Group authentication and key distribution for sensors in wireless body area network

Wireless body area network can be employed to collect patient’s electronic health data. To guarantee the reliability and confidentiality of the collected data, secure data transmission in wireless body area network is required. In wireless body area network, a mutual authentication process has to be carried out between the controller and sensors to ensure their legitimacy, and a key distribution mechanism is required to secure communication after successful mutual authentication. Li et al. proposed a cryptographic solution, which allows group device pairing authentication and key agreement but has low authentication efficiency and key leakage problems. To address these issues, a group authentication and key distribution scheme is proposed in this article. It enables effectively mutual authentication between controller and sensors, supports all signatures of sensors in the group to be checked by the controller through aggregation verification to achieve efficient authentication, and allows key distribution during authentication to improve the computation efficiency. Security analysis indicates that the proposed scheme enjoys existentially unforgeability, and theoretical and experimental comparison demonstrates its practicality in terms of computation and communication cost.


Introduction
Wireless body area network (WBAN) is an important branch of the Internet of things (IoT). 1 With the development of sensor technology, WBAN has great practical significance in remote medicine detection, health care and service, 2 and so on. WBAN is mainly composed of sensors worn on or implanted into a human body. Sensor nodes can sense and collect physiological data of the human body as well as surrounding environmental information. 3 The collected data can be sent to the controller, which has powerful storage and computing capacities. The data are then forwarded to the remote medical data center for processing and analysis, and based on these data the doctor is able to make a treatment plan. For example, wearable pulse oximetry sensors can be used by patients with vascular disease to measure blood oxygen saturation. 4 For emergency cases detected by sensors, relevant measures can be taken to relieve the suffering of patients; for example, implanted blood glucose sensors can analyze the patient's blood glucose index in real time and trigger the insulin pump for insulin injection when necessary. 5 While WBAN brings convenience to patients, security and privacy issues also arise. The collected data may contain private information of users, which is at risk of being leaked or tampered with during transmission. 6 Therefore, it is extremely important to protect the security and privacy of users' sensitive data. Due to the openness of the transmission channel, attackers can affect the accuracy of data by replay, forgery, and interference, which may lead to misdiagnosis of patients, slow down recovery, and even worsen the condition. 7 To prevent malicious nodes from joining WBAN, entity authentication is an effective way to ensure the authenticity of entities. Since there are many sensors in WBAN, group authentication is necessary to improve on the efficiency of one-by-one authentication. Li et al. 8 proposed a group device pairing authentication method based on secure sensor association and key management. All sensor nodes should be authenticated not only by the controller but also by each sensor in the same group. The system assigns a serial number to each node in advance, so that the authentication message and group key can be computed using the parameters of adjacent nodes in the authentication and key negotiation phase. Note that it is difficult to ensure the true identity of each node because the authentication process mainly depends on the verification of the group size. Thus, malicious nodes can impersonate honest nodes to participate in the authentication process and key negotiation without being detected.

Our contributions
This article proposes a group authentication and key distribution scheme, which supports mutual authentication between the controller and sensors. The main contributions of this article are summarized as follows. The controller in our scheme is able to aggregate the signatures of sensor nodes, which improves the authentication efficiency; it is especially suitable for WBAN with a large number of sensor nodes. Secure distribution of the session key is accomplished during authentication, so no additional communication for key agreement is required after authentication. The proposed protocol prevents malicious entities from joining the system, ensures the authenticity of sensor nodes, guarantees the confidentiality of the session key, and resists traditional attacks. Theoretical comparison and experimental results show that our scheme has higher transmission and communication efficiency than existing schemes.
Compared with the preliminary version, 9 this article provides a secure session key distribution method during authentication, security model, security proof, and experimental results of the proposed scheme.

Article organization
The rest of the article is arranged as follows. Section ''Related works'' reviews related works. Section ''System model and security requirements'' presents system model and security requirements. Section ''Identity based aggregate authentication'' provides the proposed scheme. Sections ''Security analysis'' and ''Performance analysis'' show the security analysis and the performance analysis, respectively. Finally, section ''Conclusion'' concludes the article.

Related works
To address the key management issue against a malicious key generation center in public key cryptosystems, many certificateless signature schemes have been proposed 10,11 and proved unforgeable under adaptively chosen message attacks. Due to the key escrow problem, Mwitende et al. 12 proposed a pairing-based certificateless authentication scheme. Restricted by the computing and storage resources of entities in WBAN, Huang et al. 13 presented an identity-based signature scheme suitable for sensor networks, which reduces the online computation cost and resists replay attacks effectively. Xu et al. 14 proposed a lightweight anonymous authentication scheme with only hash operations and XOR operations. Thumbur et al. 15 presented an efficient certificateless signature scheme for resource-constrained devices using lightweight computing operations. However, Xu et al. 16 found that Thumbur et al.'s 15 scheme cannot resist signature forgery attacks and proposed an improved scheme with high efficiency.
In order to achieve efficient and secure data transmission, many schemes have been proposed to support mutual authentication and session key establishment between sensor nodes and the controller in the form of groups. 17 Keoh et al. 18 presented a sensor association scheme based on a synchronous LED flashing mode, where the controller and each sensor need to be authenticated by digital signatures and then the user verifies the flashing result of the LEDs. Therefore, multiple associations between sensors and the controller bring more time cost. Li et al. 8 proposed a scheme of sensor association and key management, which supports mutual authentication of group membership through group device pairing. Shen et al. 19 proposed a lightweight multi-layer authentication and secure session key generation scheme. This scheme allows one-to-many authentication and a group key to be established between the controller and each sensor node, which has the advantage of efficient authentication. Liu et al. 20 noticed that Shen et al.'s 19 scheme is vulnerable to impersonation attacks and proposed an improved two-layer authentication scheme. Tan and Chung 21 proposed a group key management scheme with cooperative sensor association, which utilizes the Chinese remainder theorem to realize group key management and supports batch key update. Shu et al. 22 proposed aggregate signatures for WBAN applications, whose computational efficiency is independent of the number of signers. Secret sharing 23 is used to realize a multi-group key establishment protocol, where users only need to keep one share to recover multiple group keys. When a group member leaves or joins, there is no need to rebuild the key.
Secure key distribution is the basic requirement for achieving secure data transmission. The scheme proposed by Kuo et al. 24 can send the key material to designated sensors without being eavesdropped, where a closed Faraday cage is used as a secure channel for key distribution. The cage not only prevents external malicious sensor nodes from joining but also increases the difficulty of new nodes joining. Benmansour et al. 25 designed a secure key management scheme to improve system security, which ensures that all information is communicated in ciphertext form. Owing to the limited sensor resources, most WBAN systems have a structure of distributed perception acquisition and a centralized processing mechanism. 5 Besides, WBAN has a small network scale, and there is no necessity for sensor nodes to communicate with each other. Thus, the star topology is often adopted in the distributed acquisition phase. 26 In Li et al.'s 27 scheme, WBAN is divided into two layers, where sensors act as the second layer and send the collected data to the central node through the first layer, which has powerful storage, calculation, and communication capabilities. Li et al.'s 8 scheme also divides WBAN into two layers, and the data collected by sensor nodes in the second layer are transmitted to users through controllers in the first layer.
When the decryption key is exposed, the decryption functionality of the key needs to be revoked. Almuhaideb and Alqudaihi 28 introduced a user revocation function to the factor authentication scheme. Xiong and Qin 29 proposed a certificate-free remote anonymous authentication scheme supporting scalable revocation, which is suitable for large-scale WBAN. However, Shim 30 pointed out that Xiong and Qin's 29 scheme cannot resist forgery attacks. Also, it requires resource-intensive bilinear pairings, which are not suitable for WBAN applications. Shen et al. 19 improved the efficiency of the schemes by Li et al. 8 and Xiong and Qin. 29 Besides, Cai and Niu 31 proposed a lightweight data fusion method to solve the problems of long data transmission time and low efficiency. To make the authentication process more efficient and secure, the verification process needs to be simplified to reduce the number of interactions between the sensor and the controller. Therefore, Abro et al. 32 proposed an authentication scheme based on ElGamal, which reduces communication overhead and resists man-in-the-middle attacks. Jegadeesan et al. 33 and Wang et al. 34 also proposed efficient and secure mutual authentication schemes for privacy protection, which reduce the cost of computation and communication and introduce time stamps to prevent replay attacks.

System model
As shown in Figure 1, a WBAN system consists of two types of entities, namely, sensors deployed on and around users and the controller for data collection. There is a private key generator (PKG) to initialize the system and issue private keys for all entities.
The sensors collect physiological data of users and information about the surrounding environment. Limited by the storage space of sensors, the collected data need to be transmitted to the controller for storage and computation. Before data collection, sensors and the controller need to perform mutual authentication to confirm each other's authenticity. When the controller is legitimate, the sensor sends the collected data to it. During the mutual authentication procedure, the controller securely distributes a session key to the sensors in a group, so that all sensors in the same group share the same session key.

Security requirements
In WBAN, it is important to prevent malicious sensors and controller from impersonating honest entities and eavesdropping sensitive data during data collection and transmission. Therefore, a secure WBAN authentication and key distribution scheme supporting aggregate verification needs to meet the following security requirements.
Authenticity of controller: The signature issued by the legitimate controller can be successfully verified by the sensor nodes in a group. A malicious attacker cannot forge a signature that passes the verification conditions.
Authenticity of sensors: The signatures issued by legitimate sensors in a group can be successfully verified by the controller by means of aggregation. Malicious nodes cannot impersonate legitimate sensor nodes to pass the authentication conditions and so join the group communication.
Confidentiality of session key: When the controller and sensors in a group perform mutual authentication, the session key can be securely shared.
Efficiency: As the number of sensor nodes increases, the computations during authentication will be increased at both sides of the controller and sensors. Therefore, the WBAN system should support aggregate verification to improve the authentication efficiency.

Security model
The security model for the unforgeability of a sensor's identity in WBAN is defined by the following game between a probabilistic polynomial time adversary $A_1$ and a challenger.
The challenger runs the initialization algorithm and gives the system public parameter param to $A_1$. When $A_1$ issues a private key generation query for an entity $u$, the challenger runs the key generation algorithm to obtain the corresponding private key $sk_u$ and sends it to $A_1$. When $A_1$ issues a group registration query for an entity $u$, the challenger runs the group registration algorithm and returns the group key $t$ to $A_1$. When $A_1$ issues a signature generation query on some message $m$ with regard to identity $u$, the challenger returns the signature $\sigma_1$.
Adversary $A_1$ wins the game if $u'$ has not been queried for the private key and $m'$ has not been queried for the signature with regard to identity $u'$. The adversary's advantage Adv is defined as the probability of winning the game. If the probability that $A_1$ outputs a valid signature $\sigma_1'$ of identity $u'$ in polynomial time $t$ is at most $\epsilon_1$ after the adversary $A_1$ makes no more than $q_k$ key generation queries, $q_r$ group registration queries and $q_s$ signing queries, then the scheme is said to be $(\epsilon_1, t)$-secure under $A_1$ attack in the sense of existential unforgeability against adaptively chosen message attacks.
The security model for the unforgeability of the controller's identity in WBAN is defined by the following game between a probabilistic polynomial time adversary $A_2$ and a challenger.
The challenger runs the initialization algorithm and gives the system public parameter param to $A_2$. When $A_2$ issues a private key generation query for an entity $u_0$, the challenger runs the key generation algorithm to obtain the corresponding private key $sk_{u_0}$ and sends it to $A_2$. When $A_2$ issues a signature generation query on some message $m$ with regard to identity $u_0$, the challenger returns the signature $\sigma_2$. Finally, $A_2$ outputs $(u_0', m', \sigma_2')$, where $\sigma_2'$ is a signature of message $m'$ for entity $u_0'$.
Adversary $A_2$ wins the game if $u_0'$ has not been queried for the private key and $m'$ has not been queried for the signature with regard to identity $u_0'$. If the probability that $A_2$ outputs a valid signature $\sigma_2'$ of identity $u_0'$ in polynomial time $t$ is at most $\epsilon_2$ after the adversary $A_2$ makes no more than $q_k$ key generation queries and $q_s$ signing queries, then the scheme is said to be $(\epsilon_2, t)$-secure under $A_2$ attack in the sense of existential unforgeability against adaptively chosen message attacks.

Identity-based aggregate authentication scheme
The security of the proposed scheme depends on the following discrete logarithm (DLog) problem.
Discrete logarithm problem: Let $G$ be a cyclic group of prime order $q$ with generator $g$. Given an element $g^x \in G$ where $x \in \mathbb{Z}_q$, compute $x$. If no algorithm with running time at most $t$ can solve the DLog problem with probability at least $\epsilon$, it is said that the $(\epsilon, t)$-DLog assumption holds in the cyclic group $G$.

Scheme design
The controller performs mutual authentication with sensor nodes in a group, where the validity of each entity's identity can be checked through aggregate authentication. Figure 2 shows the authentication process of the proposed scheme.
Initialization. PKG chooses a cyclic group $G$ of order $q$, where $q$ is a large prime and $g$ is a generator of $G$. PKG randomly chooses $w \in \mathbb{Z}_q^*$, computes $W = g^w$, and picks a cryptographic hash function $H: \{0,1\}^* \to \mathbb{Z}_q^*$. The system public parameter is param $= (G, q, g, W, H)$, and the master key is msk $= w$.
KeyGen. PKG chooses a random integer $r_j \in \mathbb{Z}_q^*$ for each entity $u_j$ ($j = 0, 1, 2, \ldots, n$), where $u_0$ is the controller and the other $u_j$ represent sensor nodes. PKG computes the private key $(R_j, s_j)$ and gives it to entity $u_j$ through a secure channel.
Group registration. The controller chooses $l$ group keys $t_1, t_2, \ldots, t_l \in \mathbb{Z}_q^*$ corresponding to the groups $S_i$ ($i = 1, 2, \ldots, l$). When each sensor node $u_j$ ($j = 1, 2, \ldots, n$) performs group registration, the controller assigns it a group $S_i$ and returns the corresponding group key $t_i$.
Group authentication request. When the controller communicates with group $S_i$, it needs to mutually authenticate with all nodes in that group. The controller sets where $l_i$ denotes the number of sensor nodes in the group $S_i$. The controller randomly chooses $y_i, v_i, k_i \in \mathbb{Z}_q^*$ for group $S_i$, and computes where $a_{l_i} = 1$. The controller constructs a string and broadcasts the signature $(R_0, Y_i, z_i)$, its identity $u_0$, and the tuple $(v_i, m_i)$ to all sensor nodes in group $S_i$.
Sensor verification and response. After receiving the signature and tuple, each sensor node in group $S_i$ computes $h_i = H(Y_i \| R_0 \| m_i \| S_i)$ and checks the following equality. If equation (1) does not hold, the authentication request from the controller is rejected. Otherwise, each sensor node $u_l$ reconstructs $f_i(x)$ from $m_i$ and computes the session key for secure communication. Then each sensor node $u_l$ chooses a random integer $y_l \in \mathbb{Z}_q^*$, computes and sends the signature $(R_l, Y_l, z_l)$ and its identity $u_l$ to the controller.
Aggregate verification. After the controller receives the signatures and identities from the sensor nodes of group $S_i$, it performs aggregate verification as follows. The controller computes and $h_l$ of each sensor node $u_l \in S_i$, and verifies the following equation. If equation (2) does not hold, the authentication responses from the sensors are rejected. Otherwise, the controller is able to communicate with the sensor nodes in group $S_i$ via the session key $k_i$.
Correctness verification
Theorem 1. The proposed authentication scheme for WBAN is correct.
Proof. To prove the correctness of the proposed scheme, we only need to show both equations (1) and (2) hold.
First, each sensor node $u_l$ in the group $S_i$ can verify the authenticity of the controller by checking equation (1), which is shown as follows
Second, the controller can verify the authenticity of all sensor nodes in group $S_i$ by checking equation (2), which is shown as follows
Therefore, the signatures generated by the controller and by all sensor nodes in a group can be successfully verified. Thus, the proposed authentication scheme for WBAN is correct. □
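The following Python program is an added example, not the paper's own code: it reconstructs the KeyGen, signing, sensor verification and aggregate verification steps of the scheme above, together with the correctness check of Theorem 1, from the relations the proof of Theorem 2 reveals (R = W^a g^b, s = b, H(R||u) = -a, and z = y + h r + h w H(R||u) mod q). The key and signature equations are therefore inferred, and the monic polynomial f_i(x) that carries the session key, the toy 128-bit group, and all identities and seeds are assumptions. The rogue-sensor case shows why a valid PKG key alone is not enough: without the group key t_i a node cannot recover k_i, so its response hashes a different key and the controller's aggregate check rejects the round.

```python
# Added example (not the paper's code): the scheme's KeyGen / Sign / Verify and session-key
# polynomial, reconstructed from the proof of Theorem 2 (R = W^a g^b, s = b, H(R||u) = -a and
# z = y + h r + h w H(R||u) mod q):  R_j = g^{r_j}, s_j = r_j + w H(R_j||u_j);  Y = g^y,
# z = y + h s_j with h = H(Y||R_j||msg);  check g^z == Y (R_j W^{H(R_j||u_j)})^h.
# f_i(x) = k_i + prod_l (x - H(u_l||v_i||t_i)) is an ASSUMPTION about the omitted equations.
import hashlib
import random

def _is_prime(n):
    """Miller-Rabin with fixed bases (probabilistic at this size; enough for a toy setup)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

Q = (1 << 127) | 1                     # toy size; the paper uses |q| = 160 bits, |G| = 512 bits
while not (_is_prime(Q) and _is_prime(2 * Q + 1)):   # first safe prime p = 2q + 1 above 2^127
    Q += 2
P, G = 2 * Q + 1, 4                    # 4 is a square in Z_p^*, so it generates the order-q subgroup

def H(*parts):
    """H: {0,1}* -> Z_q^*; '||' is modelled as length-prefixed concatenation."""
    h = hashlib.sha256()
    for part in parts:
        b = repr(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q or 1

def keygen(w, u, rng):
    r = rng.randrange(1, Q)
    R = pow(G, r, P)
    return R, (r + w * H(R, u)) % Q                    # PKG's private key (R_j, s_j) for u

def sign(key, rng, *msg):
    R, s = key
    y = rng.randrange(1, Q)
    Y = pow(G, y, P)
    return R, Y, (y + H(Y, R, *msg) * s) % Q          # signature (R, Y, z)

def verify(W, u, sig, *msg):
    R, Y, z = sig
    pub = R * pow(W, H(R, u), P) % P                   # equals g^{s_j}, from public data only
    return pow(G, z, P) == Y * pow(pub, H(Y, R, *msg), P) % P

def aggregate_verify(W, sigs, *msg):
    """sigs: {u_l: (R_l, Y_l, z_l)}; one g-exponentiation and one comparison for the group."""
    z_sum, rhs = 0, 1
    for u, (R, Y, z) in sigs.items():
        pub = R * pow(W, H(R, u), P) % P
        z_sum = (z_sum + z) % Q
        rhs = rhs * Y % P * pow(pub, H(Y, R, *msg), P) % P
    return pow(G, z_sum, P) == rhs

def session_poly(k, points):
    """Monic f(x) = k + prod (x - x_l) as low-to-high coefficients (a_{l_i} = 1); f(x_l) = k."""
    f = [1]
    for x in points:                                   # multiply f by (X - x)
        f = [((f[i - 1] if i else 0) - x * (f[i] if i < len(f) else 0)) % Q
             for i in range(len(f) + 1)]
    f[0] = (f[0] + k) % Q
    return f

def poly_eval(f, x):
    acc = 0
    for c in reversed(f):                              # Horner's rule mod q
        acc = (acc * x + c) % Q
    return acc

def run_protocol(n_sensors=3, rogue=False, seed=7):
    """One round for group S_1; rogue=True adds a sensor with a valid PKG key but a guessed t_i."""
    rng = random.Random(seed)
    W = pow(G, (w := rng.randrange(1, Q)), P)          # msk w, public parameter W = g^w
    key0 = keygen(w, "controller", rng)                # u_0
    sensors = {f"sensor{j}": keygen(w, f"sensor{j}", rng) for j in range(1, n_sensors + 1)}
    S_i, t_i = "S1", rng.randrange(1, Q)               # group registration of S_1
    group_key = dict.fromkeys(sensors, t_i)
    if rogue:                                          # never registered with S_1
        sensors["intruder"], group_key["intruder"] = keygen(w, "intruder", rng), rng.randrange(1, Q)
    v_i, k_i = rng.randrange(1, Q), rng.randrange(1, Q)   # fresh per request (replay resistance)
    m_i = session_poly(k_i, [H(u, v_i, t_i) for u in group_key if group_key[u] == t_i])
    req = sign(key0, rng, m_i, S_i)                    # h_i = H(Y_i||R_0||m_i||S_i)
    keys = {}
    for u in sensors:                                  # sensor verification
        if not verify(W, "controller", req, m_i, S_i):
            return False, False
        keys[u] = poly_eval(m_i, H(u, v_i, group_key[u]))   # equals k_i iff u_l holds t_i
    sigs = {u: sign(key, rng, H(keys[u]), S_i) for u, key in sensors.items()}   # H(Y_l||R_l||H(k_i)||S_i)
    accepted = aggregate_verify(W, sigs, H(k_i), S_i)  # controller hashes its own k_i
    return accepted, all(k == k_i for k in keys.values())
```

`run_protocol()` returns whether the controller accepted the round and whether every sensor derived the controller's k_i; `run_protocol(rogue=True)` exercises the unregistered-sensor case.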

Security analysis
This section analyzes the security of the proposed scheme.
Theorem 2. The proposed scheme can ensure the authenticity of sensors during the authentication process. That is, the proposed scheme is $(\epsilon_1, t)$-secure in the sense of existential unforgeability against adaptively chosen message attacks under the $(\epsilon_1', t')$-DLog assumption, where and $q_k$, $q_s$, $q_r$, $q_h$ are the numbers of key generation, signing, group registration, and hash queries that the adversary $A_1$ is allowed to make, respectively, and $e$ is the time for an exponentiation operation.
Proof. Suppose an adversary $A_1$ can forge a valid signature of an entity $u$. We construct an algorithm $B_1$ that solves the DLog problem using $A_1$. $B_1$ is given a cyclic group $G$ with generator $g$ and prime order $q$, and an element $A \in G$. The goal of $B_1$ is to find $a \in \mathbb{Z}_q$ such that $g^a = A$. The following proof of Theorem 2 follows the standard framework established in Liu et al.'s 35 scheme.
Initialization: $B_1$ selects a hash function $H : \{0,1\}^* \to \mathbb{Z}_q$. $B_1$ sets $W = A$, and sends the public parameter param $= (G, g, q, W, H)$ to $A_1$.
Key generation queries: When $A_1$ queries KeyGen for identity $u$, $B_1$ performs the following simulation. It first randomly selects $a, b \in \mathbb{Z}_q$, and then sets $R = W^a g^b$, $s = b$, and $H(R \| u) = -a$. $B_1$ sends $(R, s)$ to $A_1$ and stores $(R, s, H(R \| u), u)$ in the list $L_1$.
Group registration queries: When $A_1$ queries group registration for a group $S$, $B_1$ randomly selects $t \in \mathbb{Z}_q$ as the group key and returns it for the corresponding $S$.
Hash queries: We consider the following cases.
Queries 1: When $A_1$ issues a query on $H(u_l \| v_i \| t_i)$,
Signing queries: When $A_1$ requests the signature of a sensor $u_l$ in group $S_i$, $B_1$ first checks whether $u_l$ has been queried for the private key and for the group key of group $S_i$. If so, $B_1$ retrieves $(R, s, H(R \| u), u)$, $(u_l, v_i, t_i, h_x)$, $(k_i, h)$, and $(Y_l, R_l, H(k_i), S_i, h_l)$ from $L_1$, $L_2$, $L_3$, and $L_4$, respectively, and produces a signature $\sigma_1$ accordingly. If not, $B_1$ first invokes the key generation query, the group registration query, and the hash query, and then produces the signature.
Output: about message $m^*$ and identity $u^*$. Repeating, $A_1$ outputs another two valid signatures represent the different outputs of the hash queries.
Note that $z_j^* = y + h_i^{(j)} r + h_i^{(j)} w H(R^* \| u) \bmod q$ for $j = 1, 2, 3$, where $y$, $r$, $w$ are not known to $B_1$. Let $Y = g^y$, $R = g^r$, and $W = A = g^a$. Once the above three linear equations are solved, $B_1$ obtains the value of $a$, which solves the given DLog problem instance.
Reduction analysis: If the value $H(R \| u)$ assigned by the random oracle is inconsistent with that in $L_1$, then the simulation of the key generation queries fails, and the probability of this is at most $q_h / q$. Therefore, the simulation of a valid signature succeeds $q_k + q_s + q_r$ times with probability at least $(1 - q_h / q)^{q_k + q_s + q_r}$, and
$$\left(1 - \frac{q_h}{q}\right)^{q_k + q_s + q_r} \ge 1 - \frac{q_h (q_k + q_s + q_r)}{q}$$
In the hash queries, due to their ideal randomness, a hash query is always answered with probability $1 - (1/q)$. $B_1$ guesses that $H(u_l \| v_i \| t_i)$ matches $h_x$ in $L_2$ with probability $1/q_h$, that $H(k_i)$ matches $h$ in $L_3$ with probability $1/q_h$, and that $H(Y_l \| R_l \| H(k_i) \| S_i)$ matches $h_l$ in $L_4$ with probability $1/q_h$. Thus, the overall probability of success is
The time complexity of $B_1$ is determined by the key generation queries and the signing queries, which is
□
Theorem 3. The proposed scheme can ensure the authenticity of the controller during the authentication process. That is, the proposed scheme is $(\epsilon_2, t)$-secure in the sense of existential unforgeability against adaptively chosen message attacks under the $(\epsilon_2', t')$-DLog assumption, where and $q_k$, $q_s$, and $q_h$ are the numbers of key generation, signing, and hash queries that the adversary $A_2$ is allowed to make, respectively, and $e$ is the time for an exponentiation operation.
Proof. Suppose an adversary $A_2$ can forge a valid signature of an entity $u_0$. We construct an algorithm $B_2$ that solves the DLog problem using $A_2$. $B_2$ is given a cyclic group $G$ with generator $g$ and prime order $q$, and an element $A \in G$. The goal of $B_2$ is to find $a \in \mathbb{Z}_q$ such that $g^a = A$.
Initialization: This phase directly follows the Initialization of Theorem 2.
Key generation queries: This phase directly follows the Key generation queries of Theorem 2.
Hash queries: We consider the following cases.

Queries 1: When $A_2$ issues a query on
Queries 2: The hash queries here are consistent with the Queries 1 in Theorem 2.
Signing queries: When $A_2$ requests the signature of identity $u_0$ on message $m_i$ for communication with group $S_i$, $B_2$ first checks whether the private key of $u_0$ has been queried. If so, $B_2$ retrieves the stored tuples from $L_1$, $L_5$, and $L_2$, respectively, and generates the signature $\sigma_2$ accordingly. If not, $B_2$ first invokes the key generation query on $u_0$ and the hash queries, and then produces the signature.
Output: about message $m^*$ and identity $u_0^*$. Repeating, $A_2$ outputs another two valid signatures ($j = 1, 2, 3$) represent the different outputs of the hash queries.
Note that $z_j^* = y + h_i^{(j)} r_0 + h_i^{(j)} w H(R_0^* \| u_0) \bmod q$ for $j = 1, 2, 3$, where $y$, $r_0$, $w$ are not known to $B_2$. Let $Y = g^y$, $R_0 = g^{r_0}$, and $W = A = g^a$. Once the above three linear equations are solved, $B_2$ obtains the value of $a$, which solves the given DLog problem instance.
Reduction analysis: If the value $H(R_0 \| u_0)$ assigned by the random oracle is inconsistent with that in $L_1$, then the simulation of the key generation queries fails, and the probability of this is at most $q_h / q$. Therefore, the simulation of a valid signature succeeds $q_k + q_s$ times with probability at least $(1 - q_h / q)^{q_k + q_s}$, and
$$\left(1 - \frac{q_h}{q}\right)^{q_k + q_s} \ge 1 - \frac{q_h (q_k + q_s)}{q}$$
In the hash queries, due to their ideal randomness, a hash query is always answered with probability $1 - (1/q)$. $B_2$ guesses that $H(Y_i \| R_0 \| m_i \| S_i)$ matches $h_i$ in $L_5$ with probability $1/q_h$, and that $H(u_l \| v_i \| t_i)$ matches $h_x$ in $L_2$ with probability $1/q_h$. Thus, the overall probability of success is
The time complexity of $B_2$ is determined by the key generation queries and the signing queries, which is
□
Theorem 4. The proposed scheme can guarantee the confidentiality of the session key, that is, only the legitimate controller and the sensor nodes in the group can obtain the session key after authentication.
Proof. The session key $k_i$ of the scheme is selected by the controller and used to construct the polynomial $f_i(x)$. All sensor nodes in the group obtain the group key $t_i$ in the group registration phase, which is needed to recover $k_i$. To recover the session key $k_i$, a sensor node has to run the verification procedure to confirm the authenticity of the controller. If the authentication request sent by the legitimate controller is successfully verified by the sensor nodes in the group, they obtain the session key $k_i$ and then use it to communicate with the controller. The controller performs aggregate authentication once it has received all responses of the sensors. Only when this verification passes is $k_i$ used as the communication key. Thus, the privacy and security of the session key are guaranteed by the proposed scheme. □
Replay attack. In the authentication phase of the proposed scheme, the random numbers $(v_i, k_i)$ are reselected in every authentication request. Therefore, the proposed scheme can effectively resist replay attacks.
Forward security. In the proposed scheme, the session key is randomly selected. Thus, if an adversary obtains a session key, it is unable to deduce the session keys of previous stages. Therefore, the proposed scheme ensures forward security.
Table 1 shows the comparison of security properties. All schemes except SCSLS I 20 allow mutual authentication between sensors and the controller in the form of a group. The difference is that the controller in our scheme can perform aggregate authentication on all signatures of the sensor nodes in the group, which improves the efficiency of authentication, whereas the other authentication schemes do not support aggregate verification and require the members of the group to be authenticated one by one. Moreover, our scheme, Tan and Chung's 36 scheme and Huang et al.'s 37 scheme support distribution of the session key during authentication, while GDP 8 and SCSLS I 20 require symmetric encryption to obtain the group key after authentication and then establish the session key. Thus, GDP 8 and SCSLS I 20 do not enjoy high efficiency in session key generation.
Moreover, GDP 8 is vulnerable to replay and forgery attacks, SCSLS I 20 cannot resist replay attacks, and Tan and Chung's 36 scheme and Huang et al.'s 37 scheme cannot achieve forward security. It can be seen from Table 1 that the proposed scheme has more security functionalities than the existing schemes.

Efficiency analysis
This section compares the efficiency of the proposed scheme with existing ones in terms of computation costs at each stage. In Table 2, the exponentiation operation is represented as E, the hash operation as H, the bilinear pairing computation as B, and the number of sensor nodes participating in authentication as n.
As shown in Table 2, for the group authentication request generation phase, the computational complexity of our scheme, SCSLS I 20 and Huang et al.'s 37 scheme is determined by the number of sensor nodes in the group, while the complexity of GDP 8 and Tan and Chung's 36 scheme is independent of the number n. Note that the computational complexity of our scheme is higher than that of SCSLS I 20 and Huang et al.'s 37 scheme, since our scheme needs to construct a polynomial containing the session key. In the sensor verification phase, the computational complexity of GDP 8 is determined by the number of sensors in the group, which have to evaluate hashes. For the controller verification phase, the computational complexity of the existing schemes is determined by the number of sensor nodes. The proposed scheme requires (n + 2) and (n + 1) more exponentiation operations than GDP 8 and SCSLS I, 20 respectively, since our scheme performs strict authentication between the controller and the sensor nodes. Also, the proposed scheme requires (7n − 1) fewer exponentiation operations and (4n + 2) fewer hash operations than Tan and Chung's 36 scheme. Besides, Huang et al.'s 37 scheme requires n hash operations and 2n bilinear pairing operations. Note that in the group key generation phase there are no heavy computations in our scheme, since the group key has already been distributed to the sensors in the group registration phase, while SCSLS I 20 has to perform n exponentiation operations.

Communication cost analysis
This section compares the communication cost of the proposed scheme with related ones. 8,20,36,37 Suppose the length of random number, identity, time stamp, hash Table 3. It can be seen that the total communication cost of the proposed scheme is lower than that of the GDP 8 and SCSLS I 20 schemes. Although it is higher than that of Tan and Chung's 36 scheme and Huang et al.'s 37 scheme, our scheme is able to resist more types of attacks.

Experimental analysis
In this section, the code is implemented on top of the pairing-based cryptography library (PBC-0.5.14, https://crypto.stanford.edu/pbc/). The simulation is run on a virtual machine with 4 cores and 4 GB memory, a 64-bit Ubuntu 18.04 Linux operating system, and an Intel(R) Core(TM) i7-8550U CPU (1.80 GHz). Figure 3 compares the time required in each phase of mutual authentication between 100 sensor nodes and the controller. Elements of the cyclic group are 512 bits long, and the length of q is 160 bits.
As shown in Figure 3, Tan and Chung's 36 scheme takes less time than our scheme in the group authentication request generation and sensor verification phases. Our scheme needs to distribute the session key during authentication, while Tan and Chung's 36 scheme distributes the key after authentication. Moreover, in the controller verification phase, our scheme shows distinct advantages. Another outstanding feature is that Huang et al.'s 37 scheme needs more time in each stage than other schemes. Besides, SCSLS I 20 and our scheme have almost the same efficiency in the group authentication request generation and sensor verification phases, and our scheme is more efficient than SCSLS I 20 in the controller verification phase. Compared with GDP, 8 our scheme enjoys higher computational efficiency in all phases except sensor verification.
As shown in Figure 4, the mutual authentication performance is compared for group sizes of 25, 50, . . . , 200. When the number of sensors in a group is small, the existing schemes other than Huang et al.'s 37 scheme have almost the same computational efficiency in completing mutual authentication. When the number of nodes increases, the computational efficiency of our scheme is slightly better than that of SCSLS I. 20 In particular, both schemes show a linear growth of computation cost with a slow growth trend. Compared with GDP 8 and Tan and Chung's 36 scheme, the proposed scheme presents obvious advantages in performing the controller's aggregate verification to validate the authenticity of sensor nodes. Especially when the number of nodes increases, the time required for GDP 8 to complete authentication increases rapidly, which makes the efficiency of GDP 8 lower than that of our scheme. Therefore, the aggregate authentication mechanism within a group is more efficient than validation one by one. Due to the bilinear pairing operations involved, the mutual authentication of Huang et al.'s 37 scheme has low efficiency.
In the mutual authentication phase, after the controller receives the signature of all sensor nodes, it needs to verify the authenticity of their identities, so as to share the session key with sensor nodes in the group. When there are multiple sensor nodes, the efficiency comparison between aggregate verification and single verification is shown in Figure 5. It can be seen that for the same number of nodes, the time required for aggregate verification is less than that for single verification. Moreover, when the number of nodes increases, the time required for aggregate verification shows a better linear relationship with the number of nodes, and the growth rate of running time is slower than that for single verification.
From the above analysis, it can be seen that our scheme not only ensures the authenticity of each entity's identity in WBAN and the confidentiality of the session key during mutual authentication, but also enjoys higher computing efficiency than single verification. Compared with existing schemes, the proposed scheme has lower computation cost, lower communication cost, and higher authentication efficiency.

Conclusion
To address the problems of identity authentication and key distribution in WBAN with a large number of sensor nodes, this article proposed a group authentication and session key distribution scheme supporting aggregate authentication. The controller can verify the authenticity of all sensor nodes by aggregation, which improves the efficiency of mutual authentication between the controller and each sensor node. During mutual authentication, the session key is shared between the controller and the valid sensor nodes. Security analysis showed that, assuming the discrete logarithm problem is hard, the proposed scheme can resist impersonation attacks and guarantee the confidentiality of the session key. Theoretical performance analysis and experimental results indicated that, compared with existing schemes, our scheme has less computational overhead and higher authentication efficiency. As future research, we will study the efficient joining and leaving of sensor nodes without revealing any private information.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.