sage a strong privacy preserving scheme against global eavesdropping for ehealth systems

8/6/2019 sage a strong privacy preserving scheme against global eavesdropping for ehealth systems

1/14

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO. 4, MAY 2009 365

SAGE: A Strong Privacy-Preserving SchemeAgainst Global Eavesdropping for eHealth Systems

Xiaodong Lin, Member, IEEE, Rongxing Lu, Xuemin (Sherman) Shen, Fellow, IEEE,Yoshiaki Nemoto, Senior Member, IEEE, and Nei Kato, Senior Member, IEEE

Abstract The eHealth system is envisioned as a promising ap-proach to improving health care through information technology,where security and privacy are crucial for its success and large-scale deployment. In this paper, we propose a strong privacy-preserving Scheme Against Global Eavesdropping, named SAGE,for eHealth systems. The proposed SAGE can achieve not only thecontent oriented privacy but also the contextual privacy againsta strong global adversary. Extensive analysis demonstrates theeffectiveness and practicability of the proposed scheme.

Index Terms eHealth system, security and privacy, content

oriented privacy, contextual privacy, strong global eavesdropping

I. INTRODUCTION

T IME is crucial when dealing with acute diseases, suchas heart disease and stroke. By statistics, in the UnitedStates alone stroke kills 150,000 people each year. The pa-tients lives could be saved if they are transported quickly toa hospital and receive immediate treatment and expeditiouscare. However, before a patient can receive crucial medicaltreatment on time, he or she needs to get early and rapiddiagnosis. Many approaches have been developed to reducethe fatalities due to acute diseases, such as angioplasty, life-saving debrillators installed in popular areas, but there arestill tremendous losses. Over the last twenty years, the mirac-ulous evolution of wireless technology has imposed a major impact on the revolution of humans lifestyle by providingthe best ever convenience and exibility in accessing theInternet services and various types of personal communicationapplications. Recently, Body Area Networks (BANs) (or BodySensor Networks (BSNs)) are emerging and envisioned tobe a promising approach for helping improve health care byeffectively monitoring patient health and disease progression[1].

In BANs, wearable, implantable, or portable medical wire-less sensors are deployed in patients to monitor the physio-logical conditions within the body and then send these patientinformation to a remote healthcare provider over the Internetfor receiving high quality healthcare from their physicians on

Manuscript received 27 July 2008; revised 5 December 2008.X. Lin is with the Faculty of Business and Information Technology,

University of Ontario Institute of Technology, 2000 Simcoe Street North,Oshawa, Ontario, Canada L1H 7K4 (e-mail: [email protected]).

R. Lu and X. Shen are with the Centre for Wireless Communications,Department of Electrical and Computer Engineering, University of Waterloo,200 University Avenue West, Waterloo, Ontario, Canada N2L 3G1 (e-mail:{rxlu,xshen }@bbcr.uwaterloo.ca).

Y. Nemoto and N. Kato are with the Graduate School of Informa-tion Sciences, Tohoku University, Sendai, 980-8579, Japan (e-mail: [email protected]; [email protected]).

Digital Object Identier 10.1109/JSAC.2009.090502.

At Home

sink

On Body Sensors

WiFi

Router

Router

Internet

eHealth center

DatabasePhysician

WiFi

Fig. 1. Typical scenario of an eHealth system

time but without seeing their physicians in person [1], [2].It could avoid patients lengthy waiting times and hospitalstay. The patient information may include blood pressure(BP), heart failure status, heart rhythms, and blood oxygenlevel etc. This leads to an eHealth system shown in Fig. 1,which consists of three components: BSNs at home, wirelesstransmission network and eHealth center. With the rapidincrease of elderly people in our societies, the eHealth systemhas been widely accepted by the healthcare communities. For example, over the last decade, European Commission activitiesin eHealth have devoted to a series of patient-centered healthdelivery systems across all stages of care including prevention,diagnosis, treatment and followup [2], [3].

The new wireless technology has offered many advantagesover the conventional healthcare system from efciencies inthe hospital clinic to new ways monitoring patient health anddisease progression. However, the design of eHealth systemcomes with a set of newly emerged challenges. One of themain challenges is on how to ensure the security and privacy of the patients Personal Health Information (PHI) from variousthreats [4][10]. Most of the patients are concerned aboutthe privacy of their PHI, such as unauthorized collection,disclosure or other uses of PHI. Without the proper protectionof patients PHI, they may refuse for any treatment since theyare afraid of the loss of their PHI including information abouttheir illness or disability. The government has also establishedstringent regulations to ensure that the security and privacyof patients PHI are properly protected, for example HIPAA[11]. A healthcare provider is subject to severe civil andcriminal penalties if regulations are not followed exactly, for example, nes up to $250K and/or imprisonment up to 10years for knowing misuse of individually identiable healthinformation. Therefore, it is crucial to protect the security andprivacy of patients PHI before eHealth system reaches itsfull ourish and puts into practice. However, just keeping the

0733-8716/09/$25.00 c 2009 IEEE

Authorized licensed use limited to: University of Waterloo. Downloaded on May 28, 2009 at 10:48 from IEEE Xplore. Restrictions apply.


2/14

366 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO. 4, MAY 2009

patients PHI secret is not enough for patient privacy since itcould be disclosed by other means. For example, if an observer knows that a patient often sends his/her PHI to a specicphysician, then based on the medical treatment domain of the physician, the observer can correctly guess the patientsdisease with a high probability. Therefore, besides preventingthe PHI from eavesdropping, how to cut off the relation

between the patient and his/her physician is also crucial topatient privacy.To address the patient privacy issues lying in eHealth

systems, in this paper, we propose a strong privacy-preservingScheme Against G lobal Eavesdropping for eHealth systems,called SAGE. Firstly, we formally dene the patient privacyissues in eHealth systems. Specically, we divide patientprivacy into content oriented privacy and contextual privacy.For the contextual privacy threats in eHealth systems, wefurther categorize the eavesdroppers into three classes: nonglobal adversary, weak global adversary and strong globaladversary. Secondly, the proposed SAGE can achieve not only

the content oriented privacy but also the contextual privacyagainst the strong global adversary, which is the most powerfulattack model against patient privacy. Furthermore, both of these two privacies are formally proved with provable securitytechnique. Thirdly, since the time is crucial when dealingwith some acute diseases in eHealth systems, we discussthe SAGEs transmission delay with extensive performanceevaluation, which further convinces its practicality.

The remainder of this paper is organized as follows. Werst formalize the problem in Section II, and then describethe related work in Section III. The proposed SAGE is pre-sented in Section IV. Section V presents the security analysis,

followed by the performance evaluation in Section VI. Finally,conclusions remarks are given in Section VII.

II . PROBLEM FORMALIZATION

In this section, we provide a concise problem formalization,including system model, adversary model and privacy problemstatement.

A. System Model

The emergence of eHealth system can be accredited tothe development of two promising techniques: body sensor

devices and wireless communications networks. Body sensor devices can collect patients health information, while thewireless communication networks can deliver the informationto a physician, so that the patient could get quick and accuratehealthcare from the physician. Here, we dene the systemmodel by dividing the eHealth system into three parts: bodysensor network at home, wireless transmission network andeHealth center, as shown in Fig. 1.

1) Body sensor network at home: As in other BSNs [12] [17], a body sensor network at home consists of manybody sensor devices as well as a powerful data sink device.These sensor devices could be accelerometer, blood pressure

and oxygen saturation (SpO2) and temperature sensors, andcontinuously report the patient health information to thedata sink. Then, the data sink transmits these information tothe physician at eHealth center via wireless communication

Patients Physicians

PHI PHI

TA

PIDB

Fig. 2. eHealth center in a typical eHealth system

networks. Since the body sensor network is deployed at home,its security should be guaranteed.

2) Wireless transmission network: WiFi is a globally usedwireless networking technology that uses the 802.11 standard[18]. In our eHealth system, we adopt WiFi technology.Then, the data sink with a WiFi card can transmit patienthealth information over Internet to the physician via accessingthe access point within a radius of 200 feet. However in aWiFi enabled work environment, anyone, within an accessibledistance, can access the information. Therefore, the securityof transmitted data cant be guaranteed if they are lack of necessary precautious measures.

3) eHealth center: eHealth center is organized by a trustedauthority (TA), and includes registered patients (PAs), physi-cians (PHs) and patient information database (PIDB), asshown in Fig. 2. A patient, after registering himself/herself toTA, can get some body sensor devices suitable to him/her, andthen deploy a body sensor network at home so that PHI canbe collected and sent to the PIDB and physicians at eHealthcenter. We assume both patients and physicians are secure,while the PIDB may be compromised by a strong adversarydue to some sophisticated attacks. However, the secret keys inPIDB are still secure due to some tamper proof devices beingemployed [19], [20]. For example, those secret keys and key-related operations are executed in the tamper proof devices,and an adversary cant access these keys.

