Certificateless Remote AnonymousAuthentication Schemes for Wireless

Body Area NetworksJingwei Liu, Member, IEEE, Zonghua Zhang, Xiaofeng Chen, and

Kyung Sup Kwak, Member, IEEE

Abstract—Wireless body area network (WBAN) has been recognized as one of the promising wireless sensor technologies for

improving healthcare service, thanks to its capability of seamlessly and continuously exchanging medical information in real time.

However, the lack of a clear in-depth defense line in such a new networking paradigm would make its potential users worry about the

leakage of their private information, especially to those unauthenticated or even malicious adversaries. In this paper, we present a pair

of efficient and light-weight authentication protocols to enable remote WBAN users to anonymously enjoy healthcare service. In

particular, our authentication protocols are rooted with a novel certificateless signature (CLS) scheme, which is computational,

efficient, and provably secure against existential forgery on adaptively chosen message attack in the random oracle model. Also, our

designs ensure that application or service providers have no privilege to disclose the real identities of users. Even the network

manager, which serves as private key generator in the authentication protocols, is prevented from impersonating legitimate users. The

performance of our designs is evaluated through both theoretic analysis and experimental simulations, and the comparative studies

demonstrate that they outperform the existing schemes in terms of better trade-off between desirable security properties and

computational overhead, nicely meeting the needs of WBANs.

Index Terms—Anonymous authentication, certificateless signature, wireless body area network, healthcare

Ç

1 INTRODUCTION

BY using wireless personal area network (WPAN)technologies for communications on, near, and around

the human body, Zimmerman [1] first proposed wirelessbody area network (WBAN) in 1996. The work thenimmediately drew much attention from both academiaand industry. For instance, IEEE802.15 has developed afamily of short distance communication standards. Inparticular, 802.15.6 was formally standardized in 2012 afterfive years effort of engineers from 60 companies. It is aboutthe low-power wireless sensor nodes used in WBAN togather biomedical information for various applications inhospitals, residential, and work environments [2], [3], [4],[5]. Basically there are two categories of WBAN applica-tions, i.e., medical and nonmedical ones [6]. Medicalapplications need to collect vital information of a patientcontinuously and forward it to a remote monitoring stationfor further analysis. This huge amount of data can be used

to prevent the occurrence of myocardial infarction andtreat various diseases such as gastrointestinal tract, cancer,asthma, and neurological disorder. Nonmedical applica-tions include monitoring forgotten things, data file transfer,gaming, and social networking applications. For example,in gaming, sensors in WBAN can collect coordinatemovements of different parts of the body and subsequentlymake the movement of a character in the game, forexample, moving soccer player or capturing the intensityof a ball in table tennis. The use of WBAN in socialnetworking allows people to exchange digital profile orbusiness card only by shaking hands. Fig. 1 illustrates onetypical medical application scenario of WBAN, wherebiological information of concerns like heartbeat rate andblood pressure are gathered by the sensors around thebody (in-body networks) and transmitted to body areanetwork (BAN) controller nodes (out-body networks), suchas PDA and smart phones, which serve as a gateway foranonymously accessing the services provided by externalnetworks and servers.

Despite the past nontrivial effort, WBAN is still in itsinfancy, attracting increasing research attention [7]. Inparticular, among the open issues, leakage of privacy isone of the major concerns of potential users, impeding thefurther development and practical application of suchnetworks. This issue is especially challenging in WBANdue to its unique characteristics, such as open mediumchannel, signal noise, mobile terminals, flexible infrastruc-ture, and so on, leading to many novel security vulnerabil-ities and threats. For example, in remote healthcareapplications, authorized patients should anonymouslyaccess and share medical services, and the doctors only

332 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 2, FEBRUARY 2014

. J. Liu and X. Chen are with the State Key Lab of ISN, South Taibai Road 2,Xidian University, PO Box 106, Xi’an, Shaanxi 710071, China.E-mail: jwliu@mail.xidian.edu.com, xfchen@xidian.edu.cn.

. Z. Zhang is with the Institute Mines-Telecom/TELECOM Lille1,Villeneuve d’Ascq, France. E-mail: zonghua.zhang@telecom-lille.fr.

. K.-Sup Kwak is with the School of Information and CommunicationEngineering, Inha University, #6142, No. 6 Building, 253, YonghyunDong,NamGu, Incheon 402-751, Korea. E-mail: kskwak@inha.ac.kr.

Manuscript received 15 Sept. 2012; revised 22 Mar. 2013; accepted 11 May2013; published online 21 May 2013.Recommended for acceptance by X. Li, P. McDaniel, R. Poovendran, andG. Wang.For information on obtaining reprints of this article, please send e-mail to:tpds@computer.org, and reference IEEECS Log NumberTPDSSI-2012-09-0859.Digital Object Identifier no. 10.1109/TPDS.2013.145.

1045-9219/14/$31.00 � 2014 IEEE Published by the IEEE Computer Society

need to know the bio-information of the patient, whereas allthe rest private information such as name and ID numbermust be kept unknown. In other words, the legitimate usersshould be allowed to preserve their privacy to the maximumextent. One of the most effective solutions to achieve that isremote anonymous authentication schemes, which are consid-ered in this paper.

1.1 Related Work

Theoretically, remote user authentication can be imple-mented by traditional public-key cryptosystems (PKC) [8],[9]. But most of the designs are infeasible in mobilenetworks, because PKC needs to compute modularexponentiation, which may consume more computationalresource than what mobile devices can offer. Then variousauthentication schemes based on elliptic curve cryptosys-tem (ECC) have been proposed as alternatives [10], [11],[12], [13], [14], [15], [16], [17], which have betterperformance, thanks to the smaller key size used in ECC[18]. For example, 160-bit ECC achieves the same securitylevel as 1,024-bit RSA. However, ECC-based ones alsorequire a certification authority (CA) to maintain a pool ofcertificates for users’ public keys, and the users need extracomputation to verify the certificates of others.

We have also seen a vast amount of work on anonymousauthentication protocols of RFID systems [19], [20], [21],[22], [23], [24], [25], [26], which are used to verify that RFIDtags are legitimate or not without knowing their actualidentities. However, most symmetric-cryptosystem-basedRFID authentication schemes [20], [21], [22], [23] alwaysassume RFID readers to be fully trusted and involveonerous management. In [24], based on PKC, anonymityof tags is preserved against readers by using anonymouscredentials. But this design may incur high computationaland management complexity. Based on the recentlyproposed anoymizer approach, the authors of [25] proposedan anonymous authentication scheme, but it involves anadditional device called anonymizer, which frequentlyinteracts with the tags to ensure anonymity and unlink-ability of tags. Thus, it is clear that most of the exiting RFIDauthentication schemes cannot be simply applied to theremote WBAN application scenario.

