Preprint
Article

This version is not peer-reviewed.

Fine-Grained and Flexible Dual Authentication for IoT-Connected Healthcare Sensor Networks

Submitted:

02 July 2026

Posted:

03 July 2026

You are already at the latest version

Abstract
IoT-connected healthcare sensor networks require authenticated and privacy-preserving data exchange among wearable sensors, mobile medical terminals, edge gateways, cloud servers, and medical institutions. Existing authentication schemes for healthcare IoT often bind signatures directly to user identities, exposing sensitive personal or institutional information and imposing heavy verification costs on resource-constrained sensing devices. To address this problem, we propose a fine-grained and flexible dual authentication scheme for healthcare sensor networks. In the proposed scheme, health data and diagnoses are signed with a fresh signing key and a fine-grained access control policy each time, so that the signer identity remains hidden while authorized entities can still modify permitted parts of signed data. No entity other than an authorized entity can trace a malicious signer or modify signed data without changing the data source. To support lightweight verification in sensor-edge-cloud deployments, we further present a verifiable outsourced authentication scheme that outsources time-consuming pairing operations to cloud servers; the online verification process then requires only six multiplication operations. As a fundamental technical component, we present a practical attribute-based sanitizable signature with shorter signature and key lengths and more efficient signing and signature-changing operations than the state-of-the-art policy-based sanitizable signature (P3S). Formal security analysis and experiments demonstrate the security and practicality of the proposed scheme for privacy-preserving healthcare sensing and medical data exchange.
Keywords: 
;  ;  ;  ;  ;  ;  

1. Introduction

Healthcare sensor networks are increasingly built from wearable sensors, mobile medical terminals, home gateways, edge devices, cloud services, and hospital information systems. These connected sensing environments enable continuous physiological monitoring, teleconsultation, emergency triage, and data-driven diagnosis, but they also enlarge the attack surface: health data and diagnosis messages may traverse heterogeneous sensing devices, edge gateways, cloud servers, and multiple medical institutions before reaching the final verifier. Therefore, authentication mechanisms for IoT-connected healthcare must protect both data integrity and personal privacy while remaining efficient enough for resource-constrained sensors, gateways, and mobile medical devices.
Internet of Things (IoT) is dramatically changing the way we live through a variety of applications such as smart city, smart transportation and connected healthcare [1]. As a vital application of IoT, IoT-connected healthcare is proposed to improve the efficiency of health systems and reduce health costs [2]. Users can monitor their health status in real-time and enjoy teleconsultation with web-connected wearable devices. IoT-connected healthcare allows users to obtain the diagnosis from the medical institutions anytime and anywhere, which brings certain protection to the health of residents. Despite the aforementioned advantages, IoT-connected healthcare poses numerous security challenges. IoT-connected healthcare is considered as an on-demand service, i.e., it provides health services only to users who subscribe to and pay for it. Therefore, the medical institutions need to verify the validity of the user’s identity after receiving the request. In most of existing authentication schemes for IoT-connected healthcare, users need to sign the health data with a signing key bounded to their identity. This severely exposes the information of users’ identity. Moreover, such schemes only consider the authentication of the user. In reality, however, authenticating the source of data for remote diagnosis is just as important. Only a diagnosis from the legitimate medical institutions is credible. In some cases, the source of the diagnosis also reveals the patient’s privacy to some extent. For instance, the adversary could infer that the patient might suffer from reproductive diseases based on the diagnosis from the reproductive surgeon. Normally, a patient with reproductive disease does not want other people to know about it. The rapid development of IoT-connected healthcare is making this an increasingly common problem. Therefore, the implementation of dual authentication for privacy protection in IoT healthcare networks is a very important problem of concern. Signing the data with a pseudonym before uploading it to the network is one of the potential solutions to the above problem. The health data, such as Health Level Seven (HL7) [3], contains the identifier, gender and birthdate of the user. As shown in Figure 1, a user signs the health data that is removed the personal information with a pseudonym. Then, the user uploads the signed data to the network. Using only one or a few of pseudonyms is unable to realize the privacy-preserving of the user’s identity. Therefore, the user needs to save numerous pseudonyms in advance, but it causes a serious storage burden. After receiving the signed health data, the medical institutions first verify whether the user is valid. In order to authenticate users, the medical institutions need to pre-store the mapping between all possible pseudonyms and all user identities it served. Clearly, such an approach is impractical. This is because the number of users needed to be served is extremely large. Another problem caused by this solution is that medical institutions are unable to make an accurate diagnosis according to the health data included no user’s personal information, such as age, gender, etc. As shown in Figure 1, medical institutions need to sign their diagnosis with pseudonyms and then send the signed diagnosis to users. In the same vein, users need to pre-store the mappings between all possible pseudonyms and all candidate medical institutions’ identities. This imposes the heavy storage burden on resource-constrained users that far exceeds their capacities. This results in the user being unable to authenticate the medical institutions exactly. The adversary may successfully pretend to be a legitimate medical institutions and give the malicious diagnosis, which may endanger the user’s life. Besides, in reality, the diagnosis is not only accessible to the user, but also to authorized family members and friends. Furthermore, the health data should be accessed by multiple authorized medical institutions for better treatment. Considering the above limitations, three questions naturally arise:
  • Is there any approach that enables the signature exposing no information of signer’s identity while the signer does not need to save numerous pseudonyms?
  • Whether any method exists to allow someone other than the signer to modify the signed data non-interactively without changing the data source?
  • Whether any method exists to allow the signer specify who can modify the signed data and which parts of the data can be modified through a fine-grained access control policy?
Our Contribution. In order to address above problems in IoT-connected healthcare sensor networks, we propose a fine-grained and flexible dual authentication scheme that can be deployed over wearable-sensor, mobile-health, and edge-assisted medical communication networks. The scheme treats sensor gateways, edge nodes, and mobile medical terminals as potentially resource-constrained communication and verification participants: they may forward, verify, or help process authenticated healthcare data, but they should not learn users’ or medical institutions’ private identities. Considering that healthcare sensors and edge gateways have limited computation and energy budgets, we further design a verifiable outsourced authentication scheme that outsources the time-consuming pairing operations to two mutually distrusted cloud servers.
In addition, to realize a fine-grained privacy-preserving dual authentication scheme for IoT-connected healthcare sensor networks, we propose a new attribute-based sanitizable signature (ABSS). Our main contributions are summarized as below:
  • Fine-grained Access Control: Users and medical institutions can specify who can modify the data and which parts of the data they sign can be modified through a fine-grained access control policy. Only authorized entities can modify the permitted parts of the signed data.
  • Privacy Preserving: In our scheme, to hide the identity, the user and the medical institutions sign the data with a fresh related signing key each time, which belongs to the same equivalence class. Unauthorized entities without the corresponding trapdoor cannot link these different keys, i.e., unauthorized entities cannot trace the original signer and modifier of the signed data. Thus, the transmitted data do not reveal user’s personal information.
  • Transparency: Authorized entity can sign the modified data in a non-interactive way, and the signature is difficult to distinguish from the original signature.
  • Accountability: Neither the original signer (the user or the medical institutions) nor the authorized modifier can accuse the other’s signature. Only authorized entities can trace to the malicious signer or the modifier accurately.
  • Friendly to Resource-Constrained Sensors and IoT Nodes: We further design a verifiable outsourced authentication scheme for IoT-connected healthcare sensor networks. In this scheme, the time-consuming pairing operations are outsourced to two cloud servers that are mutually distrusted. In this way, the verification process only needs six multiplication operations, which is friendly to resource-constrained users, wearable devices, sensor gateways, and edge relay nodes.
In addition, the signed data contains a timestamp to ensure accurate treatment and prevent replay attacks. On the theoretical side, we present a new ABSS based on Ciphertext- Policy Attribute-Based Encryption (CP-ABE) and Signature with Flexible Public Key (SFPK). In ABSS, the original signer can specify the modifiable part of the data and the user who can modify the signed data through a fine-grained access control policy. ABSS supports the privacy-preserving of signer’s identity. Only authorized users can track signers and modifiers of signature data and modify the parts of the data that are allowed to be modified. Encouragingly, ABSS has shorter signature and key lengths and more efficient signature and signature changes than the most advanced policy-based sanitizable signature (P3S) [4], as shown in Table 1.

