Personal health records sharing scheme based on attribute based signcryption with data integrity verifiable

Abstract

The distribution of personal health records (PHRs) via a cloud server is a promising platform as it reduces the cost of data maintenance. Nevertheless, the cloud server is semi-trusted and can expose the patients’ PHRs to unauthorized third parties for financial gains or compromise the query result. Therefore, ensuring the integrity of the query results and privacy of PHRs as well as realizing fine-grained access control are critical key issues when PHRs are shared via cloud computing. Hence, we propose new personal health records sharing scheme with verifiable data integrity based on B+ tree data structure and attribute-based signcryption scheme to achieve data privacy, query result integrity, unforgeability, blind keyword search, and fine-grained access control.

Keywords

Attribute based signcryption signcrypt unsigncrypt personal health records keyword search B+ tree

1. Introduction

With the recent advancement in computing technology, patients are increasingly getting personal health records (PHRs) via wearable body sensors, diagnosis of diseases, treatments, etc. PHRs are the collection of health information that helps a patient to monitor and track his or her health status [44]. PHRs may consist of information about allergies, immunizations, illnesses, surgeries, body vital signs such as glucose level, heartbeat rhythm, and results of physical exams and screenings. The PHRs can save the patient’s time and money by avoiding unnecessary repetition of medical tests and providing an up-to-date, accurate, and full medical history for efficient patient diagnosis and treatment. The PHRs are also valuable resources that can positively transform the health sector, but if they are not shared with health research organizations, the full positive impact of them cannot be realized. Shared PHRs can boost the health sector through their usage in training machine learning algorithms, early detection of disease outbreaks, disease prevention, etc.

Fig. 1.

Health data sharing scenario.

For example, even a fairly healthy person (patient) may require the services of a primary care physician for overall health, an optometrist for eyeglasses, a cardiologist for a minor heart murmur, a podiatrist for a fractured arm condition, and a dentist for dental care. All other specialists require basic information collected by the primary care physician, such as vital signs. The podiatrist and dentist would also like to know about the medical prescription of the cardiologist since heart diseases could cause arm or dental health issues. So, patients who share their personal health records (PHRs) with their physicians can greatly benefit in terms of disease diagnosis and medication prescriptions. As shown in Fig. 1, a patient (data owner $D O$ ) can share personal health records (PHRs) data with the health entities: primary care physician, optometrist, cardiologist, podiatrist and researcher through the cloud server ( $C S$ ). With the cloud-based data-sharing model, the patient can enjoy benefits such as minimal storage cost and 24-hour data availability on the internet. Notwithstanding these enormous benefits, security and privacy remain significant challenges in cloud computing [4,36,45,50]. A snapshot of issues that a data owner encounters when implementing cloud-based PHRs data sharing are:

Ensuring that only authorized users have access to sensitive PHR data.

Providing fine-grained access control to the PHRs data among multi-users with a different scope of access privileges.

Preventing the forgery of PHRs data saved on the cloud server.

Performing a secure search on the encrypted PHRs data without leaking search keywords.

Performing remote verifiable PHRs database updates.

Guaranteeing the integrity of the query result (i.e., completeness, freshness, and correctness).

The leading cause of the issues mentioned above is that the data owner loses control of his/her data stored on the cloud. So, if a PHR falls into the wrong hands, it can be misused, falsified, and publicly disclosed, thereby putting the data owner’s identity at risk. A study in [36] shows high exploitation of PHRs for many reasons, including identity thefts and financial data crimes. Therefore, ensuring a secure querying on encrypted data, integrity of the query results and privacy of PHRs as well as realizing fine-grained access control are critical key issues when PHRs are shared via cloud computing.

Recent research works [23,39,43,49] on cloud-based PHRs sharing focus on fine-grained access control, data searchability, authenticity, and privacy; but do not consider query results integrity and remote verifiable database update. In practice, it is prudent to design a scheme that simultaneously tackles the issues to . Nevertheless, to the best of the authors’ knowledge, there are no PHRs schemes that concurrently address all the issues outlined above. Consequently, we proposed a new PHRs sharing scheme based on attribute-based signcryption and B+ tree to simultaneously addresses all the issues listed above. Our proposed scheme provides unforgeability of ciphertext, fine-grained access control, the integrity of query results, encrypted data retrieval, and verifiable remote database modification. In summary, our contributions are:

We construct an attribute-based signcryption scheme to facilitate the secure exchange of PHRs through a cloud server. Our scheme ensures fine-grained access control and public verifiability of the integrity of the PHRs.

We adopt an encrypted B+ tree with embedded Merkel-like digest in each node of the B+ tree to efficiently retrieve data from the cloud server, perform remote verifiable PHRs database update and verify the query result integrity respective to the correctness, freshness, and completeness.

We design a search mechanism to enable blind search on the B+ tree without revealing the content of the search key and the query key (keyword). The proposed search mechanism supports exact query and range query on the B+ tree.

We also compared our proposed construction with the existing ABSC schemes concerning storage and computation cost. The results from our analysis demonstrate that our scheme has better performance than others.

1.1. Paper organization

Section 2 provides a review of related works on PHRs data security, searching on encrypted data, and verification of the integrity of query the result. The important concepts and theories applied in our work are presented in Section 3. In Section 4, the detailed design of the proposed scheme is presented. Section 5 presents the security proof of the ABSC scheme. Section 6 shows the performance analysis of the proposed PHRs sharing scheme. Finally, Section 7 presents the conclusion of our work.

2. Related works

This section briefly reviews the relevant research on PHRs data security, searching on encrypted data, and verifying the integrity of query results.

2.1. PHRs data security

To prevent unauthorized access and exposure of PHR data, the PHRs must first be encrypted offline before being outsourced to the cloud. While traditional encryption schemes [11,16,27,40] or identity based encryption (IBE) schemes [7–9,25] can ensure confidentiality of PHRs, they are limited to “one-to-one” mapping, which implies that only a single user can access the data. The flexibility and efficiency are limited. Additionally, these schemes are not desirable in the context of sharing PHRs as they require the $D O$ to know the identity of every data user in advance. However, in sharing PHRs data that involves numerous data users, this may not be possible. Even if the $D O$ knows all the identities of the data users, the $D O$ has to share either the same decryption keys or the PHRs data has to be stored in multiple instances encrypted with different keys. Both of these options are inappropriate. Attribute-based encryption (ABE) is deemed perfect for the cloud-based sharing of PHRs due to the less key overhead computation and storage. ABE provides ‘one-to-many’ mapping, which implies that a message is encrypted under either attribute set or access structure and multiple users can decrypt it based on their granted privileges or attributes [37] instead of identities.

Since the introduction of the concept of ABE by Sahai and Waters [37], many ABE schemes [17,29,46,51] have been designed for cloud-based sharing of data. ABE scheme comes with two flavors: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In KP-ABE, access policies are associated with private keys, and ciphertexts are associated with attribute sets. A CP-ABE is a dual variant of KP-ABE for which an attribute set is assigned to a private key while an access policy is associated with a ciphertext. However, the ABE schemes only ensure data confidentiality and cannot prevent the forgery of a ciphertext.

Digital signature and encryption can provide data authenticity and confidentiality, respectively. To obtain the advantages of using these two mechanisms at the same time, the traditional method is “encrypt-then-sign” or “sign-then-encrypt”. To minimize the total computation overhead and communication cost associated with these two approaches, Zheng [57] presented a new cryptographic primitive called signcryption. Signcryption provides a mechanism to simultaneously sign and encrypt a message in parallel with a minimal computation overhead and communication cost. For instance, Zheng [57] applied signcryption approach on “Schnorr signature + ElGamal encryption” to saves two modular exponentiations, which yields a significant reduction in computation cost. Subsequently, Gagńe et al. [13] presented the first attribute-based signcryption (ABSC). The ABSC scheme simultaneously combines attribute-based encryption and attribute-based signature schemes, providing many useful security properties such as unforgeability, confidentiality, signer’s privacy, and fine-grained access control of the encrypted message. It also has less computational overhead and storage cost when compared with the traditional encryption-after-sign scheme [54].

Since the creation of ABSC, several sharing schemes based on cloud computing have been proposed. Liu et al. [21] proposed a ciphertext-policy ABSC (CP-ABSC) scheme to secure medical data and claimed that their scheme guarantees data confidentiality, authenticity, unforgeability, and anonymity. Unfortunately, Rao [33] demonstrated that [21] does not attain data confidentiality and public verification of the authenticity of a ciphertext. Au et al. [3] presented a general scheme for secure sharing of PHR, and the scheme ensures that a doctor can provide their patients’ health records to specialists for research purposes. Liu et al. [22] proposed a secure online/offline attribute-based signature scheme for sharing Mobile Health Records. Though many attribute-based signcryption schemes [23,34,35,48] have been proposed, they have high computation and communication cost. Particularly, ciphertext size and computation cost associated with message unsigncryption depend linearly on the number of attributes under which a message was signcrypted. This will limit the application of CP-ABSC in cloud computing if the number of attributes is too large and the length of ciphertext is too long. Hence, we construct a new CP-ABSC scheme with a constant ciphertext size and a constant value of bilinear pairing operation that reduces the computation cost and communication overhead.

2.2. Searching on encrypted data

Encryption is an efficient technique for securing sensitive data. But, the performance of querying on a database degrades when the data is stored as ciphertext. Searchable encryption is a technique that enables a user to publish a symmetrically encrypted dataset to an untrusted server and later perform a keyword search on the encrypted dataset without exposing the content of the encrypted dataset and search information. Song et al. [41] presented the first searchable symmetric encryption scheme that enables the $C S$ to search on a ciphertext with a given keyword. The $C S$ gains no information about the search keywords and search results’ plaintext. We emphasize that searchable encryption alone does not satisfy our requirement since none of the existing searchable encryption schemes supports logarithmic-complexity range query search. Order-preserving encryption (OPE) schemes that support range queries and aggregate queries over ciphertext without decryption were presented by Agrawal [1], GE [15] and Sun [42]. However, OPE has trouble managing duplicate values and often assumes the plaintext domain distribution is static, and this distribution has to be known in advance by the encryption function, which is not always feasible with dynamic data. Recently, authors in [23] proposed a searchable attribute-based signcryption scheme for electronic personal health records. While the scheme supports fine-grained access control, data searchability, data authenticity, and data privacy, one unfortunate drawback of the ABE-based searchable encryption scheme is that attributes cannot be hidden for the messages matched by the search token. This is undesirable in the cloud-based data sharing scenario. Boneh and Waters [9] addressed this problem by proposing a public-key based on a hidden vector encryption scheme that hides attributes for messages that match a query. Blundo, et al. [6] developed a private-key version of hidden vector encryption and demonstrated that it guarantees security for key patterns. As shown in the studies of [24], this method has high computation costs, especially those involving bilinear pairing. Yanbin [24] proposed efficient searchable encryption based on B+ tree and binary tree. However, the scheme requires that the data owner is always available online to approve range query, extract a search token, and a decryption key for the queried range formed by the data users.

The searchable encryption scheme, which supports range queries with operators like “=, <, >, ⩽, ⩾, ≠” is powerful and allows the result to be filtered precisely according to the condition of a user’s query keyword, e.g. Select * from record R where Age > 18. This work develops a searchable mechanism based on a B+ tree to replicate both exact and range queries search capabilities of plaintexts on encrypted messages. The mechanism enables blind search on the encrypted B+ tree without revealing the content of the B+ tree and the query keywords to the $C S$ . Hence, the privacy of query keywords is ensured. Moreover, with our mechanism, the data users do not have to directly contact the data owner before they can form a valid range query.

2.3. Verification of integrity of the query result

Another critical issue is how to verify the integrity (i.e. completeness, freshness, and correctness) of the query result returned by the $C S$ . Incorrect or incomplete query results can mislead health workers to make erroneous decisions that can endanger the lives of patients or others. Therefore, end-users need to be assured that the query results produced by the $C S$ are the same results that the data owner would have given them. For example, with a given range query like Select * from record R where blood-pressure ⩾ 120/80, the ABSC scheme can ensure the soundness of the query result (i.e. the result tuples are not tampered with and that no superfluous tuples are introduced). However, it cannot determine the query result’s correctness, i.e. the result tuples are accurate under the user query conditions, completeness, i.e. any data object that meets the query requirements in the original database is included in the tuple results, and freshness, i.e. the result tuples are based on the most current version of database [18,28].