It has been shown that the performance of ECC-basedschemes can be enhanced through ID-based cryptosystem[27], especially those ID-based signatures (IBS) over ECC[28], [29], [30], [31], [32], [33], [34], [35], [36]. As some of theearlier studies, such as [28], [29], [30], have keyescrow problems, Al-Riyami and Paterson [31] introduced

certificateless public key cryptography (CL-PKC) to dealwith this fundamental limitation of IBS-based schemes.Also, an IBS scheme without trusted private key generator(PKG) was proposed to solve the inherent key escrowproblem [32]. In particular, an efficient certificatelesssignature (CLS) scheme, which is more efficient than IBSproposed in [31], was presented in [34]. In [35], Zhang et al.reported an efficient and simple certificateless publickeysignature scheme (with security proof in the random oraclemodel). In [36], Wang et al. proposed an efficient CLSscheme based on bilinear pairings, claiming that itsefficiency can be improved by precomputing the pairingeðP; P Þ ¼ g, which are then used as system parameters.

1.2 Our Contribution

By carefully exploring the intrinsic characteristics ofWBANs and examining the existing remote authenticationschemes, we present two novel certificateless remoteanonymous authentication protocols. Our nontrivial effortscan be summarized as follows:

. We develop a new CLS scheme as the cryptographicprimitive, which is cost-effective, efficient, andprovably secure against existential forgery onadaptively chosen message attack in the randomoracle model by assuming that CDHP is intractable.The detailed design is given in Section 3, along withefficiency comparisons with the existing well-known schemes.

. The proposed CLS scheme then serves as a designbasis for two remote anonymous authenticationprotocols, which are particularly suitable forresource-constrained mobile clients. In particular,the protocols use an anonymous account indexinstead of a WBAN client’s real identity to accessWBAN service, thereby preventing the potentialprivacy leakage to application providers (APs) andnetwork managers (NMs). The protocol design isreported in Section 4.

. A formal security analysis on our proposed proto-cols is conducted, laying a theoretic foundation forexamining the soundness and performance of thesimilar designs. The concrete analysis is presented inSection 5, and a set of experimental simulations isreported in Section 6 to complement with thetheoretic analysis.

2 PRELIMINARIES

To facilitate the understanding of our designs, we brieflygive the basic definitions and properties of bilinear pairingsover elliptic curve group.

2.1 Notation

For easier illustration, Table 1 lists some importantnotations which will be further explained in detail wherethey occur for the first time.

2.2 Bilinear Pairings

The bilinear pairings namely Weil pairing and Tate pairingof algebraic curves are defined as a map e : G1 �G1 ! G2,where G1 is a cyclic additive group generated by P ,whose order is a prime q, and G2 is a cyclic multiplicative

LIU ET AL.: CERTIFICATELESS REMOTE ANONYMOUS AUTHENTICATION SCHEMES FOR WIRELESS BODY AREA NETWORKS 333

Fig. 1. A WBAN example for healthcare.

group of the same order q. Let a and b be elements of ZZ�q .We assume that the discrete logarithm problems (DLP) inboth G1 and G2 are hard. Bilinear pairings have thefollowing properties:

1. Bilinear: eðaR; bSÞ ¼ eðR;SÞab, 8R;S 2 G1, and a; b 2ZZ�q . This can be related as 8R;S; T 2 G1; eðRþ S; T Þ ¼eðR; T ÞeðS; T Þ and eðR;S þ T Þ ¼ eðR;SÞeðR; T Þ.

2. Nondegenerate: There exists R;S 2 G1, such thateðR;SÞ 6¼ IG2

, where IG2denotes the identity element

of group G2.3. Computable: There is an efficient algorithm to

compute eðR;SÞ for all R;S 2 G1.

2.3 Intractable Problems

Let G1 be a cyclic additive group generated by P , whoseorder is a prime q. Assume that the inversion and multi-plication in G1 can be computed efficiently. To prove thesecurity of our schemes, we need the following intractableproblems in G1:

. Discrete logarithm problem. Given two elementsR;S 2 G1, to find an integer n 2 ZZ�q , such thatS ¼ nR, whenever such an integer exists.

. Computational Diffie-Hellman problem (CDHP). GivenP , aP , bP for a, b 2 ZZ�q , to compute abP .

. Decisional Diffie-Hellman problem (DDHP). Given P ,aP , bP , cP for a, b, c 2 ZZ�q to decide whetherc � abmod q.

. Pairing inversion problem (PIP) [37]. Given a pairing eand a value c 2 ZZ�q , find R;S 2 G1 with eðR; SÞ ¼ c.

3 DESIGN BASIS: CERTIFICATELESS SIGNATURE

SCHEME

This section presents our new certificateless signaturescheme, laying down a design foundation for our remoteanonymous authentication protocols presented in Section 4.

3.1 Our New Certificateless Signature Scheme

A CLS scheme primarily consists of six algorithms:Setup, Set-Partial-Private-Key, Set-Partial-Public-Key, Par-tial-Private-Key-Extract, CL-Sign and CL-Verify, which arespecified as follows:

. Setup: Let ðG1;þÞ and ðG2; �Þ denote cyclic groups ofprime order q > 2l, where l is the security parameter.Let P be a generator of G1 and e : G1 �G1 ! G2 be apairing operator that satisfies the propertiesof bilinear and nondegenerate. PKG selects twosecure hash functions H : f0; 1g� �G1 ! G1 and h:

f0; 1g� �G2 ! ZZ�q . It picks a random integer sPKG 2ZZ�q , as its private key—the master key—and com-putes QPKG ¼ sPKGP , as its public key. PKG thenpublishes fl; G1; G2; q; P ; e;H; h; QPKGg as the systemparameter, while sPKG is kept secret.

. Set-Partial-Private-Key: The signer also selects arandom integer s1 2 ZZ�q , as his partially secret key.

. Set-Partial-Public-Key: The signer computesQ1 ¼ s1P , as his partially public key.

. Partial-Private-Key-Extract: This algorithm is per-formed by PKG when a signer requests the secretkey corresponding to his identity. Suppose thesigner’s identity is given by the string id, which isthe other partially public key. The other partiallysecret key of the identity is then given byS2 ¼ sPKGQ2, where Q2 ¼ Hðid;Q1Þ. It is computedby PKG and distributed to the signer in a secretchannel. For a signer, hid; Q1i is his public key andhs1; S2i is his private key. The extraction step istypically done once for each identity.

. CL-Sign: To sign a message m, the signer chooses arandom integer k 2 ZZ�q and computes as follows:

1: r ¼ eðQ2; QPKGÞk; ð1Þ

2: v ¼ hðmkr; P Þ; ð2Þ

3: U ¼ kS2 � vs1Q2: ð3Þ

The pair ðv; UÞ 2 ðZZ�q ; G1Þ is then taken as the

signature.. CL-Verify: On receiving a message m and signaturehv; Ui, the verifier performs in the following way:

1: Computes Q2 ¼ Hðid; Q1Þ; ð4Þ

2: Accepts the signature if and only if

v ¼ hðmkeðU; P Þ � eðQ2; Q1Þv; P Þ:ð5Þ

It is straightforward to check that the verification

equation holds for a valid signature. We can also

easily prove that our proposed CLS scheme

satisfies completeness:

v ¼ hðmkeðU; P Þ � eðQ2; Q1Þv; P Þ¼ hðmkeðkS2 � vs1Q2; P Þ � eðQ2; vs1P Þ; P Þ¼ hðmkeðksPKGQ2; P Þ; P Þ¼ hðmkr; P Þ:

ð6Þ

334 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 2, FEBRUARY 2014

TABLE 1Notation

3.2 Security Proof of Our New CLS Scheme

In this part, we prove that our new CLS is existentiallyunforgeable against adaptively chosen message attacks inthe random oracle model [38] based on the hardness ofCDHP. As defined in [31], [35], [39], we suppose that thereis an adversary A which attempts to forge a validsignature with the help of PKG. The proof details can beshown as follows.

