1 Introduction

The Internet of Things is a system that relies on autonomous communication between groups of physical objects, including a group of object networks, such as intelligent machines, intelligent cars, and intelligent home appliances, which communicate with each other and use unique Internet addresses to communicate with external devices or networks [1].

There are many applications based on the Internet of Things, such as smart home, smart city, smart industrial automation, and smart services. IoT systems deliver improved productivity, efficiency and quality to a wide range of service providers and industries.

Currently, the application of the rapidly developing Internet of Things (IoT) technology to medical monitoring has attracted considerable research attention. A typical wireless body area network (WBAN) is a network of tiny sensors implanted in or placed on a patient's body that collect the patient's personal health information (PHI). Specifically, a WBAN used in ubiquitous healthcare connects to implanted or worn sensors such as a smart sphygmomanometer, smart glucose meter, smart bracelet, smart pacemaker, and smart pulse monitor, and collects and remotely transmits real-time PHI such as respiratory rate, heart rate, and blood pressure [2] to health care providers, doctors, and hospitals, who use it to provide better support and medication.

Typically, IoMT systems consist of a variety of tiny sensors with limited battery life, storage space, and computing power. After collecting a patient's health data over a period of time, these sensors send it to medical professionals (i.e., data consumers) over a public network [3]. Obviously, the patient's PHI is crucial: any malicious or compromised sensor, or any unauthorized access to the patient's PHI, can pose a life-threatening risk to the patient's health. Therefore, security and privacy are two extremely important challenges facing the further application of wireless body area networks [4].

While mobile technology has benefited smart healthcare, the increasing volume of data transfer is overloading cellular networks. The cloud-based Internet of Things shows great promise for the storage and processing of medical data. A cloud server is an outsourcing platform with a large amount of storage and computing resources. Cloud services are usually provided by powerful and well-known companies, which offer users sufficient storage space and computing power [5]. Therefore, patients can use cloud servers to efficiently store, manage, and share the massive medical data generated by various medical sensors, which is not only convenient for users to access but also improves the storage utilization of the health information system. However, in a medical Internet of Things system, patients who outsource their health data to a cloud server also face data integrity problems [6]. Once a data file is uploaded to a cloud server, the data owner loses direct control over it. A dishonest cloud server may inadvertently delete files, or actively modify them and hide this, to save storage space or gain other financial benefits. Therefore, to prevent such attacks, it is necessary to verify the integrity of the data stored on the cloud server.

In addition, ensuring user legitimacy is critical to a data sharing scheme. PHI can be tampered with or falsified by unauthorized users, which poses a health risk to patients, as medical professionals may make incorrect decisions and recommendations based on incorrect information. Therefore, it is necessary to design a low cost and lightweight data sharing scheme to meet the security requirements and reduce energy consumption as much as possible.

To sum up, how to build a secure cloud-assisted medical Internet of Things system is crucial for the future of smart medicine.

1.1 Related work

In 2019, Sun et al. [7] reviewed the security and privacy challenges of IoT in medical systems and discussed future research directions. Akinyele et al. [8] proposed a self-protection electronic medical record system based on attribute encryption on mobile devices.

Hu et al. [9] used attribute-based encryption technology to solve the secure communication between the body area network and the data consumer (final user). Chandrasekaran et al. [10] reported the low efficiency of the system [9] in multidata transmission and proposed a secure data communication system for multidata transmission in the WBAN.

Li et al. [11] proposed the use of identity-based signcryption for low-power devices, setting up online or offline sensors that satisfy both authentication and confidentiality without additional authentication steps by using the receiver's public key. However, this scheme is vulnerable to the well-known key escrow attack. Therefore, in [12], Omala et al. proposed a lightweight certificateless signcryption scheme built on certificateless encryption. Subsequently, Zhang et al. extended the technique proposed by Omala et al. and discussed the data communication scheme of the electronic medical system using a generalized signcryption scheme [13]. However, Zhou revealed in [14] that the protocol proposed in [13] is vulnerable to internal attacks. Thus, the protocol is fragile in data confidentiality and not secure.

In 2020, Kumar and Chand proposed a cloud-centric intelligent medical system (KC system) based on the medical IoT [15]. Specifically, they proposed escrow-free identity-based aggregated signcryption (EF-IBASC) public key encryption to ensure the privacy and identity verification of PHI and developed device-to-device communication using the KC system. The security of the system is based on the underlying EF-IBASC scheme. As stated by Kumar, the health care system has numerous advantages, including privacy protection of PHI and the mutual authenticity of the authenticating entities, because encryption and signature functions can be provided by the underlying signcryption scheme.

However, in subsequent studies, Kumar et al. found that the KC system was unsafe [16] because an attacker can calculate the private key of an entity from the communication content transmitted in the network. Therefore, entity authentication and registration become meaningless. This result completely invalidates the mutual authentication function between entities. A malicious attacker who obtains the private key of an entity may join the system disguised as a legitimate entity and break the intelligent medical system. The KC system was improved in a subsequent study [16] to overcome the existing security loopholes in the system.

In this study, we prove that the improved KC system is still insecure, and its key authentication function cannot be guaranteed, because the private key of the personal auxiliary device (PAD) can still be recovered from the communication content transmitted over the network. Furthermore, in the KC system, the biomedical sensor (BMS) achieves privacy and authenticity through signcryption. Although the cost of a signcryption operation is smaller than that of signing and then encrypting, or encrypting and then signing, a BMS is a resource-constrained device. Therefore, the operations of the device should be simplified. We also found that the public verification algorithm is ineffective.

In 2021, Zhang et al. [17] designed an efficient and secure electronic personal health record sharing system based on the Boneh–Franklin identity-based encryption scheme. Their scheme is sufficiently lightweight for use on mobile devices and allows both parties to decrypt the ciphertext without reconstructing the private key. In 2022, Liu et al. [18] proposed the first DSSE scheme that can be satisfactorily applied to personal health record file databases and resists file injection attacks. This achieves effective access control to protect the privacy of patients' personal health record files. Wang et al. [19] studied edge computing by introducing the framework of federated learning and designed a lightweight privacy protection protocol based on secret sharing and weight masks. The scheme was extended into a security system. They proved that the system for edge computing can protect the privacy of medical data and simultaneously reduce the communication overhead. Zhou et al. [20] designed a human-in-the-loop-aided (HITL-aided) scheme to protect privacy in intelligent healthcare. In this scheme, block design technology is used to blur the various health indicators of hospitals and smart wearable devices. After introducing the human in the loop (HITL), the smart medical platform was used to realize privacy-preserving access to health reports.

1.2 Our contribution

  1. We first analyzed the security of the improved KC system [16] and revealed that the previous system was insecure. Malicious adversaries may join the system disguised as legitimate entities and break the intelligent medical system. Thus, the mutual authentication function of the improved KC system has become invalid.

  2. On the basis of the bilinear Diffie–Hellman problem, we proposed an escrow-free identity-based signature scheme (EF-IDS) and proved its security in the random oracle model.

  3. A secure intelligent medical system was constructed, and an efficient and secure data transmission mechanism from BMS to PAD, MCS, and SD was considered. The system can accomplish public verification of the data stored by the user on the MCS.

  4. Finally, performance analysis of the proposed system revealed that the system is efficient in terms of communication overhead and computation cost compared with those in [15, 16], especially for the BMS.

1.3 Organization of research

In Sect. 2, we introduce the basic cryptographic techniques used in the rest of this paper and the system model of intelligent medical systems. We also list the abbreviations and mathematical symbols used in this paper and their meanings.

In Sect. 3, we analyze whether the improved KC system still has security vulnerabilities and analyze the consequences of its security vulnerabilities.

In Sect. 4, we propose an escrow-free identity-based scheme in view of the security holes in the improved KC system. It is proven that our proposed scheme solves the vulnerability of the KC system.

In Sect. 5, we redesign the IoMT-based intelligent medical system with detailed protocols.

In Sect. 6, we analyze the security and other attributes of our proposed system. It is proven that our proposed system not only avoids the security vulnerabilities of the improved KC system but also guarantees the integrity of the data stored in the cloud.

In Sect. 7, we analyze the performance of our proposed system, and the analysis shows that our proposed system has a strong performance advantage over Kumar's system, reducing the computing consumption of medical sensors.

In Sect. 8, we summarize the conclusions of this paper and describe future work.

2 Preliminaries

See Table 1.

Table 1 Symbols and abbreviations

2.1 Bilinear map

Consider two multiplicative cyclic groups \({\mathbb{G}}_{1}\), \({\mathbb{G}}_{2}\) with the same prime order \(q\), where \(g\) is a generator of \({\mathbb{G}}_{1}\). A map \(e:{\mathbb{G}}_{1}\times {\mathbb{G}}_{1}\to {\mathbb{G}}_{2}\) is a bilinear map if it satisfies the following conditions.

  • Computability: the value of \(e\) can be computed efficiently.

  • Bilinearity: for any \(u,v\in {\mathbb{G}}_{1}\) and \(a,b\in {Z}_{q}\), it holds that \(e({u}^{a},{v}^{b})={e(u,v)}^{ab}\).

  • Nondegeneracy: if \(g\) is a generator of \({\mathbb{G}}_{1}\), then \(e(g,g)\ne {1}_{{\mathbb{G}}_{2}}\).

2.2 Bilinear Diffie–Hellman problem

Let \({\mathbb{G}}_{1}\) be an additive cyclic group and \({\mathbb{G}}_{2}\) a multiplicative cyclic group of the same order \(q\), where \(q\) is a very large prime. Let \(P\) denote a generator of \({\mathbb{G}}_{1}\), and let \(e:{\mathbb{G}}_{1}\times {\mathbb{G}}_{1}\to {\mathbb{G}}_{2}\) be a bilinear map. Given a tuple \(T=\langle P,xP,yP,zP\rangle \in {\mathbb{G}}_{1}\) with \(x,y,z\in {Z}_{q}\) unknown, it is hard for any probabilistic polynomial time (PPT) algorithm \(A\) to compute \(Z={e\left(P,P\right)}^{xyz}\in {\mathbb{G}}_{2}\). Algorithm \(A\) is said to have advantage \(\varepsilon \) in solving the problem if

$$\left|\text{Pr}\left[A={e\left(P,P\right)}^{xyz}\left|P,xP,yP,zP\in {\mathbb{G}}_{1},x,y,z\in {Z}_{q}\right.\right]\right|\ge \varepsilon .$$
(1)

2.3 CDH assumption

Let \({\mathbb{G}}_{1}\) be an additive cyclic group of order \(q\), where \(q\) is a very large prime, and let \(P\) denote a generator of \({\mathbb{G}}_{1}\). Given a tuple \(T=\langle P,aP,bP\rangle \in {\mathbb{G}}_{1}\) with \(a,b\in {Z}_{q}\) unknown, the probability that any PPT algorithm \(A\) correctly outputs \(abP\) is negligible.

2.4 System model

The system model based on the IoMT health care system was introduced. As illustrated in Fig. 1, seven types of entities are present in the system. Their details are as follows:

Fig. 1 System model of the IoMT intelligent medical system. NM, Network manager; KPSs, key protection servers; BMS, biomedical sensor; IoMT, Internet of Medical Things; PAD, personal auxiliary device; and IoT, Internet of Things

Network manager (NM): This half-trusted organization initializes the system and computes the master key and public key. It authenticates each entity and issues a partial private key to it.

Key protection servers (KPSs): Using their own keys, the KPSs protect the private keys of entities and send the protected private key shares to them. The calculation is performed in the cloud to reduce computational costs.

BMS: BMSs are miniature sensors with limited storage, battery life, and computing power. They are typically placed on or outside the patient's body or deployed in the patient's tissues. A BMS collects the patient's PHI, encrypts and authenticates it with the symmetric key shared with the serving device, and finally sends it to the PAD.

Personal auxiliary device (PAD): The data receiver, with sufficient storage space and computing power. After receiving an incomplete private key, the PAD completes it by selecting a secret value. The PAD verifies the encrypted PHI sent by the BMS. The PAD is not a trusted entity because, as per Kumar et al., the sensitive data of patients can be easily stolen from it by some adversaries through statistical or physical attacks.

MCS: The MCS is an entity that offers storage services to other entities; it has a large storage capacity and provides access to the encrypted PHI for the server device. Because some users' stored data could be lost, the MCS is a half-trusted entity.

SD: Medical organizations use this device to access the patients' PHI stored on the MCS and to perform patient diagnosis based on the recovered PHI. Furthermore, according to the diagnosis, a prescription is sent back to the BMS via the MCS and the PAD.

Public verifier (PV): This entity can audit the integrity of data stored in MCS. Specifically, to detect whether the MCS has lost any data blocks stored by the user, PV initiates a challenge to the MCS and receives a response from the MCS. The validator can then verify that the MCS is storing user data.

3 Security analysis of the improved KC system

We analyzed the security of the improved KC system [16]. We first proved that the PAD private key can be easily recovered and subsequently analyzed its consequences.

3.1 Private key of the entity is not secure

In the final stage of the “entity authentication and registration” algorithm, each entity \(E\in \left\{BMS,PAD,SD\right\}\) obtains its private key as follows:

$${d}_{E}={s}_{0}\left({s}_{1}+{s}_{2}+\cdots {s}_{n}\right){H}_{1}\left({ID}_{E}\right)\in {\mathbb{G}}_{1}$$
(2)

Thus, the secret of each entity is supposed to be unobtainable by others. We analyzed and proved that anyone can recover the PAD private key \({d}_{\mathrm{PAD}}\) by eavesdropping on the transmitted parameters.

Specifically, recalling the algorithms “PHI Aggregate Signcryption” and “PHI ReAggregation,” the \(j\)th BMS signcrypts the original PHI data \({M}_{1,j},{M}_{2,j},\ldots ,{M}_{m,j}\) into the signciphertext \({CT}_{j}=\langle {A}_{j},{B}_{j},{C}_{j},{\sum }_{i=1}^{n}{D}_{i,j},{E}_{j}\rangle \) and sends it to the PAD for reaggregation. The PAD computes \({c}_{\mathrm{PAD}}={H}_{4}\left({C}_{1},{C}_{2},\ldots ,{C}_{m}\right)\in {Z}_{q}^{*}\) and signs with its private key through \({C}_{\mathrm{PAD}}={c}_{\mathrm{PAD}}Y\) and \(F={c}_{\mathrm{PAD}}{d}_{\mathrm{PAD}}\). The PAD then sends \({CT}_{\mathrm{PAD}}=\langle {A}_{j},{B}_{j},{C}_{j},{C}_{\mathrm{PAD}},{\sum }_{i=1}^{n}{D}_{i,j},{E}_{j},F\rangle \) to the MCS.

Any eavesdropper can view the transmitted \({CT}_{\mathrm{PAD}}\), where the eavesdropper can recover the private key \({d}_{\mathrm{PAD}}\) of this PAD by \(F\) and each \({C}_{j}\) in the \({CT}_{\mathrm{PAD}}\).

First, the attacker computes \({c}_{\mathrm{PAD}}={H}_{4}\left({C}_{1},{C}_{2},\ldots ,{C}_{m}\right)\) from all the \({C}_{j}\). Because \({c}_{\mathrm{PAD}}\in {Z}_{q}^{*}\) and \(q\) is prime, an integer \(\mu \) exists such that \(\mu {c}_{\mathrm{PAD}}\equiv 1 \pmod q\), and \(\mu \) can be obtained by the extended Euclidean algorithm. Thus, \(\mu F=\mu {c}_{\mathrm{PAD}}{d}_{\mathrm{PAD}}=\left(\mu {c}_{\mathrm{PAD}}\right){d}_{\mathrm{PAD}}=1\cdot {d}_{\mathrm{PAD}}={d}_{\mathrm{PAD}}\). Hence anyone observing the \({CT}_{\mathrm{PAD}}\) content can easily compute and recover the PAD's private key \({d}_{\mathrm{PAD}}\).

3.2 Consequence 1

First, in the improved KC system [16], the NM establishes the system in the “system-setup” stage. Then, each entity is authenticated and registered through its identity \({ID}_{E}\). Finally, the partial private key is calculated using the master private key, which is protected by multiple KPSs. The KPSs calculate the protected private key shares and forward them to the entity, which merges the shares to obtain its private key \({d}_{E}\). This measure is meant to ensure that the entity obtains a correct and authenticated private key \({d}_{E}\). However, the private key of the PAD, \({d}_{\mathrm{PAD}}\), can be easily recovered. Therefore, the function of the “Entity's Authentication and Registration” phase is invalid.

3.3 Consequence 2

The exposure of the PAD's private key \({d}_{\mathrm{PAD}}\) affects the certification stage of the entire medical system. Next, we prove that an attacker can compromise the mutual authentication of the medical system.

Assume a malicious entity or adversary \(adv\) poses as a real entity and joins the network to break the entire medical system. Pretending to be a \(BMS\), \(adv\) performs the following steps:

  1. Choose any \({a}_{j}^{\mathrm{adv}},x\in {Z}_{q}^{*}\) and calculate \({A}_{j}^{\mathrm{adv}}={a}_{j}^{\mathrm{adv}}xP\) and \({B}_{j}^{\mathrm{adv}}={a}_{j}^{\mathrm{adv}}P\), where \({Q}_{\mathrm{BMS}}^{j}={H}_{1}\left({ID}_{\mathrm{BMS}}^{j}\right)\).

  2. Set \({Q}_{\mathrm{SD}}={H}_{1}\left({ID}_{\mathrm{SD}}\right)\) and \({K}_{j}^{\mathrm{adv}}=e\left({a}_{j}^{\mathrm{adv}}xY,{Q}_{\mathrm{SD}}\right)\), and then calculate the signature key \({sk}_{j}^{\mathrm{adv}}={H}_{2}\left({ID}_{\mathrm{SD}},{K}_{j}^{\mathrm{adv}},{sk}_{j}^{-\mathrm{adv}}\right)\), where \({sk}_{j}^{-\mathrm{adv}}\) is the previous secret key.

  3. Set \({h}_{i,j}^{\mathrm{adv}}={H}_{3}\left({M}_{i,j}^{\mathrm{adv}},{A}_{j}^{\mathrm{adv}},{T}_{i,j}^{\mathrm{adv}}\right)\) and \({C}_{i,j}^{\mathrm{adv}}=\left({a}_{j}^{\mathrm{adv}}+{h}_{i,j}^{\mathrm{adv}}\right)xY\).

  4. Signcrypt \({D}_{i,j}^{\mathrm{adv}}={M}_{i,j}^{\mathrm{adv}}||{C}_{i,j}^{\mathrm{adv}}||{ID}_{\mathrm{BMS}}^{j}||{T}_{i,j}^{\mathrm{adv}}\oplus {sk}_{j}^{\mathrm{adv}}\).

  5. Calculate \({C}_{\mathrm{aggr},j}^{\mathrm{adv}}={H}_{4}\left({C}_{1,j}^{\mathrm{adv}},{C}_{2,j}^{\mathrm{adv}},\ldots ,{C}_{m,j}^{\mathrm{adv}}\right)\), \({E}_{j}^{\mathrm{adv}}={C}_{\mathrm{aggr},j}^{\mathrm{adv}}xY\), and \({C}_{j}^{\mathrm{adv}}={C}_{\mathrm{aggr},j}^{\mathrm{adv}}Y\).

  6. Let \(adv\) send \({CT}_{j}^{\mathrm{adv}}=\langle {A}_{j}^{\mathrm{adv}},{B}_{j}^{\mathrm{adv}},{C}_{j}^{\mathrm{adv}},{\sum }_{i=1}^{n}{D}_{i,j}^{\mathrm{adv}},{E}_{j}^{\mathrm{adv}}\rangle \) to the PAD.

Similarly, \(adv\), disguised as a real \(PAD\), communicates with the other entities by generating the transmission parameters. Having recovered the \(PAD\) private key \({d}_{\mathrm{PAD}}\) as in Sect. 3.1, the adversary simply calculates \({c}_{\mathrm{PAD}}^{\mathrm{adv}}={H}_{4}\left({C}_{1}^{\mathrm{adv}},{C}_{2}^{\mathrm{adv}},\ldots ,{C}_{m}^{\mathrm{adv}}\right)\), \({C}_{\mathrm{PAD}}^{\mathrm{adv}}={c}_{\mathrm{PAD}}^{\mathrm{adv}}Y\), and \({F}_{\mathrm{adv}}={c}_{\mathrm{PAD}}^{\mathrm{adv}}{d}_{\mathrm{PAD}}\).

Therefore, \(adv\) uploads \({CT}_{\mathrm{PAD}}^{\mathrm{adv}}=\langle {A}_{j}^{\mathrm{adv}},{B}_{j}^{\mathrm{adv}},{C}_{j}^{\mathrm{adv}},{C}_{\mathrm{PAD}}^{\mathrm{adv}},{\sum }_{i=1}^{n}{D}_{i,j}^{\mathrm{adv}},{E}_{j}^{\mathrm{adv}},{F}_{\mathrm{adv}}\rangle \) to the \(MCS\).

Both public verification equations (3) and (4) then pass:

$$ e\left( {E_{j}^{{{\text{adv}}}} ,B_{j}^{{{\text{adv}}}} } \right) = e\left( {C_{{{\text{aggr}},j}}^{{{\text{adv}}}} xY,a_{j}^{{{\text{adv}}}} P} \right) = e\left( {a_{j}^{{{\text{adv}}}} xP,C_{{{\text{aggr}},j}}^{{{\text{adv}}}} Y} \right) = e\left( {A_{j}^{{{\text{adv}}}} ,C_{j}^{{{\text{adv}}}} } \right) $$
(3)
$$ \begin{aligned} e\left( {F_{{{\text{adv}}}} ,P} \right) & = e\left( {c_{{{\text{PAD}}}}^{{{\text{adv}}}} d_{{{\text{PAD}}}} ,P} \right) \\ & = e\left( {s_{0} \left( {s_{1} + s_{2} + \cdots s_{n} } \right)H_{1} \left( {ID_{{{\text{PAD}}}} } \right),c_{{{\text{PAD}}}}^{{{\text{adv}}}} P} \right) \\ & = e\left( {H_{1} \left( {ID_{{{\text{PAD}}}} } \right),c_{{{\text{PAD}}}}^{{{\text{adv}}}} s_{0} \left( {s_{1} + s_{2} + \cdots s_{n} } \right)P} \right) \\ & = e\left( {H_{1} \left( {ID_{{{\text{PAD}}}} } \right),C_{{{\text{PAD}}}}^{{{\text{adv}}}} } \right) \\ \end{aligned} $$
(4)

Thus, a malicious adversary \(Adv\) can impersonate BMSs or PADs, and the improved KC system can neither detect nor prevent it. Therefore, the mutual authentication function of the system of Kumar et al. [16] fails.

3.4 Invalid public verifiable algorithm

As demonstrated by Zhou et al. [19], even if an adversarial cloud server does not satisfactorily maintain the outsourced data, it can still pass the audit of the “public verifiability” algorithm. This problem exists in both [15, 16]. The detailed proof is omitted in this study.

4 Escrow-free identity-based scheme and its security

Kumar et al.'s cloud-centric healthcare IoT system has many problems. We designed an escrow-free identity-based scheme to ensure mutual authentication and unforgeability of the PHI uploaded by patients to the cloud. In this section, we demonstrate the security of EF-IDS: EF-IDS solves the private key leak problem of Sect. 3.1 and thus avoids the consequences described in Sects. 3.2 and 3.3.

The BDH-based escrow-free identity-based signature scheme, EF-IDS, is defined as follows:

Setup This is the master key generation algorithm; it outputs the master keys of \(NM\) and the \({KPS}_{s}\) and the system parameters. Specifically, given a security parameter \({1}^{\lambda }\), the algorithm generates a bilinear map \(e:{\mathbb{G}}_{1}\times {\mathbb{G}}_{1}\to {\mathbb{G}}_{2}\), where \({\mathbb{G}}_{1}\) and \({\mathbb{G}}_{2}\) are additive and multiplicative cyclic groups with the same prime order \(q\) (\(|q|\ge \lambda \)) and \(P\) is a generator of \({\mathbb{G}}_{1}\). Furthermore, \(u\in {\mathbb{G}}_{1}\) is selected randomly. \({H}_{1}\) is defined as a hash function from \({\{0,1\}}^{*}\) to \({\mathbb{G}}_{1}\) and \({H}_{2}\) as a hash function from \({\{0,1\}}^{*}\) to \({Z}_{q}^{*}\).

NM and the KPSs randomly select \(<{s}_{0},{s}_{1},{s}_{2},\ldots ,{s}_{n}>\in {Z}_{q}^{*}\), where \({s}_{0}\) is the master key of NM and \(<{s}_{1},{s}_{2},\ldots ,{s}_{n}>\) are the keys of the \({KPS}_{s}\). NM computes \({P}_{0}={ s}_{0}P\) and sends \({P}_{0}\) to each \({KPS}_{i}\). \({KPS}_{i}\) calculates \({P}_{i}= {s}_{i}{P}_{0}\), keeps \({s}_{i}\) secret, and returns \({P}_{i}\) to NM. NM computes the system public key \(Y=\sum_{i=1}^{i=n}{P}_{i}={s}_{0}\left({s}_{1}+{s}_{2}+\cdots {s}_{n}\right)P\). The system parameters \(params=\left(e,{\mathbb{G}}_{1},{\mathbb{G}}_{2}, P,u,{H}_{1},{H}_{2},Y\right)\) are published, and the master keys are kept secret.

KeyGen Given the identity \({ID}_{E}\) of an entity \(E\):

  1. \(E\) selects \({x}_{E}\in {Z}_{q}^{*}\) at random, calculates \({X}_{E} ={x}_{E}P\) and \({D}_{E}={x}_{E}{Q}_{E}\), where \({Q}_{E}= {H}_{1}({ID}_{E})\), and sends \(<{X}_{E},{ID}_{E},{D}_{E}>\) to NM.

  2. NM calculates \({D}_{E0}={s}_{0}{D}_{E}\) and returns it to \(E\).

  3. \(E\) requests key protection from \({\mathrm{KPS}}_{{i}}\) and sends \({D}_{E0}\) to \({\mathrm{KPS}}_{{i}}\).

  4. \({\mathrm{KPS}}_{{i}}\) calculates the protected partial private key share \({D}_{Ei}={s}_{i}{D}_{E0}\) and sends \({D}_{Ei}\) to \(E\).

  5. Entity \(E\) computes its private key \({d}_{E}={x}_{E}^{-1}\sum_{i=1}^{i=n}{D}_{Ei}={s}_{0}\left({s}_{1}+{s}_{2}+\cdots {s}_{n}\right){Q}_{E}\).

Sign This is the signature algorithm run by a signer with identity \({\mathrm{ID}}_{\mathrm{S}}\). Specifically, given a message \(M=({M}_{1},{M}_{2},\ldots ,{M}_{m})\), the signer randomly selects a secret value \(s\in {Z}_{q}^{*}\) and computes \({A}_{s}=s{Q}_{s}\), \({B}_{s}=sP\), \({C}_{s}=s{Q}_{R}\), and \(F_{s} = sH_{2} \left( {M_{1} ,M_{2} , \ldots ,M_{m} } \right)(Y + d_{S} )\), and outputs \(({A}_{s},{B}_{s},{C}_{s},{F}_{s})\) as the signature of the message \(M\).

Verify Given the system parameters and a message–signature pair \((M,{A}_{s},{B}_{s},{C}_{s},{F}_{s})\), the receiver uses its own private key \({d}_{R}\) to check whether the following three equations hold.

$$e\left({C}_{s},Y\right)=e\left({d}_{R},{B}_{s}\right)$$
(5)
$$e\left({A}_{s},P\right)=e\left({Q}_{s},{B}_{s}\right)$$
(6)
$$e\left({F}_{s},{Q}_{R}\right)=e\left({A}_{s}+{B}_{s},{H}_{2}\left({M}_{1},{M}_{2},\ldots ,{M}_{m}\right){d}_{R}\right)$$
(7)

If all three equations hold, the message is accepted and the output is 1. Otherwise, the output is 0.

The correctness of (5) can be verified as follows:

$$e\left({C}_{s},Y\right)=e\left(s{Q}_{R},{s}_{0}\left({s}_{1}+{s}_{2}+\cdots {s}_{n}\right)P\right)=e\left({s}_{0}\left({s}_{1}+{s}_{2}+\cdots {s}_{n}\right){Q}_{R},sP\right)=e\left({d}_{R},{B}_{s}\right)$$
(8)

The correctness of (6) can be verified as follows:

$$e\left({A}_{s},P\right)=e\left(s{Q}_{s},P\right)=e\left({Q}_{s},sP\right)=e\left({Q}_{s},{B}_{s}\right)$$
(9)

The correctness of (7) can be verified as follows:

$$ \begin{aligned} e\left( {F_{s} ,Q_{R} } \right) & = e\left( {sH_{2} \left( {M_{1} ,M_{2} , \ldots ,M_{m} } \right)\left( {Y + d_{S} } \right),Q_{R} } \right) \\ & = e\left( {ss_{0} \left( {s_{1} + s_{2} + \cdots s_{n} } \right)P + ss_{0} \left( {s_{1} + s_{2} + \cdots s_{n} } \right)Q_{s} ,H_{2} \left( {M_{1} ,M_{2} , \ldots ,M_{m} } \right)Q_{R} } \right) \\ & = e\left( {sP + sQ_{s} ,H_{2} \left( {M_{1} ,M_{2} , \ldots ,M_{m} } \right)s_{0} \left( {s_{1} + s_{2} + \cdots s_{n} } \right)Q_{R} } \right) \\ & = e\left( {A_{s} + B_{s} ,H_{2} \left( {M_{1} ,M_{2} , \ldots ,M_{m} } \right)d_{R} } \right) \\ \end{aligned} $$
(10)

Regarding its security, we have the following points:

Theorem 1

If the BDH assumption holds for \({\mathbb{G}}_{1}\), the scheme EF-IDS is secure in the random oracle model, where \({H}_{1}\) and \({H}_{2}\) are modeled as random oracles: for any PPT adversary, outputting a valid forgery is infeasible.

Proof.

We discuss two types of adversaries against the EF-IDS scheme, called Type-I and Type-II. Informally, a Type-I adversary \({A}_{\mathrm{I}}\) represents a general adversary (i.e., neither NM nor a KPS) that cannot access the master keys of NM and the KPSs. A Type-II adversary \({A}_{\mathrm{II}}\) represents a malicious NM, which may also collude with (n−1) of the n KPSs but is not allowed to change the public key of any user. If the second type of adversary succeeds, a key escrow problem occurs. Next, a reduction from the BDH assumption to the security of EF-IDS is established for \({A}_{\mathrm{I}}\) and \({A}_{\mathrm{II}}\).

Type-I Adversary Assume that the generator of \({\mathbb{G}}_{1}\) is \(P\). Let \({B}_{I}\) be the algorithm that attacks the BDH assumption on \({\mathbb{G}}_{1}\); \({B}_{I}\) simulates the environment for the PPT adversary \({A}_{I}\). Specifically, given a BDH instance \(\left({P},{aP},{bP},{cP}\right)\), \({B}_{I}\) defines the bilinear map \(e:{\mathbb{G}}_{1}\times {\mathbb{G}}_{1}\to {\mathbb{G}}_{2}\).

Here, \({B}_{I}\) does not know \(a,b,c\in {\mathbb{Z}}_{q}\). The hash functions \({H}_{1}\) and \({H}_{2}\) are modeled as random oracles simulated by \({B}_{I}\). \({B}_{I}\) sets \(Y=cP\in {\mathbb{G}}_{1}\) and sends \(\left(e,{\mathbb{G}}_{1},{\mathbb{G}}_{2},P,Y\right)\) to \({A}_{I}\).

Suppose \({A}_{I}\) makes at most \({q}_{i}\) queries to the \({H}_{i}\)-Oracle (\(i=1,2\)), \({q}_{k}\) private key queries, and \({q}_{s}\) signature queries, and wins the EUF-CMA-I game with nonnegligible advantage \(\varepsilon \). Then algorithm \({B}_{I}\) can solve the BDH problem in polynomial time \({t}^{{\prime}}\) with advantage \(\mathrm{Adv}\left({A}_{I}\right)\), where \({t}_{{B}_{I}}\) is the running time of algorithm \({B}_{I}\). Here, \({B}_{I}\) randomly selects two indices \(S,R\in \left\{1,2,\ldots ,{q}_{1}\right\}\) as its guess of the identities of the final sender and receiver, where \(S\) is the sender and \(R\) is the receiver.

Phase 1 Here, \({A}_{I}\) issues the following queries.

  1. \({H}_{1}\)-Oracle queries: When \({A}_{I}\) requests an \({H}_{1}\) query on \({ID}_{i}\), \({B}_{I}\) randomly selects \({x}_{i}\in {\mathbb{Z}}_{q}\), where \(i\in \left\{1,2,\ldots ,{q}_{1}\right\}\), and checks whether it is the \(S\)th or \(R\)th query. If not, it computes \({Q}_{i}={H}_{1}\left({ID}_{i}\right)={x}_{i}P\). Otherwise, \({B}_{I}\) outputs \({H}_{1}\left({ID}_{S}\right)={x}_{S}aP\) or \({Q}_{R}={H}_{1}\left({ID}_{R}\right)={x}_{R}bP\) and returns it to \({A}_{I}\).

  2. \({H}_{2}\)-Oracle queries: Answers to \({H}_{2}\)-Oracle queries are simply sampled lazily, on demand.

  3. KeyGen queries: For the queried \({ID}_{i}\), \({B}_{I}\) first performs an \({H}_{1}\) query on it. If it is not the \(S\)th or \(R\)th \({H}_{1}\) query, \({B}_{I}\) computes and returns \({d}_{i}={x}_{i}cP\); otherwise, \(\perp \) is returned.

  4. Signature queries: \({A}_{I}\) submits a tuple \(\left(M,{ID}_{i},{ID}_{j}\right)\) to this oracle, where \({ID}_{i}\) is the sender identity and \({ID}_{j}\) the receiver identity. \({B}_{I}\) checks whether \({ID}_{i}\) and \({ID}_{j}\) are the \(S\)th or \(R\)th \({H}_{1}\) queries. If not, \({B}_{I}\) randomly selects \(s\in {Z}_{q}^{*}\), sets \(A=s{x}_{i}P\), \(B=sP\), \(C=s{x}_{j}P\), and \(F=s{H}_{2}\left(M\right)\left(Y+{d}_{i}\right)\), and returns \(\langle {ID}_{i},{ID}_{j},M,A,B,C,F\rangle \) to \({A}_{I}\). Otherwise, \(\perp \) is returned.

Forge Finally, \(A_I\) outputs the forged message-signature pair \(\langle ID_i^*,ID_j^*,M^*,A^*,B^*,C^*,F^*\rangle\), which satisfies \(e(C^*,Y)=e(d_j^*,B^*)\), \(e(A^*,P)=e(Q_i^*,B^*)\) and \(e(F^*,Q_j^*)=e(A^*+B^*,H_2(M^*)d_j^*)\). If the sending identity \(ID_i^*\) and receiving identity \(ID_j^*\) are not \(ID_S\) and \(ID_R\), the process is aborted. Otherwise, \(A^*=sx_SaP\), \(B^*=sP\), \(C^*=sx_RbP\), and \(F^*=sH_2(M^*)(Y+d_S)=sH_2(M^*)(c+x_Sac)P\). \(B_I\) then computes \(W\) as in formula (11), which formula (12) verifies.

$$ W = \left( \frac{e\left(F^{*},C^{*}\right)}{e\left(sH_{2}\left(M^{*}\right)Y,C^{*}\right)} \right)^{\frac{1}{ssH_{2}\left(M^{*}\right)x_{S}x_{R}}} $$
(11)
$$ \begin{aligned} W &= \left( \frac{e\left(F^{*},C^{*}\right)}{e\left(sH_{2}\left(M^{*}\right)Y,C^{*}\right)} \right)^{\frac{1}{ssH_{2}\left(M^{*}\right)x_{S}x_{R}}} \\ &= \left( \frac{e\left(sH_{2}\left(M^{*}\right)\left(c+x_{S}ac\right)P,\,sx_{R}bP\right)}{e\left(sH_{2}\left(M^{*}\right)cP,\,sx_{R}bP\right)} \right)^{\frac{1}{ssH_{2}\left(M^{*}\right)x_{S}x_{R}}} \\ &= \left( \frac{e\left(sH_{2}\left(M^{*}\right)cP,\,sx_{R}bP\right)\cdot e\left(sH_{2}\left(M^{*}\right)x_{S}acP,\,sx_{R}bP\right)}{e\left(sH_{2}\left(M^{*}\right)cP,\,sx_{R}bP\right)} \right)^{\frac{1}{ssH_{2}\left(M^{*}\right)x_{S}x_{R}}} \\ &= e\left(sH_{2}\left(M^{*}\right)x_{S}acP,\,sx_{R}bP\right)^{\frac{1}{ssH_{2}\left(M^{*}\right)x_{S}x_{R}}} = e\left(P,P\right)^{abc} \end{aligned} $$
(12)

Thus formula (13) gives the solution to the BDH problem.

$$W={\left(\frac{e\left({F}^{*},{C}^{*}\right)}{e\left({C}^{*},s{H}_{2}\left({M}^{*}\right)Y\right)}\right)}^{\frac{1}{ss{H}_{2}\left({M}^{*}\right){x}_{S}{x}_{R}}}={e\left(P,P\right)}^{abc}$$
(13)

If simulator \(B_I\) correctly guesses \(S,R\), the signature query on the tuple \((M,ID_i,ID_j)=(M,ID_S,ID_R)\) can be simulated and the forged signature can be reduced, because the identities chosen in the signature queries must differ from \(ID_S\) and \(ID_R\). Thus, the probability of a successful simulation and a useful attack is \(1/(q_1(q_1-1))\). Assume adversary \(A_I\) breaks this scheme with \((t,1,\varepsilon)\) after making \(q_1\) \(H_1\)-Oracle queries; the advantage in solving the BDH problem is then \(\varepsilon/(q_1(q_1-1))\). Here, \(T_S\) denotes the time cost of the simulation, and \(T_S=O(1)\). Hence \(B_I\) solves the BDH problem with \((t+T_S,\,\varepsilon/(q_1(q_1-1)))\).


Type-II Adversary We construct another algorithm \(B_{II}\), which uses \(A_{II}\) as a subroutine to attack the BDH assumption. Given the tuple \((P,aP,bP,cP)\), \(B_{II}\) simulates the system parameters as \(B_I\) does, except for the generation of \(Y\). Specifically, \(B_{II}\) randomly selects \(h,r\in Z_q^*\) as the master key; then \(Y=hrP+hcP\in\mathbb{G}_1\). Subsequently, \((e,\mathbb{G}_1,\mathbb{G}_2,P,Y,h,r)\) is given to \(A_{II}\), and \(B_{II}\) selects two numbers \(S,R\in\{1,2,\ldots,q_1\}\) as its guess of the identities of the final sender and receiver, where \(S\) is the sender and \(R\) is the receiver.

Phase 1 \(A_{II}\) asks the following queries.

  • \(H_1\)-Oracle queries: \(A_{II}\) runs the same query as in Theorem 1.

  • \(H_2\)-Oracle queries: \(A_{II}\) runs the same query as in Theorem 1.

  • KeyGen queries: For the queried \(ID_i\), \(B_{II}\) performs an \(H_1\) query on it. If it is not the \(S\)th or \(R\)th query, \(B_{II}\) computes and returns \(d_i=x_ihrP+x_ihcP\); otherwise, \(\perp\) is returned.

  • Signature query: \(A_{II}\) submits the tuple \((M,ID_i,ID_j)\), with sending identity \(ID_i\) and receiving identity \(ID_j\), to this Oracle. \(B_{II}\) checks whether \(ID_i\) and \(ID_j\) are the \(S\)th or \(R\)th \(H_1\) queries. If not, \(B_{II}\) randomly selects \(s\in Z_q^*\), sets \(A=sx_iP\), \(B=sP\), \(C=sx_jP\), and \(F=sH_2(M)(Y+d_i)\), and returns \(\langle ID_i,ID_j,M,A,B,C,F\rangle\) to \(A_{II}\). Otherwise, \(\perp\) is returned.


Forge Finally, \(A_{II}\) outputs the forged message-signature pair \(\langle ID_i^*,ID_j^*,M^*,A^*,B^*,C^*,F^*\rangle\), which satisfies \(e(C^*,Y)=e(d_j^*,B^*)\), \(e(A^*,P)=e(Q_i^*,B^*)\) and \(e(F^*,Q_j^*)=e(A^*+B^*,H_2(M^*)d_j^*)\). If the sending identity \(ID_i^*\) and receiving identity \(ID_j^*\) are not \(ID_S\) and \(ID_R\), the process is aborted. Otherwise, \(A^*=sx_SaP\), \(B^*=sP\), \(C^*=sx_RbP\), and \(F^*=sH_2(M^*)(Y+d_S)=sH_2(M^*)\left(h(r+c)+x_Sah(r+c)\right)P\). \(B_{II}\) then computes \(W\) as in formula (14), which formula (15) verifies.

$$ W = \left( \frac{e\left(F^{*},C^{*}\right)}{e\left(sH_{2}\left(M^{*}\right)Y,C^{*}\right)\cdot e\left(H_{2}\left(M^{*}\right)hrA^{*},C^{*}\right)} \right)^{\frac{1}{ssH_{2}\left(M^{*}\right)hx_{S}x_{R}}} $$
(14)
$$ \begin{aligned} W &= \left( \frac{e\left(F^{*},C^{*}\right)}{e\left(sH_{2}\left(M^{*}\right)Y,C^{*}\right)\cdot e\left(H_{2}\left(M^{*}\right)hrA^{*},C^{*}\right)} \right)^{\frac{1}{ssH_{2}\left(M^{*}\right)hx_{S}x_{R}}} \\ &= \left( \frac{e\left(sH_{2}\left(M^{*}\right)\left(h\left(r+c\right)+x_{S}ah\left(r+c\right)\right)P,\,C^{*}\right)}{e\left(sH_{2}\left(M^{*}\right)Y,C^{*}\right)\cdot e\left(H_{2}\left(M^{*}\right)hrA^{*},C^{*}\right)} \right)^{\frac{1}{ssH_{2}\left(M^{*}\right)hx_{S}x_{R}}} \\ &= \left( \frac{e\left(sH_{2}\left(M^{*}\right)Y+sH_{2}\left(M^{*}\right)x_{S}ah\left(r+c\right)P,\,C^{*}\right)}{e\left(sH_{2}\left(M^{*}\right)Y,C^{*}\right)\cdot e\left(H_{2}\left(M^{*}\right)hrA^{*},C^{*}\right)} \right)^{\frac{1}{ssH_{2}\left(M^{*}\right)hx_{S}x_{R}}} \\ &= \left( \frac{e\left(H_{2}\left(M^{*}\right)hrA^{*}+sH_{2}\left(M^{*}\right)x_{S}ahcP,\,C^{*}\right)}{e\left(H_{2}\left(M^{*}\right)hrA^{*},C^{*}\right)} \right)^{\frac{1}{ssH_{2}\left(M^{*}\right)hx_{S}x_{R}}} \\ &= e\left(sH_{2}\left(M^{*}\right)x_{S}ahcP,\,sx_{R}bP\right)^{\frac{1}{ssH_{2}\left(M^{*}\right)hx_{S}x_{R}}} \\ &= e\left(P,P\right)^{abc} \end{aligned} $$
(15)

Thus \(W=e(P,P)^{abc}\) is the solution to the BDH problem.

If simulator \(B_{II}\) correctly guesses \(S,R\), the signature query on the tuple \((M,ID_i,ID_j)=(M,ID_S,ID_R)\) can be simulated and the forged signature can also be reduced, because the identities chosen in the signature queries must differ from \(ID_S\) and \(ID_R\). Therefore, the probability of a successful simulation and a useful attack is \(1/(q_1(q_1-1))\). Assume that adversary \(A_{II}\) breaks this scheme with \((t,1,\varepsilon)\) after making \(q_1\) \(H_1\)-Oracle queries. The advantage in solving the BDH problem is then \(\varepsilon/(q_1(q_1-1))\).

Here, \(T_S\) denotes the time cost of the simulation, with \(T_S=O(1)\); hence \(B_{II}\) solves the BDH problem with \((t+T_S,\,\varepsilon/(q_1(q_1-1)))\).

5 Proposed IoMT-based intelligent medical system

In this section, we provide the specific algorithmic implementation of the proposed smart healthcare system, which consists of the following seven stages.

5.1 System initialization

First, \(NM\) and \({KPS}_{s}\) follow the steps below to generate the system master key and system public parameters.


5.2 BMS, PAD, and SD registration

The NM verifies the identity of the new entity to be added to the network and issues a partial private key. The entity then obtains additional partial private keys from multiple KPSs, from which its private key is extracted.


5.3 Data communication from BMS to PAD

We now focus on the authenticated communication from the BMS to the PAD. In the general case, each PAD is assumed to be connected to \(n\) BMSs. Let \(m_{i,j}\) denote the PHI collected at time \(t_{i,j}\) by the \(j\)th BMS, where \(1\le i\le m\) and \(1\le j\le n\). Algorithm 2 describes the secure data communication from \(\mathrm{BMS}_j\) to the PAD: \(\mathrm{BMS}_j\) encrypts the collected messages, timestamps, and its identification, and the authenticated content is then transmitted to the PAD.


5.4 Data communication from PAD to MCS

By collecting the \(m\) authenticated data items \(M_{1,j},M_{2,j},\ldots,M_{m,j}\) from \(\mathrm{BMS}_j\), the PAD generates the aggregate signature \(\sigma_j\). Because the data \(M_{i,j}\) are encrypted by the \(j\)th BMS, the PAD cannot learn the actual PHI. Finally, the PAD uploads the aggregated label and ciphertext to the MCS for storage.


5.5 Public verification

Algorithm 6 defines public verifiability: the integrity of the PHI can be verified without downloading the data from the MCS. Therefore, the PAD, the SD, or any other PV can perform the verification task. Public verification follows the classical challenge-response model: the verifier sends a challenge message \(chal\) to the MCS, which computes a proof from the stored data and the challenge and returns it. The verifier then checks whether \(\Gamma\) is valid. If \(\Gamma\) is valid, the PHI data are intact; otherwise, the integrity of the PHI has been violated.


The correctness of step 5 in Algorithm 4 can be proven as follows.

$$ \begin{aligned} e\left(T,P\right) &= e\left(\sum_{\tau=1}^{l} b_{\tau}\sigma_{a_{\tau}},\,P\right) \\ &= e\left(\sum_{\tau=1}^{l} b_{\tau}\left(s\left(H_{1}\left(ID_{\mathrm{PAD}}\parallel ID_{\mathrm{SD}}\parallel id_{a_{\tau}}\right)+\sum_{i=1}^{m}M_{i,a_{\tau}}u\right)+d_{\mathrm{PAD}}\right),\,P\right) \\ &= e\left(\sum_{\tau=1}^{l}\left(s\left(b_{\tau}H_{1}\left(ID_{\mathrm{PAD}}\parallel ID_{\mathrm{SD}}\parallel id_{a_{\tau}}\right)+\sum_{i=1}^{m}b_{\tau}M_{i,a_{\tau}}u\right)+b_{\tau}d_{\mathrm{PAD}}\right),\,P\right) \\ &= e\left(\sum_{\tau=1}^{l} b_{\tau}H_{1}\left(ID_{\mathrm{PAD}}\parallel ID_{\mathrm{SD}}\parallel id_{a_{\tau}}\right),\,B_{\mathrm{PAD}}\right)\cdot e\left(\sum_{\tau=1}^{l}\sum_{i=1}^{m}b_{\tau}M_{i,a_{\tau}}u,\,B_{\mathrm{PAD}}\right)\cdot e\left(\sum_{\tau=1}^{l}b_{\tau}Q_{\mathrm{PAD}},\,Y\right) \\ &= e\left(\sum_{\tau=1}^{l} b_{\tau}H_{1}\left(ID_{\mathrm{PAD}}\parallel ID_{\mathrm{SD}}\parallel id_{j}\right),\,B_{\mathrm{PAD}}\right)\cdot e\left(\sum_{i=1}^{m}M_{i}u,\,B_{\mathrm{PAD}}\right)\cdot e\left(\sum_{\tau=1}^{l}b_{\tau}Q_{\mathrm{PAD}},\,Y\right) \end{aligned} $$
(16)

5.6 Decryption of PHI data by SD

To assist in the diagnosis of patients, SD first downloads authenticated PHI data and decrypts it to obtain real information about the patient's status. Algorithm 5 provides a detailed description.


5.7 Data communication from the SD to BMS

If the SD suspects the integrity of the PHI, Algorithm 6 is run to verify it. After evaluating the decrypted PHI, the SD diagnoses the patient and sends the prescription data back to the \(j\)th BMS with identity verification, i.e., the reverse of the data transmission from the BMS to the SD. Specifically, the SD computes the key \(S_j^k\) (using \(K_j'\)) and encrypts the prescription. The signature is then generated according to the EF-IDS and stored in the MCS. The PAD downloads the encrypted prescription and its label from the MCS, verifies the validity of the signature, and forwards them to \(\mathrm{BMS}_j\). Finally, the original prescription is recovered by decrypting the ciphertext with the key \(S_j^k\), and commands can be executed according to the SD's recommendations.

6 Security analysis

We analyze the security concerning our IoMT-based health care system.

6.1 Privacy

Theorem 2

Assume that the hash functions \(H_1\) and \(H_2\) are random oracles. If the BDH problem is hard, the aforementioned health care system is provably secure in the indistinguishability under chosen-ciphertext attack (IND-CCA) security model.

Proof

Assume an adversary \(\mathcal{A}\) that breaks the encryption scheme with \((t,q_k,q_d,\varepsilon)\) under the IND-CCA security model. We construct a simulator \(\mathcal{B}\) that solves the BDH problem. Given a problem instance \((P,aP,bP,cP)\) with a bilinear map \(e:\mathbb{G}_1\times\mathbb{G}_1\to\mathbb{G}_2\), \(\mathcal{B}\) controls the random oracles and simulates the environment for the PPT adversary \(\mathcal{A}\). Then \(\mathcal{B}\) performs the following steps.

Setup \(\mathcal{B}\) sets \(Y=cP\in\mathbb{G}_1\) and sends \((e,\mathbb{G}_1,\mathbb{G}_2,P,Y)\) to \(\mathcal{A}\). Assume that \(\mathcal{A}\) makes at most \(q_i\) queries to the \(H_i\)-Oracle \((i=1,2)\), \(q_k\) private key queries, \(q_{\mathrm{en}}\) encryption queries, and \(q_{\mathrm{de}}\) decryption queries. \(\mathcal{B}\) randomly selects two numbers \(S,R\in\{1,2,\ldots,q_1\}\) as its guess of the identities of the final sender and receiver, where \(S\) is the sender and \(R\) is the receiver.

Stage 1 \(\mathcal{A}\) asks the following queries.

  1. \(H_1\)-Oracle query: \(\mathcal{A}\) requests an \(H_1\) query on \(ID_i\); \(\mathcal{B}\) randomly selects \(x_i\in\mathbb{Z}_q\), where \(i\in\{1,2,\ldots,q_1\}\), and checks whether it is the \(S\)th or \(R\)th query. If not, \(Q_i=H_1(ID_i)=x_iP\). Otherwise, \(\mathcal{B}\) outputs \(Q_S=H_1(ID_S)=x_SaP\) and \(Q_R=H_1(ID_R)=x_RbP\) to \(\mathcal{A}\).

  2. \(H_2\)-Oracle query: the answer to the \(H_2\)-Oracle query is obtained by delayed (lazy) sampling.

  3. KeyGen query: For the queried \(ID_i\), \(\mathcal{B}\) performs an \(H_1\) query on it. If it is not the \(S\)th \(H_1\) query, \(\mathcal{B}\) returns \(d_i=x_icP\); otherwise, \(\perp\) is returned.

  4. Decryption query: \(\mathcal{A}\) submits \((ID_i,CT_i)\) with \(CT_i=(A_i,M_i)\) and asks for the decryption. If \(ID_i\ne ID_S\), the simulator \(\mathcal{B}\) generates the corresponding private key and decrypts the message; otherwise (\(ID_i=ID_S\)), the simulator proceeds with the decryption only if the decryption query passes verification.

Challenge \(\mathcal{A}\) outputs two messages of equal length \(m_0,m_1\in\{0,1\}^n\), a sending identity \(ID_i^*\) and a receiving identity \(ID_j^*\). In the hash list of \(H_1\), \(ID_i^*\) corresponds to \((i^*,ID_i^*,x_{i^*},H_1(ID_i^*))\) and \(ID_j^*\) corresponds to \((j^*,ID_j^*,x_{j^*},H_1(ID_j^*))\). If \(ID_i^*\) and \(ID_j^*\) are not \(ID_S\) and \(ID_R\), the process is aborted; otherwise, \(i^*=S\), \(H_1(ID_i^*)=x_SaP\), \(j^*=R\) and \(H_1(ID_j^*)=x_RbP\). \(\mathcal{B}\) then picks a bit \(b\in\{0,1\}\) and computes the challenge ciphertext \(CT^*=(A^*,M^*)\): it selects \(s\in Z_q^*\) and sets \(A^*=sx_SaP\), which is built from the problem instance, so the challenge ciphertext is a function of the random number \(s\) and the message \(m_b\). With \(M^*=H_2\left(ID_R\,||\,e(P,P)^{sx_Sx_Rabc}\right)\oplus m_b\), the challenge ciphertext is \(CT^*=\left(sx_SaP,\,H_2\left(ID_R\,||\,e(P,P)^{sx_Sx_Rabc}\right)\oplus m_b\right)\).

Therefore, as long as the random oracle \(H_2\) has never been queried on \(ID_R\,||\,e(P,P)^{sx_Sx_Rabc}\), the challenge ciphertext is, from the perspective of adversary \(\mathcal{A}\), a correctly formed ciphertext.

Stage 2 Same as Stage 1, except that \(\mathcal{A}\) may not query the private keys of \(ID_S\) and \(ID_R\).

Guess \(\mathcal{A}\) outputs a guess \(b'\in\{0,1\}\). If \(b'=b\), the adversary \(\mathcal{A}\) wins the game.

Probabilistic analysis If the sending identity \(ID_i^*\) and receiving identity \(ID_j^*\) of the challenge are the \(i^*\)th and \(j^*\)th identities queried to the random oracle, the adversary cannot ask for their private keys; only then can the query and challenge phases be simulated. Because there are \(q_{H_1}\) \(H_1\) queries in the simulation, the success probability is \(2/q_{H_1}\). Suppose the adversary queries the random oracle on \(e(P,P)^{abc}\) with probability \(\varepsilon\); then the simulator computes \(e(P,P)^{abc}\) with probability \(\varepsilon/q_{H_2}\).

Therefore, simulator \(\mathcal{B}\) obtains advantage \(2\varepsilon/(q_{H_1}q_{H_2})\) in solving the aforementioned BDH problem.

6.2 Integrity of PHI on MCS

Theorem 3.

In the IoMT-based health care system, if the MCS loses data blocks stored by users, it is computationally difficult for it to generate a valid forgery. Specifically, if the CDH assumption holds in \(\mathbb{G}_1\), a valid forgery would solve the CDH problem.

Proof.

Suppose \(MCS\) is a malicious cloud server that outputs valid forged files on corrupted data. We use \(MCS\) as a subroutine and construct algorithm \(\mathcal{B}\) that attacks the CDH assumption.

Specifically, given the tuple \((P,aP,bP)\in\mathbb{G}_1^3\), \(\mathcal{B}\) provides the simulation environment for \(MCS\). Here, \(\mathcal{B}\) defines a bilinear map \(e:\mathbb{G}_1\times\mathbb{G}_1\to\mathbb{G}_2\), randomly selects \(u\in\mathbb{G}_1\), and sets \(Y=aP\in\mathbb{G}_1\). \(\mathcal{B}\) models the hash functions \(H_1\) and \(H_2\) as random oracles and sends \((e,\mathbb{G}_1,\mathbb{G}_2,P,u,Y)\) to \(MCS\). Assume that \(MCS\) makes \(p\) queries to the \(H_1\)-Oracle. \(\mathcal{B}\) randomly selects \(\tau^*\in[q_1]\) as its guess of the index of the final identity.

  1. \(H_1\)-Oracle query: For the queried identity \(ID\), \(\mathcal{B}\) randomly selects \(r\in\mathbb{Z}_q\) and checks whether it is the \(\tau^*\)th query. If not, \(H_1(ID)=rP\); otherwise, \(H_1(ID)=brP\).

  2. Label generation query: \(MCS\) submits the tuple \((\{M_i\}_{i=1}^m,ID_i,id_j)\) to this Oracle. For the query from \(MCS\), \(\mathcal{B}\) checks whether \(ID_i\) is the \(\tau^*\)th \(H_1\) query. If not, \(\mathcal{B}\) randomly selects \(s\in Z_q^*\), sets \(B=sP\) and \(\sigma=s\left(H_1(ID_i||id_j)+\sum_{i=1}^m M_iu\right)+arP\), and returns \(\langle ID_i,id_j,\{M_i\}_{i=1}^m,B,\sigma\rangle\) to \(MCS\). Otherwise, it returns \(\perp\).

Forgery Finally, the \(MCS\) outputs the forged message-tag pair \(\langle ID_i^*,id_j,\{M_i\}_{i=1}^m,B^*,\sigma^*\rangle\), which satisfies \(e(\sigma^*,P)=e\left(H_1(ID_i^*||id_j),B^*\right)\cdot e\left(\sum_{i=1}^m M_iu,B^*\right)\cdot e\left(H_1(ID),Y\right)\). If the identity \(ID_i^*\) is not the \(\tau^*\)th query, \(\mathcal{B}\) aborts; otherwise, \(B^*=sP\) and \(\sigma^*=s\left(H_1(ID_i^*||id_j)+\sum_{i=1}^m M_iu\right)+abrP\). \(\mathcal{B}\) then calculates \(W=r^{-1}\left(\sigma^*-s\left(H_1(ID_i^*||id_j)+\sum_{i=1}^m M_iu\right)\right)=r^{-1}(abrP)=abP\).

Therefore, \(W=abP\) is used to solve the \(CDH\) assumption.

If simulator \(\mathcal{B}\) correctly guesses \(\tau^*\), the label generation query on the tuple \((\{M_i\}_{i=1}^m,ID_i,id_j)=(\{M_i\}_{i=1}^m,ID_{\tau^*},id_j)\) can be simulated, and the forged label can be reduced, because the forged message set \(\{M_i\}_{i=1}^m\) cannot have been submitted to the label generation query. Therefore, for \(q_1\) queries, the probability of a successful simulation and a useful attack is \(1/q_1\). Assume the adversary \(MCS\) breaks the tag generation scheme with \((t,q_t,\varepsilon)\) after making \(q_1\) \(H_1\)-Oracle queries; the advantage in solving the CDH problem is then \(\varepsilon/q_1\). Let \(T_S\) denote the time cost of the simulation, with \(T_S=O(q_1+q_t)\); then \(\mathcal{B}\) solves the CDH problem with \((t+T_S,\,\varepsilon/q_1)\).
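As an added sanity check, not code from the paper, the following script replays the Forge steps of the Type-I and Type-II reductions above and the tag extraction of Theorem 3 in an exponent model: each group element is stored as its discrete logarithm modulo a constructed prime Q, so \(e(xP,yP)=e(P,P)^{xy}\) becomes \(xy \bmod Q\). The script knows \(a,b,c\) (a real simulator does not) and only checks that the forged signatures pass the verification equations and that formulas (13), (15) and \(W=r^{-1}(\ldots)\) recover \(abc\) and \(ab\); all scalars and message values are constructed.

```python
"""Exponent-model check of the Type-I / Type-II reductions and Theorem 3.

Constructed example, not code from the paper.  No real pairing is used:
an element xP of G_1 is stored as the integer x mod Q, an element
e(P,P)^z of G_2 as z mod Q, so e(xP, yP) = e(P,P)^{xy} is x*y mod Q,
products in G_2 are sums of logs, quotients are differences, and taking a
k-th root is multiplication by k^{-1} mod Q.  The script knows a, b, c
(a real simulator does not); it only checks the algebra of the proofs.
"""
import secrets

Q = 2_147_483_647  # prime order of the toy groups (2^31 - 1), constructed


def rnd():
    """Uniform non-zero scalar in Z_Q^*."""
    return 1 + secrets.randbelow(Q - 1)


def e(x, y):
    """Pairing in the exponent model: e(xP, yP) = e(P,P)^{xy}."""
    return x * y % Q


def inv(k):
    return pow(k, -1, Q)


def verify_ef_ids(q_i, q_j, d_j, y, h2, a_, b_, c_, f_):
    """The three verification equations of the Forge step:
    e(C,Y)=e(d_j,B), e(A,P)=e(Q_i,B), e(F,Q_j)=e(A+B, H_2(M) d_j)."""
    return (e(c_, y) == e(d_j, b_)
            and e(a_, 1) == e(q_i, b_)
            and e(f_, q_j) == e((a_ + b_) % Q, h2 * d_j % Q))


def type1_reduction(a, b, c, x_s, x_r, s, h2):
    """Type-I simulator: Y = cP, Q_S = x_S aP, Q_R = x_R bP, d_i = c Q_i.
    Returns log_{e(P,P)} W from formula (13); should equal abc mod Q."""
    y = c
    q_s, q_r = x_s * a % Q, x_r * b % Q
    d_s, d_r = c * q_s % Q, c * q_r % Q
    # forged signature on M* from ID_S to ID_R: A*, B*, C*, F*
    a_, b_, c_ = s * q_s % Q, s, s * q_r % Q
    f_ = s * h2 * (y + d_s) % Q
    assert verify_ef_ids(q_s, q_r, d_r, y, h2, a_, b_, c_, f_)
    # W = (e(F*,C*) / e(s H_2(M*) Y, C*))^{1/(s s H_2(M*) x_S x_R)}
    return (e(f_, c_) - e(s * h2 * y % Q, c_)) * inv(s * s * h2 * x_s * x_r) % Q


def type2_reduction(a, b, c, x_s, x_r, s, h2, h, r):
    """Type-II simulator: Y = hrP + hcP, d_i = x_i hrP + x_i hcP.
    Returns log W from formula (15); should equal abc mod Q."""
    y = h * (r + c) % Q
    q_s, q_r = x_s * a % Q, x_r * b % Q
    d_s, d_r = q_s * h * (r + c) % Q, q_r * h * (r + c) % Q
    a_, b_, c_ = s * q_s % Q, s, s * q_r % Q
    f_ = s * h2 * (y + d_s) % Q
    assert verify_ef_ids(q_s, q_r, d_r, y, h2, a_, b_, c_, f_)
    # divide out e(sH_2 Y, C*) and e(H_2 h r A*, C*), then take the root
    num = e(f_, c_) - e(s * h2 * y % Q, c_) - e(h2 * h * r * a_ % Q, c_)
    return num * inv(s * s * h2 * h * x_s * x_r) % Q


def theorem3_extraction(a, b, r, s, h1_pair, u, msgs):
    """Theorem 3: Y = aP, H_1(ID_{tau*}) = brP, H_1(ID*||id_j) = h1_pair P,
    forged tag sigma* = s(H_1(ID*||id_j) + sum M_i u) + abrP.
    Returns log W = r^{-1}(sigma* - s(...)); should equal ab mod Q."""
    inner = (h1_pair + sum(msgs) * u) % Q
    sigma = (s * inner + a * b * r) % Q
    # tag verification equation from the Forgery step (product in G_2 = sum)
    lhs = e(sigma, 1)
    rhs = (e(h1_pair, s) + e(sum(msgs) * u % Q, s) + e(b * r % Q, a)) % Q
    assert lhs == rhs
    return inv(r) * (sigma - s * inner) % Q


def check_all(trials=20):
    """Random trials of all three extractions; True if every one recovers
    the BDH/CDH solution."""
    for _ in range(trials):
        a, b, c, x_s, x_r, s, h2, h, r = (rnd() for _ in range(9))
        if type1_reduction(a, b, c, x_s, x_r, s, h2) != a * b * c % Q:
            return False
        if type2_reduction(a, b, c, x_s, x_r, s, h2, h, r) != a * b * c % Q:
            return False
        msgs = [rnd() for _ in range(5)]
        if theorem3_extraction(a, b, r, s, rnd(), rnd(), msgs) != a * b % Q:
            return False
    return True


if __name__ == "__main__":
    print("all reductions recover the solution:", check_all())
```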

The detection probability of the MCS audit is critical because the proposed protocol uses random sampling to detect corrupted data blocks.

Theorem 4.

Suppose a total of \(n\) blocks are stored on the \(MCS\), of which \(p\,(p\le n)\) have been tampered with. For the challenge information \(chal=(l,k_1,k_2)\), \(l\) distinct blocks are selected at random to generate the integrity proof. Without loss of generality, assume that \(l_1\,(l_1\le p)\) of the selected blocks are tampered ones. Let \(P_a\) denote the probability that the tampering is detected, i.e., that at least one tampered block is selected. Then \(P_a\ge 1-\left(\frac{n-p}{n}\right)^l\).

Proof.

According to the definition of \({P}_{a}\), we have the following:

$$ P_{a} = \Pr \left\{ {l_{1} \ge 1} \right\} = 1 - \Pr \left\{ {l_{1} = 0} \right\} = 1 - \frac{n - p}{n} \cdot \frac{n - p - 1}{{n - 1}} \cdots \frac{{n - p - \left( {l - 1} \right)}}{n - l + 1} \ge 1 - \left( {\frac{n - p}{n}} \right)^{l} . $$
(17)

The more blocks are challenged, the higher the detection probability. If 1% of the blocks are tampered with, challenging 300 blocks gives \(P_a\ge 95\%\), and challenging 460 blocks gives \(P_a\ge 99\%\). If 5% of the blocks are tampered with, challenging 90 blocks gives \(P_a\ge 99\%\). Therefore, the detection rate of the proposed scheme is high.
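The following added example (not code from the paper) evaluates formula (17) for a constructed file of n blocks: the exact without-replacement detection probability, the paper's bound \(1-((n-p)/n)^l\), and the smallest challenge size \(l\) that reaches a target probability, which reproduces the 300/460/90-block figures above; the file size n = 10,000 is an assumption.

```python
"""Detection probability of the sampling-based integrity audit (Theorem 4).

Constructed example, not code from the paper.  n blocks are stored on the
MCS, p of them tampered; a challenge chal selects l distinct blocks, and
tampering is detected iff at least one selected block is tampered (l_1 >= 1).
"""
import math


def exact_detection_probability(n: int, p: int, l: int) -> float:
    """P_a = Pr[l_1 >= 1] = 1 - prod_{i=0}^{l-1} (n-p-i)/(n-i): sampling
    without replacement, exactly the product form of formula (17)."""
    if not (0 <= p <= n and 0 <= l <= n):
        raise ValueError("need 0 <= p <= n and 0 <= l <= n")
    if l > n - p:
        return 1.0  # fewer than l clean blocks exist: detection is certain
    miss = 1.0
    for i in range(l):
        miss *= (n - p - i) / (n - i)
    return 1.0 - miss


def lower_bound(n: int, p: int, l: int) -> float:
    """The paper's bound P_a >= 1 - ((n-p)/n)^l (sampling with replacement)."""
    return 1.0 - ((n - p) / n) ** l


def min_challenge_size_bound(n: int, p: int, target: float):
    """Smallest l for which the bound 1 - ((n-p)/n)^l reaches `target`, i.e.
    l = ceil(ln(1-target) / ln((n-p)/n)); None if p == 0 (nothing to detect)."""
    if p == 0:
        return None
    if p == n:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log((n - p) / n))


def min_challenge_size(n: int, p: int, target: float):
    """Smallest l whose exact (without-replacement) probability reaches
    `target`; never larger than the bound-based size."""
    for l in range(0, n + 1):
        if exact_detection_probability(n, p, l) >= target:
            return l
    return None


if __name__ == "__main__":
    n = 10_000  # constructed file size in blocks
    for frac, target in ((0.01, 0.95), (0.01, 0.99), (0.05, 0.99)):
        p = int(n * frac)
        lb = min_challenge_size_bound(n, p, target)
        ex = min_challenge_size(n, p, target)
        print(f"{frac:.0%} tampered, target {target:.0%}: "
              f"bound needs l={lb}, exact needs l={ex}")
```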

6.3 Other properties

Eavesdropping Theorem 2 shows that our scheme is IND-CCA secure. To recover the original PHI from the encrypted data, an adversary needs the private key of the SD or BMS, which is generated from the NM's master key and the KPS keys. Theorem 2 shows that recovering the master key or the generated secrets is equivalent to solving the BDH problem. Therefore, an unauthenticated entity cannot obtain the original message.

Identity authentication In the registration process of the proposed system, NM authenticates and registers every entity and obtains the private key. In the same system, two entities can communicate with each other if they have registered with the NM before.

Forward and backward confidentiality Even if the private key of the BMS and the session keys \(S_j^{k-1}\) of the previous \(k-1\) instances are leaked, the fresh random element \(a_j\) contained in the session key \(S_j^k\) of the \(k\)th instance ensures the confidentiality of that session key.

Public verifiability In Theorems 3 and 4, we proved that MCS cannot pass the integrity audit of the data stored in the cloud by the verifier in the case of data loss or tampering. In addition, because the verifier can perform the audit without using any private key, the audit task can be completed by anyone.

7 Performance analysis

In this section, we evaluate the performance of the proposed intelligent medical system in terms of computation and communication cost. The focus is on the communication and computation cost, and thus the energy consumption, incurred on the BMS side, because the BMS is a resource-limited device. To highlight its efficiency, we compare it with four other related systems or schemes, including Kumar et al.'s system [15, 16].

7.1 Communication overhead

In our system, the communication consists of the partial private keys \(D_{E0}\) and \(D_{Ei}\) returned to entities by the NM and the KPSs, the ciphertext from \(\mathrm{BMS}_j\) to the PAD, the ciphertext with its signature and tag from the PAD to the MCS, and the encrypted PHI data that the SD downloads from the MCS. We analyze each part of the communication cost.

Specifically, suppose we have one NM and \(\rho \) KPS in our system. First, the entity registers with NM and each KPS to obtain the private key. The registration process occurs only once, so the communication overhead of generating the private key for each entity is negligible.

The \(j\)th BMS sends the ciphertext \(M_{i,j}\in\{0,1\}^\lambda\) and \(A_j\in\mathbb{G}_1\) to the PAD, so the total communication overhead from the \(j\)th BMS to the PAD for \(m\) messages is \(m\lambda+\left|\mathbb{G}_1\right|\).

The PAD computes the identification \(id_j\in\{0,1\}^\lambda\), the signature \(A_{\mathrm{PAD}},B_{\mathrm{PAD}},C_{\mathrm{PAD}},F_{\mathrm{PAD}}\in\mathbb{G}_1\), and the integrity label \(\sigma_j\in\mathbb{G}_1\). Therefore, the total communication overhead from the PAD to the MCS is \((m+1)\lambda+6\left|\mathbb{G}_1\right|\). The communication overhead of the SD download from the MCS is the same as that of the PAD upload to the MCS, namely \((m+1)\lambda+6\left|\mathbb{G}_1\right|\).

Similarly, we evaluate the communication overheads of the corresponding processes in [15, 16] and list them in Table 2, where KeyGen-E denotes the communication overhead of generating the key of entity E, and A→B denotes the communication overhead from A to B.

Table 2 Comparison of communication overhead

7.2 Computation costs

For simplicity, let \(T_p\), \(T_{pm}\), \(T_{pa}\), and \(T_H\) denote the execution times of one pairing, one point (scalar) multiplication, one point addition, and one hash-to-point operation on group \(\mathbb{G}_1\), respectively; the computational cost of the other operations is negligible. Because the registration phase occurs only once, its computational cost is also negligible.

In our system, after collecting the PHI and timestamp, the BMS needs \(T_p+T_{pm}+3T_H\) for the encryption computation.

The PAD collects the data \({M}_{i,j}\in {\left\{\mathrm{0,1}\right\}}^{\lambda }\) and \({A}_{j}\in {\mathbb{G}}_{1}\) from the \({BMS}_{j}\), and the PAD calculates the identity \({id}_{j}\), signature \({A}_{\mathrm{PAD}},{B}_{\mathrm{PAD}},{C}_{\mathrm{PAD}},{F}_{\mathrm{PAD}}\), and integrity label \({\sigma }_{j}\). Therefore, the computational cost should equal \(\left(5+m\right){T}_{pm}+\left(m+2\right){T}_{pa}+4{T}_{H}\).

Finally, the SD downloads the file \(\left(id_j,\{M_{i,j}\}_{i=1}^m,\sigma_j,A_j,A_{\mathrm{PAD}},B_{\mathrm{PAD}},C_{\mathrm{PAD}},F_{\mathrm{PAD}}\right)\) from the MCS and decrypts it. This costs \(3T_p+T_{pm}+T_{pa}+3T_H\).

Similarly, we evaluated the computational costs of the corresponding processes in [15, 16] and listed them in Table 3.

Table 3 Comparison of computational cost

7.3 Experimental comparisons

This section assesses the performance of the intelligent medical system from a computational cost perspective. We compared the corresponding processes of BMS encryption, PAD signature, and SD decryption with other systems or schemes to show our efficiency advantage. The focus is to calculate the computational cost used by the BMS side during data communication and calculation because compared with the machine in the medical institution, the BMS side is a resource-constrained device.

We conducted experiments on a laptop with an Intel Core i5-8300U CPU at 2.3 GHz and 16 GB RAM. In our implementation, the supersingular curve \(y^2+y=x^3+x\) with embedding degree 4 and the eta pairing \(\eta:E(F_{2^{271}})\times E(F_{2^{271}})\to E(F_{2^{4\cdot 271}})\) were used, and the PBC library was used to perform the calculations.

Specifically, to better illustrate the advantages of our proposed scheme, we choose the KC system [15] and the improved KC system [16] for comparison and then conduct the following experiments. The experiment is divided into three parts. The first part compares the time cost of different data blocks encrypted by BMS, and the second and third parts compare the time cost of signature and decryption in PAD and SD based on different data blocks encrypted by BMS.

We increase the number of data blocks \(m\) encrypted per transmission by the BMS from 50 to 100 in increments of 10 and plot the resulting encryption time in Fig. 2. The cost of the encryption algorithm running on the BMS is significantly lower than in the KC system and the improved KC system: in our system, encrypting 100 blocks of data takes approximately 17.5 ms, which is a significant advantage. In addition, the key distribution process takes place only once, so it has little impact on the performance of each entity. In the second part of the experiment, the time cost of the PAD signature is larger than in the corresponding process of the KC system and the improved KC system, as shown in Fig. 3; however, in our system the PAD is a device with relatively ample battery and computing power, so a slight increase in time cost is acceptable. In the third part, the time taken by the SD to verify and decrypt the PHI also shows a significant advantage over the KC system and the improved KC system, as shown in Fig. 4.

Fig. 2 Time consumption of BMS encryption. BMS, biomedical sensor

Fig. 3 Time consumption of PAD signing. BMS, biomedical sensor; PAD, personal auxiliary device

Fig. 4 Time consumption for SD decryption. BMS, biomedical sensor

Through the analysis of the experimental results, we can see that our proposed intelligent medical system has great advantages in running time, especially for BMS. Therefore, the system is more suitable for intelligent healthcare based on IoMT.

8 Conclusion and future work

8.1 Conclusion

The patient may not have the ability to call for help in an emergency situation. Therefore, if the medical sensor detects obvious abnormal health information that requires immediate rescue, it should be equipped with an alarm or a means of calling for help. We proposed a cloud-centric IoMT-based intelligent medical system that is based on the EF-IDS and ensures the privacy of users' PHI. The proposed method includes mutual authentication and public verification of data integrity. Finally, experimental results demonstrate that our system is more efficient than Kumar et al.'s, especially for resource-constrained BMSs.

8.2 Future work

The first research direction for the future is to explore the application of our proposed technology in other scenarios, such as intelligent transportation and smart cities. Second, we aim to further optimize the key distribution process, which is crucial for practical implementation of intelligent medicine due to its complexity. Finally, we strive to enhance the timeliness of our medical Internet of Things (IoT) system. The patient may lack the capacity to request assistance in an emergency situation. Therefore, a medical sensor detecting significant deviations from normal health parameters should be equipped with either an alarm or a summoning aid.