Table of Contents Author Guidelines Submit a Manuscript
Journal of Electrical and Computer Engineering
Volume 2016, Article ID 1905872, 14 pages
http://dx.doi.org/10.1155/2016/1905872
Research Article

Anticollusion Attack Noninteractive Security Hierarchical Key Agreement Scheme in WHMS

School of Electronic and Information Engineering, Beihang University, Beijing 100191, China

Received 16 February 2016; Accepted 4 May 2016

Academic Editor: Jit S. Mandeep

Copyright © 2016 Kefei Mao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Wireless Health Monitoring Systems (WHMS) have potential to change the way of health care and bring numbers of benefits to patients, physicians, hospitals, and society. However, there are crucial barriers not only to transmit the biometric information but also to protect the privacy and security of the patients’ information. The key agreement between two entities is an essential cryptography operation to clear the barriers. In particular, the noninteractive hierarchical key agreement scheme becomes an attractive direction in WHMS because each sensor node or gateway has limited resources and power. Recently, a noninteractive hierarchical key agreement scheme has been proposed by Kim for WHMS. However, we show that Kim’s cryptographic scheme is vulnerable to the collusion attack if the physicians can be corrupted. Obviously, it is a more practical security condition. Therefore, we proposed an improved key agreement scheme against the attack. Security proof, security analysis, and experimental results demonstrate that our proposed scheme gains enhanced security and more efficiency than Kim’s previous scheme while inheriting its qualities of one-round communication and security properties.

1. Introduction

Wireless Health Monitoring System (WHMS) is a dedicated network environment that supports the biometric information acquisition devices to gather people’s health data anytime and anywhere [1]. Moreover, WHMS is a typical example of using wireless technologies to reduce medical expense and improve social benefits, such as detecting the lonely stroke patients timely [2, 3]. Security and privacy are the major concerns in medical activities, and WHMS is not an exception [46]. To provide privacy and security assurances in WHMS, it is important to provide security services by using cryptographic algorithms. Thus, obtaining cryptographic keys is an essential operation to achieve the security goals in WHMS. There are several key agreement schemes that have been proposed for WHMS applications [5, 710].

The noninteractive scheme is becoming a very active direction in the sensors networks [1114] because sensor nodes have limited energy and processing and storage abilities. A noninteractive hierarchical key agreement scheme, called the Freshness-Preserving Noninteractive Hierarchical Key Agreement Protocol (FNKAP), was proposed by Kim [8] in 2014. The major advantages of the proposed scheme in Kim [8] go as follows. Firstly, there is only one-round communication to agree on a session key between two entities. Secondly, it is declared that the FNKAP achieves the patient anonymity and the session key confidentiality, and it can resist active and passive security attacks. However, we found that there is a flaw in the FNKAP when the physicians are not to be trusted. The scheme is not strong enough against the collusion attack where there are two adversaries who are a physician and a patient, separately. More precisely, in order to obtain a specific patient’s electronic medical data, the adversary can pretend to be sick and become the same physician’s patient with the victim in the real world. Then, the adversary bribes any other physician to get the private values of a physician. Finally, the adversary could calculate the session key and decrypts the victim’s electronic health data freely. Note that a physician can casually expose the private values because the disclosed values are untraceable in Kim’s scheme. As a result, this method of attack is reasonable and straightforward to implement.

The contributions of this paper are twofold. First, we illustrate that there is a weakness in FNKAP and introduce specific attack methods. Second, we propose an enhanced security hierarchical key agreement scheme with noninteracting for WHMS based on pairings. Security proof and analysis illustrate our scheme enhances security strength of FNKAP, and it can resist the collusion attack. Moreover, theoretical analysis results show that our scheme is more efficient than Kim’s work.

The rest of this paper is organized as follows. We formalize a basic system structure for WHMS in Section 2, and we also give the security model and define the adversary’s ability in the same section. We simply highlight Kim’s scheme [8] in Section 3. The weakness of Kim’s scheme is discussed in Section 4. We detail our enhanced security hierarchical key agreement scheme against the security attacks in Section 5. We present the analysis of our improvements regarding correctness and security in Section 6. We compare our scheme with Kim’s scheme in terms of functionality and performance in Section 7. Finally, this paper is concluded in Section 8.

2. Preliminaries

We first illustrate the basic system structure of WHMS in this section. Moreover, we introduce security threats, security model, bilinear group, and mathematic assumption, separately. Basic notations are provided in Notations section.