Theorem 1. The proposed CLS scheme is existentially unforgeable

against adaptively chosen message attack of adversary A in the

random oracle model, assuming the hardness of the CDHP.

Proof. Suppose A is a probabilistic polynomial time Turingmachine whose input only consists of public data. It canbreak the proposed CLS scheme with nonnegligibleprobability. Let H and h be random oracles. We assume

that A can calculate a piece of additional information S2

with the master key sPKG. C gives the parametersfl; G1; G2; q; P ; e;H; h; QPKGg and hid; Q1; S2i to A. Cattempts to simulate all the oracles to obtain s1Q2 tohave the same ability of signing arbitrary message m asthe real signer. In particular, A can query as follows:

. H-Queries: A can query the random oracle H atany time. C simulates the random oracle bykeeping a list of couples h>i; Qð2;iÞi called LH,where>i is a couple of hidi; Qð1;iÞi. When the oracleis queried with input >, C responds as follows:

- If the query > is already in the item ofh>; Qð2;iÞi in LH, C outputs Qð2;iÞ.

- Otherwise, C selects a random Q2 2 G1, out-puts Q2, and adds h>; Q2i to LH.

. Extract-Queries: A can query the partially privatekey of any public key hidi; Qð1;iÞi. C outputs thepartially private key Sð2;iÞ corresponding toidentity idi by running algorithm Partial-Private-Key-Extract.

. h-Queries: A can query the random oracle h atany time. C simulates the random oracle bykeeping a list of couples h?i; vii that is called Lh,where ?i is a couple of hxi; Yii, where xi 2 f0; 1g�and Yi 2 G1. When the oracle is queried with aninput ?, C responds as follows:

- If the query ? is already in the item of h?; viiin Lh, C outputs vi.

- Otherwise C selects a random v 2 ZZ�q , outputsv, and adds h?; vi to Lh.

. CL-Sign-Queries: C simulates the signature oracleby responding to the signature query of anymessage m, and answers the query as follows:

- C picks up a random U 2 G1 and v 2 ZZ�qwhere v is not equal to any existing output ofh oracle.

- C computes r ¼ eðU; P Þ � eðQ2; Q1Þv. If ? ¼hm k r; P i is equal to any previous input of horacle, then returns to step 1.

- C adds h?; vi to Lh.- C outputs hv; Ui as the signature for messagem.

Thus, the valid triple hr; v; Ui can be generatedwithout knowing the partially private key s1. The signingoracle, simulated by C, has high quality; A is fullysatisfied with the CL-Sign-Queries’ answers. It can fullyexert its forgery ability.

Eventually, with nonnegligible probability, A outputsa signature � ¼ hr; v; Ui with a message m 2M, whereCL-Verifyðid;Q1Þðm; v; UÞ ¼ True. In this case, A generatesv through h-Queries, S2 through Extract-Queries withinput hid; Q1i, but it does not make Sign-Queries withinput m.C then replays the process so that A should produce

two valid signatures � ¼ hr; v; Ui and �0 ¼ hr; v0; U 0i withv 6¼ v0, naturally leading to the following equations:

U ¼ kS2 � vs1Q2

U 0 ¼ kS2 � v0s1Q2

�

) R1 ¼ s1Q2 ¼ ðv0 � vÞ�1ðU � U 0Þ:ð7Þ

Using hR1; S2i, C can generate a valid signature hv; Ui forany message m, where v ¼ hðm; eðQ2; kQPKGÞÞ; U ¼kS2 � vR1 and k is chosen randomly in ZZ�q , just as thereal signer uses hs1; S2i. C can solve the CDHP as followsin the above equations:

Q1 ¼ aP ¼ s1PQ2 ¼ bP

�) abP ¼ R1 ¼ s1Q2: ð8Þ

This obviously contradicts the hardness of the CDHP. tu

3.3 Computational Complexity Analysis

Our scheme has some precomputations, making ourscheme efficient. Before signing any message, the user canprecompute eðQ2; QPKGÞ for r ¼ eðQ2; QPKGÞk in step 1 ands1Q2 for U ¼ kS2 � vs1Q2 in step 3. Similarly, beforeverifying any signature, the verifier can precomputeeðQ2; Q1Þ for r ¼ eðU; P ÞeðQ2; Q1Þv in step 1 and Q2 ¼Hðid; Q1Þ. These precomputations can be used in the futureprotocols design for a special purpose.

Generally, the pairing operation is several times morecomplex than the scalar multiplication in G1. Thus, thenumber of pairing operations is a key performance metric.We then carefully examined the operational efficiency ofour scheme and compared it to those of the existingschemes. Table 2 summarizes the results, in which “P”denotes the number of pairing operations, “E” denotes thenumber of exponentiations in G2, and “M” denotes thenumber of multiplications in G1.

LIU ET AL.: CERTIFICATELESS REMOTE ANONYMOUS AUTHENTICATION SCHEMES FOR WIRELESS BODY AREA NETWORKS 335

TABLE 2Comparison of Computational Complexity

Note: “P”—the number of pairing operations; “E”—the number ofexponentiations in G2; “M”—the number of multiplications in G1.

The other operations are omitted from the table due totheir trivial computational cost. It is easily observed that ourscheme does not perform better than [31] and even worsethan [32], [33], [34], [35], [36] for solely signing operation.However, our verification algorithm is significantly simpli-fied. Our scheme can obtain higher efficiency as a whole,since a signature scheme generally contains a single-time-sign and multi-time-verify.

4 OUR AUTHENTICATION PROTOCOLS FOR WBANs

To meet the unique security demands of wireless body areanetworks, we use our new certificateless signature schemeto design remote anonymous authentication protocols,which can preserve the anonymity of remote WBAN clientsand save computational overhead.

4.1 Design Objectives

In general, we assume that the authentication protocols aredeployed in distributed WBAN application environmentsequipped with public key cryptographic primitives. Thisimplies the existence of some authority mechanisms, suchas the CA that can generate and certify cryptographic keysfor different purposes. The patients, as well as healthcareservice providers, must contact with a CA in advance forkey distribution. Because the keys are individual-specific, itavoids one body authentication problem, i.e., ensuring that thebody sensors in a WBAN collect data about one individualand not multiple individuals [40]. Moreover, we assumeanonymity to be a fundamental property and service ondemand, and there exist active adversaries which attempt tosubvert the anonymous authentication system by recover-ing or misusing the real identities of WBAN clients. Becausein these remote healthcare application scenarios, the doctorsand nurses only need to know the bioinformation of thepatient, rather than other private information such as nameand ID number, while legitimate users should be allowed topreserve their sensitive information to the maximum extent.Remote anonymous authentication schemes in insecurechannels are required to achieve this.