1.1. Related Work

The first sanitizable signature scheme is proposed by Ateniese et al. [5] in 2005. However, this scheme did not provide the complete definition and security proof of the sanitizable signature. Next, Brzuska et al. [6] solved the above problems. Canard et al. [7] introduced the definition and general construction of a trapdoor sanitizable signature. Then, the definition of the other accountable trapdoor sanitizable signature was proposed by Lai et al. [8] which is based on the chameleon hash. However, the above two schemes did not give the detailed parameters of a sanitizable signature scheme. Then, many sanitizable signature schemes are presented [9, 10]. Firstly, we want to address the problem of the privacy-preserving dual authentication for IoT-connected healthcare by using one of the above sanitizabe signature schemes. Unfortunately, none of above schemes are suitable for IoT-healthcare because none of them support fine-grained control of candidate sanitizers and accountability for malicious users. Attribute-based cryptography schemes [11–15] can help solve the above problem. The ABS proposed by Maji et al. [14] and Li et al. [16] satisfy the safety under the generic group model and the safety under the random prediction model, respectively. However, none of the above ABSs supports expressive access structure.The non-monotone access structure supports expressive access. Based on this property, Okamoto and Takashima [17] proposed an ABS scheme that exploits non-monotonic access structure. Next, several ABS schemes are proposed [18–20]. None of the users in the above ABS scheme can modify the data and update the signature in the name of the data owner. Sanitizable signature schemes [4, 21–23] can solve the problem. The scheme in [22] did not introduce attribute based disinfectable signatures in detail, while the scheme proposed in [21] did not back expressive access structure.The scheme proposed by [23] did not achieve the traceability of the signer. The scheme in [4], the number of signed data blocks is certain and the inadmissible block set requires to be saved. In a real IoT-connected healthcare environment, identities of users and medical institutions should be fully protected.
However, none of the above schemes can realize the privacy-preserving of the signer’s identity in a setting where healthcare data may be forwarded through wearable sensors, IoT devices, edge nodes, cloud services, and medical institutions. This paper proposes a fine-grained privacy-preserving dual authentication scheme to secure users’ personal information in IoT-connected healthcare sensor networks. Based on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) and Signature with Flexible Public Key (SFPK), an attribute-based sanitizable signature is designed.

1.2. Organization

This paper is organized as follows. We concisely review the fundamental knowledge related to this paper in Section 2. In Section 3, we give the system model and security model definitions. In Section 4, we characterize the proposed scheme. In Section 5, we analyze the security and performance of the proposed scheme. Finally, we conclude the paper in Section 6.

2. Materials and Methods

Using the PDF skill for formula-sensitive reconstruction. In this paper, in addition to common cryptographic tools, Prime Order Bilinear Groups, Monotone Span Program, Ciphertext-Policy Attribute-Based Encryption ( CP ABE ), Non-Interactive Zero-Knowledge Proof (NIZK), Signatures with Flexible Public Keys ( SFPK ), and Programmable Hash Functions ( PHF ) are also used.

2.1. Prime Order Bilinear Groups

Let Φ ( 1 λ ) be a function with security parameter λ as input and output a tuple
( p , G , G 1 , G T , e ^ ) ,
where G, G 1 , and G T are three multiplicative cyclic groups with prime order p. A mapping
e ^ : G × G 1 G T
is called a bilinear mapping if it satisfies the following properties:
  • Bilinearity: For all u G , v G 1 , and a , b Z p ,
    e ^ ( u a , v b ) = e ^ ( u b , v a ) = e ^ ( u , v ) a b .
  • Non-degeneracy: For all u G and v G 1 , e ^ ( u , v ) 1 .
  • Computability: For all u G and v G 1 , e ^ ( u , v ) can be efficiently computed.

2.2. Monotone Span Program

A monotone span program can be represented by a triad M = ( F , M , f ) , where F is a field, M is an a × b matrix, and
f : { 1 , , a } { p 1 , , p n } .
The elements of the matrix M are all taken from the field F. The sub-matrix M B with B { p 1 , , p n } is accepted if the rows of M B span the vector ( 1 , 0 , , 0 ) .

2.3. Ciphertext-Policy Attribute-Based Encryption

Definition: Ciphertext-Policy Attribute-Based Encryption ( CP ABE ).

The CP ABE primitive consists of the following four algorithms:
  • CP ABE . Setup ( 1 λ ) takes the security parameter λ as input and outputs the public parameter p p CP ABE and the master secret key m s k CP ABE .
  • CP ABE . Encrypt ( p p CP ABE , A , m ) takes the public parameter p p CP ABE , the access policy A, and the message m as input, and outputs the ciphertext C CP ABE .
  • CP ABE . KeyGen ( m s k CP ABE , S ) takes the master secret key m s k CP ABE and the set of attributes S as input, and outputs the secret key s k CP ABE for S.
  • CP ABE . Decrypt ( p p CP ABE , C CP ABE , s k CP ABE ) takes the public parameter p p CP ABE , the ciphertext C CP ABE , and the secret key s k CP ABE as input, and outputs the message m .
The detailed definition of correctness and formal security proof of CP ABE are given in [25].

2.4. Non-Interactive Zero-Knowledge Proof (NIZK)

Let
L = { x ω : R ( x , ω ) = 1 } ,
where L is an NP-language with associated witness relation R. A non-interactive proof system Ω for the language L consists of the following three algorithms:
  • Setup Ω ( 1 λ ) takes the security parameter λ as input and outputs the common reference string c r s Ω .
  • Prove Ω ( c r s Ω , x , ω ) takes c r s Ω , the statement x, and the corresponding witness ω as input, and outputs the proof π .
  • Verify Ω ( c r s Ω , x , π ) takes c r s Ω , the statement x, and the proof π as input, and outputs 1 if π is valid; otherwise, it outputs 0.

2.5. Signature with Flexible Public Key

Definition: Signature with Flexible Public Keys ( SFPK ).

This type of signature contains the following eight algorithms:
  • SFPK . Setup ( 1 λ ) inputs the security parameter λ and outputs the public reference string ρ , which is then used as the default input to subsequent algorithms.
  • SFPK . KGen ( 1 λ , ω ) inputs the security parameter λ and the random coins ω , and outputs the public/private key pair { p k SFPK , s k SFPK } .
  • SFPK . TKGen ( 1 λ , ω ) inputs the security parameter λ and the random coins ω , and outputs the public/private key pair { p k SFPK , s k SFPK } and the trapdoor δ .
  • SFPK . Sign ( s k SFPK , m ) inputs the signing key s k SFPK and the message m { 0 , 1 } * , and outputs the signature σ .
  • SFPK . ChkRep ( σ , p k SFPK ) outputs 1 if p k SFPK [ p k SFPK ] R ; otherwise, it outputs 0.
  • SFPK . ChgPK ( p k SFPK , r ) inputs the public key p k SFPK , which is a delegate of the equivalence class [ p k SFPK ] R , and random coins r, and outputs a different delegate p k SFPK [ p k SFPK ] R .
  • SFPK . ChgSK ( s k SFPK , r ) inputs the secret key s k SFPK , which is a delegate of the equivalence class [ s k SFPK ] R , and random coins r, and outputs a different delegate s k [ s k SFPK ] R .
  • SFPK . Verify ( p k SFPK , m , σ ) inputs the public key p k SFPK , the message m, and the signature σ , and outputs 1 if the signature is valid; otherwise, it outputs 0.
The scheme [26] defines the correctness and a formal security proof of SFPK in detail.