To address the query results’ integrity issue, several verifiable query processing techniques have been proposed (e.g., [19,31]). There are mainly two approaches to validating query results’ integrity: authenticated data structure (ADS) and circuit-based verifiable computation (VC). The VC-based approach (e.g., SNARKs [32]) can support arbitrary computing but has very high and often impracticable overhead costs. Also, it requires a costly pre-processing step as both the proving key and the verification key have to be hardcoded into the database software. To tackle this problem, the authors in [5] proposed another variant of SNARKs in which the pre-processing step is based on only the upper-bound size of the database and query program. Zhang et al. [56] presented a vSQL system that allows verifiable SQL queries via an interactive protocol. Nevertheless, it is restricted to relational databases with a fixed schema. In contrast, the ADS-based solution is generally more efficient as it tailors to a specific query. Therefore, our proposed solution is based on this approach. Digital signature and MHT are two types of structures widely used as ADS. Digital signatures authenticate a digital message’s content based on asymmetric cryptography. To allow verifiable queries, all data records must be signed and hence unable to scale up to large datasets [31]. On the other hand, MHT is constructed on a hierarchical tree [26]. A hash digest of a data record is assigned to each entry in a leaf node and a digest from the children’s nodes is also assigned to each entry in the internal node. To validate any data subset, the $D O$ must sign the root digest of MHT. MHT has been widely adapted to various index structures [10,19,52,53]. Li et al. [18] presented ADS based on MHT that stores sorted data at leaves of a B+ tree. Leaf nodes contain the hash of data, while non-leaf nodes contain a hash value of their children by hashing a combination of children’s hashes. These computations maintain the order of data in the sorted list. With the provision of a verification object $V O$ from the $C S$ , the recipient can re-compute the root digest and match it with the signed root digest of the $D O$ . If they are the same, then the query result is correct and complete.

3. Preliminaries

Definition 1 (Lagrange Interpolation).

Let S be a set with size $| S | = k$ , and $x \overset{$}{\leftarrow} Z_{p}$ denotes the operation of choosing an element x uniformly at random from S. Lagrange interpolation for a polynomial $q (\cdot)$ over $Z_{p}$ of order $k - 1$ is computed as $q (x) = \sum_{i \in S} q (i) \cdot Δ_{i, S} (x)$ , where the Lagrange coefficient $Δ_{i, S} (x) = \prod_{j \in S, j \neq i} \frac{x - j}{i - j}$ .

Definition 2 (Predicate).

Let U denotes a universal attribute. A predicate (over U) is a monotone boolean function whose inputs are associated with an attribute set $W \subseteq U$ . A predicate function Υ is defined as: $\begin{matrix} (1) & Υ (W) = \{\begin{matrix} 1, & for | W \cap U | ⩾ k, \\ 0, & otherwise, \end{matrix} \end{matrix}$ where k is the threshold value. Since the predicate Υ is monotone, we have that $Υ (A) = 1$ , implies $Υ (L) = 1$ for attribute set $L \supset A$ .

3.1. Bilinear maps

Let $G$ and $G_{T}$ be two multiplicative cyclic groups of prime order p. Let g be a generator of $G$ and e be a bilinear map, $e : G \times G \to G_{T}$ . The bilinear map e has the following properties:

Bilinearity: For all $g, h \in G$ and $y, z \in Z_{p}$ , we have $e (g^{y}, h^{z}) = e {(g, h)}^{y z}$ .

Non-degeneracy: $e (g, h) \neq 1$ .

Computability: There is an efficient algorithm to compute $e (g, h)$ for all $g, h \in G$ .

Note that the map e is symmetric since

e (g^{y}, h^{z}) = e {(g, h)}^{y z} = e (g^{z}, h^{y})

3.2. Hardness assumption

The security of our construction is based on the q-Diffie-Hellman Exponentiation (q-DHE) assumption [14] and Decisional q-Diffie-Hellman Bilinear Exponentiation (q-DBDHE) assumption [7].

Definition 3 (q-DHE Assumption).

We say the $(t, ϵ)$ q-DHE assumption holds in a group $G$ , if there is no probabilistic polynomial time (PPT) adversary who is able to compute $g^{α^{q + 1}}$ just given $(g, h, g^{α}, g^{α^{2}}, \dots, g^{α^{q}}, g^{α^{q + 2}}, \dots, g^{α^{2 q}}) \in G^{2 q + 1}$ running in time at most t with probability at least ϵ, where $α \in Z_{p}^{*}$ and $g \in G$ are chosen independently and uniformly.

Definition 4 (q-DBDHE Assumption).

Let $G$ be a bilinear group of order p and e be a bilinear map such that $e : G \times G \to G_{T}$ . The q-DBDHE problem in $G_{T}$ is stated as follows: Given the element $\vec{Y} = (g, h, g^{α}, g^{α^{2}}, \dots, g^{α^{q}}, g^{α^{q + 2}}, \dots, g^{α^{2 q}}) \in G^{2 q + 1}$ as input, where α is selected at random from $Z_{p}^{*}$ , it is difficult for a PPT algorithm $A$ to distinguish $e {(g, h)}^{α^{q + 1}} \in G_{T}$ from the random element $Z \in G_{T}$ . The Algorithm $A$ can solve the q-DBDHE problem with the advantage ϵ if $\begin{matrix} | Pr [A (\vec{Y}, T = e {(g, h)}^{α^{q + 1}}) = 0] - Pr [A (\vec{Y}, T = Z) = 0] | ⩾ ϵ . \end{matrix}$ We say that the q-DBDHE assumption holds if no PPT algorithm $A$ has a non-negligible advantage in solving the q-DBDHE problem.

Definition 5 (Ciphertext policy attribute based signcryption (CP-ABSC)).

As presented in [57], CP-ABSC consists of four basic polynomial time algorithms wherein $U_{e}$ and $U_{s}$ are disjoint universe of encryption/decryption attribute and signature attribute sets respectively.

$Setup (λ, U_{e}, U_{s})$ : The Setup algorithm takes the security parameter λ, attribute universes $U_{e}$ and $U_{s}$ as input and it outputs the master secret key $MSK$ and the public parameters $PK$ . Here, we adopt the method of adding “dummy attributes” from Waters and Sahai [38] to achieve a flexible threshold. Beside the real universe attributes (i.e., $U_{e}$ , $U_{s}$ ), other dummy attribute sets $D_{e}$ and $D_{s}$ are also selected for $U_{e}$ and $U_{s}$ respectively. Note that every user in the system possess the dummy attribute sets to ensure the consistency of signcryption and unsigncryption of messages. The public parameters consists of the real universe attributes $U_{e}$ and $U_{s}$ , and the dummy attribute sets $D_{e}$ and $D_{s}$ .

KeyGen: This algorithm generates a pair of keys for decrypting and signing separately. So, we provide the two types of the key generation algorithms as follows:

sExtract $(PK, MSK, W_{s})$ : The sExtract algorithm takes the public parameters $PK$ , a master secret key $MSK$ , a set of signing attributes $W_{s} \subseteq (U_{s} \cup D_{s})$ as input, and it returns the signing private key ${SK}_{W_{s}}$ .

dExtract $(PK, MSK, W_{e})$ : The dExtract algorithm takes the system public parameters $PK$ , a master secret key $MSK$ , a set of decrypting attributes $W_{e} \subseteq (U_{e} \cup D_{e})$ as input, and it returns the decrypting private key ${SK}_{W_{e}}$ .

Signcrypt $(PK, m, Υ_{e}, Υ_{s}, {SK}_{W_{s}})$ : The Signcrypt algorithm takes the system public parameters $PK$ , a message m, an encrypting predicate $Υ_{e}$ , a signing predicate $Υ_{s}$ and signing private key ${SK}_{W_{s}}$ with attribute set $W_{s}^{'} \subseteq W_{s}$ satisfying predicate $Υ_{s}$ (i.e., an attribute set $W_{s}^{'}$ satisfies the predicate $Υ_{s}$ if $Υ_{s} (W_{s}^{'}) = 1$ ). Then, it returns ${CT}_{Υ_{e} Υ_{s}}$ .

Unsigncrypt $(PK, {CT}_{Υ_{e} Υ_{s}}, {SK}_{W_{e}}, Υ_{s})$ : The Unsigncrypt algorithm takes the system public parameters $PK$ , a ciphertext ${CT}_{Υ_{e} Υ_{s}}$ , a receiver’s decrypting private key ${SK}_{W_{e}}$ , and a signing predicate $Υ_{s}$ . Then, it outputs either the message m or rejects symbol ⊥.

Definition 6.
We say that CP-ABSC construction is correct if for all messages $m \in M$ , all attribute sets $W_{s}$ and $W_{e}$ , all claim-predicates $Υ_{s} (W_{s}) = 1$ and $Υ_{e} (W_{e}) = 1$ such that

3.3. Security model of CP-ABSC scheme

The security definitions of message confidentiality and ciphertext unforgeability for CP-ABSC are defined as follows.

3.3.1. Message confidentiality

The security notion of message confidentiality is defined on indistinguishability of ciphertexts under adaptive chosen ciphertext attack in the selective encryption predicate model (IND-ABSC-sCCA) through an interactive game between an adversary $A$ and a challenger $C$ as follows:

Init: An adversary $A$ first outputs an encryption predicate $Υ_{e}^{*}$ over encryption attributes that will be used in the challenge phase to construct the challenge ciphertext.

Setup: The challenger $C$ runs the $Setup (λ, U_{e}, U_{s})$ , sends the public parameters $PK$ to adversary $A$ and keeps the master secret $MSK$ private.

Query Phase 1: The adversary $A$ makes polynomial time queries to the following oracles which are simulated by the challenger $C$ .

sExtract oracle $O_{s E} (W_{s})$ : on inputting a signing attribute set $W_{s}$ , the challenger $C$ returns ${SK}_{W_{s}} \leftarrow sExtract (PK, MSK, W_{s})$ to the adversary $A$ .

dExtract oracle $O_{d E} (W_{e})$ : on inputting a decryption attribute set $W_{e}$ such that $Υ_{e}^{*} (W_{e}) = 0$ , the challenger $C$ returns ${SK}_{W_{e}} \leftarrow dExtract (PK, MSK, W_{e})$ to the adversary $A$ .

Signcrypt oracle $O_{s C} (m, Υ_{s}, Υ_{e})$ : on inputting a message m, a decryption predicate $Υ_{e}$ and a signing predicate $Υ_{s}$ , the challenger $C$ returns ${CT}_{Υ_{e} Υ_{s}} \leftarrow Signcrypt (PK, m, Υ_{e}, Υ_{s}, {SK}_{W_{s}})$ to the adversary $A$ .

Unsigncrypt oracle $O_{u C} ({CT}_{Υ_{e} Υ_{s}}, W_{e}, Υ_{s})$ : on inputting a ciphertext ${CT}_{Υ_{e} Υ_{s}}$ , a decryption attribute set $W_{e}$ and a signing predicate $Υ_{s}$ , the challenger $C$ gets the decryption secret key ${SK}_{W_{e}} \leftarrow dExtract (PK, MSK, W_{e})$ and sends the output of Unsigncrypt $(PK, {CT}_{Υ_{e} Υ_{s}}, {SK}_{W_{e}}, Υ_{s})$ to $A$ .

Challenge: The adversary $A$ outputs two equal length of messages $m_{0}^{*}$ , $m_{1}^{*}$ and a signing predicate $Υ_{s}^{*}$ . The challenger $C$ chooses a signing attribute set $W_{s}^{*}$ such that $Υ_{s}^{*} (W_{s}^{*}) = 1$ and returns the challenge ciphertext ${CT}^{*}_{Υ_{e}^{*} Υ_{s}^{*}} \leftarrow Signcrypt (PK, m_{τ}^{*}, Υ_{e}^{*}, Υ_{s}^{*}, sExtract (PK, MSK, W_{s}^{*}))$ to the adversary $A$ , where $τ \overset{$}{\leftarrow} {0, 1}$ .

Query Phase 2: The adversary $A$ keeps on making adaptive queries as in Query Phase 1 except the dExtract queries: $O_{d E} (W_{e}^{*})$ , for any decryption attribute set $W_{e}^{*}$ satisfying $Υ_{e}^{*} (W_{e}^{*}) = 1$ .

Guess: The adversary $A$ outputs a guess τ of $τ^{'}$ and succeeds in this game if $τ = τ^{'}$ . The advantage of $A$ is defined to be ${Adv}^{IND-ABSC-sCCA} (A) = | Pr [τ = τ^{'}] - \frac{1}{2} |$ , where the probability is taken over all random coin tosses.

Definition 7.
A CP-ABSC scheme is said to be $(t, q_{s E}, q_{d E}, q_{s C}, q_{u S}, ϵ) - IND-ABSC-sCCA$ secure if the advantage ${Adv}^{IND-ABSC-sCCA} (A) ⩽ ϵ$ , for any PPT adversary $A$ running in time at most t that makes at most $q_{s E}$ sExtract queries, $q_{d E}$ dExtract queries, $q_{s C}$ Signcrypt queries and $q_{u S}$ Unsigncrypt queries in the above game.

3.3.2. Ciphertext unforgeability

This security notion is defined on existential unforgeability under adaptive chosen message attack in the selective predicate model (EUF-ABSC-sCMA), through following game between a challenger $C$ and an adversary $A$ .

Init: The adversary $A$ outputs a challenge signing predicate $Υ_{s}^{*}$ over attributes which will be used to forge a signature.

Setup: The challenger $C$ runs the $Setup (λ, U_{e}, U_{s})$ , gives the public parameters $PK$ to adversary $A$ and keeps the master secret $MSK$ secret.