Based on the assumptions and taking into account thespecial characteristics of WBANs, we intend to design suchan authentication scheme which can do the following:

. Achieve anonymity regardless of particular opera-tional environments or WBAN network infrastruc-ture.

. Provide services for a WBAN client more than once.

. Operate with high efficiency while incurring negli-gible computational cost.

4.2 Design Architecture

There are three types of participants involved in theauthentication protocol, as shown in Fig. 2: WBAN client,network manager (NM for short), and application provider(APfor short). In particular, WBAN clients refer to the userswho use certain WBAN terminals or applications such asPDA, smart phone, biosensor or medical device to regularlyaccess various medical services that are offered by AP,including patient monitoring, physician consultation, andso on. APs can be hospital, clinic, physician, and even

weather forecast station. In addition, there is an NM whichserves as a key generator. It is not required to be a strongtrusted third party (TTP), because it is only used to issueone-half of the private key of a legitimate client, while thishalf of the private key alone is not sufficient to impersonatelegitimate clients. This is a desirable property in practice.For example, a commercial organization can be delegated asprivate key generator for managing an enrollment system.

4.3 Preliminary Version Authentication Protocol

In principle, our protocols take the new CLS schemeproposed in Section 3.1 as design basis, in which NM firstgenerates an account index for each requesting WBAN clientand uses it for signature generation and verification. Asignature is generated using the account index togetherwith the specified rights including prescriptive period andservice type for the requesting client. To log in, a clientneeds to send its signature of the message issued by NM,along with the account index, to the corresponding AP,which then verifies the client’s signature using the accountindex and NM’s signature by NM’s public key. It is obviousthat the role of AP is only to verify the generated signature,and the information in hand does not allow it to recover thereal identity of the client. By assuming that the requestedAP and requesting client are synchronous in time, ourprotocol can be formally described as follows:

1. Initialization. System is set up by NM, generatingkeys and establishing an enrollment system. In thisstep, given security parameter l, NM determinesits public/private key pair hQNM; sNMi, whereQNM ¼ sNMP , and publicizes the system para-meters fl; G1; G2; q; P ; e;H; h; QNMg, as described inSection 3.1. We suppose that each AP also has along-term key pair hQAP ; sAP i, where QAP ¼ sAPP .

2. Registration. A WBAN client with identifier C mustperform this operation with NM to access an AP ofinterest. The following steps should be performedin turn:

a. A legitimate client chooses one partial privatekey while obtains another partial private keyusing algorithm Partial-Private-Key-Extract de-scribed in Section 3.1,

b. NM creates an account in the form hC; indCv ;indCs ; righti for client C, where indCv ¼ eðQ2;Q1Þ is verifying index, indCs ¼ eðQ2; QNMÞ issigning index for algorithm CL-Sign. Also, rightindicates auxiliary information such as servicetype and prescriptive period.

336 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 2, FEBRUARY 2014

Fig. 2. Participants and working flow in the anonymous authenticationprotocol.

c. NM issues a ticket ¼ hm;�i to client C, wherem ¼ rightkindCv and � is the correspondingsignature on m.

In the same way, client C can store a group of QAP atthe mobile device for different APs. Two predeter-

mined functions, hð�Þ (defined in Section 3.1) and

message authentication code, denoted as MACð�Þð�Þ,are loaded simultaneously for access.

3. Authentication. The WBAN client performs thefollowing steps to anonymously authenticate him/herself to the AP of interest:

a. Select at random k; t 2 ZZ�q , and compute T ¼ tPand T 0 ¼ tQAP .

b. Pick up the current time tc of the requestingWBAN terminal. Then, compute v ¼ hð�ktc kr; T Þ.

c. Compute U ¼ kS2 � vs1Q2.d. Compute the session key key ¼ hðv; T Þ.e. Send a service request message Req ¼ ðv; U;m;

�; tc; T0Þ to the AP.

When the AP receives Req ¼ ðv; U;m; �; tc; T 0Þ, itchecks the validity of hm;�i and tc. The AP rejects

the request if � on m and tc are not valid. Otherwise,

the AP does the following:

1. Compute r ¼ eðU; P Þ � indvCv .2. Compute T ¼ s�1

APT0 with its private key sAP .

3. Verify v ¼? hð�ktckr; T Þ.4. Compute the session key key ¼ hðv; T Þ.5. Compute MACkeyðvÞ as the reply.6. Reply to C’s service request by sending back

MACkeyðvÞ.On receiving the reply from the AP, C checks the

integrity of MACkeyðvÞ with session key key. C willquit the current session if the check produces a

negative result; otherwise, C authenticates the AP

and uses key as the session key with the AP in futurecommunications. The message flow of the anon-

ymous authentication phase is described in Fig. 3.

4.4 Security-Enhanced Authentication Protocol

In the preliminary version, all the requested authenticationinformation, including the account index and the corre-sponding right of the client, is carried in the requestmessage. This may allow one sophisticated adversary todetermine whether two different sessions are initiated bythe same client, and may also allow NM to trace the client’sreal identity from the session information. To remedy thisvulnerability, we propose a security-enhanced anonymousauthentication protocol, which also consists of three phases:initialization, registration, and remote anonymous authen-tication. More formally,

1. Initialization. System setup (the same as the pre-liminary version).

2. Registration. This process is as the same as prelimin-ary version but NM issues hI; indCv ; righti to AP andclient C, where I ¼ indCvP , instead of sending aticket ¼ hm;�i to client C.

3. Authentication. The WBAN client performs thefollowing steps to anonymously authenticate him/herself to the requested AP:

a. Select at random k; t 2 ZZ�q , and compute T ¼ tP ,T 0 ¼ tQAP and I 0 ¼ I þ T .

b. Pick up the current time tc of the requestingWBAN terminal, and then, compute v ¼ hðtc kr; T Þ.

c. Compute U ¼ kS2 � vs1Q2.d. Compute the session key key ¼ hðv; T Þ.e. Send a service request message Req ¼ ðv; U; tc;

T 0; I 0Þ to the AP.

When the AP receives Req ¼ ðv; U; tc; T 0; I 0Þ, itchecks the validity of tc. The AP rejects the request iftc is invalid. Otherwise, AP does the following:

1. Compute T ¼ s�1APT

0 with its private key sAP andI ¼ I 0 � T .