2.6. Programmable Hash Functions

A programmable hash function ( PHF ) [27] consists of the following two PPT algorithms:
  • K PHF PHF . Gen ( 1 λ ) inputs the security parameter λ and outputs the key K PHF .
  • y G 1 PHF . Eval ( K PHF , X ) inputs the key K PHF and X { 0 , 1 } ( λ ) , and deterministically outputs the hash value y, where ( λ ) represents the length of λ .

3. System Model and Security Model

3.1. System Model

As shown in Figure 2, the system model of the proposed scheme is organized for an IoT-connected healthcare sensor-network scenario and contains four types of entities: users, sensor/edge relay nodes, the trusted authority (TA), and medical institutions. The same cryptographic framework can also be deployed in other mobile IoT systems with similar security requirements.
  • Users: Users collect health data through wearable or portable IoT devices. A user may be malicious in the sense that an unauthorized user may attempt to impersonate a legitimate subscriber of a remote diagnosis service. Multiple IoT devices owned by the same user correspond to the same set of keys. Before transmission, the user removes personal information from the collected health data, specifies which medical institutions may modify the signed data and which parts may be modified, and signs the transmitted health data with a fresh related signing key.
  • Sensor/edge relay nodes: Wearable sensors, home gateways, mobile medical terminals, and edge relay nodes provide sensing, communication, relay, and lightweight verification support between users and medical institutions, especially in continuous monitoring, emergency response, rural coverage, temporary medical service, and public-safety healthcare scenarios. These nodes are not assumed to be fully trusted with identity information. They may forward signed health data, help perform verification, or interact with outsourced cloud servers, but they should not be able to infer the identities of users or medical institutions from transmitted signatures.
  • Trusted Authority: The TA is considered honest. It generates signing private keys for users and medical institutions, and issues attributes and attribute keys to all entities other than itself. The TA also supports the traceability function required for accountability.
  • Medical Institutions: Medical institutions are semi-honest. They can add or remove users’ personal information from signed data when they are authorized by the access control policy, generate diagnoses based on the recovered medical context, and sign diagnoses with fresh related signing keys. A valid signature generated after authorized modification is indistinguishable from an original signature.
The workflow is as follows. First, a user collects health data via wearable or portable sensing devices and removes personal information to obtain transmitted health data. The user signs the transmitted health data with a fresh related signing key and a fine-grained access control policy. The signed data can then be forwarded through sensor gateways or edge relay nodes to medical institutions. Only authorized medical institutions with the corresponding trapdoor can link the user’s different signing keys and trace the user’s identity. After receiving signed health data, an authorized medical institution verifies the data source, restores necessary personal information, and generates an accurate diagnosis. The medical institution then signs the diagnosis with a fresh related signing key and specifies a new access control policy for subsequent modification. When the diagnosis is transmitted back through the healthcare sensor network, authorized medical institutions can remove the user’s personal information and generate a new indistinguishable signature. Finally, the user verifies the medical institution’s identity and accepts the diagnosis only if the verification succeeds.

3.2. Design Goals

To realize fine-grained and flexible privacy-preserving dual authentication for IoT-connected healthcare sensor networks, our scheme aims to achieve the following goals.
  • Fine-grained Access Control: Users and medical institutions can determine which entities may modify the signed data and which parts of the signed data may be modified through a specified fine-grained access control policy. Authorized entities can generate a new signature for modified data in a non-interactive manner, and the new signature is indistinguishable from the original signature.
  • Privacy Preserving: The personal information of users and medical institutions should remain hidden during transmission through sensor, IoT, edge, and cloud communication channels.
  • Transparency: The signature of modified data generated by authorized entities is indistinguishable from the signature of the original data.
  • Accountability: Neither the original signer nor the authorized modifier can falsely accuse the other of signing. Authorized entities can trace malicious signers or modifiers accurately.
  • Sensor/IoT Friendliness: The authentication mechanism should reduce online verification overhead so that sensor gateways, wearable devices, mobile medical terminals, and other resource-constrained IoT entities can participate in secure healthcare data exchange.

3.3. Definition

Definition: Fine-Grained and Flexible Privacy-Preserving Dual Authentication Scheme for IoT-Connected Healthcare Sensor Networks.

A fine-grained and flexible privacy-preserving dual authentication scheme for IoT-connected healthcare sensor networks contains seven algorithms, namely Setup, KGenS, KGenA, Sign, SignChg, Verify, and Trace, which are described as follows:
  • ( m s k , m p k ) Setup ( 1 λ ) : TA runs the setup algorithm, inputs the security parameter λ , and outputs the public/private key pair ( m p k , m s k ) .
  • ( s k , p k ) KGenS ( m s k , m p k ) : TA runs the key generation algorithm for signers, inputs ( m p k , m s k ) , and outputs the signer’s signing public/private key pair ( p k , s k ) .
  • ( s k S , s k A , p k A ) KGenA ( m s k , m p k , S ) : TA runs the key generation algorithm for all entities, inputs ( m p k , m s k ) and the entity-owned attribute set S, and outputs the private attribute key s k S and the public/private key pair ( s k A , p k A ) of the entity.
  • σ Sign ( m p k , s k , A , m ) : Users or medical institutions run the signing algorithm, input m p k , the private signing key s k , the access control policy A, and the message m, and output a valid signature σ .
  • σ SignChg ( m p k , σ , m , s k S ) : Authorized entities run the signature modification algorithm, input m p k , the previous signature σ , the modified message m , and the private attribute key s k S , and output a new signature σ for the modified message.
  • b Verify ( m p k , σ , m , p k ) : Anyone can run the verification algorithm with input m p k , σ , m, and the signer’s public key p k . The algorithm outputs 1 if the signature is valid; otherwise, it outputs 0.
  • I D Trace ( m p k , σ , π ABSS ) : Authorized entities run the trace algorithm with input m p k , σ , and the proof π ABSS , and output the identity I D of the last signer.

3.4. Security Model

Definition: Fine-grained Access Control.

We consider two adversaries with formal descriptions of the fine-grained access control of signed data. Adversary A 1 does not own the set of attributes that satisfies the access control policy, while adversary A 2 attempts to edit the inadmissible parts of the signed data. We introduce two games between the challenger C and adversaries A 1 and A 2 .
For A 1 , challenger C generates ( m s k , m p k ) by running Setup ( 1 λ ) , stores m s k locally, and sends m p k to A 1 . In the query phase, A 1 may adaptively issue KGenA, Sign, SignChg, Verify, and Trace queries. In particular, for KGenA queries, A 1 queries the authorized entity’s key for
( ( m p k , m s k ) , S ) with A ( S ) = 0 ,
and C returns s k S and ( p k A , s k A ) by running KGenA ( m s k , m p k , S ) . For signing and changing queries, C returns σ or σ by running the corresponding algorithms, and for verification and tracing queries, C returns the output of Verify or Trace.
In the challenge phase, A 1 adaptively selects an unauthorized attribute set S such that A ( S ) = 0 , generates the challenged signature σ * for the challenged message m * by running SignChg, and returns ( S , m * , σ * ) to C. In the verify phase, A 1 makes polynomially many queries and obtains
Q = { s k S , S , m i , A i , σ i } i = 1 | Q |
through L queries. Challenger C runs Verify ( m p k , p k , m * , σ * ) and outputs a bit b 0 . If b 0 = 1 , C checks whether there exists i [ | Q | ] such that σ * is accepted while A ( S ) = 0 . If such an i exists, C outputs b 1 = 1 ; otherwise, C outputs b 1 = 0 . The advantage of A 1 is Pr [ b 1 = 1 ] . If for any polynomial-time adversary A 1 ,
Pr [ b 1 = 1 ] < 1 poly ( n )
for sufficiently large n, the proposed scheme satisfies signature unforgeability against unauthorized modification.
For A 2 , the setup and query phases are the same. In the challenge phase, A 2 adaptively selects an attribute set S such that A ( S ) = 1 , and generates the challenged signature σ * for the challenged message m * by SignChg, where m * does not include all inadmissible blocks. It sends ( S , m * , σ * ) to C. After polynomially many queries, A 2 obtains
Q = { s k S , S , m i , A i , σ i } i = 1 | Q | .
Challenger C runs Verify ( m p k , p k , A , m * , σ * ) and outputs b 0 . If b 0 = 1 , C checks whether there exists i [ | Q | ] such that m * does not contain all inadmissible blocks. If so, C outputs b 1 = 1 ; otherwise, it outputs b 1 = 0 . The advantage of A 2 is Pr [ b 1 = 1 ] . If for any polynomial-time adversary A 2 ,
Pr [ b 1 = 1 ] < 1 poly ( n )
for sufficiently large n, the proposed scheme satisfies the unforgeability of the signature.