2.1. Basic Structure

As depicted in Figure 1, a typical hierarchical key agreement for WHMS involves five types of parties. They are, namely, the u-Health Server (), the physicians (), the patients (), the gateways (), and the sensor nodes (). There is a hierarchical permission structure from the u-Health Server to the physicians , , to the gateway , of patients and to the sensor node , of the gateway [7, 8].

Figure 1: Basic hierarchical key agreement structure in WHMS.

As the root authority, is responsible for managing the entities’ authorities in WHMS. produces the private keys of entities such as , , and . When wants to use WHMS, his/her and should agree on the session keys with the physician (), separately. Similarly, when wants to send a diagnostic report to , he/she should also agree on a session key with .

2.2. Security Threats

Kim assumes that the physicians are trusted in paper [8]. However, we point out that the scheme should take the risk of the physician’s corruption because it is more practical. In practice, not all physicians are trusted all the time. For example, as reported, the staff of a famous hospital sold the patient’s personal medical data in USA [7], and 500 patients’ medical information may have been compromised at a medical center in LA because an employee’s laptop was stolen [15].

Thus, we assume a security model in which the adversary has the following abilities. First, the adversary can totally control the channel. Therefore, the adversary can eavesdrop, intercept, modify, replay, or inject any data via the channel. Second, the adversary can compromise the secure information from the physicians except for the victim’s current physician. Third, the adversary can also compromise several sensor nodes and gateways except for the victim’s current and .

We aim to achieve the following security goals under the above security threats.

Key Agreement. Two entities establish a session key which is only known by specific entities.

Anonymity and Untraceability. The identities of and should be kept confidential from the adversary and cannot be traced by the adversary.

Resistance Passive and Active Attacks. The scheme is secure against the passive and active attacks.

2.3. Security Model

Inspired by the security model for a noninteractive hierarchical key agreement scheme [11] and the original Bellare-Rogaway key exchange model [16], the security model of our scheme is stated as follows.

Participants. We model the scheme participants as a finite set of fixed size with each being a Probabilistic Polynomial Time (PPT) turing machine. Each scheme participant may execute a polynomial number of protocol instances in parallel. We will refer to th instance of principal communicating with peer as .

Adversary Model. The adversary is modeled as a PPT Turing machine and can be given all public parameters of the system, and he/she can access the oracle by issuing some specified queries:(i). The adversary sends the message to the session executed by communicating with . Since our proposal is a noninteractive scheme, the query does not need to be responded to.(ii). The adversary names a node and obtains all the secret values held by the node. Neither of the patient’s gateway and sensor nodes named in the test query or any of their ancestors can be established.(iii). If the query is achieved, the system returns the session key to the adversary . The session between the target patient’s facilities (a gateway and sensor nodes) and the physician cannot be revealed.(iv). Only one query of this form is allowed for the adversary . The adversary names and and executes this query at any time. Then, a number is returned as follows. A bit is chosen at random in . If then the adversary gets the secret key shared between the two nodes, and if it gets a key chosen at random from the set of all possible shared keys.

Definition 1 (HKA-security). As a function of the security parameter , we define the advantage of the PPT adversary in an attacking scheme as

Here, is the probability that the adversary queries and outputs a bit such that is used by the test query. We call a hierarchical key agreement scheme to be HKA secure if for any PPT adversary the function is negligible.

2.4. Bilinear Groups

Definition 2 (bilinear map). is an additive cyclic group of prime order and is a multiplicative cyclic group of prime order . The bilinear pairing is a map with the following properties [17].

Bilinearity. For all and , we have .

Nondegeneracy. The map does not send all pairs in to the identity in .

Computability. There exists an efficient algorithm to compute for all .

2.5. Mathematic Assumption

The mathematic assumptions used in the paper are listed as follows.

Definition 3 (Elliptic Curve Discrete Logarithm Problem, ECDL problem). Suppose is an elliptic curve over a finite field . Given to find the , is believed to be hard [18].

Definition 4 (Bilinear Diffie-Hellman Problem, BDH problem). BDH problem is defined as follows. There is a bilinear map . Given for , to compute the is believed to be hard [17].

Definition 5 (Decisional Bilinear Diffie-Hellman Problem, DBDH problem). DBDH problem is defined as follows. There is a bilinear map . Given for , to differentiate the and is believed to be hard [17].