2. Find indCv with I in the database and computer ¼ eðU; P Þ � indvCv .

3. Verify v ¼? hðtckr; T Þ.4. Compute the session key key ¼ hðv; T Þ.5. Compute MACkeyðvÞ as the reply.6. Reply to C’s service request by sending back

MACkeyðvÞ.On receiving the reply from the AP, C checks the

integrity of MACkeyðvÞ with session key key. C willquit the current session if the check produces anegative result; otherwise, C authenticates the APand uses key as the session key with the AP in futurecommunications. Fig. 4 describes the message flowof the anonymous authentication phase.

5 SECURITY ANALYSIS

This section presents the security analysis of our authenti-cation protocols. Our protocols ensure that NM can onlygenerate partial private keys, avoiding it impersonating aslegitimate client. This property makes NM more applicablein real WBAN network application scenarios. In whatfollows, we examine the proposed authentication protocolsin terms of six security properties of particular concern.

LIU ET AL.: CERTIFICATELESS REMOTE ANONYMOUS AUTHENTICATION SCHEMES FOR WIRELESS BODY AREA NETWORKS 337

Fig. 3. Preliminary version authentication protocol.

Anonymity means that an adversary AI cannot obtainthe real identity of any WBAN client based on the existingcommunication. Now, we formalize a game: when anoracle O�ðidÞ outputs a session message � with the realidentity id of a legitimate client, AI outputs id0 with thehelp of AP.

Definition 1. An authentication scheme achieves anonymity, iffor any probabilistic polynomial time adversary AI , Pr½� O�ðidÞ; id0 AI : id0 ¼ id� is negligible.

Theorem 2. (Anonymity) The proposed two authenticationprotocols meet anonymity, assuming the hardness of PIPdescribed in Section 2.3.

Proof. Here we only give detailed proof of anonymity forthe security-enhanced version due to space limitations.The anonymity of the preliminary version can beproved in the same way. Suppose adversary AI is aprobabilistic polynomial time Turing machine whoseinput consists of public data. It can find the true id andQ1 corresponding to any existing session message withnonnegligible probability after getting enough experi-ence. Simulator C has strong ability to imitate any stateof whole communication environment and share allinformation with AP, who maybe a malice AP. Onreceivin a PIP instance, indCv ¼ eðQ2; Q1Þ, C’s goal is tocompute Q2 2 G1 and Q1 2 G1. C gives the parametersfl; G1; G2; q; P ; e;H; h; QPKGg and indCv to AI . It attemptsto simulate the challenger by simulating all the oraclesto obtain hid; Q1i of client C. In particular, AI can queryas follows:

. h-Queries: AI can query the random oracle h atany time. C simulates the random oracle bykeeping a list of couples h?i; vii that is called Lh,where ?i is a couple of hxi; Yii, where xi 2 f0; 1g�and Yi 2 G1. When the oracle is queried with aninput ?, C responds as follows:

- If the query ? is already in the item of h?; viiin Lh, C outputs vi.

- Otherwise C selects a random v 2 ZZ�q , outputsv, and adds h?; vi to Lh.

. Extract-Queries: AI can query indCv of any ðT 0; I 0Þ.C computes T ¼ s�1

APT0 and I ¼ I 0 � T . If I can be

found in the database, C outputs indCv . Otherwise,it outputs “error”.

. Initial-Queries: C simulates the initial message sentby any WBAN client Ci with hQð1;iÞ; Qð2;iÞi and tc.C answers the query as follows:

- C picks up a random t 2 ZZ�q , U 2 G1 and v 2ZZ�q where v is not equal to any existing outputof h oracle.

- C computes r ¼ eðU; P Þ � eðQð2;iÞ; Qð1;iÞÞv andT ¼ tP . If ? ¼ htckr; T i equals any previousinput of h oracle, then returns to step 1.

- C adds h?; vi to Lh.- C computes T 0 ¼ tQAP , I 0 ¼ I þ T , and out-

puts ðhv; Ui; tc; T 0; I 0Þ as the initial messagesent from client C.

. Respond-Queries: C simulates the respond mes-sage sent by AP with ðhv; Ui; tc; T 0; I 0Þ. C answersthe query as follows:

- C computes T ¼ s�1APT

0 and I ¼ I 0 � T . If Ccan find indCv corresponding to I in thedatabase and hv; Ui is legal, go to step 2.Otherwise, C outputs “error”.

- C computes key ¼ hðv; T Þ.- C outputs MACkeyðvÞ as the respond message

sent from AP.

Thus, the initial message can be generated withoutknowing the private key hs1; S2i of client C. All oracles,simulated by C, have high quality; AI is fully satisfiedwith the all queries’ answers. It can fully exert its ability.

Eventually, given an input of ðhv; Ui; tc; T 0; I 0Þ,adversary AI ,with nonnegligible probability, outputs alegal pair of hid;Q1i of client C. Here, ðhv; Ui; tc; T 0; I 0Þ isnot any output of Initial-Queries. C then computesQ2 ¼ Hðid;Q1Þ, so that it successfully outputs hid;Q1iwith the equation indCv ¼ eðQ2; Q1Þ, which obviouslycontradicts the hardness of the PIP. tu

Unlinkability [21], [22], [23], [25] means that an adver-

sary AII cannot distinguish WBAN clients based on their

communication. This means that all the session messages

generated by clients should not leak any information to AIIthat allows AII to trace them. Now , similar to [25], we

formalize a UL Game: when an oracle O�ðbÞ for b 2 ð0; 1Þoutputs two session messages h�1;�2i with two identical

ðb ¼ 0Þ or two different ðb ¼ 1Þ legitimate clients, AIIguesses b0 2 ð0; 1Þ with the help of NM.

Definition 2. An authentication scheme achieves unlinkability,

if for any probabilistic polynomial time adversary AII in above

UL Game, AdvAII ¼ jPr½h�1;�2i O�ðbÞ; b0 AII : b0 ¼b� � 1

2 j is negligible.

Theorem 3. (Unlinkability) The security-enhanced anonymous

authentication protocol achieves unlinkability, assuming the

hardness of DDHP described in Section 2.3.

Proof. Suppose adversary AII is a probabilistic polynomial

time Turing machine whose input consists of public data.

338 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 2, FEBRUARY 2014

Fig. 4. Security-enhanced authentication protocol.

It can represent two identical or two different WBANclient from two given session messages with nonnegligibleprobability after getting enough experience. Simulator Chas strong ability to imitate any state of whole commu-nication environment and share all information with NM,who maybe a malice NM. When C receives a DDHPinstance ðaP; bP ;QÞ. Its goal is to decide if Q ¼ abP . Cgives the parameters fl; G1; G2; q; P ; e;H; h; QPKGg to AII .It attempts to simulate the challenger by simulating all theoracles. In particular, AII can query as follows:

. h-Queries: The same as in Theorem 2.

. Extract-Queries: AII can query any elements ofhid;Q1; Q2; indCv ; indCsi for having the others. If therelated information can be found in the database, Coutputs it. Otherwise, C outputs “error”.

. Initial-Queries: The same as in Theorem 2.

. Respond-Queries: The same as in Theorem 2.

Thus, the initial message can be generated withoutknowing the partial private key s1 of client C. Alloracles, simulated by C, have high quality; AII is fullysatisfied with the all queries’ answers. It can fully exertits ability.

