Efficient Anonymous Authentication for Wireless Body Area Networks

Advances in integrated circuit and wireless communication technologies are making wireless body area networks (WBANs) an increasingly important medical paradigm. By collecting, uploading, and processing real-time physical parameters, WBANs help clients better recognize and manage their bodies. Besides the conveniences they bring, WBANs face the risk of leaking clients' privacy during data transmission. Anonymous authentication schemes were proposed to resolve this challenge, and the latest schemes ensure that even if a WBAN client's private key is exposed, previous session keys generated by this client cannot be compromised (known as forward security). Unfortunately, previous forward secure schemes need bilinear pairing operations, which are undesirable in computation-resource-bounded WBANs. Furthermore, the property that once a WBAN client's private key is exposed, previous sessions should not be identifiable (dubbed forward anonymity) has not been considered in existing works. In response to the above challenges, in this paper we propose an identity-based authenticated encryption method without pairing, and based on this method we construct an anonymous authentication scheme. Subsequent security and performance analyses demonstrate that our schemes are secure (including forward anonymous) under the random oracle model, and practical in WBANs with limited resources.


I. INTRODUCTION
WIRELESS body area networks (WBANs), which allow clients to monitor their physical status remotely from medical institutions in real time, are an emerging and promising paradigm in modern medical systems. With the rapid advances in integrated circuit and wireless communication technologies [1], and with the rise of the world's average age and the advent of population aging in many countries, WBANs play an increasingly important role in easing the burden on medical institutions.
A WBAN consists of three entities, namely sensor nodes, a smart portable device (SPD), and application providers (AP). Among them, sensor nodes are devices placed in, on, and around clients' bodies to monitor their physical parameters (such as body temperature, heart rate, moving speed, etc.) or surrounding environmental parameters (such as ambient temperature, humidity, wind speed, etc.). Sensor nodes send these data to an SPD. The SPD could be a smartphone, a dedicated data sink, or another portable device. After collecting data from the sensor nodes, the SPD transmits these data to an AP. The AP may be a doctor or a medical server in a hospital, a clinic, or a health center. By analyzing the data sent by the SPD, the AP returns feedback results to the SPD. In this paper, we take the sensor nodes and the SPD as a whole (dubbed WBAN client), and focus on communications between the WBAN client and the AP (dubbed external communication). Fig. 1 presents a typical architecture of a WBAN.
As a result of the openness, mobility, signal noise and other characteristics of external communication [2], an adversary may intercept, eavesdrop on, modify, or forge the transmitted data. Moreover, the portability of sensor nodes and the SPD limits their storage and computation power. Authentication for WBANs is one solution to these challenges [3]. An authentication scheme enables a WBAN client and an AP to achieve mutual authentication, and to negotiate a session key to secure subsequent conversations [4]-[6]. Unfortunately, since clients' identities are transmitted in plaintext, an adversary can distinguish data from different clients. Thus, it is easy for the adversary to obtain the time and frequency of data transmission, which may expose clients' privacy. For example, an adversary can easily judge whether a WBAN client has heart disease or fever based on this client's communication frequency, because the transmission frequencies of a client suffering from heart disease (once a minute) and from fever (once an hour) are different.
FIGURE 1. Typical WBAN Architecture
Anonymous authentication (AA) resolves the above challenge by hiding clients' identities in a certain way [7]. In this case, transmitted messages cannot be identified or linked to the same WBAN client. Authentication schemes are generally based on public key infrastructure (PKI), which requires a certificate authority to sign, distribute, and revoke clients' certificates [8]-[11]. Certificate management is cumbersome and undesirable in WBANs. In order to avoid this problem, identity-based AA was proposed [12]. Different from PKI, which binds a client's identity to his/her public key by a certificate, an identity-based scheme enables a private key generator (PKG) to generate clients' public keys directly from their identities [8]. Recently, a new security requirement, known as forward security (once the long-term private key of a client is exposed, session keys of previous sessions should not be compromised), was proposed [13], [14], and some subsequent works are proved to be forward secure [15]-[18].
However, there are several challenges that need attention. First, previous forward secure identity-based AA schemes need bilinear pairing operations, which are time-consuming, especially on the resource-limited device of a WBAN client. Second, the property that once a WBAN client's private key is exposed, previous sessions should not be identifiable (dubbed forward anonymity) has not been considered in existing works. Third, in identity-based AA schemes, it is natural for a PKG to have access to a client's private key. Thus, it is critical for an identity-based AA scheme to prevent the PKG from compromising the security of messages.
In response to the above challenges, we propose identity-based anonymous authentication for WBANs without pairing. To summarize, the main contributions of our paper are as follows:
1) We propose an identity-based anonymous authenticated encryption scheme without bilinear pairing, dubbed IB-AAE. Our IB-AAE combines the functions of the anonymous authentication in [19] and identity-based authenticated encryption, and achieves forward security.
2) We propose an identity-based anonymous authentication scheme, dubbed IB-AA. In our IB-AA scheme, once a WBAN client's private key is exposed, or the PKG is compromised by an adversary, the adversary cannot compromise previous sessions. We also demonstrate the security (including forward security and forward anonymity) of our IB-AA scheme under the random oracle model.
3) Experimental performance comparisons indicate that our scheme needs less computation and communication overhead than previous anonymous authentication schemes.
Roadmap. Section II reviews related works. We present the preliminaries, system model, and objectives of this paper in section III. The corresponding constructions are given in section IV. We prove the security of our proposed schemes in section V, and show the performance of IB-AA in section VI. Section VII concludes our work.

II. RELATED WORKS
Based on our contribution, we describe related works from two aspects, namely identity-based anonymous authenticated encryption, and anonymous authentication for WBAN.
Signcryption (i.e., authenticated encryption) was first proposed by [20]. In a signcryption scheme, a sender sends an encrypted message along with his/her identity information to a specific receiver [21]-[24]. It requires that only the receiver can decrypt the message, and it enables the receiver to authenticate the sender through the decryption. Identity-based signcryption was proposed thereafter [25], [26]. Recently, researchers brought the security concerns of identity concealment and x-security into signcryption, and introduced a new cryptographic primitive, named higncryption [19], [27]. By identity concealment, we mean that the participants' identities in the scheme should not be leaked to any third party. In the last few years, identity-based higncryption was proposed [28]-[30]. Unfortunately, these schemes are based on bilinear pairing operations.
In the research on anonymous authentication for WBANs, a few studies were conducted to meet forward security. [31] proposed a revocable and forward secure anonymous authentication scheme to revoke expired or exposed clients' keys, but the sender in this scheme can be impersonated according to [32]. [12] constructed an identity-based anonymous authentication scheme that is forward secure and provably secure. Later, [16] described a key replacement attack, and showed that [12] fails to achieve anonymity. [17] presented an online/offline signature, and constructed an anonymous authentication scheme based on this signature, while [33] demonstrated that there is a forgery attack on this scheme. [33] also gave an improved version of the signature algorithm. [34] proposed an anonymous authentication scheme with location privacy using bilinear pairings.
Let $\mathbb{G}$ be an additive cyclic group of prime order $q$, and let $G$ be a generator of $\mathbb{G}$. We select two random numbers $a, b \in_R \mathbb{Z}_q^*$, where $\in_R$ denotes that one randomly selects elements from a set. According to previous works [35], [36], the hard problems are defined as follows.
CDH Problem. Given $(G, aG, bG) \in \mathbb{G}^3$, the CDH problem is to compute $abG$.
DDH Oracle. Given $(G, aG, bG, T) \in \mathbb{G}^4$, this oracle returns $True$ if $T = abG$, and $False$ otherwise.
GDH Problem. Given $(G, aG, bG) \in \mathbb{G}^3$, the GDH problem is to compute $abG$ with the aid of a DDH oracle. The GDH assumption states that the probability of solving the GDH problem within polynomial time is negligible [37], [38].

B. PUBLIC-KEY SIGNATURE
We review the definitions of Sign and Verify algorithms in a public-key signature scheme. This scheme can be any secure public-key signature scheme.
$\mathsf{Sign}(s, M) \to \sigma$: This is a probabilistic algorithm that takes as input a signer's private key $s$ and a message $M$, and outputs the corresponding signature $\sigma$.
$\mathsf{Verify}(P, M, \sigma) \to False$ or $True$: This is a deterministic algorithm that takes the signer's public key $P$, a message $M$, and a signature $\sigma$, and outputs $True$ if $\sigma$ is a valid signature of $M$, and $False$ otherwise.

C. AUTHENTICATED ENCRYPTION WITH ASSOCIATED DATA
In this paper, authenticated encryption with associated data (AEAD) is used to protect the confidentiality of transmitted data. Based on the works in [39], [40], and [41], we give the definition and security game of AEAD as follows.
Definition 1: (AEAD) An AEAD scheme consists of the following three algorithms.
Initialization. This is a probabilistic algorithm that takes a security parameter $\kappa$ as input, and outputs a random-number space $\mathcal{N}$, plaintext space $\mathcal{M}$, ciphertext space $\mathcal{C}$, public-header space $\mathcal{H}$, symmetric-key space $\mathcal{K}$, and a symmetric key $K \in \mathcal{K}$.
Enc. This is a probabilistic algorithm that takes a random number $N \in \mathcal{N}$, a plaintext $M \in \mathcal{M}$, the corresponding public header $H \in \mathcal{H}$, and $K$ as input, and outputs a ciphertext $C \in \mathcal{C}$.
Dec. This is a deterministic algorithm that takes $K$, $C$, and $H$ as input, and outputs the corresponding plaintext $M$ or an error symbol $\bot$.
Definition 2: (AEAD security) The security game of AEAD is defined as follows:
Initialization: A simulator $\mathcal{S}$ generates all the value spaces and the symmetric key $K$, and keeps $K$ private. $\mathcal{S}$ also selects $\sigma \in_R \{0, 1\}$.
Enc:
Guess: The adversary $\mathcal{A}$ outputs a guess $\sigma'$, and wins the game if $\sigma' = \sigma$.
Definition: We say that a scheme is AEAD secure if the advantage of any probabilistic polynomial-time (PPT) adversary in winning the game is negligible. The advantage is $\mathrm{Adv}^{AEAD}$
From the above definitions, it follows that in an AEAD secure scheme no PPT adversary can generate the same ciphertext from different plaintexts. We also learn from [40] that no PPT adversary can generate the same ciphertext under different symmetric keys. In this paper, the encryption algorithm is denoted by $C = \mathsf{Enc}_K(M)$, which takes a symmetric key $K$ and a message $M$ as input and outputs a ciphertext $C$; the decryption algorithm is denoted by $M = \mathsf{Dec}_K(C)$, which takes a symmetric key $K$ and a ciphertext $C$ and outputs the corresponding message $M$. Here, we treat the encryption and decryption algorithms as subroutines, and omit the random number $N$ and the public header $H$ for simplicity.

D. SYSTEM MODEL
We consider the generalized system model which consists of three entities, namely private key generator (PKG), application provider (AP), and WBAN client, as shown in Fig. 2.
In general, the PKG is assumed to be an honest-but-curious third party. An application provider (AP) could be a remote server or a remote system at a health center, a clinic, or a hospital that provides diagnosis and treatment measures. A WBAN client is a general term for SPDs and sensor nodes. First, the PKG chooses its master key, and generates the public-private key pairs of APs. Second, WBAN clients' private keys are generated by the PKG. Third, a WBAN client and an AP authenticate each other, and the WBAN client can obtain the AP's services after authentication.

E. OBJECTIVES
An identity-based anonymous authentication scheme for WBANs is expected to achieve the following objectives.
-Unforgeability: An adversary cannot impersonate a WBAN client or an AP to establish a valid session without the corresponding private key.
-Anonymity: Any message sent by a targeted WBAN client cannot be identified by a PPT adversary.
-Forward security: An adversary holding a WBAN client's private key cannot compromise the session key of any previous session of that client.
-Forward anonymity: An adversary holding a WBAN client's private key cannot identify any previous session of that client.
-Scalability: It is not necessary for an AP to store any WBAN client's credential.

A. IDENTITY-BASED ANONYMOUS AUTHENTICATED ENCRYPTION (IB-AAE)
Initialization. Let $E: y^2 = x^3 + ax + b \bmod p$ be an elliptic curve, where $a, b$ are two coefficients and $p$ is a large prime. Let $\mathbb{G}$ be a cyclic additive group with order $q$ and generator $G$. Let $H_1: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_2: \{0,1\}^* \to \mathcal{K}$ be two secure hash functions, where $\mathcal{K}$ is the key space of an AEAD algorithm. Let $\mathsf{Enc}(\cdot)$ and $\mathsf{Dec}(\cdot)$ be the encryption and decryption algorithms of an AEAD secure scheme. $\mathsf{Enc}_K(M)$ denotes encrypting message $M$ under key $K$ and outputting the corresponding ciphertext; $\mathsf{Dec}_K(C)$ denotes decrypting ciphertext $C$ with key $K$ and outputting the corresponding plaintext. The PKG also runs as follows to set up the system.
1) Select its master key $s \in_R \mathbb{Z}_q^*$, and compute the corresponding public key $P_{pub} = sG$.
2) Publish system parameters $params = \{a, b, p, q, G, P_{pub},$
Registration. The registration phase is executed through secure channels that cannot be compromised by an adversary. In this scheme, the generation method of the AP's private key can be arbitrary. Finally, the AP generates its public and private key pair $(P_{AP} = s_{AP}G, s_{AP})$ in its own way, and publishes $P_{AP}$. The client runs the following steps.
Client A sends its identity id A to the PKG in a secure channel for registration, and the PKG runs as follows.
Client A then sets d A as his/her private key, and publishes R A as his/her public key.
IB-AAE. When a client A transmits a message M to the AP, client A executes the following steps.
3) Return $(T, C)$ to the AP.
UnIB-AAE. On receiving $(T, C)$, the AP runs as follows.
and $k = H_1(M, k')$.
4) Check whether the equation $T = P_A + kG$ holds. If so, the AP accepts $M, id_A, R_A$, and aborts otherwise.
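An added, runnable Python sketch of the IB-AAE and UnIB-AAE steps above (example code written for this page, not the paper's implementation). It assumes secp256k1 as the curve $E$, SHA-256 in place of $H_1$ and $H_2$, a constructed encrypt-then-MAC scheme in place of the AEAD, that $K$ is derived from $(V, T, id_{AP}, P_{AP})$ as in the Section V simulation, and that registration sets $d_A = r_A + h_A s$ with $h_A = H_1(id_A, R_A, P_{pub})$, which is inferred from the check $P_A = R_A + h_A P_{pub}$.

```python
import hashlib, hmac, os

# Curve E: y^2 = x^3 + ax + b mod p, with <G> of prime order q (secp256k1 parameters,
# an assumption: the paper fixes only the curve form). None is the point at infinity.
p = 2**256 - 2**32 - 977
a, b = 0, 7
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P, Q):
    """Affine point addition on E."""
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    if P == Q: lam = (3 * P[0] * P[0] + a) * pow(2 * P[1], -1, p) % p
    else:      lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mul(k, P):
    """Double-and-add scalar multiplication kP."""
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def pt(P): return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")
def rand_scalar(): return int.from_bytes(os.urandom(32), "big") % (q - 1) + 1

def H1(*parts):  # H1: {0,1}* -> Z_q^*  (SHA-256 stands in for the paper's H1)
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % (q - 1) + 1
def H2(*parts):  # H2: {0,1}* -> K, here the 32-byte key space of the AEAD below
    return hashlib.sha256(b"H2|" + b"|".join(parts)).digest()

# AEAD stand-in (constructed for this example): SHA-256 keystream + HMAC-SHA256 tag.
def _stream(K, nonce, n):
    return b"".join(hashlib.sha256(K + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]
def Enc(K, M):
    nonce = os.urandom(16)
    body = nonce + bytes(x ^ y for x, y in zip(M, _stream(K, nonce, len(M))))
    return body + hmac.new(K, body, hashlib.sha256).digest()
def Dec(K, C):
    body, tag = C[:-32], C[-32:]
    if not hmac.compare_digest(tag, hmac.new(K, body, hashlib.sha256).digest()):
        return None                       # the paper's error symbol "bottom"
    return bytes(x ^ y for x, y in zip(body[16:], _stream(K, body[:16], len(body) - 16)))

def pkg_setup():
    s = rand_scalar()                     # master key s, P_pub = sG
    return s, mul(s, G)

def pkg_register(s, P_pub, id_A):
    """Registration (inferred from the verification equation P_A = R_A + h_A P_pub in
    Section V): R_A = r_A G, h_A = H1(id_A, R_A, P_pub), d_A = r_A + h_A s, so d_A G = P_A."""
    r = rand_scalar(); R = mul(r, G)
    return (r + H1(id_A, pt(R), pt(P_pub)) * s) % q, R

def pack(id_A, R, kp, M):
    return len(id_A).to_bytes(2, "big") + id_A + pt(R) + kp.to_bytes(32, "big") + M
def unpack(buf):
    n = int.from_bytes(buf[:2], "big"); id_A, rest = buf[2:2 + n], buf[2 + n:]
    R = (int.from_bytes(rest[:32], "big"), int.from_bytes(rest[32:64], "big"))
    return id_A, R, int.from_bytes(rest[64:96], "big"), rest[96:]

def ib_aae(id_A, d_A, R_A, P_pub, id_AP, P_AP, M):
    """Client side: returns Cipher = (T, C); the plaintext carries id_A, R_A, k'."""
    kp = rand_scalar()                                  # k'
    k = H1(M, kp.to_bytes(32, "big"))                   # k = H1(M, k')
    P_A = add(R_A, mul(H1(id_A, pt(R_A), pt(P_pub)), P_pub))   # P_A = R_A + h_A P_pub
    T = add(mul(k, G), P_A)                             # T = kG + P_A = (k + d_A)G
    V = mul((d_A + k) % q, P_AP)                        # V = (d_A + k) P_AP
    K = H2(pt(V), pt(T), id_AP, pt(P_AP))               # K = H2(V, T, id_AP, P_AP)
    return T, Enc(K, pack(id_A, R_A, kp, M))

def un_ib_aae(s_AP, P_AP, id_AP, P_pub, T, C):
    """AP side: recovers V = s_AP T, decrypts, then checks T = P_A + kG."""
    K = H2(pt(mul(s_AP, T)), pt(T), id_AP, pt(P_AP))
    plain = Dec(K, C)
    if plain is None: return None                       # AEAD rejects: abort
    id_A, R_A, kp, M = unpack(plain)
    k = H1(M, kp.to_bytes(32, "big"))
    P_A = add(R_A, mul(H1(id_A, pt(R_A), pt(P_pub)), P_pub))
    return (id_A, R_A, M) if T == add(P_A, mul(k, G)) else None

def demo(M=b"heart rate 72 bpm"):
    """Constructed run: one honest delivery, one tampered ciphertext, one substituted T."""
    s, P_pub = pkg_setup()
    d_A, R_A = pkg_register(s, P_pub, b"client-A")
    s_AP = rand_scalar(); P_AP = mul(s_AP, G)           # the AP picks its own key pair
    T, C = ib_aae(b"client-A", d_A, R_A, P_pub, b"AP-1", P_AP, M)
    good = un_ib_aae(s_AP, P_AP, b"AP-1", P_pub, T, C)
    tampered = un_ib_aae(s_AP, P_AP, b"AP-1", P_pub, T, C[:-1] + bytes([C[-1] ^ 1]))
    swapped_T = un_ib_aae(s_AP, P_AP, b"AP-1", P_pub, add(T, G), C)
    return good, tampered, swapped_T
```

Both sides obtain the same $V$ because $s_{AP}T = s_{AP}(k + d_A)G = (d_A + k)P_{AP}$, so an AP that never stored any client credential can still decrypt and then verify $T = P_A + kG$.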

B. IDENTITY-BASED ANONYMOUS AUTHENTICATION (IB-AA)
Now, we extend the above IB-AAE to identity-based anonymous authentication (IB-AA).
Initialization. Besides executing the Initialization phase of section IV-A, the PKG does as follows.
1) Select a secure hash function $H_3: \{0,1\}^* \to \mathcal{K}^2$.
2) Publish system parameters $params = \{a, b, p, q, G, P_{pub}, \mathsf{Enc}, \mathsf{Dec}, H_1, H_2, H_3\}$, and keep $s$ secret.
Registration. As described in the Registration phase of section IV-A, client A's private and public key pair is $(d_A, R_A)$, and the AP's private and public key pair is $(s_{AP}, P_{AP})$.
Authentication. In this phase, client A and the AP authenticate each other through three phases. Here, we assume that client A obtains the AP's public key before authentication.
Phase 1. Client A executes the following steps.
The AP executes the following steps at the same time.
1) Choose $k_{AP} \in_R \mathbb{Z}_q^*$, and compute $T_{AP} = k_{AP}G + P_{AP}$.
2) Send $T_{AP}$ to client A.
Phase 2. After receiving $T_{AP}$, client A executes the following steps.
1) Compute $V = (d_A + k_A)T_{AP}$, and derive session key
After receiving $T_A$, the AP executes the following steps.
1) Compute $V = (s_{AP} + k_{AP})R_A$, and derive session key
, and send $C_{AP}$ to A.
Phase 3. After receiving $C_{AP}$, A executes the following steps.
A sets the session key as $K_2$; otherwise, A aborts. After receiving $C_A$, the AP executes the following steps.
If it is valid, the AP sets the session key as $K_2$; otherwise, the AP aborts.
Let $\Gamma$ denote a client or an AP, and $\Gamma^i$ denote the $i$th instance of $\Gamma$. We assume that all the clients and APs register at the same PKG. We first prove that our IB-AAE is secure under the random oracle model. Based on it, we prove the security of our IB-AA scheme under the random oracle model. We define the abilities of a probabilistic polynomial-time adversary against IB-AAE and IB-AA respectively as follows.

1) Adversarial Model of Anonymous Authenticated Encryption
In this model, the adversary is allowed to access the following oracles.
Create oracle: Upon receiving query $id_i$ (the identity of a client), $\mathcal{S}$ runs the Registration algorithm of IB-AAE, obtains the private key $d_i$, stores $(id_i, d_i)$ in a list $L_{Key}$, and stores $id_i$ in list $L_{honest}$.
Corrupt-SK oracle: Upon receiving query $id_i$, if $id_i$ is recorded in list $L_{Key}$, $\mathcal{S}$ returns the private key of client $id_i$ and removes $id_i$ from $L_{honest}$; otherwise, $\mathcal{S}$ returns $\bot$.
Create-AP oracle: Upon receiving query $id_{AP}$, $\mathcal{S}$ selects $s_{AP} \in \mathbb{Z}_q^*$ randomly as this AP's private key, returns $P_{AP} = s_{AP}G$, stores $(P_{AP}, s_{AP})$ in a list $L_{AP}$, and stores $id_{AP}$ in list $L_{honest}$.
Corrupt-AP oracle: Upon receiving query $id_{AP}$, if $id_{AP} \in L_{AP}$, $\mathcal{S}$ returns the private key of $id_{AP}$ and removes $id_{AP}$ from $L_{honest}$; otherwise, $\mathcal{S}$ returns $\bot$.
The above oracles model the adversary's ability to compromise the client's and the AP's private keys. The hash functions are also modeled as random oracles.
$H_1$ oracle: Upon receiving query $Str$ (an arbitrary-length string), $\mathcal{S}$ returns a random element $h_1$ in $H_1$'s output space and stores $(Str, h_1)$ in a list $L_{H_1}$ if $Str$ was not in $L_{H_1}$ before; otherwise, $\mathcal{S}$ returns the corresponding element in $L_{H_1}$.
$H_2$ oracle: Upon receiving query $Str$ (an arbitrary-length string), $\mathcal{S}$ returns a random element $h_2$ in $H_2$'s output space and stores $(Str, h_2)$ in a list $L_{H_2}$ if $Str$ was not in $L_{H_2}$ before; otherwise, $\mathcal{S}$ returns the corresponding element in $L_{H_2}$.
$H_3$ oracle: Upon receiving query $Str$ (an arbitrary-length string), $\mathcal{S}$ returns a random element $h_3$ in $H_3$'s output space and stores $(Str, h_3)$ in a list $L_{H_3}$ if $Str$ was not in $L_{H_3}$ before; otherwise, $\mathcal{S}$ returns the corresponding element in $L_{H_3}$.
Moreover, the adversary is allowed to query the IB-AAE and UnIB-AAE oracles of IB-AAE. To prove that our IB-AAE remains secure once the random numbers of the scheme are exposed (dubbed x-security), we also build a Corrupt-R oracle.
IB-AAE oracle: Upon receiving query $(id_A, id_B, M)$ (representing the sender, the receiver, and a message respectively), if $id_A, id_B \in L_{Key}$, $\mathcal{S}$ executes the IB-AAE phase of IB-AAE and returns the corresponding output $Cipher$; otherwise, it outputs $\bot$. $\mathcal{S}$ stores $(Cipher, id_B, k)$ in list $L_x$, where $k$ is the random number generated during the IB-AAE phase.
UnIB-AAE oracle: Upon receiving query $(id_B, Cipher)$, if $id_B$ is not in the list $L_{Key}$, $\mathcal{S}$ outputs $\bot$; otherwise, $\mathcal{S}$ runs the UnIB-AAE phase and returns the corresponding output.
Corrupt-R oracle: Upon receiving query $(id_B, Cipher)$, if $(id_B, Cipher) \in L_R$, $\mathcal{S}$ outputs the corresponding $k$; otherwise, $\mathcal{S}$ outputs $\bot$.
With the help of the above oracles, we construct two security games, dubbed OU and IC, as below. Concretely, OU is built in terms of unforgeability and x-security, and IC is constructed in terms of anonymity, forward security, and forward anonymity.
Definition 3: (OU) The security game of OU is defined as follows:
Initialization: $\mathcal{S}$ runs the Initialization phase described in section IV.
Query Phase: The adversary is allowed to query all the above oracles polynomially many times, adaptively.
Forgery Phase: The adversary chooses $(id^*_s, id^*_r, M^*)$ where $id^*_s, id^*_r \in L_{honest}$. During the forgery phase, the adversary is not allowed to query .
Challenge: The adversary outputs a forgery for the output of IB-AAE$(id^*_s, id^*_r, M^*)$. If the forgery is valid, the adversary wins this game.
Definition: An IB-AAE scheme is OU secure if the probability $\Pr^{OU}_{\mathcal{A}}$ of any PPT adversary winning this game is negligible.
Definition 4: (IC) The security game of IC is defined as follows:
Initialization: $\mathcal{S}$ runs the Initialization phase described in section IV.
Query Phase 1: The adversary is allowed to query all the above oracles polynomially many times, adaptively.
Challenge: The adversary chooses two tuples ( The adversary sends these tuples to $\mathcal{S}$, and $\mathcal{S}$ selects a bit $\sigma \in \{0, 1\}$ randomly. $\mathcal{S}$ then sets $id^*_s = id^*_{s_\sigma}$, and generates the target output $Cipher^*$ with the help of the above oracles. If $Cipher^*$ was output by the IB-AAE oracle, $\mathcal{S}$ aborts; otherwise, $\mathcal{S}$ sends $Cipher^*$ to the adversary.
Query Phase 2: The adversary is not allowed to query UnIB-AAE$(id^*_r, Cipher^*)$, Corrupt-R$(id^*_r, Cipher^*)$, or Corrupt-SK$(id^*_r)$.
Guess: The adversary outputs a bit $\sigma'$. If $\sigma' = \sigma$, the adversary wins this game.
Definition: An IB-AAE scheme is IC secure if any PPT adversary's advantage in winning this game is negligible.
If an IB-AAE scheme is OU secure, we can conclude that this scheme satisfies unforgeability, anonymity, and x-security. If an IB-AAE scheme is IC secure, we can conclude that this scheme achieves confidentiality, forward security, and forward anonymity. Then we have the following definition.
Definition 5: (IB-AAE security) An IB-AAE scheme is IB-AAE secure if it is OU secure and IC secure for any sufficiently large security parameter and against any PPT adversary.

2) Adversarial Model of Identity-Based Anonymous Authentication
In this model, the adversary is allowed to access the Create, Corrupt-SK, Create-AP, Corrupt-AP, $H_1$, $H_2$, and $H_3$ oracles defined in section V-A1. The adversary can also access the following oracles. By entity $\Gamma$ we denote a client or an AP.
Corrupt-SSK oracle: Upon receiving query $\Gamma^i$, $\mathcal{S}$ returns the session key of $\Gamma^i$.
Authentication oracle. For an entity $\Gamma$, this oracle takes a received message $M_{in}$ along with the PKG's public key $P_{pub}$, $\Gamma$'s identity $id_\Gamma$ and private key $d_\Gamma$ (if $\Gamma$ is an AP, $s_\Gamma$ instead) as input, and its outputs are shown in equation 1. The symbols are explained in table 1. Moreover, in this equation, $acc^i_\Gamma$ is a state with the following four values: 00) the algorithm has completed; 01) the algorithm is waiting for the next message; 10) the algorithm has encountered an error and aborts; 11) the algorithm has not received the next message within a specific time and expires. A client A and an AP are partners if there exist $i, j$ such that $pid^i_A = id_{AP}$, $sid^j_{AP} = id_A$, and $sid^i_A = sid^j_{AP}$. In this oracle, we set $sid^i_\Gamma = i$ for simplicity. Specifically, $\mathcal{S}$ replies to Authentication oracle queries as follows.
-Upon receiving query $(Start, id_A)$, if $id_A \notin L_{honest}$, $\mathcal{S}$ returns $\bot$ and aborts; otherwise, $\mathcal{S}$ computes $i = i + 1$, $pid^i_A = \bot$, $acc^i_A = 01$, and $ssk^i_A = \bot$. The output is (msg
According to the above oracles, we give the definitions below. Note that an unexposed session means that neither the session key nor the private keys of the participants have been acquired by the adversary.
Definition 6: (Label security) An identity-based anonymous authentication scheme is label-secure if the following events have negligible probability:
-At least three sessions have the same session identity.
-If $sid^i_A = sid^j_{AP}$ for a client A and an AP, the following events occur: 1) both client A and the AP are initiators or both are responders; 2) $ssk^i$
Definition 7: (Impersonation security) The security game is defined as follows:
Setup: $\mathcal{S}$ runs the Initialization phase described in section IV.
Query Phase: The adversary is allowed to query all the oracles polynomially many times, adaptively.
Challenge: The adversary chooses $(id^*_s, id^*_{AP})$ as the targeted client and the targeted AP, where $id^*_s, id^*_{AP} \in L_{honest}$. The adversary is not allowed to query Corrupt-SK$(id^*_s)$ or Corrupt-AP$(AP^*)$ during this phase.
Test: The adversary $\mathcal{A}$ wins the game if $\mathcal{A}$ completes the Challenge phase without being aborted.
Definition: An IB-AA scheme is impersonation secure if the advantage $\mathrm{Adv}^{IMP}_{\mathcal{A}}$ of any PPT adversary in winning this game is negligible.
Definition 8: (Anonymous session-key (ASK) indistinguishability) ASK indistinguishability is constructed in terms of anonymity, forward security, and forward anonymity. The security game is defined as follows:
Setup: $\mathcal{S}$ runs the Initialization phase described in section IV.
Query Phase: The adversary is allowed to query all the oracles polynomially many times, adaptively.
Challenge: The adversary chooses two tuples $(id^*_{s_0}, id^*_{AP}, Start)$ and $(id^*_{s_1}, id^*_{AP}, Start)$ where $id^*_{s_0}, id^*_{s_1}, id^*_{AP} \in L_{honest}$. The adversary then sends these two tuples to $\mathcal{S}$, and $\mathcal{S}$ selects $\sigma \leftarrow \{0, 1\}$ randomly. $\mathcal{S}$ then sets $id^*_s = id^*_{s_\sigma}$ as the target client, and acts according to the specification of the Authentication oracle. Upon receiving query Corrupt-SSK$(sid^*)$ for the targeted session from the adversary, $\mathcal{S}$ returns the corresponding session key if $\sigma = 1$; otherwise, $\mathcal{S}$ returns a random element of the key space.
Guess: The adversary guesses a bit $\sigma'$, and wins this game if $\sigma' = \sigma$.
Definition: An IB-AA scheme is ASK indistinguishable if any PPT adversary's advantage in winning this game is negligible. The advantage is $\mathrm{Adv}^{ASK\text{-}IN}_{\mathcal{A}} = |2 \cdot \Pr[\sigma' = \sigma] - 1|$.
Definition 9: (Strong IB-AA security) An IB-AA scheme is strongly IB-AA secure if it is label secure, impersonation secure, and ASK indistinguishable for any sufficiently large security parameter and any PPT adversary defined above.

B. SECURITY PROOF
Assume that the adversary is able to issue at most $q_1$ queries to the $H_1$ oracle, $q_2$ queries to the $H_2$ oracle, $q_3$ queries to the $H_3$ oracle, $q_C$ queries to the Create oracle, $q_{CAP}$ queries to the Create-AP oracle, $q_R$ queries to the Corrupt-R oracle, $q_{AP}$ queries to the Corrupt-AP oracle, $q_{SK}$ queries to the Corrupt-SK oracle, $q_{AAE}$ queries to the IB-AAE oracle, $q_{UnAAE}$ queries to the UnIB-AAE oracle, $q_{SSK}$ queries to the Corrupt-SSK oracle, and $q_{Auth}$ queries to the Authentication oracle. We have three theorems below.
Theorem 1: Our IB-AAE scheme is IB-AAE secure in the random oracle model under the GDH assumption.
Theorem 2: Our IB-AA scheme is strongly IB-AA secure in the random oracle model under the GDH assumption.

1) Proof of Theorem 1
Lemma 1: Our IB-AAE scheme is OU secure in the random oracle model under the GDH assumption and AEAD security.
Proof. Given $A = aP, B = bP \in \mathbb{G}$ without $a, b$, we now demonstrate that the simulator $\mathcal{S}$ can solve GDH$(A, B)$ with non-negligible probability if the adversary $\mathcal{A}$ breaks OU security with non-negligible probability $\varepsilon_1$.
Query Phase: $\mathcal{S}$ simulates the $H_1$, $H_2$ oracles as specified, and simulates the other oracles as follows:
Create oracle: $\mathcal{S}$ maintains a counter $i$ initialized to zero. Upon receiving a Create query $id$, $\mathcal{S}$ computes $i = i + 1$, and checks whether $i = i^*$ or $i = j^*$. If $i \neq i^*$, $\mathcal{S}$ runs the Registration phase as specified and stores the tuple $(id_i, R_i, d_i)$ in list $L_{Key}$; if $i = i^*$, $\mathcal{S}$ sets $R_i = A$ and stores the tuple $(id_i, R_i, \bot)$ in list $L_{Key}$.
Create-AP oracle: $\mathcal{S}$ maintains a counter $j$ initialized to zero. Upon receiving a Create-AP query $id$, $\mathcal{S}$ computes $j = j + 1$, and checks whether $j = j^*$. If so, $\mathcal{S}$ sets $P_j = B$, and stores the tuple $(id_i, R_i, \bot)$ in list $L_{Key}$; otherwise, $\mathcal{S}$ runs the Registration phase as specified.
Corrupt-SK oracle: Upon receiving query $id_i$, if $id_i \neq id_{i^*}$, $\mathcal{S}$ runs as specified; otherwise, $\mathcal{S}$ aborts.
Corrupt-AP oracle: Upon receiving query $id_j$, if $id_j \neq id_{j^*}$, $\mathcal{S}$ runs as specified; otherwise, $\mathcal{S}$ aborts.
IB-AAE oracle: Upon receiving query $(id_s, id_r, M)$, where $id_s$ is the sender's identity, $id_r$ is the receiver's identity, and $M$ is the message to be sent, $\mathcal{S}$ executes as below:
1) If $id_s \neq id_{i^*}$, $\mathcal{S}$ returns $Cipher \leftarrow$ IB-AAE$(id_s, id_r, M)$ as specified. $\mathcal{S}$ stores $(k', id_r, Cipher)$ in a list $ST_C$ that is initially empty. $\mathcal{S}$ also stores the tuple $(id_r, Cipher, K)$ in list $L_{GDH}$ if $id_r = id_{j^*}$.
2) If $id_r \neq id_{j^*}$, $\mathcal{S}$ sets $k' \in_R \mathbb{Z}_q^*$, and calculates $k = H_1(M, k')$, $h_s = H_1(id_s, R_s, P_{pub})$, $P_s = R_s + h_s P_{pub}$, $T = kG + P_s$, and $V = k d_r G + d_r P_s$. $\mathcal{S}$ computes the session key $K = H_2(V, T, id_r, R_r)$ and $C \leftarrow \mathsf{Enc}_K(id_s, R_s, k', M)$. $\mathcal{S}$ then returns $Cipher = (T, C)$, and stores $(k', id_r, Cipher)$ in list $ST_C$.
3) If $id_s = id_{i^*}$ and $id_r = id_{j^*}$, $\mathcal{S}$ sets $k' \in_R \mathbb{Z}_q^*$, and computes $k = H_1(M, k')$, $h_s = H_1(id_s, R_s, P_{pub})$, $P_s = R_s + h_s P_{pub}$, and $T = P_s + kG$. $\mathcal{S}$ selects $K \in_R \mathcal{K}$ such that $K$ differs from all previous session keys. $\mathcal{S}$ computes $C \leftarrow \mathsf{Enc}_K(id_s, R_s, k', M)$, and sends $(T, C)$ to the adversary. $\mathcal{S}$ stores $(id_r, Cipher, K)$ in list $L_{GDH}$, and stores $(k', id_r, Cipher)$ in list $ST_C$.
UnIB-AAE oracle: Upon receiving query $(id_r, Cipher)$, $\mathcal{S}$ executes as below:
1) If $id_r \neq id_{j^*}$, $\mathcal{S}$ returns UnIB-AAE$(id_r, Cipher)$ as specified.
2) If $id_r = id_{j^*}$, we consider two cases. If $(id_B, Cipher) \in L_{GDH}$, $\mathcal{S}$ obtains the corresponding session key $K$ and computes $(id_s, R_s, k', M) = \mathsf{Dec}_K(Cipher)$. If $(id_B, Cipher) \notin L_{GDH}$, $\mathcal{S}$ goes through all the queries in $L_{H_2}$, and checks whether there exists a tuple $(V, T, id_r, R_r)$ that satisfies $V = \mathrm{CDH}(T, P_r)$ with the help of the DDH oracle. If no such tuple exists, $\mathcal{S}$ returns $\bot$; otherwise, $\mathcal{S}$ computes $K = H_2(V, T, id_r, R_r)$. Then $\mathcal{S}$ calculates $(id_s, R_s, k', M) = \mathsf{Dec}_K(C)$ and $k = H_1(M, k')$, and checks whether the equation $T = P_s + kG$ holds. $\mathcal{S}$ returns $(M, id_s)$ if the equation holds, and $\bot$ otherwise.
Corrupt-R oracle: On query $(id_r, Cipher)$, $\mathcal{S}$ outputs the relevant random number if $(id_r, Cipher) \in ST_C$, and returns $\bot$ otherwise.
Forgery Phase: $\mathcal{A}$ chooses the target tuple $(id^*_s, id^*_r, M^*)$ where $id^*_s, id^*_r \in L_{honest}$. If $id^*_s \neq id_{i^*}$ or $id^*_r \neq id_{j^*}$, $\mathcal{S}$ aborts.
Suppose that $\mathcal{A}$ has successfully forged a valid ciphertext $(id_{j^*}, Cipher^*)$. In this case, $\mathcal{A}$ has issued the $H_2(V^*, T^*, id_{j^*}, R_{j^*})$ query with overwhelming probability. Thus, $\mathcal{S}$ can obtain the contents and the output of this query, and derive $(id_{i^*}, R_{i^*}, k^*, M^*) = \mathsf{Dec}_{K^*}(C)$. Due to equation 2, $\mathcal{S}$ could solve GDH$(A, B)$ by computing
The probability of the event that $\mathcal{S}$ fails the simulation is analyzed as follows:
E1: $\mathcal{A}$ breaks the AEAD security. This happens with negligible probability.
E2: The target $K^*$ is the same as another output of IB-AAE. Concretely, the targeted temporary value is $V^* = (d_{i^*} + k^*)s_{j^*}G$, and the other temporary value is $V = (d_s + k)s_rG$. We consider two cases below: 1) $id_r \neq id_{j^*}$. Due to the randomness of the $H_2$ oracle, the probability of $K = K^*$ is at most $q_2^2/2|\mathcal{K}|$. 2) $id_r = id_{j^*}$. If $V^* \neq V$ or $T^* \neq T$, the probability of $K = K^*$ is at most $q_2^2/2|\mathcal{K}|$. Otherwise, we can easily conclude that $k + d_s = k^* + d_{i^*}$, that is, $k = k^* + d_{i^*} - d_s$. Since $k$ and $k^*$ are outputs of the $H_1$ oracle, the probability of this event is at most $q_1^2/2q$. Therefore, $\Pr[E2] \leq \max\{q_2^2/2|\mathcal{K}|,\ q_1^2/2q\}$.
E3: The target $K^*$ is generated by $\mathcal{A}$ without the $H_2$ oracle. The probability of this event is $\Pr[E3] \leq 1/|\mathcal{K}|$.
E4: $\mathcal{A}$ issues Corrupt-SK$(id_{i^*})$ or Corrupt-AP$(id_{j^*})$. The probability of this event is $\Pr$
In summary, $\mathcal{S}$ can solve GDH$(A, B)$ with the advantage
where $P_{E2} = \max\{ 2q \}$. Therefore, lemma 1 is proved.
Lemma 2: Our IB-AAE scheme is IC secure in the random oracle model under the GDH assumption and AEAD security.
Proof. Given A = aG, B = bG ∈ E without a, b, we now demonstrate that the simulator S can solve GDH(A, B) with non-negligible probability if the adversary A breaks IC security with a non-negligible advantage ε_2.
Create oracle: S maintains a counter i initialized to zero. Upon receiving a Create query id, S computes i = i + 1 and checks whether i = i* or i = j*. If i ≠ i* and i ≠ j*, S runs the Registration phase as specified and stores the tuple (id_i, R_i, d_i) into list L_Key; if i = i*, S sets R_i = y_0 A and stores the tuple (id_i, R_i, ⊥) into list L_Key; if i = j*, S sets R_i = y_1 A and stores the tuple (id_i, R_i, ⊥) into list L_Key.
…_{sσ} P_pub, and T* = P*_{sσ} + k*G. S goes through all the queries in L_H2 and checks, with the help of the DDH oracle, whether there exists a tuple (V, T, id*_r, R*_r) satisfying V = CDH(T, P_r). If such a tuple exists, S returns ⊥; otherwise, S picks K* ∈_R K such that K* differs from all previous session keys. Then S calculates C* = Enc_{K*}(id*_{sσ}, R*_{sσ}, k*, M*_σ), returns Cipher* = (T*, C*), and stores (id*_r, Cipher*, K*) into list L_GDH.
Query Phase 2: A can query all the oracles as in Query Phase 1.
Guess: Assume that A outputs the right bit σ with advantage ε_2. Then A decrypts the target ciphertext with non-negligible probability. In this case, S can obtain V* from the corresponding H_2 query. According to equation 4, S then solves GDH(A, B) by computing equation 5.
The probability of the event that S fails the simulation is analyzed as follows. First, the events E1, E2 and E3 in this simulation are the same as those in the simulation of lemma 1. Second, the event E4 is that A queries the Corrupt-SK oracle with id_{i*}, id_{j*}, or id_{k*}; its probability is denoted Pr[E4]. In summary, S can solve GDH(A, B) with the advantage claimed in lemma 2, where P_{E2} = max{q_2^2 / (2|K|), q_1^2 / (2q)}. Therefore, theorem 1 is proved.

2) Proof of Theorem 2
Label security. First, for our IB-AA scheme, we set the session id sid as (T_A, T_AP). We first prove that session ids are unique.
Lemma 3: The probability for an adversary to generate two points T_A and T'_A with T_A = T'_A but (d_A, k_A) ≠ (d'_A, k'_A) is negligible.
Proof. Since T_A = (d_A + k_A)G and T'_A = (d'_A + k'_A)G, the equality T_A = T'_A implies k_A = d'_A − d_A + k'_A (mod q). Since k_A and k'_A are outputs of the H_1 oracle, the probability that this equation holds is 1/q, which is negligible. The same argument applies to T_AP. Thus, the probability that an adversary generates the same session id twice is negligible. That is, the probability that at least three sessions share the same session identity is negligible, and the client and the AP cannot both act as initiator (or both as responder) in one session.
Lemma 4: The probability that the session keys of two different sessions (T_A, T_AP) and (T'_A, T'_AP) are the same is negligible.
Proof. First, the session key is computed on each side as (K_1, …), so the session keys generated on the two sides of one session are the same. Second, according to lemma 3, sid ≠ sid' with overwhelming probability. In this case, the two session keys coincide only with negligible probability 1/|K|, by the randomness of the hash function H_3.
In summary, our IB-AA scheme satisfies label security.
ASK security. The demonstrations that our protocol enjoys impersonation security and ASK indistinguishability are given separately as follows.
Impersonation security. Given A = aG, B = bG ∈ E, S is able to break the GDH(A, B) assumption with non-negligible probability if the adversary breaks impersonation security with non-negligible probability ε_3.
Query Phase: S simulates H 1 , H 2 , Authentication oracles as specification, and simulates other oracles as follows.
Create oracle: S maintains a counter i initialized to zero. Upon receiving a Create query id, S computes i = i + 1 and checks whether i = i*. If i ≠ i*, S runs the Registration phase as specified and stores the tuple (id_i, R_i, d_i) into list L_Key.
Create-AP oracle: S maintains a counter j initialized to zero. Upon receiving a Create-AP query id, S computes j = j + 1 and checks whether j = j*. If j ≠ j*, S runs the Initialization phase as specified and stores the tuple (id_j, P_j, s_j) into list L_Key; if j = j*, S sets P_j = B and stores the tuple (id_j, P_j, ⊥) into list L_Key. S stores id_j into L_honest.
Corrupt-SK oracle: Upon receiving query id_i, if id_i ≠ id_{i*}, S runs as specified; otherwise, S aborts.
Corrupt-AP oracle: Upon receiving query id_j, if id_j ≠ id_{j*}, S runs as specified; otherwise, S aborts.
Challenge: The adversary chooses (id*_s, id*_AP) as the targeted client and the targeted AP, where id*_s, id*_AP ∈ L_honest. If id*_s ≠ id_{i*} or id*_AP ≠ id_{j*}, S aborts. Assume that the adversary aims to impersonate the target client; S executes as follows. Note that the probability for the adversary to impersonate the target AP is the same as that of this event.
Upon receiving the query (Start, id*_AP), S chooses k_AP ∈_R Z*_q and returns T_AP = d_AP G + k_AP G. Upon receiving the query (id*_AP, T_A), S goes through all the queries in L_H3 and checks, with the help of the DDH oracle, whether there exists a tuple (V*, T_A, T_AP) satisfying V* = CDH(T_A, T_AP). If the tuple exists, S takes the corresponding output K_1 from L_H3 and computes C_AP = Enc_{K_1}(k_AP). Otherwise, S selects a random session key K_1 ∈_R K and returns the ciphertext C_AP = Enc_{K_1}(k_AP). Upon receiving other queries, S runs as specified.
Test: Assume that the adversary A has completed the protocol. As a result, A is able to obtain the corresponding session key. A generates the same K_1 as S does with only negligible probability 1/|K|; therefore, A has queried the H_3 oracle with the correct V* = CDH(T_A, T_AP) with overwhelming probability. According to equation 7, S is able to solve GDH(A, B) by computing equation 8.
In the same way as in the proof of lemma 1, we conclude that if the adversary wins the game with non-negligible probability, S solves the GDH(A, B) problem with non-negligible probability.
ASK indistinguishability. Given A = aG, B = bG ∈ E, S is able to break the GDH(A, B) assumption with non-negligible probability if the adversary breaks ASK indistinguishability with non-negligible advantage ε_4.
Create oracle: S maintains a counter i initialized to zero. Upon receiving a Create query id, S computes i = i + 1 and checks whether i = i*. If i ≠ i*, S runs the Registration phase as specified and stores the tuple (id_i, R_i, d_i) into list L_Key.
Create-AP oracle: S maintains a counter j initialized to zero. Upon receiving a Create-AP query id, S computes j = j + 1 and checks whether j = k*. If j ≠ k*, S runs the Initialization phase as specified and stores the tuple (id_j, P_j, s_j) into list L_Key; if j = k*, S sets P_j = B and stores the tuple (id_j, P_j, ⊥) into list L_Key. S stores id_j into L_honest.
Corrupt-SK oracle: Upon receiving query id_i, if id_i is neither id_{i*} nor id_{j*}, S runs as specified; otherwise, S aborts.
Corrupt-AP oracle: Upon receiving query id_j, if id_j ≠ id_{k*}, S runs as specified; otherwise, S aborts.
Challenge: The adversary chooses two tuples (id*_{s0}, id*_AP, Start) and (id*_{s1}, id*_AP, Start) where id*_{s0}, id*_{s1}, id*_AP ∈ L_honest. The adversary sends these two tuples to S, and S selects σ ← {0, 1} at random. If id*_{s0} ≠ id_{i*}, id*_{s1} ≠ id_{j*} or id*_AP ≠ id_{k*}, S aborts. S sets the targeted client as id*_{sσ} and acts as specified for the Authentication oracle.
Guess: Assume that A outputs the right bit σ with advantage ε_4. As a result, A is able to obtain the corresponding session key. A generates the same K_1 as S does with only negligible probability 1/|K|; therefore, A has queried the H_3 oracle with the correct V = CDH(T_A, T_AP) with overwhelming probability. In this case, S can obtain the targeted V* from the H_3 query. According to equation 9, S then solves GDH(A, B) by computing CDH(A, B). In the same way as in the proof of lemma 2, we conclude that the simulation is perfect. Thus, if the adversary wins the game with a non-negligible advantage, S solves the GDH(A, B) problem with non-negligible probability.
In summary, our IB-AA scheme is label secure, impersonation secure, and ASK indistinguishable. Therefore, our IB-AA scheme is strongly IB-AA secure.

VI. COMPARISON WITH COMPETITIVE SCHEMES
A detailed performance analysis of our proposed scheme is given in this section. Our scheme is compared with four previous anonymous authentication schemes in terms of security, storage overhead, communication overhead, and computation overhead. We denote the previous schemes of [34], [33], [12], and [17] by "PV", "YL", "DH", and "MESS" respectively.
First, the comparison of security objectives, which were described in section III-E, is shown in Table 2. "√" indicates that the corresponding objective is achieved, "×" that it is not achieved, and "-" that it is not considered in the scheme. In the PV scheme, the PKG generates an anonymous identity for each client in every period, and the client sends this anonymous identity in plaintext; once the client sends two messages within one period, its forward anonymity is lost. Reference [16] has shown that the DH scheme is vulnerable to key-replacement attacks on the AP; once the AP's public key has been replaced, clients in the DH scheme cannot keep the anonymity and forward anonymity objectives. The MESS scheme suffers from a forgery attack according to [33], and therefore cannot achieve impersonation security. In both the MESS and YL schemes the forward anonymity of the AP has not been considered, since once an adversary compromises the AP's private key, it can decrypt and authenticate any message whose receiver is the AP. By contrast, according to the security proofs in section V, our scheme reaches all objectives in Table 2. Moreover, the MESS scheme requires the AP to maintain a table of clients' identities and indexes so that the AP can recover an index from a received message, whereas the other schemes (including ours) need no such index to be built or stored. Therefore, MESS cannot achieve scalability.
Our scheme is implemented with the PBC library. Concretely, we simulate the AP on a machine with an Intel i5-6500 at 3.20 GHz and 8 GB RAM, and a client on a machine with an Intel PXA270 at 624 MHz. In this implementation, we set p as a 512-bit prime and build the elliptic curve E: y^2 = x^3 + x mod p over F_p. We choose an additive group G_1 of 160-bit prime order q with a 512-bit generator G on the curve E.
We set the bilinear pairing e: G_1 × G_1 → G_2 and the length of elements in G_2 to 1024 bits. Following previous works, the lengths of a WBAN client's identity, a MAC value, a timestamp, and a "right" value are 32, 160, 32, and 160 bits respectively. Execution times of the basic operations, namely double point in G_1, bilinear pairing, and double point in G_2, are shown in Table 3.
Due to the resource limitation of WBAN clients, the storage overhead a client needs is an important factor when comparing WBAN schemes, while the storage overhead of an AP determines whether a scheme is scalable. Therefore, we provide storage comparisons on both the client and AP sides in Table 4. As for the method of computing storage overhead, take PV as an example. In PV, a client needs to store its public-private key pair, temporary identity, and tracking parameter, all of which are elements in G_1; the total storage overhead is therefore 4 × 512 = 2048 bits. An AP needs to store four elements in G_1 (its public-private key pair, temporary identity, and tracking parameter) and two elements in Z*_q (two secret keys); thus the total storage overhead on the AP side is 4 × 512 + 2 × 160 = 2368 bits. We denote by n the number of clients in Table 4. The storage overheads in our scheme are 67.2% (client side) and 71.6% (AP side) less than those in the PV and YL schemes, 43.2% less than in the MESS scheme on the client side, and equal to those in the DH scheme. This indicates that our scheme is scalable and practical in terms of storage overhead.
Comparisons of computation and communication overheads are given in Fig. 4 and Fig. 3 respectively. Specifically, Fig. 4 presents the computation time required by a client or an AP to execute a scheme once, through the "Client" and "AP" items; Fig. 3 presents the length of the messages a client sends and receives, through the "Send" and "Receive" items. Take PV as an example. The average computation time of a client to execute a scheme once in PV is 8 × 4.00 + 30.00 + 2 × 96.00 = 254.00 ms, since it requires eight double point operations in G_1, one double point operation in G_2, and two bilinear pairing operations. The average computation time of an AP to execute a scheme once in PV is 3 × 20.00 = 60.00 ms, since it requires three bilinear pairing operations. In the same way, the computation times of the client and the AP in YL, DH, MESS and our scheme are 54.00 and 125.00 ms, 16.00 and 42.40 ms, 50.00 and 29.15 ms, and 12.00 and 3.30 ms respectively.
After completing one run of PV, a client has sent seven elements in G_1, two elements in Z*_q, one element in G_2, and a timestamp, which amount to 7 × 512 + 2 × 160 + 1024 + 32 = 4960 bits, and has received three elements in G_1 and a timestamp, which amount to 3 × 512 + 32 = 1568 bits. In the same way, the communication costs a client sends and receives in YL, DH, MESS and our scheme are 3680 and 672 bits, 1248 and 672 bits, 2400 and 672 bits, and 1216 and 672 bits respectively. According to Fig. 4, our scheme needs 95.3% and 94.5%, 77.8% and 97.4%, 25% and 92.2%, and 76% and 88.7% less computation overhead than PV, YL, DH, and MESS on the client and AP sides respectively, since our scheme does not require bilinear pairing operations. According to Fig. 3, the message a client needs to send in our scheme is 75.5%, 67.0%, 2.6%, and 49.3% shorter than in PV, YL, DH, and MESS respectively, and the message a client needs to receive is 57.1% shorter than in PV and the same length as in the other schemes. This indicates that our scheme is efficient and practical in terms of communication and computation overheads.

VII. CONCLUSION
In this paper, an identity-based pairing-free anonymous authenticated encryption scheme (IB-AAE) has been proposed. Based on IB-AAE, an identity-based anonymous authentication scheme (IB-AA) for WBANs has been constructed, in which forward anonymity is achieved without bilinear pairing. Both IB-AAE and IB-AA have been proved secure in the random oracle model. A comprehensive comparison has been conducted to demonstrate that our IB-AA is secure and efficient in terms of computation, communication and storage costs.