2.6. Notations

To provide a quick reference, the basic notations used in the paper are listed in Notations section.

3. Review of the Kim’s Scheme

In this section, we briefly review Kim’s key agreement scheme [8], which consists of three phases: System Initialization Phase, Physician and Patient Registration Phase, and Noninteractive Key Agreement and Secure Communication Phase.

3.1. System Initialization Phase

generates two groups and of prime order with a bilinear map . Also, it chooses a cryptographic hash function . After that, picks four random numbers as the master private keys. Then, computes an amplified identity and a public key . Finally, keeps the master private keys and the amplified identity, securely.

3.2. Physician and Patient Registration Phase

Before providing service, the patient and his/her physician must register in . Here, the statement denotes that receives a message from via a secure channel. The Physician and Patient Registration Phase is basically shown in Figure 2.

Figure 2: Physician and patient registration phase in Kim’s paper [8].

Step R1 (). When a physician wants to be a legal e-medical physician, he/she sends his/her identity to via a secure channel. Then, validates the identity . If the solution is positive, sends . Here, . Finally, stores the received information, securely.

Step R2 ( and ). When a patient of wants to use the service in the WHMS, he/she should register his/her gateway and sensor nodes , in . validates the identity submitted by . If the solution is positive, receives the gateway’s identity and the sensor nodes’ identity , . Then, sends and to them via a secure channel. Here, and as follows:

Finally, and store their received information, securely.

3.3. Noninteractive Key Agreement and Secure Communication

In this phase, the sensor node and the gateway of the patient and the physician agree on a fresh session key for establishing a secure communication channel. Here, the statement denotes that receives a message from via a unsecure channel. The Noninteractive Key Agreement and Secure Communication is basically shown in Figure 3.

Figure 3: Noninteractive key agreement and secure communication in Kim’s paper [8].

Step K1 (). chooses a random number and computes . The fresh session key is computed as follows:Then, computes and , where is the data collected by .

Step K2. When is authenticated by , he/she can check the data of the patient . computes the fresh session key as follows:Then, computes . Only if is equal to does assure the correctness of . Then, decrypts to get by using the key .

Step K3 (). When wants to send the electronic health report to , he/she chooses a random number and computes . computes the fresh session key as follows:In addition, computes and . Here, is the electronic health report composed by .

Step K4. When is authenticated by , he/she can receive the report of the patient from . computes the fresh session key as follows:Then, computes . Only if is equal to does assure the correctness of . Then, decrypts to get by using the key .

4. Security Analysis of Kim’s Scheme

The author of [8] proposed a noninteractive key agreement scheme for freshness-preserving in WHMS. Under our security model, there is a weakness in the scheme as explained in the following section.

4.1. Security against Collusion Attack

We now demonstrate that Kim’s scheme is vulnerable to the collusion attack as claimed. One adversary has registered as a legal physician , and the other adversary has registered as a normal patient , as shown in Figure 4. The adversaries can obtain the electronic health data of any patient who is diagnosed by the same physician with the adversary . The adversaries attack a patient as follows.

Figure 4: Security against collusion attack.

Step A1. Assume that is an attacker who has registered as a physician in , and then he/she can legally receive a private key set from (Step R1). Then, sends a part of private key set to .

Step A2. is an adversary who has registered as a patient of the physician . He/she can legally receive a secure data set and a private key set of his/her gateway from (Step R2).

Step A3. Suppose is a victim ’s smart node that sends information through the gateway . is diagnosed by the same physician with . When runs the Step K1, an adversary can intercept the data because the communications are unsecure between and .

Step A4. When sends the electronic health report to at the Step K3, an adversary can intercept data because the communications are also unsecure between and .

Step A5. can compute the session key after the above steps. receives from at Step A1. Then, he/she gets and at Step A2. Moreover, the information and is intercepted at Steps A3 and A4, separately. Therefore, can compute the same session keys and as follows:

Step A6. decrypts and to obtain the victim’s medical information using the session keys and , respectively.

5. Our Proposed Scheme

In this section, we propose an improved scheme that can overcome the flaw of Kim’s scheme in Section 4. Our scheme construction is inspired by the practical noninteractive key distribution scheme in [12] and Kim’s paper [8]. Our scheme consists of four operational phases: Setup Phase, Key Generation Phase, Key Agreement from to Phase, and Key Agreement from to Phase. The details of our scheme are described as follows.