B. Adversary Model

We divide the adversaries based on their capacities into

three types: non global adversary , weak global adversary andstrong global adversary .1) Non global adversary: A non global adversary doesnt

compromise the patients or the physicians but trying to eaves-drop the messages transmitting from the patients to the physi-cians. However, the capability of the non global adversaryis limited, and he cannot gain the whole transmission pathinformation from the patient to the physician.

2) Weak global adversary: The capability of an adversaryhighly depends on what skills it has. Compared with the nonglobal adversary, the weak global adversary has the ability tomonitor all trafc. Therefore, when a message transmits from

a patient to a physician, the adversary can log the whole pathinformation that the message passed by. Fig. 3 shows such aweak global adversary. Here weak means the adversary onlypassively eavesdrops all the communications in the network.



3/14

LIN et al. : SAGE: A STRONG PRIVACY-PRESERVING SCHEME AGAINST GLOBAL EAVESDROPPING FOR EHEALTH SYSTEMS 367

At Home

sink

On Body Sensors

WiFi

Router

Router

Internet

eHealth center

DatabasePhysician

WiFi

Global Adversary

observing

Fig. 3. An eHealth system with a global adversary

As noted in [21], the global passive adversary is perhaps themost popular threat model for evaluating the anonymity.

3) Strong global adversary: In Fig. 3, if the global ad-versary can also compromise the intermediate nodes alongwith the path, then such a global adversary is called a strongglobal adversary. For example, the strong global adversarymay implant some malicious Trojan horse programs in PIDB,so that he can monitor the inside data ows in PIDB whilewithout being detected. (Note that the strong global adversarystill cant access the secret keys due to the secret keys beingprotected by tamper proof devices.) Obviously, the strongglobal adversary is a stronger threat model than what neededin most realistic scenarios. However, if the eHealth system canwithstand this type of adversary, then it is necessarily secure

against the non global adversary and weak global adversary.Note that, since the goal of the strong global adversary isto disclose the patient privacy, other active attacks that areirrelative to the patient privacy, such as some denial-of-service(DoS) attacks are outside the scope of this paper.

C. Privacy Problem Statement

eHealth systems have many characteristics that make themmore vulnerable to the privacy attack than other scenarios. For example, communication between a patient and a physiciancould indicate the patients disease and sickness to health.

Simply providing the content oriented privacy is insufcient.Therefore, we divide the privacy issues in eHealth systemsinto two categories: content oriented privacy and contextual privacy [22], [23]. If an eHealth system can withstand not onlythe content oriented privacy attacks but also the contextualprivacy attacks, then it is said to be a secure eHealth system.

1) Content oriented privacy: Content oriented privacy con-cerns whether an adversary has the capability in disclosingthe patients PHI that he cares about by observing andmanipulating the data transmitted over the communicationnetworks. In an eHealth system, if any adversary has no abilityto reveal the patient PHI, then the content oriented privacy is

achieved. Although the content oriented privacy is pivotal for eHealth systems, it is not difcult to address due to manycryptographic techniques such as available authentication andencryption algorithms [24].

(a) direct relation

(b) single path transit relation

(c) multi path transit relation

1 I

i I

k I

DS

S

S

D

D

I

Fig. 4. Observed relations

2) Contextual privacy: Contextual privacy means an adver-sary has the ability to link the source and the destination of a message. In eHealth systems, if an adversary can link thepatient with a specic physician, then the patient privacy willbe disclosed. (See the example below).

EXAMPLE : Let E1 be the event that a patient PA has somekind of disease and E2 be the event that PA sees a specicphysician PH. By statistics, the following conditions areavailable.

1) If PA has the disease, then the probability that he willsee the specic PH is 1 , i.e., Pr[E 2 |E1] = 1 = 98%

2) If PA does not have the disease, then the proba-bility that he will see the specic PH is 2 , i.e.,Pr[E 2 | E1] = 2 = 1%

3) Suppose that only 5% of the population in a region hasthe disease, i.e., Pr[E 1] = 5%

INFERENCE : When the PHI of the patient PA reaches thespecic physician, based on the Bayesian inference, we have

Pr[E 1 |E2] =Pr[E 2 |E1] Pr[E 1]

Pr[E 2 |E1] Pr[E 1] + Pr[E 2 | E1] Pr[E1]

=1 5%

1 5% + 2 95%= 83 .76%

From the above example, we can see, even though thecontent oriented privacy is well protected, the contextual pri-vacy still largely affects patient privacy. To subtly consider thecontextual privacy, we dene relations and observed relationdepths as follows.

Relations & observed relation depths. We consider therelation between the source S and the destination D by twoways: 1) if S can directly send a message m to D by onehop, the direct relation can be established; 2) if the messagem sent by S requires more than one hops to reach D , thetransit relation between S and D will also be established.(See Fig. 4 for these relations).

Direct relation: As shown in Fig. 4 (a), if a message

m transmitting from the sender S to receiver D onlyrequires one hop, the relation R (S, D ) is called directrelation . In the direct relation R (S, D ), we determinethe observed relation depth, denoted as RD (S, D ) =



4/14


Pr[R (S, D )], by three factors: {observed transmission ,inside data ow , outside data ow }. In general,

Observed transmission refers to that S transmitinga message to D is observed by an observer with aprobability . We denotes this event as F1 . If F1occurs, then Pr[F1] = .

Inside data ow refers to that receiver D executessome inside operations on the received message or drops it. We dene F2 the event that D s inside dataow is observed.

Outside data ow refers to that receiver D runs someoutside operations on the received message such asresponding or forwarding. We dene F3 the eventthat D s outside data ow is observed.

Then, we dene the value of RD (S, D ) as

RD (S, D ) =

0, case 1 if F1 ; , case 2 if (F1 F2 F3) ;

0 or , case 3 if (F1 F2) ;, case 4 if (F1 F2 F3) .

(1)

where 0 1 is the observers guess probability thatD has some interests in the received message in the case2, since he cant observe neither inside nor outside dataow. In the case 3, since the inside data ow is observed,the observer can determine the value of RD (S, D ). Inthe case 4, since the outside data ow is observed,RD (S, D ) is clearly equal to . RD (S, D ) captures theobserved tightness of R (S, D ). When RD (S, D ) = 0 ,the transmission of message m from S to D is hidden;RD (S, D ) = 1 , the transmission is fully observed.

Single path transmit relation: When a message m istransmitted from S to D through an intermediate node I ,as shown in Fig. 4 (b), the relation R (S,I ,D ) is calledsingle path transmit relation , and the observed relationdepth of R (S, D ) is dened as

RD (S, D ) = Pr( R (S, D )) = Pr( R (S,I ,D ))= Pr( R (S, I ) R(I, D ))= Pr( R (S, I )) Pr( R (I, D ))= RD (S, I ) RD (I, D )

(2)

Multi path transmit relation: In the multi path routing

environments, a message m could reach D via differentintermediate nodes I 1 , I 2 , , I k , then there exist morethan one path transmit relations between S and D . For example, in Fig. 4 (c), R (S, I 1 , D ), R (S, I 2 , D ), ,R (S, I k , D ) are valid path transmit relations. In this case,we dene the observed relation depth of R (S, D ) asfollows,

RD (S, D ) =k

i =1

i Pr( R (S, I i , D ))

=k

i =1

i Pr( R (S, I i )) Pr( R (I i , D ))

=k

i =1

i RD (S, I i ) RD (I i , D )

(3)

PA PHPIDB N 1 N 2 N w

Fig. 5. Transmission path of patient PHI

where

i =RD (S, I i ) RD (I i , D )

kj =1 RD (S, I j ) RD (I j , D )(4)

Note that in the multi path routing environments, if anobservers capability is limited, he cant observe all pathssimultaneously, then it is not difcult to prove that theRD (S, D ) will decrease. However, for the global ob-server, the multi path routing environments cant reducethe RD (S, D ) due to the adversarys powerful capability.

Patient-physician relation & its observed relation depth. Letthe routing information of the patient PHI be PA N 1 N 2 N w PIDB PH , as shown in Fig. 5. Here we wont

discuss the multi path transmission, since a global adversarycan identify all trafc information even though the multi pathtransmission is employed.