Query Phase: The adversary $A$ makes polynomial time queries to the following oracles which are simulated by the challenger $C$ .

sExtract oracle $O_{s E}^{'} (W_{s})$ : on inputting a signing attribute set $W_{s}$ such that $Υ_{s}^{*} (W_{s}) = 0$ , the challenger $C$ returns ${SK}_{W_{s}} \leftarrow sExtract (PK, MSK, W_{s})$ to the adversary $A$ .

dExtract oracle $O_{d E}^{'} (W_{e})$ : on inputting a decryption attribute set $W_{e}$ , the challenger $C$ returns ${SK}_{W_{e}} \leftarrow dExtract (PK, MSK, W_{e})$ to the adversary $A$ .

Signcrypt oracle $O_{s C}^{'} (m, Υ_{s}, Υ_{e})$ : on inputting a message m, decryption predicate $Υ_{e}$ and signing predicate $Υ_{s} (W_{s}) = 1$ , the challenger $C$ returns ${CT}_{Υ_{e} Υ_{s}} \leftarrow Signcrypt (PK, m, Υ_{e}, Υ_{s}, {SK}_{W_{s}})$ to the adversary $A$ , where ${SK}_{W_{s}} \leftarrow sExtract (PK, MSK, W_{s})$ .

Unsigncrypt oracle $O_{u C}^{'} ({CT}_{Υ_{e} Υ_{s}}, W_{e}, Υ_{s})$ : on inputting a ciphertext ${CT}_{Υ_{e} Υ_{s}}$ , a decryption attribute set $W_{e}$ and a signing predicate $Υ_{s}$ , the challenger $C$ gets the decryption secret key ${SK}_{W_{e}} \leftarrow dExtract (PK, MSK, W_{e})$ and sends the output of Unsigncrypt $(PK, {CT}_{Υ_{e} Υ_{s}}, {SK}_{W_{e}}, Υ_{s})$ to the adversary $A$ .

Forgery Phase: An adversary $A$ outputs a forgery ${CT}^{*}_{Υ_{e}^{*} Υ_{s}^{*}}$ for some message $m^{*}$ with a decryption predicate $Υ_{e}^{*}$ . The $A$ can succeed in this game, if Unsigncrypt $(PK, {CT}_{Υ_{e} Υ_{s}}^{*}, Υ_{s}, {SK}_{W_{e}}^{*}) = m^{*} \neq ⊥$ , where $Υ_{e}^{*} (W_{e}^{*}) = 1$ and $A$ did not issue query on $O_{S C}^{'} ({CT}_{Υ_{e} Υ_{s}}, W_{e}, Υ_{s})$ .

The advantage of $A$ winning this game is $Adv {(A)}^{EUF-ABSC-sCMA} = Pr [A_{A wins the game}]$ .

Definition 8.
A CP-ABSC scheme is said to be $(t, q_{s E}, q_{d E}, q_{s C}, q_{u S}, ϵ) -EUF-ABSC-sCMA$ secure if the advantage $Adv {(A)}^{EUF-ABSC-sCMA} ⩽ ϵ$ , for any PPT adversary $A$ running in time at most t that makes at most $q_{s E}$ sExtract queries, $q_{d E}$ dExtract queries, $q_{s C}$ Signcrypt queries and $q_{u S}$ Unsigncrypt queries in the above game.

3.4. B+ tree

The B+ tree is a tree-like index structure in which every node is a disk block. The B+ tree remains balance: all paths from the root to the leaf node have the same depth [55]. Every node in B+ tree has between $⌈m / 2⌉$ and m children. This implies that every node is required to have at least $⌈m / 2⌉$ children. Therefore, at any depth d of the tree, there must be at least ${⌈m / 2⌉}^{d}$ leaf node. Thus the tree must have depth at most $⌈{log}_{⌈m / 2⌉} Q⌉$ where Q is the number of leaf nodes. The actual number of children for a node, specified here as m, is constrained for internal nodes so that $⌈ b / 2 ⌉ ⩽ m ⩽ b$ , where b is a branching factor. Here the root node is an exception, it is usually allowed to have as few as 2 children. This has only a small effect on the answer [12].

Fig. 2.

System architecture.

4. System design

In this part, the system architecture of our scheme, the function of each entity in the scheme, design objectives, and the construction of a cloud-based PHRs sharing scheme are presented.

4.1. The scheme entities

To share PHRs data among untrusted parties via the cloud, we design an access control scheme. The system architecture is shown in Fig. 2.

4.1.1. Private key generator

The private key generator generates a secret key and public keys for the system users based on their attributes.

4.1.2. Cloud server

Data generated by the patients are indexed, encrypted, and outsourced to the $C S$ . Data requests are sent to the $C S$ . The $C S$ retrieves the data and sends it to the requester.

4.1.3. Data owner

The patient (Data owner) usually encrypts PHRs with other details and uploads them to the $C S$ to achieve information sharing and reduced data maintenance cost. In our construction, the patient is primarily responsible for data indexing, generating search information, and authentication information.

4.1.4. Data users

These are the individuals who have been authorized by the PKG to access the patient’s medical data from the cloud for usage.

4.2. Design objectives

The attribute based signcryption scheme CP-ABSC [21,30,54] provides effective mechanism to signcrypt (encrypt-then-sign) and unsigncrypt (decrypt-then verify). Thus, it addresses the problems of privacy leak, forgery and ensures fine grained access control and public verification of the authenticity of the plaintext. The application of the CP-ABSC scheme introduces another set of challenges. Firstly, there can be a large set of PHRs dataset such as x-ray scan which has to be encrypted and outsource to the cloud server. But all asymmetric encryption schemes have high computation overhead which includes our signcryption scheme. To tackle this problem, the encryptor can use symmetric encryption such as AES [27] to encrypt the PHRs data and then encrypts the secret key with the CP-ABSC scheme.

Secondly, searching on the encrypted data in the $C S$ to retrieve the specific ciphertext or range of ciphertexts based on the keyword without revealing the content of the keyword to the $C S$ is another difficult to address. The challenge is how to develop a searching mechanism that will support exact match keyword search and range keywords search with almost equivalent efficiency of searching on the plaintext. To address this problem we build an index for the dataset based on the B+ tree. The encryptor encrypts the B+ tree together with the PHRs. A hash table is constructed based on a matrix that is used to compare encrypted keyword (query key) and encrypted B+ search keys to retrieve correct encrypted PHRs data from the remote $C S$ . However, there is an inherent problem of using a sorted index structure such as a B+ tree. Thus, the $C S$ can learn the access pattern of ciphertext (i.e., which ciphertexts are more frequently queried) [24]. However, the leakage of access patterns of encrypted databases is not as serious as that of plaintext databases.

In addition, the $C S$ cannot be trusted with the correctness, completeness, and freshness of the query result. Especially, for range query, the result might not be complete. To address this problem, the encryptor constructs an authentication structure based on the B+ tree and provides the B+ tree root digest to $D U$ . This mechanism enables the $D U$ to reconstruct the B+ tree root digest with the query result which includes the verification object (i.e. authentication information from the B+ tree). If the reconstructed B+ tree root digest matches with the one originally computed by the $D O$ , then the query result is correct, complete, and fresh.

Finally, to modify (delete and update operations) the outsourced database on the cloud server, the $D O$ does not download the whole database to modify it offline before the updated database can be committed on the cloud server. As this approach is undesirable due to high bandwidth usage, the $D O$ rather uses the B+ tree to modify the specific section of the database with the ability to confirm whether the server has executed the database update according to the $D O$ requirements. This approach is efficient and does not consume as high data bandwidth as the former.

4.3. Construction of cloud-based PHRs sharing scheme

To solve the problem of ciphertext size that scales linearly with the number of times an attribute is used in general CP-ABSC and to minimize computation cost we propose a CP-ABSC scheme that supports a flexible threshold predicate for signing and encrypting messages. As shown in Fig. 3, the proposed scheme is categorized into four main phases. The first phase is registration which consists of step to step . The second phase is data outsourcing and consists of step to step . The third phase is data obtainment, consisting of step to step . The last phase is provable database modification and it consists of step to step .

Fig. 3.

The process flow of the system architecture.

4.3.1. Registration

To have access to PHR’s system, users must go through the steps of registering their credential with the PKG. To initialize the system, the PKG runs the $Setup (λ, U_{e}, U_{s})$ in Algorithm 1 to generate the system public parameters $PK$ and master secret key $MSK$ . The $PK$ is announced to the public while the $MSK$ is kept secret by the PKG. For simplicity, we suppose that the real decryption attribute universe $U_{e} = {{attx}_{1}, {attx}_{2}, \dots, {attx}_{n}}$ and signing attribute universe $U_{s} = {{atty}_{1}, {atty}_{2}, \dots, {atty}_{n}}$ are publicly known. Let $D_{e} = {{attx}_{n + 1}, {attx}_{n + 2}, \dots, {attx}_{2 n - 1}}$ and $D_{s} = {{atty}_{n + 1}, {atty}_{n + 2}, \dots, {atty}_{2 n - 1}}$ denote the dummy decryption attribute set and signing attribute set respectively which are possessed by all the parties in the system to ensure consistency of signcryption with unsigncryption.

Algorithm 1

$Setup (λ, U_{e}, U_{s})$

Generation of signature key. When a new data owner $D O$ wants to join the system, the $D O$ presents proof of his/her attribute set to the PKG. The PKG confirms the validity of the attributes and runs the $sExtract (PK, MSK, W_{s})$ in Algorithm 2 to produce the signing private key for the $D O$ . The signature key generation algorithm takes the input of public parameters $PK$ , master secret key $MSK$ and the $D O$ ’s valid attribute set $W_{s}$ .

Algorithm 2

$sExtract (PK, MSK, W_{s})$

Generation of decryption key. To have access to PHR’s system, data users $D U s$ (i.e. patients, medical doctors, researchers, etc) go through the steps of registering their credentials with the PKG to obtain their decryption key. First, $D U s$ present the proof of their decryption attribute sets to the PKG. The PKG confirms the validity of the attributes and runs the $dExtract (PK, MSK, W_{e})$ in Algorithm 3 to generate the decryption private key. The PKG sends the private key through a secure channel to the requested $D U$ .

Algorithm 3

$dExtract (PK, MSK, W_{e})$

4.3.2. Data outsourcing

To simultaneously achieve unforgeability of ciphertext, fine-grained access control, the integrity of query results, encrypted data retrieval, and provable remote database modification, the data owner will perform the following steps before uploading PHRs to the cloud server.

Step 1 (Encryption of PHR data). The complexity of the CP-ABSC algorithm makes it not suitable to encrypt large PHR data. Therefore, the $D O$ encrypts the PHR data using a symmetric data encryption algorithm with a symmetric data encryption key ${DEK}_{1} \overset{$}{\leftarrow} κ$ , where κ is a keyspace as in [27]. In this work, the data owner will use a strong symmetric encryption algorithm specifically Advanced Encryption Standard (AES) to secure the PHR data (for details of AES encryption scheme, please refer to [27,47]).

Fig. 4.

Example of encrypted B+ index structure.

Step 2 (Construction of authenticated data structure (ADS)). To reduce the number of disk access operations when processing a query over encrypted data, the $D O$ builds authenticated index structure for the encrypted dataset using the B+ tree. With a given encrypted dataset $E (D) = (E (D_{1}), E (D_{2}), \dots, E (D_{7}))$ , the $D O$ creates a B+ tree structure shown in Fig. 4. Since the search keys contain sensitive information, each search key $k_{i}$ in the B+ tree is encrypted using the AES encryption algorithm. The $D O$ takes a secret key ${DEK}_{2} \overset{$}{\leftarrow} κ$ and use it as a symmetric data encryption key to execute AES encryption algorithm to encrypt each search key $k_{i}$ in the B+ tree. The $D O$ replaces each search $(k_{i})$ with $e (k_{i})$ in the B+ tree and maintains sorted encrypted records $E (D) = (E (D_{1}), E (D_{2}), \dots, E (D_{7}))$ by traversing through the leaf nodes. Then, the $D O$ embeds a digest in each leaf node of the B+ tree. The digests are computed as: $\begin{matrix} (2) & h_{i} = H (h_{01} | \dots | h_{0 f}) \end{matrix}$ Where $h_{i}$ is the hash value for a leaf node i, $H (\cdot)$ is a one way secure hash function, $^{'} |^{'}$ is concatenation operator and $h_{01} = H (E (D_{1}) | e (k_{1})), \dots, h_{0 f} = H (E (D_{f}) | e (k_{f}))$ are hashes of the encrypted entries in a leaf node. For the non-leaf node, the digest n is computed as: $\begin{matrix} (3) & h_{n} = H (h_{1} | h_{2} | \dots | h_{f}) \end{matrix}$ Where n is the identity of the node, $h_{1}, \dots, h_{f}$ are the respective child nodes’ digest of the non-leaf node n. Figure 5 shows an example of the resulting B+ tree. Note that $E (\cdot)$ and $e (\cdot)$ denote AES encryption of the PHRs data and the search keys respectively.

Fig. 5.

Example of authenticated B+ data structure.