5.1. Setup Phase

In this phase, the u-Health Server , as the Private Key Generator (PKG), takes as inputs a security parameter and the maximal number of the physicians . Then, outputs the system public parameters and the master private key sets . publishes and keeps private.

Similar to the identity-based cryptography scheme, generates two groups and of prime order with a bilinear map . However, it chooses three cryptographic hash functions , , and . After that, generates random numbers and selects a random generator . Finally, keeps the master key secret and publishes , . Here, is used to verify the correctness of the secret key sets.

It is important to note that although our proposal increase the storage space because of the values , there is a one-to-one mapping between a physician and a value . In addition, the list of physicians must be stored in . Thus, we can use the mapping to reduce the storage space. For instance, gets the list of the registration physicians. Then, chooses a secret hash function and a random value . Finally, can compute the times hash function to get the secret value . In this way, only needs to store the selected hash function and initial value , secretly. On one hand, the proposal can save the storage resources by using the hash function. On the other hand, it increases the consumption of the computing resources. In order to balance the computing cost and the storage space, can store not only the initial value , but also some intermediate random values . We introduce the scheme by using the secret values , to help the analysis.

5.2. Key Generation Phase

In this phase, takes the identity as an input and outputs a secret key set . Moreover, takes his/her secret key set and the identities and as inputs and outputs two secret key sets and , separately.

Step 1. A physician , submits his/her identity to for registration. If the identity of is validated, Then, computes , , and a private key set of , as follows:In addition, packs a data package containing a private key set and two amplified identities and delivers the data package to via a secure channel. Here, the secure channel could be a smart card passed by a trusted person. Finally, keeps the received information, securely.

Step 2. When a patient goes to see a doctor in a real clinic, they decide to use the WHMS to monitor his/her health directed by a physician . The patient submits his/her identity and the identity of gateway and sensor nodes to for registration. If the patients’ identity is validated, generates a random value and computes the amplified identities and . computes the private key sets of and as follows:Next, packs a data package containing a private key set and three amplified identities and delivers the data package to via a secure channel. Furthermore, packs a data package containing a private key set and delivers it to via a secure channel. Finally, and store their received information in a secure area, respectively.

5.3. Key Agreement from SN to PH Phase

In this phase, a sensor node of the patient makes a connection with the physician . The sensor node and the physician achieve a key agreement.

Step 1. When a sensor node wants to upload the patient’s medical data, chooses a random number and computes using its amplified identity . The session key is calculated as follows:Then, computes and . Here, is the data collected by and is a current timestamp. Finally, sends a message package to .

Step 2. After receiving the data package , verifies the timestamp whether it is within the valid time for communication. If it is invalid, the key agreement terminates. Otherwise, it can assure the package by judging as follows:Only if is equal to included in does assure the source of package from a sensor node and send a notice to . Finally, store the package in its database.

Step 3. When is authenticated by , he/she can check the data of a sensor node . computes the fresh session key as follows:In addition, computes by using the information of . Only if is equal to does assure the correctness of and decrypt to get by using the key .

5.4. Key Agreement from PH to GW Phase

In this phase, the physician makes a connection with a patient’s gateway , and they agree on a fresh session key for communication.

Step 1. When wants to communicate with such as sending the electronic health report, he/she chooses a random number and computes . computes the fresh session key as follows:In addition, computes and . Here, is the electronic health report composed by , and is a current timestamp. Finally, sends a message package to .

Step 2. After receiving the data package , checks the validity of the timestamp . If it has grown stale, quits the session. Otherwise, can assure the package by judging as follows:Only if is equal to included in does assure the source of package from a physician and send a notice to . Finally, stores the package in its database.

Step 3. When is authenticated by , he/she can get the report of the patient from . computes the fresh session key as follows:Then, computes . Only if is equal to does assure the correctness of and decrypt to get by using the key .

6. Correctness and Security

In this section, we present the correctness of our improved scheme. Then, we illustrate that our enhanced key agreement scheme can overcome the two security weaknesses of security analysis of FNKAP by security analysis.

6.1. Correctness

We verify the correctness of key agreement in our scheme as follows:

Thus, the agreed session keys , , and computed by , , and are equal. The same as above, we prove that is equal to because is equal to and :

6.2. Security Proof

In the following, we will show that our scheme is provably secure under DBDH assumption in the random oracle model. We treat , , and as three random oracles.