From the routing information, we can compute the observedrelation depth RD (PA , PH) as follows,

RD (PA , PH) =Pr( R (PA , N 1 , N 2 , , N w , PIDB , PH))=Pr( R (PA , N 1) R(N 1 , N 2)

R (N w , PIDB) R(PIDB , PH)=Pr( R (PA , N 1)) Pr( R (N 1 , N 2))

Pr( R (N w , PIDB)) Pr( R (PIDB , PH))

= RD (PA , N 1) w 1

i =1RD (N i , N i +1 )

RD (N w , PIDB) RD (PIDB , PH)(5)

According to the relation model, RD (PA , PH) is tightlyrelated to each sub-relation depth along with the routing path.Only if one sub-relation depth equals or tends to 0, for exam-ple, RD (N 1 , N 2) equals or tends to 0, then RD (PA , PH) alsoequals or tends to 0 immediately, which subsequently meansthe contextual privacy is protected. Based on this observation,we further discuss the relation between the contextual privacy

and the adversaries with different capabilities. Non global adversary: Since the capability of non global

adversary is limited, at least one F1 event doesnt occur between two neighboring nodes, for example N 1 and N 2 .Then, from Eqs. (1) and (5), we have RD (PA , PH) = 0 ,which means the non global adversary has no abilityto launch the contextual privacy attack. As a result,the contextual privacy is secure against the non globaladversary.

Weak global adversary: A weak global adversary canmonitor all trafcs over the communication network,i.e., he can observe not only the transmission but also

all intermediate nodes outside data ows. Then, wehave RD (PIDB , PH) = for the last hop betweenPIDB and PH and for any other sub-relation depth.As a result, we have RD (PA , PH) = w +2 from



5/14


MIX

a1

a2

a3

a4

b1

b2

b3

b4

Fig. 6. Mix technique to achieve anonymity communications

Eq. (5). Since the adversary has global eavesdroppingability, can be assumed to be 1. At the same time, PHis the exclusive destination, then the adversarys guessprobability could be 1. Concluding with these, wehave RD (PA , PH) = 1 . This result indicates that thecontextual privacy is not secure against the weak globaladversary.Fortunately, many mix techniques after Chaums seminalpaper [25] have been proposed to achieve anonymitycommunications [26][30]. For clarity, we outline themix technique as follows and refer to [25] for moredetails. The main idea of the mix technique, as shownin Fig. 6, is to cut off the relation between the input andthe output. Then, an adversary has no idea on the link re-lation, especially on the link relation between the sourceand the destination. For example, when the mix techniqueis applied in the PIDB, the weak global adversary cantobserve the link relation from PIDB s outside dataows. Then, for n possible physicians, the probabilityof adversarys observation is only RD (PIDB , PH) = 1nand RD (PA , PH) = 1n subsequently. As a result, thecontextual privacy against the weak global adversary canbe achieved in this case. However, in any mix technique,the parameter n should be large. Otherwise, the levelof anonymity will decrease quickly. In an extreme case,when n = 1 , no matter what mix technique is adopted,it is impossible to achieve the receiver anonymity.

Strong global adversary: Compared with the weak globaladversary, a strong global adversary can also observeall intermediate nodes inside data ows. In this case,the pure mix technique cannot cut off the link relationagainst this type of adversary. Accordingly, the contextualprivacy cannot be guaranteed, and nally the patientprivacy will be disclosed.

Based on the privacy issues existing in the strong globaladversary model, the goal of the SAGE is to achieve not onlythe context oriented privacy but also the contextual privacy.Thus, the patient privacy can be protected against strong globaleavesdropping in eHealth systems.

III . E XISTING APPROACHES

Besides the mix techniques [25][30], many of the privacytechniques adopted in other scenarios such as the sensor networks are also not appropriate for protecting the patient

privacy in eHealth systems. The reason is partially due tothe fact that the problems considered are not same, andpartially due to the fact that the adversarys capabilities arealso different. In this section, we review some of these existing

works [22], [23], [31][38]. Generally, to achieve contextualprivacy, the existing approaches can be categorized into twotypes: one is by protecting the source location privacy , andthe other is by protecting the destination location privacy .

By protecting the source location privacy, the relationbetween the source and the destination can be cut off, andthen the contextual privacy is achieved. The design goals

of [22], [23], [31][37] are to protect the source locationprivacy. Kamat et al. [22] observed the facts that both baselineooding routing [32][34] and single-path routing [36], [37]cannot achieve privacy protection, and provided two newtechniques to provide efcient source location privacy. Onetechnique is called routing with fake sources , and the other is called phantom single path routing . In the routing withfake sources, when a source wants to send data, several fakesources, which are away the real source, are involved. Then,both the real and fake sources send data at the same time.Clearly, this technique can provide location privacy againstlocal eavesdropping. However, it is not suitable for eHealth

systems. In real life, since the locations of different patientsare scattered, when a patient wants to send data, it is notreasonable to assume that he can inform other patients toparticipate. In phantom single-path routing , after a data isgenerated by the source, it will walk a random path beforereaching the destination. By walking a random path, the sourcedata can prevent the local eavesdropping. Another technique,called cyclic entrapment [31], is very similar to the phantomsingle-path routing, which deals with the local eavesdroppingby creating looping pathes at various places. Although theabove techniques can deal with non global eavesdropping, theyare still not suitable for the dened eHealth system, since the

tricks used in these techniques are not effective to a strongglobal eavesdropper. To deal with the global eavesdropping,Mehta et al. [23] proposed two new techniques: periodicalcollect and source simulation . However, the periodical collectshould send dummy packets and thus could cause largedata delivery latency. Therefore, it is not suitable for thereal eHealth system. Although the source simulation methodprovides practical tradeoffs between privacy, communicationcost and latency, it will bring inconvenience to the patientsince a set of virtual objects should be simulated. On the other hand, the global eavesdropping they considered is conned tothe weak global adversary.

Protecting the destination privacy is another alternative toachieve contextual privacy. In 2007, Jian et al. [38] proposeda location privacy routing protocol, call LPR, to achievepath diversity. By combining LPR with fake packet injection,the location privacy of the receiver can be protected, andsubsequently, the contextual privacy is achieved. In this paper,similar to [38], we deal with the contextual privacy also fromprotecting the receivers location privacy.

IV. T HE PROPOSED SAGE S CHEMEIn this section, we present the proposed SAGE, including

system setting, patient registration, patient health information

transmission and patient health information receiving. Thebasic idea of SAGE is quite straightforward: when the PIDBreceives the PHIs from patients, it broadcasts the PHIs to allphysicians. Then, only the potential physicians will be aware



6/14


of the PHIs of their patients. Obviously, due to the natureof broadcast, the SAGE can achieve unconditional receiver anonymity. As a consequence, the patient privacy can beguaranteed in SAGE. Before describing the SAGE in detail,we rst review the bilinear pairing technique [39], whichserves as the basis of the proposed SAGE.

A. Bilinear Pairing TechniqueLet G , G T be two cyclic groups of the same prime order

q. Let e be a computable bilinear map e : G G G T ,which satises the following three properties: 1) bilinear:e(aP,bP ) = e(P, P )ab , where P, Q G and a, b Z q ; 2)non-degenerate: there exists P, Q G such that e(P, Q ) =1G T ; and 3) computability: there exists an efcient algorithmto compute e(P, Q ) for all P, Q G . We call such abilinear map e as an admissible bilinear pairing, and themodied Weil or Tate pairing in elliptic curve can give a goodimplementation of the admissible bilinear pairing [39].

Denition 4.1 (Bilinear Parameter Generator): A bilinear parameter generator Gen is a probabilistic algorithm thattakes a security parameter k as input and outputs a 5-tuple(q, G , G T ,e ,P ) as the bilinear parameters, including a primenumber q with |q| = k, two cyclic groups G , G T of the sameorder q, an admissible bilinear map e : G G G T and agenerator P of G .

Denition 4.2 (Bilinear Dife-Hellman (BDH) Problem):Let (q, G , G T , e ,P ) be a 5-tuple generated by Gen(k). TheBDH problem is stated as follows: given aP,bP,cP Gwith unknown a , b, c Z q , compute e(P, P )abc G T .The success probability of any polynomial-time adversary Aagainst the BDH problem is dened to be

Succ BDHA = Pr[ = e(P, P )abc : A(aP,bP,cP )].

The BDH assumption holds if for all polynomial-time adver-sary A, the success probability Succ BDHA is negligible.

B. System SettingTo establish an eHealth system, TA rst initializes all

required system parameters. Given the security parametersk, l1 , l2 , TA generates a 5-tuple (q, G , G T , e ,P ) by running

Gen(k). Then, TA picks up a random number s Z

q asa master-key , and computes the corresponding public keyP pub = sP . TA also chooses three secure cryptographichash functions H, H 1 , H 2 , where H : {0, 1} G , H 1 :G T {0, 1}l 1 and H 2 : {0, 1} G T {0, 1}l 2 , anda secure symmetric encryption algorithm Enc k () , i.e., DES[24]. In the end, TA publishes the public system parame-ters (q, G , G T ,e ,P,P pub ,H ,H 1 , H 2 , Enc k ()) and keeps themaster-key s secretly. In the eHealth system, all PHIs arestored in PIDB at eHealth center. To achieve access control,i.e., only registered patients can store their data and onlylegal physicians can retrieve patients data, TA implants a

programmable daemon program (DP) in database, which ownsa private key S DP = sH (IDDP ) derived from its identier IDDP . As discussed in Section II, many physicians are enrolledin the eHealth system. When they register themselves, each of

them will get a private key S PH = sH (IDPH ) from TA basedon his/her identity ID PH .