Step 3 (Construction of search mechanism). To preserve the privacy of the query keyword while providing the ability of the $C S$ to search on the encrypted B+ tree, the $D O$ creates a comparison matrix. The comparison matrix supports both exact match and range queries processing on the B+ tree. The cost of determining the value of a node to carry out a comparison operation is $O (1)$ and the storage space is $O (n^{2})$ . $\begin{array}{l} (4) & Δ_{i j} = \{\begin{matrix} Δ_{i j} = 0 & if i = j, \\ Δ_{i j} = - 1 & if i < j, \\ Δ_{i j} = 1 & if i > j, \end{matrix} \\ (5) & [\begin{matrix} 0 & - 1 & - 1 & - 1 & - 1 & - 1 & - 1 \\ 1 & 0 & - 1 & - 1 & - 1 & - 1 & - 1 \\ 1 & 1 & 0 & - 1 & - 1 & - 1 & - 1 \\ 1 & 1 & 1 & 0 & - 1 & - 1 & - 1 \\ 1 & 1 & 1 & 1 & 0 & - 1 & - 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & - 1 \\ 1 & 1 & 1 & 1 & 1 & 1 & 0 \end{matrix}] = Δ \end{array}$ The comparison matrix Δ in equation (5) is based on three conditions as shown in equation (4). The conditions are to guide efficient search for an encrypted record in the B+ tree. The subscript values i and j denote a query key and a search key in the B+ tree respectively. Using the comparison matrix, the $C S$ can determines the upper bound $(i > j)$ , lower bound $(i < j)$ and equality $(i = j)$ in the encrypted tree, which will enable the $D O$ to easily retrieve the right encrypted record. However, the comparison matrix has high storage overhead. To reduce the storage cost, we encrypt and compute the hash values of all i and j and store them in a hash table (i.e. hashmap) only if the last condition in equation (4) $(i > j)$ is satisfied. Now the storage cost is $O ((\frac{1}{2} (n^{2} - n))$ and the cost of determining a key in the hashmap is $O (1)$ . The Algorithm 4 shows the details of storing the values of comparison matrix in a hashmap. Also, Algorithm 5 shows the details of how to exploit the stored information in the hashmap to execute privacy preserving comparison operation on the B+ tree.

Algorithm 4

Storing of comparison matrix value in hash table

Algorithm 5

Comparison matrix privacy operation

Step 4 (Creation of manifest file). The $D O$ creates a manifest file $IMF$ which is made up of secret keys: ${DEK}_{1}$ , ${DEK}_{2}$ and B+ tree hash root $h_{root}$ . To enable the verification of freshness of the query results, we do not use the known approach of the $D O$ signing the root of the B+ hash root. This approach involves high computation cost of signing if multiple hash roots are involved. However, with the inclusion of $h_{root}$ in the $IMF$ , a $D U$ can verify not only the freshness but correctness, and completeness of a query result. Note that the $D O$ has to update the $h_{root}$ whenever there is a modification on the B+ tree. The $D O$ creates a decryption predicate $Υ_{e}$ over attributes that users are required to have to decrypt a message and signing predicate $Υ_{s}$ over the attribute she/her possessed. With the input of the manifest file $IMF$ , predicates: $Υ_{e}$ , $Υ_{s}$ , signing private key ${SK}_{W_{s}}$ and the public parameter $PK$ , the $D O$ runs the Algorithm 6 (i.e. Signcrypt algorithm) to encrypt and sign the $IMF$ .

Finally, the $D O$ uploads the encrypted B+ tree along with the encrypted PHRs, signcrypted manifest file, and the hashmap to the $C S$ . Upon receiving the data, the $C S$ computes the B+ tree root digest and sends it to the $D O$ . The $D O$ compares the B+ tree’s root digest computed by the $C S$ with the one she/her computed. If there is a match, then the data has been successfully stored on the $C S$ .

Algorithm 6

$Signcrypt (PK, IMF, Υ_{e}, Υ_{s}, {SK}_{W_{s}})$

4.3.3. Data obtainment

PHRs data request. First, a $D U$ gets the manifest file from the $C S$ and unsigncrypt the manifest file using Algorithm 7. Note that the $D U$ can perform unsigncryption only if he/she has the complete set of the attribute under which the manifest file was signcrypted. The symmetric data encryption key ${DEK}_{2}$ is retrieved from the manifest file and used to run the AES algorithm to encrypt the query keyword. Then, the $D U$ sends a query to the $C S$ . Please refer to the Appendix for the correctness of the Unsigncrypt algorithm.

Algorithm 7

$Unsigncrypt (PK, C T_{Υ_{e}, Υ_{s}}, {SK}_{W_{e}}, Υ_{s})$

PHRs data retrieval. When the $C S$ receives PHRs data retrieval request, it runs either Algorithm 8 or Algorithm 9 to retrieve result in addition with verification object $V O$ . As the encrypted B+ tree efficiently supports not only exact-match query which returns a single-record that satisfies the given query key, but also, a range query that retrieves all records where some value is between an upper and lower boundary, the specific algorithm the $C S$ runs will be determined by the query key(s). To perform an exact-match query on the encrypted B+ tree as shown in Algorithm 8 , starting from the root node to the leaf node, Algorithm 5 is used to determine the upper bound/lower bound of search key in the present child node to find the leaf node which contains the search key to retrieve the encrypted data. For the range query as shown in Algorithm 9 , the upper bound and lower bound node in the encrypted tree is determined via Algorithm 5 . Once the upper bound and lower bound are localized, the encrypted records between them are easily retrieved as the query result. The result is sent to the $D U$ .

Algorithm 8

Query over encrypted B+ tree [exact-match queries]

Algorithm 9

Query over encrypted B+ tree [range queries]

Data integrity verification with usage. Since the $C S$ is untrusted, the user cannot simply accept the query result from the server. Instead, the user needs proof that the result is indeed correct, complete, and fresh; this is called query authentication. To achieve query authentication for a user’s query result, the $D U$ gets the data owner’s B+ tree root digest from the manifest file and the query result with $V O$ to run the query authentication algorithm. The query authentication algorithm recomputes the B+ tree root digest in a “bottom-up” manner based on the query result and the $V O$ (i.e. all additional sibling digests) from the leaf nodes to the root node. Then, the recomputed root digest is compared with the root digest which was originally computed by the $D O$ . If they are the same, then the query result is correct, complete, and fresh. The details are shown in Algorithm 10 . After successful integrity checking, the $D U$ decrypt the ciphertext of data using ${DEK}_{1}$ to obtain the original data file and then, use the data.

Algorithm 10

Verification of the query results

4.3.4. Provable database modification

Data insertion. Let’s suppose that the $D O$ wants to insert a new data record into the B+ tree. Firstly, the $D O$ encrypts the data records and search keys. It runs Algorithm 4 to generate a hashmap for the key and sends the encrypted information and the hashmap to the $C S$ . After receiving the request for data insertion, the $C S$ traverses the B+ tree to find the appropriate leaf node where the insertion can be executed. The server records metadata on all the nodes that are on the traversal path during the traverse. Also, the server records all the hash values of the sibling nodes on the path. The server then performs a B+ tree insertion operation, which can cause the splitting of several nodes on the traverse path. The server updates the hash value of all the affected nodes in a bottom-up manner, from the root node to the leaf nodes, until a new root hash $h_{root}$ value is created. Eventually, the server sends the insertion proof $h_{root}$ to the $D O$ . The $D O$ can simulate the insertion operation and further compute the new hash root. The $D U$ compares the B+ tree hash root return by the server with the one she/he computed. If there is a match, then the server has executed the data update as expected. The details are shown in Algorithm 11 .

Algorithm 11

Data insertion

Data deletion. Let’s suppose that the $D O$ wants to delete a data record from the B+ tree. The $D O$ sends a delete message request to the $C S$ . After the server receives the delete request, first the server performs a traverse on the B+ tree to locate the leaf node where the deletion should be executed. The server records details of all nodes on the path during the traversal. Since B+ tree delete entails key redistribution and merging between immediate sibling nodes, the information about all the affected sibling nodes is also recorded. The server executes the delete operation and computes the hash value of the root $h_{root}$ in a bottom-up manner, from the root node to the leaf node. Eventually, the server sends the deletion proof $h_{root}$ to the $D O$ . The $D O$ can simulate the data deletion operation and further computes the new hash root. The $D O$ compares the B+ tree hash root return by the server with the one she/he computed. If there is a match, then the server has executed the data deletion operation as expected. The details are shown in Algorithm 12 .

To guarantee that the $D U$ s can perform a valid integrity check on the query result after successful database modification, the $D O$ updates the root digest in the manifest file.

Algorithm 12

Data delete

5. Security proof

5.1. Confidentiality

Theorem 1.
Our CP-ABSC scheme is $(t, q_{s E}, q_{d E}, q_{s C}, q_{u S}, ϵ) - IND-ABSC-sCCA$ secure in the standard model, supposing the q-DBDHE problem in $(G, G_{T})$ is $(t^{'}, ϵ^{'})$ is hard, where $ϵ^{'} = ϵ - (q_{u S} / p)$ and $t^{'} = t + O (| U_{s} |^{2} . (q_{s E} + q_{s C}) + n^{2} . (q_{d E} + q_{u S}) \cdot t_{exp} + O (q_{u S}) \cdot t_{pair})$ . Here $t_{pair}$ and $t_{exp}$ represent the running time of one pairing computation and one exponentiation respectively.
Proof.
Assuming that there is an adversary $A$ against our CP-ABSC construction that makes at most $q_{s E}$ sExtract query, $q_{d E}$ dExtract query, $q_{s C}$ Signcrypt query, $q_{u S}$ Unsigncrypt query, then a PPT algorithm $C$ can be constructed to solve the q-DBDHE problem with probability at least $ϵ^{'}$ . Suppose the challenger $C$ is given a q-DBDHE challenge $(g, h, g^{α}, \dots, g^{α^{q}}, g^{α^{q + 2}}, \dots, g^{α^{2 q}}, T)$ , where T is either $T = e {(h, g)}^{α^{q + 1}}$ or a random element in $G_{T}$ . Consider the following interactive game played between a challenger $C$ and an adversary $A$ . □

Init: Adversary $A$ provides the challenge predicate $Υ_{e}^{}$ over a decryption attribute $W_{e}^{}$ .

Setup: The challenger $C$ first defines a set of real encryption attribute universe as $U_{e} = {1, 2, \dots, n}$ (signing attribute universe as $U_{s} = {1, 2, \dots, n}$ ) with the dummy attribute set as $D_{e} = {n + 1, n + 2, \dots, 2 n - 1}$ (respectively, dummy attribute set as $D_{s} = {n + 1, n + 2, \dots, 2 n - 1}$ ). For simplicity, here we let $q = 2 n - 1$ and the $2 n - k$ dummy decryption attributes chosen for the challenge predicate to be $D_{e}^{} = {n + 1, n + 2, \dots, 2 n - k^{}}$ . The challenger $C$ computes the public parameters as follows:

Sample $α^{'} \overset{$}{\leftarrow} Z_{p}^{}$ and let $Z = {(g, h)}^{α} = {(g, h)}^{α^{'} + α^{q + 1}}$ , which implicitly sets the master key as $α = α^{'} + α^{q + 1}$ .

Set $C_{2}^{} = h^{s}$ , $μ^{} = H_{2} (C_{2}^{})$ , $Φ_{1} = {(g^{α q})}^{\frac{1}{μ^{}}}$ and $Φ_{2} = g^{- α^{q}} g^{d}$ , where $s, d \overset{$}{\leftarrow} Z_{p}^{}$ .

For each $i \in {U_{e} \cup D_{e}}$ (i.e. $i \in [2 n - 1]$ ), sample $r_{i} (0 ⩽ i ⩽ q)$ from $Z_{p}^{}$ randomly and computes $β_{0} = g^{r_{0}} \prod_{i \in W_{e}^{} \cup D_{e}^{}} β_{i}^{- 1}$ , $β_{i} = g^{r_{i}} g^{α^{q - i + 1}}$ .

For each attribute $i \in {U_{s} \cup D_{s}}$ , sample $t_{0} \overset{$}{\leftarrow} Z_{p}^{}$ , $t_{i} \overset{$}{\leftarrow} Z_{p}^{}$ and set $δ_{0} = g_{1} g^{t_{0}}$ , $δ_{i} = g^{t_{i}}$ .

The challenger $C$ provides $A$ with the public parameters as $PK = {e, g, h, H_{1}, H_{2}, Φ_{1}, Φ_{2}, β_{0}, β_{1}, \dots, β_{q}, δ_{0}, δ_{1}, \dots, δ_{q}, Z, u^{'}, u_{0}, u_{0}, \dots, u_{q}}$ , where $H_{1}$ and $H_{2}$ are collision-resistant hash functions. Note that the public parameters $u_{0}, u_{0}, \dots, u_{q}$ and $u^{'}$ are generated as usual.