Definition: Transparency.

Claiming that a fine-grained and flexible dual authentication scheme for IoT-connected healthcare sensor networks enables transparency if the PPT adversary cannot distinguish, with non-negligible probability, between the signature of the modified data generated by the authorized entity and the signature of the original signer.

Definition: Privacy Preserving.

We say a fine-grained and flexible dual authentication scheme for IoT-connected healthcare sensor networks achieves privacy preserving if no PPT adversary can obtain the user’s personal information from the transmitted data.

Definition: Accountability.

We say a fine-grained and flexible dual authentication scheme for IoT-connected healthcare sensor networks supports accountability if authorized entities can trace to the original signer or the latest modifier’s identity of the data from any valid signature with non-negligible probability.

4. The Proposed Scheme

4.1. Overview

In an IoT-connected healthcare sensor-network deployment, wearable sensors, home gateways, mobile terminals, and edge nodes may relay signed health data from users to medical institutions, support emergency medical communication, and help perform lightweight verification before data are forwarded. Such sensing and edge nodes are useful for continuous monitoring, coverage extension, and mobility, but they should not expose patient identity, medical-institution identity, or the linkage between multiple signatures generated by the same entity. Therefore, the cryptographic layer must simultaneously support privacy-preserving dual authentication, fine-grained modification authorization, and efficient verification.
To realize fine-grained and flexible dual authentication for IoT-connected healthcare sensor networks, we first try out the idea from recent work P3S [4] to allow the authorized medical institutions to add and remove the user’s personal information for the signed data and generate a new indistinguishable signature for the modified data. However, the direct use of the P3S [4] severely exposes the identities of users and medical institutions. This is due to two ineluctable reasons: 1) the signing key used by the original signer is tied to his/her identity. 2) P3S contains a public key encryption, whose key is also bound to the identity. Therefore, P3S is ill-suited for privacy-preserving healthcare sensor networks, which require users’ and medical institutions’ identity to be hidden during transmission through sensor, edge, and cloud channels. To solve the mentioned problems, we design a new attribute-based sanitizable signature (ABSS) based on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) and Signature with Flexible Public Key (SFPK). The general construction of ABSS as shown in Table 2. In ABSS, the signer (user or medical institutions) signs the data using different keys each time, which belong to the same equivalence class. Only authorized entities with the corresponding trapdoor can link these different keys. Therefore, ABSS supports the privacy-preserving of the signer’s identity. ABSS also supports fine-grained access control and accountability as P3S [4]. Encouragingly, ABSS has small signature and key lengths and less computational overhead for signing and signature changing compare with the state-of-the-art P3S [4]. Further, we propose a fine-grained and flexible dual authentication scheme for IoT-connected healthcare sensor networks based on the proposed ABSS. In our scheme, the user and the medical institutions sign the data with a fresh related signing key each time and specify which one can modify the data and which parts of their signed data can be modified through a specified fine-grained access control policy. The transmitted data contain no personal information even when they pass through sensor gateways, edge nodes, or cloud servers. Authorized medical institutions can add or remove the user’s personal information into the signed data (the transmitted health data or the transmitted diagnosis), and non-interactively generate the new indistinguishable signature for the modified data. Our scheme supports accountability, i.e. authorized entities can trace to the original signer and the modifier of the signed data. In addition, the signed health data and diagnoses contain timestamps to ensure accurate treatment and against replay attacks. The following subsections describe the proposed scheme in detail.

4.2. Description of the Proposed Scheme

A fine-grained and flexible dual authentication scheme for IoT-connected healthcare sensor networks includes seven algorithms. Table 2 gives the generic construction of ABSS based on CP ABE , SFPK , NIZK, and PHF .
  • Setup.  ( m s k , m p k ) Setup ( 1 λ ) . Let
    e ^ : G 1 × G 2 G T
    be a bilinear pairing, where G 1 , G 2 , and G T are three multiplicative cyclic groups with prime order p, and g 1 and g 2 are generators of G 1 and G 2 , respectively. TA randomly chooses
    ( a 1 , a 2 , b 1 , b 2 ) Z p * , ( d 1 , d 2 , d 3 ) Z p ,
    selects a random string ρ , and obtains c r s Ω Setup Ω ( 1 λ ) . It then computes
    H 1 = g 2 a 1 , H 2 = g 2 a 2 , T 1 = e ^ ( g 1 , g 2 ) d 1 a 1 + d 3 , T 2 = e ^ ( g 1 , g 2 ) d 2 a 2 + d 3 .
    Finally, TA outputs
    m p k = ( g 2 , H 1 , H 2 , T 1 , T 2 ) , m s k = ( g 1 , g 2 , a 1 , a 2 , b 1 , b 2 , g 1 d 1 , g 1 d 2 , g 1 d 3 ) .
  • KGenS.  ( s k , p k ) KGenS ( m s k , m p k ) . TA first computes
    K PHF PHF . Gen ( λ ) ,
    randomly selects A , B , C , D , X G 1 and z Z p * , and computes
    h e ^ ( X z , g 2 ) .
    It outputs
    s k = ( z , X ) , p k = ( A , B , C , D , h , K PHF ) .
  • KGenA.  ( s k S , s k A , p k A ) KGenA ( m s k , m p k , S ) . TA first selects r 1 , r 2 Z p and computes
    s k 0 = ( g 2 b 1 r 1 , g 2 b 2 r 2 , g 2 r 1 + r 2 ) .
    For a t S and s = 1 , 2 , it computes
    s k a t , s = H ( a t 1 s ) b 1 r 1 / a s · H ( a t 2 s ) b 2 r 2 / a s · H ( a t 3 s ) ( r 1 + r 2 ) / a s · g 1 σ a t / a s ,
    where σ a t Z p and H : { 0 , 1 } * G 1 . TA sets
    s k a t = ( s k a t , 1 , s k a t , 2 , g 1 σ a t ) .
    For s = 1 , 2 , TA computes
    s k s = g 1 d s · H ( 011 s ) b 1 r 1 / a s · H ( 012 s ) b 2 r 2 / a s · H ( 013 s ) ( r 1 + r 2 ) / a s · g 1 k / a s ,
    where k Z p , and sets
    s k = ( s k 1 , s k 2 , g 1 d 3 · g 1 k ) .
    The entity computes y = f ( x ) , where f is a one-way function and x is a random number in G 1 , sends y to TA, and proves to TA that it owns x by zero knowledge. Finally, TA outputs
    s k S = ( s k 0 , { s k a t } a t S , s k ) , ( s k A = x , p k A = y ) .
  • Sign.  σ Sign ( m p k , s k , A , m ) . The user or medical institution computes
    δ ( d , g 2 y 2 , g 2 a , g 2 b , g 2 c , ( g 2 μ 0 , g 2 μ 1 , , g 2 μ λ ) ) ,
    where ω is a random coin, a , b , c , d , y 2 Z p * , and μ i Z p for i { 0 , , λ } . It selects n Z p * and computes
    p k = ( A n , B n , C n , D n , h n , K PHF n ) , s k = ( z , X n ) .
    Similarly, it selects n Z p * and obtains
    p k = ( A n , B n , C n , D n , h n , K PHF n ) , s k = ( z , X n ) .
    Then it computes C CP ABE CP ABE . Encrypt ( s k SFPK , δ , r ) . Specifically, it randomly chooses s 1 , s 2 Z p and computes
    c t 0 = ( H 1 s 1 , H 2 s 2 , g 2 s 1 + s 2 ) ,
    c t i , l = H ( f ( i ) l 1 ) s 1 · H ( f ( i ) l 2 ) s 2 · j = 1 n 2 H ( 0 j l 1 ) s 1 · H ( 0 j l 2 ) s 2 M i , j ,
    where ( M , f ) is a monotone span program corresponding to the access structure, M has n 1 rows and n 2 columns, i = 1 , , n 1 , and l = 1 , 2 , 3 . It computes
    c t = T 1 s 1 · T 2 s 2 · ( s k SFPK δ r ) ,
    and outputs
    C CP ABE = ( c t 0 , c t 1 , , c t n 1 , c t ) .
    Next, it computes
    Sig 1 SFPK . Sign s k ( p k , p k , m , C CP ABE , π + r , y 1 + r ) ,
    where π Prove Ω ( c r s Ω , x , s t ) and s t is the statement. It chooses r Z p * and computes
    Sig 1 = X y · H K PHF ( m C CP ABE π + r y 1 + r ) r , g 1 r , g 2 r .
    In the same vein, it computes
    Sig 2 SFPK . Sign s k ( H ( i U A ) , i U A , t , y + r , H ( m ) , A ) ,
    where U A represents a collection of message blocks that are not allowed to be modified and t represents the expiration time of the signature. Finally, it outputs
    σ = { C CP ABE , Sig 1 , Sig 2 , A } .
  • SignChg.  σ SignChg ( m p k , σ , m , s k S ) . The authorized entity computes
    ( s k , r , δ ) CP ABE . Decrypt s k CP ABE ( C CP ABE ) .
    Let v = { v i } i { 1 , 2 , , n 2 } satisfy M · v = ( 1 , 0 , , 0 ) . The authorized entity computes
    n u m = c t · e ^ v i { 1 , , n 2 } c t v i , 1 v i , s k 0 , 1 · e ^ v i { 1 , , n 2 } c t v i , 2 v i , s k 0 , 2 · e ^ v i { 1 , , n 2 } c t v i , 3 v i , s k 0 , 3 ,
    and
    d e n = e ^ s k 1 · v i { 1 , , n 2 } s k f ( i ) , 1 v i , c t 0 , 1 · e ^ s k 2 · v i { 1 , , n 2 } s k f ( i ) , 2 v i , c t 0 , 2 · e ^ s k 3 · v i { 1 , , n 2 } s k f ( i ) , 3 v i , c t 0 , 3 .
    It outputs
    ( s k , r , δ ) = n u m / d e n .
    The authorized entity computes
    Sig 1 SFPK . Sign s k ( p k , p k , m , C CP ABE , π + r , y + r ) ,
    where y = f ( x ) and π is a proof of x . Finally, it outputs
    σ = { C CP ABE , Sig 1 , Sig 2 , A } .
  • Verify.  b Verify ( m p k , σ , m , p k ) . The verifier first computes H ( m ) and checks whether it is equal to H ( m ) in Sig 2 . If so, the verifier checks whether y + r in Sig 2 is equal to the corresponding value in Sig 1 . If the checks pass, it returns
    b SFPK . Verify ( p k , p k , m , σ ) ;
    otherwise, it returns ⊥. If H ( m ) is not equal to H ( m ) in Sig 2 , the verifier computes H ( i U A ) and checks whether it equals H ( i U A ) in Sig 2 , and then checks whether y + r in Sig 2 equals the corresponding value in Sig 1 . If all checks pass, it returns b; otherwise, it returns ⊥.
  • Trace.  I D Trace ( m p k , σ , π ABSS ) . If
    1 Verify Ω ( c r s Ω , s t , π ) ,
    the algorithm returns the identity I D corresponding to y; otherwise, it returns ⊥.