Eventually, given two sessions of ðhv1; U1i; tðc;1Þ; T 01; I 01Þand ðhv2; U2i; tðc;2Þ; T 02; I 02Þ, adversary AII , with nonnegli-gible probability, outputs “0” or “1” (Note: “0” meansI1 ¼ I2 and “1” means I1 6¼ I2). Here, ðhv1; U1i; tðc;1Þ;T 01; I

01Þ and ðhv2; U2i; tðc;2Þ; T 02; I 02Þ are not any output of

Initial-Queries. Without knowing ha; bi, C then can solvea DDHP instance ðaP ¼ sapP ¼ Qap, bP ¼ I 01 � I 02, Q ¼T 01 � T 02Þ with the help of AII , because

I1 ¼? I2

, I 01 � s�1ap T

01 ¼

?I 02 � s�1

ap T02

, sap�I 01 � I 02

�¼? T 01 � T 02

, abP ¼? Q:

ð9Þ

This obviously contradicts the hardness of the DDHP. tu

Theorem 4. (Immunity of key escrow) The two proposedprotocols are constructed based on the new CLS scheme thatcan solve the inherent key-escrow problem in general ID-basedsignature schemes.

Proof. This property can be obtained directly fromTheorem 1. tu

Theorem 5. (Mutual authentication) The two proposedprotocols achieve the property of mutual authentication.

Proof. Only the requested AP can authenticate the accessingclient by checking the client’s signature hv; Ui, because v ¼hð�ktckr; T Þ and v ¼ hðtckr; T Þ in the two proposedauthentications, respectively, are both based on T , whichcan only be recovered by AP. The client authenticates theAP by comparing the received MACkeyðvÞ to the resultcalculated by him/herself, because AP is the only one whocan recover T fromT 0 and then calculates the key ¼ hðv; T Þand MACkeyðvÞ. If the client received a right MACkeyðvÞ,then the AP is the correct one the client wishes to access forservice. Here, this value is completely dependent on thetime token tc and the two random numbers k; t. It canidentify each authentication process uniquely. tu

Theorem 6. (Session key establishment) After successfulaccess, both sides share the session key.

Proof. Client C checks the MACkeyðvÞ to authenticate theAP and agrees upon the session key. If the value iscorrect, then the requested AP generates the correctkey ¼ hðv; T Þ with the recovered T . key is only shared byC and AP. The opponents cannot deduce key even ifthey eavesdrop all of the session information no matterin which protocol we proposed. tu

Theorem 7. (Nonrepudiation) After successful access, client Ccannot deny that he/she has accessed the service provided byAP for the CLS signature hv; Ui.

Proof. Client C is the unique signer who can generate a legalsignature pair of hv; Ui. Even NM is unable to impersonateC to sign such a valid signature for Theorem 1. tu

We carefully select nine existing schemes for comparativeanalysis and the results are summarized in Table 3. Wediscuss the above six security properties in these schemesrespectively, including two anonymities (P1,P2) and the otherfour security characters. In the first six schemes, theauthentication protocols do not meet the anonymous prop-erty. The scheme in [15] only has the property P2 in twoanonymities. In [16], only anonymous propertyP1 is satisfied;moreover, the mutual authentication property can only beachieved under special conditions. The scheme in [17] meetsboth two anonymous properties, but it only provides one-way authentication and misses the propertiesP3,P5,P6. FromTable 3, we can conclude that the new schemes achieve ahigher security level with strict anonymity.

6 SIMULATION-BASED PERFORMANCE VALIDATION

We are particularly concerned about the computationalcomplexity of our protocol in addition to the security

LIU ET AL.: CERTIFICATELESS REMOTE ANONYMOUS AUTHENTICATION SCHEMES FOR WIRELESS BODY AREA NETWORKS 339

TABLE 3Comparison of Security Properties between Different Schemes

Note Px represents theorem ðxþ 1Þ, p indicates that the property is satisfied,! and! denote that the protocol satisfies mutual authentication andone-way authentication, respectively.

properties. To validate that, we set up simulations andcompare its run time with a number of typical schemes.

6.1 Simulation Setup

In this section, to evaluate the computation overhead ofthe proposed schemes, we first setup simulation hardwareenvironment and quantify the computation time of thecryptographic operations used in the selected schemes.The simulation environment of AP is Windows XP OS overan Inter(R) Pentium IV 3.0 GHz processor and 512-MBmemory. The hardware environment of the mobile WBANclient, such as a PDA, has a low-power high-performance 32-bit Inter(R) PXA270 624-MHz processor and 128-MB memoryrunning Windows CE 5.2 OS. In addition, we set the publicmodulator used in RSA signature to be 1,024 bits. The pairoperation is defined over a supersingular elliptic curvey2 ¼ x3 þ x. The run time of cryptographic primitives on APis obtained by experiment, and that on the client terminal isestimated using the method in [41]. The simulations were runseveral times, and the results were averaged to compensatefor the randomness. Table 4 lists the run time of severalcryptographic operations. In these schemes, the computationoverhead is mainly due to the cryptographic operations ofexponentiation in ZZ�q , multiplication in GG1, and pairing.

6.2 Results and Analysis

Table 5 and Fig. 5 compare the run time of AP and theWBAN client between 11 authentication schemes. Weseparate the selected authentication schemes into twogroups for convenience: 1) without anonymity; 2) withanonymity. Compared with the first group, our schemedoes not clearly show better performance, but it achievesthe certificateless and anonymous properties that consume

computational resource. Within the second group, the runtime of our scheme obviously outperforms schemes LLZHS[16] and TFS [17]. In CZKH [15], the scheme seems to run ashorter time, but it costs more storage space and theanonymity property is weaker.

The results demonstrate that our designed protocolgenerally outperforms the others, offering a better tradeoffbetween the security properties of concern and the run timeof APs and WBAN clients. These make it more suitable towireless body area networks.

7 CONCLUSION AND FUTURE WORK

In this paper, we presented two certificateless remoteauthentication protocols to preserve the privacy of potentialWBAN users when they access network medical servicethrough WBANs terminals. To design the protocols, wedeveloped a novel certificateless signature scheme as acryptographic primitive by carefully exploring the specialcharacteristics of WBANs. We formally proved that ourcertificateless signature scheme has a potential to achievemore desirable security properties with less computationalcost than the existing schemes. One salient feature of ourprotocols is that medical application or service providers donot have privilege to reveal the true identity of users evengiven all the session information. Also, the networkmanager cannot impersonate any legitimate users althoughit serves as PKG. Sound theoretic analysis, comparativestudies, and simulations were conducted to evaluate ourproposed protocols, which outperformed most of the

340 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 2, FEBRUARY 2014

TABLE 4Operating Time on Server and Client

Fig. 5. A comparison of running time between different schemes.

TABLE 5A Comparison of Running Time between Different Schemes

existing authentication schemes in terms of better tradeoffbetween security properties, computational overhead, aswell as implementation and running time.