C. Patient Registration

To take the benets from the eHealth system, a patientwill register himself/herself to the eHealth system. When thepatient with identity ID PA registers to TA, TA will execute thefollowing steps.

Step 1. Check the identity ID PA and compute the pseudo-identity PID PA = Enc s (IDPA ) with the master-key s ;

Step 2. Compute the private key S PA = sH (PIDPA );Step 3. Choose the appropriate body sensors S and desig-

nate a physician with ID PH based on the patients requirement.Step 4. Send (PIDPA , S PA , S , IDPH ) to the patient and PID PA

to the physician. (Note that since the patient doesnt want thephysician to know his/her real identity, the pseudo-identityPIDPA can guarantee the identity privacy).

After receiving (PIDPA , S PA , S , IDPH ), the patient deploysthese sensor nodes at home to form a BSN. Through the BSN,the patient can periodically report his/her health data to theeHealth system.

Static shared key: With the patient registration proce-dure, the patient gets (S PA , IDPH ) and the physician holds(S PH , PIDPA ). Then, based on the properties of bilinear pair-ing, the non-interactive static shared key K PP can be conve-niently computed in advance as follows,

K PP = e(H (PIDPA ), H (IDPH )) s

=e(sH (PIDPA ), H (IDPH )) = e(S PA , H (IDPH ))e(H (PIDPA ), sH (IDPH )) = e(H (PIDPA ), S PH )

(6)

Due to the static shared key, the subsequent content orientedprivacy between the patient and the physician can be achievedwhen employing a secure symmetric encryption algorithm.The formal proof will be presented in Section V.

D. Patient Health Information Transmission

When the patients BSN gathers the health data m andis ready to report it to the eHealth system and the physi-cian, it rst runs the Algorithm 1, and sends the returnedC to the eHealth system via Internet (ref. Fig. 1). Notethat the form of = Enc k(m) can provide the content

oriented privacy. At the same time, since the static sharedkey K PD = e(H (PIDPA ), S DP ) = e(S PA , H (IDDP )) is onlyknown by the patient and the DP, the authentication onC at the side of DP is achieved. In addition, the self-encryption technique [40] encrypts the patient identity, C = IBCID DP {PIDPA || || H 2(, K PD )} wont disclose the identityprivacy to the non-global adversary, although it may notprevent the global adversary from eavesdropping.

Upon receiving an incoming ciphertext C , DP runs thefollowing operations.

Step 1. DP rst invokes the Algorithm 2 with the private keyS DP = sH (IDDP ). If the returned value is , DP terminates

the operation and discards the incoming message. Otherwise,DP continues to the next step.Step 2. DP stores the entry (PID PA , ) into PIDB for

backup and puts the PHI into a Patient Information Report



7/14


Algorithm 1 : ReadySend()Input: Gathered patient health data mResult : Ciphertext C ready for transmissionbegin1

Obtain the current timestamp T ;2Compute the temporary key k = H 1 (T K PP );3Compute = Enc k(m ) and H 2 (T || , K PP ), where ||4denotes the concatenation ;

Compute H 2 ( , K PD ) where5 = T || || H 2 (T || , K PP )

and K PD = e(S PA , H (IDDP )) is static shared key betweenthe patient and the daemon program DP ;Employ a chosen-plaintext secure identity-based encryption6algorithm, for example IBC in [39], and use self encryption technique [40] with DPs identity IDDP tocompute the ciphertext

C = IBC ID DP {PIDPA || || H 2 ( , K PD )} (7)

return C ;7end8

IDDP n

n1 valid patient health information

Fig. 7. Format of patient information report (PIR) for PHIs

(PIR), which serves a container for PHIs aggregating andbroadcasting. The format of PIR is illustrated in Fig. 7, andeach eld is as follows: the header is xed as the DPs identity

IDDP ; the second eld n species the number of encapsulatedPHIs; the third eld is the identity-based signature on all nencapsulated PHIs, and the fourth eld is the payload of PIRthat contains n valid PHIs.

When the PIR is full of n valid PHIs, DP uses the privatekey S DP = sH (IDDP ) to compute the signature

= IBS S DP {1 | | | | n } (8)

where IBS is an efcient identity-based signature algorithmpresented in [41], and as shown in Fig. 8, DP also broadcaststhe PIR so that all physicians in eHealth center can receive

these valid PHIs.

E. Patient Health Information Receiving

Each physician in eHealth center rst checks the validity of the signature , after he receives the PIR broadcasted by DP.If the signature is invalid, he discards the PIR. Otherwise, hetries to recover his patients information.

Assume that a physician IDPH has patients with pseudoIDs {PID PA1 , PID PA2 , , PID PA }, he can compute staticshared keys {K PP 1 , K PP 2 , , K PP } in advance, where

K PP i = e(H (PID PA i ), S PH ), for 1 i . Then, for n PHIs{1 , 2 , , n } in the PIR, he invokes the Algorithm 3. If the returned set M is not vacant, the physician can efcientlyretrieve his patents PHIs in the current broadcast.

PIDB

PIR

Fig. 8. Broadcasting the PIR to all physicians in eHealth center

Algorithm 2 : AuthConvert()Input: DPs private key S DP and an incoming ciphertextC = IBC ID DP {PIDPA || || H 2 ( , K PD )}Result : or converted ciphertext begin1

Use S DP to recover M from C and parse M as2

PIDPA || || H 2 ( , K PD )

Based on the pseudo ID PID PA , compute static shared key3K PP = e(H (PIDPA ) , S DP ) or get it from the cache if existing, and check

H 2 ( , K PD )?

= H 2 ( , K PD ) (9)

if it doesnt hold then4return ;5

else6 parse the item as T || || H 2 (T || , K PP ) and check7whether T is a valid timestamp ;if it is not valid then8

return ;9else10

return = T || || H 2 (T || , K PP ) ;11end12

end13end14

V. SECURITY ANALYSIS

In this section, we rst prove that the proposed SAGE hasthe content oriented privacy, then show that it is also secureagainst global eavesdropping in terms of contextual privacy.Finally, we discuss the robustness of the SAGE against severalknown attacks.

A. Content Oriented Privacy

In the proposed SAGE, the content oriented privacy canbe guaranteed by the security of Enc k(m). If the ciphertextEnc k(m) is provably secure, so does the content orientedprivacy in SAGE. Therefore, we will prove the semantic

security property of Enc

k(m) by using the techniques fromprovable security [42], [43].The semantic security of Enc k(m) in SAGE is dened

using a game between a challenger and an adversary. Both



8/14


Algorithm 3 : RecoverValidRecord()Input: {K PP 1 , K PP 2 , , K PP } and {1 , 2 , , n }Result : valid M

begin1set M = {} ;2for i = 1 to do3

for j = 1 to n do4parse j as T j || j || H 2 (T j || j , K PP i );5

check H 2 (T j || j , K PP i )?

= H 2 (T j || j , K PP i );6if it does hold then7

recover m j from = Enc k(m j ) with8temporary key k, where k = H 1 (T j K PP i ) ;M = M {m j } ;9

end10end11

end12return M ;13

end14

the challenger and adversary are given the system parameters,and the game proceeds as follows:

Dene the adversary A = ( A1 , A2) that runs in thefollowing two stages.

In the rst stage: A1 is allowed to make extraction queries on identi-

ties he chooses so that he can gain some private keysof other patients and physicians, which is similar tothe Identity-based cryptography in [39].

A1 is also allowed to make some random oraclesqueries if the game is running in the random oraclemodel [42].

At some time, A1 terminates the query and sends twoequal length messages m0 , m 1 , a fresh timestampT , unextracted patients pseudo-id PID PA and unex-tracted physicians identity ID PH to the challenger.

In the second stage: The challenger picks a random bit b {0, 1} and

sends C = Enc k(mb), where k = H 1(T K PP ),as the challenge to A2 .

At the end, A2 returns a guess b {0, 1} on b andand wins the game if b = b.