4.3. A Verifiable Outsourced Authentication Scheme

The most time-consuming operation in the proposed scheme is the pairing operation in the Verify algorithm. To make the scheme more user-friendly for resource-constrained entities, we present a verifiable outsourced authentication scheme that retains the advantages of the above scheme while allowing time-consuming pairing operations to be outsourced to two mutually distrusted cloud servers [28]. The verifiable outsourced authentication scheme differs only in the following two algorithms.
  • Pre-computation.  τ PreC ( q ) is performed offline by the entity. The entity randomly selects q integers α 1 , , α q Z p and computes
    β j 1 = α j g 1 , β j 2 = α j g 2 , j = 1 , , q .
    It computes e ^ ( g 1 , g 2 ) and stores e ^ ( g 1 , g 2 ) and { α j , β j 1 , β j 2 } j = 1 , , q locally. For vector generation, the entity selects a set E such that | E | = k and E { 1 , , q } . For each j E , it randomly chooses χ j { 1 , , v 1 } , where v is a small integer and v > 1 , and computes
    x 1 = j E α j χ j mod p .
    If x 1 = 0 mod p , it repeats the operation; otherwise, it computes
    x 1 g 1 = j E χ j β j 1 .
    In the same vein, it computes ( x 3 , x 3 g 1 ) , ( x 4 , x 4 g 2 ) , ( x 7 , x 7 g 1 ) , and ( x 8 , x 8 g 2 ) . It randomly selects x 2 , x 5 , x 6 Z p * and computes
    x 1 1 x 2 g 2 , x 1 x 2 1 x 5 g 1 , x 1 1 x 6 g 2 , e ^ ( g 1 , g 2 ) x 7 x 8 , e ^ ( g 1 , g 2 ) x 5 + x 6 x 2 .
    Finally, it stores
    τ = ( x 1 g 1 , x 3 g 1 , x 7 g 1 , x 1 1 x 2 g 2 , x 1 x 2 1 x 5 g 1 , x 4 g 2 , x 1 1 x 6 g 2 , e ^ ( g 1 , g 2 ) x 7 x 8 , e ^ ( g 1 , g 2 ) x 5 + x 6 x 2 , x 8 g 2 ) .
  • Outsourced verification.  b Verify ( m p k , σ , m , p k , τ ) . When the verifier runs SFPK . Verify ( p k , p k , m , σ ) , the pairing operations can be outsourced to two cloud servers U 1 and U 2 . Let
    Sig 1 = ( X z · ( H K PHF ( m ) ) n , g 1 n , g 2 n ) .
    The verifier needs to check
    e ^ ( g 1 n , g 2 ) = e ^ ( g 1 , g 2 n ) .
    To outsource e ^ ( g 1 n , g 2 ) , the verifier sends
    g 1 n + x 1 g 1 , g 2 + x 1 1 x 2 g 2 , x 3 g 1 , x 4 g 2
    to U 1 . Then U 1 computes
    α 1 = e ^ ( g 1 n + x 1 g 1 , g 2 + x 1 1 x 2 g 2 ) , α 2 = e ^ ( x 3 g 1 , x 4 g 2 ) ,
    and sends α 1 and α 2 to the verifier. The verifier sends
    g 1 n + x 1 x 2 1 x 5 g 1 , x 1 1 x 2 g 2 , x 1 g 1 , g 2 + x 1 1 x 6 g 2 , x 3 g 1 , x 4 g 2 , x 7 g 1 , x 8 g 2
    to U 2 . Then U 2 computes
    α 1 = e ^ ( g 1 n + x 1 x 2 1 x 5 g 1 , x 1 1 x 2 g 2 ) , α 2 = e ^ ( x 1 g 1 , g 2 + x 1 1 x 6 g 2 ) , α 3 = e ^ ( x 3 g 1 , x 4 g 2 ) , α 4 = e ^ ( x 7 g 1 , x 8 g 2 ) ,
    and sends ( α 1 , α 2 , α 3 , α 4 ) to the verifier. The verifier checks whether
    α 2 = α 3 , e ^ ( g 1 , g 2 ) x 7 x 8 = α 4 .
    If the checks hold, the verifier sets
    e ^ ( g 1 n , g 2 ) = α 1 α 1 α 2 e ^ ( g 1 , g 2 ) x 5 + x 6 x 2 .
    In the same vein, the verifier obtains e ^ ( g 1 , g 2 n ) and checks whether
    e ^ ( g 1 n , g 2 ) = e ^ ( g 1 , g 2 n )
    holds. It also checks whether
    e ^ ( X z · ( H K PHF ( m ) ) n , g 2 ) = h · e ^ ( ( H K PHF ( m ) ) n , g 2 n )
    holds. If the above equations hold, the verifier outputs 1; otherwise, it outputs 0. Therefore, after outsourcing one pairing operation, the verifier only needs to perform three modular multiplication operations, and the whole verification process only needs six multiplication operations.

