Lightweight Fine-Grained Access Control for Wireless Body Area Networks

Wireless Body Area Network (WBAN) is a highly promising technology enabling health providers to remotely monitor vital parameters of patients via tiny wearable and implantable sensors. In a WBAN, medical data is collected by several tiny sensors and usually transmitted to a server-side (e.g., a cloud service provider) for long-term storage and online/offline processing. However, as the health data includes sensitive information, providing confidentiality and fine-grained access control is necessary to preserve the privacy of patients. In this paper, we design an attribute-based encryption (ABE) scheme with lightweight encryption and decryption mechanisms. Our scheme enables tiny sensors to encrypt the collected data under an access control policy by performing very few computational operations. Also, the computational overhead on the users in the decryption phase is lightweight, and most of the operations are performed by the cloud server. In comparison with some excellent ABE schemes, our encryption mechanism is more than 100 times faster, and the communication overhead in our scheme decreases significantly. We provide the security definition for the new primitive and prove its security in the standard model and under the hardness assumption of the decisional bilinear Diffie-Hellman (DBDH) problem.

working as a gateway transfers the gathered health data to a cloud service provider. WBANs can significantly raise the efficiency of healthcare services as individuals do not need to visit the hospital anymore. Thus, WBANs play an important role in affording highly reliable ubiquitous healthcare services. However, as in the cloud-based WBANs the health data are outsourced to a third-party cloud server, some security concerns over fine-grained access control and data confidentiality are raised. Moreover, as tiny sensors in WBANs usually have limited computational and power resources, providing a secure lightweight encryption mechanism is another challenge in this scenario. Attribute-based encryption (ABE) [8,9] is a promising tool to afford confidentiality and fine-grained access control simultaneously. Generally, ABE schemes can be divided into three categories: key-policy ABE (KP-ABE) [10], ciphertext-policy ABE (CP-ABE) [11], and dual-policy ABE (DP-ABE) [12]. In a KP-ABE, a data user's secret-key is associated with an access control policy which is defined by a central authority, and each ciphertext is labeled by a set of attributes. A data user can decrypt a ciphertext if the access policy associated with its secret-key is satisfied by the attribute set associated with the ciphertext. Also, in a CP-ABE, a data user's secret-key is associated with the data user's attributes, and ciphertexts are associated with an access control policy. The secret-key of a data user can decrypt a ciphertext only if the attribute set of the data user satisfies the access policy associated with the ciphertext. In a DP-ABE scheme, the secret-key of a data user corresponds to both an access control policy defined by the central authority and the data user's attributes. Each ciphertext is also associated with both an access control policy defined by a data owner and a set of attributes. A data user can decrypt a ciphertext if and only if the access control policy embedded in the ciphertext is satisfied by attributes of the data user, and attributes of the ciphertext satisfy the data user's access policy. It seems that CP-ABE is more comfortable for both data owners and data users.
However, to the best of the authors' knowledge, current ABE schemes suffer from expensive computational operations in the encryption phase. Therefore, since the sensors have limited computational and power resources, existing ABE schemes are not appropriate for providing fine-grained access control in WBANs. To address this problem, in this paper, we design a lightweight fine-grained access control scheme called LW-FGAC which is able to offer lightweight encryption and decryption mechanisms. Our main contributions are given below:
• Lightweight encryption mechanism: Our proposed encryption mechanism is very efficient. In fact, in contrast with existing schemes, in our encryption scheme, the number of expensive operations performed by data owners (smart devices in the WBAN) does not depend on the number of attributes in the access control policy, and almost all the computational operations are offloaded onto the cloud service provider. As we will see, our encryption approach is more than 100 times faster than some excellent schemes in the literature.
• Lightweight communication overhead: In LW-FGAC, in comparison with the existing work, the communication overhead from a data owner to the cloud server is very low. Indeed, in LW-FGAC, lightweight partial ciphertexts are uploaded to the cloud server instead of ciphertexts of huge size.
• Lightweight decryption mechanism: Similar to the encryption phase, in the decryption phase, heavy computational operations can be outsourced to the CSP such that the CSP learns no partial information about data users' secret-keys or the underlying data files.
• Security definition and security proof: We formalize the system model and the security definition for the new primitive. Also, we prove the security of the scheme under the hardness assumption of the DBDH problem in the standard model.

Related Work
Cao et al. presented a thorough survey on WBANs [13]. Their work surveyed several basic WBAN research projects and enabling technologies. It also explored application scenarios, radio systems, smart devices, and the interconnection of WBANs to afford perspective on the trade-offs between data rate, power consumption, and network coverage. Li et al. [14] introduced an anonymous key agreement and mutual authentication scheme for WBANs. Their work enables the sensor nodes attached to patients' bodies to authenticate with the local server and establish a session key in an unlinkable and anonymous way. Chen et al. presented a detailed review of body area networks and their related issues [15]. They provided a comprehensive investigation of sensor devices, data link layer, physical layer, and radio technology aspects of WBANs. They also introduced some of the design challenges and open problems in this area. Zhang et al. [16] designed an efficient key agreement mechanism for WBANs. Their scheme enables neighboring nodes in WBANs to share a common key established by electrocardiogram (ECG) signals. Their proposed key agreement scheme can secure data communications over WBANs in a plug-n-play manner with no key distribution overhead. He et al. [17] introduced the security and performance challenges related to sensor networks for wireless medical monitoring. They also proposed an attack-resistant and lightweight trust management scheme. Zhou et al. [18] presented several fundamental and sophisticated cyberattacks on wireless sensor networks and introduced some substantial and promising solutions to satisfy the requirements. Ghamari et al. [19] presented a survey on WBANs for health care systems. They compared some current low-power communication technologies supporting the quick advancement and deployment of WBANs. Zhou et al. [20] proposed a privacy-preserving key management system for cloud-based WBANs in m-healthcare social networks. Their proposed scheme protects the patient's identity privacy, location privacy, and sensor deployment privacy by employing a blinding technique and embedding the human body's symmetric structure into Blom's symmetric-key mechanism with a modified secret sharing technique. Liu et al. [21] designed a medium access control for WBANs. In their work, by employing the Nash Bargaining Solution (NBS), they proposed a cooperative game-theoretic method providing priority-based tuning and maintaining the fairness axioms of game theory. Shen et al. [22] proposed a lightweight multi-layer authentication protocol for WBANs. In their work, using the ECC algorithm, they designed a one-to-many group authentication mechanism and a group key establishment algorithm between personal digital assistants and the other sensor nodes. They also designed a certificateless authentication mechanism without pairing. Although access control is known to be a major problem in WBANs [23], the mentioned schemes did not consider this problem.
ABE is a promising solution to the access control problem. The notion of ABE was first proposed by Sahai and Waters [8]. In their proposed scheme, a data owner can determine the authorized user to access its data by specifying an attribute set and a threshold value d. Each data user that has at least d common attributes with the specified set can access the outsourced data. After ABE was proposed, three schemes [12,24,25] divided ABE schemes into three categories: key-policy ABE (KP-ABE), ciphertext-policy ABE (CP-ABE), and dual-policy ABE (DP-ABE), respectively. Zhou et al. [26] designed a constant size CP-ABE. In their work, the size of ciphertexts is not sensitive to the number of attributes in access control policies. This feature significantly reduces the storage and communication overhead of the system. Guo et al. [27] designed a lightweight CP-ABE scheme with a constant secret-key size [28]. In their scheme, the length of a user's secret-key does not depend on the number of the user's attributes. Chen et al. [29] proposed an attribute-based scheme with short ciphertexts and signatures. Their proposed scheme has adaptive security in the standard model. However, none of the schemes presented in [26,28,29] provide a flexible access structure. Indeed, the schemes presented in [26,28] only support the And-gates access control policy, and [29] only provides the threshold access control policy. Yao et al. [30] designed a KP-ABE scheme for IoT applications. Their work supports access trees as access control policies. Also, in their work, by using the ECC algorithm, the communication and storage overhead is reduced significantly. He et al. [31] proposed an ABE scheme for mobile cloud-assisted cyber-physical systems. In their work, by eliminating pairing operations, they tried to lighten the encryption and decryption overhead. However, several expensive operations still remain. So, it seems that their scheme is not suitable for WBANs.
Moreover, none of the mentioned ABE schemes provide lightweight encryption and decryption mechanisms, which is not desirable for WBANs. To address this issue, several lightweight ABE schemes have been put forward. Yang et al. [32,33] designed lightweight access control systems for healthcare IoT networks. Their scheme provides a lightweight decryption mechanism and supports access trees as access control policies. Also, their schemes have adaptive security in the standard model. Xu et al. [34] proposed a lightweight DP-ABE for healthcare IoT systems. Their work offers a lightweight decryption system, and it is provably secure in the selective model. Lin et al. [35] proposed CP-ABE with a lightweight decryption mechanism by using an outsourcing technique. Lai et al. [36] put forward a CP-ABE scheme with verifiable outsourced decryption. Their work also provides a lightweight decryption approach and is provable in the adaptive model. However, none of the mentioned ABE schemes provide a lightweight encryption mechanism. Indeed, in these schemes, the computational operations on the user's side in the encryption phase are very expensive. This feature definitely makes such schemes inappropriate for WBANs. Table 1 compares the features of the mentioned ABE schemes with our proposed LW-FGAC. As we see, LW-FGAC is the only one providing a lightweight encryption approach. Also, we see that LW-FGAC is the only scheme that simultaneously meets all the features given in the table. We refer the reader to [37-44] to see more references related to attribute-based systems and wireless sensor networks.

System Architecture
In this section, we present the architecture of our proposed health system. We first describe the system model, and then we present the threat model of our system.

System Model
As shown in Figure 2, our proposed system consists of four generic entities: the Healthcare Authority (HA), the Cloud Service Provider (CSP), several data owners, and several data users. We describe these four entities below:
• HA: This entity is responsible for initializing the health system and also generating secret-keys of data owners and data users according to their attributes.
• CSP: The CSP has almost unlimited computational and storage resources. Its primary responsibility is to provide storage and computational services. When data owners want to encrypt their collected data, they can outsource most of the computational operations of the encryption phase to the CSP. Moreover, data users can also use the CSP's computational services. When a data user retrieves encrypted health data, the CSP can help it recover the associated data by performing most of the heavy computations of the decryption phase without learning any partial information about the underlying health data.
• Data owner: Data owners model the tiny wireless sensors attached to the bodies of patients and employed to monitor the patients' vital physiological parameters such as blood pressure, heart rate, diabetes, asthma, etc. The health data collected by data owners is first encrypted under an access control policy and then transferred to a smart device. Finally, the health data are outsourced to the CSP for online/offline analysis and long-term storage.
• Data owner: Data owners model smart devices that collect the health data from patients' bodies and transfer the data to the CSP. The smart devices can be categorized into the following two groups:
  1. Implanted and wearable sensors: These sensors are usually embedded on the surface of a patient's body or implanted in the deep tissue of a human body. Their main responsibility is to monitor the patients' vital physiological parameters such as blood pressure, heart rate, diabetes, asthma, etc. After collecting the health data, the sensors first partially encrypt the data under a predetermined access control policy. Then, the partially encrypted data are transferred to the data collector. Note that as the sensors usually have limited computational and power resources, the partial encryption process should be sufficiently efficient and should not include costly operations.
  2. Data collector: A data collector could be the WBAN's controller or a mobile device like a tablet or a smartphone. Its main responsibility is to transfer the collected partially encrypted health data to the CSP for completing the encryption process, long-term storage, and online/offline analysis.
• Data user: Data users model health service providers such as hospitals, doctors, medical clinics, etc. They can be specified by a set of descriptive attributes. Each data user should obtain a secret-key corresponding to its attribute set. Its secret-key can decrypt outsourced encrypted health data only if the attribute set associated with the secret-key satisfies the access control policy associated with the ciphertext.

In the following, we give an overview of our proposed LW-FGAC. As shown in Figure 3, our proposed scheme consists of four phases: System initialization, Key delegation, Data encryption, and Decryption, described below:

• System initialization: This phase is managed by the HA. In this phase, the HA generates the public parameters and the master secret-key of the system. It publishes the public parameters to the other parties and keeps the master secret-key confidential.
• Key delegation: This phase is operated by the HA. In this phase, the public-key and secret-key of data owners as well as the secret-keys of data users associated with their attributes are issued. Each data owner should ask the HA to generate its public-key and secret-key. The generated secret-key is given to the data owner, and the public-key is outsourced to the CSP. Also, in this phase, each data user possessing an attribute set can request its secret-key corresponding to the attribute set from the HA. The HA first checks if the data user has the attributes or not. If so, it provides the data user with an attribute secret-key.
• Data encryption: This phase is executed by data owners and the CSP. When a data owner wants to outsource its collected health data to the CSP, to provide confidentiality and access control, it should define an access control policy and encrypt the health data under it. However, as the computational power of the data owner (implanted and wearable sensors) is assumed to be limited, the heavy computational operations should be offloaded onto the CSP. Using its secret-key, the data owner (implanted and wearable sensors) first performs some lightweight computations and generates a partial ciphertext. Then, the data owner (data collector) gives the partially encrypted data to the CSP, and the CSP completes the encryption procedure. In this phase, the CSP cannot learn any partial information about the underlying health data.
• Decryption: This phase is managed by the CSP and data users. When a data user is authorized to access outsourced health data, using its secret-key obtained in the key delegation phase, it can make a decryption query to the CSP. The CSP performs heavy operations associated with the decryption phase without obtaining any information about the data user's secret-key or the associated health data. Afterward, the data user can recover the health data by performing some lightweight computational operations.

Threat Model
The HA is assumed to be trustworthy. It does not collude with data users and does not give unauthorized secret-keys to them. Data owners are also assumed to be trusted. They do not reveal the contents of their data to the other parties and do not grant access rights to unauthorized data users. The CSP is assumed to be an honest-but-curious entity. It always executes the given protocols correctly, but it is curious to learn some unauthorized information about the outsourced health data. To gain some information about the outsourced data files, it may collude with unauthorized data users. Data users are assumed to be malicious. Although they do not reveal the contents of health data files if they are authorized to access them, they may try to learn some unauthorized information about the other outsourced health data through colluding with the CSP and the other data users.

Preliminaries
For an arbitrary set S, let x ← S denote the random selection of an element x ∈ S. Also, for algorithm A, let O ← A(I) denote executing A on input I and outputting O. In the following, we present some related cryptographic notions.

Cryptographic Background
Bilinear map: Consider two cyclic groups $G_1$ and $G_2$ of a prime order $q$. A function $\hat{e} : G_1 \times G_1 \to G_2$ is said to be a bilinear map if the following conditions hold: Non-degeneracy: There is a $g \in G_1$ such that $\hat{e}(g, g) \neq 1$.
Assume that G is a probabilistic polynomial-time (PPT) algorithm that (λ, q, $G_1$, where λ is the security parameter of the system and $(q, G_1, G_2, \hat{e})$ is the same as before. In this work, we consider the following assumption, called decisional bilinear Diffie-Hellman (DBDH), on G: Decisional Bilinear Diffie-Hellman assumption (DBDH): Consider $(\lambda, q, G_1, G_2, \hat{e}) \leftarrow G(1^\lambda)$, $g \leftarrow G_1$ and $\alpha, \beta, \gamma \leftarrow Z_q$. The DBDH assumption states that for all PPT adversaries A there is a negligible function negl such that where the above probabilities are taken over the random selection of $g \in G$ and $\alpha, \beta, \gamma, z \in Z_q$, and also the randomness employed in G and A.

Access Trees
In an access tree, each leaf is associated with a unique attribute, and each inner node represents a threshold value. Also, the threshold value of each leaf node is assumed to be 1. Suppose that $T$ is an access tree, $v_a$ is the leaf associated with an attribute $a$, $k_v$ is the threshold value associated with a node $v$ in $T$, $R_T$ is the root node of $T$, $L_T$ is the leaf node set of $T$, and $T_v$ is a subtree of $T$ rooted at a node $v$.
Let $U$ be the universal attribute set, and $T$ be an access tree on $U$. For a given attribute set $Att \subseteq U$ and a node $v$ in $T$, let $F_{T_v}$ be a function mapping $Att$ to $\{0, 1\}$ and performing as follows:
• When $v$ is a leaf node corresponding to an attribute $a$, $F_{T_v}(Att) = 1$ if $a \in Att$, and 0 otherwise.
• When $v$ is an inner node, $F_{T_v}(Att) = 1$ if and only if $v$ has at least $k_v$ children $c_1, \ldots,$

We say that an attribute set $Att$ satisfies an access tree $T$ if $F_{T_{R_T}}(Att) = 1$. Suppose that $q$ is a prime number, and $T$ is an access tree. Consider an algorithm $\{q_v(0)\}_{v \in L_T} \leftarrow Share_q(T, r)$ which shares a secret $r \in Z_q$ according to $T$ and $q$ and performs as below:
• It generates a $(k_{R_T} - 1)$-degree polynomial $q_{R_T}$ for $R_T$ such that $q_{R_T}(0) = r$, and its other coefficients are chosen uniformly at random from $Z_q$.
• For each node $v$ having a polynomial $q_v$, it generates a polynomial $q_{c_i}$ for the $i$-th child of $v$ such that $q_{c_i}(0) = q_v(i)$, and its other coefficients are uniform elements of $Z_q$.

When this algorithm stops, it assigns a value $q_v(0)$ to each leaf node $v$ in the tree.
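
The following is an added illustration, not the authors' implementation: it evaluates the satisfaction function F and the top-down sharing algorithm Share described above, and then recovers the shared secret bottom-up by Lagrange interpolation, the polynomial interpolation method that Part.Dec later relies on. As a simplification it works on the shared values in Z_q directly rather than on group elements; the modulus, the sample policy, the attribute names and all function names are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed modulus: the Mersenne prime 2^127 - 1 stands in for the group order q.
Q = 2**127 - 1


@dataclass
class Node:
    """Access-tree node: a leaf carries an attribute, an inner node a threshold k_v."""
    threshold: int = 1
    attribute: Optional[str] = None
    children: List["Node"] = field(default_factory=list)


def leaf(attr: str) -> Node:
    return Node(attribute=attr)


def gate(k: int, *children: Node) -> Node:
    if not 1 <= k <= len(children):
        raise ValueError("need 1 <= k_v <= number of children")
    return Node(threshold=k, children=list(children))


def satisfies(v: Node, att: Set[str]) -> bool:
    """F_{T_v}(Att): a leaf needs its attribute, an inner node k_v satisfied children."""
    if v.attribute is not None:
        return v.attribute in att
    return sum(satisfies(c, att) for c in v.children) >= v.threshold


def _eval(coeffs: List[int], x: int) -> int:
    """Horner evaluation of q_v(x) mod Q, where coeffs[0] = q_v(0)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def share(v: Node, r: int, out: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Share_q(T, r): returns {attribute: q_v(0)} for every leaf v."""
    out = {} if out is None else out
    if v.attribute is not None:
        out[v.attribute] = r % Q
        return out
    # Degree k_v - 1 polynomial with q_v(0) = r and uniform remaining coefficients.
    coeffs = [r % Q] + [secrets.randbelow(Q) for _ in range(v.threshold - 1)]
    for i, child in enumerate(v.children, start=1):
        share(child, _eval(coeffs, i), out)  # q_{c_i}(0) = q_v(i)
    return out


def _interpolate_at_zero(points: Dict[int, int]) -> int:
    """Lagrange interpolation of q_v(0) from k_v points (i, q_v(i))."""
    total = 0
    for i, y in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * -j % Q
                den = den * (i - j) % Q
        total = (total + y * num * pow(den, -1, Q)) % Q
    return total


def reconstruct(v: Node, shares: Dict[str, int], att: Set[str]) -> Optional[int]:
    """Recover q_v(0) bottom-up from the leaf shares of attributes in att, or None."""
    if v.attribute is not None:
        return shares[v.attribute] if v.attribute in att else None
    points: Dict[int, int] = {}
    for i, child in enumerate(v.children, start=1):
        value = reconstruct(child, shares, att)
        if value is not None:
            points[i] = value
        if len(points) == v.threshold:
            return _interpolate_at_zero(points)
    return None


# Constructed policy: any 2 of {doctor, (cardiology OR emergency), hospital_A}.
POLICY = gate(2, leaf("doctor"), gate(1, leaf("cardiology"), leaf("emergency")),
              leaf("hospital_A"))

if __name__ == "__main__":
    r = secrets.randbelow(Q)
    leaf_shares = share(POLICY, r)
    for att in ({"doctor", "emergency"}, {"cardiology", "emergency"}):
        ok = reconstruct(POLICY, leaf_shares, att) == r
        print(sorted(att), "satisfies:", satisfies(POLICY, att), "recovers r:", ok)
```

An attribute set that fails the policy never collects k_v points at the root, so `reconstruct` returns `None` for it even when the set holds both leaves of the inner OR gate.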

System Definition and Security Model
In this section we present the system definition and the security model. Table 2 presents the notations used in this section. User.KeyGen(params, MSK, $id_u$, $Att_u$): This algorithm is executed by the CSP. On input the public parameters params, the master secret-key MSK, a data user's identifier $id_u$, and an attribute set $Att_u$, this algorithm outputs a secret-key $SK_u$ associated with $id_u$ and $Att_u$.

Security Definition
Security of LW-FGAC requires that for any PPT adversary modeling the CSP colluding with unauthorized data users, the advantage of the adversary in learning partial information about encrypted data files is a negligible function in the security parameter of the system. In other words, the adversary is unable to distinguish the encryption of two data files of its choice. We formalize the security requirement by using the following indistinguishability experiment.
Indistinguishability experiment $\text{LW-FGAC}_{A,\Pi}(\lambda)$: Let Π = (Setup, User.KeyGen, Owner.KeyGen, Part.Enc, Full.Enc, TokenGen, Part.Dec, Full.Dec) be an LW-FGAC scheme and A be a PPT adversary. Consider the following experiment:

1. Setup: A challenger chooses a security parameter λ and a universal attribute set U. It executes (params, MSK) ← Setup(λ, U). params is given to A and MSK is maintained by the challenger.
2. Phase 1: For polynomially many times, A makes some queries to the following oracle, and for each data user with identifier $id_u$, the challenger maintains a list $L_{id_u}$ which is initially empty.
   $O_{User.KeyGen}(Att, id_u)$: The challenger runs $SK_u \leftarrow$ UKeyGen(PK, MSK, Att, $id_u$) and returns $SK_u$ to the adversary. It also replaces $L_{id_u}$ with $L_{id_u} \cup Att$.
3. Challenge: A declares an access tree $T^*$ and two equal-length messages $M_0$ and $M_1$. The challenger checks if there is an identifier $id_u$ such that $L_{id_u}$ satisfies $T^*$ or not. If so, the challenger stops and returns 0. Otherwise, it first selects $b \leftarrow \{0, 1\}$ and an identifier $id_O$. Then, it runs $(SK_O, PK_O) \leftarrow$ Owner.KeyGen(params) and $PCT^b_T \leftarrow$ Part.Enc(params, $T$, $SK_O$, $M_b$). $PK_O$ and $PCT^b_T$ are given to A.
4. Phase 2: A makes more queries to the oracle $O_{User.KeyGen}(Att, id_u)$ and the challenger answers it provided $Att \cup L_{id_u}$ does not satisfy $T^*$.

The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise. We say that the adversary A wins the game, and we write $\text{LW-FGAC}_{A,\Pi}(\lambda) = 1$ if the experiment's output is equal to 1.

Definition 2.
An LW-FGAC scheme Π is said to be secure if for all PPT adversaries A there exists a negligible function negl such that

Our Construction
In this section, we present our proposed LW-FGAC scheme. As mentioned in Section 3.1, our proposed scheme consists of four phases: System initialization, Key delegation, Data encryption, and Decryption. In the following, the mentioned four phases are described in detail. The notations employed in our construction are given in Table 2.

System Initialization
In this phase, the HA selects a security parameter λ and a universal attribute set U. Then, it executes (params, MSK) ← Setup(λ, U) as follows and publishes params to the other entities.

Key Delegation
As shown in Figure 4, in this phase, the HA provides data users with some secret-keys according to their attributes and also provides each data owner with a pair of public-key and secret-key. Each data user possessing an attribute set $Att_u$ should first select a unique identifier $id_u$ and ask the HA to generate its secret-key. The HA runs $SK_u \leftarrow$ User.KeyGen(params, MSK, $id_u$, $Att_u$) and returns $SK_u$ to the data user. Also, each data owner with identifier $id_O$ can request its public-key and secret-key from the HA. The HA runs $(SK_O, PK_O) \leftarrow$ Owner.KeyGen(params) and returns $SK_O$ to the data owner. $(id_O, PK_O)$ is also outsourced to the CSP. Note that the secret-key and public-key of a data owner can be generated by itself. However, as its computational power is assumed to be limited, this task is usually outsourced to the HA. In the following, we describe the mentioned two algorithms:
User.KeyGen(params, MSK, $id_u$, $Att_u$): It calculates: for each $i \in Att_u$, and outputs $SK_u = \{SK_{i,u}\}_{i \in Att_u}$.

Data Encryption
As shown in Figure 5 and for any leaf node $v_i$ in $T$, it sets Finally, this algorithm outputs a ciphertext
Figure 5. Data encryption phase (data owner, CSP).

Decryption
As shown in Figure 6, in this phase, by outsourcing the heavy computational operations to the CSP, a data user can recover its desired data. Assume that $CT_T$ has been retrieved from the CSP. To decrypt the ciphertext, a data user with secret-key $SK_u$ and identifier $id_u$ first executes $TK_u \leftarrow$ TokenGen(params, $id_u$, $SK_u$, $CT_T$) and generates a decryption token $TK_u$. It sends a decryption request $(CT_T, TK_u)$ to the CSP. Then, the CSP runs M ← Part.Dec(params, $CT_T$, $TK_u$) and returns the partial decrypted ciphertext M to the data user. The data user can run the lightweight algorithm M ← Full.Dec(params, M , k) and recover the associated message M. Details of the mentioned three algorithms are given below:
TokenGen(params, $id_u$, $SK_u$, $CT_T$): Given a data user's secret-key $SK_u = \{SK_{i,u}\}_{i \in Att_u}$ associated with an attribute set $Att_u$, a ciphertext $CT_T$ associated with an access tree $T$, and an identifier $id_u$, this algorithm checks if there is an attribute set $S \subseteq Att_u$ satisfying $T$ or not. If not, it returns ⊥. Otherwise, it selects $k \leftarrow Z_q$ and calculates $K = k\, id_u$ and $K_i = k\, SK_{i,u}$, for each $i \in S$. It outputs a private-key $k$ and a token $TK_u = (K, \{K_i\}_{i \in S})$.
Part.Dec(params, $CT_T$, $TK_u$): Given a ciphertext $CT_T$ = (T , v i } v i ∈L T ) and a token $TK_u = (K, \{K_i\}_{i \in S})$, it first computes for each $i \in S$. Then, by using the polynomial interpolation method, it computes Finally, it returns M = (C , C 1 ), where
Full.Dec(params, M , k): On input a partial decrypted ciphertext M and its associated private-key k, this algorithm outputs a message
Figure 6. Decryption phase (data user, CSP).

Correctness and Security Analysis
In this section, we first show that our proposed scheme is correct. Then, we prove its security in the standard model.

Correctness Proof
v i } v i ∈L T ), and TK u = (K, {K i } i∈S ) be a decryption token generated by TokenGen(params, id u , SK u , CT T ), where S ⊂ Att u satisfies T . We first prove the correctness of Equation (12). We have: So, Equation (12) is correct. Also, the correctness of Equations (13) and (14) is clear. Moreover, we see that It proves the theorem.

Security Proof
Theorem 2. If the DBDH problem is hard relative to G, then LW-FGAC construction is secure in the standard model.
Proof. Let Π be our proposed LW-FGAC scheme, and A is a PPT adversary in the experiment LW − FGAC A,Π (n) = 1 introduced in Section 6. In the following, we show that there exists a negligible function negl such that: where λ is the security parameter of the system. Suppose that A is another PPT adversary that attempts to solve the DBDH problem. Recall that the adversary A receives (λ, q, G 1 , G 2 ,ê, P, αP, βP, γP,ê(P, P) z ), where P ← G 1 , α, β, γ ← Z q , and z is equal to αβγ or is a uniform element of Z q . The aim of A is to determine the case of z. A runs A as a subroutine as follows: 1.
So, E 2 is chosen correctly. The correctness of the other components of params can be easily checked.

2. Phase 1: For any data user with identifier $id_u$, A makes a list $L_{id_u}$ which is initially empty. When A submits a query $O_{User.KeyGen}(Att, id_u)$, it sets $L_{id_u} = L_{id_u} \cup Att$ and computes Combining Equations (20) and (22), we have: Also, by Equations (6) and (30), we see that $SK_{i,u}$ in Equation (29) is a valid secret-key.

3. Challenge: A declares an access tree $T^*$ and two equal-length messages $M_0$ and $M_1$ such that there is no data user with identifier $id_u$ such that $L_{id_u}$ satisfies $T^*$. A selects $b \leftarrow \{0, 1\}$ and $r \leftarrow Z_q$ and assumes that for an unknown $SK_O \in Z_q$, $r = \gamma + SK_O$. It sets

PK
(2) and for each $i \in U$, it calculates Then, it runs $\{q_{v_i}(0)\}_{v_i \in L_{T^*}} \leftarrow Share(r, q, T^*)$ and calculates and Therefore, $PK_O$, $PK_O$, and $PK_{i,O}$, for each $i \in U$, are chosen correctly. Also, when $z = \alpha\beta\gamma$, and Thus, assuming $z = \alpha\beta\gamma$ and the random element $r$ in Part.Enc algorithm described in Section 6.3 is equal to $\gamma$, one can see that $PK_O$ and $PCT^b_{T^*}$ are chosen correctly.
4. Phase 2: A makes more queries for data users' secret-keys with the same restriction mentioned in the experiment presented in Section 5.2, and the adversary A responds to the queries similar to Phase 1.
Once the adversary A receives $b'$, it checks whether $b' = b$ or not. If so, it outputs 1. Otherwise, it returns 0.

Corollary 1.
Our proposed system provides a secure lightweight encryption mechanism.
Proof. As we have seen in Theorem 1, the ciphertext generated by the lightweight encryption process is valid and can be decrypted by the algorithms presented in Section 6.4. Also, considering the security game presented in Section 5.2, the threat model presented in Section 3.2, and Theorem 2, one can see that the encryption mechanism leaks no information about the underlying health data to any PPT adversary modeling a group of unauthorized data users that colludes with the CSP. Therefore, our encryption mechanism is lightweight and secure.

Performance Analysis
In this section, we analyze the performance of our LW-FGAC scheme by comparing its execution time, storage cost, and communication overhead with some existing ABE schemes in terms of both actual execution time and asymptotic complexity. The employed notations in the asymptotic analysis are given in Table 3.
Table 3 (fragment): Size of an element in $G_1$; $l_{G_2}$: Size of an element in $G_2$.
In the asymptotic analysis, we considered three computational operations: exponential operation in $G_1$, exponential operation in $G_2$, and pairing operation. As the other computational operations are significantly more efficient than the mentioned three operations, we ignore them in our analysis. Also, in measuring storage cost and communication complexity, we consider the size of elements in the groups $G_1$, $G_2$, and $Z_q$.
We implement our scheme by using an Ubuntu 18.04 laptop with an Intel Core i5-2410M Processor 2.3 GHz, 6 GB RAM using the Python Pairing-Based Cryptography (pyPBC) and hashlib libraries [45,46]. Also, we use the Type A pairings and SHA-1 algorithm. Moreover, in this section, we use the And-gates access structure $(a_1 \wedge \ldots \wedge a_n)$ as the access control policy.
In the following, we describe our asymptotic and actual execution results. In our implementation, we assume that the number of leaf nodes in the access tree and the number of data users' attributes range from 10 to 100.
The actual execution times incurred by data owners and data users in the encryption and decryption phases are shown in Figure 7. As we see in part (a) of the figure, our encryption algorithm is significantly more efficient than the schemes presented in [27,35,36]. The mentioned fact is confirmed by the results given in Table 4. According to the figure, our scheme is more than 100 times faster than the schemes [27,35,36]. Also, as shown in Table 4, in [27], execution time is a function of the universal attribute set's cardinality, |U|. We measure its execution time when |U| ∈ {100, 200}. One can see that this scheme is inefficient for large universal attribute sets, and data owners and data users have to perform a considerable amount of heavy computational operations. Also, Figure 8 and Table 5 compare the execution time of the encryption and decryption phases in LW-FGAC with the schemes presented in [27,35,36]. We see that the performance of our proposed scheme is acceptable in comparison with the other schemes.
Also, Figure 10 and Table 7 present the communication overhead from data owners to the cloud server. We see that our proposed scheme significantly reduces the overhead as in our scheme data owners just transmit lightweight partially encrypted data to the cloud server. However, in the other scheme, a complete ciphertext should be given to the cloud, which consumes more communication resources.

Conclusions
We designed a novel attribute-based cryptographic scheme called lightweight fine-grained access control (LW-FGAC) for cloud-based wireless body area networks (WBANs). In our proposed scheme, by performing very lightweight computational operations, a data owner can encrypt its data under an access tree defined by itself. Any data user whose attributes satisfy the access policy can decrypt the ciphertext. Also, in our designed system, the computational overhead on the data user side is very low, and most of the computations in the decryption phase are performed by the cloud service provider. We also provided the security definition for the new primitive, and we proved its security in the standard model under the hardness assumption of the decisional bilinear Diffie-Hellman (DBDH) problem.

Author Contributions: X.L. and M.A. conceived the scheme. M.A. designed the scheme, proved the scheme's security, analyzed the data, performed the experiments, and wrote the paper. X.L. and M.-R.S. reviewed and edited the manuscript.