We dene that the advantage of A breaking the semanticsecurity of Enc k(m) is

Adv SAGEA = 2 Pr[b = b ] 1

If for all adversaries A, the advantage Adv SAGEA is negligible,we say Enc k(m) in SAGE is semantic security under adap-tively chosen plaintext attacks. In the following theorem, wewill formally prove that the Enc k(m) in SAGE is semanticsecurity within the random oracle model, where H, H 1 behaveas the random oracles [42].

Theorem 5.1: Let Gen be a bilinear parameter generator,

and A be an adversary against the semantic security of Enc k(m) in SAGE in the random oracle model. Assumethat A has advantage = Adv SAGEA , within running time , making qH , qH 1 , and 2qE queries to the random oracles

OH , OH 1 , and the extraction oracle OE . Then, there exist[0, 1] and N as follows

exp(1) 2 qH 1 (1 + qE )2

+ ( qH + qH 1 + qE ) T

such that BDH problem can be solved with probability ,within time , where T denotes the average time required byeach query.

Proof: We dene a sequence of games Game 0 , Game 1 , of modied attacks starting from the actual adversary A[43]. All the games operate on the same underlying probabilityspace: the system parameters and master key, the coin tossesof A and the random oracles. Let X = xP,Y = yP,Z = zP be a random instance of BDH. We will use A to computee(P, P )xyz G T , and starred letter C = Enc k(mb) torepresent the challenge ciphertext.

Game 0 : This is the real attack game in the randomoracle model. TA chooses the master keys s Z qand computes P

pub= sP . Then the system parameters

(q, G , G T ,e ,P,P pub ,H ,H 1 , H 2 , Enc k ()) are published. Theadversary A is fed with these system parameters and queriesthe oracles OH , OH 1 and OE , and outputs two equal lengthmessages (m0 , m 1), a fresh timestamp T and (PIDPA , IDPH ).The challenger then ips a coin b {0, 1} and produces aciphertext C = Enc k(mb) as the challenge to the adversary,where k = H 1 (T K PP ) with K PP the static shared keybetween PID PA and IDPH . Finally, the adversary outputs a bitb {0, 1} as the guess of b. In any Game j , we denote byGuess j the event b = b and Adv j the guess advantage inGuess j . Then, by denition, we have

Adv0 = = 2 Pr[ b = b ] 1 = 2 Pr[Guess 0 ] 1 (10)

Pr[Guess 0] =12

+Adv0

2(11)

Game 1 : In this game, we modify the simulation by replac-ing the system public key P pub = sP by X = xP . Since thedistribution of system public key is unchanged, we have

Adv 1 = Adv 0 ; Pr[Guess 1] = Pr[Guess 0] (12)

Game 2 : In this game, we simulate the random oracles OH and OH 1 as follows.

Simulate qH queries on OH : for any fresh query, we uniformly pick a random

number r Z q ; pick one bit c {0, 1} with Pr( c = 0) = , where

, 0 < < 1, is a parameter to be determined later [44];

If the fresh query is on a patient pseudo-id PID PA ,then1) if c = 0 , sets u = rP , otherwise sets u = rY =

ryP ;2) store (PIDPA ,c,r,u ) in the H -list, which is ini-

tially empty, and return H (PIDPA ) = u as theanswer to the oracle query.

If a fresh query is on a physician identity ID PH , then1) if c = 0 , sets v = rP , otherwise sets v = rZ =

rzP ;



9/14


2) store (IDPH ,c,r,v ) in the H -list and returnH (IDPH ) = v as the answer to the oracle query.

Simulate qH 1 queries on OH 1 : For any fresh query R G T , we pick up a random number h {0, 1}l 1 , store(R, h ) in the H 1 -list, which is also initially empty, andreturn H 1(R) = h as the answer to the oracle query.

Clearly, in the random oracle model, this game is identical tothe previous one. Hence,

Adv2 = Adv 1 ; Pr[Guess 2 ] = Pr[Guess 1] (13)

Game 3 : In this game, we simulate total 2qE extractionoracle OE queries as follows.

Simulate qE queries with patient pseudo-id PID PA : look up (PIDPA ,c,r,u ) in H -list ; if c = 0 , we compute S PA = rY = ryP as the

private key and return it to A; if c = 1 , we have to terminate the game and report

the failure. Simulate qE queries with physician identity ID PH :

look up (IDPH ,c,r,v ) in H1 -list ; if c = 0 , we compute S PH = rZ = rzP as the

private key and return it to A; if c = 1 , we have to terminate the game and report

the failure.In Game 3 , only if the event c = 1 occurs during any query,we terminate the game. Therefore, after total 2qE queries, theprobability that the game is not terminated (i.e., c = 0 in allqueries) is

[Pr( c = 0)] 2qE = 2qE

and we haveAdv 3 = 2qE Adv2 ; (14)

Pr[Guess 3 ] =12

+Adv3

2(15)

Game 4 : In this game, we observe (PIDPA , IDPH ) that Asubmitted at the end of the rst stage.

look up (PIDPA , c , r , u ) in H -list with PID PA ; if c =0, terminate the game and report failure.

look up (IDPH , c , r , v ) in H 1-list with ID PH ; if c =0, terminate the game and report failure.

In Game 4 , we will also terminate when the event c = 0or c = 0 occurs. Thus, the probability that Game 4 is notterminated (i.e., c = 1 and c = 1 in two irrelevant cases)is

[Pr( c = 1 c = 1)] = (1 )2

and we haveAdv4 = (1 )2 Adv3 ; (16)

Pr[Guess 4 ] =12

+Adv4

2(17)

Let AskH4 denote the event that the adversary A has asked

H 1(T e(PIDPA , IDPH )x

). Thus, if the event AskH4 doesntoccur, C is independent on b, we have

Pr[Guess 4 | AskH4] =12

and

Pr[Guess 4] = Pr[Guess 4 |AskH4 ] Pr[AskH 4]+ Pr[Guess 4 | AskH4] Pr[AskH4]

12

Pr[AskH4] + 1 Pr[AskH 4]

=12

(1 Pr[AskH 4]) + 1 Pr[AskH 4]

= 12

+ 12

Pr[AskH 4]

(18)

When the event AskH4 occurs, the entry (R = T e(PIDPA , IDPH )x , h ) is in the H 1-list. We can randomly pickan entry (R, h ) from the H 1 -list and compute

RT

1

r r

= [e(PIDPA , IDPH )x ]

1

r r = e(r yP,r zP )x

r r

and output it as the challenge e(P, P )xyz with the probability1/q H 1 . Therefore, we have

Pr[AskH 4]qH 1 = = Succ

BDHA (19)

By combining Eqs. (10)-(19), we have

1

qH 1 2qE (1 )2 (20)

When minimizing the function qE (1 ), we nd theoptimal value

=1

1 + qE(21)

and the overall probability of 2qE (1 )2 is at least1

exp(1) 2 (1 + qE )2 (22)Then, from Eqs. (20)-(22), we have

Succ BDHA = exp(1) 2 qH 1 (1 + qE )2(23)

Also, based on the time costs in all oracle queries, we canobtain the claimed bound for

+ ( qH + qH 1 + qE ) T (24)

This completes the proof.

B. Contextual PrivacyIn this subsection, we further demonstrate that the proposed

SAGE is secure against the strong global eavesdropping interms of contextual privacy. As discussed in section II, thestrong global adversary has the ability to monitor not onlyall trafc over the communication network but also all inner trafc in each intermediate node along the routing. Therefore,the contextual privacy, i.e., RD (PA , PH) = 0 , cannot beachieved by pure mix technique, since an adversary alwayshas ways to link the patient to a specic physician.

In the proposed SAGE, to gain RD (PA , PH) 0, the keytrick is to ensure RD (PIDB , PH) 0 by DPs broadcasting.

Due to the broadcasting, the PIR can be received by allphysicians. At the same time, since the adversary cant observeany physicians inner operations, each physician is then equalsuspicious by the adversary.



10/14


In the following, the link privacy between PIDB and PH isformally dened using a game between a challenger and anadversary. Both the challenger and the adversary are fed withsystem parameters, and the game proceeds as follows.

Dene the adversary A that runs in the following twostages.

In the rst stage: A set of physicians D = {PH 1 , PH 2 , , PH } are

available to both the adversary A and the challenger.The adversary knows that there is only one patientPA in the game, and the challenger knows the PAsprivate key.

At some time, the challenger picks at random anumber j {1, 2, , }, generates an =T || || H 2(T || , K PP j ), and broadcasts .

In the second stage: After receiving the message , the adversary A

returns a guess j {0, 1} on j and wins the gameif j = j .

