Abstract
Wireless medical sensor networks (WMSNs) enable continuous patient monitoring by transmitting sensitive physiological data over open wireless links. Given the resource-constrained nature and large-scale deployment of such networks, authentication mechanisms must be both lightweight and privacy-preserving. Moreover, due to the frequent turnover of patients and devices in hospital environments, timely member revocation is crucial to prevent discharged or compromised entities from injecting forged reports that could mislead medical diagnosis. Although existing pairing-free certificateless aggregate authentication schemes are efficient, they often suffer from critical security and privacy vulnerabilities. Recently, an efficient certificateless authentication scheme with revocation has been proposed. However, our analysis reveals that the scheme has the following security vulnerabilities: (i) member witnesses can be recovered from public information, (ii) revocation checks can be bypassed via an identity grafting attack, and (iii) user identities can be linked due to the long-term use of static pseudonyms. To address these issues, we propose a security-enhanced certificateless aggregate authentication protocol with revocation for WMSNs. Our design enforces strong identity-membership binding to resist grafting attacks, employs a non-interactive zero-knowledge membership proof to preserve witness secrecy, and adopts dynamic pseudonym rotation to achieve unlinkability. We provide formal security proofs and comprehensive performance comparisons. The results indicate that, at the same security level, our protocol achieves more efficient signature verification while maintaining communication overhead comparable to existing schemes. In addition, the overhead introduced by our revocation mechanism remains constant, making it well suited for large-scale WMSN deployments with frequent membership changes.