5. Results

5.1. Security Analysis

In this section, we analyze the security of the proposed healthcare sensor-network authentication scheme in terms of fine-grained access control, transparency, privacy preserving, and accountability.
Theorem 1
(Fine-Grained Access Control). For two PPT adversaries A 1 and A 2 , it is computationally infeasible to generate a valid signature for the modified data. Here, A 1 represents unauthorized entities that possess an attribute set S such that A ( S ) = 0 , and A 2 updates the parts of the signed data that are not allowed to be modified.
Proof. 
To prove this theorem, we define two games between a challenger C and PPT adversaries A 1 and A 2 .
Game 1.
The setup and query phases are as in the security model. Next, A 1 adaptively chooses an unauthorized entity’s attribute set S such that A ( S ) = 0 . A 1 attempts to generate the challenged signature σ * for the modified data m * by running SignChg. Finally, A 1 sends ( S , m * , σ * ) to C.
Analysis.
Assume that A 1 wins Game 1 with non-negligible probability, i.e., the challenged signature σ * passes the Verify algorithm. According to the security of SFPK [26], A 1 must know the private signing key s k if it wants to generate a valid signature pair for modified data. This means that A 1 can correctly decrypt the ciphertext C CP ABE to obtain s k . In other words, an unauthorized entity with attribute set S and A ( S ) = 0 can correctly decrypt the ciphertext, which contradicts the security of CP ABE [25]. Therefore, A 1 is computationally infeasible to generate a valid signature for the modified data.
Game 2.
The setup and query phases are again as in the security model. Next, A 2 adaptively chooses an entity’s attribute set S such that A ( S ) = 1 . A 2 attempts to generate the challenged signature σ * for the modified data m * by running SignChg. The modified data m * does not contain all inadmissible blocks. Finally, A 2 sends ( S , m * , σ * ) to C.
Analysis.
Assume that A 2 wins Game 2 with non-negligible probability, i.e., the challenged signature σ * passes the Verify algorithm. In Verify, the challenger computes H ( i U A ) and checks whether it equals the corresponding H ( i U A ) in Sig 2 . Thus, A 2 needs to forge a valid signature
Sig 2 SFPK . Sign s k ( H ( i U A ) , i U A , t , y + r , H ( m ) , A )
for the modified data m * . Because m * does not contain all inadmissible blocks, the security of SFPK [26] implies that the probability of forging Sig 2 without the private signing key s k is negligible. Therefore, A 2 is computationally infeasible to generate a valid signature for the modified data. Hence, the proposed scheme achieves fine-grained access control. □
Theorem 2
(Transparency). For any PPT adversary, it is computationally infeasible to distinguish the modified signature from the original signature.
Proof. 
The original signature σ and the signature σ for the modified data are
σ = A ; C CP ABE CP ABE . Encrypt ( s k , δ , r ) ; Sig 1 SFPK . Sign s k ( p k , p k , m , C CP ABE , π + r , y + r ) ; Sig 2 SFPK . Sign s k ( H ( i U A ) , i U A , t , y + r , H ( m ) , A ) ,
and
σ = A ; C CP ABE CP ABE . Encrypt ( s k , δ , r ) ; Sig 1 SFPK . Sign s k ( p k , p k , m , C CP ABE , π + r , y + r ) ; Sig 2 SFPK . Sign s k ( H ( i U A ) , i U A , t , y + r , H ( m ) , A ) .
The only difference between σ and σ is that Sig 1 and Sig 1 have different values. However, Sig 1 and Sig 1 are both outputs of SFPK . Sign s k ( · ) and belong to the same distribution. Therefore, for any PPT adversary, it is computationally infeasible to distinguish the signature of modified data from the signature of original data, and the scheme achieves transparency in healthcare sensor-network data transmission. □
Theorem 3
(Privacy Preserving). In the proposed scheme, the transmitted data contains no personal information of users or medical institutions.
Proof. 
The user removes personal information before signing and uploading health data, so the transmitted health data contains no user’s personal information. In the Sign and SignChg algorithms, the user or medical institution uses a fresh signing key each time. Thus, no one can trace the signer or modifier from the original signature and the modified-data signature except authorized entities. Authorized medical institutions also remove the user’s personal information from the signed diagnosis before uploading it. Therefore, the signed diagnosis contains no user’s personal information, and the scheme achieves privacy preservation. □
Theorem 4
(Accountability). In the proposed scheme, only authorized entities can extract the last modifier’s identity from any valid signature, and the original signer cannot accuse the authorized entities, or vice versa, of signing.
Proof. 
The signature contains the blinded proof π + r . Only authorized entities can correctly decrypt
C CP ABE = CP ABE . Encrypt ( s k , δ , r )
to obtain the blinding factor r. Thus, authorized entities can recover
π = ( π + r ) + ( r ) , y = ( y + r ) + ( r ) .
Because y corresponds to the entity identity, authorized entities can obtain the identity of the signer or modifier. To prevent authorized entities from impersonating the original signer, the verifier first computes H ( m ) in Verify and checks whether it equals H ( m ) in Sig 2 . If they are not equal, the data has been modified. The verifier then checks whether y + r in Sig 2 equals the corresponding value in Sig 1 . If they are equal, the modifier is trying to impersonate the original signer, so the verifier returns ⊥. Therefore, only authorized entities can extract the last modifier’s identity from any valid signature, and neither party can falsely accuse the other of signing. □

5.2. Performance Evaluation

In this section, we first compare the functionality of the proposed scheme with several related schemes, and then perform an experimental analysis of the computational burden of our scheme and the related schemes [4, 5, 23].

5.3. Functionality Comparison

We compare the functionality of the proposed scheme with the related schemes [4, 6, 9, 16, 17, 21–23]. As shown in Table 3, only our scheme satisfies all the following properties: fine-grained access control, unforgeability, transparency, accountability, privacy-preserving and friendly to resource-constrained users. The remaining schemes are all unfriendly to resource-constrained users where schemes [16], [17] and [22] do not support transparency, and only scheme [4] supports accountability except our scheme.

5.4. Performance Analysis and Comparison

5.4.1. The Comparison of Storage Space

We define the following notations for the comparison. Let L ( · ) denote the length of the input element. Let N = p 1 · p 2 , where p 1 and p 2 are two prime numbers. Let e 1 be a random number such that e 1 = 1 mod ( p 1 1 ) ( p 2 1 ) , and let e 2 be a number such that e 1 · e 2 = 1 mod ( p 1 1 ) ( p 2 1 ) . Let n 1 and n 2 denote the row and column numbers of the monotonic span matrix of the access control policy A, respectively. Let s k D S and S D S denote the private signing key and the signature of the standard digital signature scheme.
The concrete instantiation of the standard digital signature is not given in [4]. Here, p is the large prime number used in [4] and π is a proof. Finally, | S | denotes the number of attributes in the attribute set S. From Table 4, the scheme in [5] has the shortest signing-key length, while our scheme has the shortest signature length. Schemes in [5] and [23] cannot support fine-grained access control. Our scheme has smaller key length and signature length compared with the scheme in [4], since L ( S D S ) + L ( p ) + L ( π ) 2 L ( G ) generally. Hence, in terms of storage space overhead, our scheme is efficient.