We dene that the advantage of A breaking the link privacyproperty of is

Adv SAGEA = Pr[ j = j ] 1

For all adversaries A, if the advantage Adv SAGEA is negligible,we say the link privacy of in SAGE is achieved. If theadvantage Adv SAGEA is exactly 0, then the link privacy isunconditional. A standard way of proving that SAGE in thisgame enjoys the unconditional link privacy is by showingthat s destination PH j , guessed by the adversary A inthe game, follows the same probability distribution for anypossible physician in D = {PH 1 , PH 2 , , PH }. If it canbe proved, then in the second phase of the game denedabove, the adversary A cannot obtain any information aboutwhich PH j D is actually s destination from and hisobservations, and therefore its success probability Pr[ j = j ]is limited to 1 . In the following theorem, we prove thatthe information achieves the unconditional link privacy bybroadcasting.

Theorem 5.2: The information in SAGE achieves uncon-ditional link privacy by broadcasting.

Proof: Since the content oriented privacy of has beenprotected, the only way for the adversary A to nd the sdestination is by using all trafc information he obtained fromglobal eavesdropping. However, in the eye of the adversary,each physician is equal suspicious by broadcasting mecha-nism. Therefore, in the second stage, Pr[ j = j ] = 1 . Then,by denition, we have

Adv SAGEA = Pr[ j = j ] 1 = 1

1 = 0 (25)

and the proof is completed.

From theorem 5.2, the information in SAGE achievesunconditional link privacy. Unconditional link privacy meansRD (PIDB , PH) = Pr[ j = j ] = 1 , and RD (PA , PH) =

1

for a strong global eavesdropper. However, similar to the

TABLE IT IME COSTS OF REQUIRED OPERATIONS

Operation Time

pairing (without precompution) 6.7 ms

pairing (with precompution) 3.0 ms

point multiplication 2.9 ms

mix technique [25], if the set size |D| = 1 , i.e., = 1 ,then RD (PA , PH) still equals 1. Therefore, to achieve highcontextual privacy, should be a large number. Fortunately,from the view of practice, it is reasonable to assume that aneHealth center involves many physicians.

C. Robustness

In this subsection, we discuss the robustness of SAGE.Concretely, we show how the SAGE prevents other knownattacks, such at the replaying attack and the forging attack.

Although these two attacks are not relevant to the patientprivacy, they will affect the performance of SAGE.

1) Resistance against the replaying attack.: One possibleattack launched by an adversary is the replaying attack, whichrefers to the adversary maliciously replaying some valid butold messages. However, the replaying attack doesnt affectthe proposed SAGE because the DP will check the validity of timestamp in the Algorithm 2. If the timestamp is outdated, itwill be directly discarded.

2) Resistance against the forging attack.: Another attackcould be launched by an adversary is the forging attack. Ina forging attack, the adversary can inject forged messages

in transmission. Fortunately, the forging attack can be alsoprevented by SAGE, since the message authentications basedon the static shared key and digital signature techniques havebeen integrated in the proposed SAGE.

VI. PERFORMANCE EVALUATION

An important performance matric in eHealth systems is howlong it takes for a patient PHI to reach its specic physician.Thus, in this section, to evaluate the performance of SAGE,we focus on the transmission delay of SAGE at the eHealthcenter. First, we estimate the computation costs of SAGE.

Roughly, the computation costs of SAGE include PHIauthentication, PIR signing and verication, which mainlyinvolve the following cryptographic operations: pairing, pointmultiplication, multiplication in Z q and hash operations. Sincethe time costs of the latter two can be negligible comparedwith that of the rst two, we only consider pairing andpoint multiplication when measuring the performance. Weimplement the Tate pairing with an embedding degree k = 2Cocks-Pinch curve [45]. The curve is over F p with 512-bitprime p and a subgroup of 160-bit prime q. Benchmarks for the selected pairing were running on a modern workstation,where the processor is 32 bits, 3GHz Pentium 4. The measured

result are given in Table I. Based on these benchmark numbersand the adopted IBE [39] and IBS [41], we can estimate thecomputation costs in SAGE, and the relevant results are givenin Table II [45].



11/14


0 20 40 60 80 100 1200.015

0.02

0.025

0.03

0.035

0.04

0.045

Average arrival rate at DP (#/second)

A v e r a g e

d e l a y

t i m e

t d ( s e c o n

d )

w/o. pairing precomput.with pairing precomput.

(a) T v.s. with n = 1 , p = 0

0 20 40 60 80 100 1200.03

0.035

0.04

0.045

0.05

0.055

0.06

0.065

0.07

0.075

0.08


A v e r a g e

d e l a y

t i m e

t d ( s e c o n

d )


(b) T v.s. with n = 10 , p = 10%

0 20 40 60 80 100 1200.05

0.06

0.07

0.08

0.09

0.1

0.11

0.12


A v e r a g e

d e

l a y

t i m e

t d ( s e c o n

d )


(c) T v.s. with n = 20 , p = 15%

0 20 40 60 80 100 120

0.08

0.09

0.1

0.11

0.12

0.13

0.14

0.15

0.16

0.17


A v e r a g e

d e

l a y

t i m e

t d ( s e c o n

d )


(d) T v.s. with n = 40 , p = 20%

0 20 40 60 80 100 120

0.16

0.18

0.2

0.22

0.24

0.26

0.28

0.3

0.32

0.34


A v e r a g e

d e

l a y

t i m e

t d ( s e c o n

d )


(e) T v.s. with n = 60 , p = 25%

0 20 40 60 80 100 1200.2

0.25

0.3

0.35

0.4

0.45

0.5


A v e r a g e

d e

l a y

t i m e

t d ( s e c o n

d )


(f) T v.s. with n = 80 , p = 40%

Fig. 9. Average transmission delay t d varies with the average arrival rate , where 1 120

Next we evaluate the transmission delay of SAGE. Weconsider the average arrival of PHI at DP is a Poisson processwith rate . In addition, each xed-length PHI packet has thesame authentication time estimated in Table II. Then, we have

=149.3/ sec, w/o pairing precomputation;333.3/ sec, with pairing precomputation.

(26)

Based on the M/D/1 process [46], the average delay time (waittime + authentication time) of PHI before being put into thePRI buffer is

2 2(1 ) , where =

< 1 (27)

By broadcasting PIR, the number for PHIs broadcasting,signing and verication can be reduced. However, this mech-



12/14


020

4060

80100

120

0

0.2

0.4

0.6

0.80

0.5

1

1.5

2

2.5

np

A v e r a g e

d e

l a y

t i m e

t d ( s e c o n

d )

(a) T v.s. n and p with = 120 w/o pairing precomput.

020

4060

80100

120

0

0.2

0.4

0.6

0.80

0.2

0.4

0.6

0.8

1

np

A v e r a g e

d e l a y

t i m e

t d ( s e c o n

d )

(b) T v.s. n and p with = 120 with pairing precomput.

Fig. 10. Average transmission delay t d varies with p and n , where 1% p 80% and 1 n 120

anism will incur the transmission delay. In addition, boththe replaying attack and the forging attack will also causethe transmission delay. Let the invalid probability of a PHIarriving at DP be p due to the replaying and forging attacks.We study the average delay time in PIR buffer as follows.

We rst consider how long it takes the i-th PHI in PRIto wait for the arrival of the next i + 1 -th PHI. Since theinvalid probability of a PHI is p, when a valid PHI is put intothe PRI buffer, the number of PHI authentications at DP is ageometrically distributed random variable:

P (number of authentication = k) = pk 1 (1 p) (28)

where k = 1 , 2, . We dene t i ( i +1) to be average waitingtime,

t i ( i +1) =

k =1

k

pk 1(1 p) =1

(1 p)(29)

for i = 1 , 2, , n 1. Also, for the trivial case i = n ,t ii = tnn = 0 . Thus, before a PRI is sent, the waiting timefor each PHI in the PRI buffer is

T i =

n i(1 p)

, i = 1 , 2, , n 1;

0, i = n.(30)

and the average waiting time isn

i =1

1n

T i =1n

1

(1 p) (1 + 2 + + ( n 1))

=1n

1

(1 p)

n(n 1)2

=n 1

2(1 p)

(31)

Subsequently, we can calculate the transmission delay td of SAGE at eHealth center is

td =2

2(1 )+

n 12(1 p)

+ t s + tv , =

< 1 (32)

Fixing the parameters n and p, Fig. 9 shows the transmis-sion delay td varies with the average arrival rate , where1 120. As seen in Fig. 9, the transmission delay td

TABLE IIT IME COSTS OF REQUIRED OPERATIONS

Operation Rough Estimated Time

PHI authentication 6.7 ms 3.0 ms

PIR signing ( t s ) 5.8 ms

PIR verication (t v ) 16 .3 ms 8.9 ms

w/o pairing precomput., with pairing precomput.

rises with the increase of on the whole. For the same , thetransmission delay td with pairing precomputation is less than

that without pairing precomputation. This result indicates thatthe transmission delay could be reduced when the performanceof DP is improved. In addition, from Fig. 9, we can alsoroughly observe the relation between td and p, n , i.e., withthe increase of p and n , the transmission delay td will alsoincrease.