Query Phase 1: The $A$ is granted access to the following oracles simulated by $C$ .
sExtract oracle* $O_{s E} (W_{s})$ : Given a signing attribute set $W_{s}$ from $A$ , $C$ constructs ${SK}_{W_{s}}$ as follows:

For every attribute $i \in {W_{s} \cup D_{s}}$ , $C$ randomly selects a $n - 1$ degree polynomial $q (\cdot)$ with a constraint that $q (0) = α = α^{'} + α^{q + 1}$ . Observe that $C$ does not know $α^{q + 1}$ and the master secret key $α = α^{'} + α^{q + 1}$ , but has the knowledge of $α^{'}$ . Therefore, $C$ must ensure that there is no term of the form $g^{α^{q + 1}}$ which is involved in the secret key. The challenger then implicitly creates suitable $r_{i}$ values in such a way that the unknown terms are automatically eliminated from the secret key. The $C$ computes a signing secret key corresponding to $i \in {W_{s} \cup D_{s}}$ as follows. Select $r_{i}^{'} = Z_{p}^{}$ and implicitly set $r_{i} = r^{'} - α^{i}$ . The private signature key ${{SK}_{W_{s}}^{(i)}}_{i \in W_{s} \cup D_{s}}$ is return as: $\begin{array}{l} {SK}_{W_{s}}^{(i)} = & (g^{q (i)} {(δ_{0} δ_{i})}^{r_{i}^{'}}, h^{r_{i}^{'}}, δ_{i}^{r_{i}^{'}}, \dots, δ_{i - 1}^{r_{i}^{'}}, δ_{i + 1}^{r_{i}^{'}}, \dots, δ_{q}^{r_{i}^{'}}) \end{array}$ The signature key ${{SK}_{W_{s}}^{(i)}}_{i \in W_{s} \cup D_{s}}$ is sent to $A$ . It can be observed that the simulated values of key ${{SK}_{W_{s}}^{(i)}}_{i \in W_{s} \cup D_{s}}$ is equivalent to that of the original scheme as explained subsequently: $\begin{array}{l} {SK}_{W_{s}}^{(i)} = & (g^{q (i)} {(δ_{0} δ_{i})}^{r_{i}^{'}} {(g_{1} g^{t_{0}} \prod_{i \in W_{e}^{} \cup D_{e}^{'}} g^{t_{i}})}^{- α^{i}}, h^{r_{i}^{'}} h^{- α^{i}}, δ_{i}^{r_{i}^{'}} δ_{i}^{- α^{i}}, \dots, δ_{i - 1}^{r_{i}^{'}} δ_{i - 1}^{- α^{i}}, δ_{i + 1}^{r_{i}^{'}} δ_{i + 1}^{- α^{i}}, \dots, \\ δ_{q}^{r_{i}^{'}} δ_{q}^{- α^{i}}) \\ = & (g^{q (i)} {(δ_{0} δ_{i})}^{r^{'} - α^{i}}, h^{r^{'} - α^{i}}, δ_{i}^{r^{'} - α^{i}}, \dots, δ_{i - 1}^{r^{'} - α^{i}}, δ_{i + 1}^{r^{'} - α^{i}}, \dots, δ_{q}^{r^{'} - α^{i}}) \\ = & (g^{q (i)} {(δ_{0} δ_{i})}^{r_{i}}, h^{r_{i}}, δ_{i}^{r_{i}}, \dots, δ_{i - 1}^{r_{i}}, δ_{i + 1}^{r_{i}}, \dots, δ_{q}^{r_{i}}) \end{array}$

dExtract oracle $O_{d E} (W_{e})$ : $A$ submits an attributes set $W_{e}$ such that $| W_{e} \cup W_{e}^{} | < k$ (that is $Υ_{e}^{} (W_{e}) = 0$ ). Motivated by Li et al.’s approach in [20], here we define three sets Γ, $Γ^{'}$ , $S_{x}$ , as follows: $Γ = (W_{e} \cap W_{e}^{}) \cup D_{e}^{'}$ , $Γ \subseteq Γ^{'} \subseteq (W_{e}^{} \cup D_{e}^{'})$ and $S_{x} = Γ^{'} \cup {0}$ . For each attribute $i \in W_{e} \cup D_{e}^{'}$ , $C$ randomly selects an $n - 1$ degree polynomial $q (\cdot)$ such that $q (0) = α = α^{'} + α^{q + 1}$ (Here, $C$ is not aware the value of α). For each attribute i, the private signature key ${{SK}_{W_{e}}^{(i)}}$ is computed as follows:

For each $i \in Γ^{'}$ , i.e., $i \in (W_{e}^{} \cup D_{e}^{'})$ , $C$ selects $t_{i}, r_{i}^{'} \overset{$}{\leftarrow} Z_{p}^{}$ and lets $q (i) = t_{i}$ , $r_{i} = r_{i}^{'} - α^{i}$ , then it computes: $\begin{array}{l} {SK}_{W_{e}}^{(i)} = & (g^{q (i)} {(β_{0} β_{i})}^{r_{i}}, h^{r_{i}}, β_{i}^{r_{i}}, \dots, β_{i - 1}^{r_{i}}, β_{i + 1}^{r_{i}}, \dots, β_{q}^{r_{i}}) \\ = & (g^{q (i)} {(β_{0} β_{i})}^{r_{i}^{'}} {(g^{r_{0}} \prod_{i \in W_{e}^{} \cup D_{e}^{'}, j \neq i} β_{j}^{- 1})}^{- α^{i}}, h^{r_{i}^{'}} h^{- α^{i}}, β_{i}^{r_{i}^{'}} β_{i}^{- α^{i}}, \dots, β_{i - 1}^{r_{i}^{'}} β_{i - 1}^{- α^{i}}, \\ β_{i + 1}^{r_{i}^{'}} β_{i + 1}^{- α^{i}}, \dots, β_{q}^{r_{i}^{'}} β_{q}^{- α^{i}}) \\ = & (g^{q (i)} {(β_{0} β_{i})}^{r_{i}^{'} - α^{i}}, h^{r_{i}^{'} - α^{i}}, β_{i}^{r_{i}^{'} - α^{i}}, \dots, β_{i - 1}^{r_{i}^{'} - α^{i}}, β_{i + 1}^{r_{i}^{'} - α^{i}}, \dots, β_{q}^{r_{i}^{'} - α^{i}}) \end{array}$

For each $i \notin Γ^{'}$ , i.e., $i \notin (W_{e}^{} \cup D_{e}^{'})$ , $C$ selects $r_{i}^{'} \overset{$}{\leftarrow} Z_{p}^{}$ and lets $r_{i} = r_{i}^{'} - Δ_{0}, S_{y} (i) α^{i}$ . Using the Lagrange interpolation $q (i) = \sum_{j \in Γ^{'}} Δ_{j, S_{y}} (i) q (j) + Δ_{0, S_{x}} (i) q (0)$ , the decryption private can be computed by $C$ as follows: $\begin{array}{l} {SK}_{W_{e}}^{(i)} = & (g^{q (i)} {(β_{0} β_{i})}^{r_{i}}, h^{r_{i}}, β_{i}^{r_{i}}, \dots, β_{i - 1}^{r_{i}}, β_{i + 1}^{r_{i}}, \dots, β_{q}^{r_{i}}) \\ = & (g^{\sum_{j \in Γ^{'}} Δ_{j, S_{y}} (i) q (j) + Δ_{0, S_{x}} (i) q (0)} {(β_{0} β_{i})}^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}, h^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}, β_{i}^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}, \dots, \\ β_{i - 1}^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}, β_{i + 1}^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}, \dots, β_{q}^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}) \\ = & (g^{\sum_{j \in Γ^{'}} Δ_{j, S_{y}} (i) t_{j} + Δ_{0, S_{x}} (i) α^{'}} {(β_{0} β_{i})}^{r_{i}^{'}} {(β_{0})}^{- Δ_{0, S_{x}} (i) α^{i}} {(g^{α^{i}})}^{- Δ_{0, S_{x}} (i) r_{i}}, h^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}, \\ β_{i}^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}, \dots, β_{i - 1}^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}, β_{i + 1}^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}, \dots, β_{q}^{r_{i}^{'} - Δ_{0, S_{x}} (i) α^{i}}) \end{array}$

Remarks 1.
The most crucial part is to simulate the ${sk}_{i}$ elements so that they do not contain the $g^{α^{q + 1}}$ term which is unknown to $C$ . By using the three sets: Γ, $Γ^{'}$ , $S_{x}$ in simulating the secret key ${SK}_{W_{e}}^{(i)}$ , all the unknown terms of the form $g^{α^{q + 1}}$ can be cancelled out. Obviously, for $i \in Γ^{'}$ , the term $g^{α^{q + 1}}$ can be cancelled out by ${(β_{0}, β_{i})}^{α^{i}}$ ; for $i \notin Γ$ , the term of $g^{α^{q + 1}}$ can be cancelled out by $g^{q (0)} {(β_{i})}^{α^{i}}$ . As $C$ knows $(g^{α}, g^{α^{2}}, \dots, g^{α^{q}}, g^{α^{q + 2}}, \dots, g^{α^{2 q}})$ group elements, it can simulate the secret key ${SK}_{W_{e}}^{(i)}$ without knowing the $g^{α^{q + 1}}$ term. In addition, the distribution of the simulated private key is similar to that of the original scheme.

Signcrypt oracle* $O_{s C} (m, Υ_{s}, Υ_{e})$ : $A$ submits a message $m \in M$ , signing predicate $Υ_{s}$ and encryption predicate $Υ_{e}$ . $C$ selects a signing attribute set $W_{s}$ such that $Y_{k, W_{s}} = 1$ , computes the signature key as ${SK}_{W_{s}} = O_{s E} (W_{s})$ and return the ciphertext ${CT}_{Υ_{e} Υ_{s}} \leftarrow Signcrypt (PK, m, Υ_{e}, Υ_{s}, {SK}_{W_{s}})$ to $A$ .

Unsigncrypt oracle $O_{u C} ({CT}_{Υ_{e} Υ_{s}}, W_{e}, Υ_{s})$ : Given a ciphertext ${CT}_{Υ_{e} Υ_{s}}$ , encryption attributes $W_{e}$ , along with the encryption predicate $Υ_{e}$ and signing predicate $Υ_{s}$ , if $C_{2} = C_{2}^{}$ , $C$ aborts. Since $C_{2} = h^{s}$ is random, the probability of such an event is at most $\frac{1}{p}$ . Otherwise, $C$ continues as follows.

If $W_{e}$ does not satisfy the predicate $Υ_{e}$ , $C$ generates the secret key ${SK}_{W_{e}}$ by running $O_{d E} (W_{e})$ and outputs a message m or a reject symbol ⊥. If $W_{e}$ satisfies the $Υ_{e}$ , $C$ checks the validity of the ciphertext. If it is invalid, outputs ⊥, else computes $\begin{array}{l} m = & \frac{C_{0}}{e {(C_{3} / C_{2}^{d}, g^{α})}^{(\frac{μ}{μ^{}} - 1) - 1} e (C_{2}^{d}, g^{α^{'}})} . \end{array}$
$C$ compute $Z = e {(C_{3} / C_{2}^{d}, g^{α})}^{(\frac{μ}{μ^{}} - 1) - 1} e (C_{2}^{d}, g^{α^{'}})$ and set $Θ = H_{1} (C_{0}, Z^{s}, m) = {η_{1}, η_{2}, \dots, η_{n}}$ . The message m has valid signature if $Z = \frac{e (h, σ_{1})}{(e (δ_{0} \prod_{j \in W_{s}^{} \cup D_{s}^{'}} δ_{j}, σ_{2}) \times e (u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}}, C_{2}))}$ .