5.4.2. The Comparison of Computation Overhead

In this subsection, we set the number of users from 50 to 500 and the health-data size from 0 to 50 MB, and conduct the performance evaluation. We further compare our scheme with the schemes in [4,5,23]. The simulation experiments were written in C++ with Pairing-based Cryptography (PBC) version 0.5.14 [29] and GNU Multiple Precision Arithmetic (GMP) [30]. The desktop was equipped with an Intel Core (TM) i5-4300 CPU @ 2.13 GHz and 8.0 GB RAM, and the size of elements in Z p * was 160 bits. The KGenS, Sign, SignChg, and Verify phases were evaluated while the health-data size ranged from 0 to 50 MB and N U ranged from 50 to 500, where N U denotes the number of users. When N U ranges from 50 to 500, the computational time of KGenS has a linear relationship with N U and is independent of the health-data size, as shown in Figure 3. Let N S denote the number of signatures. When N S ranges from 50 to 500, the computational times of Sign, SignChg, and Verify also have linear relationships with N S , as shown in Figure 3. For the performance comparison, Figure 4 shows that, when N S ranges from 0 to 200, the KGenS algorithms of the schemes in [4] and [23] vary from 0 ms to 88.59 ms, while [5] varies from 0 ms to 20.45 ms and our scheme varies from 0 ms to 22.34 ms. The Sign algorithms of [4] and [23] vary from 0 ms to 0.128 s and 0.119 s, respectively, while [5] varies from 0 ms to 0.025 s. For SignChg, the schemes in [4] and [23] vary from 0 ms to 0.109 s and 0.096 s, respectively, while [5] and our scheme vary from 0 ms to 0.042 s and 0 ms to 0.089 s, respectively. For Verify, the schemes in [23] and [5] vary from 0 ms to 8.04 ms and 6.02 ms, respectively, [4] varies from 0 ms to 4.32 ms, and the proposed scheme takes the shortest time because it outsources the time-consuming pairing operations to two cloud servers. As a result, the verifier only needs to perform three multiplication operations for each pairing operation, which is particularly useful when verification is performed by sensor gateways, mobile edge devices, or wearable healthcare terminals with limited computation and energy budgets.

6. Conclusions

In this paper, we proposed a fine-grained and flexible dual authentication scheme for IoT-connected healthcare sensor networks. The proposed scheme supports fine-grained access control, allowing users and medical institutions to specify who can modify signed data and which parts may be modified through a fine-grained access control policy. The scheme also supports privacy preserving and accountability: transmitted healthcare data contain no personal information, and only authorized entities can trace the modifier and the original signer of signed data. These properties are important when health data and diagnoses are forwarded through wearable sensors, sensor gateways, edge nodes, cloud servers, and multiple medical institutions. To further reduce the computational overhead for resource-constrained sensor and IoT participants, we proposed a verifiable outsourced authentication scheme that outsources expensive pairing operations to two mutually distrusted cloud servers. In this way, the verification process only needs to perform six multiplication operations. Therefore, the proposed scheme provides a lightweight privacy-preserving authentication layer for trustworthy healthcare sensing and medical data exchange.

Author Contributions

Conceptualization, H.H.; methodology, H.H. and J.M.; software, Y.M. and X.G.; validation, Y.M., X.G. and X.L.; formal analysis, H.H. and J.M.; investigation, Y.M. and X.G.; resources, X.L.; data curation, Y.M. and X.G.; writing—original draft preparation, H.H.; writing—review and editing, J.M. and X.L.; visualization, Y.M.; supervision, X.L.; project administration, H.H.; funding acquisition, H.H. All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by the National Natural Science Foundation of China (No. 62302152); the Henan Provincial Key Scientific and Technological Project (242102211074); the Zhengzhou Municipal R&D Special Fund-Supported Research Project (22ZZRDZX30); and the Open Project of Key Laboratory of Grain Information Processing and Control, Ministry of Education (KFJN2022017).

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
ABSS Attribute-based sanitizable signature
CP-ABE Ciphertext-policy attribute-based encryption
IoT Internet of Things
NIZK Non-interactive zero-knowledge proof
PBC Pairing-Based Cryptography
PHF Programmable hash function
SFPK Signature with flexible public key
TA Trusted authority

