Robust Distributed Reprogramming Protocol of Wireless Sensor Networks for Healthcare Systems

With the development of wireless communication technologies, wireless sensor networks (WSNs for short) are considered one of the key research areas in healthcare systems. However, there is sometimes a need to remove bugs or add new functionalities after WSNs are deployed. Wireless reprogramming is a process for propagating a new code image or relevant commands to the sensor nodes in a WSN. In this paper, we propose a robust distributed reprogramming protocol of WSNs for healthcare systems, whose security requirements, namely existential unforgeability of signature for code image, authenticity of code image, freshness, and node compromised tolerance, are proved to hold based on the elliptic curve discrete logarithm problem.


Introduction
Wireless sensor networks (WSNs for short) are spatially distributed sensors that gather physical or environmental information. The distributed sensors cooperate to pass their data through the network to a main location [1]. In recent years, WSNs have been considered as potential applications for providing high-quality healthcare services [2]. In healthcare applications, it may be necessary to remove bugs or add new functionalities after WSNs are deployed. Reprogramming is an important operation for propagating a new code image or relevant commands to sensor nodes in WSNs. However, an adversary may intercept or modify the transmitted messages in a WSN. Hence, it is critical to design a secure protocol for securely propagating a new code image or relevant commands to sensor nodes in WSNs.
International Journal of Distributed Sensor Networks
In 2008, Das and Joshi [3] adopted the orthogonality principle to design a protocol for dynamically updating sensor nodes in WSNs. A shared secret chosen by a base station has to be preinstalled on all sensor nodes before deploying them in a WSN, and the shared secret is used to validate a received advertisement message. After all sensor nodes accept a correct advertisement message, the sensor nodes dynamically update the shared secret. However, Zeng et al. [4] demonstrated that Das and Joshi's protocol is vulnerable to an impersonation attack. Assume that an adversary obtains the shared secret by compromising a sensor node. Then, the adversary can impersonate the base station to install his/her preferred program on sensor nodes by using the shared secret. Zeng et al. further proposed an improved scheme, but Wang et al. [5] pointed out that Zeng et al.'s protocol [4] still suffers from an impersonation attack. In 2012, He et al. [6] showed that an adversary can impersonate a base station to install his/her preferred program on sensor nodes in a WSN and, further, that the adversary can control the whole WSN. He et al. proposed two simple countermeasures which are formally validated by model checking. Soon afterwards, He et al. [7] proposed a secure and distributed reprogramming protocol (SDRP for short) for WSNs based on an identity-based signature scheme. In the SDRP, multiple authorized users are supported, and each authorized user may have a different privilege for reprogramming sensor nodes. Subsequently, He et al. [8] and Yeo et al. [9] each pointed out a private key compromise problem in the SDRP. Furthermore, He et al. proposed an improved protocol based on Barreto et al.'s identity-based signature scheme [10]. In 2014, Shim [11] showed that He et al.'s improved protocol [8] is entirely broken and further proposed an improved protocol based on a pairing-free identity-based signature scheme. However, we find that Shim's improved protocol is unworkable because the signature verification does not hold true. Among the various secure protocols for WSNs [3][4][5][6][7][8][9][11][12][13][14][15][16][17][18][19][20][21][22][23][24], most of the published reprogramming protocols [3, 6, 12-14, 16, 18, 20-23] are based on the centralized approach, which assumes the existence of a base station, and only the base station has the authority to reprogram sensor nodes. The centralized approach is not reliable in practice because of its inefficiency, weak scalability, and vulnerability to potential attacks along the communication path [24].
Inspired by He et al.'s protocol [7], we adopt a short signature scheme to design a robust distributed reprogramming protocol of WSNs for healthcare applications. In the proposed protocol, each sensor node validates a received message by verifying the corresponding signature. The proposed protocol provides the following requirements.
(1) Existential unforgeability of signature for code image: any adversary cannot successfully forge a signature for any code image by mounting chosen-message attacks.
That is, only authorized users can construct valid reprogramming packets.
(2) Authenticity of code image: prior to the start of installation, a sensor node can verify the source of a code image.
(3) Freshness: prior to the start of installation, a sensor node can confirm that the to-be-installed program is the newest version.
(4) Node compromised tolerance: even though a sensor node is compromised, the compromised sensor node will not cause other uncompromised sensor nodes to violate authenticity of code image, integrity of code image, and freshness.

Overview of He et al.'s SDRP
In this section, we review the first distributed reprogramming protocol (SDRP for short), proposed by He et al. [7]. The symbols used in the subsequent descriptions are listed as follows.

The Used Symbols and Descriptions
: an additive group with an order , where is a large prime.
: a multiplicative group with an order , where is a large prime.
: a generator in .
: a prime number.
: a master key for a sensor network owner.
PK SNO : a public key for a sensor network owner, where PK SNO = ⋅ .
ID : an identifier for , where ID ∈ {0, 1} * .
Pri : a privilege for .
PK : a public key for , where PK = 1 ( ID ‖ Pri ) ∈ .
SK : a private key for , where SK = ⋅ PK .

System Initialization. In this phase, a sensor network owner SNO first generates his/her own private/public key pair /PK SNO and the system parameters. Then, SNO assigns a privilege to each authorized user AU and generates the corresponding key pair for the AU. The detailed descriptions of all steps are as follows.
(1) Choose an additive group and a multiplicative group , where and have the same order .
User Preprocessing. Suppose that an AU attempts to construct new reprogramming packets. He/she has to sign the packets with his/her private key and then send them to the sensor nodes. The AU performs the following tasks.
(1) Partition the code image into pages with a fixed size.
(2) Split the page into packets with a fixed size, where 1 ≤ ≤ . Note that the packets are denoted as ,1 , ,2 , . . . , , .
(3) Compute the hash value for each packet, where the hash value for each packet in page is appended to the corresponding packet in page − 1.
(4) Use the Merkle hash tree [25] to authenticate the hash values of the packets in page 1. The packets related to the Merkle hash tree are referred to as page 0. Suppose that represent the root of the Merkle hash tree and the metadata about the code image.
(5) Sign to generate the signature with his/her private key SK : (2)
(6) Send { ID , Pri , , } to the target sensor nodes as the notification for the new code image.
Sensor Node Verification. Upon receiving { ID , Pri , , }, each sensor node SN has to verify the received messages prior to the start of installation as follows.
(1) Verify the legality for the privilege Pri and the received messages. If both of them are valid, SN continues to perform Step (2); otherwise, SN rejects the messages.
(2) Verify the signature by using SNO's public key: If the above equality holds, is a valid signature, and each SN accepts the received messages; otherwise, SN rejects the messages.

He et al.'s SDRP [7] cannot achieve the security requirements as they claimed.
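The page and packet hash chain of steps (1)-(4) above, together with the packet-by-packet checking a sensor node performs once the root has been accepted, as an added worked example (not the paper's own code; the signature over the root in step (5) is left out, and SHA-256, 8-byte packets and 4 packets per page are assumed):

```python
import hashlib

PACKET_SIZE = 8        # payload bytes per packet (small constructed value for the demo)
PACKETS_PER_PAGE = 4   # packets per page (constructed)
DIGEST = 32            # SHA-256 digest length appended to chained packets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chunk(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]

def next_level(nodes):
    """One Merkle level up; the last node is duplicated when the count is odd."""
    if len(nodes) % 2:
        nodes = nodes + [nodes[-1]]
    return [H(nodes[i] + nodes[i + 1]) for i in range(0, len(nodes), 2)]

def preprocess(image: bytes):
    """User Preprocessing steps (1)-(4): pages -> packets, backward hash chain,
    Merkle tree over page 1. Returns (root, page0_levels, pages); the root is
    what the authorized user signs in step (5) (signing is out of scope here)."""
    page_len = PACKET_SIZE * PACKETS_PER_PAGE
    image += b"\0" * (-len(image) % page_len)          # zero-pad to whole pages
    pages = [chunk(p, PACKET_SIZE) for p in chunk(image, page_len)]
    # Step (3): the hash of packet j in page i is appended to packet j of page i-1,
    # so each page authenticates the next one and the last page carries no hashes.
    for i in range(len(pages) - 2, -1, -1):
        for j, nxt in enumerate(pages[i + 1]):
            pages[i][j] += H(nxt)
    # Step (4): Merkle tree over the page-1 packet hashes; its levels form page 0.
    levels = [[H(p) for p in pages[0]]]
    while len(levels[-1]) > 1:
        levels.append(next_level(levels[-1]))
    return levels[-1][0], levels[:-1], pages

def verify_image(root: bytes, page0, pages) -> bool:
    """Sensor Node Verification of the packet stream, assuming the root has already
    been accepted through the signature check: nothing is installed unless every
    packet chains back to that root."""
    levels = page0 + [[root]]
    for lower, upper in zip(levels, levels[1:]):       # page 0 must rebuild the root
        if next_level(lower) != upper:
            return False
    expected = levels[0]                                # Merkle leaves = page-1 hashes
    for page in pages:
        if [H(p) for p in page] != expected:
            return False
        expected = [p[-DIGEST:] for p in page]          # hashes carried for the next page
    return True

# Constructed sample image: 70 bytes -> 3 pages of 4 packets after padding.
SAMPLE_IMAGE = bytes(range(70))

if __name__ == "__main__":
    root, page0, pages = preprocess(SAMPLE_IMAGE)
    print("valid stream accepted:", verify_image(root, page0, pages))
    pages[1][2] = b"\xff" + pages[1][2][1:]            # flip a byte in page 2, packet 3
    print("tampered stream accepted:", verify_image(root, page0, pages))
```

Because each page carries the hashes of the next one, a node can reject a modified packet as soon as it arrives instead of buffering the whole image before the check.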

Our Proposed Reprogramming Protocol for Healthcare Systems
The basic idea of our proposed protocol is that the maintenance staff responsible for maintaining different healthcare applications have to register with the sensor owner. Upon successful registration, a staff member receives a smart card storing an authorized private key. Then, the staff member can construct secure reprogramming packets for WSNs whenever demanded. In order to assure the validity of the packets, the sensor nodes in WSNs have to verify the signature on the packets. Our reprogramming protocol also consists of three phases: System Initialization, User Preprocessing, and Sensor Node Verification. The description of the System Initialization phase in our proposed protocol is almost the same as that in He et al.'s SDRP [7], but an extra one-way hash function 3 is used in our protocol, where 3 : → * . The detailed descriptions of User Preprocessing and Sensor Node Verification are as follows.
User Preprocessing. Assume that an AU constructs the reprogramming packets, signs the packets with his/her own private key, and sends them to the sensor nodes. The steps from (1) to (4) for constructing reprogramming packets are the same as in He et al.'s SDRP [7]. We also assume that the message represents the root of the Merkle hash tree [25] and the metadata about the code image. The other steps for the AU are as follows.
(6) Compute = ⋅ .
(7) Generate the nonce .
(8) Compute by using his/her private key SK :
Sensor Node Verification.
(1) Verify the legality of the privilege Pri and the received message. If both of them are valid, SN continues to perform the next step; otherwise, SN rejects the received messages.
(2) Verify the signature with the public key of the SNO and the public system parameters: where = 1 ( ID ‖ Pri ). If the above equality holds, the received signature ( , ) is valid, and each SN accepts the received messages; otherwise, each SN rejects the received messages.

Security Analysis and Efficiency Comparison
Based on the elliptic curve discrete logarithm problem (ECDLP for short) [26,27], the computational Diffie-Hellman problem (CDH for short) [28], the decisional Diffie-Hellman problem (DDH for short) [28], and the assumption of a one-way hash function (OWHF for short) [29], we analyze our reprogramming protocol and verify that it satisfies the security requirements: existential unforgeability of signature for code image, authenticity of code image, freshness, and node compromise tolerance. In addition, we compare the computation costs of our proposed protocol with those of He et al.'s protocol [8]. The descriptions of the ECDLP, the CDH, the DDH, and the OWHF are as follows.
Definition 1 (elliptic curve discrete logarithm problem). Let be an elliptic curve defined over ( ). Given ( , ), determining an integer such that = ⋅ is computationally infeasible, where , ∈ , the order of is a large prime , and 0 ≤ ≤ − 1.

We give a formal definition for existential unforgeability of a signature for a code image under a chosen-message attack, based on the established notion of existential unforgeability against chosen-message attacks [30,31]. The game between an adversary A and a challenger C is defined as follows.
S: given a security parameter , the challenger C first builds up a system parameter set . Then, the C generates a private/public key pair ( , PK SNO ) and a private/public key pair (SK , PK ) for each authorized user AU with an identifier . Finally, the adversary A is given , PK SNO , and PK , and the private keys SK and are kept secret by the C.
Q: the A can submit various queries to the C as follows.
(1) 1 queries: to respond to the A's queries, the C maintains a list 1 .
(2) 3 queries: to respond to the A's queries, the C maintains a list 3 .
(3) Signature for code image: to request a signature for a code image, the A submits a message and a public key PK . Upon receiving the request, the C computes the signature under the public key PK and returns the result to A.
F: the A outputs a signature * for a target message * , and the A never submits the target message * to request a signature for code image. We say that A wins the game if the signature * is valid for the target * .

Definition 5.
The proposed protocol is said to achieve existential unforgeability of signature for code image against chosen-message attacks if the success probability of any polynomially bounded adversary in the above game is negligible.
Theorem 6. The proposed protocol achieves existential unforgeability of signature for code image against chosen-message attacks in the random oracle model, assuming the hardness of the CDH problem.
Proof. Assume that a polynomial-time algorithm A can forge the signature under a chosen-message attack, and let 1 and 3 be random oracles in the simulation; the polynomial-time algorithm A can make 1 and 3 queries to 1 and 3 , respectively.
We will show how to construct a polynomial-time algorithm that solves the CDH problem by using the A. Let ( , ⋅ , ⋅ ) be a random instance of the CDH problem. Computing ⋅ is the goal for the .
In the S phase, the algorithm builds up a system parameter set = ⟨ , , ,̂, , 1 , 3 ⟩, 1 = ⋅ , and 2 = ⋅ with a security parameter . Then, the generates a private/public key pair ( , PK SNO ) for the sensor network owner SNO and a private/public key pair (SK , PK ) for an authorized user , where PK SNO = ⋅ and PK = ⋅ . Finally, the A is given , PK SNO , and PK , and the private keys and SK are kept secret.
In the Q phase, the A adaptively submits the following queries.
(1) 1 queries: the has to maintain a list 1 storing ( , , ℎ 1, ) for responding to the A's queries. Upon receiving an 1 query for any subdocument , the has to check whether the tuple ( , , ℎ 1, ) is in list 1 . If it exists in list 1 , the returns ℎ 1, and terminates the step; otherwise, the generates a random number ℎ 1, ∈ * , returns it, and stores ( , , ℎ 1, ) in list 1 .
(2) 3 queries: the has to maintain a list 3 storing ( , , ℎ 3, ) for responding to the A's queries. Upon receiving an ℎ 3 query for any , the checks whether ( , , ℎ 3, ) is in list 3 . If the tuple exists in list 3 , the returns ℎ 3, and terminates the step; otherwise, the generates a random number ℎ 3, ∈ * , returns it, and stores ( , , ℎ 3, ) in list 3 .
(3) Signature for code image: the A submits to the and requests a signature . Upon receiving the request, the simulates an 1 oracle to get ( , , ℎ 1, ) and simulates an 3 oracle to get ( , , ℎ 3, ). After the simulation, the generates a random bit ∈ {0, 1}. If = 1, the computes by using SK and returns it; otherwise, the randomly generates and returns it.
Let be the probability that the A successfully outputs a signature * for a target * . We can say that the successful probability that solves the CDH problem is greater than according to the above simulation. That is, the proposed protocol can achieve existential unforgeability of signature for code image.

Theorem 7.
The proposed protocol is said to achieve authenticity of code image if the success probability of any polynomially bounded adversary is negligible.
Proof. The source of a code image must be verified by a sensor node prior to the installation. Assume that an adversary attempts to construct reprogramming packets. Thus, a polynomial-time algorithm A can simulate the following attacks:
(1) Given a SNO's public key ( , PK SNO ), an AU 's identifier ID ∈ {0, 1} * , and the corresponding privilege Pri , the polynomial-time algorithm A attempts to output the private key SK for the . First of all, the A computes the 's public key PK = 1 ( ID ‖ Pri ). Then, the A derives SNO's private key from the public key PK SNO = ⋅ . Finally, the A outputs the 's private key SK = ⋅ PK . However, the A cannot successfully output the 's private key SK because the A cannot derive from the public key PK SNO = ⋅ assuming the hardness of the ECDLP.
(2) Given a signature ( , ), an AU 's identifier ID ∈ {0, 1} * , and the corresponding privilege Pri , the polynomial-time algorithm A attempts to output the 's private key SK from the signature. First of all, the A derives from . Then, the A computes ⋅ = 1 ( ‖ ) + 3 ( ) ⋅ SK . Finally, the A computes the inverse 3 ( ) −1 for 3 ( ) and further outputs the private key SK . However, the A cannot successfully output the 's private key SK because the A cannot derive from due to the ECDLP.
According to the above analysis, the success probability of the polynomial-time algorithm A is negligible. That is, no adversary can successfully impersonate the AU to construct new reprogramming packets in the proposed protocol.

Theorem 8. The proposed protocol is said to achieve freshness if the success probability of any polynomially bounded adversary is negligible.

Proof. In the simulation, a polynomial-time algorithm A can obtain the same messages shown in Theorem 6. Given a nonce * , the A cannot successfully output another nonce such that 1 ( ‖ * ) = 1 ( ‖ ) due to the assumption of the OWHF. That is, the nonce in the proposed protocol is used to ensure freshness.

Theorem 9.
The proposed protocol is said to achieve node compromise tolerance if the success probability of any polynomially bounded adversary is negligible.
Proof. Upon compromising a sensor node, a polynomial-time algorithm A can obtain the system parameters { , , , , , PK SNO , 1 , 3 }. Further, the polynomial-time algorithm A can submit the same queries shown in Theorem 6. According to the above analysis, the A cannot cause an uncompromised node to violate the aforementioned security requirements.
In 2012, Gouvêa et al. [32] presented a software implementation of an elliptic curve cryptosystem and a pairing-based cryptosystem for the MSP430 microcontroller family, which is used in wireless sensor nodes. That is, pairing computation is practical on wireless sensor nodes. Further, we do not consider the time for computing a hash value. The descriptions of the symbols for the different operations are as follows.
The Symbols for Different Operations.
exe : the time for computing a modular exponentiation operation.
mul : the time for computing a modular multiplication operation.
inv : the time for computing an inverse operation.
ecm : the time for computing an elliptic curve multiplication operation.
eca : the time for computing an elliptic curve addition operation.
pairing : the time for computing a bilinear pairing function.
In the following, we compare the computation costs of our proposed protocol with those of He et al.'s protocol [8]. From Table 1, we can see that our proposed protocol is only slightly outperformed in computation cost and achieves additional security requirements which He et al.'s protocol [8] lacks.

Conclusions
We propose a robust distributed reprogramming protocol providing existential unforgeability of signature for code image, authenticity of code image, freshness, and node compromised tolerance. The proposed protocol is applicable to healthcare systems, in which the maintenance staff responsible for maintaining different healthcare applications can construct secure reprogramming packets for WSNs, and the sensor nodes in WSNs can ensure the validity of the constructed packets. Considering the resource limitations of sensor nodes in WSNs, our future work is to design a lightweight distributed reprogramming protocol for WSNs.