Cryptoanalysis on a Cloud-Centric Internet-of-Medical-Things-Enabled Smart Healthcare System

Interconnecting the biomedical sensors of a healthcare system with the cloud, as the internet-of-medical-things (IoMT) technology does, has great potential to improve people's living conditions. Privacy preservation of personal health information (PHI) and mutual authentication between the sensors and the other entities are the two main factors that determine the further applicability of cloud-centric IoMT technology. In recent work [IEEE IoT Journal, vol. 7(10), 10650-10659, 2020], Kumar and Chand applied an identity-based aggregate signcryption scheme to a smart healthcare system (KC-system, for short), which provides privacy preservation of PHI and mutual authentication simultaneously. However, in this paper we carefully analyze the security of the KC-system and find that the critical authentication keys of the entities can be easily recovered from their communication contents. In other words, the mutual authentication function of the KC-system can be easily broken. Moreover, the recovery of the keys makes the tedious processes of obtaining a partial private key (from the network manager) and requesting key protection (from the key-protection servers) completely useless. Finally, we also twist their protocol into a new one, which can be proven secure against the previous attack.


I. INTRODUCTION
A wireless body area network (WBAN) is an emerging paradigm in ubiquitous healthcare, whereby sensors that are implanted in or worn on the human body collect and send a patient's real-time personal health information (PHI) data, such as breathing rate, heart rate and blood pressure [1]. Typically, a WBAN is a network consisting of various tiny sensors, which have limited power, storage and computing ability. After collecting the patient's PHI, they transmit it to a medical professional (or data consumer) via the public network [2].
From a security perspective, any attack on the sensors or unauthorized access to the network may result in life-threatening risk to the patients, since the transmitted data is exactly their sensitive PHI [3]. Obviously, the security and privacy problems are the first challenge for the further application of WBANs [4]. The second challenge lies in the day-to-day increasing transmission of PHI data, which overburdens the resource-constrained cellular network [5], [6]. Many studies find that the recent cloud-enabled internet of things (IoT) can potentially provide the required data storage and computing power [7]-[10]. Another advantage of combining the cloud with an e-health monitoring system is that remote diagnosis by an authorized medical entity becomes more convenient. However, some new security risks also appear, such as a semi-trusted cloud that may be curious to inappropriately access a patient's PHI [11]. In addition, how to validate the integrity of the PHI stored on the cloud is another critical problem for the cloud-based smart healthcare system [12].

The associate editor coordinating the review of this manuscript and approving it for publication was Junggab Son.
In order to solve the above security and privacy-preservation problems, various cryptographic techniques, such as encryption and signature, are considered for the cloud-centric IoMT system to simultaneously ensure privacy and authenticity.
In general, encryption and signature can be composed in several ways: sign-and-encrypt, sign-then-encrypt, and encrypt-then-sign. Each of these modes is a simple composition of an encryption scheme and a signature scheme, and is thus inefficient for the IoMT healthcare system. It is also well known that signcryption is an important public-key cryptographic primitive, which achieves authentication and privacy simultaneously at a much smaller cost. Like other public-key cryptographic primitives [13], [14], a signcryption scheme also has to face the problem of how to bind a public key to its true entity. Identity-based signcryption (IBSC) schemes (see [15]-[20]) easily bypass this issue, since an entity's public key is just its public information, such as an email address or an identity-card number. But the key-escrow problem (i.e. any entity's private key is known to the key-generation center) still exists in IBSC schemes. Therefore, researchers suggested the notion of certificateless signcryption and tried to apply it to the cloud-centric IoMT healthcare system.
In the recent work [21], Kumar and Chand pointed out that, compared with IBSC, certificateless signcryption cannot achieve the identity-based nature. Therefore, they proposed an escrow-free identity-based aggregated signcryption (EF-IBASC) scheme and constructed a device-to-device aggregated-data communication protocol (see [22]) for a cloud-centric smart healthcare system (KC-system, for short), whose security is based on the underlying EF-IBASC scheme. As Kumar et al. claimed, their healthcare system has many merits, including privacy preservation of PHI and mutual authenticity of the entities, because the underlying signcryption scheme simultaneously provides encryption and signature functions.
Unfortunately, in this paper we prove that the critical authentication function of the KC-system cannot be guaranteed, because the authentication key(s) can be easily recovered from the communication contents transmitted in the network. In other words, one of the two guarantees (i.e. authentication and privacy) of Kumar et al.'s signcryption scheme is completely broken.
Next, we briefly introduce the underlying idea of our attack and then discuss its consequences.
Recall that, in the KC-system, each entity $E$ needs to register and obtain its authentication key $d_E$ from the network manager (NM). In order to avoid the key-escrow problem, the NM only returns a partial private key to $E$. Moreover, for the key's security, $E$ also requests key protection from several key-protection servers (KPSs), which return the corresponding shares. The key $d_E$ is computed by combining the partial private key (from the NM) with the shares (from the KPSs).
During data transmission, the $j$th biomedical sensor (BMS) computes the encryption of the PHI data and a signature (under its authentication key $d^{j}_{BMS}$), and then sends the aggregated message $CT_j$ to the personal-assisted device (PAD).
Note that $CT_j$ contains the two items $C_{aggr,j} \in \mathbb{Z}_q^*$ and $E_j = C_{aggr,j}\, d^{j}_{BMS} \in G_1$, where $G_1$ is an additive group of large prime order $q$. By basic number theory [23], the authentication key $d^{j}_{BMS}$ can be easily recovered from $E_j$ whenever $C_{aggr,j}$ is public. Hence, the authentication key $d^{j}_{BMS}$ of this BMS is no longer secret. Similarly, the other entities' authentication keys can also be recovered.
The consequences of this attack include the following aspects:
1) The exposure of the authentication key makes the tedious generation of $d_E$ completely useless.
2) The mutual authentication function of the KC-system does not work. As a result, a malicious adversary may pretend to be a legal entity, join the system and try to break the smart healthcare system.
3) The ''public verifiability'' algorithm cannot achieve its expected function.

A. RELATED WORKS
In [24], Akinyele et al. proposed a self-protecting electronic medical record (EMR) by invoking the attribute-based encryption technique. Similarly, Hu et al. also discussed secure communication between a body area network and its data consumer, which is again attribute-based [25].
In [26], Li et al. gave suggestions on using identity-based signcryption for low-power devices, such as sensors, in an online/offline setting that simultaneously satisfies authentication and confidentiality without additionally authenticating a recipient's public key. However, this scheme suffers from the well-known key-escrow attack. Hence, in [ 's technique and also discussed the data communication scheme for e-health systems using a generalized signcryption scheme [27]. Unfortunately, in [28], Zhou pointed out that Zhang et al.'s protocol is susceptible to an insider attack, which means that it is insecure and vulnerable with respect to data confidentiality.
In the literature, various cryptographic primitives based on bilinear maps have been discussed for healthcare systems. Compared with identity-based schemes, certificateless schemes address the key-escrow problem but cannot achieve the identity-based property. This is also the motivation for an escrow-free identity-based aggregated signcryption scheme for the smart healthcare system.

B. ORGANIZATIONS
The remainder of this paper is organized as follows. In Section II, we introduce the system model of the IoMT-enabled smart healthcare system. Next, in Section III, we present our attack on the KC-system and discuss its consequences. Then we present our proposed solution in Section IV. Finally, conclusions are given in Section V.

VOLUME 10, 2022

II. PRELIMINARIES

A. HARDNESS ASSUMPTION
First, we introduce the hardness assumption underlying Okamoto's conference-key sharing scheme (CONF) [29]. Concretely, let $G$ be a cyclic group of prime order $q$ with generator $g$. For randomly chosen $x, y \in \mathbb{Z}_q$, given the tuple $(g, xg, (xy)g) \in G^3$, an algorithm $\mathcal{A}$ tries to compute and output $yg \in G$. If for any probabilistic polynomial-time adversary $\mathcal{A}$ the probability of successfully outputting $yg$ is negligible, then we say that the CONF assumption holds.

B. SYSTEM MODEL OF IoMT-ENABLED SMART HEALTHCARE SYSTEM
In this section, we introduce the system model of the IoMT-enabled smart healthcare system. As depicted in Fig. 1, it consists of the following six entities.
• Network Manager (NM). This entity initializes the whole system and generates the system parameters as well as its own master secret key. In order to avoid the key-escrow problem of previous identity-based authentication schemes, the NM is viewed as a semi-trusted entity. Therefore, given an identity $ID$, it only returns a partial private key.
• Key-Protection Servers (KPSs). These entities provide key-protection services for users' private keys. More precisely, they generate their public/secret key pairs and then compute independent shares of the user's protected private key.
• Biomedical Sensor (BMS). The whole system includes many BMSs. Each BMS is a tiny sensor with very limited storage space, battery life and computing power. The BMSs are either installed on the patient's body (i.e. wearable sensors) or deployed in the patient's tissues (i.e. implanted sensors).
• Personal-Assisted Device (PAD). This entity is a data sink with sufficient computing power and storage space. In the system, the PAD collects real-time PHI data transmitted from several BMSs and transfers the patient's PHI to the cloud server for storage (after signing it with its private key). In fact, it is viewed as an untrusted entity in Kumar et al.'s model, because they consider it effortless for an adversary to physically steal it or to attack it statistically.
• Medical Cloud Server (MCS). This entity provides storage services for the PHI transferred from the PAD. In addition, it also provides the SD with access to the stored PHI. It is viewed as a semi-trusted entity.
• Service Device (SD). This device is on the medical institution's side; it is allowed to access the PHI stored on the MCS and diagnoses the patient's diseases (based on the PHI). Finally, it sends the prescription to the corresponding BMS in the reverse direction.

III. SECURITY ANALYSIS ON THE KC-SYSTEM
In this section, we analyze the security of the KC-system. In particular, we will first prove that the authentication keys for BMS and PAD can be easily recovered, and then analyze its consequences.

A. INSECURITY OF ENTITIES' AUTHENTICATION KEYS
Note that, in the final phase of the algorithm ''Entity's Authentication and Registration'', each entity $E \in \{BMS, PAD, SD\}$ obtains the authentication key $d_E = s_0(s_1 + s_2 + \cdots + s_n)H_1(ID_E) \in G_1$, which should be kept secret from everyone else. However, we will show that these authentication keys can be recovered by anyone who eavesdrops on the contents transmitted among the entities.
Concretely, recall that, in the algorithm ''PHI Aggregate Signcryption'', the $j$th BMS signs and encrypts the original PHI messages $M_{1,j}, M_{2,j}, \cdots, M_{m,j}$ into $(C_{1,j}, D_{1,j}), (C_{2,j}, D_{2,j}), \cdots, (C_{m,j}, D_{m,j})$, and then aggregates them into $C_{aggr,j} = H_4(C_{1,j}, C_{2,j}, \cdots, C_{m,j}) \in \mathbb{Z}_q^*$. Any eavesdropper can see the transmitted $CT_j$, which includes $C_{aggr,j}$ and $E_j$. From these two items, the eavesdropper can recover the authentication key $d^{j}_{BMS}$ of this BMS as follows.
Since $C_{aggr,j} \in \mathbb{Z}_q^*$ and $q$ is prime, there exists an integer $\mu$ such that $\mu C_{aggr,j} \equiv 1 \pmod q$, which can be obtained by the extended Euclidean algorithm. Hence, it holds that
$$\mu E_j = \mu C_{aggr,j}\, d^{j}_{BMS} = d^{j}_{BMS}.$$
As a result, anyone seeing the content $CT_j$ can easily compute and recover the authentication key $d^{j}_{BMS}$ of the $j$th BMS.
In addition, from the description of the algorithm ''PHI Re-Aggregation'', we know that the PAD sends $CT_{PAD} = (A_j, B_j, C_{PAD}, C_{aggr,j}, \{D_{i,j}\}_i, E_j, F)$, in which $C_{PAD} \in \mathbb{Z}_q^*$ and $F = C_{PAD}\, d_{PAD}$, to the MCS. Similarly, since $C_{PAD}$ is public as well, any eavesdropper can easily compute and recover the authentication key $d_{PAD}$ of the PAD from $F$. As Kumar and Chand suggested, after obtaining the patient's PHI, the SD diagnoses it and returns the signcrypted prescription $P$ by using an algorithm similar to ''PHI Aggregate Signcryption''. In this case, anyone can also recover the SD's authentication key by an analysis similar to the recovery of $d^{j}_{BMS}$. In all, the authentication keys can be recovered by any eavesdropper who only needs to observe the communication contents among the entities.

B. THE CONSEQUENCE I
Now, we discuss the first consequence (denoted by Consequence I) of the above attack.
Recall that, in the system-setup step of the KC-system, the NM initializes the system, authenticates the entity with identity $ID$, and issues it a partial private key, which is further protected by multiple KPSs. Meanwhile, the KPSs forward the protected private-key shares to the entity, which finally combines the shares and extracts its authentication key $d_E$. We remark that the ultimate goal of these processes is to guarantee that the entity can correctly extract the key $d_E$.
Since, in our attack, any eavesdropper can easily recover the authentication key $d_E$, the tedious processes, such as requesting a partial private key (from the NM) and asking for key protection (from multiple KPSs), are of no use. Therefore, the first consequence of our attack is that many steps in the algorithms ''System Setup'' and ''Entity's Authentication and Registration'' (especially the latter) become useless and thus could be ''cut'' from the KC-system.

C. THE CONSEQUENCE II
Here, we discuss the second consequence (denoted by Consequence II) of our attack. In particular, the exposure of $d_E$ (for $E \in \{BMS, PAD, SD\}$) results in the loss of the authentication function of the whole KC-system. In other words, a malicious adversary may pretend to be a legal entity, join the system and thus break the smart healthcare system. Next, we take a ''malicious BMS'' (denoted by $BMS^*$) as an example. According to the description of our attack, $BMS^*$ can easily recover the authentication key $d^{j}_{BMS}$ of the $j$th BMS, which is a legal entity in the system. Then it can impersonate $BMS_j$ and interact with the other entities as follows.
Randomly choose $a^* \in \mathbb{Z}_q^*$ and compute the corresponding components as in ''PHI Aggregate Signcryption''. Then set $K^* = e(a^* d^{j}_{BMS}, H_1(ID_{SD}))$ and compute the ciphertext components. Aggregate the PHI as $C^*_{aggr}$. Finally, send $CT^* = (A^*, B^*, C^*_{aggr}, \{D^*_i\}_i, E^*)$ to the PAD. Note that this $CT^*$ passes the public verifiability check, since
$$e(E^*, B^*) = e(C^*_{aggr}\, d^{j}_{BMS},\, a^* P) = e(C^*_{aggr}\, s_0(s_1 + s_2 + \cdots + s_n)H_1(ID^{j}_{BMS}),\, a^* P) = e(a^* H_1(ID^{j}_{BMS}),\, s_0(s_1 + s_2 + \cdots + s_n)P)^{C^*_{aggr}}.$$
Obviously, the legal entity $BMS_j$ is successfully replaced by the malicious adversary $BMS^*$, but the KC-system cannot detect or prevent it. Therefore, the mutual authentication function claimed by Kumar et al. is broken.

D. INVALID PUBLIC VERIFIABILITY ALGORITHM
An adversarial cloud server can pass the ''Public Verifiability'' auditing algorithm even if it does not properly maintain the outsourced data. In other words, the ''Public Verifiability'' algorithm cannot achieve its expected function. Specifically, the component $\{D_{i,j}\}_i$ in the data packet sent to the cloud by the user can be arbitrarily deleted or modified by the cloud, although $\{D_{i,j}\}_i$ is the most important part of the entire data package, because the user's personal health information $M_{i,j}$ and $T_{i,j}$ are XORed with $S_{k_j}$ and then stored in $D_{i,j}$.
For example, assume that the encrypted data $CT_{PAD} = (A_j, B_j, C_{PAD}, C_{aggr,j}, \{D_{i,j}\}_i, E_j, F)$ stored on the MCS has been modified to $CT^*_{PAD}$ by altering the $\{D_{i,j}\}_i$ component, which the auditing does not check. Therefore, the MCS passes the verifier's auditing even though $CT_{PAD}$ has been modified to $CT^*_{PAD}$. The expected public verifiability function is invalid.

IV. OUR PROPOSED SCHEME
First, we present the twisted KC-scheme, which is based on the original KC-scheme and consists of the following algorithms.
• System Setup. For the security parameter $\lambda$, the NM generates a bilinear map $e : G_1 \times G_1 \to G_2$, where $G_1$ and $G_2$ are additive and multiplicative groups, respectively, with the same prime order $q$. Let $P$ be a generator of $G_1$, and let $m$ and $t$ denote the sizes (in bits) of a message and a timestamp, with a third parameter for the size of an identity. Then five hash functions $H_1, \ldots, H_5$ are chosen.
Next, the NM randomly chooses $s_0 \in \mathbb{Z}_q^*$ and defines its public key as $P_0 = s_0 P$. It broadcasts $P_0$ to each $KPS_i$, which also randomly chooses $s_i \in \mathbb{Z}_q^*$, defines $P_i = s_i P_0$, and returns $P_i$ to the NM. Finally, the NM generates the system public key as $Y = \sum_{i=1}^{n} P_i = s_0(s_1 + s_2 + \cdots + s_n)P$.
• Entity's Authentication and Registration. Let $E \in \{BMS, PAD, SD\}$ and let $ID_E$ be its identity. First, $E$ randomly chooses $x_E \in \mathbb{Z}_q^*$, computes $X_E$ and $D_E$, and sends $(ID_E, X_E, D_E)$ to the NM, which computes and returns the partial private key $(X_{E0}, D_{E0})$. Then $E$ requests key protection from each $KPS_i$, which computes and returns $D_{Ei} = s_i D_{E0}$ to $E$. Finally, $E$ recovers the (full) private key $d_E = s_0(s_1 + s_2 + \cdots + s_n)H_1(ID_E)$.
• PHI Aggregate Signcryption. The $j$th BMS first randomly chooses $a_j \in \mathbb{Z}_q^*$ and computes $A_j$ and $B_j$. Then it sets $K_j = e(a_j d^{j}_{BMS}, H_1(ID_{SD}))$ and computes $(C_{i,j}, D_{i,j})$ for $1 \le i \le m$. It aggregates the PHI as $C_{aggr,j} = H_4(C_{1,j}, C_{2,j}, \cdots, C_{m,j}) \in \mathbb{Z}_q^*$ and then computes $X_j$ and $E_j$.
• PHI Re-Aggregation. After receiving the signcrypted data $CT_1, CT_2, \cdots, CT_n$, the PAD re-aggregates them as $C_{PAD} = H_5(x_{PAD}, X_1, X_2, \cdots, X_n) \in \mathbb{Z}_q^*$ together with $Z_{PAD}$ and $F$, and then stores the result on the MCS.
• Public Verifiability. On the stored encrypted data, the verifier checks the stored components, in particular whether $e(E_j, B_j) = e(A_j, X_j)$.
If it holds, the data is complete and correct; otherwise, it is incorrect or missing. The correctness of the twisted KC-system can be obtained in a similar way to that of Kumar and Chand in [21]. As for its security against our previous attack, we have the following result.
Theorem 1: If Okamoto's CONF assumption holds, then our twisted KC-scheme is secure against the attack presented in Section III in the random oracle model.
Proof: Let $\mathcal{A}$ be an adversary who launches the attack given in Section III. We construct another adversary $\mathcal{B}$ attacking Okamoto's CONF assumption by invoking $\mathcal{A}$ as a subroutine. More concretely, given the tuple $(g, xg, (xy)g) \in G^3$, $\mathcal{B}$ intends to compute and output the element $yg \in G$. It simulates the environment for $\mathcal{A}$ as follows.

• Simulating Entity's Authentication and Registration.
For an entity $E \in \{BMS, PAD, SD\}$ other than $BMS_j$, the algorithm $\mathcal{B}$ computes $X_E$ and $D_E$ by randomly choosing $x_E \in \mathbb{Z}_q^*$. Then the partial private key $(X_{E0}, D_{E0})$ is calculated as in the scheme.
Finally, the (full) private key $d_E$ is generated by computing $d_E = (s_1 + s_2 + \cdots + s_n)H_1(ID_E)$.
• Simulating PHI Aggregate Signcryption. The $j$th BMS computes $A_j$ and $B_j$ by randomly choosing $a_j \in \mathbb{Z}_q^*$, and then sets $K_j = e(a_j d^{j}_{BMS}, H_1(ID_{SD}))$. Then it computes $C_{i,j}$ and $D_{i,j}$ normally for $1 \le i \le m$, $1 \le j \le n$, and sets $X_j = xg$, $E_j = (xy)g$.
Finally, it transmits $CT_j = \{A_j, B_j, X_j, \{D_{i,j}\}_i, E_j\}$ to the PAD.
• Simulating PHI Re-Aggregation. Given the signcrypted data $CT_1, CT_2, \cdots, CT_n$, the algorithm $\mathcal{B}$ computes $C_{PAD}$, $Z_{PAD}$ and $F$, and then stores the result on the MCS.
• Public Verifiability. Since the verification process does not rely on any private key, $\mathcal{B}$ can correctly simulate it for $\mathcal{A}$.
In the last phase, if the adversary $\mathcal{A}$ can correctly compute and output $d^{j}_{BMS}$, then the algorithm $\mathcal{B}$ also outputs it as its solution to the CONF instance $(g, xg, (xy)g)$. Hence Theorem 1 follows from Okamoto's CONF assumption. This ends the proof of Theorem 1.
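The key-recovery step of Section III-A, and the contrasting shape of the public values in the twisted scheme of Section IV, as an added example that is not part of the paper or of Kumar and Chand's system. It models $G_1$ by a textbook toy curve of prime order 19 (no pairing is implemented, since the recovery needs only scalar arithmetic), uses SHA-256 stand-ins for $H_1$ and $H_4$, and all identities, shares and ciphertext labels are constructed.

```python
import hashlib

# Added example (not from the paper). G1 is modelled by the textbook curve
# y^2 = x^3 + 2x + 2 over F_17, which has prime order q = 19; P = (5, 1) generates it.
P_MOD, A, B = 17, 2, 2
GEN = (5, 1)
INF = None  # point at infinity
Q = 19      # group order q; every scalar below lives in Z_q

def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h1(identity):
    """Hash-to-point stand-in for H1: maps an identity to a non-trivial point."""
    k = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (Q - 1) + 1
    return ec_mul(k, GEN)

def h4(*cts):
    """Hash-to-Z_q^* stand-in for H4 over the ciphertext components."""
    digest = hashlib.sha256("|".join(map(str, cts)).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def kc_authentication_key(identity, s0, shares):
    """d_E = s0*(s1+...+sn)*H1(ID_E): NM master secret combined with the KPS shares."""
    return ec_mul(s0 * sum(shares) % Q, h1(identity))

def kc_public_tag(d, ciphertexts):
    """The two public items of CT_j that matter: C_aggr,j and E_j = C_aggr,j * d."""
    c_aggr = h4(*ciphertexts)
    return c_aggr, ec_mul(c_aggr, d)

def recover_key(c_aggr, e_point):
    """Section III-A: mu = C_aggr^{-1} mod q, then mu*E_j = d. No DLP is solved."""
    return ec_mul(pow(c_aggr, -1, Q), e_point)

def twisted_public_view(d, x):
    """Section IV shape: only X_j = x*P and E_j = x*d are public; the scalar x
    stays secret, so there is no public scalar to invert (a CONF instance)."""
    return ec_mul(x, GEN), ec_mul(x, d)

def demo():
    d = kc_authentication_key("BMS-7", s0=4, shares=[3, 5, 6])  # constructed values
    c_aggr, e_point = kc_public_tag(d, ["C1", "C2", "C3"])     # constructed labels
    return d, recover_key(c_aggr, e_point)
```

The recovery works for every $C_{aggr,j} \in \mathbb{Z}_q^*$ regardless of the group size, which is why the fix must remove the public scalar rather than enlarge $q$.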

V. CONCLUSION
In this paper, we analyzed the security of the KC-system, which was proposed for smart healthcare systems. Although Kumar et al. claimed that their system achieves both the privacy preservation of the patient's health information and identity, and mutual authentication of the entities in the system, we proved that their authentication keys can be easily recovered from their communication contents. Hence, the complicated processes of the KC-system become completely useless. Moreover, further attacks may also occur in their smart healthcare system. In addition, we also proved that the KC-system does not achieve the expected public verifiability function. Finally, we proposed a twisted KC-scheme to defend against the previous attack and proved its security.