Challenge: The adversary $A$ outputs two messages $m_{0}^{}$ , $m_{1}^{}$ of the same size and a signing predicate $Υ_{s}^{}$ . $C$ picks $τ \overset{$}{\leftarrow} {0, 1}$ and generates ciphertext ${CT}_{Υ_{e} Υ_{s}}$ of $m_{τ}^{}$ as follows: $\begin{array}{l} C_{0}^{} = m_{τ}^{} \cdot Z \cdot e (h^{s}, g^{α^{'}}), C_{1}^{} = {(h^{s})}^{r_{0}}, C_{2}^{} = h^{s}, C_{3} = {(g^{s})}^{d}, \\ σ_{1}^{} = g^{α} {(δ_{0} \prod_{j \in W_{s}^{} \cup D_{s}^{'}} δ_{j})}^{ψ^{'}} \times {(u^{'} \prod_{j = 1}^{n} u_{j}^{η})}^{s}, \\ σ_{2} = g^{ψ^{'}} h, \end{array}$ where $ψ \overset{$}{\leftarrow} Z_{p}^{}$ and implicitly set $ψ = ψ^{'} - α^{q}$ . Given $C_{2}^{} = h^{s}$ and $μ^{} = H_{2} (C_{2}^{})$ , which are defined in the setup phase, if $Z = e (h^{s}, g^{α^{q + 1}})$ , the correctness of the challenged ciphertext can be verified as follows. $\begin{array}{l} C_{0}^{} = m_{τ}^{} \cdot e (h^{s}, g^{α^{q + 1}}) \cdot e (h^{s}, g^{α^{'}}) = e {(h, g)}^{s (α^{'} + α^{q + 1})}, \\ C_{1}^{} = {(h^{s})}^{r_{0}} = {(h^{r_{0}})}^{s} = {(β_{0} \prod_{j \in W_{s}^{} \cup D_{s}^{'}} β_{j})}^{s}, \\ C_{3} = {(g^{s})}^{d} = {(g^{d})}^{s} = ({({(g^{α^{q}})}^{\frac{1}{μ^{}}})}^{μ^{}} (g^{α^{q}}) g^{d}) = {(Φ_{1}^{μ^{}} Φ_{2})}^{s}, \\ \begin{matrix} σ_{1}^{} = & g^{α^{'} + α^{q + 1}} {(δ_{0} \prod_{j \in W_{s}^{} \cup D_{s}^{'}} δ_{j})}^{ψ^{'}} \times {(g_{1} g^{t_{0}} \prod_{i \in W_{e}^{} \cup D_{e}^{'}} g^{t_{i}})}^{- α^{q}} \times {(u^{'} \prod_{j = 1}^{n} u_{j}^{η})}^{s} \\ = & g^{α^{'} + α^{q + 1}} {(δ_{0} \prod_{j \in W_{s}^{} \cup D_{s}^{'}} δ_{j})}^{ψ^{'} - α^{q}} \times {(u^{'} \prod_{j = 1}^{n} u_{j}^{η})}^{s} \\ = & \prod_{i \in S_{y}} (g^{q (i) Δ_{i, S_{y}} (0)} {(δ_{0} \prod_{j \in W_{s}^{} \cup D_{s}^{'}} {(δ_{j})}^{r_{i}})}^{ψ Δ_{i, S_{y}} (0)}) \times {(u^{'} \prod_{j = 1}^{n} u_{j}^{η})}^{s}, \end{matrix} \\ σ_{2} = g^{ψ^{'}} h = g^{ψ^{'}} g^{- α^{q}} h = g^{ψ} h \end{array}$ Thus, the challenged ciphertext ${CT}_{Υ_{e}^{}, Υ_{s}^{}}^{}$ is a valid signcryption of the message $m_{τ}^{}$ under the signing predicate $Υ_{s}^{}$ and decryption predicate $Υ_{e}^{}$ . if $Z \overset{$}{\leftarrow} G_{T}$ , the challenge ciphertext is independent of τ in the adversary point of view.

Query Phase 2: The sequence of queries performed by the adversary $A$ in this phase is identical to that of Query Phase 1. The query answer provided by the challenger $C$ is also identical to that of Query Phase 1. Here, $A$ is restricted from querying the Unsigncrypt oracle on the challenge ciphertext ${CT}_{Υ_{s}^{}, Υ_{e}^{}}^{}$ .

Guess: The adversary $A$ provides a guess $τ^{'} \in {0, 1}$ . If $τ^{'} = τ$ , then $C$ returns 1 in the q-DBDHE game to guess that $Z = e (h^{s}, g^{α^{q + 1}})$ ; else it returns 0 to denote that Z is a random element in $G_{T}$ .

Probability analysis: The event for which $C$ can abort the game is when $A$ queries the Unsigncrypt oracle with $C_{2} = C_{2}^{}$ . The most likely case in this event is at the probability of $\frac{q_{u S}}{P}$ , where $q_{u S}$ is the maximum number of Unsigncrypt queries performed by the adversary. If the game is not aborted by $C$ and $Z = e (h^{s}, g^{α^{q + 1}})$ , then $C$ has the right guess with the probability at least $\frac{1}{2} + ϵ - \frac{q_{u S}}{P}$ . If Z is a random element, then $A$ does not get any information about $m_{τ}^{*}$ and hence $C$ has a right guess with the probability of $\frac{1}{2}$ . Consequently, $C$ can solve the q-DBDHE problem with advantage at least $ϵ^{'} = ϵ - \frac{q_{u S}}{P}$ .
5.2. Unforgeability

Theorem 2.
Assuming that the signing attribute universe $U_{s}$ has n attributes and collision-resistant hash function exists. Then our CP-ABSC scheme is $(t, q_{s E}, q_{d E}, q_{s C}, q_{u S}, ϵ) -EUF-ABSC-sCMA$ secure under the selective predicate attack in the standard mode, supposing that the $(t^{'}, ϵ^{'})$ q-DHE assumption holds in $G$ , where $ϵ^{'} ⩾ ϵ / (4 k q_{s C} + 2)$ and $t^{'} = t + O (n^{2} \cdot (q_{s E} + q_{s C}) + {| U_{e} |}^{2} \cdot (q_{d E} + q_{u S}) \cdot t_{exp} + O (q_{s C} + q_{u S}) \cdot t_{pair})$ . Here $t_{pair}$ and $t_{exp}$ represent the running time of one pairing computation and one exponentiation, respectively.
Proof.
Suppose there is an adversary $A$ against our CP-ABSC construction that makes at most $q_{s E}$ sExtract query, $q_{d E}$ dExtract query, $q_{s C}$ Signcrypt query, $q_{u S}$ Unsigncrypt query, then a PPT algorithm $C$ can be constructed to solve the decisional q-DHE problem with probability at least $ϵ^{'}$ in time at most $t^{'}$ . Suppose the challenger $C$ is given a q-DHE challenge $(g, h, g^{α}, g^{α^{2}}, \dots, g^{α^{q}}, g^{α^{q + 2}}, \dots, g^{α^{2 q}})$ , the goal of $C$ is to compute $g^{α^{q + 1}}$ . □

Due to page restrictions, the details of the security proof are omitted. Suffice to say that, unforgeability results for our scheme can easily be proved using the techniques of [25,34].
6. Performance analysis

In this section we evaluate the efficiency of the proposed schemes in terms of communication overhead, computation cost, memory requirement, and make a comparison with other schemes.

6.1. Complexity analysis

Table 1 provides a complexity analysis of operations in our proposed with the relevant schemes [21,23,33] on PHRs sharing. As shown in the table, the size of the ciphertext of the schemes [21,33] and [23] grows linear with the number of attributes used in signcryption of a message and so is the number of pairing computations, which makes the scheme less practical. The ciphertext in [21,33] and [23] consists of $O (W_{s} + W_{e})$ , $O (W_{s} + W_{e})$ and $O (W_{e})$ group elements, respectively. Our scheme achieves a short ciphertext size of $(6)$ group elements which are constant and not affected by an increment in the number of attributes. Therefore, the use of large attributes in signcryption will not affect the length of the ciphertext size to yield high unsigncryption computation cost. This makes our scheme the better choice. The size of the key encryption and decryption keys in our scheme is higher than [21,33] and [23]. The results from our analysis demonstrate that our scheme has better performance than others.

As the pairing computation is regarded as the most expensive operation, the practicality of an ABSC construction becomes a concern if the number of pairing operations required to unsigncrypt a ciphertext is high. However, our construction requires 4 pairings to recover the plaintext message and only 3 number of pairings for ciphertext verification. To sum up, 7 constant number of bilinear pairings are needed to unsigncrypt ciphertext which is not dependent on the length of decryption and signing attributes. Hence our unsigncryption algorithm is efficient from a computation point of view. On the contrary, the number of pairings in [21,23,33] are linear to the sum of underlying decryption and signing attributes (see Table 1 for comparison).

Table 1
The comparison of computational complexity

Scheme Communication overhead Computational cost

Signature key size Decryption key size Ciphertext size Signcryption (pairing) Unsigncryption (pairing)

[21] $O (W_{s}^{})$ $O (W_{e}^{})$ $O (W_{s} + W_{e})$ - $O (W_{s} + W_{e})$

[33] $O (W_{s}^{})$ $O (W_{e}^{})$ $O (W_{s} + W_{e})$ - $O (W_{s})$

[23] $O (W_{s}^{})$ $O (W_{e}^{})$ $O (W_{e})$ - $O (W_{e})$

Ours $O (n (W_{s}^{}))$ $O (n (W_{s}^{}))$ 6 - 7

Scheme	Communication overhead	Computational cost
[21]	$O (W_{s}^{*})$	$O (W_{e}^{*})$	$O (W_{s} + W_{e})$	-	$O (W_{s} + W_{e})$
[33]	$O (W_{s}^{*})$	$O (W_{e}^{*})$	$O (W_{s} + W_{e})$	-	$O (W_{s})$
[23]	$O (W_{s}^{*})$	$O (W_{e}^{*})$	$O (W_{e})$	-	$O (W_{e})$
Ours	$O (n (W_{s}^{*}))$	$O (n (W_{s}^{*}))$	6	-	7

Legends: We omit the message size from the ciphertext size in all the schemes listed in the table. $W_{e}$ and $W_{s}$ refer to the minimum number of decryption key attributes and signature key attributes required to unsigncrypt ciphertext respectively. $W_{e}^{*}$ and $W_{s}^{*}$ refer to the number of the attribute used in encryption and signing a message respectively.

6.2. Simulation and performance analysis

In this sub-section, we will focus on the simulation and performance analysis of our PHRs cloud based sharing scheme. All the simulations are executed on Intel i7 personal laptop with a 2.2 GHz CPU and 8 GB RAM running on macOS High Sierra 10.13.6. We used SS512 elliptic curve with a 512-bit base field in the python cryptographic library known as charm-crypto 0.43 [2]. In the simulation, the message m was chosen from $G_{T}$ . We also, use the Sha-3 hash function and AES encryption algorithm in pycrypto 2.6.1 python library in our simulation.

6.2.1. Key size

In this sub-section, we analyze the relationship between the number of attributes with the public key and the private keys size. In the algorithm $Setup (λ, U_{e}, U_{s})$ , the public key is $PK = {e, g, h, H_{1}, H_{2}, Φ_{1}, Φ_{2}, β_{0}, δ_{0}, u^{'}, Z, β_{1}, \dots, β_{2 n - 1}, δ_{1}, \dots, δ_{2 n - 1}, u_{1}, \dots, u_{| U_{s} |}}$ , where the number of variable terms are $β_{i}$ , $δ_{i}$ and $u_{i}$ . Here, let i, denotes an attribute for the variables $β_{i}$ , $δ_{i}$ and $u_{i}$ . Then, the size of $PK$ will grow linearly with the number of attribute i appearing in the encryption set $U_{e}$ and signing set $U_{s}$ . The Fig. 6a shows a linear growth with an increment in the size of attributes. For attributes of $(5 / 50)$ the public key size is $(2.688 / 19.968)$ kilobytes (Here, $| U_{e} | = | U_{s} |$ ). The private keys consist of the encryption and the signature keys which are generated by the dExtract and sExtract algorithm respectively. Since the $sExtract (PK, MSK, W_{s})$ algorithm and the $dExtract (PK, MSK, W_{e})$ algorithm have the same storage space complexity, here we present analysis on only the $sExtract (PK, MSK, W_{s})$ algorithm. In the $sExtract (PK, MSK, W_{s})$ algorithm, the generation of the secret key for attribute $i \in {U_{s} \cup D_{s}}$ is ${sk}_{i} = (g^{q (i)} {(δ_{0} δ_{i})}^{r_{i}}, h^{r_{i}}, δ_{i}^{r_{i}}, \dots, δ_{i - 1}^{r_{i}}, δ_{i + 1}^{r_{i}}, \dots, δ_{2 n - 1}^{r_{i}}) = (a_{i}^{'}, b_{i}^{'}, c_{i, 1}^{'}, \dots, c_{i, i - 1}^{'}, c_{i, i + 1}^{'}, \dots, c_{i, 2 n - 1}^{'})$ . Supposing there are $a^{'}$ attributes in the attribute set ${U_{s} \cup D_{s}}$ and n attributes in the set $U_{s}$ , the structure of the secret key is $2 n \times (a + n - 1)$ matrix. Thus, there are the $2 n^{2} + 2 n \times (a^{'} - 1)$ elements in the secret key. The length of the secret key grows linearly with $a^{'}$ , where $a^{'}$ is less than or equal to n as shown in Fig. 6b. For attributes of $(5 / 50)$ the signature key size increases to $(11.520 / 1267.200)$ kilobytes.

6.2.2. Ciphertext size

As stated previously, the information stored on the cloud server comprises the encrypted B+ tree along with the encrypted PHRs, signcrypted manifest file, and the hashmap. We mainly consider the size of the ciphertext of the manifest file. For simplicity, here the manifest file is denoted as m. The length of the ciphertext is $6 | G | + | G_{T}$ . In the $Signcrypt (PK, m, Υ_{e}, Υ_{s}, {SK}_{W_{s}})$ algorithm, the ciphertext size is ${CT}_{Υ_{e}, Υ_{s}} = (Υ_{e}, Υ_{s}, C_{0}, C_{1}, C_{2}, C_{3}, σ_{1}, σ_{2})$ , where $C_{0}$ is in $G_{T}$ , $C_{i} (i = 1, 2, 3)$ and $σ_{i} (i = 1, 2)$ are in $G$ . The length of ciphertext is constant (i.e. 0.769 kilobytes) regardless in a change with the number of attributes n (see Fig. 6c). This minimizes the communication and the storage cost directly.

