A Secure and Lightweight Data Sharing Scheme for Internet of Medical Things

As cloud computing has many advantages such as large storage capacity, low cost and scalability, more and more patients prefer to store their health data in the cloud to share it with physicians, researchers or other users. However, shared data stored in a remote cloud is out of the patient's control and exposed to many security problems, such as loss of privacy and data integrity. So far, more and more data sharing schemes to preserve data security in the health field have been put forward, but in most of them data encryption and decryption are completely implemented by terminal devices, which increases the communication and computation burden of patient and user. Furthermore, most sharing schemes have no integrity verification mechanism, so users may end up sharing incomplete data. To solve these problems, we propose a secure and lightweight data sharing scheme for the Internet of Medical Things. Firstly, the scheme guarantees the privacy and authorized access of shared data. Secondly, the scheme realizes efficient integrity verification before the user downloads shared data, to avoid incorrect query or computation results. Finally, the scheme achieves lightweight operations for patient and user.


I. INTRODUCTION
With the rapid development of information technology, the Internet of Medical Things (IoMT) has been widely applied in the field of health care [1]-[5]. IoMT can not only bring conveniences to patients, such as telemedicine anywhere, but also help medical professionals realize intelligent medical treatments, like predicting diseases for patients. However, with the continuous increase of health data and medical applications, the health information system is faced with the challenge of how to efficiently store, retrieve and process big health data [6], [7]. Cloud computing [8]-[10] is a suitable platform with large storage and computation resources that can support big data applications [11]. Nowadays, more and more patients prefer to upload their personal health data to the cloud for disease diagnosis or prediction by medical experts. Outsourcing health data to the cloud not only saves the local storage space of the health information system, but also greatly reduces the investment cost in software and hardware maintenance for medical enterprises [12]. However, storing sensitive health data in the cloud can also bring some security and privacy issues [13]-[19].
The associate editor coordinating the review of this manuscript and approving it for publication was Asad Waqar Malik .
Firstly, the health data not only relates to the personal identity information of the patient, but also involves health information such as infectious diseases. The leakage of sensitive data is no doubt harmful to the patient's life and work, so it is imperative to ensure the privacy of health data. Secondly, cloud storage servers are exposed to hardware or software failures, and are subject to malicious internal or external attacks. Therefore, it is extremely important to ensure the integrity of shared health data stored in cloud storage servers [20], [21]. Thirdly, unauthorized users should not be able to access the shared health data. Once unauthorized users access and tamper with medical records, it will lead to serious results such as misdiagnosis [22]. Consequently, it is important to ensure the privacy, integrity and authorization of health data. In addition, Internet-of-Things terminals are usually resource-constrained devices with small storage space and low processing speed. Therefore, it is essential to propose a secure and lightweight data-sharing scheme for IoMT.

A. MAIN CONTRIBUTIONS
In order to improve the computation efficiency of terminal devices in IoMT and guarantee the security and privacy of shared data, we construct a secure and lightweight data sharing scheme for the Internet of Medical Things. The main contributions of the paper are as follows.
1) The scheme guarantees the privacy of the patient and authorized access to shared data based on identity-based broadcast encryption.
2) The scheme achieves efficient integrity verification before the user downloads shared data, to avoid incorrect computation.
3) We prove the security of the sharing scheme and evaluate the computation and communication cost on the patient and user side. The results indicate that our scheme is more efficient than the previous ones.

B. ORGANIZATION
The rest of the paper is organized as follows. We first introduce the related works in Section II. Then we describe the system model, security requirements and design goals in Section III. We present the preliminaries in Section IV and the construction of the data sharing scheme for IoMT in Section V. Then we analyze the security of the scheme in Section VI and its performance in Section VII. Finally, we conclude this paper in Section VIII.

II. THE RELATED WORKS
So far, many data sharing schemes have been put forward in the medical health field. Their security mainly focuses on data integrity, privacy and access control, which are the core security problems in cloud data sharing. Cloud data auditing is a technology for a user to verify the availability of remote data. So far, many auditing schemes [23]-[39] have been proposed to verify the integrity of data stored on remote servers. Ateniese et al. [23] presented the first public auditing scheme, in which provable data possession (PDP) is proposed. To prove the integrity of dynamic data, Ateniese et al. [24] presented another scheme based on the symmetric-key PDP scheme. The scheme supports dynamic modification and deletion operations, but does not support the insertion operation. To achieve dynamic operation, Erway et al. [25] raised a dynamic provable data possession (DPDP) scheme by introducing an authenticated skip list. Zhu et al. [26] introduced an index-hash table for dynamic verification. Later Yang [27] proposed a data structure named Dynamic Hash Table. Wang et al. [28] and Liu et al. [29] proposed dynamic public auditing schemes based on the Merkle Hash Tree (MHT). To protect data privacy, Wang et al. [30] put forward an integrity verification scheme employing a random masking technique. Wang et al. [31] designed an auditing scheme with ring signatures to achieve secure cloud storage. Yang and Yu [32] also proposed an integrity verification scheme supporting identity privacy.
To achieve privacy against cloud servers and access control for users, identity-based broadcast encryption (IBBE) is employed in many schemes. IBBE is a specific case of identity-based encryption (IBE), in which the user's public key can be an arbitrary string such as the user's email. In 1984, Shamir [40] proposed the first IBE scheme. Later the bilinear pairing made IBE more efficient because it avoids certificate management. In 2001, Boneh and Franklin [41] proposed an identity-based encryption scheme from the Weil pairing. Yoon et al. [42] proposed an identity-based signature scheme with message recovery. In 2007, Delerablée [43] proposed the first IBBE scheme with constant-size ciphertexts and private keys. Later, Gentry and Waters [44] proposed the first adaptively CPA-secure IBBE scheme, which presents the first adaptively secure system with sublinear ciphertexts and proves security in the standard model. In 2015, Kim and Susilo [45] presented another adaptively secure identity-based broadcast encryption system featuring constant-size ciphertexts in the standard model. Since then, many other IBBE schemes [46]-[48] have been proposed in diverse fields and applications.

III. SYSTEM MODEL, SECURITY REQUIREMENT AND DESIGN GOALS
In our secure data sharing scheme for IoMT, a patient with health sensor devices collects and encrypts his health data before uploading it to cloud servers for sharing. In addition, the patient designates the identity set of users for achieving authorized access. In our scheme, an identity can be any string that represents a user's attributes, such as the work number of a doctor. To ensure cloud data is intact before sharing and to decrease the computation burden of the patient, an entity named Security-Mediator (SEM) helps the patient generate blocks and block tags for later integrity verification. A SEM can be a server within a certain area, such as a community health server. If a user wants to access the health data, he must register his identity with the Trusted Authority and get a warrant that limits his access time. Only when the user's identity and access time are both valid can the user download and decrypt shared data.

A. SYSTEM MODEL
Trusted Authority (TA): It is trusted by the other entities. It is responsible for generating the public and private parameters of the system and issuing a private key to each user according to his identity.
Patient: It refers to the entity with sensor devices that gathers health data such as temperature and blood pressure. The patient owns his health data and prefers to upload it to CS for data sharing with physicians, nurses or other authorized users. He is responsible for encrypting his health data for privacy and for establishing which users are authorized to access his data. To save the patient's computation burden, a Security-Mediator (SEM) is introduced to help the patient divide the encrypted data into blocks and compute block tags for the user's later data integrity verification.
Cloud server (CS): It is the entity with large storage and computation resources that maintains and manipulates shared data and can provide data access to legitimate users. CS is managed by a CSP (Cloud Service Provider).
User: This entity refers to medical professionals, nurses or medical researchers who utilize shared health data for medical diagnosis and data mining. In the scheme, only an authorized user is able to download shared data from CS and decrypt the data.

B. SECURITY REQUIREMENT
In our sharing scheme, we assume that SEM is semi-trusted. Though it can help the patient divide data into blocks and compute block tags, it might be curious about the patient's sensitive health data. Therefore, the shared data must be kept secret from SEM. Similarly, we suppose CS is also semi-trusted. CS is responsible for storing data and block tags in data sharing, but once data is corrupted or lost, it might launch a forgery attack or a replacement attack for economic reasons. Further, CS may also be curious about the content of sensitive data, so the data should be kept secret from CS. After the patient transfers his data to CS, only an authorized user is able to download and access the plaintext. In the scheme, we assume TA is a fully trusted authority and honestly generates the private key for each user. Therefore, the following security requirements of the scheme should be satisfied.
Privacy preserving: The shared data must be kept confidential from SEM, CS and any unauthorized users, to keep the patient's health data secure. The health data involves not only personal identity information but also medical information such as infectious diseases, so any disclosure of health information is undoubtedly harmful to the patient's life and work. Consequently, it is imperative to ensure the privacy of the patient's health data.
Authorized access: Only a legitimate user designated by the patient himself can download and access the health data stored in the cloud. Further, the authorized user can only download the data within the definite time limit.
Data integrity: It ensures that health data is not modified or deleted during transmission and storage. In the scheme, the user can detect any malicious tampering with the shared data before downloading the data.

C. DESIGN GOALS
Based on the system model and security requirements, our data sharing scheme for IoMT is designed to achieve the following goals.
Security requirements: The scheme should satisfy the security requirements including data privacy, authorized access and data integrity during data sharing process.
Lightweight operations: To improve the efficiency of data sharing, the scheme should decrease the computation operations of patient and user, because the terminals on both sides are mostly mobile devices. In our scheme, SEM divides the encrypted data into blocks and computes block tags instead of the patient. Further, before the patient encrypts data, TA calculates the intermediate data of encryption to decrease the patient's computation overhead. Similarly, when a user wants to access shared data, TA helps him compute the intermediate data of decryption to lessen the user's computation burden.
Effectiveness: The scheme should effectively achieve one-to-many data sharing, allowing a patient to securely share his data and any authorized user to correctly access the data.

IV. PRELIMINARIES

A. NOTATIONS
The notations in this paper are described in Table 1.

B. BILINEAR MAPS
Suppose $G_1$, $G_2$ are two multiplicative groups with the same large prime order $q$, and $g$ is a generator of $G_1$. A bilinear map $e$ is a map $e: G_1 \times G_1 \to G_2$ with the following properties: i) Computability. $\forall u, v \in G_1$, an efficient algorithm exists to compute $e(u, v)$. ii) Bilinearity. $\forall a, b \in Z_q$, $e(u^a, v^b) = e(u, v)^{ab}$. iii) Non-degeneracy. $e(g, g) \neq 1$. iv) Security. It is hard to compute the Discrete Logarithm (DL) in $G_1$.

C. DEFINITION
Our secure data sharing scheme for IoMT includes the following polynomial-time algorithms.
identity $Pid$ and outputs the challenge information $chal$.
7) ProfGen$(M', T, chal, pk) \to P$. It is run by CS and generates the integrity proof $P$.
8) ProfVer$(P, chal, pk) \to \{$"true", "false"$\}$. It is run by the user. It takes $P$, $chal$ and $pk$ as input and outputs the verification result "true" or "false".

V. CONSTRUCTIONS OF SECURE DATA SHARING SCHEME
In this section, we present the secure sharing scheme for IoMT in detail. We divide the sharing scheme into three phases named initial phase, preprocessing phase and data sharing phase.

A. INITIAL PHASE
In this phase, TA generates the public system parameters and master key. Because each user in the scheme must register his identity $Uid_j$ with TA and get his private key before downloading shared data, TA is also responsible for generating the private key and warrant for each user. Similarly, the patient should register his identity with TA before sharing his data with other users. This phase consists of the following three algorithms and fig. 2 illustrates the flowchart of the phase.
Setup. Given a security parameter $\lambda$ and an integer $y$, TA constructs the bilinear map group system $(G_1, G_2, q, e)$, where $G_1, G_2$ are multiplicative groups of order $q$ and $e: G_1 \times G_1 \to G_2$ is a bilinear map. TA also selects two random generators $g, h \in G_1$ and computes $w = g^{\gamma}$ and $v = e(g, h)$.
KeyExtract. TA generates the private key $sk_{Uid_j}$ for the user. Next TA picks random $a_1, a_2 \in Z_q^*$ and computes $b_1 = h^{a_1}$, $b_2 = h^{a_2}$. Then the warrant of the user is $warr = a_1 + a_2 \cdot H_1(Uid_j \,\|\, time)$, where $time$ refers to the valid time for the user to access shared data. Finally, TA sends $sk_{Uid_j}$ to the user via a secure channel and $(Uid_j, warr, b_1, b_2)$ to CS.
PatientReg. Patient $Pid$ first chooses $S = \{Uid_k\}_{k=1}^{t}$, $t \le y$, to denote the set of user identities allowed to access his health data. Any user with $Uid_k \in S$ can access the shared data $M$ within the valid time. After receiving the registration information $(Pid, S)$ from the patient, TA computes $\varphi = \prod_{k=1}^{t} (\gamma + H_1(Uid_k))$. Then TA transfers $\varphi$ to the patient secretly and keeps $\varphi$ locally for later computation.
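The warrant mechanism of this phase, as an added Python example that is not code from the paper: TA's KeyExtract issues $warr = a_1 + a_2 \cdot H_1(Uid_j \,\|\, time)$ together with $b_1 = h^{a_1}$, $b_2 = h^{a_2}$, and the check CS later runs before answering a challenge is $h^{warr} = b_1 \cdot b_2^{H_1(Uid_j \| time)}$ plus a comparison of the presented time against the current clock. Assumptions made here: the pairing group $G_1$ is replaced by the plain prime-order group $Z_p^*$ with $p = 2^{255} - 19$ (exponents reduced mod $p - 1$ instead of $q$), $H_1$ is instantiated as SHA-256 over $Uid \,\|\, time$, the user presents $time$ alongside his identity, and the private key $sk_{Uid_j}$ is left out because the warrant check does not use it.

```python
# Added example (not from the paper): toy warrant issuance and check.
# Constructed stand-in for the pairing group G1: the multiplicative group
# Z_P^* with P = 2^255 - 19; exponents are reduced modulo P - 1 instead of q.
import hashlib
import secrets

P = 2**255 - 19
ORDER = P - 1
H_GEN = 2  # fixed base playing the role of the generator h


def h1(uid: bytes, valid_until: int) -> int:
    """H1(Uid || time): hash an identity and its validity time into an exponent.
    The instantiation (SHA-256) is an assumption; the paper only names H1."""
    digest = hashlib.sha256(uid + b"||" + str(valid_until).encode()).digest()
    return int.from_bytes(digest, "big") % ORDER


def key_extract(uid: bytes, valid_until: int) -> tuple:
    """KeyExtract as run by TA: picks a1, a2, derives b1 = h^a1, b2 = h^a2 and
    issues warr = a1 + a2 * H1(Uid || time).
    Returns (message for the user, message for CS)."""
    a1 = 1 + secrets.randbelow(ORDER - 1)
    a2 = 1 + secrets.randbelow(ORDER - 1)
    b1, b2 = pow(H_GEN, a1, P), pow(H_GEN, a2, P)
    warr = (a1 + a2 * h1(uid, valid_until)) % ORDER
    user_msg = {"uid": uid, "time": valid_until, "warr": warr}
    cs_msg = {"uid": uid, "warr": warr, "b1": b1, "b2": b2}
    return user_msg, cs_msg


def check_warrant(uid: bytes, valid_until: int, warr: int, cs_record: dict, now: int) -> bool:
    """Eq. (3) as run by CS: h^warr == b1 * b2^H1(Uid || time), plus the time limit.
    (uid, valid_until, warr) are what the requesting user presents; cs_record is
    what TA registered for that identity."""
    if now > valid_until:
        return False  # warrant expired
    if cs_record["uid"] != uid or cs_record["warr"] != warr:
        return False  # does not match what TA registered for this identity
    lhs = pow(H_GEN, warr, P)
    rhs = cs_record["b1"] * pow(cs_record["b2"], h1(uid, valid_until), P) % P
    return lhs == rhs


def demo() -> dict:
    """Three requests against one issued warrant (constructed identity and times)."""
    user, cs = key_extract(b"doctor-0042", valid_until=2000)
    return {
        "valid": check_warrant(user["uid"], user["time"], user["warr"], cs, now=1500),
        "expired": check_warrant(user["uid"], user["time"], user["warr"], cs, now=2500),
        # presenting a later validity time with the same warr fails eq. (3):
        # time is folded into the exponent TA committed to
        "extended_time": check_warrant(user["uid"], 9000, user["warr"], cs, now=1500),
    }
```

The last case in demo() is the point of binding $time$ into the warrant: a user cannot stretch his access window by presenting a later time, because the equation then no longer matches $b_1$ and $b_2$. The pairing-based IBBE keys of the scheme are not reproduced in this toy.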

B. PRE-PROCESS PHASE OF SHARING DATA
In our scheme, suppose the maximum length of shared data is $l$. To keep $M \in \{0, 1\}^l$ secret from others, the patient first encrypts data $M$ to $M'$ and transfers $M'$ to SEM. Then SEM divides $M'$ into $n$ blocks and computes block tags. This phase includes the following two algorithms and fig. 3 is the flowchart of the phase.
DataEnc. Patient $Pid$ computes the symmetric encryption key $K$ and encrypts $M$ with $H_2(K)$ as follows. He picks a random $r \in Z_q^*$ and computes $C_1 = w^{-r}$, $C_2 = h^{r \cdot \varphi}$, $K = v^r$. Next the patient encrypts $M$ as $M' = M \oplus H_2(K)$. Finally, the patient sends $(Pid, S, C = (C_1, C_2))$ to CS, $(Pid, M')$ to SEM and $(Pid, S)$ to TA.
TagGen. In order to ensure the integrity of the shared data $M'$, SEM computes a tag for each block. He first divides $M'$ into $n$ data blocks, namely $M' = \{m_i\}_{i=1}^{n}$, with an erasure code algorithm. Then he picks random $x, \tau \in Z_q^*$ and computes $pk = h^x$, $u = h^{\tau}$. He denotes $x$ as his private key and $pk$ as his public key. Finally, SEM computes the block tags $\sigma_i = (H_3(i) \cdot u^{m_i})^x$ for $i = 1, \dots, n$.
SEM denotes $T = \{\sigma_i\}_{i=1}^{n}$ and transfers $D = (Pid, M', T, u)$ to CS.

C. DATA SHARING PHASE
When a user wants to access shared data, he first verifies the integrity of the data. He generates an integrity challenge $chal$ and sends it to CS. If the user's warrant is valid, CS computes the data integrity proof $P$ and sends it to the user. After the user confirms that the shared data is intact, he downloads and decrypts $M'$. This phase consists of the following five algorithms and fig. 4 describes the flowchart of the phase.
ChalGen. Before downloading the shared data $M'$, user $Uid_j$ first generates an integrity challenge. He selects two pseudorandom functions $f_1: \{1, 2, \cdots, n\} \to \{1, 2, \cdots, n\}$ and $f_2: \{1, 2, \cdots, n\} \to Z_q^*$. Then he generates a subset $I = \{i\}$ with $c$ elements from $[1, n]$ by $f_1$ and the corresponding random numbers $d_i \in Z_q^*$ by $f_2$. Finally, he transfers the challenge $chal = (Uid_j, \{(i, d_i)\}_{i \in I}, Pid)$ to CS.
ProfGen. On receiving $chal$ from the user, CS first checks the user's warrant with the following equation (eq. (3)):
$h^{warr} = b_1 \cdot b_2^{H_1(Uid_j \,\|\, time)}$.
If eq. (3) holds, CS generates the signature proof $TP = \prod_{i \in I} \sigma_i^{d_i}$ and the data proof $DP = \sum_{i \in I} d_i \cdot m_i$. Then CS sends $P = (TP, DP)$ to the user.
ProfVer. On receiving the proof $P$ from CS, the user verifies the integrity of the data $M'$ by checking eq. (5):
$e(TP, g) = e\left(\prod_{i \in I} H_3(i)^{d_i} \cdot u^{DP},\ pk\right)$.
PreCompute. If the shared data is intact, the user sends $(Uid_j, Pid)$ to TA to get the intermediate result for decryption. Based on $(Pid, S)$, TA computes $\delta = \prod_{k=1, k \neq j}^{t} H_1(Uid_k)$ and $\gamma(Uid_j, S) = \gamma^{-1} \cdot \left(\varphi \cdot (\gamma + H_1(Uid_j))^{-1} - \delta\right)$, and transfers $(\gamma(Uid_j, S), \delta)$ to the user secretly for data decryption.
DataDecry. User $Uid_j$ downloads $(M', C)$ from CS and decrypts the shared data. He first retrieves the symmetric key $K$ by eq. (6):
$K = \left(e(C_1, h^{\gamma(Uid_j, S)}) \cdot e(sk_{Uid_j}, C_2)\right)^{1/\delta}$.
Then the user computes $M = M' \oplus H_2(K)$ to get the plaintext of the shared data.
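The pre-process and sharing phases, as an added Python walkthrough that is not the paper's code: DataEnc's $M' = M \oplus H_2(K)$, TagGen's $\sigma_i = (H_3(i) \cdot u^{m_i})^x$, ChalGen, ProfGen's $TP = \prod \sigma_i^{d_i}$ and $DP = \sum d_i m_i$, and the verification of eq. (5), followed by a run in which CS has corrupted a challenged block so that the proof fails. Assumptions: the same toy group $Z_p^*$ ($p = 2^{255} - 19$) with one fixed base in the roles of $g$ and $h$; SHAKE-256 as $H_2$; SHA-256 for $H_3$, $f_1$ and $f_2$; a constructed key $K$ in place of the IBBE encapsulation $K = v^r$ (which needs a pairing); and, because no pairing is available here, $pk = g^x$ with the verifier holding SEM's $x$, so that eq. (5) reduces to $TP = (\prod_{i \in I} H_3(i)^{d_i} \cdot u^{DP})^x$. In the paper the user checks the same relation publicly through the pairing without knowing $x$; the algebra of the tags, challenge and proof is unchanged.

```python
# Added example (not from the paper): toy run of the pre-process and sharing
# phases. Constructed stand-in for the pairing group: Z_P^* with P = 2^255 - 19,
# one fixed base G in the roles of g and h, exponents reduced modulo P - 1.
# ProfVer is the private-key form of eq. (5): the verifier holds SEM's x and
# checks TP == (prod H3(i)^d_i * u^DP)^x, with pk = G^x (assumption).
import hashlib

P = 2**255 - 19
ORDER = P - 1
G = 2


def h2(K: bytes, length: int) -> bytes:
    """H2(K): expand K to an l-byte mask (SHAKE-256 as the XOF; assumption)."""
    return hashlib.shake_256(K).digest(length)


def h3(i: int) -> int:
    """H3(i): hash a block index into the group (toy: G^SHA256(i))."""
    e = int.from_bytes(hashlib.sha256(b"H3|" + str(i).encode()).digest(), "big") % ORDER
    return pow(G, e, P)


def data_enc(M: bytes, K: bytes) -> bytes:
    """DataEnc / DataDecry symmetric step: M' = M xor H2(K); applying it again recovers M."""
    return bytes(a ^ b for a, b in zip(M, h2(K, len(M))))


def split_blocks(Mp: bytes, n: int) -> list:
    """SEM splits M' into n blocks m_i read as integers (stand-in for the erasure-coded split)."""
    size = -(-len(Mp) // n)  # ceiling division
    return [int.from_bytes(Mp[k * size:(k + 1) * size], "big") for k in range(n)]


def tag_gen(blocks: list, x: int, tau: int) -> tuple:
    """TagGen: pk = G^x, u = G^tau, sigma_i = (H3(i) * u^{m_i})^x for i = 1..n."""
    pk, u = pow(G, x, P), pow(G, tau, P)
    tags = [pow(h3(i) * pow(u, m, P) % P, x, P) for i, m in enumerate(blocks, start=1)]
    return pk, u, tags


def chal_gen(n: int, c: int, seed: bytes) -> list:
    """ChalGen: f1 picks c distinct indices in [1, n], f2 picks d_i in [1, P-2].
    Both PRFs are instantiated as SHA-256 over a seed (constructed)."""
    chosen, k = [], 0
    while len(chosen) < c:
        i = 1 + int.from_bytes(hashlib.sha256(seed + b"f1" + k.to_bytes(4, "big")).digest(), "big") % n
        k += 1
        if i not in chosen:
            chosen.append(i)
    return [(i, 1 + int.from_bytes(hashlib.sha256(seed + b"f2" + i.to_bytes(4, "big")).digest(), "big") % (ORDER - 1))
            for i in chosen]


def prof_gen(cs_blocks: list, tags: list, chal: list) -> tuple:
    """ProfGen run by CS over its stored copy: TP = prod sigma_i^{d_i}, DP = sum d_i * m_i."""
    TP, DP = 1, 0
    for i, d in chal:
        TP = TP * pow(tags[i - 1], d, P) % P
        DP += d * cs_blocks[i - 1]
    return TP, DP


def prof_ver(TP: int, DP: int, chal: list, u: int, x: int) -> bool:
    """Private-key form of eq. (5): TP == (prod H3(i)^{d_i} * u^{DP})^x."""
    acc = 1
    for i, d in chal:
        acc = acc * pow(h3(i), d, P) % P
    acc = acc * pow(u, DP, P) % P
    return TP == pow(acc, x, P)


def demo() -> dict:
    """One intact run and one run where CS corrupted a challenged block (constructed data)."""
    M = b"constructed record: patient 17, BP 120/80, HR 72"
    K = hashlib.sha256(b"constructed K standing in for v^r").digest()
    x, tau = 0x1234567, 0x89AB  # SEM's secrets (constructed)
    Mp = data_enc(M, K)
    blocks = split_blocks(Mp, 4)
    pk, u, tags = tag_gen(blocks, x, tau)
    chal = chal_gen(len(blocks), 2, b"constructed challenge seed")
    TP, DP = prof_gen(blocks, tags, chal)
    # CS flips one bit of a challenged block; it cannot re-tag it without x
    corrupted = list(blocks)
    corrupted[chal[0][0] - 1] ^= 1
    TP2, DP2 = prof_gen(corrupted, tags, chal)
    return {
        "intact_verifies": prof_ver(TP, DP, chal, u, x),
        "corrupted_verifies": prof_ver(TP2, DP2, chal, u, x),
        "decrypts": data_enc(Mp, K) == M,
    }
```

Because each tag fixes its $m_i$ under SEM's key, CS cannot adjust $DP$ or $TP$ to cover an altered block: the corrupted run returns False for a challenge that touches the changed index, which is why the user runs ChalGen and ProfVer before spending bandwidth on the download.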

VI. SECURITY ANALYSIS
In this section, we analyze the security of the scheme, including correctness, unforgeability and privacy.
Theorem 1: An authorized user can correctly verify the integrity of the data stored in CS.
Proof: Theorem 1 can be proved by verifying the correctness of eq. (5). The proof is as follows.
From the proof of eq. (5), the user can verify whether the data is stored undamaged in CS.
Theorem 2: An authorized user can correctly recover $K$ if the identity $ID_i$ is legitimate.
Proof: Theorem 2 can be proved by verifying the correctness of eq. (6). The proof is as follows.
Theorem 3: As long as the DL assumption holds, it is computationally infeasible for an unauthorized user, SEM and CS to get the health data in the scheme.
Proof: In the preprocess phase of the shared file, the patient encrypts the file $M$ to $M'$; therefore the data is private to CS and SEM. In the sharing phase, CS sends $P = \{TP, DP\}$ to the user, where $DP = \sum_{i \in I} d_i \cdot m_i$. Because the $m_i$ are blocks of the encrypted data $M'$, an unauthorized user cannot get any information on the sensitive data.
Theorem 4: It is computationally infeasible for CS to forge an integrity proof that passes the public verification, if the Computational Diffie-Hellman (CDH) problem is hard in the bilinear group.
Proof: In the sharing phase, after CS receives the challenge $chal$ from the user, it should send the correct proof $P = (TP, DP)$ where $DP = \sum_{i \in I} d_i \cdot m_i$. In the scheme, $P$ is the correct proof and the equation $e(TP, g) = e(\prod_{i \in I} H_3(i)^{d_i} \cdot u^{DP}, pk)$ holds. Suppose the adversary's proof is $P' = (TP', DP')$, where $DP' = \sum_{i \in I} d_i \cdot m_i'$. Then the equation $e(TP', g) = e(\prod_{i \in I} H_3(i)^{d_i} \cdot u^{DP'}, pk)$ also holds. Let $\xi = DP = \sum_{i \in I} d_i \cdot m_i$, $\xi' = DP' = \sum_{i \in I} d_i \cdot m_i'$ and $\Delta\xi = \xi' - \xi$. We can construct a simulator that uses the adversary to solve the CDH problem. Given $g, g^a, \varepsilon \in G_1$, the simulator is asked to output $\varepsilon^a$. The simulator sets $pk = g^a$ and $u = g^{\mu} \varepsilon^{\nu}$ where $\mu, \nu \in Z_q^*$. From the above two equations and the properties of bilinear maps, we conclude the following: $e(TP'/TP, g) = e(u^{\xi' - \xi}, pk) = e(u^{\Delta\xi}, pk) = e((g^{\mu} \varepsilon^{\nu})^{\Delta\xi}, pk)$. From this equation we get $e(TP' \cdot TP^{-1} \cdot pk^{-\mu\Delta\xi}, g) = e(\varepsilon, pk)^{\nu\Delta\xi}$, so $\varepsilon^a = (TP' \cdot TP^{-1} \cdot pk^{-\mu\Delta\xi})^{1/(\nu\Delta\xi)}$. We can analyze the probability of failure of the game by computing the probability that $\nu\Delta\xi = 0 \bmod q$. Because the probability that $\nu\Delta\xi = 0 \bmod q$ is only $1/q$, this probability is negligible.

VII. PERFORMANCE EVALUATION
In this section, we evaluate the computation costs of patient and user in the scheme and compare it with scheme [49].

A. PERFORMANCE ANALYSIS
To analyze the computation overhead of the scheme, we define the following notations for the corresponding operations: let $Pair$ denote a pairing operation, $Hash$ a hash operation and $Exp$ an exponentiation operation. Similarly, let $Mul$ and $Add$ respectively represent a multiplication and an addition operation. $Xor$ and $Pref$ respectively denote the XOR and pseudo-random function operations of the scheme.

1) INITIAL PHASE
In algorithm Setup, TA computes $w = g^{\gamma}$, $v = e(g, h)$, and the computation overhead is $Exp + Pair$. In algorithm KeyExtract, TA first computes the private key for the user. Then TA picks random $a_1, a_2 \in Z_q^*$ and computes $b_1 = h^{a_1}$, $b_2 = h^{a_2}$. The warrant of the user is $warr = a_1 + a_2 \cdot H_1(Uid_j \,\|\, time)$. Therefore, the computation overhead of the algorithm is $2Hash + 3Exp + 2Pair + 2Add + 2Mul$.

2) PREPROCESS PHASE
In DataEnc, the patient computes $C_1 = w^{-r}$, $C_2 = h^{r \cdot \varphi}$, $K = v^r$ and encrypts $M$ as $M' = M \oplus H_2(K)$. Therefore, the computation overhead of the algorithm is $3Exp + Hash + Mul + Xor$. In TagGen, SEM generates his public key $pk = h^x$ and computes $u = h^{\tau}$. Then SEM computes $n$ tags as $\sigma_i = (H_3(i) \cdot u^{m_i})^x$. Therefore, the computation overhead of the algorithm is $(2 + 2n)Exp + nHash + nMul$.

3) SHARING PHASE
In ChalGen, the user generates a subset $I = \{i\}$ with $c$ elements by $f_1$ and random numbers $d_i \in Z_q^*$ by $f_2$. Therefore, the computation overhead is $2Pref$. In ProfGen, CS first checks the user's authority with the equation $h^{warr} = b_1 \cdot b_2^{H_1(Uid_j \,\|\, time)}$ and generates the signature proof $TP = \prod_{i \in I} \sigma_i^{d_i}$ and the data proof $DP = \sum_{i \in I} d_i \cdot m_i$. Therefore, the computation overhead of the algorithm is $(c + 2)Exp + Hash + (2c + 1)Mul + cAdd$. In ProfVer, the user verifies the integrity of the data $M'$ with the equation $e(TP, g) = e(\prod_{i \in I} H_3(i)^{d_i} \cdot u^{DP}, pk)$, so the computation overhead is $2Pair + cHash + (c + 1)Exp + Mul$. In PreCompute, TA computes $\delta = \prod_{k=1, k \neq j}^{t} H_1(Uid_k)$ and $\gamma(Uid_j, S) = \gamma^{-1} \cdot (\varphi \cdot (\gamma + H_1(Uid_j))^{-1} - \delta)$, so the computation overhead of the algorithm is $tHash + (t + 1)Mul + 2Add + 2Exp$. In DataDecry, user $Uid_j$ first retrieves the symmetric encryption key $K$ with the equation $K = (e(C_1, h^{\gamma(Uid_j, S)}) \cdot e(sk_{Uid_j}, C_2))^{1/\delta}$. Then the user computes $M = M' \oplus H_2(K)$ to get the shared data. Therefore, the computation overhead in this

B. EXPERIMENTAL RESULTS
We simulate our scheme with the Pairing Based Cryptography (PBC) library, version 0.5.14. We compare the computation time of the DO (data owner, i.e., the patient) and the user with scheme [49] by utilizing an MNT d159 curve with 160-bit group order. All the experiment results represent the average of 20 trials.

1) COMPUTATION TIME OF DO IN PREPROCESSING PHASE
The computation time of DO is mainly incurred in the preprocessing phase. We first test the relation between DO's computation time and the number of user identities. From fig. 5, we can see that when the number of user identities varies from 1 to 100, the computation time of DO remains constant. Then we test the relation between DO's computation time and the size of shared data as described in fig. 6. When the size of data is 1M, the time cost of DO is 25.1ms. With the size growing, the time increases slowly. When the size reaches 10M, the time cost is 37.72ms. From fig. 5 and fig. 6, we can conclude that DO's computation time in our scheme is lower than that of Zhang's scheme.

2) COMPUTATION TIME OF USER IN SHARING PHASE
In the data sharing phase, we first test the relationship between the user's computation cost and the number of identities as described in fig. 7. Because TA computes the intermediate data of decryption, the user's computation time is constant when the number of user identities increases. We also test the relationship between the user's computation cost and the size of shared data as described in fig. 8. We can see that with the size of shared data growing, the computation cost of the user increases slowly. From fig. 7 and fig. 8, we can conclude that the user's computation time in our scheme is less than that in Zhang's scheme.

VIII. CONCLUSION
In this paper, we propose a lightweight and secure health data sharing scheme for IoMT. The scheme keeps the health data private by allowing only authorized users to access the shared data. The scheme also achieves efficient integrity verification, preventing users from downloading damaged data. Finally, the scheme realizes lightweight operations for patient and user by identity-based broadcast encryption (IBBE). From the experimental results and security analysis, we conclude that our scheme is more efficient in computation cost and more secure in health data sharing.