As what we have clearly analyzed in the paper, the runround of mutual authentication protocols has been reducedto 2. Thus, we attempt to design signature schemes withbetter trade-off between computational overhead andefficiency, so that the computational complexity of theauthentication protocols can be decreased as a whole. Inaddition, we intend to develop a set of realistic experi-mental scenarios to test our protocols. As such, benchmarkscenarios are still available, it would benefit to the WBANresearch community.

ACKNOWLEDGMENTS

This work is supported by National Natural ScienceFoundation of China (No. 61100232, No.61001131, No.61103198, and No. 61272455), the Fundamental ResearchFunds for the Central Universities (No. K5051301012 ), the111 Project (B08038), National Science and TechnologyMajor Project of the Ministry of Science and Technology ofChina (No. 2013ZX03005007) and the National ResearchFoundation of Korea (NRF) grant funded by the Koreagovernment (MEST)(No. 2010-0018116). The authors wouldlike to thank the anonymous referees and the associateeditor for their constructive comments and suggestions thathelped to improve the manuscript. The author would alsolike to thank Dr. Rong Sun for the inspiring discussions andvaluable suggestions during this research.

REFERENCES

[1] T.G. Zimmerman, “Personal Area Networks: Near-Field Intra-body Communication,” IBM Systems J., vol. 35, no. 3/4, pp. 609-617, 1996.

[2] H.-B. Li, K.-I. Takizawa, B. Zhen, and R. Kohno, “Body AreaNetwork and Its Standardization at IEEE 802.15.MBAN,” Proc.16th IST Mobile and Wireless Comm. Summit, pp. 1-5, 2007.

[3] C. Otto, A. Milenkovic, C. Sanders, and E. Jovanov, “SystemArchitecture of a Wireless Body Area Sensor Network forUbiquitous Health Monitoring,” J. Mobile Multimedia, vol. 1,no. 4, pp. 307-326, 2006.

[4] M. Seyedi, B. Kibret, D.T.H. Lai, and M. Faulkner, “A Survey onIntrabody Communications for Body Area Network Applica-tions,” IEEE Trans. Biomedical Eng., vol. 60, no. 8, pp. 2067-2079,Aug. 2013.

[5] B. Latre, B. Braem, I. Moerman, C. Blondia, and P. Demeester, “ASurvey on Wireless Body Area Networks,” J. Wireless Networks,vol. 17, no. 4, pp. 1-18, 2011.

[6] K.S. Kwak, U. Sana, and U. Niamat, “An Overview of IEEE802.15.6 Standard,” Proc. Third Int’l Symp. Applied SciencesBiomedical and Comm. Technologies (ISABEL ’10), pp. 1-6, 2010.

[7] M. Chen et al., “Body Area Networks: A Survey,” Mobile Networksand Applications, vol. 16, pp. 171-193, 2011.

[8] J. Zhu and J. Ma, “A New Authentication Scheme withAnonymity for Wireless Environments,” IEEE Trans. ConsumerElectronics, vol. 50, no. 1, pp. 231-235, Feb. 2004.

[9] G. Horn and B. Preneel, “Authentication and Payment in FutureMobile Systems,” Proc. Fifth European Symp. Research ComputerSecurity, pp. 277-293, 1998.

[10] C. Yang, W. Ma, and X. Wang, “Novel Remote User Authentica-tion Scheme Using Bilinear Pairings,” Proc. Fourth Int’l Conf.(ATC ’07), pp. 306-312, 2007.

[11] P. Abichar, A. Mhamed, and B. Elhassan, “A Fast and SecureElliptic Curve Based Authenticated Key Agreement Protocol forLow Power Mobile Communications,” Proc. Int’l Conf. NextGeneration Mobile Applications, Services and Technologies, pp. 235-240, 2007.

[12] K.Y. Choi, J.Y. Hwang, D.H. Lee, and I.S. Seo, “ID-BasedAuthenticated Key Agreement for Low-Power Mobile Devices,”Proc. 10th Australasian Conf. Information Security Privacy(ACISP ’05), pp. 494-505, 2005.

[13] Y.M. Tseng, T.Y. Wu, and J.D. Wu, “A Mutual Authentication andKey Exchange Scheme from Bilinear Pairings for Low PowerComputing Devices,” Proc. 31st Ann. Int’l Computer Software andApplications Conf. (COMPSAC ’07), vol. 2, pp. 700-710, 2007.

[14] J. Yang and C. Chang, “An ID-Based Remote Mutual Authentica-tion with Key Agreement Scheme for Mobile Devices on EllipticCurve Cryptosystem,” Computers & Security, vol. 28, no. 3/4,pp. 138-143, 2009.

[15] X. Cao, X. Zeng, W. Kou, and L. Hu, “Identity-Based AnonymousRemote Authentication for Value-Added Services in MobileNetworks,” IEEE Trans. Vehicular Technology, vol. 58, no. 7,pp. 3508-3517, Sept. 2009.

[16] R. Lu, X. Lin, H. Zhu, P. Ho, and X. Shen, “A Novel AnonymousMutual Authentication Protocol with Provable Link-Layer Loca-tion Privacy,” IEEE Trans. Vehicular Technology, vol. 58, no. 3,pp. 1454-1466, Mar. 2009.

[17] I. Teranishi, J. Furukawa, and K. Sako, “k-Times AnonymousAuthentication,” IEICE Trans. Fundamentals of Electronics, Comm.Computer Sciences, vol. E92-A, no. 1, pp. 147-165, 2009.

[18] D. Hankerson, A. Menezes, and S. Vanstone, Guide to Elliptic CurveCryptography. Springer-Verlag, 2003.

[19] A. Juels, “RFID Security and Privacy: A Research Survey,” IEEEJ. Selected Areas Comm., vol. 24, no. 2, pp. 381-394, Feb. 2006.

[20] S. Piramuthu, “Lightweight Cryptographic Authentication inPassive RFID-Tagged Systems,” IEEE Trans. System, Man, andCybernetics Part C: Applications and Rev., vol. 38, no. 3, pp. 360-376,May 2008.

[21] T. van Deursen, S. Mauw, and S. Radomirovi�c, “Untraceability ofRFID Protocols,” Proc. Second IFIP WG 11.2 Int’l Conf. InformationSecurity Theory and Practices: Smart Devices, Convergence NextGeneration Networks (WISTP ’08), pp. 1-15, 2008.

[22] E. Cesena, H. Lohr, G. Ramunno, A. Sadeghi, and D. Vernizzi,“Anonymous Authentication with TLS and DAA,” Proc. Third Int’lConf. Trust and Trustworthy Computing (TRUST ’10), pp. 47-62,2010.

[23] M. Burmester, T. Van Le, B. De Medeiros, and G. Tsudik,“Universally Composable RFID Identification and AuthenticationProtocols,” ACM Trans. Information and System Security, vol. 12,no. 4, article 21, Apr. 2009.