6.2.3. The computation time

We evaluated the computation time of running the algorithms: Setup, sExtract (here, we omit dExtract algorithm since it has the same computational complexity as sExtact), Signcryption, and Unsigncryption. The execution times are based on the average of 100 trials. The experimental results for Setup, sExtract, Signcryption and Unsigncryption in Fig. 7a, Fig. 7b, Fig. 7c, and Fig. 7d respectively show that the execution time and the size of attribute n have a linear correlation. For attribute size $5 - 50$ the increment in the execution time are as follows: Setup $0.7 - 4.41$ seconds, sExtract $1.6 - 95.9$ seconds, $0.3 - 2.1$ seconds and Unsigncryption $0.29 - 1.41$ seconds. Note that with Signcryption and Unsigncryption algorithms, we set $| W_{e} | = | W_{s} | = k$ . The value of k is the threshold value of attributes required by a user to satisfy the predicate $Υ_{e}$ and $Υ_{s}$ before unsigncryption can be successful. In summary, the running time of Setup, sExtract, Signcryption, and Unsigncryption algorithm is reasonably well and viable for a real-world application.

Fig. 6.

Evaluation of communication cost.

Fig. 7.

Evaluation of computation time.

Fig. 8.

Cost of computing and storing comparison matrix value in hashmap.

6.2.4. Performance of B+ tree

For the first experiment shown in Fig. 8, we consider the computation cost of constructing hashmap for the B+ tree. The size of the B+ search keys is changed from 100, 200, 300, 400. The result shows the computation time increases with the increment of the size of keys. For the next set of experiments, we use a synthetic database that contains one table with 1000 tuples of records. Each tuple contains multiple attributes, a primary key A and is 500 bytes long. For simplicity, we assume that an index is built on primary key A with page size equal to 5 kilobytes. The experiment results presented here are the average case of 100 trials. We consider the workload of 100, 200, 300, and 400 range queries generated uniformly at random over the domain of A. We consider two set of B+ tree: encrypted B+ tree with embedded digest (EB+) and normal B+ tree (NB+). Figure 9a shows query performance between the two B+ trees. The result shows that there is a reduction in query performance when the B+ tree is encrypted. This happens because the algorithm has to compute the hash value of the query keyword (key) and search key to obtain the correct query result. It also includes the cost of constructing a verification object.

There are two types of update operations: insertion and deletion. Here, we conducted the test on updating the B+ tree that involves either insertions or deletions to reveal the actions of each type of update. Ones that are generated uniformly at random and ones that exhibit a certain degree of locality. Due to lack of space, we present the results for only uniform insertions, deletions work similarly. The result shows that there is a slight difference in the performance of update on EB+ and NB+. In the next set of experiments, we measure the $V O$ size and verification cost at the client-side. The size of $V O$ and the cost of verifying query result are shown in Fig. 9c and Fig. 9d respectively. The EB+ has small $V O$ size and fast verification time. The reason for the minimal verification time is that the number of hash computations is dominated by the height of an index structure. Since the EB+ has low height, the computation overhead of hashes is minimal.

In summary, our simulated experimental results demonstrate that our PHRs scheme can supports secure sharing of data via cloud computing efficiently and effectively.

Fig. 9.

Object’s computational cost and $V O$ size.

Table 2

Comparison between our proposed scheme and other related schemes

Metric	[21]	[33]	[23]	Our
Data confidentiality	✓	✓	✓	✓
Fine grained access control	✓	✓	✓	✓
Unforgeability of ciphertext	✓	✓	✓	✓
Integrity of query results	✗	✗	✓	✓
Blind search	✗	✗	✓	✓
provable database modification	✗	✗	✗	✓
Exact match and range queries	✗	✗	✗	✓

6.3. Discussion

In this section, we compare our work with some existing relevant schemes on cloud based PHRs sharing. The comparison is shown in Table 2.

Data confidentiality: PHRs are very sensitive data and should not be accessible without correct decrypting keys. In our scheme, the $D O$ encrypts the PHRs offline using AES and ABSC scheme before the resultant ciphertext is outsourced to the $C S$ . This greatly decreases the possibility of private information disclosure of the PHRs.

provable database modification: The digest computed by the $C S$ after either new insertion or deletion of records in the B+ tree ensures that the $C S$ carries out data updates exactly as prescribed by the $D O$ . Otherwise, there will be a mismatch with the root digest computed locally by the $D O$ on the updated B+ tree with the one computed by the $C S$ .

Fine grained access control: The signcryption is based on attributes and therefore enables the encryptor to define a predicate over attributes and encrypts the data according to the predicate. This allows flexible access to the plaintext dependent on the scope of the access privileges of the decryptor.

Unforgeability of ciphertext: The proposed ABSC scheme provides proof of the origin of data via appending of signature of the data encryptor.

Blind search: The proposed scheme enables the cloud server to compute on ciphertexts to retrieve the appropriate query result without the knowledge of the plaintext of the search keywords and the ciphertext.

Integrity of query results: The integrity of query results (freshness, completeness, and correctness) is achieved by comparing the root digest of the B+ tree originally computed by the $D O$ with the one computed by the $D U$ .

Exact match and range queries: Our scheme stores the encrypted PHRs data on the encrypted B+ tree which supports efficient exact-match query and range query.

7. Conclusion

In this paper, we have proposed a new personal health sharing scheme. The new scheme uses attribute-based signcryption and B+ data structure to achieve privacy protection, data integrity, unforgeability, blindly keyword search, and fine-grained access control. In particular, the new scheme relies on authenticated data structure based on a B+ tree to authenticate the query results. For future works, we will consider a searching mechanism that will enable query on an encrypted database without the cloud server learning the search pattern.

Footnotes

Acknowledgments

This work was partially supported by Sichuan Science and Technology Program (2018HH0102, 2019YFH0014, 2020YFH0030, 2020YFSY0061).

Correctness of unsigncryption algorithm

Suppose ${SK}_{W_{e}}$ has the attribute set $W_{e}$ that satisfy the decryption predicate $Υ_{e} (W_{e}) = 1$ (that is a subset $W_{e} \subseteq W_{e}^{*} \cup D_{e}^{'} \subseteq D_{e} \cap S_{x}$ , $| W_{e} \cup D_{e}^{'} | = k$ and $1 ⩽ k ⩽ | S_{x} |$ ), then the decrypt algorithm computes: $\begin{array}{l} Λ_{1} = \prod_{i \in S_{x}} b^{Δ_{i, S_{x}} (0)}, \\ Λ_{2} = \prod_{i \in S_{x}} {(a_{i} \prod_{j \in W_{e} \cup D_{e}^{'}, j \neq i} (c_{i, j}))}^{Δ_{i, S_{x}} (0)}, \\ \begin{matrix} Z^{s} = & e {(g, h)}^{α s} = \frac{e (C_{2}, Λ_{2})}{e (C_{1}, Λ_{1})} \\ = & \frac{e (h^{s}, \prod_{i \in S_{x}} {(a_{i} \prod_{j \in W_{e} \cup D_{e}^{'}, j \neq i} (c_{i, j}))}^{Δ_{i, S_{x}} (0)})}{e ({(β_{0} \prod_{j \in W_{e}^{*} \cup D_{e}^{'}} β_{j})}^{s}, \prod_{i \in S_{x}} b_{i}^{Δ_{i, S_{x}} (0)})} \\ = & \frac{e (h^{s}, \prod_{i \in S_{x}} {(g^{q (i)} {(β_{0} β_{i})}^{r_{i}} \prod_{j \in W_{e} \cup D_{e}^{'}, j \neq i} {(β_{j})}^{r_{i}})}^{Δ_{i, S_{x}} (0)})}{e ({(β_{0} \prod_{j \in W_{e}^{*} \cup D_{e}^{'}} β_{j})}^{s}, \prod_{i \in S_{x}} h_{i}^{r_{i} Δ_{i, S_{x}} (0)})} \\ = & \frac{e (h^{s}, \prod_{i \in S_{x}} (g^{q (i) Δ_{i, S_{x}} (0)} {(β_{0} \prod_{j \in W_{e} \cup D_{e}^{'}} β_{j})}^{r_{i} Δ_{i, S_{x}} (0)}))}{e ({(β_{0} \prod_{j \in W_{e}^{*} \cup D_{e}^{'}} β_{j})}^{s}, \prod_{i \in S_{x}} h^{r_{i} Δ_{i, S_{x}} (0)})} \\ = & \frac{e (h^{s}, g^{\sum_{i \in S_{x}} q (i) Δ_{i, S_{x}} (0)} {(β_{0} \prod_{j \in W_{e} \cup D_{e}^{'}} β_{j})}^{\sum_{i \in S_{x}} r_{i} Δ_{i, S_{x}} (0)})}{e ({(β_{0} \prod_{j \in W_{e}^{*} \cup D_{e}^{'}} β_{j})}^{s}, h^{\sum_{i \in S_{x}} r_{i} Δ_{i, S_{x}} (0)})} \\ = & e {(g, h)}^{α s} \end{matrix} \end{array}$ The message is retrieved as: $m^{'} = \frac{C_{0}}{Z^{s}} = \frac{m \cdot e {(g, h)}^{α s}}{e {(g, h)}^{α s}}$ .

When a legitimate user obtains the message $m^{'}$ , he/she verifies whether $m^{'}$ is from the real $D O$ or not. Then, the user computes $Θ \leftarrow H_{1} (C_{0}, Z^{s}, m^{'})$ and set $Θ = {η_{1}, η_{2}, \dots, η_{n}} \in {0, 1}^{n}$ . The user further computes: $\begin{array}{l} V & = \frac{e (h, σ_{1})}{(e (δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j}, σ_{2}) \times e (u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}}, C_{2}))} \\ = \frac{e (h, \prod_{i \in S_{y}} {(a_{i}^{'} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}, j \neq i} (c_{i, j}^{'}))}^{Δ_{i, S_{y}} (0)} \times {(δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j})}^{ψ} \times {(u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}})}^{s})}{(e (δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j}, g^{ψ} \prod_{i \in S_{y}^{'}} b_{i}^{' Δ_{i, S_{y}} (0)}) \times e (u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}}, h^{s}))} \\ = \frac{e (h, \prod_{i \in S_{y}} {(g^{q (i)} {(δ_{0} δ_{i})}^{r_{i}} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}, j \neq i} {(δ_{j})}^{r_{i}})}^{Δ_{i, S_{y}} (0)} \times {(δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j})}^{ψ} \times {(u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}})}^{s})}{(e (δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j}, g^{ψ} \prod_{i \in S_{y}^{'}} h_{i}^{r_{i} Δ_{i, S_{y}} (0)}) \times e (u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}}, h^{s}))} \\ = \frac{e (h, \prod_{i \in S_{y}} (g^{q (i) Δ_{i, S_{y}} (0)} {(δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} {(δ_{j})}^{r_{i}})}^{Δ_{i, S_{y}} (0)}) \times {(δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j})}^{ψ} \times {(u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}})}^{s})}{(e (δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j}, g^{ψ} \prod_{i \in S_{y}} h_{i}^{r_{i} Δ_{i, S_{y}} (0)}) \times e (u^{'} \prod_{j = 1}^{n} u_{j}^{η}, h^{s}))} \\ = \frac{e (h, g^{\sum_{i \in S} q (i) Δ_{i, S_{y}} (0)} {(δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} (δ_{j}))}^{\sum_{i \in S_{y}} r_{i} Δ_{i, S_{y}} (0)} \times {(δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j})}^{ψ} \times {(u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}})}^{s})}{(e (δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j}, g^{ψ} h^{\sum_{i \in S} r_{i} Δ_{i, S_{y}} (0)}) \times e (u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}}, h^{s}))} \\ = \frac{e (h, g^{α} {(δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} (δ_{j}))}^{ψ + \sum_{i \in S_{y}} r_{i} Δ_{i, S_{y}} (0)} \times {(u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}})}^{s})}{(e (δ_{0} \prod_{j \in W_{s}^{*} \cup D_{s}^{'}} δ_{j}, g^{ψ} h^{\sum_{i \in S} r_{i} Δ_{i, S_{y}} (0)}) \times e (u^{'} \prod_{j = 1}^{n} u_{j}^{η_{j}}, h^{s}))} \\ = e {(g, h)}^{α} \end{array}$ If $e {(g, h)}^{α} = V$ , then $m^{'}$ is valid and not falsified, otherwise $m^{'}$ is invalid.

References

Agrawal,

Kirenan,

Srikant and

Xu, Order-preserving encryption for numeric data, in: The Proceedings of the SIGMOD, Paris, 2004, pp. 563–574.

J.A.

Akinyele,

Garman,

Miers et al., Charm: A framework for rapidly prototyping cryptosystems, Journal of Cryptographic Engineering 3(2) (2013), 111–128. doi:10.1007/s13389-013-0057-3.

