EPPDA: An Efficient and Privacy-Preserving Data Aggregation Scheme with Authentication and Authorization for IoT-Based Healthcare applications

The Internet of Things (IoT) connects various kinds of intelligent objects and devices over the Internet to collect and exchange data. Nowadays the IoT is used in diverse application domains, including healthcare, where IoT devices collect patient data and forward it to the healthcare professionals who need to view it. Because IoT devices are usually resource-constrained in terms of energy, storage capacity, computational capability and communication range, data aggregation techniques are used to reduce the communication overhead. However, in an IoT-based healthcare system the heterogeneity of technologies, the large number of devices and systems, and the different types of users and roles create important security challenges, so the secure and privacy-preserving aggregation of health data is an essential requirement. In this paper we propose a novel secure data aggregation scheme based on homomorphic primitives for IoT-based healthcare systems, called "An Efficient and Privacy-Preserving Data Aggregation Scheme with Authentication for IoT-Based Healthcare applications" (EPPDA). EPPDA relies on a Verification and Authorization phase to verify the legitimacy of the nodes that want to join the aggregation process. EPPDA uses additive homomorphic encryption to protect data privacy and combines it with a homomorphic MAC to check data integrity. The security analysis and experimental results show that the proposed scheme guarantees data privacy, message authenticity and integrity with lightweight communication and computation overhead.


Introduction
The Internet of Things (IoT) is a new paradigm that is rapidly gaining ground in the modern wireless telecommunications scenario. The basic idea behind this concept is the pervasive presence around us of a variety of things or objects, such as RFID tags, sensors, actuators and cell phones, which, through unique addressing schemes, are able to interact with each other and cooperate with their neighbours to achieve common goals [1]. The IoT will promote the

Related work
Security is one of the most important factors to consider when developing IoT-based healthcare systems [14].
This section describes the main research projects on secure data aggregation for IoT-based healthcare applications.
We then use this review to highlight the research gaps and state our own research motivation.
In [15], Zhang et al. present a health data aggregation scheme named priority-based health data aggregation with privacy preservation for cloud-assisted WBANs (PHDA). It improves the efficiency of aggregation between different types of health data: based on the data priorities, adjustable transfer strategies can be selected to transmit the user's health data to cloud servers at reasonable communication cost. PHDA can also resist tampering attacks and achieves a desirable delivery rate with reduced delivery time for data of different priorities, while reducing the communication load. However, the system is not tolerant of failures of users or cloud servers, nor is it resistant to other types of attacks.
In [16], the authors introduce an efficient and privacy-friendly data aggregation scheme known as Fault-Tolerant Multifunctional Health and Privacy-Preserving Data Aggregation for Cloud-Assisted WBANs (PPM-HDA). It addresses the need for a fault-tolerant cloud framework to manage sensitive user health data in a large-scale network, and takes both temporal and spatial statistical aggregation of health data into account. In other words, PPM-HDA preserves differential privacy not only for additive aggregations, such as sum and variance, but also for non-additive aggregations, such as min/max, median, percentile and histogram. The additive aggregation uses the Boneh-Goh-Nissim cryptosystem, a public-key encryption scheme, to protect user privacy. PPM-HDA ensures that the remaining uncompromised cloud servers can still decrypt the aggregated data collected by the healthcare sensors. A prefix membership check is used to reduce the computational overhead by turning the question of whether a data item lies in a range into a few equality checks on numeric values.
Another approach, proposed by Ben Othman et al. [17], is the Lightweight Secure Data Aggregation Scheme in Healthcare using IoT (LSDA). This scheme is characterized by the use of homomorphic encryption. In addition, each aggregator checks all the packets received from its member nodes, which filters false packets out of the network and lets the nodes save power in the transmission phase. LSDA has three phases: encryption, authentication and aggregation, and decryption and verification. It brings several advantages, such as reduced power consumption, improved bandwidth utilization and data privacy. A limitation of the approach is that it does not distinguish different types of health data.
In [18], Ben Othman et al. present an end-to-end secure data aggregation scheme named Robust and Efficient Secure Data Aggregation Scheme in Healthcare Using IoT (RESDA). The main objective is to secure the data aggregation without introducing significant overhead on the battery-limited sensors. The approach uses privacy homomorphic encryption and meets several security requirements, including confidentiality, authenticity and integrity. The performance evaluation demonstrated the feasibility and advantages of the scheme as well as its performance gains. A limitation of the approach is that it does not distinguish different types of health data.
Yi Liu et al. [19] proposed a reliable and energy-efficient trust-based communication system for remote patient monitoring in wireless body area networks (ERCS). It is a trust-based communication scheme that ensures the reliability and confidentiality of the WBAN: a cooperative communication approach provides reliability, while a cryptographic mechanism preserves confidentiality. The cooperative strategy builds trust between the bio-sensors to make the network more reliable, and trust is also established at the remote medical server through a trust certificate. The performance evaluation showed that the system outperforms previously proposed advanced systems in terms of trust, energy efficiency and reliability.
Insaf Ullah et al. [20] proposed a novel contribution named: An efficient and provable secure certificate-based
The techniques discussed above are summarized in Table 1.

System Model and design Objectives
In this section, we formalize the system model, and the design goals of the proposed scheme.

Network Model
The architecture considered in this work is shown in Figure 2. The proposed model can be used in a hospital and even by a remotely located patient. It comprises three components: Medical Sensor Nodes, an Aggregator and a Medical Server. The following design goals are to be achieved.
❖ High efficiency: The aggregation scheme should be efficient; that is, the computational cost at the IoT devices should be as low as possible and the communication overhead minimal.
❖ Security: The aggregation scheme should resist false data injection by external attackers; that is, the system must filter false data locally at the Aggregator.

Proposed EPPDA Solution
The proposed protocol provides efficient secure data aggregation with mutual authentication. In this section we present the EPPDA protocol for secure data aggregation in IoT-based healthcare, which consists of four parts: (1) Setup and key generation phase; (2) Encryption and signing phase; (3) Verification and Authorization phase; and (4) Data Aggregation phase. The flowchart of the proposed solution is shown in Figure 3.

Setup and key generation phase
Placing a patient under sensor-based monitoring is decided on the recommendation of the doctor.
According to the patient's health data needs, the medical personnel place the medical sensors on the patient's body.
First, each patient must be registered with the Medical Server before any body sensor network is attached to him or her.
When the hardware configuration is finished, the Medical Server requests the key information from each sensor.
After receiving the request via the Aggregator, each Medical Sensor Node processes it and sends its key parameters in a broadcast message to the Aggregator.
For each Medical Sensor an ID and a private key are generated and sent to the Aggregator; they are denoted IDMS and MSPvkey. The private key of the sensor node is created using the Diffie-Hellman key exchange [21]. The Aggregator receives the sensor node ID and private key and stores them.
Likewise, the Aggregator generates IDAgg and AggPvkey and transfers them to the Medical Server, which receives and stores them.
The notation is listed in Table 2. Figure 4 shows the key exchange model of the setup and key generation phase in EPPDA, and the pseudocode of the phase is given in Algorithm 1.

Table 2: Notation
Symbol      Description
IDMS        Medical Sensor ID
mi          Health data
IDAgg       Aggregator ID
MSPvkey     Private key of Medical Sensor
AggPvkey    Private key of Aggregator
*           Stored value
S1, S2      Messages exchanged
RN1, RN2    Random numbers
PKMS        Public key of Medical Server
SKMS        Secret key shared between the Medical Sensor and Medical Server

Encryption and Signing Phase
The health data come from a variety of devices, resulting in a large number of data records [15]. We distinguish different types of health data with different characteristics: emergency data, vital health data and regular health data. Vital health data are the data requested by doctors to continuously monitor a patient's condition; many diseases can be diagnosed and controlled through regular monitoring of such data.
Regular data are not related to an emergency and have no urgent delivery requirement. The Medical Server receives periodic updates and validates the data at each update. If the patient's data fall within the reference interval, no emergency alert is sent to the doctor; if the data are abnormal, the Medical Server notifies the doctor.
Data confidentiality is mandatory for data aggregation in IoT-based healthcare: it ensures that the data cannot be read by unauthorized persons while they flow through the network. A homomorphic encryption algorithm that protects end-to-end confidentiality is applied in this protocol. The major advantage of homomorphic encryption is that it allows mathematical operations to be performed on encrypted data without knowledge of the original plaintext [22]. Since the computations are performed on ciphertexts, data privacy and confidentiality are preserved [23].
To ensure that the content exchanged between the Medical Sensors and the Medical Server is protected against modification by malicious or unauthorized users, and to allow the Medical Server to detect corrupted data, we use a homomorphic Message Authentication Code (MAC) scheme to provide data integrity. The MAC ensures that the received message comes from the authenticated source and has not been tampered with by a third party during transmission [23].
The proposed solution also guarantees data freshness in time and value: in each exchange of encrypted data between the network devices a nonce N is sent. The nonce is an implicit sequence number that is used only once, for data freshness.
Algorithm 2 describes the procedure executed by the Medical Sensor to encrypt and sign the collected data.

Verification and Authorization phase
As an effective solution to the issues mentioned above, we propose a Verification and Authorization phase that uses a signature scheme based on Chebyshev polynomials [24][25][26]. The first verification is between the Medical Sensors and the Aggregator, for which a signature is created by the Medical Sensor.
First, the Medical Sensor creates two messages, S1 and S2, and the Chebyshev polynomial factor. S1 is generated by encrypting the private key of the Medical Sensor and reducing the result modulo the random number RN1:

$S_1 = E(MSPvkey) \bmod RN_1$ (1)

S2 is obtained by concatenating the sensor identifier IDMS with the Chebyshev polynomial M and with S1, and applying the hash function to the concatenation:

$S_2 = h(ID_{MS} \,\|\, M \,\|\, S_1)$ (2)

where h is the hash function and M is the Chebyshev polynomial factor computed at the Medical Sensor as

$M = 8m^4 - 8m^2 + 1$ (3)

with the term m obtained by XOR-ing the private key of the Medical Sensor with the hash of IDMS:

$m = MSPvkey \oplus h(ID_{MS})$

Finally, the signature α is formed from S1 and S2:

$\alpha = (S_1, S_2)$ (4)

The signature α generated by the Medical Sensor is forwarded to the Aggregator, which stores it for the verification phase; the stored copies of S1 and S2 are denoted $S_1^*$ and $S_2^*$ (5), (6). Figure 5 illustrates this step. If the Medical Sensor is malicious or unauthorized, the Aggregator rejects it from joining its network.

Algorithm 3 : Generate the signature α
1. Create S1 and S2: $S_1 = E(MSPvkey) \bmod RN_1$, $S_2 = h(ID_{MS} \,\|\, M \,\|\, S_1)$
2. Generate the signature $\alpha = (S_1, S_2)$
3. Send α to the Aggregator

The Chebyshev polynomial is also sent to the Aggregator and stored for further processing. The Aggregator computes the polynomial from the values it holds as

$M^* = 8m^4 - 8m^2 + 1$ (7)

where

$m = MSPvkey^* \oplus h(ID_{MS}^*)$ (8)

If the signature received from the Medical Sensor agrees with the values held by the Aggregator, $S_1 = S_1^*$ and $S_2 = S_2^*$, the signature is verified.
After verifying the legitimacy of the Medical Sensors, the Aggregator sends a request for aggregation authorization to the Medical Server.
For this, the Aggregator generates the message S3:

$S_3 = h(ID_{Agg} \,\|\, RN_2) \oplus AggPvkey$ (9)

S3 is sent to the Medical Server, where it is stored as $S_3^*$ (10). Once the Medical Server receives S3, it compares it with $S_3^*$. If $S_3 = S_3^*$, the Medical Server generates the aggregation authorization message A1 for the Aggregator; otherwise the Aggregator is considered malicious or unauthorized and is rejected from joining the network.
By this process the sensor devices, the gateway device (Aggregator) and the Medical Server are mutually authenticated before the actual health data transmission. The Medical Server then sends A1 to the Aggregator, and on receipt of A1 the aggregation phase is activated. Figure 6 shows the system model of the verification phase.
The pseudocode of the Verification and Authorization phase is given in Algorithm 4.

Algorithm 4 : Verification and Authorization phase
1. The Aggregator holds the stored messages $S_1^*$ and $S_2^*$
2. If $S_1 = S_1^*$ and $S_2 = S_2^*$, the signature is verified
3. The Aggregator generates $S_3 = h(ID_{Agg} \,\|\, RN_2) \oplus AggPvkey$
4. Send S3 to the Medical Server, where it is stored
5. The Medical Server generates the aggregation authorization messages A1 and A2
6. Send A1 to the Aggregator
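The two verifications of Algorithm 4, equations (1) to (10), as an added example that is not code from the EPPDA paper or its authors. On each checking side the message is recomputed from the values stored at setup (IDMS* and MSPvkey* at the Aggregator, IDAgg* and AggPvkey* at the Medical Server) and compared with what was received. Assumptions made for the example: h is SHA-256 over a length-prefixed concatenation, E (left unspecified in the paper) is a one-way function of the key, RN1 and RN2 travel alongside the message they modulate, and A1 is a hash token bound to IDAgg and RN2.

```python
"""Added example (not code from the EPPDA paper): the Verification and
Authorization phase, equations (1)-(10), with a constructed run that shows
a registered sensor passing and a sensor with a wrong key being rejected."""
import hashlib
import secrets


def _enc(x):
    """Length-prefixed encoding of an int or str so that h(a || b || c) is
    unambiguous (assumption: the paper does not fix an encoding)."""
    b = x.encode() if isinstance(x, str) else x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return len(b).to_bytes(4, "big") + b


def h(*parts):
    """h(): SHA-256 over the concatenation of the parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(_enc(p) for p in parts)).digest(), "big")


def E(key):
    """E(): the paper leaves the encryption of the private key unspecified;
    a one-way function of the key is assumed here."""
    return h("E", key)


def chebyshev_T4(m):
    """Degree-4 Chebyshev polynomial, equations (3) and (7)."""
    return 8 * m ** 4 - 8 * m ** 2 + 1


def sensor_sign(id_ms, ms_pvkey, rn1):
    """Medical Sensor: build alpha = (S1, S2), equations (1)-(4)."""
    m = ms_pvkey ^ h(id_ms)            # m = MSPvkey XOR h(IDMS)
    M = chebyshev_T4(m)                # Chebyshev factor M
    s1 = E(ms_pvkey) % rn1             # (1)
    s2 = h(id_ms, M, s1)               # (2)
    return s1, s2                      # (4)


def aggregator_verify(agg_table, id_ms, rn1, alpha):
    """Aggregator: recompute (S1*, S2*) from the stored IDMS*, MSPvkey* and
    the received RN1, equations (5)-(8), and compare with the received alpha."""
    if id_ms not in agg_table:
        return False                   # unknown sensor: not registered at setup
    s1_star, s2_star = sensor_sign(id_ms, agg_table[id_ms], rn1)
    # A production check should compare in constant time
    # (e.g. hmac.compare_digest on fixed-width encodings).
    return alpha == (s1_star, s2_star)


def aggregator_request(id_agg, agg_pvkey, rn2):
    """Aggregator: S3 = h(IDAgg || RN2) XOR AggPvkey, equation (9)."""
    return h(id_agg, rn2) ^ agg_pvkey


def server_authorize(srv_table, id_agg, rn2, s3):
    """Medical Server: recompute S3* from the stored IDAgg*, AggPvkey* (10);
    on a match return the authorization message A1, otherwise None."""
    if id_agg not in srv_table:
        return None
    if s3 != aggregator_request(id_agg, srv_table[id_agg], rn2):
        return None                    # Aggregator rejected
    return h("A1", id_agg, rn2)        # assumption: A1 is a token bound to IDAgg and RN2


def demo():
    """Constructed run: one registered sensor, the same sensor ID presented
    with a wrong key, an unregistered sensor, and one registered Aggregator."""
    ms_key, agg_key = secrets.randbits(256), secrets.randbits(256)
    agg_table = {"MS-01": ms_key}                # filled during the setup phase
    srv_table = {"AGG-01": agg_key}
    rn1 = secrets.randbits(64) + 2               # RN1 is the modulus in (1): keep it large
    rn2 = secrets.randbits(64)
    legit = aggregator_verify(agg_table, "MS-01", rn1, sensor_sign("MS-01", ms_key, rn1))
    rogue = aggregator_verify(agg_table, "MS-01", rn1, sensor_sign("MS-01", ms_key ^ 1, rn1))
    unknown = aggregator_verify(agg_table, "MS-99", rn1, sensor_sign("MS-99", ms_key, rn1))
    a1 = server_authorize(srv_table, "AGG-01", rn2, aggregator_request("AGG-01", agg_key, rn2))
    bad = server_authorize(srv_table, "AGG-01", rn2, aggregator_request("AGG-01", agg_key ^ 1, rn2))
    return {"legit": legit, "rogue": rogue, "unknown": unknown,
            "authorized": a1 is not None, "rejected": bad is None}


if __name__ == "__main__":
    print(demo())
```

Because RN1 is the modulus in (1), the size of S1 is bounded by RN1; a short RN1 would leave S1 with little entropy, so the example draws it at 64 bits. The recomputation also makes explicit what the stored asterisked values are for: the Aggregator needs MSPvkey* and IDMS* from the setup phase to form S1* and S2* itself, rather than merely keeping a copy of what the sensor sent.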

Data Aggregation phase with priority
After receiving the aggregation authorization message from the Medical Server, the Aggregator runs the Data Aggregation phase. In EPPDA the aggregation is priority-based: ciphertexts of different data priorities cannot be combined, and only ciphertexts of the same priority are combined together. In the rest of this section we describe the forwarding strategies for data with different priorities. The pseudocode of the Data Aggregation phase is given in Algorithm 5.

Decryption and Verification phase:
In this step, after receiving all data packets, i.e. the aggregated data, the Medical Server invokes the decryption and verification processes. It first decrypts the aggregated ciphertext and checks the end-to-end integrity; if the verification holds the aggregated data are accepted, otherwise they are rejected. The data can then be accessed by the different entities, including the hospital, doctors and insurance companies. The pseudocode of the Data Decryption and Verification phase is given in Algorithm 6.
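The encryption and signing phase, the priority-based aggregation phase and the decryption and verification phase above, carried through end to end as an added example that is not code from the EPPDA paper or its authors. The paper fixes neither the additive cipher beyond citing OU ciphertexts via [18] nor the homomorphic MAC construction, so the example substitutes Paillier (also additively homomorphic) with toy-size primes and a linear MAC whose tags add like the plaintexts; the tag key `alpha`, the per-sensor SKMS values, the nonce, the priority labels, the readings, and the Aggregator attaching the contributing sensor IDs to each class are all constructed assumptions.

```python
"""Added example (not code from the EPPDA paper): sensors encrypt each reading
with an additively homomorphic cipher and tag it with a homomorphic MAC; the
Aggregator sums ciphertexts and tags per priority class without decrypting;
the Medical Server decrypts each class and checks end-to-end integrity."""
import hashlib
import hmac
import math
import secrets

# --- Additively homomorphic encryption (Paillier; stand-in for the OU cipher) ---
# 999983 and 1000003 are primes.  Toy size: a real key needs a >= 2048-bit n.

def paillier_keygen(p=999983, q=1000003):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)      # lcm(p-1, q-1)
    g = n + 1
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)                                # PKMS, server secret key

def paillier_encrypt(pk, m):
    n, g = pk
    n2 = n * n
    r = secrets.randbelow(n - 2) + 2                        # blinding factor
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def paillier_add(pk, c1, c2):
    return (c1 * c2) % (pk[0] ** 2)                         # Enc(m1) * Enc(m2) = Enc(m1 + m2)

def paillier_decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

# --- Homomorphic MAC (assumption: linear MAC, not the paper's construction) ---
# tag = (ALPHA * m + PRF(SKMS, nonce || priority)) mod Q.  Tags add like the
# plaintexts: sum(tags) = ALPHA * sum(m) + sum(pads).  ALPHA and each SKMS are
# shared between the sensors and the Medical Server only; the Aggregator never
# holds them, so it cannot forge a tag for a tampered sum.
Q = 2 ** 127 - 1                                            # prime modulus for tags

def pad(skms, nonce, priority):
    msg = nonce.to_bytes(8, "big") + priority.encode()
    return int.from_bytes(hmac.new(skms, msg, hashlib.sha256).digest(), "big") % Q

def mac_tag(alpha, skms, m, nonce, priority):
    return (alpha * m + pad(skms, nonce, priority)) % Q

def sensor_report(pk, alpha, skms, sensor_id, m, nonce, priority):
    """Medical Sensor side: (IDMS, priority, ciphertext, tag)."""
    return sensor_id, priority, paillier_encrypt(pk, m), mac_tag(alpha, skms, m, nonce, priority)

def aggregate(pk, reports):
    """Aggregator side: combine only reports of the same priority class."""
    acc = {}
    for sid, prio, c, t in reports:
        if prio in acc:
            ids, c0, t0 = acc[prio]
            acc[prio] = (ids + [sid], paillier_add(pk, c0, c), (t0 + t) % Q)
        else:
            acc[prio] = ([sid], c, t)
    return acc

def server_verify(pk, sk, alpha, sensor_keys, nonce, aggregated):
    """Medical Server side: decrypt each class and check its aggregated tag.
    Returns {priority: total} with None where the integrity check failed."""
    out = {}
    for prio, (ids, c, t) in aggregated.items():
        total = paillier_decrypt(pk, sk, c)
        expected = (alpha * total + sum(pad(sensor_keys[i], nonce, prio) for i in ids)) % Q
        out[prio] = total if t == expected else None
    return out

def demo(tamper=False, replay=False):
    """Constructed sample: three sensors, two priority classes, one nonce.
    tamper: the Aggregator folds an extra reading of 100 into the vital sum.
    replay: the batch is presented under a nonce the server has moved past."""
    pk, sk = paillier_keygen()
    alpha = 0x5DEECE66D                                     # assumed shared MAC key
    keys = {"MS1": b"k-ms1", "MS2": b"k-ms2", "MS3": b"k-ms3"}   # SKMS per sensor
    nonce = 42
    readings = [("MS1", "vital", 72), ("MS2", "vital", 80), ("MS3", "regular", 37)]
    reports = [sensor_report(pk, alpha, keys[s], s, m, nonce, p) for s, p, m in readings]
    agg = aggregate(pk, reports)
    if tamper:
        ids, c, t = agg["vital"]
        agg["vital"] = (ids, paillier_add(pk, c, paillier_encrypt(pk, 100)), t)
    return server_verify(pk, sk, alpha, keys, nonce + 1 if replay else nonce, agg)

if __name__ == "__main__":
    print(demo(), demo(tamper=True), demo(replay=True))
```

The honest run yields the per-class sums (152 for the two vital readings, 37 for the regular one) without the Aggregator ever seeing a plaintext; folding an extra ciphertext into the vital class makes the server reject that class only, which is the per-class rejection the performance section relies on; and re-presenting the batch under a stale nonce fails for every class, since each pad is bound to the nonce. One limit of this simple linear MAC, not a statement about the paper's construction: any party holding `alpha`, including a compromised sensor, can forge tags.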

Security analysis
In this section we discuss the security strength of the proposed EPPDA scheme, which achieves confidentiality, authenticity and end-to-end privacy for the patient's medical data.
❖ Data Confidentiality: To protect the patient's privacy, the data must be transmitted securely; data confidentiality is the most important factor to consider when designing a healthcare security architecture using the IoT. In EPPDA the collected sensor data are encrypted with the homomorphic encryption algorithm. Thus neither the Aggregator nor an attacker has access to the data, even if the Aggregator is compromised physically or virtually, since the major advantage of homomorphic encryption is that operations can be performed on encrypted data without knowledge of the original contents. Hence privacy is maintained end to end, and the proposed scheme provides good confidentiality for the patient's health data. The security proof of the homomorphic encryption is provided in [22,23].
❖ Integrity: To guarantee the integrity of the health data, our scheme allows the Medical Server to check whether the aggregation was done correctly, since the data can be inspected at any time. We claim that the scheme provides data integrity and originality: as described above, each Medical Sensor computes a homomorphic MAC over its encrypted measurement and sends the result to the Aggregator.
The Aggregator computes the aggregate on the encrypted data without knowing the original contents. The security proof of the MAC is provided in [23]. Hence an adversary cannot generate a valid MAC unless he or she knows the secret key shared between the Medical Sensors and the Medical Server. Even if an attacker modifies the information or launches a replay attack, the Medical Server can verify the correctness of the received data. As a result, the scheme guarantees the integrity and validity of the patient's private data.
❖ Identity anonymity and authenticity: To verify the legitimacy of the communication between the network components, we propose an authentication step at each layer of the network model. Authentication of the communicating parties relies on verification of the proposed signature, in which hashing and Chebyshev polynomials are applied jointly to achieve mutual authentication. The first authentication is between the Medical Sensors and the Aggregator: the Aggregator authenticates a Medical Sensor using the shared signature, and if the values held by the Aggregator match those generated by the Medical Sensor, $S_1 = S_1^*$ and $S_2 = S_2^*$, the signature is verified.
On successful authentication the Aggregator accepts the related health data; otherwise it rejects the data and does not let the Medical Sensor join its network. The second authentication is between the Aggregator and the Medical Server, which verifies the legitimacy of the Aggregator: the Aggregator is authenticated when the stored $S_3^*$ matches the received S3; otherwise the Aggregator is treated as malicious or unauthorized and rejected from the network. The mechanism therefore detects identity fraud, and the scheme realizes mutual authentication between the communicating parties: the sensor devices, the gateway device and the Medical Server are mutually authenticated before any health data are transmitted.
❖ Data Freshness: To ensure the freshness of each message, a nonce and the sensing time are added to every data transmission. An attacker who resends valid packets that were already transmitted (a replay attack) cannot disrupt the network, because a replayed packet, even if valid, is not fresh; the nonce lets the receiver detect it, so the scheme ensures data freshness.

Performance analyses and experimental results
In this section, we evaluate the EPPDA scheme described in the previous section in terms of performance. First, we provide an overview of the Hardware Platform. Then, we present the performance results of our proposed EPPDA scheme.

Hardware Components
The vital-signs sensing unit of the system is the MySignals HW V2 platform, a development platform for medical devices and e-health applications, shown in Figure 7. It monitors patients' health by deploying different medical sensors on the patient's body to obtain sensitive data for subsequent analysis by physicians [27]. The platform supports more than 20 biomedical sensors measuring parameters such as ECG signals, blood pressure, blood oxygen, pulse, respiratory rate and body temperature. It relies on an ATmega328 (Arduino UNO) microcontroller to manage the sensors and also allows tablets and smartphones to communicate with it [28].

Fig. 7. MySignals HW V2 platform [27].
In contrast to the medical sensor, the Aggregator is assumed to be a device with access to unconstrained power and resources.
A tablet plays the Aggregator role and communicates with the MySignals HW V2 platform via WiFi to collect the vital signs. The platform's sensor ports are visible in Figure 7, and it integrates an ESP8266 WiFi serial transceiver module (Figure 8). All data gathered by MySignals are encrypted and sent to the Aggregator over WiFi.
The Medical Server receives, stores and distributes the medical data of patients; in healthcare applications medical information usually has to be distributed among doctors and display, archival and analysis devices. In the proposed solution the Medical Server is a laptop PC, with relatively powerful processing, memory and transmission capacity and no power constraint, and the data can be displayed in an easy-to-read format for fast assessment and action. The Medical Server is composed of a presentation tier, a web tier and a database tier. The patient's medical information stored on the Medical Server is accessible only to people authorized to access it, such as the patient, the doctor or the patient's family members. The aggregated data exchanged between the system components are encrypted by the proposed EPPDA scheme to protect them from malicious acts.

Experiment and Performance Evaluation
In this section we analyze the efficiency of the proposed EPPDA scheme by evaluating the end-to-end delay, computation overhead, communication overhead and energy consumption, and compare it with the existing LSDA [17] and RESDA [18] schemes.

A. End-to-End Delay
The end-to-end delay is the total time between the sending of a data packet by a Medical Sensor and its arrival at the Medical Server:

$\text{Av. End-to-End Delay} = \frac{\sum_{i,j} \left(\text{EndTime}_{ij} - \text{StartTime}_{ij}\right)}{N}$ (11)

where StartTime_ij and EndTime_ij are the times at which the sending, respectively the reception, of packet j at node i starts and stops, and N is the total number of nodes.

B. Computation Overhead
❖ In our scheme the Medical Server verifies the packet of each Medical Sensor individually, so if verification fails for one packet only that packet is discarded. In other schemes, once verification fails all packets, including valid ones, are abandoned and all data must be retransmitted. The computation complexities of the major entities in the system are shown in Table 3.

Table 3: Computation complexity of the proposed EPPDA scheme

Figure 10 presents the computational cost of EPPDA compared with the other solutions. Our scheme achieves a significant reduction of the total computation cost compared with LSDA and RESDA: for example, with 10 Medical Sensors the total computation cost of our scheme is 0.6 ms, which is 11% and 20% lower than that of RESDA and LSDA respectively.

C. Communication Overhead
In the Medical Sensor-to-Aggregator communication, each Medical Sensor signs its health data and transmits them to the Aggregator. According to [18], a ciphertext generated by the OU algorithm is 160 bits. We consider a 4-byte homomorphic MAC, following [27], and a 4-byte verification signature. Therefore the size of one packet transmitted from each Medical Sensor to the Aggregator is 160 + 32 + 32 = 224 bits.
In the Aggregator-to-Medical Server communication, each ciphertext Cj is 160 bits, so the aggregated ciphertext Cagg occupies 160 × n bits when n sensors take part in the process. MACagg is 4 bytes and the verification signature is 4 bytes, so the size of one packet transmitted by the Aggregator is (160 × n) + 32 + 32 bits.
Figure 11 presents the communication overhead of EPPDA compared with the other solutions. Our scheme achieves a significant reduction of the total communication overhead compared with LSDA and RESDA: for example, with 10 Medical Sensors the total communication overhead of our scheme is 1664 bits, which is 10% and 15% lower than that of RESDA and LSDA respectively.

D. Energy Consumption
The energy spent on computation by a sensor node is estimated from the number of CPU cycles as

$\text{ComptCost (mJ)} = \frac{\text{cpu cycles}}{32768} \times 1.8\,\text{mA} \times 3\,\text{V}$ (13)

and the total energy consumed by the sensor node under EPPDA as

$\text{TotalEnergy (mJ)} = \text{EnergyComm} + \text{EnergyCompt}$ (14)

Figure 12 shows that the energy consumption of EPPDA is lower than that of the two other schemes. The reason is that RESDA and LSDA generate many unnecessary messages to provide integrity and privacy in data aggregation. The gain is explained by the much lower computational load of our algorithm, owing to the use of homomorphic encryption, and by the fact that Medical Sensors wanting to join the aggregation are verified first, which avoids the energy otherwise wasted on transmitting their data.
Figure 12. The total energy consumption.

Comparison of Secure Data Aggregation Protocols
In this section we compare the proposed protocol with existing secure data aggregation protocols on the basis of security requirements and performance. Table 4 shows that EPPDA satisfies most of the security properties, unlike the other data aggregation schemes for IoT-based healthcare applications. In addition, the performance evaluation showed that EPPDA meets the communication and computation overhead requirements.

Conclusions and Future Work
Recent developments in the Internet of Things (IoT) show great promise for healthcare solutions, but protecting data privacy and integrity at the same time during data aggregation is challenging in IoT-based healthcare systems. This paper presented a novel secure aggregation scheme that provides provably secure message integrity with different trade-offs between computation cost, communication payload and security assumptions. EPPDA relies on a Verification and Authorization phase to verify the legitimacy of the nodes that want to join the aggregation process. The scheme uses an additive homomorphic encryption algorithm that allows aggregation on encrypted data, combined with a homomorphic MAC. The security analysis and performance evaluation show that the scheme resists attacks such as node compromise and unauthorized aggregation, and the comparison of communication overhead with existing protocols shows the efficiency of the proposed protocol on resource-constrained devices. Future work will study and improve the performance of the scheme by applying it to different types of medical sensors.