[24] P. Bichsel, J. Camenisch, T. Gro�, V. Shoup, “AnonymousCredentials on a Standard Java Card,” Proc. 11th ACM Conf.Computer Comm. Security, pp. 600-610, 2009.

[25] F. Armknecht, L. Chen, and A. Sadeghi, “Anonymous Authenti-cation for RFID Systems,” Proc. Sixth Int’l Conf. Radio FrequencyIdentification: Security and Privacy Issues (RFIDSec ’10), pp. 158-175,2010.

[26] J. Ren and L. Harn, “An Efficient Threshold AnonymousAuthentication Scheme for Privacy-Preserving Communications,”IEEE Trans. Wireless Comm., vol. 12, no. 3, pp. 1018-1025, Mar.2013.

[27] A. Shamir, “Identity-Based Cryptosystems and SignatureSchemes,” Proc. Advances in Cryptology (Crypto ’84), pp. 47-53,1984.

[28] K.G. Paterson, “Id-Based Signatures from Pairings on EllipticCurves,” Electronics Letters, vol. 38, no. 18, pp. 1025-1026, 2002.

[29] F. Hess, “Efficient Identity Based Signature Schemes Based onPairings,” Proc. Revised Papers Ninth Ann. Int’l Workshop SelectedAreas Cryptography (SAC ’02), pp. 310-324, 2003.

[30] J.C. Cha and J.H. Cheon, “An Identity-Based Signature from GapDiffie-Hellman Groups,” Proc. Sixth Int’l Workshop Theory andPractice Public Key Cryptography(PKC ’03), pp. 18-30, 2003.

[31] S.S. Al-Riyami and K.G. Paterson, “Certificateless Public KeyCryptography,” Proc. Advances in Cryptology (Asiacrypt ’03),pp. 452-473, 2003.

[32] X. Chen, F. Zhang, and K. Kim, “A New ID-Based GroupSignature Scheme from Bilinear Pairings,” Proc. Int’l WorkshopInformation Security Applications (WISA ’03), pp. 585-592, 2003.

[33] X. Li, K. Chen, and L. Sun, “Certificateless Signature and ProxySignature Schemes from Bilinear Pairings,” Lithuanian Math. J.,vol. 45, pp. 76-83, 2005.

[34] M.C. Gorantla and A. Saxena, “An Efficient CertificatelessSignature Scheme,” Proc. Int’l Conf. Computational Intelligence andSecurity (CIS ’05), Part II, pp. 110-116, 2005.

LIU ET AL.: CERTIFICATELESS REMOTE ANONYMOUS AUTHENTICATION SCHEMES FOR WIRELESS BODY AREA NETWORKS 341

[35] Z. Zhang, D. Wong, J. Xu, and D. Feng, “Certificateless Public-KeySignature: Security Model and Efficient Construction,” Proc.Fourth Int’l Conf. Applied Cryptography and Network Security(ACNS ’06), pp. 293-308, 2006.

[36] C.J. Wang, D.Y. Long, and Y. Tang, “An Efficient CertificatelessSignature from Pairings,” Int’l J. Network Security, vol. 8, no. 1,pp. 96-100, 2009.

[37] S. Galbraith, F. Hess, and F. Vercauteren, “Aspects of PairingInversion,” IEEE Trans. Information Theory, vol. 54, no. 12,pp. 5719-5728, Dec. 2008.

[38] D. Pointcheval and J. Stern, “Security Arguments for DigitalSignatures and Blind Signatures,” J. Cryptology, vol. 13, no. 3,pp. 361-396, 2000.

[39] X. Huang, W. Susilo, Y. Mu, and F. Zhang, “On the Security ofCertificateless Signature Schemes from Asiacrypt 2003,” Proc.Fourth Int’l Conf. Cryptology and Network Security (CANS ’05),pp. 13-25, 2005.

[40] C. Cornelius and D. Kotz, “On Usable Authentication for WirelessBody Area Networks,” Proc. First USENIX Workshop HealthSecurity and Privacy (HealthSec ’10), 2010.

[41] K. Ren, W. Lou, K. Zeng, and P.J. Moran, “On BroadcastAuthentication in Wireless Sensor Networks,” IEEE Trans. WirelessComm., vol. 6, no. 11, pp. 4136-4144, Nov. 2007.

Jingwei Liu received the BS (majoring inapplied mathematics), MS (majoring in com-munication and information systems), and PhD(majoring in communication and informationsystems) degrees from Xidian University, Xi’an,China in 2001, 2004, and 2007, respectively.Currently, he is with the School of Telecom-munications Engineering, Xidian University. Hehas published more than 20 papers in journalsand conference proceedings. His research

interests include information security, network security, and crypto-graphy. He is a member of the IEEE and the Chinese Association forCryptologic Research.

Zonghua Zhang received the BSc degree ininformation science and the MSc degree incomputer science from Xidian University, China,in 2003 and 2000, respectively. He received thePhD degree in information science from theJapan Advanced Institute of Science and Tech-nology (JAIST) in 2006. Earlier, he spent twoyears for postdoc research at the University ofWaterloo, Canada and INRIA, France. He wasan expert researcher at the Information Security

Research Center of National Institute of Information and Communica-tions Technology(NICT), Japan, from April, 2008 to April, 2010. He is anassociate professor at Institut Mines-Telecom of France. His researchinterests are centered on improving the quality of security services invarious computer and communication networks, with current focus oncost-effective security management, privacy-preserving network foren-sics and reputation systems.

Xiaofeng Chen received the BE and MEdegrees in mathematics from Northwest Uni-versity, and the PhD degree in cryptographyfrom Xidian University, Xi’an, China, in 1997,1999, and 2003, respectively. He is currentlywith the School of Telecommunications Engi-neering, Xidian University. His research inter-ests include information security, networksecurity, and cryptography. He is a member ofthe IEEE and the IEICE.

Kyung Sup Kwak received the BS degree fromInha University, Inchon, Korea in 1977, theMS degree from the University of SouthernCalifornia in 1981, and the PhD degree fromthe University of California, San Diego in 1988,under the Inha University Fellowship and theKorea Electric Association Abroad ScholarshipGrants, respectively. From 1988 to 1989, he wasa member of technical staff at Hughes NetworkSystems, San Diego, California. From 1989 to

1990, he was with the IBM Network Analysis Center at ResearchTriangle Park, North Carolina. He has been with the School ofInformation and Communication, Inha University, Korea, as a professor.He was the dean of the Graduate School of IT and Telecommunicationsfrom 2001 to 2002 at Inha University, Inchon, Korea. He is the currentdirector of the UWB Wireless Communications Research Center, a keynational IT research center in Korea. He has published 60 SCI journalpapers, more than 200 conference and domestic papers, received 11registered patents and had 35 patents pending. He has proposed ninetechnical proposals on IEEE 802.15 (WPAN) PHY/MAC. His researchinterests include multiple access communication systems, UWB radiosystems and WPAN/WBAN, sensor networks. He is a member of theIEEE, IEICE, KICS, and KIEE.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.

342 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 2, FEBRUARY 2014