial: if the access tree evaluates to 1 on the attribute set and the user's time is within the bound, the user can decrypt a message encrypted under a set of attributes.
(1) On receiving the ciphertext, the receiver checks the current time tt;
(2) if the time difference is below the threshold, the receiver decrypts the ciphertext using the decryption key DK;
(3) if the node is a non-leaf node, then:

Conclusion and Future Work
In this paper, we design a key-policy attribute-based scheme for access control in WBANs. When the attributes related to the ciphertext satisfy a user's access structure, the ciphertext can be decrypted. User revocation is introduced into the scheme. In the future, we can classify the medical data hierarchically, for example into sensitive and non-sensitive data. Sensitive data includes data of vital importance and embarrassing data. Non-sensitive data is ordinary medical data such as temperature, pulse, and blood pressure. Anyone who wants to get the sensitive data must have a high-level privilege, while non-sensitive data can be accessed with a low-level privilege.

Figure 1: A general healthcare system of WBAN.

Figure 2: An example of access structure.

Figure 3: Energy consumption on transmission with regard to the number of attributes.

Figure 4: Computation cost with regard to the number of users.

Table 2: The operations in our scheme.

Table 3: The energy consumption on computation of our scheme and other schemes.