Theorem 6. Let and be two groups of order and be a bilinear mapping that together satisfy the DBDH assumption. Let the hash functions , , and used in the scheme be modeled as the random oracles. Suppose that the DBDH assumption holds; the proposed scheme is a secure key agreement in our security model.

Proof. Suppose an adversary is an attack algorithm that breaks our scheme in the probability ; we will show how to use the ability of to build an algorithm that solves the DBDH assumption with probability of at least . Thus, ’s advantage must be negligible because the DBDH assumption holds.

We refer to as “the simulator” because it simulates a real attacking environment for . is initialized with the DBDH parameters and the points , , and . The idea of the proof is that will embed the DBDH problem into the queries issued by . Since the hash function is modeled as random oracle, after the adversary issues the test query, it has only two unneglected cases to distinguish the tested session key or from a random string.

Case 1 (key-replication attack). The adversary forces a nonmatching session to have the same session key with the . In this case, the adversary can get the session key by querying the nonmatching session. However, the input of hash function includes the entities’ identities and the random nonce. Furthermore, they and a timestamp are integrally protected by . For example, in Step 1, the session key includes the identities and and the random nonce . The certification value includes them and the timestamp . Therefore, two nonmatching sessions cannot have the same values and when and are modeled as a random oracle, the success probability of key-replication attack is negligible.

Case 2 (forging attack). The adversary queries on the value or in the test query. Obviously, in this case the adversary can compute the value or by itself.

In the following, we mainly analyze the Case 2 forging attack. A simulator is interested in using the to turn ’s advantage in distinguishing the tested session key from a random string into an advantage in solving the DBDH problem. During the game, has to answer all queries of the .

Setup. simulates the Setup algorithm as follows. starts by choosing security and public parameters for our scheme using its input DBDH parameters and . also chooses a random master key set from , as the PKG would do. Using these keys, sets the random generator , and then ’s public parameters are . invokes the adversary , providing it with the public parameters . Note that the DBDH parameters have been embedded in the game and the simulator has no idea about the value . With the probability at least , guesses the adversary will select one patient and his/her physician . With the probability at least , guesses the adversary will select the session as test session.

Queries. When the adversary makes his/her queries, the simulator answers the queries in arbitrary order as follows. Note that , , and are the guessed victims physician and devices.

. In order to enhance simulation’s fidelity, maintains an initially empty list of tuples . When queries the oracle as an input , responds to the query in the following way.(i) checks the list ; if and are already there, then responds with stored value .(ii)Otherwise, if and , randomly chooses , and it computes . Then, it inserts into the . Finally, it responds with .(iii)Otherwise, if , randomly chooses and computes the value . Then, it inserts into the . Here, . Finally, it responds with .(iv)Otherwise, if , randomly chooses and computes the value . Then, it inserts into the . Here, . Finally, it responds with .(v)Otherwise, randomly chooses , computes , and inserts in the list. Finally, it responds with .

. The simulator maintains an initially empty list with entries of the form . When queries the oracle as a input , the simulator responds to the query in the following way.(i) checks the list ; if is already there, responds with the value .(ii)Otherwise, randomly chooses and sends back the value to . Finally, stores the new tuple in the list .

. The simulator maintains an initially empty list with entries of the form . The simulator responds to these queries in the following ways.(i) checks the list ; if is already there, responds with the value .(ii)Otherwise, randomly chooses and sends back to . Finally, stores the new tuple in the list .

. When receiving this query, responds to the query in the following way.(i)If is the target physician or the target patient’s gateway or sensor nodes, aborts the game.(ii)Otherwise, if is a physician , looks in for the entries and . Then, returns .(iii)Otherwise, if is a patient’s , looks in for the entries , , and . Then, returns .(iv)Otherwise, if is a physician , the simulator looks in for the entries , , , and . Then, returns .

. Since the and are the random oracles, the adversary cannot change the communication message. the simulator needs only to store the values according to the scheme. Moreover, the parameters are included in the data , which can be found in the lists and .

. maintains a list with tuples of the form . The simulator responds to the query in the following way.(i)If and are the target physician and the target patient’s gateway or sensor nodes, aborts the game.(ii)Otherwise, if is a target physician and is not target patients’ facilities, proceeds in the following way to respond:(a)If is an identity of gateway, computes . Then, finds the value from and returns as the response.(b)Otherwise should be an identity of sensor node; the simulator computes . Then, finds the value from and returns as the response.(iii)Otherwise, if is another physician and is his/her patients facilities, proceeds in the following way to respond:(a)If is an identity of gateway, computes . Then, finds the value from and returns as the response.(b)Otherwise should be an identity of sensor node; computes . Then, finds the value from and returns as the response.