To further discuss the relation subtly, we plot td varieswith p and n in Fig. 10, where is xed as 120. It canbe seen that for small p, the transmission delay increases veryslow with n . However, for large p, the transmission delayincreases quickly. This indicates that the parameter p due tothe replaying attack and forging attack is the dominant factor

for the transmission delay. Therefore, for small p, the proposedscheme can gain a good performance in terms of transmissiondelay. In addition, the difference between Fig. 10(a) andFig. 10(b) also demonstrates that the precomputation canreduce the transmission delay.

VII. C ONCLUSIONS

Patient privacy is crucial to the success and full ourishof the eHealth systems. In this paper, we have studied thecapabilities of different adversaries, and proposed a strongprivacy-preserving Scheme Against Global Eavesdropping for

eHealth systems. Formal security proofs show the SAGE canachieve not only the content oriented privacy but also thecontextual privacy under the strong global adversary model.In addition, through the extensive performance evaluation, the



13/14


SAGE has been demonstrated efcient in terms of transmis-sion delay. Our future work will focus on investigating therelation between patient mobility and privacy under the strongglobal eavesdropping.

REFERENCES[1] U. Varshney, Pervasive healthcare and wireless health monitoring,

Mobile Networks and Applications , Vol. 12, No. 2-3, pp. 113-127, 2007.[2] L. Gatzoulis and I. Iakovidis, Wearable and portable eHealth systems, IEEE Eng. Med. Biol. Mag. , Vol. 26, No. 5, pp. 51-56, 2007.

[3] I. Iakovidis, Towards personal health record: Current situation, obsta-cles and trends in implementation of electronic healthcare records inEurope, International Journal of Medical Informatics , Vol. 52, No. 1,pp. 105-115, 1998.

[4] Y. Xiao, X. Shen, B. Sun, and L. Cai, Security and privacy in rd andapplications in telemedicine, IEEE Commun. Mag. , Vol. 44, No. 4, pp.64-72, 2006.

[5] C. Dong and N. Dulay, Privacy preserving trust negotiation for per-vasive healthcare, in Proc. 1st International Conference on PervasiveComputing Technologies for Healthcare - PervasiveHealth 2006 , Inss-bruck, Austria, Nov.-Dec. 2006.

[6] M. Meingast, T. Roosta, and S. Sastry, Security and privacy issues withhealth care information technology, in Proc. 28th Annual International

Conference of the IEEE Engineering in Medicine and Biology Society ,pp. 5053-5058, New York, US, Aug. 2006.[7] K.K. Venkatasubramanian and S.K.S. Gupta, Security for pervasive

health monitoring sensor applications, in Proc. 4th International Con- ference on Intelligent Sensing and Information Processing 2006 - ICISIP 2006 , pp. 197-202, Bangalore, India, Dec. 2006.

[8] K.K. Venkatasubramanian and S.K.S. Gupta, Security Solutions for Pervasive Healthcare, in Security in distributed, grid, mobile, and per-vasive computing, eds Yang Xiao , pp. 443-464, Auerbach Publications,CRC Press, 2007.

[9] D. Halperin, T.S. Heydt-Benjamin, K. Fu, T. Kohno, and W.H. Maisel,Security and privacy for implantable medical devices, PervasiveComputing , Vol. 7, No. 1, pp. 30-39, 2008.

[10] R.G. Lee, K.C. Chen, C.C. Hsiao, and C.L. Tseng, A mobile caresystem with alert mechanism, IEEE Trans. Inform. Technol. Biomed. ,Vol. 11, No. 5, pp. 507-517, 2007.

[11] Health Insurance Portability Accountability Act (HIPAA).[12] E. Villalba, M.T. Arredondo, S. Guillen, and E. Hoyo-Barbolla, A newsolution for a heart failure monitoring system based on wearable andinformation technologies, in Proc. International Workshop on Wearableand Implantable Body Sensor Networks 2006 - BSN 2006 , Cambridge,Massachusetts, US, Apr. 2006.

[13] O. Aziz, B. Lo, R. King, A. Darzi, and G.Z. Yang, Pervasive bodysensor network: an approach to monitoring the post-operative surgicalpatient, in Proc. International Workshop on Wearable and Implantable Body Sensor Networks 2006 - BSN 2006 , Cambridge, Massachusetts,US, Apr. 2006.

[14] C. Linti, H. Horter, P. Osterreicher, H. Planck, Sensory baby vest for the monitoring of infants, in Proc. International Workshop on Wearableand Implantable Body Sensor Networks 2006 - BSN 2006 , Cambridge,Massachusetts, US, Apr. 2006.

[15] J. Espina, T. Falck, J. Muehlsteff, and X. Aubert, Wireless body sensor

network for continuous cuff-less blood pressure monitoring, in Proc. 3rd IEEE-EMBS Internation Summer School and Symposium on Medical Devices and Biosensors , MIT, Boston, US, Sept. 2006.

[16] S.D. Bao and Y.T. Zhang, A new symmetric cryptosystem of body areasensor networks for telemedicine, in Proc. 6th Asian-Pacic Conferenceon Medical and Biological Engineering , Japan, Apr. 2005.

[17] S.D. Bao, Y.T. Zhang, and L.F. Shen, Physiological signal based entityauthentication for body area sensor networks and mobile healthcaresystems, in Proc. 27th IEEE Conference on Engineering in Medicineand Biology , pp. 2455-2458, Shanghai, China, Sept. 2005.

[18] K. Tan, F. Jiang, Q. Zhang, and X. Shen, Congestion control inmultihop wireless networks, IEEE Trans. Veh. Technol. , Vol. 56, No.2, pp. 863-873, July 2007.

[19] C. Zhang, R. Lu, X. Lin, P.H. Ho and X. Shen, An efcient identity-based batch verication scheme for vehicular sensor networks, in Proc. IEEE INFOCOM08 , Phoenix, AZ, USA, April 14-18, 2008.

[20] R. Lu and Z. Cao, Efcient remote user authentication scheme usingsmart card, Computer Networks , Vol. 49, No. 4, pp. 535-540, 2005.[21] A. Serjantov and S.J. Murdoch, Message splitting against the partial

adversary, in 5th International Workshop on Privacy Enhancing Tech-nologies - PET 2005 , LNCS 3856, pp. 26-39, Springer-Verlag, 2006.

[22] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, Enhancing source-location privacy in sensor network routing, in Proc. 25th IEEE Inter-national Conference on Distributed Computing Systems - ICDCS 2005 ,Columbus, Ohio, USA, June 2005, pp. 599-608.

[23] K. Mehta, D. Liu, and M. Wright, Location privacy in sensor networksagainst a global eavesdropper, in Proc. IEEE International Conferenceon Network Protocols, 2007 - ICNP 2007 , Beijing, China, 2007, pp.314-323.

[24] W. Mao, Modern Cryptography: Theory and Practice , Prentice Hall

PTR, 2003.[25] D. Chaum, Untraceable electronic mail, return addresses and digitalpseudonyms, Communications of the A.C.M. , Vol. 24, No. 2, pp. 84-88, February 1981.

[26] D. Chaum, The dining cryptographers problem: unconditional sender and recipient untraceability, J. Cryptology , Vol. 1, No. 1, pp. 65-75,1988.

[27] A. Ptzmann and M. Waidner, Networks without user observability,design options, Computers & Security , Vol. 6, No. 2, pp. 158-166,1987.

[28] A. Jerichow, J. M uller, A. Ptzmann, B. Ptzmann, and M. Waidner,Real-time mixes: a bandwidth-efcient anonymity protocol, IEEE J.Sel. Areas Commun. , Vol. 16, No. 4, pp. 495-509, 1998.

[29] D. Kesdogan, J. Egner, and R. B uschkes, Stop-and-go mixes providingprobabilistic security in an open system, in Prof. of Second Inter-national Workshop on Information Hiding , LNCS 1525, pp. 213-229,

Springer-Verlag, 1998.[30] O. Berthold, H. Federrath, and S. K opsell, Web mixes: a system for anonymous and unobservable internet access, in Proc. InternationalWorkshop on Design Issues in Anonymity and Unobservability , LNCS2009, pp. 115-129, Springer-Verlag, 2001.

[31] Y. Ouyang, Z. Le, G. Chen, J. Ford, and F. Makedon, Entrapping adver-saries for source protection in sensor networks, in Proc. InternationalSymposium on on Word of Wireless, Mobile and Multimedia Networks(WoWMoM) , pp. 23 -24, June 2006.