References

  1. Gubbi, J.; Buyya, R.; Marusic, S.; Palaniswami, M. Internet of Things (IoT): A vision, architectural elements, and future directions. Future Gener. Comput. Syst. 2013, 29, 1645–1660. [Google Scholar] [CrossRef]
  2. Leroy, G. A.; Chen, H.; Rindflesch, T. C. Smart and connected health. IEEE Intell. Syst. 2014, 29, 2–5. [Google Scholar] [CrossRef]
  3. Kiourtis, A.; Mavrogiorgou, A.; Kyriazis, D. A semantic similarity evaluation for healthcare ontologies matching to HL7 FHIR resources. Stud. Health Technol. Inform. 2020, 270, 13–17. [Google Scholar] [CrossRef] [PubMed]
  4. Kai, S.; Slamanig, D. Policy-based sanitizable signatures. CT-RSA 2020, 12006. [Google Scholar]
  5. Ateniese, G.; Chou, D. H.; Medeiros, B.; Tsudik, G. Sanitizable signatures. ESORICS 2005, 3679, 159–177. [Google Scholar] [CrossRef]
  6. Brzuska, C.; Fischlin, M.; Lehmann, A.; Schroder, D. Unlinkability of sanitizable signatures. PKC 2010, 6056, 444–461. [Google Scholar] [CrossRef]
  7. Canard, S.; Laguillaumie, F.; Milhau, M. Trapdoor sanitizable signatures and their application to content protection. ACNS 2008, 5037, 258–276. [Google Scholar] [CrossRef]
  8. Lai, J.; Ding, X.; Wu, Y. Accountable trapdoor sanitizable signatures. ISPEC 2013, 7863, 117–131. [Google Scholar] [CrossRef]
  9. Miyazaki, K.; Hanaoka, G.; Imai, H. Digitally signed document sanitizing scheme based on bilinear maps. In 2006 ACM CCS; 2006; pp. 343–354. [Google Scholar]
  10. Yuen, T. H.; Susilo, W.; Liu, J. K.; Mu, Y. Sanitizable signatures revisited. CANS 2008, 5339, 80–97. [Google Scholar] [CrossRef]
  11. Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In 13th ACM CCS; 2006; pp. 89–98. [Google Scholar]
  12. Ning, J.; Cao, Z.; Dong, X.; Ma, H.; Wei, L.; Liang, K. Auditable sigma-times outsourced attribute-based encryption for access control in cloud computing. IEEE Trans. Inf. Forensics Secur. 2018, 13, 94–105. [Google Scholar] [CrossRef]
  13. Ning, J.; Cao, Z.; Dong, X.; Liang, K.; Wei, L.; Choo, K. CryptCloud+: Secure and expressive data access control for cloud storage. IEEE Trans. Serv. Comput. 2021, 14, 111–124. [Google Scholar]
  14. Maji, H. K.; Prabhakaran, M.; Rosulek, M. Attribute-based signatures. CT-RSA 2011, 6558, 376–392. [Google Scholar] [CrossRef]
  15. Cui, H.; Deng, R.; Wang, G. An attribute-based framework for secure communications in vehicular ad hoc networks. IEEE/ACM Trans. Netw. 2019, 27, 721–733. [Google Scholar] [CrossRef]
  16. Li, J.; Au, M. H.; Susilo, W.; Xie, D.; Ren, K. Attribute-based signature and its applications. In 5th ACM CCS; 2010; pp. 60–69. [Google Scholar]
  17. Okamoto, T.; Takashima, K. Efficient attribute-based signatures for non-monotone predicates in the standard model. PKC 2011, 6571, 35–52. [Google Scholar] [CrossRef]
  18. Su, Q.; Zhang, R.; Xue, R.; Sun, Y.; Gao, S. Distributed attribute-based signature with attribute dynamic update for smart grid. IEEE Trans. Ind. Inform. 2023, 19, 9424–9435. [Google Scholar] [CrossRef]
  19. Rao, Y. S.; Dutta, R. Efficient attribute-based signature and signcryption realizing expressive access structures. Int. J. Inf. Secur. 2016, 15, 81–109. [Google Scholar]
  20. Li, J.; Chen, X.; Huang, X. New attribute-based authentication and its application in anonymous cloud access service. Int. J. Web Grid Serv. 2015, 11, 125–141. [Google Scholar] [CrossRef]
  21. Liu, X. Attribute based sanitizable signature scheme. J. Commun. 2013, 34, 148–155. [Google Scholar]
  22. Xu, L.; Zhang, X.; Wu, X.; Shi, W. ABSS: an attribute-based sanitizable signature for integrity of outsourced database with public cloud. In Proceedings of the 5th ACM Conference on Data and Application Security and Privacy; 2015; pp. 167–169. [Google Scholar]
  23. Mo, R.; Ma, J.; Liu, X.; Li, Q. FABSS: Attribute-based sanitizable signature for flexible access structure. ICICS 2017, 10631. [Google Scholar]
  24. Beimel, A. Secret-sharing schemes: A survey. In Coding and Cryptology, IWCC 2011; 2011; Volume 6639. [Google Scholar]
  25. Agrawal, S.; Chase, M. FAME: Fast attribute-based message encryption. In ACM CCS 2017; 2017; pp. 665–682. [Google Scholar]
  26. Backes, M.; Hanzlik, L.; Kluczniak, K.; Schneider, J. Signatures with flexible public key: Introducing equivalence classes for public keys. In ASIACRYPT 2018; 2018. [Google Scholar]
  27. Hofheinz, D.; Kiltz, E. Programmable hash functions and their applications. In CRYPTO 2008; 2008; pp. 21–38. [Google Scholar]
  28. Tian, H.; Zhang, F.; Ren, K. Secure bilinear pairing outsourcing made more efficient and flexible. In ASIA CCS 2015; 2015; pp. 417–426. [Google Scholar]
  29. Pairing-Based Cryptography (PBC) library. Available online: https://crypto.stanford.edu/pbc/howto.html.
  30. The GNU Multiple Precision Arithmetic Library (GMP). Available online: http://gmplib.org.
Figure 1. The structure of IoT-connected healthcare sensor networks.
Figure 1. The structure of IoT-connected healthcare sensor networks.
Preprints 221359 g001
Figure 2. The IoT-connected healthcare sensor-network system model.
Figure 2. The IoT-connected healthcare sensor-network system model.
Preprints 221359 g002
Figure 3. The computational time of the proposed scheme in the KeyGenS, Sign, SignChg and Verify phases.
Figure 3. The computational time of the proposed scheme in the KeyGenS, Sign, SignChg and Verify phases.
Preprints 221359 g003
Figure 4. Performance comparison between the proposed scheme and related schemes in the KeyGenS, Sign, SignChg and Verify phases.
Figure 4. Performance comparison between the proposed scheme and related schemes in the KeyGenS, Sign, SignChg and Verify phases.
Preprints 221359 g004
Table 1. Comparison between our scheme and the scheme in [4].
Table 1. Comparison between our scheme and the scheme in [4].
Metric The scheme in [4] Ours
Length of signing key 6 L ( Z p * ) + 4 L ( G ) + L ( s k D S ) L ( Z p * ) + 3 L ( G )
Length of authorized entities’ key 3 ( | S | + 2 ) L ( G ) + L ( Z p * ) 3 ( | S | + 2 ) L ( G ) + L ( Z p * )
Length of signature 4 L ( Z p * ) + ( 3 n 1 + 5 ) L ( G ) + L ( S D S ) + L ( p ) + L ( π ) 3 L ( Z p * ) + ( 3 n 1 + 7 ) L ( G )
Time of signature generating ( N S = 200 ) 0.128 s 0.806 s
Time of signature changing ( N S = 200 ) 0.109 s 0.089 s
Notes: Let L ( · ) denote the length of the input element. Let n 1 and n 2 denote the row and column numbers of the monotonic span matrix of the access control policy A, respectively. S D S denotes the signature of the standard digital signature scheme. The concrete instantiation of the standard digital signature is not given in [4]. p is the large prime number used in [4] and π is a proof. Finally, | S | denotes the number of attributes in the attribute set S. N S denotes the number of signatures.
Table 2. The generic construction.
Table 2. The generic construction.
Algorithm Construction summary
Setup ( p p CP ABE , m s k CP ABE ) CP ABE . Setup ( 1 λ ) ; ρ SFPK . Setup ( 1 λ ) ; c r s Ω Setup Ω ( 1 λ ) ; return m p k = { p p CP ABE , ρ , c r s Ω } and m s k = m s k CP ABE .
KGenS ( s k SFPK , p k SFPK ) SFPK . KGen ( 1 λ , ω ) ; return s k = s k SFPK and p k = p k SFPK .
KGenA s k CP ABE CP ABE . KeyGen ( m s k , S ) ; y = f ( x ) ; return s k S = s k CP ABE , s k A = x , and p k A = y .
Sign δ SFPK . TKGen ( 1 λ , ω ) ; ( s k , p k ) SFPK . ChgKeys ( 1 λ , n ) ; ( s k , p k ) SFPK . ChgKeys ( 1 λ , n ) ; C CP ABE CP ABE . Encrypt ( s k , δ , r ) ; Sig 1 SFPK . Sign s k ( p k , p k , m , C CP ABE , π + r , y + r ) ; Sig 2 SFPK . Sign s k ( H ( i U A ) , i U A , t , y + r , H ( m ) , A ) ; return σ = { C CP ABE , Sig 1 , Sig 2 , A } .
SignChg ( s k , r , δ ) CP ABE . Decrypt s k CP ABE ( C CP ABE ) ; Sig 1 SFPK . Sign s k ( p k , p k , m , C CP ABE , π + r , y + r ) ; y = f ( x ) ; return σ = { C CP ABE , Sig 1 , Sig 2 , A } .
Verify b SFPK . Verify ( p k SFPK , m , σ ) ; return b.
Trace If 1 Verify Ω ( c r s Ω , s t , π ) , return I D ; if 0 Verify Ω ( c r s Ω , s t , π ) , return ⊥.
Table 3. Comparison of functionality among our scheme and related schemes.
Table 3. Comparison of functionality among our scheme and related schemes.
Scheme FGAC Unforgeability Transparency Accountability Privacy RCU-friendly
[6] N Y Y N N N
[9] N Y Y N N N
[16] N Y N N N N
[17] N Y N N N N
[21] N Y Y N N N
[22] Y Y N N
[23] Y Y Y N Y N
[4] Y Y Y Y Y N
Ours Y Y Y Y Y Y
FGAC: fine-grained access control; RCU-friendly: friendly to resource-constrained users. N denotes “No”, and Y denotes “Yes”.
Table 4. Comparison of storage space between our scheme and related schemes.
Table 4. Comparison of storage space between our scheme and related schemes.
Scheme Length of signing key Length of authorized entities’ key Length of signature
[5] L ( N ) + L ( e 1 ) + L ( e 2 ) L ( m ) L ( G )
[23] ( 2 + | S | ) L ( G ) ( 2 + n 1 + n 2 ) L ( G )
[4] 6 L ( Z p * ) + 4 L ( G ) + L ( s k D S ) 3 ( | S | + 2 ) L ( G ) + L ( Z p * ) 4 L ( Z p * ) + ( 3 n 1 + 5 ) L ( G ) + L ( S D S ) + L ( p ) + L ( π )
Ours L ( Z p * ) + 3 L ( G ) 3 ( | S | + 2 ) L ( G ) + L ( Z p * ) 3 L ( Z p * ) + ( 3 n 1 + 7 ) L ( G )
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.
Prerpints.org logo

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.

Subscribe

© 2026 MDPI (Basel, Switzerland) unless otherwise stated

Accessibility

Disclaimer

Terms of Use

Privacy Policy

Privacy Settings