. issues a test query. Suppose the identity tuple of the first node is and the second target node is or .(i)If and do not belong to our guessed victims and , aborts the game.(ii) Otherwise, queries , , , and .(a)If , computes .(b)Otherwise, computes . looks in the list and returns the value or to the adversary .

The test query is answered by with its DBDH input or . Consider the following two cases:(i)If , since in the DBDH instance, thenThus, the response by corresponds to the real values and .(ii)If , since is random, then the response by to the test query of is a random element in .

If the adversary succeeds in getting the session key or , it shall distinguish between the value or and a random value; then, it outputs the correct bit or . can give the correct answer to the DBDH problem by using ’s output.

The success probability of isHere, is the probability that the adversary succeeds in launching the attack. is the polynomial bound on the number of the adversary ’s queries.

If the adversary succeeds with nonnegligible probability to attack our scheme, we can also solve the DBDH problem with a nonnegligible probability. Thus, our scheme is based on the DBDH problem.

6.3. Security Analysis

In the following, we will directly analyze how our proposed scheme achieves entity anonymity and untraceability and resists collusion attack and whether the security requirements have been satisfied.

Proposition 7. The proposed scheme can resist the replay attack.

Proof. It should be noted that our proposed scheme inherits the structure of FNKAP. We also use the random numbers and to achieve the freshness key agreement. The adversary cannot compute the , from and because of the difficulty of the ECDL problem. Moreover, the proposed scheme can efficiently resist the replay attack by considering the following scenarios. An adversary cannot replay the data package to cheat and . During the Key Agreement from SN to PH Phase, when receives a data package , it verifies the timestamp with the current time. If the data package is a replay attack, will detect it. Moreover, if the adversary changes the timestamp in , will find the behavior by checking the equation because it cannot obtain the session key . An adversary cannot replay the data package to cheat and . Similar to the above, an adversary cannot replay the data package to cheat and . During the key agreement from PH to GW Phase, when receives a data package , it verifies the timestamp with the current time. If the data package is a replay attack, then will detect it. Moreover, if the adversary changes the timestamp in , will find the behavior by checking the equation because it cannot know the session key .

Proposition 8. The proposed scheme can provide basic forward secrecy.

Proof. To establish session key between SN and PH, and use various for each session. Thus, the current session key is disclosed, and an adversary cannot obtain the information about . In other words, the adversary cannot get more opportunities to guess previous key than before, even if he/she knows the current key . Similarly, because is equal to , the adversary cannot gain any benefits to guess previous key between PH and GW compared to before, even if he/she knows the current key . Thus, our proposal can provide basic forward secrecy.

Proposition 9. The proposed scheme can prevent fraud attack.

Proof. Our proposal provides mutual authentication between and or and . The proposed scheme can prevent fraud attack by considering the following scenarios. An adversary cannot impersonate to cheat . can authenticate by verifying in Step 3. Since the adversary cannot obtain or , he/she cannot compute , , or . Thus, the adversary cannot get and , sequentially. Thus, the adversary cannot generate the valid verifier to . An adversary cannot impersonate to cheat . Similar to the above, can authenticate by verifying in Step 3. Since the adversary cannot obtain or , he/she cannot compute , , or . Thus, the adversary cannot get and , sequentially. Thus, the adversary cannot generate the valid verifier to .

Proposition 10. The proposed scheme can provide entity anonymity and untraceability.

Proof. In the proposed scheme, the adversary can obtain the amplified identities , , , and instead of , , , and in Steps K1 and K3. Here, and are big random numbers in . Therefore, the adversary cannot verify whether the guessed identity is correct or incorrect by testing all possible identities without the secret and . For example, to guess , the adversary should input the guess values of and at the same time. Suppose the identity is composed of bits; it is infeasible for adversary to launch an exhausted search for possible solutions. Here, is the group order of , and it is a big random number. In particular, if the physicians reregister on a period, would be fresh regularly. Thus, this risk of corruption will be lower to . Moreover, is also a big random number in , and each patient has a different value. Even if it is the same patient, there are different values on the various diagnoses. Based on the similar reason, the adversary cannot know the identities of and