[32] C. L. Barrett, S. J. Eidenbenz, L. Kroc, M. Marathe, and J. P. Smit,Parametric probabilistic sensor network routing, in Proc. 2nd ACMinternational conference on Wireless sensor networks and applications ,San Diego, CA, USA, 2003, pp. 122 - 131.

[33] Z. Cheng and W. Heinzelman, Flooding strategy for target discoveryin wireless networks, in Proc. 6th ACM international workshop on Modeling analysis and simulation of wireless and mobile systems

(MSWiM 2003) , San Diego, CA, USA, 2003, pp. 33 - 41.[34] C. Intanagonwiwat, R. Govindan, and D. Estrin, Directed diffusion:a scalable and robust communication paradigm for sensor networks,in Proc. Sixth Annual ACM/IEEE International Conference on MobileComputing and Networks (MobiCOM) , Boston, MA, USA, August2000, pp. 56 - 67.

[35] H. Lim and C. Kim, Flooding in wireless ad-hoc networks, ComputerCommunications , Vol. 24, No. 3. pp. 353-363, February 2001.

[36] B. Karp and H.T. Kung, GPSR: greedy perimeter stateless routingfor wireless networks, in Proc. Sixth Annual ACM/IEEE InternationalConference on Mobile Computing and Networks (MobiCOM) , Boston,MA, USA, August 2000, pp. 243-254.

[37] D. Niculescu and B. Nath, Trajectory based forwarding and its appli-cations, in Proc. Sixth Annual ACM/IEEE International Conference on Mobile Computing and Networks (MobiCOM) , San Diego, CA, USA,September 2003, pp. 260-272.

[38] Y. Jian, S. Chen, Z. Zhang, and L. Zhang, Protecting receiver-locationprivacy in wireless sensor networks, Proc. IEEE INFOCOM 2007 ,Anchorage, Alaska, USA, May 2007.

[39] D. Boneh and M. Franklin, Identity-based encryption from the Weilpairing, in Advances in Cryptology - CRYPTO 2001 , LNCS 2139, pp.213-229, Springer-Verlag, 2001.

[40] R. Lu, Z. Cao, and R. Su, A self-encryption remote user anonymousauthentication scheme using smart cards, J. Shanghai Jiaotong Univer-sity (Science) , Vol. E-11, No. 2, pp. 210-214, 2006.

[41] J. Cha and J. Cheon, An identity-based signature from gap dife-hellman groups, in Prof. Practice and Theory in Public Key Cryptog-raphy PKC2003 , LNCS 21392567 pp. 18-30, Springer-Verlag, 2003.

[42] M. Bellare and P. Rogaway, Random oracles are practical: a paradigmfor designing efcient protocols, in Proc. 1st ACM conference onComputer and Communications Security (CCS) 1993 , Fairfax, Virginia,USA, November 1993, pp. 62-73.

[43] V. Shoup, OAEP reconsidered, J.Cryptology , Vol. 15, No. 4, pp. 223-249, 2002.[44] J. Coron, On the exact security of full domain hash, in Advances

in Cryptology - CRYPTO 2000 , LNCS 1880, pp. 229 - 235, Springer-Verlag, 2000.



14/14


[45] M. Scott, Efcient implementation of crytographic pairings, [On-line]. Available: http://ecrypt-ss07.rhul.ac.uk/ Slides/Thursday/mscott-samos07.pdf

[46] D. Gross and C.M. Harris, Fundamentals of Queueing Theory , Wiley,1998.

Xiaodong Lin (S07-M09) received the Ph.D. de-gree in information engineering from Beijing Uni-versity of Posts and Telecommunications, Beijing,China, in 1998 and the Ph.D. degree (with Out-standing Achievement in Graduate Studies Award)in electrical and computer engineering from theUniversity of Waterloo, Waterloo, ON, Canada, in2008. He is currently an Assistant Professor of information security with the Faculty of Businessand Information Technology, University of OntarioInstitute of Technology, Oshawa, ON, Canada. His

research interests include wireless network security, applied cryptography,computer forensics, and anomaly-based intrusion detection. Dr. Lin was therecipient of a Natural Sciences and Engineering Research Council of Canada(NSERC) Canada Graduate Scholarships (CGS) Doctoral and the Best Paper Award of the IEEE International Conference on Communications (ICC07) -

Computer and Communications Security Symposium.

Rongxing Lu is currently working toward the Ph.Ddegree with the Department of Electrical and Com-puter Engineering, University of Waterloo, Water-loo, Ontario, Canada. He is currently a ResearchAssistant with the Broadband Communications Re-search (BBCR) Group, University of Waterloo. Hisresearch interests include wireless network security,applied cryptography, and trusted computing.

Xuemin (Sherman) Shen (M97-SM02-F09) re-ceived the B.Sc.(1982) degree from Dalian MaritimeUniversity (China) and the M.Sc. (1987) and Ph.D.degrees (1990) from Rutgers University, New Jer-sey (USA), all in electrical engineering. He is aUniversity Research Chair Professor, Department of Electrical and Computer Engineering, University of Waterloo, Canada. His research focuses on mobilityand resource management in interconnected wire-less/wired networks, UWB wireless communicationsnetworks, wireless network security, wireless body

area networks and vehicular ad hoc and sensor networks. He is a co-author of three books, and has published more than 400 papers and book chapters in

wireless communications and networks, control and ltering. Dr. Shen servesas the Tutorial Chair for IEEE ICC08, the Technical Program CommitteeChair for IEEE Globecom07, the General Co-Chair for Chinacom07 andQShine06, the Founding Chair for IEEE Communications Society TechnicalCommittee on P2P Communications and Networking. He also serves as aFounding Area Editor for IEEE Transactions on Wireless Communications;Editor-in-Chief for Peer-to-Peer Networking and Application; Associate Ed-itor for IEEE Transactions on Vehicular Technology; KICS/IEEE Journal of Communications and Networks, Computer Networks; ACM/Wireless Net-works; and Wireless Communications and Mobile Computing (Wiley), etc.He has also served as Guest Editor for IEEE JSAC, IEEE Wireless Com-munications, IEEE Communications Magazine, and ACM Mobile Networksand Applications, etc. Dr. Shen received the Excellent Graduate SupervisionAward in 2006, and the Outstanding Performance Award in 2004 and 2008from the University of Waterloo, the Premiers Research Excellence Award(PREA) in 2003 from the Province of Ontario, Canada, and the Distinguished

Performance Award in 2002 and 2007 from the Faculty of Engineering,University of Waterloo. Dr. Shen is a registered Professional Engineer of Ontario, Canada.

Yoshiaki Nemoto (SM05) received his B.E., M.E.,and Ph.D. degrees from Tohoku University in1968,1970, and 1973, respectively. He was a full professor with the Graduate School of Information Sciencesuntil 2008. Currently he is serving as the senior vice president of Tohoku University. He has beenengaged in research work on micro wave networks,communication systems, computer network systems,image processing, and handwritten character recog-nition. He is a co-recipient of the 1982 MicrowavePrize from the IEEE MTT society, the 2005 Distin-

guished Contributions to Satellite Communications award from IEEE ComSocsociety, FUNAI information Science Award 2007 and several prestigiousawards from Japanese Ministries. He is a senior member of IEEE, and afellow member of IEICE and IPSJ.

Nei Kato (SM05) received his M.S. and Ph.D.Degrees from Tohoku University, Japan, in 1988and 1991, respectively. He has been working withTohoku University since then and is currently a fullprofessor at the Graduate School of Information Sci-ences. He has been engaged in research on computer networking, wireless mobile communications, imageprocessing and neural networks. He has publishedmore than 130 papers in journals and peer-reviewedconference proceedings. Nei Kato has served as asymposium co-chair for GLOBECOM07 and Chi-

naCom08, and TPC member for a large number of IEEE international con-ferences, including ICC, GLOBECOM, WCNC and HPSR. He is a technicaleditor of IEEE Wireless Communications from 2006, an editor of IEEETransactions on Wireless Communications from 2008, a co-guest-editor for IEEE Wireless Communications Magazine SI on Wireless Communicationsfor E-healthcare. He is a co-recipient of the 2005 Distinguished Contributionsto Satellite Communications Award from the IEEE Communications Society,Satellite and Space Communications Technical Committee, the co-recipientof FUNAI information Science Award, 2007, and the co-recipient of 2008TELCOM System Technology Award from Foundation for Electrical Commu-nications diffusion. He is serving as an expert member of TelecommunicationsCouncil, Ministry of Internal Affairs and Communications, Japan. Nei Katois a member of the Institute of Electronics, Information and CommunicationEngineers (IEICE) and a senior member of IEEE.

sage a strong privacy preserving scheme against global eavesdropping for ehealth systems

Documents