M.H.

Au,

T.H.

Yuen,

J.K.

Liu et al., A general framework for secure sharing of personal health records in cloud system, Journal of Computer and System Sciences 90 (2017), 46–62. doi:10.1016/j.jcss.2017.03.002.

Baird,

North and

T.S.

Raghu, Personal Health Records (PHR) and the future of the physician-patient relationship, in: Proceedings of the 2011 iConference, 2011, pp. 281–288. doi:10.1145/1940761.1940800.

Ben-Sasson,

Chiesa,

Tromer and

Virza, Succinct non-interactive zero knowledge for a von Neumann architecture, in: Proceedings of the 23rd USENIX Conference on Security Symposium, 2014, pp. 781–796.

Blundo,

Iovino and

Persiano, Private-key hidden vector encryption with key confidentiality, in: Cryptology and Network Security,

Garay,

Miyaji and

Otsuka, eds, Lecture Notes in Computer Science, Vol. 5888, Springer, Berlin/Heidelberg, 2009, pp. 259–277. doi:10.1007/978-3-642-10433-6_17.

Boneh,

Boyen and

E.-J.

Goh, Hierarchical identity based encryption with constant size ciphertext, in: Proc. Adv. Cryptol., 2005, pp. 440–456.

Boneh and

M.K.

Franklin, Identity-based encryption from the Weil pairing, in: Proc. 21st Annu. Int. Cryptol. Conf. Adv. Cryptol. (CRYPTO), London, U.K., 2001, pp. 213–229.

Boneh and

Waters, Conjunctive, subset, and range queries on encrypted data, in: Theory of Cryptography,

Vadhan, ed., Lecture Notes in Computer Science, Vol. 4392, Springer, Berlin/Heidelberg, 2007, pp. 535–554. doi:10.1007/978-3-540-70936-7_29.

10.

Chen,

Hu and

Xu, Authenticated online data integration services, in: ACM SIGMOD, 2015.

11.

Chen, Certificateless public-key authenticate encryption with keyword search revised: MCI and MTP, IACR Cryptology ePrint Archive, 2020. Available: https://eprint.iacr.org/2020/1230.

12.

T.H.

Cormen

et al., Introduction to Algorithms, MIT Press, 2009.

13.

Gagńe,

Narayan and

Safavi-Naini, Threshold attribute-based signcryption, in: SCN 2010,

J.A.

Garay and

De Prisco, eds, LNCS, Vol. 6280, Springer, Heidelberg, 2010, pp. 154–171.

14.

A.J.

Ge,

C.G.

Ma and

Z.F.

Zhang, Attribute-based signature scheme with constant size signature in the standard model, IET Information Security 6(2) (2012), 47–54. doi:10.1049/iet-ifs.2011.0094.

15.

Ge and

Adonik, Answering aggregation queries in a secure system model, in: The Proceedings of the Very Large Databases, Vienna, 2007, pp. 23–28.

16.

Krantz and

Parks, RSA encryption, 2014. doi:10.1007/978-1-4614-8939-9_9.

17.

Lewko,

Okamoto,

Sahai,

Takashima and

Waters, Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption, in: Advances in Cryptology – EUROCRYPT 2010,

Gilbert, ed., Vol. 6110, Springer, Berlin/Heidelberg, 2010, pp. 62–91. doi:10.1007/978-3-642-13190-5_4.

18.

Li,

Hadjieleftheriou,

Kollios and

Reyzin, Dynamic authenticated index structures for outsourced databases, in: Proceedings of the 2006 ACM SIGMOD International Conference on Management of Data, ACM, 2006, pp. 121–132. doi:10.1145/1142473.1142488.

19.

Li,

Hadjieleftheriou,

Kollios and

Reyzin, Dynamic authenticated index structures for outsourced databases, in: ACM SIGMOD, 2006.

20.

Li,

Au,

Susio et al., Attribute-based signature and its applications, in: Proc. Int. Conf. ASIACCS 2010, Beijing, China, 2010, pp. 60–69.

21.

Liu,

Huang and

J.K.

Liu, Secure sharing of personal health records in cloud computing: Ciphertext-policy attribute-based signcryption, Future Generat. Comput. Syst. 52 (2015), 67–76. doi:10.1016/j.future.2014.10.014.

22.

Liu,

Ma,

Wu et al., Protecting mobile health records in cloud computing: A secure, efficient, and anonymous design, ACM Transactions on Embedded Computing Systems 16(2) (2017), Article ID 57.

23.

Liu

et al., Searchable attribute-based signcryption scheme for electronic personal health record, in: IEEE Access, 2018, pp. 76381–76394. doi:10.1109/ACCESS.2018.2878527.

24.

Lu, Privacy-preserving logarithmic-time search on encrypted data in cloud, in: Proc. of the 19th Annual Network & Distributed System Security Symposium, 2012.

25.

Malone-Lee, Identity-based signcryption. IACR Cryptology ePrint Archive, 2002. doi:10.1007/978-3-540-89411-7_10.

26.

R.C.

Merkle, A certified digital signature, in: Advances in Cryptology – CRYPTO, 1989, pp. 218–238.

27.

National Institute of Standards and Technology, Advanced Encryption Standard (AES), 2001.

28.

Obiri ,

Amankona,

Wang,

R.E.

Nuhoho and

Owiyo, Authentication of multiple-user spatial keywords queries, in: 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC), IEEE, 2018, pp. 506–513. doi:10.1109/DSC.2018.00081.

29.

Ostrovsky and

Waters, Attribute-based encryption with non-monotonic access structures, in: CCS’07, Proc. 14th ACM Conf. Comput. Commun. Secur., 2007.

30.

Pandit,

S.K.

Pandey and

Barua, Attribute-based signcryption: Signer privacy, strong unforgeability and ind-cca2 security in adaptive-predicates attack, in: International Conference on Provable Security, Springer, 2014, pp. 274–290.

31.

Pang and

K.-L.

Tan, Authenticating query results in edge computing, in: IEEE ICDE, 2004.

32.

Parno,

Howell,

Gentry and

Raykova, Pinocchio: Nearly practical verifiable computation, in: 2013 IEEE S&P, 2013, pp. 238–252.

33.

Y.S.

Rao, A secure and efficient ciphertext-policy attribute-based signcryption for personal health records sharing in cloud computing, Future Generat. Comput. Syst. 67 (2017), 133–151. doi:10.1016/j.future.2016.07.019.

34.

Y.S.

Rao and

Dutta, Expressive attribute based signcryption with constant-size ciphertext, in: Progress in Cryptology – AFRIPKGCRYPT, International Publishing, Springer, Cham, 2014, pp. 398–419.

35.

Y.S.

Rao and

Dutta, Expressive bandwidth-efficient attribute based signature and signcryption in standard model, in: Information Security and Privacy, Springer International Publishing, Cham, 2014, pp. 209–225. doi:10.1007/978-3-319-08344-5_14.

36.

Ray and

Wimalasiri, The need for technical solutions for maintaining the privacy of EHR, in: Annu. Int. Conf. IEEE Eng. Med. Biol. – Proc., 2006, pp. 4686–4689.

37.

Sahai and

Waters, Fuzzy identity-based encryption, in: EUROCRYPT, 2005, pp. 457–473.

38.

Sahai and

Waters, Fuzzy identity-based encryption, in: Proc. Int. Conf. EUROCRYPT 2005, LNCS, Vol. 3494, Aarhus, Denmark, 2005, pp. 457–473. doi:10.1007/11426639_27.

39.

Sangeetha,

S.S.

Chakkaravarthy,

S.C.

Satapathy et al., Multi keyword searchable attribute based encryption for efficient retrieval of health records in cloud, Multimed Tools Appl (2021). doi:10.1007/s11042-021-10817-z.

40.

Schnorr and

Jakobsson, Security of signed ElGamal encryption, in: Vol. 1976, 2000, pp. 73–89. doi:10.1007/3-540-44448-3_7.

41.

D.X.

Song,

Wagner and

Perrig, Practical techniques for searches on encrypted data, in: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, 2000. doi:10.1109/secpri.2000.848445.

42.

Sun ,

Chung and

Ozsoyoglu, Anti-tamper databases: Processing aggregate queries over encrypted database, in: Proceedings of the 22th International Conference on Data Engineering Workshops, Georgia, 2006, p. 98.

43.

Sun,

Wang,

Wang and

Ren, A searchable personal health records framework with fine-grained access control in cloud-fog computing, PloS One 13(11) (2018), e0207543. doi:10.1371/journal.pone.0207775.

44.

Tang,

Ash,

Bates,

Overhage and

Sands, White paper: Personal health records: Definitions, benefits, and strategies for overcoming barriers to adoption, Journal of the American Medical Informatics Association: JAMIA 13(2) (2006), 121–126. doi:10.1197/jamia.M2025.

45.

The Office of the Nat. Coordinator for Health Information Technology, Report on health information blocking, Tech. Rep., U.S. Department of HHS, 2018.

46.

Tomida,

Kawahara, Nishimaki and

Fast, Compact, and expressive attribute-based encryption, in: Cryptology ePrint Archive, 2019, p. 966.

47.

Trang and

Loi, An efficient FPGA implementation of the advanced encryption standard, in: Computing and Communication Technalogies, Research, Innavation, and Visian Far the Future (RIVF), 2012 IEEE RIVF Internatianal Conference on, 2012.

48.

Wang and

Huang, Attribute-based signcryption with ciphertext-policy and claim-predicate mechanism, in: Computational Intelligence and Security (CIS), 2011 Seventh International Conference on, IEEE, 2011, pp. 905–909. doi:10.1109/CIS.2011.204.

49.

Wang,

Ning,

Huang,

Wei,

G.S.

Poh and

Liu, Secure fine-grained encrypted keyword search for e-healthcare cloud, IEEE Transactions on Dependable and Secure Computing 18(3) (2021), 1307–1319. doi:10.1109/TDSC.2019.2916569.

50.

Wang,

Noel and Jajodia , Minimum-cost network hardening using attack graph, Comput. Commun 29(18) (2006), 3812–3824. doi:10.1016/j.comcom.2006.06.018.

51.

Waters, Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions, in: Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology, Berlin, Heidelberg, 2009, pp. 619–636.

52.

Xu,

Hu and

M.H.

Au, When query authentication meets fine-grained access control: A zero-knowledge approach, in: ACM SIGMOD, 2018.

53.

Yang,

Papadopoulos,

Papadias and

Kollios, Authenticated indexing for outsourced spatial databases, The VLDB Journal 18(3) (2008), 631–648. doi:10.1007/s00778-008-0113-2.

54.

Yin and

Liang, On security of a certificateless hybrid signcryption scheme, Wireless Pers. Commun. 85(4) (2015), 1727–1739. doi:10.1007/s11277-015-2864-6.

55.

Zhang,

K.P.

Baclawski and

V.J.

Tsotras, B+-tree, in: Encyclopedia of Database Systems,

Liu and

M.T.

Özsu, eds, Springer, Boston, MA, 2009.

56.

Zhang,

Genkin,

Katz,

Papadopoulos and

Papamanthou, vSQL: Verifying arbitrary SQL queries over dynamic outsourced databases, in: 2017 IEEE S&P, 2017, pp. 863–880.

57.

Zheng, Digital signcryption or how to achieve cost(signature & encryption) ≪ cost(signature) + cost(encryption), in: Annual International Cryptology Conference, Springer, 1997, pp. 165–179.

Personal health records sharing scheme based on attribute based signcryption with data integrity verifiable

Abstract

Keywords

1. Introduction

2. Related works

2.1. PHRs data security

2.2. Searching on encrypted data

2.3. Verification of integrity of the query result

3. Preliminaries

Definition 1 (Lagrange Interpolation).

Definition 2 (Predicate).

3.1. Bilinear maps

3.2. Hardness assumption

Definition 3 (q-DHE Assumption).

Definition 4 (q-DBDHE Assumption).

Definition 5 (Ciphertext policy attribute based signcryption (CP-ABSC)).

Definition 6. We say that CP-ABSC construction is correct if for all messages m ∈ M , all attribute sets W s and W e , all claim-predicates Υ s ( W s ) = 1 and Υ e ( W e ) = 1 such that 3.3. Security model of CP-ABSC scheme

3.3.1. Message confidentiality

4.1. The scheme entities

4.1.1. Private key generator

4.1.2. Cloud server

4.1.3. Data owner

4.1.4. Data users

4.2. Design objectives

4.3. Construction of cloud-based PHRs sharing scheme

5.1. Confidentiality

6.1. Complexity analysis

6.2.1. Key size

6.2.2. Ciphertext size

6.2.3. The computation time

7. Conclusion

Footnotes

Acknowledgments

Correctness of unsigncryption algorithm

References

Definition 6.
We say that CP-ABSC construction is correct if for all messages $m \in M$ , all attribute sets $W_{s}$ and $W_{e}$ , all claim-predicates $Υ_{s} (W_{s}) = 1$ and $Υ_{e} (W_{e}) = 1$ such that

3.3. Security model of CP-ABSC scheme